From 390054b22e4cb49f01187e89339f04c7b2564d19 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Mon, 21 Mar 2022 16:22:26 -0700
Subject: [PATCH 1/3] Change go version to 1.17 and 1.18

---
 .github/workflows/release.yml | 8 ++++----
 .github/workflows/test.yml    | 6 +++---
 CHANGELOG.md                  | 1 +
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5d0416ef..2ab7084d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        go: [ '1.15', '1.16', '1.17' ]
+        go: [ '1.17', '1.18' ]
     outputs:
       is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
     steps:
@@ -33,7 +33,7 @@ jobs:
         uses: golangci/golangci-lint-action@v2
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: 'v1.44.0'
+          version: 'v1.45.0'
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir
@@ -106,7 +106,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: 1.18
       -
         name: APT Install
         id: aptInstall
@@ -159,7 +159,7 @@ jobs:
         name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.17'
+          go-version: '1.18'
       -
         name: Install cosign
         uses: sigstore/cosign-installer@v1.1.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f36e78ef..64cb64cd 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        go: [ '1.16', '1.17' ]
+        go: [ '1.17', '1.18' ]
     steps:
       -
         name: Checkout
@@ -33,7 +33,7 @@ jobs:
         uses: golangci/golangci-lint-action@v2
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: 'v1.44.0'
+          version: 'v1.45.0'
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir
@@ -58,7 +58,7 @@ jobs:
         run: V=1 make ci
       -
         name: Codecov
-        if: matrix.go == '1.17'
+        if: matrix.go == '1.18'
         uses: codecov/codecov-action@v1.2.1
         with:
           file: ./coverage.out # optional
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc25c0ed..3164b3b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added support for renew after expiry using the claim `allowRenewAfterExpiry`.
 ### Changed
 - Made SCEP CA URL paths dynamic
+- Support two latest versions of golang (1.17, 1.18)
 ### Deprecated
 ### Removed
 ### Fixed

From ad8a813abe89fc019bbb3242a3cbc48f110ccfd1 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Mon, 21 Mar 2022 16:53:57 -0700
Subject: [PATCH 2/3] Fix linter errors

---
 authority/provisioner/x5c.go      |  4 +++-
 authority/provisioner/x5c_test.go |  2 ++
 ca/ca.go                          |  3 ---
 ca/identity/client_test.go        | 23 ++++++++++++++++++++++-
 ca/identity/identity_test.go      |  2 ++
 ca/tls.go                         |  2 --
 ca/tls_options_test.go            |  1 +
 7 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 6f534c76..51b5d8fd 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -100,6 +100,7 @@ func (p *X5C) Init(config Config) (err error) {
 	var (
 		block *pem.Block
 		rest  = p.Roots
+		count int
 	)
 	for rest != nil {
 		block, rest = pem.Decode(rest)
@@ -110,11 +111,12 @@ func (p *X5C) Init(config Config) (err error) {
 		if err != nil {
 			return errors.Wrap(err, "error parsing x509 certificate from PEM block")
 		}
+		count++
 		p.rootPool.AddCert(cert)
 	}
 
 	// Verify that at least one root was found.
-	if len(p.rootPool.Subjects()) == 0 {
+	if count == 0 {
 		return errors.Errorf("no x509 certificates found in roots attribute for provisioner '%s'", p.GetName())
 	}
 
diff --git a/authority/provisioner/x5c_test.go b/authority/provisioner/x5c_test.go
index 84e29b48..7932d045 100644
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@@ -118,6 +118,8 @@ M46l92gdOozT
 			return ProvisionerValidateTest{
 				p: p,
 				extraValid: func(p *X5C) error {
+					// nolint:staticcheck // We don't have a different way to
+					// check the number of certificates in the pool.
 					numCerts := len(p.rootPool.Subjects())
 					if numCerts != 2 {
 						return errors.Errorf("unexpected number of certs: want 2, but got %d", numCerts)
diff --git a/ca/ca.go b/ca/ca.go
index c95ba22f..dfb82731 100644
--- a/ca/ca.go
+++ b/ca/ca.go
@@ -450,9 +450,6 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, error) {
 	tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
 	tlsConfig.ClientCAs = certPool
 
-	// Use server's most preferred ciphersuite
-	tlsConfig.PreferServerCipherSuites = true
-
 	return tlsConfig, nil
 }
 
diff --git a/ca/identity/client_test.go b/ca/identity/client_test.go
index 0f1234e9..9660a3bd 100644
--- a/ca/identity/client_test.go
+++ b/ca/identity/client_test.go
@@ -8,6 +8,7 @@ import (
 	"net/url"
 	"os"
 	"reflect"
+	"sort"
 	"testing"
 )
 
@@ -196,7 +197,7 @@ func TestLoadClient(t *testing.T) {
 				switch {
 				case gotTransport.TLSClientConfig.GetClientCertificate == nil:
 					t.Error("LoadClient() transport does not define GetClientCertificate")
-				case !reflect.DeepEqual(got.CaURL, tt.want.CaURL) || !reflect.DeepEqual(gotTransport.TLSClientConfig.RootCAs.Subjects(), wantTransport.TLSClientConfig.RootCAs.Subjects()):
+				case !reflect.DeepEqual(got.CaURL, tt.want.CaURL) || !equalPools(gotTransport.TLSClientConfig.RootCAs, wantTransport.TLSClientConfig.RootCAs):
 					t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
 				default:
 					crt, err := gotTransport.TLSClientConfig.GetClientCertificate(nil)
@@ -238,3 +239,23 @@ func Test_defaultsConfig_Validate(t *testing.T) {
 		})
 	}
 }
+
+// nolint:staticcheck,gocritic
+func equalPools(a, b *x509.CertPool) bool {
+	if reflect.DeepEqual(a, b) {
+		return true
+	}
+	subjects := a.Subjects()
+	sA := make([]string, len(subjects))
+	for i := range subjects {
+		sA[i] = string(subjects[i])
+	}
+	subjects = b.Subjects()
+	sB := make([]string, len(subjects))
+	for i := range subjects {
+		sB[i] = string(subjects[i])
+	}
+	sort.Strings(sA)
+	sort.Strings(sB)
+	return reflect.DeepEqual(sA, sB)
+}
diff --git a/ca/identity/identity_test.go b/ca/identity/identity_test.go
index d3b1d541..55fc60fd 100644
--- a/ca/identity/identity_test.go
+++ b/ca/identity/identity_test.go
@@ -346,6 +346,8 @@ func TestIdentity_GetCertPool(t *testing.T) {
 				return
 			}
 			if got != nil {
+				// nolint:staticcheck // we don't have a different way to check
+				// the certificates in the pool.
 				subjects := got.Subjects()
 				if !reflect.DeepEqual(subjects, tt.wantSubjects) {
 					t.Errorf("Identity.GetCertPool() = %x, want %x", subjects, tt.wantSubjects)
diff --git a/ca/tls.go b/ca/tls.go
index 0738d0e0..7954cbdf 100644
--- a/ca/tls.go
+++ b/ca/tls.go
@@ -95,7 +95,6 @@ func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 	// Note that with GetClientCertificate tlsConfig.Certificates is not used.
 	// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
-	tlsConfig.PreferServerCipherSuites = true
 
 	// Apply options and initialize mutable tls.Config
 	tlsCtx := newTLSOptionCtx(c, tlsConfig, sign)
@@ -137,7 +136,6 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 	// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
 	tlsConfig.GetCertificate = renewer.GetCertificate
 	tlsConfig.GetClientCertificate = renewer.GetClientCertificate
-	tlsConfig.PreferServerCipherSuites = true
 	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 
 	// Apply options and initialize mutable tls.Config
diff --git a/ca/tls_options_test.go b/ca/tls_options_test.go
index 7d94926b..ca5f80b8 100644
--- a/ca/tls_options_test.go
+++ b/ca/tls_options_test.go
@@ -542,6 +542,7 @@ func TestAddFederationToCAs(t *testing.T) {
 	}
 }
 
+// nolint:staticcheck,gocritic
 func equalPools(a, b *x509.CertPool) bool {
 	if reflect.DeepEqual(a, b) {
 		return true

From f1d586bc6d3be32b536bc6d16d068d667ef24482 Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano.cano@gmail.com>
Date: Mon, 21 Mar 2022 17:59:15 -0700
Subject: [PATCH 3/3] Change golang to Go

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3164b3b6..73c338f8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Added support for renew after expiry using the claim `allowRenewAfterExpiry`.
 ### Changed
 - Made SCEP CA URL paths dynamic
-- Support two latest versions of golang (1.17, 1.18)
+- Support two latest versions of Go (1.17, 1.18)
 ### Deprecated
 ### Removed
 ### Fixed