Comparing changes
base repository: golang/crypto
base: v0.39.0
head repository: golang/crypto
compare: v0.40.0
- 8 commits
- 16 files changed
- 4 contributors
Commits on Jun 30, 2025
ssh: reject certificate keys used as signature keys for SSH certs
As specified in draft-miller-ssh-cert-01, Section 2.1.1: Implementations MUST NOT accept certificate keys as CA keys.

Change-Id: I2e559a8a58b7bceccd0d8c6b80803abdbe281067
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/678715
Reviewed-by: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: David Chase <drchase@google.com>
Commit 0ae49b8

ssh: refuse to parse certificates that use a certificate as signing key
According to draft-miller-ssh-cert-01, Section 2.1.1, certificates with certificate keys as signature keys are invalid.

Change-Id: I474524ea444deb78f2fa7c2682e47c0fd057f0b8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/678716
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Commit c6fce02

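The rule behind the two ssh commits above, shown at the wire level as an added example (standard library only, not code from golang/crypto). `CheckSignatureKey`, `readString` and `wire` are hypothetical names, the key blobs are constructed, and the check relies on OpenSSH certificate key type names ending in `-cert-v01@openssh.com`.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Suffix shared by the OpenSSH certificate key type names.
const certSuffix = "-cert-v01@openssh.com"

// readString consumes one SSH wire "string": uint32 length, then that many bytes.
func readString(b []byte) (val, rest []byte, err error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, errors.New("truncated SSH string")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// CheckSignatureKey rejects a signature (CA) key blob whose key type is itself
// a certificate type, so a certificate can never act as a CA key.
func CheckSignatureKey(blob []byte) error {
	keyType, _, err := readString(blob)
	if err != nil {
		return fmt.Errorf("signature key: %w", err)
	}
	if strings.HasSuffix(string(keyType), certSuffix) {
		return fmt.Errorf("signature key type %q is a certificate, not a plain key", keyType)
	}
	return nil
}

// wire encodes its arguments as consecutive SSH strings (builds the samples).
func wire(fields ...string) []byte {
	var out []byte
	for _, f := range fields {
		out = binary.BigEndian.AppendUint32(out, uint32(len(f)))
		out = append(out, f...)
	}
	return out
}

func main() {
	// Both blobs are constructed; the second stands in for a certificate used as CA key.
	fmt.Println(CheckSignatureKey(wire("ssh-ed25519", strings.Repeat("\x01", 32))))
	fmt.Println(CheckSignatureKey(wire("ssh-ed25519-cert-v01@openssh.com", "rest omitted")))
}
```
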
x509roots/fallback: update bundle
This is an automated CL which updates the NSS root bundle.

[git-generate]
go generate ./x509roots

Change-Id: Icb71f9f7c509dc6f49ad4385aa287bd6a8966523
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/681915
Auto-Submit: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Commit 952517d

Fixes golang/go#69518

Change-Id: Id9989ac9b28262df77017e97f985f67c1571c3ce
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/644255
Reviewed-by: Austin Clements <austin@google.com>
Auto-Submit: Austin Clements <austin@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit 97bf787

acme: add Pebble integration testing
This commit adds integration test coverage for a complete TLS-ALPN-01 and HTTP-01 based issuance flow. For each tested challenge type we:

* Spin up a pebble/pebble-challtestsrv environment
* Spin up a small challenge response server
* Create an ACME account
* Create an order for multiple DNS type identifiers
* Provision challenge responses based on the challenge type under test
* Wait for the order to become ready for issuance
* Finalize the order, issuing a certificate
* Check the newly issued certificate chain validates with the Pebble trust anchor, and that the certificate is valid for each of the names from our initial order

These tests are skipped in short mode (Pebble has variable delays for validation requests). The Pebble source is fetched through the Go module proxy (unless a local directory is specified to aid development), similar to how the stdlib crypto packages fetch BoGo tooling.

More test coverage for various other parts of the protocol (key rollover, account/authz deactivation, revocation, etc) can be added as follow-up work now that the groundwork for integration testing is laid.

Fixes golang/go#73914

Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest
Change-Id: I4e79f4858f31ef290a0c91d345e15fbdc510e9ab
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/677575
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Commit 1dc4269

acme: fix TLSALPN01ChallengeCert for IP address identifiers
When creating a TLS-ALPN-01 challenge response certificate for an IP address identifier we need to configure the template IPAddresses field, not the DNSNames/Subject.CommonName.

Along the way we can do some small tidying:

* Updating the draft TLS-ALPN-01 reference to the finalized RFC
* Adding a reference to the IP address identifier ACME RFC
* Adding a mention of the form the challenge validation request's SNI will take when verifying an IP address identifier
* Tidying the private tlsChallengeCert() function to take a single identifier as arg since the only call-sites provide singular values since the removal of the TLS-SNI-[01|02] challenge helpers.

This allows enabling an IP address identifier in the Pebble integration tests that otherwise caused a validation failure for TLS-ALPN-01 challenge types because the IP address was used as a DNS SAN.

Updates golang/go#73914

Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-linux-amd64-longtest
Change-Id: Ic671e41b585f424f821db65206c7ffcc6dd386a0
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/677576
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Commit b3790b8
Commits on Jul 9, 2025
ssh: add AlgorithmNegotiationError
Fixes golang/go#61536

Change-Id: Id38cc6d46879dbe2bdea04dec061596387ec6cfe
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/559056
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Commit 74e709a
Commits on Jul 10, 2025
go.mod: update golang.org/x dependencies
Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I3a89b1890ad2f7d2b2c23e1efce60c19e43dd381
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/687017
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Commit 459a9db
You can try running this command locally to see the comparison on your machine:
git diff v0.39.0...v0.40.0