Merge branch 'globalsign:master' into master

61131 · web-flow · commit 209462784b8d · 2024-05-01T17:36:57.000+10:00
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -2,17 +2,17 @@ name: Go
 
 on:
   push:
-    branches: [ master, development ]
+    branches: [ master ]
   pull_request:
-    branches: [ master, development ]
+    branches: [ master ]
 
 jobs:
 
   build-linux:
 
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x, 1.16.x]
+        go-version: [1.21.x, 1.22.x]
 
     runs-on: ubuntu-latest
 
@@ -43,7 +43,7 @@ jobs:
 
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x, 1.16.x]
+        go-version: [1.21.x, 1.22.x]
 
     runs-on: macos-latest
 
@@ -67,7 +67,7 @@ jobs:
 
     strategy:
       matrix:
-        go-version: [1.13.x, 1.14.x, 1.15.x, 1.16.x]
+        go-version: [1.21.x, 1.22.x]
 
     runs-on: windows-latest
 
diff --git a/cmd/estclient/config_test.go b/cmd/estclient/config_test.go
@@ -27,7 +27,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"flag"
-	"io/ioutil"
+	"io"
 	"log"
 	"net"
 	"net/http"
@@ -250,14 +250,18 @@ func TestCACerts(t *testing.T) {
 	var testcases = []struct {
 		name string
 		args []string
-		err  error
+		err  []error
 	}{
 		{
 			name: "NoAnchor",
 			args: []string{
 				"-" + serverFlag, uri,
 			},
-			err: errors.New("certificate signed by unknown authority"),
+			err: []error{
+				errors.New("failed to verify certificate"),
+				errors.New("certificate is not trusted"),
+				errors.New("certificate signed by unknown authority"),
+			},
 		},
 		{
 			name: "Insecure",
@@ -289,7 +293,7 @@ func TestCACerts(t *testing.T) {
 				"-" + apsFlag, "triggererrors",
 				"-" + explicitAnchorFlag, cafile,
 			},
-			err: errors.New("internal server error"),
+			err: []error{errors.New("internal server error")},
 		},
 	}
 
@@ -299,7 +303,7 @@ func TestCACerts(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			buf := bytes.NewBuffer([]byte{})
 			err := cacerts(buf, makeCmdFlagSet(t, cacertsCmd, tc.args))
-			verifyErrorTextContains(t, err, tc.err)
+			verifyErrorTextContainsOneOf(t, err, tc.err)
 			if tc.err != nil {
 				return
 			}
@@ -322,14 +326,18 @@ func TestCSRAttrs(t *testing.T) {
 		name   string
 		args   []string
 		length int
-		err    error
+		err    []error
 	}{
 		{
 			name: "NoAnchor",
 			args: []string{
 				"-" + serverFlag, uri,
 			},
-			err: errors.New("certificate signed by unknown authority"),
+			err: []error{
+				errors.New("failed to verify certificate"),
+				errors.New("certificate is not trusted"),
+				errors.New("certificate signed by unknown authority"),
+			},
 		},
 		{
 			name: "Insecure",
@@ -364,7 +372,9 @@ func TestCSRAttrs(t *testing.T) {
 				"-" + apsFlag, "triggererrors",
 				"-" + explicitAnchorFlag, cafile,
 			},
-			err: errors.New("internal server error"),
+			err: []error{
+				errors.New("internal server error"),
+			},
 		},
 	}
 
@@ -374,7 +384,7 @@ func TestCSRAttrs(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			buf := bytes.NewBuffer([]byte{})
 			err := csrattrs(buf, makeCmdFlagSet(t, csrattrsCmd, tc.args))
-			verifyErrorTextContains(t, err, tc.err)
+			verifyErrorTextContainsOneOf(t, err, tc.err)
 
 			if tc.err != nil {
 				return
@@ -507,7 +517,7 @@ func TestReenroll(t *testing.T) {
 		tc := tc
 
 		t.Run(tc.name, func(t *testing.T) {
-			f, err := ioutil.TempFile("", "reenroll_test_")
+			f, err := os.CreateTemp("", "reenroll_test_")
 			if err != nil {
 				t.Fatalf("failed to create temporary file: %v", err)
 			}
@@ -809,9 +819,9 @@ func newTestServer(t *testing.T) (*httptest.Server, *x509.Certificate, string) {
 	}
 
 	checkBasicAuth := func(
-		ctx context.Context,
-		r *http.Request,
-		aps, username, password string,
+		_ context.Context,
+		_ *http.Request,
+		_, username, password string,
 	) error {
 		if username != "testuser" || password != "xyzzy" {
 			return errors.New("bad credentials")
@@ -834,7 +844,7 @@ func newTestServer(t *testing.T) (*httptest.Server, *x509.Certificate, string) {
 
 	s := httptest.NewUnstartedServer(r)
 
-	s.Config.ErrorLog = log.New(ioutil.Discard, "", 0)
+	s.Config.ErrorLog = log.New(io.Discard, "", 0)
 
 	var clientCAs = x509.NewCertPool()
 	clientCAs.AddCert(caCerts[len(caCerts)-1])
@@ -907,7 +917,7 @@ func makeCmdFlagSet(t *testing.T, cmd string, args []string) *flag.FlagSet {
 		t.Fatalf("command not recognized: %s", cmd)
 	}
 
-	set := fcmd.FlagSet(ioutil.Discard, 80)
+	set := fcmd.FlagSet(io.Discard, 80)
 	if err := set.Parse(args); err != nil {
 		t.Fatalf("failed to parse flag set: %v", err)
 	}
@@ -918,7 +928,7 @@ func makeCmdFlagSet(t *testing.T, cmd string, args []string) *flag.FlagSet {
 func makeRootCertFile(t *testing.T, cert *x509.Certificate) (string, func(t *testing.T)) {
 	t.Helper()
 
-	f, err := ioutil.TempFile("", "estclient_test_")
+	f, err := os.CreateTemp("", "estclient_test_")
 	if err != nil {
 		t.Fatalf("failed to create temporary file: %v", err)
 	}
@@ -951,6 +961,38 @@ func verifyErrorTextContains(t *testing.T, got, want error) {
 	}
 }
 
+// verifyErrorTextContainsOneOf tests if the error text contains one of the strings.
+// This is useful for testing errors that output different text on different
+// platforms or between versions.
+func verifyErrorTextContainsOneOf(t *testing.T, got error, wants []error) {
+	t.Helper()
+
+	if got == nil && len(wants) == 0 {
+		return
+	}
+
+	if got == nil && len(wants) > 0 {
+		t.Fatalf("got nil, want one of %v", wants)
+	}
+
+	if got != nil && len(wants) == 0 {
+		t.Fatalf("got %v, want no error", got)
+	}
+
+	// got != nil && len(wants) > 0
+
+	contains := false
+	for _, w := range wants {
+		if strings.Contains(got.Error(), w.Error()) {
+			contains = true
+		}
+	}
+
+	if !contains {
+		t.Fatalf("got error %v, want one of %v", got, wants)
+	}
+}
+
 // assertPKIXNamesEqual tests if two pkix.Name objects are equal in all
 // respects other than the ordering of the name attributes.
 func assertPKIXNamesEqual(t *testing.T, first, second pkix.Name) {
@@ -972,11 +1014,7 @@ func assertPKIXNamesEqual(t *testing.T, first, second pkix.Name) {
 				}
 			}
 
-			if s[i].Value.(string) < s[j].Value.(string) {
-				return true
-			}
-
-			return false
+			return s[i].Value.(string) < s[j].Value.(string)
 		}
 	}
 
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/globalsign/est
 
-go 1.13
+go 1.22.1
 
 require (
 	github.com/ThalesIgnite/crypto11 v1.2.1
@@ -9,7 +9,14 @@ require (
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/google/go-tpm v0.3.2
 	go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1
-	golang.org/x/crypto v0.0.0-20200602180216-279210d13fed
-	golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 // indirect
+	golang.org/x/crypto v0.17.0
 	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 )
+
+require (
+	github.com/miekg/pkcs11 v1.0.3-0.20190429190417-a667d056470f // indirect
+	github.com/pkg/errors v0.8.1 // indirect
+	github.com/thales-e-security/pool v0.0.1 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -45,7 +45,6 @@ github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4er
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
@@ -65,7 +64,6 @@ github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2
 github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw=
 github.com/google/go-tpm v0.3.2 h1:3iQQ2dlEf+1no7CLlfLPYzxhQy7j2G/emBqU5okydaw=
 github.com/google/go-tpm v0.3.2/go.mod h1:j71sMBTfp3X5jPHz852ZOfQMUOf65Gb/Th8pRmp7fvg=
-github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845 h1:2WNNKKRI+a5OZi5xiJVfDoOiUyfK/BU1D4w+N6967F4=
 github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0=
 github.com/google/go-tpm-tools v0.2.0 h1:pBflcn8x5iFohPScqlmLaImrC7ts/EUJa7ZY4FkTFq4=
 github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4=
@@ -142,13 +140,11 @@ go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9 h1:mKdxBk7AujPs8kU4m80U72y/zjbZ3UcXC7dClwKbUI0=
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
 golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200602180216-279210d13fed h1:g4KENRiCMEx58Q7/ecwfT0N2o8z35Fnbsjig/Alf2T4=
-golang.org/x/crypto v0.0.0-20200602180216-279210d13fed/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -159,10 +155,10 @@ golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092 h1:4QSRKanuywn15aTZvI/mIDEgPQpswuFndXpOj3rKEco=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -172,17 +168,18 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a h1:1n5lsVfiQW3yfsRGu98756EH1YthsFqr/5mxHduZW2A=
 golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201207223542-d4d67f95c62d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210219172841-57ea560cfca1 h1:mDSj8NPponP6fRpRDblAGl5bpSHjPulHtk5lGl0gLSY=
 golang.org/x/sys v0.0.0-20210219172841-57ea560cfca1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43 h1:SgQ6LNaYJU0JIuEHv9+s6EbhSCwYeAf5Yvj6lpYlqAE=
-golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba h1:O8mE0/t419eoIwhTFpKVkHiTs/Igowgfkj25AcZrtiE=
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -191,7 +188,6 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -209,7 +205,6 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
