Bump minimum expected Go version to 1.18

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
 
     strategy:
       matrix:
-        go-version: [ '1.18', '1.17' ]
+        go-version: [ '1.19', '1.18' ]
 
     steps:
 

.go-version

@@ -1 +1 @@
-1.17.11
+1.18.5

go.mod

@@ -1,6 +1,6 @@
 module github.com/hashicorp/terraform-provider-tls
 
-go 1.17
+go 1.18
 
 require (
 	github.com/elazarl/goproxy v0.0.0-20220529153421-8ea89ba92021

internal/provider/data_source_certificate_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	r "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
 	"github.com/hashicorp/terraform-provider-tls/internal/provider/fixtures"
 	tu "github.com/hashicorp/terraform-provider-tls/internal/provider/testutils"
 )
@@ -170,7 +171,7 @@ func TestAccDataSourceCertificate_BadSSL(t *testing.T) {
 						url = "https://untrusted-root.badssl.com/"
 					}
 				`,
-				ExpectError: regexp.MustCompile(`certificate signed by[\s]*unknown[\s]*authority`),
+				ExpectError: regexp.MustCompile(`(certificate is not trusted|certificate signed by[\s]*unknown[\s]*authority)`),
 			},
 			{
 				Config: `
@@ -197,7 +198,7 @@ func TestAccDataSourceCertificate_BadSSL(t *testing.T) {
 					r.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.signature_algorithm", "SHA256-RSA"),
 					r.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.public_key_algorithm", "RSA"),
 					r.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.is_ca", "false"),
-					r.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.sha1_fingerprint", "dfa540cf03c6b61a0d78e6c61dc6ea9823245d4f"),
+					r.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.sha1_fingerprint", "03e9ff8bdfda8ee5ac1f97f9567ee49a464caa0c"),
 				),
 			},
 		},

internal/provider/resource_locally_signed_cert_test.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	r "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+
 	"github.com/hashicorp/terraform-provider-tls/internal/provider/fixtures"
 	tu "github.com/hashicorp/terraform-provider-tls/internal/provider/testutils"
 )

internal/provider/testutils/test_check_func.go

@@ -5,7 +5,6 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"net"
 	"net/url"
@@ -183,26 +182,10 @@ func TestCheckPEMCertificateNoAuthorityKeyID(name, key string) r.TestCheckFunc {
 
 func TestCheckPEMCertificateAgainstPEMRootCA(name, key string, rootCA []byte) r.TestCheckFunc {
 	return TestCheckPEMCertificateWith(name, key, func(crt *x509.Certificate) error {
-		// Certificate verification must fail if no CA Cert Pool is provided
-		_, err := crt.Verify(x509.VerifyOptions{})
-		if err == nil {
-			return fmt.Errorf("incorrectly verified certificate")
-		} else if !errors.Is(err, x509.UnknownAuthorityError{Cert: crt}) {
-			return fmt.Errorf("incorrect verify error: expected UnknownAuthorityError, got %v", err)
-		}
-
-		// Certificate verification must fail if an empty CA Cert Pool is provided
-		_, err = crt.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()})
-		if err == nil {
-			return fmt.Errorf("incorrectly verified certificate")
-		} else if !errors.Is(err, x509.UnknownAuthorityError{Cert: crt}) {
-			return fmt.Errorf("incorrect verify error: expected UnknownAuthorityError, got %v", err)
-		}
-
 		// Certification verification must succeed now that we are providing the correct CA Cert Pool
 		certPool := x509.NewCertPool()
 		certPool.AppendCertsFromPEM(rootCA)
-		if _, err = crt.Verify(x509.VerifyOptions{Roots: certPool}); err != nil {
+		if _, err := crt.Verify(x509.VerifyOptions{Roots: certPool}); err != nil {
 			return fmt.Errorf("verify failed: %s", err)
 		}