Merge pull request #1024 from smallstep/gosec

Address gosec warnings
This commit is contained in:
Mariano Cano 2022-08-22 14:19:50 -07:00 committed by GitHub
commit dd6f59b538
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
34 changed files with 93 additions and 30 deletions

View file

@ -149,7 +149,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
// [RFC5246] or higher when connecting to clients for validation. // [RFC5246] or higher when connecting to clients for validation.
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
ServerName: serverName(ch), ServerName: serverName(ch),
InsecureSkipVerify: true, // we expect a self-signed challenge certificate InsecureSkipVerify: true, // nolint:gosec // we expect a self-signed challenge certificate
} }
hostPort := net.JoinHostPort(ch.Value, "443") hostPort := net.JoinHostPort(ch.Value, "443")

View file

@ -56,6 +56,7 @@ func NewClient() Client {
Timeout: 30 * time.Second, Timeout: 30 * time.Second,
Transport: &http.Transport{ Transport: &http.Transport{
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{
// nolint:gosec // used on tls-alpn-01 challenge
InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
}, },
}, },

View file

@ -1437,7 +1437,7 @@ func Test_fmtPublicKey(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -1463,7 +1463,7 @@ func Test_fmtPublicKey(t *testing.T) {
want string want string
}{ }{
{"p256", args{p256.Public(), p256, nil}, "ECDSA P-256"}, {"p256", args{p256.Public(), p256, nil}, "ECDSA P-256"},
{"rsa1024", args{rsa1024.Public(), rsa1024, nil}, "RSA 1024"}, {"rsa2048", args{rsa2048.Public(), rsa2048, nil}, "RSA 2048"},
{"ed25519", args{edPub, edPriv, nil}, "Ed25519"}, {"ed25519", args{edPub, edPriv, nil}, "Ed25519"},
{"dsa2048", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.DSA, PublicKey: &dsa2048.PublicKey}}, "DSA 2048"}, {"dsa2048", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.DSA, PublicKey: &dsa2048.PublicKey}}, "DSA 2048"},
{"unknown", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.ECDSA, PublicKey: []byte("12345678")}}, "ECDSA unknown"}, {"unknown", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.ECDSA, PublicKey: []byte("12345678")}}, "ECDSA unknown"},

View file

@ -169,6 +169,7 @@ func (t *TLSOptions) TLSConfig() *tls.Config {
rs = tls.RenegotiateNever rs = tls.RenegotiateNever
} }
// nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used
return &tls.Config{ return &tls.Config{
CipherSuites: t.CipherSuites.Value(), CipherSuites: t.CipherSuites.Value(),
MinVersion: t.MinVersion.Value(), MinVersion: t.MinVersion.Value(),

View file

@ -461,6 +461,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
defer cancel() defer cancel()
conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
// nolint:gosec // used in bootstrap protocol
InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
}))) })))
if err != nil { if err != nil {
@ -514,7 +515,8 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
defer cancel() defer cancel()
conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
RootCAs: rootCAs, MinVersion: tls.VersionTLS12,
RootCAs: rootCAs,
}))) })))
if err != nil { if err != nil {
return nil, nil, errors.Wrapf(err, "error connecting %s", endpoint) return nil, nil, errors.Wrapf(err, "error connecting %s", endpoint)
@ -590,6 +592,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
rootCAs.AddCert(bundle[last]) rootCAs.AddCert(bundle[last])
return cert, &tls.Config{ return cert, &tls.Config{
RootCAs: rootCAs, MinVersion: tls.VersionTLS12,
RootCAs: rootCAs,
}, nil }, nil
} }

View file

@ -35,6 +35,7 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/
const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature" const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature"
// awsAPITokenURL is the url used to get the IMDSv2 API token // awsAPITokenURL is the url used to get the IMDSv2 API token
// nolint:gosec // no credentials here
const awsAPITokenURL = "http://169.254.169.254/latest/api/token" const awsAPITokenURL = "http://169.254.169.254/latest/api/token"
// awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens // awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
@ -42,9 +43,11 @@ const awsAPITokenURL = "http://169.254.169.254/latest/api/token"
const awsAPITokenTTL = "30" const awsAPITokenTTL = "30"
// awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request // awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
// nolint:gosec // no credentials here
const awsMetadataTokenHeader = "X-aws-ec2-metadata-token" const awsMetadataTokenHeader = "X-aws-ec2-metadata-token"
// awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested // awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
// nolint:gosec // no credentials here
const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds" const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
// awsCertificate is the certificate used to validate the instance identity // awsCertificate is the certificate used to validate the instance identity

View file

@ -316,7 +316,7 @@ func TestAWS_authorizeToken(t *testing.T) {
} }
key, err := x509.ParsePKCS1PrivateKey(block.Bytes) key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
assert.FatalError(t, err) assert.FatalError(t, err)
badKey, err := rsa.GenerateKey(rand.Reader, 1024) badKey, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
type test struct { type test struct {
@ -579,7 +579,7 @@ func TestAWS_AuthorizeSign(t *testing.T) {
key, err := x509.ParsePKCS1PrivateKey(block.Bytes) key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
assert.FatalError(t, err) assert.FatalError(t, err)
badKey, err := rsa.GenerateKey(rand.Reader, 1024) badKey, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
t4, err := generateAWSToken( t4, err := generateAWSToken(
@ -748,6 +748,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err) assert.FatalError(t, err)

View file

@ -25,6 +25,7 @@ import (
const azureOIDCBaseURL = "https://login.microsoftonline.com" const azureOIDCBaseURL = "https://login.microsoftonline.com"
// azureIdentityTokenURL is the URL to get the identity token for an instance. // azureIdentityTokenURL is the URL to get the identity token for an instance.
// nolint:gosec // no credentials here
const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F" const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
// azureDefaultAudience is the default audience used. // azureDefaultAudience is the default audience used.

View file

@ -624,6 +624,7 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err) assert.FatalError(t, err)

View file

@ -1,7 +1,7 @@
package provisioner package provisioner
import ( import (
"crypto/sha1" "crypto/sha1" // nolint:gosec // not used for cryptographic security
"crypto/x509" "crypto/x509"
"encoding/asn1" "encoding/asn1"
"encoding/binary" "encoding/binary"
@ -319,6 +319,7 @@ func loadProvisioner(m *sync.Map, key string) (Interface, bool) {
// provisionerSum returns the SHA1 of the provisioners ID. From this we will // provisionerSum returns the SHA1 of the provisioners ID. From this we will
// create the unique and sorted id. // create the unique and sorted id.
func provisionerSum(p Interface) []byte { func provisionerSum(p Interface) []byte {
// nolint:gosec // not used for cryptographic security
sum := sha1.Sum([]byte(p.GetID())) sum := sha1.Sum([]byte(p.GetID()))
return sum[:] return sum[:]
} }

View file

@ -623,6 +623,7 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err) assert.FatalError(t, err)

View file

@ -411,6 +411,7 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err) assert.FatalError(t, err)

View file

@ -85,14 +85,14 @@ func (ks *keyStore) reload() {
// 0 it will randomly rotate between 0-12 hours, but every time we call to Get // 0 it will randomly rotate between 0-12 hours, but every time we call to Get
// it will automatically rotate. // it will automatically rotate.
func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration { func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration {
n := rand.Int63n(int64(ks.jitter)) n := rand.Int63n(int64(ks.jitter)) // nolint:gosec // not used for cryptographic security
age -= time.Duration(n) age -= time.Duration(n)
return abs(age) return abs(age)
} }
func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) { func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {
var keys jose.JSONWebKeySet var keys jose.JSONWebKeySet
resp, err := http.Get(uri) resp, err := http.Get(uri) // nolint:gosec // openid-configuration jwks_uri
if err != nil { if err != nil {
return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri) return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri)
} }

View file

@ -464,7 +464,7 @@ func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error {
} }
func getAndDecode(uri string, v interface{}) error { func getAndDecode(uri string, v interface{}) error {
resp, err := http.Get(uri) resp, err := http.Get(uri) // nolint:gosec // openid-configuration uri
if err != nil { if err != nil {
return errors.Wrapf(err, "failed to connect to %s", uri) return errors.Wrapf(err, "failed to connect to %s", uri)
} }

View file

@ -535,6 +535,7 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
pub := key.Public().Key pub := key.Public().Key
rsa2048, err := rsa.GenerateKey(rand.Reader, 2048) rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
assert.FatalError(t, err) assert.FatalError(t, err)
// nolint:gosec // tests minimum size of the key
rsa1024, err := rsa.GenerateKey(rand.Reader, 1024) rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
assert.FatalError(t, err) assert.FatalError(t, err)

View file

@ -254,6 +254,7 @@ func TestCustomTemplateOptions(t *testing.T) {
} }
func Test_unsafeParseSigned(t *testing.T) { func Test_unsafeParseSigned(t *testing.T) {
// nolint:gosec // no credentials here
okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw" okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw"
type args struct { type args struct {
s string s string

View file

@ -449,6 +449,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
if err != nil { if err != nil {
return nil, nil, errors.Wrap(err, "error signing document") return nil, nil, errors.Wrap(err, "error signing document")
} }
// nolint:gosec // tests minimum size of the key
token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw==" token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path { switch r.URL.Path {

View file

@ -6,7 +6,7 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha1" "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/asn1" "encoding/asn1"
@ -199,6 +199,7 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
if _, err = asn1.Unmarshal(b, &info); err != nil { if _, err = asn1.Unmarshal(b, &info); err != nil {
return nil, fmt.Errorf("error unmarshaling public key: %w", err) return nil, fmt.Errorf("error unmarshaling public key: %w", err)
} }
// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
hash := sha1.Sum(info.SubjectPublicKey.Bytes) hash := sha1.Sum(info.SubjectPublicKey.Bytes)
return hash[:], nil return hash[:], nil
} }

View file

@ -200,6 +200,7 @@ func TestBootstrap(t *testing.T) {
} }
} }
// nolint:gosec // insecure test servers
func TestBootstrapServerWithoutMTLS(t *testing.T) { func TestBootstrapServerWithoutMTLS(t *testing.T) {
srv := startCABootstrapServer() srv := startCABootstrapServer()
defer srv.Close() defer srv.Close()
@ -256,6 +257,7 @@ func TestBootstrapServerWithoutMTLS(t *testing.T) {
} }
} }
// nolint:gosec // insecure test servers
func TestBootstrapServerWithMTLS(t *testing.T) { func TestBootstrapServerWithMTLS(t *testing.T) {
srv := startCABootstrapServer() srv := startCABootstrapServer()
defer srv.Close() defer srv.Close()
@ -405,6 +407,7 @@ func TestBootstrapClientServerRotation(t *testing.T) {
// Create bootstrap server // Create bootstrap server
token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7") token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
// nolint:gosec // insecure test server
server, err := BootstrapServer(context.Background(), token, &http.Server{ server, err := BootstrapServer(context.Background(), token, &http.Server{
Addr: ":0", Addr: ":0",
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
@ -523,6 +526,7 @@ func TestBootstrapClientServerFederation(t *testing.T) {
// Create bootstrap server // Create bootstrap server
token := generateBootstrapToken(caURL1, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7") token := generateBootstrapToken(caURL1, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
// nolint:gosec // insecure test server
server, err := BootstrapServer(context.Background(), token, &http.Server{ server, err := BootstrapServer(context.Background(), token, &http.Server{
Addr: ":0", Addr: ":0",
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"crypto" "crypto"
"crypto/rand" "crypto/rand"
"crypto/sha1" "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
@ -65,6 +65,8 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
if _, err = asn1.Unmarshal(b, &info); err != nil { if _, err = asn1.Unmarshal(b, &info); err != nil {
return nil, errors.Wrap(err, "error unmarshaling public key") return nil, errors.Wrap(err, "error unmarshaling public key")
} }
// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
hash := sha1.Sum(info.SubjectPublicKey.Bytes) hash := sha1.Sum(info.SubjectPublicKey.Bytes)
return hash[:], nil return hash[:], nil
} }

View file

@ -56,6 +56,7 @@ func newClient(transport http.RoundTripper) *uaClient {
} }
} }
// nolint:gosec // used in bootstrap protocol
func newInsecureClient() *uaClient { func newInsecureClient() *uaClient {
return &uaClient{ return &uaClient{
Client: &http.Client{ Client: &http.Client{
@ -201,7 +202,9 @@ func (o *clientOptions) getTransport(endpoint string) (tr http.RoundTripper, err
switch tr := tr.(type) { switch tr := tr.(type) {
case *http.Transport: case *http.Transport:
if tr.TLSClientConfig == nil { if tr.TLSClientConfig == nil {
tr.TLSClientConfig = &tls.Config{} tr.TLSClientConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
}
} }
if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil { if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil {
tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate} tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate}
@ -209,7 +212,9 @@ func (o *clientOptions) getTransport(endpoint string) (tr http.RoundTripper, err
} }
case *http2.Transport: case *http2.Transport:
if tr.TLSClientConfig == nil { if tr.TLSClientConfig == nil {
tr.TLSClientConfig = &tls.Config{} tr.TLSClientConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
}
} }
if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil { if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil {
tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate} tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate}
@ -236,11 +241,15 @@ func WithTransport(tr http.RoundTripper) ClientOption {
} }
// WithInsecure adds a insecure transport that bypasses TLS verification. // WithInsecure adds a insecure transport that bypasses TLS verification.
// nolint:gosec // insecure option
func WithInsecure() ClientOption { func WithInsecure() ClientOption {
return func(o *clientOptions) error { return func(o *clientOptions) error {
o.transport = &http.Transport{ o.transport = &http.Transport{
Proxy: http.ProxyFromEnvironment, Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: true,
},
} }
return nil return nil
} }

View file

@ -62,6 +62,7 @@ func LoadClient() (*Client, error) {
// Prepare transport with information in defaults.json and identity.json // Prepare transport with information in defaults.json and identity.json
tr := http.DefaultTransport.(*http.Transport).Clone() tr := http.DefaultTransport.(*http.Transport).Clone()
tr.TLSClientConfig = &tls.Config{ tr.TLSClientConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
GetClientCertificate: identity.GetClientCertificateFunc(), GetClientCertificate: identity.GetClientCertificateFunc(),
} }

View file

@ -58,6 +58,7 @@ func TestClient(t *testing.T) {
Certificates: []tls.Certificate{crt}, Certificates: []tls.Certificate{crt},
ClientCAs: pool, ClientCAs: pool,
ClientAuth: tls.VerifyClientCertIfGiven, ClientAuth: tls.VerifyClientCertIfGiven,
MinVersion: tls.VersionTLS12,
} }
okServer.StartTLS() okServer.StartTLS()
@ -132,6 +133,7 @@ func TestLoadClient(t *testing.T) {
tr.TLSClientConfig = &tls.Config{ tr.TLSClientConfig = &tls.Config{
Certificates: []tls.Certificate{crt}, Certificates: []tls.Certificate{crt},
RootCAs: pool, RootCAs: pool,
MinVersion: tls.VersionTLS12,
} }
expected := &Client{ expected := &Client{
CaURL: &url.URL{Scheme: "https", Host: "127.0.0.1"}, CaURL: &url.URL{Scheme: "https", Host: "127.0.0.1"},

View file

@ -296,6 +296,7 @@ func (i *Identity) Renew(client Renewer) error {
tr.TLSClientConfig = &tls.Config{ tr.TLSClientConfig = &tls.Config{
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
RootCAs: client.GetRootCAs(), RootCAs: client.GetRootCAs(),
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true, PreferServerCipherSuites: true,
} }

View file

@ -173,7 +173,7 @@ func (r *TLSRenewer) renewCertificate() {
cert, err := r.RenewCertificate() cert, err := r.RenewCertificate()
if err != nil { if err != nil {
next = r.renewJitter / 2 next = r.renewJitter / 2
next += time.Duration(rand.Int63n(int64(next))) next += time.Duration(mathRandInt63n(int64(next)))
} else { } else {
r.setCertificate(cert) r.setCertificate(cert)
next = r.nextRenewDuration(cert.Leaf.NotAfter) next = r.nextRenewDuration(cert.Leaf.NotAfter)
@ -185,10 +185,15 @@ func (r *TLSRenewer) renewCertificate() {
func (r *TLSRenewer) nextRenewDuration(notAfter time.Time) time.Duration { func (r *TLSRenewer) nextRenewDuration(notAfter time.Time) time.Duration {
d := time.Until(notAfter).Truncate(time.Second) - r.renewBefore d := time.Until(notAfter).Truncate(time.Second) - r.renewBefore
n := rand.Int63n(int64(r.renewJitter)) n := mathRandInt63n(int64(r.renewJitter))
d -= time.Duration(n) d -= time.Duration(n)
if d < 0 { if d < 0 {
d = 0 d = 0
} }
return d return d
} }
// nolint:gosec // not used for cryptographic security
func mathRandInt63n(n int64) int64 {
return rand.Int63n(n)
}

View file

@ -60,6 +60,7 @@ func init() {
d := &tls.Dialer{ d := &tls.Dialer{
NetDialer: getDefaultDialer(), NetDialer: getDefaultDialer(),
Config: &tls.Config{ Config: &tls.Config{
MinVersion: tls.VersionTLS12,
RootCAs: pool, RootCAs: pool,
GetClientCertificate: id.GetClientCertificateFunc(), GetClientCertificate: id.GetClientCertificateFunc(),
}, },

View file

@ -13,6 +13,7 @@ import (
"github.com/smallstep/certificates/api" "github.com/smallstep/certificates/api"
) )
// nolint:gosec // test tls config
func Test_newTLSOptionCtx(t *testing.T) { func Test_newTLSOptionCtx(t *testing.T) {
client, err := NewClient("https://ca.smallstep.com", WithTransport(http.DefaultTransport)) client, err := NewClient("https://ca.smallstep.com", WithTransport(http.DefaultTransport))
if err != nil { if err != nil {
@ -40,6 +41,7 @@ func Test_newTLSOptionCtx(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestTLSOptionCtx_apply(t *testing.T) { func TestTLSOptionCtx_apply(t *testing.T) {
fail := func() TLSOption { fail := func() TLSOption {
return func(ctx *TLSOptionCtx) error { return func(ctx *TLSOptionCtx) error {
@ -76,6 +78,7 @@ func TestTLSOptionCtx_apply(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestRequireAndVerifyClientCert(t *testing.T) { func TestRequireAndVerifyClientCert(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
@ -100,6 +103,7 @@ func TestRequireAndVerifyClientCert(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestVerifyClientCertIfGiven(t *testing.T) { func TestVerifyClientCertIfGiven(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
@ -124,6 +128,7 @@ func TestVerifyClientCertIfGiven(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddRootCA(t *testing.T) { func TestAddRootCA(t *testing.T) {
cert := parseCertificate(rootPEM) cert := parseCertificate(rootPEM)
pool := x509.NewCertPool() pool := x509.NewCertPool()
@ -156,6 +161,7 @@ func TestAddRootCA(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddClientCA(t *testing.T) { func TestAddClientCA(t *testing.T) {
cert := parseCertificate(rootPEM) cert := parseCertificate(rootPEM)
pool := x509.NewCertPool() pool := x509.NewCertPool()
@ -188,6 +194,7 @@ func TestAddClientCA(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddRootsToRootCAs(t *testing.T) { func TestAddRootsToRootCAs(t *testing.T) {
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()
@ -242,6 +249,7 @@ func TestAddRootsToRootCAs(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddRootsToClientCAs(t *testing.T) { func TestAddRootsToClientCAs(t *testing.T) {
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()
@ -296,6 +304,7 @@ func TestAddRootsToClientCAs(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddFederationToRootCAs(t *testing.T) { func TestAddFederationToRootCAs(t *testing.T) {
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()
@ -360,6 +369,7 @@ func TestAddFederationToRootCAs(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddFederationToClientCAs(t *testing.T) { func TestAddFederationToClientCAs(t *testing.T) {
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()
@ -424,6 +434,7 @@ func TestAddFederationToClientCAs(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddRootsToCAs(t *testing.T) { func TestAddRootsToCAs(t *testing.T) {
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()
@ -478,6 +489,7 @@ func TestAddRootsToCAs(t *testing.T) {
} }
} }
// nolint:gosec // test tls config
func TestAddFederationToCAs(t *testing.T) { func TestAddFederationToCAs(t *testing.T) {
ca := startCATestServer() ca := startCATestServer()
defer ca.Close() defer ca.Close()

View file

@ -4,7 +4,7 @@ import (
"context" "context"
"crypto" "crypto"
"crypto/rand" "crypto/rand"
"crypto/sha1" "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
@ -239,6 +239,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte {
if err != nil { if err != nil {
panic(err) panic(err)
} }
// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
hash := sha1.Sum(b) hash := sha1.Sum(b)
return hash[:] return hash[:]
} }

View file

@ -14,6 +14,7 @@ import (
"time" "time"
// Server profiler // Server profiler
// nolint:gosec // profile server, if enabled runs on a different port
_ "net/http/pprof" _ "net/http/pprof"
"github.com/smallstep/certificates/authority" "github.com/smallstep/certificates/authority"

View file

@ -4,7 +4,7 @@ import (
"context" "context"
"crypto" "crypto"
"crypto/rand" "crypto/rand"
"crypto/sha1" "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
@ -277,6 +277,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte {
if err != nil { if err != nil {
panic(err) panic(err)
} }
// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
hash := sha1.Sum(b) hash := sha1.Sum(b)
return hash[:] return hash[:]
} }

View file

@ -6,7 +6,7 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha1" "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/pem" "encoding/pem"
@ -544,6 +544,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte {
if err != nil { if err != nil {
panic(err) panic(err)
} }
// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
hash := sha1.Sum(b) hash := sha1.Sum(b)
return hash[:] return hash[:]
} }

View file

@ -6,7 +6,7 @@ import (
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic" "crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/sha1" "crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
"encoding/hex" "encoding/hex"
@ -346,6 +346,7 @@ func mustSubjectKeyID(key crypto.PublicKey) []byte {
if err != nil { if err != nil {
panic(err) panic(err)
} }
// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
hash := sha1.Sum(b) hash := sha1.Sum(b)
return hash[:] return hash[:]
} }

View file

@ -92,6 +92,7 @@ func onboardAction(ctx *cli.Context) error {
token := ctx.Args().Get(0) token := ctx.Args().Get(0)
onboardingURL := u.ResolveReference(&url.URL{Path: token}).String() onboardingURL := u.ResolveReference(&url.URL{Path: token}).String()
// nolint:gosec // onboarding url
res, err := http.Get(onboardingURL) res, err := http.Get(onboardingURL)
if err != nil { if err != nil {
return errors.Wrap(err, "error connecting onboarding guide") return errors.Wrap(err, "error connecting onboarding guide")
@ -132,6 +133,7 @@ func onboardAction(ctx *cli.Context) error {
return errors.Wrap(err, "error marshaling payload") return errors.Wrap(err, "error marshaling payload")
} }
// nolint:gosec // onboarding url
resp, err := http.Post(onboardingURL, "application/json", bytes.NewBuffer(payload)) resp, err := http.Post(onboardingURL, "application/json", bytes.NewBuffer(payload))
if err != nil { if err != nil {
return errors.Wrap(err, "error connecting onboarding guide") return errors.Wrap(err, "error connecting onboarding guide")

View file

@ -39,13 +39,14 @@ func New(addr string, handler http.Handler, tlsConfig *tls.Config) *Server {
// tls.Config. // tls.Config.
func newHTTPServer(addr string, handler http.Handler, tlsConfig *tls.Config) *http.Server { func newHTTPServer(addr string, handler http.Handler, tlsConfig *tls.Config) *http.Server {
return &http.Server{ return &http.Server{
Addr: addr, Addr: addr,
Handler: handler, Handler: handler,
TLSConfig: tlsConfig, TLSConfig: tlsConfig,
WriteTimeout: 15 * time.Second, WriteTimeout: 15 * time.Second,
ReadTimeout: 15 * time.Second, ReadTimeout: 15 * time.Second,
IdleTimeout: 15 * time.Second, ReadHeaderTimeout: 15 * time.Second,
ErrorLog: log.New(os.Stderr, "", log.Ldate|log.Ltime|log.Llongfile), IdleTimeout: 15 * time.Second,
ErrorLog: log.New(os.Stderr, "", log.Ldate|log.Ltime|log.Llongfile),
} }
} }