Update cfssl

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: weekly
+

.github/workflows/docker-builds.yml

@@ -1,42 +1,59 @@
-name: Build and publish cfssl docker image
+name: cfssl docker
 
 on:
+  workflow_dispatch:
   push:
+    branches:
+      - "master"
     tags:
-      - 'v*.*.*'
-
+      - "v*"
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+    strategy:
+      matrix:
+        include:
+          # github container registry
+          - registry: "ghcr.io"
+            username: ${{ github.actor }}
+            password_secret: GITHUB_TOKEN
+            image: ghcr.io/cloudflare/cfssl
+          # docker test publish, todo: switch to service account
+          - registry: ""
+            username: nicky
+            password_secret: DOCKER_REGISTRY_TOKEN_NICKY
+            image: cfssl/cfssl
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Get tag
-        id: cfssl
-        run: echo  "::set-output name=tag::$(git describe --tags HEAD)"
-
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to the Docker hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
+          registry: ${{ matrix.registry }}
+          username: ${{ matrix.username }}
+          password: ${{ secrets[matrix.password_secret] }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ matrix.image }}
       - name: Build and push
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/s390x
           push: true
-          tags: cfssl:${{ steps.cfssl.outputs.tag }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/go.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: ["1.18", "1.19"]
+        go: [stable, oldstable]
     services:
       # Label used to access the service container
       postgres:
@@ -50,10 +50,10 @@ jobs:
       - run: psql -c 'create database certdb_development;' -U postgres;
       - run: mysql -e 'create database certdb_development;' -u root;
       - run: mysql -e 'SET global sql_mode = 0;' -u root;
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
 
@@ -64,15 +64,15 @@ jobs:
       - run: ./bin/goose -path certdb/mysql up;
       - name: Test
         run: ./test.sh
-      - uses: codecov/codecov-action@v3
+      - uses: codecov/codecov-action@v4
 
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@v5
         with:
           go-version: 1.18
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v4

.github/workflows/snapshot.yml

@@ -0,0 +1,18 @@
+name: Image snapshots
+
+on:
+  push:
+  pull_request:
+    branches: [master]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: make snapshot
+      - name: Archive snapshot artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: binaries
+          path: dist/

.goreleaser.yml

@@ -24,6 +24,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl
@@ -60,6 +61,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-bundle
@@ -96,6 +98,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-certinfo
@@ -132,6 +135,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-newkey
@@ -168,6 +172,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssl-scan
@@ -204,6 +209,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/cfssljson
@@ -240,6 +246,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/mkbundle
@@ -276,6 +283,7 @@ builds:
       - linux
     goarch:
       - amd64
+      - arm
       - arm64
       - s390x
     main: ./cmd/multirootca

Dockerfile

@@ -1,4 +1,11 @@
-FROM --platform=${BUILDPLATFORM} golang:1.19.3
+FROM --platform=${TARGETPLATFORM} golang:1.20
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" 
+
+LABEL org.opencontainers.image.source https://github.com/cloudflare/cfssl
+LABEL org.opencontainers.image.description "Cloudflare's PKI toolkit"
 
 ARG TARGETOS
 ARG TARGETARCH

Makefile

@@ -60,7 +60,7 @@ snapshot:
 	--rm \
     -v $(PWD):/cross \
     -w /cross \
-    ghcr.io/gythialy/golang-cross:v1.18 --rm-dist --snapshot --skip-publish
+    ghcr.io/goreleaser/goreleaser-cross:latest --clean --snapshot --skip-publish
 
 .PHONY: github-release
 github-release:
@@ -71,7 +71,7 @@ github-release:
 	-e GITHUB_TOKEN=$(GITHUB_TOKEN) \
     -v $(PWD):/cross \
     -w /cross \
-    ghcr.io/gythialy/golang-cross:v1.18 --rm-dist
+    ghcr.io/goreleaser/goreleaser-cross:latest --clean
 
 .PHONY: docker-build
 docker-build:

README.md

@@ -36,6 +36,7 @@ Building cfssl requires a
 $ git clone git@github.com:cloudflare/cfssl.git
 $ cd cfssl
 $ make
+$ make install
 ```
 
 The resulting binaries will be in the bin folder:

api/generator/generator.go

@@ -4,6 +4,7 @@ package generator
 import (
 	"crypto/md5"
 	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@@ -35,6 +36,7 @@ specifically, section 10.2.3 ("Information Requirements").`
 type Sum struct {
 	MD5  string `json:"md5"`
 	SHA1 string `json:"sha-1"`
+	SHA256 string `json:"sha-256"`
 }
 
 // Validator is a type of function that contains the logic for validating
@@ -97,8 +99,10 @@ func computeSum(in []byte) (sum Sum, err error) {
 
 	md5Sum := md5.Sum(data)
 	sha1Sum := sha1.Sum(data)
+	sha256Sum := sha256.Sum256(data)
 	sum.MD5 = fmt.Sprintf("%X", md5Sum[:])
 	sum.SHA1 = fmt.Sprintf("%X", sha1Sum[:])
+	sum.SHA256 = fmt.Sprintf("%X", sha256Sum[:])
 	return
 }
 

bundler/bundle.go

@@ -3,6 +3,7 @@ package bundler
 import (
 	"bytes"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -13,6 +14,7 @@ import (
 	"time"
 
 	"github.com/cloudflare/cfssl/helpers"
+	"github.com/cloudflare/cfssl/helpers/derhelpers"
 )
 
 // A Bundle contains a certificate and its trust chain. It is intended
@@ -108,6 +110,8 @@ func (b *Bundle) MarshalJSON() ([]byte, error) {
 		keyType = fmt.Sprintf("%d-bit RSA", keyLength)
 	case x509.DSA:
 		keyType = "DSA"
+	case x509.Ed25519:
+		keyType = "Ed25519"
 	default:
 		keyType = "Unknown"
 	}
@@ -119,6 +123,9 @@ func (b *Bundle) MarshalJSON() ([]byte, error) {
 	case *ecdsa.PrivateKey:
 		keyBytes, _ = x509.MarshalECPrivateKey(key)
 		keyString = PemBlockToString(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyBytes})
+	case ed25519.PrivateKey:
+		keyBytes, _ = derhelpers.MarshalEd25519PrivateKey(key)
+		keyString = PemBlockToString(&pem.Block{Type: "Ed25519 PRIVATE KEY", Bytes: keyBytes})
 	case fmt.Stringer:
 		keyString = key.String()
 	}

bundler/bundle_from_file_test.go

@@ -260,12 +260,12 @@ var fileTests = []fileTest{
 	},
 
 	// DSA is NOT supported.
-	// Keyless bundling, expect private key error "NotRSAOrECC"
+	// Keyless bundling, expect private key error "NotRSAOrECCOrEd25519"
 	{
 		cert:          certDSA2048,
 		caBundleFile:  testCFSSLRootBundle,
 		intBundleFile: testCFSSLIntBundle,
-		errorCallback: ExpectErrorMessages([]string{`"code":2200,`, `"message":"Private key algorithm is not RSA or ECC"`}),
+		errorCallback: ExpectErrorMessages([]string{`"code":2200,`, `"message":"Private key algorithm is not RSA or ECC or Ed25519"`}),
 	},
 	// Bundling with DSA private key, expect error "Failed to parse private key"
 	{

bundler/bundler.go

@@ -6,6 +6,7 @@ import (
 	"bytes"
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
@@ -398,10 +399,7 @@ func isSelfSigned(cert *x509.Certificate) bool {
 }
 
 func isChainRootNode(cert *x509.Certificate) bool {
-	if isSelfSigned(cert) {
-		return true
-	}
-	return false
+	return isSelfSigned(cert)
 }
 
 func (b *Bundler) verifyChain(chain []*fetchedIntermediate) bool {
@@ -555,7 +553,7 @@ func (b *Bundler) fetchIntermediates(certs []*x509.Certificate) (err error) {
 
 // Bundle takes an X509 certificate (already in the
 // Certificate structure), a private key as crypto.Signer in one of the appropriate
-// formats (i.e. *rsa.PrivateKey or *ecdsa.PrivateKey, or even a opaque key), using them to
+// formats (i.e. *rsa.PrivateKey, *ecdsa.PrivateKey or ed25519.PrivateKey, or even a opaque key), using them to
 // build a certificate bundle.
 func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor BundleFlavor) (*Bundle, error) {
 	log.Infof("bundling certificate for %+v", certs[0].Subject)
@@ -576,7 +574,6 @@ func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor Bu
 	if key != nil {
 		switch {
 		case cert.PublicKeyAlgorithm == x509.RSA:
-
 			var rsaPublicKey *rsa.PublicKey
 			if rsaPublicKey, ok = key.Public().(*rsa.PublicKey); !ok {
 				return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
@@ -592,15 +589,24 @@ func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor Bu
 			if cert.PublicKey.(*ecdsa.PublicKey).X.Cmp(ecdsaPublicKey.X) != 0 {
 				return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
 			}
+		case cert.PublicKeyAlgorithm == x509.Ed25519:
+			var ed25519PublicKey ed25519.PublicKey
+			if ed25519PublicKey, ok = key.Public().(ed25519.PublicKey); !ok {
+				return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
+			}
+			if !(bytes.Equal(cert.PublicKey.(ed25519.PublicKey), ed25519PublicKey)) {
+				return nil, errors.New(errors.PrivateKeyError, errors.KeyMismatch)
+			}
 		default:
-			return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECC)
+			return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECCOrEd25519)
 		}
 	} else {
 		switch {
 		case cert.PublicKeyAlgorithm == x509.RSA:
 		case cert.PublicKeyAlgorithm == x509.ECDSA:
+		case cert.PublicKeyAlgorithm == x509.Ed25519:
 		default:
-			return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECC)
+			return nil, errors.New(errors.PrivateKeyError, errors.NotRSAOrECCOrEd25519)
 		}
 	}