diff --git a/ca/ca_test.go b/ca/ca_test.go index 81f4737c6f7..ecb78091cef 100644 --- a/ca/ca_test.go +++ b/ca/ca_test.go @@ -943,7 +943,7 @@ func TestNoteSignError(t *testing.T) { func TestGenerateSKID(t *testing.T) { t.Parallel() - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Error generating key") sha256skid, err := generateSKID(key.Public()) @@ -957,7 +957,7 @@ func TestVerifyTBSCertIsDeterministic(t *testing.T) { t.Parallel() // Create first keypair and cert - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unable to generate ECDSA private key") template := &x509.Certificate{ NotAfter: time.Now().Add(1 * time.Hour), @@ -968,7 +968,7 @@ func TestVerifyTBSCertIsDeterministic(t *testing.T) { test.AssertNotError(t, err, "unable to create certificate") // Create second keypair and cert - testKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey2, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unable to generate ECDSA private key") template2 := &x509.Certificate{ NotAfter: time.Now().Add(2 * time.Hour), diff --git a/ca/testdata/testcsr.go b/ca/testdata/testcsr.go index cd22487cde0..aaa527584b5 100644 --- a/ca/testdata/testcsr.go +++ b/ca/testdata/testcsr.go @@ -13,7 +13,7 @@ import ( ) func main() { - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + priv, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { log.Fatalf("Failed to parse private key: %s", err) } diff --git a/cmd/admin/cert_test.go b/cmd/admin/cert_test.go index 7a42898703d..d1069fccc17 100644 --- a/cmd/admin/cert_test.go +++ b/cmd/admin/cert_test.go @@ -105,7 +105,7 @@ func TestSerialsFromPrivateKey(t *testing.T) { fc := clock.NewFake() fc.Set(time.Now()) - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test private key") keyBytes, err := x509.MarshalPKCS8PrivateKey(privKey) test.AssertNotError(t, err, "marshalling test private key bytes") diff --git a/cmd/admin/key_test.go b/cmd/admin/key_test.go index 6a41b687c02..0fc1fcf9def 100644 --- a/cmd/admin/key_test.go +++ b/cmd/admin/key_test.go @@ -32,12 +32,12 @@ import ( func TestSPKIHashesFromPrivateKeys(t *testing.T) { - ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Generating ECDSA key") pkcs8ecdsa, err := x509.MarshalPKCS8PrivateKey(ecdsaKey) test.AssertNotError(t, err, "Marshalling PKCS8 private key") - rsaKey, err := rsa.GenerateKey(rand.Reader, 2048) + rsaKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Generating RSA key") pkcs8rsa, err := x509.MarshalPKCS8PrivateKey(rsaKey) test.AssertNotError(t, err, "Marshalling PKCS8 private key") @@ -166,7 +166,7 @@ func TestBlockSPKIHash(t *testing.T) { log := blog.NewMock() msa := mockSARecordingBlocks{} - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test private key") keyHash, err := core.KeyDigest(privKey.Public()) test.AssertNotError(t, err, "computing test SPKI hash") diff --git a/cmd/ceremony/cert_test.go b/cmd/ceremony/cert_test.go index 2fd8f8c11f9..990760c6d9b 100644 --- a/cmd/ceremony/cert_test.go +++ b/cmd/ceremony/cert_test.go @@ -549,7 +549,7 @@ func TestGenerateCSR(t *testing.T) { Country: "country", } - signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + signer, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") csrBytes, err := generateCSR(profile, &wrappedSigner{signer}) diff --git a/cmd/ceremony/crl_test.go b/cmd/ceremony/crl_test.go index 60f951af1ea..77603aa6c61 100644 --- a/cmd/ceremony/crl_test.go +++ b/cmd/ceremony/crl_test.go @@ -61,7 +61,7 @@ func (p wrappedSigner) Public() crypto.PublicKey { } func TestGenerateCRLLints(t *testing.T) { - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") cert := &x509.Certificate{ @@ -102,7 +102,7 @@ func TestGenerateCRLLints(t *testing.T) { } func TestGenerateCRL(t *testing.T) { - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") template := &x509.Certificate{ diff --git a/cmd/ceremony/ecdsa_test.go b/cmd/ceremony/ecdsa_test.go index 8bd34867581..ef3678cfe62 100644 --- a/cmd/ceremony/ecdsa_test.go +++ b/cmd/ceremony/ecdsa_test.go @@ -40,7 +40,7 @@ func TestECGenerate(t *testing.T) { ctx.GenerateRandomFunc = func(pkcs11.SessionHandle, int) ([]byte, error) { return []byte{1, 2, 3}, nil } - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + priv, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed to generate a ECDSA test key") // Test ecGenerate fails with unknown curve diff --git a/cmd/ceremony/key_test.go b/cmd/ceremony/key_test.go index 5a1768c491d..c57cf760d1c 100644 --- a/cmd/ceremony/key_test.go +++ b/cmd/ceremony/key_test.go @@ -46,7 +46,7 @@ func TestGenerateKeyRSA(t *testing.T) { tmp := t.TempDir() ctx := setupCtx() - rsaPriv, err := rsa.GenerateKey(rand.Reader, 1024) + rsaPriv, err := rsa.GenerateKey(nil, 1024) test.AssertNotError(t, err, "Failed to generate a test RSA key") ctx.GetAttributeValueFunc = func(pkcs11.SessionHandle, pkcs11.ObjectHandle, []*pkcs11.Attribute) ([]*pkcs11.Attribute, error) { return []*pkcs11.Attribute{ @@ -74,7 +74,7 @@ func TestGenerateKeyRSA(t *testing.T) { } func setECGenerateFuncs(ctx *pkcs11helpers.MockCtx) { - ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + ecPriv, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { panic(err) } diff --git a/cmd/ceremony/main_test.go b/cmd/ceremony/main_test.go index 899cb2909cc..ae2ff6396c5 100644 --- a/cmd/ceremony/main_test.go +++ b/cmd/ceremony/main_test.go @@ -22,7 +22,7 @@ import ( func TestLoadPubKey(t *testing.T) { tmp := t.TempDir() - key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, _ := ecdsa.GenerateKey(elliptic.P256(), nil) _, _, err := loadPubKey(path.Join(tmp, "does", "not", "exist")) test.AssertError(t, err, "should fail on non-existent file") @@ -1295,7 +1295,7 @@ func TestPostIssuanceLinting(t *testing.T) { err := postIssuanceLinting(nil, nil) test.AssertError(t, err, "should have failed because no certificate was provided") - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unable to generate ECDSA private key") template := &x509.Certificate{ NotAfter: clk.Now().Add(1 * time.Hour), diff --git a/cmd/ceremony/rsa_test.go b/cmd/ceremony/rsa_test.go index 40eb9d5df90..6a6773e7c4f 100644 --- a/cmd/ceremony/rsa_test.go +++ b/cmd/ceremony/rsa_test.go @@ -44,7 +44,7 @@ func TestRSAGenerate(t *testing.T) { return []byte{1, 2, 3}, nil } - priv, err := rsa.GenerateKey(rand.Reader, 1024) + priv, err := rsa.GenerateKey(nil, 1024) test.AssertNotError(t, err, "Failed to generate a RSA test key") // Test rsaGenerate fails when GenerateKeyPair fails diff --git a/cmd/cert-checker/main_test.go b/cmd/cert-checker/main_test.go index 47d49994d33..28f9c8e58a9 100644 --- a/cmd/cert-checker/main_test.go +++ b/cmd/cert-checker/main_test.go @@ -73,7 +73,7 @@ func init() { func BenchmarkCheckCert(b *testing.B) { checker := newChecker(nil, clock.New(), pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock()) - testKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, _ := ecdsa.GenerateKey(elliptic.P256(), nil) expiry := time.Now().AddDate(0, 0, 1) serial := big.NewInt(1337) rawCert := x509.Certificate{ @@ -106,7 +106,7 @@ func TestCheckWildcardCert(t *testing.T) { saCleanup() }() - testKey, _ := rsa.GenerateKey(rand.Reader, 2048) + testKey, _ := rsa.GenerateKey(nil, 2048) fc := clock.NewFake() checker := newChecker(saDbMap, fc, pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock()) issued := checker.clock.Now().Add(-time.Minute) @@ -184,13 +184,13 @@ type keyGen interface { type ecP256Generator struct{} func (*ecP256Generator) genKey() (crypto.Signer, error) { - return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + return ecdsa.GenerateKey(elliptic.P256(), nil) } type rsa2048Generator struct{} func (*rsa2048Generator) genKey() (crypto.Signer, error) { - return rsa.GenerateKey(rand.Reader, 2048) + return rsa.GenerateKey(nil, 2048) } func TestCheckCert(t *testing.T) { @@ -348,7 +348,7 @@ func TestGetAndProcessCerts(t *testing.T) { saCleanUp() }() - testKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, _ := ecdsa.GenerateKey(elliptic.P256(), nil) // Problems // Expiry period is too long rawCert := x509.Certificate{ @@ -559,7 +559,7 @@ func TestIgnoredLint(t *testing.T) { err = loglist.InitLintList("../../test/ct-test-srv/log_list.json", false) test.AssertNotError(t, err, "failed to load ct log list") - testKey, _ := rsa.GenerateKey(rand.Reader, 2048) + testKey, _ := rsa.GenerateKey(nil, 2048) checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, nil, blog.NewMock()) serial := big.NewInt(1337) @@ -646,7 +646,7 @@ func TestPrecertCorrespond(t *testing.T) { checker.getPrecert = func(_ context.Context, _ string) ([]byte, error) { return []byte("hello"), nil } - testKey, _ := rsa.GenerateKey(rand.Reader, 2048) + testKey, _ := rsa.GenerateKey(nil, 2048) expiry := time.Now().AddDate(0, 0, 1) serial := big.NewInt(1337) rawCert := x509.Certificate{ diff --git a/cmd/config_test.go b/cmd/config_test.go index 2935889b507..a1f7047673f 100644 --- a/cmd/config_test.go +++ b/cmd/config_test.go @@ -67,7 +67,7 @@ func TestTLSConfigLoad(t *testing.T) { key := path.Join(tmp, "TestTLSConfigLoad.key.pem") caCert := path.Join(tmp, "TestTLSConfigLoad.cacert.pem") - rootKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + rootKey, err := ecdsa.GenerateKey(elliptic.P224(), nil) test.AssertNotError(t, err, "creating test root key") rootTemplate := &x509.Certificate{ Subject: pkix.Name{CommonName: "test root"}, @@ -81,7 +81,7 @@ func TestTLSConfigLoad(t *testing.T) { err = os.WriteFile(caCert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootCert}), os.ModeAppend) test.AssertNotError(t, err, "writing test root cert to disk") - intKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + intKey, err := ecdsa.GenerateKey(elliptic.P224(), nil) test.AssertNotError(t, err, "creating test intermediate key") intKeyBytes, err := x509.MarshalECPrivateKey(intKey) test.AssertNotError(t, err, "marshalling test intermediate key") diff --git a/crl/storer/storer_test.go b/crl/storer/storer_test.go index 22654b9ebcc..c37500d0709 100644 --- a/crl/storer/storer_test.go +++ b/crl/storer/storer_test.go @@ -212,7 +212,7 @@ func TestUploadCRLInvalidSignature(t *testing.T) { }, }, } - fakeSigner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + fakeSigner, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating throwaway signer") crlBytes, err := x509.CreateRevocationList( rand.Reader, diff --git a/csr/csr_test.go b/csr/csr_test.go index 6f1936449a1..d2e3b98c056 100644 --- a/csr/csr_test.go +++ b/csr/csr_test.go @@ -45,7 +45,7 @@ func (pa *mockPA) CheckAuthzChallenges(a *core.Authorization) error { } func TestVerifyCSR(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") signedReqBytes, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{PublicKey: private.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA}, private) test.AssertNotError(t, err, "error generating test CSR") @@ -257,7 +257,7 @@ func TestSHA1Deprecation(t *testing.T) { keyPolicy, err := goodkey.NewPolicy(nil, nil) test.AssertNotError(t, err, "creating test keypolicy") - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") makeAndVerifyCsr := func(alg x509.SignatureAlgorithm) error { @@ -283,7 +283,7 @@ func TestSHA1Deprecation(t *testing.T) { } func TestDuplicateExtensionRejection(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") csrBytes, err := x509.CreateCertificateRequest(rand.Reader, diff --git a/goodkey/good_key_test.go b/goodkey/good_key_test.go index 133b6ac11ef..fa674770a64 100644 --- a/goodkey/good_key_test.go +++ b/goodkey/good_key_test.go @@ -123,14 +123,14 @@ func TestROCA(t *testing.T) { } func TestGoodKey(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error generating key") test.AssertNotError(t, testingPolicy.GoodKey(context.Background(), &private.PublicKey), "Should have accepted good key") } func TestECDSABadCurve(t *testing.T) { for _, curve := range invalidCurves { - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") err = testingPolicy.GoodKey(context.Background(), &private.PublicKey) test.AssertError(t, err, "Should have rejected key with unsupported curve") @@ -150,7 +150,7 @@ var validCurves = []elliptic.Curve{ func TestECDSAGoodKey(t *testing.T) { for _, curve := range validCurves { - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") test.AssertNotError(t, testingPolicy.GoodKey(context.Background(), &private.PublicKey), "Should have accepted good key") } @@ -159,7 +159,7 @@ func TestECDSAGoodKey(t *testing.T) { func TestECDSANotOnCurveX(t *testing.T) { for _, curve := range validCurves { // Change a public key so that it is no longer on the curve. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Add(private.X, big.NewInt(1)) @@ -172,7 +172,7 @@ func TestECDSANotOnCurveX(t *testing.T) { func TestECDSANotOnCurveY(t *testing.T) { for _, curve := range validCurves { // Again with Y. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") // Change the public key so that it is no longer on the curve. @@ -186,7 +186,7 @@ func TestECDSANotOnCurveY(t *testing.T) { func TestECDSANegative(t *testing.T) { for _, curve := range validCurves { // Check that negative X is not accepted. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Neg(private.X) @@ -206,7 +206,7 @@ func TestECDSANegative(t *testing.T) { func TestECDSAXOutsideField(t *testing.T) { for _, curve := range validCurves { // Check that X outside [0, p-1] is not accepted. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Mul(private.X, private.Curve.Params().P) @@ -219,7 +219,7 @@ func TestECDSAXOutsideField(t *testing.T) { func TestECDSAYOutsideField(t *testing.T) { for _, curve := range validCurves { // Check that Y outside [0, p-1] is not accepted. - private, err := ecdsa.GenerateKey(curve, rand.Reader) + private, err := ecdsa.GenerateKey(curve, nil) test.AssertNotError(t, err, "Error generating key") private.X.Mul(private.Y, private.Curve.Params().P) @@ -245,7 +245,7 @@ func TestECDSAIdentity(t *testing.T) { } func TestNonRefKey(t *testing.T) { - private, err := rsa.GenerateKey(rand.Reader, 2048) + private, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error generating key") test.AssertError(t, testingPolicy.GoodKey(context.Background(), private.PublicKey), "Accepted non-reference key") } @@ -260,7 +260,7 @@ func TestDBBlocklistAccept(t *testing.T) { policy, err := NewPolicy(nil, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertNotError(t, err, "GoodKey failed with a non-blocked key") @@ -275,7 +275,7 @@ func TestDBBlocklistReject(t *testing.T) { policy, err := NewPolicy(nil, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertError(t, err, "GoodKey didn't fail with a blocked key") diff --git a/goodkey/sagoodkey/good_key_test.go b/goodkey/sagoodkey/good_key_test.go index 814804d3d16..a88c8ed42d4 100644 --- a/goodkey/sagoodkey/good_key_test.go +++ b/goodkey/sagoodkey/good_key_test.go @@ -24,7 +24,7 @@ func TestDBBlocklistAccept(t *testing.T) { policy, err := NewPolicy(&goodkey.Config{}, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertNotError(t, err, "GoodKey failed with a non-blocked key") @@ -39,7 +39,7 @@ func TestDBBlocklistReject(t *testing.T) { policy, err := NewPolicy(&goodkey.Config{}, testCheck) test.AssertNotError(t, err, "NewKeyPolicy failed") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey failed") err = policy.GoodKey(context.Background(), k.Public()) test.AssertError(t, err, "GoodKey didn't fail with a blocked key") diff --git a/grpc/creds/creds_test.go b/grpc/creds/creds_test.go index d8bc7ce15c4..88eb5892245 100644 --- a/grpc/creds/creds_test.go +++ b/grpc/creds/creds_test.go @@ -80,7 +80,7 @@ func TestServerTransportCredentials(t *testing.T) { } func TestClientTransportCredentials(t *testing.T) { - priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + priv, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") temp := &x509.Certificate{ diff --git a/issuance/cert_test.go b/issuance/cert_test.go index 4e986290d39..e6b89c65104 100644 --- a/issuance/cert_test.go +++ b/issuance/cert_test.go @@ -337,14 +337,14 @@ func TestIssue(t *testing.T) { { name: "RSA", generateFunc: func() (crypto.Signer, error) { - return rsa.GenerateKey(rand.Reader, 2048) + return rsa.GenerateKey(nil, 2048) }, ku: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, }, { name: "ECDSA", generateFunc: func() (crypto.Signer, error) { - return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + return ecdsa.GenerateKey(elliptic.P256(), nil) }, ku: x509.KeyUsageDigitalSignature, }, @@ -401,7 +401,7 @@ func TestIssueDNSNamesOnly(t *testing.T) { if err != nil { t.Fatalf("newIssuer: %s", err) } - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("ecdsa.GenerateKey: %s", err) } @@ -440,7 +440,7 @@ func TestIssueIPAddressesOnly(t *testing.T) { if err != nil { t.Fatalf("newIssuer: %s", err) } - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("ecdsa.GenerateKey: %s", err) } @@ -482,7 +482,7 @@ func TestIssueWithCRLDP(t *testing.T) { if err != nil { t.Fatalf("newIssuer: %s", err) } - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("ecdsa.GenerateKey: %s", err) } @@ -524,7 +524,7 @@ func TestIssueCommonName(t *testing.T) { test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") ir := &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -591,7 +591,7 @@ func TestIssueOmissions(t *testing.T) { signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := rsa.GenerateKey(rand.Reader, 2048) + pk, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(prof, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -620,7 +620,7 @@ func TestIssueCTPoison(t *testing.T) { fc.Set(time.Now()) signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(defaultProfile(), &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -668,7 +668,7 @@ func TestIssueSCTList(t *testing.T) { test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(enforceSCTsProfile, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -736,7 +736,7 @@ func TestIssueBadLint(t *testing.T) { test.AssertNotError(t, err, "NewProfile failed") signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, _, err = signer.Prepare(noSkipLintsProfile, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -765,7 +765,7 @@ func TestIssuanceToken(t *testing.T) { _, err = signer.Issue(nil) test.AssertError(t, err, "expected issuance with a nil token to fail") - pk, err := rsa.GenerateKey(rand.Reader, 2048) + pk, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := signer.Prepare(defaultProfile(), &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -812,7 +812,7 @@ func TestInvalidProfile(t *testing.T) { signer, err := newIssuer(defaultIssuerConfig(), issuerCert, issuerSigner, fc) test.AssertNotError(t, err, "NewIssuer failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, _, err = signer.Prepare(defaultProfile(), &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, @@ -861,7 +861,7 @@ func TestMismatchedProfiles(t *testing.T) { cnProfile, err := NewProfile(pc) test.AssertNotError(t, err, "NewProfile failed") - pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + pk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate test key") _, issuanceToken, err := issuer1.Prepare(cnProfile, &IssuanceRequest{ PublicKey: MarshalablePublicKey{pk.Public()}, diff --git a/issuance/issuer_test.go b/issuance/issuer_test.go index aa9911c4e57..81cba9f275c 100644 --- a/issuance/issuer_test.go +++ b/issuance/issuer_test.go @@ -50,7 +50,7 @@ var issuerCert *Certificate var issuerSigner *ecdsa.PrivateKey func TestMain(m *testing.M) { - tk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + tk, err := ecdsa.GenerateKey(elliptic.P256(), nil) cmd.FailOnError(err, "failed to generate test key") issuerSigner = tk template := &x509.Certificate{ @@ -106,7 +106,7 @@ func TestLoadSigner(t *testing.T) { // We're using this for its pubkey. This definitely doesn't match the private // key loaded in any of the tests below, but that's okay because it still gets // us through all the logic in loadSigner. - fakeKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + fakeKey, err := ecdsa.GenerateKey(elliptic.P224(), nil) test.AssertNotError(t, err, "generating test key") tests := []struct { diff --git a/observer/probers/aia/aia_test.go b/observer/probers/aia/aia_test.go index 1a4f1f1feaa..12755953137 100644 --- a/observer/probers/aia/aia_test.go +++ b/observer/probers/aia/aia_test.go @@ -21,7 +21,7 @@ import ( // TestAIAProbe_Probe tests the Probe method of AIAProbe func TestAIAProbe_Probe(t *testing.T) { // Create a test CA certificate - privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating private key") template := x509.Certificate{ diff --git a/pkcs11helpers/helpers_test.go b/pkcs11helpers/helpers_test.go index f7a252bdb0c..8fb3acf19f9 100644 --- a/pkcs11helpers/helpers_test.go +++ b/pkcs11helpers/helpers_test.go @@ -249,7 +249,7 @@ func TestX509Signer(t *testing.T) { ctx.SignInitFunc = func(pkcs11.SessionHandle, []*pkcs11.Mechanism, pkcs11.ObjectHandle) error { return nil } - tk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + tk, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed to generate test key") ctx.SignFunc = func(_ pkcs11.SessionHandle, digest []byte) ([]byte, error) { r, s, err := ecdsa.Sign(rand.Reader, tk, digest[:]) diff --git a/precert/corr_test.go b/precert/corr_test.go index 8d29ee077e4..d8bce5f20bf 100644 --- a/precert/corr_test.go +++ b/precert/corr_test.go @@ -102,19 +102,19 @@ func derFromPEMFile(filename string) ([]byte, error) { func TestMismatches(t *testing.T) { now := time.Now() - issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatal(err) } // A separate issuer key, used for signing the final certificate, but // using the same simulated issuer certificate. - untrustedIssuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + untrustedIssuerKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatal(err) } - subscriberKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + subscriberKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatal(err) } diff --git a/privatekey/privatekey_test.go b/privatekey/privatekey_test.go index bcc2ecf3873..89b14396644 100644 --- a/privatekey/privatekey_test.go +++ b/privatekey/privatekey_test.go @@ -11,13 +11,13 @@ import ( ) func TestVerifyRSAKeyPair(t *testing.T) { - privKey1, err := rsa.GenerateKey(rand.Reader, 2048) + privKey1, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Failed while generating test key 1") _, _, err = verify(privKey1) test.AssertNotError(t, err, "Failed to verify valid key") - privKey2, err := rsa.GenerateKey(rand.Reader, 2048) + privKey2, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Failed while generating test key 2") verifyHash, err := makeVerifyHash() @@ -28,13 +28,13 @@ func TestVerifyRSAKeyPair(t *testing.T) { } func TestVerifyECDSAKeyPair(t *testing.T) { - privKey1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey1, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed while generating test key 1") _, _, err = verify(privKey1) test.AssertNotError(t, err, "Failed to verify valid key") - privKey2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey2, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Failed while generating test key 2") verifyHash, err := makeVerifyHash() diff --git a/publisher/publisher_test.go b/publisher/publisher_test.go index 98a501989fd..0a1355f69ab 100644 --- a/publisher/publisher_test.go +++ b/publisher/publisher_test.go @@ -150,7 +150,7 @@ func setup(t *testing.T) (*Impl, *x509.Certificate, *ecdsa.PrivateKey) { leaf, err := core.LoadCert("../test/hierarchy/ee-r3.cert.pem") test.AssertNotError(t, err, "unable to load leaf certificate.") - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Couldn't generate test key") return pub, leaf, k @@ -275,14 +275,14 @@ func TestLogCache(t *testing.T) { test.AssertError(t, err, "AddLog() with an invalid log URI didn't error") // Create one keypair & base 64 public key - k1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k1, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey() failed for k1") der1, err := x509.MarshalPKIXPublicKey(&k1.PublicKey) test.AssertNotError(t, err, "x509.MarshalPKIXPublicKey(der1) failed") k1b64 := base64.StdEncoding.EncodeToString(der1) // Create a second keypair & base64 public key - k2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k2, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "ecdsa.GenerateKey() failed for k2") der2, err := x509.MarshalPKIXPublicKey(&k2.PublicKey) test.AssertNotError(t, err, "x509.MarshalPKIXPublicKey(der2) failed") diff --git a/ra/ra_test.go b/ra/ra_test.go index b7957db7316..29d51942b3c 100644 --- a/ra/ra_test.go +++ b/ra/ra_test.go @@ -2363,7 +2363,7 @@ func TestFinalizeOrder(t *testing.T) { authzIDA := createFinalizedAuthorization(t, sa, registration.Id, identifier.NewDNS("not-example.com"), exp, core.ChallengeTypeHTTP01, ra.clk.Now()) authzIDB := createFinalizedAuthorization(t, sa, registration.Id, identifier.NewDNS("www.not-example.com"), exp, core.ChallengeTypeHTTP01, ra.clk.Now()) - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") policyForbidCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ @@ -2672,7 +2672,7 @@ func TestFinalizeOrderWithMixedSANAndCN(t *testing.T) { }, }) test.AssertNotError(t, err, "Could not add test order with finalized authz IDs") - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") mixedCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, @@ -2718,7 +2718,7 @@ func TestFinalizeOrderWildcard(t *testing.T) { now := ra.clk.Now() exp := now.Add(365 * 24 * time.Hour) - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error creating test RSA key") wildcardCSR, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, @@ -2833,7 +2833,7 @@ func TestFinalizeOrderDisabledChallenge(t *testing.T) { test.AssertEquals(t, order.V2Authorizations[0], authzID) // Create a CSR for this order - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating test key") csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, @@ -2897,7 +2897,7 @@ func TestFinalizeWithMustStaple(t *testing.T) { test.AssertNotError(t, err, "creating test order") test.AssertEquals(t, order.V2Authorizations[0], authzID) - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating test key") csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ @@ -2967,7 +2967,7 @@ func TestIssueCertificateAuditLog(t *testing.T) { test.AssertNotError(t, err, "Could not add test order with finalized authz IDs") // Generate a CSR covering the order names with a random RSA key - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, @@ -3109,7 +3109,7 @@ func TestIssueCertificateCAACheckLog(t *testing.T) { test.AssertNotError(t, err, "Could not add test order with finalized authz IDs") // Generate a CSR covering the order names with a random RSA key. - testKey, err := rsa.GenerateKey(rand.Reader, 2048) + testKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "error generating test key") csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{ PublicKey: testKey.PublicKey, @@ -3294,7 +3294,7 @@ func TestIssueCertificateOuter(t *testing.T) { ra.SA = &mockSAWithFinalize{} // Create a CSR to submit and a certificate for the fake CA to return. - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "generating test key") csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{DNSNames: []string{"example.com"}}, testKey) test.AssertNotError(t, err, "creating test csr") @@ -3501,7 +3501,7 @@ func (msar *mockSARevocation) GetCertificate(_ context.Context, req *sapb.Serial _, _ = rand.Read(serialBytes[:]) serial := big.NewInt(0).SetBytes(serialBytes[:]) - key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P224(), nil) if err != nil { return nil, err } diff --git a/sa/model_test.go b/sa/model_test.go index 50901aeaae1..66872b480e4 100644 --- a/sa/model_test.go +++ b/sa/model_test.go @@ -373,7 +373,7 @@ func insertCertificate(ctx context.Context, dbMap *db.WrappedMap, fc clock.FakeC SerialNumber: serialBigInt, } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return fmt.Errorf("generating test key: %w", err) } diff --git a/sa/sa_test.go b/sa/sa_test.go index d9040e1de70..555252e3796 100644 --- a/sa/sa_test.go +++ b/sa/sa_test.go @@ -125,7 +125,7 @@ func initSA(t testing.TB) (*SQLStorageAuthority, clock.FakeClock) { // CreateWorkingTestRegistration inserts a new, correct Registration into the // given SA. func createWorkingRegistration(t testing.TB, sa *SQLStorageAuthority) *corepb.Registration { - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("Failed to generate ECDSA key: %s", err) } @@ -4359,7 +4359,7 @@ func TestGetPausedIdentifiersOnlyUnpausesOneAccount(t *testing.T) { } func newAcctKey(t *testing.T) []byte { - key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, _ := ecdsa.GenerateKey(elliptic.P256(), nil) jwk := &jose.JSONWebKey{Key: key.Public()} acctKey, err := jwk.MarshalJSON() test.AssertNotError(t, err, "failed to marshal account key") diff --git a/test/certs.go b/test/certs.go index add38e4d1b3..e4c4ab222be 100644 --- a/test/certs.go +++ b/test/certs.go @@ -37,7 +37,7 @@ func ThrowAwayCert(t *testing.T, clk clock.Clock) (string, *x509.Certificate) { _, _ = rand.Read(serialBytes[:]) serial := big.NewInt(0).SetBytes(serialBytes[:]) - key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P224(), nil) AssertNotError(t, err, "rsa.GenerateKey failed") template := &x509.Certificate{ diff --git a/test/integration/account_test.go b/test/integration/account_test.go index cf92764fce7..987e77fc1f4 100644 --- a/test/integration/account_test.go +++ b/test/integration/account_test.go @@ -54,7 +54,7 @@ func TestNewAccount(t *testing.T) { }, } { t.Run(tc.name, func(t *testing.T) { - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } @@ -90,7 +90,7 @@ func TestNewAccount_DuplicateKey(t *testing.T) { t.Fatalf("failed to connect to acme directory: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } @@ -149,7 +149,7 @@ func TestAccountDeactivate(t *testing.T) { t.Fatalf("failed to connect to acme directory: %s", err) } - acctKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + acctKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } diff --git a/test/integration/ari_test.go b/test/integration/ari_test.go index 88fe833d95e..8e14be62297 100644 --- a/test/integration/ari_test.go +++ b/test/integration/ari_test.go @@ -20,7 +20,7 @@ func TestARIAndReplacement(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Issue a cert, request ARI, and check that both the suggested window and @@ -68,7 +68,7 @@ func TestARIShortLived(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Issue a short-lived cert, request ARI, and check that both the suggested @@ -94,7 +94,7 @@ func TestARIRevoked(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Issue a cert, revoke it, request ARI, and check that the suggested window @@ -118,7 +118,7 @@ func TestARIForPrecert(t *testing.T) { // Setup client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Try to make a new cert for a new domain, but sabotage the CT logs so diff --git a/test/integration/cert_storage_failed_test.go b/test/integration/cert_storage_failed_test.go index c6839f338f3..54c04ed3d1d 100644 --- a/test/integration/cert_storage_failed_test.go +++ b/test/integration/cert_storage_failed_test.go @@ -118,7 +118,7 @@ func TestIssuanceCertStorageFailed(t *testing.T) { defer db.ExecContext(ctx, `DROP TRIGGER IF EXISTS fail_ready`) } - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // ---- Test revocation by serial ---- diff --git a/test/integration/common_test.go b/test/integration/common_test.go index 557bc8f907d..eba5cd218a6 100644 --- a/test/integration/common_test.go +++ b/test/integration/common_test.go @@ -49,7 +49,7 @@ func makeClient(contacts ...string) (*client, error) { if err != nil { return nil, fmt.Errorf("Error connecting to acme directory: %v", err) } - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, fmt.Errorf("error creating private key: %v", err) } @@ -161,7 +161,7 @@ func authAndIssueFetchAllChains(c *client, csrKey *ecdsa.PrivateKey, idents []ac func makeCSR(k *ecdsa.PrivateKey, idents []acme.Identifier, cn bool) (*x509.CertificateRequest, error) { var err error if k == nil { - k, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err = ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, fmt.Errorf("generating certificate key: %s", err) } diff --git a/test/integration/email_exporter_test.go b/test/integration/email_exporter_test.go index 64ebe191dd3..0975ef9e534 100644 --- a/test/integration/email_exporter_test.go +++ b/test/integration/email_exporter_test.go @@ -154,7 +154,7 @@ func TestContactsSentForNewAccount(t *testing.T) { t.Fatalf("failed to connect to acme directory: %s", err) } - acctKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + acctKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("failed to generate account key: %s", err) } diff --git a/test/integration/errors_test.go b/test/integration/errors_test.go index 83eab5f71a4..4d71d3d4f3e 100644 --- a/test/integration/errors_test.go +++ b/test/integration/errors_test.go @@ -264,7 +264,7 @@ func TestOrderFinalizeEarly(t *testing.T) { if err != nil { t.Fatalf("creating order: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating key: %s", err) } diff --git a/test/integration/issuance_test.go b/test/integration/issuance_test.go index f931c0236b4..3266ebfbdba 100644 --- a/test/integration/issuance_test.go +++ b/test/integration/issuance_test.go @@ -29,7 +29,7 @@ func TestCommonNameInCSR(t *testing.T) { test.AssertNotError(t, err, "creating acme client") // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Put together some names. @@ -66,7 +66,7 @@ func TestFirstCSRSANHoistedToCN(t *testing.T) { test.AssertNotError(t, err, "creating acme client") // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Create some names that we can sort. @@ -100,7 +100,7 @@ func TestCommonNameSANsTooLong(t *testing.T) { test.AssertNotError(t, err, "creating acme client") // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Put together some names. @@ -142,7 +142,7 @@ func TestIssuanceProfiles(t *testing.T) { } // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Create a set of identifiers to request. @@ -184,7 +184,7 @@ func TestIssuanceMTC(t *testing.T) { t.Fatalf("creating acme client: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating keypair: %s", err) } @@ -211,7 +211,7 @@ func TestIPShortLived(t *testing.T) { } // Create a private key. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("creating random cert key: %s", err) } @@ -298,7 +298,7 @@ func TestIPCNRejected(t *testing.T) { t.Fatalf("updating challenge: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("creating random cert key: %s", err) } diff --git a/test/integration/key_rollover_test.go b/test/integration/key_rollover_test.go index 1873864e309..8088a3bab12 100644 --- a/test/integration/key_rollover_test.go +++ b/test/integration/key_rollover_test.go @@ -25,20 +25,20 @@ func TestAccountKeyChange(t *testing.T) { // and P-384) supported by go-jose and goodkey, but doing so results in a very // slow integration test. Instead, just test rollover once in each direction, // ECDSA->RSA and vice versa. - key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key1, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating P-256 account key") acct1, err := c.NewAccount(key1, false, true) test.AssertNotError(t, err, "creating account") - key2, err := rsa.GenerateKey(rand.Reader, 2048) + key2, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "creating RSA 2048 account key") acct2, err := c.AccountKeyChange(acct1, key2) test.AssertNotError(t, err, "rolling over account key") test.AssertEquals(t, acct2.URL, acct1.URL) - key3, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + key3, err := ecdsa.GenerateKey(elliptic.P384(), nil) test.AssertNotError(t, err, "creating P-384 account key") acct3, err := c.AccountKeyChange(acct1, key3) diff --git a/test/integration/observer_test.go b/test/integration/observer_test.go index 9c3b72659ba..20d193587c1 100644 --- a/test/integration/observer_test.go +++ b/test/integration/observer_test.go @@ -75,7 +75,7 @@ func TestTLSProbe(t *testing.T) { t.Fatalf("creating test acme client: %s", err) } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating test key: %s", err) } diff --git a/test/integration/otel_test.go b/test/integration/otel_test.go index 066099a549e..8650f17156b 100644 --- a/test/integration/otel_test.go +++ b/test/integration/otel_test.go @@ -282,7 +282,7 @@ func traceIssuingTestCert(t *testing.T) trace.TraceID { c, err := acme.NewClient("http://boulder.service.consul:4001/directory", option) test.AssertNotError(t, err, "acme.NewClient failed") - privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + privKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Generating ECDSA key failed") account, err := c.NewAccount(privKey, false, true) diff --git a/test/integration/revocation_test.go b/test/integration/revocation_test.go index 8ae4b0c495e..e0c325e7424 100644 --- a/test/integration/revocation_test.go +++ b/test/integration/revocation_test.go @@ -272,7 +272,7 @@ func TestRevocation(t *testing.T) { issueClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") domain := random_domain() @@ -475,7 +475,7 @@ func TestReRevocation(t *testing.T) { issueClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") // Try to issue a certificate for the name. @@ -578,7 +578,7 @@ func TestRevokeWithKeyCompromiseBlocksKey(t *testing.T) { c, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate cert key") res, err := authAndIssue(c, certKey, []acme.Identifier{{Type: "dns", Value: random_domain()}}, true, "") @@ -621,7 +621,7 @@ func TestBadKeyRevoker(t *testing.T) { neutralClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate cert key") // Issue a cert from the revokee client, which we'll revoke soon @@ -662,7 +662,7 @@ func TestBadKeyRevokerByAccount(t *testing.T) { neutralClient, err := makeClient() test.AssertNotError(t, err, "creating acme client") - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to generate cert key") // Issue a cert from the revoke client, which we'll revoke soon diff --git a/test/integration/subordinate_ca_chains_test.go b/test/integration/subordinate_ca_chains_test.go index f54069c4f1f..abf89e1eac4 100644 --- a/test/integration/subordinate_ca_chains_test.go +++ b/test/integration/subordinate_ca_chains_test.go @@ -20,7 +20,7 @@ func TestSubordinateCAChainsServedByWFE(t *testing.T) { client, err := makeClient("mailto:example@letsencrypt.org") test.AssertNotError(t, err, "creating acme client") - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating random cert key") chains, err := authAndIssueFetchAllChains(client, key, []acme.Identifier{{Type: "dns", Value: random_domain()}}, true) diff --git a/test/integration/validation_test.go b/test/integration/validation_test.go index 29e7a69c815..0b9c9516e32 100644 --- a/test/integration/validation_test.go +++ b/test/integration/validation_test.go @@ -326,7 +326,7 @@ func TestCAARechecking(t *testing.T) { // Try to finalize the order created above. Due to our db manipulation, this // should trigger a CAA recheck. And due to our challtestsrv manipulation, // that CAA recheck should fail. Therefore the whole finalize should fail. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { t.Fatalf("generating cert key: %s", err) } diff --git a/test/load-generator/boulder-calls.go b/test/load-generator/boulder-calls.go index c395a6ee3d6..3e8b00dcbf3 100644 --- a/test/load-generator/boulder-calls.go +++ b/test/load-generator/boulder-calls.go @@ -88,7 +88,7 @@ func newAccount(s *State, c *acmeCache) error { } // Create a random signing key - signKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + signKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return err } diff --git a/test/load-generator/state.go b/test/load-generator/state.go index 6d075740726..1dcc9f0dfa1 100644 --- a/test/load-generator/state.go +++ b/test/load-generator/state.go @@ -281,7 +281,7 @@ func New( operations []string, challStrat string, revokeChance float32) (*State, error) { - certKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + certKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, err } diff --git a/va/tlsalpn_test.go b/va/tlsalpn_test.go index ec6af5cd8f8..c3c041e67ee 100644 --- a/va/tlsalpn_test.go +++ b/va/tlsalpn_test.go @@ -65,7 +65,7 @@ func testTLSCert(names []string, ips []net.IP, extensions []pkix.Extension) *tls IPAddresses: ips, ExtraExtensions: extensions, } - key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, _ := ecdsa.GenerateKey(elliptic.P256(), nil) certBytes, _ := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) return &tls.Certificate{ @@ -338,7 +338,7 @@ func TestCertNames(t *testing.T) { // Round-trip the certificate through generation and parsing, to make sure // certAltNames can handle "real" certificates and not just templates. - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "Error creating test key") certBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) test.AssertNotError(t, err, "Error creating certificate") @@ -673,7 +673,7 @@ func TestTLSALPN01NotSelfSigned(t *testing.T) { ExtraExtensions: []pkix.Extension{testACMEExt}, } - eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + eeKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test key") issuerCert := &x509.Certificate{ @@ -686,7 +686,7 @@ func TestTLSALPN01NotSelfSigned(t *testing.T) { BasicConstraintsValid: true, } - issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + issuerKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test key") // Test that a cert with mismatched subject and issuer fields is rejected, @@ -746,7 +746,7 @@ func TestTLSALPN01ExtraIdentifiers(t *testing.T) { ExtraExtensions: []pkix.Extension{testACMEExt}, } - key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + key, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "creating test key") certBytes, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key) test.AssertNotError(t, err, "failed to create acme-tls/1 cert") diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go index 68198087583..67de3307cc9 100644 --- a/wfe2/wfe_test.go +++ b/wfe2/wfe_test.go @@ -2407,7 +2407,7 @@ func (sa *mockSAWithNewCert) GetCertificate(_ context.Context, req *sapb.Serial, } issuerKey := loadKey(&testing.T{}, issuerKeyPem) - newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + newKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) if err != nil { return nil, fmt.Errorf("failed to create test key: %w", err) } @@ -3124,7 +3124,7 @@ func TestKeyRollover(t *testing.T) { responseWriter := httptest.NewRecorder() wfe, _, signer := setupWFE(t) - existingKey, err := rsa.GenerateKey(rand.Reader, 2048) + existingKey, err := rsa.GenerateKey(nil, 2048) test.AssertNotError(t, err, "Error creating random 2048 RSA key") newKeyBytes, err := os.ReadFile("../test/test-key-5.der") @@ -3416,7 +3416,7 @@ func TestRevokeCertificateNotIssued(t *testing.T) { wfe.sa = newMockSAWithCert(t, wfe.sa) // Make a self-signed junk certificate - k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + k, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "unexpected error making random private key") // Use a known serial from the mockSAWithValidCert mock. // This ensures that any failures here are due to the certificate's issuer @@ -4069,7 +4069,7 @@ func TestOrderMatchesReplacement(t *testing.T) { expectExpiry := time.Now().AddDate(0, 0, 1) expectSerial := big.NewInt(1337) - testKey, _ := rsa.GenerateKey(rand.Reader, 1024) + testKey, _ := rsa.GenerateKey(nil, 1024) rawCert := x509.Certificate{ NotAfter: expectExpiry, DNSNames: []string{"example.com", "example-a.com"}, @@ -4230,7 +4230,7 @@ func TestCountNewOrderWithReplaces(t *testing.T) { issuer = v break } - testKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, _ := ecdsa.GenerateKey(elliptic.P256(), nil) expectSerial := big.NewInt(1337) expectCert := &x509.Certificate{ NotBefore: fc.Now(), @@ -4296,7 +4296,7 @@ func TestNewOrderRateLimits(t *testing.T) { issuer = v break } - testKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + testKey, err := ecdsa.GenerateKey(elliptic.P256(), nil) test.AssertNotError(t, err, "failed to create test key") extantCert := &x509.Certificate{ NotBefore: fc.Now(),