diff --git a/src/go.mod b/src/go.mod
index 37010bd49..55fd388f7 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -11,7 +11,7 @@ require (
 	code.cloudfoundry.org/go-loggregator/v9 v9.2.1
 	code.cloudfoundry.org/go-metric-registry v0.0.0-20240604201903-7cef498efb7a
 	code.cloudfoundry.org/go-pubsub v0.0.0-20240509170011-216eb11c629b
-	code.cloudfoundry.org/tlsconfig v0.0.0-20240705175211-7a5a6eee6ef2
+	code.cloudfoundry.org/tlsconfig v0.0.0-20240710175717-1267031d8b88
 	github.com/cloudfoundry/noaa/v2 v2.4.0
 	github.com/cloudfoundry/sonde-go v0.0.0-20240620221854-09ef53324489
 	github.com/gorilla/handlers v1.5.2
@@ -44,12 +44,12 @@ require (
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/square/certstrap v1.3.0 // indirect
-	go.step.sm/crypto v0.48.1 // indirect
+	go.step.sm/crypto v0.49.0 // indirect
 	golang.org/x/crypto v0.25.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/tools v0.23.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240709173604-40e1e62336c5 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/src/go.sum b/src/go.sum
index 129f4e655..bfc919e91 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -10,8 +10,8 @@ code.cloudfoundry.org/go-metric-registry v0.0.0-20240604201903-7cef498efb7a h1:X
 code.cloudfoundry.org/go-metric-registry v0.0.0-20240604201903-7cef498efb7a/go.mod h1:/Be8VtLiCeMUoYdUzFtmW8GGkk89HAy3zD79KUXzbhs=
 code.cloudfoundry.org/go-pubsub v0.0.0-20240509170011-216eb11c629b h1:BU6KPaRKN6oV7Diy/Qtf6JOW70S8qLYVtV1KNdjPiKo=
 code.cloudfoundry.org/go-pubsub v0.0.0-20240509170011-216eb11c629b/go.mod h1:QxOFtPAFdKuZ2+ZsNW9GcMfxc8wAucVJ7dCuai+H6+s=
-code.cloudfoundry.org/tlsconfig v0.0.0-20240705175211-7a5a6eee6ef2 h1:NshqakKzYrzWzyS4/s8dOnApz3K+JQaH08PLJFCNCvc=
-code.cloudfoundry.org/tlsconfig v0.0.0-20240705175211-7a5a6eee6ef2/go.mod h1:iEDSnf9426uabZKMY+OdX3nnkJiwBgx1FK6IVfdiZxo=
+code.cloudfoundry.org/tlsconfig v0.0.0-20240710175717-1267031d8b88 h1:JxjCPf3ECmPGP1FEfHhfQ/OuJ1QmCqo9iHz2mT9mny4=
+code.cloudfoundry.org/tlsconfig v0.0.0-20240710175717-1267031d8b88/go.mod h1:n7UurXnHf6MFMvzfLN1VGT9W7hwL8Pm5EMrURWs6Yig=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM=
@@ -112,8 +112,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-go.step.sm/crypto v0.48.1 h1:Z13PjRjL4bQN44L1mOIABUYLrpDQexam3yAEcf3q9hE=
-go.step.sm/crypto v0.48.1/go.mod h1:np/n/iXF3tBX/WXKyDIgz8iHT7mqmGHppTr9MKqw5gY=
+go.step.sm/crypto v0.49.0 h1:J4qW5/ODYeHJFAM4PuNLSHKBMGWh4iwX6Tcrsp42r+U=
+go.step.sm/crypto v0.49.0/go.mod h1:NCFMhLS6FJXQ9sD9PP282oHtsBWLrI6wXZY0eOkq7t8=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -157,8 +157,8 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b h1:04+jVzTs2XBnOZcPsLnmrTGqltqJbZQ1Ey26hjYdQQ0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240709173604-40e1e62336c5 h1:SbSDUWW1PAO24TNpLdeheoYPd7kllICcLU52x6eD4kQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240709173604-40e1e62336c5/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
 google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc=
 google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
diff --git a/src/vendor/go.step.sm/crypto/pemutil/pem.go b/src/vendor/go.step.sm/crypto/pemutil/pem.go
index 0ca385c44..2ad4ce703 100644
--- a/src/vendor/go.step.sm/crypto/pemutil/pem.go
+++ b/src/vendor/go.step.sm/crypto/pemutil/pem.go
@@ -5,6 +5,7 @@ package pemutil
 
 import (
 	"bytes"
+	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
@@ -732,24 +733,48 @@ func ParseSSH(b []byte) (interface{}, error) {
 			return nil, errors.Wrap(err, "error unmarshaling key")
 		}
 
-		key := new(ecdsa.PublicKey)
+		var c ecdh.Curve
 		switch w.Name {
 		case ssh.KeyAlgoECDSA256:
-			key.Curve = elliptic.P256()
+			c = ecdh.P256()
 		case ssh.KeyAlgoECDSA384:
-			key.Curve = elliptic.P384()
+			c = ecdh.P384()
 		case ssh.KeyAlgoECDSA521:
-			key.Curve = elliptic.P521()
+			c = ecdh.P521()
 		default:
 			return nil, errors.Errorf("unsupported ecdsa curve %s", w.Name)
 		}
 
-		key.X, key.Y = elliptic.Unmarshal(key.Curve, w.KeyBytes)
-		if key.X == nil || key.Y == nil {
-			return nil, errors.New("invalid ecdsa curve point")
+		var p *ecdh.PublicKey
+		if p, err = c.NewPublicKey(w.KeyBytes); err != nil {
+			return nil, errors.Wrapf(err, "failed decoding %s key", w.Name)
+		}
+
+		// convert ECDH public key to ECDSA public key to keep
+		// the returned type backwards compatible.
+		rawKey := p.Bytes()
+		switch p.Curve() {
+		case ecdh.P256():
+			return &ecdsa.PublicKey{
+				Curve: elliptic.P256(),
+				X:     big.NewInt(0).SetBytes(rawKey[1:33]),
+				Y:     big.NewInt(0).SetBytes(rawKey[33:]),
+			}, nil
+		case ecdh.P384():
+			return &ecdsa.PublicKey{
+				Curve: elliptic.P384(),
+				X:     big.NewInt(0).SetBytes(rawKey[1:49]),
+				Y:     big.NewInt(0).SetBytes(rawKey[49:]),
+			}, nil
+		case ecdh.P521():
+			return &ecdsa.PublicKey{
+				Curve: elliptic.P521(),
+				X:     big.NewInt(0).SetBytes(rawKey[1:67]),
+				Y:     big.NewInt(0).SetBytes(rawKey[67:]),
+			}, nil
+		default:
+			return nil, errors.New("cannot convert non-NIST *ecdh.PublicKey to *ecdsa.PublicKey")
 		}
-		return key, nil
-
 	case ssh.KeyAlgoED25519:
 		var w struct {
 			Name string
@@ -759,10 +784,8 @@ func ParseSSH(b []byte) (interface{}, error) {
 			return nil, errors.Wrap(err, "error unmarshaling key")
 		}
 		return ed25519.PublicKey(w.KeyBytes), nil
-
 	case ssh.KeyAlgoDSA:
-		return nil, errors.Errorf("step does not support DSA keys")
-
+		return nil, errors.Errorf("DSA keys not supported")
 	default:
 		return nil, errors.Errorf("unsupported key type %T", key)
 	}
diff --git a/src/vendor/go.step.sm/crypto/pemutil/ssh.go b/src/vendor/go.step.sm/crypto/pemutil/ssh.go
index e31258e1d..00698dae1 100644
--- a/src/vendor/go.step.sm/crypto/pemutil/ssh.go
+++ b/src/vendor/go.step.sm/crypto/pemutil/ssh.go
@@ -10,7 +10,6 @@ import (
 	"crypto/cipher"
 	"crypto/ecdsa"
 	"crypto/ed25519"
-	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/binary"
@@ -188,7 +187,10 @@ func SerializeOpenSSHPrivateKey(key crypto.PrivateKey, opts ...Options) (*pem.Bl
 			return nil, errors.Errorf("error serializing key: unsupported curve %s", k.Curve.Params().Name)
 		}
 
-		pub := elliptic.Marshal(k.Curve, k.PublicKey.X, k.PublicKey.Y)
+		p, err := k.PublicKey.ECDH()
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed converting *ecdsa.PublicKey to *ecdh.PublicKey")
+		}
 
 		// Marshal public key.
 		pubKey := struct {
@@ -196,7 +198,7 @@ func SerializeOpenSSHPrivateKey(key crypto.PrivateKey, opts ...Options) (*pem.Bl
 			Curve   string
 			Pub     []byte
 		}{
-			keyType, curve, pub,
+			keyType, curve, p.Bytes(),
 		}
 		w.PubKey = ssh.Marshal(pubKey)
 
@@ -207,7 +209,7 @@ func SerializeOpenSSHPrivateKey(key crypto.PrivateKey, opts ...Options) (*pem.Bl
 			D       *big.Int
 			Comment string
 		}{
-			curve, pub, k.D,
+			curve, p.Bytes(), k.D,
 			ctx.comment,
 		}
 		pk1.Keytype = keyType
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index c7923078e..edf7ac9bf 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -19,8 +19,8 @@ code.cloudfoundry.org/go-metric-registry
 code.cloudfoundry.org/go-pubsub
 code.cloudfoundry.org/go-pubsub/internal/node
 code.cloudfoundry.org/go-pubsub/pubsub-gen/setters
-# code.cloudfoundry.org/tlsconfig v0.0.0-20240705175211-7a5a6eee6ef2
-## explicit; go 1.19
+# code.cloudfoundry.org/tlsconfig v0.0.0-20240710175717-1267031d8b88
+## explicit; go 1.21
 code.cloudfoundry.org/tlsconfig
 code.cloudfoundry.org/tlsconfig/certtest
 # filippo.io/edwards25519 v1.1.0
@@ -172,8 +172,8 @@ github.com/prometheus/procfs/internal/util
 # github.com/square/certstrap v1.3.0
 ## explicit; go 1.18
 github.com/square/certstrap/pkix
-# go.step.sm/crypto v0.48.1
-## explicit; go 1.20
+# go.step.sm/crypto v0.49.0
+## explicit; go 1.21
 go.step.sm/crypto/fingerprint
 go.step.sm/crypto/internal/bcrypt_pbkdf
 go.step.sm/crypto/internal/emoji
@@ -240,7 +240,7 @@ golang.org/x/text/unicode/norm
 ## explicit; go 1.19
 golang.org/x/tools/cover
 golang.org/x/tools/go/ast/inspector
-# google.golang.org/genproto/googleapis/rpc v0.0.0-20240708141625-4ad9e859172b
+# google.golang.org/genproto/googleapis/rpc v0.0.0-20240709173604-40e1e62336c5
 ## explicit; go 1.20
 google.golang.org/genproto/googleapis/rpc/status
 # google.golang.org/grpc v1.65.0