smallstep · marten-seemann · Jun 6, 2025
diff --git a/acme/api/order.go b/acme/api/order.go
@@ -321,11 +321,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 
 	chTypes := challengeTypes(az)
 
-	var err error
-	az.Token, err = randutil.Alphanumeric(32)
-	if err != nil {
-		return acme.WrapErrorISE(err, "error generating random alphanumeric ID")
-	}
+	az.Token = randutil.Alphanumeric(32)
 
 	db := acme.MustDatabaseFromContext(ctx)
 	prov := acme.MustProvisionerFromContext(ctx)
@@ -378,7 +374,7 @@ func newAuthorization(ctx context.Context, az *acme.Authorization) error {
 		}
 		az.Challenges = append(az.Challenges, ch)
 	}
-	if err = db.CreateAuthorization(ctx, az); err != nil {
+	if err := db.CreateAuthorization(ctx, az); err != nil {
 		return acme.WrapErrorISE(err, "error creating authorization")
 	}
 	return nil

diff --git a/acme/db/nosql/account.go b/acme/db/nosql/account.go
@@ -86,11 +86,7 @@ func (db *DB) GetAccountByKeyID(ctx context.Context, kid string) (*acme.Account,
 
 // CreateAccount imlements the AcmeDB.CreateAccount interface.
 func (db *DB) CreateAccount(ctx context.Context, acc *acme.Account) error {
-	var err error
-	acc.ID, err = randID()
-	if err != nil {
-		return err
-	}
+	acc.ID = randID()
 
 	dba := &dbAccount{
 		ID:              acc.ID,

diff --git a/acme/db/nosql/authz.go b/acme/db/nosql/authz.go
@@ -78,11 +78,7 @@ func (db *DB) GetAuthorization(ctx context.Context, id string) (*acme.Authorizat
 // CreateAuthorization creates an entry in the database for the Authorization.
 // Implements the acme.DB.CreateAuthorization interface.
 func (db *DB) CreateAuthorization(ctx context.Context, az *acme.Authorization) error {
-	var err error
-	az.ID, err = randID()
-	if err != nil {
-		return err
-	}
+	az.ID = randID()
 
 	chIDs := make([]string, len(az.Challenges))
 	for i, ch := range az.Challenges {

diff --git a/acme/db/nosql/certificate.go b/acme/db/nosql/certificate.go
@@ -28,11 +28,7 @@ type dbSerial struct {
 
 // CreateCertificate creates and stores an ACME certificate type.
 func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) error {
-	var err error
-	cert.ID, err = randID()
-	if err != nil {
-		return err
-	}
+	cert.ID = randID()
 
 	leaf := pem.EncodeToMemory(&pem.Block{
 		Type:  "CERTIFICATE",
@@ -54,8 +50,7 @@ func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) err
 		Intermediates: intermediates,
 		CreatedAt:     time.Now().UTC(),
 	}
-	err = db.save(ctx, cert.ID, dbch, nil, "certificate", certTable)
-	if err != nil {
+	if err := db.save(ctx, cert.ID, dbch, nil, "certificate", certTable); err != nil {
 		return err
 	}
 

diff --git a/acme/db/nosql/challenge.go b/acme/db/nosql/challenge.go
@@ -48,11 +48,7 @@ func (db *DB) getDBChallenge(_ context.Context, id string) (*dbChallenge, error)
 // CreateChallenge creates a new ACME challenge data structure in the database.
 // Implements acme.DB.CreateChallenge interface.
 func (db *DB) CreateChallenge(ctx context.Context, ch *acme.Challenge) error {
-	var err error
-	ch.ID, err = randID()
-	if err != nil {
-		return errors.Wrap(err, "error generating random id for ACME challenge")
-	}
+	ch.ID = randID()
 
 	dbch := &dbChallenge{
 		ID:        ch.ID,

diff --git a/acme/db/nosql/eab.go b/acme/db/nosql/eab.go
@@ -2,11 +2,12 @@ package nosql
 
 import (
 	"context"
-	"crypto/rand"
 	"encoding/json"
 	"sync"
 	"time"
 
+	"go.step.sm/crypto/randutil"
+
 	"github.com/pkg/errors"
 
 	"github.com/smallstep/certificates/acme"
@@ -57,22 +58,12 @@ func (db *DB) CreateExternalAccountKey(ctx context.Context, provisionerID, refer
 	externalAccountKeyMutex.Lock()
 	defer externalAccountKeyMutex.Unlock()
 
-	keyID, err := randID()
-	if err != nil {
-		return nil, err
-	}
-
-	random := make([]byte, 32)
-	_, err = rand.Read(random)
-	if err != nil {
-		return nil, err
-	}
-
+	keyID := randID()
 	dbeak := &dbExternalAccountKey{
 		ID:            keyID,
 		ProvisionerID: provisionerID,
 		Reference:     reference,
-		HmacKey:       random,
+		HmacKey:       randutil.Bytes(32),
 		CreatedAt:     clock.Now(),
 	}
 

diff --git a/acme/db/nosql/nonce.go b/acme/db/nosql/nonce.go
@@ -21,12 +21,7 @@ type dbNonce struct {
 // CreateNonce creates, stores, and returns an ACME replay-nonce.
 // Implements the acme.DB interface.
 func (db *DB) CreateNonce(ctx context.Context) (acme.Nonce, error) {
-	_id, err := randID()
-	if err != nil {
-		return "", err
-	}
-
-	id := base64.RawURLEncoding.EncodeToString([]byte(_id))
+	id := base64.RawURLEncoding.EncodeToString([]byte(randID()))
 	n := &dbNonce{
 		ID:        id,
 		CreatedAt: clock.Now(),

diff --git a/acme/db/nosql/nosql.go b/acme/db/nosql/nosql.go
@@ -86,12 +86,8 @@ func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string
 
 var idLen = 32
 
-func randID() (val string, err error) {
-	val, err = randutil.Alphanumeric(idLen)
-	if err != nil {
-		return "", errors.Wrap(err, "error generating random alphanumeric ID")
-	}
-	return val, nil
+func randID() string {
+	return randutil.Alphanumeric(idLen)
 }
 
 // Clock that returns time in UTC rounded to seconds.

diff --git a/acme/db/nosql/order.go b/acme/db/nosql/order.go
@@ -75,11 +75,7 @@ func (db *DB) GetOrder(ctx context.Context, id string) (*acme.Order, error) {
 
 // CreateOrder creates ACME Order resources and saves them to the DB.
 func (db *DB) CreateOrder(ctx context.Context, o *acme.Order) error {
-	var err error
-	o.ID, err = randID()
-	if err != nil {
-		return err
-	}
+	o.ID = randID()
 
 	now := clock.Now()
 	dbo := &dbOrder{
@@ -98,11 +94,8 @@ func (db *DB) CreateOrder(ctx context.Context, o *acme.Order) error {
 		return err
 	}
 
-	_, err = db.updateAddOrderIDs(ctx, o.AccountID, false, o.ID)
-	if err != nil {
-		return err
-	}
-	return nil
+	_, err := db.updateAddOrderIDs(ctx, o.AccountID, false, o.ID)
+	return err
 }
 
 // UpdateOrder saves an updated ACME Order to the database.

diff --git a/authority/admin/api/webhook.go b/authority/admin/api/webhook.go
@@ -90,12 +90,7 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 		return
 	}
 
-	id, err := randutil.UUIDv4()
-	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook id"))
-		return
-	}
-	newWebhook.Id = id
+	newWebhook.Id = randutil.UUIDv4()
 
 	// verify the name is unique
 	for _, wh := range prov.Webhooks {
@@ -106,12 +101,7 @@ func (war *webhookAdminResponder) CreateProvisionerWebhook(w http.ResponseWriter
 		}
 	}
 
-	secret, err := randutil.Bytes(64)
-	if err != nil {
-		render.Error(w, r, admin.WrapErrorISE(err, "error generating webhook secret"))
-		return
-	}
-	newWebhook.Secret = base64.StdEncoding.EncodeToString(secret)
+	newWebhook.Secret = base64.StdEncoding.EncodeToString(randutil.Bytes(64))
 
 	prov.Webhooks = append(prov.Webhooks, newWebhook)
 

diff --git a/authority/admin/db/nosql/admin.go b/authority/admin/db/nosql/admin.go
@@ -130,11 +130,7 @@ func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) {
 
 // CreateAdmin stores a new admin to the database.
 func (db *DB) CreateAdmin(ctx context.Context, adm *linkedca.Admin) error {
-	var err error
-	adm.Id, err = randID()
-	if err != nil {
-		return admin.WrapErrorISE(err, "error generating random id for admin")
-	}
+	adm.Id = randID()
 	adm.AuthorityId = db.authorityID
 
 	dba := &dbAdmin{

diff --git a/authority/admin/db/nosql/nosql.go b/authority/admin/db/nosql/nosql.go
@@ -70,13 +70,7 @@ func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string
 	}
 }
 
-func randID() (val string, err error) {
-	val, err = randutil.UUIDv4()
-	if err != nil {
-		return "", errors.Wrap(err, "error generating random alphanumeric ID")
-	}
-	return val, nil
-}
+func randID() string { return randutil.UUIDv4() }
 
 // Clock that returns time in UTC rounded to seconds.
 type Clock struct{}

diff --git a/authority/admin/db/nosql/provisioner.go b/authority/admin/db/nosql/provisioner.go
@@ -160,11 +160,7 @@ func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error
 
 // CreateProvisioner stores a new provisioner to the database.
 func (db *DB) CreateProvisioner(ctx context.Context, prov *linkedca.Provisioner) error {
-	var err error
-	prov.Id, err = randID()
-	if err != nil {
-		return admin.WrapErrorISE(err, "error generating random id for provisioner")
-	}
+	prov.Id = randID()
 
 	details, err := json.Marshal(prov.Details.GetData())
 	if err != nil {

diff --git a/authority/authorize_test.go b/authority/authorize_test.go
@@ -66,17 +66,12 @@ func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose
 		return "", err
 	}
 
-	id, err := randutil.ASCII(64)
-	if err != nil {
-		return "", err
-	}
-
 	claims := struct {
 		jose.Claims
 		SANS []string `json:"sans"`
 	}{
 		Claims: jose.Claims{
-			ID:        id,
+			ID:        randutil.ASCII(64),
 			Subject:   sub,
 			Issuer:    iss,
 			IssuedAt:  jose.NewNumericDate(iat),
@@ -103,14 +98,9 @@ func generateCustomToken(sub, iss, aud string, jwk *jose.JSONWebKey, extraHeader
 		return "", err
 	}
 
-	id, err := randutil.ASCII(64)
-	if err != nil {
-		return "", err
-	}
-
 	iat := time.Now()
 	claims := jose.Claims{
-		ID:        id,
+		ID:        randutil.ASCII(64),
 		Subject:   sub,
 		Issuer:    iss,
 		IssuedAt:  jose.NewNumericDate(iat),
@@ -967,17 +957,12 @@ func generateSSHToken(sub, iss, aud string, iat time.Time, sshOpts *provisioner.
 		return "", err
 	}
 
-	id, err := randutil.ASCII(64)
-	if err != nil {
-		return "", err
-	}
-
 	claims := struct {
 		jose.Claims
 		Step *stepPayload `json:"step,omitempty"`
 	}{
 		Claims: jose.Claims{
-			ID:        id,
+			ID:        randutil.ASCII(64),
 			Subject:   sub,
 			Issuer:    iss,
 			IssuedAt:  jose.NewNumericDate(iat),

diff --git a/authority/provisioner/nebula_test.go b/authority/provisioner/nebula_test.go
@@ -254,15 +254,12 @@ func mustNebulaToken(t *testing.T, sub, iss, aud string, iat time.Time, sans []s
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: algorithm, Key: key}, so)
 	require.NoError(t, err)
 
-	id, err := randutil.ASCII(64)
-	require.NoError(t, err)
-
 	claims := struct {
 		jose.Claims
 		SANS []string `json:"sans"`
 	}{
 		Claims: jose.Claims{
-			ID:        id,
+			ID:        randutil.ASCII(64),
 			Subject:   sub,
 			Issuer:    iss,
 			IssuedAt:  jose.NewNumericDate(iat),
@@ -290,15 +287,12 @@ func mustNebulaSSHToken(t *testing.T, sub, iss, aud string, iat time.Time, opts
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: algorithm, Key: key}, so)
 	require.NoError(t, err)
 
-	id, err := randutil.ASCII(64)
-	require.NoError(t, err)
-
 	claims := struct {
 		jose.Claims
 		Step *stepPayload `json:"step,omitempty"`
 	}{
 		Claims: jose.Claims{
-			ID:        id,
+			ID:        randutil.ASCII(64),
 			Subject:   sub,
 			Issuer:    iss,
 			IssuedAt:  jose.NewNumericDate(iat),