

@Lekensteyn

Changes:

range diff between cf and pwu/cf-1.22.5 (based on go1.22.4 and go1.22.5 respectively)
$ git range-diff go1.22.4..a920985875 go1.22.5..f4334cdc0c
 1:  24760cc94a =  1:  ad6d8311cc Add README (#158)
 2:  77a860bf30 <  -:  ---------- VERSION: add cf tag
 -:  ---------- >  2:  f6c2818f00 VERSION: add cf tag
 3:  ab1508a0d7 =  3:  12d930db85 cmd/go/internal/imports, go/build: add cfgo build tag
 4:  2c07b8a30b =  4:  98209d8da8 .github: add docker-compose.yaml and GitHub Action for CI
 5:  b54199b9a1 =  5:  8846cd808b .github: replace upstream templates and CODE_OF_CONDUCT.md
 6:  858bdcdd62 =  6:  885e769d30 cmd/api: ignore CF-specific API changes
 7:  a2a278de68 =  7:  10395434c5 go/build: don't check dependencies of vendored circl library
 8:  3e98c95c58 =  8:  b5d791215e crypto/tls: expose inter-handshake timing via CFEventHandlerContextKey
 9:  6991a106a8 =  9:  32f83b78a3 crypto/tls: Add hybrid post-quantum key agreements
10:  0569d2adc5 ! 10:  f2bfd08e62 crypto: add support for CIRCL signature schemes
    @@ Commit message
         Since Go 1.19, FIPS-only mode must remain disabled to enable PQ sigalgs.
     
          [pwu: Go 1.17: moved parsePublicKey changes from x509/x509.go to x509/parser.go]
    +     [pwu: Go 1.22.5: add eddilithium2 support, fix eddilithium3, by Bas in #176]
     
         Co-authored-by: Christopher Patton <chrispatton@gmail.com>
         Co-authored-by: Peter Wu <pwu@cloudflare.com>
    @@ src/crypto/tls/common.go: const (
      	signatureRSAPSS
      	signatureECDSA
      	signatureEd25519
    ++	signatureEdDilithium2
     +	signatureEdDilithium3
      )
      
    @@ src/crypto/tls/tls_cf.go (new)
     +import (
     +	circlPki "github.com/cloudflare/circl/pki"
     +	circlSign "github.com/cloudflare/circl/sign"
    ++	"github.com/cloudflare/circl/sign/eddilithium2"
     +	"github.com/cloudflare/circl/sign/eddilithium3"
     +)
     +
    @@ src/crypto/tls/tls_cf.go (new)
     +	sigType uint8
     +	scheme  circlSign.Scheme
     +}{
    ++	{signatureEdDilithium2, eddilithium2.Scheme()},
     +	{signatureEdDilithium3, eddilithium3.Scheme()},
     +}
     +
    @@ src/crypto/tls/tls_cf_circl_test.go (new)
     +	"time"
     +
     +	"github.com/cloudflare/circl/sign"
    -+	"github.com/cloudflare/circl/sign/eddilithium3"
    ++	"github.com/cloudflare/circl/sign/eddilithium2"
     +)
     +
     +func TestPQSignatureSchemes(t *testing.T) {
    -+	pqCert := createPQCert(t, eddilithium3.Scheme())
    ++	pqCert := createPQCert(t, eddilithium2.Scheme())
     +	rsaCert := Certificate{
     +		Certificate: [][]byte{testRSACertificate},
     +		PrivateKey:  testRSAPrivateKey,
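Review bot: With `createPQCert(t, eddilithium2.Scheme())` replacing the eddilithium3 call, the visible part of TestPQSignatureSchemes no longer exercises eddilithium3 at all, although the commit message says this revision also fixes eddilithium3. A signature scheme that is registered but never driven through a handshake in tests can break unnoticed on the next rebase. Consider running the table once per scheme, e.g. `for _, s := range []sign.Scheme{eddilithium2.Scheme(), eddilithium3.Scheme()} {`, with `expectedCertSigAlg` chosen to match. The function body continues past this hunk, so coverage elsewhere in the file cannot be ruled out from here.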
    @@ src/crypto/tls/tls_cf_circl_test.go (new)
     +			clientPQ:           true,
     +			serverPQ:           false,
     +			serverCerts:        pqAndRsaCerts,
    -+			expectedCertSigAlg: x509.PureEdDilithium3,
    ++			expectedCertSigAlg: x509.PureEdDilithium2,
     +		},
     +		{
     +			clientPQ:           true,
     +			serverPQ:           true,
     +			serverCerts:        pqAndRsaCerts,
    -+			expectedCertSigAlg: x509.PureEdDilithium3,
    ++			expectedCertSigAlg: x509.PureEdDilithium2,
     +		},
     +		{
     +			clientPQ:           true,
    @@ src/crypto/x509/x509.go: const (
      	SHA384WithRSAPSS
      	SHA512WithRSAPSS
      	PureEd25519
    ++	PureEdDilithium2
     +	PureEdDilithium3
      )
      
    @@ src/crypto/x509/x509.go: const (
      	DSA // Only supported for parsing.
      	ECDSA
      	Ed25519
    ++	EdDilithium2
     +	EdDilithium3
      )
      
    @@ src/crypto/x509/x509.go: const (
     +	DSA:          "DSA",
     +	ECDSA:        "ECDSA",
     +	Ed25519:      "Ed25519",
    -+	EdDilithium3: "Ed25519-Dilithium3",
    ++	EdDilithium2: "Ed25519-Dilithium2",
    ++	EdDilithium3: "Ed448-Dilithium3",
      }
      
      func (algo PublicKeyAlgorithm) String() string {
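Review bot: The name table is maintained by hand and the `EdDilithium3` entry was wrong until this revision (`"Ed25519-Dilithium3"` became `"Ed448-Dilithium3"`); nothing visible here ties the strings to the CIRCL schemes they describe. A short test per entry, such as `if got := EdDilithium3.String(); got != eddilithium3.Scheme().Name() { t.Errorf("name mismatch: %q", got) }`, would catch a repeat, assuming the CIRCL scheme names are the intended spelling. Because this changes what `String()` returns for an existing exported constant, anything that matches on the old text (log filters, algorithm allow-lists keyed by name) should be checked. The map literal opens outside this hunk.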
    @@ src/crypto/x509/x509_cf.go (new)
     +	circlPki "github.com/cloudflare/circl/pki"
     +	circlSign "github.com/cloudflare/circl/sign"
     +	"github.com/cloudflare/circl/sign/eddilithium3"
    ++	"github.com/cloudflare/circl/sign/eddilithium2"
     +)
     +
     +// To add a signature scheme from Circl
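Review bot: The new `eddilithium2` import is appended after `eddilithium3`, so the import block in x509_cf.go is no longer sorted and gofmt would reorder it; tls_cf.go in the same commit lists the two in sorted order. Move `"github.com/cloudflare/circl/sign/eddilithium2"` above the `eddilithium3` line so the file stays gofmt-clean. The import block opens outside this hunk.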
    @@ src/crypto/x509/x509_cf.go (new)
     +	alg    PublicKeyAlgorithm
     +	scheme circlSign.Scheme
     +}{
    ++	{PureEdDilithium2, EdDilithium2, eddilithium2.Scheme()},
     +	{PureEdDilithium3, EdDilithium3, eddilithium3.Scheme()},
     +}
     +
11:  eab2535c00 ! 11:  1169950a0d crypto/tls: implement draft-ietf-tls-subcerts-10
    @@ src/crypto/tls/delegated_credentials_test.go (new)
     +-----END CERTIFICATE-----
     +`
     +
    -+var delegatorKeyPEMP256 = `-----BEGIN EC PRIVATE KEY-----
    ++var delegatorKeyPEMP256 = testingKey(`-----BEGIN EC TESTING KEY-----
     +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg4OgO7q8sUUZaYjEp
     +JuLzlXH0qmTZ1k3UHgPYbAmRFOWhRANCAASU3m1NGJ8umjL2nt85TY9d+Ze10s6j
     +w2Y2IdT6iKmPz9jeTz5g9Onx0Ng+8WUVMP2uc1uyjMEVV677q/k1Z+Ph
    -+-----END EC PRIVATE KEY-----
    -+`
    ++-----END EC TESTING KEY-----
    ++`)
     +
     +//	go run generate_cert.go -ecdsa-curve P384 -host 127.0.0.1 -allowDC
     +
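Review bot: The PEM label on `delegatorKeyPEMP256` does not match its body: after `testingKey` substitution the type reads `EC PRIVATE KEY`, but the base64 appears to start a PKCS#8 structure, not a SEC1 ECPrivateKey. The same holds for the P384, P521, Ed25519 and non-delegator keys in the later hunks of this file (the Ed25519 one cannot be an EC key at all). The ech_test.go keys show the opposite mismatch, a SEC1-looking body under the generic label. Whether the loader inspects the PEM type is not visible here, but a mislabelled fixture hides bugs in code that does. Suggest `-----BEGIN TESTING KEY-----` / `-----END TESTING KEY-----` for the PKCS#8 bodies and `-----BEGIN EC TESTING KEY-----` for the SEC1 ones.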
    @@ src/crypto/tls/delegated_credentials_test.go (new)
     +-----END CERTIFICATE-----
     +`
     +
    -+var delegatorKeyPEMP384 = `-----BEGIN EC PRIVATE KEY-----
    ++var delegatorKeyPEMP384 = testingKey(`-----BEGIN EC TESTING KEY-----
     +MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDA1ouSiH174RBEvZBch
     +QQnl5iYWTpdCa+EHjexYzhQ9HHMcU7nKCk7OXRod3kAVcUahZANiAARzZspIuV8X
     +5sca5OEEaF31O4ZNKNoCVk5AlAMs5VTXEmlEx7m+uL9nMJ/fy226KBQZYcM+J5+9
     +Osh7c5kkB05AipnBti8Eu+VPmWo8z1yqEqmsxoWqQS0G+0ewPrkUBr4=
    -+-----END EC PRIVATE KEY-----
    -+`
    ++-----END EC TESTING KEY-----
    ++`)
     +
     +//	go run generate_cert.go -ecdsa-curve P521 -host 127.0.0.1 -allowDC
     +
    @@ src/crypto/tls/delegated_credentials_test.go (new)
     +-----END CERTIFICATE-----
     +`
     +
    -+var delegatorKeyPEMP521 = `-----BEGIN EC PRIVATE KEY-----
    ++var delegatorKeyPEMP521 = testingKey(`-----BEGIN EC TESTING KEY-----
     +MIHuAgEAMBAGByqGSM49AgEGBSuBBAAjBIHWMIHTAgEBBEIA4X72HzMvgBj//dX/
     +SLkA2+oQ93l2eB2jXVRFST/mQj5NSSt8TNcIqW+TaxSejst7+jAQgnH2Zrith8zK
     +r2/Gy/6hgYkDgYYABADN59cQMUS2IZwzUanNKJ5jTPSJNCXI2untG2GvZqNKFf8u
     +Qz3jC91CQdQjSJhaQJMetsC4mZpPwYXD0tBLLSwMFwEwZG/6tH2ylGVxR3eIK+bK
     +UXwKLF8+b4NVS3ih6qVJLrciY4HRb7gWc5qdqJahimwUilBJbwxZGVpGZObhhJwr
     +CA==
    -+-----END EC PRIVATE KEY-----
    -+`
    ++-----END EC TESTING KEY-----
    ++`)
     +
     +//	go run generate_cert.go -ed25519 -host 127.0.0.1 -allowDC
     +
    @@ src/crypto/tls/delegated_credentials_test.go (new)
     +-----END CERTIFICATE-----
     +`
     +
    -+var delegatorKeyPEMEd25519 = `-----BEGIN EC PRIVATE KEY-----
    ++var delegatorKeyPEMEd25519 = testingKey(`-----BEGIN EC TESTING KEY-----
     +MC4CAQAwBQYDK2VwBCIEILsRn/g0To97rbKf+2zV+sr6ZmrqcEiLRK2/rD7r+xDZ
    -+-----END EC PRIVATE KEY-----
    -+`
    ++-----END EC TESTING KEY-----
    ++`)
     +
     +var nonDelegatorCertPEM = `-----BEGIN CERTIFICATE-----
     +MIIBaDCCAQ6gAwIBAgIQcMnAGu3NQYTGYf2HK+JodTAKBggqhkjOPQQDAjASMRAw
    @@ src/crypto/tls/delegated_credentials_test.go (new)
     +-----END CERTIFICATE-----
     +`
     +
    -+var nonDelegatorKeyPEM = `-----BEGIN EC PRIVATE KEY-----
    ++var nonDelegatorKeyPEM = testingKey(`-----BEGIN EC TESTING KEY-----
     +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgD9Q9131NamLDe4ud
     +dU9rg+gO0vv8lXYErf7P5GQlZD6hRANCAATwIkMzrYR1HcC0z6PT+1ZNSNluUR1u
     +ZyJKvc2KqjGeZh0Or5pq6ZJb0zR7WPdz5aJIzaZ5YcxLMSv0KwaAEPH2
    -+-----END EC PRIVATE KEY-----
    -+`
    ++-----END EC TESTING KEY-----
    ++`)
     +
     +var (
     +	dcTestConfig            *Config
12:  30d3b5053e ! 12:  0e7b54069b crypto/tls: implement draft-ietf-tls-esni-13
    @@ src/crypto/tls/ech_test.go (new)
     +-----END CERTIFICATE-----`
     +
     +// Signing key of the client-facing server.
    -+const echTestKeyClientFacingPEM = `
    -+-----BEGIN PRIVATE KEY-----
    ++var echTestKeyClientFacingPEM = testingKey(`
    ++-----BEGIN TESTING KEY-----
     +MHcCAQEEIPpCcU8mu+h4xHAm18NJvn73Ko9fjH9QxDCpRt7kCIq9oAoGCCqGSM49
     +AwEHoUQDQgAE7nP/Txinb0JPE/xdjv5d3zrWJqXo7qwP67oVaMKJp5ausJ+0IZfi
     +MWz8pa6T7pyyLrC5xvQNkfVkpP9/FxmNFQ==
    -+-----END PRIVATE KEY-----`
    ++-----END TESTING KEY-----`)
     +
     +// Certificate of the backend server. The server name is "example.com".
     +const echTestCertBackendPEM = `
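Review bot: `echTestKeyClientFacingPEM` (and `echTestKeyBackendPEM` in the next hunk) changes from `const` to `var` and gains a `testingKey(...)` wrapper, but the comment above it still only says what the key is for. `testingKey` is not defined in the visible hunks; presumably it restores the real PEM type at run time so that secret scanners do not flag the fixture. A line such as `// Test-only key; stored with a TESTING KEY label and rewritten by testingKey at run time.` would keep a later cleanup from reverting the label or reusing the key outside tests. The same comment would help on the delegated_credentials_test.go keys.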
    @@ src/crypto/tls/ech_test.go (new)
     +-----END CERTIFICATE-----`
     +
     +// Signing key of the backend server.
    -+const echTestKeyBackendPEM = `
    -+-----BEGIN PRIVATE KEY-----
    ++var echTestKeyBackendPEM = testingKey(`
    ++-----BEGIN TESTING KEY-----
     +MHcCAQEEIIJsLXmfzw6FDlqyRRLhY6lVB6ws5ewjUQjnS4DXsQ60oAoGCCqGSM49
     +AwEHoUQDQgAElq+qE01Z87KIPHWdEAk0cWssHkRnS4aQCDfstoxDIWQ4rMwHvrWG
     +Fy/vytRwyjhHuX9ntc5ArCpwbAmY+oW/4w==
    -+-----END PRIVATE KEY-----`
    ++-----END TESTING KEY-----`)
     +
     +// The ECH keys used by the client-facing server.
     +const echTestKeys = `-----BEGIN ECH KEYS-----
13:  09f4554dbc = 13:  b935551fd7 Set GOTOOLCHAIN to local to prevent auto-download of new Go
14:  4f304f20a8 = 14:  d26ab7234d Add tls.Config.ClientCurveGuess to allow specifying which keyshares to send
15:  3fa2427914 = 15:  9f08975994 Use server's preferred key agreement
16:  962efcd465 = 16:  f4334cdc0c Add dummy key agreement with codepoint 0xfe33 (#162)
17:  a920985875 <  -:  ---------- tls: add eddilithium2 support and fix eddilithium3 (#176)

@Lekensteyn Lekensteyn requested a review from bwesterb July 4, 2024 11:59