From 6e0c4f4e1d21a15596899f09ac5bcb7367d15125 Mon Sep 17 00:00:00 2001 From: Ian Roberts Date: Fri, 3 Apr 2026 11:21:40 +0100 Subject: [PATCH] feat: update to openpubkey 0.23.0 Upgrade openpubkey dependency to 0.23.0, and fix the breaking changes resulting from the upgrade from jwx v2 to v3 - `jwa.SignatureAlgorithm` -> `jose.KeyAlgorithm` - `clientinstance.Claims.PublicKey()` is now a `crypto.PublicKey`, not a `jwk.Key` - fixed expected chooser JSON in `login_test` to include the `DeviceFlow` and `CallbackHTML` keys that were not previously present Signed-off-by: Ian Roberts --- commands/login.go | 13 +++++----- commands/login_test.go | 14 +++++------ commands/verify_test.go | 4 ++-- go.mod | 24 ++++++++++++------- go.sum | 44 +++++++++++++++++++++------------- policy/plugins/plugins_test.go | 4 ++-- sshcert/sshcert.go | 15 ++++++------ sshcert/sshcert_test.go | 7 +++--- 8 files changed, 71 insertions(+), 54 deletions(-) diff --git a/commands/login.go b/commands/login.go index fb5987cd..b307421f 100644 --- a/commands/login.go +++ b/commands/login.go @@ -35,9 +35,9 @@ import ( "strings" "time" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/openpubkey/openpubkey/client" "github.com/openpubkey/openpubkey/client/choosers" + "github.com/openpubkey/openpubkey/jose" "github.com/openpubkey/openpubkey/oidc" "github.com/openpubkey/openpubkey/pktoken" "github.com/openpubkey/openpubkey/providers" @@ -106,7 +106,7 @@ type LoginCmd struct { // Outputs pkt *pktoken.PKToken signer crypto.Signer - alg jwa.SignatureAlgorithm + alg jose.KeyAlgorithm client *client.OpkClient principals []string 
@@ -443,12 +443,12 @@ func (l *LoginCmd) determineProvider() (providers.OpenIdProvider, *choosers.WebC func (l *LoginCmd) login(ctx context.Context, provider providers.OpenIdProvider, printIdToken bool, seckeyPath string) (*LoginCmd, error) { var err error - var alg jwa.SignatureAlgorithm + var alg jose.KeyAlgorithm switch l.KeyTypeArg { case ECDSA: - alg = jwa.ES256 + alg = jose.ES256 case ED25519: - alg = jwa.EdDSA + alg = jose.EdDSA default: return nil, fmt.Errorf("unsupported key type (%s); use -t <%s|%s>", l.KeyTypeArg.String(), ECDSA.String(), ED25519.String()) } @@ -863,8 +863,7 @@ Check if your client config (~/.opk/config.yml) has the correct scopes configure Sub, issuer, audience: %s %s %s`, claims.Subject, claims.Issuer, claims.Audience), nil } else { - return fmt.Sprintf(`Email, sub, issuer, audience: -%s %s %s %s`, claims.Email, claims.Subject, claims.Issuer, claims.Audience), nil + return fmt.Sprintf("Email, sub, issuer, audience: \n%s %s %s %s", claims.Email, claims.Subject, claims.Issuer, claims.Audience), nil } } diff --git a/commands/login_test.go b/commands/login_test.go index b99b6a47..2abc9169 100644 --- a/commands/login_test.go +++ b/commands/login_test.go @@ -30,8 +30,8 @@ import ( "golang.org/x/crypto/ed25519" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/openpubkey/openpubkey/client" + "github.com/openpubkey/openpubkey/jose" "github.com/openpubkey/openpubkey/pktoken" "github.com/openpubkey/openpubkey/providers" "github.com/openpubkey/openpubkey/util" 
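Review bot: The `else` branch at `@@ -863` in `commands/login.go` now builds its message from an interpreted string with an explicit `\n`, while the `Sub, issuer, audience:` branch directly above it still uses a back-quoted literal with a real line break, so the two halves of the same `if` are written differently. If the rewrite is meant to stop editors from stripping the space before the newline, the sibling literal needs the same treatment; if it is not, `"Email, sub, issuer, audience:\n%s %s %s %s"` avoids the trailing space. The commit message does not mention this change, so a one-line comment such as `// interpreted string so the line break is explicit` would record why the literal changed. The enclosing function starts outside the hunk.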
@@ -61,15 +61,15 @@ const allProvidersStr = providerStr1 + ";" + providerStr2 + ";" + providerStr3 func Mocks(t *testing.T, keyType KeyType, extraClaims ...map[string]any) (*pktoken.PKToken, crypto.Signer, providers.OpenIdProvider) { var err error - var alg jwa.SignatureAlgorithm + var alg jose.KeyAlgorithm var signer crypto.Signer switch keyType { case ECDSA: - alg = jwa.ES256 + alg = jose.ES256 signer, err = util.GenKeyPair(alg) case ED25519: - alg = jwa.EdDSA + alg = jose.EdDSA _, signer, err = ed25519.GenerateKey(rand.Reader) } require.NoError(t, err) @@ -332,7 +332,7 @@ func TestDetermineProvider(t *testing.T) { wantIssuer: "", wantError: false, errorString: "", - wantChooser: `[{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null}]`, + wantChooser: `[{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}}]`, }, { name: "Good path with env vars many providers and no default", 
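Review bot: `wantChooser` at `@@ -332` in `commands/login_test.go` pins the complete JSON serialisation of the provider options, so three expectations had to be edited (here and at `@@ -341` and `@@ -365`) only because the upgraded library now emits `DeviceFlow` and `CallbackHTML` and renders `ExtraURLParamOpts` as `{}` instead of `null`. Decoding the chooser output and asserting only the fields this project configures (for example `Scopes`, `RedirectURIs` and `RemoteRedirectURI`) would stop the test breaking on each upstream field addition. It would also avoid hard-coding upstream text such as `"You may now close this window"`. The table and the comparison code lie outside these hunks, so this is a follow-up suggestion rather than a change to the lines shown.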
@@ -341,7 +341,7 @@ func TestDetermineProvider(t *testing.T) { providerAlias: "", wantIssuer: "", wantError: false, - wantChooser: `[{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null},{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null},{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null}]`, + wantChooser: `[{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}},{"ClientSecret":"","Scopes":["openid profile 
email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}},{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}}]`, }, { name: "Good path with env vars many providers and providerAlias", 
@@ -365,7 +365,7 @@ func TestDetermineProvider(t *testing.T) { providerArg: "", providerAlias: "", remoteRedirectURI: "https://example.com/login_callback", - wantChooser: `[{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"https://example.com/login_callback","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null},{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"https://example.com/login_callback","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null},{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"https://example.com/login_callback","GQSign":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"ExtraURLParamOpts":null}]`, + wantChooser: `[{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"https://example.com/login_callback","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}},{"ClientSecret":"","Scopes":["openid profile 
email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"https://example.com/login_callback","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}},{"ClientSecret":"","Scopes":["openid profile email"],"PromptType":"consent","AccessType":"offline","RedirectURIs":["http://localhost:3000/login-callback","http://localhost:10001/login-callback","http://localhost:11110/login-callback"],"RemoteRedirectURI":"https://example.com/login_callback","GQSign":false,"DeviceFlow":false,"OpenBrowser":false,"HttpClient":null,"IssuedAtOffset":60000000000,"CallbackHTML":"You may now close this window","ExtraURLParamOpts":{}}]`, wantError: false, }, { diff --git a/commands/verify_test.go b/commands/verify_test.go index bcc42e5c..f72f05cd 100644 --- a/commands/verify_test.go +++ b/commands/verify_test.go @@ -26,8 +26,8 @@ import ( "strings" "testing" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/openpubkey/openpubkey/client" + "github.com/openpubkey/openpubkey/jose" "github.com/openpubkey/openpubkey/pktoken" "github.com/openpubkey/openpubkey/providers" "github.com/openpubkey/openpubkey/providers/mocks" @@ -66,7 +66,7 @@ func TestAuthorizedKeysCommand(t *testing.T) { t.Parallel() expectedAccessToken := "fake-auth-token" - alg := jwa.ES256 + alg := jose.ES256 signer, err := util.GenKeyPair(alg) require.NoError(t, err) diff --git a/go.mod b/go.mod index d95a2fc1..8293a7e8 100644 --- a/go.mod +++ b/go.mod 
@@ -8,11 +8,11 @@ require ( github.com/docker/go-connections v0.5.0 github.com/jeremija/gosubmit v0.2.8 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 - github.com/lestrrat-go/jwx/v2 v2.1.6 + github.com/lestrrat-go/jwx/v3 v3.0.12 github.com/melbahja/goph v1.4.0 - github.com/openpubkey/openpubkey v0.22.0 + github.com/openpubkey/openpubkey v0.23.0 github.com/spf13/cobra v1.9.1 - github.com/stretchr/testify v1.10.0 + github.com/stretchr/testify v1.11.1 github.com/testcontainers/testcontainers-go v0.38.0 github.com/thediveo/enumflag/v2 v2.0.7 github.com/zitadel/oidc/v3 v3.41.0 @@ -27,6 +27,7 @@ require ( github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/awnumar/memguard v0.22.3 // indirect + github.com/bits-and-blooms/bitset v1.24.1 // indirect github.com/bmatcuk/doublestar/v4 v4.9.0 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/containerd/errdefs v1.0.0 // indirect @@ -51,6 +52,10 @@ require ( github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/klauspost/compress v1.18.0 // indirect github.com/kr/fs v0.1.0 // indirect + github.com/lestrrat-go/dsig v1.0.0 // indirect + github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect + github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect + github.com/lestrrat-go/option/v2 v2.0.0 // indirect github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect github.com/magiconair/properties v1.8.10 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect 
@@ -74,6 +79,9 @@ require ( github.com/spf13/pflag v1.0.6 // indirect github.com/tklauser/go-sysconf v0.3.12 // indirect github.com/tklauser/numcpus v0.6.1 // indirect + github.com/valyala/fastjson v1.6.4 // indirect + github.com/yeqown/go-qrcode/v2 v2.2.5 // indirect + github.com/yeqown/reedsolomon v1.0.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect github.com/zitadel/logging v0.6.2 // indirect github.com/zitadel/schema v1.3.1 // indirect @@ -91,19 +99,17 @@ require ( github.com/awnumar/memcall v0.1.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect - github.com/goccy/go-json v0.10.3 // indirect - github.com/lestrrat-go/blackmagic v1.0.3 // indirect + github.com/goccy/go-json v0.10.5 // indirect + github.com/lestrrat-go/blackmagic v1.0.4 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect - github.com/lestrrat-go/httprc v1.0.6 // indirect - github.com/lestrrat-go/iter v1.0.2 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/muhlemmer/gu v0.3.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/segmentio/asm v1.2.0 // indirect + github.com/segmentio/asm v1.2.1 // indirect github.com/spf13/afero v1.14.0 golang.org/x/exp v0.0.0-20250717185816-542afb5b7346 golang.org/x/oauth2 v0.30.0 // indirect - golang.org/x/sys v0.38.0 // indirect + golang.org/x/sys v0.38.0 golang.org/x/text v0.31.0 // indirect gopkg.in/yaml.v3 v3.0.1 ) diff --git a/go.sum b/go.sum index eb3b6f44..c7d6ac9d 100644 --- a/go.sum +++ b/go.sum 
@@ -12,6 +12,8 @@ github.com/awnumar/memcall v0.1.2 h1:7gOfDTL+BJ6nnbtAp9+HQzUFjtP1hEseRQq8eP055QY github.com/awnumar/memcall v0.1.2/go.mod h1:S911igBPR9CThzd/hYQQmTc9SWNu3ZHIlCGaWsWsoJo= github.com/awnumar/memguard v0.22.3 h1:b4sgUXtbUjhrGELPbuC62wU+BsPQy+8lkWed9Z+pj0Y= github.com/awnumar/memguard v0.22.3/go.mod h1:mmGunnffnLHlxE5rRgQc3j+uwPZ27eYb61ccr8Clz2Y= +github.com/bits-and-blooms/bitset v1.24.1 h1:hqnfFbjjk3pxGa5E9Ho3hjoU7odtUuNmJ9Ao+Bo8s1c= +github.com/bits-and-blooms/bitset v1.24.1/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8= github.com/bmatcuk/doublestar/v4 v4.9.0 h1:DBvuZxjdKkRP/dr4GVV4w2fnmrk5Hxc90T51LZjv0JA= github.com/bmatcuk/doublestar/v4 v4.9.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= @@ -61,8 +63,8 @@ github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiU github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA= -github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= +github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4= +github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc= 
@@ -96,18 +98,22 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs= -github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw= +github.com/lestrrat-go/blackmagic v1.0.4 h1:IwQibdnf8l2KoO+qC3uT4OaTWsW7tuRQXy9TRN9QanA= +github.com/lestrrat-go/blackmagic v1.0.4/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw= +github.com/lestrrat-go/dsig v1.0.0 h1:OE09s2r9Z81kxzJYRn07TFM9XA4akrUdoMwr0L8xj38= +github.com/lestrrat-go/dsig v1.0.0/go.mod h1:dEgoOYYEJvW6XGbLasr8TFcAxoWrKlbQvmJgCR0qkDo= +github.com/lestrrat-go/dsig-secp256k1 v1.0.0 h1:JpDe4Aybfl0soBvoVwjqDbp+9S1Y2OM7gcrVVMFPOzY= +github.com/lestrrat-go/dsig-secp256k1 v1.0.0/go.mod h1:CxUgAhssb8FToqbL8NjSPoGQlnO4w3LG1P0qPWQm/NU= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= -github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k= -github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= -github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= -github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= -github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA= -github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU= +github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI= +github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk= 
+github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg= +github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8= github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU= github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss= +github.com/lestrrat-go/option/v2 v2.0.0/go.mod h1:oSySsmzMoR0iRzCDCaUfsCzxQHUEuhOViQObyy7S6Vg= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4= github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I= github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE= @@ -144,8 +150,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= -github.com/openpubkey/openpubkey v0.22.0 h1:KQwWJxpcvaHy2oSL+r0KCl1fU8f5ueUN3ZP2dK5YlvQ= -github.com/openpubkey/openpubkey v0.22.0/go.mod h1:mdwk/Xsr/IsnKSQ6/FIvhAGehe3NbR8BxuAbdouGXrs= +github.com/openpubkey/openpubkey v0.23.0 h1:E4CaQnMH6Fwk83Rk22WIObYmlZf9kKM2ZZWGvxY/t9I= +github.com/openpubkey/openpubkey v0.23.0/go.mod h1:mxb80p5GTrKF+s/HluHFWlzG3GTHBC1eO+g2n8maG+E= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/sftp v1.13.5/go.mod h1:wHDZ0IZX6JcBYRK1TH9bcVq8G7TLpVHYIGJRFnmPfxg= 
@@ -161,8 +167,8 @@ github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA= github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= -github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0= +github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= github.com/shirou/gopsutil/v4 v4.25.5 h1:rtd9piuSMGeU8g1RMXjZs9y9luK5BwtnG7dZaQUJAsc= github.com/shirou/gopsutil/v4 v4.25.5/go.mod h1:PfybzyydfZcN+JMMjkF6Zb8Mq1A/VcogFFg7hj50W9c= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= @@ -181,8 +187,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= +github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= +github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/testcontainers/testcontainers-go v0.38.0 h1:d7uEapLcv2P8AvH8ahLqDMMxda2W9gQN1nRbHS28HBw= github.com/testcontainers/testcontainers-go v0.38.0/go.mod h1:C52c9MoHpWO+C4aqmgSU+hxlR5jlEayWtgYrb8Pzz1w= github.com/thediveo/enumflag/v2 v2.0.7 h1:uxXDU+rTel7Hg4X0xdqICpG9rzuI/mzLAEYXWLflOfs= 
@@ -193,6 +199,12 @@ github.com/tklauser/go-sysconf v0.3.12 h1:0QaGUFOdQaIVdPgfITYzaTegZvdCjmYO52cSFA github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI= github.com/tklauser/numcpus v0.6.1 h1:ng9scYS7az0Bk4OZLvrNXNSAO2Pxr1XXRAPyjhIx+Fk= github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY= +github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXVQ= +github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= +github.com/yeqown/go-qrcode/v2 v2.2.5 h1:HCOe2bSjkhZyYoyyNaXNzh4DJZll6inVJQQw+8228Zk= +github.com/yeqown/go-qrcode/v2 v2.2.5/go.mod h1:uHpt9CM0V1HeXLz+Wg5MN50/sI/fQhfkZlOM+cOTHxw= +github.com/yeqown/reedsolomon v1.0.0 h1:x1h/Ej/uJnNu8jaX7GLHBWmZKCAWjEJTetkqaabr4B0= +github.com/yeqown/reedsolomon v1.0.0/go.mod h1:P76zpcn2TCuL0ul1Fso373qHRc69LKwAw/Iy6g1WiiM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= diff --git a/policy/plugins/plugins_test.go b/policy/plugins/plugins_test.go index b39b869f..bace0975 100644 --- a/policy/plugins/plugins_test.go +++ b/policy/plugins/plugins_test.go @@ -25,8 +25,8 @@ import ( "strings" "testing" - "github.com/lestrrat-go/jwx/v2/jwa" "github.com/openpubkey/openpubkey/client" + "github.com/openpubkey/openpubkey/jose" "github.com/openpubkey/openpubkey/providers" "github.com/openpubkey/openpubkey/util" "github.com/openpubkey/opkssh/policy/files" @@ -446,7 +446,7 @@ enforce_providers: true command: /usr/bin/local/opk/policy-cmd arg1 arg2 arg3`), 0640) require.NoError(t, err) - alg := jwa.ES256 + alg := jose.ES256 signer, err := util.GenKeyPair(alg) require.NoError(t, err) diff --git a/sshcert/sshcert.go b/sshcert/sshcert.go index 2b3e7f93..89236392 100644 --- a/sshcert/sshcert.go 
+++ b/sshcert/sshcert.go @@ -23,7 +23,7 @@ import ( "fmt" "time" - "github.com/lestrrat-go/jwx/v2/jwk" + "github.com/lestrrat-go/jwx/v3/jwk" "github.com/openpubkey/openpubkey/pktoken" "github.com/openpubkey/openpubkey/verifier" "golang.org/x/crypto/ssh" @@ -148,10 +148,13 @@ func (s *SshCertSmuggler) VerifySshPktCert(ctx context.Context, pktVerifier veri if err != nil { return nil, err } - upk := cic.PublicKey() + upk, err := jwk.Import(cic.PublicKey()) + if err != nil { + return nil, err + } cryptoCertKey := (s.SshCert.Key.(ssh.CryptoPublicKey)).CryptoPublicKey() - jwkCertKey, err := jwk.FromRaw(cryptoCertKey) + jwkCertKey, err := jwk.Import(cryptoCertKey) if err != nil { return nil, err } @@ -170,9 +173,5 @@ func sshPubkeyFromPKT(pkt *pktoken.PKToken) (ssh.PublicKey, error) { } upk := cic.PublicKey() - var rawkey any - if err := upk.Raw(&rawkey); err != nil { - return nil, err - } - return ssh.NewPublicKey(rawkey) + return ssh.NewPublicKey(upk) } diff --git a/sshcert/sshcert_test.go b/sshcert/sshcert_test.go index aaafd2e0..659d6eb2 100644 --- a/sshcert/sshcert_test.go +++ b/sshcert/sshcert_test.go @@ -24,7 +24,7 @@ import ( "strings" "testing" - "github.com/lestrrat-go/jwx/v2/jwk" + "github.com/lestrrat-go/jwx/v3/jwk" "github.com/openpubkey/openpubkey/client" "github.com/openpubkey/openpubkey/pktoken" "github.com/openpubkey/openpubkey/providers" @@ -207,10 +207,11 @@ func TestSshCertCreation(t *testing.T) { cic, err := pktExt.GetCicValues() require.NoError(t, err) - upk := cic.PublicKey() + upk, err := jwk.PublicKeyOf(cic.PublicKey()) + require.NoError(t, err) cryptoCertKey := (sshCert.Key.(ssh.CryptoPublicKey)).CryptoPublicKey() - jwkCertKey, err := jwk.FromRaw(cryptoCertKey) + jwkCertKey, err := jwk.PublicKeyOf(cryptoCertKey) require.NoError(t, err) if !jwk.Equal(upk, jwkCertKey) { t.Error(fmt.Errorf("expected upk to be equal to the value in sshCert.Key"))
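Review bot: The single-value assertion `s.SshCert.Key.(ssh.CryptoPublicKey)` between the two new `jwk.Import` calls at `@@ -148` panics instead of returning an error if the certificate carries a key type that does not implement `ssh.CryptoPublicKey`. The line is unchanged by this commit, but the certificate is the input being verified, so the checked form is safer: `ck, ok := s.SshCert.Key.(ssh.CryptoPublicKey)` followed by `if !ok { return nil, fmt.Errorf("unsupported ssh certificate key type %s", s.SshCert.Key.Type()) }`. Both import failures also return the bare error, so a caller cannot tell whether the PK token key or the certificate key was rejected; wrapping each, e.g. `fmt.Errorf("importing PK token public key: %w", err)`, would make that visible. The function starts and ends outside the hunk.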
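Review bot: `ssh.NewPublicKey(upk)` at `@@ -170` in `sshPubkeyFromPKT` now receives whatever concrete type `cic.PublicKey()` returns, and nothing in the visible lines limits it to the key types `login` can generate (`ES256` and `EdDSA`, per the switch in `commands/login.go`). `ssh.NewPublicKey` accepts other types as well, RSA among them, so unless openpubkey already restricts the key algorithm, a type switch on `*ecdsa.PublicKey` and `ed25519.PublicKey` before the call would make the accepted set explicit. If accepting every supported type is intended, a comment such as `// any key type supported by x/crypto/ssh is accepted here` would document that. The function starts outside the hunk.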
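Review bot: The test at `@@ -207` in `sshcert/sshcert_test.go` converts both keys with `jwk.PublicKeyOf`, while `VerifySshPktCert` in `sshcert/sshcert.go` converts them with `jwk.Import`, so the comparison exercised here is not the one the verifier performs. Using the same call in the test, `upk, err := jwk.Import(cic.PublicKey())` and `jwkCertKey, err := jwk.Import(cryptoCertKey)`, would make the test fail if the production conversion ever stopped producing equal keys. The test function starts and ends outside the hunk.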