From 74679965061e998135e874d72ebba088040d1f0d Mon Sep 17 00:00:00 2001 From: Thibault Normand Date: Mon, 17 Jun 2024 09:27:50 +0200 Subject: [PATCH] feat(jwt): migrate to github.com/go-jose/go-jose/v4 --- client/api.go | 2 +- client/claims.go | 2 +- client/http.go | 6 ++--- examples/attestationclient/main.go | 6 ++--- examples/attestationserver/main.go | 6 ++--- .../handlers/authorization.go | 4 ++-- examples/authorizationserver/handlers/par.go | 4 ++-- examples/authorizationserver/main.go | 6 ++--- .../middleware/client_auth.go | 7 +++--- examples/authorizationserver/settings.go | 2 +- examples/resourceserver/middleware.go | 3 ++- go.mod | 6 +++-- go.sum | 21 ++++++++++++++++-- sdk/jwk/api.go | 2 +- sdk/jwk/signature.go | 4 ++-- sdk/token/jwt/builders.go | 2 +- sdk/token/jwt/embedded_verifier.go | 19 +++++++--------- sdk/token/jwt/signer.go | 6 ++--- sdk/token/jwt/signer_test.go | 2 +- sdk/token/jwt/token_adapter.go | 2 +- sdk/token/jwt/verifier.go | 22 +++++++------------ sdk/token/jwt/verifier_test.go | 13 ++++++----- sdk/token/paseto/signer_test.go | 2 +- .../client_attestation.go | 16 ++++++++------ .../clientauthentication/private_key_jwt.go | 12 +++++----- .../private_key_jwt_test.go | 8 +++---- 26 files changed, 102 insertions(+), 83 deletions(-) diff --git a/client/api.go b/client/api.go index 6717cfb..35dfc91 100644 --- a/client/api.go +++ b/client/api.go @@ -20,8 +20,8 @@ package client import ( "context" + "github.com/go-jose/go-jose/v4" "golang.org/x/oauth2" - "gopkg.in/square/go-jose.v2" discoveryv1 "zntr.io/solid/api/oidc/discovery/v1" tokenv1 "zntr.io/solid/api/oidc/token/v1" diff --git a/client/claims.go b/client/claims.go index 0267dbb..f00bd7d 100644 --- a/client/claims.go +++ b/client/claims.go @@ -18,7 +18,7 @@ package client import ( - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" tokenv1 "zntr.io/solid/api/oidc/token/v1" ) diff --git a/client/http.go b/client/http.go index 7c95620..a67df99 100644 --- a/client/http.go 
+++ b/client/http.go @@ -28,9 +28,9 @@ import ( "time" "github.com/dchest/uniuri" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "golang.org/x/oauth2" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" corev1 "zntr.io/solid/api/oidc/core/v1" discoveryv1 "zntr.io/solid/api/oidc/discovery/v1" @@ -119,7 +119,7 @@ func (c *httpClient) Assertion() (string, error) { Audience: c.issuer, Expires: uint64(time.Now().Add(30 * time.Second).Unix()), IssuedAt: uint64(time.Now().Unix()), - }).CompactSerialize() + }).Serialize() if err != nil { return "", fmt.Errorf("unable to sign client assertion: %w", err) } diff --git a/examples/attestationclient/main.go b/examples/attestationclient/main.go index d02b38b..72ea9ba 100644 --- a/examples/attestationclient/main.go +++ b/examples/attestationclient/main.go @@ -17,9 +17,9 @@ import ( "time" "github.com/dchest/uniuri" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "golang.org/x/oauth2" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" corev1 "zntr.io/solid/api/oidc/core/v1" "zntr.io/solid/oidc" @@ -92,7 +92,7 @@ func computeClientPOP(priv *ecdsa.PrivateKey) (string, error) { "nbf": now - 1, "exp": now + 30, // Valid for 30s "jti": uniuri.NewLen(8), - }).CompactSerialize() + }).Serialize() } func getToken(ctx context.Context, assertion string) (*oauth2.Token, error) { diff --git a/examples/attestationserver/main.go b/examples/attestationserver/main.go index d3bb645..7240e0c 100644 --- a/examples/attestationserver/main.go +++ b/examples/attestationserver/main.go @@ -10,8 +10,8 @@ import ( "strings" "time" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" ) type attestationData struct { 
@@ -60,7 +60,7 @@ func signHandler(priv ed25519.PrivateKey) http.Handler { "cnf": map[string]any{ "jwk": data.ClientPublicKey.Public(), }, - }).CompactSerialize() + }).Serialize() // Set response type w.Header().Set("Content-Type", "application/client-attestation+jwt; charset=utf-8") diff --git a/examples/authorizationserver/handlers/authorization.go b/examples/authorizationserver/handlers/authorization.go index 22e7a39..dfe8441 100644 --- a/examples/authorizationserver/handlers/authorization.go +++ b/examples/authorizationserver/handlers/authorization.go @@ -28,7 +28,7 @@ import ( "net/url" "github.com/dchest/uniuri" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" flowv1 "zntr.io/solid/api/oidc/flow/v1" "zntr.io/solid/examples/authorizationserver/middleware" @@ -92,7 +92,7 @@ func Authorization(issuer string, authz services.Authorization, clients storage. // No error return &jwks, nil - }, []string{"ES384"})) + }, []jose.SignatureAlgorithm{jose.ES384})) // Decode request ar, err := clientRequestDecoder.Decode(ctx, requestRaw) diff --git a/examples/authorizationserver/handlers/par.go b/examples/authorizationserver/handlers/par.go index ddbaf15..3d25c71 100644 --- a/examples/authorizationserver/handlers/par.go +++ b/examples/authorizationserver/handlers/par.go @@ -24,7 +24,7 @@ import ( "log" "net/http" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" flowv1 "zntr.io/solid/api/oidc/flow/v1" tokenv1 "zntr.io/solid/api/oidc/token/v1" @@ -83,7 +83,7 @@ func PushedAuthorizationRequest(issuer string, authz services.Authorization, dpo // No error return &jwks, nil - }, []string{"ES384"})) + }, []jose.SignatureAlgorithm{jose.ES384})) // Decode request ar, err := clientRequestDecoder.Decode(ctx, requestRaw) diff --git a/examples/authorizationserver/main.go b/examples/authorizationserver/main.go index 8bebfee..7bed4c0 100644 --- a/examples/authorizationserver/main.go +++ b/examples/authorizationserver/main.go 
@@ -4,7 +4,7 @@ import ( "log" "net/http" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" "zntr.io/solid/examples/authorizationserver/handlers" "zntr.io/solid/examples/authorizationserver/middleware" @@ -48,13 +48,13 @@ func main() { // Middlewares secHeaders := middleware.SecurityHaders() basicAuth := middleware.BasicAuthentication() - clientAuth := middleware.ClientAuthentication(clients) + clientAuth := middleware.ClientAuthentication(clients, []jose.SignatureAlgorithm{jose.ES256, jose.ES384}) // Request encoders keys := keyProvider() keySet := keySetProvider() jarmEncoder := jarm.Encoder(jwt.JARMSigner(jose.ES384, keys)) - dpopVerifier := dpop.DefaultVerifier(proofs, jwt.DefaultVerifier(keySet, []string{"ES384"})) + dpopVerifier := dpop.DefaultVerifier(proofs, jwt.DefaultVerifier(keySet, []jose.SignatureAlgorithm{jose.ES384})) pairwiseEncoder := pairwise.Hash([]byte("U|(vBPu45_Vkvv*Tr*8Y[^s?,$ka@bQziM5]9.+[{.n47]'zokA7-j8ypJ=W]WS")) issuer := "http://127.0.0.1:8080" diff --git a/examples/authorizationserver/middleware/client_auth.go b/examples/authorizationserver/middleware/client_auth.go index 799f31e..dcda02e 100644 --- a/examples/authorizationserver/middleware/client_auth.go +++ b/examples/authorizationserver/middleware/client_auth.go @@ -21,6 +21,7 @@ import ( "log" "net/http" + "github.com/go-jose/go-jose/v4" clientv1 "zntr.io/solid/api/oidc/client/v1" "zntr.io/solid/examples/authorizationserver/respond" "zntr.io/solid/oidc" 
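Review bot: main.go now hard-codes two different allow-lists a few lines apart, `[]jose.SignatureAlgorithm{jose.ES256, jose.ES384}` for middleware.ClientAuthentication and `[]jose.SignatureAlgorithm{jose.ES384}` for the DPoP verifier, and examples/resourceserver/middleware.go carries a third copy for its EmbeddedKeyVerifier. These lists are now the only thing deciding which `alg` headers reach signature verification, so a single named variable in examples/authorizationserver/settings.go (a file this patch already touches) would keep the copies from drifting apart. If the DPoP proof is deliberately narrower than client assertions, a one-line comment next to the DPoP line saying so would stop the next reader from "fixing" it. main's body continues outside the hunk.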
@@ -31,10 +32,10 @@ import ( ) // ClientAuthentication is a middleware to handle client authentication. -func ClientAuthentication(clients storage.ClientReader) Adapter { +func ClientAuthentication(clients storage.ClientReader, supportedAlgorithms []jose.SignatureAlgorithm) Adapter { // Prepare client authentication - clientAuth := clientauthentication.PrivateKeyJWT(clients) - clientAttestationAuth := clientauthentication.ClientAttestation(clients) + clientAuth := clientauthentication.PrivateKeyJWT(clients, supportedAlgorithms) + clientAttestationAuth := clientauthentication.ClientAttestation(clients, supportedAlgorithms) // Return middleware return func(h http.Handler) http.Handler { diff --git a/examples/authorizationserver/settings.go b/examples/authorizationserver/settings.go index 0e47d92..b8a160f 100644 --- a/examples/authorizationserver/settings.go +++ b/examples/authorizationserver/settings.go @@ -4,7 +4,7 @@ import ( "context" "encoding/json" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" "zntr.io/solid/sdk/jwk" ) diff --git a/examples/resourceserver/middleware.go b/examples/resourceserver/middleware.go index 19040ae..736b1b9 100644 --- a/examples/resourceserver/middleware.go +++ b/examples/resourceserver/middleware.go @@ -8,6 +8,7 @@ import ( "strings" "time" + "github.com/go-jose/go-jose/v4" tokenv1 "zntr.io/solid/api/oidc/token/v1" "zntr.io/solid/client" "zntr.io/solid/sdk/dpop" 
@@ -141,7 +142,7 @@ func authenticateWithDPoP(w http.ResponseWriter, req *http.Request, cli client.C func Authorizer(next http.Handler, intent string, cli client.Client, acrValues types.StringArray, maxAuthAge uint64) http.Handler { // Initialize the DPoP verifier. - dpopVerifier := dpop.DefaultVerifier(inmemory.DPoPProofs(), jwt.EmbeddedKeyVerifier([]string{"ES384"})) + dpopVerifier := dpop.DefaultVerifier(inmemory.DPoPProofs(), jwt.EmbeddedKeyVerifier([]jose.SignatureAlgorithm{jose.ES256, jose.ES384})) return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { var ( diff --git a/go.mod b/go.mod index 4e78481..12792e7 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,8 @@ module zntr.io/solid -go 1.20 +go 1.21 + +toolchain go1.22.3 require ( github.com/daixiang0/gci v0.13.4 @@ -8,6 +10,7 @@ require ( github.com/dchest/uniuri v1.2.0 github.com/frapposelli/wwhrd v0.4.0 github.com/fxamacker/cbor/v2 v2.5.0 + github.com/go-jose/go-jose/v4 v4.0.2 github.com/go-ozzo/ozzo-validation/v4 v4.3.0 github.com/gofrs/uuid v4.4.0+incompatible github.com/golang/mock v1.6.0 @@ -24,7 +27,6 @@ require ( google.golang.org/grpc v1.61.0 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.3.0 google.golang.org/protobuf v1.34.0 - gopkg.in/square/go-jose.v2 v2.6.0 gotest.tools/gotestsum v1.11.0 mvdan.cc/gofumpt v0.6.0 zntr.io/paseto v1.2.0 diff --git a/go.sum b/go.sum index 4f2029f..bf68182 100644 --- a/go.sum +++ b/go.sum 
@@ -60,9 +60,11 @@ github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYr github.com/OpenPeeDeeP/depguard/v2 v2.2.0 h1:vDfG60vDtIuf0MEOhmLlLLSzqaRM8EMcgJPdp74zmpA= github.com/OpenPeeDeeP/depguard/v2 v2.2.0/go.mod h1:CIzddKRvLBC4Au5aYP/i3nyaWQ+ClszLIuVocRiCYFQ= github.com/alecthomas/assert/v2 v2.2.2 h1:Z/iVC0xZfWTaFNE6bA3z07T86hd45Xe2eLt6WVy2bbk= +github.com/alecthomas/assert/v2 v2.2.2/go.mod h1:pXcQ2Asjp247dahGEmsZ6ru0UVwnkhktn7S0bBDLxvQ= github.com/alecthomas/go-check-sumtype v0.1.4 h1:WCvlB3l5Vq5dZQTFmodqL2g68uHiSwwlWcT5a2FGK0c= github.com/alecthomas/go-check-sumtype v0.1.4/go.mod h1:WyYPfhfkdhyrdaligV6svFopZV8Lqdzn5pyVBaV6jhQ= github.com/alecthomas/repr v0.2.0 h1:HAzS41CIzNW5syS8Mf9UwXhNH1J9aix/BvDRf1Ml2Yk= +github.com/alecthomas/repr v0.2.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= @@ -81,6 +83,7 @@ github.com/ashanbrown/forbidigo v1.6.0/go.mod h1:Y8j9jy9ZYAEHXdu723cUlraTqbzjKF1 github.com/ashanbrown/makezero v1.1.1 h1:iCQ87C0V0vSyO+M9E/FZYbu65auqH0lnsOkf5FcB28s= github.com/ashanbrown/makezero v1.1.1/go.mod h1:i1bJLCRSCHOcOa9Y6MyF2FTfMZMFdHvxKHxgO5Z1axI= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= +github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -152,6 +155,7 @@ github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4 github.com/firefart/nonamedreturns v1.0.5 h1:tM+Me2ZaXs8tfdDw3X6DOX++wMCOqzYUho6tUTYIdRA= github.com/firefart/nonamedreturns v1.0.5/go.mod h1:gHJjDqhGM4WyPt639SOZs+G89Ko7QKH5R5BhnO6xJhw= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/frapposelli/wwhrd v0.4.0 h1:Vn4hjT/tHNeOnTxFBO0ys1NBH8/Inxqqi1Q0eJmCImo= github.com/frapposelli/wwhrd v0.4.0/go.mod h1:Bzwvr3hY1yoBsBbIMkckeHUI6jf1cLRueaaMxZ3N9FY= github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI= @@ -168,6 +172,8 @@ github.com/go-critic/go-critic v0.11.4/go.mod h1:2QAdo4iuLik5S9YG0rT4wcZ8QxwHYkr github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk= +github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= 
@@ -175,10 +181,12 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-ozzo/ozzo-validation/v4 v4.3.0 h1:byhDUpfEwjsVQb1vBunvIjh2BHQ9ead57VkAEY4V+Es= github.com/go-ozzo/ozzo-validation/v4 v4.3.0/go.mod h1:2NKgrcHl3z6cJs+3Oo940FPRiTzuqKbvfrL2RxCj6Ew= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= +github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= github.com/go-toolsmith/astcast v1.1.0 h1:+JN9xZV1A+Re+95pgnMgDboWNVnIMMQXwfBwLRPgSC8= github.com/go-toolsmith/astcast v1.1.0/go.mod h1:qdcuFWeGGS2xX5bLM/c3U9lewg7+Zu4mr+xPwZIB4ZU= github.com/go-toolsmith/astcopy v1.1.0 h1:YGwBN0WM+ekI/6SS6+52zLDEf8Yvp3n2seZITCUBt5s= @@ -192,6 +200,7 @@ github.com/go-toolsmith/astfmt v1.1.0/go.mod h1:OrcLlRwu0CuiIBp/8b5PYF9ktGVZUjlN github.com/go-toolsmith/astp v1.1.0 h1:dXPuCl6u2llURjdPLLDxJeZInAeZ0/eZwFJmqZMnpQA= github.com/go-toolsmith/astp v1.1.0/go.mod h1:0T1xFGz9hicKs8Z5MfAqSUitoUYS30pDMsRVIDHs8CA= github.com/go-toolsmith/pkgload v1.2.2 h1:0CtmHq/02QhxcF7E9N5LIFcYFsMR5rdovfqTtRKkgIk= +github.com/go-toolsmith/pkgload v1.2.2/go.mod h1:R2hxLNRKuAsiXCo2i5J6ZQPhnPMOVtU+f0arbFPWCus= github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8= github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQiyP2Bvw= github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ= 
@@ -287,6 +296,7 @@ github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= +github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= @@ -305,6 +315,7 @@ github.com/gostaticanalysis/nilerr v0.1.1 h1:ThE+hJP0fEp4zWLkWHWcRyI2Od0p7DlgYG3 github.com/gostaticanalysis/nilerr v0.1.1/go.mod h1:wZYb6YI5YAxxq0i1+VJbY0s2YONW0HU0GPE3+5PWN4A= github.com/gostaticanalysis/testutil v0.3.1-0.20210208050101-bfb5c8eec0e4/go.mod h1:D+FIZ+7OahH3ePw/izIEeH5I06eKs1IKI4Xr64/Am3M= github.com/gostaticanalysis/testutil v0.4.0 h1:nhdCmubdmDF6VEatUNjgUZBJKWRqugoISdUv3PPQgHY= +github.com/gostaticanalysis/testutil v0.4.0/go.mod h1:bLIoPefWXrRi/ssLFWX1dx7Repi5x3CuviD3dgAZaBU= github.com/hashicorp/go-version v1.2.1/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= 
@@ -351,6 +362,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= @@ -424,9 +436,12 @@ github.com/nunnatsa/ginkgolinter v0.16.2/go.mod h1:4tWRinDN1FeJgU+iJANW/kz7xKN5n github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec= github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY= github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= +github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= +github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw= github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU= +github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= 
@@ -446,6 +461,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN github.com/polyfloyd/go-errorlint v1.5.2 h1:SJhVik3Umsjh7mte1vE0fVZ5T1gznasQG3PV7U5xFdA= github.com/polyfloyd/go-errorlint v1.5.2/go.mod h1:sH1QC1pxxi0fFecsVIzBmxtrgd9IF/SkJpA6wqyKAJs= github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g= +github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M= @@ -481,6 +497,7 @@ github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567/go.mod h1:DWNGW8 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryancurrah/gomodguard v1.3.2 h1:CuG27ulzEB1Gu5Dk5gP8PFxSOZ3ptSdP5iI/3IXxM18= github.com/ryancurrah/gomodguard v1.3.2/go.mod h1:LqdemiFomEjcxOqirbQCb3JFvSxH2JUYMerTFd3sF2o= 
@@ -595,6 +612,7 @@ github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5t gitlab.com/bosi/decorder v0.4.2 h1:qbQaV3zgwnBZ4zPMhGLW4KZe7A7NwxEhJx39R3shffo= gitlab.com/bosi/decorder v0.4.2/go.mod h1:muuhHoaJkA9QLcYHq4Mj8FJUwDZ+EirSHRiaTcTf6T8= go-simpler.org/assert v0.9.0 h1:PfpmcSvL7yAnWyChSjOz6Sp6m9j5lyK8Ok9pEL31YkQ= +go-simpler.org/assert v0.9.0/go.mod h1:74Eqh5eI6vCK6Y5l3PI8ZYFXG4Sa+tkr70OIPJAUr28= go-simpler.org/musttag v0.12.2 h1:J7lRc2ysXOq7eM8rwaTYnNrHd5JwjppzB6mScysB2Cs= go-simpler.org/musttag v0.12.2/go.mod h1:uN1DVIasMTQKk6XSik7yrJoEysGtR2GRqvWnI9S7TYM= go-simpler.org/sloglint v0.7.1 h1:qlGLiqHbN5islOxjeLXoPtUdZXb669RW+BDQ+xOSNoU= @@ -611,6 +629,7 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8= go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0= go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI= +go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= 
@@ -989,8 +1008,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= -gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/sdk/jwk/api.go b/sdk/jwk/api.go index 0f059ab..a0fba67 100644 --- a/sdk/jwk/api.go +++ b/sdk/jwk/api.go @@ -20,7 +20,7 @@ package jwk import ( "context" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" ) // KeySetProviderFunc defines key set provider contract. diff --git a/sdk/jwk/signature.go b/sdk/jwk/signature.go index fdd9cb0..7abdc0b 100644 --- a/sdk/jwk/signature.go +++ b/sdk/jwk/signature.go @@ -20,8 +20,8 @@ package jwk import ( "errors" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" ) // ErrInvalidTokenSignature is raised when token is signed with a private key diff --git a/sdk/token/jwt/builders.go b/sdk/token/jwt/builders.go index 121ffd6..7f8614f 100644 --- a/sdk/token/jwt/builders.go +++ b/sdk/token/jwt/builders.go @@ -18,7 +18,7 @@ package jwt import ( - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" "zntr.io/solid/sdk/jwk" "zntr.io/solid/sdk/token" diff --git a/sdk/token/jwt/embedded_verifier.go b/sdk/token/jwt/embedded_verifier.go index 5f6f9a9..b0e88dc 100644 --- a/sdk/token/jwt/embedded_verifier.go +++ b/sdk/token/jwt/embedded_verifier.go 
@@ -22,28 +22,28 @@ import (
 "errors"
 "fmt"
- "gopkg.in/square/go-jose.v2/jwt"
+ "github.com/go-jose/go-jose/v4"
+ "github.com/go-jose/go-jose/v4/jwt"
 "zntr.io/solid/sdk/token"
- "zntr.io/solid/sdk/types"
 )
 // EmbeddedKeyVerifier declare an embedded Key JWT verifier.
-func EmbeddedKeyVerifier(supportedAlgorithms []string) token.Verifier {
+func EmbeddedKeyVerifier(supportedAlgorithms []jose.SignatureAlgorithm) token.Verifier {
 return &embeddedKeyVerifier{
- supportedAlgorithms: types.StringArray(supportedAlgorithms),
+ supportedAlgorithms: supportedAlgorithms,
 }
 }
 // -----------------------------------------------------------------------------
 type embeddedKeyVerifier struct {
- supportedAlgorithms types.StringArray
+ supportedAlgorithms []jose.SignatureAlgorithm
 }
 func (v *embeddedKeyVerifier) Parse(token string) (token.Token, error) {
 // Parse JWT token
- t, err := jwt.ParseSigned(token)
+ t, err := jwt.ParseSigned(token, v.supportedAlgorithms)
 if err != nil {
 return nil, errors.New("unable to parse signed token")
 }
@@ -56,7 +56,7 @@ func (v *embeddedKeyVerifier) Parse(token string) (token.Token, error) {
 func (v *embeddedKeyVerifier) Verify(token string) error {
 // Parse JWT token
- t, err := jwt.ParseSigned(token)
+ t, err := jwt.ParseSigned(token, v.supportedAlgorithms)
 if err != nil {
 return fmt.Errorf("unable to parse signed token: %w", err)
 }
@@ -68,9 +68,6 @@ func (v *embeddedKeyVerifier) Verify(token string) error {
 // Validate algorithm
 alg := t.Headers[0].Algorithm
- if !v.supportedAlgorithms.Contains(alg) {
- return fmt.Errorf("token uses an invalid or not supported algorithm `%s`", alg)
- }
 // Validate embedded key existence
 k := t.Headers[0].JSONWebKey
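Review bot: In the last hunk of embedded_verifier.go the only visible use of `alg` is deleted while `alg := t.Headers[0].Algorithm` and its `// Validate algorithm` comment are kept, so the reader sees a declaration with no check behind it; if nothing below the hunk reads `alg` the compiler rejects the file, and if something does, the comment above it is now stale. The allow-list is still enforced, but by `jwt.ParseSigned(token, v.supportedAlgorithms)` higher up in Parse, Verify and Claims, which is not obvious at this spot; I would replace the kept comment with `// Algorithm allow-list is already enforced by jwt.ParseSigned; alg only feeds the embedded-key checks below` (adjusted to what actually follows). The same removal is made in defaultVerifier.Verify in verifier.go, where the whole block including `alg` goes and no comment remains either. Verify's body continues outside the hunk.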
@@ -90,7 +87,7 @@ func (v *embeddedKeyVerifier) Verify(token string) error { // Claims extracts claims from given raw token with verifier keyset provider. func (v *embeddedKeyVerifier) Claims(ctx context.Context, raw string, claims any) error { // Parse JWT token - t, err := jwt.ParseSigned(raw) + t, err := jwt.ParseSigned(raw, v.supportedAlgorithms) if err != nil { return fmt.Errorf("unable to parse signed token: %w", err) } diff --git a/sdk/token/jwt/signer.go b/sdk/token/jwt/signer.go index b4cfb88..822e031 100644 --- a/sdk/token/jwt/signer.go +++ b/sdk/token/jwt/signer.go @@ -22,8 +22,8 @@ import ( "errors" "fmt" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "zntr.io/solid/sdk/jwk" "zntr.io/solid/sdk/types" @@ -70,7 +70,7 @@ func (ds *defaultSigner) Serialize(ctx context.Context, claims any) (string, err } // Generate the final proof - raw, err := jwt.Signed(sig).Claims(claims).CompactSerialize() + raw, err := jwt.Signed(sig).Claims(claims).Serialize() if err != nil { return "", fmt.Errorf("unable to generate JWT: %w", err) } diff --git a/sdk/token/jwt/signer_test.go b/sdk/token/jwt/signer_test.go index 472faa2..6a036f5 100644 --- a/sdk/token/jwt/signer_test.go +++ b/sdk/token/jwt/signer_test.go @@ -23,7 +23,7 @@ import ( "errors" "testing" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" "zntr.io/solid/sdk/jwk" ) diff --git a/sdk/token/jwt/token_adapter.go b/sdk/token/jwt/token_adapter.go index 92d750e..962f65f 100644 --- a/sdk/token/jwt/token_adapter.go +++ b/sdk/token/jwt/token_adapter.go @@ -22,7 +22,7 @@ import ( "encoding/base64" "fmt" - josejwt "gopkg.in/square/go-jose.v2/jwt" + josejwt "github.com/go-jose/go-jose/v4/jwt" ) type tokenAdapter struct { diff --git a/sdk/token/jwt/verifier.go b/sdk/token/jwt/verifier.go index 275d8cd..f2d1e3c 100644 --- a/sdk/token/jwt/verifier.go +++ b/sdk/token/jwt/verifier.go 
@@ -22,18 +22,18 @@ import (
 "errors"
 "fmt"
- "gopkg.in/square/go-jose.v2/jwt"
+ "github.com/go-jose/go-jose/v4"
+ "github.com/go-jose/go-jose/v4/jwt"
 "zntr.io/solid/sdk/jwk"
 "zntr.io/solid/sdk/token"
- "zntr.io/solid/sdk/types"
 )
 // DefaultVerifier declare a default JWT verifier.
-func DefaultVerifier(keySetProvider jwk.KeySetProviderFunc, supportedAlgorithms []string) token.Verifier {
+func DefaultVerifier(keySetProvider jwk.KeySetProviderFunc, supportedAlgorithms []jose.SignatureAlgorithm) token.Verifier {
 return &defaultVerifier{
 keySetProvider: keySetProvider,
- supportedAlgorithms: types.StringArray(supportedAlgorithms),
+ supportedAlgorithms: supportedAlgorithms,
 }
 }
@@ -41,12 +41,12 @@ func DefaultVerifier(keySetProvider jwk.KeySetProviderFunc, supportedAlgorithms
 type defaultVerifier struct {
 keySetProvider jwk.KeySetProviderFunc
- supportedAlgorithms types.StringArray
+ supportedAlgorithms []jose.SignatureAlgorithm
 }
 func (v *defaultVerifier) Parse(token string) (token.Token, error) {
 // Parse JWT token
- t, err := jwt.ParseSigned(token)
+ t, err := jwt.ParseSigned(token, v.supportedAlgorithms)
 if err != nil {
 return nil, errors.New("unable to parse signed token")
 }
@@ -59,7 +59,7 @@ func (v *defaultVerifier) Parse(token string) (token.Token, error) {
 func (v *defaultVerifier) Verify(token string) error {
 // Parse JWT token
- t, err := jwt.ParseSigned(token)
+ t, err := jwt.ParseSigned(token, v.supportedAlgorithms)
 if err != nil {
 return fmt.Errorf("unable to parse signed token: %w", err)
 }
@@ -69,12 +69,6 @@ func (v *defaultVerifier) Verify(token string) error {
 return fmt.Errorf("unable to process token without header")
 }
- // Validate algorithm
- alg := t.Headers[0].Algorithm
- if !v.supportedAlgorithms.Contains(alg) {
- return fmt.Errorf("token uses an invalid or not supported algorithm `%s`", alg)
- }
-
 // No error
 return nil
 }
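Review bot: DefaultVerifier stores the caller's slice unchanged in `supportedAlgorithms: supportedAlgorithms,`, and since that slice is now the only filter between an untrusted `alg` header and signature verification, a caller that later appends to or reuses the backing array silently widens the allow-list; `supportedAlgorithms: slices.Clone(supportedAlgorithms),` with `"slices"` imported (go.mod now declares go 1.21) removes the aliasing. The constructor also takes a nil or empty list without comment: the verifier_test.go change that had to add `[]jose.SignatureAlgorithm{jose.ES384}` to the previously list-less "valid" Parse case suggests an empty list now makes `jwt.ParseSigned` reject every token, which is the safe direction but worth stating on the constructor, e.g. `// supportedAlgorithms must list every accepted "alg"; an empty list rejects all tokens.` The same two points apply to EmbeddedKeyVerifier, ClientAttestation and PrivateKeyJWT, which store their lists the same way.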
@@ -82,7 +76,7 @@ func (v *defaultVerifier) Verify(token string) error { // Claims extracts claims from given raw token with verifier keyset provider. func (v *defaultVerifier) Claims(ctx context.Context, raw string, claims any) error { // Parse JWT token - t, err := jwt.ParseSigned(raw) + t, err := jwt.ParseSigned(raw, v.supportedAlgorithms) if err != nil { return fmt.Errorf("unable to parse signed token: %w", err) } diff --git a/sdk/token/jwt/verifier_test.go b/sdk/token/jwt/verifier_test.go index 06e124d..18f62a6 100644 --- a/sdk/token/jwt/verifier_test.go +++ b/sdk/token/jwt/verifier_test.go @@ -20,15 +20,15 @@ package jwt import ( "testing" + "github.com/go-jose/go-jose/v4" "zntr.io/solid/sdk/jwk" "zntr.io/solid/sdk/token" - "zntr.io/solid/sdk/types" ) func Test_defaultVerifier_Parse(t *testing.T) { type fields struct { keySetProvider jwk.KeySetProviderFunc - supportedAlgorithms types.StringArray + supportedAlgorithms []jose.SignatureAlgorithm } type args struct { token string @@ -60,6 +60,9 @@ func Test_defaultVerifier_Parse(t *testing.T) { }, { name: "valid", + fields: fields{ + supportedAlgorithms: []jose.SignatureAlgorithm{jose.ES384}, + }, args: args{ token: "eyJhbGciOiJFUzM4NCIsImtpZCI6ImZvbyIsInR5cCI6IiJ9.eyJ0ZXN0IjoiZXhhbXBsZSJ9.a-vdiRCDSIlZdm-gRIk4dxfvsHT90W6a-Lt9JiGF4CMJCrLgl0zZAI57rjTRZXGd3PB0tAoZ8dM0OUQTOIxORkdvQlPYpvM_fEppcYfRkwUO8n7iswsvS4GqSJgotacf", }, @@ -84,7 +87,7 @@ func Test_defaultVerifier_Parse(t *testing.T) { func Test_defaultVerifier_Verify(t *testing.T) { type fields struct { keySetProvider jwk.KeySetProviderFunc - supportedAlgorithms types.StringArray + supportedAlgorithms []jose.SignatureAlgorithm } type args struct { token string 
@@ -112,7 +115,7 @@ func Test_defaultVerifier_Verify(t *testing.T) { { name: "alg not supported", fields: fields{ - supportedAlgorithms: types.StringArray([]string{"ES256"}), + supportedAlgorithms: []jose.SignatureAlgorithm{jose.ES256}, }, args: args{ token: "eyJhbGciOiJFUzM4NCIsImtpZCI6ImZvbyIsInR5cCI6IiJ9.eyJ0ZXN0IjoiZXhhbXBsZSJ9.a-vdiRCDSIlZdm-gRIk4dxfvsHT90W6a-Lt9JiGF4CMJCrLgl0zZAI57rjTRZXGd3PB0tAoZ8dM0OUQTOIxORkdvQlPYpvM_fEppcYfRkwUO8n7iswsvS4GqSJgotacf", @@ -122,7 +125,7 @@ func Test_defaultVerifier_Verify(t *testing.T) { { name: "valid", fields: fields{ - supportedAlgorithms: types.StringArray([]string{"ES384"}), + supportedAlgorithms: []jose.SignatureAlgorithm{jose.ES384}, }, args: args{ token: "eyJhbGciOiJFUzM4NCIsImtpZCI6ImZvbyIsInR5cCI6IiJ9.eyJ0ZXN0IjoiZXhhbXBsZSJ9.a-vdiRCDSIlZdm-gRIk4dxfvsHT90W6a-Lt9JiGF4CMJCrLgl0zZAI57rjTRZXGd3PB0tAoZ8dM0OUQTOIxORkdvQlPYpvM_fEppcYfRkwUO8n7iswsvS4GqSJgotacf", diff --git a/sdk/token/paseto/signer_test.go b/sdk/token/paseto/signer_test.go index b1a8f76..bbae47e 100644 --- a/sdk/token/paseto/signer_test.go +++ b/sdk/token/paseto/signer_test.go @@ -23,7 +23,7 @@ import ( "errors" "testing" - "gopkg.in/square/go-jose.v2" + "github.com/go-jose/go-jose/v4" "zntr.io/solid/sdk/jwk" ) diff --git a/server/clientauthentication/client_attestation.go b/server/clientauthentication/client_attestation.go index e1f262f..be1662a 100644 --- a/server/clientauthentication/client_attestation.go +++ b/server/clientauthentication/client_attestation.go @@ -8,8 +8,8 @@ import ( "strings" "time" - "gopkg.in/square/go-jose.v2" - "gopkg.in/square/go-jose.v2/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" clientv1 "zntr.io/solid/api/oidc/client/v1" "zntr.io/solid/oidc" 
@@ -19,9 +19,10 @@ import (
 )
 
 // ClientAttestation authentication method.
-func ClientAttestation(clients storage.ClientReader) AuthenticationProcessor {
+func ClientAttestation(clients storage.ClientReader, supportedAlgorithms []jose.SignatureAlgorithm) AuthenticationProcessor {
 	return &clientAttestationAuthentication{
-		clients: clients,
+		clients: clients,
+		supportedAlgorithms: supportedAlgorithms,
 	}
 }
 
@@ -40,7 +41,8 @@ type clientAttestationClaims struct {
 }
 
 type clientAttestationAuthentication struct {
-	clients storage.ClientReader
+	clients storage.ClientReader
+	supportedAlgorithms []jose.SignatureAlgorithm
 }
 
 type clientAttestationPOPClaims struct {
@@ -89,7 +91,7 @@ func (p *clientAttestationAuthentication) Authenticate(ctx context.Context, req
 	}
 
 	// Decode PoP
-	rawPoP, err := jwt.ParseSigned(assertions[1])
+	rawPoP, err := jwt.ParseSigned(assertions[1], p.supportedAlgorithms)
 	if err != nil {
 		res.Error = rfcerrors.InvalidRequest().Build()
 		return res, errors.New("invalid client attestation PoP")
@@ -134,7 +136,7 @@ func (p *clientAttestationAuthentication) Authenticate(ctx context.Context, req
 
 func (p *clientAttestationAuthentication) validateClientAttestation(ctx context.Context, clientAttestation string) (*jose.JSONWebKey, error) {
 	// Parse attestation without cryptogrpahic verification first
-	rawAttestation, err := jose.ParseSigned(clientAttestation)
+	rawAttestation, err := jose.ParseSigned(clientAttestation, p.supportedAlgorithms)
 	if err != nil {
 		return nil, fmt.Errorf("client attestation is syntaxically invalid: %w", err)
 	}
diff --git a/server/clientauthentication/private_key_jwt.go b/server/clientauthentication/private_key_jwt.go
index c8265a1..748c56b 100644
--- a/server/clientauthentication/private_key_jwt.go
+++ b/server/clientauthentication/private_key_jwt.go
@@ -23,7 +23,7 @@ import (
 	"fmt"
 	"time"
 
-	"gopkg.in/square/go-jose.v2"
+	"github.com/go-jose/go-jose/v4"
 
 	clientv1 "zntr.io/solid/api/oidc/client/v1"
 	"zntr.io/solid/oidc"
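Review bot: `ClientAttestation(clients, supportedAlgorithms)` stores the slice unchecked, and further down the same list gates both the attestation JWT and the client PoP, so the parameter's contract belongs on the doc comment: `// ClientAttestation authentication method. supportedAlgorithms is the JWS alg allow-list enforced when parsing both the client attestation and its PoP; an empty list rejects every client.` Because the constructor returns only an AuthenticationProcessor, an empty list cannot be reported as an error without changing the signature; documenting it and, if you prefer fail-fast, panicking on `len(supportedAlgorithms) == 0` are the two options I see. Whether the attester's key and the client's PoP key should really share one allow-list depends on the deployment, so I would at least call out in the comment that they do.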
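Review bot: The context comment `// Parse attestation without cryptogrpahic verification first` is now misleading as well as misspelled: with go-jose v4, `jose.ParseSigned(clientAttestation, p.supportedAlgorithms)` already rejects any alg outside the allow-list at parse time, so part of the validation happens right here. Suggest `// Parse the attestation; the alg header is checked against the allow-list here, cryptographic verification comes later`. The rejection of a not-allowed alg is also wrapped as "client attestation is syntaxically invalid", which will send an operator looking for a malformed token rather than an algorithm mismatch — a distinct message for that case would help triage. validateClientAttestation continues past the hunk.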
@@ -33,9 +33,10 @@ import (
 )
 
 // PrivateKeyJWT authentication method.
-func PrivateKeyJWT(clients storage.ClientReader) AuthenticationProcessor {
+func PrivateKeyJWT(clients storage.ClientReader, supportedAlgorithms []jose.SignatureAlgorithm) AuthenticationProcessor {
 	return &privateKeyJWTAuthentication{
-		clients: clients,
+		clients: clients,
+		supportedAlgorithms: supportedAlgorithms,
 	}
 }
 
@@ -49,7 +50,8 @@ type privateJWTClaims struct {
 }
 
 type privateKeyJWTAuthentication struct {
-	clients storage.ClientReader
+	clients storage.ClientReader
+	supportedAlgorithms []jose.SignatureAlgorithm
 }
 
 //nolint:funlen,gocyclo // to refactor
@@ -81,7 +83,7 @@ func (p *privateKeyJWTAuthentication) Authenticate(ctx context.Context, req *cli
 	}
 
 	// Decode assertion without validation first
-	rawAssertion, err := jose.ParseSigned(*req.ClientAssertion)
+	rawAssertion, err := jose.ParseSigned(*req.ClientAssertion, p.supportedAlgorithms)
 	if err != nil {
 		res.Error = rfcerrors.InvalidRequest().Build()
 		return res, fmt.Errorf("assertion is syntaxically invalid: %w", err)
diff --git a/server/clientauthentication/private_key_jwt_test.go b/server/clientauthentication/private_key_jwt_test.go
index 622d2d0..1c2328c 100644
--- a/server/clientauthentication/private_key_jwt_test.go
+++ b/server/clientauthentication/private_key_jwt_test.go
@@ -25,9 +25,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/golang/mock/gomock"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 
 	clientv1 "zntr.io/solid/api/oidc/client/v1"
 	"zntr.io/solid/oidc"
@@ -510,7 +510,7 @@ func Test_privateKeyJWTAuthentication_Authenticate(t *testing.T) {
 			}
 
 			// Prepare service
-			underTest := PrivateKeyJWT(clients)
+			underTest := PrivateKeyJWT(clients, []jose.SignatureAlgorithm{jose.ES256})
 
 			got, err := underTest.Authenticate(tt.args.ctx, tt.args.req)
 			if (err != nil) != tt.wantErr {
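Review bot: `PrivateKeyJWT(clients, supportedAlgorithms)` takes the allow-list without any check, and an empty list will make every client assertion fail downstream at `jose.ParseSigned`, so the parameter needs a documented contract: `// PrivateKeyJWT authentication method. supportedAlgorithms is the JWS alg allow-list applied to client assertions (private_key_jwt); an empty list rejects every client.` The constructor has no error return, so fail-fast on an empty list would mean a panic here or a default chosen by the caller; documenting it explicitly is the minimum. This list is also what the discovery document's `token_endpoint_auth_signing_alg_values_supported` should advertise, if the server publishes it — worth a comment pointing at wherever that is wired, which is outside this hunk.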
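Review bot: An assertion whose alg is not in `p.supportedAlgorithms` now fails at `jose.ParseSigned(*req.ClientAssertion, p.supportedAlgorithms)` and is reported with the message "assertion is syntaxically invalid", which is wrong for that case: the token was well-formed, its algorithm was not allowed, and an operator reading logs will chase the wrong problem. go-jose v4 returns a dedicated error for the allow-list miss (an `ErrUnexpectedSignatureAlgorithm` value, if I recall the v4 API correctly), so an `errors.As` branch could log it as an algorithm rejection while keeping the same invalid_request response to the client. The context comment `// Decode assertion without validation first` is also stale now that the alg header is validated at parse time; `// Parse assertion: alg allow-list enforced here, signature not yet verified` is closer to what the line does. Authenticate continues outside the hunk.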
@@ -548,7 +548,7 @@ func generateAssertion(t *testing.T, claims *privateJWTClaims) string {
 		return ""
 	}
 
-	raw, err := jwt.Signed(sig).Claims(claims).CompactSerialize()
+	raw, err := jwt.Signed(sig).Claims(claims).Serialize()
 	if err != nil {
 		t.Fatalf("unable to generate final assertion")
 	}