Fix linter issues

acme/api/revoke.go

@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe
 func wrapRevokeErr(err error) *acme.Error {
 	t := err.Error()
 	if strings.Contains(t, "is already revoked") {
-		return acme.NewError(acme.ErrorAlreadyRevokedType, t) //nolint:govet // allow non-constant error messages
+		return acme.NewError(acme.ErrorAlreadyRevokedType, t)
 	}
 	return acme.WrapErrorISE(err, "error when revoking certificate")
 }
@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {
 func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
 	var acmeErr *acme.Error
 	if err == nil {
-		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg) //nolint:govet // allow non-constant error messages
+		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
 	} else {
-		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg) //nolint:govet // allow non-constant error messages
+		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
 	}
 	acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403
 

acme/challenge.go

@@ -39,6 +39,7 @@ import (
 	"github.com/smallstep/certificates/acme/wire"
 	"github.com/smallstep/certificates/authority/provisioner"
 	wireprovisioner "github.com/smallstep/certificates/authority/provisioner/wire"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 type ChallengeType string
@@ -229,7 +230,7 @@ func tlsAlert(err error) uint8 {
 	if errors.As(err, &opErr) {
 		v := reflect.ValueOf(opErr.Err)
 		if v.Kind() == reflect.Uint8 {
-			return uint8(v.Uint())
+			return uint8(v.Uint()) //nolint:gosec // handled by checking its type
 		}
 	}
 	return 0
@@ -978,9 +979,9 @@ type tpmAttestationData struct {
 type coseAlgorithmIdentifier int32
 
 const (
-	coseAlgES256 coseAlgorithmIdentifier = -7
-	coseAlgRS256 coseAlgorithmIdentifier = -257
-	coseAlgRS1   coseAlgorithmIdentifier = -65535 // deprecated, but (still) often used in TPMs
+	coseAlgES256 = coseAlgorithmIdentifier(-7)
+	coseAlgRS256 = coseAlgorithmIdentifier(-257)
+	coseAlgRS1   = coseAlgorithmIdentifier(-65535) // deprecated, but (still) often used in TPMs
 )
 
 func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) {
@@ -1105,8 +1106,13 @@ func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge,
 		return nil, NewDetailedError(ErrorBadAttestationStatementType, "invalid alg in attestation statement")
 	}
 
+	algI32, err := cast.SafeInt32(alg)
+	if err != nil {
+		return nil, WrapDetailedError(ErrorBadAttestationStatementType, err, "invalid alg %d in attestation statement", alg)
+	}
+
 	var hash crypto.Hash
-	switch coseAlgorithmIdentifier(alg) {
+	switch coseAlgorithmIdentifier(algI32) {
 	case coseAlgRS256, coseAlgES256:
 		hash = crypto.SHA256
 	case coseAlgRS1:

acme/linker.go

@@ -86,7 +86,7 @@ func GetUnescapedPathSuffix(typ LinkType, provisionerName string, inputs ...stri
 	case AccountLinkType, OrderLinkType, AuthzLinkType, CertificateLinkType:
 		return fmt.Sprintf("/%s/%s/%s", provisionerName, typ, inputs[0])
 	case ChallengeLinkType:
-		return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1])
+		return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1]) //nolint:gosec // operating on internally defined inputs
 	case OrdersByAccountLinkType:
 		return fmt.Sprintf("/%s/%s/%s/orders", provisionerName, AccountLinkType, inputs[0])
 	case FinalizeLinkType:

acme/order.go

@@ -309,7 +309,6 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 		// Add subproblem for webhook errors, others can be added later.
 		var webhookErr *webhook.Error
 		if errors.As(err, &webhookErr) {
-			//nolint:govet // ignore non-constant format string
 			acmeError := NewDetailedError(ErrorUnauthorizedType, webhookErr.Error())
 			acmeError.AddSubproblems(Subproblem{
 				Type:   fmt.Sprintf("urn:smallstep:acme:error:%s", webhookErr.Code),

api/api.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"crypto/dsa" // support legacy algorithms
+	"crypto/dsa" //nolint:staticcheck // support legacy algorithms
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/rsa"
@@ -31,6 +31,7 @@ import (
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 	"github.com/smallstep/certificates/logging"
 )
 
@@ -595,8 +596,8 @@ func LogSSHCertificate(w http.ResponseWriter, cert *ssh.Certificate) {
 		m := map[string]interface{}{
 			"serial":           cert.Serial,
 			"principals":       cert.ValidPrincipals,
-			"valid-from":       time.Unix(int64(cert.ValidAfter), 0).Format(time.RFC3339),
-			"valid-to":         time.Unix(int64(cert.ValidBefore), 0).Format(time.RFC3339),
+			"valid-from":       time.Unix(cast.Int64(cert.ValidAfter), 0).Format(time.RFC3339),
+			"valid-to":         time.Unix(cast.Int64(cert.ValidBefore), 0).Format(time.RFC3339),
 			"certificate":      certificate,
 			"certificate-type": certificateType,
 		}

api/ssh.go

@@ -20,6 +20,7 @@ import (
 	"github.com/smallstep/certificates/authority/config"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 	"github.com/smallstep/certificates/templates"
 )
 
@@ -331,8 +332,8 @@ func SSHSign(w http.ResponseWriter, r *http.Request) {
 		// Enforce the same duration as ssh certificate.
 		signOpts = append(signOpts, &identityModifier{
 			Identity:  getIdentityURI(cr),
-			NotBefore: time.Unix(int64(cert.ValidAfter), 0),
-			NotAfter:  time.Unix(int64(cert.ValidBefore), 0),
+			NotBefore: time.Unix(cast.Int64(cert.ValidAfter), 0),
+			NotAfter:  time.Unix(cast.Int64(cert.ValidBefore), 0),
 		})
 
 		certChain, err := a.SignWithContext(ctx, cr, provisioner.SignOptions{}, signOpts...)

api/sshRekey.go

@@ -10,6 +10,7 @@ import (
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 // SSHRekeyRequest is the request body of an SSH certificate request.
@@ -80,8 +81,8 @@ func SSHRekey(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Match identity cert with the SSH cert
-	notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
-	notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
+	notBefore := time.Unix(cast.Int64(oldCert.ValidAfter), 0)
+	notAfter := time.Unix(cast.Int64(oldCert.ValidBefore), 0)
 
 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {

api/sshRenew.go

@@ -11,6 +11,7 @@ import (
 	"github.com/smallstep/certificates/api/render"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 // SSHRenewRequest is the request body of an SSH certificate request.
@@ -72,8 +73,8 @@ func SSHRenew(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Match identity cert with the SSH cert
-	notBefore := time.Unix(int64(oldCert.ValidAfter), 0)
-	notAfter := time.Unix(int64(oldCert.ValidBefore), 0)
+	notBefore := time.Unix(cast.Int64(oldCert.ValidAfter), 0)
+	notAfter := time.Unix(cast.Int64(oldCert.ValidBefore), 0)
 
 	identity, err := renewIdentityCertificate(r, notBefore, notAfter)
 	if err != nil {

authority/admin/api/webhook.go

@@ -202,7 +202,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 	}
 	if !found {
 		msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
-		err := admin.NewError(admin.ErrorNotFoundType, msg) //nolint:govet // allow non-constant error messages
+		err := admin.NewError(admin.ErrorNotFoundType, msg)
 		render.Error(w, r, err)
 		return
 	}

authority/linkedca.go

@@ -28,6 +28,7 @@ import (
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 const uuidPattern = "^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$"
@@ -336,7 +337,7 @@ func (c *linkedCaClient) Revoke(crt *x509.Certificate, rci *db.RevokedCertificat
 		Serial:         rci.Serial,
 		PemCertificate: serializeCertificate(crt),
 		Reason:         rci.Reason,
-		ReasonCode:     linkedca.RevocationReasonCode(rci.ReasonCode),
+		ReasonCode:     linkedca.RevocationReasonCode(cast.Int32(rci.ReasonCode)),
 		Passive:        true,
 	})
 
@@ -350,7 +351,7 @@ func (c *linkedCaClient) RevokeSSH(cert *ssh.Certificate, rci *db.RevokedCertifi
 		Serial:      rci.Serial,
 		Certificate: serializeSSHCertificate(cert),
 		Reason:      rci.Reason,
-		ReasonCode:  linkedca.RevocationReasonCode(rci.ReasonCode),
+		ReasonCode:  linkedca.RevocationReasonCode(cast.Int32(rci.ReasonCode)),
 		Passive:     true,
 	})
 
@@ -403,7 +404,7 @@ func createProvisionerIdentity(p provisioner.Interface) *linkedca.ProvisionerIde
 	}
 	return &linkedca.ProvisionerIdentity{
 		Id:   p.GetID(),
-		Type: linkedca.Provisioner_Type(p.GetType()),
+		Type: linkedca.Provisioner_Type(cast.Int32(int(p.GetType()))),
 		Name: p.GetName(),
 	}
 }

authority/provisioner/collection.go

@@ -12,8 +12,10 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/smallstep/certificates/authority/admin"
 	"go.step.sm/crypto/jose"
+
+	"github.com/smallstep/certificates/authority/admin"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 // DefaultProvisionersLimit is the default limit for listing provisioners.
@@ -210,7 +212,7 @@ func (c *Collection) Store(p Interface) error {
 	// 0x00000000, 0x00000001, 0x00000002, ...
 	bi := make([]byte, 4)
 	sum := provisionerSum(p)
-	binary.BigEndian.PutUint32(bi, uint32(c.sorted.Len()))
+	binary.BigEndian.PutUint32(bi, cast.Uint32(c.sorted.Len()))
 	sum[0], sum[1], sum[2], sum[3] = bi[0], bi[1], bi[2], bi[3]
 	c.sorted = append(c.sorted, uidProvisioner{
 		provisioner: p,

authority/provisioner/controller.go

@@ -8,11 +8,14 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+
+	"github.com/smallstep/linkedca"
+
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 	"github.com/smallstep/certificates/internal/httptransport"
 	"github.com/smallstep/certificates/webhook"
-	"github.com/smallstep/linkedca"
-	"golang.org/x/crypto/ssh"
 )
 
 // Controller wraps a provisioner with other attributes useful in callback
@@ -189,10 +192,10 @@ func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certif
 	}
 
 	unixNow := time.Now().Unix()
-	if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
+	if after := cast.Int64(cert.ValidAfter); after < 0 || unixNow < cast.Int64(cert.ValidAfter) {
 		return errs.Unauthorized("certificate is not yet valid")
 	}
-	if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) && !p.Claimer.AllowRenewalAfterExpiry() {
+	if before := cast.Int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) && !p.Claimer.AllowRenewalAfterExpiry() {
 		return errs.Unauthorized("certificate has expired")
 	}
 

authority/provisioner/jwk.go

@@ -14,6 +14,7 @@ import (
 	"go.step.sm/crypto/x509util"
 
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 // jwtPayload extends jwt.Claims with step attributes.
@@ -249,7 +250,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	// Use options in the token.
 	if opts.CertType != "" {
 		if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
-			return nil, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
+			return nil, errs.BadRequestErr(err, err.Error())
 		}
 	}
 	if opts.KeyID != "" {
@@ -274,10 +275,10 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	// Add modifiers from custom claims
 	t := now()
 	if !opts.ValidAfter.IsZero() {
-		signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
+		signOptions = append(signOptions, sshCertValidAfterModifier(cast.Uint64(opts.ValidAfter.RelativeTime(t).Unix())))
 	}
 	if !opts.ValidBefore.IsZero() {
-		signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
+		signOptions = append(signOptions, sshCertValidBeforeModifier(cast.Uint64(opts.ValidBefore.RelativeTime(t).Unix())))
 	}
 
 	return append(signOptions,

authority/provisioner/nebula.go

@@ -14,15 +14,16 @@ import (
 
 	"github.com/pkg/errors"
 	nebula "github.com/slackhq/nebula/cert"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/smallstep/linkedca"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x25519"
 	"go.step.sm/crypto/x509util"
-	"golang.org/x/crypto/ssh"
 
 	"github.com/smallstep/certificates/errs"
+	"github.com/smallstep/certificates/internal/cast"
 )
 
 const (
@@ -237,10 +238,10 @@ func (p *Nebula) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption
 		// Add modifiers from custom claims
 		t := now()
 		if !opts.ValidAfter.IsZero() {
-			signOptions = append(signOptions, sshCertValidAfterModifier(opts.ValidAfter.RelativeTime(t).Unix()))
+			signOptions = append(signOptions, sshCertValidAfterModifier(cast.Uint64(opts.ValidAfter.RelativeTime(t).Unix())))
 		}
 		if !opts.ValidBefore.IsZero() {
-			signOptions = append(signOptions, sshCertValidBeforeModifier(opts.ValidBefore.RelativeTime(t).Unix()))
+			signOptions = append(signOptions, sshCertValidBeforeModifier(cast.Uint64(opts.ValidBefore.RelativeTime(t).Unix())))
 		}
 	}