diff --git a/go.mod b/go.mod index c20741820dd..85db74d8409 100644 --- a/go.mod +++ b/go.mod @@ -2,7 +2,7 @@ module github.com/containers/buildah // Warning: Ensure the "go" and "toolchain" versions match exactly to prevent unwanted auto-updates -go 1.24.3 +go 1.24.6 require ( github.com/containerd/platforms v1.0.0-rc.2 @@ -29,7 +29,7 @@ require ( github.com/opencontainers/selinux v1.13.1 github.com/openshift/imagebuilder v1.2.19 github.com/seccomp/libseccomp-golang v0.11.1 - github.com/sirupsen/logrus v1.9.3 + github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af github.com/spf13/cobra v1.10.1 github.com/spf13/pflag v1.0.10 github.com/stretchr/testify v1.11.1 @@ -87,7 +87,6 @@ require ( github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.18.1 // indirect github.com/klauspost/pgzip v1.2.6 // indirect - github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/manifoldco/promptui v0.9.0 // indirect github.com/mattn/go-runewidth v0.0.19 // indirect github.com/mattn/go-sqlite3 v1.14.32 // indirect @@ -103,21 +102,20 @@ require ( github.com/moby/sys/user v0.4.0 // indirect github.com/moby/term v0.5.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.2 // indirect + github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect github.com/morikuni/aec v1.0.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect - github.com/proglottis/gpgme v0.1.5 // indirect + github.com/proglottis/gpgme v0.1.6 // indirect github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect - github.com/sigstore/fulcio v1.7.1 // indirect - github.com/sigstore/protobuf-specs v0.4.1 // indirect - github.com/sigstore/sigstore v1.9.5 // indirect + github.com/sigstore/fulcio v1.8.1 // indirect + github.com/sigstore/protobuf-specs v0.5.0 // indirect + github.com/sigstore/sigstore v1.9.6-0.20251111174640-d8ab8afb1326 // indirect github.com/smallstep/pkcs7 v0.1.1 // indirect github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect github.com/sylabs/sif/v2 v2.22.0 // indirect github.com/tchap/go-patricia/v2 v2.3.3 // indirect - github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/ulikunitz/xz v0.5.15 // indirect github.com/vbatts/tar-split v0.12.2 // indirect github.com/vbauerster/mpb/v8 v8.11.2 // indirect @@ -128,12 +126,12 @@ require ( go.opentelemetry.io/otel v1.38.0 // indirect go.opentelemetry.io/otel/metric v1.38.0 // indirect go.opentelemetry.io/otel/trace v1.38.0 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect + go.yaml.in/yaml/v2 v2.4.3 // indirect golang.org/x/mod v0.29.0 // indirect golang.org/x/net v0.47.0 // indirect golang.org/x/text v0.31.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect google.golang.org/grpc v1.76.0 // indirect google.golang.org/protobuf v1.36.10 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect @@ -141,3 +139,9 @@ require ( sigs.k8s.io/yaml v1.6.0 // indirect tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 // indirect ) + +replace go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20251125203705-983dbfee824b + +replace go.podman.io/storage => github.com/lsm5/container-libs/storage v0.0.0-20251125203705-983dbfee824b + +replace go.podman.io/image/v5 => github.com/lsm5/container-libs/image/v5 v5.0.0-20251125203705-983dbfee824b diff --git a/go.sum b/go.sum index d6d571cac4f..9543a05d6e6 100644 --- a/go.sum +++ b/go.sum @@ -18,14 +18,10 @@ github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpH github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo= github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 h1:5L8Mj9Co9sJVgW3TpYk2gxGJnDjsYuboNTcRmbtGKGs= github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6/go.mod h1:3HgLJ9d18kXMLQlJvIY3+FszZYMxCz8WfE2MQ7hDY0w= -github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM= github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= -github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= -github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/logex v1.2.1 h1:XHDu3E6q+gdHgsdTPH6ImJMIp436vR6MPtH8gP05QzM= github.com/chzyer/logex v1.2.1/go.mod h1:JLbx6lG2kDbNRFnfkgvh4eRJRPX1QCoOIWomwysCBrQ= @@ -78,8 +74,8 @@ github.com/disiqueira/gotree/v3 v3.0.2 h1:ik5iuLQQoufZBNPY518dXhiO5056hyNBIK9lWh github.com/disiqueira/gotree/v3 v3.0.2/go.mod h1:ZuyjE4+mUQZlbpkI24AmruZKhg3VHEgPLDY8Qk+uUu8= github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= -github.com/docker/cli v29.0.2+incompatible h1:iLuKy2GWOSLXGp8feLYBJQVDv7m/8xoofz6lPq41x6A= -github.com/docker/cli v29.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v29.0.4+incompatible h1:mffN/hPqaI39vx/4QiSkdldHeM0rP1ZZBIXRUOPI5+I= +github.com/docker/cli v29.0.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM= @@ -106,8 +102,6 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= -github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/godbus/dbus/v5 v5.2.0 h1:3WexO+U+yg9T70v9FdHr9kCxYlazaAXUhx2VMkbfax8= github.com/godbus/dbus/v5 v5.2.0/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= @@ -129,8 +123,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU= -github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 h1:NmZ1PKzSTQbuGHw9DGPFomqkkLWMC+vZCkfs+FHv1Vg= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3/go.mod h1:zQrxl1YP88HQlA6i9c63DSVPFklWpGX4OWAc9bFuaH4= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= @@ -140,8 +134,6 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/jinzhu/copier v0.4.0 h1:w3ciUoD19shMCRargcpm0cm91ytaBhDvuRpz1ODO/U8= github.com/jinzhu/copier v0.4.0/go.mod h1:DfbEm0FYsaqBcKcFuvmOZb218JkPGtvSHsKg8S8hyyg= -github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= -github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= @@ -154,8 +146,12 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec h1:2tTW6cDth2TSgRbAhD7yjZzTQmcN25sDRPEeinR51yQ= -github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec/go.mod h1:TmwEoGCwIti7BCeJ9hescZgRtatxRE+A72pCoPfmcfk= +github.com/lsm5/container-libs/common v0.0.0-20251125203705-983dbfee824b h1:T3Ua/i/1D9QXzGGR4L6WMB+uE3ofaBBSFNUoK6w0v+I= +github.com/lsm5/container-libs/common v0.0.0-20251125203705-983dbfee824b/go.mod h1:Hkrtv0G+eJBvJxXlDBB5O10fIhHuq7Jq4MGJYDkHApw= +github.com/lsm5/container-libs/image/v5 v5.0.0-20251125203705-983dbfee824b h1:uoUryJtcVdcpEiycaqJnCnvW64kJmxlSwnBmMdAWMAA= +github.com/lsm5/container-libs/image/v5 v5.0.0-20251125203705-983dbfee824b/go.mod h1:5YJtk/ShzEmtIxrJTjiF/0Q4SfuDfWDt9c/kKpwu7MQ= +github.com/lsm5/container-libs/storage v0.0.0-20251125203705-983dbfee824b h1:YbLqeJijElJvPebzKu2Dx5hMEMmCm8rIDDmII9tYBH4= +github.com/lsm5/container-libs/storage v0.0.0-20251125203705-983dbfee824b/go.mod h1:izI0U2FxSpqivwmkVbTO7ECcoER6FnM6ZL7CFPu0Tfs= github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA= github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg= github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw= @@ -197,12 +193,11 @@ github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFL github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= +github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A= github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= -github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns= github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo= github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= @@ -230,16 +225,8 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/proglottis/gpgme v0.1.5 h1:KCGyOw8sQ+SI96j6G8D8YkOGn+1TwbQTT9/zQXoVlz0= -github.com/proglottis/gpgme v0.1.5/go.mod h1:5LoXMgpE4bttgwwdv9bLs/vwqv3qV7F4glEEZ7mRKrM= -github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= -github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= -github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= -github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= -github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= +github.com/proglottis/gpgme v0.1.6 h1:8WpQ8VWggLdxkuTnW+sZ1r1t92XBNd8GZNDhQ4Rz+98= +github.com/proglottis/gpgme v0.1.6/go.mod h1:5LoXMgpE4bttgwwdv9bLs/vwqv3qV7F4glEEZ7mRKrM= github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ= github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= @@ -251,16 +238,16 @@ github.com/seccomp/libseccomp-golang v0.11.1 h1:wuk4ZjSx6kyQII4rj6G6fvVzRHQaSiPv github.com/seccomp/libseccomp-golang v0.11.1/go.mod h1:5m1Lk8E9OwgZTTVz4bBOer7JuazaBa+xTkM895tDiWc= github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g= github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU= -github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= -github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= -github.com/sigstore/fulcio v1.7.1 h1:RcoW20Nz49IGeZyu3y9QYhyyV3ZKQ85T+FXPKkvE+aQ= -github.com/sigstore/fulcio v1.7.1/go.mod h1:7lYY+hsd8Dt+IvKQRC+KEhWpCZ/GlmNvwIa5JhypMS8= -github.com/sigstore/protobuf-specs v0.4.1 h1:5SsMqZbdkcO/DNHudaxuCUEjj6x29tS2Xby1BxGU7Zc= -github.com/sigstore/protobuf-specs v0.4.1/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= -github.com/sigstore/sigstore v1.9.5 h1:Wm1LT9yF4LhQdEMy5A2JeGRHTrAWGjT3ubE5JUSrGVU= -github.com/sigstore/sigstore v1.9.5/go.mod h1:VtxgvGqCmEZN9X2zhFSOkfXxvKUjpy8RpUW39oCtoII= -github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= -github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw= +github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= +github.com/sigstore/fulcio v1.8.1 h1:PmoQv3XmhjR2BWFWw5LcMUXJPmhyizOIL7HeYnpio58= +github.com/sigstore/fulcio v1.8.1/go.mod h1:7tP3KW9eCGlPYRj5N4MSuUOat7CkeIHuXZ2jAUQ+Rwc= +github.com/sigstore/protobuf-specs v0.5.0 h1:F8YTI65xOHw70NrvPwJ5PhAzsvTnuJMGLkA4FIkofAY= +github.com/sigstore/protobuf-specs v0.5.0/go.mod h1:+gXR+38nIa2oEupqDdzg4qSBT0Os+sP7oYv6alWewWc= +github.com/sigstore/sigstore v1.9.6-0.20251111174640-d8ab8afb1326 h1:s39MsSDVn8LhePV5adidcOjjKHaplLxpHM1mvbC24l4= +github.com/sigstore/sigstore v1.9.6-0.20251111174640-d8ab8afb1326/go.mod h1:xSCb7eki7lCdi+mNh4I4MVpKPP2cWGtDYmSPPmX/K70= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0= +github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= github.com/smallstep/pkcs7 v0.1.1 h1:x+rPdt2W088V9Vkjho4KtoggyktZJlMduZAtRHm68LU= github.com/smallstep/pkcs7 v0.1.1/go.mod h1:dL6j5AIz9GHjVEBTXtW+QliALcgM19RtXaTeyxI+AfA= github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s= @@ -279,8 +266,6 @@ github.com/sylabs/sif/v2 v2.22.0 h1:Y+xXufp4RdgZe02SR3nWEg7S6q4tPWN237WHYzkDSKA= github.com/sylabs/sif/v2 v2.22.0/go.mod h1:W1XhWTmG1KcG7j5a3KSYdMcUIFvbs240w/MMVW627hs= github.com/tchap/go-patricia/v2 v2.3.3 h1:xfNEsODumaEcCcY3gI0hYPZ/PcpVv5ju6RMAhgwZDDc= github.com/tchap/go-patricia/v2 v2.3.3/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= -github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= -github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4= @@ -322,14 +307,8 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs= go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= -go.podman.io/common v0.66.1-0.20251120131032-23712697ddda h1:Ib1vIEYB5eCSz3G09sROyY/j09jztFlWRm4G52vWj3k= -go.podman.io/common v0.66.1-0.20251120131032-23712697ddda/go.mod h1:8qbjUhjwp4i5u1O19vzwYW2qwIuPdFXIuv4nl3Z8px8= -go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda h1:YySc/E4bpD5b5y4kFN/7ZDo5JcXnOpPfwU78kH9D+EU= -go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda/go.mod h1:9DniP9NaGH03kzwNKYEtOXgRJwO+cQHENH+G4sOwLNc= -go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda h1:bC4fEguil4pwVp2U2zKWUC5ouqIwRDdtyJxtX1bPY+0= -go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda/go.mod h1:4p18A5ymiiJTllTu2Eo7CX88SO+V110TMzi31pXsb1s= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= +go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= +go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= @@ -436,10 +415,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk= gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E= -google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY= -google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 h1:eaY8u2EuxbRv7c3NiGK0/NedzVsCcV6hDuU5qPX5EGE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5/go.mod h1:M4/wBTSeyLxupu3W3tJtOgB14jILAS/XWPSSa3TAlJc= +google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 h1:8XJ4pajGwOlasW+L13MnEGA8W4115jJySQtVfS2/IBU= +google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4/go.mod h1:NnuHhy+bxcg30o7FnVAZbXsPHUDQ9qKWAQKCD7VxFtk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk= google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A= google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c= google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= diff --git a/vendor/github.com/letsencrypt/boulder/LICENSE.txt b/vendor/github.com/letsencrypt/boulder/LICENSE.txt deleted file mode 100644 index fa274d92d74..00000000000 --- a/vendor/github.com/letsencrypt/boulder/LICENSE.txt +++ /dev/null @@ -1,375 +0,0 @@ -Copyright 2016 ISRG. All rights reserved. - -Mozilla Public License Version 2.0 -================================== - -1. Definitions --------------- - -1.1. "Contributor" - means each individual or legal entity that creates, contributes to - the creation of, or owns Covered Software. - -1.2. "Contributor Version" - means the combination of the Contributions of others (if any) used - by a Contributor and that particular Contributor's Contribution. - -1.3. "Contribution" - means Covered Software of a particular Contributor. - -1.4. "Covered Software" - means Source Code Form to which the initial Contributor has attached - the notice in Exhibit A, the Executable Form of such Source Code - Form, and Modifications of such Source Code Form, in each case - including portions thereof. - -1.5. "Incompatible With Secondary Licenses" - means - - (a) that the initial Contributor has attached the notice described - in Exhibit B to the Covered Software; or - - (b) that the Covered Software was made available under the terms of - version 1.1 or earlier of the License, but not also under the - terms of a Secondary License. - -1.6. "Executable Form" - means any form of the work other than Source Code Form. - -1.7. "Larger Work" - means a work that combines Covered Software with other material, in - a separate file or files, that is not Covered Software. - -1.8. "License" - means this document. - -1.9. "Licensable" - means having the right to grant, to the maximum extent possible, - whether at the time of the initial grant or subsequently, any and - all of the rights conveyed by this License. - -1.10. "Modifications" - means any of the following: - - (a) any file in Source Code Form that results from an addition to, - deletion from, or modification of the contents of Covered - Software; or - - (b) any new file in Source Code Form that contains any Covered - Software. - -1.11. "Patent Claims" of a Contributor - means any patent claim(s), including without limitation, method, - process, and apparatus claims, in any patent Licensable by such - Contributor that would be infringed, but for the grant of the - License, by the making, using, selling, offering for sale, having - made, import, or transfer of either its Contributions or its - Contributor Version. - -1.12. "Secondary License" - means either the GNU General Public License, Version 2.0, the GNU - Lesser General Public License, Version 2.1, the GNU Affero General - Public License, Version 3.0, or any later versions of those - licenses. - -1.13. "Source Code Form" - means the form of the work preferred for making modifications. - -1.14. "You" (or "Your") - means an individual or a legal entity exercising rights under this - License. For legal entities, "You" includes any entity that - controls, is controlled by, or is under common control with You. For - purposes of this definition, "control" means (a) the power, direct - or indirect, to cause the direction or management of such entity, - whether by contract or otherwise, or (b) ownership of more than - fifty percent (50%) of the outstanding shares or beneficial - ownership of such entity. - -2. License Grants and Conditions --------------------------------- - -2.1. Grants - -Each Contributor hereby grants You a world-wide, royalty-free, -non-exclusive license: - -(a) under intellectual property rights (other than patent or trademark) - Licensable by such Contributor to use, reproduce, make available, - modify, display, perform, distribute, and otherwise exploit its - Contributions, either on an unmodified basis, with Modifications, or - as part of a Larger Work; and - -(b) under Patent Claims of such Contributor to make, use, sell, offer - for sale, have made, import, and otherwise transfer either its - Contributions or its Contributor Version. - -2.2. Effective Date - -The licenses granted in Section 2.1 with respect to any Contribution -become effective for each Contribution on the date the Contributor first -distributes such Contribution. - -2.3. Limitations on Grant Scope - -The licenses granted in this Section 2 are the only rights granted under -this License. No additional rights or licenses will be implied from the -distribution or licensing of Covered Software under this License. -Notwithstanding Section 2.1(b) above, no patent license is granted by a -Contributor: - -(a) for any code that a Contributor has removed from Covered Software; - or - -(b) for infringements caused by: (i) Your and any other third party's - modifications of Covered Software, or (ii) the combination of its - Contributions with other software (except as part of its Contributor - Version); or - -(c) under Patent Claims infringed by Covered Software in the absence of - its Contributions. - -This License does not grant any rights in the trademarks, service marks, -or logos of any Contributor (except as may be necessary to comply with -the notice requirements in Section 3.4). - -2.4. Subsequent Licenses - -No Contributor makes additional grants as a result of Your choice to -distribute the Covered Software under a subsequent version of this -License (see Section 10.2) or under the terms of a Secondary License (if -permitted under the terms of Section 3.3). - -2.5. Representation - -Each Contributor represents that the Contributor believes its -Contributions are its original creation(s) or it has sufficient rights -to grant the rights to its Contributions conveyed by this License. - -2.6. Fair Use - -This License is not intended to limit any rights You have under -applicable copyright doctrines of fair use, fair dealing, or other -equivalents. - -2.7. Conditions - -Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted -in Section 2.1. - -3. Responsibilities -------------------- - -3.1. Distribution of Source Form - -All distribution of Covered Software in Source Code Form, including any -Modifications that You create or to which You contribute, must be under -the terms of this License. You must inform recipients that the Source -Code Form of the Covered Software is governed by the terms of this -License, and how they can obtain a copy of this License. You may not -attempt to alter or restrict the recipients' rights in the Source Code -Form. - -3.2. Distribution of Executable Form - -If You distribute Covered Software in Executable Form then: - -(a) such Covered Software must also be made available in Source Code - Form, as described in Section 3.1, and You must inform recipients of - the Executable Form how they can obtain a copy of such Source Code - Form by reasonable means in a timely manner, at a charge no more - than the cost of distribution to the recipient; and - -(b) You may distribute such Executable Form under the terms of this - License, or sublicense it under different terms, provided that the - license for the Executable Form does not attempt to limit or alter - the recipients' rights in the Source Code Form under this License. - -3.3. Distribution of a Larger Work - -You may create and distribute a Larger Work under terms of Your choice, -provided that You also comply with the requirements of this License for -the Covered Software. If the Larger Work is a combination of Covered -Software with a work governed by one or more Secondary Licenses, and the -Covered Software is not Incompatible With Secondary Licenses, this -License permits You to additionally distribute such Covered Software -under the terms of such Secondary License(s), so that the recipient of -the Larger Work may, at their option, further distribute the Covered -Software under the terms of either this License or such Secondary -License(s). - -3.4. Notices - -You may not remove or alter the substance of any license notices -(including copyright notices, patent notices, disclaimers of warranty, -or limitations of liability) contained within the Source Code Form of -the Covered Software, except that You may alter any license notices to -the extent required to remedy known factual inaccuracies. - -3.5. Application of Additional Terms - -You may choose to offer, and to charge a fee for, warranty, support, -indemnity or liability obligations to one or more recipients of Covered -Software. However, You may do so only on Your own behalf, and not on -behalf of any Contributor. You must make it absolutely clear that any -such warranty, support, indemnity, or liability obligation is offered by -You alone, and You hereby agree to indemnify every Contributor for any -liability incurred by such Contributor as a result of warranty, support, -indemnity or liability terms You offer. You may include additional -disclaimers of warranty and limitations of liability specific to any -jurisdiction. - -4. Inability to Comply Due to Statute or Regulation ---------------------------------------------------- - -If it is impossible for You to comply with any of the terms of this -License with respect to some or all of the Covered Software due to -statute, judicial order, or regulation then You must: (a) comply with -the terms of this License to the maximum extent possible; and (b) -describe the limitations and the code they affect. Such description must -be placed in a text file included with all distributions of the Covered -Software under this License. Except to the extent prohibited by statute -or regulation, such description must be sufficiently detailed for a -recipient of ordinary skill to be able to understand it. - -5. Termination --------------- - -5.1. The rights granted under this License will terminate automatically -if You fail to comply with any of its terms. However, if You become -compliant, then the rights granted under this License from a particular -Contributor are reinstated (a) provisionally, unless and until such -Contributor explicitly and finally terminates Your grants, and (b) on an -ongoing basis, if such Contributor fails to notify You of the -non-compliance by some reasonable means prior to 60 days after You have -come back into compliance. Moreover, Your grants from a particular -Contributor are reinstated on an ongoing basis if such Contributor -notifies You of the non-compliance by some reasonable means, this is the -first time You have received notice of non-compliance with this License -from such Contributor, and You become compliant prior to 30 days after -Your receipt of the notice. - -5.2. If You initiate litigation against any entity by asserting a patent -infringement claim (excluding declaratory judgment actions, -counter-claims, and cross-claims) alleging that a Contributor Version -directly or indirectly infringes any patent, then the rights granted to -You by any and all Contributors for the Covered Software under Section -2.1 of this License shall terminate. - -5.3. In the event of termination under Sections 5.1 or 5.2 above, all -end user license agreements (excluding distributors and resellers) which -have been validly granted by You or Your distributors under this License -prior to termination shall survive termination. - -************************************************************************ -* * -* 6. Disclaimer of Warranty * -* ------------------------- * -* * -* Covered Software is provided under this License on an "as is" * -* basis, without warranty of any kind, either expressed, implied, or * -* statutory, including, without limitation, warranties that the * -* Covered Software is free of defects, merchantable, fit for a * -* particular purpose or non-infringing. The entire risk as to the * -* quality and performance of the Covered Software is with You. * -* Should any Covered Software prove defective in any respect, You * -* (not any Contributor) assume the cost of any necessary servicing, * -* repair, or correction. This disclaimer of warranty constitutes an * -* essential part of this License. No use of any Covered Software is * -* authorized under this License except under this disclaimer. * -* * -************************************************************************ - -************************************************************************ -* * -* 7. Limitation of Liability * -* -------------------------- * -* * -* Under no circumstances and under no legal theory, whether tort * -* (including negligence), contract, or otherwise, shall any * -* Contributor, or anyone who distributes Covered Software as * -* permitted above, be liable to You for any direct, indirect, * -* special, incidental, or consequential damages of any character * -* including, without limitation, damages for lost profits, loss of * -* goodwill, work stoppage, computer failure or malfunction, or any * -* and all other commercial damages or losses, even if such party * -* shall have been informed of the possibility of such damages. This * -* limitation of liability shall not apply to liability for death or * -* personal injury resulting from such party's negligence to the * -* extent applicable law prohibits such limitation. Some * -* jurisdictions do not allow the exclusion or limitation of * -* incidental or consequential damages, so this exclusion and * -* limitation may not apply to You. * -* * -************************************************************************ - -8. Litigation -------------- - -Any litigation relating to this License may be brought only in the -courts of a jurisdiction where the defendant maintains its principal -place of business and such litigation shall be governed by laws of that -jurisdiction, without reference to its conflict-of-law provisions. -Nothing in this Section shall prevent a party's ability to bring -cross-claims or counter-claims. - -9. Miscellaneous ----------------- - -This License represents the complete agreement concerning the subject -matter hereof. If any provision of this License is held to be -unenforceable, such provision shall be reformed only to the extent -necessary to make it enforceable. Any law or regulation which provides -that the language of a contract shall be construed against the drafter -shall not be used to construe this License against a Contributor. - -10. Versions of the License ---------------------------- - -10.1. New Versions - -Mozilla Foundation is the license steward. Except as provided in Section -10.3, no one other than the license steward has the right to modify or -publish new versions of this License. Each version will be given a -distinguishing version number. - -10.2. Effect of New Versions - -You may distribute the Covered Software under the terms of the version -of the License under which You originally received the Covered Software, -or under the terms of any subsequent version published by the license -steward. - -10.3. Modified Versions - -If you create software not governed by this License, and you want to -create a new license for such software, you may create and use a -modified version of this License if you rename the license and remove -any references to the name of the license steward (except to note that -such modified license differs from this License). - -10.4. Distributing Source Code Form that is Incompatible With Secondary -Licenses - -If You choose to distribute Source Code Form that is Incompatible With -Secondary Licenses under the terms of this version of the License, the -notice described in Exhibit B of this License must be attached. - -Exhibit A - Source Code Form License Notice -------------------------------------------- - - This Source Code Form is subject to the terms of the Mozilla Public - License, v. 2.0. If a copy of the MPL was not distributed with this - file, You can obtain one at http://mozilla.org/MPL/2.0/. - -If it is not possible or desirable to put the notice in a particular -file, then You may include the notice in a location (such as a LICENSE -file in a relevant directory) where a recipient would be likely to look -for such a notice. - -You may add additional accurate notices of copyright ownership. - -Exhibit B - "Incompatible With Secondary Licenses" Notice ---------------------------------------------------------- - - This Source Code Form is "Incompatible With Secondary Licenses", as - defined by the Mozilla Public License, v. 2.0. diff --git a/vendor/github.com/letsencrypt/boulder/core/challenges.go b/vendor/github.com/letsencrypt/boulder/core/challenges.go deleted file mode 100644 index d5e7a87295e..00000000000 --- a/vendor/github.com/letsencrypt/boulder/core/challenges.go +++ /dev/null @@ -1,41 +0,0 @@ -package core - -import "fmt" - -func newChallenge(challengeType AcmeChallenge, token string) Challenge { - return Challenge{ - Type: challengeType, - Status: StatusPending, - Token: token, - } -} - -// HTTPChallenge01 constructs a http-01 challenge. -func HTTPChallenge01(token string) Challenge { - return newChallenge(ChallengeTypeHTTP01, token) -} - -// DNSChallenge01 constructs a dns-01 challenge. -func DNSChallenge01(token string) Challenge { - return newChallenge(ChallengeTypeDNS01, token) -} - -// TLSALPNChallenge01 constructs a tls-alpn-01 challenge. -func TLSALPNChallenge01(token string) Challenge { - return newChallenge(ChallengeTypeTLSALPN01, token) -} - -// NewChallenge constructs a challenge of the given kind. It returns an -// error if the challenge type is unrecognized. -func NewChallenge(kind AcmeChallenge, token string) (Challenge, error) { - switch kind { - case ChallengeTypeHTTP01: - return HTTPChallenge01(token), nil - case ChallengeTypeDNS01: - return DNSChallenge01(token), nil - case ChallengeTypeTLSALPN01: - return TLSALPNChallenge01(token), nil - default: - return Challenge{}, fmt.Errorf("unrecognized challenge type %q", kind) - } -} diff --git a/vendor/github.com/letsencrypt/boulder/core/interfaces.go b/vendor/github.com/letsencrypt/boulder/core/interfaces.go deleted file mode 100644 index 59b55a3f4b8..00000000000 --- a/vendor/github.com/letsencrypt/boulder/core/interfaces.go +++ /dev/null @@ -1,14 +0,0 @@ -package core - -import ( - "github.com/letsencrypt/boulder/identifier" -) - -// PolicyAuthority defines the public interface for the Boulder PA -// TODO(#5891): Move this interface to a more appropriate location. -type PolicyAuthority interface { - WillingToIssue([]string) error - ChallengesFor(identifier.ACMEIdentifier) ([]Challenge, error) - ChallengeTypeEnabled(AcmeChallenge) bool - CheckAuthz(*Authorization) error -} diff --git a/vendor/github.com/letsencrypt/boulder/core/objects.go b/vendor/github.com/letsencrypt/boulder/core/objects.go deleted file mode 100644 index c01f551abd8..00000000000 --- a/vendor/github.com/letsencrypt/boulder/core/objects.go +++ /dev/null @@ -1,505 +0,0 @@ -package core - -import ( - "crypto" - "encoding/base64" - "encoding/json" - "fmt" - "hash/fnv" - "net" - "strings" - "time" - - "github.com/go-jose/go-jose/v4" - "golang.org/x/crypto/ocsp" - - "github.com/letsencrypt/boulder/identifier" - "github.com/letsencrypt/boulder/probs" - "github.com/letsencrypt/boulder/revocation" -) - -// AcmeStatus defines the state of a given authorization -type AcmeStatus string - -// These statuses are the states of authorizations, challenges, and registrations -const ( - StatusUnknown = AcmeStatus("unknown") // Unknown status; the default - StatusPending = AcmeStatus("pending") // In process; client has next action - StatusProcessing = AcmeStatus("processing") // In process; server has next action - StatusReady = AcmeStatus("ready") // Order is ready for finalization - StatusValid = AcmeStatus("valid") // Object is valid - StatusInvalid = AcmeStatus("invalid") // Validation failed - StatusRevoked = AcmeStatus("revoked") // Object no longer valid - StatusDeactivated = AcmeStatus("deactivated") // Object has been deactivated -) - -// AcmeResource values identify different types of ACME resources -type AcmeResource string - -// The types of ACME resources -const ( - ResourceNewReg = AcmeResource("new-reg") - ResourceNewAuthz = AcmeResource("new-authz") - ResourceNewCert = AcmeResource("new-cert") - ResourceRevokeCert = AcmeResource("revoke-cert") - ResourceRegistration = AcmeResource("reg") - ResourceChallenge = AcmeResource("challenge") - ResourceAuthz = AcmeResource("authz") - ResourceKeyChange = AcmeResource("key-change") -) - -// AcmeChallenge values identify different types of ACME challenges -type AcmeChallenge string - -// These types are the available challenges -const ( - ChallengeTypeHTTP01 = AcmeChallenge("http-01") - ChallengeTypeDNS01 = AcmeChallenge("dns-01") - ChallengeTypeTLSALPN01 = AcmeChallenge("tls-alpn-01") -) - -// IsValid tests whether the challenge is a known challenge -func (c AcmeChallenge) IsValid() bool { - switch c { - case ChallengeTypeHTTP01, ChallengeTypeDNS01, ChallengeTypeTLSALPN01: - return true - default: - return false - } -} - -// OCSPStatus defines the state of OCSP for a domain -type OCSPStatus string - -// These status are the states of OCSP -const ( - OCSPStatusGood = OCSPStatus("good") - OCSPStatusRevoked = OCSPStatus("revoked") - // Not a real OCSP status. This is a placeholder we write before the - // actual precertificate is issued, to ensure we never return "good" before - // issuance succeeds, for BR compliance reasons. - OCSPStatusNotReady = OCSPStatus("wait") -) - -var OCSPStatusToInt = map[OCSPStatus]int{ - OCSPStatusGood: ocsp.Good, - OCSPStatusRevoked: ocsp.Revoked, - OCSPStatusNotReady: -1, -} - -// DNSPrefix is attached to DNS names in DNS challenges -const DNSPrefix = "_acme-challenge" - -type RawCertificateRequest struct { - CSR JSONBuffer `json:"csr"` // The encoded CSR -} - -// Registration objects represent non-public metadata attached -// to account keys. -type Registration struct { - // Unique identifier - ID int64 `json:"id,omitempty" db:"id"` - - // Account key to which the details are attached - Key *jose.JSONWebKey `json:"key"` - - // Contact URIs - Contact *[]string `json:"contact,omitempty"` - - // Agreement with terms of service - Agreement string `json:"agreement,omitempty"` - - // InitialIP is the IP address from which the registration was created - InitialIP net.IP `json:"initialIp"` - - // CreatedAt is the time the registration was created. - CreatedAt *time.Time `json:"createdAt,omitempty"` - - Status AcmeStatus `json:"status"` -} - -// ValidationRecord represents a validation attempt against a specific URL/hostname -// and the IP addresses that were resolved and used. -type ValidationRecord struct { - // SimpleHTTP only - URL string `json:"url,omitempty"` - - // Shared - Hostname string `json:"hostname,omitempty"` - Port string `json:"port,omitempty"` - AddressesResolved []net.IP `json:"addressesResolved,omitempty"` - AddressUsed net.IP `json:"addressUsed,omitempty"` - // AddressesTried contains a list of addresses tried before the `AddressUsed`. - // Presently this will only ever be one IP from `AddressesResolved` since the - // only retry is in the case of a v6 failure with one v4 fallback. E.g. if - // a record with `AddressesResolved: { 127.0.0.1, ::1 }` were processed for - // a challenge validation with the IPv6 first flag on and the ::1 address - // failed but the 127.0.0.1 retry succeeded then the record would end up - // being: - // { - // ... - // AddressesResolved: [ 127.0.0.1, ::1 ], - // AddressUsed: 127.0.0.1 - // AddressesTried: [ ::1 ], - // ... - // } - AddressesTried []net.IP `json:"addressesTried,omitempty"` - // ResolverAddrs is the host:port of the DNS resolver(s) that fulfilled the - // lookup for AddressUsed. During recursive A and AAAA lookups, a record may - // instead look like A:host:port or AAAA:host:port - ResolverAddrs []string `json:"resolverAddrs,omitempty"` - // UsedRSAKEX is a *temporary* addition to the validation record, so we can - // see how many servers that we reach out to during HTTP-01 and TLS-ALPN-01 - // validation are only willing to negotiate RSA key exchange mechanisms. The - // field is not included in the serialized json to avoid cluttering the - // database and log lines. - // TODO(#7321): Remove this when we have collected sufficient data. - UsedRSAKEX bool `json:"-"` -} - -// Challenge is an aggregate of all data needed for any challenges. -// -// Rather than define individual types for different types of -// challenge, we just throw all the elements into one bucket, -// together with the common metadata elements. -type Challenge struct { - // Type is the type of challenge encoded in this object. - Type AcmeChallenge `json:"type"` - - // URL is the URL to which a response can be posted. Required for all types. - URL string `json:"url,omitempty"` - - // Status is the status of this challenge. Required for all types. - Status AcmeStatus `json:"status,omitempty"` - - // Validated is the time at which the server validated the challenge. Required - // if status is valid. - Validated *time.Time `json:"validated,omitempty"` - - // Error contains the error that occurred during challenge validation, if any. - // If set, the Status must be "invalid". - Error *probs.ProblemDetails `json:"error,omitempty"` - - // Token is a random value that uniquely identifies the challenge. It is used - // by all current challenges (http-01, tls-alpn-01, and dns-01). - Token string `json:"token,omitempty"` - - // ProvidedKeyAuthorization used to carry the expected key authorization from - // the RA to the VA. However, since this field is never presented to the user - // via the ACME API, it should not be on this type. - // - // Deprecated: use vapb.PerformValidationRequest.ExpectedKeyAuthorization instead. - // TODO(#7514): Remove this. - ProvidedKeyAuthorization string `json:"keyAuthorization,omitempty"` - - // Contains information about URLs used or redirected to and IPs resolved and - // used - ValidationRecord []ValidationRecord `json:"validationRecord,omitempty"` -} - -// ExpectedKeyAuthorization computes the expected KeyAuthorization value for -// the challenge. -func (ch Challenge) ExpectedKeyAuthorization(key *jose.JSONWebKey) (string, error) { - if key == nil { - return "", fmt.Errorf("Cannot authorize a nil key") - } - - thumbprint, err := key.Thumbprint(crypto.SHA256) - if err != nil { - return "", err - } - - return ch.Token + "." + base64.RawURLEncoding.EncodeToString(thumbprint), nil -} - -// RecordsSane checks the sanity of a ValidationRecord object before sending it -// back to the RA to be stored. -func (ch Challenge) RecordsSane() bool { - if ch.ValidationRecord == nil || len(ch.ValidationRecord) == 0 { - return false - } - - switch ch.Type { - case ChallengeTypeHTTP01: - for _, rec := range ch.ValidationRecord { - // TODO(#7140): Add a check for ResolverAddress == "" only after the - // core.proto change has been deployed. - if rec.URL == "" || rec.Hostname == "" || rec.Port == "" || rec.AddressUsed == nil || - len(rec.AddressesResolved) == 0 { - return false - } - } - case ChallengeTypeTLSALPN01: - if len(ch.ValidationRecord) > 1 { - return false - } - if ch.ValidationRecord[0].URL != "" { - return false - } - // TODO(#7140): Add a check for ResolverAddress == "" only after the - // core.proto change has been deployed. - if ch.ValidationRecord[0].Hostname == "" || ch.ValidationRecord[0].Port == "" || - ch.ValidationRecord[0].AddressUsed == nil || len(ch.ValidationRecord[0].AddressesResolved) == 0 { - return false - } - case ChallengeTypeDNS01: - if len(ch.ValidationRecord) > 1 { - return false - } - // TODO(#7140): Add a check for ResolverAddress == "" only after the - // core.proto change has been deployed. - if ch.ValidationRecord[0].Hostname == "" { - return false - } - return true - default: // Unsupported challenge type - return false - } - - return true -} - -// CheckPending ensures that a challenge object is pending and has a token. -// This is used before offering the challenge to the client, and before actually -// validating a challenge. -func (ch Challenge) CheckPending() error { - if ch.Status != StatusPending { - return fmt.Errorf("challenge is not pending") - } - - if !looksLikeAToken(ch.Token) { - return fmt.Errorf("token is missing or malformed") - } - - return nil -} - -// StringID is used to generate a ID for challenges associated with new style authorizations. -// This is necessary as these challenges no longer have a unique non-sequential identifier -// in the new storage scheme. This identifier is generated by constructing a fnv hash over the -// challenge token and type and encoding the first 4 bytes of it using the base64 URL encoding. -func (ch Challenge) StringID() string { - h := fnv.New128a() - h.Write([]byte(ch.Token)) - h.Write([]byte(ch.Type)) - return base64.RawURLEncoding.EncodeToString(h.Sum(nil)[0:4]) -} - -// Authorization represents the authorization of an account key holder -// to act on behalf of a domain. This struct is intended to be used both -// internally and for JSON marshaling on the wire. Any fields that should be -// suppressed on the wire (e.g., ID, regID) must be made empty before marshaling. -type Authorization struct { - // An identifier for this authorization, unique across - // authorizations and certificates within this instance. - ID string `json:"id,omitempty" db:"id"` - - // The identifier for which authorization is being given - Identifier identifier.ACMEIdentifier `json:"identifier,omitempty" db:"identifier"` - - // The registration ID associated with the authorization - RegistrationID int64 `json:"regId,omitempty" db:"registrationID"` - - // The status of the validation of this authorization - Status AcmeStatus `json:"status,omitempty" db:"status"` - - // The date after which this authorization will be no - // longer be considered valid. Note: a certificate may be issued even on the - // last day of an authorization's lifetime. The last day for which someone can - // hold a valid certificate based on an authorization is authorization - // lifetime + certificate lifetime. - Expires *time.Time `json:"expires,omitempty" db:"expires"` - - // An array of challenges objects used to validate the - // applicant's control of the identifier. For authorizations - // in process, these are challenges to be fulfilled; for - // final authorizations, they describe the evidence that - // the server used in support of granting the authorization. - // - // There should only ever be one challenge of each type in this - // slice and the order of these challenges may not be predictable. - Challenges []Challenge `json:"challenges,omitempty" db:"-"` - - // https://datatracker.ietf.org/doc/html/rfc8555#page-29 - // - // wildcard (optional, boolean): This field MUST be present and true - // for authorizations created as a result of a newOrder request - // containing a DNS identifier with a value that was a wildcard - // domain name. For other authorizations, it MUST be absent. - // Wildcard domain names are described in Section 7.1.3. - // - // This is not represented in the database because we calculate it from - // the identifier stored in the database. Unlike the identifier returned - // as part of the authorization, the identifier we store in the database - // can contain an asterisk. - Wildcard bool `json:"wildcard,omitempty" db:"-"` -} - -// FindChallengeByStringID will look for a challenge matching the given ID inside -// this authorization. If found, it will return the index of that challenge within -// the Authorization's Challenges array. Otherwise it will return -1. -func (authz *Authorization) FindChallengeByStringID(id string) int { - for i, c := range authz.Challenges { - if c.StringID() == id { - return i - } - } - return -1 -} - -// SolvedBy will look through the Authorizations challenges, returning the type -// of the *first* challenge it finds with Status: valid, or an error if no -// challenge is valid. -func (authz *Authorization) SolvedBy() (AcmeChallenge, error) { - if len(authz.Challenges) == 0 { - return "", fmt.Errorf("Authorization has no challenges") - } - for _, chal := range authz.Challenges { - if chal.Status == StatusValid { - return chal.Type, nil - } - } - return "", fmt.Errorf("Authorization not solved by any challenge") -} - -// JSONBuffer fields get encoded and decoded JOSE-style, in base64url encoding -// with stripped padding. -type JSONBuffer []byte - -// MarshalJSON encodes a JSONBuffer for transmission. -func (jb JSONBuffer) MarshalJSON() (result []byte, err error) { - return json.Marshal(base64.RawURLEncoding.EncodeToString(jb)) -} - -// UnmarshalJSON decodes a JSONBuffer to an object. -func (jb *JSONBuffer) UnmarshalJSON(data []byte) (err error) { - var str string - err = json.Unmarshal(data, &str) - if err != nil { - return err - } - *jb, err = base64.RawURLEncoding.DecodeString(strings.TrimRight(str, "=")) - return -} - -// Certificate objects are entirely internal to the server. The only -// thing exposed on the wire is the certificate itself. -type Certificate struct { - ID int64 `db:"id"` - RegistrationID int64 `db:"registrationID"` - - Serial string `db:"serial"` - Digest string `db:"digest"` - DER []byte `db:"der"` - Issued time.Time `db:"issued"` - Expires time.Time `db:"expires"` -} - -// CertificateStatus structs are internal to the server. They represent the -// latest data about the status of the certificate, required for generating new -// OCSP responses and determining if a certificate has been revoked. -type CertificateStatus struct { - ID int64 `db:"id"` - - Serial string `db:"serial"` - - // status: 'good' or 'revoked'. Note that good, expired certificates remain - // with status 'good' but don't necessarily get fresh OCSP responses. - Status OCSPStatus `db:"status"` - - // ocspLastUpdated: The date and time of the last time we generated an OCSP - // response. If we have never generated one, this has the zero value of - // time.Time, i.e. Jan 1 1970. - OCSPLastUpdated time.Time `db:"ocspLastUpdated"` - - // revokedDate: If status is 'revoked', this is the date and time it was - // revoked. Otherwise it has the zero value of time.Time, i.e. Jan 1 1970. - RevokedDate time.Time `db:"revokedDate"` - - // revokedReason: If status is 'revoked', this is the reason code for the - // revocation. Otherwise it is zero (which happens to be the reason - // code for 'unspecified'). - RevokedReason revocation.Reason `db:"revokedReason"` - - LastExpirationNagSent time.Time `db:"lastExpirationNagSent"` - - // NotAfter and IsExpired are convenience columns which allow expensive - // queries to quickly filter out certificates that we don't need to care about - // anymore. These are particularly useful for the expiration mailer and CRL - // updater. See https://github.com/letsencrypt/boulder/issues/1864. - NotAfter time.Time `db:"notAfter"` - IsExpired bool `db:"isExpired"` - - // Note: this is not an issuance.IssuerNameID because that would create an - // import cycle between core and issuance. - // Note2: This field used to be called `issuerID`. We keep the old name in - // the DB, but update the Go field name to be clear which type of ID this - // is. - IssuerNameID int64 `db:"issuerID"` -} - -// FQDNSet contains the SHA256 hash of the lowercased, comma joined dNSNames -// contained in a certificate. -type FQDNSet struct { - ID int64 - SetHash []byte - Serial string - Issued time.Time - Expires time.Time -} - -// SCTDERs is a convenience type -type SCTDERs [][]byte - -// CertDER is a convenience type that helps differentiate what the -// underlying byte slice contains -type CertDER []byte - -// SuggestedWindow is a type exposed inside the RenewalInfo resource. -type SuggestedWindow struct { - Start time.Time `json:"start"` - End time.Time `json:"end"` -} - -// IsWithin returns true if the given time is within the suggested window, -// inclusive of the start time and exclusive of the end time. -func (window SuggestedWindow) IsWithin(now time.Time) bool { - return !now.Before(window.Start) && now.Before(window.End) -} - -// RenewalInfo is a type which is exposed to clients which query the renewalInfo -// endpoint specified in draft-aaron-ari. -type RenewalInfo struct { - SuggestedWindow SuggestedWindow `json:"suggestedWindow"` -} - -// RenewalInfoSimple constructs a `RenewalInfo` object and suggested window -// using a very simple renewal calculation: calculate a point 2/3rds of the way -// through the validity period, then give a 2-day window around that. Both the -// `issued` and `expires` timestamps are expected to be UTC. -func RenewalInfoSimple(issued time.Time, expires time.Time) RenewalInfo { - validity := expires.Add(time.Second).Sub(issued) - renewalOffset := validity / time.Duration(3) - idealRenewal := expires.Add(-renewalOffset) - return RenewalInfo{ - SuggestedWindow: SuggestedWindow{ - Start: idealRenewal.Add(-24 * time.Hour), - End: idealRenewal.Add(24 * time.Hour), - }, - } -} - -// RenewalInfoImmediate constructs a `RenewalInfo` object with a suggested -// window in the past. Per the draft-ietf-acme-ari-01 spec, clients should -// attempt to renew immediately if the suggested window is in the past. The -// passed `now` is assumed to be a timestamp representing the current moment in -// time. -func RenewalInfoImmediate(now time.Time) RenewalInfo { - oneHourAgo := now.Add(-1 * time.Hour) - return RenewalInfo{ - SuggestedWindow: SuggestedWindow{ - Start: oneHourAgo, - End: oneHourAgo.Add(time.Minute * 30), - }, - } -} diff --git a/vendor/github.com/letsencrypt/boulder/core/util.go b/vendor/github.com/letsencrypt/boulder/core/util.go deleted file mode 100644 index 641521f1699..00000000000 --- a/vendor/github.com/letsencrypt/boulder/core/util.go +++ /dev/null @@ -1,383 +0,0 @@ -package core - -import ( - "crypto" - "crypto/ecdsa" - "crypto/rand" - "crypto/rsa" - "crypto/sha256" - "crypto/x509" - "encoding/base64" - "encoding/hex" - "encoding/pem" - "errors" - "expvar" - "fmt" - "io" - "math/big" - mrand "math/rand" - "os" - "path" - "reflect" - "regexp" - "sort" - "strings" - "time" - "unicode" - - "github.com/go-jose/go-jose/v4" - "google.golang.org/protobuf/types/known/durationpb" - "google.golang.org/protobuf/types/known/timestamppb" -) - -const Unspecified = "Unspecified" - -// Package Variables Variables - -// BuildID is set by the compiler (using -ldflags "-X core.BuildID $(git rev-parse --short HEAD)") -// and is used by GetBuildID -var BuildID string - -// BuildHost is set by the compiler and is used by GetBuildHost -var BuildHost string - -// BuildTime is set by the compiler and is used by GetBuildTime -var BuildTime string - -func init() { - expvar.NewString("BuildID").Set(BuildID) - expvar.NewString("BuildTime").Set(BuildTime) -} - -// Random stuff - -type randSource interface { - Read(p []byte) (n int, err error) -} - -// RandReader is used so that it can be replaced in tests that require -// deterministic output -var RandReader randSource = rand.Reader - -// RandomString returns a randomly generated string of the requested length. -func RandomString(byteLength int) string { - b := make([]byte, byteLength) - _, err := io.ReadFull(RandReader, b) - if err != nil { - panic(fmt.Sprintf("Error reading random bytes: %s", err)) - } - return base64.RawURLEncoding.EncodeToString(b) -} - -// NewToken produces a random string for Challenges, etc. -func NewToken() string { - return RandomString(32) -} - -var tokenFormat = regexp.MustCompile(`^[\w-]{43}$`) - -// looksLikeAToken checks whether a string represents a 32-octet value in -// the URL-safe base64 alphabet. -func looksLikeAToken(token string) bool { - return tokenFormat.MatchString(token) -} - -// Fingerprints - -// Fingerprint256 produces an unpadded, URL-safe Base64-encoded SHA256 digest -// of the data. -func Fingerprint256(data []byte) string { - d := sha256.New() - _, _ = d.Write(data) // Never returns an error - return base64.RawURLEncoding.EncodeToString(d.Sum(nil)) -} - -type Sha256Digest [sha256.Size]byte - -// KeyDigest produces the SHA256 digest of a provided public key. -func KeyDigest(key crypto.PublicKey) (Sha256Digest, error) { - switch t := key.(type) { - case *jose.JSONWebKey: - if t == nil { - return Sha256Digest{}, errors.New("cannot compute digest of nil key") - } - return KeyDigest(t.Key) - case jose.JSONWebKey: - return KeyDigest(t.Key) - default: - keyDER, err := x509.MarshalPKIXPublicKey(key) - if err != nil { - return Sha256Digest{}, err - } - return sha256.Sum256(keyDER), nil - } -} - -// KeyDigestB64 produces a padded, standard Base64-encoded SHA256 digest of a -// provided public key. -func KeyDigestB64(key crypto.PublicKey) (string, error) { - digest, err := KeyDigest(key) - if err != nil { - return "", err - } - return base64.StdEncoding.EncodeToString(digest[:]), nil -} - -// KeyDigestEquals determines whether two public keys have the same digest. -func KeyDigestEquals(j, k crypto.PublicKey) bool { - digestJ, errJ := KeyDigestB64(j) - digestK, errK := KeyDigestB64(k) - // Keys that don't have a valid digest (due to marshalling problems) - // are never equal. So, e.g. nil keys are not equal. - if errJ != nil || errK != nil { - return false - } - return digestJ == digestK -} - -// PublicKeysEqual determines whether two public keys are identical. -func PublicKeysEqual(a, b crypto.PublicKey) (bool, error) { - switch ak := a.(type) { - case *rsa.PublicKey: - return ak.Equal(b), nil - case *ecdsa.PublicKey: - return ak.Equal(b), nil - default: - return false, fmt.Errorf("unsupported public key type %T", ak) - } -} - -// SerialToString converts a certificate serial number (big.Int) to a String -// consistently. -func SerialToString(serial *big.Int) string { - return fmt.Sprintf("%036x", serial) -} - -// StringToSerial converts a string into a certificate serial number (big.Int) -// consistently. -func StringToSerial(serial string) (*big.Int, error) { - var serialNum big.Int - if !ValidSerial(serial) { - return &serialNum, fmt.Errorf("invalid serial number %q", serial) - } - _, err := fmt.Sscanf(serial, "%036x", &serialNum) - return &serialNum, err -} - -// ValidSerial tests whether the input string represents a syntactically -// valid serial number, i.e., that it is a valid hex string between 32 -// and 36 characters long. -func ValidSerial(serial string) bool { - // Originally, serial numbers were 32 hex characters long. We later increased - // them to 36, but we allow the shorter ones because they exist in some - // production databases. - if len(serial) != 32 && len(serial) != 36 { - return false - } - _, err := hex.DecodeString(serial) - return err == nil -} - -// GetBuildID identifies what build is running. -func GetBuildID() (retID string) { - retID = BuildID - if retID == "" { - retID = Unspecified - } - return -} - -// GetBuildTime identifies when this build was made -func GetBuildTime() (retID string) { - retID = BuildTime - if retID == "" { - retID = Unspecified - } - return -} - -// GetBuildHost identifies the building host -func GetBuildHost() (retID string) { - retID = BuildHost - if retID == "" { - retID = Unspecified - } - return -} - -// IsAnyNilOrZero returns whether any of the supplied values are nil, or (if not) -// if any of them is its type's zero-value. This is useful for validating that -// all required fields on a proto message are present. -func IsAnyNilOrZero(vals ...interface{}) bool { - for _, val := range vals { - switch v := val.(type) { - case nil: - return true - case bool: - if !v { - return true - } - case string: - if v == "" { - return true - } - case []string: - if len(v) == 0 { - return true - } - case byte: - // Byte is an alias for uint8 and will cover that case. - if v == 0 { - return true - } - case []byte: - if len(v) == 0 { - return true - } - case int: - if v == 0 { - return true - } - case int8: - if v == 0 { - return true - } - case int16: - if v == 0 { - return true - } - case int32: - if v == 0 { - return true - } - case int64: - if v == 0 { - return true - } - case uint: - if v == 0 { - return true - } - case uint16: - if v == 0 { - return true - } - case uint32: - if v == 0 { - return true - } - case uint64: - if v == 0 { - return true - } - case float32: - if v == 0 { - return true - } - case float64: - if v == 0 { - return true - } - case time.Time: - if v.IsZero() { - return true - } - case *timestamppb.Timestamp: - if v == nil || v.AsTime().IsZero() { - return true - } - case *durationpb.Duration: - if v == nil || v.AsDuration() == time.Duration(0) { - return true - } - default: - if reflect.ValueOf(v).IsZero() { - return true - } - } - } - return false -} - -// UniqueLowerNames returns the set of all unique names in the input after all -// of them are lowercased. The returned names will be in their lowercased form -// and sorted alphabetically. -func UniqueLowerNames(names []string) (unique []string) { - nameMap := make(map[string]int, len(names)) - for _, name := range names { - nameMap[strings.ToLower(name)] = 1 - } - - unique = make([]string, 0, len(nameMap)) - for name := range nameMap { - unique = append(unique, name) - } - sort.Strings(unique) - return -} - -// HashNames returns a hash of the names requested. This is intended for use -// when interacting with the orderFqdnSets table and rate limiting. -func HashNames(names []string) []byte { - names = UniqueLowerNames(names) - hash := sha256.Sum256([]byte(strings.Join(names, ","))) - return hash[:] -} - -// LoadCert loads a PEM certificate specified by filename or returns an error -func LoadCert(filename string) (*x509.Certificate, error) { - certPEM, err := os.ReadFile(filename) - if err != nil { - return nil, err - } - block, _ := pem.Decode(certPEM) - if block == nil { - return nil, fmt.Errorf("no data in cert PEM file %q", filename) - } - cert, err := x509.ParseCertificate(block.Bytes) - if err != nil { - return nil, err - } - return cert, nil -} - -// retryJitter is used to prevent bunched retried queries from falling into lockstep -const retryJitter = 0.2 - -// RetryBackoff calculates a backoff time based on number of retries, will always -// add jitter so requests that start in unison won't fall into lockstep. Because of -// this the returned duration can always be larger than the maximum by a factor of -// retryJitter. Adapted from -// https://github.com/grpc/grpc-go/blob/v1.11.3/backoff.go#L77-L96 -func RetryBackoff(retries int, base, max time.Duration, factor float64) time.Duration { - if retries == 0 { - return 0 - } - backoff, fMax := float64(base), float64(max) - for backoff < fMax && retries > 1 { - backoff *= factor - retries-- - } - if backoff > fMax { - backoff = fMax - } - // Randomize backoff delays so that if a cluster of requests start at - // the same time, they won't operate in lockstep. - backoff *= (1 - retryJitter) + 2*retryJitter*mrand.Float64() - return time.Duration(backoff) -} - -// IsASCII determines if every character in a string is encoded in -// the ASCII character set. -func IsASCII(str string) bool { - for _, r := range str { - if r > unicode.MaxASCII { - return false - } - } - return true -} - -func Command() string { - return path.Base(os.Args[0]) -} diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/blocked.go b/vendor/github.com/letsencrypt/boulder/goodkey/blocked.go deleted file mode 100644 index 198c09db4ed..00000000000 --- a/vendor/github.com/letsencrypt/boulder/goodkey/blocked.go +++ /dev/null @@ -1,95 +0,0 @@ -package goodkey - -import ( - "crypto" - "crypto/sha256" - "encoding/base64" - "encoding/hex" - "errors" - "os" - - "github.com/letsencrypt/boulder/core" - "github.com/letsencrypt/boulder/strictyaml" -) - -// blockedKeys is a type for maintaining a map of SHA256 hashes -// of SubjectPublicKeyInfo's that should be considered blocked. -// blockedKeys are created by using loadBlockedKeysList. -type blockedKeys map[core.Sha256Digest]bool - -var ErrWrongDecodedSize = errors.New("not enough bytes decoded for sha256 hash") - -// blocked checks if the given public key is considered administratively -// blocked based on a SHA256 hash of the SubjectPublicKeyInfo. -// Important: blocked should not be called except on a blockedKeys instance -// returned from loadBlockedKeysList. -// function should not be used until after `loadBlockedKeysList` has returned. -func (b blockedKeys) blocked(key crypto.PublicKey) (bool, error) { - hash, err := core.KeyDigest(key) - if err != nil { - // the bool result should be ignored when err is != nil but to be on the - // paranoid side return true anyway so that a key we can't compute the - // digest for will always be blocked even if a caller foolishly discards the - // err result. - return true, err - } - return b[hash], nil -} - -// loadBlockedKeysList creates a blockedKeys object that can be used to check if -// a key is blocked. It creates a lookup map from a list of -// SHA256 hashes of SubjectPublicKeyInfo's in the input YAML file -// with the expected format: -// -// blocked: -// - cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M= -// -// - Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE= -// -// If no hashes are found in the input YAML an error is returned. -func loadBlockedKeysList(filename string) (*blockedKeys, error) { - yamlBytes, err := os.ReadFile(filename) - if err != nil { - return nil, err - } - - var list struct { - BlockedHashes []string `yaml:"blocked"` - BlockedHashesHex []string `yaml:"blockedHashesHex"` - } - err = strictyaml.Unmarshal(yamlBytes, &list) - if err != nil { - return nil, err - } - - if len(list.BlockedHashes) == 0 && len(list.BlockedHashesHex) == 0 { - return nil, errors.New("no blocked hashes in YAML") - } - - blockedKeys := make(blockedKeys, len(list.BlockedHashes)+len(list.BlockedHashesHex)) - for _, b64Hash := range list.BlockedHashes { - decoded, err := base64.StdEncoding.DecodeString(b64Hash) - if err != nil { - return nil, err - } - if len(decoded) != sha256.Size { - return nil, ErrWrongDecodedSize - } - var sha256Digest core.Sha256Digest - copy(sha256Digest[:], decoded[0:sha256.Size]) - blockedKeys[sha256Digest] = true - } - for _, hexHash := range list.BlockedHashesHex { - decoded, err := hex.DecodeString(hexHash) - if err != nil { - return nil, err - } - if len(decoded) != sha256.Size { - return nil, ErrWrongDecodedSize - } - var sha256Digest core.Sha256Digest - copy(sha256Digest[:], decoded[0:sha256.Size]) - blockedKeys[sha256Digest] = true - } - return &blockedKeys, nil -} diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go b/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go deleted file mode 100644 index 04a075d35bb..00000000000 --- a/vendor/github.com/letsencrypt/boulder/goodkey/good_key.go +++ /dev/null @@ -1,460 +0,0 @@ -package goodkey - -import ( - "context" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rsa" - "errors" - "fmt" - "math/big" - "sync" - - "github.com/letsencrypt/boulder/core" - - "github.com/titanous/rocacheck" -) - -// To generate, run: primes 2 752 | tr '\n' , -var smallPrimeInts = []int64{ - 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, - 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, - 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, - 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, - 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, - 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, - 367, 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, - 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, - 499, 503, 509, 521, 523, 541, 547, 557, 563, 569, 571, - 577, 587, 593, 599, 601, 607, 613, 617, 619, 631, 641, - 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, - 719, 727, 733, 739, 743, 751, -} - -// singleton defines the object of a Singleton pattern -var ( - smallPrimesSingleton sync.Once - smallPrimesProduct *big.Int -) - -type Config struct { - // AllowedKeys enables or disables specific key algorithms and sizes. If - // nil, defaults to just those keys allowed by the Let's Encrypt CPS. - AllowedKeys *AllowedKeys - // WeakKeyFile is the path to a JSON file containing truncated modulus hashes - // of known weak RSA keys. If this config value is empty, then RSA modulus - // hash checking will be disabled. - WeakKeyFile string - // BlockedKeyFile is the path to a YAML file containing base64-encoded SHA256 - // hashes of PKIX Subject Public Keys that should be blocked. If this config - // value is empty, then blocked key checking will be disabled. - BlockedKeyFile string - // FermatRounds is an integer number of rounds of Fermat's factorization - // method that should be performed to attempt to detect keys whose modulus can - // be trivially factored because the two factors are very close to each other. - // If this config value is empty (0), no factorization will be attempted. - FermatRounds int -} - -// AllowedKeys is a map of six specific key algorithm and size combinations to -// booleans indicating whether keys of that type are considered good. -type AllowedKeys struct { - // Baseline Requirements, Section 6.1.5 requires key size >= 2048 and a multiple - // of 8 bits: https://github.com/cabforum/servercert/blob/main/docs/BR.md#615-key-sizes - // Baseline Requirements, Section 6.1.1.3 requires that we reject any keys which - // have a known method to easily compute their private key, such as Debian Weak - // Keys. Our enforcement mechanism relies on enumerating all Debian Weak Keys at - // common key sizes, so we restrict all issuance to those common key sizes. - RSA2048 bool - RSA3072 bool - RSA4096 bool - // Baseline Requirements, Section 6.1.5 requires that ECDSA keys be valid - // points on the NIST P-256, P-384, or P-521 elliptic curves. - ECDSAP256 bool - ECDSAP384 bool - ECDSAP521 bool -} - -// LetsEncryptCPS encodes the five key algorithms and sizes allowed by the Let's -// Encrypt CPS CV-SSL Subscriber Certificate Profile: RSA 2048, RSA 3076, RSA -// 4096, ECDSA 256 and ECDSA P384. -// https://github.com/letsencrypt/cp-cps/blob/main/CP-CPS.md#dv-ssl-subscriber-certificate -// If this is ever changed, the CP/CPS MUST be changed first. -func LetsEncryptCPS() AllowedKeys { - return AllowedKeys{ - RSA2048: true, - RSA3072: true, - RSA4096: true, - ECDSAP256: true, - ECDSAP384: true, - } -} - -// ErrBadKey represents an error with a key. It is distinct from the various -// ways in which an ACME request can have an erroneous key (BadPublicKeyError, -// BadCSRError) because this library is used to check both JWS signing keys and -// keys in CSRs. -var ErrBadKey = errors.New("") - -func badKey(msg string, args ...interface{}) error { - return fmt.Errorf("%w%s", ErrBadKey, fmt.Errorf(msg, args...)) -} - -// BlockedKeyCheckFunc is used to pass in the sa.BlockedKey functionality to KeyPolicy, -// rather than storing a full sa.SQLStorageAuthority. This allows external -// users who don’t want to import all of boulder/sa, and makes testing -// significantly simpler. -// On success, the function returns a boolean which is true if the key is blocked. -type BlockedKeyCheckFunc func(ctx context.Context, keyHash []byte) (bool, error) - -// KeyPolicy determines which types of key may be used with various boulder -// operations. -type KeyPolicy struct { - allowedKeys AllowedKeys - weakRSAList *WeakRSAKeys - blockedList *blockedKeys - fermatRounds int - blockedCheck BlockedKeyCheckFunc -} - -// NewPolicy returns a key policy based on the given configuration, with sane -// defaults. If the config's AllowedKeys is nil, the LetsEncryptCPS AllowedKeys -// is used. If the config's WeakKeyFile or BlockedKeyFile paths are empty, those -// checks are disabled. If the config's FermatRounds is 0, Fermat Factorization -// is disabled. -func NewPolicy(config *Config, bkc BlockedKeyCheckFunc) (KeyPolicy, error) { - if config == nil { - config = &Config{} - } - kp := KeyPolicy{ - blockedCheck: bkc, - } - if config.AllowedKeys == nil { - kp.allowedKeys = LetsEncryptCPS() - } else { - kp.allowedKeys = *config.AllowedKeys - } - if config.WeakKeyFile != "" { - keyList, err := LoadWeakRSASuffixes(config.WeakKeyFile) - if err != nil { - return KeyPolicy{}, err - } - kp.weakRSAList = keyList - } - if config.BlockedKeyFile != "" { - blocked, err := loadBlockedKeysList(config.BlockedKeyFile) - if err != nil { - return KeyPolicy{}, err - } - kp.blockedList = blocked - } - if config.FermatRounds < 0 { - return KeyPolicy{}, fmt.Errorf("Fermat factorization rounds cannot be negative: %d", config.FermatRounds) - } - kp.fermatRounds = config.FermatRounds - return kp, nil -} - -// GoodKey returns true if the key is acceptable for both TLS use and account -// key use (our requirements are the same for either one), according to basic -// strength and algorithm checking. GoodKey only supports pointers: *rsa.PublicKey -// and *ecdsa.PublicKey. It will reject non-pointer types. -// TODO: Support JSONWebKeys once go-jose migration is done. -func (policy *KeyPolicy) GoodKey(ctx context.Context, key crypto.PublicKey) error { - // Early rejection of unacceptable key types to guard subsequent checks. - switch t := key.(type) { - case *rsa.PublicKey, *ecdsa.PublicKey: - break - default: - return badKey("unsupported key type %T", t) - } - // If there is a blocked list configured then check if the public key is one - // that has been administratively blocked. - if policy.blockedList != nil { - if blocked, err := policy.blockedList.blocked(key); err != nil { - return fmt.Errorf("error checking blocklist for key: %v", key) - } else if blocked { - return badKey("public key is forbidden") - } - } - if policy.blockedCheck != nil { - digest, err := core.KeyDigest(key) - if err != nil { - return badKey("%w", err) - } - exists, err := policy.blockedCheck(ctx, digest[:]) - if err != nil { - return err - } else if exists { - return badKey("public key is forbidden") - } - } - switch t := key.(type) { - case *rsa.PublicKey: - return policy.goodKeyRSA(t) - case *ecdsa.PublicKey: - return policy.goodKeyECDSA(t) - default: - return badKey("unsupported key type %T", key) - } -} - -// GoodKeyECDSA determines if an ECDSA pubkey meets our requirements -func (policy *KeyPolicy) goodKeyECDSA(key *ecdsa.PublicKey) (err error) { - // Check the curve. - // - // The validity of the curve is an assumption for all following tests. - err = policy.goodCurve(key.Curve) - if err != nil { - return err - } - - // Key validation routine adapted from NIST SP800-56A § 5.6.2.3.2. - // - // - // Assuming a prime field since a) we are only allowing such curves and b) - // crypto/elliptic only supports prime curves. Where this assumption - // simplifies the code below, it is explicitly stated and explained. If ever - // adapting this code to support non-prime curves, refer to NIST SP800-56A § - // 5.6.2.3.2 and adapt this code appropriately. - params := key.Params() - - // SP800-56A § 5.6.2.3.2 Step 1. - // Partial check of the public key for an invalid range in the EC group: - // Verify that key is not the point at infinity O. - // This code assumes that the point at infinity is (0,0), which is the - // case for all supported curves. - if isPointAtInfinityNISTP(key.X, key.Y) { - return badKey("key x, y must not be the point at infinity") - } - - // SP800-56A § 5.6.2.3.2 Step 2. - // "Verify that x_Q and y_Q are integers in the interval [0,p-1] in the - // case that q is an odd prime p, or that x_Q and y_Q are bit strings - // of length m bits in the case that q = 2**m." - // - // Prove prime field: ASSUMED. - // Prove q != 2: ASSUMED. (Curve parameter. No supported curve has q == 2.) - // Prime field && q != 2 => q is an odd prime p - // Therefore "verify that x, y are in [0, p-1]" satisfies step 2. - // - // Therefore verify that both x and y of the public key point have the unique - // correct representation of an element in the underlying field by verifying - // that x and y are integers in [0, p-1]. - if key.X.Sign() < 0 || key.Y.Sign() < 0 { - return badKey("key x, y must not be negative") - } - - if key.X.Cmp(params.P) >= 0 || key.Y.Cmp(params.P) >= 0 { - return badKey("key x, y must not exceed P-1") - } - - // SP800-56A § 5.6.2.3.2 Step 3. - // "If q is an odd prime p, verify that (y_Q)**2 === (x_Q)***3 + a*x_Q + b (mod p). - // If q = 2**m, verify that (y_Q)**2 + (x_Q)*(y_Q) == (x_Q)**3 + a*(x_Q)*2 + b in - // the finite field of size 2**m. - // (Ensures that the public key is on the correct elliptic curve.)" - // - // q is an odd prime p: proven/assumed above. - // a = -3 for all supported curves. - // - // Therefore step 3 is satisfied simply by showing that - // y**2 === x**3 - 3*x + B (mod P). - // - // This proves that the public key is on the correct elliptic curve. - // But in practice, this test is provided by crypto/elliptic, so use that. - if !key.Curve.IsOnCurve(key.X, key.Y) { - return badKey("key point is not on the curve") - } - - // SP800-56A § 5.6.2.3.2 Step 4. - // "Verify that n*Q == Ø. - // (Ensures that the public key has the correct order. Along with check 1, - // ensures that the public key is in the correct range in the correct EC - // subgroup, that is, it is in the correct EC subgroup and is not the - // identity element.)" - // - // Ensure that public key has the correct order: - // verify that n*Q = Ø. - // - // n*Q = Ø iff n*Q is the point at infinity (see step 1). - ox, oy := key.Curve.ScalarMult(key.X, key.Y, params.N.Bytes()) - if !isPointAtInfinityNISTP(ox, oy) { - return badKey("public key does not have correct order") - } - - // End of SP800-56A § 5.6.2.3.2 Public Key Validation Routine. - // Key is valid. - return nil -} - -// Returns true iff the point (x,y) on NIST P-256, NIST P-384 or NIST P-521 is -// the point at infinity. These curves all have the same point at infinity -// (0,0). This function must ONLY be used on points on curves verified to have -// (0,0) as their point at infinity. -func isPointAtInfinityNISTP(x, y *big.Int) bool { - return x.Sign() == 0 && y.Sign() == 0 -} - -// GoodCurve determines if an elliptic curve meets our requirements. -func (policy *KeyPolicy) goodCurve(c elliptic.Curve) (err error) { - // Simply use a whitelist for now. - params := c.Params() - switch { - case policy.allowedKeys.ECDSAP256 && params == elliptic.P256().Params(): - return nil - case policy.allowedKeys.ECDSAP384 && params == elliptic.P384().Params(): - return nil - case policy.allowedKeys.ECDSAP521 && params == elliptic.P521().Params(): - return nil - default: - return badKey("ECDSA curve %v not allowed", params.Name) - } -} - -// GoodKeyRSA determines if a RSA pubkey meets our requirements -func (policy *KeyPolicy) goodKeyRSA(key *rsa.PublicKey) error { - modulus := key.N - - err := policy.goodRSABitLen(key) - if err != nil { - return err - } - - if policy.weakRSAList != nil && policy.weakRSAList.Known(key) { - return badKey("key is on a known weak RSA key list") - } - - // Rather than support arbitrary exponents, which significantly increases - // the size of the key space we allow, we restrict E to the defacto standard - // RSA exponent 65537. There is no specific standards document that specifies - // 65537 as the 'best' exponent, but ITU X.509 Annex C suggests there are - // notable merits for using it if using a fixed exponent. - // - // The CABF Baseline Requirements state: - // The CA SHALL confirm that the value of the public exponent is an - // odd number equal to 3 or more. Additionally, the public exponent - // SHOULD be in the range between 2^16 + 1 and 2^256-1. - // - // By only allowing one exponent, which fits these constraints, we satisfy - // these requirements. - if key.E != 65537 { - return badKey("key exponent must be 65537") - } - - // The modulus SHOULD also have the following characteristics: an odd - // number, not the power of a prime, and have no factors smaller than 752. - // TODO: We don't yet check for "power of a prime." - if checkSmallPrimes(modulus) { - return badKey("key divisible by small prime") - } - // Check for weak keys generated by Infineon hardware - // (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17) - if rocacheck.IsWeak(key) { - return badKey("key generated by vulnerable Infineon-based hardware") - } - // Check if the key can be easily factored via Fermat's factorization method. - if policy.fermatRounds > 0 { - err := checkPrimeFactorsTooClose(modulus, policy.fermatRounds) - if err != nil { - return badKey("key generated with factors too close together: %w", err) - } - } - - return nil -} - -func (policy *KeyPolicy) goodRSABitLen(key *rsa.PublicKey) error { - // See comment on AllowedKeys above. - modulusBitLen := key.N.BitLen() - switch { - case modulusBitLen == 2048 && policy.allowedKeys.RSA2048: - return nil - case modulusBitLen == 3072 && policy.allowedKeys.RSA3072: - return nil - case modulusBitLen == 4096 && policy.allowedKeys.RSA4096: - return nil - default: - return badKey("key size not supported: %d", modulusBitLen) - } -} - -// Returns true iff integer i is divisible by any of the primes in smallPrimes. -// -// Short circuits; execution time is dependent on i. Do not use this on secret -// values. -// -// Rather than checking each prime individually (invoking Mod on each), -// multiply the primes together and let GCD do our work for us: if the -// GCD between and is not one, we know we have -// a bad key. This is substantially faster than checking each prime -// individually. -func checkSmallPrimes(i *big.Int) bool { - smallPrimesSingleton.Do(func() { - smallPrimesProduct = big.NewInt(1) - for _, prime := range smallPrimeInts { - smallPrimesProduct.Mul(smallPrimesProduct, big.NewInt(prime)) - } - }) - - // When the GCD is 1, i and smallPrimesProduct are coprime, meaning they - // share no common factors. When the GCD is not one, it is the product of - // all common factors, meaning we've identified at least one small prime - // which invalidates i as a valid key. - - var result big.Int - result.GCD(nil, nil, i, smallPrimesProduct) - return result.Cmp(big.NewInt(1)) != 0 -} - -// Returns an error if the modulus n is able to be factored into primes p and q -// via Fermat's factorization method. This method relies on the two primes being -// very close together, which means that they were almost certainly not picked -// independently from a uniform random distribution. Basically, if we can factor -// the key this easily, so can anyone else. -func checkPrimeFactorsTooClose(n *big.Int, rounds int) error { - // Pre-allocate some big numbers that we'll use a lot down below. - one := big.NewInt(1) - bb := new(big.Int) - - // Any odd integer is equal to a difference of squares of integers: - // n = a^2 - b^2 = (a + b)(a - b) - // Any RSA public key modulus is equal to a product of two primes: - // n = pq - // Here we try to find values for a and b, since doing so also gives us the - // prime factors p = (a + b) and q = (a - b). - - // We start with a close to the square root of the modulus n, to start with - // two candidate prime factors that are as close together as possible and - // work our way out from there. Specifically, we set a = ceil(sqrt(n)), the - // first integer greater than the square root of n. Unfortunately, big.Int's - // built-in square root function takes the floor, so we have to add one to get - // the ceil. - a := new(big.Int) - a.Sqrt(n).Add(a, one) - - // We calculate b2 to see if it is a perfect square (i.e. b^2), and therefore - // b is an integer. Specifically, b2 = a^2 - n. - b2 := new(big.Int) - b2.Mul(a, a).Sub(b2, n) - - for range rounds { - // To see if b2 is a perfect square, we take its square root, square that, - // and check to see if we got the same result back. - bb.Sqrt(b2).Mul(bb, bb) - if b2.Cmp(bb) == 0 { - // b2 is a perfect square, so we've found integer values of a and b, - // and can easily compute p and q as their sum and difference. - bb.Sqrt(bb) - p := new(big.Int).Add(a, bb) - q := new(big.Int).Sub(a, bb) - return fmt.Errorf("public modulus n = pq factored into p: %s; q: %s", p, q) - } - - // Set up the next iteration by incrementing a by one and recalculating b2. - a.Add(a, one) - b2.Mul(a, a).Sub(b2, n) - } - return nil -} diff --git a/vendor/github.com/letsencrypt/boulder/goodkey/weak.go b/vendor/github.com/letsencrypt/boulder/goodkey/weak.go deleted file mode 100644 index dd7afd5e4c7..00000000000 --- a/vendor/github.com/letsencrypt/boulder/goodkey/weak.go +++ /dev/null @@ -1,66 +0,0 @@ -package goodkey - -// This file defines a basic method for testing if a given RSA public key is on one of -// the Debian weak key lists and is therefore considered compromised. Instead of -// directly loading the hash suffixes from the individual lists we flatten them all -// into a single JSON list using cmd/weak-key-flatten for ease of use. - -import ( - "crypto/rsa" - "crypto/sha1" - "encoding/hex" - "encoding/json" - "fmt" - "os" -) - -type truncatedHash [10]byte - -type WeakRSAKeys struct { - suffixes map[truncatedHash]struct{} -} - -func LoadWeakRSASuffixes(path string) (*WeakRSAKeys, error) { - f, err := os.ReadFile(path) - if err != nil { - return nil, err - } - - var suffixList []string - err = json.Unmarshal(f, &suffixList) - if err != nil { - return nil, err - } - - wk := &WeakRSAKeys{suffixes: make(map[truncatedHash]struct{})} - for _, suffix := range suffixList { - err := wk.addSuffix(suffix) - if err != nil { - return nil, err - } - } - return wk, nil -} - -func (wk *WeakRSAKeys) addSuffix(str string) error { - var suffix truncatedHash - decoded, err := hex.DecodeString(str) - if err != nil { - return err - } - if len(decoded) != 10 { - return fmt.Errorf("unexpected suffix length of %d", len(decoded)) - } - copy(suffix[:], decoded) - wk.suffixes[suffix] = struct{}{} - return nil -} - -func (wk *WeakRSAKeys) Known(key *rsa.PublicKey) bool { - // Hash input is in the format "Modulus={upper-case hex of modulus}\n" - hash := sha1.Sum([]byte(fmt.Sprintf("Modulus=%X\n", key.N.Bytes()))) - var suffix truncatedHash - copy(suffix[:], hash[10:]) - _, present := wk.suffixes[suffix] - return present -} diff --git a/vendor/github.com/letsencrypt/boulder/identifier/identifier.go b/vendor/github.com/letsencrypt/boulder/identifier/identifier.go deleted file mode 100644 index cbf228f869f..00000000000 --- a/vendor/github.com/letsencrypt/boulder/identifier/identifier.go +++ /dev/null @@ -1,32 +0,0 @@ -// The identifier package defines types for RFC 8555 ACME identifiers. -package identifier - -// IdentifierType is a named string type for registered ACME identifier types. -// See https://tools.ietf.org/html/rfc8555#section-9.7.7 -type IdentifierType string - -const ( - // DNS is specified in RFC 8555 for DNS type identifiers. - DNS = IdentifierType("dns") -) - -// ACMEIdentifier is a struct encoding an identifier that can be validated. The -// protocol allows for different types of identifier to be supported (DNS -// names, IP addresses, etc.), but currently we only support RFC 8555 DNS type -// identifiers for domain names. -type ACMEIdentifier struct { - // Type is the registered IdentifierType of the identifier. - Type IdentifierType `json:"type"` - // Value is the value of the identifier. For a DNS type identifier it is - // a domain name. - Value string `json:"value"` -} - -// DNSIdentifier is a convenience function for creating an ACMEIdentifier with -// Type DNS for a given domain name. -func DNSIdentifier(domain string) ACMEIdentifier { - return ACMEIdentifier{ - Type: DNS, - Value: domain, - } -} diff --git a/vendor/github.com/letsencrypt/boulder/probs/probs.go b/vendor/github.com/letsencrypt/boulder/probs/probs.go deleted file mode 100644 index ec6c272ae52..00000000000 --- a/vendor/github.com/letsencrypt/boulder/probs/probs.go +++ /dev/null @@ -1,343 +0,0 @@ -package probs - -import ( - "fmt" - "net/http" - - "github.com/letsencrypt/boulder/identifier" -) - -const ( - // Error types that can be used in ACME payloads. These are sorted in the - // same order as they are defined in RFC8555 Section 6.7. We do not implement - // the `compound`, `externalAccountRequired`, or `userActionRequired` errors, - // because we have no path that would return them. - AccountDoesNotExistProblem = ProblemType("accountDoesNotExist") - AlreadyRevokedProblem = ProblemType("alreadyRevoked") - BadCSRProblem = ProblemType("badCSR") - BadNonceProblem = ProblemType("badNonce") - BadPublicKeyProblem = ProblemType("badPublicKey") - BadRevocationReasonProblem = ProblemType("badRevocationReason") - BadSignatureAlgorithmProblem = ProblemType("badSignatureAlgorithm") - CAAProblem = ProblemType("caa") - // ConflictProblem is a problem type that is not defined in RFC8555. - ConflictProblem = ProblemType("conflict") - ConnectionProblem = ProblemType("connection") - DNSProblem = ProblemType("dns") - InvalidContactProblem = ProblemType("invalidContact") - MalformedProblem = ProblemType("malformed") - OrderNotReadyProblem = ProblemType("orderNotReady") - RateLimitedProblem = ProblemType("rateLimited") - RejectedIdentifierProblem = ProblemType("rejectedIdentifier") - ServerInternalProblem = ProblemType("serverInternal") - TLSProblem = ProblemType("tls") - UnauthorizedProblem = ProblemType("unauthorized") - UnsupportedContactProblem = ProblemType("unsupportedContact") - UnsupportedIdentifierProblem = ProblemType("unsupportedIdentifier") - - ErrorNS = "urn:ietf:params:acme:error:" -) - -// ProblemType defines the error types in the ACME protocol -type ProblemType string - -// ProblemDetails objects represent problem documents -// https://tools.ietf.org/html/draft-ietf-appsawg-http-problem-00 -type ProblemDetails struct { - Type ProblemType `json:"type,omitempty"` - Detail string `json:"detail,omitempty"` - // HTTPStatus is the HTTP status code the ProblemDetails should probably be sent - // as. - HTTPStatus int `json:"status,omitempty"` - // SubProblems are optional additional per-identifier problems. See - // RFC 8555 Section 6.7.1: https://tools.ietf.org/html/rfc8555#section-6.7.1 - SubProblems []SubProblemDetails `json:"subproblems,omitempty"` -} - -// SubProblemDetails represents sub-problems specific to an identifier that are -// related to a top-level ProblemDetails. -// See RFC 8555 Section 6.7.1: https://tools.ietf.org/html/rfc8555#section-6.7.1 -type SubProblemDetails struct { - ProblemDetails - Identifier identifier.ACMEIdentifier `json:"identifier"` -} - -func (pd *ProblemDetails) Error() string { - return fmt.Sprintf("%s :: %s", pd.Type, pd.Detail) -} - -// WithSubProblems returns a new ProblemsDetails instance created by adding the -// provided subProbs to the existing ProblemsDetail. -func (pd *ProblemDetails) WithSubProblems(subProbs []SubProblemDetails) *ProblemDetails { - return &ProblemDetails{ - Type: pd.Type, - Detail: pd.Detail, - HTTPStatus: pd.HTTPStatus, - SubProblems: append(pd.SubProblems, subProbs...), - } -} - -// Helper functions which construct the basic RFC8555 Problem Documents, with -// the Type already set and the Details supplied by the caller. - -// AccountDoesNotExist returns a ProblemDetails representing an -// AccountDoesNotExistProblem error -func AccountDoesNotExist(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: AccountDoesNotExistProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// AlreadyRevoked returns a ProblemDetails with a AlreadyRevokedProblem and a 400 Bad -// Request status code. -func AlreadyRevoked(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: AlreadyRevokedProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusBadRequest, - } -} - -// BadCSR returns a ProblemDetails representing a BadCSRProblem. -func BadCSR(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: BadCSRProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusBadRequest, - } -} - -// BadNonce returns a ProblemDetails with a BadNonceProblem and a 400 Bad -// Request status code. -func BadNonce(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: BadNonceProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// BadPublicKey returns a ProblemDetails with a BadPublicKeyProblem and a 400 Bad -// Request status code. -func BadPublicKey(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: BadPublicKeyProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusBadRequest, - } -} - -// BadRevocationReason returns a ProblemDetails representing -// a BadRevocationReasonProblem -func BadRevocationReason(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: BadRevocationReasonProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusBadRequest, - } -} - -// BadSignatureAlgorithm returns a ProblemDetails with a BadSignatureAlgorithmProblem -// and a 400 Bad Request status code. -func BadSignatureAlgorithm(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: BadSignatureAlgorithmProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusBadRequest, - } -} - -// CAA returns a ProblemDetails representing a CAAProblem -func CAA(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: CAAProblem, - Detail: detail, - HTTPStatus: http.StatusForbidden, - } -} - -// Connection returns a ProblemDetails representing a ConnectionProblem -// error -func Connection(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: ConnectionProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// DNS returns a ProblemDetails representing a DNSProblem -func DNS(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: DNSProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// InvalidContact returns a ProblemDetails representing an InvalidContactProblem. -func InvalidContact(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: InvalidContactProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// Malformed returns a ProblemDetails with a MalformedProblem and a 400 Bad -// Request status code. -func Malformed(detail string, a ...any) *ProblemDetails { - if len(a) > 0 { - detail = fmt.Sprintf(detail, a...) - } - return &ProblemDetails{ - Type: MalformedProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// OrderNotReady returns a ProblemDetails representing a OrderNotReadyProblem -func OrderNotReady(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: OrderNotReadyProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusForbidden, - } -} - -// RateLimited returns a ProblemDetails representing a RateLimitedProblem error -func RateLimited(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: RateLimitedProblem, - Detail: detail, - HTTPStatus: http.StatusTooManyRequests, - } -} - -// RejectedIdentifier returns a ProblemDetails with a RejectedIdentifierProblem and a 400 Bad -// Request status code. -func RejectedIdentifier(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: RejectedIdentifierProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// ServerInternal returns a ProblemDetails with a ServerInternalProblem and a -// 500 Internal Server Failure status code. -func ServerInternal(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: ServerInternalProblem, - Detail: detail, - HTTPStatus: http.StatusInternalServerError, - } -} - -// TLS returns a ProblemDetails representing a TLSProblem error -func TLS(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: TLSProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// Unauthorized returns a ProblemDetails with an UnauthorizedProblem and a 403 -// Forbidden status code. -func Unauthorized(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: UnauthorizedProblem, - Detail: detail, - HTTPStatus: http.StatusForbidden, - } -} - -// UnsupportedContact returns a ProblemDetails representing an -// UnsupportedContactProblem -func UnsupportedContact(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: UnsupportedContactProblem, - Detail: detail, - HTTPStatus: http.StatusBadRequest, - } -} - -// UnsupportedIdentifier returns a ProblemDetails representing an -// UnsupportedIdentifierProblem -func UnsupportedIdentifier(detail string, a ...any) *ProblemDetails { - return &ProblemDetails{ - Type: UnsupportedIdentifierProblem, - Detail: fmt.Sprintf(detail, a...), - HTTPStatus: http.StatusBadRequest, - } -} - -// Additional helper functions that return variations on MalformedProblem with -// different HTTP status codes set. - -// Canceled returns a ProblemDetails with a MalformedProblem and a 408 Request -// Timeout status code. -func Canceled(detail string, a ...any) *ProblemDetails { - if len(a) > 0 { - detail = fmt.Sprintf(detail, a...) - } - return &ProblemDetails{ - Type: MalformedProblem, - Detail: detail, - HTTPStatus: http.StatusRequestTimeout, - } -} - -// Conflict returns a ProblemDetails with a ConflictProblem and a 409 Conflict -// status code. -func Conflict(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: ConflictProblem, - Detail: detail, - HTTPStatus: http.StatusConflict, - } -} - -// ContentLengthRequired returns a ProblemDetails representing a missing -// Content-Length header error -func ContentLengthRequired() *ProblemDetails { - return &ProblemDetails{ - Type: MalformedProblem, - Detail: "missing Content-Length header", - HTTPStatus: http.StatusLengthRequired, - } -} - -// InvalidContentType returns a ProblemDetails suitable for a missing -// ContentType header, or an incorrect ContentType header -func InvalidContentType(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: MalformedProblem, - Detail: detail, - HTTPStatus: http.StatusUnsupportedMediaType, - } -} - -// MethodNotAllowed returns a ProblemDetails representing a disallowed HTTP -// method error. -func MethodNotAllowed() *ProblemDetails { - return &ProblemDetails{ - Type: MalformedProblem, - Detail: "Method not allowed", - HTTPStatus: http.StatusMethodNotAllowed, - } -} - -// NotFound returns a ProblemDetails with a MalformedProblem and a 404 Not Found -// status code. -func NotFound(detail string) *ProblemDetails { - return &ProblemDetails{ - Type: MalformedProblem, - Detail: detail, - HTTPStatus: http.StatusNotFound, - } -} diff --git a/vendor/github.com/letsencrypt/boulder/revocation/reasons.go b/vendor/github.com/letsencrypt/boulder/revocation/reasons.go deleted file mode 100644 index 50f556be011..00000000000 --- a/vendor/github.com/letsencrypt/boulder/revocation/reasons.go +++ /dev/null @@ -1,72 +0,0 @@ -package revocation - -import ( - "fmt" - "sort" - "strings" - - "golang.org/x/crypto/ocsp" -) - -// Reason is used to specify a certificate revocation reason -type Reason int - -// ReasonToString provides a map from reason code to string -var ReasonToString = map[Reason]string{ - ocsp.Unspecified: "unspecified", - ocsp.KeyCompromise: "keyCompromise", - ocsp.CACompromise: "cACompromise", - ocsp.AffiliationChanged: "affiliationChanged", - ocsp.Superseded: "superseded", - ocsp.CessationOfOperation: "cessationOfOperation", - ocsp.CertificateHold: "certificateHold", - // 7 is unused - ocsp.RemoveFromCRL: "removeFromCRL", - ocsp.PrivilegeWithdrawn: "privilegeWithdrawn", - ocsp.AACompromise: "aAcompromise", -} - -// UserAllowedReasons contains the subset of Reasons which users are -// allowed to use -var UserAllowedReasons = map[Reason]struct{}{ - ocsp.Unspecified: {}, - ocsp.KeyCompromise: {}, - ocsp.Superseded: {}, - ocsp.CessationOfOperation: {}, -} - -// AdminAllowedReasons contains the subset of Reasons which admins are allowed -// to use. Reasons not found here will soon be forbidden from appearing in CRLs -// or OCSP responses by root programs. -var AdminAllowedReasons = map[Reason]struct{}{ - ocsp.Unspecified: {}, - ocsp.KeyCompromise: {}, - ocsp.Superseded: {}, - ocsp.CessationOfOperation: {}, - ocsp.PrivilegeWithdrawn: {}, -} - -// UserAllowedReasonsMessage contains a string describing a list of user allowed -// revocation reasons. This is useful when a revocation is rejected because it -// is not a valid user supplied reason and the allowed values must be -// communicated. This variable is populated during package initialization. -var UserAllowedReasonsMessage = "" - -func init() { - // Build a slice of ints from the allowed reason codes. - // We want a slice because iterating `UserAllowedReasons` will change order - // and make the message unpredictable and cumbersome for unit testing. - // We use []ints instead of []Reason to use `sort.Ints` without fuss. - var allowed []int - for reason := range UserAllowedReasons { - allowed = append(allowed, int(reason)) - } - sort.Ints(allowed) - - var reasonStrings []string - for _, reason := range allowed { - reasonStrings = append(reasonStrings, fmt.Sprintf("%s (%d)", - ReasonToString[Reason(reason)], reason)) - } - UserAllowedReasonsMessage = strings.Join(reasonStrings, ", ") -} diff --git a/vendor/github.com/letsencrypt/boulder/strictyaml/yaml.go b/vendor/github.com/letsencrypt/boulder/strictyaml/yaml.go deleted file mode 100644 index 8e3bae9965a..00000000000 --- a/vendor/github.com/letsencrypt/boulder/strictyaml/yaml.go +++ /dev/null @@ -1,46 +0,0 @@ -// Package strictyaml provides a strict YAML unmarshaller based on `go-yaml/yaml` -package strictyaml - -import ( - "bytes" - "errors" - "fmt" - "io" - - "gopkg.in/yaml.v3" -) - -// Unmarshal takes a byte array and an interface passed by reference. The -// d.Decode will read the next YAML-encoded value from its input and store it in -// the value pointed to by yamlObj. Any config keys from the incoming YAML -// document which do not correspond to expected keys in the config struct will -// result in errors. -// -// TODO(https://github.com/go-yaml/yaml/issues/639): Replace this function with -// yaml.Unmarshal once a more ergonomic way to set unmarshal options is added -// upstream. -func Unmarshal(b []byte, yamlObj interface{}) error { - r := bytes.NewReader(b) - - d := yaml.NewDecoder(r) - d.KnownFields(true) - - // d.Decode will mutate yamlObj - err := d.Decode(yamlObj) - - if err != nil { - // io.EOF is returned when the YAML document is empty. - if errors.Is(err, io.EOF) { - return fmt.Errorf("unmarshalling YAML, bytes cannot be nil: %w", err) - } - return fmt.Errorf("unmarshalling YAML: %w", err) - } - - // As bytes are read by the decoder, the length of the byte buffer should - // decrease. If it doesn't, there's a problem. - if r.Len() != 0 { - return fmt.Errorf("yaml object of size %d bytes had %d bytes of unexpected unconsumed trailers", r.Size(), r.Len()) - } - - return nil -} diff --git a/vendor/github.com/modern-go/reflect2/safe_type.go b/vendor/github.com/modern-go/reflect2/safe_type.go index ee4e7bb6edf..5646309e09c 100644 --- a/vendor/github.com/modern-go/reflect2/safe_type.go +++ b/vendor/github.com/modern-go/reflect2/safe_type.go @@ -6,10 +6,12 @@ import ( ) type safeType struct { - reflect.Type - cfg *frozenConfig + Type reflect.Type + cfg *frozenConfig } +var _ Type = &safeType{} + func (type2 *safeType) New() interface{} { return reflect.New(type2.Type).Interface() } @@ -18,6 +20,22 @@ func (type2 *safeType) UnsafeNew() unsafe.Pointer { panic("does not support unsafe operation") } +func (type2 *safeType) Kind() reflect.Kind { + return type2.Type.Kind() +} + +func (type2 *safeType) Len() int { + return type2.Type.Len() +} + +func (type2 *safeType) NumField() int { + return type2.Type.NumField() +} + +func (type2 *safeType) String() string { + return type2.Type.String() +} + func (type2 *safeType) Elem() Type { return type2.cfg.Type2(type2.Type.Elem()) } diff --git a/vendor/github.com/proglottis/gpgme/data.go b/vendor/github.com/proglottis/gpgme/data.go index 0e81c36d662..bbbe86a5a94 100644 --- a/vendor/github.com/proglottis/gpgme/data.go +++ b/vendor/github.com/proglottis/gpgme/data.go @@ -156,31 +156,38 @@ func (d *Data) Close() error { if d.cbc > 0 { d.cbc.Delete() } - _, err := C.gpgme_data_release(d.dh) + C.gpgme_data_release(d.dh) runtime.KeepAlive(d) d.dh = nil - return err + return nil } func (d *Data) Write(p []byte) (int, error) { - var buffer *byte - if len(p) > 0 { - buffer = &p[0] + total := 0 + for total < len(p) { + remaining := p[total:] + + var buffer *byte + if len(remaining) > 0 { + buffer = &remaining[0] + } + + n, err := C.gpgme_data_write(d.dh, unsafe.Pointer(buffer), C.size_t(len(remaining))) + runtime.KeepAlive(d) + switch { + case d.err != nil: + defer func() { d.err = nil }() + return total, d.err + case n < 0: + return total, err + case n == 0: // This should never happen, but ensure we don’t loop forever + // If we got here, we know len(p) > 0, so ErrShortWrite is appropriate. + return total, io.ErrShortWrite + } + + total += int(n) } - - n, err := C.gpgme_data_write(d.dh, unsafe.Pointer(buffer), C.size_t(len(p))) - runtime.KeepAlive(d) - switch { - case d.err != nil: - defer func() { d.err = nil }() - - return 0, d.err - case err != nil: - return 0, err - case len(p) > 0 && n == 0: - return 0, io.EOF - } - return int(n), nil + return total, nil } func (d *Data) Read(p []byte) (int, error) { @@ -196,7 +203,7 @@ func (d *Data) Read(p []byte) (int, error) { defer func() { d.err = nil }() return 0, d.err - case err != nil: + case n < 0: return 0, err case len(p) > 0 && n == 0: return 0, io.EOF @@ -212,7 +219,7 @@ func (d *Data) Seek(offset int64, whence int) (int64, error) { defer func() { d.err = nil }() return 0, d.err - case err != nil: + case n < 0: return 0, err } return int64(n), nil diff --git a/vendor/github.com/proglottis/gpgme/gpgme.go b/vendor/github.com/proglottis/gpgme/gpgme.go index 62a095c1289..6e8d04c62ad 100644 --- a/vendor/github.com/proglottis/gpgme/gpgme.go +++ b/vendor/github.com/proglottis/gpgme/gpgme.go @@ -144,7 +144,16 @@ func (e Error) Code() ErrorCode { } func (e Error) Error() string { - return C.GoString(C.gpgme_strerror(e.err)) + // gpgme_error_t, aka gpg_error_t, is a single 32-bit integer, so it does not include + // strings of arbitrary length + // (compare https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgpg-error.git;a=blob;f=src/err-codes.h.in;hb=HEAD ). + // + // So, a medium-size hard-coded buffer is sufficient. + var buf [1024]C.char + _ = C.gpgme_strerror_r(e.err, &buf[0], C.size_t(len(buf))) + buf[len(buf)-1] = 0 // If gpgme_strerror_r returns ERANGE, the buffer is not guaranteed to be null-terminated + + return C.GoString(&buf[0]) } func handleError(err C.gpgme_error_t) error { @@ -377,20 +386,19 @@ func (c *Context) PinEntryMode() PinEntryMode { } func (c *Context) SetCallback(callback Callback) error { - var err error c.callback = callback if c.cbc > 0 { c.cbc.Delete() } if callback != nil { c.cbc = cgo.NewHandle(c) - _, err = C.gpgme_set_passphrase_cb(c.ctx, C.gpgme_passphrase_cb_t(C.gogpgme_passfunc), unsafe.Pointer(&c.cbc)) + C.gpgme_set_passphrase_cb(c.ctx, C.gpgme_passphrase_cb_t(C.gogpgme_passfunc), unsafe.Pointer(&c.cbc)) } else { c.cbc = 0 - _, err = C.gpgme_set_passphrase_cb(c.ctx, nil, nil) + C.gpgme_set_passphrase_cb(c.ctx, nil, nil) } runtime.KeepAlive(c) - return err + return nil } func (c *Context) EngineInfo() *EngineInfo { diff --git a/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go b/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go index 584aac971f3..4ed41e31a1f 100644 --- a/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go +++ b/vendor/github.com/sigstore/fulcio/pkg/certificate/extensions.go @@ -53,6 +53,7 @@ var ( OIDBuildTrigger = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 20} OIDRunInvocationURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 21} OIDSourceRepositoryVisibilityAtSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 22} + OIDDeploymentEnvironment = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 23} ) // Extensions contains all custom x509 extensions defined by Fulcio @@ -132,6 +133,9 @@ type Extensions struct { // Source repository visibility at the time of signing the certificate. SourceRepositoryVisibilityAtSigning string `json:"SourceRepositoryVisibilityAtSigning,omitempty" yaml:"source-repository-visibility-at-signing,omitempty"` // 1.3.6.1.4.1.57264.1.22 + + // Deployment target for a workflow or job + DeploymentEnvironment string `json:"DeploymentEnvironment,omitempty" yaml:"deployment-environment,omitempty"` // 1.3.6.1.4.1.57264.1.23 } func (e Extensions) Render() ([]pkix.Extension, error) { @@ -334,6 +338,16 @@ func (e Extensions) Render() ([]pkix.Extension, error) { Value: val, }) } + if e.DeploymentEnvironment != "" { + val, err := asn1.MarshalWithParams(e.DeploymentEnvironment, "utf8") + if err != nil { + return nil, err + } + exts = append(exts, pkix.Extension{ + Id: OIDDeploymentEnvironment, + Value: val, + }) + } return exts, nil } @@ -417,6 +431,10 @@ func ParseExtensions(ext []pkix.Extension) (Extensions, error) { if err := ParseDERString(e.Value, &out.SourceRepositoryVisibilityAtSigning); err != nil { return Extensions{}, err } + case e.Id.Equal(OIDDeploymentEnvironment): + if err := ParseDERString(e.Value, &out.DeploymentEnvironment); err != nil { + return Extensions{}, err + } } } diff --git a/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go b/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go index 40725bd79c3..5f339b2d78d 100644 --- a/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/vendor/github.com/sigstore/protobuf-specs/gen/pb-go/common/v1/sigstore_common.pb.go @@ -15,7 +15,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.36.5 -// protoc v5.29.4 +// protoc v6.30.2 // source: sigstore_common.proto package v1 @@ -112,7 +112,8 @@ func (HashAlgorithm) EnumDescriptor() ([]byte, []int) { // opinionated options instead of allowing every possible permutation. // // Any changes to this enum MUST be reflected in the algorithm registry. -// See: docs/algorithm-registry.md +// +// See: // // To avoid the possibility of contradicting formats such as PKCS1 with // ED25519 the valid permutations are listed as a linear set instead of a @@ -159,8 +160,9 @@ const ( PublicKeyDetails_PKIX_ECDSA_P521_SHA_256 PublicKeyDetails = 20 // LMS and LM-OTS // - // These keys and signatures may be used by private Sigstore - // deployments, but are not currently supported by the public + // These algorithms are deprecated and should not be used. + // Keys and signatures MAY be used by private Sigstore + // deployments, but will not be supported by the public // good instance. // // USER WARNING: LMS and LM-OTS are both stateful signature schemes. @@ -170,8 +172,26 @@ const ( // MUST NOT be used for more than one signature per LM-OTS key. // If you cannot maintain these invariants, you MUST NOT use these // schemes. - PublicKeyDetails_LMS_SHA256 PublicKeyDetails = 14 + // + // Deprecated: Marked as deprecated in sigstore_common.proto. + PublicKeyDetails_LMS_SHA256 PublicKeyDetails = 14 + // Deprecated: Marked as deprecated in sigstore_common.proto. PublicKeyDetails_LMOTS_SHA256 PublicKeyDetails = 15 + // ML-DSA + // + // These ML_DSA_65 and ML-DSA_87 algorithms are the pure variants that + // take data to sign rather than the prehash variants (HashML-DSA), which + // take digests. While considered quantum-resistant, their usage + // involves tradeoffs in that signatures and keys are much larger, and + // this makes deployments more costly. + // + // USER WARNING: ML_DSA_65 and ML_DSA_87 are experimental algorithms. + // In the future they MAY be used by private Sigstore deployments, but + // they are not yet fully functional. This warning will be removed when + // these algorithms are widely supported by Sigstore clients and servers, + // but care should still be taken for production environments. + PublicKeyDetails_ML_DSA_65 PublicKeyDetails = 21 // See NIST FIPS 204 + PublicKeyDetails_ML_DSA_87 PublicKeyDetails = 22 ) // Enum value maps for PublicKeyDetails. @@ -198,6 +218,8 @@ var ( 20: "PKIX_ECDSA_P521_SHA_256", 14: "LMS_SHA256", 15: "LMOTS_SHA256", + 21: "ML_DSA_65", + 22: "ML_DSA_87", } PublicKeyDetails_value = map[string]int32{ "PUBLIC_KEY_DETAILS_UNSPECIFIED": 0, @@ -221,6 +243,8 @@ var ( "PKIX_ECDSA_P521_SHA_256": 20, "LMS_SHA256": 14, "LMOTS_SHA256": 15, + "ML_DSA_65": 21, + "ML_DSA_87": 22, } ) @@ -1134,7 +1158,7 @@ var file_sigstore_common_proto_rawDesc = string([]byte{ 0x48, 0x41, 0x32, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x33, 0x38, - 0x34, 0x10, 0x05, 0x2a, 0xe9, 0x04, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x34, 0x10, 0x05, 0x2a, 0x8f, 0x05, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x22, 0x0a, 0x1e, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x44, 0x45, 0x54, 0x41, 0x49, 0x4c, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x11, @@ -1170,25 +1194,27 @@ var file_sigstore_common_proto_rawDesc = string([]byte{ 0x44, 0x53, 0x41, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x13, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1f, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x35, 0x32, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, - 0x36, 0x10, 0x14, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x0e, 0x0a, 0x0a, 0x4c, 0x4d, 0x53, 0x5f, 0x53, - 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0e, 0x12, 0x10, 0x0a, 0x0c, 0x4c, 0x4d, 0x4f, 0x54, 0x53, - 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0f, 0x22, 0x04, 0x08, 0x15, 0x10, 0x32, 0x2a, - 0x6f, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, - 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a, - 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41, 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41, - 0x54, 0x49, 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, - 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, - 0x45, 0x4d, 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, - 0x12, 0x0e, 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03, - 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, - 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, - 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x36, 0x10, 0x14, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x12, 0x0a, 0x0a, 0x4c, 0x4d, 0x53, 0x5f, 0x53, + 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0e, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x14, 0x0a, 0x0c, 0x4c, + 0x4d, 0x4f, 0x54, 0x53, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0f, 0x1a, 0x02, 0x08, + 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x4d, 0x4c, 0x5f, 0x44, 0x53, 0x41, 0x5f, 0x36, 0x35, 0x10, 0x15, + 0x12, 0x0d, 0x0a, 0x09, 0x4d, 0x4c, 0x5f, 0x44, 0x53, 0x41, 0x5f, 0x38, 0x37, 0x10, 0x16, 0x22, + 0x04, 0x08, 0x17, 0x10, 0x32, 0x2a, 0x6f, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, + 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41, + 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x54, 0x49, 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f, + 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, + 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x4d, 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, + 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f, + 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03, 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, + 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, + 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, + 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, }) var ( diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go index 1e2fa031be9..63e789a8d2d 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go +++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/publickey.go @@ -16,7 +16,6 @@ package cryptoutils import ( - "context" "crypto" "crypto/ecdsa" "crypto/ed25519" @@ -29,8 +28,6 @@ import ( "encoding/pem" "errors" "fmt" - - "github.com/letsencrypt/boulder/goodkey" ) const ( @@ -133,54 +130,3 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string { } return fmt.Sprintf("%s (%s, %s)", msg, hex.EncodeToString(firstSKID), hex.EncodeToString(secondSKID)) } - -// ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key. -func ValidatePubKey(pub crypto.PublicKey) error { - // goodkey policy enforces: - // * RSA - // * Size of key: 2048 <= size <= 4096, size % 8 = 0 - // * Exponent E = 65537 (Default exponent for OpenSSL and Golang) - // * Small primes check for modulus - // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17) - // * Key is easily factored with Fermat's factorization method - // * EC - // * Public key Q is not the identity element (Ø) - // * Public key Q's x and y are within [0, p-1] - // * Public key Q is on the curve - // * Public key Q's order matches the subgroups (nQ = Ø) - allowedKeys := &goodkey.AllowedKeys{ - RSA2048: true, - RSA3072: true, - RSA4096: true, - ECDSAP256: true, - ECDSAP384: true, - ECDSAP521: true, - } - cfg := &goodkey.Config{ - FermatRounds: 100, - AllowedKeys: allowedKeys, - } - p, err := goodkey.NewPolicy(cfg, nil) - if err != nil { - // Should not occur, only chances to return errors are if fermat rounds - // are <0 or when loading blocked/weak keys from disk (not used here) - return errors.New("unable to initialize key policy") - } - - switch pk := pub.(type) { - case *rsa.PublicKey: - // ctx is unused - return p.GoodKey(context.Background(), pub) - case *ecdsa.PublicKey: - // ctx is unused - return p.GoodKey(context.Background(), pub) - case ed25519.PublicKey: - return validateEd25519Key(pk) - } - return errors.New("unsupported public key type") -} - -// No validations currently, ED25519 supports only one key size. -func validateEd25519Key(_ ed25519.PublicKey) error { - return nil -} diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/safestring.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/safestring.go new file mode 100644 index 00000000000..cdc69aec377 --- /dev/null +++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/safestring.go @@ -0,0 +1,34 @@ +// +// Copyright 2025 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package cryptoutils + +import ( + "crypto/rand" + "encoding/base64" +) + +// GenerateRandomURLSafeString generates a cryptographically secure random +// URL-safe string with the specified number of bits of entropy. +func GenerateRandomURLSafeString(entropyLength uint) string { + if entropyLength == 0 { + return "" + } + // Round up to the nearest byte to ensure minimum entropy is met + entropyBytes := (entropyLength + 7) / 8 + b := make([]byte, entropyBytes) + _, _ = rand.Read(b) + return base64.RawURLEncoding.EncodeToString(b) +} diff --git a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go index d237ef58ea6..abcea306a03 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go +++ b/vendor/github.com/sigstore/sigstore/pkg/cryptoutils/sans.go @@ -132,6 +132,9 @@ func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error) { // and OtherName SANs func GetSubjectAlternateNames(cert *x509.Certificate) []string { sans := []string{} + if cert == nil { + return sans + } sans = append(sans, cert.DNSNames...) sans = append(sans, cert.EmailAddresses...) for _, ip := range cert.IPAddresses { diff --git a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go index 6f8449eea9c..44771ff3daa 100644 --- a/vendor/github.com/sigstore/sigstore/pkg/signature/message.go +++ b/vendor/github.com/sigstore/sigstore/pkg/signature/message.go @@ -55,10 +55,10 @@ func ComputeDigestForSigning(rawMessage io.Reader, defaultHashFunc crypto.Hash, if hashedWith != crypto.Hash(0) && len(digest) != hashedWith.Size() { err = errors.New("unexpected length of digest for hash function specified") } - return + return digest, hashedWith, err } digest, err = hashMessage(rawMessage, hashedWith) - return + return digest, hashedWith, err } // ComputeDigestForVerifying calculates the digest value for the specified message using a hash function selected by the following process: @@ -81,10 +81,10 @@ func ComputeDigestForVerifying(rawMessage io.Reader, defaultHashFunc crypto.Hash if hashedWith != crypto.Hash(0) && len(digest) != hashedWith.Size() { err = errors.New("unexpected length of digest for hash function specified") } - return + return digest, hashedWith, err } digest, err = hashMessage(rawMessage, hashedWith) - return + return digest, hashedWith, err } func hashMessage(rawMessage io.Reader, hashFunc crypto.Hash) ([]byte, error) { diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go b/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go index 499789984d2..69956b425a1 100644 --- a/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go +++ b/vendor/github.com/sirupsen/logrus/terminal_check_bsd.go @@ -1,4 +1,4 @@ -// +build darwin dragonfly freebsd netbsd openbsd +// +build darwin dragonfly freebsd netbsd openbsd hurd // +build !js package logrus diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_unix.go b/vendor/github.com/sirupsen/logrus/terminal_check_unix.go index 04748b8515f..c9aed267a4c 100644 --- a/vendor/github.com/sirupsen/logrus/terminal_check_unix.go +++ b/vendor/github.com/sirupsen/logrus/terminal_check_unix.go @@ -1,5 +1,7 @@ +//go:build (linux || aix || zos) && !js && !wasi // +build linux aix zos // +build !js +// +build !wasi package logrus diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_wasi.go b/vendor/github.com/sirupsen/logrus/terminal_check_wasi.go new file mode 100644 index 00000000000..2822b212fbf --- /dev/null +++ b/vendor/github.com/sirupsen/logrus/terminal_check_wasi.go @@ -0,0 +1,8 @@ +//go:build wasi +// +build wasi + +package logrus + +func isTerminal(fd int) bool { + return false +} diff --git a/vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go b/vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go new file mode 100644 index 00000000000..108a6be12b1 --- /dev/null +++ b/vendor/github.com/sirupsen/logrus/terminal_check_wasip1.go @@ -0,0 +1,8 @@ +//go:build wasip1 +// +build wasip1 + +package logrus + +func isTerminal(fd int) bool { + return false +} diff --git a/vendor/github.com/titanous/rocacheck/LICENSE b/vendor/github.com/titanous/rocacheck/LICENSE deleted file mode 100644 index 7bdce481fa2..00000000000 --- a/vendor/github.com/titanous/rocacheck/LICENSE +++ /dev/null @@ -1,22 +0,0 @@ -MIT License - -Copyright (c) 2017, Jonathan Rudenberg -Copyright (c) 2017, CRoCS, EnigmaBridge Ltd. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/vendor/github.com/titanous/rocacheck/README.md b/vendor/github.com/titanous/rocacheck/README.md deleted file mode 100644 index b8e765ea9c4..00000000000 --- a/vendor/github.com/titanous/rocacheck/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# rocacheck [![GoDoc](https://godoc.org/github.com/titanous/rocacheck?status.svg)](https://godoc.org/github.com/titanous/rocacheck) - -Package rocacheck is a Go implementation of the [key fingerprint -algorithm](https://github.com/crocs-muni/roca) that checks if an RSA key was -generated by broken Infineon code and is vulnerable to factorization via the -[Return of Coppersmith's Attack -(ROCA)](https://crocs.fi.muni.cz/public/papers/rsa_ccs17) / CVE-2017-15361. diff --git a/vendor/github.com/titanous/rocacheck/rocacheck.go b/vendor/github.com/titanous/rocacheck/rocacheck.go deleted file mode 100644 index e813579bb87..00000000000 --- a/vendor/github.com/titanous/rocacheck/rocacheck.go +++ /dev/null @@ -1,52 +0,0 @@ -// Package rocacheck checks if a key was generated by broken Infineon code and -// is vulnerable to factorization via the Return of Coppersmith's Attack (ROCA) -// / CVE-2017-15361. -package rocacheck - -import ( - "crypto/rsa" - "math/big" -) - -type test struct { - Prime *big.Int - Fingerprints map[int64]struct{} -} - -var tests = make([]test, 17) - -func init() { - bigOne := big.NewInt(1) - n := &big.Int{} - // relations table from https://github.com/crocs-muni/roca/pull/40 - for i, r := range [][2]int64{ - {2, 11}, {6, 13}, {8, 17}, {9, 19}, {3, 37}, {26, 53}, {20, 61}, - {35, 71}, {24, 73}, {13, 79}, {6, 97}, {51, 103}, {53, 107}, - {54, 109}, {42, 127}, {50, 151}, {78, 157}, - } { - fps := make(map[int64]struct{}) - bp := big.NewInt(r[1]) - br := big.NewInt(r[0]) - for j := int64(0); j < r[1]; j++ { - if n.Exp(big.NewInt(j), br, bp).Cmp(bigOne) == 0 { - fps[j] = struct{}{} - } - } - tests[i] = test{ - Prime: big.NewInt(r[1]), - Fingerprints: fps, - } - } -} - -// IsWeak returns true if a RSA public key is vulnerable to Return of -// Coppersmith's Attack (ROCA). -func IsWeak(k *rsa.PublicKey) bool { - tmp := &big.Int{} - for _, t := range tests { - if _, ok := t.Fingerprints[tmp.Mod(k.N, t.Prime).Int64()]; !ok { - return false - } - } - return true -} diff --git a/vendor/go.podman.io/common/libnetwork/cni/network.go b/vendor/go.podman.io/common/libnetwork/cni/network.go index 8a22773388a..33220a2827b 100644 --- a/vendor/go.podman.io/common/libnetwork/cni/network.go +++ b/vendor/go.podman.io/common/libnetwork/cni/network.go @@ -327,9 +327,10 @@ func (n *cniNetwork) NetworkInfo() types.NetworkInfo { } info := types.NetworkInfo{ - Backend: types.CNI, - Package: packageVersion, - Path: path, + Backend: types.CNI, + Package: packageVersion, + Path: path, + DefaultNetwork: n.defaultNetwork, } dnsPath := filepath.Join(path, "dnsname") diff --git a/vendor/go.podman.io/common/libnetwork/netavark/network.go b/vendor/go.podman.io/common/libnetwork/netavark/network.go index 855023db7d8..9dbe3b452da 100644 --- a/vendor/go.podman.io/common/libnetwork/netavark/network.go +++ b/vendor/go.podman.io/common/libnetwork/netavark/network.go @@ -369,10 +369,11 @@ func (n *netavarkNetwork) NetworkInfo() types.NetworkInfo { logrus.Infof("Failed to get the netavark version: %v", err) } info := types.NetworkInfo{ - Backend: types.Netavark, - Version: programVersion, - Package: packageVersion, - Path: path, + Backend: types.Netavark, + Version: programVersion, + Package: packageVersion, + Path: path, + DefaultNetwork: n.defaultNetwork, } dnsPath := n.aardvarkBinary diff --git a/vendor/go.podman.io/common/libnetwork/types/network.go b/vendor/go.podman.io/common/libnetwork/types/network.go index 5b15d080372..4471f6c507f 100644 --- a/vendor/go.podman.io/common/libnetwork/types/network.go +++ b/vendor/go.podman.io/common/libnetwork/types/network.go @@ -97,11 +97,12 @@ type NetworkUpdateOptions struct { // NetworkInfo contains the network information. type NetworkInfo struct { - Backend NetworkBackend `json:"backend"` - Version string `json:"version,omitempty"` - Package string `json:"package,omitempty"` - Path string `json:"path,omitempty"` - DNS DNSNetworkInfo `json:"dns,omitempty"` + Backend NetworkBackend `json:"backend"` + Version string `json:"version,omitempty"` + Package string `json:"package,omitempty"` + Path string `json:"path,omitempty"` + DNS DNSNetworkInfo `json:"dns,omitempty"` + DefaultNetwork string `json:"default_network,omitempty"` } // DNSNetworkInfo contains the DNS information. diff --git a/vendor/go.podman.io/common/pkg/config/containers.conf b/vendor/go.podman.io/common/pkg/config/containers.conf index fd337831c9d..d89827d3f58 100644 --- a/vendor/go.podman.io/common/pkg/config/containers.conf +++ b/vendor/go.podman.io/common/pkg/config/containers.conf @@ -216,12 +216,12 @@ default_sysctls = [ # #log_driver = "k8s-file" -# Default path for container logs to be stored in. When empty, logs will be stored +# Default path for container logs to be stored in. When empty, logs will be stored # in the container's default storage and removed when the container is removed. -# A subdirectory named with the container ID will be created under the specified +# A subdirectory named with the container ID will be created under the specified # path, and the log file will have the default name `ctr.log` within that directory. # This option can be overridden by the `--log-opt` flag. -# +# #log_path = "" # Maximum size allowed for the container log file. Negative numbers indicate @@ -359,7 +359,7 @@ default_sysctls = [ # already containers/images or CNI networks preset it will choose CNI. # # Before changing this value all containers must be stopped otherwise it is likely that -# iptables rules and network interfaces might leak on the host. A reboot will fix this. +# firewall rules and network interfaces might leak on the host. A reboot will fix this. # #network_backend = "" @@ -384,7 +384,7 @@ default_sysctls = [ # The firewall driver to be used by netavark. # The default is empty which means netavark will pick one accordingly. Current supported -# drivers are "iptables", "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is +# drivers are "nftables", "none" (no firewall rules will be created) and "firewalld" (firewalld is # experimental at the moment and not recommend outside of testing). # #firewall_driver = "" @@ -542,10 +542,14 @@ default_sysctls = [ # #enable_port_reservation = true -# Environment variables to be used when running the container engine (e.g., Podman, Buildah). -# For example "http_proxy=internal.proxy.company.com". -# Note these environment variables will not be used within the container. -# Set the env section under [containers] table, if you want to set environment variables for the container. +# Environment variables to be used when running the container engine (e.g., +# Podman, Buildah). For example "MYVAR=value". These environment variables +# will not be used within the container. Set the env section under the +# [containers] table, if you want to set environment variables for the +# container. +# Note when using this to set http proxy variables then they might get +# leaked into the container depending on if `http_proxy` (under the +# [containers] table) is set to to true (default) or false. # #env = [] @@ -937,9 +941,9 @@ default_sysctls = [ # wsl - Windows Subsystem for Linux (Default) # hyperv - Windows Server Virtualization # Mac: there are currently two options: -# applehv - Default Apple Hypervisor (Default) # libkrun - Launch virtual machines using the libkrun platform, optimized -# for sharing GPU with the machine. +# for sharing GPU with the machine. (Default) +# applehv - Launch virtual machines using the vfkit platform. #provider = "" # Rosetta supports running x86_64 Linux binaries on a Podman machine on Apple silicon. diff --git a/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd b/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd index bd999c339c9..6a8163066e7 100644 --- a/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd +++ b/vendor/go.podman.io/common/pkg/config/containers.conf-freebsd @@ -169,12 +169,12 @@ default_sysctls = [ # #log_driver = "k8s-file" -# Default path for container logs to be stored in. When empty, logs will be stored +# Default path for container logs to be stored in. When empty, logs will be stored # in the container's default storage and removed when the container is removed. -# A subdirectory named with the container ID will be created under the specified +# A subdirectory named with the container ID will be created under the specified # path, and the log file will have the default name `ctr.log` within that directory. # This option can be overridden by the `--log-opt` flag. -# +# #log_path = "" # Maximum size allowed for the container log file. Negative numbers indicate @@ -393,10 +393,14 @@ default_sysctls = [ # #enable_port_reservation = true -# Environment variables to be used when running the container engine (e.g., Podman, Buildah). -# For example "http_proxy=internal.proxy.company.com". -# Note these environment variables will not be used within the container. -# Set the env section under [containers] table, if you want to set environment variables for the container. +# Environment variables to be used when running the container engine (e.g., +# Podman, Buildah). For example "MYVAR=value". These environment variables +# will not be used within the container. Set the env section under the +# [containers] table, if you want to set environment variables for the +# container. +# Note when using this to set http proxy variables then they might get +# leaked into the container depending on if `http_proxy` (under the +# [containers] table) is set to to true (default) or false. # #env = [] diff --git a/vendor/go.podman.io/image/v5/directory/directory_dest.go b/vendor/go.podman.io/image/v5/directory/directory_dest.go index fc82c969f19..db568590959 100644 --- a/vendor/go.podman.io/image/v5/directory/directory_dest.go +++ b/vendor/go.podman.io/image/v5/directory/directory_dest.go @@ -20,12 +20,21 @@ import ( "go.podman.io/storage/pkg/fileutils" ) -const version = "Directory Transport Version: 1.1\n" +// Write version file based on digest algorithm used +// 1.1 for sha256-only images, 1.2 otherwise. +const ( + versionPrefix = "Directory Transport Version: " + version = versionPrefix + "1.2\n" + version1_1 = versionPrefix + "1.1\n" +) // ErrNotContainerImageDir indicates that the directory doesn't match the expected contents of a directory created // using the 'dir' transport var ErrNotContainerImageDir = errors.New("not a containers image directory, don't want to overwrite important data") +// ErrUnsupportedVersion indicates that the directory uses a version newer than we support +var ErrUnsupportedVersion = errors.New("unsupported directory transport version") + type dirImageDestination struct { impl.Compat impl.PropertyMethodsInitialize @@ -33,7 +42,8 @@ type dirImageDestination struct { stubs.NoPutBlobPartialInitialize stubs.AlwaysSupportsSignatures - ref dirReference + ref dirReference + usesNonSHA256Digest bool } // newImageDestination returns an ImageDestination for writing to a directory. @@ -76,7 +86,11 @@ func newImageDestination(sys *types.SystemContext, ref dirReference) (private.Im return nil, err } // check if contents of version file is what we expect it to be - if string(contents) != version { + versionStr := string(contents) + if versionStr != version && versionStr != version1_1 { + if versionStr > version { + return nil, fmt.Errorf("%w: %q", ErrUnsupportedVersion, versionStr) + } return nil, ErrNotContainerImageDir } } else { @@ -95,7 +109,8 @@ func newImageDestination(sys *types.SystemContext, ref dirReference) (private.Im } } // create version file - err = os.WriteFile(ref.versionPath(), []byte(version), 0o644) + // Start with 1.1 for maximum compatibility + err = os.WriteFile(ref.versionPath(), []byte(version1_1), 0o644) if err != nil { return nil, fmt.Errorf("creating version file %q: %w", ref.versionPath(), err) } @@ -151,7 +166,8 @@ func (d *dirImageDestination) PutBlobWithOptions(ctx context.Context, stream io. } }() - digester, stream := putblobdigest.DigestIfCanonicalUnknown(stream, inputInfo) + digester, stream := putblobdigest.DigestIfUnknown(stream, inputInfo) + // TODO: This can take quite some time, and should ideally be cancellable using ctx.Done(). size, err := io.Copy(blobFile, stream) if err != nil { @@ -165,6 +181,10 @@ func (d *dirImageDestination) PutBlobWithOptions(ctx context.Context, stream io. return private.UploadedBlob{}, err } + if blobDigest.Algorithm() != digest.Canonical { + d.usesNonSHA256Digest = true + } + // On POSIX systems, blobFile was created with mode 0600, so we need to make it readable. // On Windows, the “permissions of newly created files” argument to syscall.Open is // ignored and the file is already readable; besides, blobFile.Chmod, i.e. syscall.Fchmod, @@ -257,6 +277,12 @@ func (d *dirImageDestination) PutSignaturesWithFormat(ctx context.Context, signa // - Uploaded data MAY be visible to others before CommitWithOptions() is called // - Uploaded data MAY be removed or MAY remain around if Close() is called without CommitWithOptions() (i.e. rollback is allowed but not guaranteed) func (d *dirImageDestination) CommitWithOptions(ctx context.Context, options private.CommitOptions) error { + if d.usesNonSHA256Digest { + err := os.WriteFile(d.ref.versionPath(), []byte(version), 0o644) + if err != nil { + return fmt.Errorf("writing version file %q: %w", d.ref.versionPath(), err) + } + } return nil } diff --git a/vendor/go.podman.io/image/v5/directory/directory_src.go b/vendor/go.podman.io/image/v5/directory/directory_src.go index b7fb3855c5c..5e2a34264e4 100644 --- a/vendor/go.podman.io/image/v5/directory/directory_src.go +++ b/vendor/go.podman.io/image/v5/directory/directory_src.go @@ -26,7 +26,25 @@ type dirImageSource struct { // newImageSource returns an ImageSource reading from an existing directory. // The caller must call .Close() on the returned ImageSource. -func newImageSource(ref dirReference) private.ImageSource { +func newImageSource(ref dirReference) (private.ImageSource, error) { + versionPath := ref.versionPath() + contents, err := os.ReadFile(versionPath) + if err != nil { + if os.IsNotExist(err) { + return nil, fmt.Errorf("version file not found at %q: not a valid directory transport image", versionPath) + } + return nil, fmt.Errorf("reading version file %q: %w", versionPath, err) + } + + versionStr := string(contents) + if versionStr != version && versionStr != version1_1 { + // Check if it's a future version we don't support + if versionStr > version { + return nil, fmt.Errorf("%w: %q", ErrUnsupportedVersion, versionStr) + } + return nil, fmt.Errorf("invalid version file content: %q", versionStr) + } + s := &dirImageSource{ PropertyMethodsInitialize: impl.PropertyMethods(impl.Properties{ HasThreadSafeGetBlob: false, @@ -36,7 +54,7 @@ func newImageSource(ref dirReference) private.ImageSource { ref: ref, } s.Compat = impl.AddCompat(s) - return s + return s, nil } // Reference returns the reference used to set up this source, _as specified by the user_ diff --git a/vendor/go.podman.io/image/v5/directory/directory_transport.go b/vendor/go.podman.io/image/v5/directory/directory_transport.go index 77c0e7be57d..165159e5882 100644 --- a/vendor/go.podman.io/image/v5/directory/directory_transport.go +++ b/vendor/go.podman.io/image/v5/directory/directory_transport.go @@ -146,7 +146,7 @@ func (ref dirReference) NewImage(ctx context.Context, sys *types.SystemContext) // NewImageSource returns a types.ImageSource for this reference. // The caller must call .Close() on the returned ImageSource. func (ref dirReference) NewImageSource(ctx context.Context, sys *types.SystemContext) (types.ImageSource, error) { - return newImageSource(ref), nil + return newImageSource(ref) } // NewImageDestination returns a types.ImageDestination for this reference. @@ -172,12 +172,19 @@ func (ref dirReference) manifestPath(instanceDigest *digest.Digest) (string, err } // layerPath returns a path for a layer tarball within a directory using our conventions. -func (ref dirReference) layerPath(digest digest.Digest) (string, error) { - if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. +func (ref dirReference) layerPath(d digest.Digest) (string, error) { + if err := d.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly. return "", err } - // FIXME: Should we keep the digest identification? - return filepath.Join(ref.path, digest.Encoded()), nil + + var filename string + if d.Algorithm() == digest.Canonical { + filename = d.Encoded() + } else { + filename = d.Algorithm().String() + "-" + d.Encoded() + } + + return filepath.Join(ref.path, filename), nil } // signaturePath returns a path for a signature within a directory using our conventions. diff --git a/vendor/go.podman.io/image/v5/docker/reference/normalize.go b/vendor/go.podman.io/image/v5/docker/reference/normalize.go index d3f47d210ff..7de92db0ffa 100644 --- a/vendor/go.podman.io/image/v5/docker/reference/normalize.go +++ b/vendor/go.podman.io/image/v5/docker/reference/normalize.go @@ -100,7 +100,7 @@ func splitDockerDomain(name string) (domain, remainder string) { if domain == defaultDomain && !strings.ContainsRune(remainder, '/') { remainder = officialRepoName + "/" + remainder } - return + return domain, remainder } // familiarizeName returns a shortened version of the name familiar diff --git a/vendor/go.podman.io/image/v5/docker/wwwauthenticate.go b/vendor/go.podman.io/image/v5/docker/wwwauthenticate.go index f5fed07b89d..fa183a59ed2 100644 --- a/vendor/go.podman.io/image/v5/docker/wwwauthenticate.go +++ b/vendor/go.podman.io/image/v5/docker/wwwauthenticate.go @@ -94,7 +94,7 @@ func parseValueAndParams(header string) (value string, params map[string]string) params = make(map[string]string) value, s := expectToken(header) if value == "" { - return + return value, params } value = strings.ToLower(value) s = "," + skipSpace(s) @@ -102,21 +102,21 @@ func parseValueAndParams(header string) (value string, params map[string]string) var pkey string pkey, s = expectToken(skipSpace(s[1:])) if pkey == "" { - return + return value, params } if !strings.HasPrefix(s, "=") { - return + return value, params } var pvalue string pvalue, s = expectTokenOrQuoted(s[1:]) if pvalue == "" { - return + return value, params } pkey = strings.ToLower(pkey) params[pkey] = pvalue s = skipSpace(s) } - return + return value, params } func skipSpace(s string) (rest string) { diff --git a/vendor/go.podman.io/image/v5/internal/image/digest_validation.go b/vendor/go.podman.io/image/v5/internal/image/digest_validation.go new file mode 100644 index 00000000000..88a870ac347 --- /dev/null +++ b/vendor/go.podman.io/image/v5/internal/image/digest_validation.go @@ -0,0 +1,26 @@ +package image + +import ( + "fmt" + + "github.com/opencontainers/go-digest" +) + +func validateBlobAgainstDigest(blob []byte, expectedDigest digest.Digest) error { + if expectedDigest == "" { + return fmt.Errorf("expected digest is empty") + } + err := expectedDigest.Validate() + if err != nil { + return fmt.Errorf("invalid digest format %q: %w", expectedDigest, err) + } + digestAlgorithm := expectedDigest.Algorithm() + if !digestAlgorithm.Available() { + return fmt.Errorf("unsupported digest algorithm: %s", digestAlgorithm) + } + computedDigest := digestAlgorithm.FromBytes(blob) + if computedDigest != expectedDigest { + return fmt.Errorf("blob digest %s does not match expected %s", computedDigest, expectedDigest) + } + return nil +} diff --git a/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go b/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go index 1586d67900e..b40f4fc71e1 100644 --- a/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go +++ b/vendor/go.podman.io/image/v5/internal/image/docker_schema2.go @@ -110,9 +110,8 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) { if err != nil { return nil, err } - computedDigest := digest.FromBytes(blob) - if computedDigest != m.m.ConfigDescriptor.Digest { - return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest) + if err := validateBlobAgainstDigest(blob, m.m.ConfigDescriptor.Digest); err != nil { + return nil, fmt.Errorf("config validation failed: %w", err) } m.configBlob = blob } diff --git a/vendor/go.podman.io/image/v5/internal/image/oci.go b/vendor/go.podman.io/image/v5/internal/image/oci.go index 56a1a6d64e1..8ddb2875e0f 100644 --- a/vendor/go.podman.io/image/v5/internal/image/oci.go +++ b/vendor/go.podman.io/image/v5/internal/image/oci.go @@ -8,7 +8,6 @@ import ( "slices" ociencspec "github.com/containers/ocicrypt/spec" - "github.com/opencontainers/go-digest" imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1" "go.podman.io/image/v5/docker/reference" "go.podman.io/image/v5/internal/iolimits" @@ -74,9 +73,8 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) { if err != nil { return nil, err } - computedDigest := digest.FromBytes(blob) - if computedDigest != m.m.Config.Digest { - return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.Config.Digest) + if err := validateBlobAgainstDigest(blob, m.m.Config.Digest); err != nil { + return nil, fmt.Errorf("config validation failed: %w", err) } m.configBlob = blob } diff --git a/vendor/go.podman.io/image/v5/pkg/shortnames/shortnames.go b/vendor/go.podman.io/image/v5/pkg/shortnames/shortnames.go index 6846c6e44c3..06cc2e19ec7 100644 --- a/vendor/go.podman.io/image/v5/pkg/shortnames/shortnames.go +++ b/vendor/go.podman.io/image/v5/pkg/shortnames/shortnames.go @@ -74,7 +74,7 @@ func splitUserInput(named reference.Named) (isTagged bool, isDigested bool, norm // Strip off tag/digest if present. normalized = reference.TrimNamed(named) - return + return isTagged, isDigested, normalized, tag, digest } // Add records the specified name-value pair as a new short-name alias to the diff --git a/vendor/golang.org/x/crypto/ocsp/ocsp.go b/vendor/golang.org/x/crypto/ocsp/ocsp.go deleted file mode 100644 index e6c645e7ceb..00000000000 --- a/vendor/golang.org/x/crypto/ocsp/ocsp.go +++ /dev/null @@ -1,793 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package ocsp parses OCSP responses as specified in RFC 2560. OCSP responses -// are signed messages attesting to the validity of a certificate for a small -// period of time. This is used to manage revocation for X.509 certificates. -package ocsp - -import ( - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "crypto/rsa" - _ "crypto/sha1" - _ "crypto/sha256" - _ "crypto/sha512" - "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" - "errors" - "fmt" - "math/big" - "strconv" - "time" -) - -var idPKIXOCSPBasic = asn1.ObjectIdentifier([]int{1, 3, 6, 1, 5, 5, 7, 48, 1, 1}) - -// ResponseStatus contains the result of an OCSP request. See -// https://tools.ietf.org/html/rfc6960#section-2.3 -type ResponseStatus int - -const ( - Success ResponseStatus = 0 - Malformed ResponseStatus = 1 - InternalError ResponseStatus = 2 - TryLater ResponseStatus = 3 - // Status code four is unused in OCSP. See - // https://tools.ietf.org/html/rfc6960#section-4.2.1 - SignatureRequired ResponseStatus = 5 - Unauthorized ResponseStatus = 6 -) - -func (r ResponseStatus) String() string { - switch r { - case Success: - return "success" - case Malformed: - return "malformed" - case InternalError: - return "internal error" - case TryLater: - return "try later" - case SignatureRequired: - return "signature required" - case Unauthorized: - return "unauthorized" - default: - return "unknown OCSP status: " + strconv.Itoa(int(r)) - } -} - -// ResponseError is an error that may be returned by ParseResponse to indicate -// that the response itself is an error, not just that it's indicating that a -// certificate is revoked, unknown, etc. -type ResponseError struct { - Status ResponseStatus -} - -func (r ResponseError) Error() string { - return "ocsp: error from server: " + r.Status.String() -} - -// These are internal structures that reflect the ASN.1 structure of an OCSP -// response. See RFC 2560, section 4.2. - -type certID struct { - HashAlgorithm pkix.AlgorithmIdentifier - NameHash []byte - IssuerKeyHash []byte - SerialNumber *big.Int -} - -// https://tools.ietf.org/html/rfc2560#section-4.1.1 -type ocspRequest struct { - TBSRequest tbsRequest -} - -type tbsRequest struct { - Version int `asn1:"explicit,tag:0,default:0,optional"` - RequestorName pkix.RDNSequence `asn1:"explicit,tag:1,optional"` - RequestList []request -} - -type request struct { - Cert certID -} - -type responseASN1 struct { - Status asn1.Enumerated - Response responseBytes `asn1:"explicit,tag:0,optional"` -} - -type responseBytes struct { - ResponseType asn1.ObjectIdentifier - Response []byte -} - -type basicResponse struct { - TBSResponseData responseData - SignatureAlgorithm pkix.AlgorithmIdentifier - Signature asn1.BitString - Certificates []asn1.RawValue `asn1:"explicit,tag:0,optional"` -} - -type responseData struct { - Raw asn1.RawContent - Version int `asn1:"optional,default:0,explicit,tag:0"` - RawResponderID asn1.RawValue - ProducedAt time.Time `asn1:"generalized"` - Responses []singleResponse -} - -type singleResponse struct { - CertID certID - Good asn1.Flag `asn1:"tag:0,optional"` - Revoked revokedInfo `asn1:"tag:1,optional"` - Unknown asn1.Flag `asn1:"tag:2,optional"` - ThisUpdate time.Time `asn1:"generalized"` - NextUpdate time.Time `asn1:"generalized,explicit,tag:0,optional"` - SingleExtensions []pkix.Extension `asn1:"explicit,tag:1,optional"` -} - -type revokedInfo struct { - RevocationTime time.Time `asn1:"generalized"` - Reason asn1.Enumerated `asn1:"explicit,tag:0,optional"` -} - -var ( - oidSignatureMD2WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 2} - oidSignatureMD5WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 4} - oidSignatureSHA1WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 5} - oidSignatureSHA256WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 11} - oidSignatureSHA384WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 12} - oidSignatureSHA512WithRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 13} - oidSignatureDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 3} - oidSignatureDSAWithSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 3, 2} - oidSignatureECDSAWithSHA1 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 1} - oidSignatureECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2} - oidSignatureECDSAWithSHA384 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 3} - oidSignatureECDSAWithSHA512 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 4} -) - -var hashOIDs = map[crypto.Hash]asn1.ObjectIdentifier{ - crypto.SHA1: asn1.ObjectIdentifier([]int{1, 3, 14, 3, 2, 26}), - crypto.SHA256: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 1}), - crypto.SHA384: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 2}), - crypto.SHA512: asn1.ObjectIdentifier([]int{2, 16, 840, 1, 101, 3, 4, 2, 3}), -} - -// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below -var signatureAlgorithmDetails = []struct { - algo x509.SignatureAlgorithm - oid asn1.ObjectIdentifier - pubKeyAlgo x509.PublicKeyAlgorithm - hash crypto.Hash -}{ - {x509.MD2WithRSA, oidSignatureMD2WithRSA, x509.RSA, crypto.Hash(0) /* no value for MD2 */}, - {x509.MD5WithRSA, oidSignatureMD5WithRSA, x509.RSA, crypto.MD5}, - {x509.SHA1WithRSA, oidSignatureSHA1WithRSA, x509.RSA, crypto.SHA1}, - {x509.SHA256WithRSA, oidSignatureSHA256WithRSA, x509.RSA, crypto.SHA256}, - {x509.SHA384WithRSA, oidSignatureSHA384WithRSA, x509.RSA, crypto.SHA384}, - {x509.SHA512WithRSA, oidSignatureSHA512WithRSA, x509.RSA, crypto.SHA512}, - {x509.DSAWithSHA1, oidSignatureDSAWithSHA1, x509.DSA, crypto.SHA1}, - {x509.DSAWithSHA256, oidSignatureDSAWithSHA256, x509.DSA, crypto.SHA256}, - {x509.ECDSAWithSHA1, oidSignatureECDSAWithSHA1, x509.ECDSA, crypto.SHA1}, - {x509.ECDSAWithSHA256, oidSignatureECDSAWithSHA256, x509.ECDSA, crypto.SHA256}, - {x509.ECDSAWithSHA384, oidSignatureECDSAWithSHA384, x509.ECDSA, crypto.SHA384}, - {x509.ECDSAWithSHA512, oidSignatureECDSAWithSHA512, x509.ECDSA, crypto.SHA512}, -} - -// TODO(rlb): This is also from crypto/x509, so same comment as AGL's below -func signingParamsForPublicKey(pub interface{}, requestedSigAlgo x509.SignatureAlgorithm) (hashFunc crypto.Hash, sigAlgo pkix.AlgorithmIdentifier, err error) { - var pubType x509.PublicKeyAlgorithm - - switch pub := pub.(type) { - case *rsa.PublicKey: - pubType = x509.RSA - hashFunc = crypto.SHA256 - sigAlgo.Algorithm = oidSignatureSHA256WithRSA - sigAlgo.Parameters = asn1.RawValue{ - Tag: 5, - } - - case *ecdsa.PublicKey: - pubType = x509.ECDSA - - switch pub.Curve { - case elliptic.P224(), elliptic.P256(): - hashFunc = crypto.SHA256 - sigAlgo.Algorithm = oidSignatureECDSAWithSHA256 - case elliptic.P384(): - hashFunc = crypto.SHA384 - sigAlgo.Algorithm = oidSignatureECDSAWithSHA384 - case elliptic.P521(): - hashFunc = crypto.SHA512 - sigAlgo.Algorithm = oidSignatureECDSAWithSHA512 - default: - err = errors.New("x509: unknown elliptic curve") - } - - default: - err = errors.New("x509: only RSA and ECDSA keys supported") - } - - if err != nil { - return - } - - if requestedSigAlgo == 0 { - return - } - - found := false - for _, details := range signatureAlgorithmDetails { - if details.algo == requestedSigAlgo { - if details.pubKeyAlgo != pubType { - err = errors.New("x509: requested SignatureAlgorithm does not match private key type") - return - } - sigAlgo.Algorithm, hashFunc = details.oid, details.hash - if hashFunc == 0 { - err = errors.New("x509: cannot sign with hash function requested") - return - } - found = true - break - } - } - - if !found { - err = errors.New("x509: unknown SignatureAlgorithm") - } - - return -} - -// TODO(agl): this is taken from crypto/x509 and so should probably be exported -// from crypto/x509 or crypto/x509/pkix. -func getSignatureAlgorithmFromOID(oid asn1.ObjectIdentifier) x509.SignatureAlgorithm { - for _, details := range signatureAlgorithmDetails { - if oid.Equal(details.oid) { - return details.algo - } - } - return x509.UnknownSignatureAlgorithm -} - -// TODO(rlb): This is not taken from crypto/x509, but it's of the same general form. -func getHashAlgorithmFromOID(target asn1.ObjectIdentifier) crypto.Hash { - for hash, oid := range hashOIDs { - if oid.Equal(target) { - return hash - } - } - return crypto.Hash(0) -} - -func getOIDFromHashAlgorithm(target crypto.Hash) asn1.ObjectIdentifier { - for hash, oid := range hashOIDs { - if hash == target { - return oid - } - } - return nil -} - -// This is the exposed reflection of the internal OCSP structures. - -// The status values that can be expressed in OCSP. See RFC 6960. -// These are used for the Response.Status field. -const ( - // Good means that the certificate is valid. - Good = 0 - // Revoked means that the certificate has been deliberately revoked. - Revoked = 1 - // Unknown means that the OCSP responder doesn't know about the certificate. - Unknown = 2 - // ServerFailed is unused and was never used (see - // https://go-review.googlesource.com/#/c/18944). ParseResponse will - // return a ResponseError when an error response is parsed. - ServerFailed = 3 -) - -// The enumerated reasons for revoking a certificate. See RFC 5280. -const ( - Unspecified = 0 - KeyCompromise = 1 - CACompromise = 2 - AffiliationChanged = 3 - Superseded = 4 - CessationOfOperation = 5 - CertificateHold = 6 - - RemoveFromCRL = 8 - PrivilegeWithdrawn = 9 - AACompromise = 10 -) - -// Request represents an OCSP request. See RFC 6960. -type Request struct { - HashAlgorithm crypto.Hash - IssuerNameHash []byte - IssuerKeyHash []byte - SerialNumber *big.Int -} - -// Marshal marshals the OCSP request to ASN.1 DER encoded form. -func (req *Request) Marshal() ([]byte, error) { - hashAlg := getOIDFromHashAlgorithm(req.HashAlgorithm) - if hashAlg == nil { - return nil, errors.New("Unknown hash algorithm") - } - return asn1.Marshal(ocspRequest{ - tbsRequest{ - Version: 0, - RequestList: []request{ - { - Cert: certID{ - pkix.AlgorithmIdentifier{ - Algorithm: hashAlg, - Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */}, - }, - req.IssuerNameHash, - req.IssuerKeyHash, - req.SerialNumber, - }, - }, - }, - }, - }) -} - -// Response represents an OCSP response containing a single SingleResponse. See -// RFC 6960. -type Response struct { - Raw []byte - - // Status is one of {Good, Revoked, Unknown} - Status int - SerialNumber *big.Int - ProducedAt, ThisUpdate, NextUpdate, RevokedAt time.Time - RevocationReason int - Certificate *x509.Certificate - // TBSResponseData contains the raw bytes of the signed response. If - // Certificate is nil then this can be used to verify Signature. - TBSResponseData []byte - Signature []byte - SignatureAlgorithm x509.SignatureAlgorithm - - // IssuerHash is the hash used to compute the IssuerNameHash and IssuerKeyHash. - // Valid values are crypto.SHA1, crypto.SHA256, crypto.SHA384, and crypto.SHA512. - // If zero, the default is crypto.SHA1. - IssuerHash crypto.Hash - - // RawResponderName optionally contains the DER-encoded subject of the - // responder certificate. Exactly one of RawResponderName and - // ResponderKeyHash is set. - RawResponderName []byte - // ResponderKeyHash optionally contains the SHA-1 hash of the - // responder's public key. Exactly one of RawResponderName and - // ResponderKeyHash is set. - ResponderKeyHash []byte - - // Extensions contains raw X.509 extensions from the singleExtensions field - // of the OCSP response. When parsing certificates, this can be used to - // extract non-critical extensions that are not parsed by this package. When - // marshaling OCSP responses, the Extensions field is ignored, see - // ExtraExtensions. - Extensions []pkix.Extension - - // ExtraExtensions contains extensions to be copied, raw, into any marshaled - // OCSP response (in the singleExtensions field). Values override any - // extensions that would otherwise be produced based on the other fields. The - // ExtraExtensions field is not populated when parsing certificates, see - // Extensions. - ExtraExtensions []pkix.Extension -} - -// These are pre-serialized error responses for the various non-success codes -// defined by OCSP. The Unauthorized code in particular can be used by an OCSP -// responder that supports only pre-signed responses as a response to requests -// for certificates with unknown status. See RFC 5019. -var ( - MalformedRequestErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x01} - InternalErrorErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x02} - TryLaterErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x03} - SigRequredErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x05} - UnauthorizedErrorResponse = []byte{0x30, 0x03, 0x0A, 0x01, 0x06} -) - -// CheckSignatureFrom checks that the signature in resp is a valid signature -// from issuer. This should only be used if resp.Certificate is nil. Otherwise, -// the OCSP response contained an intermediate certificate that created the -// signature. That signature is checked by ParseResponse and only -// resp.Certificate remains to be validated. -func (resp *Response) CheckSignatureFrom(issuer *x509.Certificate) error { - return issuer.CheckSignature(resp.SignatureAlgorithm, resp.TBSResponseData, resp.Signature) -} - -// ParseError results from an invalid OCSP response. -type ParseError string - -func (p ParseError) Error() string { - return string(p) -} - -// ParseRequest parses an OCSP request in DER form. It only supports -// requests for a single certificate. Signed requests are not supported. -// If a request includes a signature, it will result in a ParseError. -func ParseRequest(bytes []byte) (*Request, error) { - var req ocspRequest - rest, err := asn1.Unmarshal(bytes, &req) - if err != nil { - return nil, err - } - if len(rest) > 0 { - return nil, ParseError("trailing data in OCSP request") - } - - if len(req.TBSRequest.RequestList) == 0 { - return nil, ParseError("OCSP request contains no request body") - } - innerRequest := req.TBSRequest.RequestList[0] - - hashFunc := getHashAlgorithmFromOID(innerRequest.Cert.HashAlgorithm.Algorithm) - if hashFunc == crypto.Hash(0) { - return nil, ParseError("OCSP request uses unknown hash function") - } - - return &Request{ - HashAlgorithm: hashFunc, - IssuerNameHash: innerRequest.Cert.NameHash, - IssuerKeyHash: innerRequest.Cert.IssuerKeyHash, - SerialNumber: innerRequest.Cert.SerialNumber, - }, nil -} - -// ParseResponse parses an OCSP response in DER form. The response must contain -// only one certificate status. To parse the status of a specific certificate -// from a response which may contain multiple statuses, use ParseResponseForCert -// instead. -// -// If the response contains an embedded certificate, then that certificate will -// be used to verify the response signature. If the response contains an -// embedded certificate and issuer is not nil, then issuer will be used to verify -// the signature on the embedded certificate. -// -// If the response does not contain an embedded certificate and issuer is not -// nil, then issuer will be used to verify the response signature. -// -// Invalid responses and parse failures will result in a ParseError. -// Error responses will result in a ResponseError. -func ParseResponse(bytes []byte, issuer *x509.Certificate) (*Response, error) { - return ParseResponseForCert(bytes, nil, issuer) -} - -// ParseResponseForCert acts identically to ParseResponse, except it supports -// parsing responses that contain multiple statuses. If the response contains -// multiple statuses and cert is not nil, then ParseResponseForCert will return -// the first status which contains a matching serial, otherwise it will return an -// error. If cert is nil, then the first status in the response will be returned. -func ParseResponseForCert(bytes []byte, cert, issuer *x509.Certificate) (*Response, error) { - var resp responseASN1 - rest, err := asn1.Unmarshal(bytes, &resp) - if err != nil { - return nil, err - } - if len(rest) > 0 { - return nil, ParseError("trailing data in OCSP response") - } - - if status := ResponseStatus(resp.Status); status != Success { - return nil, ResponseError{status} - } - - if !resp.Response.ResponseType.Equal(idPKIXOCSPBasic) { - return nil, ParseError("bad OCSP response type") - } - - var basicResp basicResponse - rest, err = asn1.Unmarshal(resp.Response.Response, &basicResp) - if err != nil { - return nil, err - } - if len(rest) > 0 { - return nil, ParseError("trailing data in OCSP response") - } - - if n := len(basicResp.TBSResponseData.Responses); n == 0 || cert == nil && n > 1 { - return nil, ParseError("OCSP response contains bad number of responses") - } - - var singleResp singleResponse - if cert == nil { - singleResp = basicResp.TBSResponseData.Responses[0] - } else { - match := false - for _, resp := range basicResp.TBSResponseData.Responses { - if cert.SerialNumber.Cmp(resp.CertID.SerialNumber) == 0 { - singleResp = resp - match = true - break - } - } - if !match { - return nil, ParseError("no response matching the supplied certificate") - } - } - - ret := &Response{ - Raw: bytes, - TBSResponseData: basicResp.TBSResponseData.Raw, - Signature: basicResp.Signature.RightAlign(), - SignatureAlgorithm: getSignatureAlgorithmFromOID(basicResp.SignatureAlgorithm.Algorithm), - Extensions: singleResp.SingleExtensions, - SerialNumber: singleResp.CertID.SerialNumber, - ProducedAt: basicResp.TBSResponseData.ProducedAt, - ThisUpdate: singleResp.ThisUpdate, - NextUpdate: singleResp.NextUpdate, - } - - // Handle the ResponderID CHOICE tag. ResponderID can be flattened into - // TBSResponseData once https://go-review.googlesource.com/34503 has been - // released. - rawResponderID := basicResp.TBSResponseData.RawResponderID - switch rawResponderID.Tag { - case 1: // Name - var rdn pkix.RDNSequence - if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &rdn); err != nil || len(rest) != 0 { - return nil, ParseError("invalid responder name") - } - ret.RawResponderName = rawResponderID.Bytes - case 2: // KeyHash - if rest, err := asn1.Unmarshal(rawResponderID.Bytes, &ret.ResponderKeyHash); err != nil || len(rest) != 0 { - return nil, ParseError("invalid responder key hash") - } - default: - return nil, ParseError("invalid responder id tag") - } - - if len(basicResp.Certificates) > 0 { - // Responders should only send a single certificate (if they - // send any) that connects the responder's certificate to the - // original issuer. We accept responses with multiple - // certificates due to a number responders sending them[1], but - // ignore all but the first. - // - // [1] https://github.com/golang/go/issues/21527 - ret.Certificate, err = x509.ParseCertificate(basicResp.Certificates[0].FullBytes) - if err != nil { - return nil, err - } - - if err := ret.CheckSignatureFrom(ret.Certificate); err != nil { - return nil, ParseError("bad signature on embedded certificate: " + err.Error()) - } - - if issuer != nil { - if err := issuer.CheckSignature(ret.Certificate.SignatureAlgorithm, ret.Certificate.RawTBSCertificate, ret.Certificate.Signature); err != nil { - return nil, ParseError("bad OCSP signature: " + err.Error()) - } - } - } else if issuer != nil { - if err := ret.CheckSignatureFrom(issuer); err != nil { - return nil, ParseError("bad OCSP signature: " + err.Error()) - } - } - - for _, ext := range singleResp.SingleExtensions { - if ext.Critical { - return nil, ParseError("unsupported critical extension") - } - } - - for h, oid := range hashOIDs { - if singleResp.CertID.HashAlgorithm.Algorithm.Equal(oid) { - ret.IssuerHash = h - break - } - } - if ret.IssuerHash == 0 { - return nil, ParseError("unsupported issuer hash algorithm") - } - - switch { - case bool(singleResp.Good): - ret.Status = Good - case bool(singleResp.Unknown): - ret.Status = Unknown - default: - ret.Status = Revoked - ret.RevokedAt = singleResp.Revoked.RevocationTime - ret.RevocationReason = int(singleResp.Revoked.Reason) - } - - return ret, nil -} - -// RequestOptions contains options for constructing OCSP requests. -type RequestOptions struct { - // Hash contains the hash function that should be used when - // constructing the OCSP request. If zero, SHA-1 will be used. - Hash crypto.Hash -} - -func (opts *RequestOptions) hash() crypto.Hash { - if opts == nil || opts.Hash == 0 { - // SHA-1 is nearly universally used in OCSP. - return crypto.SHA1 - } - return opts.Hash -} - -// CreateRequest returns a DER-encoded, OCSP request for the status of cert. If -// opts is nil then sensible defaults are used. -func CreateRequest(cert, issuer *x509.Certificate, opts *RequestOptions) ([]byte, error) { - hashFunc := opts.hash() - - // OCSP seems to be the only place where these raw hash identifiers are - // used. I took the following from - // http://msdn.microsoft.com/en-us/library/ff635603.aspx - _, ok := hashOIDs[hashFunc] - if !ok { - return nil, x509.ErrUnsupportedAlgorithm - } - - if !hashFunc.Available() { - return nil, x509.ErrUnsupportedAlgorithm - } - h := opts.hash().New() - - var publicKeyInfo struct { - Algorithm pkix.AlgorithmIdentifier - PublicKey asn1.BitString - } - if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil { - return nil, err - } - - h.Write(publicKeyInfo.PublicKey.RightAlign()) - issuerKeyHash := h.Sum(nil) - - h.Reset() - h.Write(issuer.RawSubject) - issuerNameHash := h.Sum(nil) - - req := &Request{ - HashAlgorithm: hashFunc, - IssuerNameHash: issuerNameHash, - IssuerKeyHash: issuerKeyHash, - SerialNumber: cert.SerialNumber, - } - return req.Marshal() -} - -// CreateResponse returns a DER-encoded OCSP response with the specified contents. -// The fields in the response are populated as follows: -// -// The responder cert is used to populate the responder's name field, and the -// certificate itself is provided alongside the OCSP response signature. -// -// The issuer cert is used to populate the IssuerNameHash and IssuerKeyHash fields. -// -// The template is used to populate the SerialNumber, Status, RevokedAt, -// RevocationReason, ThisUpdate, and NextUpdate fields. -// -// If template.IssuerHash is not set, SHA1 will be used. -// -// The ProducedAt date is automatically set to the current date, to the nearest minute. -func CreateResponse(issuer, responderCert *x509.Certificate, template Response, priv crypto.Signer) ([]byte, error) { - var publicKeyInfo struct { - Algorithm pkix.AlgorithmIdentifier - PublicKey asn1.BitString - } - if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &publicKeyInfo); err != nil { - return nil, err - } - - if template.IssuerHash == 0 { - template.IssuerHash = crypto.SHA1 - } - hashOID := getOIDFromHashAlgorithm(template.IssuerHash) - if hashOID == nil { - return nil, errors.New("unsupported issuer hash algorithm") - } - - if !template.IssuerHash.Available() { - return nil, fmt.Errorf("issuer hash algorithm %v not linked into binary", template.IssuerHash) - } - h := template.IssuerHash.New() - h.Write(publicKeyInfo.PublicKey.RightAlign()) - issuerKeyHash := h.Sum(nil) - - h.Reset() - h.Write(issuer.RawSubject) - issuerNameHash := h.Sum(nil) - - innerResponse := singleResponse{ - CertID: certID{ - HashAlgorithm: pkix.AlgorithmIdentifier{ - Algorithm: hashOID, - Parameters: asn1.RawValue{Tag: 5 /* ASN.1 NULL */}, - }, - NameHash: issuerNameHash, - IssuerKeyHash: issuerKeyHash, - SerialNumber: template.SerialNumber, - }, - ThisUpdate: template.ThisUpdate.UTC(), - NextUpdate: template.NextUpdate.UTC(), - SingleExtensions: template.ExtraExtensions, - } - - switch template.Status { - case Good: - innerResponse.Good = true - case Unknown: - innerResponse.Unknown = true - case Revoked: - innerResponse.Revoked = revokedInfo{ - RevocationTime: template.RevokedAt.UTC(), - Reason: asn1.Enumerated(template.RevocationReason), - } - } - - rawResponderID := asn1.RawValue{ - Class: 2, // context-specific - Tag: 1, // Name (explicit tag) - IsCompound: true, - Bytes: responderCert.RawSubject, - } - tbsResponseData := responseData{ - Version: 0, - RawResponderID: rawResponderID, - ProducedAt: time.Now().Truncate(time.Minute).UTC(), - Responses: []singleResponse{innerResponse}, - } - - tbsResponseDataDER, err := asn1.Marshal(tbsResponseData) - if err != nil { - return nil, err - } - - hashFunc, signatureAlgorithm, err := signingParamsForPublicKey(priv.Public(), template.SignatureAlgorithm) - if err != nil { - return nil, err - } - - responseHash := hashFunc.New() - responseHash.Write(tbsResponseDataDER) - signature, err := priv.Sign(rand.Reader, responseHash.Sum(nil), hashFunc) - if err != nil { - return nil, err - } - - response := basicResponse{ - TBSResponseData: tbsResponseData, - SignatureAlgorithm: signatureAlgorithm, - Signature: asn1.BitString{ - Bytes: signature, - BitLength: 8 * len(signature), - }, - } - if template.Certificate != nil { - response.Certificates = []asn1.RawValue{ - {FullBytes: template.Certificate.Raw}, - } - } - responseDER, err := asn1.Marshal(response) - if err != nil { - return nil, err - } - - return asn1.Marshal(responseASN1{ - Status: asn1.Enumerated(Success), - Response: responseBytes{ - ResponseType: idPKIXOCSPBasic, - Response: responseDER, - }, - }) -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 726a27e6637..065577633fd 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -246,14 +246,6 @@ github.com/klauspost/compress/zstd/internal/xxhash # github.com/klauspost/pgzip v1.2.6 ## explicit github.com/klauspost/pgzip -# github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec -## explicit; go 1.22.0 -github.com/letsencrypt/boulder/core -github.com/letsencrypt/boulder/goodkey -github.com/letsencrypt/boulder/identifier -github.com/letsencrypt/boulder/probs -github.com/letsencrypt/boulder/revocation -github.com/letsencrypt/boulder/strictyaml # github.com/manifoldco/promptui v0.9.0 ## explicit; go 1.12 github.com/manifoldco/promptui @@ -338,7 +330,7 @@ github.com/moby/term/windows # github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd ## explicit github.com/modern-go/concurrent -# github.com/modern-go/reflect2 v1.0.2 +# github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee ## explicit; go 1.12 github.com/modern-go/reflect2 # github.com/morikuni/aec v1.0.0 @@ -397,7 +389,7 @@ github.com/planetscale/vtprotobuf/protohelpers # github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 ## explicit github.com/pmezard/go-difflib/difflib -# github.com/proglottis/gpgme v0.1.5 +# github.com/proglottis/gpgme v0.1.6 ## explicit; go 1.17 github.com/proglottis/gpgme # github.com/seccomp/libseccomp-golang v0.11.1 @@ -406,19 +398,19 @@ github.com/seccomp/libseccomp-golang # github.com/secure-systems-lab/go-securesystemslib v0.9.1 ## explicit; go 1.23.0 github.com/secure-systems-lab/go-securesystemslib/encrypted -# github.com/sigstore/fulcio v1.7.1 -## explicit; go 1.24.0 +# github.com/sigstore/fulcio v1.8.1 +## explicit; go 1.24.6 github.com/sigstore/fulcio/pkg/certificate -# github.com/sigstore/protobuf-specs v0.4.1 +# github.com/sigstore/protobuf-specs v0.5.0 ## explicit; go 1.22.0 github.com/sigstore/protobuf-specs/gen/pb-go/common/v1 -# github.com/sigstore/sigstore v1.9.5 -## explicit; go 1.23.0 +# github.com/sigstore/sigstore v1.9.6-0.20251111174640-d8ab8afb1326 +## explicit; go 1.24.0 github.com/sigstore/sigstore/pkg/cryptoutils github.com/sigstore/sigstore/pkg/signature github.com/sigstore/sigstore/pkg/signature/options github.com/sigstore/sigstore/pkg/signature/payload -# github.com/sirupsen/logrus v1.9.3 +# github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af ## explicit; go 1.13 github.com/sirupsen/logrus # github.com/smallstep/pkcs7 v0.1.1 @@ -445,9 +437,6 @@ github.com/sylabs/sif/v2/pkg/sif # github.com/tchap/go-patricia/v2 v2.3.3 ## explicit; go 1.16 github.com/tchap/go-patricia/v2/patricia -# github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 -## explicit -github.com/titanous/rocacheck # github.com/ulikunitz/xz v0.5.15 ## explicit; go 1.12 github.com/ulikunitz/xz @@ -510,8 +499,8 @@ go.opentelemetry.io/otel/trace go.opentelemetry.io/otel/trace/embedded go.opentelemetry.io/otel/trace/internal/telemetry go.opentelemetry.io/otel/trace/noop -# go.podman.io/common v0.66.1-0.20251120131032-23712697ddda -## explicit; go 1.24.2 +# go.podman.io/common v0.66.1-0.20251120131032-23712697ddda => github.com/lsm5/container-libs/common v0.0.0-20251125203705-983dbfee824b +## explicit; go 1.24.6 go.podman.io/common/internal go.podman.io/common/internal/attributedstring go.podman.io/common/libimage @@ -564,8 +553,8 @@ go.podman.io/common/pkg/umask go.podman.io/common/pkg/util go.podman.io/common/pkg/version go.podman.io/common/version -# go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda -## explicit; go 1.24.0 +# go.podman.io/image/v5 v5.38.1-0.20251120131032-23712697ddda => github.com/lsm5/container-libs/image/v5 v5.0.0-20251125203705-983dbfee824b +## explicit; go 1.24.6 go.podman.io/image/v5/copy go.podman.io/image/v5/directory go.podman.io/image/v5/directory/explicitfilepath @@ -632,7 +621,7 @@ go.podman.io/image/v5/transports go.podman.io/image/v5/transports/alltransports go.podman.io/image/v5/types go.podman.io/image/v5/version -# go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda +# go.podman.io/storage v1.61.1-0.20251120131032-23712697ddda => github.com/lsm5/container-libs/storage v0.0.0-20251125203705-983dbfee824b ## explicit; go 1.24.0 go.podman.io/storage go.podman.io/storage/drivers @@ -681,7 +670,7 @@ go.podman.io/storage/pkg/tarlog go.podman.io/storage/pkg/truncindex go.podman.io/storage/pkg/unshare go.podman.io/storage/types -# go.yaml.in/yaml/v2 v2.4.2 +# go.yaml.in/yaml/v2 v2.4.3 ## explicit; go 1.15 go.yaml.in/yaml/v2 # golang.org/x/crypto v0.45.0 @@ -698,7 +687,6 @@ golang.org/x/crypto/curve25519 golang.org/x/crypto/internal/alias golang.org/x/crypto/internal/poly1305 golang.org/x/crypto/nacl/secretbox -golang.org/x/crypto/ocsp golang.org/x/crypto/openpgp golang.org/x/crypto/openpgp/armor golang.org/x/crypto/openpgp/elgamal @@ -746,12 +734,12 @@ golang.org/x/text/secure/bidirule golang.org/x/text/transform golang.org/x/text/unicode/bidi golang.org/x/text/unicode/norm -# google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 -## explicit; go 1.23.0 +# google.golang.org/genproto/googleapis/api v0.0.0-20250929231259-57b25ae835d4 +## explicit; go 1.24.0 google.golang.org/genproto/googleapis/api google.golang.org/genproto/googleapis/api/annotations -# google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 -## explicit; go 1.23.0 +# google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 +## explicit; go 1.24.0 google.golang.org/genproto/googleapis/rpc/status # google.golang.org/grpc v1.76.0 ## explicit; go 1.24.0 @@ -872,3 +860,6 @@ tags.cncf.io/container-device-interface/pkg/parser # tags.cncf.io/container-device-interface/specs-go v1.0.1-0.20251120202831-139ffec09210 ## explicit; go 1.19 tags.cncf.io/container-device-interface/specs-go +# go.podman.io/common => github.com/lsm5/container-libs/common v0.0.0-20251125203705-983dbfee824b +# go.podman.io/storage => github.com/lsm5/container-libs/storage v0.0.0-20251125203705-983dbfee824b +# go.podman.io/image/v5 => github.com/lsm5/container-libs/image/v5 v5.0.0-20251125203705-983dbfee824b