I am trying to figure out why on Render, an application that uses the crypto/elliptic library is panicking, but a local version running idential code has no issues. My only guess is its the version of Go running on Render, however if the Go version is specified in the go.mod file, I’m not sure if this is ignored or sets the version, and then that disproves my theory.
When creating a signature in Go, I can do
signatureData := elliptic.Marshal(elliptic.P256(), &sigR, &sigS)
sigR and sigS are retrieved from a private key signing a payload.
Locally, this is all fine, however on Render this panics with the error
crypto/elliptic: attempted operation on invalid point
Mar 15 04:41:08 PM 2023/03/15 16:41:08 http: panic serving 10.201.203.208:60678: crypto/elliptic: attempted operation on invalid point
Mar 15 04:41:08 PM goroutine 378 [running]:
Mar 15 04:41:08 PM net/http.(*conn).serve.func1()
Mar 15 04:41:08 PM /usr/local/go/src/net/http/server.go:1854 +0xbf
Mar 15 04:41:08 PM panic({0xc5ff40, 0xfaae70})
Mar 15 04:41:08 PM /usr/local/go/src/runtime/panic.go:890 +0x263
Mar 15 04:41:08 PM crypto/elliptic.panicIfNotOnCurve({0xfbc088?, 0x15d3950?}, 0x40?, 0x15f0680?)
Mar 15 04:41:08 PM /usr/local/go/src/crypto/elliptic/elliptic.go:215 +0xa5
Mar 15 04:41:08 PM crypto/elliptic.Marshal({0xfbc088, 0x15d3950}, 0x15d3950?, 0xc000240020?)
Mar 15 04:41:08 PM /usr/local/go/src/crypto/elliptic/elliptic.go:105 +0x31
I’ve never seen this locally. Googling, suggests this is some issue with the library getting x and r potentially signed the wrong way, (i.e r could be -r).
So could this be related to a Go version running on the server, differing from a local version?