Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proposal: x/crypto/acme/autocert: export supportsECDSA somewhere? #65727

Open
bradfitz opened this issue Feb 15, 2024 · 1 comment
Open

proposal: x/crypto/acme/autocert: export supportsECDSA somewhere? #65727

bradfitz opened this issue Feb 15, 2024 · 1 comment
Labels
Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone
Proposal

Comments

@bradfitz
Copy link
Contributor

bradfitz commented Feb 15, 2024
edited

Proposal Details

I recently found myself needing x/crypto/acme/autocert's func supportsECDSA but it's not exported.

Copy/pasting it works, but is slightly sad as it's kinda long and I worry about it getting out of sync.

It's possible to use it indirectly via ugly hacks like tailscale/scertec#3 (using a fake acme/autocert.Cache that looks which keys are accessed) but it's a bit too ugly.

Proposal: export that code somewhere? method on ClientHelloInfo even?

/cc @rolandshoemaker
@gopherbot gopherbot added this to the Proposal milestone Feb 15, 2024
@bradfitz bradfitz mentioned this issue Feb 15, 2024
Merged
@rolandshoemaker
Copy link
Member

This seems like something that would likely be useful in general for people writing Config.GetCertificate functions.

We kind of have an inverse version of this already with ClientHelloInfo.SupportsCertificate, but that requires you already have a certificate to test against, which is obviously not the case in this case and the autocert case (hence why it had to be written in the first place).

I'd not be opposed to adding the following method in crypto/tls:

// SupportsECDSA returns true if the ClientHelloInfo indicates the the client supports both ECDSA based
// key exchanges and cipher suites.
func (*ClientHelloInfo) SupportsECDSA() bool

cc @FiloSottile

bradfitz added a commit to tailscale/scertec that referenced this issue Feb 15, 2024
@bradfitz
scertec: use acme/autocert's supportsECDSA code rather than fork it
4b484fb 
Updates tailscale/corp#13050
Updates golang/go#65727

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
bradfitz added a commit to tailscale/scertec that referenced this issue Feb 15, 2024
@bradfitz
scertec: use acme/autocert's supportsECDSA code rather than fork it
f37e274 
Updates tailscale/corp#13050
Updates golang/go#65727

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
@ianlancetaylor ianlancetaylor added the Proposal-Crypto Proposal related to crypto packages or other security issues label Feb 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Proposal Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
Proposals
Status: Incoming
Milestone
Proposal
Development

No branches or pull requests
4 participants
@bradfitz @ianlancetaylor @rolandshoemaker @gopherbot