support P-384, P-512 constant time implementations (#2224)

fixes #2223
This commit is contained in:
Harshavardhana
2022-08-04 15:36:38 -07:00
committed by GitHub
parent 46af0ff74c
commit 84b8f9d6fa


@@ -19,8 +19,6 @@ package certs
import ( import (
"bytes" "bytes"
"context" "context"
"crypto"
"crypto/ecdsa"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/pem" "encoding/pem"
@@ -213,24 +211,7 @@ func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
} }
keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey}) keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
} }
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock) return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return tls.Certificate{}, err
}
// Ensure that the private key is not a P-384 or P-521 EC key.
// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
switch pub.Params().Name {
case "P-384":
fallthrough
case "P-521":
// unfortunately there is no cleaner way to check
return tls.Certificate{}, fmt.Errorf("tls: the ECDSA curve '%s' is not supported", pub.Params().Name)
}
}
}
return cert, nil
} }
func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err error) { func GetTLSConfig() (x509Certs []*x509.Certificate, manager *xcerts.Manager, err error) {
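Review bot: Dropping the P-384/P-521 rejection in favour of the bare `return tls.X509KeyPair(certPEMBlock, keyPEMBlock)` is only safe when the toolchain's crypto/elliptic implementations of those curves are constant-time, which to my knowledge holds from Go 1.19 onward; nothing in this diff pins that minimum (no go.mod change is visible), so a build with an older toolchain silently loses the protection the deleted check provided. I would leave a comment above the return, e.g. `// P-384 and P-521 keys are accepted here because crypto/elliptic has constant-time implementations for them since Go 1.19; keep the module's minimum Go version at or above that.` Separately, the commit title says P-512 while the removed check and the curve name both refer to P-521, which will confuse anyone searching the history later. LoadX509KeyPair's body starts before this hunk, so I could not confirm whether `fmt` is still used elsewhere in the file after this removal.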