diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 000000000..1b1b6fbaf
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,6 @@
+[submodule "crypto-agiligo"]
+ path = crypto-agiligo
+ url = https://github.com/smallstep/crypto.git
+[submodule "cli"]
+ path = cli
+ url = https://github.com/smallstep/cli.git
diff --git a/AGILIGO-TODO.md b/AGILIGO-TODO.md
new file mode 100644
index 000000000..391296abd
--- /dev/null
+++ b/AGILIGO-TODO.md
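Review bot: The `crypto-agiligo` submodule entry pins no branch, while the go.mod comment added in this same commit says the submodule is on `agiligo-pqc`; a `git submodule update --remote` will follow the remote's default branch instead, and the `url` points at upstream `smallstep/crypto.git`, so whether that branch exists there cannot be told from this diff. Recording the intent with `branch = agiligo-pqc` under the `crypto-agiligo` entry keeps the checkout and the documentation in agreement. The `cli` submodule is added without any mention in the new docs of what it is used for; a one-line comment in `.gitmodules` or AGILIGO.md would help.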
@@ -0,0 +1,333 @@ +# Agiligo Migration TODO + +This document tracks the remaining work to complete the Agiligo migration for step-ca. + +## 🔄 In Progress / Blocked + +### Dependency Setup +- [x] **Add go.step.sm/crypto as git submodule** + - ✅ Added as `crypto-agiligo/` submodule + - ✅ Created `agiligo-pqc` branch in submodule + - ✅ Updated go.mod replace directive to point to `./crypto-agiligo` + +### Testing & Validation +- [x] **Test crypto submodule build** ⚠️ PARTIAL SUCCESS + - ✅ Dependencies download successfully + - ⚠️ Build has compilation errors in third-party dependencies + - ⚠️ Tests: 14/42 packages pass (33.3% pass rate) + - See "Build Issues" section below for details + +- [x] **Test step-ca build with Agiligo** ❌ **FAILED** + - ❌ Build fails with same x509 API errors as crypto submodule + - ❌ Blocked by third-party dependency incompatibilities + - ❌ Cannot produce binary until crypto issues resolved + +- [ ] **Run step-ca test suite** (ready to test) + - `make testdefault` + - `make testtpmsimulator` + - Document any test failures + - Create issue list for failures + +- [ ] **Validate core functionality** (blocked until builds work) + - Initialize CA: `step-ca init` + - Issue certificate + - Test ACME protocol + - Test provisioner authentication + +## 🔮 Future Work (Out of Current Scope) + +### Phase 4: Post-Quantum Algorithms +- [ ] Research and document PQC algorithms to support (ML-KEM, ML-DSA, etc.) 
+- [ ] Design hybrid certificate format (classical + PQC) +- [ ] Implement PQC key generation +- [ ] Implement PQC certificate signing +- [ ] Add PQC cipher suites to TLS configuration +- [ ] Update provisioners to support PQC authentication + +### Phase 5: KMS & Hardware Integration +- [ ] Test cloud KMS compatibility (AWS, Azure, GCP) +- [ ] Verify HSM/PKCS#11 support with PQC +- [ ] Test TPM integration with Agiligo +- [ ] YubiKey compatibility testing + +### Phase 6: CI/CD & Release +- [ ] Update GitHub Actions to use Agiligo +- [ ] Create Agiligo-based Docker images +- [ ] Update GoReleaser configuration +- [ ] Multi-platform builds with Agiligo +- [ ] Automated testing in CI + +### Phase 7: Advanced Features +- [ ] Certificate chain validation with mixed algorithms +- [ ] Backward compatibility mode (classical-only fallback) +- [ ] Performance optimization for PQC operations +- [ ] Comprehensive integration tests +- [ ] Load testing with PQC certificates + +## 📋 Immediate Next Steps + +### Phase 2A: COMPLETE ✅ +1. ✅ Created x509compat package with full API coverage +2. ✅ Added crypto/init imports +3. ✅ Updated pemutil to use compatibility layer +4. ✅ Comprehensive test suite (all tests passing) + +### Phase 2B: DECISION POINT ⚠️ + +**Current Status:** Compatibility layer works, but blocked by third-party dependencies. + +**Options:** + +**A. Fork Critical Dependencies** (RECOMMENDED) +```bash +# 1. Fork golang.org/x/crypto +git clone https://github.com/golang/crypto +cd crypto +# Apply x509compat-style patches to ssh, pkcs12, ocsp +# Create branch: agiligo-compat + +# 2. Update go.mod in crypto-agiligo and step-ca +replace golang.org/x/crypto => github.com/smallstep/crypto-agiligo-deps v0.43.0 +``` + +**B. Disable Non-Essential Features** +```bash +# Use build tags to exclude: +# - MySQL support +# - Some KMS providers +# - Vault integration +# Get minimal step-ca building first +``` + +**C. 
Hybrid Approach** (PRACTICAL) +- Fork golang.org/x/crypto (most critical) +- Fork smallstep/* packages (we control these) +- Disable less-critical cloud features temporarily +- Document all changes for upstream contributions + +### Success Metrics (Updated) +- ✅ x509compat package builds without errors +- ✅ x509compat tests pass (100%) +- ⚠️ crypto-agiligo blocked by external deps +- ⚠️ step-ca blocked by cascading failures + +**Next Decision:** Choose dependency strategy before proceeding + +## 📊 Success Criteria (Current Phase) + +### Phase 1: Build Infrastructure ✅ COMPLETE +- ✅ Docker Compose environment builds and runs Agiligo +- ✅ Makefile configured for Agiligo +- ✅ Documentation complete +- ✅ go.step.sm/crypto submodule available +- ✅ Initial build testing completed +- ✅ Agiligo API investigation complete +- ✅ Compatibility strategy defined + +### Phase 2: Compatibility Layer ⚠️ PARTIAL - BLOCKED +- ✅ x509compat package created and tested +- ✅ crypto-agiligo code updated to use compatibility layer +- ❌ crypto-agiligo builds - **BLOCKED by third-party dependencies** +- ⏳ crypto-agiligo tests pass (>80% target) - Cannot test until builds + +**Blocker:** Third-party dependencies (golang.org/x/crypto, jwt, cloud auth, etc.) 
use old x509 API + +**See:** `AGILIGO.md` (sections "The Blocker: Third-Party Dependencies" and "Path Forward") for detailed analysis + +### Phase 3: step-ca Integration (BLOCKED) +- ⏳ step-ca compiles successfully with Agiligo +- ⏳ Basic CA operations functional (init, start, sign) +- ⏳ Core test suite runs (>80% pass rate acceptable for MVP) + +## 🐛 Build Issues Found + +### crypto-agiligo Test Results (as of 2025-10-30) + +**Summary:** +- ✅ 14 packages pass all tests +- ❌ 28 packages fail to build (build errors) +- 📊 Pass rate: 33.3% (below 80% target) + +**Passing Packages:** +- go.step.sm/crypto/fingerprint +- go.step.sm/crypto/fipsutil +- go.step.sm/crypto/internal/bcrypt_pbkdf +- go.step.sm/crypto/internal/emoji +- go.step.sm/crypto/internal/utils/asn1 +- go.step.sm/crypto/internal/utils/convert +- go.step.sm/crypto/internal/utils/file +- go.step.sm/crypto/internal/utils/utfbom +- go.step.sm/crypto/kms/apiv1 +- go.step.sm/crypto/kms/uri +- go.step.sm/crypto/randutil +- go.step.sm/crypto/tpm/algorithm +- go.step.sm/crypto/tpm/manufacturer +- go.step.sm/crypto/tpm/tss2 + +**Critical Issues:** + +1. **crypto/x509 API Changes** - Many third-party dependencies fail + - Missing functions: `ParsePKCS1PrivateKey`, `ParsePKCS8PrivateKey`, `ParseECPrivateKey`, `ParsePKIXPublicKey` + - Missing functions: `MarshalPKCS1PrivateKey`, `MarshalECPrivateKey`, `MarshalPKCS8PrivateKey` + - Missing constants: `x509.RSA`, `x509.ECDSA`, `x509.Ed25519` + + **Affected packages:** + - golang.org/x/crypto/ssh + - golang.org/x/oauth2/internal + - cloud.google.com/go/auth/internal + - github.com/go-jose/go-jose/v3 (via dependencies) + - github.com/Masterminds/sprig/v3 + - github.com/golang-jwt/jwt/v5 + - golang.org/x/crypto/pkcs12 + - github.com/googleapis/enterprise-certificate-proxy + - github.com/google/s2a-go + +2. 
**crypto.PrivateKey Interface Changes** + - New `Equal` method required on crypto.PrivateKey/PublicKey + - Type switches on concrete types fail (rsa.PrivateKey, ecdsa.PrivateKey) + + **Affected packages:** + - github.com/ThalesIgnite/crypto11 + - github.com/go-piv/piv-go/v2 + - github.com/google/certificate-transparency-go/tls + - go.step.sm/crypto/x25519 (internal tests) + +3. **Build-Blocking Packages:** + - ❌ go.step.sm/crypto/jose (JWT/JWS/JWE - CRITICAL) + - ❌ go.step.sm/crypto/keyutil (key parsing - CRITICAL) + - ❌ go.step.sm/crypto/pemutil (PEM handling - CRITICAL) + - ❌ go.step.sm/crypto/sshutil (SSH operations) + - ❌ go.step.sm/crypto/tlsutil (TLS utilities) + - ❌ go.step.sm/crypto/x509util (x509 utilities - CRITICAL) + - ❌ All KMS providers (awskms, azurekms, cloudkms, pkcs11, tpmkms, yubikey) + +### Root Cause Analysis + +Agiligo has modified the standard library crypto packages to support post-quantum algorithms. These changes include: +1. **Restructured x509 parsing/marshaling functions** - Likely consolidated or renamed +2. **Modified crypto.PrivateKey interface** - Added Equal() method for key comparison +3. **Changed key type constants** - x509.RSA, x509.ECDSA, x509.Ed25519 removed or relocated + +### Impact Assessment + +🔴 **HIGH IMPACT** - Critical crypto functionality blocked: +- Certificate parsing and generation (x509util, pemutil) +- JWT/JWS operations (jose) +- Key management (keyutil) +- All cloud KMS providers + +🟡 **MEDIUM IMPACT** - Hardware/specialized features: +- TPM operations +- YubiKey support +- PKCS#11/HSM integration + +🟢 **LOW IMPACT** - Internal utilities mostly work: +- Fingerprinting, hashing, random utilities +- Internal data structures + +### Next Steps to Unblock + +**Option A: Fix in crypto-agiligo fork** (RECOMMENDED) +1. Add compatibility shims for x509 functions +2. Update go.step.sm/crypto code to use new Agiligo APIs +3. Fix Equal() method implementations +4. 
Update type assertions for new crypto interfaces + +**Option B: Wait for upstream Agiligo fixes** +- Track Agiligo project for stdlib compatibility updates +- May require engagement with Agiligo team + +**Option C: Vendor and patch dependencies** +- Fork problematic dependencies +- Patch to work with Agiligo +- Maintain as separate vendored copies + +**Immediate Action:** Proceed to test step-ca build to assess if any direct code works without crypto dependencies. + +### step-ca Build Results (as of 2025-10-30) + +**Status:** ❌ **FAILED** - Cannot build step-ca binary + +**Root Cause:** Same x509 API incompatibilities blocking crypto submodule + +**Build Errors:** +1. `github.com/Masterminds/sprig/v3` - x509.MarshalPKCS1PrivateKey, ParsePKCS8PrivateKey, etc. +2. `golang.org/x/crypto/ssh` - x509 parsing functions +3. `github.com/google/s2a-go` - x509.RSA, x509.ECDSA, x509.Ed25519 constants +4. Cascading failures through all dependencies + +**Conclusion:** Cannot proceed with step-ca testing until crypto compatibility layer is implemented in crypto-agiligo fork. + +**Required Fix Path:** +1. ✅ **COMPLETE** - Investigate Agiligo's x509 package to understand the new API +2. Create compatibility shims in crypto-agiligo +3. Update crypto-agiligo code to use new Agiligo APIs +4. Rebuild and test until step-ca compiles + +### Agiligo API Investigation Results (2025-10-30) + +**Status:** ✅ **INVESTIGATION COMPLETE** - Full API mapping documented + +See detailed report in `AGILIGO.md` (section "Understanding Agiligo's Changes") + +**Key Findings:** + +1. **Functions Not Removed - Just Relocated!** + - `x509.ParsePKCS1PrivateKey` → `rsa.ParsePKCS1PrivateKey` + - `x509.ParsePKCS8PrivateKey` → `pkcs8.UnmarshalPKCS8PrivateKey` + - `x509.ParseECPrivateKey` → `ecdsa.ParseECPrivateKey` + - `x509.ParsePKIXPublicKey` → Two-step: `pkix.UnmarshalPKIXPublicKeyInfo` + `pkixparser.GetPublicKeyFromPKIXPublicKeyInfo` + - All Marshal* functions similarly relocated + +2. 
**Architecture Change: Registry-Based System** + ```go + // Algorithms now register themselves + crypto.PublicKeyAlgorithms map[string]PublicKeyAlgorithm + crypto.SignatureAlgorithms map[string]SignatureAlgorithm + ``` + +3. **Required Initialization** + - Must import `crypto/init` or individual algorithm packages + - Algorithms register in their init() functions + +4. **Interface Changes (BREAKING)** + ```go + // New requirements + type PublicKey interface { + Equal(x PublicKey) bool + } + type PrivateKey interface { + Public() PublicKey + Equal(x PrivateKey) bool + } + ``` + +5. **Type Constants Removed** + - `x509.RSA`, `x509.ECDSA`, `x509.Ed25519` no longer exist + - Use type switches or algorithm.GetPublicKeyAlgorithmName() instead + +**Solution Strategy: Compatibility Shim Layer** + +Create `crypto-agiligo/x509compat` package that: +- Wraps relocated functions with old names +- Provides type constants for backward compatibility +- Allows minimal changes to crypto-agiligo code +- Avoids forking dozens of dependencies + +## 🆘 Known Issues + +### Blockers +2. 🔴 **CRITICAL: step-ca cannot build** - Blocked by x509 API incompatibilities +3. 🔴 **CRITICAL: 28/42 crypto packages fail to build** - Third-party dependency issues +4. 🔴 **CRITICAL: Agiligo x509 API changes** - Missing Parse*/Marshal* functions, type constants + +### Warnings +- ⚠️ Many third-party crypto dependencies don't compile with Agiligo +- ⚠️ Will need extensive compatibility shims or dependency updates +- ⚠️ KMS providers all blocked - cloud integration at risk + +## 📝 Notes + +- Agiligo is based on Go 1.24, matching step-ca's current Go version requirement +- This migration focuses on build infrastructure; PQC algorithm implementation is future work +- Hybrid mode (classical + PQC) is the intended end goal diff --git a/AGILIGO.md b/AGILIGO.md new file mode 100644 index 000000000..78ea2ba5e --- /dev/null +++ b/AGILIGO.md 
@@ -0,0 +1,398 @@ +# Agiligo Development Guide + +This fork of step-ca uses the [Agiligo Go variant](https://github.com/ISRI-PQC/agiligo) to explore post-quantum cryptographic support. Agiligo is a modified version of the Go toolchain that adds cryptographic agility features, allowing the use of post-quantum algorithms not yet available in mainline Go. + +## Quick Start + +**This project requires Docker Compose** - the Agiligo Go toolchain is built and configured automatically inside a container. All development must be done in the container environment. + +### Starting the Development Environment + +```bash +# From project root - start the container +docker compose run --rm dev + +# Inside container - verify setup +go version # Should show Agiligo-based Go +go env GOROOT # Should show /usr/local/agiligo +claude --version # Claude Code is pre-installed + +# Initialize git submodules (automatically done on first run) +git submodule update --init --recursive + +# Start Claude Code for AI assistance +claude + +# Build step-ca +make build + +# Run tests +make test +``` + +## Current Status + +### What Works ✅ +- Docker development environment with Agiligo +- Build system configured +- `go.step.sm/crypto` submodule added at `./crypto-agiligo` (branch: `agiligo-pqc`) +- **Compatibility layer created** (`crypto-agiligo/x509compat/`) + - Provides old x509 API names that delegate to new Agiligo locations + - 100% test pass rate + - Successfully updated `pemutil` to use compatibility layer + +### What's Blocked ❌ +- **step-ca cannot build** - Third-party dependencies use old x509 API +- **28/42 crypto packages fail** - External dependencies in `/go/pkg/mod/` cannot be patched +- **Critical packages affected**: jose, keyutil, x509util, all KMS providers + +### Build Metrics +- **x509compat package**: 1/1 packages (100%) ✅ +- **crypto-agiligo**: 14/42 packages (33.3%) - Blocked by dependencies +- **step-ca**: 0% - Cannot build until dependencies resolved + +## Understanding 
Agiligo's Changes + +### Key Finding: Functions Were Relocated, Not Removed + +Agiligo reorganized crypto functions into algorithm-specific packages to support a **registry-based crypto-agile architecture**: + +| Old Location (Standard Go) | New Location (Agiligo) | +|----------------------------|------------------------| +| `x509.ParsePKCS1PrivateKey` | `rsa.ParsePKCS1PrivateKey` | +| `x509.ParsePKCS8PrivateKey` | `pkcs8.UnmarshalPKCS8PrivateKey` | +| `x509.ParseECPrivateKey` | `ecdsa.ParseECPrivateKey` | +| `x509.ParsePKIXPublicKey` | `pkixparser.GetPublicKeyFromPKIXPublicKeyInfo` (two-step) | +| `x509.MarshalPKCS1PrivateKey` | `rsa.MarshalPKCS1PrivateKey` | +| `x509.MarshalECPrivateKey` | `ecdsa.MarshalECPrivateKey` | + +### Registry-Based Architecture + +Agiligo replaces hard-coded algorithm lists with dynamic registration: + +```go +// Algorithms register themselves in init() functions +var crypto.PublicKeyAlgorithms map[string]PublicKeyAlgorithm +var crypto.SignatureAlgorithms map[string]SignatureAlgorithm +``` + +**Critical requirement:** Applications must import `crypto/init` or specific algorithm packages to register algorithms. 
+ +### Interface Changes (BREAKING) + +```go +// New requirements in Agiligo +type PublicKey interface { + Equal(x PublicKey) bool // NEW +} + +type PrivateKey interface { + Public() PublicKey + Equal(x PrivateKey) bool // NEW +} +``` + +### Type Constants Removed + +- `x509.RSA`, `x509.ECDSA`, `x509.Ed25519` no longer exist +- Use type switches or `algorithm.GetPublicKeyAlgorithmName()` instead + +## Our Compatibility Solution + +### x509compat Package + +Created `/workspace/crypto-agiligo/x509compat/` that provides the old x509 API as wrapper functions: + +```go +// Example: ParsePKCS8PrivateKey delegates to new location +func ParsePKCS8PrivateKey(der []byte) (crypto.PrivateKey, error) { + return pkcs8.UnmarshalPKCS8PrivateKey(der) +} +``` + +**Coverage:** +- ✅ All Parse* functions (PKCS1, PKCS8, EC, PKIX) +- ✅ All Marshal* functions (PKCS1, PKCS8, EC, PKIX) +- ✅ Type constants (RSA, ECDSA, Ed25519) +- ✅ Helper functions (GetPublicKeyAlgorithm, IsRSA, IsECDSA, IsEd25519) + +**Usage in crypto-agiligo:** +```go +import ( + _ "crypto/init" // Register all Agiligo algorithms + "go.step.sm/crypto/x509compat" +) + +// Use old API names +key, err := x509compat.ParsePKCS8PrivateKey(derBytes) +``` + +### Files Updated + +- `crypto-agiligo/pemutil/pem.go` - 11 function calls updated +- `crypto-agiligo/pemutil/cosign.go` - 1 function call updated + +## The Blocker: Third-Party Dependencies + +Our compatibility layer works perfectly for code we control, but **cannot fix cached third-party dependencies**. 
+ +### Critical Blocking Dependencies + +**High Priority (Core Functionality):** +- `golang.org/x/crypto/ssh` - SSH protocol operations +- `golang.org/x/crypto/pkcs12` - PKCS#12 format +- `github.com/golang-jwt/jwt/v5` - JWT tokens +- `github.com/Masterminds/sprig/v3` - Template functions +- `github.com/google/s2a-go` - Google security (uses x509.RSA constants) + +**Medium Priority (Cloud/Hardware):** +- `cloud.google.com/go/auth` - Google Cloud authentication +- `golang.org/x/oauth2` - OAuth2 authentication +- `github.com/smallstep/scep` - SCEP protocol +- `github.com/smallstep/pkcs7` - PKCS#7 support +- `github.com/ThalesIgnite/crypto11` - PKCS#11/HSM +- `github.com/go-piv/piv-go/v2` - YubiKey PIV + +### Why This Blocks Progress + +These dependencies are: +1. Downloaded from go.mod as pre-compiled modules +2. Stored in `/go/pkg/mod/` (read-only cache) +3. Cannot be patched without forking + +**Impact:** +- ❌ pemutil (depends on golang.org/x/crypto/ssh) +- ❌ jose (depends on github.com/golang-jwt/jwt) +- ❌ keyutil (depends on pemutil → ssh) +- ❌ x509util (depends on keyutil) +- ❌ All KMS providers (depend on cloud auth libraries) +- ❌ step-ca build (cascading dependency failures) + +### Agiligo's x/crypto Support + +**Key Discovery:** Agiligo does **NOT** ship with a compatible golang.org/x/crypto alternative. + +- Agiligo includes minimal vendored x/crypto (only 6 packages for Go toolchain internals) +- Does **NOT** include: ssh, pkcs12, ocsp, bcrypt, argon2, poly1305, etc. +- No application-level x/crypto support provided + +**Implication:** Must fork golang.org/x/crypto and many other dependencies to proceed with Agiligo. + +## Path Forward: Three Options + +### Option A: Fork Critical Dependencies (Agiligo Approach) + +**Strategy:** +1. Fork `golang.org/x/crypto` - Apply x509compat-style patches to ssh, pkcs12, ocsp packages +2. Fork `github.com/smallstep/scep` and `github.com/smallstep/pkcs7` (we control these) +3. Update go.mod replace directives +4. 
Maintain forks and sync with upstream updates + +**Pros:** +- Complete control over the code +- Eventual upstream contribution possible + +**Cons:** +- **8-12 weeks estimated effort** +- Maintenance burden (10+ forked repositories) +- Complex dependency management +- Need to sync with upstream continuously + +### Option B: Alternative PQC Library (RECOMMENDED) + +**Use Cloudflare CIRCL instead of Agiligo:** + +Cloudflare CIRCL (https://github.com/cloudflare/circl) provides production-ready PQC algorithms: +- Pure Go implementation +- ML-DSA (Dilithium) and ML-KEM (Kyber) support +- **No forking required** - works with standard Go +- FIPS 203/204 compliant +- Battle-tested in Cloudflare production + +**Approach:** +1. Implement `crypto.Signer` interface for CIRCL ML-DSA keys +2. Update step-ca certificate templates to support PQC signature algorithms +3. Add PQC key generation to CLI +4. No compatibility shims needed + +**Pros:** +- **5-7 days estimated effort** (vs 8-12 weeks for Agiligo) +- Zero dependency forking +- Works with standard Go toolchain +- Production-ready and well-maintained +- Lower long-term maintenance + +**Cons:** +- Don't get Agiligo's full crypto-agility framework +- Need to integrate PQC algorithms ourselves +- But we only need PQC algorithms, not full crypto-agility + +### Option C: Wait for Ecosystem + +Wait for: +1. Agiligo to gain broader adoption +2. golang.org/x/crypto to add Agiligo support +3. Other dependencies to update + +**Pros:** No maintenance burden + +**Cons:** Could take months/years, blocks all progress + +## Development Roadmap + +### If Choosing Agiligo (Option A) + +**Phase 2: Fork Dependencies (8-12 weeks)** +1. Fork golang.org/x/crypto with patches +2. Fork Smallstep packages (scep, pkcs7) +3. Disable non-essential features temporarily +4. Get crypto-agiligo building (80%+ package success) +5. Get step-ca building + +**Phase 3: PQC Certificate Issuance (4-6 weeks)** +1. ML-DSA key generation +2. 
PQC certificate templates +3. Update provisioners for algorithm selection +4. ACME protocol support for PQC + +**Phase 4: Hybrid Certificates (4-6 weeks)** +1. Dual certificate issuance (classical + PQC) +2. Certificate linking via extensions +3. Client validation support + +**Total: 16-24 weeks** + +### If Choosing CIRCL (Option B) + +**Phase 1: Proof of Concept (5-7 days)** +1. Implement crypto.Signer for CIRCL ML-DSA +2. Create minimal test: issue one ML-DSA certificate +3. Validate with standard crypto/x509 + +**Phase 2: Integration (2-3 weeks)** +1. Add PQC key generation to step CLI +2. Update certificate templates +3. Add provisioner algorithm selection +4. ACME support + +**Phase 3: Production Ready (2-3 weeks)** +1. Testing and validation +2. Documentation +3. Performance optimization +4. Hybrid certificate support + +**Total: 5-7 weeks** + +## Comparison: Agiligo vs CIRCL + +| Aspect | Agiligo | Cloudflare CIRCL | +|--------|---------|------------------| +| **Time to MVP** | 8-12 weeks | 5-7 days | +| **Dependency Forks** | 10+ repositories | Zero | +| **Maintenance** | High (ongoing sync) | Low (standard Go) | +| **Crypto-Agility** | Full framework | Manual integration | +| **Production Ready** | Experimental | Battle-tested | +| **Standards Support** | FIPS 203/204 | FIPS 203/204 | +| **Ecosystem** | Emerging | Mature | + +## Next Steps & Recommendations + +### Immediate Decision Required + +**Choose PQC approach:** +1. **Option A (Agiligo)** - If full crypto-agility framework is critical +2. **Option B (CIRCL)** - If PQC support is the primary goal ⭐ RECOMMENDED + +### If Proceeding with Agiligo + +**Priority 1:** Fork golang.org/x/crypto +1. Clone https://github.com/golang/crypto +2. Apply x509compat-style patches +3. Test with crypto-agiligo +4. 
Update go.mod replace directive + +**Priority 2:** Fork Smallstep packages +- github.com/smallstep/scep +- github.com/smallstep/pkcs7 + +**Priority 3:** Disable non-essential features +- Use build tags for MySQL, Vault, some cloud KMS + +### If Switching to CIRCL + +**Priority 1:** Proof of Concept +1. Install CIRCL: `go get github.com/cloudflare/circl` +2. Implement crypto.Signer for ML-DSA keys +3. Issue test certificate with x509.CreateCertificate +4. Validate approach + +**Priority 2:** Design Integration +- Update step-ca authority package +- Design CLI interface for PQC +- Plan certificate template changes + +## Troubleshooting + +### Build failures with crypto dependencies +- Ensure submodules are initialized: `git submodule update --init --recursive` +- Check that `go.step.sm/crypto` replace directive points to `./crypto-agiligo` in `go.mod` +- Use `GOWORK=off` flag if encountering workspace issues + +### Container issues +```bash +# Rebuild container from scratch +docker compose build --no-cache + +# Remove old containers/images +docker compose down +docker system prune -a +``` + +### Claude Code not working +- Ensure you're authenticated on host: `claude auth login` (run on host, not in container) +- Check credentials exist: `ls ~/.claude` +- The container automatically mounts `~/.claude` to `/root/.claude` + +### Permission errors with /go/pkg +```bash +# Fix Go module cache permissions +sudo chown -R $(id -u):$(id -g) /go/pkg +``` + +## Resources + +### Agiligo +- [Agiligo GitHub Repository](https://github.com/ISRI-PQC/agiligo) +- Agiligo source: `/usr/local/agiligo/src/` +- Agiligo docs: `/usr/local/agiligo/README*.md` + +### Cloudflare CIRCL +- [CIRCL GitHub Repository](https://github.com/cloudflare/circl) +- [CIRCL Documentation](https://pkg.go.dev/github.com/cloudflare/circl) + +### Standards +- [FIPS 204: ML-DSA](https://csrc.nist.gov/pubs/fips/204/final) +- [FIPS 203: ML-KEM](https://csrc.nist.gov/pubs/fips/203/final) +- [Post-Quantum 
Cryptography](https://csrc.nist.gov/projects/post-quantum-cryptography) + +### step-ca +- [step-ca Documentation](https://smallstep.com/docs/step-ca) +- [step CLI Documentation](https://smallstep.com/docs/step-cli) + +## Contributing + +When contributing to this Agiligo exploration: + +1. Use Docker Compose for all development (`docker compose run --rm dev`) +2. Ensure all builds and tests pass with Agiligo toolchain +3. Document any new PQC-specific features +4. Update this guide if you discover new setup steps or issues +5. Consider the CIRCL alternative for production PQC needs + +## Project Files + +- `AGILIGO-TODO.md` - Detailed task tracking and progress +- `crypto-agiligo/` - Git submodule for go.step.sm/crypto fork +- `crypto-agiligo/x509compat/` - Compatibility layer for Agiligo API changes +- `Dockerfile` - Container build configuration +- `docker-compose.yml` - Development environment setup diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 000000000..28e79cb5e --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,69 @@
+FROM mcr.microsoft.com/devcontainers/go:1.24 AS base
+
+# Install system dependencies
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ build-essential \
+ libc6-dev \
+ netbase \
+ ca-certificates \
+ curl \
+ wget \
+ git \
+ bash \
+ gcc \
+ libpcsclite-dev \
+ make \
+ dnsutils \
+ && update-ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
+# ============================================================================
+# AGILIGO BUILD LAYER - This layer is cached separately
+# ============================================================================
+FROM base AS agiligo-builder
+
+WORKDIR /usr/local/agiligo
+ENV GOROOT_BOOTSTRAP=/usr/local/go
+
+# Clone and build Agiligo (this is the expensive operation we want to cache)
+RUN git clone --depth 1 https://github.com/ISRI-PQC/agiligo.git . && \
+ cd src && \
+ ./all.bash
+
+# ============================================================================
+# FINAL DEVELOPMENT IMAGE
+# ============================================================================
+FROM base AS dev
+
+# Copy Agiligo from builder stage
+COPY --from=agiligo-builder /usr/local/agiligo /usr/local/agiligo
+
+# Configure Agiligo environment
+ENV GOROOT=/usr/local/agiligo
+ENV PATH=/usr/local/agiligo/bin:$PATH
+
+# Install Node.js and npm for Claude Code CLI
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends nodejs npm && \
+ rm -rf /var/lib/apt/lists/*
+
+# Install Go development tools (these change less frequently than Agiligo)
+RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest && \
+ go install golang.org/x/vuln/cmd/govulncheck@latest && \
+ go install gotest.tools/gotestsum@latest
+
+# Install Claude Code CLI via npm
+RUN npm install -g @anthropic-ai/claude-code
+
+# Create workspace directory and set ownership for vscode user
+RUN mkdir -p /workspace && chown -R vscode:vscode /workspace
+
+# Initialize submodules on container start
+RUN echo 'if [ 
-d /workspace/.git ]; then cd /workspace && git submodule update --init --recursive 2>/dev/null || true; fi' >> /home/vscode/.bashrc
+
+# Switch to non-root user
+USER vscode
+
+# Set working directory for step-ca development
+WORKDIR /workspace
diff --git a/README.md b/README.md
index 6303ff0fc..0bfd0c4cc 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,9 @@
-# step-ca
+# step-ca (Agiligo Fork)
+
+> **⚠️ AGILIGO FORK NOTICE**
+> This is a fork of step-ca built with [Agiligo](https://github.com/ISRI-PQC/agiligo), a Go variant that adds cryptographic agility for post-quantum algorithm support.
+> 📖 **See [AGILIGO.md](./AGILIGO.md) for setup and development instructions.**
+> This fork requires the Agiligo Go toolchain and cannot be built with standard Go.
 
 [![GitHub release](https://img.shields.io/github/release/smallstep/certificates.svg)](https://github.com/smallstep/certificates/releases/latest)
 [![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/certificates)](https://goreportcard.com/report/github.com/smallstep/certificates)
diff --git a/cli b/cli
new file mode 160000
index 000000000..9b02d1eb0
--- /dev/null
+++ b/cli
@@ -0,0 +1 @@
+Subproject commit 9b02d1eb0431b3a3a38edbd5942a71cd896d80a1
diff --git a/crypto-agiligo b/crypto-agiligo
new file mode 160000
index 000000000..1b6c66795
--- /dev/null
+++ b/crypto-agiligo
@@ -0,0 +1 @@
+Subproject commit 1b6c66795115185e332cd5f064a694e8e60a841f
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..b2391cce5
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,17 @@
+services:
+ dev:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ target: dev
+ user: "1000:1000"
+ volumes:
+ - .:/workspace
+ working_dir: /workspace
+ stdin_open: true
+ tty: true
+ # Use host network for better DNS resolution (alternative: comment out and use bridge)
+ # network_mode: "host"
+ environment:
+ - GOROOT=/usr/local/agiligo
+ - PATH=/usr/local/agiligo/bin:${PATH}
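Review bot: The builder stage compiles the toolchain from `git clone --depth 1 https://github.com/ISRI-PQC/agiligo.git .` with no commit or tag pinned, so each image build picks up whatever the remote HEAD is at that moment; the compiler that produces the CA binary is then neither reproducible nor reviewable, and the `go install ...@latest` and `npm install -g @anthropic-ai/claude-code` lines have the same property. Pin it through a build argument, e.g. `ARG AGILIGO_REF=<pinned-commit-sha>` before the clone and `RUN git clone https://github.com/ISRI-PQC/agiligo.git . && git checkout "${AGILIGO_REF}" && cd src && ./all.bash`, and give the three `go install` targets explicit versions. A smaller point: the `go install` lines run after `ENV GOROOT=/usr/local/agiligo` and the `PATH` change, so golangci-lint, govulncheck and gotestsum are themselves built with the Agiligo toolchain, which AGILIGO-TODO.md in this same commit reports cannot compile many x/crypto-dependent packages; installing them in the `base` stage with the stock toolchain would presumably avoid that, though the outcome cannot be confirmed from the diff.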
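Review bot: `- PATH=/usr/local/agiligo/bin:${PATH}` under `environment` is interpolated by Compose from the host shell before the container starts, so the container's PATH becomes the host's PATH with the Agiligo prefix, not the image's; image-only directories such as the one the `go install` tools land in are lost unless they happen to exist on the host. The Dockerfile in this commit already sets `ENV GOROOT=/usr/local/agiligo` and `ENV PATH=/usr/local/agiligo/bin:$PATH` in the `dev` stage, so both `environment` entries are redundant and the `PATH` one is actively harmful; dropping the `environment:` block altogether is the simplest fix. The commented `network_mode: "host"` line is fine as documentation, but the `user: "1000:1000"` value presumably has to match the image's `vscode` account for `/workspace` writes to work — worth a comment stating that assumption.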
diff --git a/go.mod b/go.mod
index 3229804a8..105abb5d9 100644
--- a/go.mod
+++ b/go.mod
@@ -52,12 +52,12 @@ require (
 cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 cloud.google.com/go/compute/metadata v0.9.0 // indirect
 cloud.google.com/go/iam v1.5.2 // indirect
- cloud.google.com/go/kms v1.23.1 // indirect
+ cloud.google.com/go/kms v1.23.2 // indirect
 dario.cat/mergo v1.0.1 // indirect
 filippo.io/edwards25519 v1.1.0 // indirect
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 // indirect
- github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 // indirect
+ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 // indirect
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 // indirect
@@ -66,20 +66,20 @@ require (
 	github.com/Masterminds/semver/v3 v3.3.1 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/aws/aws-sdk-go v1.55.7 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.39.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.31.12 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.29.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 // indirect
-	github.com/aws/smithy-go v1.23.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.39.4 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.31.15 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.18.19 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/kms v1.46.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 // indirect
+	github.com/aws/smithy-go v1.23.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash v1.1.0 // indirect
@@ -172,3 +172,7 @@ require (
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+// Replace go.step.sm/crypto with Agiligo-compatible fork (git submodule)
+// The crypto-agiligo submodule is on the 'agiligo-pqc' branch
+replace go.step.sm/crypto => ./crypto-agiligo
diff --git a/go.sum b/go.sum
index 33643d6e1..ca80cc9b4 100644
--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,8 @@ cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdB
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
 cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
-cloud.google.com/go/kms v1.23.1 h1:Mesyv84WoP3tPjUC0O5LRqPWICO0ufdpWf9jtBCEz64=
-cloud.google.com/go/kms v1.23.1/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g=
+cloud.google.com/go/kms v1.23.2 h1:4IYDQL5hG4L+HzJBhzejUySoUOheh3Lk5YT4PCyyW6k=
+cloud.google.com/go/kms v1.23.2/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g=
 cloud.google.com/go/longrunning v0.7.0 h1:FV0+SYF1RIj59gyoWDRi45GiYUMM3K1qO51qoboQT1E=
 cloud.google.com/go/longrunning v0.7.0/go.mod h1:ySn2yXmjbK9Ba0zsQqunhDkYi0+9rlXIwnoAf+h+TPY=
 cloud.google.com/go/security v1.19.2 h1:cF3FkCRRbRC1oXuaGZFl3qU2sdu2gP3iOAHKzL5y04Y=
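Review bot: `replace go.step.sm/crypto => ./crypto-agiligo` in the second go.mod hunk takes the CA's core crypto library out of go.sum verification — the go.sum hunk further down this page drops both `go.step.sm/crypto v0.72.0` lines — so the integrity of that code now rests solely on the gitlink commit recorded for the `crypto-agiligo` submodule (`1b6c66795115185e332cd5f064a694e8e60a841f` in this commit) and on the working tree actually matching it. The comment `// The crypto-agiligo submodule is on the 'agiligo-pqc' branch` is misleading on that point: a submodule pins a commit, not a branch, and a checkout that has not run `git submodule update` builds against whatever happens to sit in that directory. I would replace it with `// go.sum no longer covers this module; its integrity comes from the pinned submodule commit, so bump it deliberately and review the diff` and add that `replace` is honoured only when this repository is the main module, so anything importing step-ca as a library still resolves the upstream go.step.sm/crypto. The `cli` submodule added on this page has no matching replace in the visible go.mod hunks; if it is meant to take effect in the build, that appears to be handled elsewhere.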
@@ -22,8 +22,8 @@ github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIo
 github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1 h1:5YTBM8QDVIBN3sxBil89WfdAAqDZbyJTgh688DSxX5w=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.19.1/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0 h1:wL5IEG5zb7BVv1Kv0Xm92orq+5hB5Nipn3B5tn4Rqfk=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.12.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0 h1:KpMC6LFL7mqpExyMC9jVOYRiVhLmamjeZfRsUpB7l4s=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.0/go.mod h1:J7MUC/wtRpfGVbQ5sIItY5/FuVWmvzlY21WAOfQnq/I=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2 h1:yz1bePFlP5Vws5+8ez6T3HWXPmwOK7Yvq8QxDBD3SKY=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.2/go.mod h1:Pa9ZNPuoNu/GztvBSKk9J1cDJW6vk/n0zLtV4mgd8N8=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
@@ -52,34 +52,34 @@ github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5
 github.com/aws/aws-sdk-go v1.34.0/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE=
 github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
-github.com/aws/aws-sdk-go-v2 v1.39.2 h1:EJLg8IdbzgeD7xgvZ+I8M1e0fL0ptn/M47lianzth0I=
-github.com/aws/aws-sdk-go-v2 v1.39.2/go.mod h1:sDioUELIUO9Znk23YVmIk86/9DOpkbyyVb1i/gUNFXY=
-github.com/aws/aws-sdk-go-v2/config v1.31.12 h1:pYM1Qgy0dKZLHX2cXslNacbcEFMkDMl+Bcj5ROuS6p8=
-github.com/aws/aws-sdk-go-v2/config v1.31.12/go.mod h1:/MM0dyD7KSDPR+39p9ZNVKaHDLb9qnfDurvVS2KAhN8=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.16 h1:4JHirI4zp958zC026Sm+V4pSDwW4pwLefKrc0bF2lwI=
-github.com/aws/aws-sdk-go-v2/credentials v1.18.16/go.mod h1:qQMtGx9OSw7ty1yLclzLxXCRbrkjWAM7JnObZjmCB7I=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9 h1:Mv4Bc0mWmv6oDuSWTKnk+wgeqPL5DRFu5bQL9BGPQ8Y=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.9/go.mod h1:IKlKfRppK2a1y0gy1yH6zD+yX5uplJ6UuPlgd48dJiQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9 h1:se2vOWGD3dWQUtfn4wEjRQJb1HK1XsNIt825gskZ970=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.9/go.mod h1:hijCGH2VfbZQxqCDN7bwz/4dzxV+hkyhjawAtdPWKZA=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9 h1:6RBnKZLkJM4hQ+kN6E7yWFveOTg8NLPHAkqrs4ZPlTU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.9/go.mod h1:V9rQKRmK7AWuEsOMnHzKj8WyrIir1yUJbZxDuZLFvXI=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1 h1:oegbebPEMA/1Jny7kvwejowCaHz1FWZAQ94WXFNCyTM=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.1/go.mod h1:kemo5Myr9ac0U9JfSjMo9yHLtw+pECEHsFtJ9tqCEI8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9 h1:5r34CgVOD4WZudeEKZ9/iKpiT6cM1JyEROpXjOcdWv8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.9/go.mod h1:dB12CEbNWPbzO2uC6QSWHteqOg4JfBVJOojbAoAUb5I=
-github.com/aws/aws-sdk-go-v2/service/kms v1.45.6 h1:Br3kil4j7RPW+7LoLVkYt8SuhIWlg6ylmbmzXJ7PgXY=
-github.com/aws/aws-sdk-go-v2/service/kms v1.45.6/go.mod h1:FKXkHzw1fJZtg1P1qoAIiwen5thz/cDRTTDCIu8ljxc=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.6 h1:A1oRkiSQOWstGh61y4Wc/yQ04sqrQZr1Si/oAXj20/s=
-github.com/aws/aws-sdk-go-v2/service/sso v1.29.6/go.mod h1:5PfYspyCU5Vw1wNPsxi15LZovOnULudOQuVxphSflQA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 h1:5fm5RTONng73/QA73LhCNR7UT9RpFH3hR6HWL6bIgVY=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1/go.mod h1:xBEjWD13h+6nq+z4AkqSfSvqRKFgDIQeaMguAJndOWo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 h1:p3jIvqYwUZgu/XYeI48bJxOhvm47hZb5HUQ0tn6Q9kA=
-github.com/aws/aws-sdk-go-v2/service/sts v1.38.6/go.mod h1:WtKK+ppze5yKPkZ0XwqIVWD4beCwv056ZbPQNoeHqM8=
-github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE=
-github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/aws/aws-sdk-go-v2 v1.39.4 h1:qTsQKcdQPHnfGYBBs+Btl8QwxJeoWcOcPcixK90mRhg=
+github.com/aws/aws-sdk-go-v2 v1.39.4/go.mod h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM=
+github.com/aws/aws-sdk-go-v2/config v1.31.15 h1:gE3M4xuNXfC/9bG4hyowGm/35uQTi7bUKeYs5e/6uvU=
+github.com/aws/aws-sdk-go-v2/config v1.31.15/go.mod h1:HvnvGJoE2I95KAIW8kkWVPJ4XhdrlvwJpV6pEzFQa8o=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.19 h1:Jc1zzwkSY1QbkEcLujwqRTXOdvW8ppND3jRBb/VhBQc=
+github.com/aws/aws-sdk-go-v2/credentials v1.18.19/go.mod h1:DIfQ9fAk5H0pGtnqfqkbSIzky82qYnGvh06ASQXXg6A=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11 h1:X7X4YKb+c0rkI6d4uJ5tEMxXgCZ+jZ/D6mvkno8c8Uw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.11/go.mod h1:EqM6vPZQsZHYvC4Cai35UDg/f5NCEU+vp0WfbVqVcZc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11 h1:7AANQZkF3ihM8fbdftpjhken0TP9sBzFbV/Ze/Y4HXA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.11/go.mod h1:NTF4QCGkm6fzVwncpkFQqoquQyOolcyXfbpC98urj+c=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11 h1:ShdtWUZT37LCAA4Mw2kJAJtzaszfSHFb5n25sdcv4YE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.11/go.mod h1:7bUb2sSr2MZ3M/N+VyETLTQtInemHXb/Fl3s8CLzm0Y=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11 h1:GpMf3z2KJa4RnJ0ew3Hac+hRFYLZ9DDjfgXjuW+pB54=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.11/go.mod h1:6MZP3ZI4QQsgUCFTwMZA2V0sEriNQ8k2hmoHF3qjimQ=
+github.com/aws/aws-sdk-go-v2/service/kms v1.46.2 h1:hz2rJseQXnVQtVbByFpeSCNJBBU7oFN+yenW4biJtvs=
+github.com/aws/aws-sdk-go-v2/service/kms v1.46.2/go.mod h1:E4ink1KCQgqIe2pHFD9E+b5CNXovm50rQbWFuh0cM+I=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.8 h1:M5nimZmugcZUO9wG7iVtROxPhiqyZX6ejS1lxlDPbTU=
+github.com/aws/aws-sdk-go-v2/service/sso v1.29.8/go.mod h1:mbef/pgKhtKRwrigPPs7SSSKZgytzP8PQ6P6JAAdqyM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 h1:S5GuJZpYxE0lKeMHKn+BRTz6PTFpgThyJ+5mYfux7BM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3/go.mod h1:X4OF+BTd7HIb3L+tc4UlWHVrpgwZZIVENU15pRDVTI0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 h1:Ekml5vGg6sHSZLZJQJagefnVe6PmqC2oiRkBq4F7fU0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.38.9/go.mod h1:/e15V+o1zFHWdH3u7lpI3rVBcxszktIKuHKCY2/py+k=
+github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M=
+github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/ccoveille/go-safecast v1.7.0 h1:i+0eldPFBeXCTARGyocNS6BNRomquA/GhTZVNEtaIXI=
@@ -409,8 +409,6 @@ go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFh
 go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.step.sm/crypto v0.72.0 h1:cwkxbmnN8jj8YWmoXdoGhaac81d2SwXguwmHN9KJxHw=
-go.step.sm/crypto v0.72.0/go.mod h1:EAy7MSOXxCvCaDAKJqz0bLdTSDdhpEM9xqye8XsfrM4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=