From a0a6a7b599d4d6056b47e3673e8a5faecdca007e Mon Sep 17 00:00:00 2001
From: Derrick DaCosta <125311989+derrick-dacosta@users.noreply.github.com>
Date: Fri, 26 Apr 2024 12:43:18 -0400
Subject: [PATCH] update go-jose package to fix vuln CVE-2024-28180 and Mend.io
WS-2023-0431 (#72)
---
go.mod | 4 +-
go.sum | 22 +-
.../go-jose/go-jose/v3}/.gitignore | 6 -
.../go-jose/go-jose/v3/.golangci.yml | 53 ++++
.../github.com/go-jose/go-jose/v3/.travis.yml | 33 ++
.../go-jose/go-jose/v3/CHANGELOG.md | 78 +++++
.../go-jose/go-jose/v3}/CONTRIBUTING.md | 5 +-
.../go-jose/go-jose/v3}/LICENSE | 0
.../go-jose/go-jose/v3}/README.md | 66 ++--
.../github.com/go-jose/go-jose/v3/SECURITY.md | 13 +
.../go-jose/go-jose/v3}/asymmetric.go | 29 +-
.../go-jose/go-jose/v3}/cipher/cbc_hmac.go | 14 +-
.../go-jose/go-jose/v3}/cipher/concat_kdf.go | 0
.../go-jose/go-jose/v3}/cipher/ecdh_es.go | 0
.../go-jose/go-jose/v3}/cipher/key_wrap.go | 10 +-
.../go-jose/go-jose/v3}/crypter.go | 131 +++++---
.../go-jose/go-jose/v3}/doc.go | 8 +-
.../go-jose/go-jose/v3}/encoding.go | 68 ++++-
.../go-jose/go-jose/v3}/json/LICENSE | 0
.../go-jose/go-jose/v3}/json/README.md | 0
.../go-jose/go-jose/v3}/json/decode.go | 3 +-
.../go-jose/go-jose/v3}/json/encode.go | 30 +-
.../go-jose/go-jose/v3}/json/indent.go | 0
.../go-jose/go-jose/v3}/json/scanner.go | 0
.../go-jose/go-jose/v3}/json/stream.go | 1 -
.../go-jose/go-jose/v3}/json/tags.go | 0
.../go-jose/go-jose/v3}/jwe.go | 45 +--
.../go-jose/go-jose/v3}/jwk.go | 156 ++++++----
.../go-jose/go-jose/v3}/jws.go | 35 ++-
.../go-jose/go-jose/v3}/jwt/builder.go | 8 +-
.../go-jose/go-jose/v3}/jwt/claims.go | 11 +-
.../go-jose/go-jose/v3}/jwt/doc.go | 2 -
.../go-jose/go-jose/v3}/jwt/errors.go | 22 +-
.../go-jose/go-jose/v3}/jwt/jwt.go | 46 +--
.../go-jose/go-jose/v3}/jwt/validation.go | 34 ++-
.../go-jose/go-jose/v3}/opaque.go | 2 +-
.../go-jose/go-jose/v3}/shared.go | 41 +--
.../go-jose/go-jose/v3}/signing.go | 90 ++++--
.../go-jose/go-jose/v3}/symmetric.go | 65 ++--
.../hashicorp/vault/api/.copywrite.hcl | 8 +
.../github.com/hashicorp/vault/api/README.md | 2 +-
.../github.com/hashicorp/vault/api/client.go | 118 ++++++--
vendor/github.com/hashicorp/vault/api/kv.go | 4 +-
.../github.com/hashicorp/vault/api/logical.go | 19 ++
.../hashicorp/vault/api/plugin_helpers.go | 91 ++----
.../vault/api/plugin_runtime_types.go | 41 +++
.../hashicorp/vault/api/plugin_types.go | 36 ++-
.../hashicorp/vault/api/replication_status.go | 132 ++++++++
.../github.com/hashicorp/vault/api/request.go | 7 +
.../github.com/hashicorp/vault/api/secret.go | 8 +-
.../hashicorp/vault/api/sudo_paths.go | 87 ++++++
.../hashicorp/vault/api/sys_capabilities.go | 53 ++++
.../hashicorp/vault/api/sys_hastatus.go | 18 +-
.../hashicorp/vault/api/sys_health.go | 3 +
.../hashicorp/vault/api/sys_mounts.go | 6 +
.../hashicorp/vault/api/sys_plugins.go | 43 ++-
.../vault/api/sys_plugins_runtimes.go | 190 ++++++++++++
.../hashicorp/vault/api/sys_raft.go | 17 ++
.../hashicorp/vault/api/sys_seal.go | 1 +
.../vault/api/sys_ui_custom_message.go | 281 ++++++++++++++++++
vendor/golang.org/x/crypto/ed25519/ed25519.go | 71 -----
.../square/go-jose.v2/.gitcookies.sh.enc | 1 -
vendor/gopkg.in/square/go-jose.v2/.travis.yml | 45 ---
.../gopkg.in/square/go-jose.v2/BUG-BOUNTY.md | 10 -
vendor/modules.txt | 15 +-
65 files changed, 1820 insertions(+), 618 deletions(-)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/.gitignore (50%)
create mode 100644 vendor/github.com/go-jose/go-jose/v3/.golangci.yml
create mode 100644 vendor/github.com/go-jose/go-jose/v3/.travis.yml
create mode 100644 vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/CONTRIBUTING.md (75%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/LICENSE (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/README.md (55%)
create mode 100644 vendor/github.com/go-jose/go-jose/v3/SECURITY.md
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/asymmetric.go (92%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/cipher/cbc_hmac.go (91%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/cipher/concat_kdf.go (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/cipher/ecdh_es.go (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/cipher/key_wrap.go (88%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/crypter.go (76%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/doc.go (84%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/encoding.go (72%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/LICENSE (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/README.md (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/decode.go (99%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/encode.go (98%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/indent.go (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/scanner.go (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/stream.go (99%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/json/tags.go (100%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwe.go (84%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwk.go (77%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jws.go (90%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwt/builder.go (97%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwt/claims.go (91%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwt/doc.go (99%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwt/errors.go (54%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwt/jwt.go (80%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/jwt/validation.go (79%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/opaque.go (97%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/shared.go (91%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/signing.go (82%)
rename vendor/{gopkg.in/square/go-jose.v2 => github.com/go-jose/go-jose/v3}/symmetric.go (85%)
create mode 100644 vendor/github.com/hashicorp/vault/api/.copywrite.hcl
create mode 100644 vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
create mode 100644 vendor/github.com/hashicorp/vault/api/replication_status.go
create mode 100644 vendor/github.com/hashicorp/vault/api/sudo_paths.go
create mode 100644 vendor/github.com/hashicorp/vault/api/sys_plugins_runtimes.go
create mode 100644 vendor/github.com/hashicorp/vault/api/sys_ui_custom_message.go
delete mode 100644 vendor/golang.org/x/crypto/ed25519/ed25519.go
delete mode 100644 vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
delete mode 100644 vendor/gopkg.in/square/go-jose.v2/.travis.yml
delete mode 100644 vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
diff --git a/go.mod b/go.mod
index 4237ce3..04f9e29 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
github.com/gorilla/mux v1.8.0
github.com/hashicorp/go-hclog v1.5.0
github.com/hashicorp/go-retryablehttp v0.7.2
- github.com/hashicorp/vault/api v1.9.1
+ github.com/hashicorp/vault/api v1.12.0
github.com/hashicorp/vault/api/auth/approle v0.4.0
github.com/hashicorp/vault/sdk v0.11.1
github.com/prometheus/client_golang v1.14.0
@@ -32,6 +32,7 @@ require (
github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/fatih/color v1.14.1 // indirect
+ github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/snappy v0.0.4 // indirect
@@ -79,6 +80,5 @@ require (
golang.org/x/time v0.3.0 // indirect
golang.org/x/tools v0.10.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
- gopkg.in/square/go-jose.v2 v2.6.0 // indirect
gotest.tools/v3 v3.5.1 // indirect
)
diff --git a/go.sum b/go.sum
index 2fed150..4d565a8 100644
--- a/go.sum
+++ b/go.sum
@@ -40,6 +40,8 @@ github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
+github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
+github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@@ -93,8 +95,8 @@ github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T
github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
github.com/hashicorp/vault/api v1.9.0/go.mod h1:lloELQP4EyhjnCQhF8agKvWIVTmxbpEJj70b98959sM=
-github.com/hashicorp/vault/api v1.9.1 h1:LtY/I16+5jVGU8rufyyAkwopgq/HpUnxFBg+QLOAV38=
-github.com/hashicorp/vault/api v1.9.1/go.mod h1:78kktNcQYbBGSrOjQfHjXN32OhhxXnbYl3zxpd2uPUs=
+github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
+github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
github.com/hashicorp/vault/api/auth/approle v0.4.0 h1:tjJHoUkPx8zRoFlFy86uvgg/1gpTnDPp0t0BYWTKjjw=
github.com/hashicorp/vault/api/auth/approle v0.4.0/go.mod h1:D2gEpR0aS/F/MEcSjmhUlOsuK1RMVZojsnIQAEf0EV0=
github.com/hashicorp/vault/sdk v0.11.1 h1:mH/MYHBSrl594e+KT6Qhj5+kTmG02n1aZ3mYwCL0mdI=
@@ -200,11 +202,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -214,6 +218,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -221,6 +227,7 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -241,15 +248,23 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -260,6 +275,7 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -278,8 +294,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
diff --git a/vendor/gopkg.in/square/go-jose.v2/.gitignore b/vendor/github.com/go-jose/go-jose/v3/.gitignore
similarity index 50%
rename from vendor/gopkg.in/square/go-jose.v2/.gitignore
rename to vendor/github.com/go-jose/go-jose/v3/.gitignore
index 95a8515..eb29eba 100644
--- a/vendor/gopkg.in/square/go-jose.v2/.gitignore
+++ b/vendor/github.com/go-jose/go-jose/v3/.gitignore
@@ -1,8 +1,2 @@
-*~
-.*.swp
-*.out
-*.test
-*.pem
-*.cov
jose-util/jose-util
jose-util.t.err
\ No newline at end of file
diff --git a/vendor/github.com/go-jose/go-jose/v3/.golangci.yml b/vendor/github.com/go-jose/go-jose/v3/.golangci.yml
new file mode 100644
index 0000000..2a577a8
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v3/.golangci.yml
@@ -0,0 +1,53 @@
+# https://github.com/golangci/golangci-lint
+
+run:
+ skip-files:
+ - doc_test.go
+ modules-download-mode: readonly
+
+linters:
+ enable-all: true
+ disable:
+ - gochecknoglobals
+ - goconst
+ - lll
+ - maligned
+ - nakedret
+ - scopelint
+ - unparam
+ - funlen # added in 1.18 (requires go-jose changes before it can be enabled)
+
+linters-settings:
+ gocyclo:
+ min-complexity: 35
+
+issues:
+ exclude-rules:
+ - text: "don't use ALL_CAPS in Go names"
+ linters:
+ - golint
+ - text: "hardcoded credentials"
+ linters:
+ - gosec
+ - text: "weak cryptographic primitive"
+ linters:
+ - gosec
+ - path: json/
+ linters:
+ - dupl
+ - errcheck
+ - gocritic
+ - gocyclo
+ - golint
+ - govet
+ - ineffassign
+ - staticcheck
+ - structcheck
+ - stylecheck
+ - unused
+ - path: _test\.go
+ linters:
+ - scopelint
+ - path: jwk.go
+ linters:
+ - gocyclo
diff --git a/vendor/github.com/go-jose/go-jose/v3/.travis.yml b/vendor/github.com/go-jose/go-jose/v3/.travis.yml
new file mode 100644
index 0000000..48de631
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v3/.travis.yml
@@ -0,0 +1,33 @@
+language: go
+
+matrix:
+ fast_finish: true
+ allow_failures:
+ - go: tip
+
+go:
+ - "1.13.x"
+ - "1.14.x"
+ - tip
+
+before_script:
+ - export PATH=$HOME/.local/bin:$PATH
+
+before_install:
+ - go get -u github.com/mattn/goveralls github.com/wadey/gocovmerge
+ - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.18.0
+ - pip install cram --user
+
+script:
+ - go test -v -covermode=count -coverprofile=profile.cov .
+ - go test -v -covermode=count -coverprofile=cryptosigner/profile.cov ./cryptosigner
+ - go test -v -covermode=count -coverprofile=cipher/profile.cov ./cipher
+ - go test -v -covermode=count -coverprofile=jwt/profile.cov ./jwt
+ - go test -v ./json # no coverage for forked encoding/json package
+ - golangci-lint run
+ - cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t # cram tests jose-util
+ - cd ..
+
+after_success:
+ - gocovmerge *.cov */*.cov > merged.coverprofile
+ - goveralls -coverprofile merged.coverprofile -service=travis-ci
diff --git a/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
new file mode 100644
index 0000000..ce2a54e
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v3/CHANGELOG.md
@@ -0,0 +1,78 @@
+# v4.0.1
+
+## Fixed
+
+ - An attacker could send a JWE containing compressed data that used large
+ amounts of memory and CPU when decompressed by `Decrypt` or `DecryptMulti`.
+ Those functions now return an error if the decompressed data would exceed
+ 250kB or 10x the compressed size (whichever is larger). Thanks to
+ Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj)
+ for reporting.
+
+# v4.0.0
+
+This release makes some breaking changes in order to more thoroughly
+address the vulnerabilities discussed in [Three New Attacks Against JSON Web
+Tokens][1], "Sign/encrypt confusion", "Billion hash attack", and "Polyglot
+token".
+
+## Changed
+
+ - Limit JWT encryption types (exclude password or public key types) (#78)
+ - Enforce minimum length for HMAC keys (#85)
+ - jwt: match any audience in a list, rather than requiring all audiences (#81)
+ - jwt: accept only Compact Serialization (#75)
+ - jws: Add expected algorithms for signatures (#74)
+ - Require specifying expected algorithms for ParseEncrypted,
+ ParseSigned, ParseDetached, jwt.ParseEncrypted, jwt.ParseSigned,
+ jwt.ParseSignedAndEncrypted (#69, #74)
+ - Usually there is a small, known set of appropriate algorithms for a program
+ to use and it's a mistake to allow unexpected algorithms. For instance the
+ "billion hash attack" relies in part on programs accepting the PBES2
+ encryption algorithm and doing the necessary work even if they weren't
+ specifically configured to allow PBES2.
+ - Revert "Strip padding off base64 strings" (#82)
+ - The specs require base64url encoding without padding.
+ - Minimum supported Go version is now 1.21
+
+## Added
+
+ - ParseSignedCompact, ParseSignedJSON, ParseEncryptedCompact, ParseEncryptedJSON.
+ - These allow parsing a specific serialization, as opposed to ParseSigned and
+ ParseEncrypted, which try to automatically detect which serialization was
+ provided. It's common to require a specific serialization for a specific
+ protocol - for instance JWT requires Compact serialization.
+
+[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
+
+# v3.0.3
+
+## Fixed
+
+ - Limit decompression output size to prevent a DoS. Backport from v4.0.1.
+
+# v3.0.2
+
+## Fixed
+
+ - DecryptMulti: handle decompression error (#19)
+
+## Changed
+
+ - jwe/CompactSerialize: improve performance (#67)
+ - Increase the default number of PBKDF2 iterations to 600k (#48)
+ - Return the proper algorithm for ECDSA keys (#45)
+
+## Added
+
+ - Add Thumbprint support for opaque signers (#38)
+
+# v3.0.1
+
+## Fixed
+
+ - Security issue: an attacker specifying a large "p2c" value can cause
+ JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large
+ amounts of CPU, causing a DoS. Thanks to Matt Schwager (@mschwager) for the
+ disclosure and to Tom Tervoort for originally publishing the category of attack.
+ https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
diff --git a/vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md b/vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md
similarity index 75%
rename from vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md
rename to vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md
index 61b1836..b63e1f8 100644
--- a/vendor/gopkg.in/square/go-jose.v2/CONTRIBUTING.md
+++ b/vendor/github.com/go-jose/go-jose/v3/CONTRIBUTING.md
@@ -9,6 +9,7 @@ sure all tests pass by running `go test`, and format your code with `go fmt`.
We also recommend using `golint` and `errcheck`.
Before your code can be accepted into the project you must also sign the
-[Individual Contributor License Agreement][1].
+Individual Contributor License Agreement. We use [cla-assistant.io][1] and you
+will be prompted to sign once a pull request is opened.
- [1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
+[1]: https://cla-assistant.io/
diff --git a/vendor/gopkg.in/square/go-jose.v2/LICENSE b/vendor/github.com/go-jose/go-jose/v3/LICENSE
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/LICENSE
rename to vendor/github.com/go-jose/go-jose/v3/LICENSE
diff --git a/vendor/gopkg.in/square/go-jose.v2/README.md b/vendor/github.com/go-jose/go-jose/v3/README.md
similarity index 55%
rename from vendor/gopkg.in/square/go-jose.v2/README.md
rename to vendor/github.com/go-jose/go-jose/v3/README.md
index 1791bfa..282cd9e 100644
--- a/vendor/gopkg.in/square/go-jose.v2/README.md
+++ b/vendor/github.com/go-jose/go-jose/v3/README.md
@@ -1,10 +1,17 @@
-# Go JOSE
+# Go JOSE
-[](https://godoc.org/gopkg.in/square/go-jose.v1)
-[](https://godoc.org/gopkg.in/square/go-jose.v2)
-[](https://raw.githubusercontent.com/square/go-jose/master/LICENSE)
-[](https://travis-ci.org/square/go-jose)
-[](https://coveralls.io/r/square/go-jose)
+### Versions
+
+[Version 4](https://github.com/go-jose/go-jose)
+([branch](https://github.com/go-jose/go-jose/),
+[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
+
+ import "github.com/go-jose/go-jose/v4"
+
+The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
+are deprecated.
+
+### Summary
Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. This includes support for JSON Web Encryption,
@@ -21,13 +28,13 @@ US maintained blocked list.
## Overview
The implementation follows the
-[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516) (RFC 7516),
-[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515) (RFC 7515), and
-[JSON Web Token](http://dx.doi.org/10.17487/RFC7519) (RFC 7519).
+[JSON Web Encryption](https://dx.doi.org/10.17487/RFC7516) (RFC 7516),
+[JSON Web Signature](https://dx.doi.org/10.17487/RFC7515) (RFC 7515), and
+[JSON Web Token](https://dx.doi.org/10.17487/RFC7519) (RFC 7519) specifications.
Tables of supported algorithms are shown below. The library supports both
-the compact and full serialization formats, and has optional support for
+the compact and JWS/JWE JSON Serialization formats, and has optional support for
multiple recipients. It also comes with a small command-line utility
-([`jose-util`](https://github.com/square/go-jose/tree/v2/jose-util))
+([`jose-util`](https://pkg.go.dev/github.com/go-jose/go-jose/jose-util))
for dealing with JOSE messages in a shell.
**Note**: We use a forked version of the `encoding/json` package from the Go
@@ -36,27 +43,10 @@ of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/curren
This is to avoid differences in interpretation of messages between go-jose and
libraries in other languages.
-### Versions
-
-We use [gopkg.in](https://gopkg.in) for versioning.
-
-[Version 2](https://gopkg.in/square/go-jose.v2)
-([branch](https://github.com/square/go-jose/tree/v2),
-[doc](https://godoc.org/gopkg.in/square/go-jose.v2)) is the current version:
-
- import "gopkg.in/square/go-jose.v2"
-
-The old `v1` branch ([go-jose.v1](https://gopkg.in/square/go-jose.v1)) will
-still receive backported bug fixes and security fixes, but otherwise
-development is frozen. All new feature development takes place on the `v2`
-branch. Version 2 also contains additional sub-packages such as the
-[jwt](https://godoc.org/gopkg.in/square/go-jose.v2/jwt) implementation
-contributed by [@shaxbee](https://github.com/shaxbee).
-
### Supported algorithms
See below for a table of supported algorithms. Algorithm identifiers match
-the names in the [JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518)
+the names in the [JSON Web Algorithms](https://dx.doi.org/10.17487/RFC7518)
standard where possible. The Godoc reference has a list of constants.
Key encryption | Algorithm identifier(s)
@@ -84,7 +74,7 @@ standard where possible. The Godoc reference has a list of constants.
Content encryption | Algorithm identifier(s)
:------------------------- | :------------------------------
AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- AES-GCM | A128GCM, A192GCM, A256GCM
+ AES-GCM | A128GCM, A192GCM, A256GCM
Compression | Algorithm identifiers(s)
:------------------------- | -------------------------------
@@ -99,20 +89,20 @@ allows attaching a key id.
Algorithm(s) | Corresponding types
:------------------------- | -------------------------------
- RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey)
- ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey)
- EdDSA1 | [ed25519.PublicKey](https://godoc.org/golang.org/x/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://godoc.org/golang.org/x/crypto/ed25519#PrivateKey)
+ RSA | *[rsa.PublicKey](https://pkg.go.dev/crypto/rsa/#PublicKey), *[rsa.PrivateKey](https://pkg.go.dev/crypto/rsa/#PrivateKey)
+ ECDH, ECDSA | *[ecdsa.PublicKey](https://pkg.go.dev/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](https://pkg.go.dev/crypto/ecdsa/#PrivateKey)
+ EdDSA1 | [ed25519.PublicKey](https://pkg.go.dev/crypto/ed25519#PublicKey), [ed25519.PrivateKey](https://pkg.go.dev/crypto/ed25519#PrivateKey)
AES, HMAC | []byte
-1. Only available in version 2 of the package
+1. Only available in version 2 or later of the package
## Examples
-[](https://godoc.org/gopkg.in/square/go-jose.v1)
-[](https://godoc.org/gopkg.in/square/go-jose.v2)
+[](https://pkg.go.dev/github.com/go-jose/go-jose/v3)
+[](https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt)
Examples can be found in the Godoc
reference for this package. The
-[`jose-util`](https://github.com/square/go-jose/tree/v2/jose-util)
+[`jose-util`](https://github.com/go-jose/go-jose/tree/v3/jose-util)
subdirectory also contains a small command-line utility which might be useful
-as an example.
+as an example as well.
diff --git a/vendor/github.com/go-jose/go-jose/v3/SECURITY.md b/vendor/github.com/go-jose/go-jose/v3/SECURITY.md
new file mode 100644
index 0000000..2f18a75
--- /dev/null
+++ b/vendor/github.com/go-jose/go-jose/v3/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+This document explains how to contact the Let's Encrypt security team to report security vulnerabilities.
+
+## Supported Versions
+| Version | Supported |
+| ------- | ----------|
+| >= v3 | ✓ |
+| v2 | ✗ |
+| v1 | ✗ |
+
+## Reporting a vulnerability
+
+Please see [https://letsencrypt.org/contact/#security](https://letsencrypt.org/contact/#security) for the email address to report a vulnerability. Ensure that the subject line for your report contains the word `vulnerability` and is descriptive. Your email should be acknowledged within 24 hours. If you do not receive a response within 24 hours, please follow-up again with another email.
diff --git a/vendor/gopkg.in/square/go-jose.v2/asymmetric.go b/vendor/github.com/go-jose/go-jose/v3/asymmetric.go
similarity index 92%
rename from vendor/gopkg.in/square/go-jose.v2/asymmetric.go
rename to vendor/github.com/go-jose/go-jose/v3/asymmetric.go
index b69aa03..d4d4961 100644
--- a/vendor/gopkg.in/square/go-jose.v2/asymmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v3/asymmetric.go
@@ -20,6 +20,7 @@ import (
"crypto"
"crypto/aes"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"crypto/sha1"
@@ -28,9 +29,8 @@ import (
"fmt"
"math/big"
- "golang.org/x/crypto/ed25519"
- josecipher "gopkg.in/square/go-jose.v2/cipher"
- "gopkg.in/square/go-jose.v2/json"
+ josecipher "github.com/go-jose/go-jose/v3/cipher"
+ "github.com/go-jose/go-jose/v3/json"
)
// A generic RSA-based encrypter/verifier
@@ -285,6 +285,9 @@ func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm
switch alg {
case RS256, RS384, RS512:
+ // TODO(https://github.com/go-jose/go-jose/issues/40): As of go1.20, the
+ // random parameter is legacy and ignored, and it can be nil.
+ // https://cs.opensource.google/go/go/+/refs/tags/go1.20:src/crypto/rsa/pkcs1v15.go;l=263;bpv=0;bpt=1
out, err = rsa.SignPKCS1v15(RandReader, ctx.privateKey, hash, hashed)
case PS256, PS384, PS512:
out, err = rsa.SignPSS(RandReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
@@ -413,28 +416,28 @@ func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
epk, err := headers.getEPK()
if err != nil {
- return nil, errors.New("square/go-jose: invalid epk header")
+ return nil, errors.New("go-jose/go-jose: invalid epk header")
}
if epk == nil {
- return nil, errors.New("square/go-jose: missing epk header")
+ return nil, errors.New("go-jose/go-jose: missing epk header")
}
publicKey, ok := epk.Key.(*ecdsa.PublicKey)
if publicKey == nil || !ok {
- return nil, errors.New("square/go-jose: invalid epk header")
+ return nil, errors.New("go-jose/go-jose: invalid epk header")
}
if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
- return nil, errors.New("square/go-jose: invalid public key in epk header")
+ return nil, errors.New("go-jose/go-jose: invalid public key in epk header")
}
apuData, err := headers.getAPU()
if err != nil {
- return nil, errors.New("square/go-jose: invalid apu header")
+ return nil, errors.New("go-jose/go-jose: invalid apu header")
}
apvData, err := headers.getAPV()
if err != nil {
- return nil, errors.New("square/go-jose: invalid apv header")
+ return nil, errors.New("go-jose/go-jose: invalid apv header")
}
deriveKey := func(algID string, size int) []byte {
@@ -489,7 +492,7 @@ func (ctx edEncrypterVerifier) verifyPayload(payload []byte, signature []byte, a
}
ok := ed25519.Verify(ctx.publicKey, payload, signature)
if !ok {
- return errors.New("square/go-jose: ed25519 signature failed to verify")
+ return errors.New("go-jose/go-jose: ed25519 signature failed to verify")
}
return nil
}
@@ -513,7 +516,7 @@ func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm)
curveBits := ctx.privateKey.Curve.Params().BitSize
if expectedBitSize != curveBits {
- return Signature{}, fmt.Errorf("square/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
+ return Signature{}, fmt.Errorf("go-jose/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
}
hasher := hash.New()
@@ -571,7 +574,7 @@ func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, a
}
if len(signature) != 2*keySize {
- return fmt.Errorf("square/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
+ return fmt.Errorf("go-jose/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
}
hasher := hash.New()
@@ -585,7 +588,7 @@ func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, a
match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
if !match {
- return errors.New("square/go-jose: ecdsa signature failed to verify")
+ return errors.New("go-jose/go-jose: ecdsa signature failed to verify")
}
return nil
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go b/vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go
similarity index 91%
rename from vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
rename to vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go
index f6465c0..af029ce 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
+++ b/vendor/github.com/go-jose/go-jose/v3/cipher/cbc_hmac.go
@@ -101,23 +101,23 @@ func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
// Open decrypts and authenticates the ciphertext.
func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
if len(ciphertext) < ctx.authtagBytes {
- return nil, errors.New("square/go-jose: invalid ciphertext (too short)")
+ return nil, errors.New("go-jose/go-jose: invalid ciphertext (too short)")
}
offset := len(ciphertext) - ctx.authtagBytes
expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
if match != 1 {
- return nil, errors.New("square/go-jose: invalid ciphertext (auth tag mismatch)")
+ return nil, errors.New("go-jose/go-jose: invalid ciphertext (auth tag mismatch)")
}
cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
// Make copy of ciphertext buffer, don't want to modify in place
- buffer := append([]byte{}, []byte(ciphertext[:offset])...)
+ buffer := append([]byte{}, ciphertext[:offset]...)
if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
- return nil, errors.New("square/go-jose: invalid ciphertext (invalid length)")
+ return nil, errors.New("go-jose/go-jose: invalid ciphertext (invalid length)")
}
cbc.CryptBlocks(buffer, buffer)
@@ -177,19 +177,19 @@ func padBuffer(buffer []byte, blockSize int) []byte {
// Remove padding
func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
if len(buffer)%blockSize != 0 {
- return nil, errors.New("square/go-jose: invalid padding")
+ return nil, errors.New("go-jose/go-jose: invalid padding")
}
last := buffer[len(buffer)-1]
count := int(last)
if count == 0 || count > blockSize || count > len(buffer) {
- return nil, errors.New("square/go-jose: invalid padding")
+ return nil, errors.New("go-jose/go-jose: invalid padding")
}
padding := bytes.Repeat([]byte{last}, count)
if !bytes.HasSuffix(buffer, padding) {
- return nil, errors.New("square/go-jose: invalid padding")
+ return nil, errors.New("go-jose/go-jose: invalid padding")
}
return buffer[:len(buffer)-count], nil
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go b/vendor/github.com/go-jose/go-jose/v3/cipher/concat_kdf.go
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
rename to vendor/github.com/go-jose/go-jose/v3/cipher/concat_kdf.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go b/vendor/github.com/go-jose/go-jose/v3/cipher/ecdh_es.go
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
rename to vendor/github.com/go-jose/go-jose/v3/cipher/ecdh_es.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go b/vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go
similarity index 88%
rename from vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go
rename to vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go
index 1d36d50..b9effbc 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/key_wrap.go
+++ b/vendor/github.com/go-jose/go-jose/v3/cipher/key_wrap.go
@@ -28,7 +28,7 @@ var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
if len(cek)%8 != 0 {
- return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
+ return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
}
n := len(cek) / 8
@@ -51,7 +51,7 @@ func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
binary.BigEndian.PutUint64(tBytes, uint64(t+1))
for i := 0; i < 8; i++ {
- buffer[i] = buffer[i] ^ tBytes[i]
+ buffer[i] ^= tBytes[i]
}
copy(r[t%n], buffer[8:])
}
@@ -68,7 +68,7 @@ func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
if len(ciphertext)%8 != 0 {
- return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
+ return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
}
n := (len(ciphertext) / 8) - 1
@@ -87,7 +87,7 @@ func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
binary.BigEndian.PutUint64(tBytes, uint64(t+1))
for i := 0; i < 8; i++ {
- buffer[i] = buffer[i] ^ tBytes[i]
+ buffer[i] ^= tBytes[i]
}
copy(buffer[8:], r[t%n])
@@ -97,7 +97,7 @@ func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
}
if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
- return nil, errors.New("square/go-jose: failed to unwrap key")
+ return nil, errors.New("go-jose/go-jose: failed to unwrap key")
}
out := make([]byte, n*8)
diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/github.com/go-jose/go-jose/v3/crypter.go
similarity index 76%
rename from vendor/gopkg.in/square/go-jose.v2/crypter.go
rename to vendor/github.com/go-jose/go-jose/v3/crypter.go
index be7433e..8870e89 100644
--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
+++ b/vendor/github.com/go-jose/go-jose/v3/crypter.go
@@ -21,9 +21,8 @@ import (
"crypto/rsa"
"errors"
"fmt"
- "reflect"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// Encrypter represents an encrypter which produces an encrypted JWE object.
@@ -76,14 +75,24 @@ type recipientKeyInfo struct {
type EncrypterOptions struct {
Compression CompressionAlgorithm
- // Optional map of additional keys to be inserted into the protected header
- // of a JWS object. Some specifications which make use of JWS like to insert
- // additional values here. All values must be JSON-serializable.
+ // Optional map of name/value pairs to be inserted into the protected
+ // header of a JWS object. Some specifications which make use of
+ // JWS require additional values here.
+ //
+ // Values will be serialized by [json.Marshal] and must be valid inputs to
+ // that function.
+ //
+ // [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
ExtraHeaders map[HeaderKey]interface{}
}
// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
-// if necessary. It returns itself and so can be used in a fluent style.
+// if necessary, and returns the updated EncrypterOptions.
+//
+// The v parameter will be serialized by [json.Marshal] and must be a valid
+// input to that function.
+//
+// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions {
if eo.ExtraHeaders == nil {
eo.ExtraHeaders = map[HeaderKey]interface{}{}
@@ -111,7 +120,17 @@ func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions {
// default of 100000 will be used for the count and a 128-bit random salt will
// be generated.
type Recipient struct {
- Algorithm KeyAlgorithm
+ Algorithm KeyAlgorithm
+ // Key must have one of these types:
+ // - ed25519.PublicKey
+ // - *ecdsa.PublicKey
+ // - *rsa.PublicKey
+ // - *JSONWebKey
+ // - JSONWebKey
+ // - []byte (a symmetric key)
+ // - Any type that satisfies the OpaqueKeyEncrypter interface
+ //
+ // The type of Key must match the value of Algorithm.
Key interface{}
KeyID string
PBES2Count int
@@ -150,16 +169,17 @@ func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions)
switch rcpt.Algorithm {
case DIRECT:
// Direct encryption mode must be treated differently
- if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) {
+ keyBytes, ok := rawKey.([]byte)
+ if !ok {
return nil, ErrUnsupportedKeyType
}
- if encrypter.cipher.keySize() != len(rawKey.([]byte)) {
+ if encrypter.cipher.keySize() != len(keyBytes) {
return nil, ErrInvalidKeySize
}
encrypter.keyGenerator = staticKeyGenerator{
- key: rawKey.([]byte),
+ key: keyBytes,
}
- recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, rawKey.([]byte))
+ recipientInfo, _ := newSymmetricRecipient(rcpt.Algorithm, keyBytes)
recipientInfo.keyID = keyID
if rcpt.KeyID != "" {
recipientInfo.keyID = rcpt.KeyID
@@ -168,16 +188,16 @@ func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions)
return encrypter, nil
case ECDH_ES:
// ECDH-ES (w/o key wrapping) is similar to DIRECT mode
- typeOf := reflect.TypeOf(rawKey)
- if typeOf != reflect.TypeOf(&ecdsa.PublicKey{}) {
+ keyDSA, ok := rawKey.(*ecdsa.PublicKey)
+ if !ok {
return nil, ErrUnsupportedKeyType
}
encrypter.keyGenerator = ecKeyGenerator{
size: encrypter.cipher.keySize(),
algID: string(enc),
- publicKey: rawKey.(*ecdsa.PublicKey),
+ publicKey: keyDSA,
}
- recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, rawKey.(*ecdsa.PublicKey))
+ recipientInfo, _ := newECDHRecipient(rcpt.Algorithm, keyDSA)
recipientInfo.keyID = keyID
if rcpt.KeyID != "" {
recipientInfo.keyID = rcpt.KeyID
@@ -201,8 +221,8 @@ func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *Encrypter
if cipher == nil {
return nil, ErrUnsupportedAlgorithm
}
- if rcpts == nil || len(rcpts) == 0 {
- return nil, fmt.Errorf("square/go-jose: recipients is nil or empty")
+ if len(rcpts) == 0 {
+ return nil, fmt.Errorf("go-jose/go-jose: recipients is nil or empty")
}
encrypter := &genericEncrypter{
@@ -234,7 +254,7 @@ func (ctx *genericEncrypter) addRecipient(recipient Recipient) (err error) {
switch recipient.Algorithm {
case DIRECT, ECDH_ES:
- return fmt.Errorf("square/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
+ return fmt.Errorf("go-jose/go-jose: key algorithm '%s' not supported in multi-recipient mode", recipient.Algorithm)
}
recipientInfo, err = makeJWERecipient(recipient.Algorithm, recipient.Key)
@@ -270,9 +290,8 @@ func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKey
recipient, err := makeJWERecipient(alg, encryptionKey.Key)
recipient.keyID = encryptionKey.KeyID
return recipient, err
- }
- if encrypter, ok := encryptionKey.(OpaqueKeyEncrypter); ok {
- return newOpaqueKeyEncrypter(alg, encrypter)
+ case OpaqueKeyEncrypter:
+ return newOpaqueKeyEncrypter(alg, encryptionKey)
}
return recipientKeyInfo{}, ErrUnsupportedKeyType
}
@@ -300,11 +319,11 @@ func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {
return newDecrypter(decryptionKey.Key)
case *JSONWebKey:
return newDecrypter(decryptionKey.Key)
+ case OpaqueKeyDecrypter:
+ return &opaqueKeyDecrypter{decrypter: decryptionKey}, nil
+ default:
+ return nil, ErrUnsupportedKeyType
}
- if okd, ok := decryptionKey.(OpaqueKeyDecrypter); ok {
- return &opaqueKeyDecrypter{decrypter: okd}, nil
- }
- return nil, ErrUnsupportedKeyType
}
// Implementation of encrypt method producing a JWE object.
@@ -326,7 +345,7 @@ func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWe
obj.recipients = make([]recipientInfo, len(ctx.recipients))
if len(ctx.recipients) == 0 {
- return nil, fmt.Errorf("square/go-jose: no recipients to encrypt to")
+ return nil, fmt.Errorf("go-jose/go-jose: no recipients to encrypt to")
}
cek, headers, err := ctx.keyGenerator.genKey()
@@ -403,33 +422,52 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
}
}
-// Decrypt and validate the object and return the plaintext. Note that this
-// function does not support multi-recipient, if you desire multi-recipient
+// Decrypt and validate the object and return the plaintext. This
+// function does not support multi-recipient. If you desire multi-recipient
// decryption use DecryptMulti instead.
+//
+// The decryptionKey argument must contain a private or symmetric key
+// and must have one of these types:
+// - *ecdsa.PrivateKey
+// - *rsa.PrivateKey
+// - *JSONWebKey
+// - JSONWebKey
+// - *JSONWebKeySet
+// - JSONWebKeySet
+// - []byte (a symmetric key)
+// - string (a symmetric key)
+// - Any type that satisfies the OpaqueKeyDecrypter interface.
+//
+// Note that ed25519 is only available for signatures, not encryption, so is
+// not an option here.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
headers := obj.mergedHeaders(nil)
if len(obj.recipients) > 1 {
- return nil, errors.New("square/go-jose: too many recipients in payload; expecting only one")
+ return nil, errors.New("go-jose/go-jose: too many recipients in payload; expecting only one")
}
critical, err := headers.getCritical()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid crit header")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
}
if len(critical) > 0 {
- return nil, fmt.Errorf("square/go-jose: unsupported crit header")
+ return nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
}
- decrypter, err := newDecrypter(decryptionKey)
+ key := tryJWKS(decryptionKey, obj.Header)
+ decrypter, err := newDecrypter(key)
if err != nil {
return nil, err
}
cipher := getContentCipher(headers.getEncryption())
if cipher == nil {
- return nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
+ return nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(headers.getEncryption()))
}
generator := randomKeyGenerator{
@@ -461,28 +499,38 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
// The "zip" header parameter may only be present in the protected header.
if comp := obj.protected.getCompression(); comp != "" {
plaintext, err = decompress(comp, plaintext)
+ if err != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %v", err)
+ }
}
- return plaintext, err
+ return plaintext, nil
}
// DecryptMulti decrypts and validates the object and returns the plaintexts,
// with support for multiple recipients. It returns the index of the recipient
// for which the decryption was successful, the merged headers for that recipient,
// and the plaintext.
+//
+// The decryptionKey argument must have one of the types allowed for the
+// decryptionKey argument of Decrypt().
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
globalHeaders := obj.mergedHeaders(nil)
critical, err := globalHeaders.getCritical()
if err != nil {
- return -1, Header{}, nil, fmt.Errorf("square/go-jose: invalid crit header")
+ return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: invalid crit header")
}
if len(critical) > 0 {
- return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported crit header")
+ return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported crit header")
}
- decrypter, err := newDecrypter(decryptionKey)
+ key := tryJWKS(decryptionKey, obj.Header)
+ decrypter, err := newDecrypter(key)
if err != nil {
return -1, Header{}, nil, err
}
@@ -490,7 +538,7 @@ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Heade
encryption := globalHeaders.getEncryption()
cipher := getContentCipher(encryption)
if cipher == nil {
- return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(encryption))
+ return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: unsupported enc value '%s'", string(encryption))
}
generator := randomKeyGenerator{
@@ -524,18 +572,21 @@ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Heade
}
}
- if plaintext == nil || err != nil {
+ if plaintext == nil {
return -1, Header{}, nil, ErrCryptoFailure
}
// The "zip" header parameter may only be present in the protected header.
if comp := obj.protected.getCompression(); comp != "" {
plaintext, err = decompress(comp, plaintext)
+ if err != nil {
+ return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to decompress plaintext: %v", err)
+ }
}
sanitized, err := headers.sanitized()
if err != nil {
- return -1, Header{}, nil, fmt.Errorf("square/go-jose: failed to sanitize header: %v", err)
+ return -1, Header{}, nil, fmt.Errorf("go-jose/go-jose: failed to sanitize header: %v", err)
}
return index, sanitized, plaintext, err
diff --git a/vendor/gopkg.in/square/go-jose.v2/doc.go b/vendor/github.com/go-jose/go-jose/v3/doc.go
similarity index 84%
rename from vendor/gopkg.in/square/go-jose.v2/doc.go
rename to vendor/github.com/go-jose/go-jose/v3/doc.go
index dd1387f..0ad40ca 100644
--- a/vendor/gopkg.in/square/go-jose.v2/doc.go
+++ b/vendor/github.com/go-jose/go-jose/v3/doc.go
@@ -15,13 +15,11 @@
*/
/*
-
Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. It implements encryption and signing based on
-the JSON Web Encryption and JSON Web Signature standards, with optional JSON
-Web Token support available in a sub-package. The library supports both the
-compact and full serialization formats, and has optional support for multiple
+the JSON Web Encryption and JSON Web Signature standards, with optional JSON Web
+Token support available in a sub-package. The library supports both the compact
+and JWS/JWE JSON Serialization formats, and has optional support for multiple
recipients.
-
*/
package jose
diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
similarity index 72%
rename from vendor/gopkg.in/square/go-jose.v2/encoding.go
rename to vendor/github.com/go-jose/go-jose/v3/encoding.go
index 70f7385..9f07cfd 100644
--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
+++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
@@ -21,12 +21,13 @@ import (
"compress/flate"
"encoding/base64"
"encoding/binary"
+ "fmt"
"io"
"math/big"
"strings"
"unicode"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// Helper function to serialize known-good objects.
@@ -41,7 +42,7 @@ func mustSerializeJSON(value interface{}) []byte {
// MarshalJSON will happily serialize it as the top-level value "null". If
// that value is then embedded in another operation, for instance by being
// base64-encoded and fed as input to a signing algorithm
- // (https://github.com/square/go-jose/issues/22), the result will be
+ // (https://github.com/go-jose/go-jose/issues/22), the result will be
// incorrect. Because this method is intended for known-good objects, and a nil
// pointer is not a known-good object, we are free to panic in this case.
// Note: It's not possible to directly check whether the data pointed at by an
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
}
}
-// Compress with DEFLATE
+// deflate compresses the input.
func deflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
return output.Bytes(), err
}
-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger.
func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
- _, err := io.Copy(output, reader)
- if err != nil {
+ maxCompressedSize := 10 * int64(len(input))
+ if maxCompressedSize < 250000 {
+ maxCompressedSize = 250000
+ }
+
+ limit := maxCompressedSize + 1
+ n, err := io.CopyN(output, reader, limit)
+ if err != nil && err != io.EOF {
return nil, err
}
+ if n == limit {
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+ }
err = reader.Close()
return output.Bytes(), err
@@ -127,7 +140,7 @@ func newBuffer(data []byte) *byteBuffer {
func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
if len(data) > length {
- panic("square/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
+ panic("go-jose/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
}
pad := make([]byte, length-len(data))
return newBuffer(append(pad, data...))
@@ -154,7 +167,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error {
return nil
}
- decoded, err := base64.RawURLEncoding.DecodeString(encoded)
+ decoded, err := base64URLDecode(encoded)
if err != nil {
return err
}
@@ -183,3 +196,42 @@ func (b byteBuffer) bigInt() *big.Int {
func (b byteBuffer) toInt() int {
return int(b.bigInt().Int64())
}
+
+// base64URLDecode is implemented as defined in https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
+func base64URLDecode(value string) ([]byte, error) {
+ value = strings.TrimRight(value, "=")
+ return base64.RawURLEncoding.DecodeString(value)
+}
+
+func base64EncodeLen(sl []byte) int {
+ return base64.RawURLEncoding.EncodedLen(len(sl))
+}
+
+func base64JoinWithDots(inputs ...[]byte) string {
+ if len(inputs) == 0 {
+ return ""
+ }
+
+ // Count of dots.
+ totalCount := len(inputs) - 1
+
+ for _, input := range inputs {
+ totalCount += base64EncodeLen(input)
+ }
+
+ out := make([]byte, totalCount)
+ startEncode := 0
+ for i, input := range inputs {
+ base64.RawURLEncoding.Encode(out[startEncode:], input)
+
+ if i == len(inputs)-1 {
+ continue
+ }
+
+ startEncode += base64EncodeLen(input)
+ out[startEncode] = '.'
+ startEncode++
+ }
+
+ return string(out)
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/LICENSE b/vendor/github.com/go-jose/go-jose/v3/json/LICENSE
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/json/LICENSE
rename to vendor/github.com/go-jose/go-jose/v3/json/LICENSE
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/README.md b/vendor/github.com/go-jose/go-jose/v3/json/README.md
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/json/README.md
rename to vendor/github.com/go-jose/go-jose/v3/json/README.md
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/decode.go b/vendor/github.com/go-jose/go-jose/v3/json/decode.go
similarity index 99%
rename from vendor/gopkg.in/square/go-jose.v2/json/decode.go
rename to vendor/github.com/go-jose/go-jose/v3/json/decode.go
index 4dbc414..50634dd 100644
--- a/vendor/gopkg.in/square/go-jose.v2/json/decode.go
+++ b/vendor/github.com/go-jose/go-jose/v3/json/decode.go
@@ -75,14 +75,13 @@ import (
//
// The JSON null value unmarshals into an interface, map, pointer, or slice
// by setting that Go value to nil. Because null is often used in JSON to mean
-// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
+// “not present,” unmarshaling a JSON null into any other Go type has no effect
// on the value and produces no error.
//
// When unmarshaling quoted strings, invalid UTF-8 or
// invalid UTF-16 surrogate pairs are not treated as an error.
// Instead, they are replaced by the Unicode replacement
// character U+FFFD.
-//
func Unmarshal(data []byte, v interface{}) error {
// Check for well-formedness.
// Avoids filling out half a data structure
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/encode.go b/vendor/github.com/go-jose/go-jose/v3/json/encode.go
similarity index 98%
rename from vendor/gopkg.in/square/go-jose.v2/json/encode.go
rename to vendor/github.com/go-jose/go-jose/v3/json/encode.go
index 1dae8bb..98de68c 100644
--- a/vendor/gopkg.in/square/go-jose.v2/json/encode.go
+++ b/vendor/github.com/go-jose/go-jose/v3/json/encode.go
@@ -58,6 +58,7 @@ import (
// becomes a member of the object unless
// - the field's tag is "-", or
// - the field is empty and its tag specifies the "omitempty" option.
+//
// The empty values are false, 0, any
// nil pointer or interface value, and any array, slice, map, or string of
// length zero. The object's default key string is the struct field name
@@ -65,28 +66,28 @@ import (
// the struct field's tag value is the key name, followed by an optional comma
// and options. Examples:
//
-// // Field is ignored by this package.
-// Field int `json:"-"`
+// // Field is ignored by this package.
+// Field int `json:"-"`
//
-// // Field appears in JSON as key "myName".
-// Field int `json:"myName"`
+// // Field appears in JSON as key "myName".
+// Field int `json:"myName"`
//
-// // Field appears in JSON as key "myName" and
-// // the field is omitted from the object if its value is empty,
-// // as defined above.
-// Field int `json:"myName,omitempty"`
+// // Field appears in JSON as key "myName" and
+// // the field is omitted from the object if its value is empty,
+// // as defined above.
+// Field int `json:"myName,omitempty"`
//
-// // Field appears in JSON as key "Field" (the default), but
-// // the field is skipped if empty.
-// // Note the leading comma.
-// Field int `json:",omitempty"`
+// // Field appears in JSON as key "Field" (the default), but
+// // the field is skipped if empty.
+// // Note the leading comma.
+// Field int `json:",omitempty"`
//
// The "string" option signals that a field is stored as JSON inside a
// JSON-encoded string. It applies only to fields of string, floating point,
// integer, or boolean types. This extra level of encoding is sometimes used
// when communicating with JavaScript programs:
//
-// Int64String int64 `json:",string"`
+// Int64String int64 `json:",string"`
//
// The key name will be used if it's a non-empty string consisting of
// only Unicode letters, digits, dollar signs, percent signs, hyphens,
@@ -133,7 +134,6 @@ import (
// JSON cannot represent cyclic data structures and Marshal does not
// handle them. Passing cyclic structures to Marshal will result in
// an infinite recursion.
-//
func Marshal(v interface{}) ([]byte, error) {
e := &encodeState{}
err := e.marshal(v)
@@ -648,7 +648,7 @@ func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
// for large buffers, avoid unnecessary extra temporary
// buffer space.
enc := base64.NewEncoder(base64.StdEncoding, e)
- enc.Write(s)
+ _, _ = enc.Write(s)
enc.Close()
}
e.WriteByte('"')
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/indent.go b/vendor/github.com/go-jose/go-jose/v3/json/indent.go
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/json/indent.go
rename to vendor/github.com/go-jose/go-jose/v3/json/indent.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/scanner.go b/vendor/github.com/go-jose/go-jose/v3/json/scanner.go
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/json/scanner.go
rename to vendor/github.com/go-jose/go-jose/v3/json/scanner.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/stream.go b/vendor/github.com/go-jose/go-jose/v3/json/stream.go
similarity index 99%
rename from vendor/gopkg.in/square/go-jose.v2/json/stream.go
rename to vendor/github.com/go-jose/go-jose/v3/json/stream.go
index 9b2b926..f03b171 100644
--- a/vendor/gopkg.in/square/go-jose.v2/json/stream.go
+++ b/vendor/github.com/go-jose/go-jose/v3/json/stream.go
@@ -240,7 +240,6 @@ var _ Unmarshaler = (*RawMessage)(nil)
// Number, for JSON numbers
// string, for JSON string literals
// nil, for JSON null
-//
type Token interface{}
const (
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/tags.go b/vendor/github.com/go-jose/go-jose/v3/json/tags.go
similarity index 100%
rename from vendor/gopkg.in/square/go-jose.v2/json/tags.go
rename to vendor/github.com/go-jose/go-jose/v3/json/tags.go
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
similarity index 84%
rename from vendor/gopkg.in/square/go-jose.v2/jwe.go
rename to vendor/github.com/go-jose/go-jose/v3/jwe.go
index b5a6dcd..4267ac7 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
@@ -21,7 +21,7 @@ import (
"fmt"
"strings"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
@@ -86,11 +86,12 @@ func (obj JSONWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader {
func (obj JSONWebEncryption) computeAuthData() []byte {
var protected string
- if obj.original != nil && obj.original.Protected != nil {
+ switch {
+ case obj.original != nil && obj.original.Protected != nil:
protected = obj.original.Protected.base64()
- } else if obj.protected != nil {
+ case obj.protected != nil:
protected = base64.RawURLEncoding.EncodeToString(mustSerializeJSON((obj.protected)))
- } else {
+ default:
protected = ""
}
@@ -103,7 +104,7 @@ func (obj JSONWebEncryption) computeAuthData() []byte {
return output
}
-// ParseEncrypted parses an encrypted message in compact or full serialization format.
+// ParseEncrypted parses an encrypted message in compact or JWE JSON Serialization format.
func ParseEncrypted(input string) (*JSONWebEncryption, error) {
input = stripWhitespace(input)
if strings.HasPrefix(input, "{") {
@@ -146,7 +147,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
+ return nil, fmt.Errorf("go-jose/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
}
}
@@ -156,7 +157,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
mergedHeaders := obj.mergedHeaders(nil)
obj.Header, err = mergedHeaders.sanitized()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
+ return nil, fmt.Errorf("go-jose/go-jose: cannot sanitize merged headers: %v (%v)", err, mergedHeaders)
}
if len(parsed.Recipients) == 0 {
@@ -169,7 +170,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
} else {
obj.recipients = make([]recipientInfo, len(parsed.Recipients))
for r := range parsed.Recipients {
- encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
+ encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey)
if err != nil {
return nil, err
}
@@ -187,7 +188,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
for _, recipient := range obj.recipients {
headers := obj.mergedHeaders(&recipient)
if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
- return nil, fmt.Errorf("square/go-jose: message is missing alg/enc headers")
+ return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
}
}
@@ -203,30 +204,30 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
parts := strings.Split(input, ".")
if len(parts) != 5 {
- return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
}
- rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ rawProtected, err := base64URLDecode(parts[0])
if err != nil {
return nil, err
}
- encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
+ encryptedKey, err := base64URLDecode(parts[1])
if err != nil {
return nil, err
}
- iv, err := base64.RawURLEncoding.DecodeString(parts[2])
+ iv, err := base64URLDecode(parts[2])
if err != nil {
return nil, err
}
- ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
+ ciphertext, err := base64URLDecode(parts[3])
if err != nil {
return nil, err
}
- tag, err := base64.RawURLEncoding.DecodeString(parts[4])
+ tag, err := base64URLDecode(parts[4])
if err != nil {
return nil, err
}
@@ -251,13 +252,13 @@ func (obj JSONWebEncryption) CompactSerialize() (string, error) {
serializedProtected := mustSerializeJSON(obj.protected)
- return fmt.Sprintf(
- "%s.%s.%s.%s.%s",
- base64.RawURLEncoding.EncodeToString(serializedProtected),
- base64.RawURLEncoding.EncodeToString(obj.recipients[0].encryptedKey),
- base64.RawURLEncoding.EncodeToString(obj.iv),
- base64.RawURLEncoding.EncodeToString(obj.ciphertext),
- base64.RawURLEncoding.EncodeToString(obj.tag)), nil
+ return base64JoinWithDots(
+ serializedProtected,
+ obj.recipients[0].encryptedKey,
+ obj.iv,
+ obj.ciphertext,
+ obj.tag,
+ ), nil
}
// FullSerialize serializes an object using the full JSON serialization format.
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwk.go b/vendor/github.com/go-jose/go-jose/v3/jwk.go
similarity index 77%
rename from vendor/gopkg.in/square/go-jose.v2/jwk.go
rename to vendor/github.com/go-jose/go-jose/v3/jwk.go
index 222e260..e402195 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwk.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwk.go
@@ -20,6 +20,7 @@ import (
"bytes"
"crypto"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/elliptic"
"crypto/rsa"
"crypto/sha1"
@@ -34,9 +35,7 @@ import (
"reflect"
"strings"
- "golang.org/x/crypto/ed25519"
-
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@@ -63,14 +62,26 @@ type rawJSONWebKey struct {
Qi *byteBuffer `json:"qi,omitempty"`
// Certificates
X5c []string `json:"x5c,omitempty"`
- X5u *url.URL `json:"x5u,omitempty"`
+ X5u string `json:"x5u,omitempty"`
X5tSHA1 string `json:"x5t,omitempty"`
X5tSHA256 string `json:"x5t#S256,omitempty"`
}
-// JSONWebKey represents a public or private key in JWK format.
+// JSONWebKey represents a public or private key in JWK format. It can be
+// marshaled into JSON and unmarshaled from JSON.
type JSONWebKey struct {
- // Cryptographic key, can be a symmetric or asymmetric key.
+ // Key is the Go in-memory representation of this key. It must have one
+ // of these types:
+ // - ed25519.PublicKey
+ // - ed25519.PrivateKey
+ // - *ecdsa.PublicKey
+ // - *ecdsa.PrivateKey
+ // - *rsa.PublicKey
+ // - *rsa.PrivateKey
+ // - []byte (a symmetric key)
+ //
+ // When marshaling this JSONWebKey into JSON, the "kty" header parameter
+ // will be automatically set based on the type of this field.
Key interface{}
// Key identifier, parsed from `kid` header.
KeyID string
@@ -110,7 +121,7 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
case []byte:
raw, err = fromSymmetricKey(key)
default:
- return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+ return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
}
if err != nil {
@@ -129,13 +140,13 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
x5tSHA256Len := len(k.CertificateThumbprintSHA256)
if x5tSHA1Len > 0 {
if x5tSHA1Len != sha1.Size {
- return nil, fmt.Errorf("square/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
+ return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-1 thumbprint (must be %d bytes, not %d)", sha1.Size, x5tSHA1Len)
}
raw.X5tSHA1 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA1)
}
if x5tSHA256Len > 0 {
if x5tSHA256Len != sha256.Size {
- return nil, fmt.Errorf("square/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
+ return nil, fmt.Errorf("go-jose/go-jose: invalid SHA-256 thumbprint (must be %d bytes, not %d)", sha256.Size, x5tSHA256Len)
}
raw.X5tSHA256 = base64.RawURLEncoding.EncodeToString(k.CertificateThumbprintSHA256)
}
@@ -149,14 +160,16 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
expectedSHA256 := sha256.Sum256(k.Certificates[0].Raw)
if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(k.CertificateThumbprintSHA1, expectedSHA1[:]) {
- return nil, errors.New("square/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
+ return nil, errors.New("go-jose/go-jose: invalid SHA-1 thumbprint, does not match cert chain")
}
if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(k.CertificateThumbprintSHA256, expectedSHA256[:]) {
- return nil, errors.New("square/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
+ return nil, errors.New("go-jose/go-jose: invalid or SHA-256 thumbprint, does not match cert chain")
}
}
- raw.X5u = k.CertificatesURL
+ if k.CertificatesURL != nil {
+ raw.X5u = k.CertificatesURL.String()
+ }
return json.Marshal(raw)
}
@@ -171,7 +184,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
certs, err := parseCertificateChain(raw.X5c)
if err != nil {
- return fmt.Errorf("square/go-jose: failed to unmarshal x5c field: %s", err)
+ return fmt.Errorf("go-jose/go-jose: failed to unmarshal x5c field: %s", err)
}
var key interface{}
@@ -211,7 +224,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
}
case "oct":
if certPub != nil {
- return errors.New("square/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
+ return errors.New("go-jose/go-jose: invalid JWK, found 'oct' (symmetric) key with cert chain")
}
key, err = raw.symmetricKey()
case "OKP":
@@ -226,10 +239,10 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
keyPub = key
}
} else {
- err = fmt.Errorf("square/go-jose: unknown curve %s'", raw.Crv)
+ err = fmt.Errorf("go-jose/go-jose: unknown curve %s'", raw.Crv)
}
default:
- err = fmt.Errorf("square/go-jose: unknown json web key type '%s'", raw.Kty)
+ err = fmt.Errorf("go-jose/go-jose: unknown json web key type '%s'", raw.Kty)
}
if err != nil {
@@ -238,19 +251,24 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
if certPub != nil && keyPub != nil {
if !reflect.DeepEqual(certPub, keyPub) {
- return errors.New("square/go-jose: invalid JWK, public keys in key and x5c fields do not match")
+ return errors.New("go-jose/go-jose: invalid JWK, public keys in key and x5c fields do not match")
}
}
*k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use, Certificates: certs}
- k.CertificatesURL = raw.X5u
+ if raw.X5u != "" {
+ k.CertificatesURL, err = url.Parse(raw.X5u)
+ if err != nil {
+ return fmt.Errorf("go-jose/go-jose: invalid JWK, x5u header is invalid URL: %w", err)
+ }
+ }
// x5t parameters are base64url-encoded SHA thumbprints
// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
- x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
+ x5tSHA1bytes, err := base64URLDecode(raw.X5tSHA1)
if err != nil {
- return errors.New("square/go-jose: invalid JWK, x5t header has invalid encoding")
+ return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
}
// RFC 7517, Section 4.8 is ambiguous as to whether the digest output should be byte or hex,
@@ -260,7 +278,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
if len(x5tSHA1bytes) == 2*sha1.Size {
hx, err := hex.DecodeString(string(x5tSHA1bytes))
if err != nil {
- return fmt.Errorf("square/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
+ return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t: %v", err)
}
x5tSHA1bytes = hx
@@ -268,15 +286,15 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
k.CertificateThumbprintSHA1 = x5tSHA1bytes
- x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
+ x5tSHA256bytes, err := base64URLDecode(raw.X5tSHA256)
if err != nil {
- return errors.New("square/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
+ return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
}
if len(x5tSHA256bytes) == 2*sha256.Size {
hx256, err := hex.DecodeString(string(x5tSHA256bytes))
if err != nil {
- return fmt.Errorf("square/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
+ return fmt.Errorf("go-jose/go-jose: invalid JWK, unable to hex decode x5t#S256: %v", err)
}
x5tSHA256bytes = hx256
}
@@ -286,10 +304,10 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
x5tSHA1Len := len(k.CertificateThumbprintSHA1)
x5tSHA256Len := len(k.CertificateThumbprintSHA256)
if x5tSHA1Len > 0 && x5tSHA1Len != sha1.Size {
- return errors.New("square/go-jose: invalid JWK, x5t header is of incorrect size")
+ return errors.New("go-jose/go-jose: invalid JWK, x5t header is of incorrect size")
}
if x5tSHA256Len > 0 && x5tSHA256Len != sha256.Size {
- return errors.New("square/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
+ return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header is of incorrect size")
}
// If certificate chain *and* thumbprints are set, verify correctness.
@@ -299,11 +317,11 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
sha256sum := sha256.Sum256(leaf.Raw)
if len(k.CertificateThumbprintSHA1) > 0 && !bytes.Equal(sha1sum[:], k.CertificateThumbprintSHA1) {
- return errors.New("square/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
+ return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t value")
}
if len(k.CertificateThumbprintSHA256) > 0 && !bytes.Equal(sha256sum[:], k.CertificateThumbprintSHA256) {
- return errors.New("square/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
+ return errors.New("go-jose/go-jose: invalid JWK, x5c thumbprint does not match x5t#S256 value")
}
}
@@ -342,7 +360,7 @@ func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
}
if len(x.Bytes()) > coordLength || len(y.Bytes()) > coordLength {
- return "", errors.New("square/go-jose: invalid elliptic key (too large)")
+ return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
}
return fmt.Sprintf(ecThumbprintTemplate, crv,
@@ -359,7 +377,7 @@ func rsaThumbprintInput(n *big.Int, e int) (string, error) {
func edThumbprintInput(ed ed25519.PublicKey) (string, error) {
crv := "Ed25519"
if len(ed) > 32 {
- return "", errors.New("square/go-jose: invalid elliptic key (too large)")
+ return "", errors.New("go-jose/go-jose: invalid elliptic key (too large)")
}
return fmt.Sprintf(edThumbprintTemplate, crv,
newFixedSizeBuffer(ed, 32).base64()), nil
@@ -383,8 +401,10 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
input, err = rsaThumbprintInput(key.N, key.E)
case ed25519.PrivateKey:
input, err = edThumbprintInput(ed25519.PublicKey(key[32:]))
+ case OpaqueSigner:
+ return key.Public().Thumbprint(hash)
default:
- return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
+ return nil, fmt.Errorf("go-jose/go-jose: unknown key type '%s'", reflect.TypeOf(key))
}
if err != nil {
@@ -392,7 +412,7 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
}
h := hash.New()
- h.Write([]byte(input))
+ _, _ = h.Write([]byte(input))
return h.Sum(nil), nil
}
@@ -463,7 +483,7 @@ func (k *JSONWebKey) Valid() bool {
func (key rawJSONWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
if key.N == nil || key.E == nil {
- return nil, fmt.Errorf("square/go-jose: invalid RSA key, missing n/e values")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid RSA key, missing n/e values")
}
return &rsa.PublicKey{
@@ -498,29 +518,29 @@ func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
case "P-521":
curve = elliptic.P521()
default:
- return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
+ return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
}
if key.X == nil || key.Y == nil {
- return nil, errors.New("square/go-jose: invalid EC key, missing x/y values")
+ return nil, errors.New("go-jose/go-jose: invalid EC key, missing x/y values")
}
// The length of this octet string MUST be the full size of a coordinate for
// the curve specified in the "crv" parameter.
// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
if curveSize(curve) != len(key.X.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC public key, wrong length for x")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for x")
}
if curveSize(curve) != len(key.Y.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC public key, wrong length for y")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC public key, wrong length for y")
}
x := key.X.bigInt()
y := key.Y.bigInt()
if !curve.IsOnCurve(x, y) {
- return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
+ return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
}
return &ecdsa.PublicKey{
@@ -532,7 +552,7 @@ func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
if pub == nil || pub.X == nil || pub.Y == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC key (nil, or X/Y missing)")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (nil, or X/Y missing)")
}
name, err := curveName(pub.Curve)
@@ -546,7 +566,7 @@ func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJSONWebKey, error) {
yBytes := pub.Y.Bytes()
if len(xBytes) > size || len(yBytes) > size {
- return nil, fmt.Errorf("square/go-jose: invalid EC key (X/Y too large)")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC key (X/Y too large)")
}
key := &rawJSONWebKey{
@@ -569,7 +589,7 @@ func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
}
if len(missing) > 0 {
- return nil, fmt.Errorf("square/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
+ return nil, fmt.Errorf("go-jose/go-jose: invalid Ed25519 private key, missing %s value(s)", strings.Join(missing, ", "))
}
privateKey := make([]byte, ed25519.PrivateKeySize)
@@ -581,7 +601,7 @@ func (key rawJSONWebKey) edPrivateKey() (ed25519.PrivateKey, error) {
func (key rawJSONWebKey) edPublicKey() (ed25519.PublicKey, error) {
if key.X == nil {
- return nil, fmt.Errorf("square/go-jose: invalid Ed key, missing x value")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid Ed key, missing x value")
}
publicKey := make([]byte, ed25519.PublicKeySize)
copy(publicKey[0:32], key.X.bytes())
@@ -605,7 +625,7 @@ func (key rawJSONWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
}
if len(missing) > 0 {
- return nil, fmt.Errorf("square/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
+ return nil, fmt.Errorf("go-jose/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
}
rv := &rsa.PrivateKey{
@@ -675,34 +695,34 @@ func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
case "P-521":
curve = elliptic.P521()
default:
- return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
+ return nil, fmt.Errorf("go-jose/go-jose: unsupported elliptic curve '%s'", key.Crv)
}
if key.X == nil || key.Y == nil || key.D == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, missing x/y/d values")
}
// The length of this octet string MUST be the full size of a coordinate for
// the curve specified in the "crv" parameter.
// https://tools.ietf.org/html/rfc7518#section-6.2.1.2
if curveSize(curve) != len(key.X.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for x")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for x")
}
if curveSize(curve) != len(key.Y.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for y")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for y")
}
// https://tools.ietf.org/html/rfc7518#section-6.2.2.1
if dSize(curve) != len(key.D.data) {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, wrong length for d")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key, wrong length for d")
}
x := key.X.bigInt()
y := key.Y.bigInt()
if !curve.IsOnCurve(x, y) {
- return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
+ return nil, errors.New("go-jose/go-jose: invalid EC key, X/Y are not on declared curve")
}
return &ecdsa.PrivateKey{
@@ -722,7 +742,7 @@ func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJSONWebKey, error) {
}
if ec.D == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid EC private key")
}
raw.D = newFixedSizeBuffer(ec.D.Bytes(), dSize(ec.PublicKey.Curve))
@@ -740,7 +760,7 @@ func dSize(curve elliptic.Curve) int {
bitLen := order.BitLen()
size := bitLen / 8
if bitLen%8 != 0 {
- size = size + 1
+ size++
}
return size
}
@@ -754,7 +774,39 @@ func fromSymmetricKey(key []byte) (*rawJSONWebKey, error) {
func (key rawJSONWebKey) symmetricKey() ([]byte, error) {
if key.K == nil {
- return nil, fmt.Errorf("square/go-jose: invalid OCT (symmetric) key, missing k value")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid OCT (symmetric) key, missing k value")
}
return key.K.bytes(), nil
}
+
+func tryJWKS(key interface{}, headers ...Header) interface{} {
+ var jwks JSONWebKeySet
+
+ switch jwksType := key.(type) {
+ case *JSONWebKeySet:
+ jwks = *jwksType
+ case JSONWebKeySet:
+ jwks = jwksType
+ default:
+ return key
+ }
+
+ var kid string
+ for _, header := range headers {
+ if header.KeyID != "" {
+ kid = header.KeyID
+ break
+ }
+ }
+
+ if kid == "" {
+ return key
+ }
+
+ keys := jwks.Key(kid)
+ if len(keys) == 0 {
+ return key
+ }
+
+ return keys[0].Key
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
similarity index 90%
rename from vendor/gopkg.in/square/go-jose.v2/jws.go
rename to vendor/github.com/go-jose/go-jose/v3/jws.go
index 7e261f9..e37007d 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
@@ -23,7 +23,7 @@ import (
"fmt"
"strings"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@@ -75,7 +75,7 @@ type Signature struct {
original *rawSignatureInfo
}
-// ParseSigned parses a signed message in compact or full serialization format.
+// ParseSigned parses a signed message in compact or JWS JSON Serialization format.
func ParseSigned(signature string) (*JSONWebSignature, error) {
signature = stripWhitespace(signature)
if strings.HasPrefix(signature, "{") {
@@ -88,7 +88,7 @@ func ParseSigned(signature string) (*JSONWebSignature, error) {
// ParseDetached parses a signed message in compact serialization format with detached payload.
func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
if payload == nil {
- return nil, errors.New("square/go-jose: nil payload")
+ return nil, errors.New("go-jose/go-jose: nil payload")
}
return parseSignedCompact(stripWhitespace(signature), payload)
}
@@ -151,7 +151,7 @@ func parseSignedFull(input string) (*JSONWebSignature, error) {
// sanitized produces a cleaned-up JWS object from the raw JSON.
func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
if parsed.Payload == nil {
- return nil, fmt.Errorf("square/go-jose: missing payload in JWS message")
+ return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
}
obj := &JSONWebSignature{
@@ -215,7 +215,7 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
jwk := signature.Header.JSONWebKey
if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
- return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
+ return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
}
obj.Signatures = append(obj.Signatures, signature)
@@ -260,7 +260,7 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
// As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
jwk := obj.Signatures[i].Header.JSONWebKey
if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
- return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
+ return nil, errors.New("go-jose/go-jose: invalid embedded jwk, must be public key")
}
// Copy value of sig
@@ -277,26 +277,26 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
parts := strings.Split(input, ".")
if len(parts) != 3 {
- return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
}
if parts[1] != "" && payload != nil {
- return nil, fmt.Errorf("square/go-jose: payload is not detached")
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
}
- rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ rawProtected, err := base64URLDecode(parts[0])
if err != nil {
return nil, err
}
if payload == nil {
- payload, err = base64.RawURLEncoding.DecodeString(parts[1])
+ payload, err = base64URLDecode(parts[1])
if err != nil {
return nil, err
}
}
- signature, err := base64.RawURLEncoding.DecodeString(parts[2])
+ signature, err := base64URLDecode(parts[2])
if err != nil {
return nil, err
}
@@ -314,15 +314,18 @@ func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {
return "", ErrNotSupported
}
- serializedProtected := base64.RawURLEncoding.EncodeToString(mustSerializeJSON(obj.Signatures[0].protected))
- payload := ""
- signature := base64.RawURLEncoding.EncodeToString(obj.Signatures[0].Signature)
+ serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
+ var payload []byte
if !detached {
- payload = base64.RawURLEncoding.EncodeToString(obj.payload)
+ payload = obj.payload
}
- return fmt.Sprintf("%s.%s.%s", serializedProtected, payload, signature), nil
+ return base64JoinWithDots(
+ serializedProtected,
+ payload,
+ obj.Signatures[0].Signature,
+ ), nil
}
// CompactSerialize serializes an object using the compact serialization format.
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go b/vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
similarity index 97%
rename from vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
rename to vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
index 3afa903..7df270c 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwt/builder.go
@@ -21,9 +21,9 @@ import (
"bytes"
"reflect"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
- "gopkg.in/square/go-jose.v2"
+ "github.com/go-jose/go-jose/v3"
)
// Builder is a utility for making JSON Web Tokens. Calls can be chained, and
@@ -36,7 +36,7 @@ type Builder interface {
Claims(i interface{}) Builder
// Token builds a JSONWebToken from provided data.
Token() (*JSONWebToken, error)
- // FullSerialize serializes a token using the full serialization format.
+ // FullSerialize serializes a token using the JWS/JWE JSON Serialization format.
FullSerialize() (string, error)
// CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
@@ -53,7 +53,7 @@ type NestedBuilder interface {
Claims(i interface{}) NestedBuilder
// Token builds a NestedJSONWebToken from provided data.
Token() (*NestedJSONWebToken, error)
- // FullSerialize serializes a token using the full serialization format.
+ // FullSerialize serializes a token using the JSON Serialization format.
FullSerialize() (string, error)
// CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go b/vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
similarity index 91%
rename from vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
rename to vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
index 5f40ef3..b2a8dc8 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwt/claims.go
@@ -21,7 +21,7 @@ import (
"strconv"
"time"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// Claims represents public claim values (as specified in RFC 7519).
@@ -111,6 +111,15 @@ func (s *Audience) UnmarshalJSON(b []byte) error {
return nil
}
+// MarshalJSON converts audience to json representation.
+func (s Audience) MarshalJSON() ([]byte, error) {
+ if len(s) == 1 {
+ return json.Marshal(s[0])
+ }
+ return json.Marshal([]string(s))
+}
+
+// Contains checks whether a given string is included in the Audience
func (s Audience) Contains(v string) bool {
for _, a := range s {
if a == v {
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/doc.go b/vendor/github.com/go-jose/go-jose/v3/jwt/doc.go
similarity index 99%
rename from vendor/gopkg.in/square/go-jose.v2/jwt/doc.go
rename to vendor/github.com/go-jose/go-jose/v3/jwt/doc.go
index 4cf97b5..30b886e 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/doc.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwt/doc.go
@@ -15,8 +15,6 @@
*/
/*
-
Package jwt provides an implementation of the JSON Web Token standard.
-
*/
package jwt
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/errors.go b/vendor/github.com/go-jose/go-jose/v3/jwt/errors.go
similarity index 54%
rename from vendor/gopkg.in/square/go-jose.v2/jwt/errors.go
rename to vendor/github.com/go-jose/go-jose/v3/jwt/errors.go
index 09f76ae..27388e5 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/errors.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwt/errors.go
@@ -20,34 +20,34 @@ package jwt
import "errors"
// ErrUnmarshalAudience indicates that aud claim could not be unmarshalled.
-var ErrUnmarshalAudience = errors.New("square/go-jose/jwt: expected string or array value to unmarshal to Audience")
+var ErrUnmarshalAudience = errors.New("go-jose/go-jose/jwt: expected string or array value to unmarshal to Audience")
// ErrUnmarshalNumericDate indicates that JWT NumericDate could not be unmarshalled.
-var ErrUnmarshalNumericDate = errors.New("square/go-jose/jwt: expected number value to unmarshal NumericDate")
+var ErrUnmarshalNumericDate = errors.New("go-jose/go-jose/jwt: expected number value to unmarshal NumericDate")
// ErrInvalidClaims indicates that given claims have invalid type.
-var ErrInvalidClaims = errors.New("square/go-jose/jwt: expected claims to be value convertible into JSON object")
+var ErrInvalidClaims = errors.New("go-jose/go-jose/jwt: expected claims to be value convertible into JSON object")
// ErrInvalidIssuer indicates invalid iss claim.
-var ErrInvalidIssuer = errors.New("square/go-jose/jwt: validation failed, invalid issuer claim (iss)")
+var ErrInvalidIssuer = errors.New("go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)")
// ErrInvalidSubject indicates invalid sub claim.
-var ErrInvalidSubject = errors.New("square/go-jose/jwt: validation failed, invalid subject claim (sub)")
+var ErrInvalidSubject = errors.New("go-jose/go-jose/jwt: validation failed, invalid subject claim (sub)")
// ErrInvalidAudience indicated invalid aud claim.
-var ErrInvalidAudience = errors.New("square/go-jose/jwt: validation failed, invalid audience claim (aud)")
+var ErrInvalidAudience = errors.New("go-jose/go-jose/jwt: validation failed, invalid audience claim (aud)")
// ErrInvalidID indicates invalid jti claim.
-var ErrInvalidID = errors.New("square/go-jose/jwt: validation failed, invalid ID claim (jti)")
+var ErrInvalidID = errors.New("go-jose/go-jose/jwt: validation failed, invalid ID claim (jti)")
// ErrNotValidYet indicates that token is used before time indicated in nbf claim.
-var ErrNotValidYet = errors.New("square/go-jose/jwt: validation failed, token not valid yet (nbf)")
+var ErrNotValidYet = errors.New("go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)")
// ErrExpired indicates that token is used after expiry time indicated in exp claim.
-var ErrExpired = errors.New("square/go-jose/jwt: validation failed, token is expired (exp)")
+var ErrExpired = errors.New("go-jose/go-jose/jwt: validation failed, token is expired (exp)")
// ErrIssuedInTheFuture indicates that the iat field is in the future.
-var ErrIssuedInTheFuture = errors.New("square/go-jose/jwt: validation field, token issued in the future (iat)")
+var ErrIssuedInTheFuture = errors.New("go-jose/go-jose/jwt: validation field, token issued in the future (iat)")
// ErrInvalidContentType indicates that token requires JWT cty header.
-var ErrInvalidContentType = errors.New("square/go-jose/jwt: expected content type to be JWT (cty header)")
+var ErrInvalidContentType = errors.New("go-jose/go-jose/jwt: expected content type to be JWT (cty header)")
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go b/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
similarity index 80%
rename from vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
rename to vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
index 4749884..8553fc5 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwt/jwt.go
@@ -21,8 +21,8 @@ import (
"fmt"
"strings"
- jose "gopkg.in/square/go-jose.v2"
- "gopkg.in/square/go-jose.v2/json"
+ jose "github.com/go-jose/go-jose/v3"
+ "github.com/go-jose/go-jose/v3/json"
)
// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
@@ -39,9 +39,7 @@ type NestedJSONWebToken struct {
// Claims deserializes a JSONWebToken into dest using the provided key.
func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
- payloadKey := tryJWKS(t.Headers, key)
-
- b, err := t.payload(payloadKey)
+ b, err := t.payload(key)
if err != nil {
return err
}
@@ -60,7 +58,7 @@ func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
// verified. This function won't work for encrypted JWTs.
func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
if t.unverifiedPayload == nil {
- return fmt.Errorf("square/go-jose: Cannot get unverified claims")
+ return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
}
claims := t.unverifiedPayload()
for _, d := range dest {
@@ -72,9 +70,7 @@ func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) erro
}
func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
- key := tryJWKS(t.Headers, decryptionKey)
-
- b, err := t.enc.Decrypt(key)
+ b, err := t.enc.Decrypt(decryptionKey)
if err != nil {
return nil, err
}
@@ -135,35 +131,3 @@ func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) {
Headers: []jose.Header{enc.Header},
}, nil
}
-
-func tryJWKS(headers []jose.Header, key interface{}) interface{} {
- var jwks jose.JSONWebKeySet
-
- switch jwksType := key.(type) {
- case *jose.JSONWebKeySet:
- jwks = *jwksType
- case jose.JSONWebKeySet:
- jwks = jwksType
- default:
- return key
- }
-
- var kid string
- for _, header := range headers {
- if header.KeyID != "" {
- kid = header.KeyID
- break
- }
- }
-
- if kid == "" {
- return key
- }
-
- keys := jwks.Key(kid)
- if len(keys) == 0 {
- return key
- }
-
- return keys[0].Key
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go b/vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
similarity index 79%
rename from vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
rename to vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
index 6f3ff4e..09d8541 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
+++ b/vendor/github.com/go-jose/go-jose/v3/jwt/validation.go
@@ -25,7 +25,9 @@ const (
)
// Expected defines values used for protected claims validation.
-// If field has zero value then validation is skipped.
+// If field has zero value then validation is skipped, with the exception of
+// Time, where the zero value means "now." To skip validating them, set the
+// corresponding field in the Claims struct to nil.
type Expected struct {
// Issuer matches the "iss" claim exactly.
Issuer string
@@ -61,7 +63,7 @@ func (c Claims) Validate(e Expected) error {
// ValidateWithLeeway checks claims in a token against expected values. A
// custom leeway may be specified for comparing time values. You may pass a
-// zero value to check time values with no leeway, but you should not that
+// zero value to check time values with no leeway, but you should note that
// numeric date values are rounded to the nearest second and sub-second
// precision is not supported.
//
@@ -94,20 +96,24 @@ func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error {
}
}
- if !e.Time.IsZero() {
- if c.NotBefore != nil && e.Time.Add(leeway).Before(c.NotBefore.Time()) {
- return ErrNotValidYet
- }
+ // validate using the e.Time, or time.Now if not provided
+ validationTime := e.Time
+ if validationTime.IsZero() {
+ validationTime = time.Now()
+ }
- if c.Expiry != nil && e.Time.Add(-leeway).After(c.Expiry.Time()) {
- return ErrExpired
- }
+ if c.NotBefore != nil && validationTime.Add(leeway).Before(c.NotBefore.Time()) {
+ return ErrNotValidYet
+ }
- // IssuedAt is optional but cannot be in the future. This is not required by the RFC, but
- // something is misconfigured if this happens and we should not trust it.
- if c.IssuedAt != nil && e.Time.Add(leeway).Before(c.IssuedAt.Time()) {
- return ErrIssuedInTheFuture
- }
+ if c.Expiry != nil && validationTime.Add(-leeway).After(c.Expiry.Time()) {
+ return ErrExpired
+ }
+
+ // IssuedAt is optional but cannot be in the future. This is not required by the RFC, but
+ // something is misconfigured if this happens and we should not trust it.
+ if c.IssuedAt != nil && validationTime.Add(leeway).Before(c.IssuedAt.Time()) {
+ return ErrIssuedInTheFuture
}
return nil
diff --git a/vendor/gopkg.in/square/go-jose.v2/opaque.go b/vendor/github.com/go-jose/go-jose/v3/opaque.go
similarity index 97%
rename from vendor/gopkg.in/square/go-jose.v2/opaque.go
rename to vendor/github.com/go-jose/go-jose/v3/opaque.go
index fc3e8d2..68db085 100644
--- a/vendor/gopkg.in/square/go-jose.v2/opaque.go
+++ b/vendor/github.com/go-jose/go-jose/v3/opaque.go
@@ -121,7 +121,7 @@ func (oke *opaqueKeyEncrypter) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
return oke.encrypter.encryptKey(cek, alg)
}
-//OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key.
+// OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key.
type OpaqueKeyDecrypter interface {
DecryptKey(encryptedKey []byte, header Header) ([]byte, error)
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/shared.go b/vendor/github.com/go-jose/go-jose/v3/shared.go
similarity index 91%
rename from vendor/gopkg.in/square/go-jose.v2/shared.go
rename to vendor/github.com/go-jose/go-jose/v3/shared.go
index f72e5a5..489a04e 100644
--- a/vendor/gopkg.in/square/go-jose.v2/shared.go
+++ b/vendor/github.com/go-jose/go-jose/v3/shared.go
@@ -23,7 +23,7 @@ import (
"errors"
"fmt"
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// KeyAlgorithm represents a key management algorithm.
@@ -45,32 +45,32 @@ var (
// ErrCryptoFailure represents an error in cryptographic primitive. This
// occurs when, for example, a message had an invalid authentication tag or
// could not be decrypted.
- ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive")
+ ErrCryptoFailure = errors.New("go-jose/go-jose: error in cryptographic primitive")
// ErrUnsupportedAlgorithm indicates that a selected algorithm is not
// supported. This occurs when trying to instantiate an encrypter for an
// algorithm that is not yet implemented.
- ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm")
+ ErrUnsupportedAlgorithm = errors.New("go-jose/go-jose: unknown/unsupported algorithm")
// ErrUnsupportedKeyType indicates that the given key type/format is not
// supported. This occurs when trying to instantiate an encrypter and passing
// it a key of an unrecognized type or with unsupported parameters, such as
// an RSA private key with more than two primes.
- ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format")
+ ErrUnsupportedKeyType = errors.New("go-jose/go-jose: unsupported key type/format")
// ErrInvalidKeySize indicates that the given key is not the correct size
// for the selected algorithm. This can occur, for example, when trying to
// encrypt with AES-256 but passing only a 128-bit key as input.
- ErrInvalidKeySize = errors.New("square/go-jose: invalid key size for algorithm")
+ ErrInvalidKeySize = errors.New("go-jose/go-jose: invalid key size for algorithm")
// ErrNotSupported serialization of object is not supported. This occurs when
// trying to compact-serialize an object which can't be represented in
// compact form.
- ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object")
+ ErrNotSupported = errors.New("go-jose/go-jose: compact serialization not supported for object")
// ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
// nonce header parameter was included in an unprotected header object.
- ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header")
+ ErrUnprotectedNonce = errors.New("go-jose/go-jose: Nonce parameter included in unprotected header")
)
// Key management algorithms
@@ -133,8 +133,8 @@ const (
type HeaderKey string
const (
- HeaderType HeaderKey = "typ" // string
- HeaderContentType = "cty" // string
+ HeaderType = "typ" // string
+ HeaderContentType = "cty" // string
// These are set by go-jose and shouldn't need to be set by consumers of the
// library.
@@ -183,8 +183,13 @@ type Header struct {
// Unverified certificate chain parsed from x5c header.
certificates []*x509.Certificate
- // Any headers not recognised above get unmarshalled
- // from JSON in a generic manner and placed in this map.
+ // At parse time, each header parameter with a name other than "kid",
+ // "jwk", "alg", "nonce", or "x5c" will have its value passed to
+ // [json.Unmarshal] to unmarshal it into an interface value.
+ // The resulting value will be stored in this map, with the header
+ // parameter name as the key.
+ //
+ // [json.Unmarshal]: https://pkg.go.dev/encoding/json#Unmarshal
ExtraHeaders map[HeaderKey]interface{}
}
@@ -194,7 +199,7 @@ type Header struct {
// not be validated with the given verify options.
func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) {
if len(h.certificates) == 0 {
- return nil, errors.New("square/go-jose: no x5c header present in message")
+ return nil, errors.New("go-jose/go-jose: no x5c header present in message")
}
leaf := h.certificates[0]
@@ -452,8 +457,8 @@ func parseCertificateChain(chain []string) ([]*x509.Certificate, error) {
return out, nil
}
-func (dst rawHeader) isSet(k HeaderKey) bool {
- dvr := dst[k]
+func (parsed rawHeader) isSet(k HeaderKey) bool {
+ dvr := parsed[k]
if dvr == nil {
return false
}
@@ -472,17 +477,17 @@ func (dst rawHeader) isSet(k HeaderKey) bool {
}
// Merge headers from src into dst, giving precedence to headers from l.
-func (dst rawHeader) merge(src *rawHeader) {
+func (parsed rawHeader) merge(src *rawHeader) {
if src == nil {
return
}
for k, v := range *src {
- if dst.isSet(k) {
+ if parsed.isSet(k) {
continue
}
- dst[k] = v
+ parsed[k] = v
}
}
@@ -496,7 +501,7 @@ func curveName(crv elliptic.Curve) (string, error) {
case elliptic.P521():
return "P-521", nil
default:
- return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve")
+ return "", fmt.Errorf("go-jose/go-jose: unsupported/unknown elliptic curve")
}
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/signing.go b/vendor/github.com/go-jose/go-jose/v3/signing.go
similarity index 82%
rename from vendor/gopkg.in/square/go-jose.v2/signing.go
rename to vendor/github.com/go-jose/go-jose/v3/signing.go
index bad820c..52f3d85 100644
--- a/vendor/gopkg.in/square/go-jose.v2/signing.go
+++ b/vendor/github.com/go-jose/go-jose/v3/signing.go
@@ -19,14 +19,13 @@ package jose
import (
"bytes"
"crypto/ecdsa"
+ "crypto/ed25519"
"crypto/rsa"
"encoding/base64"
"errors"
"fmt"
- "golang.org/x/crypto/ed25519"
-
- "gopkg.in/square/go-jose.v2/json"
+ "github.com/go-jose/go-jose/v3/json"
)
// NonceSource represents a source of random nonces to go into JWS objects
@@ -41,6 +40,15 @@ type Signer interface {
}
// SigningKey represents an algorithm/key used to sign a message.
+//
+// Key must have one of these types:
+// - ed25519.PrivateKey
+// - *ecdsa.PrivateKey
+// - *rsa.PrivateKey
+// - *JSONWebKey
+// - JSONWebKey
+// - []byte (an HMAC key)
+// - Any type that satisfies the OpaqueSigner interface
type SigningKey struct {
Algorithm SignatureAlgorithm
Key interface{}
@@ -53,12 +61,22 @@ type SignerOptions struct {
// Optional map of additional keys to be inserted into the protected header
// of a JWS object. Some specifications which make use of JWS like to insert
- // additional values here. All values must be JSON-serializable.
+ // additional values here.
+ //
+ // Values will be serialized by [json.Marshal] and must be valid inputs to
+ // that function.
+ //
+ // [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
ExtraHeaders map[HeaderKey]interface{}
}
// WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
-// if necessary. It returns itself and so can be used in a fluent style.
+// if necessary, and returns the updated SignerOptions.
+//
+// The v argument will be serialized by [json.Marshal] and must be a valid
+// input to that function.
+//
+// [json.Marshal]: https://pkg.go.dev/encoding/json#Marshal
func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions {
if so.ExtraHeaders == nil {
so.ExtraHeaders = map[HeaderKey]interface{}{}
@@ -174,11 +192,11 @@ func newVerifier(verificationKey interface{}) (payloadVerifier, error) {
return newVerifier(verificationKey.Key)
case *JSONWebKey:
return newVerifier(verificationKey.Key)
+ case OpaqueVerifier:
+ return &opaqueVerifier{verifier: verificationKey}, nil
+ default:
+ return nil, ErrUnsupportedKeyType
}
- if ov, ok := verificationKey.(OpaqueVerifier); ok {
- return &opaqueVerifier{verifier: ov}, nil
- }
- return nil, ErrUnsupportedKeyType
}
func (ctx *genericSigner) addRecipient(alg SignatureAlgorithm, signingKey interface{}) error {
@@ -205,11 +223,11 @@ func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipient
return newJWKSigner(alg, signingKey)
case *JSONWebKey:
return newJWKSigner(alg, *signingKey)
+ case OpaqueSigner:
+ return newOpaqueSigner(alg, signingKey)
+ default:
+ return recipientSigInfo{}, ErrUnsupportedKeyType
}
- if signer, ok := signingKey.(OpaqueSigner); ok {
- return newOpaqueSigner(alg, signer)
- }
- return recipientSigInfo{}, ErrUnsupportedKeyType
}
func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigInfo, error) {
@@ -227,7 +245,7 @@ func newJWKSigner(alg SignatureAlgorithm, signingKey JSONWebKey) (recipientSigIn
// This should be impossible, but let's check anyway.
if !recipient.publicKey().IsPublic() {
- return recipientSigInfo{}, errors.New("square/go-jose: public key was unexpectedly not public")
+ return recipientSigInfo{}, errors.New("go-jose/go-jose: public key was unexpectedly not public")
}
}
return recipient, nil
@@ -251,7 +269,7 @@ func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
// result of the JOSE spec. We've decided that this library will only include one or
// the other to avoid this confusion.
//
- // See https://github.com/square/go-jose/issues/157 for more context.
+ // See https://github.com/go-jose/go-jose/issues/157 for more context.
if ctx.embedJWK {
protected[headerJWK] = recipient.publicKey()
} else {
@@ -265,7 +283,7 @@ func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
if ctx.nonceSource != nil {
nonce, err := ctx.nonceSource.Nonce()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err)
+ return nil, fmt.Errorf("go-jose/go-jose: Error generating nonce: %v", err)
}
protected[headerNonce] = nonce
}
@@ -279,7 +297,7 @@ func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
if b64, ok := protected[headerB64]; ok {
if needsBase64, ok = b64.(bool); !ok {
- return nil, errors.New("square/go-jose: Invalid b64 header parameter")
+ return nil, errors.New("go-jose/go-jose: Invalid b64 header parameter")
}
}
@@ -303,7 +321,7 @@ func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
for k, v := range protected {
b, err := json.Marshal(v)
if err != nil {
- return nil, fmt.Errorf("square/go-jose: Error marshalling item %#v: %v", k, err)
+ return nil, fmt.Errorf("go-jose/go-jose: Error marshalling item %#v: %v", k, err)
}
(*signatureInfo.protected)[k] = makeRawMessage(b)
}
@@ -322,12 +340,21 @@ func (ctx *genericSigner) Options() SignerOptions {
}
// Verify validates the signature on the object and returns the payload.
-// This function does not support multi-signature, if you desire multi-sig
+// This function does not support multi-signature. If you desire multi-signature
// verification use VerifyMulti instead.
//
// Be careful when verifying signatures based on embedded JWKs inside the
// payload header. You cannot assume that the key received in a payload is
// trusted.
+//
+// The verificationKey argument must have one of these types:
+// - ed25519.PublicKey
+// - *ecdsa.PublicKey
+// - *rsa.PublicKey
+// - *JSONWebKey
+// - JSONWebKey
+// - []byte (an HMAC key)
+// - Any type that implements the OpaqueVerifier interface.
func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
err := obj.DetachedVerify(obj.payload, verificationKey)
if err != nil {
@@ -347,14 +374,18 @@ func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte {
// most cases, you will probably want to use Verify instead. DetachedVerify
// is only useful if you have a payload and signature that are separated from
// each other.
+//
+// The verificationKey argument must have one of the types allowed for the
+// verificationKey argument of JSONWebSignature.Verify().
func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error {
- verifier, err := newVerifier(verificationKey)
+ key := tryJWKS(verificationKey, obj.headers()...)
+ verifier, err := newVerifier(key)
if err != nil {
return err
}
if len(obj.Signatures) > 1 {
- return errors.New("square/go-jose: too many signatures in payload; expecting only one")
+ return errors.New("go-jose/go-jose: too many signatures in payload; expecting only one")
}
signature := obj.Signatures[0]
@@ -388,6 +419,9 @@ func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey inter
// returns the index of the signature that was verified, along with the signature
// object and the payload. We return the signature and index to guarantee that
// callers are getting the verified value.
+//
+// The verificationKey argument must have one of the types allowed for the
+// verificationKey argument of JSONWebSignature.Verify().
func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) {
idx, sig, err := obj.DetachedVerifyMulti(obj.payload, verificationKey)
if err != nil {
@@ -405,8 +439,12 @@ func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signa
// DetachedVerifyMulti is only useful if you have a payload and signature that are
// separated from each other, and the signature can have multiple signers at the
// same time.
+//
+// The verificationKey argument must have one of the types allowed for the
+// verificationKey argument of JSONWebSignature.Verify().
func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error) {
- verifier, err := newVerifier(verificationKey)
+ key := tryJWKS(verificationKey, obj.headers()...)
+ verifier, err := newVerifier(key)
if err != nil {
return -1, Signature{}, err
}
@@ -439,3 +477,11 @@ outer:
return -1, Signature{}, ErrCryptoFailure
}
+
+func (obj JSONWebSignature) headers() []Header {
+ headers := make([]Header, len(obj.Signatures))
+ for i, sig := range obj.Signatures {
+ headers[i] = sig.Header
+ }
+ return headers
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/symmetric.go b/vendor/github.com/go-jose/go-jose/v3/symmetric.go
similarity index 85%
rename from vendor/gopkg.in/square/go-jose.v2/symmetric.go
rename to vendor/github.com/go-jose/go-jose/v3/symmetric.go
index 264a0fe..10d8e19 100644
--- a/vendor/gopkg.in/square/go-jose.v2/symmetric.go
+++ b/vendor/github.com/go-jose/go-jose/v3/symmetric.go
@@ -31,20 +31,26 @@ import (
"io"
"golang.org/x/crypto/pbkdf2"
- "gopkg.in/square/go-jose.v2/cipher"
+
+ josecipher "github.com/go-jose/go-jose/v3/cipher"
)
-// Random reader (stubbed out in tests)
+// RandReader is a cryptographically secure random number generator (stubbed out in tests).
var RandReader = rand.Reader
const (
// RFC7518 recommends a minimum of 1,000 iterations:
- // https://tools.ietf.org/html/rfc7518#section-4.8.1.2
+ // - https://tools.ietf.org/html/rfc7518#section-4.8.1.2
+ //
// NIST recommends a minimum of 10,000:
- // https://pages.nist.gov/800-63-3/sp800-63b.html
- // 1Password uses 100,000:
- // https://support.1password.com/pbkdf2/
- defaultP2C = 100000
+ // - https://pages.nist.gov/800-63-3/sp800-63b.html
+ //
+ // 1Password increased in 2023 from 100,000 to 650,000:
+ // - https://support.1password.com/pbkdf2/
+ //
+ // OWASP recommended 600,000 in Dec 2022:
+ // - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
+ defaultP2C = 600000
// Default salt size: 128 bits
defaultP2SSize = 16
)
@@ -278,8 +284,14 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
}
header := &rawHeader{}
- header.set(headerIV, newBuffer(parts.iv))
- header.set(headerTag, newBuffer(parts.tag))
+
+ if err = header.set(headerIV, newBuffer(parts.iv)); err != nil {
+ return recipientInfo{}, err
+ }
+
+ if err = header.set(headerTag, newBuffer(parts.tag)); err != nil {
+ return recipientInfo{}, err
+ }
return recipientInfo{
header: header,
@@ -332,8 +344,14 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
}
header := &rawHeader{}
- header.set(headerP2C, ctx.p2c)
- header.set(headerP2S, newBuffer(ctx.p2s))
+
+ if err = header.set(headerP2C, ctx.p2c); err != nil {
+ return recipientInfo{}, err
+ }
+
+ if err = header.set(headerP2S, newBuffer(ctx.p2s)); err != nil {
+ return recipientInfo{}, err
+ }
return recipientInfo{
encryptedKey: jek,
@@ -356,11 +374,11 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
iv, err := headers.getIV()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid IV: %v", err)
+ return nil, fmt.Errorf("go-jose/go-jose: invalid IV: %v", err)
}
tag, err := headers.getTag()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid tag: %v", err)
+ return nil, fmt.Errorf("go-jose/go-jose: invalid tag: %v", err)
}
parts := &aeadParts{
@@ -389,18 +407,23 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
case PBES2_HS256_A128KW, PBES2_HS384_A192KW, PBES2_HS512_A256KW:
p2s, err := headers.getP2S()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid P2S: %v", err)
+ return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: %v", err)
}
if p2s == nil || len(p2s.data) == 0 {
- return nil, fmt.Errorf("square/go-jose: invalid P2S: must be present")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid P2S: must be present")
}
p2c, err := headers.getP2C()
if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid P2C: %v", err)
+ return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: %v", err)
}
if p2c <= 0 {
- return nil, fmt.Errorf("square/go-jose: invalid P2C: must be a positive integer")
+ return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: must be a positive integer")
+ }
+ if p2c > 1000000 {
+ // An unauthenticated attacker can set a high P2C value. Set an upper limit to avoid
+ // DoS attacks.
+ return nil, fmt.Errorf("go-jose/go-jose: invalid P2C: too high")
}
// salt is UTF8(Alg) || 0x00 || Salt Input
@@ -431,7 +454,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
mac, err := ctx.hmac(payload, alg)
if err != nil {
- return Signature{}, errors.New("square/go-jose: failed to compute hmac")
+ return Signature{}, errors.New("go-jose/go-jose: failed to compute hmac")
}
return Signature{
@@ -444,16 +467,16 @@ func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Sig
func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
expected, err := ctx.hmac(payload, alg)
if err != nil {
- return errors.New("square/go-jose: failed to compute hmac")
+ return errors.New("go-jose/go-jose: failed to compute hmac")
}
if len(mac) != len(expected) {
- return errors.New("square/go-jose: invalid hmac")
+ return errors.New("go-jose/go-jose: invalid hmac")
}
match := subtle.ConstantTimeCompare(mac, expected)
if match != 1 {
- return errors.New("square/go-jose: invalid hmac")
+ return errors.New("go-jose/go-jose: invalid hmac")
}
return nil
diff --git a/vendor/github.com/hashicorp/vault/api/.copywrite.hcl b/vendor/github.com/hashicorp/vault/api/.copywrite.hcl
new file mode 100644
index 0000000..c4b09f3
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/.copywrite.hcl
@@ -0,0 +1,8 @@
+schema_version = 1
+
+project {
+ license = "MPL-2.0"
+ copyright_year = 2024
+
+ header_ignore = []
+}
diff --git a/vendor/github.com/hashicorp/vault/api/README.md b/vendor/github.com/hashicorp/vault/api/README.md
index 7230ce7..d21458c 100644
--- a/vendor/github.com/hashicorp/vault/api/README.md
+++ b/vendor/github.com/hashicorp/vault/api/README.md
@@ -4,6 +4,6 @@ Vault API
This provides the `github.com/hashicorp/vault/api` package which contains code useful for interacting with a Vault server.
For examples of how to use this module, see the [vault-examples](https://github.com/hashicorp/vault-examples) repo.
-For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](https://www.vaultproject.io/docs/get-started/developer-qs).
+For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](https://developer.hashicorp.com/vault/docs/get-started/developer-qs).
[](https://godoc.org/github.com/hashicorp/vault/api)
\ No newline at end of file
diff --git a/vendor/github.com/hashicorp/vault/api/client.go b/vendor/github.com/hashicorp/vault/api/client.go
index c5ddee1..52c991b 100644
--- a/vendor/github.com/hashicorp/vault/api/client.go
+++ b/vendor/github.com/hashicorp/vault/api/client.go
@@ -82,6 +82,8 @@ const (
const (
EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
EnvVaultInsecure = "VAULT_SKIP_VERIFY"
+
+ DefaultAddress = "https://127.0.0.1:8200"
)
// WrappingLookupFunc is a function that, given an HTTP verb and a path,
@@ -185,6 +187,9 @@ type Config struct {
// CloneToken from parent.
CloneToken bool
+ // CloneTLSConfig from parent (tls.Config).
+ CloneTLSConfig bool
+
// ReadYourWrites ensures isolated read-after-write semantics by
// providing discovered cluster replication states in each request.
// The shared state is automatically propagated to all Client clones.
@@ -245,7 +250,7 @@ type TLSConfig struct {
// If an error is encountered, the Error field on the returned *Config will be populated with the specific error.
func DefaultConfig() *Config {
config := &Config{
- Address: "https://127.0.0.1:8200",
+ Address: DefaultAddress,
HttpClient: cleanhttp.DefaultPooledClient(),
Timeout: time.Second * 60,
MinRetryWait: time.Millisecond * 1000,
@@ -290,7 +295,14 @@ func (c *Config) configureTLS(t *TLSConfig) error {
if c.HttpClient == nil {
c.HttpClient = DefaultConfig().HttpClient
}
- clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
+
+ transport, ok := c.HttpClient.Transport.(*http.Transport)
+ if !ok {
+ return fmt.Errorf(
+ "unsupported HTTPClient transport type %T", c.HttpClient.Transport)
+ }
+
+ clientTLSConfig := transport.TLSClientConfig
var clientCert tls.Certificate
foundClientCert := false
@@ -518,6 +530,7 @@ func (c *Config) ParseAddress(address string) (*url.URL, error) {
return nil, err
}
+ previousAddress := c.Address
c.Address = address
if strings.HasPrefix(address, "unix://") {
@@ -535,12 +548,12 @@ func (c *Config) ParseAddress(address string) (*url.URL, error) {
// be pointing to the protocol used in the application layer and not to
// the transport layer. Hence, setting the fields accordingly.
u.Scheme = "http"
- u.Host = socket
+ u.Host = "localhost"
u.Path = ""
} else {
return nil, fmt.Errorf("attempting to specify unix:// address with non-transport transport")
}
- } else if strings.HasPrefix(c.Address, "unix://") {
+ } else if strings.HasPrefix(previousAddress, "unix://") {
// When the address being set does not begin with unix:// but the previous
// address in the Config did, change the transport's DialContext back to
// use the default configuration that cleanhttp uses.
@@ -579,6 +592,7 @@ type Client struct {
requestCallbacks []RequestCallback
responseCallbacks []ResponseCallback
replicationStateStore *replicationStateStore
+ hcpCookie *http.Cookie
}
// NewClient returns a new client for the given configuration.
@@ -988,7 +1002,9 @@ func (c *Client) Namespace() string {
func (c *Client) WithNamespace(namespace string) *Client {
c2 := *c
c2.modifyLock = sync.RWMutex{}
- c2.headers = c.Headers()
+ c.modifyLock.RLock()
+ c2.headers = c.headersInternal()
+ c.modifyLock.RUnlock()
if namespace == "" {
c2.ClearNamespace()
} else {
@@ -1013,6 +1029,33 @@ func (c *Client) SetToken(v string) {
c.token = v
}
+// HCPCookie returns the HCP cookie being used by this client. It will
+// return an empty cookie when no cookie is set.
+func (c *Client) HCPCookie() string {
+ c.modifyLock.RLock()
+ defer c.modifyLock.RUnlock()
+
+ if c.hcpCookie == nil {
+ return ""
+ }
+ return c.hcpCookie.String()
+}
+
+// SetHCPCookie sets the hcp cookie directly. This won't perform any auth
+// verification, it simply sets the token properly for future requests.
+func (c *Client) SetHCPCookie(v *http.Cookie) error {
+ c.modifyLock.Lock()
+ defer c.modifyLock.Unlock()
+
+ if err := v.Valid(); err != nil {
+ return err
+ }
+
+ c.hcpCookie = v
+
+ return nil
+}
+
// ClearToken deletes the token if it is set or does nothing otherwise.
func (c *Client) ClearToken() {
c.modifyLock.Lock()
@@ -1025,7 +1068,12 @@ func (c *Client) ClearToken() {
func (c *Client) Headers() http.Header {
c.modifyLock.RLock()
defer c.modifyLock.RUnlock()
+ return c.headersInternal()
+}
+// headersInternal gets the current set of headers used for requests. Must be called
+// with the read modifyLock held.
+func (c *Client) headersInternal() http.Header {
if c.headers == nil {
return nil
}
@@ -1143,6 +1191,26 @@ func (c *Client) ReadYourWrites() bool {
return c.config.ReadYourWrites
}
+// SetCloneTLSConfig from parent.
+func (c *Client) SetCloneTLSConfig(clone bool) {
+ c.modifyLock.Lock()
+ defer c.modifyLock.Unlock()
+ c.config.modifyLock.Lock()
+ defer c.config.modifyLock.Unlock()
+
+ c.config.CloneTLSConfig = clone
+}
+
+// CloneTLSConfig gets the configured CloneTLSConfig value.
+func (c *Client) CloneTLSConfig() bool {
+ c.modifyLock.RLock()
+ defer c.modifyLock.RUnlock()
+ c.config.modifyLock.RLock()
+ defer c.config.modifyLock.RUnlock()
+
+ return c.config.CloneTLSConfig
+}
+
// Clone creates a new client with the same configuration. Note that the same
// underlying http.Client is used; modifying the client from more than one
// goroutine at once may not be safe, so modify the client as needed and then
@@ -1153,24 +1221,28 @@ func (c *Client) ReadYourWrites() bool {
// the api.Config struct, such as policy override and wrapping function
// behavior, must currently then be set as desired on the new client.
func (c *Client) Clone() (*Client, error) {
+ c.modifyLock.RLock()
+ defer c.modifyLock.RUnlock()
+ c.config.modifyLock.RLock()
+ defer c.config.modifyLock.RUnlock()
return c.clone(c.config.CloneHeaders)
}
// CloneWithHeaders creates a new client similar to Clone, with the difference
-// being that the headers are always cloned
+// being that the headers are always cloned
func (c *Client) CloneWithHeaders() (*Client, error) {
+ c.modifyLock.RLock()
+ defer c.modifyLock.RUnlock()
+ c.config.modifyLock.RLock()
+ defer c.config.modifyLock.RUnlock()
return c.clone(true)
}
// clone creates a new client, with the headers being cloned based on the
-// passed in cloneheaders boolean
+// passed in cloneheaders boolean.
+// Must be called with the read lock and config read lock held.
func (c *Client) clone(cloneHeaders bool) (*Client, error) {
- c.modifyLock.RLock()
- defer c.modifyLock.RUnlock()
-
config := c.config
- config.modifyLock.RLock()
- defer config.modifyLock.RUnlock()
newConfig := &Config{
Address: config.Address,
@@ -1189,13 +1261,18 @@ func (c *Client) clone(cloneHeaders bool) (*Client, error) {
CloneToken: config.CloneToken,
ReadYourWrites: config.ReadYourWrites,
}
+
+ if config.CloneTLSConfig {
+ newConfig.clientTLSConfig = config.clientTLSConfig
+ }
+
client, err := NewClient(newConfig)
if err != nil {
return nil, err
}
if cloneHeaders {
- client.SetHeaders(c.Headers().Clone())
+ client.SetHeaders(c.headersInternal().Clone())
}
if config.CloneToken {
@@ -1226,6 +1303,7 @@ func (c *Client) NewRequest(method, requestPath string) *Request {
mfaCreds := c.mfaCreds
wrappingLookupFunc := c.wrappingLookupFunc
policyOverride := c.policyOverride
+ headers := c.headersInternal()
c.modifyLock.RUnlock()
host := addr.Host
@@ -1252,6 +1330,8 @@ func (c *Client) NewRequest(method, requestPath string) *Request {
Params: make(map[string][]string),
}
+ req.HCPCookie = c.hcpCookie
+
var lookupPath string
switch {
case strings.HasPrefix(requestPath, "/v1/"):
@@ -1270,7 +1350,7 @@ func (c *Client) NewRequest(method, requestPath string) *Request {
req.WrapTTL = DefaultWrappingLookupFunc(method, lookupPath)
}
- req.Headers = c.Headers()
+ req.Headers = headers
req.PolicyOverride = policyOverride
return req
@@ -1280,8 +1360,9 @@ func (c *Client) NewRequest(method, requestPath string) *Request {
// a Vault server not configured with this client. This is an advanced operation
// that generally won't need to be called externally.
//
-// Deprecated: This method should not be used directly. Use higher level
-// methods instead.
+// Deprecated: RawRequest exists for historical compatibility and should not be
+// used directly. Use client.Logical().ReadRaw(...) or higher level methods
+// instead.
func (c *Client) RawRequest(r *Request) (*Response, error) {
return c.RawRequestWithContext(context.Background(), r)
}
@@ -1290,8 +1371,9 @@ func (c *Client) RawRequest(r *Request) (*Response, error) {
// a Vault server not configured with this client. This is an advanced operation
// that generally won't need to be called externally.
//
-// Deprecated: This method should not be used directly. Use higher level
-// methods instead.
+// Deprecated: RawRequestWithContext exists for historical compatibility and
+// should not be used directly. Use client.Logical().ReadRawWithContext(...)
+// or higher level methods instead.
func (c *Client) RawRequestWithContext(ctx context.Context, r *Request) (*Response, error) {
// Note: we purposefully do not call cancel manually. The reason is
// when canceled, the request.Body will EOF when reading due to the way
diff --git a/vendor/github.com/hashicorp/vault/api/kv.go b/vendor/github.com/hashicorp/vault/api/kv.go
index 20862fb..7203932 100644
--- a/vendor/github.com/hashicorp/vault/api/kv.go
+++ b/vendor/github.com/hashicorp/vault/api/kv.go
@@ -38,7 +38,7 @@ type KVSecret struct {
// by default when a server is started in -dev mode. See the kvv2 struct.
//
// Learn more about the KV secrets engine here:
-// https://www.vaultproject.io/docs/secrets/kv
+// https://developer.hashicorp.com/vault/docs/secrets/kv
func (c *Client) KVv1(mountPath string) *KVv1 {
return &KVv1{c: c, mountPath: mountPath}
}
@@ -53,7 +53,7 @@ func (c *Client) KVv1(mountPath string) *KVv1 {
// as these are the default settings when a server is started in -dev mode.
//
// Learn more about the KV secrets engine here:
-// https://www.vaultproject.io/docs/secrets/kv
+// https://developer.hashicorp.com/vault/docs/secrets/kv
func (c *Client) KVv2(mountPath string) *KVv2 {
return &KVv2{c: c, mountPath: mountPath}
}
diff --git a/vendor/github.com/hashicorp/vault/api/logical.go b/vendor/github.com/hashicorp/vault/api/logical.go
index 927dd16..068e906 100644
--- a/vendor/github.com/hashicorp/vault/api/logical.go
+++ b/vendor/github.com/hashicorp/vault/api/logical.go
@@ -212,6 +212,17 @@ func (c *Logical) WriteWithContext(ctx context.Context, path string, data map[st
return c.write(ctx, path, r)
}
+func (c *Logical) WriteRaw(path string, data []byte) (*Response, error) {
+ return c.WriteRawWithContext(context.Background(), path, data)
+}
+
+func (c *Logical) WriteRawWithContext(ctx context.Context, path string, data []byte) (*Response, error) {
+ r := c.c.NewRequest(http.MethodPut, "/v1/"+path)
+ r.BodyBytes = data
+
+ return c.writeRaw(ctx, r)
+}
+
func (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) {
r := c.c.NewRequest(http.MethodPatch, "/v1/"+path)
r.Headers.Set("Content-Type", "application/merge-patch+json")
@@ -261,6 +272,14 @@ func (c *Logical) write(ctx context.Context, path string, request *Request) (*Se
return ParseSecret(resp.Body)
}
+func (c *Logical) writeRaw(ctx context.Context, request *Request) (*Response, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ resp, err := c.c.rawRequestWithContext(ctx, request)
+ return resp, err
+}
+
func (c *Logical) Delete(path string) (*Secret, error) {
return c.DeleteWithContext(context.Background(), path)
}
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
index 2d6416d..3705c73 100644
--- a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
+++ b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go
@@ -12,13 +12,23 @@ import (
"flag"
"net/url"
"os"
- "regexp"
- squarejwt "gopkg.in/square/go-jose.v2/jwt"
+ "github.com/go-jose/go-jose/v3/jwt"
"github.com/hashicorp/errwrap"
)
+// This file contains helper code used when writing Vault auth method or secrets engine plugins.
+//
+// As such, it would be better located in the sdk module with the rest of the code which is only to support plugins,
+// rather than api, but is here for historical reasons. (The api module used to depend on the sdk module, this code
+// calls NewClient within the api package, so placing it in the sdk would have created a dependency cycle. This reason
+// is now historical, as the dependency between sdk and api has since been reversed in direction.)
+// Moving this code to the sdk would be appropriate if an api v2.0.0 release is ever planned.
+//
+// This helper code is used when a plugin is hosted by Vault 1.11 and earlier. Vault 1.12 and sdk v0.6.0 introduced
+// version 5 of the backend plugin interface, which uses go-plugin's AutoMTLS feature instead of this code.
+
const (
// PluginAutoMTLSEnv is used to ensure AutoMTLS is used. This will override
// setting a TLSProviderFunc for a plugin.
@@ -33,50 +43,6 @@ const (
PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN"
)
-// sudoPaths is a map containing the paths that require a token's policy
-// to have the "sudo" capability. The keys are the paths as strings, in
-// the same format as they are returned by the OpenAPI spec. The values
-// are the regular expressions that can be used to test whether a given
-// path matches that path or not (useful specifically for the paths that
-// contain templated fields.)
-var sudoPaths = map[string]*regexp.Regexp{
- "/auth/token/accessors/": regexp.MustCompile(`^/auth/token/accessors/?$`),
- "/pki/root": regexp.MustCompile(`^/pki/root$`),
- "/pki/root/sign-self-issued": regexp.MustCompile(`^/pki/root/sign-self-issued$`),
- "/sys/audit": regexp.MustCompile(`^/sys/audit$`),
- "/sys/audit/{path}": regexp.MustCompile(`^/sys/audit/.+$`),
- "/sys/auth/{path}": regexp.MustCompile(`^/sys/auth/.+$`),
- "/sys/auth/{path}/tune": regexp.MustCompile(`^/sys/auth/.+/tune$`),
- "/sys/config/auditing/request-headers": regexp.MustCompile(`^/sys/config/auditing/request-headers$`),
- "/sys/config/auditing/request-headers/{header}": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),
- "/sys/config/cors": regexp.MustCompile(`^/sys/config/cors$`),
- "/sys/config/ui/headers/": regexp.MustCompile(`^/sys/config/ui/headers/?$`),
- "/sys/config/ui/headers/{header}": regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
- "/sys/leases": regexp.MustCompile(`^/sys/leases$`),
- "/sys/leases/lookup/": regexp.MustCompile(`^/sys/leases/lookup/?$`),
- "/sys/leases/lookup/{prefix}": regexp.MustCompile(`^/sys/leases/lookup/.+$`),
- "/sys/leases/revoke-force/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),
- "/sys/leases/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),
- "/sys/plugins/catalog/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[^/]+$`),
- "/sys/plugins/catalog/{type}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+$`),
- "/sys/plugins/catalog/{type}/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+/[^/]+$`),
- "/sys/raw": regexp.MustCompile(`^/sys/raw$`),
- "/sys/raw/{path}": regexp.MustCompile(`^/sys/raw/.+$`),
- "/sys/remount": regexp.MustCompile(`^/sys/remount$`),
- "/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`),
- "/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`),
- "/sys/rotate": regexp.MustCompile(`^/sys/rotate$`),
- "/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
-
- // enterprise-only paths
- "/sys/replication/dr/primary/secondary-token": regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),
- "/sys/replication/performance/primary/secondary-token": regexp.MustCompile(`^/sys/replication/performance/primary/secondary-token$`),
- "/sys/replication/primary/secondary-token": regexp.MustCompile(`^/sys/replication/primary/secondary-token$`),
- "/sys/replication/reindex": regexp.MustCompile(`^/sys/replication/reindex$`),
- "/sys/storage/raft/snapshot-auto/config/": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),
- "/sys/storage/raft/snapshot-auto/config/{name}": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),
-}
-
// PluginAPIClientMeta is a helper that plugins can use to configure TLS connections
// back to Vault.
type PluginAPIClientMeta struct {
@@ -85,6 +51,7 @@ type PluginAPIClientMeta struct {
flagCAPath string
flagClientCert string
flagClientKey string
+ flagServerName string
flagInsecure bool
}
@@ -96,6 +63,7 @@ func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {
fs.StringVar(&f.flagCAPath, "ca-path", "", "")
fs.StringVar(&f.flagClientCert, "client-cert", "", "")
fs.StringVar(&f.flagClientKey, "client-key", "", "")
+ fs.StringVar(&f.flagServerName, "tls-server-name", "", "")
fs.BoolVar(&f.flagInsecure, "tls-skip-verify", false, "")
return fs
@@ -104,13 +72,13 @@ func (f *PluginAPIClientMeta) FlagSet() *flag.FlagSet {
// GetTLSConfig will return a TLSConfig based off the values from the flags
func (f *PluginAPIClientMeta) GetTLSConfig() *TLSConfig {
// If we need custom TLS configuration, then set it
- if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure {
+ if f.flagCACert != "" || f.flagCAPath != "" || f.flagClientCert != "" || f.flagClientKey != "" || f.flagInsecure || f.flagServerName != "" {
t := &TLSConfig{
CACert: f.flagCACert,
CAPath: f.flagCAPath,
ClientCert: f.flagClientCert,
ClientKey: f.flagClientKey,
- TLSServerName: "",
+ TLSServerName: f.flagServerName,
Insecure: f.flagInsecure,
}
@@ -135,7 +103,7 @@ func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig)
return func() (*tls.Config, error) {
unwrapToken := os.Getenv(PluginUnwrapTokenEnv)
- parsedJWT, err := squarejwt.ParseSigned(unwrapToken)
+ parsedJWT, err := jwt.ParseSigned(unwrapToken)
if err != nil {
return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
}
@@ -244,28 +212,3 @@ func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig)
return tlsConfig, nil
}
}
-
-func SudoPaths() map[string]*regexp.Regexp {
- return sudoPaths
-}
-
-// Determine whether the given path requires the sudo capability
-func IsSudoPath(path string) bool {
- // Return early if the path is any of the non-templated sudo paths.
- if _, ok := sudoPaths[path]; ok {
- return true
- }
-
- // Some sudo paths have templated fields in them.
- // (e.g. /sys/revoke-prefix/{prefix})
- // The values in the sudoPaths map are actually regular expressions,
- // so we can check if our path matches against them.
- for _, sudoPathRegexp := range sudoPaths {
- match := sudoPathRegexp.MatchString(path)
- if match {
- return true
- }
- }
-
- return false
-}
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go b/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
new file mode 100644
index 0000000..d3acd0d
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/plugin_runtime_types.go
@@ -0,0 +1,41 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+// NOTE: this file was copied from
+// https://github.com/hashicorp/vault/blob/main/sdk/helper/consts/plugin_runtime_types.go
+// Any changes made should be made to both files at the same time.
+
+import "fmt"
+
+var PluginRuntimeTypes = []PluginRuntimeType{
+ PluginRuntimeTypeUnsupported,
+ PluginRuntimeTypeContainer,
+}
+
+type PluginRuntimeType uint32
+
+// This is a list of PluginRuntimeTypes used by Vault.
+const (
+ PluginRuntimeTypeUnsupported PluginRuntimeType = iota
+ PluginRuntimeTypeContainer
+)
+
+func (r PluginRuntimeType) String() string {
+ switch r {
+ case PluginRuntimeTypeContainer:
+ return "container"
+ default:
+ return "unsupported"
+ }
+}
+
+func ParsePluginRuntimeType(PluginRuntimeType string) (PluginRuntimeType, error) {
+ switch PluginRuntimeType {
+ case "container":
+ return PluginRuntimeTypeContainer, nil
+ default:
+ return PluginRuntimeTypeUnsupported, fmt.Errorf("%q is not a supported plugin runtime type", PluginRuntimeType)
+ }
+}
diff --git a/vendor/github.com/hashicorp/vault/api/plugin_types.go b/vendor/github.com/hashicorp/vault/api/plugin_types.go
index 4c759a2..c8f69ae 100644
--- a/vendor/github.com/hashicorp/vault/api/plugin_types.go
+++ b/vendor/github.com/hashicorp/vault/api/plugin_types.go
@@ -7,7 +7,10 @@ package api
// https://github.com/hashicorp/vault/blob/main/sdk/helper/consts/plugin_types.go
// Any changes made should be made to both files at the same time.
-import "fmt"
+import (
+ "encoding/json"
+ "fmt"
+)
var PluginTypes = []PluginType{
PluginTypeUnknown,
@@ -64,3 +67,34 @@ func ParsePluginType(pluginType string) (PluginType, error) {
return PluginTypeUnknown, fmt.Errorf("%q is not a supported plugin type", pluginType)
}
}
+
+// UnmarshalJSON implements json.Unmarshaler. It supports unmarshaling either a
+// string or a uint32. All new serialization will be as a string, but we
+// previously serialized as a uint32 so we need to support that for backwards
+// compatibility.
+func (p *PluginType) UnmarshalJSON(data []byte) error {
+ var asString string
+ err := json.Unmarshal(data, &asString)
+ if err == nil {
+ *p, err = ParsePluginType(asString)
+ return err
+ }
+
+ var asUint32 uint32
+ err = json.Unmarshal(data, &asUint32)
+ if err != nil {
+ return err
+ }
+ *p = PluginType(asUint32)
+ switch *p {
+ case PluginTypeUnknown, PluginTypeCredential, PluginTypeDatabase, PluginTypeSecrets:
+ return nil
+ default:
+ return fmt.Errorf("%d is not a supported plugin type", asUint32)
+ }
+}
+
+// MarshalJSON implements json.Marshaler.
+func (p PluginType) MarshalJSON() ([]byte, error) {
+ return json.Marshal(p.String())
+}
diff --git a/vendor/github.com/hashicorp/vault/api/replication_status.go b/vendor/github.com/hashicorp/vault/api/replication_status.go
new file mode 100644
index 0000000..9bc02d5
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/replication_status.go
@@ -0,0 +1,132 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "net/http"
+
+ "github.com/mitchellh/mapstructure"
+)
+
+const (
+ apiRepPerformanceStatusPath = "/v1/sys/replication/performance/status"
+ apiRepDRStatusPath = "/v1/sys/replication/dr/status"
+ apiRepStatusPath = "/v1/sys/replication/status"
+)
+
+type ClusterInfo struct {
+ APIAddr string `json:"api_address,omitempty" mapstructure:"api_address"`
+ ClusterAddress string `json:"cluster_address,omitempty" mapstructure:"cluster_address"`
+ ConnectionStatus string `json:"connection_status,omitempty" mapstructure:"connection_status"`
+ LastHeartBeat string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"`
+ LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"`
+ ClockSkewMillis string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"`
+ NodeID string `json:"node_id,omitempty" mapstructure:"node_id"`
+}
+
+type ReplicationStatusGenericResponse struct {
+ LastDRWAL uint64 `json:"last_dr_wal,omitempty" mapstructure:"last_dr_wal"`
+ LastReindexEpoch string `json:"last_reindex_epoch,omitempty" mapstructure:"last_reindex_epoch"`
+ ClusterID string `json:"cluster_id,omitempty" mapstructure:"cluster_id"`
+ LastWAL uint64 `json:"last_wal,omitempty" mapstructure:"last_wal"`
+ MerkleRoot string `json:"merkle_root,omitempty" mapstructure:"merkle_root"`
+ Mode string `json:"mode,omitempty" mapstructure:"mode"`
+ PrimaryClusterAddr string `json:"primary_cluster_addr,omitempty" mapstructure:"primary_cluster_addr"`
+ LastPerformanceWAL uint64 `json:"last_performance_wal,omitempty" mapstructure:"last_performance_wal"`
+ State string `json:"state,omitempty" mapstructure:"state"`
+ LastRemoteWAL uint64 `json:"last_remote_wal,omitempty" mapstructure:"last_remote_wal"`
+ SecondaryID string `json:"secondary_id,omitempty" mapstructure:"secondary_id"`
+ SSCTGenerationCounter uint64 `json:"ssct_generation_counter,omitempty" mapstructure:"ssct_generation_counter"`
+
+ KnownSecondaries []string `json:"known_secondaries,omitempty" mapstructure:"known_secondaries"`
+ KnownPrimaryClusterAddrs []string `json:"known_primary_cluster_addrs,omitempty" mapstructure:"known_primary_cluster_addrs"`
+ Primaries []ClusterInfo `json:"primaries,omitempty" mapstructure:"primaries"`
+ Secondaries []ClusterInfo `json:"secondaries,omitempty" mapstructure:"secondaries"`
+}
+
+type ReplicationStatusResponse struct {
+ DR ReplicationStatusGenericResponse `json:"dr,omitempty" mapstructure:"dr"`
+ Performance ReplicationStatusGenericResponse `json:"performance,omitempty" mapstructure:"performance"`
+}
+
+func (c *Sys) ReplicationStatus() (*ReplicationStatusResponse, error) {
+ return c.ReplicationStatusWithContext(context.Background(), apiRepStatusPath)
+}
+
+func (c *Sys) ReplicationPerformanceStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {
+ s, err := c.ReplicationStatusWithContext(ctx, apiRepPerformanceStatusPath)
+ if err != nil {
+ return nil, err
+ }
+
+ return &s.Performance, nil
+}
+
+func (c *Sys) ReplicationDRStatusWithContext(ctx context.Context) (*ReplicationStatusGenericResponse, error) {
+ s, err := c.ReplicationStatusWithContext(ctx, apiRepDRStatusPath)
+ if err != nil {
+ return nil, err
+ }
+
+ return &s.DR, nil
+}
+
+func (c *Sys) ReplicationStatusWithContext(ctx context.Context, path string) (*ReplicationStatusResponse, error) {
+ // default to replication/status
+ if path == "" {
+ path = apiRepStatusPath
+ }
+
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest(http.MethodGet, path)
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ defer func() { _ = resp.Body.Close() }()
+
+ // First decode response into a map[string]interface{}
+ data := make(map[string]interface{})
+ dec := json.NewDecoder(resp.Body)
+ dec.UseNumber()
+ if err := dec.Decode(&data); err != nil {
+ return nil, err
+ }
+
+ rawData, ok := data["data"]
+ if !ok {
+ return nil, fmt.Errorf("empty data in replication status response")
+ }
+
+ s := &ReplicationStatusResponse{}
+ g := &ReplicationStatusGenericResponse{}
+ switch {
+ case path == apiRepPerformanceStatusPath:
+ err = mapstructure.Decode(rawData, g)
+ if err != nil {
+ return nil, err
+ }
+ s.Performance = *g
+ case path == apiRepDRStatusPath:
+ err = mapstructure.Decode(rawData, g)
+ if err != nil {
+ return nil, err
+ }
+ s.DR = *g
+ default:
+ err = mapstructure.Decode(rawData, s)
+ if err != nil {
+ return nil, err
+ }
+ return s, err
+ }
+
+ return s, err
+}
diff --git a/vendor/github.com/hashicorp/vault/api/request.go b/vendor/github.com/hashicorp/vault/api/request.go
index ecf7837..a2d912c 100644
--- a/vendor/github.com/hashicorp/vault/api/request.go
+++ b/vendor/github.com/hashicorp/vault/api/request.go
@@ -39,6 +39,9 @@ type Request struct {
// EGPs). If set, the override flag will take effect for all policies
// evaluated during the request.
PolicyOverride bool
+
+ // HCPCookie is used to set a http cookie when client is connected to HCP
+ HCPCookie *http.Cookie
}
// SetJSONBody is used to set a request body that is a JSON-encoded value.
@@ -145,5 +148,9 @@ func (r *Request) toRetryableHTTP() (*retryablehttp.Request, error) {
req.Header.Set("X-Vault-Policy-Override", "true")
}
+ if r.HCPCookie != nil {
+ req.AddCookie(r.HCPCookie)
+ }
+
return req, nil
}
diff --git a/vendor/github.com/hashicorp/vault/api/secret.go b/vendor/github.com/hashicorp/vault/api/secret.go
index be159d7..d37bf3c 100644
--- a/vendor/github.com/hashicorp/vault/api/secret.go
+++ b/vendor/github.com/hashicorp/vault/api/secret.go
@@ -42,6 +42,10 @@ type Secret struct {
// cubbyhole of the given token (which has a TTL of the given number of
// seconds)
WrapInfo *SecretWrapInfo `json:"wrap_info,omitempty"`
+
+ // MountType, if non-empty, provides some information about what kind
+ // of mount this secret came from.
+ MountType string `json:"mount_type,omitempty"`
}
// TokenID returns the standardized token ID (token) for the given secret.
@@ -150,8 +154,8 @@ TOKEN_DONE:
// Identity policies
{
- _, ok := s.Data["identity_policies"]
- if !ok {
+ v, ok := s.Data["identity_policies"]
+ if !ok || v == nil {
goto DONE
}
diff --git a/vendor/github.com/hashicorp/vault/api/sudo_paths.go b/vendor/github.com/hashicorp/vault/api/sudo_paths.go
new file mode 100644
index 0000000..24beb4b
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/sudo_paths.go
@@ -0,0 +1,87 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+ "regexp"
+)
+
+// sudoPaths is a map containing the paths that require a token's policy
+// to have the "sudo" capability. The keys are the paths as strings, in
+// the same format as they are returned by the OpenAPI spec. The values
+// are the regular expressions that can be used to test whether a given
+// path matches that path or not (useful specifically for the paths that
+// contain templated fields.)
+var sudoPaths = map[string]*regexp.Regexp{
+ "/auth/token/accessors": regexp.MustCompile(`^/auth/token/accessors/?$`),
+ "/auth/token/revoke-orphan": regexp.MustCompile(`^/auth/token/revoke-orphan$`),
+ "/pki/root": regexp.MustCompile(`^/pki/root$`),
+ "/pki/root/sign-self-issued": regexp.MustCompile(`^/pki/root/sign-self-issued$`),
+ "/sys/audit": regexp.MustCompile(`^/sys/audit$`),
+ "/sys/audit/{path}": regexp.MustCompile(`^/sys/audit/.+$`),
+ "/sys/auth/{path}": regexp.MustCompile(`^/sys/auth/.+$`),
+ "/sys/auth/{path}/tune": regexp.MustCompile(`^/sys/auth/.+/tune$`),
+ "/sys/config/auditing/request-headers": regexp.MustCompile(`^/sys/config/auditing/request-headers$`),
+ "/sys/config/auditing/request-headers/{header}": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),
+ "/sys/config/cors": regexp.MustCompile(`^/sys/config/cors$`),
+ "/sys/config/ui/headers": regexp.MustCompile(`^/sys/config/ui/headers/?$`),
+ "/sys/config/ui/headers/{header}": regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
+ "/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
+ "/sys/leases": regexp.MustCompile(`^/sys/leases$`),
+ // This entry is a bit wrong... sys/leases/lookup does NOT require sudo. But sys/leases/lookup/ with a trailing
+ // slash DOES require sudo. But the part of the Vault CLI that uses this logic doesn't pass operation-appropriate
+ // trailing slashes, it always strips them off, so we end up giving the wrong answer for one of these.
+ "/sys/leases/lookup/{prefix}": regexp.MustCompile(`^/sys/leases/lookup(?:/.+)?$`),
+ "/sys/leases/revoke-force/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),
+ "/sys/leases/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),
+ "/sys/plugins/catalog/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[^/]+$`),
+ "/sys/plugins/catalog/{type}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+$`),
+ "/sys/plugins/catalog/{type}/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+/[^/]+$`),
+ "/sys/plugins/runtimes/catalog": regexp.MustCompile(`^/sys/plugins/runtimes/catalog/?$`),
+ "/sys/plugins/runtimes/catalog/{type}/{name}": regexp.MustCompile(`^/sys/plugins/runtimes/catalog/[\w-]+/[^/]+$`),
+ "/sys/raw/{path}": regexp.MustCompile(`^/sys/raw(?:/.+)?$`),
+ "/sys/remount": regexp.MustCompile(`^/sys/remount$`),
+ "/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`),
+ "/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`),
+ "/sys/rotate": regexp.MustCompile(`^/sys/rotate$`),
+ "/sys/seal": regexp.MustCompile(`^/sys/seal$`),
+ "/sys/step-down": regexp.MustCompile(`^/sys/step-down$`),
+
+ // enterprise-only paths
+ "/sys/replication/dr/primary/secondary-token": regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),
+ "/sys/replication/performance/primary/secondary-token": regexp.MustCompile(`^/sys/replication/performance/primary/secondary-token$`),
+ "/sys/replication/primary/secondary-token": regexp.MustCompile(`^/sys/replication/primary/secondary-token$`),
+ "/sys/replication/reindex": regexp.MustCompile(`^/sys/replication/reindex$`),
+ "/sys/storage/raft/snapshot-auto/config": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),
+ "/sys/storage/raft/snapshot-auto/config/{name}": regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),
+}
+
+func SudoPaths() map[string]*regexp.Regexp {
+ return sudoPaths
+}
+
+// Determine whether the given path requires the sudo capability.
+// Note that this uses hardcoded static path information, so will return incorrect results for paths in namespaces,
+// or for secret engines mounted at non-default paths.
+// Expects to receive a path with an initial slash, but no trailing slashes, as the Vault CLI (the only known and
+// expected user of this function) sanitizes its paths that way.
+func IsSudoPath(path string) bool {
+ // Return early if the path is any of the non-templated sudo paths.
+ if _, ok := sudoPaths[path]; ok {
+ return true
+ }
+
+ // Some sudo paths have templated fields in them.
+ // (e.g. /sys/revoke-prefix/{prefix})
+ // The values in the sudoPaths map are actually regular expressions,
+ // so we can check if our path matches against them.
+ for _, sudoPathRegexp := range sudoPaths {
+ match := sudoPathRegexp.MatchString(path)
+ if match {
+ return true
+ }
+ }
+
+ return false
+}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_capabilities.go b/vendor/github.com/hashicorp/vault/api/sys_capabilities.go
index 6310d42..d57b757 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_capabilities.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_capabilities.go
@@ -78,3 +78,56 @@ func (c *Sys) CapabilitiesWithContext(ctx context.Context, token, path string) (
return res, nil
}
+
+func (c *Sys) CapabilitiesAccessor(accessor, path string) ([]string, error) {
+ return c.CapabilitiesAccessorWithContext(context.Background(), accessor, path)
+}
+
+func (c *Sys) CapabilitiesAccessorWithContext(ctx context.Context, accessor, path string) ([]string, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ body := map[string]string{
+ "accessor": accessor,
+ "path": path,
+ }
+
+ reqPath := "/v1/sys/capabilities-accessor"
+
+ r := c.c.NewRequest(http.MethodPost, reqPath)
+ if err := r.SetJSONBody(body); err != nil {
+ return nil, err
+ }
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+
+ var res []string
+ err = mapstructure.Decode(secret.Data[path], &res)
+ if err != nil {
+ return nil, err
+ }
+
+ if len(res) == 0 {
+ _, ok := secret.Data["capabilities"]
+ if ok {
+ err = mapstructure.Decode(secret.Data["capabilities"], &res)
+ if err != nil {
+ return nil, err
+ }
+ }
+ }
+
+ return res, nil
+}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_hastatus.go b/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
index 2b2aa7c..58a73b8 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_hastatus.go
@@ -35,12 +35,14 @@ type HAStatusResponse struct {
}
type HANode struct {
- Hostname string `json:"hostname"`
- APIAddress string `json:"api_address"`
- ClusterAddress string `json:"cluster_address"`
- ActiveNode bool `json:"active_node"`
- LastEcho *time.Time `json:"last_echo"`
- Version string `json:"version"`
- UpgradeVersion string `json:"upgrade_version,omitempty"`
- RedundancyZone string `json:"redundancy_zone,omitempty"`
+ Hostname string `json:"hostname"`
+ APIAddress string `json:"api_address"`
+ ClusterAddress string `json:"cluster_address"`
+ ActiveNode bool `json:"active_node"`
+ LastEcho *time.Time `json:"last_echo"`
+ EchoDurationMillis int64 `json:"echo_duration_ms"`
+ ClockSkewMillis int64 `json:"clock_skew_ms"`
+ Version string `json:"version"`
+ UpgradeVersion string `json:"upgrade_version,omitempty"`
+ RedundancyZone string `json:"redundancy_zone,omitempty"`
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_health.go b/vendor/github.com/hashicorp/vault/api/sys_health.go
index 13fd8d4..0dc8498 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_health.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_health.go
@@ -49,4 +49,7 @@ type HealthResponse struct {
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
LastWAL uint64 `json:"last_wal,omitempty"`
+ Enterprise bool `json:"enterprise"`
+ EchoDurationMillis int64 `json:"echo_duration_ms"`
+ ClockSkewMillis int64 `json:"clock_skew_ms"`
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_mounts.go b/vendor/github.com/hashicorp/vault/api/sys_mounts.go
index a6c2a0f..b9f4f8f 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_mounts.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_mounts.go
@@ -271,6 +271,9 @@ type MountConfigInput struct {
AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
PluginVersion string `json:"plugin_version,omitempty"`
UserLockoutConfig *UserLockoutConfigInput `json:"user_lockout_config,omitempty"`
+ DelegatedAuthAccessors []string `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
+ IdentityTokenKey string `json:"identity_token_key,omitempty" mapstructure:"identity_token_key"`
+
// Deprecated: This field will always be blank for newer server responses.
PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
}
@@ -303,6 +306,9 @@ type MountConfigOutput struct {
TokenType string `json:"token_type,omitempty" mapstructure:"token_type"`
AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
UserLockoutConfig *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"`
+ DelegatedAuthAccessors []string `json:"delegated_auth_accessors,omitempty" mapstructure:"delegated_auth_accessors"`
+ IdentityTokenKey string `json:"identity_token_key,omitempty" mapstructure:"identity_token_key"`
+
// Deprecated: This field will always be blank for newer server responses.
PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_plugins.go b/vendor/github.com/hashicorp/vault/api/sys_plugins.go
index 2ee024d..9d424d0 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_plugins.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_plugins.go
@@ -36,6 +36,8 @@ type ListPluginsResponse struct {
type PluginDetails struct {
Type string `json:"type"`
Name string `json:"name"`
+ OCIImage string `json:"oci_image,omitempty" mapstructure:"oci_image"`
+ Runtime string `json:"runtime,omitempty"`
Version string `json:"version,omitempty"`
Builtin bool `json:"builtin"`
DeprecationStatus string `json:"deprecation_status,omitempty" mapstructure:"deprecation_status"`
@@ -146,6 +148,8 @@ type GetPluginResponse struct {
Command string `json:"command"`
Name string `json:"name"`
SHA256 string `json:"sha256"`
+ OCIImage string `json:"oci_image,omitempty"`
+ Runtime string `json:"runtime,omitempty"`
DeprecationStatus string `json:"deprecation_status,omitempty"`
Version string `json:"version,omitempty"`
}
@@ -201,6 +205,16 @@ type RegisterPluginInput struct {
// Version is the optional version of the plugin being registered
Version string `json:"version,omitempty"`
+
+ // OCIImage specifies the container image to run as a plugin.
+ OCIImage string `json:"oci_image,omitempty"`
+
+ // Runtime is the Vault plugin runtime to use when running the plugin.
+ Runtime string `json:"runtime,omitempty"`
+
+ // Env specifies a list of key=value pairs to add to the plugin's environment
+ // variables.
+ Env []string `json:"env,omitempty"`
}
// RegisterPlugin wraps RegisterPluginWithContext using context.Background.
@@ -260,6 +274,22 @@ func (c *Sys) DeregisterPluginWithContext(ctx context.Context, i *DeregisterPlug
return err
}
+// RootReloadPluginInput is used as input to the RootReloadPlugin function.
+type RootReloadPluginInput struct {
+ Plugin string `json:"-"` // Plugin name, as registered in the plugin catalog.
+ Type PluginType `json:"-"` // Plugin type: auth, secret, or database.
+ Scope string `json:"scope,omitempty"` // Empty to reload on current node, "global" for all nodes.
+}
+
+// RootReloadPlugin reloads plugins, possibly returning reloadID for a global
+// scoped reload. This is only available in the root namespace, and reloads
+// plugins across all namespaces, whereas ReloadPlugin is available in all
+// namespaces but only reloads plugins in use in the request's namespace.
+func (c *Sys) RootReloadPlugin(ctx context.Context, i *RootReloadPluginInput) (string, error) {
+ path := fmt.Sprintf("/v1/sys/plugins/reload/%s/%s", i.Type.String(), i.Plugin)
+ return c.reloadPluginInternal(ctx, path, i, i.Scope == "global")
+}
+
// ReloadPluginInput is used as input to the ReloadPlugin function.
type ReloadPluginInput struct {
// Plugin is the name of the plugin to reload, as registered in the plugin catalog
@@ -278,15 +308,20 @@ func (c *Sys) ReloadPlugin(i *ReloadPluginInput) (string, error) {
}
// ReloadPluginWithContext reloads mounted plugin backends, possibly returning
-// reloadId for a cluster scoped reload
+// reloadID for a cluster scoped reload. It is limited to reloading plugins that
+// are in use in the request's namespace. See RootReloadPlugin for an API that
+// can reload plugins across all namespaces.
func (c *Sys) ReloadPluginWithContext(ctx context.Context, i *ReloadPluginInput) (string, error) {
+ return c.reloadPluginInternal(ctx, "/v1/sys/plugins/reload/backend", i, i.Scope == "global")
+}
+
+func (c *Sys) reloadPluginInternal(ctx context.Context, path string, body any, global bool) (string, error) {
ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
defer cancelFunc()
- path := "/v1/sys/plugins/reload/backend"
req := c.c.NewRequest(http.MethodPut, path)
- if err := req.SetJSONBody(i); err != nil {
+ if err := req.SetJSONBody(body); err != nil {
return "", err
}
@@ -296,7 +331,7 @@ func (c *Sys) ReloadPluginWithContext(ctx context.Context, i *ReloadPluginInput)
}
defer resp.Body.Close()
- if i.Scope == "global" {
+ if global {
// Get the reload id
secret, parseErr := ParseSecret(resp.Body)
if parseErr != nil {
diff --git a/vendor/github.com/hashicorp/vault/api/sys_plugins_runtimes.go b/vendor/github.com/hashicorp/vault/api/sys_plugins_runtimes.go
new file mode 100644
index 0000000..b56a899
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/sys_plugins_runtimes.go
@@ -0,0 +1,190 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "net/http"
+
+ "github.com/mitchellh/mapstructure"
+)
+
+// GetPluginRuntimeInput is used as input to the GetPluginRuntime function.
+type GetPluginRuntimeInput struct {
+ Name string `json:"-"`
+
+ // Type of the plugin runtime. Required.
+ Type PluginRuntimeType `json:"type"`
+}
+
+// GetPluginRuntimeResponse is the response from the GetPluginRuntime call.
+type GetPluginRuntimeResponse struct {
+ Type string `json:"type"`
+ Name string `json:"name"`
+ OCIRuntime string `json:"oci_runtime"`
+ CgroupParent string `json:"cgroup_parent"`
+ CPU int64 `json:"cpu_nanos"`
+ Memory int64 `json:"memory_bytes"`
+}
+
+// GetPluginRuntime retrieves information about the plugin.
+func (c *Sys) GetPluginRuntime(ctx context.Context, i *GetPluginRuntimeInput) (*GetPluginRuntimeResponse, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
+ req := c.c.NewRequest(http.MethodGet, path)
+
+ resp, err := c.c.rawRequestWithContext(ctx, req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ var result struct {
+ Data *GetPluginRuntimeResponse
+ }
+ err = resp.DecodeJSON(&result)
+ if err != nil {
+ return nil, err
+ }
+ return result.Data, err
+}
+
+// RegisterPluginRuntimeInput is used as input to the RegisterPluginRuntime function.
+type RegisterPluginRuntimeInput struct {
+ // Name is the name of the plugin. Required.
+ Name string `json:"-"`
+
+ // Type of the plugin. Required.
+ Type PluginRuntimeType `json:"type"`
+
+ OCIRuntime string `json:"oci_runtime,omitempty"`
+ CgroupParent string `json:"cgroup_parent,omitempty"`
+ CPU int64 `json:"cpu_nanos,omitempty"`
+ Memory int64 `json:"memory_bytes,omitempty"`
+ Rootless bool `json:"rootless,omitempty"`
+}
+
+// RegisterPluginRuntime registers the plugin with the given information.
+func (c *Sys) RegisterPluginRuntime(ctx context.Context, i *RegisterPluginRuntimeInput) error {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
+ req := c.c.NewRequest(http.MethodPut, path)
+
+ if err := req.SetJSONBody(i); err != nil {
+ return err
+ }
+
+ resp, err := c.c.rawRequestWithContext(ctx, req)
+ if err == nil {
+ defer resp.Body.Close()
+ }
+ return err
+}
+
+// DeregisterPluginRuntimeInput is used as input to the DeregisterPluginRuntime function.
+type DeregisterPluginRuntimeInput struct {
+ // Name is the name of the plugin runtime. Required.
+ Name string `json:"-"`
+
+ // Type of the plugin. Required.
+ Type PluginRuntimeType `json:"type"`
+}
+
+// DeregisterPluginRuntime removes the plugin with the given name from the plugin
+// catalog.
+func (c *Sys) DeregisterPluginRuntime(ctx context.Context, i *DeregisterPluginRuntimeInput) error {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ path := pluginRuntimeCatalogPathByType(i.Type, i.Name)
+ req := c.c.NewRequest(http.MethodDelete, path)
+ resp, err := c.c.rawRequestWithContext(ctx, req)
+ if err == nil {
+ defer resp.Body.Close()
+ }
+ return err
+}
+
+type PluginRuntimeDetails struct {
+ Type string `json:"type" mapstructure:"type"`
+ Name string `json:"name" mapstructure:"name"`
+ OCIRuntime string `json:"oci_runtime" mapstructure:"oci_runtime"`
+ CgroupParent string `json:"cgroup_parent" mapstructure:"cgroup_parent"`
+ CPU int64 `json:"cpu_nanos" mapstructure:"cpu_nanos"`
+ Memory int64 `json:"memory_bytes" mapstructure:"memory_bytes"`
+}
+
+// ListPluginRuntimesInput is used as input to the ListPluginRuntimes function.
+type ListPluginRuntimesInput struct {
+ // Type of the plugin. Required.
+ Type PluginRuntimeType `json:"type"`
+}
+
+// ListPluginRuntimesResponse is the response from the ListPluginRuntimes call.
+type ListPluginRuntimesResponse struct {
+ // RuntimesByType is the list of plugin runtimes by type.
+ Runtimes []PluginRuntimeDetails `json:"runtimes"`
+}
+
+// ListPluginRuntimes lists all plugin runtimes in the catalog and returns their names as a
+// list of strings.
+func (c *Sys) ListPluginRuntimes(ctx context.Context, input *ListPluginRuntimesInput) (*ListPluginRuntimesResponse, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ if input != nil && input.Type == PluginRuntimeTypeUnsupported {
+ return nil, fmt.Errorf("%q is not a supported runtime type", input.Type.String())
+ }
+
+ resp, err := c.c.rawRequestWithContext(ctx, c.c.NewRequest(http.MethodGet, "/v1/sys/plugins/runtimes/catalog"))
+ if err != nil && resp == nil {
+ return nil, err
+ }
+ if resp == nil {
+ return nil, nil
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+ if _, ok := secret.Data["runtimes"]; !ok {
+ return nil, fmt.Errorf("data from server response does not contain runtimes")
+ }
+
+ var runtimes []PluginRuntimeDetails
+ if err = mapstructure.Decode(secret.Data["runtimes"], &runtimes); err != nil {
+ return nil, err
+ }
+
+ // return all runtimes in the catalog
+ if input == nil {
+ return &ListPluginRuntimesResponse{Runtimes: runtimes}, nil
+ }
+
+ result := &ListPluginRuntimesResponse{
+ Runtimes: []PluginRuntimeDetails{},
+ }
+ for _, runtime := range runtimes {
+ if runtime.Type == input.Type.String() {
+ result.Runtimes = append(result.Runtimes, runtime)
+ }
+ }
+ return result, nil
+}
+
+// pluginRuntimeCatalogPathByType is a helper to construct the proper API path by plugin type
+func pluginRuntimeCatalogPathByType(runtimeType PluginRuntimeType, name string) string {
+ return fmt.Sprintf("/v1/sys/plugins/runtimes/catalog/%s/%s", runtimeType, name)
+}
diff --git a/vendor/github.com/hashicorp/vault/api/sys_raft.go b/vendor/github.com/hashicorp/vault/api/sys_raft.go
index 29bfed0..4b9487c 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_raft.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_raft.go
@@ -276,11 +276,19 @@ func (c *Sys) RaftAutopilotState() (*AutopilotState, error) {
return c.RaftAutopilotStateWithContext(context.Background())
}
+// RaftAutopilotStateWithToken wraps RaftAutopilotStateWithContext using the given token.
+func (c *Sys) RaftAutopilotStateWithDRToken(drToken string) (*AutopilotState, error) {
+ return c.RaftAutopilotStateWithContext(context.WithValue(context.Background(), "dr-token", drToken))
+}
+
// RaftAutopilotStateWithContext returns the state of the raft cluster as seen by autopilot.
func (c *Sys) RaftAutopilotStateWithContext(ctx context.Context) (*AutopilotState, error) {
ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
defer cancelFunc()
+ if ctx.Value("dr-token") != nil {
+ c.c.SetToken(ctx.Value("dr-token").(string))
+ }
r := c.c.NewRequest(http.MethodGet, "/v1/sys/storage/raft/autopilot/state")
resp, err := c.c.rawRequestWithContext(ctx, r)
@@ -316,11 +324,20 @@ func (c *Sys) RaftAutopilotConfiguration() (*AutopilotConfig, error) {
return c.RaftAutopilotConfigurationWithContext(context.Background())
}
+// RaftAutopilotConfigurationWithDRToken wraps RaftAutopilotConfigurationWithContext using the given token.
+func (c *Sys) RaftAutopilotConfigurationWithDRToken(drToken string) (*AutopilotConfig, error) {
+ return c.RaftAutopilotConfigurationWithContext(context.WithValue(context.Background(), "dr-token", drToken))
+}
+
// RaftAutopilotConfigurationWithContext fetches the autopilot config.
func (c *Sys) RaftAutopilotConfigurationWithContext(ctx context.Context) (*AutopilotConfig, error) {
ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
defer cancelFunc()
+ if ctx.Value("dr-token") != nil {
+ c.c.SetToken(ctx.Value("dr-token").(string))
+ }
+
r := c.c.NewRequest(http.MethodGet, "/v1/sys/storage/raft/autopilot/configuration")
resp, err := c.c.rawRequestWithContext(ctx, r)
diff --git a/vendor/github.com/hashicorp/vault/api/sys_seal.go b/vendor/github.com/hashicorp/vault/api/sys_seal.go
index 7a9c562..6200249 100644
--- a/vendor/github.com/hashicorp/vault/api/sys_seal.go
+++ b/vendor/github.com/hashicorp/vault/api/sys_seal.go
@@ -109,6 +109,7 @@ type SealStatusResponse struct {
ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"`
+ RecoverySealType string `json:"recovery_seal_type,omitempty"`
StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
diff --git a/vendor/github.com/hashicorp/vault/api/sys_ui_custom_message.go b/vendor/github.com/hashicorp/vault/api/sys_ui_custom_message.go
new file mode 100644
index 0000000..a129efe
--- /dev/null
+++ b/vendor/github.com/hashicorp/vault/api/sys_ui_custom_message.go
@@ -0,0 +1,281 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package api
+
+import (
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net/http"
+ "strconv"
+)
+
+const (
+ // baseEndpoint is the common base URL path for all endpoints used in this
+ // module.
+ baseEndpoint string = "/v1/sys/config/ui/custom-messages"
+)
+
+// ListUICustomMessages calls ListUICustomMessagesWithContext using a background
+// Context.
+func (c *Sys) ListUICustomMessages(req UICustomMessageListRequest) (*Secret, error) {
+ return c.ListUICustomMessagesWithContext(context.Background(), req)
+}
+
+// ListUICustomMessagesWithContext sends a request to the List custom messages
+// endpoint using the provided Context and UICustomMessageListRequest value as
+// the inputs. It returns a pointer to a Secret if a response was obtained from
+// the server, including error responses; or an error if a response could not be
+// obtained due to an error.
+func (c *Sys) ListUICustomMessagesWithContext(ctx context.Context, req UICustomMessageListRequest) (*Secret, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest("LIST", fmt.Sprintf("%s/", baseEndpoint))
+ if req.Active != nil {
+ r.Params.Add("active", strconv.FormatBool(*req.Active))
+ }
+ if req.Authenticated != nil {
+ r.Params.Add("authenticated", strconv.FormatBool(*req.Authenticated))
+ }
+ if req.Type != nil {
+ r.Params.Add("type", *req.Type)
+ }
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+
+ return secret, nil
+}
+
+// CreateUICustomMessage calls CreateUICustomMessageWithContext using a
+// background Context.
+func (c *Sys) CreateUICustomMessage(req UICustomMessageRequest) (*Secret, error) {
+ return c.CreateUICustomMessageWithContext(context.Background(), req)
+}
+
+// CreateUICustomMessageWithContext sends a request to the Create custom
+// messages endpoint using the provided Context and UICustomMessageRequest
+// values as the inputs. It returns a pointer to a Secret if a response was
+// obtained from the server, including error responses; or an error if a
+// response could not be obtained due to an error.
+func (c *Sys) CreateUICustomMessageWithContext(ctx context.Context, req UICustomMessageRequest) (*Secret, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest(http.MethodPost, baseEndpoint)
+ if err := r.SetJSONBody(&req); err != nil {
+ return nil, fmt.Errorf("error encoding request body to json: %w", err)
+ }
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, fmt.Errorf("error sending request to server: %w", err)
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse secret from server response: %w", err)
+ }
+
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+
+ return secret, nil
+}
+
+// ReadUICustomMessage calls ReadUICustomMessageWithContext using a background
+// Context.
+func (c *Sys) ReadUICustomMessage(id string) (*Secret, error) {
+ return c.ReadUICustomMessageWithContext(context.Background(), id)
+}
+
+// ReadUICustomMessageWithContext sends a request to the Read custom message
+// endpoint using the provided Context and id values. It returns a pointer to a
+// Secret if a response was obtained from the server, including error responses;
+// or an error if a response could not be obtained due to an error.
+func (c *Sys) ReadUICustomMessageWithContext(ctx context.Context, id string) (*Secret, error) {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest(http.MethodGet, fmt.Sprintf("%s/%s", baseEndpoint, id))
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return nil, fmt.Errorf("error sending request to server: %w", err)
+ }
+ defer resp.Body.Close()
+
+ secret, err := ParseSecret(resp.Body)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse secret from server response: %w", err)
+ }
+
+ if secret == nil || secret.Data == nil {
+ return nil, errors.New("data from server response is empty")
+ }
+
+ return secret, nil
+}
+
+// UpdateUICustomMessage calls UpdateUICustomMessageWithContext using a
+// background Context.
+func (c *Sys) UpdateUICustomMessage(id string, req UICustomMessageRequest) error {
+ return c.UpdateUICustomMessageWithContext(context.Background(), id, req)
+}
+
+// UpdateUICustomMessageWithContext sends a request to the Update custom message
+// endpoint using the provided Context, id, and UICustomMessageRequest values.
+// It returns a pointer to a Secret if a response was obtained from the server,
+// including error responses; or an error if a response could not be obtained
+// due to an error.
+func (c *Sys) UpdateUICustomMessageWithContext(ctx context.Context, id string, req UICustomMessageRequest) error {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest(http.MethodPost, fmt.Sprintf("%s/%s", baseEndpoint, id))
+ if err := r.SetJSONBody(&req); err != nil {
+ return fmt.Errorf("error encoding request body to json: %w", err)
+ }
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return fmt.Errorf("error sending request to server: %w", err)
+ }
+ defer resp.Body.Close()
+
+ return nil
+}
+
+// DeleteUICustomMessage calls DeleteUICustomMessageWithContext using a
+// background Context.
+func (c *Sys) DeleteUICustomMessage(id string) error {
+ return c.DeletePolicyWithContext(context.Background(), id)
+}
+
+// DeleteUICustomMessageWithContext sends a request to the Delete custom message
+// endpoint using the provided Context and id values. It returns a pointer to a
+// Secret if a response was obtained from the server, including error responses;
+// or an error if a response could not be obtained due to an error.
+func (c *Sys) DeleteUICustomMessageWithContext(ctx context.Context, id string) error {
+ ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+ defer cancelFunc()
+
+ r := c.c.NewRequest(http.MethodDelete, fmt.Sprintf("%s/%s", baseEndpoint, id))
+
+ resp, err := c.c.rawRequestWithContext(ctx, r)
+ if err != nil {
+ return fmt.Errorf("error sending request to server: %w", err)
+ }
+ defer resp.Body.Close()
+
+ return nil
+}
+
+// UICustomMessageListRequest is a struct used to contain inputs for the List
+// custom messages request. Each field is optional, so their types are pointers.
+// The With... methods can be used to easily set the fields with pointers to
+// values.
+type UICustomMessageListRequest struct {
+ Authenticated *bool
+ Type *string
+ Active *bool
+}
+
+// WithAuthenticated sets the Authenticated field to a pointer referencing the
+// provided bool value.
+func (r *UICustomMessageListRequest) WithAuthenticated(value bool) *UICustomMessageListRequest {
+ r.Authenticated = &value
+
+ return r
+}
+
+// WithType sets the Type field to a pointer referencing the provided string
+// value.
+func (r *UICustomMessageListRequest) WithType(value string) *UICustomMessageListRequest {
+ r.Type = &value
+
+ return r
+}
+
+// WithActive sets the Active field to a pointer referencing the provided bool
+// value.
+func (r *UICustomMessageListRequest) WithActive(value bool) *UICustomMessageListRequest {
+ r.Active = &value
+
+ return r
+}
+
+// UICustomMessageRequest is a struct containing the properties of a custom
+// message. The Link field can be set using the WithLink method.
+type UICustomMessageRequest struct {
+ Title string `json:"title"`
+ Message string `json:"message"`
+ Authenticated bool `json:"authenticated"`
+ Type string `json:"type"`
+ StartTime string `json:"start_time"`
+ EndTime string `json:"end_time,omitempty"`
+ Link *uiCustomMessageLink `json:"link,omitempty"`
+ Options map[string]any `json:"options,omitempty"`
+}
+
+// WithLink sets the Link field to the address of a new uiCustomMessageLink
+// struct constructed from the provided title and href values.
+func (r *UICustomMessageRequest) WithLink(title, href string) *UICustomMessageRequest {
+ r.Link = &uiCustomMessageLink{
+ Title: title,
+ Href: href,
+ }
+
+ return r
+}
+
+// uiCustomMessageLink is a utility struct used to represent a link associated
+// with a custom message.
+type uiCustomMessageLink struct {
+ Title string
+ Href string
+}
+
+// MarshalJSON encodes the state of the receiver uiCustomMessageLink as JSON and
+// returns those encoded bytes or an error.
+func (l uiCustomMessageLink) MarshalJSON() ([]byte, error) {
+ m := make(map[string]string)
+
+ m[l.Title] = l.Href
+
+ return json.Marshal(m)
+}
+
+// UnmarshalJSON updates the state of the receiver uiCustomMessageLink from the
+// provided JSON encoded bytes. It returns an error if there was a failure.
+func (l *uiCustomMessageLink) UnmarshalJSON(b []byte) error {
+ m := make(map[string]string)
+
+ if err := json.Unmarshal(b, &m); err != nil {
+ return err
+ }
+
+ for k, v := range m {
+ l.Title = k
+ l.Href = v
+ break
+ }
+
+ return nil
+}
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go
deleted file mode 100644
index a782834..0000000
--- a/vendor/golang.org/x/crypto/ed25519/ed25519.go
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
-//
-// These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
-// representation includes a public key suffix to make multiple signing
-// operations with the same key more efficient. This package refers to the RFC
-// 8032 private key as the “seed”.
-//
-// Beginning with Go 1.13, the functionality of this package was moved to the
-// standard library as crypto/ed25519. This package only acts as a compatibility
-// wrapper.
-package ed25519
-
-import (
- "crypto/ed25519"
- "io"
-)
-
-const (
- // PublicKeySize is the size, in bytes, of public keys as used in this package.
- PublicKeySize = 32
- // PrivateKeySize is the size, in bytes, of private keys as used in this package.
- PrivateKeySize = 64
- // SignatureSize is the size, in bytes, of signatures generated and verified by this package.
- SignatureSize = 64
- // SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
- SeedSize = 32
-)
-
-// PublicKey is the type of Ed25519 public keys.
-//
-// This type is an alias for crypto/ed25519's PublicKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PublicKey = ed25519.PublicKey
-
-// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
-//
-// This type is an alias for crypto/ed25519's PrivateKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PrivateKey = ed25519.PrivateKey
-
-// GenerateKey generates a public/private key pair using entropy from rand.
-// If rand is nil, crypto/rand.Reader will be used.
-func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
- return ed25519.GenerateKey(rand)
-}
-
-// NewKeyFromSeed calculates a private key from a seed. It will panic if
-// len(seed) is not SeedSize. This function is provided for interoperability
-// with RFC 8032. RFC 8032's private keys correspond to seeds in this
-// package.
-func NewKeyFromSeed(seed []byte) PrivateKey {
- return ed25519.NewKeyFromSeed(seed)
-}
-
-// Sign signs the message with privateKey and returns a signature. It will
-// panic if len(privateKey) is not PrivateKeySize.
-func Sign(privateKey PrivateKey, message []byte) []byte {
- return ed25519.Sign(privateKey, message)
-}
-
-// Verify reports whether sig is a valid signature of message by publicKey. It
-// will panic if len(publicKey) is not PublicKeySize.
-func Verify(publicKey PublicKey, message, sig []byte) bool {
- return ed25519.Verify(publicKey, message, sig)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc b/vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
deleted file mode 100644
index 730e569..0000000
--- a/vendor/gopkg.in/square/go-jose.v2/.gitcookies.sh.enc
+++ /dev/null
@@ -1 +0,0 @@
-'|&{tU|gG(�Cy=+�c:u:/p#~[�"4!nADK merged.coverprofile
-- $HOME/gopath/bin/goveralls -coverprofile merged.coverprofile -service=travis-ci
diff --git a/vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md b/vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
deleted file mode 100644
index 3305db0..0000000
--- a/vendor/gopkg.in/square/go-jose.v2/BUG-BOUNTY.md
+++ /dev/null
@@ -1,10 +0,0 @@
-Serious about security
-======================
-
-Square recognizes the important contributions the security research community
-can make. We therefore encourage reporting security issues with the code
-contained in this repository.
-
-If you believe you have discovered a security vulnerability, please follow the
-guidelines at .
-
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 668acd9..361046b 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -71,6 +71,12 @@ github.com/docker/go-units
# github.com/fatih/color v1.14.1
## explicit; go 1.17
github.com/fatih/color
+# github.com/go-jose/go-jose/v3 v3.0.3
+## explicit; go 1.12
+github.com/go-jose/go-jose/v3
+github.com/go-jose/go-jose/v3/cipher
+github.com/go-jose/go-jose/v3/json
+github.com/go-jose/go-jose/v3/jwt
# github.com/gogo/protobuf v1.3.2
## explicit; go 1.15
github.com/gogo/protobuf/proto
@@ -128,7 +134,7 @@ github.com/hashicorp/hcl/hcl/token
github.com/hashicorp/hcl/json/parser
github.com/hashicorp/hcl/json/scanner
github.com/hashicorp/hcl/json/token
-# github.com/hashicorp/vault/api v1.9.1
+# github.com/hashicorp/vault/api v1.12.0
## explicit; go 1.19
github.com/hashicorp/vault/api
# github.com/hashicorp/vault/api/auth/approle v0.4.0
@@ -258,7 +264,6 @@ go.uber.org/zap/internal/stacktrace
go.uber.org/zap/zapcore
# golang.org/x/crypto v0.21.0
## explicit; go 1.18
-golang.org/x/crypto/ed25519
golang.org/x/crypto/pbkdf2
# golang.org/x/mod v0.11.0
## explicit; go 1.17
@@ -341,12 +346,6 @@ gopkg.in/alecthomas/kingpin.v2
# gopkg.in/natefinch/lumberjack.v2 v2.2.1
## explicit; go 1.13
gopkg.in/natefinch/lumberjack.v2
-# gopkg.in/square/go-jose.v2 v2.6.0
-## explicit
-gopkg.in/square/go-jose.v2
-gopkg.in/square/go-jose.v2/cipher
-gopkg.in/square/go-jose.v2/json
-gopkg.in/square/go-jose.v2/jwt
# gopkg.in/yaml.v3 v3.0.1
## explicit
gopkg.in/yaml.v3