Address gosec warnings

Most if not all false positives

Author: maraino

acme/challenge.go

@@ -149,7 +149,7 @@ func tlsalpn01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose.JSON
 		// [RFC5246] or higher when connecting to clients for validation.
 		MinVersion:         tls.VersionTLS12,
 		ServerName:         serverName(ch),
-		InsecureSkipVerify: true, // we expect a self-signed challenge certificate
+		InsecureSkipVerify: true, // nolint:gosec // we expect a self-signed challenge certificate
 	}
 
 	hostPort := net.JoinHostPort(ch.Value, "443")

acme/client.go

@@ -56,6 +56,7 @@ func NewClient() Client {
 			Timeout: 30 * time.Second,
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
+					// nolint:gosec // used on tls-alpn-01 challenge
 					InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
 				},
 			},

api/api_test.go

@@ -1437,7 +1437,7 @@ func Test_fmtPublicKey(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
+	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -1463,7 +1463,7 @@ func Test_fmtPublicKey(t *testing.T) {
 		want string
 	}{
 		{"p256", args{p256.Public(), p256, nil}, "ECDSA P-256"},
-		{"rsa1024", args{rsa1024.Public(), rsa1024, nil}, "RSA 1024"},
+		{"rsa2048", args{rsa2048.Public(), rsa2048, nil}, "RSA 2048"},
 		{"ed25519", args{edPub, edPriv, nil}, "Ed25519"},
 		{"dsa2048", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.DSA, PublicKey: &dsa2048.PublicKey}}, "DSA 2048"},
 		{"unknown", args{cert: &x509.Certificate{PublicKeyAlgorithm: x509.ECDSA, PublicKey: []byte("12345678")}}, "ECDSA unknown"},

authority/config/tls_options.go

@@ -169,6 +169,7 @@ func (t *TLSOptions) TLSConfig() *tls.Config {
 		rs = tls.RenegotiateNever
 	}
 
+	// nolint:gosec // default MinVersion 1.2, if defined but empty 1.3 is used
 	return &tls.Config{
 		CipherSuites:  t.CipherSuites.Value(),
 		MinVersion:    t.MinVersion.Value(),

authority/linkedca.go

@@ -461,6 +461,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error)
 	defer cancel()
 
 	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+		// nolint:gosec // used in bootstrap protocol
 		InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check]
 	})))
 	if err != nil {
@@ -514,7 +515,8 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
 	defer cancel()
 
 	conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
-		RootCAs: rootCAs,
+		MinVersion: tls.VersionTLS12,
+		RootCAs:    rootCAs,
 	})))
 	if err != nil {
 		return nil, nil, errors.Wrapf(err, "error connecting %s", endpoint)
@@ -590,6 +592,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto.
 	rootCAs.AddCert(bundle[last])
 
 	return cert, &tls.Config{
-		RootCAs: rootCAs,
+		MinVersion: tls.VersionTLS12,
+		RootCAs:    rootCAs,
 	}, nil
 }

authority/provisioner/aws.go

@@ -35,16 +35,19 @@ const awsIdentityURL = "http://169.254.169.254/latest/dynamic/instance-identity/
 const awsSignatureURL = "http://169.254.169.254/latest/dynamic/instance-identity/signature"
 
 // awsAPITokenURL is the url used to get the IMDSv2 API token
+// nolint:gosec // no credentials here
 const awsAPITokenURL = "http://169.254.169.254/latest/api/token"
 
 // awsAPITokenTTL is the default TTL to use when requesting IMDSv2 API tokens
 // -- we keep this short-lived since we get a new token with every call to readURL()
 const awsAPITokenTTL = "30"
 
 // awsMetadataTokenHeader is the header that must be passed with every IMDSv2 request
+// nolint:gosec // no credentials here
 const awsMetadataTokenHeader = "X-aws-ec2-metadata-token"
 
 // awsMetadataTokenTTLHeader is the header used to indicate the token TTL requested
+// nolint:gosec // no credentials here
 const awsMetadataTokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
 
 // awsCertificate is the certificate used to validate the instance identity

authority/provisioner/aws_test.go

@@ -316,7 +316,7 @@ func TestAWS_authorizeToken(t *testing.T) {
 	}
 	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 	assert.FatalError(t, err)
-	badKey, err := rsa.GenerateKey(rand.Reader, 1024)
+	badKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
 
 	type test struct {
@@ -579,7 +579,7 @@ func TestAWS_AuthorizeSign(t *testing.T) {
 	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
 	assert.FatalError(t, err)
 
-	badKey, err := rsa.GenerateKey(rand.Reader, 1024)
+	badKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
 
 	t4, err := generateAWSToken(
@@ -748,6 +748,7 @@ func TestAWS_AuthorizeSSHSign(t *testing.T) {
 	pub := key.Public().Key
 	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
+	// nolint:gosec // tests minimum size of the key
 	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
 	assert.FatalError(t, err)
 

authority/provisioner/azure.go

@@ -25,6 +25,7 @@ import (
 const azureOIDCBaseURL = "https://login.microsoftonline.com"
 
 // azureIdentityTokenURL is the URL to get the identity token for an instance.
+// nolint:gosec // no credentials here
 const azureIdentityTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F"
 
 // azureDefaultAudience is the default audience used.

authority/provisioner/azure_test.go

@@ -624,6 +624,7 @@ func TestAzure_AuthorizeSSHSign(t *testing.T) {
 	pub := key.Public().Key
 	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
+	// nolint:gosec // tests minimum size of the key
 	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
 	assert.FatalError(t, err)
 

authority/provisioner/collection.go

@@ -1,7 +1,7 @@
 package provisioner
 
 import (
-	"crypto/sha1"
+	"crypto/sha1" // nolint:gosec // not used for cryptographic security
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/binary"
@@ -319,6 +319,7 @@ func loadProvisioner(m *sync.Map, key string) (Interface, bool) {
 // provisionerSum returns the SHA1 of the provisioners ID. From this we will
 // create the unique and sorted id.
 func provisionerSum(p Interface) []byte {
+	// nolint:gosec // not used for cryptographic security
 	sum := sha1.Sum([]byte(p.GetID()))
 	return sum[:]
 }

authority/provisioner/gcp_test.go

@@ -623,6 +623,7 @@ func TestGCP_AuthorizeSSHSign(t *testing.T) {
 	pub := key.Public().Key
 	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
+	// nolint:gosec // tests minimum size of the key
 	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
 	assert.FatalError(t, err)
 

authority/provisioner/jwk_test.go

@@ -411,6 +411,7 @@ func TestJWK_AuthorizeSSHSign(t *testing.T) {
 	pub := key.Public().Key
 	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
+	// nolint:gosec // tests minimum size of the key
 	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
 	assert.FatalError(t, err)
 

authority/provisioner/keystore.go

@@ -85,14 +85,14 @@ func (ks *keyStore) reload() {
 // 0 it will randomly rotate between 0-12 hours, but every time we call to Get
 // it will automatically rotate.
 func (ks *keyStore) nextReloadDuration(age time.Duration) time.Duration {
-	n := rand.Int63n(int64(ks.jitter))
+	n := rand.Int63n(int64(ks.jitter)) // nolint:gosec // not used for cryptographic security
 	age -= time.Duration(n)
 	return abs(age)
 }
 
 func getKeysFromJWKsURI(uri string) (jose.JSONWebKeySet, time.Duration, error) {
 	var keys jose.JSONWebKeySet
-	resp, err := http.Get(uri)
+	resp, err := http.Get(uri) // nolint:gosec // openid-configuration jwks_uri
 	if err != nil {
 		return keys, 0, errors.Wrapf(err, "failed to connect to %s", uri)
 	}

authority/provisioner/oidc.go

@@ -464,7 +464,7 @@ func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error {
 }
 
 func getAndDecode(uri string, v interface{}) error {
-	resp, err := http.Get(uri)
+	resp, err := http.Get(uri) // nolint:gosec // openid-configuration uri
 	if err != nil {
 		return errors.Wrapf(err, "failed to connect to %s", uri)
 	}

authority/provisioner/oidc_test.go

@@ -535,6 +535,7 @@ func TestOIDC_AuthorizeSSHSign(t *testing.T) {
 	pub := key.Public().Key
 	rsa2048, err := rsa.GenerateKey(rand.Reader, 2048)
 	assert.FatalError(t, err)
+	// nolint:gosec // tests minimum size of the key
 	rsa1024, err := rsa.GenerateKey(rand.Reader, 1024)
 	assert.FatalError(t, err)
 

authority/provisioner/options_test.go

@@ -254,6 +254,7 @@ func TestCustomTemplateOptions(t *testing.T) {
 }
 
 func Test_unsafeParseSigned(t *testing.T) {
+	// nolint:gosec // no credentials here
 	okToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJqYW5lQGRvZS5jb20iLCJpc3MiOiJodHRwczovL2RvZS5jb20iLCJqdGkiOiI4ZmYzMjQ4MS1mZDVmLTRlMmUtOTZkZi05MDhjMTI3Yzg1ZjciLCJpYXQiOjE1OTUzNjAwMjgsImV4cCI6MTU5NTM2MzYyOH0.aid8UuhFucJOFHXaob9zpNtVvhul9ulTGsA52mU6XIw"
 	type args struct {
 		s string

authority/provisioner/utils_test.go

@@ -449,6 +449,7 @@ func generateAWSWithServer() (*AWS, *httptest.Server, error) {
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "error signing document")
 	}
+	// nolint:gosec // tests minimum size of the key
 	token := "AQAEAEEO9-7Z88ewKFpboZuDlFYWz9A3AN-wMOVzjEhfAyXW31BvVw=="
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {

authority/tls_test.go

@@ -6,7 +6,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/sha1"
+	"crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
@@ -199,6 +199,7 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
 	if _, err = asn1.Unmarshal(b, &info); err != nil {
 		return nil, fmt.Errorf("error unmarshaling public key: %w", err)
 	}
+	// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
 	hash := sha1.Sum(info.SubjectPublicKey.Bytes)
 	return hash[:], nil
 }

ca/bootstrap_test.go

@@ -200,6 +200,7 @@ func TestBootstrap(t *testing.T) {
 	}
 }
 
+// nolint:gosec // insecure test servers
 func TestBootstrapServerWithoutMTLS(t *testing.T) {
 	srv := startCABootstrapServer()
 	defer srv.Close()
@@ -256,6 +257,7 @@ func TestBootstrapServerWithoutMTLS(t *testing.T) {
 	}
 }
 
+// nolint:gosec // insecure test servers
 func TestBootstrapServerWithMTLS(t *testing.T) {
 	srv := startCABootstrapServer()
 	defer srv.Close()
@@ -405,6 +407,7 @@ func TestBootstrapClientServerRotation(t *testing.T) {
 
 	// Create bootstrap server
 	token := generateBootstrapToken(caURL, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
+	// nolint:gosec // insecure test server
 	server, err := BootstrapServer(context.Background(), token, &http.Server{
 		Addr: ":0",
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
@@ -523,6 +526,7 @@ func TestBootstrapClientServerFederation(t *testing.T) {
 
 	// Create bootstrap server
 	token := generateBootstrapToken(caURL1, "127.0.0.1", "ef742f95dc0d8aa82d3cca4017af6dac3fce84290344159891952d18c53eefe7")
+	// nolint:gosec // insecure test server
 	server, err := BootstrapServer(context.Background(), token, &http.Server{
 		Addr: ":0",
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {

ca/ca_test.go

@@ -5,7 +5,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/rand"
-	"crypto/sha1"
+	"crypto/sha1" // nolint:gosec // used to create the Subject Key Identifier by RFC 5280
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -65,6 +65,8 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
 	if _, err = asn1.Unmarshal(b, &info); err != nil {
 		return nil, errors.Wrap(err, "error unmarshaling public key")
 	}
+
+	// nolint:gosec // used to create the Subject Key Identifier by RFC 5280
 	hash := sha1.Sum(info.SubjectPublicKey.Bytes)
 	return hash[:], nil
 }

ca/client.go

@@ -56,6 +56,7 @@ func newClient(transport http.RoundTripper) *uaClient {
 	}
 }
 
+// nolint:gosec // used in bootstrap protocol
 func newInsecureClient() *uaClient {
 	return &uaClient{
 		Client: &http.Client{
@@ -201,15 +202,19 @@ func (o *clientOptions) getTransport(endpoint string) (tr http.RoundTripper, err
 		switch tr := tr.(type) {
 		case *http.Transport:
 			if tr.TLSClientConfig == nil {
-				tr.TLSClientConfig = &tls.Config{}
+				tr.TLSClientConfig = &tls.Config{
+					MinVersion: tls.VersionTLS12,
+				}
 			}
 			if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil {
 				tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate}
 				tr.TLSClientConfig.GetClientCertificate = o.getClientCertificate
 			}
 		case *http2.Transport:
 			if tr.TLSClientConfig == nil {
-				tr.TLSClientConfig = &tls.Config{}
+				tr.TLSClientConfig = &tls.Config{
+					MinVersion: tls.VersionTLS12,
+				}
 			}
 			if len(tr.TLSClientConfig.Certificates) == 0 && tr.TLSClientConfig.GetClientCertificate == nil {
 				tr.TLSClientConfig.Certificates = []tls.Certificate{o.certificate}
@@ -236,11 +241,15 @@ func WithTransport(tr http.RoundTripper) ClientOption {
 }
 
 // WithInsecure adds a insecure transport that bypasses TLS verification.
+// nolint:gosec // insecure option
 func WithInsecure() ClientOption {
 	return func(o *clientOptions) error {
 		o.transport = &http.Transport{
-			Proxy:           http.ProxyFromEnvironment,
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			Proxy: http.ProxyFromEnvironment,
+			TLSClientConfig: &tls.Config{
+				MinVersion:         tls.VersionTLS12,
+				InsecureSkipVerify: true,
+			},
 		}
 		return nil
 	}

ca/identity/client.go

@@ -62,6 +62,7 @@ func LoadClient() (*Client, error) {
 	// Prepare transport with information in defaults.json and identity.json
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	tr.TLSClientConfig = &tls.Config{
+		MinVersion:           tls.VersionTLS12,
 		GetClientCertificate: identity.GetClientCertificateFunc(),
 	}
 

ca/identity/client_test.go

@@ -58,6 +58,7 @@ func TestClient(t *testing.T) {
 		Certificates: []tls.Certificate{crt},
 		ClientCAs:    pool,
 		ClientAuth:   tls.VerifyClientCertIfGiven,
+		MinVersion:   tls.VersionTLS12,
 	}
 	okServer.StartTLS()
 
@@ -132,6 +133,7 @@ func TestLoadClient(t *testing.T) {
 	tr.TLSClientConfig = &tls.Config{
 		Certificates: []tls.Certificate{crt},
 		RootCAs:      pool,
+		MinVersion:   tls.VersionTLS12,
 	}
 	expected := &Client{
 		CaURL: &url.URL{Scheme: "https", Host: "127.0.0.1"},

ca/identity/identity.go

@@ -296,6 +296,7 @@ func (i *Identity) Renew(client Renewer) error {
 		tr.TLSClientConfig = &tls.Config{
 			Certificates:             []tls.Certificate{cert},
 			RootCAs:                  client.GetRootCAs(),
+			MinVersion:               tls.VersionTLS12,
 			PreferServerCipherSuites: true,
 		}
 

ca/renew.go

@@ -173,7 +173,7 @@ func (r *TLSRenewer) renewCertificate() {
 	cert, err := r.RenewCertificate()
 	if err != nil {
 		next = r.renewJitter / 2
-		next += time.Duration(rand.Int63n(int64(next)))
+		next += time.Duration(mathRandInt63n(int64(next)))
 	} else {
 		r.setCertificate(cert)
 		next = r.nextRenewDuration(cert.Leaf.NotAfter)
@@ -185,10 +185,15 @@ func (r *TLSRenewer) renewCertificate() {
 
 func (r *TLSRenewer) nextRenewDuration(notAfter time.Time) time.Duration {
 	d := time.Until(notAfter).Truncate(time.Second) - r.renewBefore
-	n := rand.Int63n(int64(r.renewJitter))
+	n := mathRandInt63n(int64(r.renewJitter))
 	d -= time.Duration(n)
 	if d < 0 {
 		d = 0
 	}
 	return d
 }
+
+// nolint:gosec // not used for cryptographic security
+func mathRandInt63n(n int64) int64 {
+	return rand.Int63n(n)
+}

ca/tls.go

@@ -60,6 +60,7 @@ func init() {
 			d := &tls.Dialer{
 				NetDialer: getDefaultDialer(),
 				Config: &tls.Config{
+					MinVersion:           tls.VersionTLS12,
 					RootCAs:              pool,
 					GetClientCertificate: id.GetClientCertificateFunc(),
 				},