Merge branch 'master' into max/steppath

2025-08-09 03:22:43 +03:00 · 2021-11-17 12:39:07 -08:00
parent 85db9d52ef d2e8ce497d
commit e1ce7de736
60 changed files with 169 additions and 220 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-20.04
    strategy:
      matrix:
-        go: [ '1.15', '1.16', '1.17' ]
+        go: [ '1.16', '1.17' ]
    steps:
      -
        name: Checkout
@@ -26,26 +26,8 @@ jobs:
        name: golangci-lint
        uses: golangci/golangci-lint-action@v2
        with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: 'latest'
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
+          version: 'v1.43.0'
          args: --timeout=30m
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          # only-new-issues: true
-
-          # Optional: if set to true then the action will use pre-installed Go.
-          # skip-go-installation: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true
      -
        name: Test, Build
        id: lintTestBuild
@@ -251,7 +233,7 @@ jobs:
        name: Update Reference
        id: update_refrence
        run: |
-          ./bin/step help --markdown ./docs/step-cli/reference
+          ./bin/step help --markdown ./docs/src/pages/docs/step-cli/reference
          cd ./docs
          git config user.email "eng@smallstep.com"
          git config user.name "Github Action CI"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
    runs-on: ubuntu-20.04
    strategy:
      matrix:
-        go: [ '1.15', '1.16', '1.17' ]
+        go: [ '1.16', '1.17' ]
    steps:
      -
        name: Checkout
@@ -28,26 +28,8 @@ jobs:
        name: golangci-lint
        uses: golangci/golangci-lint-action@v2
        with:
-          # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: 'latest'
-
-          # Optional: working directory, useful for monorepos
-          # working-directory: somedir
-
-          # Optional: golangci-lint command line arguments.
+          version: 'v1.43.0'
          args: --timeout=30m
-
-          # Optional: show only new issues if it's a pull request. The default value is `false`.
-          # only-new-issues: true
-
-          # Optional: if set to true then the action will use pre-installed Go.
-          # skip-go-installation: true
-
-          # Optional: if set to true then the action don't cache or restore ~/go/pkg.
-          # skip-pkg-cache: true
-
-          # Optional: if set to true then the action don't cache or restore ~/.cache/go-build.
-          # skip-build-cache: true
      -
        name: Test, Build
        id: lintTestBuild
@@ -55,7 +37,8 @@ jobs:
      -
        name: Codecov
        uses: codecov/codecov-action@v1.2.1
+        if: matrix.go == '1.17'
        with:
-          file: ./coverage.out # optional
-          name: codecov-umbrella # optional
-          fail_ci_if_error: true # optional (default = false)
+          file: ./coverage.out
+          name: codecov-umbrella
+          fail_ci_if_error: true
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -71,9 +71,3 @@ issues:
    - should have a package comment, unless it's in another file for this package
    - func `CLICommand.
    - error strings should not be capitalized or end with punctuation or a newline
-# golangci.com configuration
-# https://github.com/golangci/golangci/wiki/Configuration
-service:
-  golangci-lint-version: 1.19.x # use the fixed version to not introduce new linters unexpectedly
-  prepare:
-    - echo "here I can run custom commands, but no preparation needed for this repo"
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
 # Step CLI

 [![GitHub release](https://img.shields.io/github/release/smallstep/cli.svg)](https://github.com/smallstep/cli/releases)
-[![CA Image](https://images.microbadger.com/badges/image/smallstep/step-cli.svg)](https://microbadger.com/images/smallstep/step-cli)
 [![Go Report Card](https://goreportcard.com/badge/github.com/smallstep/cli)](https://goreportcard.com/report/github.com/smallstep/cli)
 [![Build Status](https://travis-ci.com/smallstep/cli.svg?branch=master)](https://travis-ci.com/smallstep/cli)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
@@ -10,27 +9,26 @@
 [![GitHub stars](https://img.shields.io/github/stars/smallstep/cli.svg?style=social)](https://github.com/smallstep/cli/stargazers)
 [![Twitter followers](https://img.shields.io/twitter/follow/smallsteplabs.svg?label=Follow&style=social)](https://twitter.com/intent/follow?screen_name=smallsteplabs)

-`step` is a toolkit for working with your *public key infrastructure* (PKI). 
-It's also the client counterpart to the [`step-ca`](https://github.com/smallstep/certificates) online Certificate Authority (CA).
-
-Here's a quick example, combining `step oauth` and `step crypto` to get and verify the signature of a Google OAuth OIDC token:
-
-![Animated terminal showing step in practice](https://smallstep.com/images/blog/2018-08-07-unfurl.gif)
+`step` is an easy-to-use CLI tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows.
+It's the client counterpart to the [`step-ca` online Certificate Authority (CA)](https://github.com/smallstep/certificates).
+You can use it for many common crypto and X.509 operations—independently, or with a CA.

 **Questions? Ask us on [GitHub Discussions](https://github.com/smallstep/certificates/discussions) or [Discord](https://bit.ly/step-discord).**

 [Website](https://smallstep.com) |
 [Documentation](https://smallstep.com/docs/step-cli) |
 [Installation](https://smallstep.com/docs/step-cli/installation) |
-[Getting Started](https://smallstep.com/docs/step-cli/basic-crypto-operations) |
+[Basic Crypto Operations](https://smallstep.com/docs/step-cli/basic-crypto-operations) |
 [Contributor's Guide](./docs/CONTRIBUTING.md)

 ## Features

-Step CLI's command groups illustrate some of its uses:
+Step CLI's command groups illustrate its wide-ranging uses:
+
 - [`step certificate`](https://smallstep.com/docs/step-cli/reference/certificate/): Work with X.509 (TLS/HTTPS) certificates.
  - Create, revoke, validate, lint, and bundle X.509 certificates.
  - Install (and remove) X.509 certificates into your system's (and brower's) trust store.
+  - Validate certificate deployment and renewal status for automation
  - Create key pairs (RSA, ECDSA, EdDSA) and certificate signing requests (CSRs)
  - [Sign CSRs](https://smallstep.com/docs/step-cli/reference/certificate/sign/)
  - Create [RFC5280](https://tools.ietf.org/html/rfc5280) and [CA/Browser Forum](https://cabforum.org/baseline-requirements-documents/)-compliant certificates that work for TLS and HTTPS
@@ -45,6 +43,7 @@ Step CLI's command groups illustrate some of its uses:
  - Securely [distribute root certificates](https://smallstep.com/docs/step-cli/reference/ca/root/) and [bootstrap](https://smallstep.com/docs/step-cli/reference/ca/bootstrap/) PKI relying parties
  - [Renew](https://smallstep.com/docs/step-cli/reference/ca/renew/) and [revoke](https://smallstep.com/docs/step-cli/reference/ca/revoke/) certificates issued by [`step-ca`](https://github.com/smallstep/certificates)
  - [Submit CSRs](https://smallstep.com/docs/step-cli/reference/ca/sign/) to be signed by [`step-ca`](https://github.com/smallstep/certificates)
+  - With an ACME CA, `step` supports the `http-01` challenge type

 - [`step crypto`](https://smallstep.com/docs/step-cli/reference/crypto/): A general-purpose crypto toolkit
  - Work with [JWTs](https://jwt.io) ([RFC7519](https://tools.ietf.org/html/rfc7519)) and [other JOSE constructs](https://datatracker.ietf.org/wg/jose/documents/)
@@ -57,10 +56,12 @@ Step CLI's command groups illustrate some of its uses:
      signing
  - [Apply key derivation functions](https://smallstep.com/docs/step-cli/reference/crypto/kdf/) (KDFs) and [verify passwords](https://smallstep.com/docs/step-cli/reference/crypto/kdf/compare/) using `scrypt`, `bcrypt`, and `argo2`
  - Generate and check [file hashes](https://smallstep.com/docs/step-cli/reference/crypto/hash/)
+
 - [`step oauth`](https://smallstep.com/docs/step-cli/reference/oauth/): Add an OAuth 2.0 single sign-on flow to any CLI application.
  - Supports OAuth authorization code, out-of-band (OOB), JWT bearer, and refresh token flows
  - Get OAuth access tokens and OIDC identity tokens at the command line from any provider.
  - Verify OIDC identity tokens (`step crypto jwt verify`)
+
 - [`step ssh`](https://smallstep.com/docs/step-cli/reference/ssh/): Create and manage SSH certificates (requires an online or offline [`step-ca`](https://github.com/smallstep/certificates) instance)
  - Generate SSH user and host key pairs and short-lived certificates
  - Add and remove certificates to the SSH agent
@@ -71,6 +72,12 @@ Step CLI's command groups illustrate some of its uses:

 See our installation docs [here](https://smallstep.com/docs/step-cli/installation).

+## Example
+
+Here's a quick example, combining `step oauth` and `step crypto` to get and verify the signature of a Google OAuth OIDC token:
+
+![Animated terminal showing step in practice](https://smallstep.com/images/blog/2018-08-07-unfurl.gif)
+
 ## Community

 * Connect with `step` users on [GitHub Discussions](https://github.com/smallstep/certificates/discussions) or [Discord](https://bit.ly/step-discord)
--- a/command/ca/init.go
+++ b/command/ca/init.go
@@ -724,7 +724,7 @@ func promptDeploymentType(ctx *cli.Context, isRA bool) (pki.DeploymentType, erro
 		ui.WithSelectTemplates(&promptui.SelectTemplates{
 			Active:   fmt.Sprintf("%s {{ printf \"%%s - %%s\" .Name .Description | underline }}", ui.IconSelect),
 			Inactive: "  {{ .Name }} - {{ .Description }}",
-			Selected: fmt.Sprintf(`{{ "%s" | green }} {{ "Deployment Type:" | bold }} {{ .Name }}`, ui.IconGood),
+			Selected: fmt.Sprintf(`{{ %q | green }} {{ "Deployment Type:" | bold }} {{ .Name }}`, ui.IconGood),
 		}))
 	if err != nil {
 		return 0, err
--- a/command/ca/provisioner/add.go
+++ b/command/ca/provisioner/add.go
@@ -6,8 +6,8 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"net/url"
+	"os"
 	"strings"

 	"github.com/pkg/errors"
@@ -662,7 +662,7 @@ func addK8sSAProvisioner(ctx *cli.Context, name string, provMap map[string]bool)
 		return nil, errs.RequiredWithFlagValue(ctx, "type", "k8sSA", "pem-keys")
 	}

-	pemKeysB, err := ioutil.ReadFile(pemKeysF)
+	pemKeysB, err := os.ReadFile(pemKeysF)
 	if err != nil {
 		return nil, errors.Wrap(err, "error reading pem keys")
 	}
--- a/command/ca/provisionerbeta/add.go
+++ b/command/ca/provisionerbeta/add.go
@@ -9,8 +9,8 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"net/url"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -473,7 +473,7 @@ func createJWKDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {

 		if ctx.IsSet("private-key") {
 			jwkFile = ctx.String("private-key")
-			b, err := ioutil.ReadFile(jwkFile)
+			b, err := os.ReadFile(jwkFile)
 			if err != nil {
 				return nil, errors.Wrapf(err, "error reading %s", jwkFile)
 			}
@@ -587,7 +587,7 @@ func createK8SSADetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error)
 		return nil, errs.RequiredWithFlagValue(ctx, "type", "k8sSA", "public-key")
 	}

-	pemKeysB, err := ioutil.ReadFile(pemKeysF)
+	pemKeysB, err := os.ReadFile(pemKeysF)
 	if err != nil {
 		return nil, errors.Wrap(err, "error reading pem keys")
 	}
--- a/command/ca/provisionerbeta/update.go
+++ b/command/ca/provisionerbeta/update.go
@@ -9,8 +9,8 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"net/url"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/ca"
@@ -511,7 +511,7 @@ func updateJWKDetails(ctx *cli.Context, p *linkedca.Provisioner) error {

 		if ctx.IsSet("private-key") {
 			jwkFile := ctx.String("private-key")
-			b, err := ioutil.ReadFile(jwkFile)
+			b, err := os.ReadFile(jwkFile)
 			if err != nil {
 				return errors.Wrapf(err, "error reading %s", jwkFile)
 			}
@@ -619,7 +619,7 @@ func updateK8SSADetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 	details := data.K8SSA
 	if ctx.IsSet("public-key") {
 		pemKeysF := ctx.String("public-key")
-		pemKeysB, err := ioutil.ReadFile(pemKeysF)
+		pemKeysB, err := os.ReadFile(pemKeysF)
 		if err != nil {
 			return errors.Wrap(err, "error reading pem keys")
 		}
--- a/command/ca/rekey.go
+++ b/command/ca/rekey.go
@@ -2,8 +2,8 @@ package ca

 import (
 	"crypto"
-	"io/ioutil"
 	"math/rand"
+	"os"
 	"strconv"
 	"strings"
 	"syscall"
@@ -267,7 +267,7 @@ func rekeyCertificateAction(ctx *cli.Context) error {

 	pidFile := ctx.String("pid-file")
 	if len(pidFile) > 0 {
-		pidB, err := ioutil.ReadFile(pidFile)
+		pidB, err := os.ReadFile(pidFile)
 		if err != nil {
 			return errs.FileError(err, pidFile)
 		}
--- a/command/ca/renew.go
+++ b/command/ca/renew.go
@@ -6,7 +6,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"log"
 	"math/rand"
 	"net/http"
@@ -248,7 +247,7 @@ func renewCertificateAction(ctx *cli.Context) error {

 	pidFile := ctx.String("pid-file")
 	if len(pidFile) > 0 {
-		pidB, err := ioutil.ReadFile(pidFile)
+		pidB, err := os.ReadFile(pidFile)
 		if err != nil {
 			return errs.FileError(err, pidFile)
 		}
--- a/command/ca/revoke.go
+++ b/command/ca/revoke.go
@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"strconv"
@@ -405,7 +404,7 @@ func (f *revokeFlow) Revoke(ctx *cli.Context, serial, token string) error {
 	if token == "" {
 		certFile, keyFile := ctx.String("cert"), ctx.String("key")

-		certPEMBytes, err := ioutil.ReadFile(certFile)
+		certPEMBytes, err := os.ReadFile(certFile)
 		if err != nil {
 			return errors.Wrap(err, "error reading certificate")
 		}
--- a/command/certificate/bundle.go
+++ b/command/certificate/bundle.go
@@ -2,7 +2,7 @@ package certificate

 import (
 	"encoding/pem"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/flags"
@@ -55,7 +55,7 @@ func bundleAction(ctx *cli.Context) error {
 	}

 	crtFile := ctx.Args().Get(0)
-	crtBytes, err := ioutil.ReadFile(crtFile)
+	crtBytes, err := os.ReadFile(crtFile)
 	if err != nil {
 		return errs.FileError(err, crtFile)
 	}
@@ -65,7 +65,7 @@ func bundleAction(ctx *cli.Context) error {
 	}

 	caFile := ctx.Args().Get(1)
-	caBytes, err := ioutil.ReadFile(caFile)
+	caBytes, err := os.ReadFile(caFile)
 	if err != nil {
 		return errs.FileError(err, caFile)
 	}
--- a/command/certificate/lint.go
+++ b/command/certificate/lint.go
@@ -3,7 +3,6 @@ package certificate
 import (
 	"encoding/json"
 	"encoding/pem"
-	"io/ioutil"
 	"os"

 	"github.com/pkg/errors"
@@ -117,7 +116,7 @@ func lintAction(ctx *cli.Context) error {
 			Bytes: crt.Raw,
 		}
 	default: // is not URL
-		crtBytes, err := ioutil.ReadFile(crtFile)
+		crtBytes, err := os.ReadFile(crtFile)
 		if err != nil {
 			return errs.FileError(err, crtFile)
 		}
--- a/command/certificate/verify.go
+++ b/command/certificate/verify.go
@@ -3,7 +3,7 @@ package certificate
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/crypto/x509util"
@@ -120,7 +120,7 @@ func verifyAction(ctx *cli.Context) error {
 			intermediatePool.AddCert(pc)
 		}
 	default:
-		crtBytes, err := ioutil.ReadFile(crtFile)
+		crtBytes, err := os.ReadFile(crtFile)
 		if err != nil {
 			return errs.FileError(err, crtFile)
 		}
--- a/command/command.go
+++ b/command/command.go
@@ -3,7 +3,6 @@ package command
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"reflect"
 	"strings"
@@ -63,7 +62,7 @@ func getConfigVars(ctx *cli.Context) error {
 		configFile = step.DefaultsFile()
 	}

-	b, err := ioutil.ReadFile(configFile)
+	b, err := os.ReadFile(configFile)
 	if err != nil {
 		return nil
 	}
--- a/command/crypto/change-pass.go
+++ b/command/crypto/change-pass.go
@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
@@ -109,7 +109,7 @@ func changePassAction(ctx *cli.Context) error {
 		newKeyPath = keyPath
 	}

-	b, err := ioutil.ReadFile(keyPath)
+	b, err := os.ReadFile(keyPath)
 	if err != nil {
 		return errs.FileError(err, keyPath)
 	}
--- a/command/crypto/hash/hash.go
+++ b/command/crypto/hash/hash.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"hash"
 	"io"
-	"io/ioutil"
 	"os"
 	"path"
 	"strings"
@@ -320,7 +319,7 @@ func hashFile(h hash.Hash, filename string) ([]byte, error) {
 //   3. return sum
 func hashDir(hc hashConstructor, dirname string) ([]byte, error) {
 	// ReadDir returns the entries sorted by filename
-	files, err := ioutil.ReadDir(dirname)
+	dirEntries, err := os.ReadDir(dirname)
 	if err != nil {
 		return nil, errs.FileError(err, dirname)
 	}
@@ -336,7 +335,11 @@ func hashDir(hc hashConstructor, dirname string) ([]byte, error) {
 	h := hc()
 	binary.LittleEndian.PutUint32(mode, uint32(st.Mode()))
 	h.Write(mode)
-	for _, fi := range files {
+	for _, dirEntry := range dirEntries {
+		fi, err := dirEntry.Info()
+		if err != nil {
+			return nil, errs.FileError(err, dirEntry.Name())
+		}
 		name := path.Join(dirname, fi.Name())
 		switch {
 		case fi.IsDir():
--- a/command/crypto/jose/jose.go
+++ b/command/crypto/jose/jose.go
@@ -2,7 +2,7 @@ package jose

 import (
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"regexp"
 	"strings"
@@ -65,7 +65,7 @@ $ step crypto jwt sign --key p256.priv.json --iss "joe" --aud "bob" \
 }

 func formatAction(ctx *cli.Context) error {
-	input, err := ioutil.ReadAll(os.Stdin)
+	input, err := io.ReadAll(os.Stdin)
 	if err != nil {
 		return errors.Wrap(err, "error reading input")
 	}
--- a/command/crypto/jwk/keyset.go
+++ b/command/crypto/jwk/keyset.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"syscall"

@@ -124,7 +123,7 @@ func keysetAddAction(ctx *cli.Context) error {
 		return err
 	}

-	b, err := ioutil.ReadAll(os.Stdin)
+	b, err := io.ReadAll(os.Stdin)
 	if err != nil {
 		return errors.Wrap(err, "error reading STDIN")
 	}
@@ -256,7 +255,7 @@ func rwLockKeySet(filename string) (jwks *jose.JSONWebKeySet, writeFunc func(boo

 	// Read key set
 	var b []byte
-	b, err = ioutil.ReadAll(f)
+	b, err = io.ReadAll(f)
 	if err != nil {
 		err = errors.Wrapf(err, "error reading %s", filename)
 		return
--- a/command/crypto/jwk/public.go
+++ b/command/crypto/jwk/public.go
@@ -3,7 +3,7 @@ package jwk
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"

 	"github.com/pkg/errors"
@@ -25,7 +25,7 @@ For examples, see **step help crypto jwk**.`,
 }

 func publicAction(ctx *cli.Context) error {
-	b, err := ioutil.ReadAll(os.Stdin)
+	b, err := io.ReadAll(os.Stdin)
 	if err != nil {
 		return errors.Wrap(err, "error reading from STDIN")
 	}
--- a/command/crypto/jwk/thumbprint.go
+++ b/command/crypto/jwk/thumbprint.go
@@ -5,7 +5,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"

 	"github.com/pkg/errors"
@@ -28,7 +28,7 @@ For examples, see **step help crypto jwk**.`,
 }

 func thumbprintAction(ctx *cli.Context) error {
-	b, err := ioutil.ReadAll(os.Stdin)
+	b, err := io.ReadAll(os.Stdin)
 	if err != nil {
 		return errors.Wrap(err, "error reading from STDIN")
 	}
--- a/command/crypto/jws/sign.go
+++ b/command/crypto/jws/sign.go
@@ -2,7 +2,6 @@ package jws

 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"

@@ -361,7 +360,7 @@ func readPayload(filename string) ([]byte, error) {
 	case "-":
 		return utils.ReadAll(os.Stdin)
 	default:
-		b, err := ioutil.ReadFile(filename)
+		b, err := os.ReadFile(filename)
 		if err != nil {
 			return nil, errs.FileError(err, filename)
 		}
--- a/command/crypto/jwt/sign.go
+++ b/command/crypto/jwt/sign.go
@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 	"time"
@@ -467,7 +466,7 @@ func readPayload(filename string) (interface{}, error) {
 	case "-":
 		r = os.Stdin
 	default:
-		b, err := ioutil.ReadFile(filename)
+		b, err := os.ReadFile(filename)
 		if err != nil {
 			return nil, errs.FileError(err, filename)
 		}
--- a/command/crypto/nacl/auth.go
+++ b/command/crypto/nacl/auth.go
@@ -3,7 +3,7 @@ package nacl
 import (
 	"encoding/hex"
 	"fmt"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/utils"
@@ -107,7 +107,7 @@ func authDigestAction(ctx *cli.Context) error {

 	keyFile := ctx.Args().Get(0)

-	key, err := ioutil.ReadFile(keyFile)
+	key, err := os.ReadFile(keyFile)
 	if err != nil {
 		return errs.FileError(err, keyFile)
 	} else if len(key) != auth.KeySize {
@@ -135,7 +135,7 @@ func authVerifyAction(ctx *cli.Context) error {
 	args := ctx.Args()
 	keyFile, digest := args[0], args[1]

-	key, err := ioutil.ReadFile(keyFile)
+	key, err := os.ReadFile(keyFile)
 	if err != nil {
 		return errs.FileError(err, keyFile)
 	} else if len(key) != auth.KeySize {
--- a/command/crypto/nacl/box.go
+++ b/command/crypto/nacl/box.go
@@ -3,7 +3,6 @@ package nacl
 import (
 	"crypto/rand"
 	"fmt"
-	"io/ioutil"
 	"os"

 	"github.com/pkg/errors"
@@ -248,14 +247,14 @@ func boxOpenAction(ctx *cli.Context) error {
 		return errors.New("nonce cannot be longer than 24 bytes")
 	}

-	pub, err := ioutil.ReadFile(pubFile)
+	pub, err := os.ReadFile(pubFile)
 	if err != nil {
 		return errs.FileError(err, pubFile)
 	} else if len(pub) != 32 {
 		return errors.New("invalid public key: key size is not 32 bytes")
 	}

-	priv, err := ioutil.ReadFile(privFile)
+	priv, err := os.ReadFile(privFile)
 	if err != nil {
 		return errs.FileError(err, privFile)
 	} else if len(priv) != 32 {
@@ -314,14 +313,14 @@ func boxSealAction(ctx *cli.Context) error {
 		return errors.New("nonce cannot be longer than 24 bytes")
 	}

-	pub, err := ioutil.ReadFile(pubFile)
+	pub, err := os.ReadFile(pubFile)
 	if err != nil {
 		return errs.FileError(err, pubFile)
 	} else if len(pub) != 32 {
 		return errors.New("invalid public key: key size is not 32 bytes")
 	}

-	priv, err := ioutil.ReadFile(privFile)
+	priv, err := os.ReadFile(privFile)
 	if err != nil {
 		return errs.FileError(err, privFile)
 	} else if len(priv) != 32 {
--- a/command/crypto/nacl/secretbox.go
+++ b/command/crypto/nacl/secretbox.go
@@ -2,7 +2,6 @@ package nacl

 import (
 	"fmt"
-	"io/ioutil"
 	"os"

 	"github.com/pkg/errors"
@@ -158,7 +157,7 @@ func secretboxOpenAction(ctx *cli.Context) error {
 		return errors.New("nonce cannot be longer than 24 bytes")
 	}

-	key, err := ioutil.ReadFile(keyFile)
+	key, err := os.ReadFile(keyFile)
 	if err != nil {
 		return errs.FileError(err, keyFile)
 	} else if len(key) != 32 {
@@ -216,7 +215,7 @@ func secretboxSealAction(ctx *cli.Context) error {
 		return errors.New("nonce cannot be longer than 24 bytes")
 	}

-	key, err := ioutil.ReadFile(keyFile)
+	key, err := os.ReadFile(keyFile)
 	if err != nil {
 		return errs.FileError(err, keyFile)
 	} else if len(key) != 32 {
--- a/command/crypto/nacl/sign.go
+++ b/command/crypto/nacl/sign.go
@@ -3,7 +3,6 @@ package nacl
 import (
 	"crypto/rand"
 	"fmt"
-	"io/ioutil"
 	"os"

 	"github.com/pkg/errors"
@@ -155,7 +154,7 @@ func signOpenAction(ctx *cli.Context) error {
 	}

 	pubFile := ctx.Args().Get(0)
-	pub, err := ioutil.ReadFile(pubFile)
+	pub, err := os.ReadFile(pubFile)
 	if err != nil {
 		return errs.FileError(err, pubFile)
 	} else if len(pub) != 32 {
@@ -199,7 +198,7 @@ func signSignAction(ctx *cli.Context) error {
 	}

 	privFile := ctx.Args().Get(0)
-	priv, err := ioutil.ReadFile(privFile)
+	priv, err := os.ReadFile(privFile)
 	if err != nil {
 		return errs.FileError(err, privFile)
 	} else if len(priv) != 64 {
--- a/command/crypto/otp/verify.go
+++ b/command/crypto/otp/verify.go
@@ -2,7 +2,6 @@ package otp

 import (
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"strconv"
@@ -89,7 +88,7 @@ func verifyAction(ctx *cli.Context) error {
 		}
 		secretFile = args[0]
 	}
-	b, err := ioutil.ReadFile(secretFile)
+	b, err := os.ReadFile(secretFile)
 	if err != nil {
 		return errs.FileError(err, secretFile)
 	}
--- a/command/crypto/winpe/winpe_test.go
+++ b/command/crypto/winpe/winpe_test.go
@@ -3,17 +3,17 @@ package winpe
 import (
 	"bytes"
 	"encoding/base64"
-	"github.com/smallstep/assert"
 	"io"
-	"io/ioutil"
 	"os"
 	"testing"
+
+	"github.com/smallstep/assert"
 )

 // This test will write the chrome.exe installer into a temporary file
 // Then it will just run the extractPE function.
 func TestExtract(t *testing.T) {
-	tmpfile, err := ioutil.TempFile("", "step-crypto-winpe-extract-chrome.*.exe")
+	tmpfile, err := os.CreateTemp("", "step-crypto-winpe-extract-chrome.*.exe")
 	assert.NoError(t, err)
 	defer os.Remove(tmpfile.Name())
 	defer tmpfile.Close()
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -7,7 +7,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -300,7 +300,7 @@ func oauthCmd(c *cli.Context) error {
 	if c.IsSet("account") {
 		opts.Provider = ""
 		filename := c.String("account")
-		b, err := ioutil.ReadFile(filename)
+		b, err := os.ReadFile(filename)
 		if err != nil {
 			return errors.Wrapf(err, "error reading account from %s", filename)
 		}
@@ -541,7 +541,7 @@ func disco(provider string) (map[string]interface{}, error) {
 		return nil, errors.Wrapf(err, "error retrieving %s", u.String())
 	}
 	defer resp.Body.Close()
-	b, err := ioutil.ReadAll(resp.Body)
+	b, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error retrieving %s", u.String())
 	}
@@ -866,7 +866,7 @@ func (o *oauth) implicitHandler(w http.ResponseWriter, req *http.Request) {
 	w.Write([]byte(`<html><head><title>Processing OAuth Request</title>`))
 	w.Write([]byte(`</head>`))
 	w.Write([]byte(`<script type="text/javascript">`))
-	w.Write([]byte(fmt.Sprintf(`function redirect(){var hash = window.location.hash.substr(1); document.location.href = "%s?urlhash=true&"+hash;}`, o.redirectURI)))
+	fmt.Fprintf(w, `function redirect(){var hash = window.location.hash.substr(1); document.location.href = "%s?urlhash=true&"+hash;}`, o.redirectURI)
 	w.Write([]byte(`if (window.addEventListener) window.addEventListener("load", redirect, false); else if (window.attachEvent) window.attachEvent("onload", redirect); else window.onload = redirect;`))
 	w.Write([]byte("</script>"))
 	w.Write([]byte(`<body><p style='font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 22px; color: #333; width: 400px; margin: 0 auto; text-align: center; line-height: 1.7; padding: 20px;'>`))
--- a/command/ssh/certificate.go
+++ b/command/ssh/certificate.go
@@ -5,8 +5,8 @@ import (
 	"crypto"
 	"crypto/rand"
 	"crypto/x509"
-	"io/ioutil"
 	"net/url"
+	"os"
 	"strings"

 	"github.com/google/uuid"
@@ -492,7 +492,7 @@ func marshalPublicKey(key ssh.PublicKey, subject string) []byte {

 func deriveMachineID() (uuid.UUID, error) {
 	// use /etc/machine-id
-	machineID, err := ioutil.ReadFile("/etc/machine-id")
+	machineID, err := os.ReadFile("/etc/machine-id")
 	if err != nil {
 		return uuid.Nil, err
 	}
--- a/command/ssh/rekey.go
+++ b/command/ssh/rekey.go
@@ -1,7 +1,7 @@
 package ssh

 import (
-	"io/ioutil"
+	"os"
 	"strconv"

 	"github.com/pkg/errors"
@@ -106,7 +106,7 @@ func rekeyAction(ctx *cli.Context) error {
 	}

 	// Load the cert, because we need the serial number.
-	certBytes, err := ioutil.ReadFile(certFile)
+	certBytes, err := os.ReadFile(certFile)
 	if err != nil {
 		return errors.Wrapf(err, "error reading ssh certificate from %s", certFile)
 	}
--- a/command/ssh/renew.go
+++ b/command/ssh/renew.go
@@ -1,7 +1,7 @@
 package ssh

 import (
-	"io/ioutil"
+	"os"
 	"strconv"

 	"github.com/smallstep/certificates/ca/identity"
@@ -28,10 +28,11 @@ func renewCommand() cli.Command {
 [**--issuer**=<name>] [**--password-file**=<file>] [**--force**] [**--offline**]
 [**--ca-config**=<file>] [**--ca-url**=<uri>] [**--root**=<file>]
 [**--context**=<name>]`,
-		Description: `**step ssh renew** command renews an SSH Cerfificate
+		Description: `**step ssh renew** command renews an SSH Host Cerfificate
 using [step certificates](https://github.com/smallstep/certificates).
 It writes the new certificate to disk - either overwriting <ssh-cert> or
-using a new file when the **--out**=<file> flag is used.
+using a new file when the **--out**=<file> flag is used. This command cannot
+be used to renew SSH User Certificates.

 ## POSITIONAL ARGUMENTS

@@ -92,7 +93,7 @@ func renewAction(ctx *cli.Context) error {
 	}

 	// Load the cert, because we need the serial number.
-	certBytes, err := ioutil.ReadFile(certFile)
+	certBytes, err := os.ReadFile(certFile)
 	if err != nil {
 		return errors.Wrapf(err, "error reading ssh certificate from %s", certFile)
 	}
--- a/command/ssh/revoke.go
+++ b/command/ssh/revoke.go
@@ -1,7 +1,7 @@
 package ssh

 import (
-	"io/ioutil"
+	"os"
 	"strconv"

 	"github.com/pkg/errors"
@@ -132,7 +132,7 @@ func revokeAction(ctx *cli.Context) error {
 			return errors.New("--sshpop-cert and --sshpop-key must be supplied if serial number is not supplied as first argument")
 		}
 		// Load the cert, because we need the serial number.
-		certBytes, err := ioutil.ReadFile(certFile)
+		certBytes, err := os.ReadFile(certFile)
 		if err != nil {
 			return errors.Wrapf(err, "error reading ssh certificate from %s", certFile)
 		}
--- a/crypto/keys/clean_test.go
+++ b/crypto/keys/clean_test.go
@@ -1,7 +1,7 @@
 package keys

 import (
-	"io/ioutil"
+	"io"
 	"log"
 	"os"
 	"testing"
@@ -9,7 +9,7 @@ import (

 func TestMain(m *testing.M) {
 	// discard log output when testing
-	log.SetOutput(ioutil.Discard)
+	log.SetOutput(io.Discard)

 	result := m.Run()

--- a/crypto/pemutil/pem.go
+++ b/crypto/pemutil/pem.go
@@ -11,7 +11,6 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"math/big"
 	"os"

@@ -161,7 +160,7 @@ func WithFirstBlock() Options {
 // ReadCertificate returns a *x509.Certificate from the given filename. It
 // supports certificates formats PEM and DER.
 func ReadCertificate(filename string, opts ...Options) (*x509.Certificate, error) {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errs.FileError(err, filename)
 	}
@@ -190,7 +189,7 @@ func ReadCertificate(filename string, opts ...Options) (*x509.Certificate, error
 // filename. It supports certificates formats PEM and DER. If a DER-formatted
 // file is given only one certificate will be returned.
 func ReadCertificateBundle(filename string) ([]*x509.Certificate, error) {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errs.FileError(err, filename)
 	}
@@ -309,7 +308,7 @@ func ParseKey(b []byte, opts ...Options) (interface{}, error) {
 // keys are PKCS#1, PKCS#8, RFC5915 for EC, and base64-encoded DER for
 // certificates and public keys.
 func Read(filename string, opts ...Options) (interface{}, error) {
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errs.FileError(err, filename)
 	}
--- a/crypto/pemutil/pem_test.go
+++ b/crypto/pemutil/pem_test.go
@@ -11,7 +11,6 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/pem"
-	"io/ioutil"
 	"math/big"
 	"os"
 	"reflect"
@@ -125,7 +124,7 @@ var files = map[string]testdata{

 func readOrParseSSH(fn string) (interface{}, error) {
 	if strings.HasPrefix(fn, "testdata/openssh") && strings.HasSuffix(fn, ".pub.pem") {
-		b, err := ioutil.ReadFile(fn)
+		b, err := os.ReadFile(fn)
 		if err != nil {
 			return nil, err
 		}
@@ -288,7 +287,7 @@ func TestParsePEM(t *testing.T) {
 	}
 	tests := map[string]func(t *testing.T) *ParseTest{
 		"success-ecdsa-public-key": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/openssl.p256.pub.pem")
+			b, err := os.ReadFile("testdata/openssl.p256.pub.pem")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -297,7 +296,7 @@ func TestParsePEM(t *testing.T) {
 			}
 		},
 		"success-rsa-public-key": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/openssl.rsa1024.pub.pem")
+			b, err := os.ReadFile("testdata/openssl.rsa1024.pub.pem")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -306,7 +305,7 @@ func TestParsePEM(t *testing.T) {
 			}
 		},
 		"success-rsa-private-key": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/openssl.rsa1024.pem")
+			b, err := os.ReadFile("testdata/openssl.rsa1024.pem")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -315,7 +314,7 @@ func TestParsePEM(t *testing.T) {
 			}
 		},
 		"success-ecdsa-private-key": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/openssl.p256.pem")
+			b, err := os.ReadFile("testdata/openssl.p256.pem")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -324,7 +323,7 @@ func TestParsePEM(t *testing.T) {
 			}
 		},
 		"success-ed25519-private-key": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/pkcs8/openssl.ed25519.pem")
+			b, err := os.ReadFile("testdata/pkcs8/openssl.ed25519.pem")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -333,7 +332,7 @@ func TestParsePEM(t *testing.T) {
 			}
 		},
 		"success-ed25519-enc-private-key": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/pkcs8/openssl.ed25519.enc.pem")
+			b, err := os.ReadFile("testdata/pkcs8/openssl.ed25519.enc.pem")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -342,7 +341,7 @@ func TestParsePEM(t *testing.T) {
 			}
 		},
 		"success-x509-crt": func(t *testing.T) *ParseTest {
-			b, err := ioutil.ReadFile("testdata/ca.crt")
+			b, err := os.ReadFile("testdata/ca.crt")
 			assert.FatalError(t, err)
 			return &ParseTest{
 				in:      b,
@@ -528,7 +527,7 @@ func TestSerialize(t *testing.T) {
 						assert.Equals(t, fileInfo.Mode(), os.FileMode(0600))
 						// Verify that key written to file is correct
 						var keyFileBytes []byte
-						keyFileBytes, err = ioutil.ReadFile(test.file)
+						keyFileBytes, err = os.ReadFile(test.file)
 						assert.FatalError(t, err)
 						pemKey, _ := pem.Decode(keyFileBytes)
 						assert.Equals(t, pemKey.Type, "EC PRIVATE KEY")
@@ -608,9 +607,9 @@ func TestParseDER(t *testing.T) {
 	ecdsaKey := k2.(*ecdsa.PrivateKey)
 	edKey := k3.(ed25519.PrivateKey)
 	// Ed25519 der files
-	edPubDer, err := ioutil.ReadFile("testdata/pkcs8/openssl.ed25519.pub.der")
+	edPubDer, err := os.ReadFile("testdata/pkcs8/openssl.ed25519.pub.der")
 	assert.FatalError(t, err)
-	edPrivDer, err := ioutil.ReadFile("testdata/pkcs8/openssl.ed25519.der")
+	edPrivDer, err := os.ReadFile("testdata/pkcs8/openssl.ed25519.der")
 	assert.FatalError(t, err)

 	toDER := func(k interface{}) []byte {
@@ -671,7 +670,7 @@ func TestParseKey(t *testing.T) {
 			continue
 		}
 		t.Run(fn, func(t *testing.T) {
-			data, err := ioutil.ReadFile(fn)
+			data, err := os.ReadFile(fn)
 			assert.FatalError(t, err)
 			if td.encrypted {
 				key, err = ParseKey(data, WithPassword([]byte("mypassword")))
@@ -731,7 +730,7 @@ func TestParseSSH(t *testing.T) {
 			continue
 		}
 		t.Run(fn, func(t *testing.T) {
-			data, err := ioutil.ReadFile(fn)
+			data, err := os.ReadFile(fn)
 			assert.FatalError(t, err)
 			key, err = ParseSSH(data)
 			assert.FatalError(t, err)
--- a/crypto/pemutil/pkcs8_test.go
+++ b/crypto/pemutil/pkcs8_test.go
@@ -4,7 +4,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rand"
 	"crypto/x509"
-	"io/ioutil"
+	"os"
 	"reflect"
 	"testing"

@@ -19,7 +19,7 @@ func TestEncryptDecryptPKCS8(t *testing.T) {
 			continue
 		}

-		data, err := ioutil.ReadFile(fn)
+		data, err := os.ReadFile(fn)
 		assert.FatalError(t, err)

 		key1, err := Parse(data)
@@ -74,7 +74,7 @@ func TestMarshalPKIXPublicKey(t *testing.T) {
 	assert.FatalError(t, err)
 	edKey, err := Read("testdata/pkcs8/openssl.ed25519.pem")
 	assert.FatalError(t, err)
-	edPubDer, err := ioutil.ReadFile("testdata/pkcs8/openssl.ed25519.pub.der")
+	edPubDer, err := os.ReadFile("testdata/pkcs8/openssl.ed25519.pub.der")
 	assert.FatalError(t, err)

 	type args struct {
@@ -118,7 +118,7 @@ func TestMarshalPKCS8PrivateKey(t *testing.T) {
 	assert.FatalError(t, err)
 	edKey, err := Read("testdata/pkcs8/openssl.ed25519.pem")
 	assert.FatalError(t, err)
-	edPrivDer, err := ioutil.ReadFile("testdata/pkcs8/openssl.ed25519.der")
+	edPrivDer, err := os.ReadFile("testdata/pkcs8/openssl.ed25519.der")
 	assert.FatalError(t, err)

 	type args struct {
--- a/crypto/x509util/clean_test.go
+++ b/crypto/x509util/clean_test.go
@@ -1,7 +1,7 @@
 package x509util

 import (
-	"io/ioutil"
+	"io"
 	"log"
 	"os"
 	"testing"
@@ -9,7 +9,7 @@ import (

 func TestMain(m *testing.M) {
 	// discard log output when testing
-	log.SetOutput(ioutil.Discard)
+	log.SetOutput(io.Discard)

 	result := m.Run()

--- a/crypto/x509util/crt.go
+++ b/crypto/x509util/crt.go
@@ -6,7 +6,6 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/pem"
-	"io/ioutil"
 	"net"
 	"net/url"
 	"os"
@@ -94,7 +93,7 @@ func ReadCertPool(path string) (*x509.CertPool, error) {
 		pool  = x509.NewCertPool()
 	)
 	if info != nil && info.IsDir() {
-		finfos, err := ioutil.ReadDir(path)
+		finfos, err := os.ReadDir(path)
 		if err != nil {
 			return nil, errs.FileError(err, path)
 		}
@@ -110,7 +109,7 @@ func ReadCertPool(path string) (*x509.CertPool, error) {

 	var pems []byte
 	for _, f := range files {
-		bytes, err := ioutil.ReadFile(f)
+		bytes, err := os.ReadFile(f)
 		if err != nil {
 			return nil, errs.FileError(err, f)
 		}
--- a/crypto/x509util/crt_test.go
+++ b/crypto/x509util/crt_test.go
@@ -3,9 +3,9 @@ package x509util
 import (
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"net"
 	"net/url"
+	"os"
 	"testing"

 	"github.com/smallstep/assert"
@@ -51,7 +51,7 @@ func TestEncodedFingerprint(t *testing.T) {
 }

 func mustParseCertificate(t *testing.T, filename string) *x509.Certificate {
-	pemData, err := ioutil.ReadFile(filename)
+	pemData, err := os.ReadFile(filename)
 	if err != nil {
 		t.Fatalf("failed to read %s: %v", filename, err)
 	}
--- a/crypto/x509util/identity.go
+++ b/crypto/x509util/identity.go
@@ -2,7 +2,7 @@ package x509util

 import (
 	"crypto/x509"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/crypto/pemutil"
@@ -30,7 +30,7 @@ func LoadIdentityFromDisk(crtPath, keyPath string, pemOpts ...pemutil.Options) (
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
-	keyBytes, err := ioutil.ReadFile(keyPath)
+	keyBytes, err := os.ReadFile(keyPath)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
--- a/crypto/x509util/profile_test.go
+++ b/crypto/x509util/profile_test.go
@@ -11,9 +11,9 @@ import (
 	"crypto/x509/pkix"
 	"encoding/asn1"
 	"encoding/pem"
-	"io/ioutil"
 	"net"
 	"net/url"
+	"os"
 	"reflect"
 	"testing"

@@ -24,7 +24,7 @@ import (
 func mustParseRSAKey(t *testing.T, filename string) *rsa.PrivateKey {
 	t.Helper()

-	b, err := ioutil.ReadFile("test_files/noPasscodeCa.key")
+	b, err := os.ReadFile("test_files/noPasscodeCa.key")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -41,7 +41,7 @@ func mustParseRSAKey(t *testing.T, filename string) *rsa.PrivateKey {

 func decodeCertificateFile(t *testing.T, filename string) *x509.Certificate {
 	t.Helper()
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/exec/exec.go
+++ b/exec/exec.go
@@ -3,7 +3,6 @@ package exec
 import (
 	"bytes"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"os/signal"
@@ -30,7 +29,7 @@ func LookPath(file string) (string, error) {
 // "Official" way of detecting WSL
 // https://github.com/Microsoft/WSL/issues/423#issuecomment-221627364
 func IsWSL() bool {
-	b, err := ioutil.ReadFile("/proc/sys/kernel/osrelease")
+	b, err := os.ReadFile("/proc/sys/kernel/osrelease")
 	if err != nil {
 		return false
 	}
@@ -85,7 +84,8 @@ func RunWithPid(pidFile, name string, arg ...string) {
 	}

 	// Write pid
-	f.Write([]byte(strconv.Itoa(cmd.Process.Pid)))
+	f.WriteString(strconv.Itoa(cmd.Process.Pid))
+
 	f.Close()

 	// Wait until it finishes
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/smallstep/cli

-go 1.13
+go 1.16

 require (
 	github.com/Microsoft/go-winio v0.4.14
--- a/integration/help_quality_test.go
+++ b/integration/help_quality_test.go
@@ -5,7 +5,7 @@ package integration
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"sort"
 	"strings"
 	"testing"
@@ -18,7 +18,7 @@ func TestHelpQuality(t *testing.T) {
 	cmd := NewCLICommand().setCommand("../bin/step help").setFlag("html", "./html").setFlag("report", "")
 	cmd.run()

-	raw, _ := ioutil.ReadFile("./html/report.json")
+	raw, _ := os.ReadFile("./html/report.json")
 	var report *usage.Report
 	json.Unmarshal([]byte(raw), &report)

--- a/integration/jwk_test.go
+++ b/integration/jwk_test.go
@@ -6,7 +6,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strconv"
 	"testing"
@@ -82,7 +81,7 @@ func (j JWKTest) test(t *testing.T, msg ...interface{}) (CLIOutput, string) {
 }

 func (j JWKTest) readJson(t *testing.T, name string) map[string]interface{} {
-	dat, err := ioutil.ReadFile(name)
+	dat, err := os.ReadFile(name)
 	assert.FatalError(t, err)
 	m := make(map[string]interface{})
 	assert.FatalError(t, json.Unmarshal(dat, &m))
@@ -256,7 +255,7 @@ func isJWE(m map[string]interface{}) bool {
 }

 func (j JWKTest) decryptJWEPayload(t *testing.T, password string) map[string]interface{} {
-	dat, err := ioutil.ReadFile(j.prvfile)
+	dat, err := os.ReadFile(j.prvfile)
 	assert.FatalError(t, err)
 	enc, err := jose.ParseEncrypted(string(dat))
 	assert.FatalError(t, err)
--- a/integration/jwt_test.go
+++ b/integration/jwt_test.go
@@ -9,9 +9,9 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"math"
 	"math/rand"
+	"os"
 	"os/exec"
 	"reflect"
 	"regexp"
@@ -38,7 +38,7 @@ type JWK struct {

 func (j JWK) jwk() (*jose.JSONWebKey, error) {
 	jwk := new(jose.JSONWebKey)
-	b, err := ioutil.ReadFile(j.prvfile)
+	b, err := os.ReadFile(j.prvfile)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +67,7 @@ func (j JWK) pem() (string, error) {
 }

 func readJSON(name string) (map[string]interface{}, error) {
-	dat, err := ioutil.ReadFile(name)
+	dat, err := os.ReadFile(name)
 	if err != nil {
 		return nil, err
 	}
@@ -696,11 +696,11 @@ func TestCryptoJWT(t *testing.T) {
 			// We don't currently support JSON Serialization, Flattened JSON Serialzation, or multiple signatures
 			// TODO: Right now these are parse failures. They should probably parse correctly and give more helpful error messages.
 			vtst := NewJWTVerifyTest(JWK{"testdata/rsa2048.pub", "testdata/rsa2048.pem", "", true, false}).setFlag("iss", "foo").setFlag("aud", "bar").setFlag("alg", "RS256")
-			jwtb, _ := ioutil.ReadFile("testdata/jwt-json-serialization.json")
+			jwtb, _ := os.ReadFile("testdata/jwt-json-serialization.json")
 			vtst.fail(t, "json-serialization", string(jwtb), "error parsing token: unexpected end of JSON input\n")
-			jwtb, _ = ioutil.ReadFile("testdata/jwt-json-serialization-flattened.json")
+			jwtb, _ = os.ReadFile("testdata/jwt-json-serialization-flattened.json")
 			vtst.fail(t, "json-serialization-flattened", string(jwtb), "error parsing token: unexpected end of JSON input\n")
-			jwtb, _ = ioutil.ReadFile("testdata/jwt-json-serialization-multi.json")
+			jwtb, _ = os.ReadFile("testdata/jwt-json-serialization-multi.json")
 			vtst.fail(t, "json-serialization-multi", string(jwtb), "error parsing token: unexpected end of JSON input\n")
 		})

--- a/jose/generate_test.go
+++ b/jose/generate_test.go
@@ -8,7 +8,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"math/big"
 	"os"
 	"testing"
@@ -216,7 +215,7 @@ func newCert(t *testing.T, keyUsage x509.KeyUsage) []byte {
 }

 func tempFile(t *testing.T) (_ *os.File, cleanup func()) {
-	f, err := ioutil.TempFile("" /* use default tmp dir */, "jose-generate-test")
+	f, err := os.CreateTemp("" /* use default tmp dir */, "jose-generate-test")
 	assert.NoError(t, err)
 	return f, func() {
 		f.Close()
--- a/jose/parse.go
+++ b/jose/parse.go
@@ -11,8 +11,9 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
+	"os"
 	"strings"
 	"time"

@@ -89,7 +90,7 @@ func ParseKey(filename string, opts ...Option) (*JSONWebKey, error) {
 		return nil, err
 	}

-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error reading %s", filename)
 	}
@@ -164,13 +165,13 @@ func ReadJWKSet(filename string) ([]byte, error) {
 			return nil, errors.Wrapf(err, "error retrieving %s", filename)
 		}
 		defer resp.Body.Close()
-		b, err := ioutil.ReadAll(resp.Body)
+		b, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return nil, errors.Wrapf(err, "error retrieving %s", filename)
 		}
 		return b, nil
 	}
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error reading %s", filename)
 	}
--- a/jose/validate.go
+++ b/jose/validate.go
@@ -8,7 +8,7 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
+	"os"

 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/crypto/keys"
@@ -22,7 +22,7 @@ func ValidateSSHPOP(certFile string, key interface{}) (string, error) {
 	if certFile == "" {
 		return "", errors.New("ssh certfile cannot be empty")
 	}
-	certBytes, err := ioutil.ReadFile(certFile)
+	certBytes, err := os.ReadFile(certFile)
 	if err != nil {
 		return "", errors.Wrapf(err, "error reading ssh certificate from %s", certFile)
 	}
--- a/pkg/blackfriday/helpers_test.go
+++ b/pkg/blackfriday/helpers_test.go
@@ -14,7 +14,7 @@
 package blackfriday

 import (
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"regexp"
 	"testing"
@@ -151,7 +151,7 @@ func doTestsReference(t *testing.T, files []string, flag Extensions) {
 	execRecoverableTestSuite(t, files, params, func(candidate *string) {
 		for _, basename := range files {
 			filename := filepath.Join("testdata", basename+".text")
-			inputBytes, err := ioutil.ReadFile(filename)
+			inputBytes, err := os.ReadFile(filename)
 			if err != nil {
 				t.Errorf("Couldn't open '%s', error: %v\n", filename, err)
 				continue
@@ -159,7 +159,7 @@ func doTestsReference(t *testing.T, files []string, flag Extensions) {
 			input := string(inputBytes)

 			filename = filepath.Join("testdata", basename+".html")
-			expectedBytes, err := ioutil.ReadFile(filename)
+			expectedBytes, err := os.ReadFile(filename)
 			if err != nil {
 				t.Errorf("Couldn't open '%s', error: %v\n", filename, err)
 				continue
--- a/pkg/blackfriday/ref_test.go
+++ b/pkg/blackfriday/ref_test.go
@@ -14,7 +14,7 @@
 package blackfriday

 import (
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"testing"
 )
@@ -108,7 +108,7 @@ func BenchmarkReference(b *testing.B) {
 	var tests []string
 	for _, basename := range files {
 		filename := filepath.Join("testdata", basename+".text")
-		inputBytes, err := ioutil.ReadFile(filename)
+		inputBytes, err := os.ReadFile(filename)
 		if err != nil {
 			b.Errorf("Couldn't open '%s', error: %v\n", filename, err)
 			continue
--- a/ui/templates.go
+++ b/ui/templates.go
@@ -44,7 +44,7 @@ func init() {

 // PrintSelectedTemplate returns the default template used in PrintSelected.
 func PrintSelectedTemplate() string {
-	return fmt.Sprintf(`{{ "%s" | green }} {{ .Name | bold }}{{ ":" | bold }} {{ .Value }}`, IconGood) + "\n"
+	return fmt.Sprintf(`{{ %q | green }} {{ .Name | bold }}{{ ":" | bold }} {{ .Value }}`, IconGood) + "\n"
 }

 // PromptTemplates is the default style for a prompt.
@@ -76,7 +76,7 @@ func SelectTemplates(name string) *promptui.SelectTemplates {
 		Label:    fmt.Sprintf("%s {{ . }}: ", IconInitial),
 		Active:   fmt.Sprintf("%s {{ . | underline }}", IconSelect),
 		Inactive: "  {{ . }}",
-		Selected: fmt.Sprintf(`{{ "%s" | green }} {{ "%s:" | bold }} {{ .Name }}`, IconGood, name),
+		Selected: fmt.Sprintf(`{{ %q | green }} {{ "%s:" | bold }} {{ .Name }}`, IconGood, name),
 	}
 }

@@ -88,6 +88,6 @@ func NamedSelectTemplates(name string) *promptui.SelectTemplates {
 		Label:    fmt.Sprintf("%s {{.Name}}: ", IconInitial),
 		Active:   fmt.Sprintf("%s {{ .Name | underline }}", IconSelect),
 		Inactive: "  {{.Name}}",
-		Selected: fmt.Sprintf(`{{ "%s" | green }} {{ "%s:" | bold }} {{ .Name }}`, IconGood, name),
+		Selected: fmt.Sprintf(`{{ %q | green }} {{ "%s:" | bold }} {{ .Name }}`, IconGood, name),
 	}
 }
--- a/usage/html.go
+++ b/usage/html.go
@@ -2,7 +2,6 @@ package usage

 import (
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"path"
@@ -122,7 +121,7 @@ func htmlHelpAction(ctx *cli.Context) error {

 	// css style
 	cssFile := path.Join(dir, "style.css")
-	if err := ioutil.WriteFile(cssFile, []byte(css), 0666); err != nil {
+	if err := os.WriteFile(cssFile, []byte(css), 0666); err != nil {
 		return errs.FileError(err, cssFile)
 	}

--- a/utils/cautils/acmeutils.go
+++ b/utils/cautils/acmeutils.go
@@ -8,7 +8,6 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"strings"
@@ -127,7 +126,7 @@ func (wm *webrootMode) Run() error {
 		}
 	}

-	return errors.Wrapf(ioutil.WriteFile(fmt.Sprintf("%s/%s", chPath, wm.token), []byte(keyAuth), 0644),
+	return errors.Wrapf(os.WriteFile(fmt.Sprintf("%s/%s", chPath, wm.token), []byte(keyAuth), 0644),
 		"error writing key authorization file %s", chPath+wm.token)
 }

--- a/utils/cautils/token_generator.go
+++ b/utils/cautils/token_generator.go
@@ -5,7 +5,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"strings"
 	"time"
@@ -149,7 +148,7 @@ func generateK8sSAToken(ctx *cli.Context, p *provisioner.K8sSA) (string, error)
 	if path == "" {
 		path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 	}
-	tokBytes, err := ioutil.ReadFile(path)
+	tokBytes, err := os.ReadFile(path)
 	if err != nil {
 		return "", errors.Wrap(err, "error reading kubernetes service account token")
 	}
--- a/utils/read.go
+++ b/utils/read.go
@@ -4,7 +4,6 @@ import (
 	"bufio"
 	"bytes"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 	"unicode"
@@ -34,7 +33,7 @@ func FileExists(path string) bool {

 // ReadAll returns a slice of bytes with the content of the given reader.
 func ReadAll(r io.Reader) ([]byte, error) {
-	b, err := ioutil.ReadAll(r)
+	b, err := io.ReadAll(r)
 	return b, errors.Wrap(err, "error reading data")
 }

@@ -51,7 +50,7 @@ func ReadString(r io.Reader) (string, error) {
 // ReadPasswordFromFile reads and returns the password from the given filename.
 // The contents of the file will be trimmed at the right.
 func ReadPasswordFromFile(filename string) ([]byte, error) {
-	password, err := ioutil.ReadFile(filename)
+	password, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, errs.FileError(err, filename)
 	}
@@ -89,9 +88,9 @@ func ReadInput(prompt string) ([]byte, error) {
 func ReadFile(name string) (b []byte, err error) {
 	if name == stdinFilename {
 		name = "/dev/stdin"
-		b, err = ioutil.ReadAll(stdin)
+		b, err = io.ReadAll(stdin)
 	} else {
-		b, err = ioutil.ReadFile(name)
+		b, err = os.ReadFile(name)
 	}
 	if err != nil {
 		return nil, errs.FileError(err, name)
--- a/utils/read_test.go
+++ b/utils/read_test.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"reflect"
 	"testing"
@@ -30,7 +29,7 @@ func setStdin(f *os.File) (cleanup func()) {

 // Returns a temp file and a cleanup function to delete it.
 func newFile(t *testing.T, data []byte) (file *os.File, cleanup func()) {
-	f, err := ioutil.TempFile("" /* dir */, "utils-read-test")
+	f, err := os.CreateTemp("" /* dir */, "utils-read-test")
 	require.NoError(t, err)
 	// write to temp file and reset read cursor to beginning of file
 	_, err = f.Write(data)
--- a/utils/write.go
+++ b/utils/write.go
@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"strings"
 	"time"
@@ -32,19 +31,19 @@ var (
 	SnippetFooter = "# end"
 )

-// WriteFile wraps ioutil.WriteFile with a prompt to overwrite a file if
+// WriteFile wraps os.WriteFile with a prompt to overwrite a file if
 // the file exists. It returns ErrFileExists if the user picks to not overwrite
 // the file. If force is set to true, the prompt will not be presented and the
 // file if exists will be overwritten.
 func WriteFile(filename string, data []byte, perm os.FileMode) error {
 	if command.IsForce() {
-		return ioutil.WriteFile(filename, data, perm)
+		return os.WriteFile(filename, data, perm)
 	}

 	st, err := os.Stat(filename)
 	if err != nil {
 		if os.IsNotExist(err) {
-			return ioutil.WriteFile(filename, data, perm)
+			return os.WriteFile(filename, data, perm)
 		}
 		return errors.Wrapf(err, "error reading information for %s", filename)
 	}
@@ -63,7 +62,7 @@ func WriteFile(filename string, data []byte, perm os.FileMode) error {
 		return ErrFileExists
 	}

-	return ioutil.WriteFile(filename, data, perm)
+	return os.WriteFile(filename, data, perm)
 }

 // AppendNewLine appends the given data at the end of the file. If the last
@@ -97,7 +96,7 @@ func WriteSnippet(filename string, data []byte, perm os.FileMode) error {
 	}

 	// Read file contents
-	b, err := ioutil.ReadFile(filename)
+	b, err := os.ReadFile(filename)
 	if err != nil && !os.IsNotExist(err) {
 		return errs.FileError(err, filename)
 	}