don't allow mismatched curves

2026-02-14 08:44:24 +01:00 · 2026-02-06 14:13:55 -06:00
parent 8c828b3cae
commit 9546cf0aec
2 changed files with 5 additions and 0 deletions
--- a/cert/ca_pool.go
+++ b/cert/ca_pool.go
@@ -190,6 +190,10 @@ func (ncp *CAPool) verify(c Certificate, now time.Time, certFp string, signerFp
 		return nil, err
 	}

+	if signer.Certificate.Curve() != c.Curve() {
+		return nil, ErrCurveMismatch
+	}
+
 	if signer.Certificate.Expired(now) {
 		return nil, ErrRootExpired
 	}
--- a/cert/errors.go
+++ b/cert/errors.go
@@ -22,6 +22,7 @@ var (
 	ErrCaNotFound                 = errors.New("could not find ca for the certificate")
 	ErrUnknownVersion             = errors.New("certificate version unrecognized")
 	ErrCertPubkeyPresent          = errors.New("certificate has unexpected pubkey present")
+	ErrCurveMismatch              = errors.New("certificate curve does not match CA")

 	ErrInvalidPEMBlock                   = errors.New("input did not contain a valid PEM encoded block")
 	ErrInvalidPEMCertificateBanner       = errors.New("bytes did not contain a proper certificate banner")