fix: allow P-384/P-512 constant time implementation (#15445)

since go1.18.x P-384/P-512 are now constant time implementations, enable them.
2025-11-07 21:02:58 -05:00 · 2022-08-01 09:27:16 -07:00
parent 10b49eb4fb
commit fd349103e8
2 changed files with 0 additions and 17 deletions
--- a/internal/config/certs.go
+++ b/internal/config/certs.go
@@ -19,8 +19,6 @@ package config

 import (
 	"bytes"
-	"crypto"
-	"crypto/ecdsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
@@ -103,19 +101,6 @@ func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
 	if err != nil {
 		return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg(err.Error())
 	}
-	// Ensure that the private key is not a P-384 or P-521 EC key.
-	// The Go TLS stack does not provide constant-time implementations of P-384 and P-521.
-	if priv, ok := cert.PrivateKey.(crypto.Signer); ok {
-		if pub, ok := priv.Public().(*ecdsa.PublicKey); ok {
-			switch pub.Params().Name {
-			case "P-384":
-				fallthrough
-			case "P-521":
-				// unfortunately there is no cleaner way to check
-				return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("tls: the ECDSA curve '%s' is not supported", pub.Params().Name)
-			}
-		}
-	}
 	return cert, nil
 }