upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

audit/format.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 	"time"
 
-	squarejwt "gopkg.in/square/go-jose.v2/jwt"
+	"github.com/go-jose/go-jose/v3/jwt"
 
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/salt"
@@ -537,12 +537,12 @@ func parseVaultTokenFromJWT(token string) *string {
 		return nil
 	}
 
-	parsedJWT, err := squarejwt.ParseSigned(token)
+	parsedJWT, err := jwt.ParseSigned(token)
 	if err != nil {
 		return nil
 	}
 
-	var claims squarejwt.Claims
+	var claims jwt.Claims
 	if err = parsedJWT.UnsafeClaimsWithoutVerification(&claims); err != nil {
 		return nil
 	}

builtin/logical/pki/acme_jws.go

@@ -11,7 +11,7 @@ import (
 	"fmt"
 	"strings"
 
-	jose "gopkg.in/square/go-jose.v2"
+	"github.com/go-jose/go-jose/v3"
 )
 
 var AllowedOuterJWSTypes = map[string]interface{}{

builtin/logical/pki/path_acme_test.go

@@ -21,20 +21,19 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3/json"
+	"github.com/go-test/deep"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/net/http2"
 
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/helper/constants"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/vault"
-
-	"github.com/go-test/deep"
-	"github.com/hashicorp/go-cleanhttp"
-	"github.com/stretchr/testify/require"
-	"gopkg.in/square/go-jose.v2/json"
 )
 
 // TestAcmeBasicWorkflow a basic test that will validate a basic ACME workflow using the Golang ACME client.

command/agent/testing.go

@@ -13,9 +13,10 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
+
 	"github.com/hashicorp/vault/sdk/logical"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const envVarRunAccTests = "VAULT_ACC"

go.mod

@@ -56,6 +56,7 @@ require (
 	github.com/favadi/protoc-go-inject-tag v1.3.0
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-errors/errors v1.4.2
+	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/go-ldap/ldap/v3 v3.4.4
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/go-test/deep v1.1.0
@@ -214,7 +215,6 @@ require (
 	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/ory-am/dockertest.v3 v3.3.4
-	gopkg.in/square/go-jose.v2 v2.6.0
 	gotest.tools/gotestsum v1.9.0
 	honnef.co/go/tools v0.4.3
 	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
@@ -320,7 +320,6 @@ require (
 	github.com/gammazero/deque v0.0.0-20190130191400-2afb3858e9c7 // indirect
 	github.com/gammazero/workerpool v0.0.0-20190406235159-88d534f22b56 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -471,6 +470,7 @@ require (
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/jcmturner/goidentity.v3 v3.0.0 // indirect
 	gopkg.in/resty.v1 v1.12.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/api v0.26.2 // indirect

vault/identity_store_oidc.go

@@ -20,6 +20,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/base62"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
@@ -32,8 +34,6 @@ import (
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/patrickmn/go-cache"
 	"golang.org/x/crypto/ed25519"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 type oidcConfig struct {

vault/identity_store_oidc_provider.go

@@ -16,6 +16,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/hashicorp/go-memdb"
 	"github.com/hashicorp/go-secure-stdlib/base62"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
@@ -24,7 +25,6 @@ import (
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/identitytpl"
 	"github.com/hashicorp/vault/sdk/logical"
-	"gopkg.in/square/go-jose.v2"
 )
 
 const (

vault/identity_store_oidc_provider_util.go

@@ -12,9 +12,9 @@ import (
 	"net/http"
 	"net/url"
 
+	"github.com/go-jose/go-jose/v3"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/sdk/logical"
-	"gopkg.in/square/go-jose.v2"
 )
 
 // validRedirect checks whether uri is in allowed using special handling for loopback uris.

vault/identity_store_oidc_test.go

@@ -11,15 +11,15 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/go-test/deep"
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/helper/identity"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 	gocache "github.com/patrickmn/go-cache"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 // TestOIDC_Path_OIDC_RoleNoKeyParameter tests that a role cannot be created

vault/wrapping.go

@@ -13,14 +13,14 @@ import (
 	"time"
 
 	"github.com/armon/go-metrics"
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/hashicorp/vault/helper/metricsutil"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/logical"
-	"gopkg.in/square/go-jose.v2"
-	squarejwt "gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (
@@ -194,16 +194,16 @@ DONELISTHANDLING:
 	switch resp.WrapInfo.Format {
 	case "jwt":
 		// Create the JWT
-		claims := squarejwt.Claims{
+		claims := jwt.Claims{
 			// Map the JWT ID to the token ID for ease of use
 			ID: te.ID,
 			// Set the issue time to the creation time
-			IssuedAt: squarejwt.NewNumericDate(creationTime),
+			IssuedAt: jwt.NewNumericDate(creationTime),
 			// Set the expiration to the TTL
-			Expiry: squarejwt.NewNumericDate(creationTime.Add(resp.WrapInfo.TTL)),
+			Expiry: jwt.NewNumericDate(creationTime.Add(resp.WrapInfo.TTL)),
 			// Set a reasonable not-before time; since unwrapping happens on this
 			// node we shouldn't have to worry much about drift
-			NotBefore: squarejwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
+			NotBefore: jwt.NewNumericDate(time.Now().Add(-5 * time.Second)),
 		}
 		type privateClaims struct {
 			Accessor string `json:"accessor"`
@@ -225,7 +225,7 @@ DONELISTHANDLING:
 			c.logger.Error("failed to create JWT builder", "error", err)
 			return nil, ErrInternalError
 		}
-		ser, err := squarejwt.Signed(sig).Claims(claims).Claims(priClaims).CompactSerialize()
+		ser, err := jwt.Signed(sig).Claims(claims).Claims(priClaims).CompactSerialize()
 		if err != nil {
 			c.tokenStore.revokeOrphan(ctx, te.ID)
 			c.logger.Error("failed to serialize JWT", "error", err)
@@ -407,11 +407,11 @@ func (c *Core) validateWrappingToken(ctx context.Context, req *logical.Request)
 	// and then a dot.
 	if IsJWT(token) {
 		// Implement the jose library way
-		parsedJWT, err := squarejwt.ParseSigned(token)
+		parsedJWT, err := jwt.ParseSigned(token)
 		if err != nil {
 			return false, fmt.Errorf("wrapping token could not be parsed: %w", err)
 		}
-		var claims squarejwt.Claims
+		var claims jwt.Claims
 		allClaims := make(map[string]interface{})
 		if err = parsedJWT.Claims(&c.wrappingJWTKey.PublicKey, &claims, &allClaims); err != nil {
 			return false, fmt.Errorf("wrapping token signature could not be validated: %w", err)