ReadCertificate[Bundle|Request] PEM check whole file for PEM header. (#…

…311)

* linter fixes

go.mod

@@ -1,6 +1,6 @@
 module go.step.sm/crypto
 
-go 1.18
+go 1.20
 
 require (
 	cloud.google.com/go/kms v1.15.1

jose/parse.go

@@ -375,7 +375,7 @@ func guessSignatureAlgorithm(key crypto.PrivateKey) SignatureAlgorithm {
 
 // guessKnownJWKAlgorithm sets the algorithm for keys that only have one
 // possible algorithm.
-func guessKnownJWKAlgorithm(ctx *context, jwk *JSONWebKey) {
+func guessKnownJWKAlgorithm(_ *context, jwk *JSONWebKey) {
 	if jwk.Algorithm == "" && jwk.Use != "enc" {
 		switch k := jwk.Key.(type) {
 		case *ecdsa.PrivateKey:

keyutil/key_test.go

@@ -50,9 +50,9 @@ yBf6oiIb/beb/pTFqSy86KUe+E4Y5SSlEz2lqg79WIosZgkHbSBsmU7hGg==
 
 type badSSHPublicKey struct{}
 
-func (k *badSSHPublicKey) Type() string                                 { return "foo" }
-func (k *badSSHPublicKey) Marshal() []byte                              { return []byte("bar") }
-func (k *badSSHPublicKey) Verify(data []byte, sig *ssh.Signature) error { return nil }
+func (k *badSSHPublicKey) Type() string                            { return "foo" }
+func (k *badSSHPublicKey) Marshal() []byte                         { return []byte("bar") }
+func (k *badSSHPublicKey) Verify(_ []byte, _ *ssh.Signature) error { return nil }
 
 func must(args ...interface{}) interface{} {
 	if err := args[len(args)-1]; err != nil {
@@ -63,6 +63,7 @@ func must(args ...interface{}) interface{} {
 
 var randReader = rand.Reader
 
+//nolint:gocritic // ignore sloppy func name due to function signature
 func cleanupRandReader(t *testing.T) {
 	rr := rand.Reader
 	t.Cleanup(func() {
@@ -81,7 +82,7 @@ func (zeroReader) Read(buf []byte) (int, error) {
 
 type eofReader struct{}
 
-func (eofReader) Read(buf []byte) (int, error) {
+func (eofReader) Read(_ []byte) (int, error) {
 	return 0, io.EOF
 }
 

kms/awskms/awskms.go

@@ -74,7 +74,7 @@ var customerMasterKeySpecMapping = map[apiv1.SignatureAlgorithm]interface{}{
 //
 // AWS sessions can also be configured with environment variables, see docs at
 // https://docs.aws.amazon.com/sdk-for-go/api/aws/session/ for all the options.
-func New(ctx context.Context, opts apiv1.Options) (*KMS, error) {
+func New(_ context.Context, opts apiv1.Options) (*KMS, error) {
 	var o session.Options
 
 	if opts.URI != "" {

kms/awskms/signer.go

@@ -61,7 +61,7 @@ func (s *Signer) Public() crypto.PublicKey {
 }
 
 // Sign signs digest with the private key stored in the AWS KMS.
-func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
 	alg, err := getSigningAlgorithm(s.Public(), opts)
 	if err != nil {
 		return nil, err

kms/azurekms/signer.go

@@ -70,7 +70,7 @@ func (s *Signer) Public() crypto.PublicKey {
 }
 
 // Sign signs digest with the private key stored in the Azure Key Vault.
-func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
 	alg, err := getSigningAlgorithm(s.Public(), opts)
 	if err != nil {
 		return nil, err

kms/cloudkms/decrypter.go

@@ -90,7 +90,7 @@ func validateOAEPOptions(o *rsa.OAEPOptions) error {
 // for those cases.
 //
 // Also see https://cloud.google.com/kms/docs/algorithms#asymmetric_encryption_algorithms.
-func (d *Decrypter) Decrypt(rand io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) {
+func (d *Decrypter) Decrypt(_ io.Reader, ciphertext []byte, opts crypto.DecrypterOpts) ([]byte, error) {
 	if opts == nil {
 		opts = &rsa.OAEPOptions{}
 	}

kms/cloudkms/signer.go

@@ -56,7 +56,7 @@ func (s *Signer) Public() crypto.PublicKey {
 }
 
 // Sign signs digest with the private key stored in Google's Cloud KMS.
-func (s *Signer) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
+func (s *Signer) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
 	req := &kmspb.AsymmetricSignRequest{
 		Name:   s.signingKey,
 		Digest: &kmspb.Digest{},

kms/pkcs11/other_test.go

@@ -124,7 +124,7 @@ func (s *stubPKCS11) DeleteCertificate(id, label []byte, serial *big.Int) error
 	return nil
 }
 
-func (s *stubPKCS11) GenerateRSAKeyPairWithAttributes(public, private crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error) {
+func (s *stubPKCS11) GenerateRSAKeyPairWithAttributes(public, _ crypto11.AttributeSet, bits int) (crypto11.SignerDecrypter, error) {
 	var id, label []byte
 	if v := public[crypto11.CkaId]; v != nil {
 		id = v.Value

kms/pkcs11/pkcs11.go

@@ -76,7 +76,7 @@ type PKCS11 struct {
 //   - pkcs11:token=smallstep;id=0a10;object=ec-key?pin-value=password
 //   - pkcs11:token=smallstep;id=%0a%10?pin-source=/path/to/pin.txt
 //   - pkcs11:token=smallstep;object=ec-key?pin-value=password
-func New(ctx context.Context, opts apiv1.Options) (*PKCS11, error) {
+func New(_ context.Context, opts apiv1.Options) (*PKCS11, error) {
 	if opts.URI == "" {
 		return nil, errors.New("kms uri is required")
 	}

kms/softkms/softkms.go

@@ -53,7 +53,7 @@ var generateKey = func(kty, crv string, size int) (interface{}, interface{}, err
 type SoftKMS struct{}
 
 // New returns a new SoftKMS.
-func New(ctx context.Context, opts apiv1.Options) (*SoftKMS, error) {
+func New(_ context.Context, _ apiv1.Options) (*SoftKMS, error) {
 	return &SoftKMS{}, nil
 }
 

kms/sshagentkms/sshagentkms.go

@@ -35,7 +35,7 @@ type SSHAgentKMS struct {
 }
 
 // New returns a new SSHAgentKMS.
-func New(ctx context.Context, opts apiv1.Options) (*SSHAgentKMS, error) {
+func New(_ context.Context, _ apiv1.Options) (*SSHAgentKMS, error) {
 	socket := os.Getenv("SSH_AUTH_SOCK")
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
@@ -51,7 +51,7 @@ func New(ctx context.Context, opts apiv1.Options) (*SSHAgentKMS, error) {
 
 // NewFromAgent initializes an SSHAgentKMS from a given agent, this method is
 // used for testing purposes.
-func NewFromAgent(ctx context.Context, opts apiv1.Options, agentClient agent.Agent) (*SSHAgentKMS, error) {
+func NewFromAgent(_ context.Context, _ apiv1.Options, agentClient agent.Agent) (*SSHAgentKMS, error) {
 	return &SSHAgentKMS{
 		agentClient: agentClient,
 	}, nil
@@ -193,7 +193,7 @@ func (k *SSHAgentKMS) CreateSigner(req *apiv1.CreateSignerRequest) (crypto.Signe
 }
 
 // CreateKey generates a new key and returns both public and private key.
-func (k *SSHAgentKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
+func (k *SSHAgentKMS) CreateKey(_ *apiv1.CreateKeyRequest) (*apiv1.CreateKeyResponse, error) {
 	return nil, errors.Errorf("SSHAgentKMS doesn't support generating keys")
 }
 

kms/tpmkms/tpmkms.go

@@ -139,7 +139,7 @@ var signatureAlgorithmMapping = map[apiv1.SignatureAlgorithm]algorithmAttributes
 // The TPMKMS implementation is backed by an instance of the TPM from
 // the `tpm` package. If the TPMKMS operations aren't sufficient for
 // your use case, use a tpm.TPM instance instead.
-func New(ctx context.Context, opts apiv1.Options) (kms *TPMKMS, err error) {
+func New(_ context.Context, opts apiv1.Options) (kms *TPMKMS, err error) {
 	kms = &TPMKMS{
 		identityEarlyRenewalEnabled:     true,
 		identityRenewalPeriodPercentage: 60, // default to AK certificate renewal at 60% of lifetime

kms/yubikey/yubikey.go

@@ -72,7 +72,7 @@ var pivOpen = func(card string) (pivKey, error) {
 //
 // If the pin or the management-key are not provided, we will use the default
 // ones.
-func New(ctx context.Context, opts apiv1.Options) (*YubiKey, error) {
+func New(_ context.Context, opts apiv1.Options) (*YubiKey, error) {
 	pin := "123456"
 	managementKey := piv.DefaultManagementKey
 

minica/minica_test.go

@@ -23,7 +23,7 @@ func (p badSigner) Public() crypto.PublicKey {
 	return []byte("foo")
 }
 
-func (p badSigner) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
+func (p badSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
 	return nil, errors.New("foo")
 }
 

pemutil/pem.go

@@ -44,6 +44,9 @@ var PromptPassword PasswordPrompter
 // check if a file exists and prompts the user if it should be overwritten.
 var WriteFile FileWriter = utils.WriteFile
 
+// PEMBlockHeader is the expected header for any PEM formatted block.
+var PEMBlockHeader = []byte("-----BEGIN ")
+
 // context add options to the pem methods.
 type context struct {
 	filename         string
@@ -282,7 +285,7 @@ func ReadCertificate(filename string, opts ...Options) (*x509.Certificate, error
 	}
 
 	// PEM format
-	if bytes.HasPrefix(b, []byte("-----BEGIN ")) {
+	if bytes.Contains(b, PEMBlockHeader) {
 		var crt interface{}
 		crt, err = Read(filename, opts...)
 		if err != nil {
@@ -311,7 +314,7 @@ func ReadCertificateBundle(filename string) ([]*x509.Certificate, error) {
 	}
 
 	// PEM format
-	if bytes.HasPrefix(b, []byte("-----BEGIN ")) {
+	if bytes.Contains(b, PEMBlockHeader) {
 		var block *pem.Block
 		var bundle []*x509.Certificate
 		for len(b) > 0 {
@@ -352,7 +355,7 @@ func ReadCertificateRequest(filename string) (*x509.CertificateRequest, error) {
 	}
 
 	// PEM format
-	if bytes.HasPrefix(b, []byte("-----BEGIN ")) {
+	if bytes.Contains(b, PEMBlockHeader) {
 		csr, err := Parse(b, WithFilename(filename))
 		if err != nil {
 			return nil, err

pemutil/pem_test.go

@@ -338,6 +338,7 @@ func TestReadCertificate(t *testing.T) {
 		err  error
 	}{
 		{"testdata/ca.crt", nil, nil},
+		{"testdata/nonPEMHeaderCa.crt", nil, nil},
 		{"testdata/ca.der", nil, nil},
 		{"testdata/bundle.crt", []Options{WithFirstBlock()}, nil},
 		{"testdata/bundle.crt", nil, errors.New("error decoding testdata/bundle.crt: contains more than one PEM encoded block")},
@@ -370,6 +371,7 @@ func TestReadCertificateBundle(t *testing.T) {
 		err error
 	}{
 		{"testdata/ca.crt", 1, nil},
+		{"testdata/nonPEMHeaderCa.crt", 1, nil},
 		{"testdata/ca.der", 1, nil},
 		{"testdata/bundle.crt", 2, nil},
 		{"testdata/notexists.crt", 0, errors.New("error reading testdata/notexists.crt: no such file or directory")},

pemutil/testdata/nonPEMHeaderCa.crt

@@ -0,0 +1,45 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            fe:9f:60:35:b0:13:ba:d4:be:fb:84:ec:70:ed:3d:ed
+        Signature Algorithm: ecdsa-with-SHA256
+        Issuer: CN = testroot
+        Validity
+            Not Before: Aug 15 17:50:02 2023 GMT
+            Not After : Aug 16 17:50:02 2023 GMT
+        Subject: CN = testroot
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                pub:
+                    04:bf:f8:db:3c:7a:c2:a4:b2:f5:51:e9:43:80:98:
+                    68:b2:1b:62:25:11:a7:de:03:74:27:6a:04:82:99:
+                    9a:7d:da:e7:a6:a6:a5:12:ad:c9:de:65:61:12:00:
+                    a6:6d:39:b6:46:d8:f5:b4:a8:77:69:da:1f:35:2b:
+                    28:70:33:1e:90
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE, pathlen:1
+            X509v3 Subject Key Identifier:
+                38:E0:29:66:91:8C:E3:42:0F:85:A5:BA:78:B6:1F:49:E3:34:33:D5
+    Signature Algorithm: ecdsa-with-SHA256
+    Signature Value:
+        30:45:02:20:37:78:01:d9:e7:4d:9c:2c:2f:3c:09:41:8a:2f:
+        3f:65:b5:6a:31:eb:10:a9:92:a0:74:98:d6:9c:50:45:1c:56:
+        02:21:00:bf:b5:53:37:97:f0:f5:14:df:22:00:22:47:4f:7d:
+        41:c5:5d:b6:24:58:e4:d2:09:b1:3d:9b:7b:0f:3f:cb:ba
+-----BEGIN CERTIFICATE-----
+MIIBajCCARCgAwIBAgIRAP6fYDWwE7rUvvuE7HDtPe0wCgYIKoZIzj0EAwIwEzER
+MA8GA1UEAxMIdGVzdHJvb3QwHhcNMjMwODE1MTc1MDAyWhcNMjMwODE2MTc1MDAy
+WjATMREwDwYDVQQDEwh0ZXN0cm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA
+BL/42zx6wqSy9VHpQ4CYaLIbYiURp94DdCdqBIKZmn3a56ampRKtyd5lYRIApm05
+tkbY9bSod2naHzUrKHAzHpCjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8E
+CDAGAQH/AgEBMB0GA1UdDgQWBBQ44ClmkYzjQg+Fpbp4th9J4zQz1TAKBggqhkjO
+PQQDAgNIADBFAiA3eAHZ502cLC88CUGKLz9ltWox6xCpkqB0mNacUEUcVgIhAL+1
+UzeX8PUU3yIAIkdPfUHFXbYkWOTSCbE9m3sPP8u6
+-----END CERTIFICATE-----

sshutil/certificate_test.go

@@ -26,7 +26,7 @@ func (b *badSigner) Sign(r io.Reader, data []byte) (*ssh.Signature, error) {
 	return nil, fmt.Errorf("an error")
 }
 
-func (b *badSigner) SignWithAlgorithm(r io.Reader, data []byte, algorithm string) (*ssh.Signature, error) {
+func (b *badSigner) SignWithAlgorithm(_ io.Reader, data []byte, algorithm string) (*ssh.Signature, error) {
 	return nil, fmt.Errorf("an error")
 }
 

tlsutil/renewer.go

@@ -127,21 +127,21 @@ func (r *Renewer) Stop() bool {
 // GetCertificate returns the current server certificate.
 //
 // This method is set in the tls.Config GetCertificate property.
-func (r *Renewer) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+func (r *Renewer) GetCertificate(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
 	return r.getCertificate(), nil
 }
 
 // GetClientCertificate returns the current client certificate.
 //
 // This method is set in the tls.Config GetClientCertificate property.
-func (r *Renewer) GetClientCertificate(hello *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+func (r *Renewer) GetClientCertificate(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
 	return r.getCertificate(), nil
 }
 
 // GetConfigForClient returns the tls.Config used per request.
 //
 // This method is set in the tls.Config GetConfigForClient property.
-func (r *Renewer) GetConfigForClient(hello *tls.ClientHelloInfo) (*tls.Config, error) {
+func (r *Renewer) GetConfigForClient(_ *tls.ClientHelloInfo) (*tls.Config, error) {
 	return r.getConfigForClient(), nil
 }
 

tpm/random.go

@@ -29,7 +29,7 @@ func (t *TPM) GenerateRandom(ctx context.Context, size uint16) (random []byte, e
 	return t.generateRandom(ctx, size)
 }
 
-func (t *TPM) generateRandom(ctx context.Context, size uint16) (random []byte, err error) {
+func (t *TPM) generateRandom(_ context.Context, size uint16) (random []byte, err error) {
 	random, err = tpm2.GetRandom(t.rwc, size)
 	if err != nil {
 		return nil, fmt.Errorf("failed generating random data: %w", err)