From be6580992de9f4e6be813e55cf5f936f2068079c Mon Sep 17 00:00:00 2001 From: Lorenz Brun Date: Wed, 17 Jan 2024 23:07:46 +0100 Subject: [PATCH 01/10] Support Ed25519 signature algorithm (#248) This adds support for the Ed25519 signature algorithm which is supported by Go, but was not fully plumbed through in go-spiffe. Signed-off-by: Lorenz Brun --- v2/internal/cryptoutil/keys.go | 5 +++++ v2/svid/jwtsvid/svid_test.go | 3 +++ v2/svid/x509svid/svid.go | 5 +++++ 3 files changed, 13 insertions(+) diff --git a/v2/internal/cryptoutil/keys.go b/v2/internal/cryptoutil/keys.go index 7b34480cd..8e4e21022 100644 --- a/v2/internal/cryptoutil/keys.go +++ b/v2/internal/cryptoutil/keys.go @@ -1,8 +1,10 @@ package cryptoutil import ( + "bytes" "crypto" "crypto/ecdsa" + "crypto/ed25519" "crypto/rsa" "fmt" ) @@ -15,6 +17,9 @@ func PublicKeyEqual(a, b crypto.PublicKey) (bool, error) { case *ecdsa.PublicKey: ecdsaPublicKey, ok := b.(*ecdsa.PublicKey) return ok && ECDSAPublicKeyEqual(a, ecdsaPublicKey), nil + case ed25519.PublicKey: + ed25519PublicKey, ok := b.(ed25519.PublicKey) + return ok && bytes.Equal(a, ed25519PublicKey), nil default: return false, fmt.Errorf("unsupported public key type %T", a) } diff --git a/v2/svid/jwtsvid/svid_test.go b/v2/svid/jwtsvid/svid_test.go index 1b8407a1b..be59f5b4b 100644 --- a/v2/svid/jwtsvid/svid_test.go +++ b/v2/svid/jwtsvid/svid_test.go @@ -3,6 +3,7 @@ package jwtsvid_test import ( "crypto" "crypto/ecdsa" + "crypto/ed25519" "crypto/elliptic" "crypto/rand" "crypto/rsa" @@ -502,6 +503,8 @@ func getSignerAlgorithm(signer crypto.Signer) (jose.SignatureAlgorithm, error) { default: return "", fmt.Errorf("unable to determine signature algorithm for EC public key size %d", params.BitSize) } + case ed25519.PublicKey: + return jose.EdDSA, nil default: return "", fmt.Errorf("unable to determine signature algorithm for public key type %T", publicKey) } diff --git a/v2/svid/x509svid/svid.go b/v2/svid/x509svid/svid.go index eba43f568..7302f3a57 100644 
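Review bot: The new `ed25519.PublicKey` case in `PublicKeyEqual` hand-rolls the comparison with a type assertion plus `bytes.Equal`, which `crypto/ed25519` already provides as `PublicKey.Equal(crypto.PublicKey) bool` (it returns false on a type mismatch), so `case ed25519.PublicKey:` / `return a.Equal(b), nil` gives the same result and removes the need for the new `bytes` import. The same applies to the `ed25519.PrivateKey` case added to `keyMatches` in x509svid/svid.go (next hunk), where `return ok && ed25519PublicKey.Equal(privateKey.Public()), nil` also drops the unchecked `privateKey.Public().(ed25519.PublicKey)` assertion. In `keyMatches`, `Public()` copies from byte 32 of the private key, so a malformed `ed25519.PrivateKey` shorter than that would panic rather than return false; whether callers only ever pass keys parsed by `crypto/x509` is not visible here, so a `len(privateKey) != ed25519.PrivateKeySize` guard returning false may be worth adding. Both `PublicKeyEqual` and `keyMatches` begin before their hunks.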
--- a/v2/svid/x509svid/svid.go +++ b/v2/svid/x509svid/svid.go @@ -1,8 +1,10 @@ package x509svid import ( + "bytes" "crypto" "crypto/ecdsa" + "crypto/ed25519" "crypto/rsa" "crypto/x509" "os" @@ -229,6 +231,9 @@ func keyMatches(privateKey crypto.PrivateKey, publicKey crypto.PublicKey) (bool, case *ecdsa.PrivateKey: ecdsaPublicKey, ok := publicKey.(*ecdsa.PublicKey) return ok && ecdsaPublicKeyEqual(&privateKey.PublicKey, ecdsaPublicKey), nil + case ed25519.PrivateKey: + ed25519PublicKey, ok := publicKey.(ed25519.PublicKey) + return ok && bytes.Equal(privateKey.Public().(ed25519.PublicKey), ed25519PublicKey), nil default: return false, errs.New("unsupported private key type %T", privateKey) } From 04f99837aed10405d235e658f0874f807bc81fc7 Mon Sep 17 00:00:00 2001 From: Sword Date: Thu, 18 Jan 2024 06:41:55 +0800 Subject: [PATCH 02/10] Fix the test on go1.21 (#252) Signed-off-by: sword-jin --- v2/spiffetls/tlsconfig/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/v2/spiffetls/tlsconfig/config_test.go b/v2/spiffetls/tlsconfig/config_test.go index 0d640c874..6bdb68d96 100644 --- a/v2/spiffetls/tlsconfig/config_test.go +++ b/v2/spiffetls/tlsconfig/config_test.go @@ -772,7 +772,7 @@ func testConnection(t testing.TB, serverConfig *tls.Config, clientConfig *tls.Co if conn != nil { conn.Close() } - require.EqualError(t, err, clientErr) + require.ErrorContains(t, err, clientErr) return } From 374b58fdddfe7058f9fb39f2ac56047db2c3c0b4 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Mon, 1 Apr 2024 08:42:40 -0700 Subject: [PATCH 03/10] Bump Go to 1.21 (#277) Signed-off-by: Ryan Turner --- .github/workflows/pr_build.yaml | 2 +- Makefile | 4 +-- v2/.golangci.yml | 25 +++++++++-------- .../test/fakeworkloadapi/workload_api.go | 2 +- .../fakeworkloadapi/workload_api_posix.go | 3 ++- .../fakeworkloadapi/workload_api_windows.go | 27 ++++++++++++++----- 6 files changed, 40 insertions(+), 23 deletions(-) 
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml index 19b26e6a0..055f275f7 100644 --- a/.github/workflows/pr_build.yaml +++ b/.github/workflows/pr_build.yaml @@ -3,7 +3,7 @@ on: pull_request: {} workflow_dispatch: {} env: - GO_VERSION: 1.19 + GO_VERSION: 1.21 jobs: lint-linux: runs-on: ubuntu-latest diff --git a/Makefile b/Makefile index 86ca59187..ee650c962 100644 --- a/Makefile +++ b/Makefile @@ -70,7 +70,7 @@ protoc_gen_go_grpc_base_dir := $(build_dir)/protoc-gen-go-grpc protoc_gen_go_grpc_dir := $(protoc_gen_go_grpc_base_dir)/$(protoc_gen_go_grpc_version)-go$(go_version) protoc_gen_go_grpc_bin := $(protoc_gen_go_grpc_dir)/protoc-gen-go-grpc -golangci_lint_version = v1.50.1 +golangci_lint_version = v1.57.2 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version) golangci_lint_bin = $(golangci_lint_dir)/golangci-lint @@ -81,7 +81,7 @@ apiprotos := \ # Toolchain ############################################################################# -go_version_full := 1.19.12 +go_version_full := 1.21.8 go_version := $(go_version_full:.0=) go_dir := $(build_dir)/go/$(go_version) diff --git a/v2/.golangci.yml b/v2/.golangci.yml index f8d7695e9..90bf4c664 100644 --- a/v2/.golangci.yml +++ b/v2/.golangci.yml @@ -2,20 +2,9 @@ run: # timeout for analysis, e.g. 30s, 5m, default is 1m deadline: 10m - # include examples - skip-dirs-use-default: false - - skip-dirs: - - testdata$ - - test/mock - - skip-files: - - ".*\\.pb\\.go" - linters: enable: - bodyclose - - depguard - goimports - revive - gosec @@ -28,6 +17,16 @@ linters: - gocritic issues: + # include examples + exclude-dirs-use-default: false + + exclude-dirs: + - testdata$ + - test/mock + + exclude-files: + - ".*\\.pb\\.go" + exclude-rules: # exclude some lints from examples test files - path: examples_test.go 
@@ -40,3 +39,7 @@ linters-settings: golint: # minimal confidence for issues, default is 0.8 min-confidence: 0.0 + revive: + rules: + - name: unused-parameter + disabled: true # It's useful to name parameters in library code for better readability diff --git a/v2/internal/test/fakeworkloadapi/workload_api.go b/v2/internal/test/fakeworkloadapi/workload_api.go index 0668545da..fdfefb39a 100644 --- a/v2/internal/test/fakeworkloadapi/workload_api.go +++ b/v2/internal/test/fakeworkloadapi/workload_api.go @@ -50,7 +50,7 @@ func New(tb testing.TB) *WorkloadAPI { x509BundlesChans: make(map[chan *workload.X509BundlesResponse]struct{}), } - listener, err := newListener() + listener, err := newListener(tb) require.NoError(tb, err) server := grpc.NewServer() diff --git a/v2/internal/test/fakeworkloadapi/workload_api_posix.go b/v2/internal/test/fakeworkloadapi/workload_api_posix.go index 8572e33d9..473966d8e 100644 --- a/v2/internal/test/fakeworkloadapi/workload_api_posix.go +++ b/v2/internal/test/fakeworkloadapi/workload_api_posix.go @@ -6,9 +6,10 @@ package fakeworkloadapi import ( "fmt" "net" + "testing" ) -func newListener() (net.Listener, error) { +func newListener(_ testing.TB) (net.Listener, error) { return net.Listen("tcp", "localhost:0") } diff --git a/v2/internal/test/fakeworkloadapi/workload_api_windows.go b/v2/internal/test/fakeworkloadapi/workload_api_windows.go index 6989e32b3..348eeeea4 100644 --- a/v2/internal/test/fakeworkloadapi/workload_api_windows.go +++ b/v2/internal/test/fakeworkloadapi/workload_api_windows.go @@ -4,12 +4,13 @@ package fakeworkloadapi import ( + "crypto/rand" "fmt" - "math/rand" + "math" + "math/big" "net" "strings" "testing" - "time" "github.com/Microsoft/go-winio" "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload" 
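Review bot: Removing `depguard` from `linters.enable` in v2/.golangci.yml drops the only import allow/deny check in the lint config, and neither the hunk nor the commit message says why. If it was dropped because the depguard shipped with golangci-lint v1.57.2 needs an explicit rules block under `linters-settings.depguard` to do anything useful, either add that block with the package allow-list the project intends, or leave a comment next to the enable list, e.g. `# depguard removed with the v1.57 upgrade: re-enable with an explicit linters-settings.depguard.rules allow-list`. The new `revive` `unused-parameter` disable is self-explanatory thanks to its inline comment; the depguard removal deserves the same.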
@@ -17,13 +18,15 @@ import ( "google.golang.org/grpc" ) +var maxUint64 = maxBigUint64() + func NewWithNamedPipeListener(tb testing.TB) *WorkloadAPI { w := &WorkloadAPI{ x509Chans: make(map[chan *workload.X509SVIDResponse]struct{}), jwtBundlesChans: make(map[chan *workload.JWTBundlesResponse]struct{}), } - listener, err := winio.ListenPipe(fmt.Sprintf(`\\.\pipe\go-spiffe-test-pipe-%x`, rand.Uint64()), nil) //nolint: gosec // not use for crypto + listener, err := winio.ListenPipe(fmt.Sprintf(`\\.\pipe\go-spiffe-test-pipe-%x`, randUint64(tb)), nil) require.NoError(tb, err) server := grpc.NewServer() @@ -45,12 +48,22 @@ func GetPipeName(s string) string { return strings.TrimPrefix(s, `\\.\pipe`) } -func init() { - rand.Seed(time.Now().UnixNano()) +func maxBigUint64() *big.Int { + n := big.NewInt(0) + return n.SetUint64(math.MaxUint64) +} + +func randUint64(t testing.TB) uint64 { + n, err := rand.Int(rand.Reader, maxUint64) + if err != nil { + t.Fail() + } + + return n.Uint64() } -func newListener() (net.Listener, error) { - return winio.ListenPipe(fmt.Sprintf(`\\.\pipe\go-spiffe-test-pipe-%x`, rand.Uint64()), nil) //nolint: gosec // not used for crypto +func newListener(tb testing.TB) (net.Listener, error) { + return winio.ListenPipe(fmt.Sprintf(`\\.\pipe\go-spiffe-test-pipe-%x`, randUint64(tb)), nil) } func getTargetName(addr net.Addr) string { From 2f21f777998c665f4ab7f7d4ae9f0954492f03c6 Mon Sep 17 00:00:00 2001 From: Ryan Turner Date: Mon, 1 Apr 2024 08:49:42 -0700 Subject: [PATCH 04/10] Fix Makefile for Apple Silicon-based Macs (#275) Output of `uname -m` on my M2 Mac ``` arm64 ``` Signed-off-by: Ryan Turner --- Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile b/Makefile index ee650c962..409109867 100644 --- a/Makefile +++ b/Makefile @@ -39,6 +39,8 @@ ifeq ($(arch1),x86_64) arch2=amd64 else ifeq ($(arch1),aarch64) arch2=arm64 +else ifeq ($(arch1),arm64) +arch2=arm64 else $(error unsupported ARCH: $(arch1)) endif 
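Review bot: In `randUint64` (workload_api_windows.go), `t.Fail()` on a `rand.Int` error marks the test failed but does not stop it, so execution falls through to `n.Uint64()` with a nil `*big.Int` and panics instead of reporting the error; use `t.Fatalf("generating random pipe name: %v", err)` so the test stops at the real cause. As a minor style point, the parameter is named `t` while the surrounding functions (`NewWithNamedPipeListener`, `newListener`) use `tb` for `testing.TB`, and the package-level `maxUint64` could be written inline as `new(big.Int).SetUint64(math.MaxUint64)` without the `maxBigUint64` helper. Note that `rand.Int` returns a value in `[0, max)`, so `math.MaxUint64` itself is never produced, which is harmless for a pipe-name suffix but worth a one-line comment on `maxUint64`.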
From 3495fea8430cd4a874135e02194a80e46f7eee31 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:03:24 -0600 Subject: [PATCH 05/10] Bump github.com/stretchr/testify from 1.8.4 to 1.9.0 in /v2 (#268) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.4 to 1.9.0. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.4...v1.9.0) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- v2/go.mod | 2 +- v2/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/v2/go.mod b/v2/go.mod index be28eb765..63cbf6384 100644 --- a/v2/go.mod +++ b/v2/go.mod @@ -5,7 +5,7 @@ go 1.19 require ( github.com/Microsoft/go-winio v0.6.1 github.com/go-jose/go-jose/v3 v3.0.1 - github.com/stretchr/testify v1.8.4 + github.com/stretchr/testify v1.9.0 github.com/zeebo/errs v1.3.0 google.golang.org/grpc v1.60.1 google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20 diff --git a/v2/go.sum b/v2/go.sum index 3311362d0..1b6069662 100644 --- a/v2/go.sum +++ b/v2/go.sum 
@@ -20,8 +20,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= -github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= From b4965477398d5286c27b0fe3873d9e49999fc7be Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:08:21 -0600 Subject: [PATCH 06/10] Bump google.golang.org/grpc from 1.60.1 to 1.62.1 in /v2 (#273) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.60.1 to 1.62.1. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](https://github.com/grpc/grpc-go/compare/v1.60.1...v1.62.1) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- v2/go.mod | 10 +++++----- v2/go.sum | 24 ++++++++++++------------ 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/v2/go.mod b/v2/go.mod index 63cbf6384..27bf2b336 100644 --- a/v2/go.mod +++ b/v2/go.mod 
@@ -7,7 +7,7 @@ require ( github.com/go-jose/go-jose/v3 v3.0.1 github.com/stretchr/testify v1.9.0 github.com/zeebo/errs v1.3.0 - google.golang.org/grpc v1.60.1 + google.golang.org/grpc v1.62.1 google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20 google.golang.org/protobuf v1.32.0 ) @@ -17,13 +17,13 @@ require ( github.com/golang/protobuf v1.5.3 // indirect github.com/kr/pretty v0.1.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - golang.org/x/crypto v0.17.0 // indirect + golang.org/x/crypto v0.18.0 // indirect golang.org/x/mod v0.8.0 // indirect - golang.org/x/net v0.17.0 // indirect - golang.org/x/sys v0.15.0 // indirect + golang.org/x/net v0.20.0 // indirect + golang.org/x/sys v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/tools v0.6.0 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/v2/go.sum b/v2/go.sum index 1b6069662..b62760d5c 100644 --- a/v2/go.sum +++ b/v2/go.sum @@ -10,7 +10,7 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -26,28 +26,28 @@ github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= +golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.3.0/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc= -google.golang.org/grpc v1.60.1 h1:26+wFr+cNqSGFcOXcabYC0lUVJVRa2Sb2ortSK7VrEU= -google.golang.org/grpc v1.60.1/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 h1:AjyfHzEPEFp/NpvfN5g+KDla3EMojjhRVZc1i7cj+oM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80/go.mod h1:PAREbraiVEVGVdTZsVWjSbbTtSyGbAgIIvni8a8CD5s= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20 h1:MLBCGN1O7GzIx+cBiwfYPwtmZ41U3Mn/cotLJciaArI= google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20/go.mod h1:Nr5H8+MlGWr5+xX/STzdoEqJrO+YteqFbMyCsrb6mH0= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= From 2a8191f059c3be8d3b02fae165abdbe67e3aba66 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 10:16:34 -0600 Subject: [PATCH 07/10] Bump google.golang.org/protobuf from 1.32.0 to 1.33.0 in /v2 (#274) Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Harding --- v2/go.mod | 2 +- v2/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/v2/go.mod b/v2/go.mod index 27bf2b336..2b60c114f 100644 --- a/v2/go.mod +++ b/v2/go.mod @@ -9,7 +9,7 @@ require ( github.com/zeebo/errs v1.3.0 google.golang.org/grpc v1.62.1 google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20 - google.golang.org/protobuf v1.32.0 + google.golang.org/protobuf v1.33.0 ) require ( diff --git a/v2/go.sum b/v2/go.sum index b62760d5c..bdbe90e9d 100644 --- a/v2/go.sum +++ b/v2/go.sum 
@@ -52,8 +52,8 @@ google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20 h1:MLBCGN1O7G google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20/go.mod h1:Nr5H8+MlGWr5+xX/STzdoEqJrO+YteqFbMyCsrb6mH0= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I= -google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From 8e0ce79ed61267ba666f209ded60150456f2d1d5 Mon Sep 17 00:00:00 2001 From: Noah Stride Date: Mon, 1 Apr 2024 17:37:17 +0100 Subject: [PATCH 08/10] Add `-race` to Go test by default (#270) Signed-off-by: Noah Stride --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 409109867..289db3168 100644 --- a/Makefile +++ b/Makefile @@ -143,7 +143,7 @@ tidy: | go-check .PHONY: test test: | go-check - @cd ./v2; $(go_path) go test ./... + @cd ./v2; $(go_path) go test -race ./... ############################################################################# # Code Generation From bf6eecf2af614f22618f140899c504f7b66cded2 Mon Sep 17 00:00:00 2001 
From: Ryan Turner Date: Mon, 1 Apr 2024 09:41:06 -0700 Subject: [PATCH 09/10] Update to go-jose v4.0.1 (#276) There are some breaking changes in v4 that affect go-spiffe code: - When parsing a JWS-protected JWT, the caller must now explicitly pass the accepted signature algorithms (corresponding to `alg` JWS header) into the parsing function. - `CompactSerialize()` was removed in favor of just `Serialize()`, which has identical behavior. go-jose v4 updates the minimum Go version requirement to 1.21, which was released 2023-08-08. Signed-off-by: Ryan Turner Co-authored-by: Andrew Harding --- v2/bundle/jwtbundle/bundle.go | 6 ++-- v2/bundle/spiffebundle/bundle.go | 6 ++-- v2/go.mod | 8 +++--- v2/go.sum | 25 ++++++----------- v2/internal/test/ca.go | 12 ++++---- v2/svid/jwtsvid/svid.go | 48 +++++++++++--------------------- v2/svid/jwtsvid/svid_test.go | 29 +++++++++++++------ 7 files changed, 58 insertions(+), 76 deletions(-) diff --git a/v2/bundle/jwtbundle/bundle.go b/v2/bundle/jwtbundle/bundle.go index 507c372dc..ff2fcd71e 100644 --- a/v2/bundle/jwtbundle/bundle.go +++ b/v2/bundle/jwtbundle/bundle.go @@ -7,15 +7,13 @@ import ( "os" "sync" - "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v4" "github.com/spiffe/go-spiffe/v2/internal/jwtutil" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/zeebo/errs" ) -var ( - jwtbundleErr = errs.Class("jwtbundle") -) +var jwtbundleErr = errs.Class("jwtbundle") // Bundle is a collection of trusted JWT authorities for a trust domain. type Bundle struct { diff --git a/v2/bundle/spiffebundle/bundle.go b/v2/bundle/spiffebundle/bundle.go index 56856fdf9..be176423c 100644 --- a/v2/bundle/spiffebundle/bundle.go +++ b/v2/bundle/spiffebundle/bundle.go @@ -9,7 +9,7 @@ import ( "sync" "time" - "github.com/go-jose/go-jose/v3" + "github.com/go-jose/go-jose/v4" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" "github.com/spiffe/go-spiffe/v2/internal/jwtutil" 
@@ -23,9 +23,7 @@ const ( jwtSVIDUse = "jwt-svid" ) -var ( - spiffebundleErr = errs.Class("spiffebundle") -) +var spiffebundleErr = errs.Class("spiffebundle") type bundleDoc struct { jose.JSONWebKeySet diff --git a/v2/go.mod b/v2/go.mod index 2b60c114f..4803b3654 100644 --- a/v2/go.mod +++ b/v2/go.mod @@ -1,10 +1,10 @@ module github.com/spiffe/go-spiffe/v2 -go 1.19 +go 1.21 require ( github.com/Microsoft/go-winio v0.6.1 - github.com/go-jose/go-jose/v3 v3.0.1 + github.com/go-jose/go-jose/v4 v4.0.1 github.com/stretchr/testify v1.9.0 github.com/zeebo/errs v1.3.0 google.golang.org/grpc v1.62.1 @@ -17,10 +17,10 @@ require ( github.com/golang/protobuf v1.5.3 // indirect github.com/kr/pretty v0.1.0 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - golang.org/x/crypto v0.18.0 // indirect + golang.org/x/crypto v0.19.0 // indirect golang.org/x/mod v0.8.0 // indirect golang.org/x/net v0.20.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.17.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/tools v0.6.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect diff --git a/v2/go.sum b/v2/go.sum index bdbe90e9d..f5f769859 100644 --- a/v2/go.sum +++ b/v2/go.sum 
@@ -1,16 +1,15 @@ github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA= -github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -18,27 +17,20 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs= github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo= +golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y= +golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= @@ -57,6 +49,5 @@ google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHh gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/v2/internal/test/ca.go b/v2/internal/test/ca.go index f4f80929d..53a291f1a 100644 --- a/v2/internal/test/ca.go +++ b/v2/internal/test/ca.go 
@@ -13,9 +13,9 @@ import ( "testing" "time" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/cryptosigner" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/cryptosigner" + "github.com/go-jose/go-jose/v4/jwt" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/bundle/spiffebundle" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" @@ -26,9 +26,7 @@ import ( "github.com/stretchr/testify/require" ) -var ( - localhostIPs = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback} -) +var localhostIPs = []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback} type CA struct { tb testing.TB @@ -101,7 +99,7 @@ func (ca *CA) CreateJWTSVID(id spiffeid.ID, audience []string, options ...SVIDOp ) require.NoError(ca.tb, err) - signedToken, err := jwt.Signed(jwtSigner).Claims(claims).CompactSerialize() + signedToken, err := jwt.Signed(jwtSigner).Claims(claims).Serialize() require.NoError(ca.tb, err) svid, err := jwtsvid.ParseInsecure(signedToken, audience) diff --git a/v2/svid/jwtsvid/svid.go b/v2/svid/jwtsvid/svid.go index ddbfac34f..d46f80035 100644 --- a/v2/svid/jwtsvid/svid.go +++ b/v2/svid/jwtsvid/svid.go @@ -1,17 +1,28 @@ package jwtsvid import ( - "fmt" "time" - "github.com/go-jose/go-jose/v3" - "github.com/go-jose/go-jose/v3/jwt" + "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/zeebo/errs" ) var ( + allowedSignatureAlgorithms = []jose.SignatureAlgorithm{ + jose.RS256, + jose.RS384, + jose.RS512, + jose.ES256, + jose.ES384, + jose.ES512, + jose.PS256, + jose.PS384, + jose.PS512, + } + jwtsvidErr = errs.Class("jwtsvid") ) 
@@ -90,16 +101,11 @@ func (svid *SVID) Marshal() string { func parse(token string, audience []string, getClaims tokenValidator) (*SVID, error) { // Parse serialized token - tok, err := jwt.ParseSigned(token) + tok, err := jwt.ParseSigned(token, allowedSignatureAlgorithms) if err != nil { return nil, jwtsvidErr.New("unable to parse JWT token") } - // Validates supported token signed algorithm - if err := validateTokenAlgorithm(tok); err != nil { - return nil, err - } - // Parse out the unverified claims. We need to look up the key by the trust // domain of the SPIFFE ID. var claims jwt.Claims @@ -127,8 +133,8 @@ func parse(token string, audience []string, getClaims tokenValidator) (*SVID, er // Validate the standard claims. if err := claims.Validate(jwt.Expected{ - Audience: audience, - Time: time.Now(), + AnyAudience: audience, + Time: time.Now(), }); err != nil { // Convert expected validation errors for pretty errors switch err { @@ -148,23 +154,3 @@ func parse(token string, audience []string, getClaims tokenValidator) (*SVID, er token: token, }, nil } - -// validateTokenAlgorithm json web token have only one header, and it is signed for a supported algorithm -func validateTokenAlgorithm(tok *jwt.JSONWebToken) error { - // Only one header is expected - if len(tok.Headers) != 1 { - return fmt.Errorf("expected a single token header; got %d", len(tok.Headers)) - } - - // Make sure it has an algorithm supported by JWT-SVID - alg := tok.Headers[0].Algorithm - switch jose.SignatureAlgorithm(alg) { - case jose.RS256, jose.RS384, jose.RS512, - jose.ES256, jose.ES384, jose.ES512, - jose.PS256, jose.PS384, jose.PS512: - default: - return jwtsvidErr.New("unsupported token signature algorithm %q", alg) - } - - return nil -} diff --git a/v2/svid/jwtsvid/svid_test.go b/v2/svid/jwtsvid/svid_test.go index be59f5b4b..78c23e69b 100644 --- a/v2/svid/jwtsvid/svid_test.go +++ b/v2/svid/jwtsvid/svid_test.go 
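Review bot: In `parse`, the error from `jwt.ParseSigned(token, allowedSignatureAlgorithms)` is discarded, so a token rejected for a disallowed `alg` now surfaces as the same `unable to parse JWT token` as a malformed one; the removed `validateTokenAlgorithm` reported `unsupported token signature algorithm %q`, and the svid_test.go hunks later in this commit downgrade their expectations accordingly. Consider `return nil, jwtsvidErr.New("unable to parse JWT token: %v", err)` (with the two test expectations updated) so an operator can tell an HS256 token from garbage. Separately, `allowedSignatureAlgorithms` mirrors the old switch exactly and therefore omits `jose.EdDSA`, even though the Ed25519 commit earlier in this series maps ed25519 keys to `jose.EdDSA` in the jwtsvid test helper; if the omission is deliberate, a comment on the slice such as `// Algorithms permitted for JWT-SVIDs; EdDSA is intentionally excluded.` would stop someone "fixing" it. The change from `Audience` to `AnyAudience` in `jwt.Expected` also deserves a one-line comment stating the intended match semantics for a multi-element `audience`, since that is not visible here. `parse` continues past the end of the hunk.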
@@ -11,9 +11,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/go-jose/go-jose/v3"
-	"github.com/go-jose/go-jose/v3/cryptosigner"
-	"github.com/go-jose/go-jose/v3/jwt"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/cryptosigner"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/spiffe/go-spiffe/v2/bundle/jwtbundle"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
@@ -24,8 +24,19 @@ const hs256Token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODk
 	"4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
 
 var (
-	key1, _ = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
-	key2, _ = rsa.GenerateKey(rand.Reader, 2048)
+	key1, _ = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	key2, _ = rsa.GenerateKey(rand.Reader, 2048)
+	testAllowedSignatureAlgorithms = []jose.SignatureAlgorithm{
+		jose.RS256,
+		jose.RS384,
+		jose.RS512,
+		jose.ES256,
+		jose.ES384,
+		jose.ES512,
+		jose.PS256,
+		jose.PS384,
+		jose.PS512,
+	}
 )
 
 func TestParseAndValidate(t *testing.T) {
@@ -86,7 +97,7 @@ func TestParseAndValidate(t *testing.T) {
 			generateToken: func(tb testing.TB) string {
 				return hs256Token
 			},
-			err: `jwtsvid: unsupported token signature algorithm "HS256"`,
+			err: "jwtsvid: unable to parse JWT token",
 		},
 		{
 			name: "missing subject",
@@ -313,7 +324,7 @@ func TestParseInsecure(t *testing.T) {
 			generateToken: func(tb testing.TB) string {
 				return hs256Token
 			},
-			err: `jwtsvid: unsupported token signature algorithm "HS256"`,
+			err: "jwtsvid: unable to parse JWT token",
 		},
 		{
 			name: "missing subject claim",
@@ -450,7 +461,7 @@ func TestMarshal(t *testing.T) {
 }
 
 func parseToken(t testing.TB, token string) map[string]interface{} {
-	tok, err := jwt.ParseSigned(token)
+	tok, err := jwt.ParseSigned(token, testAllowedSignatureAlgorithms)
 	require.NoError(t, err)
 	claimsMap := make(map[string]interface{})
 	err = tok.UnsafeClaimsWithoutVerification(&claimsMap)
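Review bot: `testAllowedSignatureAlgorithms` duplicates the package's unexported `allowedSignatureAlgorithms` by hand, so `parseToken` (its only visible consumer, in the last hunk on this line) will silently drift from the production allowlist if that list changes. Because the tests live in the external `jwtsvid_test` package, the usual remedy is an `export_test.go` in package `jwtsvid` with `var AllowedSignatureAlgorithms = allowedSignatureAlgorithms`, after which the helper can call `jwt.ParseSigned(token, jwtsvid.AllowedSignatureAlgorithms)`. If the copy is deliberate, a one-line comment on the test variable stating that it mirrors the production allowlist would at least make the coupling visible.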
@@ -478,7 +489,7 @@ func generateToken(tb testing.TB, claims jwt.Claims, signer crypto.Signer, keyID
 	require.NoError(tb, err)
 
 	// Sign and serialize token
-	token, err := jwt.Signed(jwtSigner).Claims(claims).CompactSerialize()
+	token, err := jwt.Signed(jwtSigner).Claims(claims).Serialize()
 	require.NoError(tb, err)
 
 	return token
From 31d98359ff12d176a82255f1b9b208d76f3fa63d Mon Sep 17 00:00:00 2001
From: Andrew Harding
Date: Mon, 1 Apr 2024 16:52:58 -0600
Subject: [PATCH 10/10] CHANGELOG for v2.2.0 (#278)

Signed-off-by: Andrew Harding
---
 CHANGELOG.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 572a9f386..bee43eee0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Changelog
 
+## [2.2.0] - 2024-04-01
+
+### Changed
+
+- Upgraded to go-jose v4 which has a stronger security posture than v3. Go-spiffe was not impacted by the security weaknesses of v3 due to stringing algorithm checking that is now handled by go-jose v4 (#276)
+
+### Fixed
+
+- Makefile invocation for Apple Silicon-based Macs (#275)
+
+### Added
+
+- Support Ed25519 keys for Workload SVIDs (#248)
+
 ## [2.1.7] - 2024-01-17
 
 ### Fixed
