From 84b8f9d6fa6126e5b8337b8340461e55719403e7 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Thu, 4 Aug 2022 15:36:38 -0700
Subject: [PATCH] support P-384, P-512 constant time implementations (#2224)

fixes #2223
---
 pkg/certs/certs.go | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

diff --git a/pkg/certs/certs.go b/pkg/certs/certs.go
index fa6a2b98a..f19df04d2 100644
--- a/pkg/certs/certs.go
+++ b/pkg/certs/certs.go
@@ -19,8 +19,6 @@ package certs
 import (
 "bytes"
 "context"
- "crypto"
- "crypto/ecdsa"
 "crypto/tls"
 "crypto/x509"
 "encoding/pem"
@@ -213,24 +211,7 @@ func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
 }
 keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
 }
- cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
- if err != nil {
- return tls.Certificate{}, err
- }
- // Ensure that the private key is not a P-384 or P-521 EC key.
- // The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
- if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
- if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
- switch pub.Params().Name {
- case "P-384":
- fallthrough
- case "P-521":
- // unfortunately there is no cleaner way to check
- return tls.Certificate{}, fmt.Errorf("tls: the ECDSA curve '%s' is not supported", pub.Params().Name)
- }
- }
- }
- return cert, nil
+ return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 }
 
 func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err error) {
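Review bot: Dropping the P-384/P-521 rejection at the end of LoadX509KeyPair makes the timing safety of those keys depend entirely on the Go toolchain used to build, and nothing on the new side records that assumption. The constant-time implementations of these curves only arrived in later standard-library releases (as far as I recall, around Go 1.17–1.18), so it is worth confirming that the module's `go` directive and the release/CI toolchain are at or above that floor. I would keep a one-line comment above the new return, e.g. `// P-384/P-521 keys are accepted; this relies on the constant-time curve code in the Go toolchain we build with.` The function starts outside the hunk; if its doc comment still mentions the curve restriction, it should be updated as well.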