Update to Go 1.24.2 (#30272)

.go-version

@@ -1 +1 @@
-1.23.8
+1.24.2

builtin/logical/pki/backend_test.go

@@ -4939,7 +4939,7 @@ func TestBackend_Roles_KeySizeRegression(t *testing.T) {
 		/*  8 */ {"ed25519", []int{0}, []int{0}, false, []string{"ed25519"}, []int{0}, false},
 
 		// Any key type should reject insecure RSA key sizes.
-		/*  9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{512, 1024}, true},
+		/*  9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa"}, []int{1024}, true},
 		// But work for everything else.
 		/* 10 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{2048, 3072, 224, 256, 384, 521, 0}, false},
 

builtin/logical/pki/path_roles_test.go

@@ -1145,8 +1145,8 @@ func getPolicyIdentifiersOffCertificate(resp logical.Response) ([]string, error)
 	if err != nil {
 		return nil, err
 	}
-	policyIdentifierStrings := make([]string, len(certificate.PolicyIdentifiers))
+	policyIdentifierStrings := make([]string, len(certificate.Policies))
-	for index, asnOid := range certificate.PolicyIdentifiers {
+	for index, asnOid := range certificate.Policies {
 		policyIdentifierStrings[index] = asnOid.String()
 	}
 	return policyIdentifierStrings, nil

builtin/logical/pki/path_root.go

@@ -658,7 +658,7 @@ func validateCaKeyUsages(keyUsages []string) error {
 		}
 	}
 	if invalidKeyUsages != nil {
-		return fmt.Errorf(strings.Join(invalidKeyUsages, "; "))
+		return errors.New(strings.Join(invalidKeyUsages, "; "))
 	}
 	return nil
 }

changelog/_go-ver-1200.txt

@@ -1,3 +1,3 @@
 ```release-note:change
-core: Bump Go version to 1.23.7.
+core: Bump Go version to 1.24.2.
 ```

go.mod

@@ -10,7 +10,7 @@ module github.com/hashicorp/vault
 // semantic related to Go module handling), this comment should be updated to explain that.
 //
 // Whenever this value gets updated, sdk/go.mod should be updated to the same value.
-go 1.23.8
+go 1.24.0
 
 replace github.com/hashicorp/vault/api => ./api
 

sdk/go.mod

@@ -1,6 +1,6 @@
 module github.com/hashicorp/vault/sdk
 
-go 1.23.3
+go 1.24.0
 
 require (
 	cloud.google.com/go/cloudsqlconn v1.4.3

sdk/helper/certutil/helpers.go

@@ -536,9 +536,10 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
 func AddPolicyIdentifiers(data *CreationBundle, certTemplate *x509.Certificate) {
 	oidOnly := true
 	for _, oidStr := range data.Params.PolicyIdentifiers {
-		oid, err := StringToOid(oidStr)
+		// Compatible with Go 1.24 and higher only (or 1.22 with x509usepolicies=1)
+		x509Oid, err := x509.ParseOID(oidStr)
 		if err == nil {
-			certTemplate.PolicyIdentifiers = append(certTemplate.PolicyIdentifiers, oid)
+			certTemplate.Policies = append(certTemplate.Policies, x509Oid)
 		}
 		if err != nil {
 			oidOnly = false

sdk/plugin/grpc_system.go

@@ -483,8 +483,7 @@ func (s *gRPCSystemViewServer) RegisterRotationJob(ctx context.Context, req *pb.
 
 	rotationID, err := s.impl.RegisterRotationJob(ctx, cfgReq)
 	if err != nil {
-		return &pb.RegisterRotationJobResponse{}, status.Errorf(codes.Internal,
+		return &pb.RegisterRotationJobResponse{}, status.Error(codes.Internal, err.Error())
-			err.Error())
 	}
 
 	return &pb.RegisterRotationJobResponse{
@@ -504,8 +503,7 @@ func (s *gRPCSystemViewServer) DeregisterRotationJob(ctx context.Context, req *p
 
 	err := s.impl.DeregisterRotationJob(ctx, cfgReq)
 	if err != nil {
-		return &pb.Empty{}, status.Errorf(codes.Internal,
+		return &pb.Empty{}, status.Error(codes.Internal, err.Error())
-			err.Error())
 	}
 
 	return &pb.Empty{}, nil

vault/auth_test.go

@@ -5,12 +5,12 @@ package vault
 
 import (
 	"context"
-	"reflect"
 	"strings"
 	"testing"
 	"time"
 
 	"github.com/armon/go-metrics"
+	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
@@ -142,8 +142,8 @@ func TestCore_DefaultAuthTable(t *testing.T) {
 	}
 
 	// Verify matching mount tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+		t.Fatalf("mismatch: %v %v:\nDiffs: %v", c.auth, c2.auth, diffs)
 	}
 }
 
@@ -230,8 +230,8 @@ func TestCore_EnableCredential(t *testing.T) {
 	}
 
 	// Verify matching auth tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+		t.Fatalf("mismatch: %v %v:\nDiffs: %v", c.auth, c2.auth, diffs)
 	}
 }
 
@@ -289,8 +289,8 @@ func TestCore_EnableCredential_aws_ec2(t *testing.T) {
 	}
 
 	// Verify matching auth tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+		t.Fatalf("mismatch: %v %v:\n%v", c.auth, c2.auth, diffs)
 	}
 }
 
@@ -377,8 +377,8 @@ func TestCore_EnableCredential_Local(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	if !reflect.DeepEqual(oldCredential, c.auth) {
+	if diffs := deep.Equal(oldCredential, c.auth); len(diffs) != 0 {
-		t.Fatalf("expected\n%#v\ngot\n%#v\n", oldCredential, c.auth)
+		t.Fatalf("expected\n%#v\ngot\n%#v:\nDiffs: %v", oldCredential, c.auth, diffs)
 	}
 
 	if len(c.auth.Entries) != 2 {
@@ -486,8 +486,8 @@ func TestCore_DisableCredential(t *testing.T) {
 	}
 
 	// Verify matching mount tables
-	if !reflect.DeepEqual(c.auth, c2.auth) {
+	if diffs := deep.Equal(c.auth, c2.auth); len(diffs) != 0 {
-		t.Fatalf("mismatch: %v %v", c.auth, c2.auth)
+		t.Fatalf("mismatch: %v %v:\nDiffs: %v", c.auth, c2.auth, diffs)
 	}
 }
 

vault/mount_test.go

@@ -370,8 +370,8 @@ func TestCore_Mount_Local(t *testing.T) {
 	}
 	c.mounts.Entries = compEntries
 
-	if !reflect.DeepEqual(oldMounts, c.mounts) {
+	if diffs := deep.Equal(oldMounts, c.mounts); len(diffs) != 0 {
-		t.Fatalf("expected\n%#v\ngot\n%#v\n", oldMounts, c.mounts)
+		t.Fatalf("expected\n%#v\ngot\n%#v:\nDiffs: %v", oldMounts, c.mounts, diffs)
 	}
 
 	if len(c.mounts.Entries) != 2 {