Update to go 1.23 (#3311)

* update to go 1.23

* add own certs to sqlserver

* remove golang.org/x/exp in favor of GO 1.23 builtin version

auth/client/iam/openid4vp.go

@@ -27,7 +27,7 @@ import (
 	"github.com/nuts-foundation/nuts-node/vcr/credential"
 	"github.com/nuts-foundation/nuts-node/vdr/didsubject"
 	"github.com/piprate/json-gold/ld"
-	"golang.org/x/exp/maps"
+	"maps"
 	"net/http"
 	"net/url"
 	"slices"
@@ -278,7 +278,11 @@ func (c *OpenID4VPClient) RequestRFC021AccessToken(ctx context.Context, clientID
 	subjectDIDs = subjectDIDs[:j]
 
 	if len(subjectDIDs) == 0 {
-		return nil, fmt.Errorf("did method mismatch, requested: %v, available: %v", metadata.DIDMethodsSupported, maps.Keys(allMethods))
+		availableMethods := make([]string, 0, len(allMethods))
+		for key := range maps.Keys(allMethods) {
+			availableMethods = append(availableMethods, key)
+		}
+		return nil, fmt.Errorf("did method mismatch, requested: %v, available: %v", metadata.DIDMethodsSupported, availableMethods)
 	}
 
 	// each additional credential can be used by each DID

e2e-tests/oauth-flow/rfc021/README.md

@@ -1,3 +1,26 @@
 This test can be executed against multiple SQL databases.
 It's executed (by running `./run-test.sh`) on all supported databases (postgres, sqlite, mysql, sqlserver) by default.
 To perform the test on a specific database, run `./do-test.sh <database>` where `<database>` is one of the supported databases (postgres, sqlite, mysql, sqlserver).
+
+### sqlserver
+By default, the container generates a new certificate at startup. 
+Currently, this generated certificate may contain a negative serial number which is against the RFC.
+Since GO 1.23, the negative serials numbers no longer pass validation. This can be disabled using `GODEBUG=x509negativeserial=1`. (In go 1.23 the default flag changed from 1 to 0.)
+As a workaround we mount our own certificate. https://github.com/microsoft/mssql-docker/issues/895
+
+Add the following config to the `sqlserver.yml`
+```yaml
+services:  
+  db:
+    volumes:
+      - "./sqlserver.conf:/var/opt/mssql/mssql.conf"
+      - "./sqlserver.key:/etc/ssl/mssql.key:ro" # technically this should be mounted under /etc/ssl/private, but that results in permission issues
+      - "./sqlserver.pem:/etc/ssl/certs/mssql.pem:ro"
+```
+
+### certificate renewal
+First check the latest version if this (and other issues) have been fixed
+If not, regen certificates using
+```bash
+openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql' -addext "subjectAltName = DNS:mssql" -keyout sqlserver.key -out sqlserver.pem -days 365
+```

e2e-tests/oauth-flow/rfc021/sqlserver.conf

@@ -0,0 +1,5 @@
+[network]
+tlscert = /etc/ssl/certs/mssql.pem
+tlskey = /etc/ssl/mssql.key
+tlsprotocols = 1.2
+forceencryption = 1

e2e-tests/oauth-flow/rfc021/sqlserver.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDcxUCdwcDdSXeA
+TXQDJQvaBBX01H6rqh7TlZjnVGoUsZFBp39ucLJqJLZWnkJfeWXaxVTAvqnkCEu2
+z8gKIBkmJTqdQa079Xio910/w++KfFKJ7BKB4d8b6PblyvaKd25mw0INngJO2Yvb
+BJmpo6oV4q2/zYS2KdWA61Yq9qC0qSV2QYKo5DBvdgwn/zUggW6wd/Qn96RyiPKi
+yLbeuainzR5q6jzUV+gkTOcNJmhYBmkX2zNe+c/OQzZPf4nx+8QVlel6UuH16oEd
+KxmutFWeReQtxbFduCGE64Ld+jXDp3B5am2jZzP0X4VoeUYIvnxgwgxTF3vkEHRC
+eWxHADQdAgMBAAECggEALknZY3pVYtBdkvQqZ+JjmsGSjPPk3z9bGUfbeF1VpKMa
+bqac7F4KuoCaDo0+I2CDv5vySjtvyZUHsvvb2GukekACCyjTFqhANUUwMwd0+Rda
+AvsRYlQmgGaXJdUpXhzuc/NqrQo9N6UbUr+jLFNZfR87COUhd0RMNKyjM3zkcxxE
+Opr34v2X+ag82ObixRngeN/uNJoHdR2Rx7MINuOVxZbpaB/fM+iCKsA4QvmbDF2F
+nfmE1DJn2DsbF6zeAMrGMwYpTwXa3V5ozxam3osHg6LdlTaRh2iZEaoPHDU6yjJe
+kILVi1boZetOuRk57D7AF+6+rludcomkPz+gTMdWjQKBgQDztLwE2ArZF/970Yme
+K0KF8LvLprkgm2NLnc3ZtjfF6o+r8HCKFHGLh/W9iH+hK6oy/4QACRJpZcKDQIwO
+BR1/1RV0tsKKDcMae631veYYXqfgw1UjL/kXPWbKbKPUjGITshiHbP1dX5PXRM33
+/4VeWD+F+2j8c7tH9efoZqtmYwKBgQDn6FMpYjtDWLndsD58tUHJRKyB2KKKVvg3
+AjUfaMkwwo46gxiXMwp8EpSMjboY58Cl4v/T5b6i0I3nAQQu0gttQtxyW2+EzUin
+HrHryPnLxvDzomcKQebmd4bK60kYqUkvo7DzTnTyYYfCsx++iT0Phq2DItvnVmqL
+zOpaaonDfwKBgAYJ/H7CO8KVbadL0fUxbTyUcpLhVsUQFK3TAz7Z3RfycAz6sE87
+onSqsdQ4hbEgu973pfW6Q9KIywEloFLYnZqFVTrHLJrvLF6DohPs2L7R2acgMAPn
+NGz3AI0TlBu4PtXuG91/PegKbkdvVQtIMa3c0fYn/LoExCdMWKrRoH2xAoGAAvgH
+cIUwawlMv9jMw/3yDKiTaMokMo8weEvP8EoAIV6sQXWCMBVYMgRu4GnEEyOMZNNG
+ISlUynLPDkEGE69etBRiDBi9kb6rCnCrKHCXOhOe7A+NMCVt1k97a0ed1PH93N1E
+m6jKeHvlKAnxAxhwrq0ztXURyaFilc2WxneMsfMCgYEAmv8aBzE+RpOPrBnr0lw7
+UDSa5ryk6M672t/nahJt+yOXYfajU9xMZFqq/wWJIxvln2coTOgTGRLlUXQwpER0
+dlMoVPDW2HbMsaQ9P5ziCvsmWUlpwbekYIamvYT33rplHfXfj6QagwkZqzleLTZ/
+KiXnd1p/dUPocO6Fmnn7yFg=
+-----END PRIVATE KEY-----

e2e-tests/oauth-flow/rfc021/sqlserver.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEzCCAfugAwIBAgIUCDOJnObAY/b4IfVy1mn6uKNozYwwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFbXNzcWwwHhcNMjQwOTE3MDgwMjQxWhcNMjUwOTE3MDgw
+MjQxWjAQMQ4wDAYDVQQDDAVtc3NxbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANzFQJ3BwN1Jd4BNdAMlC9oEFfTUfquqHtOVmOdUahSxkUGnf25wsmok
+tlaeQl95ZdrFVMC+qeQIS7bPyAogGSYlOp1BrTv1eKj3XT/D74p8UonsEoHh3xvo
+9uXK9op3bmbDQg2eAk7Zi9sEmamjqhXirb/NhLYp1YDrVir2oLSpJXZBgqjkMG92
+DCf/NSCBbrB39Cf3pHKI8qLItt65qKfNHmrqPNRX6CRM5w0maFgGaRfbM175z85D
+Nk9/ifH7xBWV6XpS4fXqgR0rGa60VZ5F5C3FsV24IYTrgt36NcOncHlqbaNnM/Rf
+hWh5Rgi+fGDCDFMXe+QQdEJ5bEcANB0CAwEAAaNlMGMwHQYDVR0OBBYEFM5MAIuM
+gB+Y3+n5+E6KNCydTiteMB8GA1UdIwQYMBaAFM5MAIuMgB+Y3+n5+E6KNCydTite
+MA8GA1UdEwEB/wQFMAMBAf8wEAYDVR0RBAkwB4IFbXNzcWwwDQYJKoZIhvcNAQEL
+BQADggEBACc6Le8yXeBZKPBL50D7zKZtbyLJ17tHUt8Z3I6XqMPyJ+HLUjeH9xqw
++JlmDRF0h24ZQVKhP7zc67CmNRyZoYmFLjWy9w+LGaWVsr2EMG2n4n7Ubojv+lAI
+OrZ+dh3jTl9OiIOxJg/5bTd/OJ5J0ac+Uy8HvoQmryliol1yicFlN1hDHQzaTfBB
++p7hBsxZRTG6zssbNNjrCO/ocAy+axX/1dp830FUCNemJ0IJOLoVdm/UX/YN/Lws
+wr/jzO9K504BIbahrggHNnCRJLr+zhM0rzJxorAUk4JN1rjW/ycYreAyOZpiV/QR
+WLPBukk7keWM7KQyzYyxOlbYmo8BYm4=
+-----END CERTIFICATE-----

e2e-tests/oauth-flow/rfc021/sqlserver.yml

@@ -13,7 +13,7 @@ services:
       NUTS_STORAGE_SQL_CONNECTION: sqlserver://sa:MyStrong(!)Password@db:1433?database=node_b
   db:
     # image: mcr.microsoft.com/azure-sql-edge:latest <-- "The sqlcmd utility is not included in the ARM64 version of the SQL Edge container" - https://github.com/microsoft/mssql-docker/issues/734
-    # image mcr.microsoft.com/mssql/server:2022-latest <-- They broke the sqlcmd path - https://github.com/microsoft/mssql-docker/issues/892
+#    image: mcr.microsoft.com/mssql/server:2022-latest # <-- They broke the sqlcmd path - https://github.com/microsoft/mssql-docker/issues/892
     image: mcr.microsoft.com/mssql/server:2022-CU13-ubuntu-22.04
     restart: always
     ports:
@@ -22,6 +22,10 @@ services:
       MSSQL_USER: SA
       MSSQL_SA_PASSWORD: MyStrong(!)Password
       ACCEPT_EULA: Y
+    volumes:
+      - "./sqlserver.conf:/var/opt/mssql/mssql.conf"
+      - "./sqlserver.key:/etc/ssl/mssql.key:ro"
+      - "./sqlserver.pem:/etc/ssl/certs/mssql.pem:ro"
     healthcheck:
       test:
         ["CMD", "/opt/mssql-tools/bin/sqlcmd", "-U", "sa", "-P", "MyStrong(!)Password", "-Q", "SELECT 1"]

go.mod

@@ -1,6 +1,6 @@
 module github.com/nuts-foundation/nuts-node
 
-go 1.22
+go 1.23
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
@@ -199,5 +199,3 @@ require (
 	modernc.org/sqlite v1.32.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
-
-require golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8