all: Go version updates

.github/workflows/go.yaml → .github/workflows/test.yaml

@@ -1,4 +1,4 @@
-name: Go
+name: Test
 
 on:
   push:
@@ -11,27 +11,27 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    strategy:
+      matrix:
+        go-version: ['1.24', '1.25']
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           submodules: recursive
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v6
         with:
-          go-version: ^1
-
-      - name: Install tools
-        run: brew install mkcert staticcheck
+          go-version: ${{ matrix.go-version }}
 
       - name: Vet
         run: go vet ./...
 
-      - name: Staticcheck
-        run: staticcheck ./...
-
       - name: Test
+        run: go test -v ./...
+
+      - name: Test with race detector
         run: go test -v -race ./...
 
       - name: Test without cgo

ca.go

@@ -6,7 +6,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -60,7 +59,7 @@ func CAPEM() (cert []byte, key []byte, err error) {
 	if !pathExists(caPath) {
 		return nil, nil, fmt.Errorf("no CA certificate located at: %s", caPath)
 	}
-	cert, err = ioutil.ReadFile(caPath)
+	cert, err = os.ReadFile(caPath)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -69,7 +68,7 @@ func CAPEM() (cert []byte, key []byte, err error) {
 	if !pathExists(keyPath) {
 		return nil, nil, fmt.Errorf("no CA key located at: %s", keyPath)
 	}
-	key, err = ioutil.ReadFile(keyPath)
+	key, err = os.ReadFile(keyPath)
 	if err != nil {
 		return nil, nil, err
 	}

cert.go

@@ -93,7 +93,7 @@ func PEM(sans ...string) (cert []byte, key []byte, err error) {
 		signKey = caKey
 	}
 
-	b, err := x509.CreateCertificate(zeroes{}, template, parent, priv.Public(), signKey)
+	b, err := x509.CreateCertificate(ones{}, template, parent, priv.Public(), signKey)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create certificate: %s", err)
 	}
@@ -144,15 +144,15 @@ func notBeforeOrAfter(now time.Time) (time.Time, time.Time) {
 // Key returns a P-256 ECDSA private key generated WITHOUT randomess.
 func Key() (priv *ecdsa.PrivateKey, err error) {
 	curve := elliptic.P256()
-	return ecdsa.GenerateKey(curve, zeroes{})
+	return ecdsa.GenerateKey(curve, ones{})
 }
 
 // For deterministic output. Do NOT do this for any real server.
-type zeroes struct{}
+type ones struct{}
 
-func (z zeroes) Read(p []byte) (n int, err error) {
+func (ones) Read(p []byte) (n int, err error) {
 	for i := range p {
-		p[i] = 0
+		p[i] = 1
 	}
 	return len(p), nil
 }

cert_test.go

@@ -6,7 +6,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"os"
@@ -29,8 +29,8 @@ func TestUnsigned(t *testing.T) {
 		wantSHA   string
 		wantErr   bool
 	}{
-		{"computer.local", []string{"computer.local"}, []string{"computer.local"}, "cd53416a4bbf741a3d2156369ead968ee16dfdb804f44dffe573ed19912ed9f5", false},
-		{"local SANs + computer.local", append(LocalSANs(), "computer.local"), append(LocalSANs(), "computer.local"), "2280d8a21afaf8b3a08c905c98a1e33c4656367233250a6820f0a24bbdb85698", false},
+		{"computer.local", []string{"computer.local"}, []string{"computer.local"}, "6fc67759f0c2d5e5b21c510ebfe3485c07f7fd3d3d2fb398a26fe4a174599ccf", false},
+		{"local SANs + computer.local", append(LocalSANs(), "computer.local"), append(LocalSANs(), "computer.local"), "bd697fd807f73b6e30699469f6e2ddbbf34520082a9d7b2c5bd6fa0692d6520c", false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -58,7 +58,7 @@ func TestUnsigned(t *testing.T) {
 			}
 			cert, err := x509.ParseCertificate(block.Bytes)
 			if err != nil {
-				t.Fatalf("failed to parse certificate: " + err.Error())
+				t.Fatalf("failed to parse certificate: %s", err.Error())
 			}
 
 			// Verify certificate is valid for all expected names
@@ -69,7 +69,7 @@ func TestUnsigned(t *testing.T) {
 				}
 
 				if _, err := cert.Verify(opts); err != nil {
-					t.Errorf("failed to verify certificate: " + err.Error())
+					t.Errorf("failed to verify certificate: %s", err.Error())
 				}
 			}
 		})
@@ -85,7 +85,7 @@ func TestSigned(t *testing.T) {
 
 	caCert, _, err := CA()
 	if err != nil {
-		cmd := exec.Command("mkcert")
+		cmd := exec.Command("go", "tool", "filippo.io/mkcert", "-install")
 		err := cmd.Run()
 		if err != nil {
 			t.Fatal(err)
@@ -122,7 +122,7 @@ func TestSigned(t *testing.T) {
 			}
 			cert, err := x509.ParseCertificate(block.Bytes)
 			if err != nil {
-				t.Fatalf("failed to parse certificate: " + err.Error())
+				t.Fatalf("failed to parse certificate: %s", err.Error())
 			}
 
 			// Verify certificate is valid for all expected names
@@ -133,7 +133,7 @@ func TestSigned(t *testing.T) {
 				}
 
 				if _, err := cert.Verify(opts); err != nil {
-					t.Errorf("failed to verify certificate: " + err.Error())
+					t.Errorf("failed to verify certificate: %s", err.Error())
 				}
 			}
 		})
@@ -179,7 +179,7 @@ func TestServeCert(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
-	b, err := ioutil.ReadAll(resp.Body)
+	b, err := io.ReadAll(resp.Body)
 	if err != nil {
 		t.Fatal(err)
 	}

go.mod

@@ -1,3 +1,14 @@
 module github.com/alta/insecure
 
-go 1.15
+go 1.24
+
+tool filippo.io/mkcert
+
+require (
+	filippo.io/mkcert v1.4.4 // indirect
+	golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 // indirect
+	golang.org/x/net v0.0.0-20220421235706-1d1ef9303861 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	howett.net/plist v1.0.0 // indirect
+	software.sslmate.com/src/go-pkcs12 v0.2.0 // indirect
+)

go.sum

@@ -0,0 +1,22 @@
+filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc=
+filippo.io/mkcert v1.4.4/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 h1:tkVvjkPTB7pnW3jnid7kNyAMPVWllTNOf/qKDze4p9o=
+golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861 h1:yssD99+7tqHWO5Gwh81phT+67hg+KttniBr6UnEXOY8=
+golang.org/x/net v0.0.0-20220421235706-1d1ef9303861/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
+howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
+howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
+software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
+software.sslmate.com/src/go-pkcs12 v0.2.0/go.mod h1:23rNcYsMabIc1otwLpTkCCPwUq6kQsTyowttG/as0kQ=