Synchronize with upstream

.dockerignore

@@ -2,3 +2,4 @@ cfssl_*
 *-amd64
 *-386
 dist/*
+.git

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+

.github/workflows/docker-builds.yml

@@ -1,42 +1,59 @@
-name: Build and publish cfssl docker image
+name: cfssl docker
 
 on:
+  workflow_dispatch:
   push:
+    branches:
+      - "master"
     tags:
-      - 'v*.*.*'
-
+      - "v*"
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+    strategy:
+      matrix:
+        include:
+          # github container registry
+          - registry: "ghcr.io"
+            username: ${{ github.actor }}
+            password_secret: GITHUB_TOKEN
+            image: ghcr.io/cloudflare/cfssl
+          # docker test publish, todo: switch to service account
+          - registry: ""
+            username: nicky
+            password_secret: DOCKER_REGISTRY_TOKEN_NICKY
+            image: cfssl/cfssl
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Get tag
-        id: cfssl
-        run: echo  "::set-output name=tag::$(git describe --tags HEAD)"
-
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to the Docker hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
+          registry: ${{ matrix.registry }}
+          username: ${{ matrix.username }}
+          password: ${{ secrets[matrix.password_secret] }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ matrix.image }}
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/s390x
           push: true
-          tags: cfssl:${{ steps.cfssl.outputs.tag }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/go.yml

@@ -10,7 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: ["1.18", "1.19"]
+        # starting with go 1.24 the GODEBUG=x509sha1=1 flag has been removed.
+        # many tests rely on sha1 certificates. After resolving #1413 we can
+        # run these on stable and oldstable again. Min version (1.20) can
+        # always be run.
+        go: ['1.23', '1.22', '1.20']
     services:
       # Label used to access the service container
       postgres:
@@ -50,10 +54,10 @@ jobs:
       - run: psql -c 'create database certdb_development;' -U postgres;
       - run: mysql -e 'create database certdb_development;' -u root;
       - run: mysql -e 'SET global sql_mode = 0;' -u root;
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
 
@@ -64,15 +68,21 @@ jobs:
       - run: ./bin/goose -path certdb/mysql up;
       - name: Test
         run: ./test.sh
-      - uses: codecov/codecov-action@v3
+      - uses: codecov/codecov-action@v4
 
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.18
-      - uses: actions/checkout@v3
+          go-version: "1.20"
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v6
+        with:
+          # There is a breaking change in 1.58 that causes the linter not to recognize 
+          # internal imports or standard library imports and results in linting errors
+          # that cannot be ignored.
+          # e.g certdb/certdb.go:5:2: could not import encoding/json (Config.Importer.Import(encoding/json) returned nil but no error) (typecheck)
+          version: v1.57

.github/workflows/semgrep.yml

@@ -0,0 +1,24 @@
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push: 
+    branches:
+      - main
+      - master
+  schedule:
+    - cron: '0 0 * * *'
+name: Semgrep config
+jobs:
+  semgrep:
+    name: semgrep/ci
+    runs-on: ubuntu-latest
+    env:
+      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      SEMGREP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_APP_URL: https://cloudflare.semgrep.dev
+      SEMGREP_VERSION_CHECK_URL: https://cloudflare.semgrep.dev/api/check-version
+    container:
+      image: semgrep/semgrep
+    steps:
+      - uses: actions/checkout@v4
+      - run: semgrep ci

.github/workflows/snapshot.yml

@@ -0,0 +1,18 @@
+name: Image snapshots
+
+on:
+  push:
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make snapshot
+      - name: Archive snapshot artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries
+          path: dist/

.golangci.yaml

@@ -5,6 +5,4 @@ linters:
     - gosimple
     - ineffassign
     - unused
-    - deadcode
     - errcheck
-    - varcheck

.goreleaser.yml

@@ -24,6 +24,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl
@@ -60,6 +61,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-bundle
@@ -96,6 +98,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-certinfo
@@ -132,6 +135,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-newkey
@@ -168,6 +172,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-scan
@@ -204,6 +209,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssljson
@@ -240,6 +246,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/mkbundle
@@ -276,6 +283,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/multirootca

Dockerfile

@@ -1,4 +1,11 @@
-FROM --platform=${BUILDPLATFORM} golang:1.19.3
+FROM --platform=${TARGETPLATFORM} golang:1.20
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" 
+
+LABEL org.opencontainers.image.source https://github.com/cloudflare/cfssl
+LABEL org.opencontainers.image.description "Cloudflare's PKI toolkit"
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile.alpine

@@ -1,4 +1,4 @@
-FROM golang:1.16.15-alpine3.15@sha256:9743f230f26d1e300545f0330fd4a514f554c535d967563ee77bf634906502b6 as builder
+FROM golang:1.20-alpine AS builder
 
 WORKDIR /workdir
 COPY . /workdir

Makefile

@@ -60,7 +60,7 @@ snapshot:
 	--rm \
     -v $(PWD):/cross \
     -w /cross \
-    ghcr.io/gythialy/golang-cross:v1.18 --rm-dist --snapshot --skip-publish
+    ghcr.io/goreleaser/goreleaser-cross:latest --clean --snapshot --skip=publish
 
 .PHONY: github-release
 github-release:
@@ -71,17 +71,10 @@ github-release:
 	-e GITHUB_TOKEN=$(GITHUB_TOKEN) \
     -v $(PWD):/cross \
     -w /cross \
-    ghcr.io/gythialy/golang-cross:v1.18 --rm-dist
-
-.PHONY: docker-build
-docker-build:
-	docker build -f Dockerfile -t cfssl/cfssl:$(VERSION) .
-.PHONY: docker-push
-docker-push:
-	docker push cfssl/cfssl:$(VERSION)
+    ghcr.io/goreleaser/goreleaser-cross:latest --clean
 
 .PHONY: release
-release: github-release docker-build docker-push
+release: github-release
 
 BUILD_PATH   := $(CURDIR)/build
 INSTALL_PATH := $(BUILD_PATH)/usr/local/bin

README.md

@@ -8,7 +8,7 @@
 
 CFSSL is CloudFlare's PKI/TLS swiss army knife. It is both a command line
 tool and an HTTP API server for signing, verifying, and bundling TLS
-certificates. It requires Go 1.16+ to build.
+certificates. It requires Go 1.20+ to build.
 
 Note that certain linux distributions have certain algorithms removed
 (RHEL-based distributions in particular), so the golang from the
@@ -30,12 +30,13 @@ CFSSL consists of:
 ### Building
 
 Building cfssl requires a
-[working Go 1.16+ installation](http://golang.org/doc/install).
+[working Go 1.20+ installation](http://golang.org/doc/install).
 
 ```
 $ git clone git@github.com:cloudflare/cfssl.git
 $ cd cfssl
 $ make
+$ make install
 ```
 
 The resulting binaries will be in the bin folder:
@@ -60,32 +61,9 @@ You can set the `GOOS` and `GOARCH` environment variables to have Go cross compi
 
 ### Installation
 
-Installation requires a [working Go 1.16+ installation](http://golang.org/doc/install).
+Installation requires a [working Go 1.20+ installation](http://golang.org/doc/install).
 Alternatively, [prebuilt binaries are available](https://github.com/cloudflare/cfssl/releases)
 
-```
-$ go get github.com/cloudflare/cfssl/cmd/cfssl
-```
-
-will download, build, and install the CFSSL tool.
-
-To install any of the other utility programs that are
-in this repo (for instance `cfssljson` in this case):
-
-```
-$ go get github.com/cloudflare/cfssl/cmd/cfssljson
-```
-
-This will download, build, and install the CFSSLJSON tool.
-
-And to simply install __all__ of the programs in this repo:
-
-```
-$ go get github.com/cloudflare/cfssl/cmd/...
-```
-
-if you are above go 1.18:
-
 ```
 $ go install github.com/cloudflare/cfssl/cmd/...@latest
 ```

api/bundle/bundle_test.go

@@ -184,7 +184,6 @@ var bundleTests = []bundleTest{
 }
 
 func TestBundle(t *testing.T) {
-	t.Skip("expired cert https://github.com/cloudflare/cfssl/issues/1237")
 	for i, test := range bundleTests {
 		resp, body := testBundleFile(t, test.Domain, test.IP, test.CertFile, test.KeyFile, test.Flavor)
 		if resp.StatusCode != test.ExpectedHTTPStatus {