x/crypto/acme: The client does not correctly support ES512 signatures.

golang / go

The Go programming language

https://go.dev

BSD 3-Clause "New" or "Revised" License

123.97k stars 17.67k forks source link

x/crypto/acme: The client does not correctly support ES512 signatures. #18357

Closed mendsley closed 7 years ago

mendsley commented 7 years ago

What version of Go are you using (`go version`)?

go version go1.7 linux/amd64

What did you do?

Use a elliptic.P521() key for the acme client signer

example: https://gist.github.com/mendsley/840ce420b1769b05b4e2a22b12538e8e

What did you expect to see?

No output - Acme client correctly signed request using EC512 key

What did you see instead?

output "Should support ES512 signatures"

bradfitz commented 7 years ago

It looks like the error is coming from LetsEncrypt, and not Go's client library. Correct me if I'm wrong. Can other users use P512 with LetsEncrypt?

Note that only Go's P256 implementation is both fast (in assembly on amd64 and s390x currently) and constant-time, and LetsEncrypt is largely written in Go, which might be why they don't accept other curves.

bradfitz commented 7 years ago

Oh, now I see your CL.

gopherbot commented 7 years ago

CL https://golang.org/cl/34555 mentions this issue.