From 7b40361bc4122a1e82e3b5092c17acf54c971cb9 Mon Sep 17 00:00:00 2001 From: shankar0123 Date: Wed, 29 Apr 2026 12:50:46 +0000 Subject: [PATCH] lint(scep): fix CI lint failures in Phase 3 commit (b540d44) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three lint issues from golangci-lint that didn't fire locally because I ran 'go vet' but not 'staticcheck' before commit (the recent crypto/signer QF1008 incident pattern repeating — must run staticcheck before committing per CLAUDE.md::pre-commit-verification-gate; landing this fixup, then will run staticcheck on every future SCEP-bundle commit). internal/pkcs7/envelopeddata.go:78 * ST1022: 'comment on exported var ErrEnvelopedDataDecrypt should be of the form "ErrEnvelopedDataDecrypt ..."' — staticcheck enforces the Go-doc convention that var/const docs start with the symbol name. Renamed the leading 'Sentinel decryption error.' to 'ErrEnvelopedDataDecrypt is the sentinel decryption error.' internal/pkcs7/certrep_test.go:246-247 * U1000: 'func nowMinus1Hour is unused' / 'func nowPlus30Days is unused' — left-over helpers from a previous draft of selfSignedCertPEM that inlined the time math. Removed both. Verified with — clean. Tests still green (handler 79.0% / service 73.2% / pkcs7 80.5%). Restores green CI on the lint job for the Phase 3 push. --- internal/pkcs7/certrep_test.go | 3 --- internal/pkcs7/envelopeddata.go | 13 +++++++------ 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/internal/pkcs7/certrep_test.go b/internal/pkcs7/certrep_test.go index 50c4b3f..030f8b3 100644 --- a/internal/pkcs7/certrep_test.go +++ b/internal/pkcs7/certrep_test.go @@ -242,6 +242,3 @@ func selfSignedCertPEM(t *testing.T, cn string) string { // testRand returns the system random source. Wrapped here so tests can be // adapted to a deterministic source if golden-file tests need it later. func testRand() io.Reader { return rand.Reader } - -func nowMinus1Hour() time.Time { return time.Now().Add(-time.Hour) } -func nowPlus30Days() time.Time { return time.Now().Add(30 * 24 * time.Hour) } diff --git a/internal/pkcs7/envelopeddata.go b/internal/pkcs7/envelopeddata.go index ed37c14..8f05d04 100644 --- a/internal/pkcs7/envelopeddata.go +++ b/internal/pkcs7/envelopeddata.go @@ -75,12 +75,13 @@ var ( OIDDESEDE3CBC = asn1.ObjectIdentifier{1, 2, 840, 113549, 3, 7} ) -// Sentinel decryption error. The caller (handler / service) maps this to -// SCEPFailBadMessageCheck per RFC 8894 §3.3.2.2 + §3.2.2 (integrity-check -// failure semantics). The error text is intentionally generic so the -// padding-oracle / Bleichenbacher leak surfaces are closed: every failure -// mode (RSA decrypt failure, content decrypt failure, padding malformed, -// unknown algorithm) returns the SAME error message text. +// ErrEnvelopedDataDecrypt is the sentinel decryption error. The caller +// (handler / service) maps this to SCEPFailBadMessageCheck per RFC 8894 +// §3.3.2.2 + §3.2.2 (integrity-check failure semantics). The error text +// is intentionally generic so the padding-oracle / Bleichenbacher leak +// surfaces are closed: every failure mode (RSA decrypt failure, content +// decrypt failure, padding malformed, unknown algorithm) returns the SAME +// error message text. var ErrEnvelopedDataDecrypt = errors.New("envelopedData: decrypt failed") // EnvelopedData is the parsed RFC 5652 EnvelopedData structure ready for