diff --git a/patches/000-initial-setup.patch b/patches/000-initial-setup.patch index d1e235a3d3..5f5f1f3be7 100644 --- a/patches/000-initial-setup.patch +++ b/patches/000-initial-setup.patch @@ -1,65 +1,5 @@ -diff --git a/src/runtime/pprof/proto_test.go b/src/runtime/pprof/proto_test.go -index 84a051a536..a2cd97f14d 100644 ---- a/src/runtime/pprof/proto_test.go -+++ b/src/runtime/pprof/proto_test.go -@@ -15,6 +15,7 @@ import ( - "os/exec" - "reflect" - "runtime" -+ "strconv" - "strings" - "testing" - "unsafe" -@@ -95,11 +96,15 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) { - // region of memory. - t.Skipf("need 2 or more mappings, got %v", len(mprof.Mapping)) - } -- addr1 = mprof.Mapping[0].Start -+ addr1 = findAddrInExecutableSection(t, mmap, mprof.Mapping[0]) - map1 = mprof.Mapping[0] -+ map1.Offset = (addr1 - map1.Start) + map1.Offset -+ map1.Start = addr1 - map1.BuildID, _ = elfBuildID(map1.File) -- addr2 = mprof.Mapping[1].Start -+ addr2 = findAddrInExecutableSection(t, mmap, mprof.Mapping[1]) - map2 = mprof.Mapping[1] -+ map2.Offset = (addr2 - map2.Start) + map2.Offset -+ map2.Start = addr2 - map2.BuildID, _ = elfBuildID(map2.File) - case "js": - addr1 = uint64(abi.FuncPCABIInternal(f1)) -@@ -115,6 +120,29 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) { - return - } - -+func findAddrInExecutableSection(t *testing.T, mmap []byte, m *profile.Mapping) uint64 { -+ mappings := strings.Split(string(mmap), "\n") -+ for _, mapping := range mappings { -+ parts := strings.Fields(mapping) -+ if len(parts) < 6 { -+ continue -+ } -+ if !strings.Contains(parts[1], "x") { -+ continue -+ } -+ addr, err := strconv.ParseUint(strings.Split(parts[0], "-")[0], 16, 64) -+ if err != nil { -+ t.Fatal(err) -+ } -+ if addr >= m.Start && addr < m.Limit { -+ return addr -+ } -+ } -+ -+ t.Error("could not find executable section in /proc/self/maps") -+ return 0 -+} -+ - func TestConvertCPUProfile(t *testing.T) { - addr1, addr2, map1, map2 := testPCs(t) - diff --git a/api/go1.19.txt b/api/go1.19.txt -index 523f752d70..e9f2f7d173 100644 +index 523f752d70..778e1d5a7f 100644 --- a/api/go1.19.txt +++ b/api/go1.19.txt @@ -290,3 +290,5 @@ pkg sync/atomic, type Uint64 struct #50860 @@ -68,9 +8,27 @@ index 523f752d70..e9f2f7d173 100644 pkg time, method (Time) ZoneBounds() (Time, Time) #50062 +pkg crypto/ecdsa, func HashSign(io.Reader, *PrivateKey, []uint8, crypto.Hash) (*big.Int, *big.Int, error) #000000 +pkg crypto/ecdsa, func HashVerify(*PublicKey, []uint8, *big.Int, *big.Int, crypto.Hash) bool #000000 +diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt +index a0a41a50de..208aa7008a 100644 +--- a/src/cmd/go/testdata/script/gopath_std_vendor.txt ++++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt +@@ -21,11 +21,11 @@ go build . + + go list -deps -f '{{.ImportPath}} {{.Dir}}' . + stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack +-! stdout $GOROOT[/\\]src[/\\]vendor ++! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack + + go list -test -deps -f '{{.ImportPath}} {{.Dir}}' . + stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack +-! stdout $GOROOT[/\\]src[/\\]vendor ++! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack + + -- issue16333/issue16333.go -- + package vendoring17 diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify.go b/src/crypto/ecdsa/ecdsa_hashsignverify.go new file mode 100644 -index 0000000000..54db9ae178 +index 0000000000..37f3a18223 --- /dev/null +++ b/src/crypto/ecdsa/ecdsa_hashsignverify.go @@ -0,0 +1,45 @@ @@ -121,7 +79,7 @@ index 0000000000..54db9ae178 +} diff --git a/src/crypto/ecdsa/ecdsa_hashsignverify_test.go b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go new file mode 100644 -index 0000000000..8f95e8af1f +index 0000000000..d12ba2f441 --- /dev/null +++ b/src/crypto/ecdsa/ecdsa_hashsignverify_test.go @@ -0,0 +1,42 @@ @@ -167,24 +125,6 @@ index 0000000000..8f95e8af1f + testHashSignAndHashVerify(t, elliptic.P384(), "p384") + testHashSignAndHashVerify(t, elliptic.P521(), "p521") +} -diff --git a/src/cmd/go/testdata/script/gopath_std_vendor.txt b/src/cmd/go/testdata/script/gopath_std_vendor.txt -index a0a41a50de..208aa7008a 100644 ---- a/src/cmd/go/testdata/script/gopath_std_vendor.txt -+++ b/src/cmd/go/testdata/script/gopath_std_vendor.txt -@@ -21,11 +21,11 @@ go build . - - go list -deps -f '{{.ImportPath}} {{.Dir}}' . - stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack --! stdout $GOROOT[/\\]src[/\\]vendor -+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack - - go list -test -deps -f '{{.ImportPath}} {{.Dir}}' . - stdout $GOPATH[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack --! stdout $GOROOT[/\\]src[/\\]vendor -+! stdout $GOROOT[/\\]src[/\\]vendor[/\\]golang.org[/\\]x[/\\]net[/\\]http2[/\\]hpack - - -- issue16333/issue16333.go -- - package vendoring17 diff --git a/src/crypto/ed25519/ed25519_test.go b/src/crypto/ed25519/ed25519_test.go index 7c5181788f..102c4e5355 100644 --- a/src/crypto/ed25519/ed25519_test.go @@ -258,7 +198,7 @@ new file mode 100644 index 0000000000..e69de29bb2 diff --git a/src/crypto/internal/backend/nobackend.go b/src/crypto/internal/backend/nobackend.go new file mode 100644 -index 0000000000..98066f55fc +index 0000000000..482ed6f470 --- /dev/null +++ b/src/crypto/internal/backend/nobackend.go @@ -0,0 +1,155 @@ @@ -419,7 +359,7 @@ index 0000000000..98066f55fc +} diff --git a/src/crypto/internal/backend/openssl.go b/src/crypto/internal/backend/openssl.go new file mode 100644 -index 0000000000..7dc24420a0 +index 0000000000..4040c77bc1 --- /dev/null +++ b/src/crypto/internal/backend/openssl.go @@ -0,0 +1,105 @@ @@ -528,6 +468,213 @@ index 0000000000..7dc24420a0 + +var ExtractHKDF = openssl.ExtractHKDF +var ExpandHKDF = openssl.ExpandHKDF +diff --git a/src/crypto/rsa/pkcs1v15_test.go b/src/crypto/rsa/pkcs1v15_test.go +index 69c509a771..ae68f03dc9 100644 +--- a/src/crypto/rsa/pkcs1v15_test.go ++++ b/src/crypto/rsa/pkcs1v15_test.go +@@ -7,6 +7,7 @@ package rsa + import ( + "bytes" + "crypto" ++ "crypto/internal/boring" + "crypto/rand" + "crypto/sha1" + "crypto/sha256" +@@ -52,6 +53,10 @@ var decryptPKCS1v15Tests = []DecryptPKCS1v15Test{ + } + + func TestDecryptPKCS1v15(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto") ++ } ++ + decryptionFuncs := []func([]byte) ([]byte, error){ + func(ciphertext []byte) (plaintext []byte, err error) { + return DecryptPKCS1v15(nil, rsaPrivateKey, ciphertext) +@@ -76,6 +81,10 @@ func TestDecryptPKCS1v15(t *testing.T) { + } + + func TestEncryptPKCS1v15(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto") ++ } ++ + random := rand.Reader + k := (rsaPrivateKey.N.BitLen() + 7) / 8 + +@@ -137,6 +146,10 @@ var decryptPKCS1v15SessionKeyTests = []DecryptPKCS1v15Test{ + } + + func TestEncryptPKCS1v15SessionKey(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto") ++ } ++ + for i, test := range decryptPKCS1v15SessionKeyTests { + key := []byte("FAIL") + err := DecryptPKCS1v15SessionKey(nil, rsaPrivateKey, decodeBase64(test.in), key) +@@ -151,6 +164,10 @@ func TestEncryptPKCS1v15SessionKey(t *testing.T) { + } + + func TestEncryptPKCS1v15DecrypterSessionKey(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PKCS#1 v1.5 encryption test with BoringCrypto") ++ } ++ + for i, test := range decryptPKCS1v15SessionKeyTests { + plaintext, err := rsaPrivateKey.Decrypt(rand.Reader, decodeBase64(test.in), &PKCS1v15DecryptOptions{SessionKeyLen: 4}) + if err != nil { +@@ -235,6 +252,10 @@ func TestOverlongMessagePKCS1v15(t *testing.T) { + } + + func TestUnpaddedSignature(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("TODO: skipping PKCS#1 v1.5 signature test with BoringCrypto: too short key") ++ } ++ + msg := []byte("Thu Dec 19 18:06:16 EST 2013\n") + // This base64 value was generated with: + // % echo Thu Dec 19 18:06:16 EST 2013 > /tmp/msg +@@ -257,6 +278,10 @@ func TestUnpaddedSignature(t *testing.T) { + } + + func TestShortSessionKey(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PKCS#1 v1.5 short session key decrypt test with BoringCrypto") ++ } ++ + // This tests that attempting to decrypt a session key where the + // ciphertext is too small doesn't run outside the array bounds. + ciphertext, err := EncryptPKCS1v15(rand.Reader, &rsaPrivateKey.PublicKey, []byte{1}) +diff --git a/src/crypto/rsa/pss_test.go b/src/crypto/rsa/pss_test.go +index 51f9760187..93bbc26bd0 100644 +--- a/src/crypto/rsa/pss_test.go ++++ b/src/crypto/rsa/pss_test.go +@@ -9,6 +9,7 @@ import ( + "bytes" + "compress/bzip2" + "crypto" ++ "crypto/internal/boring" + "crypto/rand" + "crypto/sha1" + "crypto/sha256" +@@ -76,6 +77,9 @@ func TestEMSAPSS(t *testing.T) { + // TestPSSGolden tests all the test vectors in pss-vect.txt from + // ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip + func TestPSSGolden(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PSS test with BoringCrypto: SHA-1 not allowed") ++ } + inFile, err := os.Open("testdata/pss-vect.txt.bz2") + if err != nil { + t.Fatalf("Failed to open input file: %s", err) +@@ -167,6 +171,10 @@ func TestPSSGolden(t *testing.T) { + // TestPSSOpenSSL ensures that we can verify a PSS signature from OpenSSL with + // the default options. OpenSSL sets the salt length to be maximal. + func TestPSSOpenSSL(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PSS test with BoringCrypto: too short key") ++ } ++ + hash := crypto.SHA256 + h := hash.New() + h.Write([]byte("testing")) +@@ -194,10 +202,15 @@ func TestPSSNilOpts(t *testing.T) { + h.Write([]byte("testing")) + hashed := h.Sum(nil) + ++ // Shouldn't this check return value? + SignPSS(rand.Reader, rsaPrivateKey, hash, hashed, nil) + } + + func TestPSSSigning(t *testing.T) { ++ if boring.Enabled { ++ t.Skip("skipping PSS test with BoringCrypto: too short key") ++ } ++ + var saltLengthCombinations = []struct { + signSaltLength, verifySaltLength int + good bool +@@ -233,7 +246,7 @@ func TestPSSSigning(t *testing.T) { + } + + func TestSignWithPSSSaltLengthAuto(t *testing.T) { +- key, err := GenerateKey(rand.Reader, 513) ++ key, err := GenerateKey(rand.Reader, 2048) + if err != nil { + t.Fatal(err) + } +diff --git a/src/crypto/rsa/rsa_test.go b/src/crypto/rsa/rsa_test.go +index 766d9a954f..9118c86165 100644 +--- a/src/crypto/rsa/rsa_test.go ++++ b/src/crypto/rsa/rsa_test.go +@@ -26,6 +26,10 @@ func TestKeyGeneration(t *testing.T) { + if bits := priv.N.BitLen(); bits != size { + t.Errorf("key too short (%d vs %d)", bits, size) + } ++ if boring.Enabled && size < 1024 { ++ t.Logf("skipping short key with BoringCrypto: %d", size) ++ continue; ++ } + testKeyBasics(t, priv) + if testing.Short() { + break +@@ -115,21 +119,7 @@ func testKeyBasics(t *testing.T, priv *PrivateKey) { + } + + if boring.Enabled { +- // Cannot call encrypt/decrypt directly. Test via PKCS1v15. +- msg := []byte("hi!") +- enc, err := EncryptPKCS1v15(rand.Reader, &priv.PublicKey, msg) +- if err != nil { +- t.Errorf("EncryptPKCS1v15: %v", err) +- return +- } +- dec, err := DecryptPKCS1v15(rand.Reader, priv, enc) +- if err != nil { +- t.Errorf("DecryptPKCS1v15: %v", err) +- return +- } +- if !bytes.Equal(dec, msg) { +- t.Errorf("got:%x want:%x (%+v)", dec, msg, priv) +- } ++ t.Logf("skipping encryption tests with BoringCrypto") + return + } + +@@ -253,6 +243,10 @@ func TestEncryptOAEP(t *testing.T) { + n := new(big.Int) + for i, test := range testEncryptOAEPData { + n.SetString(test.modulus, 16) ++ if boring.Enabled && n.BitLen() < 2048 { ++ t.Logf("skipping encryption tests with BoringCrypto: too short key: %d", n.BitLen()) ++ continue ++ } + public := PublicKey{N: n, E: test.e} + + for j, message := range test.msgs { +@@ -276,6 +270,10 @@ func TestDecryptOAEP(t *testing.T) { + d := new(big.Int) + for i, test := range testEncryptOAEPData { + n.SetString(test.modulus, 16) ++ if boring.Enabled && n.BitLen() < 2048 { ++ t.Logf("skipping encryption tests with BoringCrypto: too short key: %d", n.BitLen()) ++ continue ++ } + d.SetString(test.d, 16) + private := new(PrivateKey) + private.PublicKey = PublicKey{N: n, E: test.e} +@@ -309,6 +307,10 @@ func TestEncryptDecryptOAEP(t *testing.T) { + d := new(big.Int) + for i, test := range testEncryptOAEPData { + n.SetString(test.modulus, 16) ++ if boring.Enabled && n.BitLen() < 2048 { ++ t.Logf("skipping encryption tests with BoringCrypto: too short key: %d", n.BitLen()) ++ continue ++ } + d.SetString(test.d, 16) + priv := new(PrivateKey) + priv.PublicKey = PublicKey{N: n, E: test.e} diff --git a/src/crypto/tls/boring.go b/src/crypto/tls/boring.go index 1827f76458..4c5c3527a4 100644 --- a/src/crypto/tls/boring.go @@ -791,6 +938,58 @@ index 314016979a..323d683788 100644 } type x25519Parameters struct { +diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go +index 4aae90570d..42706f93c4 100644 +--- a/src/crypto/x509/boring.go ++++ b/src/crypto/x509/boring.go +@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool { + default: + return false + case *rsa.PublicKey: +- if size := k.N.BitLen(); size != 2048 && size != 3072 { ++ if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 { + return false + } + case *ecdsa.PublicKey: +diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go +index 7010f44b32..70021f3bdd 100644 +--- a/src/crypto/x509/boring_test.go ++++ b/src/crypto/x509/boring_test.go +@@ -54,7 +54,7 @@ type boringCertificate struct { + + func TestBoringAllowCert(t *testing.T) { + R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) +- R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA) ++ R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK) + + M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) + M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) +diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go +index cba44f6f8c..b6597cf1f9 100644 +--- a/src/crypto/x509/x509_test.go ++++ b/src/crypto/x509/x509_test.go +@@ -11,6 +11,7 @@ import ( + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" ++ "crypto/internal/boring" + "crypto/rand" + "crypto/rsa" + _ "crypto/sha256" +@@ -600,6 +601,13 @@ func TestCreateSelfSignedCertificate(t *testing.T) { + extraExtensionData := []byte("extra extension") + + for _, test := range tests { ++ if boring.Enabled && test.sigAlgo.isRSAPSS() { ++ key, _ := test.priv.(*rsa.PrivateKey) ++ if key.PublicKey.N.BitLen() < 2048 { ++ t.Logf("skipping short key with BoringCrypto: %d", key.PublicKey.N.BitLen()) ++ continue ++ } ++ } + commonName := "test.example.com" + template := Certificate{ + SerialNumber: big.NewInt(1), diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go index 141fdb9fbd..d8e81d921d 100644 --- a/src/go/build/deps_test.go @@ -847,6 +1046,66 @@ index 141fdb9fbd..d8e81d921d 100644 haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports } fset := token.NewFileSet() +diff --git a/src/runtime/pprof/proto_test.go b/src/runtime/pprof/proto_test.go +index 84a051a536..a2cd97f14d 100644 +--- a/src/runtime/pprof/proto_test.go ++++ b/src/runtime/pprof/proto_test.go +@@ -15,6 +15,7 @@ import ( + "os/exec" + "reflect" + "runtime" ++ "strconv" + "strings" + "testing" + "unsafe" +@@ -95,11 +96,15 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) { + // region of memory. + t.Skipf("need 2 or more mappings, got %v", len(mprof.Mapping)) + } +- addr1 = mprof.Mapping[0].Start ++ addr1 = findAddrInExecutableSection(t, mmap, mprof.Mapping[0]) + map1 = mprof.Mapping[0] ++ map1.Offset = (addr1 - map1.Start) + map1.Offset ++ map1.Start = addr1 + map1.BuildID, _ = elfBuildID(map1.File) +- addr2 = mprof.Mapping[1].Start ++ addr2 = findAddrInExecutableSection(t, mmap, mprof.Mapping[1]) + map2 = mprof.Mapping[1] ++ map2.Offset = (addr2 - map2.Start) + map2.Offset ++ map2.Start = addr2 + map2.BuildID, _ = elfBuildID(map2.File) + case "js": + addr1 = uint64(abi.FuncPCABIInternal(f1)) +@@ -115,6 +120,29 @@ func testPCs(t *testing.T) (addr1, addr2 uint64, map1, map2 *profile.Mapping) { + return + } + ++func findAddrInExecutableSection(t *testing.T, mmap []byte, m *profile.Mapping) uint64 { ++ mappings := strings.Split(string(mmap), "\n") ++ for _, mapping := range mappings { ++ parts := strings.Fields(mapping) ++ if len(parts) < 6 { ++ continue ++ } ++ if !strings.Contains(parts[1], "x") { ++ continue ++ } ++ addr, err := strconv.ParseUint(strings.Split(parts[0], "-")[0], 16, 64) ++ if err != nil { ++ t.Fatal(err) ++ } ++ if addr >= m.Start && addr < m.Limit { ++ return addr ++ } ++ } ++ ++ t.Error("could not find executable section in /proc/self/maps") ++ return 0 ++} ++ + func TestConvertCPUProfile(t *testing.T) { + addr1, addr2, map1, map2 := testPCs(t) + diff --git a/src/runtime/runtime_boring.go b/src/runtime/runtime_boring.go index 5a98b20253..dc25cdcfd5 100644 --- a/src/runtime/runtime_boring.go @@ -861,29 +1120,3 @@ index 5a98b20253..dc25cdcfd5 100644 + return boring_runtime_arg0() +} \ No newline at end of file -diff --git a/src/crypto/x509/boring.go b/src/crypto/x509/boring.go -index 4aae90570d..42706f93c4 100644 ---- a/src/crypto/x509/boring.go -+++ b/src/crypto/x509/boring.go -@@ -26,7 +26,7 @@ func boringAllowCert(c *Certificate) bool { - default: - return false - case *rsa.PublicKey: -- if size := k.N.BitLen(); size != 2048 && size != 3072 { -+ if size := k.N.BitLen(); size != 2048 && size != 3072 && size != 4096 { - return false - } - case *ecdsa.PublicKey: -diff --git a/src/crypto/x509/boring_test.go b/src/crypto/x509/boring_test.go -index 7010f44b32..70021f3bdd 100644 ---- a/src/crypto/x509/boring_test.go -+++ b/src/crypto/x509/boring_test.go -@@ -54,7 +54,7 @@ type boringCertificate struct { - - func TestBoringAllowCert(t *testing.T) { - R1 := testBoringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) -- R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA) -+ R2 := testBoringCert(t, "R2", boringRSAKey(t, 4096), nil, boringCertCA|boringCertFIPSOK) - - M1_R1 := testBoringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) - M2_R1 := testBoringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA)