From 23b8f45b37e8541de9d08aeb4e7e17fa260fcf27 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Thu, 18 Aug 2022 17:46:20 -0700 Subject: [PATCH] Address gosec warnings Most if not all false positives --- acme/challenge.go | 2 +- acme/client.go | 1 + api/api_test.go | 4 ++-- authority/config/tls_options.go | 1 + authority/linkedca.go | 7 +++++-- authority/provisioner/aws.go | 3 +++ authority/provisioner/aws_test.go | 5 +++-- authority/provisioner/azure.go | 1 + authority/provisioner/azure_test.go | 1 + authority/provisioner/collection.go | 3 ++- authority/provisioner/gcp_test.go | 1 + authority/provisioner/jwk_test.go | 1 + authority/provisioner/keystore.go | 4 ++-- authority/provisioner/oidc.go | 2 +- authority/provisioner/oidc_test.go | 1 + authority/provisioner/options_test.go | 1 + authority/provisioner/utils_test.go | 1 + authority/tls_test.go | 3 ++- ca/bootstrap_test.go | 4 ++++ ca/ca_test.go | 4 +++- ca/client.go | 17 +++++++++++++---- ca/identity/client.go | 1 + ca/identity/client_test.go | 2 ++ ca/identity/identity.go | 1 + ca/renew.go | 9 +++++++-- ca/tls.go | 1 + ca/tls_options_test.go | 12 ++++++++++++ cmd/step-awskms-init/main.go | 3 ++- cmd/step-ca/main.go | 1 + cmd/step-cloudkms-init/main.go | 3 ++- cmd/step-pkcs11-init/main.go | 3 ++- cmd/step-yubikey-init/main.go | 3 ++- commands/onboard.go | 2 ++ server/server.go | 15 ++++++++------- 34 files changed, 93 insertions(+), 30 deletions(-) diff --git a/acme/challenge.go b/acme/challenge.go index 8d8466bd..96637627 100644 --- a/acme/challenge.go +++ b/acme/challenge.go @@ -149,7 +149,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON // [RFC5246] or higher when connecting to clients for validation. MinVersion: tls.VersionTLS12, ServerName: serverName(ch), - InsecureSkipVerify: true, // we expect a self-signed challenge certificate + InsecureSkipVerify: true, // nolint:gosec // we expect a self-signed challenge certificate } hostPort := net.JoinHostPort(ch.Value, "443") 
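Review bot: The directive is spelled `// nolint:gosec` with a space after `//`; golangci-lint's documentation asks for `//nolint` with no leading space, and newer releases treat the spaced form as an ordinary comment, so the gosec finding may not actually be suppressed. Every hunk in this commit uses the same spelling (acme/client.go, authority/provisioner/*.go, ca/*.go, cmd/*/main.go and the test files), so it is worth checking once against the golangci-lint version the project pins. For this line the form would be `InsecureSkipVerify: true, //nolint:gosec // we expect a self-signed challenge certificate`. tlsalpn01Validate's body starts and ends outside the hunk.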
diff --git a/acme/client.go b/acme/client.go index aaf4c85e..cf5f8c09 100644 --- a/acme/client.go +++ b/acme/client.go @@ -56,6 +56,7 @@ func NewClient() Client { Timeout: 30 * time.Second, Transport: &http.Transport{ TLSClientConfig: &tls.Config{ + // nolint:gosec // used on tls-alpn-01 challenge InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] }, }, diff --git a/api/api_test.go b/api/api_test.go index 1f27ab8c..4c84871a 100644 --- a/api/api_test.go +++ b/api/api_test.go @@ -1437,7 +1437,7 @@ func Test_fmtPublicKey(t *testing.T) { if err != nil { t.Fatal(err) } - rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) + rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { t.Fatal(err) } @@ -1463,7 +1463,7 @@ func Test_fmtPublicKey(t *testing.T) { want string }{ {"p256", args{p256.Public(), p256, nil}, "ECDSA P-256"}, - {"rsa1024", args{rsa1024.Public(), rsa1024, nil}, "RSA 1024"}, + {"rsa2048", args{rsa2048.Public(), rsa2048, nil}, "RSA 2048"}, {"ed25519", args{edPub, edPriv, nil}, "Ed25519"}, {"dsa2048", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.DSA, PublicKey: &dsa2048.PublicKey}}, "DSA 2048"}, {"unknown", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.ECDSA, PublicKey: []byte("12345678")}}, "ECDSA unknown"}, diff --git a/authority/config/tls_options.go b/authority/config/tls_options.go index 2d6de084..01ab3d0a 100644 --- a/authority/config/tls_options.go +++ b/authority/config/tls_options.go @@ -169,6 +169,7 @@ func (t *TLSOptions) TLSConfig() *tls.Config { rs = tls.RenegotiateNever } + // nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used return &tls.Config{ CipherSuites: t.CipherSuites.Value(), MinVersion: t.MinVersion.Value(), diff --git a/authority/linkedca.go b/authority/linkedca.go index 5829f341..133ae616 100644 --- a/authority/linkedca.go +++ b/authority/linkedca.go 
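Review bot: This tls.Config gets the nolint justification but not the `MinVersion: tls.VersionTLS12,` that the commit adds right next to `InsecureSkipVerify: true` in ca/client.go's WithInsecure and in authority/linkedca.go; the insecure client configs are easier to audit if they all carry the same floor. The justification also says the client is used for the tls-alpn-01 challenge, but InsecureSkipVerify applies to every request this client makes, so if NewClient's client is used for anything else (its name suggests a general ACME-side client) the comment should say so. NewClient's body starts and ends outside the hunk.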
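Review bot: The justification `default MinVersion 1.2, if defined but empty 1.3 is used` is hard to parse: it is not clear whether "empty" means the config key is present with an empty value or the zero value of `t.MinVersion`, and `MinVersion.Value()` is defined outside this hunk, so a reader cannot resolve it here. Suggest one unambiguous sentence, e.g. `// nolint:gosec // MinVersion.Value() never yields a version below TLS 1.2: unset defaults to 1.2 and an explicitly empty setting maps to 1.3 — see the Value method`, adjusted to whatever Value actually does. TLSConfig's body starts outside the hunk.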
@@ -461,6 +461,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) defer cancel() conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ + // nolint:gosec // used in bootstrap protocol InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] }))) if err != nil { @@ -514,7 +515,8 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto. defer cancel() conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ - RootCAs: rootCAs, + MinVersion: tls.VersionTLS12, + RootCAs: rootCAs, }))) if err != nil { return nil, nil, errors.Wrapf(err, "error connecting %s", endpoint) @@ -590,6 +592,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto. rootCAs.AddCert(bundle[last]) return cert, &tls.Config{ - RootCAs: rootCAs, + MinVersion: tls.VersionTLS12, + RootCAs: rootCAs, }, nil } diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go index a5b403a4..463a4aee 100644 --- a/authority/provisioner/aws.go +++ b/authority/provisioner/aws.go @@ -35,6 +35,7 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/ const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature" // awsAPITokenURL is the url used to get the IMDSv2 API token +// nolint:gosec // no credentials here const awsAPITokenURL = "http://169.254.169.254/latest/api/token" // awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens 
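Review bot: The first hunk (getRootCertificate) leaves the InsecureSkipVerify config without a `MinVersion`, while the two configs in login further down get `MinVersion: tls.VersionTLS12,`; adding the same line here keeps the file's three gRPC TLS configs consistent and matches what the commit does for WithInsecure in ca/client.go. The disabled verification is presumably compensated by the `fingerprint` parameter visible in getRootCertificate's signature, in which case the nolint comment would be more useful as `// nolint:gosec // bootstrap: the root is pinned by fingerprint below` than as `used in bootstrap protocol`, if that is indeed what the rest of the function does. All three enclosing functions extend beyond their hunks.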
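Review bot: Placing `// nolint:gosec // no credentials here` on its own line directly under the doc comment of awsAPITokenURL makes it part of that doc comment (adjacent `//` lines form one comment group), so `go doc` renders "... IMDSv2 API token nolint:gosec no credentials here"; the same happens to awsMetadataTokenHeader and awsMetadataTokenTTLHeader in the next hunk, to azureIdentityTokenURL in azure.go, and to the exported WithInsecure in ca/client.go. Attaching the directive to the declaration instead, `const awsAPITokenURL = "http://169.254.169.254/latest/api/token" // nolint:gosec // no credentials here`, keeps the doc comment clean and still scopes the suppression to that one line.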
@@ -42,9 +43,11 @@ const awsAPITokenURL = "http://169.254.169.254/latest/api/token" const awsAPITokenTTL = "30" // awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request +// nolint:gosec // no credentials here const awsMetadataTokenHeader = "X-aws-ec2-metadata-token" // awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested +// nolint:gosec // no credentials here const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" // awsCertificate is the certificate used to validate the instance identity diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go index d12d0626..0660c3f0 100644 --- a/authority/provisioner/aws_test.go +++ b/authority/provisioner/aws_test.go @@ -316,7 +316,7 @@ func TestAWS_authorizeToken(t *testing.T) { } key, err := x509.ParsePKCS1PrivateKey(block.Bytes) assert.FatalError(t, err) - badKey, err := rsa.GenerateKey(rand.Reader, 1024) + badKey, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) type test struct { @@ -579,7 +579,7 @@ func TestAWS_AuthorizeSign(t *testing.T) { key, err := x509.ParsePKCS1PrivateKey(block.Bytes) assert.FatalError(t, err) - badKey, err := rsa.GenerateKey(rand.Reader, 1024) + badKey, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) t4, err := generateAWSToken( @@ -748,6 +748,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) + // nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go index b6f7ec91..3f714a3e 100644 --- a/authority/provisioner/azure.go +++ b/authority/provisioner/azure.go 
@@ -25,6 +25,7 @@ import ( const azureOIDCBaseURL = "https://login.microsoftonline.com" // azureIdentityTokenURL is the URL to get the identity token for an instance. +// nolint:gosec // no credentials here const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" // azureDefaultAudience is the default audience used. diff --git a/authority/provisioner/azure_test.go b/authority/provisioner/azure_test.go index 3e745a5b..7f8b70d0 100644 --- a/authority/provisioner/azure_test.go +++ b/authority/provisioner/azure_test.go @@ -624,6 +624,7 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) + // nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go index 8bbace5f..85b489c1 100644 --- a/authority/provisioner/collection.go +++ b/authority/provisioner/collection.go @@ -1,7 +1,7 @@ package provisioner import ( - "crypto/sha1" + "crypto/sha1" // nolint:gosec // not used for cryptographic security "crypto/x509" "encoding/asn1" "encoding/binary" @@ -319,6 +319,7 @@ func loadProvisioner(m *sync.Map, key string) (Interface, bool) { // provisionerSum returns the SHA1 of the provisioners ID. From this we will // create the unique and sorted id. func provisionerSum(p Interface) []byte { + // nolint:gosec // not used for cryptographic security sum := sha1.Sum([]byte(p.GetID())) return sum[:] } diff --git a/authority/provisioner/gcp_test.go b/authority/provisioner/gcp_test.go index 3c0bf92e..3d6b5d75 100644 --- a/authority/provisioner/gcp_test.go +++ b/authority/provisioner/gcp_test.go 
@@ -623,6 +623,7 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) + // nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go index bd8b542b..723ccf56 100644 --- a/authority/provisioner/jwk_test.go +++ b/authority/provisioner/jwk_test.go @@ -411,6 +411,7 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) + // nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) diff --git a/authority/provisioner/keystore.go b/authority/provisioner/keystore.go index d1811fab..8b276a75 100644 --- a/authority/provisioner/keystore.go +++ b/authority/provisioner/keystore.go @@ -85,14 +85,14 @@ func (ks *keyStore) reload() { // 0 it will randomly rotate between 0-12 hours, but every time we call to Get // it will automatically rotate. func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration { - n := rand.Int63n(int64(ks.jitter)) + n := rand.Int63n(int64(ks.jitter)) // nolint:gosec // not used for cryptographic security age -= time.Duration(n) return abs(age) } func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) { var keys jose.JSONWebKeySet - resp, err := http.Get(uri) + resp, err := http.Get(uri) // nolint:gosec // openid-configuration jwks_uri if err != nil { return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri) } diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index e64d98d9..c1bcc741 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go 
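Review bot: `http.Get(uri)` in getKeysFromJWKsURI goes through http.DefaultClient, which has no timeout, so an unresponsive jwks_uri blocks the key reload indefinitely; the nolint note explains the variable URL but not the missing deadline. A package-level `var jwksClient = &http.Client{Timeout: 30 * time.Second}` (value to taste) used as `resp, err := jwksClient.Get(uri)` bounds it, and getAndDecode in oidc.go plus the http.Get/http.Post pair in commands/onboard.go have the same shape. In nextReloadDuration, `rand.Int63n` panics when its argument is <= 0, so the line relies on ks.jitter never being zero; if the constructor guarantees that, a short comment saying so would help the next reader. getKeysFromJWKsURI's body continues outside the hunk.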
@@ -464,7 +464,7 @@ func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error { } func getAndDecode(uri string, v interface{}) error { - resp, err := http.Get(uri) + resp, err := http.Get(uri) // nolint:gosec // openid-configuration uri if err != nil { return errors.Wrapf(err, "failed to connect to %s", uri) } diff --git a/authority/provisioner/oidc_test.go b/authority/provisioner/oidc_test.go index 3d039496..62ea3f24 100644 --- a/authority/provisioner/oidc_test.go +++ b/authority/provisioner/oidc_test.go @@ -535,6 +535,7 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) { pub := key.Public().Key rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) assert.FatalError(t, err) + // nolint:gosec // tests minimum size of the key rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) assert.FatalError(t, err) diff --git a/authority/provisioner/options_test.go b/authority/provisioner/options_test.go index 0bcf9ec3..652fff73 100644 --- a/authority/provisioner/options_test.go +++ b/authority/provisioner/options_test.go @@ -254,6 +254,7 @@ func TestCustomTemplateOptions(t *testing.T) { } func Test_unsafeParseSigned(t *testing.T) { + // nolint:gosec // no credentials here okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw" type args struct { s string diff --git a/authority/provisioner/utils_test.go b/authority/provisioner/utils_test.go index 0a1d176c..265c7b08 100644 --- a/authority/provisioner/utils_test.go +++ b/authority/provisioner/utils_test.go 
@@ -449,6 +449,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) { if err != nil { return nil, nil, errors.Wrap(err, "error signing document") } + // nolint:gosec // tests minimum size of the key token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw==" srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { switch r.URL.Path { diff --git a/authority/tls_test.go b/authority/tls_test.go index 23d2f8fa..a8521b51 100644 --- a/authority/tls_test.go +++ b/authority/tls_test.go @@ -6,7 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha1" + "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -199,6 +199,7 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) { if _, err = asn1.Unmarshal(b, &info); err != nil { return nil, fmt.Errorf("error unmarshaling public key: %w", err) } + // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(info.SubjectPublicKey.Bytes) return hash[:], nil } diff --git a/ca/bootstrap_test.go b/ca/bootstrap_test.go index ccbdbc22..2a837a3d 100644 --- a/ca/bootstrap_test.go +++ b/ca/bootstrap_test.go @@ -200,6 +200,7 @@ func TestBootstrap(t *testing.T) { } } +// nolint:gosec // insecure test servers func TestBootstrapServerWithoutMTLS(t *testing.T) { srv := startCABootstrapServer() defer srv.Close() @@ -256,6 +257,7 @@ func TestBootstrapServerWithoutMTLS(t *testing.T) { } } +// nolint:gosec // insecure test servers func TestBootstrapServerWithMTLS(t *testing.T) { srv := startCABootstrapServer() defer srv.Close() 
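Review bot: The justification `tests minimum size of the key` was copied from the rsa1024 sites and does not describe this line: the finding being suppressed is the hard-coded `token` string that looks like a credential, not a key size. Suggest `// nolint:gosec // test fixture, not a real credential`. generateAWSWithServer's body starts and ends outside the hunk.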
@@ -405,6 +407,7 @@ func TestBootstrapClientServerRotation(t *testing.T) { // Create bootstrap server token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7") + // nolint:gosec // insecure test server server, err := BootstrapServer(context.Background(), token, &http.Server{ Addr: ":0", Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { @@ -523,6 +526,7 @@ func TestBootstrapClientServerFederation(t *testing.T) { // Create bootstrap server token := generateBootstrapToken(caURL1, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7") + // nolint:gosec // insecure test server server, err := BootstrapServer(context.Background(), token, &http.Server{ Addr: ":0", Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { diff --git a/ca/ca_test.go b/ca/ca_test.go index 29eac575..e76ca8ff 100644 --- a/ca/ca_test.go +++ b/ca/ca_test.go @@ -5,7 +5,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/sha1" + "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/tls" "crypto/x509" "crypto/x509/pkix" @@ -65,6 +65,8 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) { if _, err = asn1.Unmarshal(b, &info); err != nil { return nil, errors.Wrap(err, "error unmarshaling public key") } + + // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(info.SubjectPublicKey.Bytes) return hash[:], nil } diff --git a/ca/client.go b/ca/client.go index 44961357..19fcd0bd 100644 --- a/ca/client.go +++ b/ca/client.go @@ -56,6 +56,7 @@ func newClient(transport http.RoundTripper) *uaClient { } } +// nolint:gosec // used in bootstrap protocol func newInsecureClient() *uaClient { return &uaClient{ Client: &http.Client{ 
@@ -201,7 +202,9 @@ func (o *clientOptions) getTransport(endpoint string) (tr http.RoundTripper, err switch tr := tr.(type) { case *http.Transport: if tr.TLSClientConfig == nil { - tr.TLSClientConfig = &tls.Config{} + tr.TLSClientConfig = &tls.Config{ + MinVersion: tls.VersionTLS12, + } } if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil { tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate} @@ -209,7 +212,9 @@ func (o *clientOptions) getTransport(endpoint string) (tr http.RoundTripper, err } case *http2.Transport: if tr.TLSClientConfig == nil { - tr.TLSClientConfig = &tls.Config{} + tr.TLSClientConfig = &tls.Config{ + MinVersion: tls.VersionTLS12, + } } if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil { tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate} @@ -236,11 +241,15 @@ func WithTransport(tr http.RoundTripper) ClientOption { } // WithInsecure adds a insecure transport that bypasses TLS verification. +// nolint:gosec // insecure option func WithInsecure() ClientOption { return func(o *clientOptions) error { o.transport = &http.Transport{ - Proxy: http.ProxyFromEnvironment, - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + Proxy: http.ProxyFromEnvironment, + TLSClientConfig: &tls.Config{ + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: true, + }, } return nil } diff --git a/ca/identity/client.go b/ca/identity/client.go index e38529ca..4b0aee82 100644 --- a/ca/identity/client.go +++ b/ca/identity/client.go @@ -62,6 +62,7 @@ func LoadClient() (*Client, error) { // Prepare transport with information in defaults.json and identity.json tr := http.DefaultTransport.(*http.Transport).Clone() tr.TLSClientConfig = &tls.Config{ + MinVersion: tls.VersionTLS12, GetClientCertificate: identity.GetClientCertificateFunc(), } diff --git a/ca/identity/client_test.go b/ca/identity/client_test.go index 9660a3bd..14e6da6c 100644 
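Review bot: In getTransport the `MinVersion: tls.VersionTLS12` floor is applied only when the caller's transport has no TLSClientConfig; a caller-supplied config with a zero MinVersion keeps Go's own default (TLS 1.2 for clients since Go 1.18, lower on older toolchains). That is reasonable if the intent is to respect caller settings, but it should be stated, e.g. `// only set a floor when we own the config; a caller-supplied config is left untouched`. The identical literal in the *http.Transport and *http2.Transport branches could also come from one small helper so the floor is defined in a single place. getTransport's body extends outside the hunk.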
--- a/ca/identity/client_test.go +++ b/ca/identity/client_test.go @@ -58,6 +58,7 @@ func TestClient(t *testing.T) { Certificates: []tls.Certificate{crt}, ClientCAs: pool, ClientAuth: tls.VerifyClientCertIfGiven, + MinVersion: tls.VersionTLS12, } okServer.StartTLS() @@ -132,6 +133,7 @@ func TestLoadClient(t *testing.T) { tr.TLSClientConfig = &tls.Config{ Certificates: []tls.Certificate{crt}, RootCAs: pool, + MinVersion: tls.VersionTLS12, } expected := &Client{ CaURL: &url.URL{Scheme: "https", Host: "127.0.0.1"}, diff --git a/ca/identity/identity.go b/ca/identity/identity.go index 8aa4b441..2a6b4c39 100644 --- a/ca/identity/identity.go +++ b/ca/identity/identity.go @@ -296,6 +296,7 @@ func (i *Identity) Renew(client Renewer) error { tr.TLSClientConfig = &tls.Config{ Certificates: []tls.Certificate{cert}, RootCAs: client.GetRootCAs(), + MinVersion: tls.VersionTLS12, PreferServerCipherSuites: true, } diff --git a/ca/renew.go b/ca/renew.go index 27898993..a913e59c 100644 --- a/ca/renew.go +++ b/ca/renew.go @@ -173,7 +173,7 @@ func (r *TLSRenewer) renewCertificate() { cert, err := r.RenewCertificate() if err != nil { next = r.renewJitter / 2 - next += time.Duration(rand.Int63n(int64(next))) + next += time.Duration(mathRandInt63n(int64(next))) } else { r.setCertificate(cert) next = r.nextRenewDuration(cert.Leaf.NotAfter) @@ -185,10 +185,15 @@ func (r *TLSRenewer) renewCertificate() { func (r *TLSRenewer) nextRenewDuration(notAfter time.Time) time.Duration { d := time.Until(notAfter).Truncate(time.Second) - r.renewBefore - n := rand.Int63n(int64(r.renewJitter)) + n := mathRandInt63n(int64(r.renewJitter)) d -= time.Duration(n) if d < 0 { d = 0 } return d } + +// nolint:gosec // not used for cryptographic security +func mathRandInt63n(n int64) int64 { + return rand.Int63n(n) +} diff --git a/ca/tls.go b/ca/tls.go index 57440bad..b4d54952 100644 --- a/ca/tls.go +++ b/ca/tls.go 
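Review bot: Right below the added `MinVersion` line in ca/identity/identity.go, `PreferServerCipherSuites: true` is a legacy field that crypto/tls has ignored since Go 1.17, and it is a server-side setting that never had an effect on a client config such as this TLSClientConfig. If the module targets Go 1.17 or later the field can simply be dropped rather than carried next to the new setting. Renew's body extends outside the hunk.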
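Review bot: The new `mathRandInt63n` wrapper in ca/renew.go inherits `rand.Int63n`'s panic on n <= 0, and both call sites can reach it: renewCertificate passes `r.renewJitter / 2`, which is 0 for any renewJitter below 2ns, and nextRenewDuration passes `r.renewJitter` directly. Since the wrapper now centralises the call, guarding it is cheap: `if n <= 0 { return 0 }` before `return rand.Int63n(n)`. The function also deserves a real doc comment above the nolint line, e.g. `// mathRandInt63n returns a pseudo-random int64 in [0, n); math/rand is acceptable because the value only spreads renewal times.` renewCertificate's body extends outside its hunk.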
@@ -60,6 +60,7 @@ func init() { d := &tls.Dialer{ NetDialer: getDefaultDialer(), Config: &tls.Config{ + MinVersion: tls.VersionTLS12, RootCAs: pool, GetClientCertificate: id.GetClientCertificateFunc(), }, diff --git a/ca/tls_options_test.go b/ca/tls_options_test.go index ca5f80b8..65086315 100644 --- a/ca/tls_options_test.go +++ b/ca/tls_options_test.go @@ -13,6 +13,7 @@ import ( "github.com/smallstep/certificates/api" ) +// nolint:gosec // test tls config func Test_newTLSOptionCtx(t *testing.T) { client, err := NewClient("https://ca.smallstep.com", WithTransport(http.DefaultTransport)) if err != nil { @@ -40,6 +41,7 @@ func Test_newTLSOptionCtx(t *testing.T) { } } +// nolint:gosec // test tls config func TestTLSOptionCtx_apply(t *testing.T) { fail := func() TLSOption { return func(ctx *TLSOptionCtx) error { @@ -76,6 +78,7 @@ func TestTLSOptionCtx_apply(t *testing.T) { } } +// nolint:gosec // test tls config func TestRequireAndVerifyClientCert(t *testing.T) { tests := []struct { name string @@ -100,6 +103,7 @@ func TestRequireAndVerifyClientCert(t *testing.T) { } } +// nolint:gosec // test tls config func TestVerifyClientCertIfGiven(t *testing.T) { tests := []struct { name string @@ -124,6 +128,7 @@ func TestVerifyClientCertIfGiven(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddRootCA(t *testing.T) { cert := parseCertificate(rootPEM) pool := x509.NewCertPool() @@ -156,6 +161,7 @@ func TestAddRootCA(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddClientCA(t *testing.T) { cert := parseCertificate(rootPEM) pool := x509.NewCertPool() @@ -188,6 +194,7 @@ func TestAddClientCA(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddRootsToRootCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -242,6 +249,7 @@ func TestAddRootsToRootCAs(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddRootsToClientCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() 
@@ -296,6 +304,7 @@ func TestAddRootsToClientCAs(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddFederationToRootCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -360,6 +369,7 @@ func TestAddFederationToRootCAs(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddFederationToClientCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -424,6 +434,7 @@ func TestAddFederationToClientCAs(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddRootsToCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() @@ -478,6 +489,7 @@ func TestAddRootsToCAs(t *testing.T) { } } +// nolint:gosec // test tls config func TestAddFederationToCAs(t *testing.T) { ca := startCATestServer() defer ca.Close() diff --git a/cmd/step-awskms-init/main.go b/cmd/step-awskms-init/main.go index 378ef788..48e2aa01 100644 --- a/cmd/step-awskms-init/main.go +++ b/cmd/step-awskms-init/main.go @@ -4,7 +4,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/sha1" + "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -239,6 +239,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } + // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/cmd/step-ca/main.go b/cmd/step-ca/main.go index 8734608c..d070b6cf 100644 --- a/cmd/step-ca/main.go +++ b/cmd/step-ca/main.go @@ -14,6 +14,7 @@ import ( "time" // Server profiler + // nolint:gosec // profile server, if enabled runs on a different port _ "net/http/pprof" "github.com/smallstep/certificates/authority" diff --git a/cmd/step-cloudkms-init/main.go b/cmd/step-cloudkms-init/main.go index eb63f39e..aa483fc7 100644 --- a/cmd/step-cloudkms-init/main.go +++ b/cmd/step-cloudkms-init/main.go 
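Review bot: mustSubjectKeyID with the same SHA-1 body and the same nolint line is repeated in step-cloudkms-init, step-pkcs11-init and step-yubikey-init (and generateSubjectKeyID in authority/tls_test.go and ca/ca_test.go carries it again), so one shared helper would mean one suppression to justify instead of several. SHA-1 here is the RFC 5280 §4.2.1.2 method and is not a security problem, but RFC 7093 method 1 (the leftmost 160 bits of SHA-256 over the subjectPublicKey) produces an identifier of the same length without the SHA-1 import, which would remove the need for the nolint entirely. The body of each mustSubjectKeyID starts outside its hunk.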
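Review bot: The justification for the blank `net/http/pprof` import in cmd/step-ca/main.go says the profiler runs on a different port, but the import's effect is to register the pprof handlers on http.DefaultServeMux at init time whether or not profiling is enabled; the claim holds only if nothing in the CA ever serves DefaultServeMux (an `http.ListenAndServe(addr, nil)` or an http.Server with a nil Handler). Once that is confirmed, the comment should say where it is guaranteed, e.g. `_ "net/http/pprof" // nolint:gosec // registers on DefaultServeMux, which only the optional debug listener serves`. Attaching it to the import line as shown also avoids it reading as a comment on the whole import group.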
@@ -4,7 +4,7 @@ import ( "context" "crypto" "crypto/rand" - "crypto/sha1" + "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -277,6 +277,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } + // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go index b2f0595a..ed64e285 100644 --- a/cmd/step-pkcs11-init/main.go +++ b/cmd/step-pkcs11-init/main.go @@ -6,7 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha1" + "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -544,6 +544,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } + // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/cmd/step-yubikey-init/main.go b/cmd/step-yubikey-init/main.go index 4a0f13fe..62b18848 100644 --- a/cmd/step-yubikey-init/main.go +++ b/cmd/step-yubikey-init/main.go @@ -6,7 +6,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" - "crypto/sha1" + "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 "crypto/x509" "crypto/x509/pkix" "encoding/hex" @@ -346,6 +346,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte { if err != nil { panic(err) } + // nolint:gosec // used to create the Subject Key Identifier by RFC 5280 hash := sha1.Sum(b) return hash[:] } diff --git a/commands/onboard.go b/commands/onboard.go index afecba9d..bb704fd4 100644 --- a/commands/onboard.go +++ b/commands/onboard.go 
@@ -92,6 +92,7 @@ func onboardAction(ctx *cli.Context) error {
 token := ctx.Args().Get(0)
 onboardingURL := u.ResolveReference(&url.URL{Path: token}).String()
+ // nolint:gosec // onboarding url
 res, err := http.Get(onboardingURL)
 if err != nil {
 return errors.Wrap(err, "error connecting onboarding guide")
@@ -132,6 +133,7 @@ func onboardAction(ctx *cli.Context) error {
 return errors.Wrap(err, "error marshaling payload")
 }
+ // nolint:gosec // onboarding url
 resp, err := http.Post(onboardingURL, "application/json", bytes.NewBuffer(payload))
 if err != nil {
 return errors.Wrap(err, "error connecting onboarding guide")
diff --git a/server/server.go b/server/server.go
index 2b864148..e12c792c 100644
--- a/server/server.go
+++ b/server/server.go
@@ -39,13 +39,14 @@ func New(addr string, handler http.Handler, tlsConfig *tls.Config) *Server {
 // tls.Config.
 func newHTTPServer(addr string, handler http.Handler, tlsConfig *tls.Config) *http.Server {
 return &http.Server{
- Addr: addr,
- Handler: handler,
- TLSConfig: tlsConfig,
- WriteTimeout: 15 * time.Second,
- ReadTimeout: 15 * time.Second,
- IdleTimeout: 15 * time.Second,
- ErrorLog: log.New(os.Stderr, "", log.Ldate|log.Ltime|log.Llongfile),
+ Addr: addr,
+ Handler: handler,
+ TLSConfig: tlsConfig,
+ WriteTimeout: 15 * time.Second,
+ ReadTimeout: 15 * time.Second,
+ ReadHeaderTimeout: 15 * time.Second,
+ IdleTimeout: 15 * time.Second,
+ ErrorLog: log.New(os.Stderr, "", log.Ldate|log.Ltime|log.Llongfile),
 }
 }
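Review bot: With `ReadHeaderTimeout` set to the same 15 seconds as `ReadTimeout`, behaviour is unchanged — net/http already falls back to ReadTimeout for the header phase when ReadHeaderTimeout is zero — so the new field only satisfies gosec's Slowloris rule. That is a fine reason, but a reader will wonder why two identical timeouts are needed; a trailing comment such as `ReadHeaderTimeout: 15 * time.Second, // same as ReadTimeout; set explicitly so the header phase stays bounded if ReadTimeout is ever relaxed` records it. If a tighter header deadline than the full-body read is the intent, a smaller value would be the more usual choice.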