Go 1.24 Features

.github/workflows/test.yml

@@ -38,8 +38,10 @@ jobs:
     name: Test Go packages (TinyGo)
     runs-on: ubuntu-latest
     container:
-      image: tinygo/tinygo:0.35.0
+      image: tinygo/tinygo:0.37.0
       options: --user root
+    env:
+      GOFLAGS: -buildvcs=false
     steps:
       - name: Check out repository code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.golangci.yml

@@ -1,36 +1,46 @@
+version: "2"
 run:
-  timeout: 5m
   modules-download-mode: readonly
-
 linters:
   enable:
-    - errcheck
     - gocyclo
-    - gofmt
-    - goimports
-    - govet
-    - revive
-    - staticcheck
     - gosec
     - misspell
-
-linters-settings:
-  gocyclo:
-    min-complexity: 15
-  goimports:
-    local-prefixes: github.com/fido-device-onboard/go-fdo
-  misspell:
-    locale: US
-
+    - revive
+  settings:
+    gocyclo:
+      min-complexity: 15
+    misspell:
+      locale: US
+  exclusions:
+    generated: lax
+    rules:
+      - linters:
+          - gocyclo
+          - gosec
+        path: _test\.go
+      - path: (.+)\.go$
+        text: declaration of "(err|ctx)" shadows declaration at
+      - path: (.+)\.go$
+        text: '^unused-parameter: '
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  exclude-use-default: false
   max-issues-per-linter: 0
   max-same-issues: 0
-  exclude:
-    - 'declaration of "(err|ctx)" shadows declaration at'
-    - "^unused-parameter: "
-  exclude-rules:
-    - path: _test\.go
-      linters:
-        - gocyclo
-        - gosec
+formatters:
+  enable:
+    - gofmt
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/fido-device-onboard/go-fdo
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

README.md

@@ -4,7 +4,7 @@
 [![Lint](https://github.com/fido-device-onboard/go-fdo/actions/workflows/lint.yml/badge.svg)](https://github.com/fido-device-onboard/go-fdo/actions/workflows/lint.yml)
 [![Test](https://github.com/fido-device-onboard/go-fdo/actions/workflows/test.yml/badge.svg)](https://github.com/fido-device-onboard/go-fdo/actions/workflows/test.yml)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://raw.githubusercontent.com/fido-device-onboard/go-fdo/main/LICENSE)
-[![Building](https://img.shields.io/badge/go-%3E%3D%201.23-blue)](#building-the-example-application)
+[![Building](https://img.shields.io/badge/go-%3E%3D%201.24-blue)](#building-the-example-application)
 [![Go Reference](https://pkg.go.dev/badge/github.com/fido-device-onboard/go-fdo.svg)](https://pkg.go.dev/github.com/fido-device-onboard/go-fdo)
 
 > [!WARNING]
@@ -370,23 +370,4 @@ Success
 
 ## FIPS Compliance
 
-To build a FIPS 140-2 certifiable binary, use the [Microsoft Go][Microsoft Go] toolchain and be sure to deploy with a FIPS-compliant version of OpenSSL 3.0.
-
-As an example, the following multi-stage `Dockerfile` will build the included example FDO application with FIPS-compliant crypto.
-
-```Dockerfile
-FROM mcr.microsoft.com/oss/go/microsoft/golang:1.23-fips-cbl-mariner2.0 AS build
-WORKDIR /build
-COPY . .
-RUN go work; go work use -r . && \
-    go build -tags=requirefips -o fdo ./examples/cmd
-
-FROM gcr.io/distroless/cc-debian12
-COPY --from=build /build/fdo .
-# COPY in a FIPS-compliant OpenSSL 3.0 library!
-ENTRYPOINT [ "./fdo" ]
-```
-
-Note that for FIPS certification, the NIST 800-108 key derivation function in `internal/nistkdf/kdf.go` would still need to be inspected.
-
-[Microsoft Go]: https://github.com/microsoft/go/blob/microsoft/main/eng/doc/fips/README.md
+To build a FIPS 140-3 certifiable binary, see [FIPS 140-3 compliance](https://go.dev/doc/security/fips140).

cbor/cbor.go

@@ -461,7 +461,7 @@ func (d *Decoder) decodeRawVal(highThreeBits, lowFiveBits byte, additional []byt
 		}
 
 		decoded := head
-		for i := 0; i < int(length); i++ {
+		for i := range length {
 			b, err := d.decodeRaw()
 			if err != nil {
 				return nil, fmt.Errorf("error decoding array/map at item %d: %w", i, err)
@@ -781,7 +781,7 @@ func (d *Decoder) decodeArrayToStruct(rv reflect.Value, additional []byte) error
 				}
 
 				omittedOne = true
-				indices = append(indices[:i], indices[i+1:]...)
+				indices = slices.Delete(indices, i, i+1)
 			}
 		}
 	}
@@ -890,7 +890,7 @@ func (d *Decoder) decodeArrayToSlice(rv reflect.Value, additional []byte) error
 
 	// Decode each item into the correctly sized slice
 	itemType := slice.Type().Elem()
-	for i := 0; i < int(length); i++ {
+	for i := range int(length) {
 		newVal := reflect.New(itemType)
 		if err := d.Decode(newVal.Interface()); err != nil {
 			return fmt.Errorf("error decoding array item %d: %w", i, err)
@@ -930,7 +930,7 @@ func (d *Decoder) decodeMap(rv reflect.Value, additional []byte) error {
 	if length > math.MaxInt || length >= MaxArrayDecodeLength/2 {
 		return fmt.Errorf("map exceeds max size: %d", length)
 	}
-	for i := 0; i < int(length); i++ {
+	for i := range length {
 		newKey := reflect.New(keyType)
 		if err := d.Decode(newKey.Interface()); err != nil {
 			return fmt.Errorf("error decoding map key %d: %w", i, err)
@@ -1274,7 +1274,7 @@ func (e *Encoder) encodeArray(size int, get func(int) reflect.Value) error {
 	}
 
 	// Write each item
-	for i := 0; i < size; i++ {
+	for i := range size {
 		if err := e.Encode(get(i).Interface()); err != nil {
 			return err
 		}
@@ -1297,7 +1297,7 @@ func (e *Encoder) encodeStruct(size int, get func([]int) reflect.Value, field fu
 	// Filter omittable fields which are the zero value for the associated type
 	for i, idx := range indices {
 		if omittable(idx) && isEmpty(get(idx)) {
-			indices = append(indices[:i], indices[i+1:]...)
+			indices = slices.Delete(indices, i, i+1)
 		}
 	}
 
@@ -1440,7 +1440,7 @@ func fieldOrder(n int, field func(int) reflect.StructField) (indices [][]int, om
 		if fields[i].weight != fields[j].weight {
 			return fields[i].weight < fields[j].weight
 		}
-		for k := 0; k < len(fields[i].index); k++ {
+		for k := range len(fields[i].index) {
 			if k+1 > len(fields[i].index) || k+1 > len(fields[j].index) {
 				panic("programming error - indices to sort cannot be a parent embedded field of another")
 			}
@@ -1502,7 +1502,7 @@ func collectFieldWeights(parents []int, i, upper int, field func(int) reflect.St
 
 	// Return duplicate indices if flat (un)marshaling
 	if n, ok := flatN(f); ok {
-		for j := 0; j < n; j++ {
+		for range n {
 			fields = append(fields, weightedField{
 				index:  append(parents, i),
 				weight: weight,
@@ -1570,7 +1570,7 @@ func (o OmitEmpty[T]) isOmitEmpty() {}
 func BytewiseLexicalSort(indices []int, keys [][]byte) func(i, j int) bool {
 	return func(i, j int) bool {
 		left, right := keys[indices[i]], keys[indices[j]]
-		for k := 0; k < len(left); k++ {
+		for k := range len(left) {
 			if left[k] != right[k] {
 				return left[k] < right[k]
 			}

cbor/cdn/cdn.go

@@ -103,9 +103,9 @@ func encodeValue(b *bytes.Buffer, v any) error { //nolint:gocyclo
 		_, _ = b.WriteString("null")
 
 	case int64, uint64:
-		_, _ = b.WriteString(fmt.Sprintf("%d", v))
+		_, _ = fmt.Fprintf(b, "%d", v)
 
-	case []interface{}:
+	case []any:
 		_, _ = b.WriteString("[")
 		for index, element := range v {
 			if index > 0 {
@@ -117,7 +117,7 @@ func encodeValue(b *bytes.Buffer, v any) error { //nolint:gocyclo
 		}
 		_, _ = b.WriteString("]")
 
-	case map[interface{}]interface{}:
+	case map[any]any:
 		_, _ = b.WriteString("{")
 		c := 0
 		for key, value := range sortMap(v) {
@@ -370,7 +370,7 @@ func decodeArray(r *bufio.Reader) (any, error) {
 		return nil, err
 	}
 
-	a := []interface{}{}
+	a := []any{}
 	for {
 		v, err := decodeValue(r)
 		if err != nil {
@@ -404,7 +404,7 @@ func decodeMap(r *bufio.Reader) (any, error) { //nolint:gocyclo
 		return nil, err
 	}
 
-	m := make(map[interface{}]interface{})
+	m := make(map[any]any)
 	for {
 		k, err := decodeValue(r)
 		if err != nil {

devmod.go

@@ -35,7 +35,7 @@ func (d *devmodOwnerModule) HandleInfo(ctx context.Context, messageName string,
 	}
 
 	dm := reflect.ValueOf(&d.Devmod).Elem()
-	for i := 0; i < dm.NumField(); i++ {
+	for i := range dm.NumField() {
 		tag := dm.Type().Field(i).Tag.Get("devmod")
 		fieldMessageName, _, _ := strings.Cut(tag, ",")
 		if fieldMessageName != messageName {
@@ -78,7 +78,7 @@ func (d *devmodOwnerModule) parseModules(messageBody io.Reader) error {
 func (d *devmodOwnerModule) ProduceInfo(_ context.Context, _ *serviceinfo.Producer) (bool, bool, error) {
 	// Validate required fields were sent before sending IsDone
 	if d.done {
-		if err := d.Devmod.Validate(); err != nil {
+		if err := d.Validate(); err != nil {
 			return false, false, err
 		}
 		if slices.Contains(d.Modules, "") {

examples/go.mod

@@ -1,6 +1,6 @@
 module github.com/fido-device-onboard/go-fdo/examples
 
-go 1.23.0
+go 1.24.0
 
 replace github.com/fido-device-onboard/go-fdo/sqlite => ../sqlite
 

fsim/go.mod

@@ -1,6 +1,6 @@
 module github.com/fido-device-onboard/go-fdo/fsim
 
-go 1.23.0
+go 1.24.0
 
 replace github.com/fido-device-onboard/go-fdo => ../
 

go.mod

@@ -1,3 +1,3 @@
 module github.com/fido-device-onboard/go-fdo
 
-go 1.23.0
+go 1.24.0

sqlite/go.mod

@@ -1,6 +1,6 @@
 module github.com/fido-device-onboard/go-fdo/sqlite
 
-go 1.23.0
+go 1.24.0
 
 replace github.com/fido-device-onboard/go-fdo => ../
 

to2.go

@@ -292,7 +292,7 @@ func verifyOwner(ctx context.Context, transport Transport, to1d *cose.Sign1[prot
 func verifyVoucher(ctx context.Context, transport Transport, to1d *cose.Sign1[protocol.To1d, []byte], info *ovhValidationContext, c *TO2Config) error {
 	// Construct ownership voucher from parts received from the owner service
 	var entries []cose.Sign1Tag[VoucherEntryPayload, []byte]
-	for i := 0; i < info.NumVoucherEntries; i++ {
+	for i := range info.NumVoucherEntries {
 		entry, err := sendNextOVEntry(ctx, transport, i)
 		if err != nil {
 			return err
@@ -665,9 +665,7 @@ func (s *TO2Server) proveOVHdr(ctx context.Context, msg io.Reader) (*cose.Sign1T
 	// The lifetime of xA is until the transport has marshaled and sent the proof. Therefore, the
 	// best option for clearing the secret is to set a finalizer (unfortunately).
 	proof := s1.Tag()
-	runtime.SetFinalizer(proof, func(proof *cose.Sign1Tag[ovhProof, []byte]) {
-		clear(proof.Payload.Val.KeyExchangeA)
-	})
+	runtime.AddCleanup(proof, func(secret []byte) { clear(secret) }, proof.Payload.Val.KeyExchangeA)
 	return proof, nil
 }
 

tpm/go.mod

@@ -1,6 +1,6 @@
 module github.com/fido-device-onboard/go-fdo/tpm
 
-go 1.23.0
+go 1.24.0
 
 replace github.com/fido-device-onboard/go-fdo => ../