move from gopkg.in/square/go-jose.v2 to go-jose/go-jose (spiffe#4688)

* move from gopkg.in/square/go-jose.v2 to go-jose/go-jose

Signed-off-by: ajayk <[email protected]>

* maintain backcompat on aud claim

Signed-off-by: Andrew Harding <[email protected]>

---------

Signed-off-by: ajayk <[email protected]>
Signed-off-by: Andrew Harding <[email protected]>
Co-authored-by: Andrew Harding <[email protected]>

cmd/spire-server/cli/jwt/mint.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/mitchellh/cli"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
@@ -15,7 +16,6 @@ import (
 	commoncli "github.com/spiffe/spire/pkg/common/cli"
 	"github.com/spiffe/spire/pkg/common/cliprinter"
 	"github.com/spiffe/spire/pkg/common/diskutil"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func NewMintCommand() cli.Command {

cmd/spire-server/cli/jwt/mint_test.go

@@ -12,6 +12,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/cli/common"
@@ -21,8 +23,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var (
@@ -249,7 +249,7 @@ func TestMintRun(t *testing.T) {
     "issued_at": "0"
   }
 }`,
-			expStderr: "Unable to determine JWT-SVID lifetime: square/go-jose: compact JWS format must have three parts\n",
+			expStderr: "Unable to determine JWT-SVID lifetime: go-jose/go-jose: compact JWS format must have three parts\n",
 		},
 		{
 			name:     "expired token",

go.mod

@@ -35,6 +35,7 @@ require (
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/envoyproxy/go-control-plane v0.11.1
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
+	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/gofrs/uuid v4.4.0+incompatible
@@ -82,7 +83,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231120223509-83a465c0220f
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
-	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.28.4
 	k8s.io/apimachinery v0.28.4
 	k8s.io/client-go v0.28.4
@@ -177,7 +177,6 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
@@ -330,6 +329,7 @@ require (
 	gopkg.in/go-jose/go-jose.v2 v2.6.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect

pkg/agent/endpoints/workload/handler.go

@@ -185,6 +185,16 @@ func (h *Handler) ValidateJWTSVID(ctx context.Context, req *workload.ValidateJWT
 		}
 	}
 
+	// RFC 7519 structures `aud` as an array of StringOrURIs but has a special
+	// case where it MAY be specified as a single StringOrURI if there is only
+	// one audience. We have traditionally always returned it as an array but
+	// the JWT library we use now returns a single string when there is only
+	// one. To maintain backcompat, convert a single string value for the
+	// audience to a list.
+	if aud, ok := claims["aud"].(string); ok {
+		claims["aud"] = []string{aud}
+	}
+
 	s, err := structFromValues(claims)
 	if err != nil {
 		log.WithError(err).Error("Error deserializing claims from JWT-SVID")

pkg/agent/plugin/nodeattestor/azuremsi/msi_test.go

@@ -7,14 +7,14 @@ import (
 	"net/http"
 	"testing"
 
+	jose "github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
 	nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
 	"github.com/spiffe/spire/pkg/common/plugin/azure"
 	"github.com/spiffe/spire/test/plugintest"
 	"github.com/spiffe/spire/test/spiretest"
 	"google.golang.org/grpc/codes"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var (

pkg/agent/plugin/nodeattestor/gcpiit/iit_test.go

@@ -8,6 +8,9 @@ import (
 	"net/http/httptest"
 	"testing"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/cryptosigner"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
 	nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
 	"github.com/spiffe/spire/pkg/common/plugin/gcp"
@@ -16,9 +19,6 @@ import (
 	"github.com/spiffe/spire/test/testkey"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/cryptosigner"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const testServiceAccount = "test-service-account"

pkg/agent/plugin/nodeattestor/k8spsat/psat_test.go

@@ -7,15 +7,15 @@ import (
 	"path/filepath"
 	"testing"
 
+	jose "github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
 	nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
 	"github.com/spiffe/spire/pkg/common/pemutil"
 	sat_common "github.com/spiffe/spire/pkg/common/plugin/k8s"
 	"github.com/spiffe/spire/test/plugintest"
 	"github.com/spiffe/spire/test/spiretest"
 	"google.golang.org/grpc/codes"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var sampleKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY-----

pkg/common/bundleutil/marshal.go

@@ -5,8 +5,8 @@ import (
 	"encoding/json"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
-	"gopkg.in/square/go-jose.v2"
 )
 
 type marshalConfig struct {

pkg/common/bundleutil/types.go

@@ -1,7 +1,7 @@
 package bundleutil
 
 import (
-	"gopkg.in/square/go-jose.v2"
+	"github.com/go-jose/go-jose/v3"
 )
 
 const (

pkg/common/cryptoutil/keys.go

@@ -6,8 +6,8 @@ import (
 	"crypto/rsa"
 	"fmt"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/zeebo/errs"
-	"gopkg.in/square/go-jose.v2"
 )
 
 func RSAPublicKeyEqual(a, b *rsa.PublicKey) bool {

pkg/common/cryptoutil/keys_test.go

@@ -7,9 +7,9 @@ import (
 	"crypto/rsa"
 	"testing"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/spiffe/spire/test/testkey"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2"
 )
 
 func TestJoseAlgFromPublicKey(t *testing.T) {

pkg/common/jwtsvid/common.go

@@ -4,8 +4,8 @@ import (
 	"errors"
 	"time"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/zeebo/errs"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func GetTokenExpiry(token string) (time.Time, time.Time, error) {

pkg/common/jwtsvid/validate.go

@@ -7,10 +7,10 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/zeebo/errs"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 type KeyStore interface {

pkg/common/jwtsvid/validate_test.go

@@ -6,15 +6,15 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/cryptosigner"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/cryptoutil"
 	"github.com/spiffe/spire/test/clock"
 	"github.com/spiffe/spire/test/spiretest"
 	"github.com/spiffe/spire/test/testkey"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/cryptosigner"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var (

pkg/common/jwtutil/keyset.go

@@ -10,9 +10,9 @@ import (
 	"sync"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/sirupsen/logrus"
 	"github.com/zeebo/errs"
-	"gopkg.in/square/go-jose.v2"
 )
 
 const (

pkg/common/jwtutil/keyset_test.go

@@ -9,8 +9,8 @@ import (
 	"testing"
 	"time"
 
+	jose "github.com/go-jose/go-jose/v3"
 	"github.com/stretchr/testify/require"
-	jose "gopkg.in/square/go-jose.v2"
 )
 
 func TestDiscoverKeySetURI(t *testing.T) {

pkg/common/plugin/azure/msi.go

@@ -5,11 +5,11 @@ import (
 	"io"
 	"net/http"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/agentpathtemplate"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/zeebo/errs"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (

pkg/common/plugin/azure/msi_test.go

@@ -8,11 +8,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/agentpathtemplate"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func TestFetchMSIToken(t *testing.T) {

pkg/common/plugin/gcp/iit.go

@@ -1,10 +1,10 @@
 package gcp
 
 import (
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/agentpathtemplate"
 	"github.com/spiffe/spire/pkg/common/idutil"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (

pkg/common/plugin/k8s/utils.go

@@ -7,7 +7,7 @@ import (
 	"path"
 	"strings"
 
-	"gopkg.in/square/go-jose.v2/jwt"
+	"github.com/go-jose/go-jose/v3/jwt"
 	authv1 "k8s.io/api/authentication/v1"
 )
 

pkg/common/plugin/k8s/utils_test.go

@@ -6,8 +6,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	authv1 "k8s.io/api/authentication/v1"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (

pkg/server/api/svid/v1/service_test.go

@@ -34,10 +34,10 @@ import (
 	"github.com/spiffe/spire/test/testkey"
 	"github.com/stretchr/testify/require"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var (

pkg/server/ca/ca.go

@@ -11,6 +11,9 @@ import (
 	"time"
 
 	"github.com/andres-erbsen/clock"
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/cryptosigner"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/sirupsen/logrus"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/cryptoutil"
@@ -20,9 +23,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/pkg/server/credtemplate"
 	"github.com/spiffe/spire/pkg/server/credvalidator"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/cryptosigner"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (

pkg/server/credtemplate/builder.go

@@ -12,13 +12,13 @@ import (
 	"time"
 
 	"github.com/andres-erbsen/clock"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/idutil"
 	"github.com/spiffe/spire/pkg/common/x509svid"
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/pkg/server/api"
 	"github.com/spiffe/spire/pkg/server/plugin/credentialcomposer"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (

pkg/server/credtemplate/builder_test.go

@@ -13,6 +13,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	credentialcomposerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/credentialcomposer/v1"
 	"github.com/spiffe/spire/pkg/common/catalog"
@@ -25,7 +26,6 @@ import (
 	"github.com/spiffe/spire/test/testkey"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var (

pkg/server/credvalidator/validator.go

@@ -7,9 +7,9 @@ import (
 	"time"
 
 	"github.com/andres-erbsen/clock"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire/pkg/common/idutil"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 type Config struct {