From 9546cf0aec55727df577d73a982f07f0628c6b18 Mon Sep 17 00:00:00 2001
From: JackDoan <me@jackdoan.com>
Date: Fri, 6 Feb 2026 14:13:55 -0600
Subject: [PATCH] don't allow mismatched curves

---
 cert/ca_pool.go | 4 ++++
 cert/errors.go  | 1 +
 2 files changed, 5 insertions(+)

diff --git a/cert/ca_pool.go b/cert/ca_pool.go
index e9903e1f..168bffab 100644
--- a/cert/ca_pool.go
+++ b/cert/ca_pool.go
@@ -190,6 +190,10 @@ func (ncp *CAPool) verify(c Certificate, now time.Time, certFp string, signerFp
 		return nil, err
 	}
 
+	if signer.Certificate.Curve() != c.Curve() {
+		return nil, ErrCurveMismatch
+	}
+
 	if signer.Certificate.Expired(now) {
 		return nil, ErrRootExpired
 	}
diff --git a/cert/errors.go b/cert/errors.go
index 8c480a14..596cfe19 100644
--- a/cert/errors.go
+++ b/cert/errors.go
@@ -22,6 +22,7 @@ var (
 	ErrCaNotFound                 = errors.New("could not find ca for the certificate")
 	ErrUnknownVersion             = errors.New("certificate version unrecognized")
 	ErrCertPubkeyPresent          = errors.New("certificate has unexpected pubkey present")
+	ErrCurveMismatch              = errors.New("certificate curve does not match CA")
 
 	ErrInvalidPEMBlock                   = errors.New("input did not contain a valid PEM encoded block")
 	ErrInvalidPEMCertificateBanner       = errors.New("bytes did not contain a proper certificate banner")