Upgrade to caddy v2.10.0

author: Felix Hanley <felix@userspace.com.au> 2025-07-22 07:50:24 +0000
committer: Felix Hanley <felix@userspace.com.au> 2025-07-22 07:50:24 +0000
commit: faa33e32b5e967fdfeac96bfc39ed3d94f9514ac (patch)
tree: b7605c2443a054daf1dfceca2d415d5b86445166 /vendor/go.step.sm/crypto
parent: f82adc0030a993ff25cbf70cf81d75900f455e6a (diff)
download: caddy-faa33e32b5e967fdfeac96bfc39ed3d94f9514ac.tar.gz
caddy-faa33e32b5e967fdfeac96bfc39ed3d94f9514ac.tar.bz2
14 files changed, 141 insertions, 371 deletions
diff --git a/vendor/go.step.sm/crypto/internal/templates/funcmap.go b/vendor/go.step.sm/crypto/internal/templates/funcmap.go
index 45c1375..01b6866 100644
--- a/vendor/go.step.sm/crypto/internal/templates/funcmap.go
+++ b/vendor/go.step.sm/crypto/internal/templates/funcmap.go
@@ -2,42 +2,15 @@ package templates
 
 import (
 	"errors"
-	"strings"
 	"text/template"
-	"time"
 
 	"github.com/Masterminds/sprig/v3"
-	"go.step.sm/crypto/jose"
 )
 
-// GetFuncMap returns the list of functions provided by sprig. It adds the
-// functions "toTime", "formatTime", "parseTime", "mustParseTime",
-// "toTimeLayout" and changes the function "fail".
-//
-// The "toTime" function receives a time or a Unix epoch and returns a time.Time
-// in UTC. The "formatTime" function uses "toTime" and formats the resulting
-// time using RFC3339. The functions "parseTime" and "mustParseTime" parse a
-// string and return the time.Time it represents. The "toTimeLayout" function
-// converts strings like "time.RFC3339" or "UnixDate" to the actual layout
-// represented by the Go constant with the same name. The "fail" function sets
-// the provided message, so that template errors are reported directly to the
-// template without having the wrapper that text/template adds.
-//
-//	{{ toTime }}
-//	    => time.Now().UTC()
-//	{{ .Token.nbf | toTime }}
-//	    => time.Unix(.Token.nbf, 0).UTC()
-//	{{ .Token.nbf | formatTime }}
-//	    => time.Unix(.Token.nbf, 0).UTC().Format(time.RFC3339)
-//	{{ "2024-07-02T23:16:02Z" | parseTime }}
-//	    => time.Parse(time.RFC3339, "2024-07-02T23:16:02Z")
-//	{{ parseTime "time.RFC339" "2024-07-02T23:16:02Z" }}
-//	    => time.Parse(time.RFC3339, "2024-07-02T23:16:02Z")
-//	{{ parseTime "time.UnixDate" "Tue Jul  2 16:20:48 PDT 2024" "America/Los_Angeles" }}
-//	    => loc, _ := time.LoadLocation("America/Los_Angeles")
-//	       time.ParseInLocation(time.UnixDate, "Tue Jul  2 16:20:48 PDT 2024", loc)
-//	{{ toTimeLayout "RFC3339" }}
-//	    => time.RFC3339
+// GetFuncMap returns the list of functions provided by sprig. It changes the
+// function "fail" to set the given string, this way we can report template
+// errors directly to the template without having the wrapper that text/template
+// adds.
 //
 // sprig "env" and "expandenv" functions are removed to avoid the leak of
 // information.
@@ -49,111 +22,5 @@ func GetFuncMap(failMessage *string) template.FuncMap {
 		*failMessage = msg
 		return "", errors.New(msg)
 	}
-	m["formatTime"] = formatTime
-	m["toTime"] = toTime
-	m["parseTime"] = parseTime
-	m["mustParseTime"] = mustParseTime
-	m["toTimeLayout"] = toTimeLayout
 	return m
 }
-
-func toTime(v any) time.Time {
-	var t time.Time
-	switch date := v.(type) {
-	case time.Time:
-		t = date
-	case *time.Time:
-		t = *date
-	case int64:
-		t = time.Unix(date, 0)
-	case float64: // from json
-		t = time.Unix(int64(date), 0)
-	case int:
-		t = time.Unix(int64(date), 0)
-	case int32:
-		t = time.Unix(int64(date), 0)
-	case jose.NumericDate:
-		t = date.Time()
-	case *jose.NumericDate:
-		t = date.Time()
-	default:
-		t = time.Now()
-	}
-	return t.UTC()
-}
-
-func formatTime(v any) string {
-	return toTime(v).Format(time.RFC3339)
-}
-
-func parseTime(v ...string) time.Time {
-	t, _ := mustParseTime(v...)
-	return t
-}
-
-func mustParseTime(v ...string) (time.Time, error) {
-	switch len(v) {
-	case 0:
-		return time.Now().UTC(), nil
-	case 1:
-		return time.Parse(time.RFC3339, v[0])
-	case 2:
-		layout := toTimeLayout(v[0])
-		return time.Parse(layout, v[1])
-	case 3:
-		layout := toTimeLayout(v[0])
-		loc, err := time.LoadLocation(v[2])
-		if err != nil {
-			return time.Time{}, err
-		}
-		return time.ParseInLocation(layout, v[1], loc)
-	default:
-		return time.Time{}, errors.New("unsupported number of parameters")
-	}
-}
-
-func toTimeLayout(fmt string) string {
-	switch strings.ToUpper(strings.TrimPrefix(fmt, "time.")) {
-	case "LAYOUT":
-		return time.Layout
-	case "ANSIC":
-		return time.ANSIC
-	case "UNIXDATE":
-		return time.UnixDate
-	case "RUBYDATE":
-		return time.RubyDate
-	case "RFC822":
-		return time.RFC822
-	case "RFC822Z":
-		return time.RFC822Z
-	case "RFC850":
-		return time.RFC850
-	case "RFC1123":
-		return time.RFC1123
-	case "RFC1123Z":
-		return time.RFC1123Z
-	case "RFC3339":
-		return time.RFC3339
-	case "RFC3339NANO":
-		return time.RFC3339Nano
-	// From the ones below, only time.DateTime will parse a complete date.
-	case "KITCHEN":
-		return time.Kitchen
-	case "STAMP":
-		return time.Stamp
-	case "STAMPMILLI":
-		return time.StampMilli
-	case "STAMPMICRO":
-		return time.StampMicro
-	case "STAMPNANO":
-		return time.StampNano
-	case "DATETIME":
-		return time.DateTime
-	case "DATEONLY":
-		return time.DateOnly
-	case "TIMEONLY":
-		return time.TimeOnly
-	default:
-		return fmt
-	}
-}
diff --git a/vendor/go.step.sm/crypto/keyutil/key.go b/vendor/go.step.sm/crypto/keyutil/key.go
index 171cdf3..76e15ae 100644
--- a/vendor/go.step.sm/crypto/keyutil/key.go
+++ b/vendor/go.step.sm/crypto/keyutil/key.go
@@ -219,8 +219,8 @@ func generateECKey(crv string) (crypto.Signer, error) {
 }
 
 func generateRSAKey(bits int) (crypto.Signer, error) {
-	if minBits := MinRSAKeyBytes * 8; !insecureMode.isSet() && bits < minBits {
-		return nil, errors.Errorf("the size of the RSA key should be at least %d bits", minBits)
+	if min := MinRSAKeyBytes * 8; !insecureMode.isSet() && bits < min {
+		return nil, errors.Errorf("the size of the RSA key should be at least %d bits", min)
 	}
 
 	key, err := rsa.GenerateKey(rand.Reader, bits)
diff --git a/vendor/go.step.sm/crypto/kms/apiv1/options.go b/vendor/go.step.sm/crypto/kms/apiv1/options.go
index 3b50b94..faa7737 100644
--- a/vendor/go.step.sm/crypto/kms/apiv1/options.go
+++ b/vendor/go.step.sm/crypto/kms/apiv1/options.go
@@ -18,18 +18,6 @@ type KeyManager interface {
 	Close() error
 }
 
-// SearchableKeyManager is an optional interface for KMS implementations
-// that support searching for keys based on certain attributes.
-//
-// # Experimental
-//
-// Notice: This API is EXPERIMENTAL and may be changed or removed in a later
-// release.
-type SearchableKeyManager interface {
-	KeyManager
-	SearchKeys(req *SearchKeysRequest) (*SearchKeysResponse, error)
-}
-
 // Decrypter is an interface implemented by KMSes that are used
 // in operations that require decryption
 type Decrypter interface {
diff --git a/vendor/go.step.sm/crypto/kms/apiv1/requests.go b/vendor/go.step.sm/crypto/kms/apiv1/requests.go
index 394dd0a..f1430e1 100644
--- a/vendor/go.step.sm/crypto/kms/apiv1/requests.go
+++ b/vendor/go.step.sm/crypto/kms/apiv1/requests.go
@@ -178,24 +178,6 @@ type CreateKeyResponse struct {
 	CreateSignerRequest CreateSignerRequest
 }
 
-// SearchKeysRequest is the request for the SearchKeys method. It takes
-// a Query string with the attributes to match when searching the
-// KMS.
-type SearchKeysRequest struct {
-	Query string
-}
-
-// SearchKeyResult is a single result returned from the SearchKeys
-// method.
-type SearchKeyResult CreateKeyResponse
-
-// SearchKeysResponse is the response for the SearchKeys method. It
-// wraps a slice of SearchKeyResult structs. The Results slice can
-// be empty in case no key was found for the search query.
-type SearchKeysResponse struct {
-	Results []SearchKeyResult
-}
-
 // CreateSignerRequest is the parameter used in the kms.CreateSigner method.
 type CreateSignerRequest struct {
 	Signer           crypto.Signer
diff --git a/vendor/go.step.sm/crypto/kms/uri/uri.go b/vendor/go.step.sm/crypto/kms/uri/uri.go
index 7700d82..a3e325b 100644
--- a/vendor/go.step.sm/crypto/kms/uri/uri.go
+++ b/vendor/go.step.sm/crypto/kms/uri/uri.go
@@ -105,11 +105,6 @@ func (u *URI) String() string {
 	return u.URL.String()
 }
 
-// Has checks whether a given key is set.
-func (u *URI) Has(key string) bool {
-	return u.Values.Has(key) || u.URL.Query().Has(key)
-}
-
 // Get returns the first value in the uri with the given key, it will return
 // empty string if that field is not present.
 func (u *URI) Get(key string) string {
@@ -194,25 +189,10 @@ func (u *URI) Pin() string {
 	return ""
 }
 
-// Read returns the raw content of the file in the given attribute key. This
-// method will return nil if the key is missing.
-func (u *URI) Read(key string) ([]byte, error) {
-	path := u.Get(key)
-	if path == "" {
-		return nil, nil
-	}
-	return readFile(path)
-}
-
 func readFile(path string) ([]byte, error) {
 	u, err := url.Parse(path)
-	if err == nil && (u.Scheme == "" || u.Scheme == "file") {
-		switch {
-		case u.Path != "":
-			path = u.Path
-		case u.Opaque != "":
-			path = u.Opaque
-		}
+	if err == nil && (u.Scheme == "" || u.Scheme == "file") && u.Path != "" {
+		path = u.Path
 	}
 	b, err := os.ReadFile(path)
 	if err != nil {
diff --git a/vendor/go.step.sm/crypto/pemutil/pem.go b/vendor/go.step.sm/crypto/pemutil/pem.go
index 9202510..0ca385c 100644
--- a/vendor/go.step.sm/crypto/pemutil/pem.go
+++ b/vendor/go.step.sm/crypto/pemutil/pem.go
@@ -5,7 +5,6 @@ package pemutil
 
 import (
 	"bytes"
-	"crypto/ecdh"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
@@ -231,93 +230,52 @@ func ParseCertificate(pemData []byte) (*x509.Certificate, error) {
 	return nil, errors.New("error parsing certificate: no certificate found")
 }
 
-// ParseCertificateBundle returns a list of *x509.Certificate parsed from
-// the given bytes.
-//
-// - supports PEM and DER certificate formats
-//   - If a DER-formatted file is given only one certificate will be returned.
-func ParseCertificateBundle(data []byte) ([]*x509.Certificate, error) {
-	var err error
-
-	// PEM format
-	if bytes.Contains(data, PEMBlockHeader) {
-		var block *pem.Block
-		var bundle []*x509.Certificate
-		for len(data) > 0 {
-			block, data = pem.Decode(data)
-			if block == nil {
-				break
-			}
-			if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
-				continue
-			}
-			var crt *x509.Certificate
-			crt, err = x509.ParseCertificate(block.Bytes)
-			if err != nil {
-				return nil, &InvalidPEMError{
-					Err:  err,
-					Type: PEMTypeCertificate,
-				}
-			}
-			bundle = append(bundle, crt)
+// ParseCertificateBundle extracts all the certificates in the given data.
+func ParseCertificateBundle(pemData []byte) ([]*x509.Certificate, error) {
+	var block *pem.Block
+	var certs []*x509.Certificate
+	for len(pemData) > 0 {
+		block, pemData = pem.Decode(pemData)
+		if block == nil {
+			return nil, errors.New("error decoding pem block")
 		}
-		if len(bundle) == 0 {
-			return nil, &InvalidPEMError{
-				Type: PEMTypeCertificate,
-			}
+		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+			continue
 		}
-		return bundle, nil
-	}
 
-	// DER format (binary)
-	crt, err := x509.ParseCertificate(data)
-	if err != nil {
-		return nil, &InvalidPEMError{
-			Message: fmt.Sprintf("error parsing certificate as DER format: %v", err),
-			Type:    PEMTypeCertificate,
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return nil, errors.Wrap(err, "error parsing certificate")
 		}
+		certs = append(certs, cert)
 	}
-	return []*x509.Certificate{crt}, nil
+	if len(certs) == 0 {
+		return nil, errors.New("error parsing certificate: no certificate found")
+	}
+	return certs, nil
 }
 
-// ParseCertificateRequest extracts the first *x509.CertificateRequest
-// from the given data.
-//
-// - supports PEM and DER certificate formats
-//   - If a DER-formatted file is given only one certificate will be returned.
-func ParseCertificateRequest(data []byte) (*x509.CertificateRequest, error) {
-	// PEM format
-	if bytes.Contains(data, PEMBlockHeader) {
-		var block *pem.Block
-		for len(data) > 0 {
-			block, data = pem.Decode(data)
-			if block == nil {
-				break
-			}
-			if !strings.HasSuffix(block.Type, "CERTIFICATE REQUEST") {
-				continue
-			}
-			csr, err := x509.ParseCertificateRequest(block.Bytes)
-			if err != nil {
-				return nil, &InvalidPEMError{
-					Type: PEMTypeCertificateRequest,
-					Err:  err,
-				}
-			}
-
-			return csr, nil
+// ParseCertificateRequest extracts the first certificate from the given pem.
+func ParseCertificateRequest(pemData []byte) (*x509.CertificateRequest, error) {
+	var block *pem.Block
+	for len(pemData) > 0 {
+		block, pemData = pem.Decode(pemData)
+		if block == nil {
+			return nil, errors.New("error decoding pem block")
+		}
+		if (block.Type != "CERTIFICATE REQUEST" && block.Type != "NEW CERTIFICATE REQUEST") ||
+			len(block.Headers) != 0 {
+			continue
 		}
-	}
 
-	// DER format (binary)
-	csr, err := x509.ParseCertificateRequest(data)
-	if err != nil {
-		return nil, &InvalidPEMError{
-			Message: fmt.Sprintf("error parsing certificate request as DER format: %v", err),
-			Type:    PEMTypeCertificateRequest,
+		csr, err := x509.ParseCertificateRequest(block.Bytes)
+		if err != nil {
+			return nil, errors.Wrap(err, "error parsing certificate request")
 		}
+		return csr, nil
 	}
-	return csr, nil
+
+	return nil, errors.New("error parsing certificate request: no certificate found")
 }
 
 // PEMType represents a PEM block type. (e.g., CERTIFICATE, CERTIFICATE REQUEST, etc.)
@@ -359,10 +317,14 @@ func (e *InvalidPEMError) Error() string {
 	case e.Err != nil:
 		return fmt.Sprintf("error decoding PEM data: %v", e.Err)
 	default:
+		var prefix = "input"
+		if e.File != "" {
+			prefix = fmt.Sprintf("file %s", e.File)
+		}
 		if e.Type == PEMTypeUndefined {
-			return "does not contain valid PEM encoded data"
+			return fmt.Sprintf("%s does not contain valid PEM encoded data", prefix)
 		}
-		return fmt.Sprintf("does not contain a valid PEM encoded %s", e.Type)
+		return fmt.Sprintf("%s does not contain a valid PEM encoded %s", prefix, e.Type)
 	}
 }
 
@@ -392,40 +354,83 @@ func ReadCertificate(filename string, opts ...Options) (*x509.Certificate, error
 	}
 }
 
-// ReadCertificateBundle reads the given filename and returns a list of
-// *x509.Certificate.
-//
-// - supports PEM and DER certificate formats
-//   - If a DER-formatted file is given only one certificate will be returned.
+// ReadCertificateBundle returns a list of *x509.Certificate from the given
+// filename. It supports certificates formats PEM and DER. If a DER-formatted
+// file is given only one certificate will be returned.
 func ReadCertificateBundle(filename string) ([]*x509.Certificate, error) {
 	b, err := utils.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
 
-	bundle, err := ParseCertificateBundle(b)
+	// PEM format
+	if bytes.Contains(b, PEMBlockHeader) {
+		var block *pem.Block
+		var bundle []*x509.Certificate
+		for len(b) > 0 {
+			block, b = pem.Decode(b)
+			if block == nil {
+				break
+			}
+			if block.Type != "CERTIFICATE" {
+				continue
+			}
+			var crt *x509.Certificate
+			crt, err = x509.ParseCertificate(block.Bytes)
+			if err != nil {
+				return nil, errors.Wrapf(err, "error parsing %s", filename)
+			}
+			bundle = append(bundle, crt)
+		}
+		if len(bundle) == 0 {
+			return nil, &InvalidPEMError{File: filename, Type: PEMTypeCertificate}
+		}
+		return bundle, nil
+	}
+
+	// DER format (binary)
+	crt, err := x509.ParseCertificate(b)
 	if err != nil {
-		return nil, fmt.Errorf("error parsing %s: %w", filename, err)
+		return nil, errors.Wrapf(err, "error parsing %s", filename)
 	}
-	return bundle, nil
+	return []*x509.Certificate{crt}, nil
 }
 
-// ReadCertificateRequest reads the given filename and returns a
-// *x509.CertificateRequest.
-//
-// - supports PEM and DER Certificate formats.
-// - supports reading from STDIN with filename `-`.
+// ReadCertificateRequest returns a *x509.CertificateRequest from the given
+// filename. It supports certificates formats PEM and DER.
 func ReadCertificateRequest(filename string) (*x509.CertificateRequest, error) {
 	b, err := utils.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
 
-	cr, err := ParseCertificateRequest(b)
-	if err != nil {
-		return nil, fmt.Errorf("error parsing %s: %w", filename, err)
+	// PEM format
+	if bytes.Contains(b, PEMBlockHeader) {
+		var block *pem.Block
+		for len(b) > 0 {
+			block, b = pem.Decode(b)
+			if block == nil {
+				break
+			}
+			if !strings.HasSuffix(block.Type, "CERTIFICATE REQUEST") {
+				continue
+			}
+			csr, err := x509.ParseCertificateRequest(block.Bytes)
+			if err != nil {
+				return nil, &InvalidPEMError{
+					File: filename, Type: PEMTypeCertificateRequest,
+					Message: fmt.Sprintf("error parsing %s: CSR PEM block is invalid: %v", filename, err),
+					Err:     err,
+				}
+			}
+
+			return csr, nil
+		}
 	}
-	return cr, nil
+
+	// DER format (binary)
+	csr, err := x509.ParseCertificateRequest(b)
+	return csr, errors.Wrapf(err, "error parsing %s", filename)
 }
 
 // Parse returns the key or certificate PEM-encoded in the given bytes.
@@ -640,6 +645,7 @@ func Serialize(in interface{}, opts ...Options) (*pem.Block, error) {
 				}
 			} else {
 				var err error
+				//nolint:staticcheck // required for legacy compatibility
 				p, err = x509.EncryptPEMBlock(rand.Reader, p.Type, p.Bytes, password, DefaultEncCipher)
 				if err != nil {
 					return nil, errors.Wrap(err, "failed to serialize to PEM")
@@ -726,48 +732,24 @@ func ParseSSH(b []byte) (interface{}, error) {
 			return nil, errors.Wrap(err, "error unmarshaling key")
 		}
 
-		var c ecdh.Curve
+		key := new(ecdsa.PublicKey)
 		switch w.Name {
 		case ssh.KeyAlgoECDSA256:
-			c = ecdh.P256()
+			key.Curve = elliptic.P256()
 		case ssh.KeyAlgoECDSA384:
-			c = ecdh.P384()
+			key.Curve = elliptic.P384()
 		case ssh.KeyAlgoECDSA521:
-			c = ecdh.P521()
+			key.Curve = elliptic.P521()
 		default:
 			return nil, errors.Errorf("unsupported ecdsa curve %s", w.Name)
 		}
 
-		var p *ecdh.PublicKey
-		if p, err = c.NewPublicKey(w.KeyBytes); err != nil {
-			return nil, errors.Wrapf(err, "failed decoding %s key", w.Name)
-		}
-
-		// convert ECDH public key to ECDSA public key to keep
-		// the returned type backwards compatible.
-		rawKey := p.Bytes()
-		switch p.Curve() {
-		case ecdh.P256():
-			return &ecdsa.PublicKey{
-				Curve: elliptic.P256(),
-				X:     big.NewInt(0).SetBytes(rawKey[1:33]),
-				Y:     big.NewInt(0).SetBytes(rawKey[33:]),
-			}, nil
-		case ecdh.P384():
-			return &ecdsa.PublicKey{
-				Curve: elliptic.P384(),
-				X:     big.NewInt(0).SetBytes(rawKey[1:49]),
-				Y:     big.NewInt(0).SetBytes(rawKey[49:]),
-			}, nil
-		case ecdh.P521():
-			return &ecdsa.PublicKey{
-				Curve: elliptic.P521(),
-				X:     big.NewInt(0).SetBytes(rawKey[1:67]),
-				Y:     big.NewInt(0).SetBytes(rawKey[67:]),
-			}, nil
-		default:
-			return nil, errors.New("cannot convert non-NIST *ecdh.PublicKey to *ecdsa.PublicKey")
+		key.X, key.Y = elliptic.Unmarshal(key.Curve, w.KeyBytes)
+		if key.X == nil || key.Y == nil {
+			return nil, errors.New("invalid ecdsa curve point")
 		}
+		return key, nil
+
 	case ssh.KeyAlgoED25519:
 		var w struct {
 			Name     string
@@ -777,8 +759,10 @@ func ParseSSH(b []byte) (interface{}, error) {
 			return nil, errors.Wrap(err, "error unmarshaling key")
 		}
 		return ed25519.PublicKey(w.KeyBytes), nil
+
 	case ssh.KeyAlgoDSA:
-		return nil, errors.Errorf("DSA keys not supported")
+		return nil, errors.Errorf("step does not support DSA keys")
+
 	default:
 		return nil, errors.Errorf("unsupported key type %T", key)
 	}
diff --git a/vendor/go.step.sm/crypto/pemutil/pkcs8.go b/vendor/go.step.sm/crypto/pemutil/pkcs8.go
index fb6c96c..35d30db 100644
--- a/vendor/go.step.sm/crypto/pemutil/pkcs8.go
+++ b/vendor/go.step.sm/crypto/pemutil/pkcs8.go
@@ -174,6 +174,7 @@ func (c rfc1423Algo) deriveKey(password, salt []byte, h func() hash.Hash) []byte
 // key derived using PBKDF2 over the given password.
 func DecryptPEMBlock(block *pem.Block, password []byte) ([]byte, error) {
 	if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
+		//nolint:staticcheck // required for legacy compatibility
 		return x509.DecryptPEMBlock(block, password)
 	}
 
diff --git a/vendor/go.step.sm/crypto/pemutil/ssh.go b/vendor/go.step.sm/crypto/pemutil/ssh.go
index 00698da..e31258e 100644
--- a/vendor/go.step.sm/crypto/pemutil/ssh.go
+++ b/vendor/go.step.sm/crypto/pemutil/ssh.go
@@ -10,6 +10,7 @@ import (
 	"crypto/cipher"
 	"crypto/ecdsa"
 	"crypto/ed25519"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"encoding/binary"
@@ -187,10 +188,7 @@ func SerializeOpenSSHPrivateKey(key crypto.PrivateKey, opts ...Options) (*pem.Bl
 			return nil, errors.Errorf("error serializing key: unsupported curve %s", k.Curve.Params().Name)
 		}
 
-		p, err := k.PublicKey.ECDH()
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed converting *ecdsa.PublicKey to *ecdh.PublicKey")
-		}
+		pub := elliptic.Marshal(k.Curve, k.PublicKey.X, k.PublicKey.Y)
 
 		// Marshal public key.
 		pubKey := struct {
@@ -198,7 +196,7 @@ func SerializeOpenSSHPrivateKey(key crypto.PrivateKey, opts ...Options) (*pem.Bl
 			Curve   string
 			Pub     []byte
 		}{
-			keyType, curve, p.Bytes(),
+			keyType, curve, pub,
 		}
 		w.PubKey = ssh.Marshal(pubKey)
 
@@ -209,7 +207,7 @@ func SerializeOpenSSHPrivateKey(key crypto.PrivateKey, opts ...Options) (*pem.Bl
 			D       *big.Int
 			Comment string
 		}{
-			curve, p.Bytes(), k.D,
+			curve, pub, k.D,
 			ctx.comment,
 		}
 		pk1.Keytype = keyType
diff --git a/vendor/go.step.sm/crypto/sshutil/certificate.go b/vendor/go.step.sm/crypto/sshutil/certificate.go
index a2367dd..1bc59fb 100644
--- a/vendor/go.step.sm/crypto/sshutil/certificate.go
+++ b/vendor/go.step.sm/crypto/sshutil/certificate.go
@@ -6,7 +6,6 @@ import (
 	"crypto/rand"
 	"encoding/binary"
 	"encoding/json"
-	"time"
 
 	"github.com/pkg/errors"
 	"go.step.sm/crypto/randutil"
@@ -21,8 +20,8 @@ type Certificate struct {
 	Type            CertType          `json:"type"`
 	KeyID           string            `json:"keyId"`
 	Principals      []string          `json:"principals"`
-	ValidAfter      time.Time         `json:"validAfter"`
-	ValidBefore     time.Time         `json:"validBefore"`
+	ValidAfter      uint64            `json:"-"`
+	ValidBefore     uint64            `json:"-"`
 	CriticalOptions map[string]string `json:"criticalOptions"`
 	Extensions      map[string]string `json:"extensions"`
 	Reserved        []byte            `json:"reserved"`
@@ -63,8 +62,8 @@ func (c *Certificate) GetCertificate() *ssh.Certificate {
 		CertType:        uint32(c.Type),
 		KeyId:           c.KeyID,
 		ValidPrincipals: c.Principals,
-		ValidAfter:      toValidity(c.ValidAfter),
-		ValidBefore:     toValidity(c.ValidBefore),
+		ValidAfter:      c.ValidAfter,
+		ValidBefore:     c.ValidBefore,
 		Permissions: ssh.Permissions{
 			CriticalOptions: c.CriticalOptions,
 			Extensions:      c.Extensions,
@@ -125,10 +124,3 @@ func CreateCertificate(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certifica
 
 	return cert, nil
 }
-
-func toValidity(t time.Time) uint64 {
-	if t.IsZero() {
-		return 0
-	}
-	return uint64(t.Unix())
-}
diff --git a/vendor/go.step.sm/crypto/sshutil/fingerprint.go b/vendor/go.step.sm/crypto/sshutil/fingerprint.go
index 9e1cd9a..ffe983c 100644
--- a/vendor/go.step.sm/crypto/sshutil/fingerprint.go
+++ b/vendor/go.step.sm/crypto/sshutil/fingerprint.go
@@ -1,7 +1,7 @@
 package sshutil
 
 import (
-	"crypto/dsa" // support for DSA fingerprints
+	"crypto/dsa" //nolint:staticcheck // support for DSA fingerprints
 	"crypto/rsa"
 	"crypto/sha256"
 	"fmt"
diff --git a/vendor/go.step.sm/crypto/sshutil/sshutil.go b/vendor/go.step.sm/crypto/sshutil/sshutil.go
index b21ff65..c309c2d 100644
--- a/vendor/go.step.sm/crypto/sshutil/sshutil.go
+++ b/vendor/go.step.sm/crypto/sshutil/sshutil.go
@@ -2,14 +2,12 @@ package sshutil
 
 import (
 	"crypto"
-	"crypto/dsa" // support for DSA fingerprints
-	"crypto/ecdh"
+	"crypto/dsa" //nolint:staticcheck // support for DSA fingerprints
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/elliptic"
 	"crypto/rsa"
 	"fmt"
-	"math/big"
 
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/agent"
@@ -50,17 +48,13 @@ func cryptoSKPublicKey(pub ssh.PublicKey) (crypto.PublicKey, error) {
 		if err := ssh.Unmarshal(pub.Marshal(), &w); err != nil {
 			return nil, err
 		}
-
-		p, err := ecdh.P256().NewPublicKey(w.Key)
-		if err != nil {
-			return nil, fmt.Errorf("failed decoding ECDSA key: %w", err)
+		key := new(ecdsa.PublicKey)
+		key.Curve = elliptic.P256()
+		key.X, key.Y = elliptic.Unmarshal(key.Curve, w.Key)
+		if key.X == nil || key.Y == nil {
+			return nil, fmt.Errorf("invalid curve point")
 		}
-
-		return &ecdsa.PublicKey{
-			Curve: elliptic.P256(),
-			X:     big.NewInt(0).SetBytes(p.Bytes()[1:33]),
-			Y:     big.NewInt(0).SetBytes(p.Bytes()[33:]),
-		}, nil
+		return key, nil
 	case "sk-ssh-ed25519@openssh.com":
 		var w struct {
 			Name        string
diff --git a/vendor/go.step.sm/crypto/x509util/algorithms.go b/vendor/go.step.sm/crypto/x509util/algorithms.go
index be18e61..53c0851 100644
--- a/vendor/go.step.sm/crypto/x509util/algorithms.go
+++ b/vendor/go.step.sm/crypto/x509util/algorithms.go
@@ -87,14 +87,10 @@ func (s SignatureAlgorithm) Set(c *x509.Certificate) {
 
 // MarshalJSON implements the json.Marshaller interface.
 func (s SignatureAlgorithm) MarshalJSON() ([]byte, error) {
-	switch s {
-	case SignatureAlgorithm(x509.UnknownSignatureAlgorithm):
+	if s == SignatureAlgorithm(x509.UnknownSignatureAlgorithm) {
 		return []byte(`""`), nil
-	case SignatureAlgorithm(x509.MD2WithRSA): // removed from stdlib in https://github.com/golang/go/commit/c96159c25217c84a252be5d74d48861af715ecf8
-		return []byte(`"` + MD2WithRSA + `"`), nil
-	default:
-		return []byte(`"` + x509.SignatureAlgorithm(s).String() + `"`), nil
 	}
+	return []byte(`"` + x509.SignatureAlgorithm(s).String() + `"`), nil
 }
 
 // UnmarshalJSON implements the json.Unmarshal interface and unmarshals and
diff --git a/vendor/go.step.sm/crypto/x509util/certificate.go b/vendor/go.step.sm/crypto/x509util/certificate.go
index a1d8fe1..918e28d 100644
--- a/vendor/go.step.sm/crypto/x509util/certificate.go
+++ b/vendor/go.step.sm/crypto/x509util/certificate.go
@@ -7,7 +7,6 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"encoding/json"
-	"time"
 
 	"github.com/pkg/errors"
 )
@@ -17,7 +16,6 @@ import (
 type Certificate struct {
 	Version               int                      `json:"version"`
 	Subject               Subject                  `json:"subject"`
-	RawSubject            []byte                   `json:"rawSubject"`
 	Issuer                Issuer                   `json:"issuer"`
 	SerialNumber          SerialNumber             `json:"serialNumber"`
 	DNSNames              MultiString              `json:"dnsNames"`
@@ -25,8 +23,6 @@ type Certificate struct {
 	IPAddresses           MultiIP                  `json:"ipAddresses"`
 	URIs                  MultiURL                 `json:"uris"`
 	SANs                  []SubjectAlternativeName `json:"sans"`
-	NotBefore             time.Time                `json:"notBefore"`
-	NotAfter              time.Time                `json:"notAfter"`
 	Extensions            []Extension              `json:"extensions"`
 	KeyUsage              KeyUsage                 `json:"keyUsage"`
 	ExtKeyUsage           ExtKeyUsage              `json:"extKeyUsage"`
@@ -129,7 +125,6 @@ func (c *Certificate) GetCertificate() *x509.Certificate {
 	// Unparsed data
 	cert.PublicKey = c.PublicKey
 	cert.PublicKeyAlgorithm = c.PublicKeyAlgorithm
-	cert.RawSubject = c.RawSubject
 
 	// Subject
 	c.Subject.Set(cert)
@@ -170,10 +165,6 @@ func (c *Certificate) GetCertificate() *x509.Certificate {
 		e.Set(cert)
 	}
 
-	// Validity bounds.
-	cert.NotBefore = c.NotBefore
-	cert.NotAfter = c.NotAfter
-
 	// Others.
 	c.SerialNumber.Set(cert)
 	c.SignatureAlgorithm.Set(cert)
diff --git a/vendor/go.step.sm/crypto/x509util/certificate_request.go b/vendor/go.step.sm/crypto/x509util/certificate_request.go
index b2ade54..24861e0 100644
--- a/vendor/go.step.sm/crypto/x509util/certificate_request.go
+++ b/vendor/go.step.sm/crypto/x509util/certificate_request.go
@@ -45,7 +45,6 @@ type certificateRequest struct {
 type CertificateRequest struct {
 	Version            int                      `json:"version"`
 	Subject            Subject                  `json:"subject"`
-	RawSubject         []byte                   `json:"rawSubject"`
 	DNSNames           MultiString              `json:"dnsNames"`
 	EmailAddresses     MultiString              `json:"emailAddresses"`
 	IPAddresses        MultiIP                  `json:"ipAddresses"`
@@ -116,7 +115,6 @@ func NewCertificateRequestFromX509(cr *x509.CertificateRequest) *CertificateRequ
 	return &CertificateRequest{
 		Version:            cr.Version,
 		Subject:            newSubject(cr.Subject),
-		RawSubject:         cr.RawSubject,
 		DNSNames:           cr.DNSNames,
 		EmailAddresses:     cr.EmailAddresses,
 		IPAddresses:        cr.IPAddresses,
@@ -136,7 +134,6 @@ func (c *CertificateRequest) GetCertificateRequest() (*x509.CertificateRequest,
 	cert := c.GetCertificate().GetCertificate()
 	asn1Data, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
 		Subject:            cert.Subject,
-		RawSubject:         cert.RawSubject,
 		DNSNames:           cert.DNSNames,
 		IPAddresses:        cert.IPAddresses,
 		EmailAddresses:     cert.EmailAddresses,
author	Felix Hanley <felix@userspace.com.au>	2025-07-22 07:50:24 +0000
committer	Felix Hanley <felix@userspace.com.au>	2025-07-22 07:50:24 +0000
commit	faa33e32b5e967fdfeac96bfc39ed3d94f9514ac (patch)
tree	b7605c2443a054daf1dfceca2d415d5b86445166 /vendor/go.step.sm/crypto
parent	f82adc0030a993ff25cbf70cf81d75900f455e6a (diff)
download	caddy-faa33e32b5e967fdfeac96bfc39ed3d94f9514ac.tar.gz caddy-faa33e32b5e967fdfeac96bfc39ed3d94f9514ac.tar.bz2