vendor: github.com/moby/swarmkit/v2 v2.0.0-20221123162438-b17f02f0a054

Conflicts:
       vendor.mod

Conflict because code.cloudfoundry.org/clock moved to a direct dependency in
vendor.mod on master branch since 342b44bf20

full diff: 6341884e5f...b17f02f0a0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 64f9ea1cf5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor.mod

@@ -7,7 +7,7 @@ module github.com/docker/docker
 go 1.18
 
 require (
-	cloud.google.com/go v0.93.3
+	cloud.google.com/go/compute v1.7.0
 	cloud.google.com/go/logging v1.4.2
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
 	github.com/Graylog2/go-gelf v0.0.0-20191017102106-1550ee647df0
@@ -54,7 +54,7 @@ require (
 	github.com/moby/locker v1.0.1
 	github.com/moby/patternmatcher v0.5.0
 	github.com/moby/pubsub v1.0.0
-	github.com/moby/swarmkit/v2 v2.0.0-20221102165002-6341884e5fc9
+	github.com/moby/swarmkit/v2 v2.0.0-20221123162438-b17f02f0a054
 	github.com/moby/sys/mount v0.3.3
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/moby/sys/sequential v0.5.0
@@ -91,6 +91,7 @@ require (
 )
 
 require (
+	cloud.google.com/go v0.102.1 // indirect
 	code.cloudfoundry.org/clock v1.0.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 // indirect
@@ -116,9 +117,10 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/certificate-transparency-go v1.1.2 // indirect; replaced; see "replace" section at the bottom of this file for the actual version.
+	github.com/google/certificate-transparency-go v1.1.4 // indirect; replaced; see "replace" section at the bottom of this file for the actual version.
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/googleapis/gax-go/v2 v2.0.5 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.1.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
@@ -140,10 +142,10 @@ require (
 	github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 // indirect
 	github.com/tinylib/msgp v1.1.0 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.5.2 // indirect
-	go.etcd.io/etcd/pkg/v3 v3.5.2 // indirect
-	go.etcd.io/etcd/raft/v3 v3.5.2 // indirect
-	go.etcd.io/etcd/server/v3 v3.5.2 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.5.6 // indirect
+	go.etcd.io/etcd/pkg/v3 v3.5.6 // indirect
+	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
+	go.etcd.io/etcd/server/v3 v3.5.6 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.29.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.29.0 // indirect
@@ -161,13 +163,8 @@ require (
 	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/oauth2 v0.1.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
-	google.golang.org/api v0.54.0 // indirect
+	google.golang.org/api v0.93.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
+	k8s.io/klog/v2 v2.80.1 // indirect
 )
-
-// Resolve dependency hell with github.com/cloudflare/cfssl (transitive via
-// swarmkit) by pinning the certificate-transparency-go version. Remove once
-// module go.etcd.io/etcd/server/v3 has upgraded its dependency on
-// go.opentelemetry.io/otel to v1.
-replace github.com/google/certificate-transparency-go => github.com/google/certificate-transparency-go v1.0.20

vendor.sum

@@ -24,17 +24,31 @@ cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAV
 cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM=
 cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY=
 cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ=
-cloud.google.com/go v0.93.3 h1:wPBktZFzYBcCZVARvwVKqH1uEj+aLXofJEtrb4oOsio=
 cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
+cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
+cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
+cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
+cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
+cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
+cloud.google.com/go v0.102.1 h1:vpK6iQWv/2uUeFJth4/cBHsQAGjn1iIE6AAlxipRaA0=
+cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/compute v0.1.0/go.mod h1:GAesmwr110a34z04OlxYkATPBEfVhkymfTBXtfbBFow=
+cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJWM7YD99wM=
+cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
+cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
+cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
+cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk=
+cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp4bnY=
 cloud.google.com/go/logging v1.4.2 h1:Mu2Q75VBDQlW1HlBMjTX4X84UFR73G1TiLlRYc/b7tA=
 cloud.google.com/go/logging v1.4.2/go.mod h1:jco9QZSx8HiVVqLJReq7z7bVdj0P1Jb9PDFs63T+axo=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
@@ -46,6 +60,7 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 code.cloudfoundry.org/clock v1.0.0 h1:kFXWQM4bxYvdBw2X8BbBeXwQNgfoWv1vqAk2ZZyBN2o=
 code.cloudfoundry.org/clock v1.0.0/go.mod h1:QD9Lzhd/ux6eNQVUDVRJX/RKTigpewimNYBi7ivZKY8=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
@@ -496,6 +511,7 @@ github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2 h1:xisWqjiKEff2B0KfFYGpCqc3M3zdTz+OHQHRc09FeYk=
 github.com/golang/gddo v0.0.0-20190904175337-72a348e765d2/go.mod h1:xEhNfoBDX1hzLm2Nf80qUvZ2sVwoMZ8d6IE2SrsQfh4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -539,8 +555,8 @@ github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ
 github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/certificate-transparency-go v1.0.20 h1:azETE79toaBOyp+StoEBy8atzQujL0PyBPEmsEeDCXI=
-github.com/google/certificate-transparency-go v1.0.20/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
+github.com/google/certificate-transparency-go v1.1.4 h1:hCyXHDbtqlr/lMXU0D4WgbalXL0Zk4dSWWMbPV8VrqY=
+github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WVl1EVeMOyzC19mpIjMOI4nxBHtQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -554,6 +570,7 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0=
@@ -587,12 +604,21 @@ github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0 h1:zO8WHNx/MYiAKJ3d5spxZXZE6KHmIQGQcAzwUzV7qQw=
+github.com/googleapis/enterprise-certificate-proxy v0.1.0/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5 h1:sjZBwGj9Jlw33ImPtvFviGYvseOtDM7hkSKB7+Tv3SM=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0=
+github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
+github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
+github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
+github.com/googleapis/gax-go/v2 v2.4.0 h1:dS9eYAjhrE2RjmzYw2XAPvcXfmcQLtFEQWn0CR82awk=
+github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
 github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg=
 github.com/googleapis/gnostic v0.5.1/go.mod h1:6U4PtQXGIEt/Z3h5MAT7FNofLnw9vXk2cUuW7uA/OeU=
 github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97DwqyJO1AENw9kA=
+github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/handlers v0.0.0-20150720190736-60c7bfde3e33/go.mod h1:Qkdc/uu4tH4g6mTK6auzZ766c4CA0Ng8+o/OAirnOIQ=
 github.com/gorilla/mux v1.7.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
@@ -773,8 +799,8 @@ github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YO
 github.com/moby/pubsub v1.0.0 h1:jkp/imWsmJz2f6LyFsk7EkVeN2HxR/HTTOY8kHrsxfA=
 github.com/moby/pubsub v1.0.0/go.mod h1:bXSO+3h5MNXXCaEG+6/NlAIk7MMZbySZlnB+cUQhKKc=
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
-github.com/moby/swarmkit/v2 v2.0.0-20221102165002-6341884e5fc9 h1:d/XCmjx1zKZdzlBX90kSGDex7V2GE2jdGDr9nXYZg/Q=
-github.com/moby/swarmkit/v2 v2.0.0-20221102165002-6341884e5fc9/go.mod h1:/so6Lct4y1x14UprW/loFsOe6xoXVTlvh25V36ULXNQ=
+github.com/moby/swarmkit/v2 v2.0.0-20221123162438-b17f02f0a054 h1:ny1MdKQaQI/i+i7YrwO2zPpfW2ET1QBR59HqZd+ozOI=
+github.com/moby/swarmkit/v2 v2.0.0-20221123162438-b17f02f0a054/go.mod h1:rUZl7gR5C7156P2qEE6wnx4riFgBjqmsQaUqo/WeyBw=
 github.com/moby/sys/mount v0.3.3 h1:fX1SVkXFJ47XWDoeFW4Sq7PdQJnV2QIDZAqjNqgEjUs=
 github.com/moby/sys/mount v0.3.3/go.mod h1:PBaEorSNTLG5t/+4EgukEQVlAvVEc6ZjTySwKdqp5K0=
 github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
@@ -906,6 +932,7 @@ github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQ
 github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3OK1iX/F2sw+iXX5zU=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU=
 github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
@@ -1013,8 +1040,8 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.5 h1:s5PTfem8p8EbKQOctVV53k6jCJt3UX4IEJzwh+C324Q=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -1078,23 +1105,23 @@ go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3CSBatqGNg7GRmsnfLWtoW60w4eDYfh7vHDg=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
-go.etcd.io/etcd/api/v3 v3.5.2/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A=
+go.etcd.io/etcd/api/v3 v3.5.6/go.mod h1:KFtNaxGDw4Yx/BA4iPPwevUTAuqcsPxzyX8PHydchN8=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
-go.etcd.io/etcd/client/pkg/v3 v3.5.2 h1:4hzqQ6hIb3blLyQ8usCU4h3NghkqcsohEQ3o3VetYxE=
-go.etcd.io/etcd/client/pkg/v3 v3.5.2/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/pkg/v3 v3.5.6 h1:TXQWYceBKqLp4sa87rcPs11SXxUA/mHwH975v+BDvLU=
+go.etcd.io/etcd/client/pkg/v3 v3.5.6/go.mod h1:ggrwbk069qxpKPq8/FKkQ3Xq9y39kbFR4LnKszpRXeQ=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
-go.etcd.io/etcd/client/v2 v2.305.2/go.mod h1:2D7ZejHVMIfog1221iLSYlQRzrtECw3kz4I4VAQm3qI=
+go.etcd.io/etcd/client/v2 v2.305.6/go.mod h1:BHha8XJGe8vCIBfWBpbBLVZ4QjOIlfoouvOwydu63E0=
 go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
-go.etcd.io/etcd/client/v3 v3.5.2/go.mod h1:kOOaWFFgHygyT0WlSmL8TJiXmMysO/nNUlEsSsN6W4o=
+go.etcd.io/etcd/client/v3 v3.5.6/go.mod h1:f6GRinRMCsFVv9Ht42EyY7nfsVGwrNO0WEoS2pRKzQk=
 go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
-go.etcd.io/etcd/pkg/v3 v3.5.2 h1:YZUojdoPhOyl5QILYnR8LTUbbNefu/sV4ma+ZMr2tto=
-go.etcd.io/etcd/pkg/v3 v3.5.2/go.mod h1:zsXz+9D/kijzRiG/UnFGDTyHKcVp0orwiO8iMLAi+k0=
+go.etcd.io/etcd/pkg/v3 v3.5.6 h1:k1GZrGrfMHy5/cg2bxNGsmLTFisatyhDYCFLRuaavWg=
+go.etcd.io/etcd/pkg/v3 v3.5.6/go.mod h1:qATwUzDb6MLyGWq2nUj+jwXqZJcxkCuabh0P7Cuff3k=
 go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
-go.etcd.io/etcd/raft/v3 v3.5.2 h1:uCC37qOXqBvKqTGHGyhASsaCsnTuJugl1GvneJNwHWo=
-go.etcd.io/etcd/raft/v3 v3.5.2/go.mod h1:G6pCP1sFgbjod7/KnEHY0vHUViqxjkdt6AiKsD0GRr8=
+go.etcd.io/etcd/raft/v3 v3.5.6 h1:tOmx6Ym6rn2GpZOrvTGJZciJHek6RnC3U/zNInzIN50=
+go.etcd.io/etcd/raft/v3 v3.5.6/go.mod h1:wL8kkRGx1Hp8FmZUuHfL3K2/OaGIDaXGr1N7i2G07J0=
 go.etcd.io/etcd/server/v3 v3.5.0/go.mod h1:3Ah5ruV+M+7RZr0+Y/5mNLwC+eQlni+mQmOVdCRJoS4=
-go.etcd.io/etcd/server/v3 v3.5.2 h1:B6ytJvS4Fmt8nkjzS2/8POf4tuPhFMluE0lWd4dx/7U=
-go.etcd.io/etcd/server/v3 v3.5.2/go.mod h1:mlG8znIEz4N/28GABrohZCBM11FqgGVQcpbcyJgh0j0=
+go.etcd.io/etcd/server/v3 v3.5.6 h1:RXuwaB8AMiV62TqcqIt4O4bG8NWjsxOkDJVT3MZI5Ds=
+go.etcd.io/etcd/server/v3 v3.5.6/go.mod h1:6/Gfe8XTGXQJgLYQ65oGKMfPivb2EASLUSMSWN9Sroo=
 go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
@@ -1106,6 +1133,7 @@ go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.25.0/go.mod h1:E5NNboN0UqSAki0Atn9kVwaN7I+l25gGxDqBueo/74E=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.29.0 h1:n9b7AAdbQtQ0k9dm0Dm2/KUcUqtG8i2O15KzNaDze8c=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.29.0/go.mod h1:LsankqVDx4W+RhZNA5uWarULII/MBhF5qwCYxTuyXjs=
@@ -1115,6 +1143,7 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.20.0/go.mod h1:
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.29.0 h1:SLme4Porm+UwX0DdHMxlwRt7FzPSE0sys81bet2o0pU=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.29.0/go.mod h1:tLYsuf2v8fZreBVwp9gVMhefZlLFZaUiNVSq8QxXRII=
 go.opentelemetry.io/otel v0.20.0/go.mod h1:Y3ugLH2oa81t5QO+Lty+zXf8zC9L26ax4Nzoxm/dooo=
+go.opentelemetry.io/otel v1.0.1/go.mod h1:OPEOD4jIT2SlZPMmwT6FqZz2C0ZNdQqiWcoK6M0SNFU=
 go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs=
 go.opentelemetry.io/otel v1.4.0/go.mod h1:jeAqMFKy2uLIxCtKxoFj0FAL5zAPKQagc3+GtBWakzk=
 go.opentelemetry.io/otel v1.4.1 h1:QbINgGDDcoQUoMJa2mMaWno49lja9sHwp6aoa2n3a4g=
@@ -1122,9 +1151,11 @@ go.opentelemetry.io/otel v1.4.1/go.mod h1:StM6F/0fSwpd8dKWDCdRr7uRvEPYdW0hBSlbdT
 go.opentelemetry.io/otel/exporters/otlp v0.20.0/go.mod h1:YIieizyaN77rtLJra0buKiNBOm9XQfkPEKBeuhoMwAM=
 go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.3.0/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4=
 go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.4.1/go.mod h1:VpP4/RMn8bv8gNo9uK7/IMY4mtWLELsS+JIP0inH0h4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.0.1/go.mod h1:Kv8liBeVNFkkkbilbgWRpV+wWuu+H5xdOT6HAgd30iw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.3.0/go.mod h1:hO1KLR7jcKaDDKDkvI9dP/FIhpmna5lkqPUQdEjFAM8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.4.1 h1:WPpPsAAs8I2rA47v5u0558meKmmwm1Dj99ZbqCV8sZ8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.4.1/go.mod h1:o5RW5o2pKpJLD5dNTCmjF1DorYwMeFJmb/rKr5sLaa8=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.0.1/go.mod h1:xOvWoTOrQjxjW61xtOmD/WKGRYb/P4NzRo3bs65U6Rk=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.3.0/go.mod h1:keUU7UfnwWTWpJ+FWnyqmogPa82nuU5VUANFq49hlMY=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE=
 go.opentelemetry.io/otel/internal/metric v0.27.0 h1:9dAVGAfFiiEq5NVB9FUJ5et+btbDQAUIJehJ+ikyryk=
@@ -1134,17 +1165,20 @@ go.opentelemetry.io/otel/metric v0.27.0 h1:HhJPsGhJoKRSegPQILFbODU56NS/L1UE4fS1s
 go.opentelemetry.io/otel/metric v0.27.0/go.mod h1:raXDJ7uP2/Jc0nVZWQjJtzoyssOYWu/+pjZqRzfvZ7g=
 go.opentelemetry.io/otel/oteltest v0.20.0/go.mod h1:L7bgKf9ZB7qCwT9Up7i9/pn0PWIa9FqQ2IQ8LoxiGnw=
 go.opentelemetry.io/otel/sdk v0.20.0/go.mod h1:g/IcepuwNsoiX5Byy2nNV0ySUF1em498m7hBWC279Yc=
+go.opentelemetry.io/otel/sdk v1.0.1/go.mod h1:HrdXne+BiwsOHYYkBE5ysIcv2bvdZstxzmCQhxTcZkI=
 go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs=
 go.opentelemetry.io/otel/sdk v1.4.1 h1:J7EaW71E0v87qflB4cDolaqq3AcujGrtyIPGQoZOB0Y=
 go.opentelemetry.io/otel/sdk v1.4.1/go.mod h1:NBwHDgDIBYjwK2WNu1OPgsIc2IJzmBXNnvIJxJc8BpE=
 go.opentelemetry.io/otel/sdk/export/metric v0.20.0/go.mod h1:h7RBNMsDJ5pmI1zExLi+bJK+Dr8NQCh0qGhm1KDnNlE=
 go.opentelemetry.io/otel/sdk/metric v0.20.0/go.mod h1:knxiS8Xd4E/N+ZqKmUPf3gTTZ4/0TjTXukfxjzSTpHE=
 go.opentelemetry.io/otel/trace v0.20.0/go.mod h1:6GjCW8zgDjwGHGa6GkyeB8+/5vjT16gUEi0Nf1iBdgw=
+go.opentelemetry.io/otel/trace v1.0.1/go.mod h1:5g4i4fKLaX2BQpSBsxw8YYcgKpMMSW3x7ZTuYBr3sUk=
 go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk=
 go.opentelemetry.io/otel/trace v1.4.0/go.mod h1:uc3eRsqDfWs9R7b92xbQbU42/eTNz4N+gLP8qJCi4aE=
 go.opentelemetry.io/otel/trace v1.4.1 h1:O+16qcdTrT7zxv2J6GejTPFinSwA++cYerC5iSiF8EQ=
 go.opentelemetry.io/otel/trace v1.4.1/go.mod h1:iYEVbroFCNut9QkwEczV9vMRPHNKSSwYZjulEtsmhFc=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.opentelemetry.io/proto/otlp v0.9.0/go.mod h1:1vKfU9rv61e9EVGthD1zNvUbiwPcimSsOPU9brfSHJg=
 go.opentelemetry.io/proto/otlp v0.11.0/go.mod h1:QpEjXPrNQzrFDZgoTo49dgHR9RYRSrg3NAKnUGl9YpQ=
 go.opentelemetry.io/proto/otlp v0.12.0 h1:CMJ/3Wp7iOWES+CYLfnBv+DVmPbB+kmy9PJ92XvlR6c=
 go.opentelemetry.io/proto/otlp v0.12.0/go.mod h1:TsIjwGWIx5VFYv9KGVlOpxoBl5Dy+63SUguV7GGvlSQ=
@@ -1182,6 +1216,7 @@ golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1275,10 +1310,16 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220325170049-de3da57026de/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220412020605-290c469a71a5/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -1297,7 +1338,12 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
+golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
 golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y=
 golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1311,6 +1357,7 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1411,14 +1458,27 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210903071746-97244b99971b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
@@ -1522,6 +1582,9 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 google.golang.org/api v0.0.0-20160322025152-9bf6e6e569ff/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
@@ -1549,8 +1612,22 @@ google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59t
 google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4=
 google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw=
 google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU=
-google.golang.org/api v0.54.0 h1:ECJUVngj71QI6XEm7b1sAf8BljU5inEhMbKPR8Lxhhk=
 google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k=
+google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
+google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
+google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
+google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
+google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
+google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
+google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/SkfA=
+google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
+google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
+google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
+google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
+google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
+google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
+google.golang.org/api v0.93.0 h1:T2xt9gi0gHdxdnRkVQhT8mIvPaXKNsDNWz+L696M66M=
+google.golang.org/api v0.93.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1605,6 +1682,7 @@ google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20210329143202-679c6ae281ee/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210429181445-86c259c2b4ab/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
 google.golang.org/genproto v0.0.0-20210513213006-bf773b8c8384/go.mod h1:P3QM42oQyzQSnHPnZ/vqoCdDmzH28fzWByN9asMeM8A=
@@ -1618,8 +1696,35 @@ google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm
 google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
 google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
+google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
 google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
+google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20220126215142-9970aeb2e350/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20220207164111-0872dc986b00/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20220218161850-94dd64e39d7c/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
+google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
+google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
+google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
+google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
+google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
+google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 h1:7YDGQC/0sigNGzsEWyb9s72jTxlFdwVEYNJHbfQ+Dtg=
 google.golang.org/genproto v0.0.0-20220706185917-7780775163c4/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
@@ -1651,10 +1756,14 @@ google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ
 google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
+google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.43.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
+google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w=
 google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
@@ -1764,6 +1873,8 @@ k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
 k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
+k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
 k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=

vendor/cloud.google.com/go/.release-please-manifest-submodules.json

@@ -0,0 +1,107 @@
+{
+  "accessapproval": "1.3.0",
+  "accesscontextmanager": "1.2.0",
+  "aiplatform": "1.13.0",
+  "analytics": "0.7.0",
+  "apigateway": "1.2.0",
+  "apigeeconnect": "1.2.0",
+  "appengine": "1.3.0",
+  "area120": "0.3.0",
+  "artifactregistry": "1.3.0",
+  "asset": "1.2.0",
+  "assuredworkloads": "0.6.0",
+  "automl": "1.3.0",
+  "baremetalsolution": "0.1.0",
+  "batch": "0.1.0",
+  "billing": "1.2.0",
+  "binaryauthorization": "0.6.0",
+  "certificatemanager": "0.2.0",
+  "channel": "1.6.0",
+  "cloudbuild": "1.2.0",
+  "clouddms": "1.2.0",
+  "cloudtasks": "1.3.0",
+  "compute": "1.7.0",
+  "contactcenterinsights": "1.2.0",
+  "container": "1.2.0",
+  "containeranalysis": "0.3.0",
+  "datacatalog": "1.3.0",
+  "dataflow": "0.4.0",
+  "datafusion": "1.3.0",
+  "datalabeling": "0.3.0",
+  "dataplex": "0.4.0",
+  "dataproc": "1.5.0",
+  "dataqna": "0.3.0",
+  "datastream": "0.5.0",
+  "deploy": "1.2.0",
+  "dialogflow": "1.10.0",
+  "dlp": "1.4.0",
+  "documentai": "1.4.0",
+  "domains": "0.4.0",
+  "essentialcontacts": "1.2.0",
+  "eventarc": "1.6.0",
+  "filestore": "1.2.0",
+  "functions": "1.4.0",
+  "gaming": "1.2.0",
+  "gkebackup": "0.1.0",
+  "gkeconnect": "0.3.0",
+  "gkehub": "0.7.0",
+  "gkemulticloud": "0.2.0",
+  "grafeas": "0.2.0",
+  "gsuiteaddons": "1.2.0",
+  "iam": "0.3.0",
+  "iap": "1.3.0",
+  "ids": "0.3.0",
+  "iot": "1.2.0",
+  "kms": "1.4.0",
+  "language": "1.2.0",
+  "lifesciences": "0.3.0",
+  "managedidentities": "1.2.0",
+  "mediatranslation": "0.3.0",
+  "memcache": "1.2.0",
+  "metastore": "1.2.0",
+  "monitoring": "1.5.0",
+  "networkconnectivity": "1.2.0",
+  "networkmanagement": "1.2.0",
+  "networksecurity": "0.3.0",
+  "notebooks": "0.4.0",
+  "optimization": "0.1.0",
+  "orchestration": "1.2.0",
+  "orgpolicy": "1.3.0",
+  "osconfig": "1.5.0",
+  "oslogin": "1.2.0",
+  "phishingprotection": "0.3.0",
+  "policytroubleshooter": "1.2.0",
+  "privatecatalog": "0.3.0",
+  "recaptchaenterprise/v2": "2.0.1",
+  "recommendationengine": "0.2.0",
+  "recommender": "1.3.0",
+  "redis": "1.5.0",
+  "resourcemanager": "1.2.0",
+  "resourcesettings": "1.2.0",
+  "retail": "1.4.0",
+  "run": "0.1.1",
+  "scheduler": "1.2.0",
+  "secretmanager": "1.4.0",
+  "security": "1.4.0",
+  "securitycenter": "1.8.0",
+  "servicecontrol": "1.3.0",
+  "servicedirectory": "1.2.0",
+  "servicemanagement": "1.3.0",
+  "serviceusage": "1.2.0",
+  "shell": "1.2.0",
+  "speech": "1.4.0",
+  "storagetransfer": "1.3.0",
+  "talent": "0.8.0",
+  "texttospeech": "1.3.0",
+  "tpu": "1.2.0",
+  "trace": "1.2.0",
+  "translate": "1.2.0",
+  "video": "1.6.0",
+  "videointelligence": "1.2.0",
+  "vision/v2": "2.0.0",
+  "vmmigration": "0.3.0",
+  "vpcaccess": "1.2.0",
+  "webrisk": "1.2.0",
+  "websecurityscanner": "1.2.0",
+  "workflows": "1.4.0"
+}

vendor/cloud.google.com/go/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.102.1"
+}

vendor/cloud.google.com/go/CHANGES.md

@@ -1,5 +1,209 @@
 # Changes
 
+## [0.102.1](https://github.com/googleapis/google-cloud-go/compare/v0.102.0...v0.102.1) (2022-06-17)
+
+
+### Bug Fixes
+
+* **longrunning:** regapic remove path params duped as query params ([#6183](https://github.com/googleapis/google-cloud-go/issues/6183)) ([c963be3](https://github.com/googleapis/google-cloud-go/commit/c963be301f074779e6bb8c897d8064fa076e9e35))
+
+## [0.102.0](https://github.com/googleapis/google-cloud-go/compare/v0.101.1...v0.102.0) (2022-05-24)
+
+
+### Features
+
+* **civil:** add Before and After methods to civil.Time ([#5703](https://github.com/googleapis/google-cloud-go/issues/5703)) ([7acaaaf](https://github.com/googleapis/google-cloud-go/commit/7acaaafef47668c3e8382b8bc03475598c3db187))
+
+### [0.101.1](https://github.com/googleapis/google-cloud-go/compare/v0.101.0...v0.101.1) (2022-05-03)
+
+
+### Bug Fixes
+
+* **internal/gapicgen:** properly update modules that have no gapic changes ([#5945](https://github.com/googleapis/google-cloud-go/issues/5945)) ([de2befc](https://github.com/googleapis/google-cloud-go/commit/de2befcaa2a886499db9da6d4d04d28398c8d44b))
+
+## [0.101.0](https://github.com/googleapis/google-cloud-go/compare/v0.100.2...v0.101.0) (2022-04-20)
+
+
+### Features
+
+* **all:** bump grpc dep ([#5481](https://github.com/googleapis/google-cloud-go/issues/5481)) ([b12964d](https://github.com/googleapis/google-cloud-go/commit/b12964df5c63c647aaf204e73cfcdfd379d19682))
+* **internal/gapicgen:** change versionClient for gapics ([#5687](https://github.com/googleapis/google-cloud-go/issues/5687)) ([55f0d92](https://github.com/googleapis/google-cloud-go/commit/55f0d92bf112f14b024b4ab0076c9875a17423c9))
+
+
+### Bug Fixes
+
+* **internal/gapicgen:** add generation of internal/version.go for new client modules ([#5726](https://github.com/googleapis/google-cloud-go/issues/5726)) ([341e0df](https://github.com/googleapis/google-cloud-go/commit/341e0df1e44480706180cc5b07c49b3cee904095))
+* **internal/gapicgen:** don't gen version files for longrunning and debugger ([#5698](https://github.com/googleapis/google-cloud-go/issues/5698)) ([3a81108](https://github.com/googleapis/google-cloud-go/commit/3a81108c74cd8864c56b8ab5939afd864db3c64b))
+* **internal/gapicgen:** don't try to make snippets for non-gapics ([#5919](https://github.com/googleapis/google-cloud-go/issues/5919)) ([c94dddc](https://github.com/googleapis/google-cloud-go/commit/c94dddc60ef83a0584ba8f7dd24589d9db971672))
+* **internal/gapicgen:** move breaking change indicator if present ([#5452](https://github.com/googleapis/google-cloud-go/issues/5452)) ([e712df5](https://github.com/googleapis/google-cloud-go/commit/e712df5ebb45598a1653081d7e11e578bad22ff8))
+* **internal/godocfx:** prevent errors for filtered mods ([#5485](https://github.com/googleapis/google-cloud-go/issues/5485)) ([6cb9b89](https://github.com/googleapis/google-cloud-go/commit/6cb9b89b2d654c695eab00d8fb375cce0cd6e059))
+
+## [0.100.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.99.0...v0.100.0) (2022-01-04)
+
+
+### Features
+
+* **analytics/admin:** add the `AcknowledgeUserDataCollection` operation which acknowledges the terms of user data collection for the specified property feat: add the new resource type `DataStream`, which is planned to eventually replace `WebDataStream`, `IosAppDataStream`, `AndroidAppDataStream` resources fix!: remove `GetEnhancedMeasurementSettings`, `UpdateEnhancedMeasurementSettingsRequest`, `UpdateEnhancedMeasurementSettingsRequest` operations from the API feat: add `CreateDataStream`, `DeleteDataStream`, `UpdateDataStream`, `ListDataStreams` operations to support the new `DataStream` resource feat: add `DISPLAY_VIDEO_360_ADVERTISER_LINK`,  `DISPLAY_VIDEO_360_ADVERTISER_LINK_PROPOSAL` fields to `ChangeHistoryResourceType` enum feat: add the `account` field to the `Property` type docs: update the documentation with a new list of valid values for `UserLink.direct_roles` field ([5444809](https://www.github.com/googleapis/google-cloud-go/commit/5444809e0b7cf9f5416645ea2df6fec96f8b9023))
+* **assuredworkloads:** EU Regions and Support With Sovereign Controls ([5444809](https://www.github.com/googleapis/google-cloud-go/commit/5444809e0b7cf9f5416645ea2df6fec96f8b9023))
+* **dialogflow/cx:** added the display name of the current page in webhook requests ([e0833b2](https://www.github.com/googleapis/google-cloud-go/commit/e0833b2853834ba79fd20ca2ae9c613d585dd2a5))
+* **dialogflow/cx:** added the display name of the current page in webhook requests ([e0833b2](https://www.github.com/googleapis/google-cloud-go/commit/e0833b2853834ba79fd20ca2ae9c613d585dd2a5))
+* **dialogflow:** added export documentation method feat: added filter in list documentations request feat: added option to import custom metadata from Google Cloud Storage in reload document request feat: added option to apply partial update to the smart messaging allowlist in reload document request feat: added filter in list knowledge bases request ([5444809](https://www.github.com/googleapis/google-cloud-go/commit/5444809e0b7cf9f5416645ea2df6fec96f8b9023))
+* **dialogflow:** removed OPTIONAL for speech model variant docs: added more docs for speech model variant and improved docs format for participant ([5444809](https://www.github.com/googleapis/google-cloud-go/commit/5444809e0b7cf9f5416645ea2df6fec96f8b9023))
+* **recaptchaenterprise:** add new reCAPTCHA Enterprise fraud annotations ([3dd34a2](https://www.github.com/googleapis/google-cloud-go/commit/3dd34a262edbff63b9aece8faddc2ff0d98ce42a))
+
+
+### Bug Fixes
+
+* **artifactregistry:** fix resource pattern ID segment name ([5444809](https://www.github.com/googleapis/google-cloud-go/commit/5444809e0b7cf9f5416645ea2df6fec96f8b9023))
+* **compute:** add parameter in compute bazel rules ([#692](https://www.github.com/googleapis/google-cloud-go/issues/692)) ([5444809](https://www.github.com/googleapis/google-cloud-go/commit/5444809e0b7cf9f5416645ea2df6fec96f8b9023))
+* **profiler:** refine regular expression for parsing backoff duration in E2E tests ([#5229](https://www.github.com/googleapis/google-cloud-go/issues/5229)) ([4438aeb](https://www.github.com/googleapis/google-cloud-go/commit/4438aebca2ec01d4dbf22287aa651937a381e043))
+* **profiler:** remove certificate expiration workaround ([#5222](https://www.github.com/googleapis/google-cloud-go/issues/5222)) ([2da36c9](https://www.github.com/googleapis/google-cloud-go/commit/2da36c95f44d5f88fd93cd949ab78823cea74fe7))
+
+## [0.99.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.98.0...v0.99.0) (2021-12-06)
+
+
+### Features
+
+* **dialogflow/cx:** added `TelephonyTransferCall` in response message ([fe27098](https://www.github.com/googleapis/google-cloud-go/commit/fe27098e5d429911428821ded57384353e699774))
+
+## [0.98.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.97.0...v0.98.0) (2021-12-03)
+
+
+### Features
+
+* **aiplatform:** add enable_private_service_connect field to Endpoint feat: add id field to DeployedModel feat: add service_attachment field to PrivateEndpoints feat: add endpoint_id to CreateEndpointRequest and method signature to CreateEndpoint feat: add method signature to CreateFeatureStore, CreateEntityType, CreateFeature feat: add network and enable_private_service_connect to IndexEndpoint feat: add service_attachment to IndexPrivateEndpoints feat: add stratified_split field to training_pipeline InputDataConfig ([a2c0bef](https://www.github.com/googleapis/google-cloud-go/commit/a2c0bef551489c9f1d0d12b973d3bf095354841e))
+* **aiplatform:** add featurestore service to aiplatform v1 feat: add metadata service to aiplatform v1 ([30794e7](https://www.github.com/googleapis/google-cloud-go/commit/30794e70050b55ff87d6a80d0b4075065e9d271d))
+* **aiplatform:** Adds support for `google.protobuf.Value` pipeline parameters in the `parameter_values` field ([88a1cdb](https://www.github.com/googleapis/google-cloud-go/commit/88a1cdbef3cc337354a61bc9276725bfb9a686d8))
+* **aiplatform:** Tensorboard v1 protos release feat:Exposing a field for v1 CustomJob-Tensorboard integration. ([90e2868](https://www.github.com/googleapis/google-cloud-go/commit/90e2868a3d220aa7f897438f4917013fda7a7c59))
+* **binaryauthorization:** add new admission rule types to Policy feat: update SignatureAlgorithm enum to match algorithm names in KMS feat: add SystemPolicyV1Beta1 service ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **channel:** add resource type to ChannelPartnerLink ([c206948](https://www.github.com/googleapis/google-cloud-go/commit/c2069487f6af5bcb37d519afeb60e312e35e67d5))
+* **cloudtasks:** add C++ rules for Cloud Tasks ([90e2868](https://www.github.com/googleapis/google-cloud-go/commit/90e2868a3d220aa7f897438f4917013fda7a7c59))
+* **compute:** Move compute.v1 from googleapis-discovery to googleapis ([#675](https://www.github.com/googleapis/google-cloud-go/issues/675)) ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **compute:** Switch to string enums for compute ([#685](https://www.github.com/googleapis/google-cloud-go/issues/685)) ([c8271d4](https://www.github.com/googleapis/google-cloud-go/commit/c8271d4b217a6e6924d9f87eac9468c4b5767ba7))
+* **contactcenterinsights:** Add ability to update phrase matchers feat: Add issue model stats to time series feat: Add display name to issue model stats ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **contactcenterinsights:** Add WriteDisposition to BigQuery Export API ([a2c0bef](https://www.github.com/googleapis/google-cloud-go/commit/a2c0bef551489c9f1d0d12b973d3bf095354841e))
+* **contactcenterinsights:** deprecate issue_matches docs: if conversation medium is unspecified, it will default to PHONE_CALL ([1a0720f](https://www.github.com/googleapis/google-cloud-go/commit/1a0720f2f33bb14617f5c6a524946a93209e1266))
+* **contactcenterinsights:** new feature flag disable_issue_modeling docs: fixed formatting issues in the reference documentation ([c8271d4](https://www.github.com/googleapis/google-cloud-go/commit/c8271d4b217a6e6924d9f87eac9468c4b5767ba7))
+* **contactcenterinsights:** remove feature flag disable_issue_modeling ([c8271d4](https://www.github.com/googleapis/google-cloud-go/commit/c8271d4b217a6e6924d9f87eac9468c4b5767ba7))
+* **datacatalog:** Added BigQueryDateShardedSpec.latest_shard_resource field feat: Added SearchCatalogResult.display_name field feat: Added SearchCatalogResult.description field ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **dataproc:** add Dataproc Serverless for Spark Batches API ([30794e7](https://www.github.com/googleapis/google-cloud-go/commit/30794e70050b55ff87d6a80d0b4075065e9d271d))
+* **dataproc:** Add support for dataproc BatchController service ([8519b94](https://www.github.com/googleapis/google-cloud-go/commit/8519b948fee5dc82d39300c4d96e92c85fe78fe6))
+* **dialogflow/cx:** added API for changelogs docs: clarified semantic of the streaming APIs ([587bba5](https://www.github.com/googleapis/google-cloud-go/commit/587bba5ad792a92f252107aa38c6af50fb09fb58))
+* **dialogflow/cx:** added API for changelogs docs: clarified semantic of the streaming APIs ([587bba5](https://www.github.com/googleapis/google-cloud-go/commit/587bba5ad792a92f252107aa38c6af50fb09fb58))
+* **dialogflow/cx:** added support for comparing between versions docs: clarified security settings API reference ([83b941c](https://www.github.com/googleapis/google-cloud-go/commit/83b941c0983e44fdd18ceee8c6f3e91219d72ad1))
+* **dialogflow/cx:** added support for Deployments with ListDeployments and GetDeployment apis feat: added support for DeployFlow api under Environments feat: added support for TestCasesConfig under Environment docs: added long running operation explanation for several apis fix!: marked resource name of security setting as not-required ([8c5c6cf](https://www.github.com/googleapis/google-cloud-go/commit/8c5c6cf9df046b67998a8608d05595bd9e34feb0))
+* **dialogflow/cx:** allow setting custom CA for generic webhooks and release CompareVersions API docs: clarify DLP template reader usage ([90e2868](https://www.github.com/googleapis/google-cloud-go/commit/90e2868a3d220aa7f897438f4917013fda7a7c59))
+* **dialogflow:** added support to configure security settings, language code and time zone on conversation profile ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **dialogflow:** support document metadata filter in article suggestion and smart reply model in human agent assistant ([e33350c](https://www.github.com/googleapis/google-cloud-go/commit/e33350cfcabcddcda1a90069383d39c68deb977a))
+* **dlp:** added deidentify replacement dictionaries feat: added field for BigQuery inspect template inclusion lists feat: added field to support infotype versioning ([a2c0bef](https://www.github.com/googleapis/google-cloud-go/commit/a2c0bef551489c9f1d0d12b973d3bf095354841e))
+* **domains:** added library for Cloud Domains v1 API. Also added methods for the transfer-in flow docs: improved API comments ([8519b94](https://www.github.com/googleapis/google-cloud-go/commit/8519b948fee5dc82d39300c4d96e92c85fe78fe6))
+* **functions:** Secret Manager integration fields 'secret_environment_variables' and 'secret_volumes' added feat: CMEK integration fields 'kms_key_name' and 'docker_repository' added ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **kms:** add OAEP+SHA1 to the list of supported algorithms ([8c5c6cf](https://www.github.com/googleapis/google-cloud-go/commit/8c5c6cf9df046b67998a8608d05595bd9e34feb0))
+* **kms:** add RPC retry information for MacSign, MacVerify, and GenerateRandomBytes Committer: [@bdhess](https://www.github.com/bdhess) ([1a0720f](https://www.github.com/googleapis/google-cloud-go/commit/1a0720f2f33bb14617f5c6a524946a93209e1266))
+* **kms:** add support for Raw PKCS[#1](https://www.github.com/googleapis/google-cloud-go/issues/1) signing keys ([58bea89](https://www.github.com/googleapis/google-cloud-go/commit/58bea89a3d177d5c431ff19310794e3296253353))
+* **monitoring/apiv3:** add CreateServiceTimeSeries RPC ([9e41088](https://www.github.com/googleapis/google-cloud-go/commit/9e41088bb395fbae0e757738277d5c95fa2749c8))
+* **monitoring/dashboard:** Added support for auto-close configurations ([90e2868](https://www.github.com/googleapis/google-cloud-go/commit/90e2868a3d220aa7f897438f4917013fda7a7c59))
+* **monitoring/metricsscope:** promote apiv1 to GA ([#5135](https://www.github.com/googleapis/google-cloud-go/issues/5135)) ([33c0f63](https://www.github.com/googleapis/google-cloud-go/commit/33c0f63e0e0ce69d9ef6e57b04d1b8cc10ed2b78))
+* **osconfig:** OSConfig: add OS policy assignment rpcs ([83b941c](https://www.github.com/googleapis/google-cloud-go/commit/83b941c0983e44fdd18ceee8c6f3e91219d72ad1))
+* **osconfig:** Update OSConfig API ([e33350c](https://www.github.com/googleapis/google-cloud-go/commit/e33350cfcabcddcda1a90069383d39c68deb977a))
+* **osconfig:** Update osconfig v1 and v1alpha RecurringSchedule.Frequency with DAILY frequency ([59e548a](https://www.github.com/googleapis/google-cloud-go/commit/59e548acc249c7bddd9c884c2af35d582a408c4d))
+* **recaptchaenterprise:** add reCAPTCHA Enterprise account defender API methods ([88a1cdb](https://www.github.com/googleapis/google-cloud-go/commit/88a1cdbef3cc337354a61bc9276725bfb9a686d8))
+* **redis:** [Cloud Memorystore for Redis] Support Multiple Read Replicas when creating Instance ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **redis:** [Cloud Memorystore for Redis] Support Multiple Read Replicas when creating Instance ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **security/privateca:** add IAMPolicy & Locations mix-in support ([1a0720f](https://www.github.com/googleapis/google-cloud-go/commit/1a0720f2f33bb14617f5c6a524946a93209e1266))
+* **securitycenter:** Added a new API method UpdateExternalSystem, which enables updating a finding w/ external system metadata. External systems are a child resource under finding, and are housed on the finding itself, and can also be filtered on in Notifications, the ListFindings and GroupFindings API ([c8271d4](https://www.github.com/googleapis/google-cloud-go/commit/c8271d4b217a6e6924d9f87eac9468c4b5767ba7))
+* **securitycenter:** Added mute related APIs, proto messages and fields ([3e7185c](https://www.github.com/googleapis/google-cloud-go/commit/3e7185c241d97ee342f132ae04bc93bb79a8e897))
+* **securitycenter:** Added resource type and display_name field to the FindingResult, and supported them in the filter for ListFindings and GroupFindings. Also added display_name to the resource which is surfaced in NotificationMessage ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+* **securitycenter:** Added vulnerability field to the finding feat: Added type field to the resource which is surfaced in NotificationMessage ([090cc3a](https://www.github.com/googleapis/google-cloud-go/commit/090cc3ae0f8747a14cc904fc6d429e2f5379bb03))
+* **servicecontrol:** add C++ rules for many Cloud services ([c8271d4](https://www.github.com/googleapis/google-cloud-go/commit/c8271d4b217a6e6924d9f87eac9468c4b5767ba7))
+* **speech:** add result_end_time to SpeechRecognitionResult ([a2c0bef](https://www.github.com/googleapis/google-cloud-go/commit/a2c0bef551489c9f1d0d12b973d3bf095354841e))
+* **speech:** added alternative_language_codes to RecognitionConfig feat: WEBM_OPUS codec feat: SpeechAdaptation configuration feat: word confidence feat: spoken punctuation and spoken emojis feat: hint boost in SpeechContext ([a2c0bef](https://www.github.com/googleapis/google-cloud-go/commit/a2c0bef551489c9f1d0d12b973d3bf095354841e))
+* **texttospeech:** update v1 proto ([90e2868](https://www.github.com/googleapis/google-cloud-go/commit/90e2868a3d220aa7f897438f4917013fda7a7c59))
+* **workflows/executions:** add a stack_trace field to the Error messages specifying where the error occured feat: add call_log_level field to Execution messages doc: clarify requirement to escape strings within JSON arguments ([1f5aa78](https://www.github.com/googleapis/google-cloud-go/commit/1f5aa78a4d6633871651c89a6d9c48e3409fecc5))
+
+
+### Bug Fixes
+
+* **accesscontextmanager:** nodejs package name access-context-manager ([30794e7](https://www.github.com/googleapis/google-cloud-go/commit/30794e70050b55ff87d6a80d0b4075065e9d271d))
+* **aiplatform:** Remove invalid resource annotations ([587bba5](https://www.github.com/googleapis/google-cloud-go/commit/587bba5ad792a92f252107aa38c6af50fb09fb58))
+* **compute/metadata:** return an error when all retries have failed ([#5063](https://www.github.com/googleapis/google-cloud-go/issues/5063)) ([c792a0d](https://www.github.com/googleapis/google-cloud-go/commit/c792a0d13db019c9964efeee5c6bc85b07ca50fa)), refs [#5062](https://www.github.com/googleapis/google-cloud-go/issues/5062)
+* **compute:** make parent_id fields required compute move and insert methods ([#686](https://www.github.com/googleapis/google-cloud-go/issues/686)) ([c8271d4](https://www.github.com/googleapis/google-cloud-go/commit/c8271d4b217a6e6924d9f87eac9468c4b5767ba7))
+* **compute:** Move compute_small protos under its own directory ([#681](https://www.github.com/googleapis/google-cloud-go/issues/681)) ([3e7185c](https://www.github.com/googleapis/google-cloud-go/commit/3e7185c241d97ee342f132ae04bc93bb79a8e897))
+* **internal/gapicgen:** fix a compute filtering ([#5111](https://www.github.com/googleapis/google-cloud-go/issues/5111)) ([77aa19d](https://www.github.com/googleapis/google-cloud-go/commit/77aa19de7fc33a9e831e6b91bd324d6832b44d99))
+* **internal/godocfx:** only put TOC status on mod if all pkgs have same status ([#4974](https://www.github.com/googleapis/google-cloud-go/issues/4974)) ([309b59e](https://www.github.com/googleapis/google-cloud-go/commit/309b59e583d1bf0dd9ffe84223034eb8a2975d47))
+* **internal/godocfx:** replace * with HTML code ([#5049](https://www.github.com/googleapis/google-cloud-go/issues/5049)) ([a8f7c06](https://www.github.com/googleapis/google-cloud-go/commit/a8f7c066e8d97120ae4e12963e3c9acc8b8906c2))
+* **monitoring/apiv3:** Reintroduce deprecated field/enum for backward compatibility docs: Use absolute link targets in comments ([45fd259](https://www.github.com/googleapis/google-cloud-go/commit/45fd2594d99ef70c776df26866f0a3b537e7e69e))
+* **profiler:** workaround certificate expiration issue in integration tests ([#4955](https://www.github.com/googleapis/google-cloud-go/issues/4955)) ([de9e465](https://www.github.com/googleapis/google-cloud-go/commit/de9e465bea8cd0580c45e87d2cbc2b610615b363))
+* **security/privateca:** include mixin protos as input for mixin rpcs ([479c2f9](https://www.github.com/googleapis/google-cloud-go/commit/479c2f90d556a106b25ebcdb1539d231488182da))
+* **security/privateca:** repair service config to enable mixins ([83b941c](https://www.github.com/googleapis/google-cloud-go/commit/83b941c0983e44fdd18ceee8c6f3e91219d72ad1))
+* **video/transcoder:** update nodejs package name to video-transcoder ([30794e7](https://www.github.com/googleapis/google-cloud-go/commit/30794e70050b55ff87d6a80d0b4075065e9d271d))
+
+## [0.97.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.96.0...v0.97.0) (2021-09-29)
+
+
+### Features
+
+* **internal** add Retry func to testutil from samples repository [#4902](https://github.com/googleapis/google-cloud-go/pull/4902)
+
+## [0.96.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.95.0...v0.96.0) (2021-09-28)
+
+
+### Features
+
+* **civil:** add IsEmpty function to time, date and datetime ([#4728](https://www.github.com/googleapis/google-cloud-go/issues/4728)) ([88bfa64](https://www.github.com/googleapis/google-cloud-go/commit/88bfa64d6df2f3bb7d41e0b8f56717dd3de790e2)), refs [#4727](https://www.github.com/googleapis/google-cloud-go/issues/4727)
+* **internal/godocfx:** detect preview versions ([#4899](https://www.github.com/googleapis/google-cloud-go/issues/4899)) ([9b60844](https://www.github.com/googleapis/google-cloud-go/commit/9b608445ce9ebabbc87a50e85ce6ef89125031d2))
+* **internal:** provide wrapping for retried errors ([#4797](https://www.github.com/googleapis/google-cloud-go/issues/4797)) ([ce5f4db](https://www.github.com/googleapis/google-cloud-go/commit/ce5f4dbab884e847a2d9f1f8f3fcfd7df19a505a))
+
+
+### Bug Fixes
+
+* **internal/gapicgen:** restore fmting proto files ([#4789](https://www.github.com/googleapis/google-cloud-go/issues/4789)) ([5606b54](https://www.github.com/googleapis/google-cloud-go/commit/5606b54b97bb675487c6c138a4081c827218f933))
+* **internal/trace:** use xerrors.As for trace ([#4813](https://www.github.com/googleapis/google-cloud-go/issues/4813)) ([05fe61c](https://www.github.com/googleapis/google-cloud-go/commit/05fe61c5aa4860bdebbbe3e91a9afaba16aa6184))
+
+## [0.95.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.94.1...v0.95.0) (2021-09-21)
+
+### Bug Fixes
+
+* **internal/gapicgen:** add a temporary import ([#4756](https://www.github.com/googleapis/google-cloud-go/issues/4756)) ([4d9c046](https://www.github.com/googleapis/google-cloud-go/commit/4d9c046b66a2dc205e2c14b676995771301440da))
+* **compute/metadata:** remove heavy gax dependency ([#4784](https://www.github.com/googleapis/google-cloud-go/issues/4784)) ([ea00264](https://www.github.com/googleapis/google-cloud-go/commit/ea00264428137471805f2ec67f04f3a5a42928fa))
+
+### [0.94.1](https://www.github.com/googleapis/google-cloud-go/compare/v0.94.0...v0.94.1) (2021-09-02)
+
+
+### Bug Fixes
+
+* **compute/metadata:** fix retry logic to not panic on error ([#4714](https://www.github.com/googleapis/google-cloud-go/issues/4714)) ([75c63b9](https://www.github.com/googleapis/google-cloud-go/commit/75c63b94d2cf86606fffc3611f7e6150b667eedc)), refs [#4713](https://www.github.com/googleapis/google-cloud-go/issues/4713)
+
+## [0.94.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.92.0...v0.94.0) (2021-08-31)
+
+
+### Features
+
+* **aiplatform:** add XAI, model monitoring, and index services to aiplatform v1 ([e385b40](https://www.github.com/googleapis/google-cloud-go/commit/e385b40a1e2ecf81f5fd0910de5c37275951f86b))
+* **analytics/admin:** add `GetDataRetentionSettings`, `UpdateDataRetentionSettings` methods to the API ([8467899](https://www.github.com/googleapis/google-cloud-go/commit/8467899ab6ebf0328c543bfb5fbcddeb2f53a082))
+* **asset:** Release of relationships in v1, Add content type Relationship to support relationship export Committer: lvv@ ([d4c3340](https://www.github.com/googleapis/google-cloud-go/commit/d4c3340bfc8b6793d6d2c8a3ed8ccdb472e1efd3))
+* **assuredworkloads:** Add Canada Regions And Support compliance regime ([b9226eb](https://www.github.com/googleapis/google-cloud-go/commit/b9226eb0b34473cb6f920c2526ad0d6dacb03f3c))
+* **cloudbuild/apiv1:** Add ability to configure BuildTriggers to create Builds that require approval before executing and ApproveBuild API to approve or reject pending Builds ([d4c3340](https://www.github.com/googleapis/google-cloud-go/commit/d4c3340bfc8b6793d6d2c8a3ed8ccdb472e1efd3))
+* **cloudbuild/apiv1:** add script field to BuildStep message ([b9226eb](https://www.github.com/googleapis/google-cloud-go/commit/b9226eb0b34473cb6f920c2526ad0d6dacb03f3c))
+* **cloudbuild/apiv1:** Update cloudbuild proto with the service_account for BYOSA Triggers. ([b9226eb](https://www.github.com/googleapis/google-cloud-go/commit/b9226eb0b34473cb6f920c2526ad0d6dacb03f3c))
+* **compute/metadata:** retry error when talking to metadata service ([#4648](https://www.github.com/googleapis/google-cloud-go/issues/4648)) ([81c6039](https://www.github.com/googleapis/google-cloud-go/commit/81c6039503121f8da3de4f4cd957b8488a3ef620)), refs [#4642](https://www.github.com/googleapis/google-cloud-go/issues/4642)
+* **dataproc:** remove apiv1beta2 client ([#4682](https://www.github.com/googleapis/google-cloud-go/issues/4682)) ([2248554](https://www.github.com/googleapis/google-cloud-go/commit/22485541affb1251604df292670a20e794111d3e))
+* **gaming:** support version reporting API ([cd65cec](https://www.github.com/googleapis/google-cloud-go/commit/cd65cecf15c4a01648da7f8f4f4d497772961510))
+* **gkehub:** Add request_id under `DeleteMembershipRequest` and `UpdateMembershipRequest` ([b9226eb](https://www.github.com/googleapis/google-cloud-go/commit/b9226eb0b34473cb6f920c2526ad0d6dacb03f3c))
+* **internal/carver:** support carving batches ([#4623](https://www.github.com/googleapis/google-cloud-go/issues/4623)) ([2972d19](https://www.github.com/googleapis/google-cloud-go/commit/2972d194da19bedf16d76fda471c06a965cfdcd6))
+* **kms:** add support for Key Reimport ([bf4378b](https://www.github.com/googleapis/google-cloud-go/commit/bf4378b5b859f7b835946891dbfebfee31c4b123))
+* **metastore:** Added the Backup resource and Backup resource GetIamPolicy/SetIamPolicy to V1 feat: Added the RestoreService method to V1 ([d4c3340](https://www.github.com/googleapis/google-cloud-go/commit/d4c3340bfc8b6793d6d2c8a3ed8ccdb472e1efd3))
+* **monitoring/dashboard:** Added support for logs-based alerts: https://cloud.google.com/logging/docs/alerting/log-based-alerts feat: Added support for user-defined labels on cloud monitoring's Service and ServiceLevelObjective objects fix!: mark required fields in QueryTimeSeriesRequest as required ([b9226eb](https://www.github.com/googleapis/google-cloud-go/commit/b9226eb0b34473cb6f920c2526ad0d6dacb03f3c))
+* **osconfig:** Update osconfig v1 and v1alpha with WindowsApplication ([bf4378b](https://www.github.com/googleapis/google-cloud-go/commit/bf4378b5b859f7b835946891dbfebfee31c4b123))
+* **speech:** Add transcript normalization ([b31646d](https://www.github.com/googleapis/google-cloud-go/commit/b31646d1e12037731df4b5c0ba9f60b6434d7b9b))
+* **talent:** Add new commute methods in Search APIs feat: Add new histogram type 'publish_time_in_day' feat: Support filtering by requisitionId is ListJobs API ([d4c3340](https://www.github.com/googleapis/google-cloud-go/commit/d4c3340bfc8b6793d6d2c8a3ed8ccdb472e1efd3))
+* **translate:** added v3 proto for online/batch document translation and updated v3beta1 proto for format conversion ([bf4378b](https://www.github.com/googleapis/google-cloud-go/commit/bf4378b5b859f7b835946891dbfebfee31c4b123))
+
+
+### Bug Fixes
+
+* **datastream:** Change a few resource pattern variables from camelCase to snake_case ([bf4378b](https://www.github.com/googleapis/google-cloud-go/commit/bf4378b5b859f7b835946891dbfebfee31c4b123))
+
 ## [0.92.0](https://www.github.com/googleapis/google-cloud-go/compare/v0.91.0...v0.92.0) (2021-08-16)
 
 

vendor/cloud.google.com/go/CONTRIBUTING.md

@@ -2,7 +2,7 @@
 
 1. [File an issue](https://github.com/googleapis/google-cloud-go/issues/new/choose).
    The issue will be used to discuss the bug or feature and should be created
-   before sending a CL.
+   before sending a PR.
 
 1. [Install Go](https://golang.org/dl/).
     1. Ensure that your `GOBIN` directory (by default `$(go env GOPATH)/bin`)

vendor/cloud.google.com/go/README.md

@@ -27,67 +27,18 @@ make backwards-incompatible changes.
 
 ## Supported APIs
 
-| Google API                                      | Status | Package                                                                                                                       |
-| ----------------------------------------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------- |
-| [Asset][cloud-asset]                            | stable | [`cloud.google.com/go/asset/apiv1`](https://pkg.go.dev/cloud.google.com/go/asset/v1beta)                                      |
-| [Automl][cloud-automl]                          | stable | [`cloud.google.com/go/automl/apiv1`](https://pkg.go.dev/cloud.google.com/go/automl/apiv1)                                     |
-| [BigQuery][cloud-bigquery]                      | stable | [`cloud.google.com/go/bigquery`](https://pkg.go.dev/cloud.google.com/go/bigquery)                                             |
-| [Bigtable][cloud-bigtable]                      | stable | [`cloud.google.com/go/bigtable`](https://pkg.go.dev/cloud.google.com/go/bigtable)                                             |
-| [Cloudbuild][cloud-build]                       | stable | [`cloud.google.com/go/cloudbuild/apiv1`](https://pkg.go.dev/cloud.google.com/go/cloudbuild/apiv1)                             |
-| [Cloudtasks][cloud-tasks]                       | stable | [`cloud.google.com/go/cloudtasks/apiv2`](https://pkg.go.dev/cloud.google.com/go/cloudtasks/apiv2)                             |
-| [Compute Engine][cloud-compute]                 | alpha  | [`cloud.google.com/go/compute/apiv1`](https://pkg.go.dev/cloud.google.com/go/compute/apiv1)                                   |
-| [Container][cloud-container]                    | stable | [`cloud.google.com/go/container/apiv1`](https://pkg.go.dev/cloud.google.com/go/container/apiv1)                               |
-| [ContainerAnalysis][cloud-containeranalysis]    | beta   | [`cloud.google.com/go/containeranalysis/apiv1`](https://pkg.go.dev/cloud.google.com/go/containeranalysis/apiv1)               |
-| [Dataproc][cloud-dataproc]                      | stable | [`cloud.google.com/go/dataproc/apiv1`](https://pkg.go.dev/cloud.google.com/go/dataproc/apiv1)                                 |
-| [Datastore][cloud-datastore]                    | stable | [`cloud.google.com/go/datastore`](https://pkg.go.dev/cloud.google.com/go/datastore)                                           |
-| [Debugger][cloud-debugger]                      | stable | [`cloud.google.com/go/debugger/apiv2`](https://pkg.go.dev/cloud.google.com/go/debugger/apiv2)                                 |
-| [Dialogflow][cloud-dialogflow]                  | stable | [`cloud.google.com/go/dialogflow/apiv2`](https://pkg.go.dev/cloud.google.com/go/dialogflow/apiv2)                             |
-| [Data Loss Prevention][cloud-dlp]               | stable | [`cloud.google.com/go/dlp/apiv2`](https://pkg.go.dev/cloud.google.com/go/dlp/apiv2)                                           |
-| [ErrorReporting][cloud-errors]                  | alpha  | [`cloud.google.com/go/errorreporting`](https://pkg.go.dev/cloud.google.com/go/errorreporting)                                 |
-| [Firestore][cloud-firestore]                    | stable | [`cloud.google.com/go/firestore`](https://pkg.go.dev/cloud.google.com/go/firestore)                                           |
-| [IAM][cloud-iam]                                | stable | [`cloud.google.com/go/iam`](https://pkg.go.dev/cloud.google.com/go/iam)                                                       |
-| [IoT][cloud-iot]                                | stable | [`cloud.google.com/go/iot/apiv1`](https://pkg.go.dev/cloud.google.com/go/iot/apiv1)                                           |
-| [IRM][cloud-irm]                                | alpha  | [`cloud.google.com/go/irm/apiv1alpha2`](https://pkg.go.dev/cloud.google.com/go/irm/apiv1alpha2)                               |
-| [KMS][cloud-kms]                                | stable | [`cloud.google.com/go/kms/apiv1`](https://pkg.go.dev/cloud.google.com/go/kms/apiv1)                                           |
-| [Natural Language][cloud-natural-language]      | stable | [`cloud.google.com/go/language/apiv1`](https://pkg.go.dev/cloud.google.com/go/language/apiv1)                                 |
-| [Logging][cloud-logging]                        | stable | [`cloud.google.com/go/logging`](https://pkg.go.dev/cloud.google.com/go/logging)                                               |
-| [Memorystore][cloud-memorystore]                | alpha  | [`cloud.google.com/go/redis/apiv1`](https://pkg.go.dev/cloud.google.com/go/redis/apiv1)                                       |
-| [Monitoring][cloud-monitoring]                  | stable | [`cloud.google.com/go/monitoring/apiv3`](https://pkg.go.dev/cloud.google.com/go/monitoring/apiv3)                             |
-| [OS Login][cloud-oslogin]                       | stable | [`cloud.google.com/go/oslogin/apiv1`](https://pkg.go.dev/cloud.google.com/go/oslogin/apiv1)                                   |
-| [Pub/Sub][cloud-pubsub]                         | stable | [`cloud.google.com/go/pubsub`](https://pkg.go.dev/cloud.google.com/go/pubsub)                                                 |
-| [Pub/Sub Lite][cloud-pubsublite]                | stable | [`cloud.google.com/go/pubsublite`](https://pkg.go.dev/cloud.google.com/go/pubsublite)                                         |
-| [Phishing Protection][cloud-phishingprotection] | alpha  | [`cloud.google.com/go/phishingprotection/apiv1beta1`](https://pkg.go.dev/cloud.google.com/go/phishingprotection/apiv1beta1)   |
-| [reCAPTCHA Enterprise][cloud-recaptcha]         | alpha  | [`cloud.google.com/go/recaptchaenterprise/apiv1beta1`](https://pkg.go.dev/cloud.google.com/go/recaptchaenterprise/apiv1beta1) |
-| [Recommender][cloud-recommender]                | beta   | [`cloud.google.com/go/recommender/apiv1beta1`](https://pkg.go.dev/cloud.google.com/go/recommender/apiv1beta1)                 |
-| [Scheduler][cloud-scheduler]                    | stable | [`cloud.google.com/go/scheduler/apiv1`](https://pkg.go.dev/cloud.google.com/go/scheduler/apiv1)                               |
-| [Securitycenter][cloud-securitycenter]          | stable | [`cloud.google.com/go/securitycenter/apiv1`](https://pkg.go.dev/cloud.google.com/go/securitycenter/apiv1)                     |
-| [Spanner][cloud-spanner]                        | stable | [`cloud.google.com/go/spanner`](https://pkg.go.dev/cloud.google.com/go/spanner)                                               |
-| [Speech][cloud-speech]                          | stable | [`cloud.google.com/go/speech/apiv1`](https://pkg.go.dev/cloud.google.com/go/speech/apiv1)                                     |
-| [Storage][cloud-storage]                        | stable | [`cloud.google.com/go/storage`](https://pkg.go.dev/cloud.google.com/go/storage)                                               |
-| [Talent][cloud-talent]                          | alpha  | [`cloud.google.com/go/talent/apiv4beta1`](https://pkg.go.dev/cloud.google.com/go/talent/apiv4beta1)                           |
-| [Text To Speech][cloud-texttospeech]            | stable | [`cloud.google.com/go/texttospeech/apiv1`](https://pkg.go.dev/cloud.google.com/go/texttospeech/apiv1)                         |
-| [Trace][cloud-trace]                            | stable | [`cloud.google.com/go/trace/apiv2`](https://pkg.go.dev/cloud.google.com/go/trace/apiv2)                                       |
-| [Translate][cloud-translate]                    | stable | [`cloud.google.com/go/translate`](https://pkg.go.dev/cloud.google.com/go/translate)                                           |
-| [Video Intelligence][cloud-video]               | beta   | [`cloud.google.com/go/videointelligence/apiv1beta2`](https://pkg.go.dev/cloud.google.com/go/videointelligence/apiv1beta2)     |
-| [Vision][cloud-vision]                          | stable | [`cloud.google.com/go/vision/apiv1`](https://pkg.go.dev/cloud.google.com/go/vision/apiv1)                                     |
-| [Webrisk][cloud-webrisk]                        | alpha  | [`cloud.google.com/go/webrisk/apiv1beta1`](https://pkg.go.dev/cloud.google.com/go/webrisk/apiv1beta1)                         |
-
-> **Alpha status**: the API is still being actively developed. As a
-> result, it might change in backward-incompatible ways and is not recommended
-> for production use.
->
-> **Beta status**: the API is largely complete, but still has outstanding
-> features and bugs to be addressed. There may be minor backwards-incompatible
-> changes where necessary.
->
-> **Stable status**: the API is mature and ready for production use. We will
-> continue addressing bugs and feature requests.
-
-Documentation and examples are available at [pkg.go.dev/cloud.google.com/go](https://pkg.go.dev/cloud.google.com/go)
+For an updated list of all of our released APIs please see our
+[reference docs](https://cloud.google.com/go/docs/reference).
 
 ## [Go Versions Supported](#supported-versions)
 
-We currently support Go versions 1.11 and newer.
+Our libraries are compatible with at least the three most recent, major Go
+releases. They are currently compatible with:
+
+- Go 1.18
+- Go 1.17
+- Go 1.16
+- Go 1.15
 
 ## Authorization
 
@@ -125,12 +76,12 @@ client, err := storage.NewClient(ctx, option.WithTokenSource(tokenSource))
 ## Contributing
 
 Contributions are welcome. Please, see the
-[CONTRIBUTING](https://github.com/GoogleCloudPlatform/google-cloud-go/blob/master/CONTRIBUTING.md)
+[CONTRIBUTING](https://github.com/GoogleCloudPlatform/google-cloud-go/blob/main/CONTRIBUTING.md)
 document for details.
 
 Please note that this project is released with a Contributor Code of Conduct.
 By participating in this project you agree to abide by its terms.
-See [Contributor Code of Conduct](https://github.com/GoogleCloudPlatform/google-cloud-go/blob/master/CONTRIBUTING.md#contributor-code-of-conduct)
+See [Contributor Code of Conduct](https://github.com/GoogleCloudPlatform/google-cloud-go/blob/main/CONTRIBUTING.md#contributor-code-of-conduct)
 for more information.
 
 [cloud-asset]: https://cloud.google.com/security-command-center/docs/how-to-asset-inventory

vendor/cloud.google.com/go/RELEASING.md

@@ -79,14 +79,14 @@ here is how to manually cut a release of `cloud.google.com/go`.
    [continuous Kokoro build](http://go/google-cloud-go-continuous). If there are
    any failures in the most recent build, address them before proceeding with
    the release.
-1. Navigate to `google-cloud-go/` and switch to master.
+1. Navigate to `google-cloud-go/` and switch to main.
 1. `git pull`
 1. Run `git tag -l | grep -v beta | grep -v alpha` to see all existing releases.
    The current latest tag `$CV` is the largest tag. It should look something
    like `vX.Y.Z` (note: ignore all `LIB/vX.Y.Z` tags - these are tags for a
    specific library, not the module root). We'll call the current version `$CV`
    and the new version `$NV`.
-1. On master, run `git log $CV...` to list all the changes since the last
+1. On main, run `git log $CV...` to list all the changes since the last
    release. NOTE: You must manually visually parse out changes to submodules [1]
    (the `git log` is going to show you things in submodules, which are not going
    to be part of your release).
@@ -98,7 +98,7 @@ here is how to manually cut a release of `cloud.google.com/go`.
    and create a PR titled `chore: release $NV`.
 1. Wait for the PR to be reviewed and merged. Once it's merged, and without
    merging any other PRs in the meantime:
-   a. Switch to master.
+   a. Switch to main.
    b. `git pull`
    c. Tag the repo with the next version: `git tag $NV`.
    d. Push the tag to origin:
@@ -118,13 +118,13 @@ here is how to manually cut a release of a submodule.
    any failures in the most recent build, address them before proceeding with
    the release. (This applies even if the failures are in a different submodule
    from the one being released.)
-1. Navigate to `google-cloud-go/` and switch to master.
+1. Navigate to `google-cloud-go/` and switch to main.
 1. `git pull`
 1. Run `git tag -l | grep datastore | grep -v beta | grep -v alpha` to see all
    existing releases. The current latest tag `$CV` is the largest tag. It
    should look something like `datastore/vX.Y.Z`. We'll call the current version
    `$CV` and the new version `$NV`.
-1. On master, run `git log $CV.. -- datastore/` to list all the changes to the
+1. On main, run `git log $CV.. -- datastore/` to list all the changes to the
    submodule directory since the last release.
 1. Edit `datastore/CHANGES.md` to include a summary of the changes.
 1. In `internal/version` run `go generate`.
@@ -132,7 +132,7 @@ here is how to manually cut a release of a submodule.
    and create a PR titled `chore(datastore): release $NV`.
 1. Wait for the PR to be reviewed and merged. Once it's merged, and without
    merging any other PRs in the meantime:
-   a. Switch to master.
+   a. Switch to main.
    b. `git pull`
    c. Tag the repo with the next version: `git tag $NV`.
    d. Push the tag to origin:

vendor/cloud.google.com/go/compute/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/cloud.google.com/go/compute/metadata/metadata.go

@@ -16,7 +16,7 @@
 // metadata and API service accounts.
 //
 // This package is a wrapper around the GCE metadata service,
-// as documented at https://developers.google.com/compute/docs/metadata.
+// as documented at https://cloud.google.com/compute/docs/metadata/overview.
 package metadata // import "cloud.google.com/go/compute/metadata"
 
 import (
@@ -61,14 +61,18 @@ var (
 	instID  = &cachedValue{k: "instance/id", trim: true}
 )
 
-var defaultClient = &Client{hc: &http.Client{
+var defaultClient = &Client{hc: newDefaultHTTPClient()}
+
+func newDefaultHTTPClient() *http.Client {
+	return &http.Client{
 		Transport: &http.Transport{
 			Dial: (&net.Dialer{
 				Timeout:   2 * time.Second,
 				KeepAlive: 30 * time.Second,
 			}).Dial,
 		},
-}}
+	}
+}
 
 // NotDefinedError is returned when requested metadata is not defined.
 //
@@ -130,7 +134,7 @@ func testOnGCE() bool {
 	go func() {
 		req, _ := http.NewRequest("GET", "http://"+metadataIP, nil)
 		req.Header.Set("User-Agent", userAgent)
-		res, err := defaultClient.hc.Do(req.WithContext(ctx))
+		res, err := newDefaultHTTPClient().Do(req.WithContext(ctx))
 		if err != nil {
 			resc <- false
 			return
@@ -140,7 +144,8 @@ func testOnGCE() bool {
 	}()
 
 	go func() {
-		addrs, err := net.DefaultResolver.LookupHost(ctx, "metadata.google.internal")
+		resolver := &net.Resolver{}
+		addrs, err := resolver.LookupHost(ctx, "metadata.google.internal")
 		if err != nil || len(addrs) == 0 {
 			resc <- false
 			return
@@ -282,6 +287,7 @@ func NewClient(c *http.Client) *Client {
 // getETag returns a value from the metadata service as well as the associated ETag.
 // This func is otherwise equivalent to Get.
 func (c *Client) getETag(suffix string) (value, etag string, err error) {
+	ctx := context.TODO()
 	// Using a fixed IP makes it very difficult to spoof the metadata service in
 	// a container, which is an important use-case for local testing of cloud
 	// deployments. To enable spoofing of the metadata service, the environment
@@ -304,10 +310,26 @@ func (c *Client) getETag(suffix string) (value, etag string, err error) {
 	}
 	req.Header.Set("Metadata-Flavor", "Google")
 	req.Header.Set("User-Agent", userAgent)
-	res, err := c.hc.Do(req)
-	if err != nil {
+	var res *http.Response
+	var reqErr error
+	retryer := newRetryer()
+	for {
+		res, reqErr = c.hc.Do(req)
+		var code int
+		if res != nil {
+			code = res.StatusCode
+		}
+		if delay, shouldRetry := retryer.Retry(code, reqErr); shouldRetry {
+			if err := sleep(ctx, delay); err != nil {
 				return "", "", err
 			}
+			continue
+		}
+		break
+	}
+	if reqErr != nil {
+		return "", "", reqErr
+	}
 	defer res.Body.Close()
 	if res.StatusCode == http.StatusNotFound {
 		return "", "", NotDefinedError(suffix)

vendor/cloud.google.com/go/compute/metadata/retry.go

@@ -0,0 +1,114 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package metadata
+
+import (
+	"context"
+	"io"
+	"math/rand"
+	"net/http"
+	"time"
+)
+
+const (
+	maxRetryAttempts = 5
+)
+
+var (
+	syscallRetryable = func(err error) bool { return false }
+)
+
+// defaultBackoff is basically equivalent to gax.Backoff without the need for
+// the dependency.
+type defaultBackoff struct {
+	max time.Duration
+	mul float64
+	cur time.Duration
+}
+
+func (b *defaultBackoff) Pause() time.Duration {
+	d := time.Duration(1 + rand.Int63n(int64(b.cur)))
+	b.cur = time.Duration(float64(b.cur) * b.mul)
+	if b.cur > b.max {
+		b.cur = b.max
+	}
+	return d
+}
+
+// sleep is the equivalent of gax.Sleep without the need for the dependency.
+func sleep(ctx context.Context, d time.Duration) error {
+	t := time.NewTimer(d)
+	select {
+	case <-ctx.Done():
+		t.Stop()
+		return ctx.Err()
+	case <-t.C:
+		return nil
+	}
+}
+
+func newRetryer() *metadataRetryer {
+	return &metadataRetryer{bo: &defaultBackoff{
+		cur: 100 * time.Millisecond,
+		max: 30 * time.Second,
+		mul: 2,
+	}}
+}
+
+type backoff interface {
+	Pause() time.Duration
+}
+
+type metadataRetryer struct {
+	bo       backoff
+	attempts int
+}
+
+func (r *metadataRetryer) Retry(status int, err error) (time.Duration, bool) {
+	if status == http.StatusOK {
+		return 0, false
+	}
+	retryOk := shouldRetry(status, err)
+	if !retryOk {
+		return 0, false
+	}
+	if r.attempts == maxRetryAttempts {
+		return 0, false
+	}
+	r.attempts++
+	return r.bo.Pause(), true
+}
+
+func shouldRetry(status int, err error) bool {
+	if 500 <= status && status <= 599 {
+		return true
+	}
+	if err == io.ErrUnexpectedEOF {
+		return true
+	}
+	// Transient network errors should be retried.
+	if syscallRetryable(err) {
+		return true
+	}
+	if err, ok := err.(interface{ Temporary() bool }); ok {
+		if err.Temporary() {
+			return true
+		}
+	}
+	if err, ok := err.(interface{ Unwrap() error }); ok {
+		return shouldRetry(status, err.Unwrap())
+	}
+	return false
+}

vendor/cloud.google.com/go/compute/metadata/retry_linux.go

@@ -1,4 +1,4 @@
-// Copyright 2017 Google Inc. All Rights Reserved.
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -12,6 +12,15 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package configpb
+//go:build linux
+// +build linux
 
-//go:generate protoc -I=. -I=$GOPATH/src --go_out=:. multilog.proto
+package metadata
+
+import "syscall"
+
+func init() {
+	// Initialize syscallRetryable to return true on transient socket-level
+	// errors. These errors are specific to Linux.
+	syscallRetryable = func(err error) bool { return err == syscall.ECONNRESET || err == syscall.ECONNREFUSED }
+}

vendor/cloud.google.com/go/doc.go

@@ -165,10 +165,27 @@ For HTTP logging, set the GODEBUG environment variable to "http2debug=1" or "htt
 
 Inspecting errors
 
-Most of the errors returned by the generated clients can be converted into a
-`grpc.Status`. Converting your errors to this type can be a useful to get
-more information about what went wrong while debugging.
- if err != {
+Most of the errors returned by the generated clients are wrapped in an
+`apierror.APIError` (https://pkg.go.dev/github.com/googleapis/gax-go/v2/apierror)
+and can be further unwrapped into a `grpc.Status` or `googleapi.Error` depending
+on the transport used to make the call (gRPC or REST). Converting your errors to
+these types can be a useful way to get more information about what went wrong
+while debugging.
+
+`apierror.APIError` gives access to specific details in the
+error. The transport-specific errors can still be unwrapped using the
+`apierror.APIError`.
+ if err != nil {
+    var ae *apierror.APIError
+    if errors.As(err, &ae) {
+       log.Println(ae.Reason())
+       log.Println(ae.Details().Help.GetLinks())
+    }
+ }
+
+If the gRPC transport was used, the `grpc.Status` can still be parsed using the
+`status.FromError` function.
+ if err != nil {
     if s, ok := status.FromError(err); ok {
        log.Println(s.Message())
        for _, d := range s.Proto().Details {
@@ -177,6 +194,15 @@ more information about what went wrong while debugging.
     }
  }
 
+If the REST transport was used, the `googleapi.Error` can be parsed in a similar
+way.
+ if err != nil {
+    var gerr *googleapi.Error
+    if errors.As(err, &gerr) {
+       log.Println(gerr.Message)
+    }
+ }
+
 Client Stability
 
 Clients in this repository are considered alpha or beta unless otherwise

vendor/cloud.google.com/go/release-please-config-yoshi-submodules.json

@@ -0,0 +1,322 @@
+{
+    "release-type": "go-yoshi",
+    "include-component-in-tag": true,
+    "tag-separator": "/",
+    "packages": {
+        "accessapproval": {
+            "component": "accessapproval"
+        },
+        "accesscontextmanager": {
+            "component": "accesscontextmanager"
+        },
+        "aiplatform": {
+            "component": "aiplatform"
+        },
+        "analytics": {
+            "component": "analytics"
+        },
+        "apigateway": {
+            "component": "apigateway"
+        },
+        "apigeeconnect": {
+            "component": "apigeeconnect"
+        },
+        "appengine": {
+            "component": "appengine"
+        },
+        "area120": {
+            "component": "area120"
+        },
+        "artifactregistry": {
+            "component": "artifactregistry"
+        },
+        "asset": {
+            "component": "asset"
+        },
+        "assuredworkloads": {
+            "component": "assuredworkloads"
+        },
+        "automl": {
+            "component": "automl"
+        },
+        "baremetalsolution": {
+            "component": "baremetalsolution"
+        },
+        "batch": {
+            "component": "batch"
+        },
+        "billing": {
+            "component": "billing"
+        },
+        "binaryauthorization": {
+            "component": "binaryauthorization"
+        },
+        "certificatemanager": {
+            "component": "certificatemanager"
+        },
+        "channel": {
+            "component": "channel"
+        },
+        "cloudbuild": {
+            "component": "cloudbuild"
+        },
+        "clouddms": {
+            "component": "clouddms"
+        },
+        "cloudtasks": {
+            "component": "cloudtasks"
+        },
+        "compute": {
+            "component": "compute"
+        },
+        "contactcenterinsights": {
+            "component": "contactcenterinsights"
+        },
+        "container": {
+            "component": "container"
+        },
+        "containeranalysis": {
+            "component": "containeranalysis"
+        },
+        "datacatalog": {
+            "component": "datacatalog"
+        },
+        "dataflow": {
+            "component": "dataflow"
+        },
+        "datafusion": {
+            "component": "datafusion"
+        },
+        "datalabeling": {
+            "component": "datalabeling"
+        },
+        "dataplex": {
+            "component": "dataplex"
+        },
+        "dataproc": {
+            "component": "dataproc"
+        },
+        "dataqna": {
+            "component": "dataqna"
+        },
+        "datastream": {
+            "component": "datastream"
+        },
+        "deploy": {
+            "component": "deploy"
+        },
+        "dialogflow": {
+            "component": "dialogflow"
+        },
+        "dlp": {
+            "component": "dlp"
+        },
+        "documentai": {
+            "component": "documentai"
+        },
+        "domains": {
+            "component": "domains"
+        },
+        "essentialcontacts": {
+            "component": "essentialcontacts"
+        },
+        "eventarc": {
+            "component": "eventarc"
+        },
+        "filestore": {
+            "component": "filestore"
+        },
+        "functions": {
+            "component": "functions"
+        },
+        "gaming": {
+            "component": "gaming"
+        },
+        "gkebackup": {
+            "component": "gkebackup"
+        },
+        "gkeconnect": {
+            "component": "gkeconnect"
+        },
+        "gkehub": {
+            "component": "gkehub"
+        },
+        "gkemulticloud": {
+            "component": "gkemulticloud"
+        },
+        "grafeas": {
+            "component": "grafeas"
+        },
+        "gsuiteaddons": {
+            "component": "gsuiteaddons"
+        },
+        "iam": {
+            "component": "iam"
+        },
+        "iap": {
+            "component": "iap"
+        },
+        "ids": {
+            "component": "ids"
+        },
+        "iot": {
+            "component": "iot"
+        },
+        "kms": {
+            "component": "kms"
+        },
+        "language": {
+            "component": "language"
+        },
+        "lifesciences": {
+            "component": "lifesciences"
+        },
+        "managedidentities": {
+            "component": "managedidentities"
+        },
+        "mediatranslation": {
+            "component": "mediatranslation"
+        },
+        "memcache": {
+            "component": "memcache"
+        },
+        "metastore": {
+            "component": "metastore"
+        },
+        "monitoring": {
+            "component": "monitoring"
+        },
+        "networkconnectivity": {
+            "component": "networkconnectivity"
+        },
+        "networkmanagement": {
+            "component": "networkmanagement"
+        },
+        "networksecurity": {
+            "component": "networksecurity"
+        },
+        "notebooks": {
+            "component": "notebooks"
+        },
+        "optimization": {
+            "component": "optimization"
+        },
+        "orchestration": {
+            "component": "orchestration"
+        },
+        "orgpolicy": {
+            "component": "orgpolicy"
+        },
+        "osconfig": {
+            "component": "osconfig"
+        },
+        "oslogin": {
+            "component": "oslogin"
+        },
+        "phishingprotection": {
+            "component": "phishingprotection"
+        },
+        "policytroubleshooter": {
+            "component": "policytroubleshooter"
+        },
+        "privatecatalog": {
+            "component": "privatecatalog"
+        },
+        "recaptchaenterprise/v2": {
+            "component": "recaptchaenterprise"
+        },
+        "recommendationengine": {
+            "component": "recommendationengine"
+        },
+        "recommender": {
+            "component": "recommender"
+        },
+        "redis": {
+            "component": "redis"
+        },
+        "resourcemanager": {
+            "component": "resourcemanager"
+        },
+        "resourcesettings": {
+            "component": "resourcesettings"
+        },
+        "retail": {
+            "component": "retail"
+        },
+        "run": {
+            "component": "run"
+        },
+        "scheduler": {
+            "component": "scheduler"
+        },
+        "secretmanager": {
+            "component": "secretmanager"
+        },
+        "security": {
+            "component": "security"
+        },
+        "securitycenter": {
+            "component": "securitycenter"
+        },
+        "servicecontrol": {
+            "component": "servicecontrol"
+        },
+        "servicedirectory": {
+            "component": "servicedirectory"
+        },
+        "servicemanagement": {
+            "component": "servicemanagement"
+        },
+        "serviceusage": {
+            "component": "serviceusage"
+        },
+        "shell": {
+            "component": "shell"
+        },
+        "speech": {
+            "component": "speech"
+        },
+        "storagetransfer": {
+            "component": "storagetransfer"
+        },
+        "talent": {
+            "component": "talent"
+        },
+        "texttospeech": {
+            "component": "texttospeech"
+        },
+        "tpu": {
+            "component": "tpu"
+        },
+        "trace": {
+            "component": "trace"
+        },
+        "translate": {
+            "component": "translate"
+        },
+        "video": {
+            "component": "video"
+        },
+        "videointelligence": {
+            "component": "videointelligence"
+        },
+        "vision/v2": {
+            "component": "vision"
+        },
+        "vmmigration": {
+            "component": "vmmigration"
+        },
+        "vpcaccess": {
+            "component": "vpcaccess"
+        },
+        "webrisk": {
+            "component": "webrisk"
+        },
+        "websecurityscanner": {
+            "component": "websecurityscanner"
+        },
+        "workflows": {
+            "component": "workflows"
+        }
+    }
+}

vendor/cloud.google.com/go/release-please-config.json

@@ -0,0 +1,10 @@
+{
+  "release-type": "go-yoshi",
+  "separate-pull-requests": true,
+  "include-component-in-tag": false,
+  "packages": {
+    ".": {
+      "component": "main"
+    }
+  }
+}

vendor/cloud.google.com/go/testing.md

@@ -9,7 +9,7 @@ on the Go client libraries.
 ## Testing gRPC services using fakes
 
 *Note*: You can see the full
-[example code using a fake here](https://github.com/googleapis/google-cloud-go/tree/master/internal/examples/fake).
+[example code using a fake here](https://github.com/googleapis/google-cloud-go/tree/main/internal/examples/fake).
 
 The clients found in `cloud.google.com/go` are gRPC based, with a couple of
 notable exceptions being the [`storage`](https://pkg.go.dev/cloud.google.com/go/storage)
@@ -143,7 +143,7 @@ func TestTranslateTextWithConcreteClient(t *testing.T) {
 ## Testing using mocks
 
 *Note*: You can see the full
-[example code using a mock here](https://github.com/googleapis/google-cloud-go/tree/master/internal/examples/mock).
+[example code using a mock here](https://github.com/googleapis/google-cloud-go/tree/main/internal/examples/mock).
 
 When mocking code you need to work with interfaces. Let’s create an interface
 for the `cloud.google.com/go/translate/apiv3` client used in the

vendor/github.com/google/certificate-transparency-go/.gitignore

@@ -15,7 +15,6 @@
 /ct_hammer
 /data
 /dumpscts
-/etcdiscover
 /findlog
 /goshawk
 /gosmin

vendor/github.com/google/certificate-transparency-go/.golangci.yaml

@@ -0,0 +1,38 @@
+run:
+  deadline: 90s
+  skip-dirs:
+    - (^|/)x509($|/)
+    - (^|/)x509util($|/)
+    - (^|/)asn1($|/)
+
+linters-settings:
+  gocyclo:
+    min-complexity: 40
+  depguard:
+    list-type: blacklist
+    packages:
+      - ^golang.org/x/net/context$
+      - github.com/gogo/protobuf/proto
+      - encoding/asn1
+      - crypto/x509
+
+linters:
+  disable-all: true
+  enable:
+    - deadcode
+    - depguard
+    - gocyclo
+    - gofmt
+    - goimports
+    - govet
+    - ineffassign
+    - megacheck
+    - misspell
+    - revive
+    - varcheck
+    # TODO(gbelvin): write license linter and commit to upstream.
+    # ./scripts/check_license.sh is run by ./scripts/presubmit.sh
+
+issues:
+    # Don't turn off any checks by default. We can do this explicitly if needed.
+    exclude-use-default: false

vendor/github.com/google/certificate-transparency-go/.travis.yml

@@ -1,74 +0,0 @@
-sudo: true  # required for CI push into Kubernetes.
-language: go
-os: linux
-go: "1.10"
-
-go_import_path: github.com/google/certificate-transparency-go
-
-env:
-  - GCE_CI=${ENABLE_GCE_CI} GOFLAGS=
-  - GOFLAGS=-race
-  - GOFLAGS=      WITH_ETCD=true WITH_COVERAGE=true
-  - GOFLAGS=-race WITH_ETCD=true
-
-matrix:
-  fast_finish: true
-
-services:
-  - docker
-
-install:
-  - mkdir ../protoc
-  - |
-    (
-      cd ../protoc
-      wget https://github.com/google/protobuf/releases/download/v3.5.1/protoc-3.5.1-${TRAVIS_OS_NAME}-x86_64.zip
-      unzip protoc-3.5.1-${TRAVIS_OS_NAME}-x86_64.zip
-    )
-  - export PATH=$(pwd)/../protoc/bin:$PATH
-  - go get -d -t ./...
-  - go get github.com/alecthomas/gometalinter
-  - gometalinter --install
-  - go get -u github.com/golang/protobuf/proto
-  - go get -u github.com/golang/protobuf/protoc-gen-go
-  - go install github.com/golang/mock/mockgen
-  # install vendored etcd binary
-  - go install ./vendor/github.com/coreos/etcd/cmd/etcd
-  - go install ./vendor/github.com/coreos/etcd/cmd/etcdctl
-  - pushd ${GOPATH}/src/github.com/google/trillian
-  - go get -d -t ./...
-  - popd
-
-script:
-  - set -e
-  - cd $HOME/gopath/src/github.com/google/certificate-transparency-go
-  - ./scripts/presubmit.sh ${PRESUBMIT_OPTS} ${WITH_COVERAGE:+--coverage}
-  - |
-      # Check re-generation didn't change anything
-      status=$(git status --porcelain | grep -v coverage) || :
-      if [[ -n ${status} ]]; then
-        echo "Regenerated files differ from checked-in versions: ${status}"
-        git status
-        git diff
-        exit 1
-      fi
-  - |
-      if [[ "${WITH_ETCD}" == "true" ]]; then
-        export ETCD_DIR="${GOPATH}/bin"
-      fi
-  - ./trillian/integration/integration_test.sh
-  - HAMMER_OPTS="--operations=1500" ./trillian/integration/ct_hammer_test.sh
-  - set +e
-
-after_success:
-  - cp /tmp/coverage.txt .
-  - bash <(curl -s https://codecov.io/bash)
-  - |
-      # Push up to GCE CI instance if we're running after a merge to master
-      if [[ "${GCE_CI}" == "true" ]] && [[ $TRAVIS_PULL_REQUEST == "false" ]] && [[ $TRAVIS_BRANCH == "master" ]]; then
-        . scripts/install_cloud.sh
-        echo ${GCLOUD_SERVICE_KEY_CI} | base64 --decode -i > ${HOME}/gcloud-service-key.json
-        gcloud auth activate-service-account --key-file ${HOME}/gcloud-service-key.json
-        rm ${HOME}/gcloud-service-key.json
-        . scripts/deploy_gce_ci.sh
-      fi

vendor/github.com/google/certificate-transparency-go/AUTHORS

@@ -11,7 +11,7 @@
 Comodo CA Limited
 Ed Maste <emaste@freebsd.org>
 Fiaz Hossain <fiaz.hossain@salesforce.com>
-Google Inc.
+Google LLC
 Internet Security Research Group
 Jeff Trawick <trawick@gmail.com>
 Katriel Cohn-Gordon <katriel.cohn-gordon@cybersecurity.ox.ac.uk>

vendor/github.com/google/certificate-transparency-go/CHANGELOG.md

@@ -1,5 +1,398 @@
 # CERTIFICATE-TRANSPARENCY-GO Changelog
 
+## HEAD
+
+### Integration
+
+ * Breaking change to API for `integration.HammerCTLog`:
+    * Added `ctx` as first argument, and terminate loop if it becomes cancelled
+
+### JSONClient
+
+ * PostAndParseWithRetry now does backoff-and-retry upon receiving HTTP 429.
+
+### Cleanup
+
+ * `WithBalancerName` is deprecated and removed, using the recommended way.
+ * `ctfe.PEMCertPool` type has been moved to `x509util.PEMCertPool` to reduce
+   dependencies (#903).
+ * Remove log list v1 package and its dependencies.
+
+### Migrillian
+
+* #960: Skip consistency check when root is size zero.
+
+### Misc
+
+ * updated golangci-lint to v1.46.1 (developers should update to this version)
+ * update `google.golang.org/grpc` to v1.46.0
+ * `ctclient` tool now uses Cobra for better CLI experience (#901).
+ * #800: Remove dependency from `ratelimit`.
+ * #927: Add read-only mode to CTFE config.
+ * Update Trillian to [0a389c4](https://github.com/google/trillian/commit/0a389c4bb8d97fb3be8f55d7e5b428cf4304986f)
+ * Migrate loglist dependency from v1 to v3 in ctclient cmd.
+ * Migrate loglist dependency from v1 to v3 in ctutil/loginfo.go
+ * Migrate loglist dependency from v1 to v3 in ctutil/sctscan.go
+ * Migrate loglist dependency from v1 to v3 in trillian/integration/ct_hammer/main.go
+
+## v1.1.2
+
+### CTFE
+
+ * Removed the `-by_range` flag.
+
+### Updated dependencies
+
+ * Trillian from v1.3.11 to v1.4.0
+ * protobuf to v2
+
+## v1.1.1
+[Published 2020-10-06](https://github.com/google/certificate-transparency-go/releases/tag/v1.1.1)
+
+### Tools
+
+#### CT Hammer
+
+Added a flag (--strict_sth_consistency_size) which when set to true enforces the current behaviour of only request consistency proofs between tree sizes for which the hammer has seen valid STHs.
+When setting this flag to false, if no two usable STHs are available the hammer will attempt to request a consistency proof between the latest STH it's seen and a random smaller (but > 0) tree size.
+
+
+### CTFE
+
+#### Caching
+
+The CTFE now includes a Cache-Control header in responses containing purely
+immutable data, e.g. those for get-entries and get-proof-by-hash. This allows
+clients and proxies to cache these responses for up to 24 hours.
+
+#### EKU Filtering
+
+> :warning: **It is not yet recommended to enable this option in a production CT Log!**
+
+CTFE now supports filtering logging submissions by leaf certificate EKU.
+This is enabled by adding an extKeyUsage list to a log's stanza in the
+config file.
+
+The format is a list of strings corresponding to the supported golang x509 EKUs:
+  |Config string               | Extended Key Usage                     |
+  |----------------------------|----------------------------------------|
+  |`Any`                       |  ExtKeyUsageAny                        |
+  |`ServerAuth`                |  ExtKeyUsageServerAuth                 |
+  |`ClientAuth`                |  ExtKeyUsageClientAuth                 |
+  |`CodeSigning`               |  ExtKeyUsageCodeSigning                |
+  |`EmailProtection`           |  ExtKeyUsageEmailProtection            |
+  |`IPSECEndSystem`            |  ExtKeyUsageIPSECEndSystem             |
+  |`IPSECTunnel`               |  ExtKeyUsageIPSECTunnel                |
+  |`IPSECUser`                 |  ExtKeyUsageIPSECUser                  |
+  |`TimeStamping`              |  ExtKeyUsageTimeStamping               |
+  |`OCSPSigning`               |  ExtKeyUsageOCSPSigning                |
+  |`MicrosoftServerGatedCrypto`|  ExtKeyUsageMicrosoftServerGatedCrypto |
+  |`NetscapeServerGatedCrypto` |  ExtKeyUsageNetscapeServerGatedCrypto  |
+
+When an extKeyUsage list is specified, the CT Log will reject logging
+submissions for leaf certificates that do not contain an EKU present in this
+list.
+
+When enabled, EKU filtering is only performed at the leaf level (i.e. there is
+no 'nested' EKU filtering performed).
+
+If no list is specified, or the list contains an `Any` entry, no EKU
+filtering will be performed.
+
+#### GetEntries
+Calls to `get-entries` which are at (or above) the maximum permitted number of
+entries whose `start` parameter does not fall on a multiple of the maximum
+permitted number of entries, will have their responses truncated such that
+subsequent requests will align with this boundary.
+This is intended to coerce callers of `get-entries` into all using the same
+`start` and `end` parameters and thereby increase the cachability of
+these requests.
+
+e.g.:
+
+<pre>
+Old behaviour:
+             1         2         3
+             0         0         0
+Entries>-----|---------|---------|----...
+Client A -------|---------|----------|...
+Client B --|--------|---------|-------...
+           ^        ^         ^
+           `--------`---------`---- requests
+
+With coercion (max batch = 10 entries):
+             1         2         3
+             0         0         0
+Entries>-----|---------|---------|----...
+Client A ----X---------|---------|...
+Client B --|-X---------|---------|-------...
+             ^
+             `-- Requests truncated
+</pre>
+
+This behaviour can be disabled by setting the `--align_getentries`
+flag to false.
+
+#### Flags
+
+The `ct_server` binary changed the default of these flags:
+
+-   `by_range` - Now defaults to `true`
+
+The `ct_server` binary added the following flags:
+-   `align_getentries` - See GetEntries section above for details
+
+Added `backend` flag to `migrillian`, which now replaces the deprecated
+"backend" feature of Migrillian configs.
+
+#### FixedBackendResolver Replaced
+
+This was previously used in situations where a comma separated list of
+backends was provided in the `rpcBackend` flag rather than a single value.
+
+It has been replaced by equivalent functionality using a newer gRPC API.
+However this support was only intended for use in integration tests. In
+production we recommend the use of etcd or a gRPC load balancer.
+
+### LogList
+
+Log list tools updated to use the correct v2 URL (from v2_beta previously).
+
+### Libraries
+
+#### x509 fork
+
+Merged upstream Go 1.13 and Go 1.14 changes (with the exception
+of https://github.com/golang/go/commit/14521198679e, to allow
+old certs using a malformed root still to be logged).
+
+#### asn1 fork
+
+Merged upstream Go 1.14 changes.
+
+#### ctutil
+
+Added VerifySCTWithVerifier() to verify SCTs using a given ct.SignatureVerifier.
+
+### Configuration Files
+
+Configuration files that previously had to be text-encoded Protobuf messages can
+now alternatively be binary-encoded instead.
+
+### JSONClient
+
+- `PostAndParseWithRetry` error logging now includes log URI in messages.
+
+### Minimal Gossip Example
+
+All the code for this, except for the x509ext package, has been moved over
+to the [trillian-examples](https://github.com/google/trillian-examples) repository.
+
+This keeps the code together and removes a circular dependency between the
+two repositories. The package layout and structure remains the same so
+updating should just mean changing any relevant import paths.
+
+### Dependencies
+
+A circular dependency on the [monologue](https://github.com/google/monologue) repository has been removed.
+
+A circular dependency on the [trillian-examples](https://github.com/google/trillian-examples) repository has been removed.
+
+The version of trillian in use has been updated to 1.3.11. This has required
+various other dependency updates including gRPC and protobuf. This code now
+uses the v2 proto API. The Travis tests now expect the 3.11.4 version of
+protoc.
+
+The version of etcd in use has been switched to the one from `go.etcd.io`.
+
+Most of the above changes are to align versions more closely with the ones
+used in the trillian repository.
+
+## v1.1.0
+
+Published 2019-11-14 15:00:00 +0000 UTC
+
+### CTFE
+
+The `reject_expired` and `reject_unexpired` configuration fields for the CTFE
+have been changed so that their behaviour reflects their name:
+
+-   `reject_expired` only rejects expired certificates (i.e. it now allows
+    not-yet-valid certificates).
+-   `reject_unexpired` only allows expired certificates (i.e. it now rejects
+    not-yet-valid certificates).
+
+A `reject_extensions` configuration field for the CTFE was added, this allows
+submissions to be rejected if they contain an extension with any of the
+specified OIDs.
+
+A `frozen_sth` configuration field for the CTFE was added. This STH will be
+served permanently. It must be signed by the log's private key.
+
+A `/healthz` URL has been added which responds with HTTP 200 OK and the string
+"ok" when the server is up.
+
+#### Flags
+
+The `ct_server` binary has these new flags:
+
+-   `mask_internal_errors` - Removes error strings from HTTP 500 responses
+    (Internal Server Error)
+
+Removed default values for `--metrics_endpoint` and `--log_rpc_server` flags.
+This makes it easier to get the documented "unset" behaviour.
+
+#### Metrics
+
+The CTFE exports these new metrics:
+
+-   `is_mirror` - set to 1 for mirror logs (copies of logs hosted elsewhere)
+-   `frozen_sth_timestamp` - time of the frozen Signed Tree Head in milliseconds
+    since the epoch
+
+#### Kubernetes
+
+Updated prometheus-to-sd to v0.5.2.
+
+A dedicated node pool is no longer required by the Kubernetes manifests.
+
+### Log Lists
+
+A new package has been created for parsing, searching and creating JSON log
+lists compatible with the
+[v2 schema](http://www.gstatic.com/ct/log_list/v2_beta/log_list_schema.json):
+`github.com/google/certificate-transparency-go/loglist2`.
+
+### Docker Images
+
+Our Docker images have been updated to use Go 1.11 and
+[Distroless base images](https://github.com/GoogleContainerTools/distroless).
+
+The CTFE Docker image now sets `ENTRYPOINT`.
+
+### Utilities / Libraries
+
+#### jsonclient
+
+The `jsonclient` package now copes with empty HTTP responses. The user-agent
+header it sends can now be specified.
+
+#### x509 and asn1 forks
+
+Merged upstream changes from Go 1.12 into the `asn1` and `x509` packages.
+
+Added a "lax" tag to `asn1` that applies recursively and makes some checks more
+relaxed:
+
+-   parsePrintableString() copes with invalid PrintableString contents, e.g. use
+    of tagPrintableString when the string data is really ISO8859-1.
+-   checkInteger() allows integers that are not minimally encoded (and so are
+    not correct DER).
+-   OIDs are allowed to be empty.
+
+The following `x509` functions will now return `x509.NonFatalErrors` if ASN.1
+parsing fails in strict mode but succeeds in lax mode. Previously, they only
+attempted strict mode parsing.
+
+-   `x509.ParseTBSCertificate()`
+-   `x509.ParseCertificate()`
+-   `x509.ParseCertificates()`
+
+The `x509` package will now treat a negative RSA modulus as a non-fatal error.
+
+The `x509` package now supports RSASES-OAEP and Ed25519 keys.
+
+#### ctclient
+
+The `ctclient` tool now defaults to using
+[all_logs_list.json](https://www.gstatic.com/ct/log_list/all_logs_list.json)
+instead of [log_list.json](https://www.gstatic.com/ct/log_list/log_list.json).
+This can be overridden using the `--log_list` flag.
+
+It can now perform inclusion checks on pre-certificates.
+
+It has these new commands:
+
+-   `bisect` - Finds a log entry given a timestamp.
+
+It has these new flags:
+
+-   `--chain` - Displays the entire certificate chain
+-   `--dns_server` - The DNS server to direct queries to (system resolver by
+    default)
+-   `--skip_https_verify` - Skips verification of the HTTPS connection
+-   `--timestamp` - Timestamp to use for `bisect` and `inclusion` commands (for
+    `inclusion`, only if --leaf_hash is not used)
+
+It now accepts hex or base64-encoded strings for the `--tree_hash`,
+`--prev_hash` and `--leaf_hash` flags.
+
+#### certcheck
+
+The `certcheck` tool has these new flags:
+
+-   `--check_time` - Check current validity of certificate (replaces
+    `--timecheck`)
+-   `--check_name` - Check validity of certificate name
+-   `--check_eku` - Check validity of EKU nesting
+-   `--check_path_len` - Check validity of path length constraint
+-   `--check_name_constraint` - Check name constraints
+-   `--check_unknown_critical_exts` - Check for unknown critical extensions
+    (replaces `--ignore_unknown_critical_exts`)
+-   `--strict` - Set non-zero exit code for non-fatal errors in parsing
+
+#### sctcheck
+
+The `sctcheck` tool has these new flags:
+
+-   `--check_inclusion` - Checks that the SCT was honoured (i.e. the
+    corresponding certificate was included in the issuing CT log)
+
+#### ct_hammer
+
+The `ct_hammer` tool has these new flags:
+
+-   `--duplicate_chance` - Allows setting the probability of the hammer sending
+    a duplicate submission.
+
+## v1.0.21 - CTFE Logging / Path Options. Mirroring. RPKI. Non Fatal X.509 error improvements
+
+Published 2018-08-20 10:11:04 +0000 UTC
+
+### CTFE
+
+`CTFE` no longer prints certificate chains as long byte strings in messages when handler errors occur. This was obscuring the reason for the failure and wasn't particularly useful.
+
+`CTFE` now has a global log URL path prefix flag and a configuration proto for a log specific path. The latter should help for various migration strategies if existing C++ server logs are going to be converted to run on the new code.
+
+### Mirroring
+
+More progress has been made on log mirroring. We believe that it's now at the point where testing can begin.
+
+### Utilities / Libraries
+
+The `certcheck` and `ct_hammer` utilities have received more enhancements.
+
+`x509` and `x509util` now support Subject Information Access and additional extensions for [RPKI / RFC 3779](https://www.ietf.org/rfc/rfc3779.txt).
+
+`scanner` / `fixchain` and some other command line utilities now have better handling of non-fatal errors.
+
+Commit [3629d6846518309d22c16fee15d1007262a459d2](https://api.github.com/repos/google/certificate-transparency-go/commits/3629d6846518309d22c16fee15d1007262a459d2) Download [zip](https://api.github.com/repos/google/certificate-transparency-go/zipball/v1.0.21)
+
+## v1.0.20 - Minimal Gossip / Go 1.11 Fix / Utility Improvements
+
+Published 2018-07-05 09:21:34 +0000 UTC
+
+Enhancements have been made to various utilities including `scanner`, `sctcheck`, `loglist` and `x509util`.
+
+The `allow_verification_with_non_compliant_keys` flag has been removed from `signatures.go`.
+
+An implementation of Gossip has been added. See the `gossip/minimal` package for more information.
+
+An X.509 compatibility issue for Go 1.11 has been fixed. This should be backwards compatible with 1.10.
+
+Commit [37a384cd035e722ea46e55029093e26687138edf](https://api.github.com/repos/google/certificate-transparency-go/commits/37a384cd035e722ea46e55029093e26687138edf) Download [zip](https://api.github.com/repos/google/certificate-transparency-go/zipball/v1.0.20)
+
 ## v1.0.19 - CTFE User Quota
 
 Published 2018-06-01 13:51:52 +0000 UTC
@@ -60,7 +453,7 @@ Commit [684d6eee6092774e54d301ccad0ed61bc8d010c1](https://api.github.com/repos/g
 
 Published 2018-06-01 14:15:37 +0000 UTC
 
-Support for SQLlite was removed. This motivation was ongoing test flakiness caused by multi-user access. This database may work for an embedded scenario but is not suitable for use in a server environment.
+Support for SQLite was removed. This motivation was ongoing test flakiness caused by multi-user access. This database may work for an embedded scenario but is not suitable for use in a server environment.
 
 A `LeafHashForLeaf` client API was added and is now used by the CT client and integration tests.
 
@@ -191,4 +584,3 @@ Published 2018-06-01 13:59:00 +0000 UTC
 This is the point that corresponds to the 1.0 release in the trillian repo.
 
 Commit [abb79e468b6f3bbd48d1ab0c9e68febf80d52c4d](https://api.github.com/repos/google/certificate-transparency-go/commits/abb79e468b6f3bbd48d1ab0c9e68febf80d52c4d) Download [zip](https://api.github.com/repos/google/certificate-transparency-go/zipball/v1.0)
-

vendor/github.com/google/certificate-transparency-go/CODEOWNERS

@@ -0,0 +1 @@
+*	@google/certificate-transparency

vendor/github.com/google/certificate-transparency-go/CONTRIBUTORS

@@ -47,11 +47,14 @@ Oliver Weidner <Oliver.Weidner@gmail.com>
 Pascal Leroy <phl@google.com>
 Paul Hadfield <hadfieldp@google.com> <paul@phad.org.uk>
 Paul Lietar <lietar@google.com>
+Pavel Kalinnikov <pkalinnikov@google.com> <pavelkalinnikov@gmail.com>
 Pierre Phaneuf <pphaneuf@google.com>
 Rob Percival <robpercival@google.com>
 Rob Stradling <rob@comodo.com>
+Roger Ng <rogerng@google.com> <roger2hk@gmail.com>
 Roland Shoemaker <roland@letsencrypt.org>
 Ruslan Kovalov <ruslan.kovalyov@gmail.com>
 Samuel Lidén Borell <samuel@kodafritt.se>
+Tatiana Merkulova <merkulova@google.com>
 Vladimir Rutsky <vladimir@rutsky.org>
 Ximin Luo <infinity0@gmx.com>

vendor/github.com/google/certificate-transparency-go/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,16 @@
+<!---
+Describe your changes in detail here.
+If this fixes an issue, please write "Fixes #123", substituting the issue number.
+-->
+
+### Checklist
+
+<!---
+Go over all the following points, and put an `x` in all the boxes that apply.
+Feel free to not tick any boxes that don't apply to this PR (e.g. refactoring may not need a CHANGELOG update).
+If you're unsure about any of these, don't hesitate to ask. We're here to help!
+-->
+
+- [ ] I have updated the [CHANGELOG](CHANGELOG.md).
+  - Adjust the draft version number according to [semantic versioning](https://semver.org/) rules.
+- [ ] I have updated [documentation](docs/) accordingly.

vendor/github.com/google/certificate-transparency-go/README.md

@@ -6,14 +6,14 @@
 
 This repository holds Go code related to
 [Certificate Transparency](https://www.certificate-transparency.org/) (CT).  The
-repository requires Go version 1.9.
+repository requires Go version 1.17.
 
  - [Repository Structure](#repository-structure)
  - [Trillian CT Personality](#trillian-ct-personality)
  - [Working on the Code](#working-on-the-code)
+     - [Running Codebase Checks](#running-codebase-checks)
      - [Rebuilding Generated Code](#rebuilding-generated-code)
      - [Updating Vendor Code](#updating-vendor-code)
-     - [Running Codebase Checks](#running-codebase-checks)
 
 ## Repository Structure
 
@@ -29,57 +29,44 @@ The main parts of the repository are:
      [pre-certificates defined in RFC 6962](https://tools.ietf.org/html/rfc6962#section-3.1).
    - `tls` holds a library for processing TLS-encoded data as described in
      [RFC 5246](https://tools.ietf.org/html/rfc5246).
-   - `x509util` provides additional utilities for dealing with
+   - `x509util/` provides additional utilities for dealing with
      `x509.Certificate`s.
  - CT client libraries:
    - The top-level `ct` package (in `.`) holds types and utilities for working
      with CT data structures defined in
      [RFC 6962](https://tools.ietf.org/html/rfc6962).
    - `client/` and `jsonclient/` hold libraries that allow access to CT Logs
-     via entrypoints described in
+     via HTTP entrypoints described in
      [section 4 of RFC 6962](https://tools.ietf.org/html/rfc6962#section-4).
+   - `dnsclient/` has a library that allows access to CT Logs over
+     [DNS](https://github.com/google/certificate-transparency-rfcs/blob/master/dns/draft-ct-over-dns.md).
    - `scanner/` holds a library for scanning the entire contents of an existing
      CT Log.
+ - CT Personality for [Trillian](https://github.com/google/trillian):
+    - `trillian/` holds code that allows a Certificate Transparency Log to be
+      run using a Trillian Log as its back-end -- see
+      [below](#trillian-ct-personality).
  - Command line tools:
-   - `./client/ctclient` allows interaction with a CT Log
+   - `./client/ctclient` allows interaction with a CT Log.
+   - `./ctutil/sctcheck` allows SCTs (signed certificate timestamps) from a CT
+     Log to be verified.
    - `./scanner/scanlog` allows an existing CT Log to be scanned for certificates
       of interest; please be polite when running this tool against a Log.
    - `./x509util/certcheck` allows display and verification of certificates
    - `./x509util/crlcheck` allows display and verification of certificate
      revocation lists (CRLs).
- - CT Personality for [Trillian](https://github.com/google/trillian):
-    - `trillian/` holds code that allows a Certificate Transparency Log to be
-      run using a Trillian Log as its back-end -- see
-      [below](#trillian-ct-personality).
+ - Other libraries related to CT:
+   - `ctutil/` holds utility functions for validating and verifying CT data
+     structures.
+   - `loglist3/` has a library for reading
+     [v3 JSON lists of CT Logs](https://groups.google.com/a/chromium.org/g/ct-policy/c/IdbrdAcDQto/m/i5KPyzYwBAAJ).
 
 
 ## Trillian CT Personality
 
 The `trillian/` subdirectory holds code and scripts for running a CT Log based
-on the [Trillian](https://github.com/google/trillian) general transparency Log.
-
-The main code for the CT personality is held in `trillian/ctfe`; this code
-responds to HTTP requests on the
-[CT API paths](https://tools.ietf.org/html/rfc6962#section-4) and translates
-them to the equivalent gRPC API requests to the Trillian Log.
-
-This obviously relies on the gRPC API definitions at
-`github.com/google/trillian`; the code also uses common libraries from the
-Trillian project for:
- - exposing monitoring and statistics via an `interface` and corresponding
-   Prometheus implementation (`github.com/google/trillian/monitoring/...`)
- - dealing with cryptographic keys (`github.com/google/trillian/crypto/...`).
-
-The `trillian/integration/` directory holds scripts and tests for running the whole
-system locally.  In particular:
- - `trillian/integration/ct_integration_test.sh` brings up local processes
-   running a Trillian Log server, signer and a CT personality, and exercises the
-   complete set of RFC 6962 API entrypoints.
- - `trillian/integration/ct_hammer_test.sh` brings up a complete system and runs
-   a continuous randomized test of the CT entrypoints.
-
-These scripts require a local database instance to be configured as described
-in the [Trillian instructions](https://github.com/google/trillian#mysql-setup).
+on the [Trillian](https://github.com/google/trillian) general transparency Log,
+and is [documented separately](trillian/README.md).
 
 
 ## Working on the Code
@@ -90,6 +77,26 @@ dependencies and tools, described in the following sections.  The
 for the required tools and scripts, as it may be more up-to-date than this
 document.
 
+### Running Codebase Checks
+
+The [`scripts/presubmit.sh`](scripts/presubmit.sh) script runs various tools
+and tests over the codebase; please ensure this script passes before sending
+pull requests for review.
+
+```bash
+# Install golangci-lint
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.1
+
+# Run code generation, build, test and linters
+./scripts/presubmit.sh
+
+# Run build, test and linters but skip code generation
+./scripts/presubmit.sh  --no-generate
+
+# Or just run the linters alone:
+golangci-lint run
+```
+
 ### Rebuilding Generated Code
 
 Some of the CT Go code is autogenerated from other files:
@@ -102,43 +109,12 @@ Some of the CT Go code is autogenerated from other files:
 Re-generating mock or protobuffer files is only needed if you're changing
 the original files; if you do, you'll need to install the prerequisites:
 
-  - `mockgen` tool from https://github.com/golang/mock
-  - `protoc`, [Go support for protoc](https://github.com/golang/protobuf) (see
-     documentation linked from the
-     [protobuf site](https://github.com/google/protobuf))
+- tools written in `go` can be installed with a single run of `go install`
+  (courtesy of [`tools.go`](./tools/tools.go) and `go.mod`).
+- `protoc` tool: you'll need [version 3.12.4](https://github.com/protocolbuffers/protobuf/releases/tag/v3.12.4) installed, and `PATH` updated to include its `bin/` directory.
 
-and run the following:
+With tools installed, run the following:
 
 ```bash
 go generate -x ./...  # hunts for //go:generate comments and runs them
 ```
-
-### Updating Vendor Code
-
-The codebase includes a couple of external projects under the `vendor/`
-subdirectory, to ensure that builds use a fixed version (typically because the
-upstream repository does not guarantee back-compatibility between the tip
-`master` branch and the current stable release).  See
-[instructions in the Trillian repo](https://github.com/google/trillian#updating-vendor-code)
-for how to update vendored subtrees.
-
-
-### Running Codebase Checks
-
-The [`scripts/presubmit.sh`](scripts/presubmit.sh) script runs various tools
-and tests over the codebase.
-
-```bash
-# Install gometalinter and all linters
-go get -u github.com/alecthomas/gometalinter
-gometalinter --install
-
-# Run code generation, build, test and linters
-./scripts/presubmit.sh
-
-# Run build, test and linters but skip code generation
-./scripts/presubmit.sh  --no-generate
-
-# Or just run the linters alone:
-gometalinter --config=gometalinter.json ./...
-```

vendor/github.com/google/certificate-transparency-go/asn1/README.md

@@ -0,0 +1,7 @@
+# Important Notice
+
+This is a fork of the `encoding/asn1` Go package. The original source can be found on
+[GitHub](https://github.com/golang/go).
+
+Be careful about making local modifications to this code as it will
+make maintenance harder in future.

vendor/github.com/google/certificate-transparency-go/asn1/asn1.go

@@ -5,13 +5,24 @@
 // Package asn1 implements parsing of DER-encoded ASN.1 data structures,
 // as defined in ITU-T Rec X.690.
 //
-// See also ``A Layman's Guide to a Subset of ASN.1, BER, and DER,''
+// See also “A Layman's Guide to a Subset of ASN.1, BER, and DER,”
 // http://luca.ntop.org/Teaching/Appunti/asn1.html.
 //
 // This is a fork of the Go standard library ASN.1 implementation
-// (encoding/asn1).  The main difference is that this version tries to correct
-// for errors (e.g. use of tagPrintableString when the string data is really
-// ISO8859-1 - a common error present in many x509 certificates in the wild.)
+// (encoding/asn1), with the aim of relaxing checks for various things
+// that are common errors present in many X.509 certificates in the
+// wild.
+//
+// Main differences:
+//   - Extra "lax" tag that recursively applies and relaxes some strict
+//     checks:
+//   - parsePrintableString() copes with invalid PrintableString contents,
+//     e.g. use of tagPrintableString when the string data is really
+//     ISO8859-1.
+//   - checkInteger() allows integers that are not minimally encoded (and
+//     so are not correct DER).
+//   - parseObjectIdentifier() allows zero-length OIDs.
+//   - Better diagnostics on which particular field causes errors.
 package asn1
 
 // ASN.1 is a syntax for specifying abstract objects and BER, DER, PER, XER etc
@@ -31,8 +42,8 @@ import (
 	"math/big"
 	"reflect"
 	"strconv"
-	"strings"
 	"time"
+	"unicode/utf16"
 	"unicode/utf8"
 )
 
@@ -94,13 +105,16 @@ func parseBool(bytes []byte, fieldName string) (ret bool, err error) {
 
 // checkInteger returns nil if the given bytes are a valid DER-encoded
 // INTEGER and an error otherwise.
-func checkInteger(bytes []byte, fieldName string) error {
+func checkInteger(bytes []byte, lax bool, fieldName string) error {
 	if len(bytes) == 0 {
 		return StructuralError{"empty integer", fieldName}
 	}
 	if len(bytes) == 1 {
 		return nil
 	}
+	if lax {
+		return nil
+	}
 	if (bytes[0] == 0 && bytes[1]&0x80 == 0) || (bytes[0] == 0xff && bytes[1]&0x80 == 0x80) {
 		return StructuralError{"integer not minimally-encoded", fieldName}
 	}
@@ -109,8 +123,8 @@ func checkInteger(bytes []byte, fieldName string) error {
 
 // parseInt64 treats the given bytes as a big-endian, signed integer and
 // returns the result.
-func parseInt64(bytes []byte, fieldName string) (ret int64, err error) {
-	err = checkInteger(bytes, fieldName)
+func parseInt64(bytes []byte, lax bool, fieldName string) (ret int64, err error) {
+	err = checkInteger(bytes, lax, fieldName)
 	if err != nil {
 		return
 	}
@@ -132,11 +146,11 @@ func parseInt64(bytes []byte, fieldName string) (ret int64, err error) {
 
 // parseInt treats the given bytes as a big-endian, signed integer and returns
 // the result.
-func parseInt32(bytes []byte, fieldName string) (int32, error) {
-	if err := checkInteger(bytes, fieldName); err != nil {
+func parseInt32(bytes []byte, lax bool, fieldName string) (int32, error) {
+	if err := checkInteger(bytes, lax, fieldName); err != nil {
 		return 0, err
 	}
-	ret64, err := parseInt64(bytes, fieldName)
+	ret64, err := parseInt64(bytes, lax, fieldName)
 	if err != nil {
 		return 0, err
 	}
@@ -150,8 +164,8 @@ var bigOne = big.NewInt(1)
 
 // parseBigInt treats the given bytes as a big-endian, signed integer and returns
 // the result.
-func parseBigInt(bytes []byte, fieldName string) (*big.Int, error) {
-	if err := checkInteger(bytes, fieldName); err != nil {
+func parseBigInt(bytes []byte, lax bool, fieldName string) (*big.Int, error) {
+	if err := checkInteger(bytes, lax, fieldName); err != nil {
 		return nil, err
 	}
 	ret := new(big.Int)
@@ -270,8 +284,11 @@ func (oi ObjectIdentifier) String() string {
 // parseObjectIdentifier parses an OBJECT IDENTIFIER from the given bytes and
 // returns it. An object identifier is a sequence of variable length integers
 // that are assigned in a hierarchy.
-func parseObjectIdentifier(bytes []byte, fieldName string) (s []int, err error) {
+func parseObjectIdentifier(bytes []byte, lax bool, fieldName string) (s ObjectIdentifier, err error) {
 	if len(bytes) == 0 {
+		if lax {
+			return ObjectIdentifier{}, nil
+		}
 		err = SyntaxError{"zero length OBJECT IDENTIFIER", fieldName}
 		return
 	}
@@ -415,10 +432,25 @@ func isNumeric(b byte) bool {
 
 // parsePrintableString parses an ASN.1 PrintableString from the given byte
 // array and returns it.
-func parsePrintableString(bytes []byte, fieldName string) (ret string, err error) {
+func parsePrintableString(bytes []byte, lax bool, fieldName string) (ret string, err error) {
 	for _, b := range bytes {
 		if !isPrintable(b, allowAsterisk, allowAmpersand) {
+			if !lax {
 				err = SyntaxError{"PrintableString contains invalid character", fieldName}
+			} else {
+				// Might be an ISO8859-1 string stuffed in, check if it
+				// would be valid and assume that's what's happened if so,
+				// otherwise try T.61, failing that give up and just assign
+				// the bytes
+				switch {
+				case couldBeISO8859_1(bytes):
+					ret, err = iso8859_1ToUTF8(bytes), nil
+				case couldBeT61(bytes):
+					ret, err = parseT61String(bytes)
+				default:
+					err = SyntaxError{"PrintableString contains invalid character, couldn't determine correct String type", fieldName}
+				}
+			}
 			return
 		}
 	}
@@ -495,6 +527,29 @@ func parseUTF8String(bytes []byte) (ret string, err error) {
 	return string(bytes), nil
 }
 
+// BMPString
+
+// parseBMPString parses an ASN.1 BMPString (Basic Multilingual Plane of
+// ISO/IEC/ITU 10646-1) from the given byte slice and returns it.
+func parseBMPString(bmpString []byte) (string, error) {
+	if len(bmpString)%2 != 0 {
+		return "", errors.New("pkcs12: odd-length BMP string")
+	}
+
+	// Strip terminator if present.
+	if l := len(bmpString); l >= 2 && bmpString[l-1] == 0 && bmpString[l-2] == 0 {
+		bmpString = bmpString[:l-2]
+	}
+
+	s := make([]uint16, 0, len(bmpString)/2)
+	for len(bmpString) > 0 {
+		s = append(s, uint16(bmpString[0])<<8+uint16(bmpString[1]))
+		bmpString = bmpString[2:]
+	}
+
+	return string(utf16.Decode(s)), nil
+}
+
 // A RawValue represents an undecoded ASN.1 object.
 type RawValue struct {
 	Class, Tag int
@@ -592,7 +647,7 @@ func parseTagAndLength(bytes []byte, initOffset int, fieldName string) (ret tagA
 // parseSequenceOf is used for SEQUENCE OF and SET OF values. It tries to parse
 // a number of ASN.1 values from the given byte slice and returns them as a
 // slice of Go values of the given type.
-func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type, fieldName string) (ret reflect.Value, err error) {
+func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type, lax bool, fieldName string) (ret reflect.Value, err error) {
 	matchAny, expectedTag, compoundType, ok := getUniversalType(elemType)
 	if !ok {
 		err = StructuralError{"unknown Go type for slice", fieldName}
@@ -609,7 +664,7 @@ func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type
 			return
 		}
 		switch t.tag {
-		case TagIA5String, TagGeneralString, TagT61String, TagUTF8String, TagNumericString:
+		case TagIA5String, TagGeneralString, TagT61String, TagUTF8String, TagNumericString, TagBMPString:
 			// We pretend that various other string types are
 			// PRINTABLE STRINGs so that a sequence of them can be
 			// parsed into a []string.
@@ -631,7 +686,7 @@ func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type
 		numElements++
 	}
 	ret = reflect.MakeSlice(sliceType, numElements, numElements)
-	params := fieldParameters{}
+	params := fieldParameters{lax: lax}
 	offset := 0
 	for i := 0; i < numElements; i++ {
 		offset, err = parseField(ret.Index(i), bytes, offset, params)
@@ -653,7 +708,7 @@ var (
 	bigIntType           = reflect.TypeOf(new(big.Int))
 )
 
-// invalidLength returns true iff offset + length > sliceLength, or if the
+// invalidLength reports whether offset + length > sliceLength, or if the
 // addition would overflow.
 func invalidLength(offset, length, sliceLength int) bool {
 	return offset+length < offset || offset+length > sliceLength
@@ -735,22 +790,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 			innerBytes := bytes[offset : offset+t.length]
 			switch t.tag {
 			case TagPrintableString:
-				result, err = parsePrintableString(innerBytes, params.name)
-				if err != nil && strings.Contains(err.Error(), "PrintableString contains invalid character") {
-					// Probably an ISO8859-1 string stuffed in, check if it
-					// would be valid and assume that's what's happened if so,
-					// otherwise try T.61, failing that give up and just assign
-					// the bytes
-					switch {
-					case couldBeISO8859_1(innerBytes):
-						result, err = iso8859_1ToUTF8(innerBytes), nil
-					case couldBeT61(innerBytes):
-						result, err = parseT61String(innerBytes)
-					default:
-						result = nil
-						err = errors.New("PrintableString contains invalid character, but couldn't determine correct String type.")
-					}
-				}
+				result, err = parsePrintableString(innerBytes, params.lax, params.name)
 			case TagNumericString:
 				result, err = parseNumericString(innerBytes, params.name)
 			case TagIA5String:
@@ -760,17 +800,19 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 			case TagUTF8String:
 				result, err = parseUTF8String(innerBytes)
 			case TagInteger:
-				result, err = parseInt64(innerBytes, params.name)
+				result, err = parseInt64(innerBytes, params.lax, params.name)
 			case TagBitString:
 				result, err = parseBitString(innerBytes, params.name)
 			case TagOID:
-				result, err = parseObjectIdentifier(innerBytes, params.name)
+				result, err = parseObjectIdentifier(innerBytes, params.lax, params.name)
 			case TagUTCTime:
 				result, err = parseUTCTime(innerBytes)
 			case TagGeneralizedTime:
 				result, err = parseGeneralizedTime(innerBytes)
 			case TagOctetString:
 				result = innerBytes
+			case TagBMPString:
+				result, err = parseBMPString(innerBytes)
 			default:
 				// If we don't know how to handle the type, we just leave Value as nil.
 			}
@@ -839,7 +881,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 	if universalTag == TagPrintableString {
 		if t.class == ClassUniversal {
 			switch t.tag {
-			case TagIA5String, TagGeneralString, TagT61String, TagUTF8String, TagNumericString:
+			case TagIA5String, TagGeneralString, TagT61String, TagUTF8String, TagNumericString, TagBMPString:
 				universalTag = t.tag
 			}
 		} else if params.stringType != 0 {
@@ -873,6 +915,12 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 		matchAnyClassAndTag = false
 	}
 
+	if !params.explicit && params.private && params.tag != nil {
+		expectedClass = ClassPrivate
+		expectedTag = *params.tag
+		matchAnyClassAndTag = false
+	}
+
 	// We have unwrapped any explicit tagging at this point.
 	if !matchAnyClassAndTag && (t.class != expectedClass || t.tag != expectedTag) ||
 		(!matchAny && t.isCompound != compoundType) {
@@ -899,7 +947,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 		v.Set(reflect.ValueOf(result))
 		return
 	case objectIdentifierType:
-		newSlice, err1 := parseObjectIdentifier(innerBytes, params.name)
+		newSlice, err1 := parseObjectIdentifier(innerBytes, params.lax, params.name)
 		v.Set(reflect.MakeSlice(v.Type(), len(newSlice), len(newSlice)))
 		if err1 == nil {
 			reflect.Copy(v, reflect.ValueOf(newSlice))
@@ -927,7 +975,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 		err = err1
 		return
 	case enumeratedType:
-		parsedInt, err1 := parseInt32(innerBytes, params.name)
+		parsedInt, err1 := parseInt32(innerBytes, params.lax, params.name)
 		if err1 == nil {
 			v.SetInt(int64(parsedInt))
 		}
@@ -937,7 +985,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 		v.SetBool(true)
 		return
 	case bigIntType:
-		parsedInt, err1 := parseBigInt(innerBytes, params.name)
+		parsedInt, err1 := parseBigInt(innerBytes, params.lax, params.name)
 		if err1 == nil {
 			v.Set(reflect.ValueOf(parsedInt))
 		}
@@ -954,13 +1002,13 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 		return
 	case reflect.Int, reflect.Int32, reflect.Int64:
 		if val.Type().Size() == 4 {
-			parsedInt, err1 := parseInt32(innerBytes, params.name)
+			parsedInt, err1 := parseInt32(innerBytes, params.lax, params.name)
 			if err1 == nil {
 				val.SetInt(int64(parsedInt))
 			}
 			err = err1
 		} else {
-			parsedInt, err1 := parseInt64(innerBytes, params.name)
+			parsedInt, err1 := parseInt64(innerBytes, params.lax, params.name)
 			if err1 == nil {
 				val.SetInt(parsedInt)
 			}
@@ -992,6 +1040,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 			}
 			innerParams := parseFieldParameters(field.Tag.Get("asn1"))
 			innerParams.name = field.Name
+			innerParams.lax = params.lax
 			innerOffset, err = parseField(val.Field(i), innerBytes, innerOffset, innerParams)
 			if err != nil {
 				return
@@ -1008,7 +1057,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 			reflect.Copy(val, reflect.ValueOf(innerBytes))
 			return
 		}
-		newSlice, err1 := parseSequenceOf(innerBytes, sliceType, sliceType.Elem(), params.name)
+		newSlice, err1 := parseSequenceOf(innerBytes, sliceType, sliceType.Elem(), params.lax, params.name)
 		if err1 == nil {
 			val.Set(newSlice)
 		}
@@ -1018,7 +1067,7 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 		var v string
 		switch universalTag {
 		case TagPrintableString:
-			v, err = parsePrintableString(innerBytes, params.name)
+			v, err = parsePrintableString(innerBytes, params.lax, params.name)
 		case TagNumericString:
 			v, err = parseNumericString(innerBytes, params.name)
 		case TagIA5String:
@@ -1033,6 +1082,9 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
 			// that allow the encoding to change midstring and
 			// such. We give up and pass it as an 8-bit string.
 			v, err = parseT61String(innerBytes)
+		case TagBMPString:
+			v, err = parseBMPString(innerBytes)
+
 		default:
 			err = SyntaxError{fmt.Sprintf("internal error: unknown string type %d", universalTag), params.name}
 		}
@@ -1110,11 +1162,13 @@ func setDefaultValue(v reflect.Value, params fieldParameters) (ok bool) {
 // The following tags on struct fields have special meaning to Unmarshal:
 //
 //	application specifies that an APPLICATION tag is used
+//	private     specifies that a PRIVATE tag is used
 //	default:x   sets the default value for optional integer fields (only used if optional is also present)
 //	explicit    specifies that an additional, explicit tag wraps the implicit one
 //	optional    marks the field as ASN.1 OPTIONAL
 //	set         causes a SET, rather than a SEQUENCE type to be expected
 //	tag:x       specifies the ASN.1 tag number; implies ASN.1 CONTEXT SPECIFIC
+//	lax         relax strict encoding checks for this field, and for any fields within it
 //
 // If the type of the first field of a structure is RawContent then the raw
 // ASN1 contents of the struct will be stored in it.

vendor/github.com/google/certificate-transparency-go/asn1/common.go

@@ -37,6 +37,7 @@ const (
 	TagUTCTime         = 23
 	TagGeneralizedTime = 24
 	TagGeneralString   = 27
+	TagBMPString       = 30
 )
 
 // ASN.1 class types represent the namespace of the tag.
@@ -75,12 +76,14 @@ type fieldParameters struct {
 	optional     bool   // true iff the field is OPTIONAL
 	explicit     bool   // true iff an EXPLICIT tag is in use.
 	application  bool   // true iff an APPLICATION tag is in use.
+	private      bool   // true iff a PRIVATE tag is in use.
 	defaultValue *int64 // a default value for INTEGER typed fields (maybe nil).
 	tag          *int   // the EXPLICIT or IMPLICIT tag (maybe nil).
 	stringType   int    // the string tag to use when marshaling.
 	timeType     int    // the time tag to use when marshaling.
 	set          bool   // true iff this should be encoded as a SET
 	omitEmpty    bool   // true iff this should be omitted if empty when marshaling.
+	lax          bool   // true iff unmarshalling should skip some error checks
 	name         string // name of field for better diagnostics
 
 	// Invariants:
@@ -131,8 +134,15 @@ func parseFieldParameters(str string) (ret fieldParameters) {
 			if ret.tag == nil {
 				ret.tag = new(int)
 			}
+		case part == "private":
+			ret.private = true
+			if ret.tag == nil {
+				ret.tag = new(int)
+			}
 		case part == "omitempty":
 			ret.omitEmpty = true
+		case part == "lax":
+			ret.lax = true
 		}
 	}
 	return

vendor/github.com/google/certificate-transparency-go/asn1/marshal.go

@@ -631,6 +631,8 @@ func makeField(v reflect.Value, params fieldParameters) (e encoder, err error) {
 	if params.tag != nil {
 		if params.application {
 			class = ClassApplication
+		} else if params.private {
+			class = ClassPrivate
 		} else {
 			class = ClassContextSpecific
 		}

vendor/github.com/google/certificate-transparency-go/client/configpb/multilog.pb.go

@@ -1,60 +1,85 @@
+// Copyright 2017 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 // Code generated by protoc-gen-go. DO NOT EDIT.
-// source: multilog.proto
+// versions:
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.20.1
+// source: client/configpb/multilog.proto
 
 package configpb
 
-import proto "github.com/golang/protobuf/proto"
-import fmt "fmt"
-import math "math"
-import timestamp "github.com/golang/protobuf/ptypes/timestamp"
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
+	reflect "reflect"
+	sync "sync"
+)
 
-// Reference imports to suppress errors if they are not otherwise used.
-var _ = proto.Marshal
-var _ = fmt.Errorf
-var _ = math.Inf
-
-// This is a compile-time assertion to ensure that this generated file
-// is compatible with the proto package it is being compiled against.
-// A compilation error at this line likely means your copy of the
-// proto package needs to be updated.
-const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
 
 // TemporalLogConfig is a set of LogShardConfig messages, whose
 // time limits should be contiguous.
 type TemporalLogConfig struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
 	Shard []*LogShardConfig `protobuf:"bytes,1,rep,name=shard,proto3" json:"shard,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}          `json:"-"`
-	XXX_unrecognized     []byte            `json:"-"`
-	XXX_sizecache        int32             `json:"-"`
 }
 
-func (m *TemporalLogConfig) Reset()         { *m = TemporalLogConfig{} }
-func (m *TemporalLogConfig) String() string { return proto.CompactTextString(m) }
+func (x *TemporalLogConfig) Reset() {
+	*x = TemporalLogConfig{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_client_configpb_multilog_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *TemporalLogConfig) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
 func (*TemporalLogConfig) ProtoMessage() {}
+
+func (x *TemporalLogConfig) ProtoReflect() protoreflect.Message {
+	mi := &file_client_configpb_multilog_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use TemporalLogConfig.ProtoReflect.Descriptor instead.
 func (*TemporalLogConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_multilog_3c9b797b88da6f07, []int{0}
-}
-func (m *TemporalLogConfig) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_TemporalLogConfig.Unmarshal(m, b)
-}
-func (m *TemporalLogConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_TemporalLogConfig.Marshal(b, m, deterministic)
-}
-func (dst *TemporalLogConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_TemporalLogConfig.Merge(dst, src)
-}
-func (m *TemporalLogConfig) XXX_Size() int {
-	return xxx_messageInfo_TemporalLogConfig.Size(m)
-}
-func (m *TemporalLogConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_TemporalLogConfig.DiscardUnknown(m)
+	return file_client_configpb_multilog_proto_rawDescGZIP(), []int{0}
 }
 
-var xxx_messageInfo_TemporalLogConfig proto.InternalMessageInfo
-
-func (m *TemporalLogConfig) GetShard() []*LogShardConfig {
-	if m != nil {
-		return m.Shard
+func (x *TemporalLogConfig) GetShard() []*LogShardConfig {
+	if x != nil {
+		return x.Shard
 	}
 	return nil
 }
@@ -62,97 +87,192 @@ func (m *TemporalLogConfig) GetShard() []*LogShardConfig {
 // LogShardConfig describes the acceptable date range for a single shard of a temporal
 // log.
 type LogShardConfig struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
 	Uri string `protobuf:"bytes,1,opt,name=uri,proto3" json:"uri,omitempty"`
 	// The log's public key in DER-encoded PKIX form.
 	PublicKeyDer []byte `protobuf:"bytes,2,opt,name=public_key_der,json=publicKeyDer,proto3" json:"public_key_der,omitempty"`
 	// not_after_start defines the start of the range of acceptable NotAfter
 	// values, inclusive.
 	// Leaving this unset implies no lower bound to the range.
-	NotAfterStart *timestamp.Timestamp `protobuf:"bytes,3,opt,name=not_after_start,json=notAfterStart,proto3" json:"not_after_start,omitempty"`
+	NotAfterStart *timestamppb.Timestamp `protobuf:"bytes,3,opt,name=not_after_start,json=notAfterStart,proto3" json:"not_after_start,omitempty"`
 	// not_after_limit defines the end of the range of acceptable NotAfter values,
 	// exclusive.
 	// Leaving this unset implies no upper bound to the range.
-	NotAfterLimit        *timestamp.Timestamp `protobuf:"bytes,4,opt,name=not_after_limit,json=notAfterLimit,proto3" json:"not_after_limit,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
-	XXX_unrecognized     []byte               `json:"-"`
-	XXX_sizecache        int32                `json:"-"`
+	NotAfterLimit *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=not_after_limit,json=notAfterLimit,proto3" json:"not_after_limit,omitempty"`
+}
+
+func (x *LogShardConfig) Reset() {
+	*x = LogShardConfig{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_client_configpb_multilog_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LogShardConfig) String() string {
+	return protoimpl.X.MessageStringOf(x)
 }
 
-func (m *LogShardConfig) Reset()         { *m = LogShardConfig{} }
-func (m *LogShardConfig) String() string { return proto.CompactTextString(m) }
 func (*LogShardConfig) ProtoMessage() {}
+
+func (x *LogShardConfig) ProtoReflect() protoreflect.Message {
+	mi := &file_client_configpb_multilog_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LogShardConfig.ProtoReflect.Descriptor instead.
 func (*LogShardConfig) Descriptor() ([]byte, []int) {
-	return fileDescriptor_multilog_3c9b797b88da6f07, []int{1}
-}
-func (m *LogShardConfig) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_LogShardConfig.Unmarshal(m, b)
-}
-func (m *LogShardConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_LogShardConfig.Marshal(b, m, deterministic)
-}
-func (dst *LogShardConfig) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_LogShardConfig.Merge(dst, src)
-}
-func (m *LogShardConfig) XXX_Size() int {
-	return xxx_messageInfo_LogShardConfig.Size(m)
-}
-func (m *LogShardConfig) XXX_DiscardUnknown() {
-	xxx_messageInfo_LogShardConfig.DiscardUnknown(m)
+	return file_client_configpb_multilog_proto_rawDescGZIP(), []int{1}
 }
 
-var xxx_messageInfo_LogShardConfig proto.InternalMessageInfo
-
-func (m *LogShardConfig) GetUri() string {
-	if m != nil {
-		return m.Uri
+func (x *LogShardConfig) GetUri() string {
+	if x != nil {
+		return x.Uri
 	}
 	return ""
 }
 
-func (m *LogShardConfig) GetPublicKeyDer() []byte {
-	if m != nil {
-		return m.PublicKeyDer
+func (x *LogShardConfig) GetPublicKeyDer() []byte {
+	if x != nil {
+		return x.PublicKeyDer
 	}
 	return nil
 }
 
-func (m *LogShardConfig) GetNotAfterStart() *timestamp.Timestamp {
-	if m != nil {
-		return m.NotAfterStart
+func (x *LogShardConfig) GetNotAfterStart() *timestamppb.Timestamp {
+	if x != nil {
+		return x.NotAfterStart
 	}
 	return nil
 }
 
-func (m *LogShardConfig) GetNotAfterLimit() *timestamp.Timestamp {
-	if m != nil {
-		return m.NotAfterLimit
+func (x *LogShardConfig) GetNotAfterLimit() *timestamppb.Timestamp {
+	if x != nil {
+		return x.NotAfterLimit
 	}
 	return nil
 }
 
-func init() {
-	proto.RegisterType((*TemporalLogConfig)(nil), "configpb.TemporalLogConfig")
-	proto.RegisterType((*LogShardConfig)(nil), "configpb.LogShardConfig")
+var File_client_configpb_multilog_proto protoreflect.FileDescriptor
+
+var file_client_configpb_multilog_proto_rawDesc = []byte{
+	0x0a, 0x1e, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x70,
+	0x62, 0x2f, 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x6c, 0x6f, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x12, 0x08, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x70, 0x62, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65,
+	0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x43, 0x0a, 0x11, 0x54,
+	0x65, 0x6d, 0x70, 0x6f, 0x72, 0x61, 0x6c, 0x4c, 0x6f, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x2e, 0x0a, 0x05, 0x73, 0x68, 0x61, 0x72, 0x64, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x18, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x70, 0x62, 0x2e, 0x4c, 0x6f, 0x67, 0x53, 0x68,
+	0x61, 0x72, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x73, 0x68, 0x61, 0x72, 0x64,
+	0x22, 0xd0, 0x01, 0x0a, 0x0e, 0x4c, 0x6f, 0x67, 0x53, 0x68, 0x61, 0x72, 0x64, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x24, 0x0a, 0x0e, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f,
+	0x6b, 0x65, 0x79, 0x5f, 0x64, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x70,
+	0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x72, 0x12, 0x42, 0x0a, 0x0f, 0x6e,
+	0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x73, 0x74, 0x61, 0x72, 0x74, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70,
+	0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x53, 0x74, 0x61, 0x72, 0x74, 0x12,
+	0x42, 0x0a, 0x0f, 0x6e, 0x6f, 0x74, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x6c, 0x69, 0x6d,
+	0x69, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x41, 0x66, 0x74, 0x65, 0x72, 0x4c, 0x69,
+	0x6d, 0x69, 0x74, 0x42, 0x48, 0x5a, 0x46, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
+	0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
+	0x63, 0x61, 0x74, 0x65, 0x2d, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63,
+	0x79, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2f, 0x6d, 0x75, 0x6c, 0x74,
+	0x69, 0x6c, 0x6f, 0x67, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x70, 0x62, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
-func init() { proto.RegisterFile("multilog.proto", fileDescriptor_multilog_3c9b797b88da6f07) }
+var (
+	file_client_configpb_multilog_proto_rawDescOnce sync.Once
+	file_client_configpb_multilog_proto_rawDescData = file_client_configpb_multilog_proto_rawDesc
+)
 
-var fileDescriptor_multilog_3c9b797b88da6f07 = []byte{
-	// 241 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x8f, 0xb1, 0x4e, 0xc3, 0x30,
-	0x14, 0x45, 0x65, 0x02, 0x08, 0xdc, 0x12, 0xc0, 0x93, 0xd5, 0x85, 0xa8, 0x62, 0xc8, 0xe4, 0x4a,
-	0xe5, 0x0b, 0xa0, 0x6c, 0x64, 0x4a, 0xbb, 0x47, 0x4e, 0xeb, 0x18, 0x0b, 0x3b, 0xcf, 0x72, 0x5e,
-	0x86, 0xfe, 0x25, 0x9f, 0x84, 0x1c, 0x2b, 0x43, 0x37, 0xb6, 0xa7, 0x77, 0xcf, 0xb9, 0xd2, 0xa5,
-	0xb9, 0x1b, 0x2d, 0x1a, 0x0b, 0x5a, 0xf8, 0x00, 0x08, 0xec, 0xee, 0x08, 0x7d, 0x67, 0xb4, 0x6f,
-	0x57, 0x2f, 0x1a, 0x40, 0x5b, 0xb5, 0x99, 0xfe, 0xed, 0xd8, 0x6d, 0xd0, 0x38, 0x35, 0xa0, 0x74,
-	0x3e, 0xa1, 0xeb, 0x1d, 0x7d, 0x3e, 0x28, 0xe7, 0x21, 0x48, 0x5b, 0x81, 0xde, 0x4d, 0x1e, 0x13,
-	0xf4, 0x66, 0xf8, 0x96, 0xe1, 0xc4, 0x49, 0x91, 0x95, 0x8b, 0x2d, 0x17, 0x73, 0x9f, 0xa8, 0x40,
-	0xef, 0x63, 0x92, 0xc0, 0x3a, 0x61, 0xeb, 0x5f, 0x42, 0xf3, 0xcb, 0x84, 0x3d, 0xd1, 0x6c, 0x0c,
-	0x86, 0x93, 0x82, 0x94, 0xf7, 0x75, 0x3c, 0xd9, 0x2b, 0xcd, 0xfd, 0xd8, 0x5a, 0x73, 0x6c, 0x7e,
-	0xd4, 0xb9, 0x39, 0xa9, 0xc0, 0xaf, 0x0a, 0x52, 0x2e, 0xeb, 0x65, 0xfa, 0x7e, 0xa9, 0xf3, 0xa7,
-	0x0a, 0xec, 0x83, 0x3e, 0xf6, 0x80, 0x8d, 0xec, 0x50, 0x85, 0x66, 0x40, 0x19, 0x90, 0x67, 0x05,
-	0x29, 0x17, 0xdb, 0x95, 0x48, 0x53, 0xc4, 0x3c, 0x45, 0x1c, 0xe6, 0x29, 0xf5, 0x43, 0x0f, 0xf8,
-	0x1e, 0x8d, 0x7d, 0x14, 0x2e, 0x3b, 0xac, 0x71, 0x06, 0xf9, 0xf5, 0xff, 0x3b, 0xaa, 0x28, 0xb4,
-	0xb7, 0x13, 0xf2, 0xf6, 0x17, 0x00, 0x00, 0xff, 0xff, 0xf8, 0xd9, 0x50, 0x5b, 0x5b, 0x01, 0x00,
-	0x00,
+func file_client_configpb_multilog_proto_rawDescGZIP() []byte {
+	file_client_configpb_multilog_proto_rawDescOnce.Do(func() {
+		file_client_configpb_multilog_proto_rawDescData = protoimpl.X.CompressGZIP(file_client_configpb_multilog_proto_rawDescData)
+	})
+	return file_client_configpb_multilog_proto_rawDescData
+}
+
+var file_client_configpb_multilog_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_client_configpb_multilog_proto_goTypes = []interface{}{
+	(*TemporalLogConfig)(nil),     // 0: configpb.TemporalLogConfig
+	(*LogShardConfig)(nil),        // 1: configpb.LogShardConfig
+	(*timestamppb.Timestamp)(nil), // 2: google.protobuf.Timestamp
+}
+var file_client_configpb_multilog_proto_depIdxs = []int32{
+	1, // 0: configpb.TemporalLogConfig.shard:type_name -> configpb.LogShardConfig
+	2, // 1: configpb.LogShardConfig.not_after_start:type_name -> google.protobuf.Timestamp
+	2, // 2: configpb.LogShardConfig.not_after_limit:type_name -> google.protobuf.Timestamp
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_client_configpb_multilog_proto_init() }
+func file_client_configpb_multilog_proto_init() {
+	if File_client_configpb_multilog_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_client_configpb_multilog_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*TemporalLogConfig); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_client_configpb_multilog_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LogShardConfig); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_client_configpb_multilog_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_client_configpb_multilog_proto_goTypes,
+		DependencyIndexes: file_client_configpb_multilog_proto_depIdxs,
+		MessageInfos:      file_client_configpb_multilog_proto_msgTypes,
+	}.Build()
+	File_client_configpb_multilog_proto = out.File
+	file_client_configpb_multilog_proto_rawDesc = nil
+	file_client_configpb_multilog_proto_goTypes = nil
+	file_client_configpb_multilog_proto_depIdxs = nil
 }

vendor/github.com/google/certificate-transparency-go/client/configpb/multilog.proto

@@ -1,4 +1,4 @@
-// Copyright 2017 Google Inc. All Rights Reserved.
+// Copyright 2017 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,6 +16,8 @@ syntax = "proto3";
 
 package configpb;
 
+option go_package = "github.com/google/certificate-transparency-go/client/multilog/configpb";
+
 import "google/protobuf/timestamp.proto";
 
 // TemporalLogConfig is a set of LogShardConfig messages, whose

vendor/github.com/google/certificate-transparency-go/client/getentries.go

@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc. All Rights Reserved.
+// Copyright 2016 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -36,16 +36,9 @@ func (c *LogClient) GetRawEntries(ctx context.Context, start, end int64) (*ct.Ge
 		"start": strconv.FormatInt(start, 10),
 		"end":   strconv.FormatInt(end, 10),
 	}
-	if ctx == nil {
-		ctx = context.TODO()
-	}
 
 	var resp ct.GetEntriesResponse
-	httpRsp, body, err := c.GetAndParse(ctx, ct.GetEntriesPath, params, &resp)
-	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
+	if _, _, err := c.GetAndParse(ctx, ct.GetEntriesPath, params, &resp); err != nil {
 		return nil, err
 	}
 
@@ -66,7 +59,7 @@ func (c *LogClient) GetEntries(ctx context.Context, start, end int64) ([]ct.LogE
 	for i, entry := range resp.Entries {
 		index := start + int64(i)
 		logEntry, err := ct.LogEntryFromLeaf(index, &entry)
-		if _, ok := err.(x509.NonFatalErrors); !ok && err != nil {
+		if x509.IsFatal(err) {
 			return nil, err
 		}
 		entries[i] = *logEntry

vendor/github.com/google/certificate-transparency-go/client/logclient.go

@@ -1,4 +1,4 @@
-// Copyright 2014 Google Inc. All Rights Reserved.
+// Copyright 2014 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -56,18 +56,8 @@ func New(uri string, hc *http.Client, opts jsonclient.Options) (*LogClient, erro
 	return &LogClient{*logClient}, err
 }
 
-// RspError represents an error that occurred when processing a response from  a server,
-// and also includes key details from the http.Response that triggered the error.
-type RspError struct {
-	Err        error
-	StatusCode int
-	Body       []byte
-}
-
-// Error formats the RspError instance, focusing on the error.
-func (e RspError) Error() string {
-	return e.Err.Error()
-}
+// RspError represents a server error including HTTP information.
+type RspError = jsonclient.RspError
 
 // Attempts to add |chain| to the log, using the api end-point specified by
 // |path|. If provided context expires before submission is complete an
@@ -81,9 +71,6 @@ func (c *LogClient) addChainWithRetry(ctx context.Context, ctype ct.LogEntryType
 
 	httpRsp, body, err := c.PostAndParseWithRetry(ctx, path, &req, &resp)
 	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
 		return nil, err
 	}
 
@@ -132,38 +119,6 @@ func (c *LogClient) AddPreChain(ctx context.Context, chain []ct.ASN1Cert) (*ct.S
 	return c.addChainWithRetry(ctx, ct.PrecertLogEntryType, ct.AddPreChainPath, chain)
 }
 
-// AddJSON submits arbitrary data to to XJSON server.
-func (c *LogClient) AddJSON(ctx context.Context, data interface{}) (*ct.SignedCertificateTimestamp, error) {
-	req := ct.AddJSONRequest{Data: data}
-	var resp ct.AddChainResponse
-	httpRsp, body, err := c.PostAndParse(ctx, ct.AddJSONPath, &req, &resp)
-	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
-		return nil, err
-	}
-	var ds ct.DigitallySigned
-	if rest, err := tls.Unmarshal(resp.Signature, &ds); err != nil {
-		return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-	} else if len(rest) > 0 {
-		return nil, RspError{
-			Err:        fmt.Errorf("trailing data (%d bytes) after DigitallySigned", len(rest)),
-			StatusCode: httpRsp.StatusCode,
-			Body:       body,
-		}
-	}
-	var logID ct.LogID
-	copy(logID.KeyID[:], resp.ID)
-	return &ct.SignedCertificateTimestamp{
-		SCTVersion: resp.SCTVersion,
-		LogID:      logID,
-		Timestamp:  resp.Timestamp,
-		Extensions: ct.CTExtensions(resp.Extensions),
-		Signature:  ds,
-	}, nil
-}
-
 // GetSTH retrieves the current STH from the log.
 // Returns a populated SignedTreeHead, or a non-nil error (which may be of type
 // RspError if a raw http.Response is available).
@@ -171,9 +126,6 @@ func (c *LogClient) GetSTH(ctx context.Context) (*ct.SignedTreeHead, error) {
 	var resp ct.GetSTHResponse
 	httpRsp, body, err := c.GetAndParse(ctx, ct.GetSTHPath, nil, &resp)
 	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
 		return nil, err
 	}
 
@@ -220,11 +172,7 @@ func (c *LogClient) GetSTHConsistency(ctx context.Context, first, second uint64)
 		"second": strconv.FormatUint(second, base10),
 	}
 	var resp ct.GetSTHConsistencyResponse
-	httpRsp, body, err := c.GetAndParse(ctx, ct.GetSTHConsistencyPath, params, &resp)
-	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
+	if _, _, err := c.GetAndParse(ctx, ct.GetSTHConsistencyPath, params, &resp); err != nil {
 		return nil, err
 	}
 	return resp.Consistency, nil
@@ -239,11 +187,7 @@ func (c *LogClient) GetProofByHash(ctx context.Context, hash []byte, treeSize ui
 		"hash":      b64Hash,
 	}
 	var resp ct.GetProofByHashResponse
-	httpRsp, body, err := c.GetAndParse(ctx, ct.GetProofByHashPath, params, &resp)
-	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
+	if _, _, err := c.GetAndParse(ctx, ct.GetProofByHashPath, params, &resp); err != nil {
 		return nil, err
 	}
 	return &resp, nil
@@ -254,9 +198,6 @@ func (c *LogClient) GetAcceptedRoots(ctx context.Context) ([]ct.ASN1Cert, error)
 	var resp ct.GetRootsResponse
 	httpRsp, body, err := c.GetAndParse(ctx, ct.GetRootsPath, nil, &resp)
 	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
 		return nil, err
 	}
 	var roots []ct.ASN1Cert
@@ -278,11 +219,7 @@ func (c *LogClient) GetEntryAndProof(ctx context.Context, index, treeSize uint64
 		"tree_size":  strconv.FormatUint(treeSize, base10),
 	}
 	var resp ct.GetEntryAndProofResponse
-	httpRsp, body, err := c.GetAndParse(ctx, ct.GetEntryAndProofPath, params, &resp)
-	if err != nil {
-		if httpRsp != nil {
-			return nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
-		}
+	if _, _, err := c.GetAndParse(ctx, ct.GetEntryAndProofPath, params, &resp); err != nil {
 		return nil, err
 	}
 	return &resp, nil

vendor/github.com/google/certificate-transparency-go/client/multilog.go

@@ -1,4 +1,4 @@
-// Copyright 2017 Google Inc. All Rights Reserved.
+// Copyright 2017 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -19,16 +19,16 @@ import (
 	"crypto/sha256"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/http"
+	"os"
 	"time"
 
-	"github.com/golang/protobuf/proto"
-	"github.com/golang/protobuf/ptypes"
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/client/configpb"
 	"github.com/google/certificate-transparency-go/jsonclient"
 	"github.com/google/certificate-transparency-go/x509"
+	"google.golang.org/protobuf/encoding/prototext"
+	"google.golang.org/protobuf/proto"
 )
 
 type interval struct {
@@ -43,14 +43,16 @@ func TemporalLogConfigFromFile(filename string) (*configpb.TemporalLogConfig, er
 		return nil, errors.New("log config filename empty")
 	}
 
-	cfgText, err := ioutil.ReadFile(filename)
+	cfgBytes, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read log config: %v", err)
 	}
 
 	var cfg configpb.TemporalLogConfig
-	if err := proto.UnmarshalText(string(cfgText), &cfg); err != nil {
-		return nil, fmt.Errorf("failed to parse log config: %v", err)
+	if txtErr := prototext.Unmarshal(cfgBytes, &cfg); txtErr != nil {
+		if binErr := proto.Unmarshal(cfgBytes, &cfg); binErr != nil {
+			return nil, fmt.Errorf("failed to parse TemporalLogConfig from %q as text protobuf (%v) or binary protobuf (%v)", filename, txtErr, binErr)
+		}
 	}
 
 	if len(cfg.Shard) == 0 {
@@ -76,8 +78,8 @@ type TemporalLogClient struct {
 
 // NewTemporalLogClient builds a new client for interacting with a temporal log.
 // The provided config should be contiguous and chronological.
-func NewTemporalLogClient(cfg configpb.TemporalLogConfig, hc *http.Client) (*TemporalLogClient, error) {
-	if len(cfg.Shard) == 0 {
+func NewTemporalLogClient(cfg *configpb.TemporalLogConfig, hc *http.Client) (*TemporalLogClient, error) {
+	if len(cfg.GetShard()) == 0 {
 		return nil, errors.New("empty config")
 	}
 
@@ -106,7 +108,7 @@ func NewTemporalLogClient(cfg configpb.TemporalLogConfig, hc *http.Client) (*Tem
 	}
 	clients := make([]*LogClient, 0, len(cfg.Shard))
 	for i, shard := range cfg.Shard {
-		opts := jsonclient.Options{}
+		opts := jsonclient.Options{UserAgent: "ct-go-multilog/1.0"}
 		opts.PublicKeyDER = shard.GetPublicKeyDer()
 		c, err := New(shard.Uri, hc, opts)
 		if err != nil {
@@ -200,17 +202,17 @@ func (tlc *TemporalLogClient) IndexByDate(when time.Time) (int, error) {
 func shardInterval(cfg *configpb.LogShardConfig) (interval, error) {
 	var interval interval
 	if cfg.NotAfterStart != nil {
-		t, err := ptypes.Timestamp(cfg.NotAfterStart)
-		if err != nil {
+		if err := cfg.NotAfterStart.CheckValid(); err != nil {
 			return interval, fmt.Errorf("failed to parse NotAfterStart: %v", err)
 		}
+		t := cfg.NotAfterStart.AsTime()
 		interval.lower = &t
 	}
 	if cfg.NotAfterLimit != nil {
-		t, err := ptypes.Timestamp(cfg.NotAfterLimit)
-		if err != nil {
+		if err := cfg.NotAfterLimit.CheckValid(); err != nil {
 			return interval, fmt.Errorf("failed to parse NotAfterLimit: %v", err)
 		}
+		t := cfg.NotAfterLimit.AsTime()
 		interval.upper = &t
 	}
 

vendor/github.com/google/certificate-transparency-go/cloudbuild.yaml

@@ -0,0 +1,201 @@
+#############################################################################
+## The top section of this file is identical in the 3 cloudbuild.*yaml files.
+## Make sure any edits you make here are copied over to the other files too
+## if appropriate.
+##
+## TODO(al): consider if it's possible to merge these 3 files and control via
+## substitutions.
+#############################################################################
+
+timeout: 1200s
+options:
+  machineType: N1_HIGHCPU_32
+  volumes:
+  - name: go-modules
+    path: /go
+  env:
+  - GO111MODULE=on
+  - GOPROXY=https://proxy.golang.org
+  - PROJECT_ROOT=github.com/google/certificate-transparency-go
+  - GOPATH=/go
+
+substitutions:
+  _CLUSTER_NAME: trillian-opensource-ci
+  _MASTER_ZONE: us-central1-a
+
+steps:
+# First build a "ct_testbase" docker image which contains most of the tools we need for the later steps:
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/$PROJECT_ID/ct_testbase:latest || exit 0']
+- name: 'gcr.io/cloud-builders/docker'
+  args: [
+    'build',
+    '-t', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '--cache-from', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '-f', './integration/Dockerfile',
+    '.'
+  ]
+
+# prepare spins up an ephemeral trillian instance for testing use.
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  entrypoint: 'bash'
+  id: 'prepare'
+  args:
+  - '-exc'
+  - |
+    # Use latest versions of Trillian docker images built by the Trillian CI cloudbuilders.
+    docker pull gcr.io/$PROJECT_ID/log_server:latest
+    docker tag gcr.io/$PROJECT_ID/log_server:latest deployment_trillian-log-server
+    docker pull gcr.io/$PROJECT_ID/log_signer:latest
+    docker tag gcr.io/$PROJECT_ID/log_signer:latest deployment_trillian-log-signer
+
+    # Bring up an ephemeral trillian instance using the docker-compose config in the Trillian repo:
+    export TRILLIAN_LOCATION="$$(go list -f '{{.Dir}}' github.com/google/trillian)"
+
+    # We need to fix up Trillian's docker-compose to connect to the CloudBuild network to that tests can use it:
+    echo -e "networks:\n      default:\n        external:\n          name: cloudbuild" >> $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml
+
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml pull mysql trillian-log-server trillian-log-signer
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml up -d mysql trillian-log-server trillian-log-signer
+
+# Install proto related bits and block on Trillian being ready
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci-ready'
+  entrypoint: 'bash'
+  args:
+    - '-ec'
+    - |
+      go install \
+        github.com/golang/protobuf/proto \
+        github.com/golang/protobuf/protoc-gen-go \
+        github.com/golang/mock/mockgen \
+        go.etcd.io/etcd/v3 go.etcd.io/etcd/etcdctl/v3 \
+        github.com/fullstorydev/grpcurl/cmd/grpcurl
+
+
+      # Cache all the modules we'll need too
+      go mod download
+      go test -i ./...
+
+      # Wait for trillian logserver to be up
+      until nc -z deployment_trillian-log-server_1 8090; do echo .; sleep 5; done
+  waitFor: ['prepare']
+
+# Run the presubmit tests
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'default_test'
+  env:
+    - 'GOFLAGS='
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'race_detection'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_coverage'
+  env:
+    - 'GOFLAGS='
+    - 'PRESUBMIT_OPTS=--no-linters --coverage'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_race'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'with_pkcs11_and_race'
+  env:
+    - 'GOFLAGS=-race --tags=pkcs11'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'WITH_PKCS11=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+# Collect and submit codecoverage reports
+- name: 'gcr.io/cloud-builders/curl'
+  id: 'codecov.io'
+  entrypoint: bash
+  args: ['-c', 'bash <(curl -s https://codecov.io/bash)']
+  env:
+  - 'VCS_COMMIT_ID=$COMMIT_SHA'
+  - 'VCS_BRANCH_NAME=$BRANCH_NAME'
+  - 'VCS_PULL_REQUEST=$_PR_NUMBER'
+  - 'CI_BUILD_ID=$BUILD_ID'
+  - 'CODECOV_TOKEN=$_CODECOV_TOKEN' # _CODECOV_TOKEN is specified in the cloud build trigger
+  waitFor: ['etcd_with_coverage']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci_complete'
+  entrypoint: /bin/true
+  waitFor: ['codecov.io', 'default_test', 'race_detection', 'etcd_with_coverage', 'etcd_with_race', 'with_pkcs11_and_race']
+
+############################################################################
+## End of replicated section.
+## Below are deployment specific steps for the CD env.
+############################################################################
+
+- id: build_ctfe
+  name: gcr.io/cloud-builders/docker
+  args:
+  - build
+  - --file=trillian/examples/deployment/docker/ctfe/Dockerfile
+  - --tag=gcr.io/${PROJECT_ID}/ctfe:${COMMIT_SHA}
+  - --cache-from=gcr.io/${PROJECT_ID}/ctfe
+  - .
+  waitFor: [-]
+- id: build_envsubst
+  name: gcr.io/cloud-builders/docker
+  args:
+  - build
+  - trillian/examples/deployment/docker/envsubst
+  - -t
+  - envsubst
+  waitFor: ['ci_complete']
+- id: envsubst_kubernetes_configs
+  name: envsubst
+  args:
+  - trillian/examples/deployment/kubernetes/ctfe-deployment.yaml
+  - trillian/examples/deployment/kubernetes/ctfe-service.yaml
+  - trillian/examples/deployment/kubernetes/ctfe-ingress.yaml
+  env:
+  - PROJECT_ID=${PROJECT_ID}
+  - IMAGE_TAG=${COMMIT_SHA}
+  waitFor:
+  - build_envsubst
+- id: update_kubernetes_configs_dryrun
+  name: gcr.io/cloud-builders/kubectl
+  args:
+  - apply
+  - --dry-run=server
+  - -f=trillian/examples/deployment/kubernetes/ctfe-deployment.yaml
+  - -f=trillian/examples/deployment/kubernetes/ctfe-service.yaml
+  - -f=trillian/examples/deployment/kubernetes/ctfe-ingress.yaml
+  env:
+  - CLOUDSDK_COMPUTE_ZONE=${_MASTER_ZONE}
+  - CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}
+  waitFor:
+  - envsubst_kubernetes_configs
+  - build_ctfe
+
+images:
+- gcr.io/${PROJECT_ID}/ctfe:${COMMIT_SHA}
+- gcr.io/${PROJECT_ID}/ct_testbase:latest

vendor/github.com/google/certificate-transparency-go/cloudbuild_master.yaml

@@ -0,0 +1,217 @@
+#############################################################################
+## The top section of this file is identical in the 3 cloudbuild.*yaml files.
+## Make sure any edits you make here are copied over to the other files too
+## if appropriate.
+##
+## TODO(al): consider if it's possible to merge these 3 files and control via
+## substitutions.
+#############################################################################
+
+timeout: 1200s
+options:
+  machineType: N1_HIGHCPU_32
+  volumes:
+  - name: go-modules
+    path: /go
+  env:
+  - GO111MODULE=on
+  - GOPROXY=https://proxy.golang.org
+  - PROJECT_ROOT=github.com/google/certificate-transparency-go
+  - GOPATH=/go
+
+substitutions:
+  _CLUSTER_NAME: trillian-opensource-ci
+  _MASTER_ZONE: us-central1-a
+
+steps:
+# First build a "ct_testbase" docker image which contains most of the tools we need for the later steps:
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/$PROJECT_ID/ct_testbase:latest || exit 0']
+- name: 'gcr.io/cloud-builders/docker'
+  args: [
+    'build',
+    '-t', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '--cache-from', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '-f', './integration/Dockerfile',
+    '.'
+  ]
+
+# prepare spins up an ephemeral trillian instance for testing use.
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  entrypoint: 'bash'
+  id: 'prepare'
+  args:
+  - '-exc'
+  - |
+    # Use latest versions of Trillian docker images built by the Trillian CI cloudbuilders.
+    docker pull gcr.io/$PROJECT_ID/log_server:latest
+    docker tag gcr.io/$PROJECT_ID/log_server:latest deployment_trillian-log-server
+    docker pull gcr.io/$PROJECT_ID/log_signer:latest
+    docker tag gcr.io/$PROJECT_ID/log_signer:latest deployment_trillian-log-signer
+
+    # Bring up an ephemeral trillian instance using the docker-compose config in the Trillian repo:
+    export TRILLIAN_LOCATION="$$(go list -f '{{.Dir}}' github.com/google/trillian)"
+
+    # We need to fix up Trillian's docker-compose to connect to the CloudBuild network to that tests can use it:
+    echo -e "networks:\n      default:\n        external:\n          name: cloudbuild" >> $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml
+
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml pull mysql trillian-log-server trillian-log-signer
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml up -d mysql trillian-log-server trillian-log-signer
+
+# Install proto related bits and block on Trillian being ready
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci-ready'
+  entrypoint: 'bash'
+  args:
+    - '-ec'
+    - |
+      go install \
+        github.com/golang/protobuf/proto \
+        github.com/golang/protobuf/protoc-gen-go \
+        github.com/golang/mock/mockgen \
+        go.etcd.io/etcd/v3 go.etcd.io/etcd/etcdctl/v3 \
+        github.com/fullstorydev/grpcurl/cmd/grpcurl
+
+
+      # Cache all the modules we'll need too
+      go mod download
+      go test -i ./...
+
+      # Wait for trillian logserver to be up
+      until nc -z deployment_trillian-log-server_1 8090; do echo .; sleep 5; done
+  waitFor: ['prepare']
+
+# Run the presubmit tests
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'default_test'
+  env:
+    - 'GOFLAGS='
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'race_detection'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_coverage'
+  env:
+    - 'GOFLAGS='
+    - 'PRESUBMIT_OPTS=--no-linters --coverage'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_race'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'with_pkcs11_and_race'
+  env:
+    - 'GOFLAGS=-race --tags=pkcs11'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'WITH_PKCS11=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+# Collect and submit codecoverage reports
+- name: 'gcr.io/cloud-builders/curl'
+  id: 'codecov.io'
+  entrypoint: bash
+  args: ['-c', 'bash <(curl -s https://codecov.io/bash)']
+  env:
+  - 'VCS_COMMIT_ID=$COMMIT_SHA'
+  - 'VCS_BRANCH_NAME=$BRANCH_NAME'
+  - 'VCS_PULL_REQUEST=$_PR_NUMBER'
+  - 'CI_BUILD_ID=$BUILD_ID'
+  - 'CODECOV_TOKEN=$_CODECOV_TOKEN' # _CODECOV_TOKEN is specified in the cloud build trigger
+  waitFor: ['etcd_with_coverage']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci_complete'
+  entrypoint: /bin/true
+  waitFor: ['codecov.io', 'default_test', 'race_detection', 'etcd_with_coverage', 'etcd_with_race', 'with_pkcs11_and_race']
+
+############################################################################
+## End of replicated section.
+## Below are deployment specific steps for the CD env.
+############################################################################
+
+- id: build_ctfe
+  name: gcr.io/cloud-builders/docker
+  args:
+  - build
+  - --file=trillian/examples/deployment/docker/ctfe/Dockerfile
+  - --tag=gcr.io/${PROJECT_ID}/ctfe:${COMMIT_SHA}
+  - --cache-from=gcr.io/${PROJECT_ID}/ctfe
+  - .
+  waitFor: ["-"]
+- id: push_ctfe
+  name: gcr.io/cloud-builders/docker
+  args:
+  - push
+  - gcr.io/${PROJECT_ID}/ctfe:${COMMIT_SHA}
+  waitFor:
+  - build_ctfe
+- id: tag_latest_ctfe
+  name: gcr.io/cloud-builders/gcloud
+  args:
+  - container
+  - images
+  - add-tag
+  - gcr.io/${PROJECT_ID}/ctfe:${COMMIT_SHA}
+  - gcr.io/${PROJECT_ID}/ctfe:latest
+  waitFor:
+  - push_ctfe
+- id: build_envsubst
+  name: gcr.io/cloud-builders/docker
+  args:
+  - build
+  - trillian/examples/deployment/docker/envsubst
+  - -t
+  - envsubst
+  waitFor: ["-"]
+- id: envsubst_kubernetes_configs
+  name: envsubst
+  args:
+  - trillian/examples/deployment/kubernetes/ctfe-deployment.yaml
+  - trillian/examples/deployment/kubernetes/ctfe-service.yaml
+  - trillian/examples/deployment/kubernetes/ctfe-ingress.yaml
+  env:
+  - PROJECT_ID=${PROJECT_ID}
+  - IMAGE_TAG=${COMMIT_SHA}
+  waitFor:
+  - build_envsubst
+- id: update_kubernetes_configs
+  name: gcr.io/cloud-builders/kubectl
+  args:
+  - apply
+  - -f=trillian/examples/deployment/kubernetes/ctfe-deployment.yaml
+  - -f=trillian/examples/deployment/kubernetes/ctfe-service.yaml
+  - -f=trillian/examples/deployment/kubernetes/ctfe-ingress.yaml
+  env:
+  - CLOUDSDK_COMPUTE_ZONE=${_MASTER_ZONE}
+  - CLOUDSDK_CONTAINER_CLUSTER=${_CLUSTER_NAME}
+  waitFor:
+  - envsubst_kubernetes_configs
+  - push_ctfe
+
+images:
+- gcr.io/${PROJECT_ID}/ctfe:${COMMIT_SHA}
+- gcr.io/${PROJECT_ID}/ct_testbase:latest

vendor/github.com/google/certificate-transparency-go/cloudbuild_tag.yaml

@@ -1,10 +1,167 @@
+#############################################################################
+## The top section of this file is identical in the 3 cloudbuild.*yaml files.
+## Make sure any edits you make here are copied over to the other files too
+## if appropriate.
+##
+## TODO(al): consider if it's possible to merge these 3 files and control via
+## substitutions.
+#############################################################################
+
+timeout: 1200s
+options:
+  machineType: N1_HIGHCPU_32
+  volumes:
+  - name: go-modules
+    path: /go
+  env:
+  - GO111MODULE=on
+  - GOPROXY=https://proxy.golang.org
+  - PROJECT_ROOT=github.com/google/certificate-transparency-go
+  - GOPATH=/go
+
+substitutions:
+  _CLUSTER_NAME: trillian-opensource-ci
+  _MASTER_ZONE: us-central1-a
+
 steps:
+# First build a "ct_testbase" docker image which contains most of the tools we need for the later steps:
+- name: 'gcr.io/cloud-builders/docker'
+  entrypoint: 'bash'
+  args: ['-c', 'docker pull gcr.io/$PROJECT_ID/ct_testbase:latest || exit 0']
+- name: 'gcr.io/cloud-builders/docker'
+  args: [
+    'build',
+    '-t', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '--cache-from', 'gcr.io/$PROJECT_ID/ct_testbase:latest',
+    '-f', './integration/Dockerfile',
+    '.'
+  ]
+
+# prepare spins up an ephemeral trillian instance for testing use.
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  entrypoint: 'bash'
+  id: 'prepare'
+  args:
+  - '-exc'
+  - |
+    # Use latest versions of Trillian docker images built by the Trillian CI cloudbuilders.
+    docker pull gcr.io/$PROJECT_ID/log_server:latest
+    docker tag gcr.io/$PROJECT_ID/log_server:latest deployment_trillian-log-server
+    docker pull gcr.io/$PROJECT_ID/log_signer:latest
+    docker tag gcr.io/$PROJECT_ID/log_signer:latest deployment_trillian-log-signer
+
+    # Bring up an ephemeral trillian instance using the docker-compose config in the Trillian repo:
+    export TRILLIAN_LOCATION="$$(go list -f '{{.Dir}}' github.com/google/trillian)"
+
+    # We need to fix up Trillian's docker-compose to connect to the CloudBuild network to that tests can use it:
+    echo -e "networks:\n      default:\n        external:\n          name: cloudbuild" >> $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml
+
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml pull mysql trillian-log-server trillian-log-signer
+    docker-compose -f $${TRILLIAN_LOCATION}/examples/deployment/docker-compose.yml up -d mysql trillian-log-server trillian-log-signer
+
+# Install proto related bits and block on Trillian being ready
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci-ready'
+  entrypoint: 'bash'
+  args:
+    - '-ec'
+    - |
+      go install \
+        github.com/golang/protobuf/proto \
+        github.com/golang/protobuf/protoc-gen-go \
+        github.com/golang/mock/mockgen \
+        go.etcd.io/etcd/v3 go.etcd.io/etcd/etcdctl/v3 \
+        github.com/fullstorydev/grpcurl/cmd/grpcurl
+
+
+      # Cache all the modules we'll need too
+      go mod download
+      go test -i ./...
+
+      # Wait for trillian logserver to be up
+      until nc -z deployment_trillian-log-server_1 8090; do echo .; sleep 5; done
+  waitFor: ['prepare']
+
+# Run the presubmit tests
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'default_test'
+  env:
+    - 'GOFLAGS='
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'race_detection'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_coverage'
+  env:
+    - 'GOFLAGS='
+    - 'PRESUBMIT_OPTS=--no-linters --coverage'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'etcd_with_race'
+  env:
+    - 'GOFLAGS=-race'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'WITH_ETCD=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'with_pkcs11_and_race'
+  env:
+    - 'GOFLAGS=-race --tags=pkcs11'
+    - 'PRESUBMIT_OPTS=--no-linters'
+    - 'WITH_PKCS11=true'
+    - 'TRILLIAN_LOG_SERVERS=deployment_trillian-log-server_1:8090'
+    - 'TRILLIAN_LOG_SERVER_1=deployment_trillian-log-server_1:8090'
+  waitFor: ['ci-ready']
+
+# Collect and submit codecoverage reports
+- name: 'gcr.io/cloud-builders/curl'
+  id: 'codecov.io'
+  entrypoint: bash
+  args: ['-c', 'bash <(curl -s https://codecov.io/bash)']
+  env:
+  - 'VCS_COMMIT_ID=$COMMIT_SHA'
+  - 'VCS_BRANCH_NAME=$BRANCH_NAME'
+  - 'VCS_PULL_REQUEST=$_PR_NUMBER'
+  - 'CI_BUILD_ID=$BUILD_ID'
+  - 'CODECOV_TOKEN=$_CODECOV_TOKEN' # _CODECOV_TOKEN is specified in the cloud build trigger
+  waitFor: ['etcd_with_coverage']
+
+- name: gcr.io/$PROJECT_ID/ct_testbase
+  id: 'ci_complete'
+  entrypoint: /bin/true
+  waitFor: ['codecov.io', 'default_test', 'race_detection', 'etcd_with_coverage', 'etcd_with_race', 'with_pkcs11_and_race']
+
+############################################################################
+## End of replicated section.
+## Below are deployment specific steps for the CD env.
+############################################################################
+
 - id: build_ctfe
   name: gcr.io/cloud-builders/docker
   args:
   - build
   - --file=trillian/examples/deployment/docker/ctfe/Dockerfile
   - --tag=gcr.io/${PROJECT_ID}/ctfe:${TAG_NAME}
+  - --cache-from=gcr.io/${PROJECT_ID}/ctfe
   - .
+
 images:
 - gcr.io/${PROJECT_ID}/ctfe:${TAG_NAME}
+- gcr.io/${PROJECT_ID}/ct_testbase:latest

vendor/github.com/google/certificate-transparency-go/codecov.yml

@@ -0,0 +1,19 @@
+# Customizations to codecov for c-t-go repo. This will be merged into
+# the team / default codecov yaml file.
+#
+# Validate changes with:
+# curl --data-binary @codecov.yml https://codecov.io/validate
+
+# Exclude code that's for testing, demos or utilities that aren't really
+# part of production releases.
+ignore:
+  - "**/mock_*.go"
+  - "**/testonly"
+  - "trillian/integration"
+
+coverage:
+  status:
+    project:
+      default:
+        # Allow 1% coverage drop without complaining, to avoid being too noisy.
+        threshold: 1%

vendor/github.com/google/certificate-transparency-go/gometalinter.json

@@ -1,28 +0,0 @@
-{
-  "Deadline": "60s",
-  "Linters": {
-    "license": "./scripts/check_license.sh:PATH:LINE:MESSAGE",
-    "forked": "./scripts/check_forked.sh:PATH:LINE:MESSAGE",
-    "unforked": "./scripts/check_unforked.sh:PATH:LINE:MESSAGE"
-  },
-  "Enable": [
-    "forked",
-    "gocyclo",
-    "gofmt",
-    "goimports",
-    "golint",
-    "license",
-    "misspell",
-    "unforked",
-    "vet"
-  ],
-  "Exclude": [
-    "x509/",
-    "asn1/",
-    ".+\\.pb\\.go",
-    ".+\\.pb\\.gw\\.go",
-    "mock_.+\\.go"
-  ],
-  "Cyclo": 40,
-  "Vendor": true
-}

vendor/github.com/google/certificate-transparency-go/jsonclient/backoff.go

@@ -1,4 +1,4 @@
-// Copyright 2017 Google Inc. All Rights Reserved.
+// Copyright 2017 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

vendor/github.com/google/certificate-transparency-go/jsonclient/client.go

@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc. All Rights Reserved.
+// Copyright 2016 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -21,7 +21,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"log"
 	"math/rand"
 	"net/http"
@@ -33,6 +33,7 @@ import (
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/x509"
 	"golang.org/x/net/context/ctxhttp"
+	"k8s.io/klog/v2"
 )
 
 const maxJitter = 250 * time.Millisecond
@@ -58,6 +59,7 @@ type JSONClient struct {
 	Verifier   *ct.SignatureVerifier // nil for no verification (e.g. no public key available)
 	logger     Logger                // interface to use for logging warnings and errors
 	backoff    backoffer             // object used to store and calculate backoff information
+	userAgent  string                // If set, this is sent as the UserAgent header.
 }
 
 // Logger is a simple logging interface used to log internal errors and warnings
@@ -75,6 +77,8 @@ type Options struct {
 	PublicKey string
 	// DER format public key to use for signature verification.
 	PublicKeyDER []byte
+	// UserAgent, if set, will be sent as the User-Agent header with each request.
+	UserAgent string
 }
 
 // ParsePublicKey parses and returns the public key contained in opts.
@@ -105,6 +109,19 @@ func (bl *basicLogger) Printf(msg string, args ...interface{}) {
 	log.Printf(msg, args...)
 }
 
+// RspError represents an error that occurred when processing a response from a server,
+// and also includes key details from the http.Response that triggered the error.
+type RspError struct {
+	Err        error
+	StatusCode int
+	Body       []byte
+}
+
+// Error formats the RspError instance, focusing on the error.
+func (e RspError) Error() string {
+	return e.Err.Error()
+}
+
 // New constructs a new JSONClient instance, for the given base URI, using the
 // given http.Client object (if provided) and the Options object.
 // If opts does not specify a public key, signatures will not be verified.
@@ -136,6 +153,7 @@ func New(uri string, hc *http.Client, opts Options) (*JSONClient, error) {
 		Verifier:   verifier,
 		logger:     logger,
 		backoff:    &backoff{},
+		userAgent:  opts.UserAgent,
 	}, nil
 }
 
@@ -144,11 +162,10 @@ func (c *JSONClient) BaseURI() string {
 	return c.uri
 }
 
-// GetAndParse makes a HTTP GET call to the given path, and attempta to parse
+// GetAndParse makes a HTTP GET call to the given path, and attempts to parse
 // the response as a JSON representation of the rsp structure.  Returns the
-// http.Response, the body of the response, and an error.  Note that the
-// returned http.Response can be non-nil even when an error is returned,
-// in particular when the HTTP status is not OK or when the JSON parsing fails.
+// http.Response, the body of the response, and an error (which may be of
+// type RspError if the HTTP response was available).
 func (c *JSONClient) GetAndParse(ctx context.Context, path string, params map[string]string, rsp interface{}) (*http.Response, []byte, error) {
 	if ctx == nil {
 		return nil, nil, errors.New("context.Context required")
@@ -159,10 +176,14 @@ func (c *JSONClient) GetAndParse(ctx context.Context, path string, params map[st
 		vals.Add(k, v)
 	}
 	fullURI := fmt.Sprintf("%s%s?%s", c.uri, path, vals.Encode())
+	klog.V(2).Infof("GET %s", fullURI)
 	httpReq, err := http.NewRequest(http.MethodGet, fullURI, nil)
 	if err != nil {
 		return nil, nil, err
 	}
+	if len(c.userAgent) != 0 {
+		httpReq.Header.Set("User-Agent", c.userAgent)
+	}
 
 	httpRsp, err := ctxhttp.Do(ctx, c.httpClient, httpReq)
 	if err != nil {
@@ -170,18 +191,18 @@ func (c *JSONClient) GetAndParse(ctx context.Context, path string, params map[st
 	}
 
 	// Read everything now so http.Client can reuse the connection.
-	body, err := ioutil.ReadAll(httpRsp.Body)
+	body, err := io.ReadAll(httpRsp.Body)
 	httpRsp.Body.Close()
 	if err != nil {
-		return httpRsp, body, fmt.Errorf("failed to read response body: %v", err)
+		return nil, nil, RspError{Err: fmt.Errorf("failed to read response body: %v", err), StatusCode: httpRsp.StatusCode, Body: body}
 	}
 
 	if httpRsp.StatusCode != http.StatusOK {
-		return httpRsp, body, fmt.Errorf("got HTTP Status %q", httpRsp.Status)
+		return nil, nil, RspError{Err: fmt.Errorf("got HTTP Status %q", httpRsp.Status), StatusCode: httpRsp.StatusCode, Body: body}
 	}
 
 	if err := json.NewDecoder(bytes.NewReader(body)).Decode(rsp); err != nil {
-		return httpRsp, body, err
+		return nil, nil, RspError{Err: err, StatusCode: httpRsp.StatusCode, Body: body}
 	}
 
 	return httpRsp, body, nil
@@ -190,9 +211,7 @@ func (c *JSONClient) GetAndParse(ctx context.Context, path string, params map[st
 // PostAndParse makes a HTTP POST call to the given path, including the request
 // parameters, and attempts to parse the response as a JSON representation of
 // the rsp structure. Returns the http.Response, the body of the response, and
-// an error.  Note that the returned http.Response can be non-nil even when an
-// error is returned, in particular when the HTTP status is not OK or when the
-// JSON parsing fails.
+// an error (which may be of type RspError if the HTTP response was available).
 func (c *JSONClient) PostAndParse(ctx context.Context, path string, req, rsp interface{}) (*http.Response, []byte, error) {
 	if ctx == nil {
 		return nil, nil, errors.New("context.Context required")
@@ -203,10 +222,14 @@ func (c *JSONClient) PostAndParse(ctx context.Context, path string, req, rsp int
 		return nil, nil, err
 	}
 	fullURI := fmt.Sprintf("%s%s", c.uri, path)
+	klog.V(2).Infof("POST %s", fullURI)
 	httpReq, err := http.NewRequest(http.MethodPost, fullURI, bytes.NewReader(postBody))
 	if err != nil {
 		return nil, nil, err
 	}
+	if len(c.userAgent) != 0 {
+		httpReq.Header.Set("User-Agent", c.userAgent)
+	}
 	httpReq.Header.Set("Content-Type", "application/json")
 
 	httpRsp, err := ctxhttp.Do(ctx, c.httpClient, httpReq)
@@ -214,16 +237,19 @@ func (c *JSONClient) PostAndParse(ctx context.Context, path string, req, rsp int
 	// Read all of the body, if there is one, so that the http.Client can do Keep-Alive.
 	var body []byte
 	if httpRsp != nil {
-		body, err = ioutil.ReadAll(httpRsp.Body)
+		body, err = io.ReadAll(httpRsp.Body)
 		httpRsp.Body.Close()
 	}
 	if err != nil {
-		return httpRsp, body, err
+		if httpRsp != nil {
+			return nil, nil, RspError{StatusCode: httpRsp.StatusCode, Body: body, Err: err}
+		}
+		return nil, nil, err
 	}
 
 	if httpRsp.StatusCode == http.StatusOK {
 		if err = json.Unmarshal(body, &rsp); err != nil {
-			return httpRsp, body, err
+			return nil, nil, RspError{StatusCode: httpRsp.StatusCode, Body: body, Err: err}
 		}
 	}
 	return httpRsp, body, nil
@@ -260,15 +286,17 @@ func (c *JSONClient) PostAndParseWithRetry(ctx context.Context, path string, req
 				return nil, nil, err
 			}
 			wait := c.backoff.set(nil)
-			c.logger.Printf("Request failed, backing-off for %s: %s", wait, err)
+			c.logger.Printf("Request to %s failed, backing-off %s: %s", c.uri, wait, err)
 		} else {
 			switch {
 			case httpRsp.StatusCode == http.StatusOK:
 				return httpRsp, body, nil
 			case httpRsp.StatusCode == http.StatusRequestTimeout:
 				// Request timeout, retry immediately
-				c.logger.Printf("Request timed out, retrying immediately")
+				c.logger.Printf("Request to %s timed out, retrying immediately", c.uri)
 			case httpRsp.StatusCode == http.StatusServiceUnavailable:
+				fallthrough
+			case httpRsp.StatusCode == http.StatusTooManyRequests:
 				var backoff *time.Duration
 				// Retry-After may be either a number of seconds as a int or a RFC 1123
 				// date string (RFC 7231 Section 7.1.3)
@@ -277,14 +305,17 @@ func (c *JSONClient) PostAndParseWithRetry(ctx context.Context, path string, req
 						b := time.Duration(seconds) * time.Second
 						backoff = &b
 					} else if date, err := time.Parse(time.RFC1123, retryAfter); err == nil {
-						b := date.Sub(time.Now())
+						b := time.Until(date)
 						backoff = &b
 					}
 				}
 				wait := c.backoff.set(backoff)
-				c.logger.Printf("Request failed, backing-off for %s: got HTTP status %s", wait, httpRsp.Status)
+				c.logger.Printf("Request to %s failed, backing-off for %s: got HTTP status %s", c.uri, wait, httpRsp.Status)
 			default:
-				return httpRsp, body, fmt.Errorf("got HTTP Status %q", httpRsp.Status)
+				return nil, nil, RspError{
+					StatusCode: httpRsp.StatusCode,
+					Body:       body,
+					Err:        fmt.Errorf("got HTTP status %q", httpRsp.Status)}
 			}
 		}
 		if err := c.waitForBackoff(ctx); err != nil {

vendor/github.com/google/certificate-transparency-go/proto_gen.go

@@ -0,0 +1,25 @@
+// Copyright 2021 Google LLC. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ct
+
+// We do the protoc generation here (rather than in the individual directories)
+// in order to work around the newly-enforced rule that all protobuf file "names"
+// must be unique.
+// See https://developers.google.com/protocol-buffers/docs/proto#packages and
+// https://github.com/golang/protobuf/issues/1122
+
+//go:generate sh -c "protoc -I=. -I$(go list -f '{{ .Dir }}' github.com/google/trillian) -I$(go list -f '{{ .Dir }}' github.com/google/certificate-transparency-go) --go_out=paths=source_relative:. trillian/ctfe/configpb/config.proto"
+//go:generate sh -c "protoc -I=. -I$(go list -f '{{ .Dir }}' github.com/google/trillian) -I$(go list -f '{{ .Dir }}' github.com/google/certificate-transparency-go) --go_out=paths=source_relative:. trillian/migrillian/configpb/config.proto"
+//go:generate sh -c "protoc -I=. -I$(go list -f '{{ .Dir }}' github.com/google/certificate-transparency-go) --go_out=paths=source_relative:. client/configpb/multilog.proto"

vendor/github.com/google/certificate-transparency-go/serialization.go

@@ -1,4 +1,4 @@
-// Copyright 2015 Google Inc. All Rights Reserved.
+// Copyright 2015 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,9 +17,7 @@ package ct
 import (
 	"crypto"
 	"crypto/sha256"
-	"encoding/json"
 	"fmt"
-	"strings"
 	"time"
 
 	"github.com/google/certificate-transparency-go/tls"
@@ -46,8 +44,6 @@ func SerializeSCTSignatureInput(sct SignedCertificateTimestamp, entry LogEntry)
 				IssuerKeyHash:  entry.Leaf.TimestampedEntry.PrecertEntry.IssuerKeyHash,
 				TBSCertificate: entry.Leaf.TimestampedEntry.PrecertEntry.TBSCertificate,
 			}
-		case XJSONLogEntryType:
-			input.JSONEntry = entry.Leaf.TimestampedEntry.JSONEntry
 		default:
 			return nil, fmt.Errorf("unsupported entry type %s", entry.Leaf.TimestampedEntry.EntryType)
 		}
@@ -92,32 +88,6 @@ func CreateX509MerkleTreeLeaf(cert ASN1Cert, timestamp uint64) *MerkleTreeLeaf {
 	}
 }
 
-// CreateJSONMerkleTreeLeaf creates the merkle tree leaf for json data.
-func CreateJSONMerkleTreeLeaf(data interface{}, timestamp uint64) *MerkleTreeLeaf {
-	jsonData, err := json.Marshal(AddJSONRequest{Data: data})
-	if err != nil {
-		return nil
-	}
-	// Match the JSON serialization implemented by json-c
-	jsonStr := strings.Replace(string(jsonData), ":", ": ", -1)
-	jsonStr = strings.Replace(jsonStr, ",", ", ", -1)
-	jsonStr = strings.Replace(jsonStr, "{", "{ ", -1)
-	jsonStr = strings.Replace(jsonStr, "}", " }", -1)
-	jsonStr = strings.Replace(jsonStr, "/", `\/`, -1)
-	// TODO: Pending google/certificate-transparency#1243, replace with
-	// ObjectHash once supported by CT server.
-
-	return &MerkleTreeLeaf{
-		Version:  V1,
-		LeafType: TimestampedEntryLeafType,
-		TimestampedEntry: &TimestampedEntry{
-			Timestamp: timestamp,
-			EntryType: XJSONLogEntryType,
-			JSONEntry: &JSONDataEntry{Data: []byte(jsonStr)},
-		},
-	}
-}
-
 // MerkleTreeLeafFromRawChain generates a MerkleTreeLeaf from a chain (in DER-encoded form) and timestamp.
 func MerkleTreeLeafFromRawChain(rawChain []ASN1Cert, etype LogEntryType, timestamp uint64) (*MerkleTreeLeaf, error) {
 	// Need at most 3 of the chain
@@ -128,7 +98,7 @@ func MerkleTreeLeafFromRawChain(rawChain []ASN1Cert, etype LogEntryType, timesta
 	chain := make([]*x509.Certificate, count)
 	for i := range chain {
 		cert, err := x509.ParseCertificate(rawChain[i].Data)
-		if err != nil {
+		if x509.IsFatal(err) {
 			return nil, fmt.Errorf("failed to parse chain[%d] cert: %v", i, err)
 		}
 		chain[i] = cert
@@ -248,60 +218,96 @@ func IsPreIssuer(issuer *x509.Certificate) bool {
 	return false
 }
 
-// LogEntryFromLeaf converts a LeafEntry object (which has the raw leaf data after JSON parsing)
-// into a LogEntry object (which includes x509.Certificate objects, after TLS and ASN.1 parsing).
-// Note that this function may return a valid LogEntry object and a non-nil error value, when
-// the error indicates a non-fatal parsing error (of type x509.NonFatalErrors).
-func LogEntryFromLeaf(index int64, leafEntry *LeafEntry) (*LogEntry, error) {
-	var leaf MerkleTreeLeaf
-	if rest, err := tls.Unmarshal(leafEntry.LeafInput, &leaf); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal MerkleTreeLeaf for index %d: %v", index, err)
+// RawLogEntryFromLeaf converts a LeafEntry object (which has the raw leaf data
+// after JSON parsing) into a RawLogEntry object (i.e. a TLS-parsed structure).
+func RawLogEntryFromLeaf(index int64, entry *LeafEntry) (*RawLogEntry, error) {
+	ret := RawLogEntry{Index: index}
+	if rest, err := tls.Unmarshal(entry.LeafInput, &ret.Leaf); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal MerkleTreeLeaf: %v", err)
 	} else if len(rest) > 0 {
-		return nil, fmt.Errorf("trailing data (%d bytes) after MerkleTreeLeaf for index %d", len(rest), index)
+		return nil, fmt.Errorf("MerkleTreeLeaf: trailing data %d bytes", len(rest))
 	}
 
-	var err error
-	entry := LogEntry{Index: index, Leaf: leaf}
-	switch leaf.TimestampedEntry.EntryType {
+	switch eType := ret.Leaf.TimestampedEntry.EntryType; eType {
 	case X509LogEntryType:
 		var certChain CertificateChain
-		if rest, err := tls.Unmarshal(leafEntry.ExtraData, &certChain); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal ExtraData for index %d: %v", index, err)
+		if rest, err := tls.Unmarshal(entry.ExtraData, &certChain); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal CertificateChain: %v", err)
 		} else if len(rest) > 0 {
-			return nil, fmt.Errorf("trailing data (%d bytes) after CertificateChain for index %d", len(rest), index)
-		}
-		entry.Chain = certChain.Entries
-		entry.X509Cert, err = leaf.X509Certificate()
-		if _, ok := err.(x509.NonFatalErrors); !ok && err != nil {
-			return nil, fmt.Errorf("failed to parse certificate in MerkleTreeLeaf for index %d: %v", index, err)
+			return nil, fmt.Errorf("CertificateChain: trailing data %d bytes", len(rest))
 		}
+		ret.Cert = *ret.Leaf.TimestampedEntry.X509Entry
+		ret.Chain = certChain.Entries
 
 	case PrecertLogEntryType:
 		var precertChain PrecertChainEntry
-		if rest, err := tls.Unmarshal(leafEntry.ExtraData, &precertChain); err != nil {
-			return nil, fmt.Errorf("failed to unmarshal PrecertChainEntry for index %d: %v", index, err)
+		if rest, err := tls.Unmarshal(entry.ExtraData, &precertChain); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal PrecertChainEntry: %v", err)
 		} else if len(rest) > 0 {
-			return nil, fmt.Errorf("trailing data (%d bytes) after PrecertChainEntry for index %d", len(rest), index)
+			return nil, fmt.Errorf("PrecertChainEntry: trailing data %d bytes", len(rest))
 		}
-		entry.Chain = precertChain.CertificateChain
+		ret.Cert = precertChain.PreCertificate
+		ret.Chain = precertChain.CertificateChain
+
+	default:
+		// TODO(pavelkalinnikov): Section 4.6 of RFC6962 implies that unknown types
+		// are not errors. We should revisit how we process this case.
+		return nil, fmt.Errorf("unknown entry type: %v", eType)
+	}
+
+	return &ret, nil
+}
+
+// ToLogEntry converts RawLogEntry to a LogEntry, which includes an x509-parsed
+// (pre-)certificate.
+//
+// Note that this function may return a valid LogEntry object and a non-nil
+// error value, when the error indicates a non-fatal parsing error.
+func (rle *RawLogEntry) ToLogEntry() (*LogEntry, error) {
+	var err error
+	entry := LogEntry{Index: rle.Index, Leaf: rle.Leaf, Chain: rle.Chain}
+
+	switch eType := rle.Leaf.TimestampedEntry.EntryType; eType {
+	case X509LogEntryType:
+		entry.X509Cert, err = rle.Leaf.X509Certificate()
+		if x509.IsFatal(err) {
+			return nil, fmt.Errorf("failed to parse certificate: %v", err)
+		}
+
+	case PrecertLogEntryType:
 		var tbsCert *x509.Certificate
-		tbsCert, err = leaf.Precertificate()
-		if _, ok := err.(x509.NonFatalErrors); !ok && err != nil {
-			return nil, fmt.Errorf("failed to parse precertificate in MerkleTreeLeaf for index %d: %v", index, err)
+		tbsCert, err = rle.Leaf.Precertificate()
+		if x509.IsFatal(err) {
+			return nil, fmt.Errorf("failed to parse precertificate: %v", err)
 		}
 		entry.Precert = &Precertificate{
-			Submitted:      precertChain.PreCertificate,
-			IssuerKeyHash:  leaf.TimestampedEntry.PrecertEntry.IssuerKeyHash,
+			Submitted:      rle.Cert,
+			IssuerKeyHash:  rle.Leaf.TimestampedEntry.PrecertEntry.IssuerKeyHash,
 			TBSCertificate: tbsCert,
 		}
 
 	default:
-		return nil, fmt.Errorf("saw unknown entry type at index %d: %v", index, leaf.TimestampedEntry.EntryType)
+		return nil, fmt.Errorf("unknown entry type: %v", eType)
 	}
-	// err may hold a x509.NonFatalErrors object.
+
+	// err may be non-nil for a non-fatal error.
 	return &entry, err
 }
 
+// LogEntryFromLeaf converts a LeafEntry object (which has the raw leaf data
+// after JSON parsing) into a LogEntry object (which includes x509.Certificate
+// objects, after TLS and ASN.1 parsing).
+//
+// Note that this function may return a valid LogEntry object and a non-nil
+// error value, when the error indicates a non-fatal parsing error.
+func LogEntryFromLeaf(index int64, leaf *LeafEntry) (*LogEntry, error) {
+	rle, err := RawLogEntryFromLeaf(index, leaf)
+	if err != nil {
+		return nil, err
+	}
+	return rle.ToLogEntry()
+}
+
 // TimestampToTime converts a timestamp in the style of RFC 6962 (milliseconds
 // since UNIX epoch) to a Go Time.
 func TimestampToTime(ts uint64) time.Time {

vendor/github.com/google/certificate-transparency-go/signatures.go

@@ -1,4 +1,4 @@
-// Copyright 2015 Google Inc. All Rights Reserved.
+// Copyright 2015 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -55,7 +55,7 @@ func PublicKeyFromB64(b64PubKey string) (crypto.PublicKey, error) {
 
 // SignatureVerifier can verify signatures on SCTs and STHs
 type SignatureVerifier struct {
-	pubKey crypto.PublicKey
+	PubKey crypto.PublicKey
 }
 
 // NewSignatureVerifier creates a new SignatureVerifier using the passed in PublicKey.
@@ -80,17 +80,15 @@ func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) {
 
 		}
 	default:
-		return nil, fmt.Errorf("Unsupported public key type %v", pkType)
+		return nil, fmt.Errorf("unsupported public key type %v", pkType)
 	}
 
-	return &SignatureVerifier{
-		pubKey: pk,
-	}, nil
+	return &SignatureVerifier{PubKey: pk}, nil
 }
 
 // VerifySignature verifies the given signature sig matches the data.
 func (s SignatureVerifier) VerifySignature(data []byte, sig tls.DigitallySigned) error {
-	return tls.VerifySignature(s.pubKey, data, sig)
+	return tls.VerifySignature(s.PubKey, data, sig)
 }
 
 // VerifySCTSignature verifies that the SCT's signature is valid for the given LogEntry.

vendor/github.com/google/certificate-transparency-go/tls/signature.go

@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc. All Rights Reserved.
+// Copyright 2016 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ package tls
 
 import (
 	"crypto"
-	"crypto/dsa"
+	"crypto/dsa" //nolint:staticcheck
 	"crypto/ecdsa"
 	_ "crypto/md5" // For registration side-effect
 	"crypto/rand"

vendor/github.com/google/certificate-transparency-go/tls/tls.go

@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc. All Rights Reserved.
+// Copyright 2016 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

vendor/github.com/google/certificate-transparency-go/tls/types.go

@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc. All Rights Reserved.
+// Copyright 2016 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@ package tls
 
 import (
 	"crypto"
-	"crypto/dsa"
+	"crypto/dsa" //nolint:staticcheck
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"fmt"

vendor/github.com/google/certificate-transparency-go/types.go

@@ -1,4 +1,4 @@
-// Copyright 2015 Google Inc. All Rights Reserved.
+// Copyright 2015 Google LLC. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@ import (
 ///////////////////////////////////////////////////////////////////////////////
 
 // LogEntryType represents the LogEntryType enum from section 3.1:
+//
 //	enum { x509_entry(0), precert_entry(1), (65535) } LogEntryType;
 type LogEntryType tls.Enum // tls:"maxval:65535"
 
@@ -38,7 +39,6 @@ type LogEntryType tls.Enum // tls:"maxval:65535"
 const (
 	X509LogEntryType    LogEntryType = 0
 	PrecertLogEntryType LogEntryType = 1
-	XJSONLogEntryType   LogEntryType = 0x8000 // Experimental.  Don't rely on this!
 )
 
 func (e LogEntryType) String() string {
@@ -47,8 +47,6 @@ func (e LogEntryType) String() string {
 		return "X509LogEntryType"
 	case PrecertLogEntryType:
 		return "PrecertLogEntryType"
-	case XJSONLogEntryType:
-		return "XJSONLogEntryType"
 	default:
 		return fmt.Sprintf("UnknownEntryType(%d)", e)
 	}
@@ -61,6 +59,7 @@ const (
 )
 
 // MerkleLeafType represents the MerkleLeafType enum from section 3.4:
+//
 //	enum { timestamped_entry(0), (255) } MerkleLeafType;
 type MerkleLeafType tls.Enum // tls:"maxval:255"
 
@@ -77,6 +76,7 @@ func (m MerkleLeafType) String() string {
 }
 
 // Version represents the Version enum from section 3.2:
+//
 //	enum { v1(0), (255) } Version;
 type Version tls.Enum // tls:"maxval:255"
 
@@ -95,6 +95,7 @@ func (v Version) String() string {
 }
 
 // SignatureType differentiates STH signatures from SCT signatures, see section 3.2.
+//
 //	enum { certificate_timestamp(0), tree_hash(1), (255) } SignatureType;
 type SignatureType tls.Enum // tls:"maxval:255"
 
@@ -135,7 +136,7 @@ type PreCert struct {
 
 // CTExtensions is a representation of the raw bytes of any CtExtension
 // structure (see section 3.2).
-// nolint: golint
+// nolint: revive
 type CTExtensions []byte // tls:"minlen:0,maxlen:65535"`
 
 // MerkleTreeNode represents an internal node in the CT tree.
@@ -199,6 +200,25 @@ func (d *DigitallySigned) UnmarshalJSON(b []byte) error {
 	return d.FromBase64String(content)
 }
 
+// RawLogEntry represents the (TLS-parsed) contents of an entry in a CT log.
+type RawLogEntry struct {
+	// Index is a position of the entry in the log.
+	Index int64
+	// Leaf is a parsed Merkle leaf hash input.
+	Leaf MerkleTreeLeaf
+	// Cert is:
+	// - A certificate if Leaf.TimestampedEntry.EntryType is X509LogEntryType.
+	// - A precertificate if Leaf.TimestampedEntry.EntryType is
+	//   PrecertLogEntryType, in the form of a DER-encoded Certificate as
+	//   originally added (which includes the poison extension and a signature
+	//   generated over the pre-cert by the pre-cert issuer).
+	// - Empty otherwise.
+	Cert ASN1Cert
+	// Chain is the issuing certificate chain starting with the issuer of Cert,
+	// or an empty slice if Cert is empty.
+	Chain []ASN1Cert
+}
+
 // LogEntry represents the (parsed) contents of an entry in a CT log.  This is described
 // in section 3.1, but note that this structure does *not* match the TLS structure
 // defined there (the TLS structure is never used directly in RFC6962).
@@ -279,6 +299,23 @@ type SignedTreeHead struct {
 	LogID             SHA256Hash      `json:"log_id"`              // The SHA256 hash of the log's public key
 }
 
+func (s SignedTreeHead) String() string {
+	sigStr, err := s.TreeHeadSignature.Base64String()
+	if err != nil {
+		sigStr = tls.DigitallySigned(s.TreeHeadSignature).String()
+	}
+
+	// If the LogID field in the SignedTreeHead is empty, don't include it in
+	// the string.
+	var logIDStr string
+	if id, empty := s.LogID, (SHA256Hash{}); id != empty {
+		logIDStr = fmt.Sprintf("LogID:%s, ", id.Base64String())
+	}
+
+	return fmt.Sprintf("{%sTreeSize:%d, Timestamp:%d, SHA256RootHash:%q, TreeHeadSignature:%q}",
+		logIDStr, s.TreeSize, s.Timestamp, s.SHA256RootHash.Base64String(), sigStr)
+}
+
 // TreeHeadSignature holds the data over which the signature in an STH is
 // generated; see section 3.5
 type TreeHeadSignature struct {
@@ -426,6 +463,36 @@ type AddChainResponse struct {
 	Signature  []byte  `json:"signature"`   // Log signature for this SCT
 }
 
+// ToSignedCertificateTimestamp creates a SignedCertificateTimestamp from the
+// AddChainResponse.
+func (r *AddChainResponse) ToSignedCertificateTimestamp() (*SignedCertificateTimestamp, error) {
+	sct := SignedCertificateTimestamp{
+		SCTVersion: r.SCTVersion,
+		Timestamp:  r.Timestamp,
+	}
+
+	if len(r.ID) != sha256.Size {
+		return nil, fmt.Errorf("id is invalid length, expected %d got %d", sha256.Size, len(r.ID))
+	}
+	copy(sct.LogID.KeyID[:], r.ID)
+
+	exts, err := base64.StdEncoding.DecodeString(r.Extensions)
+	if err != nil {
+		return nil, fmt.Errorf("invalid base64 data in Extensions (%q): %v", r.Extensions, err)
+	}
+	sct.Extensions = CTExtensions(exts)
+
+	var ds DigitallySigned
+	if rest, err := tls.Unmarshal(r.Signature, &ds); err != nil {
+		return nil, fmt.Errorf("tls.Unmarshal(): %s", err)
+	} else if len(rest) > 0 {
+		return nil, fmt.Errorf("trailing data (%d bytes) after DigitallySigned", len(rest))
+	}
+	sct.Signature = ds
+
+	return &sct, nil
+}
+
 // AddJSONRequest represents the JSON request body sent to the add-json POST method.
 // The corresponding response re-uses AddChainResponse.
 // This is an experimental addition not covered by RFC6962.
@@ -433,7 +500,7 @@ type AddJSONRequest struct {
 	Data interface{} `json:"data"`
 }
 
-// GetSTHResponse respresents the JSON response to the get-sth GET method from section 4.3.
+// GetSTHResponse represents the JSON response to the get-sth GET method from section 4.3.
 type GetSTHResponse struct {
 	TreeSize          uint64 `json:"tree_size"`           // Number of certs in the current tree
 	Timestamp         uint64 `json:"timestamp"`           // Time that the tree was created

vendor/github.com/google/certificate-transparency-go/x509/README.md

@@ -0,0 +1,7 @@
+# Important Notice
+
+This is a fork of the `crypto/x509` Go package. The original source can be found on
+[GitHub](https://github.com/golang/go).
+
+Be careful about making local modifications to this code as it will
+make maintenance harder in future.

vendor/github.com/google/certificate-transparency-go/x509/cert_pool.go

@@ -25,45 +25,61 @@ func NewCertPool() *CertPool {
 	}
 }
 
+func (s *CertPool) copy() *CertPool {
+	p := &CertPool{
+		bySubjectKeyId: make(map[string][]int, len(s.bySubjectKeyId)),
+		byName:         make(map[string][]int, len(s.byName)),
+		certs:          make([]*Certificate, len(s.certs)),
+	}
+	for k, v := range s.bySubjectKeyId {
+		indexes := make([]int, len(v))
+		copy(indexes, v)
+		p.bySubjectKeyId[k] = indexes
+	}
+	for k, v := range s.byName {
+		indexes := make([]int, len(v))
+		copy(indexes, v)
+		p.byName[k] = indexes
+	}
+	copy(p.certs, s.certs)
+	return p
+}
+
 // SystemCertPool returns a copy of the system cert pool.
 //
 // Any mutations to the returned pool are not written to disk and do
-// not affect any other pool.
+// not affect any other pool returned by SystemCertPool.
+//
+// New changes in the system cert pool might not be reflected
+// in subsequent calls.
 func SystemCertPool() (*CertPool, error) {
 	if runtime.GOOS == "windows" {
 		// Issue 16736, 18609:
 		return nil, errors.New("crypto/x509: system root pool is not available on Windows")
 	}
 
+	if sysRoots := systemRootsPool(); sysRoots != nil {
+		return sysRoots.copy(), nil
+	}
+
 	return loadSystemRoots()
 }
 
-// findVerifiedParents attempts to find certificates in s which have signed the
-// given certificate. If any candidates were rejected then errCert will be set
-// to one of them, arbitrarily, and err will contain the reason that it was
-// rejected.
-func (s *CertPool) findVerifiedParents(cert *Certificate) (parents []int, errCert *Certificate, err error) {
+// findPotentialParents returns the indexes of certificates in s which might
+// have signed cert. The caller must not modify the returned slice.
+func (s *CertPool) findPotentialParents(cert *Certificate) []int {
 	if s == nil {
-		return
+		return nil
 	}
-	var candidates []int
 
+	var candidates []int
 	if len(cert.AuthorityKeyId) > 0 {
 		candidates = s.bySubjectKeyId[string(cert.AuthorityKeyId)]
 	}
 	if len(candidates) == 0 {
 		candidates = s.byName[string(cert.RawIssuer)]
 	}
-
-	for _, c := range candidates {
-		if err = cert.CheckSignatureFrom(s.certs[c]); err == nil {
-			parents = append(parents, c)
-		} else {
-			errCert = s.certs[c]
-		}
-	}
-
-	return
+	return candidates
 }
 
 func (s *CertPool) contains(cert *Certificate) bool {
@@ -121,7 +137,7 @@ func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool) {
 		}
 
 		cert, err := ParseCertificate(block.Bytes)
-		if err != nil {
+		if IsFatal(err) {
 			continue
 		}
 

vendor/github.com/google/certificate-transparency-go/x509/curves.go

@@ -0,0 +1,37 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package x509
+
+import (
+	"crypto/elliptic"
+	"math/big"
+	"sync"
+)
+
+// This file holds ECC curves that are not supported by the main Go crypto/elliptic
+// library, but which have been observed in certificates in the wild.
+
+var initonce sync.Once
+var p192r1 *elliptic.CurveParams
+
+func initAllCurves() {
+	initSECP192R1()
+}
+
+func initSECP192R1() {
+	// See SEC-2, section 2.2.2
+	p192r1 = &elliptic.CurveParams{Name: "P-192"}
+	p192r1.P, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 16)
+	p192r1.N, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 16)
+	p192r1.B, _ = new(big.Int).SetString("64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1", 16)
+	p192r1.Gx, _ = new(big.Int).SetString("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", 16)
+	p192r1.Gy, _ = new(big.Int).SetString("07192B95FFC8DA78631011ED6B24CDD573F977A11E794811", 16)
+	p192r1.BitSize = 192
+}
+
+func secp192r1() elliptic.Curve {
+	initonce.Do(initAllCurves)
+	return p192r1
+}

vendor/github.com/google/certificate-transparency-go/x509/error.go

@@ -163,12 +163,18 @@ func (e *Errors) Fatal() bool {
 
 // Empty indicates whether e has no errors.
 func (e *Errors) Empty() bool {
+	if e == nil {
+		return true
+	}
 	return len(e.Errs) == 0
 }
 
 // FirstFatal returns the first fatal error in e, or nil
 // if there is no fatal error.
 func (e *Errors) FirstFatal() error {
+	if e == nil {
+		return nil
+	}
 	for _, err := range e.Errs {
 		if err.Fatal {
 			return err

vendor/github.com/google/certificate-transparency-go/x509/names.go

@@ -27,6 +27,7 @@ const (
 
 // OtherName describes a name related to a certificate which is not in one
 // of the standard name formats. RFC 5280, 4.2.1.6:
+//
 //	OtherName ::= SEQUENCE {
 //	     type-id    OBJECT IDENTIFIER,
 //	     value      [0] EXPLICIT ANY DEFINED BY type-id }

vendor/github.com/google/certificate-transparency-go/x509/nilref_nil_darwin.go

@@ -1,26 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build cgo,!arm,!arm64,!ios,!go1.10
-
-package x509
-
-/*
-#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080
-#cgo LDFLAGS: -framework CoreFoundation -framework Security
-
-#include <CoreFoundation/CoreFoundation.h>
-*/
-import "C"
-
-// For Go versions before 1.10, nil values for Apple's CoreFoundation
-// CF*Ref types were represented by nil.  See:
-//   https://github.com/golang/go/commit/b868616b63a8
-func setNilCFRef(v *C.CFDataRef) {
-	*v = nil
-}
-
-func isNilCFRef(v C.CFDataRef) bool {
-	return v == nil
-}

vendor/github.com/google/certificate-transparency-go/x509/nilref_zero_darwin.go

@@ -1,26 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build cgo,!arm,!arm64,!ios,go1.10
-
-package x509
-
-/*
-#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080
-#cgo LDFLAGS: -framework CoreFoundation -framework Security
-
-#include <CoreFoundation/CoreFoundation.h>
-*/
-import "C"
-
-// For Go versions >= 1.10, nil values for Apple's CoreFoundation
-// CF*Ref types are represented by zero.  See:
-//   https://github.com/golang/go/commit/b868616b63a8
-func setNilCFRef(v *C.CFDataRef) {
-	*v = 0
-}
-
-func isNilCFRef(v C.CFDataRef) bool {
-	return v == 0
-}

vendor/github.com/google/certificate-transparency-go/x509/pem_decrypt.go

@@ -203,7 +203,7 @@ func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, al
 	// the data separately, but it doesn't seem worth the additional
 	// code.
 	copy(encrypted, data)
-	// See RFC 1423, section 1.1
+	// See RFC 1423, Section 1.1.
 	for i := 0; i < pad; i++ {
 		encrypted = append(encrypted, byte(pad))
 	}

vendor/github.com/google/certificate-transparency-go/x509/pkcs1.go

@@ -42,7 +42,9 @@ type pkcs1PublicKey struct {
 	E int
 }
 
-// ParsePKCS1PrivateKey returns an RSA private key from its ASN.1 PKCS#1 DER encoded form.
+// ParsePKCS1PrivateKey parses an RSA private key in PKCS#1, ASN.1 DER form.
+//
+// This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY".
 func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error) {
 	var priv pkcs1PrivateKey
 	rest, err := asn1.Unmarshal(der, &priv)
@@ -50,6 +52,12 @@ func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error) {
 		return nil, asn1.SyntaxError{Msg: "trailing data"}
 	}
 	if err != nil {
+		if _, err := asn1.Unmarshal(der, &ecPrivateKey{}); err == nil {
+			return nil, errors.New("x509: failed to parse private key (use ParseECPrivateKey instead for this key format)")
+		}
+		if _, err := asn1.Unmarshal(der, &pkcs8{}); err == nil {
+			return nil, errors.New("x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)")
+		}
 		return nil, err
 	}
 
@@ -89,7 +97,11 @@ func ParsePKCS1PrivateKey(der []byte) (*rsa.PrivateKey, error) {
 	return key, nil
 }
 
-// MarshalPKCS1PrivateKey converts a private key to ASN.1 DER encoded form.
+// MarshalPKCS1PrivateKey converts an RSA private key to PKCS#1, ASN.1 DER form.
+//
+// This kind of key is commonly encoded in PEM blocks of type "RSA PRIVATE KEY".
+// For a more flexible key format which is not RSA specific, use
+// MarshalPKCS8PrivateKey.
 func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte {
 	key.Precompute()
 
@@ -121,11 +133,16 @@ func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte {
 	return b
 }
 
-// ParsePKCS1PublicKey parses a PKCS#1 public key in ASN.1 DER form.
+// ParsePKCS1PublicKey parses an RSA public key in PKCS#1, ASN.1 DER form.
+//
+// This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".
 func ParsePKCS1PublicKey(der []byte) (*rsa.PublicKey, error) {
 	var pub pkcs1PublicKey
 	rest, err := asn1.Unmarshal(der, &pub)
 	if err != nil {
+		if _, err := asn1.Unmarshal(der, &publicKeyInfo{}); err == nil {
+			return nil, errors.New("x509: failed to parse public key (use ParsePKIXPublicKey instead for this key format)")
+		}
 		return nil, err
 	}
 	if len(rest) > 0 {
@@ -146,6 +163,8 @@ func ParsePKCS1PublicKey(der []byte) (*rsa.PublicKey, error) {
 }
 
 // MarshalPKCS1PublicKey converts an RSA public key to PKCS#1, ASN.1 DER form.
+//
+// This kind of key is commonly encoded in PEM blocks of type "RSA PUBLIC KEY".
 func MarshalPKCS1PublicKey(key *rsa.PublicKey) []byte {
 	derBytes, _ := asn1.Marshal(pkcs1PublicKey{
 		N: key.N,

vendor/github.com/google/certificate-transparency-go/x509/pkcs8.go

@@ -12,6 +12,9 @@ import (
 
 	"github.com/google/certificate-transparency-go/asn1"
 	"github.com/google/certificate-transparency-go/x509/pkix"
+
+	// TODO(robpercival): change this to crypto/ed25519 when Go 1.13 is min version
+	"golang.org/x/crypto/ed25519"
 )
 
 // pkcs8 reflects an ASN.1, PKCS#8 PrivateKey. See
@@ -24,11 +27,21 @@ type pkcs8 struct {
 	// optional attributes omitted.
 }
 
-// ParsePKCS8PrivateKey parses an unencrypted, PKCS#8 private key.
-// See RFC 5208.
+// ParsePKCS8PrivateKey parses an unencrypted private key in PKCS#8, ASN.1 DER form.
+//
+// It returns a *rsa.PrivateKey, a *ecdsa.PrivateKey, or a ed25519.PrivateKey.
+// More types might be supported in the future.
+//
+// This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
 func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error) {
 	var privKey pkcs8
 	if _, err := asn1.Unmarshal(der, &privKey); err != nil {
+		if _, err := asn1.Unmarshal(der, &ecPrivateKey{}); err == nil {
+			return nil, errors.New("x509: failed to parse private key (use ParseECPrivateKey instead for this key format)")
+		}
+		if _, err := asn1.Unmarshal(der, &pkcs1PrivateKey{}); err == nil {
+			return nil, errors.New("x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)")
+		}
 		return nil, err
 	}
 	switch {
@@ -51,16 +64,30 @@ func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error) {
 		}
 		return key, nil
 
+	case privKey.Algo.Algorithm.Equal(OIDPublicKeyEd25519):
+		if l := len(privKey.Algo.Parameters.FullBytes); l != 0 {
+			return nil, errors.New("x509: invalid Ed25519 private key parameters")
+		}
+		var curvePrivateKey []byte
+		if _, err := asn1.Unmarshal(privKey.PrivateKey, &curvePrivateKey); err != nil {
+			return nil, fmt.Errorf("x509: invalid Ed25519 private key: %v", err)
+		}
+		if l := len(curvePrivateKey); l != ed25519.SeedSize {
+			return nil, fmt.Errorf("x509: invalid Ed25519 private key length: %d", l)
+		}
+		return ed25519.NewKeyFromSeed(curvePrivateKey), nil
+
 	default:
 		return nil, fmt.Errorf("x509: PKCS#8 wrapping contained private key with unknown algorithm: %v", privKey.Algo.Algorithm)
 	}
 }
 
-// MarshalPKCS8PrivateKey converts a private key to PKCS#8 encoded form.
-// The following key types are supported: *rsa.PrivateKey, *ecdsa.PublicKey.
-// Unsupported key types result in an error.
+// MarshalPKCS8PrivateKey converts a private key to PKCS#8, ASN.1 DER form.
 //
-// See RFC 5208.
+// The following key types are currently supported: *rsa.PrivateKey, *ecdsa.PrivateKey
+// and ed25519.PrivateKey. Unsupported key types result in an error.
+//
+// This kind of key is commonly encoded in PEM blocks of type "PRIVATE KEY".
 func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error) {
 	var privKey pkcs8
 
@@ -75,7 +102,7 @@ func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error) {
 	case *ecdsa.PrivateKey:
 		oid, ok := OIDFromNamedCurve(k.Curve)
 		if !ok {
-			return nil, errors.New("x509: unknown curve while marshalling to PKCS#8")
+			return nil, errors.New("x509: unknown curve while marshaling to PKCS#8")
 		}
 
 		oidBytes, err := asn1.Marshal(oid)
@@ -94,8 +121,18 @@ func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error) {
 			return nil, errors.New("x509: failed to marshal EC private key while building PKCS#8: " + err.Error())
 		}
 
+	case ed25519.PrivateKey:
+		privKey.Algo = pkix.AlgorithmIdentifier{
+			Algorithm: OIDPublicKeyEd25519,
+		}
+		curvePrivateKey, err := asn1.Marshal(k.Seed())
+		if err != nil {
+			return nil, fmt.Errorf("x509: failed to marshal private key: %v", err)
+		}
+		privKey.PrivateKey = curvePrivateKey
+
 	default:
-		return nil, fmt.Errorf("x509: unknown key type while marshalling PKCS#8: %T", key)
+		return nil, fmt.Errorf("x509: unknown key type while marshaling PKCS#8: %T", key)
 	}
 
 	return asn1.Marshal(privKey)

vendor/github.com/google/certificate-transparency-go/x509/pkix/pkix.go

@@ -7,14 +7,12 @@
 package pkix
 
 import (
-	// START CT CHANGES
 	"encoding/hex"
 	"fmt"
-
-	"github.com/google/certificate-transparency-go/asn1"
-	// END CT CHANGES
 	"math/big"
 	"time"
+
+	"github.com/google/certificate-transparency-go/asn1"
 )
 
 // AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
@@ -98,7 +96,7 @@ func (r RDNSequence) String() string {
 type RelativeDistinguishedNameSET []AttributeTypeAndValue
 
 // AttributeTypeAndValue mirrors the ASN.1 structure of the same name in
-// http://tools.ietf.org/html/rfc5280#section-4.1.2.4
+// RFC 5280, Section 4.1.2.4.
 type AttributeTypeAndValue struct {
 	Type  asn1.ObjectIdentifier
 	Value interface{}
@@ -240,7 +238,7 @@ func (n Name) String() string {
 	return n.ToRDNSequence().String()
 }
 
-// oidInAttributeTypeAndValue returns whether a type with the given OID exists
+// oidInAttributeTypeAndValue reports whether a type with the given OID exists
 // in atv.
 func oidInAttributeTypeAndValue(oid asn1.ObjectIdentifier, atv []AttributeTypeAndValue) bool {
 	for _, a := range atv {

vendor/github.com/google/certificate-transparency-go/x509/ptr_sysptr_windows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build go1.11
 // +build go1.11
 
 package x509

vendor/github.com/google/certificate-transparency-go/x509/ptr_uint_windows.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !go1.11
 // +build !go1.11
 
 package x509

vendor/github.com/google/certificate-transparency-go/x509/revoked.go

@@ -1,4 +1,4 @@
-// Copyright 2017 Google Inc. All Rights Reserved.
+// Copyright 2017 Google LLC. All Rights Reserved.
 //
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
@@ -14,12 +14,15 @@ import (
 	"github.com/google/certificate-transparency-go/x509/pkix"
 )
 
-var (
 // OID values for CRL extensions (TBSCertList.Extensions), RFC 5280 s5.2.
+var (
 	OIDExtensionCRLNumber                = asn1.ObjectIdentifier{2, 5, 29, 20}
 	OIDExtensionDeltaCRLIndicator        = asn1.ObjectIdentifier{2, 5, 29, 27}
 	OIDExtensionIssuingDistributionPoint = asn1.ObjectIdentifier{2, 5, 29, 28}
+)
+
 // OID values for CRL entry extensions (RevokedCertificate.Extensions), RFC 5280 s5.3
+var (
 	OIDExtensionCRLReasons        = asn1.ObjectIdentifier{2, 5, 29, 21}
 	OIDExtensionInvalidityDate    = asn1.ObjectIdentifier{2, 5, 29, 24}
 	OIDExtensionCertificateIssuer = asn1.ObjectIdentifier{2, 5, 29, 29}
@@ -238,7 +241,7 @@ func ParseCertificateListDER(derBytes []byte) (*CertificateList, error) {
 			}
 		case e.Id.Equal(OIDExtensionAuthorityInfoAccess):
 			// RFC 5280 s5.2.7
-			var aia []authorityInfoAccess
+			var aia []accessDescription
 			if rest, err := asn1.Unmarshal(e.Value, &aia); err != nil {
 				errs.AddID(ErrInvalidCertListAuthInfoAccess, err)
 			} else if len(rest) != 0 {

vendor/github.com/google/certificate-transparency-go/x509/root.go

@@ -19,4 +19,7 @@ func systemRootsPool() *CertPool {
 
 func initSystemRoots() {
 	systemRoots, systemRootsErr = loadSystemRoots()
+	if systemRootsErr != nil {
+		systemRoots = nil
+	}
 }

vendor/github.com/google/certificate-transparency-go/x509/root_bsd.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build dragonfly || freebsd || netbsd || openbsd
 // +build dragonfly freebsd netbsd openbsd
 
 package x509

vendor/github.com/google/certificate-transparency-go/x509/root_cgo_darwin.go

@@ -2,12 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build cgo && !arm && !arm64 && !ios
 // +build cgo,!arm,!arm64,!ios
 
 package x509
 
 /*
-#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080
+#cgo CFLAGS: -mmacosx-version-min=10.10 -D__MAC_OS_X_VERSION_MAX_ALLOWED=101300
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
 
 #include <errno.h>
@@ -16,60 +17,142 @@ package x509
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 
-// FetchPEMRootsCTX509_MountainLion is the version of FetchPEMRoots from Go 1.6
-// which still works on OS X 10.8 (Mountain Lion).
-// It lacks support for admin & user cert domains.
-// See golang.org/issue/16473
-int FetchPEMRootsCTX509_MountainLion(CFDataRef *pemRoots) {
-	if (pemRoots == NULL) {
-		return -1;
+static Boolean isSSLPolicy(SecPolicyRef policyRef) {
+	if (!policyRef) {
+		return false;
 	}
-	CFArrayRef certs = NULL;
-	OSStatus err = SecTrustCopyAnchorCertificates(&certs);
-	if (err != noErr) {
-		return -1;
+	CFDictionaryRef properties = SecPolicyCopyProperties(policyRef);
+	if (properties == NULL) {
+		return false;
 	}
-	CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
-	int i, ncerts = CFArrayGetCount(certs);
-	for (i = 0; i < ncerts; i++) {
-		CFDataRef data = NULL;
-		SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, i);
-		if (cert == NULL) {
-			continue;
+	Boolean isSSL = false;
+	CFTypeRef value = NULL;
+	if (CFDictionaryGetValueIfPresent(properties, kSecPolicyOid, (const void **)&value)) {
+		isSSL = CFEqual(value, kSecPolicyAppleSSL);
 	}
-		// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
-		// Once we support weak imports via cgo we should prefer that, and fall back to this
-		// for older systems.
-		err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
-		if (err != noErr) {
-			continue;
-		}
-		if (data != NULL) {
-			CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));
-			CFRelease(data);
-		}
-	}
-	CFRelease(certs);
-	*pemRoots = combinedData;
-	return 0;
+	CFRelease(properties);
+	return isSSL;
 }
 
-// useOldCodeCTX509 reports whether the running machine is OS X 10.8 Mountain Lion
-// or older. We only support Mountain Lion and higher, but we'll at least try our
-// best on older machines and continue to use the old code path.
+// sslTrustSettingsResult obtains the final kSecTrustSettingsResult value
+// for a certificate in the user or admin domain, combining usage constraints
+// for the SSL SecTrustSettingsPolicy, ignoring SecTrustSettingsKeyUsage and
+// kSecTrustSettingsAllowedError.
+// https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting
+static SInt32 sslTrustSettingsResult(SecCertificateRef cert) {
+	CFArrayRef trustSettings = NULL;
+	OSStatus err = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainUser, &trustSettings);
+
+	// According to Apple's SecTrustServer.c, "user trust settings overrule admin trust settings",
+	// but the rules of the override are unclear. Let's assume admin trust settings are applicable
+	// if and only if user trust settings fail to load or are NULL.
+	if (err != errSecSuccess || trustSettings == NULL) {
+		if (trustSettings != NULL) CFRelease(trustSettings);
+		err = SecTrustSettingsCopyTrustSettings(cert, kSecTrustSettingsDomainAdmin, &trustSettings);
+	}
+
+	// > no trust settings [...] means "this certificate must be verified to a known trusted certificate”
+	// (Should this cause a fallback from user to admin domain? It's unclear.)
+	if (err != errSecSuccess || trustSettings == NULL) {
+		if (trustSettings != NULL) CFRelease(trustSettings);
+		return kSecTrustSettingsResultUnspecified;
+	}
+
+	// > An empty trust settings array means "always trust this certificate” with an
+	// > overall trust setting for the certificate of kSecTrustSettingsResultTrustRoot.
+	if (CFArrayGetCount(trustSettings) == 0) {
+		CFRelease(trustSettings);
+		return kSecTrustSettingsResultTrustRoot;
+	}
+
+	// kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"),
+	// but the Go linker's internal linking mode can't handle CFSTR relocations.
+	// Create our own dynamic string instead and release it below.
+	CFStringRef _kSecTrustSettingsResult = CFStringCreateWithCString(
+		NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8);
+	CFStringRef _kSecTrustSettingsPolicy = CFStringCreateWithCString(
+		NULL, "kSecTrustSettingsPolicy", kCFStringEncodingUTF8);
+	CFStringRef _kSecTrustSettingsPolicyString = CFStringCreateWithCString(
+		NULL, "kSecTrustSettingsPolicyString", kCFStringEncodingUTF8);
+
+	CFIndex m; SInt32 result = 0;
+	for (m = 0; m < CFArrayGetCount(trustSettings); m++) {
+		CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, m);
+
+		// First, check if this trust setting is constrained to a non-SSL policy.
+		SecPolicyRef policyRef;
+		if (CFDictionaryGetValueIfPresent(tSetting, _kSecTrustSettingsPolicy, (const void**)&policyRef)) {
+			if (!isSSLPolicy(policyRef)) {
+				continue;
+			}
+		}
+
+		if (CFDictionaryContainsKey(tSetting, _kSecTrustSettingsPolicyString)) {
+			// Restricted to a hostname, not a root.
+			continue;
+		}
+
+		CFNumberRef cfNum;
+		if (CFDictionaryGetValueIfPresent(tSetting, _kSecTrustSettingsResult, (const void**)&cfNum)) {
+			CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
+		} else {
+			// > If this key is not present, a default value of
+			// > kSecTrustSettingsResultTrustRoot is assumed.
+			result = kSecTrustSettingsResultTrustRoot;
+		}
+
+		// If multiple dictionaries match, we are supposed to "OR" them,
+		// the semantics of which are not clear. Since TrustRoot and TrustAsRoot
+		// are mutually exclusive, Deny should probably override, and Invalid and
+		// Unspecified be overridden, approximate this by stopping at the first
+		// TrustRoot, TrustAsRoot or Deny.
+		if (result == kSecTrustSettingsResultTrustRoot) {
+			break;
+		} else if (result == kSecTrustSettingsResultTrustAsRoot) {
+			break;
+		} else if (result == kSecTrustSettingsResultDeny) {
+			break;
+		}
+	}
+
+	// If trust settings are present, but none of them match the policy...
+	// the docs don't tell us what to do.
 	//
-// See golang.org/issue/16473
-int useOldCodeCTX509() {
-	char str[256];
-	size_t size = sizeof(str);
-	memset(str, 0, size);
-	sysctlbyname("kern.osrelease", str, &size, NULL, 0);
-	// OS X 10.8 is osrelease "12.*", 10.7 is 11.*, 10.6 is 10.*.
-	// We never supported things before that.
-	return memcmp(str, "12.", 3) == 0 || memcmp(str, "11.", 3) == 0 || memcmp(str, "10.", 3) == 0;
+	// "Trust settings for a given use apply if any of the dictionaries in the
+	// certificate’s trust settings array satisfies the specified use." suggests
+	// that it's as if there were no trust settings at all, so we should probably
+	// fallback to the admin trust settings. TODO.
+	if (result == 0) {
+		result = kSecTrustSettingsResultUnspecified;
 	}
 
-// FetchPEMRootsCTX509 fetches the system's list of trusted X.509 root certificates.
+	CFRelease(_kSecTrustSettingsPolicy);
+	CFRelease(_kSecTrustSettingsPolicyString);
+	CFRelease(_kSecTrustSettingsResult);
+	CFRelease(trustSettings);
+
+	return result;
+}
+
+// isRootCertificate reports whether Subject and Issuer match.
+static Boolean isRootCertificate(SecCertificateRef cert, CFErrorRef *errRef) {
+	CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, errRef);
+	if (*errRef != NULL) {
+		return false;
+	}
+	CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, errRef);
+	if (*errRef != NULL) {
+		CFRelease(subjectName);
+		return false;
+	}
+	Boolean equal = CFEqual(subjectName, issuerName);
+	CFRelease(subjectName);
+	CFRelease(issuerName);
+	return equal;
+}
+
+// CopyPEMRootsCTX509 fetches the system's list of trusted X.509 root certificates
+// for the kSecTrustSettingsPolicy SSL.
 //
 // On success it returns 0 and fills pemRoots with a CFDataRef that contains the extracted root
 // certificates of the system. On failure, the function returns -1.
@@ -77,31 +160,32 @@ int useOldCodeCTX509() {
 //
 // Note: The CFDataRef returned in pemRoots and untrustedPemRoots must
 // be released (using CFRelease) after we've consumed its content.
-int FetchPEMRootsCTX509(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
-	if (useOldCodeCTX509()) {
-		return FetchPEMRootsCTX509_MountainLion(pemRoots);
+static int CopyPEMRootsCTX509(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots, bool debugDarwinRoots) {
+	int i;
+
+	if (debugDarwinRoots) {
+		fprintf(stderr, "crypto/x509: kSecTrustSettingsResultInvalid = %d\n", kSecTrustSettingsResultInvalid);
+		fprintf(stderr, "crypto/x509: kSecTrustSettingsResultTrustRoot = %d\n", kSecTrustSettingsResultTrustRoot);
+		fprintf(stderr, "crypto/x509: kSecTrustSettingsResultTrustAsRoot = %d\n", kSecTrustSettingsResultTrustAsRoot);
+		fprintf(stderr, "crypto/x509: kSecTrustSettingsResultDeny = %d\n", kSecTrustSettingsResultDeny);
+		fprintf(stderr, "crypto/x509: kSecTrustSettingsResultUnspecified = %d\n", kSecTrustSettingsResultUnspecified);
 	}
 
 	// Get certificates from all domains, not just System, this lets
 	// the user add CAs to their "login" keychain, and Admins to add
 	// to the "System" keychain
 	SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem,
-					     kSecTrustSettingsDomainAdmin,
-					     kSecTrustSettingsDomainUser };
+		kSecTrustSettingsDomainAdmin, kSecTrustSettingsDomainUser };
 
 	int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain);
-	if (pemRoots == NULL) {
+	if (pemRoots == NULL || untrustedPemRoots == NULL) {
 		return -1;
 	}
 
-	// kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"),
-	// but the Go linker's internal linking mode can't handle CFSTR relocations.
-	// Create our own dynamic string instead and release it below.
-	CFStringRef policy = CFStringCreateWithCString(NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8);
-
 	CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
 	CFMutableDataRef combinedUntrustedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
-	for (int i = 0; i < numDomains; i++) {
+	for (i = 0; i < numDomains; i++) {
+		int j;
 		CFArrayRef certs = NULL;
 		OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs);
 		if (err != noErr) {
@@ -109,104 +193,86 @@ int FetchPEMRootsCTX509(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
 		}
 
 		CFIndex numCerts = CFArrayGetCount(certs);
-		for (int j = 0; j < numCerts; j++) {
-			CFDataRef data = NULL;
-			CFErrorRef errRef = NULL;
-			CFArrayRef trustSettings = NULL;
+		for (j = 0; j < numCerts; j++) {
 			SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j);
 			if (cert == NULL) {
 				continue;
 			}
-			// We only want trusted certs.
-			int untrusted = 0;
-			int trustAsRoot = 0;
-			int trustRoot = 0;
-			if (i == 0) {
-				trustAsRoot = 1;
-			} else {
+
+			SInt32 result;
+			if (domains[i] == kSecTrustSettingsDomainSystem) {
 				// Certs found in the system domain are always trusted. If the user
 				// configures "Never Trust" on such a cert, it will also be found in the
 				// admin or user domain, causing it to be added to untrustedPemRoots. The
 				// Go code will then clean this up.
-
-				// Trust may be stored in any of the domains. According to Apple's
-				// SecTrustServer.c, "user trust settings overrule admin trust settings",
-				// so take the last trust settings array we find.
-				// Skip the system domain since it is always trusted.
-				for (int k = i; k < numDomains; k++) {
-					CFArrayRef domainTrustSettings = NULL;
-					err = SecTrustSettingsCopyTrustSettings(cert, domains[k], &domainTrustSettings);
-					if (err == errSecSuccess && domainTrustSettings != NULL) {
-						if (trustSettings) {
-							CFRelease(trustSettings);
-						}
-						trustSettings = domainTrustSettings;
-					}
-				}
-				if (trustSettings == NULL) {
-					// "this certificate must be verified to a known trusted certificate"; aka not a root.
+				result = kSecTrustSettingsResultTrustRoot;
+			} else {
+				result = sslTrustSettingsResult(cert);
+				if (debugDarwinRoots) {
+					CFErrorRef errRef = NULL;
+					CFStringRef summary = SecCertificateCopyShortDescription(NULL, cert, &errRef);
+					if (errRef != NULL) {
+						fprintf(stderr, "crypto/x509: SecCertificateCopyShortDescription failed\n");
+						CFRelease(errRef);
 						continue;
 					}
-				for (CFIndex k = 0; k < CFArrayGetCount(trustSettings); k++) {
-					CFNumberRef cfNum;
-					CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, k);
-					if (CFDictionaryGetValueIfPresent(tSetting, policy, (const void**)&cfNum)){
-						SInt32 result = 0;
-						CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
-						// TODO: The rest of the dictionary specifies conditions for evaluation.
-						if (result == kSecTrustSettingsResultDeny) {
-							untrusted = 1;
+
+					CFIndex length = CFStringGetLength(summary);
+					CFIndex maxSize = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1;
+					char *buffer = malloc(maxSize);
+					if (CFStringGetCString(summary, buffer, maxSize, kCFStringEncodingUTF8)) {
+						fprintf(stderr, "crypto/x509: %s returned %d\n", buffer, (int)result);
+					}
+					free(buffer);
+					CFRelease(summary);
+				}
+			}
+
+			CFMutableDataRef appendTo;
+			// > Note the distinction between the results kSecTrustSettingsResultTrustRoot
+			// > and kSecTrustSettingsResultTrustAsRoot: The former can only be applied to
+			// > root (self-signed) certificates; the latter can only be applied to
+			// > non-root certificates.
+			if (result == kSecTrustSettingsResultTrustRoot) {
+				CFErrorRef errRef = NULL;
+				if (!isRootCertificate(cert, &errRef) || errRef != NULL) {
+					if (errRef != NULL) CFRelease(errRef);
+					continue;
+				}
+
+				appendTo = combinedData;
 			} else if (result == kSecTrustSettingsResultTrustAsRoot) {
-							trustAsRoot = 1;
-						} else if (result == kSecTrustSettingsResultTrustRoot) {
-							trustRoot = 1;
-						}
-					}
-				}
-				CFRelease(trustSettings);
+				CFErrorRef errRef = NULL;
+				if (isRootCertificate(cert, &errRef) || errRef != NULL) {
+					if (errRef != NULL) CFRelease(errRef);
+					continue;
 				}
 
-			if (trustRoot) {
-				// We only want to add Root CAs, so make sure Subject and Issuer Name match
-				CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef);
-				if (errRef != NULL) {
-					CFRelease(errRef);
+				appendTo = combinedData;
+			} else if (result == kSecTrustSettingsResultDeny) {
+				appendTo = combinedUntrustedData;
+			} else if (result == kSecTrustSettingsResultUnspecified) {
+				// Certificates with unspecified trust should probably be added to a pool of
+				// intermediates for chain building, or checked for transitive trust and
+				// added to the root pool (which is an imprecise approximation because it
+				// cuts chains short) but we don't support either at the moment. TODO.
 				continue;
-				}
-				CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef);
-				if (errRef != NULL) {
-					CFRelease(subjectName);
-					CFRelease(errRef);
+			} else {
 				continue;
 			}
-				Boolean equal = CFEqual(subjectName, issuerName);
-				CFRelease(subjectName);
-				CFRelease(issuerName);
-				if (!equal) {
-					continue;
-				}
-			}
 
-			// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
-			// Once we support weak imports via cgo we should prefer that, and fall back to this
-			// for older systems.
-			err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
+			CFDataRef data = NULL;
+			err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
 			if (err != noErr) {
 				continue;
 			}
-
 			if (data != NULL) {
-				if (!trustRoot && !trustAsRoot) {
-					untrusted = 1;
-				}
-				CFMutableDataRef appendTo = untrusted ? combinedUntrustedData : combinedData;
 				CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data));
 				CFRelease(data);
 			}
 		}
 		CFRelease(certs);
 	}
-	CFRelease(policy);
 	*pemRoots = combinedData;
 	*untrustedPemRoots = combinedUntrustedData;
 	return 0;
@@ -219,25 +285,22 @@ import (
 )
 
 func loadSystemRoots() (*CertPool, error) {
-	roots := NewCertPool()
-
-	var data C.CFDataRef
-	setNilCFRef(&data)
-	var untrustedData C.CFDataRef
-	setNilCFRef(&untrustedData)
-	err := C.FetchPEMRootsCTX509(&data, &untrustedData)
+	var data, untrustedData C.CFDataRef
+	err := C.CopyPEMRootsCTX509(&data, &untrustedData, C.bool(debugDarwinRoots))
 	if err == -1 {
-		// TODO: better error message
 		return nil, errors.New("crypto/x509: failed to load darwin system roots with cgo")
 	}
-
 	defer C.CFRelease(C.CFTypeRef(data))
+	defer C.CFRelease(C.CFTypeRef(untrustedData))
+
 	buf := C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(data)), C.int(C.CFDataGetLength(data)))
+	roots := NewCertPool()
 	roots.AppendCertsFromPEM(buf)
-	if isNilCFRef(untrustedData) {
+
+	if C.CFDataGetLength(untrustedData) == 0 {
 		return roots, nil
 	}
-	defer C.CFRelease(C.CFTypeRef(untrustedData))
+
 	buf = C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(untrustedData)), C.int(C.CFDataGetLength(untrustedData)))
 	untrustedRoots := NewCertPool()
 	untrustedRoots.AppendCertsFromPEM(buf)

vendor/github.com/google/certificate-transparency-go/x509/root_darwin.go

@@ -13,7 +13,6 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/user"
@@ -22,7 +21,7 @@ import (
 	"sync"
 )
 
-var debugExecDarwinRoots = strings.Contains(os.Getenv("GODEBUG"), "x509roots=1")
+var debugDarwinRoots = strings.Contains(os.Getenv("GODEBUG"), "x509roots=1")
 
 func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
 	return nil, nil
@@ -40,8 +39,8 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 //
 //  1. Run "security trust-settings-export" and "security
 //     trust-settings-export -d" to discover the set of certs with some
-//    user-tweaked trust policy. We're too lazy to parse the XML (at
-//    least at this stage of Go 1.8) to understand what the trust
+//     user-tweaked trust policy. We're too lazy to parse the XML
+//     (Issue 26830) to understand what the trust
 //     policy actually is. We just learn that there is _some_ policy.
 //
 //  2. Run "security find-certificate" to dump the list of system root
@@ -58,22 +57,21 @@ func execSecurityRoots() (*CertPool, error) {
 	if err != nil {
 		return nil, err
 	}
-	if debugExecDarwinRoots {
-		println(fmt.Sprintf("crypto/x509: %d certs have a trust policy", len(hasPolicy)))
+	if debugDarwinRoots {
+		fmt.Fprintf(os.Stderr, "crypto/x509: %d certs have a trust policy\n", len(hasPolicy))
 	}
 
-	args := []string{"find-certificate", "-a", "-p",
-		"/System/Library/Keychains/SystemRootCertificates.keychain",
-		"/Library/Keychains/System.keychain",
-	}
+	keychains := []string{"/Library/Keychains/System.keychain"}
 
+	// Note that this results in trusting roots from $HOME/... (the environment
+	// variable), which might not be expected.
 	u, err := user.Current()
 	if err != nil {
-		if debugExecDarwinRoots {
-			println(fmt.Sprintf("crypto/x509: get current user: %v", err))
+		if debugDarwinRoots {
+			fmt.Fprintf(os.Stderr, "crypto/x509: can't get user home directory: %v\n", err)
 		}
 	} else {
-		args = append(args,
+		keychains = append(keychains,
 			filepath.Join(u.HomeDir, "/Library/Keychains/login.keychain"),
 
 			// Fresh installs of Sierra use a slightly different path for the login keychain
@@ -81,21 +79,19 @@ func execSecurityRoots() (*CertPool, error) {
 		)
 	}
 
-	cmd := exec.Command("/usr/bin/security", args...)
-	data, err := cmd.Output()
-	if err != nil {
-		return nil, err
+	type rootCandidate struct {
+		c      *Certificate
+		system bool
 	}
 
 	var (
 		mu          sync.Mutex
 		roots       = NewCertPool()
 		numVerified int // number of execs of 'security verify-cert', for debug stats
+		wg          sync.WaitGroup
+		verifyCh    = make(chan rootCandidate)
 	)
 
-	blockCh := make(chan *pem.Block)
-	var wg sync.WaitGroup
-
 	// Using 4 goroutines to pipe into verify-cert seems to be
 	// about the best we can do. The verify-cert binary seems to
 	// just RPC to another server with coarse locking anyway, so
@@ -109,31 +105,62 @@ func execSecurityRoots() (*CertPool, error) {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			for block := range blockCh {
-				cert, err := ParseCertificate(block.Bytes)
-				if err != nil {
-					continue
-				}
-				sha1CapHex := fmt.Sprintf("%X", sha1.Sum(block.Bytes))
+			for cert := range verifyCh {
+				sha1CapHex := fmt.Sprintf("%X", sha1.Sum(cert.c.Raw))
 
-				valid := true
+				var valid bool
 				verifyChecks := 0
 				if hasPolicy[sha1CapHex] {
 					verifyChecks++
-					if !verifyCertWithSystem(block, cert) {
-						valid = false
-					}
+					valid = verifyCertWithSystem(cert.c)
+				} else {
+					// Certificates not in SystemRootCertificates without user
+					// or admin trust settings are not trusted.
+					valid = cert.system
 				}
 
 				mu.Lock()
 				numVerified += verifyChecks
 				if valid {
-					roots.AddCert(cert)
+					roots.AddCert(cert.c)
 				}
 				mu.Unlock()
 			}
 		}()
 	}
+	err = forEachCertInKeychains(keychains, func(cert *Certificate) {
+		verifyCh <- rootCandidate{c: cert, system: false}
+	})
+	if err != nil {
+		close(verifyCh)
+		return nil, err
+	}
+	err = forEachCertInKeychains([]string{
+		"/System/Library/Keychains/SystemRootCertificates.keychain",
+	}, func(cert *Certificate) {
+		verifyCh <- rootCandidate{c: cert, system: true}
+	})
+	if err != nil {
+		close(verifyCh)
+		return nil, err
+	}
+	close(verifyCh)
+	wg.Wait()
+
+	if debugDarwinRoots {
+		fmt.Fprintf(os.Stderr, "crypto/x509: ran security verify-cert %d times\n", numVerified)
+	}
+
+	return roots, nil
+}
+
+func forEachCertInKeychains(paths []string, f func(*Certificate)) error {
+	args := append([]string{"find-certificate", "-a", "-p"}, paths...)
+	cmd := exec.Command("/usr/bin/security", args...)
+	data, err := cmd.Output()
+	if err != nil {
+		return err
+	}
 	for len(data) > 0 {
 		var block *pem.Block
 		block, data = pem.Decode(data)
@@ -143,24 +170,21 @@ func execSecurityRoots() (*CertPool, error) {
 		if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
 			continue
 		}
-		blockCh <- block
+		cert, err := ParseCertificate(block.Bytes)
+		if err != nil {
+			continue
 		}
-	close(blockCh)
-	wg.Wait()
-
-	if debugExecDarwinRoots {
-		mu.Lock()
-		defer mu.Unlock()
-		println(fmt.Sprintf("crypto/x509: ran security verify-cert %d times", numVerified))
+		f(cert)
+	}
+	return nil
 }
 
-	return roots, nil
-}
+func verifyCertWithSystem(cert *Certificate) bool {
+	data := pem.EncodeToMemory(&pem.Block{
+		Type: "CERTIFICATE", Bytes: cert.Raw,
+	})
 
-func verifyCertWithSystem(block *pem.Block, cert *Certificate) bool {
-	data := pem.EncodeToMemory(block)
-
-	f, err := ioutil.TempFile("", "cert")
+	f, err := os.CreateTemp("", "cert")
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "can't create temporary file for cert: %v", err)
 		return false
@@ -174,19 +198,19 @@ func verifyCertWithSystem(block *pem.Block, cert *Certificate) bool {
 		fmt.Fprintf(os.Stderr, "can't write temporary file for cert: %v", err)
 		return false
 	}
-	cmd := exec.Command("/usr/bin/security", "verify-cert", "-c", f.Name(), "-l", "-L")
+	cmd := exec.Command("/usr/bin/security", "verify-cert", "-p", "ssl", "-c", f.Name(), "-l", "-L")
 	var stderr bytes.Buffer
-	if debugExecDarwinRoots {
+	if debugDarwinRoots {
 		cmd.Stderr = &stderr
 	}
 	if err := cmd.Run(); err != nil {
-		if debugExecDarwinRoots {
-			println(fmt.Sprintf("crypto/x509: verify-cert rejected %s: %q", cert.Subject.CommonName, bytes.TrimSpace(stderr.Bytes())))
+		if debugDarwinRoots {
+			fmt.Fprintf(os.Stderr, "crypto/x509: verify-cert rejected %s: %q\n", cert.Subject, bytes.TrimSpace(stderr.Bytes()))
 		}
 		return false
 	}
-	if debugExecDarwinRoots {
-		println(fmt.Sprintf("crypto/x509: verify-cert approved %s", cert.Subject.CommonName))
+	if debugDarwinRoots {
+		fmt.Fprintf(os.Stderr, "crypto/x509: verify-cert approved %s\n", cert.Subject)
 	}
 	return true
 }
@@ -199,7 +223,7 @@ func verifyCertWithSystem(block *pem.Block, cert *Certificate) bool {
 // settings. This code is only used for cgo-disabled builds.
 func getCertsWithTrustPolicy() (map[string]bool, error) {
 	set := map[string]bool{}
-	td, err := ioutil.TempDir("", "x509trustpolicy")
+	td, err := os.MkdirTemp("", "x509trustpolicy")
 	if err != nil {
 		return nil, err
 	}
@@ -218,8 +242,8 @@ func getCertsWithTrustPolicy() (map[string]bool, error) {
 			// Rather than match on English substrings that are probably
 			// localized on macOS, just interpret any failure to mean that
 			// there are no trust settings.
-			if debugExecDarwinRoots {
-				println(fmt.Sprintf("crypto/x509: exec %q: %v, %s", cmd.Args, err, stderr.Bytes()))
+			if debugDarwinRoots {
+				fmt.Fprintf(os.Stderr, "crypto/x509: exec %q: %v, %s\n", cmd.Args, err, stderr.Bytes())
 			}
 			return nil
 		}

vendor/github.com/google/certificate-transparency-go/x509/root_darwin_armx.go

@@ -4,6 +4,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build cgo && darwin && (arm || arm64 || ios)
 // +build cgo
 // +build darwin
 // +build arm arm64 ios

vendor/github.com/google/certificate-transparency-go/x509/root_js.go

@@ -0,0 +1,19 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build js && wasm
+// +build js,wasm
+
+package x509
+
+// Possible certificate files; stop after finding one.
+var certFiles = []string{}
+
+func loadSystemRoots() (*CertPool, error) {
+	return NewCertPool(), nil
+}
+
+func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
+	return nil, nil
+}

vendor/github.com/google/certificate-transparency-go/x509/root_linux.go

@@ -11,4 +11,5 @@ var certFiles = []string{
 	"/etc/ssl/ca-bundle.pem",                            // OpenSUSE
 	"/etc/pki/tls/cacert.pem",                           // OpenELEC
 	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", // CentOS/RHEL 7
+	"/etc/ssl/cert.pem",                                 // Alpine Linux
 }

vendor/github.com/google/certificate-transparency-go/x509/root_nacl.go

@@ -1,8 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package x509
-
-// Possible certificate files; stop after finding one.
-var certFiles = []string{}

vendor/github.com/google/certificate-transparency-go/x509/root_nocgo_darwin.go

@@ -2,6 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !cgo
 // +build !cgo
 
 package x509

vendor/github.com/google/certificate-transparency-go/x509/root_plan9.go

@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build plan9
 // +build plan9
 
 package x509
 
 import (
-	"io/ioutil"
 	"os"
 )
 
@@ -24,7 +24,7 @@ func loadSystemRoots() (*CertPool, error) {
 	roots := NewCertPool()
 	var bestErr error
 	for _, file := range certFiles {
-		data, err := ioutil.ReadFile(file)
+		data, err := os.ReadFile(file)
 		if err == nil {
 			roots.AppendCertsFromPEM(data)
 			return roots, nil
@@ -33,5 +33,8 @@ func loadSystemRoots() (*CertPool, error) {
 			bestErr = err
 		}
 	}
+	if bestErr == nil {
+		return roots, nil
+	}
 	return nil, bestErr
 }

vendor/github.com/google/certificate-transparency-go/x509/root_unix.go

@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build dragonfly freebsd linux nacl netbsd openbsd solaris
+//go:build dragonfly || freebsd || linux || netbsd || openbsd || solaris
+// +build dragonfly freebsd linux netbsd openbsd solaris
 
 package x509
 
 import (
-	"io/ioutil"
 	"os"
 )
 
@@ -45,7 +45,7 @@ func loadSystemRoots() (*CertPool, error) {
 
 	var firstErr error
 	for _, file := range files {
-		data, err := ioutil.ReadFile(file)
+		data, err := os.ReadFile(file)
 		if err == nil {
 			roots.AppendCertsFromPEM(data)
 			break
@@ -61,7 +61,7 @@ func loadSystemRoots() (*CertPool, error) {
 	}
 
 	for _, directory := range dirs {
-		fis, err := ioutil.ReadDir(directory)
+		fis, err := os.ReadDir(directory)
 		if err != nil {
 			if firstErr == nil && !os.IsNotExist(err) {
 				firstErr = err
@@ -70,7 +70,7 @@ func loadSystemRoots() (*CertPool, error) {
 		}
 		rootsAdded := false
 		for _, fi := range fis {
-			data, err := ioutil.ReadFile(directory + "/" + fi.Name())
+			data, err := os.ReadFile(directory + "/" + fi.Name())
 			if err == nil && roots.AppendCertsFromPEM(data) {
 				rootsAdded = true
 			}
@@ -80,7 +80,7 @@ func loadSystemRoots() (*CertPool, error) {
 		}
 	}
 
-	if len(roots.certs) > 0 {
+	if len(roots.certs) > 0 || firstErr == nil {
 		return roots, nil
 	}
 

vendor/github.com/google/certificate-transparency-go/x509/root_windows.go

@@ -61,15 +61,15 @@ func extractSimpleChain(simpleChain **syscall.CertSimpleChain, count int) (chain
 		return nil, errors.New("x509: invalid simple chain")
 	}
 
-	simpleChains := (*[1 << 20]*syscall.CertSimpleChain)(unsafe.Pointer(simpleChain))[:]
+	simpleChains := (*[1 << 20]*syscall.CertSimpleChain)(unsafe.Pointer(simpleChain))[:count:count]
 	lastChain := simpleChains[count-1]
-	elements := (*[1 << 20]*syscall.CertChainElement)(unsafe.Pointer(lastChain.Elements))[:]
+	elements := (*[1 << 20]*syscall.CertChainElement)(unsafe.Pointer(lastChain.Elements))[:lastChain.NumElements:lastChain.NumElements]
 	for i := 0; i < int(lastChain.NumElements); i++ {
 		// Copy the buf, since ParseCertificate does not create its own copy.
 		cert := elements[i].CertContext
-		encodedCert := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+		encodedCert := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:cert.Length:cert.Length]
 		buf := make([]byte, cert.Length)
-		copy(buf, encodedCert[:])
+		copy(buf, encodedCert)
 		parsedCert, err := ParseCertificate(buf)
 		if err != nil {
 			return nil, err
@@ -219,17 +219,37 @@ func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate
 	if err != nil {
 		return nil, err
 	}
+	if len(chain) < 1 {
+		return nil, errors.New("x509: internal error: system verifier returned an empty chain")
+	}
 
-	chains = append(chains, chain)
+	// Mitigate CVE-2020-0601, where the Windows system verifier might be
+	// tricked into using custom curve parameters for a trusted root, by
+	// double-checking all ECDSA signatures. If the system was tricked into
+	// using spoofed parameters, the signature will be invalid for the correct
+	// ones we parsed. (We don't support custom curves ourselves.)
+	for i, parent := range chain[1:] {
+		if parent.PublicKeyAlgorithm != ECDSA {
+			continue
+		}
+		if err := parent.CheckSignature(chain[i].SignatureAlgorithm,
+			chain[i].RawTBSCertificate, chain[i].Signature); err != nil {
+			return nil, err
+		}
+	}
 
-	return chains, nil
+	return [][]*Certificate{chain}, nil
 }
 
 func loadSystemRoots() (*CertPool, error) {
 	// TODO: restore this functionality on Windows. We tried to do
 	// it in Go 1.8 but had to revert it. See Issue 18609.
 	// Returning (nil, nil) was the old behavior, prior to CL 30578.
+	// The if statement here avoids vet complaining about
+	// unreachable code below.
+	if true {
 		return nil, nil
+	}
 
 	const CRYPT_E_NOT_FOUND = 0x80092004
 
@@ -255,7 +275,7 @@ func loadSystemRoots() (*CertPool, error) {
 			break
 		}
 		// Copy the buf, since ParseCertificate does not create its own copy.
-		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
+		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:cert.Length:cert.Length]
 		buf2 := make([]byte, cert.Length)
 		copy(buf2, buf)
 		if c, err := ParseCertificate(buf2); err == nil {

vendor/github.com/google/certificate-transparency-go/x509/rpki.go

@@ -0,0 +1,242 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package x509
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+
+	"github.com/google/certificate-transparency-go/asn1"
+)
+
+// IPAddressPrefix describes an IP address prefix as an ASN.1 bit string,
+// where the BitLength field holds the prefix length.
+type IPAddressPrefix asn1.BitString
+
+// IPAddressRange describes an (inclusive) IP address range.
+type IPAddressRange struct {
+	Min IPAddressPrefix
+	Max IPAddressPrefix
+}
+
+// Most relevant values for AFI from:
+// http://www.iana.org/assignments/address-family-numbers.
+const (
+	IPv4AddressFamilyIndicator = uint16(1)
+	IPv6AddressFamilyIndicator = uint16(2)
+)
+
+// IPAddressFamilyBlocks describes a set of ranges of IP addresses.
+type IPAddressFamilyBlocks struct {
+	// AFI holds an address family indicator from
+	// http://www.iana.org/assignments/address-family-numbers.
+	AFI uint16
+	// SAFI holds a subsequent address family indicator from
+	// http://www.iana.org/assignments/safi-namespace.
+	SAFI byte
+	// InheritFromIssuer indicates that the set of addresses should
+	// be taken from the issuer's certificate.
+	InheritFromIssuer bool
+	// AddressPrefixes holds prefixes if InheritFromIssuer is false.
+	AddressPrefixes []IPAddressPrefix
+	// AddressRanges holds ranges if InheritFromIssuer is false.
+	AddressRanges []IPAddressRange
+}
+
+// Internal types for asn1 unmarshalling.
+type ipAddressFamily struct {
+	AddressFamily []byte // 2-byte AFI plus optional 1 byte SAFI
+	Choice        asn1.RawValue
+}
+
+// Internally, use raw asn1.BitString rather than the IPAddressPrefix
+// type alias (so that asn1.Unmarshal() decodes properly).
+type ipAddressRange struct {
+	Min asn1.BitString
+	Max asn1.BitString
+}
+
+func parseRPKIAddrBlocks(data []byte, nfe *NonFatalErrors) []*IPAddressFamilyBlocks {
+	// RFC 3779 2.2.3
+	//   IPAddrBlocks        ::= SEQUENCE OF IPAddressFamily
+	//
+	//   IPAddressFamily     ::= SEQUENCE {    -- AFI & optional SAFI --
+	//      addressFamily        OCTET STRING (SIZE (2..3)),
+	//      ipAddressChoice      IPAddressChoice }
+	//
+	//   IPAddressChoice     ::= CHOICE {
+	//      inherit              NULL, -- inherit from issuer --
+	//      addressesOrRanges    SEQUENCE OF IPAddressOrRange }
+	//
+	//   IPAddressOrRange    ::= CHOICE {
+	//      addressPrefix        IPAddress,
+	//      addressRange         IPAddressRange }
+	//
+	//   IPAddressRange      ::= SEQUENCE {
+	//      min                  IPAddress,
+	//      max                  IPAddress }
+	//
+	//   IPAddress           ::= BIT STRING
+
+	var addrBlocks []ipAddressFamily
+	if rest, err := asn1.Unmarshal(data, &addrBlocks); err != nil {
+		nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks extension: %v", err))
+		return nil
+	} else if len(rest) != 0 {
+		nfe.AddError(errors.New("trailing data after ipAddrBlocks extension"))
+		return nil
+	}
+
+	var results []*IPAddressFamilyBlocks
+	for i, block := range addrBlocks {
+		var fam IPAddressFamilyBlocks
+		if l := len(block.AddressFamily); l < 2 || l > 3 {
+			nfe.AddError(fmt.Errorf("invalid address family length (%d) for ipAddrBlock.addressFamily", l))
+			continue
+		}
+		fam.AFI = binary.BigEndian.Uint16(block.AddressFamily[0:2])
+		if len(block.AddressFamily) > 2 {
+			fam.SAFI = block.AddressFamily[2]
+		}
+		// IPAddressChoice is an ASN.1 CHOICE where the chosen alternative is indicated by (implicit)
+		// tagging of the alternatives -- here, either NULL or SEQUENCE OF.
+		if bytes.Equal(block.Choice.FullBytes, asn1.NullBytes) {
+			fam.InheritFromIssuer = true
+			results = append(results, &fam)
+			continue
+		}
+
+		var addrRanges []asn1.RawValue
+		if _, err := asn1.Unmarshal(block.Choice.FullBytes, &addrRanges); err != nil {
+			nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges: %v", i, err))
+			continue
+		}
+		for j, ar := range addrRanges {
+			// Each IPAddressOrRange is a CHOICE where the alternatives have distinct (implicit)
+			// tags -- here, either BIT STRING or SEQUENCE.
+			switch ar.Tag {
+			case asn1.TagBitString:
+				// BIT STRING for single prefix IPAddress
+				var val asn1.BitString
+				if _, err := asn1.Unmarshal(ar.FullBytes, &val); err != nil {
+					nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges[%d].addressPrefix: %v", i, j, err))
+					continue
+				}
+				fam.AddressPrefixes = append(fam.AddressPrefixes, IPAddressPrefix(val))
+
+			case asn1.TagSequence:
+				var val ipAddressRange
+				if _, err := asn1.Unmarshal(ar.FullBytes, &val); err != nil {
+					nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges[%d].addressRange: %v", i, j, err))
+					continue
+				}
+				fam.AddressRanges = append(fam.AddressRanges, IPAddressRange{Min: IPAddressPrefix(val.Min), Max: IPAddressPrefix(val.Max)})
+
+			default:
+				nfe.AddError(fmt.Errorf("unexpected ASN.1 type in ipAddrBlocks[%d].ipAddressChoice.addressesOrRanges[%d]: %+v", i, j, ar))
+			}
+		}
+		results = append(results, &fam)
+	}
+	return results
+}
+
+// ASIDRange describes an inclusive range of AS Identifiers (AS numbers or routing
+// domain identifiers).
+type ASIDRange struct {
+	Min int
+	Max int
+}
+
+// ASIdentifiers describes a collection of AS Identifiers (AS numbers or routing
+// domain identifiers).
+type ASIdentifiers struct {
+	// InheritFromIssuer indicates that the set of AS identifiers should
+	// be taken from the issuer's certificate.
+	InheritFromIssuer bool
+	// ASIDs holds AS identifiers if InheritFromIssuer is false.
+	ASIDs []int
+	// ASIDs holds AS identifier ranges (inclusive) if InheritFromIssuer is false.
+	ASIDRanges []ASIDRange
+}
+
+type asIdentifiers struct {
+	ASNum asn1.RawValue `asn1:"optional,tag:0"`
+	RDI   asn1.RawValue `asn1:"optional,tag:1"`
+}
+
+func parseASIDChoice(val asn1.RawValue, nfe *NonFatalErrors) *ASIdentifiers {
+	// RFC 3779 2.3.2
+	//   ASIdentifierChoice  ::= CHOICE {
+	//      inherit              NULL, -- inherit from issuer --
+	//      asIdsOrRanges        SEQUENCE OF ASIdOrRange }
+	//   ASIdOrRange         ::= CHOICE {
+	//       id                  ASId,
+	//       range               ASRange }
+	//   ASRange             ::= SEQUENCE {
+	//       min                 ASId,
+	//       max                 ASId }
+	//   ASId                ::= INTEGER
+	if len(val.FullBytes) == 0 { // OPTIONAL
+		return nil
+	}
+	// ASIdentifierChoice is an ASN.1 CHOICE where the chosen alternative is indicated by (implicit)
+	// tagging of the alternatives -- here, either NULL or SEQUENCE OF.
+	if bytes.Equal(val.Bytes, asn1.NullBytes) {
+		return &ASIdentifiers{InheritFromIssuer: true}
+	}
+	var ids []asn1.RawValue
+	if rest, err := asn1.Unmarshal(val.Bytes, &ids); err != nil {
+		nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers.asIdsOrRanges: %v", err))
+		return nil
+	} else if len(rest) != 0 {
+		nfe.AddError(errors.New("trailing data after ASIdentifiers.asIdsOrRanges"))
+		return nil
+	}
+	var asID ASIdentifiers
+	for i, id := range ids {
+		// Each ASIdOrRange is a CHOICE where the alternatives have distinct (implicit)
+		// tags -- here, either INTEGER or SEQUENCE.
+		switch id.Tag {
+		case asn1.TagInteger:
+			var val int
+			if _, err := asn1.Unmarshal(id.FullBytes, &val); err != nil {
+				nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers.asIdsOrRanges[%d].id: %v", i, err))
+				continue
+			}
+			asID.ASIDs = append(asID.ASIDs, val)
+
+		case asn1.TagSequence:
+			var val ASIDRange
+			if _, err := asn1.Unmarshal(id.FullBytes, &val); err != nil {
+				nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers.asIdsOrRanges[%d].range: %v", i, err))
+				continue
+			}
+			asID.ASIDRanges = append(asID.ASIDRanges, val)
+
+		default:
+			nfe.AddError(fmt.Errorf("unexpected value in ASIdentifiers.asIdsOrRanges[%d]: %+v", i, id))
+		}
+	}
+	return &asID
+}
+
+func parseRPKIASIdentifiers(data []byte, nfe *NonFatalErrors) (*ASIdentifiers, *ASIdentifiers) {
+	// RFC 3779 2.3.2
+	//   ASIdentifiers       ::= SEQUENCE {
+	//       asnum               [0] EXPLICIT ASIdentifierChoice OPTIONAL,
+	//       rdi                 [1] EXPLICIT ASIdentifierChoice OPTIONAL}
+	var asIDs asIdentifiers
+	if rest, err := asn1.Unmarshal(data, &asIDs); err != nil {
+		nfe.AddError(fmt.Errorf("failed to asn1.Unmarshal ASIdentifiers extension: %v", err))
+		return nil, nil
+	} else if len(rest) != 0 {
+		nfe.AddError(errors.New("trailing data after ASIdentifiers extension"))
+		return nil, nil
+	}
+	return parseASIDChoice(asIDs.ASNum, nfe), parseASIDChoice(asIDs.RDI, nfe)
+}

vendor/github.com/google/certificate-transparency-go/x509/sec1.go

@@ -18,8 +18,10 @@ const ecPrivKeyVersion = 1
 
 // ecPrivateKey reflects an ASN.1 Elliptic Curve Private Key Structure.
 // References:
+//
 //	RFC 5915
 //	SEC1 - http://www.secg.org/sec1-v2.pdf
+//
 // Per RFC 5915 the NamedCurveOID is marked as ASN.1 OPTIONAL, however in
 // most cases it is not.
 type ecPrivateKey struct {
@@ -29,12 +31,18 @@ type ecPrivateKey struct {
 	PublicKey     asn1.BitString        `asn1:"optional,explicit,tag:1"`
 }
 
-// ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.
+// ParseECPrivateKey parses an EC private key in SEC 1, ASN.1 DER form.
+//
+// This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".
 func ParseECPrivateKey(der []byte) (*ecdsa.PrivateKey, error) {
 	return parseECPrivateKey(nil, der)
 }
 
-// MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.
+// MarshalECPrivateKey converts an EC private key to SEC 1, ASN.1 DER form.
+//
+// This kind of key is commonly encoded in PEM blocks of type "EC PRIVATE KEY".
+// For a more flexible key format which is not EC specific, use
+// MarshalPKCS8PrivateKey.
 func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error) {
 	oid, ok := OIDFromNamedCurve(key.Curve)
 	if !ok {
@@ -66,17 +74,24 @@ func marshalECPrivateKeyWithOID(key *ecdsa.PrivateKey, oid asn1.ObjectIdentifier
 func parseECPrivateKey(namedCurveOID *asn1.ObjectIdentifier, der []byte) (key *ecdsa.PrivateKey, err error) {
 	var privKey ecPrivateKey
 	if _, err := asn1.Unmarshal(der, &privKey); err != nil {
+		if _, err := asn1.Unmarshal(der, &pkcs8{}); err == nil {
+			return nil, errors.New("x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)")
+		}
+		if _, err := asn1.Unmarshal(der, &pkcs1PrivateKey{}); err == nil {
+			return nil, errors.New("x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)")
+		}
 		return nil, errors.New("x509: failed to parse EC private key: " + err.Error())
 	}
 	if privKey.Version != ecPrivKeyVersion {
 		return nil, fmt.Errorf("x509: unknown EC private key version %d", privKey.Version)
 	}
 
+	var nfe NonFatalErrors
 	var curve elliptic.Curve
 	if namedCurveOID != nil {
-		curve = namedCurveFromOID(*namedCurveOID)
+		curve = namedCurveFromOID(*namedCurveOID, &nfe)
 	} else {
-		curve = namedCurveFromOID(privKey.NamedCurveOID)
+		curve = namedCurveFromOID(privKey.NamedCurveOID, &nfe)
 	}
 	if curve == nil {
 		return nil, errors.New("x509: unknown elliptic curve")

vendor/github.com/google/certificate-transparency-go/x509/verify.go

@@ -10,16 +10,17 @@ import (
 	"fmt"
 	"net"
 	"net/url"
+	"os"
 	"reflect"
 	"runtime"
-	"strconv"
 	"strings"
 	"time"
 	"unicode/utf8"
-
-	"github.com/google/certificate-transparency-go/asn1"
 )
 
+// ignoreCN disables interpreting Common Name as a hostname. See issue 24151.
+var ignoreCN = strings.Contains(os.Getenv("GODEBUG"), "x509ignoreCN=1")
+
 type InvalidReason int
 
 const (
@@ -44,21 +45,25 @@ const (
 	NameMismatch
 	// NameConstraintsWithoutSANs results when a leaf certificate doesn't
 	// contain a Subject Alternative Name extension, but a CA certificate
-	// contains name constraints.
+	// contains name constraints, and the Common Name can be interpreted as
+	// a hostname.
+	//
+	// You can avoid this error by setting the experimental GODEBUG environment
+	// variable to "x509ignoreCN=1", disabling Common Name matching entirely.
+	// This behavior might become the default in the future.
 	NameConstraintsWithoutSANs
 	// UnconstrainedName results when a CA certificate contains permitted
 	// name constraints, but leaf certificate contains a name of an
 	// unsupported or unconstrained type.
 	UnconstrainedName
-	// TooManyConstraints results when the number of comparision operations
+	// TooManyConstraints results when the number of comparison operations
 	// needed to check a certificate exceeds the limit set by
 	// VerifyOptions.MaxConstraintComparisions. This limit exists to
 	// prevent pathological certificates can consuming excessive amounts of
 	// CPU time to verify.
 	TooManyConstraints
 	// CANotAuthorizedForExtKeyUsage results when an intermediate or root
-	// certificate does not permit an extended key usage that is claimed by
-	// the leaf certificate.
+	// certificate does not permit a requested extended key usage.
 	CANotAuthorizedForExtKeyUsage
 )
 
@@ -75,7 +80,7 @@ func (e CertificateInvalidError) Error() string {
 	case NotAuthorizedToSign:
 		return "x509: certificate is not authorized to sign other certificates"
 	case Expired:
-		return "x509: certificate has expired or is not yet valid"
+		return "x509: certificate has expired or is not yet valid: " + e.Detail
 	case CANotAuthorizedForThisName:
 		return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail
 	case CANotAuthorizedForExtKeyUsage:
@@ -83,7 +88,7 @@ func (e CertificateInvalidError) Error() string {
 	case TooManyIntermediates:
 		return "x509: too many intermediates for path length constraint"
 	case IncompatibleUsage:
-		return "x509: certificate specifies an incompatible key usage: " + e.Detail
+		return "x509: certificate specifies an incompatible key usage"
 	case NameMismatch:
 		return "x509: issuer name does not match subject from issuing certificate"
 	case NameConstraintsWithoutSANs:
@@ -104,6 +109,12 @@ type HostnameError struct {
 func (h HostnameError) Error() string {
 	c := h.Certificate
 
+	if !c.hasSANExtension() && !validHostname(c.Subject.CommonName) &&
+		matchHostnames(toLowerCaseASCII(c.Subject.CommonName), toLowerCaseASCII(h.Host)) {
+		// This would have validated, if it weren't for the validHostname check on Common Name.
+		return "x509: Common Name is not a valid hostname: " + c.Subject.CommonName
+	}
+
 	var valid string
 	if ip := net.ParseIP(h.Host); ip != nil {
 		// Trying to validate an IP
@@ -117,10 +128,10 @@ func (h HostnameError) Error() string {
 			valid += san.String()
 		}
 	} else {
-		if c.hasSANExtension() {
-			valid = strings.Join(c.DNSNames, ", ")
-		} else {
+		if c.commonNameAsHostname() {
 			valid = c.Subject.CommonName
+		} else {
+			valid = strings.Join(c.DNSNames, ", ")
 		}
 	}
 
@@ -193,9 +204,8 @@ type VerifyOptions struct {
 	// list means ExtKeyUsageServerAuth. To accept any key usage, include
 	// ExtKeyUsageAny.
 	//
-	// Certificate chains are required to nest extended key usage values,
-	// irrespective of this value. This matches the Windows CryptoAPI behavior,
-	// but not the spec.
+	// Certificate chains are required to nest these extended key usage values.
+	// (This matches the Windows CryptoAPI behavior, but not the spec.)
 	KeyUsages []ExtKeyUsage
 	// MaxConstraintComparisions is the maximum number of comparisons to
 	// perform when checking a given certificate's name constraints. If
@@ -219,10 +229,9 @@ type rfc2821Mailbox struct {
 }
 
 // parseRFC2821Mailbox parses an email address into local and domain parts,
-// based on the ABNF for a “Mailbox” from RFC 2821. According to
-// https://tools.ietf.org/html/rfc5280#section-4.2.1.6 that's correct for an
-// rfc822Name from a certificate: “The format of an rfc822Name is a "Mailbox"
-// as defined in https://tools.ietf.org/html/rfc2821#section-4.1.2”.
+// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280,
+// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The
+// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”.
 func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 	if len(in) == 0 {
 		return mailbox, false
@@ -239,9 +248,8 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 		// quoted-pair = ("\" text) / obs-qp
 		// text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text
 		//
-		// (Names beginning with “obs-” are the obsolete syntax from
-		// https://tools.ietf.org/html/rfc2822#section-4. Since it has
-		// been 16 years, we no longer accept that.)
+		// (Names beginning with “obs-” are the obsolete syntax from RFC 2822,
+		// Section 4. Since it has been 16 years, we no longer accept that.)
 		in = in[1:]
 	QuotedString:
 		for {
@@ -295,7 +303,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 		// Atom ("." Atom)*
 	NextChar:
 		for len(in) > 0 {
-			// atext from https://tools.ietf.org/html/rfc2822#section-3.2.4
+			// atext from RFC 2822, Section 3.2.4
 			c := in[0]
 
 			switch {
@@ -331,7 +339,7 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 			return mailbox, false
 		}
 
-		// https://tools.ietf.org/html/rfc3696#section-3
+		// From RFC 3696, Section 3:
 		// “period (".") may also appear, but may not be used to start
 		// or end the local part, nor may two or more consecutive
 		// periods appear.”
@@ -368,7 +376,7 @@ func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
 			reverseLabels = append(reverseLabels, domain)
 			domain = ""
 		} else {
-			reverseLabels = append(reverseLabels, domain[i+1:len(domain)])
+			reverseLabels = append(reverseLabels, domain[i+1:])
 			domain = domain[:i]
 		}
 	}
@@ -412,7 +420,7 @@ func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, erro
 }
 
 func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
-	// https://tools.ietf.org/html/rfc5280#section-4.2.1.10
+	// From RFC 5280, Section 4.2.1.10:
 	// “a uniformResourceIdentifier that does not include an authority
 	// component with a host name specified as a fully qualified domain
 	// name (e.g., if the URI either does not include an authority
@@ -557,51 +565,6 @@ func (c *Certificate) checkNameConstraints(count *int,
 	return nil
 }
 
-const (
-	checkingAgainstIssuerCert = iota
-	checkingAgainstLeafCert
-)
-
-// ekuPermittedBy returns true iff the given extended key usage is permitted by
-// the given EKU from a certificate. Normally, this would be a simple
-// comparison plus a special case for the “any” EKU. But, in order to support
-// existing certificates, some exceptions are made.
-func ekuPermittedBy(eku, certEKU ExtKeyUsage, context int) bool {
-	if certEKU == ExtKeyUsageAny || eku == certEKU {
-		return true
-	}
-
-	// Some exceptions are made to support existing certificates. Firstly,
-	// the ServerAuth and SGC EKUs are treated as a group.
-	mapServerAuthEKUs := func(eku ExtKeyUsage) ExtKeyUsage {
-		if eku == ExtKeyUsageNetscapeServerGatedCrypto || eku == ExtKeyUsageMicrosoftServerGatedCrypto {
-			return ExtKeyUsageServerAuth
-		}
-		return eku
-	}
-
-	eku = mapServerAuthEKUs(eku)
-	certEKU = mapServerAuthEKUs(certEKU)
-
-	if eku == certEKU {
-		return true
-	}
-
-	// If checking a requested EKU against the list in a leaf certificate there
-	// are fewer exceptions.
-	if context == checkingAgainstLeafCert {
-		return false
-	}
-
-	// ServerAuth in a CA permits ClientAuth in the leaf.
-	return (eku == ExtKeyUsageClientAuth && certEKU == ExtKeyUsageServerAuth) ||
-		// Any CA may issue an OCSP responder certificate.
-		eku == ExtKeyUsageOCSPSigning ||
-		// Code-signing CAs can use Microsoft's commercial and
-		// kernel-mode EKUs.
-		(eku == ExtKeyUsageMicrosoftCommercialCodeSigning || eku == ExtKeyUsageMicrosoftKernelCodeSigning) && certEKU == ExtKeyUsageCodeSigning
-}
-
 // isValid performs validity checks on c given that it is a candidate to append
 // to the chain in currentChain.
 func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *VerifyOptions) error {
@@ -621,8 +584,18 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 		if now.IsZero() {
 			now = time.Now()
 		}
-		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
-			return CertificateInvalidError{c, Expired, ""}
+		if now.Before(c.NotBefore) {
+			return CertificateInvalidError{
+				Cert:   c,
+				Reason: Expired,
+				Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)),
+			}
+		} else if now.After(c.NotAfter) {
+			return CertificateInvalidError{
+				Cert:   c,
+				Reason: Expired,
+				Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)),
+			}
 		}
 	}
 
@@ -640,17 +613,16 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 		leaf = currentChain[0]
 	}
 
-	if !opts.DisableNameConstraintChecks && (certType == intermediateCertificate || certType == rootCertificate) && c.hasNameConstraints() {
-		sanExtension, ok := leaf.getSANExtension()
-		if !ok {
-			// This is the deprecated, legacy case of depending on
-			// the CN as a hostname. Chains modern enough to be
-			// using name constraints should not be depending on
-			// CNs.
+	checkNameConstraints := !opts.DisableNameConstraintChecks && (certType == intermediateCertificate || certType == rootCertificate) && c.hasNameConstraints()
+	if checkNameConstraints && leaf.commonNameAsHostname() {
+		// This is the deprecated, legacy case of depending on the commonName as
+		// a hostname. We don't enforce name constraints against the CN, but
+		// VerifyHostname will look for hostnames in there if there are no SANs.
+		// In order to ensure VerifyHostname will not accept an unchecked name,
+		// return an error here.
 		return CertificateInvalidError{c, NameConstraintsWithoutSANs, ""}
-		}
-
-		err := forEachSAN(sanExtension, func(tag int, data []byte) error {
+	} else if checkNameConstraints && leaf.hasSANExtension() {
+		err := forEachSAN(leaf.getSANExtension(), func(tag int, data []byte) error {
 			switch tag {
 			case nameTypeEmail:
 				name := string(data)
@@ -718,59 +690,6 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 		}
 	}
 
-	checkEKUs := !opts.DisableEKUChecks && certType == intermediateCertificate
-
-	// If no extended key usages are specified, then all are acceptable.
-	if checkEKUs && (len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0) {
-		checkEKUs = false
-	}
-
-	// If the “any” key usage is permitted, then no more checks are needed.
-	if checkEKUs {
-		for _, caEKU := range c.ExtKeyUsage {
-			comparisonCount++
-			if caEKU == ExtKeyUsageAny {
-				checkEKUs = false
-				break
-			}
-		}
-	}
-
-	if checkEKUs {
-	NextEKU:
-		for _, eku := range leaf.ExtKeyUsage {
-			if comparisonCount > maxConstraintComparisons {
-				return CertificateInvalidError{c, TooManyConstraints, ""}
-			}
-
-			for _, caEKU := range c.ExtKeyUsage {
-				comparisonCount++
-				if ekuPermittedBy(eku, caEKU, checkingAgainstIssuerCert) {
-					continue NextEKU
-				}
-			}
-
-			oid, _ := oidFromExtKeyUsage(eku)
-			return CertificateInvalidError{c, CANotAuthorizedForExtKeyUsage, fmt.Sprintf("EKU not permitted: %#v", oid)}
-		}
-
-	NextUnknownEKU:
-		for _, eku := range leaf.UnknownExtKeyUsage {
-			if comparisonCount > maxConstraintComparisons {
-				return CertificateInvalidError{c, TooManyConstraints, ""}
-			}
-
-			for _, caEKU := range c.UnknownExtKeyUsage {
-				comparisonCount++
-				if caEKU.Equal(eku) {
-					continue NextUnknownEKU
-				}
-			}
-
-			return CertificateInvalidError{c, CANotAuthorizedForExtKeyUsage, fmt.Sprintf("EKU not permitted: %#v", eku)}
-		}
-	}
-
 	// KeyUsage status flags are ignored. From Engineering Security, Peter
 	// Gutmann: A European government CA marked its signing certificates as
 	// being valid for encryption only, but no-one noticed. Another
@@ -802,18 +721,6 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 	return nil
 }
 
-// formatOID formats an ASN.1 OBJECT IDENTIFER in the common, dotted style.
-func formatOID(oid asn1.ObjectIdentifier) string {
-	ret := ""
-	for i, v := range oid {
-		if i > 0 {
-			ret += "."
-		}
-		ret += strconv.Itoa(v)
-	}
-	return ret
-}
-
 // Verify attempts to verify c by building one or more chains from c to a
 // certificate in opts.Roots, using certificates in opts.Intermediates if
 // needed. If successful, it returns one or more chains where the first
@@ -871,64 +778,39 @@ func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err e
 		}
 	}
 
-	requestedKeyUsages := make([]ExtKeyUsage, len(opts.KeyUsages))
-	copy(requestedKeyUsages, opts.KeyUsages)
-	if len(requestedKeyUsages) == 0 {
-		requestedKeyUsages = append(requestedKeyUsages, ExtKeyUsageServerAuth)
-	}
-
-	// If no key usages are specified, then any are acceptable.
-	checkEKU := !opts.DisableEKUChecks && len(c.ExtKeyUsage) > 0
-
-	for _, eku := range requestedKeyUsages {
-		if eku == ExtKeyUsageAny {
-			checkEKU = false
-			break
-		}
-	}
-
-	if checkEKU {
-		foundMatch := false
-	NextUsage:
-		for _, eku := range requestedKeyUsages {
-			for _, leafEKU := range c.ExtKeyUsage {
-				if ekuPermittedBy(eku, leafEKU, checkingAgainstLeafCert) {
-					foundMatch = true
-					break NextUsage
-				}
-			}
-		}
-
-		if !foundMatch {
-			msg := "leaf contains the following, recognized EKUs: "
-
-			for i, leafEKU := range c.ExtKeyUsage {
-				oid, ok := oidFromExtKeyUsage(leafEKU)
-				if !ok {
-					continue
-				}
-
-				if i > 0 {
-					msg += ", "
-				}
-				msg += formatOID(oid)
-			}
-
-			return nil, CertificateInvalidError{c, IncompatibleUsage, msg}
-		}
-	}
-
 	var candidateChains [][]*Certificate
 	if opts.Roots.contains(c) {
 		candidateChains = append(candidateChains, []*Certificate{c})
 	} else {
-		if candidateChains, err = c.buildChains(make(map[int][][]*Certificate), []*Certificate{c}, &opts); err != nil {
+		if candidateChains, err = c.buildChains(nil, []*Certificate{c}, nil, &opts); err != nil {
 			return nil, err
 		}
 	}
 
+	keyUsages := opts.KeyUsages
+	if len(keyUsages) == 0 {
+		keyUsages = []ExtKeyUsage{ExtKeyUsageServerAuth}
+	}
+
+	// If any key usage is acceptable then we're done.
+	for _, usage := range keyUsages {
+		if usage == ExtKeyUsageAny {
 			return candidateChains, nil
 		}
+	}
+
+	for _, candidate := range candidateChains {
+		if opts.DisableEKUChecks || checkChainForKeyUsage(candidate, keyUsages) {
+			chains = append(chains, candidate)
+		}
+	}
+
+	if len(chains) == 0 {
+		return nil, CertificateInvalidError{c, IncompatibleUsage, ""}
+	}
+
+	return chains, nil
+}
 
 func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate {
 	n := make([]*Certificate, len(chain)+1)
@@ -937,64 +819,138 @@ func appendToFreshChain(chain []*Certificate, cert *Certificate) []*Certificate
 	return n
 }
 
-func (c *Certificate) buildChains(cache map[int][][]*Certificate, currentChain []*Certificate, opts *VerifyOptions) (chains [][]*Certificate, err error) {
-	possibleRoots, failedRoot, rootErr := opts.Roots.findVerifiedParents(c)
-nextRoot:
-	for _, rootNum := range possibleRoots {
-		root := opts.Roots.certs[rootNum]
+// maxChainSignatureChecks is the maximum number of CheckSignatureFrom calls
+// that an invocation of buildChains will (tranistively) make. Most chains are
+// less than 15 certificates long, so this leaves space for multiple chains and
+// for failed checks due to different intermediates having the same Subject.
+const maxChainSignatureChecks = 100
 
+func (c *Certificate) buildChains(cache map[*Certificate][][]*Certificate, currentChain []*Certificate, sigChecks *int, opts *VerifyOptions) (chains [][]*Certificate, err error) {
+	var (
+		hintErr  error
+		hintCert *Certificate
+	)
+
+	considerCandidate := func(certType int, candidate *Certificate) {
 		for _, cert := range currentChain {
-			if cert.Equal(root) {
-				continue nextRoot
+			if cert.Equal(candidate) {
+				return
 			}
 		}
 
-		err = root.isValid(rootCertificate, currentChain, opts)
-		if err != nil {
-			continue
+		if sigChecks == nil {
+			sigChecks = new(int)
 		}
-		chains = append(chains, appendToFreshChain(currentChain, root))
+		*sigChecks++
+		if *sigChecks > maxChainSignatureChecks {
+			err = errors.New("x509: signature check attempts limit reached while verifying certificate chain")
+			return
 		}
 
-	possibleIntermediates, failedIntermediate, intermediateErr := opts.Intermediates.findVerifiedParents(c)
-nextIntermediate:
-	for _, intermediateNum := range possibleIntermediates {
-		intermediate := opts.Intermediates.certs[intermediateNum]
-		for _, cert := range currentChain {
-			if cert.Equal(intermediate) {
-				continue nextIntermediate
+		if err := c.CheckSignatureFrom(candidate); err != nil {
+			if hintErr == nil {
+				hintErr = err
+				hintCert = candidate
 			}
+			return
 		}
-		err = intermediate.isValid(intermediateCertificate, currentChain, opts)
+
+		err = candidate.isValid(certType, currentChain, opts)
 		if err != nil {
-			continue
+			return
 		}
-		var childChains [][]*Certificate
-		childChains, ok := cache[intermediateNum]
+
+		switch certType {
+		case rootCertificate:
+			chains = append(chains, appendToFreshChain(currentChain, candidate))
+		case intermediateCertificate:
+			if cache == nil {
+				cache = make(map[*Certificate][][]*Certificate)
+			}
+			childChains, ok := cache[candidate]
 			if !ok {
-			childChains, err = intermediate.buildChains(cache, appendToFreshChain(currentChain, intermediate), opts)
-			cache[intermediateNum] = childChains
+				childChains, err = candidate.buildChains(cache, appendToFreshChain(currentChain, candidate), sigChecks, opts)
+				cache[candidate] = childChains
 			}
 			chains = append(chains, childChains...)
 		}
+	}
+
+	for _, rootNum := range opts.Roots.findPotentialParents(c) {
+		considerCandidate(rootCertificate, opts.Roots.certs[rootNum])
+	}
+	for _, intermediateNum := range opts.Intermediates.findPotentialParents(c) {
+		considerCandidate(intermediateCertificate, opts.Intermediates.certs[intermediateNum])
+	}
 
 	if len(chains) > 0 {
 		err = nil
 	}
-
 	if len(chains) == 0 && err == nil {
-		hintErr := rootErr
-		hintCert := failedRoot
-		if hintErr == nil {
-			hintErr = intermediateErr
-			hintCert = failedIntermediate
-		}
 		err = UnknownAuthorityError{c, hintErr, hintCert}
 	}
 
 	return
 }
 
+// validHostname reports whether host is a valid hostname that can be matched or
+// matched against according to RFC 6125 2.2, with some leniency to accommodate
+// legacy values.
+func validHostname(host string) bool {
+	host = strings.TrimSuffix(host, ".")
+
+	if len(host) == 0 {
+		return false
+	}
+
+	for i, part := range strings.Split(host, ".") {
+		if part == "" {
+			// Empty label.
+			return false
+		}
+		if i == 0 && part == "*" {
+			// Only allow full left-most wildcards, as those are the only ones
+			// we match, and matching literal '*' characters is probably never
+			// the expected behavior.
+			continue
+		}
+		for j, c := range part {
+			if 'a' <= c && c <= 'z' {
+				continue
+			}
+			if '0' <= c && c <= '9' {
+				continue
+			}
+			if 'A' <= c && c <= 'Z' {
+				continue
+			}
+			if c == '-' && j != 0 {
+				continue
+			}
+			if c == '_' || c == ':' {
+				// Not valid characters in hostnames, but commonly
+				// found in deployments outside the WebPKI.
+				continue
+			}
+			return false
+		}
+	}
+
+	return true
+}
+
+// commonNameAsHostname reports whether the Common Name field should be
+// considered the hostname that the certificate is valid for. This is a legacy
+// behavior, disabled if the Subject Alt Name extension is present.
+//
+// It applies the strict validHostname check to the Common Name field, so that
+// certificates without SANs can still be validated against CAs with name
+// constraints if there is no risk the CN would be matched as a hostname.
+// See NameConstraintsWithoutSANs and issue 24151.
+func (c *Certificate) commonNameAsHostname() bool {
+	return !ignoreCN && !c.hasSANExtension() && validHostname(c.Subject.CommonName)
+}
+
 func matchHostnames(pattern, host string) bool {
 	host = strings.TrimSuffix(host, ".")
 	pattern = strings.TrimSuffix(pattern, ".")
@@ -1064,7 +1020,7 @@ func (c *Certificate) VerifyHostname(h string) error {
 	}
 	if ip := net.ParseIP(candidateIP); ip != nil {
 		// We only match IP addresses against IP SANs.
-		// https://tools.ietf.org/html/rfc6125#appendix-B.2
+		// See RFC 6125, Appendix B.2.
 		for _, candidate := range c.IPAddresses {
 			if ip.Equal(candidate) {
 				return nil
@@ -1075,16 +1031,79 @@ func (c *Certificate) VerifyHostname(h string) error {
 
 	lowered := toLowerCaseASCII(h)
 
-	if c.hasSANExtension() {
+	if c.commonNameAsHostname() {
+		if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {
+			return nil
+		}
+	} else {
 		for _, match := range c.DNSNames {
 			if matchHostnames(toLowerCaseASCII(match), lowered) {
 				return nil
 			}
 		}
-		// If Subject Alt Name is given, we ignore the common name.
-	} else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {
-		return nil
 	}
 
 	return HostnameError{c, h}
 }
+
+func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
+	usages := make([]ExtKeyUsage, len(keyUsages))
+	copy(usages, keyUsages)
+
+	if len(chain) == 0 {
+		return false
+	}
+
+	usagesRemaining := len(usages)
+
+	// We walk down the list and cross out any usages that aren't supported
+	// by each certificate. If we cross out all the usages, then the chain
+	// is unacceptable.
+
+NextCert:
+	for i := len(chain) - 1; i >= 0; i-- {
+		cert := chain[i]
+		if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
+			// The certificate doesn't have any extended key usage specified.
+			continue
+		}
+
+		for _, usage := range cert.ExtKeyUsage {
+			if usage == ExtKeyUsageAny {
+				// The certificate is explicitly good for any usage.
+				continue NextCert
+			}
+		}
+
+		const invalidUsage ExtKeyUsage = -1
+
+	NextRequestedUsage:
+		for i, requestedUsage := range usages {
+			if requestedUsage == invalidUsage {
+				continue
+			}
+
+			for _, usage := range cert.ExtKeyUsage {
+				if requestedUsage == usage {
+					continue NextRequestedUsage
+				} else if requestedUsage == ExtKeyUsageServerAuth &&
+					(usage == ExtKeyUsageNetscapeServerGatedCrypto ||
+						usage == ExtKeyUsageMicrosoftServerGatedCrypto) {
+					// In order to support COMODO
+					// certificate chains, we have to
+					// accept Netscape or Microsoft SGC
+					// usages as equal to ServerAuth.
+					continue NextRequestedUsage
+				}
+			}
+
+			usages[i] = invalidUsage
+			usagesRemaining--
+			if usagesRemaining == 0 {
+				return false
+			}
+		}
+	}
+
+	return true
+}

vendor/github.com/googleapis/enterprise-certificate-proxy/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/googleapis/enterprise-certificate-proxy/client/client.go

@@ -0,0 +1,151 @@
+// Copyright 2022 Google LLC.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+//
+// Client is a cross-platform client for the signer binary (a.k.a."EnterpriseCertSigner").
+// The signer binary is OS-specific, but exposes a standard set of APIs for the client to use.
+package client
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/gob"
+	"fmt"
+	"io"
+	"net/rpc"
+	"os"
+	"os/exec"
+
+	"github.com/googleapis/enterprise-certificate-proxy/client/util"
+)
+
+const signAPI = "EnterpriseCertSigner.Sign"
+const certificateChainAPI = "EnterpriseCertSigner.CertificateChain"
+const publicKeyAPI = "EnterpriseCertSigner.Public"
+
+// A Connection wraps a pair of unidirectional streams as an io.ReadWriteCloser.
+type Connection struct {
+	io.ReadCloser
+	io.WriteCloser
+}
+
+// Close closes c's underlying ReadCloser and WriteCloser.
+func (c *Connection) Close() error {
+	rerr := c.ReadCloser.Close()
+	werr := c.WriteCloser.Close()
+	if rerr != nil {
+		return rerr
+	}
+	return werr
+}
+
+func init() {
+	gob.Register(crypto.SHA256)
+	gob.Register(&rsa.PSSOptions{})
+}
+
+// SignArgs contains arguments to a crypto Signer.Sign method.
+type SignArgs struct {
+	Digest []byte            // The content to sign.
+	Opts   crypto.SignerOpts // Options for signing, such as Hash identifier.
+}
+
+// Key implements credential.Credential by holding the executed signer subprocess.
+type Key struct {
+	cmd       *exec.Cmd        // Pointer to the signer subprocess.
+	client    *rpc.Client      // Pointer to the rpc client that communicates with the signer subprocess.
+	publicKey crypto.PublicKey // Public key of loaded certificate.
+	chain     [][]byte         // Certificate chain of loaded certificate.
+}
+
+// CertificateChain returns the credential as a raw X509 cert chain. This contains the public key.
+func (k *Key) CertificateChain() [][]byte {
+	return k.chain
+}
+
+// Close closes the RPC connection and kills the signer subprocess.
+// Call this to free up resources when the Key object is no longer needed.
+func (k *Key) Close() error {
+	if err := k.client.Close(); err != nil {
+		return fmt.Errorf("failed to close RPC connection: %w", err)
+	}
+	if err := k.cmd.Process.Kill(); err != nil {
+		return fmt.Errorf("failed to kill signer process: %w", err)
+	}
+	if err := k.cmd.Wait(); err.Error() != "signal: killed" {
+		return fmt.Errorf("signer process was not killed: %w", err)
+	}
+	return nil
+}
+
+// Public returns the public key for this Key.
+func (k *Key) Public() crypto.PublicKey {
+	return k.publicKey
+}
+
+// Sign signs a message by encrypting a message digest, using the specified signer options.
+func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed []byte, err error) {
+	err = k.client.Call(signAPI, SignArgs{Digest: digest, Opts: opts}, &signed)
+	return
+}
+
+// Cred spawns a signer subprocess that listens on stdin/stdout to perform certificate
+// related operations, including signing messages with the private key.
+//
+// The signer binary path is read from the specified configFilePath, if provided.
+// Otherwise, use the default config file path.
+//
+// The config file also specifies which certificate the signer should use.
+func Cred(configFilePath string) (*Key, error) {
+	if configFilePath == "" {
+		configFilePath = util.GetDefaultConfigFilePath()
+	}
+	enterpriseCertSignerPath, err := util.LoadSignerBinaryPath(configFilePath)
+	if err != nil {
+		return nil, err
+	}
+	k := &Key{
+		cmd: exec.Command(enterpriseCertSignerPath, configFilePath),
+	}
+
+	// Redirect errors from subprocess to parent process.
+	k.cmd.Stderr = os.Stderr
+
+	// RPC client will communicate with subprocess over stdin/stdout.
+	kin, err := k.cmd.StdinPipe()
+	if err != nil {
+		return nil, err
+	}
+	kout, err := k.cmd.StdoutPipe()
+	if err != nil {
+		return nil, err
+	}
+	k.client = rpc.NewClient(&Connection{kout, kin})
+
+	if err := k.cmd.Start(); err != nil {
+		return nil, fmt.Errorf("starting enterprise cert signer subprocess: %w", err)
+	}
+
+	if err := k.client.Call(certificateChainAPI, struct{}{}, &k.chain); err != nil {
+		return nil, fmt.Errorf("failed to retrieve certificate chain: %w", err)
+	}
+
+	var publicKeyBytes []byte
+	if err := k.client.Call(publicKeyAPI, struct{}{}, &publicKeyBytes); err != nil {
+		return nil, fmt.Errorf("failed to retrieve public key: %w", err)
+	}
+
+	publicKey, err := x509.ParsePKIXPublicKey(publicKeyBytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	var ok bool
+	k.publicKey, ok = publicKey.(crypto.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("invalid public key type: %T", publicKey)
+	}
+
+	return k, nil
+}

vendor/github.com/googleapis/enterprise-certificate-proxy/client/util/util.go

@@ -0,0 +1,72 @@
+// Package util provides helper functions for the client.
+package util
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+	"os"
+	"os/user"
+	"path/filepath"
+	"runtime"
+)
+
+const configFileName = "enterprise_certificate_config.json"
+
+// EnterpriseCertificateConfig contains parameters for initializing signer.
+type EnterpriseCertificateConfig struct {
+	Libs Libs `json:"libs"`
+}
+
+// Libs specifies the locations of helper libraries.
+type Libs struct {
+	SignerBinary string `json:"signer_binary"`
+}
+
+// LoadSignerBinaryPath retrieves the path of the signer binary from the config file.
+func LoadSignerBinaryPath(configFilePath string) (path string, err error) {
+	jsonFile, err := os.Open(configFilePath)
+	if err != nil {
+		return "", err
+	}
+
+	byteValue, err := ioutil.ReadAll(jsonFile)
+	if err != nil {
+		return "", err
+	}
+	var config EnterpriseCertificateConfig
+	err = json.Unmarshal(byteValue, &config)
+	if err != nil {
+		return "", err
+	}
+	signerBinaryPath := config.Libs.SignerBinary
+	if signerBinaryPath == "" {
+		return "", errors.New("Signer binary path is missing.")
+	}
+	return signerBinaryPath, nil
+}
+
+func guessHomeDir() string {
+	// Prefer $HOME over user.Current due to glibc bug: golang.org/issue/13470
+	if v := os.Getenv("HOME"); v != "" {
+		return v
+	}
+	// Else, fall back to user.Current:
+	if u, err := user.Current(); err == nil {
+		return u.HomeDir
+	}
+	return ""
+}
+
+func getDefaultConfigFileDirectory() (directory string) {
+	if runtime.GOOS == "windows" {
+		return filepath.Join(os.Getenv("APPDATA"), "gcloud")
+	} else {
+		return filepath.Join(guessHomeDir(), ".config/gcloud")
+	}
+}
+
+// GetDefaultConfigFilePath returns the default path of the enterprise certificate config file created by gCloud.
+func GetDefaultConfigFilePath() (path string) {
+	return filepath.Join(getDefaultConfigFileDirectory(), configFileName)
+}

vendor/github.com/googleapis/gax-go/v2/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+    "v2": "2.4.0"
+}

vendor/github.com/googleapis/gax-go/v2/CHANGES.md

@@ -0,0 +1,18 @@
+# Changelog
+
+## [2.4.0](https://github.com/googleapis/gax-go/compare/v2.3.0...v2.4.0) (2022-05-09)
+
+
+### Features
+
+* **v2:** add OnHTTPCodes CallOption ([#188](https://github.com/googleapis/gax-go/issues/188)) ([ba7c534](https://github.com/googleapis/gax-go/commit/ba7c5348363ab6c33e1cee3c03c0be68a46ca07c))
+
+
+### Bug Fixes
+
+* **v2/apierror:** use errors.As in FromError ([#189](https://github.com/googleapis/gax-go/issues/189)) ([f30f05b](https://github.com/googleapis/gax-go/commit/f30f05be583828f4c09cca4091333ea88ff8d79e))
+
+
+### Miscellaneous Chores
+
+* **v2:** bump release-please processing ([#192](https://github.com/googleapis/gax-go/issues/192)) ([56172f9](https://github.com/googleapis/gax-go/commit/56172f971d1141d7687edaac053ad3470af76719))

vendor/github.com/googleapis/gax-go/v2/apierror/apierror.go

@@ -0,0 +1,298 @@
+// Copyright 2021, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// Package apierror implements a wrapper error for parsing error details from
+// API calls. Both HTTP & gRPC status errors are supported.
+package apierror
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	jsonerror "github.com/googleapis/gax-go/v2/apierror/internal/proto"
+	"google.golang.org/api/googleapi"
+	"google.golang.org/genproto/googleapis/rpc/errdetails"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+// ErrDetails holds the google/rpc/error_details.proto messages.
+type ErrDetails struct {
+	ErrorInfo           *errdetails.ErrorInfo
+	BadRequest          *errdetails.BadRequest
+	PreconditionFailure *errdetails.PreconditionFailure
+	QuotaFailure        *errdetails.QuotaFailure
+	RetryInfo           *errdetails.RetryInfo
+	ResourceInfo        *errdetails.ResourceInfo
+	RequestInfo         *errdetails.RequestInfo
+	DebugInfo           *errdetails.DebugInfo
+	Help                *errdetails.Help
+	LocalizedMessage    *errdetails.LocalizedMessage
+
+	// Unknown stores unidentifiable error details.
+	Unknown []interface{}
+}
+
+func (e ErrDetails) String() string {
+	var d strings.Builder
+	if e.ErrorInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = ErrorInfo reason = %s domain = %s metadata = %s\n",
+			e.ErrorInfo.GetReason(), e.ErrorInfo.GetDomain(), e.ErrorInfo.GetMetadata()))
+	}
+
+	if e.BadRequest != nil {
+		v := e.BadRequest.GetFieldViolations()
+		var f []string
+		var desc []string
+		for _, x := range v {
+			f = append(f, x.GetField())
+			desc = append(desc, x.GetDescription())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = BadRequest field = %s desc = %s\n",
+			strings.Join(f, " "), strings.Join(desc, " ")))
+	}
+
+	if e.PreconditionFailure != nil {
+		v := e.PreconditionFailure.GetViolations()
+		var t []string
+		var s []string
+		var desc []string
+		for _, x := range v {
+			t = append(t, x.GetType())
+			s = append(s, x.GetSubject())
+			desc = append(desc, x.GetDescription())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = PreconditionFailure type = %s subj = %s desc = %s\n", strings.Join(t, " "),
+			strings.Join(s, " "), strings.Join(desc, " ")))
+	}
+
+	if e.QuotaFailure != nil {
+		v := e.QuotaFailure.GetViolations()
+		var s []string
+		var desc []string
+		for _, x := range v {
+			s = append(s, x.GetSubject())
+			desc = append(desc, x.GetDescription())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = QuotaFailure subj = %s desc = %s\n",
+			strings.Join(s, " "), strings.Join(desc, " ")))
+	}
+
+	if e.RequestInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = RequestInfo id = %s data = %s\n",
+			e.RequestInfo.GetRequestId(), e.RequestInfo.GetServingData()))
+	}
+
+	if e.ResourceInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = ResourceInfo type = %s resourcename = %s owner = %s desc = %s\n",
+			e.ResourceInfo.GetResourceType(), e.ResourceInfo.GetResourceName(),
+			e.ResourceInfo.GetOwner(), e.ResourceInfo.GetDescription()))
+
+	}
+	if e.RetryInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: retry in %s\n", e.RetryInfo.GetRetryDelay().AsDuration()))
+
+	}
+	if e.Unknown != nil {
+		var s []string
+		for _, x := range e.Unknown {
+			s = append(s, fmt.Sprintf("%v", x))
+		}
+		d.WriteString(fmt.Sprintf("error details: name = Unknown  desc = %s\n", strings.Join(s, " ")))
+	}
+
+	if e.DebugInfo != nil {
+		d.WriteString(fmt.Sprintf("error details: name = DebugInfo detail = %s stack = %s\n", e.DebugInfo.GetDetail(),
+			strings.Join(e.DebugInfo.GetStackEntries(), " ")))
+	}
+	if e.Help != nil {
+		var desc []string
+		var url []string
+		for _, x := range e.Help.Links {
+			desc = append(desc, x.GetDescription())
+			url = append(url, x.GetUrl())
+		}
+		d.WriteString(fmt.Sprintf("error details: name = Help desc = %s url = %s\n",
+			strings.Join(desc, " "), strings.Join(url, " ")))
+	}
+	if e.LocalizedMessage != nil {
+		d.WriteString(fmt.Sprintf("error details: name = LocalizedMessage locale = %s msg = %s\n",
+			e.LocalizedMessage.GetLocale(), e.LocalizedMessage.GetMessage()))
+	}
+
+	return d.String()
+}
+
+// APIError wraps either a gRPC Status error or a HTTP googleapi.Error. It
+// implements error and Status interfaces.
+type APIError struct {
+	err     error
+	status  *status.Status
+	httpErr *googleapi.Error
+	details ErrDetails
+}
+
+// Details presents the error details of the APIError.
+func (a *APIError) Details() ErrDetails {
+	return a.details
+}
+
+// Unwrap extracts the original error.
+func (a *APIError) Unwrap() error {
+	return a.err
+}
+
+// Error returns a readable representation of the APIError.
+func (a *APIError) Error() string {
+	var msg string
+	if a.status != nil {
+		msg = a.err.Error()
+	} else if a.httpErr != nil {
+		// Truncate the googleapi.Error message because it dumps the Details in
+		// an ugly way.
+		msg = fmt.Sprintf("googleapi: Error %d: %s", a.httpErr.Code, a.httpErr.Message)
+	}
+	return strings.TrimSpace(fmt.Sprintf("%s\n%s", msg, a.details))
+}
+
+// GRPCStatus extracts the underlying gRPC Status error.
+// This method is necessary to fulfill the interface
+// described in https://pkg.go.dev/google.golang.org/grpc/status#FromError.
+func (a *APIError) GRPCStatus() *status.Status {
+	return a.status
+}
+
+// Reason returns the reason in an ErrorInfo.
+// If ErrorInfo is nil, it returns an empty string.
+func (a *APIError) Reason() string {
+	return a.details.ErrorInfo.GetReason()
+}
+
+// Domain returns the domain in an ErrorInfo.
+// If ErrorInfo is nil, it returns an empty string.
+func (a *APIError) Domain() string {
+	return a.details.ErrorInfo.GetDomain()
+}
+
+// Metadata returns the metadata in an ErrorInfo.
+// If ErrorInfo is nil, it returns nil.
+func (a *APIError) Metadata() map[string]string {
+	return a.details.ErrorInfo.GetMetadata()
+
+}
+
+// FromError parses a Status error or a googleapi.Error and builds an APIError.
+func FromError(err error) (*APIError, bool) {
+	if err == nil {
+		return nil, false
+	}
+
+	ae := APIError{err: err}
+	st, isStatus := status.FromError(err)
+	var herr *googleapi.Error
+	isHTTPErr := errors.As(err, &herr)
+
+	switch {
+	case isStatus:
+		ae.status = st
+		ae.details = parseDetails(st.Details())
+	case isHTTPErr:
+		ae.httpErr = herr
+		ae.details = parseHTTPDetails(herr)
+	default:
+		return nil, false
+	}
+
+	return &ae, true
+
+}
+
+// parseDetails accepts a slice of interface{} that should be backed by some
+// sort of proto.Message that can be cast to the google/rpc/error_details.proto
+// types.
+//
+// This is for internal use only.
+func parseDetails(details []interface{}) ErrDetails {
+	var ed ErrDetails
+	for _, d := range details {
+		switch d := d.(type) {
+		case *errdetails.ErrorInfo:
+			ed.ErrorInfo = d
+		case *errdetails.BadRequest:
+			ed.BadRequest = d
+		case *errdetails.PreconditionFailure:
+			ed.PreconditionFailure = d
+		case *errdetails.QuotaFailure:
+			ed.QuotaFailure = d
+		case *errdetails.RetryInfo:
+			ed.RetryInfo = d
+		case *errdetails.ResourceInfo:
+			ed.ResourceInfo = d
+		case *errdetails.RequestInfo:
+			ed.RequestInfo = d
+		case *errdetails.DebugInfo:
+			ed.DebugInfo = d
+		case *errdetails.Help:
+			ed.Help = d
+		case *errdetails.LocalizedMessage:
+			ed.LocalizedMessage = d
+		default:
+			ed.Unknown = append(ed.Unknown, d)
+		}
+	}
+
+	return ed
+}
+
+// parseHTTPDetails will convert the given googleapi.Error into the protobuf
+// representation then parse the Any values that contain the error details.
+//
+// This is for internal use only.
+func parseHTTPDetails(gae *googleapi.Error) ErrDetails {
+	e := &jsonerror.Error{}
+	if err := protojson.Unmarshal([]byte(gae.Body), e); err != nil {
+		// If the error body does not conform to the error schema, ignore it
+		// altogther. See https://cloud.google.com/apis/design/errors#http_mapping.
+		return ErrDetails{}
+	}
+
+	// Coerce the Any messages into proto.Message then parse the details.
+	details := []interface{}{}
+	for _, any := range e.GetError().GetDetails() {
+		m, err := any.UnmarshalNew()
+		if err != nil {
+			// Ignore malformed Any values.
+			continue
+		}
+		details = append(details, m)
+	}
+
+	return parseDetails(details)
+}

vendor/github.com/googleapis/gax-go/v2/apierror/internal/proto/README.md

@@ -0,0 +1,30 @@
+# HTTP JSON Error Schema
+
+The `error.proto` represents the HTTP-JSON schema used by Google APIs to convey
+error payloads as described by https://cloud.google.com/apis/design/errors#http_mapping.
+This package is for internal parsing logic only and should not be used in any
+other context.
+
+## Regeneration
+
+To regenerate the protobuf Go code you will need the following:
+
+* A local copy of [googleapis], the absolute path to which should be exported to
+the environment variable `GOOGLEAPIS`
+* The protobuf compiler [protoc]
+* The Go [protobuf plugin]
+* The [goimports] tool
+
+From this directory run the following command:
+```sh
+protoc -I $GOOGLEAPIS -I. --go_out=. --go_opt=module=github.com/googleapis/gax-go/v2/apierror/internal/proto error.proto
+goimports -w .
+```
+
+Note: the `module` plugin option ensures the generated code is placed in this
+directory, and not in several nested directories defined by `go_package` option.
+
+[googleapis]: https://github.com/googleapis/googleapis
+[protoc]: https://github.com/protocolbuffers/protobuf#protocol-compiler-installation
+[protobuf plugin]: https://developers.google.com/protocol-buffers/docs/reference/go-generated
+[goimports]: https://pkg.go.dev/golang.org/x/tools/cmd/goimports

vendor/github.com/googleapis/gax-go/v2/apierror/internal/proto/error.pb.go

@@ -0,0 +1,280 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.15.8
+// source: apierror/internal/proto/error.proto
+
+package jsonerror
+
+import (
+	reflect "reflect"
+	sync "sync"
+
+	code "google.golang.org/genproto/googleapis/rpc/code"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	anypb "google.golang.org/protobuf/types/known/anypb"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// The error format v2 for Google JSON REST APIs.
+// Copied from https://cloud.google.com/apis/design/errors#http_mapping.
+//
+// NOTE: This schema is not used for other wire protocols.
+type Error struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The actual error payload. The nested message structure is for backward
+	// compatibility with Google API client libraries. It also makes the error
+	// more readable to developers.
+	Error *Error_Status `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *Error) Reset() {
+	*x = Error{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_apierror_internal_proto_error_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Error) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Error) ProtoMessage() {}
+
+func (x *Error) ProtoReflect() protoreflect.Message {
+	mi := &file_apierror_internal_proto_error_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Error.ProtoReflect.Descriptor instead.
+func (*Error) Descriptor() ([]byte, []int) {
+	return file_apierror_internal_proto_error_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Error) GetError() *Error_Status {
+	if x != nil {
+		return x.Error
+	}
+	return nil
+}
+
+// This message has the same semantics as `google.rpc.Status`. It uses HTTP
+// status code instead of gRPC status code. It has an extra field `status`
+// for backward compatibility with Google API Client Libraries.
+type Error_Status struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// The HTTP status code that corresponds to `google.rpc.Status.code`.
+	Code int32 `protobuf:"varint,1,opt,name=code,proto3" json:"code,omitempty"`
+	// This corresponds to `google.rpc.Status.message`.
+	Message string `protobuf:"bytes,2,opt,name=message,proto3" json:"message,omitempty"`
+	// This is the enum version for `google.rpc.Status.code`.
+	Status code.Code `protobuf:"varint,4,opt,name=status,proto3,enum=google.rpc.Code" json:"status,omitempty"`
+	// This corresponds to `google.rpc.Status.details`.
+	Details []*anypb.Any `protobuf:"bytes,5,rep,name=details,proto3" json:"details,omitempty"`
+}
+
+func (x *Error_Status) Reset() {
+	*x = Error_Status{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_apierror_internal_proto_error_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Error_Status) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Error_Status) ProtoMessage() {}
+
+func (x *Error_Status) ProtoReflect() protoreflect.Message {
+	mi := &file_apierror_internal_proto_error_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Error_Status.ProtoReflect.Descriptor instead.
+func (*Error_Status) Descriptor() ([]byte, []int) {
+	return file_apierror_internal_proto_error_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *Error_Status) GetCode() int32 {
+	if x != nil {
+		return x.Code
+	}
+	return 0
+}
+
+func (x *Error_Status) GetMessage() string {
+	if x != nil {
+		return x.Message
+	}
+	return ""
+}
+
+func (x *Error_Status) GetStatus() code.Code {
+	if x != nil {
+		return x.Status
+	}
+	return code.Code(0)
+}
+
+func (x *Error_Status) GetDetails() []*anypb.Any {
+	if x != nil {
+		return x.Details
+	}
+	return nil
+}
+
+var File_apierror_internal_proto_error_proto protoreflect.FileDescriptor
+
+var file_apierror_internal_proto_error_proto_rawDesc = []byte{
+	0x0a, 0x23, 0x61, 0x70, 0x69, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72,
+	0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2f, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x1a, 0x19, 0x67, 0x6f,
+	0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x61, 0x6e,
+	0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f,
+	0x72, 0x70, 0x63, 0x2f, 0x63, 0x6f, 0x64, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc5,
+	0x01, 0x0a, 0x05, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x29, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f,
+	0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x2e,
+	0x45, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x05, 0x65, 0x72,
+	0x72, 0x6f, 0x72, 0x1a, 0x90, 0x01, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x12,
+	0x0a, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x04, 0x63, 0x6f,
+	0x64, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x28, 0x0a, 0x06,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x10, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x43, 0x6f, 0x64, 0x65, 0x52, 0x06,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x2e, 0x0a, 0x07, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c,
+	0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x41, 0x6e, 0x79, 0x52, 0x07, 0x64,
+	0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x42, 0x43, 0x5a, 0x41, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x61, 0x70, 0x69, 0x73, 0x2f,
+	0x67, 0x61, 0x78, 0x2d, 0x67, 0x6f, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x70, 0x69, 0x65, 0x72, 0x72,
+	0x6f, 0x72, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x3b, 0x6a, 0x73, 0x6f, 0x6e, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
+}
+
+var (
+	file_apierror_internal_proto_error_proto_rawDescOnce sync.Once
+	file_apierror_internal_proto_error_proto_rawDescData = file_apierror_internal_proto_error_proto_rawDesc
+)
+
+func file_apierror_internal_proto_error_proto_rawDescGZIP() []byte {
+	file_apierror_internal_proto_error_proto_rawDescOnce.Do(func() {
+		file_apierror_internal_proto_error_proto_rawDescData = protoimpl.X.CompressGZIP(file_apierror_internal_proto_error_proto_rawDescData)
+	})
+	return file_apierror_internal_proto_error_proto_rawDescData
+}
+
+var file_apierror_internal_proto_error_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_apierror_internal_proto_error_proto_goTypes = []interface{}{
+	(*Error)(nil),        // 0: error.Error
+	(*Error_Status)(nil), // 1: error.Error.Status
+	(code.Code)(0),       // 2: google.rpc.Code
+	(*anypb.Any)(nil),    // 3: google.protobuf.Any
+}
+var file_apierror_internal_proto_error_proto_depIdxs = []int32{
+	1, // 0: error.Error.error:type_name -> error.Error.Status
+	2, // 1: error.Error.Status.status:type_name -> google.rpc.Code
+	3, // 2: error.Error.Status.details:type_name -> google.protobuf.Any
+	3, // [3:3] is the sub-list for method output_type
+	3, // [3:3] is the sub-list for method input_type
+	3, // [3:3] is the sub-list for extension type_name
+	3, // [3:3] is the sub-list for extension extendee
+	0, // [0:3] is the sub-list for field type_name
+}
+
+func init() { file_apierror_internal_proto_error_proto_init() }
+func file_apierror_internal_proto_error_proto_init() {
+	if File_apierror_internal_proto_error_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_apierror_internal_proto_error_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Error); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_apierror_internal_proto_error_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Error_Status); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_apierror_internal_proto_error_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_apierror_internal_proto_error_proto_goTypes,
+		DependencyIndexes: file_apierror_internal_proto_error_proto_depIdxs,
+		MessageInfos:      file_apierror_internal_proto_error_proto_msgTypes,
+	}.Build()
+	File_apierror_internal_proto_error_proto = out.File
+	file_apierror_internal_proto_error_proto_rawDesc = nil
+	file_apierror_internal_proto_error_proto_goTypes = nil
+	file_apierror_internal_proto_error_proto_depIdxs = nil
+}

vendor/github.com/googleapis/gax-go/v2/apierror/internal/proto/error.proto

@@ -0,0 +1,46 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package error;
+
+import "google/protobuf/any.proto";
+import "google/rpc/code.proto";
+
+option go_package = "github.com/googleapis/gax-go/v2/apierror/internal/proto;jsonerror";
+
+// The error format v2 for Google JSON REST APIs.
+// Copied from https://cloud.google.com/apis/design/errors#http_mapping.
+//
+// NOTE: This schema is not used for other wire protocols.
+message Error {
+  // This message has the same semantics as `google.rpc.Status`. It uses HTTP
+  // status code instead of gRPC status code. It has an extra field `status`
+  // for backward compatibility with Google API Client Libraries.
+  message Status {
+    // The HTTP status code that corresponds to `google.rpc.Status.code`.
+    int32 code = 1;
+    // This corresponds to `google.rpc.Status.message`.
+    string message = 2;
+    // This is the enum version for `google.rpc.Status.code`.
+    google.rpc.Code status = 4;
+    // This corresponds to `google.rpc.Status.details`.
+    repeated google.protobuf.Any details = 5;
+  }
+  // The actual error payload. The nested message structure is for backward
+  // compatibility with Google API client libraries. It also makes the error
+  // more readable to developers.
+  Status error = 1;
+}

vendor/github.com/googleapis/gax-go/v2/call_option.go

@@ -30,9 +30,11 @@
 package gax
 
 import (
+	"errors"
 	"math/rand"
 	"time"
 
+	"google.golang.org/api/googleapi"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -63,6 +65,31 @@ func WithRetry(fn func() Retryer) CallOption {
 	return retryerOption(fn)
 }
 
+// OnErrorFunc returns a Retryer that retries if and only if the previous attempt
+// returns an error that satisfies shouldRetry.
+//
+// Pause times between retries are specified by bo. bo is only used for its
+// parameters; each Retryer has its own copy.
+func OnErrorFunc(bo Backoff, shouldRetry func(err error) bool) Retryer {
+	return &errorRetryer{
+		shouldRetry: shouldRetry,
+		backoff:     bo,
+	}
+}
+
+type errorRetryer struct {
+	backoff     Backoff
+	shouldRetry func(err error) bool
+}
+
+func (r *errorRetryer) Retry(err error) (time.Duration, bool) {
+	if r.shouldRetry(err) {
+		return r.backoff.Pause(), true
+	}
+
+	return 0, false
+}
+
 // OnCodes returns a Retryer that retries if and only if
 // the previous attempt returns a GRPC error whose error code is stored in cc.
 // Pause times between retries are specified by bo.
@@ -94,22 +121,60 @@ func (r *boRetryer) Retry(err error) (time.Duration, bool) {
 	return 0, false
 }
 
-// Backoff implements exponential backoff.
-// The wait time between retries is a random value between 0 and the "retry envelope".
-// The envelope starts at Initial and increases by the factor of Multiplier every retry,
-// but is capped at Max.
+// OnHTTPCodes returns a Retryer that retries if and only if
+// the previous attempt returns a googleapi.Error whose status code is stored in
+// cc. Pause times between retries are specified by bo.
+//
+// bo is only used for its parameters; each Retryer has its own copy.
+func OnHTTPCodes(bo Backoff, cc ...int) Retryer {
+	codes := make(map[int]bool, len(cc))
+	for _, c := range cc {
+		codes[c] = true
+	}
+
+	return &httpRetryer{
+		backoff: bo,
+		codes:   codes,
+	}
+}
+
+type httpRetryer struct {
+	backoff Backoff
+	codes   map[int]bool
+}
+
+func (r *httpRetryer) Retry(err error) (time.Duration, bool) {
+	var gerr *googleapi.Error
+	if !errors.As(err, &gerr) {
+		return 0, false
+	}
+
+	if r.codes[gerr.Code] {
+		return r.backoff.Pause(), true
+	}
+
+	return 0, false
+}
+
+// Backoff implements exponential backoff. The wait time between retries is a
+// random value between 0 and the "retry period" - the time between retries. The
+// retry period starts at Initial and increases by the factor of Multiplier
+// every retry, but is capped at Max.
+//
+// Note: MaxNumRetries / RPCDeadline is specifically not provided. These should
+// be built on top of Backoff.
 type Backoff struct {
-	// Initial is the initial value of the retry envelope, defaults to 1 second.
+	// Initial is the initial value of the retry period, defaults to 1 second.
 	Initial time.Duration
 
-	// Max is the maximum value of the retry envelope, defaults to 30 seconds.
+	// Max is the maximum value of the retry period, defaults to 30 seconds.
 	Max time.Duration
 
-	// Multiplier is the factor by which the retry envelope increases.
+	// Multiplier is the factor by which the retry period increases.
 	// It should be greater than 1 and defaults to 2.
 	Multiplier float64
 
-	// cur is the current retry envelope
+	// cur is the current retry period.
 	cur time.Duration
 }
 
@@ -145,6 +210,21 @@ func (o grpcOpt) Resolve(s *CallSettings) {
 	s.GRPC = o
 }
 
+type pathOpt struct {
+	p string
+}
+
+func (p pathOpt) Resolve(s *CallSettings) {
+	s.Path = p.p
+}
+
+// WithPath applies a Path override to the HTTP-based APICall.
+//
+// This is for internal use only.
+func WithPath(p string) CallOption {
+	return &pathOpt{p: p}
+}
+
 // WithGRPCOptions allows passing gRPC call options during client creation.
 func WithGRPCOptions(opt ...grpc.CallOption) CallOption {
 	return grpcOpt(append([]grpc.CallOption(nil), opt...))
@@ -158,4 +238,7 @@ type CallSettings struct {
 
 	// CallOptions to be forwarded to GRPC.
 	GRPC []grpc.CallOption
+
+	// Path is an HTTP override for an APICall.
+	Path string
 }

vendor/github.com/googleapis/gax-go/v2/gax.go

@@ -35,5 +35,7 @@
 // to simplify code generation and to provide more convenient and idiomatic API surfaces.
 package gax
 
+import "github.com/googleapis/gax-go/v2/internal"
+
 // Version specifies the gax-go version being used.
-const Version = "2.0.4"
+const Version = internal.Version

vendor/github.com/googleapis/gax-go/v2/internal/version.go

@@ -0,0 +1,33 @@
+// Copyright 2022, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package internal
+
+// Version is the current tagged release of the library.
+const Version = "2.4.0"

vendor/github.com/googleapis/gax-go/v2/invoke.go

@@ -33,13 +33,15 @@ import (
 	"context"
 	"strings"
 	"time"
+
+	"github.com/googleapis/gax-go/v2/apierror"
 )
 
 // APICall is a user defined call stub.
 type APICall func(context.Context, CallSettings) error
 
-// Invoke calls the given APICall,
-// performing retries as specified by opts, if any.
+// Invoke calls the given APICall, performing retries as specified by opts, if
+// any.
 func Invoke(ctx context.Context, call APICall, opts ...CallOption) error {
 	var settings CallSettings
 	for _, opt := range opts {
@@ -71,9 +73,6 @@ func invoke(ctx context.Context, call APICall, settings CallSettings, sp sleeper
 		if err == nil {
 			return nil
 		}
-		if settings.Retry == nil {
-			return err
-		}
 		// Never retry permanent certificate errors. (e.x. if ca-certificates
 		// are not installed). We should only make very few, targeted
 		// exceptions: many (other) status=Unavailable should be retried, such
@@ -83,6 +82,12 @@ func invoke(ctx context.Context, call APICall, settings CallSettings, sp sleeper
 		if strings.Contains(err.Error(), "x509: certificate signed by unknown authority") {
 			return err
 		}
+		if apierr, ok := apierror.FromError(err); ok {
+			err = apierr
+		}
+		if settings.Retry == nil {
+			return err
+		}
 		if retryer == nil {
 			if r := settings.Retry(); r != nil {
 				retryer = r

vendor/github.com/googleapis/gax-go/v2/proto_json_stream.go

@@ -0,0 +1,126 @@
+// Copyright 2022, Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package gax
+
+import (
+	"encoding/json"
+	"errors"
+	"io"
+
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/reflect/protoreflect"
+)
+
+var (
+	arrayOpen     = json.Delim('[')
+	arrayClose    = json.Delim(']')
+	errBadOpening = errors.New("unexpected opening token, expected '['")
+)
+
+// ProtoJSONStream represents a wrapper for consuming a stream of protobuf
+// messages encoded using protobuf-JSON format. More information on this format
+// can be found at https://developers.google.com/protocol-buffers/docs/proto3#json.
+// The stream must appear as a comma-delimited, JSON array of obbjects with
+// opening and closing square braces.
+//
+// This is for internal use only.
+type ProtoJSONStream struct {
+	first, closed bool
+	reader        io.ReadCloser
+	stream        *json.Decoder
+	typ           protoreflect.MessageType
+}
+
+// NewProtoJSONStreamReader accepts a stream of bytes via an io.ReadCloser that are
+// protobuf-JSON encoded protobuf messages of the given type. The ProtoJSONStream
+// must be closed when done.
+//
+// This is for internal use only.
+func NewProtoJSONStreamReader(rc io.ReadCloser, typ protoreflect.MessageType) *ProtoJSONStream {
+	return &ProtoJSONStream{
+		first:  true,
+		reader: rc,
+		stream: json.NewDecoder(rc),
+		typ:    typ,
+	}
+}
+
+// Recv decodes the next protobuf message in the stream or returns io.EOF if
+// the stream is done. It is not safe to call Recv on the same stream from
+// different goroutines, just like it is not safe to do so with a single gRPC
+// stream. Type-cast the protobuf message returned to the type provided at
+// ProtoJSONStream creation.
+// Calls to Recv after calling Close will produce io.EOF.
+func (s *ProtoJSONStream) Recv() (proto.Message, error) {
+	if s.closed {
+		return nil, io.EOF
+	}
+	if s.first {
+		s.first = false
+
+		// Consume the opening '[' so Decode gets one object at a time.
+		if t, err := s.stream.Token(); err != nil {
+			return nil, err
+		} else if t != arrayOpen {
+			return nil, errBadOpening
+		}
+	}
+
+	// Capture the next block of data for the item (a JSON object) in the stream.
+	var raw json.RawMessage
+	if err := s.stream.Decode(&raw); err != nil {
+		e := err
+		// To avoid checking the first token of each stream, just attempt to
+		// Decode the next blob and if that fails, double check if it is just
+		// the closing token ']'. If it is the closing, return io.EOF. If it
+		// isn't, return the original error.
+		if t, _ := s.stream.Token(); t == arrayClose {
+			e = io.EOF
+		}
+		return nil, e
+	}
+
+	// Initialize a new instance of the protobuf message to unmarshal the
+	// raw data into.
+	m := s.typ.New().Interface()
+	err := protojson.Unmarshal(raw, m)
+
+	return m, err
+}
+
+// Close closes the stream so that resources are cleaned up.
+func (s *ProtoJSONStream) Close() error {
+	// Dereference the *json.Decoder so that the memory is gc'd.
+	s.stream = nil
+	s.closed = true
+
+	return s.reader.Close()
+}

vendor/github.com/googleapis/gax-go/v2/release-please-config.json

@@ -0,0 +1,10 @@
+{
+    "release-type": "go-yoshi",
+    "separate-pull-requests": true,
+    "include-component-in-tag": false,
+    "packages": {
+        "v2": {
+            "component": "v2"
+        }
+    }
+}

vendor/github.com/moby/swarmkit/v2/agent/csi/plugin/manager.go

@@ -18,9 +18,9 @@ const (
 	DockerCSIPluginCap = "csinode"
 )
 
-// PluginManager manages the multiple CSI plugins that may be in use on the
-// node. PluginManager should be thread-safe.
-type PluginManager interface {
+// Manager manages the multiple CSI plugins that may be in use on the
+// node. Manager should be thread-safe.
+type Manager interface {
 	// Get gets the plugin with the given name
 	Get(name string) (NodePlugin, error)
 
@@ -43,7 +43,7 @@ type pluginManager struct {
 	pg plugingetter.PluginGetter
 }
 
-func NewPluginManager(pg plugingetter.PluginGetter, secrets SecretGetter) PluginManager {
+func NewManager(pg plugingetter.PluginGetter, secrets SecretGetter) Manager {
 	return &pluginManager{
 		plugins:           map[string]NodePlugin{},
 		newNodePluginFunc: NewNodePlugin,

vendor/github.com/moby/swarmkit/v2/agent/csi/plugin/manager_deprecated.go

@@ -0,0 +1,11 @@
+package plugin
+
+// Deprecated: use [Manager].
+//
+//nolint:revive // exported: type name will be used as plugin.PluginManager by other packages
+type PluginManager = Manager
+
+// Deprecated: use [NewManager].
+//
+//nolint:unused
+var NewPluginManager = NewManager

vendor/github.com/moby/swarmkit/v2/agent/csi/volumes.go

@@ -17,7 +17,7 @@ import (
 	"github.com/moby/swarmkit/v2/volumequeue"
 )
 
-const CSI_CALL_TIMEOUT = 15 * time.Second
+const csiCallTimeout = 15 * time.Second
 
 // volumeState keeps track of the state of a volume on this node.
 type volumeState struct {
@@ -39,8 +39,8 @@ type volumes struct {
 	// volumes is a mapping of volume ID to volumeState
 	volumes map[string]volumeState
 
-	// plugins is the PluginManager, which provides translation to the CSI RPCs
-	plugins plugin.PluginManager
+	// plugins is the Manager, which provides translation to the CSI RPCs
+	plugins plugin.Manager
 
 	// pendingVolumes is a VolumeQueue which manages which volumes are
 	// processed and when.
@@ -51,7 +51,7 @@ type volumes struct {
 func NewManager(pg plugingetter.PluginGetter, secrets exec.SecretGetter) exec.VolumesManager {
 	r := &volumes{
 		volumes:        map[string]volumeState{},
-		plugins:        plugin.NewPluginManager(pg, secrets),
+		plugins:        plugin.NewManager(pg, secrets),
 		pendingVolumes: volumequeue.NewVolumeQueue(),
 	}
 	go r.retryVolumes()
@@ -107,7 +107,7 @@ func (r *volumes) tryVolume(ctx context.Context, id string, attempt uint) {
 	// These are too complicated to be worth the engineering effort at this
 	// time.
 
-	timeoutCtx, cancel := context.WithTimeout(ctx, CSI_CALL_TIMEOUT)
+	timeoutCtx, cancel := context.WithTimeout(ctx, csiCallTimeout)
 	// always gotta call the WithTimeout cancel
 	defer cancel()
 

vendor/github.com/moby/swarmkit/v2/agent/exec/controller_stub.go

@@ -21,7 +21,6 @@ type StubController struct {
 	RemoveFn    func(ctx context.Context) error
 	CloseFn     func() error
 	calls       map[string]int
-	cstatus     *api.ContainerStatus
 }
 
 // NewStubController returns an initialized StubController
@@ -38,7 +37,7 @@ func (sc *StubController) called() {
 	if !ok {
 		panic("Failed to find caller of function")
 	}
-	// longName looks like 'github.com/docker/swarmkit/agent/exec.(*StubController).Prepare:1'
+	// longName looks like 'github.com/moby/swarmkit/agent/exec.(*StubController).Prepare:1'
 	longName := runtime.FuncForPC(pc).Name()
 	parts := strings.Split(longName, ".")
 	tail := strings.Split(parts[len(parts)-1], ":")

vendor/github.com/moby/swarmkit/v2/agent/exec/executor.go

@@ -112,9 +112,9 @@ type VolumesManager interface {
 	Plugins() VolumePluginManager
 }
 
-// PluginManager is the interface for accessing the volume plugin manager from
+// VolumePluginManager is the interface for accessing the volume plugin manager from
 // the executor. This is identical to
-// github.com/docker/swarmkit/agent/csi/plugin.PluginManager, except the former
+// github.com/moby/swarmkit/agent/csi/plugin.PluginManager, except the former
 // also includes a Get method for the VolumesManager to use. This does not
 // contain that Get method, to avoid having to import the Plugin type, and
 // because in this context, it is not needed.

vendor/github.com/moby/swarmkit/v2/agent/reporter.go

@@ -15,7 +15,7 @@ type StatusReporter interface {
 	UpdateTaskStatus(ctx context.Context, taskID string, status *api.TaskStatus) error
 }
 
-// Reporter recieves update to both task and volume status.
+// Reporter receives update to both task and volume status.
 type Reporter interface {
 	StatusReporter
 	ReportVolumeUnpublished(ctx context.Context, volumeID string) error
@@ -27,12 +27,15 @@ func (fn statusReporterFunc) UpdateTaskStatus(ctx context.Context, taskID string
 	return fn(ctx, taskID, status)
 }
 
+//nolint:unused // currently only used in tests.
 type volumeReporterFunc func(ctx context.Context, volumeID string) error
 
+//nolint:unused // currently only used in tests.
 func (fn volumeReporterFunc) ReportVolumeUnpublished(ctx context.Context, volumeID string) error {
 	return fn(ctx, volumeID)
 }
 
+//nolint:unused // currently only used in tests.
 type statusReporterCombined struct {
 	statusReporterFunc
 	volumeReporterFunc

vendor/github.com/moby/swarmkit/v2/agent/session.go

@@ -391,6 +391,7 @@ func (s *session) sendTaskStatus(ctx context.Context, taskID string, taskStatus
 	return nil
 }
 
+//nolint:unused // TODO(thaJeztah) this is currently unused: is it safe to remove?
 func (s *session) sendTaskStatuses(ctx context.Context, updates ...*api.UpdateTaskStatusRequest_TaskStatusUpdate) ([]*api.UpdateTaskStatusRequest_TaskStatusUpdate, error) {
 	if len(updates) < 1 {
 		return nil, nil