Update go versions in CI and release

[aarongable]

Update from go1.23.1 to go1.23.6 for our primary CI and release builds. This brings in a few security fixes that aren't directly relevant to us.

Add go1.24.0 to our matrix of CI and release versions, to prepare for switching to this next major version in prod.

[aarongable]

Three classes of errors currently:

1. Lint errors from typecheck, which is expected since golangci-lint doesn't actually support go1.24 yet
2. The best worst kind of error: we're doing something bad in tests to ensure our code stops it, and now go itself won't even let us do the test setup:

--- FAIL: TestFermat (0.00s)
    --- FAIL: TestFermat/innsbruck_printer_(4096_bit,_1_round) (0.54s)
        bad_key_test.go:108: creating CSR: crypto/rsa: |p - q| too small
    --- FAIL: TestFermat/canon_printer_(2048_bit,_1_round) (0.53s)
        bad_key_test.go:108: creating CSR: crypto/rsa: |p - q| too small

--- FAIL: TestTLSALPN01FailIP (0.00s)
    tlsalpn_test.go:138: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01Refused (0.00s)
    tlsalpn_test.go:250: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01TalkingToHTTP (0.00s)
    tlsalpn_test.go:269: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestCertNames (0.00s)
    tlsalpn_test.go:376: Error creating certificate: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01Success (0.00s)
    tlsalpn_test.go:387: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestTLSALPN01ObsoleteFailure (0.00s)
    tlsalpn_test.go:412: Error creating test server: crypto/rsa: p * q != n
--- FAIL: TestValidateTLSALPN01BadChallenge (0.00s)
    tlsalpn_test.go:424: Error creating test server: crypto/rsa: p * q != n

3. And two other things I don't wholly understand yet:

2025/01/23 00:36:53 httptest.Server blocked in Close after 5 seconds, waiting for connections:
  *net.TCPConn 0xc000064560 127.0.0.1:44046 in state active
2025/01/23 00:36:58 http: TLS handshake error from 127.0.0.1:32966: tls: failed to sign handshake: crypto/rsa: p * q != n
2025/01/23 00:36:58 http: TLS handshake error from 127.0.0.1:48694: tls: client requested unsupported application protocols ([acme-tls/1])
2025/01/23 00:36:58 http: TLS handshake error from 127.0.0.1:34920: tls: client requested unsupported application protocols ([acme-tls/1])
--- FAIL: TestValidateTLSALPN01UnawareSrv (0.00s)
panic: httptest: NewTLSServer: x509: malformed certificate [recovered]
	panic: httptest: NewTLSServer: x509: malformed certificate

goroutine 1295 [running]:
testing.tRunner.func1.2({0x116d4e0, 0xc000751430})
	/usr/local/go/src/testing/testing.go:1734 +0x3eb
testing.tRunner.func1()
	/usr/local/go/src/testing/testing.go:1737 +0x696
panic({0x116d4e0?, 0xc000751430?})
	/usr/local/go/src/runtime/panic.go:787 +0x132
net/http/httptest.(*Server).StartTLS(0xc000344620)
	/usr/local/go/src/net/http/httptest/server.go:172 +0xe49
github.com/letsencrypt/boulder/va.tlssniSrvWithNames(0xc0004baa80, {0xc0007512c0, 0x1, 0x1})
	/boulder/va/tlsalpn_test.go:74 +0x4e5
github.com/letsencrypt/boulder/va.TestValidateTLSALPN01UnawareSrv(0xc0004baa80)
	/boulder/va/tlsalpn_test.go:459 +0x87
testing.tRunner(0xc0004baa80, 0x134a110)
	/usr/local/go/src/testing/testing.go:1792 +0x226
created by testing.(*T).Run in goroutine 1
	/usr/local/go/src/testing/testing.go:1851 +0x8f3

--- FAIL: TestCertificatesTableContainsDuplicateSerials (0.11s)
    model_test.go:313: couldn't insert valid certificate: failed to insert *core.Certificate: Error 1048: Column 'der' cannot be null

[aarongable]

I've fixed the |p - q| too small issues. As of https://go-review.googlesource.com/c/go/+/632476, go1.24's FIPS-compliant crypt/rsa package simply refuses to work with the degenerate keys that we were using to integration-test our Fermat code. So I've moved those integration test cases into the unit test instead, which still works.

[aarongable]

I've fixed all the remaining code errors -- all that's left is the golangci-lint failure.

[aarongable]

Updated to go1.23.6 and go1.24.0, now that it's been officially released. Updated golangci-lint to 1.64.0, which supports go1.24.0. Updated staticcheck to 2025.1, which supports go1.24.0. Fixed a lot of lint complaints, and added a new linter which will help us more narrowly target and document our lint exceptions.

Now just waiting on the official go1.24.0 docker image for the release workflows.

[Juneezee]

golang:1.24.0 Docker image is now available https://hub.docker.com/layers/library/golang/1.24.0/images/sha256-b95002399f27188790f0a2b598bee84ae7bfbf1043fb60921da3b81928e303ba

[jsha]

I like the revamped Fermat-factorizable integration test 👍🏻

[jsha]

It looks like you updated the test to also check the case where the cert is signed by a different key, but this comment needs to be updated (it appears to be a copy-paste of the one below).

[jsha]

The public and private key here are eeKey.Public() and issuerKey. Those don't match! I think that's not what this test is intending to test.

[jsha]

above on line 340, you made a change to check the error return; here you left it as _. Probably we should be consistent one way or the other.

[jsha]

Seeing this removal makes me think we could use an improved makeKey() that runs ecdsa.GenerateKey and panics on error. Could save us a few lines of boilerplate here and there.

[jsha]

Since Newf is internal-only, this could be unexported.

Though also I note that the new, constant New() is only used one place; that place could use "%s", inErrMsg instead.