feature: upgrade go, add -version flag, more bin arch (#1)

* upgrade go to 1.21
* add `-version` flag
* more bin arch

Signed-off-by: xiexianbin <me@xiexianbin.cn>

Author: xiexianbin

.github/workflows/greetings.yml

@@ -7,6 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/first-interaction@v1
+      continue-on-error: true
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         issue-message: "# Welcome.\nThanks for your issue."

.github/workflows/label.yml

@@ -14,6 +14,6 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/labeler@v2
+    - uses: actions/labeler@v4
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/licensed.yml

@@ -1,6 +1,13 @@
 name: Licensed
 
 on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'run license action reason'
+        required: false
+        type: string
+        default: 'manually test'
   push:
     branches:
       - main

.github/workflows/release-new-action-version.yml

@@ -1,5 +1,12 @@
 name: Release new action version
 on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'run release action reason'
+        required: false
+        type: string
+        default: 'manually test'
   push:
     tags:
       - "v*.*.*"
@@ -8,14 +15,9 @@ permissions:
   contents: write
 
 jobs:
-  build:
+  release:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Release
-        uses: softprops/action-gh-release@v1
-
       - name: Checkout
         uses: actions/checkout@v3
 
@@ -40,8 +42,12 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: |
+            bin/xca-linux-amd64
+            bin/xca-linux-arm64
+            bin/xca-linux-ppc64le
+            bin/xca-linux-s390x
+            bin/xca-darwin-amd64
+            bin/xca-darwin-arm64
+            bin/xca-windows-amd64.exe
             Release.txt
             LICENSE
-            bin/xca-linux
-            bin/xca-darwin
-            bin/xca-windows

.github/workflows/workflow.yaml

@@ -1,8 +1,21 @@
-name: build-test
+name: workflow
 on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'run action reason'
+        required: false
+        type: string
+        default: 'manually test'
   push:
     branches:
       - main
+      - dev
+      - bug/**
+      - fix/**
+      - bugfix/**
+      - feature/**
+      - release/**
     paths-ignore:
       - '**.md'
   pull_request:
@@ -14,14 +27,14 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.17.0-rc.2', '1.16.1' ]
+        go: [ '1.19.11', '1.20.6', '1.21.10' ]
     name: Go ${{ matrix.go }} test
     steps:
       - name: Checkout
         uses: actions/checkout@v3
 
       - name: Setup Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
 

.gitignore

@@ -17,4 +17,5 @@
 bin/
 .history/
 .idea/
+.lh/
 x-ca

Makefile

@@ -1,30 +1,108 @@
 # https://www.xiexianbin.cn/program/tools/2016-01-09-makefile/index.html
-.PHONY: all test clean build build-linux build-mac build-windows
-
-GOCMD=go
-GOBUILD=$(GOCMD) build
-GOCLEAN=$(GOCMD) clean
-GOTEST=$(GOCMD) test
-BINARY_NAME=xca
-BINARY_LINUX=$(BINARY_NAME)-linux
-BINARY_MAC=$(BINARY_NAME)-darwin
-BINARY_WIN=$(BINARY_NAME)-windows
-
-help:  ## Show this help.
-	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
-
-all: clean test build build-linux build-mac build-windows  ## Build all
-test:  ## run test
+export SHELL:=bash
+export SHELLOPTS:=$(if $(SHELLOPTS),$(SHELLOPTS):)pipefail:errexit
+
+# https://stackoverflow.com/questions/4122831/disable-make-builtin-rules-and-variables-from-inside-the-make-file
+MAKEFLAGS += --no-builtin-rules
+.SUFFIXES:
+
+VERSION        := latest
+BUILD_DATE     := $(shell TZ=UTC-8 date +'%Y-%m-%dT%H:%M:%SZ+08:00')
+GIT_COMMIT     := $(shell git rev-parse HEAD || echo unknown)
+GIT_BRANCH     := $(shell git rev-parse --symbolic-full-name --verify --quiet --abbrev-ref HEAD)
+GIT_TAG        := $(shell git describe --exact-match --tags --abbrev=0  2> /dev/null || echo untagged)
+GIT_TREE_STATE := $(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
+RELEASE_TAG    := $(shell if [[ "$(GIT_TAG)" =~ ^v[0-9]+\.[0-9]+\.[0-9]+.*$$ ]]; then echo "true"; else echo "false"; fi)
+DEV_BRANCH            := $(shell [ "$(GIT_BRANCH)" = master ] || [ `echo $(GIT_BRANCH) | cut -c -8` = release- ] || [ `echo $(GIT_BRANCH) | cut -c -4` = dev- ] || [ $(RELEASE_TAG) = true ] && echo false || echo true)
+
+GOCMD   ?= go
+GOBUILD ?= $(GOCMD) build -v
+GOCLEAN ?= $(GOCMD) clean
+GOTEST  ?= $(GOCMD) test -v -p 20
+
+linux-amd64: GOARGS = GOOS=linux GOARCH=amd64
+linux-arm64: GOARGS = GOOS=linux GOARCH=arm64
+linux-ppc64le: GOARGS = GOOS=linux GOARCH=ppc64le
+linux-s390x: GOARGS = GOOS=linux GOARCH=s390x
+darwin-amd64: GOARGS = GOOS=darwin GOARCH=amd64
+darwin-arm64: GOARGS = GOOS=darwin GOARCH=arm64
+windows-amd64: GOARGS = GOOS=windows GOARCH=amd64
+
+BINARY_NAME  ?= xca
+IMG          ?= xiexianbin/go-actions-demo:latest
+
+ifeq ($(RELEASE_TAG),true)
+VERSION        := $(GIT_TAG)
+endif
+
+# $(info GIT_COMMIT=$(GIT_COMMIT) GIT_BRANCH=$(GIT_BRANCH) GIT_TAG=$(GIT_TAG) GIT_TREE_STATE=$(GIT_TREE_STATE) RELEASE_TAG=$(RELEASE_TAG) DEV_BRANCH=$(DEV_BRANCH) VERSION=$(VERSION))
+# $(info MAKEFILE_LIST=${MAKEFILE_LIST})
+
+# -X github.com/xiexianbin/go-actions-demo.version=$(VERSION)
+override LDFLAGS += \
+  -X main.version=$(VERSION) \
+  -X main.buildDate=$(BUILD_DATE) \
+	-X main.gitCommit=$(GIT_COMMIT) \
+  -X main.gitTreeState=$(GIT_TREE_STATE)
+
+ifneq ($(GIT_TAG),)
+override LDFLAGS += -X main.gitTag=${GIT_TAG}
+endif
+
+SUB_BUILD_CMD ?= $(GOBUILD)  -gcflags '${GCFLAGS}' -ldflags '${LDFLAGS}  -extldflags -static'
+
+.PHONY: help
+help:  ## Show this help
+	@awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z0-9_-]+:.*?## / {sub("\\\\n",sprintf("\n%22c"," "), $$2);printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+.PHONY: all
+all: clean test build linux-amd64 linux-arm64 linux-ppc64le linux-s390x darwin-amd64 darwin-arm64 windows-amd64  ## Build all
+
+.PHONY: test
+test:  ## Run test
 	$(GOTEST) -v ./...
-clean: ## run clean bin files
+
+.PHONY: clean
+clean: ## Run clean bin files
 	$(GOCLEAN)
-	rm -f bin/$(BINARY_NAME)
-build:  ## build for current os
-	$(GOBUILD) -o bin/$(BINARY_NAME) -v
-
-build-linux:  ## build linux amd64
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 $(GOBUILD) -o bin/$(BINARY_LINUX) -v
-build-mac:  ## build mac amd64
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 $(GOBUILD) -o bin/$(BINARY_MAC) -v
-build-windows:  ## build windows amd64
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 $(GOBUILD) -o bin/$(BINARY_WIN) -v
+	rm -f bin/*
+
+.PHONY: build
+build:  ## Build for current os
+	${SUB_BUILD_CMD} -o bin/$(BINARY_NAME)
+
+.PHONY: linux-amd64
+linux-amd64:  ## Build linux amd64
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+
+.PHONY: linux-arm64
+linux-arm64:  ## Build linux arm64
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+
+.PHONY: linux-ppc64le
+linux-ppc64le:  ## Build linux ppc64le
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+
+.PHONY: linux-s390x
+linux-s390x:  ## Build linux s390x
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+
+.PHONY: darwin-amd64
+darwin-amd64:  ## Build darwin amd64
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+
+.PHONY: darwin-arm64
+darwin-arm64:  ## Build darwin arm64
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@
+
+.PHONY: windows-amd64
+windows-amd64:  ## Build windows amd64
+	CGO_ENABLED=0 ${GOARGS} ${SUB_BUILD_CMD} -o bin/${BINARY_NAME}-$@.exe
+
+.PHONY: docker-build
+docker-build: test  ## Build docker image
+	docker build -t ${IMG} .
+
+.PHONY: docker-push
+docker-push:  ## Push docker image
+	docker push ${IMG}

README.md

@@ -1,6 +1,6 @@
 # go-ca
 
-[![build-test](https://github.com/x-ca/go-ca/actions/workflows/workflow.yaml/badge.svg)](https://github.com/x-ca/go-ca/actions/workflows/workflow.yaml)
+[![build](https://github.com/x-ca/go-ca/actions/workflows/workflow.yaml/badge.svg)](https://github.com/x-ca/go-ca/actions/workflows/workflow.yaml)
 [![GoDoc](https://godoc.org/github.com/x-ca/go-ca?status.svg)](https://pkg.go.dev/github.com/x-ca/go-ca)
 [![Go Report Card](https://goreportcard.com/badge/github.com/x-ca/go-ca)](https://goreportcard.com/report/github.com/x-ca/go-ca)
 
@@ -11,7 +11,7 @@ shell implement at [x-ca/x-ca](https://github.com/x-ca/x-ca)
 ## install
 
 ```
-curl -Lfs -o xca https://github.com/x-ca/go-ca/releases/latest/download/xca-{linux|darwin|windows}
+curl -Lfs -o xca https://github.com/x-ca/go-ca/releases/latest/download/xca-{linux|darwin|windows}-{amd64|arm64|s390x|ppc64le}
 chmod +x xca
 mv xca /usr/local/bin/
 ```
@@ -58,6 +58,8 @@ Usage:
     	Second-Level private key file path, PEM format. (default "x-ca/ca/tls-ca/private/tls-ca.key")
   -tls-key-password string
     	tls key password, only work for load github.com/x-ca/x-ca.
+  -version
+    	show version info.
 
 Source Code:
   https://github.com/x-ca/go-ca
@@ -109,7 +111,7 @@ visit https://dev.xiexianbin.cn:8443/
 
 ## FaQ
 
-if CA Cert begin with `BEGIN ENCRYPTED PRIVATE KEY`(raise `Error: fromPEMBytes: x509: no DEK-Info header in block`), 
+if CA Cert begin with `BEGIN ENCRYPTED PRIVATE KEY`(raise `Error: fromPEMBytes: x509: no DEK-Info header in block`),
 Use `openssl rsa -in root-ca.key -des3` change cipher
 
 ## Ref

SECURITY.md

@@ -0,0 +1,18 @@
+# Security Policy
+
+If you have discovered a security vulnerability in this project, please report it
+privately. **Do not disclose it as a public issue.** This gives us time to work with you
+to fix the issue before public exposure, reducing the chance that the exploit will be
+used before a patch is released.
+
+You may submit the report in the following ways:
+
+- send an email to me@xiexianbin.cn
+- send us a [private vulnerability report](https://github.com/x-ca/go-ca/security/advisories/new)
+
+Please provide the following information in your report:
+
+- A description of the vulnerability and its impact
+- How to reproduce the issue
+
+We ask that you give us 90 days to work on a fix before public exposure.

ca/root.go

@@ -21,7 +21,6 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 	"sort"
@@ -66,8 +65,8 @@ func NewRootCA(keyBits int) (*RootCA, error) {
 
 // LoadRootCA create new tls CA
 func LoadRootCA(keyPath, certPath, password string) (*RootCA, error) {
-	keyBytes, kErr := ioutil.ReadFile(keyPath)
-	certBytes, cErr := ioutil.ReadFile(certPath)
+	keyBytes, kErr := os.ReadFile(keyPath)
+	certBytes, cErr := os.ReadFile(certPath)
 	if kErr != nil {
 		return nil, kErr
 	} else if cErr != nil {
@@ -103,6 +102,11 @@ func LoadRootCA(keyPath, certPath, password string) (*RootCA, error) {
 	var key *rsa.PrivateKey
 	var err error
 	if x509.IsEncryptedPEMBlock(keyBlock) == true {
+		// https://pkg.go.dev/crypto/x509@go1.22.2#IsEncryptedPEMBlock
+		fmt.Println("Legacy PEM encryption as specified in RFC 1423 is insecure by design. " +
+			"Since it does not authenticate the ciphertext, it is vulnerable to padding " +
+			"oracle attacks that can let an attacker recover the plaintext.\n" +
+			"https://pkg.go.dev/crypto/x509@go1.22.2#IsEncryptedPEMBlock")
 		der, err := x509.DecryptPEMBlock(keyBlock, []byte(password))
 		if err != nil {
 			return nil, err
@@ -136,7 +140,7 @@ func LoadRootCA(keyPath, certPath, password string) (*RootCA, error) {
 	if certPKErr != nil {
 		return nil, certPKErr
 	}
-	if bytes.Compare(keyPKBytes, certPKBytes) != 0 {
+	if !bytes.Equal(keyPKBytes, certPKBytes) {
 		return nil, fmt.Errorf("public key in CA certificate %s don't match private key in %s", certPath, keyPath)
 	}