cloudflare · mitch292 · Mar 11, 2025
diff --git a/client/client.go b/client/client.go
@@ -388,6 +388,9 @@ func (c *Client) LoadTLSCertificate(server, certFile string) (cert tls.Certifica
 	return cert, nil
 }
 
+// DefaultLoadPubKey will parse a public key from the provided bytes.
+// The function used to load the public key in ScanDir if no LoadPubKey
+// argument is provided
 func DefaultLoadPubKey(in []byte) (crypto.PublicKey, error) {
 	block, _ := pem.Decode(in)
 	if block == nil {

diff --git a/client/keys.go b/client/keys.go
@@ -66,15 +66,13 @@ func signOpFromSignerOpts(key *PrivateKey, opts crypto.SignerOpts) protocol.Op {
 	case *rsa.PublicKey:
 		if value, ok := rsaCrypto[opts.HashFunc()]; ok {
 			return value
-		} else {
-			return protocol.OpError
 		}
+		return protocol.OpError
 	case *ecdsa.PublicKey:
 		if value, ok := ecdsaCrypto[opts.HashFunc()]; ok {
 			return value
-		} else {
-			return protocol.OpError
 		}
+		return protocol.OpError
 	case ed25519.PublicKey:
 		return protocol.OpEd25519Sign
 	default:

diff --git a/cmd/gokeyless/gokeyless.go b/cmd/gokeyless/gokeyless.go
@@ -240,7 +240,7 @@ func runMain() error {
 
 		return nil
 	case manualMode && configMode:
-		return fmt.Errorf("can't specify both --manual-activation and --config-only!")
+		return fmt.Errorf("can't specify both --manual-activation and --config-only")
 	case manualMode:
 		// Allow manual activation (requires the CSR to be manually signed).
 		// manual activation won't proceed to start the server
@@ -403,15 +403,15 @@ func validCertExpiry(cert *x509.Certificate) bool {
 }
 
 // needNewCertAndKey checks the validity of certificate and key
-func (config Config) needNewCertAndKey() bool {
-	_, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
+func (c Config) needNewCertAndKey() bool {
+	_, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
 	if err != nil {
 		log.Errorf("cannot load server cert/key: %v", err)
 		return true
 	}
 
 	// error is ignore because tls.LoadX509KeyPair already verify the existence of the file
-	certBytes, _ := os.ReadFile(config.CertFile)
+	certBytes, _ := os.ReadFile(c.CertFile)
 	// error is ignore because tls.LoadX509KeyPair already verify the file can be parsed
 	cert, _ := helpers.ParseCertificatePEM(certBytes)
 	// verify the leaf certificate
@@ -424,8 +424,8 @@ func (config Config) needNewCertAndKey() bool {
 }
 
 // verifyCSRAndKey checks if csr and key files exist and if they match
-func (config Config) verifyCSRAndKey() bool {
-	csrBytes, err := os.ReadFile(config.CSRFile)
+func (c Config) verifyCSRAndKey() bool {
+	csrBytes, err := os.ReadFile(c.CSRFile)
 	if err != nil {
 		log.Errorf("cannot read csr file: %v", err)
 		return false
@@ -448,7 +448,7 @@ func (config Config) verifyCSRAndKey() bool {
 		return false
 	}
 
-	keyBytes, err := os.ReadFile(config.KeyFile)
+	keyBytes, err := os.ReadFile(c.KeyFile)
 	if err != nil {
 		log.Errorf("cannot read private key file: %v", err)
 		return false

diff --git a/internal/test/params/params.go b/internal/test/params/params.go
@@ -22,7 +22,7 @@
 // (the size of an MD5 hash) and 20 (the size of a SHA1 hash).

 var (
 	RSAMD5SHA1Params   = RSASignParams{Opcode: protocol.OpRSASignMD5SHA1, Opts: crypto.MD5SHA1, PayloadSize: 36}
 	RSASHA1Params      = RSASignParams{Opcode: protocol.OpRSASignSHA1, Opts: crypto.SHA1, PayloadSize: 20}
 	RSASHA224Params    = RSASignParams{Opcode: protocol.OpRSASignSHA224, Opts: crypto.SHA224, PayloadSize: 28}
 	RSASHA256Params    = RSASignParams{Opcode: protocol.OpRSASignSHA256, Opts: crypto.SHA256, PayloadSize: 32}
@@ -46,7 +46,7 @@
 }

 var (
 	ECDSASHA224Params = ECDSASignParams{Opcode: protocol.OpECDSASignSHA224, Curve: elliptic.P256(), Opts: crypto.SHA224, PayloadSize: 28}
 	ECDSASHA256Params = ECDSASignParams{Opcode: protocol.OpECDSASignSHA256, Curve: elliptic.P256(), Opts: crypto.SHA256, PayloadSize: 32}
 	ECDSASHA384Params = ECDSASignParams{Opcode: protocol.OpECDSASignSHA384, Curve: elliptic.P384(), Opts: crypto.SHA384, PayloadSize: 48}
 	ECDSASHA512Params = ECDSASignParams{Opcode: protocol.OpECDSASignSHA512, Curve: elliptic.P521(), Opts: crypto.SHA512, PayloadSize: 64}
@@ -65,7 +65,8 @@
 	// Compatibility. Before running tests, copy the contents of the
 	// testdata/tokens/ directory to your SoftHSM2 token directory, usually
 	// located at /var/lib/softhsm/tokens/, and run `make test-softhsm`
-	RSAURI   = "pkcs11:token=SoftHSM2%20Token;id=%03?module-path=" + getSoftHSMModulePath() + "&pin-value=1234"
+	RSAURI = "pkcs11:token=SoftHSM2%20Token;id=%03?module-path=" + getSoftHSMModulePath() + "&pin-value=1234"
+	// ECDSAURI is a sample PKCS #11 URIs used for testing HSM Compatibility
 	ECDSAURI = "pkcs11:token=SoftHSM2%20Token;id=%02?module-path=" + getSoftHSMModulePath() + "&pin-value=1234"
 )
 
@@ -78,6 +79,6 @@
 }

 var (
 	HSMECDSASHA256Params = HSMSignParams{Opcode: protocol.OpECDSASignSHA256, URI: ECDSAURI, Opts: crypto.SHA256, PayloadSize: 32}
 	HSMRSASHA512Params   = HSMSignParams{Opcode: protocol.OpRSASignSHA512, URI: RSAURI, Opts: crypto.SHA512, PayloadSize: 64}
 )