
update to go 1.25, use the cool new ECDSA key marshalling functions (#1483)

* update to go 1.25, use the cool new ECDSA key marshalling functions

* bonk the runners

* actually bump go.mod

* bump golangci-lint
Jack Doan 1 week ago
parent
commit
1ea5f776d7

+ 1 - 1
.github/workflows/gofmt.yml

@@ -18,7 +18,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.25'
         check-latest: true
 
     - name: Install goimports

+ 3 - 3
.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
           check-latest: true
 
       - name: Build
@@ -37,7 +37,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
           check-latest: true
 
       - name: Build
@@ -70,7 +70,7 @@ jobs:
 
       - uses: actions/setup-go@v5
         with:
-          go-version: '1.24'
+          go-version: '1.25'
           check-latest: true
 
       - name: Import certificates

+ 1 - 1
.github/workflows/smoke.yml

@@ -22,7 +22,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.25'
         check-latest: true
 
     - name: build

+ 6 - 6
.github/workflows/test.yml

@@ -22,7 +22,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.25'
         check-latest: true
 
     - name: Build
@@ -34,7 +34,7 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v8
       with:
-        version: v2.1
+        version: v2.5
 
     - name: Test
       run: make test
@@ -60,7 +60,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.25'
         check-latest: true
 
     - name: Build
@@ -81,7 +81,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.22'
+        go-version: '1.25'
         check-latest: true
 
     - name: Build
@@ -102,7 +102,7 @@ jobs:
 
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.24'
+        go-version: '1.25'
         check-latest: true
 
     - name: Build nebula
@@ -117,7 +117,7 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v8
       with:
-        version: v2.1
+        version: v2.5
 
     - name: Test
       run: make test

+ 4 - 2
cert/cert_v1.go

@@ -110,8 +110,10 @@ func (c *certificateV1) CheckSignature(key []byte) bool {
 	case Curve_CURVE25519:
 		return ed25519.Verify(key, b, c.signature)
 	case Curve_P256:
-		x, y := elliptic.Unmarshal(elliptic.P256(), key)
-		pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
+		pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
+		if err != nil {
+			return false
+		}
 		hashed := sha256.Sum256(b)
 		return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
 	default:
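Review bot: The error from the new `ecdsa.ParseUncompressedPublicKey` call is dropped, so a caller of CheckSignature cannot distinguish a malformed, compressed or off-curve key from a signature mismatch; since the bool return is kept, the fail-closed branch should at least say why, e.g. `// malformed, compressed or off-curve key: fail closed instead of verifying against a bogus point`. The identical change in cert/cert_v2.go has the same gap. The Curve_CURVE25519 case two lines above still hands key straight to ed25519.Verify, which panics rather than returning false when the key is not ed25519.PublicKeySize bytes, so the two curves now fail differently on bad input; `if len(key) != ed25519.PublicKeySize { return false }` ahead of that call would align them. CheckSignature starts and ends outside the hunk.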

+ 4 - 2
cert/cert_v2.go

@@ -149,8 +149,10 @@ func (c *certificateV2) CheckSignature(key []byte) bool {
 	case Curve_CURVE25519:
 		return ed25519.Verify(key, b, c.signature)
 	case Curve_P256:
-		x, y := elliptic.Unmarshal(elliptic.P256(), key)
-		pubKey := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
+		pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
+		if err != nil {
+			return false
+		}
 		hashed := sha256.Sum256(b)
 		return ecdsa.VerifyASN1(pubKey, hashed[:], c.signature)
 	default:

+ 3 - 9
cert/sign.go

@@ -7,7 +7,6 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"fmt"
-	"math/big"
 	"net/netip"
 	"time"
 )
@@ -55,15 +54,10 @@ func (t *TBSCertificate) Sign(signer Certificate, curve Curve, key []byte) (Cert
 		}
 		return t.SignWith(signer, curve, sp)
 	case Curve_P256:
-		pk := &ecdsa.PrivateKey{
-			PublicKey: ecdsa.PublicKey{
-				Curve: elliptic.P256(),
-			},
-			// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L95
-			D: new(big.Int).SetBytes(key),
+		pk, err := ecdsa.ParseRawPrivateKey(elliptic.P256(), key)
+		if err != nil {
+			return nil, err
 		}
-		// ref: https://github.com/golang/go/blob/go1.19/src/crypto/x509/sec1.go#L119
-		pk.X, pk.Y = pk.Curve.ScalarBaseMult(key)
 		sp := func(certBytes []byte) ([]byte, error) {
 			// We need to hash first for ECDSA
 			// - https://pkg.go.dev/crypto/ecdsa#SignASN1
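Review bot: The error from `ecdsa.ParseRawPrivateKey` on the new line is returned bare, so the caller sees a generic crypto error with no hint that the P256 signing key was the problem; `fmt` is already imported, so `return nil, fmt.Errorf("parsing P256 private key: %w", err)` keeps the context. This is also stricter than the replaced big.Int path, which accepted any byte string: as I read the Go 1.25 API, the raw form must be the curve's fixed length, non-zero and reduced modulo the order, so a previously loadable key of the wrong length or range now fails at Sign time, which is the right fail-closed behaviour but deserves a line in the Sign doc comment or the changelog. Sign's body starts and ends outside the hunk.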

+ 1 - 3
go.mod

@@ -1,8 +1,6 @@
 module github.com/slackhq/nebula
 
-go 1.23.0
-
-toolchain go1.24.1
+go 1.25
 
 require (
 	dario.cat/mergo v1.0.2