Address linter issues

Herman Slatman
2024-08-20 16:54:29 +02:00
parent 91fccfe298
commit aeb5e1b366
13 changed files with 29 additions and 31 deletions


@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe
func wrapRevokeErr(err error) *acme.Error {
t := err.Error()
if strings.Contains(t, "is already revoked") {
return acme.NewError(acme.ErrorAlreadyRevokedType, t)
return acme.NewError(acme.ErrorAlreadyRevokedType, t) //nolint:govet // allow non-constant error messages
}
return acme.WrapErrorISE(err, "error when revoking certificate")
}
@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {
func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
var acmeErr *acme.Error
if err == nil {
acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg) //nolint:govet // allow non-constant error messages
} else {
acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg) //nolint:govet // allow non-constant error messages
}
acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403
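Review bot: The `//nolint:govet` added in `wrapRevokeErr` and twice in `wrapUnauthorizedError` silences the non-constant-format-string finding instead of resolving it, so `t` and `msg` are still interpreted as format strings. Going by the `NewError` definition shown later in this commit, which hands `msg` to `errors.Errorf(msg, args...)`, any `%` in the underlying error text comes out as `%!d(MISSING)`-style noise in the ACME problem document and in the logs. Passing the text as an argument makes the directive unnecessary: `return acme.NewError(acme.ErrorAlreadyRevokedType, "%s", t)` and `acmeErr = acme.NewError(acme.ErrorUnauthorizedType, "%s", msg)`; `WrapError` presumably needs the same treatment, but its body is not fully visible here. The same suppression is added at the `errs.BadRequestErr`, `errs.ForbiddenErr` and `errs.WithMessage` call sites in the JWK and X5C `AuthorizeSSHSign`, `signSSHCertificate`, `signSSH` and `signX509` hunks. `wrapUnauthorizedError` continues past the end of this hunk.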


@@ -294,14 +294,14 @@ type Subproblem struct {
}
// NewError creates a new Error.
func NewError(pt ProblemType, msg string, args ...interface{}) *Error {
func NewError(pt ProblemType, msg string, args ...any) *Error {
return newError(pt, errors.Errorf(msg, args...))
}
// NewDetailedError creates a new Error that includes the error
// message in the details, providing more information to the
// ACME client.
func NewDetailedError(pt ProblemType, msg string, args ...interface{}) *Error {
func NewDetailedError(pt ProblemType, msg string, args ...any) *Error {
return NewError(pt, msg, args...).withDetail()
}
@@ -324,7 +324,7 @@ func (e *Error) AddSubproblems(subproblems ...Subproblem) *Error {
// NewSubproblem creates a new Subproblem. The msg and args
// are used to create a new error, which is set as the Detail, allowing
// for more detailed error messages to be returned to the ACME client.
func NewSubproblem(pt ProblemType, msg string, args ...interface{}) Subproblem {
func NewSubproblem(pt ProblemType, msg string, args ...any) Subproblem {
e := newError(pt, fmt.Errorf(msg, args...))
s := Subproblem{
Type: e.Type,
@@ -335,7 +335,7 @@ func NewSubproblem(pt ProblemType, msg string, args ...interface{}) Subproblem {
// NewSubproblemWithIdentifier creates a new Subproblem with a specific ACME
// Identifier. It calls NewSubproblem and sets the Identifier.
func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...interface{}) Subproblem {
func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...any) Subproblem {
s := NewSubproblem(pt, msg, args...)
s.Identifier = &identifier
return s
@@ -362,12 +362,12 @@ func newError(pt ProblemType, err error) *Error {
}
// NewErrorISE creates a new ErrorServerInternalType Error.
func NewErrorISE(msg string, args ...interface{}) *Error {
func NewErrorISE(msg string, args ...any) *Error {
return NewError(ErrorServerInternalType, msg, args...)
}
// WrapError attempts to wrap the internal error.
func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
func WrapError(typ ProblemType, err error, msg string, args ...any) *Error {
var e *Error
switch {
case err == nil:
@@ -384,12 +384,12 @@ func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Err
}
}
func WrapDetailedError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
func WrapDetailedError(typ ProblemType, err error, msg string, args ...any) *Error {
return WrapError(typ, err, msg, args...).withDetail()
}
// WrapErrorISE shortcut to wrap an internal server error type.
func WrapErrorISE(err error, msg string, args ...interface{}) *Error {
func WrapErrorISE(err error, msg string, args ...any) *Error {
return WrapError(ErrorServerInternalType, err, msg, args...)
}
@@ -415,7 +415,7 @@ func (e *Error) Cause() error {
}
// ToLog implements the EnableLogger interface.
func (e *Error) ToLog() (interface{}, error) {
func (e *Error) ToLog() (any, error) {
b, err := json.Marshal(e)
if err != nil {
return nil, WrapErrorISE(err, "error marshaling acme.Error for logging")


@@ -4,7 +4,7 @@ import (
"bytes"
"context"
"crypto"
"crypto/dsa" //nolint:staticcheck // support legacy algorithms
"crypto/dsa" // support legacy algorithms
"crypto/ecdsa"
"crypto/ed25519"
"crypto/rsa"


@@ -202,7 +202,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
}
if !found {
msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
err := admin.NewError(admin.ErrorNotFoundType, msg)
err := admin.NewError(admin.ErrorNotFoundType, msg) //nolint:govet // allow non-constant error messages
render.Error(w, r, err)
return
}
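Review bot: In `UpdateProvisionerWebhook` the message is formatted twice: `fmt.Sprintf` builds `msg`, and the result is then passed to `admin.NewError` in the format position, which is what the new `//nolint:govet` hides. `%q` does not escape `%`, so a provisioner or webhook name containing a verb such as `%d` would presumably be rendered as `%!d(MISSING)` in the response. Assuming `admin.NewError` accepts format arguments, as the govet finding implies, handing it the format and values directly removes both the intermediate variable and the directive: `err := admin.NewError(admin.ErrorNotFoundType, "provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)`. The function body starts and ends outside this hunk.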


@@ -249,7 +249,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
// Use options in the token.
if opts.CertType != "" {
if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
return nil, errs.BadRequestErr(err, err.Error())
return nil, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
}
}
if opts.KeyID != "" {


@@ -246,7 +246,7 @@ type Config struct {
Claims Claims
// Audiences are the audiences used in the default provisioner, (JWK).
Audiences Audiences
// SSHKeys are the root SSH public keys
// SSHKeys are the root SSH public keys.
SSHKeys *SSHKeys
// GetIdentityFunc is a function that returns an identity that will be
// used by the provisioner to populate certificate attributes.
@@ -257,11 +257,11 @@ type Config struct {
// AuthorizeSSHRenewFunc is a function that returns nil if a given SSH
// certificate can be renewed.
AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
// WebhookClient is an http client to use in webhook request
// WebhookClient is an HTTP client used when performing webhook requests.
WebhookClient *http.Client
// SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
SCEPKeyManager SCEPKeyManager
// HTTPClient is an HTTP client that trust the system cert pool and the CA
// HTTPClient is an HTTP client that trusts the system cert pool and the CA
// roots.
HTTPClient *http.Client
}


@@ -90,7 +90,7 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
var templErr *sshutil.TemplateError
if errors.As(err, &templErr) {
return nil, errs.NewErr(http.StatusBadRequest, templErr,
errs.WithMessage(templErr.Error()),
errs.WithMessage(templErr.Error()), //nolint:govet // allow non-constant error messages
errs.WithKeyVal("signOptions", signOpts),
)
}


@@ -301,7 +301,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
// Use options in the token.
if opts.CertType != "" {
if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
return nil, errs.BadRequestErr(err, err.Error())
return nil, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
}
}
if opts.KeyID != "" {


@@ -214,7 +214,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
for _, v := range keyValidators {
if err := v.Valid(key); err != nil {
return nil, nil, errs.ApplyOptions(
errs.ForbiddenErr(err, err.Error()),
errs.ForbiddenErr(err, err.Error()), //nolint:govet // allow non-constant error messages
errs.WithKeyVal("signOptions", signOpts),
)
}
@@ -231,7 +231,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
// Call enriching webhooks
if err := a.callEnrichingWebhooksSSH(ctx, prov, webhookCtl, cr); err != nil {
return nil, prov, errs.ApplyOptions(
errs.ForbiddenErr(err, err.Error()),
errs.ForbiddenErr(err, err.Error()), //nolint:govet // allow non-constant error messages
errs.WithKeyVal("signOptions", signOpts),
)
}
@@ -243,7 +243,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
switch {
case errors.As(err, &te):
return nil, prov, errs.ApplyOptions(
errs.BadRequestErr(err, err.Error()),
errs.BadRequestErr(err, err.Error()), //nolint:govet // allow non-constant error messages
errs.WithKeyVal("signOptions", signOpts),
)
case strings.HasPrefix(err.Error(), "error unmarshaling certificate"):
@@ -263,7 +263,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
// Use SignSSHOptions to modify the certificate validity. It will be later
// checked or set if not defined.
if err := opts.ModifyValidity(certTpl); err != nil {
return nil, prov, errs.BadRequestErr(err, err.Error())
return nil, prov, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
}
// Use provisioner modifiers.
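Review bot: The `errs.ForbiddenErr(err, err.Error())` call after `callEnrichingWebhooksSSH` in `signSSH` uses the raw error text as the message, and the new `//nolint:govet` keeps it that way. If the message argument is what the CA returns to the requester, as the `errs` package comment about messages "directly sent to the cli" suggests, then the text of a webhook failure, which may name internal endpoints or upstream responses, ends up in the client-facing 403. It is worth confirming what that error can contain and, if it is not meant for clients, returning a fixed message while keeping the detail in the wrapped error, e.g. `errs.ForbiddenErr(err, "enriching webhook rejected the request")`, which also makes the directive unnecessary. The `callEnrichingWebhooksX509` branch in `signX509` has the same shape. `signSSH` starts and ends outside these hunks.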


@@ -197,7 +197,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
if err := a.callEnrichingWebhooksX509(ctx, prov, webhookCtl, attData, csr); err != nil {
return nil, prov, errs.ApplyOptions(
errs.ForbiddenErr(err, err.Error()),
errs.ForbiddenErr(err, err.Error()), //nolint:govet // allow non-constant error messages
errs.WithKeyVal("csr", csr),
errs.WithKeyVal("signOptions", signOpts),
)
@@ -209,7 +209,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
switch {
case errors.As(err, &te):
return nil, prov, errs.ApplyOptions(
errs.BadRequestErr(err, err.Error()),
errs.BadRequestErr(err, err.Error()), //nolint:govet // allow non-constant error messages
errs.WithKeyVal("csr", csr),
errs.WithKeyVal("signOptions", signOpts),
)


@@ -306,7 +306,7 @@ func (i *Identity) Renew(client Renewer) error {
return err
}
if sign.CertChainPEM == nil || len(sign.CertChainPEM) == 0 {
if len(sign.CertChainPEM) == 0 {
sign.CertChainPEM = []api.Certificate{sign.ServerPEM, sign.CaPEM}
}


@@ -132,7 +132,6 @@ func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse,
}
tr := getDefaultTransport(tlsConfig)
//nolint:staticcheck // Use mutable tls.Config on renew
tr.DialTLS = c.buildDialTLS(tlsCtx)
// tr.DialTLSContext = c.buildDialTLSContext(tlsCtx)
renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) //nolint:contextcheck // deeply nested context
@@ -180,7 +179,6 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
// Update renew function with transport
tr := getDefaultTransport(tlsConfig)
//nolint:staticcheck // Use mutable tls.Config on renew
tr.DialTLS = c.buildDialTLS(tlsCtx)
// tr.DialTLSContext = c.buildDialTLSContext(tlsCtx)
renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) //nolint:contextcheck // deeply nested context
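Review bot: Dropping `//nolint:staticcheck // Use mutable tls.Config on renew` in `getClientTLSConfig` and `GetServerTLSConfig` also drops the only explanation of why `tr.DialTLS` is assigned while the `DialTLSContext` line stays commented out. I would keep the rationale as an ordinary comment above each assignment, e.g. `// DialTLS is used on purpose: the dialer must pick up the tls.Config that changes on renew.`, worded to match what `buildDialTLS` really does (it is not visible here). Without it, a later cleanup is likely to switch to the commented-out `DialTLSContext` line, or delete it, without knowing the constraint that led to this choice. Both functions extend beyond their hunks.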


@@ -177,7 +177,7 @@ func StatusCodeError(code int, e error, opts ...Option) error {
}
}
var (
const (
seeLogs = "Please see the certificate authority logs for more info."
// BadRequestDefaultMsg 400 default msg
BadRequestDefaultMsg = "The request could not be completed; malformed or missing data. " + seeLogs
@@ -193,7 +193,7 @@ var (
NotImplementedDefaultMsg = "The requested method is not implemented by the certificate authority. " + seeLogs
)
var (
const (
// BadRequestPrefix is the prefix added to the bad request messages that are
// directly sent to the cli.
BadRequestPrefix = "The request could not be completed: "