Le mer. 2 avr. 2025 à 10:39, Simon Josefsson <si...@josefsson.org> a écrit :

> A short-term fix to resolve the RC bug may be to simply add a
> 'Conflicts: golang-step-crypto-dev' to
> golang-github-smallstep-crypto-dev?  Or is there a need to be able to
> co-install these two packages?
>
> Meanwhile I looked into updating golang-github-smallstep-certificates to
> latest version and ran into what I think is a build dependency issue
> with golang-step-linkedca which would need a package rename/reupload to
> get the latest version.  The name ought to be
> golang-github-smallstep-linkedca instead which is the new namespace.  It
> seems most if not all of go.step.sm moved to github.com/smallstep
> namespace.  I doubt we can finish that transition before trixie though.


I had a look at another approach, just upgrading the dependency to
golang-github-smallstep-crypto-dev
for these two packages:
- golang-step-cli-utils: all fine, level1
- golang-github-smallstep-certificates: level 2, needs the previous one
rebuilt first, and the attached patch.
There are probably mistakes in that patch.

This would allow removal of golang-step-crypto-dev.
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@@ -10,7 +10,6 @@
 	"os"
 
 	"github.com/pkg/errors"
-	"gopkg.in/square/go-jose.v2/jwt"
 
 	"go.step.sm/cli-utils/step"
 	"go.step.sm/cli-utils/ui"
@@ -89,7 +88,7 @@
 
 // LoadProvisionerByToken returns an interface to the provisioner that
 // provisioned the token.
-func (a *Authority) LoadProvisionerByToken(token *jwt.JSONWebToken, claims *jwt.Claims) (provisioner.Interface, error) {
+func (a *Authority) LoadProvisionerByToken(token *jose.JSONWebToken, claims *jose.Claims) (provisioner.Interface, error) {
 	a.adminMutex.RLock()
 	defer a.adminMutex.RUnlock()
 	p, ok := a.provisioners.LoadByToken(token, claims)
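Review bot: The new signature's `jose.JSONWebToken` and `jose.Claims` require `go.step.sm/crypto/jose` to be imported in authority/provisioners.go, but this file's import hunk only removes `gopkg.in/square/go-jose.v2/jwt` and its context lines show no jose import, so the change compiles only if the file already imports that package further down the block — worth confirming, since the hunk cannot show it. The same applies to `jose.ParseSigned(ott)` in ca/client.go, whose import hunk likewise only drops the jwt import. As far as I know go.step.sm/crypto/jose declares these names as aliases of the go-jose jwt types, so callers that still hold `*jwt.JSONWebToken` values are unaffected. LoadProvisionerByToken's body continues past the end of the hunk.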
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@@ -171,10 +171,10 @@
 		{"fail-token", p1, args{failTok}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk token")},
 		{"fail-key", p1, args{failKey}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
 		{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
-		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
-		{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
-		{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token is expired (exp)")},
-		{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token not valid yet (nbf)")},
+		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
+		{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
+		{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token is expired (exp)")},
+		{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)")},
 		{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk token audience claim (aud)")},
 		{"fail-subject", p1, args{failSub}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; jwk token subject cannot be empty")},
 		{"ok", p1, args{t1}, http.StatusOK, nil},
@@ -218,7 +218,7 @@
 		code int
 		err  error
 	}{
-		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
+		{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
 		{"ok", p1, args{t1}, http.StatusOK, nil},
 	}
 	for _, tt := range tests {
@@ -266,7 +266,7 @@
 			prov: p1,
 			args: args{failSig},
 			code: http.StatusUnauthorized,
-			err:  errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive"),
+			err:  errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive"),
 		},
 		{
 			name: "ok-sans",
--- a/authority/provisioner/k8sSA_test.go
+++ b/authority/provisioner/k8sSA_test.go
@@ -97,7 +97,7 @@
 				p:     p,
 				token: tok,
 				code:  http.StatusUnauthorized,
-				err:   errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
+				err:   errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
 			}
 		},
 		"ok": func(t *testing.T) test {
--- a/acme/account_test.go
+++ b/acme/account_test.go
@@ -25,7 +25,7 @@
 			jwk.Key = "foo"
 			return test{
 				jwk: jwk,
-				err: NewErrorISE("error generating jwk thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating jwk thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok": func(t *testing.T) test {
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@@ -358,7 +358,7 @@
 			return test{
 				body:       strings.NewReader("foo"),
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: square/go-jose: compact JWS format must have three parts"),
+				err:        acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: go-jose/go-jose: compact JWS format must have three parts"),
 			}
 		},
 		"ok": func(t *testing.T) test {
@@ -483,7 +483,7 @@
 			return test{
 				ctx:        ctx,
 				statusCode: 400,
-				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
+				err:        acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
 			}
 		},
 		"fail/algorithm-mismatch": func(t *testing.T) test {
--- a/acme/api/revoke_test.go
+++ b/acme/api/revoke_test.go
@@ -1281,7 +1281,7 @@
 			}
 		},
 		"wrap-subject": func(t *testing.T) test {
-			acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: square/go-jose: error in cryptographic primitive")
+			acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: go-jose/go-jose: error in cryptographic primitive")
 			acmeErr.Status = http.StatusForbidden
 			acmeErr.Detail = "No authorization provided for name test.example.com"
 			cert := &x509.Certificate{
@@ -1290,7 +1290,7 @@
 				},
 			}
 			return test{
-				err:                     errors.New("square/go-jose: error in cryptographic primitive"),
+				err:                     errors.New("go-jose/go-jose: error in cryptographic primitive"),
 				cert:                    cert,
 				unauthorizedIdentifiers: []acme.Identifier{},
 				msg:                     "verification of jws using certificate public key failed",
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -196,7 +196,7 @@
 			return test{
 				token: "1234",
 				jwk:   jwk,
-				err:   NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err:   NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok": func(t *testing.T) test {
@@ -725,7 +725,7 @@
 					},
 				},
 				jwk: jwk,
-				err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok/key-auth-mismatch": func(t *testing.T) test {
@@ -1021,7 +1021,7 @@
 					},
 				},
 				jwk: jwk,
-				err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"fail/key-auth-mismatch-store-error": func(t *testing.T) test {
@@ -1758,7 +1758,7 @@
 				},
 				srv: srv,
 				jwk: jwk,
-				err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+				err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
 			}
 		},
 		"ok/error-no-extension": func(t *testing.T) test {
--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@@ -7,9 +7,9 @@
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"gopkg.in/square/go-jose.v2"
 
 	"go.step.sm/linkedca"
+  "go.step.sm/crypto/jose"
 
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/administrator"
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@@ -18,8 +18,6 @@
 	"testing"
 	"time"
 
-	"gopkg.in/square/go-jose.v2/jwt"
-
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
@@ -1327,15 +1325,15 @@
 			}
 		},
 		"fail/nil-db": func() test {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "sn",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 
 			return test{
@@ -1367,15 +1365,15 @@
 				Err: errors.New("force"),
 			}))
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "sn",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 
 			return test{
@@ -1407,15 +1405,15 @@
 				Err: db.ErrAlreadyExists,
 			}))
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "sn",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 
 			return test{
@@ -1446,15 +1444,15 @@
 				},
 			}))
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "sn",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return test{
 				auth: _a,
@@ -1538,15 +1536,15 @@
 				},
 			}))
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "sn",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return test{
 				auth: a,
--- a/ca/acmeClient.go
+++ b/ca/acmeClient.go
@@ -173,7 +173,7 @@
 	}
 	signed, err := signer.Sign(payload)
 	if err != nil {
-		return nil, errors.Errorf("error signing payload: %s", strings.TrimPrefix(err.Error(), "square/go-jose: "))
+		return nil, errors.Errorf("error signing payload: %s", strings.TrimPrefix(err.Error(), "go-jose/go-jose: "))
 	}
 	raw, err := serialize(signed)
 	if err != nil {
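Review bot: `strings.TrimPrefix` silently does nothing when the prefix does not match, so if the go-jose version actually pulled in by the rebuilt golang-github-smallstep-crypto-dev prefixes its errors differently, the user-facing message regresses without any build or test failure. A test asserting the trimmed form of a signing error would make the assumption explicit. The enclosing function begins before and ends after this hunk.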
--- a/ca/client.go
+++ b/ca/client.go
@@ -35,7 +35,6 @@
 	"golang.org/x/net/http2"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 // DisableIdentity is a global variable to disable the identity.
@@ -1207,7 +1206,7 @@
 // CreateSignRequest is a helper function that given an x509 OTT returns a
 // simple but secure sign request as well as the private key used.
 func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error) {
-	token, err := jwt.ParseSigned(ott)
+	token, err := jose.ParseSigned(ott)
 	if err != nil {
 		return nil, nil, errors.Wrap(err, "error parsing ott")
 	}
--- a/kms/azurekms/key_vault_test.go
+++ b/kms/azurekms/key_vault_test.go
@@ -16,7 +16,6 @@
 	"github.com/smallstep/certificates/kms/apiv1"
 	"github.com/smallstep/certificates/kms/azurekms/internal/mock"
 	"go.step.sm/crypto/keyutil"
-	"gopkg.in/square/go-jose.v2"
 )
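Review bot: The `gopkg.in/square/go-jose.v2` import is removed without a replacement, and no other import providing the `jose` identifier is visible in the hunk; if the test still references `jose.` names (a `jose.JSONWebKey` fixture, say) the package will not compile until `	"go.step.sm/crypto/jose"` is added to the block. If no `jose.` references remain in the file the removal is correct as is. The hunk shows only the tail of the import block, so this cannot be confirmed from the patch alone.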
 
 var errTest = fmt.Errorf("test error")
--- a/authority/provisioner/options_test.go
+++ b/authority/provisioner/options_test.go
@@ -159,7 +159,7 @@
 
 func TestCustomTemplateOptions(t *testing.T) {
 	csr := parseCertificateRequest(t, "testdata/certs/ecdsa.csr")
-	csrCertificate := `{"version":0,"subject":{"commonName":"foo"},"dnsNames":["foo"],"emailAddresses":null,"ipAddresses":null,"uris":null,"sans":null,"extensions":[{"id":"2.5.29.17","critical":false,"value":"MAWCA2Zvbw=="}],"signatureAlgorithm":""}`
+	csrCertificate := `{"version":0,"subject":{"commonName":"foo"},"rawSubject":"MA4xDDAKBgNVBAMTA2Zvbw==","dnsNames":["foo"],"emailAddresses":null,"ipAddresses":null,"uris":null,"sans":null,"extensions":[{"id":"2.5.29.17","critical":false,"value":"MAWCA2Zvbw=="}],"signatureAlgorithm":""}`
 	data := x509util.TemplateData{
 		x509util.SubjectKey: x509util.Subject{
 			CommonName: "foobar",
--- a/cas/stepcas/x5c_issuer_test.go
+++ b/cas/stepcas/x5c_issuer_test.go
@@ -53,7 +53,7 @@
 		sans    []string
 	}
 	type claims struct {
-		Aud  []string `json:"aud"`
+		Aud  string `json:"aud"`
 		Sub  string   `json:"sub"`
 		Sans []string `json:"sans"`
 	}
@@ -87,7 +87,7 @@
 				}
 				var c claims
 				want := claims{
-					Aud:  []string{tt.fields.caURL.String() + "/1.0/sign#x5c/X5C"},
+					Aud:  string{tt.fields.caURL.String() + "/1.0/sign#x5c/X5C"},
 					Sub:  tt.args.subject,
 					Sans: tt.args.sans,
 				}
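Review bot: `string{...}` is not valid Go — `string` is not a composite type — so this line is a compile error in the test package; with `Aud` now declared as a plain string the initializer should be `Aud:  tt.fields.caURL.String() + "/1.0/sign#x5c/X5C",` and likewise `Aud: tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C",` in the later hunk of this file. The change of `Aud` from `[]string` to `string` itself looks intentional (as far as I recall, newer go-jose serialises a single-entry audience as a bare JSON string), but the struct tag alignment in the two `type claims` hunks is no longer gofmt-clean either and should be reformatted.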
@@ -117,7 +117,7 @@
 		subject string
 	}
 	type claims struct {
-		Aud  []string `json:"aud"`
+		Aud  string `json:"aud"`
 		Sub  string   `json:"sub"`
 		Sans []string `json:"sans"`
 	}
@@ -152,7 +152,7 @@
 				}
 				var c claims
 				want := claims{
-					Aud: []string{tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C"},
+					Aud: string{tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C"},
 					Sub: tt.args.subject,
 				}
 				if err := jwt.Claims(testX5CKey.Public(), &c); err != nil {
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -109,7 +109,7 @@
 			c.Root = []string{"foo"}
 			return &newTest{
 				config: c,
-				err:    errors.New("error reading foo: no such file or directory"),
+				err:    errors.New("error reading \"foo\": no such file or directory"),
 			}
 		},
 		"fail bad password": func(t *testing.T) *newTest {
@@ -127,7 +127,7 @@
 			c.IntermediateCert = "wrong"
 			return &newTest{
 				config: c,
-				err:    errors.New("error reading wrong: no such file or directory"),
+				err:    errors.New("error reading \"wrong\": no such file or directory"),
 			}
 		},
 	}
