Update to Go 1.26#42
Merged
Merged
Conversation
Contributor
|
I don't know enough about this to review it. Does this change reference any existing code/docs I could get a link to. |
Member
Author
|
For comparison, here's the code of
It changed in golang/go@a5ebc6b, see golang/go@a5ebc6b#diff-0cedd2ee8935bfb80aef9cc6f723cff496016771127a055947f9ce9eceea429cL189-R192 |
Kay-Zee
approved these changes
Jun 22, 2026
janezpodhostnik
approved these changes
Jun 23, 2026
Member
Author
|
Created https://github.com/onflow/flow-okrs/issues/239 to track the work for replacing the usage of the APIs which were deprecated in Go 1.26 and we just ignore for now |
Comment on lines
-226
to
+238
| // use crypto/ecdh implementation to perform base scalar multiplication | ||
| // of an ECDH private key, because crypto/elliptic deprecated `ScalarBaseMult` | ||
| ecdhPriv, err := priv.ECDH() | ||
| // Perform the base scalar multiplication using crypto/ecdh, | ||
| // because crypto/elliptic deprecated `ScalarBaseMult`. | ||
| // | ||
| // We build the ecdh.PrivateKey directly from the scalar bytes | ||
| // instead of going through `priv.ECDH()`: since Go 1.26, | ||
| // ecdsa's `(*PrivateKey).ECDH` serializes the key via `(*PrivateKey).Bytes`, | ||
| // which reads the public affine coordinates `X`/`Y`. | ||
| // Those are not set yet at this point (we are computing them), | ||
| // so that path dereferences nil and panics. | ||
| // Constructing the ecdh key from the scalar avoids reading `X`/`Y` | ||
| // and works across Go versions. | ||
| scalarLen := bitsToBytes(curve.Params().N.BitLen()) | ||
| ecdhPriv, err := ecdh.P256().NewPrivateKey(d.FillBytes(make([]byte, scalarLen))) |
Member
There was a problem hiding this comment.
In my review, I focused on scrutinizing the correctness of this line. To the best of my understanding everything is good
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Update to Go 1.26. Go 1.25 will be EOL around August.
There were two problems:
Since Go 1.26,
(*ecdsa.PrivateKey).ECDHserializes viaBytes(), which readsX/Yand panics on thenilcoordinates.goecdsaPrivateKeycalledpriv.ECDH()to derive the public point from the scalar, but the public affine coordinatesX/Yare not set at that point.Fixed by building the
ecdh.PrivateKeydirectly from the scalar bytes instead, which avoids readingX/Y. Behavior is unchanged and compatible with Go 1.20+.Go 1.26 deprecated direct access to the raw
crypto/ecdsakey fields (PrivateKey.D,PublicKey.X/Y).The replacement API only works for NIST curves, not the
secp256k1this package supports via btcec — so the fields can't be fully removed without a risky rewrite.Fixed by suppressing in
.golangci.ymlfor now, refactoring is out of scope.