FAIL: TestNewVerifier/bogus_ecdsa_public_key_(point_not_on_curve): verifier_test.go:148: NewVerifier() error = ES256: invalid public key: P256 point not on curve, wantErr ES256: invalid public key

[jas4711]

What is the areas you would like to add the new feature to?

Go-COSE Library

Is your feature request related to a problem?

Hi! I help maintain this package in Debian. We got a build failure, most likely triggered by us using slightly different versions compared to what your go.mod dictates.

=== RUN   TestNewVerifier/bogus_ecdsa_public_key_(point_not_on_curve)
    verifier_test.go:148: NewVerifier() error = ES256: invalid public key: P256 point not on curve, wantErr ES256: invalid public key
=== RUN   TestNewVerifier/ecdsa_public_key_with_unsupported_curve
--- FAIL: TestNewVerifier (0.05s)
...
 --- FAIL: TestNewVerifier/bogus_ecdsa_public_key_(point_not_on_curve) (0.00s)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129123

Could it be triggered by a more modern crypto libraries than what you test with?

/Simon

What solution do you propose?

No FAIL

What alternatives have you considered?

N/A

Any additional context?

No response

[jas4711]

Here is a build log where this self-test succeeds:

https://ci.debian.net/packages/g/golang-github-veraison-go-cose/testing/amd64/69322980/

And one where the self-test fails:

https://salsa.debian.org/jas/golang-github-veraison-go-cose/-/jobs/9176151

The diff for dependencies are:

 27s Get:61 http://deb.debian.org/debian testing/main amd64 golang-1.24-src all 1.24.13-2 [21.2 MB]
 28s Get:62 http://deb.debian.org/debian testing/main amd64 golang-1.24-go amd64 1.24.13-2 [28.7 MB]
 29s Get:63 http://deb.debian.org/debian testing/main amd64 golang-src all 2:1.24~2 [5,136 B]
 29s Get:64 http://deb.debian.org/debian testing/main amd64 golang-go amd64 2:1.24~2 [44.3 kB]
 29s Get:65 http://deb.debian.org/debian testing/main amd64 golang-any amd64 2:1.24~2 [5,216 B]
 29s Get:66 http://deb.debian.org/debian testing/main amd64 golang-github-x448-float16-dev all 0.8.4-3 [10.6 kB]
 29s Get:67 http://deb.debian.org/debian testing/main amd64 golang-github-fxamacker-cbor-dev all 2.9.0-1 [121 kB]

vs

Get:32 http://deb.debian.org/debian unstable/main amd64 golang-1.26-src all 1.26.1-1 [23.4 MB]
Get:33 http://deb.debian.org/debian unstable/main amd64 golang-1.26-go amd64 1.26.1-1 [20.1 MB]
Get:34 http://deb.debian.org/debian unstable/main amd64 golang-src all 2:1.26~1 [5336 B]
Get:35 http://deb.debian.org/debian unstable/main amd64 golang-go amd64 2:1.26~1 [40.4 kB]
Get:36 http://deb.debian.org/debian unstable/main amd64 golang-any amd64 2:1.26~1 [5420 B]
Get:37 http://deb.debian.org/debian unstable/main amd64 golang-github-x448-float16-dev all 0.8.4-3 [10.6 kB]
Get:38 http://deb.debian.org/debian unstable/main amd64 golang-github-fxamacker-cbor-dev all 2.9.0-1 [121 kB]

This makes me guess this is a golang 1.24 -> 1.26 issue.

/Simon