mirrors/nebula
1
Fork 0
mirror of https://github.com/slackhq/nebula.git synced 2025-12-06 02:30:57 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

update to go 1.25, use the cool new ECDSA key marshalling functions (#1483)
Some checks are pending
gofmt / Run gofmt (push) Waiting to run
Details
smoke-extra / Run extra smoke tests (push) Waiting to run
Details
smoke / Run multi node smoke test (push) Waiting to run
Details
Build and test / Build all and test on ubuntu-linux (push) Waiting to run
Details
Build and test / Build and test on linux with boringcrypto (push) Waiting to run
Details
Build and test / Build and test on linux with pkcs11 (push) Waiting to run
Details
Build and test / Build and test on macos-latest (push) Waiting to run
Details
Build and test / Build and test on windows-latest (push) Waiting to run
Details

Browse source 
* update to go 1.25, use the cool new ECDSA key marshalling functions

* bonk the runners

* actually bump go.mod

* bump golangci-lint
This commit is contained in:
Jack Doan 2025-09-29 13:02:25 -05:00 committed by GitHub
parent 4cdeb284ef
commit 1ea5f776d7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 23 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/gofmt.yml vendored
View file

@ -18,7 +18,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Install goimports - name: Install goimports

6
.github/workflows/release.yml vendored
View file

@ -14,7 +14,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Build - name: Build
@ -37,7 +37,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Build - name: Build
@ -70,7 +70,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Import certificates - name: Import certificates

2
.github/workflows/smoke.yml vendored
View file

@ -22,7 +22,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: build - name: build

12
.github/workflows/test.yml vendored
View file

@ -22,7 +22,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Build - name: Build
@ -34,7 +34,7 @@ jobs:
- name: golangci-lint - name: golangci-lint
uses: golangci/golangci-lint-action@v8 uses: golangci/golangci-lint-action@v8
with: with:
version: v2.1 version: v2.5
- name: Test - name: Test
run: make test run: make test
@ -60,7 +60,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Build - name: Build
@ -81,7 +81,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.22' go-version: '1.25'
check-latest: true check-latest: true
- name: Build - name: Build
@ -102,7 +102,7 @@ jobs:
- uses: actions/setup-go@v5 - uses: actions/setup-go@v5
with: with:
go-version: '1.24' go-version: '1.25'
check-latest: true check-latest: true
- name: Build nebula - name: Build nebula
@ -117,7 +117,7 @@ jobs:
- name: golangci-lint - name: golangci-lint
uses: golangci/golangci-lint-action@v8 uses: golangci/golangci-lint-action@v8
with: with:
version: v2.1 version: v2.5
- name: Test - name: Test
run: make test run: make test

6
cert/cert_v1.go
View file

@ -110,8 +110,10 @@ func (c *certificateV1) CheckSignature(key []byte) bool {
case Curve_CURVE25519: case Curve_CURVE25519:
return ed25519.Verify(key, b, c.signature) return ed25519.Verify(key, b, c.signature)
case Curve_P256: case Curve_P256:
x, y := elliptic.Unmarshal(elliptic.P256(), key) pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y} if err != nil {
return false
}
hashed := sha256.Sum256(b) hashed := sha256.Sum256(b)
return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature) return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
default: default:

6
cert/cert_v2.go
View file

@ -149,8 +149,10 @@ func (c *certificateV2) CheckSignature(key []byte) bool {
case Curve_CURVE25519: case Curve_CURVE25519:
return ed25519.Verify(key, b, c.signature) return ed25519.Verify(key, b, c.signature)
case Curve_P256: case Curve_P256:
x, y := elliptic.Unmarshal(elliptic.P256(), key) pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y} if err != nil {
return false
}
hashed := sha256.Sum256(b) hashed := sha256.Sum256(b)
return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature) return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
default: default:

12
cert/sign.go
View file

@ -7,7 +7,6 @@ import (
"crypto/rand" "crypto/rand"
"crypto/sha256" "crypto/sha256"
"fmt" "fmt"
"math/big"
"net/netip" "net/netip"
"time" "time"
) )
@ -55,15 +54,10 @@ func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Cert
} }
return t.SignWith(signer, curve, sp) return t.SignWith(signer, curve, sp)
case Curve_P256: case Curve_P256:
pk := &ecdsa.PrivateKey{ pk, err := ecdsa.ParseRawPrivateKey(elliptic.P256(), key)
PublicKey: ecdsa.PublicKey{ if err != nil {
Curve: elliptic.P256(), return nil, err
},
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95
D: new(big.Int).SetBytes(key),
} }
// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119
pk.X, pk.Y = pk.Curve.ScalarBaseMult(key)
sp := func(certBytes []byte) ([]byte, error) { sp := func(certBytes []byte) ([]byte, error) {
// We need to hash first for ECDSA // We need to hash first for ECDSA
// - https://pkg.go.dev/crypto/ecdsa#SignASN1 // - https://pkg.go.dev/crypto/ecdsa#SignASN1

4
go.mod
View file

@ -1,8 +1,6 @@
module github.com/slackhq/nebula module github.com/slackhq/nebula
go 1.23.0 go 1.25
toolchain go1.24.1
require ( require (
dario.cat/mergo v1.0.2 dario.cat/mergo v1.0.2