From 96d300e9d7177dfb98439d18af8ca4f828f33075 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 24 Jan 2024 01:17:57 -0700 Subject: [PATCH] Bump github.com/lestrrat-go/jwx from 1.2.26 to 1.2.27 (#7924) Bumps [github.com/lestrrat-go/jwx](https://github.com/lestrrat-go/jwx) from 1.2.26 to 1.2.27. - [Release notes](https://github.com/lestrrat-go/jwx/releases) - [Changelog](https://github.com/lestrrat-go/jwx/blob/v1.2.27/Changes) - [Commits](https://github.com/lestrrat-go/jwx/compare/v1.2.26...v1.2.27) --- updated-dependencies: - dependency-name: github.com/lestrrat-go/jwx dependency-type: direct:production ... 
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 10 ++--
 go.sum | 19 ++++----
 .../lestrrat-go/blackmagic/blackmagic.go | 46 +++++++++++++++++--
 .../github.com/lestrrat-go/jwx/.golangci.yml | 10 ++++
 vendor/github.com/lestrrat-go/jwx/Changes | 12 +++++
 .../github.com/lestrrat-go/jwx/jwe/decrypt.go | 1 +
 .../github.com/lestrrat-go/jwx/jwe/headers.go | 2 +-
 .../lestrrat-go/jwx/jwe/interface.go | 7 +--
 .../jwx/jwe/internal/keyenc/keyenc.go | 2 +-
 vendor/github.com/lestrrat-go/jwx/jwe/jwe.go | 6 +--
 .../github.com/lestrrat-go/jwx/jwe/message.go | 5 ++
 .../lestrrat-go/jwx/jwk/interface.go | 1 -
 vendor/github.com/lestrrat-go/jwx/jwk/jwk.go | 18 ++++----
 .../github.com/lestrrat-go/jwx/jwk/key_ops.go | 2 +
 .../github.com/lestrrat-go/jwx/jwk/refresh.go | 25 +++++-----
 vendor/github.com/lestrrat-go/jwx/jwk/set.go | 4 +-
 .../github.com/lestrrat-go/jwx/jws/es256k.go | 1 +
 .../github.com/lestrrat-go/jwx/jws/headers.go | 2 +-
 .../lestrrat-go/jwx/jws/interface.go | 8 ++--
 vendor/github.com/lestrrat-go/jwx/jws/jws.go | 11 ++---
 vendor/github.com/lestrrat-go/jwx/jwt/http.go | 12 ++---
 vendor/github.com/lestrrat-go/jwx/jwt/jwt.go | 9 ++--
 .../github.com/lestrrat-go/jwx/jwt/options.go | 20 ++++----
 .../lestrrat-go/jwx/jwt/serialize.go | 14 +++---
 vendor/github.com/lestrrat-go/jwx/jwx.go | 10 ++--
 vendor/modules.txt | 17 ++++---
 26 files changed, 168 insertions(+), 106 deletions(-)
diff --git a/go.mod b/go.mod
index 4b141c3d42..c15dfde074 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/json-iterator/go v1.1.12
 github.com/kelseyhightower/envconfig v1.4.0
 github.com/kylelemons/godebug v1.1.1-0.20201107061927-e693023230a4
- github.com/lestrrat-go/jwx v1.2.26
+ github.com/lestrrat-go/jwx v1.2.27
 github.com/lib/pq v1.10.4
 github.com/miekg/dns v1.1.43
 github.com/onsi/ginkgo v1.16.5
@@ -48,9 +48,9 @@ require (
 github.com/pborman/getopt/v2 v2.1.0
 github.com/pkg/errors v0.9.1
 go.etcd.io/bbolt v1.3.6
- golang.org/x/crypto v0.9.0
+ golang.org/x/crypto v0.16.0
 golang.org/x/net v0.10.0
- golang.org/x/sys v0.8.0
+ golang.org/x/sys v0.15.0
 gopkg.in/DATA-DOG/go-sqlmock.v1 v1.3.0
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
@@ -67,7 +67,7 @@ require (
 github.com/hashicorp/errwrap v1.0.0 // indirect
 github.com/hashicorp/go-multierror v1.1.0 // indirect
 github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
- github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+ github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 github.com/lestrrat-go/httpcc v1.0.1 // indirect
 github.com/lestrrat-go/iter v1.0.2 // indirect
 github.com/lestrrat-go/option v1.0.1 // indirect
@@ -95,7 +95,7 @@ require (
 github.com/jcmturner/gofork v1.0.0 // indirect
 github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
- golang.org/x/text v0.9.0 // indirect
+ golang.org/x/text v0.14.0 // indirect
 gopkg.in/jcmturner/aescts.v1 v1.0.1 // indirect
 gopkg.in/jcmturner/dnsutils.v1 v1.0.1 // indirect
 gopkg.in/jcmturner/gokrb5.v7 v7.5.0 // indirect
diff --git a/go.sum b/go.sum
index 1b5971b37e..e4e316b934 100644
--- a/go.sum
+++ b/go.sum
@@ -938,14 +938,14 @@ github.com/labstack/echo/v4 v4.2.1/go.mod h1:AA49e0DZ8kk5jTOOCKNuPR6oTnBS0dYiM4F
 github.com/labstack/gommon v0.3.0/go.mod h1:MULnywXg0yavhxWKc+lOruYdAhDwPK9wf0OL7NoOu+k=
 github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
 github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
-github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
-github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
+github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx v1.2.26 h1:4iFo8FPRZGDYe1t19mQP0zTRqA7n8HnJ5lkIiDvJcB0=
-github.com/lestrrat-go/jwx v1.2.26/go.mod h1:MaiCdGbn3/cckbOFSCluJlJMmp9dmZm5hDuIkx8ftpQ=
+github.com/lestrrat-go/jwx v1.2.27 h1:cvnTnda/YzdyFuWdEAMkI6BsLtItSrASEVCI3C/IUEQ=
+github.com/lestrrat-go/jwx v1.2.27/go.mod h1:Stob9LjSqR3lOmNdxF0/TvZo60V3hUGv8Fr7Bwzla3k=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
@@ -1429,8 +1429,8 @@ golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1699,13 +1699,15 @@ golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1717,8 +1719,9 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/vendor/github.com/lestrrat-go/blackmagic/blackmagic.go b/vendor/github.com/lestrrat-go/blackmagic/blackmagic.go
index 8d1d468543..aa5704a21a 100644
--- a/vendor/github.com/lestrrat-go/blackmagic/blackmagic.go
+++ b/vendor/github.com/lestrrat-go/blackmagic/blackmagic.go
@@ -5,6 +5,43 @@ import (
 "reflect"
 )
 
+// AssignField is a convenience function to assign a value to
+// an optional struct field. In Go, an optional struct field is
+// usually denoted by a pointer to T instead of T:
+//
+// type Object struct {
+// Optional *T
+// }
+//
+// This gets a bit cumbersome when you want to assign literals
+// or you do not want to worry about taking the address of a
+// variable.
+//
+// Object.Optional = &"foo" // doesn't compile!
+//
+// Instead you can use this function to do it in one line:
+//
+// blackmagic.AssignOptionalField(&Object.Optionl, "foo")
+func AssignOptionalField(dst, src interface{}) error {
+ dstRV := reflect.ValueOf(dst)
+ srcRV := reflect.ValueOf(src)
+ if dstRV.Kind() != reflect.Pointer || dstRV.Elem().Kind() != reflect.Pointer {
+ return fmt.Errorf(`dst must be a pointer to a field that is turn a pointer of src (%T)`, src)
+ }
+
+ if !dstRV.Elem().CanSet() {
+ return fmt.Errorf(`dst (%T) is not assignable`, dstRV.Elem().Interface())
+ }
+ if !reflect.PtrTo(srcRV.Type()).AssignableTo(dstRV.Elem().Type()) {
+ return fmt.Errorf(`cannot assign src (%T) to dst (%T)`, src, dst)
+ }
+
+ ptr := reflect.New(srcRV.Type())
+ ptr.Elem().Set(srcRV)
+ dstRV.Elem().Set(ptr)
+ return nil
+}
+
 // AssignIfCompatible is a convenience function to safely
 // assign arbitrary values. dst must be a pointer to an
 // empty interface, or it must be a pointer to a compatible
@@ -15,19 +52,18 @@ func AssignIfCompatible(dst, src interface{}) error {
 
 // t can be a pointer or a slice, and the code will slightly change
 // depending on this
+ var isPtr bool
 var isSlice bool
 switch result.Kind() {
 case reflect.Ptr:
- // no op
+ isPtr = true
 case reflect.Slice:
 isSlice = true
- default:
- return fmt.Errorf("argument t to AssignIfCompatible must be a pointer or a slice: %T", src)
 }
 
 rv := reflect.ValueOf(dst)
 if rv.Kind() != reflect.Ptr {
- return fmt.Errorf(`argument to AssignIfCompatible() must be a pointer: %T`, dst)
+ return fmt.Errorf(`destination argument to AssignIfCompatible() must be a pointer: %T`, dst)
 }
 
 actualDst := rv.Elem()
@@ -37,7 +73,7 @@ func AssignIfCompatible(dst, src interface{}) error {
 default:
 // If it's a pointer to the struct we're looking for, we need to set
 // the de-referenced struct
- if !isSlice {
+ if !isSlice && isPtr {
 result = result.Elem()
 }
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/.golangci.yml b/vendor/github.com/lestrrat-go/jwx/.golangci.yml
index f2b0845290..b07a8c3bbd 100644
--- a/vendor/github.com/lestrrat-go/jwx/.golangci.yml
+++ b/vendor/github.com/lestrrat-go/jwx/.golangci.yml
@@ -10,10 +10,14 @@ linters-settings:
 linters:
 enable-all: true
 disable:
+ - contextcheck
 - cyclop
+ - depguard
+ - deadcode # deprecated
 - dupl
 - exhaustive
 - exhaustivestruct
+ - exhaustruct
 - errorlint
 - funlen
 - gci
@@ -30,22 +34,28 @@ linters:
 - gomnd
 - gomoddirectives # I think it's broken
 - gosec
+ - gosmopolitan
 - govet
 - interfacer # deprecated
+ - interfacebloat
 - ifshort
 - ireturn # No, I _LIKE_ returning interfaces
 - lll
 - maintidx # Do this in code review
 - maligned # deprecated
 - makezero
+ - nonamedreturns
 - nakedret
 - nestif
 - nlreturn
+ - nosnakecase # deprecated
 - paralleltest
 - scopelint # deprecated
+ - structcheck # deprecated
 - tagliatelle
 - testpackage
 - thelper # Tests are fine
+ - varcheck # deprecated
 - varnamelen # Short names are ok
 - wrapcheck
 - wsl
diff --git a/vendor/github.com/lestrrat-go/jwx/Changes b/vendor/github.com/lestrrat-go/jwx/Changes
index 428b16f65e..b5ad318258 100644
--- a/vendor/github.com/lestrrat-go/jwx/Changes
+++ b/vendor/github.com/lestrrat-go/jwx/Changes
@@ -1,6 +1,18 @@
 Changes
 =======
 
+v1.2.27 - 03 Dec 2023
+[Security]
+ * [jwe] A large number in p2c parameter for PBKDF2 based encryptions could cause a DoS attack,
+ similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users should upgrade, as
+ unlike v2, v1 attempts to decrypt JWEs on JWTs by default.
+ [GHSA-7f9x-gw85-8grf]
+
+[Bug Fixes]
+ * [jwk] jwk.Set(jwk.KeyOpsKey, ) now works (previously, either
+ Set(.., ) or Set(..., []jwk.KeyOperation{...}) worked, but not a single
+ jwk.KeyOperation
+
 v1.2.26 - 14 Jun 2023
 [Security]
 * Potential Padding Oracle Attack Vulnerability and Timing Attack Vulnerability
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/decrypt.go b/vendor/github.com/lestrrat-go/jwx/jwe/decrypt.go
index 4fc2ef30d6..863f59156b 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/decrypt.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/decrypt.go
@@ -22,6 +22,7 @@ import (
 
 // Decrypter is responsible for taking various components to decrypt a message.
 // its operation is not concurrency safe. You must provide locking yourself
+//
 //nolint:govet
 type Decrypter struct {
 aad []byte
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/headers.go b/vendor/github.com/lestrrat-go/jwx/jwe/headers.go
index eacbfda011..3310240f0f 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/headers.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/headers.go
@@ -69,7 +69,7 @@ func (h *stdHeaders) Clone(ctx context.Context) (Headers, error) {
 return dst, nil
 }
 
-func (h *stdHeaders) Copy(ctx context.Context, dst Headers) error {
+func (h *stdHeaders) Copy(_ context.Context, dst Headers) error {
 for _, pair := range h.makePairs() {
 //nolint:forcetypeassert
 key := pair.Key.(string)
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/interface.go b/vendor/github.com/lestrrat-go/jwx/jwe/interface.go
index c231208832..0807413326 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/interface.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/interface.go
@@ -31,15 +31,16 @@ type stdRecipient struct {
 // For example, it is totally valid for if the protected header's
 // integrity was calculated using a non-standard line breaks:
 //
-// {"a dummy":
-// "protected header"}
+// {"a dummy":
+// "protected header"}
 //
 // Once parsed, though, we can only serialize the protected header as:
 //
-// {"a dummy":"protected header"}
+// {"a dummy":"protected header"}
 //
 // which would obviously result in a contradicting integrity value
 // if we tried to re-calculate it from a parsed message.
+//
 //nolint:govet
 type Message struct {
 authenticatedData []byte
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/internal/keyenc/keyenc.go b/vendor/github.com/lestrrat-go/jwx/jwe/internal/keyenc/keyenc.go
index 706816ee42..8593212718 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/internal/keyenc/keyenc.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/internal/keyenc/keyenc.go
@@ -47,7 +47,7 @@ func (kw *Noop) KeyID() string {
 return kw.keyID
 }
 
-func (kw *Noop) Encrypt(cek []byte) (keygen.ByteSource, error) {
+func (kw *Noop) Encrypt(_ []byte) (keygen.ByteSource, error) {
 return keygen.ByteKey(kw.sharedkey), nil
 }
 
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go b/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go
index 8b45287f26..d26d14c222 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/jwe.go
@@ -365,13 +365,13 @@ func parseCompact(buf []byte, storeProtectedHeaders bool) (*Message, error) {
 //
 // In that case you would register a custom field as follows
 //
-// jwe.RegisterCustomField(`x-birthday`, timeT)
+// jwe.RegisterCustomField(`x-birthday`, timeT)
 //
 // Then `hdr.Get("x-birthday")` will still return an `interface{}`,
 // but you can convert its type to `time.Time`
 //
-// bdayif, _ := hdr.Get(`x-birthday`)
-// bday := bdayif.(time.Time)
+// bdayif, _ := hdr.Get(`x-birthday`)
+// bday := bdayif.(time.Time)
 func RegisterCustomField(name string, object interface{}) {
 registry.Register(name, object)
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jwe/message.go b/vendor/github.com/lestrrat-go/jwx/jwe/message.go
index 6609a69240..9559877e33 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwe/message.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwe/message.go
@@ -612,6 +612,11 @@ func doDecryptCtx(dctx *decryptCtx) ([]byte, error) {
 if !ok {
 return nil, errors.Errorf("unexpected type for 'p2c': %T", count)
 }
+ // in v1, this number is hardcoded to 10000. Use v2 if you need to
+ // finetune this value
+ if countFlt > 10000 {
+ return nil, errors.Errorf("invalid value for 'p2c'")
+ }
 salt, err := base64.DecodeString(saltB64Str)
 if err != nil {
 return nil, errors.Wrap(err, "failed to b64-decode 'salt'")
diff --git a/vendor/github.com/lestrrat-go/jwx/jwk/interface.go b/vendor/github.com/lestrrat-go/jwx/jwk/interface.go
index 9182f71242..326097dcdd 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwk/interface.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwk/interface.go
@@ -53,7 +53,6 @@ const (
 // Such private parameters can be accessed via the `Field()` method.
 // If a resource contains a single JWK instead of a JWK set, private parameters
 // are stored in _both_ the resulting `jwk.Set` object and the `jwk.Key` object .
-//
 type Set interface {
 // Add adds the specified key. If the key already exists in the set, it is
 // not added.
diff --git a/vendor/github.com/lestrrat-go/jwx/jwk/jwk.go b/vendor/github.com/lestrrat-go/jwx/jwk/jwk.go
index 0ef377c959..453ecf4431 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwk/jwk.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwk/jwk.go
@@ -39,10 +39,10 @@ func bigIntToBytes(n *big.Int) ([]byte, error) {
 // The constructor auto-detects the type of key to be instantiated
 // based on the input type:
 //
-// * "crypto/rsa".PrivateKey and "crypto/rsa".PublicKey creates an RSA based key
-// * "crypto/ecdsa".PrivateKey and "crypto/ecdsa".PublicKey creates an EC based key
-// * "crypto/ed25519".PrivateKey and "crypto/ed25519".PublicKey creates an OKP based key
-// * []byte creates a symmetric key
+// - "crypto/rsa".PrivateKey and "crypto/rsa".PublicKey creates an RSA based key
+// - "crypto/ecdsa".PrivateKey and "crypto/ecdsa".PublicKey creates an EC based key
+// - "crypto/ed25519".PrivateKey and "crypto/ed25519".PublicKey creates an OKP based key
+// - []byte creates a symmetric key
 func New(key interface{}) (Key, error) {
 if key == nil {
 return nil, errors.New(`jwk.New requires a non-nil key`)
@@ -636,8 +636,7 @@ func cloneKey(src Key) (Key, error) {
 // Pem serializes the given jwk.Key in PEM encoded ASN.1 DER format,
 // using either PKCS8 for private keys and PKIX for public keys.
 // If you need to encode using PKCS1 or SEC1, you must do it yourself.
-//
-// Argument must be of type jwk.Key or jwk.Set
+// The argument to this function must be of type jwk.Key or jwk.Set
 //
 // Currently only EC (including Ed25519) and RSA keys (and jwk.Set
 // comprised of these key types) are supported.
@@ -706,14 +705,13 @@ func asnEncode(key Key) (string, []byte, error) {
 //
 // In that case you would register a custom field as follows
 //
-// jwk.RegisterCustomField(`x-birthday`, timeT)
+// jwk.RegisterCustomField(`x-birthday`, timeT)
 //
 // Then `key.Get("x-birthday")` will still return an `interface{}`,
 // but you can convert its type to `time.Time`
 //
-// bdayif, _ := key.Get(`x-birthday`)
-// bday := bdayif.(time.Time)
-//
+// bdayif, _ := key.Get(`x-birthday`)
+// bday := bdayif.(time.Time)
 func RegisterCustomField(name string, object interface{}) {
 registry.Register(name, object)
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jwk/key_ops.go b/vendor/github.com/lestrrat-go/jwx/jwk/key_ops.go
index 01435f3c42..bc12efa5be 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwk/key_ops.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwk/key_ops.go
@@ -13,6 +13,8 @@ func (ops *KeyOperationList) Accept(v interface{}) error {
 switch x := v.(type) {
 case string:
 return ops.Accept([]string{x})
+ case KeyOperation:
+ return ops.Accept([]KeyOperation{x})
 case []interface{}:
 l := make([]string, len(x))
 for i, e := range x {
diff --git a/vendor/github.com/lestrrat-go/jwx/jwk/refresh.go b/vendor/github.com/lestrrat-go/jwx/jwk/refresh.go
index 0a8f75452a..e79ab7e819 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwk/refresh.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwk/refresh.go
@@ -18,8 +18,8 @@ import (
 // Before retrieving the jwk.Set objects, the user must pre-register the
 // URLs they intend to use by calling `Configure()`
 //
-// ar := jwk.NewAutoRefresh(ctx)
-// ar.Configure(url, options...)
+// ar := jwk.NewAutoRefresh(ctx)
+// ar.Configure(url, options...)
 //
 // Once registered, you can call `Fetch()` to retrieve the jwk.Set object.
 //
@@ -104,14 +104,14 @@ type resetTimerReq struct {
 // should mostly be set to a context that ends when the main loop/part of your
 // program exits:
 //
-// func MainLoop() {
-// ctx, cancel := context.WithCancel(context.Background())
-// defer cancel()
-// ar := jwk.AutoRefresh(ctx)
-// for ... {
-// ...
-// }
-// }
+// func MainLoop() {
+// ctx, cancel := context.WithCancel(context.Background())
+// defer cancel()
+// ar := jwk.AutoRefresh(ctx)
+// for ... {
+// ...
+// }
+// }
 func NewAutoRefresh(ctx context.Context) *AutoRefresh {
 af := &AutoRefresh{
 cache: make(map[string]Set),
@@ -154,8 +154,9 @@ func (af *AutoRefresh) Remove(url string) error {
 // Note that options are treated as a whole -- you can't just update
 // one value. For example, if you did:
 //
-// ar.Configure(url, jwk.WithHTTPClient(...))
-// ar.Configure(url, jwk.WithRefreshInterval(...))
+// ar.Configure(url, jwk.WithHTTPClient(...))
+// ar.Configure(url, jwk.WithRefreshInterval(...))
+//
 // The the end result is that `url` is ONLY associated with the options
 // given in the second call to `Configure()`, i.e. `jwk.WithRefreshInterval`.
 // The other unspecified options, including the HTTP client, is set to
diff --git a/vendor/github.com/lestrrat-go/jwx/jwk/set.go b/vendor/github.com/lestrrat-go/jwx/jwk/set.go
index d5e844af75..73ffcf540d 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwk/set.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwk/set.go
@@ -296,8 +296,6 @@ func (s *set) Clone() (Set, error) {
 
 s2.keys = make([]Key, len(s.keys))
 
- for i := 0; i < len(s.keys); i++ {
- s2.keys[i] = s.keys[i]
- }
+ copy(s2.keys, s.keys)
 return s2, nil
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jws/es256k.go b/vendor/github.com/lestrrat-go/jwx/jws/es256k.go
index fd5db88e80..d421988c6d 100644
--- a/vendor/github.com/lestrrat-go/jwx/jws/es256k.go
+++ b/vendor/github.com/lestrrat-go/jwx/jws/es256k.go
@@ -1,3 +1,4 @@
+//go:build jwx_es256k
 // +build jwx_es256k
 
 package jws
diff --git a/vendor/github.com/lestrrat-go/jwx/jws/headers.go b/vendor/github.com/lestrrat-go/jwx/jws/headers.go
index 9ca8f656e9..744f0071eb 100644
--- a/vendor/github.com/lestrrat-go/jwx/jws/headers.go
+++ b/vendor/github.com/lestrrat-go/jwx/jws/headers.go
@@ -34,7 +34,7 @@ func (h *stdHeaders) AsMap(ctx context.Context) (map[string]interface{}, error)
 return iter.AsMap(ctx, h)
 }
 
-func (h *stdHeaders) Copy(ctx context.Context, dst Headers) error {
+func (h *stdHeaders) Copy(_ context.Context, dst Headers) error {
 for _, pair := range h.makePairs() {
 //nolint:forcetypeassert
 key := pair.Key.(string)
diff --git a/vendor/github.com/lestrrat-go/jwx/jws/interface.go b/vendor/github.com/lestrrat-go/jwx/jws/interface.go
index aeee42b48f..407353c4d2 100644
--- a/vendor/github.com/lestrrat-go/jwx/jws/interface.go
+++ b/vendor/github.com/lestrrat-go/jwx/jws/interface.go
@@ -26,13 +26,13 @@ type DecodeCtx interface {
 // For example, the protected header `eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9`
 // decodes to
 //
-// {"typ":"JWT",
-// "alg":"HS256"}
+// {"typ":"JWT",
+// "alg":"HS256"}
 //
 // However, when we parse this into a message, we create a jws.Header object,
 // which, when we marshal into a JSON object again, becomes
 //
-// {"typ":"JWT","alg":"HS256"}
+// {"typ":"JWT","alg":"HS256"}
 //
 // Notice that serialization lacks a line break and a space between `"JWT",`
 // and `"alg"`. This causes a problem when verifying the signatures AFTER
@@ -42,7 +42,7 @@ type DecodeCtx interface {
 // manifest itself. However, you may see this discrepancy when you manually
 // go through these conversions, and/or use the `jwx` tool like so:
 //
-// jwx jws parse message.jws | jwx jws verify --key somekey.jwk --stdin
+// jwx jws parse message.jws | jwx jws verify --key somekey.jwk --stdin
 //
 // In this scenario, the first `jwx jws parse` outputs a parsed jws.Message
 // which is marshaled into JSON. At this point the message's protected
diff --git a/vendor/github.com/lestrrat-go/jwx/jws/jws.go b/vendor/github.com/lestrrat-go/jwx/jws/jws.go
index 6908dd6bd1..4e00b6dd51 100644
--- a/vendor/github.com/lestrrat-go/jwx/jws/jws.go
+++ b/vendor/github.com/lestrrat-go/jwx/jws/jws.go
@@ -6,8 +6,8 @@
 // If you do not care about the details, the only things that you
 // would need to use are the following functions:
 //
-// jws.Sign(payload, algorithm, key)
-// jws.Verify(encodedjws, algorithm, key)
+// jws.Sign(payload, algorithm, key)
+// jws.Verify(encodedjws, algorithm, key)
 //
 // To sign, simply use `jws.Sign`. `payload` is a []byte buffer that
 // contains whatever data you want to sign. `alg` is one of the
@@ -892,14 +892,13 @@ func parse(protected, payload, signature []byte) (*Message, error) {
 //
 // In that case you would register a custom field as follows
 //
-// jwe.RegisterCustomField(`x-birthday`, timeT)
+// jwe.RegisterCustomField(`x-birthday`, timeT)
 //
 // Then `hdr.Get("x-birthday")` will still return an `interface{}`,
 // but you can convert its type to `time.Time`
 //
-// bdayif, _ := hdr.Get(`x-birthday`)
-// bday := bdayif.(time.Time)
-//
+// bdayif, _ := hdr.Get(`x-birthday`)
+// bday := bdayif.(time.Time)
 func RegisterCustomField(name string, object interface{}) {
 registry.Register(name, object)
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jwt/http.go b/vendor/github.com/lestrrat-go/jwx/jwt/http.go
index aaaf27f134..09b43155d8 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwt/http.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwt/http.go
@@ -50,14 +50,14 @@ func ParseForm(values url.Values, name string, options ...ParseOption) (Token, e
 //
 // If WithHeaderKey() is used, you must explicitly re-enable searching for "Authorization" header.
 //
-// # searches for "Authorization"
-// jwt.ParseRequest(req)
+// # searches for "Authorization"
+// jwt.ParseRequest(req)
 //
-// # searches for "x-my-token" ONLY.
-// jwt.ParseRequest(req, jwt.WithHeaderKey("x-my-token"))
+// # searches for "x-my-token" ONLY.
+// jwt.ParseRequest(req, jwt.WithHeaderKey("x-my-token"))
 //
-// # searches for "Authorization" AND "x-my-token"
-// jwt.ParseRequest(req, jwt.WithHeaderKey("Authorization"), jwt.WithHeaderKey("x-my-token"))
+// # searches for "Authorization" AND "x-my-token"
+// jwt.ParseRequest(req, jwt.WithHeaderKey("Authorization"), jwt.WithHeaderKey("x-my-token"))
 func ParseRequest(req *http.Request, options ...ParseOption) (Token, error) {
 var hdrkeys []string
 var formkeys []string
diff --git a/vendor/github.com/lestrrat-go/jwx/jwt/jwt.go b/vendor/github.com/lestrrat-go/jwx/jwt/jwt.go
index 13c153934a..332483362f 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwt/jwt.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwt/jwt.go
@@ -264,7 +264,7 @@ func verifyJWSWithKeySet(ctx *parseCtx, payload []byte) ([]byte, int, error) {
 return nil, _JwsVerifyInvalid, errors.Wrapf(err, `invalid signature algorithm %s`, key.Algorithm())
 }
 
- // Okay, we have a valid algorithm, go go
+ // Okay, we have a valid algorithm
 return verifyJWSWithParams(ctx, payload, alg, key)
 }
 
@@ -548,14 +548,13 @@ func (t *stdToken) Clone() (Token, error) {
 //
 // In that case you would register a custom field as follows
 //
-// jwt.RegisterCustomField(`x-birthday`, timeT)
+// jwt.RegisterCustomField(`x-birthday`, timeT)
 //
 // Then `token.Get("x-birthday")` will still return an `interface{}`,
 // but you can convert its type to `time.Time`
 //
-// bdayif, _ := token.Get(`x-birthday`)
-// bday := bdayif.(time.Time)
-//
+// bdayif, _ := token.Get(`x-birthday`)
+// bday := bdayif.(time.Time)
 func RegisterCustomField(name string, object interface{}) {
 registry.Register(name, object)
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jwt/options.go b/vendor/github.com/lestrrat-go/jwx/jwt/options.go
index e905c356af..2f076a0041 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwt/options.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwt/options.go
@@ -362,7 +362,7 @@ func WithRequiredClaim(name string) ValidateOption {
 //
 // For example, in order to specify that `exp` - `iat` should be less than 10*time.Second, you would write
 //
-// jwt.Validate(token, jwt.WithMaxDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
+// jwt.Validate(token, jwt.WithMaxDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
 //
 // If AcceptableSkew of 2 second is specified, the above will return valid for any value of
 // `exp` - `iat` between 8 (10-2) and 12 (10+2).
@@ -375,10 +375,9 @@ func WithMaxDelta(dur time.Duration, c1, c2 string) ValidateOption {
 //
 // For example, in order to specify that `exp` - `iat` should be greater than 10*time.Second, you would write
 //
-// jwt.Validate(token, jwt.WithMinDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
+// jwt.Validate(token, jwt.WithMinDelta(10*time.Second, jwt.ExpirationKey, jwt.IssuedAtKey))
 //
 // The validation would fail if the difference is less than 10 seconds.
-//
 func WithMinDelta(dur time.Duration, c1, c2 string) ValidateOption {
 return WithValidator(MinDeltaIs(c1, c2, dur))
 }
@@ -387,14 +386,13 @@ func WithMinDelta(dur time.Duration, c1, c2 string) ValidateOption {
 //
 // For example, in order to validate tokens that are only valid during August, you would write
 //
-// validator := jwt.ValidatorFunc(func(_ context.Context, t jwt.Token) error {
-// if time.Now().Month() != 8 {
-// return fmt.Errorf(`tokens are only valid during August!`)
-// }
-// return nil
-// })
-// err := jwt.Validate(token, jwt.WithValidator(validator))
-//
+// validator := jwt.ValidatorFunc(func(_ context.Context, t jwt.Token) error {
+// if time.Now().Month() != 8 {
+// return fmt.Errorf(`tokens are only valid during August!`)
+// }
+// return nil
+// })
+// err := jwt.Validate(token, jwt.WithValidator(validator))
 func WithValidator(v Validator) ValidateOption {
 return newValidateOption(identValidator{}, v)
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jwt/serialize.go b/vendor/github.com/lestrrat-go/jwx/jwt/serialize.go
index a3665ce62d..c9b80e3fe9 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwt/serialize.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwt/serialize.go
@@ -43,16 +43,16 @@ type SerializeStep interface {
 // For example, to marshal the token into JSON, then apply JWS and JWE
 // in that order, you would do:
 //
-// serialized, err := jwt.NewSerialer().
-// Sign(jwa.RS256, key).
-// Encrypt(jwa.RSA_OAEP, key.PublicKey).
-// Serialize(token)
+// serialized, err := jwt.NewSerialer().
+// Sign(jwa.RS256, key).
+// Encrypt(jwa.RSA_OAEP, key.PublicKey).
+// Serialize(token)
 //
 // The `jwt.Sign()` function is equivalent to
 //
-// serialized, err := jwt.NewSerializer().
-// Sign(...args...).
-// Serialize(token)
+// serialized, err := jwt.NewSerializer().
+// Sign(...args...).
+// Serialize(token)
 type Serializer struct {
 steps []SerializeStep
 }
diff --git a/vendor/github.com/lestrrat-go/jwx/jwx.go b/vendor/github.com/lestrrat-go/jwx/jwx.go
index 24c96539c3..d3aae35f6b 100644
--- a/vendor/github.com/lestrrat-go/jwx/jwx.go
+++ b/vendor/github.com/lestrrat-go/jwx/jwx.go
@@ -5,11 +5,11 @@
 // Package jwx contains tools that deal with the various JWx (JOSE)
 // technologies such as JWT, JWS, JWE, etc in Go.
 //
-// JWS (https://tools.ietf.org/html/rfc7515)
-// JWE (https://tools.ietf.org/html/rfc7516)
-// JWK (https://tools.ietf.org/html/rfc7517)
-// JWA (https://tools.ietf.org/html/rfc7518)
-// JWT (https://tools.ietf.org/html/rfc7519)
+// JWS (https://tools.ietf.org/html/rfc7515)
+// JWE (https://tools.ietf.org/html/rfc7516)
+// JWK (https://tools.ietf.org/html/rfc7517)
+// JWA (https://tools.ietf.org/html/rfc7518)
+// JWT (https://tools.ietf.org/html/rfc7519)
 //
 // Examples are stored in a separate Go module (to avoid adding
 // dependencies to this module), and thus does not appear in the
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 42c6af1f02..86ee9c4119 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -168,7 +168,7 @@ github.com/kylelemons/godebug/diff
 # github.com/lestrrat-go/backoff/v2 v2.0.8
 ## explicit; go 1.16
 github.com/lestrrat-go/backoff/v2
-# github.com/lestrrat-go/blackmagic v1.0.1
+# github.com/lestrrat-go/blackmagic v1.0.2
 ## explicit; go 1.16
 github.com/lestrrat-go/blackmagic
 # github.com/lestrrat-go/httpcc v1.0.1
@@ -178,7 +178,7 @@ github.com/lestrrat-go/httpcc
 ## explicit; go 1.13
 github.com/lestrrat-go/iter/arrayiter
 github.com/lestrrat-go/iter/mapiter
-# github.com/lestrrat-go/jwx v1.2.26
+# github.com/lestrrat-go/jwx v1.2.27
 ## explicit; go 1.15
 github.com/lestrrat-go/jwx
 github.com/lestrrat-go/jwx/internal/base64
@@ -276,8 +276,8 @@ go.etcd.io/bbolt
 # go.uber.org/atomic v1.6.0
 ## explicit; go 1.13
 go.uber.org/atomic
-# golang.org/x/crypto v0.9.0
-## explicit; go 1.17
+# golang.org/x/crypto v0.16.0
+## explicit; go 1.18
 golang.org/x/crypto/curve25519
 golang.org/x/crypto/curve25519/internal/field
 golang.org/x/crypto/ed25519
@@ -302,13 +302,12 @@ golang.org/x/net/ipv4
 golang.org/x/net/ipv6
 golang.org/x/net/proxy
 golang.org/x/net/publicsuffix
-# golang.org/x/sys v0.8.0
-## explicit; go 1.17
-golang.org/x/sys/internal/unsafeheader
+# golang.org/x/sys v0.15.0
+## explicit; go 1.18
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/text v0.9.0
-## explicit; go 1.17
+# golang.org/x/text v0.14.0
+## explicit; go 1.18
 golang.org/x/text/encoding
 golang.org/x/text/encoding/charmap
 golang.org/x/text/encoding/htmlindex