crypto: FIPS Mode and Validation of Crypto Provider?

[ScarletTanager]

I cannot seem to find much information on using go for a solution required to be compliant with FIPS 140-2. Has any work been done on getting go's native crypto provider validated, and if not, is there any movement/interest in doing so? If not, are there current recommendations for go adopters building solutions which have to comply with FIPS 140-2?

If there were to be interest in moving this forward, I'd love to see an API for putting the provider into FIPS mode, in which any unapproved algorithm (e.g.) would simply be disallowed/disabled/generate an error.

If this is something better proposed on golang-dev, let me know, and I'll close this issue and start a thread there.

[ianlancetaylor]

I suppose that if you need certification today, the simplest route is going to be to use cgo to invoke a certified library.

[agl]

Go's crypto is not FIPS 140 validated and I'm afraid that there is no possibility of that happening in the future either. I think Ian's suggestion of using cgo to call out to an existing, certified library is probably your best bet. However, we would not be interested in patches to add hook points all over the Go library, so you would need to carry that work yourself.