Add authority.Capabilities implementation

Update api/api_test.go
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
2022-11-29 10:26:06 -08:00 · 2022-11-29 10:18:33 -08:00 · 2022-11-29 10:17:58 -08:00 · 2022-11-29 10:17:25 -08:00 · 2022-11-29 10:17:17 -08:00 · 2022-11-26 12:16:59 -08:00
157 changed files with 3901 additions and 8280 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -20,8 +20,7 @@ jobs:
  ci:
    uses: smallstep/workflows/.github/workflows/goCI.yml@main
    with:
-      only-latest-golang: false
+      os-dependencies: "libpcsclite-dev"
-      os-dependencies: 'libpcsclite-dev'
+      run-gitleaks: true
      run-codeql: true
      test-command: 'V=1 make test'
    secrets: inherit
--- a/.github/workflows/dependabot-auto-merge.yml
+++ b/.github/workflows/dependabot-auto-merge.yml
@ -1,22 +0,0 @@
 name: Dependabot auto-merge
 on: pull_request
 permissions:
  contents: write
  pull-requests: write
 jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    steps:
      - name: Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1.1.1
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{github.event.pull_request.html_url}}
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -21,7 +21,6 @@ jobs:
      version: ${{ steps.extract-tag.outputs.VERSION }}
      is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
      docker_tags: ${{ env.DOCKER_TAGS }}
      docker_tags_hsm: ${{ env.DOCKER_TAGS_HSM }}
    steps:
      - name: Is Pre-release
        id: is_prerelease
@ -37,12 +36,10 @@ jobs:
          VERSION=${GITHUB_REF#refs/tags/v}
          echo "VERSION=${VERSION}" >> ${GITHUB_OUTPUT}
          echo "DOCKER_TAGS=${{ env.DOCKER_IMAGE }}:${VERSION}" >> ${GITHUB_ENV}
          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_IMAGE }}:${VERSION}-hsm" >> ${GITHUB_ENV}
      - name: Add Latest Tag
        if: steps.is_prerelease.outputs.IS_PRERELEASE == 'false'
        run: |
          echo "DOCKER_TAGS=${{ env.DOCKER_TAGS }},${{ env.DOCKER_IMAGE }}:latest" >> ${GITHUB_ENV}
          echo "DOCKER_TAGS_HSM=${{ env.DOCKER_TAGS_HSM }},${{ env.DOCKER_IMAGE }}:hsm" >> ${GITHUB_ENV}
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
@ -55,12 +52,38 @@ jobs:
          prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
  goreleaser:
    name: Upload Assets To Github w/ goreleaser
    runs-on: ubuntu-latest
    needs: create_release
    permissions:
      id-token: write
      contents: write
-    uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
+    steps:
-    secrets: inherit
+      - name: Checkout
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: 1.19
          check-latest: true
      - name: Install cosign
        uses: sigstore/cosign-installer@v2
        with:
          cosign-release: 'v1.13.1'
      - name: Get Release Date
        id: release_date
        run: |
          RELEASE_DATE=$(date +"%y-%m-%d")
          echo "RELEASE_DATE=${RELEASE_DATE}" >> ${GITHUB_ENV}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v3
        with:
          version: 'latest'
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GORELEASER_PAT }}
          RELEASE_DATE: ${{ env.RELEASE_DATE }}
          COSIGN_EXPERIMENTAL: 1
  build_upload_docker:
    name: Build & Upload Docker Images
@ -73,19 +96,5 @@ jobs:
      platforms: linux/amd64,linux/386,linux/arm,linux/arm64
      tags: ${{ needs.create_release.outputs.docker_tags }}
      docker_image: smallstep/step-ca
-      docker_file: docker/Dockerfile
+      docker_file: docker/Dockerfile.step-ca
    secrets: inherit
  build_upload_docker_hsm:
    name: Build & Upload HSM Enabled Docker Images
    needs: create_release
    permissions:
      id-token: write
      contents: write
    uses: smallstep/workflows/.github/workflows/docker-buildx-push.yml@main
    with:
      platforms: linux/amd64,linux/386,linux/arm,linux/arm64
      tags: ${{ needs.create_release.outputs.docker_tags_hsm }}
      docker_image: smallstep/step-ca
      docker_file: docker/Dockerfile.hsm
    secrets: inherit
--- a/.gitignore
+++ b/.gitignore
@ -24,4 +24,3 @@ output
 vendor
 .idea
 .envrc
 .vscode
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -31,12 +31,11 @@ builds:
      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
 archives:
-  - &ARCHIVE
+  -
    # Can be used to change the archive formats for specific GOOSs.
    # Most common use case is to archive as zip on Windows.
    # Default is empty.
    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
    rlcp: true
    format_overrides:
      - goos: windows
        format: zip
@ -45,11 +44,6 @@ archives:
      - README.md
      - LICENSE
    allow_different_binary_count: true
  -
    << : *ARCHIVE
    id: unversioned
    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
 nfpms:
  # Configure nFPM for .deb and .rpm releases
@ -61,7 +55,7 @@ nfpms:
  # List file contents: dpkg -c dist/step_...deb
  # Package metadata: dpkg --info dist/step_....deb
  #
-  - &NFPM
+  -
    builds:
      - step-ca
    package_name: step-ca
@ -81,14 +75,9 @@ nfpms:
    contents:
      - src: debian/copyright
        dst: /usr/share/doc/step-ca/copyright
  -
    << : *NFPM
    id: unversioned
    file_name_template: "{{ .PackageName }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
 source:
  enabled: true
  rlcp: true
  name_template: '{{ .ProjectName }}_{{ .Version }}'
 checksum:
@ -141,17 +130,17 @@ release:
    #### Linux
-    - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
+    - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
-    - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
+    - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
    #### OSX Darwin
-    - 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz)
+    - 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz)
-    - 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz)
+    - 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz)
    #### Windows
-    - 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
+    - 📦 [step-ca_windows_{{ .Version }}_arm64.zip](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
    For more builds across platforms and architectures, see the `Assets` section below.
    And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation).
@ -165,11 +154,9 @@ release:
    Below is an example using `cosign` to verify a release artifact:
    ```
-    cosign verify-blob \
+    COSIGN_EXPERIMENTAL=1 cosign verify-blob \
      --certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
      --signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
      --certificate-identity-regexp "https://github\.com/smallstep/certificates/.*" \
      --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
    ```
@ -198,41 +185,3 @@ release:
  #  - glob: ./path/to/file.txt
  #  - glob: ./glob/**/to/**/file/**/*
  #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
 scoops:
  -
    ids: [ default ]
    # Template for the url which is determined by the given Token (github or gitlab)
    # Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
    # Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
    # Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
    url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
    # Repository to push the app manifest to.
    bucket:
      owner: smallstep
      name: scoop-bucket
    # Git author used to commit to the repository.
    # Defaults are shown.
    commit_author:
      name: goreleaserbot
      email: goreleaser@smallstep.com
    # The project name and current git tag are used in the format string.
    commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
    # Your app's homepage.
    # Default is empty.
    homepage: "https://smallstep.com/docs/step-ca"
    # Skip uploads for prerelease.
    skip_upload: auto
    # Your app's description.
    # Default is empty.
    description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
    # Your app's license
    # Default is empty.
    license: "Apache-2.0"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -27,117 +27,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Fixed
 - Improved authentication for ACME requests using kid and provisioner name
  (smallstep/certificates#1386).
 ## [v0.24.2] - 2023-05-11
 ### Added
 - Log SSH certificates (smallstep/certificates#1374)
 - CRL endpoints on the HTTP server (smallstep/certificates#1372)
 - Dynamic SCEP challenge validation using webhooks (smallstep/certificates#1366)
 - For Docker deployments, added DOCKER_STEPCA_INIT_PASSWORD_FILE. Useful for pointing to a Docker Secret in the container (smallstep/certificates#1384)
 ### Changed
 - Depend on [smallstep/go-attestation](https://github.com/smallstep/go-attestation) instead of [google/go-attestation](https://github.com/google/go-attestation)
 - Render CRLs into http.ResponseWriter instead of memory (smallstep/certificates#1373)
 - Redaction of SCEP static challenge when listing provisioners (smallstep/certificates#1204)
 ### Fixed
 - VaultCAS certificate lifetime (smallstep/certificates#1376)
 ## [v0.24.1] - 2023-04-14
 ### Fixed
 - Docker image name for HSM support (smallstep/certificates#1348)
 ## [v0.24.0] - 2023-04-12
 ### Added
 - Add ACME `device-attest-01` support with TPM 2.0
  (smallstep/certificates#1063).
 - Add support for new Azure SDK, sovereign clouds, and HSM keys on Azure KMS
  (smallstep/crypto#192, smallstep/crypto#197, smallstep/crypto#198,
  smallstep/certificates#1323, smallstep/certificates#1309).
 - Add support for ASN.1 functions on certificate templates
  (smallstep/crypto#208, smallstep/certificates#1345)
 - Add `DOCKER_STEPCA_INIT_ADDRESS` to configure the address to use in a docker
  container (smallstep/certificates#1262).
 - Make sure that the CSR used matches the attested key when using AME
  `device-attest-01` challenge (smallstep/certificates#1265).
 - Add support for compacting the Badger DB (smallstep/certificates#1298).
 - Build and release cleanups (smallstep/certificates#1322,
  smallstep/certificates#1329, smallstep/certificates#1340).
 ### Fixed
 - Fix support for PKCS #7 RSA-OAEP decryption through
  [smallstep/pkcs7#4](https://github.com/smallstep/pkcs7/pull/4), as used in
  SCEP.
 - Fix RA installation using `scripts/install-step-ra.sh`
  (smallstep/certificates#1255).
 - Clarify error messages on policy errors (smallstep/certificates#1287,
  smallstep/certificates#1278).
 - Clarify error message on OIDC email validation (smallstep/certificates#1290).
 - Mark the IDP critical in the generated CRL data (smallstep/certificates#1293).
 - Disable database if CA is initialized with the `--no-db` flag
  (smallstep/certificates#1294).
 ## [v0.23.2] - 2023-02-02
 ### Added
 - Added [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) to
  docker images, and a new image, `smallstep/step-ca-hsm`, compiled with cgo
  (smallstep/certificates#1243).
 - Added [`scoop`](https://scoop.sh) packages back to the release
  (smallstep/certificates#1250).
 - Added optional flag `--pidfile` which allows passing a filename where step-ca
  will write its process id (smallstep/certificates#1251).
 - Added helpful message on CA startup when config can't be opened
  (smallstep/certificates#1252).
 - Improved validation and error messages on `device-attest-01` orders
  (smallstep/certificates#1235).
 ### Removed
 - The deprecated CLI utils `step-awskms-init`, `step-cloudkms-init`,
  `step-pkcs11-init`, `step-yubikey-init` have been removed.
  [`step`](https://github.com/smallstep/cli) and
  [`step-kms-plugin`](https://github.com/smallstep/step-kms-plugin) should be
  used instead (smallstep/certificates#1240).
 ### Fixed
 - Fixed remote management flags in docker images (smallstep/certificates#1228).
 ## [v0.23.1] - 2023-01-10
 ### Added
 - Added configuration property `.crl.idpURL`  to be able to set a custom Issuing
  Distribution Point in the CRL (smallstep/certificates#1178).
 - Added WithContext methods to the CA client (smallstep/certificates#1211).
 - Docker: Added environment variables for enabling Remote Management and ACME
  provisioner (smallstep/certificates#1201).
 - Docker: The entrypoint script now generates and displays an initial JWK
  provisioner password by default when the CA is being initialized
  (smallstep/certificates#1223).
 ### Changed
 - Ignore SSH principals validation when using an OIDC provisioner. The
  provisioner will ignore the principals passed and set the defaults or the ones
  including using WebHooks or templates (smallstep/certificates#1206).
 ## [v0.23.0] - 2022-11-11
 ### Added
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -74,7 +74,7 @@ sudo yum install pcsc-lite-devel
 To build `step-ca`, clone this repository and run the following:
 ```shell
-make bootstrap && make build GO_ENVS="CGO_ENABLED=1"
+make bootstrap && make build GOFLAGS=""
 ```
 When the build is complete, you will find binaries in `bin/`.
--- a/121
+++ b/121
@ -1,11 +1,21 @@
 PKG?=github.com/smallstep/certificates/cmd/step-ca
 BINNAME?=step-ca
 CLOUDKMS_BINNAME?=step-cloudkms-init
 CLOUDKMS_PKG?=github.com/smallstep/certificates/cmd/step-cloudkms-init
 AWSKMS_BINNAME?=step-awskms-init
 AWSKMS_PKG?=github.com/smallstep/certificates/cmd/step-awskms-init
 YUBIKEY_BINNAME?=step-yubikey-init
 YUBIKEY_PKG?=github.com/smallstep/certificates/cmd/step-yubikey-init
 PKCS11_BINNAME?=step-pkcs11-init
 PKCS11_PKG?=github.com/smallstep/certificates/cmd/step-pkcs11-init
 # Set V to 1 for verbose output from the Makefile
 Q=$(if $V,,@)
 PREFIX?=
 SRC=$(shell find . -type f -name '*.go' -not -path "./vendor/*")
 GOOS_OVERRIDE ?=
 OUTPUT_ROOT=output/
 RELEASE=./.releases
 all: lint test build
@ -21,8 +31,6 @@ bootstra%:
 	$Q curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $$(go env GOPATH)/bin latest
 	$Q go install golang.org/x/vuln/cmd/govulncheck@latest
 	$Q go install gotest.tools/gotestsum@latest
 	$Q go install github.com/goreleaser/goreleaser@latest
 	$Q go install github.com/sigstore/cosign/v2/cmd/cosign@latest
 .PHONY: bootstra%
@ -30,8 +38,17 @@ bootstra%:
 # Determine the type of `push` and `version`
 #################################################
 # If TRAVIS_TAG is set then we know this ref has been tagged.
 ifdef TRAVIS_TAG
 VERSION ?= $(TRAVIS_TAG)
 NOT_RC  := $(shell echo $(VERSION) | grep -v -e -rc)
 	ifeq ($(NOT_RC),)
 PUSHTYPE := release-candidate
 	else
 PUSHTYPE := release
 	endif
 # GITHUB Actions
-ifdef GITHUB_REF
+else ifdef GITHUB_REF
 VERSION ?= $(shell echo $(GITHUB_REF) | sed 's/^refs\/tags\///')
 NOT_RC  := $(shell echo $(VERSION) | grep -v -e -rc)
 	ifeq ($(NOT_RC),)
@ -44,14 +61,21 @@ VERSION ?= $(shell [ -d .git ] && git describe --tags --always --dirty="-dev")
 # If we are not in an active git dir then try reading the version from .VERSION.
 # .VERSION contains a slug populated by `git archive`.
 VERSION := $(or $(VERSION),$(shell ./.version.sh .VERSION))
 	ifeq ($(TRAVIS_BRANCH),master)
 PUSHTYPE := master
 	else
 PUSHTYPE := branch
 	endif
 endif
 VERSION := $(shell echo $(VERSION) | sed 's/^v//')
 DEB_VERSION := $(shell echo $(VERSION) | sed 's/-/./g')
 ifdef V
 $(info    TRAVIS_TAG is $(TRAVIS_TAG))
 $(info    GITHUB_REF is $(GITHUB_REF))
 $(info    VERSION is $(VERSION))
 $(info    DEB_VERSION is $(DEB_VERSION))
 $(info    PUSHTYPE is $(PUSHTYPE))
 endif
@ -61,33 +85,33 @@ endif
 DATE    := $(shell date -u '+%Y-%m-%d %H:%M UTC')
 LDFLAGS := -ldflags='-w -X "main.Version=$(VERSION)" -X "main.BuildTime=$(DATE)"'
-
+GOFLAGS := CGO_ENABLED=0
 # Always explicitly enable or disable cgo,
 # so that go doesn't silently fall back on
 # non-cgo when gcc is not found.
 ifeq (,$(findstring CGO_ENABLED,$(GO_ENVS)))
 	ifneq ($(origin GOFLAGS),undefined)
 		# This section is for backward compatibility with 
 		# 
 		# $ make build GOFLAGS=""
 		#
 		# which is how we recommended building step-ca with cgo support
 		# until June 2023.
 		GO_ENVS := $(GO_ENVS) CGO_ENABLED=1
 	else
 		GO_ENVS := $(GO_ENVS) CGO_ENABLED=0
 	endif
 endif
 download:
 	$Q go mod download
-build: $(PREFIX)bin/$(BINNAME)
+build: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME) $(PREFIX)bin/$(YUBIKEY_BINNAME) $(PREFIX)bin/$(PKCS11_BINNAME)
 	@echo "Build Complete!"
 $(PREFIX)bin/$(BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
-	$Q $(GOOS_OVERRIDE) GOFLAGS="$(GOFLAGS)" $(GO_ENVS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
+	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(BINNAME) $(LDFLAGS) $(PKG)
 $(PREFIX)bin/$(CLOUDKMS_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(LDFLAGS) $(CLOUDKMS_PKG)
 $(PREFIX)bin/$(AWSKMS_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(AWSKMS_BINNAME) $(LDFLAGS) $(AWSKMS_PKG)
 $(PREFIX)bin/$(YUBIKEY_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(YUBIKEY_BINNAME) $(LDFLAGS) $(YUBIKEY_PKG)
 $(PREFIX)bin/$(PKCS11_BINNAME): download $(call rwildcard,*.go)
 	$Q mkdir -p $(@D)
 	$Q $(GOOS_OVERRIDE) $(GOFLAGS) go build -v -o $(PREFIX)bin/$(PKCS11_BINNAME) $(LDFLAGS) $(PKCS11_PKG)
 # Target to force a build of step-ca without running tests
 simple: build
@ -106,26 +130,19 @@ generate:
 #########################################
 # Test
 #########################################
-test: testdefault testtpmsimulator combinecoverage
+test:
 	$Q $(GOFLAGS) gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...
 testdefault:
 	$Q $(GO_ENVS) gotestsum -- -coverprofile=defaultcoverage.out -short -covermode=atomic ./...
 testtpmsimulator:
 	$Q CGO_ENABLED=1 gotestsum -- -coverprofile=tpmsimulatorcoverage.out -short -covermode=atomic -tags tpmsimulator ./acme 
 testcgo:
 	$Q gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...
-combinecoverage:
+.PHONY: test testcgo
 	cat defaultcoverage.out tpmsimulatorcoverage.out > coverage.out
 .PHONY: test testdefault testtpmsimulator testcgo combinecoverage
 integrate: integration
 integration: bin/$(BINNAME)
-	$Q $(GO_ENVS) gotestsum -- -tags=integration ./integration/...
+	$Q $(GOFLAGS) gotestsum -- -tags=integration ./integration/...
 .PHONY: integrate integration
@ -149,11 +166,15 @@ lint:
 INSTALL_PREFIX?=/usr/
-install: $(PREFIX)bin/$(BINNAME)
+install: $(PREFIX)bin/$(BINNAME) $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(PREFIX)bin/$(AWSKMS_BINNAME)
 	$Q install -D $(PREFIX)bin/$(BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(BINNAME)
 	$Q install -D $(PREFIX)bin/$(CLOUDKMS_BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(CLOUDKMS_BINNAME)
 	$Q install -D $(PREFIX)bin/$(AWSKMS_BINNAME) $(DESTDIR)$(INSTALL_PREFIX)bin/$(AWSKMS_BINNAME)
 uninstall:
 	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(BINNAME)
 	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(CLOUDKMS_BINNAME)
 	$Q rm -f $(DESTDIR)$(INSTALL_PREFIX)/bin/$(AWSKMS_BINNAME)
 .PHONY: install uninstall
@ -165,6 +186,18 @@ clean:
 ifneq ($(BINNAME),"")
 	$Q rm -f bin/$(BINNAME)
 endif
 ifneq ($(CLOUDKMS_BINNAME),"")
 	$Q rm -f bin/$(CLOUDKMS_BINNAME)
 endif
 ifneq ($(AWSKMS_BINNAME),"")
 	$Q rm -f bin/$(AWSKMS_BINNAME)
 endif
 ifneq ($(YUBIKEY_BINNAME),"")
 	$Q rm -f bin/$(YUBIKEY_BINNAME)
 endif
 ifneq ($(PKCS11_BINNAME),"")
 	$Q rm -f bin/$(PKCS11_BINNAME)
 endif
 .PHONY: clean
@ -177,3 +210,23 @@ run:
 .PHONY: run
 #########################################
 # Debian
 #########################################
 changelog:
 	$Q echo "step-ca ($(DEB_VERSION)) unstable; urgency=medium" > debian/changelog
 	$Q echo >> debian/changelog
 	$Q echo "  * See https://github.com/smallstep/certificates/releases" >> debian/changelog
 	$Q echo >> debian/changelog
 	$Q echo " -- Smallstep Labs, Inc. <techadmin@smallstep.com>  $(shell date -uR)" >> debian/changelog
 debian: changelog
 	$Q mkdir -p $(RELEASE); \
 	OUTPUT=../step-ca*.deb; \
 	rm $$OUTPUT; \
 	dpkg-buildpackage -b -rfakeroot -us -uc && cp $$OUTPUT $(RELEASE)/
 distclean: clean
 .PHONY: changelog debian distclean
--- a/README.md
+++ b/README.md
@ -119,12 +119,18 @@ See our installation docs [here](https://smallstep.com/docs/step-ca/installation
 ## Documentation
-* [Official documentation](https://smallstep.com/docs/step-ca) is on smallstep.com
+Documentation can be found in a handful of different places:
-* The `step` command reference is available via `step help`,
+
-[on smallstep.com](https://smallstep.com/docs/step-cli/reference/),
+1. On the web at https://smallstep.com/docs/step-ca.
-or by running `step help --http=:8080` from the command line
+
 2. On the command line with `step help ca xxx` where `xxx` is the subcommand
 you are interested in. Ex: `step help ca provisioner list`.
 3. In your browser, by running `step help --http=:8080 ca` from the command line
 and visiting http://localhost:8080.
 4. The [docs](./docs/README.md) folder is being deprecated, but it still has some documentation and tutorials.
 ## Feedback?
 * Tell us what you like and don't like about managing your PKI - we're eager to help solve problems in this space.
--- a/acme/account.go
+++ b/acme/account.go
@ -20,16 +20,6 @@ type Account struct {
 	Status                 Status           `json:"status"`
 	OrdersURL              string           `json:"orders"`
 	ExternalAccountBinding interface{}      `json:"externalAccountBinding,omitempty"`
 	LocationPrefix         string           `json:"-"`
 	ProvisionerName        string           `json:"-"`
 }
 // GetLocation returns the URL location of the given account.
 func (a *Account) GetLocation() string {
 	if a.LocationPrefix == "" {
 		return ""
 	}
 	return a.LocationPrefix + a.ID
 }
 // ToLog enables response logging.
@ -82,7 +72,6 @@ func (p *Policy) GetAllowedNameOptions() *policy.X509NameOptions {
 		IPRanges:   p.X509.Allowed.IPRanges,
 	}
 }
 func (p *Policy) GetDeniedNameOptions() *policy.X509NameOptions {
 	if p == nil {
 		return nil
--- a/acme/account_test.go
+++ b/acme/account_test.go
@ -66,23 +66,6 @@ func TestKeyToID(t *testing.T) {
 	}
 }
 func TestAccount_GetLocation(t *testing.T) {
 	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
 	type test struct {
 		acc *Account
 		exp string
 	}
 	tests := map[string]test{
 		"empty":     {acc: &Account{LocationPrefix: ""}, exp: ""},
 		"not-empty": {acc: &Account{ID: "bar", LocationPrefix: locationPrefix}, exp: locationPrefix + "bar"},
 	}
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			assert.Equals(t, tc.acc.GetLocation(), tc.exp)
 		})
 	}
 }
 func TestAccount_IsValid(t *testing.T) {
 	type test struct {
 		acc *Account
@ -152,6 +135,7 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
 				if assert.True(t, errors.As(err, &ae)) {
 					assert.Equals(t, ae.Type, tt.err.Type)
 					assert.Equals(t, ae.Detail, tt.err.Detail)
 					assert.Equals(t, ae.Identifier, tt.err.Identifier)
 					assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
 				}
 			} else {
--- a/acme/api/account.go
+++ b/acme/api/account.go
@ -1,7 +1,6 @@
 package api
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
@ -68,12 +67,6 @@ func (u *UpdateAccountRequest) Validate() error {
 	}
 }
 // getAccountLocationPath returns the current account URL location.
 // Returned location will be of the form: https://<ca-url>/acme/<provisioner>/account/<accID>
 func getAccountLocationPath(ctx context.Context, linker acme.Linker, accID string) string {
 	return linker.GetLink(ctx, acme.AccountLinkType, accID)
 }
 // NewAccount is the handler resource for creating new ACME accounts.
 func NewAccount(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@ -135,8 +128,6 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 			Key:     jwk,
 			Contact: nar.Contact,
 			Status:  acme.StatusValid,
 			LocationPrefix:  getAccountLocationPath(ctx, linker, ""),
 			ProvisionerName: prov.GetName(),
 		}
 		if err := db.CreateAccount(ctx, acc); err != nil {
 			render.Error(w, acme.WrapErrorISE(err, "error creating account"))
@ -161,7 +152,7 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
 	linker.LinkAccount(ctx, acc)
-	w.Header().Set("Location", getAccountLocationPath(ctx, linker, acc.ID))
+	w.Header().Set("Location", linker.GetLink(r.Context(), acme.AccountLinkType, acc.ID))
 	render.JSONStatus(w, acc, httpStatus)
 }
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -34,20 +34,27 @@ var (
 type fakeProvisioner struct{}
-func (*fakeProvisioner) AuthorizeOrderIdentifier(context.Context, provisioner.ACMEIdentifier) error {
+func (*fakeProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error {
 	return nil
 }
-func (*fakeProvisioner) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) {
+
 func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) {
 	return nil, nil
 }
-func (*fakeProvisioner) IsChallengeEnabled(context.Context, provisioner.ACMEChallenge) bool {
+
 func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
 	return true
 }
-func (*fakeProvisioner) IsAttestationFormatEnabled(context.Context, provisioner.ACMEAttestationFormat) bool {
+
 func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
 	return true
 }
-func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool)   { return nil, false }
+
-func (*fakeProvisioner) AuthorizeRevoke(context.Context, string) error { return nil }
+func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) {
 	return nil, false
 }
 func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
 func (*fakeProvisioner) GetID() string                                           { return "" }
 func (*fakeProvisioner) GetName() string                                         { return "" }
 func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration                   { return 0 }
@ -362,7 +369,7 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil, "")
+			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
 			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
@ -381,6 +388,7 @@ func TestHandler_GetOrdersByAccountID(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -801,7 +809,7 @@ func TestHandler_NewAccount(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil, "")
+			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
 			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
@ -820,6 +828,7 @@ func TestHandler_NewAccount(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1004,7 +1013,7 @@ func TestHandler_GetOrUpdateAccount(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil, "")
+			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
 			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
@ -1023,6 +1032,7 @@ func TestHandler_GetOrUpdateAccount(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
--- a/acme/api/eab_test.go
+++ b/acme/api/eab_test.go
@ -866,6 +866,7 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
 					assert.Equals(t, ae.Status, tc.err.Status)
 					assert.HasPrefix(t, ae.Err.Error(), tc.err.Err.Error())
 					assert.Equals(t, ae.Detail, tc.err.Detail)
 					assert.Equals(t, ae.Identifier, tc.err.Identifier)
 					assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				}
 			} else {
@ -1144,6 +1145,7 @@ func Test_validateEABJWS(t *testing.T) {
 				assert.Equals(t, tc.err.Status, err.Status)
 				assert.HasPrefix(t, err.Err.Error(), tc.err.Err.Error())
 				assert.Equals(t, tc.err.Detail, err.Detail)
 				assert.Equals(t, tc.err.Identifier, err.Identifier)
 				assert.Equals(t, tc.err.Subproblems, err.Subproblems)
 			} else {
 				assert.Nil(t, err)
--- a/acme/api/handler.go
+++ b/acme/api/handler.go
@ -95,7 +95,7 @@ func (h *handler) Route(r api.Router) {
 			if ca, ok := h.opts.CA.(*authority.Authority); ok && ca != nil {
 				ctx = authority.NewContext(ctx, ca)
 			}
-			ctx = acme.NewContext(ctx, h.opts.DB, client, linker, h.opts.PrerequisitesChecker, "")
+			ctx = acme.NewContext(ctx, h.opts.DB, client, linker, h.opts.PrerequisitesChecker)
 			next(w, r.WithContext(ctx))
 		}
 	})
@ -273,7 +273,7 @@ func shouldAddMetaObject(p *provisioner.ACME) bool {
 // NotImplemented returns a 501 and is generally a placeholder for functionality which
 // MAY be added at some point in the future but is not in any way a guarantee of such.
-func NotImplemented(w http.ResponseWriter, _ *http.Request) {
+func NotImplemented(w http.ResponseWriter, r *http.Request) {
 	render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented"))
 }
--- a/acme/api/handler_test.go
+++ b/acme/api/handler_test.go
@ -193,6 +193,7 @@ func TestHandler_GetDirectory(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -346,7 +347,7 @@ func TestHandler_GetAuthorization(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil, "")
+			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
 			req := httptest.NewRequest("GET", "/foo/bar", nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
@ -365,6 +366,7 @@ func TestHandler_GetAuthorization(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -507,6 +509,7 @@ func TestHandler_GetCertificate(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.HasPrefix(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -746,7 +749,7 @@ func TestHandler_GetChallenge(t *testing.T) {
 	for name, run := range tests {
 		tc := run(t)
 		t.Run(name, func(t *testing.T) {
-			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil, "")
+			ctx := acme.NewContext(tc.ctx, tc.db, nil, acme.NewLinker("test.ca.smallstep.com", "acme"), nil)
 			req := httptest.NewRequest("GET", u, nil)
 			req = req.WithContext(ctx)
 			w := httptest.NewRecorder()
@ -765,6 +768,7 @@ func TestHandler_GetChallenge(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -7,7 +7,6 @@ import (
 	"io"
 	"net/http"
 	"net/url"
 	"path"
 	"strings"
 	"go.step.sm/crypto/jose"
@ -17,6 +16,7 @@ import (
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/nosql"
 )
 type nextHTTP = func(http.ResponseWriter, *http.Request)
@ -293,6 +293,7 @@ func lookupJWK(next nextHTTP) nextHTTP {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		db := acme.MustDatabaseFromContext(ctx)
 		linker := acme.MustLinkerFromContext(ctx)
 		jws, err := jwsFromContext(ctx)
 		if err != nil {
@ -300,16 +301,19 @@ func lookupJWK(next nextHTTP) nextHTTP {
 			return
 		}
 		kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
 		kid := jws.Signatures[0].Protected.KeyID
-		if kid == "" {
+		if !strings.HasPrefix(kid, kidPrefix) {
-			render.Error(w, acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"))
+			render.Error(w, acme.NewError(acme.ErrorMalformedType,
 				"kid does not have required prefix; expected %s, but got %s",
 				kidPrefix, kid))
 			return
 		}
-		accID := path.Base(kid)
+		accID := strings.TrimPrefix(kid, kidPrefix)
 		acc, err := db.GetAccount(ctx, accID)
 		switch {
-		case acme.IsErrNotFound(err):
+		case nosql.IsErrNotFound(err):
 			render.Error(w, acme.NewError(acme.ErrorAccountDoesNotExistType, "account with ID '%s' not found", accID))
 			return
 		case err != nil:
@ -320,45 +324,6 @@ func lookupJWK(next nextHTTP) nextHTTP {
 				render.Error(w, acme.NewError(acme.ErrorUnauthorizedType, "account is not active"))
 				return
 			}
 			if storedLocation := acc.GetLocation(); storedLocation != "" {
 				if kid != storedLocation {
 					// ACME accounts should have a stored location equivalent to the
 					// kid in the ACME request.
 					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 						"kid does not match stored account location; expected %s, but got %s",
 						storedLocation, kid))
 					return
 				}
 				// Verify that the provisioner with which the account was created
 				// matches the provisioner in the request URL.
 				reqProv := acme.MustProvisionerFromContext(ctx)
 				reqProvName := reqProv.GetName()
 				accProvName := acc.ProvisionerName
 				if reqProvName != accProvName {
 					// Provisioner in the URL must match the provisioner with
 					// which the account was created.
 					render.Error(w, acme.NewError(acme.ErrorUnauthorizedType,
 						"account provisioner does not match requested provisioner; account provisioner = %s, requested provisioner = %s",
 						accProvName, reqProvName))
 					return
 				}
 			} else {
 				// This code will only execute for old ACME accounts that do
 				// not have a cached location. The following validation was
 				// the original implementation of the `kid` check which has
 				// since been deprecated. However, the code will remain to
 				// ensure consistent behavior for old ACME accounts.
 				linker := acme.MustLinkerFromContext(ctx)
 				kidPrefix := linker.GetLink(ctx, acme.AccountLinkType, "")
 				if !strings.HasPrefix(kid, kidPrefix) {
 					render.Error(w, acme.NewError(acme.ErrorMalformedType,
 						"kid does not have required prefix; expected %s, but got %s",
 						kidPrefix, kid))
 					return
 				}
 			}
 			ctx = context.WithValue(ctx, accContextKey, acc)
 			ctx = context.WithValue(ctx, jwkContextKey, acc.Key)
 			next(w, r.WithContext(ctx))
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -17,13 +17,14 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 )
 var testBody = []byte("foo")
-func testNext(w http.ResponseWriter, _ *http.Request) {
+func testNext(w http.ResponseWriter, r *http.Request) {
 	w.Write(testBody)
 }
@ -92,6 +93,7 @@ func TestHandler_addNonce(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -145,6 +147,7 @@ func TestHandler_addDirLink(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -249,6 +252,7 @@ func TestHandler_verifyContentType(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -316,6 +320,7 @@ func TestHandler_isPostAsGet(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -327,7 +332,7 @@ func TestHandler_isPostAsGet(t *testing.T) {
 type errReader int
-func (errReader) Read([]byte) (int, error) {
+func (errReader) Read(p []byte) (n int, err error) {
 	return 0, errors.New("force")
 }
 func (errReader) Close() error {
@ -405,6 +410,7 @@ func TestHandler_parseJWS(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -600,6 +606,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -677,7 +684,31 @@ func TestHandler_lookupJWK(t *testing.T) {
 				linker:     acme.NewLinker("test.ca.smallstep.com", "acme"),
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "signature missing 'kid'"),
+				err:        acme.NewError(acme.ErrorMalformedType, "kid does not have required prefix; expected %s, but got ", prefix),
 			}
 		},
 		"fail/bad-kid-prefix": func(t *testing.T) test {
 			_so := new(jose.SignerOptions)
 			_so.WithHeader("kid", "foo")
 			_signer, err := jose.NewSigner(jose.SigningKey{
 				Algorithm: jose.SignatureAlgorithm(jwk.Algorithm),
 				Key:       jwk.Key,
 			}, _so)
 			assert.FatalError(t, err)
 			_jws, err := _signer.Sign([]byte("baz"))
 			assert.FatalError(t, err)
 			_raw, err := _jws.CompactSerialize()
 			assert.FatalError(t, err)
 			_parsed, err := jose.ParseJWS(_raw)
 			assert.FatalError(t, err)
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, _parsed)
 			return test{
 				db:         &acme.MockDB{},
 				linker:     acme.NewLinker("test.ca.smallstep.com", "acme"),
 				ctx:        ctx,
 				statusCode: 400,
 				err:        acme.NewError(acme.ErrorMalformedType, "kid does not have required prefix; expected %s, but got foo", prefix),
 			}
 		},
 		"fail/account-not-found": func(t *testing.T) test {
@ -688,7 +719,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, accID string) (*acme.Account, error) {
 						assert.Equals(t, accID, accID)
-						return nil, acme.ErrNotFound
+						return nil, database.ErrNotFound
 					},
 				},
 				ctx:        ctx,
@ -729,77 +760,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				err:        acme.NewError(acme.ErrorUnauthorizedType, "account is not active"),
 			}
 		},
-		"fail/account-with-location-prefix/bad-kid": func(t *testing.T) test {
+		"ok": func(t *testing.T) test {
 			acc := &acme.Account{LocationPrefix: "foobar", Status: "valid"}
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
 			return test{
 				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
 						assert.Equals(t, id, accID)
 						return acc, nil
 					},
 				},
 				ctx:        ctx,
 				statusCode: http.StatusUnauthorized,
 				err:        acme.NewError(acme.ErrorUnauthorizedType, "kid does not match stored account location; expected foobar, but %q", prefix+accID),
 			}
 		},
 		"fail/account-with-location-prefix/bad-provisioner": func(t *testing.T) test {
 			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerName: "other"}
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
 			return test{
 				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
 						assert.Equals(t, id, accID)
 						return acc, nil
 					},
 				},
 				ctx: ctx,
 				next: func(w http.ResponseWriter, r *http.Request) {
 					_acc, err := accountFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _acc, acc)
 					_jwk, err := jwkFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _jwk, jwk)
 					w.Write(testBody)
 				},
 				statusCode: http.StatusUnauthorized,
 				err: acme.NewError(acme.ErrorUnauthorizedType,
 					"account provisioner does not match requested provisioner; account provisioner = %s, reqested provisioner = %s",
 					prov.GetName(), "other"),
 			}
 		},
 		"ok/account-with-location-prefix": func(t *testing.T) test {
 			acc := &acme.Account{LocationPrefix: prefix + accID, Status: "valid", Key: jwk, ProvisionerName: prov.GetName()}
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
 			return test{
 				linker: acme.NewLinker("test.ca.smallstep.com", "acme"),
 				db: &acme.MockDB{
 					MockGetAccount: func(ctx context.Context, id string) (*acme.Account, error) {
 						assert.Equals(t, id, accID)
 						return acc, nil
 					},
 				},
 				ctx: ctx,
 				next: func(w http.ResponseWriter, r *http.Request) {
 					_acc, err := accountFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _acc, acc)
 					_jwk, err := jwkFromContext(r.Context())
 					assert.FatalError(t, err)
 					assert.Equals(t, _jwk, jwk)
 					w.Write(testBody)
 				},
 				statusCode: http.StatusOK,
 			}
 		},
 		"ok/account-without-location-prefix": func(t *testing.T) test {
 			acc := &acme.Account{Status: "valid", Key: jwk}
 			ctx := acme.NewProvisionerContext(context.Background(), prov)
 			ctx = context.WithValue(ctx, jwsContextKey, parsedJWS)
@ -847,6 +808,7 @@ func TestHandler_lookupJWK(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1046,6 +1008,7 @@ func TestHandler_extractJWK(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1421,6 +1384,7 @@ func TestHandler_validateJWS(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1603,6 +1567,7 @@ func TestHandler_extractOrLookupJWK(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1687,6 +1652,7 @@ func TestHandler_checkPrerequisites(t *testing.T) {
 				assert.FatalError(t, json.Unmarshal(bytes.TrimSpace(body), &ae))
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
--- a/acme/api/order.go
+++ b/acme/api/order.go
@ -392,7 +392,7 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType {
 	case acme.IP:
 		chTypes = []acme.ChallengeType{acme.HTTP01, acme.TLSALPN01}
 	case acme.DNS:
-		chTypes = []acme.ChallengeType{acme.DNS01, acme.NNS01}
+		chTypes = []acme.ChallengeType{acme.DNS01}
 		// HTTP and TLS challenges can only be used for identifiers without wildcards.
 		if !az.Wildcard {
 			chTypes = append(chTypes, []acme.ChallengeType{acme.HTTP01, acme.TLSALPN01}...)
--- a/acme/api/order_test.go
+++ b/acme/api/order_test.go
@ -486,6 +486,7 @@ func TestHandler_GetOrder(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1845,6 +1846,7 @@ func TestHandler_NewOrder(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -2142,6 +2144,7 @@ func TestHandler_FinalizeOrder(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
@ -151,7 +151,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) {
 // the identifiers in the certificate are extracted and compared against the (valid) Authorizations
 // that are stored for the ACME Account. If these sets match, the Account is considered authorized
 // to revoke the certificate. If this check fails, the client will receive an unauthorized error.
-func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
+func isAccountAuthorized(ctx context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error {
 	if !account.IsValid() {
 		return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' has status '%s'", account.ID, account.Status), nil)
 	}
--- a/acme/api/revoke_test.go
+++ b/acme/api/revoke_test.go
@ -258,7 +258,7 @@ func jwkEncode(pub crypto.PublicKey) (string, error) {
 // jwsFinal constructs the final JWS object.
 // Implementation taken from github.com/mholt/acmez, which seems to be based on
 // https://github.com/golang/crypto/blob/master/acme/jws.go.
-func jwsFinal(_ crypto.Hash, sig []byte, phead, payload string) ([]byte, error) {
+func jwsFinal(sha crypto.Hash, sig []byte, phead, payload string) ([]byte, error) {
 	enc := struct {
 		Protected string `json:"protected"`
 		Payload   string `json:"payload"`
@ -281,7 +281,7 @@ type mockCA struct {
 	MockAreSANsallowed func(ctx context.Context, sans []string) error
 }
-func (m *mockCA) Sign(*x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error) {
+func (m *mockCA) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 	return nil, nil
 }
@ -1090,6 +1090,7 @@ func TestHandler_RevokeCert(t *testing.T) {
 				assert.Equals(t, ae.Type, tc.err.Type)
 				assert.Equals(t, ae.Detail, tc.err.Detail)
 				assert.Equals(t, ae.Identifier, tc.err.Identifier)
 				assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
 				assert.Equals(t, res.Header["Content-Type"], []string{"application/problem+json"})
 			} else {
@ -1229,6 +1230,7 @@ func TestHandler_isAccountAuthorized(t *testing.T) {
 			assert.Equals(t, acmeErr.Type, tc.err.Type)
 			assert.Equals(t, acmeErr.Status, tc.err.Status)
 			assert.Equals(t, acmeErr.Detail, tc.err.Detail)
 			assert.Equals(t, acmeErr.Identifier, tc.err.Identifier)
 			assert.Equals(t, acmeErr.Subproblems, tc.err.Subproblems)
 		})
@ -1321,6 +1323,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
 			assert.Equals(t, acmeErr.Type, tc.want.Type)
 			assert.Equals(t, acmeErr.Status, tc.want.Status)
 			assert.Equals(t, acmeErr.Detail, tc.want.Detail)
 			assert.Equals(t, acmeErr.Identifier, tc.want.Identifier)
 			assert.Equals(t, acmeErr.Subproblems, tc.want.Subproblems)
 		})
 	}
--- a/acme/authorization.go
+++ b/acme/authorization.go
@ -11,7 +11,6 @@ type Authorization struct {
 	ID         string       `json:"-"`
 	AccountID  string       `json:"-"`
 	Token      string       `json:"-"`
 	Fingerprint string       `json:"-"`
 	Identifier Identifier   `json:"identifier"`
 	Status     Status       `json:"status"`
 	Challenges []*Challenge `json:"challenges"`
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -26,16 +26,9 @@ import (
 	"time"
 	"github.com/fxamacker/cbor/v2"
 	"github.com/google/go-tpm/tpm2"
 	"golang.org/x/exp/slices"
 	"github.com/smallstep/go-attestation/attest"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
 type ChallengeType string
@ -49,8 +42,6 @@ const (
 	TLSALPN01 ChallengeType = "tls-alpn-01"
 	// DEVICEATTEST01 is the device-attest-01 ACME challenge type
 	DEVICEATTEST01 ChallengeType = "device-attest-01"
 	// NNS01 is the nns-01 ACME challenge type
 	NNS01 ChallengeType = "nns-01"
 )
 var (
@ -88,9 +79,10 @@ func (ch *Challenge) ToLog() (interface{}, error) {
 	return string(b), nil
 }
-// Validate attempts to validate the Challenge. Stores changes to the Challenge
+// Validate attempts to validate the challenge. Stores changes to the Challenge
-// type using the DB interface. If the Challenge is validated, the 'status' and
+// type using the DB interface.
-// 'validated' attributes are updated.
+// satisfactorily validated, the 'status' and 'validated' attributes are
 // updated.
 func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error {
 	// If already valid or invalid then return without performing validation.
 	if ch.Status != StatusPending {
@ -105,8 +97,6 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey,
 		return tlsalpn01Validate(ctx, ch, db, jwk)
 	case DEVICEATTEST01:
 		return deviceAttest01Validate(ctx, ch, db, jwk, payload)
 	case NNS01:
 		return nns01Validate(ctx, ch, db, jwk)
 	default:
 		return NewErrorISE("unexpected challenge type '%s'", ch.Type)
 	}
@ -345,26 +335,20 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
 	return nil
 }
-type payloadType struct {
+type Payload struct {
 	AttObj string `json:"attObj"`
 	Error  string `json:"error"`
 }
-type attestationObject struct {
+type AttestationObject struct {
 	Format       string                 `json:"fmt"`
 	AttStatement map[string]interface{} `json:"attStmt,omitempty"`
 }
 // TODO(bweeks): move attestation verification to a shared package.
 // TODO(bweeks): define new error type for failed attestation validation.
 func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
-	// Load authorization to store the key fingerprint.
+	var p Payload
 	az, err := db.GetAuthorization(ctx, ch.AuthorizationID)
 	if err != nil {
 		return WrapErrorISE(err, "error loading authorization")
 	}
 	// Parse payload.
 	var p payloadType
 	if err := json.Unmarshal(payload, &p); err != nil {
 		return WrapErrorISE(err, "error unmarshalling JSON")
 	}
@ -378,7 +362,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		return WrapErrorISE(err, "error base64 decoding attObj")
 	}
-	att := attestationObject{}
+	att := AttestationObject{}
 	if err := cbor.Unmarshal(attObj, &att); err != nil {
 		return WrapErrorISE(err, "error unmarshalling CBOR")
 	}
@ -402,6 +386,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 			}
 			return WrapErrorISE(err, "error validating attestation")
 		}
 		// Validate nonce with SHA-256 of the token.
 		if len(data.Nonce) != 0 {
 			sum := sha256.Sum256([]byte(ch.Token))
@ -417,9 +402,6 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		if data.UDID != ch.Value && data.SerialNumber != ch.Value {
 			return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match"))
 		}
 		// Update attestation key fingerprint to compare against the CSR
 		az.Fingerprint = data.Fingerprint
 	case "step":
 		data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att)
 		if err != nil {
@ -433,53 +415,13 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 			return WrapErrorISE(err, "error validating attestation")
 		}
-		// Validate the YubiKey serial number from the attestation
+		// Validate Apple's ClientIdentifier (Identifier.Value) with device
-		// certificate with the challenged Order value.
+		// identifiers.
 		//
 		// Note: We might want to use an external service for this.
 		if data.SerialNumber != ch.Value {
-			subproblem := NewSubproblemWithIdentifier(
+			return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match"))
 				ErrorMalformedType,
 				Identifier{Type: "permanent-identifier", Value: ch.Value},
 				"challenge identifier %q doesn't match the attested hardware identifier %q", ch.Value, data.SerialNumber,
 			)
 			return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match").AddSubproblems(subproblem))
 		}
 		// Update attestation key fingerprint to compare against the CSR
 		az.Fingerprint = data.Fingerprint
 	case "tpm":
 		data, err := doTPMAttestationFormat(ctx, prov, ch, jwk, &att)
 		if err != nil {
 			// TODO(hs): we should provide more details in the error reported to the client;
 			// "Attestation statement cannot be verified" is VERY generic. Also holds true for the other formats.
 			var acmeError *Error
 			if errors.As(err, &acmeError) {
 				if acmeError.Status == 500 {
 					return acmeError
 				}
 				return storeError(ctx, db, ch, true, acmeError)
 			}
 			return WrapErrorISE(err, "error validating attestation")
 		}
 		// TODO(hs): currently this will allow a request for which no PermanentIdentifiers have been
 		// extracted from the AK certificate. This is currently the case for AK certs from the CLI, as we
 		// haven't implemented a way for AK certs requested by the CLI to always contain the requested
 		// PermanentIdentifier. Omitting the check below doesn't allow just any request, as the Order can
 		// still fail if the challenge value isn't equal to the CSR subject.
 		if len(data.PermanentIdentifiers) > 0 && !slices.Contains(data.PermanentIdentifiers, ch.Value) { // TODO(hs): add support for HardwareModuleName
 			subproblem := NewSubproblemWithIdentifier(
 				ErrorMalformedType,
 				Identifier{Type: "permanent-identifier", Value: ch.Value},
 				"challenge identifier %q doesn't match any of the attested hardware identifiers %q", ch.Value, data.PermanentIdentifiers,
 			)
 			return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, "permanent identifier does not match").AddSubproblems(subproblem))
 		}
 		// Update attestation key fingerprint to compare against the CSR
 		az.Fingerprint = data.Fingerprint
 	default:
 		return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "unexpected attestation object format"))
 	}
@ -489,362 +431,12 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
 	// Store the fingerprint in the authorization.
 	//
 	// TODO: add method to update authorization and challenge atomically.
 	if az.Fingerprint != "" {
 		if err := db.UpdateAuthorization(ctx, az); err != nil {
 			return WrapErrorISE(err, "error updating authorization")
 		}
 	}
 	if err := db.UpdateChallenge(ctx, ch); err != nil {
 		return WrapErrorISE(err, "error updating challenge")
 	}
 	return nil
 }
 func nns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey) error {
 	domain := strings.TrimPrefix(ch.Value, "*.")
 	nnsCtx, ok := GetNNSContext(ctx)
 	if !ok {
 		return errors.New("error retrieving NNS context")
 	}
 	nns := NNS{}
 	err := nns.Dial(nnsCtx.nnsServer)
 	if err != nil {
 		return err
 	}
 	defer nns.Close()
 	txtRecords, err := nns.GetTXTRecords("acme-challenge." + domain)
 	if err != nil {
 		return storeError(ctx, db, ch, false, WrapError(ErrorNNSType, err,
 			"error looking up TXT records for domain %s", domain))
 	}
 	expectedKeyAuth, err := KeyAuthorization(ch.Token, jwk)
 	if err != nil {
 		return err
 	}
 	h := sha256.Sum256([]byte(expectedKeyAuth))
 	expected := base64.RawURLEncoding.EncodeToString(h[:])
 	var found bool
 	for _, r := range txtRecords {
 		if r == expected {
 			found = true
 			break
 		}
 	}
 	if !found {
 		return storeError(ctx, db, ch, false, NewError(ErrorRejectedIdentifierType,
 			"keyAuthorization does not match; expected %s, but got %s", expectedKeyAuth, txtRecords))
 	}
 	// Update and store the challenge.
 	ch.Status = StatusValid
 	ch.Error = nil
 	ch.ValidatedAt = clock.Now().Format(time.RFC3339)
 	if err = db.UpdateChallenge(ctx, ch); err != nil {
 		return WrapErrorISE(err, "error updating challenge")
 	}
 	return nil
 }
 var (
 	oidSubjectAlternativeName = asn1.ObjectIdentifier{2, 5, 29, 17}
 )
 type tpmAttestationData struct {
 	Certificate          *x509.Certificate
 	VerifiedChains       [][]*x509.Certificate
 	PermanentIdentifiers []string
 	Fingerprint          string
 }
 // coseAlgorithmIdentifier models a COSEAlgorithmIdentifier.
 // Also see https://www.w3.org/TR/webauthn-2/#sctn-alg-identifier.
 type coseAlgorithmIdentifier int32
 const (
 	coseAlgES256 coseAlgorithmIdentifier = -7
 	coseAlgRS256 coseAlgorithmIdentifier = -257
 )
 func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) {
 	ver, ok := att.AttStatement["ver"].(string)
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "ver not present")
 	}
 	if ver != "2.0" {
 		return nil, NewError(ErrorBadAttestationStatementType, "version %q is not supported", ver)
 	}
 	x5c, ok := att.AttStatement["x5c"].([]interface{})
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "x5c not present")
 	}
 	if len(x5c) == 0 {
 		return nil, NewError(ErrorBadAttestationStatementType, "x5c is empty")
 	}
 	akCertBytes, ok := x5c[0].([]byte)
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
 	}
 	akCert, err := x509.ParseCertificate(akCertBytes)
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
 	}
 	intermediates := x509.NewCertPool()
 	for _, v := range x5c[1:] {
 		intCertBytes, vok := v.([]byte)
 		if !vok {
 			return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
 		}
 		intCert, err := x509.ParseCertificate(intCertBytes)
 		if err != nil {
 			return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
 		}
 		intermediates.AddCert(intCert)
 	}
 	// TODO(hs): this can be removed when permanent-identifier/hardware-module-name are handled correctly in
 	// the stdlib in https://cs.opensource.google/go/go/+/refs/tags/go1.19:src/crypto/x509/parser.go;drc=b5b2cf519fe332891c165077f3723ee74932a647;l=362,
 	// but I doubt that will happen.
 	if len(akCert.UnhandledCriticalExtensions) > 0 {
 		unhandledCriticalExtensions := akCert.UnhandledCriticalExtensions[:0]
 		for _, extOID := range akCert.UnhandledCriticalExtensions {
 			if !extOID.Equal(oidSubjectAlternativeName) {
 				// critical extensions other than the Subject Alternative Name remain unhandled
 				unhandledCriticalExtensions = append(unhandledCriticalExtensions, extOID)
 			}
 		}
 		akCert.UnhandledCriticalExtensions = unhandledCriticalExtensions
 	}
 	roots, ok := prov.GetAttestationRoots()
 	if !ok {
 		return nil, NewErrorISE("no root CA bundle available to verify the attestation certificate")
 	}
 	// verify that the AK certificate was signed by a trusted root,
 	// chained to by the intermediates provided by the client. As part
 	// of building the verified certificate chain, the signature over the
 	// AK certificate is checked to be a valid signature of one of the
 	// provided intermediates. Signatures over the intermediates are in
 	// turn also verified to be valid signatures from one of the trusted
 	// roots.
 	verifiedChains, err := akCert.Verify(x509.VerifyOptions{
 		Roots:         roots,
 		Intermediates: intermediates,
 		CurrentTime:   time.Now().Truncate(time.Second),
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
 	})
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid")
 	}
 	// validate additional AK certificate requirements
 	if err := validateAKCertificate(akCert); err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "AK certificate is not valid")
 	}
 	// TODO(hs): implement revocation check; Verify() doesn't perform CRL check nor OCSP lookup.
 	sans, err := x509util.ParseSubjectAlternativeNames(akCert)
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "failed parsing AK certificate Subject Alternative Names")
 	}
 	permanentIdentifiers := make([]string, len(sans.PermanentIdentifiers))
 	for i, pi := range sans.PermanentIdentifiers {
 		permanentIdentifiers[i] = pi.Identifier
 	}
 	// extract and validate pubArea, sig, certInfo and alg properties from the request body
 	pubArea, ok := att.AttStatement["pubArea"].([]byte)
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "invalid pubArea in attestation statement")
 	}
 	if len(pubArea) == 0 {
 		return nil, NewError(ErrorBadAttestationStatementType, "pubArea is empty")
 	}
 	sig, ok := att.AttStatement["sig"].([]byte)
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "invalid sig in attestation statement")
 	}
 	if len(sig) == 0 {
 		return nil, NewError(ErrorBadAttestationStatementType, "sig is empty")
 	}
 	certInfo, ok := att.AttStatement["certInfo"].([]byte)
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "invalid certInfo in attestation statement")
 	}
 	if len(certInfo) == 0 {
 		return nil, NewError(ErrorBadAttestationStatementType, "certInfo is empty")
 	}
 	alg, ok := att.AttStatement["alg"].(int64)
 	if !ok {
 		return nil, NewError(ErrorBadAttestationStatementType, "invalid alg in attestation statement")
 	}
 	// only RS256 and ES256 are allowed
 	coseAlg := coseAlgorithmIdentifier(alg)
 	if coseAlg != coseAlgRS256 && coseAlg != coseAlgES256 {
 		return nil, NewError(ErrorBadAttestationStatementType, "invalid alg %d in attestation statement", alg)
 	}
 	// set the hash algorithm to use to SHA256
 	hash := crypto.SHA256
 	// recreate the generated key certification parameter values and verify
 	// the attested key using the public key of the AK.
 	certificationParameters := &attest.CertificationParameters{
 		Public:            pubArea,  // the public key that was attested
 		CreateAttestation: certInfo, // the attested properties of the key
 		CreateSignature:   sig,      // signature over the attested properties
 	}
 	verifyOpts := attest.VerifyOpts{
 		Public: akCert.PublicKey, // public key of the AK that attested the key
 		Hash:   hash,
 	}
 	if err = certificationParameters.Verify(verifyOpts); err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "invalid certification parameters")
 	}
 	// decode the "certInfo" data. This won't fail, as it's also done as part of Verify().
 	tpmCertInfo, err := tpm2.DecodeAttestationData(certInfo)
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "failed decoding attestation data")
 	}
 	keyAuth, err := KeyAuthorization(ch.Token, jwk)
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "failed creating key auth digest")
 	}
 	hashedKeyAuth := sha256.Sum256([]byte(keyAuth))
 	// verify the WebAuthn object contains the expect key authorization digest, which is carried
 	// within the encoded `certInfo` property of the attestation statement.
 	if subtle.ConstantTimeCompare(hashedKeyAuth[:], []byte(tpmCertInfo.ExtraData)) == 0 {
 		return nil, NewError(ErrorBadAttestationStatementType, "key authorization does not match")
 	}
 	// decode the (attested) public key and determine its fingerprint.  This won't fail, as it's also done as part of Verify().
 	pub, err := tpm2.DecodePublic(pubArea)
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "failed decoding pubArea")
 	}
 	publicKey, err := pub.Key()
 	if err != nil {
 		return nil, WrapError(ErrorBadAttestationStatementType, err, "failed getting public key")
 	}
 	data := &tpmAttestationData{
 		Certificate:          akCert,
 		VerifiedChains:       verifiedChains,
 		PermanentIdentifiers: permanentIdentifiers,
 	}
 	if data.Fingerprint, err = keyutil.Fingerprint(publicKey); err != nil {
 		return nil, WrapErrorISE(err, "error calculating key fingerprint")
 	}
 	// TODO(hs): pass more attestation data, so that that can be used/recorded too?
 	return data, nil
 }
 var (
 	oidExtensionExtendedKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}
 	oidTCGKpAIKCertificate       = asn1.ObjectIdentifier{2, 23, 133, 8, 3}
 )
 // validateAKCertifiate validates the X.509 AK certificate to be
 // in accordance with the required properties. The requirements come from:
 // https://www.w3.org/TR/webauthn-2/#sctn-tpm-cert-requirements.
 //
 //   - Version MUST be set to 3.
 //   - Subject field MUST be set to empty.
 //   - The Subject Alternative Name extension MUST be set as defined
 //     in [TPMv2-EK-Profile] section 3.2.9.
 //   - The Extended Key Usage extension MUST contain the OID 2.23.133.8.3
 //     ("joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)").
 //   - The Basic Constraints extension MUST have the CA component set to false.
 //   - An Authority Information Access (AIA) extension with entry id-ad-ocsp
 //     and a CRL Distribution Point extension [RFC5280] are both OPTIONAL as
 //     the status of many attestation certificates is available through metadata
 //     services. See, for example, the FIDO Metadata Service.
 func validateAKCertificate(c *x509.Certificate) error {
 	if c.Version != 3 {
 		return fmt.Errorf("AK certificate has invalid version %d; only version 3 is allowed", c.Version)
 	}
 	if c.Subject.String() != "" {
 		return fmt.Errorf("AK certificate subject must be empty; got %q", c.Subject)
 	}
 	if c.IsCA {
 		return errors.New("AK certificate must not be a CA")
 	}
 	if err := validateAKCertificateExtendedKeyUsage(c); err != nil {
 		return err
 	}
 	return validateAKCertificateSubjectAlternativeNames(c)
 }
 // validateAKCertificateSubjectAlternativeNames checks if the AK certificate
 // has TPM hardware details set.
 func validateAKCertificateSubjectAlternativeNames(c *x509.Certificate) error {
 	sans, err := x509util.ParseSubjectAlternativeNames(c)
 	if err != nil {
 		return fmt.Errorf("failed parsing AK certificate Subject Alternative Names: %w", err)
 	}
 	details := sans.TPMHardwareDetails
 	manufacturer, model, version := details.Manufacturer, details.Model, details.Version
 	switch {
 	case manufacturer == "":
 		return errors.New("missing TPM manufacturer")
 	case model == "":
 		return errors.New("missing TPM model")
 	case version == "":
 		return errors.New("missing TPM version")
 	}
 	return nil
 }
 // validateAKCertificateExtendedKeyUsage checks if the AK certificate
 // has the "tcg-kp-AIKCertificate" Extended Key Usage set.
 func validateAKCertificateExtendedKeyUsage(c *x509.Certificate) error {
 	var (
 		valid = false
 		ekus  []asn1.ObjectIdentifier
 	)
 	for _, ext := range c.Extensions {
 		if ext.Id.Equal(oidExtensionExtendedKeyUsage) {
 			if _, err := asn1.Unmarshal(ext.Value, &ekus); err != nil || !ekus[0].Equal(oidTCGKpAIKCertificate) {
 				return errors.New("AK certificate is missing Extended Key Usage value tcg-kp-AIKCertificate (2.23.133.8.3)")
 			}
 			valid = true
 		}
 	}
 	if !valid {
 		return errors.New("AK certificate is missing Extended Key Usage extension")
 	}
 	return nil
 }
 // Apple Enterprise Attestation Root CA from
 // https://www.apple.com/certificateauthority/private/
 const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE-----
@ -875,10 +467,9 @@ type appleAttestationData struct {
 	UDID         string
 	SEPVersion   string
 	Certificate  *x509.Certificate
 	Fingerprint  string
 }
-func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge, att *attestationObject) (*appleAttestationData, error) {
+func doAppleAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, att *AttestationObject) (*appleAttestationData, error) {
 	// Use configured or default attestation roots if none is configured.
 	roots, ok := prov.GetAttestationRoots()
 	if !ok {
@ -932,9 +523,6 @@ func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge,
 	data := &appleAttestationData{
 		Certificate: leaf,
 	}
 	if data.Fingerprint, err = keyutil.Fingerprint(leaf.PublicKey); err != nil {
 		return nil, WrapErrorISE(err, "error calculating key fingerprint")
 	}
 	for _, ext := range leaf.Extensions {
 		switch {
 		case ext.Id.Equal(oidAppleSerialNumber):
@ -980,10 +568,9 @@ var oidYubicoSerialNumber = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7}
 type stepAttestationData struct {
 	Certificate  *x509.Certificate
 	SerialNumber string
 	Fingerprint  string
 }
-func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*stepAttestationData, error) {
+func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *AttestationObject) (*stepAttestationData, error) {
 	// Use configured or default attestation roots if none is configured.
 	roots, ok := prov.GetAttestationRoots()
 	if !ok {
@ -1076,9 +663,6 @@ func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 	data := &stepAttestationData{
 		Certificate: leaf,
 	}
 	if data.Fingerprint, err = keyutil.Fingerprint(leaf.PublicKey); err != nil {
 		return nil, WrapErrorISE(err, "error calculating key fingerprint")
 	}
 	for _, ext := range leaf.Extensions {
 		if !ext.Id.Equal(oidYubicoSerialNumber) {
 			continue
@ -1142,10 +726,10 @@ func uitoa(val uint) string {
 	var buf [20]byte // big enough for 64bit value base 10
 	i := len(buf) - 1
 	for val >= 10 {
-		v := val / 10
+		q := val / 10
-		buf[i] = byte('0' + val - v*10)
+		buf[i] = byte('0' + val - q*10)
 		i--
-		val = v
+		val = q
 	}
 	// val < 10
 	buf[i] = byte('0' + val)
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
--- a/acme/challenge_tpmsimulator_test.go
+++ b/acme/challenge_tpmsimulator_test.go
@ -1,860 +0,0 @@
 //go:build tpmsimulator
 // +build tpmsimulator
 package acme
 import (
 	"context"
 	"crypto"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/url"
 	"testing"
 	"github.com/fxamacker/cbor/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/smallstep/go-attestation/attest"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/tpm"
 	"go.step.sm/crypto/tpm/simulator"
 	tpmstorage "go.step.sm/crypto/tpm/storage"
 	"go.step.sm/crypto/x509util"
 )
 func newSimulatedTPM(t *testing.T) *tpm.TPM {
 	t.Helper()
 	tmpDir := t.TempDir()
 	tpm, err := tpm.New(withSimulator(t), tpm.WithStore(tpmstorage.NewDirstore(tmpDir))) // TODO: provide in-memory storage implementation instead
 	require.NoError(t, err)
 	return tpm
 }
 func withSimulator(t *testing.T) tpm.NewTPMOption {
 	t.Helper()
 	var sim simulator.Simulator
 	t.Cleanup(func() {
 		if sim == nil {
 			return
 		}
 		err := sim.Close()
 		require.NoError(t, err)
 	})
 	sim, err := simulator.New()
 	require.NoError(t, err)
 	err = sim.Open()
 	require.NoError(t, err)
 	return tpm.WithSimulator(sim)
 }
 func generateKeyID(t *testing.T, pub crypto.PublicKey) []byte {
 	t.Helper()
 	b, err := x509.MarshalPKIXPublicKey(pub)
 	require.NoError(t, err)
 	hash := sha256.Sum256(b)
 	return hash[:]
 }
 func mustAttestTPM(t *testing.T, keyAuthorization string, permanentIdentifiers []string) ([]byte, crypto.Signer, *x509.Certificate) {
 	t.Helper()
 	aca, err := minica.New(
 		minica.WithName("TPM Testing"),
 		minica.WithGetSignerFunc(
 			func() (crypto.Signer, error) {
 				return keyutil.GenerateSigner("RSA", "", 2048)
 			},
 		),
 	)
 	require.NoError(t, err)
 	// prepare simulated TPM and create an AK
 	stpm := newSimulatedTPM(t)
 	eks, err := stpm.GetEKs(context.Background())
 	require.NoError(t, err)
 	ak, err := stpm.CreateAK(context.Background(), "first-ak")
 	require.NoError(t, err)
 	require.NotNil(t, ak)
 	// extract the AK public key // TODO(hs): replace this when there's a simpler method to get the AK public key (e.g. ak.Public())
 	ap, err := ak.AttestationParameters(context.Background())
 	require.NoError(t, err)
 	akp, err := attest.ParseAKPublic(attest.TPMVersion20, ap.Public)
 	require.NoError(t, err)
 	// create template and sign certificate for the AK public key
 	keyID := generateKeyID(t, eks[0].Public())
 	template := &x509.Certificate{
 		PublicKey:          akp.Public,
 		IsCA:               false,
 		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKpAIKCertificate},
 	}
 	sans := []x509util.SubjectAlternativeName{}
 	uris := []*url.URL{{Scheme: "urn", Opaque: "ek:sha256:" + base64.StdEncoding.EncodeToString(keyID)}}
 	for _, pi := range permanentIdentifiers {
 		sans = append(sans, x509util.SubjectAlternativeName{
 			Type:  x509util.PermanentIdentifierType,
 			Value: pi,
 		})
 	}
 	asn1Value := []byte(fmt.Sprintf(`{"extraNames":[{"type": %q, "value": %q},{"type": %q, "value": %q},{"type": %q, "value": %q}]}`, oidTPMManufacturer, "1414747215", oidTPMModel, "SLB 9670 TPM2.0", oidTPMVersion, "7.55"))
 	sans = append(sans, x509util.SubjectAlternativeName{
 		Type:      x509util.DirectoryNameType,
 		ASN1Value: asn1Value,
 	})
 	ext, err := createSubjectAltNameExtension(nil, nil, nil, uris, sans, true)
 	require.NoError(t, err)
 	ext.Set(template)
 	akCert, err := aca.Sign(template)
 	require.NoError(t, err)
 	require.NotNil(t, akCert)
 	// create a new key attested by the AK, while including
 	// the key authorization bytes as qualifying data.
 	keyAuthSum := sha256.Sum256([]byte(keyAuthorization))
 	config := tpm.AttestKeyConfig{
 		Algorithm:      "RSA",
 		Size:           2048,
 		QualifyingData: keyAuthSum[:],
 	}
 	key, err := stpm.AttestKey(context.Background(), "first-ak", "first-key", config)
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	require.Equal(t, "first-key", key.Name())
 	require.NotEqual(t, 0, len(key.Data()))
 	require.Equal(t, "first-ak", key.AttestedBy())
 	require.True(t, key.WasAttested())
 	require.True(t, key.WasAttestedBy(ak))
 	signer, err := key.Signer(context.Background())
 	require.NoError(t, err)
 	// prepare the attestation object with the AK certificate chain,
 	// the attested key, its metadata and the signature signed by the
 	// AK.
 	params, err := key.CertificationParameters(context.Background())
 	require.NoError(t, err)
 	attObj, err := cbor.Marshal(struct {
 		Format       string                 `json:"fmt"`
 		AttStatement map[string]interface{} `json:"attStmt,omitempty"`
 	}{
 		Format: "tpm",
 		AttStatement: map[string]interface{}{
 			"ver":      "2.0",
 			"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 			"alg":      int64(-257), // RS256
 			"sig":      params.CreateSignature,
 			"certInfo": params.CreateAttestation,
 			"pubArea":  params.Public,
 		},
 	})
 	require.NoError(t, err)
 	// marshal the ACME payload
 	payload, err := json.Marshal(struct {
 		AttObj string `json:"attObj"`
 	}{
 		AttObj: base64.RawURLEncoding.EncodeToString(attObj),
 	})
 	require.NoError(t, err)
 	return payload, signer, aca.Root
 }
 func Test_deviceAttest01ValidateWithTPMSimulator(t *testing.T) {
 	type args struct {
 		ctx     context.Context
 		ch      *Challenge
 		db      DB
 		jwk     *jose.JSONWebKey
 		payload []byte
 	}
 	type test struct {
 		args    args
 		wantErr *Error
 	}
 	tests := map[string]func(t *testing.T) test{
 		"ok/doTPMAttestationFormat-storeError": func(t *testing.T) test {
 			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
 			payload, _, root := mustAttestTPM(t, keyAuth, nil) // TODO: value(s) for AK cert?
 			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
 			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
 			// parse payload, set invalid "ver", remarshal
 			var p payloadType
 			err := json.Unmarshal(payload, &p)
 			require.NoError(t, err)
 			attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj)
 			require.NoError(t, err)
 			att := attestationObject{}
 			err = cbor.Unmarshal(attObj, &att)
 			require.NoError(t, err)
 			att.AttStatement["ver"] = "bogus"
 			attObj, err = cbor.Marshal(struct {
 				Format       string                 `json:"fmt"`
 				AttStatement map[string]interface{} `json:"attStmt,omitempty"`
 			}{
 				Format:       "tpm",
 				AttStatement: att.AttStatement,
 			})
 			require.NoError(t, err)
 			payload, err = json.Marshal(struct {
 				AttObj string `json:"attObj"`
 			}{
 				AttObj: base64.RawURLEncoding.EncodeToString(attObj),
 			})
 			require.NoError(t, err)
 			return test{
 				args: args{
 					ctx: ctx,
 					jwk: jwk,
 					ch: &Challenge{
 						ID:              "chID",
 						AuthorizationID: "azID",
 						Token:           "token",
 						Type:            "device-attest-01",
 						Status:          StatusPending,
 						Value:           "device.id.12345678",
 					},
 					payload: payload,
 					db: &MockDB{
 						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 							assert.Equal(t, "azID", id)
 							return &Authorization{ID: "azID"}, nil
 						},
 						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
 							assert.Equal(t, "chID", updch.ID)
 							assert.Equal(t, "token", updch.Token)
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "device.id.12345678", updch.Value)
 							err := NewError(ErrorBadAttestationStatementType, `version "bogus" is not supported`)
 							assert.EqualError(t, updch.Error.Err, err.Err.Error())
 							assert.Equal(t, err.Type, updch.Error.Type)
 							assert.Equal(t, err.Detail, updch.Error.Detail)
 							assert.Equal(t, err.Status, updch.Error.Status)
 							assert.Equal(t, err.Subproblems, updch.Error.Subproblems)
 							return nil
 						},
 					},
 				},
 				wantErr: nil,
 			}
 		},
 		"ok with invalid PermanentIdentifier SAN": func(t *testing.T) test {
 			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
 			payload, _, root := mustAttestTPM(t, keyAuth, []string{"device.id.12345678"}) // TODO: value(s) for AK cert?
 			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
 			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
 			return test{
 				args: args{
 					ctx: ctx,
 					jwk: jwk,
 					ch: &Challenge{
 						ID:              "chID",
 						AuthorizationID: "azID",
 						Token:           "token",
 						Type:            "device-attest-01",
 						Status:          StatusPending,
 						Value:           "device.id.99999999",
 					},
 					payload: payload,
 					db: &MockDB{
 						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 							assert.Equal(t, "azID", id)
 							return &Authorization{ID: "azID"}, nil
 						},
 						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
 							assert.Equal(t, "chID", updch.ID)
 							assert.Equal(t, "token", updch.Token)
 							assert.Equal(t, StatusInvalid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "device.id.99999999", updch.Value)
 							err := NewError(ErrorRejectedIdentifierType, `permanent identifier does not match`).
 								AddSubproblems(NewSubproblemWithIdentifier(
 									ErrorMalformedType,
 									Identifier{Type: "permanent-identifier", Value: "device.id.99999999"},
 									`challenge identifier "device.id.99999999" doesn't match any of the attested hardware identifiers ["device.id.12345678"]`,
 								))
 							assert.EqualError(t, updch.Error.Err, err.Err.Error())
 							assert.Equal(t, err.Type, updch.Error.Type)
 							assert.Equal(t, err.Detail, updch.Error.Detail)
 							assert.Equal(t, err.Status, updch.Error.Status)
 							assert.Equal(t, err.Subproblems, updch.Error.Subproblems)
 							return nil
 						},
 					},
 				},
 				wantErr: nil,
 			}
 		},
 		"ok": func(t *testing.T) test {
 			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
 			payload, signer, root := mustAttestTPM(t, keyAuth, nil) // TODO: value(s) for AK cert?
 			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
 			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
 			return test{
 				args: args{
 					ctx: ctx,
 					jwk: jwk,
 					ch: &Challenge{
 						ID:              "chID",
 						AuthorizationID: "azID",
 						Token:           "token",
 						Type:            "device-attest-01",
 						Status:          StatusPending,
 						Value:           "device.id.12345678",
 					},
 					payload: payload,
 					db: &MockDB{
 						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 							assert.Equal(t, "azID", id)
 							return &Authorization{ID: "azID"}, nil
 						},
 						MockUpdateAuthorization: func(ctx context.Context, az *Authorization) error {
 							fingerprint, err := keyutil.Fingerprint(signer.Public())
 							assert.NoError(t, err)
 							assert.Equal(t, "azID", az.ID)
 							assert.Equal(t, fingerprint, az.Fingerprint)
 							return nil
 						},
 						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
 							assert.Equal(t, "chID", updch.ID)
 							assert.Equal(t, "token", updch.Token)
 							assert.Equal(t, StatusValid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "device.id.12345678", updch.Value)
 							return nil
 						},
 					},
 				},
 				wantErr: nil,
 			}
 		},
 		"ok with PermanentIdentifier SAN": func(t *testing.T) test {
 			jwk, keyAuth := mustAccountAndKeyAuthorization(t, "token")
 			payload, signer, root := mustAttestTPM(t, keyAuth, []string{"device.id.12345678"}) // TODO: value(s) for AK cert?
 			caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw})
 			ctx := NewProvisionerContext(context.Background(), mustAttestationProvisioner(t, caRoot))
 			return test{
 				args: args{
 					ctx: ctx,
 					jwk: jwk,
 					ch: &Challenge{
 						ID:              "chID",
 						AuthorizationID: "azID",
 						Token:           "token",
 						Type:            "device-attest-01",
 						Status:          StatusPending,
 						Value:           "device.id.12345678",
 					},
 					payload: payload,
 					db: &MockDB{
 						MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 							assert.Equal(t, "azID", id)
 							return &Authorization{ID: "azID"}, nil
 						},
 						MockUpdateAuthorization: func(ctx context.Context, az *Authorization) error {
 							fingerprint, err := keyutil.Fingerprint(signer.Public())
 							assert.NoError(t, err)
 							assert.Equal(t, "azID", az.ID)
 							assert.Equal(t, fingerprint, az.Fingerprint)
 							return nil
 						},
 						MockUpdateChallenge: func(ctx context.Context, updch *Challenge) error {
 							assert.Equal(t, "chID", updch.ID)
 							assert.Equal(t, "token", updch.Token)
 							assert.Equal(t, StatusValid, updch.Status)
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "device.id.12345678", updch.Value)
 							return nil
 						},
 					},
 				},
 				wantErr: nil,
 			}
 		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run(t)
 			if err := deviceAttest01Validate(tc.args.ctx, tc.args.ch, tc.args.db, tc.args.jwk, tc.args.payload); err != nil {
 				assert.Error(t, tc.wantErr)
 				assert.EqualError(t, err, tc.wantErr.Error())
 				return
 			}
 			assert.Nil(t, tc.wantErr)
 		})
 	}
 }
 func newBadAttestationStatementError(msg string) *Error {
 	return &Error{
 		Type:   "urn:ietf:params:acme:error:badAttestationStatement",
 		Status: 400,
 		Err:    errors.New(msg),
 	}
 }
 func newInternalServerError(msg string) *Error {
 	return &Error{
 		Type:   "urn:ietf:params:acme:error:serverInternal",
 		Status: 500,
 		Err:    errors.New(msg),
 	}
 }
 var (
 	oidPermanentIdentifier          = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3}
 	oidHardwareModuleNameIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 4}
 )
 func Test_doTPMAttestationFormat(t *testing.T) {
 	ctx := context.Background()
 	aca, err := minica.New(
 		minica.WithName("TPM Testing"),
 		minica.WithGetSignerFunc(
 			func() (crypto.Signer, error) {
 				return keyutil.GenerateSigner("RSA", "", 2048)
 			},
 		),
 	)
 	require.NoError(t, err)
 	acaRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: aca.Root.Raw})
 	// prepare simulated TPM and create an AK
 	stpm := newSimulatedTPM(t)
 	eks, err := stpm.GetEKs(context.Background())
 	require.NoError(t, err)
 	ak, err := stpm.CreateAK(context.Background(), "first-ak")
 	require.NoError(t, err)
 	require.NotNil(t, ak)
 	// extract the AK public key // TODO(hs): replace this when there's a simpler method to get the AK public key (e.g. ak.Public())
 	ap, err := ak.AttestationParameters(context.Background())
 	require.NoError(t, err)
 	akp, err := attest.ParseAKPublic(attest.TPMVersion20, ap.Public)
 	require.NoError(t, err)
 	// create template and sign certificate for the AK public key
 	keyID := generateKeyID(t, eks[0].Public())
 	template := &x509.Certificate{
 		PublicKey:          akp.Public,
 		IsCA:               false,
 		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKpAIKCertificate},
 	}
 	sans := []x509util.SubjectAlternativeName{}
 	uris := []*url.URL{{Scheme: "urn", Opaque: "ek:sha256:" + base64.StdEncoding.EncodeToString(keyID)}}
 	asn1Value := []byte(fmt.Sprintf(`{"extraNames":[{"type": %q, "value": %q},{"type": %q, "value": %q},{"type": %q, "value": %q}]}`, oidTPMManufacturer, "1414747215", oidTPMModel, "SLB 9670 TPM2.0", oidTPMVersion, "7.55"))
 	sans = append(sans, x509util.SubjectAlternativeName{
 		Type:      x509util.DirectoryNameType,
 		ASN1Value: asn1Value,
 	})
 	ext, err := createSubjectAltNameExtension(nil, nil, nil, uris, sans, true)
 	require.NoError(t, err)
 	ext.Set(template)
 	akCert, err := aca.Sign(template)
 	require.NoError(t, err)
 	require.NotNil(t, akCert)
 	invalidTemplate := &x509.Certificate{
 		PublicKey:          akp.Public,
 		IsCA:               false,
 		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidTCGKpAIKCertificate},
 	}
 	invalidAKCert, err := aca.Sign(invalidTemplate)
 	require.NoError(t, err)
 	require.NotNil(t, invalidAKCert)
 	// generate a JWK and the key authorization value
 	jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
 	require.NoError(t, err)
 	keyAuthorization, err := KeyAuthorization("token", jwk)
 	require.NoError(t, err)
 	// create a new key attested by the AK, while including
 	// the key authorization bytes as qualifying data.
 	keyAuthSum := sha256.Sum256([]byte(keyAuthorization))
 	config := tpm.AttestKeyConfig{
 		Algorithm:      "RSA",
 		Size:           2048,
 		QualifyingData: keyAuthSum[:],
 	}
 	key, err := stpm.AttestKey(context.Background(), "first-ak", "first-key", config)
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	params, err := key.CertificationParameters(context.Background())
 	require.NoError(t, err)
 	signer, err := key.Signer(context.Background())
 	require.NoError(t, err)
 	fingerprint, err := keyutil.Fingerprint(signer.Public())
 	require.NoError(t, err)
 	// attest another key and get its certification parameters
 	anotherKey, err := stpm.AttestKey(context.Background(), "first-ak", "another-key", config)
 	require.NoError(t, err)
 	require.NotNil(t, key)
 	anotherKeyParams, err := anotherKey.CertificationParameters(context.Background())
 	require.NoError(t, err)
 	type args struct {
 		ctx  context.Context
 		prov Provisioner
 		ch   *Challenge
 		jwk  *jose.JSONWebKey
 		att  *attestationObject
 	}
 	tests := []struct {
 		name   string
 		args   args
 		want   *tpmAttestationData
 		expErr *Error
 	}{
 		{"ok", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, nil},
 		{"fail ver not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("ver not present")},
 		{"fail ver type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      []interface{}{},
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("ver not present")},
 		{"fail bogus ver", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "bogus",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError(`version "bogus" is not supported`)},
 		{"fail x5c not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c not present")},
 		{"fail x5c type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      [][]byte{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c not present")},
 		{"fail x5c empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c is empty")},
 		{"fail leaf type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "step",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{"leaf", aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c is malformed")},
 		{"fail leaf parse", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "step",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw[:100], aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c is malformed: x509: malformed certificate")},
 		{"fail intermediate type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "step",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, "intermediate"},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c is malformed")},
 		{"fail intermediate parse", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "step",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw[:100]},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c is malformed: x509: malformed certificate")},
 		{"fail roots", args{ctx, mustAttestationProvisioner(t, nil), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newInternalServerError("no root CA bundle available to verify the attestation certificate")},
 		{"fail verify", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "step",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("x5c is not valid: x509: certificate signed by unknown authority")},
 		{"fail validateAKCertificate", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{invalidAKCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("AK certificate is not valid: missing TPM manufacturer")},
 		{"fail pubArea not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 			},
 		}}, nil, newBadAttestationStatementError("invalid pubArea in attestation statement")},
 		{"fail pubArea type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  []interface{}{},
 			},
 		}}, nil, newBadAttestationStatementError("invalid pubArea in attestation statement")},
 		{"fail pubArea empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  []byte{},
 			},
 		}}, nil, newBadAttestationStatementError("pubArea is empty")},
 		{"fail sig not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid sig in attestation statement")},
 		{"fail sig type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      []interface{}{},
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid sig in attestation statement")},
 		{"fail sig empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      []byte{},
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("sig is empty")},
 		{"fail certInfo not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":     "2.0",
 				"x5c":     []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":     int64(-257), // RS256
 				"sig":     params.CreateSignature,
 				"pubArea": params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid certInfo in attestation statement")},
 		{"fail certInfo type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": []interface{}{},
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid certInfo in attestation statement")},
 		{"fail certInfo empty", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": []byte{},
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("certInfo is empty")},
 		{"fail alg not present", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid alg in attestation statement")},
 		{"fail alg type", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(0), // invalid alg
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid alg 0 in attestation statement")},
 		{"fail attestation verification", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  anotherKeyParams.Public,
 			},
 		}}, nil, newBadAttestationStatementError("invalid certification parameters: certification refers to a different key")},
 		{"fail keyAuthorization", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "token"}, &jose.JSONWebKey{Key: []byte("not an asymmetric key")}, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), // RS256
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newInternalServerError("failed creating key auth digest: error generating JWK thumbprint: square/go-jose: unknown key type '[]uint8'")},
 		{"fail different keyAuthorization", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "aDifferentToken"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{
 				"ver":      "2.0",
 				"x5c":      []interface{}{akCert.Raw, aca.Intermediate.Raw},
 				"alg":      int64(-257), //
 				"sig":      params.CreateSignature,
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
 		}}, nil, newBadAttestationStatementError("key authorization does not match")},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := doTPMAttestationFormat(tt.args.ctx, tt.args.prov, tt.args.ch, tt.args.jwk, tt.args.att)
 			if tt.expErr != nil {
 				var ae *Error
 				if assert.True(t, errors.As(err, &ae)) {
 					assert.EqualError(t, err, tt.expErr.Error())
 					assert.Equal(t, ae.StatusCode(), tt.expErr.StatusCode())
 					assert.Equal(t, ae.Type, tt.expErr.Type)
 				}
 				assert.Nil(t, got)
 				return
 			}
 			assert.NoError(t, err)
 			if assert.NotNil(t, got) {
 				assert.Equal(t, akCert, got.Certificate)
 				assert.Equal(t, [][]*x509.Certificate{
 					{
 						akCert, aca.Intermediate, aca.Root,
 					},
 				}, got.VerifiedChains)
 				assert.Equal(t, fingerprint, got.Fingerprint)
 				assert.Empty(t, got.PermanentIdentifiers) // currently expected to be always empty
 			}
 		})
 	}
 }
--- a/acme/common.go
+++ b/acme/common.go
@ -29,12 +29,10 @@ type CertificateAuthority interface {
 }
 // NewContext adds the given acme components to the context.
-func NewContext(ctx context.Context, db DB, client Client, linker Linker, fn PrerequisitesChecker,
+func NewContext(ctx context.Context, db DB, client Client, linker Linker, fn PrerequisitesChecker) context.Context {
 	nnsServer string) context.Context {
 	ctx = NewDatabaseContext(ctx, db)
 	ctx = NewClientContext(ctx, client)
 	ctx = NewLinkerContext(ctx, linker)
 	ctx = NewNNSContext(ctx, nnsServer)
 	// Prerequisite checker is optional.
 	if fn != nil {
 		ctx = NewPrerequisitesCheckerContext(ctx, fn)
@ -48,7 +46,7 @@ type PrerequisitesChecker func(ctx context.Context) (bool, error)
 // DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns
 // always true.
-func DefaultPrerequisitesChecker(context.Context) (bool, error) {
+func DefaultPrerequisitesChecker(ctx context.Context) (bool, error) {
 	return true, nil
 }
--- a/acme/db.go
+++ b/acme/db.go
@ -12,12 +12,6 @@ import (
 // account.
 var ErrNotFound = errors.New("not found")
 // IsErrNotFound returns true if the error is a "not found" error. Returns false
 // otherwise.
 func IsErrNotFound(err error) bool {
 	return errors.Is(err, ErrNotFound)
 }
 // DB is the DB interface expected by the step-ca ACME API.
 type DB interface {
 	CreateAccount(ctx context.Context, acc *Account) error
--- a/acme/db/nosql/account.go
+++ b/acme/db/nosql/account.go
@ -17,8 +17,6 @@ type dbAccount struct {
 	Key           *jose.JSONWebKey `json:"key"`
 	Contact       []string         `json:"contact,omitempty"`
 	Status        acme.Status      `json:"status"`
 	LocationPrefix  string           `json:"locationPrefix"`
 	ProvisionerName string           `json:"provisionerName"`
 	CreatedAt     time.Time        `json:"createdAt"`
 	DeactivatedAt time.Time        `json:"deactivatedAt"`
 }
@ -28,7 +26,7 @@ func (dba *dbAccount) clone() *dbAccount {
 	return &nu
 }
-func (db *DB) getAccountIDByKeyID(_ context.Context, kid string) (string, error) {
+func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, error) {
 	id, err := db.db.Get(accountByKeyIDTable, []byte(kid))
 	if err != nil {
 		if nosqlDB.IsErrNotFound(err) {
@ -40,7 +38,7 @@ func (db *DB) getAccountIDByKeyID(_ context.Context, kid string) (string, error)
 }
 // getDBAccount retrieves and unmarshals dbAccount.
-func (db *DB) getDBAccount(_ context.Context, id string) (*dbAccount, error) {
+func (db *DB) getDBAccount(ctx context.Context, id string) (*dbAccount, error) {
 	data, err := db.db.Get(accountTable, []byte(id))
 	if err != nil {
 		if nosqlDB.IsErrNotFound(err) {
@ -68,8 +66,6 @@ func (db *DB) GetAccount(ctx context.Context, id string) (*acme.Account, error)
 		Contact: dbacc.Contact,
 		Key:     dbacc.Key,
 		ID:      dbacc.ID,
 		LocationPrefix:  dbacc.LocationPrefix,
 		ProvisionerName: dbacc.ProvisionerName,
 	}, nil
 }
@ -96,8 +92,6 @@ func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
 		Contact:   acc.Contact,
 		Status:    acc.Status,
 		CreatedAt: clock.Now(),
 		LocationPrefix:  acc.LocationPrefix,
 		ProvisionerName: acc.ProvisionerName,
 	}
 	kid, err := acme.KeyToID(dba.Key)
--- a/acme/db/nosql/account_test.go
+++ b/acme/db/nosql/account_test.go
@ -197,8 +197,6 @@ func TestDB_getAccountIDByKeyID(t *testing.T) {
 func TestDB_GetAccount(t *testing.T) {
 	accID := "accID"
 	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
 	provisionerName := "foo"
 	type test struct {
 		db      nosql.DB
 		err     error
@ -230,8 +228,6 @@ func TestDB_GetAccount(t *testing.T) {
 				DeactivatedAt: now,
 				Contact:       []string{"foo", "bar"},
 				Key:           jwk,
 				LocationPrefix:  locationPrefix,
 				ProvisionerName: provisionerName,
 			}
 			b, err := json.Marshal(dbacc)
 			assert.FatalError(t, err)
@ -270,8 +266,6 @@ func TestDB_GetAccount(t *testing.T) {
 				assert.Equals(t, acc.ID, tc.dbacc.ID)
 				assert.Equals(t, acc.Status, tc.dbacc.Status)
 				assert.Equals(t, acc.Contact, tc.dbacc.Contact)
 				assert.Equals(t, acc.LocationPrefix, tc.dbacc.LocationPrefix)
 				assert.Equals(t, acc.ProvisionerName, tc.dbacc.ProvisionerName)
 				assert.Equals(t, acc.Key.KeyID, tc.dbacc.Key.KeyID)
 			}
 		})
@ -385,7 +379,6 @@ func TestDB_GetAccountByKeyID(t *testing.T) {
 }
 func TestDB_CreateAccount(t *testing.T) {
 	locationPrefix := "https://test.ca.smallstep.com/acme/foo/account/"
 	type test struct {
 		db  nosql.DB
 		acc *acme.Account
@ -400,7 +393,6 @@ func TestDB_CreateAccount(t *testing.T) {
 				Status:  acme.StatusValid,
 				Contact: []string{"foo", "bar"},
 				Key:     jwk,
 				LocationPrefix: locationPrefix,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -424,7 +416,6 @@ func TestDB_CreateAccount(t *testing.T) {
 				Status:  acme.StatusValid,
 				Contact: []string{"foo", "bar"},
 				Key:     jwk,
 				LocationPrefix: locationPrefix,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -448,7 +439,6 @@ func TestDB_CreateAccount(t *testing.T) {
 				Status:  acme.StatusValid,
 				Contact: []string{"foo", "bar"},
 				Key:     jwk,
 				LocationPrefix: locationPrefix,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -466,8 +456,6 @@ func TestDB_CreateAccount(t *testing.T) {
 							assert.FatalError(t, json.Unmarshal(nu, dbacc))
 							assert.Equals(t, dbacc.ID, string(key))
 							assert.Equals(t, dbacc.Contact, acc.Contact)
 							assert.Equals(t, dbacc.LocationPrefix, acc.LocationPrefix)
 							assert.Equals(t, dbacc.ProvisionerName, acc.ProvisionerName)
 							assert.Equals(t, dbacc.Key.KeyID, acc.Key.KeyID)
 							assert.True(t, clock.Now().Add(-time.Minute).Before(dbacc.CreatedAt))
 							assert.True(t, clock.Now().Add(time.Minute).After(dbacc.CreatedAt))
@ -494,7 +482,6 @@ func TestDB_CreateAccount(t *testing.T) {
 				Status:  acme.StatusValid,
 				Contact: []string{"foo", "bar"},
 				Key:     jwk,
 				LocationPrefix: locationPrefix,
 			}
 			return test{
 				db: &db.MockNoSQLDB{
@ -513,8 +500,6 @@ func TestDB_CreateAccount(t *testing.T) {
 							assert.FatalError(t, json.Unmarshal(nu, dbacc))
 							assert.Equals(t, dbacc.ID, string(key))
 							assert.Equals(t, dbacc.Contact, acc.Contact)
 							assert.Equals(t, dbacc.LocationPrefix, acc.LocationPrefix)
 							assert.Equals(t, dbacc.ProvisionerName, acc.ProvisionerName)
 							assert.Equals(t, dbacc.Key.KeyID, acc.Key.KeyID)
 							assert.True(t, clock.Now().Add(-time.Minute).Before(dbacc.CreatedAt))
 							assert.True(t, clock.Now().Add(time.Minute).After(dbacc.CreatedAt))
@ -559,8 +544,6 @@ func TestDB_UpdateAccount(t *testing.T) {
 		CreatedAt:     now,
 		DeactivatedAt: now,
 		Contact:       []string{"foo", "bar"},
 		LocationPrefix:  "foo",
 		ProvisionerName: "alpha",
 		Key:           jwk,
 	}
 	b, err := json.Marshal(dbacc)
@ -663,9 +646,7 @@ func TestDB_UpdateAccount(t *testing.T) {
 			acc := &acme.Account{
 				ID:      accID,
 				Status:  acme.StatusDeactivated,
-				Contact:         []string{"baz", "zap"},
+				Contact: []string{"foo", "bar"},
 				LocationPrefix:  "bar",
 				ProvisionerName: "beta",
 				Key:     jwk,
 			}
 			return test{
@ -685,10 +666,7 @@ func TestDB_UpdateAccount(t *testing.T) {
 						assert.FatalError(t, json.Unmarshal(nu, dbNew))
 						assert.Equals(t, dbNew.ID, dbacc.ID)
 						assert.Equals(t, dbNew.Status, acc.Status)
-						assert.Equals(t, dbNew.Contact, acc.Contact)
+						assert.Equals(t, dbNew.Contact, dbacc.Contact)
 						// LocationPrefix should not change.
 						assert.Equals(t, dbNew.LocationPrefix, dbacc.LocationPrefix)
 						assert.Equals(t, dbNew.ProvisionerName, dbacc.ProvisionerName)
 						assert.Equals(t, dbNew.Key.KeyID, dbacc.Key.KeyID)
 						assert.Equals(t, dbNew.CreatedAt, dbacc.CreatedAt)
 						assert.True(t, dbNew.DeactivatedAt.Add(-time.Minute).Before(now))
@ -708,7 +686,12 @@ func TestDB_UpdateAccount(t *testing.T) {
 					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
 			} else {
-				assert.Nil(t, tc.err)
+				if assert.Nil(t, tc.err) {
 					assert.Equals(t, tc.acc.ID, dbacc.ID)
 					assert.Equals(t, tc.acc.Status, dbacc.Status)
 					assert.Equals(t, tc.acc.Contact, dbacc.Contact)
 					assert.Equals(t, tc.acc.Key.KeyID, dbacc.Key.KeyID)
 				}
 			}
 		})
 	}
--- a/acme/db/nosql/authz.go
+++ b/acme/db/nosql/authz.go
@ -17,7 +17,6 @@ type dbAuthz struct {
 	Identifier   acme.Identifier `json:"identifier"`
 	Status       acme.Status     `json:"status"`
 	Token        string          `json:"token"`
 	Fingerprint  string          `json:"fingerprint,omitempty"`
 	ChallengeIDs []string        `json:"challengeIDs"`
 	Wildcard     bool            `json:"wildcard"`
 	CreatedAt    time.Time       `json:"createdAt"`
@ -32,7 +31,7 @@ func (ba *dbAuthz) clone() *dbAuthz {
 // getDBAuthz retrieves and unmarshals a database representation of the
 // ACME Authorization type.
-func (db *DB) getDBAuthz(_ context.Context, id string) (*dbAuthz, error) {
+func (db *DB) getDBAuthz(ctx context.Context, id string) (*dbAuthz, error) {
 	data, err := db.db.Get(authzTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id)
@ -70,7 +69,6 @@ func (db *DB) GetAuthorization(ctx context.Context, id string) (*acme.Authorizat
 		Wildcard:   dbaz.Wildcard,
 		ExpiresAt:  dbaz.ExpiresAt,
 		Token:      dbaz.Token,
 		Fingerprint: dbaz.Fingerprint,
 		Error:      dbaz.Error,
 	}, nil
 }
@ -99,7 +97,6 @@ func (db *DB) CreateAuthorization(ctx context.Context, az *acme.Authorization) e
 		Identifier:   az.Identifier,
 		ChallengeIDs: chIDs,
 		Token:        az.Token,
 		Fingerprint:  az.Fingerprint,
 		Wildcard:     az.Wildcard,
 	}
@ -114,14 +111,14 @@ func (db *DB) UpdateAuthorization(ctx context.Context, az *acme.Authorization) e
 	}
 	nu := old.clone()
 	nu.Status = az.Status
 	nu.Fingerprint = az.Fingerprint
 	nu.Error = az.Error
 	return db.save(ctx, old.ID, nu, old, "authz", authzTable)
 }
 // GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database.
-func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string) ([]*acme.Authorization, error) {
+func (db *DB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*acme.Authorization, error) {
 	entries, err := db.db.List(authzTable)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error listing authz")
@ -147,7 +144,6 @@ func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string)
 			Wildcard:   dbaz.Wildcard,
 			ExpiresAt:  dbaz.ExpiresAt,
 			Token:      dbaz.Token,
 			Fingerprint: dbaz.Fingerprint,
 			Error:      dbaz.Error,
 		})
 	}
--- a/acme/db/nosql/authz_test.go
+++ b/acme/db/nosql/authz_test.go
@ -473,7 +473,6 @@ func TestDB_UpdateAuthorization(t *testing.T) {
 		ExpiresAt:    now.Add(5 * time.Minute),
 		ChallengeIDs: []string{"foo", "bar"},
 		Wildcard:     true,
 		Fingerprint:  "fingerprint",
 	}
 	b, err := json.Marshal(dbaz)
 	assert.FatalError(t, err)
@ -553,7 +552,6 @@ func TestDB_UpdateAuthorization(t *testing.T) {
 				Token:     dbaz.Token,
 				Wildcard:  dbaz.Wildcard,
 				ExpiresAt: dbaz.ExpiresAt,
 				Fingerprint: "fingerprint",
 				Error:     acme.NewError(acme.ErrorMalformedType, "malformed"),
 			}
 			return test{
@ -584,7 +582,6 @@ func TestDB_UpdateAuthorization(t *testing.T) {
 						assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard)
 						assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt)
 						assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt)
 						assert.Equals(t, dbNew.Fingerprint, dbaz.Fingerprint)
 						assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
 						return nu, true, nil
 					},
--- a/acme/db/nosql/certificate.go
+++ b/acme/db/nosql/certificate.go
@ -69,7 +69,7 @@ func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) err
 // GetCertificate retrieves and unmarshals an ACME certificate type from the
 // datastore.
-func (db *DB) GetCertificate(_ context.Context, id string) (*acme.Certificate, error) {
+func (db *DB) GetCertificate(ctx context.Context, id string) (*acme.Certificate, error) {
 	b, err := db.db.Get(certTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "certificate %s not found", id)
--- a/acme/db/nosql/challenge.go
+++ b/acme/db/nosql/challenge.go
@ -6,10 +6,8 @@ import (
 	"time"
 	"github.com/pkg/errors"
 	"github.com/smallstep/nosql"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/nosql"
 )
 type dbChallenge struct {
@ -21,7 +19,7 @@ type dbChallenge struct {
 	Value       string             `json:"value"`
 	ValidatedAt string             `json:"validatedAt"`
 	CreatedAt   time.Time          `json:"createdAt"`
-	Error       *acme.Error        `json:"error"` // TODO(hs): a bit dangerous; should become db-specific type
+	Error       *acme.Error        `json:"error"`
 }
 func (dbc *dbChallenge) clone() *dbChallenge {
@ -29,7 +27,7 @@ func (dbc *dbChallenge) clone() *dbChallenge {
 	return &u
 }
-func (db *DB) getDBChallenge(_ context.Context, id string) (*dbChallenge, error) {
+func (db *DB) getDBChallenge(ctx context.Context, id string) (*dbChallenge, error) {
 	data, err := db.db.Get(challengeTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "challenge %s not found", id)
@ -69,7 +67,6 @@ func (db *DB) CreateChallenge(ctx context.Context, ch *acme.Challenge) error {
 // GetChallenge retrieves and unmarshals an ACME challenge type from the database.
 // Implements the acme.DB GetChallenge interface.
 func (db *DB) GetChallenge(ctx context.Context, id, authzID string) (*acme.Challenge, error) {
 	_ = authzID // unused input
 	dbch, err := db.getDBChallenge(ctx, id)
 	if err != nil {
 		return nil, err
--- a/acme/db/nosql/eab.go
+++ b/acme/db/nosql/eab.go
@ -35,7 +35,7 @@ type dbExternalAccountKeyReference struct {
 }
 // getDBExternalAccountKey retrieves and unmarshals dbExternalAccountKey.
-func (db *DB) getDBExternalAccountKey(_ context.Context, id string) (*dbExternalAccountKey, error) {
+func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExternalAccountKey, error) {
 	data, err := db.db.Get(externalAccountKeyTable, []byte(id))
 	if err != nil {
 		if nosqlDB.IsErrNotFound(err) {
@ -160,8 +160,6 @@ func (db *DB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID
 // GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner
 func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*acme.ExternalAccountKey, string, error) {
 	_, _ = cursor, limit // unused input
 	externalAccountKeyMutex.RLock()
 	defer externalAccountKeyMutex.RUnlock()
@ -229,7 +227,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI
 	return db.GetExternalAccountKey(ctx, provisionerID, dbExternalAccountKeyReference.ExternalAccountKeyID)
 }
-func (db *DB) GetExternalAccountKeyByAccountID(context.Context, string, string) (*acme.ExternalAccountKey, error) {
+func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
 	//nolint:nilnil // legacy
 	return nil, nil
 }
--- a/acme/db/nosql/nonce.go
+++ b/acme/db/nosql/nonce.go
@ -39,7 +39,7 @@ func (db *DB) CreateNonce(ctx context.Context) (acme.Nonce, error) {
 // DeleteNonce verifies that the nonce is valid (by checking if it exists),
 // and if so, consumes the nonce resource by deleting it from the database.
-func (db *DB) DeleteNonce(_ context.Context, nonce acme.Nonce) error {
+func (db *DB) DeleteNonce(ctx context.Context, nonce acme.Nonce) error {
 	err := db.db.Update(&database.Tx{
 		Operations: []*database.TxEntry{
 			{
--- a/acme/db/nosql/nosql.go
+++ b/acme/db/nosql/nosql.go
@ -48,7 +48,7 @@ func New(db nosqlDB.DB) (*DB, error) {
 // save writes the new data to the database, overwriting the old data if it
 // existed.
-func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error {
+func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error {
 	var (
 		err  error
 		newB []byte
--- a/acme/db/nosql/order.go
+++ b/acme/db/nosql/order.go
@ -35,7 +35,7 @@ func (a *dbOrder) clone() *dbOrder {
 }
 // getDBOrder retrieves and unmarshals an ACME Order type from the database.
-func (db *DB) getDBOrder(_ context.Context, id string) (*dbOrder, error) {
+func (db *DB) getDBOrder(ctx context.Context, id string) (*dbOrder, error) {
 	b, err := db.db.Get(orderTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, acme.NewError(acme.ErrorMalformedType, "order %s not found", id)
--- a/acme/errors.go
+++ b/acme/errors.go
@ -65,8 +65,6 @@ const (
 	ErrorUserActionRequiredType
 	// ErrorNotImplementedType operation is not implemented
 	ErrorNotImplementedType
 	// ErrorNNSType was a problem with a NNS query during identifier validation
 	ErrorNNSType
 )
 // String returns the string representation of the acme problem type,
@ -123,8 +121,6 @@ func (ap ProblemType) String() string {
 		return "userActionRequired"
 	case ErrorNotImplementedType:
 		return "notImplemented"
 	case ErrorNNSType:
 		return "nns"
 	default:
 		return fmt.Sprintf("unsupported type ACME error type '%d'", int(ap))
 	}
@ -274,61 +270,21 @@ var (
 	}
 )
-// Error represents an ACME Error
+// Error represents an ACME
 type Error struct {
 	Type        string        `json:"type"`
 	Detail      string        `json:"detail"`
-	Subproblems []Subproblem `json:"subproblems,omitempty"`
+	Subproblems []interface{} `json:"subproblems,omitempty"`
 	Identifier  interface{}   `json:"identifier,omitempty"`
 	Err         error         `json:"-"`
 	Status      int           `json:"-"`
 }
 // Subproblem represents an ACME subproblem. It's fairly
 // similar to an ACME error, but differs in that it can't
 // include subproblems itself, the error is reflected
 // in the Detail property and doesn't have a Status.
 type Subproblem struct {
 	Type   string `json:"type"`
 	Detail string `json:"detail"`
 	// The "identifier" field MUST NOT be present at the top level in ACME
 	// problem documents.  It can only be present in subproblems.
 	// Subproblems need not all have the same type, and they do not need to
 	// match the top level type.
 	Identifier *Identifier `json:"identifier,omitempty"`
 }
 // AddSubproblems adds the Subproblems to Error. It
 // returns the Error, allowing for fluent addition.
 func (e *Error) AddSubproblems(subproblems ...Subproblem) *Error {
 	e.Subproblems = append(e.Subproblems, subproblems...)
 	return e
 }
 // NewError creates a new Error type.
 func NewError(pt ProblemType, msg string, args ...interface{}) *Error {
 	return newError(pt, errors.Errorf(msg, args...))
 }
 // NewSubproblem creates a new Subproblem. The msg and args
 // are used to create a new error, which is set as the Detail, allowing
 // for more detailed error messages to be returned to the ACME client.
 func NewSubproblem(pt ProblemType, msg string, args ...interface{}) Subproblem {
 	e := newError(pt, fmt.Errorf(msg, args...))
 	s := Subproblem{
 		Type:   e.Type,
 		Detail: e.Err.Error(),
 	}
 	return s
 }
 // NewSubproblemWithIdentifier creates a new Subproblem with a specific ACME
 // Identifier. It calls NewSubproblem and sets the Identifier.
 func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...interface{}) Subproblem {
 	s := NewSubproblem(pt, msg, args...)
 	s.Identifier = &identifier
 	return s
 }
 func newError(pt ProblemType, err error) *Error {
 	meta, ok := errorMap[pt]
 	if !ok {
--- a/acme/nns.go
+++ b/acme/nns.go
@ -1,122 +0,0 @@
 package acme
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net/url"
 	"git.frostfs.info/TrueCloudLab/frostfs-contract/nns"
 	"github.com/nspcc-dev/neo-go/pkg/core/state"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/invoker"
 	"github.com/nspcc-dev/neo-go/pkg/rpcclient/unwrap"
 	"github.com/nspcc-dev/neo-go/pkg/smartcontract"
 	"github.com/nspcc-dev/neo-go/pkg/util"
 	"github.com/nspcc-dev/neo-go/pkg/vm/stackitem"
 )
 // multiSchemeClient unites invoker.RPCInvoke and common interface of
 // rpcclient.Client and rpcclient.WSClient.
 type multiSchemeClient interface {
 	invoker.RPCInvoke
 	// Init turns client to "ready-to-work" state.
 	Init() error
 	// Close closes connections.
 	Close()
 	// GetContractStateByID returns state of the NNS contract on 1 input.
 	GetContractStateByID(int32) (*state.Contract, error)
 }
 // NNS is used to interact with NNS contract.
 // Before work, the connection to the NNS server must be established using Dial method.
 type NNS struct {
 	nnsContract util.Uint160
 	client      multiSchemeClient
 }
 // NNSContext is used to store info about NNS server.
 type NNSContext struct {
 	nnsServer string
 }
 type nnsKey struct{}
 // NewNNSContext adds new NNSContext with given params to the context.
 func NewNNSContext(ctx context.Context, nnsServer string) context.Context {
 	return context.WithValue(ctx, nnsKey{}, NNSContext{nnsServer: nnsServer})
 }
 // GetNNSContext returns NNSContext from the given context.
 func GetNNSContext(ctx context.Context) (NNSContext, bool) {
 	c, ok := ctx.Value(nnsKey{}).(NNSContext)
 	return c, ok
 }
 // Dial connects to the address of the NNS server.
 // If URL address scheme is 'ws' or 'wss', then WebSocket protocol is used, otherwise HTTP.
 func (n *NNS) Dial(address string) error {
 	var err error
 	uri, err := url.Parse(address)
 	if err == nil && (uri.Scheme == "ws" || uri.Scheme == "wss") {
 		n.client, err = rpcclient.NewWS(context.Background(), address, rpcclient.WSOptions{})
 		if err != nil {
 			return fmt.Errorf("create Neo WebSocket client: %w", err)
 		}
 	} else {
 		n.client, err = rpcclient.New(context.Background(), address, rpcclient.Options{})
 		if err != nil {
 			return fmt.Errorf("create Neo HTTP client: %w", err)
 		}
 	}
 	if err = n.client.Init(); err != nil {
 		return fmt.Errorf("initialize Neo client: %w", err)
 	}
 	nnsContract, err := n.client.GetContractStateByID(1)
 	if err != nil {
 		return fmt.Errorf("get NNS contract state: %w", err)
 	}
 	n.nnsContract = nnsContract.Hash
 	return nil
 }
 // Close closes connections of multiSchemeClient.
 func (n *NNS) Close() {
 	n.client.Close()
 }
 // GetTXTRecords returns TXT records of the provided domain by calling `getRecords` method of NNS contract.
 func (n *NNS) GetTXTRecords(name string) ([]string, error) {
 	params, err := smartcontract.NewParametersFromValues(name, int64(nns.TXT))
 	if err != nil {
 		return make([]string, 0), fmt.Errorf("create slice of params: %w", err)
 	}
 	item, err := unwrap.Item(n.client.InvokeFunction(n.nnsContract, "getRecords", params, nil))
 	if err != nil {
 		return make([]string, 0), fmt.Errorf("contract invocation: %w", err)
 	}
 	if _, ok := item.(stackitem.Null); !ok {
 		arr, ok := item.Value().([]stackitem.Item)
 		if !ok {
 			return make([]string, 0), errors.New("invalid cast to stack item slice")
 		}
 		var result = make([]string, 0, len(arr))
 		for i := range arr {
 			recordValue, err := arr[i].TryBytes()
 			if err != nil {
 				return make([]string, 0), fmt.Errorf("convert array item to byte slice: %w", err)
 			}
 			result = append(result, string(recordValue))
 		}
 		return result, nil
 	}
 	return make([]string, 0), errors.New("records not found")
 }
--- a/acme/order.go
+++ b/acme/order.go
@ -3,7 +3,6 @@ package acme
 import (
 	"bytes"
 	"context"
 	"crypto/subtle"
 	"crypto/x509"
 	"encoding/json"
 	"net"
@ -12,7 +11,6 @@ import (
 	"time"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x509util"
 )
@ -127,27 +125,6 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
 	return nil
 }
 // getKeyFingerprint returns a fingerprint from the list of authorizations. This
 // fingerprint is used on the device-attest-01 flow to verify the attestation
 // certificate public key with the CSR public key.
 //
 // There's no point on reading all the authorizations as there will be only one
 // for a permanent identifier.
 func (o *Order) getAuthorizationFingerprint(ctx context.Context, db DB) (string, error) {
 	for _, azID := range o.AuthorizationIDs {
 		az, err := db.GetAuthorization(ctx, azID)
 		if err != nil {
 			return "", WrapErrorISE(err, "error getting authorization %q", azID)
 		}
 		// There's no point on reading all the authorizations as there will
 		// be only one for a permanent identifier.
 		if az.Fingerprint != "" {
 			return az.Fingerprint, nil
 		}
 	}
 	return "", nil
 }
 // Finalize signs a certificate if the necessary conditions for Order completion
 // have been met.
 //
@ -173,24 +150,6 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 		return NewErrorISE("unexpected status %s for order %s", o.Status, o.ID)
 	}
 	// Get key fingerprint if any. And then compare it with the CSR fingerprint.
 	//
 	// In device-attest-01 challenges we should check that the keys in the CSR
 	// and the attestation certificate are the same.
 	fingerprint, err := o.getAuthorizationFingerprint(ctx, db)
 	if err != nil {
 		return err
 	}
 	if fingerprint != "" {
 		fp, err := keyutil.Fingerprint(csr.PublicKey)
 		if err != nil {
 			return WrapErrorISE(err, "error calculating key fingerprint")
 		}
 		if subtle.ConstantTimeCompare([]byte(fingerprint), []byte(fp)) == 0 {
 			return NewError(ErrorUnauthorizedType, "order %s csr does not match the attested key", o.ID)
 		}
 	}
 	// canonicalize the CSR to allow for comparison
 	csr = canonicalize(csr)
@ -206,15 +165,6 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 	for i := range o.Identifiers {
 		if o.Identifiers[i].Type == PermanentIdentifier {
 			permanentIdentifier = o.Identifiers[i].Value
 			// the first (and only) Permanent Identifier that gets added to the certificate
 			// should be equal to the Subject Common Name if it's set. If not equal, the CSR
 			// is rejected, because the Common Name hasn't been challenged in that case. This
 			// could result in unauthorized access if a relying system relies on the Common
 			// Name in its authorization logic.
 			if csr.Subject.CommonName != "" && csr.Subject.CommonName != permanentIdentifier {
 				return NewError(ErrorBadCSRType, "CSR Subject Common Name does not match identifiers exactly: "+
 					"CSR Subject Common Name = %s, Order Permanent Identifier = %s", csr.Subject.CommonName, permanentIdentifier)
 			}
 			break
 		}
 	}
--- a/acme/order_test.go
+++ b/acme/order_test.go
@ -2,12 +2,9 @@ package acme
 import (
 	"context"
 	"crypto"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/json"
 	"fmt"
 	"net"
 	"net/url"
 	"reflect"
@ -19,7 +16,6 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x509util"
 )
@ -301,7 +297,7 @@ func (m *mockSignAuth) LoadProvisionerByName(name string) (provisioner.Interface
 	return m.ret1.(provisioner.Interface), m.err
 }
-func (m *mockSignAuth) IsRevoked(string) (bool, error) {
+func (m *mockSignAuth) IsRevoked(sn string) (bool, error) {
 	return false, nil
 }
@ -310,14 +306,6 @@ func (m *mockSignAuth) Revoke(context.Context, *authority.RevokeOptions) error {
 }
 func TestOrder_Finalize(t *testing.T) {
 	mustSigner := func(kty, crv string, size int) crypto.Signer {
 		s, err := keyutil.GenerateSigner(kty, crv, size)
 		if err != nil {
 			t.Fatal(err)
 		}
 		return s
 	}
 	type test struct {
 		o    *Order
 		err  *Error
@ -398,72 +386,6 @@ func TestOrder_Finalize(t *testing.T) {
 				err: NewErrorISE("unrecognized order status: %s", o.Status),
 			}
 		},
 		"fail/non-matching-permanent-identifier-common-name": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
 				ID:               "oID",
 				AccountID:        "accID",
 				Status:           StatusReady,
 				ExpiresAt:        now.Add(5 * time.Minute),
 				AuthorizationIDs: []string{"a", "b"},
 				Identifiers: []Identifier{
 					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
 				},
 			}
 			signer := mustSigner("EC", "P-256", 0)
 			fingerprint, err := keyutil.Fingerprint(signer.Public())
 			if err != nil {
 				t.Fatal(err)
 			}
 			csr := &x509.CertificateRequest{
 				Subject: pkix.Name{
 					CommonName: "a-different-identifier",
 				},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			return test{
 				o:   o,
 				csr: csr,
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						switch id {
 						case "a":
 							return &Authorization{
 								ID:     id,
 								Status: StatusValid,
 							}, nil
 						case "b":
 							return &Authorization{
 								ID:          id,
 								Fingerprint: fingerprint,
 								Status:      StatusValid,
 							}, nil
 						default:
 							assert.FatalError(t, errors.Errorf("unexpected authorization %s", id))
 							return nil, errors.New("force")
 						}
 					},
 					MockUpdateOrder: func(ctx context.Context, o *Order) error {
 						return nil
 					},
 				},
 				err: &Error{
 					Type:   "urn:ietf:params:acme:error:badCSR",
 					Detail: "The CSR is unacceptable",
 					Status: 400,
 					Err: fmt.Errorf("CSR Subject Common Name does not match identifiers exactly: "+
 						"CSR Subject Common Name = %s, Order Permanent Identifier = %s", csr.Subject.CommonName, "a-permanent-identifier"),
 				},
 			}
 		},
 		"fail/error-provisioner-auth": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
@ -493,11 +415,6 @@ func TestOrder_Finalize(t *testing.T) {
 						return nil, errors.New("force")
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 				},
 				err: NewErrorISE("error retrieving authorization options from ACME provisioner: force"),
 			}
 		},
@ -537,11 +454,6 @@ func TestOrder_Finalize(t *testing.T) {
 						}
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 				},
 				err: NewErrorISE("error creating template options from ACME provisioner: error unmarshaling template data: invalid character 'o' in literal false (expecting 'a')"),
 			}
 		},
@ -583,11 +495,6 @@ func TestOrder_Finalize(t *testing.T) {
 						return nil, errors.New("force")
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 				},
 				err: NewErrorISE("error signing certificate for order oID: force"),
 			}
 		},
@ -634,9 +541,6 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						assert.Equals(t, cert.AccountID, o.AccountID)
 						assert.Equals(t, cert.OrderID, o.ID)
@ -691,9 +595,6 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -716,297 +617,6 @@ func TestOrder_Finalize(t *testing.T) {
 				err: NewErrorISE("error updating order oID: force"),
 			}
 		},
 		"fail/csr-fingerprint": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
 				ID:               "oID",
 				AccountID:        "accID",
 				Status:           StatusReady,
 				ExpiresAt:        now.Add(5 * time.Minute),
 				AuthorizationIDs: []string{"a", "b"},
 				Identifiers: []Identifier{
 					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
 				},
 			}
 			signer := mustSigner("EC", "P-256", 0)
 			csr := &x509.CertificateRequest{
 				Subject: pkix.Name{
 					CommonName: "a-permanent-identifier",
 				},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			leaf := &x509.Certificate{
 				Subject:   pkix.Name{CommonName: "a-permanent-identifier"},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			inter := &x509.Certificate{Subject: pkix.Name{CommonName: "inter"}}
 			root := &x509.Certificate{Subject: pkix.Name{CommonName: "root"}}
 			return test{
 				o:   o,
 				csr: csr,
 				prov: &MockProvisioner{
 					MauthorizeSign: func(ctx context.Context, token string) ([]provisioner.SignOption, error) {
 						assert.Equals(t, token, "")
 						return nil, nil
 					},
 					MgetOptions: func() *provisioner.Options {
 						return nil
 					},
 				},
 				ca: &mockSignAuth{
 					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{leaf, inter, root}, nil
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{
 							ID:          id,
 							Fingerprint: "other-fingerprint",
 							Status:      StatusValid,
 						}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
 						assert.Equals(t, cert.OrderID, o.ID)
 						assert.Equals(t, cert.Leaf, leaf)
 						assert.Equals(t, cert.Intermediates, []*x509.Certificate{inter, root})
 						return nil
 					},
 					MockUpdateOrder: func(ctx context.Context, updo *Order) error {
 						assert.Equals(t, updo.CertificateID, "certID")
 						assert.Equals(t, updo.Status, StatusValid)
 						assert.Equals(t, updo.ID, o.ID)
 						assert.Equals(t, updo.AccountID, o.AccountID)
 						assert.Equals(t, updo.ExpiresAt, o.ExpiresAt)
 						assert.Equals(t, updo.AuthorizationIDs, o.AuthorizationIDs)
 						assert.Equals(t, updo.Identifiers, o.Identifiers)
 						return nil
 					},
 				},
 				err: NewError(ErrorUnauthorizedType, "order oID csr does not match the attested key"),
 			}
 		},
 		"ok/permanent-identifier": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
 				ID:               "oID",
 				AccountID:        "accID",
 				Status:           StatusReady,
 				ExpiresAt:        now.Add(5 * time.Minute),
 				AuthorizationIDs: []string{"a", "b"},
 				Identifiers: []Identifier{
 					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
 				},
 			}
 			signer := mustSigner("EC", "P-256", 0)
 			fingerprint, err := keyutil.Fingerprint(signer.Public())
 			if err != nil {
 				t.Fatal(err)
 			}
 			csr := &x509.CertificateRequest{
 				Subject: pkix.Name{
 					CommonName: "a-permanent-identifier",
 				},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			leaf := &x509.Certificate{
 				Subject:   pkix.Name{CommonName: "a-permanent-identifier"},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			inter := &x509.Certificate{Subject: pkix.Name{CommonName: "inter"}}
 			root := &x509.Certificate{Subject: pkix.Name{CommonName: "root"}}
 			return test{
 				o:   o,
 				csr: csr,
 				prov: &MockProvisioner{
 					MauthorizeSign: func(ctx context.Context, token string) ([]provisioner.SignOption, error) {
 						assert.Equals(t, token, "")
 						return nil, nil
 					},
 					MgetOptions: func() *provisioner.Options {
 						return nil
 					},
 				},
 				ca: &mockSignAuth{
 					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{leaf, inter, root}, nil
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						switch id {
 						case "a":
 							return &Authorization{
 								ID:     id,
 								Status: StatusValid,
 							}, nil
 						case "b":
 							return &Authorization{
 								ID:          id,
 								Fingerprint: fingerprint,
 								Status:      StatusValid,
 							}, nil
 						default:
 							assert.FatalError(t, errors.Errorf("unexpected authorization %s", id))
 							return nil, errors.New("force")
 						}
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
 						assert.Equals(t, cert.OrderID, o.ID)
 						assert.Equals(t, cert.Leaf, leaf)
 						assert.Equals(t, cert.Intermediates, []*x509.Certificate{inter, root})
 						return nil
 					},
 					MockUpdateOrder: func(ctx context.Context, updo *Order) error {
 						assert.Equals(t, updo.CertificateID, "certID")
 						assert.Equals(t, updo.Status, StatusValid)
 						assert.Equals(t, updo.ID, o.ID)
 						assert.Equals(t, updo.AccountID, o.AccountID)
 						assert.Equals(t, updo.ExpiresAt, o.ExpiresAt)
 						assert.Equals(t, updo.AuthorizationIDs, o.AuthorizationIDs)
 						assert.Equals(t, updo.Identifiers, o.Identifiers)
 						return nil
 					},
 				},
 			}
 		},
 		"ok/permanent-identifier-only": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
 				ID:               "oID",
 				AccountID:        "accID",
 				Status:           StatusReady,
 				ExpiresAt:        now.Add(5 * time.Minute),
 				AuthorizationIDs: []string{"a", "b"},
 				Identifiers: []Identifier{
 					{Type: "dns", Value: "foo.internal"},
 					{Type: "permanent-identifier", Value: "a-permanent-identifier"},
 				},
 			}
 			signer := mustSigner("EC", "P-256", 0)
 			fingerprint, err := keyutil.Fingerprint(signer.Public())
 			if err != nil {
 				t.Fatal(err)
 			}
 			csr := &x509.CertificateRequest{
 				Subject: pkix.Name{
 					CommonName: "a-permanent-identifier",
 				},
 				DNSNames:  []string{"foo.internal"},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			leaf := &x509.Certificate{
 				Subject:   pkix.Name{CommonName: "a-permanent-identifier"},
 				PublicKey: signer.Public(),
 				ExtraExtensions: []pkix.Extension{
 					{
 						Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3},
 						Value: []byte("a-permanent-identifier"),
 					},
 				},
 			}
 			inter := &x509.Certificate{Subject: pkix.Name{CommonName: "inter"}}
 			root := &x509.Certificate{Subject: pkix.Name{CommonName: "root"}}
 			return test{
 				o:   o,
 				csr: csr,
 				prov: &MockProvisioner{
 					MauthorizeSign: func(ctx context.Context, token string) ([]provisioner.SignOption, error) {
 						assert.Equals(t, token, "")
 						return nil, nil
 					},
 					MgetOptions: func() *provisioner.Options {
 						return nil
 					},
 				},
 				// TODO(hs): we should work on making the mocks more realistic. Ideally, we should get rid of
 				// the mock entirely, relying on an instances of provisioner, authority and DB (possibly hardest), so
 				// that behavior of the tests is what an actual CA would do. We could gradually phase them out by
 				// using the mocking functions as a wrapper for actual test helpers generated per test case or per
 				// function that's tested.
 				ca: &mockSignAuth{
 					sign: func(_csr *x509.CertificateRequest, signOpts provisioner.SignOptions, extraOpts ...provisioner.SignOption) ([]*x509.Certificate, error) {
 						assert.Equals(t, _csr, csr)
 						return []*x509.Certificate{leaf, inter, root}, nil
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{
 							ID:          id,
 							Fingerprint: fingerprint,
 							Status:      StatusValid,
 						}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
 						assert.Equals(t, cert.OrderID, o.ID)
 						assert.Equals(t, cert.Leaf, leaf)
 						assert.Equals(t, cert.Intermediates, []*x509.Certificate{inter, root})
 						return nil
 					},
 					MockUpdateOrder: func(ctx context.Context, updo *Order) error {
 						assert.Equals(t, updo.CertificateID, "certID")
 						assert.Equals(t, updo.Status, StatusValid)
 						assert.Equals(t, updo.ID, o.ID)
 						assert.Equals(t, updo.AccountID, o.AccountID)
 						assert.Equals(t, updo.ExpiresAt, o.ExpiresAt)
 						assert.Equals(t, updo.AuthorizationIDs, o.AuthorizationIDs)
 						assert.Equals(t, updo.Identifiers, o.Identifiers)
 						return nil
 					},
 				},
 			}
 		},
 		"ok/new-cert-dns": func(t *testing.T) test {
 			now := clock.Now()
 			o := &Order{
@ -1050,9 +660,6 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -1114,9 +721,6 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -1181,9 +785,6 @@ func TestOrder_Finalize(t *testing.T) {
 					},
 				},
 				db: &MockDB{
 					MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 						return &Authorization{ID: id, Status: StatusValid}, nil
 					},
 					MockCreateCertificate: func(ctx context.Context, cert *Certificate) error {
 						cert.ID = "certID"
 						assert.Equals(t, cert.AccountID, o.AccountID)
@ -1891,55 +1492,3 @@ func TestOrder_sans(t *testing.T) {
 		})
 	}
 }
 func TestOrder_getAuthorizationFingerprint(t *testing.T) {
 	ctx := context.Background()
 	type fields struct {
 		AuthorizationIDs []string
 	}
 	type args struct {
 		ctx context.Context
 		db  DB
 	}
 	tests := []struct {
 		name    string
 		fields  fields
 		args    args
 		want    string
 		wantErr bool
 	}{
 		{"ok", fields{[]string{"az1", "az2"}}, args{ctx, &MockDB{
 			MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 				return &Authorization{ID: id, Status: StatusValid}, nil
 			},
 		}}, "", false},
 		{"ok fingerprint", fields{[]string{"az1", "az2"}}, args{ctx, &MockDB{
 			MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 				if id == "az1" {
 					return &Authorization{ID: id, Status: StatusValid}, nil
 				}
 				return &Authorization{ID: id, Fingerprint: "fingerprint", Status: StatusValid}, nil
 			},
 		}}, "fingerprint", false},
 		{"fail", fields{[]string{"az1", "az2"}}, args{ctx, &MockDB{
 			MockGetAuthorization: func(ctx context.Context, id string) (*Authorization, error) {
 				return nil, errors.New("force")
 			},
 		}}, "", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			o := &Order{
 				AuthorizationIDs: tt.fields.AuthorizationIDs,
 			}
 			got, err := o.getAuthorizationFingerprint(tt.args.ctx, tt.args.db)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("Order.getAuthorizationFingerprint() error = %v, wantErr %v", err, tt.wantErr)
 				return
 			}
 			if got != tt.want {
 				t.Errorf("Order.getAuthorizationFingerprint() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }
--- a/api/api.go
+++ b/api/api.go
@ -1,7 +1,6 @@
 package api
 import (
 	"bytes"
 	"context"
 	"crypto"
 	"crypto/dsa" //nolint:staticcheck // support legacy algorithms
@ -21,8 +20,6 @@ import (
 	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
 	"go.step.sm/crypto/sshutil"
 	"golang.org/x/crypto/ssh"
 	"github.com/smallstep/certificates/api/log"
 	"github.com/smallstep/certificates/api/render"
@ -53,6 +50,7 @@ type Authority interface {
 	GetRoots() ([]*x509.Certificate, error)
 	GetFederation() ([]*x509.Certificate, error)
 	Version() authority.Version
 	Capabilities() authority.Capabilities
 	GetCertificateRevocationList() ([]byte, error)
 }
@ -214,6 +212,10 @@ type VersionResponse struct {
 	RequireClientAuthentication bool   `json:"requireClientAuthentication,omitempty"`
 }
 // CapabilitiesResponse is the response object that returns the version of the
 // server.
 type CapabilitiesResponse authority.Capabilities
 // HealthResponse is the response object that returns the health of the server.
 type HealthResponse struct {
 	Status string `json:"status"`
@ -227,39 +229,8 @@ type RootResponse struct {
 // ProvisionersResponse is the response object that returns the list of
 // provisioners.
 type ProvisionersResponse struct {
-	Provisioners provisioner.List
+	Provisioners provisioner.List `json:"provisioners"`
 	NextCursor   string
 }
 // MarshalJSON implements json.Marshaler. It marshals the ProvisionersResponse
 // into a byte slice.
 //
 // Special treatment is given to the SCEP provisioner, as it contains a
 // challenge secret that MUST NOT be leaked in (public) HTTP responses. The
 // challenge value is thus redacted in HTTP responses.
 func (p ProvisionersResponse) MarshalJSON() ([]byte, error) {
 	for _, item := range p.Provisioners {
 		scepProv, ok := item.(*provisioner.SCEP)
 		if !ok {
 			continue
 		}
 		old := scepProv.ChallengePassword
 		scepProv.ChallengePassword = "*** REDACTED ***"
 		defer func(p string) { //nolint:gocritic // defer in loop required to restore initial state of provisioners
 			scepProv.ChallengePassword = p
 		}(old)
 	}
 	var list = struct {
 		Provisioners []provisioner.Interface `json:"provisioners"`
 	NextCursor   string           `json:"nextCursor"`
 	}{
 		Provisioners: []provisioner.Interface(p.Provisioners),
 		NextCursor:   p.NextCursor,
 	}
 	return json.Marshal(list)
 }
 // ProvisionerKeyResponse is the response object that returns the encrypted key
@ -291,12 +262,14 @@ func (h *caHandler) Route(r Router) {
 // New creates a new RouterHandler with the CA endpoints.
 //
 // Deprecated: Use api.Route(r Router)
-func New(Authority) RouterHandler {
+func New(auth Authority) RouterHandler {
 	return &caHandler{}
 }
 // Route defines routing for the API.
 func Route(r Router) {
 	r.MethodFunc("GET", "/version", Version)
 	r.MethodFunc("GET", "/capabilities", Capabilities)
 	r.MethodFunc("GET", "/health", Health)
 	r.MethodFunc("GET", "/root/{sha}", Root)
 	r.MethodFunc("POST", "/sign", Sign)
@ -337,8 +310,14 @@ func Version(w http.ResponseWriter, r *http.Request) {
 	})
 }
 // Capabilities is an HTTP handler that returns the capabilities of the authority
 // server.
 func Capabilities(w http.ResponseWriter, r *http.Request) {
 	render.JSON(w, CapabilitiesResponse(mustAuthority(r.Context()).Capabilities()))
 }
 // Health is an HTTP handler that returns the status of the server.
-func Health(w http.ResponseWriter, _ *http.Request) {
+func Health(w http.ResponseWriter, r *http.Request) {
 	render.JSON(w, HealthResponse{Status: "ok"})
 }
@ -472,7 +451,7 @@ func logOtt(w http.ResponseWriter, token string) {
 	}
 }
-// LogCertificate adds certificate fields to the log message.
+// LogCertificate add certificate fields to the log message.
 func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	if rl, ok := w.(logging.ResponseLogger); ok {
 		m := map[string]interface{}{
@ -504,41 +483,6 @@ func LogCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	}
 }
 // LogSSHCertificate adds SSH certificate fields to the log message.
 func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) {
 	if rl, ok := w.(logging.ResponseLogger); ok {
 		mak := bytes.TrimSpace(ssh.MarshalAuthorizedKey(cert))
 		var certificate string
 		parts := strings.Split(string(mak), " ")
 		if len(parts) > 1 {
 			certificate = parts[1]
 		}
 		var userOrHost string
 		if cert.CertType == ssh.HostCert {
 			userOrHost = "host"
 		} else {
 			userOrHost = "user"
 		}
 		certificateType := fmt.Sprintf("%s %s certificate", parts[0], userOrHost) // e.g. ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
 		m := map[string]interface{}{
 			"serial":           cert.Serial,
 			"principals":       cert.ValidPrincipals,
 			"valid-from":       time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339),
 			"valid-to":         time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339),
 			"certificate":      certificate,
 			"certificate-type": certificateType,
 		}
 		fingerprint, err := sshutil.FormatFingerprint(mak, sshutil.DefaultFingerprint)
 		if err == nil {
 			fpParts := strings.Split(fingerprint, " ")
 			if len(fpParts) > 3 {
 				m["public-key"] = fmt.Sprintf("%s %s", fpParts[1], fpParts[len(fpParts)-1])
 			}
 		}
 		rl.WithFields(m)
 	}
 }
 // ParseCursor parses the cursor and limit from the request query params.
 func ParseCursor(r *http.Request) (cursor string, limit int, err error) {
 	q := r.URL.Query()
--- a/api/api_test.go
+++ b/api/api_test.go
@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"crypto/dsa" //nolint:staticcheck // support legacy algorithms
+	"crypto/dsa" //nolint
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
@ -28,15 +28,12 @@ import (
 	"github.com/go-chi/chi"
 	"github.com/pkg/errors"
-	sassert "github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/ssh"
-	"github.com/stretchr/testify/require"
+
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
 	"golang.org/x/crypto/ssh"
 	squarejose "gopkg.in/square/go-jose.v2"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
@ -215,6 +212,7 @@ type mockAuthority struct {
 	checkSSHHost                 func(ctx context.Context, principal, token string) (bool, error)
 	getSSHBastion                func(ctx context.Context, user string, hostname string) (*authority.Bastion, error)
 	version                      func() authority.Version
 	capabilities                 func() authority.Capabilities
 }
 func (m *mockAuthority) GetCertificateRevocationList() ([]byte, error) {
@ -408,6 +406,13 @@ func (m *mockAuthority) Version() authority.Version {
 	return m.ret1.(authority.Version)
 }
 func (m *mockAuthority) Capabilities() authority.Capabilities {
 	if m.capabilities != nil {
 		return m.capabilities()
 	}
 	return m.ret1.(authority.Capabilities)
 }
 func TestNewCertificate(t *testing.T) {
 	cert := parseCertificate(rootPEM)
 	if !reflect.DeepEqual(Certificate{Certificate: cert}, NewCertificate(cert)) {
@ -876,6 +881,35 @@ func Test_Health(t *testing.T) {
 	}
 }
 func Test_Capabilities(t *testing.T) {
 	capResp := CapabilitiesResponse{
 		RequireClientAuthentication:   false,
 		RemoteConfigurationManagement: true,
 	}
 	mockMustAuthority(t, &mockAuthority{ret1: authority.Capabilities(capResp)})
 	req := httptest.NewRequest("GET", "http://example.com/capabilities", nil)
 	w := httptest.NewRecorder()
 	Capabilities(w, req)
 	res := w.Result()
 	if res.StatusCode != 200 {
 		t.Errorf("caHandler.Capabilities StatusCode = %d, wants 200", res.StatusCode)
 	}
 	body, err := io.ReadAll(res.Body)
 	res.Body.Close()
 	if err != nil {
 		t.Errorf("caHandler.Capabilities unexpected error = %v", err)
 	}
 	wantBytes, err := json.Marshal(capResp)
 	if err != nil {
 		assert.FatalError(t, err)
 	}
 	if !bytes.Equal(bytes.TrimSpace(body), wantBytes) {
 		t.Errorf("caHandler.Capabilities Body = %s, wants %s", body, wantBytes)
 	}
 }
 func Test_Root(t *testing.T) {
 	tests := []struct {
 		name       string
@ -1567,122 +1601,3 @@ func mustCertificate(t *testing.T, pub, priv interface{}) *x509.Certificate {
 	}
 	return cert
 }
 func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	k := map[string]any{
 		"use": "sig",
 		"kty": "EC",
 		"kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc",
 		"crv": "P-256",
 		"alg": "ES256",
 		"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
 		"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
 	}
 	key := squarejose.JSONWebKey{}
 	b, err := json.Marshal(k)
 	assert.FatalError(t, err)
 	err = json.Unmarshal(b, &key)
 	assert.FatalError(t, err)
 	r := ProvisionersResponse{
 		Provisioners: provisioner.List{
 			&provisioner.SCEP{
 				Name:                          "scep",
 				Type:                          "scep",
 				ChallengePassword:             "not-so-secret",
 				MinimumPublicKeyLength:        2048,
 				EncryptionAlgorithmIdentifier: 2,
 			},
 			&provisioner.JWK{
 				EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
 				Key:          &key,
 				Name:         "step-cli",
 				Type:         "JWK",
 			},
 		},
 		NextCursor: "next",
 	}
 	expected := map[string]any{
 		"provisioners": []map[string]any{
 			{
 				"type":                          "scep",
 				"name":                          "scep",
 				"challenge":                     "*** REDACTED ***",
 				"minimumPublicKeyLength":        2048,
 				"encryptionAlgorithmIdentifier": 2,
 			},
 			{
 				"type": "JWK",
 				"name": "step-cli",
 				"key": map[string]any{
 					"use": "sig",
 					"kty": "EC",
 					"kid": "4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc",
 					"crv": "P-256",
 					"alg": "ES256",
 					"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
 					"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
 				},
 				"encryptedKey": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
 			},
 		},
 		"nextCursor": "next",
 	}
 	expBytes, err := json.Marshal(expected)
 	sassert.NoError(t, err)
 	br, err := r.MarshalJSON()
 	sassert.NoError(t, err)
 	sassert.JSONEq(t, string(expBytes), string(br))
 	keyCopy := key
 	expList := provisioner.List{
 		&provisioner.SCEP{
 			Name:                          "scep",
 			Type:                          "scep",
 			ChallengePassword:             "not-so-secret",
 			MinimumPublicKeyLength:        2048,
 			EncryptionAlgorithmIdentifier: 2,
 		},
 		&provisioner.JWK{
 			EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
 			Key:          &keyCopy,
 			Name:         "step-cli",
 			Type:         "JWK",
 		},
 	}
 	// MarshalJSON must not affect the struct properties itself
 	sassert.Equal(t, expList, r.Provisioners)
 }
 const (
 	fixtureECDSACertificate = `ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI herman`
 )
 func TestLogSSHCertificate(t *testing.T) {
 	out, _, _, _, err := ssh.ParseAuthorizedKey([]byte(fixtureECDSACertificate))
 	require.NoError(t, err)
 	cert, ok := out.(*ssh.Certificate)
 	require.True(t, ok)
 	w := httptest.NewRecorder()
 	rl := logging.NewResponseLogger(w)
 	LogSSHCertificate(rl, cert)
 	sassert.Equal(t, 200, w.Result().StatusCode)
 	fields := rl.Fields()
 	sassert.Equal(t, uint64(14376510277651266987), fields["serial"])
 	sassert.Equal(t, []string{"herman"}, fields["principals"])
 	sassert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate", fields["certificate-type"])
 	sassert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
 	sassert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
 	sassert.Equal(t, "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"])
 	sassert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
 }
--- a/api/crl.go
+++ b/api/crl.go
@ -17,13 +17,13 @@ func CRL(w http.ResponseWriter, r *http.Request) {
 	_, formatAsPEM := r.URL.Query()["pem"]
 	if formatAsPEM {
-		w.Header().Add("Content-Type", "application/x-pem-file")
+		pemBytes := pem.EncodeToMemory(&pem.Block{
 		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.pem\"")
 		_ = pem.Encode(w, &pem.Block{
 			Type:  "X509 CRL",
 			Bytes: crlBytes,
 		})
 		w.Header().Add("Content-Type", "application/x-pem-file")
 		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.pem\"")
 		w.Write(pemBytes)
 	} else {
 		w.Header().Add("Content-Type", "application/pkix-crl")
 		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.der\"")
--- a/api/render/render.go
+++ b/api/render/render.go
@ -2,6 +2,7 @@
 package render
 import (
 	"bytes"
 	"encoding/json"
 	"errors"
 	"net/http"
@ -23,25 +24,14 @@ func JSON(w http.ResponseWriter, v interface{}) {
 // JSONStatus sets the Content-Type of w to application/json unless one is
 // specified.
 func JSONStatus(w http.ResponseWriter, v interface{}, status int) {
 	var b bytes.Buffer
 	if err := json.NewEncoder(&b).Encode(v); err != nil {
 		panic(err)
 	}
 	setContentTypeUnlessPresent(w, "application/json")
 	w.WriteHeader(status)
-
+	_, _ = b.WriteTo(w)
 	if err := json.NewEncoder(w).Encode(v); err != nil {
 		var errUnsupportedType *json.UnsupportedTypeError
 		if errors.As(err, &errUnsupportedType) {
 			panic(err)
 		}
 		var errUnsupportedValue *json.UnsupportedValueError
 		if errors.As(err, &errUnsupportedValue) {
 			panic(err)
 		}
 		var errMarshalError *json.MarshalerError
 		if errors.As(err, &errMarshalError) {
 			panic(err)
 		}
 	}
 	log.EnabledResponse(w, v)
 }
--- a/api/render/render_test.go
+++ b/api/render/render_test.go
@ -1,10 +1,8 @@
 package render
 import (
 	"encoding/json"
 	"fmt"
 	"io"
 	"math"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
@ -28,43 +26,10 @@ func TestJSON(t *testing.T) {
 	assert.Empty(t, rw.Fields())
 }
-func TestJSONPanicsOnUnsupportedType(t *testing.T) {
+func TestJSONPanics(t *testing.T) {
-	jsonPanicTest[json.UnsupportedTypeError](t, make(chan struct{}))
+	assert.Panics(t, func() {
-}
+		JSON(httptest.NewRecorder(), make(chan struct{}))
-
+	})
 func TestJSONPanicsOnUnsupportedValue(t *testing.T) {
 	jsonPanicTest[json.UnsupportedValueError](t, math.NaN())
 }
 func TestJSONPanicsOnMarshalerError(t *testing.T) {
 	var v erroneousJSONMarshaler
 	jsonPanicTest[json.MarshalerError](t, v)
 }
 type erroneousJSONMarshaler struct{}
 func (erroneousJSONMarshaler) MarshalJSON() ([]byte, error) {
 	return nil, assert.AnError
 }
 func jsonPanicTest[T json.UnsupportedTypeError | json.UnsupportedValueError | json.MarshalerError](t *testing.T, v any) {
 	t.Helper()
 	defer func() {
 		var err error
 		if r := recover(); r == nil {
 			t.Fatal("expected panic")
 		} else if e, ok := r.(error); !ok {
 			t.Fatalf("did not panic with an error (%T)", r)
 		} else {
 			err = e
 		}
 		var e *T
 		assert.ErrorAs(t, err, &e)
 	}()
 	JSON(httptest.NewRecorder(), v)
 }
 type renderableError struct {
--- a/api/sign.go
+++ b/api/sign.go
@ -88,7 +88,6 @@ func Sign(w http.ResponseWriter, r *http.Request) {
 	if len(certChainPEM) > 1 {
 		caPEM = certChainPEM[1]
 	}
 	LogCertificate(w, certChain[0])
 	render.JSONStatus(w, &SignResponse{
 		ServerPEM:    certChainPEM[0],
--- a/api/ssh.go
+++ b/api/ssh.go
@ -338,7 +338,6 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 		identityCertificate = certChainToPEM(certChain)
 	}
 	LogSSHCertificate(w, cert)
 	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{cert},
 		AddUserCertificate:  addUserCertificate,
--- a/api/sshRekey.go
+++ b/api/sshRekey.go
@ -89,7 +89,6 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	LogSSHCertificate(w, newCert)
 	render.JSONStatus(w, &SSHRekeyResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@ -81,7 +81,6 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	LogSSHCertificate(w, newCert)
 	render.JSONStatus(w, &SSHSignResponse{
 		Certificate:         SSHCertificate{newCert},
 		IdentityCertificate: identity,
--- a/authority/admin/api/acme.go
+++ b/authority/admin/api/acme.go
@ -69,17 +69,17 @@ func NewACMEAdminResponder() ACMEAdminResponder {
 }
 // GetExternalAccountKeys writes the response for the EAB keys GET endpoint
-func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, _ *http.Request) {
+func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) {
 	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }
 // CreateExternalAccountKey writes the response for the EAB key POST endpoint
-func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
+func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) {
 	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }
 // DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint
-func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, _ *http.Request) {
+func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) {
 	render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm"))
 }
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
@ -57,9 +57,9 @@ func validateWebhook(webhook *linkedca.Webhook) error {
 	// kind
 	switch webhook.Kind {
-	case linkedca.Webhook_ENRICHING, linkedca.Webhook_AUTHORIZING, linkedca.Webhook_SCEPCHALLENGE:
+	case linkedca.Webhook_ENRICHING, linkedca.Webhook_AUTHORIZING:
 	default:
-		return admin.NewError(admin.ErrorBadRequestType, "webhook kind %q is invalid", webhook.Kind)
+		return admin.NewError(admin.ErrorBadRequestType, "webhook kind is invalid")
 	}
 	return nil
--- a/authority/admin/api/webhook_test.go
+++ b/authority/admin/api/webhook_test.go
@ -180,26 +180,6 @@ func TestWebhookAdminResponder_CreateProvisionerWebhook(t *testing.T) {
 				statusCode: 400,
 			}
 		},
 		"fail/unsupported-webhook-kind": func(t *testing.T) test {
 			prov := &linkedca.Provisioner{
 				Name: "provName",
 			}
 			ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
 			adminErr := admin.NewError(admin.ErrorBadRequestType, `(line 5:13): invalid value for enum type: "UNSUPPORTED"`)
 			adminErr.Message = `(line 5:13): invalid value for enum type: "UNSUPPORTED"`
 			body := []byte(`
 			{
 				"name": "metadata",
 				"url": "https://example.com",
 				"kind": "UNSUPPORTED",
 			}`)
 			return test{
 				ctx:        ctx,
 				body:       body,
 				err:        adminErr,
 				statusCode: 400,
 			}
 		},
 		"fail/auth.UpdateProvisioner-error": func(t *testing.T) test {
 			adm := &linkedca.Admin{
 				Subject: "step",
--- a/authority/admin/db/nosql/admin.go
+++ b/authority/admin/db/nosql/admin.go
@ -40,7 +40,7 @@ func (dba *dbAdmin) clone() *dbAdmin {
 	return &u
 }
-func (db *DB) getDBAdminBytes(_ context.Context, id string) ([]byte, error) {
+func (db *DB) getDBAdminBytes(ctx context.Context, id string) ([]byte, error) {
 	data, err := db.db.Get(adminsTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, admin.NewError(admin.ErrorNotFoundType, "admin %s not found", id)
@ -102,7 +102,7 @@ func (db *DB) GetAdmin(ctx context.Context, id string) (*linkedca.Admin, error)
 // GetAdmins retrieves and unmarshals all active (not deleted) admins
 // from the database.
 // TODO should we be paginating?
-func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) {
+func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
 	dbEntries, err := db.db.List(adminsTable)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading admins")
@ -115,11 +115,13 @@ func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) {
 			if errors.As(err, &ae) {
 				if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
 					continue
-				}
+				} else {
 					return nil, err
 				}
 			} else {
 				return nil, err
 			}
 		}
 		if adm.AuthorityId != db.authorityID {
 			continue
 		}
--- a/authority/admin/db/nosql/nosql.go
+++ b/authority/admin/db/nosql/nosql.go
@ -36,7 +36,7 @@ func New(db nosqlDB.DB, authorityID string) (*DB, error) {
 // save writes the new data to the database, overwriting the old data if it
 // existed.
-func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error {
+func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error {
 	var (
 		err  error
 		newB []byte
--- a/authority/admin/db/nosql/policy.go
+++ b/authority/admin/db/nosql/policy.go
@ -71,7 +71,7 @@ func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy {
 	return dbToLinked(dbap.Policy)
 }
-func (db *DB) getDBAuthorityPolicyBytes(_ context.Context, authorityID string) ([]byte, error) {
+func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) {
 	data, err := db.db.Get(authorityPoliciesTable, []byte(authorityID))
 	if nosql.IsErrNotFound(err) {
 		return nil, admin.NewError(admin.ErrorNotFoundType, "authority policy not found")
--- a/authority/admin/db/nosql/provisioner.go
+++ b/authority/admin/db/nosql/provisioner.go
@ -70,7 +70,7 @@ func (dbp *dbProvisioner) convert2linkedca() (*linkedca.Provisioner, error) {
 	}, nil
 }
-func (db *DB) getDBProvisionerBytes(_ context.Context, id string) ([]byte, error) {
+func (db *DB) getDBProvisionerBytes(ctx context.Context, id string) ([]byte, error) {
 	data, err := db.db.Get(provisionersTable, []byte(id))
 	if nosql.IsErrNotFound(err) {
 		return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", id)
@ -132,7 +132,7 @@ func (db *DB) GetProvisioner(ctx context.Context, id string) (*linkedca.Provisio
 // GetProvisioners retrieves and unmarshals all active (not deleted) provisioners
 // from the database.
-func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error) {
+func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error) {
 	dbEntries, err := db.db.List(provisionersTable)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading provisioners")
@ -145,11 +145,13 @@ func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error
 			if errors.As(err, &ae) {
 				if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
 					continue
-				}
+				} else {
 					return nil, err
 				}
 			} else {
 				return nil, err
 			}
 		}
 		if prov.AuthorityId != db.authorityID {
 			continue
 		}
--- a/authority/authority.go
+++ b/authority/authority.go
@ -545,6 +545,50 @@ func (a *Authority) init() error {
 		tmplVars.SSH.UserFederatedKeys = append(tmplVars.SSH.UserFederatedKeys, a.sshCAUserFederatedCerts...)
 	}
 	// Check if a KMS with decryption capability is required and available
 	if a.requiresDecrypter() {
 		if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
 			return errors.New("keymanager doesn't provide crypto.Decrypter")
 		}
 	}
 	// TODO: decide if this is a good approach for providing the SCEP functionality
 	// It currently mirrors the logic for the x509CAService
 	if a.requiresSCEPService() && a.scepService == nil {
 		var options scep.Options
 		// Read intermediate and create X509 signer and decrypter for default CAS.
 		options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
 		if err != nil {
 			return err
 		}
 		options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...)
 		options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 			SigningKey: a.config.IntermediateKey,
 			Password:   a.password,
 		})
 		if err != nil {
 			return err
 		}
 		if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
 			options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 				DecryptionKey: a.config.IntermediateKey,
 				Password:      a.password,
 			})
 			if err != nil {
 				return err
 			}
 		}
 		a.scepService, err = scep.NewService(ctx, options)
 		if err != nil {
 			return err
 		}
 		// TODO: mimick the x509CAService GetCertificateAuthority here too?
 	}
 	if a.config.AuthorityConfig.EnableAdmin {
 		// Initialize step-ca Admin Database if it's not already initialized using
 		// WithAdminDB.
@ -640,50 +684,6 @@ func (a *Authority) init() error {
 		return err
 	}
 	// Check if a KMS with decryption capability is required and available
 	if a.requiresDecrypter() {
 		if _, ok := a.keyManager.(kmsapi.Decrypter); !ok {
 			return errors.New("keymanager doesn't provide crypto.Decrypter")
 		}
 	}
 	// TODO: decide if this is a good approach for providing the SCEP functionality
 	// It currently mirrors the logic for the x509CAService
 	if a.requiresSCEPService() && a.scepService == nil {
 		var options scep.Options
 		// Read intermediate and create X509 signer and decrypter for default CAS.
 		options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
 		if err != nil {
 			return err
 		}
 		options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...)
 		options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 			SigningKey: a.config.IntermediateKey,
 			Password:   a.password,
 		})
 		if err != nil {
 			return err
 		}
 		if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
 			options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 				DecryptionKey: a.config.IntermediateKey,
 				Password:      a.password,
 			})
 			if err != nil {
 				return err
 			}
 		}
 		a.scepService, err = scep.NewService(ctx, options)
 		if err != nil {
 			return err
 		}
 		// TODO: mimick the x509CAService GetCertificateAuthority here too?
 	}
 	// Load X509 constraints engine.
 	//
 	// This is currently only available in CA mode.
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -315,7 +315,7 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate)
 }
 // authorizeSSHCertificate returns an error if the given certificate is revoked.
-func (a *Authority) authorizeSSHCertificate(_ context.Context, cert *ssh.Certificate) error {
+func (a *Authority) authorizeSSHCertificate(ctx context.Context, cert *ssh.Certificate) error {
 	var err error
 	var isRevoked bool
@ -394,7 +394,7 @@ func (a *Authority) authorizeSSHRevoke(ctx context.Context, token string) error
 // AuthorizeRenewToken validates the renew token and returns the leaf
 // certificate in the x5cInsecure header.
-func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error) {
+func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error) {
 	var claims jose.Claims
 	jwt, chain, err := jose.ParseX5cInsecure(ott, a.rootX509Certs)
 	if err != nil {
--- a/authority/capabilities.go
+++ b/authority/capabilities.go
@ -0,0 +1,15 @@
 package authority
 // Capabilities defines the capabilities of the authority.
 type Capabilities struct {
 	RemoteConfigurationManagement bool `json:"remoteConfigurationManagement,omitempty"`
 	RequireClientAuthentication   bool `json:"requireClientAuthentication,omitempty"`
 }
 // Capabilities returns the capabilities information of the authority.
 func (a *Authority) Capabilities() Capabilities {
 	return Capabilities{
 		RemoteConfigurationManagement: a.config.AuthorityConfig.EnableAdmin,
 		RequireClientAuthentication:   GlobalVersion.RequireClientAuthentication,
 	}
 }
--- a/authority/config/config.go
+++ b/authority/config/config.go
@ -79,7 +79,6 @@ type Config struct {
 	CommonName       string               `json:"commonName,omitempty"`
 	CRL              *CRLConfig           `json:"crl,omitempty"`
 	SkipValidation   bool                 `json:"-"`
 	NNSServer        string               `json:"nnsServer,omitempty"`
 	// Keeps record of the filename the Config is read from
 	loadedFromFilepath string
@ -91,7 +90,6 @@ type CRLConfig struct {
 	GenerateOnRevoke bool                  `json:"generateOnRevoke,omitempty"`
 	CacheDuration    *provisioner.Duration `json:"cacheDuration,omitempty"`
 	RenewPeriod      *provisioner.Duration `json:"renewPeriod,omitempty"`
 	IDPurl           string                `json:"idpURL,omitempty"`
 }
 // IsEnabled returns if the CRL is enabled.
@ -183,7 +181,7 @@ func (c *AuthConfig) init() {
 }
 // Validate validates the authority configuration.
-func (c *AuthConfig) Validate(provisioner.Audiences) error {
+func (c *AuthConfig) Validate(audiences provisioner.Audiences) error {
 	if c == nil {
 		return errors.New("authority cannot be undefined")
 	}
--- a/authority/linkedca.go
+++ b/authority/linkedca.go
@ -381,19 +381,19 @@ func (c *linkedCaClient) IsSSHRevoked(serial string) (bool, error) {
 	return resp.Status != linkedca.RevocationStatus_ACTIVE, nil
 }
-func (c *linkedCaClient) CreateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error {
+func (c *linkedCaClient) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
 	return errors.New("not implemented yet")
 }
-func (c *linkedCaClient) GetAuthorityPolicy(context.Context) (*linkedca.Policy, error) {
+func (c *linkedCaClient) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) {
 	return nil, errors.New("not implemented yet")
 }
-func (c *linkedCaClient) UpdateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error {
+func (c *linkedCaClient) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
 	return errors.New("not implemented yet")
 }
-func (c *linkedCaClient) DeleteAuthorityPolicy(context.Context) error {
+func (c *linkedCaClient) DeleteAuthorityPolicy(ctx context.Context) error {
 	return errors.New("not implemented yet")
 }
--- a/authority/policy.go
+++ b/authority/policy.go
@ -154,7 +154,7 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string,
 // checkPolicy checks if a new or updated policy configuration results in the user
 // locking themselves or other admins out of the CA.
-func (a *Authority) checkPolicy(_ context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
+func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
 	// convert the policy; return early if nil
 	policyOptions := authPolicy.LinkedToCertificates(p)
 	if policyOptions == nil {
@ -248,7 +248,7 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 		if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
 			return &PolicyError{
 				Typ: AdminLockOut,
-				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name", sans, sans),
+				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
 			}
 		}
 		return &PolicyError{
--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@ -80,7 +80,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 				},
 				err: &PolicyError{
 					Typ: AdminLockOut,
-					Err: errors.New("the provided policy would lock out [step] from the CA. Please create an x509 policy to include [step] as an allowed DNS name"),
+					Err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
 				},
 			}
 		},
@ -127,7 +127,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 				},
 				err: &PolicyError{
 					Typ: AdminLockOut,
-					Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please create an x509 policy to include [otherAdmin] as an allowed DNS name"),
+					Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"),
 				},
 			}
 		},
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@ -26,8 +26,6 @@ const (
 	TLS_ALPN_01 ACMEChallenge = "tls-alpn-01"
 	// DEVICE_ATTEST_01 is the device-attest-01 ACME challenge.
 	DEVICE_ATTEST_01 ACMEChallenge = "device-attest-01"
 	// NNS_01 is the nns-01 ACME challenge.
 	NNS_01 ACMEChallenge = "nns-01"
 )
 // String returns a normalized version of the challenge.
@ -38,7 +36,7 @@ func (c ACMEChallenge) String() string {
 // Validate returns an error if the acme challenge is not a valid one.
 func (c ACMEChallenge) Validate() error {
 	switch ACMEChallenge(c.String()) {
-	case HTTP_01, DNS_01, TLS_ALPN_01, DEVICE_ATTEST_01, NNS_01:
+	case HTTP_01, DNS_01, TLS_ALPN_01, DEVICE_ATTEST_01:
 		return nil
 	default:
 		return fmt.Errorf("acme challenge %q is not supported", c)
@ -50,7 +48,7 @@ func (c ACMEChallenge) Validate() error {
 type ACMEAttestationFormat string
 const (
-	// APPLE is the format used to enable device-attest-01 on Apple devices.
+	// APPLE is the format used to enable device-attest-01 on apple devices.
 	APPLE ACMEAttestationFormat = "apple"
 	// STEP is the format used to enable device-attest-01 on devices that
@ -59,7 +57,7 @@ const (
 	// TODO(mariano): should we rename this to something else.
 	STEP ACMEAttestationFormat = "step"
-	// TPM is the format used to enable device-attest-01 with TPMs.
+	// TPM is the format used to enable device-attest-01 on TPMs.
 	TPM ACMEAttestationFormat = "tpm"
 )
@ -135,7 +133,7 @@ func (p *ACME) GetIDForToken() string {
 }
 // GetTokenID returns the identifier of the token.
-func (p *ACME) GetTokenID(string) (string, error) {
+func (p *ACME) GetTokenID(ott string) (string, error) {
 	return "", errors.New("acme provisioner does not implement GetTokenID")
 }
@ -186,7 +184,7 @@ func (p *ACME) Init(config Config) (err error) {
 	}
 	// Parse attestation roots.
-	// The pool will be nil if there are no roots.
+	// The pool will be nil if the there are not roots.
 	if rest := p.AttestationRoots; len(rest) > 0 {
 		var block *pem.Block
 		var hasCert bool
@ -230,7 +228,7 @@ type ACMEIdentifier struct {
 // AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
 // certificate for an ACME Order Identifier.
-func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error {
+func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error {
 	x509Policy := p.ctl.getPolicy().getX509()
 	// identifier is allowed if no policy is configured
@ -255,7 +253,7 @@ func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdenti
 // AuthorizeSign does not do any validation, because all validation is handled
 // in the ACME protocol. This method returns a list of modifiers / constraints
 // on the resulting certificate.
-func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
+func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	opts := []SignOption{
 		p,
 		// modifiers / withOptions
@ -276,7 +274,7 @@ func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 // the CA. It can be used to authorize revocation of a certificate. With the
 // ACME protocol, revocation authorization is specified and performed as part
 // of the client/server interaction, so this is a no-op.
-func (p *ACME) AuthorizeRevoke(context.Context, string) error {
+func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
 	return nil
 }
@ -291,9 +289,9 @@ func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
 // IsChallengeEnabled checks if the given challenge is enabled. By default
 // http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the
 // Challenge provisioner property should have at least one element.
-func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool {
+func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) bool {
 	enabledChallenges := []ACMEChallenge{
-		HTTP_01, DNS_01, TLS_ALPN_01, NNS_01,
+		HTTP_01, DNS_01, TLS_ALPN_01,
 	}
 	if len(p.Challenges) > 0 {
 		enabledChallenges = p.Challenges
@ -309,7 +307,7 @@ func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bo
 // IsAttestationFormatEnabled checks if the given attestation format is enabled.
 // By default apple, step and tpm are enabled, to disable any of them the
 // AttestationFormat provisioner property should have at least one element.
-func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool {
+func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttestationFormat) bool {
 	enabledFormats := []ACMEAttestationFormat{
 		APPLE, STEP, TPM,
 	}
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -24,7 +24,6 @@ import (
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/webhook"
 )
 // awsIssuer is the string used as issuer in the generated tokens.
@ -74,14 +73,6 @@ const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" //nolin
 // The fifth certificate is used in:
 //
 //	me-south-1
 //
 // The sixth certificate is used in:
 //
 //	me-central-1
 //
 // The seventh certificate is used in:
 //
 //	ap-southeast-3
 const awsCertificate = `-----BEGIN CERTIFICATE-----
 MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
 BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
@ -163,34 +154,6 @@ DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBhkNTBIFgWFd+ZhC/LhRUY
 4OjEiykmbEp6hlzQ79T0Tfbn5A4NYDI2icBP0+hmf6qSnIhwJF6typyd1yPK5Fqt
 NTpxxcXmUKquX+pHmIkK1LKDO8rNE84jqxrxRsfDi6by82fjVYf2pgjJW8R1FAw+
 mL5WQRFexbfB5aXhcMo0AA==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXjRrnDjMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
 AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
 MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTA0MTQxODM5
 MzNaGA8yMjAwMDQxNDE4MzkzM1owXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
 c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
 biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc
 aTgW/KyA6zyruJQrYy00a6wqLA7eeUzk3bMiTkLsTeDQfrkaZMfBAjGaaOymRo1C
 3qzE4rIenmahvUplu9ZmLwL1idWXMRX2RlSvIt+d2SeoKOKQWoc2UOFZMHYxDue7
 zkyk1CIRaBukTeY13/RIrlc6X61zJ5BBtZXlHwayjQIDAQABMA0GCSqGSIb3DQEB
 BQUAA4GBABTqTy3R6RXKPW45FA+cgo7YZEj/Cnz5YaoUivRRdX2A83BHuBTvJE2+
 WX00FTEj4hRVjameE1nENoO8Z7fUVloAFDlDo69fhkJeSvn51D1WRrPnoWGgEfr1
 +OfK1bAcKTtfkkkP9r4RdwSjKzO5Zu/B+Wqm3kVEz/QNcz6npmA6
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICMzCCAZygAwIBAgIGAXbVDG2yMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
 AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
 MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTAxMDYwMDE1
 MzBaGA8yMjAwMDEwNjAwMTUzMFowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
 c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
 biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn
 CS/Vbt0gQ1ebWcur2hSO7PnJifE4OPxQ7RgSAlc4/spJp1sDP+ZrS0LO1ZJfKhXf
 1R9S3AUwLnsc7b+IuVXdY5LK9RKqu64nyXP5dx170zoL8loEyCSuRR2fs+04i2Qs
 WBVP+KFNAn7P5L1EHRjkgTO8kjNKviwRV+OkP9ab5wIDAQABMA0GCSqGSIb3DQEB
 BQUAA4GBAI4WUy6+DKh0JDSzQEZNyBgNlSoSuC2owtMxCwGB6nBfzzfcekWvs6eo
 fLTSGovrReX7MtVgrcJBZjmPIentw5dWUs+87w/g9lNwUnUt0ZHYyh2tuBG6hVJu
 UEwDJ/z3wDd6wQviLOTF3MITawt9P8siR1hXqLJNxpjRQFZrgHqi
 -----END CERTIFICATE-----`
 // awsSignatureAlgorithm is the signature algorithm used to verify the identity
@ -472,7 +435,7 @@ func (p *AWS) Init(config Config) (err error) {
 // AuthorizeSign validates the given token and returns the sign options that
 // will be used on certificate creation.
-func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	payload, err := p.authorizeToken(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSign")
@ -522,11 +485,7 @@ func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		commonNameValidator(payload.Claims.Subject),
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 			data,
 			linkedca.Webhook_X509,
 			webhook.WithAuthorizationPrincipal(doc.InstanceID),
 		),
 	), nil
 }
@ -749,7 +708,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) {
 }
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
-func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("aws.AuthorizeSSHSign; ssh ca is disabled for aws provisioner '%s'", p.GetName())
 	}
@ -809,10 +768,6 @@ func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 			data,
 			linkedca.Webhook_SSH,
 			webhook.WithAuthorizationPrincipal(doc.InstanceID),
 		),
 	), nil
 }
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@ -20,19 +20,13 @@ import (
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/webhook"
 )
 // azureOIDCBaseURL is the base discovery url for Microsoft Azure tokens.
 const azureOIDCBaseURL = "https://login.microsoftonline.com"
 //nolint:gosec // azureIdentityTokenURL is the URL to get the identity token for an instance.
-const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token"
+const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
 const azureIdentityTokenAPIVersion = "2018-02-01"
 // azureInstanceComputeURL is the URL to get the instance compute metadata.
 const azureInstanceComputeURL = "http://169.254.169.254/metadata/instance/compute/azEnvironment"
 // azureDefaultAudience is the default audience used.
 const azureDefaultAudience = "https://management.azure.com/"
@ -41,27 +35,15 @@ const azureDefaultAudience = "https://management.azure.com/"
 // Using case insensitive as resourceGroups appears as resourcegroups.
 var azureXMSMirIDRegExp = regexp.MustCompile(`(?i)^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/Microsoft.(Compute/virtualMachines|ManagedIdentity/userAssignedIdentities)/([^/]+)$`)
 // azureEnvironments is the list of all Azure environments.
 var azureEnvironments = map[string]string{
 	"AzurePublicCloud":       "https://management.azure.com/",
 	"AzureCloud":             "https://management.azure.com/",
 	"AzureUSGovernmentCloud": "https://management.usgovcloudapi.net/",
 	"AzureUSGovernment":      "https://management.usgovcloudapi.net/",
 	"AzureChinaCloud":        "https://management.chinacloudapi.cn/",
 	"AzureGermanCloud":       "https://management.microsoftazure.de/",
 }
 type azureConfig struct {
 	oidcDiscoveryURL string
 	identityTokenURL string
 	instanceComputeURL string
 }
 func newAzureConfig(tenantID string) *azureConfig {
 	return &azureConfig{
 		oidcDiscoveryURL: azureOIDCBaseURL + "/" + tenantID + "/.well-known/openid-configuration",
 		identityTokenURL: azureIdentityTokenURL,
 		instanceComputeURL: azureInstanceComputeURL,
 	}
 }
@ -121,7 +103,6 @@ type Azure struct {
 	oidcConfig             openIDConfiguration
 	keyStore               *keyStore
 	ctl                    *Controller
 	environment            string
 }
 // GetID returns the provisioner unique identifier.
@ -183,35 +164,14 @@ func (p *Azure) GetEncryptedKey() (kid, key string, ok bool) {
 // GetIdentityToken retrieves from the metadata service the identity token and
 // returns it.
 func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) {
 	_, _ = subject, caURL // unused input
 	// Initialize the config if this method is used from the cli.
 	p.assertConfig()
 	// default to AzurePublicCloud to keep existing behavior
 	identityTokenResource := azureEnvironments["AzurePublicCloud"]
 	var err error
 	p.environment, err = p.getAzureEnvironment()
 	if err != nil {
 		return "", errors.Wrap(err, "error getting azure environment")
 	}
 	if resource, ok := azureEnvironments[p.environment]; ok {
 		identityTokenResource = resource
 	}
 	req, err := http.NewRequest("GET", p.config.identityTokenURL, http.NoBody)
 	if err != nil {
 		return "", errors.Wrap(err, "error creating request")
 	}
 	req.Header.Set("Metadata", "true")
 	query := req.URL.Query()
 	query.Add("resource", identityTokenResource)
 	query.Add("api-version", azureIdentityTokenAPIVersion)
 	req.URL.RawQuery = query.Encode()
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", errors.Wrap(err, "error getting identity token, are you in a Azure VM?")
@ -316,7 +276,7 @@ func (p *Azure) authorizeToken(token string) (*azurePayload, string, string, str
 // AuthorizeSign validates the given token and returns the sign options that
 // will be used on certificate creation.
-func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	_, name, group, subscription, identityObjectID, err := p.authorizeToken(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign")
@ -404,11 +364,7 @@ func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, er
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 			data,
 			linkedca.Webhook_X509,
 			webhook.WithAuthorizationPrincipal(identityObjectID),
 		),
 	), nil
 }
@ -421,12 +377,12 @@ func (p *Azure) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) erro
 }
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
-func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("azure.AuthorizeSSHSign; sshCA is disabled for provisioner '%s'", p.GetName())
 	}
-	_, name, _, _, identityObjectID, err := p.authorizeToken(token)
+	_, name, _, _, _, err := p.authorizeToken(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSSHSign")
 	}
@ -478,11 +434,7 @@ func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption,
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 			data,
 			linkedca.Webhook_SSH,
 			webhook.WithAuthorizationPrincipal(identityObjectID),
 		),
 	), nil
 }
@ -492,37 +444,3 @@ func (p *Azure) assertConfig() {
 		p.config = newAzureConfig(p.TenantID)
 	}
 }
 // getAzureEnvironment returns the Azure environment for the current instance
 func (p *Azure) getAzureEnvironment() (string, error) {
 	if p.environment != "" {
 		return p.environment, nil
 	}
 	req, err := http.NewRequest("GET", p.config.instanceComputeURL, http.NoBody)
 	if err != nil {
 		return "", errors.Wrap(err, "error creating request")
 	}
 	req.Header.Add("Metadata", "True")
 	query := req.URL.Query()
 	query.Add("format", "text")
 	query.Add("api-version", "2021-02-01")
 	req.URL.RawQuery = query.Encode()
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", errors.Wrap(err, "error getting azure instance environment, are you in a Azure VM?")
 	}
 	defer resp.Body.Close()
 	b, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", errors.Wrap(err, "error reading azure environment response")
 	}
 	if resp.StatusCode >= 400 {
 		return "", errors.Errorf("error getting azure environment: status=%d, response=%s", resp.StatusCode, b)
 	}
 	return string(b), nil
 }
--- a/authority/provisioner/azure_test.go
+++ b/authority/provisioner/azure_test.go
@ -100,14 +100,7 @@ func TestAzure_GetIdentityToken(t *testing.T) {
 		time.Now(), &p1.keyStore.keySet.Keys[0])
 	assert.FatalError(t, err)
-	srvIdentity := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		wantResource := r.URL.Query().Get("want_resource")
 		resource := r.URL.Query().Get("resource")
 		if wantResource == "" || resource != wantResource {
 			http.Error(w, fmt.Sprintf("Azure query param resource = %s, wantResource %s", resource, wantResource), http.StatusBadRequest)
 			return
 		}
 		switch r.URL.Path {
 		case "/bad-request":
 			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
@ -118,27 +111,7 @@ func TestAzure_GetIdentityToken(t *testing.T) {
 			fmt.Fprintf(w, `{"access_token":"%s"}`, t1)
 		}
 	}))
-	defer srvIdentity.Close()
+	defer srv.Close()
 	srvInstance := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/bad-request":
 			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
 		case "/AzureChinaCloud":
 			w.Header().Add("Content-Type", "text/plain")
 			w.Write([]byte("AzureChinaCloud"))
 		case "/AzureGermanCloud":
 			w.Header().Add("Content-Type", "text/plain")
 			w.Write([]byte("AzureGermanCloud"))
 		case "/AzureUSGovernmentCloud":
 			w.Header().Add("Content-Type", "text/plain")
 			w.Write([]byte("AzureUSGovernmentCloud"))
 		default:
 			w.Header().Add("Content-Type", "text/plain")
 			w.Write([]byte("AzurePublicCloud"))
 		}
 	}))
 	defer srvInstance.Close()
 	type args struct {
 		subject string
@ -149,27 +122,18 @@ func TestAzure_GetIdentityToken(t *testing.T) {
 		azure            *Azure
 		args             args
 		identityTokenURL string
 		instanceComputeURL string
 		wantEnvironment    string
 		want             string
 		wantErr          bool
 	}{
-		{"ok", p1, args{"subject", "caURL"}, srvIdentity.URL, srvInstance.URL, "AzurePublicCloud", t1, false},
+		{"ok", p1, args{"subject", "caURL"}, srv.URL, t1, false},
-		{"ok azure china", p1, args{"subject", "caURL"}, srvIdentity.URL, srvInstance.URL, "AzurePublicCloud", t1, false},
+		{"fail request", p1, args{"subject", "caURL"}, srv.URL + "/bad-request", "", true},
-		{"ok azure germany", p1, args{"subject", "caURL"}, srvIdentity.URL, srvInstance.URL, "AzureGermanCloud", t1, false},
+		{"fail unmarshal", p1, args{"subject", "caURL"}, srv.URL + "/bad-json", "", true},
-		{"ok azure us gov", p1, args{"subject", "caURL"}, srvIdentity.URL, srvInstance.URL, "AzureUSGovernmentCloud", t1, false},
+		{"fail url", p1, args{"subject", "caURL"}, "://ca.smallstep.com", "", true},
-		{"fail instance request", p1, args{"subject", "caURL"}, srvIdentity.URL + "/bad-request", srvInstance.URL + "/bad-request", "AzurePublicCloud", "", true},
+		{"fail connect", p1, args{"subject", "caURL"}, "foobarzar", "", true},
 		{"fail request", p1, args{"subject", "caURL"}, srvIdentity.URL + "/bad-request", srvInstance.URL, "AzurePublicCloud", "", true},
 		{"fail unmarshal", p1, args{"subject", "caURL"}, srvIdentity.URL + "/bad-json", srvInstance.URL, "AzurePublicCloud", "", true},
 		{"fail url", p1, args{"subject", "caURL"}, "://ca.smallstep.com", srvInstance.URL, "AzurePublicCloud", "", true},
 		{"fail connect", p1, args{"subject", "caURL"}, "foobarzar", srvInstance.URL, "AzurePublicCloud", "", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			// reset environment between tests to avoid caching issues
+			tt.azure.config.identityTokenURL = tt.identityTokenURL
 			p1.environment = ""
 			tt.azure.config.identityTokenURL = tt.identityTokenURL + "?want_resource=" + azureEnvironments[tt.wantEnvironment]
 			tt.azure.config.instanceComputeURL = tt.instanceComputeURL + "/" + tt.wantEnvironment
 			got, err := tt.azure.GetIdentityToken(tt.args.subject, tt.args.caURL)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("Azure.GetIdentityToken() error = %v, wantErr %v", err, tt.wantErr)
--- a/authority/provisioner/controller.go
+++ b/authority/provisioner/controller.go
@ -10,7 +10,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/webhook"
 	"go.step.sm/linkedca"
 	"golang.org/x/crypto/ssh"
 )
@ -78,7 +77,7 @@ func (c *Controller) AuthorizeSSHRenew(ctx context.Context, cert *ssh.Certificat
 	return DefaultAuthorizeSSHRenew(ctx, c, cert)
 }
-func (c *Controller) newWebhookController(templateData WebhookSetter, certType linkedca.Webhook_CertType, opts ...webhook.RequestBodyOption) *WebhookController {
+func (c *Controller) newWebhookController(templateData WebhookSetter, certType linkedca.Webhook_CertType) *WebhookController {
 	client := c.webhookClient
 	if client == nil {
 		client = http.DefaultClient
@ -88,7 +87,6 @@ func (c *Controller) newWebhookController(templateData WebhookSetter, certType l
 		client:       client,
 		webhooks:     c.webhooks,
 		certType:     certType,
 		options:      opts,
 	}
 }
@ -113,7 +111,7 @@ type AuthorizeSSHRenewFunc func(ctx context.Context, p *Controller, cert *ssh.Ce
 // DefaultIdentityFunc return a default identity depending on the provisioner
 // type. For OIDC email is always present and the usernames might
 // contain empty strings.
-func DefaultIdentityFunc(_ context.Context, p Interface, email string) (*Identity, error) {
+func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error) {
 	switch k := p.(type) {
 	case *OIDC:
 		// OIDC principals would be:
@ -142,7 +140,7 @@ func DefaultIdentityFunc(_ context.Context, p Interface, email string) (*Identit
 // will return an error if the provisioner has the renewal disabled, if the
 // certificate is not yet valid or if the certificate is expired and renew after
 // expiry is disabled.
-func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certificate) error {
+func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certificate) error {
 	if p.Claimer.IsDisableRenewal() {
 		return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName())
 	}
@ -164,7 +162,7 @@ func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certific
 // will return an error if the provisioner has the renewal disabled, if the
 // certificate is not yet valid or if the certificate is expired and renew after
 // expiry is disabled.
-func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certificate) error {
+func DefaultAuthorizeSSHRenew(ctx context.Context, p *Controller, cert *ssh.Certificate) error {
 	if p.Claimer.IsDisableRenewal() {
 		return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName())
 	}
--- a/authority/provisioner/controller_test.go
+++ b/authority/provisioner/controller_test.go
@ -4,18 +4,15 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
 	"net/http"
 	"reflect"
 	"testing"
 	"time"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"go.step.sm/linkedca"
 	"golang.org/x/crypto/ssh"
 	"github.com/smallstep/certificates/authority/policy"
 	"github.com/smallstep/certificates/webhook"
 )
 var trueValue = true
@ -452,39 +449,16 @@ func TestDefaultAuthorizeSSHRenew(t *testing.T) {
 }
 func Test_newWebhookController(t *testing.T) {
 	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
 	if err != nil {
 		t.Fatal(err)
 	}
 	opts := []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)}
 	type args struct {
 		templateData WebhookSetter
 		certType     linkedca.Webhook_CertType
 		opts         []webhook.RequestBodyOption
 	}
 	tests := []struct {
 		name string
 		args args
 		want *WebhookController
 	}{
 		{"ok", args{x509util.TemplateData{"foo": "bar"}, linkedca.Webhook_X509, nil}, &WebhookController{
 			TemplateData: x509util.TemplateData{"foo": "bar"},
 			certType:     linkedca.Webhook_X509,
 			client:       http.DefaultClient,
 		}},
 		{"ok with options", args{x509util.TemplateData{"foo": "bar"}, linkedca.Webhook_SSH, opts}, &WebhookController{
 			TemplateData: x509util.TemplateData{"foo": "bar"},
 			certType:     linkedca.Webhook_SSH,
 			client:       http.DefaultClient,
 			options:      opts,
 		}},
 	}
 	for _, tt := range tests {
 	c := &Controller{}
-		got := c.newWebhookController(tt.args.templateData, tt.args.certType, tt.args.opts...)
+	data := x509util.TemplateData{"foo": "bar"}
-		if !reflect.DeepEqual(got, tt.want) {
+	ctl := c.newWebhookController(data, linkedca.Webhook_X509)
-			t.Errorf("newWebhookController() = %v, want %v", got, tt.want)
+	if !reflect.DeepEqual(ctl.TemplateData, data) {
-		}
+		t.Error("Failed to set templateData")
 	}
 	if ctl.certType != linkedca.Webhook_X509 {
 		t.Error("Failed to set certType")
 	}
 	if ctl.client == nil {
 		t.Error("Failed to set client")
 	}
 }
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -21,7 +21,6 @@ import (
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/webhook"
 )
 // gcpCertsURL is the url that serves Google OAuth2 public keys.
@ -170,8 +169,6 @@ func (p *GCP) GetIdentityURL(audience string) string {
 // GetIdentityToken does an HTTP request to the identity url.
 func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) {
 	_ = subject // unused input
 	audience, err := generateSignAudience(caURL, p.GetIDForToken())
 	if err != nil {
 		return "", err
@ -223,7 +220,7 @@ func (p *GCP) Init(config Config) (err error) {
 // AuthorizeSign validates the given token and returns the sign options that
 // will be used on certificate creation.
-func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	claims, err := p.authorizeToken(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSign")
@ -276,11 +273,7 @@ func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 			data,
 			linkedca.Webhook_X509,
 			webhook.WithAuthorizationPrincipal(ce.InstanceID),
 		),
 	), nil
 }
@ -387,7 +380,7 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) {
 }
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
-func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("gcp.AuthorizeSSHSign; sshCA is disabled for gcp provisioner '%s'", p.GetName())
 	}
@ -447,10 +440,6 @@ func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), nil),
 		// Call webhooks
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 			data,
 			linkedca.Webhook_SSH,
 			webhook.WithAuthorizationPrincipal(ce.InstanceID),
 		),
 	), nil
 }
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -143,14 +143,14 @@ func (p *JWK) authorizeToken(token string, audiences []string) (*jwtPayload, err
 // AuthorizeRevoke returns an error if the provisioner does not have rights to
 // revoke the certificate with serial number in the `sub` property.
-func (p *JWK) AuthorizeRevoke(_ context.Context, token string) error {
+func (p *JWK) AuthorizeRevoke(ctx context.Context, token string) error {
 	_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
 	// TODO(hs): authorize the SANs using x509 name policy allow/deny rules (also for other provisioners with AuthorizeRevoke)
 	return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeRevoke")
 }
 // AuthorizeSign validates the given token.
-func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
@ -209,7 +209,7 @@ func (p *JWK) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
 }
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
-func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("jwk.AuthorizeSSHSign; sshCA is disabled for jwk provisioner '%s'", p.GetName())
 	}
@ -286,7 +286,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 }
 // AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
-func (p *JWK) AuthorizeSSHRevoke(_ context.Context, token string) error {
+func (p *JWK) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 	_, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke)
 	// TODO(hs): authorize the principals using SSH name policy allow/deny rules (also for other provisioners with AuthorizeSSHRevoke)
 	return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSSHRevoke")
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -72,7 +72,7 @@ func (p *K8sSA) GetIDForToken() string {
 }
 // GetTokenID returns an unimplemented error and does not use the input ott.
-func (p *K8sSA) GetTokenID(string) (string, error) {
+func (p *K8sSA) GetTokenID(ott string) (string, error) {
 	return "", errors.New("not implemented")
 }
@ -148,7 +148,6 @@ func (p *K8sSA) Init(config Config) (err error) {
 // claims for case specific downstream parsing.
 // e.g. a Sign request will auth/validate different fields than a Revoke request.
 func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload, error) {
 	_ = audiences // unused input
 	jwt, err := jose.ParseSigned(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusUnauthorized, err,
@ -208,13 +207,13 @@ func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload,
 // AuthorizeRevoke returns an error if the provisioner does not have rights to
 // revoke the certificate with serial number in the `sub` property.
-func (p *K8sSA) AuthorizeRevoke(_ context.Context, token string) error {
+func (p *K8sSA) AuthorizeRevoke(ctx context.Context, token string) error {
 	_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
 	return errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeRevoke")
 }
 // AuthorizeSign validates the given token.
-func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
@ -254,7 +253,7 @@ func (p *K8sSA) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) erro
 }
 // AuthorizeSSHSign validates an request for an SSH certificate.
-func (p *K8sSA) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("k8ssa.AuthorizeSSHSign; sshCA is disabled for k8sSA provisioner '%s'", p.GetName())
 	}
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@ -116,7 +116,7 @@ func (p *Nebula) GetEncryptedKey() (kid, key string, ok bool) {
 }
 // AuthorizeSign returns the list of SignOption for a Sign request.
-func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	crt, claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
 	if err != nil {
 		return nil, err
@ -171,7 +171,7 @@ func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, e
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
 // Currently the Nebula provisioner only grants host SSH certificates.
-func (p *Nebula) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
 	}
@ -275,12 +275,12 @@ func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) erro
 }
 // AuthorizeRevoke returns an error if the token is not valid.
-func (p *Nebula) AuthorizeRevoke(_ context.Context, token string) error {
+func (p *Nebula) AuthorizeRevoke(ctx context.Context, token string) error {
 	return p.validateToken(token, p.ctl.Audiences.Revoke)
 }
 // AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid.
-func (p *Nebula) AuthorizeSSHRevoke(_ context.Context, token string) error {
+func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name)
 	}
@ -291,12 +291,12 @@ func (p *Nebula) AuthorizeSSHRevoke(_ context.Context, token string) error {
 }
 // AuthorizeSSHRenew returns an unauthorized error.
-func (p *Nebula) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
+func (p *Nebula) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
 	return nil, errs.Unauthorized("nebula provisioner does not support SSH renew")
 }
 // AuthorizeSSHRekey returns an unauthorized error.
-func (p *Nebula) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) {
+func (p *Nebula) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
 	return nil, nil, errs.Unauthorized("nebula provisioner does not support SSH rekey")
 }
--- a/authority/provisioner/noop.go
+++ b/authority/provisioner/noop.go
@ -18,7 +18,7 @@ func (p *noop) GetIDForToken() string {
 	return "noop"
 }
-func (p *noop) GetTokenID(string) (string, error) {
+func (p *noop) GetTokenID(token string) (string, error) {
 	return "", nil
 }
@ -33,35 +33,35 @@ func (p *noop) GetEncryptedKey() (kid, key string, ok bool) {
 	return "", "", false
 }
-func (p *noop) Init(Config) error {
+func (p *noop) Init(config Config) error {
 	return nil
 }
-func (p *noop) AuthorizeSign(context.Context, string) ([]SignOption, error) {
+func (p *noop) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	return []SignOption{p}, nil
 }
-func (p *noop) AuthorizeRenew(context.Context, *x509.Certificate) error {
+func (p *noop) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
 	return nil
 }
-func (p *noop) AuthorizeRevoke(context.Context, string) error {
+func (p *noop) AuthorizeRevoke(ctx context.Context, token string) error {
 	return nil
 }
-func (p *noop) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) {
+func (p *noop) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	return []SignOption{p}, nil
 }
-func (p *noop) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
+func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
 	//nolint:nilnil // fine for noop
 	return nil, nil
 }
-func (p *noop) AuthorizeSSHRevoke(context.Context, string) error {
+func (p *noop) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 	return nil
 }
-func (p *noop) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) {
+func (p *noop) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
 	return nil, []SignOption{}, nil
 }
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -230,7 +230,7 @@ func (o *OIDC) ValidatePayload(p openIDPayload) error {
 			}
 		}
 		if !found {
-			return errs.Unauthorized("validatePayload: failed to validate oidc token payload: email %q is not allowed", p.Email)
+			return errs.Unauthorized("validatePayload: failed to validate oidc token payload: email is not allowed")
 		}
 	}
@ -292,7 +292,7 @@ func (o *OIDC) authorizeToken(token string) (*openIDPayload, error) {
 // AuthorizeRevoke returns an error if the provisioner does not have rights to
 // revoke the certificate with serial number in the `sub` property.
 // Only tokens generated by an admin have the right to revoke a certificate.
-func (o *OIDC) AuthorizeRevoke(_ context.Context, token string) error {
+func (o *OIDC) AuthorizeRevoke(ctx context.Context, token string) error {
 	claims, err := o.authorizeToken(token)
 	if err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeRevoke")
@ -307,7 +307,7 @@ func (o *OIDC) AuthorizeRevoke(_ context.Context, token string) error {
 }
 // AuthorizeSign validates the given token.
-func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	claims, err := o.authorizeToken(token)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
@ -385,13 +385,16 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	}
 	var data sshutil.TemplateData
 	var principals []string
 	if claims.Email == "" {
-		// If email is empty, use the Subject claim instead to create minimal
+		// If email is empty, use the Subject claim instead to create minimal data for the template to use
 		// data for the template to use.
 		data = sshutil.CreateTemplateData(sshutil.UserCert, claims.Subject, nil)
 		if v, err := unsafeParseSigned(token); err == nil {
 			data.SetToken(v)
 		}
 		principals = nil
 	} else {
 		// Get the identity using either the default identityFunc or one injected
 		// externally. Note that the PreferredUsername might be empty.
@ -414,6 +417,8 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 		for k, v := range iden.Permissions.CriticalOptions {
 			data.AddCriticalOption(k, v)
 		}
 		principals = iden.Usernames
 	}
 	// Use the default template unless no-templates are configured and email is
@ -442,6 +447,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	} else {
 		signOptions = append(signOptions, sshCertOptionsValidator(SignSSHOptions{
 			CertType:   SSHUserCert,
 			Principals: principals,
 		}))
 	}
@ -463,7 +469,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 }
 // AuthorizeSSHRevoke returns nil if the token is valid, false otherwise.
-func (o *OIDC) AuthorizeSSHRevoke(_ context.Context, token string) error {
+func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 	claims, err := o.authorizeToken(token)
 	if err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHRevoke")
--- a/authority/provisioner/oidc_test.go
+++ b/authority/provisioner/oidc_test.go
@ -13,7 +13,6 @@ import (
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/jose"
 	"github.com/smallstep/assert"
@ -222,37 +221,39 @@ func TestOIDC_authorizeToken(t *testing.T) {
 		args       args
 		code       int
 		wantIssuer string
-		expErr     error
+		wantErr    bool
 	}{
-		{"ok1", p1, args{t1}, http.StatusOK, issuer, nil},
+		{"ok1", p1, args{t1}, http.StatusOK, issuer, false},
-		{"ok tenantid", p2, args{t2}, http.StatusOK, tenantIssuer, nil},
+		{"ok tenantid", p2, args{t2}, http.StatusOK, tenantIssuer, false},
-		{"ok admin", p3, args{t3}, http.StatusOK, issuer, nil},
+		{"ok admin", p3, args{t3}, http.StatusOK, issuer, false},
-		{"ok domain", p3, args{t4}, http.StatusOK, issuer, nil},
+		{"ok domain", p3, args{t4}, http.StatusOK, issuer, false},
-		{"ok no email", p3, args{t5}, http.StatusOK, issuer, nil},
+		{"ok no email", p3, args{t5}, http.StatusOK, issuer, false},
-		{"fail-domain", p3, args{failDomain}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: email "name@example.com" is not allowed`)},
+		{"fail-domain", p3, args{failDomain}, http.StatusUnauthorized, "", true},
-		{"fail-key", p1, args{failKey}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; cannot validate oidc token`)},
+		{"fail-key", p1, args{failKey}, http.StatusUnauthorized, "", true},
-		{"fail-token", p1, args{failTok}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; error parsing oidc token: invalid character '~' looking for beginning of value`)},
+		{"fail-token", p1, args{failTok}, http.StatusUnauthorized, "", true},
-		{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; error parsing oidc token claims: invalid character '~' looking for beginning of value`)},
+		{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, "", true},
-		{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, invalid issuer claim (iss)`)},
+		{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, "", true},
-		{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, invalid audience claim (aud)`)},
+		{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, "", true},
-		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; cannot validate oidc token`)},
+		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, "", true},
-		{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, token is expired (exp)`)},
+		{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, "", true},
-		{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, token not valid yet (nbf)`)},
+		{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, "", true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			got, err := tt.prov.authorizeToken(tt.args.token)
-			if tt.expErr != nil {
+			if (err != nil) != tt.wantErr {
-				require.Error(t, err)
+				fmt.Println(tt)
-				require.EqualError(t, err, tt.expErr.Error())
+				t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
-
+				return
 			}
 			if err != nil {
 				var sc render.StatusCodedError
-				require.ErrorAs(t, err, &sc, "error does not implement StatusCodedError interface")
+				assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
-				require.Equal(t, tt.code, sc.StatusCode())
+				assert.Equals(t, sc.StatusCode(), tt.code)
-				require.Nil(t, got)
+				assert.Nil(t, got)
 			} else {
-				require.NotNil(t, got)
+				assert.NotNil(t, got)
-				require.Equal(t, tt.wantIssuer, got.Issuer)
+				assert.Equals(t, got.Issuer, tt.wantIssuer)
 			}
 		})
 	}
@ -338,6 +339,8 @@ func TestOIDC_AuthorizeSign(t *testing.T) {
 					case *validityValidator:
 						assert.Equals(t, v.min, tt.prov.ctl.Claimer.MinTLSCertDuration())
 						assert.Equals(t, v.max, tt.prov.ctl.Claimer.MaxTLSCertDuration())
 					case emailOnlyIdentity:
 						assert.Equals(t, string(v), "name@smallstep.com")
 					case *x509NamePolicyValidator:
 						assert.Equals(t, nil, v.policyEngine)
 					case *WebhookController:
@ -579,9 +582,6 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
 		{"ok-principals", p1, args{t1, SignSSHOptions{Principals: []string{"name"}}, pub},
 			&SignSSHOptions{CertType: "user", Principals: []string{"name", "name@smallstep.com"},
 				ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
 		{"ok-principals-ignore-passed", p1, args{t1, SignSSHOptions{Principals: []string{"root"}}, pub},
 			&SignSSHOptions{CertType: "user", Principals: []string{"name", "name@smallstep.com"},
 				ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
 		{"ok-principals-getIdentity", p4, args{okGetIdentityToken, SignSSHOptions{Principals: []string{"mariano"}}, pub},
 			&SignSSHOptions{CertType: "user", Principals: []string{"max", "mariano"},
 				ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
@ -600,6 +600,7 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
 				ValidAfter: NewTimeDuration(tm), ValidBefore: NewTimeDuration(tm.Add(userDuration))}, http.StatusOK, false, false},
 		{"fail-rsa1024", p1, args{t1, SignSSHOptions{}, rsa1024.Public()}, expectedUserOptions, http.StatusOK, false, true},
 		{"fail-user-host", p1, args{t1, SignSSHOptions{CertType: "host"}, pub}, nil, http.StatusOK, false, true},
 		{"fail-user-principals", p1, args{t1, SignSSHOptions{Principals: []string{"root"}}, pub}, nil, http.StatusOK, false, true},
 		{"fail-getIdentity", p5, args{failGetIdentityToken, SignSSHOptions{}, pub}, nil, http.StatusInternalServerError, true, false},
 		{"fail-sshCA-disabled", p6, args{"foo", SignSSHOptions{}, pub}, nil, http.StatusUnauthorized, true, false},
 		// Missing parametrs
--- a/authority/provisioner/provisioner.go
+++ b/authority/provisioner/provisioner.go
@ -10,9 +10,8 @@ import (
 	"strings"
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ssh"
 	"github.com/smallstep/certificates/errs"
 	"golang.org/x/crypto/ssh"
 )
 // Interface is the interface that all provisioner types must implement.
@ -298,43 +297,43 @@ type base struct{}
 // AuthorizeSign returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for signing x509 Certificates.
-func (b *base) AuthorizeSign(context.Context, string) ([]SignOption, error) {
+func (b *base) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	return nil, errs.Unauthorized("provisioner.AuthorizeSign not implemented")
 }
 // AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for revoking x509 Certificates.
-func (b *base) AuthorizeRevoke(context.Context, string) error {
+func (b *base) AuthorizeRevoke(ctx context.Context, token string) error {
 	return errs.Unauthorized("provisioner.AuthorizeRevoke not implemented")
 }
 // AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for renewing x509 Certificates.
-func (b *base) AuthorizeRenew(context.Context, *x509.Certificate) error {
+func (b *base) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
 	return errs.Unauthorized("provisioner.AuthorizeRenew not implemented")
 }
 // AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for signing SSH Certificates.
-func (b *base) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) {
+func (b *base) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented")
 }
 // AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for revoking SSH Certificates.
-func (b *base) AuthorizeSSHRevoke(context.Context, string) error {
+func (b *base) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 	return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented")
 }
 // AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for renewing SSH Certificates.
-func (b *base) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
+func (b *base) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
 	return nil, errs.Unauthorized("provisioner.AuthorizeSSHRenew not implemented")
 }
 // AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
 // this method if they will support authorizing tokens for rekeying SSH Certificates.
-func (b *base) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) {
+func (b *base) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
 	return nil, nil, errs.Unauthorized("provisioner.AuthorizeSSHRekey not implemented")
 }
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -2,16 +2,10 @@ package provisioner
 import (
 	"context"
 	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/pkg/errors"
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/webhook"
 )
 // SCEP is the SCEP provisioner type, an entity that can authorize the
@ -39,8 +33,8 @@ type SCEP struct {
 	Options                       *Options `json:"options,omitempty"`
 	Claims                        *Claims  `json:"claims,omitempty"`
 	ctl                           *Controller
 	secretChallengePassword       string
 	encryptionAlgorithm           int
 	challengeValidationController *challengeValidationController
 }
 // GetID returns the provisioner unique identifier.
@ -73,7 +67,7 @@ func (s *SCEP) GetEncryptedKey() (string, string, bool) {
 }
 // GetTokenID returns the identifier of the token.
-func (s *SCEP) GetTokenID(string) (string, error) {
+func (s *SCEP) GetTokenID(ott string) (string, error) {
 	return "", errors.New("scep provisioner does not implement GetTokenID")
 }
@ -88,67 +82,6 @@ func (s *SCEP) DefaultTLSCertDuration() time.Duration {
 	return s.ctl.Claimer.DefaultTLSCertDuration()
 }
 type challengeValidationController struct {
 	client   *http.Client
 	webhooks []*Webhook
 }
 // newChallengeValidationController creates a new challengeValidationController
 // that performs challenge validation through webhooks.
 func newChallengeValidationController(client *http.Client, webhooks []*Webhook) *challengeValidationController {
 	scepHooks := []*Webhook{}
 	for _, wh := range webhooks {
 		if wh.Kind != linkedca.Webhook_SCEPCHALLENGE.String() {
 			continue
 		}
 		if !isCertTypeOK(wh) {
 			continue
 		}
 		scepHooks = append(scepHooks, wh)
 	}
 	return &challengeValidationController{
 		client:   client,
 		webhooks: scepHooks,
 	}
 }
 var (
 	ErrSCEPChallengeInvalid = errors.New("webhook server did not allow request")
 )
 // Validate executes zero or more configured webhooks to
 // validate the SCEP challenge. If at least one of them indicates
 // the challenge value is accepted, validation succeeds. In
 // that case, the other webhooks will be skipped. If none of
 // the webhooks indicates the value of the challenge was accepted,
 // an error is returned.
 func (c *challengeValidationController) Validate(ctx context.Context, challenge, transactionID string) error {
 	for _, wh := range c.webhooks {
 		req := &webhook.RequestBody{
 			SCEPChallenge:     challenge,
 			SCEPTransactionID: transactionID,
 		}
 		resp, err := wh.DoWithContext(ctx, c.client, req, nil) // TODO(hs): support templated URL? Requires some refactoring
 		if err != nil {
 			return fmt.Errorf("failed executing webhook request: %w", err)
 		}
 		if resp.Allow {
 			return nil // return early when response is positive
 		}
 	}
 	return ErrSCEPChallengeInvalid
 }
 // isCertTypeOK returns whether or not the webhook can be used
 // with the SCEP challenge validation webhook controller.
 func isCertTypeOK(wh *Webhook) bool {
 	if wh.CertType == linkedca.Webhook_ALL.String() || wh.CertType == "" {
 		return true
 	}
 	return linkedca.Webhook_X509.String() == wh.CertType
 }
 // Init initializes and validates the fields of a SCEP type.
 func (s *SCEP) Init(config Config) (err error) {
 	switch {
@ -158,6 +91,10 @@ func (s *SCEP) Init(config Config) (err error) {
 		return errors.New("provisioner name cannot be empty")
 	}
 	// Mask the actual challenge value, so it won't be marshaled
 	s.secretChallengePassword = s.ChallengePassword
 	s.ChallengePassword = "*** redacted ***"
 	// Default to 2048 bits minimum public key length (for CSRs) if not set
 	if s.MinimumPublicKeyLength == 0 {
 		s.MinimumPublicKeyLength = 2048
@ -172,11 +109,6 @@ func (s *SCEP) Init(config Config) (err error) {
 		return errors.New("only encryption algorithm identifiers from 0 to 4 are valid")
 	}
 	s.challengeValidationController = newChallengeValidationController(
 		config.WebhookClient,
 		s.GetOptions().GetWebhooks(),
 	)
 	// TODO: add other, SCEP specific, options?
 	s.ctl, err = NewController(s, s.Claims, config, s.Options)
@ -186,7 +118,7 @@ func (s *SCEP) Init(config Config) (err error) {
 // AuthorizeSign does not do any verification, because all verification is handled
 // in the SCEP protocol. This method returns a list of modifiers / constraints
 // on the resulting certificate.
-func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) {
+func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	return []SignOption{
 		s,
 		// modifiers / withOptions
@ -201,6 +133,11 @@ func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) {
 	}, nil
 }
 // GetChallengePassword returns the challenge password
 func (s *SCEP) GetChallengePassword() string {
 	return s.secretChallengePassword
 }
 // GetCapabilities returns the CA capabilities
 func (s *SCEP) GetCapabilities() []string {
 	return s.Capabilities
@ -219,43 +156,3 @@ func (s *SCEP) ShouldIncludeRootInChain() bool {
 func (s *SCEP) GetContentEncryptionAlgorithm() int {
 	return s.encryptionAlgorithm
 }
 // ValidateChallenge validates the provided challenge. It starts by
 // selecting the validation method to use, then performs validation
 // according to that method.
 func (s *SCEP) ValidateChallenge(ctx context.Context, challenge, transactionID string) error {
 	if s.challengeValidationController == nil {
 		return fmt.Errorf("provisioner %q wasn't initialized", s.Name)
 	}
 	switch s.selectValidationMethod() {
 	case validationMethodWebhook:
 		return s.challengeValidationController.Validate(ctx, challenge, transactionID)
 	default:
 		if subtle.ConstantTimeCompare([]byte(s.ChallengePassword), []byte(challenge)) == 0 {
 			return errors.New("invalid challenge password provided")
 		}
 		return nil
 	}
 }
 type validationMethod string
 const (
 	validationMethodNone    validationMethod = "none"
 	validationMethodStatic  validationMethod = "static"
 	validationMethodWebhook validationMethod = "webhook"
 )
 // selectValidationMethod returns the method to validate SCEP
 // challenges. If a webhook is configured with kind `SCEPCHALLENGE`,
 // the webhook method will be used. If a challenge password is set,
 // the static method is used. It will default to the `none` method.
 func (s *SCEP) selectValidationMethod() validationMethod {
 	if len(s.challengeValidationController.webhooks) > 0 {
 		return validationMethodWebhook
 	}
 	if s.ChallengePassword != "" {
 		return validationMethodStatic
 	}
 	return validationMethodNone
 }
--- a/authority/provisioner/scep_test.go
+++ b/authority/provisioner/scep_test.go
@ -1,342 +0,0 @@
 package provisioner
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/linkedca"
 )
 func Test_challengeValidationController_Validate(t *testing.T) {
 	type request struct {
 		Challenge     string `json:"scepChallenge"`
 		TransactionID string `json:"scepTransactionID"`
 	}
 	type response struct {
 		Allow bool `json:"allow"`
 	}
 	nokServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		req := &request{}
 		err := json.NewDecoder(r.Body).Decode(req)
 		require.NoError(t, err)
 		assert.Equal(t, "not-allowed", req.Challenge)
 		assert.Equal(t, "transaction-1", req.TransactionID)
 		b, err := json.Marshal(response{Allow: false})
 		require.NoError(t, err)
 		w.WriteHeader(200)
 		w.Write(b)
 	}))
 	okServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		req := &request{}
 		err := json.NewDecoder(r.Body).Decode(req)
 		require.NoError(t, err)
 		assert.Equal(t, "challenge", req.Challenge)
 		assert.Equal(t, "transaction-1", req.TransactionID)
 		b, err := json.Marshal(response{Allow: true})
 		require.NoError(t, err)
 		w.WriteHeader(200)
 		w.Write(b)
 	}))
 	type fields struct {
 		client   *http.Client
 		webhooks []*Webhook
 	}
 	type args struct {
 		challenge     string
 		transactionID string
 	}
 	tests := []struct {
 		name   string
 		fields fields
 		args   args
 		server *httptest.Server
 		expErr error
 	}{
 		{
 			name:   "fail/no-webhook",
 			fields: fields{http.DefaultClient, nil},
 			args:   args{"no-webhook", "transaction-1"},
 			expErr: errors.New("webhook server did not allow request"),
 		},
 		{
 			name: "fail/wrong-cert-type",
 			fields: fields{http.DefaultClient, []*Webhook{
 				{
 					Kind:     linkedca.Webhook_SCEPCHALLENGE.String(),
 					CertType: linkedca.Webhook_SSH.String(),
 				},
 			}},
 			args:   args{"wrong-cert-type", "transaction-1"},
 			expErr: errors.New("webhook server did not allow request"),
 		},
 		{
 			name: "fail/wrong-secret-value",
 			fields: fields{http.DefaultClient, []*Webhook{
 				{
 					ID:       "webhook-id-1",
 					Name:     "webhook-name-1",
 					Secret:   "{{}}",
 					Kind:     linkedca.Webhook_SCEPCHALLENGE.String(),
 					CertType: linkedca.Webhook_X509.String(),
 					URL:      okServer.URL,
 				},
 			}},
 			args: args{
 				challenge:     "wrong-secret-value",
 				transactionID: "transaction-1",
 			},
 			expErr: errors.New("failed executing webhook request: illegal base64 data at input byte 0"),
 		},
 		{
 			name: "fail/not-allowed",
 			fields: fields{http.DefaultClient, []*Webhook{
 				{
 					ID:       "webhook-id-1",
 					Name:     "webhook-name-1",
 					Secret:   "MTIzNAo=",
 					Kind:     linkedca.Webhook_SCEPCHALLENGE.String(),
 					CertType: linkedca.Webhook_X509.String(),
 					URL:      nokServer.URL,
 				},
 			}},
 			args: args{
 				challenge:     "not-allowed",
 				transactionID: "transaction-1",
 			},
 			server: nokServer,
 			expErr: errors.New("webhook server did not allow request"),
 		},
 		{
 			name: "ok",
 			fields: fields{http.DefaultClient, []*Webhook{
 				{
 					ID:       "webhook-id-1",
 					Name:     "webhook-name-1",
 					Secret:   "MTIzNAo=",
 					Kind:     linkedca.Webhook_SCEPCHALLENGE.String(),
 					CertType: linkedca.Webhook_X509.String(),
 					URL:      okServer.URL,
 				},
 			}},
 			args: args{
 				challenge:     "challenge",
 				transactionID: "transaction-1",
 			},
 			server: okServer,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := newChallengeValidationController(tt.fields.client, tt.fields.webhooks)
 			if tt.server != nil {
 				defer tt.server.Close()
 			}
 			ctx := context.Background()
 			err := c.Validate(ctx, tt.args.challenge, tt.args.transactionID)
 			if tt.expErr != nil {
 				assert.EqualError(t, err, tt.expErr.Error())
 				return
 			}
 			assert.NoError(t, err)
 		})
 	}
 }
 func TestController_isCertTypeOK(t *testing.T) {
 	assert.True(t, isCertTypeOK(&Webhook{CertType: linkedca.Webhook_X509.String()}))
 	assert.True(t, isCertTypeOK(&Webhook{CertType: linkedca.Webhook_ALL.String()}))
 	assert.True(t, isCertTypeOK(&Webhook{CertType: ""}))
 	assert.False(t, isCertTypeOK(&Webhook{CertType: linkedca.Webhook_SSH.String()}))
 }
 func Test_selectValidationMethod(t *testing.T) {
 	tests := []struct {
 		name string
 		p    *SCEP
 		want validationMethod
 	}{
 		{"webhooks", &SCEP{
 			Name: "SCEP",
 			Type: "SCEP",
 			Options: &Options{
 				Webhooks: []*Webhook{
 					{
 						Kind: linkedca.Webhook_SCEPCHALLENGE.String(),
 					},
 				},
 			},
 		}, "webhook"},
 		{"challenge", &SCEP{
 			Name:              "SCEP",
 			Type:              "SCEP",
 			ChallengePassword: "pass",
 		}, "static"},
 		{"challenge-with-different-webhook", &SCEP{
 			Name: "SCEP",
 			Type: "SCEP",
 			Options: &Options{
 				Webhooks: []*Webhook{
 					{
 						Kind: linkedca.Webhook_AUTHORIZING.String(),
 					},
 				},
 			},
 			ChallengePassword: "pass",
 		}, "static"},
 		{"none", &SCEP{
 			Name: "SCEP",
 			Type: "SCEP",
 		}, "none"},
 		{"none-with-different-webhook", &SCEP{
 			Name: "SCEP",
 			Type: "SCEP",
 			Options: &Options{
 				Webhooks: []*Webhook{
 					{
 						Kind: linkedca.Webhook_AUTHORIZING.String(),
 					},
 				},
 			},
 		}, "none"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			err := tt.p.Init(Config{Claims: globalProvisionerClaims})
 			require.NoError(t, err)
 			got := tt.p.selectValidationMethod()
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
 func TestSCEP_ValidateChallenge(t *testing.T) {
 	type request struct {
 		Challenge     string `json:"scepChallenge"`
 		TransactionID string `json:"scepTransactionID"`
 	}
 	type response struct {
 		Allow bool `json:"allow"`
 	}
 	okServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		req := &request{}
 		err := json.NewDecoder(r.Body).Decode(req)
 		require.NoError(t, err)
 		assert.Equal(t, "webhook-challenge", req.Challenge)
 		assert.Equal(t, "webhook-transaction-1", req.TransactionID)
 		b, err := json.Marshal(response{Allow: true})
 		require.NoError(t, err)
 		w.WriteHeader(200)
 		w.Write(b)
 	}))
 	type args struct {
 		challenge     string
 		transactionID string
 	}
 	tests := []struct {
 		name   string
 		p      *SCEP
 		server *httptest.Server
 		args   args
 		expErr error
 	}{
 		{"ok/webhooks", &SCEP{
 			Name: "SCEP",
 			Type: "SCEP",
 			Options: &Options{
 				Webhooks: []*Webhook{
 					{
 						ID:       "webhook-id-1",
 						Name:     "webhook-name-1",
 						Secret:   "MTIzNAo=",
 						Kind:     linkedca.Webhook_SCEPCHALLENGE.String(),
 						CertType: linkedca.Webhook_X509.String(),
 						URL:      okServer.URL,
 					},
 				},
 			},
 		}, okServer, args{"webhook-challenge", "webhook-transaction-1"},
 			nil,
 		},
 		{"fail/webhooks-secret-configuration", &SCEP{
 			Name: "SCEP",
 			Type: "SCEP",
 			Options: &Options{
 				Webhooks: []*Webhook{
 					{
 						ID:       "webhook-id-1",
 						Name:     "webhook-name-1",
 						Secret:   "{{}}",
 						Kind:     linkedca.Webhook_SCEPCHALLENGE.String(),
 						CertType: linkedca.Webhook_X509.String(),
 						URL:      okServer.URL,
 					},
 				},
 			},
 		}, nil, args{"webhook-challenge", "webhook-transaction-1"},
 			errors.New("failed executing webhook request: illegal base64 data at input byte 0"),
 		},
 		{"ok/static-challenge", &SCEP{
 			Name:              "SCEP",
 			Type:              "SCEP",
 			Options:           &Options{},
 			ChallengePassword: "secret-static-challenge",
 		}, nil, args{"secret-static-challenge", "static-transaction-1"},
 			nil,
 		},
 		{"fail/wrong-static-challenge", &SCEP{
 			Name:              "SCEP",
 			Type:              "SCEP",
 			Options:           &Options{},
 			ChallengePassword: "secret-static-challenge",
 		}, nil, args{"the-wrong-challenge-secret", "static-transaction-1"},
 			errors.New("invalid challenge password provided"),
 		},
 		{"ok/no-challenge", &SCEP{
 			Name:              "SCEP",
 			Type:              "SCEP",
 			Options:           &Options{},
 			ChallengePassword: "",
 		}, nil, args{"", "static-transaction-1"},
 			nil,
 		},
 		{"fail/no-challenge-but-provided", &SCEP{
 			Name:              "SCEP",
 			Type:              "SCEP",
 			Options:           &Options{},
 			ChallengePassword: "",
 		}, nil, args{"a-challenge-value", "static-transaction-1"},
 			errors.New("invalid challenge password provided"),
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.server != nil {
 				defer tt.server.Close()
 			}
 			err := tt.p.Init(Config{Claims: globalProvisionerClaims, WebhookClient: http.DefaultClient})
 			require.NoError(t, err)
 			ctx := context.Background()
 			err = tt.p.ValidateChallenge(ctx, tt.args.challenge, tt.args.transactionID)
 			if tt.expErr != nil {
 				assert.EqualError(t, err, tt.expErr.Error())
 				return
 			}
 			assert.NoError(t, err)
 		})
 	}
 }
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -83,6 +83,31 @@ type AttestationData struct {
 	PermanentIdentifier string
 }
 // emailOnlyIdentity is a CertificateRequestValidator that checks that the only
 // SAN provided is the given email address.
 type emailOnlyIdentity string
 func (e emailOnlyIdentity) Valid(req *x509.CertificateRequest) error {
 	switch {
 	case len(req.DNSNames) > 0:
 		return errs.Forbidden("certificate request cannot contain DNS names")
 	case len(req.IPAddresses) > 0:
 		return errs.Forbidden("certificate request cannot contain IP addresses")
 	case len(req.URIs) > 0:
 		return errs.Forbidden("certificate request cannot contain URIs")
 	case len(req.EmailAddresses) == 0:
 		return errs.Forbidden("certificate request does not contain any email address")
 	case len(req.EmailAddresses) > 1:
 		return errs.Forbidden("certificate request contains too many email addresses")
 	case req.EmailAddresses[0] == "":
 		return errs.Forbidden("certificate request cannot contain an empty email address")
 	case req.EmailAddresses[0] != string(e):
 		return errs.Forbidden("certificate request does not contain the valid email address - got %s, want %s", req.EmailAddresses[0], e)
 	default:
 		return nil
 	}
 }
 // defaultPublicKeyValidator validates the public key of a certificate request.
 type defaultPublicKeyValidator struct{}
--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@ -16,6 +16,38 @@ import (
 	"go.step.sm/crypto/pemutil"
 )
 func Test_emailOnlyIdentity_Valid(t *testing.T) {
 	uri, err := url.Parse("https://example.com/1.0/getUser")
 	if err != nil {
 		t.Fatal(err)
 	}
 	type args struct {
 		req *x509.CertificateRequest
 	}
 	tests := []struct {
 		name    string
 		e       emailOnlyIdentity
 		args    args
 		wantErr bool
 	}{
 		{"ok", "name@smallstep.com", args{&x509.CertificateRequest{EmailAddresses: []string{"name@smallstep.com"}}}, false},
 		{"DNSNames", "name@smallstep.com", args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar"}}}, true},
 		{"IPAddresses", "name@smallstep.com", args{&x509.CertificateRequest{IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}}, true},
 		{"URIs", "name@smallstep.com", args{&x509.CertificateRequest{URIs: []*url.URL{uri}}}, true},
 		{"no-emails", "name@smallstep.com", args{&x509.CertificateRequest{EmailAddresses: []string{}}}, true},
 		{"empty-email", "", args{&x509.CertificateRequest{EmailAddresses: []string{""}}}, true},
 		{"multiple-emails", "name@smallstep.com", args{&x509.CertificateRequest{EmailAddresses: []string{"name@smallstep.com", "foo@smallstep.com"}}}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if err := tt.e.Valid(tt.args.req); (err != nil) != tt.wantErr {
 				t.Errorf("emailOnlyIdentity.Valid() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
 func Test_defaultPublicKeyValidator_Valid(t *testing.T) {
 	_shortRSA, err := pemutil.Read("./testdata/certs/short-rsa.csr")
 	assert.FatalError(t, err)
--- a/authority/provisioner/sign_ssh_options.go
+++ b/authority/provisioner/sign_ssh_options.go
@ -125,6 +125,35 @@ func (o SignSSHOptions) match(got SignSSHOptions) error {
 	return nil
 }
 // sshCertPrincipalsModifier is an SSHCertModifier that sets the
 // principals to the SSH certificate.
 type sshCertPrincipalsModifier []string
 // Modify the ValidPrincipals value of the cert.
 func (o sshCertPrincipalsModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
 	cert.ValidPrincipals = []string(o)
 	return nil
 }
 // sshCertKeyIDModifier is an SSHCertModifier that sets the given
 // Key ID in the SSH certificate.
 type sshCertKeyIDModifier string
 func (m sshCertKeyIDModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
 	cert.KeyId = string(m)
 	return nil
 }
 // sshCertTypeModifier is an SSHCertModifier that sets the
 // certificate type.
 type sshCertTypeModifier string
 // Modify sets the CertType for the ssh certificate.
 func (m sshCertTypeModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
 	cert.CertType = sshCertTypeUInt32(string(m))
 	return nil
 }
 // sshCertValidAfterModifier is an SSHCertModifier that sets the
 // ValidAfter in the SSH certificate.
 type sshCertValidAfterModifier uint64
@ -143,6 +172,51 @@ func (m sshCertValidBeforeModifier) Modify(cert *ssh.Certificate, _ SignSSHOptio
 	return nil
 }
 // sshCertDefaultsModifier implements a SSHCertModifier that
 // modifies the certificate with the given options if they are not set.
 type sshCertDefaultsModifier SignSSHOptions
 // Modify implements the SSHCertModifier interface.
 func (m sshCertDefaultsModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
 	if cert.CertType == 0 {
 		cert.CertType = sshCertTypeUInt32(m.CertType)
 	}
 	if len(cert.ValidPrincipals) == 0 {
 		cert.ValidPrincipals = m.Principals
 	}
 	if cert.ValidAfter == 0 && !m.ValidAfter.IsZero() {
 		cert.ValidAfter = uint64(m.ValidAfter.Unix())
 	}
 	if cert.ValidBefore == 0 && !m.ValidBefore.IsZero() {
 		cert.ValidBefore = uint64(m.ValidBefore.Unix())
 	}
 	return nil
 }
 // sshDefaultExtensionModifier implements an SSHCertModifier that sets
 // the default extensions in an SSH certificate.
 type sshDefaultExtensionModifier struct{}
 func (m *sshDefaultExtensionModifier) Modify(cert *ssh.Certificate, _ SignSSHOptions) error {
 	switch cert.CertType {
 	// Default to no extensions for HostCert.
 	case ssh.HostCert:
 		return nil
 	case ssh.UserCert:
 		if cert.Extensions == nil {
 			cert.Extensions = make(map[string]string)
 		}
 		cert.Extensions["permit-X11-forwarding"] = ""
 		cert.Extensions["permit-agent-forwarding"] = ""
 		cert.Extensions["permit-port-forwarding"] = ""
 		cert.Extensions["permit-pty"] = ""
 		cert.Extensions["permit-user-rc"] = ""
 		return nil
 	default:
 		return errs.BadRequest("ssh certificate has an unknown type '%d'", cert.CertType)
 	}
 }
 // sshDefaultDuration is an SSHCertModifier that sets the certificate
 // ValidAfter and ValidBefore if they have not been set. It will fail if a
 // CertType has not been set or is not valid.
@ -311,7 +385,7 @@ type sshCertDefaultValidator struct{}
 // Valid returns an error if the given certificate does not contain the
 // necessary fields. We skip ValidPrincipals and Extensions as with custom
 // templates you can set them empty.
-func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
+func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error {
 	switch {
 	case len(cert.Nonce) == 0:
 		return errs.Forbidden("ssh certificate nonce cannot be empty")
@ -346,7 +420,7 @@ type sshDefaultPublicKeyValidator struct{}
 // TODO: this is the only validator that checks the key type. We should execute
 // this before the signing. We should add a new validations interface or extend
 // SSHCertOptionsValidator with the key.
-func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error {
+func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error {
 	if cert.Key == nil {
 		return errs.BadRequest("ssh certificate key cannot be nil")
 	}
--- a/authority/provisioner/sign_ssh_options_test.go
+++ b/authority/provisioner/sign_ssh_options_test.go
@ -202,6 +202,97 @@ func TestSSHOptions_Match(t *testing.T) {
 	}
 }
 func Test_sshCertPrincipalsModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshCertPrincipalsModifier
 		cert     *ssh.Certificate
 		expected []string
 	}
 	tests := map[string]func() test{
 		"ok": func() test {
 			a := []string{"foo", "bar"}
 			return test{
 				modifier: sshCertPrincipalsModifier(a),
 				cert:     new(ssh.Certificate),
 				expected: a,
 			}
 		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
 			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.ValidPrincipals, tc.expected)
 			}
 		})
 	}
 }
 func Test_sshCertKeyIDModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshCertKeyIDModifier
 		cert     *ssh.Certificate
 		expected string
 	}
 	tests := map[string]func() test{
 		"ok": func() test {
 			a := "foo"
 			return test{
 				modifier: sshCertKeyIDModifier(a),
 				cert:     new(ssh.Certificate),
 				expected: a,
 			}
 		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
 			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.KeyId, tc.expected)
 			}
 		})
 	}
 }
 func Test_sshCertTypeModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshCertTypeModifier
 		cert     *ssh.Certificate
 		expected uint32
 	}
 	tests := map[string]func() test{
 		"ok/user": func() test {
 			return test{
 				modifier: sshCertTypeModifier("user"),
 				cert:     new(ssh.Certificate),
 				expected: ssh.UserCert,
 			}
 		},
 		"ok/host": func() test {
 			return test{
 				modifier: sshCertTypeModifier("host"),
 				cert:     new(ssh.Certificate),
 				expected: ssh.HostCert,
 			}
 		},
 		"ok/default": func() test {
 			return test{
 				modifier: sshCertTypeModifier("foo"),
 				cert:     new(ssh.Certificate),
 				expected: 0,
 			}
 		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
 			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				assert.Equals(t, tc.cert.CertType, tc.expected)
 			}
 		})
 	}
 }
 func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshCertValidAfterModifier
@ -227,6 +318,176 @@ func Test_sshCertValidAfterModifier_Modify(t *testing.T) {
 	}
 }
 func Test_sshCertDefaultsModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshCertDefaultsModifier
 		cert     *ssh.Certificate
 		valid    func(*ssh.Certificate)
 	}
 	tests := map[string]func() test{
 		"ok/changes": func() test {
 			n := time.Now()
 			va := NewTimeDuration(n.Add(1 * time.Minute))
 			vb := NewTimeDuration(n.Add(5 * time.Minute))
 			so := SignSSHOptions{
 				Principals:  []string{"foo", "bar"},
 				CertType:    "host",
 				ValidAfter:  va,
 				ValidBefore: vb,
 			}
 			return test{
 				modifier: sshCertDefaultsModifier(so),
 				cert:     new(ssh.Certificate),
 				valid: func(cert *ssh.Certificate) {
 					assert.Equals(t, cert.ValidPrincipals, so.Principals)
 					assert.Equals(t, cert.CertType, uint32(ssh.HostCert))
 					assert.Equals(t, cert.ValidAfter, uint64(so.ValidAfter.RelativeTime(time.Now()).Unix()))
 					assert.Equals(t, cert.ValidBefore, uint64(so.ValidBefore.RelativeTime(time.Now()).Unix()))
 				},
 			}
 		},
 		"ok/no-changes": func() test {
 			n := time.Now()
 			so := SignSSHOptions{
 				Principals:  []string{"foo", "bar"},
 				CertType:    "host",
 				ValidAfter:  NewTimeDuration(n.Add(15 * time.Minute)),
 				ValidBefore: NewTimeDuration(n.Add(25 * time.Minute)),
 			}
 			return test{
 				modifier: sshCertDefaultsModifier(so),
 				cert: &ssh.Certificate{
 					CertType:        uint32(ssh.UserCert),
 					ValidPrincipals: []string{"zap", "zoop"},
 					ValidAfter:      15,
 					ValidBefore:     25,
 				},
 				valid: func(cert *ssh.Certificate) {
 					assert.Equals(t, cert.ValidPrincipals, []string{"zap", "zoop"})
 					assert.Equals(t, cert.CertType, uint32(ssh.UserCert))
 					assert.Equals(t, cert.ValidAfter, uint64(15))
 					assert.Equals(t, cert.ValidBefore, uint64(25))
 				},
 			}
 		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
 			if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
 				tc.valid(tc.cert)
 			}
 		})
 	}
 }
 func Test_sshDefaultExtensionModifier_Modify(t *testing.T) {
 	type test struct {
 		modifier sshDefaultExtensionModifier
 		cert     *ssh.Certificate
 		valid    func(*ssh.Certificate)
 		err      error
 	}
 	tests := map[string]func() test{
 		"fail/unexpected-cert-type": func() test {
 			cert := &ssh.Certificate{CertType: 3}
 			return test{
 				modifier: sshDefaultExtensionModifier{},
 				cert:     cert,
 				err:      errors.New("ssh certificate has an unknown type '3'"),
 			}
 		},
 		"ok/host": func() test {
 			cert := &ssh.Certificate{CertType: ssh.HostCert}
 			return test{
 				modifier: sshDefaultExtensionModifier{},
 				cert:     cert,
 				valid: func(cert *ssh.Certificate) {
 					assert.Len(t, 0, cert.Extensions)
 				},
 			}
 		},
 		"ok/user/extensions-exists": func() test {
 			cert := &ssh.Certificate{CertType: ssh.UserCert, Permissions: ssh.Permissions{Extensions: map[string]string{
 				"foo": "bar",
 			}}}
 			return test{
 				modifier: sshDefaultExtensionModifier{},
 				cert:     cert,
 				valid: func(cert *ssh.Certificate) {
 					val, ok := cert.Extensions["foo"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "bar")
 					val, ok = cert.Extensions["permit-X11-forwarding"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-agent-forwarding"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-port-forwarding"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-pty"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-user-rc"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 				},
 			}
 		},
 		"ok/user/no-extensions": func() test {
 			return test{
 				modifier: sshDefaultExtensionModifier{},
 				cert:     &ssh.Certificate{CertType: ssh.UserCert},
 				valid: func(cert *ssh.Certificate) {
 					_, ok := cert.Extensions["foo"]
 					assert.False(t, ok)
 					val, ok := cert.Extensions["permit-X11-forwarding"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-agent-forwarding"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-port-forwarding"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-pty"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 					val, ok = cert.Extensions["permit-user-rc"]
 					assert.True(t, ok)
 					assert.Equals(t, val, "")
 				},
 			}
 		},
 	}
 	for name, run := range tests {
 		t.Run(name, func(t *testing.T) {
 			tc := run()
 			if err := tc.modifier.Modify(tc.cert, SignSSHOptions{}); err != nil {
 				if assert.NotNil(t, tc.err) {
 					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
 			} else {
 				if assert.Nil(t, tc.err) {
 					tc.valid(tc.cert)
 				}
 			}
 		})
 	}
 }
 func Test_sshCertDefaultValidator_Valid(t *testing.T) {
 	pub, _, err := keyutil.GenerateDefaultKeyPair()
 	assert.FatalError(t, err)
--- a/authority/provisioner/sshpop.go
+++ b/authority/provisioner/sshpop.go
@ -187,7 +187,7 @@ func (p *SSHPOP) authorizeToken(token string, audiences []string, checkValidity
 // AuthorizeSSHRevoke validates the authorization token and extracts/validates
 // the SSH certificate from the ssh-pop header.
-func (p *SSHPOP) AuthorizeSSHRevoke(_ context.Context, token string) error {
+func (p *SSHPOP) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 	claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke, true)
 	if err != nil {
 		return errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRevoke")
@ -213,7 +213,7 @@ func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Cert
 // AuthorizeSSHRekey validates the authorization token and extracts/validates
 // the SSH certificate from the ssh-pop header.
-func (p *SSHPOP) AuthorizeSSHRekey(_ context.Context, token string) (*ssh.Certificate, []SignOption, error) {
+func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) {
 	claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRekey, true)
 	if err != nil {
 		return nil, nil, errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRekey")
--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
@ -665,9 +665,6 @@ func generateAzureWithServer() (*Azure, *httptest.Server, error) {
 					AccessToken: tok,
 				})
 			}
 		case "/metadata/instance/compute/azEnvironment":
 			w.Header().Add("Content-Type", "text/plain")
 			w.Write([]byte("AzurePublicCloud"))
 		default:
 			http.NotFound(w, r)
 		}
@ -675,7 +672,6 @@ func generateAzureWithServer() (*Azure, *httptest.Server, error) {
 	srv.Start()
 	az.config.oidcDiscoveryURL = srv.URL + "/" + az.TenantID + "/.well-known/openid-configuration"
 	az.config.identityTokenURL = srv.URL + "/metadata/identity/oauth2/token"
 	az.config.instanceComputeURL = srv.URL + "/metadata/instance/compute/azEnvironment"
 	return az, srv, nil
 }
--- a/authority/provisioner/webhook.go
+++ b/authority/provisioner/webhook.go
@ -30,7 +30,6 @@ type WebhookController struct {
 	client       *http.Client
 	webhooks     []*Webhook
 	certType     linkedca.Webhook_CertType
 	options      []webhook.RequestBodyOption
 	TemplateData WebhookSetter
 }
@ -40,14 +39,6 @@ func (wc *WebhookController) Enrich(req *webhook.RequestBody) error {
 	if wc == nil {
 		return nil
 	}
 	// Apply extra options in the webhook controller
 	for _, fn := range wc.options {
 		if err := fn(req); err != nil {
 			return err
 		}
 	}
 	for _, wh := range wc.webhooks {
 		if wh.Kind != linkedca.Webhook_ENRICHING.String() {
 			continue
@ -72,14 +63,6 @@ func (wc *WebhookController) Authorize(req *webhook.RequestBody) error {
 	if wc == nil {
 		return nil
 	}
 	// Apply extra options in the webhook controller
 	for _, fn := range wc.options {
 		if err := fn(req); err != nil {
 			return err
 		}
 	}
 	for _, wh := range wc.webhooks {
 		if wh.Kind != linkedca.Webhook_AUTHORIZING.String() {
 			continue
@ -124,13 +107,6 @@ type Webhook struct {
 }
 func (w *Webhook) Do(client *http.Client, reqBody *webhook.RequestBody, data any) (*webhook.ResponseBody, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
 	defer cancel()
 	return w.DoWithContext(ctx, client, reqBody, data)
 }
 func (w *Webhook) DoWithContext(ctx context.Context, client *http.Client, reqBody *webhook.RequestBody, data any) (*webhook.ResponseBody, error) {
 	tmpl, err := template.New("url").Funcs(templates.StepFuncMap()).Parse(w.URL)
 	if err != nil {
 		return nil, err
@ -153,6 +129,8 @@ func (w *Webhook) DoWithContext(ctx context.Context, client *http.Client, reqBod
 			reqBody.Token = tmpl[sshutil.TokenKey]
 		}
 	*/
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
 	defer cancel()
 	reqBody.Timestamp = time.Now()
--- a/authority/provisioner/webhook_test.go
+++ b/authority/provisioner/webhook_test.go
@ -4,7 +4,6 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@ -17,7 +16,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/webhook"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 	"go.step.sm/linkedca"
 )
@ -98,18 +96,12 @@ func TestWebhookController_isCertTypeOK(t *testing.T) {
 }
 func TestWebhookController_Enrich(t *testing.T) {
 	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
 	if err != nil {
 		t.Fatal(err)
 	}
 	type test struct {
 		ctl                *WebhookController
 		req                *webhook.RequestBody
 		responses          []*webhook.ResponseBody
 		expectErr          bool
 		expectTemplateData any
 		assertRequest      func(t *testing.T, req *webhook.RequestBody)
 	}
 	tests := map[string]test{
 		"ok/no enriching webhooks": {
@ -178,29 +170,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 				},
 			},
 		},
 		"ok/with options": {
 			ctl: &WebhookController{
 				client:       http.DefaultClient,
 				webhooks:     []*Webhook{{Name: "people", Kind: "ENRICHING"}},
 				TemplateData: x509util.TemplateData{},
 				options:      []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)},
 			},
 			req:                &webhook.RequestBody{},
 			responses:          []*webhook.ResponseBody{{Allow: true, Data: map[string]any{"role": "bar"}}},
 			expectErr:          false,
 			expectTemplateData: x509util.TemplateData{"Webhooks": map[string]any{"people": map[string]any{"role": "bar"}}},
 			assertRequest: func(t *testing.T, req *webhook.RequestBody) {
 				key, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
 				assert.FatalError(t, err)
 				assert.Equals(t, &webhook.X5CCertificate{
 					Raw:                cert.Raw,
 					PublicKey:          key,
 					PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
 					NotBefore:          cert.NotBefore,
 					NotAfter:           cert.NotAfter,
 				}, req.X5CCertificate)
 			},
 		},
 		"deny": {
 			ctl: &WebhookController{
 				client:       http.DefaultClient,
@ -212,20 +181,6 @@ func TestWebhookController_Enrich(t *testing.T) {
 			expectErr:          true,
 			expectTemplateData: x509util.TemplateData{},
 		},
 		"fail/with options": {
 			ctl: &WebhookController{
 				client:       http.DefaultClient,
 				webhooks:     []*Webhook{{Name: "people", Kind: "ENRICHING"}},
 				TemplateData: x509util.TemplateData{},
 				options: []webhook.RequestBodyOption{webhook.WithX5CCertificate(&x509.Certificate{
 					PublicKey: []byte("bad"),
 				})},
 			},
 			req:                &webhook.RequestBody{},
 			responses:          []*webhook.ResponseBody{{Allow: false}},
 			expectErr:          true,
 			expectTemplateData: x509util.TemplateData{},
 		},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
@ -245,25 +200,16 @@ func TestWebhookController_Enrich(t *testing.T) {
 				t.Fatalf("Got err %v, want %v", err, test.expectErr)
 			}
 			assert.Equals(t, test.expectTemplateData, test.ctl.TemplateData)
 			if test.assertRequest != nil {
 				test.assertRequest(t, test.req)
 			}
 		})
 	}
 }
 func TestWebhookController_Authorize(t *testing.T) {
 	cert, err := pemutil.ReadCertificate("testdata/certs/x5c-leaf.crt", pemutil.WithFirstBlock())
 	if err != nil {
 		t.Fatal(err)
 	}
 	type test struct {
 		ctl       *WebhookController
 		req       *webhook.RequestBody
 		responses []*webhook.ResponseBody
 		expectErr bool
 		assertRequest func(t *testing.T, req *webhook.RequestBody)
 	}
 	tests := map[string]test{
 		"ok/no enriching webhooks": {
@ -294,27 +240,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: false,
 		},
 		"ok/with options": {
 			ctl: &WebhookController{
 				client:   http.DefaultClient,
 				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
 				options:  []webhook.RequestBodyOption{webhook.WithX5CCertificate(cert)},
 			},
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: true}},
 			expectErr: false,
 			assertRequest: func(t *testing.T, req *webhook.RequestBody) {
 				key, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
 				assert.FatalError(t, err)
 				assert.Equals(t, &webhook.X5CCertificate{
 					Raw:                cert.Raw,
 					PublicKey:          key,
 					PublicKeyAlgorithm: cert.PublicKeyAlgorithm.String(),
 					NotBefore:          cert.NotBefore,
 					NotAfter:           cert.NotAfter,
 				}, req.X5CCertificate)
 			},
 		},
 		"deny": {
 			ctl: &WebhookController{
 				client:   http.DefaultClient,
@ -324,18 +249,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: true,
 		},
 		"fail/with options": {
 			ctl: &WebhookController{
 				client:   http.DefaultClient,
 				webhooks: []*Webhook{{Name: "people", Kind: "AUTHORIZING"}},
 				options: []webhook.RequestBodyOption{webhook.WithX5CCertificate(&x509.Certificate{
 					PublicKey: []byte("bad"),
 				})},
 			},
 			req:       &webhook.RequestBody{},
 			responses: []*webhook.ResponseBody{{Allow: false}},
 			expectErr: true,
 		},
 	}
 	for name, test := range tests {
 		t.Run(name, func(t *testing.T) {
@ -354,9 +267,6 @@ func TestWebhookController_Authorize(t *testing.T) {
 			if (err != nil) != test.expectErr {
 				t.Fatalf("Got err %v, want %v", err, test.expectErr)
 			}
 			if test.assertRequest != nil {
 				test.assertRequest(t, test.req)
 			}
 		})
 	}
 }
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -15,7 +15,6 @@ import (
 	"go.step.sm/linkedca"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/webhook"
 )
 // x5cPayload extends jwt.Claims with step attributes.
@ -188,13 +187,13 @@ func (p *X5C) authorizeToken(token string, audiences []string) (*x5cPayload, err
 // AuthorizeRevoke returns an error if the provisioner does not have rights to
 // revoke the certificate with serial number in the `sub` property.
-func (p *X5C) AuthorizeRevoke(_ context.Context, token string) error {
+func (p *X5C) AuthorizeRevoke(ctx context.Context, token string) error {
 	_, err := p.authorizeToken(token, p.ctl.Audiences.Revoke)
 	return errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeRevoke")
 }
 // AuthorizeSign validates the given token.
-func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSign")
@ -216,8 +215,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 	// The X509 certificate will be available using the template variable
 	// AuthorizationCrt. For example {{ .AuthorizationCrt.DNSNames }} can be
 	// used to get all the domains.
-	x5cLeaf := claims.chains[0][0]
+	data.SetAuthorizationCertificate(claims.chains[0][0])
 	data.SetAuthorizationCertificate(x5cLeaf)
 	templateOptions, err := TemplateOptions(p.Options, data)
 	if err != nil {
@ -240,7 +238,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		newProvisionerExtensionOption(TypeX5C, p.Name, ""),
 		profileLimitDuration{
 			p.ctl.Claimer.DefaultTLSCertDuration(),
-			x5cLeaf.NotBefore, x5cLeaf.NotAfter,
+			claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter,
 		},
 		// validators
 		commonNameValidator(claims.Subject),
@ -248,12 +246,7 @@ func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, erro
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
 		newX509NamePolicyValidator(p.ctl.getPolicy().getX509()),
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_X509),
 			data,
 			linkedca.Webhook_X509,
 			webhook.WithX5CCertificate(x5cLeaf),
 			webhook.WithAuthorizationPrincipal(x5cLeaf.Subject.CommonName),
 		),
 	}, nil
 }
@ -263,7 +256,7 @@ func (p *X5C) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error
 }
 // AuthorizeSSHSign returns the list of SignOption for a SignSSH request.
-func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) {
+func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) {
 	if !p.ctl.Claimer.IsSSHCAEnabled() {
 		return nil, errs.Unauthorized("x5c.AuthorizeSSHSign; sshCA is disabled for x5c provisioner '%s'", p.GetName())
 	}
@ -312,8 +305,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	// The X509 certificate will be available using the template variable
 	// AuthorizationCrt. For example {{ .AuthorizationCrt.DNSNames }} can be
 	// used to get all the domains.
-	x5cLeaf := claims.chains[0][0]
+	data.SetAuthorizationCertificate(claims.chains[0][0])
 	data.SetAuthorizationCertificate(x5cLeaf)
 	templateOptions, err := TemplateSSHOptions(p.Options, data)
 	if err != nil {
@ -333,7 +325,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	return append(signOptions,
 		p,
 		// Checks the validity bounds, and set the validity if has not been set.
-		&sshLimitDuration{p.ctl.Claimer, x5cLeaf.NotAfter},
+		&sshLimitDuration{p.ctl.Claimer, claims.chains[0][0].NotAfter},
 		// Validate public key.
 		&sshDefaultPublicKeyValidator{},
 		// Validate the validity period.
@ -343,11 +335,6 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 		// Ensure that all principal names are allowed
 		newSSHNamePolicyValidator(p.ctl.getPolicy().getSSHHost(), p.ctl.getPolicy().getSSHUser()),
 		// Call webhooks
-		p.ctl.newWebhookController(
+		p.ctl.newWebhookController(data, linkedca.Webhook_SSH),
 			data,
 			linkedca.Webhook_SSH,
 			webhook.WithX5CCertificate(x5cLeaf),
 			webhook.WithAuthorizationPrincipal(x5cLeaf.Subject.CommonName),
 		),
 	), nil
 }
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@ -12,7 +12,6 @@ import (
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/linkedca"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
@ -498,8 +497,6 @@ func TestX5C_AuthorizeSign(t *testing.T) {
 								assert.Equals(t, nil, v.policyEngine)
 							case *WebhookController:
 								assert.Len(t, 0, v.webhooks)
 								assert.Equals(t, linkedca.Webhook_X509, v.certType)
 								assert.Len(t, 2, v.options)
 							default:
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
 							}
@ -793,6 +790,8 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 								assert.Equals(t, int64(v), tc.claims.Step.SSH.ValidAfter.RelativeTime(nw).Unix())
 							case sshCertValidBeforeModifier:
 								assert.Equals(t, int64(v), tc.claims.Step.SSH.ValidBefore.RelativeTime(nw).Unix())
 							case sshCertDefaultsModifier:
 								assert.Equals(t, SignSSHOptions(v), SignSSHOptions{CertType: SSHUserCert})
 							case *sshLimitDuration:
 								assert.Equals(t, v.Claimer, tc.p.ctl.Claimer)
 								assert.Equals(t, v.NotAfter, x5cCerts[0].NotAfter)
@ -804,8 +803,6 @@ func TestX5C_AuthorizeSSHSign(t *testing.T) {
 							case *sshDefaultPublicKeyValidator, *sshCertDefaultValidator, sshCertificateOptionsFunc:
 							case *WebhookController:
 								assert.Len(t, 0, v.webhooks)
 								assert.Equals(t, linkedca.Webhook_SSH, v.certType)
 								assert.Len(t, 2, v.options)
 							default:
 								assert.FatalError(t, fmt.Errorf("unexpected sign option of type %T", v))
 							}
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@ -1223,7 +1223,7 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 				Data: &linkedca.ProvisionerDetails_SCEP{
 					SCEP: &linkedca.SCEPProvisioner{
 						ForceCn:                       p.ForceCN,
-						Challenge:                     p.ChallengePassword,
+						Challenge:                     p.GetChallengePassword(),
 						Capabilities:                  p.Capabilities,
 						MinimumPublicKeyLength:        int32(p.MinimumPublicKeyLength),
 						IncludeRoot:                   p.IncludeRoot,
--- a/authority/provisioners_test.go
+++ b/authority/provisioners_test.go
@ -9,17 +9,14 @@ import (
 	"testing"
 	"time"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/linkedca"
 	"github.com/stretchr/testify/require"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/linkedca"
 )
 func TestGetEncryptedKey(t *testing.T) {
@ -32,9 +29,9 @@ func TestGetEncryptedKey(t *testing.T) {
 	tests := map[string]func(t *testing.T) *ek{
 		"ok": func(t *testing.T) *ek {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
-			require.NoError(t, err)
+			assert.FatalError(t, err)
 			a, err := New(c)
-			require.NoError(t, err)
+			assert.FatalError(t, err)
 			return &ek{
 				a:   a,
 				kid: c.AuthorityConfig.Provisioners[1].(*provisioner.JWK).Key.KeyID,
@ -42,9 +39,9 @@ func TestGetEncryptedKey(t *testing.T) {
 		},
 		"fail-not-found": func(t *testing.T) *ek {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
-			require.NoError(t, err)
+			assert.FatalError(t, err)
 			a, err := New(c)
-			require.NoError(t, err)
+			assert.FatalError(t, err)
 			return &ek{
 				a:    a,
 				kid:  "foo",
@ -98,16 +95,9 @@ func TestGetProvisioners(t *testing.T) {
 	tests := map[string]func(t *testing.T) *gp{
 		"ok": func(t *testing.T) *gp {
 			c, err := LoadConfiguration("../ca/testdata/ca.json")
-			require.NoError(t, err)
+			assert.FatalError(t, err)
 			a, err := New(c)
-			require.NoError(t, err)
+			assert.FatalError(t, err)
 			return &gp{a: a}
 		},
 		"ok/rsa": func(t *testing.T) *gp {
 			c, err := LoadConfiguration("../ca/testdata/rsaca.json")
 			require.NoError(t, err)
 			a, err := New(c)
 			require.NoError(t, err)
 			return &gp{a: a}
 		},
 	}
@ -121,13 +111,13 @@ func TestGetProvisioners(t *testing.T) {
 				if assert.NotNil(t, tc.err) {
 					var sc render.StatusCodedError
 					if assert.True(t, errors.As(err, &sc), "error does not implement StatusCodedError interface") {
-						assert.Equals(t, tc.code, sc.StatusCode())
+						assert.Equals(t, sc.StatusCode(), tc.code)
 					}
-					assert.HasPrefix(t, tc.err.Error(), err.Error())
+					assert.HasPrefix(t, err.Error(), tc.err.Error())
 				}
 			} else {
 				if assert.Nil(t, tc.err) {
-					assert.Equals(t, tc.a.config.AuthorityConfig.Provisioners, ps)
+					assert.Equals(t, ps, tc.a.config.AuthorityConfig.Provisioners)
 					assert.Equals(t, "", next)
 				}
 			}
@ -137,20 +127,20 @@ func TestGetProvisioners(t *testing.T) {
 func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 	_, priv, err := keyutil.GenerateDefaultKeyPair()
-	require.NoError(t, err)
+	assert.FatalError(t, err)
 	csr := getCSR(t, priv)
 	sign := func(a *Authority, extraOpts ...provisioner.SignOption) *x509.Certificate {
 		key, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
-		require.NoError(t, err)
+		assert.FatalError(t, err)
 		token, err := generateToken("smallstep test", "step-cli", testAudiences.Sign[0], []string{"test.smallstep.com"}, time.Now(), key)
-		require.NoError(t, err)
+		assert.FatalError(t, err)
 		ctx := provisioner.NewContextWithMethod(context.Background(), provisioner.SignMethod)
 		opts, err := a.Authorize(ctx, token)
-		require.NoError(t, err)
+		assert.FatalError(t, err)
 		opts = append(opts, extraOpts...)
 		certs, err := a.Sign(csr, provisioner.SignOptions{}, opts...)
-		require.NoError(t, err)
+		assert.FatalError(t, err)
 		return certs[0]
 	}
 	getProvisioner := func(a *Authority, name string) provisioner.Interface {
@ -179,7 +169,9 @@ func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 		},
 		MGetCertificateData: func(serialNumber string) (*db.CertificateData, error) {
 			p, err := a1.LoadProvisionerByName("dev")
-			require.NoError(t, err)
+			if err != nil {
 				t.Fatal(err)
 			}
 			return &db.CertificateData{
 				Provisioner: &db.ProvisionerData{
 					ID:   p.GetID(),
@ -194,7 +186,9 @@ func TestAuthority_LoadProvisionerByCertificate(t *testing.T) {
 	a2.adminDB = &mockAdminDB{
 		MGetCertificateData: (func(s string) (*db.CertificateData, error) {
 			p, err := a2.LoadProvisionerByName("dev")
-			require.NoError(t, err)
+			if err != nil {
 				t.Fatal(err)
 			}
 			return &db.CertificateData{
 				Provisioner: &db.ProvisionerData{
 					ID:   p.GetID(),
--- a/authority/ssh.go
+++ b/authority/ssh.go
@ -52,7 +52,7 @@ func (a *Authority) GetSSHFederation(context.Context) (*config.SSHKeys, error) {
 }
 // GetSSHConfig returns rendered templates for clients (user) or servers (host).
-func (a *Authority) GetSSHConfig(_ context.Context, typ string, data map[string]string) ([]templates.Output, error) {
+func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error) {
 	if a.sshCAUserCertSignKey == nil && a.sshCAHostCertSignKey == nil {
 		return nil, errs.NotFound("getSSHConfig: ssh is not configured")
 	}
@ -146,7 +146,7 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (*
 }
 // SignSSH creates a signed SSH certificate with the given public key and options.
-func (a *Authority) SignSSH(_ context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
+func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) {
 	var (
 		certOptions []sshutil.Option
 		mods        []provisioner.SSHCertModifier
@ -663,7 +663,11 @@ func callEnrichingWebhooksSSH(webhookCtl webhookController, cr sshutil.Certifica
 	if err != nil {
 		return err
 	}
-	return webhookCtl.Enrich(whEnrichReq)
+	if err := webhookCtl.Enrich(whEnrichReq); err != nil {
 		return err
 	}
 	return nil
 }
 func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Certificate, certTpl *ssh.Certificate) error {
@ -676,5 +680,9 @@ func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Cert
 	if err != nil {
 		return err
 	}
-	return webhookCtl.Authorize(whAuthBody)
+	if err := webhookCtl.Authorize(whAuthBody); err != nil {
 		return err
 	}
 	return nil
 }
--- a/authority/ssh_test.go
+++ b/authority/ssh_test.go
@ -55,7 +55,7 @@ func (m sshTestModifier) Modify(cert *ssh.Certificate, _ provisioner.SignSSHOpti
 type sshTestCertModifier string
-func (m sshTestCertModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions) error {
+func (m sshTestCertModifier) Modify(cert *ssh.Certificate, opts provisioner.SignSSHOptions) error {
 	if m == "" {
 		return nil
 	}
@ -64,7 +64,7 @@ func (m sshTestCertModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions
 type sshTestCertValidator string
-func (v sshTestCertValidator) Valid(*ssh.Certificate, provisioner.SignSSHOptions) error {
+func (v sshTestCertValidator) Valid(crt *ssh.Certificate, opts provisioner.SignSSHOptions) error {
 	if v == "" {
 		return nil
 	}
@ -73,7 +73,7 @@ func (v sshTestCertValidator) Valid(*ssh.Certificate, provisioner.SignSSHOptions
 type sshTestOptionsValidator string
-func (v sshTestOptionsValidator) Valid(provisioner.SignSSHOptions) error {
+func (v sshTestOptionsValidator) Valid(opts provisioner.SignSSHOptions) error {
 	if v == "" {
 		return nil
 	}
@ -82,7 +82,7 @@ func (v sshTestOptionsValidator) Valid(provisioner.SignSSHOptions) error {
 type sshTestOptionsModifier string
-func (m sshTestOptionsModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions) error {
+func (m sshTestOptionsModifier) Modify(cert *ssh.Certificate, opts provisioner.SignSSHOptions) error {
 	if m == "" {
 		return nil
 	}
--- a/authority/tls.go
+++ b/authority/tls.go
@ -303,7 +303,7 @@ func (a *Authority) isAllowedToSignX509Certificate(cert *x509.Certificate) error
 // AreSANsAllowed evaluates the provided sans against the
 // authority X.509 policy.
-func (a *Authority) AreSANsAllowed(_ context.Context, sans []string) error {
+func (a *Authority) AreSANsAllowed(ctx context.Context, sans []string) error {
 	return a.policyEngine.AreSANsAllowed(sans)
 }
@ -773,20 +773,13 @@ func (a *Authority) GenerateCertificateRevocationList() error {
 		NextUpdate:          now.Add(updateDuration),
 	}
 	// Set CRL IDP to config item, otherwise, leave as default
 	var fullName string
 	if a.config.CRL.IDPurl != "" {
 		fullName = a.config.CRL.IDPurl
 	} else {
 		fullName = a.config.Audience("/1.0/crl")[0]
 	}
 	// Add distribution point.
 	//
 	// Note that this is currently using the port 443 by default.
 	fullName := a.config.Audience("/1.0/crl")[0]
 	if b, err := marshalDistributionPoint(fullName, false); err == nil {
 		revocationList.ExtraExtensions = []pkix.Extension{
-			{Id: oidExtensionIssuingDistributionPoint, Critical: true, Value: b},
+			{Id: oidExtensionIssuingDistributionPoint, Value: b},
 		}
 	}
@ -969,7 +962,11 @@ func callEnrichingWebhooksX509(webhookCtl webhookController, attData *provisione
 	if err != nil {
 		return err
 	}
-	return webhookCtl.Enrich(whEnrichReq)
+	if err := webhookCtl.Enrich(whEnrichReq); err != nil {
 		return err
 	}
 	return nil
 }
 func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Certificate, leaf *x509.Certificate, attData *provisioner.AttestationData) error {
@ -989,5 +986,9 @@ func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Ce
 	if err != nil {
 		return err
 	}
-	return webhookCtl.Authorize(whAuthBody)
+	if err := webhookCtl.Authorize(whAuthBody); err != nil {
 		return err
 	}
 	return nil
 }
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -1146,7 +1146,7 @@ func TestAuthority_Renew(t *testing.T) {
 									assert.False(t, reflect.DeepEqual(ext1, ext2))
 								}
 								continue
-							}
+							} else {
 								found := false
 								for _, ext2 := range leaf.Extensions {
 									if reflect.DeepEqual(ext1, ext2) {
@ -1159,6 +1159,7 @@ func TestAuthority_Renew(t *testing.T) {
 								}
 							}
 						}
 					}
 					realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
 					assert.FatalError(t, err)
@ -1362,7 +1363,7 @@ func TestAuthority_Rekey(t *testing.T) {
 									assert.False(t, reflect.DeepEqual(ext1, ext2))
 								}
 								continue
-							}
+							} else {
 								found := false
 								for _, ext2 := range leaf.Extensions {
 									if reflect.DeepEqual(ext1, ext2) {
@ -1375,6 +1376,7 @@ func TestAuthority_Rekey(t *testing.T) {
 								}
 							}
 						}
 					}
 					realIntermediate, err := x509.ParseCertificate(authIssuer.Raw)
 					assert.FatalError(t, err)
@ -1934,14 +1936,14 @@ func TestAuthority_CRL(t *testing.T) {
 		tc := f()
 		t.Run(name, func(t *testing.T) {
 			if crlBytes, err := tc.auth.GetCertificateRevocationList(); err == nil {
-				crl, parseErr := x509.ParseRevocationList(crlBytes)
+				crl, parseErr := x509.ParseCRL(crlBytes)
 				if parseErr != nil {
 					t.Errorf("x509.ParseCertificateRequest() error = %v, wantErr %v", parseErr, nil)
 					return
 				}
 				var cmpList []string
-				for _, c := range crl.RevokedCertificates {
+				for _, c := range crl.TBSCertList.RevokedCertificates {
 					cmpList = append(cmpList, c.SerialNumber.String())
 				}
--- a/authority/webhook_test.go
+++ b/authority/webhook_test.go
@ -14,7 +14,7 @@ type mockWebhookController struct {
 var _ webhookController = &mockWebhookController{}
-func (wc *mockWebhookController) Enrich(*webhook.RequestBody) error {
+func (wc *mockWebhookController) Enrich(req *webhook.RequestBody) error {
 	for key, data := range wc.respData {
 		wc.templateData.SetWebhook(key, data)
 	}
@ -22,6 +22,6 @@ func (wc *mockWebhookController) Enrich(*webhook.RequestBody) error {
 	return wc.enrichErr
 }
-func (wc *mockWebhookController) Authorize(*webhook.RequestBody) error {
+func (wc *mockWebhookController) Authorize(req *webhook.RequestBody) error {
 	return wc.authorizeErr
 }
--- a/ca/adminClient.go
+++ b/ca/adminClient.go
@ -44,9 +44,6 @@ type AdminClient struct {
 	x5cSubject  string
 }
 var ErrAdminAPINotImplemented = errors.New("admin API not implemented")
 var ErrAdminAPINotAuthorized = errors.New("admin API not authorized")
 // AdminClientError is the client side representation of an
 // AdminError returned by the CA.
 type AdminClientError struct {
@ -140,28 +137,6 @@ func (c *AdminClient) retryOnError(r *http.Response) bool {
 	return false
 }
 // IsEnabled checks if the admin API is enabled.
 func (c *AdminClient) IsEnabled() error {
 	u := c.endpoint.ResolveReference(&url.URL{Path: path.Join(adminURLPrefix, "admins")})
 	resp, err := c.client.Get(u.String())
 	if err != nil {
 		return clientError(err)
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode < http.StatusBadRequest {
 		return nil
 	}
 	switch resp.StatusCode {
 	case http.StatusNotFound, http.StatusNotImplemented:
 		return ErrAdminAPINotImplemented
 	case http.StatusUnauthorized:
 		return ErrAdminAPINotAuthorized
 	default:
 		return errors.Errorf("unexpected status code when performing is-enabled check for Admin API: %d", resp.StatusCode)
 	}
 }
 // GetAdmin performs the GET /admin/admin/{id} request to the CA.
 func (c *AdminClient) GetAdmin(id string) (*linkedca.Admin, error) {
 	var retried bool
@ -269,7 +244,7 @@ retry:
 }
 // GetAdmins returns all admins from the GET /admin/admins request to the CA.
-func (c *AdminClient) GetAdmins(...AdminOption) ([]*linkedca.Admin, error) {
+func (c *AdminClient) GetAdmins(opts ...AdminOption) ([]*linkedca.Admin, error) {
 	var (
 		cursor = ""
 		admins = []*linkedca.Admin{}
@ -474,7 +449,7 @@ retry:
 }
 // GetProvisioners returns all admins from the GET /admin/admins request to the CA.
-func (c *AdminClient) GetProvisioners(...AdminOption) (provisioner.List, error) {
+func (c *AdminClient) GetProvisioners(opts ...AdminOption) (provisioner.List, error) {
 	var (
 		cursor = ""
 		provs  = provisioner.List{}
--- a/ca/bootstrap.go
+++ b/ca/bootstrap.go
@ -61,7 +61,7 @@ func Bootstrap(token string) (*Client, error) {
 //	}
 //	resp, err := client.Get("https://internal.smallstep.com")
 func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*http.Client, error) {
-	b, err := createBootstrap(token) //nolint:contextcheck // deeply nested context; temporary
+	b, err := createBootstrap(token)
 	if err != nil {
 		return nil, err
 	}
@ -120,7 +120,7 @@ func BootstrapServer(ctx context.Context, token string, base *http.Server, optio
 		return nil, errors.New("server TLSConfig is already set")
 	}
-	b, err := createBootstrap(token) //nolint:contextcheck // deeply nested context; temporary
+	b, err := createBootstrap(token)
 	if err != nil {
 		return nil, err
 	}
@ -169,7 +169,7 @@ func BootstrapServer(ctx context.Context, token string, base *http.Server, optio
 //	... // register services
 //	srv.Serve(lis)
 func BootstrapListener(ctx context.Context, token string, inner net.Listener, options ...TLSOption) (net.Listener, error) {
-	b, err := createBootstrap(token) //nolint:contextcheck // deeply nested context; temporary
+	b, err := createBootstrap(token)
 	if err != nil {
 		return nil, err
 	}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
max furman	5637e4ac65	Add authority.Capabilities implementation	2022-11-29 10:26:06 -08:00
Max	8df01c60c1	Update api/api_test.go Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	2022-11-29 10:18:33 -08:00
Max	2349a7a7fb	Update ca/client.go Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	2022-11-29 10:17:58 -08:00
Max	f19b49cefb	Update ca/client_test.go Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	2022-11-29 10:17:25 -08:00
Max	78d93dcdfe	Update ca/client.go Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>	2022-11-29 10:17:17 -08:00
max furman	7c53fe32c3	Add capabilities endpoint and client integration	2022-11-26 12:16:59 -08:00