Merge pull request #68 from nats-io/fix-67

various changes to enable MS FIPS tests

.github/workflows/pushes.yaml

@@ -33,19 +33,16 @@ jobs:
     strategy:
       matrix:
         include:
-          - go: '1.21.x'
+          - go: stable
             os: ubuntu-latest
             canonical: true
-          - go: '1.20.x'
-            os: ubuntu-latest
-            canonical: false
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
           # We're not doing releases, just checks, so we can live without check-latest here
@@ -66,9 +63,9 @@ jobs:
         # You can see the individual values in the "Set up Go" output, collapsed inside a "go env" group at the end.
 
       - name: Install staticcheck
-        uses: dominikh/[email protected].0
+        uses: dominikh/[email protected].1
         with:
-          version: "2022.1.1"
+          version: "2024.1.1"
 
       - name: Install additional check/lint tools
         id: tools-install

.github/workflows/release.yaml

@@ -21,7 +21,7 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           # NB: the `fetch-depth: 0` setting is documented by goreleaser
           # as a requirement, for the changelog feature to work correctly.
@@ -34,9 +34,9 @@ jobs:
       #  docker/setup-buildx-action@v1
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: stable
           check-latest: true
 
       - name: Basic integrity checks
@@ -50,7 +50,7 @@ jobs:
 
       - name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@v3
+        uses: goreleaser/goreleaser-action@v6
         with:
           args: release --clean
         env:

keypair.go

@@ -1,4 +1,4 @@
-// Copyright 2018-2022 The NATS Authors
+// Copyright 2018-2024 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -15,10 +15,9 @@ package nkeys
 
 import (
 	"bytes"
+	"crypto/ed25519"
 	"crypto/rand"
 	"io"
-
-	"golang.org/x/crypto/ed25519"
 )
 
 // kp is the internal struct for a kepypair using seed.
@@ -31,25 +30,20 @@ const seedLen = 32
 
 // CreatePair will create a KeyPair based on the rand entropy and a type/prefix byte.
 func CreatePair(prefix PrefixByte) (KeyPair, error) {
-	return CreatePairWithRand(prefix, rand.Reader)
+	return CreatePairWithRand(prefix, nil)
 }
 
 // CreatePair will create a KeyPair based on the rand reader and a type/prefix byte. rand can be nil.
 func CreatePairWithRand(prefix PrefixByte, rr io.Reader) (KeyPair, error) {
 	if prefix == PrefixByteCurve {
 		return CreateCurveKeysWithRand(rr)
 	}
-	if rr == nil {
-		rr = rand.Reader
-	}
-	var rawSeed [seedLen]byte
-
-	_, err := io.ReadFull(rr, rawSeed[:])
+	_, priv, err := ed25519.GenerateKey(rr)
 	if err != nil {
 		return nil, err
 	}
 
-	seed, err := EncodeSeed(prefix, rawSeed[:])
+	seed, err := EncodeSeed(prefix, priv.Seed())
 	if err != nil {
 		return nil, err
 	}

nkeys_test.go

@@ -1,4 +1,4 @@
-// Copyright 2018 The NATS Authors
+// Copyright 2018-2024 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -15,14 +15,13 @@ package nkeys
 
 import (
 	"bytes"
+	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/base64"
 	"io"
 	"os"
 	"regexp"
 	"testing"
-
-	"golang.org/x/crypto/ed25519"
 )
 
 func TestVersion(t *testing.T) {

public.go

@@ -1,4 +1,4 @@
-// Copyright 2018 The NATS Authors
+// Copyright 2018-2024 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -14,10 +14,9 @@
 package nkeys
 
 import (
+	"crypto/ed25519"
 	"crypto/rand"
 	"io"
-
-	"golang.org/x/crypto/ed25519"
 )
 
 // A KeyPair from a public key capable of verifying only.

xkeys.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2023 The NATS Authors
+// Copyright 2022-2024 The NATS Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
@@ -15,6 +15,7 @@ package nkeys
 
 import (
 	"bytes"
+	"crypto/ed25519"
 	"crypto/rand"
 	"encoding/binary"
 	"io"
@@ -40,17 +41,18 @@ type ckp struct {
 
 // CreateCurveKeys will create a Curve typed KeyPair.
 func CreateCurveKeys() (KeyPair, error) {
-	return CreateCurveKeysWithRand(rand.Reader)
+	return CreateCurveKeysWithRand(nil)
 }
 
 // CreateCurveKeysWithRand will create a Curve typed KeyPair
 // with specified rand source.
 func CreateCurveKeysWithRand(rr io.Reader) (KeyPair, error) {
 	var kp ckp
-	_, err := io.ReadFull(rr, kp.seed[:])
+	_, priv, err := ed25519.GenerateKey(rr)
 	if err != nil {
 		return nil, err
 	}
+	kp.seed = [curveKeyLen]byte(priv.Seed())
 	return &kp, nil
 }