update to go 1.25, use the cool new ECDSA key marshalling functions (#1483)

* update to go 1.25, use the cool new ECDSA key marshalling functions * bonk the runners * actually bump go.mod * bump golangci-lint
2025-11-22 08:24:25 +01:00 · 2025-09-29 13:02:25 -05:00
parent 4cdeb284ef
commit 1ea5f776d7
8 changed files with 23 additions and 27 deletions
--- a/.github/workflows/gofmt.yml
+++ b/.github/workflows/gofmt.yml
@@ -18,7 +18,7 @@ jobs:

    - uses: actions/setup-go@v5
      with:
-        go-version: '1.24'
+        go-version: '1.25'
        check-latest: true

    - name: Install goimports
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:

      - uses: actions/setup-go@v5
        with:
-          go-version: '1.24'
+          go-version: '1.25'
          check-latest: true

      - name: Build
@@ -37,7 +37,7 @@ jobs:

      - uses: actions/setup-go@v5
        with:
-          go-version: '1.24'
+          go-version: '1.25'
          check-latest: true

      - name: Build
@@ -70,7 +70,7 @@ jobs:

      - uses: actions/setup-go@v5
        with:
-          go-version: '1.24'
+          go-version: '1.25'
          check-latest: true

      - name: Import certificates
--- a/.github/workflows/smoke.yml
+++ b/.github/workflows/smoke.yml
@@ -22,7 +22,7 @@ jobs:

    - uses: actions/setup-go@v5
      with:
-        go-version: '1.24'
+        go-version: '1.25'
        check-latest: true

    - name: build
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -22,7 +22,7 @@ jobs:

    - uses: actions/setup-go@v5
      with:
-        go-version: '1.24'
+        go-version: '1.25'
        check-latest: true

    - name: Build
@@ -34,7 +34,7 @@ jobs:
    - name: golangci-lint
      uses: golangci/golangci-lint-action@v8
      with:
-        version: v2.1
+        version: v2.5

    - name: Test
      run: make test
@@ -60,7 +60,7 @@ jobs:

    - uses: actions/setup-go@v5
      with:
-        go-version: '1.24'
+        go-version: '1.25'
        check-latest: true

    - name: Build
@@ -81,7 +81,7 @@ jobs:

    - uses: actions/setup-go@v5
      with:
-        go-version: '1.22'
+        go-version: '1.25'
        check-latest: true

    - name: Build
@@ -102,7 +102,7 @@ jobs:

    - uses: actions/setup-go@v5
      with:
-        go-version: '1.24'
+        go-version: '1.25'
        check-latest: true

    - name: Build nebula
@@ -117,7 +117,7 @@ jobs:
    - name: golangci-lint
      uses: golangci/golangci-lint-action@v8
      with:
-        version: v2.1
+        version: v2.5

    - name: Test
      run: make test
--- a/cert/cert_v1.go
+++ b/cert/cert_v1.go
@@ -110,8 +110,10 @@ func (c *certificateV1) CheckSignature(key []byte) bool {
 	case Curve_CURVE25519:
 		return ed25519.Verify(key, b, c.signature)
 	case Curve_P256:
-		x, y := elliptic.Unmarshal(elliptic.P256(), key)
-		pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
+		pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
+		if err != nil {
+			return false
+		}
 		hashed := sha256.Sum256(b)
 		return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
 	default:
--- a/cert/cert_v2.go
+++ b/cert/cert_v2.go
@@ -149,8 +149,10 @@ func (c *certificateV2) CheckSignature(key []byte) bool {
 	case Curve_CURVE25519:
 		return ed25519.Verify(key, b, c.signature)
 	case Curve_P256:
-		x, y := elliptic.Unmarshal(elliptic.P256(), key)
-		pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
+		pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
+		if err != nil {
+			return false
+		}
 		hashed := sha256.Sum256(b)
 		return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
 	default:
--- a/cert/sign.go
+++ b/cert/sign.go
@@ -7,7 +7,6 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"fmt"
-	"math/big"
 	"net/netip"
 	"time"
 )
@@ -55,15 +54,10 @@ func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Cert
 		}
 		return t.SignWith(signer, curve, sp)
 	case Curve_P256:
-		pk := &ecdsa.PrivateKey{
-			PublicKey: ecdsa.PublicKey{
-				Curve: elliptic.P256(),
-			},
-			// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95
-			D: new(big.Int).SetBytes(key),
+		pk, err := ecdsa.ParseRawPrivateKey(elliptic.P256(), key)
+		if err != nil {
+			return nil, err
 		}
-		// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119
-		pk.X, pk.Y = pk.Curve.ScalarBaseMult(key)
 		sp := func(certBytes []byte) ([]byte, error) {
 			// We need to hash first for ECDSA
 			// - https://pkg.go.dev/crypto/ecdsa#SignASN1
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,6 @@
 module github.com/slackhq/nebula

-go 1.23.0
-
-toolchain go1.24.1
+go 1.25

 require (
 	dario.cat/mergo v1.0.2