feat: Support JWT Assertion Grant Floew

With the release of UAA 76.23.0, Cloud Foundry support JWT Assertion Grant Flow
Refer:
- [What is JWT Bearer flow](https://docs.secureauth.com/ciam/en/using-jwt-profile-for-oauth-2-0-authorization-flows.html)
- [UAA](https://docs.cloudfoundry.org/api/uaa/version/77.34.0/index.html#jwt-bearer-token-grant)
- [RFC-7523](https://datatracker.ietf.org/doc/html/rfc7523)

In this PR:
- Basic code refactoring
- Add `assertion_token` field for the provider
- Add case for creating session with assertion token
- Add example in Authentication Docs
- Update go mod to the latest version of the go-cfclient fork
  Replace this in future to the main go-cfclient library when [fork not needed](cloudfoundry/go-cfclient#477)

Author: vipinvkmenon

Authentication.md

@@ -30,6 +30,25 @@ provider "cloudfoundry" {
 }
 ```
 
+## OAuth JWT Assertion Bearer Flow
+
+Use the env variable `CF_ASSERTION_TOKEN`. Typically for cloudfoundry, this login also would use a custom `origin` (unless the default `origin` is configured to support this method)
+
+Refer [this document](https://docs.secureauth.com/ciam/en/using-jwt-profile-for-oauth-2-0-authorization-flows.html) to understand the JWT Assertion Bearer Flow.
+
+This flow can be used in automated scenarios where the OIDC provider that is trusted by UAA has a secure means of providing assertion tokens. These tokens are short lived. 
+
+A typical example would be using the the Open-ID Connect feature of [github](https://docs.github.com/en/actions/concepts/security/openid-connect) 
+In this scenario, an `origin` in UAA would be configured to use Github OIDC as an [identity provider](https://docs.cloudfoundry.org/uaa/identity-providers.html#oidc). Refer this [blog](https://community.sap.com/t5/technology-blog-posts-by-sap/authenticating-github-actions-workflows-deploying-to-the-sap-btp-cloud/ba-p/14075047) where a similar setup is done with the cf cli. **Similarly**, the terraform provider can then use assertion tokens provided by github in a github action to login to Cloud Foundry with that specific `origin`
+
+```hcl
+provider "cloudfoundry" {
+    api_url = "<CF-API-URL>"
+    cf_client_id = "<CF-ASSERTION-TOKEN>"
+    origin = "<CF-ORIGIN>"
+}
+```
+
 ## Using cf-cli configuration.
 
 If you have installed the [cf-cli](https://docs.cloudfoundry.org/cf-cli/) and have [logged into the environment](https://docs.cloudfoundry.org/cf-cli/getting-started.html#login), the the cloudfoundry terraform provider can use the default configuration of the cf-cli (present in `~/.cf` folder) to connect to the environment.

cloudfoundry/provider/fixtures/provider.assertion_token.yaml

@@ -23,6 +23,7 @@ type CloudFoundryProviderConfig struct {
 	Origin            string
 	AccessToken       string
 	RefreshToken      string
+	AssertionToken    string
 }
 
 type Session struct {
@@ -52,19 +53,22 @@ func (c *CloudFoundryProviderConfig) NewSession(httpClient *http.Client, req pro
 	if c.SkipSslValidation {
 		opts = append(opts, config.SkipTLSValidation())
 	}
+	if c.Origin != "" {
+		opts = append(opts, config.Origin(c.Origin))
+	}
 	switch {
 	case c.User != "" && c.Password != "":
 		opts = append(opts, config.UserPassword(c.User, c.Password))
-		if c.Origin != "" {
-			opts = append(opts, config.Origin(c.Origin))
-		}
 		cfg, err = config.New(c.Endpoint, opts...)
 	case c.CFClientID != "" && c.CFClientSecret != "":
 		opts = append(opts, config.ClientCredentials(c.CFClientID, c.CFClientSecret))
 		cfg, err = config.New(c.Endpoint, opts...)
 	case c.AccessToken != "":
 		opts = append(opts, config.Token(c.AccessToken, c.RefreshToken))
 		cfg, err = config.New(c.Endpoint, opts...)
+	case c.AssertionToken != "":
+		opts = append(opts, config.JWTBearerAssertion(c.AssertionToken))
+		cfg, err = config.New(c.Endpoint, opts...)
 	default:
 		cfg, err = config.NewFromCFHome(opts...)
 	}

cloudfoundry/provider/managers/session.go

@@ -37,6 +37,7 @@ type CloudFoundryProviderModel struct {
 	Origin            types.String `tfsdk:"origin"`
 	AccessToken       types.String `tfsdk:"access_token"`
 	RefreshToken      types.String `tfsdk:"refresh_token"`
+	AssertionToken    types.String `tfsdk:"assertion_token"`
 }
 
 func (p *CloudFoundryProvider) Metadata(ctx context.Context, req provider.MetadataRequest, resp *provider.MetadataResponse) {
@@ -112,6 +113,14 @@ func (p *CloudFoundryProvider) Schema(ctx context.Context, req provider.SchemaRe
 					stringvalidator.LengthAtLeast(1),
 				},
 			},
+			"assertion_token": schema.StringAttribute{
+				MarkdownDescription: "OAuth JWT assertion token. Used for OAuth 2.0 JWT Bearer Assertion Grant flow to authenticate with Cloud Foundry. Typically used with a custom origin.",
+				Optional:            true,
+				Sensitive:           true,
+				Validators: []validator.String{
+					stringvalidator.LengthAtLeast(1),
+				},
+			},
 		},
 	}
 }
@@ -134,7 +143,7 @@ func addTypeCastAttributeError(resp *provider.ConfigureResponse, expectedType st
 func checkConfigUnknown(config *CloudFoundryProviderModel, resp *provider.ConfigureResponse) {
 	_, cfconfigerr := cfconfig.NewFromCFHome()
 
-	anyParamExists := !config.User.IsUnknown() || !config.Password.IsUnknown() || !config.CFClientID.IsUnknown() || !config.CFClientSecret.IsUnknown() || !config.AccessToken.IsUnknown()
+	anyParamExists := !config.User.IsUnknown() || !config.Password.IsUnknown() || !config.CFClientID.IsUnknown() || !config.CFClientSecret.IsUnknown() || !config.AccessToken.IsUnknown() || !config.RefreshToken.IsUnknown() || !config.AssertionToken.IsUnknown()
 
 	/*
 		There can be 3 cases of error:
@@ -162,27 +171,30 @@ func checkConfigUnknown(config *CloudFoundryProviderModel, resp *provider.Config
 	}
 }
 
-func checkConfig(resp *provider.ConfigureResponse, endpoint string, user string, password string, cfclientid string, cfclientsecret string, accesstoken string) {
+func checkConfig(resp *provider.ConfigureResponse, config managers.CloudFoundryProviderConfig) {
 	_, cfconfigerr := cfconfig.NewFromCFHome()
 
-	anyParamExists := user != "" || password != "" || cfclientid != "" || cfclientsecret != "" || accesstoken != ""
-
-	if (endpoint == "" && anyParamExists) || (endpoint != "" && !anyParamExists) || (!anyParamExists && cfconfigerr != nil) {
+	anyParamExists := config.User != "" || config.Password != "" || config.CFClientID != "" || config.CFClientSecret != "" || config.AccessToken != "" || config.RefreshToken != "" || config.AssertionToken != ""
+	// There can be 3 cases of error:
+	// 1. If endpoint is empty and any other parameter is set
+	// 2. If endpoint is set and all other parameter is empty
+	// 3. If all parameters are empty and CF config is not correctly set
+	if (config.Endpoint == "" && anyParamExists) || (config.Endpoint != "" && !anyParamExists) || (!anyParamExists && cfconfigerr != nil) {
 		resp.Diagnostics.AddError(
 			"Unable to create CF Client due to missing values",
 			"Either user/password or client_id/client_secret or access_token must be set with api_url or CF config must exist in path (default ~/.cf/config.json)",
 		)
 	}
 
-	if endpoint != "" {
+	if config.Endpoint != "" {
 		switch {
-		case user == "" && password != "":
+		case config.User == "" && config.Password != "":
 			addGenericAttributeError(resp, "Missing", "user", "Username", "CF_USER")
-		case user != "" && password == "":
+		case config.User != "" && config.Password == "":
 			addGenericAttributeError(resp, "Missing", "password", "Password", "CF_PASSWORD")
-		case cfclientid == "" && cfclientsecret != "":
+		case config.CFClientID == "" && config.CFClientSecret != "":
 			addGenericAttributeError(resp, "Missing", "cf_client_id", "Client ID", "CF_CLIENT_ID")
-		case cfclientid != "" && cfclientsecret == "":
+		case config.CFClientID != "" && config.CFClientSecret == "":
 			addGenericAttributeError(resp, "Missing", "cf_client_secret", " Client Secret", "CF_CLIENT_SECRET")
 		}
 	}
@@ -192,67 +204,63 @@ func getAndSetProviderValues(config *CloudFoundryProviderModel, resp *provider.C
 	// Default values to environment variables, but override
 	// with Terraform configuration value if set.
 
-	endpoint := os.Getenv("CF_API_URL")
-	user := os.Getenv("CF_USER")
-	password := os.Getenv("CF_PASSWORD")
-	origin := os.Getenv("CF_ORIGIN")
-	cfclientid := os.Getenv("CF_CLIENT_ID")
-	cfclientsecret := os.Getenv("CF_CLIENT_SECRET")
-	cfaccesstoken := os.Getenv("CF_ACCESS_TOKEN")
-	cfrefreshtoken := os.Getenv("CF_REFRESH_TOKEN")
+	c := managers.CloudFoundryProviderConfig{
+		Endpoint:       os.Getenv("CF_API_URL"),
+		User:           os.Getenv("CF_USER"),
+		Password:       os.Getenv("CF_PASSWORD"),
+		CFClientID:     os.Getenv("CF_CLIENT_ID"),
+		CFClientSecret: os.Getenv("CF_CLIENT_SECRET"),
+		Origin:         os.Getenv("CF_ORIGIN"),
+		AccessToken:    os.Getenv("CF_ACCESS_TOKEN"),
+		RefreshToken:   os.Getenv("CF_REFRESH_TOKEN"),
+		AssertionToken: os.Getenv("CF_ASSERTION_TOKEN"),
+	}
 
-	var skipsslvalidation bool
 	var err error
 	if os.Getenv("CF_SKIP_SSL_VALIDATION") != "" {
-		skipsslvalidation, err = strconv.ParseBool(os.Getenv("CF_SKIP_SSL_VALIDATION"))
+		c.SkipSslValidation, err = strconv.ParseBool(os.Getenv("CF_SKIP_SSL_VALIDATION"))
 		if err != nil {
 			addTypeCastAttributeError(resp, "Boolean", "skip_ssl_validation", "Skip SSL Validation", "CF_SKIP_SSL_VALIDATION")
 			return nil
 		}
 	}
 	if !config.Endpoint.IsNull() {
-		endpoint = config.Endpoint.ValueString()
+		c.Endpoint = config.Endpoint.ValueString()
 	}
 	if !config.User.IsNull() {
-		user = config.User.ValueString()
+		c.User = config.User.ValueString()
 	}
 	if !config.Password.IsNull() {
-		password = config.Password.ValueString()
+		c.Password = config.Password.ValueString()
 	}
 	if !config.CFClientID.IsNull() {
-		cfclientid = config.CFClientID.ValueString()
+		c.CFClientID = config.CFClientID.ValueString()
 	}
 	if !config.CFClientSecret.IsNull() {
-		cfclientsecret = config.CFClientSecret.ValueString()
+		c.CFClientSecret = config.CFClientSecret.ValueString()
 	}
 	if !config.Origin.IsNull() {
-		origin = config.Origin.ValueString()
+		c.Origin = config.Origin.ValueString()
 	}
 	if !config.AccessToken.IsNull() {
-		cfaccesstoken = config.AccessToken.ValueString()
+		c.AccessToken = config.AccessToken.ValueString()
 	}
 	if !config.RefreshToken.IsNull() {
-		cfrefreshtoken = config.RefreshToken.ValueString()
+		c.RefreshToken = config.RefreshToken.ValueString()
+	}
+	if !config.AssertionToken.IsNull() {
+		c.AssertionToken = config.AssertionToken.ValueString()
 	}
-	checkConfig(resp, endpoint, user, password, cfclientid, cfclientsecret, cfaccesstoken)
+
+	checkConfig(resp, c)
 	if resp.Diagnostics.HasError() {
 		return nil
 	}
 	if !config.SkipSslValidation.IsNull() {
-		skipsslvalidation = config.SkipSslValidation.ValueBool()
+		c.SkipSslValidation = config.SkipSslValidation.ValueBool()
 	}
+	c.Endpoint = strings.TrimSuffix(c.Endpoint, "/")
 
-	c := managers.CloudFoundryProviderConfig{
-		Endpoint:          strings.TrimSuffix(endpoint, "/"),
-		User:              user,
-		Password:          password,
-		CFClientID:        cfclientid,
-		CFClientSecret:    cfclientsecret,
-		SkipSslValidation: skipsslvalidation,
-		Origin:            origin,
-		AccessToken:       cfaccesstoken,
-		RefreshToken:      cfrefreshtoken,
-	}
 	return &c
 }
 func (p *CloudFoundryProvider) Configure(ctx context.Context, req provider.ConfigureRequest, resp *provider.ConfigureResponse) {

cloudfoundry/provider/provider.go

@@ -30,6 +30,7 @@ type CloudFoundryProviderConfigPtr struct {
 	Origin            *string
 	AccessToken       *string
 	RefreshToken      *string
+	AssertionToken    *string
 }
 
 var redactedTestUser = CloudFoundryProviderConfigPtr{
@@ -40,6 +41,8 @@ var redactedTestUser = CloudFoundryProviderConfigPtr{
 	CFClientSecret: strtostrptr("xxxx"),
 	AccessToken:    strtostrptr("bearer eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vdWFhLngueC54LnguY29tL3Rva2VuX2tleXMiLCJraWQiOiJrZXktMSIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI0YmYyMmRhYjNiYmU0NTg1OTUwM2Y0MWExZmRkZmFmOCIsImNsaWVudF9hdXRoX21ldGhvZCI6Im5vbmUiLCJzdWIiOiIxZjI2M2UwMC05YTA3LTQyZDgtYmU3MS1iMThiZTZkMTBiNDUiLCJzY29wZSI6WyJvcGVuaWQiLCJ1YWEudXNlciIsImNsb3VkX2NvbnRyb2xsZXIucmVhZCIsInBhc3N3b3JkLndyaXRlIiwiY2xvdWRfY29udHJvbGxlci53cml0ZSJdLCJjbGllbnRfaWQiOiJjZiIsImNpZCI6ImNmIiwiYXpwIjoiY2YiLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMWYyNjNlMDAtOWEwNy00MmQ4LWJlNzEtYjE4YmU2ZDEwYjQ1Iiwib3JpZ2luIjoic2FwLmlkcyIsInVzZXJfbmFtZSI6InRlc3RfdXNlckB4LmNvbSIsImVtYWlsIjoidGVzdF91c2VyQHguY29tIiwiYXV0aF90aW1lIjoxNzA1MDYwOTM2LCJyZXZfc2lnIjoiZGUxMDU3ZDEiLCJpYXQiOjE3MDUwNjA5MzYsImV4cCI6MjcwNTA2MjEzNiwiaXNzIjoiaHR0cHM6Ly91YWEueC54LngueC5jb20vb2F1dGgvdG9rZW4iLCJ6aWQiOiJ1YWEiLCJhdWQiOlsiY2xvdWRfY29udHJvbGxlciIsInBhc3N3b3JkIiwiY2YiLCJ1YWEiLCJvcGVuaWQiXX0.DADNqcmHbP8R0Dp3pMZVE7OeD5eTmcwh5dyFKFpryGEl3QqXKd1Af3raTFnJe1SRi66qjkvpdLub31Fh3LDdkAPAoFYshvwxozCdEinGYEx-qlW1Ttt6qyk_0y3CjKDExv43F8CpHwqD41A57IOAbz14revnb6tbW9pA_dBxhF9sYdXJvhPOnGUDKgv5SIYNUyt0_ekEaHNMVHp__4dnaCw7qdMkJ7Y7Pn4ES3KJqc88Ed9PzRJw0WQzwvHlJbQyCtpBXFx_ZzIEFNjcXo9p-YbezEKVypKlREs59h-HzpbhLwjW9_MzuY3wFveYT4FLsF-U0s0KeQq83E8J_zWRhw"),
 	RefreshToken:   strtostrptr("xxxx"),
+	Origin:         strtostrptr("dummy-origin"),
+	AssertionToken: strtostrptr("eyJhbGciOiJSUzI1NiIsImtpZDI6Im1vY2sta2V5LWlkIiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3RlcnJhZm9ybWVkcy5hY2NvdW50cy5vbmRlbWFuZC5jb20iLCJleHAiOjE3NTI3NTU1NjYsImlhdCI6MTc1Mjc1MTk2NiwiaXNzIjoiaHR0cHM6Ly9tb2NrLW9pZGMtcHJvdmlkZXItc2lsbHktYWxsaWdhdG9yLW9hLmNmYXBwcy51czEwLmhhbmEub25kZW1hbmQuY29tIiwicmVwb3NpdG9yeSI6Im1vY2svcmVwbyIsInN1YiI6Im1vY2svcmVwb0BhLmNvbSJ9.M5fpxHntMa4454z97z5fU0DYbbre02LFCivVShPjwssP2b6if7zMRzpX31OUOW3QdtQO3X2tHZfOx6cF4ya-LrkJRmZrL_OVW2inaY3_o3vYFH50tXXinmy7X4mHPLg93eDZq-sEMNrRWTKomrG_3Nj8wySyHpAUWtGd5bYOf2fD4t6WTHgOgjXBnmREIP_HU95yE3XiP1CggJfb-ll7MApxfivw_sZUbSL_Vd5pvwMcZzTji_mTGoT6zIbYg4ndkk_m_RD9GBz-lqfL6BcGe_fYJAdFtZkZ2ws6utioKFN93mdUXazTeDIyi-G1uL0LcqUVx9wGrjcHUa8GPfh5hA"),
 }
 
 func hclProvider(cfConfig *CloudFoundryProviderConfigPtr) string {
@@ -73,6 +76,9 @@ func hclProvider(cfConfig *CloudFoundryProviderConfigPtr) string {
 			{{if .RefreshToken}}
 				refresh_token = "{{.RefreshToken}}"
 			{{- end }}
+			{{if .AssertionToken}}
+				assertion_token = "{{.AssertionToken}}"
+			{{- end }}
 			}`
 		tmpl, err := template.New("provider").Parse(s)
 		if err != nil {
@@ -212,6 +218,38 @@ func TestCloudFoundryProvider_Configure(t *testing.T) {
 			},
 		})
 	})
+	t.Run("user login with valid assertion token", func(t *testing.T) {
+		endpoint := strtostrptr(os.Getenv("TEST_CF_API_URL"))
+		assertionToken := strtostrptr(os.Getenv("TEST_CF_ASSERTION_TOKEN"))
+		origin := strtostrptr(os.Getenv("TEST_CF_ORIGIN"))
+		if *endpoint == "" || *assertionToken == "" || *origin == "" {
+			t.Logf("\nATTENTION: Using redacted user credentials since endpoint, assertion & origin not set as env \n Make sure you are not triggering a recording else test will fail")
+			endpoint = redactedTestUser.Endpoint
+			assertionToken = redactedTestUser.AssertionToken
+			origin = redactedTestUser.Origin
+		}
+		cfg := CloudFoundryProviderConfigPtr{
+			Endpoint:       endpoint,
+			AssertionToken: assertionToken,
+			Origin:         origin,
+		}
+
+		recUserPass := cfg.SetupVCR(t, "fixtures/provider.assertion_token")
+		defer stopQuietly(recUserPass)
+
+		testingResource.Test(t, testingResource.TestCase{
+			IsUnitTest:               true,
+			ProtoV6ProviderFactories: getProviders(recUserPass.GetDefaultClient()),
+			Steps: []testingResource.TestStep{
+				{
+					Config: hclProvider(&cfg) + `
+				data "cloudfoundry_org" "org" {
+					name = "BTP-Terraformers-Prod_mock-github-oidc-test"
+				}`,
+				},
+			},
+		})
+	})
 	t.Run("user login with valid home directory", func(t *testing.T) {
 		cfg := getCFHomeConf()
 		recHomeDir := cfg.SetupVCR(t, "fixtures/provider.home_dir")

cloudfoundry/provider/provider_test.go

@@ -153,6 +153,16 @@ func (cfg *CloudFoundryProviderConfigPtr) GetHook() func(i *cassette.Interaction
 			}
 			regList = append(regList, reg)
 		}
+		if cfg.AssertionToken != nil {
+			reg := reg{
+				regexpattern: []*regexp.Regexp{
+					regexp.MustCompile(*cfg.AssertionToken),
+					regexp.MustCompile(url.QueryEscape(*cfg.AssertionToken)),
+				},
+				redactString: *redactedTestUser.AssertionToken,
+			}
+			regList = append(regList, reg)
+		}
 		interactionJson, err := json.Marshal(i)
 		if err != nil {
 			panic(err)

cloudfoundry/provider/utils_test.go

@@ -33,6 +33,7 @@ provider "cloudfoundry" {
 
 - `access_token` (String, Sensitive) OAuth token to authenticate with Cloud Foundry
 - `api_url` (String) Specific URL representing the entry point for communication between the client and a Cloud Foundry instance.
+- `assertion_token` (String, Sensitive) OAuth JWT assertion token. Used for OAuth 2.0 JWT Bearer Assertion Grant flow to authenticate with Cloud Foundry. Typically used with a custom origin.
 - `cf_client_id` (String) Unique identifier for a client application used in authentication and authorization processes
 - `cf_client_secret` (String, Sensitive) A confidential string used by a client application for secure authentication and authorization, requires cf_client_id to authenticate
 - `origin` (String) Indicates the identity provider to be used for login

docs/index.md

@@ -22,7 +22,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 )
 
-replace github.com/cloudfoundry/go-cfclient/v3 v3.0.0-alpha.11.0.20250320145327-6946bc732186 => github.com/ANUGRAHG/go-cfclient/v3 v3.0.0-20250619101525-5bab1c3424d6
+replace github.com/cloudfoundry/go-cfclient/v3 v3.0.0-alpha.11.0.20250320145327-6946bc732186 => github.com/ANUGRAHG/go-cfclient/v3 v3.0.0-20250715085712-0c590acfa414
 
 require (
 	code.cloudfoundry.org/cf-networking-helpers v0.49.0 // indirect

go.mod

@@ -8,8 +8,8 @@ dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-github.com/ANUGRAHG/go-cfclient/v3 v3.0.0-20250619101525-5bab1c3424d6 h1:URwb3r4R1Axb6PdxGCozg/IyWBTH86emWWSteIFuRHA=
-github.com/ANUGRAHG/go-cfclient/v3 v3.0.0-20250619101525-5bab1c3424d6/go.mod h1:+sY77PKx6xxDyApQ07webuPs80UMefAOTMPFuwXUerM=
+github.com/ANUGRAHG/go-cfclient/v3 v3.0.0-20250715085712-0c590acfa414 h1:HKM4l1w496sABMBkAtEqLiB7CBD88sT1N36nFWStjeQ=
+github.com/ANUGRAHG/go-cfclient/v3 v3.0.0-20250715085712-0c590acfa414/go.mod h1:+sY77PKx6xxDyApQ07webuPs80UMefAOTMPFuwXUerM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=