Fork of golang.org/x/crypto with my patches. http://git.kilabit.info/go-x-crypto/atom?h=v0.40.0 2025-07-10T17:21:43Z 2025-07-10T17:21:43Z Gopher Robot gobot@golang.org 2025-07-09T21:06:42Z urn:sha1:459a9db11b9c43bb1d61722bfd371751d6de05c9 Update golang.org/x dependencies to their latest tagged versions. Change-Id: I3a89b1890ad2f7d2b2c23e1efce60c19e43dd381 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/687017 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: David Chase <drchase@google.com> 2025-07-09T15:43:26Z Nicola Murino nicola.murino@gmail.com 2024-01-27T18:29:59Z urn:sha1:74e709ad8a8068445173aa5f3e8d7c89caf510c3 Fixes golang/go#61536 Change-Id: Id38cc6d46879dbe2bdea04dec061596387ec6cfe Reviewed-on: https://go-review.googlesource.com/c/crypto/+/559056 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Carlos Amedee <carlos@golang.org> 2025-06-30T19:50:50Z Daniel McCarney daniel@binaryparadox.net 2025-05-30T16:42:24Z urn:sha1:b3790b8d914304c8187dc2c86800101c329d77cd When creating a TLS-ALPN-01 challenge response certificate for an IP address identifier we need to configure the template IPAddresses field, not the DNSNames/Subject.CommonName. Along the way we can do some small tidying: * Updating the draft TLS-ALPN-01 reference to the finalized RFC * Adding a reference to the IP address identifier ACME RFC * Adding a mention of the form the challenge validation request's SNI will take when verifying an IP address identifier * Tidying the private tlsChallengeCert() function to take a single identifier as arg since the only call-sites provide singular values since the removal of the TLS-SNI-[01|02] challenge helpers. This allows enabling an IP address identifier in the Pebble integration tests that otherwise caused a validation failure for TLS-ALPN-01 challenge types because the IP address was used as a DNS SAN. Updates golang/go#73914 Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest Change-Id: Ic671e41b585f424f821db65206c7ffcc6dd386a0 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/677576 Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com> Auto-Submit: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Roland Shoemaker <roland@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> 2025-06-30T16:51:57Z Daniel McCarney daniel@binaryparadox.net 2025-05-29T18:34:34Z urn:sha1:1dc4269656dd23b2c4e71c51b8af6bc2b63eecb7 This commit adds integration test coverage for a complete TLS-ALPN-01 and HTTP-01 based issuance flow. For each tested challenge type we: * Spin up a pebble/pebble-challtestsrv environment * Spin up a small challenge response server * Create an ACME account * Create an order for multiple DNS type identifiers * Provision challenge responses based on the challenge type under test * Wait for the order to become ready for issuance * Finalize the order, issuing a certificate * Check the newly issued certificate chain validates with the Pebble trust anchor, and that the certificate is valid for each of the names from our initial order These tests are skipped in short mode (Pebble has variable delays for validation requests). The Pebble source is fetched through the Go module proxy (unless a local directory is specified to aid development), similar to how the stdlib crypto packages fetch BoGo tooling. More test coverage for various other parts of the protocol (key rollover, account/authz deactivation, revocation, etc) can be added as follow-up work now that the groundwork for integration testing is laid. Fixes golang/go#73914 Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest Change-Id: I4e79f4858f31ef290a0c91d345e15fbdc510e9ab Reviewed-on: https://go-review.googlesource.com/c/crypto/+/677575 Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2025-06-30T16:39:26Z qiulaidongfeng 2645477756@qq.com 2025-01-25T09:26:55Z urn:sha1:97bf78725562ce22e18036873215f2203b3e0e1e Fixes golang/go#69518 Change-Id: Id9989ac9b28262df77017e97f985f67c1571c3ce Reviewed-on: https://go-review.googlesource.com/c/crypto/+/644255 Reviewed-by: Austin Clements <austin@google.com> Auto-Submit: Austin Clements <austin@google.com> Reviewed-by: Cherry Mui <cherryyz@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> 2025-06-30T16:08:05Z Gopher Robot gobot@golang.org 2025-06-16T16:01:14Z urn:sha1:952517d181d424f6c77f7460bf728205cb048411 This is an automated CL which updates the NSS root bundle. [git-generate] go generate ./x509roots Change-Id: Icb71f9f7c509dc6f49ad4385aa287bd6a8966523 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/681915 Auto-Submit: Gopher Robot <gobot@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Roland Shoemaker <roland@golang.org> 2025-06-30T16:02:50Z Nicola Murino nicola.murino@gmail.com 2025-06-04T10:39:12Z urn:sha1:c6fce028266aa1271946a7dfde94cd71cf077d5e According to draft-miller-ssh-cert-01, Section 2.1.1, certificates with certificate keys as signature keys are invalid Change-Id: I474524ea444deb78f2fa7c2682e47c0fd057f0b8 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/678716 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org> 2025-06-30T16:02:45Z Nicola Murino nicola.murino@gmail.com 2025-06-04T09:54:11Z urn:sha1:0ae49b8145643036e0e6c266cf4edc0f543ea9e0 As specified in draft-miller-ssh-cert-01, Section 2.1.1: Implementations MUST NOT accept certificate keys as CA keys. Change-Id: I2e559a8a58b7bceccd0d8c6b80803abdbe281067 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/678715 Reviewed-by: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Nicola Murino <nicola.murino@gmail.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: David Chase <drchase@google.com> 2025-06-05T17:42:09Z Nicola Murino nicola.murino@gmail.com 2025-06-05T16:49:31Z urn:sha1:3bf9d2afd4f01ad3d1f1e2e19ea6ee7ea27f8384 Skip the key exchange test when using the system's ssh CLI if the required KEX algorithm (e.g., mlkem768x25519-sha256) is not supported. This is determined by running ssh -Q kex and checking for the presence of the target algorithm. Prevents false test failures in CI environments with older or limited SSH implementations. Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-darwin-amd64-longtest,x_crypto-gotip-linux-amd64-longtest,x_crypto-gotip-windows-amd64-longtest Change-Id: I3fac703ec70559e18b30d5fff88274335a7c3952 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/679195 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org> 2025-06-05T15:51:54Z Gopher Robot gobot@golang.org 2025-06-05T15:18:22Z urn:sha1:9bab96736ccafb2ee12ac5f5ac3655c5491825dd Update golang.org/x dependencies to their latest tagged versions. Change-Id: Icbe0bf922207aefa5ee047a35dfb71843ec75306 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/679135 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: David Chase <drchase@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Gopher Robot <gobot@golang.org>