replace frozen crypto/pkcs12 library with software.sslmate.com/src/go-pkcs12

.dockerignore

@@ -2,3 +2,4 @@ cfssl_*
 *-amd64
 *-386
 dist/*
+.git

.github/workflows/go.yml

@@ -10,7 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [stable, oldstable]
+        # starting with go 1.24 the GODEBUG=x509sha1=1 flag has been removed.
+        # many tests rely on sha1 certificates. After resolving #1413 we can
+        # run these on stable and oldstable again. Min version (1.20) can
+        # always be run.
+        go: ['1.23', '1.22', '1.20']
     services:
       # Label used to access the service container
       postgres:
@@ -70,9 +74,15 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
+      - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: 1.18
-      - uses: actions/checkout@v4
+          go-version: "1.20"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
+        with:
+          # There is a breaking change in 1.58 that causes the linter not to recognize 
+          # internal imports or standard library imports and results in linting errors
+          # that cannot be ignored.
+          # e.g certdb/certdb.go:5:2: could not import encoding/json (Config.Importer.Import(encoding/json) returned nil but no error) (typecheck)
+          version: v1.57

.github/workflows/semgrep.yml

@@ -0,0 +1,24 @@
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push: 
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '0 0 * * *'
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci

.golangci.yaml

@@ -5,6 +5,4 @@ linters:
     - gosimple
     - ineffassign
     - unused
-    - deadcode
     - errcheck
-    - varcheck

Dockerfile.alpine

@@ -1,4 +1,4 @@
-FROM golang:1.16.15-alpine3.15@sha256:9743f230f26d1e300545f0330fd4a514f554c535d967563ee77bf634906502b6 as builder
+FROM golang:1.20-alpine AS builder
 
 WORKDIR /workdir
 COPY . /workdir

Makefile

@@ -60,7 +60,7 @@ snapshot:
 	--rm \
     -v $(PWD):/cross \
     -w /cross \
-    ghcr.io/goreleaser/goreleaser-cross:latest --clean --snapshot --skip-publish
+    ghcr.io/goreleaser/goreleaser-cross:latest --clean --snapshot --skip=publish
 
 .PHONY: github-release
 github-release:
@@ -73,15 +73,8 @@ github-release:
     -w /cross \
     ghcr.io/goreleaser/goreleaser-cross:latest --clean
 
-.PHONY: docker-build
-docker-build:
-	docker build -f Dockerfile -t cfssl/cfssl:$(VERSION) .
-.PHONY: docker-push
-docker-push:
-	docker push cfssl/cfssl:$(VERSION)
-
 .PHONY: release
-release: github-release docker-build docker-push
+release: github-release
 
 BUILD_PATH   := $(CURDIR)/build
 INSTALL_PATH := $(BUILD_PATH)/usr/local/bin

README.md

@@ -8,7 +8,7 @@
 
 CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line
 tool and an HTTP API server for signing, verifying, and bundling TLS
-certificates. It requires Go 1.16+ to build.
+certificates. It requires Go 1.20+ to build.
 
 Note that certain linux distributions have certain algorithms removed
 (RHEL-based distributions in particular), so the golang from the
@@ -30,12 +30,13 @@ CFSSL consists of:
 ### Building
 
 Building cfssl requires a
-[working Go 1.16+ installation](http://golang.org/doc/install).
+[working Go 1.20+ installation](http://golang.org/doc/install).
 
 ```
 $ git clone git@github.com:cloudflare/cfssl.git
 $ cd cfssl
 $ make
+$ make install
 ```
 
 The resulting binaries will be in the bin folder:
@@ -60,32 +61,9 @@ You can set the `GOOS` and `GOARCH` environment variables to have Go cross compi
 
 ### Installation
 
-Installation requires a [working Go 1.16+ installation](http://golang.org/doc/install).
+Installation requires a [working Go 1.20+ installation](http://golang.org/doc/install).
 Alternatively, [prebuilt binaries are available](https://github.com/cloudflare/cfssl/releases)
 
-```
-$ go get github.com/cloudflare/cfssl/cmd/cfssl
-```
-
-will download, build, and install the CFSSL tool.
-
-To install any of the other utility programs that are
-in this repo (for instance `cfssljson` in this case):
-
-```
-$ go get github.com/cloudflare/cfssl/cmd/cfssljson
-```
-
-This will download, build, and install the CFSSLJSON tool.
-
-And to simply install __all__ of the programs in this repo:
-
-```
-$ go get github.com/cloudflare/cfssl/cmd/...
-```
-
-if you are above go 1.18:
-
 ```
 $ go install github.com/cloudflare/cfssl/cmd/...@latest
 ```

api/bundle/bundle_test.go

@@ -184,7 +184,6 @@ var bundleTests = []bundleTest{
 }
 
 func TestBundle(t *testing.T) {
-	t.Skip("expired cert https://github.com/cloudflare/cfssl/issues/1237")
 	for i, test := range bundleTests {
 		resp, body := testBundleFile(t, test.Domain, test.IP, test.CertFile, test.KeyFile, test.Flavor)
 		if resp.StatusCode != test.ExpectedHTTPStatus {

api/testdata/ca-bundle.pem

@@ -1,17 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIICyDCCAjGgAwIBAgIJAPCgd7rafQZGMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
-c2NvMRMwEQYDVQQKDApDbG91ZEZsYXJlMRQwEgYDVQQLDAtERVZfVEVTVElORzEW
-MBQGA1UEAwwNQ0ZTU0xfVEVTVF9DQTAeFw0xNDA0MTExNjQyMjBaFw0yNDA0MDgx
-NjQyMjBaMH0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYD
-VQQHDA1TYW4gRnJhbmNpc2NvMRMwEQYDVQQKDApDbG91ZEZsYXJlMRQwEgYDVQQL
-DAtERVZfVEVTVElORzEWMBQGA1UEAwwNQ0ZTU0xfVEVTVF9DQTCBnzANBgkqhkiG
-9w0BAQEFAAOBjQAwgYkCgYEAm6f+jkP2t5q/vM0YAUZZkhq/EAYD+L1CMS59jJOL
-omfDnKUWOGKi/k7URBg1HNL3vm7/ESDazZWFy9l/nibWxNkSUPkQIrvrGsNivkRU
-zXkwgNX8IN8LOYAQ3BWxAqitXTpLjf4FeCTB6G59v9eYlAX3kicXRdY+cqhEvLFb
-u3MCAwEAAaNQME4wHQYDVR0OBBYEFLhe765nULfW8wflar5Vs2c6DZI+MB8GA1Ud
-IwQYMBaAFLhe765nULfW8wflar5Vs2c6DZI+MAwGA1UdEwQFMAMBAf8wDQYJKoZI
-hvcNAQEFBQADgYEABYqqOUq3ZrtMYaTAoeA7Cr/OBMjBV+/TiOe8fRNoPZ7+aKSg
-E1baohCGqougm+/XOtBXeLv5tVQihz/2iKdwHmX4HjkxzevAXyazjxeW4IDA21Jl
-fKd7xUJHM0Du/opoDkXWr/vRVztOB33ndlAK7ruSLfTR3E9HoUe3aRH7ceQ=
+MIIC1jCCAj+gAwIBAgIUJhxh1ENJRZoFuCN+XB0xlP1zgeYwDQYJKoZIhvcNAQEL
+BQAwfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkNsb3VkRmxhcmUxFDASBgNVBAsMC0RF
+Vl9URVNUSU5HMRYwFAYDVQQDDA1DRlNTTF9URVNUX0NBMB4XDTI1MDIwODIwMTYy
+N1oXDTM1MDIwNjIwMTYyN1owfTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
+b3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCkNsb3VkRmxh
+cmUxFDASBgNVBAsMC0RFVl9URVNUSU5HMRYwFAYDVQQDDA1DRlNTTF9URVNUX0NB
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbp/6OQ/a3mr+8zRgBRlmSGr8Q
+BgP4vUIxLn2Mk4uiZ8OcpRY4YqL+TtREGDUc0ve+bv8RINrNlYXL2X+eJtbE2RJQ
++RAiu+saw2K+RFTNeTCA1fwg3ws5gBDcFbECqK1dOkuN/gV4JMHobn2/15iUBfeS
+JxdF1j5yqES8sVu7cwIDAQABo1MwUTAdBgNVHQ4EFgQUuF7vrmdQt9bzB+VqvlWz
+ZzoNkj4wHwYDVR0jBBgwFoAUuF7vrmdQt9bzB+VqvlWzZzoNkj4wDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQALmrNPUPlCyhabvgC8RsMZPhJjtxr9
+TotLuoa49zsHH18djRZLrm8mNzBwUVVNJ1hgwSpRnyrc7T4HQTTvjpCnyXEVRil/
+9HQbpVPBSw5W6oK3koLG0rFnZXHocqK+Qri4FkbwsTK5qlea35OJWkODiUY/ykVM
+E4sm6QDE79e0Iw==
 -----END CERTIFICATE-----

bundler/bundle_from_remote_test.go

@@ -103,7 +103,6 @@ var remoteTests = []remoteTest{
 
 // TestBundleFromRemote goes through the test cases defined in remoteTests and run them through. See above for test case definitions.
 func TestBundleFromRemote(t *testing.T) {
-	t.Skip("expired cert https://github.com/cloudflare/cfssl/issues/1237")
 	for _, bf := range []BundleFlavor{Ubiquitous, Optimal} {
 		for _, test := range remoteTests {
 			b := test.bundlerConstructor(t)
@@ -164,7 +163,6 @@ var remoteSNITests = []remoteTest{
 
 // TestBundleFromRemoteSNI goes through the test cases defined in remoteSNITests and run them through. See above for test case definitions.
 func TestBundleFromRemoteSNI(t *testing.T) {
-	t.Skip("expired cert https://github.com/cloudflare/cfssl/issues/1237")
 	for _, bf := range []BundleFlavor{Ubiquitous, Optimal} {
 		for _, test := range remoteSNITests {
 			b := test.bundlerConstructor(t)

bundler/bundler_test.go

@@ -916,7 +916,6 @@ func TestBundlerWithEmptyRootInfo(t *testing.T) {
 }
 
 func TestBundlerClientAuth(t *testing.T) {
-	t.Skip("expired cert https://github.com/cloudflare/cfssl/issues/1237")
 	b, err := NewBundler("testdata/client-auth/root.pem", "testdata/client-auth/int.pem")
 	if err != nil {
 		t.Fatal(err)