From 0c685ce812bd2beca593f0723c4ee1eddefa6c86 Mon Sep 17 00:00:00 2001 
From: "opentdf-automation[bot]" <149537512+opentdf-automation[bot]@users.noreply.github.com> Date: Mon, 3 Nov 2025 19:16:36 +0000 Subject: [PATCH] fix(deps): bump toolchain to go1.24.9 for CVEs found by govulncheck (#2849) ``` go env Run go install golang.org/x/vuln/cmd/govulncheck@latest Run govulncheck -C lib/ocrypto -format text ./... === Symbol Results === Vulnerability #1: GO-2025-4011 Parsing DER payload can cause memory exhaustion in encoding/asn1 More info: https://pkg.go.dev/vuln/GO-2025-4011 Standard library Found in: encoding/asn1@go1.24.6 Fixed in: encoding/asn1@go1.24.8 Example traces found: Error: #1: ec_key_pair.go:471:37: ocrypto.GetECKeySize calls x509.ParsePKIXPublicKey, which calls asn1.Unmarshal Vulnerability #2: GO-2025-4010 Insufficient validation of bracketed IPv6 hostnames in net/url More info: https://pkg.go.dev/vuln/GO-2025-4010 Standard library Found in: net/url@go1.24.6 Fixed in: net/url@go1.24.8 Example traces found: Error: #1: ec_key_pair.go:318:37: ocrypto.ECPubKeyFromPem calls x509.ParseCertificate, which eventually calls url.Parse Vulnerability #3: GO-2025-4009 Quadratic complexity when parsing some invalid inputs in encoding/pem More info: https://pkg.go.dev/vuln/GO-2025-4009 Standard library Found in: encoding/pem@go1.24.6 Fixed in: encoding/pem@go1.24.8 Example traces found: Error: #1: ec_key_pair.go:466:24: ocrypto.GetECKeySize calls pem.Decode Vulnerability #4: GO-2025-4007 Quadratic complexity when checking name constraints in crypto/x509 More info: https://pkg.go.dev/vuln/GO-2025-4007 Standard library Found in: crypto/x509@go1.24.6 Fixed in: crypto/x509@go1.24.9 Example traces found: Error: #1: ec_key_pair.go:433:53: ocrypto.ECPrivateKeyInPemFormat calls x509.MarshalPKCS8PrivateKey Error: #2: ec_key_pair.go:449:39: ocrypto.ECPublicKeyInPemFormat calls x509.MarshalPKIXPublicKey Error: #3: ec_key_pair.go:318:37: ocrypto.ECPubKeyFromPem calls x509.ParseCertificate Error: #4: asym_decryption.go:57:37: 
ocrypto.FromPrivatePEMWithSalt calls x509.ParseECPrivateKey Error: #5: asym_decryption.go:52:40: ocrypto.FromPrivatePEMWithSalt calls x509.ParsePKCS1PrivateKey Error: #6: ec_key_pair.go:352:40: ocrypto.ECPrivateKeyFromPem calls x509.ParsePKCS8PrivateKey Error: #7: ec_key_pair.go:471:37: ocrypto.GetECKeySize calls x509.ParsePKIXPublicKey Your code is affected by 4 vulnerabilities from the Go standard library. This scan also found 1 vulnerability in packages you import and 5 vulnerabilities in modules you require, but your code doesn't appear to call these vulnerabilities. Use '-show verbose' for more details. ``` (cherry picked from commit 23f76c034cfb4c325d868eb96c95ba616e362db4)
---
 examples/go.mod | 2 +-
 go.work | 2 +-
 lib/fixtures/go.mod | 2 +-
 lib/ocrypto/go.mod | 2 +-
 protocol/go/go.mod | 2 +-
 sdk/go.mod | 2 +-
 service/go.mod | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/examples/go.mod b/examples/go.mod
index e5c790dc1d..c030b82a3e 100644
--- a/examples/go.mod
+++ b/examples/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/examples
 go 1.24.0
-toolchain go1.24.6
+toolchain go1.24.9
 require (
 github.com/opentdf/platform/lib/ocrypto v0.6.0
diff --git a/go.work b/go.work
index 84af48ef0b..1e0f74f548 100644
--- a/go.work
+++ b/go.work
@@ -1,6 +1,6 @@
 go 1.24.0
-toolchain go1.24.6
+toolchain go1.24.9
 use (
 ./examples
diff --git a/lib/fixtures/go.mod b/lib/fixtures/go.mod
index 965f145374..f1d071ddf7 100644
--- a/lib/fixtures/go.mod
+++ b/lib/fixtures/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/lib/fixtures
 go 1.23.0
-toolchain go1.24.6
+toolchain go1.24.9
 require github.com/Nerzal/gocloak/v13 v13.9.0
diff --git a/lib/ocrypto/go.mod b/lib/ocrypto/go.mod
index e79fa510ba..c5f1092cda 100644
--- a/lib/ocrypto/go.mod
+++ b/lib/ocrypto/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/lib/ocrypto
 go 1.23.0
-toolchain go1.24.6
+toolchain go1.24.9
 require (
 github.com/stretchr/testify v1.10.0
diff --git a/protocol/go/go.mod b/protocol/go/go.mod
index 88581d4858..e325d05bce 100644
--- a/protocol/go/go.mod
+++ b/protocol/go/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/protocol/go
 go 1.24.0
-toolchain go1.24.6
+toolchain go1.24.9
 require (
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.1-20240508200655-46a4cf4ba109.1
diff --git a/sdk/go.mod b/sdk/go.mod
index cf72b47a1a..410873af43 100644
--- a/sdk/go.mod
+++ b/sdk/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/sdk
 go 1.24.0
-toolchain go1.24.6
+toolchain go1.24.9
 require (
 connectrpc.com/connect v1.18.1
diff --git a/service/go.mod b/service/go.mod
index 7d34328c0e..6168a0da43 100644
--- a/service/go.mod
+++ b/service/go.mod
@@ -2,7 +2,7 @@ module github.com/opentdf/platform/service
 go 1.24.0
-toolchain go1.24.6
+toolchain go1.24.9
 require (
 buf.build/go/protovalidate v0.13.1