diff --git a/ca/ca_test.go b/ca/ca_test.go index 81f4737c6f7..b3b6039b316 100644 --- a/ca/ca_test.go +++ b/ca/ca_test.go @@ -5,7 +5,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -943,7 +942,7 @@ func TestNoteSignError(t *testing.T) { func TestGenerateSKID(t *testing.T) { t.Parallel() - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Error generating key") sha256skid, err := generateSKID(key.Public()) @@ -957,25 +956,25 @@ func TestVerifyTBSCertIsDeterministic(t *testing.T) { t.Parallel() // Create first keypair and cert - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unable to generate ECDSA private key") template := &x509.Certificate{ NotAfter: time.Now().Add(1 * time.Hour), DNSNames: []string{"example.com"}, SerialNumber: big.NewInt(1), } - certDer1, err := x509.CreateCertificate(rand.Reader, template, template, &testKey.PublicKey, testKey) + certDer1, err := x509.CreateCertificate(nil, template, template, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "unable to create certificate") // Create second keypair and cert - testKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey2, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unable to generate ECDSA private key") template2 := &x509.Certificate{ NotAfter: time.Now().Add(2 * time.Hour), DNSNames: []string{"example.net"}, SerialNumber: big.NewInt(2), } - certDer2, err := x509.CreateCertificate(rand.Reader, template2, template2, &testKey2.PublicKey, testKey2) + certDer2, err := x509.CreateCertificate(nil, template2, template2, &testKey2.PublicKey, testKey2) test.AssertNotError(t, err, "unable to create certificate") testCases := []struct { 
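Review bot: `ecdsa.GenerateKey(elliptic.P256(), nil)` in TestGenerateSKID and the `x509.CreateCertificate(nil, …)` calls in TestVerifyTBSCertIsDeterministic rely on the crypto packages tolerating a nil reader, which depends on the Go release in use rather than on this code. On a toolchain that still reads from the argument, these calls would dereference nil and panic instead of returning an error that `test.AssertNotError` could report. The minimum Go version is not visible in this part of the diff; if the `go` directive in go.mod is not raised in the same change, it should be. The same applies to every other test hunk in this commit that swaps `rand.Reader` for `nil`, including the direct `ecdsa.Sign(nil, priv, msg[:])` in ecPKCS11Sign and `p.k.Sign(nil, digest, opts)` in wrappedSigner.Sign.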
diff --git a/ca/testdata/testcsr.go b/ca/testdata/testcsr.go index cd22487cde0..ce84897092b 100644 --- a/ca/testdata/testcsr.go +++ b/ca/testdata/testcsr.go @@ -5,7 +5,6 @@ package main import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "log" @@ -13,7 +12,7 @@ import ( ) func main() { - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + priv, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { log.Fatalf("Failed to parse private key: %s", err) } @@ -29,7 +28,7 @@ func main() { "Capitalizedletters.COM", }, } - csr, err := x509.CreateCertificateRequest(rand.Reader, req, priv) + csr, err := x509.CreateCertificateRequest(nil, req, priv) if err != nil { log.Fatalf("unable to create CSR: %s", err) } diff --git a/cmd/admin/cert_test.go b/cmd/admin/cert_test.go index 7a42898703d..8f0496f77c9 100644 --- a/cmd/admin/cert_test.go +++ b/cmd/admin/cert_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "encoding/pem" "errors" @@ -105,7 +104,7 @@ func TestSerialsFromPrivateKey(t *testing.T) { fc := clock.NewFake() fc.Set(time.Now()) - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test private key") keyBytes, err := x509.MarshalPKCS8PrivateKey(privKey) test.AssertNotError(t, err, "marshalling test private key bytes") diff --git a/cmd/admin/key_test.go b/cmd/admin/key_test.go index 6a41b687c02..1a036bfe937 100644 --- a/cmd/admin/key_test.go +++ b/cmd/admin/key_test.go @@ -5,7 +5,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/sha256" "crypto/x509" 
@@ -32,12 +31,12 @@ import ( func TestSPKIHashesFromPrivateKeys(t *testing.T) { - ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Generating ECDSA key") pkcs8ecdsa, err := x509.MarshalPKCS8PrivateKey(ecdsaKey) test.AssertNotError(t, err, "Marshalling PKCS8 private key") - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Generating RSA key") pkcs8rsa, err := x509.MarshalPKCS8PrivateKey(rsaKey) test.AssertNotError(t, err, "Marshalling PKCS8 private key") @@ -166,7 +165,7 @@ func TestBlockSPKIHash(t *testing.T) { log := blog.NewMock() msa := mockSARecordingBlocks{} - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test private key") keyHash, err := core.KeyDigest(privKey.Public()) test.AssertNotError(t, err, "computing test SPKI hash") diff --git a/cmd/ceremony/cert_test.go b/cmd/ceremony/cert_test.go index 2fd8f8c11f9..990760c6d9b 100644 --- a/cmd/ceremony/cert_test.go +++ b/cmd/ceremony/cert_test.go @@ -549,7 +549,7 @@ func TestGenerateCSR(t *testing.T) { Country: "country", } - signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + signer, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") csrBytes, err := generateCSR(profile, &wrappedSigner{signer}) diff --git a/cmd/ceremony/crl_test.go b/cmd/ceremony/crl_test.go index 60f951af1ea..d2bcc5e0b90 100644 --- a/cmd/ceremony/crl_test.go +++ b/cmd/ceremony/crl_test.go @@ -4,7 +4,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" 
@@ -53,7 +52,7 @@ func TestGenerateCRLTimeBounds(t *testing.T) { type wrappedSigner struct{ k crypto.Signer } func (p wrappedSigner) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { - return p.k.Sign(rand.Reader, digest, opts) + return p.k.Sign(nil, digest, opts) } func (p wrappedSigner) Public() crypto.PublicKey { @@ -61,7 +60,7 @@ func (p wrappedSigner) Public() crypto.PublicKey { } func TestGenerateCRLLints(t *testing.T) { - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") cert := &x509.Certificate{ @@ -74,7 +73,7 @@ func TestGenerateCRLLints(t *testing.T) { SubjectKeyId: []byte{1, 2, 3}, } - certBytes, err := x509.CreateCertificate(rand.Reader, cert, cert, k.Public(), k) + certBytes, err := x509.CreateCertificate(nil, cert, cert, k.Public(), k) test.AssertNotError(t, err, "failed to generate test cert") cert, err = x509.ParseCertificate(certBytes) test.AssertNotError(t, err, "failed to parse test cert") @@ -102,7 +101,7 @@ func TestGenerateCRLLints(t *testing.T) { } func TestGenerateCRL(t *testing.T) { - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") template := &x509.Certificate{ @@ -116,7 +115,7 @@ func TestGenerateCRL(t *testing.T) { SubjectKeyId: []byte{1, 2, 3}, } - certBytes, err := x509.CreateCertificate(rand.Reader, template, template, k.Public(), k) + certBytes, err := x509.CreateCertificate(nil, template, template, k.Public(), k) test.AssertNotError(t, err, "failed to generate test cert") cert, err := x509.ParseCertificate(certBytes) test.AssertNotError(t, err, "failed to parse test cert") diff --git a/cmd/ceremony/ecdsa_test.go b/cmd/ceremony/ecdsa_test.go index 8bd34867581..752918e07c8 100644 --- a/cmd/ceremony/ecdsa_test.go +++ b/cmd/ceremony/ecdsa_test.go 
@@ -3,7 +3,6 @@ package main import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "errors" "testing" @@ -40,7 +39,7 @@ func TestECGenerate(t *testing.T) { ctx.GenerateRandomFunc = func(pkcs11.SessionHandle, int) ([]byte, error) { return []byte{1, 2, 3}, nil } - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + priv, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed to generate a ECDSA test key") // Test ecGenerate fails with unknown curve @@ -92,7 +91,7 @@ func TestECGenerate(t *testing.T) { } func ecPKCS11Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) { - r, s, err := ecdsa.Sign(rand.Reader, priv, msg[:]) + r, s, err := ecdsa.Sign(nil, priv, msg[:]) if err != nil { return nil, err } diff --git a/cmd/ceremony/key_test.go b/cmd/ceremony/key_test.go index 5a1768c491d..da7907fd07d 100644 --- a/cmd/ceremony/key_test.go +++ b/cmd/ceremony/key_test.go @@ -4,7 +4,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/pem" @@ -46,7 +45,7 @@ func TestGenerateKeyRSA(t *testing.T) { tmp := t.TempDir() ctx := setupCtx() - rsaPriv, err := rsa.GenerateKey(rand.Reader, 1024) + rsaPriv, err := rsa.GenerateKey(nil, 1024) test.AssertNotError(t, err, "Failed to generate a test RSA key") ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) { return []*pkcs11.Attribute{ @@ -56,7 +55,7 @@ func TestGenerateKeyRSA(t *testing.T) { } ctx.SignFunc = func(_ pkcs11.SessionHandle, msg []byte) ([]byte, error) { // Chop of the hash identifier and feed back into rsa.SignPKCS1v15 - return rsa.SignPKCS1v15(rand.Reader, rsaPriv, crypto.SHA256, msg[19:]) + return rsa.SignPKCS1v15(nil, rsaPriv, crypto.SHA256, msg[19:]) } s := &pkcs11helpers.Session{Module: &ctx, Session: 0} keyPath := path.Join(tmp, "test-rsa-key.pem") 
@@ -74,7 +73,7 @@ func TestGenerateKeyRSA(t *testing.T) { } func setECGenerateFuncs(ctx *pkcs11helpers.MockCtx) { - ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { panic(err) } diff --git a/cmd/ceremony/main_test.go b/cmd/ceremony/main_test.go index 899cb2909cc..6ae0d657d6c 100644 --- a/cmd/ceremony/main_test.go +++ b/cmd/ceremony/main_test.go @@ -3,7 +3,6 @@ package main import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "encoding/pem" "fmt" @@ -22,7 +21,7 @@ import ( func TestLoadPubKey(t *testing.T) { tmp := t.TempDir() - key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, _ := ecdsa.GenerateKey(elliptic.P256(), nil) _, _, err := loadPubKey(path.Join(tmp, "does", "not", "exist")) test.AssertError(t, err, "should fail on non-existent file") @@ -1295,14 +1294,14 @@ func TestPostIssuanceLinting(t *testing.T) { err := postIssuanceLinting(nil, nil) test.AssertError(t, err, "should have failed because no certificate was provided") - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unable to generate ECDSA private key") template := &x509.Certificate{ NotAfter: clk.Now().Add(1 * time.Hour), DNSNames: []string{"example.com"}, SerialNumber: big.NewInt(1), } - certDer, err := x509.CreateCertificate(rand.Reader, template, template, &testKey.PublicKey, testKey) + certDer, err := x509.CreateCertificate(nil, template, template, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "unable to create certificate") parsedCert, err := x509.ParseCertificate(certDer) test.AssertNotError(t, err, "unable to parse DER bytes") diff --git a/cmd/ceremony/rsa_test.go b/cmd/ceremony/rsa_test.go index 40eb9d5df90..8fe9ffdb5cd 100644 --- a/cmd/ceremony/rsa_test.go +++ b/cmd/ceremony/rsa_test.go 
@@ -2,7 +2,6 @@ package main import ( "crypto" - "crypto/rand" "crypto/rsa" "errors" "math/big" @@ -44,7 +43,7 @@ func TestRSAGenerate(t *testing.T) { return []byte{1, 2, 3}, nil } - priv, err := rsa.GenerateKey(rand.Reader, 1024) + priv, err := rsa.GenerateKey(nil, 1024) test.AssertNotError(t, err, "Failed to generate a RSA test key") // Test rsaGenerate fails when GenerateKeyPair fails @@ -86,7 +85,7 @@ func TestRSAGenerate(t *testing.T) { } ctx.SignFunc = func(_ pkcs11.SessionHandle, msg []byte) ([]byte, error) { // Chop of the hash identifier and feed back into rsa.SignPKCS1v15 - return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, msg[19:]) + return rsa.SignPKCS1v15(nil, priv, crypto.SHA256, msg[19:]) } _, _, err = rsaGenerate(s, "", 1024) test.AssertNotError(t, err, "rsaGenerate didn't succeed when everything worked as expected") diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go index 47d49994d33..4b6d5b5d19d 100644 --- a/cmd/cert-checker/main_test.go +++ b/cmd/cert-checker/main_test.go @@ -5,7 +5,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" @@ -73,7 +72,7 @@ func init() { func BenchmarkCheckCert(b *testing.B) { checker := newChecker(nil, clock.New(), pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock()) - testKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, _ := ecdsa.GenerateKey(elliptic.P256(), nil) expiry := time.Now().AddDate(0, 0, 1) serial := big.NewInt(1337) rawCert := x509.Certificate{ @@ -84,7 +83,7 @@ func BenchmarkCheckCert(b *testing.B) { DNSNames: []string{"example-a.com"}, SerialNumber: serial, } - certDer, _ := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) + certDer, _ := x509.CreateCertificate(nil, &rawCert, &rawCert, &testKey.PublicKey, testKey) cert := &corepb.Certificate{ Serial: core.SerialToString(serial), Digest: core.Fingerprint256(certDer), 
@@ -106,7 +105,7 @@ func TestCheckWildcardCert(t *testing.T) { saCleanup() }() - testKey, _ := rsa.GenerateKey(rand.Reader, 2048) + testKey, _ := rsa.GenerateKey(nil, 2048) fc := clock.NewFake() checker := newChecker(saDbMap, fc, pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock()) issued := checker.clock.Now().Add(-time.Minute) @@ -127,7 +126,7 @@ func TestCheckWildcardCert(t *testing.T) { OCSPServer: []string{"http://example.com/ocsp"}, IssuingCertificateURL: []string{"http://example.com/cert"}, } - wildcardCertDer, err := x509.CreateCertificate(rand.Reader, &wildcardCert, &wildcardCert, &testKey.PublicKey, testKey) + wildcardCertDer, err := x509.CreateCertificate(nil, &wildcardCert, &wildcardCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "Couldn't create certificate") parsed, err := x509.ParseCertificate(wildcardCertDer) test.AssertNotError(t, err, "Couldn't parse created certificate") @@ -184,13 +183,13 @@ type keyGen interface { type ecP256Generator struct{} func (*ecP256Generator) genKey() (crypto.Signer, error) { - return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + return ecdsa.GenerateKey(elliptic.P256(), nil) } type rsa2048Generator struct{} func (*rsa2048Generator) genKey() (crypto.Signer, error) { - return rsa.GenerateKey(rand.Reader, 2048) + return rsa.GenerateKey(nil, 2048) } func TestCheckCert(t *testing.T) { @@ -261,7 +260,7 @@ func TestCheckCert(t *testing.T) { IssuingCertificateURL: []string{"http://example.com/cert"}, ExtraExtensions: []pkix.Extension{ocspMustStaple, imaginaryExtension}, } - brokenCertDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, testKey.Public(), testKey) + brokenCertDer, err := x509.CreateCertificate(nil, &rawCert, &rawCert, testKey.Public(), testKey) test.AssertNotError(t, err, "Couldn't create certificate") // Problems // Digest doesn't match 
@@ -318,7 +317,7 @@ func TestCheckCert(t *testing.T) { rawCert.BasicConstraintsValid = true rawCert.ExtraExtensions = []pkix.Extension{ocspMustStaple} rawCert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} - goodCertDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, testKey.Public(), testKey) + goodCertDer, err := x509.CreateCertificate(nil, &rawCert, &rawCert, testKey.Public(), testKey) test.AssertNotError(t, err, "Couldn't create certificate") parsed, err := x509.ParseCertificate(goodCertDer) test.AssertNotError(t, err, "Couldn't parse created certificate") @@ -348,7 +347,7 @@ func TestGetAndProcessCerts(t *testing.T) { saCleanUp() }() - testKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, _ := ecdsa.GenerateKey(elliptic.P256(), nil) // Problems // Expiry period is too long rawCert := x509.Certificate{ @@ -365,7 +364,7 @@ func TestGetAndProcessCerts(t *testing.T) { test.AssertNotError(t, err, "Couldn't create registration") for range 5 { rawCert.SerialNumber = big.NewInt(mrand.Int64()) - certDER, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) + certDER, err := x509.CreateCertificate(nil, &rawCert, &rawCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "Couldn't create certificate") _, err = sa.AddCertificate(context.Background(), &sapb.AddCertificateRequest{ Der: certDER, @@ -559,7 +558,7 @@ func TestIgnoredLint(t *testing.T) { err = loglist.InitLintList("../../test/ct-test-srv/log_list.json", false) test.AssertNotError(t, err, "failed to load ct log list") - testKey, _ := rsa.GenerateKey(rand.Reader, 2048) + testKey, _ := rsa.GenerateKey(nil, 2048) checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock()) serial := big.NewInt(1337) 
@@ -583,7 +582,7 @@ func TestIgnoredLint(t *testing.T) { } // Create a self-signed issuer certificate to use - issuerDer, err := x509.CreateCertificate(rand.Reader, template, template, testKey.Public(), testKey) + issuerDer, err := x509.CreateCertificate(nil, template, template, testKey.Public(), testKey) test.AssertNotError(t, err, "failed to create self-signed issuer cert") issuerCert, err := x509.ParseCertificate(issuerDer) test.AssertNotError(t, err, "failed to parse self-signed issuer cert") @@ -598,7 +597,7 @@ func TestIgnoredLint(t *testing.T) { template.CRLDistributionPoints = []string{"http://crl.example.org"} template.IsCA = false - subjectCertDer, err := x509.CreateCertificate(rand.Reader, template, issuerCert, testKey.Public(), testKey) + subjectCertDer, err := x509.CreateCertificate(nil, template, issuerCert, testKey.Public(), testKey) test.AssertNotError(t, err, "failed to create EE cert") subjectCert, err := x509.ParseCertificate(subjectCertDer) test.AssertNotError(t, err, "failed to parse EE cert") @@ -646,7 +645,7 @@ func TestPrecertCorrespond(t *testing.T) { checker.getPrecert = func(_ context.Context, _ string) ([]byte, error) { return []byte("hello"), nil } - testKey, _ := rsa.GenerateKey(rand.Reader, 2048) + testKey, _ := rsa.GenerateKey(nil, 2048) expiry := time.Now().AddDate(0, 0, 1) serial := big.NewInt(1337) rawCert := x509.Certificate{ @@ -657,7 +656,7 @@ func TestPrecertCorrespond(t *testing.T) { DNSNames: []string{"example-a.com"}, SerialNumber: serial, } - certDer, _ := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) + certDer, _ := x509.CreateCertificate(nil, &rawCert, &rawCert, &testKey.PublicKey, testKey) cert := &corepb.Certificate{ Serial: core.SerialToString(serial), Digest: core.Fingerprint256(certDer), diff --git a/cmd/config_test.go b/cmd/config_test.go index 2935889b507..30ac9c52bf2 100644 --- a/cmd/config_test.go +++ b/cmd/config_test.go 
@@ -3,7 +3,6 @@ package cmd import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/pem" @@ -67,7 +66,7 @@ func TestTLSConfigLoad(t *testing.T) { key := path.Join(tmp, "TestTLSConfigLoad.key.pem") caCert := path.Join(tmp, "TestTLSConfigLoad.cacert.pem") - rootKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + rootKey, err := ecdsa.GenerateKey(elliptic.P224(), nil) test.AssertNotError(t, err, "creating test root key") rootTemplate := &x509.Certificate{ Subject: pkix.Name{CommonName: "test root"}, @@ -76,12 +75,12 @@ func TestTLSConfigLoad(t *testing.T) { NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, } - rootCert, err := x509.CreateCertificate(rand.Reader, rootTemplate, rootTemplate, rootKey.Public(), rootKey) + rootCert, err := x509.CreateCertificate(nil, rootTemplate, rootTemplate, rootKey.Public(), rootKey) test.AssertNotError(t, err, "creating test root cert") err = os.WriteFile(caCert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert}), os.ModeAppend) test.AssertNotError(t, err, "writing test root cert to disk") - intKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + intKey, err := ecdsa.GenerateKey(elliptic.P224(), nil) test.AssertNotError(t, err, "creating test intermediate key") intKeyBytes, err := x509.MarshalECPrivateKey(intKey) test.AssertNotError(t, err, "marshalling test intermediate key") @@ -95,7 +94,7 @@ func TestTLSConfigLoad(t *testing.T) { NotAfter: time.Now().Add(12 * time.Hour), IsCA: true, } - intCert, err := x509.CreateCertificate(rand.Reader, intTemplate, rootTemplate, intKey.Public(), rootKey) + intCert, err := x509.CreateCertificate(nil, intTemplate, rootTemplate, intKey.Public(), rootKey) test.AssertNotError(t, err, "creating test intermediate cert") err = os.WriteFile(cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: intCert}), os.ModeAppend) test.AssertNotError(t, err, "writing test intermediate cert to disk") 
diff --git a/crl/checker/checker_test.go b/crl/checker/checker_test.go index 53fc507f219..b4a82ced148 100644 --- a/crl/checker/checker_test.go +++ b/crl/checker/checker_test.go @@ -1,7 +1,6 @@ package checker import ( - "crypto/rand" "crypto/x509" "encoding/pem" "io" @@ -83,7 +82,7 @@ func TestDiff(t *testing.T) { }, } - oldCRLDER, err := x509.CreateRevocationList(rand.Reader, &template, issuer.Cert.Certificate, issuer.Signer) + oldCRLDER, err := x509.CreateRevocationList(nil, &template, issuer.Cert.Certificate, issuer.Signer) test.AssertNotError(t, err, "creating old crl") oldCRL, err := x509.ParseRevocationList(oldCRLDER) test.AssertNotError(t, err, "parsing old crl") @@ -105,7 +104,7 @@ func TestDiff(t *testing.T) { }, } - newCRLDER, err := x509.CreateRevocationList(rand.Reader, &template, issuer.Cert.Certificate, issuer.Signer) + newCRLDER, err := x509.CreateRevocationList(nil, &template, issuer.Cert.Certificate, issuer.Signer) test.AssertNotError(t, err, "creating old crl") newCRL, err := x509.ParseRevocationList(newCRLDER) test.AssertNotError(t, err, "parsing old crl") diff --git a/crl/storer/storer_test.go b/crl/storer/storer_test.go index 22654b9ebcc..eff2f75e455 100644 --- a/crl/storer/storer_test.go +++ b/crl/storer/storer_test.go @@ -5,7 +5,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "errors" @@ -212,10 +211,10 @@ func TestUploadCRLInvalidSignature(t *testing.T) { }, }, } - fakeSigner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + fakeSigner, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating throwaway signer") crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), 
@@ -254,7 +253,7 @@ func TestUploadCRLMismatchedNumbers(t *testing.T) { }, } crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), @@ -322,7 +321,7 @@ func TestUploadCRLSuccess(t *testing.T) { } prevCRLBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: storer.clk.Now(), NextUpdate: storer.clk.Now().Add(time.Hour), @@ -340,7 +339,7 @@ func TestUploadCRLSuccess(t *testing.T) { storer.clk.Sleep(time.Minute) crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: storer.clk.Now(), NextUpdate: storer.clk.Now().Add(time.Hour), @@ -385,7 +384,7 @@ func TestUploadNewCRLSuccess(t *testing.T) { } crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), @@ -429,7 +428,7 @@ func TestUploadCRLBackwardsNumber(t *testing.T) { } prevCRLBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: storer.clk.Now(), NextUpdate: storer.clk.Now().Add(time.Hour), @@ -446,7 +445,7 @@ func TestUploadCRLBackwardsNumber(t *testing.T) { storer.clk.Sleep(time.Minute) crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: storer.clk.Now(), NextUpdate: storer.clk.Now().Add(time.Hour), @@ -502,7 +501,7 @@ func TestUploadCRLBrokenS3(t *testing.T) { }, } crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, &x509.RevocationList{ ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), diff --git a/csr/csr_test.go b/csr/csr_test.go index 6f1936449a1..eda5f6bbaf3 100644 --- a/csr/csr_test.go +++ b/csr/csr_test.go @@ -2,7 +2,6 @@ package csr import ( "context" - "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" 
@@ -45,9 +44,9 @@ func (pa *mockPA) CheckAuthzChallenges(a *core.Authorization) error { } func TestVerifyCSR(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") - signedReqBytes, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{PublicKey: private.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA}, private) + signedReqBytes, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{PublicKey: private.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA}, private) test.AssertNotError(t, err, "error generating test CSR") signedReq, err := x509.ParseCertificateRequest(signedReqBytes) test.AssertNotError(t, err, "error parsing test CSR") @@ -257,11 +256,11 @@ func TestSHA1Deprecation(t *testing.T) { keyPolicy, err := goodkey.NewPolicy(nil, nil) test.AssertNotError(t, err, "creating test keypolicy") - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") makeAndVerifyCsr := func(alg x509.SignatureAlgorithm) error { - csrBytes, err := x509.CreateCertificateRequest(rand.Reader, + csrBytes, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ DNSNames: []string{"example.com"}, SignatureAlgorithm: alg, @@ -283,10 +282,10 @@ func TestSHA1Deprecation(t *testing.T) { } func TestDuplicateExtensionRejection(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") - csrBytes, err := x509.CreateCertificateRequest(rand.Reader, + csrBytes, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ DNSNames: []string{"example.com"}, SignatureAlgorithm: x509.SHA256WithRSA, diff --git a/goodkey/good_key_test.go b/goodkey/good_key_test.go index 133b6ac11ef..7841d51f445 100644 --- a/goodkey/good_key_test.go 
+++ b/goodkey/good_key_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "fmt" "math/big" @@ -123,14 +122,14 @@ func TestROCA(t *testing.T) { } func TestGoodKey(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error generating key") test.AssertNotError(t, testingPolicy.GoodKey(context.Background(), &private.PublicKey), "Should have accepted good key") } func TestECDSABadCurve(t *testing.T) { for _, curve := range invalidCurves { - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") err = testingPolicy.GoodKey(context.Background(), &private.PublicKey) test.AssertError(t, err, "Should have rejected key with unsupported curve") @@ -150,7 +149,7 @@ var validCurves = []elliptic.Curve{ func TestECDSAGoodKey(t *testing.T) { for _, curve := range validCurves { - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") test.AssertNotError(t, testingPolicy.GoodKey(context.Background(), &private.PublicKey), "Should have accepted good key") } @@ -159,7 +158,7 @@ func TestECDSAGoodKey(t *testing.T) { func TestECDSANotOnCurveX(t *testing.T) { for _, curve := range validCurves { // Change a public key so that it is no longer on the curve. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Add(private.X, big.NewInt(1)) 
@@ -172,7 +171,7 @@ func TestECDSANotOnCurveX(t *testing.T) { func TestECDSANotOnCurveY(t *testing.T) { for _, curve := range validCurves { // Again with Y. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") // Change the public key so that it is no longer on the curve. @@ -186,7 +185,7 @@ func TestECDSANotOnCurveY(t *testing.T) { func TestECDSANegative(t *testing.T) { for _, curve := range validCurves { // Check that negative X is not accepted. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Neg(private.X) @@ -206,7 +205,7 @@ func TestECDSANegative(t *testing.T) { func TestECDSAXOutsideField(t *testing.T) { for _, curve := range validCurves { // Check that X outside [0, p-1] is not accepted. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Mul(private.X, private.Curve.Params().P) @@ -219,7 +218,7 @@ func TestECDSAXOutsideField(t *testing.T) { func TestECDSAYOutsideField(t *testing.T) { for _, curve := range validCurves { // Check that Y outside [0, p-1] is not accepted. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Mul(private.Y, private.Curve.Params().P) @@ -245,7 +244,7 @@ func TestECDSAIdentity(t *testing.T) { } func TestNonRefKey(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error generating key") test.AssertError(t, testingPolicy.GoodKey(context.Background(), private.PublicKey), "Accepted non-reference key") } 
@@ -260,7 +259,7 @@ func TestDBBlocklistAccept(t *testing.T) { policy, err := NewPolicy(nil, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertNotError(t, err, "GoodKey failed with a non-blocked key") @@ -275,7 +274,7 @@ func TestDBBlocklistReject(t *testing.T) { policy, err := NewPolicy(nil, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertError(t, err, "GoodKey didn't fail with a blocked key") diff --git a/goodkey/sagoodkey/good_key_test.go b/goodkey/sagoodkey/good_key_test.go index 814804d3d16..5d7d99a29a5 100644 --- a/goodkey/sagoodkey/good_key_test.go +++ b/goodkey/sagoodkey/good_key_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "testing" "google.golang.org/grpc" @@ -24,7 +23,7 @@ func TestDBBlocklistAccept(t *testing.T) { policy, err := NewPolicy(&goodkey.Config{}, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertNotError(t, err, "GoodKey failed with a non-blocked key") 
@@ -39,7 +38,7 @@ func TestDBBlocklistReject(t *testing.T) { policy, err := NewPolicy(&goodkey.Config{}, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertError(t, err, "GoodKey didn't fail with a blocked key") diff --git a/grpc/creds/creds_test.go b/grpc/creds/creds_test.go index d8bc7ce15c4..398ceda7585 100644 --- a/grpc/creds/creds_test.go +++ b/grpc/creds/creds_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/tls" "crypto/x509" "math/big" @@ -80,7 +79,7 @@ func TestServerTransportCredentials(t *testing.T) { } func TestClientTransportCredentials(t *testing.T) { - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + priv, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") temp := &x509.Certificate{ @@ -91,12 +90,12 @@ func TestClientTransportCredentials(t *testing.T) { BasicConstraintsValid: true, IsCA: true, } - derA, err := x509.CreateCertificate(rand.Reader, temp, temp, priv.Public(), priv) + derA, err := x509.CreateCertificate(nil, temp, temp, priv.Public(), priv) test.AssertNotError(t, err, "x509.CreateCertificate failed") certA, err := x509.ParseCertificate(derA) test.AssertNotError(t, err, "x509.ParserCertificate failed") temp.DNSNames[0] = "B" - derB, err := x509.CreateCertificate(rand.Reader, temp, temp, priv.Public(), priv) + derB, err := x509.CreateCertificate(nil, temp, temp, priv.Public(), priv) test.AssertNotError(t, err, "x509.CreateCertificate failed") certB, err := x509.ParseCertificate(derB) test.AssertNotError(t, err, "x509.ParserCertificate failed") diff --git a/issuance/cert.go b/issuance/cert.go index 9be35237c9a..9d0e734e65e 100644 --- a/issuance/cert.go +++ b/issuance/cert.go 
@@ -4,7 +4,6 @@ import ( "bytes" "crypto" "crypto/ecdsa" - "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" @@ -391,7 +390,7 @@ func (i *Issuer) Issue(token *issuanceToken) ([]byte, error) { return nil, errors.New("tried to redeem issuance token with the wrong issuer") } - return x509.CreateCertificate(rand.Reader, template, i.Cert.Certificate, token.pubKey.PublicKey, i.Signer) + return x509.CreateCertificate(nil, template, i.Cert.Certificate, token.pubKey.PublicKey, i.Signer) } // containsCTPoison returns true if the provided set of extensions includes diff --git a/issuance/cert_test.go b/issuance/cert_test.go index 4e986290d39..6d73a5b4892 100644 --- a/issuance/cert_test.go +++ b/issuance/cert_test.go @@ -5,7 +5,6 @@ import ( "crypto/dsa" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" @@ -337,14 +336,14 @@ func TestIssue(t *testing.T) { { name: "RSA", generateFunc: func() (crypto.Signer, error) { - return rsa.GenerateKey(rand.Reader, 2048) + return rsa.GenerateKey(nil, 2048) }, ku: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, }, { name: "ECDSA", generateFunc: func() (crypto.Signer, error) { - return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + return ecdsa.GenerateKey(elliptic.P256(), nil) }, ku: x509.KeyUsageDigitalSignature, }, @@ -401,7 +400,7 @@ func TestIssueDNSNamesOnly(t *testing.T) { if err != nil { t.Fatalf("newIssuer: %s", err) } - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("ecdsa.GenerateKey: %s", err) } @@ -440,7 +439,7 @@ func TestIssueIPAddressesOnly(t *testing.T) { if err != nil { t.Fatalf("newIssuer: %s", err) } - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("ecdsa.GenerateKey: %s", err) } 
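Review bot: In the `Issue` hunk of issuance/cert.go, `x509.CreateCertificate(nil, ...)` forwards the nil reader to `i.Signer.Sign`, so the call is only safe if that signer never reads from its `rand` argument. The concrete type of `i.Signer` is not visible in this hunk; if it is a `crypto.Signer` interface backed by something other than a standard-library key, a nil reader could fail or panic at issuance time rather than at startup. I would state the contract on the call, e.g. `// rand is nil: i.Signer must not read from its rand argument`, and cover it with a test that signs through the production signer type. The same applies to `x509.CreateRevocationList(nil, ...)` in `IssueCRL` (issuance/crl.go); both function bodies start outside their hunks.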
@@ -482,7 +481,7 @@ func TestIssueWithCRLDP(t *testing.T) { if err != nil { t.Fatalf("newIssuer: %s", err) } - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("ecdsa.GenerateKey: %s", err) } @@ -524,7 +523,7 @@ func TestIssueCommonName(t *testing.T) { test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") ir := &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -591,7 +590,7 @@ func TestIssueOmissions(t *testing.T) { signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := rsa.GenerateKey(rand.Reader, 2048) + pk, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(prof, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -620,7 +619,7 @@ func TestIssueCTPoison(t *testing.T) { fc.Set(time.Now()) signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(defaultProfile(), &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, 
@@ -668,7 +667,7 @@ func TestIssueSCTList(t *testing.T) { test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(enforceSCTsProfile, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -736,7 +735,7 @@ func TestIssueBadLint(t *testing.T) { test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, _, err = signer.Prepare(noSkipLintsProfile, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -765,7 +764,7 @@ func TestIssuanceToken(t *testing.T) { _, err = signer.Issue(nil) test.AssertError(t, err, "expected issuance with a nil token to fail") - pk, err := rsa.GenerateKey(rand.Reader, 2048) + pk, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(defaultProfile(), &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -812,7 +811,7 @@ func TestInvalidProfile(t *testing.T) { signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, _, err = signer.Prepare(defaultProfile(), &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, 
@@ -861,7 +860,7 @@ func TestMismatchedProfiles(t *testing.T) { cnProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := issuer1.Prepare(cnProfile, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, diff --git a/issuance/crl.go b/issuance/crl.go index f33af188393..ffb042a3bcd 100644 --- a/issuance/crl.go +++ b/issuance/crl.go @@ -1,7 +1,6 @@ package issuance import ( - "crypto/rand" "crypto/x509" "fmt" "math/big" @@ -114,7 +113,7 @@ func (i *Issuer) IssueCRL(prof *CRLProfile, req *CRLRequest) ([]byte, error) { } crlBytes, err := x509.CreateRevocationList( - rand.Reader, + nil, template, i.Cert.Certificate, i.Signer, diff --git a/issuance/issuer_test.go b/issuance/issuer_test.go index aa9911c4e57..6aff9a6f215 100644 --- a/issuance/issuer_test.go +++ b/issuance/issuer_test.go @@ -4,7 +4,6 @@ import ( "crypto/ecdsa" "crypto/ed25519" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "fmt" @@ -50,7 +49,7 @@ var issuerCert *Certificate var issuerSigner *ecdsa.PrivateKey func TestMain(m *testing.M) { - tk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + tk, err := ecdsa.GenerateKey(elliptic.P256(), nil) cmd.FailOnError(err, "failed to generate test key") issuerSigner = tk template := &x509.Certificate{ @@ -62,7 +61,7 @@ func TestMain(m *testing.M) { }, KeyUsage: x509.KeyUsageCRLSign | x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, } - issuer, err := x509.CreateCertificate(rand.Reader, template, template, tk.Public(), tk) + issuer, err := x509.CreateCertificate(nil, template, template, tk.Public(), tk) cmd.FailOnError(err, "failed to generate test issuer") cert, err := x509.ParseCertificate(issuer) cmd.FailOnError(err, "failed to parse test issuer") 
@@ -106,7 +105,7 @@ func TestLoadSigner(t *testing.T) { // We're using this for its pubkey. This definitely doesn't match the private // key loaded in any of the tests below, but that's okay because it still gets // us through all the logic in loadSigner. - fakeKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + fakeKey, err := ecdsa.GenerateKey(elliptic.P224(), nil) test.AssertNotError(t, err, "generating test key") tests := []struct { diff --git a/linter/linter.go b/linter/linter.go index a3befcc0797..335a7627f07 100644 --- a/linter/linter.go +++ b/linter/linter.go @@ -3,7 +3,6 @@ package linter import ( "bytes" "crypto" - "crypto/rand" "crypto/x509" "fmt" "strings" @@ -179,7 +178,7 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C URIs: realIssuer.URIs, UnknownExtKeyUsage: realIssuer.UnknownExtKeyUsage, } - lintIssuerBytes, err := x509.CreateCertificate(rand.Reader, lintIssuerTBS, lintIssuerTBS, lintSigner.Public(), lintSigner) + lintIssuerBytes, err := x509.CreateCertificate(nil, lintIssuerTBS, lintIssuerTBS, lintSigner.Public(), lintSigner) if err != nil { return nil, fmt.Errorf("failed to create lint issuer: %w", err) } @@ -210,7 +209,7 @@ func NewRegistry(skipLints []string) (lint.Registry, error) { } func makeLintCert(tbs *x509.Certificate, subjectPubKey crypto.PublicKey, issuer *x509.Certificate, signer crypto.Signer) ([]byte, *zlintx509.Certificate, error) { - lintCertBytes, err := x509.CreateCertificate(rand.Reader, tbs, issuer, subjectPubKey, signer) + lintCertBytes, err := x509.CreateCertificate(nil, tbs, issuer, subjectPubKey, signer) if err != nil { return nil, nil, fmt.Errorf("failed to create lint certificate: %w", err) } 
@@ -245,7 +244,7 @@ func ProcessResultSet(lintRes *zlint.ResultSet) error { } func makeLintCRL(tbs *x509.RevocationList, issuer *x509.Certificate, signer crypto.Signer) (*zlintx509.RevocationList, error) { - lintCRLBytes, err := x509.CreateRevocationList(rand.Reader, tbs, issuer, signer) + lintCRLBytes, err := x509.CreateRevocationList(nil, tbs, issuer, signer) if err != nil { return nil, err } diff --git a/linter/makesigner.go b/linter/makesigner.go index 3ab91a1236d..3676294a2f6 100644 --- a/linter/makesigner.go +++ b/linter/makesigner.go @@ -5,7 +5,6 @@ package linter import ( "crypto" "crypto/ecdsa" - "crypto/rand" "crypto/rsa" "fmt" ) @@ -15,12 +14,12 @@ func makeSigner(realSigner crypto.Signer) (crypto.Signer, error) { var err error switch k := realSigner.Public().(type) { case *rsa.PublicKey: - lintSigner, err = rsa.GenerateKey(rand.Reader, k.Size()*8) + lintSigner, err = rsa.GenerateKey(nil, k.Size()*8) if err != nil { return nil, fmt.Errorf("failed to create RSA lint signer: %w", err) } case *ecdsa.PublicKey: - lintSigner, err = ecdsa.GenerateKey(k.Curve, rand.Reader) + lintSigner, err = ecdsa.GenerateKey(k.Curve, nil) if err != nil { return nil, fmt.Errorf("failed to create ECDSA lint signer: %w", err) } diff --git a/linter/makesigner_go127.go b/linter/makesigner_go127.go index d5c15e0062a..7cd591282a0 100644 --- a/linter/makesigner_go127.go +++ b/linter/makesigner_go127.go @@ -6,7 +6,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/mldsa" - "crypto/rand" "crypto/rsa" "fmt" ) 
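Review bot: `rsa.GenerateKey(nil, k.Size()*8)` and `ecdsa.GenerateKey(k.Curve, nil)` in `makeSigner` are only safe on toolchains whose crypto/rsa and crypto/ecdsa ignore the random argument; where the argument is still honoured, key generation reads from a nil reader. The identical change in linter/makesigner_go127.go suggests makesigner.go is the variant built by older toolchains, although the build constraints are outside the hunk. I would confirm that the module's minimum Go version rules out toolchains that honour the argument and record that next to the calls, e.g. `// the random argument is ignored by the standard library on all supported Go versions`. The test-file hunks in this commit rest on the same assumption.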
@@ -19,12 +18,12 @@ func makeSigner(realSigner crypto.Signer) (crypto.Signer, error) { var err error switch k := realSigner.Public().(type) { case *rsa.PublicKey: - lintSigner, err = rsa.GenerateKey(rand.Reader, k.Size()*8) + lintSigner, err = rsa.GenerateKey(nil, k.Size()*8) if err != nil { return nil, fmt.Errorf("failed to create RSA lint signer: %w", err) } case *ecdsa.PublicKey: - lintSigner, err = ecdsa.GenerateKey(k.Curve, rand.Reader) + lintSigner, err = ecdsa.GenerateKey(k.Curve, nil) if err != nil { return nil, fmt.Errorf("failed to create ECDSA lint signer: %w", err) } diff --git a/observer/probers/aia/aia_test.go b/observer/probers/aia/aia_test.go index 1a4f1f1feaa..84dfc62b3a9 100644 --- a/observer/probers/aia/aia_test.go +++ b/observer/probers/aia/aia_test.go @@ -3,7 +3,6 @@ package probers import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "math/big" @@ -21,7 +20,7 @@ import ( // TestAIAProbe_Probe tests the Probe method of AIAProbe func TestAIAProbe_Probe(t *testing.T) { // Create a test CA certificate - privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating private key") template := x509.Certificate{ @@ -37,7 +36,7 @@ func TestAIAProbe_Probe(t *testing.T) { IsCA: true, } - certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey) + certDER, err := x509.CreateCertificate(nil, &template, &template, &privateKey.PublicKey, privateKey) test.AssertNotError(t, err, "creating certificate") // Create a test non-CA certificate 
@@ -54,7 +53,7 @@ func TestAIAProbe_Probe(t *testing.T) { IsCA: false, } - nonCACertDER, err := x509.CreateCertificate(rand.Reader, &nonCATemplate, &nonCATemplate, &privateKey.PublicKey, privateKey) + nonCACertDER, err := x509.CreateCertificate(nil, &nonCATemplate, &nonCATemplate, &privateKey.PublicKey, privateKey) test.AssertNotError(t, err, "creating non-CA certificate") // Test with valid CA certificate and correct content-type diff --git a/pkcs11helpers/helpers_test.go b/pkcs11helpers/helpers_test.go index f7a252bdb0c..b4aa95fdee0 100644 --- a/pkcs11helpers/helpers_test.go +++ b/pkcs11helpers/helpers_test.go @@ -5,7 +5,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/sha256" "encoding/asn1" @@ -249,10 +248,10 @@ func TestX509Signer(t *testing.T) { ctx.SignInitFunc = func(pkcs11.SessionHandle, []*pkcs11.Mechanism, pkcs11.ObjectHandle) error { return nil } - tk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + tk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed to generate test key") ctx.SignFunc = func(_ pkcs11.SessionHandle, digest []byte) ([]byte, error) { - r, s, err := ecdsa.Sign(rand.Reader, tk, digest[:]) + r, s, err := ecdsa.Sign(nil, tk, digest[:]) if err != nil { return nil, err } diff --git a/precert/corr_test.go b/precert/corr_test.go index 8d29ee077e4..6a18aabf25c 100644 --- a/precert/corr_test.go +++ b/precert/corr_test.go @@ -3,7 +3,6 @@ package precert import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/pem" 
@@ -102,19 +101,19 @@ func derFromPEMFile(filename string) ([]byte, error) { func TestMismatches(t *testing.T) { now := time.Now() - issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatal(err) } // A separate issuer key, used for signing the final certificate, but // using the same simulated issuer certificate. - untrustedIssuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + untrustedIssuerKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatal(err) } - subscriberKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + subscriberKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatal(err) } @@ -141,7 +140,7 @@ func TestMismatches(t *testing.T) { }, } - precertDER, err := x509.CreateCertificate(rand.Reader, &precertTemplate, &issuer, &subscriberKey.PublicKey, issuerKey) + precertDER, err := x509.CreateCertificate(nil, &precertTemplate, &issuer, &subscriberKey.PublicKey, issuerKey) if err != nil { t.Fatal(err) } @@ -165,7 +164,7 @@ func TestMismatches(t *testing.T) { modify(finalCertTemplate) - finalCertDER, err := x509.CreateCertificate(rand.Reader, finalCertTemplate, + finalCertDER, err := x509.CreateCertificate(nil, finalCertTemplate, &issuer, &subscriberKey.PublicKey, untrustedIssuerKey) if err != nil { t.Fatal(err) @@ -201,7 +200,7 @@ func TestMismatches(t *testing.T) { }, } - precertDER2, err := x509.CreateCertificate(rand.Reader, &precertTemplate2, &issuer, &subscriberKey.PublicKey, issuerKey) + precertDER2, err := x509.CreateCertificate(nil, &precertTemplate2, &issuer, &subscriberKey.PublicKey, issuerKey) if err != nil { t.Fatal(err) } diff --git a/privatekey/privatekey_test.go b/privatekey/privatekey_test.go index bcc2ecf3873..14b736c9811 100644 --- a/privatekey/privatekey_test.go +++ b/privatekey/privatekey_test.go 
@@ -3,7 +3,6 @@ package privatekey import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "testing" @@ -11,13 +10,13 @@ import ( ) func TestVerifyRSAKeyPair(t *testing.T) { - privKey1, err := rsa.GenerateKey(rand.Reader, 2048) + privKey1, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Failed while generating test key 1") _, _, err = verify(privKey1) test.AssertNotError(t, err, "Failed to verify valid key") - privKey2, err := rsa.GenerateKey(rand.Reader, 2048) + privKey2, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Failed while generating test key 2") verifyHash, err := makeVerifyHash() @@ -28,13 +27,13 @@ func TestVerifyRSAKeyPair(t *testing.T) { } func TestVerifyECDSAKeyPair(t *testing.T) { - privKey1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey1, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed while generating test key 1") _, _, err = verify(privKey1) test.AssertNotError(t, err, "Failed to verify valid key") - privKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey2, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed while generating test key 2") verifyHash, err := makeVerifyHash() diff --git a/publisher/publisher.go b/publisher/publisher.go index de88bff92b4..658d9f5a7c1 100644 --- a/publisher/publisher.go +++ b/publisher/publisher.go @@ -3,7 +3,6 @@ package publisher import ( "context" "crypto/ecdsa" - "crypto/rand" "crypto/sha256" "crypto/tls" "crypto/x509" @@ -375,7 +374,7 @@ func CreateTestingSignedSCT(req []string, k *ecdsa.PrivateKey, precert bool, tim var ecdsaSig struct { R, S *big.Int } - ecdsaSig.R, ecdsaSig.S, _ = ecdsa.Sign(rand.Reader, k, hashed[:]) + ecdsaSig.R, ecdsaSig.S, _ = ecdsa.Sign(nil, k, hashed[:]) sig, _ := asn1.Marshal(ecdsaSig) // The ct.SignedCertificateTimestamp object doesn't have the needed 
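Review bot: The changed line in `CreateTestingSignedSCT` (publisher/publisher.go) still discards the error from `ecdsa.Sign`, so a failed signature leaves `R` and `S` nil and the helper goes on to marshal them, discarding the `asn1.Marshal` error as well. Since the commit already touches this call, I would capture the error with `r, s, err := ecdsa.Sign(nil, k, hashed[:])` and fail loudly, e.g. `if err != nil { panic(err) }`, which fits a testing helper unless the function can return an error. Its signature is truncated in the hunk header and its body extends beyond the hunk, so the right way to report the failure needs checking against the full function.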
diff --git a/publisher/publisher_test.go b/publisher/publisher_test.go index 98a501989fd..e04205a1a6a 100644 --- a/publisher/publisher_test.go +++ b/publisher/publisher_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" @@ -150,7 +149,7 @@ func setup(t *testing.T) (*Impl, *x509.Certificate, *ecdsa.PrivateKey) { leaf, err := core.LoadCert("../test/hierarchy/ee-r3.cert.pem") test.AssertNotError(t, err, "unable to load leaf certificate.") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Couldn't generate test key") return pub, leaf, k @@ -173,7 +172,7 @@ func makePrecert(k *ecdsa.PrivateKey) (map[issuance.NameID][]ct.ASN1Cert, []byte BasicConstraintsValid: true, IsCA: true, } - rootBytes, err := x509.CreateCertificate(rand.Reader, &rootTmpl, &rootTmpl, k.Public(), k) + rootBytes, err := x509.CreateCertificate(nil, &rootTmpl, &rootTmpl, k.Public(), k) if err != nil { return nil, nil, err } @@ -187,7 +186,7 @@ func makePrecert(k *ecdsa.PrivateKey) (map[issuance.NameID][]ct.ASN1Cert, []byte {Id: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}, Critical: true, Value: []byte{0x05, 0x00}}, }, } - precert, err := x509.CreateCertificate(rand.Reader, &precertTmpl, root, k.Public(), k) + precert, err := x509.CreateCertificate(nil, &precertTmpl, root, k.Public(), k) if err != nil { return nil, nil, err } 
@@ -275,14 +274,14 @@ func TestLogCache(t *testing.T) { test.AssertError(t, err, "AddLog() with an invalid log URI didn't error") // Create one keypair & base 64 public key - k1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k1, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey() failed for k1") der1, err := x509.MarshalPKIXPublicKey(&k1.PublicKey) test.AssertNotError(t, err, "x509.MarshalPKIXPublicKey(der1) failed") k1b64 := base64.StdEncoding.EncodeToString(der1) // Create a second keypair & base64 public key - k2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k2, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey() failed for k2") der2, err := x509.MarshalPKIXPublicKey(&k2.PublicKey) test.AssertNotError(t, err, "x509.MarshalPKIXPublicKey(der2) failed") diff --git a/ra/ra_test.go b/ra/ra_test.go index b7957db7316..f33744ec79a 100644 --- a/ra/ra_test.go +++ b/ra/ra_test.go @@ -15,7 +15,6 @@ import ( "encoding/pem" "errors" "fmt" - "math" "math/big" mrand "math/rand/v2" "net/netip" @@ -824,7 +823,7 @@ func TestCertificateKeyNotEqualAccountKey(t *testing.T) { }) test.AssertNotError(t, err, "Could not add test order with finalized authz IDs, ready status") - csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + csrBytes, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ // Registration has key == AccountKeyA PublicKey: AccountKeyA.Key, SignatureAlgorithm: x509.SHA256WithRSA, 
@@ -2363,31 +2362,31 @@ func TestFinalizeOrder(t *testing.T) { authzIDA := createFinalizedAuthorization(t, sa, registration.Id, identifier.NewDNS("not-example.com"), exp, core.ChallengeTypeHTTP01, ra.clk.Now()) authzIDB := createFinalizedAuthorization(t, sa, registration.Id, identifier.NewDNS("www.not-example.com"), exp, core.ChallengeTypeHTTP01, ra.clk.Now()) - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") - policyForbidCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + policyForbidCSR, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, DNSNames: []string{"example.org"}, }, testKey) test.AssertNotError(t, err, "Error creating policy forbid CSR") - oneDomainCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + oneDomainCSR, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, DNSNames: []string{"a.com"}, }, testKey) test.AssertNotError(t, err, "Error creating CSR with one DNS name") - twoDomainCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + twoDomainCSR, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, DNSNames: []string{"a.com", "b.com"}, }, testKey) test.AssertNotError(t, err, "Error creating CSR with two DNS names") - validCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + validCSR, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.Public(), SignatureAlgorithm: x509.SHA256WithRSA, DNSNames: []string{"not-example.com", "www.not-example.com"}, 
@@ -2403,7 +2402,7 @@ func TestFinalizeOrder(t *testing.T) { BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } - certDER, err := x509.CreateCertificate(rand.Reader, expectedCert, expectedCert, testKey.Public(), testKey) + certDER, err := x509.CreateCertificate(nil, expectedCert, expectedCert, testKey.Public(), testKey) test.AssertNotError(t, err, "failed to construct test certificate") ra.CA.(*mocks.MockCA).PEM = pem.EncodeToMemory(&pem.Block{Bytes: certDER, Type: "CERTIFICATE"}) @@ -2672,9 +2671,9 @@ func TestFinalizeOrderWithMixedSANAndCN(t *testing.T) { }, }) test.AssertNotError(t, err, "Could not add test order with finalized authz IDs") - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") - mixedCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + mixedCSR, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, Subject: pkix.Name{CommonName: "not-example.com"}, @@ -2690,7 +2689,7 @@ func TestFinalizeOrderWithMixedSANAndCN(t *testing.T) { BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } - cert, err := x509.CreateCertificate(rand.Reader, template, template, testKey.Public(), testKey) + cert, err := x509.CreateCertificate(nil, template, template, testKey.Public(), testKey) test.AssertNotError(t, err, "Failed to create mixed cert") ra.CA = &mocks.MockCA{ 
@@ -2718,9 +2717,9 @@ func TestFinalizeOrderWildcard(t *testing.T) { now := ra.clk.Now() exp := now.Add(365 * 24 * time.Hour) - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error creating test RSA key") - wildcardCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + wildcardCSR, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, DNSNames: []string{"*.zombo.com"}, @@ -2738,7 +2737,7 @@ func TestFinalizeOrderWildcard(t *testing.T) { DNSNames: []string{"*.zombo.com"}, } - certBytes, err := x509.CreateCertificate(rand.Reader, template, template, testKey.Public(), testKey) + certBytes, err := x509.CreateCertificate(nil, template, template, testKey.Public(), testKey) test.AssertNotError(t, err, "Error creating test certificate") certPEM := pem.EncodeToMemory(&pem.Block{ @@ -2833,9 +2832,9 @@ func TestFinalizeOrderDisabledChallenge(t *testing.T) { test.AssertEquals(t, order.V2Authorizations[0], authzID) // Create a CSR for this order - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating test key") - csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + csr, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, DNSNames: []string{domain}, }, testKey) 
@@ -2897,37 +2896,16 @@ func TestFinalizeWithMustStaple(t *testing.T) { test.AssertNotError(t, err, "creating test order") test.AssertEquals(t, order.V2Authorizations[0], authzID) - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating test key") - csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + csr, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.Public(), DNSNames: []string{domain}, ExtraExtensions: []pkix.Extension{ocspMustStapleExt}, }, testKey) test.AssertNotError(t, err, "creating must-staple CSR") - serial, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt64)) - test.AssertNotError(t, err, "generating random serial number") - template := &x509.Certificate{ - SerialNumber: serial, - Subject: pkix.Name{CommonName: domain}, - DNSNames: []string{domain}, - NotBefore: fc.Now(), - NotAfter: fc.Now().Add(365 * 24 * time.Hour), - BasicConstraintsValid: true, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, - ExtraExtensions: []pkix.Extension{ocspMustStapleExt}, - } - cert, err := x509.CreateCertificate(rand.Reader, template, template, testKey.Public(), testKey) - test.AssertNotError(t, err, "creating certificate") - ra.CA = &mocks.MockCA{ - PEM: pem.EncodeToMemory(&pem.Block{ - Bytes: cert, - Type: "CERTIFICATE", - }), - } - _, err = ra.FinalizeOrder(context.Background(), &rapb.FinalizeOrderRequest{ Order: order, Csr: csr, 
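Review bot: The reason `TestFinalizeWithMustStaple` no longer needs a mock CA should be stated in the test, because this hunk deletes the certificate template, the generated certificate and the `ra.CA = &mocks.MockCA{...}` assignment alongside the mechanical `rand.Reader` replacement. Presumably the must-staple CSR is expected to be rejected before the CA is ever called, but the assertion after `FinalizeOrder` is outside the hunk, so that cannot be confirmed here. A comment above the call such as `// No mock CA: the must-staple CSR should be rejected before issuance is attempted.` would keep a later reader from assuming the setup was dropped by accident.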
@@ -2967,9 +2945,9 @@ func TestIssueCertificateAuditLog(t *testing.T) { test.AssertNotError(t, err, "Could not add test order with finalized authz IDs") // Generate a CSR covering the order names with a random RSA key - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") - csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + csr, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, Subject: pkix.Name{CommonName: "not-example.com"}, @@ -2989,7 +2967,7 @@ func TestIssueCertificateAuditLog(t *testing.T) { BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } - cert, err := x509.CreateCertificate(rand.Reader, template, template, testKey.Public(), testKey) + cert, err := x509.CreateCertificate(nil, template, template, testKey.Public(), testKey) test.AssertNotError(t, err, "Failed to create mock cert for test CA") // Set up the RA's CA with a mock that returns the cert from above @@ -3109,9 +3087,9 @@ func TestIssueCertificateCAACheckLog(t *testing.T) { test.AssertNotError(t, err, "Could not add test order with finalized authz IDs") // Generate a CSR covering the order names with a random RSA key. - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") - csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ + csr, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA, Subject: pkix.Name{CommonName: "not-example.com"}, 
@@ -3131,7 +3109,7 @@ func TestIssueCertificateCAACheckLog(t *testing.T) { BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } - cert, err := x509.CreateCertificate(rand.Reader, template, template, testKey.Public(), testKey) + cert, err := x509.CreateCertificate(nil, template, template, testKey.Public(), testKey) test.AssertNotError(t, err, "Failed to create mock cert for test CA") // Set up the RA's CA with a mock that returns the cert from above. @@ -3294,13 +3272,13 @@ func TestIssueCertificateOuter(t *testing.T) { ra.SA = &mockSAWithFinalize{} // Create a CSR to submit and a certificate for the fake CA to return. - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating test key") - csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{"example.com"}}, testKey) + csrDER, err := x509.CreateCertificateRequest(nil, &x509.CertificateRequest{DNSNames: []string{"example.com"}}, testKey) test.AssertNotError(t, err, "creating test csr") csr, err := x509.ParseCertificateRequest(csrDER) test.AssertNotError(t, err, "parsing test csr") - certDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{ + certDER, err := x509.CreateCertificate(nil, &x509.Certificate{ SerialNumber: big.NewInt(1), DNSNames: []string{"example.com"}, NotBefore: fc.Now(), @@ -3501,7 +3479,7 @@ func (msar *mockSARevocation) GetCertificate(_ context.Context, req *sapb.Serial _, _ = rand.Read(serialBytes[:]) serial := big.NewInt(0).SetBytes(serialBytes[:]) - key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P224(), nil) if err != nil { return nil, err } 
@@ -3515,7 +3493,7 @@ func (msar *mockSARevocation) GetCertificate(_ context.Context, req *sapb.Serial CRLDistributionPoints: []string{"http://example.com/123.crl"}, } - testCertDER, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) + testCertDER, err := x509.CreateCertificate(nil, template, template, key.Public(), key) if err != nil { return nil, err } diff --git a/sa/model_test.go b/sa/model_test.go index 50901aeaae1..e033c422a6d 100644 --- a/sa/model_test.go +++ b/sa/model_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "database/sql" @@ -373,11 +372,11 @@ func insertCertificate(ctx context.Context, dbMap *db.WrappedMap, fc clock.FakeC SerialNumber: serialBigInt, } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return fmt.Errorf("generating test key: %w", err) } - certDer, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key) + certDer, err := x509.CreateCertificate(nil, &template, &template, key.Public(), key) if err != nil { return fmt.Errorf("generating test cert: %w", err) } diff --git a/sa/sa_test.go b/sa/sa_test.go index d9040e1de70..6a484d11bcb 100644 --- a/sa/sa_test.go +++ b/sa/sa_test.go @@ -5,7 +5,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/sha256" "crypto/x509" "database/sql" @@ -125,7 +124,7 @@ func initSA(t testing.TB) (*SQLStorageAuthority, clock.FakeClock) { // CreateWorkingTestRegistration inserts a new, correct Registration into the // given SA. func createWorkingRegistration(t testing.TB, sa *SQLStorageAuthority) *corepb.Registration { - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("Failed to generate ECDSA key: %s", err) } 
@@ -4359,7 +4358,7 @@ func TestGetPausedIdentifiersOnlyUnpausesOneAccount(t *testing.T) { } func newAcctKey(t *testing.T) []byte { - key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, _ := ecdsa.GenerateKey(elliptic.P256(), nil) jwk := &jose.JSONWebKey{Key: key.Public()} acctKey, err := jwk.MarshalJSON() test.AssertNotError(t, err, "failed to marshal account key") diff --git a/test/certs.go b/test/certs.go index add38e4d1b3..fdf270f5291 100644 --- a/test/certs.go +++ b/test/certs.go @@ -37,7 +37,7 @@ func ThrowAwayCert(t *testing.T, clk clock.Clock) (string, *x509.Certificate) { _, _ = rand.Read(serialBytes[:]) serial := big.NewInt(0).SetBytes(serialBytes[:]) - key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P224(), nil) AssertNotError(t, err, "rsa.GenerateKey failed") template := &x509.Certificate{ @@ -50,7 +50,7 @@ func ThrowAwayCert(t *testing.T, clk clock.Clock) (string, *x509.Certificate) { CRLDistributionPoints: []string{"http://localhost:4002/issuer/1234/crl/1"}, } - testCertDER, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) + testCertDER, err := x509.CreateCertificate(nil, template, template, key.Public(), key) AssertNotError(t, err, "x509.CreateCertificate failed") testCert, err := x509.ParseCertificate(testCertDER) AssertNotError(t, err, "failed to parse self-signed cert DER") diff --git a/test/certs/genmtpki/genmtpki.go b/test/certs/genmtpki/genmtpki.go index a72ebf407ee..208c64a184a 100644 --- a/test/certs/genmtpki/genmtpki.go +++ b/test/certs/genmtpki/genmtpki.go @@ -4,7 +4,6 @@ package main import ( "crypto/mldsa" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "encoding/asn1" 
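Review bot: `newAcctKey` in sa/sa_test.go drops the error from `ecdsa.GenerateKey` and then calls `key.Public()`, so a failed generation would show up as a nil-pointer panic instead of a test failure. Since the line is being edited anyway, check it: `key, err := ecdsa.GenerateKey(elliptic.P256(), nil)` followed by `test.AssertNotError(t, err, "failed to generate account key")`. The same discarded error sits on the new lines in testTLSCert (va/tlsalpn_test.go) and in TestOrderMatchesReplacement and TestCountNewOrderWithReplaces (wfe2/wfe_test.go). testTLSCert has no `*testing.T` in its visible signature, so the check there would need a signature change or an explicit panic with a message.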
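Review bot: The assertion after the changed line in ThrowAwayCert (test/certs.go) still says `"rsa.GenerateKey failed"` although the call is `ecdsa.GenerateKey`, which would mislead anyone reading a failure. Change it to `AssertNotError(t, err, "ecdsa.GenerateKey failed")`. The function body continues outside the hunk.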
@@ -80,7 +79,7 @@ func main2() error { BasicConstraintsValid: true, ExtraExtensions: []pkix.Extension{extn}, } - certBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) + certBytes, err := x509.CreateCertificate(nil, template, template, key.Public(), key) if err != nil { return err } diff --git a/test/integration/account_test.go b/test/integration/account_test.go index cf92764fce7..bab3bd90282 100644 --- a/test/integration/account_test.go +++ b/test/integration/account_test.go @@ -5,7 +5,6 @@ package integration import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "strings" "testing" @@ -54,7 +53,7 @@ func TestNewAccount(t *testing.T) { }, } { t.Run(tc.name, func(t *testing.T) { - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } @@ -90,7 +89,7 @@ func TestNewAccount_DuplicateKey(t *testing.T) { t.Fatalf("failed to connect to acme directory: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } @@ -149,7 +148,7 @@ func TestAccountDeactivate(t *testing.T) { t.Fatalf("failed to connect to acme directory: %s", err) } - acctKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + acctKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } diff --git a/test/integration/ari_test.go b/test/integration/ari_test.go index 88fe833d95e..874d6876cde 100644 --- a/test/integration/ari_test.go +++ b/test/integration/ari_test.go @@ -5,7 +5,6 @@ package integration import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "testing" "time" 
@@ -20,7 +19,7 @@ func TestARIAndReplacement(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Issue a cert, request ARI, and check that both the suggested window and @@ -68,7 +67,7 @@ func TestARIShortLived(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Issue a short-lived cert, request ARI, and check that both the suggested @@ -94,7 +93,7 @@ func TestARIRevoked(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Issue a cert, revoke it, request ARI, and check that the suggested window @@ -118,7 +117,7 @@ func TestARIForPrecert(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Try to make a new cert for a new domain, but sabotage the CT logs so diff --git a/test/integration/cert_storage_failed_test.go b/test/integration/cert_storage_failed_test.go index c6839f338f3..4b210cc319e 100644 --- a/test/integration/cert_storage_failed_test.go +++ b/test/integration/cert_storage_failed_test.go 
@@ -6,7 +6,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "database/sql" "fmt" @@ -118,7 +117,7 @@ func TestIssuanceCertStorageFailed(t *testing.T) { defer db.ExecContext(ctx, `DROP TRIGGER IF EXISTS fail_ready`) } - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // ---- Test revocation by serial ---- diff --git a/test/integration/common_test.go b/test/integration/common_test.go index 557bc8f907d..c9c931c841e 100644 --- a/test/integration/common_test.go +++ b/test/integration/common_test.go @@ -49,7 +49,7 @@ func makeClient(contacts ...string) (*client, error) { if err != nil { return nil, fmt.Errorf("Error connecting to acme directory: %v", err) } - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, fmt.Errorf("error creating private key: %v", err) } @@ -161,7 +161,7 @@ func authAndIssueFetchAllChains(c *client, csrKey *ecdsa.PrivateKey, idents []ac func makeCSR(k *ecdsa.PrivateKey, idents []acme.Identifier, cn bool) (*x509.CertificateRequest, error) { var err error if k == nil { - k, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err = ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, fmt.Errorf("generating certificate key: %s", err) } @@ -191,7 +191,7 @@ func makeCSR(k *ecdsa.PrivateKey, idents []acme.Identifier, cn bool) (*x509.Cert tmpl.Subject = pkix.Name{CommonName: names[0]} } - csrDer, err := x509.CreateCertificateRequest(rand.Reader, tmpl, k) + csrDer, err := x509.CreateCertificateRequest(nil, tmpl, k) if err != nil { return nil, fmt.Errorf("making csr: %s", err) } diff --git a/test/integration/email_exporter_test.go b/test/integration/email_exporter_test.go index 64ebe191dd3..ff9c43b55d8 100644 --- a/test/integration/email_exporter_test.go 
+++ b/test/integration/email_exporter_test.go @@ -154,7 +154,7 @@ func TestContactsSentForNewAccount(t *testing.T) { t.Fatalf("failed to connect to acme directory: %s", err) } - acctKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + acctKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } @@ -165,4 +165,3 @@ func TestContactsSentForNewAccount(t *testing.T) { }) } } - diff --git a/test/integration/errors_test.go b/test/integration/errors_test.go index 83eab5f71a4..200c54d114e 100644 --- a/test/integration/errors_test.go +++ b/test/integration/errors_test.go @@ -7,7 +7,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "encoding/base64" "encoding/json" "errors" @@ -194,7 +193,7 @@ func TestBadSignatureAlgorithm(t *testing.T) { payload := base64.RawURLEncoding.EncodeToString([]byte(`{"onlyReturnExisting": true}`)) hash := crypto.SHA512.New() hash.Write([]byte(protected + "." + payload)) - sig, err := client.Account.PrivateKey.Sign(rand.Reader, hash.Sum(nil), crypto.SHA512) + sig, err := client.Account.PrivateKey.Sign(nil, hash.Sum(nil), crypto.SHA512) if err != nil { t.Fatalf("creating fake signature: %s", err) } @@ -264,7 +263,7 @@ func TestOrderFinalizeEarly(t *testing.T) { if err != nil { t.Fatalf("creating order: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating key: %s", err) } diff --git a/test/integration/issuance_test.go b/test/integration/issuance_test.go index f931c0236b4..2e839773ca8 100644 --- a/test/integration/issuance_test.go +++ b/test/integration/issuance_test.go @@ -5,7 +5,6 @@ package integration import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "crypto/x509/pkix" "fmt" 
@@ -29,7 +28,7 @@ func TestCommonNameInCSR(t *testing.T) { test.AssertNotError(t, err, "creating acme client") // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Put together some names. @@ -66,7 +65,7 @@ func TestFirstCSRSANHoistedToCN(t *testing.T) { test.AssertNotError(t, err, "creating acme client") // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Create some names that we can sort. @@ -100,7 +99,7 @@ func TestCommonNameSANsTooLong(t *testing.T) { test.AssertNotError(t, err, "creating acme client") // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Put together some names. @@ -142,7 +141,7 @@ func TestIssuanceProfiles(t *testing.T) { } // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Create a set of identifiers to request. @@ -184,7 +183,7 @@ func TestIssuanceMTC(t *testing.T) { t.Fatalf("creating acme client: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating keypair: %s", err) } @@ -211,7 +210,7 @@ func TestIPShortLived(t *testing.T) { } // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("creating random cert key: %s", err) } 
@@ -298,7 +297,7 @@ func TestIPCNRejected(t *testing.T) { t.Fatalf("updating challenge: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("creating random cert key: %s", err) } @@ -309,7 +308,7 @@ func TestIPCNRejected(t *testing.T) { PublicKey: key.Public(), IPAddresses: []net.IP{ipParsed}, } - csrDer, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, key) + csrDer, err := x509.CreateCertificateRequest(nil, csrTemplate, key) if err != nil { t.Fatalf("making csr: %s", err) } diff --git a/test/integration/key_rollover_test.go b/test/integration/key_rollover_test.go index 1873864e309..f2963279fb3 100644 --- a/test/integration/key_rollover_test.go +++ b/test/integration/key_rollover_test.go @@ -5,7 +5,6 @@ package integration import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "testing" @@ -25,20 +24,20 @@ func TestAccountKeyChange(t *testing.T) { // and P-384) supported by go-jose and goodkey, but doing so results in a very // slow integration test. Instead, just test rollover once in each direction, // ECDSA->RSA and vice versa. - key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key1, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating P-256 account key") acct1, err := c.NewAccount(key1, false, true) test.AssertNotError(t, err, "creating account") - key2, err := rsa.GenerateKey(rand.Reader, 2048) + key2, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "creating RSA 2048 account key") acct2, err := c.AccountKeyChange(acct1, key2) test.AssertNotError(t, err, "rolling over account key") test.AssertEquals(t, acct2.URL, acct1.URL) - key3, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + key3, err := ecdsa.GenerateKey(elliptic.P384(), nil) test.AssertNotError(t, err, "creating P-384 account key") acct3, err := c.AccountKeyChange(acct1, key3) 
diff --git a/test/integration/observer_test.go b/test/integration/observer_test.go index 9c3b72659ba..84040efa3b4 100644 --- a/test/integration/observer_test.go +++ b/test/integration/observer_test.go @@ -6,7 +6,6 @@ import ( "bufio" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "encoding/pem" "fmt" @@ -75,7 +74,7 @@ func TestTLSProbe(t *testing.T) { t.Fatalf("creating test acme client: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating test key: %s", err) } diff --git a/test/integration/otel_test.go b/test/integration/otel_test.go index 066099a549e..103678b158a 100644 --- a/test/integration/otel_test.go +++ b/test/integration/otel_test.go @@ -6,7 +6,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "encoding/json" "fmt" "io" @@ -282,7 +281,7 @@ func traceIssuingTestCert(t *testing.T) trace.TraceID { c, err := acme.NewClient("http://boulder.service.consul:4001/directory", option) test.AssertNotError(t, err, "acme.NewClient failed") - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Generating ECDSA key failed") account, err := c.NewAccount(privKey, false, true) diff --git a/test/integration/revocation_test.go b/test/integration/revocation_test.go index 8ae4b0c495e..51f6bf95ab3 100644 --- a/test/integration/revocation_test.go +++ b/test/integration/revocation_test.go @@ -6,7 +6,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/x509" "encoding/hex" "encoding/json" 
@@ -272,7 +271,7 @@ func TestRevocation(t *testing.T) { issueClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") domain := random_domain() @@ -475,7 +474,7 @@ func TestReRevocation(t *testing.T) { issueClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Try to issue a certificate for the name. @@ -578,7 +577,7 @@ func TestRevokeWithKeyCompromiseBlocksKey(t *testing.T) { c, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate cert key") res, err := authAndIssue(c, certKey, []acme.Identifier{{Type: "dns", Value: random_domain()}}, true, "") @@ -621,7 +620,7 @@ func TestBadKeyRevoker(t *testing.T) { neutralClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate cert key") // Issue a cert from the revokee client, which we'll revoke soon @@ -662,7 +661,7 @@ func TestBadKeyRevokerByAccount(t *testing.T) { neutralClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate cert key") // Issue a cert from the revoke client, which we'll revoke soon 
diff --git a/test/integration/subordinate_ca_chains_test.go b/test/integration/subordinate_ca_chains_test.go index f54069c4f1f..729e8ed5951 100644 --- a/test/integration/subordinate_ca_chains_test.go +++ b/test/integration/subordinate_ca_chains_test.go @@ -5,7 +5,6 @@ package integration import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "strings" "testing" @@ -20,7 +19,7 @@ func TestSubordinateCAChainsServedByWFE(t *testing.T) { client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") chains, err := authAndIssueFetchAllChains(client, key, []acme.Identifier{{Type: "dns", Value: random_domain()}}, true) diff --git a/test/integration/testdata/fermat_csr.go b/test/integration/testdata/fermat_csr.go index d9a68bd1954..e0ff3b717ad 100644 --- a/test/integration/testdata/fermat_csr.go +++ b/test/integration/testdata/fermat_csr.go @@ -25,7 +25,7 @@ func main() { // Generate q, which will be the smaller of the two factors. We set its length // so that the product of two similarly-sized factors will be the desired // bit length. - q, err := rand.Prime(rand.Reader, (bits+1)/2) + q, err := rand.Prime(nil, (bits+1)/2) if err != nil { log.Fatalln(err) } @@ -81,7 +81,7 @@ func main() { // go detect that the prime factors are too close together and refuse to // produce a signature. csrDER, err := x509.CreateCertificateRequest( - rand.Reader, + nil, &x509.CertificateRequest{ Subject: pkix.Name{CommonName: "example.com"}, PublicKey: &pubkey, diff --git a/test/integration/validation_test.go b/test/integration/validation_test.go index 29e7a69c815..6c4b7166801 100644 --- a/test/integration/validation_test.go +++ b/test/integration/validation_test.go 
@@ -5,7 +5,6 @@ package integration import ( "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "database/sql" "fmt" "slices" @@ -326,7 +325,7 @@ func TestCAARechecking(t *testing.T) { // Try to finalize the order created above. Due to our db manipulation, this // should trigger a CAA recheck. And due to our challtestsrv manipulation, // that CAA recheck should fail. Therefore the whole finalize should fail. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating cert key: %s", err) } diff --git a/test/load-generator/boulder-calls.go b/test/load-generator/boulder-calls.go index c395a6ee3d6..eb47db7232d 100644 --- a/test/load-generator/boulder-calls.go +++ b/test/load-generator/boulder-calls.go @@ -88,7 +88,7 @@ func newAccount(s *State, c *acmeCache) error { } // Create a random signing key - signKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + signKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return err } @@ -495,7 +495,7 @@ func finalizeOrder(s *State, c *acmeCache) error { // Create a CSR using the state's certKey csr, err := x509.CreateCertificateRequest( - rand.Reader, + nil, &x509.CertificateRequest{DNSNames: dnsNames}, s.certKey, ) diff --git a/test/load-generator/state.go b/test/load-generator/state.go index 6d075740726..62bc08c6e06 100644 --- a/test/load-generator/state.go +++ b/test/load-generator/state.go @@ -5,7 +5,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/tls" "crypto/x509" "encoding/json" @@ -281,7 +280,7 @@ func New( operations []string, challStrat string, revokeChance float32) (*State, error) { - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, err } diff --git a/va/tlsalpn_test.go b/va/tlsalpn_test.go index ec6af5cd8f8..9dd732c9435 100644 --- a/va/tlsalpn_test.go 
+++ b/va/tlsalpn_test.go @@ -4,7 +4,6 @@ import ( "context" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/sha256" "crypto/tls" "crypto/x509" @@ -65,8 +64,8 @@ func testTLSCert(names []string, ips []net.IP, extensions []pkix.Extension) *tls IPAddresses: ips, ExtraExtensions: extensions, } - key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) - certBytes, _ := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) + key, _ := ecdsa.GenerateKey(elliptic.P256(), nil) + certBytes, _ := x509.CreateCertificate(nil, template, template, key.Public(), key) return &tls.Certificate{ Certificate: [][]byte{certBytes}, @@ -338,9 +337,9 @@ func TestCertNames(t *testing.T) { // Round-trip the certificate through generation and parsing, to make sure // certAltNames can handle "real" certificates and not just templates. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Error creating test key") - certBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) + certBytes, err := x509.CreateCertificate(nil, template, template, key.Public(), key) test.AssertNotError(t, err, "Error creating certificate") cert, err := x509.ParseCertificate(certBytes) @@ -673,7 +672,7 @@ func TestTLSALPN01NotSelfSigned(t *testing.T) { ExtraExtensions: []pkix.Extension{testACMEExt}, } - eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + eeKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test key") issuerCert := &x509.Certificate{ 
@@ -686,12 +685,12 @@ func TestTLSALPN01NotSelfSigned(t *testing.T) { BasicConstraintsValid: true, } - issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test key") // Test that a cert with mismatched subject and issuer fields is rejected, // even though its signature is produced with the right (self-signed) key. - certBytes, err := x509.CreateCertificate(rand.Reader, eeTemplate, issuerCert, eeKey.Public(), eeKey) + certBytes, err := x509.CreateCertificate(nil, eeTemplate, issuerCert, eeKey.Public(), eeKey) test.AssertNotError(t, err, "failed to create acme-tls/1 cert") acmeCert := &tls.Certificate{ @@ -709,7 +708,7 @@ func TestTLSALPN01NotSelfSigned(t *testing.T) { // Test that a cert whose signature was produced by some other key is rejected, // even though its subject and issuer fields claim that it is self-signed. - certBytes, err = x509.CreateCertificate(rand.Reader, eeTemplate, eeTemplate, eeKey.Public(), issuerKey) + certBytes, err = x509.CreateCertificate(nil, eeTemplate, eeTemplate, eeKey.Public(), issuerKey) test.AssertNotError(t, err, "failed to create acme-tls/1 cert") acmeCert = &tls.Certificate{ @@ -746,9 +745,9 @@ func TestTLSALPN01ExtraIdentifiers(t *testing.T) { ExtraExtensions: []pkix.Extension{testACMEExt}, } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test key") - certBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) + certBytes, err := x509.CreateCertificate(nil, template, template, key.Public(), key) test.AssertNotError(t, err, "failed to create acme-tls/1 cert") acmeCert := &tls.Certificate{ diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index 68198087583..f943bb5ec66 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go 
@@ -6,7 +6,6 @@ import ( "crypto" "crypto/ecdsa" "crypto/elliptic" - "crypto/rand" "crypto/rsa" "crypto/x509" "encoding/asn1" @@ -804,8 +803,11 @@ func (fr fakeRand) Read(p []byte) (int, error) { func TestDirectory(t *testing.T) { wfe, _, signer := setupWFE(t) mux := wfe.Handler(metrics.NoopRegisterer) + + // We need deterministic randomness for the random directory entry. + origRand := core.RandReader core.RandReader = fakeRand{} - defer func() { core.RandReader = rand.Reader }() + defer func() { core.RandReader = origRand }() dirURL, _ := url.Parse("/directory") @@ -921,8 +923,11 @@ func TestDirectory(t *testing.T) { func TestRelativeDirectory(t *testing.T) { wfe, _, _ := setupWFE(t) mux := wfe.Handler(metrics.NoopRegisterer) + + // We need deterministic randomness for the random directory entry. + origRand := core.RandReader core.RandReader = fakeRand{} - defer func() { core.RandReader = rand.Reader }() + defer func() { core.RandReader = origRand }() expectedDirectory := func(hostname string) string { expected := new(bytes.Buffer) @@ -2407,7 +2412,7 @@ func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, req *sapb.Serial, } issuerKey := loadKey(&testing.T{}, issuerKeyPem) - newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + newKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, fmt.Errorf("failed to create test key: %w", err) } @@ -2422,7 +2427,7 @@ func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, req *sapb.Serial, DNSNames: []string{"new.ee.boulder.test"}, } - certDER, err := x509.CreateCertificate(rand.Reader, template, issuer, &newKey.PublicKey, issuerKey) + certDER, err := x509.CreateCertificate(nil, template, issuer, &newKey.PublicKey, issuerKey) if err != nil { return nil, fmt.Errorf("failed to issue test cert: %w", err) } 
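Review bot: The save-and-restore of `core.RandReader` added to TestDirectory is repeated verbatim in TestRelativeDirectory. Both still swap a package-level variable that other tests in the package would observe if any of them run in parallel, which is not visible from these hunks. A small helper built on `t.Cleanup` keeps the restore next to the override and removes the duplication; each test then calls `useFakeRand(t)` in place of the three added statements. Both test bodies continue outside their hunks.

```go
// useFakeRand swaps core.RandReader for the deterministic fakeRand and
// restores the previous reader when the test finishes.
func useFakeRand(t *testing.T) {
	t.Helper()
	orig := core.RandReader
	core.RandReader = fakeRand{}
	t.Cleanup(func() { core.RandReader = orig })
}
```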
@@ -3124,7 +3129,7 @@ func TestKeyRollover(t *testing.T) { responseWriter := httptest.NewRecorder() wfe, _, signer := setupWFE(t) - existingKey, err := rsa.GenerateKey(rand.Reader, 2048) + existingKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error creating random 2048 RSA key") newKeyBytes, err := os.ReadFile("../test/test-key-5.der") @@ -3416,7 +3421,7 @@ func TestRevokeCertificateNotIssued(t *testing.T) { wfe.sa = newMockSAWithCert(t, wfe.sa) // Make a self-signed junk certificate - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unexpected error making random private key") // Use a known serial from the mockSAWithValidCert mock. // This ensures that any failures here are due to the certificate's issuer @@ -3427,7 +3432,7 @@ func TestRevokeCertificateNotIssued(t *testing.T) { template := &x509.Certificate{ SerialNumber: knownCert.SerialNumber, } - certDER, err := x509.CreateCertificate(rand.Reader, template, template, k.Public(), k) + certDER, err := x509.CreateCertificate(nil, template, template, k.Public(), k) test.AssertNotError(t, err, "Unexpected error creating self-signed junk cert") keyPemBytes, err := os.ReadFile("../test/hierarchy/ee-r3.key.pem") @@ -4069,13 +4074,13 @@ func TestOrderMatchesReplacement(t *testing.T) { expectExpiry := time.Now().AddDate(0, 0, 1) expectSerial := big.NewInt(1337) - testKey, _ := rsa.GenerateKey(rand.Reader, 1024) + testKey, _ := rsa.GenerateKey(nil, 1024) rawCert := x509.Certificate{ NotAfter: expectExpiry, DNSNames: []string{"example.com", "example-a.com"}, SerialNumber: expectSerial, } - mockDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) + mockDer, err := x509.CreateCertificate(nil, &rawCert, &rawCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "failed to create test certificate") wfe.sa = &mockSAForARI{ 
@@ -4230,7 +4235,7 @@ func TestCountNewOrderWithReplaces(t *testing.T) { issuer = v break } - testKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, _ := ecdsa.GenerateKey(elliptic.P256(), nil) expectSerial := big.NewInt(1337) expectCert := &x509.Certificate{ NotBefore: fc.Now(), @@ -4241,7 +4246,7 @@ func TestCountNewOrderWithReplaces(t *testing.T) { } expectCertId, err := makeARICertID(expectCert) test.AssertNotError(t, err, "failed to create test cert id") - expectDer, err := x509.CreateCertificate(rand.Reader, expectCert, expectCert, &testKey.PublicKey, testKey) + expectDer, err := x509.CreateCertificate(nil, expectCert, expectCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "failed to create test certificate") // MockSA that returns the certificate with the expected serial. @@ -4296,7 +4301,7 @@ func TestNewOrderRateLimits(t *testing.T) { issuer = v break } - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to create test key") extantCert := &x509.Certificate{ NotBefore: fc.Now(), @@ -4307,7 +4312,7 @@ func TestNewOrderRateLimits(t *testing.T) { } extantCertId, err := makeARICertID(extantCert) test.AssertNotError(t, err, "failed to create test cert id") - extantDer, err := x509.CreateCertificate(rand.Reader, extantCert, extantCert, &testKey.PublicKey, testKey) + extantDer, err := x509.CreateCertificate(nil, extantCert, extantCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "failed to create test certificate") // Mock SA that returns the certificate with the expected serial.