Fixup staticcheck and stylecheck, and violations thereof (#5897)

Add `stylecheck` to our list of lints, since it got separated out from `staticcheck`. Fix the way we configure both to be clearer and not rely on regexes. Additionally fix a number of easy-to-change `staticcheck` and `stylecheck` violations, allowing us to reduce our number of ignored checks. Part of #5681
2022-01-20 16:22:30 -08:00 · 2022-01-20 16:22:30 -08:00 · ab79f96d7b
parent 757495f96d
commit ab79f96d7b
38 changed files with 183 additions and 203 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@ -4,13 +4,27 @@ linters:
    - errcheck
    - gofmt
    - gosec
+    - gosimple
    - govet
    - ineffassign
    - misspell
    - staticcheck
+    - stylecheck
+    - unused
 linters-settings:
  errcheck:
    ignore: fmt:[FS]?[Pp]rint*,io:Write,os:Remove,net/http:Write,github.com/miekg/dns:WriteMsg,net:Write,encoding/binary:Write
+  gosimple:
+    # S1029: Range over the string directly
+    checks: ["all", "-S1029"]
+  staticcheck:
+    # SA1019: Using a deprecated function, variable, constant or field
+    # SA6003: Converting a string to a slice of runes before ranging over it
+    checks: ["all", "-SA1019", "-SA6003"]
+  stylecheck:
+    # ST1003: Poorly chosen identifier
+    # ST1005: Incorrectly formatted error string
+    checks: ["all", "-ST1003", "-ST1005"]
 issues:
  exclude-rules:
    - linters:
@ -29,6 +43,3 @@ issues:
      # G501: Blacklisted import `crypto/md5`: weak cryptographic primitive
      # G505: Blacklisted import `crypto/sha1`: weak cryptographic primitive
      text: "G(101|102|107|201|202|306|401|402|403|404|501|505)"
-    - linters:
-      - staticcheck
-      text: "(SA1019|ST1005|ST1013|SA6003|SA5011|S1029|SA2002):"
--- a/akamai/cache-client.go
+++ b/akamai/cache-client.go
@ -96,9 +96,7 @@ func NewCachePurgeClient(
 	}, []string{"type"})
 	stats.MustRegister(purges)

-	if strings.HasSuffix(endpoint, "/") {
-		endpoint = endpoint[:len(endpoint)-1]
-	}
+	endpoint = strings.TrimSuffix(endpoint, "/")
 	apiURL, err := url.Parse(endpoint)
 	if err != nil {
 		return nil, err
--- a/ca/ocsp.go
+++ b/ca/ocsp.go
@ -206,7 +206,7 @@ func newOCSPLogQueue(
 		wg:        sync.WaitGroup{},
 		depth:     depth,
 		logger:    logger,
-		clk:       clock.Default(),
+		clk:       clock.New(),
 	}
 	olq.wg.Add(1)
 	return &olq
--- a/canceled/canceled.go
+++ b/canceled/canceled.go
@ -3,8 +3,8 @@ package canceled
 import (
 	"context"

-	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )

 // Is returns true if err is non-nil and is either context.Canceled, or has a
@ -12,5 +12,5 @@ import (
 // gRPC boundaries, and if we choose to treat in-process cancellations a certain
 // way, we usually want to treat cross-process cancellations the same way.
 func Is(err error) bool {
-	return err == context.Canceled || grpc.Code(err) == codes.Canceled
+	return err == context.Canceled || status.Code(err) == codes.Canceled
 }
--- a/canceled/canceled_test.go
+++ b/canceled/canceled_test.go
@ -5,15 +5,15 @@ import (
 	"errors"
 	"testing"

-	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )

 func TestCanceled(t *testing.T) {
 	if !Is(context.Canceled) {
 		t.Errorf("Expected context.Canceled to be canceled, but wasn't.")
 	}
-	if !Is(grpc.Errorf(codes.Canceled, "hi")) {
+	if !Is(status.Errorf(codes.Canceled, "hi")) {
 		t.Errorf("Expected gRPC cancellation to be cancelled, but wasn't.")
 	}
 	if Is(errors.New("hi")) {
--- a/cmd/boulder-wfe2/main.go
+++ b/cmd/boulder-wfe2/main.go
@ -18,7 +18,6 @@ import (
 	"github.com/letsencrypt/boulder/cmd"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
-	"github.com/letsencrypt/boulder/grpc"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/issuance"
 	blog "github.com/letsencrypt/boulder/log"
@ -286,23 +285,23 @@ func setupWFE(c Config, logger blog.Logger, stats prometheus.Registerer, clk clo
 	tlsConfig, err := c.WFE.TLS.Load()
 	cmd.FailOnError(err, "TLS config")
 	clientMetrics := bgrpc.NewClientMetrics(stats)
-	raConn, err := bgrpc.ClientSetup(c.WFE.RAService, tlsConfig, clientMetrics, clk, grpc.CancelTo408Interceptor)
+	raConn, err := bgrpc.ClientSetup(c.WFE.RAService, tlsConfig, clientMetrics, clk, bgrpc.CancelTo408Interceptor)
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to RA")
 	rac := rapb.NewRegistrationAuthorityClient(raConn)

-	saConn, err := bgrpc.ClientSetup(c.WFE.SAService, tlsConfig, clientMetrics, clk, grpc.CancelTo408Interceptor)
+	saConn, err := bgrpc.ClientSetup(c.WFE.SAService, tlsConfig, clientMetrics, clk, bgrpc.CancelTo408Interceptor)
 	cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to SA")
 	sac := sapb.NewStorageAuthorityClient(saConn)

 	var rns noncepb.NonceServiceClient
 	npm := map[string]noncepb.NonceServiceClient{}
 	if c.WFE.GetNonceService != nil {
-		rnsConn, err := bgrpc.ClientSetup(c.WFE.GetNonceService, tlsConfig, clientMetrics, clk, grpc.CancelTo408Interceptor)
+		rnsConn, err := bgrpc.ClientSetup(c.WFE.GetNonceService, tlsConfig, clientMetrics, clk, bgrpc.CancelTo408Interceptor)
 		cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to get nonce service")
 		rns = noncepb.NewNonceServiceClient(rnsConn)
 		for prefix, serviceConfig := range c.WFE.RedeemNonceServices {
 			serviceConfig := serviceConfig
-			conn, err := bgrpc.ClientSetup(&serviceConfig, tlsConfig, clientMetrics, clk, grpc.CancelTo408Interceptor)
+			conn, err := bgrpc.ClientSetup(&serviceConfig, tlsConfig, clientMetrics, clk, bgrpc.CancelTo408Interceptor)
 			cmd.FailOnError(err, "Failed to load credentials and create gRPC connection to redeem nonce service")
 			npm[prefix] = noncepb.NewNonceServiceClient(conn)
 		}
--- a/cmd/contact-auditor/main_test.go
+++ b/cmd/contact-auditor/main_test.go
@ -130,7 +130,7 @@ type testCtx struct {
 	cleanUp func()
 }

-func (c testCtx) addRegistrations(t *testing.T) {
+func (tc testCtx) addRegistrations(t *testing.T) {
 	emailA := "mailto:" + emailARaw
 	emailB := "mailto:" + emailBRaw
 	emailC := "mailto:" + emailCRaw
@ -189,17 +189,17 @@ func (c testCtx) addRegistrations(t *testing.T) {

 	// Add the four test registrations
 	ctx := context.Background()
-	regA, err = c.ssa.NewRegistration(ctx, regA)
+	regA, err = tc.ssa.NewRegistration(ctx, regA)
 	test.AssertNotError(t, err, "Couldn't store regA")
-	regB, err = c.ssa.NewRegistration(ctx, regB)
+	regB, err = tc.ssa.NewRegistration(ctx, regB)
 	test.AssertNotError(t, err, "Couldn't store regB")
-	regC, err = c.ssa.NewRegistration(ctx, regC)
+	regC, err = tc.ssa.NewRegistration(ctx, regC)
 	test.AssertNotError(t, err, "Couldn't store regC")
-	regD, err = c.ssa.NewRegistration(ctx, regD)
+	regD, err = tc.ssa.NewRegistration(ctx, regD)
 	test.AssertNotError(t, err, "Couldn't store regD")
 }

-func (ctx testCtx) addCertificates(t *testing.T) {
+func (tc testCtx) addCertificates(t *testing.T) {
 	serial1 := big.NewInt(1336)
 	serial1String := core.SerialToString(serial1)
 	serial2 := big.NewInt(1337)
@ -238,9 +238,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertA.NotAfter,
 		DER:            certDerA,
 	}
-	err := ctx.dbMap.Insert(certA)
+	err := tc.dbMap.Insert(certA)
 	test.AssertNotError(t, err, "Couldn't add certA")
-	_, err = ctx.dbMap.Exec(
+	_, err = tc.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-a",
 		serial1String,
@ -263,9 +263,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertB.NotAfter,
 		DER:            certDerB,
 	}
-	err = ctx.dbMap.Insert(certB)
+	err = tc.dbMap.Insert(certB)
 	test.AssertNotError(t, err, "Couldn't add certB")
-	_, err = ctx.dbMap.Exec(
+	_, err = tc.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-b",
 		serial2String,
@ -288,9 +288,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertC.NotAfter,
 		DER:            certDerC,
 	}
-	err = ctx.dbMap.Insert(certC)
+	err = tc.dbMap.Insert(certC)
 	test.AssertNotError(t, err, "Couldn't add certC")
-	_, err = ctx.dbMap.Exec(
+	_, err = tc.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-c",
 		serial3String,
@ -313,9 +313,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertD.NotAfter,
 		DER:            certDerD,
 	}
-	err = ctx.dbMap.Insert(certD)
+	err = tc.dbMap.Insert(certD)
 	test.AssertNotError(t, err, "Couldn't add certD")
-	_, err = ctx.dbMap.Exec(
+	_, err = tc.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-d",
 		serial4String,
--- a/cmd/id-exporter/main_test.go
+++ b/cmd/id-exporter/main_test.go
@ -244,7 +244,7 @@ type testCtx struct {
 	cleanUp func()
 }

-func (c testCtx) addRegistrations(t *testing.T) {
+func (tc testCtx) addRegistrations(t *testing.T) {
 	emailA := "mailto:" + emailARaw
 	emailB := "mailto:" + emailBRaw
 	emailC := "mailto:" + emailCRaw
@ -304,17 +304,17 @@ func (c testCtx) addRegistrations(t *testing.T) {

 	// Add the four test registrations
 	ctx := context.Background()
-	regA, err = c.ssa.NewRegistration(ctx, regA)
+	regA, err = tc.ssa.NewRegistration(ctx, regA)
 	test.AssertNotError(t, err, "Couldn't store regA")
-	regB, err = c.ssa.NewRegistration(ctx, regB)
+	regB, err = tc.ssa.NewRegistration(ctx, regB)
 	test.AssertNotError(t, err, "Couldn't store regB")
-	regC, err = c.ssa.NewRegistration(ctx, regC)
+	regC, err = tc.ssa.NewRegistration(ctx, regC)
 	test.AssertNotError(t, err, "Couldn't store regC")
-	regD, err = c.ssa.NewRegistration(ctx, regD)
+	regD, err = tc.ssa.NewRegistration(ctx, regD)
 	test.AssertNotError(t, err, "Couldn't store regD")
 }

-func (ctx testCtx) addCertificates(t *testing.T) {
+func (tc testCtx) addCertificates(t *testing.T) {
 	serial1 := big.NewInt(1336)
 	serial1String := core.SerialToString(serial1)
 	serial2 := big.NewInt(1337)
@ -353,9 +353,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertA.NotAfter,
 		DER:            certDerA,
 	}
-	err := ctx.c.dbMap.Insert(certA)
+	err := tc.c.dbMap.Insert(certA)
 	test.AssertNotError(t, err, "Couldn't add certA")
-	_, err = ctx.c.dbMap.Exec(
+	_, err = tc.c.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-a",
 		serial1String,
@ -378,9 +378,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertB.NotAfter,
 		DER:            certDerB,
 	}
-	err = ctx.c.dbMap.Insert(certB)
+	err = tc.c.dbMap.Insert(certB)
 	test.AssertNotError(t, err, "Couldn't add certB")
-	_, err = ctx.c.dbMap.Exec(
+	_, err = tc.c.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-b",
 		serial2String,
@ -403,9 +403,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertC.NotAfter,
 		DER:            certDerC,
 	}
-	err = ctx.c.dbMap.Insert(certC)
+	err = tc.c.dbMap.Insert(certC)
 	test.AssertNotError(t, err, "Couldn't add certC")
-	_, err = ctx.c.dbMap.Exec(
+	_, err = tc.c.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-c",
 		serial3String,
@ -428,9 +428,9 @@ func (ctx testCtx) addCertificates(t *testing.T) {
 		Expires:        rawCertD.NotAfter,
 		DER:            certDerD,
 	}
-	err = ctx.c.dbMap.Insert(certD)
+	err = tc.c.dbMap.Insert(certD)
 	test.AssertNotError(t, err, "Couldn't add certD")
-	_, err = ctx.c.dbMap.Exec(
+	_, err = tc.c.dbMap.Exec(
 		"INSERT INTO issuedNames (reversedName, serial, notBefore) VALUES (?,?,0)",
 		"com.example-d",
 		serial4String,
--- a/cmd/log-validator/main.go
+++ b/cmd/log-validator/main.go
@ -19,7 +19,7 @@ import (
 	blog "github.com/letsencrypt/boulder/log"
 )

-var invalidChecksumErr = errors.New("invalid checksum length")
+var errInvalidChecksum = errors.New("invalid checksum length")

 func lineValid(text string) error {
 	// Line format should match the following rsyslog omfile template:
@ -53,7 +53,7 @@ func lineValid(text string) error {
 			"%s expected a 7 character base64 raw URL decodable string, got %q: %w",
 			errorPrefix,
 			checksum,
-			invalidChecksumErr,
+			errInvalidChecksum,
 		)
 	}

@ -186,7 +186,7 @@ func main() {
 					continue
 				}
 				if err := lineValid(line.Text); err != nil {
-					if errors.Is(err, invalidChecksumErr) {
+					if errors.Is(err, errInvalidChecksum) {
 						lineCounter.WithLabelValues(t.Filename, "invalid checksum length").Inc()
 					} else {
 						lineCounter.WithLabelValues(t.Filename, "bad").Inc()
--- a/cmd/log-validator/main_test.go
+++ b/cmd/log-validator/main_test.go
@ -19,7 +19,7 @@ func TestLineValidRejects(t *testing.T) {
 func TestLineValidRejectsNotAChecksum(t *testing.T) {
 	err := lineValid("2020-07-06T18:07:43.109389+00:00 70877f679c72 datacenter 6 boulder-wfe[1595]: xxxx Caught SIGTERM")
 	test.AssertError(t, err, "didn't error on invalid checksum")
-	test.AssertErrorIs(t, err, invalidChecksumErr)
+	test.AssertErrorIs(t, err, errInvalidChecksum)
 }

 func TestLineValidNonOurobouros(t *testing.T) {
--- a/cmd/ocsp-responder/main.go
+++ b/cmd/ocsp-responder/main.go
@ -55,8 +55,8 @@ func newFilter(issuerCerts []string, serialPrefixes []string) (*ocspFilter, erro
 	if len(issuerCerts) < 1 {
 		return nil, errors.New("Filter must include at least 1 issuer cert")
 	}
-	issuerKeyHashes := make(map[issuance.IssuerID][]byte, 0)
-	issuerNameKeyHashes := make(map[issuance.IssuerNameID][]byte, 0)
+	issuerKeyHashes := make(map[issuance.IssuerID][]byte)
+	issuerNameKeyHashes := make(map[issuance.IssuerNameID][]byte)
 	for _, issuerCert := range issuerCerts {
 		// Load the certificate from the file path.
 		cert, err := core.LoadCert(issuerCert)
--- a/core/util.go
+++ b/core/util.go
@ -148,7 +148,7 @@ func PublicKeysEqual(a, b interface{}) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	return bytes.Compare(aBytes, bBytes) == 0, nil
+	return bytes.Equal(aBytes, bBytes), nil
 }

 // SerialToString converts a certificate serial number (big.Int) to a String
--- a/grpc/errors.go
+++ b/grpc/errors.go
@ -10,6 +10,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"

 	berrors "github.com/letsencrypt/boulder/errors"
 )
@ -48,9 +49,9 @@ func wrapError(ctx context.Context, err error) error {
 		// fails, we'll still return an error, but it will be interpreted on the
 		// other side as an InternalServerError instead of a more specific one.
 		_ = grpc.SetTrailer(ctx, metadata.Pairs(pairs...))
-		return grpc.Errorf(codes.Unknown, err.Error())
+		return status.Errorf(codes.Unknown, err.Error())
 	}
-	return grpc.Errorf(codes.Unknown, err.Error())
+	return status.Errorf(codes.Unknown, err.Error())
 }

 // unwrapError unwraps errors returned from gRPC client calls which were wrapped
@ -61,14 +62,20 @@ func unwrapError(err error, md metadata.MD) error {
 	if err == nil {
 		return nil
 	}
-	if errTypeStrs, ok := md["errortype"]; ok {
-		unwrappedErr := grpc.ErrorDesc(err)
+
+	unwrappedErr := status.Convert(err).Message()
+
+	errTypeStrs, ok := md["errortype"]
+	if !ok {
+		return err
+	}
 	if len(errTypeStrs) != 1 {
 		return berrors.InternalServerError(
 			"multiple errorType metadata, wrapped error %q",
 			unwrappedErr,
 		)
 	}
+
 	errType, decErr := strconv.Atoi(errTypeStrs[0])
 	if decErr != nil {
 		return berrors.InternalServerError(
@ -78,21 +85,28 @@ func unwrapError(err error, md metadata.MD) error {
 		)
 	}
 	outErr := berrors.New(berrors.ErrorType(errType), unwrappedErr)
-		if subErrsJSON, ok := md["suberrors"]; ok {
+
+	subErrsJSON, ok := md["suberrors"]
+	if !ok {
+		return outErr
+	}
 	if len(subErrsJSON) != 1 {
 		return berrors.InternalServerError(
 			"multiple suberrors metadata, wrapped error %q",
 			unwrappedErr,
 		)
 	}
+
 	var suberrs []berrors.SubBoulderError
-			if err := json.Unmarshal([]byte(subErrsJSON[0]), &suberrs); err != nil {
+	err2 := json.Unmarshal([]byte(subErrsJSON[0]), &suberrs)
+	if err2 != nil {
 		return berrors.InternalServerError(
 			"error unmarshaling suberrs JSON %q, wrapped error %q",
 			subErrsJSON[0],
 			unwrappedErr,
 		)
 	}
+
 	var berr *berrors.BoulderError
 	if errors.As(outErr, &berr) {
 		outErr = berr.WithSubErrors(suberrs)
@ -103,8 +117,5 @@ func unwrapError(err error, md metadata.MD) error {
 			outErr.Error(),
 		)
 	}
-		}
 	return outErr
-	}
-	return err
 }
--- a/grpc/errors_test.go
+++ b/grpc/errors_test.go
@ -12,7 +12,6 @@ import (
 	"github.com/jmhodges/clock"
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/grpc/test_proto"
-	testproto "github.com/letsencrypt/boulder/grpc/test_proto"
 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/metrics"
 	"github.com/letsencrypt/boulder/test"
@ -23,7 +22,7 @@ type errorServer struct {
 	err error
 }

-func (s *errorServer) Chill(_ context.Context, _ *testproto.Time) (*testproto.Time, error) {
+func (s *errorServer) Chill(_ context.Context, _ *test_proto.Time) (*test_proto.Time, error) {
 	return nil, s.err
 }

@ -33,7 +32,7 @@ func TestErrorWrapping(t *testing.T) {
 	ci := clientInterceptor{time.Second, NewClientMetrics(metrics.NoopRegisterer), clock.NewFake()}
 	srv := grpc.NewServer(grpc.UnaryInterceptor(si.intercept))
 	es := &errorServer{}
-	testproto.RegisterChillerServer(srv, es)
+	test_proto.RegisterChillerServer(srv, es)
 	lis, err := net.Listen("tcp", "127.0.0.1:")
 	test.AssertNotError(t, err, "Failed to create listener")
 	go func() { _ = srv.Serve(lis) }()
@ -45,10 +44,10 @@ func TestErrorWrapping(t *testing.T) {
 		grpc.WithUnaryInterceptor(ci.intercept),
 	)
 	test.AssertNotError(t, err, "Failed to dial grpc test server")
-	client := testproto.NewChillerClient(conn)
+	client := test_proto.NewChillerClient(conn)

 	es.err = berrors.MalformedError("yup")
-	_, err = client.Chill(context.Background(), &testproto.Time{})
+	_, err = client.Chill(context.Background(), &test_proto.Time{})
 	test.Assert(t, err != nil, fmt.Sprintf("nil error returned, expected: %s", err))
 	test.AssertDeepEquals(t, err, es.err)

@ -64,7 +63,7 @@ func TestSubErrorWrapping(t *testing.T) {
 	ci := clientInterceptor{time.Second, NewClientMetrics(metrics.NoopRegisterer), clock.NewFake()}
 	srv := grpc.NewServer(grpc.UnaryInterceptor(si.intercept))
 	es := &errorServer{}
-	testproto.RegisterChillerServer(srv, es)
+	test_proto.RegisterChillerServer(srv, es)
 	lis, err := net.Listen("tcp", "127.0.0.1:")
 	test.AssertNotError(t, err, "Failed to create listener")
 	go func() { _ = srv.Serve(lis) }()
@ -76,7 +75,7 @@ func TestSubErrorWrapping(t *testing.T) {
 		grpc.WithUnaryInterceptor(ci.intercept),
 	)
 	test.AssertNotError(t, err, "Failed to dial grpc test server")
-	client := testproto.NewChillerClient(conn)
+	client := test_proto.NewChillerClient(conn)

 	subErrors := []berrors.SubBoulderError{
 		{
@ -93,7 +92,7 @@ func TestSubErrorWrapping(t *testing.T) {
 		Detail: "malformed chill req",
 	}).WithSubErrors(subErrors)

-	_, err = client.Chill(context.Background(), &testproto.Time{})
+	_, err = client.Chill(context.Background(), &test_proto.Time{})
 	test.Assert(t, err != nil, fmt.Sprintf("nil error returned, expected: %s", err))
 	test.AssertDeepEquals(t, err, es.err)
 }
--- a/grpc/interceptors.go
+++ b/grpc/interceptors.go
@ -88,7 +88,7 @@ func (si *serverInterceptor) intercept(ctx context.Context, req interface{}, inf
 	deadline = deadline.Add(-returnOverhead)
 	remaining := time.Until(deadline)
 	if remaining < meaningfulWorkOverhead {
-		return nil, grpc.Errorf(codes.DeadlineExceeded, "not enough time left on clock: %s", remaining)
+		return nil, status.Errorf(codes.DeadlineExceeded, "not enough time left on clock: %s", remaining)
 	}
 	var cancel func()
 	ctx, cancel = context.WithDeadline(ctx, deadline)
@ -166,7 +166,7 @@ func (ci *clientInterceptor) intercept(
 	defer cancel()
 	// Disable fail-fast so RPCs will retry until deadline, even if all backends
 	// are down.
-	opts = append(opts, grpc.FailFast(false))
+	opts = append(opts, grpc.WaitForReady(true))

 	// Convert the current unix nano timestamp to a string for embedding in the grpc metadata
 	nowTS := strconv.FormatInt(ci.clk.Now().UnixNano(), 10)
--- a/grpc/interceptors_test.go
+++ b/grpc/interceptors_test.go
@ -138,7 +138,7 @@ func (s *testServer) Chill(ctx context.Context, in *test_proto.Time) (*test_prot
 		spent := int64(time.Since(start) / time.Nanosecond)
 		return &test_proto.Time{Time: spent}, nil
 	case <-ctx.Done():
-		return nil, grpc.Errorf(codes.DeadlineExceeded, "the chiller overslept")
+		return nil, status.Errorf(codes.DeadlineExceeded, "the chiller overslept")
 	}
 }

@ -244,7 +244,7 @@ func TestRequestTimeTagging(t *testing.T) {
 	// requested ChillerServer delay so that the RPC completes normally
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
-	var delayTime int64 = (time.Second * 5).Nanoseconds()
+	delayTime := (time.Second * 5).Nanoseconds()
 	if _, err := c.Chill(ctx, &test_proto.Time{Time: delayTime}); err != nil {
 		t.Fatalf("Unexpected error calling Chill RPC: %s", err)
 	}
--- a/grpc/server.go
+++ b/grpc/server.go
@ -13,10 +13,11 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
+	"google.golang.org/grpc/status"
 )

 // CodedError is a alias required to appease go vet
-var CodedError = grpc.Errorf
+var CodedError = status.Errorf

 var errNilTLS = errors.New("boulder/grpc: received nil tls.Config")

--- a/issuance/issuance.go
+++ b/issuance/issuance.go
@ -136,11 +136,11 @@ func loadSigner(location IssuerLoc, cert *Certificate) (crypto.Signer, error) {
 		// us early-return once we successfully parse once.
 		signer, err := x509.ParsePKCS8PrivateKey(keyDER.Bytes)
 		if err == nil {
-			switch signer.(type) {
+			switch signer := signer.(type) {
 			case *rsa.PrivateKey:
-				return signer.(*rsa.PrivateKey), nil
+				return signer, nil
 			case *ecdsa.PrivateKey:
-				return signer.(*ecdsa.PrivateKey), nil
+				return signer, nil
 			}
 		}
 		rsaSigner, err := x509.ParsePKCS1PrivateKey(keyDER.Bytes)
--- a/linter/lints/common.go
+++ b/linter/lints/common.go
@ -11,7 +11,7 @@ const (
 	// For the purpose of calculations, a day is measured as 86,400 seconds.
 	// Any amount of time greater than this, including fractional seconds and/or
 	// leap seconds, shall represent an additional day.
-	DaySeconds time.Duration = 86400 * time.Second
+	BRDay time.Duration = 86400 * time.Second

 	// Declare our own Sources for use in zlint registry filtering.
 	LetsEncryptCPSAll          lint.LintSource = "LECPSAll"
--- a/linter/lints/intermediate/e_validity_period_greater_than_8_years.go
+++ b/linter/lints/intermediate/e_validity_period_greater_than_8_years.go
@ -33,7 +33,7 @@ func (l *certValidityTooLong) CheckApplies(c *x509.Certificate) bool {

 func (l *certValidityTooLong) Execute(c *x509.Certificate) *lint.LintResult {
 	// CPS 7.1: "Intermediate CA Certificate Validity Period: Up to 8 years."
-	maxValidity := 8 * 365 * lints.DaySeconds
+	maxValidity := 8 * 365 * lints.BRDay

 	// RFC 5280 4.1.2.5: "The validity period for a certificate is the period
 	// of time from notBefore through notAfter, inclusive."
--- a/linter/lints/root/e_validity_period_greater_than_25_years.go
+++ b/linter/lints/root/e_validity_period_greater_than_25_years.go
@ -33,7 +33,7 @@ func (l *certValidityTooLong) CheckApplies(c *x509.Certificate) bool {

 func (l *certValidityTooLong) Execute(c *x509.Certificate) *lint.LintResult {
 	// CPS 7.1: "Root CA Certificate Validity Period: Up to 25 years."
-	maxValidity := 25 * 365 * lints.DaySeconds
+	maxValidity := 25 * 365 * lints.BRDay

 	// RFC 5280 4.1.2.5: "The validity period for a certificate is the period
 	// of time from notBefore through notAfter, inclusive."
--- a/linter/lints/subscriber/e_validity_period_greater_than_100_days.go
+++ b/linter/lints/subscriber/e_validity_period_greater_than_100_days.go
@ -33,7 +33,7 @@ func (l *certValidityTooLong) CheckApplies(c *x509.Certificate) bool {

 func (l *certValidityTooLong) Execute(c *x509.Certificate) *lint.LintResult {
 	// CPS 7.1: "DV SSL End Entity Certificate Validity Period: Up to 100 days."
-	maxValidity := 100 * lints.DaySeconds
+	maxValidity := 100 * lints.BRDay

 	// RFC 5280 4.1.2.5: "The validity period for a certificate is the period
 	// of time from notBefore through notAfter, inclusive."
--- a/observer/monitor.go
+++ b/observer/monitor.go
@ -19,9 +19,7 @@ func (m monitor) start(logger blog.Logger) {
 	ticker := time.NewTicker(m.period)
 	timeout := m.period / 2
 	go func() {
-		for {
-			select {
-			case <-ticker.C:
+		for range ticker.C {
 			// Attempt to probe the configured target.
 			success, dur := m.prober.Probe(timeout)

@ -35,6 +33,5 @@ func (m monitor) start(logger blog.Logger) {
 				"kind=[%s] success=[%v] duration=[%f] name=[%s]",
 				m.prober.Kind(), success, dur.Seconds(), m.prober.Name())
 		}
-		}
 	}()
 }
--- a/ocsp/responder_test.go
+++ b/ocsp/responder_test.go
@ -259,7 +259,7 @@ func TestCacheHeaders(t *testing.T) {
 		{"Etag", "\"8169FB0843B081A76E9F6F13FD70C8411597BEACF8B182136FFDD19FBD26140A\""},
 	}
 	for _, tc := range testCases {
-		headers, ok := rw.HeaderMap[tc.header]
+		headers, ok := rw.Result().Header[tc.header]
 		if !ok {
 			t.Errorf("Header %s missing from HTTP response", tc.header)
 			continue
--- a/ocsp_updater/updater_test.go
+++ b/ocsp_updater/updater_test.go
@ -47,7 +47,7 @@ func (ca *mockOCSP) GenerateOCSP(_ context.Context, req *capb.GenerateOCSPReques
 type noopROCSP struct {
 }

-func (_ noopROCSP) StoreResponse(_ context.Context, _ []byte, _ byte, _ time.Duration) error {
+func (noopROCSP) StoreResponse(_ context.Context, _ []byte, _ byte, _ time.Duration) error {
 	return nil
 }

--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@ -2179,18 +2179,18 @@ func (msa *mockSAUnsafeAuthzReuse) GetAuthorizations2(ctx context.Context, req *

 }

-func (sa *mockSAUnsafeAuthzReuse) NewAuthorizations2(_ context.Context, _ *sapb.AddPendingAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorization2IDs, error) {
+func (msa *mockSAUnsafeAuthzReuse) NewAuthorizations2(_ context.Context, _ *sapb.AddPendingAuthorizationsRequest, _ ...grpc.CallOption) (*sapb.Authorization2IDs, error) {
 	return &sapb.Authorization2IDs{
 		Ids: []int64{5},
 	}, nil
 }

-func (sa *mockSAUnsafeAuthzReuse) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
+func (msa *mockSAUnsafeAuthzReuse) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
 	r := req.NewOrder
 	for range req.NewAuthzs {
 		r.V2Authorizations = append(r.V2Authorizations, mrand.Int63())
 	}
-	return sa.NewOrder(ctx, r)
+	return msa.NewOrder(ctx, r)
 }

 // TestNewOrderAuthzReuseSafety checks that the RA's safety check for reusing an
--- a/rocsp/config/rocsp_config.go
+++ b/rocsp/config/rocsp_config.go
@ -174,7 +174,7 @@ func LoadIssuers(input map[string]int) ([]ShortIDIssuer, error) {
 		if err != nil {
 			return nil, fmt.Errorf("parsing issuer.RawSubject: %w", err)
 		}
-		var shortID byte = byte(shortID)
+		shortID := byte(shortID)
 		for _, issuer := range issuers {
 			if issuer.shortID == shortID {
 				return nil, fmt.Errorf("duplicate shortID '%d' in (for %q and %q) in config file", shortID, issuer.subject, subject)
--- a/rocsp/rocsp.go
+++ b/rocsp/rocsp.go
@ -37,7 +37,7 @@ func (m Metadata) String() string {
 func (m Metadata) Marshal() []byte {
 	var output [9]byte
 	output[0] = m.ShortIssuerID
-	var epochSeconds uint64 = uint64(m.ThisUpdate.Unix())
+	epochSeconds := uint64(m.ThisUpdate.Unix())
 	binary.LittleEndian.PutUint64(output[1:], epochSeconds)
 	return output[:]
 }
--- a/sa/database.go
+++ b/sa/database.go
@ -186,8 +186,7 @@ func (log *SQLLogger) Printf(format string, v ...interface{}) {
 // autoincremented value that resulted from the insert. See
 // https://godoc.org/github.com/coopernurse/gorp#DbMap.Insert
 func initTables(dbMap *gorp.DbMap) {
-	var regTable *gorp.TableMap
-	regTable = dbMap.AddTableWithName(regModel{}, "registrations").SetKeys(true, "ID")
+	regTable := dbMap.AddTableWithName(regModel{}, "registrations").SetKeys(true, "ID")

 	regTable.SetVersionCol("LockCol")
 	regTable.ColMap("Key").SetNotNull(true)
--- a/sa/precertificates_test.go
+++ b/sa/precertificates_test.go
@ -56,7 +56,7 @@ func TestAddPrecertificate(t *testing.T) {
 		test.AssertNotError(t, err, "Couldn't get status for test cert")
 		test.Assert(
 			t,
-			bytes.Compare(certStatus.OcspResponse, ocspResp) == 0,
+			bytes.Equal(certStatus.OcspResponse, ocspResp),
 			fmt.Sprintf("OCSP responses don't match, expected: %x, got %x", certStatus.OcspResponse, ocspResp),
 		)
 		test.AssertEquals(t, clk.Now().UnixNano(), certStatus.OcspLastUpdated)
@ -159,5 +159,5 @@ func TestAddPrecertificateKeyHash(t *testing.T) {
 	test.AssertEquals(t, keyHashes[0].CertSerial, serial)
 	test.AssertEquals(t, keyHashes[0].CertNotAfter, testCert.NotAfter)
 	spkiHash := sha256.Sum256(testCert.RawSubjectPublicKeyInfo)
-	test.Assert(t, bytes.Compare(keyHashes[0].KeyHash, spkiHash[:]) == 0, "spki hash mismatch")
+	test.Assert(t, bytes.Equal(keyHashes[0].KeyHash, spkiHash[:]), "spki hash mismatch")
 }
--- a/test/mail-test-srv/http.go
+++ b/test/mail-test-srv/http.go
@ -32,33 +32,33 @@ func (f *toFilter) Match(m rcvdMail) bool {
 /mail/1?to=foo@bar.com - second mail for foo@bar.com
 */

-func (s *mailSrv) setupHTTP(serveMux *http.ServeMux) {
-	serveMux.HandleFunc("/count", s.httpCount)
-	serveMux.HandleFunc("/clear", s.httpClear)
-	serveMux.Handle("/mail/", http.StripPrefix("/mail/", http.HandlerFunc(s.httpGetMail)))
+func (srv *mailSrv) setupHTTP(serveMux *http.ServeMux) {
+	serveMux.HandleFunc("/count", srv.httpCount)
+	serveMux.HandleFunc("/clear", srv.httpClear)
+	serveMux.Handle("/mail/", http.StripPrefix("/mail/", http.HandlerFunc(srv.httpGetMail)))
 }

-func (s *mailSrv) httpClear(w http.ResponseWriter, r *http.Request) {
+func (srv *mailSrv) httpClear(w http.ResponseWriter, r *http.Request) {
 	if r.Method == "POST" {
-		s.allMailMutex.Lock()
-		s.allReceivedMail = nil
-		s.allMailMutex.Unlock()
+		srv.allMailMutex.Lock()
+		srv.allReceivedMail = nil
+		srv.allMailMutex.Unlock()
 		w.WriteHeader(200)
 	} else {
 		w.WriteHeader(405)
 	}
 }

-func (s *mailSrv) httpCount(w http.ResponseWriter, r *http.Request) {
+func (srv *mailSrv) httpCount(w http.ResponseWriter, r *http.Request) {
 	count := 0
-	s.iterMail(extractFilter(r), func(m rcvdMail) bool {
+	srv.iterMail(extractFilter(r), func(m rcvdMail) bool {
 		count++
 		return false
 	})
 	fmt.Fprintf(w, "%d\n", count)
 }

-func (s *mailSrv) httpGetMail(w http.ResponseWriter, r *http.Request) {
+func (srv *mailSrv) httpGetMail(w http.ResponseWriter, r *http.Request) {
 	mailNum, err := strconv.Atoi(strings.Trim(r.URL.Path, "/"))
 	if err != nil {
 		w.WriteHeader(400)
@ -66,7 +66,7 @@ func (s *mailSrv) httpGetMail(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	idx := 0
-	found := s.iterMail(extractFilter(r), func(m rcvdMail) bool {
+	found := srv.iterMail(extractFilter(r), func(m rcvdMail) bool {
 		if mailNum == idx {
 			printMail(w, m)
 			return true
@ -85,10 +85,10 @@ func extractFilter(r *http.Request) toFilter {
 	return toFilter{To: to}
 }

-func (s *mailSrv) iterMail(f toFilter, cb func(rcvdMail) bool) bool {
-	s.allMailMutex.Lock()
-	defer s.allMailMutex.Unlock()
-	for _, v := range s.allReceivedMail {
+func (srv *mailSrv) iterMail(f toFilter, cb func(rcvdMail) bool) bool {
+	srv.allMailMutex.Lock()
+	defer srv.allMailMutex.Unlock()
+	for _, v := range srv.allReceivedMail {
 		if !f.Match(v) {
 			continue
 		}
--- a/va/tlsalpn.go
+++ b/va/tlsalpn.go
@ -185,7 +185,7 @@ func (va *ValidationAuthorityImpl) validateTLSALPN01(ctx context.Context, identi
 		return validationRecords, problem
 	}

-	if !cs.NegotiatedProtocolIsMutual || cs.NegotiatedProtocol != ACMETLS1Protocol {
+	if cs.NegotiatedProtocol != ACMETLS1Protocol {
 		errText := fmt.Sprintf(
 			"Cannot negotiate ALPN protocol %q for %s challenge",
 			ACMETLS1Protocol,
--- a/va/va.go
+++ b/va/va.go
@ -266,7 +266,7 @@ func detailedError(err error) *probs.ProblemDetails {
 	}

 	var tlsErr tls.RecordHeaderError
-	if errors.As(err, &tlsErr) && bytes.Compare(tlsErr.RecordHeader[:], badTLSHeader) == 0 {
+	if errors.As(err, &tlsErr) && bytes.Equal(tlsErr.RecordHeader[:], badTLSHeader) {
 		return probs.Malformed("Server only speaks HTTP, not TLS")
 	}

--- a/web/context.go
+++ b/web/context.go
@ -124,11 +124,8 @@ func (th *TopHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// We unconditionally strip :443 even when r.TLS is nil because the WFE/WFE2
 	// may be deployed HTTP-only behind another service that terminates HTTPS on
 	// its behalf.
-	if strings.HasSuffix(r.Host, ":443") {
 	r.Host = strings.TrimSuffix(r.Host, ":443")
-	} else if strings.HasSuffix(r.Host, ":80") {
 	r.Host = strings.TrimSuffix(r.Host, ":80")
-	}

 	begin := time.Now()
 	rwws := &responseWriterWithStatus{w, 0}
--- a/web/send_error.go
+++ b/web/send_error.go
@ -7,8 +7,8 @@ import (
 	"net/http"
 	"strings"

-	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"

 	blog "github.com/letsencrypt/boulder/log"
 	"github.com/letsencrypt/boulder/probs"
@ -48,7 +48,7 @@ func SendError(
 	// auditable events. Also, skip the audit log for deadline exceeded errors
 	// since we don't need to keep those long-term. Note that they are still
 	// included in the request logs.
-	deadlineExceeded := ierr == context.DeadlineExceeded || grpc.Code(ierr) == codes.DeadlineExceeded
+	deadlineExceeded := ierr == context.DeadlineExceeded || status.Code(ierr) == codes.DeadlineExceeded
 	if prob.Type == probs.ServerInternalProblem && !deadlineExceeded {
 		if ierr != nil {
 			log.AuditErrf("Internal error - %s - %s", prob.Detail, ierr)
--- a/wfe2/prod_aia.go
+++ b/wfe2/prod_aia.go
@ -17,5 +17,4 @@ func (wfe *WebFrontEndImpl) Issuer(ctx context.Context, logEvent *web.RequestEve
 	logEvent.AddError("AIA Issuer URL requested")
 	http.NotFound(response, request)
 	response.Header().Set("Content-Type", "application/problem+json")
-	return
 }
--- a/wfe2/wfe.go
+++ b/wfe2/wfe.go
@ -22,7 +22,6 @@ import (
 	berrors "github.com/letsencrypt/boulder/errors"
 	"github.com/letsencrypt/boulder/features"
 	"github.com/letsencrypt/boulder/goodkey"
-	"github.com/letsencrypt/boulder/grpc"
 	bgrpc "github.com/letsencrypt/boulder/grpc"
 	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/issuance"
@ -162,11 +161,11 @@ func NewWebFrontEndImpl(
 	sac sapb.StorageAuthorityClient,
 	accountGetter AccountGetter,
 ) (WebFrontEndImpl, error) {
-	if issuerCertificates == nil || len(issuerCertificates) == 0 {
+	if len(issuerCertificates) == 0 {
 		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
 	}

-	if certificateChains == nil || len(certificateChains) == 0 {
+	if len(certificateChains) == 0 {
 		return WebFrontEndImpl{}, errors.New("must provide at least one certificate chain")
 	}

@ -627,7 +626,7 @@ func (wfe *WebFrontEndImpl) NewAccount(
 		beeline.AddFieldToTrace(ctx, "acct.id", acctPB.Id)
 		addRequesterHeader(response, acctPB.Id)

-		acct, err := grpc.PbToRegistration(acctPB)
+		acct, err := bgrpc.PbToRegistration(acctPB)
 		if err != nil {
 			wfe.sendError(response, logEvent, probs.ServerInternal("Error marshaling account"), err)
 			return
--- a/wfe2/wfe_test.go
+++ b/wfe2/wfe_test.go
@ -155,36 +155,6 @@ EulwPw0CgYAMSzsWOt6vU+y/G5NyhUCHvY50TdnGOj2btBk9rYVwWGWxCpg2QF0R
 pcKXgGzXEVZKFAqB8V1c/mmCo8ojPgmqGM+GzX2Bj4seVBW7PsTeZUjrHpADshjV
 F7o5b7y92NlxO5kwQzRKEAhwS5PbKJdx90iCuG+JlI1YgWlA1VcJMw==
 -----END RSA PRIVATE KEY-----
-`
-
-	test4KeyPrivatePEM = `
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAqih+cx32M0wq8MhhN+kBi2xPE+wnw4/iIg1hWO5wtBfpt2Pt
-WikgPuBT6jvK9oyQwAWbSfwqlVZatMPY/+3IyytMNb9R9OatNr6o5HROBoyZnDVS
-iC4iMRd7bRl/PWSIqj/MjhPNa9cYwBdW5iC3jM5TaOgmp0+YFm4tkLGirDcIBDkQ
-Ylnv9NKILvuwqkapZ7XBixeqdCcikUcTRXW5unqygO6bnapzw+YtPsPPlj4Ih3Sv
-K4doyziPV96U8u5lbNYYEzYiW1mbu9n0KLvmKDikGcdOpf6+yRa/10kMZyYQatY1
-eclIKI0xb54kbluEl0GQDaL5FxLmiKeVnsapzwIDAQABAoIBAQCYWNsmTHwjX53O
-qUnJ2jfE0ftXNghAIvHvVRWEny+PPx3FUZWwNMQnJ4haXqCQ8DelhR+NNVYXERLz
-Z6pBMm+l4CVCtgI2B9ar/jaPHMbDPF1IK8GyJcP9Oi4K91oh6IIoFCkcSASS+imx
-yvPF5SMR0aWCduAsyqm743euZizkjIZ4ZzjJzhvtO17BLXpjD2Al8CBfeaaPFfPB
-X86BRH5khuNaRbjG9MVg4h+D752/PuivE6+wBW+F2CYCbFMCYTFSFyHzrVdkw59C
-RbHl6Pk7aTA9z0CR3zNI5k0bGd6z/o0rMei6tWO5OBTQRq5tpW9Gim0uVLH/XJlf
-XmJoze+RAoGBAMNrcbPlWlSpd3C1fwYiztXwIe7TaaJIpQ+UhCZE2NuXmEZFGqD5
-5mrZYV3iIq1cDdeV/BkzkB8ggEuQusZ4d7JfEw/j6I8C3ZRmw4W/bb8LPJMX3Ea7
-SgzFv9e+PqqX/3oHZvUN+kH1FSI+UDpkIdegqUBUyWPvd98SDH0/HaY5AoGBAN7o
-SfwWExIPEYQvpPjiSVxPuuv50z0BZB+vrQL6U2y4FIohuYSfBVvMiy/Q3Coo2yej
-Js4M2bj79lGG86/E+ejdN/YExKWK7qiVnVkOjKnQeJ+bm0+aQWxgetN7RCosqu4T
-Dp+Ih2fmhH9r5CInWjbY8js41c/KmYeMa9ZsehBHAoGAdNGg6eJ8KkoYDXdh1MAw
-FvHyxvr4lbuJeJPWn63eWP75V2Bt97cLx+nk66OICUwTNkIBrusFB6Z9Ky78iDJx
-k16EXaZnWj5jSRhZX3W83EySTHgiBOJm9NWtxgGDIqW0YjVUlb9iT9V7aboIaa98
-D5OKOdu1fBkl9mKqtqBpT/kCgYAugjT9nfV4rSAwfmhjbYN0+UW8+rEyZ1nmqpbk
-qipB4t6WO5cjrrJFhxX7cg6d1Ux0prvv/gpnaFrqg8fQgr7J8W49rJ0DFUvabO0Z
-qcl7nP2t/5+WKk9AN5kpCu0cB5nadqt0ad4mtZgrpe1BmwhdrUJNTPx/kHwcJhZR
-9Ow6/QKBgGzypcqehhIKPjOR7PR8uf0Lb8j5hlLH5akfxVDlUozr5j68cZA3nPW9
-ikuuM4LqU1dlaAp+c51nye7t4hhIw+JtGSWI2fl5NXxB71LOTvN/sN6sGCbNG3pe
-xxBoTncDuGtTpubGbzBrY5W1SlNm1gqu9oQa23WNViN2Rc4aIVm3
-----END RSA PRIVATE KEY-----
 `

 	testE1KeyPrivatePEM = `
@ -1979,7 +1949,7 @@ func TestGetCertificate(t *testing.T) {
 			if len(tc.ExpectedCert) > 0 {
 				// If the expectation was to return a certificate, check that it was the one expected
 				bodyBytes := responseWriter.Body.Bytes()
-				test.Assert(t, bytes.Compare(bodyBytes, tc.ExpectedCert) == 0, "Certificates don't match")
+				test.Assert(t, bytes.Equal(bodyBytes, tc.ExpectedCert), "Certificates don't match")

 				// Successful requests should be logged as such
 				reqlogs := mockLog.GetAllMatching(`INFO: [^ ]+ [^ ]+ [^ ]+ 200 .*`)