From 2ae540df755b84867b4e73823c38aa6d371d4528 Mon Sep 17 00:00:00 2001 From: Yusuke Suzuki Date: Fri, 1 Oct 2021 11:35:00 +0900 Subject: [PATCH] go.mod,go.sum: Replace github.com/dgrijalva/jwt-go with github.com/golang-jwt/jwt github.com/dgrijalva/jwt-go has CVE https://github.com/advisories/GHSA-w73w-5m7g-f7qc and is already archived. etcd v3.4 should use a community maintained fork github.com/golang-jwt/jwt which provides the fixed version of the CVE. Signed-off-by: Yusuke Suzuki --- auth/jwt.go | 2 +- auth/options.go | 2 +- bill-of-materials.json | 16 ++++---- go.mod | 6 +-- go.sum | 20 +++++----- .../jwt-go => golang-jwt/jwt}/LICENSE | 1 + .../jwt-go => golang-jwt/jwt}/claims.go | 32 +++++++++++----- .../jwt-go => golang-jwt/jwt}/doc.go | 0 .../jwt-go => golang-jwt/jwt}/ecdsa.go | 6 +-- .../jwt-go => golang-jwt/jwt}/ecdsa_utils.go | 4 +- .../jwt-go => golang-jwt/jwt}/errors.go | 0 .../jwt-go => golang-jwt/jwt}/hmac.go | 0 .../jwt-go => golang-jwt/jwt}/map_claims.go | 30 +++++++++++---- .../jwt-go => golang-jwt/jwt}/none.go | 0 .../jwt-go => golang-jwt/jwt}/parser.go | 0 .../jwt-go => golang-jwt/jwt}/rsa.go | 0 .../jwt-go => golang-jwt/jwt}/rsa_pss.go | 38 +++++++++++++------ .../jwt-go => golang-jwt/jwt}/rsa_utils.go | 2 +- .../jwt}/signing_method.go | 0 .../jwt-go => golang-jwt/jwt}/token.go | 2 +- vendor/modules.txt | 4 +- 21 files changed, 106 insertions(+), 59 deletions(-) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/LICENSE (96%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/claims.go (83%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/doc.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/ecdsa.go (98%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/ecdsa_utils.go (93%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/errors.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/hmac.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/map_claims.go (84%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/none.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/parser.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/rsa.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/rsa_pss.go (71%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/rsa_utils.go (95%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/signing_method.go (100%) rename vendor/github.com/{dgrijalva/jwt-go => golang-jwt/jwt}/token.go (99%) diff --git a/auth/jwt.go b/auth/jwt.go index 52cafe4aafb..3acec8e69be 100644 --- a/auth/jwt.go +++ b/auth/jwt.go @@ -21,7 +21,7 @@ import ( "errors" "time" - jwt "github.com/dgrijalva/jwt-go" + "github.com/golang-jwt/jwt" "go.uber.org/zap" ) diff --git a/auth/options.go b/auth/options.go index f40b92de6b3..c1d7578ad41 100644 --- a/auth/options.go +++ b/auth/options.go @@ -21,7 +21,7 @@ import ( "io/ioutil" "time" - jwt "github.com/dgrijalva/jwt-go" + "github.com/golang-jwt/jwt" ) const ( diff --git a/bill-of-materials.json b/bill-of-materials.json index a9e14643875..e72b0bd89d6 100644 --- a/bill-of-materials.json +++ b/bill-of-materials.json @@ -45,29 +45,29 @@ ] }, { - "project": "github.com/dgrijalva/jwt-go", + "project": "github.com/dustin/go-humanize", "licenses": [ { "type": "MIT License", - "confidence": 0.9891304347826086 + "confidence": 0.96875 } ] }, { - "project": "github.com/dustin/go-humanize", + "project": "github.com/gogo/protobuf", "licenses": [ { - "type": "MIT License", - "confidence": 0.96875 + "type": "BSD 3-clause \"New\" or \"Revised\" License", + "confidence": 0.9163346613545816 } ] }, { - "project": "github.com/gogo/protobuf", + "project": "github.com/golang-jwt/jwt", "licenses": [ { - "type": "BSD 3-clause \"New\" or \"Revised\" License", - "confidence": 0.9163346613545816 + "type": "MIT License", + "confidence": 0.9891304347826086 } ] }, diff --git a/go.mod b/go.mod index aa1475a9fee..f512633e30d 100644 --- a/go.mod +++ b/go.mod @@ -9,10 +9,10 @@ require ( github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf github.com/creack/pty v1.1.11 - github.com/dgrijalva/jwt-go v3.2.0+incompatible github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 github.com/fatih/color v1.7.0 // indirect github.com/gogo/protobuf v1.2.1 + github.com/golang-jwt/jwt v3.2.1+incompatible github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 github.com/golang/protobuf v1.3.2 github.com/google/btree v1.0.0 @@ -43,8 +43,8 @@ require ( go.uber.org/multierr v1.1.0 // indirect go.uber.org/zap v1.10.0 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 - golang.org/x/net v0.0.0-20201021035429-f5854403a974 - golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 + golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d + golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 google.golang.org/grpc v1.26.0 gopkg.in/cheggaaa/pb.v1 v1.0.25 diff --git a/go.sum b/go.sum index c91366cfa7a..09859c474ae 100644 --- a/go.sum +++ b/go.sum @@ -22,8 +22,6 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 h1:qk/FSDDxo05wdJH28W+p5yivv7LuLYLRXPPD8KQCtZs= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= @@ -37,6 +35,8 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE= github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c= +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 h1:LbsanbbD6LieFkXbj9YNNBupiGHJgFeLpO0j0Fza1h8= @@ -157,8 +157,8 @@ golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73r golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d h1:20cMwl2fHAzkJMEA+8J4JgqBQcQGzbisXo31MIeenXI= +golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -171,12 +171,14 @@ golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5h golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e h1:WUoyKPm6nCo1BnNUvPGnFG3T5DUVem42yDJZZ4CNxMA= +golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2 h1:+DCIGbF/swA92ohVg0//6X2IVY3KZs6p9mix0ziNYJM= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= diff --git a/vendor/github.com/dgrijalva/jwt-go/LICENSE b/vendor/github.com/golang-jwt/jwt/LICENSE similarity index 96% rename from vendor/github.com/dgrijalva/jwt-go/LICENSE rename to vendor/github.com/golang-jwt/jwt/LICENSE index df83a9c2f01..35dbc252041 100644 --- a/vendor/github.com/dgrijalva/jwt-go/LICENSE +++ b/vendor/github.com/golang-jwt/jwt/LICENSE @@ -1,4 +1,5 @@ Copyright (c) 2012 Dave Grijalva +Copyright (c) 2021 golang-jwt maintainers Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: diff --git a/vendor/github.com/dgrijalva/jwt-go/claims.go b/vendor/github.com/golang-jwt/jwt/claims.go similarity index 83% rename from vendor/github.com/dgrijalva/jwt-go/claims.go rename to vendor/github.com/golang-jwt/jwt/claims.go index f0228f02e03..f1dba3cb916 100644 --- a/vendor/github.com/dgrijalva/jwt-go/claims.go +++ b/vendor/github.com/golang-jwt/jwt/claims.go @@ -35,18 +35,18 @@ func (c StandardClaims) Valid() error { // The claims below are optional, by default, so if they are set to the // default value in Go, let's not fail the verification for them. - if c.VerifyExpiresAt(now, false) == false { + if !c.VerifyExpiresAt(now, false) { delta := time.Unix(now, 0).Sub(time.Unix(c.ExpiresAt, 0)) vErr.Inner = fmt.Errorf("token is expired by %v", delta) vErr.Errors |= ValidationErrorExpired } - if c.VerifyIssuedAt(now, false) == false { + if !c.VerifyIssuedAt(now, false) { vErr.Inner = fmt.Errorf("Token used before issued") vErr.Errors |= ValidationErrorIssuedAt } - if c.VerifyNotBefore(now, false) == false { + if !c.VerifyNotBefore(now, false) { vErr.Inner = fmt.Errorf("token is not valid yet") vErr.Errors |= ValidationErrorNotValidYet } @@ -61,7 +61,7 @@ func (c StandardClaims) Valid() error { // Compares the aud claim against cmp. // If required is false, this method will return true if the value matches or is unset func (c *StandardClaims) VerifyAudience(cmp string, req bool) bool { - return verifyAud(c.Audience, cmp, req) + return verifyAud([]string{c.Audience}, cmp, req) } // Compares the exp claim against cmp. @@ -90,15 +90,27 @@ func (c *StandardClaims) VerifyNotBefore(cmp int64, req bool) bool { // ----- helpers -func verifyAud(aud string, cmp string, required bool) bool { - if aud == "" { +func verifyAud(aud []string, cmp string, required bool) bool { + if len(aud) == 0 { return !required } - if subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0 { - return true - } else { - return false + // use a var here to keep constant time compare when looping over a number of claims + result := false + + var stringClaims string + for _, a := range aud { + if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 { + result = true + } + stringClaims = stringClaims + a } + + // case where "" is sent in one or many aud claims + if len(stringClaims) == 0 { + return !required + } + + return result } func verifyExp(exp int64, now int64, required bool) bool { diff --git a/vendor/github.com/dgrijalva/jwt-go/doc.go b/vendor/github.com/golang-jwt/jwt/doc.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/doc.go rename to vendor/github.com/golang-jwt/jwt/doc.go diff --git a/vendor/github.com/dgrijalva/jwt-go/ecdsa.go b/vendor/github.com/golang-jwt/jwt/ecdsa.go similarity index 98% rename from vendor/github.com/dgrijalva/jwt-go/ecdsa.go rename to vendor/github.com/golang-jwt/jwt/ecdsa.go index f977381240e..d310af1c7c0 100644 --- a/vendor/github.com/dgrijalva/jwt-go/ecdsa.go +++ b/vendor/github.com/golang-jwt/jwt/ecdsa.go @@ -88,11 +88,11 @@ func (m *SigningMethodECDSA) Verify(signingString, signature string, key interfa hasher.Write([]byte(signingString)) // Verify the signature - if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus == true { + if verifystatus := ecdsa.Verify(ecdsaKey, hasher.Sum(nil), r, s); verifystatus { return nil - } else { - return ErrECDSAVerification } + + return ErrECDSAVerification } // Implements the Sign method from SigningMethod diff --git a/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go b/vendor/github.com/golang-jwt/jwt/ecdsa_utils.go similarity index 93% rename from vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go rename to vendor/github.com/golang-jwt/jwt/ecdsa_utils.go index d19624b7264..db9f4be7d8e 100644 --- a/vendor/github.com/dgrijalva/jwt-go/ecdsa_utils.go +++ b/vendor/github.com/golang-jwt/jwt/ecdsa_utils.go @@ -25,7 +25,9 @@ func ParseECPrivateKeyFromPEM(key []byte) (*ecdsa.PrivateKey, error) { // Parse the key var parsedKey interface{} if parsedKey, err = x509.ParseECPrivateKey(block.Bytes); err != nil { - return nil, err + if parsedKey, err = x509.ParsePKCS8PrivateKey(block.Bytes); err != nil { + return nil, err + } } var pkey *ecdsa.PrivateKey diff --git a/vendor/github.com/dgrijalva/jwt-go/errors.go b/vendor/github.com/golang-jwt/jwt/errors.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/errors.go rename to vendor/github.com/golang-jwt/jwt/errors.go diff --git a/vendor/github.com/dgrijalva/jwt-go/hmac.go b/vendor/github.com/golang-jwt/jwt/hmac.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/hmac.go rename to vendor/github.com/golang-jwt/jwt/hmac.go diff --git a/vendor/github.com/dgrijalva/jwt-go/map_claims.go b/vendor/github.com/golang-jwt/jwt/map_claims.go similarity index 84% rename from vendor/github.com/dgrijalva/jwt-go/map_claims.go rename to vendor/github.com/golang-jwt/jwt/map_claims.go index 291213c460d..ba290f429af 100644 --- a/vendor/github.com/dgrijalva/jwt-go/map_claims.go +++ b/vendor/github.com/golang-jwt/jwt/map_claims.go @@ -10,10 +10,24 @@ import ( // This is the default claims type if you don't supply one type MapClaims map[string]interface{} -// Compares the aud claim against cmp. +// VerifyAudience Compares the aud claim against cmp. // If required is false, this method will return true if the value matches or is unset func (m MapClaims) VerifyAudience(cmp string, req bool) bool { - aud, _ := m["aud"].(string) + var aud []string + switch v := m["aud"].(type) { + case string: + aud = append(aud, v) + case []string: + aud = v + case []interface{}: + for _, a := range v { + vs, ok := a.(string) + if !ok { + return false + } + aud = append(aud, vs) + } + } return verifyAud(aud, cmp, req) } @@ -27,7 +41,7 @@ func (m MapClaims) VerifyExpiresAt(cmp int64, req bool) bool { v, _ := exp.Int64() return verifyExp(v, cmp, req) } - return req == false + return !req } // Compares the iat claim against cmp. @@ -40,7 +54,7 @@ func (m MapClaims) VerifyIssuedAt(cmp int64, req bool) bool { v, _ := iat.Int64() return verifyIat(v, cmp, req) } - return req == false + return !req } // Compares the iss claim against cmp. @@ -60,7 +74,7 @@ func (m MapClaims) VerifyNotBefore(cmp int64, req bool) bool { v, _ := nbf.Int64() return verifyNbf(v, cmp, req) } - return req == false + return !req } // Validates time based claims "exp, iat, nbf". @@ -71,17 +85,17 @@ func (m MapClaims) Valid() error { vErr := new(ValidationError) now := TimeFunc().Unix() - if m.VerifyExpiresAt(now, false) == false { + if !m.VerifyExpiresAt(now, false) { vErr.Inner = errors.New("Token is expired") vErr.Errors |= ValidationErrorExpired } - if m.VerifyIssuedAt(now, false) == false { + if !m.VerifyIssuedAt(now, false) { vErr.Inner = errors.New("Token used before issued") vErr.Errors |= ValidationErrorIssuedAt } - if m.VerifyNotBefore(now, false) == false { + if !m.VerifyNotBefore(now, false) { vErr.Inner = errors.New("Token is not valid yet") vErr.Errors |= ValidationErrorNotValidYet } diff --git a/vendor/github.com/dgrijalva/jwt-go/none.go b/vendor/github.com/golang-jwt/jwt/none.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/none.go rename to vendor/github.com/golang-jwt/jwt/none.go diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/golang-jwt/jwt/parser.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/parser.go rename to vendor/github.com/golang-jwt/jwt/parser.go diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa.go b/vendor/github.com/golang-jwt/jwt/rsa.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/rsa.go rename to vendor/github.com/golang-jwt/jwt/rsa.go diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go b/vendor/github.com/golang-jwt/jwt/rsa_pss.go similarity index 71% rename from vendor/github.com/dgrijalva/jwt-go/rsa_pss.go rename to vendor/github.com/golang-jwt/jwt/rsa_pss.go index 10ee9db8a4e..c0147086480 100644 --- a/vendor/github.com/dgrijalva/jwt-go/rsa_pss.go +++ b/vendor/github.com/golang-jwt/jwt/rsa_pss.go @@ -12,9 +12,14 @@ import ( type SigningMethodRSAPSS struct { *SigningMethodRSA Options *rsa.PSSOptions + // VerifyOptions is optional. If set overrides Options for rsa.VerifyPPS. + // Used to accept tokens signed with rsa.PSSSaltLengthAuto, what doesn't follow + // https://tools.ietf.org/html/rfc7518#section-3.5 but was used previously. + // See https://github.com/dgrijalva/jwt-go/issues/285#issuecomment-437451244 for details. + VerifyOptions *rsa.PSSOptions } -// Specific instances for RS/PS and company +// Specific instances for RS/PS and company. var ( SigningMethodPS256 *SigningMethodRSAPSS SigningMethodPS384 *SigningMethodRSAPSS @@ -24,13 +29,15 @@ var ( func init() { // PS256 SigningMethodPS256 = &SigningMethodRSAPSS{ - &SigningMethodRSA{ + SigningMethodRSA: &SigningMethodRSA{ Name: "PS256", Hash: crypto.SHA256, }, - &rsa.PSSOptions{ + Options: &rsa.PSSOptions{ + SaltLength: rsa.PSSSaltLengthEqualsHash, + }, + VerifyOptions: &rsa.PSSOptions{ SaltLength: rsa.PSSSaltLengthAuto, - Hash: crypto.SHA256, }, } RegisterSigningMethod(SigningMethodPS256.Alg(), func() SigningMethod { @@ -39,13 +46,15 @@ func init() { // PS384 SigningMethodPS384 = &SigningMethodRSAPSS{ - &SigningMethodRSA{ + SigningMethodRSA: &SigningMethodRSA{ Name: "PS384", Hash: crypto.SHA384, }, - &rsa.PSSOptions{ + Options: &rsa.PSSOptions{ + SaltLength: rsa.PSSSaltLengthEqualsHash, + }, + VerifyOptions: &rsa.PSSOptions{ SaltLength: rsa.PSSSaltLengthAuto, - Hash: crypto.SHA384, }, } RegisterSigningMethod(SigningMethodPS384.Alg(), func() SigningMethod { @@ -54,13 +63,15 @@ func init() { // PS512 SigningMethodPS512 = &SigningMethodRSAPSS{ - &SigningMethodRSA{ + SigningMethodRSA: &SigningMethodRSA{ Name: "PS512", Hash: crypto.SHA512, }, - &rsa.PSSOptions{ + Options: &rsa.PSSOptions{ + SaltLength: rsa.PSSSaltLengthEqualsHash, + }, + VerifyOptions: &rsa.PSSOptions{ SaltLength: rsa.PSSSaltLengthAuto, - Hash: crypto.SHA512, }, } RegisterSigningMethod(SigningMethodPS512.Alg(), func() SigningMethod { @@ -94,7 +105,12 @@ func (m *SigningMethodRSAPSS) Verify(signingString, signature string, key interf hasher := m.Hash.New() hasher.Write([]byte(signingString)) - return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, m.Options) + opts := m.Options + if m.VerifyOptions != nil { + opts = m.VerifyOptions + } + + return rsa.VerifyPSS(rsaKey, m.Hash, hasher.Sum(nil), sig, opts) } // Implements the Sign method from SigningMethod diff --git a/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go b/vendor/github.com/golang-jwt/jwt/rsa_utils.go similarity index 95% rename from vendor/github.com/dgrijalva/jwt-go/rsa_utils.go rename to vendor/github.com/golang-jwt/jwt/rsa_utils.go index a5ababf956c..14c78c292a9 100644 --- a/vendor/github.com/dgrijalva/jwt-go/rsa_utils.go +++ b/vendor/github.com/golang-jwt/jwt/rsa_utils.go @@ -8,7 +8,7 @@ import ( ) var ( - ErrKeyMustBePEMEncoded = errors.New("Invalid Key: Key must be PEM encoded PKCS1 or PKCS8 private key") + ErrKeyMustBePEMEncoded = errors.New("Invalid Key: Key must be a PEM encoded PKCS1 or PKCS8 key") ErrNotRSAPrivateKey = errors.New("Key is not a valid RSA private key") ErrNotRSAPublicKey = errors.New("Key is not a valid RSA public key") ) diff --git a/vendor/github.com/dgrijalva/jwt-go/signing_method.go b/vendor/github.com/golang-jwt/jwt/signing_method.go similarity index 100% rename from vendor/github.com/dgrijalva/jwt-go/signing_method.go rename to vendor/github.com/golang-jwt/jwt/signing_method.go diff --git a/vendor/github.com/dgrijalva/jwt-go/token.go b/vendor/github.com/golang-jwt/jwt/token.go similarity index 99% rename from vendor/github.com/dgrijalva/jwt-go/token.go rename to vendor/github.com/golang-jwt/jwt/token.go index d637e0867c6..99868d29b9f 100644 --- a/vendor/github.com/dgrijalva/jwt-go/token.go +++ b/vendor/github.com/golang-jwt/jwt/token.go @@ -65,7 +65,7 @@ func (t *Token) SignedString(key interface{}) (string, error) { func (t *Token) SigningString() (string, error) { var err error parts := make([]string, 2) - for i, _ := range parts { + for i := range parts { var jsonValue []byte if i == 0 { if jsonValue, err = json.Marshal(t.Header); err != nil { diff --git a/vendor/modules.txt b/vendor/modules.txt index 71e7b7f599f..48c7e48624e 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -13,14 +13,14 @@ github.com/coreos/go-systemd/journal github.com/coreos/pkg/capnslog # github.com/creack/pty v1.1.11 github.com/creack/pty -# github.com/dgrijalva/jwt-go v3.2.0+incompatible -github.com/dgrijalva/jwt-go # github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4 github.com/dustin/go-humanize # github.com/gogo/protobuf v1.2.1 github.com/gogo/protobuf/gogoproto github.com/gogo/protobuf/proto github.com/gogo/protobuf/protoc-gen-gogo/descriptor +# github.com/golang-jwt/jwt v3.2.1+incompatible +github.com/golang-jwt/jwt # github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903 github.com/golang/groupcache/lru # github.com/golang/protobuf v1.3.2