Update to Go 1.24.0 (spiffe#5880)

* [WIP] Update to Go 1.24.0 Signed-off-by: Ryan Turner <ryan.turner253@icloud.com> * Make RSA keys in TPM unit tests larger Signed-off-by: Ryan Turner <ryan.turner253@icloud.com> * Suppress staticcheck linter warnings for deprecated OPA v1 packages Signed-off-by: Ryan Turner <ryan.turner253@icloud.com> * Fix merge Signed-off-by: Ryan Turner <ryan.turner253@icloud.com> * Replace hardcoded keys with ones generated by testkey Signed-off-by: Ryan Turner <ryan.turner253@icloud.com> --------- Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
rturner3 · Feb 28, 2025 · 90c6753 · 90c6753
1 parent 8a82538
commit 90c6753
Show file tree

Hide file tree

Showing 20 changed files with 829 additions and 478 deletions.
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.23.6
+1.24.0
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/spiffe/spire
 
-go 1.23.6
+go 1.24.0
 
 require (
 	cloud.google.com/go/iam v1.4.0

diff --git a/pkg/agent/plugin/nodeattestor/awsiid/iid_test.go b/pkg/agent/plugin/nodeattestor/awsiid/iid_test.go
@@ -22,10 +22,10 @@ import (
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
 	nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
 	"github.com/spiffe/spire/pkg/common/catalog"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/plugin/aws"
 	"github.com/spiffe/spire/test/plugintest"
 	"github.com/spiffe/spire/test/spiretest"
+	"github.com/spiffe/spire/test/testkey"
 	"google.golang.org/grpc/codes"
 )
 
@@ -38,19 +38,7 @@ const (
 )
 
 var (
-	signingKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIIBywIBAAJhAOn4rFLlxONpujl+q/h/kTQzZoqn1nQZbCKEyIPBWO6kkcSqIqON
-aB3i+xyxgZNwkGEkLGRl/Uwasbp7O/sU43wh5ywWp/AG0iFe1RhwMd8LMq5ron6o
-s2eql71hJKsGEwIDAQABAmEAoDa9YcKe8Q68C5TXE8He33z3Ealea3/hET4VxEsI
-p9mfS6kpMQ+qpRSB2aMfVKP1mrAQ4/5TarrG1ZG3T/Mt9Oy1QHbzALvz2XObIvcR
-0cnG353CLQK/nobvWcwAtac5AjEA9k+1a9R6eFaO3grl9yg5XY2+MboV4wjbsDS3
-s4+MivneTPwvK6eHxtoAlYCNOAslAjEA8yy0PJw3TLBK80DryF3r/Q4wd4uYeFhN
-G6EBF0LccLB7GbKpcDHgnNjW/wObx+LXAjBeP4/G6+3U4CIYuojWMvEIaDVPp8m6
-LuiJGxLzxUjc4NF8Gb8e8CLXJxG0IxVmTXUCMQDSPJAG5rgYoUHrVPGEZU8llSLp
-99J2GUFw5Z3f0nprIukKqqA606RxdjdKeoAwLDkCMCptc0jZR3VM4w1wnwvAe0FL
-t61Ol/Q+OqWFX74JwsUU56FqPFm3Y9k7HxDILdedoQ==
------END RSA PRIVATE KEY-----`)
-
+	signingKey    = testkey.MustRSA2048()
 	streamBuilder = nodeattestortest.ServerStream(aws.PluginName)
 )
 
@@ -180,15 +168,13 @@ func (s *Suite) buildDefaultIIDDocAndSig() (docBytes []byte, sigBytes []byte, si
 	s.Require().NoError(err)
 
 	rng := rand.Reader
-	key, err := pemutil.ParseRSAPrivateKey(signingKeyPEM)
-	s.Require().NoError(err)
 
 	// doc signature
 	docHash := sha256.Sum256(docBytes)
-	sig, err := rsa.SignPKCS1v15(rng, key, crypto.SHA256, docHash[:])
+	sig, err := rsa.SignPKCS1v15(rng, signingKey, crypto.SHA256, docHash[:])
 	s.Require().NoError(err)
 
-	sigRSA2048 = s.generatePKCS7Signature(docBytes, key)
+	sigRSA2048 = s.generatePKCS7Signature(docBytes, signingKey)
 
 	return docBytes, sig, sigRSA2048
 }

diff --git a/pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go b/pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go
@@ -13,27 +13,15 @@ import (
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
 	nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
 	"github.com/spiffe/spire/pkg/common/catalog"
-	"github.com/spiffe/spire/pkg/common/pemutil"
 	sat_common "github.com/spiffe/spire/pkg/common/plugin/k8s"
 	"github.com/spiffe/spire/test/plugintest"
 	"github.com/spiffe/spire/test/spiretest"
+	"github.com/spiffe/spire/test/testkey"
 	"google.golang.org/grpc/codes"
 )
 
-var sampleKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIIBywIBAAJhAMB4gbT09H2RKXaxbu6IV9C3WY+pvkGAbrlQRIHLHwV3Xt1HchjX
-c08v1VEoTBN2YTjhZJlDb/VUsNMJsmBFBBted5geRcbrDtXFlUJ8tQoQx1dWM4Aa
-xcdULJ83A9ICKwIDAQABAmBR1asInrIphYQEtHJ/NzdnRd3tqHV9cjch0dAfA5dA
-Ar4yBYOsrkaX37WqWSDnkYgN4FWYBWn7WxeotCtA5UQ3SM5hLld67rUqAm2dLrs1
-z8va6SwLzrPTu2+rmRgovFECMQDpbfPBRex7FY/xWu1pYv6X9XZ26SrC2Wc6RIpO
-38AhKGjTFEMAPJQlud4e2+4I3KkCMQDTFLUvBSXokw2NvcNiM9Kqo5zCnCIkgc+C
-hM3EzSh2jh4gZvRzPOhXYvNKgLx8+LMCMQDL4meXlpV45Fp3eu4GsJqi65jvP7VD
-v1P0hs0vGyvbSkpUo0vqNv9G/FNQLNR6FRECMFXEMz5wxA91OOuf8HTFg9Lr+fUl
-RcY5rJxm48kUZ12Mr3cQ/kCYvftL7HkYR/4rewIxANdritlIPu4VziaEhYZg7dvz
-pG3eEhiqPxE++QHpwU78O+F1GznOPBvpZOB3GfyjNQ==
------END RSA PRIVATE KEY-----`)
-
 var (
+	sampleKey     = testkey.MustRSA2048()
 	streamBuilder = nodeattestortest.ServerStream(pluginName)
 )
 
@@ -168,11 +156,6 @@ func createPSAT(namespace, podName string) (string, error) {
 }
 
 func createSigner() (jose.Signer, error) {
-	sampleKey, err := pemutil.ParseRSAPrivateKey(sampleKeyPEM)
-	if err != nil {
-		return nil, err
-	}
-
 	sampleSigner, err := jose.NewSigner(jose.SigningKey{
 		Algorithm: jose.RS256,
 		Key:       sampleKey,

diff --git a/pkg/common/plugin/x509pop/x509pop_test.go b/pkg/common/plugin/x509pop/x509pop_test.go
@@ -1,50 +1,28 @@
 package x509pop
 
 import (
-	"crypto/ecdsa"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/pem"
 	"math/big"
 	"testing"
 
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/agentpathtemplate"
+	"github.com/spiffe/spire/test/testkey"
 	"github.com/stretchr/testify/require"
 )
 
-const (
-	testRSAKey = `-----BEGIN PRIVATE KEY-----
-MIIB5QIBADANBgkqhkiG9w0BAQEFAASCAc8wggHLAgEAAmEAszTMHP/M0ETR5FjO
-cUpKtxMc62olnUG2F4iSiNQ2n0YuFPRId+tDsiooNze3/WxJe5U4Ljbnw+LxYIAa
-hrSbWWLbpE8ZofHmb+hNAmiXQcv40VMNtJlWHUm2O5DSsOzxAgMBAAECYCqaNpv+
-Q9aPRcafRhSwsKptJMbiaSbFZGCb2xokOQgMSxA4MrIvf9xvIThfSqI4h6mNuL0g
-F4+7QbSCM9oMi4lVxqtu9ThBeUmvCuuolOdvpSjDV8Y8yRrm9d9rti1g8QIxAMlz
-jmSLj5kjJfSVVEMXsLZkoESvymtI44+wBwRdIbKI3Jn2cDJ2VYPNsTEVXaZLRwIx
-AOO7Ob6+ya1uNLeiVtsJmaHarKn/IExvzgvr9NfNAs2PifiFKLBERSf5zh8HOocy
-BwIxAMDC9/+xo0hPX6Q3t5czdf4xL0JKS5B5AHafYzeDvhjN6PjR3O4MWStziReE
-cEYNRQIxAMiaajmOUpWFWMbSJ/R2tnCO8j4lUMxESJrT1TArlWaCJKVYlwj+enTG
-Zj2K3pGtDQIwcHg1MNxehdkTQ7qOPHce09enVjaM0+uXPKAOfSyM7jPMBn4cm/1K
-qCrBUhzFaWeg
------END PRIVATE KEY-----`
-	testECDSAKey = `-----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMmjo28H7LEOxWD2t
-74mWp5XPrZwzb/VyukdPxHGOoOOhRANCAARhpK2KSCTiyeNZzrB8c2eZ4K+yZGrp
-4MpWREMXQMIwbP/QWGYXQ8GWhp16J6IYXkywB/SJnKPY+iV6Mnbxp31K
------END PRIVATE KEY-----`
+var (
+	testRSAKey   = testkey.MustRSA2048()
+	testECDSAKey = testkey.MustEC256()
 )
 
 func TestChallengeResponse(t *testing.T) {
 	require := require.New(t)
 
 	// load up RSA key and create a self-signed certificate over the public key
-	pemBlock, _ := pem.Decode([]byte(testRSAKey))
-	require.NotNil(pemBlock)
-	privateKey, err := x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
-	require.NoError(err)
-	rsaPrivateKey := privateKey.(*rsa.PrivateKey)
+	rsaPrivateKey := testRSAKey
 	rsaPublicKey := &rsaPrivateKey.PublicKey
 	rsaCert, err := createCertificate(rsaPrivateKey, rsaPublicKey)
 	require.NoError(err)
@@ -58,11 +36,7 @@ func TestChallengeResponse(t *testing.T) {
 	require.NoError(err)
 
 	// load up ECDSA key and create a self-signed certificate over the public key
-	pemBlock, _ = pem.Decode([]byte(testECDSAKey))
-	require.NotNil(pemBlock)
-	privateKey, err = x509.ParsePKCS8PrivateKey(pemBlock.Bytes)
-	require.NoError(err)
-	ecdsaPrivateKey := privateKey.(*ecdsa.PrivateKey)
+	ecdsaPrivateKey := testECDSAKey
 	ecdsaPublicKey := &ecdsaPrivateKey.PublicKey
 	ecdsaCert, err := createCertificate(ecdsaPrivateKey, ecdsaPublicKey)
 	require.NoError(err)

diff --git a/pkg/server/authpolicy/policy_test.go b/pkg/server/authpolicy/policy_test.go
@@ -231,11 +231,11 @@ func TestPolicy(t *testing.T) {
 
 			// Check with NewEngineFromConfigOrDefault
 			regoFile := filepath.Join(tmpDir, "rego_file")
-			err = os.WriteFile(regoFile, []byte(tt.rego), 0600)
+			err = os.WriteFile(regoFile, []byte(tt.rego), 0o600)
 			require.Nil(t, err, "failed to create rego_file")
 
 			permsFile := filepath.Join(tmpDir, "perms_file")
-			err = os.WriteFile(permsFile, []byte(tt.jsonData), 0600)
+			err = os.WriteFile(permsFile, []byte(tt.jsonData), 0o600)
 			require.Nil(t, err, "failed to create perms_file")
 
 			ec := authpolicy.OpaEngineConfig{
@@ -274,20 +274,20 @@ func TestNewEngineFromConfig(t *testing.T) {
 
 	// Create good policy/perms files
 	validRegoFile := filepath.Join(tmpDir, "valid_rego_file")
-	err = os.WriteFile(validRegoFile, []byte(rego), 0600)
+	err = os.WriteFile(validRegoFile, []byte(rego), 0o600)
 	require.Nil(t, err, "failed to create valid_rego_file")
 
 	validPermsFile := filepath.Join(tmpDir, "valid_perms_file")
-	err = os.WriteFile(validPermsFile, []byte(jsonData), 0600)
+	err = os.WriteFile(validPermsFile, []byte(jsonData), 0o600)
 	require.Nil(t, err, "failed to create valid_perms_file")
 
 	// Create bad policy/perms files
 	invalidRegoFile := filepath.Join(tmpDir, "invalid_rego_file")
-	err = os.WriteFile(invalidRegoFile, []byte("invalid rego"), 0600)
+	err = os.WriteFile(invalidRegoFile, []byte("invalid rego"), 0o600)
 	require.Nil(t, err, "failed to create invalid_rego_file")
 
 	invalidPermsFile := filepath.Join(tmpDir, "invalid_perms_file")
-	err = os.WriteFile(invalidPermsFile, []byte("{"), 0600)
+	err = os.WriteFile(invalidPermsFile, []byte("{"), 0o600)
 	require.Nil(t, err, "failed to create invalid_perms_file")
 
 	// Create permissions tmp file