forked from TrueCloudLab/certificates
Merge branch 'master' into crl-support
This commit is contained in:
150 changed files with 3994 additions and 1569 deletions
Normal file
Normal file
@ -0,0 +1,11 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
version: 2
- package-ecosystem: "gomod" # See documentation for possible values
directory: "/" # Location of package manifests
interval: "weekly"
Normal file
Normal file
@ -0,0 +1,27 @@
name: CI
- 'v*'
- "master"
required: true
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
uses: smallstep/workflows/.github/workflows/goCI.yml@main
os-dependencies: "libpcsclite-dev"
run-gitleaks: true
run-codeql: true
Normal file
Normal file
@ -0,0 +1,9 @@
- cron: '0 0 * * *'
uses: smallstep/workflows/.github/workflows/code-scan.yml@main
@ -1,72 +0,0 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
name: "CodeQL"
branches: [ "master" ]
# The branches below must be a subset of the branches above
branches: [ "master" ]
- cron: '30 3 * * 3'
name: Analyze
runs-on: ubuntu-latest
actions: read
contents: read
security-events: write
fail-fast: false
language: [ 'go' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Learn more about CodeQL language support at
- name: Checkout repository
uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# Details on CodeQL's query packs refer to :
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
# 📚 See
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
@ -7,41 +7,13 @@ on:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
name: Lint, Test, Build
uses: smallstep/certificates/.github/workflows/ci.yml@main
runs-on: ubuntu-20.04
secrets: inherit
go: [ '1.18', '1.19' ]
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
name: Checkout
uses: actions/checkout@v2
name: Setup Go
uses: actions/setup-go@v2
go-version: ${{ matrix.go }}
name: Install Deps
id: install-deps
run: sudo apt-get -y install libpcsclite-dev
name: golangci-lint
uses: golangci/golangci-lint-action@v2
version: ${{ secrets.GOLANGCI_LINT_VERSION }}
args: --timeout=30m
name: Test, Build
id: lint_test_build
run: V=1 make ci
name: Create Release
name: Create Release
needs: test
needs: ci
runs-on: ubuntu-20.04
runs-on: ubuntu-20.04
debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }}
debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }}
@ -132,7 +104,7 @@ jobs:
name: Build & Upload Docker Images
name: Build & Upload Docker Images
runs-on: ubuntu-20.04
runs-on: ubuntu-20.04
needs: test
needs: ci
name: Checkout
name: Checkout
@ -1,49 +0,0 @@
name: Lint, Test, Build
- 'v*'
- "**"
name: Lint, Test, Build
runs-on: ubuntu-20.04
go: [ '1.18', '1.19' ]
name: Checkout
uses: actions/checkout@v2
name: Setup Go
uses: actions/setup-go@v2
go-version: ${{ matrix.go }}
name: Install Deps
id: install-deps
run: sudo apt-get -y install libpcsclite-dev
name: golangci-lint
uses: golangci/golangci-lint-action@v2
version: ${{ secrets.GOLANGCI_LINT_VERSION }}
args: --timeout=30m
name: Test, Build
id: lint_test_build
run: V=1 make ci
name: Codecov
if: matrix.go == '1.19'
uses: codecov/codecov-action@v2
token: ${{ secrets.CODECOV_TOKEN }}
files: ./coverage.out # optional
name: codecov-umbrella # optional
fail_ci_if_error: true # optional (default = false)
@ -6,6 +6,10 @@
# Go Workspaces
# Test binary, build with `go test -c`
# Test binary, build with `go test -c`
Normal file
Normal file
@ -0,0 +1,18 @@
@ -1,74 +0,0 @@
check-shadowing: true
- (
- (
- (
- (
min-confidence: 0
min-complexity: 10
suggest-new: true
threshold: 100
min-len: 2
min-occurrences: 2
list-type: blacklist
# logging is allowed only by logutils.Log, logrus
# is allowed to use only in logutils package
locale: US
line-length: 140
- performance
- style
- experimental
- diagnostic
- commentFormatting
- commentedOutCode
- evalOrder
- hugeParam
- octalLiteral
- rangeValCopy
- tooManyResultsChecker
- unnamedResult
disable-all: true
- gocritic
- gofmt
- gosimple
- govet
- ineffassign
- misspell
- revive
- staticcheck
- unused
- pkg
- can't lint
- declaration of "err" shadows declaration at line
- should have a package comment, unless it's in another file for this package
- error strings should not be capitalized or end with punctuation or a newline
- Wrapf call needs 1 arg but has 2 args
- cs.NegotiatedProtocolIsMutual is deprecated
@ -16,6 +16,10 @@ and this project adheres to [Semantic Versioning](
## [Unreleased]
## [Unreleased]
### Added
- Added support for ACME device-attest-01 challenge.
- Added name constraints evaluation and enforcement when issuing or renewing
X.509 certificates.
## [0.22.1] - 2022-08-31
## [0.22.1] - 2022-08-31
### Fixed
### Fixed
@ -28,8 +28,9 @@ ci: testcgo build
# Using a released version of golangci-lint to take into account custom replacements in their go.mod
$Q curl -sSfL | sh -s -- -b $$(go env GOPATH)/bin latest
$Q curl -sSfL | sh -s -- -b $(shell go env GOPATH)/bin v1.42.0
$Q go install
$Q go install
.PHONY: bootstra%
.PHONY: bootstra%
@ -132,17 +133,18 @@ generate:
# Test
# Test
$Q $(GOFLAGS) go test -short -coverprofile=coverage.out ./...
$Q $(GOFLAGS) gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...
$Q go test -short -coverprofile=coverage.out ./...
$Q gotestsum -- -coverprofile=coverage.out -short -covermode=atomic ./...
.PHONY: test testcgo
.PHONY: test testcgo
integrate: integration
integrate: integration
integration: bin/$(BINNAME)
integration: bin/$(BINNAME)
$Q $(GOFLAGS) go test -tags=integration ./integration/...
$Q $(GOFLAGS) gotestsum -- -tags=integration ./integration/...
.PHONY: integrate integration
.PHONY: integrate integration
@ -151,15 +153,14 @@ integration: bin/$(BINNAME)
$Q gofmt -l -s -w $(SRC)
$Q goimports -l -w $(SRC)
lint: SHELL:=/bin/bash
$Q golangci-lint run --timeout=30m
$Q LOG_LEVEL=error golangci-lint run --config <(curl -s --timeout=30m
$Q govulncheck ./...
.PHONY: fmt lint
$Q LOG_LEVEL=error golangci-lint run --timeout=30m
.PHONY: fmt lint lintcgo
# Install
# Install
@ -35,7 +35,7 @@ To get up and running quickly, or as an alternative to running your own `step-ca
[![GitHub release](](
[![GitHub release](](
[![Go Report Card](](
[![Go Report Card](](
[![Build Status](](
[![Build Status](](
[![CLA assistant](](
[![CLA assistant](](
@ -33,7 +33,7 @@ func (a *Account) ToLog() (interface{}, error) {
// IsValid returns true if the Account is valid.
// IsValid returns true if the Account is valid.
func (a *Account) IsValid() bool {
func (a *Account) IsValid() bool {
return Status(a.Status) == StatusValid
return a.Status == StatusValid
// KeyToID converts a JWK to a thumbprint.
// KeyToID converts a JWK to a thumbprint.
@ -46,14 +46,14 @@ func TestKeyToID(t *testing.T) {
tc := run(t)
tc := run(t)
if id, err := KeyToID(tc.jwk); err != nil {
if id, err := KeyToID(tc.jwk); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -131,12 +131,13 @@ func TestExternalAccountKey_BindTo(t *testing.T) {
if wantErr {
if wantErr {
assert.NotNil(t, err)
assert.NotNil(t, err)
assert.Type(t, &Error{}, err)
var ae *Error
ae, _ := err.(*Error)
if assert.True(t, errors.As(err, &ae)) {
assert.Equals(t, ae.Type, tt.err.Type)
assert.Equals(t, ae.Type, tt.err.Type)
assert.Equals(t, ae.Detail, tt.err.Detail)
assert.Equals(t, ae.Detail, tt.err.Detail)
assert.Equals(t, ae.Identifier, tt.err.Identifier)
assert.Equals(t, ae.Identifier, tt.err.Identifier)
assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
assert.Equals(t, ae.Subproblems, tt.err.Subproblems)
} else {
} else {
assert.Equals(t, eak.AccountID, acct.ID)
assert.Equals(t, eak.AccountID, acct.ID)
assert.Equals(t, eak.HmacKey, []byte{})
assert.Equals(t, eak.HmacKey, []byte{})
@ -2,6 +2,7 @@ package api
import (
import (
@ -97,8 +98,8 @@ func NewAccount(w http.ResponseWriter, r *http.Request) {
httpStatus := http.StatusCreated
httpStatus := http.StatusCreated
acc, err := accountFromContext(ctx)
acc, err := accountFromContext(ctx)
if err != nil {
if err != nil {
acmeErr, ok := err.(*acme.Error)
var acmeErr *acme.Error
if !ok || acmeErr.Status != http.StatusBadRequest {
if !errors.As(err, &acmeErr) || acmeErr.Status != http.StatusBadRequest {
// Something went wrong ...
// Something went wrong ...
render.Error(w, err)
render.Error(w, err)
@ -3,6 +3,7 @@ package api
import (
import (
@ -41,6 +42,18 @@ func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]prov
return nil, nil
return nil, nil
func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
return true
func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
return true
func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) {
return nil, false
func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil }
func (*fakeProvisioner) GetID() string { return "" }
func (*fakeProvisioner) GetID() string { return "" }
func (*fakeProvisioner) GetName() string { return "" }
func (*fakeProvisioner) GetName() string { return "" }
@ -184,11 +197,12 @@ func TestNewAccountRequest_Validate(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
if err := tc.nar.Validate(); err != nil {
if err := tc.nar.Validate(); err != nil {
if assert.NotNil(t, err) {
if assert.NotNil(t, err) {
ae, ok := err.(*acme.Error)
var ae *acme.Error
assert.True(t, ok)
if assert.True(t, errors.As(err, &ae)) {
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.Type, tc.err.Type)
assert.Equals(t, ae.Type, tc.err.Type)
} else {
} else {
assert.Nil(t, tc.err)
assert.Nil(t, tc.err)
@ -255,11 +269,12 @@ func TestUpdateAccountRequest_Validate(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
if err := tc.uar.Validate(); err != nil {
if err := tc.uar.Validate(); err != nil {
if assert.NotNil(t, err) {
if assert.NotNil(t, err) {
ae, ok := err.(*acme.Error)
var ae *acme.Error
assert.True(t, ok)
if assert.True(t, errors.As(err, &ae)) {
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.Type, tc.err.Type)
assert.Equals(t, ae.Type, tc.err.Type)
} else {
} else {
assert.Nil(t, tc.err)
assert.Nil(t, tc.err)
@ -3,6 +3,7 @@ package api
import (
import (
@ -24,6 +25,7 @@ func validateExternalAccountBinding(ctx context.Context, nar *NewAccountRequest)
if !acmeProv.RequireEAB {
if !acmeProv.RequireEAB {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
@ -51,7 +53,8 @@ func validateExternalAccountBinding(ctx context.Context, nar *NewAccountRequest)
db := acme.MustDatabaseFromContext(ctx)
db := acme.MustDatabaseFromContext(ctx)
externalAccountKey, err := db.GetExternalAccountKey(ctx, acmeProv.ID, keyID)
externalAccountKey, err := db.GetExternalAccountKey(ctx, acmeProv.ID, keyID)
if err != nil {
if err != nil {
if _, ok := err.(*acme.Error); ok {
var ae *acme.Error
if errors.As(err, &ae) {
return nil, acme.WrapError(acme.ErrorUnauthorizedType, err, "the field 'kid' references an unknown key")
return nil, acme.WrapError(acme.ErrorUnauthorizedType, err, "the field 'kid' references an unknown key")
return nil, acme.WrapErrorISE(err, "error retrieving external account key")
return nil, acme.WrapErrorISE(err, "error retrieving external account key")
@ -860,13 +860,15 @@ func TestHandler_validateExternalAccountBinding(t *testing.T) {
if wantErr {
if wantErr {
assert.NotNil(t, err)
assert.NotNil(t, err)
assert.Type(t, &acme.Error{}, err)
assert.Type(t, &acme.Error{}, err)
ae, _ := err.(*acme.Error)
var ae *acme.Error
assert.Equals(t, ae.Type, tc.err.Type)
if assert.True(t, errors.As(err, &ae)) {
assert.Equals(t, ae.Status, tc.err.Status)
assert.Equals(t, ae.Type, tc.err.Type)
assert.HasPrefix(t, ae.Err.Error(), tc.err.Err.Error())
assert.Equals(t, ae.Status, tc.err.Status)
assert.Equals(t, ae.Detail, tc.err.Detail)
assert.HasPrefix(t, ae.Err.Error(), tc.err.Err.Error())
assert.Equals(t, ae.Identifier, tc.err.Identifier)
assert.Equals(t, ae.Detail, tc.err.Detail)
assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
assert.Equals(t, ae.Identifier, tc.err.Identifier)
assert.Equals(t, ae.Subproblems, tc.err.Subproblems)
} else {
} else {
if got == nil {
if got == nil {
assert.Nil(t, tc.eak)
assert.Nil(t, tc.eak)
@ -289,19 +289,18 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
render.Error(w, err)
render.Error(w, err)
// Just verify that the payload was set, since we're not strictly adhering
// to ACME V2 spec for reasons specified below.
payload, err := payloadFromContext(ctx)
_, err = payloadFromContext(ctx)
if err != nil {
if err != nil {
render.Error(w, err)
render.Error(w, err)
// NOTE: We should be checking ^^^ that the request is either a POST-as-GET, or
// NOTE: We should be checking that the request is either a POST-as-GET, or
// that the payload is an empty JSON block ({}). However, older ACME clients
// that for all challenges except for device-attest-01, the payload is an
// still send a vestigial body (rather than an empty JSON block) and
// empty JSON block ({}). However, older ACME clients still send a vestigial
// strict enforcement would render these clients broken. For the time being
// body (rather than an empty JSON block) and strict enforcement would
// we'll just ignore the body.
// render these clients broken.
azID := chi.URLParam(r, "authzID")
azID := chi.URLParam(r, "authzID")
ch, err := db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID)
ch, err := db.GetChallenge(ctx, chi.URLParam(r, "chID"), azID)
@ -320,7 +319,7 @@ func GetChallenge(w http.ResponseWriter, r *http.Request) {
render.Error(w, err)
render.Error(w, err)
if err = ch.Validate(ctx, db, jwk); err != nil {
if err = ch.Validate(ctx, db, jwk, payload.value); err != nil {
render.Error(w, acme.WrapErrorISE(err, "error validating challenge"))
render.Error(w, acme.WrapErrorISE(err, "error validating challenge"))
@ -518,9 +518,6 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
"ok/empty-algorithm-in-jwk": func(t *testing.T) test {
"ok/empty-algorithm-in-jwk": func(t *testing.T) test {
_pub := *pub
clone := &_pub
clone.Algorithm = ""
ctx := context.WithValue(context.Background(), jwsContextKey, parsedJWS)
ctx := context.WithValue(context.Background(), jwsContextKey, parsedJWS)
ctx = context.WithValue(ctx, jwkContextKey, pub)
ctx = context.WithValue(ctx, jwkContextKey, pub)
return test{
return test{
@ -44,6 +44,10 @@ func (n *NewOrderRequest) Validate() error {
if _, err := x509util.SanitizeName(value); err != nil {
if _, err := x509util.SanitizeName(value); err != nil {
return acme.NewError(acme.ErrorMalformedType, "invalid DNS name: %s", id.Value)
return acme.NewError(acme.ErrorMalformedType, "invalid DNS name: %s", id.Value)
case acme.PermanentIdentifier:
if id.Value == "" {
return acme.NewError(acme.ErrorMalformedType, "permanent identifier cannot be empty")
return acme.NewError(acme.ErrorMalformedType, "identifier type unsupported: %s", id.Type)
return acme.NewError(acme.ErrorMalformedType, "identifier type unsupported: %s", id.Type)
@ -251,8 +255,13 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
db := acme.MustDatabaseFromContext(ctx)
db := acme.MustDatabaseFromContext(ctx)
az.Challenges = make([]*acme.Challenge, len(chTypes))
prov := acme.MustProvisionerFromContext(ctx)
for i, typ := range chTypes {
az.Challenges = make([]*acme.Challenge, 0, len(chTypes))
for _, typ := range chTypes {
if !prov.IsChallengeEnabled(ctx, provisioner.ACMEChallenge(typ)) {
ch := &acme.Challenge{
ch := &acme.Challenge{
AccountID: az.AccountID,
AccountID: az.AccountID,
Value: az.Identifier.Value,
Value: az.Identifier.Value,
@ -263,7 +272,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
if err := db.CreateChallenge(ctx, ch); err != nil {
if err := db.CreateChallenge(ctx, ch); err != nil {
return acme.WrapErrorISE(err, "error creating challenge")
return acme.WrapErrorISE(err, "error creating challenge")
az.Challenges[i] = ch
az.Challenges = append(az.Challenges, ch)
if err = db.CreateAuthorization(ctx, az); err != nil {
if err = db.CreateAuthorization(ctx, az); err != nil {
return acme.WrapErrorISE(err, "error creating authorization")
return acme.WrapErrorISE(err, "error creating authorization")
@ -388,6 +397,8 @@ func challengeTypes(az *acme.Authorization) []acme.ChallengeType {
if !az.Wildcard {
if !az.Wildcard {
chTypes = append(chTypes, []acme.ChallengeType{acme.HTTP01, acme.TLSALPN01}...)
chTypes = append(chTypes, []acme.ChallengeType{acme.HTTP01, acme.TLSALPN01}...)
case acme.PermanentIdentifier:
chTypes = []acme.ChallengeType{acme.DEVICEATTEST01}
chTypes = []acme.ChallengeType{}
chTypes = []acme.ChallengeType{}
@ -179,11 +179,12 @@ func TestNewOrderRequest_Validate(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
if err := tc.nor.Validate(); err != nil {
if err := tc.nor.Validate(); err != nil {
if assert.NotNil(t, err) {
if assert.NotNil(t, err) {
ae, ok := err.(*acme.Error)
var ae *acme.Error
assert.True(t, ok)
if assert.True(t, errors.As(err, &ae)) {
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.Type, tc.err.Type)
assert.Equals(t, ae.Type, tc.err.Type)
} else {
} else {
if assert.Nil(t, tc.err) {
if assert.Nil(t, tc.err) {
@ -253,11 +254,12 @@ func TestFinalizeRequestValidate(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
if err :=; err != nil {
if err :=; err != nil {
if assert.NotNil(t, err) {
if assert.NotNil(t, err) {
ae, ok := err.(*acme.Error)
var ae *acme.Error
assert.True(t, ok)
if assert.True(t, errors.As(err, &ae)) {
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.HasPrefix(t, ae.Error(), tc.err.Error())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.StatusCode(), tc.err.StatusCode())
assert.Equals(t, ae.Type, tc.err.Type)
assert.Equals(t, ae.Type, tc.err.Type)
} else {
} else {
if assert.Nil(t, tc.err) {
if assert.Nil(t, tc.err) {
@ -500,10 +502,12 @@ func TestHandler_GetOrder(t *testing.T) {
func TestHandler_newAuthorization(t *testing.T) {
func TestHandler_newAuthorization(t *testing.T) {
defaultProvisioner := newProv()
type test struct {
type test struct {
az *acme.Authorization
az *acme.Authorization
db acme.DB
prov acme.Provisioner
err *acme.Error
db acme.DB
err *acme.Error
var tests = map[string]func(t *testing.T) test{
var tests = map[string]func(t *testing.T) test{
"fail/error-db.CreateChallenge": func(t *testing.T) test {
"fail/error-db.CreateChallenge": func(t *testing.T) test {
@ -515,6 +519,7 @@ func TestHandler_newAuthorization(t *testing.T) {
return test{
return test{
prov: defaultProvisioner,
db: &acme.MockDB{
db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
assert.Equals(t, ch.AccountID, az.AccountID)
assert.Equals(t, ch.AccountID, az.AccountID)
@ -542,6 +547,7 @@ func TestHandler_newAuthorization(t *testing.T) {
count := 0
count := 0
var ch1, ch2, ch3 **acme.Challenge
var ch1, ch2, ch3 **acme.Challenge
return test{
return test{
prov: defaultProvisioner,
db: &acme.MockDB{
db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count {
switch count {
@ -596,6 +602,7 @@ func TestHandler_newAuthorization(t *testing.T) {
count := 0
count := 0
var ch1, ch2, ch3 **acme.Challenge
var ch1, ch2, ch3 **acme.Challenge
return test{
return test{
prov: defaultProvisioner,
db: &acme.MockDB{
db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
switch count {
switch count {
@ -648,6 +655,7 @@ func TestHandler_newAuthorization(t *testing.T) {
var ch1 **acme.Challenge
var ch1 **acme.Challenge
return test{
return test{
prov: defaultProvisioner,
db: &acme.MockDB{
db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
ch.ID = "dns"
ch.ID = "dns"
@ -676,21 +684,96 @@ func TestHandler_newAuthorization(t *testing.T) {
az: az,
az: az,
"ok/permanent-identifier-disabled": func(t *testing.T) test {
az := &acme.Authorization{
AccountID: "accID",
Identifier: acme.Identifier{
Type: "permanent-identifier",
Value: "7b53aa19-26f7-4fac-824f-7a781de0dab0",
Status: acme.StatusPending,
ExpiresAt: clock.Now(),
return test{
prov: defaultProvisioner,
db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
t.Errorf("createChallenge should not be called")
return nil
MockCreateAuthorization: func(ctx context.Context, _az *acme.Authorization) error {
assert.Equals(t, _az.AccountID, az.AccountID)
assert.Equals(t, _az.Token, az.Token)
assert.Equals(t, _az.Status, acme.StatusPending)
assert.Equals(t, _az.Identifier, az.Identifier)
assert.Equals(t, _az.ExpiresAt, az.ExpiresAt)
assert.Equals(t, _az.Challenges, []*acme.Challenge{})
assert.Equals(t, _az.Wildcard, false)
return nil
az: az,
"ok/permanent-identifier-enabled": func(t *testing.T) test {
var ch1 *acme.Challenge
az := &acme.Authorization{
AccountID: "accID",
Identifier: acme.Identifier{
Type: "permanent-identifier",
Value: "7b53aa19-26f7-4fac-824f-7a781de0dab0",
Status: acme.StatusPending,
ExpiresAt: clock.Now(),
deviceAttestProv := newProv()
deviceAttestProv.(*provisioner.ACME).Challenges = []provisioner.ACMEChallenge{provisioner.DEVICE_ATTEST_01}
return test{
prov: deviceAttestProv,
db: &acme.MockDB{
MockCreateChallenge: func(ctx context.Context, ch *acme.Challenge) error {
ch.ID = "997bacc2-c175-4214-a3b4-a229ada5f671"
assert.Equals(t, ch.Type, acme.DEVICEATTEST01)
assert.Equals(t, ch.AccountID, az.AccountID)
assert.Equals(t, ch.Token, az.Token)
assert.Equals(t, ch.Status, acme.StatusPending)
assert.Equals(t, ch.Value, "7b53aa19-26f7-4fac-824f-7a781de0dab0")
ch1 = ch
return nil
MockCreateAuthorization: func(ctx context.Context, _az *acme.Authorization) error {
assert.Equals(t, _az.AccountID, az.AccountID)
assert.Equals(t, _az.Token, az.Token)
assert.Equals(t, _az.Status, acme.StatusPending)
assert.Equals(t, _az.Identifier, az.Identifier)
assert.Equals(t, _az.ExpiresAt, az.ExpiresAt)
assert.Equals(t, _az.Challenges, []*acme.Challenge{ch1})
assert.Equals(t, _az.Wildcard, false)
return nil
az: az,
for name, run := range tests {
for name, run := range tests {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
if name == "ok/permanent-identifier-enabled" {
tc := run(t)
tc := run(t)
ctx := newBaseContext(context.Background(), tc.db)
ctx := newBaseContext(context.Background(), tc.db)
ctx = acme.NewProvisionerContext(ctx, tc.prov)
if err := newAuthorization(ctx,; err != nil {
if err := newAuthorization(ctx,; err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *acme.Error
case *acme.Error:
if assert.True(t, errors.As(err, &k)) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -130,14 +130,14 @@ func TestAuthorization_UpdateStatus(t *testing.T) {
tc := run(t)
tc := run(t)
if err :=, tc.db); err != nil {
if err :=, tc.db); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -3,9 +3,14 @@ package acme
import (
import (
@ -16,10 +21,14 @@ import (
type ChallengeType string
type ChallengeType string
@ -31,6 +40,8 @@ const (
DNS01 ChallengeType = "dns-01"
DNS01 ChallengeType = "dns-01"
// TLSALPN01 is the tls-alpn-01 ACME challenge type
// TLSALPN01 is the tls-alpn-01 ACME challenge type
TLSALPN01 ChallengeType = "tls-alpn-01"
TLSALPN01 ChallengeType = "tls-alpn-01"
// DEVICEATTEST01 is the device-attest-01 ACME challenge type
DEVICEATTEST01 ChallengeType = "device-attest-01"
// Challenge represents an ACME response Challenge type.
// Challenge represents an ACME response Challenge type.
@ -60,7 +71,7 @@ func (ch *Challenge) ToLog() (interface{}, error) {
// type using the DB interface.
// type using the DB interface.
// satisfactorily validated, the 'status' and 'validated' attributes are
// satisfactorily validated, the 'status' and 'validated' attributes are
// updated.
// updated.
func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey) error {
func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey, payload []byte) error {
// If already valid or invalid then return without performing validation.
// If already valid or invalid then return without performing validation.
if ch.Status != StatusPending {
if ch.Status != StatusPending {
return nil
return nil
@ -72,6 +83,8 @@ func (ch *Challenge) Validate(ctx context.Context, db DB, jwk *jose.JSONWebKey)
return dns01Validate(ctx, ch, db, jwk)
return dns01Validate(ctx, ch, db, jwk)
case TLSALPN01:
case TLSALPN01:
return tlsalpn01Validate(ctx, ch, db, jwk)
return tlsalpn01Validate(ctx, ch, db, jwk)
return deviceAttest01Validate(ctx, ch, db, jwk, payload)
return NewErrorISE("unexpected challenge type '%s'", ch.Type)
return NewErrorISE("unexpected challenge type '%s'", ch.Type)
@ -149,7 +162,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
// [RFC5246] or higher when connecting to clients for validation.
// [RFC5246] or higher when connecting to clients for validation.
MinVersion: tls.VersionTLS12,
MinVersion: tls.VersionTLS12,
ServerName: serverName(ch),
ServerName: serverName(ch),
InsecureSkipVerify: true, // nolint:gosec // we expect a self-signed challenge certificate
InsecureSkipVerify: true, //nolint:gosec // we expect a self-signed challenge certificate
hostPort := net.JoinHostPort(ch.Value, "443")
hostPort := net.JoinHostPort(ch.Value, "443")
@ -297,6 +310,350 @@ func dns01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebK
return nil
return nil
type Payload struct {
AttObj string `json:"attObj"`
Error string `json:"error"`
type AttestationObject struct {
Format string `json:"fmt"`
AttStatement map[string]interface{} `json:"attStmt,omitempty"`
// TODO(bweeks): move attestation verification to a shared package.
// TODO(bweeks): define new error type for failed attestation validation.
func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSONWebKey, payload []byte) error {
var p Payload
if err := json.Unmarshal(payload, &p); err != nil {
return WrapErrorISE(err, "error unmarshalling JSON")
if p.Error != "" {
return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType,
"payload contained error: %v", p.Error))
attObj, err := base64.RawURLEncoding.DecodeString(p.AttObj)
if err != nil {
return WrapErrorISE(err, "error base64 decoding attObj")
att := AttestationObject{}
if err := cbor.Unmarshal(attObj, &att); err != nil {
return WrapErrorISE(err, "error unmarshalling CBOR")
prov := MustProvisionerFromContext(ctx)
if !prov.IsAttestationFormatEnabled(ctx, provisioner.ACMEAttestationFormat(att.Format)) {
return storeError(ctx, db, ch, true,
NewError(ErrorBadAttestationStatementType, "attestation format %q is not enabled", att.Format))
switch att.Format {
case "apple":
data, err := doAppleAttestationFormat(ctx, prov, ch, &att)
if err != nil {
var acmeError *Error
if errors.As(err, &acmeError) {
if acmeError.Status == 500 {
return acmeError
return storeError(ctx, db, ch, true, acmeError)
return WrapErrorISE(err, "error validating attestation")
// Validate nonce with SHA-256 of the token.
if len(data.Nonce) != 0 {
sum := sha256.Sum256([]byte(ch.Token))
if subtle.ConstantTimeCompare(data.Nonce, sum[:]) != 1 {
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "challenge token does not match"))
// Validate Apple's ClientIdentifier (Identifier.Value) with device
// identifiers.
// Note: We might want to use an external service for this.
if data.UDID != ch.Value && data.SerialNumber != ch.Value {
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match"))
case "step":
data, err := doStepAttestationFormat(ctx, prov, ch, jwk, &att)
if err != nil {
var acmeError *Error
if errors.As(err, &acmeError) {
if acmeError.Status == 500 {
return acmeError
return storeError(ctx, db, ch, true, acmeError)
return WrapErrorISE(err, "error validating attestation")
// Validate Apple's ClientIdentifier (Identifier.Value) with device
// identifiers.
// Note: We might want to use an external service for this.
if data.SerialNumber != ch.Value {
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match"))
return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "unexpected attestation object format"))
// Update and store the challenge.
ch.Status = StatusValid
ch.Error = nil
ch.ValidatedAt = clock.Now().Format(time.RFC3339)
if err := db.UpdateChallenge(ctx, ch); err != nil {
return WrapErrorISE(err, "error updating challenge")
return nil
// Apple Enterprise Attestation Root CA from
const appleEnterpriseAttestationRootCA = `-----BEGIN CERTIFICATE-----
var (
oidAppleSerialNumber = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 9, 1}
oidAppleUniqueDeviceIdentifier = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 9, 2}
oidAppleSecureEnclaveProcessorOSVersion = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 10, 2}
oidAppleNonce = asn1.ObjectIdentifier{1, 2, 840, 113635, 100, 8, 11, 1}
type appleAttestationData struct {
Nonce []byte
SerialNumber string
UDID string
SEPVersion string
Certificate *x509.Certificate
func doAppleAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, att *AttestationObject) (*appleAttestationData, error) {
// Use configured or default attestation roots if none is configured.
roots, ok := prov.GetAttestationRoots()
if !ok {
root, err := pemutil.ParseCertificate([]byte(appleEnterpriseAttestationRootCA))
if err != nil {
return nil, WrapErrorISE(err, "error parsing apple enterprise ca")
roots = x509.NewCertPool()
x5c, ok := att.AttStatement["x5c"].([]interface{})
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "x5c not present")
if len(x5c) == 0 {
return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty")
der, ok := x5c[0].([]byte)
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
leaf, err := x509.ParseCertificate(der)
if err != nil {
return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
intermediates := x509.NewCertPool()
for _, v := range x5c[1:] {
der, ok = v.([]byte)
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
cert, err := x509.ParseCertificate(der)
if err != nil {
return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
if _, err := leaf.Verify(x509.VerifyOptions{
Intermediates: intermediates,
Roots: roots,
CurrentTime: time.Now().Truncate(time.Second),
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
}); err != nil {
return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid")
data := &appleAttestationData{
Certificate: leaf,
for _, ext := range leaf.Extensions {
switch {
case ext.Id.Equal(oidAppleSerialNumber):
data.SerialNumber = string(ext.Value)
case ext.Id.Equal(oidAppleUniqueDeviceIdentifier):
data.UDID = string(ext.Value)
case ext.Id.Equal(oidAppleSecureEnclaveProcessorOSVersion):
data.SEPVersion = string(ext.Value)
case ext.Id.Equal(oidAppleNonce):
data.Nonce = ext.Value
return data, nil
// Yubico PIV Root CA Serial 263751
const yubicoPIVRootCA = `-----BEGIN CERTIFICATE-----
// Serial number of the YubiKey, encoded as an integer.
var oidYubicoSerialNumber = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 41482, 3, 7}
type stepAttestationData struct {
Certificate *x509.Certificate
SerialNumber string
func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *AttestationObject) (*stepAttestationData, error) {
// Use configured or default attestation roots if none is configured.
roots, ok := prov.GetAttestationRoots()
if !ok {
root, err := pemutil.ParseCertificate([]byte(yubicoPIVRootCA))
if err != nil {
return nil, WrapErrorISE(err, "error parsing root ca")
roots = x509.NewCertPool()
// Extract x5c and verify certificate
x5c, ok := att.AttStatement["x5c"].([]interface{})
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "x5c not present")
if len(x5c) == 0 {
return nil, NewError(ErrorRejectedIdentifierType, "x5c is empty")
der, ok := x5c[0].([]byte)
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
leaf, err := x509.ParseCertificate(der)
if err != nil {
return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
intermediates := x509.NewCertPool()
for _, v := range x5c[1:] {
der, ok = v.([]byte)
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "x5c is malformed")
cert, err := x509.ParseCertificate(der)
if err != nil {
return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is malformed")
if _, err := leaf.Verify(x509.VerifyOptions{
Intermediates: intermediates,
Roots: roots,
CurrentTime: time.Now().Truncate(time.Second),
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
}); err != nil {
return nil, WrapError(ErrorBadAttestationStatementType, err, "x5c is not valid")
// Verify proof of possession of private key validating the key
// authorization. Per recommendation at
// the
// signature is CBOR-encoded.
var sig []byte
csig, ok := att.AttStatement["sig"].([]byte)
if !ok {
return nil, NewError(ErrorBadAttestationStatementType, "sig not present")
if err := cbor.Unmarshal(csig, &sig); err != nil {
return nil, NewError(ErrorBadAttestationStatementType, "sig is malformed")
keyAuth, err := KeyAuthorization(ch.Token, jwk)
if err != nil {
return nil, err
switch pub := leaf.PublicKey.(type) {
case *ecdsa.PublicKey:
if pub.Curve != elliptic.P256() {
return nil, WrapError(ErrorBadAttestationStatementType, err, "unsupported elliptic curve %s", pub.Curve)
sum := sha256.Sum256([]byte(keyAuth))
if !ecdsa.VerifyASN1(pub, sum[:], sig) {
return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature")
case *rsa.PublicKey:
sum := sha256.Sum256([]byte(keyAuth))
if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature")
case ed25519.PublicKey:
if !ed25519.Verify(pub, []byte(keyAuth), sig) {
return nil, NewError(ErrorBadAttestationStatementType, "failed to validate signature")
return nil, NewError(ErrorBadAttestationStatementType, "unsupported public key type %T", pub)
// Parse attestation data:
// TODO(mariano): add support for other extensions.
data := &stepAttestationData{
Certificate: leaf,
for _, ext := range leaf.Extensions {
if !ext.Id.Equal(oidYubicoSerialNumber) {
var serialNumber int
rest, err := asn1.Unmarshal(ext.Value, &serialNumber)
if err != nil || len(rest) > 0 {
return nil, WrapError(ErrorBadAttestationStatementType, err, "error parsing serial number")
data.SerialNumber = strconv.Itoa(serialNumber)
return data, nil
// serverName determines the SNI HostName to set based on an acme.Challenge
// serverName determines the SNI HostName to set based on an acme.Challenge
// for TLS-ALPN-01 challenges RFC8738 states that, if HostName is an IP, it
// for TLS-ALPN-01 challenges RFC8738 states that, if HostName is an IP, it
// should be the ARPA address
// should be the ARPA address
@ -4,6 +4,8 @@ import (
@ -13,6 +15,7 @@ import (
@ -20,13 +23,18 @@ import (
type mockClient struct {
type mockClient struct {
@ -37,8 +45,25 @@ type mockClient struct {
func (m *mockClient) Get(url string) (*http.Response, error) { return m.get(url) }
func (m *mockClient) Get(url string) (*http.Response, error) { return m.get(url) }
func (m *mockClient) LookupTxt(name string) ([]string, error) { return m.lookupTxt(name) }
func (m *mockClient) LookupTxt(name string) ([]string, error) { return m.lookupTxt(name) }
func (m *mockClient) TLSDial(network, addr string, config *tls.Config) (*tls.Conn, error) {
func (m *mockClient) TLSDial(network, addr string, tlsConfig *tls.Config) (*tls.Conn, error) {
return m.tlsDial(network, addr, config)
return m.tlsDial(network, addr, tlsConfig)
func mustAttestationProvisioner(t *testing.T, roots []byte) Provisioner {
prov := &provisioner.ACME{
Type: "ACME",
Name: "acme",
Challenges: []provisioner.ACMEChallenge{provisioner.DEVICE_ATTEST_01},
AttestationRoots: roots,
if err := prov.Init(provisioner.Config{
Claims: config.GlobalProvisionerClaims,
}); err != nil {
return prov
func Test_storeError(t *testing.T) {
func Test_storeError(t *testing.T) {
@ -163,14 +188,14 @@ func Test_storeError(t *testing.T) {
tc := run(t)
tc := run(t)
if err := storeError(context.Background(), tc.db,, tc.markInvalid, err); err != nil {
if err := storeError(context.Background(), tc.db,, tc.markInvalid, err); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -218,14 +243,14 @@ func TestKeyAuthorization(t *testing.T) {
tc := run(t)
tc := run(t)
if ka, err := KeyAuthorization(tc.token, tc.jwk); err != nil {
if ka, err := KeyAuthorization(tc.token, tc.jwk); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -506,16 +531,16 @@ func TestChallenge_Validate(t *testing.T) {
ctx := NewClientContext(context.Background(),
ctx := NewClientContext(context.Background(),
if err :=, tc.db, tc.jwk); err != nil {
if err :=, tc.db, tc.jwk, nil); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -903,14 +928,14 @@ func TestHTTP01Validate(t *testing.T) {
ctx := NewClientContext(context.Background(),
ctx := NewClientContext(context.Background(),
if err := http01Validate(ctx,, tc.db, tc.jwk); err != nil {
if err := http01Validate(ctx,, tc.db, tc.jwk); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -1203,14 +1228,14 @@ func TestDNS01Validate(t *testing.T) {
ctx := NewClientContext(context.Background(),
ctx := NewClientContext(context.Background(),
if err := dns01Validate(ctx,, tc.db, tc.jwk); err != nil {
if err := dns01Validate(ctx,, tc.db, tc.jwk); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -2273,14 +2298,14 @@ func TestTLSALPN01Validate(t *testing.T) {
ctx := NewClientContext(context.Background(),
ctx := NewClientContext(context.Background(),
if err := tlsalpn01Validate(ctx,, tc.db, tc.jwk); err != nil {
if err := tlsalpn01Validate(ctx,, tc.db, tc.jwk); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -2400,3 +2425,352 @@ func Test_http01ChallengeHost(t *testing.T) {
func Test_doAppleAttestationFormat(t *testing.T) {
ctx := context.Background()
ca, err := minica.New()
if err != nil {
caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Root.Raw})
signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
leaf, err := ca.Sign(&x509.Certificate{
Subject: pkix.Name{CommonName: "attestation cert"},
PublicKey: signer.Public(),
ExtraExtensions: []pkix.Extension{
{Id: oidAppleSerialNumber, Value: []byte("serial-number")},
{Id: oidAppleUniqueDeviceIdentifier, Value: []byte("udid")},
{Id: oidAppleSecureEnclaveProcessorOSVersion, Value: []byte("16.0")},
{Id: oidAppleNonce, Value: []byte("nonce")},
if err != nil {
type args struct {
ctx context.Context
prov Provisioner
ch *Challenge
att *AttestationObject
tests := []struct {
name string
args args
want *appleAttestationData
wantErr bool
{"ok", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
}}, &appleAttestationData{
Nonce: []byte("nonce"),
SerialNumber: "serial-number",
UDID: "udid",
SEPVersion: "16.0",
Certificate: leaf,
}, false},
{"fail apple issuer", args{ctx, mustAttestationProvisioner(t, nil), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
}}, nil, true},
{"fail missing x5c", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"foo": "bar",
}}, nil, true},
{"fail empty issuer", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{},
}}, nil, true},
{"fail leaf type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{"leaf", ca.Intermediate.Raw},
}}, nil, true},
{"fail leaf parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw[:100], ca.Intermediate.Raw},
}}, nil, true},
{"fail intermediate type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, "intermediate"},
}}, nil, true},
{"fail intermediate parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw[:100]},
}}, nil, true},
{"fail verify", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{}, &AttestationObject{
Format: "apple",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw},
}}, nil, true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
got, err := doAppleAttestationFormat(tt.args.ctx, tt.args.prov,, tt.args.att)
if (err != nil) != tt.wantErr {
t.Errorf("doAppleAttestationFormat() error = %v, wantErr %v", err, tt.wantErr)
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("doAppleAttestationFormat() = %v, want %v", got, tt.want)
func Test_doStepAttestationFormat(t *testing.T) {
ctx := context.Background()
ca, err := minica.New()
if err != nil {
caRoot := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Root.Raw})
makeLeaf := func(signer crypto.Signer, serialNumber []byte) *x509.Certificate {
leaf, err := ca.Sign(&x509.Certificate{
Subject: pkix.Name{CommonName: "attestation cert"},
PublicKey: signer.Public(),
ExtraExtensions: []pkix.Extension{
{Id: oidYubicoSerialNumber, Value: serialNumber},
if err != nil {
return leaf
mustSigner := func(kty, crv string, size int) crypto.Signer {
s, err := keyutil.GenerateSigner(kty, crv, size)
if err != nil {
return s
signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
serialNumber, err := asn1.Marshal(1234)
if err != nil {
leaf := makeLeaf(signer, serialNumber)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
if err != nil {
keyAuth, err := KeyAuthorization("token", jwk)
if err != nil {
keyAuthSum := sha256.Sum256([]byte(keyAuth))
sig, err := signer.Sign(rand.Reader, keyAuthSum[:], crypto.SHA256)
if err != nil {
cborSig, err := cbor.Marshal(sig)
if err != nil {
otherSigner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
otherSig, err := otherSigner.Sign(rand.Reader, keyAuthSum[:], crypto.SHA256)
if err != nil {
otherCBORSig, err := cbor.Marshal(otherSig)
if err != nil {
type args struct {
ctx context.Context
prov Provisioner
ch *Challenge
jwk *jose.JSONWebKey
att *AttestationObject
tests := []struct {
name string
args args
want *stepAttestationData
wantErr bool
{"ok", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, &stepAttestationData{
SerialNumber: "1234",
Certificate: leaf,
}, false},
{"fail yubico issuer", args{ctx, mustAttestationProvisioner(t, nil), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail x5c type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": [][]byte{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail x5c empty", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail leaf type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{"leaf", ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail leaf parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw[:100], ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail intermediate type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, "intermediate"},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail intermediate parse", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw[:100]},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail verify", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail sig type", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": string(cborSig),
}}, nil, true},
{"fail sig unmarshal", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": []byte("bad-sig"),
}}, nil, true},
{"fail keyAuthorization", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, &jose.JSONWebKey{Key: []byte("not an asymmetric key")}, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail sig verify P-256", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{leaf.Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": otherCBORSig,
}}, nil, true},
{"fail sig verify P-384", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{makeLeaf(mustSigner("EC", "P-384", 0), serialNumber).Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail sig verify RSA", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{makeLeaf(mustSigner("RSA", "", 2048), serialNumber).Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail sig verify Ed25519", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{makeLeaf(mustSigner("OKP", "Ed25519", 0), serialNumber).Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
{"fail unmarshal serial number", args{ctx, mustAttestationProvisioner(t, caRoot), &Challenge{Token: "token"}, jwk, &AttestationObject{
Format: "step",
AttStatement: map[string]interface{}{
"x5c": []interface{}{makeLeaf(signer, []byte("bad-serial")).Raw, ca.Intermediate.Raw},
"alg": -7,
"sig": cborSig,
}}, nil, true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
got, err := doStepAttestationFormat(tt.args.ctx, tt.args.prov,, tt.args.jwk, tt.args.att)
if (err != nil) != tt.wantErr {
t.Errorf("doStepAttestationFormat() error = %#v, wantErr %v", err, tt.wantErr)
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("doStepAttestationFormat() = %v, want %v", got, tt.want)
@ -56,7 +56,7 @@ func NewClient() Client {
Timeout: 30 * time.Second,
Timeout: 30 * time.Second,
Transport: &http.Transport{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{
TLSClientConfig: &tls.Config{
// nolint:gosec // used on tls-alpn-01 challenge
//nolint:gosec // used on tls-alpn-01 challenge
InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
@ -71,6 +71,9 @@ type Provisioner interface {
AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error
AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error)
AuthorizeRevoke(ctx context.Context, token string) error
AuthorizeRevoke(ctx context.Context, token string) error
IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool
IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
GetAttestationRoots() (*x509.CertPool, bool)
GetID() string
GetID() string
GetName() string
GetName() string
DefaultTLSCertDuration() time.Duration
DefaultTLSCertDuration() time.Duration
@ -109,6 +112,9 @@ type MockProvisioner struct {
MauthorizeOrderIdentifier func(ctx context.Context, identifier provisioner.ACMEIdentifier) error
MauthorizeOrderIdentifier func(ctx context.Context, identifier provisioner.ACMEIdentifier) error
MauthorizeSign func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
MauthorizeSign func(ctx context.Context, ott string) ([]provisioner.SignOption, error)
MauthorizeRevoke func(ctx context.Context, token string) error
MauthorizeRevoke func(ctx context.Context, token string) error
MisChallengeEnabled func(ctx context.Context, challenge provisioner.ACMEChallenge) bool
MisAttFormatEnabled func(ctx context.Context, format provisioner.ACMEAttestationFormat) bool
MgetAttestationRoots func() (*x509.CertPool, bool)
MdefaultTLSCertDuration func() time.Duration
MdefaultTLSCertDuration func() time.Duration
MgetOptions func() *provisioner.Options
MgetOptions func() *provisioner.Options
@ -145,6 +151,29 @@ func (m *MockProvisioner) AuthorizeRevoke(ctx context.Context, token string) err
return m.Merr
return m.Merr
// IsChallengeEnabled mock
func (m *MockProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool {
if m.MisChallengeEnabled != nil {
return m.MisChallengeEnabled(ctx, challenge)
return m.Merr == nil
// IsAttestationFormatEnabled mock
func (m *MockProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool {
if m.MisAttFormatEnabled != nil {
return m.MisAttFormatEnabled(ctx, format)
return m.Merr == nil
func (m *MockProvisioner) GetAttestationRoots() (*x509.CertPool, bool) {
if m.MgetAttestationRoots != nil {
return m.MgetAttestationRoots()
return m.Mret1.(*x509.CertPool), m.Mret1 != nil
// DefaultTLSCertDuration mock
// DefaultTLSCertDuration mock
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration {
func (m *MockProvisioner) DefaultTLSCertDuration() time.Duration {
if m.MdefaultTLSCertDuration != nil {
if m.MdefaultTLSCertDuration != nil {
@ -95,16 +95,16 @@ func TestDB_getDBAccount(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if dbacc, err := d.getDBAccount(context.Background(), accID); err != nil {
if dbacc, err := d.getDBAccount(context.Background(), accID); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -174,16 +174,16 @@ func TestDB_getAccountIDByKeyID(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if retAccID, err := d.getAccountIDByKeyID(context.Background(), kid); err != nil {
if retAccID, err := d.getAccountIDByKeyID(context.Background(), kid); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -248,16 +248,16 @@ func TestDB_GetAccount(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if acc, err := d.GetAccount(context.Background(), accID); err != nil {
if acc, err := d.GetAccount(context.Background(), accID); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -354,16 +354,16 @@ func TestDB_GetAccountByKeyID(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if acc, err := d.GetAccountByKeyID(context.Background(), kid); err != nil {
if acc, err := d.GetAccountByKeyID(context.Background(), kid); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -77,7 +77,7 @@ func TestDB_getDBAuthz(t *testing.T) {
Token: "token",
Token: "token",
CreatedAt: now,
CreatedAt: now,
ExpiresAt: now.Add(5 * time.Minute),
ExpiresAt: now.Add(5 * time.Minute),
Error: acme.NewErrorISE("force"),
Error: acme.NewErrorISE("The server experienced an internal error"),
ChallengeIDs: []string{"foo", "bar"},
ChallengeIDs: []string{"foo", "bar"},
Wildcard: true,
Wildcard: true,
@ -101,16 +101,16 @@ func TestDB_getDBAuthz(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if dbaz, err := d.getDBAuthz(context.Background(), azID); err != nil {
if dbaz, err := d.getDBAuthz(context.Background(), azID); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -254,7 +254,7 @@ func TestDB_GetAuthorization(t *testing.T) {
Token: "token",
Token: "token",
CreatedAt: now,
CreatedAt: now,
ExpiresAt: now.Add(5 * time.Minute),
ExpiresAt: now.Add(5 * time.Minute),
Error: acme.NewErrorISE("force"),
Error: acme.NewErrorISE("The server experienced an internal error"),
ChallengeIDs: []string{"foo", "bar"},
ChallengeIDs: []string{"foo", "bar"},
Wildcard: true,
Wildcard: true,
@ -295,16 +295,16 @@ func TestDB_GetAuthorization(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if az, err := d.GetAuthorization(context.Background(), azID); err != nil {
if az, err := d.GetAuthorization(context.Background(), azID); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -532,7 +532,7 @@ func TestDB_UpdateAuthorization(t *testing.T) {
assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard)
assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard)
assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt)
assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt)
assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt)
assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt)
assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "malformed").Error())
assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
return nil, false, errors.New("force")
return nil, false, errors.New("force")
@ -582,7 +582,7 @@ func TestDB_UpdateAuthorization(t *testing.T) {
assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard)
assert.Equals(t, dbNew.Wildcard, dbaz.Wildcard)
assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt)
assert.Equals(t, dbNew.CreatedAt, dbaz.CreatedAt)
assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt)
assert.Equals(t, dbNew.ExpiresAt, dbaz.ExpiresAt)
assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "malformed").Error())
assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
return nu, true, nil
return nu, true, nil
@ -745,16 +745,16 @@ func TestDB_GetAuthorizationsByAccountID(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if azs, err := d.GetAuthorizationsByAccountID(context.Background(), accountID); err != nil {
if azs, err := d.GetAuthorizationsByAccountID(context.Background(), accountID); err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -138,5 +138,4 @@ func parseBundle(b []byte) ([]*x509.Certificate, error) {
return nil, errors.New("error decoding PEM: unexpected data")
return nil, errors.New("error decoding PEM: unexpected data")
return bundle, nil
return bundle, nil
@ -250,16 +250,16 @@ func TestDB_GetCertificate(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
cert, err := d.GetCertificate(context.Background(), certID)
cert, err := d.GetCertificate(context.Background(), certID)
if err != nil {
if err != nil {
switch k := err.(type) {
var acmeErr *acme.Error
case *acme.Error:
if errors.As(err, &acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, acmeErr.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, acmeErr.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, acmeErr.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, acmeErr.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -444,16 +444,16 @@ func TestDB_GetCertificateBySerial(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
cert, err := d.GetCertificateBySerial(context.Background(), serial)
cert, err := d.GetCertificateBySerial(context.Background(), serial)
if err != nil {
if err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -72,7 +72,7 @@ func TestDB_getDBChallenge(t *testing.T) {
Value: "",
Value: "",
CreatedAt: clock.Now(),
CreatedAt: clock.Now(),
ValidatedAt: "foobar",
ValidatedAt: "foobar",
Error: acme.NewErrorISE("force"),
Error: acme.NewErrorISE("The server experienced an internal error"),
b, err := json.Marshal(dbc)
b, err := json.Marshal(dbc)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -94,16 +94,16 @@ func TestDB_getDBChallenge(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if ch, err := d.getDBChallenge(context.Background(), chID); err != nil {
if ch, err := d.getDBChallenge(context.Background(), chID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -264,7 +264,7 @@ func TestDB_GetChallenge(t *testing.T) {
Value: "",
Value: "",
CreatedAt: clock.Now(),
CreatedAt: clock.Now(),
ValidatedAt: "foobar",
ValidatedAt: "foobar",
Error: acme.NewErrorISE("force"),
Error: acme.NewErrorISE("The server experienced an internal error"),
b, err := json.Marshal(dbc)
b, err := json.Marshal(dbc)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -286,16 +286,16 @@ func TestDB_GetChallenge(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if ch, err := d.GetChallenge(context.Background(), chID, azID); err != nil {
if ch, err := d.GetChallenge(context.Background(), chID, azID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -354,7 +354,7 @@ func TestDB_UpdateChallenge(t *testing.T) {
ID: chID,
ID: chID,
Status: acme.StatusValid,
Status: acme.StatusValid,
ValidatedAt: "foobar",
ValidatedAt: "foobar",
Error: acme.NewError(acme.ErrorMalformedType, "malformed"),
Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"),
return test{
return test{
ch: updCh,
ch: updCh,
@ -428,7 +428,7 @@ func TestDB_UpdateChallenge(t *testing.T) {
assert.Equals(t, dbNew.CreatedAt, dbc.CreatedAt)
assert.Equals(t, dbNew.CreatedAt, dbc.CreatedAt)
assert.Equals(t, dbNew.Status, acme.StatusValid)
assert.Equals(t, dbNew.Status, acme.StatusValid)
assert.Equals(t, dbNew.ValidatedAt, "foobar")
assert.Equals(t, dbNew.ValidatedAt, "foobar")
assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "malformed").Error())
assert.Equals(t, dbNew.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
return nu, true, nil
return nu, true, nil
@ -54,7 +54,6 @@ func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExtern
// CreateExternalAccountKey creates a new External Account Binding key with a name
// CreateExternalAccountKey creates a new External Account Binding key with a name
func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, reference string) (*acme.ExternalAccountKey, error) {
defer externalAccountKeyMutex.Unlock()
defer externalAccountKeyMutex.Unlock()
@ -210,6 +209,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI
defer externalAccountKeyMutex.RUnlock()
defer externalAccountKeyMutex.RUnlock()
if reference == "" {
if reference == "" {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
@ -228,6 +228,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI
func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
@ -371,7 +372,6 @@ func sliceIndex(slice []string, item string) int {
// removeElement deletes the item if it exists in the
// removeElement deletes the item if it exists in the
// slice. It returns a new slice, keeping the old one intact.
// slice. It returns a new slice, keeping the old one intact.
func removeElement(slice []string, item string) []string {
func removeElement(slice []string, item string) []string {
newSlice := make([]string, 0)
newSlice := make([]string, 0)
index := sliceIndex(slice, item)
index := sliceIndex(slice, item)
if index < 0 {
if index < 0 {
@ -93,16 +93,16 @@ func TestDB_getDBExternalAccountKey(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if dbeak, err := d.getDBExternalAccountKey(context.Background(), keyID); err != nil {
if dbeak, err := d.getDBExternalAccountKey(context.Background(), keyID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -210,16 +210,16 @@ func TestDB_GetExternalAccountKey(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if eak, err := d.GetExternalAccountKey(context.Background(), provID, keyID); err != nil {
if eak, err := d.GetExternalAccountKey(context.Background(), provID, keyID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -374,16 +374,16 @@ func TestDB_GetExternalAccountKeyByReference(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if eak, err := d.GetExternalAccountKeyByReference(context.Background(), provID, tc.ref); err != nil {
if eak, err := d.GetExternalAccountKeyByReference(context.Background(), provID, tc.ref); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -580,16 +580,16 @@ func TestDB_GetExternalAccountKeys(t *testing.T) {
cursor, limit := "", 0
cursor, limit := "", 0
if eaks, nextCursor, err := d.GetExternalAccountKeys(context.Background(), provID, cursor, limit); err != nil {
if eaks, nextCursor, err := d.GetExternalAccountKeys(context.Background(), provID, cursor, limit); err != nil {
assert.Equals(t, "", nextCursor)
assert.Equals(t, "", nextCursor)
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.Equals(t, tc.err.Error(), err.Error())
assert.Equals(t, tc.err.Error(), err.Error())
@ -672,7 +672,7 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
return errors.New("force default")
return errors.New("force default")
MCmpAndSwap: func(bucket, key, old, new []byte) ([]byte, bool, error) {
MCmpAndSwap: func(bucket, key, old, nu []byte) ([]byte, bool, error) {
switch string(bucket) {
switch string(bucket) {
case string(externalAccountKeyIDsByReferenceTable):
case string(externalAccountKeyIDsByReferenceTable):
@ -882,16 +882,16 @@ func TestDB_DeleteExternalAccountKey(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if err := d.DeleteExternalAccountKey(context.Background(), provID, keyID); err != nil {
if err := d.DeleteExternalAccountKey(context.Background(), provID, keyID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.Equals(t, err.Error(), tc.err.Error())
assert.Equals(t, err.Error(), tc.err.Error())
@ -146,16 +146,16 @@ func TestDB_DeleteNonce(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if err := d.DeleteNonce(context.Background(), acme.Nonce(nonceID)); err != nil {
if err := d.DeleteNonce(context.Background(), acme.Nonce(nonceID)); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -80,7 +80,7 @@ func TestDB_getDBOrder(t *testing.T) {
{Type: "dns", Value: ""},
{Type: "dns", Value: ""},
AuthorizationIDs: []string{"foo", "bar"},
AuthorizationIDs: []string{"foo", "bar"},
Error: acme.NewError(acme.ErrorMalformedType, "force"),
Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"),
b, err := json.Marshal(dbo)
b, err := json.Marshal(dbo)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -102,16 +102,16 @@ func TestDB_getDBOrder(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if dbo, err := d.getDBOrder(context.Background(), orderID); err != nil {
if dbo, err := d.getDBOrder(context.Background(), orderID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -185,7 +185,7 @@ func TestDB_GetOrder(t *testing.T) {
{Type: "dns", Value: ""},
{Type: "dns", Value: ""},
AuthorizationIDs: []string{"foo", "bar"},
AuthorizationIDs: []string{"foo", "bar"},
Error: acme.NewError(acme.ErrorMalformedType, "force"),
Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"),
b, err := json.Marshal(dbo)
b, err := json.Marshal(dbo)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -206,16 +206,16 @@ func TestDB_GetOrder(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if o, err := d.GetOrder(context.Background(), orderID); err != nil {
if o, err := d.GetOrder(context.Background(), orderID); err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -284,7 +284,7 @@ func TestDB_UpdateOrder(t *testing.T) {
ID: orderID,
ID: orderID,
Status: acme.StatusValid,
Status: acme.StatusValid,
CertificateID: "certID",
CertificateID: "certID",
Error: acme.NewError(acme.ErrorMalformedType, "force"),
Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"),
return test{
return test{
o: o,
o: o,
@ -324,7 +324,7 @@ func TestDB_UpdateOrder(t *testing.T) {
ID: orderID,
ID: orderID,
Status: acme.StatusValid,
Status: acme.StatusValid,
CertificateID: "certID",
CertificateID: "certID",
Error: acme.NewError(acme.ErrorMalformedType, "force"),
Error: acme.NewError(acme.ErrorMalformedType, "The request message was malformed"),
return test{
return test{
o: o,
o: o,
@ -372,7 +372,7 @@ func TestDB_UpdateOrder(t *testing.T) {
assert.Equals(t, tc.o.ID, dbo.ID)
assert.Equals(t, tc.o.ID, dbo.ID)
assert.Equals(t, tc.o.CertificateID, "certID")
assert.Equals(t, tc.o.CertificateID, "certID")
assert.Equals(t, tc.o.Status, acme.StatusValid)
assert.Equals(t, tc.o.Status, acme.StatusValid)
assert.Equals(t, tc.o.Error.Error(), acme.NewError(acme.ErrorMalformedType, "force").Error())
assert.Equals(t, tc.o.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
@ -659,7 +659,7 @@ func TestDB_updateAddOrderIDs(t *testing.T) {
assert.Equals(t, newdbo.ID, "foo")
assert.Equals(t, newdbo.ID, "foo")
assert.Equals(t, newdbo.Status, acme.StatusInvalid)
assert.Equals(t, newdbo.Status, acme.StatusInvalid)
assert.Equals(t, newdbo.ExpiresAt, expiry)
assert.Equals(t, newdbo.ExpiresAt, expiry)
assert.Equals(t, newdbo.Error.Error(), acme.NewError(acme.ErrorMalformedType, "order has expired").Error())
assert.Equals(t, newdbo.Error.Error(), acme.NewError(acme.ErrorMalformedType, "The request message was malformed").Error())
return nil, false, errors.New("force")
return nil, false, errors.New("force")
@ -1003,16 +1003,16 @@ func TestDB_updateAddOrderIDs(t *testing.T) {
if err != nil {
if err != nil {
switch k := err.(type) {
var ae *acme.Error
case *acme.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.acmeErr) {
if assert.NotNil(t, tc.acmeErr) {
assert.Equals(t, k.Type, tc.acmeErr.Type)
assert.Equals(t, ae.Type, tc.acmeErr.Type)
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
assert.Equals(t, k.Status, tc.acmeErr.Status)
assert.Equals(t, ae.Status, tc.acmeErr.Status)
assert.Equals(t, k.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.acmeErr.Err.Error())
assert.Equals(t, k.Detail, tc.acmeErr.Detail)
assert.Equals(t, ae.Detail, tc.acmeErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -17,6 +17,8 @@ const (
ErrorAccountDoesNotExistType ProblemType = iota
ErrorAccountDoesNotExistType ProblemType = iota
// ErrorAlreadyRevokedType request specified a certificate to be revoked that has already been revoked
// ErrorAlreadyRevokedType request specified a certificate to be revoked that has already been revoked
// ErrorBadAttestationStatementType WebAuthn attestation statement could not be verified
// ErrorBadCSRType CSR is unacceptable (e.g., due to a short key)
// ErrorBadCSRType CSR is unacceptable (e.g., due to a short key)
// ErrorBadNonceType client sent an unacceptable anti-replay nonce
// ErrorBadNonceType client sent an unacceptable anti-replay nonce
@ -172,6 +174,11 @@ var (
details: "The JWS was signed with an algorithm the server does not support",
details: "The JWS was signed with an algorithm the server does not support",
status: 400,
status: 400,
ErrorBadAttestationStatementType: {
typ: officialACMEPrefix + ErrorBadAttestationStatementType.String(),
details: "Attestation statement cannot be verified",
status: 400,
ErrorCaaType: {
ErrorCaaType: {
typ: officialACMEPrefix + ErrorCaaType.String(),
typ: officialACMEPrefix + ErrorCaaType.String(),
details: "Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate",
details: "Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate",
@ -303,10 +310,11 @@ func NewErrorISE(msg string, args ...interface{}) *Error {
// WrapError attempts to wrap the internal error.
// WrapError attempts to wrap the internal error.
func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
switch e := err.(type) {
var e *Error
case nil:
switch {
case err == nil:
return nil
return nil
case *Error:
case errors.As(err, &e):
if e.Err == nil {
if e.Err == nil {
e.Err = errors.Errorf(msg+"; "+e.Detail, args...)
e.Err = errors.Errorf(msg+"; "+e.Detail, args...)
} else {
} else {
@ -328,9 +336,12 @@ func (e *Error) StatusCode() int {
return e.Status
return e.Status
// Error allows AError to implement the error interface.
// Error implements the error interface.
func (e *Error) Error() string {
func (e *Error) Error() string {
return e.Detail
if e.Err == nil {
return e.Detail
return e.Err.Error()
// Cause returns the internal error and implements the Causer interface.
// Cause returns the internal error and implements the Causer interface.
@ -21,6 +21,9 @@ const (
IP IdentifierType = "ip"
IP IdentifierType = "ip"
// DNS is the ACME dns identifier type
// DNS is the ACME dns identifier type
DNS IdentifierType = "dns"
DNS IdentifierType = "dns"
// PermanentIdentifier is the ACME permanent-identifier identifier type
// defined in
PermanentIdentifier IdentifierType = "permanent-identifier"
// Identifier encodes the type that an order pertains to.
// Identifier encodes the type that an order pertains to.
@ -124,6 +127,11 @@ func (o *Order) UpdateStatus(ctx context.Context, db DB) error {
// Finalize signs a certificate if the necessary conditions for Order completion
// Finalize signs a certificate if the necessary conditions for Order completion
// have been met.
// have been met.
// TODO(mariano): Here or in the challenge validation we should perform some
// external validation using the identifier value and the attestation data. From
// a validation service we can get the list of SANs to set in the final
// certificate.
func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error {
func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateRequest, auth CertificateAuthority, p Provisioner) error {
if err := o.UpdateStatus(ctx, db); err != nil {
if err := o.UpdateStatus(ctx, db); err != nil {
return err
return err
@ -145,10 +153,39 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
// canonicalize the CSR to allow for comparison
// canonicalize the CSR to allow for comparison
csr = canonicalize(csr)
csr = canonicalize(csr)
// retrieve the requested SANs for the Order
// Template data
sans, err := o.sans(csr)
data := x509util.NewTemplateData()
if err != nil {
return err
// Custom sign options passed to authority.Sign
var extraOptions []provisioner.SignOption
// TODO: support for multiple identifiers?
var permanentIdentifier string
for i := range o.Identifiers {
if o.Identifiers[i].Type == PermanentIdentifier {
permanentIdentifier = o.Identifiers[i].Value
var defaultTemplate string
if permanentIdentifier != "" {
defaultTemplate = x509util.DefaultAttestedLeafTemplate
Type: x509util.PermanentIdentifierType,
Value: permanentIdentifier,
extraOptions = append(extraOptions, provisioner.AttestationData{
PermanentIdentifier: permanentIdentifier,
} else {
defaultTemplate = x509util.DefaultLeafTemplate
sans, err := o.sans(csr)
if err != nil {
return err
// Get authorizations from the ACME provisioner.
// Get authorizations from the ACME provisioner.
@ -158,16 +195,14 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
return WrapErrorISE(err, "error retrieving authorization options from ACME provisioner")
return WrapErrorISE(err, "error retrieving authorization options from ACME provisioner")
// Template data
templateOptions, err := provisioner.CustomTemplateOptions(p.GetOptions(), data, defaultTemplate)
data := x509util.NewTemplateData()
data.Set(x509util.SANsKey, sans)
templateOptions, err := provisioner.TemplateOptions(p.GetOptions(), data)
if err != nil {
if err != nil {
return WrapErrorISE(err, "error creating template options from ACME provisioner")
return WrapErrorISE(err, "error creating template options from ACME provisioner")
// Build extra signing options.
signOps = append(signOps, templateOptions)
signOps = append(signOps, templateOptions)
signOps = append(signOps, extraOptions...)
// Sign a new certificate.
// Sign a new certificate.
certChain, err := auth.Sign(csr, provisioner.SignOptions{
certChain, err := auth.Sign(csr, provisioner.SignOptions{
@ -197,9 +232,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativeName, error) {
func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativeName, error) {
var sans []x509util.SubjectAlternativeName
var sans []x509util.SubjectAlternativeName
if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
return sans, NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed")
return sans, NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed")
@ -207,7 +240,8 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
// order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR
// order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR
orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))
orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))
indexDNS, indexIP := 0, 0
orderPIDs := make([]string, numberOfIdentifierType(PermanentIdentifier, o.Identifiers))
indexDNS, indexIP, indexPID := 0, 0, 0
for _, n := range o.Identifiers {
for _, n := range o.Identifiers {
switch n.Type {
switch n.Type {
case DNS:
case DNS:
@ -216,6 +250,9 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
case IP:
case IP:
orderIPs[indexIP] = net.ParseIP(n.Value) // NOTE: this assumes are all valid IPs at this time; or will result in nil entries
orderIPs[indexIP] = net.ParseIP(n.Value) // NOTE: this assumes are all valid IPs at this time; or will result in nil entries
case PermanentIdentifier:
orderPIDs[indexPID] = n.Value
return sans, NewErrorISE("unsupported identifier type in order: %s", n.Type)
return sans, NewErrorISE("unsupported identifier type in order: %s", n.Type)
@ -287,7 +324,6 @@ func numberOfIdentifierType(typ IdentifierType, ids []Identifier) int {
// addresses or DNS names slice, depending on whether it can be parsed as an IP
// addresses or DNS names slice, depending on whether it can be parsed as an IP
// or not. This might result in an additional SAN in the final certificate.
// or not. This might result in an additional SAN in the final certificate.
func canonicalize(csr *x509.CertificateRequest) (canonicalized *x509.CertificateRequest) {
func canonicalize(csr *x509.CertificateRequest) (canonicalized *x509.CertificateRequest) {
// for clarity only; we're operating on the same object by pointer
// for clarity only; we're operating on the same object by pointer
canonicalized = csr
canonicalized = csr
@ -247,14 +247,14 @@ func TestOrder_UpdateStatus(t *testing.T) {
tc := run(t)
tc := run(t)
if err := tc.o.UpdateStatus(context.Background(), tc.db); err != nil {
if err := tc.o.UpdateStatus(context.Background(), tc.db); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -812,14 +812,14 @@ func TestOrder_Finalize(t *testing.T) {
tc := run(t)
tc := run(t)
if err := tc.o.Finalize(context.Background(), tc.db, tc.csr,, tc.prov); err != nil {
if err := tc.o.Finalize(context.Background(), tc.db, tc.csr,, tc.prov); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Type, tc.err.Type)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Status, tc.err.Status)
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Err.Error(), tc.err.Err.Error())
assert.Equals(t, k.Detail, tc.err.Detail)
assert.Equals(t, k.Detail, tc.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -1474,14 +1474,14 @@ func TestOrder_sans(t *testing.T) {
t.Errorf("Order.sans() = %v, want error; got none", got)
t.Errorf("Order.sans() = %v, want error; got none", got)
switch k := err.(type) {
var k *Error
case *Error:
if errors.As(err, &k) {
assert.Equals(t, k.Type, tt.err.Type)
assert.Equals(t, k.Type, tt.err.Type)
assert.Equals(t, k.Detail, tt.err.Detail)
assert.Equals(t, k.Detail, tt.err.Detail)
assert.Equals(t, k.Status, tt.err.Status)
assert.Equals(t, k.Status, tt.err.Status)
assert.Equals(t, k.Err.Error(), tt.err.Err.Error())
assert.Equals(t, k.Err.Error(), tt.err.Err.Error())
assert.Equals(t, k.Detail, tt.err.Detail)
assert.Equals(t, k.Detail, tt.err.Detail)
} else {
assert.FatalError(t, errors.New("unexpected error type"))
assert.FatalError(t, errors.New("unexpected error type"))
@ -3,7 +3,7 @@ package api
import (
import (
"crypto/dsa" //nolint
"crypto/dsa" //nolint:staticcheck // support legacy algorithms
@ -38,14 +38,10 @@ func Error(rw http.ResponseWriter, err error) {
e, ok := err.(StackTracedError)
var st StackTracedError
if !ok {
if !errors.As(err, &st) {
e, ok = errors.Cause(err).(StackTracedError)
if ok {
"stack-trace": fmt.Sprintf("%+v", e.StackTrace()),
"stack-trace": fmt.Sprintf("%+v", st.StackTrace()),
@ -41,8 +41,8 @@ func TestJSON(t *testing.T) {
if tt.wantErr {
if tt.wantErr {
e, ok := err.(*errs.Error)
var e *errs.Error
if ok {
if errors.As(err, &e) {
if code := e.StatusCode(); code != 400 {
if code := e.StatusCode(); code != 400 {
t.Errorf("error.StatusCode() = %v, wants 400", code)
t.Errorf("error.StatusCode() = %v, wants 400", code)
@ -102,14 +102,15 @@ func TestProtoJSON(t *testing.T) {
if tt.wantErr {
if tt.wantErr {
switch err.(type) {
var (
case badProtoJSONError:
ee *errs.Error
bpe badProtoJSONError
switch {
case errors.As(err, &bpe):
assert.Contains(t, err.Error(), "syntax error")
assert.Contains(t, err.Error(), "syntax error")
case *errs.Error:
case errors.As(err, &ee):
var ee *errs.Error
assert.Equal(t, http.StatusBadRequest, ee.Status)
if errors.As(err, &ee) {
assert.Equal(t, http.StatusBadRequest, ee.Status)
@ -4,6 +4,7 @@ package render
import (
import (
@ -77,8 +78,9 @@ type RenderableError interface {
func Error(w http.ResponseWriter, err error) {
func Error(w http.ResponseWriter, err error) {
log.Error(w, err)
log.Error(w, err)
if e, ok := err.(RenderableError); ok {
var r RenderableError
if errors.As(err, &r) {
@ -105,17 +107,18 @@ func statusCodeFromError(err error) (code int) {
for err != nil {
for err != nil {
if sc, ok := err.(StatusCodedError); ok {
var sc StatusCodedError
if errors.As(err, &sc) {
code = sc.StatusCode()
code = sc.StatusCode()
cause, ok := err.(causer)
var c causer
if !ok {
if !errors.As(err, &c) {
err = cause.Cause()
err = c.Cause()
@ -17,6 +17,7 @@ const (
// Renew uses the information of certificate in the TLS connection to create a
// Renew uses the information of certificate in the TLS connection to create a
// new one.
// new one.
func Renew(w http.ResponseWriter, r *http.Request) {
func Renew(w http.ResponseWriter, r *http.Request) {
//nolint:contextcheck // the reqest has the context
cert, err := getPeerCertificate(r)
cert, err := getPeerCertificate(r)
if err != nil {
if err != nil {
render.Error(w, err)
render.Error(w, err)
@ -62,12 +62,12 @@ func TestRevokeRequestValidate(t *testing.T) {
for name, tc := range tests {
for name, tc := range tests {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
if err := tc.rr.Validate(); err != nil {
if err := tc.rr.Validate(); err != nil {
switch v := err.(type) {
var ee *errs.Error
case *errs.Error:
if errors.As(err, &ee) {
assert.HasPrefix(t, v.Error(), tc.err.Error())
assert.HasPrefix(t, ee.Error(), tc.err.Error())
assert.Equals(t, v.StatusCode(), tc.err.Status)
assert.Equals(t, ee.StatusCode(), tc.err.Status)
} else {
t.Errorf("unexpected error type: %T", v)
t.Errorf("unexpected error type: %T", err)
} else {
} else {
assert.Nil(t, tc.err)
assert.Nil(t, tc.err)
@ -83,6 +83,7 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
//nolint:contextcheck // the reqest has the context
identity, err := renewIdentityCertificate(r, notBefore, notAfter)
identity, err := renewIdentityCertificate(r, notBefore, notAfter)
if err != nil {
if err != nil {
render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
@ -75,6 +75,7 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
//nolint:contextcheck // the reqest has the context
identity, err := renewIdentityCertificate(r, notBefore, notAfter)
identity, err := renewIdentityCertificate(r, notBefore, notAfter)
if err != nil {
if err != nil {
render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
render.Error(w, errs.ForbiddenErr(err, "error renewing identity certificate"))
@ -84,7 +84,6 @@ func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *
func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
func eakToLinked(k *acme.ExternalAccountKey) *linkedca.EABKey {
if k == nil {
if k == nil {
return nil
return nil
@ -229,11 +229,13 @@ func TestCreateAdminRequest_Validate(t *testing.T) {
if err != nil {
if err != nil {
assert.Type(t, &admin.Error{}, err)
assert.Type(t, &admin.Error{}, err)
adminErr, _ := err.(*admin.Error)
var adminErr *admin.Error
assert.Equals(t, tt.err.Type, adminErr.Type)
if assert.True(t, errors.As(err, &adminErr)) {
assert.Equals(t, tt.err.Detail, adminErr.Detail)
assert.Equals(t, tt.err.Type, adminErr.Type)
assert.Equals(t, tt.err.Status, adminErr.Status)
assert.Equals(t, tt.err.Detail, adminErr.Detail)
assert.Equals(t, tt.err.Message, adminErr.Message)
assert.Equals(t, tt.err.Status, adminErr.Status)
assert.Equals(t, tt.err.Message, adminErr.Message)
@ -278,11 +280,13 @@ func TestUpdateAdminRequest_Validate(t *testing.T) {
if err != nil {
if err != nil {
assert.Type(t, &admin.Error{}, err)
assert.Type(t, &admin.Error{}, err)
adminErr, _ := err.(*admin.Error)
var ae *admin.Error
assert.Equals(t, tt.err.Type, adminErr.Type)
if assert.True(t, errors.As(err, &ae)) {
assert.Equals(t, tt.err.Detail, adminErr.Detail)
assert.Equals(t, tt.err.Type, ae.Type)
assert.Equals(t, tt.err.Status, adminErr.Status)
assert.Equals(t, tt.err.Detail, ae.Detail)
assert.Equals(t, tt.err.Message, adminErr.Message)
assert.Equals(t, tt.err.Status, ae.Status)
assert.Equals(t, tt.err.Message, ae.Message)
@ -30,7 +30,6 @@ func requireAPIEnabled(next http.HandlerFunc) http.HandlerFunc {
// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.
// extractAuthorizeTokenAdmin is a middleware that extracts and caches the bearer token.
func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
func extractAuthorizeTokenAdmin(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
return func(w http.ResponseWriter, r *http.Request) {
tok := r.Header.Get("Authorization")
tok := r.Header.Get("Authorization")
if tok == "" {
if tok == "" {
render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
render.Error(w, admin.NewError(admin.ErrorUnauthorizedType,
@ -50,7 +50,8 @@ func (par *policyAdminResponder) GetAuthorityPolicy(w http.ResponseWriter, r *ht
auth := mustAuthority(ctx)
auth := mustAuthority(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(r.Context())
authorityPolicy, err := auth.GetAuthorityPolicy(r.Context())
if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) {
var ae *admin.Error
if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
@ -74,7 +75,8 @@ func (par *policyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
auth := mustAuthority(ctx)
auth := mustAuthority(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(ctx)
if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) {
var ae *admin.Error
if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
@ -125,7 +127,8 @@ func (par *policyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
auth := mustAuthority(ctx)
auth := mustAuthority(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(ctx)
if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) {
var ae *admin.Error
if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
render.Error(w, admin.WrapErrorISE(err, "error retrieving authority policy"))
@ -175,7 +178,8 @@ func (par *policyAdminResponder) DeleteAuthorityPolicy(w http.ResponseWriter, r
auth := mustAuthority(ctx)
auth := mustAuthority(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(ctx)
authorityPolicy, err := auth.GetAuthorityPolicy(ctx)
if ae, ok := err.(*admin.Error); ok && !ae.IsType(admin.ErrorNotFoundType) {
var ae *admin.Error
if errors.As(err, &ae) && !ae.IsType(admin.ErrorNotFoundType) {
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
render.Error(w, admin.WrapErrorISE(ae, "error retrieving authority policy"))
@ -468,7 +472,6 @@ func isBadRequest(err error) bool {
func validatePolicy(p *linkedca.Policy) error {
func validatePolicy(p *linkedca.Policy) error {
// convert the policy; return early if nil
// convert the policy; return early if nil
options := policy.LinkedToCertificates(p)
options := policy.LinkedToCertificates(p)
if options == nil {
if options == nil {
@ -111,14 +111,14 @@ func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) {
for _, entry := range dbEntries {
for _, entry := range dbEntries {
adm, err := db.unmarshalAdmin(entry.Value, string(entry.Key))
adm, err := db.unmarshalAdmin(entry.Value, string(entry.Key))
if err != nil {
if err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if k.IsType(admin.ErrorDeletedType) || k.IsType(admin.ErrorAuthorityMismatchType) {
if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
} else {
} else {
return nil, err
return nil, err
} else {
return nil, err
return nil, err
@ -68,16 +68,16 @@ func TestDB_getDBAdminBytes(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if b, err := d.getDBAdminBytes(context.Background(), adminID); err != nil {
if b, err := d.getDBAdminBytes(context.Background(), adminID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -192,16 +192,16 @@ func TestDB_getDBAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if dba, err := d.getDBAdmin(context.Background(), adminID); err != nil {
if dba, err := d.getDBAdmin(context.Background(), adminID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -280,16 +280,16 @@ func TestDB_unmarshalDBAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{authorityID: admin.DefaultAuthorityID}
d := DB{authorityID: admin.DefaultAuthorityID}
if dba, err := d.unmarshalDBAdmin(, adminID); err != nil {
if dba, err := d.unmarshalDBAdmin(, adminID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -355,16 +355,16 @@ func TestDB_unmarshalAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{authorityID: admin.DefaultAuthorityID}
d := DB{authorityID: admin.DefaultAuthorityID}
if adm, err := d.unmarshalAdmin(, adminID); err != nil {
if adm, err := d.unmarshalAdmin(, adminID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -509,16 +509,16 @@ func TestDB_GetAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if adm, err := d.GetAdmin(context.Background(), adminID); err != nil {
if adm, err := d.GetAdmin(context.Background(), adminID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -661,16 +661,16 @@ func TestDB_DeleteAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if err := d.DeleteAdmin(context.Background(), adminID); err != nil {
if err := d.DeleteAdmin(context.Background(), adminID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -812,16 +812,16 @@ func TestDB_UpdateAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if err := d.UpdateAdmin(context.Background(), tc.adm); err != nil {
if err := d.UpdateAdmin(context.Background(), tc.adm); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -910,16 +910,16 @@ func TestDB_CreateAdmin(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if err := d.CreateAdmin(context.Background(), tc.adm); err != nil {
if err := d.CreateAdmin(context.Background(), tc.adm); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -1086,16 +1086,16 @@ func TestDB_GetAdmins(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if admins, err := d.GetAdmins(context.Background()); err != nil {
if admins, err := d.GetAdmins(context.Background()); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -83,6 +83,7 @@ func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string)
func (db *DB) unmarshalDBAuthorityPolicy(data []byte) (*dbAuthorityPolicy, error) {
func (db *DB) unmarshalDBAuthorityPolicy(data []byte) (*dbAuthorityPolicy, error) {
if len(data) == 0 {
if len(data) == 0 {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
var dba = new(dbAuthorityPolicy)
var dba = new(dbAuthorityPolicy)
@ -102,6 +103,7 @@ func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*db
return nil, err
return nil, err
if dbap == nil {
if dbap == nil {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
if dbap.AuthorityID != authorityID {
if dbap.AuthorityID != authorityID {
@ -112,7 +114,6 @@ func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*db
func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {
dbap := &dbAuthorityPolicy{
dbap := &dbAuthorityPolicy{
ID: db.authorityID,
ID: db.authorityID,
AuthorityID: db.authorityID,
AuthorityID: db.authorityID,
@ -228,7 +229,6 @@ func dbToLinked(p *dbPolicy) *linkedca.Policy {
func linkedToDB(p *linkedca.Policy) *dbPolicy {
func linkedToDB(p *linkedca.Policy) *dbPolicy {
if p == nil {
if p == nil {
return nil
return nil
@ -72,16 +72,16 @@ func TestDB_getDBAuthorityPolicyBytes(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if b, err := d.getDBAuthorityPolicyBytes(tc.ctx, tc.authorityID); err != nil {
if b, err := d.getDBAuthorityPolicyBytes(tc.ctx, tc.authorityID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -208,16 +208,16 @@ func TestDB_getDBAuthorityPolicy(t *testing.T) {
dbp, err := d.getDBAuthorityPolicy(tc.ctx, tc.authorityID)
dbp, err := d.getDBAuthorityPolicy(tc.ctx, tc.authorityID)
switch {
switch {
case err != nil:
case err != nil:
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -309,16 +309,16 @@ func TestDB_CreateAuthorityPolicy(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: tc.authorityID}
d := DB{db: tc.db, authorityID: tc.authorityID}
if err := d.CreateAuthorityPolicy(tc.ctx, tc.policy); err != nil {
if err := d.CreateAuthorityPolicy(tc.ctx, tc.policy); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -406,16 +406,16 @@ func TestDB_GetAuthorityPolicy(t *testing.T) {
d := DB{db: tc.db, authorityID: tc.authorityID}
d := DB{db: tc.db, authorityID: tc.authorityID}
got, err := d.GetAuthorityPolicy(tc.ctx)
got, err := d.GetAuthorityPolicy(tc.ctx)
if err != nil {
if err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -578,16 +578,16 @@ func TestDB_UpdateAuthorityPolicy(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: tc.authorityID}
d := DB{db: tc.db, authorityID: tc.authorityID}
if err := d.UpdateAuthorityPolicy(tc.ctx, tc.policy); err != nil {
if err := d.UpdateAuthorityPolicy(tc.ctx, tc.policy); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -718,16 +718,16 @@ func TestDB_DeleteAuthorityPolicy(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: tc.authorityID}
d := DB{db: tc.db, authorityID: tc.authorityID}
if err := d.DeleteAuthorityPolicy(tc.ctx); err != nil {
if err := d.DeleteAuthorityPolicy(tc.ctx); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -122,14 +122,14 @@ func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, err
for _, entry := range dbEntries {
for _, entry := range dbEntries {
prov, err := db.unmarshalProvisioner(entry.Value, string(entry.Key))
prov, err := db.unmarshalProvisioner(entry.Value, string(entry.Key))
if err != nil {
if err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if k.IsType(admin.ErrorDeletedType) || k.IsType(admin.ErrorAuthorityMismatchType) {
if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) {
} else {
} else {
return nil, err
return nil, err
} else {
return nil, err
return nil, err
@ -67,16 +67,16 @@ func TestDB_getDBProvisionerBytes(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db}
d := DB{db: tc.db}
if b, err := d.getDBProvisionerBytes(context.Background(), provID); err != nil {
if b, err := d.getDBProvisionerBytes(context.Background(), provID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -189,16 +189,16 @@ func TestDB_getDBProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if dbp, err := d.getDBProvisioner(context.Background(), provID); err != nil {
if dbp, err := d.getDBProvisioner(context.Background(), provID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -275,16 +275,16 @@ func TestDB_unmarshalDBProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{authorityID: admin.DefaultAuthorityID}
d := DB{authorityID: admin.DefaultAuthorityID}
if dbp, err := d.unmarshalDBProvisioner(, provID); err != nil {
if dbp, err := d.unmarshalDBProvisioner(, provID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -397,16 +397,16 @@ func TestDB_unmarshalProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{authorityID: admin.DefaultAuthorityID}
d := DB{authorityID: admin.DefaultAuthorityID}
if prov, err := d.unmarshalProvisioner(, provID); err != nil {
if prov, err := d.unmarshalProvisioner(, provID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -535,16 +535,16 @@ func TestDB_GetProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if prov, err := d.GetProvisioner(context.Background(), provID); err != nil {
if prov, err := d.GetProvisioner(context.Background(), provID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -683,16 +683,16 @@ func TestDB_DeleteProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if err := d.DeleteProvisioner(context.Background(), provID); err != nil {
if err := d.DeleteProvisioner(context.Background(), provID); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -844,16 +844,16 @@ func TestDB_GetProvisioners(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if provs, err := d.GetProvisioners(context.Background()); err != nil {
if provs, err := d.GetProvisioners(context.Background()); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -952,16 +952,16 @@ func TestDB_CreateProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if err := d.CreateProvisioner(context.Background(), tc.prov); err != nil {
if err := d.CreateProvisioner(context.Background(), tc.prov); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -1188,16 +1188,16 @@ func TestDB_UpdateProvisioner(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
d := DB{db: tc.db, authorityID: admin.DefaultAuthorityID}
if err := d.UpdateProvisioner(context.Background(), tc.prov); err != nil {
if err := d.UpdateProvisioner(context.Background(), tc.prov); err != nil {
switch k := err.(type) {
var ae *admin.Error
case *admin.Error:
if errors.As(err, &ae) {
if assert.NotNil(t, tc.adminErr) {
if assert.NotNil(t, tc.adminErr) {
assert.Equals(t, k.Type, tc.adminErr.Type)
assert.Equals(t, ae.Type, tc.adminErr.Type)
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
assert.Equals(t, k.Status, tc.adminErr.Status)
assert.Equals(t, ae.Status, tc.adminErr.Status)
assert.Equals(t, k.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, ae.Err.Error(), tc.adminErr.Err.Error())
assert.Equals(t, k.Detail, tc.adminErr.Detail)
assert.Equals(t, ae.Detail, tc.adminErr.Detail)
} else {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -156,16 +156,17 @@ func NewErrorISE(msg string, args ...interface{}) *Error {
// WrapError attempts to wrap the internal error.
// WrapError attempts to wrap the internal error.
func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
switch e := err.(type) {
var ee *Error
case nil:
switch {
case err == nil:
return nil
return nil
case *Error:
case errors.As(err, &ee):
if e.Err == nil {
if ee.Err == nil {
e.Err = errors.Errorf(msg+"; "+e.Detail, args...)
ee.Err = errors.Errorf(msg+"; "+ee.Detail, args...)
} else {
} else {
e.Err = errors.Wrapf(e.Err, msg, args...)
ee.Err = errors.Wrapf(ee.Err, msg, args...)
return e
return ee
return newError(typ, errors.Wrapf(err, msg, args...))
return newError(typ, errors.Wrapf(err, msg, args...))
@ -1,6 +1,7 @@
package authority
package authority
import (
import (
@ -25,6 +26,7 @@ import (
adminDBNosql ""
adminDBNosql ""
@ -47,14 +49,15 @@ type Authority struct {
linkedCAToken string
linkedCAToken string
// X509 CA
// X509 CA
password []byte
password []byte
issuerPassword []byte
issuerPassword []byte
x509CAService cas.CertificateAuthorityService
x509CAService cas.CertificateAuthorityService
rootX509Certs []*x509.Certificate
rootX509Certs []*x509.Certificate
rootX509CertPool *x509.CertPool
rootX509CertPool *x509.CertPool
federatedX509Certs []*x509.Certificate
federatedX509Certs []*x509.Certificate
certificates *sync.Map
intermediateX509Certs []*x509.Certificate
x509Enforcers []provisioner.CertificateEnforcer
certificates *sync.Map
x509Enforcers []provisioner.CertificateEnforcer
scepService *scep.Service
scepService *scep.Service
@ -85,8 +88,9 @@ type Authority struct {
authorizeRenewFunc provisioner.AuthorizeRenewFunc
authorizeRenewFunc provisioner.AuthorizeRenewFunc
authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc
// Policy engines
// Constraints and Policy engines
policyEngine *policy.Engine
constraintsEngine *constraints.Engine
policyEngine *policy.Engine
adminMutex sync.RWMutex
adminMutex sync.RWMutex
@ -373,11 +377,17 @@ func (a *Authority) init() error {
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
SigningKey: a.config.IntermediateKey,
Password: []byte(a.password),
Password: a.password,
if err != nil {
if err != nil {
return err
return err
// If not defined with an option, add intermediates to the list of
// certificates used for name constraints validation at issuance
// time.
if len(a.intermediateX509Certs) == 0 {
a.intermediateX509Certs = append(a.intermediateX509Certs, options.CertificateChain...)
a.x509CAService, err = cas.New(ctx, options)
a.x509CAService, err = cas.New(ctx, options)
if err != nil {
if err != nil {
@ -439,7 +449,7 @@ func (a *Authority) init() error {
if a.config.SSH.HostKey != "" {
if a.config.SSH.HostKey != "" {
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.SSH.HostKey,
SigningKey: a.config.SSH.HostKey,
Password: []byte(a.sshHostPassword),
Password: a.sshHostPassword,
if err != nil {
if err != nil {
return err
return err
@ -465,7 +475,7 @@ func (a *Authority) init() error {
if a.config.SSH.UserKey != "" {
if a.config.SSH.UserKey != "" {
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
signer, err := a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.SSH.UserKey,
SigningKey: a.config.SSH.UserKey,
Password: []byte(a.sshUserPassword),
Password: a.sshUserPassword,
if err != nil {
if err != nil {
return err
return err
@ -550,7 +560,7 @@ func (a *Authority) init() error {
options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...)
options.CertificateChain = append(options.CertificateChain, a.rootX509Certs...)
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
SigningKey: a.config.IntermediateKey,
Password: []byte(a.password),
Password: a.password,
if err != nil {
if err != nil {
return err
return err
@ -559,7 +569,7 @@ func (a *Authority) init() error {
if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
DecryptionKey: a.config.IntermediateKey,
DecryptionKey: a.config.IntermediateKey,
Password: []byte(a.password),
Password: a.password,
if err != nil {
if err != nil {
return err
return err
@ -615,6 +625,21 @@ func (a *Authority) init() error {
return err
return err
// Load X509 constraints engine.
// This is currently only available in CA mode.
if size := len(a.intermediateX509Certs); size > 0 {
last := a.intermediateX509Certs[size-1]
constraintCerts := make([]*x509.Certificate, 0, size+1)
constraintCerts = append(constraintCerts, a.intermediateX509Certs...)
for _, root := range a.rootX509Certs {
if bytes.Equal(last.RawIssuer, root.RawSubject) && bytes.Equal(last.AuthorityKeyId, root.SubjectKeyId) {
constraintCerts = append(constraintCerts, root)
a.constraintsEngine = constraints.New(constraintCerts...)
// Load x509 and SSH Policy Engines
// Load x509 and SSH Policy Engines
if err := a.reloadPolicyEngines(ctx); err != nil {
if err := a.reloadPolicyEngines(ctx); err != nil {
return err
return err
@ -12,6 +12,7 @@ import (
@ -416,16 +417,16 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.
Subject: leaf.Subject.CommonName,
Subject: leaf.Subject.CommonName,
Time: time.Now().UTC(),
Time: time.Now().UTC(),
}, time.Minute); err != nil {
}, time.Minute); err != nil {
switch err {
switch {
case jose.ErrInvalidIssuer:
case errors.Is(err, jose.ErrInvalidIssuer):
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: invalid issuer claim (iss)"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: invalid issuer claim (iss)"))
case jose.ErrInvalidSubject:
case errors.Is(err, jose.ErrInvalidSubject):
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: invalid subject claim (sub)"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: invalid subject claim (sub)"))
case jose.ErrNotValidYet:
case errors.Is(err, jose.ErrNotValidYet):
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token not valid yet (nbf)"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token not valid yet (nbf)"))
case jose.ErrExpired:
case errors.Is(err, jose.ErrExpired):
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token is expired (exp)"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token is expired (exp)"))
case jose.ErrIssuedInTheFuture:
case errors.Is(err, jose.ErrIssuedInTheFuture):
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token issued in the future (iat)"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token: token issued in the future (iat)"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token"))
return nil, errs.UnauthorizedErr(err, errs.WithMessage("error validating renew token"))
@ -434,7 +435,7 @@ func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.
audiences := a.config.GetAudiences().Renew
audiences := a.config.GetAudiences().Renew
if !matchesAudience(claims.Audience, audiences) {
if !matchesAudience(claims.Audience, audiences) {
return nil, errs.InternalServerErr(err, errs.WithMessage("error validating renew token: invalid audience claim (aud)"))
return nil, errs.InternalServerErr(jose.ErrInvalidAudience, errs.WithMessage("error validating renew token: invalid audience claim (aud)"))
// validate issuer: old versions used the provisioner name, new version uses
// validate issuer: old versions used the provisioner name, new version uses
@ -313,8 +313,8 @@ func TestAuthority_authorizeToken(t *testing.T) {
p, err := tc.auth.authorizeToken(context.Background(), tc.token)
p, err := tc.auth.authorizeToken(context.Background(), tc.token)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -399,8 +399,8 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
if err := tc.auth.authorizeRevoke(context.Background(), tc.token); err != nil {
if err := tc.auth.authorizeRevoke(context.Background(), tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -484,8 +484,8 @@ func TestAuthority_authorizeSign(t *testing.T) {
got, err := tc.auth.authorizeSign(context.Background(), tc.token)
got, err := tc.auth.authorizeSign(context.Background(), tc.token)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -743,13 +743,13 @@ func TestAuthority_Authorize(t *testing.T) {
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
if assert.NotNil(t, tc.err, fmt.Sprintf("unexpected error: %s", err)) {
assert.Nil(t, got)
assert.Nil(t, got)
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
ctxErr, ok := err.(*errs.Error)
var ctxErr *errs.Error
assert.Fatal(t, ok, "error is not of type *errs.Error")
assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
assert.Equals(t, ctxErr.Details["token"], tc.token)
assert.Equals(t, ctxErr.Details["token"], tc.token)
} else {
} else {
@ -879,13 +879,13 @@ func TestAuthority_authorizeRenew(t *testing.T) {
err := tc.auth.authorizeRenew(tc.cert)
err := tc.auth.authorizeRenew(tc.cert)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCoder interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
ctxErr, ok := err.(*errs.Error)
var ctxErr *errs.Error
assert.Fatal(t, ok, "error is not of type *errs.Error")
assert.Fatal(t, errors.As(err, &ctxErr), "error is not of type *errs.Error")
assert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String())
assert.Equals(t, ctxErr.Details["serialNumber"], tc.cert.SerialNumber.String())
} else {
} else {
@ -1027,8 +1027,8 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
got, err := tc.auth.authorizeSSHSign(context.Background(), tc.token)
got, err := tc.auth.authorizeSSHSign(context.Background(), tc.token)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -1144,8 +1144,8 @@ func TestAuthority_authorizeSSHRenew(t *testing.T) {
got, err := tc.auth.authorizeSSHRenew(context.Background(), tc.token)
got, err := tc.auth.authorizeSSHRenew(context.Background(), tc.token)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -1244,8 +1244,8 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
if err := tc.auth.authorizeSSHRevoke(context.Background(), tc.token); err != nil {
if err := tc.auth.authorizeSSHRevoke(context.Background(), tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -1337,8 +1337,8 @@ func TestAuthority_authorizeSSHRekey(t *testing.T) {
cert, signOpts, err := tc.auth.authorizeSSHRekey(context.Background(), tc.token)
cert, signOpts, err := tc.auth.authorizeSSHRekey(context.Background(), tc.token)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -169,7 +169,7 @@ func (t *TLSOptions) TLSConfig() *tls.Config {
rs = tls.RenegotiateNever
rs = tls.RenegotiateNever
// nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used
//nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used
return &tls.Config{
return &tls.Config{
CipherSuites: t.CipherSuites.Value(),
CipherSuites: t.CipherSuites.Value(),
MinVersion: t.MinVersion.Value(),
MinVersion: t.MinVersion.Value(),
Normal file
Normal file
@ -0,0 +1,135 @@
package constraints
import (
// ConstraintError is the typed error that will be returned if a constraint
// error is found.
type ConstraintError struct {
Type string
Name string
Detail string
// Error implements the error interface.
func (e ConstraintError) Error() string {
return e.Detail
// As implements the As(any) bool interface and allows to use "errors.As()" to
// convert the ConstraintError to an errs.Error.
func (e ConstraintError) As(v any) bool {
if err, ok := v.(**errs.Error); ok {
*err = &errs.Error{
Status: http.StatusForbidden,
Msg: e.Detail,
Err: e,
return true
return false
// Engine implements a constraint validator for DNS names, IP addresses, Email
// addresses and URIs.
type Engine struct {
hasNameConstraints bool
permittedDNSDomains []string
excludedDNSDomains []string
permittedIPRanges []*net.IPNet
excludedIPRanges []*net.IPNet
permittedEmailAddresses []string
excludedEmailAddresses []string
permittedURIDomains []string
excludedURIDomains []string
// New creates a constraint validation engine that contains the given chain of
// certificates.
func New(chain ...*x509.Certificate) *Engine {
e := new(Engine)
for _, crt := range chain {
e.permittedDNSDomains = append(e.permittedDNSDomains, crt.PermittedDNSDomains...)
e.excludedDNSDomains = append(e.excludedDNSDomains, crt.ExcludedDNSDomains...)
e.permittedIPRanges = append(e.permittedIPRanges, crt.PermittedIPRanges...)
e.excludedIPRanges = append(e.excludedIPRanges, crt.ExcludedIPRanges...)
e.permittedEmailAddresses = append(e.permittedEmailAddresses, crt.PermittedEmailAddresses...)
e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...)
e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...)
e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...)
e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || len(e.excludedDNSDomains) > 0 ||
len(e.permittedIPRanges) > 0 || len(e.excludedIPRanges) > 0 ||
len(e.permittedEmailAddresses) > 0 || len(e.excludedEmailAddresses) > 0 ||
len(e.permittedURIDomains) > 0 || len(e.excludedURIDomains) > 0
return e
// Validate checks the given names with the name constraints defined in the
// service.
func (e *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
if e == nil || !e.hasNameConstraints {
return nil
for _, name := range dnsNames {
if err := checkNameConstraints("DNS name", name, name, e.permittedDNSDomains, e.excludedDNSDomains,
func(parsedName, constraint any) (bool, error) {
return matchDomainConstraint(parsedName.(string), constraint.(string))
); err != nil {
return err
for _, ip := range ipAddresses {
if err := checkNameConstraints("IP address", ip.String(), ip, e.permittedIPRanges, e.excludedIPRanges,
func(parsedName, constraint any) (bool, error) {
return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
); err != nil {
return err
for _, email := range emailAddresses {
mailbox, ok := parseRFC2821Mailbox(email)
if !ok {
return fmt.Errorf("cannot parse rfc822Name %q", email)
if err := checkNameConstraints("Email address", email, mailbox, e.permittedEmailAddresses, e.excludedEmailAddresses,
func(parsedName, constraint any) (bool, error) {
return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
); err != nil {
return err
for _, uri := range uris {
if err := checkNameConstraints("URI", uri.String(), uri, e.permittedURIDomains, e.excludedURIDomains,
func(parsedName, constraint any) (bool, error) {
return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
); err != nil {
return err
return nil
// ValidateCertificate validates the DNS names, IP addresses, Email addresses
// and URIs present in the given certificate.
func (e *Engine) ValidateCertificate(cert *x509.Certificate) error {
return e.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs)
Normal file
Normal file
@ -0,0 +1,334 @@
package constraints
import (
func TestNew(t *testing.T) {
ca1, err := minica.New()
if err != nil {
ca2, err := minica.New(
"subject": {{ toJson .Subject }},
"keyUsage": ["certSign", "crlSign"],
"basicConstraints": {
"isCA": true,
"maxPathLen": 0
"nameConstraints": {
"critical": true,
"permittedDNSDomains": [""],
"excludedDNSDomains": [""],
"permittedIPRanges": ["", ""],
"excludedIPRanges": ["", ""],
"permittedEmailAddresses": ["", "", ""],
"excludedEmailAddresses": ["", "", ""],
"permittedURIDomains": ["", ""],
"excludedURIDomains": ["", ""]
if err != nil {
type args struct {
chain []*x509.Certificate
tests := []struct {
name string
args args
want *Engine
{"ok", args{[]*x509.Certificate{ca1.Intermediate, ca1.Root}}, &Engine{
hasNameConstraints: false,
{"ok with constraints", args{[]*x509.Certificate{ca2.Intermediate, ca2.Root}}, &Engine{
hasNameConstraints: true,
permittedDNSDomains: []string{""},
excludedDNSDomains: []string{""},
permittedIPRanges: []*net.IPNet{
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 0}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 255}},
excludedIPRanges: []*net.IPNet{
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 0}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 240}},
permittedEmailAddresses: []string{"", "", ""},
excludedEmailAddresses: []string{"", "", ""},
permittedURIDomains: []string{"", ""},
excludedURIDomains: []string{"", ""},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
if got := New(tt.args.chain...); !reflect.DeepEqual(got, tt.want) {
t.Errorf("New() = %v, want %v", got, tt.want)
func TestNew_hasNameConstraints(t *testing.T) {
tests := []struct {
name string
fn func(c *x509.Certificate)
want bool
{"no constraints", func(c *x509.Certificate) {}, false},
{"permittedDNSDomains", func(c *x509.Certificate) { c.PermittedDNSDomains = []string{"constraint"} }, true},
{"excludedDNSDomains", func(c *x509.Certificate) { c.ExcludedDNSDomains = []string{"constraint"} }, true},
{"permittedIPRanges", func(c *x509.Certificate) {
c.PermittedIPRanges = []*net.IPNet{{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 0}}}
}, true},
{"excludedIPRanges", func(c *x509.Certificate) {
c.ExcludedIPRanges = []*net.IPNet{{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 0}}}
}, true},
{"permittedEmailAddresses", func(c *x509.Certificate) { c.PermittedEmailAddresses = []string{"constraint"} }, true},
{"excludedEmailAddresses", func(c *x509.Certificate) { c.ExcludedEmailAddresses = []string{"constraint"} }, true},
{"permittedURIDomains", func(c *x509.Certificate) { c.PermittedURIDomains = []string{"constraint"} }, true},
{"excludedURIDomains", func(c *x509.Certificate) { c.ExcludedURIDomains = []string{"constraint"} }, true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
cert := &x509.Certificate{}
if e := New(cert); e.hasNameConstraints != tt.want {
t.Errorf("Engine.hasNameConstraints = %v, want %v", e.hasNameConstraints, tt.want)
func TestEngine_Validate(t *testing.T) {
type fields struct {
hasNameConstraints bool
permittedDNSDomains []string
excludedDNSDomains []string
permittedIPRanges []*net.IPNet
excludedIPRanges []*net.IPNet
permittedEmailAddresses []string
excludedEmailAddresses []string
permittedURIDomains []string
excludedURIDomains []string
type args struct {
dnsNames []string
ipAddresses []net.IP
emailAddresses []string
uris []*url.URL
tests := []struct {
name string
fields fields
args args
wantErr bool
{"ok", fields{hasNameConstraints: false}, args{
dnsNames: []string{"", ""},
ipAddresses: []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x01, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
emailAddresses: []string{""},
uris: []*url.URL{{Scheme: "https", Host: "", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}},
}, false},
{"ok permitted dns", fields{
hasNameConstraints: true,
permittedDNSDomains: []string{""},
}, args{dnsNames: []string{"", ""}}, false},
{"ok not excluded dns", fields{
hasNameConstraints: true,
excludedDNSDomains: []string{""},
}, args{dnsNames: []string{"", ""}}, false},
{"ok permitted ip", fields{
hasNameConstraints: true,
permittedIPRanges: []*net.IPNet{
{IP: net.ParseIP(""), Mask: net.IPMask{255, 255, 255, 0}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 255}},
{IP: net.ParseIP("2600:1700:22f8:2600:e559:bd88:350a:34d6"), Mask: net.IPMask{255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}, {0x26, 0x0, 0x17, 0x00, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}}}, false},
{"ok not excluded ip", fields{
hasNameConstraints: true,
excludedIPRanges: []*net.IPNet{
{IP: net.ParseIP(""), Mask: net.IPMask{255, 255, 255, 0}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 255}},
}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 3, 1}}}, false},
{"ok permitted emails", fields{
hasNameConstraints: true,
permittedEmailAddresses: []string{"", "", ""},
}, args{emailAddresses: []string{"", "", "", `"(quoted)"`}}, false},
{"ok not excluded emails", fields{
hasNameConstraints: true,
excludedEmailAddresses: []string{"", "", ""},
}, args{emailAddresses: []string{"", "", ""}}, false},
{"ok permitted uris", fields{
hasNameConstraints: true,
permittedURIDomains: []string{"", ""},
}, args{uris: []*url.URL{{Scheme: "https", Host: "", Path: "/path"}, {Scheme: "https", Host: "", Path: "/path"}}}, false},
{"ok not excluded uris", fields{
hasNameConstraints: true,
excludedURIDomains: []string{"", ""},
}, args{uris: []*url.URL{{Scheme: "https", Host: "", Path: "/path"}, {Scheme: "https", Host: "", Path: "/path"}}}, false},
{"fail permitted dns", fields{
hasNameConstraints: true,
permittedDNSDomains: []string{""},
}, args{dnsNames: []string{"", ""}}, true},
{"fail not excluded dns", fields{
hasNameConstraints: true,
excludedDNSDomains: []string{""},
}, args{dnsNames: []string{"", ""}}, true},
{"fail permitted ip", fields{
hasNameConstraints: true,
permittedIPRanges: []*net.IPNet{
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 0}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 255}},
}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 10}}}, true},
{"fail not excluded ip", fields{
hasNameConstraints: true,
excludedIPRanges: []*net.IPNet{
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 0}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 255}},
}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 1, 1}}}, true},
{"fail permitted emails", fields{
hasNameConstraints: true,
permittedEmailAddresses: []string{"", "", ""},
}, args{emailAddresses: []string{"", "", ""}}, true},
{"fail not excluded emails", fields{
hasNameConstraints: true,
excludedEmailAddresses: []string{"", "", ""},
}, args{emailAddresses: []string{"", ""}}, true},
{"fail permitted uris", fields{
hasNameConstraints: true,
permittedURIDomains: []string{"", ""},
}, args{uris: []*url.URL{{Scheme: "https", Host: "", Path: "/path"}, {Scheme: "https", Host: "", Path: "/path"}}}, true},
{"fail not excluded uris", fields{
hasNameConstraints: true,
excludedURIDomains: []string{"", ""},
}, args{uris: []*url.URL{{Scheme: "https", Host: "", Path: "/path"}, {Scheme: "https", Host: "", Path: "/path"}}}, true},
{"fail parse emails", fields{
hasNameConstraints: true,
permittedEmailAddresses: []string{""},
}, args{emailAddresses: []string{`(notquoted)`}}, true},
{"fail match dns", fields{
hasNameConstraints: true,
permittedDNSDomains: []string{""},
}, args{dnsNames: []string{``}}, true},
{"fail match email", fields{
hasNameConstraints: true,
excludedEmailAddresses: []string{`(notquoted)`},
}, args{emailAddresses: []string{``}}, true},
{"fail match uri", fields{
hasNameConstraints: true,
permittedURIDomains: []string{""},
}, args{uris: []*url.URL{{Scheme: "urn", Opaque: "uuid:36efb1ae-6617-4b23-b799-874a37aaea1c"}}}, true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
e := &Engine{
hasNameConstraints: tt.fields.hasNameConstraints,
permittedDNSDomains: tt.fields.permittedDNSDomains,
excludedDNSDomains: tt.fields.excludedDNSDomains,
permittedIPRanges: tt.fields.permittedIPRanges,
excludedIPRanges: tt.fields.excludedIPRanges,
permittedEmailAddresses: tt.fields.permittedEmailAddresses,
excludedEmailAddresses: tt.fields.excludedEmailAddresses,
permittedURIDomains: tt.fields.permittedURIDomains,
excludedURIDomains: tt.fields.excludedURIDomains,
if err := e.Validate(tt.args.dnsNames, tt.args.ipAddresses, tt.args.emailAddresses, tt.args.uris); (err != nil) != tt.wantErr {
t.Errorf("service.Validate() error = %v, wantErr %v", err, tt.wantErr)
func TestEngine_Validate_nil(t *testing.T) {
var e *Engine
if err := e.Validate([]string{""}, nil, nil, nil); err != nil {
t.Errorf("service.Validate() error = %v, wantErr false", err)
func TestEngine_ValidateCertificate(t *testing.T) {
type fields struct {
hasNameConstraints bool
permittedDNSDomains []string
excludedDNSDomains []string
permittedIPRanges []*net.IPNet
excludedIPRanges []*net.IPNet
permittedEmailAddresses []string
excludedEmailAddresses []string
permittedURIDomains []string
excludedURIDomains []string
type args struct {
cert *x509.Certificate
tests := []struct {
name string
fields fields
args args
wantErr bool
{"ok", fields{hasNameConstraints: false}, args{&x509.Certificate{
DNSNames: []string{""},
IPAddresses: []net.IP{{127, 0, 0, 1}},
EmailAddresses: []string{""},
URIs: []*url.URL{{Scheme: "https", Host: "", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}},
}}, false},
{"ok with constraints", fields{
hasNameConstraints: true,
permittedDNSDomains: []string{""},
permittedIPRanges: []*net.IPNet{
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 255, 255}},
{IP: net.ParseIP("").To4(), Mask: net.IPMask{255, 255, 0, 0}},
permittedEmailAddresses: []string{""},
permittedURIDomains: []string{""},
}, args{&x509.Certificate{
DNSNames: []string{""},
IPAddresses: []net.IP{{127, 0, 0, 1}, {10, 3, 1, 1}},
EmailAddresses: []string{""},
URIs: []*url.URL{{Scheme: "https", Host: "", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}},
}}, false},
{"fail", fields{
hasNameConstraints: true,
permittedURIDomains: []string{""},
}, args{&x509.Certificate{
DNSNames: []string{""},
IPAddresses: []net.IP{{127, 0, 0, 1}},
EmailAddresses: []string{""},
URIs: []*url.URL{{Scheme: "https", Host: "", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}},
}}, true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
e := &Engine{
hasNameConstraints: tt.fields.hasNameConstraints,
permittedDNSDomains: tt.fields.permittedDNSDomains,
excludedDNSDomains: tt.fields.excludedDNSDomains,
permittedIPRanges: tt.fields.permittedIPRanges,
excludedIPRanges: tt.fields.excludedIPRanges,
permittedEmailAddresses: tt.fields.permittedEmailAddresses,
excludedEmailAddresses: tt.fields.excludedEmailAddresses,
permittedURIDomains: tt.fields.permittedURIDomains,
excludedURIDomains: tt.fields.excludedURIDomains,
if err := e.ValidateCertificate(tt.args.cert); (err != nil) != tt.wantErr {
t.Errorf("Engine.ValidateCertificate() error = %v, wantErr %v", err, tt.wantErr)
Normal file
Normal file
@ -0,0 +1,383 @@
// Copyright (c) 2009 The Go Authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
package constraints
import (
func checkNameConstraints(nameType, name string, parsedName, permitted, excluded any, match func(name, constraint any) (bool, error)) error {
excludedValue := reflect.ValueOf(excluded)
for i := 0; i < excludedValue.Len(); i++ {
constraint := excludedValue.Index(i).Interface()
match, err := match(parsedName, constraint)
if err != nil {
return ConstraintError{
Type: nameType,
Name: name,
Detail: err.Error(),
if match {
return ConstraintError{
Type: nameType,
Name: name,
Detail: fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint),
var (
err error
ok = true
permittedValue := reflect.ValueOf(permitted)
for i := 0; i < permittedValue.Len(); i++ {
constraint := permittedValue.Index(i).Interface()
if ok, err = match(parsedName, constraint); err != nil {
return ConstraintError{
Type: nameType,
Name: name,
Detail: err.Error(),
if ok {
if !ok {
return ConstraintError{
Type: nameType,
Name: name,
Detail: fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name),
return nil
func matchDomainConstraint(domain, constraint string) (bool, error) {
// The meaning of zero length constraints is not specified, but this
// code follows NSS and accepts them as matching everything.
if constraint == "" {
return true, nil
domainLabels, ok := domainToReverseLabels(domain)
if !ok {
return false, fmt.Errorf("internal error: cannot parse domain %q", domain)
// RFC 5280 says that a leading period in a domain name means that at least
// one label must be prepended, but only for URI and email constraints, not
// DNS constraints. The code also supports that behavior for DNS
// constraints.
mustHaveSubdomains := false
if constraint[0] == '.' {
mustHaveSubdomains = true
constraint = constraint[1:]
constraintLabels, ok := domainToReverseLabels(constraint)
if !ok {
return false, fmt.Errorf("internal error: cannot parse domain %q", constraint)
if len(domainLabels) < len(constraintLabels) ||
(mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) {
return false, nil
for i, constraintLabel := range constraintLabels {
if !strings.EqualFold(constraintLabel, domainLabels[i]) {
return false, nil
return true, nil
func normalizeIP(ip net.IP) net.IP {
if ip4 := ip.To4(); ip4 != nil {
return ip4
return ip
func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
ip = normalizeIP(ip)
constraintIP := normalizeIP(constraint.IP)
if len(ip) != len(constraintIP) {
return false, nil
for i := range ip {
if mask := constraint.Mask[i]; ip[i]&mask != constraintIP[i]&mask {
return false, nil
return true, nil
func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) {
// If the constraint contains an @, then it specifies an exact mailbox
// name.
if strings.Contains(constraint, "@") {
constraintMailbox, ok := parseRFC2821Mailbox(constraint)
if !ok {
return false, fmt.Errorf("internal error: cannot parse constraint %q", constraint)
return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil
// Otherwise the constraint is like a DNS constraint of the domain part
// of the mailbox.
return matchDomainConstraint(mailbox.domain, constraint)
func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
// From RFC 5280, Section
// “a uniformResourceIdentifier that does not include an authority
// component with a host name specified as a fully qualified domain
// name (e.g., if the URI either does not include an authority
// component or includes an authority component in which the host name
// is specified as an IP address), then the application MUST reject the
// certificate.”
host := uri.Host
if host == "" {
return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String())
if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") {
var err error
host, _, err = net.SplitHostPort(uri.Host)
if err != nil {
return false, err
if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") ||
net.ParseIP(host) != nil {
return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
return matchDomainConstraint(host, constraint)
// domainToReverseLabels converts a textual domain name like to
// the list of labels in reverse order, e.g. ["com", "example", "foo"].
func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
for len(domain) > 0 {
if i := strings.LastIndexByte(domain, '.'); i == -1 {
reverseLabels = append(reverseLabels, domain)
domain = ""
} else {
reverseLabels = append(reverseLabels, domain[i+1:])
domain = domain[:i]
if len(reverseLabels) > 0 && reverseLabels[0] == "" {
// An empty label at the end indicates an absolute value.
return nil, false
for _, label := range reverseLabels {
if label == "" {
// Empty labels are otherwise invalid.
return nil, false
for _, c := range label {
if c < 33 || c > 126 {
// Invalid character.
return nil, false
return reverseLabels, true
// rfc2821Mailbox represents a “mailbox” (which is an email address to most
// people) by breaking it into the “local” (i.e. before the '@') and “domain”
// parts.
type rfc2821Mailbox struct {
local, domain string
// parseRFC2821Mailbox parses an email address into local and domain parts,
// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280,
// Section that's correct for an rfc822Name from a certificate: “The
// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”.
func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
if in == "" {
return mailbox, false
localPartBytes := make([]byte, 0, len(in)/2)
if in[0] == '"' {
// Quoted-string = DQUOTE *qcontent DQUOTE
// non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127
// qcontent = qtext / quoted-pair
// qtext = non-whitespace-control /
// %d33 / %d35-91 / %d93-126
// quoted-pair = ("\" text) / obs-qp
// text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text
// (Names beginning with “obs-” are the obsolete syntax from RFC 2822,
// Section 4. Since it has been 16 years, we no longer accept that.)
in = in[1:]
for {
if in == "" {
return mailbox, false
c := in[0]
in = in[1:]
switch {
case c == '"':
break QuotedString
case c == '\\':
// quoted-pair
if in == "" {
return mailbox, false
if in[0] == 11 ||
in[0] == 12 ||
(1 <= in[0] && in[0] <= 9) ||
(14 <= in[0] && in[0] <= 127) {
localPartBytes = append(localPartBytes, in[0])
in = in[1:]
} else {
return mailbox, false
case c == 11 ||
c == 12 ||
// Space (char 32) is not allowed based on the
// BNF, but RFC 3696 gives an example that
// assumes that it is. Several “verified”
// errata continue to argue about this point.
// We choose to accept it.
c == 32 ||
c == 33 ||
c == 127 ||
(1 <= c && c <= 8) ||
(14 <= c && c <= 31) ||
(35 <= c && c <= 91) ||
(93 <= c && c <= 126):
// qtext
localPartBytes = append(localPartBytes, c)
return mailbox, false
} else {
// Atom ("." Atom)*
for len(in) > 0 {
// atext from RFC 2822, Section 3.2.4
c := in[0]
switch {
case c == '\\':
// Examples given in RFC 3696 suggest that
// escaped characters can appear outside of a
// quoted string. Several “verified” errata
// continue to argue the point. We choose to
// accept it.
in = in[1:]
if in == "" {
return mailbox, false
case ('0' <= c && c <= '9') ||
('a' <= c && c <= 'z') ||
('A' <= c && c <= 'Z') ||
c == '!' || c == '#' || c == '$' || c == '%' ||
c == '&' || c == '\'' || c == '*' || c == '+' ||
c == '-' || c == '/' || c == '=' || c == '?' ||
c == '^' || c == '_' || c == '`' || c == '{' ||
c == '|' || c == '}' || c == '~' || c == '.':
localPartBytes = append(localPartBytes, in[0])
in = in[1:]
break NextChar
if len(localPartBytes) == 0 {
return mailbox, false
// From RFC 3696, Section 3:
// “period (".") may also appear, but may not be used to start
// or end the local part, nor may two or more consecutive
// periods appear.”
twoDots := []byte{'.', '.'}
if localPartBytes[0] == '.' ||
localPartBytes[len(localPartBytes)-1] == '.' ||
bytes.Contains(localPartBytes, twoDots) {
return mailbox, false
if in == "" || in[0] != '@' {
return mailbox, false
in = in[1:]
// The RFC species a format for domains, but that's known to be
// violated in practice so we accept that anything after an '@' is the
// domain part.
if _, ok := domainToReverseLabels(in); !ok {
return mailbox, false
mailbox.local = string(localPartBytes)
mailbox.domain = in
return mailbox, true
@ -461,7 +461,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
defer cancel()
defer cancel()
conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
// nolint:gosec // used in bootstrap protocol
//nolint:gosec // used in bootstrap protocol
InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
if err != nil {
if err != nil {
@ -151,16 +151,23 @@ func WithKeyManager(k kms.KeyManager) Option {
// WithX509Signer defines the signer used to sign X509 certificates.
// WithX509Signer defines the signer used to sign X509 certificates.
func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
return WithX509SignerChain([]*x509.Certificate{crt}, s)
// WithX509SignerChain defines the signer used to sign X509 certificates. This
// option is similar to WithX509Signer but it supports a chain of intermediates.
func WithX509SignerChain(issuerChain []*x509.Certificate, s crypto.Signer) Option {
return func(a *Authority) error {
return func(a *Authority) error {
srv, err := cas.New(context.Background(), casapi.Options{
srv, err := cas.New(context.Background(), casapi.Options{
Type: casapi.SoftCAS,
Type: casapi.SoftCAS,
Signer: s,
Signer: s,
CertificateChain: []*x509.Certificate{crt},
CertificateChain: issuerChain,
if err != nil {
if err != nil {
return err
return err
a.x509CAService = srv
a.x509CAService = srv
a.intermediateX509Certs = append(a.intermediateX509Certs, issuerChain...)
return nil
return nil
@ -233,6 +240,25 @@ func WithX509FederatedCerts(certs ...*x509.Certificate) Option {
// WithX509IntermediateCerts is an option that allows to define the list of
// intermediate certificates that the CA will be using. This option will replace
// any intermediate certificate defined before.
// Note that these certificates will not be bundled with the certificates signed
// by the CA, because the CAS service will take care of that. They should match,
// but that's not guaranteed. These certificates will be mainly used for name
// constraint validation before a certificate is issued.
// This option should only be used on specific configurations, for example when
// WithX509SignerFunc is used, as we don't know the list of intermediates in
// advance.
func WithX509IntermediateCerts(intermediateCerts ...*x509.Certificate) Option {
return func(a *Authority) error {
a.intermediateX509Certs = intermediateCerts
return nil
// WithX509RootBundle is an option that allows to define the list of root
// WithX509RootBundle is an option that allows to define the list of root
// certificates. This option will replace any root certificate defined before.
// certificates. This option will replace any root certificate defined before.
func WithX509RootBundle(pemCerts []byte) Option {
func WithX509RootBundle(pemCerts []byte) Option {
@ -119,7 +119,6 @@ func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error {
func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *linkedca.Admin, p *linkedca.Policy) error {
func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *linkedca.Admin, p *linkedca.Policy) error {
// no policy and thus nothing to evaluate; return early
// no policy and thus nothing to evaluate; return early
if p == nil {
if p == nil {
return nil
return nil
@ -138,7 +137,6 @@ func (a *Authority) checkAuthorityPolicy(ctx context.Context, currentAdmin *link
func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string, p *linkedca.Policy) error {
func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string, p *linkedca.Policy) error {
// no policy and thus nothing to evaluate; return early
// no policy and thus nothing to evaluate; return early
if p == nil {
if p == nil {
return nil
return nil
@ -157,7 +155,6 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string,
// checkPolicy checks if a new or updated policy configuration results in the user
// checkPolicy checks if a new or updated policy configuration results in the user
// locking themselves or other admins out of the CA.
// locking themselves or other admins out of the CA.
func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error {
// convert the policy; return early if nil
// convert the policy; return early if nil
policyOptions := authPolicy.LinkedToCertificates(p)
policyOptions := authPolicy.LinkedToCertificates(p)
if policyOptions == nil {
if policyOptions == nil {
@ -216,7 +213,6 @@ func (a *Authority) reloadPolicyEngines(ctx context.Context) error {
if a.config.AuthorityConfig.EnableAdmin {
if a.config.AuthorityConfig.EnableAdmin {
// temporarily disable policy loading when LinkedCA is in use
// temporarily disable policy loading when LinkedCA is in use
if _, ok := a.adminDB.(*linkedCaClient); ok {
if _, ok := a.adminDB.(*linkedCaClient); ok {
return nil
return nil
@ -17,9 +17,9 @@ type Engine struct {
// New returns a new Engine using Options.
// New returns a new Engine using Options.
func New(options *Options) (*Engine, error) {
func New(options *Options) (*Engine, error) {
// if no options provided, return early
// if no options provided, return early
if options == nil {
if options == nil {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
@ -56,7 +56,6 @@ func New(options *Options) (*Engine, error) {
// the X.509 policy (if available) and returns an error if one of the
// the X.509 policy (if available) and returns an error if one of the
// names in the certificate is not allowed.
// names in the certificate is not allowed.
func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error {
func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error {
// return early if there's no policy to evaluate
// return early if there's no policy to evaluate
if e == nil || e.x509Policy == nil {
if e == nil || e.x509Policy == nil {
return nil
return nil
@ -69,7 +68,6 @@ func (e *Engine) IsX509CertificateAllowed(cert *x509.Certificate) error {
// AreSANsAllowed evaluates the slice of SANs against the X.509 policy
// AreSANsAllowed evaluates the slice of SANs against the X.509 policy
// (if available) and returns an error if one of the SANs is not allowed.
// (if available) and returns an error if one of the SANs is not allowed.
func (e *Engine) AreSANsAllowed(sans []string) error {
func (e *Engine) AreSANsAllowed(sans []string) error {
// return early if there's no policy to evaluate
// return early if there's no policy to evaluate
if e == nil || e.x509Policy == nil {
if e == nil || e.x509Policy == nil {
return nil
return nil
@ -83,7 +81,6 @@ func (e *Engine) AreSANsAllowed(sans []string) error {
// user or host policy (if configured) and returns an error if one of the
// user or host policy (if configured) and returns an error if one of the
// principals in the certificate is not allowed.
// principals in the certificate is not allowed.
func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error {
func (e *Engine) IsSSHCertificateAllowed(cert *ssh.Certificate) error {
// return early if there's no policy to evaluate
// return early if there's no policy to evaluate
if e == nil || (e.sshHostPolicy == nil && e.sshUserPolicy == nil) {
if e == nil || (e.sshHostPolicy == nil && e.sshUserPolicy == nil) {
return nil
return nil
@ -19,7 +19,6 @@ type HostPolicy policy.SSHNamePolicyEngine
// NewX509PolicyEngine creates a new x509 name policy engine
// NewX509PolicyEngine creates a new x509 name policy engine
func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error) {
func NewX509PolicyEngine(policyOptions X509PolicyOptionsInterface) (X509Policy, error) {
// return early if no policy engine options to configure
// return early if no policy engine options to configure
if policyOptions == nil {
if policyOptions == nil {
return nil, nil
return nil, nil
@ -92,7 +91,6 @@ func NewSSHHostPolicyEngine(policyOptions SSHPolicyOptionsInterface) (HostPolicy
// newSSHPolicyEngine creates a new SSH name policy engine
// newSSHPolicyEngine creates a new SSH name policy engine
func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEngineType) (policy.SSHNamePolicyEngine, error) {
func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEngineType) (policy.SSHNamePolicyEngine, error) {
// return early if no policy engine options to configure
// return early if no policy engine options to configure
if policyOptions == nil {
if policyOptions == nil {
return nil, nil
return nil, nil
@ -143,7 +141,6 @@ func newSSHPolicyEngine(policyOptions SSHPolicyOptionsInterface, typ sshPolicyEn
func LinkedToCertificates(p *linkedca.Policy) *Options {
func LinkedToCertificates(p *linkedca.Policy) *Options {
// return early
// return early
if p == nil {
if p == nil {
return nil
return nil
@ -185,11 +185,11 @@ func TestAuthority_checkPolicy(t *testing.T) {
} else {
} else {
assert.IsType(t, &PolicyError{}, err)
assert.IsType(t, &PolicyError{}, err)
pe, ok := err.(*PolicyError)
var pe *PolicyError
assert.True(t, ok)
if assert.True(t, errors.As(err, &pe)) {
assert.Equal(t, tc.err.Typ, pe.Typ)
assert.Equal(t, tc.err.Typ, pe.Typ)
assert.Equal(t, tc.err.Error(), pe.Error())
assert.Equal(t, tc.err.Error(), pe.Error())
@ -1179,10 +1179,11 @@ func TestAuthority_RemoveAuthorityPolicy(t *testing.T) {
err := a.RemoveAuthorityPolicy(tt.args.ctx)
err := a.RemoveAuthorityPolicy(tt.args.ctx)
if err != nil {
if err != nil {
pe, ok := err.(*PolicyError)
var pe *PolicyError
assert.True(t, ok)
if assert.True(t, errors.As(err, &pe)) {
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
@ -1250,10 +1251,11 @@ func TestAuthority_GetAuthorityPolicy(t *testing.T) {
got, err := a.GetAuthorityPolicy(tt.args.ctx)
got, err := a.GetAuthorityPolicy(tt.args.ctx)
if err != nil {
if err != nil {
pe, ok := err.(*PolicyError)
var pe *PolicyError
assert.True(t, ok)
if assert.True(t, errors.As(err, &pe)) {
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
if !reflect.DeepEqual(got, tt.want) {
if !reflect.DeepEqual(got, tt.want) {
@ -1429,10 +1431,11 @@ func TestAuthority_CreateAuthorityPolicy(t *testing.T) {
got, err := a.CreateAuthorityPolicy(tt.args.ctx, tt.args.adm, tt.args.p)
got, err := a.CreateAuthorityPolicy(tt.args.ctx, tt.args.adm, tt.args.p)
if err != nil {
if err != nil {
pe, ok := err.(*PolicyError)
var pe *PolicyError
assert.True(t, ok)
if assert.True(t, errors.As(err, &pe)) {
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
if !reflect.DeepEqual(got, tt.want) {
if !reflect.DeepEqual(got, tt.want) {
@ -1611,10 +1614,11 @@ func TestAuthority_UpdateAuthorityPolicy(t *testing.T) {
got, err := a.UpdateAuthorityPolicy(tt.args.ctx, tt.args.adm, tt.args.p)
got, err := a.UpdateAuthorityPolicy(tt.args.ctx, tt.args.adm, tt.args.p)
if err != nil {
if err != nil {
pe, ok := err.(*PolicyError)
var pe *PolicyError
assert.True(t, ok)
if assert.True(t, errors.As(err, &pe)) {
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Typ, pe.Typ)
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
assert.Equal(t, tt.wantErr.Err.Error(), pe.Err.Error())
if !reflect.DeepEqual(got, tt.want) {
if !reflect.DeepEqual(got, tt.want) {
@ -3,13 +3,78 @@ package provisioner
import (
import (
// ACMEChallenge represents the supported acme challenges.
type ACMEChallenge string
//nolint:stylecheck,revive // better names
const (
// HTTP_01 is the http-01 ACME challenge.
HTTP_01 ACMEChallenge = "http-01"
// DNS_01 is the dns-01 ACME challenge.
DNS_01 ACMEChallenge = "dns-01"
// TLS_ALPN_01 is the tls-alpn-01 ACME challenge.
TLS_ALPN_01 ACMEChallenge = "tls-alpn-01"
// DEVICE_ATTEST_01 is the device-attest-01 ACME challenge.
DEVICE_ATTEST_01 ACMEChallenge = "device-attest-01"
// String returns a normalized version of the challenge.
func (c ACMEChallenge) String() string {
return strings.ToLower(string(c))
// Validate returns an error if the acme challenge is not a valid one.
func (c ACMEChallenge) Validate() error {
switch ACMEChallenge(c.String()) {
case HTTP_01, DNS_01, TLS_ALPN_01, DEVICE_ATTEST_01:
return nil
return fmt.Errorf("acme challenge %q is not supported", c)
// ACMEAttestationFormat represents the format used on a device-attest-01
// challenge.
type ACMEAttestationFormat string
const (
// APPLE is the format used to enable device-attest-01 on apple devices.
APPLE ACMEAttestationFormat = "apple"
// STEP is the format used to enable device-attest-01 on devices that
// provide attestation certificates like the PIV interface on YubiKeys.
// TODO(mariano): should we rename this to something else.
STEP ACMEAttestationFormat = "step"
// TPM is the format used to enable device-attest-01 on TPMs.
TPM ACMEAttestationFormat = "tpm"
// String returns a normalized version of the attestation format.
func (f ACMEAttestationFormat) String() string {
return strings.ToLower(string(f))
// Validate returns an error if the attestation format is not a valid one.
func (f ACMEAttestationFormat) Validate() error {
switch ACMEAttestationFormat(f.String()) {
return nil
return fmt.Errorf("acme attestation format %q is not supported", f)
// ACME is the acme provisioner type, an entity that can authorize the ACME
// ACME is the acme provisioner type, an entity that can authorize the ACME
// provisioning flow.
// provisioning flow.
type ACME struct {
type ACME struct {
@ -22,11 +87,23 @@ type ACME struct {
// by clients when creating a new Account. If set to true, the provided
// by clients when creating a new Account. If set to true, the provided
// EAB will be verified. If set to false and an EAB is provided, it is
// EAB will be verified. If set to false and an EAB is provided, it is
// not verified. Defaults to false.
// not verified. Defaults to false.
RequireEAB bool `json:"requireEAB,omitempty"`
RequireEAB bool `json:"requireEAB,omitempty"`
Claims *Claims `json:"claims,omitempty"`
// Challenges contains the enabled challenges for this provisioner. If this
Options *Options `json:"options,omitempty"`
// value is not set the default http-01, dns-01 and tls-alpn-01 challenges
// will be enabled, device-attest-01 will be disabled.
ctl *Controller
Challenges []ACMEChallenge `json:"challenges,omitempty"`
// AttestationFormats contains the enabled attestation formats for this
// provisioner. If this value is not set the default apple, step and tpm
// will be used.
AttestationFormats []ACMEAttestationFormat `json:"attestationFormats,omitempty"`
// AttestationRoots contains a bundle of root certificates in PEM format
// that will be used to verify the attestation certificates. If provided,
// this bundle will be used even for well-known CAs like Apple and Yubico.
AttestationRoots []byte `json:"attestationRoots,omitempty"`
Claims *Claims `json:"claims,omitempty"`
Options *Options `json:"options,omitempty"`
attestationRootPool *x509.CertPool
ctl *Controller
// GetID returns the provisioner unique identifier.
// GetID returns the provisioner unique identifier.
@ -83,6 +160,40 @@ func (p *ACME) Init(config Config) (err error) {
return errors.New("provisioner name cannot be empty")
return errors.New("provisioner name cannot be empty")
for _, c := range p.Challenges {
if err := c.Validate(); err != nil {
return err
for _, f := range p.AttestationFormats {
if err := f.Validate(); err != nil {
return err
// Parse attestation roots.
// The pool will be nil if the there are not roots.
if rest := p.AttestationRoots; len(rest) > 0 {
var block *pem.Block
var hasCert bool
p.attestationRootPool = x509.NewCertPool()
for rest != nil {
block, rest = pem.Decode(rest)
if block == nil {
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return errors.New("error parsing attestationRoots: malformed certificate")
hasCert = true
if !hasCert {
return errors.New("error parsing attestationRoots: no certificates found")
p.ctl, err = NewController(p, p.Claims, config, p.Options)
p.ctl, err = NewController(p, p.Claims, config, p.Options)
@ -106,7 +217,6 @@ type ACMEIdentifier struct {
// AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
// AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a
// certificate for an ACME Order Identifier.
// certificate for an ACME Order Identifier.
func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error {
func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error {
x509Policy := p.ctl.getPolicy().getX509()
x509Policy := p.ctl.getPolicy().getX509()
// identifier is allowed if no policy is configured
// identifier is allowed if no policy is configured
@ -163,3 +273,48 @@ func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error {
func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error {
return p.ctl.AuthorizeRenew(ctx, cert)
return p.ctl.AuthorizeRenew(ctx, cert)
// IsChallengeEnabled checks if the given challenge is enabled. By default
// http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the
// Challenge provisioner property should have at least one element.
func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) bool {
enabledChallenges := []ACMEChallenge{
HTTP_01, DNS_01, TLS_ALPN_01,
if len(p.Challenges) > 0 {
enabledChallenges = p.Challenges
for _, ch := range enabledChallenges {
if strings.EqualFold(string(ch), string(challenge)) {
return true
return false
// IsAttestationFormatEnabled checks if the given attestation format is enabled.
// By default apple, step and tpm are enabled, to disable any of them the
// AttestationFormat provisioner property should have at least one element.
func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttestationFormat) bool {
enabledFormats := []ACMEAttestationFormat{
if len(p.AttestationFormats) > 0 {
enabledFormats = p.AttestationFormats
for _, f := range enabledFormats {
if strings.EqualFold(string(f), string(format)) {
return true
return false
// GetAttestationRoots returns certificate pool with the configured attestation
// roots and reports if the pool contains at least one certificate.
// TODO(hs): we may not want to expose the root pool like this; call into an
// interface function instead to authorize?
func (p *ACME) GetAttestationRoots() (*x509.CertPool, bool) {
return p.attestationRootPool, p.attestationRootPool != nil
Normal file
Normal file
@ -0,0 +1,82 @@
//go:build go1.18
// +build go1.18
package provisioner
import (
func TestACME_GetAttestationRoots(t *testing.T) {
appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
if err != nil {
yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
if err != nil {
pool := x509.NewCertPool()
type fields struct {
Type string
Name string
AttestationRoots []byte
tests := []struct {
name string
fields fields
want *x509.CertPool
want1 bool
{"ok", fields{"ACME", "acme", bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n"))}, pool, true},
{"nil", fields{"ACME", "acme", nil}, nil, false},
{"empty", fields{"ACME", "acme", []byte{}}, nil, false},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
p := &ACME{
Type: tt.fields.Type,
Name: tt.fields.Name,
AttestationRoots: tt.fields.AttestationRoots,
if err := p.Init(Config{
Claims: globalProvisionerClaims,
Audiences: testAudiences,
}); err != nil {
got, got1 := p.GetAttestationRoots()
switch {
case tt.want == nil && got == nil:
case tt.want == nil && got != nil, tt.want != nil && got == nil:
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
//nolint:staticcheck // this file only runs in go1.18
gotSubjects := got.Subjects()
//nolint:staticcheck // this file only runs in go1.18
wantSubjects := tt.want.Subjects()
if len(gotSubjects) != len(wantSubjects) {
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
} else {
for i, gotSub := range gotSubjects {
if !bytes.Equal(gotSub, wantSubjects[i]) {
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
if got1 != tt.want1 {
t.Errorf("ACME.GetAttestationRoots() got1 = %v, want %v", got1, tt.want1)
Normal file
Normal file
@ -0,0 +1,66 @@
//go:build !go1.18
// +build !go1.18
package provisioner
import (
func TestACME_GetAttestationRoots(t *testing.T) {
appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
if err != nil {
yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
if err != nil {
pool := x509.NewCertPool()
type fields struct {
Type string
Name string
AttestationRoots []byte
tests := []struct {
name string
fields fields
want *x509.CertPool
want1 bool
{"ok", fields{"ACME", "acme", bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n"))}, pool, true},
{"nil", fields{"ACME", "acme", nil}, nil, false},
{"empty", fields{"ACME", "acme", []byte{}}, nil, false},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
p := &ACME{
Type: tt.fields.Type,
Name: tt.fields.Name,
AttestationRoots: tt.fields.AttestationRoots,
if err := p.Init(Config{
Claims: globalProvisionerClaims,
Audiences: testAudiences,
}); err != nil {
got, got1 := p.GetAttestationRoots()
if tt.want == nil && got != nil {
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
} else if !tt.want.Equal(got) {
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
if got1 != tt.want1 {
t.Errorf("ACME.GetAttestationRoots() got1 = %v, want %v", got1, tt.want1)
@ -1,11 +1,16 @@
//go:build !go1.18
// +build !go1.18
package provisioner
package provisioner
import (
import (
@ -13,6 +18,49 @@ import (
func TestACMEChallenge_Validate(t *testing.T) {
tests := []struct {
name string
c ACMEChallenge
wantErr bool
{"http-01", HTTP_01, false},
{"dns-01", DNS_01, false},
{"tls-alpn-01", TLS_ALPN_01, false},
{"device-attest-01", DEVICE_ATTEST_01, false},
{"uppercase", "HTTP-01", false},
{"fail", "http-02", true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
if err := tt.c.Validate(); (err != nil) != tt.wantErr {
t.Errorf("ACMEChallenge.Validate() error = %v, wantErr %v", err, tt.wantErr)
func TestACMEAttestationFormat_Validate(t *testing.T) {
tests := []struct {
name string
f ACMEAttestationFormat
wantErr bool
{"apple", APPLE, false},
{"step", STEP, false},
{"tpm", TPM, false},
{"uppercase", "APPLE", false},
{"fail", "FOO", true},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
if err := tt.f.Validate(); (err != nil) != tt.wantErr {
t.Errorf("ACMEAttestationFormat.Validate() error = %v, wantErr %v", err, tt.wantErr)
func TestACME_Getters(t *testing.T) {
func TestACME_Getters(t *testing.T) {
p, err := generateACME()
p, err := generateACME()
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -34,6 +82,15 @@ func TestACME_Getters(t *testing.T) {
func TestACME_Init(t *testing.T) {
func TestACME_Init(t *testing.T) {
appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
if err != nil {
yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
if err != nil {
type ProvisionerValidateTest struct {
type ProvisionerValidateTest struct {
err error
err error
@ -65,11 +122,46 @@ func TestACME_Init(t *testing.T) {
err: errors.New("claims: MinTLSCertDuration must be greater than 0"),
err: errors.New("claims: MinTLSCertDuration must be greater than 0"),
"fail-bad-challenge": func(t *testing.T) ProvisionerValidateTest {
return ProvisionerValidateTest{
p: &ACME{Name: "foo", Type: "bar", Challenges: []ACMEChallenge{HTTP_01, "zar"}},
err: errors.New("acme challenge \"zar\" is not supported"),
"fail-bad-attestation-format": func(t *testing.T) ProvisionerValidateTest {
return ProvisionerValidateTest{
p: &ACME{Name: "foo", Type: "bar", AttestationFormats: []ACMEAttestationFormat{APPLE, "zar"}},
err: errors.New("acme attestation format \"zar\" is not supported"),
"fail-parse-attestation-roots": func(t *testing.T) ProvisionerValidateTest {
return ProvisionerValidateTest{
p: &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("-----BEGIN CERTIFICATE-----\nZm9v\n-----END CERTIFICATE-----")},
err: errors.New("error parsing attestationRoots: malformed certificate"),
"fail-empty-attestation-roots": func(t *testing.T) ProvisionerValidateTest {
return ProvisionerValidateTest{
p: &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("\n")},
err: errors.New("error parsing attestationRoots: no certificates found"),
"ok": func(t *testing.T) ProvisionerValidateTest {
"ok": func(t *testing.T) ProvisionerValidateTest {
return ProvisionerValidateTest{
return ProvisionerValidateTest{
p: &ACME{Name: "foo", Type: "bar"},
p: &ACME{Name: "foo", Type: "bar"},
"ok attestation": func(t *testing.T) ProvisionerValidateTest {
return ProvisionerValidateTest{
p: &ACME{
Name: "foo",
Type: "bar",
Challenges: []ACMEChallenge{DNS_01, DEVICE_ATTEST_01},
AttestationFormats: []ACMEAttestationFormat{APPLE, STEP},
AttestationRoots: bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n")),
config := Config{
config := Config{
@ -79,6 +171,7 @@ func TestACME_Init(t *testing.T) {
for name, get := range tests {
for name, get := range tests {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
tc := get(t)
tc := get(t)
err := tc.p.Init(config)
err := tc.p.Init(config)
if err != nil {
if err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
@ -204,3 +297,80 @@ func TestACME_AuthorizeSign(t *testing.T) {
func TestACME_IsChallengeEnabled(t *testing.T) {
ctx := context.Background()
type fields struct {
Challenges []ACMEChallenge
type args struct {
ctx context.Context
challenge ACMEChallenge
tests := []struct {
name string
fields fields
args args
want bool
{"ok http-01", fields{nil}, args{ctx, HTTP_01}, true},
{"ok dns-01", fields{nil}, args{ctx, DNS_01}, true},
{"ok tls-alpn-01", fields{[]ACMEChallenge{}}, args{ctx, TLS_ALPN_01}, true},
{"fail device-attest-01", fields{[]ACMEChallenge{}}, args{ctx, "device-attest-01"}, false},
{"ok http-01 enabled", fields{[]ACMEChallenge{"http-01"}}, args{ctx, "HTTP-01"}, true},
{"ok dns-01 enabled", fields{[]ACMEChallenge{"http-01", "dns-01"}}, args{ctx, DNS_01}, true},
{"ok tls-alpn-01 enabled", fields{[]ACMEChallenge{"http-01", "dns-01", "tls-alpn-01"}}, args{ctx, TLS_ALPN_01}, true},
{"ok device-attest-01 enabled", fields{[]ACMEChallenge{"device-attest-01", "dns-01"}}, args{ctx, DEVICE_ATTEST_01}, true},
{"fail http-01", fields{[]ACMEChallenge{"dns-01"}}, args{ctx, "http-01"}, false},
{"fail dns-01", fields{[]ACMEChallenge{"http-01", "tls-alpn-01"}}, args{ctx, "dns-01"}, false},
{"fail tls-alpn-01", fields{[]ACMEChallenge{"http-01", "dns-01", "device-attest-01"}}, args{ctx, "tls-alpn-01"}, false},
{"fail device-attest-01", fields{[]ACMEChallenge{"http-01", "dns-01"}}, args{ctx, "device-attest-01"}, false},
{"fail unknown", fields{[]ACMEChallenge{"http-01", "dns-01", "tls-alpn-01", "device-attest-01"}}, args{ctx, "unknown"}, false},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
p := &ACME{
Challenges: tt.fields.Challenges,
if got := p.IsChallengeEnabled(tt.args.ctx, tt.args.challenge); got != tt.want {
t.Errorf("ACME.AuthorizeChallenge() = %v, want %v", got, tt.want)
func TestACME_IsAttestationFormatEnabled(t *testing.T) {
ctx := context.Background()
type fields struct {
AttestationFormats []ACMEAttestationFormat
type args struct {
ctx context.Context
format ACMEAttestationFormat
tests := []struct {
name string
fields fields
args args
want bool
{"ok", fields{[]ACMEAttestationFormat{APPLE, STEP, TPM}}, args{ctx, TPM}, true},
{"ok empty apple", fields{nil}, args{ctx, APPLE}, true},
{"ok empty step", fields{nil}, args{ctx, STEP}, true},
{"ok empty tpm", fields{[]ACMEAttestationFormat{}}, args{ctx, "tpm"}, true},
{"ok uppercase", fields{[]ACMEAttestationFormat{APPLE, STEP, TPM}}, args{ctx, "STEP"}, true},
{"fail apple", fields{[]ACMEAttestationFormat{STEP, TPM}}, args{ctx, APPLE}, false},
{"fail step", fields{[]ACMEAttestationFormat{APPLE, TPM}}, args{ctx, STEP}, false},
{"fail step", fields{[]ACMEAttestationFormat{APPLE, STEP}}, args{ctx, TPM}, false},
for _, tt := range tests {
t.Run(, func(t *testing.T) {
p := &ACME{
AttestationFormats: tt.fields.AttestationFormats,
if got := p.IsAttestationFormatEnabled(tt.args.ctx, tt.args.format); got != tt.want {
t.Errorf("ACME.IsAttestationFormatEnabled() = %v, want %v", got, tt.want)
@ -35,20 +35,17 @@ const awsIdentityURL = "
const awsSignatureURL = ""
const awsSignatureURL = ""
// awsAPITokenURL is the url used to get the IMDSv2 API token
// awsAPITokenURL is the url used to get the IMDSv2 API token
// nolint:gosec // no credentials here
const awsAPITokenURL = "" //nolint:gosec // no credentials here
const awsAPITokenURL = ""
// awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
// awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
// -- we keep this short-lived since we get a new token with every call to readURL()
// -- we keep this short-lived since we get a new token with every call to readURL()
const awsAPITokenTTL = "30"
const awsAPITokenTTL = "30"
// awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
// awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
// nolint:gosec // no credentials here
const awsMetadataTokenHeader = "X-aws-ec2-metadata-token" //nolint:gosec // no credentials here
const awsMetadataTokenHeader = "X-aws-ec2-metadata-token"
// awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
// awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
// nolint:gosec // no credentials here
const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" //nolint:gosec // no credentials here
const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
// awsCertificate is the certificate used to validate the instance identity
// awsCertificate is the certificate used to validate the instance identity
// signature.
// signature.
@ -522,8 +522,8 @@ func TestAWS_authorizeToken(t *testing.T) {
tc := tt(t)
tc := tt(t)
if claims, err := tc.p.authorizeToken(tc.token); err != nil {
if claims, err := tc.p.authorizeToken(tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -669,8 +669,8 @@ func TestAWS_AuthorizeSign(t *testing.T) {
t.Errorf("AWS.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("AWS.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
case err != nil:
case err != nil:
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, tt.wantLen, len(got))
assert.Equals(t, tt.wantLen, len(got))
@ -748,7 +748,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key
pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err)
assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
//nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -807,8 +807,8 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
} else if assert.NotNil(t, got) {
@ -864,8 +864,8 @@ func TestAWS_AuthorizeRenew(t *testing.T) {
if err :=, tt.args.cert); (err != nil) != tt.wantErr {
if err :=, tt.args.cert); (err != nil) != tt.wantErr {
t.Errorf("AWS.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("AWS.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -24,8 +24,7 @@ import (
// azureOIDCBaseURL is the base discovery url for Microsoft Azure tokens.
// azureOIDCBaseURL is the base discovery url for Microsoft Azure tokens.
const azureOIDCBaseURL = ""
const azureOIDCBaseURL = ""
// azureIdentityTokenURL is the URL to get the identity token for an instance.
//nolint:gosec // azureIdentityTokenURL is the URL to get the identity token for an instance.
// nolint:gosec // no credentials here
const azureIdentityTokenURL = ""
const azureIdentityTokenURL = ""
// azureDefaultAudience is the default audience used.
// azureDefaultAudience is the default audience used.
@ -336,8 +336,8 @@ func TestAzure_authorizeToken(t *testing.T) {
tc := tt(t)
tc := tt(t)
if claims, name, group, subscriptionID, objectID, err := tc.p.authorizeToken(tc.token); err != nil {
if claims, name, group, subscriptionID, objectID, err := tc.p.authorizeToken(tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -498,8 +498,8 @@ func TestAzure_AuthorizeSign(t *testing.T) {
t.Errorf("Azure.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("Azure.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
case err != nil:
case err != nil:
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, tt.wantLen, len(got))
assert.Equals(t, tt.wantLen, len(got))
@ -576,8 +576,8 @@ func TestAzure_AuthorizeRenew(t *testing.T) {
if err :=, tt.args.cert); (err != nil) != tt.wantErr {
if err :=, tt.args.cert); (err != nil) != tt.wantErr {
t.Errorf("Azure.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("Azure.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -624,7 +624,7 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key
pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err)
assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
//nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -673,8 +673,8 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
} else if assert.NotNil(t, got) {
@ -38,7 +38,8 @@ type Claimer struct {
// NewClaimer initializes a new claimer with the given claims.
// NewClaimer initializes a new claimer with the given claims.
func NewClaimer(claims *Claims, global Claims) (*Claimer, error) {
func NewClaimer(claims *Claims, global Claims) (*Claimer, error) {
c := &Claimer{global: global, claims: claims}
c := &Claimer{global: global, claims: claims}
return c, c.Validate()
err := c.Validate()
return c, err
// Claims returns the merge of the inner and global claims.
// Claims returns the merge of the inner and global claims.
@ -1,7 +1,7 @@
package provisioner
package provisioner
import (
import (
"crypto/sha1" // nolint:gosec // not used for cryptographic security
"crypto/sha1" //nolint:gosec // not used for cryptographic security
@ -319,7 +319,7 @@ func loadProvisioner(m *sync.Map, key string) (Interface, bool) {
// provisionerSum returns the SHA1 of the provisioners ID. From this we will
// provisionerSum returns the SHA1 of the provisioners ID. From this we will
// create the unique and sorted id.
// create the unique and sorted id.
func provisionerSum(p Interface) []byte {
func provisionerSum(p Interface) []byte {
// nolint:gosec // not used for cryptographic security
//nolint:gosec // not used for cryptographic security
sum := sha1.Sum([]byte(p.GetID()))
sum := sha1.Sum([]byte(p.GetID()))
return sum[:]
return sum[:]
@ -102,7 +102,6 @@ func (p *GCP) GetID() string {
return p.ID
return p.ID
return p.GetIDForToken()
return p.GetIDForToken()
// GetIDForToken returns an identifier that will be used to load the provisioner
// GetIDForToken returns an identifier that will be used to load the provisioner
@ -391,8 +391,8 @@ func TestGCP_authorizeToken(t *testing.T) {
tc := tt(t)
tc := tt(t)
if claims, err := tc.p.authorizeToken(tc.token); err != nil {
if claims, err := tc.p.authorizeToken(tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -541,8 +541,8 @@ func TestGCP_AuthorizeSign(t *testing.T) {
t.Errorf("GCP.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("GCP.AuthorizeSign() error = %v, wantErr %v", err, tt.wantErr)
case err != nil:
case err != nil:
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, tt.wantLen, len(got))
assert.Equals(t, tt.wantLen, len(got))
@ -623,7 +623,7 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key
pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err)
assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
//nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -682,8 +682,8 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
} else if assert.NotNil(t, got) {
@ -739,8 +739,8 @@ func TestGCP_AuthorizeRenew(t *testing.T) {
if err := tt.prov.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr {
if err := tt.prov.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr {
t.Errorf("GCP.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("GCP.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCoder interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -185,8 +185,8 @@ func TestJWK_authorizeToken(t *testing.T) {
t.Run(, func(t *testing.T) {
t.Run(, func(t *testing.T) {
if got, err := tt.prov.authorizeToken(tt.args.token, testAudiences.Sign); err != nil {
if got, err := tt.prov.authorizeToken(tt.args.token, testAudiences.Sign); err != nil {
if assert.NotNil(t, tt.err) {
if assert.NotNil(t, tt.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.HasPrefix(t, err.Error(), tt.err.Error())
assert.HasPrefix(t, err.Error(), tt.err.Error())
@ -225,8 +225,8 @@ func TestJWK_AuthorizeRevoke(t *testing.T) {
t.Run(, func(t *testing.T) {
t.Run(, func(t *testing.T) {
if err := tt.prov.AuthorizeRevoke(context.Background(), tt.args.token); err != nil {
if err := tt.prov.AuthorizeRevoke(context.Background(), tt.args.token); err != nil {
if assert.NotNil(t, tt.err) {
if assert.NotNil(t, tt.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.HasPrefix(t, err.Error(), tt.err.Error())
assert.HasPrefix(t, err.Error(), tt.err.Error())
@ -290,8 +290,8 @@ func TestJWK_AuthorizeSign(t *testing.T) {
ctx := NewContextWithMethod(context.Background(), SignMethod)
ctx := NewContextWithMethod(context.Background(), SignMethod)
if got, err := tt.prov.AuthorizeSign(ctx, tt.args.token); err != nil {
if got, err := tt.prov.AuthorizeSign(ctx, tt.args.token); err != nil {
if assert.NotNil(t, tt.err) {
if assert.NotNil(t, tt.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.HasPrefix(t, err.Error(), tt.err.Error())
assert.HasPrefix(t, err.Error(), tt.err.Error())
@ -366,8 +366,8 @@ func TestJWK_AuthorizeRenew(t *testing.T) {
if err := tt.prov.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr {
if err := tt.prov.AuthorizeRenew(context.Background(), tt.args.cert); (err != nil) != tt.wantErr {
t.Errorf("JWK.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("JWK.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -411,7 +411,7 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key
pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err)
assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
//nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -461,8 +461,8 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
} else if assert.NotNil(t, got) {
@ -626,8 +626,8 @@ func TestJWK_AuthorizeSSHRevoke(t *testing.T) {
tc := tt(t)
tc := tt(t)
if err := tc.p.AuthorizeSSHRevoke(context.Background(), tc.token); err != nil {
if err := tc.p.AuthorizeSSHRevoke(context.Background(), tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -93,7 +93,6 @@ func (p *K8sSA) GetEncryptedKey() (string, string, bool) {
// Init initializes and validates the fields of a K8sSA type.
// Init initializes and validates the fields of a K8sSA type.
func (p *K8sSA) Init(config Config) (err error) {
func (p *K8sSA) Init(config Config) (err error) {
switch {
switch {
case p.Type == "":
case p.Type == "":
return errors.New("provisioner type cannot be empty")
return errors.New("provisioner type cannot be empty")
@ -118,8 +118,8 @@ func TestK8sSA_authorizeToken(t *testing.T) {
tc := tt(t)
tc := tt(t)
if claims, err := tc.p.authorizeToken(tc.token, testAudiences.Sign); err != nil {
if claims, err := tc.p.authorizeToken(tc.token, testAudiences.Sign); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -167,8 +167,8 @@ func TestK8sSA_AuthorizeRevoke(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
tc := tt(t)
tc := tt(t)
if err := tc.p.AuthorizeRevoke(context.Background(), tc.token); err != nil {
if err := tc.p.AuthorizeRevoke(context.Background(), tc.token); err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -223,8 +223,8 @@ func TestK8sSA_AuthorizeRenew(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
tc := tt(t)
tc := tt(t)
if err := tc.p.AuthorizeRenew(context.Background(), tc.cert); err != nil {
if err := tc.p.AuthorizeRenew(context.Background(), tc.cert); err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -272,8 +272,8 @@ func TestK8sSA_AuthorizeSign(t *testing.T) {
tc := tt(t)
tc := tt(t)
if opts, err := tc.p.AuthorizeSign(context.Background(), tc.token); err != nil {
if opts, err := tc.p.AuthorizeSign(context.Background(), tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -360,8 +360,8 @@ func TestK8sSA_AuthorizeSSHSign(t *testing.T) {
tc := tt(t)
tc := tt(t)
if opts, err := tc.p.AuthorizeSSHSign(context.Background(), tc.token); err != nil {
if opts, err := tc.p.AuthorizeSSHSign(context.Background(), tc.token); err != nil {
if assert.NotNil(t, tc.err) {
if assert.NotNil(t, tc.err) {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tc.code)
assert.Equals(t, sc.StatusCode(), tc.code)
assert.HasPrefix(t, err.Error(), tc.err.Error())
assert.HasPrefix(t, err.Error(), tc.err.Error())
@ -85,14 +85,14 @@ func (ks *keyStore) reload() {
// 0 it will randomly rotate between 0-12 hours, but every time we call to Get
// 0 it will randomly rotate between 0-12 hours, but every time we call to Get
// it will automatically rotate.
// it will automatically rotate.
func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration {
func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration {
n := rand.Int63n(int64(ks.jitter)) // nolint:gosec // not used for cryptographic security
n := rand.Int63n(int64(ks.jitter)) //nolint:gosec // not used for cryptographic security
age -= time.Duration(n)
age -= time.Duration(n)
return abs(age)
return abs(age)
func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {
func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {
var keys jose.JSONWebKeySet
var keys jose.JSONWebKeySet
resp, err := http.Get(uri) // nolint:gosec // openid-configuration jwks_uri
resp, err := http.Get(uri) //nolint:gosec // openid-configuration jwks_uri
if err != nil {
if err != nil {
return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri)
return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri)
@ -54,6 +54,7 @@ func (p *noop) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) {
//nolint:nilnil // fine for noop
return nil, nil
return nil, nil
@ -479,7 +479,7 @@ func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error {
func getAndDecode(uri string, v interface{}) error {
func getAndDecode(uri string, v interface{}) error {
resp, err := http.Get(uri) // nolint:gosec // openid-configuration uri
resp, err := http.Get(uri) //nolint:gosec // openid-configuration uri
if err != nil {
if err != nil {
return errors.Wrapf(err, "failed to connect to %s", uri)
return errors.Wrapf(err, "failed to connect to %s", uri)
@ -247,8 +247,8 @@ func TestOIDC_authorizeToken(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else {
} else {
@ -318,8 +318,8 @@ func TestOIDC_AuthorizeSign(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
} else if assert.NotNil(t, got) {
@ -406,8 +406,8 @@ func TestOIDC_AuthorizeRevoke(t *testing.T) {
t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("OIDC.Authorize() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -452,8 +452,8 @@ func TestOIDC_AuthorizeRenew(t *testing.T) {
if (err != nil) != tt.wantErr {
if (err != nil) != tt.wantErr {
t.Errorf("OIDC.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("OIDC.AuthorizeRenew() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -540,7 +540,7 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key
pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err)
assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
//nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err)
assert.FatalError(t, err)
@ -614,8 +614,8 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
if err != nil {
if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Nil(t, got)
assert.Nil(t, got)
} else if assert.NotNil(t, got) {
} else if assert.NotNil(t, got) {
@ -682,8 +682,8 @@ func TestOIDC_AuthorizeSSHRevoke(t *testing.T) {
if (err != nil) != tt.wantErr {
if (err != nil) != tt.wantErr {
t.Errorf("OIDC.AuthorizeSSHRevoke() error = %v, wantErr %v", err, tt.wantErr)
t.Errorf("OIDC.AuthorizeSSHRevoke() error = %v, wantErr %v", err, tt.wantErr)
} else if err != nil {
} else if err != nil {
sc, ok := err.(render.StatusCodedError)
var sc render.StatusCodedError
assert.Fatal(t, ok, "error does not implement StatusCodedError interface")
assert.Fatal(t, errors.As(err, &sc), "error does not implement StatusCodedError interface")
assert.Equals(t, sc.StatusCode(), tt.code)
assert.Equals(t, sc.StatusCode(), tt.code)
@ -254,7 +254,7 @@ func TestCustomTemplateOptions(t *testing.T) {
func Test_unsafeParseSigned(t *testing.T) {
func Test_unsafeParseSigned(t *testing.T) {
// nolint:gosec // no credentials here
//nolint:gosec // no credentials here
okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw"
okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw"
type args struct {
type args struct {
s string
s string
@ -9,8 +9,8 @@ type policyEngine struct {
func newPolicyEngine(options *Options) (*policyEngine, error) {
func newPolicyEngine(options *Options) (*policyEngine, error) {
if options == nil {
if options == nil {
//nolint:nilnil // legacy
return nil, nil
return nil, nil
@ -5,7 +5,6 @@ import (
@ -78,6 +77,12 @@ func (fn CertificateEnforcerFunc) Enforce(cert *x509.Certificate) error {
return fn(cert)
return fn(cert)
// AttestationData is a SignOption used to pass attestation information to the
// sign methods.
type AttestationData struct {
PermanentIdentifier string
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
// emailOnlyIdentity is a CertificateRequestValidator that checks that the only
// SAN provided is the given email address.
// SAN provided is the given email address.
type emailOnlyIdentity string
type emailOnlyIdentity string
@ -305,7 +310,6 @@ func (v profileDefaultDuration) Modify(cert *x509.Certificate, so SignOptions) e
if notBefore.IsZero() {
if notBefore.IsZero() {
notBefore = now()
notBefore = now()
backdate = -1 * so.Backdate
backdate = -1 * so.Backdate
notAfter := so.NotAfter.RelativeTime(notBefore)
notAfter := so.NotAfter.RelativeTime(notBefore)
if notAfter.IsZero() {
if notAfter.IsZero() {
@ -425,18 +429,6 @@ func (v *x509NamePolicyValidator) Valid(cert *x509.Certificate, _ SignOptions) e
return v.policyEngine.IsX509CertificateAllowed(cert)
return v.policyEngine.IsX509CertificateAllowed(cert)
// var (
// stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}
// stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...)
// )
// type stepProvisionerASN1 struct {
// Type int
// Name []byte
// CredentialID []byte
// KeyValuePairs []string `asn1:"optional,omitempty"`
// }
type forceCNOption struct {
type forceCNOption struct {
ForceCN bool
ForceCN bool
@ -481,13 +473,14 @@ func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOption
if err != nil {
if err != nil {
return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
return errs.NewError(http.StatusInternalServerError, err, "error creating certificate")
// Prepend the provisioner extension. In the auth.Sign code we will
// Replace or append the provisioner extension to avoid the inclusions of
// force the resulting certificate to only have one extension, the
// malicious stepOIDProvisioner using templates.
// first stepOIDProvisioner that is found in the ExtraExtensions.
for i, e := range cert.ExtraExtensions {
// A client could pass a csr containing a malicious stepOIDProvisioner
if e.Id.Equal(StepOIDProvisioner) {
// ExtraExtension. If we were to append (rather than prepend) the correct
cert.ExtraExtensions[i] = ext
// stepOIDProvisioner extension, then the resulting certificate would
return nil
// contain the malicious extension, rather than the one applied by step-ca.
cert.ExtraExtensions = append([]pkix.Extension{ext}, cert.ExtraExtensions...)
cert.ExtraExtensions = append(cert.ExtraExtensions, ext)
return nil
return nil
@ -3,6 +3,7 @@ package provisioner
import (
import (
@ -625,6 +626,16 @@ func Test_profileDefaultDuration_Option(t *testing.T) {
func Test_newProvisionerExtension_Option(t *testing.T) {
func Test_newProvisionerExtension_Option(t *testing.T) {
expectedValue, err := asn1.Marshal(extensionASN1{
Type: int(TypeJWK),
Name: []byte("name"),
CredentialID: []byte("credentialId"),
KeyValuePairs: []string{"key", "value"},
if err != nil {
type test struct {
type test struct {
cert *x509.Certificate
cert *x509.Certificate
valid func(*x509.Certificate)
valid func(*x509.Certificate)
@ -636,18 +647,22 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
valid: func(cert *x509.Certificate) {
valid: func(cert *x509.Certificate) {
if assert.Len(t, 1, cert.ExtraExtensions) {
if assert.Len(t, 1, cert.ExtraExtensions) {
ext := cert.ExtraExtensions[0]
ext := cert.ExtraExtensions[0]
assert.Equals(t, ext.Id, StepOIDProvisioner)
assert.Equals(t, StepOIDProvisioner, ext.Id)
assert.Equals(t, expectedValue, ext.Value)
assert.False(t, ext.Critical)
"ok/prepend": func() test {
"ok/replace": func() test {
return test{
return test{
cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}},
valid: func(cert *x509.Certificate) {
valid: func(cert *x509.Certificate) {
if assert.Len(t, 3, cert.ExtraExtensions) {
if assert.Len(t, 2, cert.ExtraExtensions) {
ext := cert.ExtraExtensions[0]
ext := cert.ExtraExtensions[0]
assert.Equals(t, ext.Id, StepOIDProvisioner)
assert.Equals(t, StepOIDProvisioner, ext.Id)
assert.Equals(t, expectedValue, ext.Value)
assert.False(t, ext.Critical)
assert.False(t, ext.Critical)
@ -657,7 +672,7 @@ func Test_newProvisionerExtension_Option(t *testing.T) {
for name, run := range tests {
for name, run := range tests {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
tt := run()
tt := run()
assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "foo", "bar", "baz", "zap").Modify(tt.cert, SignOptions{}))
assert.FatalError(t, newProvisionerExtensionOption(TypeJWK, "name", "credentialId", "key", "value").Modify(tt.cert, SignOptions{}))
@ -287,7 +287,7 @@ func Test_sshCertTypeModifier_Modify(t *testing.T) {
t.Run(name, func(t *testing.T) {
t.Run(name, func(t *testing.T) {
tc := run()
tc := run()
if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
if assert.Nil(t, tc.modifier.Modify(tc.cert, SignSSHOptions{})) {
assert.Equals(t, tc.cert.CertType, uint32(tc.expected))
assert.Equals(t, tc.cert.CertType, tc.expected)
@ -2,6 +2,7 @@ package provisioner
import (
import (
@ -84,9 +85,10 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
// Create certificate from template.
// Create certificate from template.
certificate, err := sshutil.NewCertificate(cr, certOptions...)
certificate, err := sshutil.NewCertificate(cr, certOptions...)
if err != nil {
if err != nil {
if _, ok := err.(*sshutil.TemplateError); ok {
var templErr *sshutil.TemplateError
return nil, errs.NewErr(http.StatusBadRequest, err,
if errors.As(err, &templErr) {
return nil, errs.NewErr(http.StatusBadRequest, templErr,
errs.WithKeyVal("signOptions", signOpts),
errs.WithKeyVal("signOptions", signOpts),
Normal file
Normal file
@ -0,0 +1,14 @@
Normal file
Normal file
@ -0,0 +1,19 @@
@ -100,7 +100,7 @@ func generateJSONWebKey() (*jose.JSONWebKey, error) {
if err != nil {
if err != nil {
return nil, err
return nil, err
jwk.KeyID = string(hex.EncodeToString(fp))
jwk.KeyID = hex.EncodeToString(fp)
return jwk, nil
return jwk, nil
@ -449,7 +449,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
if err != nil {
if err != nil {
return nil, nil, errors.Wrap(err, "error signing document")
return nil, nil, errors.Wrap(err, "error signing document")
// nolint:gosec // tests minimum size of the key
//nolint:gosec // tests minimum size of the key
token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
switch r.URL.Path {
@ -120,7 +120,7 @@ M46l92gdOozT
return ProvisionerValidateTest{
return ProvisionerValidateTest{
p: p,
p: p,
extraValid: func(p *X5C) error {
extraValid: func(p *X5C) error {
// nolint:staticcheck // We don't have a different way to
//nolint:staticcheck // We don't have a different way to
// check the number of certificates in the pool.
// check the number of certificates in the pool.
numCerts := len(p.rootPool.Subjects())
numCerts := len(p.rootPool.Subjects())
if numCerts != 2 {
if numCerts != 2 {
Some files were not shown because too many files have changed in this diff Show more
Add table
Reference in a new issue