Merge pull request #1568 from smallstep/herman/fix-nebula-certificate-handling

Upgrade `github.com/slackhq/nebula` and fix breaking changes

Author: hslatman

command/ca/provisioner/provisioner.go

@@ -651,14 +651,14 @@ func readNebulaRoots(rootFile string) ([][]byte, error) {
 		return nil, err
 	}
 
-	var crt *nebula.NebulaCertificate
-	var certs []*nebula.NebulaCertificate
+	var crt nebula.Certificate
+	var certs []nebula.Certificate
 	for len(b) > 0 {
-		crt, b, err = nebula.UnmarshalNebulaCertificateFromPEM(b)
+		crt, b, err = nebula.UnmarshalCertificateFromPEM(b)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error reading %s", rootFile)
 		}
-		if crt.Details.IsCA {
+		if crt.IsCA() {
 			certs = append(certs, crt)
 		}
 	}
@@ -668,7 +668,7 @@ func readNebulaRoots(rootFile string) ([][]byte, error) {
 
 	rootBytes := make([][]byte, len(certs))
 	for i, crt := range certs {
-		b, err = crt.MarshalToPEM()
+		b, err = crt.MarshalPEM()
 		if err != nil {
 			return nil, errors.Wrap(err, "error marshaling certificate")
 		}

command/ca/provisioner/provisioner_test.go

@@ -0,0 +1,97 @@
+package provisioner
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"net/netip"
+	"os"
+	"testing"
+	"time"
+
+	nebula "github.com/slackhq/nebula/cert"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestReadNebulaRoots(t *testing.T) {
+	t.Run("ok", func(t *testing.T) {
+		tempDir := t.TempDir()
+		ca, _ := mustNebulaCurve25519CA(t)
+		file, _ := serializeAndWriteNebulaCert(t, tempDir, ca)
+
+		roots, err := readNebulaRoots(file)
+		assert.NoError(t, err)
+		assert.Len(t, roots, 1)
+	})
+
+	t.Run("fail/reading", func(t *testing.T) {
+		roots, err := readNebulaRoots("non-existing-file")
+		assert.Error(t, err)
+		assert.Empty(t, roots)
+	})
+
+	t.Run("fail/invalid-pem", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		file, err := os.CreateTemp(tempDir, "nebula-test-cert-*")
+		require.NoError(t, err)
+		defer file.Close()
+
+		_, err = file.Write([]byte{0})
+		require.NoError(t, err)
+
+		roots, err := readNebulaRoots(file.Name())
+		assert.Error(t, err)
+		assert.Empty(t, roots)
+	})
+
+	t.Run("fail/no-certificates", func(t *testing.T) {
+		tempDir := t.TempDir()
+
+		file, err := os.CreateTemp(tempDir, "nebula-test-cert-*")
+		require.NoError(t, err)
+		defer file.Close()
+
+		roots, err := readNebulaRoots(file.Name())
+		assert.Error(t, err)
+		assert.Empty(t, roots)
+	})
+}
+
+func mustNebulaCurve25519CA(t *testing.T) (nebula.Certificate, ed25519.PrivateKey) {
+	t.Helper()
+
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	require.NoError(t, err)
+
+	tbs := &nebula.TBSCertificate{
+		Version:   nebula.Version1,
+		Name:      "TestCA",
+		Groups:    []string{"test"},
+		Networks:  []netip.Prefix{netip.MustParsePrefix("10.1.0.0/16")},
+		NotBefore: time.Now().Add(-1 * time.Minute),
+		NotAfter:  time.Now().Add(10 * time.Minute),
+		PublicKey: pub,
+		IsCA:      true,
+		Curve:     nebula.Curve_CURVE25519,
+	}
+	nc, err := tbs.Sign(nil, nebula.Curve_CURVE25519, priv)
+	require.NoError(t, err)
+
+	return nc, priv
+}
+
+func serializeAndWriteNebulaCert(t *testing.T, tempDir string, cert nebula.Certificate) (string, []byte) {
+	file, err := os.CreateTemp(tempDir, "nebula-test-cert-*")
+	require.NoError(t, err)
+	defer file.Close()
+
+	pem, err := cert.MarshalPEM()
+	require.NoError(t, err)
+	data, err := cert.Marshal()
+	require.NoError(t, err)
+	_, err = file.Write(pem)
+	require.NoError(t, err)
+
+	return file.Name(), data
+}

go.mod

@@ -1,6 +1,6 @@
 module github.com/smallstep/cli
 
-go 1.24.0
+go 1.25
 
 require (
 	github.com/Microsoft/go-winio v0.6.2
@@ -14,9 +14,9 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rogpeppe/go-internal v1.14.1
-	github.com/slackhq/nebula v1.9.7
+	github.com/slackhq/nebula v1.10.3
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
-	github.com/smallstep/certificates v0.29.0
+	github.com/smallstep/certificates v0.30.0-rc2.0.20260217112636-bb94179fa4c6
 	github.com/smallstep/certinfo v1.15.0
 	github.com/smallstep/cli-utils v0.12.2
 	github.com/smallstep/go-attestation v0.4.4-0.20241119153605-2306d5b464ca
@@ -43,7 +43,8 @@ require (
 	cloud.google.com/go/iam v1.5.3 // indirect
 	cloud.google.com/go/longrunning v0.8.0 // indirect
 	cloud.google.com/go/security v1.19.2 // indirect
-	dario.cat/mergo v1.0.1 // indirect
+	dario.cat/mergo v1.0.2 // indirect
+	filippo.io/bigmod v0.1.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 // indirect
@@ -62,7 +63,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/coreos/go-oidc/v3 v3.17.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.6.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.7.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgraph-io/badger v1.6.2 // indirect
@@ -71,7 +72,7 @@ require (
 	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-chi/chi/v5 v5.2.5 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -106,14 +107,14 @@ require (
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.23.2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/schollz/jsonstore v1.1.0 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/smallstep/nosql v0.7.0 // indirect
 	github.com/smallstep/pkcs7 v0.2.1 // indirect
 	github.com/smallstep/scep v0.0.0-20250318231241-a25cabb69492 // indirect
@@ -127,18 +128,18 @@ require (
 	go.opentelemetry.io/otel v1.39.0 // indirect
 	go.opentelemetry.io/otel/metric v1.39.0 // indirect
 	go.opentelemetry.io/otel/trace v1.39.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/net v0.49.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools v0.41.0 // indirect
-	google.golang.org/api v0.264.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
+	google.golang.org/api v0.266.0 // indirect
 	google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
-	google.golang.org/grpc v1.78.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260203192932-546029d2fa20 // indirect
+	google.golang.org/grpc v1.79.1 // indirect
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect