Potential fix for code scanning alert no. 11: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: akabarki76

third-party/github.com/letsencrypt/boulder/akamai/cache-client.go

@@ -331,8 +331,9 @@ func CheckSignature(secret string, url string, r *http.Request, body []byte) err
 	h.Write(input)
 	expectedSignature := base64.StdEncoding.EncodeToString(h.Sum(nil))
 	if signature != expectedSignature {
-		return fmt.Errorf("expected signature %q, got %q in %q",
-			signature, authorization, expectedSignature)
+		sanitizedAuth := sanitizeAuthorizationHeader(authorization)
+		return fmt.Errorf("expected signature %q, got sanitized authorization header %q in %q",
+			signature, sanitizedAuth, expectedSignature)
 	}
 	return nil
 }
@@ -344,6 +345,14 @@ func reverseBytes(b []byte) []byte {
 	return b
 }
 
+// sanitizeAuthorizationHeader obfuscates sensitive parts of the Authorization header.
+func sanitizeAuthorizationHeader(authHeader string) string {
+	if len(authHeader) > 10 {
+		return authHeader[:5] + "..." + authHeader[len(authHeader)-5:]
+	}
+	return "REDACTED"
+}
+
 // makeOCSPCacheURLs constructs the 3 URLs associated with each cached OCSP
 // response.
 func makeOCSPCacheURLs(req []byte, ocspServer string) []string {

third-party/github.com/letsencrypt/boulder/test/akamai-test-srv/main.go

@@ -61,7 +61,7 @@ func main() {
 		}
 		if err = akamai.CheckSignature(*secret, "http://"+*listenAddr, r, body); err != nil {
 			w.WriteHeader(http.StatusUnauthorized)
-			fmt.Println("Bad signature:", err)
+			fmt.Println("Bad signature error:", err)
 			return
 		}
 		if err = json.Unmarshal(body, &purgeRequest); err != nil {