Merge pull request #1647 from smallstep/go-jose

Upgrade go.step.sm/crypto to use go-jose/v3

Author: maraino

acme/account_test.go

@@ -25,7 +25,7 @@ func TestKeyToID(t *testing.T) {
 			jwk.Key = "foo"
 			return test{
 				jwk: jwk,
-				err: NewErrorISE("error generating jwk thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating jwk thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok": func(t *testing.T) test {

acme/api/middleware.go

@@ -449,11 +449,11 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
 // the JWK by patching the JWS signatures if they're determined to be too short.
 //
 // Generally this shouldn't happen, but we've observed this to be the case with
-// the macOS ACME client, which seems to omit (at least one) leading null byte(s).
-// The error returned is `square/go-jose: error in cryptographic primitive`, which
-// is a sentinel error that hides the details of the actual underlying error, which
-// is as follows: `square/go-jose: invalid signature size, have 63 bytes, wanted 64`,
-// for ES256.
+// the macOS ACME client, which seems to omit (at least one) leading null
+// byte(s). The error returned is `go-jose/go-jose: error in cryptographic
+// primitive`, which is a sentinel error that hides the details of the actual
+// underlying error, which is as follows: `go-jose/go-jose: invalid signature
+// size, have 63 bytes, wanted 64`, for ES256.
 func retryVerificationWithPatchedSignatures(jws *jose.JSONWebSignature, jwk *jose.JSONWebKey) (data []byte, err error) {
 	originalSignatureValues := make([][]byte, len(jws.Signatures))
 	patched := false

acme/api/middleware_test.go

@@ -356,7 +356,7 @@ func TestHandler_parseJWS(t *testing.T) {
 			return test{
 				body:       strings.NewReader("foo"),
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: square/go-jose: compact JWS format must have three parts"),
+				err:        acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: go-jose/go-jose: compact JWS format must have three parts"),
 			}
 		},
 		"ok": func(t *testing.T) test {
@@ -480,7 +480,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
+				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
 			}
 		},
 		"fail/verify-jws-failure-too-many-signatures": func(t *testing.T) test {
@@ -492,7 +492,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: too many signatures in payload; expecting only one"),
+				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: too many signatures in payload; expecting only one"),
 			}
 		},
 		"fail/apple-acmeclient-omitting-leading-null-byte-in-signature-with-wrong-jwk": func(t *testing.T) test {
@@ -507,7 +507,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
 			return test{
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
+				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
 			}
 		},
 		"fail/algorithm-mismatch": func(t *testing.T) test {
@@ -1817,7 +1817,7 @@ func Test_retryVerificationWithPatchedSignatures(t *testing.T) {
 		{"ok/patched-r", patchedR, patchedRJWK, []byte(`test-1105`), `AK0D2CmH5Xyp5YASqg3lrCR9kyeohwJ6Lu7Bc15ZmA-AK16i32LqqLVhESq52tsH84dKbu1EljtoM5TqkSvaqg`, nil},
 		{"ok/patched-s", patchedS, patchedSJWK, []byte(`test-66`), `krtSKSgVB04oqx6i9QLeal_wZSnjV1_PSIM3AubT0WQASMZ4Zf8mG1aWt4ud6d3VFuek7T-v0lGW6B-kryxzMw`, nil},
 		{"ok/patched-rs", patchedRS, patchedRSJWK, []byte(`test-9067`), `ANq_zMtfaEYO5ln_SOSU5DWKfKLXxDM_sl0QPJbWUwAApnHIku6ulUSCJyY0i27uV9wKsatOAjc5vJ7-BJojJw`, nil},
-		{"fail/patched-r-wrong-jwk", patchedRWithWrongJWK, patchedRSJWK, nil, `rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq`, errors.New("square/go-jose: error in cryptographic primitive")},
+		{"fail/patched-r-wrong-jwk", patchedRWithWrongJWK, patchedRSJWK, nil, `rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq`, errors.New("go-jose/go-jose: error in cryptographic primitive")},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

acme/api/revoke_test.go

@@ -1279,7 +1279,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
 			}
 		},
 		"wrap-subject": func(t *testing.T) test {
-			acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: square/go-jose: error in cryptographic primitive")
+			acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: go-jose/go-jose: error in cryptographic primitive")
 			acmeErr.Status = http.StatusForbidden
 			acmeErr.Detail = "No authorization provided for name test.example.com"
 			cert := &x509.Certificate{
@@ -1288,7 +1288,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
 				},
 			}
 			return test{
-				err:                     errors.New("square/go-jose: error in cryptographic primitive"),
+				err:                     errors.New("go-jose/go-jose: error in cryptographic primitive"),
 				cert:                    cert,
 				unauthorizedIdentifiers: []acme.Identifier{},
 				msg:                     "verification of jws using certificate public key failed",

acme/challenge_test.go

@@ -354,7 +354,7 @@ func TestKeyAuthorization(t *testing.T) {
 			return test{
 				token: "1234",
 				jwk:   jwk,
-				err:   NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err:   NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok": func(t *testing.T) test {
@@ -1089,7 +1089,7 @@ func TestHTTP01Validate(t *testing.T) {
 					},
 				},
 				jwk: jwk,
-				err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok/key-auth-mismatch": func(t *testing.T) test {
@@ -1389,7 +1389,7 @@ func TestDNS01Validate(t *testing.T) {
 					},
 				},
 				jwk: jwk,
-				err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"fail/key-auth-mismatch-store-error": func(t *testing.T) test {
@@ -2141,7 +2141,7 @@ func TestTLSALPN01Validate(t *testing.T) {
 				},
 				srv: srv,
 				jwk: jwk,
-				err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok/error-no-extension": func(t *testing.T) test {

acme/challenge_tpmsimulator_test.go

@@ -817,7 +817,7 @@ func Test_doTPMAttestationFormat(t *testing.T) {
 				"certInfo": params.CreateAttestation,
 				"pubArea":  params.Public,
 			},
-		}}, nil, newInternalServerError("failed creating key auth digest: error generating JWK thumbprint: square/go-jose: unknown key type '[]uint8'")},
+		}}, nil, newInternalServerError("failed creating key auth digest: error generating JWK thumbprint: go-jose/go-jose: unknown key type '[]uint8'")},
 		{"fail different keyAuthorization", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "aDifferentToken"}, jwk, &attestationObject{
 			Format: "tpm",
 			AttStatement: map[string]interface{}{

api/api_test.go

@@ -28,14 +28,11 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/pkg/errors"
-	sassert "github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
 	"golang.org/x/crypto/ssh"
-	squarejose "gopkg.in/square/go-jose.v2"
-
-	"github.com/smallstep/assert"
 
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
@@ -658,7 +655,7 @@ func TestSignRequest_Validate(t *testing.T) {
 			}
 			if err := s.Validate(); err != nil {
 				if assert.NotNil(t, tt.err) {
-					assert.HasPrefix(t, err.Error(), tt.err.Error())
+					assert.True(t, strings.HasPrefix(err.Error(), tt.err.Error()))
 				}
 			} else {
 				assert.Nil(t, tt.err)
@@ -1259,10 +1256,10 @@ func Test_Provisioners(t *testing.T) {
 
 	expectedError400 := errs.BadRequest("limit 'abc' is not an integer")
 	expectedError400Bytes, err := json.Marshal(expectedError400)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 	expectedError500 := errs.InternalServer("force")
 	expectedError500Bytes, err := json.Marshal(expectedError500)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockMustAuthority(t, tt.fields.Authority)
@@ -1329,7 +1326,7 @@ func Test_ProvisionerKey(t *testing.T) {
 	expected := []byte(`{"key":"` + privKey + `"}`)
 	expectedError404 := errs.NotFound("force")
 	expectedError404Bytes, err := json.Marshal(expectedError404)
-	assert.FatalError(t, err)
+	require.NoError(t, err)
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1578,7 +1575,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 		"x":   "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
 		"y":   "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
 	}
-	key := squarejose.JSONWebKey{}
+	key := jose.JSONWebKey{}
 	b, err := json.Marshal(k)
 	require.NoError(t, err)
 	err = json.Unmarshal(b, &key)
@@ -1644,11 +1641,11 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	}
 
 	expBytes, err := json.Marshal(expected)
-	sassert.NoError(t, err)
+	assert.NoError(t, err)
 
 	br, err := r.MarshalJSON()
-	sassert.NoError(t, err)
-	sassert.JSONEq(t, string(expBytes), string(br))
+	assert.NoError(t, err)
+	assert.JSONEq(t, string(expBytes), string(br))
 
 	keyCopy := key
 	expList := provisioner.List{
@@ -1674,7 +1671,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	}
 
 	// MarshalJSON must not affect the struct properties itself
-	sassert.Equal(t, expList, r.Provisioners)
+	assert.Equal(t, expList, r.Provisioners)
 }
 
 const (
@@ -1693,14 +1690,14 @@ func TestLogSSHCertificate(t *testing.T) {
 	rl := logging.NewResponseLogger(w)
 	LogSSHCertificate(rl, cert)
 
-	sassert.Equal(t, 200, w.Result().StatusCode)
+	assert.Equal(t, 200, w.Result().StatusCode)
 
 	fields := rl.Fields()
-	sassert.Equal(t, uint64(14376510277651266987), fields["serial"])
-	sassert.Equal(t, []string{"herman"}, fields["principals"])
-	sassert.Equal(t, "[email protected] user certificate", fields["certificate-type"])
-	sassert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
-	sassert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
-	sassert.Equal(t, "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"])
-	sassert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
+	assert.Equal(t, uint64(14376510277651266987), fields["serial"])
+	assert.Equal(t, []string{"herman"}, fields["principals"])
+	assert.Equal(t, "[email protected] user certificate", fields["certificate-type"])
+	assert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
+	assert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
+	assert.Equal(t, "AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgLnkvSk4odlo3b1R+RDw+LmorL3RkN354IilCIVFVen4AAAAIbmlzdHAyNTYAAABBBHjKHss8WM2ffMYlavisoLXR0I6UEIU+cidV1ogEH1U6+/SYaFPrlzQo0tGLM5CNkMbhInbyasQsrHzn8F1Rt7nHg5/tcSf9qwAAAAEAAAAGaGVybWFuAAAACgAAAAZoZXJtYW4AAAAAY8kvJwAAAABjyhBjAAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAGgAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAAhuaXN0cDI1NgAAAEEE/ayqpPrZZF5uA1UlDt4FreTf15agztQIzpxnWq/XoxAHzagRSkFGkdgFpjgsfiRpP8URHH3BZScqc0ZDCTxhoQAAAGQAAAATZWNkc2Etc2hhMi1uaXN0cDI1NgAAAEkAAAAhAJuP1wCVwoyrKrEtHGfFXrVbRHySDjvXtS1tVTdHyqymAAAAIBa/CSSzfZb4D2NLP+eEmOOMJwSjYOiNM8fiOoAaqglI", fields["certificate"])
+	assert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
 }

authority/policy_test.go

@@ -6,8 +6,8 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/stretchr/testify/assert"
-	"gopkg.in/square/go-jose.v2"
 
 	"go.step.sm/linkedca"
 

authority/provisioner/jwk_test.go

@@ -171,10 +171,10 @@ func TestJWK_authorizeToken(t *testing.T) {
 		{"fail-token", p1, args{failTok}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk token")},
 		{"fail-key", p1, args{failKey}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
 		{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
-		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
-		{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
-		{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token is expired (exp)")},
-		{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token not valid yet (nbf)")},
+		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
+		{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
+		{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token is expired (exp)")},
+		{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)")},
 		{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk token audience claim (aud)")},
 		{"fail-subject", p1, args{failSub}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; jwk token subject cannot be empty")},
 		{"ok", p1, args{t1}, http.StatusOK, nil},
@@ -218,7 +218,7 @@ func TestJWK_AuthorizeRevoke(t *testing.T) {
 		code int
 		err  error
 	}{
-		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
+		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
 		{"ok", p1, args{t1}, http.StatusOK, nil},
 	}
 	for _, tt := range tests {
@@ -266,7 +266,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 			prov: p1,
 			args: args{failSig},
 			code: http.StatusUnauthorized,
-			err:  errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive"),
+			err:  errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive"),
 		},
 		{
 			name: "ok-sans",

authority/provisioner/k8sSA_test.go

@@ -97,7 +97,7 @@ func TestK8sSA_authorizeToken(t *testing.T) {
 				p:     p,
 				token: tok,
 				code:  http.StatusUnauthorized,
-				err:   errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
+				err:   errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
 			}
 		},
 		"ok": func(t *testing.T) test {