[8.16] Bump json-smart and oauth2-oidc-sdk (#122737) (#122915)

jfreden · web-flow · commit 33f973ba70a0 · 2025-02-19T09:54:53.000+01:00
* Bump json-smart and oauth2-oidc-sdk (#122737) * Bump json-smart and oauth2-oidc-sdk --------- Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co> (cherry picked from commit e166645) # Conflicts: # gradle/verification-metadata.xml * fixup! Add back verification data for test dep
diff --git a/docs/changelog/122737.yaml b/docs/changelog/122737.yaml
@@ -0,0 +1,5 @@
+pr: 122737
+summary: Bump json-smart and oauth2-oidc-sdk
+area: Authentication
+type: upgrade
+issues: []
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -974,36 +974,24 @@
             <sha256 value="e8c1c594e2425bdbea2d860de55c69b69fc5d59454452449a0f0913c2a5b8a31" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.nimbusds" name="nimbus-jose-jwt" version="10.0.1">
+         <artifact name="nimbus-jose-jwt-10.0.1.jar">
+            <sha256 value="f28dbd9ab128324f05050d76b78469d3a9cd83e0319aabc68d1c276e3923e13a" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.nimbusds" name="nimbus-jose-jwt" version="4.41.1">
          <artifact name="nimbus-jose-jwt-4.41.1.jar">
             <sha256 value="fbfd0d5f2b2f86758b821daa5e79b5d7c965edd9dc1b2cc80b515df1c6ddc22d" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.37.3">
-         <artifact name="nimbus-jose-jwt-9.37.3.jar">
-            <sha256 value="12ae4a3a260095d7aeba2adea7ae396e8b9570db8b7b409e09a824c219cc0444" origin="Generated by Gradle">
-               <also-trust value="afc63b689d881439b95f343b1dca750391edac63b87392be4d90d19c94ccafbe"/>
-            </sha256>
-         </artifact>
-      </component>
       <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.8.1">
          <artifact name="nimbus-jose-jwt-9.8.1.jar">
             <sha256 value="7664cf8c6f2adadf600287812b32878277beda54912eab9d4c2932cd50cb704a" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.10.1">
-         <artifact name="oauth2-oidc-sdk-11.10.1.jar">
-            <sha256 value="9e51b2c17503cdd3eb97f41491c712aff7783bb3c67185d789f44ccf2a603b26" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.9.1">
-         <artifact name="oauth2-oidc-sdk-11.9.1.jar">
-            <sha256 value="0820c9690966304d075347b88e81ae490213440fc4d2c84f3d370d41941b2b9c" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="9.37">
-         <artifact name="oauth2-oidc-sdk-9.37.jar">
-            <sha256 value="44a04bbed5ae3f6d198aa73ee6b545c476e528ec1a267ef3e9f7033f886dd6fe" origin="Generated by Gradle"/>
+      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.22.2">
+         <artifact name="oauth2-oidc-sdk-11.22.2.jar">
+            <sha256 value="64fab42f17bf8e0efb193dd34da716ef7abb7515234036119df1776b808dc066" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="com.perforce" name="p4java" version="2015.2.1365273">
@@ -1759,34 +1747,24 @@
             <sha256 value="0972bbc99437c4163acd09b630e6c77eab4cfab8a9594621c95466c0c6645396" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="net.minidev" name="accessors-smart" version="2.5.0">
-         <artifact name="accessors-smart-2.5.0.jar">
-            <sha256 value="12314fc6881d66a413fd66370787adba16e504fbf7e138690b0f3952e3fbd321" origin="Generated by Gradle"/>
+      <component group="net.minidev" name="accessors-smart" version="2.5.2">
+         <artifact name="accessors-smart-2.5.2.jar">
+            <sha256 value="9b8a7bc43861d6156c021166d941fb7dddbe4463e2fa5ee88077e4b01452a836" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="net.minidev" name="json-smart" version="2.3">
          <artifact name="json-smart-2.3.jar">
             <sha256 value="903f48c8aa4c3f6426440b8d32de89fa1dc23b1169abde25e4e1d068aa67708b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="net.minidev" name="json-smart" version="2.4.10">
-         <artifact name="json-smart-2.4.10.jar">
-            <sha256 value="70cab5e9488630dc631b1fc6e7fa550d95cddd19ba14db39ceca7cabfbd4e5ae" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
       <component group="net.minidev" name="json-smart" version="2.4.2">
          <artifact name="json-smart-2.4.2.jar">
             <sha256 value="64072f56d9dff5040b2acec477c5d5e6bcebfc88c508f12acb26072d07942146" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="net.minidev" name="json-smart" version="2.5.0">
-         <artifact name="json-smart-2.5.0.jar">
-            <sha256 value="432b9e545848c4141b80717b26e367f83bf33f19250a228ce75da6e967da2bc7" origin="Generated by Gradle"/>
-         </artifact>
-      </component>
-      <component group="net.minidev" name="json-smart" version="2.5.1">
-         <artifact name="json-smart-2.5.1.jar">
-            <sha256 value="86c0c189581b79b57b0719f443a724e9f628ffbb9eef645cf79194f5973a1001" origin="Generated by Gradle"/>
+      <component group="net.minidev" name="json-smart" version="2.5.2">
+         <artifact name="json-smart-2.5.2.jar">
+            <sha256 value="4fbdedb0105cedc7f766b95c297d2e88fb6a560da48f3bbaa0cc538ea8b7bf71" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="net.nextencia" name="rrdiagram" version="0.9.4">
diff --git a/modules/repository-azure/build.gradle b/modules/repository-azure/build.gradle
@@ -62,20 +62,20 @@ dependencies {
   api "com.github.stephenc.jcip:jcip-annotations:1.0-1"
   api "com.nimbusds:content-type:2.3"
   api "com.nimbusds:lang-tag:1.7"
-  api("com.nimbusds:nimbus-jose-jwt:9.37.3"){
+  api("com.nimbusds:nimbus-jose-jwt:10.0.1"){
     exclude group: 'com.google.crypto.tink', module: 'tink' // it's an optional dependency on which we don't rely
   }
-  api("com.nimbusds:oauth2-oidc-sdk:11.9.1"){
+  api("com.nimbusds:oauth2-oidc-sdk:11.22.2"){
     exclude group: 'com.google.crypto.tink', module: 'tink' // it's an optional dependency on which we don't rely
   }
   api "jakarta.activation:jakarta.activation-api:1.2.1"
   api "jakarta.xml.bind:jakarta.xml.bind-api:2.3.3"
   api "net.java.dev.jna:jna-platform:${versions.jna}" // Maven says 5.14.0 but this aligns with the Elasticsearch-wide version
   api "net.java.dev.jna:jna:${versions.jna}" // Maven says 5.14.0 but this aligns with the Elasticsearch-wide version
-  api "net.minidev:accessors-smart:2.5.0"
-  api "net.minidev:json-smart:2.5.0"
+  api "net.minidev:accessors-smart:2.5.2"
+  api "net.minidev:json-smart:2.5.2"
   api "org.codehaus.woodstox:stax2-api:4.2.2"
-  api "org.ow2.asm:asm:9.3"
+  api "org.ow2.asm:asm:9.7.1"
 
   runtimeOnly "com.google.code.gson:gson:2.11.0"
   runtimeOnly "org.cryptomator:siv-mode:1.5.2"
@@ -189,11 +189,6 @@ tasks.named("thirdPartyAudit").configure {
     'org.bouncycastle.cert.X509CertificateHolder',
     'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
     'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
-    'org.bouncycastle.crypto.InvalidCipherTextException',
-    'org.bouncycastle.crypto.engines.AESEngine',
-    'org.bouncycastle.crypto.modes.GCMBlockCipher',
-    'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
-    'org.bouncycastle.jce.provider.BouncyCastleProvider',
     'org.bouncycastle.openssl.PEMKeyPair',
     'org.bouncycastle.openssl.PEMParser',
     'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
@@ -79,21 +79,21 @@ dependencies {
   runtimeOnly "joda-time:joda-time:2.10.10"
 
   // Dependencies for oidc
-  api "com.nimbusds:oauth2-oidc-sdk:11.10.1"
+  api "com.nimbusds:oauth2-oidc-sdk:11.22.2"
   api project(path: xpackModule('security:lib:nimbus-jose-jwt-modified'), configuration: 'shadow')
   if (isEclipse) {
     /*
      * Eclipse can't pick up the shadow dependency so we point it at the unmodified version of the library
      * so it can compile things.
      */
-    api "com.nimbusds:nimbus-jose-jwt:9.37.3"
+    api "com.nimbusds:nimbus-jose-jwt:10.0.1"
   }
-  api "com.nimbusds:lang-tag:1.4.4"
+  api "com.nimbusds:lang-tag:1.7"
   api "com.sun.mail:jakarta.mail:1.6.3"
   api "net.jcip:jcip-annotations:1.0"
-  api "net.minidev:json-smart:2.5.1"
-  api "net.minidev:accessors-smart:2.4.2"
-  api "org.ow2.asm:asm:8.0.1"
+  api "net.minidev:json-smart:2.5.2"
+  api "net.minidev:accessors-smart:2.5.2"
+  api "org.ow2.asm:asm:9.7.1"
 
   testImplementation "org.elasticsearch:mocksocket:${versions.mocksocket}"
 
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle
@@ -11,7 +11,7 @@ apply plugin: 'com.gradleup.shadow'
 // See the build.gradle file in the parent directory for an explanation of this unusual build
 
 dependencies {
-  implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"
+  implementation "com.nimbusds:nimbus-jose-jwt:10.0.1"
 }
 
 tasks.named('shadowJar').configure {
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/build.gradle
@@ -11,7 +11,7 @@ apply plugin: 'com.gradleup.shadow'
 // See the build.gradle file in the parent directory for an explanation of this unusual build
 
 dependencies {
-  implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"
+  implementation "com.nimbusds:nimbus-jose-jwt:10.0.1"
   implementation project(path: xpackModule('security:lib:nimbus-jose-jwt-modified-part2'), configuration: 'shadow')
 }
 
diff --git a/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java b/x-pack/plugin/security/lib/nimbus-jose-jwt-modified/src/main/java/com/nimbusds/jose/util/JSONObjectUtils.java
@@ -13,6 +13,7 @@
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.text.ParseException;
+import java.util.Date;
 import java.util.List;
 import java.util.Map;
 
@@ -192,6 +193,16 @@ public static Base64URL getBase64URL(final Map<String, Object> o, final String k
         }
     }
 
+    public static Date getEpochSecondAsDate(final Map<String, Object> o, final String key) throws ParseException {
+        try {
+            return AccessController.doPrivileged(
+                (PrivilegedExceptionAction<Date>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.getEpochSecondAsDate(o, key)
+            );
+        } catch (PrivilegedActionException e) {
+            throw (ParseException) e.getException();
+        }
+    }
+
     public static String toJSONString(final Map<String, ?> o) {
         return AccessController.doPrivileged(
             (PrivilegedAction<String>) () -> org.elasticsearch.nimbus.jose.util.JSONObjectUtils.toJSONString(o)

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ apply plugin: 'com.gradleup.shadow'`
`11`	`11`	`// See the build.gradle file in the parent directory for an explanation of this unusual build`
`12`	`12`
`13`	`13`	`dependencies {`
`14`		`- implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"`
	`14`	`+ implementation "com.nimbusds:nimbus-jose-jwt:10.0.1"`
`15`	`15`	`}`
`16`	`16`
`17`	`17`	`tasks.named('shadowJar').configure {`