diff --git a/cmd/example-app/main.go b/cmd/example-app/main.go
index d2ada840..32728841 100644
--- a/cmd/example-app/main.go
+++ b/cmd/example-app/main.go
@@ -17,7 +17,7 @@ import (
"strings"
"time"
- "github.com/ericchiang/oidc"
+ "github.com/coreos/go-oidc"
"github.com/spf13/cobra"
"golang.org/x/net/context"
"golang.org/x/oauth2"
@@ -173,7 +173,7 @@ func cmd() *cobra.Command {
}
a.provider = provider
- a.verifier = provider.NewVerifier(a.ctx, oidc.VerifyAudience(a.clientID))
+ a.verifier = provider.Verifier(oidc.VerifyAudience(a.clientID))
http.HandleFunc("/", a.handleIndex)
http.HandleFunc("/login", a.handleLogin)
@@ -269,7 +269,7 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
RefreshToken: refresh,
Expiry: time.Now().Add(-time.Hour),
}
- token, err = oauth2Config.TokenSource(a.ctx, t).Token()
+ token, err = oauth2Config.TokenSource(r.Context(), t).Token()
default:
http.Error(w, fmt.Sprintf("no code in request: %q", r.Form), http.StatusBadRequest)
return
@@ -286,7 +286,7 @@ func (a *app) handleCallback(w http.ResponseWriter, r *http.Request) {
return
}
- idToken, err := a.verifier.Verify(rawIDToken)
+ idToken, err := a.verifier.Verify(r.Context(), rawIDToken)
if err != nil {
http.Error(w, fmt.Sprintf("Failed to verify ID token: %v", err), http.StatusInternalServerError)
return
diff --git a/connector/oidc/oidc.go b/connector/oidc/oidc.go
index c9d88191..6a71d017 100644
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@@ -6,7 +6,7 @@ import (
"fmt"
"net/http"
- "github.com/ericchiang/oidc"
+ "github.com/coreos/go-oidc"
"golang.org/x/net/context"
"golang.org/x/oauth2"
@@ -51,7 +51,7 @@ func (c *Config) Open() (conn connector.Connector, err error) {
Scopes: scopes,
RedirectURL: c.RedirectURI,
},
- verifier: provider.NewVerifier(ctx,
+ verifier: provider.Verifier(
oidc.VerifyExpiry(),
oidc.VerifyAudience(clientID),
),
@@ -99,7 +99,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
if errType := q.Get("error"); errType != "" {
return identity, &oauth2Error{errType, q.Get("error_description")}
}
- token, err := c.oauth2Config.Exchange(c.ctx, q.Get("code"))
+ token, err := c.oauth2Config.Exchange(r.Context(), q.Get("code"))
if err != nil {
return identity, fmt.Errorf("oidc: failed to get token: %v", err)
}
@@ -108,7 +108,7 @@ func (c *oidcConnector) HandleCallback(s connector.Scopes, r *http.Request) (ide
if !ok {
return identity, errors.New("oidc: no id_token in token response")
}
- idToken, err := c.verifier.Verify(rawIDToken)
+ idToken, err := c.verifier.Verify(r.Context(), rawIDToken)
if err != nil {
return identity, fmt.Errorf("oidc: failed to verify ID Token: %v", err)
}
diff --git a/glide.lock b/glide.lock
index 41f250fa..0c79505e 100644
--- a/glide.lock
+++ b/glide.lock
@@ -1,12 +1,12 @@
-hash: bc7fa6bbfddcb39710064a9d6dab090d49bd88486571cae12c68c4b70093e716
-updated: 2016-11-03T14:31:37.323302694-07:00
+hash: c3530f2a60a64c2efc4c3ac499fcd15f79de2a532715ba2b9841c1d404942b2e
+updated: 2016-11-17T15:18:56.701287533-08:00
imports:
- name: github.com/cockroachdb/cockroach-go
version: 31611c0501c812f437d4861d87d117053967c955
subpackages:
- crdb
-- name: github.com/ericchiang/oidc
- version: 1907f0e61549f9081f26bdf269f11603496c9dee
+- name: github.com/coreos/go-oidc
+ version: 5a7f09ab5787e846efa7f56f4a08b6d6926d08c4
- name: github.com/ghodss/yaml
version: bea76d6a4713e18b7f5321a2b020738552def3ea
- name: github.com/go-sql-driver/mysql
@@ -52,6 +52,7 @@ imports:
version: 6a513affb38dc9788b449d59ffed099b8de18fa0
subpackages:
- context
+ - context/ctxhttp
- http2
- http2/hpack
- internal/timeseries
@@ -87,13 +88,8 @@ imports:
version: 4e86f4367175e39f69d9358a5f17b4dda270378d
- name: gopkg.in/ldap.v2
version: 0e7db8eb77695b5a952f0e5d78df9ab160050c73
-- name: gopkg.in/square/go-jose.v1
- version: e3f973b66b91445ec816dd7411ad1b6495a5a2fc
- subpackages:
- - cipher
- - json
- name: gopkg.in/square/go-jose.v2
- version: f209f41628247c56938cb20ef51d589ddad6c30b
+ version: 8c5257b2f658f86d174ae68c6a592eaf6a9608d9
subpackages:
- cipher
- json
diff --git a/glide.yaml b/glide.yaml
index 73be313a..bd16dab6 100644
--- a/glide.yaml
+++ b/glide.yaml
@@ -17,7 +17,7 @@ import:
version: 4e86f4367175e39f69d9358a5f17b4dda270378d
- package: gopkg.in/square/go-jose.v2
- version: f209f41628247c56938cb20ef51d589ddad6c30b
+ version: v2.0.0
subpackages:
- cipher
- json
@@ -26,6 +26,7 @@ import:
version: 6a513affb38dc9788b449d59ffed099b8de18fa0
subpackages:
- context
+ - context/ctxhttp
- http2
- http2/hpack
- internal/timeseries
@@ -49,16 +50,17 @@ import:
subpackages:
- bcrypt
-- package: github.com/ericchiang/oidc
- version: 1907f0e61549f9081f26bdf269f11603496c9dee
+- package: github.com/coreos/go-oidc
+ version: 5a7f09ab5787e846efa7f56f4a08b6d6926d08c4
- package: github.com/pquerna/cachecontrol
version: c97913dcbd76de40b051a9b4cd827f7eaeb7a868
-- package: gopkg.in/square/go-jose.v1
- version: v1.0.2
- package: golang.org/x/oauth2
version: 08c8d727d2392d18286f9f88ad775ad98f09ab33
-# Not actually imported but glide detects it. Consider adding subpackages to
-# the oauth2 package to eliminate.
+ subpackages: []
+# The oauth2 package only imports the appengine code when it's given a
+# specific build tags, but glide detects it anyway.
+#
+# https://github.com/golang/oauth2/blob/d5040cdd/client_appengine.go
- package: google.golang.org/appengine
version: 267c27e7492265b84fc6719503b14a1e17975d79
subpackages:
diff --git a/server/server_test.go b/server/server_test.go
index 6db67d5c..a5865dfa 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -3,6 +3,7 @@ package server
import (
"crypto/rsa"
"crypto/x509"
+ "encoding/json"
"encoding/pem"
"errors"
"fmt"
@@ -17,7 +18,7 @@ import (
"testing"
"time"
- "github.com/ericchiang/oidc"
+ oidc "github.com/coreos/go-oidc"
"github.com/kylelemons/godebug/pretty"
"golang.org/x/crypto/bcrypt"
"golang.org/x/net/context"
@@ -117,17 +118,21 @@ func TestDiscovery(t *testing.T) {
if err != nil {
t.Fatalf("failed to get provider: %v", err)
}
- required := []struct {
- name, val string
- }{
- {"issuer", p.Issuer},
- {"authorization_endpoint", p.AuthURL},
- {"token_endpoint", p.TokenURL},
- {"jwks_uri", p.JWKSURL},
+
+ var got map[string]*json.RawMessage
+ if err := p.Claims(&got); err != nil {
+ t.Fatalf("failed to decode claims: %v", err)
+ }
+
+ required := []string{
+ "issuer",
+ "authorization_endpoint",
+ "token_endpoint",
+ "jwks_uri",
}
for _, field := range required {
- if field.val == "" {
- t.Errorf("server discovery is missing required field %q", field.name)
+ if _, ok := got[field]; !ok {
+ t.Errorf("server discovery is missing required field %q", field)
}
}
}
@@ -169,7 +174,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
if !ok {
return fmt.Errorf("no id token found")
}
- if _, err := p.NewVerifier(ctx).Verify(idToken); err != nil {
+ if _, err := p.Verifier().Verify(ctx, idToken); err != nil {
return fmt.Errorf("failed to verify id token: %v", err)
}
return nil
@@ -192,7 +197,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
if !ok {
return fmt.Errorf("no id token found")
}
- idToken, err := p.NewVerifier(ctx).Verify(rawIDToken)
+ idToken, err := p.Verifier().Verify(ctx, rawIDToken)
if err != nil {
return fmt.Errorf("failed to verify id token: %v", err)
}
@@ -230,7 +235,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
v.Add("grant_type", "refresh_token")
v.Add("refresh_token", token.RefreshToken)
v.Add("scope", strings.Join(requestedScopes, " "))
- resp, err := http.PostForm(p.TokenURL, v)
+ resp, err := http.PostForm(p.Endpoint().TokenURL, v)
if err != nil {
return err
}
@@ -258,7 +263,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
// Since we support that client we choose to be more relaxed about
// scope parsing, disregarding extra whitespace.
v.Add("scope", " "+strings.Join(requestedScopes, " "))
- resp, err := http.PostForm(p.TokenURL, v)
+ resp, err := http.PostForm(p.Endpoint().TokenURL, v)
if err != nil {
return err
}
@@ -284,7 +289,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
v.Add("refresh_token", token.RefreshToken)
// Request a scope that wasn't requestd initially.
v.Add("scope", "oidc email profile")
- resp, err := http.PostForm(p.TokenURL, v)
+ resp, err := http.PostForm(p.Endpoint().TokenURL, v)
if err != nil {
return err
}
@@ -335,7 +340,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
if !ok {
return fmt.Errorf("no id_token in refreshed token")
}
- idToken, err := p.NewVerifier(ctx).Verify(rawIDToken)
+ idToken, err := p.Verifier().Verify(ctx, rawIDToken)
if err != nil {
return fmt.Errorf("failed to verify id token: %v", err)
}
@@ -547,7 +552,7 @@ func TestOAuth2ImplicitFlow(t *testing.T) {
src := &nonceSource{nonce: nonce}
- idTokenVerifier := p.NewVerifier(ctx, oidc.VerifyAudience(client.ID), oidc.VerifyNonce(src))
+ idTokenVerifier := p.Verifier(oidc.VerifyAudience(client.ID), oidc.VerifyNonce(src))
oauth2Config = &oauth2.Config{
ClientID: client.ID,
@@ -569,7 +574,7 @@ func TestOAuth2ImplicitFlow(t *testing.T) {
if idToken == "" {
return errors.New("no id_token in fragment")
}
- if _, err := idTokenVerifier.Verify(idToken); err != nil {
+ if _, err := idTokenVerifier.Verify(ctx, idToken); err != nil {
return fmt.Errorf("failed to verify id_token: %v", err)
}
return nil
@@ -664,7 +669,7 @@ func TestCrossClientScopes(t *testing.T) {
t.Errorf("no id token found: %v", err)
return
}
- idToken, err := p.NewVerifier(ctx).Verify(rawIDToken)
+ idToken, err := p.Verifier().Verify(ctx, rawIDToken)
if err != nil {
t.Errorf("failed to parse ID Token: %v", err)
return
diff --git a/vendor/github.com/coreos/go-oidc/.gitignore b/vendor/github.com/coreos/go-oidc/.gitignore
new file mode 100644
index 00000000..c96f2f47
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/.gitignore
@@ -0,0 +1,2 @@
+/bin
+/gopath
diff --git a/vendor/github.com/coreos/go-oidc/.travis.yml b/vendor/github.com/coreos/go-oidc/.travis.yml
new file mode 100644
index 00000000..fb89294c
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/.travis.yml
@@ -0,0 +1,16 @@
+language: go
+
+go:
+ - 1.7.3
+ - 1.6.3
+
+install:
+ - go get -v -t github.com/coreos/go-oidc
+ - go get golang.org/x/tools/cmd/cover
+ - go get github.com/golang/lint/golint
+
+script:
+ - ./test
+
+notifications:
+ email: false
diff --git a/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md b/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md
new file mode 100644
index 00000000..6662073a
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/CONTRIBUTING.md
@@ -0,0 +1,71 @@
+# How to Contribute
+
+CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
+GitHub pull requests. This document outlines some of the conventions on
+development workflow, commit message formatting, contact points and other
+resources to make it easier to get your contribution accepted.
+
+# Certificate of Origin
+
+By contributing to this project you agree to the Developer Certificate of
+Origin (DCO). This document was created by the Linux Kernel community and is a
+simple statement that you, as a contributor, have the legal right to make the
+contribution. See the [DCO](DCO) file for details.
+
+# Email and Chat
+
+The project currently uses the general CoreOS email list and IRC channel:
+- Email: [coreos-dev](https://groups.google.com/forum/#!forum/coreos-dev)
+- IRC: #[coreos](irc://irc.freenode.org:6667/#coreos) IRC channel on freenode.org
+
+Please avoid emailing maintainers found in the MAINTAINERS file directly. They
+are very busy and read the mailing lists.
+
+## Getting Started
+
+- Fork the repository on GitHub
+- Read the [README](README.md) for build and test instructions
+- Play with the project, submit bugs, submit patches!
+
+## Contribution Flow
+
+This is a rough outline of what a contributor's workflow looks like:
+
+- Create a topic branch from where you want to base your work (usually master).
+- Make commits of logical units.
+- Make sure your commit messages are in the proper format (see below).
+- Push your changes to a topic branch in your fork of the repository.
+- Make sure the tests pass, and add any new tests as appropriate.
+- Submit a pull request to the original repository.
+
+Thanks for your contributions!
+
+### Format of the Commit Message
+
+We follow a rough convention for commit messages that is designed to answer two
+questions: what changed and why. The subject line should feature the what and
+the body of the commit should describe the why.
+
+```
+scripts: add the test-cluster command
+
+this uses tmux to setup a test cluster that you can easily kill and
+start for debugging.
+
+Fixes #38
+```
+
+The format can be described more formally as follows:
+
+```
+<subsystem>: <what changed>
+<BLANK LINE>
+<why this change was made>
+<BLANK LINE>
+<footer>
+```
+
+The first line is the subject and should be no longer than 70 characters, the
+second line is always blank, and other lines should be wrapped at 80 characters.
+This allows the message to be easier to read on GitHub as well as in various
+git tools.
diff --git a/vendor/github.com/coreos/go-oidc/DCO b/vendor/github.com/coreos/go-oidc/DCO
new file mode 100644
index 00000000..716561d5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/DCO
@@ -0,0 +1,36 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+660 York Street, Suite 102,
+San Francisco, CA 94110 USA
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+(c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+(d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
diff --git a/vendor/github.com/ericchiang/oidc/LICENSE b/vendor/github.com/coreos/go-oidc/LICENSE
similarity index 100%
rename from vendor/github.com/ericchiang/oidc/LICENSE
rename to vendor/github.com/coreos/go-oidc/LICENSE
diff --git a/vendor/github.com/coreos/go-oidc/MAINTAINERS b/vendor/github.com/coreos/go-oidc/MAINTAINERS
new file mode 100644
index 00000000..68079f1e
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/MAINTAINERS
@@ -0,0 +1,3 @@
+Bobby Rullo <bobby.rullo@coreos.com> (@bobbyrullo)
+Ed Rooth <ed.rooth@coreos.com> (@sym3tri)
+Eric Chiang <eric.chiang@coreos.com> (@ericchiang)
diff --git a/vendor/github.com/coreos/go-oidc/NOTICE b/vendor/github.com/coreos/go-oidc/NOTICE
new file mode 100644
index 00000000..b39ddfa5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/NOTICE
@@ -0,0 +1,5 @@
+CoreOS Project
+Copyright 2014 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).
diff --git a/vendor/github.com/coreos/go-oidc/README.md b/vendor/github.com/coreos/go-oidc/README.md
new file mode 100644
index 00000000..2a5c13e5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/README.md
@@ -0,0 +1,72 @@
+# go-oidc
+
+[](https://godoc.org/github.com/coreos/go-oidc)
+[](https://travis-ci.org/coreos/go-oidc)
+
+## OpenID Connect support for Go
+
+This package enables OpenID Connect support for the [golang.org/x/oauth2](https://godoc.org/golang.org/x/oauth2) package.
+
+```go
+provider, err := oidc.NewProvider(ctx, "https://accounts.google.com")
+if err != nil {
+ // handle error
+}
+
+// Configure an OpenID Connect aware OAuth2 client.
+oauth2Config := oauth2.Config{
+ ClientID: clientID,
+ ClientSecret: clientSecret,
+ RedirectURL: redirectURL,
+
+ // Discovery returns the OAuth2 endpoints.
+ Endpoint: provider.Endpoint(),
+
+ // "openid" is a required scope for OpenID Connect flows.
+ Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+}
+```
+
+OAuth2 redirects are unchanged.
+
+```go
+func handleRedirect(w http.ResponseWriter, r *http.Request) {
+ http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
+}
+```
+
+The on responses, the provider can be used to verify ID Tokens.
+
+```go
+var verifier = provider.Verifier()
+
+func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
+ // Verify state and errors.
+
+ oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
+ if err != nil {
+ // handle error
+ }
+
+ // Extract the ID Token from OAuth2 token.
+ rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+ if !ok {
+ // handle missing token
+ }
+
+ // Parse and verify ID Token payload.
+ idToken, err := verifier.Verify(ctx, rawIDToken)
+ if err != nil {
+ // handle error
+ }
+
+ // Extract custom claims
+ var claims struct {
+ Email string `json:"email"`
+ Verified bool `json:"email_verified"`
+ }
+ if err := idToken.Claims(&claims); err != nil {
+ // handle error
+ }
+}
+```
diff --git a/vendor/github.com/coreos/go-oidc/example/README.md b/vendor/github.com/coreos/go-oidc/example/README.md
new file mode 100644
index 00000000..765a4ea0
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/example/README.md
@@ -0,0 +1,21 @@
+# Examples
+
+These are example uses of the oidc package. Each requires a Google account and the client ID and secret of a registered OAuth2 application. To create one:
+
+1. Visit your [Google Developer Console][google-developer-console].
+2. Click "Credentials" on the left column.
+3. Click the "Create credentials" button followed by "OAuth client ID".
+4. Select "Web application" and add "http://127.0.0.1:5556/auth/google/callback" as an authorized redirect URI.
+5. Click create and add the printed client ID and secret to your environment using the following variables:
+
+```
+GOOGLE_OAUTH2_CLIENT_ID
+GOOGLE_OAUTH2_CLIENT_SECRET
+```
+
+Finally run the examples using the Go tool and navigate to http://127.0.0.1:5556.
+
+```
+go run ./examples/idtoken/app.go
+```
+[google-developer-console]: https://console.developers.google.com/apis/dashboard
diff --git a/vendor/github.com/ericchiang/oidc/examples/idtoken/app.go b/vendor/github.com/coreos/go-oidc/example/idtoken/app.go
similarity index 94%
rename from vendor/github.com/ericchiang/oidc/examples/idtoken/app.go
rename to vendor/github.com/coreos/go-oidc/example/idtoken/app.go
index b2a42a76..fe5859e9 100644
--- a/vendor/github.com/ericchiang/oidc/examples/idtoken/app.go
+++ b/vendor/github.com/coreos/go-oidc/example/idtoken/app.go
@@ -9,7 +9,7 @@ import (
"net/http"
"os"
- "github.com/ericchiang/oidc"
+ oidc "github.com/coreos/go-oidc"
"golang.org/x/net/context"
"golang.org/x/oauth2"
@@ -27,7 +27,7 @@ func main() {
if err != nil {
log.Fatal(err)
}
- verifier := provider.NewVerifier(ctx)
+ verifier := provider.Verifier()
config := oauth2.Config{
ClientID: clientID,
@@ -59,7 +59,7 @@ func main() {
http.Error(w, "No id_token field in oauth2 token.", http.StatusInternalServerError)
return
}
- idToken, err := verifier.Verify(rawIDToken)
+ idToken, err := verifier.Verify(ctx, rawIDToken)
if err != nil {
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
return
diff --git a/vendor/github.com/ericchiang/oidc/examples/nonce/app.go b/vendor/github.com/coreos/go-oidc/example/nonce/app.go
similarity index 93%
rename from vendor/github.com/ericchiang/oidc/examples/nonce/app.go
rename to vendor/github.com/coreos/go-oidc/example/nonce/app.go
index 2167f962..8a78db9f 100644
--- a/vendor/github.com/ericchiang/oidc/examples/nonce/app.go
+++ b/vendor/github.com/coreos/go-oidc/example/nonce/app.go
@@ -10,7 +10,7 @@ import (
"net/http"
"os"
- "github.com/ericchiang/oidc"
+ oidc "github.com/coreos/go-oidc"
"golang.org/x/net/context"
"golang.org/x/oauth2"
@@ -42,7 +42,7 @@ func main() {
}
// Use the nonce source to create a custom ID Token verifier.
- nonceEnabledVerifier := provider.NewVerifier(ctx, oidc.VerifyNonce(nonceSource{}))
+ nonceEnabledVerifier := provider.Verifier(oidc.VerifyNonce(nonceSource{}))
config := oauth2.Config{
ClientID: clientID,
@@ -76,7 +76,7 @@ func main() {
return
}
// Verify the ID Token signature and nonce.
- idToken, err := nonceEnabledVerifier.Verify(rawIDToken)
+ idToken, err := nonceEnabledVerifier.Verify(ctx, rawIDToken)
if err != nil {
http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
return
diff --git a/vendor/github.com/ericchiang/oidc/examples/userinfo/app.go b/vendor/github.com/coreos/go-oidc/example/userinfo/app.go
similarity index 98%
rename from vendor/github.com/ericchiang/oidc/examples/userinfo/app.go
rename to vendor/github.com/coreos/go-oidc/example/userinfo/app.go
index a4d55c52..0039088e 100644
--- a/vendor/github.com/ericchiang/oidc/examples/userinfo/app.go
+++ b/vendor/github.com/coreos/go-oidc/example/userinfo/app.go
@@ -9,7 +9,7 @@ import (
"net/http"
"os"
- "github.com/ericchiang/oidc"
+ oidc "github.com/coreos/go-oidc"
"golang.org/x/net/context"
"golang.org/x/oauth2"
diff --git a/vendor/github.com/coreos/go-oidc/gen.go b/vendor/github.com/coreos/go-oidc/gen.go
new file mode 100644
index 00000000..0c798f67
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/gen.go
@@ -0,0 +1,150 @@
+// +build ignore
+
+// This file is used to generate keys for tests.
+
+package main
+
+import (
+ "bytes"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/rsa"
+ "encoding/hex"
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "log"
+ "text/template"
+
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+type key struct {
+ name string
+ new func() (crypto.Signer, error)
+}
+
+var keys = []key{
+ {
+ "ECDSA_256", func() (crypto.Signer, error) {
+ return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ },
+ },
+ {
+ "ECDSA_384", func() (crypto.Signer, error) {
+ return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+ },
+ },
+ {
+ "ECDSA_521", func() (crypto.Signer, error) {
+ return ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+ },
+ },
+ {
+ "RSA_1024", func() (crypto.Signer, error) {
+ return rsa.GenerateKey(rand.Reader, 1024)
+ },
+ },
+ {
+ "RSA_2048", func() (crypto.Signer, error) {
+ return rsa.GenerateKey(rand.Reader, 2048)
+ },
+ },
+ {
+ "RSA_4096", func() (crypto.Signer, error) {
+ return rsa.GenerateKey(rand.Reader, 4096)
+ },
+ },
+}
+
+func newJWK(k key, prefix, ident string) (privBytes, pubBytes []byte, err error) {
+ priv, err := k.new()
+ if err != nil {
+ return nil, nil, fmt.Errorf("generate %s: %v", k.name, err)
+ }
+ pub := priv.Public()
+
+ privKey := &jose.JSONWebKey{Key: priv}
+ thumbprint, err := privKey.Thumbprint(crypto.SHA256)
+ if err != nil {
+ return nil, nil, fmt.Errorf("computing thumbprint: %v", err)
+ }
+
+ keyID := hex.EncodeToString(thumbprint)
+ privKey.KeyID = keyID
+ pubKey := &jose.JSONWebKey{Key: pub, KeyID: keyID}
+
+ privBytes, err = json.MarshalIndent(privKey, prefix, ident)
+ if err != nil {
+ return
+ }
+ pubBytes, err = json.MarshalIndent(pubKey, prefix, ident)
+ return
+}
+
+type keyData struct {
+ Name string
+ Priv string
+ Pub string
+}
+
+var tmpl = template.Must(template.New("").Parse(`// +build !golint
+
+// This file contains statically created JWKs for tests created by gen.go
+
+package oidc
+
+import (
+ "encoding/json"
+
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+func mustLoadJWK(s string) jose.JSONWebKey {
+ var jwk jose.JSONWebKey
+ if err := json.Unmarshal([]byte(s), &jwk); err != nil {
+ panic(err)
+ }
+ return jwk
+}
+
+var (
+{{- range $i, $key := .Keys }}
+ testKey{{ $key.Name }} = mustLoadJWK(` + "`" + `{{ $key.Pub }}` + "`" + `)
+ testKey{{ $key.Name }}_Priv = mustLoadJWK(` + "`" + `{{ $key.Priv }}` + "`" + `)
+{{ end -}}
+)
+`))
+
+func main() {
+ var tmplData struct {
+ Keys []keyData
+ }
+ for _, k := range keys {
+ for i := 0; i < 4; i++ {
+ log.Printf("generating %s", k.name)
+ priv, pub, err := newJWK(k, "\t", "\t")
+ if err != nil {
+ log.Fatal(err)
+ }
+ name := fmt.Sprintf("%s_%d", k.name, i)
+
+ tmplData.Keys = append(tmplData.Keys, keyData{
+ Name: name,
+ Priv: string(priv),
+ Pub: string(pub),
+ })
+ }
+ }
+
+ buff := new(bytes.Buffer)
+ if err := tmpl.Execute(buff, tmplData); err != nil {
+ log.Fatalf("excuting template: %v", err)
+ }
+
+ if err := ioutil.WriteFile("jose_test.go", buff.Bytes(), 0644); err != nil {
+ log.Fatal(err)
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/http/client.go b/vendor/github.com/coreos/go-oidc/http/client.go
new file mode 100644
index 00000000..fd079b49
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/http/client.go
@@ -0,0 +1,7 @@
+package http
+
+import "net/http"
+
+type Client interface {
+ Do(*http.Request) (*http.Response, error)
+}
diff --git a/vendor/github.com/coreos/go-oidc/http/doc.go b/vendor/github.com/coreos/go-oidc/http/doc.go
new file mode 100644
index 00000000..5687e8b8
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/http/doc.go
@@ -0,0 +1,2 @@
+// Package http is DEPRECATED. Use net/http instead.
+package http
diff --git a/vendor/github.com/coreos/go-oidc/http/http.go b/vendor/github.com/coreos/go-oidc/http/http.go
new file mode 100644
index 00000000..c3f51215
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/http/http.go
@@ -0,0 +1,156 @@
+package http
+
+import (
+ "encoding/base64"
+ "encoding/json"
+ "errors"
+ "log"
+ "net/http"
+ "net/url"
+ "path"
+ "strconv"
+ "strings"
+ "time"
+)
+
+func WriteError(w http.ResponseWriter, code int, msg string) {
+ e := struct {
+ Error string `json:"error"`
+ }{
+ Error: msg,
+ }
+ b, err := json.Marshal(e)
+ if err != nil {
+ log.Printf("go-oidc: failed to marshal %#v: %v", e, err)
+ code = http.StatusInternalServerError
+ b = []byte(`{"error":"server_error"}`)
+ }
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(code)
+ w.Write(b)
+}
+
+// BasicAuth parses a username and password from the request's
+// Authorization header. This was pulled from golang master:
+// https://codereview.appspot.com/76540043
+func BasicAuth(r *http.Request) (username, password string, ok bool) {
+ auth := r.Header.Get("Authorization")
+ if auth == "" {
+ return
+ }
+
+ if !strings.HasPrefix(auth, "Basic ") {
+ return
+ }
+ c, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(auth, "Basic "))
+ if err != nil {
+ return
+ }
+ cs := string(c)
+ s := strings.IndexByte(cs, ':')
+ if s < 0 {
+ return
+ }
+ return cs[:s], cs[s+1:], true
+}
+
+func cacheControlMaxAge(hdr string) (time.Duration, bool, error) {
+ for _, field := range strings.Split(hdr, ",") {
+ parts := strings.SplitN(strings.TrimSpace(field), "=", 2)
+ k := strings.ToLower(strings.TrimSpace(parts[0]))
+ if k != "max-age" {
+ continue
+ }
+
+ if len(parts) == 1 {
+ return 0, false, errors.New("max-age has no value")
+ }
+
+ v := strings.TrimSpace(parts[1])
+ if v == "" {
+ return 0, false, errors.New("max-age has empty value")
+ }
+
+ age, err := strconv.Atoi(v)
+ if err != nil {
+ return 0, false, err
+ }
+
+ if age <= 0 {
+ return 0, false, nil
+ }
+
+ return time.Duration(age) * time.Second, true, nil
+ }
+
+ return 0, false, nil
+}
+
+func expires(date, expires string) (time.Duration, bool, error) {
+ if date == "" || expires == "" {
+ return 0, false, nil
+ }
+
+ te, err := time.Parse(time.RFC1123, expires)
+ if err != nil {
+ return 0, false, err
+ }
+
+ td, err := time.Parse(time.RFC1123, date)
+ if err != nil {
+ return 0, false, err
+ }
+
+ ttl := te.Sub(td)
+
+ // headers indicate data already expired, caller should not
+ // have to care about this case
+ if ttl <= 0 {
+ return 0, false, nil
+ }
+
+ return ttl, true, nil
+}
+
+func Cacheable(hdr http.Header) (time.Duration, bool, error) {
+ ttl, ok, err := cacheControlMaxAge(hdr.Get("Cache-Control"))
+ if err != nil || ok {
+ return ttl, ok, err
+ }
+
+ return expires(hdr.Get("Date"), hdr.Get("Expires"))
+}
+
+// MergeQuery appends additional query values to an existing URL.
+func MergeQuery(u url.URL, q url.Values) url.URL {
+ uv := u.Query()
+ for k, vs := range q {
+ for _, v := range vs {
+ uv.Add(k, v)
+ }
+ }
+ u.RawQuery = uv.Encode()
+ return u
+}
+
+// NewResourceLocation appends a resource id to the end of the requested URL path.
+func NewResourceLocation(reqURL *url.URL, id string) string {
+ var u url.URL
+ u = *reqURL
+ u.Path = path.Join(u.Path, id)
+ u.RawQuery = ""
+ u.Fragment = ""
+ return u.String()
+}
+
+// CopyRequest returns a clone of the provided *http.Request.
+// The returned object is a shallow copy of the struct and a
+// deep copy of its Header field.
+func CopyRequest(r *http.Request) *http.Request {
+ r2 := *r
+ r2.Header = make(http.Header)
+ for k, s := range r.Header {
+ r2.Header[k] = s
+ }
+ return &r2
+}
diff --git a/vendor/github.com/coreos/go-oidc/http/http_test.go b/vendor/github.com/coreos/go-oidc/http/http_test.go
new file mode 100644
index 00000000..8ec76a24
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/http/http_test.go
@@ -0,0 +1,380 @@
+package http
+
+import (
+ "net/http"
+ "net/url"
+ "reflect"
+ "strings"
+ "testing"
+ "time"
+)
+
+func TestCacheControlMaxAgeSuccess(t *testing.T) {
+ tests := []struct {
+ hdr string
+ wantAge time.Duration
+ wantOK bool
+ }{
+ {"max-age=12", 12 * time.Second, true},
+ {"max-age=-12", 0, false},
+ {"max-age=0", 0, false},
+ {"public, max-age=12", 12 * time.Second, true},
+ {"public, max-age=40192, must-revalidate", 40192 * time.Second, true},
+ {"public, not-max-age=12, must-revalidate", time.Duration(0), false},
+ }
+
+ for i, tt := range tests {
+ maxAge, ok, err := cacheControlMaxAge(tt.hdr)
+ if err != nil {
+ t.Errorf("case %d: err=%v", i, err)
+ }
+ if tt.wantAge != maxAge {
+ t.Errorf("case %d: want=%d got=%d", i, tt.wantAge, maxAge)
+ }
+ if tt.wantOK != ok {
+ t.Errorf("case %d: incorrect ok value: want=%t got=%t", i, tt.wantOK, ok)
+ }
+ }
+}
+
+func TestCacheControlMaxAgeFail(t *testing.T) {
+ tests := []string{
+ "max-age=aasdf",
+ "max-age=",
+ "max-age",
+ }
+
+ for i, tt := range tests {
+ _, ok, err := cacheControlMaxAge(tt)
+ if ok {
+ t.Errorf("case %d: want ok=false, got true", i)
+ }
+ if err == nil {
+ t.Errorf("case %d: want non-nil err", i)
+ }
+ }
+}
+
+func TestMergeQuery(t *testing.T) {
+ tests := []struct {
+ u string
+ q url.Values
+ w string
+ }{
+ // No values
+ {
+ u: "http://example.com",
+ q: nil,
+ w: "http://example.com",
+ },
+ // No additional values
+ {
+ u: "http://example.com?foo=bar",
+ q: nil,
+ w: "http://example.com?foo=bar",
+ },
+ // Simple addition
+ {
+ u: "http://example.com",
+ q: url.Values{
+ "foo": []string{"bar"},
+ },
+ w: "http://example.com?foo=bar",
+ },
+ // Addition with existing values
+ {
+ u: "http://example.com?dog=boo",
+ q: url.Values{
+ "foo": []string{"bar"},
+ },
+ w: "http://example.com?dog=boo&foo=bar",
+ },
+ // Merge
+ {
+ u: "http://example.com?dog=boo",
+ q: url.Values{
+ "dog": []string{"elroy"},
+ },
+ w: "http://example.com?dog=boo&dog=elroy",
+ },
+ // Add and merge
+ {
+ u: "http://example.com?dog=boo",
+ q: url.Values{
+ "dog": []string{"elroy"},
+ "foo": []string{"bar"},
+ },
+ w: "http://example.com?dog=boo&dog=elroy&foo=bar",
+ },
+ // Multivalue merge
+ {
+ u: "http://example.com?dog=boo",
+ q: url.Values{
+ "dog": []string{"elroy", "penny"},
+ },
+ w: "http://example.com?dog=boo&dog=elroy&dog=penny",
+ },
+ }
+
+ for i, tt := range tests {
+ ur, err := url.Parse(tt.u)
+ if err != nil {
+ t.Errorf("case %d: failed parsing test url: %v, error: %v", i, tt.u, err)
+ }
+
+ got := MergeQuery(*ur, tt.q)
+ want, err := url.Parse(tt.w)
+ if err != nil {
+ t.Errorf("case %d: failed parsing want url: %v, error: %v", i, tt.w, err)
+ }
+
+ if !reflect.DeepEqual(*want, got) {
+ t.Errorf("case %d: want: %v, got: %v", i, *want, got)
+ }
+ }
+}
+
+func TestExpiresPass(t *testing.T) {
+ tests := []struct {
+ date string
+ exp string
+ wantTTL time.Duration
+ wantOK bool
+ }{
+ // Expires and Date properly set
+ {
+ date: "Thu, 01 Dec 1983 22:00:00 GMT",
+ exp: "Fri, 02 Dec 1983 01:00:00 GMT",
+ wantTTL: 10800 * time.Second,
+ wantOK: true,
+ },
+ // empty headers
+ {
+ date: "",
+ exp: "",
+ wantOK: false,
+ },
+ // lack of Expirs short-ciruits Date parsing
+ {
+ date: "foo",
+ exp: "",
+ wantOK: false,
+ },
+ // lack of Date short-ciruits Expires parsing
+ {
+ date: "",
+ exp: "foo",
+ wantOK: false,
+ },
+ // no Date
+ {
+ exp: "Thu, 01 Dec 1983 22:00:00 GMT",
+ wantTTL: 0,
+ wantOK: false,
+ },
+ // no Expires
+ {
+ date: "Thu, 01 Dec 1983 22:00:00 GMT",
+ wantTTL: 0,
+ wantOK: false,
+ },
+ // Expires < Date
+ {
+ date: "Fri, 02 Dec 1983 01:00:00 GMT",
+ exp: "Thu, 01 Dec 1983 22:00:00 GMT",
+ wantTTL: 0,
+ wantOK: false,
+ },
+ }
+
+ for i, tt := range tests {
+ ttl, ok, err := expires(tt.date, tt.exp)
+ if err != nil {
+ t.Errorf("case %d: err=%v", i, err)
+ }
+ if tt.wantTTL != ttl {
+ t.Errorf("case %d: want=%d got=%d", i, tt.wantTTL, ttl)
+ }
+ if tt.wantOK != ok {
+ t.Errorf("case %d: incorrect ok value: want=%t got=%t", i, tt.wantOK, ok)
+ }
+ }
+}
+
+func TestExpiresFail(t *testing.T) {
+ tests := []struct {
+ date string
+ exp string
+ }{
+ // malformed Date header
+ {
+ date: "foo",
+ exp: "Fri, 02 Dec 1983 01:00:00 GMT",
+ },
+ // malformed exp header
+ {
+ date: "Fri, 02 Dec 1983 01:00:00 GMT",
+ exp: "bar",
+ },
+ }
+
+ for i, tt := range tests {
+ _, _, err := expires(tt.date, tt.exp)
+ if err == nil {
+ t.Errorf("case %d: expected non-nil error", i)
+ }
+ }
+}
+
+func TestCacheablePass(t *testing.T) {
+ tests := []struct {
+ headers http.Header
+ wantTTL time.Duration
+ wantOK bool
+ }{
+ // valid Cache-Control
+ {
+ headers: http.Header{
+ "Cache-Control": []string{"max-age=100"},
+ },
+ wantTTL: 100 * time.Second,
+ wantOK: true,
+ },
+ // valid Date/Expires
+ {
+ headers: http.Header{
+ "Date": []string{"Thu, 01 Dec 1983 22:00:00 GMT"},
+ "Expires": []string{"Fri, 02 Dec 1983 01:00:00 GMT"},
+ },
+ wantTTL: 10800 * time.Second,
+ wantOK: true,
+ },
+ // Cache-Control supersedes Date/Expires
+ {
+ headers: http.Header{
+ "Cache-Control": []string{"max-age=100"},
+ "Date": []string{"Thu, 01 Dec 1983 22:00:00 GMT"},
+ "Expires": []string{"Fri, 02 Dec 1983 01:00:00 GMT"},
+ },
+ wantTTL: 100 * time.Second,
+ wantOK: true,
+ },
+ // no caching headers
+ {
+ headers: http.Header{},
+ wantOK: false,
+ },
+ }
+
+ for i, tt := range tests {
+ ttl, ok, err := Cacheable(tt.headers)
+ if err != nil {
+ t.Errorf("case %d: err=%v", i, err)
+ continue
+ }
+ if tt.wantTTL != ttl {
+ t.Errorf("case %d: want=%d got=%d", i, tt.wantTTL, ttl)
+ }
+ if tt.wantOK != ok {
+ t.Errorf("case %d: incorrect ok value: want=%t got=%t", i, tt.wantOK, ok)
+ }
+ }
+}
+
+func TestCacheableFail(t *testing.T) {
+ tests := []http.Header{
+ // invalid Cache-Control short-circuits
+ http.Header{
+ "Cache-Control": []string{"max-age"},
+ "Date": []string{"Thu, 01 Dec 1983 22:00:00 GMT"},
+ "Expires": []string{"Fri, 02 Dec 1983 01:00:00 GMT"},
+ },
+ // no Cache-Control, invalid Expires
+ http.Header{
+ "Date": []string{"Thu, 01 Dec 1983 22:00:00 GMT"},
+ "Expires": []string{"boo"},
+ },
+ }
+
+ for i, tt := range tests {
+ _, _, err := Cacheable(tt)
+ if err == nil {
+ t.Errorf("case %d: want non-nil err", i)
+ }
+ }
+}
+
+func TestNewResourceLocation(t *testing.T) {
+ tests := []struct {
+ ru *url.URL
+ id string
+ want string
+ }{
+ {
+ ru: &url.URL{
+ Scheme: "http",
+ Host: "example.com",
+ },
+ id: "foo",
+ want: "http://example.com/foo",
+ },
+ // https
+ {
+ ru: &url.URL{
+ Scheme: "https",
+ Host: "example.com",
+ },
+ id: "foo",
+ want: "https://example.com/foo",
+ },
+ // with path
+ {
+ ru: &url.URL{
+ Scheme: "http",
+ Host: "example.com",
+ Path: "one/two/three",
+ },
+ id: "foo",
+ want: "http://example.com/one/two/three/foo",
+ },
+ // with fragment
+ {
+ ru: &url.URL{
+ Scheme: "http",
+ Host: "example.com",
+ Fragment: "frag",
+ },
+ id: "foo",
+ want: "http://example.com/foo",
+ },
+ // with query
+ {
+ ru: &url.URL{
+ Scheme: "http",
+ Host: "example.com",
+ RawQuery: "dog=elroy",
+ },
+ id: "foo",
+ want: "http://example.com/foo",
+ },
+ }
+
+ for i, tt := range tests {
+ got := NewResourceLocation(tt.ru, tt.id)
+ if tt.want != got {
+ t.Errorf("case %d: want=%s, got=%s", i, tt.want, got)
+ }
+ }
+}
+
+func TestCopyRequest(t *testing.T) {
+ r1, err := http.NewRequest("GET", "http://example.com", strings.NewReader("foo"))
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ r2 := CopyRequest(r1)
+ if !reflect.DeepEqual(r1, r2) {
+ t.Fatalf("Result of CopyRequest incorrect: %#v != %#v", r1, r2)
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/http/url.go b/vendor/github.com/coreos/go-oidc/http/url.go
new file mode 100644
index 00000000..df60eb1a
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/http/url.go
@@ -0,0 +1,29 @@
+package http
+
+import (
+ "errors"
+ "net/url"
+)
+
+// ParseNonEmptyURL checks that a string is a parsable URL which is also not empty
+// since `url.Parse("")` does not return an error. Must contian a scheme and a host.
+func ParseNonEmptyURL(u string) (*url.URL, error) {
+ if u == "" {
+ return nil, errors.New("url is empty")
+ }
+
+ ur, err := url.Parse(u)
+ if err != nil {
+ return nil, err
+ }
+
+ if ur.Scheme == "" {
+ return nil, errors.New("url scheme is empty")
+ }
+
+ if ur.Host == "" {
+ return nil, errors.New("url host is empty")
+ }
+
+ return ur, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/http/url_test.go b/vendor/github.com/coreos/go-oidc/http/url_test.go
new file mode 100644
index 00000000..2ab25052
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/http/url_test.go
@@ -0,0 +1,49 @@
+package http
+
+import (
+ "net/url"
+ "testing"
+)
+
+func TestParseNonEmptyURL(t *testing.T) {
+ tests := []struct {
+ u string
+ ok bool
+ }{
+ {"", false},
+ {"http://", false},
+ {"example.com", false},
+ {"example", false},
+ {"http://example", true},
+ {"http://example:1234", true},
+ {"http://example.com", true},
+ {"http://example.com:1234", true},
+ }
+
+ for i, tt := range tests {
+ u, err := ParseNonEmptyURL(tt.u)
+ if err != nil {
+ t.Logf("err: %v", err)
+ if tt.ok {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ } else {
+ continue
+ }
+ }
+
+ if !tt.ok {
+ t.Errorf("case %d: expected error but got none", i)
+ continue
+ }
+
+ uu, err := url.Parse(tt.u)
+ if err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ continue
+ }
+
+ if uu.String() != u.String() {
+ t.Errorf("case %d: incorrect url value, want: %q, got: %q", i, uu.String(), u.String())
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose.go b/vendor/github.com/coreos/go-oidc/jose.go
new file mode 100644
index 00000000..f2e6bf43
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose.go
@@ -0,0 +1,20 @@
+// +build !golint
+
+// Don't lint this file. We don't want to have to add a comment to each constant.
+
+package oidc
+
+const (
+ // JOSE asymmetric signing algorithm values as defined by RFC 7518
+ //
+ // see: https://tools.ietf.org/html/rfc7518#section-3.1
+ RS256 = "RS256" // RSASSA-PKCS-v1.5 using SHA-256
+ RS384 = "RS384" // RSASSA-PKCS-v1.5 using SHA-384
+ RS512 = "RS512" // RSASSA-PKCS-v1.5 using SHA-512
+ ES256 = "ES256" // ECDSA using P-256 and SHA-256
+ ES384 = "ES384" // ECDSA using P-384 and SHA-384
+ ES512 = "ES512" // ECDSA using P-521 and SHA-512
+ PS256 = "PS256" // RSASSA-PSS using SHA256 and MGF1-SHA256
+ PS384 = "PS384" // RSASSA-PSS using SHA384 and MGF1-SHA384
+ PS512 = "PS512" // RSASSA-PSS using SHA512 and MGF1-SHA512
+)
diff --git a/vendor/github.com/coreos/go-oidc/jose/claims.go b/vendor/github.com/coreos/go-oidc/jose/claims.go
new file mode 100644
index 00000000..8b48bfd2
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/claims.go
@@ -0,0 +1,126 @@
+package jose
+
+import (
+ "encoding/json"
+ "fmt"
+ "math"
+ "time"
+)
+
+type Claims map[string]interface{}
+
+func (c Claims) Add(name string, value interface{}) {
+ c[name] = value
+}
+
+func (c Claims) StringClaim(name string) (string, bool, error) {
+ cl, ok := c[name]
+ if !ok {
+ return "", false, nil
+ }
+
+ v, ok := cl.(string)
+ if !ok {
+ return "", false, fmt.Errorf("unable to parse claim as string: %v", name)
+ }
+
+ return v, true, nil
+}
+
+func (c Claims) StringsClaim(name string) ([]string, bool, error) {
+ cl, ok := c[name]
+ if !ok {
+ return nil, false, nil
+ }
+
+ if v, ok := cl.([]string); ok {
+ return v, true, nil
+ }
+
+ // When unmarshaled, []string will become []interface{}.
+ if v, ok := cl.([]interface{}); ok {
+ var ret []string
+ for _, vv := range v {
+ str, ok := vv.(string)
+ if !ok {
+ return nil, false, fmt.Errorf("unable to parse claim as string array: %v", name)
+ }
+ ret = append(ret, str)
+ }
+ return ret, true, nil
+ }
+
+ return nil, false, fmt.Errorf("unable to parse claim as string array: %v", name)
+}
+
+func (c Claims) Int64Claim(name string) (int64, bool, error) {
+ cl, ok := c[name]
+ if !ok {
+ return 0, false, nil
+ }
+
+ v, ok := cl.(int64)
+ if !ok {
+ vf, ok := cl.(float64)
+ if !ok {
+ return 0, false, fmt.Errorf("unable to parse claim as int64: %v", name)
+ }
+ v = int64(vf)
+ }
+
+ return v, true, nil
+}
+
+func (c Claims) Float64Claim(name string) (float64, bool, error) {
+ cl, ok := c[name]
+ if !ok {
+ return 0, false, nil
+ }
+
+ v, ok := cl.(float64)
+ if !ok {
+ vi, ok := cl.(int64)
+ if !ok {
+ return 0, false, fmt.Errorf("unable to parse claim as float64: %v", name)
+ }
+ v = float64(vi)
+ }
+
+ return v, true, nil
+}
+
+func (c Claims) TimeClaim(name string) (time.Time, bool, error) {
+ v, ok, err := c.Float64Claim(name)
+ if !ok || err != nil {
+ return time.Time{}, ok, err
+ }
+
+ s := math.Trunc(v)
+ ns := (v - s) * math.Pow(10, 9)
+ return time.Unix(int64(s), int64(ns)).UTC(), true, nil
+}
+
+func decodeClaims(payload []byte) (Claims, error) {
+ var c Claims
+ if err := json.Unmarshal(payload, &c); err != nil {
+ return nil, fmt.Errorf("malformed JWT claims, unable to decode: %v", err)
+ }
+ return c, nil
+}
+
+func marshalClaims(c Claims) ([]byte, error) {
+ b, err := json.Marshal(c)
+ if err != nil {
+ return nil, err
+ }
+ return b, nil
+}
+
+func encodeClaims(c Claims) (string, error) {
+ b, err := marshalClaims(c)
+ if err != nil {
+ return "", err
+ }
+
+ return encodeSegment(b), nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/claims_test.go b/vendor/github.com/coreos/go-oidc/jose/claims_test.go
new file mode 100644
index 00000000..e0958a9c
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/claims_test.go
@@ -0,0 +1,328 @@
+package jose
+
+import (
+ "reflect"
+ "testing"
+ "time"
+)
+
+func TestString(t *testing.T) {
+ tests := []struct {
+ cl Claims
+ key string
+ ok bool
+ err bool
+ val string
+ }{
+ // ok, no err, claim exists
+ {
+ cl: Claims{
+ "foo": "bar",
+ },
+ key: "foo",
+ val: "bar",
+ ok: true,
+ err: false,
+ },
+ // no claims
+ {
+ cl: Claims{},
+ key: "foo",
+ val: "",
+ ok: false,
+ err: false,
+ },
+ // missing claim
+ {
+ cl: Claims{
+ "foo": "bar",
+ },
+ key: "xxx",
+ val: "",
+ ok: false,
+ err: false,
+ },
+ // unparsable: type
+ {
+ cl: Claims{
+ "foo": struct{}{},
+ },
+ key: "foo",
+ val: "",
+ ok: false,
+ err: true,
+ },
+ // unparsable: nil value
+ {
+ cl: Claims{
+ "foo": nil,
+ },
+ key: "foo",
+ val: "",
+ ok: false,
+ err: true,
+ },
+ }
+
+ for i, tt := range tests {
+ val, ok, err := tt.cl.StringClaim(tt.key)
+
+ if tt.err && err == nil {
+ t.Errorf("case %d: want err=non-nil, got err=nil", i)
+ } else if !tt.err && err != nil {
+ t.Errorf("case %d: want err=nil, got err=%v", i, err)
+ }
+
+ if tt.ok != ok {
+ t.Errorf("case %d: want ok=%v, got ok=%v", i, tt.ok, ok)
+ }
+
+ if tt.val != val {
+ t.Errorf("case %d: want val=%v, got val=%v", i, tt.val, val)
+ }
+ }
+}
+
+func TestInt64(t *testing.T) {
+ tests := []struct {
+ cl Claims
+ key string
+ ok bool
+ err bool
+ val int64
+ }{
+ // ok, no err, claim exists
+ {
+ cl: Claims{
+ "foo": int64(100),
+ },
+ key: "foo",
+ val: int64(100),
+ ok: true,
+ err: false,
+ },
+ // no claims
+ {
+ cl: Claims{},
+ key: "foo",
+ val: 0,
+ ok: false,
+ err: false,
+ },
+ // missing claim
+ {
+ cl: Claims{
+ "foo": "bar",
+ },
+ key: "xxx",
+ val: 0,
+ ok: false,
+ err: false,
+ },
+ // unparsable: type
+ {
+ cl: Claims{
+ "foo": struct{}{},
+ },
+ key: "foo",
+ val: 0,
+ ok: false,
+ err: true,
+ },
+ // unparsable: nil value
+ {
+ cl: Claims{
+ "foo": nil,
+ },
+ key: "foo",
+ val: 0,
+ ok: false,
+ err: true,
+ },
+ }
+
+ for i, tt := range tests {
+ val, ok, err := tt.cl.Int64Claim(tt.key)
+
+ if tt.err && err == nil {
+ t.Errorf("case %d: want err=non-nil, got err=nil", i)
+ } else if !tt.err && err != nil {
+ t.Errorf("case %d: want err=nil, got err=%v", i, err)
+ }
+
+ if tt.ok != ok {
+ t.Errorf("case %d: want ok=%v, got ok=%v", i, tt.ok, ok)
+ }
+
+ if tt.val != val {
+ t.Errorf("case %d: want val=%v, got val=%v", i, tt.val, val)
+ }
+ }
+}
+
+func TestTime(t *testing.T) {
+ now := time.Now().UTC()
+ unixNow := now.Unix()
+
+ tests := []struct {
+ cl Claims
+ key string
+ ok bool
+ err bool
+ val time.Time
+ }{
+ // ok, no err, claim exists
+ {
+ cl: Claims{
+ "foo": unixNow,
+ },
+ key: "foo",
+ val: time.Unix(now.Unix(), 0).UTC(),
+ ok: true,
+ err: false,
+ },
+ // no claims
+ {
+ cl: Claims{},
+ key: "foo",
+ val: time.Time{},
+ ok: false,
+ err: false,
+ },
+ // missing claim
+ {
+ cl: Claims{
+ "foo": "bar",
+ },
+ key: "xxx",
+ val: time.Time{},
+ ok: false,
+ err: false,
+ },
+ // unparsable: type
+ {
+ cl: Claims{
+ "foo": struct{}{},
+ },
+ key: "foo",
+ val: time.Time{},
+ ok: false,
+ err: true,
+ },
+ // unparsable: nil value
+ {
+ cl: Claims{
+ "foo": nil,
+ },
+ key: "foo",
+ val: time.Time{},
+ ok: false,
+ err: true,
+ },
+ }
+
+ for i, tt := range tests {
+ val, ok, err := tt.cl.TimeClaim(tt.key)
+
+ if tt.err && err == nil {
+ t.Errorf("case %d: want err=non-nil, got err=nil", i)
+ } else if !tt.err && err != nil {
+ t.Errorf("case %d: want err=nil, got err=%v", i, err)
+ }
+
+ if tt.ok != ok {
+ t.Errorf("case %d: want ok=%v, got ok=%v", i, tt.ok, ok)
+ }
+
+ if tt.val != val {
+ t.Errorf("case %d: want val=%v, got val=%v", i, tt.val, val)
+ }
+ }
+}
+
+func TestStringArray(t *testing.T) {
+ tests := []struct {
+ cl Claims
+ key string
+ ok bool
+ err bool
+ val []string
+ }{
+ // ok, no err, claim exists
+ {
+ cl: Claims{
+ "foo": []string{"bar", "faf"},
+ },
+ key: "foo",
+ val: []string{"bar", "faf"},
+ ok: true,
+ err: false,
+ },
+ // ok, no err, []interface{}
+ {
+ cl: Claims{
+ "foo": []interface{}{"bar", "faf"},
+ },
+ key: "foo",
+ val: []string{"bar", "faf"},
+ ok: true,
+ err: false,
+ },
+ // no claims
+ {
+ cl: Claims{},
+ key: "foo",
+ val: nil,
+ ok: false,
+ err: false,
+ },
+ // missing claim
+ {
+ cl: Claims{
+ "foo": "bar",
+ },
+ key: "xxx",
+ val: nil,
+ ok: false,
+ err: false,
+ },
+ // unparsable: type
+ {
+ cl: Claims{
+ "foo": struct{}{},
+ },
+ key: "foo",
+ val: nil,
+ ok: false,
+ err: true,
+ },
+ // unparsable: nil value
+ {
+ cl: Claims{
+ "foo": nil,
+ },
+ key: "foo",
+ val: nil,
+ ok: false,
+ err: true,
+ },
+ }
+
+ for i, tt := range tests {
+ val, ok, err := tt.cl.StringsClaim(tt.key)
+
+ if tt.err && err == nil {
+ t.Errorf("case %d: want err=non-nil, got err=nil", i)
+ } else if !tt.err && err != nil {
+ t.Errorf("case %d: want err=nil, got err=%v", i, err)
+ }
+
+ if tt.ok != ok {
+ t.Errorf("case %d: want ok=%v, got ok=%v", i, tt.ok, ok)
+ }
+
+ if !reflect.DeepEqual(tt.val, val) {
+ t.Errorf("case %d: want val=%v, got val=%v", i, tt.val, val)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/doc.go b/vendor/github.com/coreos/go-oidc/jose/doc.go
new file mode 100644
index 00000000..b5e13217
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/doc.go
@@ -0,0 +1,2 @@
+// Package jose is DEPRECATED. Use gopkg.in/square/go-jose.v2 instead.
+package jose
diff --git a/vendor/github.com/coreos/go-oidc/jose/jose.go b/vendor/github.com/coreos/go-oidc/jose/jose.go
new file mode 100644
index 00000000..62099265
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jose.go
@@ -0,0 +1,112 @@
+package jose
+
+import (
+ "encoding/base64"
+ "encoding/json"
+ "fmt"
+ "strings"
+)
+
+const (
+ HeaderMediaType = "typ"
+ HeaderKeyAlgorithm = "alg"
+ HeaderKeyID = "kid"
+)
+
+const (
+ // Encryption Algorithm Header Parameter Values for JWS
+ // See: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#page-6
+ AlgHS256 = "HS256"
+ AlgHS384 = "HS384"
+ AlgHS512 = "HS512"
+ AlgRS256 = "RS256"
+ AlgRS384 = "RS384"
+ AlgRS512 = "RS512"
+ AlgES256 = "ES256"
+ AlgES384 = "ES384"
+ AlgES512 = "ES512"
+ AlgPS256 = "PS256"
+ AlgPS384 = "PS384"
+ AlgPS512 = "PS512"
+ AlgNone = "none"
+)
+
+const (
+ // Algorithm Header Parameter Values for JWE
+ // See: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-4.1
+ AlgRSA15 = "RSA1_5"
+ AlgRSAOAEP = "RSA-OAEP"
+ AlgRSAOAEP256 = "RSA-OAEP-256"
+ AlgA128KW = "A128KW"
+ AlgA192KW = "A192KW"
+ AlgA256KW = "A256KW"
+ AlgDir = "dir"
+ AlgECDHES = "ECDH-ES"
+ AlgECDHESA128KW = "ECDH-ES+A128KW"
+ AlgECDHESA192KW = "ECDH-ES+A192KW"
+ AlgECDHESA256KW = "ECDH-ES+A256KW"
+ AlgA128GCMKW = "A128GCMKW"
+ AlgA192GCMKW = "A192GCMKW"
+ AlgA256GCMKW = "A256GCMKW"
+ AlgPBES2HS256A128KW = "PBES2-HS256+A128KW"
+ AlgPBES2HS384A192KW = "PBES2-HS384+A192KW"
+ AlgPBES2HS512A256KW = "PBES2-HS512+A256KW"
+)
+
+const (
+ // Encryption Algorithm Header Parameter Values for JWE
+ // See: https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#page-22
+ EncA128CBCHS256 = "A128CBC-HS256"
+ EncA128CBCHS384 = "A128CBC-HS384"
+ EncA256CBCHS512 = "A256CBC-HS512"
+ EncA128GCM = "A128GCM"
+ EncA192GCM = "A192GCM"
+ EncA256GCM = "A256GCM"
+)
+
+type JOSEHeader map[string]string
+
+func (j JOSEHeader) Validate() error {
+ if _, exists := j[HeaderKeyAlgorithm]; !exists {
+ return fmt.Errorf("header missing %q parameter", HeaderKeyAlgorithm)
+ }
+
+ return nil
+}
+
+func decodeHeader(seg string) (JOSEHeader, error) {
+ b, err := decodeSegment(seg)
+ if err != nil {
+ return nil, err
+ }
+
+ var h JOSEHeader
+ err = json.Unmarshal(b, &h)
+ if err != nil {
+ return nil, err
+ }
+
+ return h, nil
+}
+
+func encodeHeader(h JOSEHeader) (string, error) {
+ b, err := json.Marshal(h)
+ if err != nil {
+ return "", err
+ }
+
+ return encodeSegment(b), nil
+}
+
+// Decode JWT specific base64url encoding with padding stripped
+func decodeSegment(seg string) ([]byte, error) {
+ if l := len(seg) % 4; l != 0 {
+ seg += strings.Repeat("=", 4-l)
+ }
+ return base64.URLEncoding.DecodeString(seg)
+}
+
+// Encode JWT specific base64url encoding with padding stripped
+func encodeSegment(seg []byte) string {
+ return strings.TrimRight(base64.URLEncoding.EncodeToString(seg), "=")
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/jwk.go b/vendor/github.com/coreos/go-oidc/jose/jwk.go
new file mode 100644
index 00000000..b7a8e235
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jwk.go
@@ -0,0 +1,135 @@
+package jose
+
+import (
+ "bytes"
+ "encoding/base64"
+ "encoding/binary"
+ "encoding/json"
+ "math/big"
+ "strings"
+)
+
+// JSON Web Key
+// https://tools.ietf.org/html/draft-ietf-jose-json-web-key-36#page-5
+type JWK struct {
+ ID string
+ Type string
+ Alg string
+ Use string
+ Exponent int
+ Modulus *big.Int
+ Secret []byte
+}
+
+type jwkJSON struct {
+ ID string `json:"kid"`
+ Type string `json:"kty"`
+ Alg string `json:"alg"`
+ Use string `json:"use"`
+ Exponent string `json:"e"`
+ Modulus string `json:"n"`
+}
+
+func (j *JWK) MarshalJSON() ([]byte, error) {
+ t := jwkJSON{
+ ID: j.ID,
+ Type: j.Type,
+ Alg: j.Alg,
+ Use: j.Use,
+ Exponent: encodeExponent(j.Exponent),
+ Modulus: encodeModulus(j.Modulus),
+ }
+
+ return json.Marshal(&t)
+}
+
+func (j *JWK) UnmarshalJSON(data []byte) error {
+ var t jwkJSON
+ err := json.Unmarshal(data, &t)
+ if err != nil {
+ return err
+ }
+
+ e, err := decodeExponent(t.Exponent)
+ if err != nil {
+ return err
+ }
+
+ n, err := decodeModulus(t.Modulus)
+ if err != nil {
+ return err
+ }
+
+ j.ID = t.ID
+ j.Type = t.Type
+ j.Alg = t.Alg
+ j.Use = t.Use
+ j.Exponent = e
+ j.Modulus = n
+
+ return nil
+}
+
+type JWKSet struct {
+ Keys []JWK `json:"keys"`
+}
+
+func decodeExponent(e string) (int, error) {
+ decE, err := decodeBase64URLPaddingOptional(e)
+ if err != nil {
+ return 0, err
+ }
+ var eBytes []byte
+ if len(decE) < 8 {
+ eBytes = make([]byte, 8-len(decE), 8)
+ eBytes = append(eBytes, decE...)
+ } else {
+ eBytes = decE
+ }
+ eReader := bytes.NewReader(eBytes)
+ var E uint64
+ err = binary.Read(eReader, binary.BigEndian, &E)
+ if err != nil {
+ return 0, err
+ }
+ return int(E), nil
+}
+
+func encodeExponent(e int) string {
+ b := make([]byte, 8)
+ binary.BigEndian.PutUint64(b, uint64(e))
+ var idx int
+ for ; idx < 8; idx++ {
+ if b[idx] != 0x0 {
+ break
+ }
+ }
+ return base64.URLEncoding.EncodeToString(b[idx:])
+}
+
+// Turns a URL encoded modulus of a key into a big int.
+func decodeModulus(n string) (*big.Int, error) {
+ decN, err := decodeBase64URLPaddingOptional(n)
+ if err != nil {
+ return nil, err
+ }
+ N := big.NewInt(0)
+ N.SetBytes(decN)
+ return N, nil
+}
+
+func encodeModulus(n *big.Int) string {
+ return base64.URLEncoding.EncodeToString(n.Bytes())
+}
+
+// decodeBase64URLPaddingOptional decodes Base64 whether there is padding or not.
+// The stdlib version currently doesn't handle this.
+// We can get rid of this is if this bug:
+// https://github.com/golang/go/issues/4237
+// ever closes.
+func decodeBase64URLPaddingOptional(e string) ([]byte, error) {
+ if m := len(e) % 4; m != 0 {
+ e += strings.Repeat("=", 4-m)
+ }
+ return base64.URLEncoding.DecodeString(e)
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/jwk_test.go b/vendor/github.com/coreos/go-oidc/jose/jwk_test.go
new file mode 100644
index 00000000..63351c45
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jwk_test.go
@@ -0,0 +1,64 @@
+package jose
+
+import (
+ "testing"
+)
+
+func TestDecodeBase64URLPaddingOptional(t *testing.T) {
+ tests := []struct {
+ encoded string
+ decoded string
+ err bool
+ }{
+ {
+ // With padding
+ encoded: "VGVjdG9uaWM=",
+ decoded: "Tectonic",
+ },
+ {
+ // Without padding
+ encoded: "VGVjdG9uaWM",
+ decoded: "Tectonic",
+ },
+ {
+ // Even More padding
+ encoded: "VGVjdG9uaQ==",
+ decoded: "Tectoni",
+ },
+ {
+ // And take it away!
+ encoded: "VGVjdG9uaQ",
+ decoded: "Tectoni",
+ },
+ {
+ // Too much padding.
+ encoded: "VGVjdG9uaWNh=",
+ decoded: "",
+ err: true,
+ },
+ {
+ // Too much padding.
+ encoded: "VGVjdG9uaWNh=",
+ decoded: "",
+ err: true,
+ },
+ }
+
+ for i, tt := range tests {
+ got, err := decodeBase64URLPaddingOptional(tt.encoded)
+ if tt.err {
+ if err == nil {
+ t.Errorf("case %d: expected non-nil err", i)
+ }
+ continue
+ }
+
+ if err != nil {
+ t.Errorf("case %d: want nil err, got: %v", i, err)
+ }
+
+ if string(got) != tt.decoded {
+ t.Errorf("case %d: want=%q, got=%q", i, tt.decoded, got)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/jws.go b/vendor/github.com/coreos/go-oidc/jose/jws.go
new file mode 100644
index 00000000..1049ece8
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jws.go
@@ -0,0 +1,51 @@
+package jose
+
+import (
+ "fmt"
+ "strings"
+)
+
+type JWS struct {
+ RawHeader string
+ Header JOSEHeader
+ RawPayload string
+ Payload []byte
+ Signature []byte
+}
+
+// Given a raw encoded JWS token parses it and verifies the structure.
+func ParseJWS(raw string) (JWS, error) {
+ parts := strings.Split(raw, ".")
+ if len(parts) != 3 {
+ return JWS{}, fmt.Errorf("malformed JWS, only %d segments", len(parts))
+ }
+
+ rawSig := parts[2]
+ jws := JWS{
+ RawHeader: parts[0],
+ RawPayload: parts[1],
+ }
+
+ header, err := decodeHeader(jws.RawHeader)
+ if err != nil {
+ return JWS{}, fmt.Errorf("malformed JWS, unable to decode header, %s", err)
+ }
+ if err = header.Validate(); err != nil {
+ return JWS{}, fmt.Errorf("malformed JWS, %s", err)
+ }
+ jws.Header = header
+
+ payload, err := decodeSegment(jws.RawPayload)
+ if err != nil {
+ return JWS{}, fmt.Errorf("malformed JWS, unable to decode payload: %s", err)
+ }
+ jws.Payload = payload
+
+ sig, err := decodeSegment(rawSig)
+ if err != nil {
+ return JWS{}, fmt.Errorf("malformed JWS, unable to decode signature: %s", err)
+ }
+ jws.Signature = sig
+
+ return jws, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/jws_test.go b/vendor/github.com/coreos/go-oidc/jose/jws_test.go
new file mode 100644
index 00000000..78c81261
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jws_test.go
@@ -0,0 +1,74 @@
+package jose
+
+import (
+ "strings"
+ "testing"
+)
+
+type testCase struct{ t string }
+
+var validInput []testCase
+
+var invalidInput []testCase
+
+func init() {
+ validInput = []testCase{
+ {
+ "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+ },
+ }
+
+ invalidInput = []testCase{
+ // empty
+ {
+ "",
+ },
+ // undecodeable
+ {
+ "aaa.bbb.ccc",
+ },
+ // missing parts
+ {
+ "aaa",
+ },
+ // missing parts
+ {
+ "aaa.bbb",
+ },
+ // too many parts
+ {
+ "aaa.bbb.ccc.ddd",
+ },
+ // invalid header
+ // EncodeHeader(map[string]string{"foo": "bar"})
+ {
+ "eyJmb28iOiJiYXIifQ.bbb.ccc",
+ },
+ }
+}
+
+func TestParseJWS(t *testing.T) {
+ for i, tt := range validInput {
+ jws, err := ParseJWS(tt.t)
+ if err != nil {
+ t.Errorf("test: %d. expected: valid, actual: invalid", i)
+ }
+
+ expectedHeader := strings.Split(tt.t, ".")[0]
+ if jws.RawHeader != expectedHeader {
+ t.Errorf("test: %d. expected: %s, actual: %s", i, expectedHeader, jws.RawHeader)
+ }
+
+ expectedPayload := strings.Split(tt.t, ".")[1]
+ if jws.RawPayload != expectedPayload {
+ t.Errorf("test: %d. expected: %s, actual: %s", i, expectedPayload, jws.RawPayload)
+ }
+ }
+
+ for i, tt := range invalidInput {
+ _, err := ParseJWS(tt.t)
+ if err == nil {
+ t.Errorf("test: %d. expected: invalid, actual: valid", i)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/jwt.go b/vendor/github.com/coreos/go-oidc/jose/jwt.go
new file mode 100644
index 00000000..3b3e9634
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jwt.go
@@ -0,0 +1,82 @@
+package jose
+
+import "strings"
+
+type JWT JWS
+
+func ParseJWT(token string) (jwt JWT, err error) {
+ jws, err := ParseJWS(token)
+ if err != nil {
+ return
+ }
+
+ return JWT(jws), nil
+}
+
+func NewJWT(header JOSEHeader, claims Claims) (jwt JWT, err error) {
+ jwt = JWT{}
+
+ jwt.Header = header
+ jwt.Header[HeaderMediaType] = "JWT"
+
+ claimBytes, err := marshalClaims(claims)
+ if err != nil {
+ return
+ }
+ jwt.Payload = claimBytes
+
+ eh, err := encodeHeader(header)
+ if err != nil {
+ return
+ }
+ jwt.RawHeader = eh
+
+ ec, err := encodeClaims(claims)
+ if err != nil {
+ return
+ }
+ jwt.RawPayload = ec
+
+ return
+}
+
+func (j *JWT) KeyID() (string, bool) {
+ kID, ok := j.Header[HeaderKeyID]
+ return kID, ok
+}
+
+func (j *JWT) Claims() (Claims, error) {
+ return decodeClaims(j.Payload)
+}
+
+// Encoded data part of the token which may be signed.
+func (j *JWT) Data() string {
+ return strings.Join([]string{j.RawHeader, j.RawPayload}, ".")
+}
+
+// Full encoded JWT token string in format: header.claims.signature
+func (j *JWT) Encode() string {
+ d := j.Data()
+ s := encodeSegment(j.Signature)
+ return strings.Join([]string{d, s}, ".")
+}
+
+func NewSignedJWT(claims Claims, s Signer) (*JWT, error) {
+ header := JOSEHeader{
+ HeaderKeyAlgorithm: s.Alg(),
+ HeaderKeyID: s.ID(),
+ }
+
+ jwt, err := NewJWT(header, claims)
+ if err != nil {
+ return nil, err
+ }
+
+ sig, err := s.Sign([]byte(jwt.Data()))
+ if err != nil {
+ return nil, err
+ }
+ jwt.Signature = sig
+
+ return &jwt, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/jwt_test.go b/vendor/github.com/coreos/go-oidc/jose/jwt_test.go
new file mode 100644
index 00000000..74691769
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/jwt_test.go
@@ -0,0 +1,94 @@
+package jose
+
+import (
+ "reflect"
+ "testing"
+)
+
+func TestParseJWT(t *testing.T) {
+ tests := []struct {
+ r string
+ h JOSEHeader
+ c Claims
+ }{
+ {
+ // Example from JWT spec:
+ // http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#ExampleJWT
+ "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+ JOSEHeader{
+ HeaderMediaType: "JWT",
+ HeaderKeyAlgorithm: "HS256",
+ },
+ Claims{
+ "iss": "joe",
+ // NOTE: test numbers must be floats for equality checks to work since values are converted form interface{} to float64 by default.
+ "exp": 1300819380.0,
+ "http://example.com/is_root": true,
+ },
+ },
+ }
+
+ for i, tt := range tests {
+ jwt, err := ParseJWT(tt.r)
+ if err != nil {
+ t.Errorf("raw token should parse. test: %d. expected: valid, actual: invalid. err=%v", i, err)
+ }
+
+ if !reflect.DeepEqual(tt.h, jwt.Header) {
+ t.Errorf("JOSE headers should match. test: %d. expected: %v, actual: %v", i, tt.h, jwt.Header)
+ }
+
+ claims, err := jwt.Claims()
+ if err != nil {
+ t.Errorf("test: %d. expected: valid claim parsing. err=%v", i, err)
+ }
+ if !reflect.DeepEqual(tt.c, claims) {
+ t.Errorf("claims should match. test: %d. expected: %v, actual: %v", i, tt.c, claims)
+ }
+
+ enc := jwt.Encode()
+ if enc != tt.r {
+ t.Errorf("encoded jwt should match raw jwt. test: %d. expected: %v, actual: %v", i, tt.r, enc)
+ }
+ }
+}
+
+func TestNewJWTHeaderType(t *testing.T) {
+ jwt, err := NewJWT(JOSEHeader{}, Claims{})
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ want := "JWT"
+ got := jwt.Header[HeaderMediaType]
+ if want != got {
+ t.Fatalf("Header %q incorrect: want=%s got=%s", HeaderMediaType, want, got)
+ }
+
+}
+
+func TestNewJWTHeaderKeyID(t *testing.T) {
+ jwt, err := NewJWT(JOSEHeader{HeaderKeyID: "foo"}, Claims{})
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ want := "foo"
+ got, ok := jwt.KeyID()
+ if !ok {
+ t.Fatalf("KeyID not set")
+ } else if want != got {
+ t.Fatalf("KeyID incorrect: want=%s got=%s", want, got)
+ }
+}
+
+func TestNewJWTHeaderKeyIDNotSet(t *testing.T) {
+ jwt, err := NewJWT(JOSEHeader{}, Claims{})
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ if _, ok := jwt.KeyID(); ok {
+ t.Fatalf("KeyID set, but should not be")
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/sig.go b/vendor/github.com/coreos/go-oidc/jose/sig.go
new file mode 100755
index 00000000..7b2b253c
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/sig.go
@@ -0,0 +1,24 @@
+package jose
+
+import (
+ "fmt"
+)
+
+type Verifier interface {
+ ID() string
+ Alg() string
+ Verify(sig []byte, data []byte) error
+}
+
+type Signer interface {
+ Verifier
+ Sign(data []byte) (sig []byte, err error)
+}
+
+func NewVerifier(jwk JWK) (Verifier, error) {
+ if jwk.Type != "RSA" {
+ return nil, fmt.Errorf("unsupported key type %q", jwk.Type)
+ }
+
+ return NewVerifierRSA(jwk)
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose/sig_rsa.go b/vendor/github.com/coreos/go-oidc/jose/sig_rsa.go
new file mode 100755
index 00000000..004e45dd
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose/sig_rsa.go
@@ -0,0 +1,67 @@
+package jose
+
+import (
+ "crypto"
+ "crypto/rand"
+ "crypto/rsa"
+ "fmt"
+)
+
+type VerifierRSA struct {
+ KeyID string
+ Hash crypto.Hash
+ PublicKey rsa.PublicKey
+}
+
+type SignerRSA struct {
+ PrivateKey rsa.PrivateKey
+ VerifierRSA
+}
+
+func NewVerifierRSA(jwk JWK) (*VerifierRSA, error) {
+ if jwk.Alg != "" && jwk.Alg != "RS256" {
+ return nil, fmt.Errorf("unsupported key algorithm %q", jwk.Alg)
+ }
+
+ v := VerifierRSA{
+ KeyID: jwk.ID,
+ PublicKey: rsa.PublicKey{
+ N: jwk.Modulus,
+ E: jwk.Exponent,
+ },
+ Hash: crypto.SHA256,
+ }
+
+ return &v, nil
+}
+
+func NewSignerRSA(kid string, key rsa.PrivateKey) *SignerRSA {
+ return &SignerRSA{
+ PrivateKey: key,
+ VerifierRSA: VerifierRSA{
+ KeyID: kid,
+ PublicKey: key.PublicKey,
+ Hash: crypto.SHA256,
+ },
+ }
+}
+
+func (v *VerifierRSA) ID() string {
+ return v.KeyID
+}
+
+func (v *VerifierRSA) Alg() string {
+ return "RS256"
+}
+
+func (v *VerifierRSA) Verify(sig []byte, data []byte) error {
+ h := v.Hash.New()
+ h.Write(data)
+ return rsa.VerifyPKCS1v15(&v.PublicKey, v.Hash, h.Sum(nil), sig)
+}
+
+func (s *SignerRSA) Sign(data []byte) ([]byte, error) {
+ h := s.Hash.New()
+ h.Write(data)
+ return rsa.SignPKCS1v15(rand.Reader, &s.PrivateKey, s.Hash, h.Sum(nil))
+}
diff --git a/vendor/github.com/coreos/go-oidc/jose_test.go b/vendor/github.com/coreos/go-oidc/jose_test.go
new file mode 100644
index 00000000..ae5ca0e5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jose_test.go
@@ -0,0 +1,405 @@
+// +build !golint
+
+// This file contains statically created JWKs for tests created by gen.go
+
+package oidc
+
+import (
+ "encoding/json"
+
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+func mustLoadJWK(s string) jose.JSONWebKey {
+ var jwk jose.JSONWebKey
+ if err := json.Unmarshal([]byte(s), &jwk); err != nil {
+ panic(err)
+ }
+ return jwk
+}
+
+var (
+ testKeyECDSA_256_0 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "bd06f3e11f523e310f8c2c8b20a892727fb558e0e23602312568b20a41e11188",
+ "crv": "P-256",
+ "x": "xK5N69f0-SAgWbjw2otcQeCGs3qqYMyqOWk4Os5Z_Xc",
+ "y": "AXSaOPcMklJY9UKZhkGzVevqhAIUEzE3cfZ8o-ML5xE"
+ }`)
+ testKeyECDSA_256_0_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "bd06f3e11f523e310f8c2c8b20a892727fb558e0e23602312568b20a41e11188",
+ "crv": "P-256",
+ "x": "xK5N69f0-SAgWbjw2otcQeCGs3qqYMyqOWk4Os5Z_Xc",
+ "y": "AXSaOPcMklJY9UKZhkGzVevqhAIUEzE3cfZ8o-ML5xE",
+ "d": "L7jynYt-fMRPqw1e9vgXCGTg4yhGU4tlLxiFyNVimG4"
+ }`)
+
+ testKeyECDSA_256_1 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "27ebd2f5bf6723e4de06caaab03703be458a37bf28a9fa748576a0826acb6ec2",
+ "crv": "P-256",
+ "x": "KZisP6wLCph4q6056jr7BH_asiX9RcLcS3HrNjdCpkw",
+ "y": "5DrW-kEge0sePHlKmh1d2kqd10r32JEW6eyyewy18j8"
+ }`)
+ testKeyECDSA_256_1_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "27ebd2f5bf6723e4de06caaab03703be458a37bf28a9fa748576a0826acb6ec2",
+ "crv": "P-256",
+ "x": "KZisP6wLCph4q6056jr7BH_asiX9RcLcS3HrNjdCpkw",
+ "y": "5DrW-kEge0sePHlKmh1d2kqd10r32JEW6eyyewy18j8",
+ "d": "r6CiIpv0icIq5U4LYO39nBDVhCHCLObDFYC5IG9Y8Hk"
+ }`)
+
+ testKeyECDSA_256_2 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "2c7d179db6006c90ece4d91f554791ff35156693c693102c00f66f473d15df17",
+ "crv": "P-256",
+ "x": "oDwcKp7SqgeRvycK5GgYjrlW4fbHn2Ybfd5iG7kDiPc",
+ "y": "qazib9UwdUdbHSFzdy_HN10xZEItLvufPw0v7nIJOWA"
+ }`)
+ testKeyECDSA_256_2_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "2c7d179db6006c90ece4d91f554791ff35156693c693102c00f66f473d15df17",
+ "crv": "P-256",
+ "x": "oDwcKp7SqgeRvycK5GgYjrlW4fbHn2Ybfd5iG7kDiPc",
+ "y": "qazib9UwdUdbHSFzdy_HN10xZEItLvufPw0v7nIJOWA",
+ "d": "p79U6biKrOyrKzg-i3C7FVJiqzlqBhYQqmyOiZ9bhVM"
+ }`)
+
+ testKeyECDSA_256_3 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "aba0a256999af470c8b2449103ae75b257d907da4d1cbfc73c1d45ab1098f544",
+ "crv": "P-256",
+ "x": "CKRYWVt1R7FzuJ43vEprfIzgB-KgIhRDhxLmd5ixiXY",
+ "y": "QCxTVmK31ee710OYkNqdqEgHH3rqRQNQj3Wyq0xtYq0"
+ }`)
+ testKeyECDSA_256_3_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "aba0a256999af470c8b2449103ae75b257d907da4d1cbfc73c1d45ab1098f544",
+ "crv": "P-256",
+ "x": "CKRYWVt1R7FzuJ43vEprfIzgB-KgIhRDhxLmd5ixiXY",
+ "y": "QCxTVmK31ee710OYkNqdqEgHH3rqRQNQj3Wyq0xtYq0",
+ "d": "c_WflwwUxT_B5izk4iET49qoob0RH5hccnEScfBS9Qk"
+ }`)
+
+ testKeyECDSA_384_0 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "bc271d0a68251171e0c5edfd384b32d154e1717af27c5089bda8fb598a474b7b",
+ "crv": "P-384",
+ "x": "FZEhxw06oB86xCAZCtKTfX3ze9tgxkdN199g-cWrpQTWF-2m6Blg1MN5D60Z9KoX",
+ "y": "EyWjZ46gLlqfoU08iv0zcDWut1nbfoUoTd-7La2VY4PqQeDSFrxPCOyplxFMGJIW"
+ }`)
+ testKeyECDSA_384_0_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "bc271d0a68251171e0c5edfd384b32d154e1717af27c5089bda8fb598a474b7b",
+ "crv": "P-384",
+ "x": "FZEhxw06oB86xCAZCtKTfX3ze9tgxkdN199g-cWrpQTWF-2m6Blg1MN5D60Z9KoX",
+ "y": "EyWjZ46gLlqfoU08iv0zcDWut1nbfoUoTd-7La2VY4PqQeDSFrxPCOyplxFMGJIW",
+ "d": "t6oJHJBH2rvH3uyQkK_JwoUEwE1QHjwTnGLSDMZbNEDrEaR8BBiAo3s0p8rzGz5-"
+ }`)
+
+ testKeyECDSA_384_1 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "58ef375d6e63cedc637fed59f4012a779cd749a83373237cf3972bba74ebd738",
+ "crv": "P-384",
+ "x": "Gj3zkiRR4RCJb0Tke3lD2spG2jzuXgX50fEwDZTRjlQIzz3Rc96Fw32FCSDectxQ",
+ "y": "6alqN7ilqJAmqCU1BFrJJeivJiM0s1-RqBewRoNkTQinOLLbaiZlBAQxS4iq2dRv"
+ }`)
+ testKeyECDSA_384_1_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "58ef375d6e63cedc637fed59f4012a779cd749a83373237cf3972bba74ebd738",
+ "crv": "P-384",
+ "x": "Gj3zkiRR4RCJb0Tke3lD2spG2jzuXgX50fEwDZTRjlQIzz3Rc96Fw32FCSDectxQ",
+ "y": "6alqN7ilqJAmqCU1BFrJJeivJiM0s1-RqBewRoNkTQinOLLbaiZlBAQxS4iq2dRv",
+ "d": "-4eaoElyb_YANRownMtId_-glX2o45oc4_L_vgo3YOW5hxCq3KIBIdrhvBx1nw8B"
+ }`)
+
+ testKeyECDSA_384_2 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "a8bab6f438b6cd2080711404549c978d1c00dd77a3c532bba12c964c4883b2ec",
+ "crv": "P-384",
+ "x": "CBKwYgZFLdTBBFnWD20q2YNUnRnOsDgTxG3y-dzCUrb65kOKm0ZFaZQPe5ZPjvDS",
+ "y": "WlubxLv2qH-Aw-LsESKXAwm4HF3l4H1rVn3DZRpqcac6p-QSrXmfKCtxJVHDaTNi"
+ }`)
+ testKeyECDSA_384_2_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "a8bab6f438b6cd2080711404549c978d1c00dd77a3c532bba12c964c4883b2ec",
+ "crv": "P-384",
+ "x": "CBKwYgZFLdTBBFnWD20q2YNUnRnOsDgTxG3y-dzCUrb65kOKm0ZFaZQPe5ZPjvDS",
+ "y": "WlubxLv2qH-Aw-LsESKXAwm4HF3l4H1rVn3DZRpqcac6p-QSrXmfKCtxJVHDaTNi",
+ "d": "XfoOcxV3yfoAcRquJ9eaBvcY-H71B0XzXwx2eidolHDKLK7GHygEt9ToYSY_DvxO"
+ }`)
+
+ testKeyECDSA_384_3 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "32f0cfc686455840530d727fb029002b9757ffff15272f98f53be9f77560718a",
+ "crv": "P-384",
+ "x": "xxED1z8EUCOUQ_jwS9nuVUDVzxs-U1rl19y8jMWrv4TdPeGHTRTgNUE57-YAL3ly",
+ "y": "OsCN6-HmM-LP1itE5eW15WsSQoe3dZBX7AoHyKJUKtjzWKCJNUcyu3Np07xta1Cr"
+ }`)
+ testKeyECDSA_384_3_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "32f0cfc686455840530d727fb029002b9757ffff15272f98f53be9f77560718a",
+ "crv": "P-384",
+ "x": "xxED1z8EUCOUQ_jwS9nuVUDVzxs-U1rl19y8jMWrv4TdPeGHTRTgNUE57-YAL3ly",
+ "y": "OsCN6-HmM-LP1itE5eW15WsSQoe3dZBX7AoHyKJUKtjzWKCJNUcyu3Np07xta1Cr",
+ "d": "gfQA6wn4brWVT3OkeGiaCXGsQyTybZB9SdqTULsiSg8n6FS2T8hvK0doPwMTT5Gw"
+ }`)
+
+ testKeyECDSA_521_0 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "f7b325c848a6c9fc5b72f131f179d2f37296837262797983c632597a4927726e",
+ "crv": "P-521",
+ "x": "AUaLqCAMEWPqiYgd-D_6F5kxpOgqnbQnjIHZ-NhjRnKKYuij9Iz7bq9pZU4F79wsODFpWxMFfISrveUfgEGt4Hy2",
+ "y": "AeAKfmFsfcFttwQqv2B-fUfgLhw837YoGoNWh5qNE_LqTBxbYKRUkbSLxVRHEcVNnU1t3z9yMMdYXtuMlfJ0bhjr"
+ }`)
+ testKeyECDSA_521_0_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "f7b325c848a6c9fc5b72f131f179d2f37296837262797983c632597a4927726e",
+ "crv": "P-521",
+ "x": "AUaLqCAMEWPqiYgd-D_6F5kxpOgqnbQnjIHZ-NhjRnKKYuij9Iz7bq9pZU4F79wsODFpWxMFfISrveUfgEGt4Hy2",
+ "y": "AeAKfmFsfcFttwQqv2B-fUfgLhw837YoGoNWh5qNE_LqTBxbYKRUkbSLxVRHEcVNnU1t3z9yMMdYXtuMlfJ0bhjr",
+ "d": "AbD3guIvlVd8CZD0xUNuebgnQkE24XJnxCQ69P5VL3etEMmdr4HPJLPMQfMs10Gz8RTmrGKo-bdsU-cjS3d7dKIC"
+ }`)
+
+ testKeyECDSA_521_1 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "4ea260ba2c9ed5fe9d6adeb998bb68b3edbab839d8bfd2be09fa628680793b90",
+ "crv": "P-521",
+ "x": "AE8-53o64GiywneanVZAHb96NcPbq0Ml6zynIcgLdKUiHGVs2te7SABq_9keFZJC6wooACeNWWT7VDK3kY77fjdh",
+ "y": "AAnrIu0-D7JEd3-mqTR8Rdz53kw7DLAIypv0-_u4rqn0glwTZCkMpQ17wFH71bMInXaTi2Z_uq67NuVxFvUCaTvS"
+ }`)
+ testKeyECDSA_521_1_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "4ea260ba2c9ed5fe9d6adeb998bb68b3edbab839d8bfd2be09fa628680793b90",
+ "crv": "P-521",
+ "x": "AE8-53o64GiywneanVZAHb96NcPbq0Ml6zynIcgLdKUiHGVs2te7SABq_9keFZJC6wooACeNWWT7VDK3kY77fjdh",
+ "y": "AAnrIu0-D7JEd3-mqTR8Rdz53kw7DLAIypv0-_u4rqn0glwTZCkMpQ17wFH71bMInXaTi2Z_uq67NuVxFvUCaTvS",
+ "d": "AVVL9TIWcJCYH5r3QUhHXtsbkVXhLQSpp4sL1ta_H2_3bpRb9ZdVv10YOA-xN7Yz2wa-FMhIhj1ULe9z18ZM8dDF"
+ }`)
+
+ testKeyECDSA_521_2 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "d69caddc821807ea63a46519b538a7d2f3135dbdda1ba628781f8567a47893d8",
+ "crv": "P-521",
+ "x": "AO618rH8GP78-mi9Z5FaPGqpyc_OVMK-BajZK-pwL89ZQdOvFa0fY0ENpB_KaRf5ELw9IP17lQh3T-O9O7jePDFj",
+ "y": "AT1x9pCMbY-BXqAJPQDQxp6j8Gca7IpdxL8OS4td_XPiwXtX4JKcj_VKxtOw6k64yr_VuFYCs6wImOc72jNRBjA7"
+ }`)
+ testKeyECDSA_521_2_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "d69caddc821807ea63a46519b538a7d2f3135dbdda1ba628781f8567a47893d8",
+ "crv": "P-521",
+ "x": "AO618rH8GP78-mi9Z5FaPGqpyc_OVMK-BajZK-pwL89ZQdOvFa0fY0ENpB_KaRf5ELw9IP17lQh3T-O9O7jePDFj",
+ "y": "AT1x9pCMbY-BXqAJPQDQxp6j8Gca7IpdxL8OS4td_XPiwXtX4JKcj_VKxtOw6k64yr_VuFYCs6wImOc72jNRBjA7",
+ "d": "AYmtaW9ojb0Gb8zSqrlRnEKzRVIBIM5dsb1qWkd3mfr4Wl5tbPuiEctGLN9s6LDtY0JOL3nukOVoDbrmS4qCW64"
+ }`)
+
+ testKeyECDSA_521_3 = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "7193cba4fd9c72153133ce5cffc423857517ab8eb176a827e1a002eb5621edca",
+ "crv": "P-521",
+ "x": "AQfpLehZCER3ZTw1V1pN0RsX8-4WEW4IDxFDSGwrULQ79YHiLNmubrOSlSxiOSv2S-tHq-hxgma1PZlQRghJfemx",
+ "y": "AAF41XT7jptLsy8FAaVRnex2WcSfdebcjjXMGO4rn6IlD3u9qnvrpR8MBp1gz5G1C5S7_NVgIeLSIYbdfd_wjVkd"
+ }`)
+ testKeyECDSA_521_3_Priv = mustLoadJWK(`{
+ "kty": "EC",
+ "kid": "7193cba4fd9c72153133ce5cffc423857517ab8eb176a827e1a002eb5621edca",
+ "crv": "P-521",
+ "x": "AQfpLehZCER3ZTw1V1pN0RsX8-4WEW4IDxFDSGwrULQ79YHiLNmubrOSlSxiOSv2S-tHq-hxgma1PZlQRghJfemx",
+ "y": "AAF41XT7jptLsy8FAaVRnex2WcSfdebcjjXMGO4rn6IlD3u9qnvrpR8MBp1gz5G1C5S7_NVgIeLSIYbdfd_wjVkd",
+ "d": "hzh0loqrhYFUik86SYBv3CC_GKNYankLMK95-Cfr1gLBD1l0M6W-7gn3XlyaQEInz0TBIbaQ1fL78HHjbVsNLrY"
+ }`)
+
+ testKeyRSA_1024_0 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "979d62e7114052027b11bcb51282d8228790134ef34e746f6372fa5aadaa9bf2",
+ "n": "6zxmGE5X74SUBWfDEo8Tl-YxrkVfvxljQG9vKmNPQ2RhEmJ8eplZpKn9_nlxVDHGLzfJMqqUBS19EarIfDnOqyFBRkyKRbsQdUVU9XLjDIXqImJ8aN-UmShAYoeOClJVDsBJuxBGgS3pdgG7u3YQpvTV_hGuMoJr7UYgIrqb0qc",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_1024_0_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "979d62e7114052027b11bcb51282d8228790134ef34e746f6372fa5aadaa9bf2",
+ "n": "6zxmGE5X74SUBWfDEo8Tl-YxrkVfvxljQG9vKmNPQ2RhEmJ8eplZpKn9_nlxVDHGLzfJMqqUBS19EarIfDnOqyFBRkyKRbsQdUVU9XLjDIXqImJ8aN-UmShAYoeOClJVDsBJuxBGgS3pdgG7u3YQpvTV_hGuMoJr7UYgIrqb0qc",
+ "e": "AQAB",
+ "d": "IARggP5oyZjp7LJqwqPmrs4OBQI8Pe5eq-5-2u4ZY7rN24q8FpO4t8jLYU92NVdw-gxFvjepXesLEtSD5SSZFD7s-5rqmX9tW_t5t1a1sBY6IKz_YBSf2p2LtdTyrqgo4nRD0nYH3sMvGtOKCTV4K_vwfWPD3elXq752trG-HwE",
+ "p": "9tgo12L3earNNrJfyIIDD2dqgKuNfWhQzhbe-Ju17dF37uGF6xnLqR0WXU-agGpUdYTMOd7IQi_bX_xkjQBYlw",
+ "q": "8_YDvufPdccjGM2rAXs-2LbeP_LrzLUk1uGNpEjIt2lXEm6sQKjIfNLcAfVKh9zsqwqroveL2iI1ijsDgNAIcQ"
+ }`)
+
+ testKeyRSA_1024_1 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "4a3a37dc10aec5f427509e4014683102a0fafa32bec2ff9921ff19e1a55c79e8",
+ "n": "sn7sU7dBEkU1RBIz_LKgrswSS7-68vTlOe7n-lanAqAlczm01_6IWrvcIC7lPv1iHQqWngusskANZirCZGTv6kK8kJLHBVRSROB9VkPTPNFYnSB6dacyPa0ty0otsaYOVM2RFvcCX7lBKKat2Tmst8vITdpvnoEzTgT_eGOKGAs",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_1024_1_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "4a3a37dc10aec5f427509e4014683102a0fafa32bec2ff9921ff19e1a55c79e8",
+ "n": "sn7sU7dBEkU1RBIz_LKgrswSS7-68vTlOe7n-lanAqAlczm01_6IWrvcIC7lPv1iHQqWngusskANZirCZGTv6kK8kJLHBVRSROB9VkPTPNFYnSB6dacyPa0ty0otsaYOVM2RFvcCX7lBKKat2Tmst8vITdpvnoEzTgT_eGOKGAs",
+ "e": "AQAB",
+ "d": "KTXqpE1sBaba7HNzc0Vemdzd4IVMyWlHPz_saTz2ZEHLQ7YwDapjmudCpF-PaCKiM2hNbAHwBluJfGwk4372cPHcJyri3Gs4GGj-cOlbXJh9aUp5o8fqn904B1UcPxMZ2DrZAKjseuLj3zyJgCsSJOGU1kJFRAkM8UN4a9cE8sE",
+ "p": "3ntHMGDJEXwqldLNR-DucKGp32aJVAaKnn4j9qy1Tj6KhH70o3HyFVO_TKYxGg-pG3zTV-VzyMqmeh9hDdnyKw",
+ "q": "zWMxEjyxvp-P-mNxhWQe1pJXZi6iPpcnt0SZLfweT3AtAzEaoSs4-4D1jT911LD4xDI8_a7-gYHgD8ME62PhoQ"
+ }`)
+
+ testKeyRSA_1024_2 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "d1c32aaea6c9527038e589dd94a546ca1beedb90f90e073228986cc258cf1fda",
+ "n": "3mZrDaB5-7e29zok9XkGuu6FXYB00FqFgnGTJAGCMpql5uHz1h9p0DljZL4vsGkkYOZUMvqFS1pCEuzdSsupPNClf0NKMRux6yLv6iIR9C4pE9RBKPUrinzJuYs634rq5JOEP4IpP_fJfKxMw4Na85otd9KposKwP14cCkOibYM",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_1024_2_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "d1c32aaea6c9527038e589dd94a546ca1beedb90f90e073228986cc258cf1fda",
+ "n": "3mZrDaB5-7e29zok9XkGuu6FXYB00FqFgnGTJAGCMpql5uHz1h9p0DljZL4vsGkkYOZUMvqFS1pCEuzdSsupPNClf0NKMRux6yLv6iIR9C4pE9RBKPUrinzJuYs634rq5JOEP4IpP_fJfKxMw4Na85otd9KposKwP14cCkOibYM",
+ "e": "AQAB",
+ "d": "Ft2M0B_ZqsmepBh0SFCjIoD3cT-NwwYrh9fJewA0tKM1v2EnwrIEHQZpc6giGw8UUGod6gfbwH2NIYj8z33U7lyrKWPR7F8gJRm1KR5NLCBCnAnz0ukhsg24ktB25LZLZRCStRRhtCev95Vvmew0ip5081hv730Z2T_PsEyOU6E",
+ "p": "8moFzLKJSQuhaIYTo1qNX0w8o4NBFb1atOlthHmq6Y6rdYTm_nyM9Q3mrNBolPS7LHTiBXtCEJ_m4V5hWDuGKw",
+ "q": "6t0_mZKOoZ5NAE--MxkuOCcRhuqNo9VoacfPEH39CeoKAam4v5k56R7aQcb_raQK396pgV-evM2dpfdUaasiCQ"
+ }`)
+
+ testKeyRSA_1024_3 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "838742d0e3195b19f974fa30352db79070fa19aaaeb678ec95c499de7bd48d52",
+ "n": "17Uc89-QvCjqBLXDJSCWxUoohjwFPI63Gub8g-lH1GSK3flXqiohz33KfKhqrdKsLrpRjskGTMg3Vo0IcLBnMYdp1i1nceORghtYLQsDNS7tqlHiKx725fLmWldGgiuP_0Ak0Knisw-j_q7Jx3OVAJnuS1o3vPLfJxJdyq6yV1k",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_1024_3_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "838742d0e3195b19f974fa30352db79070fa19aaaeb678ec95c499de7bd48d52",
+ "n": "17Uc89-QvCjqBLXDJSCWxUoohjwFPI63Gub8g-lH1GSK3flXqiohz33KfKhqrdKsLrpRjskGTMg3Vo0IcLBnMYdp1i1nceORghtYLQsDNS7tqlHiKx725fLmWldGgiuP_0Ak0Knisw-j_q7Jx3OVAJnuS1o3vPLfJxJdyq6yV1k",
+ "e": "AQAB",
+ "d": "B8cM-zIVauNixLa1CZKqPQTWfziMy8ktivfHJQ51O5BAfY5u_cC1JWEYuvPrnMba1Hh9VlOjOYOCk0lUg5OotMx5hxym6M5y_2rIrW90a8r3gGttPlZmyHQnFIgj2QZHlEyZGU1SIPTOtoECW5RGk7cYpA1s1_zfz8uyG-MiCPE",
+ "p": "2dwia5iWWLZwFcCVylPh_7QDr3Wxt3kW_TmHIbaRT10Rborj1lAwltyEx7aVpHq-aNfvrYIEBbOXWwUU8PDUrQ",
+ "q": "_XiDT55hn-Txi2C_peMVSDgXozf01qHKvdLirXM2uT_CI8kruYZYjWYn6_cSUptJ60eioM3WNTxjrSxWRS923Q"
+ }`)
+
+ testKeyRSA_2048_0 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "13b668c7b4f5d46d53de65e4b9f9c522fad4870e4d1656e459c88de6e90984d6",
+ "n": "1j-CxBxkn20C_M24t6ueLp02T4MMAiPLXf5yaDcj7EcsXGbnsGEhrAUwCZwdEJAxeZ0PolmlE0XBOhQfRtsCVJmwu918aknptToyDbOUBr6WtPIK_c_BuGVanLCx3SnczV4jle9Bz7tGfpj2vAXytSBrfnZhdCHNEFeefQTQMnavfMhfWf_njiTa76BRyAHjb-XZIJHKovwBu0y3glmzhSKYNsUrW11RsWx6DbueWEbE3FpsHTiEdnJipcP3UKl3Z2z6t6n9ZYtFWkx4zCVVBQu-RWUQwjr2XnR1LFwXgL9xQocDBmS1O-wMTHqL3_oosNUdV3vuMPdxs_SEoys2rQ",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_2048_0_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "13b668c7b4f5d46d53de65e4b9f9c522fad4870e4d1656e459c88de6e90984d6",
+ "n": "1j-CxBxkn20C_M24t6ueLp02T4MMAiPLXf5yaDcj7EcsXGbnsGEhrAUwCZwdEJAxeZ0PolmlE0XBOhQfRtsCVJmwu918aknptToyDbOUBr6WtPIK_c_BuGVanLCx3SnczV4jle9Bz7tGfpj2vAXytSBrfnZhdCHNEFeefQTQMnavfMhfWf_njiTa76BRyAHjb-XZIJHKovwBu0y3glmzhSKYNsUrW11RsWx6DbueWEbE3FpsHTiEdnJipcP3UKl3Z2z6t6n9ZYtFWkx4zCVVBQu-RWUQwjr2XnR1LFwXgL9xQocDBmS1O-wMTHqL3_oosNUdV3vuMPdxs_SEoys2rQ",
+ "e": "AQAB",
+ "d": "C8F4X2Jfcw_8Nfrjw9A64bvmmv5JzmRAaGvpwyYjZneRS5Cp7demjVXLiPtz7NC8pjuj-_iHQkN1ksY_4RdrTVERjX1dskdT94m17WKJIMWcZ1lQmRSpQIDvM-HOIKCHaQ1dToDOT6Oq_o9OGosJAj9BJrNALasdIWRtYda9xcb7roLl_U3AtOlK9RiFygtt5uVBIPh1rsxaT0Y1MvMk4EMbFnv7NXXk65UM_3p2leSoPpO7LvlYs3WoRRX9ABH7zI-ppwLGEDuxfnwKzAOaRBe9oUh5rTYdazaY9XqofvekBc9Xqa2HpjkYX-L4Zy3oj04u-u5zX8KTh25jFC2a0Q",
+ "p": "6L6icXqV7jLSXHrhMyLpW-tdFFp2XRQ_uKk972jmUJ-sEeh1YYSx_JpK6oaUnYshGbRLfEAOLy03iweAL4uMZJcASOR44TwSnn_qJZ72PkwhD42uKhE0eJRpxVht6jf5qhsynaMNUWc_FIW5ESpQIf6j4rqFV5WrKHAt0ypChTc",
+ "q": "66fAza4rLvyjqQAIGQ07RiRYW4no1h4cK8RH_CDUgI3CCFQSuqTB8ZqM38r2u0tZoKzCNgHcnde6Jk07X6-LSQW2kypMXt3idbgaeVSYSbdZndgG_jTibJvoybxSjo6HfLpPvCrfsihXo7O5M13LE7VqBLbGTLI5iubOxcrfFTs"
+ }`)
+
+ testKeyRSA_2048_1 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "6d2b0efff0011bbbbf694de684b5b97cf454fd4086fa53b9af92545f3fa65459",
+ "n": "1CmSBUbxU1jjnmaBG0r0cLLmyZgCOMbfpG6Z3HwfVDgCK6P-rU3F6QQazrOgGJJ0sz6vP50VK5u7BR6vSrPBBX5CicJPM2iNdz2JuV9ODEIkDQBLeI6TfIGhNOls-14tXKOPExY8b6JdyDMP31Hwo_0pF1FaunZ7yY1bgoKCtDV5-RKGd2EgylDGNPu0Ilr92MqCsAntBC8eQSkO4CcTcti4t9cX45VY5nPtwQRmp5zIgUHnU4LV3QVTLJnU-uidaAxRVQbS1pVql5xR6nYZHYvFk1IU-wTY6gGk5WvGWWQ440UTTaMAfnJP6VFDggUXeGSlKfKkDcz7JLT2Ma2KXQ",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_2048_1_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "6d2b0efff0011bbbbf694de684b5b97cf454fd4086fa53b9af92545f3fa65459",
+ "n": "1CmSBUbxU1jjnmaBG0r0cLLmyZgCOMbfpG6Z3HwfVDgCK6P-rU3F6QQazrOgGJJ0sz6vP50VK5u7BR6vSrPBBX5CicJPM2iNdz2JuV9ODEIkDQBLeI6TfIGhNOls-14tXKOPExY8b6JdyDMP31Hwo_0pF1FaunZ7yY1bgoKCtDV5-RKGd2EgylDGNPu0Ilr92MqCsAntBC8eQSkO4CcTcti4t9cX45VY5nPtwQRmp5zIgUHnU4LV3QVTLJnU-uidaAxRVQbS1pVql5xR6nYZHYvFk1IU-wTY6gGk5WvGWWQ440UTTaMAfnJP6VFDggUXeGSlKfKkDcz7JLT2Ma2KXQ",
+ "e": "AQAB",
+ "d": "DYJcHuPmh-UYEUT7oY5DRE3P7jQ0qALZyLGWMHji0c0DLl4x4D0chfrR7il33zisH6G1LPrGl1FCNlA-3yXU-5GPkRADVQWqRFZxx5Du-k7X1tAW_iUt9PaYGjNm0hasEsMDYDbBQGZ5TD8cGp8wEHEVRbvTaB4VQb8zfXrr8ad8XCFdtYQF5Sw_VuvUBcn-50kdl7S0MmQiwLx5xkisJHkVdVsrWbq-JJPMYrjYzPGo07kt8pQH2ecxrQD2waTzkLiAg-nytPBkAyMIFQ-XCulWCNiI-V_HJ0pqNctgVpdaSihlPCYhfllxUSU8yg4UvcfFEAN2S5yjvPyrJeJLAQ",
+ "p": "4db4J-vxAyb_3otKidzYISIo8NuPxPXuYeImbvVbY6CWHdAYAkPgbwADh592D1vM6kwqZLot4VQ4XUVtX7Vf8tCaq5BAzcVAslK0rhK86kSmzuvtpS1ruzm1DGwJcQWOl_9qYnaAov8Ny0NG8fTm8iwvWJH7rVa3XNtPL0t_fx0",
+ "q": "8H7_sX4kY3_4t90HbA8IvVkTf3-OGaIjtcDn2J3HLq1wMKAtdxwsbMtjhLYP70PPBe_FBNpcWhE7p-tOVhH1i0N0wwFqwlRQy-3Z4oiLeSsy0Npl29cfP7teO5UTrbrqfmHB0j2u_nEqA4n4iDF5QhPr_9yzxSR4Pg56z4PgFEE"
+ }`)
+
+ testKeyRSA_2048_2 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "7988e9dea9647281b04d094e4dc5737eaf739a412a570aa4d6deed7ee5640c30",
+ "n": "wWOFgHHiJ54ZjQEKxvfqYDuhYymbfvYxvreroqx7E-cAuU4QBsOvKV3HNnH_vDRQE1AlqihNWmPFLptp7wxdMrLEtDnRFqTxyTXJ7wLCaaaB6Wwx1dhpr9QEG5-8rxLGFYv2w5i0-o76JPHG0tuqf0YNmHp9oWcv524XnDBuji4-u6km1KynT1EQKHYgy57JWgUpukgJGImBEvf0hC2Y5s5mHvVby3xAD9-cFa2o9Vj3G-SBYFsrRIVR8GcVNwo88oj8F7-2nGD_wOOu_qT_5I3vfToUYGj5-2rAK1ja0bZpXFibrkPrW4w9paG-3F7I0sPeL3e_BDC_rQ8TgL03uQ",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_2048_2_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "7988e9dea9647281b04d094e4dc5737eaf739a412a570aa4d6deed7ee5640c30",
+ "n": "wWOFgHHiJ54ZjQEKxvfqYDuhYymbfvYxvreroqx7E-cAuU4QBsOvKV3HNnH_vDRQE1AlqihNWmPFLptp7wxdMrLEtDnRFqTxyTXJ7wLCaaaB6Wwx1dhpr9QEG5-8rxLGFYv2w5i0-o76JPHG0tuqf0YNmHp9oWcv524XnDBuji4-u6km1KynT1EQKHYgy57JWgUpukgJGImBEvf0hC2Y5s5mHvVby3xAD9-cFa2o9Vj3G-SBYFsrRIVR8GcVNwo88oj8F7-2nGD_wOOu_qT_5I3vfToUYGj5-2rAK1ja0bZpXFibrkPrW4w9paG-3F7I0sPeL3e_BDC_rQ8TgL03uQ",
+ "e": "AQAB",
+ "d": "RPC4j-CJUbw_uY-Miv-oMuQvFU2o3Crh8u5BJn28ZozsKiMU_YRW9jUzJkqfczVm8muY8b7qTHXSvlmy-v_6XW9zRhhyXFMyypr9QNJIAifUmiTy4xwCGSdIy5w3RGY57UZ3EqVmpwe_TtpOGa8rabHMePX5wUcqwaLykcCGOPLOFKfPF93GqZYi2StS1IaiijLi2IAMhxQGqS6Ct3dA7yacQwegPiDzjb4Is3V9UQ9k_aS3I1w56tz5qspVmfDEuuWToc-2Qyk-eMKWl1tTDJuGTCiS5IFtMPerRpPq9GCpycV0csIW-6AnW79b038DxWjDAUsNnDPnX0y1dQ1G3Q",
+ "p": "yh2KH_JqU29L2SLG5-ul1EBbaSbt3F5UUZbCvm_MIsiH1TzafVyBd8FeG1d-pMR8bgGjaDSA-DNkOEDAeAlLx-UCTl2Uk2ySoMnZr5JjVLW2DTuF7e8ySKrKQSSLe63aQyKuIZh9P1RNrwrmFwvJgXdzudVjirmdTwxAN0lijE8",
+ "q": "9PJitAE_kk6SoKvJisXbDb7Xursj26xiYIdWuzlzQ1CbwYcJ1oORDpo0bEpy0BfIbZDiJJ79Xrh5Lo1BVysQ-IZJCXK7mavqiSa8g3B8rmqLXmAtjDbwLGsJOayCpYnsGgOLT7XIUYXCFH7C-tSSydhJ1j8JAbsJveMiBPKnUXc"
+ }`)
+
+ testKeyRSA_2048_3 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "d214aea9b78d15dd2667f5d19c36df6647fa50023140fd4f5866d285718b897c",
+ "n": "qFnqWpBOZ_5jnIr_XkXnonmHII5gKzxPhUBfvWBhGN2eH8nmnGh6aUnKyKuCLP_qfYLU7cf9bah-e00451iGite8Tg9ZMYAPFX4NM5j0rGWNv9Z6lSn1xXezJv-FU9VUwXm0DG5eVcB8OV99JWxHivQUSBzY0Q3DUlgrD7FhMd7BrrcmTUO07KnW6SxN3oTbT7fNMxfJSTRxmvU-t-6sLhYP4Wbg39zEUgI8M7b7tvHp34klSqOn2DibVBhvWGF1-IgNT7ng6pS5iAZN7Cz7NjPc9ZM_IWyngPKZV49Tf-ikX2O8uiCb4ccgRur6znwkE7MPrDTXSMHALn10sUcO_w",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_2048_3_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "d214aea9b78d15dd2667f5d19c36df6647fa50023140fd4f5866d285718b897c",
+ "n": "qFnqWpBOZ_5jnIr_XkXnonmHII5gKzxPhUBfvWBhGN2eH8nmnGh6aUnKyKuCLP_qfYLU7cf9bah-e00451iGite8Tg9ZMYAPFX4NM5j0rGWNv9Z6lSn1xXezJv-FU9VUwXm0DG5eVcB8OV99JWxHivQUSBzY0Q3DUlgrD7FhMd7BrrcmTUO07KnW6SxN3oTbT7fNMxfJSTRxmvU-t-6sLhYP4Wbg39zEUgI8M7b7tvHp34klSqOn2DibVBhvWGF1-IgNT7ng6pS5iAZN7Cz7NjPc9ZM_IWyngPKZV49Tf-ikX2O8uiCb4ccgRur6znwkE7MPrDTXSMHALn10sUcO_w",
+ "e": "AQAB",
+ "d": "cCIT2uarktD6gFaE6cIeGzZfLuwmWiX9wX-zRWxgwDM9E2dj12IvxtmD3E2Ak4CSK69tLEQ9JUFJnc89y7pHQ0uW_VdzzWjCo0omeOu0bO_njpPJanlcXn7wMVWY9NHvdj8eEfmhk_R1ybE0piyNKpyQtcehEv3bz4kyhW1ck936zafn5GWxCEWKIF-7OcotxtOl6z1GrJ7WqglMk8ooLucnAXzaPtcvD6seUhVH0vG60yI2AEInI_jMHR-mfDxrebG2xPPJLsqH3GChqTsxG5vjuaq71sNBiY_TbaUDbmWZxV66zdjhN93Rw-lc3vCPwG5vmuA2igWH7SKsHmQOAQ",
+ "p": "xvTQi8nCJGyZQm3fr7HU23FkSUYkKFUN1FRDWqjyz7kFj5rJxq5dSsNrrgVBvIBNY4TwDDcYia4rvx7KSRRwfV_rsU2-TCOxBebqVlbeV0HI7xMcVZXsv61Eugz-dznUU4wqmP_rCQ8vyNcVvCBbBLBW92n-IRQXsfuSUfuHnT8",
+ "q": "2J64YbgvH62PB4h-0iYuaykgUzWVSrXENg3_GaF8877AMTe98gjcH7HzTDW1fOhIcNZtmYTwlA2SgFudLsIJLoOn0-kmHzZjZJTWcsZsfTVwKhHD8Lzic7QkrrlbTIZlVu4mfT2f0kvaQiZp6zDCke3SLvVjlD-ebqTFCDIlXkE"
+ }`)
+
+ testKeyRSA_4096_0 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "4941c1e95df518587e54ddde3510c084fedf92098473537fb3fe022eaece9b42",
+ "n": "ypJYaH9_PLdEgGN3WFPL1V9qhC2BRXr24f1kGocaQe7wORFlZGX6gRpOCQ1lLmziLafERoSqZuBWF4vSGLeanCRQ7UKObYalMRR_rTJk6D_VD95LNOmtR4DrucdZvjQrAuLXhM5dNLGVoSq_zQowLDMeLWDUBB_TK4WlofoxI0RVoUOt4UXnSev8M_6yIYASpOAk8gG4FAqRfmU-3JhgkZOQCD0BhKYZVw_kEhRBrS3aik-1pQkan9hYIxWwc4KKtrLHNls7--vk5xDk2Vod5sZYRLlimbqHavN2IBeAeJGJqt1grXOVlnagKqmyq2MoPKufwptJBiVrVsTplyUB9FZe9FxUfxrkkxYJHufwP-3wXhaXpPFdL86TCUuOz-jTfng1rsTpwzmwm3RqFzz01yMc1RhaeWininQqj42bhW4bgFGVRP2QqSFbCbRZ4WMW3qWr3aR2QpJ7b8ac7JUhAJoh7-UtMmyGx9UJP0gjA8Wm-O81UENoDjMMdNUaVTfpSUKB7xZppg244jNZDIm1ptq4QyvvWkr0brp9Ymxpu0e3g2HyywyPjbeyNrIelb4E2tU5vCR4Fs_zGFG71AieruJGfzPTXE7ZaiLhP8n1652NCzIH76Y7OGz4ap2D55-RKpUkSI3KqWxUKxkM0tuZ7LS2F-1wEVs8P01K6RuQpxE",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_4096_0_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "4941c1e95df518587e54ddde3510c084fedf92098473537fb3fe022eaece9b42",
+ "n": "ypJYaH9_PLdEgGN3WFPL1V9qhC2BRXr24f1kGocaQe7wORFlZGX6gRpOCQ1lLmziLafERoSqZuBWF4vSGLeanCRQ7UKObYalMRR_rTJk6D_VD95LNOmtR4DrucdZvjQrAuLXhM5dNLGVoSq_zQowLDMeLWDUBB_TK4WlofoxI0RVoUOt4UXnSev8M_6yIYASpOAk8gG4FAqRfmU-3JhgkZOQCD0BhKYZVw_kEhRBrS3aik-1pQkan9hYIxWwc4KKtrLHNls7--vk5xDk2Vod5sZYRLlimbqHavN2IBeAeJGJqt1grXOVlnagKqmyq2MoPKufwptJBiVrVsTplyUB9FZe9FxUfxrkkxYJHufwP-3wXhaXpPFdL86TCUuOz-jTfng1rsTpwzmwm3RqFzz01yMc1RhaeWininQqj42bhW4bgFGVRP2QqSFbCbRZ4WMW3qWr3aR2QpJ7b8ac7JUhAJoh7-UtMmyGx9UJP0gjA8Wm-O81UENoDjMMdNUaVTfpSUKB7xZppg244jNZDIm1ptq4QyvvWkr0brp9Ymxpu0e3g2HyywyPjbeyNrIelb4E2tU5vCR4Fs_zGFG71AieruJGfzPTXE7ZaiLhP8n1652NCzIH76Y7OGz4ap2D55-RKpUkSI3KqWxUKxkM0tuZ7LS2F-1wEVs8P01K6RuQpxE",
+ "e": "AQAB",
+ "d": "VQagPRxm16FFC260hUqG4ASwvNIs1HEMd0bYYZobl1knU4zNthpnzxCveHU65wWk2ez1IXRF4fB_slpp0R4fszI7FZs-FRLS-4rTHGtul11TnNl9T7RVmxGt38ihDojvFMMKGyBTVu7DE2bSIsoH9kVugTWHSEPjav0pzJcrUNY56vpxXYDt18VJkrlxI0aSjMnYOAwoq6DT-O2eORFsVy5M4mhY3sipEjYFUOFXv8zjUfKrF55-omE4fWF5MsK0XoMjwtkAkHkvFx2sMN72dgsCubXmgQgeFvIhvs6eifzsf99z2NoPC5y3FbEs4Ws5VF3lLNXpDL9gEoeMVHigHKNoztIzbJnFLjzEag4wOBqbig4nWIlYEcLwd5-E0oQ8GHAhWtJn5AJQKOwTcasRWiUnRAulCcI8f9R2ATTSjAGU-juFUfhProp4w3ZlnUbO6U3tbh90KdFSJa-Bapts6ijPgEp6MHubVCHIxh1KGmod_CuGGjze1GuISEwI_4Yh0SrFlp4Wy6ecg7mKNnXvkBMd6h90LJaTzubnts33cCs-5UzCtYqmWHwXrMA6dRJuicY6su3NXxStuZn2bxU_Dn8LrS1vx_lhDU__NqMNbYj5ZvHkPvZiJNBI6Z1R5SY3pQzpH6vh9W2KRKF8cKOkushIaHNnHo7W5o4eZ9HjJFE",
+ "p": "7Bxd2wTrXfeSZAEGZEnfoJaMh6hKFG-fx0wLmF9U-Myq1fCIQ-gdl_Atqy0xQxYtQl2lOPUWfySegJSxpdRF8pwvLq9Yt7xFQDrV0B8d5-FjYJ_Mk2bbyHv_PhNmnfcYHqE_VdADeSaU-MRV1iknvjdbxSxYUF-U2C6llfJhn-ZbGPmZJyz8fTWHSh8aKLPJkuYV84wcNL04hpFPJq7Bhy7HAFhRYNpxXyDO3I36DCU94uvUCY758VKLl8IYMMSqjh-thluKJSkWibo85ZOJR38XFksMr70pH-DkT0WMv3PpLtNu6ac6Ry4CEkZexSWmbVk-pduRooo0On1CMsrsLw",
+ "q": "26K4gFJ0Ygqr4KaJ4QcRGN29XcjDpX5XTlHy3hCs_wEWc5wedydVgIH4tadiZcu0WinTtl0I6FYewWNpI8nFh8XJXsLOLepdKKR798zW8kEhzxdYdP1MTtGfy12KUCMeS2RQRsBJlmNdgrI0_m0JvW2LlGeK0EqvrqeS06L8bKGXkfY2aFGHl6ipSfUd5OpuSUqgfrj4-HgB8zywm-yAvn7UK-ySyQrP3K4PuOiY5QZmcPDxl8yqDAjorStrjPieYrlMqREHMsyq2FtAXhx4FzpKN7OljbE3EpgyFKkFN-wDTWRGxu3au0hQJx0-XthZ9i5r8zGcEbArQ5jZH7CQvw"
+ }`)
+
+ testKeyRSA_4096_1 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "d01929d205e83facdc5080a0a4ade80853978298a5c73780e863c035d32127c9",
+ "n": "ve_rSTi1vwfV2Oj7YNu1kv8Xz2ImAEqf7qo2RehTYW4FJpbj0wkMBVGmAulm4dz-1knnaPdpbrrIwkEYr1XR6kSIeB8aXkCZqDGZATxLSRqGEzu2J8Xt9z_qTQLWYD-NuMEf9H3B1CiP3Q2RnoWUlGvOr_KI5h6anzeqgZxlQLgqQujXscwqWpX7MVh3sheZ5SbyTkDcFWvQS_NEPaBGso-Au9X-yhZsHU1Ky02Nd_DPOrrRzl7uymE07hy3bIbxmrh4ZeEz6P2ixsHHYbd15GNMRlr1cWbg91RBB-akSxX0VYoLjjuqwo33UHk1hBbSATbobfpOKRruuZPZ_xOiPi-m0tUdD1Pj-h6xRcA5sZ1d55IdL8IY_9kgLc_WyU2RWFTXV6zA2SDDdE6EdEB_8q6U0oLU5T-YRxd-V2qOTqW1388qUaL5BalSvqM0g8kVfBYIM3uwLqQI_hCer4CL7_0DGlUtheye3qcoyqWVJd9iqfcWC-1S8NljAJwM9sehx6kOSM85UuUTH89VM35oAVp0rSPcLy20dPzEVQ0LAcy_iRHTkqy9nZ1z6mo-IWQE2ZyPCuESEfG7nFJ3YlUfwBJ5uZnk0N1FVYX5zgEKdkP322vShrv1blB_JtUedpbCcuS-qCaywpwjL0pzTDKpJMEqHds0-DFT7AbULcujw_U",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_4096_1_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "d01929d205e83facdc5080a0a4ade80853978298a5c73780e863c035d32127c9",
+ "n": "ve_rSTi1vwfV2Oj7YNu1kv8Xz2ImAEqf7qo2RehTYW4FJpbj0wkMBVGmAulm4dz-1knnaPdpbrrIwkEYr1XR6kSIeB8aXkCZqDGZATxLSRqGEzu2J8Xt9z_qTQLWYD-NuMEf9H3B1CiP3Q2RnoWUlGvOr_KI5h6anzeqgZxlQLgqQujXscwqWpX7MVh3sheZ5SbyTkDcFWvQS_NEPaBGso-Au9X-yhZsHU1Ky02Nd_DPOrrRzl7uymE07hy3bIbxmrh4ZeEz6P2ixsHHYbd15GNMRlr1cWbg91RBB-akSxX0VYoLjjuqwo33UHk1hBbSATbobfpOKRruuZPZ_xOiPi-m0tUdD1Pj-h6xRcA5sZ1d55IdL8IY_9kgLc_WyU2RWFTXV6zA2SDDdE6EdEB_8q6U0oLU5T-YRxd-V2qOTqW1388qUaL5BalSvqM0g8kVfBYIM3uwLqQI_hCer4CL7_0DGlUtheye3qcoyqWVJd9iqfcWC-1S8NljAJwM9sehx6kOSM85UuUTH89VM35oAVp0rSPcLy20dPzEVQ0LAcy_iRHTkqy9nZ1z6mo-IWQE2ZyPCuESEfG7nFJ3YlUfwBJ5uZnk0N1FVYX5zgEKdkP322vShrv1blB_JtUedpbCcuS-qCaywpwjL0pzTDKpJMEqHds0-DFT7AbULcujw_U",
+ "e": "AQAB",
+ "d": "mCjZ3wDVaMJIKMsMhx28KpS9aGACfX1K_pHRhNOH6KeQ7Mc4oFnBDYnJas-8ofi_FsCB6G88QX7VUfmAYwZncjuQ8FpKb3NlJX8GSh0ZWukqu8G8PcSszMShWSyKvPRs_rOIe_87BlGwXrB-FfaBfx2WqRGtZlziFecsa0T1QJHJGW0bTs52p7c7Ut7ClSOfIBrBRrtjFK4YYp_x7US3HlkkElZvFUo9NoQzBQeN66Y4_Z2ocqFOv0Z8drz-nKzGZOKfYU62nVKD0qJurfOhOGPsOPipZD28v6b5qfC1cYmXAefjNgDK3a2JkShpHPaDKoHoViKN9xQiZvzxSQ1bjQCgB6xQWk61YwmiB44gFLshXvXkx_wcccO2XC4m-Pk0r-Uj9Ugvgizk8HYp1H9eqnp8A6sqU44mrmdt14vM68SGzEqYpLoUkcxPttHvNoORAzgQfuK3SOIFyuwFqKTMBupR4A42XvxLj_PuKEKFekS2JEK8fON2t_LuUDVemjMxwXD0gjljHSKD9HnguihI5IEd6Kgr-HlTwiiDQfzcmWQdoFUs_Je4tVCSbGRrJYju01gLouDu7gzN14pZcEyoBLPkj-_MDiiymvlBLOBU2s5nQRZCaC_0IKgHLaT_rzQaXwmVhU-OURdwdoViMVc_cdXtle4TqU1g41nNE_0tiwE",
+ "p": "2h_9HZCOpf3S9qpAkNS2ncMsRjBlWCpRltoCs-XBF_IgOJlCkJ-42k_V1zaf6YrgMy00XD4Ij5MMiUOharvc3w_WKJF-AwGu9JEpi38Wzj1nkY86sdB1ZPu4ihSRZm81jIjuLZ2siILqkupXaY0S_0CeNLKPoVpvfPWCb3psCWuLVRDhYECPCx9FYg2tzisbFpVAPPqNCFswMYNvhyJ2NQ0hzueKDc1uHBUanCSG6gIbeY1bQvYYFGySYkWZcQg98RSeDbLysHalCSQCgPjss3likTT9OjWLv23vpXURFhgywv6Phx4He0yWB8ZRrnskfW0S76kZ325SPUlnOhf31Q",
+ "q": "3urwELOa7TDpwLMeMEOf2aspz1gkMjoN-V4SMzRGxIoPy93-bQ62Z8nPduma1gK0zHOIs0gU8dDqjy8P8Z7vudJqRFJIrzjD-RnDqQDz7KM_6x0kbEN4GLQiNGVAckRhoEmYjDXXkG3teD2ST5NqlYwxGvFmCvw5RCJZG7eNjXY3KnJQrDyx61NIFEvSm3sBlJkOVhSanuqHBL6T-efaBkUcQ7mY7_iYtCt7cjMG8qQtF0KovVsMF6BUc9KDobpUvDsvPrSTAzsYJvVNkzGJtF8Strr-61VA6qZnRcDW3ukYvmJp_SdAcv3KzSkWwEmJEaAtaiOh2jWkRG9QpV_LoQ"
+ }`)
+
+ testKeyRSA_4096_2 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "822512e8098b9fa56c9152a56d2607bda912c89f6f4fe1b6ccf41627bf06de29",
+ "n": "3bcg0diA0TPvK283P02o5UT8cBf5q48uUsfuCkIbLqNFtskGuoft8OJLmik7c7pLNSK3Jad_-xRlfsrcV1fDBs8EJDFnoY-4r_xk_-GQl-OsHzuz7HMvjVYUSYeVZMtzPAfCIFJxSIaiIW9MEwCwYyrtRefedfKUV7Ax6hjOUXtyRZ5DRHj2FnNl6MjE8mTSJ8OQI9ETErg0wF448fJb6hYCidVHfeBSCOceljXMg8a9iDYHVnzsUb9ETl7xlRZDvUpIoG0jU-aC3oZdM0YgXspvw4FcXg1-ad-TbgRjEm_iJ-4KUhAYso6-Y6eimDT_TMhbKBLGE86pUjRPIXVNl6odjkXmcmh7bz9v0-gIfHB9zVbrqE8i8iIwkux-Uhq_VMiIFikjtjmDo5W-7qA_cjvq1dA1QqOJ54ijbdvglUtneuA5CnwfGHAvf94lEPebgP5eCMZjz_Dtl0FTX0u5lOVBs4qeyEfV1XANOq_h1gHmwJDlspGZVuPfSk4-YMCeBy5Ua_gNDqOIQo3EQbmjyN5yD9byFh3WDSQJN1kKT3BZSou-Q8-KT2lu9KT_CpTfVMaNXnPpXJ_H0S9Q7sbUzA6dF1h0Q_mu_bOlWTRlH3vXfZ3_3Vikjk-jhQdaRv8yjTdhX33wAVHk7omKlo76G3QJdnvjysJ6aagFPZ3qhmc",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_4096_2_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "822512e8098b9fa56c9152a56d2607bda912c89f6f4fe1b6ccf41627bf06de29",
+ "n": "3bcg0diA0TPvK283P02o5UT8cBf5q48uUsfuCkIbLqNFtskGuoft8OJLmik7c7pLNSK3Jad_-xRlfsrcV1fDBs8EJDFnoY-4r_xk_-GQl-OsHzuz7HMvjVYUSYeVZMtzPAfCIFJxSIaiIW9MEwCwYyrtRefedfKUV7Ax6hjOUXtyRZ5DRHj2FnNl6MjE8mTSJ8OQI9ETErg0wF448fJb6hYCidVHfeBSCOceljXMg8a9iDYHVnzsUb9ETl7xlRZDvUpIoG0jU-aC3oZdM0YgXspvw4FcXg1-ad-TbgRjEm_iJ-4KUhAYso6-Y6eimDT_TMhbKBLGE86pUjRPIXVNl6odjkXmcmh7bz9v0-gIfHB9zVbrqE8i8iIwkux-Uhq_VMiIFikjtjmDo5W-7qA_cjvq1dA1QqOJ54ijbdvglUtneuA5CnwfGHAvf94lEPebgP5eCMZjz_Dtl0FTX0u5lOVBs4qeyEfV1XANOq_h1gHmwJDlspGZVuPfSk4-YMCeBy5Ua_gNDqOIQo3EQbmjyN5yD9byFh3WDSQJN1kKT3BZSou-Q8-KT2lu9KT_CpTfVMaNXnPpXJ_H0S9Q7sbUzA6dF1h0Q_mu_bOlWTRlH3vXfZ3_3Vikjk-jhQdaRv8yjTdhX33wAVHk7omKlo76G3QJdnvjysJ6aagFPZ3qhmc",
+ "e": "AQAB",
+ "d": "wcO4mAxJUAu-OsxgkR9SusPWhjQ9y5Q_XLNDso1hahng5ES9b6k55mouvlTIk3Q9I_vp6auAKrMBnJS3ilG1rK6hJOxUcBrFwm-m6QV9s3CSzV0E-mEULsYKxtQKWOOBGvaAznSeck7PRL8a0gSpIpGyeYSRo6zTverLRJZXQVjMXlFY4m-ASdCiQJWtoVVBYOUFhHfE3nhECdaOl8xCTcrcfw75AuZXa1ZpIcd0q7m1jGQDd6-HbE3m6UMKiEvD-ZsA68tVs45h0w3ER_pCcfUjRc45Ji1OzEJLezu0RbmoAVOEi4FrxCkB9N_dNn4inD0BhX0axNa4nZH_kfMNUh06081FaBiBq5bNBPQF7lWIYxAhtd2VgsUTZtNxMfHDTllt5fvbCogYngU5-Wj3UM33R_es_aakt_CFndJPmyenP0J7KEBmf4qnlrbxun-jQNV_cbEzgQA_Pt5RIhB5jgofYzT72Ib-lViZUolXpxg8mFQ5BPghqriuaX8eSc85y5rbu-nEvheDkIC7xjTtDBShXMvKKokx6t4d-x_W4sWDuLKsVNn3Veg6mbbl3O74Fr-joEM9unMg-9KCapAuBKmMv4GejOVOIj43i0lm8dsuMslNKsThWpjApE50-VBuySi1f0jD2HNEzjMTt5ZrlNi9bRFzAht46kdc_g4TWLE",
+ "p": "7cl5QebQldiOrfe2Z7E2aP4d1GIuX4b3u-kXUDa73HI4S2u9TooJF8lfsbrtzJIG60iIzio9Pej8R4ss2_1TPC_F7gQS67ST5yY2zuwUH6jwpt8KtVO3NKd9SNfVJse_mZLp7eAeH8CMq4bqkDig8ZI_Sp1LQtWXvhvhju40i0h1ef-MD36wbc26BE1L6tQMAoJIU-pMDawmWMGG3Q5_LxKHb1cxvV8gVfFgsJbAHMPXxcmpCdp1FqeqpvRs3bch3AMxHwjy1SFRK6lhvliS2ZvD7fdupA09PGJ-cNO3S9iHdCvsnyOHg9pMbxxcYW8Io_t1ihk6JYFvZlDIYvukXw",
+ "q": "7rKFf6190MlunvlLSdMvN_E2Xuow35_EThaxQ9e_7FS32LKPy847vFreXzVivVW1IVXrRSDgU8VIEyBQzftliLSriefKYdx2jtd_A84baha4p6CAK9SwfZcVEcIuU2Ul8XcUpbg53_bxUWDv4mYewZW_AqaZ0ZR1Ug14gCGHELvjs7MmWkCkJB6lEenRQZvzwcmA8tWzZ6Dlqb_RyLtxcVPbeSuc3t6YxbB1-pquwXoQLB9-XvgR_4L6vuGZrp1D-C0lzboUPoftkC_hKYb_xY6LPJTsL8LUypATcTrAnD0TBrqj5-Oy_4dMin6OcsXrfdxflxaJqkh7B-kz20oa-Q"
+ }`)
+
+ testKeyRSA_4096_3 = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "ad60df152305985e6bdd8cb1d1f496f766aed097b7464b8b821a09b27f054dcb",
+ "n": "q8mHub9-A7LH2ykklO52CRQ9KYeM9FlHaoLJCMokmwdb8FF8cAMOPDQ4lx7rB107vwX5oHS6T4uhOUH6ppgZnvB083-f5cBfvZPSwvKg1csOPI3Llp-hIO3vnu7v4M-dXRJevmNdTAoHINXP8mJ1KfGL6BuxckxLEOoIX0suSmyudAE_lc6ioMAfwehkH7qTWwllIuReGwxHHYapM0AFIYysJ0z96l-WNkO3ssLm6Q7txpumM_b0d58OkdezBLujEfn0t5H8hsml_LUSE4TfWcGwm3oDBB2q5tsI2_QmVwdV6BcP43Sm8R7EbJvTQq3YXKLlC-Et4-3CDGaMV6z1eFmHBs_FMGzto-kg9MUFockOe0vkfjHj6AafNw7AFyBJRvV3EdMM-O1ysiC5cs45aowbfQIz_9H9RVbR9iMiEjq6nM34bhgfu-FvOmAcliCOJnDlBy2wWe2XyXTLQVkmn1C_w2mitcQAkP-LiktypUwSIbyDqfBai1_imO1SIVzomRLvzSju5qGrcm0ROV6o9zKXCVc546g9la9FUTTPZsI0_s3hcVRVMaF3fa122hE848serjCqNJ0Nb3CYOlVCc6JrkUdeuCj0Y-on6V6aeCFAQxFb1z_p88STsNJkrcNZp87f1JUaSB4POF01dLNQ2HTe7xJCMRmK-fpNuDCOzNM",
+ "e": "AQAB"
+ }`)
+ testKeyRSA_4096_3_Priv = mustLoadJWK(`{
+ "kty": "RSA",
+ "kid": "ad60df152305985e6bdd8cb1d1f496f766aed097b7464b8b821a09b27f054dcb",
+ "n": "q8mHub9-A7LH2ykklO52CRQ9KYeM9FlHaoLJCMokmwdb8FF8cAMOPDQ4lx7rB107vwX5oHS6T4uhOUH6ppgZnvB083-f5cBfvZPSwvKg1csOPI3Llp-hIO3vnu7v4M-dXRJevmNdTAoHINXP8mJ1KfGL6BuxckxLEOoIX0suSmyudAE_lc6ioMAfwehkH7qTWwllIuReGwxHHYapM0AFIYysJ0z96l-WNkO3ssLm6Q7txpumM_b0d58OkdezBLujEfn0t5H8hsml_LUSE4TfWcGwm3oDBB2q5tsI2_QmVwdV6BcP43Sm8R7EbJvTQq3YXKLlC-Et4-3CDGaMV6z1eFmHBs_FMGzto-kg9MUFockOe0vkfjHj6AafNw7AFyBJRvV3EdMM-O1ysiC5cs45aowbfQIz_9H9RVbR9iMiEjq6nM34bhgfu-FvOmAcliCOJnDlBy2wWe2XyXTLQVkmn1C_w2mitcQAkP-LiktypUwSIbyDqfBai1_imO1SIVzomRLvzSju5qGrcm0ROV6o9zKXCVc546g9la9FUTTPZsI0_s3hcVRVMaF3fa122hE848serjCqNJ0Nb3CYOlVCc6JrkUdeuCj0Y-on6V6aeCFAQxFb1z_p88STsNJkrcNZp87f1JUaSB4POF01dLNQ2HTe7xJCMRmK-fpNuDCOzNM",
+ "e": "AQAB",
+ "d": "QFcw8I8aQYRaemlEfEt8BhaAeed9EZ_GscveQ96CK1ZsRuweMU3TrRTaBS_dU1rGH9u7DS_rABQKBIoDuRXKss7Y3sJ0Pvb4ZObSz5VUS_7LjD6HfBi5nr2_O8W-LnNUOyHAPoq0zOAMn221ftEFlPoVLpAAvBB7JRCiph5gbhuak3RMPm2wV4jd3CCQL5oPys8QBCuIW5UTpalkAf_-a_xmFiouB_RZLGXcjaWWGsAuqm5tp5TdJ1h5eoJRWHp2ryrxTzfsXwdzldyzsn_Xr6Rt4y2lp4r9EY4EGW2uVnY25MCOgOCWDkU5yHvselLmcHvKUdK6_11zinV2Jvhuz1FaW10P6lRXxhjuuT4bT7XmY6WkJCUvWf8w_NYrGwDbRvQa6YZcZZWKZ1l2Enkgd_P4qwtrnROQSCe0dJdNG3lSq90lrAwuvb8AhKhpQ8nJSaSQc_h2pa4NJZ-R__9m0_7CRUuEEg9k47AtgdIe09KLSpcACc3W5cBXEw2pL8ihqcf9AVgM0TFQQVrUdIst3YjUiB6r2zLVCRx8KjtT8Pmz6YtMQwDIFTrUopwwai5PEP3QEdxdNF39W1iwkqjA8uw4IlXgZAr4-9s3x617XUL0BQ4TgMpTsEghpV1U8U2HQfYGUKBcAlSqIlAi0MU4QRwcsAJrcoTIi-e34NFMbHE",
+ "p": "xvZ1BKzaRfrmQT2mmbK1MzKdr4amHrx4EJ_4fRsCRBj8MqB92y4Bp0iuO8rZ3iK_yOOgQQTcr4UP5UEACLOqGDPNa92UUpHu1U5XR3MiIY0kGcdovpkkGU8fq78VRpyofc1b9kvZsy4eL0e7W7jApjGu479D_evnpT7lqSOGRl1Z0QHdI3ctKmKw48-AmQWL4BibXTyaXOfRgTHm4AtbrvFshwCZ43QgzrCrwbhZlOfiIIW9wXa_OqqOhV11BLF72qTglecfTgUOxY0W5GWgbwXCVZ8Lwr6cxYKGrKjmny9UNOIjABGsJjZm5egwDNUhhoaEeXXyzXbCKynvUCDxZw",
+ "q": "3Qi1bRzj3TYW3Iw9KSDCuuHWBJRO_3Ke-JLB7PHEXc1hsPwF_XDqXPaBbIUtgKaqNzUehYAQbtHHhJVGqZadTKjsNkO4sO_r5nRoxUpFuGgUEmKNN0QeJa_llHzAZ9JpvUrtoyzVZX-2Em_3aAhtV5pZ6t22YToPDjZIBgqL96MQRCyKsv2FS_dbpoYKdXlG6phzkzKPn3oaWkh-VwmgAsFg7uXdiquQEsXYcOq3-77Umiuke6SBbaHLryLflTzOV7YvY7Kw3s3NycS9MDBESKYXqqX3YKvS25ZFFjYbrVOx5AluLiwajZu2biIPZb9rNbSXE77Hll3tAbmA5syJtQ"
+ }`)
+)
diff --git a/vendor/github.com/coreos/go-oidc/jwks.go b/vendor/github.com/coreos/go-oidc/jwks.go
new file mode 100644
index 00000000..4ec6c3f1
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jwks.go
@@ -0,0 +1,199 @@
+package oidc
+
+import (
+ "encoding/json"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "sync"
+ "time"
+
+ "github.com/pquerna/cachecontrol"
+ "golang.org/x/net/context"
+ "golang.org/x/net/context/ctxhttp"
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+// keysExpiryDelta is the allowed clock skew between a client and the OpenID Connect
+// server.
+//
+// When keys expire, they are valid for this amount of time after.
+//
+// If the keys have not expired, and an ID Token claims it was signed by a key not in
+// the cache, if and only if the keys expire in this amount of time, the keys will be
+// updated.
+const keysExpiryDelta = 30 * time.Second
+
+func newRemoteKeySet(ctx context.Context, jwksURL string, now func() time.Time) *remoteKeySet {
+ if now == nil {
+ now = time.Now
+ }
+ return &remoteKeySet{jwksURL: jwksURL, ctx: ctx, now: now}
+}
+
+type remoteKeySet struct {
+ jwksURL string
+ ctx context.Context
+ now func() time.Time
+
+ // guard all other fields
+ mu sync.Mutex
+
+ // inflightCtx is the context of the current HTTP request to update the keys.
+ // Its Err() method returns any errors encountered during that attempt.
+ //
+ // If nil, there is no inflight request.
+ inflightCtx context.Context
+
+ // A set of cached keys and their expiry.
+ cachedKeys []jose.JSONWebKey
+ expiry time.Time
+}
+
+// errContext is a context with a customizable Err() return value.
+type errContext struct {
+ context.Context
+
+ cf context.CancelFunc
+ err error
+}
+
+func newErrContext(parent context.Context) *errContext {
+ ctx, cancel := context.WithCancel(parent)
+ return &errContext{ctx, cancel, nil}
+}
+
+func (e errContext) Err() error {
+ return e.err
+}
+
+// cancel cancels the errContext causing listeners on Done() to return.
+func (e errContext) cancel(err error) {
+ e.err = err
+ e.cf()
+}
+
+func (r *remoteKeySet) keysWithIDFromCache(keyIDs []string) ([]jose.JSONWebKey, bool) {
+ r.mu.Lock()
+ keys, expiry := r.cachedKeys, r.expiry
+ r.mu.Unlock()
+
+ // Have the keys expired?
+ if expiry.Add(keysExpiryDelta).Before(r.now()) {
+ return nil, false
+ }
+
+ var signingKeys []jose.JSONWebKey
+ for _, key := range keys {
+ if contains(keyIDs, key.KeyID) {
+ signingKeys = append(signingKeys, key)
+ }
+ }
+
+ if len(signingKeys) == 0 {
+ // Are the keys about to expire?
+ if r.now().Add(keysExpiryDelta).After(expiry) {
+ return nil, false
+ }
+ }
+
+ return signingKeys, true
+}
+func (r *remoteKeySet) keysWithID(ctx context.Context, keyIDs []string) ([]jose.JSONWebKey, error) {
+ keys, ok := r.keysWithIDFromCache(keyIDs)
+ if ok {
+ return keys, nil
+ }
+
+ var inflightCtx context.Context
+ func() {
+ r.mu.Lock()
+ defer r.mu.Unlock()
+
+ // If there's not a current inflight request, create one.
+ if r.inflightCtx == nil {
+ // Use the remoteKeySet's context instead of the requests context
+ // because a re-sync is unique to the keys set and will span multiple
+ // requests.
+ errCtx := newErrContext(r.ctx)
+ r.inflightCtx = errCtx
+
+ go func() {
+ // TODO(ericchiang): Upstream Kubernetes request that we recover every time
+ // we spawn a goroutine, because panics in a goroutine will bring down the
+ // entire program. There's no way to recover from another goroutine's panic.
+ //
+ // Most users actually want to let the panic propagate and bring down the
+ // program because it implies some unrecoverable state.
+ //
+ // Add a context key to allow the recover behavior.
+ //
+ // See: https://github.com/coreos/go-oidc/issues/89
+
+ // Sync keys and close inflightCtx when that's done.
+ errCtx.cancel(r.updateKeys(r.inflightCtx))
+
+ r.mu.Lock()
+ defer r.mu.Unlock()
+ r.inflightCtx = nil
+ }()
+ }
+
+ inflightCtx = r.inflightCtx
+ }()
+
+ select {
+ case <-ctx.Done():
+ return nil, ctx.Err()
+ case <-inflightCtx.Done():
+ if err := inflightCtx.Err(); err != nil {
+ return nil, err
+ }
+ }
+
+ // Since we've just updated keys, we don't care about the cache miss.
+ keys, _ = r.keysWithIDFromCache(keyIDs)
+ return keys, nil
+}
+
+func (r *remoteKeySet) updateKeys(ctx context.Context) error {
+ req, err := http.NewRequest("GET", r.jwksURL, nil)
+ if err != nil {
+ return fmt.Errorf("oidc: can't create request: %v", err)
+ }
+
+ resp, err := ctxhttp.Do(ctx, clientFromContext(ctx), req)
+ if err != nil {
+ return fmt.Errorf("oidc: get keys failed %v", err)
+ }
+ defer resp.Body.Close()
+
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return fmt.Errorf("oidc: read response body: %v", err)
+ }
+ if resp.StatusCode != http.StatusOK {
+ return fmt.Errorf("oidc: get keys failed: %s %s", resp.Status, body)
+ }
+
+ var keySet jose.JSONWebKeySet
+ if err := json.Unmarshal(body, &keySet); err != nil {
+ return fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)
+ }
+
+ // If the server doesn't provide cache control headers, assume the
+ // keys expire immediately.
+ expiry := r.now()
+
+ _, e, err := cachecontrol.CachableResponse(req, resp, cachecontrol.Options{})
+ if err == nil && e.After(expiry) {
+ expiry = e
+ }
+
+ r.mu.Lock()
+ defer r.mu.Unlock()
+ r.cachedKeys = keySet.Keys
+ r.expiry = expiry
+
+ return nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/jwks_test.go b/vendor/github.com/coreos/go-oidc/jwks_test.go
new file mode 100644
index 00000000..d9735b2d
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/jwks_test.go
@@ -0,0 +1,99 @@
+package oidc
+
+import (
+ "encoding/json"
+ "net/http"
+ "net/http/httptest"
+ "reflect"
+ "testing"
+ "time"
+
+ "golang.org/x/net/context"
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+type keyServer struct {
+ keys jose.JSONWebKeySet
+}
+
+func newKeyServer(keys ...jose.JSONWebKey) keyServer {
+ return keyServer{
+ keys: jose.JSONWebKeySet{Keys: keys},
+ }
+}
+
+func (k keyServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ if err := json.NewEncoder(w).Encode(k.keys); err != nil {
+ panic(err)
+ }
+}
+
+func TestKeysFormID(t *testing.T) {
+ tests := []struct {
+ name string
+ keys []jose.JSONWebKey
+ keyIDs []string
+ wantKeys []jose.JSONWebKey
+ }{
+ {
+ name: "single key",
+ keys: []jose.JSONWebKey{
+ testKeyRSA_2048_0,
+ testKeyECDSA_256_0,
+ },
+ keyIDs: []string{
+ testKeyRSA_2048_0.KeyID,
+ },
+ wantKeys: []jose.JSONWebKey{
+ testKeyRSA_2048_0,
+ },
+ },
+ {
+ name: "one key id matches",
+ keys: []jose.JSONWebKey{
+ testKeyRSA_2048_0,
+ testKeyECDSA_256_0,
+ },
+ keyIDs: []string{
+ testKeyRSA_2048_0.KeyID,
+ testKeyRSA_2048_1.KeyID,
+ },
+ wantKeys: []jose.JSONWebKey{
+ testKeyRSA_2048_0,
+ },
+ },
+ {
+ name: "no valid keys",
+ keys: []jose.JSONWebKey{
+ testKeyRSA_2048_1,
+ testKeyECDSA_256_0,
+ },
+ keyIDs: []string{
+ testKeyRSA_2048_0.KeyID,
+ },
+ },
+ }
+
+ t0 := time.Now()
+ now := func() time.Time { return t0 }
+
+ for _, test := range tests {
+ func() {
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ server := httptest.NewServer(newKeyServer(test.keys...))
+ defer server.Close()
+
+ keySet := newRemoteKeySet(ctx, server.URL, now)
+ gotKeys, err := keySet.keysWithID(ctx, test.keyIDs)
+ if err != nil {
+ t.Errorf("%s: %v", test.name, err)
+ return
+ }
+ if !reflect.DeepEqual(gotKeys, test.wantKeys) {
+ t.Errorf("%s: expected keys=%#v, got=%#v", test.name, test.wantKeys, gotKeys)
+ }
+ }()
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/doc.go b/vendor/github.com/coreos/go-oidc/key/doc.go
new file mode 100644
index 00000000..936eec74
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/doc.go
@@ -0,0 +1,2 @@
+// Package key is DEPRECATED. Use github.com/coreos/go-oidc instead.
+package key
diff --git a/vendor/github.com/coreos/go-oidc/key/key.go b/vendor/github.com/coreos/go-oidc/key/key.go
new file mode 100644
index 00000000..208c1fc1
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/key.go
@@ -0,0 +1,153 @@
+package key
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "encoding/hex"
+ "encoding/json"
+ "io"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+func NewPublicKey(jwk jose.JWK) *PublicKey {
+ return &PublicKey{jwk: jwk}
+}
+
+type PublicKey struct {
+ jwk jose.JWK
+}
+
+func (k *PublicKey) MarshalJSON() ([]byte, error) {
+ return json.Marshal(&k.jwk)
+}
+
+func (k *PublicKey) UnmarshalJSON(data []byte) error {
+ var jwk jose.JWK
+ if err := json.Unmarshal(data, &jwk); err != nil {
+ return err
+ }
+ k.jwk = jwk
+ return nil
+}
+
+func (k *PublicKey) ID() string {
+ return k.jwk.ID
+}
+
+func (k *PublicKey) Verifier() (jose.Verifier, error) {
+ return jose.NewVerifierRSA(k.jwk)
+}
+
+type PrivateKey struct {
+ KeyID string
+ PrivateKey *rsa.PrivateKey
+}
+
+func (k *PrivateKey) ID() string {
+ return k.KeyID
+}
+
+func (k *PrivateKey) Signer() jose.Signer {
+ return jose.NewSignerRSA(k.ID(), *k.PrivateKey)
+}
+
+func (k *PrivateKey) JWK() jose.JWK {
+ return jose.JWK{
+ ID: k.KeyID,
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Exponent: k.PrivateKey.PublicKey.E,
+ Modulus: k.PrivateKey.PublicKey.N,
+ }
+}
+
+type KeySet interface {
+ ExpiresAt() time.Time
+}
+
+type PublicKeySet struct {
+ keys []PublicKey
+ index map[string]*PublicKey
+ expiresAt time.Time
+}
+
+func NewPublicKeySet(jwks []jose.JWK, exp time.Time) *PublicKeySet {
+ keys := make([]PublicKey, len(jwks))
+ index := make(map[string]*PublicKey)
+ for i, jwk := range jwks {
+ keys[i] = *NewPublicKey(jwk)
+ index[keys[i].ID()] = &keys[i]
+ }
+ return &PublicKeySet{
+ keys: keys,
+ index: index,
+ expiresAt: exp,
+ }
+}
+
+func (s *PublicKeySet) ExpiresAt() time.Time {
+ return s.expiresAt
+}
+
+func (s *PublicKeySet) Keys() []PublicKey {
+ return s.keys
+}
+
+func (s *PublicKeySet) Key(id string) *PublicKey {
+ return s.index[id]
+}
+
+type PrivateKeySet struct {
+ keys []*PrivateKey
+ ActiveKeyID string
+ expiresAt time.Time
+}
+
+func NewPrivateKeySet(keys []*PrivateKey, exp time.Time) *PrivateKeySet {
+ return &PrivateKeySet{
+ keys: keys,
+ ActiveKeyID: keys[0].ID(),
+ expiresAt: exp.UTC(),
+ }
+}
+
+func (s *PrivateKeySet) Keys() []*PrivateKey {
+ return s.keys
+}
+
+func (s *PrivateKeySet) ExpiresAt() time.Time {
+ return s.expiresAt
+}
+
+func (s *PrivateKeySet) Active() *PrivateKey {
+ for i, k := range s.keys {
+ if k.ID() == s.ActiveKeyID {
+ return s.keys[i]
+ }
+ }
+
+ return nil
+}
+
+type GeneratePrivateKeyFunc func() (*PrivateKey, error)
+
+func GeneratePrivateKey() (*PrivateKey, error) {
+ pk, err := rsa.GenerateKey(rand.Reader, 2048)
+ if err != nil {
+ return nil, err
+ }
+ keyID := make([]byte, 20)
+ if _, err := io.ReadFull(rand.Reader, keyID); err != nil {
+ return nil, err
+ }
+
+ k := PrivateKey{
+ KeyID: hex.EncodeToString(keyID),
+ PrivateKey: pk,
+ }
+
+ return &k, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/key_test.go b/vendor/github.com/coreos/go-oidc/key/key_test.go
new file mode 100644
index 00000000..d68a61f0
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/key_test.go
@@ -0,0 +1,103 @@
+package key
+
+import (
+ "crypto/rsa"
+ "math/big"
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+func TestPrivateRSAKeyJWK(t *testing.T) {
+ n := big.NewInt(int64(17))
+ if n == nil {
+ panic("NewInt returned nil")
+ }
+
+ k := &PrivateKey{
+ KeyID: "foo",
+ PrivateKey: &rsa.PrivateKey{
+ PublicKey: rsa.PublicKey{N: n, E: 65537},
+ },
+ }
+
+ want := jose.JWK{
+ ID: "foo",
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Modulus: n,
+ Exponent: 65537,
+ }
+
+ got := k.JWK()
+ if !reflect.DeepEqual(want, got) {
+ t.Fatalf("JWK mismatch: want=%#v got=%#v", want, got)
+ }
+}
+
+func TestPublicKeySetKey(t *testing.T) {
+ n := big.NewInt(int64(17))
+ if n == nil {
+ panic("NewInt returned nil")
+ }
+
+ k := jose.JWK{
+ ID: "foo",
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Modulus: n,
+ Exponent: 65537,
+ }
+ now := time.Now().UTC()
+ ks := NewPublicKeySet([]jose.JWK{k}, now)
+
+ want := &PublicKey{jwk: k}
+ got := ks.Key("foo")
+ if !reflect.DeepEqual(want, got) {
+ t.Errorf("Unexpected response from PublicKeySet.Key: want=%#v got=%#v", want, got)
+ }
+
+ got = ks.Key("bar")
+ if got != nil {
+ t.Errorf("Expected nil response from PublicKeySet.Key, got %#v", got)
+ }
+}
+
+func TestPublicKeyMarshalJSON(t *testing.T) {
+ k := jose.JWK{
+ ID: "foo",
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Modulus: big.NewInt(int64(17)),
+ Exponent: 65537,
+ }
+ want := `{"kid":"foo","kty":"RSA","alg":"RS256","use":"sig","e":"AQAB","n":"EQ=="}`
+ pubKey := NewPublicKey(k)
+ gotBytes, err := pubKey.MarshalJSON()
+ if err != nil {
+ t.Fatalf("failed to marshal public key: %v", err)
+ }
+ got := string(gotBytes)
+ if got != want {
+ t.Errorf("got != want:\n%s\n%s", got, want)
+ }
+}
+
+func TestGeneratePrivateKeyIDs(t *testing.T) {
+ key1, err := GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("GeneratePrivateKey(): %v", err)
+ }
+ key2, err := GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("GeneratePrivateKey(): %v", err)
+ }
+ if key1.KeyID == key2.KeyID {
+ t.Fatalf("expected different keys to have different key IDs")
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/manager.go b/vendor/github.com/coreos/go-oidc/key/manager.go
new file mode 100644
index 00000000..476ab6a8
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/manager.go
@@ -0,0 +1,99 @@
+package key
+
+import (
+ "errors"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/pkg/health"
+)
+
+type PrivateKeyManager interface {
+ ExpiresAt() time.Time
+ Signer() (jose.Signer, error)
+ JWKs() ([]jose.JWK, error)
+ PublicKeys() ([]PublicKey, error)
+
+ WritableKeySetRepo
+ health.Checkable
+}
+
+func NewPrivateKeyManager() PrivateKeyManager {
+ return &privateKeyManager{
+ clock: clockwork.NewRealClock(),
+ }
+}
+
+type privateKeyManager struct {
+ keySet *PrivateKeySet
+ clock clockwork.Clock
+}
+
+func (m *privateKeyManager) ExpiresAt() time.Time {
+ if m.keySet == nil {
+ return m.clock.Now().UTC()
+ }
+
+ return m.keySet.ExpiresAt()
+}
+
+func (m *privateKeyManager) Signer() (jose.Signer, error) {
+ if err := m.Healthy(); err != nil {
+ return nil, err
+ }
+
+ return m.keySet.Active().Signer(), nil
+}
+
+func (m *privateKeyManager) JWKs() ([]jose.JWK, error) {
+ if err := m.Healthy(); err != nil {
+ return nil, err
+ }
+
+ keys := m.keySet.Keys()
+ jwks := make([]jose.JWK, len(keys))
+ for i, k := range keys {
+ jwks[i] = k.JWK()
+ }
+ return jwks, nil
+}
+
+func (m *privateKeyManager) PublicKeys() ([]PublicKey, error) {
+ jwks, err := m.JWKs()
+ if err != nil {
+ return nil, err
+ }
+ keys := make([]PublicKey, len(jwks))
+ for i, jwk := range jwks {
+ keys[i] = *NewPublicKey(jwk)
+ }
+ return keys, nil
+}
+
+func (m *privateKeyManager) Healthy() error {
+ if m.keySet == nil {
+ return errors.New("private key manager uninitialized")
+ }
+
+ if len(m.keySet.Keys()) == 0 {
+ return errors.New("private key manager zero keys")
+ }
+
+ if m.keySet.ExpiresAt().Before(m.clock.Now().UTC()) {
+ return errors.New("private key manager keys expired")
+ }
+
+ return nil
+}
+
+func (m *privateKeyManager) Set(keySet KeySet) error {
+ privKeySet, ok := keySet.(*PrivateKeySet)
+ if !ok {
+ return errors.New("unable to cast to PrivateKeySet")
+ }
+
+ m.keySet = privKeySet
+ return nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/manager_test.go b/vendor/github.com/coreos/go-oidc/key/manager_test.go
new file mode 100644
index 00000000..f3c753e7
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/manager_test.go
@@ -0,0 +1,225 @@
+package key
+
+import (
+ "crypto/rsa"
+ "math/big"
+ "reflect"
+ "strconv"
+ "testing"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+var (
+ jwk1 jose.JWK
+ jwk2 jose.JWK
+ jwk3 jose.JWK
+)
+
+func init() {
+ jwk1 = jose.JWK{
+ ID: "1",
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Modulus: big.NewInt(1),
+ Exponent: 65537,
+ }
+
+ jwk2 = jose.JWK{
+ ID: "2",
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Modulus: big.NewInt(2),
+ Exponent: 65537,
+ }
+
+ jwk3 = jose.JWK{
+ ID: "3",
+ Type: "RSA",
+ Alg: "RS256",
+ Use: "sig",
+ Modulus: big.NewInt(3),
+ Exponent: 65537,
+ }
+}
+
+func generatePrivateKeyStatic(t *testing.T, idAndN int) *PrivateKey {
+ n := big.NewInt(int64(idAndN))
+ if n == nil {
+ t.Fatalf("Call to NewInt(%d) failed", idAndN)
+ }
+
+ pk := &rsa.PrivateKey{
+ PublicKey: rsa.PublicKey{N: n, E: 65537},
+ }
+
+ return &PrivateKey{
+ KeyID: strconv.Itoa(idAndN),
+ PrivateKey: pk,
+ }
+}
+
+func TestPrivateKeyManagerJWKsRotate(t *testing.T) {
+ k1 := generatePrivateKeyStatic(t, 1)
+ k2 := generatePrivateKeyStatic(t, 2)
+ k3 := generatePrivateKeyStatic(t, 3)
+ km := NewPrivateKeyManager()
+ err := km.Set(&PrivateKeySet{
+ keys: []*PrivateKey{k1, k2, k3},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: time.Now().Add(time.Minute),
+ })
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ want := []jose.JWK{jwk1, jwk2, jwk3}
+ got, err := km.JWKs()
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+ if !reflect.DeepEqual(want, got) {
+ t.Fatalf("JWK mismatch: want=%#v got=%#v", want, got)
+ }
+}
+
+func TestPrivateKeyManagerSigner(t *testing.T) {
+ k := generatePrivateKeyStatic(t, 13)
+
+ km := NewPrivateKeyManager()
+ err := km.Set(&PrivateKeySet{
+ keys: []*PrivateKey{k},
+ ActiveKeyID: k.KeyID,
+ expiresAt: time.Now().Add(time.Minute),
+ })
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ signer, err := km.Signer()
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ wantID := "13"
+ gotID := signer.ID()
+ if wantID != gotID {
+ t.Fatalf("Signer has incorrect ID: want=%s got=%s", wantID, gotID)
+ }
+}
+
+func TestPrivateKeyManagerHealthyFail(t *testing.T) {
+ keyFixture := generatePrivateKeyStatic(t, 1)
+ tests := []*privateKeyManager{
+ // keySet nil
+ &privateKeyManager{
+ keySet: nil,
+ clock: clockwork.NewRealClock(),
+ },
+ // zero keys
+ &privateKeyManager{
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{},
+ expiresAt: time.Now().Add(time.Minute),
+ },
+ clock: clockwork.NewRealClock(),
+ },
+ // key set expired
+ &privateKeyManager{
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{keyFixture},
+ expiresAt: time.Now().Add(-1 * time.Minute),
+ },
+ clock: clockwork.NewRealClock(),
+ },
+ }
+
+ for i, tt := range tests {
+ if err := tt.Healthy(); err == nil {
+ t.Errorf("case %d: nil error", i)
+ }
+ }
+}
+
+func TestPrivateKeyManagerHealthyFailsOtherMethods(t *testing.T) {
+ km := NewPrivateKeyManager()
+ if _, err := km.JWKs(); err == nil {
+ t.Fatalf("Expected non-nil error")
+ }
+ if _, err := km.Signer(); err == nil {
+ t.Fatalf("Expected non-nil error")
+ }
+}
+
+func TestPrivateKeyManagerExpiresAt(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ k := generatePrivateKeyStatic(t, 17)
+ km := &privateKeyManager{
+ clock: fc,
+ }
+
+ want := fc.Now().UTC()
+ got := km.ExpiresAt()
+ if want != got {
+ t.Fatalf("Incorrect expiration time: want=%v got=%v", want, got)
+ }
+
+ err := km.Set(&PrivateKeySet{
+ keys: []*PrivateKey{k},
+ ActiveKeyID: k.KeyID,
+ expiresAt: now.Add(2 * time.Minute),
+ })
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ want = fc.Now().UTC().Add(2 * time.Minute)
+ got = km.ExpiresAt()
+ if want != got {
+ t.Fatalf("Incorrect expiration time: want=%v got=%v", want, got)
+ }
+}
+
+func TestPublicKeys(t *testing.T) {
+ km := NewPrivateKeyManager()
+ k1 := generatePrivateKeyStatic(t, 1)
+ k2 := generatePrivateKeyStatic(t, 2)
+ k3 := generatePrivateKeyStatic(t, 3)
+
+ tests := [][]*PrivateKey{
+ []*PrivateKey{k1},
+ []*PrivateKey{k1, k2},
+ []*PrivateKey{k1, k2, k3},
+ }
+
+ for i, tt := range tests {
+ ks := &PrivateKeySet{
+ keys: tt,
+ expiresAt: time.Now().Add(time.Hour),
+ }
+ km.Set(ks)
+
+ jwks, err := km.JWKs()
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ pks := NewPublicKeySet(jwks, time.Now().Add(time.Hour))
+ want := pks.Keys()
+ got, err := km.PublicKeys()
+ if err != nil {
+ t.Fatalf("Unexpected error: %v", err)
+ }
+
+ if !reflect.DeepEqual(want, got) {
+ t.Errorf("case %d: Invalid public keys: want=%v got=%v", i, want, got)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/repo.go b/vendor/github.com/coreos/go-oidc/key/repo.go
new file mode 100644
index 00000000..1acdeb36
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/repo.go
@@ -0,0 +1,55 @@
+package key
+
+import (
+ "errors"
+ "sync"
+)
+
+var ErrorNoKeys = errors.New("no keys found")
+
+type WritableKeySetRepo interface {
+ Set(KeySet) error
+}
+
+type ReadableKeySetRepo interface {
+ Get() (KeySet, error)
+}
+
+type PrivateKeySetRepo interface {
+ WritableKeySetRepo
+ ReadableKeySetRepo
+}
+
+func NewPrivateKeySetRepo() PrivateKeySetRepo {
+ return &memPrivateKeySetRepo{}
+}
+
+type memPrivateKeySetRepo struct {
+ mu sync.RWMutex
+ pks PrivateKeySet
+}
+
+func (r *memPrivateKeySetRepo) Set(ks KeySet) error {
+ pks, ok := ks.(*PrivateKeySet)
+ if !ok {
+ return errors.New("unable to cast to PrivateKeySet")
+ } else if pks == nil {
+ return errors.New("nil KeySet")
+ }
+
+ r.mu.Lock()
+ defer r.mu.Unlock()
+
+ r.pks = *pks
+ return nil
+}
+
+func (r *memPrivateKeySetRepo) Get() (KeySet, error) {
+ r.mu.RLock()
+ defer r.mu.RUnlock()
+
+ if r.pks.keys == nil {
+ return nil, ErrorNoKeys
+ }
+ return KeySet(&r.pks), nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/rotate.go b/vendor/github.com/coreos/go-oidc/key/rotate.go
new file mode 100644
index 00000000..bc6cdfb1
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/rotate.go
@@ -0,0 +1,159 @@
+package key
+
+import (
+ "errors"
+ "log"
+ "time"
+
+ ptime "github.com/coreos/pkg/timeutil"
+ "github.com/jonboulle/clockwork"
+)
+
+var (
+ ErrorPrivateKeysExpired = errors.New("private keys have expired")
+)
+
+func NewPrivateKeyRotator(repo PrivateKeySetRepo, ttl time.Duration) *PrivateKeyRotator {
+ return &PrivateKeyRotator{
+ repo: repo,
+ ttl: ttl,
+
+ keep: 2,
+ generateKey: GeneratePrivateKey,
+ clock: clockwork.NewRealClock(),
+ }
+}
+
+type PrivateKeyRotator struct {
+ repo PrivateKeySetRepo
+ generateKey GeneratePrivateKeyFunc
+ clock clockwork.Clock
+ keep int
+ ttl time.Duration
+}
+
+func (r *PrivateKeyRotator) expiresAt() time.Time {
+ return r.clock.Now().UTC().Add(r.ttl)
+}
+
+func (r *PrivateKeyRotator) Healthy() error {
+ pks, err := r.privateKeySet()
+ if err != nil {
+ return err
+ }
+
+ if r.clock.Now().After(pks.ExpiresAt()) {
+ return ErrorPrivateKeysExpired
+ }
+
+ return nil
+}
+
+func (r *PrivateKeyRotator) privateKeySet() (*PrivateKeySet, error) {
+ ks, err := r.repo.Get()
+ if err != nil {
+ return nil, err
+ }
+
+ pks, ok := ks.(*PrivateKeySet)
+ if !ok {
+ return nil, errors.New("unable to cast to PrivateKeySet")
+ }
+ return pks, nil
+}
+
+func (r *PrivateKeyRotator) nextRotation() (time.Duration, error) {
+ pks, err := r.privateKeySet()
+ if err == ErrorNoKeys {
+ return 0, nil
+ }
+ if err != nil {
+ return 0, err
+ }
+
+ now := r.clock.Now()
+
+ // Ideally, we want to rotate after half the TTL has elapsed.
+ idealRotationTime := pks.ExpiresAt().Add(-r.ttl / 2)
+
+ // If we are past the ideal rotation time, rotate immediatly.
+ return max(0, idealRotationTime.Sub(now)), nil
+}
+
+func max(a, b time.Duration) time.Duration {
+ if a > b {
+ return a
+ }
+ return b
+}
+
+func (r *PrivateKeyRotator) Run() chan struct{} {
+ attempt := func() {
+ k, err := r.generateKey()
+ if err != nil {
+ log.Printf("go-oidc: failed generating signing key: %v", err)
+ return
+ }
+
+ exp := r.expiresAt()
+ if err := rotatePrivateKeys(r.repo, k, r.keep, exp); err != nil {
+ log.Printf("go-oidc: key rotation failed: %v", err)
+ return
+ }
+ }
+
+ stop := make(chan struct{})
+ go func() {
+ for {
+ var nextRotation time.Duration
+ var sleep time.Duration
+ var err error
+ for {
+ if nextRotation, err = r.nextRotation(); err == nil {
+ break
+ }
+ sleep = ptime.ExpBackoff(sleep, time.Minute)
+ log.Printf("go-oidc: error getting nextRotation, retrying in %v: %v", sleep, err)
+ time.Sleep(sleep)
+ }
+
+ select {
+ case <-r.clock.After(nextRotation):
+ attempt()
+ case <-stop:
+ return
+ }
+ }
+ }()
+
+ return stop
+}
+
+func rotatePrivateKeys(repo PrivateKeySetRepo, k *PrivateKey, keep int, exp time.Time) error {
+ ks, err := repo.Get()
+ if err != nil && err != ErrorNoKeys {
+ return err
+ }
+
+ var keys []*PrivateKey
+ if ks != nil {
+ pks, ok := ks.(*PrivateKeySet)
+ if !ok {
+ return errors.New("unable to cast to PrivateKeySet")
+ }
+ keys = pks.Keys()
+ }
+
+ keys = append([]*PrivateKey{k}, keys...)
+ if l := len(keys); l > keep {
+ keys = keys[0:keep]
+ }
+
+ nks := PrivateKeySet{
+ keys: keys,
+ ActiveKeyID: k.ID(),
+ expiresAt: exp,
+ }
+
+ return repo.Set(KeySet(&nks))
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/rotate_test.go b/vendor/github.com/coreos/go-oidc/key/rotate_test.go
new file mode 100644
index 00000000..b66a4b86
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/rotate_test.go
@@ -0,0 +1,311 @@
+package key
+
+import (
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+)
+
+func generatePrivateKeySerialFunc(t *testing.T) GeneratePrivateKeyFunc {
+ var n int
+ return func() (*PrivateKey, error) {
+ n++
+ return generatePrivateKeyStatic(t, n), nil
+ }
+}
+
+func TestRotate(t *testing.T) {
+ now := time.Now()
+ k1 := generatePrivateKeyStatic(t, 1)
+ k2 := generatePrivateKeyStatic(t, 2)
+ k3 := generatePrivateKeyStatic(t, 3)
+
+ tests := []struct {
+ start *PrivateKeySet
+ key *PrivateKey
+ keep int
+ exp time.Time
+ want *PrivateKeySet
+ }{
+ // start with nil keys
+ {
+ start: nil,
+ key: k1,
+ keep: 2,
+ exp: now.Add(time.Second),
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(time.Second),
+ },
+ },
+ // start with zero keys
+ {
+ start: &PrivateKeySet{},
+ key: k1,
+ keep: 2,
+ exp: now.Add(time.Second),
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(time.Second),
+ },
+ },
+ // add second key
+ {
+ start: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now,
+ },
+ key: k2,
+ keep: 2,
+ exp: now.Add(time.Second),
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(time.Second),
+ },
+ },
+ // rotate in third key
+ {
+ start: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now,
+ },
+ key: k3,
+ keep: 2,
+ exp: now.Add(time.Second),
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k3, k2},
+ ActiveKeyID: k3.KeyID,
+ expiresAt: now.Add(time.Second),
+ },
+ },
+ }
+
+ for i, tt := range tests {
+ repo := NewPrivateKeySetRepo()
+ if tt.start != nil {
+ err := repo.Set(tt.start)
+ if err != nil {
+ t.Fatalf("case %d: unexpected error: %v", i, err)
+ }
+ }
+
+ rotatePrivateKeys(repo, tt.key, tt.keep, tt.exp)
+ got, err := repo.Get()
+ if err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ continue
+ }
+ if !reflect.DeepEqual(tt.want, got) {
+ t.Errorf("case %d: unexpected result: want=%#v got=%#v", i, tt.want, got)
+ }
+ }
+}
+
+func TestPrivateKeyRotatorRun(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ k1 := generatePrivateKeyStatic(t, 1)
+ k2 := generatePrivateKeyStatic(t, 2)
+ k3 := generatePrivateKeyStatic(t, 3)
+ k4 := generatePrivateKeyStatic(t, 4)
+
+ kRepo := NewPrivateKeySetRepo()
+ krot := NewPrivateKeyRotator(kRepo, 4*time.Second)
+ krot.clock = fc
+ krot.generateKey = generatePrivateKeySerialFunc(t)
+
+ steps := []*PrivateKeySet{
+ &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(4 * time.Second),
+ },
+ &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(6 * time.Second),
+ },
+ &PrivateKeySet{
+ keys: []*PrivateKey{k3, k2},
+ ActiveKeyID: k3.KeyID,
+ expiresAt: now.Add(8 * time.Second),
+ },
+ &PrivateKeySet{
+ keys: []*PrivateKey{k4, k3},
+ ActiveKeyID: k4.KeyID,
+ expiresAt: now.Add(10 * time.Second),
+ },
+ }
+
+ stop := krot.Run()
+ defer close(stop)
+
+ for i, st := range steps {
+ // wait for the rotater to get sleepy
+ fc.BlockUntil(1)
+
+ got, err := kRepo.Get()
+ if err != nil {
+ t.Fatalf("step %d: unexpected error: %v", i, err)
+ }
+ if !reflect.DeepEqual(st, got) {
+ t.Fatalf("step %d: unexpected state: want=%#v got=%#v", i, st, got)
+ }
+ fc.Advance(2 * time.Second)
+ }
+}
+
+func TestPrivateKeyRotatorExpiresAt(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ krot := &PrivateKeyRotator{
+ clock: fc,
+ ttl: time.Minute,
+ }
+ got := krot.expiresAt()
+ want := fc.Now().UTC().Add(time.Minute)
+ if !reflect.DeepEqual(want, got) {
+ t.Errorf("Incorrect expiration time: want=%v got=%v", want, got)
+ }
+}
+
+func TestNextRotation(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ tests := []struct {
+ expiresAt time.Time
+ ttl time.Duration
+ numKeys int
+ expected time.Duration
+ }{
+ {
+ // closest to prod
+ expiresAt: now.Add(time.Hour * 24),
+ ttl: time.Hour * 24,
+ numKeys: 2,
+ expected: time.Hour * 12,
+ },
+ {
+ expiresAt: now.Add(time.Hour * 2),
+ ttl: time.Hour * 4,
+ numKeys: 2,
+ expected: 0,
+ },
+ {
+ // No keys.
+ expiresAt: now.Add(time.Hour * 2),
+ ttl: time.Hour * 4,
+ numKeys: 0,
+ expected: 0,
+ },
+ {
+ // Nil keyset.
+ expiresAt: now.Add(time.Hour * 2),
+ ttl: time.Hour * 4,
+ numKeys: -1,
+ expected: 0,
+ },
+ {
+ // KeySet expired.
+ expiresAt: now.Add(time.Hour * -2),
+ ttl: time.Hour * 4,
+ numKeys: 2,
+ expected: 0,
+ },
+ {
+ // Expiry past now + TTL
+ expiresAt: now.Add(time.Hour * 5),
+ ttl: time.Hour * 4,
+ numKeys: 2,
+ expected: 3 * time.Hour,
+ },
+ }
+
+ for i, tt := range tests {
+ kRepo := NewPrivateKeySetRepo()
+ krot := NewPrivateKeyRotator(kRepo, tt.ttl)
+ krot.clock = fc
+ pks := &PrivateKeySet{
+ expiresAt: tt.expiresAt,
+ }
+ if tt.numKeys != -1 {
+ for n := 0; n < tt.numKeys; n++ {
+ pks.keys = append(pks.keys, generatePrivateKeyStatic(t, n))
+ }
+ err := kRepo.Set(pks)
+ if err != nil {
+ t.Fatalf("case %d: unexpected error: %v", i, err)
+ }
+
+ }
+ actual, err := krot.nextRotation()
+ if err != nil {
+ t.Errorf("case %d: error calling shouldRotate(): %v", i, err)
+ }
+ if actual != tt.expected {
+ t.Errorf("case %d: actual == %v, want %v", i, actual, tt.expected)
+ }
+ }
+}
+
+func TestHealthy(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ tests := []struct {
+ expiresAt time.Time
+ numKeys int
+ expected error
+ }{
+ {
+ expiresAt: now.Add(time.Hour),
+ numKeys: 2,
+ expected: nil,
+ },
+ {
+ expiresAt: now.Add(time.Hour),
+ numKeys: -1,
+ expected: ErrorNoKeys,
+ },
+ {
+ expiresAt: now.Add(time.Hour),
+ numKeys: 0,
+ expected: ErrorNoKeys,
+ },
+ {
+ expiresAt: now.Add(-time.Hour),
+ numKeys: 2,
+ expected: ErrorPrivateKeysExpired,
+ },
+ }
+
+ for i, tt := range tests {
+ kRepo := NewPrivateKeySetRepo()
+ krot := NewPrivateKeyRotator(kRepo, time.Hour)
+ krot.clock = fc
+ pks := &PrivateKeySet{
+ expiresAt: tt.expiresAt,
+ }
+ if tt.numKeys != -1 {
+ for n := 0; n < tt.numKeys; n++ {
+ pks.keys = append(pks.keys, generatePrivateKeyStatic(t, n))
+ }
+ err := kRepo.Set(pks)
+ if err != nil {
+ t.Fatalf("case %d: unexpected error: %v", i, err)
+ }
+
+ }
+ if err := krot.Healthy(); err != tt.expected {
+ t.Errorf("case %d: got==%q, want==%q", i, err, tt.expected)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/sync.go b/vendor/github.com/coreos/go-oidc/key/sync.go
new file mode 100644
index 00000000..b887f7b5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/sync.go
@@ -0,0 +1,91 @@
+package key
+
+import (
+ "errors"
+ "log"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+
+ "github.com/coreos/pkg/timeutil"
+)
+
+func NewKeySetSyncer(r ReadableKeySetRepo, w WritableKeySetRepo) *KeySetSyncer {
+ return &KeySetSyncer{
+ readable: r,
+ writable: w,
+ clock: clockwork.NewRealClock(),
+ }
+}
+
+type KeySetSyncer struct {
+ readable ReadableKeySetRepo
+ writable WritableKeySetRepo
+ clock clockwork.Clock
+}
+
+func (s *KeySetSyncer) Run() chan struct{} {
+ stop := make(chan struct{})
+ go func() {
+ var failing bool
+ var next time.Duration
+ for {
+ exp, err := syncKeySet(s.readable, s.writable, s.clock)
+ if err != nil || exp == 0 {
+ if !failing {
+ failing = true
+ next = time.Second
+ } else {
+ next = timeutil.ExpBackoff(next, time.Minute)
+ }
+ if exp == 0 {
+ log.Printf("Synced to already expired key set, retrying in %v: %v", next, err)
+
+ } else {
+ log.Printf("Failed syncing key set, retrying in %v: %v", next, err)
+ }
+ } else {
+ failing = false
+ next = exp / 2
+ }
+
+ select {
+ case <-s.clock.After(next):
+ continue
+ case <-stop:
+ return
+ }
+ }
+ }()
+
+ return stop
+}
+
+func Sync(r ReadableKeySetRepo, w WritableKeySetRepo) (time.Duration, error) {
+ return syncKeySet(r, w, clockwork.NewRealClock())
+}
+
+// syncKeySet copies the keyset from r to the KeySet at w and returns the duration in which the KeySet will expire.
+// If keyset has already expired, returns a zero duration.
+func syncKeySet(r ReadableKeySetRepo, w WritableKeySetRepo, clock clockwork.Clock) (exp time.Duration, err error) {
+ var ks KeySet
+ ks, err = r.Get()
+ if err != nil {
+ return
+ }
+
+ if ks == nil {
+ err = errors.New("no source KeySet")
+ return
+ }
+
+ if err = w.Set(ks); err != nil {
+ return
+ }
+
+ now := clock.Now()
+ if ks.ExpiresAt().After(now) {
+ exp = ks.ExpiresAt().Sub(now)
+ }
+ return
+}
diff --git a/vendor/github.com/coreos/go-oidc/key/sync_test.go b/vendor/github.com/coreos/go-oidc/key/sync_test.go
new file mode 100644
index 00000000..1f077401
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/key/sync_test.go
@@ -0,0 +1,214 @@
+package key
+
+import (
+ "errors"
+ "reflect"
+ "sync"
+ "testing"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+)
+
+type staticReadableKeySetRepo struct {
+ mu sync.RWMutex
+ ks KeySet
+ err error
+}
+
+func (r *staticReadableKeySetRepo) Get() (KeySet, error) {
+ r.mu.RLock()
+ defer r.mu.RUnlock()
+ return r.ks, r.err
+}
+
+func (r *staticReadableKeySetRepo) set(ks KeySet, err error) {
+ r.mu.Lock()
+ defer r.mu.Unlock()
+ r.ks, r.err = ks, err
+}
+
+func TestKeySyncerSync(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ k1 := generatePrivateKeyStatic(t, 1)
+ k2 := generatePrivateKeyStatic(t, 2)
+ k3 := generatePrivateKeyStatic(t, 3)
+
+ steps := []struct {
+ fromKS KeySet
+ fromErr error
+ advance time.Duration
+ want *PrivateKeySet
+ }{
+ // on startup, first sync should trigger within a second
+ {
+ fromKS: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(10 * time.Second),
+ },
+ advance: time.Second,
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(10 * time.Second),
+ },
+ },
+ // advance halfway into TTL, triggering sync
+ {
+ fromKS: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(15 * time.Second),
+ },
+ advance: 5 * time.Second,
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(15 * time.Second),
+ },
+ },
+
+ // advance halfway into TTL, triggering sync that fails
+ {
+ fromErr: errors.New("fail!"),
+ advance: 10 * time.Second,
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(15 * time.Second),
+ },
+ },
+
+ // sync retries quickly, and succeeds with fixed data
+ {
+ fromKS: &PrivateKeySet{
+ keys: []*PrivateKey{k3, k2, k1},
+ ActiveKeyID: k3.KeyID,
+ expiresAt: now.Add(25 * time.Second),
+ },
+ advance: 3 * time.Second,
+ want: &PrivateKeySet{
+ keys: []*PrivateKey{k3, k2, k1},
+ ActiveKeyID: k3.KeyID,
+ expiresAt: now.Add(25 * time.Second),
+ },
+ },
+ }
+
+ from := &staticReadableKeySetRepo{}
+ to := NewPrivateKeySetRepo()
+
+ syncer := NewKeySetSyncer(from, to)
+ syncer.clock = fc
+ stop := syncer.Run()
+ defer close(stop)
+
+ for i, st := range steps {
+ from.set(st.fromKS, st.fromErr)
+
+ fc.Advance(st.advance)
+ fc.BlockUntil(1)
+
+ ks, err := to.Get()
+ if err != nil {
+ t.Fatalf("step %d: unable to get keys: %v", i, err)
+ }
+ if !reflect.DeepEqual(st.want, ks) {
+ t.Fatalf("step %d: incorrect state: want=%#v got=%#v", i, st.want, ks)
+ }
+ }
+}
+
+func TestSync(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ k1 := generatePrivateKeyStatic(t, 1)
+ k2 := generatePrivateKeyStatic(t, 2)
+ k3 := generatePrivateKeyStatic(t, 3)
+
+ tests := []struct {
+ keySet *PrivateKeySet
+ want time.Duration
+ }{
+ {
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(time.Minute),
+ },
+ want: time.Minute,
+ },
+ {
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(time.Minute),
+ },
+ want: time.Minute,
+ },
+ {
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{k3, k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(time.Minute),
+ },
+ want: time.Minute,
+ },
+ {
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{k2, k1},
+ ActiveKeyID: k2.KeyID,
+ expiresAt: now.Add(time.Hour),
+ },
+ want: time.Hour,
+ },
+ {
+ keySet: &PrivateKeySet{
+ keys: []*PrivateKey{k1},
+ ActiveKeyID: k1.KeyID,
+ expiresAt: now.Add(-time.Hour),
+ },
+ want: 0,
+ },
+ }
+
+ for i, tt := range tests {
+ from := NewPrivateKeySetRepo()
+ to := NewPrivateKeySetRepo()
+
+ err := from.Set(tt.keySet)
+ if err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ continue
+ }
+ exp, err := syncKeySet(from, to, fc)
+ if err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ continue
+ }
+
+ if tt.want != exp {
+ t.Errorf("case %d: want=%v got=%v", i, tt.want, exp)
+ }
+ }
+}
+
+func TestSyncFail(t *testing.T) {
+ tests := []error{
+ nil,
+ errors.New("fail!"),
+ }
+
+ for i, tt := range tests {
+ from := &staticReadableKeySetRepo{ks: nil, err: tt}
+ to := NewPrivateKeySetRepo()
+
+ if _, err := syncKeySet(from, to, clockwork.NewFakeClock()); err == nil {
+ t.Errorf("case %d: expected non-nil error", i)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oauth2/doc.go b/vendor/github.com/coreos/go-oidc/oauth2/doc.go
new file mode 100644
index 00000000..52eb3085
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oauth2/doc.go
@@ -0,0 +1,2 @@
+// Package oauth2 is DEPRECATED. Use golang.org/x/oauth instead.
+package oauth2
diff --git a/vendor/github.com/coreos/go-oidc/oauth2/error.go b/vendor/github.com/coreos/go-oidc/oauth2/error.go
new file mode 100644
index 00000000..50d89094
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oauth2/error.go
@@ -0,0 +1,29 @@
+package oauth2
+
+const (
+ ErrorAccessDenied = "access_denied"
+ ErrorInvalidClient = "invalid_client"
+ ErrorInvalidGrant = "invalid_grant"
+ ErrorInvalidRequest = "invalid_request"
+ ErrorServerError = "server_error"
+ ErrorUnauthorizedClient = "unauthorized_client"
+ ErrorUnsupportedGrantType = "unsupported_grant_type"
+ ErrorUnsupportedResponseType = "unsupported_response_type"
+)
+
+type Error struct {
+ Type string `json:"error"`
+ Description string `json:"error_description,omitempty"`
+ State string `json:"state,omitempty"`
+}
+
+func (e *Error) Error() string {
+ if e.Description != "" {
+ return e.Type + ": " + e.Description
+ }
+ return e.Type
+}
+
+func NewError(typ string) *Error {
+ return &Error{Type: typ}
+}
diff --git a/vendor/github.com/coreos/go-oidc/oauth2/oauth2.go b/vendor/github.com/coreos/go-oidc/oauth2/oauth2.go
new file mode 100644
index 00000000..72d1d671
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oauth2/oauth2.go
@@ -0,0 +1,416 @@
+package oauth2
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io/ioutil"
+ "mime"
+ "net/http"
+ "net/url"
+ "sort"
+ "strconv"
+ "strings"
+
+ phttp "github.com/coreos/go-oidc/http"
+)
+
+// ResponseTypesEqual compares two response_type values. If either
+// contains a space, it is treated as an unordered list. For example,
+// comparing "code id_token" and "id_token code" would evaluate to true.
+func ResponseTypesEqual(r1, r2 string) bool {
+ if !strings.Contains(r1, " ") || !strings.Contains(r2, " ") {
+ // fast route, no split needed
+ return r1 == r2
+ }
+
+ // split, sort, and compare
+ r1Fields := strings.Fields(r1)
+ r2Fields := strings.Fields(r2)
+ if len(r1Fields) != len(r2Fields) {
+ return false
+ }
+ sort.Strings(r1Fields)
+ sort.Strings(r2Fields)
+ for i, r1Field := range r1Fields {
+ if r1Field != r2Fields[i] {
+ return false
+ }
+ }
+ return true
+}
+
+const (
+ // OAuth2.0 response types registered by OIDC.
+ //
+ // See: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#RegistryContents
+ ResponseTypeCode = "code"
+ ResponseTypeCodeIDToken = "code id_token"
+ ResponseTypeCodeIDTokenToken = "code id_token token"
+ ResponseTypeIDToken = "id_token"
+ ResponseTypeIDTokenToken = "id_token token"
+ ResponseTypeToken = "token"
+ ResponseTypeNone = "none"
+)
+
+const (
+ GrantTypeAuthCode = "authorization_code"
+ GrantTypeClientCreds = "client_credentials"
+ GrantTypeUserCreds = "password"
+ GrantTypeImplicit = "implicit"
+ GrantTypeRefreshToken = "refresh_token"
+
+ AuthMethodClientSecretPost = "client_secret_post"
+ AuthMethodClientSecretBasic = "client_secret_basic"
+ AuthMethodClientSecretJWT = "client_secret_jwt"
+ AuthMethodPrivateKeyJWT = "private_key_jwt"
+)
+
+type Config struct {
+ Credentials ClientCredentials
+ Scope []string
+ RedirectURL string
+ AuthURL string
+ TokenURL string
+
+ // Must be one of the AuthMethodXXX methods above. Right now, only
+ // AuthMethodClientSecretPost and AuthMethodClientSecretBasic are supported.
+ AuthMethod string
+}
+
+type Client struct {
+ hc phttp.Client
+ creds ClientCredentials
+ scope []string
+ authURL *url.URL
+ redirectURL *url.URL
+ tokenURL *url.URL
+ authMethod string
+}
+
+type ClientCredentials struct {
+ ID string
+ Secret string
+}
+
+func NewClient(hc phttp.Client, cfg Config) (c *Client, err error) {
+ if len(cfg.Credentials.ID) == 0 {
+ err = errors.New("missing client id")
+ return
+ }
+
+ if len(cfg.Credentials.Secret) == 0 {
+ err = errors.New("missing client secret")
+ return
+ }
+
+ if cfg.AuthMethod == "" {
+ cfg.AuthMethod = AuthMethodClientSecretBasic
+ } else if cfg.AuthMethod != AuthMethodClientSecretPost && cfg.AuthMethod != AuthMethodClientSecretBasic {
+ err = fmt.Errorf("auth method %q is not supported", cfg.AuthMethod)
+ return
+ }
+
+ au, err := phttp.ParseNonEmptyURL(cfg.AuthURL)
+ if err != nil {
+ return
+ }
+
+ tu, err := phttp.ParseNonEmptyURL(cfg.TokenURL)
+ if err != nil {
+ return
+ }
+
+ // Allow empty redirect URL in the case where the client
+ // only needs to verify a given token.
+ ru, err := url.Parse(cfg.RedirectURL)
+ if err != nil {
+ return
+ }
+
+ c = &Client{
+ creds: cfg.Credentials,
+ scope: cfg.Scope,
+ redirectURL: ru,
+ authURL: au,
+ tokenURL: tu,
+ hc: hc,
+ authMethod: cfg.AuthMethod,
+ }
+
+ return
+}
+
+// Return the embedded HTTP client
+func (c *Client) HttpClient() phttp.Client {
+ return c.hc
+}
+
+// Generate the url for initial redirect to oauth provider.
+func (c *Client) AuthCodeURL(state, accessType, prompt string) string {
+ v := c.commonURLValues()
+ v.Set("state", state)
+ if strings.ToLower(accessType) == "offline" {
+ v.Set("access_type", "offline")
+ }
+
+ if prompt != "" {
+ v.Set("prompt", prompt)
+ }
+ v.Set("response_type", "code")
+
+ q := v.Encode()
+ u := *c.authURL
+ if u.RawQuery == "" {
+ u.RawQuery = q
+ } else {
+ u.RawQuery += "&" + q
+ }
+ return u.String()
+}
+
+func (c *Client) commonURLValues() url.Values {
+ return url.Values{
+ "redirect_uri": {c.redirectURL.String()},
+ "scope": {strings.Join(c.scope, " ")},
+ "client_id": {c.creds.ID},
+ }
+}
+
+func (c *Client) newAuthenticatedRequest(urlToken string, values url.Values) (*http.Request, error) {
+ var req *http.Request
+ var err error
+ switch c.authMethod {
+ case AuthMethodClientSecretPost:
+ values.Set("client_secret", c.creds.Secret)
+ req, err = http.NewRequest("POST", urlToken, strings.NewReader(values.Encode()))
+ if err != nil {
+ return nil, err
+ }
+ case AuthMethodClientSecretBasic:
+ req, err = http.NewRequest("POST", urlToken, strings.NewReader(values.Encode()))
+ if err != nil {
+ return nil, err
+ }
+ encodedID := url.QueryEscape(c.creds.ID)
+ encodedSecret := url.QueryEscape(c.creds.Secret)
+ req.SetBasicAuth(encodedID, encodedSecret)
+ default:
+ panic("misconfigured client: auth method not supported")
+ }
+
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+ return req, nil
+
+}
+
+// ClientCredsToken posts the client id and secret to obtain a token scoped to the OAuth2 client via the "client_credentials" grant type.
+// May not be supported by all OAuth2 servers.
+func (c *Client) ClientCredsToken(scope []string) (result TokenResponse, err error) {
+ v := url.Values{
+ "scope": {strings.Join(scope, " ")},
+ "grant_type": {GrantTypeClientCreds},
+ }
+
+ req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+ if err != nil {
+ return
+ }
+
+ resp, err := c.hc.Do(req)
+ if err != nil {
+ return
+ }
+ defer resp.Body.Close()
+
+ return parseTokenResponse(resp)
+}
+
+// UserCredsToken posts the username and password to obtain a token scoped to the OAuth2 client via the "password" grant_type
+// May not be supported by all OAuth2 servers.
+func (c *Client) UserCredsToken(username, password string) (result TokenResponse, err error) {
+ v := url.Values{
+ "scope": {strings.Join(c.scope, " ")},
+ "grant_type": {GrantTypeUserCreds},
+ "username": {username},
+ "password": {password},
+ }
+
+ req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+ if err != nil {
+ return
+ }
+
+ resp, err := c.hc.Do(req)
+ if err != nil {
+ return
+ }
+ defer resp.Body.Close()
+
+ return parseTokenResponse(resp)
+}
+
+// RequestToken requests a token from the Token Endpoint with the specified grantType.
+// If 'grantType' == GrantTypeAuthCode, then 'value' should be the authorization code.
+// If 'grantType' == GrantTypeRefreshToken, then 'value' should be the refresh token.
+func (c *Client) RequestToken(grantType, value string) (result TokenResponse, err error) {
+ v := c.commonURLValues()
+
+ v.Set("grant_type", grantType)
+ v.Set("client_secret", c.creds.Secret)
+ switch grantType {
+ case GrantTypeAuthCode:
+ v.Set("code", value)
+ case GrantTypeRefreshToken:
+ v.Set("refresh_token", value)
+ default:
+ err = fmt.Errorf("unsupported grant_type: %v", grantType)
+ return
+ }
+
+ req, err := c.newAuthenticatedRequest(c.tokenURL.String(), v)
+ if err != nil {
+ return
+ }
+
+ resp, err := c.hc.Do(req)
+ if err != nil {
+ return
+ }
+ defer resp.Body.Close()
+
+ return parseTokenResponse(resp)
+}
+
+func parseTokenResponse(resp *http.Response) (result TokenResponse, err error) {
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return
+ }
+ badStatusCode := resp.StatusCode < 200 || resp.StatusCode > 299
+
+ contentType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
+ if err != nil {
+ return
+ }
+
+ result = TokenResponse{
+ RawBody: body,
+ }
+
+ newError := func(typ, desc, state string) error {
+ if typ == "" {
+ return fmt.Errorf("unrecognized error %s", body)
+ }
+ return &Error{typ, desc, state}
+ }
+
+ if contentType == "application/x-www-form-urlencoded" || contentType == "text/plain" {
+ var vals url.Values
+ vals, err = url.ParseQuery(string(body))
+ if err != nil {
+ return
+ }
+ if error := vals.Get("error"); error != "" || badStatusCode {
+ err = newError(error, vals.Get("error_description"), vals.Get("state"))
+ return
+ }
+ e := vals.Get("expires_in")
+ if e == "" {
+ e = vals.Get("expires")
+ }
+ if e != "" {
+ result.Expires, err = strconv.Atoi(e)
+ if err != nil {
+ return
+ }
+ }
+ result.AccessToken = vals.Get("access_token")
+ result.TokenType = vals.Get("token_type")
+ result.IDToken = vals.Get("id_token")
+ result.RefreshToken = vals.Get("refresh_token")
+ result.Scope = vals.Get("scope")
+ } else {
+ var r struct {
+ AccessToken string `json:"access_token"`
+ TokenType string `json:"token_type"`
+ IDToken string `json:"id_token"`
+ RefreshToken string `json:"refresh_token"`
+ Scope string `json:"scope"`
+ State string `json:"state"`
+ ExpiresIn json.Number `json:"expires_in"` // Azure AD returns string
+ Expires int `json:"expires"`
+ Error string `json:"error"`
+ Desc string `json:"error_description"`
+ }
+ if err = json.Unmarshal(body, &r); err != nil {
+ return
+ }
+ if r.Error != "" || badStatusCode {
+ err = newError(r.Error, r.Desc, r.State)
+ return
+ }
+ result.AccessToken = r.AccessToken
+ result.TokenType = r.TokenType
+ result.IDToken = r.IDToken
+ result.RefreshToken = r.RefreshToken
+ result.Scope = r.Scope
+ if expiresIn, err := r.ExpiresIn.Int64(); err != nil {
+ result.Expires = r.Expires
+ } else {
+ result.Expires = int(expiresIn)
+ }
+ }
+ return
+}
+
+type TokenResponse struct {
+ AccessToken string
+ TokenType string
+ Expires int
+ IDToken string
+ RefreshToken string // OPTIONAL.
+ Scope string // OPTIONAL, if identical to the scope requested by the client, otherwise, REQUIRED.
+ RawBody []byte // In case callers need some other non-standard info from the token response
+}
+
+type AuthCodeRequest struct {
+ ResponseType string
+ ClientID string
+ RedirectURL *url.URL
+ Scope []string
+ State string
+}
+
+func ParseAuthCodeRequest(q url.Values) (AuthCodeRequest, error) {
+ acr := AuthCodeRequest{
+ ResponseType: q.Get("response_type"),
+ ClientID: q.Get("client_id"),
+ State: q.Get("state"),
+ Scope: make([]string, 0),
+ }
+
+ qs := strings.TrimSpace(q.Get("scope"))
+ if qs != "" {
+ acr.Scope = strings.Split(qs, " ")
+ }
+
+ err := func() error {
+ if acr.ClientID == "" {
+ return NewError(ErrorInvalidRequest)
+ }
+
+ redirectURL := q.Get("redirect_uri")
+ if redirectURL != "" {
+ ru, err := url.Parse(redirectURL)
+ if err != nil {
+ return NewError(ErrorInvalidRequest)
+ }
+ acr.RedirectURL = ru
+ }
+
+ return nil
+ }()
+
+ return acr, err
+}
diff --git a/vendor/github.com/coreos/go-oidc/oauth2/oauth2_test.go b/vendor/github.com/coreos/go-oidc/oauth2/oauth2_test.go
new file mode 100644
index 00000000..0267a84f
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oauth2/oauth2_test.go
@@ -0,0 +1,518 @@
+package oauth2
+
+import (
+ "errors"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+ "reflect"
+ "strconv"
+ "strings"
+ "testing"
+
+ phttp "github.com/coreos/go-oidc/http"
+)
+
+func TestResponseTypesEqual(t *testing.T) {
+ tests := []struct {
+ r1, r2 string
+ want bool
+ }{
+ {"code", "code", true},
+ {"id_token", "code", false},
+ {"code token", "token code", true},
+ {"code token", "code token", true},
+ {"foo", "bar code", false},
+ {"code token id_token", "token id_token code", true},
+ {"code token id_token", "token id_token code zoo", false},
+ }
+
+ for i, tt := range tests {
+ got1 := ResponseTypesEqual(tt.r1, tt.r2)
+ got2 := ResponseTypesEqual(tt.r2, tt.r1)
+ if got1 != got2 {
+ t.Errorf("case %d: got different answers with different orders", i)
+ }
+ if tt.want != got1 {
+ t.Errorf("case %d: want=%t, got=%t", i, tt.want, got1)
+ }
+ }
+}
+
+func TestParseAuthCodeRequest(t *testing.T) {
+ tests := []struct {
+ query url.Values
+ wantACR AuthCodeRequest
+ wantErr error
+ }{
+ // no redirect_uri
+ {
+ query: url.Values{
+ "response_type": []string{"code"},
+ "scope": []string{"foo bar baz"},
+ "client_id": []string{"XXX"},
+ "state": []string{"pants"},
+ },
+ wantACR: AuthCodeRequest{
+ ResponseType: "code",
+ ClientID: "XXX",
+ Scope: []string{"foo", "bar", "baz"},
+ State: "pants",
+ RedirectURL: nil,
+ },
+ },
+
+ // with redirect_uri
+ {
+ query: url.Values{
+ "response_type": []string{"code"},
+ "redirect_uri": []string{"https://127.0.0.1:5555/callback?foo=bar"},
+ "scope": []string{"foo bar baz"},
+ "client_id": []string{"XXX"},
+ "state": []string{"pants"},
+ },
+ wantACR: AuthCodeRequest{
+ ResponseType: "code",
+ ClientID: "XXX",
+ Scope: []string{"foo", "bar", "baz"},
+ State: "pants",
+ RedirectURL: &url.URL{
+ Scheme: "https",
+ Host: "127.0.0.1:5555",
+ Path: "/callback",
+ RawQuery: "foo=bar",
+ },
+ },
+ },
+
+ // unsupported response_type doesn't trigger error
+ {
+ query: url.Values{
+ "response_type": []string{"token"},
+ "redirect_uri": []string{"https://127.0.0.1:5555/callback?foo=bar"},
+ "scope": []string{"foo bar baz"},
+ "client_id": []string{"XXX"},
+ "state": []string{"pants"},
+ },
+ wantACR: AuthCodeRequest{
+ ResponseType: "token",
+ ClientID: "XXX",
+ Scope: []string{"foo", "bar", "baz"},
+ State: "pants",
+ RedirectURL: &url.URL{
+ Scheme: "https",
+ Host: "127.0.0.1:5555",
+ Path: "/callback",
+ RawQuery: "foo=bar",
+ },
+ },
+ },
+
+ // unparseable redirect_uri
+ {
+ query: url.Values{
+ "response_type": []string{"code"},
+ "redirect_uri": []string{":"},
+ "scope": []string{"foo bar baz"},
+ "client_id": []string{"XXX"},
+ "state": []string{"pants"},
+ },
+ wantACR: AuthCodeRequest{
+ ResponseType: "code",
+ ClientID: "XXX",
+ Scope: []string{"foo", "bar", "baz"},
+ State: "pants",
+ },
+ wantErr: NewError(ErrorInvalidRequest),
+ },
+
+ // no client_id, redirect_uri not parsed
+ {
+ query: url.Values{
+ "response_type": []string{"code"},
+ "redirect_uri": []string{"https://127.0.0.1:5555/callback?foo=bar"},
+ "scope": []string{"foo bar baz"},
+ "client_id": []string{},
+ "state": []string{"pants"},
+ },
+ wantACR: AuthCodeRequest{
+ ResponseType: "code",
+ ClientID: "",
+ Scope: []string{"foo", "bar", "baz"},
+ State: "pants",
+ RedirectURL: nil,
+ },
+ wantErr: NewError(ErrorInvalidRequest),
+ },
+ }
+
+ for i, tt := range tests {
+ got, err := ParseAuthCodeRequest(tt.query)
+ if !reflect.DeepEqual(tt.wantErr, err) {
+ t.Errorf("case %d: incorrect error value: want=%q got=%q", i, tt.wantErr, err)
+ }
+
+ if !reflect.DeepEqual(tt.wantACR, got) {
+ t.Errorf("case %d: incorrect AuthCodeRequest value: want=%#v got=%#v", i, tt.wantACR, got)
+ }
+ }
+}
+
+type fakeBadClient struct {
+ Request *http.Request
+ err error
+}
+
+func (f *fakeBadClient) Do(r *http.Request) (*http.Response, error) {
+ f.Request = r
+ return nil, f.err
+}
+
+func TestClientCredsToken(t *testing.T) {
+ hc := &fakeBadClient{nil, errors.New("error")}
+ cfg := Config{
+ Credentials: ClientCredentials{ID: "c#id", Secret: "c secret"},
+ Scope: []string{"foo-scope", "bar-scope"},
+ TokenURL: "http://example.com/token",
+ AuthMethod: AuthMethodClientSecretBasic,
+ RedirectURL: "http://example.com/redirect",
+ AuthURL: "http://example.com/auth",
+ }
+
+ c, err := NewClient(hc, cfg)
+ if err != nil {
+ t.Errorf("unexpected error %v", err)
+ }
+
+ scope := []string{"openid"}
+ c.ClientCredsToken(scope)
+ if hc.Request == nil {
+ t.Error("request is empty")
+ }
+
+ tu := hc.Request.URL.String()
+ if cfg.TokenURL != tu {
+ t.Errorf("wrong token url, want=%v, got=%v", cfg.TokenURL, tu)
+ }
+
+ ct := hc.Request.Header.Get("Content-Type")
+ if ct != "application/x-www-form-urlencoded" {
+ t.Errorf("wrong content-type, want=application/x-www-form-urlencoded, got=%v", ct)
+ }
+
+ cid, secret, ok := phttp.BasicAuth(hc.Request)
+ if !ok {
+ t.Error("unexpected error parsing basic auth")
+ }
+
+ if url.QueryEscape(cfg.Credentials.ID) != cid {
+ t.Errorf("wrong client ID, want=%v, got=%v", cfg.Credentials.ID, cid)
+ }
+
+ if url.QueryEscape(cfg.Credentials.Secret) != secret {
+ t.Errorf("wrong client secret, want=%v, got=%v", cfg.Credentials.Secret, secret)
+ }
+
+ err = hc.Request.ParseForm()
+ if err != nil {
+ t.Error("unexpected error parsing form")
+ }
+
+ gt := hc.Request.PostForm.Get("grant_type")
+ if gt != GrantTypeClientCreds {
+ t.Errorf("wrong grant_type, want=%v, got=%v", GrantTypeClientCreds, gt)
+ }
+
+ sc := strings.Split(hc.Request.PostForm.Get("scope"), " ")
+ if !reflect.DeepEqual(scope, sc) {
+ t.Errorf("wrong scope, want=%v, got=%v", scope, sc)
+ }
+}
+
+func TestUserCredsToken(t *testing.T) {
+ hc := &fakeBadClient{nil, errors.New("error")}
+ cfg := Config{
+ Credentials: ClientCredentials{ID: "c#id", Secret: "c secret"},
+ Scope: []string{"foo-scope", "bar-scope"},
+ TokenURL: "http://example.com/token",
+ AuthMethod: AuthMethodClientSecretBasic,
+ RedirectURL: "http://example.com/redirect",
+ AuthURL: "http://example.com/auth",
+ }
+
+ c, err := NewClient(hc, cfg)
+ if err != nil {
+ t.Errorf("unexpected error %v", err)
+ }
+
+ c.UserCredsToken("username", "password")
+ if hc.Request == nil {
+ t.Error("request is empty")
+ }
+
+ tu := hc.Request.URL.String()
+ if cfg.TokenURL != tu {
+ t.Errorf("wrong token url, want=%v, got=%v", cfg.TokenURL, tu)
+ }
+
+ ct := hc.Request.Header.Get("Content-Type")
+ if ct != "application/x-www-form-urlencoded" {
+ t.Errorf("wrong content-type, want=application/x-www-form-urlencoded, got=%v", ct)
+ }
+
+ cid, secret, ok := phttp.BasicAuth(hc.Request)
+ if !ok {
+ t.Error("unexpected error parsing basic auth")
+ }
+
+ if url.QueryEscape(cfg.Credentials.ID) != cid {
+ t.Errorf("wrong client ID, want=%v, got=%v", cfg.Credentials.ID, cid)
+ }
+
+ if url.QueryEscape(cfg.Credentials.Secret) != secret {
+ t.Errorf("wrong client secret, want=%v, got=%v", cfg.Credentials.Secret, secret)
+ }
+
+ err = hc.Request.ParseForm()
+ if err != nil {
+ t.Error("unexpected error parsing form")
+ }
+
+ gt := hc.Request.PostForm.Get("grant_type")
+ if gt != GrantTypeUserCreds {
+ t.Errorf("wrong grant_type, want=%v, got=%v", GrantTypeUserCreds, gt)
+ }
+
+ sc := strings.Split(hc.Request.PostForm.Get("scope"), " ")
+ if !reflect.DeepEqual(c.scope, sc) {
+ t.Errorf("wrong scope, want=%v, got=%v", c.scope, sc)
+ }
+}
+
+func TestNewAuthenticatedRequest(t *testing.T) {
+ tests := []struct {
+ authMethod string
+ url string
+ values url.Values
+ }{
+ {
+ authMethod: AuthMethodClientSecretBasic,
+ url: "http://example.com/token",
+ values: url.Values{},
+ },
+ {
+ authMethod: AuthMethodClientSecretPost,
+ url: "http://example.com/token",
+ values: url.Values{},
+ },
+ }
+
+ for i, tt := range tests {
+ cfg := Config{
+ Credentials: ClientCredentials{ID: "c#id", Secret: "c secret"},
+ Scope: []string{"foo-scope", "bar-scope"},
+ TokenURL: "http://example.com/token",
+ AuthURL: "http://example.com/auth",
+ RedirectURL: "http://example.com/redirect",
+ AuthMethod: tt.authMethod,
+ }
+ c, err := NewClient(nil, cfg)
+ req, err := c.newAuthenticatedRequest(tt.url, tt.values)
+ if err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ continue
+ }
+ err = req.ParseForm()
+ if err != nil {
+ t.Errorf("case %d: want nil err, got %v", i, err)
+ }
+
+ if tt.authMethod == AuthMethodClientSecretBasic {
+ cid, secret, ok := phttp.BasicAuth(req)
+ if !ok {
+ t.Errorf("case %d: !ok parsing Basic Auth headers", i)
+ continue
+ }
+ if cid != url.QueryEscape(cfg.Credentials.ID) {
+ t.Errorf("case %d: want CID == %q, got CID == %q", i, cfg.Credentials.ID, cid)
+ }
+ if secret != url.QueryEscape(cfg.Credentials.Secret) {
+ t.Errorf("case %d: want secret == %q, got secret == %q", i, cfg.Credentials.Secret, secret)
+ }
+ } else if tt.authMethod == AuthMethodClientSecretPost {
+ if req.PostFormValue("client_secret") != cfg.Credentials.Secret {
+ t.Errorf("case %d: want client_secret == %q, got client_secret == %q",
+ i, cfg.Credentials.Secret, req.PostFormValue("client_secret"))
+ }
+ }
+
+ for k, v := range tt.values {
+ if !reflect.DeepEqual(v, req.PostForm[k]) {
+ t.Errorf("case %d: key:%q want==%q, got==%q", i, k, v, req.PostForm[k])
+ }
+ }
+
+ if req.URL.String() != tt.url {
+ t.Errorf("case %d: want URL==%q, got URL==%q", i, tt.url, req.URL.String())
+ }
+
+ }
+}
+
+func TestParseTokenResponse(t *testing.T) {
+ type response struct {
+ body string
+ contentType string
+ statusCode int // defaults to http.StatusOK
+ }
+ tests := []struct {
+ resp response
+ wantResp TokenResponse
+ wantError *Error
+ }{
+ {
+ resp: response{
+ body: "{ \"error\": \"invalid_client\", \"state\": \"foo\" }",
+ contentType: "application/json",
+ statusCode: http.StatusBadRequest,
+ },
+ wantError: &Error{Type: "invalid_client", State: "foo"},
+ },
+ {
+ resp: response{
+ body: "{ \"error\": \"invalid_request\", \"state\": \"bar\" }",
+ contentType: "application/json",
+ statusCode: http.StatusBadRequest,
+ },
+ wantError: &Error{Type: "invalid_request", State: "bar"},
+ },
+ {
+ // Actual response from bitbucket
+ resp: response{
+ body: `{"error_description": "Invalid OAuth client credentials", "error": "unauthorized_client"}`,
+ contentType: "application/json",
+ statusCode: http.StatusBadRequest,
+ },
+ wantError: &Error{Type: "unauthorized_client", Description: "Invalid OAuth client credentials"},
+ },
+ {
+ // Actual response from github
+ resp: response{
+ body: `error=incorrect_client_credentials&error_description=The+client_id+and%2For+client_secret+passed+are+incorrect.&error_uri=https%3A%2F%2Fdeveloper.github.com%2Fv3%2Foauth%2F%23incorrect-client-credentials`,
+ contentType: "application/x-www-form-urlencoded; charset=utf-8",
+ },
+ wantError: &Error{Type: "incorrect_client_credentials", Description: "The client_id and/or client_secret passed are incorrect."},
+ },
+ {
+ resp: response{
+ body: `{"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a", "scope":"repo,gist", "token_type":"bearer"}`,
+ contentType: "application/json",
+ },
+ wantResp: TokenResponse{
+ AccessToken: "e72e16c7e42f292c6912e7710c838347ae178b4a",
+ TokenType: "bearer",
+ Scope: "repo,gist",
+ },
+ },
+ {
+ resp: response{
+ body: `access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&scope=user%2Cgist&token_type=bearer`,
+ contentType: "application/x-www-form-urlencoded",
+ },
+ wantResp: TokenResponse{
+ AccessToken: "e72e16c7e42f292c6912e7710c838347ae178b4a",
+ TokenType: "bearer",
+ Scope: "user,gist",
+ },
+ },
+ {
+ resp: response{
+ body: `{"access_token":"foo","id_token":"bar","expires_in":200,"token_type":"bearer","refresh_token":"spam"}`,
+ contentType: "application/json; charset=utf-8",
+ },
+ wantResp: TokenResponse{
+ AccessToken: "foo",
+ IDToken: "bar",
+ Expires: 200,
+ TokenType: "bearer",
+ RefreshToken: "spam",
+ },
+ },
+ {
+ // Azure AD returns "expires_in" value as string
+ resp: response{
+ body: `{"access_token":"foo","id_token":"bar","expires_in":"300","token_type":"bearer","refresh_token":"spam"}`,
+ contentType: "application/json; charset=utf-8",
+ },
+ wantResp: TokenResponse{
+ AccessToken: "foo",
+ IDToken: "bar",
+ Expires: 300,
+ TokenType: "bearer",
+ RefreshToken: "spam",
+ },
+ },
+ {
+ resp: response{
+ body: `{"access_token":"foo","id_token":"bar","expires":200,"token_type":"bearer","refresh_token":"spam"}`,
+ contentType: "application/json; charset=utf-8",
+ },
+ wantResp: TokenResponse{
+ AccessToken: "foo",
+ IDToken: "bar",
+ Expires: 200,
+ TokenType: "bearer",
+ RefreshToken: "spam",
+ },
+ },
+ {
+ resp: response{
+ body: `access_token=foo&id_token=bar&expires_in=200&token_type=bearer&refresh_token=spam`,
+ contentType: "application/x-www-form-urlencoded",
+ },
+ wantResp: TokenResponse{
+ AccessToken: "foo",
+ IDToken: "bar",
+ Expires: 200,
+ TokenType: "bearer",
+ RefreshToken: "spam",
+ },
+ },
+ }
+
+ for i, tt := range tests {
+ r := &http.Response{
+ StatusCode: http.StatusOK,
+ Header: http.Header{
+ "Content-Type": []string{tt.resp.contentType},
+ "Content-Length": []string{strconv.Itoa(len([]byte(tt.resp.body)))},
+ },
+ Body: ioutil.NopCloser(strings.NewReader(tt.resp.body)),
+ ContentLength: int64(len([]byte(tt.resp.body))),
+ }
+ if tt.resp.statusCode != 0 {
+ r.StatusCode = tt.resp.statusCode
+ }
+
+ result, err := parseTokenResponse(r)
+ if err != nil {
+ if tt.wantError == nil {
+ t.Errorf("case %d: got error==%v", i, err)
+ continue
+ }
+ if !reflect.DeepEqual(tt.wantError, err) {
+ t.Errorf("case %d: want=%+v, got=%+v", i, tt.wantError, err)
+ }
+ } else {
+ if tt.wantError != nil {
+ t.Errorf("case %d: want error==%v, got==nil", i, tt.wantError)
+ continue
+ }
+ // don't compare the raw body (it's really big and clogs error messages)
+ result.RawBody = tt.wantResp.RawBody
+ if !reflect.DeepEqual(tt.wantResp, result) {
+ t.Errorf("case %d: want=%+v, got=%+v", i, tt.wantResp, result)
+ }
+ }
+ }
+}
diff --git a/vendor/github.com/ericchiang/oidc/oidc.go b/vendor/github.com/coreos/go-oidc/oidc.go
similarity index 58%
rename from vendor/github.com/ericchiang/oidc/oidc.go
rename to vendor/github.com/coreos/go-oidc/oidc.go
index c2c7eea6..378f8f64 100644
--- a/vendor/github.com/ericchiang/oidc/oidc.go
+++ b/vendor/github.com/coreos/go-oidc/oidc.go
@@ -1,3 +1,4 @@
+// Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
package oidc
import (
@@ -11,13 +12,7 @@ import (
"golang.org/x/net/context"
"golang.org/x/oauth2"
-)
-
-var (
- // ErrTokenExpired indicates that a token parsed by a verifier has expired.
- ErrTokenExpired = errors.New("oidc: ID Token expired")
- // ErrNotSupported indicates that the requested optional OpenID Connect endpoint is not supported by the provider.
- ErrNotSupported = errors.New("oidc: endpoint not supported")
+ jose "gopkg.in/square/go-jose.v2"
)
const (
@@ -35,23 +30,61 @@ const (
ScopeOfflineAccess = "offline_access"
)
-// Provider contains the subset of the OpenID Connect provider metadata needed to request
-// and verify ID Tokens.
+// ClientContext returns a new Context that carries the provided HTTP client.
+//
+// This method sets the same context key used by the golang.org/x/oauth2 package,
+// so the returned context works for that package too.
+//
+// myClient := &http.Client{}
+// ctx := oidc.ClientContext(parentContext, myClient)
+//
+// // This will use the custom client
+// provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")
+//
+func ClientContext(ctx context.Context, client *http.Client) context.Context {
+ return context.WithValue(ctx, oauth2.HTTPClient, client)
+}
+
+func clientFromContext(ctx context.Context) *http.Client {
+ if client, ok := ctx.Value(oauth2.HTTPClient).(*http.Client); ok {
+ return client
+ }
+ return http.DefaultClient
+}
+
+// Provider represents an OpenID Connect server's configuration.
type Provider struct {
+ issuer string
+ authURL string
+ tokenURL string
+ userInfoURL string
+
+ // Raw claims returned by the server.
+ rawClaims []byte
+
+ remoteKeySet *remoteKeySet
+}
+
+type cachedKeys struct {
+ keys []jose.JSONWebKey
+ expiry time.Time
+}
+
+type providerJSON struct {
Issuer string `json:"issuer"`
AuthURL string `json:"authorization_endpoint"`
TokenURL string `json:"token_endpoint"`
JWKSURL string `json:"jwks_uri"`
UserInfoURL string `json:"userinfo_endpoint"`
-
- // Raw claims returned by the server.
- rawClaims []byte
}
-// NewProvider uses the OpenID Connect disovery mechanism to construct a Provider.
+// NewProvider uses the OpenID Connect discovery mechanism to construct a Provider.
+//
+// The issuer is the URL identifier for the service. For example: "https://accounts.google.com"
+// or "https://login.salesforce.com".
func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
wellKnown := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
- resp, err := contextClient(ctx).Get(wellKnown)
+ resp, err := clientFromContext(ctx).Get(wellKnown)
if err != nil {
return nil, err
}
@@ -63,18 +96,36 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
return nil, fmt.Errorf("%s: %s", resp.Status, body)
}
defer resp.Body.Close()
- var p Provider
+ var p providerJSON
if err := json.Unmarshal(body, &p); err != nil {
return nil, fmt.Errorf("oidc: failed to decode provider discovery object: %v", err)
}
- p.rawClaims = body
if p.Issuer != issuer {
return nil, fmt.Errorf("oidc: issuer did not match the issuer returned by provider, expected %q got %q", issuer, p.Issuer)
}
- return &p, nil
+ return &Provider{
+ issuer: p.Issuer,
+ authURL: p.AuthURL,
+ tokenURL: p.TokenURL,
+ userInfoURL: p.UserInfoURL,
+ rawClaims: body,
+ remoteKeySet: newRemoteKeySet(ctx, p.JWKSURL, time.Now),
+ }, nil
}
-// Claims returns additional fields returned by the server during discovery.
+// Claims unmarshals raw fields returned by the server during discovery.
+//
+// var claims struct {
+// ScopesSupported []string `json:"scopes_supported"`
+// ClaimsSupported []string `json:"claims_supported"`
+// }
+//
+// if err := provider.Claims(&claims); err != nil {
+// // handle unmarshaling error
+// }
+//
+// For a list of fields defined by the OpenID Connect spec see:
+// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
func (p *Provider) Claims(v interface{}) error {
if p.rawClaims == nil {
return errors.New("oidc: claims not set")
@@ -84,7 +135,7 @@ func (p *Provider) Claims(v interface{}) error {
// Endpoint returns the OAuth2 auth and token endpoints for the given provider.
func (p *Provider) Endpoint() oauth2.Endpoint {
- return oauth2.Endpoint{AuthURL: p.AuthURL, TokenURL: p.TokenURL}
+ return oauth2.Endpoint{AuthURL: p.authURL, TokenURL: p.tokenURL}
}
// UserInfo represents the OpenID Connect userinfo claims.
@@ -107,11 +158,10 @@ func (u *UserInfo) Claims(v interface{}) error {
// UserInfo uses the token source to query the provider's user info endpoint.
func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource) (*UserInfo, error) {
- if p.UserInfoURL == "" {
- return nil, ErrNotSupported
+ if p.userInfoURL == "" {
+ return nil, errors.New("oidc: user info endpoint is not supported by this provider")
}
- cli := oauth2.NewClient(ctx, tokenSource)
- resp, err := cli.Get(p.UserInfoURL)
+ resp, err := clientFromContext(ctx).Get(p.userInfoURL)
if err != nil {
return nil, err
}
@@ -137,19 +187,6 @@ func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource)
//
// The ID Token only holds fields OpenID Connect requires. To access additional
// claims returned by the server, use the Claims method.
-//
-// idToken, err := idTokenVerifier.Verify(rawIDToken)
-// if err != nil {
-// // handle error
-// }
-// var claims struct {
-// Email string `json:"email"`
-// EmailVerified bool `json:"email_verified"`
-// }
-// if err := idToken.Claims(&claims); err != nil {
-// // handle error
-// }
-//
type IDToken struct {
// The URL of the server which issued this token. This will always be the same
// as the URL used for initial discovery.
@@ -165,10 +202,24 @@ type IDToken struct {
Expiry time.Time
Nonce string
+ // Raw payload of the id_token.
claims []byte
}
// Claims unmarshals the raw JSON payload of the ID Token into a provided struct.
+//
+// idToken, err := idTokenVerifier.Verify(rawIDToken)
+// if err != nil {
+// // handle error
+// }
+// var claims struct {
+// Email string `json:"email"`
+// EmailVerified bool `json:"email_verified"`
+// }
+// if err := idToken.Claims(&claims); err != nil {
+// // handle error
+// }
+//
func (i *IDToken) Claims(v interface{}) error {
if i.claims == nil {
return errors.New("oidc: claims not set")
@@ -176,6 +227,15 @@ func (i *IDToken) Claims(v interface{}) error {
return json.Unmarshal(i.claims, v)
}
+type idToken struct {
+ Issuer string `json:"iss"`
+ Subject string `json:"sub"`
+ Audience audience `json:"aud"`
+ Expiry jsonTime `json:"exp"`
+ IssuedAt jsonTime `json:"iat"`
+ Nonce string `json:"nonce"`
+}
+
type audience []string
func (a *audience) UnmarshalJSON(b []byte) error {
@@ -192,6 +252,13 @@ func (a *audience) UnmarshalJSON(b []byte) error {
return nil
}
+func (a audience) MarshalJSON() ([]byte, error) {
+ if len(a) == 1 {
+ return json.Marshal(a[0])
+ }
+ return json.Marshal([]string(a))
+}
+
type jsonTime time.Time
func (j *jsonTime) UnmarshalJSON(b []byte) error {
@@ -214,113 +281,6 @@ func (j *jsonTime) UnmarshalJSON(b []byte) error {
return nil
}
-type idToken struct {
- Issuer string `json:"iss"`
- Subject string `json:"sub"`
- Audience audience `json:"aud"`
- Expiry jsonTime `json:"exp"`
- IssuedAt jsonTime `json:"iat"`
- Nonce string `json:"nonce"`
-}
-
-// IDTokenVerifier provides verification for ID Tokens.
-type IDTokenVerifier struct {
- issuer string
- keySet *remoteKeySet
- options []VerificationOption
-}
-
-// Verify parse the raw ID Token, verifies it's been signed by the provider, preforms
-// additional verification, and returns the claims.
-func (v *IDTokenVerifier) Verify(rawIDToken string) (*IDToken, error) {
- payload, err := v.keySet.verifyJWT(rawIDToken)
- if err != nil {
- return nil, err
- }
- var token idToken
- if err := json.Unmarshal(payload, &token); err != nil {
- return nil, fmt.Errorf("oidc: failed to unmarshal claims: %v", err)
- }
- if v.issuer != token.Issuer {
- return nil, fmt.Errorf("oidc: iss field did not match provider issuer")
- }
- t := &IDToken{
- Issuer: token.Issuer,
- Subject: token.Subject,
- Audience: []string(token.Audience),
- Expiry: time.Time(token.Expiry),
- IssuedAt: time.Time(token.Expiry),
- Nonce: token.Nonce,
- claims: payload,
- }
- for _, option := range v.options {
- if err := option.verifyIDToken(t); err != nil {
- return nil, err
- }
- }
- return t, nil
-}
-
-// NewVerifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
-//
-// The verifier queries the provider to update keys when a signature cannot be verified by the
-// set of keys cached from the previous request.
-func (p *Provider) NewVerifier(ctx context.Context, options ...VerificationOption) *IDTokenVerifier {
- return &IDTokenVerifier{
- issuer: p.Issuer,
- keySet: newRemoteKeySet(ctx, p.JWKSURL),
- options: options,
- }
-}
-
-// VerificationOption is an option provided to Provider.NewVerifier.
-type VerificationOption interface {
- verifyIDToken(token *IDToken) error
-}
-
-// VerifyAudience ensures that an ID Token was issued for the specific client.
-//
-// Note that a verified token may be valid for other clients, as OpenID Connect allows a token to have
-// multiple audiences.
-func VerifyAudience(clientID string) VerificationOption {
- return clientVerifier{clientID}
-}
-
-type clientVerifier struct {
- clientID string
-}
-
-func (c clientVerifier) verifyIDToken(token *IDToken) error {
- for _, aud := range token.Audience {
- if aud == c.clientID {
- return nil
- }
- }
- return errors.New("oidc: id token aud field did not match client_id")
-}
-
-// VerifyExpiry ensures that an ID Token has not expired.
-func VerifyExpiry() VerificationOption {
- return expiryVerifier{time.Now}
-}
-
-type expiryVerifier struct {
- now func() time.Time
-}
-
-func (e expiryVerifier) verifyIDToken(token *IDToken) error {
- if e.now().After(token.Expiry) {
- return ErrTokenExpired
- }
- return nil
-}
-
-// This method is internal to golang.org/x/oauth2. Just copy it.
-func contextClient(ctx context.Context) *http.Client {
- if ctx != nil {
- if hc, ok := ctx.Value(oauth2.HTTPClient).(*http.Client); ok {
- return hc
- }
- }
- return http.DefaultClient
+func (j jsonTime) MarshalJSON() ([]byte, error) {
+ return json.Marshal(time.Time(j).Unix())
}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/client.go b/vendor/github.com/coreos/go-oidc/oidc/client.go
new file mode 100644
index 00000000..7a3cb40f
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/client.go
@@ -0,0 +1,846 @@
+package oidc
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "net/http"
+ "net/mail"
+ "net/url"
+ "sync"
+ "time"
+
+ phttp "github.com/coreos/go-oidc/http"
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/go-oidc/key"
+ "github.com/coreos/go-oidc/oauth2"
+)
+
+const (
+ // amount of time that must pass after the last key sync
+ // completes before another attempt may begin
+ keySyncWindow = 5 * time.Second
+)
+
+var (
+ DefaultScope = []string{"openid", "email", "profile"}
+
+ supportedAuthMethods = map[string]struct{}{
+ oauth2.AuthMethodClientSecretBasic: struct{}{},
+ oauth2.AuthMethodClientSecretPost: struct{}{},
+ }
+)
+
+type ClientCredentials oauth2.ClientCredentials
+
+type ClientIdentity struct {
+ Credentials ClientCredentials
+ Metadata ClientMetadata
+}
+
+type JWAOptions struct {
+ // SigningAlg specifies an JWA alg for signing JWTs.
+ //
+ // Specifying this field implies different actions depending on the context. It may
+ // require objects be serialized and signed as a JWT instead of plain JSON, or
+ // require an existing JWT object use the specified alg.
+ //
+ // See: http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
+ SigningAlg string
+ // EncryptionAlg, if provided, specifies that the returned or sent object be stored
+ // (or nested) within a JWT object and encrypted with the provided JWA alg.
+ EncryptionAlg string
+ // EncryptionEnc specifies the JWA enc algorithm to use with EncryptionAlg. If
+ // EncryptionAlg is provided and EncryptionEnc is omitted, this field defaults
+ // to A128CBC-HS256.
+ //
+ // If EncryptionEnc is provided EncryptionAlg must also be specified.
+ EncryptionEnc string
+}
+
+func (opt JWAOptions) valid() error {
+ if opt.EncryptionEnc != "" && opt.EncryptionAlg == "" {
+ return errors.New("encryption encoding provided with no encryption algorithm")
+ }
+ return nil
+}
+
+func (opt JWAOptions) defaults() JWAOptions {
+ if opt.EncryptionAlg != "" && opt.EncryptionEnc == "" {
+ opt.EncryptionEnc = jose.EncA128CBCHS256
+ }
+ return opt
+}
+
+var (
+ // Ensure ClientMetadata satisfies these interfaces.
+ _ json.Marshaler = &ClientMetadata{}
+ _ json.Unmarshaler = &ClientMetadata{}
+)
+
+// ClientMetadata holds metadata that the authorization server associates
+// with a client identifier. The fields range from human-facing display
+// strings such as client name, to items that impact the security of the
+// protocol, such as the list of valid redirect URIs.
+//
+// See http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
+//
+// TODO: support language specific claim representations
+// http://openid.net/specs/openid-connect-registration-1_0.html#LanguagesAndScripts
+type ClientMetadata struct {
+ RedirectURIs []url.URL // Required
+
+ // A list of OAuth 2.0 "response_type" values that the client wishes to restrict
+ // itself to. Either "code", "token", or another registered extension.
+ //
+ // If omitted, only "code" will be used.
+ ResponseTypes []string
+ // A list of OAuth 2.0 grant types the client wishes to restrict itself to.
+ // The grant type values used by OIDC are "authorization_code", "implicit",
+ // and "refresh_token".
+ //
+ // If ommitted, only "authorization_code" will be used.
+ GrantTypes []string
+ // "native" or "web". If omitted, "web".
+ ApplicationType string
+
+ // List of email addresses.
+ Contacts []mail.Address
+ // Name of client to be presented to the end-user.
+ ClientName string
+ // URL that references a logo for the Client application.
+ LogoURI *url.URL
+ // URL of the home page of the Client.
+ ClientURI *url.URL
+ // Profile data policies and terms of use to be provided to the end user.
+ PolicyURI *url.URL
+ TermsOfServiceURI *url.URL
+
+ // URL to or the value of the client's JSON Web Key Set document.
+ JWKSURI *url.URL
+ JWKS *jose.JWKSet
+
+ // URL referencing a flie with a single JSON array of redirect URIs.
+ SectorIdentifierURI *url.URL
+
+ SubjectType string
+
+ // Options to restrict the JWS alg and enc values used for server responses and requests.
+ IDTokenResponseOptions JWAOptions
+ UserInfoResponseOptions JWAOptions
+ RequestObjectOptions JWAOptions
+
+ // Client requested authorization method and signing options for the token endpoint.
+ //
+ // Defaults to "client_secret_basic"
+ TokenEndpointAuthMethod string
+ TokenEndpointAuthSigningAlg string
+
+ // DefaultMaxAge specifies the maximum amount of time in seconds before an authorized
+ // user must reauthroize.
+ //
+ // If 0, no limitation is placed on the maximum.
+ DefaultMaxAge int64
+ // RequireAuthTime specifies if the auth_time claim in the ID token is required.
+ RequireAuthTime bool
+
+ // Default Authentication Context Class Reference values for authentication requests.
+ DefaultACRValues []string
+
+ // URI that a third party can use to initiate a login by the relaying party.
+ //
+ // See: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
+ InitiateLoginURI *url.URL
+ // Pre-registered request_uri values that may be cached by the server.
+ RequestURIs []url.URL
+}
+
+// Defaults returns a shallow copy of ClientMetadata with default
+// values replacing omitted fields.
+func (m ClientMetadata) Defaults() ClientMetadata {
+ if len(m.ResponseTypes) == 0 {
+ m.ResponseTypes = []string{oauth2.ResponseTypeCode}
+ }
+ if len(m.GrantTypes) == 0 {
+ m.GrantTypes = []string{oauth2.GrantTypeAuthCode}
+ }
+ if m.ApplicationType == "" {
+ m.ApplicationType = "web"
+ }
+ if m.TokenEndpointAuthMethod == "" {
+ m.TokenEndpointAuthMethod = oauth2.AuthMethodClientSecretBasic
+ }
+ m.IDTokenResponseOptions = m.IDTokenResponseOptions.defaults()
+ m.UserInfoResponseOptions = m.UserInfoResponseOptions.defaults()
+ m.RequestObjectOptions = m.RequestObjectOptions.defaults()
+ return m
+}
+
+func (m *ClientMetadata) MarshalJSON() ([]byte, error) {
+ e := m.toEncodableStruct()
+ return json.Marshal(&e)
+}
+
+func (m *ClientMetadata) UnmarshalJSON(data []byte) error {
+ var e encodableClientMetadata
+ if err := json.Unmarshal(data, &e); err != nil {
+ return err
+ }
+ meta, err := e.toStruct()
+ if err != nil {
+ return err
+ }
+ if err := meta.Valid(); err != nil {
+ return err
+ }
+ *m = meta
+ return nil
+}
+
+type encodableClientMetadata struct {
+ RedirectURIs []string `json:"redirect_uris"` // Required
+ ResponseTypes []string `json:"response_types,omitempty"`
+ GrantTypes []string `json:"grant_types,omitempty"`
+ ApplicationType string `json:"application_type,omitempty"`
+ Contacts []string `json:"contacts,omitempty"`
+ ClientName string `json:"client_name,omitempty"`
+ LogoURI string `json:"logo_uri,omitempty"`
+ ClientURI string `json:"client_uri,omitempty"`
+ PolicyURI string `json:"policy_uri,omitempty"`
+ TermsOfServiceURI string `json:"tos_uri,omitempty"`
+ JWKSURI string `json:"jwks_uri,omitempty"`
+ JWKS *jose.JWKSet `json:"jwks,omitempty"`
+ SectorIdentifierURI string `json:"sector_identifier_uri,omitempty"`
+ SubjectType string `json:"subject_type,omitempty"`
+ IDTokenSignedResponseAlg string `json:"id_token_signed_response_alg,omitempty"`
+ IDTokenEncryptedResponseAlg string `json:"id_token_encrypted_response_alg,omitempty"`
+ IDTokenEncryptedResponseEnc string `json:"id_token_encrypted_response_enc,omitempty"`
+ UserInfoSignedResponseAlg string `json:"userinfo_signed_response_alg,omitempty"`
+ UserInfoEncryptedResponseAlg string `json:"userinfo_encrypted_response_alg,omitempty"`
+ UserInfoEncryptedResponseEnc string `json:"userinfo_encrypted_response_enc,omitempty"`
+ RequestObjectSigningAlg string `json:"request_object_signing_alg,omitempty"`
+ RequestObjectEncryptionAlg string `json:"request_object_encryption_alg,omitempty"`
+ RequestObjectEncryptionEnc string `json:"request_object_encryption_enc,omitempty"`
+ TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
+ TokenEndpointAuthSigningAlg string `json:"token_endpoint_auth_signing_alg,omitempty"`
+ DefaultMaxAge int64 `json:"default_max_age,omitempty"`
+ RequireAuthTime bool `json:"require_auth_time,omitempty"`
+ DefaultACRValues []string `json:"default_acr_values,omitempty"`
+ InitiateLoginURI string `json:"initiate_login_uri,omitempty"`
+ RequestURIs []string `json:"request_uris,omitempty"`
+}
+
+func (c *encodableClientMetadata) toStruct() (ClientMetadata, error) {
+ p := stickyErrParser{}
+ m := ClientMetadata{
+ RedirectURIs: p.parseURIs(c.RedirectURIs, "redirect_uris"),
+ ResponseTypes: c.ResponseTypes,
+ GrantTypes: c.GrantTypes,
+ ApplicationType: c.ApplicationType,
+ Contacts: p.parseEmails(c.Contacts, "contacts"),
+ ClientName: c.ClientName,
+ LogoURI: p.parseURI(c.LogoURI, "logo_uri"),
+ ClientURI: p.parseURI(c.ClientURI, "client_uri"),
+ PolicyURI: p.parseURI(c.PolicyURI, "policy_uri"),
+ TermsOfServiceURI: p.parseURI(c.TermsOfServiceURI, "tos_uri"),
+ JWKSURI: p.parseURI(c.JWKSURI, "jwks_uri"),
+ JWKS: c.JWKS,
+ SectorIdentifierURI: p.parseURI(c.SectorIdentifierURI, "sector_identifier_uri"),
+ SubjectType: c.SubjectType,
+ TokenEndpointAuthMethod: c.TokenEndpointAuthMethod,
+ TokenEndpointAuthSigningAlg: c.TokenEndpointAuthSigningAlg,
+ DefaultMaxAge: c.DefaultMaxAge,
+ RequireAuthTime: c.RequireAuthTime,
+ DefaultACRValues: c.DefaultACRValues,
+ InitiateLoginURI: p.parseURI(c.InitiateLoginURI, "initiate_login_uri"),
+ RequestURIs: p.parseURIs(c.RequestURIs, "request_uris"),
+ IDTokenResponseOptions: JWAOptions{
+ c.IDTokenSignedResponseAlg,
+ c.IDTokenEncryptedResponseAlg,
+ c.IDTokenEncryptedResponseEnc,
+ },
+ UserInfoResponseOptions: JWAOptions{
+ c.UserInfoSignedResponseAlg,
+ c.UserInfoEncryptedResponseAlg,
+ c.UserInfoEncryptedResponseEnc,
+ },
+ RequestObjectOptions: JWAOptions{
+ c.RequestObjectSigningAlg,
+ c.RequestObjectEncryptionAlg,
+ c.RequestObjectEncryptionEnc,
+ },
+ }
+ if p.firstErr != nil {
+ return ClientMetadata{}, p.firstErr
+ }
+ return m, nil
+}
+
+// stickyErrParser parses URIs and email addresses. Once it encounters
+// a parse error, subsequent calls become no-op.
+type stickyErrParser struct {
+ firstErr error
+}
+
+func (p *stickyErrParser) parseURI(s, field string) *url.URL {
+ if p.firstErr != nil || s == "" {
+ return nil
+ }
+ u, err := url.Parse(s)
+ if err == nil {
+ if u.Host == "" {
+ err = errors.New("no host in URI")
+ } else if u.Scheme != "http" && u.Scheme != "https" {
+ err = errors.New("invalid URI scheme")
+ }
+ }
+ if err != nil {
+ p.firstErr = fmt.Errorf("failed to parse %s: %v", field, err)
+ return nil
+ }
+ return u
+}
+
+func (p *stickyErrParser) parseURIs(s []string, field string) []url.URL {
+ if p.firstErr != nil || len(s) == 0 {
+ return nil
+ }
+ uris := make([]url.URL, len(s))
+ for i, val := range s {
+ if val == "" {
+ p.firstErr = fmt.Errorf("invalid URI in field %s", field)
+ return nil
+ }
+ if u := p.parseURI(val, field); u != nil {
+ uris[i] = *u
+ }
+ }
+ return uris
+}
+
+func (p *stickyErrParser) parseEmails(s []string, field string) []mail.Address {
+ if p.firstErr != nil || len(s) == 0 {
+ return nil
+ }
+ addrs := make([]mail.Address, len(s))
+ for i, addr := range s {
+ if addr == "" {
+ p.firstErr = fmt.Errorf("invalid email in field %s", field)
+ return nil
+ }
+ a, err := mail.ParseAddress(addr)
+ if err != nil {
+ p.firstErr = fmt.Errorf("invalid email in field %s: %v", field, err)
+ return nil
+ }
+ addrs[i] = *a
+ }
+ return addrs
+}
+
+func (m *ClientMetadata) toEncodableStruct() encodableClientMetadata {
+ return encodableClientMetadata{
+ RedirectURIs: urisToStrings(m.RedirectURIs),
+ ResponseTypes: m.ResponseTypes,
+ GrantTypes: m.GrantTypes,
+ ApplicationType: m.ApplicationType,
+ Contacts: emailsToStrings(m.Contacts),
+ ClientName: m.ClientName,
+ LogoURI: uriToString(m.LogoURI),
+ ClientURI: uriToString(m.ClientURI),
+ PolicyURI: uriToString(m.PolicyURI),
+ TermsOfServiceURI: uriToString(m.TermsOfServiceURI),
+ JWKSURI: uriToString(m.JWKSURI),
+ JWKS: m.JWKS,
+ SectorIdentifierURI: uriToString(m.SectorIdentifierURI),
+ SubjectType: m.SubjectType,
+ IDTokenSignedResponseAlg: m.IDTokenResponseOptions.SigningAlg,
+ IDTokenEncryptedResponseAlg: m.IDTokenResponseOptions.EncryptionAlg,
+ IDTokenEncryptedResponseEnc: m.IDTokenResponseOptions.EncryptionEnc,
+ UserInfoSignedResponseAlg: m.UserInfoResponseOptions.SigningAlg,
+ UserInfoEncryptedResponseAlg: m.UserInfoResponseOptions.EncryptionAlg,
+ UserInfoEncryptedResponseEnc: m.UserInfoResponseOptions.EncryptionEnc,
+ RequestObjectSigningAlg: m.RequestObjectOptions.SigningAlg,
+ RequestObjectEncryptionAlg: m.RequestObjectOptions.EncryptionAlg,
+ RequestObjectEncryptionEnc: m.RequestObjectOptions.EncryptionEnc,
+ TokenEndpointAuthMethod: m.TokenEndpointAuthMethod,
+ TokenEndpointAuthSigningAlg: m.TokenEndpointAuthSigningAlg,
+ DefaultMaxAge: m.DefaultMaxAge,
+ RequireAuthTime: m.RequireAuthTime,
+ DefaultACRValues: m.DefaultACRValues,
+ InitiateLoginURI: uriToString(m.InitiateLoginURI),
+ RequestURIs: urisToStrings(m.RequestURIs),
+ }
+}
+
+func uriToString(u *url.URL) string {
+ if u == nil {
+ return ""
+ }
+ return u.String()
+}
+
+func urisToStrings(urls []url.URL) []string {
+ if len(urls) == 0 {
+ return nil
+ }
+ sli := make([]string, len(urls))
+ for i, u := range urls {
+ sli[i] = u.String()
+ }
+ return sli
+}
+
+func emailsToStrings(addrs []mail.Address) []string {
+ if len(addrs) == 0 {
+ return nil
+ }
+ sli := make([]string, len(addrs))
+ for i, addr := range addrs {
+ sli[i] = addr.String()
+ }
+ return sli
+}
+
+// Valid determines if a ClientMetadata conforms with the OIDC specification.
+//
+// Valid is called by UnmarshalJSON.
+//
+// NOTE(ericchiang): For development purposes Valid does not mandate 'https' for
+// URLs fields where the OIDC spec requires it. This may change in future releases
+// of this package. See: https://github.com/coreos/go-oidc/issues/34
+func (m *ClientMetadata) Valid() error {
+ if len(m.RedirectURIs) == 0 {
+ return errors.New("zero redirect URLs")
+ }
+
+ validURI := func(u *url.URL, fieldName string) error {
+ if u.Host == "" {
+ return fmt.Errorf("no host for uri field %s", fieldName)
+ }
+ if u.Scheme != "http" && u.Scheme != "https" {
+ return fmt.Errorf("uri field %s scheme is not http or https", fieldName)
+ }
+ return nil
+ }
+
+ uris := []struct {
+ val *url.URL
+ name string
+ }{
+ {m.LogoURI, "logo_uri"},
+ {m.ClientURI, "client_uri"},
+ {m.PolicyURI, "policy_uri"},
+ {m.TermsOfServiceURI, "tos_uri"},
+ {m.JWKSURI, "jwks_uri"},
+ {m.SectorIdentifierURI, "sector_identifier_uri"},
+ {m.InitiateLoginURI, "initiate_login_uri"},
+ }
+
+ for _, uri := range uris {
+ if uri.val == nil {
+ continue
+ }
+ if err := validURI(uri.val, uri.name); err != nil {
+ return err
+ }
+ }
+
+ uriLists := []struct {
+ vals []url.URL
+ name string
+ }{
+ {m.RedirectURIs, "redirect_uris"},
+ {m.RequestURIs, "request_uris"},
+ }
+ for _, list := range uriLists {
+ for _, uri := range list.vals {
+ if err := validURI(&uri, list.name); err != nil {
+ return err
+ }
+ }
+ }
+
+ options := []struct {
+ option JWAOptions
+ name string
+ }{
+ {m.IDTokenResponseOptions, "id_token response"},
+ {m.UserInfoResponseOptions, "userinfo response"},
+ {m.RequestObjectOptions, "request_object"},
+ }
+ for _, option := range options {
+ if err := option.option.valid(); err != nil {
+ return fmt.Errorf("invalid JWA values for %s: %v", option.name, err)
+ }
+ }
+ return nil
+}
+
+type ClientRegistrationResponse struct {
+ ClientID string // Required
+ ClientSecret string
+ RegistrationAccessToken string
+ RegistrationClientURI string
+ // If IsZero is true, unspecified.
+ ClientIDIssuedAt time.Time
+ // Time at which the client_secret will expire.
+ // If IsZero is true, it will not expire.
+ ClientSecretExpiresAt time.Time
+
+ ClientMetadata
+}
+
+type encodableClientRegistrationResponse struct {
+ ClientID string `json:"client_id"` // Required
+ ClientSecret string `json:"client_secret,omitempty"`
+ RegistrationAccessToken string `json:"registration_access_token,omitempty"`
+ RegistrationClientURI string `json:"registration_client_uri,omitempty"`
+ ClientIDIssuedAt int64 `json:"client_id_issued_at,omitempty"`
+ // Time at which the client_secret will expire, in seconds since the epoch.
+ // If 0 it will not expire.
+ ClientSecretExpiresAt int64 `json:"client_secret_expires_at"` // Required
+
+ encodableClientMetadata
+}
+
+func unixToSec(t time.Time) int64 {
+ if t.IsZero() {
+ return 0
+ }
+ return t.Unix()
+}
+
+func (c *ClientRegistrationResponse) MarshalJSON() ([]byte, error) {
+ e := encodableClientRegistrationResponse{
+ ClientID: c.ClientID,
+ ClientSecret: c.ClientSecret,
+ RegistrationAccessToken: c.RegistrationAccessToken,
+ RegistrationClientURI: c.RegistrationClientURI,
+ ClientIDIssuedAt: unixToSec(c.ClientIDIssuedAt),
+ ClientSecretExpiresAt: unixToSec(c.ClientSecretExpiresAt),
+ encodableClientMetadata: c.ClientMetadata.toEncodableStruct(),
+ }
+ return json.Marshal(&e)
+}
+
+func secToUnix(sec int64) time.Time {
+ if sec == 0 {
+ return time.Time{}
+ }
+ return time.Unix(sec, 0)
+}
+
+func (c *ClientRegistrationResponse) UnmarshalJSON(data []byte) error {
+ var e encodableClientRegistrationResponse
+ if err := json.Unmarshal(data, &e); err != nil {
+ return err
+ }
+ if e.ClientID == "" {
+ return errors.New("no client_id in client registration response")
+ }
+ metadata, err := e.encodableClientMetadata.toStruct()
+ if err != nil {
+ return err
+ }
+ *c = ClientRegistrationResponse{
+ ClientID: e.ClientID,
+ ClientSecret: e.ClientSecret,
+ RegistrationAccessToken: e.RegistrationAccessToken,
+ RegistrationClientURI: e.RegistrationClientURI,
+ ClientIDIssuedAt: secToUnix(e.ClientIDIssuedAt),
+ ClientSecretExpiresAt: secToUnix(e.ClientSecretExpiresAt),
+ ClientMetadata: metadata,
+ }
+ return nil
+}
+
+type ClientConfig struct {
+ HTTPClient phttp.Client
+ Credentials ClientCredentials
+ Scope []string
+ RedirectURL string
+ ProviderConfig ProviderConfig
+ KeySet key.PublicKeySet
+}
+
+func NewClient(cfg ClientConfig) (*Client, error) {
+ // Allow empty redirect URL in the case where the client
+ // only needs to verify a given token.
+ ru, err := url.Parse(cfg.RedirectURL)
+ if err != nil {
+ return nil, fmt.Errorf("invalid redirect URL: %v", err)
+ }
+
+ c := Client{
+ credentials: cfg.Credentials,
+ httpClient: cfg.HTTPClient,
+ scope: cfg.Scope,
+ redirectURL: ru.String(),
+ providerConfig: newProviderConfigRepo(cfg.ProviderConfig),
+ keySet: cfg.KeySet,
+ }
+
+ if c.httpClient == nil {
+ c.httpClient = http.DefaultClient
+ }
+
+ if c.scope == nil {
+ c.scope = make([]string, len(DefaultScope))
+ copy(c.scope, DefaultScope)
+ }
+
+ return &c, nil
+}
+
+type Client struct {
+ httpClient phttp.Client
+ providerConfig *providerConfigRepo
+ credentials ClientCredentials
+ redirectURL string
+ scope []string
+ keySet key.PublicKeySet
+ providerSyncer *ProviderConfigSyncer
+
+ keySetSyncMutex sync.RWMutex
+ lastKeySetSync time.Time
+}
+
+func (c *Client) Healthy() error {
+ now := time.Now().UTC()
+
+ cfg := c.providerConfig.Get()
+
+ if cfg.Empty() {
+ return errors.New("oidc client provider config empty")
+ }
+
+ if !cfg.ExpiresAt.IsZero() && cfg.ExpiresAt.Before(now) {
+ return errors.New("oidc client provider config expired")
+ }
+
+ return nil
+}
+
+func (c *Client) OAuthClient() (*oauth2.Client, error) {
+ cfg := c.providerConfig.Get()
+ authMethod, err := chooseAuthMethod(cfg)
+ if err != nil {
+ return nil, err
+ }
+
+ ocfg := oauth2.Config{
+ Credentials: oauth2.ClientCredentials(c.credentials),
+ RedirectURL: c.redirectURL,
+ AuthURL: cfg.AuthEndpoint.String(),
+ TokenURL: cfg.TokenEndpoint.String(),
+ Scope: c.scope,
+ AuthMethod: authMethod,
+ }
+
+ return oauth2.NewClient(c.httpClient, ocfg)
+}
+
+func chooseAuthMethod(cfg ProviderConfig) (string, error) {
+ if len(cfg.TokenEndpointAuthMethodsSupported) == 0 {
+ return oauth2.AuthMethodClientSecretBasic, nil
+ }
+
+ for _, authMethod := range cfg.TokenEndpointAuthMethodsSupported {
+ if _, ok := supportedAuthMethods[authMethod]; ok {
+ return authMethod, nil
+ }
+ }
+
+ return "", errors.New("no supported auth methods")
+}
+
+// SyncProviderConfig starts the provider config syncer
+func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{} {
+ r := NewHTTPProviderConfigGetter(c.httpClient, discoveryURL)
+ s := NewProviderConfigSyncer(r, c.providerConfig)
+ stop := s.Run()
+ s.WaitUntilInitialSync()
+ return stop
+}
+
+func (c *Client) maybeSyncKeys() error {
+ tooSoon := func() bool {
+ return time.Now().UTC().Before(c.lastKeySetSync.Add(keySyncWindow))
+ }
+
+ // ignore request to sync keys if a sync operation has been
+ // attempted too recently
+ if tooSoon() {
+ return nil
+ }
+
+ c.keySetSyncMutex.Lock()
+ defer c.keySetSyncMutex.Unlock()
+
+ // check again, as another goroutine may have been holding
+ // the lock while updating the keys
+ if tooSoon() {
+ return nil
+ }
+
+ cfg := c.providerConfig.Get()
+ r := NewRemotePublicKeyRepo(c.httpClient, cfg.KeysEndpoint.String())
+ w := &clientKeyRepo{client: c}
+ _, err := key.Sync(r, w)
+ c.lastKeySetSync = time.Now().UTC()
+
+ return err
+}
+
+type clientKeyRepo struct {
+ client *Client
+}
+
+func (r *clientKeyRepo) Set(ks key.KeySet) error {
+ pks, ok := ks.(*key.PublicKeySet)
+ if !ok {
+ return errors.New("unable to cast to PublicKey")
+ }
+ r.client.keySet = *pks
+ return nil
+}
+
+func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error) {
+ cfg := c.providerConfig.Get()
+
+ if !cfg.SupportsGrantType(oauth2.GrantTypeClientCreds) {
+ return jose.JWT{}, fmt.Errorf("%v grant type is not supported", oauth2.GrantTypeClientCreds)
+ }
+
+ oac, err := c.OAuthClient()
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ t, err := oac.ClientCredsToken(scope)
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ jwt, err := jose.ParseJWT(t.IDToken)
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ return jwt, c.VerifyJWT(jwt)
+}
+
+// ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.
+func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error) {
+ oac, err := c.OAuthClient()
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ t, err := oac.RequestToken(oauth2.GrantTypeAuthCode, code)
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ jwt, err := jose.ParseJWT(t.IDToken)
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ return jwt, c.VerifyJWT(jwt)
+}
+
+// RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.
+func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error) {
+ oac, err := c.OAuthClient()
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ t, err := oac.RequestToken(oauth2.GrantTypeRefreshToken, refreshToken)
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ jwt, err := jose.ParseJWT(t.IDToken)
+ if err != nil {
+ return jose.JWT{}, err
+ }
+
+ return jwt, c.VerifyJWT(jwt)
+}
+
+func (c *Client) VerifyJWT(jwt jose.JWT) error {
+ var keysFunc func() []key.PublicKey
+ if kID, ok := jwt.KeyID(); ok {
+ keysFunc = c.keysFuncWithID(kID)
+ } else {
+ keysFunc = c.keysFuncAll()
+ }
+
+ v := NewJWTVerifier(
+ c.providerConfig.Get().Issuer.String(),
+ c.credentials.ID,
+ c.maybeSyncKeys, keysFunc)
+
+ return v.Verify(jwt)
+}
+
+// keysFuncWithID returns a function that retrieves at most unexpired
+// public key from the Client that matches the provided ID
+func (c *Client) keysFuncWithID(kID string) func() []key.PublicKey {
+ return func() []key.PublicKey {
+ c.keySetSyncMutex.RLock()
+ defer c.keySetSyncMutex.RUnlock()
+
+ if c.keySet.ExpiresAt().Before(time.Now()) {
+ return []key.PublicKey{}
+ }
+
+ k := c.keySet.Key(kID)
+ if k == nil {
+ return []key.PublicKey{}
+ }
+
+ return []key.PublicKey{*k}
+ }
+}
+
+// keysFuncAll returns a function that retrieves all unexpired public
+// keys from the Client
+func (c *Client) keysFuncAll() func() []key.PublicKey {
+ return func() []key.PublicKey {
+ c.keySetSyncMutex.RLock()
+ defer c.keySetSyncMutex.RUnlock()
+
+ if c.keySet.ExpiresAt().Before(time.Now()) {
+ return []key.PublicKey{}
+ }
+
+ return c.keySet.Keys()
+ }
+}
+
+type providerConfigRepo struct {
+ mu sync.RWMutex
+ config ProviderConfig // do not access directly, use Get()
+}
+
+func newProviderConfigRepo(pc ProviderConfig) *providerConfigRepo {
+ return &providerConfigRepo{sync.RWMutex{}, pc}
+}
+
+// returns an error to implement ProviderConfigSetter
+func (r *providerConfigRepo) Set(cfg ProviderConfig) error {
+ r.mu.Lock()
+ defer r.mu.Unlock()
+ r.config = cfg
+ return nil
+}
+
+func (r *providerConfigRepo) Get() ProviderConfig {
+ r.mu.RLock()
+ defer r.mu.RUnlock()
+ return r.config
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/client_race_test.go b/vendor/github.com/coreos/go-oidc/oidc/client_race_test.go
new file mode 100644
index 00000000..315eaf24
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/client_race_test.go
@@ -0,0 +1,81 @@
+// This file contains tests which depend on the race detector being enabled.
+// +build race
+
+package oidc
+
+import (
+ "encoding/json"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
+ "testing"
+ "time"
+)
+
+type testProvider struct {
+ baseURL *url.URL
+}
+
+func (p *testProvider) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ if r.URL.Path != discoveryConfigPath {
+ http.NotFound(w, r)
+ return
+ }
+
+ cfg := ProviderConfig{
+ Issuer: p.baseURL,
+ ExpiresAt: time.Now().Add(time.Second),
+ }
+ cfg = fillRequiredProviderFields(cfg)
+ json.NewEncoder(w).Encode(&cfg)
+}
+
+// This test fails by triggering the race detector, not by calling t.Error or t.Fatal.
+func TestProviderSyncRace(t *testing.T) {
+
+ prov := &testProvider{}
+
+ s := httptest.NewServer(prov)
+ defer s.Close()
+ u, err := url.Parse(s.URL)
+ if err != nil {
+ t.Fatal(err)
+ }
+ prov.baseURL = u
+
+ prevValue := minimumProviderConfigSyncInterval
+ defer func() { minimumProviderConfigSyncInterval = prevValue }()
+
+ // Reduce the sync interval to increase the write frequencey.
+ minimumProviderConfigSyncInterval = 5 * time.Millisecond
+
+ cliCfg := ClientConfig{
+ HTTPClient: http.DefaultClient,
+ }
+ cli, err := NewClient(cliCfg)
+ if err != nil {
+ t.Error(err)
+ return
+ }
+
+ if !cli.providerConfig.Get().Empty() {
+ t.Errorf("want c.ProviderConfig == nil, got c.ProviderConfig=%#v")
+ }
+
+ // SyncProviderConfig beings a goroutine which writes to the client's provider config.
+ c := cli.SyncProviderConfig(s.URL)
+ if cli.providerConfig.Get().Empty() {
+ t.Errorf("want c.ProviderConfig != nil")
+ }
+
+ defer func() {
+ // stop the background process
+ c <- struct{}{}
+ }()
+
+ for i := 0; i < 10; i++ {
+ time.Sleep(5 * time.Millisecond)
+ // Creating an OAuth client reads from the provider config.
+ cli.OAuthClient()
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/client_test.go b/vendor/github.com/coreos/go-oidc/oidc/client_test.go
new file mode 100644
index 00000000..a0701b5d
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/client_test.go
@@ -0,0 +1,654 @@
+package oidc
+
+import (
+ "encoding/json"
+ "net/mail"
+ "net/url"
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/go-oidc/key"
+ "github.com/coreos/go-oidc/oauth2"
+ "github.com/kylelemons/godebug/pretty"
+)
+
+func TestNewClientScopeDefault(t *testing.T) {
+ tests := []struct {
+ c ClientConfig
+ e []string
+ }{
+ {
+ // No scope
+ c: ClientConfig{RedirectURL: "http://example.com/redirect"},
+ e: DefaultScope,
+ },
+ {
+ // Nil scope
+ c: ClientConfig{RedirectURL: "http://example.com/redirect", Scope: nil},
+ e: DefaultScope,
+ },
+ {
+ // Empty scope
+ c: ClientConfig{RedirectURL: "http://example.com/redirect", Scope: []string{}},
+ e: []string{},
+ },
+ {
+ // Custom scope equal to default
+ c: ClientConfig{RedirectURL: "http://example.com/redirect", Scope: []string{"openid", "email", "profile"}},
+ e: DefaultScope,
+ },
+ {
+ // Custom scope not including defaults
+ c: ClientConfig{RedirectURL: "http://example.com/redirect", Scope: []string{"foo", "bar"}},
+ e: []string{"foo", "bar"},
+ },
+ {
+ // Custom scopes overlapping with defaults
+ c: ClientConfig{RedirectURL: "http://example.com/redirect", Scope: []string{"openid", "foo"}},
+ e: []string{"openid", "foo"},
+ },
+ }
+
+ for i, tt := range tests {
+ c, err := NewClient(tt.c)
+ if err != nil {
+ t.Errorf("case %d: unexpected error from NewClient: %v", i, err)
+ continue
+ }
+ if !reflect.DeepEqual(tt.e, c.scope) {
+ t.Errorf("case %d: want: %v, got: %v", i, tt.e, c.scope)
+ }
+ }
+}
+
+func TestHealthy(t *testing.T) {
+ now := time.Now().UTC()
+
+ tests := []struct {
+ p ProviderConfig
+ h bool
+ }{
+ // all ok
+ {
+ p: ProviderConfig{
+ Issuer: &url.URL{Scheme: "http", Host: "example.com"},
+ ExpiresAt: now.Add(time.Hour),
+ },
+ h: true,
+ },
+ // zero-value ProviderConfig.ExpiresAt
+ {
+ p: ProviderConfig{
+ Issuer: &url.URL{Scheme: "http", Host: "example.com"},
+ },
+ h: true,
+ },
+ // expired ProviderConfig
+ {
+ p: ProviderConfig{
+ Issuer: &url.URL{Scheme: "http", Host: "example.com"},
+ ExpiresAt: now.Add(time.Hour * -1),
+ },
+ h: false,
+ },
+ // empty ProviderConfig
+ {
+ p: ProviderConfig{},
+ h: false,
+ },
+ }
+
+ for i, tt := range tests {
+ c := &Client{providerConfig: newProviderConfigRepo(tt.p)}
+ err := c.Healthy()
+ want := tt.h
+ got := (err == nil)
+
+ if want != got {
+ t.Errorf("case %d: want: healthy=%v, got: healhty=%v, err: %v", i, want, got, err)
+ }
+ }
+}
+
+func TestClientKeysFuncAll(t *testing.T) {
+ priv1, err := key.GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("failed to generate private key, error=%v", err)
+ }
+
+ priv2, err := key.GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("failed to generate private key, error=%v", err)
+ }
+
+ now := time.Now()
+ future := now.Add(time.Hour)
+ past := now.Add(-1 * time.Hour)
+
+ tests := []struct {
+ keySet *key.PublicKeySet
+ want []key.PublicKey
+ }{
+ // two keys, non-expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{priv2.JWK(), priv1.JWK()}, future),
+ want: []key.PublicKey{*key.NewPublicKey(priv2.JWK()), *key.NewPublicKey(priv1.JWK())},
+ },
+
+ // no keys, non-expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{}, future),
+ want: []key.PublicKey{},
+ },
+
+ // two keys, expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{priv2.JWK(), priv1.JWK()}, past),
+ want: []key.PublicKey{},
+ },
+
+ // no keys, expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{}, past),
+ want: []key.PublicKey{},
+ },
+ }
+
+ for i, tt := range tests {
+ var c Client
+ c.keySet = *tt.keySet
+ keysFunc := c.keysFuncAll()
+ got := keysFunc()
+ if !reflect.DeepEqual(tt.want, got) {
+ t.Errorf("case %d: want=%#v got=%#v", i, tt.want, got)
+ }
+ }
+}
+
+func TestClientKeysFuncWithID(t *testing.T) {
+ priv1, err := key.GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("failed to generate private key, error=%v", err)
+ }
+
+ priv2, err := key.GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("failed to generate private key, error=%v", err)
+ }
+
+ now := time.Now()
+ future := now.Add(time.Hour)
+ past := now.Add(-1 * time.Hour)
+
+ tests := []struct {
+ keySet *key.PublicKeySet
+ argID string
+ want []key.PublicKey
+ }{
+ // two keys, match, non-expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{priv2.JWK(), priv1.JWK()}, future),
+ argID: priv2.ID(),
+ want: []key.PublicKey{*key.NewPublicKey(priv2.JWK())},
+ },
+
+ // two keys, no match, non-expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{priv2.JWK(), priv1.JWK()}, future),
+ argID: "XXX",
+ want: []key.PublicKey{},
+ },
+
+ // no keys, no match, non-expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{}, future),
+ argID: priv2.ID(),
+ want: []key.PublicKey{},
+ },
+
+ // two keys, match, expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{priv2.JWK(), priv1.JWK()}, past),
+ argID: priv2.ID(),
+ want: []key.PublicKey{},
+ },
+
+ // no keys, no match, expired set
+ {
+ keySet: key.NewPublicKeySet([]jose.JWK{}, past),
+ argID: priv2.ID(),
+ want: []key.PublicKey{},
+ },
+ }
+
+ for i, tt := range tests {
+ var c Client
+ c.keySet = *tt.keySet
+ keysFunc := c.keysFuncWithID(tt.argID)
+ got := keysFunc()
+ if !reflect.DeepEqual(tt.want, got) {
+ t.Errorf("case %d: want=%#v got=%#v", i, tt.want, got)
+ }
+ }
+}
+
+func TestClientMetadataValid(t *testing.T) {
+ tests := []ClientMetadata{
+ // one RedirectURL
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "http", Host: "example.com"}},
+ },
+
+ // one RedirectURL w/ nonempty path
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "http", Host: "example.com", Path: "/foo"}},
+ },
+
+ // two RedirectURIs
+ ClientMetadata{
+ RedirectURIs: []url.URL{
+ url.URL{Scheme: "http", Host: "foo.example.com"},
+ url.URL{Scheme: "http", Host: "bar.example.com"},
+ },
+ },
+ }
+
+ for i, tt := range tests {
+ if err := tt.Valid(); err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ }
+ }
+}
+
+func TestClientMetadataInvalid(t *testing.T) {
+ tests := []ClientMetadata{
+ // nil RedirectURls slice
+ ClientMetadata{
+ RedirectURIs: nil,
+ },
+
+ // empty RedirectURIs slice
+ ClientMetadata{
+ RedirectURIs: []url.URL{},
+ },
+
+ // empty url.URL
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{}},
+ },
+
+ // empty url.URL following OK item
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "http", Host: "example.com"}, url.URL{}},
+ },
+
+ // url.URL with empty Host
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "http", Host: ""}},
+ },
+
+ // url.URL with empty Scheme
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "", Host: "example.com"}},
+ },
+
+ // url.URL with non-HTTP(S) Scheme
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "tcp", Host: "127.0.0.1"}},
+ },
+
+ // EncryptionEnc without EncryptionAlg
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "http", Host: "example.com"}},
+ IDTokenResponseOptions: JWAOptions{
+ EncryptionEnc: "A128CBC-HS256",
+ },
+ },
+
+ // List of URIs with one empty element
+ ClientMetadata{
+ RedirectURIs: []url.URL{url.URL{Scheme: "http", Host: "example.com"}},
+ RequestURIs: []url.URL{
+ url.URL{Scheme: "http", Host: "example.com"},
+ url.URL{},
+ },
+ },
+ }
+
+ for i, tt := range tests {
+ if err := tt.Valid(); err == nil {
+ t.Errorf("case %d: expected non-nil error", i)
+ }
+ }
+}
+
+func TestChooseAuthMethod(t *testing.T) {
+ tests := []struct {
+ supported []string
+ chosen string
+ err bool
+ }{
+ {
+ supported: []string{},
+ chosen: oauth2.AuthMethodClientSecretBasic,
+ },
+ {
+ supported: []string{oauth2.AuthMethodClientSecretBasic},
+ chosen: oauth2.AuthMethodClientSecretBasic,
+ },
+ {
+ supported: []string{oauth2.AuthMethodClientSecretPost},
+ chosen: oauth2.AuthMethodClientSecretPost,
+ },
+ {
+ supported: []string{oauth2.AuthMethodClientSecretPost, oauth2.AuthMethodClientSecretBasic},
+ chosen: oauth2.AuthMethodClientSecretPost,
+ },
+ {
+ supported: []string{oauth2.AuthMethodClientSecretBasic, oauth2.AuthMethodClientSecretPost},
+ chosen: oauth2.AuthMethodClientSecretBasic,
+ },
+ {
+ supported: []string{oauth2.AuthMethodClientSecretJWT, oauth2.AuthMethodClientSecretPost},
+ chosen: oauth2.AuthMethodClientSecretPost,
+ },
+ {
+ supported: []string{oauth2.AuthMethodClientSecretJWT},
+ chosen: "",
+ err: true,
+ },
+ }
+
+ for i, tt := range tests {
+ cfg := ProviderConfig{
+ TokenEndpointAuthMethodsSupported: tt.supported,
+ }
+ got, err := chooseAuthMethod(cfg)
+ if tt.err {
+ if err == nil {
+ t.Errorf("case %d: expected non-nil err", i)
+ }
+ continue
+ }
+
+ if got != tt.chosen {
+ t.Errorf("case %d: want=%q, got=%q", i, tt.chosen, got)
+ }
+ }
+}
+
+func TestClientMetadataUnmarshal(t *testing.T) {
+ tests := []struct {
+ data string
+ want ClientMetadata
+ wantErr bool
+ }{
+ {
+ `{"redirect_uris":["https://example.com"]}`,
+ ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com"},
+ },
+ },
+ false,
+ },
+ {
+ // redirect_uris required
+ `{}`,
+ ClientMetadata{},
+ true,
+ },
+ {
+ // must have at least one redirect_uris
+ `{"redirect_uris":[]}`,
+ ClientMetadata{},
+ true,
+ },
+ {
+ `{"redirect_uris":["https://example.com"],"contacts":["Ms. Foo <foo@example.com>"]}`,
+ ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com"},
+ },
+ Contacts: []mail.Address{
+ {Name: "Ms. Foo", Address: "foo@example.com"},
+ },
+ },
+ false,
+ },
+ {
+ // invalid URI provided for field
+ `{"redirect_uris":["https://example.com"],"logo_uri":"not a valid uri"}`,
+ ClientMetadata{},
+ true,
+ },
+ {
+ // logo_uri can't be a list
+ `{"redirect_uris":["https://example.com"],"logo_uri":["https://example.com/logo"]}`,
+ ClientMetadata{},
+ true,
+ },
+ {
+ `{
+ "redirect_uris":["https://example.com"],
+ "userinfo_encrypted_response_alg":"RSA1_5",
+ "userinfo_encrypted_response_enc":"A128CBC-HS256",
+ "contacts": [
+ "jane doe <jane.doe@example.com>", "john doe <john.doe@example.com>"
+ ]
+ }`,
+ ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com"},
+ },
+ UserInfoResponseOptions: JWAOptions{
+ EncryptionAlg: "RSA1_5",
+ EncryptionEnc: "A128CBC-HS256",
+ },
+ Contacts: []mail.Address{
+ {Name: "jane doe", Address: "jane.doe@example.com"},
+ {Name: "john doe", Address: "john.doe@example.com"},
+ },
+ },
+ false,
+ },
+ {
+ // If encrypted_response_enc is provided encrypted_response_alg must also be.
+ `{
+ "redirect_uris":["https://example.com"],
+ "userinfo_encrypted_response_enc":"A128CBC-HS256"
+ }`,
+ ClientMetadata{},
+ true,
+ },
+ }
+ for i, tt := range tests {
+ var got ClientMetadata
+ if err := got.UnmarshalJSON([]byte(tt.data)); err != nil {
+ if !tt.wantErr {
+ t.Errorf("case %d: unmarshal failed: %v", i, err)
+ }
+ continue
+ }
+ if tt.wantErr {
+ t.Errorf("case %d: expected unmarshal to produce error", i)
+ continue
+ }
+
+ if diff := pretty.Compare(tt.want, got); diff != "" {
+ t.Errorf("case %d: results not equal: %s", i, diff)
+ }
+ }
+}
+
+func TestClientMetadataMarshal(t *testing.T) {
+
+ tests := []struct {
+ metadata ClientMetadata
+ want string
+ }{
+ {
+ ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com", Path: "/callback"},
+ },
+ },
+ `{"redirect_uris":["https://example.com/callback"]}`,
+ },
+ {
+ ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com", Path: "/callback"},
+ },
+ RequestObjectOptions: JWAOptions{
+ EncryptionAlg: "RSA1_5",
+ EncryptionEnc: "A128CBC-HS256",
+ },
+ },
+ `{"redirect_uris":["https://example.com/callback"],"request_object_encryption_alg":"RSA1_5","request_object_encryption_enc":"A128CBC-HS256"}`,
+ },
+ }
+
+ for i, tt := range tests {
+ got, err := json.Marshal(&tt.metadata)
+ if err != nil {
+ t.Errorf("case %d: failed to marshal metadata: %v", i, err)
+ continue
+ }
+ if string(got) != tt.want {
+ t.Errorf("case %d: marshaled string did not match expected string", i)
+ }
+ }
+}
+
+func TestClientMetadataMarshalRoundTrip(t *testing.T) {
+ tests := []ClientMetadata{
+ {
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com", Path: "/callback"},
+ },
+ LogoURI: &url.URL{Scheme: "https", Host: "example.com", Path: "/logo"},
+ RequestObjectOptions: JWAOptions{
+ EncryptionAlg: "RSA1_5",
+ EncryptionEnc: "A128CBC-HS256",
+ },
+ ApplicationType: "native",
+ TokenEndpointAuthMethod: "client_secret_basic",
+ },
+ }
+
+ for i, want := range tests {
+ data, err := json.Marshal(&want)
+ if err != nil {
+ t.Errorf("case %d: failed to marshal metadata: %v", i, err)
+ continue
+ }
+ var got ClientMetadata
+ if err := json.Unmarshal(data, &got); err != nil {
+ t.Errorf("case %d: failed to unmarshal metadata: %v", i, err)
+ continue
+ }
+ if diff := pretty.Compare(want, got); diff != "" {
+ t.Errorf("case %d: struct did not survive a marshaling round trip: %s", i, diff)
+ }
+ }
+}
+
+func TestClientRegistrationResponseUnmarshal(t *testing.T) {
+ tests := []struct {
+ data string
+ want ClientRegistrationResponse
+ wantErr bool
+ secretExpires bool
+ }{
+ {
+ `{
+ "client_id":"foo",
+ "client_secret":"bar",
+ "client_secret_expires_at": 1577858400,
+ "redirect_uris":[
+ "https://client.example.org/callback",
+ "https://client.example.org/callback2"
+ ],
+ "client_name":"my_example"
+ }`,
+ ClientRegistrationResponse{
+ ClientID: "foo",
+ ClientSecret: "bar",
+ ClientSecretExpiresAt: time.Unix(1577858400, 0),
+ ClientMetadata: ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "client.example.org", Path: "/callback"},
+ {Scheme: "https", Host: "client.example.org", Path: "/callback2"},
+ },
+ ClientName: "my_example",
+ },
+ },
+ false,
+ true,
+ },
+ {
+ `{
+ "client_id":"foo",
+ "client_secret_expires_at": 0,
+ "redirect_uris":[
+ "https://client.example.org/callback",
+ "https://client.example.org/callback2"
+ ],
+ "client_name":"my_example"
+ }`,
+ ClientRegistrationResponse{
+ ClientID: "foo",
+ ClientMetadata: ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "client.example.org", Path: "/callback"},
+ {Scheme: "https", Host: "client.example.org", Path: "/callback2"},
+ },
+ ClientName: "my_example",
+ },
+ },
+ false,
+ false,
+ },
+ {
+ // no client id
+ `{
+ "client_secret_expires_at": 0,
+ "redirect_uris":[
+ "https://client.example.org/callback",
+ "https://client.example.org/callback2"
+ ],
+ "client_name":"my_example"
+ }`,
+ ClientRegistrationResponse{},
+ true,
+ false,
+ },
+ }
+
+ for i, tt := range tests {
+ var got ClientRegistrationResponse
+ if err := json.Unmarshal([]byte(tt.data), &got); err != nil {
+ if !tt.wantErr {
+ t.Errorf("case %d: unmarshal failed: %v", i, err)
+ }
+ continue
+ }
+
+ if tt.wantErr {
+ t.Errorf("case %d: expected unmarshal to produce error", i)
+ continue
+ }
+
+ if diff := pretty.Compare(tt.want, got); diff != "" {
+ t.Errorf("case %d: results not equal: %s", i, diff)
+ }
+ if tt.secretExpires && got.ClientSecretExpiresAt.IsZero() {
+ t.Errorf("case %d: expected client_secret to expire, but it doesn't", i)
+ } else if !tt.secretExpires && !got.ClientSecretExpiresAt.IsZero() {
+ t.Errorf("case %d: expected client_secret to not expire, but it does", i)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/doc.go b/vendor/github.com/coreos/go-oidc/oidc/doc.go
new file mode 100644
index 00000000..196611ec
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/doc.go
@@ -0,0 +1,2 @@
+// Package oidc is DEPRECATED. Use github.com/coreos/go-oidc instead.
+package oidc
diff --git a/vendor/github.com/coreos/go-oidc/oidc/identity.go b/vendor/github.com/coreos/go-oidc/oidc/identity.go
new file mode 100644
index 00000000..9bfa8e34
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/identity.go
@@ -0,0 +1,44 @@
+package oidc
+
+import (
+ "errors"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+type Identity struct {
+ ID string
+ Name string
+ Email string
+ ExpiresAt time.Time
+}
+
+func IdentityFromClaims(claims jose.Claims) (*Identity, error) {
+ if claims == nil {
+ return nil, errors.New("nil claim set")
+ }
+
+ var ident Identity
+ var err error
+ var ok bool
+
+ if ident.ID, ok, err = claims.StringClaim("sub"); err != nil {
+ return nil, err
+ } else if !ok {
+ return nil, errors.New("missing required claim: sub")
+ }
+
+ if ident.Email, _, err = claims.StringClaim("email"); err != nil {
+ return nil, err
+ }
+
+ exp, ok, err := claims.TimeClaim("exp")
+ if err != nil {
+ return nil, err
+ } else if ok {
+ ident.ExpiresAt = exp
+ }
+
+ return &ident, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/identity_test.go b/vendor/github.com/coreos/go-oidc/oidc/identity_test.go
new file mode 100644
index 00000000..d286c669
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/identity_test.go
@@ -0,0 +1,113 @@
+package oidc
+
+import (
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+func TestIdentityFromClaims(t *testing.T) {
+ tests := []struct {
+ claims jose.Claims
+ want Identity
+ }{
+ {
+ claims: jose.Claims{
+ "sub": "123850281",
+ "name": "Elroy",
+ "email": "elroy@example.com",
+ "exp": float64(1.416935146e+09),
+ },
+ want: Identity{
+ ID: "123850281",
+ Name: "",
+ Email: "elroy@example.com",
+ ExpiresAt: time.Date(2014, time.November, 25, 17, 05, 46, 0, time.UTC),
+ },
+ },
+ {
+ claims: jose.Claims{
+ "sub": "123850281",
+ "name": "Elroy",
+ "exp": float64(1.416935146e+09),
+ },
+ want: Identity{
+ ID: "123850281",
+ Name: "",
+ Email: "",
+ ExpiresAt: time.Date(2014, time.November, 25, 17, 05, 46, 0, time.UTC),
+ },
+ },
+ {
+ claims: jose.Claims{
+ "sub": "123850281",
+ "name": "Elroy",
+ "email": "elroy@example.com",
+ "exp": int64(1416935146),
+ },
+ want: Identity{
+ ID: "123850281",
+ Name: "",
+ Email: "elroy@example.com",
+ ExpiresAt: time.Date(2014, time.November, 25, 17, 05, 46, 0, time.UTC),
+ },
+ },
+ {
+ claims: jose.Claims{
+ "sub": "123850281",
+ "name": "Elroy",
+ "email": "elroy@example.com",
+ },
+ want: Identity{
+ ID: "123850281",
+ Name: "",
+ Email: "elroy@example.com",
+ ExpiresAt: time.Time{},
+ },
+ },
+ }
+
+ for i, tt := range tests {
+ got, err := IdentityFromClaims(tt.claims)
+ if err != nil {
+ t.Errorf("case %d: unexpected error: %v", i, err)
+ continue
+ }
+ if !reflect.DeepEqual(tt.want, *got) {
+ t.Errorf("case %d: want=%#v got=%#v", i, tt.want, *got)
+ }
+ }
+}
+
+func TestIdentityFromClaimsFail(t *testing.T) {
+ tests := []jose.Claims{
+ // sub incorrect type
+ jose.Claims{
+ "sub": 123,
+ "name": "foo",
+ "email": "elroy@example.com",
+ },
+ // email incorrect type
+ jose.Claims{
+ "sub": "123850281",
+ "name": "Elroy",
+ "email": false,
+ },
+ // exp incorrect type
+ jose.Claims{
+ "sub": "123850281",
+ "name": "Elroy",
+ "email": "elroy@example.com",
+ "exp": "2014-11-25 18:05:46 +0000 UTC",
+ },
+ }
+
+ for i, tt := range tests {
+ _, err := IdentityFromClaims(tt)
+ if err == nil {
+ t.Errorf("case %d: expected non-nil error", i)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/interface.go b/vendor/github.com/coreos/go-oidc/oidc/interface.go
new file mode 100644
index 00000000..248cac0b
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/interface.go
@@ -0,0 +1,3 @@
+package oidc
+
+type LoginFunc func(ident Identity, sessionKey string) (redirectURL string, err error)
diff --git a/vendor/github.com/coreos/go-oidc/oidc/key.go b/vendor/github.com/coreos/go-oidc/oidc/key.go
new file mode 100755
index 00000000..82a0f567
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/key.go
@@ -0,0 +1,67 @@
+package oidc
+
+import (
+ "encoding/json"
+ "errors"
+ "net/http"
+ "time"
+
+ phttp "github.com/coreos/go-oidc/http"
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/go-oidc/key"
+)
+
+// DefaultPublicKeySetTTL is the default TTL set on the PublicKeySet if no
+// Cache-Control header is provided by the JWK Set document endpoint.
+const DefaultPublicKeySetTTL = 24 * time.Hour
+
+// NewRemotePublicKeyRepo is responsible for fetching the JWK Set document.
+func NewRemotePublicKeyRepo(hc phttp.Client, ep string) *remotePublicKeyRepo {
+ return &remotePublicKeyRepo{hc: hc, ep: ep}
+}
+
+type remotePublicKeyRepo struct {
+ hc phttp.Client
+ ep string
+}
+
+// Get returns a PublicKeySet fetched from the JWK Set document endpoint. A TTL
+// is set on the Key Set to avoid it having to be re-retrieved for every
+// encryption event. This TTL is typically controlled by the endpoint returning
+// a Cache-Control header, but defaults to 24 hours if no Cache-Control header
+// is found.
+func (r *remotePublicKeyRepo) Get() (key.KeySet, error) {
+ req, err := http.NewRequest("GET", r.ep, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ resp, err := r.hc.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ var d struct {
+ Keys []jose.JWK `json:"keys"`
+ }
+ if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
+ return nil, err
+ }
+
+ if len(d.Keys) == 0 {
+ return nil, errors.New("zero keys in response")
+ }
+
+ ttl, ok, err := phttp.Cacheable(resp.Header)
+ if err != nil {
+ return nil, err
+ }
+ if !ok {
+ ttl = DefaultPublicKeySetTTL
+ }
+
+ exp := time.Now().UTC().Add(ttl)
+ ks := key.NewPublicKeySet(d.Keys, exp)
+ return ks, nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/provider.go b/vendor/github.com/coreos/go-oidc/oidc/provider.go
new file mode 100644
index 00000000..ca283844
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/provider.go
@@ -0,0 +1,690 @@
+package oidc
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "log"
+ "net/http"
+ "net/url"
+ "strings"
+ "sync"
+ "time"
+
+ "github.com/coreos/pkg/timeutil"
+ "github.com/jonboulle/clockwork"
+
+ phttp "github.com/coreos/go-oidc/http"
+ "github.com/coreos/go-oidc/oauth2"
+)
+
+const (
+ // Subject Identifier types defined by the OIDC spec. Specifies if the provider
+ // should provide the same sub claim value to all clients (public) or a unique
+ // value for each client (pairwise).
+ //
+ // See: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
+ SubjectTypePublic = "public"
+ SubjectTypePairwise = "pairwise"
+)
+
+var (
+ // Default values for omitted provider config fields.
+ //
+ // Use ProviderConfig's Defaults method to fill a provider config with these values.
+ DefaultGrantTypesSupported = []string{oauth2.GrantTypeAuthCode, oauth2.GrantTypeImplicit}
+ DefaultResponseModesSupported = []string{"query", "fragment"}
+ DefaultTokenEndpointAuthMethodsSupported = []string{oauth2.AuthMethodClientSecretBasic}
+ DefaultClaimTypesSupported = []string{"normal"}
+)
+
+const (
+ MaximumProviderConfigSyncInterval = 24 * time.Hour
+ MinimumProviderConfigSyncInterval = time.Minute
+
+ discoveryConfigPath = "/.well-known/openid-configuration"
+)
+
+// internally configurable for tests
+var minimumProviderConfigSyncInterval = MinimumProviderConfigSyncInterval
+
+var (
+ // Ensure ProviderConfig satisfies these interfaces.
+ _ json.Marshaler = &ProviderConfig{}
+ _ json.Unmarshaler = &ProviderConfig{}
+)
+
+// ProviderConfig represents the OpenID Provider Metadata specifying what
+// configurations a provider supports.
+//
+// See: http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+type ProviderConfig struct {
+ Issuer *url.URL // Required
+ AuthEndpoint *url.URL // Required
+ TokenEndpoint *url.URL // Required if grant types other than "implicit" are supported
+ UserInfoEndpoint *url.URL
+ KeysEndpoint *url.URL // Required
+ RegistrationEndpoint *url.URL
+ EndSessionEndpoint *url.URL
+ CheckSessionIFrame *url.URL
+
+ // Servers MAY choose not to advertise some supported scope values even when this
+ // parameter is used, although those defined in OpenID Core SHOULD be listed, if supported.
+ ScopesSupported []string
+ // OAuth2.0 response types supported.
+ ResponseTypesSupported []string // Required
+ // OAuth2.0 response modes supported.
+ //
+ // If omitted, defaults to DefaultResponseModesSupported.
+ ResponseModesSupported []string
+ // OAuth2.0 grant types supported.
+ //
+ // If omitted, defaults to DefaultGrantTypesSupported.
+ GrantTypesSupported []string
+ ACRValuesSupported []string
+ // SubjectTypesSupported specifies strategies for providing values for the sub claim.
+ SubjectTypesSupported []string // Required
+
+ // JWA signing and encryption algorith values supported for ID tokens.
+ IDTokenSigningAlgValues []string // Required
+ IDTokenEncryptionAlgValues []string
+ IDTokenEncryptionEncValues []string
+
+ // JWA signing and encryption algorith values supported for user info responses.
+ UserInfoSigningAlgValues []string
+ UserInfoEncryptionAlgValues []string
+ UserInfoEncryptionEncValues []string
+
+ // JWA signing and encryption algorith values supported for request objects.
+ ReqObjSigningAlgValues []string
+ ReqObjEncryptionAlgValues []string
+ ReqObjEncryptionEncValues []string
+
+ TokenEndpointAuthMethodsSupported []string
+ TokenEndpointAuthSigningAlgValuesSupported []string
+ DisplayValuesSupported []string
+ ClaimTypesSupported []string
+ ClaimsSupported []string
+ ServiceDocs *url.URL
+ ClaimsLocalsSupported []string
+ UILocalsSupported []string
+ ClaimsParameterSupported bool
+ RequestParameterSupported bool
+ RequestURIParamaterSupported bool
+ RequireRequestURIRegistration bool
+
+ Policy *url.URL
+ TermsOfService *url.URL
+
+ // Not part of the OpenID Provider Metadata
+ ExpiresAt time.Time
+}
+
+// Defaults returns a shallow copy of ProviderConfig with default
+// values replacing omitted fields.
+//
+// var cfg oidc.ProviderConfig
+// // Fill provider config with default values for omitted fields.
+// cfg = cfg.Defaults()
+//
+func (p ProviderConfig) Defaults() ProviderConfig {
+ setDefault := func(val *[]string, defaultVal []string) {
+ if len(*val) == 0 {
+ *val = defaultVal
+ }
+ }
+ setDefault(&p.GrantTypesSupported, DefaultGrantTypesSupported)
+ setDefault(&p.ResponseModesSupported, DefaultResponseModesSupported)
+ setDefault(&p.TokenEndpointAuthMethodsSupported, DefaultTokenEndpointAuthMethodsSupported)
+ setDefault(&p.ClaimTypesSupported, DefaultClaimTypesSupported)
+ return p
+}
+
+func (p *ProviderConfig) MarshalJSON() ([]byte, error) {
+ e := p.toEncodableStruct()
+ return json.Marshal(&e)
+}
+
+func (p *ProviderConfig) UnmarshalJSON(data []byte) error {
+ var e encodableProviderConfig
+ if err := json.Unmarshal(data, &e); err != nil {
+ return err
+ }
+ conf, err := e.toStruct()
+ if err != nil {
+ return err
+ }
+ if err := conf.Valid(); err != nil {
+ return err
+ }
+ *p = conf
+ return nil
+}
+
+type encodableProviderConfig struct {
+ Issuer string `json:"issuer"`
+ AuthEndpoint string `json:"authorization_endpoint"`
+ TokenEndpoint string `json:"token_endpoint"`
+ UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
+ KeysEndpoint string `json:"jwks_uri"`
+ RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
+ EndSessionEndpoint string `json:"end_session_endpoint,omitempty"`
+ CheckSessionIFrame string `json:"check_session_iframe,omitempty"`
+
+ // Use 'omitempty' for all slices as per OIDC spec:
+ // "Claims that return multiple values are represented as JSON arrays.
+ // Claims with zero elements MUST be omitted from the response."
+ // http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse
+
+ ScopesSupported []string `json:"scopes_supported,omitempty"`
+ ResponseTypesSupported []string `json:"response_types_supported,omitempty"`
+ ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
+ GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
+ ACRValuesSupported []string `json:"acr_values_supported,omitempty"`
+ SubjectTypesSupported []string `json:"subject_types_supported,omitempty"`
+
+ IDTokenSigningAlgValues []string `json:"id_token_signing_alg_values_supported,omitempty"`
+ IDTokenEncryptionAlgValues []string `json:"id_token_encryption_alg_values_supported,omitempty"`
+ IDTokenEncryptionEncValues []string `json:"id_token_encryption_enc_values_supported,omitempty"`
+ UserInfoSigningAlgValues []string `json:"userinfo_signing_alg_values_supported,omitempty"`
+ UserInfoEncryptionAlgValues []string `json:"userinfo_encryption_alg_values_supported,omitempty"`
+ UserInfoEncryptionEncValues []string `json:"userinfo_encryption_enc_values_supported,omitempty"`
+ ReqObjSigningAlgValues []string `json:"request_object_signing_alg_values_supported,omitempty"`
+ ReqObjEncryptionAlgValues []string `json:"request_object_encryption_alg_values_supported,omitempty"`
+ ReqObjEncryptionEncValues []string `json:"request_object_encryption_enc_values_supported,omitempty"`
+
+ TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
+ TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+ DisplayValuesSupported []string `json:"display_values_supported,omitempty"`
+ ClaimTypesSupported []string `json:"claim_types_supported,omitempty"`
+ ClaimsSupported []string `json:"claims_supported,omitempty"`
+ ServiceDocs string `json:"service_documentation,omitempty"`
+ ClaimsLocalsSupported []string `json:"claims_locales_supported,omitempty"`
+ UILocalsSupported []string `json:"ui_locales_supported,omitempty"`
+ ClaimsParameterSupported bool `json:"claims_parameter_supported,omitempty"`
+ RequestParameterSupported bool `json:"request_parameter_supported,omitempty"`
+ RequestURIParamaterSupported bool `json:"request_uri_parameter_supported,omitempty"`
+ RequireRequestURIRegistration bool `json:"require_request_uri_registration,omitempty"`
+
+ Policy string `json:"op_policy_uri,omitempty"`
+ TermsOfService string `json:"op_tos_uri,omitempty"`
+}
+
+func (cfg ProviderConfig) toEncodableStruct() encodableProviderConfig {
+ return encodableProviderConfig{
+ Issuer: uriToString(cfg.Issuer),
+ AuthEndpoint: uriToString(cfg.AuthEndpoint),
+ TokenEndpoint: uriToString(cfg.TokenEndpoint),
+ UserInfoEndpoint: uriToString(cfg.UserInfoEndpoint),
+ KeysEndpoint: uriToString(cfg.KeysEndpoint),
+ RegistrationEndpoint: uriToString(cfg.RegistrationEndpoint),
+ EndSessionEndpoint: uriToString(cfg.EndSessionEndpoint),
+ CheckSessionIFrame: uriToString(cfg.CheckSessionIFrame),
+ ScopesSupported: cfg.ScopesSupported,
+ ResponseTypesSupported: cfg.ResponseTypesSupported,
+ ResponseModesSupported: cfg.ResponseModesSupported,
+ GrantTypesSupported: cfg.GrantTypesSupported,
+ ACRValuesSupported: cfg.ACRValuesSupported,
+ SubjectTypesSupported: cfg.SubjectTypesSupported,
+ IDTokenSigningAlgValues: cfg.IDTokenSigningAlgValues,
+ IDTokenEncryptionAlgValues: cfg.IDTokenEncryptionAlgValues,
+ IDTokenEncryptionEncValues: cfg.IDTokenEncryptionEncValues,
+ UserInfoSigningAlgValues: cfg.UserInfoSigningAlgValues,
+ UserInfoEncryptionAlgValues: cfg.UserInfoEncryptionAlgValues,
+ UserInfoEncryptionEncValues: cfg.UserInfoEncryptionEncValues,
+ ReqObjSigningAlgValues: cfg.ReqObjSigningAlgValues,
+ ReqObjEncryptionAlgValues: cfg.ReqObjEncryptionAlgValues,
+ ReqObjEncryptionEncValues: cfg.ReqObjEncryptionEncValues,
+ TokenEndpointAuthMethodsSupported: cfg.TokenEndpointAuthMethodsSupported,
+ TokenEndpointAuthSigningAlgValuesSupported: cfg.TokenEndpointAuthSigningAlgValuesSupported,
+ DisplayValuesSupported: cfg.DisplayValuesSupported,
+ ClaimTypesSupported: cfg.ClaimTypesSupported,
+ ClaimsSupported: cfg.ClaimsSupported,
+ ServiceDocs: uriToString(cfg.ServiceDocs),
+ ClaimsLocalsSupported: cfg.ClaimsLocalsSupported,
+ UILocalsSupported: cfg.UILocalsSupported,
+ ClaimsParameterSupported: cfg.ClaimsParameterSupported,
+ RequestParameterSupported: cfg.RequestParameterSupported,
+ RequestURIParamaterSupported: cfg.RequestURIParamaterSupported,
+ RequireRequestURIRegistration: cfg.RequireRequestURIRegistration,
+ Policy: uriToString(cfg.Policy),
+ TermsOfService: uriToString(cfg.TermsOfService),
+ }
+}
+
+func (e encodableProviderConfig) toStruct() (ProviderConfig, error) {
+ p := stickyErrParser{}
+ conf := ProviderConfig{
+ Issuer: p.parseURI(e.Issuer, "issuer"),
+ AuthEndpoint: p.parseURI(e.AuthEndpoint, "authorization_endpoint"),
+ TokenEndpoint: p.parseURI(e.TokenEndpoint, "token_endpoint"),
+ UserInfoEndpoint: p.parseURI(e.UserInfoEndpoint, "userinfo_endpoint"),
+ KeysEndpoint: p.parseURI(e.KeysEndpoint, "jwks_uri"),
+ RegistrationEndpoint: p.parseURI(e.RegistrationEndpoint, "registration_endpoint"),
+ EndSessionEndpoint: p.parseURI(e.EndSessionEndpoint, "end_session_endpoint"),
+ CheckSessionIFrame: p.parseURI(e.CheckSessionIFrame, "check_session_iframe"),
+ ScopesSupported: e.ScopesSupported,
+ ResponseTypesSupported: e.ResponseTypesSupported,
+ ResponseModesSupported: e.ResponseModesSupported,
+ GrantTypesSupported: e.GrantTypesSupported,
+ ACRValuesSupported: e.ACRValuesSupported,
+ SubjectTypesSupported: e.SubjectTypesSupported,
+ IDTokenSigningAlgValues: e.IDTokenSigningAlgValues,
+ IDTokenEncryptionAlgValues: e.IDTokenEncryptionAlgValues,
+ IDTokenEncryptionEncValues: e.IDTokenEncryptionEncValues,
+ UserInfoSigningAlgValues: e.UserInfoSigningAlgValues,
+ UserInfoEncryptionAlgValues: e.UserInfoEncryptionAlgValues,
+ UserInfoEncryptionEncValues: e.UserInfoEncryptionEncValues,
+ ReqObjSigningAlgValues: e.ReqObjSigningAlgValues,
+ ReqObjEncryptionAlgValues: e.ReqObjEncryptionAlgValues,
+ ReqObjEncryptionEncValues: e.ReqObjEncryptionEncValues,
+ TokenEndpointAuthMethodsSupported: e.TokenEndpointAuthMethodsSupported,
+ TokenEndpointAuthSigningAlgValuesSupported: e.TokenEndpointAuthSigningAlgValuesSupported,
+ DisplayValuesSupported: e.DisplayValuesSupported,
+ ClaimTypesSupported: e.ClaimTypesSupported,
+ ClaimsSupported: e.ClaimsSupported,
+ ServiceDocs: p.parseURI(e.ServiceDocs, "service_documentation"),
+ ClaimsLocalsSupported: e.ClaimsLocalsSupported,
+ UILocalsSupported: e.UILocalsSupported,
+ ClaimsParameterSupported: e.ClaimsParameterSupported,
+ RequestParameterSupported: e.RequestParameterSupported,
+ RequestURIParamaterSupported: e.RequestURIParamaterSupported,
+ RequireRequestURIRegistration: e.RequireRequestURIRegistration,
+ Policy: p.parseURI(e.Policy, "op_policy-uri"),
+ TermsOfService: p.parseURI(e.TermsOfService, "op_tos_uri"),
+ }
+ if p.firstErr != nil {
+ return ProviderConfig{}, p.firstErr
+ }
+ return conf, nil
+}
+
+// Empty returns if a ProviderConfig holds no information.
+//
+// This case generally indicates a ProviderConfigGetter has experienced an error
+// and has nothing to report.
+func (p ProviderConfig) Empty() bool {
+ return p.Issuer == nil
+}
+
+func contains(sli []string, ele string) bool {
+ for _, s := range sli {
+ if s == ele {
+ return true
+ }
+ }
+ return false
+}
+
+// Valid determines if a ProviderConfig conforms with the OIDC specification.
+// If Valid returns successfully it guarantees required field are non-nil and
+// URLs are well formed.
+//
+// Valid is called by UnmarshalJSON.
+//
+// NOTE(ericchiang): For development purposes Valid does not mandate 'https' for
+// URLs fields where the OIDC spec requires it. This may change in future releases
+// of this package. See: https://github.com/coreos/go-oidc/issues/34
+func (p ProviderConfig) Valid() error {
+ grantTypes := p.GrantTypesSupported
+ if len(grantTypes) == 0 {
+ grantTypes = DefaultGrantTypesSupported
+ }
+ implicitOnly := true
+ for _, grantType := range grantTypes {
+ if grantType != oauth2.GrantTypeImplicit {
+ implicitOnly = false
+ break
+ }
+ }
+
+ if len(p.SubjectTypesSupported) == 0 {
+ return errors.New("missing required field subject_types_supported")
+ }
+ if len(p.IDTokenSigningAlgValues) == 0 {
+ return errors.New("missing required field id_token_signing_alg_values_supported")
+ }
+
+ if len(p.ScopesSupported) != 0 && !contains(p.ScopesSupported, "openid") {
+ return errors.New("scoped_supported must be unspecified or include 'openid'")
+ }
+
+ if !contains(p.IDTokenSigningAlgValues, "RS256") {
+ return errors.New("id_token_signing_alg_values_supported must include 'RS256'")
+ }
+ if contains(p.TokenEndpointAuthMethodsSupported, "none") {
+ return errors.New("token_endpoint_auth_signing_alg_values_supported cannot include 'none'")
+ }
+
+ uris := []struct {
+ val *url.URL
+ name string
+ required bool
+ }{
+ {p.Issuer, "issuer", true},
+ {p.AuthEndpoint, "authorization_endpoint", true},
+ {p.TokenEndpoint, "token_endpoint", !implicitOnly},
+ {p.UserInfoEndpoint, "userinfo_endpoint", false},
+ {p.KeysEndpoint, "jwks_uri", true},
+ {p.RegistrationEndpoint, "registration_endpoint", false},
+ {p.EndSessionEndpoint, "end_session_endpoint", false},
+ {p.CheckSessionIFrame, "check_session_iframe", false},
+ {p.ServiceDocs, "service_documentation", false},
+ {p.Policy, "op_policy_uri", false},
+ {p.TermsOfService, "op_tos_uri", false},
+ }
+
+ for _, uri := range uris {
+ if uri.val == nil {
+ if !uri.required {
+ continue
+ }
+ return fmt.Errorf("empty value for required uri field %s", uri.name)
+ }
+ if uri.val.Host == "" {
+ return fmt.Errorf("no host for uri field %s", uri.name)
+ }
+ if uri.val.Scheme != "http" && uri.val.Scheme != "https" {
+ return fmt.Errorf("uri field %s schemeis not http or https", uri.name)
+ }
+ }
+ return nil
+}
+
+// Supports determines if provider supports a client given their respective metadata.
+func (p ProviderConfig) Supports(c ClientMetadata) error {
+ if err := p.Valid(); err != nil {
+ return fmt.Errorf("invalid provider config: %v", err)
+ }
+ if err := c.Valid(); err != nil {
+ return fmt.Errorf("invalid client config: %v", err)
+ }
+
+ // Fill default values for omitted fields
+ c = c.Defaults()
+ p = p.Defaults()
+
+ // Do the supported values list the requested one?
+ supports := []struct {
+ supported []string
+ requested string
+ name string
+ }{
+ {p.IDTokenSigningAlgValues, c.IDTokenResponseOptions.SigningAlg, "id_token_signed_response_alg"},
+ {p.IDTokenEncryptionAlgValues, c.IDTokenResponseOptions.EncryptionAlg, "id_token_encryption_response_alg"},
+ {p.IDTokenEncryptionEncValues, c.IDTokenResponseOptions.EncryptionEnc, "id_token_encryption_response_enc"},
+ {p.UserInfoSigningAlgValues, c.UserInfoResponseOptions.SigningAlg, "userinfo_signed_response_alg"},
+ {p.UserInfoEncryptionAlgValues, c.UserInfoResponseOptions.EncryptionAlg, "userinfo_encryption_response_alg"},
+ {p.UserInfoEncryptionEncValues, c.UserInfoResponseOptions.EncryptionEnc, "userinfo_encryption_response_enc"},
+ {p.ReqObjSigningAlgValues, c.RequestObjectOptions.SigningAlg, "request_object_signing_alg"},
+ {p.ReqObjEncryptionAlgValues, c.RequestObjectOptions.EncryptionAlg, "request_object_encryption_alg"},
+ {p.ReqObjEncryptionEncValues, c.RequestObjectOptions.EncryptionEnc, "request_object_encryption_enc"},
+ }
+ for _, field := range supports {
+ if field.requested == "" {
+ continue
+ }
+ if !contains(field.supported, field.requested) {
+ return fmt.Errorf("provider does not support requested value for field %s", field.name)
+ }
+ }
+
+ stringsEqual := func(s1, s2 string) bool { return s1 == s2 }
+
+ // For lists, are the list of requested values a subset of the supported ones?
+ supportsAll := []struct {
+ supported []string
+ requested []string
+ name string
+ // OAuth2.0 response_type can be space separated lists where order doesn't matter.
+ // For example "id_token token" is the same as "token id_token"
+ // Support a custom compare method.
+ comp func(s1, s2 string) bool
+ }{
+ {p.GrantTypesSupported, c.GrantTypes, "grant_types", stringsEqual},
+ {p.ResponseTypesSupported, c.ResponseTypes, "response_type", oauth2.ResponseTypesEqual},
+ }
+ for _, field := range supportsAll {
+ requestLoop:
+ for _, req := range field.requested {
+ for _, sup := range field.supported {
+ if field.comp(req, sup) {
+ continue requestLoop
+ }
+ }
+ return fmt.Errorf("provider does not support requested value for field %s", field.name)
+ }
+ }
+
+ // TODO(ericchiang): Are there more checks we feel comfortable with begin strict about?
+
+ return nil
+}
+
+func (p ProviderConfig) SupportsGrantType(grantType string) bool {
+ var supported []string
+ if len(p.GrantTypesSupported) == 0 {
+ supported = DefaultGrantTypesSupported
+ } else {
+ supported = p.GrantTypesSupported
+ }
+
+ for _, t := range supported {
+ if t == grantType {
+ return true
+ }
+ }
+ return false
+}
+
+type ProviderConfigGetter interface {
+ Get() (ProviderConfig, error)
+}
+
+type ProviderConfigSetter interface {
+ Set(ProviderConfig) error
+}
+
+type ProviderConfigSyncer struct {
+ from ProviderConfigGetter
+ to ProviderConfigSetter
+ clock clockwork.Clock
+
+ initialSyncDone bool
+ initialSyncWait sync.WaitGroup
+}
+
+func NewProviderConfigSyncer(from ProviderConfigGetter, to ProviderConfigSetter) *ProviderConfigSyncer {
+ return &ProviderConfigSyncer{
+ from: from,
+ to: to,
+ clock: clockwork.NewRealClock(),
+ }
+}
+
+func (s *ProviderConfigSyncer) Run() chan struct{} {
+ stop := make(chan struct{})
+
+ var next pcsStepper
+ next = &pcsStepNext{aft: time.Duration(0)}
+
+ s.initialSyncWait.Add(1)
+ go func() {
+ for {
+ select {
+ case <-s.clock.After(next.after()):
+ next = next.step(s.sync)
+ case <-stop:
+ return
+ }
+ }
+ }()
+
+ return stop
+}
+
+func (s *ProviderConfigSyncer) WaitUntilInitialSync() {
+ s.initialSyncWait.Wait()
+}
+
+func (s *ProviderConfigSyncer) sync() (time.Duration, error) {
+ cfg, err := s.from.Get()
+ if err != nil {
+ return 0, err
+ }
+
+ if err = s.to.Set(cfg); err != nil {
+ return 0, fmt.Errorf("error setting provider config: %v", err)
+ }
+
+ if !s.initialSyncDone {
+ s.initialSyncWait.Done()
+ s.initialSyncDone = true
+ }
+
+ return nextSyncAfter(cfg.ExpiresAt, s.clock), nil
+}
+
+type pcsStepFunc func() (time.Duration, error)
+
+type pcsStepper interface {
+ after() time.Duration
+ step(pcsStepFunc) pcsStepper
+}
+
+type pcsStepNext struct {
+ aft time.Duration
+}
+
+func (n *pcsStepNext) after() time.Duration {
+ return n.aft
+}
+
+func (n *pcsStepNext) step(fn pcsStepFunc) (next pcsStepper) {
+ ttl, err := fn()
+ if err == nil {
+ next = &pcsStepNext{aft: ttl}
+ } else {
+ next = &pcsStepRetry{aft: time.Second}
+ log.Printf("go-oidc: provider config sync falied, retyring in %v: %v", next.after(), err)
+ }
+ return
+}
+
+type pcsStepRetry struct {
+ aft time.Duration
+}
+
+func (r *pcsStepRetry) after() time.Duration {
+ return r.aft
+}
+
+func (r *pcsStepRetry) step(fn pcsStepFunc) (next pcsStepper) {
+ ttl, err := fn()
+ if err == nil {
+ next = &pcsStepNext{aft: ttl}
+ } else {
+ next = &pcsStepRetry{aft: timeutil.ExpBackoff(r.aft, time.Minute)}
+ log.Printf("go-oidc: provider config sync falied, retyring in %v: %v", next.after(), err)
+ }
+ return
+}
+
+func nextSyncAfter(exp time.Time, clock clockwork.Clock) time.Duration {
+ if exp.IsZero() {
+ return MaximumProviderConfigSyncInterval
+ }
+
+ t := exp.Sub(clock.Now()) / 2
+ if t > MaximumProviderConfigSyncInterval {
+ t = MaximumProviderConfigSyncInterval
+ } else if t < minimumProviderConfigSyncInterval {
+ t = minimumProviderConfigSyncInterval
+ }
+
+ return t
+}
+
+type httpProviderConfigGetter struct {
+ hc phttp.Client
+ issuerURL string
+ clock clockwork.Clock
+}
+
+func NewHTTPProviderConfigGetter(hc phttp.Client, issuerURL string) *httpProviderConfigGetter {
+ return &httpProviderConfigGetter{
+ hc: hc,
+ issuerURL: issuerURL,
+ clock: clockwork.NewRealClock(),
+ }
+}
+
+func (r *httpProviderConfigGetter) Get() (cfg ProviderConfig, err error) {
+ // If the Issuer value contains a path component, any terminating / MUST be removed before
+ // appending /.well-known/openid-configuration.
+ // https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest
+ discoveryURL := strings.TrimSuffix(r.issuerURL, "/") + discoveryConfigPath
+ req, err := http.NewRequest("GET", discoveryURL, nil)
+ if err != nil {
+ return
+ }
+
+ resp, err := r.hc.Do(req)
+ if err != nil {
+ return
+ }
+ defer resp.Body.Close()
+
+ if err = json.NewDecoder(resp.Body).Decode(&cfg); err != nil {
+ return
+ }
+
+ var ttl time.Duration
+ var ok bool
+ ttl, ok, err = phttp.Cacheable(resp.Header)
+ if err != nil {
+ return
+ } else if ok {
+ cfg.ExpiresAt = r.clock.Now().UTC().Add(ttl)
+ }
+
+ // The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information.
+ // http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation
+ if !urlEqual(cfg.Issuer.String(), r.issuerURL) {
+ err = fmt.Errorf(`"issuer" in config (%v) does not match provided issuer URL (%v)`, cfg.Issuer, r.issuerURL)
+ return
+ }
+
+ return
+}
+
+func FetchProviderConfig(hc phttp.Client, issuerURL string) (ProviderConfig, error) {
+ if hc == nil {
+ hc = http.DefaultClient
+ }
+
+ g := NewHTTPProviderConfigGetter(hc, issuerURL)
+ return g.Get()
+}
+
+func WaitForProviderConfig(hc phttp.Client, issuerURL string) (pcfg ProviderConfig) {
+ return waitForProviderConfig(hc, issuerURL, clockwork.NewRealClock())
+}
+
+func waitForProviderConfig(hc phttp.Client, issuerURL string, clock clockwork.Clock) (pcfg ProviderConfig) {
+ var sleep time.Duration
+ var err error
+ for {
+ pcfg, err = FetchProviderConfig(hc, issuerURL)
+ if err == nil {
+ break
+ }
+
+ sleep = timeutil.ExpBackoff(sleep, time.Minute)
+ fmt.Printf("Failed fetching provider config, trying again in %v: %v\n", sleep, err)
+ time.Sleep(sleep)
+ }
+
+ return
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/provider_test.go b/vendor/github.com/coreos/go-oidc/oidc/provider_test.go
new file mode 100644
index 00000000..8dfa121c
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/provider_test.go
@@ -0,0 +1,940 @@
+package oidc
+
+import (
+ "bytes"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io/ioutil"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+ "github.com/kylelemons/godebug/diff"
+ "github.com/kylelemons/godebug/pretty"
+
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/go-oidc/oauth2"
+)
+
+func TestProviderConfigDefaults(t *testing.T) {
+ var cfg ProviderConfig
+ cfg = cfg.Defaults()
+ tests := []struct {
+ got, want []string
+ name string
+ }{
+ {cfg.GrantTypesSupported, DefaultGrantTypesSupported, "grant types"},
+ {cfg.ResponseModesSupported, DefaultResponseModesSupported, "response modes"},
+ {cfg.ClaimTypesSupported, DefaultClaimTypesSupported, "claim types"},
+ {
+ cfg.TokenEndpointAuthMethodsSupported,
+ DefaultTokenEndpointAuthMethodsSupported,
+ "token endpoint auth methods",
+ },
+ }
+
+ for _, tt := range tests {
+ if diff := pretty.Compare(tt.want, tt.got); diff != "" {
+ t.Errorf("%s: did not match %s", tt.name, diff)
+ }
+ }
+}
+
+func TestProviderConfigUnmarshal(t *testing.T) {
+
+ // helper for quickly creating uris
+ uri := func(path string) *url.URL {
+ return &url.URL{
+ Scheme: "https",
+ Host: "server.example.com",
+ Path: path,
+ }
+ }
+
+ tests := []struct {
+ data string
+ want ProviderConfig
+ wantErr bool
+ }{
+ {
+ data: `{
+ "issuer": "https://server.example.com",
+ "authorization_endpoint": "https://server.example.com/connect/authorize",
+ "token_endpoint": "https://server.example.com/connect/token",
+ "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
+ "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
+ "userinfo_endpoint": "https://server.example.com/connect/userinfo",
+ "jwks_uri": "https://server.example.com/jwks.json",
+ "registration_endpoint": "https://server.example.com/connect/register",
+ "scopes_supported": [
+ "openid", "profile", "email", "address", "phone", "offline_access"
+ ],
+ "response_types_supported": [
+ "code", "code id_token", "id_token", "id_token token"
+ ],
+ "acr_values_supported": [
+ "urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze"
+ ],
+ "subject_types_supported": ["public", "pairwise"],
+ "userinfo_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
+ "userinfo_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
+ "userinfo_encryption_enc_values_supported": ["A128CBC-HS256", "A128GCM"],
+ "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
+ "id_token_encryption_alg_values_supported": ["RSA1_5", "A128KW"],
+ "id_token_encryption_enc_values_supported": ["A128CBC-HS256", "A128GCM"],
+ "request_object_signing_alg_values_supported": ["none", "RS256", "ES256"],
+ "display_values_supported": ["page", "popup"],
+ "claim_types_supported": ["normal", "distributed"],
+ "claims_supported": [
+ "sub", "iss", "auth_time", "acr", "name", "given_name",
+ "family_name", "nickname", "profile", "picture", "website",
+ "email", "email_verified", "locale", "zoneinfo",
+ "http://example.info/claims/groups"
+ ],
+ "claims_parameter_supported": true,
+ "service_documentation": "https://server.example.com/connect/service_documentation.html",
+ "ui_locales_supported": ["en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"]
+ }
+ `,
+ want: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "server.example.com"},
+ AuthEndpoint: uri("/connect/authorize"),
+ TokenEndpoint: uri("/connect/token"),
+ TokenEndpointAuthMethodsSupported: []string{
+ oauth2.AuthMethodClientSecretBasic, oauth2.AuthMethodPrivateKeyJWT,
+ },
+ TokenEndpointAuthSigningAlgValuesSupported: []string{
+ jose.AlgRS256, jose.AlgES256,
+ },
+ UserInfoEndpoint: uri("/connect/userinfo"),
+ KeysEndpoint: uri("/jwks.json"),
+ RegistrationEndpoint: uri("/connect/register"),
+ ScopesSupported: []string{
+ "openid", "profile", "email", "address", "phone", "offline_access",
+ },
+ ResponseTypesSupported: []string{
+ oauth2.ResponseTypeCode, oauth2.ResponseTypeCodeIDToken,
+ oauth2.ResponseTypeIDToken, oauth2.ResponseTypeIDTokenToken,
+ },
+ ACRValuesSupported: []string{
+ "urn:mace:incommon:iap:silver", "urn:mace:incommon:iap:bronze",
+ },
+ SubjectTypesSupported: []string{
+ SubjectTypePublic, SubjectTypePairwise,
+ },
+ UserInfoSigningAlgValues: []string{jose.AlgRS256, jose.AlgES256, jose.AlgHS256},
+ UserInfoEncryptionAlgValues: []string{"RSA1_5", "A128KW"},
+ UserInfoEncryptionEncValues: []string{"A128CBC-HS256", "A128GCM"},
+ IDTokenSigningAlgValues: []string{jose.AlgRS256, jose.AlgES256, jose.AlgHS256},
+ IDTokenEncryptionAlgValues: []string{"RSA1_5", "A128KW"},
+ IDTokenEncryptionEncValues: []string{"A128CBC-HS256", "A128GCM"},
+ ReqObjSigningAlgValues: []string{jose.AlgNone, jose.AlgRS256, jose.AlgES256},
+ DisplayValuesSupported: []string{"page", "popup"},
+ ClaimTypesSupported: []string{"normal", "distributed"},
+ ClaimsSupported: []string{
+ "sub", "iss", "auth_time", "acr", "name", "given_name",
+ "family_name", "nickname", "profile", "picture", "website",
+ "email", "email_verified", "locale", "zoneinfo",
+ "http://example.info/claims/groups",
+ },
+ ClaimsParameterSupported: true,
+ ServiceDocs: uri("/connect/service_documentation.html"),
+ UILocalsSupported: []string{"en-US", "en-GB", "en-CA", "fr-FR", "fr-CA"},
+ },
+ wantErr: false,
+ },
+ {
+ // missing a lot of required field
+ data: `{}`,
+ wantErr: true,
+ },
+ {
+ data: `{
+ "issuer": "https://server.example.com",
+ "authorization_endpoint": "https://server.example.com/connect/authorize",
+ "token_endpoint": "https://server.example.com/connect/token",
+ "jwks_uri": "https://server.example.com/jwks.json",
+ "response_types_supported": [
+ "code", "code id_token", "id_token", "id_token token"
+ ],
+ "subject_types_supported": ["public", "pairwise"],
+ "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"]
+ }
+ `,
+ want: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "server.example.com"},
+ AuthEndpoint: uri("/connect/authorize"),
+ TokenEndpoint: uri("/connect/token"),
+ KeysEndpoint: uri("/jwks.json"),
+ ResponseTypesSupported: []string{
+ oauth2.ResponseTypeCode, oauth2.ResponseTypeCodeIDToken,
+ oauth2.ResponseTypeIDToken, oauth2.ResponseTypeIDTokenToken,
+ },
+ SubjectTypesSupported: []string{
+ SubjectTypePublic, SubjectTypePairwise,
+ },
+ IDTokenSigningAlgValues: []string{jose.AlgRS256, jose.AlgES256, jose.AlgHS256},
+ },
+ wantErr: false,
+ },
+ {
+ // invalid scheme 'ftp://'
+ data: `{
+ "issuer": "https://server.example.com",
+ "authorization_endpoint": "https://server.example.com/connect/authorize",
+ "token_endpoint": "https://server.example.com/connect/token",
+ "jwks_uri": "ftp://server.example.com/jwks.json",
+ "response_types_supported": [
+ "code", "code id_token", "id_token", "id_token token"
+ ],
+ "subject_types_supported": ["public", "pairwise"],
+ "id_token_signing_alg_values_supported": ["RS256", "ES256", "HS256"]
+ }
+ `,
+ wantErr: true,
+ },
+ }
+ for i, tt := range tests {
+ var got ProviderConfig
+ if err := json.Unmarshal([]byte(tt.data), &got); err != nil {
+ if !tt.wantErr {
+ t.Errorf("case %d: failed to unmarshal provider config: %v", i, err)
+ }
+ continue
+ }
+ if tt.wantErr {
+ t.Errorf("case %d: expected error", i)
+ continue
+ }
+ if diff := pretty.Compare(tt.want, got); diff != "" {
+ t.Errorf("case %d: unmarshaled struct did not match expected %s", i, diff)
+ }
+ }
+
+}
+
+func TestProviderConfigMarshal(t *testing.T) {
+ tests := []struct {
+ cfg ProviderConfig
+ want string
+ }{
+ {
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "auth.example.com"},
+ AuthEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/auth",
+ },
+ TokenEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/token",
+ },
+ UserInfoEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/userinfo",
+ },
+ KeysEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/jwk",
+ },
+ ResponseTypesSupported: []string{oauth2.ResponseTypeCode},
+ SubjectTypesSupported: []string{SubjectTypePublic},
+ IDTokenSigningAlgValues: []string{jose.AlgRS256},
+ },
+ // spacing must match json.MarshalIndent(cfg, "", "\t")
+ want: `{
+ "issuer": "https://auth.example.com",
+ "authorization_endpoint": "https://auth.example.com/auth",
+ "token_endpoint": "https://auth.example.com/token",
+ "userinfo_endpoint": "https://auth.example.com/userinfo",
+ "jwks_uri": "https://auth.example.com/jwk",
+ "response_types_supported": [
+ "code"
+ ],
+ "subject_types_supported": [
+ "public"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "RS256"
+ ]
+}`,
+ },
+ {
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "auth.example.com"},
+ AuthEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/auth",
+ },
+ TokenEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/token",
+ },
+ UserInfoEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/userinfo",
+ },
+ KeysEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/jwk",
+ },
+ RegistrationEndpoint: &url.URL{
+ Scheme: "https", Host: "auth.example.com", Path: "/register",
+ },
+ ScopesSupported: DefaultScope,
+ ResponseTypesSupported: []string{oauth2.ResponseTypeCode},
+ ResponseModesSupported: DefaultResponseModesSupported,
+ GrantTypesSupported: []string{oauth2.GrantTypeAuthCode},
+ SubjectTypesSupported: []string{SubjectTypePublic},
+ IDTokenSigningAlgValues: []string{jose.AlgRS256},
+ ServiceDocs: &url.URL{Scheme: "https", Host: "example.com", Path: "/docs"},
+ },
+ // spacing must match json.MarshalIndent(cfg, "", "\t")
+ want: `{
+ "issuer": "https://auth.example.com",
+ "authorization_endpoint": "https://auth.example.com/auth",
+ "token_endpoint": "https://auth.example.com/token",
+ "userinfo_endpoint": "https://auth.example.com/userinfo",
+ "jwks_uri": "https://auth.example.com/jwk",
+ "registration_endpoint": "https://auth.example.com/register",
+ "scopes_supported": [
+ "openid",
+ "email",
+ "profile"
+ ],
+ "response_types_supported": [
+ "code"
+ ],
+ "response_modes_supported": [
+ "query",
+ "fragment"
+ ],
+ "grant_types_supported": [
+ "authorization_code"
+ ],
+ "subject_types_supported": [
+ "public"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "RS256"
+ ],
+ "service_documentation": "https://example.com/docs"
+}`,
+ },
+ }
+
+ for i, tt := range tests {
+ got, err := json.MarshalIndent(&tt.cfg, "", "\t")
+ if err != nil {
+ t.Errorf("case %d: failed to marshal config: %v", i, err)
+ continue
+ }
+ if d := diff.Diff(string(got), string(tt.want)); d != "" {
+ t.Errorf("case %d: expected did not match result: %s", i, d)
+ }
+
+ var cfg ProviderConfig
+ if err := json.Unmarshal(got, &cfg); err != nil {
+ t.Errorf("case %d: could not unmarshal marshal response: %v", i, err)
+ continue
+ }
+
+ if d := pretty.Compare(tt.cfg, cfg); d != "" {
+ t.Errorf("case %d: config did not survive JSON marshaling round trip: %s", i, d)
+ }
+ }
+
+}
+
+func TestProviderConfigSupports(t *testing.T) {
+ tests := []struct {
+ provider ProviderConfig
+ client ClientMetadata
+ fillRequiredProviderFields bool
+ ok bool
+ }{
+ {
+ provider: ProviderConfig{},
+ client: ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com", Path: "/callback"},
+ },
+ },
+ fillRequiredProviderFields: true,
+ ok: true,
+ },
+ {
+ // invalid provider config
+ provider: ProviderConfig{},
+ client: ClientMetadata{
+ RedirectURIs: []url.URL{
+ {Scheme: "https", Host: "example.com", Path: "/callback"},
+ },
+ },
+ fillRequiredProviderFields: false,
+ ok: false,
+ },
+ {
+ // invalid client config
+ provider: ProviderConfig{},
+ client: ClientMetadata{},
+ fillRequiredProviderFields: true,
+ ok: false,
+ },
+ }
+
+ for i, tt := range tests {
+ if tt.fillRequiredProviderFields {
+ tt.provider = fillRequiredProviderFields(tt.provider)
+ }
+
+ err := tt.provider.Supports(tt.client)
+ if err == nil && !tt.ok {
+ t.Errorf("case %d: expected non-nil error", i)
+ }
+ if err != nil && tt.ok {
+ t.Errorf("case %d: supports failed: %v", i, err)
+ }
+ }
+}
+
+func newValidProviderConfig() ProviderConfig {
+ var cfg ProviderConfig
+ return fillRequiredProviderFields(cfg)
+}
+
+// fill a provider config with enough information to be valid
+func fillRequiredProviderFields(cfg ProviderConfig) ProviderConfig {
+ if cfg.Issuer == nil {
+ cfg.Issuer = &url.URL{Scheme: "https", Host: "auth.example.com"}
+ }
+ urlPath := func(path string) *url.URL {
+ var u url.URL
+ u = *cfg.Issuer
+ u.Path = path
+ return &u
+ }
+ cfg.AuthEndpoint = urlPath("/auth")
+ cfg.TokenEndpoint = urlPath("/token")
+ cfg.UserInfoEndpoint = urlPath("/userinfo")
+ cfg.KeysEndpoint = urlPath("/jwk")
+ cfg.ResponseTypesSupported = []string{oauth2.ResponseTypeCode}
+ cfg.SubjectTypesSupported = []string{SubjectTypePublic}
+ cfg.IDTokenSigningAlgValues = []string{jose.AlgRS256}
+ return cfg
+}
+
+type fakeProviderConfigGetterSetter struct {
+ cfg *ProviderConfig
+ getCount int
+ setCount int
+}
+
+func (g *fakeProviderConfigGetterSetter) Get() (ProviderConfig, error) {
+ g.getCount++
+ return *g.cfg, nil
+}
+
+func (g *fakeProviderConfigGetterSetter) Set(cfg ProviderConfig) error {
+ g.cfg = &cfg
+ g.setCount++
+ return nil
+}
+
+type fakeProviderConfigHandler struct {
+ cfg ProviderConfig
+ maxAge time.Duration
+}
+
+func (s *fakeProviderConfigHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ b, _ := json.Marshal(&s.cfg)
+ if s.maxAge.Seconds() >= 0 {
+ w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%d", int(s.maxAge.Seconds())))
+ }
+ w.Header().Set("Content-Type", "application/json")
+ w.Write(b)
+}
+
+func TestProviderConfigRequiredFields(t *testing.T) {
+ // Ensure provider metadata responses have all the required fields.
+ // taken from https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+ requiredFields := []string{
+ "issuer",
+ "authorization_endpoint",
+ "token_endpoint", // "This is REQUIRED unless only the Implicit Flow is used."
+ "jwks_uri",
+ "response_types_supported",
+ "subject_types_supported",
+ "id_token_signing_alg_values_supported",
+ }
+
+ svr := &fakeProviderConfigHandler{
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "http", Host: "example.com"},
+ ExpiresAt: time.Now().Add(time.Minute),
+ },
+ maxAge: time.Minute,
+ }
+ svr.cfg = fillRequiredProviderFields(svr.cfg)
+ s := httptest.NewServer(svr)
+ defer s.Close()
+
+ resp, err := http.Get(s.URL + "/")
+ if err != nil {
+ t.Errorf("get: %v", err)
+ return
+ }
+ defer resp.Body.Close()
+ var data map[string]interface{}
+ if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
+ t.Errorf("decode: %v", err)
+ return
+ }
+ for _, field := range requiredFields {
+ if _, ok := data[field]; !ok {
+ t.Errorf("provider metadata does not have required field '%s'", field)
+ }
+ }
+}
+
+type handlerClient struct {
+ Handler http.Handler
+}
+
+func (hc *handlerClient) Do(r *http.Request) (*http.Response, error) {
+ w := httptest.NewRecorder()
+ hc.Handler.ServeHTTP(w, r)
+
+ resp := http.Response{
+ StatusCode: w.Code,
+ Header: w.Header(),
+ Body: ioutil.NopCloser(w.Body),
+ }
+
+ return &resp, nil
+}
+
+func TestHTTPProviderConfigGetter(t *testing.T) {
+ svr := &fakeProviderConfigHandler{}
+ hc := &handlerClient{Handler: svr}
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+
+ tests := []struct {
+ dsc string
+ age time.Duration
+ cfg ProviderConfig
+ ok bool
+ }{
+ // everything is good
+ {
+ dsc: "https://example.com",
+ age: time.Minute,
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ ExpiresAt: now.Add(time.Minute),
+ },
+ ok: true,
+ },
+ // iss and disco url differ by scheme only (how google works)
+ {
+ dsc: "https://example.com",
+ age: time.Minute,
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ ExpiresAt: now.Add(time.Minute),
+ },
+ ok: true,
+ },
+ // issuer and discovery URL mismatch
+ {
+ dsc: "https://foo.com",
+ age: time.Minute,
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ ExpiresAt: now.Add(time.Minute),
+ },
+ ok: false,
+ },
+ // missing cache header results in zero ExpiresAt
+ {
+ dsc: "https://example.com",
+ age: -1,
+ cfg: ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ },
+ ok: true,
+ },
+ }
+
+ for i, tt := range tests {
+ tt.cfg = fillRequiredProviderFields(tt.cfg)
+ svr.cfg = tt.cfg
+ svr.maxAge = tt.age
+ getter := NewHTTPProviderConfigGetter(hc, tt.dsc)
+ getter.clock = fc
+
+ got, err := getter.Get()
+ if err != nil {
+ if tt.ok {
+ t.Errorf("test %d: unexpected error: %v", i, err)
+ }
+ continue
+ }
+
+ if !tt.ok {
+ t.Errorf("test %d: expected error", i)
+ continue
+ }
+
+ if !reflect.DeepEqual(tt.cfg, got) {
+ t.Errorf("test %d: want: %#v, got: %#v", i, tt.cfg, got)
+ }
+ }
+}
+
+func TestProviderConfigSyncerRun(t *testing.T) {
+ c1 := &ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ }
+ c2 := &ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ }
+
+ tests := []struct {
+ first *ProviderConfig
+ advance time.Duration
+ second *ProviderConfig
+ firstExp time.Duration
+ secondExp time.Duration
+ count int
+ }{
+ // exp is 10m, should have same config after 1s
+ {
+ first: c1,
+ firstExp: time.Duration(10 * time.Minute),
+ advance: time.Minute,
+ second: c1,
+ secondExp: time.Duration(10 * time.Minute),
+ count: 1,
+ },
+ // exp is 10m, should have new config after 10/2 = 5m
+ {
+ first: c1,
+ firstExp: time.Duration(10 * time.Minute),
+ advance: time.Duration(5 * time.Minute),
+ second: c2,
+ secondExp: time.Duration(10 * time.Minute),
+ count: 2,
+ },
+ // exp is 20m, should have new config after 20/2 = 10m
+ {
+ first: c1,
+ firstExp: time.Duration(20 * time.Minute),
+ advance: time.Duration(10 * time.Minute),
+ second: c2,
+ secondExp: time.Duration(30 * time.Minute),
+ count: 2,
+ },
+ }
+
+ assertCfg := func(i int, to *fakeProviderConfigGetterSetter, want ProviderConfig) {
+ got, err := to.Get()
+ if err != nil {
+ t.Fatalf("test %d: unable to get config: %v", i, err)
+ }
+ if !reflect.DeepEqual(want, got) {
+ t.Fatalf("test %d: incorrect state:\nwant=%#v\ngot=%#v", i, want, got)
+ }
+ }
+
+ for i, tt := range tests {
+ from := &fakeProviderConfigGetterSetter{}
+ to := &fakeProviderConfigGetterSetter{}
+
+ fc := clockwork.NewFakeClock()
+ now := fc.Now().UTC()
+ syncer := NewProviderConfigSyncer(from, to)
+ syncer.clock = fc
+
+ tt.first.ExpiresAt = now.Add(tt.firstExp)
+ tt.second.ExpiresAt = now.Add(tt.secondExp)
+ if err := from.Set(*tt.first); err != nil {
+ t.Fatalf("test %d: unexpected error: %v", i, err)
+ }
+
+ stop := syncer.Run()
+ defer close(stop)
+ fc.BlockUntil(1)
+
+ // first sync
+ assertCfg(i, to, *tt.first)
+
+ if err := from.Set(*tt.second); err != nil {
+ t.Fatalf("test %d: unexpected error: %v", i, err)
+ }
+
+ fc.Advance(tt.advance)
+ fc.BlockUntil(1)
+
+ // second sync
+ assertCfg(i, to, *tt.second)
+
+ if tt.count != from.getCount {
+ t.Fatalf("test %d: want: %v, got: %v", i, tt.count, from.getCount)
+ }
+ }
+}
+
+type staticProviderConfigGetter struct {
+ cfg ProviderConfig
+ err error
+}
+
+func (g *staticProviderConfigGetter) Get() (ProviderConfig, error) {
+ return g.cfg, g.err
+}
+
+type staticProviderConfigSetter struct {
+ cfg *ProviderConfig
+ err error
+}
+
+func (s *staticProviderConfigSetter) Set(cfg ProviderConfig) error {
+ s.cfg = &cfg
+ return s.err
+}
+
+func TestProviderConfigSyncerSyncFailure(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+
+ tests := []struct {
+ from *staticProviderConfigGetter
+ to *staticProviderConfigSetter
+
+ // want indicates what ProviderConfig should be passed to Set.
+ // If nil, the Set should not be called.
+ want *ProviderConfig
+ }{
+ // generic Get failure
+ {
+ from: &staticProviderConfigGetter{err: errors.New("fail")},
+ to: &staticProviderConfigSetter{},
+ want: nil,
+ },
+ // generic Set failure
+ {
+ from: &staticProviderConfigGetter{cfg: ProviderConfig{ExpiresAt: fc.Now().Add(time.Minute)}},
+ to: &staticProviderConfigSetter{err: errors.New("fail")},
+ want: &ProviderConfig{ExpiresAt: fc.Now().Add(time.Minute)},
+ },
+ }
+
+ for i, tt := range tests {
+ pcs := &ProviderConfigSyncer{
+ from: tt.from,
+ to: tt.to,
+ clock: fc,
+ }
+ _, err := pcs.sync()
+ if err == nil {
+ t.Errorf("case %d: expected non-nil error", i)
+ }
+ if !reflect.DeepEqual(tt.want, tt.to.cfg) {
+ t.Errorf("case %d: Set mismatch: want=%#v got=%#v", i, tt.want, tt.to.cfg)
+ }
+ }
+}
+
+func TestNextSyncAfter(t *testing.T) {
+ fc := clockwork.NewFakeClock()
+
+ tests := []struct {
+ exp time.Time
+ want time.Duration
+ }{
+ {
+ exp: fc.Now().Add(time.Hour),
+ want: 30 * time.Minute,
+ },
+ // override large values with the maximum
+ {
+ exp: fc.Now().Add(168 * time.Hour), // one week
+ want: 24 * time.Hour,
+ },
+ // override "now" values with the minimum
+ {
+ exp: fc.Now(),
+ want: time.Minute,
+ },
+ // override negative values with the minimum
+ {
+ exp: fc.Now().Add(-1 * time.Minute),
+ want: time.Minute,
+ },
+ // zero-value Time results in maximum sync interval
+ {
+ exp: time.Time{},
+ want: 24 * time.Hour,
+ },
+ }
+
+ for i, tt := range tests {
+ got := nextSyncAfter(tt.exp, fc)
+ if tt.want != got {
+ t.Errorf("case %d: want=%v got=%v", i, tt.want, got)
+ }
+ }
+}
+
+func TestProviderConfigEmpty(t *testing.T) {
+ cfg := ProviderConfig{}
+ if !cfg.Empty() {
+ t.Fatalf("Empty provider config reports non-empty")
+ }
+ cfg = ProviderConfig{
+ Issuer: &url.URL{Scheme: "https", Host: "example.com"},
+ }
+ if cfg.Empty() {
+ t.Fatalf("Non-empty provider config reports empty")
+ }
+}
+
+func TestPCSStepAfter(t *testing.T) {
+ pass := func() (time.Duration, error) { return 7 * time.Second, nil }
+ fail := func() (time.Duration, error) { return 0, errors.New("fail") }
+
+ tests := []struct {
+ stepper pcsStepper
+ stepFunc pcsStepFunc
+ want pcsStepper
+ }{
+ // good step results in retry at TTL
+ {
+ stepper: &pcsStepNext{},
+ stepFunc: pass,
+ want: &pcsStepNext{aft: 7 * time.Second},
+ },
+
+ // good step after failed step results results in retry at TTL
+ {
+ stepper: &pcsStepRetry{aft: 2 * time.Second},
+ stepFunc: pass,
+ want: &pcsStepNext{aft: 7 * time.Second},
+ },
+
+ // failed step results in a retry in 1s
+ {
+ stepper: &pcsStepNext{},
+ stepFunc: fail,
+ want: &pcsStepRetry{aft: time.Second},
+ },
+
+ // failed retry backs off by a factor of 2
+ {
+ stepper: &pcsStepRetry{aft: time.Second},
+ stepFunc: fail,
+ want: &pcsStepRetry{aft: 2 * time.Second},
+ },
+
+ // failed retry backs off by a factor of 2, up to 1m
+ {
+ stepper: &pcsStepRetry{aft: 32 * time.Second},
+ stepFunc: fail,
+ want: &pcsStepRetry{aft: 60 * time.Second},
+ },
+ }
+
+ for i, tt := range tests {
+ got := tt.stepper.step(tt.stepFunc)
+ if !reflect.DeepEqual(tt.want, got) {
+ t.Errorf("case %d: want=%#v got=%#v", i, tt.want, got)
+ }
+ }
+}
+
+func TestProviderConfigSupportsGrantType(t *testing.T) {
+ tests := []struct {
+ types []string
+ typ string
+ want bool
+ }{
+ // explicitly supported
+ {
+ types: []string{"foo_type"},
+ typ: "foo_type",
+ want: true,
+ },
+
+ // explicitly unsupported
+ {
+ types: []string{"bar_type"},
+ typ: "foo_type",
+ want: false,
+ },
+
+ // default type explicitly unsupported
+ {
+ types: []string{oauth2.GrantTypeImplicit},
+ typ: oauth2.GrantTypeAuthCode,
+ want: false,
+ },
+
+ // type not found in default set
+ {
+ types: []string{},
+ typ: "foo_type",
+ want: false,
+ },
+
+ // type found in default set
+ {
+ types: []string{},
+ typ: oauth2.GrantTypeAuthCode,
+ want: true,
+ },
+ }
+
+ for i, tt := range tests {
+ cfg := ProviderConfig{
+ GrantTypesSupported: tt.types,
+ }
+ got := cfg.SupportsGrantType(tt.typ)
+ if tt.want != got {
+ t.Errorf("case %d: assert %v supports %v: want=%t got=%t", i, tt.types, tt.typ, tt.want, got)
+ }
+ }
+}
+
+type fakeClient struct {
+ resp *http.Response
+}
+
+func (f *fakeClient) Do(req *http.Request) (*http.Response, error) {
+ return f.resp, nil
+}
+
+func TestWaitForProviderConfigImmediateSuccess(t *testing.T) {
+ cfg := newValidProviderConfig()
+ b, err := json.Marshal(&cfg)
+ if err != nil {
+ t.Fatalf("Failed marshaling provider config")
+ }
+
+ resp := http.Response{Body: ioutil.NopCloser(bytes.NewBuffer(b))}
+ hc := &fakeClient{&resp}
+ fc := clockwork.NewFakeClock()
+
+ reschan := make(chan ProviderConfig)
+ go func() {
+ reschan <- waitForProviderConfig(hc, cfg.Issuer.String(), fc)
+ }()
+
+ var got ProviderConfig
+ select {
+ case got = <-reschan:
+ case <-time.After(time.Second):
+ t.Fatalf("Did not receive result within 1s")
+ }
+
+ if !reflect.DeepEqual(cfg, got) {
+ t.Fatalf("Received incorrect provider config: want=%#v got=%#v", cfg, got)
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/transport.go b/vendor/github.com/coreos/go-oidc/oidc/transport.go
new file mode 100644
index 00000000..61c926d7
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/transport.go
@@ -0,0 +1,88 @@
+package oidc
+
+import (
+ "fmt"
+ "net/http"
+ "sync"
+
+ phttp "github.com/coreos/go-oidc/http"
+ "github.com/coreos/go-oidc/jose"
+)
+
+type TokenRefresher interface {
+ // Verify checks if the provided token is currently valid or not.
+ Verify(jose.JWT) error
+
+ // Refresh attempts to authenticate and retrieve a new token.
+ Refresh() (jose.JWT, error)
+}
+
+type ClientCredsTokenRefresher struct {
+ Issuer string
+ OIDCClient *Client
+}
+
+func (c *ClientCredsTokenRefresher) Verify(jwt jose.JWT) (err error) {
+ _, err = VerifyClientClaims(jwt, c.Issuer)
+ return
+}
+
+func (c *ClientCredsTokenRefresher) Refresh() (jwt jose.JWT, err error) {
+ if err = c.OIDCClient.Healthy(); err != nil {
+ err = fmt.Errorf("unable to authenticate, unhealthy OIDC client: %v", err)
+ return
+ }
+
+ jwt, err = c.OIDCClient.ClientCredsToken([]string{"openid"})
+ if err != nil {
+ err = fmt.Errorf("unable to verify auth code with issuer: %v", err)
+ return
+ }
+
+ return
+}
+
+type AuthenticatedTransport struct {
+ TokenRefresher
+ http.RoundTripper
+
+ mu sync.Mutex
+ jwt jose.JWT
+}
+
+func (t *AuthenticatedTransport) verifiedJWT() (jose.JWT, error) {
+ t.mu.Lock()
+ defer t.mu.Unlock()
+
+ if t.TokenRefresher.Verify(t.jwt) == nil {
+ return t.jwt, nil
+ }
+
+ jwt, err := t.TokenRefresher.Refresh()
+ if err != nil {
+ return jose.JWT{}, fmt.Errorf("unable to acquire valid JWT: %v", err)
+ }
+
+ t.jwt = jwt
+ return t.jwt, nil
+}
+
+// SetJWT sets the JWT held by the Transport.
+// This is useful for cases in which you want to set an initial JWT.
+func (t *AuthenticatedTransport) SetJWT(jwt jose.JWT) {
+ t.mu.Lock()
+ defer t.mu.Unlock()
+
+ t.jwt = jwt
+}
+
+func (t *AuthenticatedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
+ jwt, err := t.verifiedJWT()
+ if err != nil {
+ return nil, err
+ }
+
+ req := phttp.CopyRequest(r)
+ req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", jwt.Encode()))
+ return t.RoundTripper.RoundTrip(req)
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/transport_test.go b/vendor/github.com/coreos/go-oidc/oidc/transport_test.go
new file mode 100644
index 00000000..9ef909aa
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/transport_test.go
@@ -0,0 +1,176 @@
+package oidc
+
+import (
+ "errors"
+ "net/http"
+ "reflect"
+ "testing"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+type staticTokenRefresher struct {
+ verify func(jose.JWT) error
+ refresh func() (jose.JWT, error)
+}
+
+func (s *staticTokenRefresher) Verify(jwt jose.JWT) error {
+ return s.verify(jwt)
+}
+
+func (s *staticTokenRefresher) Refresh() (jose.JWT, error) {
+ return s.refresh()
+}
+
+func TestAuthenticatedTransportVerifiedJWT(t *testing.T) {
+ tests := []struct {
+ refresher TokenRefresher
+ startJWT jose.JWT
+ wantJWT jose.JWT
+ wantError error
+ }{
+ // verification succeeds, so refresh is not called
+ {
+ refresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return nil },
+ refresh: func() (jose.JWT, error) { return jose.JWT{RawPayload: "2"}, nil },
+ },
+ startJWT: jose.JWT{RawPayload: "1"},
+ wantJWT: jose.JWT{RawPayload: "1"},
+ },
+
+ // verification fails, refresh succeeds so cached JWT changes
+ {
+ refresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return errors.New("fail!") },
+ refresh: func() (jose.JWT, error) { return jose.JWT{RawPayload: "2"}, nil },
+ },
+ startJWT: jose.JWT{RawPayload: "1"},
+ wantJWT: jose.JWT{RawPayload: "2"},
+ },
+
+ // verification succeeds, so failing refresh isn't attempted
+ {
+ refresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return nil },
+ refresh: func() (jose.JWT, error) { return jose.JWT{}, errors.New("fail!") },
+ },
+ startJWT: jose.JWT{RawPayload: "1"},
+ wantJWT: jose.JWT{RawPayload: "1"},
+ },
+
+ // verification fails, but refresh fails, too
+ {
+ refresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return errors.New("fail!") },
+ refresh: func() (jose.JWT, error) { return jose.JWT{}, errors.New("fail!") },
+ },
+ startJWT: jose.JWT{RawPayload: "1"},
+ wantJWT: jose.JWT{},
+ wantError: errors.New("unable to acquire valid JWT: fail!"),
+ },
+ }
+
+ for i, tt := range tests {
+ at := &AuthenticatedTransport{
+ TokenRefresher: tt.refresher,
+ }
+ at.SetJWT(tt.startJWT)
+
+ gotJWT, err := at.verifiedJWT()
+ if !reflect.DeepEqual(tt.wantError, err) {
+ t.Errorf("#%d: unexpected error: want=%#v got=%#v", i, tt.wantError, err)
+ }
+ if !reflect.DeepEqual(tt.wantJWT, gotJWT) {
+ t.Errorf("#%d: incorrect JWT returned from verifiedJWT: want=%#v got=%#v", i, tt.wantJWT, gotJWT)
+ }
+ }
+}
+
+func TestAuthenticatedTransportJWTCaching(t *testing.T) {
+ at := &AuthenticatedTransport{
+ TokenRefresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return errors.New("fail!") },
+ refresh: func() (jose.JWT, error) { return jose.JWT{RawPayload: "2"}, nil },
+ },
+ jwt: jose.JWT{RawPayload: "1"},
+ }
+
+ wantJWT := jose.JWT{RawPayload: "2"}
+ gotJWT, err := at.verifiedJWT()
+ if err != nil {
+ t.Fatalf("got non-nil error: %#v", err)
+ }
+ if !reflect.DeepEqual(wantJWT, gotJWT) {
+ t.Fatalf("incorrect JWT returned from verifiedJWT: want=%#v got=%#v", wantJWT, gotJWT)
+ }
+
+ at.TokenRefresher = &staticTokenRefresher{
+ verify: func(jose.JWT) error { return nil },
+ refresh: func() (jose.JWT, error) { return jose.JWT{RawPayload: "3"}, nil },
+ }
+
+ // the previous JWT should still be cached on the AuthenticatedTransport since
+ // it is still valid, even though there's a new token ready to refresh
+ gotJWT, err = at.verifiedJWT()
+ if err != nil {
+ t.Fatalf("got non-nil error: %#v", err)
+ }
+ if !reflect.DeepEqual(wantJWT, gotJWT) {
+ t.Fatalf("incorrect JWT returned from verifiedJWT: want=%#v got=%#v", wantJWT, gotJWT)
+ }
+}
+
+type fakeRoundTripper struct {
+ Request *http.Request
+ resp *http.Response
+}
+
+func (r *fakeRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+ r.Request = req
+ return r.resp, nil
+}
+
+func TestAuthenticatedTransportRoundTrip(t *testing.T) {
+ rr := &fakeRoundTripper{nil, &http.Response{StatusCode: http.StatusOK}}
+ at := &AuthenticatedTransport{
+ TokenRefresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return nil },
+ },
+ RoundTripper: rr,
+ jwt: jose.JWT{RawPayload: "1"},
+ }
+
+ req := http.Request{}
+ _, err := at.RoundTrip(&req)
+ if err != nil {
+ t.Errorf("unexpected error: %v", err)
+ }
+
+ if !reflect.DeepEqual(req, http.Request{}) {
+ t.Errorf("http.Request object was modified")
+ }
+
+ want := []string{"Bearer .1."}
+ got := rr.Request.Header["Authorization"]
+ if !reflect.DeepEqual(want, got) {
+ t.Errorf("incorrect Authorization header: want=%#v got=%#v", want, got)
+ }
+}
+
+func TestAuthenticatedTransportRoundTripRefreshFail(t *testing.T) {
+ rr := &fakeRoundTripper{nil, &http.Response{StatusCode: http.StatusOK}}
+ at := &AuthenticatedTransport{
+ TokenRefresher: &staticTokenRefresher{
+ verify: func(jose.JWT) error { return errors.New("fail!") },
+ refresh: func() (jose.JWT, error) { return jose.JWT{}, errors.New("fail!") },
+ },
+ RoundTripper: rr,
+ jwt: jose.JWT{RawPayload: "1"},
+ }
+
+ _, err := at.RoundTrip(&http.Request{})
+ if err == nil {
+ t.Errorf("expected non-nil error")
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/util.go b/vendor/github.com/coreos/go-oidc/oidc/util.go
new file mode 100644
index 00000000..f2a5a195
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/util.go
@@ -0,0 +1,109 @@
+package oidc
+
+import (
+ "crypto/rand"
+ "encoding/base64"
+ "errors"
+ "fmt"
+ "net"
+ "net/http"
+ "net/url"
+ "strings"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+// RequestTokenExtractor funcs extract a raw encoded token from a request.
+type RequestTokenExtractor func(r *http.Request) (string, error)
+
+// ExtractBearerToken is a RequestTokenExtractor which extracts a bearer token from a request's
+// Authorization header.
+func ExtractBearerToken(r *http.Request) (string, error) {
+ ah := r.Header.Get("Authorization")
+ if ah == "" {
+ return "", errors.New("missing Authorization header")
+ }
+
+ if len(ah) <= 6 || strings.ToUpper(ah[0:6]) != "BEARER" {
+ return "", errors.New("should be a bearer token")
+ }
+
+ val := ah[7:]
+ if len(val) == 0 {
+ return "", errors.New("bearer token is empty")
+ }
+
+ return val, nil
+}
+
+// CookieTokenExtractor returns a RequestTokenExtractor which extracts a token from the named cookie in a request.
+func CookieTokenExtractor(cookieName string) RequestTokenExtractor {
+ return func(r *http.Request) (string, error) {
+ ck, err := r.Cookie(cookieName)
+ if err != nil {
+ return "", fmt.Errorf("token cookie not found in request: %v", err)
+ }
+
+ if ck.Value == "" {
+ return "", errors.New("token cookie found but is empty")
+ }
+
+ return ck.Value, nil
+ }
+}
+
+func NewClaims(iss, sub string, aud interface{}, iat, exp time.Time) jose.Claims {
+ return jose.Claims{
+ // required
+ "iss": iss,
+ "sub": sub,
+ "aud": aud,
+ "iat": iat.Unix(),
+ "exp": exp.Unix(),
+ }
+}
+
+func GenClientID(hostport string) (string, error) {
+ b, err := randBytes(32)
+ if err != nil {
+ return "", err
+ }
+
+ var host string
+ if strings.Contains(hostport, ":") {
+ host, _, err = net.SplitHostPort(hostport)
+ if err != nil {
+ return "", err
+ }
+ } else {
+ host = hostport
+ }
+
+ return fmt.Sprintf("%s@%s", base64.URLEncoding.EncodeToString(b), host), nil
+}
+
+func randBytes(n int) ([]byte, error) {
+ b := make([]byte, n)
+ got, err := rand.Read(b)
+ if err != nil {
+ return nil, err
+ } else if n != got {
+ return nil, errors.New("unable to generate enough random data")
+ }
+ return b, nil
+}
+
+// urlEqual checks two urls for equality using only the host and path portions.
+func urlEqual(url1, url2 string) bool {
+ u1, err := url.Parse(url1)
+ if err != nil {
+ return false
+ }
+ u2, err := url.Parse(url2)
+ if err != nil {
+ return false
+ }
+
+ return strings.ToLower(u1.Host+u1.Path) == strings.ToLower(u2.Host+u2.Path)
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/util_test.go b/vendor/github.com/coreos/go-oidc/oidc/util_test.go
new file mode 100644
index 00000000..c4b8f16b
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/util_test.go
@@ -0,0 +1,110 @@
+package oidc
+
+import (
+ "fmt"
+ "net/http"
+ "reflect"
+ "testing"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+)
+
+func TestCookieTokenExtractorInvalid(t *testing.T) {
+ ckName := "tokenCookie"
+ tests := []*http.Cookie{
+ &http.Cookie{},
+ &http.Cookie{Name: ckName},
+ &http.Cookie{Name: ckName, Value: ""},
+ }
+
+ for i, tt := range tests {
+ r, _ := http.NewRequest("", "", nil)
+ r.AddCookie(tt)
+ _, err := CookieTokenExtractor(ckName)(r)
+ if err == nil {
+ t.Errorf("case %d: want: error for invalid cookie token, got: no error.", i)
+ }
+ }
+}
+
+func TestCookieTokenExtractorValid(t *testing.T) {
+ validToken := "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+ ckName := "tokenCookie"
+ tests := []*http.Cookie{
+ &http.Cookie{Name: ckName, Value: "some non-empty value"},
+ &http.Cookie{Name: ckName, Value: validToken},
+ }
+
+ for i, tt := range tests {
+ r, _ := http.NewRequest("", "", nil)
+ r.AddCookie(tt)
+ _, err := CookieTokenExtractor(ckName)(r)
+ if err != nil {
+ t.Errorf("case %d: want: valid cookie with no error, got: %v", i, err)
+ }
+ }
+}
+
+func TestExtractBearerTokenInvalid(t *testing.T) {
+ tests := []string{"", "x", "Bearer", "xxxxxxx", "Bearer "}
+
+ for i, tt := range tests {
+ r, _ := http.NewRequest("", "", nil)
+ r.Header.Add("Authorization", tt)
+ _, err := ExtractBearerToken(r)
+ if err == nil {
+ t.Errorf("case %d: want: invalid Authorization header, got: valid Authorization header.", i)
+ }
+ }
+}
+
+func TestExtractBearerTokenValid(t *testing.T) {
+ validToken := "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+ tests := []string{
+ fmt.Sprintf("Bearer %s", validToken),
+ }
+
+ for i, tt := range tests {
+ r, _ := http.NewRequest("", "", nil)
+ r.Header.Add("Authorization", tt)
+ _, err := ExtractBearerToken(r)
+ if err != nil {
+ t.Errorf("case %d: want: valid Authorization header, got: invalid Authorization header: %v.", i, err)
+ }
+ }
+}
+
+func TestNewClaims(t *testing.T) {
+ issAt := time.Date(2, time.January, 1, 0, 0, 0, 0, time.UTC)
+ expAt := time.Date(2, time.January, 1, 1, 0, 0, 0, time.UTC)
+
+ want := jose.Claims{
+ "iss": "https://example.com",
+ "sub": "user-123",
+ "aud": "client-abc",
+ "iat": issAt.Unix(),
+ "exp": expAt.Unix(),
+ }
+
+ got := NewClaims("https://example.com", "user-123", "client-abc", issAt, expAt)
+
+ if !reflect.DeepEqual(want, got) {
+ t.Fatalf("want=%#v got=%#v", want, got)
+ }
+
+ want2 := jose.Claims{
+ "iss": "https://example.com",
+ "sub": "user-123",
+ "aud": []string{"client-abc", "client-def"},
+ "iat": issAt.Unix(),
+ "exp": expAt.Unix(),
+ }
+
+ got2 := NewClaims("https://example.com", "user-123", []string{"client-abc", "client-def"}, issAt, expAt)
+
+ if !reflect.DeepEqual(want2, got2) {
+ t.Fatalf("want=%#v got=%#v", want2, got2)
+ }
+
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/verification.go b/vendor/github.com/coreos/go-oidc/oidc/verification.go
new file mode 100644
index 00000000..d9c6afa6
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/verification.go
@@ -0,0 +1,190 @@
+package oidc
+
+import (
+ "errors"
+ "fmt"
+ "time"
+
+ "github.com/jonboulle/clockwork"
+
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/go-oidc/key"
+)
+
+func VerifySignature(jwt jose.JWT, keys []key.PublicKey) (bool, error) {
+ jwtBytes := []byte(jwt.Data())
+ for _, k := range keys {
+ v, err := k.Verifier()
+ if err != nil {
+ return false, err
+ }
+ if v.Verify(jwt.Signature, jwtBytes) == nil {
+ return true, nil
+ }
+ }
+ return false, nil
+}
+
+// containsString returns true if the given string(needle) is found
+// in the string array(haystack).
+func containsString(needle string, haystack []string) bool {
+ for _, v := range haystack {
+ if v == needle {
+ return true
+ }
+ }
+ return false
+}
+
+// Verify claims in accordance with OIDC spec
+// http://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
+func VerifyClaims(jwt jose.JWT, issuer, clientID string) error {
+ now := time.Now().UTC()
+
+ claims, err := jwt.Claims()
+ if err != nil {
+ return err
+ }
+
+ ident, err := IdentityFromClaims(claims)
+ if err != nil {
+ return err
+ }
+
+ if ident.ExpiresAt.Before(now) {
+ return errors.New("token is expired")
+ }
+
+ // iss REQUIRED. Issuer Identifier for the Issuer of the response.
+ // The iss value is a case sensitive URL using the https scheme that contains scheme,
+ // host, and optionally, port number and path components and no query or fragment components.
+ if iss, exists := claims["iss"].(string); exists {
+ if !urlEqual(iss, issuer) {
+ return fmt.Errorf("invalid claim value: 'iss'. expected=%s, found=%s.", issuer, iss)
+ }
+ } else {
+ return errors.New("missing claim: 'iss'")
+ }
+
+ // iat REQUIRED. Time at which the JWT was issued.
+ // Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z
+ // as measured in UTC until the date/time.
+ if _, exists := claims["iat"].(float64); !exists {
+ return errors.New("missing claim: 'iat'")
+ }
+
+ // aud REQUIRED. Audience(s) that this ID Token is intended for.
+ // It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.
+ // It MAY also contain identifiers for other audiences. In the general case, the aud
+ // value is an array of case sensitive strings. In the common special case when there
+ // is one audience, the aud value MAY be a single case sensitive string.
+ if aud, ok, err := claims.StringClaim("aud"); err == nil && ok {
+ if aud != clientID {
+ return fmt.Errorf("invalid claims, 'aud' claim and 'client_id' do not match, aud=%s, client_id=%s", aud, clientID)
+ }
+ } else if aud, ok, err := claims.StringsClaim("aud"); err == nil && ok {
+ if !containsString(clientID, aud) {
+ return fmt.Errorf("invalid claims, cannot find 'client_id' in 'aud' claim, aud=%v, client_id=%s", aud, clientID)
+ }
+ } else {
+ return errors.New("invalid claim value: 'aud' is required, and should be either string or string array")
+ }
+
+ return nil
+}
+
+// VerifyClientClaims verifies all the required claims are valid for a "client credentials" JWT.
+// Returns the client ID if valid, or an error if invalid.
+func VerifyClientClaims(jwt jose.JWT, issuer string) (string, error) {
+ claims, err := jwt.Claims()
+ if err != nil {
+ return "", fmt.Errorf("failed to parse JWT claims: %v", err)
+ }
+
+ iss, ok, err := claims.StringClaim("iss")
+ if err != nil {
+ return "", fmt.Errorf("failed to parse 'iss' claim: %v", err)
+ } else if !ok {
+ return "", errors.New("missing required 'iss' claim")
+ } else if !urlEqual(iss, issuer) {
+ return "", fmt.Errorf("'iss' claim does not match expected issuer, iss=%s", iss)
+ }
+
+ sub, ok, err := claims.StringClaim("sub")
+ if err != nil {
+ return "", fmt.Errorf("failed to parse 'sub' claim: %v", err)
+ } else if !ok {
+ return "", errors.New("missing required 'sub' claim")
+ }
+
+ if aud, ok, err := claims.StringClaim("aud"); err == nil && ok {
+ if aud != sub {
+ return "", fmt.Errorf("invalid claims, 'aud' claim and 'sub' claim do not match, aud=%s, sub=%s", aud, sub)
+ }
+ } else if aud, ok, err := claims.StringsClaim("aud"); err == nil && ok {
+ if !containsString(sub, aud) {
+ return "", fmt.Errorf("invalid claims, cannot find 'sud' in 'aud' claim, aud=%v, sub=%s", aud, sub)
+ }
+ } else {
+ return "", errors.New("invalid claim value: 'aud' is required, and should be either string or string array")
+ }
+
+ now := time.Now().UTC()
+ exp, ok, err := claims.TimeClaim("exp")
+ if err != nil {
+ return "", fmt.Errorf("failed to parse 'exp' claim: %v", err)
+ } else if !ok {
+ return "", errors.New("missing required 'exp' claim")
+ } else if exp.Before(now) {
+ return "", fmt.Errorf("token already expired at: %v", exp)
+ }
+
+ return sub, nil
+}
+
+type JWTVerifier struct {
+ issuer string
+ clientID string
+ syncFunc func() error
+ keysFunc func() []key.PublicKey
+ clock clockwork.Clock
+}
+
+func NewJWTVerifier(issuer, clientID string, syncFunc func() error, keysFunc func() []key.PublicKey) JWTVerifier {
+ return JWTVerifier{
+ issuer: issuer,
+ clientID: clientID,
+ syncFunc: syncFunc,
+ keysFunc: keysFunc,
+ clock: clockwork.NewRealClock(),
+ }
+}
+
+func (v *JWTVerifier) Verify(jwt jose.JWT) error {
+ // Verify claims before verifying the signature. This is an optimization to throw out
+ // tokens we know are invalid without undergoing an expensive signature check and
+ // possibly a re-sync event.
+ if err := VerifyClaims(jwt, v.issuer, v.clientID); err != nil {
+ return fmt.Errorf("oidc: JWT claims invalid: %v", err)
+ }
+
+ ok, err := VerifySignature(jwt, v.keysFunc())
+ if err != nil {
+ return fmt.Errorf("oidc: JWT signature verification failed: %v", err)
+ } else if ok {
+ return nil
+ }
+
+ if err = v.syncFunc(); err != nil {
+ return fmt.Errorf("oidc: failed syncing KeySet: %v", err)
+ }
+
+ ok, err = VerifySignature(jwt, v.keysFunc())
+ if err != nil {
+ return fmt.Errorf("oidc: JWT signature verification failed: %v", err)
+ } else if !ok {
+ return errors.New("oidc: unable to verify JWT signature: no matching keys")
+ }
+
+ return nil
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc/verification_test.go b/vendor/github.com/coreos/go-oidc/oidc/verification_test.go
new file mode 100644
index 00000000..3b8c5e9f
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc/verification_test.go
@@ -0,0 +1,380 @@
+package oidc
+
+import (
+ "testing"
+ "time"
+
+ "github.com/coreos/go-oidc/jose"
+ "github.com/coreos/go-oidc/key"
+)
+
+func TestVerifyClientClaims(t *testing.T) {
+ validIss := "https://example.com"
+ validClientID := "valid-client"
+ now := time.Now()
+ tomorrow := now.Add(24 * time.Hour)
+ header := jose.JOSEHeader{
+ jose.HeaderKeyAlgorithm: "test-alg",
+ jose.HeaderKeyID: "1",
+ }
+
+ tests := []struct {
+ claims jose.Claims
+ ok bool
+ }{
+ // valid token
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: true,
+ },
+ // valid token, ('aud' claim is []string)
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": []string{"foo", validClientID},
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: true,
+ },
+ // valid token, ('aud' claim is []interface{})
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": []interface{}{"foo", validClientID},
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: true,
+ },
+ // missing 'iss' claim
+ {
+ claims: jose.Claims{
+ "sub": validClientID,
+ "aud": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // invalid 'iss' claim
+ {
+ claims: jose.Claims{
+ "iss": "INVALID",
+ "sub": validClientID,
+ "aud": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // missing 'sub' claim
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "aud": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // invalid 'sub' claim
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": "INVALID",
+ "aud": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // missing 'aud' claim
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // invalid 'aud' claim
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": "INVALID",
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // invalid 'aud' claim
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": []string{"INVALID1", "INVALID2"},
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // invalid 'aud' type
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": struct{}{},
+ "iat": float64(now.Unix()),
+ "exp": float64(tomorrow.Unix()),
+ },
+ ok: false,
+ },
+ // expired
+ {
+ claims: jose.Claims{
+ "iss": validIss,
+ "sub": validClientID,
+ "aud": validClientID,
+ "iat": float64(now.Unix()),
+ "exp": float64(now.Unix()),
+ },
+ ok: false,
+ },
+ }
+
+ for i, tt := range tests {
+ jwt, err := jose.NewJWT(header, tt.claims)
+ if err != nil {
+ t.Fatalf("case %d: Failed to generate JWT, error=%v", i, err)
+ }
+
+ got, err := VerifyClientClaims(jwt, validIss)
+ if tt.ok {
+ if err != nil {
+ t.Errorf("case %d: unexpected error, err=%v", i, err)
+ }
+ if got != validClientID {
+ t.Errorf("case %d: incorrect client ID, want=%s, got=%s", i, validClientID, got)
+ }
+ } else if err == nil {
+ t.Errorf("case %d: expected error but err is nil", i)
+ }
+ }
+}
+
+func TestJWTVerifier(t *testing.T) {
+ iss := "http://example.com"
+ now := time.Now()
+ future12 := now.Add(12 * time.Hour)
+ past36 := now.Add(-36 * time.Hour)
+ past12 := now.Add(-12 * time.Hour)
+
+ priv1, err := key.GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("failed to generate private key, error=%v", err)
+ }
+ pk1 := *key.NewPublicKey(priv1.JWK())
+
+ priv2, err := key.GeneratePrivateKey()
+ if err != nil {
+ t.Fatalf("failed to generate private key, error=%v", err)
+ }
+ pk2 := *key.NewPublicKey(priv2.JWK())
+
+ newJWT := func(issuer, subject string, aud interface{}, issuedAt, exp time.Time, signer jose.Signer) jose.JWT {
+ jwt, err := jose.NewSignedJWT(NewClaims(issuer, subject, aud, issuedAt, exp), signer)
+ if err != nil {
+ t.Fatal(err)
+ }
+ return *jwt
+ }
+
+ tests := []struct {
+ name string
+ verifier JWTVerifier
+ jwt jose.JWT
+ wantErr bool
+ }{
+ {
+ name: "JWT signed with available key",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{pk1}
+ },
+ },
+ jwt: newJWT(iss, "XXX", "XXX", past12, future12, priv1.Signer()),
+ wantErr: false,
+ },
+ {
+ name: "JWT signed with available key, with bad claims",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{pk1}
+ },
+ },
+ jwt: newJWT(iss, "XXX", "YYY", past12, future12, priv1.Signer()),
+ wantErr: true,
+ },
+
+ {
+ name: "JWT signed with available key",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{pk1}
+ },
+ },
+ jwt: newJWT(iss, "XXX", []string{"YYY", "ZZZ"}, past12, future12, priv1.Signer()),
+ wantErr: true,
+ },
+
+ {
+ name: "expired JWT signed with available key",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{pk1}
+ },
+ },
+ jwt: newJWT(iss, "XXX", "XXX", past36, past12, priv1.Signer()),
+ wantErr: true,
+ },
+
+ {
+ name: "JWT signed with unrecognized key, verifiable after sync",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() func() []key.PublicKey {
+ var i int
+ return func() []key.PublicKey {
+ defer func() { i++ }()
+ return [][]key.PublicKey{
+ []key.PublicKey{pk1},
+ []key.PublicKey{pk2},
+ }[i]
+ }
+ }(),
+ },
+ jwt: newJWT(iss, "XXX", "XXX", past36, future12, priv2.Signer()),
+ wantErr: false,
+ },
+
+ {
+ name: "JWT signed with unrecognized key, not verifiable after sync",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{pk1}
+ },
+ },
+ jwt: newJWT(iss, "XXX", "XXX", past12, future12, priv2.Signer()),
+ wantErr: true,
+ },
+
+ {
+ name: "verifier gets no keys from keysFunc, still not verifiable after sync",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{}
+ },
+ },
+ jwt: newJWT(iss, "XXX", "XXX", past12, future12, priv1.Signer()),
+ wantErr: true,
+ },
+
+ {
+ name: "verifier gets no keys from keysFunc, verifiable after sync",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() func() []key.PublicKey {
+ var i int
+ return func() []key.PublicKey {
+ defer func() { i++ }()
+ return [][]key.PublicKey{
+ []key.PublicKey{},
+ []key.PublicKey{pk2},
+ }[i]
+ }
+ }(),
+ },
+ jwt: newJWT(iss, "XXX", "XXX", past12, future12, priv2.Signer()),
+ wantErr: false,
+ },
+
+ {
+ name: "JWT signed with available key, 'aud' is a string array",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error { return nil },
+ keysFunc: func() []key.PublicKey {
+ return []key.PublicKey{pk1}
+ },
+ },
+ jwt: newJWT(iss, "XXX", []string{"ZZZ", "XXX"}, past12, future12, priv1.Signer()),
+ wantErr: false,
+ },
+ {
+ name: "invalid issuer claim shouldn't trigger sync",
+ verifier: JWTVerifier{
+ issuer: "example.com",
+ clientID: "XXX",
+ syncFunc: func() error {
+ t.Errorf("invalid issuer claim shouldn't trigger a sync")
+ return nil
+ },
+ keysFunc: func() func() []key.PublicKey {
+ var i int
+ return func() []key.PublicKey {
+ defer func() { i++ }()
+ return [][]key.PublicKey{
+ []key.PublicKey{},
+ []key.PublicKey{pk2},
+ }[i]
+ }
+ }(),
+ },
+ jwt: newJWT("invalid-issuer", "XXX", []string{"ZZZ", "XXX"}, past12, future12, priv2.Signer()),
+ wantErr: true,
+ },
+ }
+
+ for _, tt := range tests {
+ err := tt.verifier.Verify(tt.jwt)
+ if tt.wantErr && (err == nil) {
+ t.Errorf("case %q: wanted non-nil error", tt.name)
+ } else if !tt.wantErr && (err != nil) {
+ t.Errorf("case %q: wanted nil error, got %v", tt.name, err)
+ }
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/oidc_test.go b/vendor/github.com/coreos/go-oidc/oidc_test.go
new file mode 100644
index 00000000..7307a8f5
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/oidc_test.go
@@ -0,0 +1,21 @@
+package oidc
+
+import (
+ "net/http"
+ "testing"
+
+ "golang.org/x/net/context"
+)
+
+func TestClientContext(t *testing.T) {
+ myClient := &http.Client{}
+
+ ctx := ClientContext(context.Background(), myClient)
+
+ gotClient := clientFromContext(ctx)
+
+ // Compare pointer values.
+ if gotClient != myClient {
+ t.Fatal("clientFromContext did not return the value set by ClientContext")
+ }
+}
diff --git a/vendor/github.com/coreos/go-oidc/test b/vendor/github.com/coreos/go-oidc/test
new file mode 100755
index 00000000..4b2e39f8
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/test
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+# Filter out any files with a !golint build tag.
+LINTABLE=$( go list -tags=golint -f '
+ {{- range $i, $file := .GoFiles -}}
+ {{ $file }} {{ end }}
+ {{ range $i, $file := .TestGoFiles -}}
+ {{ $file }} {{ end }}' github.com/coreos/go-oidc )
+
+go test -v -i -race github.com/coreos/go-oidc
+go test -v -race github.com/coreos/go-oidc
+golint $LINTABLE
+go vet github.com/coreos/go-oidc
diff --git a/vendor/github.com/coreos/go-oidc/verify.go b/vendor/github.com/coreos/go-oidc/verify.go
new file mode 100644
index 00000000..13c0f934
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/verify.go
@@ -0,0 +1,263 @@
+package oidc
+
+import (
+ "bytes"
+ "encoding/base64"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "strings"
+ "time"
+
+ "golang.org/x/net/context"
+ "golang.org/x/oauth2"
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+// IDTokenVerifier provides verification for ID Tokens.
+type IDTokenVerifier struct {
+ keySet *remoteKeySet
+ config *verificationConfig
+}
+
+// verificationConfig is the unexported configuration for an IDTokenVerifier.
+//
+// Users interact with this struct using a VerificationOption.
+type verificationConfig struct {
+ issuer string
+ // If provided, this value must be in the ID Token audiences.
+ audience string
+ // If not nil, check the expiry of the id token.
+ checkExpiry func() time.Time
+ // If specified, only these sets of algorithms may be used to sign the JWT.
+ requiredAlgs []string
+ // If not nil, don't verify nonce.
+ nonceSource NonceSource
+}
+
+// VerificationOption provides additional checks on ID Tokens.
+type VerificationOption interface {
+ // Unexport this method so other packages can't implement this interface.
+ updateConfig(c *verificationConfig)
+}
+
+// Verifier returns an IDTokenVerifier that uses the provider's key set to verify JWTs.
+//
+// The returned IDTokenVerifier is tied to the Provider's context and its behavior is
+// undefined once the Provider's context is canceled.
+func (p *Provider) Verifier(options ...VerificationOption) *IDTokenVerifier {
+ config := &verificationConfig{issuer: p.issuer}
+ for _, option := range options {
+ option.updateConfig(config)
+ }
+
+ return newVerifier(p.remoteKeySet, config)
+}
+
+func newVerifier(keySet *remoteKeySet, config *verificationConfig) *IDTokenVerifier {
+ // As discussed in the godocs for VerifrySigningAlg, because almost all providers
+ // only support RS256, default to only allowing it.
+ if len(config.requiredAlgs) == 0 {
+ config.requiredAlgs = []string{RS256}
+ }
+
+ return &IDTokenVerifier{
+ keySet: keySet,
+ config: config,
+ }
+}
+
+func parseJWT(p string) ([]byte, error) {
+ parts := strings.Split(p, ".")
+ if len(parts) < 2 {
+ return nil, fmt.Errorf("oidc: malformed jwt, expected 3 parts got %d", len(parts))
+ }
+ payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+ if err != nil {
+ return nil, fmt.Errorf("oidc: malformed jwt payload: %v", err)
+ }
+ return payload, nil
+}
+
+func contains(sli []string, ele string) bool {
+ for _, s := range sli {
+ if s == ele {
+ return true
+ }
+ }
+ return false
+}
+
+// Verify parses a raw ID Token, verifies it's been signed by the provider, preforms
+// any additional checks passed as VerifictionOptions, and returns the payload.
+//
+// See: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
+//
+// oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
+// if err != nil {
+// // handle error
+// }
+//
+// // Extract the ID Token from oauth2 token.
+// rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+// if !ok {
+// // handle error
+// }
+//
+// token, err := verifier.Verify(ctx, rawIDToken)
+//
+func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDToken, error) {
+ jws, err := jose.ParseSigned(rawIDToken)
+ if err != nil {
+ return nil, fmt.Errorf("oidc: mallformed jwt: %v", err)
+ }
+
+ // Throw out tokens with invalid claims before trying to verify the token. This lets
+ // us do cheap checks before possibly re-syncing keys.
+ payload, err := parseJWT(rawIDToken)
+ if err != nil {
+ return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
+ }
+ var token idToken
+ if err := json.Unmarshal(payload, &token); err != nil {
+ return nil, fmt.Errorf("oidc: failed to unmarshal claims: %v", err)
+ }
+
+ t := &IDToken{
+ Issuer: token.Issuer,
+ Subject: token.Subject,
+ Audience: []string(token.Audience),
+ Expiry: time.Time(token.Expiry),
+ IssuedAt: time.Time(token.IssuedAt),
+ Nonce: token.Nonce,
+ claims: payload,
+ }
+
+ // Check issuer.
+ if t.Issuer != v.config.issuer {
+ return nil, fmt.Errorf("oidc: id token issued by a different provider, expected %q got %q", v.config.issuer, t.Issuer)
+ }
+
+ // If a client ID has been provided, make sure it's part of the audience.
+ if v.config.audience != "" {
+ if !contains(t.Audience, v.config.audience) {
+ return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.audience, t.Audience)
+ }
+ }
+
+ // If a set of required algorithms has been provided, ensure that the signatures use those.
+ var keyIDs, gotAlgs []string
+ for _, sig := range jws.Signatures {
+ if len(v.config.requiredAlgs) == 0 || contains(v.config.requiredAlgs, sig.Header.Algorithm) {
+ keyIDs = append(keyIDs, sig.Header.KeyID)
+ } else {
+ gotAlgs = append(gotAlgs, sig.Header.Algorithm)
+ }
+ }
+ if len(keyIDs) == 0 {
+ return nil, fmt.Errorf("oidc: no signatures use a require algorithm, expected %q got %q", v.config.requiredAlgs, gotAlgs)
+ }
+
+ // Get keys from the remote key set. This may trigger a re-sync.
+ keys, err := v.keySet.keysWithID(ctx, keyIDs)
+ if err != nil {
+ return nil, fmt.Errorf("oidc: get keys for id token: %v", err)
+ }
+ if len(keys) == 0 {
+ return nil, fmt.Errorf("oidc: no keys match signature ID(s) %q", keyIDs)
+ }
+
+ // Try to use a key to validate the signature.
+ var gotPayload []byte
+ for _, key := range keys {
+ if p, err := jws.Verify(&key); err == nil {
+ gotPayload = p
+ }
+ }
+ if len(gotPayload) == 0 {
+ return nil, fmt.Errorf("oidc: failed to verify id token")
+ }
+
+ // Ensure that the payload returned by the square actually matches the payload parsed earlier.
+ if !bytes.Equal(gotPayload, payload) {
+ return nil, errors.New("oidc: internal error, payload parsed did not match previous payload")
+ }
+
+ // Check the nonce after we've verified the token. We don't want to allow unverified
+ // payloads to trigger a nonce lookup.
+ if v.config.nonceSource != nil {
+ if err := v.config.nonceSource.ClaimNonce(t.Nonce); err != nil {
+ return nil, err
+ }
+ }
+
+ return t, nil
+}
+
+// VerifyAudience ensures that an ID Token was issued for the specific client.
+//
+// Note that a verified token may be valid for other clients, as OpenID Connect allows a token to have
+// multiple audiences.
+func VerifyAudience(clientID string) VerificationOption {
+ return clientVerifier{clientID}
+}
+
+type clientVerifier struct {
+ clientID string
+}
+
+func (v clientVerifier) updateConfig(c *verificationConfig) {
+ c.audience = v.clientID
+}
+
+// VerifyExpiry ensures that an ID Token has not expired.
+func VerifyExpiry() VerificationOption {
+ return expiryVerifier{}
+}
+
+type expiryVerifier struct{}
+
+func (v expiryVerifier) updateConfig(c *verificationConfig) {
+ c.checkExpiry = time.Now
+}
+
+// VerifySigningAlg enforces that an ID Token is signed by a specific signing algorithm.
+//
+// Because so many providers only support RS256, if this verifiction option isn't used,
+// the IDTokenVerifier defaults to only allowing RS256.
+func VerifySigningAlg(allowedAlgs ...string) VerificationOption {
+ return algVerifier{allowedAlgs}
+}
+
+type algVerifier struct {
+ algs []string
+}
+
+func (v algVerifier) updateConfig(c *verificationConfig) {
+ c.requiredAlgs = v.algs
+}
+
+// Nonce returns an auth code option which requires the ID Token created by the
+// OpenID Connect provider to contain the specified nonce.
+func Nonce(nonce string) oauth2.AuthCodeOption {
+ return oauth2.SetAuthURLParam("nonce", nonce)
+}
+
+// NonceSource represents a source which can verify a nonce is valid and has not
+// been claimed before.
+type NonceSource interface {
+ ClaimNonce(nonce string) error
+}
+
+// VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source.
+func VerifyNonce(source NonceSource) VerificationOption {
+ return nonceVerifier{source}
+}
+
+type nonceVerifier struct {
+ nonceSource NonceSource
+}
+
+func (n nonceVerifier) updateConfig(c *verificationConfig) {
+ c.nonceSource = n.nonceSource
+}
diff --git a/vendor/github.com/coreos/go-oidc/verify_test.go b/vendor/github.com/coreos/go-oidc/verify_test.go
new file mode 100644
index 00000000..872f75c3
--- /dev/null
+++ b/vendor/github.com/coreos/go-oidc/verify_test.go
@@ -0,0 +1,265 @@
+package oidc
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "crypto/rsa"
+ "encoding/json"
+ "net/http/httptest"
+ "testing"
+ "time"
+
+ "golang.org/x/net/context"
+ jose "gopkg.in/square/go-jose.v2"
+)
+
+func TestVerify(t *testing.T) {
+ tests := []verificationTest{
+ {
+ name: "good token",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ },
+ {
+ name: "invalid signature",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_1},
+ wantErr: true,
+ },
+ {
+ name: "invalid issuer",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://bar",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ wantErr: true,
+ },
+ }
+ for _, test := range tests {
+ test.run(t)
+ }
+}
+
+func TestVerifyAudience(t *testing.T) {
+ tests := []verificationTest{
+ {
+ name: "good audience",
+ idToken: idToken{
+ Issuer: "https://foo",
+ Audience: []string{"client1"},
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ audience: "client1",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ },
+ {
+ name: "mismatched audience",
+ idToken: idToken{
+ Issuer: "https://foo",
+ Audience: []string{"client2"},
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ audience: "client1",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ wantErr: true,
+ },
+ {
+ name: "multiple audiences, one matches",
+ idToken: idToken{
+ Issuer: "https://foo",
+ Audience: []string{"client2", "client1"},
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ audience: "client1",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ },
+ }
+ for _, test := range tests {
+ test.run(t)
+ }
+}
+
+func TestVerifySigningAlg(t *testing.T) {
+ tests := []verificationTest{
+ {
+ name: "default signing alg",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ signAlg: RS256, // By default we only support RS256.
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ },
+ {
+ name: "bad signing alg",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ },
+ signKey: testKeyRSA_2048_0_Priv,
+ signAlg: RS512,
+ pubKeys: []jose.JSONWebKey{testKeyRSA_2048_0},
+ wantErr: true,
+ },
+ {
+ name: "ecdsa signing",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ requiredAlgs: []string{ES384},
+ },
+ signAlg: ES384,
+ signKey: testKeyECDSA_384_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyECDSA_384_0},
+ },
+ {
+ name: "one of many supported",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ requiredAlgs: []string{RS256, ES384},
+ },
+ signAlg: ES384,
+ signKey: testKeyECDSA_384_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyECDSA_384_0},
+ },
+ {
+ name: "not in requiredAlgs",
+ idToken: idToken{
+ Issuer: "https://foo",
+ },
+ config: verificationConfig{
+ issuer: "https://foo",
+ requiredAlgs: []string{RS256, ES512},
+ },
+ signAlg: ES384,
+ signKey: testKeyECDSA_384_0_Priv,
+ pubKeys: []jose.JSONWebKey{testKeyECDSA_384_0},
+ wantErr: true,
+ },
+ }
+ for _, test := range tests {
+ test.run(t)
+ }
+}
+
+type verificationTest struct {
+ name string
+
+ // ID token claims and a signing key to create the JWT.
+ idToken idToken
+ signKey jose.JSONWebKey
+ // If supplied use this signing algorithm. If not, guess
+ // from the signingKey.
+ signAlg string
+
+ config verificationConfig
+ pubKeys []jose.JSONWebKey
+
+ wantErr bool
+}
+
+func algForKey(t *testing.T, k jose.JSONWebKey) string {
+ switch key := k.Key.(type) {
+ case *rsa.PrivateKey:
+ return RS256
+ case *ecdsa.PrivateKey:
+ name := key.PublicKey.Params().Name
+ switch name {
+ case elliptic.P256().Params().Name:
+ return ES256
+ case elliptic.P384().Params().Name:
+ return ES384
+ case elliptic.P521().Params().Name:
+ return ES512
+ }
+ t.Fatalf("unsupported ecdsa curve: %s", name)
+ default:
+ t.Fatalf("unsupported key type %T", key)
+ }
+ return ""
+}
+
+func (v verificationTest) run(t *testing.T) {
+ payload, err := json.Marshal(v.idToken)
+ if err != nil {
+ t.Fatal(err)
+ }
+ signingAlg := v.signAlg
+ if signingAlg == "" {
+ signingAlg = algForKey(t, v.signKey)
+ }
+
+ signer, err := jose.NewSigner(jose.SigningKey{
+ Algorithm: jose.SignatureAlgorithm(signingAlg),
+ Key: &v.signKey,
+ }, nil)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ jws, err := signer.Sign(payload)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ token, err := jws.CompactSerialize()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ t0 := time.Now()
+ now := func() time.Time { return t0 }
+
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+
+ server := httptest.NewServer(newKeyServer(v.pubKeys...))
+ defer server.Close()
+
+ verifier := newVerifier(newRemoteKeySet(ctx, server.URL, now), &v.config)
+
+ if _, err := verifier.Verify(ctx, token); err != nil {
+ if !v.wantErr {
+ t.Errorf("%s: verify %v", v.name, err)
+ }
+ } else {
+ if v.wantErr {
+ t.Errorf("%s: expected error", v.name)
+ }
+ }
+}
diff --git a/vendor/github.com/ericchiang/oidc/.travis.yml b/vendor/github.com/ericchiang/oidc/.travis.yml
deleted file mode 100644
index 9d73a45f..00000000
--- a/vendor/github.com/ericchiang/oidc/.travis.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-language: go
-
-go:
-- 1.5.4
-- 1.6.3
-- tip
-
-notifications:
- email: false
-
-matrix:
- allow_failures:
- - go: tip
diff --git a/vendor/github.com/ericchiang/oidc/README.md b/vendor/github.com/ericchiang/oidc/README.md
deleted file mode 100644
index c6adbbf3..00000000
--- a/vendor/github.com/ericchiang/oidc/README.md
+++ /dev/null
@@ -1,106 +0,0 @@
-# OpenID Connect client support for Go
-
-[](https://godoc.org/github.com/ericchiang/oidc)
-
-This package implements OpenID Connect client logic for the golang.org/x/oauth2 package.
-
-```go
-provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")
-if err != nil {
- return err
-}
-
-// Configure an OpenID Connect aware OAuth2 client.
-oauth2Config := oauth2.Config{
- ClientID: clientID,
- ClientSecret: clientSecret,
- RedirectURL: redirectURL,
- Endpoint: provider.Endpoint(),
- Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
-}
-```
-
-OAuth2 redirects are unchanged.
-
-```go
-func handleRedirect(w http.ResponseWriter, r *http.Request) {
- http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
-})
-```
-
-For callbacks the provider can be used to query for [user information](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) such as email.
-
-```go
-func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
- // Verify state...
-
- oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
- if err != nil {
- http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- userinfo, err := provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
- if err != nil {
- http.Error(w, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // ...
-})
-```
-
-Or the provider can be used to verify and inspect the OpenID Connect
-[ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) in the
-[token response](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse).
-
-```go
-verifier := provider.NewVerifier(ctx)
-```
-
-The verifier itself can be constructed with addition checks, such as verifing a
-token was issued for a specific client or hasn't expired.
-
-```go
-verifier := provier.NewVerifier(ctx, oidc.VerifyAudience(clientID), oidc.VerifyExpiry())
-```
-
-The returned verifier can be used to ensure the ID Token (a JWT) is signed by the provider.
-
-```go
-func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
- // Verify state...
-
- oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
- if err != nil {
- http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // Extract the ID Token from oauth2 token.
- rawIDToken, ok := oauth2Token.Extra("id_token").(string)
- if !ok {
- http.Error(w, "No ID Token found", http.StatusInternalServerError)
- return
- }
-
- // Verify that the ID Token is signed by the provider.
- idToken, err := verifier.Verify(rawIDToken)
- if err != nil {
- http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // Unmarshal ID Token for expected custom claims.
- var claims struct {
- Email string `json:"email"`
- EmailVerified bool `json:"email_verified"`
- }
- if err := idToken.Claims(&claims); err != nil {
- http.Error(w, "Failed to unmarshal ID Token claims: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // ...
-})
-```
diff --git a/vendor/github.com/ericchiang/oidc/doc.go b/vendor/github.com/ericchiang/oidc/doc.go
deleted file mode 100644
index cbc1ec4f..00000000
--- a/vendor/github.com/ericchiang/oidc/doc.go
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
-Package oidc implements OpenID Connect client logic for the golang.org/x/oauth2 package.
-
- provider, err := oidc.NewProvider(ctx, "https://accounts.example.com")
- if err != nil {
- return err
- }
-
- // Configure an OpenID Connect aware OAuth2 client.
- oauth2Config := oauth2.Config{
- ClientID: clientID,
- ClientSecret: clientSecret,
- RedirectURL: redirectURL,
- Endpoint: provider.Endpoint(),
- Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
- }
-
-OAuth2 redirects are unchanged.
-
- func handleRedirect(w http.ResponseWriter, r *http.Request) {
- http.Redirect(w, r, oauth2Config.AuthCodeURL(state), http.StatusFound)
- })
-
-For callbacks the provider can be used to query for user information such as email.
-
- func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
- // Verify state...
-
- oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
- if err != nil {
- http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- userinfo, err := provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
- if err != nil {
- http.Error(w, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // ...
- })
-
-The provider also has the ability to verify ID Tokens.
-
- verifier := provider.NewVerifier(ctx)
-
-The returned verifier can be used to perform basic validation on ID Token issued by the provider,
-including verifying the JWT signature. It then returns the payload.
-
- func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
- // Verify state...
-
- oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
- if err != nil {
- http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // Extract the ID Token from oauth2 token.
- rawIDToken, ok := oauth2Token.Extra("id_token").(string)
- if !ok {
- http.Error(w, "No ID Token found", http.StatusInternalServerError)
- return
- }
-
- // Verify that the ID Token is signed by the provider.
- idToken, err := verifier.Verify(rawIDToken)
- if err != nil {
- http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // Unmarshal ID Token for expected custom claims.
- var claims struct {
- Email string `json:"email"`
- EmailVerified bool `json:"email_verified"`
- }
- if err := idToken.Claims(&claims); err != nil {
- http.Error(w, "Failed to unmarshal ID Token custom claims: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // ...
- })
-
-ID Token nonces are supported.
-
-First, provide a nonce source for nonce validation. This will then be used to wrap the existing
-provider ID Token verifier.
-
- // A verifier which boths verifies the ID Token signature and nonce.
- nonceEnabledVerifier := provider.NewVerifier(ctx, oidc.VerifyNonce(nonceSource))
-
-For the redirect provide a nonce auth code option. This will be placed as a URL parameter during
-the client redirect.
-
- func handleRedirect(w http.ResponseWriter, r *http.Request) {
- nonce, err := newNonce()
- if err != nil {
- // ...
- }
- // Provide a nonce for the OpenID Connect ID Token.
- http.Redirect(w, r, oauth2Config.AuthCodeURL(state, oidc.Nonce(nonce)), http.StatusFound)
- })
-
-The nonce enabled verifier can then be used to verify the nonce while unpacking the ID Token.
-
- func handleOAuth2Callback(w http.ResponseWriter, r *http.Request) {
- // Verify state...
-
- oauth2Token, err := oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
- if err != nil {
- http.Error(w, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // Extract the ID Token from oauth2 token.
- rawIDToken, ok := oauth2Token.Extra("id_token").(string)
- if !ok {
- http.Error(w, "No ID Token found", http.StatusInternalServerError)
- return
- }
-
- // Verify that the ID Token is signed by the provider and verify the nonce.
- idToken, err := nonceEnabledVerifier.Verify(rawIDToken)
- if err != nil {
- http.Error(w, "Failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
- return
- }
-
- // Continue as above...
- })
-
-This package uses contexts to derive HTTP clients in the same way as the oauth2 package. To configure
-a custom client, use the oauth2 packages HTTPClient context key when constructing the context.
-
- myClient := &http.Client{}
-
- myCtx := context.WithValue(parentCtx, oauth2.HTTPClient, myClient)
-
- // NewProvider will use myClient to make the request.
- provider, err := oidc.NewProvider(myCtx, "https://accounts.example.com")
-*/
-package oidc
diff --git a/vendor/github.com/ericchiang/oidc/examples/README.md b/vendor/github.com/ericchiang/oidc/examples/README.md
deleted file mode 100644
index b44a2236..00000000
--- a/vendor/github.com/ericchiang/oidc/examples/README.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Examples
-
-These are example uses of the oidc package. Each requires a Google account and the
-client ID and secret of a registered OAuth2 application. The client ID and secret
-should be set as the following environment variables:
-
-```
-GOOGLE_OAUTH2_CLIENT_ID
-GOOGLE_OAUTH2_CLIENT_SECRET
-```
-
-See Google's documentation on how to set up an OAuth2 app:
-https://developers.google.com/identity/protocols/OpenIDConnect?hl=en
-
-Note that one of the redirect URL's must be "http://127.0.0.1:5556/auth/google/callback"
diff --git a/vendor/github.com/ericchiang/oidc/internal/oidc.go b/vendor/github.com/ericchiang/oidc/internal/oidc.go
deleted file mode 100644
index 01bd7972..00000000
--- a/vendor/github.com/ericchiang/oidc/internal/oidc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Package internal contains support packages for the oidc package.
-package internal
-
-// ContextKey is just an empty struct. It exists so context keys can be an immutable
-// public variable with a unique type. It's immutable because nobody else can create
-// a ContextKey, being unexported.
-type ContextKey struct{}
diff --git a/vendor/github.com/ericchiang/oidc/jwks.go b/vendor/github.com/ericchiang/oidc/jwks.go
deleted file mode 100644
index 89847915..00000000
--- a/vendor/github.com/ericchiang/oidc/jwks.go
+++ /dev/null
@@ -1,188 +0,0 @@
-package oidc
-
-import (
- "encoding/json"
- "errors"
- "fmt"
- "io"
- "io/ioutil"
- "net/http"
- "sync"
- "sync/atomic"
- "time"
-
- "github.com/pquerna/cachecontrol"
- "golang.org/x/net/context"
- jose "gopkg.in/square/go-jose.v1"
-)
-
-// No matter what insist on caching keys. This is so our request code can be
-// asynchronous from matching keys. If the request code retrieved keys that
-// expired immediately, the goroutine to match a JWT to a key would always see
-// expired keys.
-//
-// TODO(ericchiang): Review this logic.
-var minCache = 2 * time.Minute
-
-type cachedKeys struct {
- keys map[string]jose.JsonWebKey // immutable
- expiry time.Time
-}
-
-type remoteKeySet struct {
- client *http.Client
-
- // "jwks_uri" from discovery.
- keysURL string
-
- // The value is always of type *cachedKeys.
- //
- // To ensure consistency always call keyCache.Store when holding cond.L.
- keyCache atomic.Value
-
- // cond.L guards all following fields. sync.Cond is used in place of a mutex
- // so multiple processes can wait on a single request to update keys.
- cond sync.Cond
- // Is there an existing request to get the remote keys?
- inflight bool
- // If the last attempt to refresh keys failed, the error will be saved here.
- //
- // TODO(ericchiang): If a routine sets this before calling cond.Broadcast(),
- // there's no guarentee that a routine calling cond.Wait() will actual see
- // the error called by the previous routine. Since Broadcast() unlocks
- // cond.L and Wait() must reacquire the lock, other routines waiting on the
- // lock might acquire it first. Maybe just log the error?
- lastErr error
-}
-
-func newRemoteKeySet(ctx context.Context, jwksURL string) *remoteKeySet {
- r := &remoteKeySet{
- client: contextClient(ctx),
- keysURL: jwksURL,
- cond: sync.Cond{L: new(sync.Mutex)},
- }
- return r
-}
-
-func (r *remoteKeySet) verifyJWT(jwt string) (payload []byte, err error) {
- jws, err := jose.ParseSigned(jwt)
- if err != nil {
- return nil, fmt.Errorf("parsing jwt: %v", err)
- }
- keyIDs := make([]string, len(jws.Signatures))
- for i, signature := range jws.Signatures {
- keyIDs[i] = signature.Header.KeyID
- }
- key, err := r.getKey(keyIDs)
- if err != nil {
- return nil, fmt.Errorf("oidc: %s", err)
- }
- return jws.Verify(key)
-}
-
-func (r *remoteKeySet) getKeyFromCache(keyIDs []string) (*jose.JsonWebKey, bool) {
- cachedKeys, ok := r.keyCache.Load().(*cachedKeys)
- if !ok {
- return nil, false
- }
- if time.Now().After(cachedKeys.expiry) {
- return nil, false
- }
- for _, keyID := range keyIDs {
- if key, ok := cachedKeys.keys[keyID]; ok {
- return &key, true
- }
- }
- return nil, false
-}
-
-func (r *remoteKeySet) getKey(keyIDs []string) (*jose.JsonWebKey, error) {
- // Fast path. Just do an atomic load.
- if key, ok := r.getKeyFromCache(keyIDs); ok {
- return key, nil
- }
-
- // Didn't find keys, use the slow path.
- r.cond.L.Lock()
- defer r.cond.L.Unlock()
-
- // Check again within the mutex.
- if key, ok := r.getKeyFromCache(keyIDs); ok {
- return key, nil
- }
-
- // Keys have expired or we're trying to verify a JWT we don't have a key for.
-
- if !r.inflight {
- // There isn't currently an inflight request to update keys, start a
- // goroutine to do so.
- r.inflight = true
- go func() {
- newKeys, newExpiry, err := requestKeys(r.client, r.keysURL)
-
- r.cond.L.Lock()
- defer r.cond.L.Unlock()
-
- r.inflight = false
- if err != nil {
- r.lastErr = err
- } else {
- r.keyCache.Store(&cachedKeys{newKeys, newExpiry})
- r.lastErr = nil
- }
-
- r.cond.Broadcast() // Wake all r.cond.Wait() calls.
- }()
- }
-
- // Wait for r.cond.Broadcast() to be called. This unlocks r.cond.L and
- // reacquires it after its done waiting.
- r.cond.Wait()
-
- if key, ok := r.getKeyFromCache(keyIDs); ok {
- return key, nil
- }
- if r.lastErr != nil {
- return nil, r.lastErr
- }
- return nil, errors.New("no signing keys can validate the signature")
-}
-
-func requestKeys(client *http.Client, keysURL string) (map[string]jose.JsonWebKey, time.Time, error) {
- req, err := http.NewRequest("GET", keysURL, nil)
- if err != nil {
- return nil, time.Time{}, fmt.Errorf("can't create request: %v", err)
- }
- resp, err := client.Do(req)
- if err != nil {
- return nil, time.Time{}, fmt.Errorf("can't GET new keys %v", err)
- }
- defer resp.Body.Close()
-
- body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
- if err != nil {
- return nil, time.Time{}, fmt.Errorf("can't fetch new keys: %v", err)
- }
- if resp.StatusCode != http.StatusOK {
- return nil, time.Time{}, fmt.Errorf("can't fetch new keys: %s %s", resp.Status, body)
- }
-
- var keySet jose.JsonWebKeySet
- if err := json.Unmarshal(body, &keySet); err != nil {
- return nil, time.Time{}, fmt.Errorf("can't decode keys: %v %s", err, body)
- }
-
- keys := make(map[string]jose.JsonWebKey, len(keySet.Keys))
- for _, key := range keySet.Keys {
- keys[key.KeyID] = key
- }
-
- minExpiry := time.Now().Add(minCache)
-
- if _, expiry, err := cachecontrol.CachableResponse(req, resp, cachecontrol.Options{}); err == nil {
- if minExpiry.Before(expiry) {
- return keys, expiry, nil
- }
- }
- return keys, minExpiry, nil
-}
diff --git a/vendor/github.com/ericchiang/oidc/jwks_test.go b/vendor/github.com/ericchiang/oidc/jwks_test.go
deleted file mode 100644
index ef668165..00000000
--- a/vendor/github.com/ericchiang/oidc/jwks_test.go
+++ /dev/null
@@ -1,285 +0,0 @@
-package oidc
-
-import (
- "bytes"
- "crypto/x509"
- "encoding/hex"
- "encoding/json"
- "encoding/pem"
- "hash/fnv"
- "io/ioutil"
- "net/http"
- "net/http/httptest"
- "net/url"
- "path/filepath"
- "strings"
- "testing"
- "time"
-
- "golang.org/x/net/context"
-
- jose "gopkg.in/square/go-jose.v1"
-)
-
-func loadKeySet(t *testing.T, keyfiles ...string) jose.JsonWebKeySet {
- var set jose.JsonWebKeySet
- set.Keys = make([]jose.JsonWebKey, len(keyfiles))
- for i, keyfile := range keyfiles {
- set.Keys[i], _ = loadKey(t, keyfile)
- }
- return set
-}
-
-func loadKey(t *testing.T, keyfile string) (pub, priv jose.JsonWebKey) {
- data, err := ioutil.ReadFile(keyfile)
- if err != nil {
- t.Fatalf("can't read key file %s: %v", keyfile, err)
- }
-
- block, _ := pem.Decode(data)
- if block == nil {
- t.Fatalf("no PEM data found in key file: %s", keyfile)
- }
-
- keyID := hex.EncodeToString(fnv.New64().Sum(block.Bytes))
-
- if strings.HasPrefix(filepath.Base(keyfile), "ecdsa") {
- p, err := x509.ParseECPrivateKey(block.Bytes)
- if err != nil {
- t.Fatalf("failed to parse ecdsa key %s: %v", keyfile, err)
- }
- priv = jose.JsonWebKey{Key: p, Algorithm: "EC", Use: "sig", KeyID: keyID}
- pub = jose.JsonWebKey{Key: p.Public(), Algorithm: "EC", Use: "sig", KeyID: keyID}
- } else {
- p, err := x509.ParsePKCS1PrivateKey(block.Bytes)
- if err != nil {
- t.Fatalf("failed to parse rsa key %s: %v", keyfile, err)
- }
- priv = jose.JsonWebKey{Key: p, Algorithm: "RSA", Use: "sig", KeyID: keyID}
- pub = jose.JsonWebKey{Key: p.Public(), Algorithm: "RSA", Use: "sig", KeyID: keyID}
- }
- return
-}
-
-func signPayload(t *testing.T, keyfile string, payload []byte) string {
- _, key := loadKey(t, keyfile)
- var (
- signer jose.Signer
- err error
- )
- if strings.HasPrefix(filepath.Base(keyfile), "rsa") {
- signer, err = jose.NewSigner(jose.RS512, &key)
- } else {
- signer, err = jose.NewSigner(jose.ES512, &key)
- }
- if err != nil {
- t.Fatalf("failed to create signer for %s: %v", keyfile, err)
- }
- jws, err := signer.Sign(payload)
- if err != nil {
- t.Fatalf("failed to sign payload: %v", err)
- }
- s, err := jws.CompactSerialize()
- if err != nil {
- t.Fatalf("failed to serialize signature: %v", err)
- }
- return s
-}
-
-func TestVerify(t *testing.T) {
- jwks := loadKeySet(t,
- "testdata/ecdsa_521_1.pem",
- "testdata/rsa_2048_1.pem",
- )
- s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if err := json.NewEncoder(w).Encode(jwks); err != nil {
- t.Errorf("failed to encode jwks: %v", err)
- }
- }))
- defer s.Close()
-
- ctx, cancel := context.WithCancel(context.Background())
- defer cancel()
-
- r := newRemoteKeySet(ctx, s.URL)
-
- tests := []struct {
- key string
- wantErr bool
- }{
- {"testdata/ecdsa_521_1.pem", false},
- {"testdata/rsa_2048_1.pem", false},
- {"testdata/ecdsa_521_2.pem", true},
- {"testdata/rsa_2048_2.pem", true},
- {"testdata/ecdsa_521_1.pem", false},
- {"testdata/rsa_2048_1.pem", false},
- }
-
- for _, tc := range tests {
- data := []byte("foobar")
- payload, err := r.verifyJWT(signPayload(t, tc.key, data))
- if err != nil {
- if !tc.wantErr {
- t.Fatalf("failed to verify JWT signed by %s: %v", tc.key, err)
- }
- continue
- }
-
- if tc.wantErr {
- t.Fatalf("didn't expecte to be able to verify payload with %s", tc.key)
- }
-
- if bytes.Compare(payload, data) != 0 {
- t.Errorf("want %q got %q", data, payload)
- }
- }
-}
-
-func TestCacheControl(t *testing.T) {
- tests := []struct {
- transport http.RoundTripper
- expectedMaxAge time.Duration
- url string
- nKeys int
- }{
- {
- transport: new(googleKeysRoundTripper),
- expectedMaxAge: 18213 * time.Second,
- url: "https://googleapis.com/oauth2/v3/certs",
- nKeys: 4,
- },
- {
- // SalesForce insists on not caching keys.
- transport: new(salesForceKeysRoundTripper),
- expectedMaxAge: minCache,
- url: "https://login.salesforce.com/id/keys",
- nKeys: 8,
- },
- }
- for _, tc := range tests {
- client := &http.Client{Transport: tc.transport}
-
- before := time.Now().Add(tc.expectedMaxAge)
- keys, expiry, err := requestKeys(client, tc.url)
- if err != nil {
- t.Fatalf("Request keys failed: %v", err)
- }
- tAfter := time.Now()
- after := tAfter.Add(tc.expectedMaxAge)
- approxExpiration := expiry.Sub(tAfter)
-
- if expiry.Before(before) || expiry.After(after) {
- t.Errorf("expected keys to expire in %s: got about %s", tc.expectedMaxAge, approxExpiration)
- }
- if len(keys) != tc.nKeys {
- t.Errorf("expected %d keys got %d", tc.nKeys, len(keys))
- }
- }
-}
-
-var googleKeysReq = http.Request{
- Method: "GET",
- URL: &url.URL{Scheme: "https", Host: "www.googleapis.com", Path: "/oauth2/v3/certs"},
- Proto: "HTTP/1.1",
- ProtoMajor: 1,
- ProtoMinor: 1,
- Header: http.Header{
- "Host": []string{"www.googleapis.com"},
- "User-Agent": []string{"curl/7.43.0"},
- "Accept": []string{"*/*"},
- },
- Host: "www.googleapis.com",
-}
-
-type googleKeysRoundTripper struct{}
-
-func (_ *googleKeysRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
- return &http.Response{
- Status: "200 OK",
- StatusCode: 200,
- Proto: "HTTP/1.1",
- ProtoMajor: 1,
- ProtoMinor: 1,
- Header: http.Header{
- "Expires": []string{"Sat, 16 Jul 2016 01:27:10 GMT"},
- "Date": []string{"Fri, 15 Jul 2016 20:23:37 GMT"},
- "Vary": []string{"Origin", "X-Origin"},
- "Content-Type": []string{"application/json; charset=UTF-8"},
- "X-Content-Type-Options": []string{"nosniff"},
- "X-Frame-Options": []string{"SAMEORIGIN"},
- "X-XSS-Protection": []string{"1; mode=block"},
- "Content-Length": []string{"1957"},
- "Server": []string{"GSE"},
- "Cache-Control": []string{"public, max-age=18213, must-revalidate, no-transform"},
- "Age": []string{"13156"},
- "Alternate-Protocol": []string{"443:quic"},
- "Alt-Svc": []string{`quic=":443"; ma=2592000; v="36,35,34,33,32,31,30,29,28,27,26,25"`},
- },
- ContentLength: 1957,
- Body: ioutil.NopCloser(strings.NewReader(googleKeysBody)),
- }, nil
-}
-
-type salesForceKeysRoundTripper struct{}
-
-func (_ *salesForceKeysRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
- return &http.Response{
- Status: "200 OK",
- StatusCode: 200,
- Proto: "HTTP/1.1",
- ProtoMajor: 1,
- ProtoMinor: 1,
- Header: http.Header{
- "Date": []string{"Mon, 18 Jul 2016 23:06:26 GMT"},
- "Strict-Transport-Security": []string{"max-age=10886400; includeSubDomains; preload"},
- "Content-Security-Policy-Report-Only": []string{"default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /_/ContentDomainCSPNoAuth?type=login"},
- "Set-Cookie": []string{"BrowserId=YQwZPagMRDiCEqn6s7D4cg;Path=/;Domain=.salesforce.com;Expires=Fri, 16-Sep-2016 23:06:26 GMT"},
- "Expires": []string{"Thu, 01 Jan 1970 00:00:00 GMT"},
- "Content-Type": []string{"application/json;charset=UTF-8"},
- "Pragma": []string{"no-cache"},
- "Cache-Control": []string{"no-cache, no-store"},
- "Transfer-Encoding": []string{"chunked"},
- },
- ContentLength: -1,
- Body: ioutil.NopCloser(strings.NewReader(salesForceKeysBody)),
- }, nil
-}
-
-var googleKeysBody = `{
- "keys": [
- {
- "kty": "RSA",
- "alg": "RS256",
- "use": "sig",
- "kid": "40aa42edac0614d7ca3f57f97ee866cdfba3b61a",
- "n": "6lm9AEGLPFpVqnfeVFuTIZsj7vz_kxla6uW1WWtosM_MtIjXkyyiSolxiSOs3bzG66iVm71023QyOzKYFbio0hI-yZauG3g9nH-zb_AHScsjAKagHtrHmTdtq0JcNkQnAaaUwxVbjwMlYAcOh87W5jWj_MAcPvc-qjy8-WJ81UgoOUZNiKByuF4-9igxKZeskGRXuTPX64kWGBmKl-tM7VnCGMKoK3m92NPrktfBoNN_EGGthNfQsKFUdQFJFtpMuiXp9Gib7dcMGabxcG2GUl-PU086kPUyUdUYiMN2auKSOxSUZgDjT7DcI8Sn8kdQ0-tImaHi54JNa1PNNdKRpw",
- "e": "AQAB"
- },
- {
- "kty": "RSA",
- "alg": "RS256",
- "use": "sig",
- "kid": "8fbbeea40332d2c0d27e37e1904af29b64594e57",
- "n": "z7h6_rt35-j6NV2iQvYIuR3xvsxmEImgMl8dc8CFl4SzEWrry3QILajKxQZA9YYYfXIcZUG_6R6AghVMJetNIl2AhCoEr3RQjjNsm9PE6h5p2kQ-zIveFeb__4oIkVihYtxtoYBSdVj69nXLUAJP2bxPfU8RDp5X7hT62pKR05H8QLxH8siIQ5qR2LGFw_dJcitAVRRQofuaj_9u0CLZBfinqyRkBc7a0zi7pBxtEiIbn9sRr8Kkb_Boap6BHbnLS-YFBVarcgFBbifRf7NlK5dqE9z4OUb-dx8wCMRIPVAx_hV4Qx2anTgp1sDA6V4vd4NaCOZX-mSctNZqQmKtNw",
- "e": "AQAB"
- },
- {
- "kty": "RSA",
- "alg": "RS256",
- "use": "sig",
- "kid": "6758b0b8eb341e90454860432d6a1648bf4de03b",
- "n": "5K0rYaA7xtqSe1nFn_nCA10uUXY81NcohMeFsYLbBlx_NdpsmbpgtXJ6ektYR7rUdtMMLu2IONlNhkWlx-lge91okyacUrWHP88PycilUE-RnyVjbPEm3seR0VefgALfN4y_e77ljq2F7W2_kbUkTvDzriDIWvQT0WwVF5FIOBydfDDs92S-queaKgLBwt50SXJCZryLew5ODrwVsFGI4Et6MLqjS-cgWpCNwzcRqjBRsse6DXnex_zSRII4ODzKIfX4qdFBKZHO_BkTsK9DNkUayrr9cz8rFRK6TEH6XTVabgsyd6LP6PTxhpiII_pTYRSWk7CGMnm2nO0dKxzaFQ",
- "e": "AQAB"
- },
- {
- "kty": "RSA",
- "alg": "RS256",
- "use": "sig",
- "kid": "0b915c6a65e2651ddcd0977757ebc644220a23b5",
- "n": "vKa1quTzaKez5hyWc1SRYA_pgCEUx2FgpcfHEz33IjruqM57QTg4jZ2sukU5JdkjegtZm_ry9FuFKB-tIFszNqRBc4hgKWNzvaXicPpGP-tWFxhe30esaXUhF4WpZd4uhLfowJxuXKkM0qjRFAbQiP_N64fauozjquLfESaT0WdclK-wACzb-Mo9GoxYzgmPSRvmNJ83ZfBOimcIfuCQZkIFUjHrYRJ-kZfS02_tkkqpP8KaU3QL0igsQglawJpvH3TTZbA0xuJMOwGESN1xq4Xr_7o3OfNTTfybdVv1o8FMT8snIATGwKXvi9J3P7OEV6r8_pdFUhCOAvRlUYw5-Q",
- "e": "AQAB"
- }
- ]
-}`
-
-var salesForceKeysBody = `{"keys":[{"kty":"RSA","n":"nOcQOvHV8rc-hcfP_RmxMGjyVlruSLeFXTojYcbixaAH36scUejjaws31orUjmYqB5isE9ntdsL4DnsdP_MDJ2mtYD2FIh8tBkJjgXitjdcDclrwELAx846wBIlSES8wR6czpdJZfSwhL_92EGpDH6z7lKEClqhDlbtZ-yFKFj9BQRwaEXWV7uuq23gxXOqyEN0WXl3ZJPgsodCnlXRn9y_r5CNV9V4wvzXGlJhT3Nv_N_Z5XNZIjZnHdCuE_itT4a1xENEEds7Jjg5mRTlVFzYv5iQtBo7jdY5ogMTgKPmRh6hYuqLeki3AOAUff1AGaN9TZH60UxwTw03-DQJL5C2SuC_vM5KIWxZxQniubfegUCBXpJSAJbLt8zSFztTcrLS4-wgUHo1A8TDNaO28_KsBUTWsrieOr3NfCn4bPNb7t8G90U60lW0GIhEda3fNYnV0WWpZVO1jCRNy_JYUs3ECo0E1ZQJZD72Dm6UjiuH7eR3ZgNKR9tlLNdyZSpZUZPErLrXJ90d5XbmJYvRX9r93z6GQqOv5FQy1JhatwefxhKdyhkDEHsqELO0XDqnDnmgxkEEU-lHYSVGz-iDlUZOUYTTCtxsPDmBIXOMuwp0UydJphO36qRQaDyEjHNsYKLj5KVvjDHS8Gw1FhbFvsoUrBHre4hLY9Pa5meatV_k","e":"AQAB","alg":"RS256","use":"sig","kid":"192"},{"kty":"RSA","n":"sTuRuR0_kfPcrMug1dg4e3y4_elyaKDyzqlvEpzo6FgYTAuR-G9wv4Au6O363PDF8Yd8wg5JSwLjcHlfp3auXb_9pzJyhMBUAQwUYhVOPyxGOiyGYwCwkUX_GUA8IGPQZ6XOISX65492upv2DXW85vxYjPGJypWIQ3GjYrYtqmEg2fkuXX3IwITMxHoxYSmvR5Qcn4acnxRKMqCohxLANDEN4xyZBGbuchXnb0TGFwcGNAO8mz-O4E_A9k3QQwz750Qz6xEe8_UWPRvyX32EvGN19tX90DcT488YT0ImdUt6sVZEyOU_vxYXFFpWhf2_C1_AcjUQejex5y4mQn3idtVSAVGQ_eqhS3ZpyY_IhAGSC1JR_TJfrgnJoQrvv7Toz4K-iskOkFDNZYjhkKSla0EaJOUjRdZxmFTlzydmJFCD16-dbB8cCYGEQWVhnmBnYRQ2zquTCGReuILEcV0ALo9sR7zA5u8xSoJpZO1-KM_9lfbBH5M8V6R-ECWJI5MqPJxK0D3BCiNNxI5Kdslb_49SNA3qukQciassa-xbm26MGyYjt7Kn2KC2Tdh8L0z3328Pe6Wn7-vixSbtSc_qy15OifYKHr7BE1JjZfbkFQ6ZY5WgHZOZWG31-9aIhKsCKJGfGwyaN-I2-IzygSIihJNrFnSrO_s80li3H8P-4A0","e":"AQAB","alg":"RS256","use":"sig","kid":"198"},{"kty":"RSA","n":"n9ggEbWxKGy-cke0GpNQlblk47vL7-rtSsPwehgCdt7vANf6n6eqopLN1WPfq-xRJo7aE4gBXV3hQ4Ts1vm3_lXZmUCcFl8iVEYtDUZakmCYlDZExpo5AuRpwIayaidOzFP2qpMNstd9iVN_0ShCNjN-I_kJXAliqxuEZw5A-P-mcUBkE5ar_xVV3TaAXsxU5cecou9fbQjSLSKpQzfKVdUr0japx4iwSv0vdjXzItUfu7CykHU03Xmd4ucv47gdE0FeESgtPvC6cz6W6qCddP3rjBlgYAg0xYu_uyfLLYyaZZoEx8PfYUXfC4zM2a9p7bT1RxfRJDIqA5S507CylpzeAdBdp0N9UCtecENVgVcRotFBv1GOuVEhkba93spdddCGTSjWqzbq2hVj4napeGZ3I1st0mLQCD2reUh6injMFkVllnpfOitjvM98V-c_cxiTJYfg8K338atpWM7nR9Yo5D684Pr-z77xTl0_WY8mIukmGQtznX2dEYYbyzj_PLtK4YSPyrvnqdGFcZpxstSWOHnCeLNigzWCCBbcO2B8F3QGDagW6Zu7IH_P3KRPqwKWDzGzpmDJPGYexz46qezjVnPm-aCcx_m6cnqXqMMt60YtCMFCLxyyBJrTx66LNUpxVRun2vAu2HHdwxv1lzrEvDMzwrSW9JZVmAJ_eg0","e":"AQAB","alg":"RS256","use":"sig","kid":"202"},{"kty":"RSA","n":"o8Fz0jXjZ0Rz5Kt2TmzP0xVokf-Q4Az-MQg5i5MCxNNTQiZp7VkwAZeM0mJ-mKDbCzPm9ws43v8cxeiIkVZQqrAocnnb90MDCnU-7oD7MvOU4SbmhuLzVCyVZPIBRq5z0OgjcwLeD4trOoogkLOu0kyuyzNoFkr712m_GZ1xic-X0MlFKq3-2cI4U2nEuuh-Xcy7bUqCx0zTJFPOOKghGYEZZ6biZ04VC-ERcW6cC19pEWm6vCqZJEsKPCfazVAoHKZAukNd0XLPQd_W6xAaGnp8e7a5tFHn6dU6ikhI94ZieVp6WItWsQTDwJH-D7bVpVRG-lWL74lgcuQdFAtldm__k7FvlTXdqiLrd0rYuDnTFiwUSsUXWBJbmGVsEOylZVPQAL-K7G7p3BRY4X26vOgfludwCOj7L7WFbd0IXziTm74xe2KZGKsFpoCjJI0z_D5Oe5bofswr1Ceafhl97suG7OoInobt7QAQnnLcBVzUPz_TflOXDc5UiePptA0bxdd8MVENiDbTGGNz6DCzfL986QfcJLPB8aZa3lFN0kWPBkOclZagL4WpyIllB6euvZ2hfpt8IY2_bmUN06luo6N7Fy0hSSFMWvfzaD8_Ff3czb1Kv-b0xI6Ugk4d67RNNSbTcRM2Muvx-dJgOyXqrc_hE96OOqcMjrGZJoXnCAM","e":"AQAB","alg":"RS256","use":"sig","kid":"190"},{"kty":"RSA","n":"wIQtK09qsu1qCCQu1mHh6d_EyyOlbqMCV8WMacOyhZng1sbaFJY-0PIH46Kw1uhjbHg94_r2UELYd30vF8xwViGhCmpPuSGhkxNoT5CMoJPS6JW-zBpR7suHqBUnaGdZ6G2uYZDpwWYs_4SJDuWzxVBrQqIM_ZVgUqutniQPmjMAX5MqznBTnG3zm728BmNzS7T2gtzxs3jAgDsSAu3Kxp3D6NDGERhaAJ8jOgwHvmQK5xFi9Adw7sv2nCH-wM-C5fLJYmpGOSrTP1HLOlq--TROAvWL9gcNEeq4arryIYux5syg66rHT8U2Uhb1PdXt7ReQY8wBnP2BBH1QH7rzOZ7UbqFLbQUQsZFAVMcfm7gJN8JWLlcSJZdC2zaY0wI5q8PWN-N_GgAK64FKZQ7pB0bRQ5AQx-D3U4sYE4EcgSvV8fW86PaF1VXaHMFcom48gZ1GzE_V25uPb-0yue0cv9lejrIKDvRiJ5UiyUPphro4Aw2ZcDi_8r8rqfglWhcnB4bGSri4kEBb_IdwvqKwRCqxlNdRnU1ooQeUBaVRwdbpj23Z1qtYjB55Wf2KOCJ6ewMyddq4bEAG6KIqPmssT7_exvygUyuW6qhnCV-gTZEwFI0A6djsHM5itfkzNY47BeuAtGXjuaRnVYIEvTrnSj3Lx7YfvCIiGqFrG6y31Ak","e":"AQAB","alg":"RS256","use":"sig","kid":"188"},{"kty":"RSA","n":"hsqiqMXZmxJHzWfZwbSffKfc9YYMxj83-aWhA91jtI8k-GMsEB6mtoNWLP6vmz6x6BQ8Sn6kmn65n1IGCIlWxhPn9yqfXBDBaHFGYED9bBloSEMFnnS9-ACsWrHl5UtDQ3nh-VQTKg1LBmjJMmAOHdBLoUikfpx8fjA1LfDn_1iNWnguj2ehgjWCuTn64UdUd84YNcfO8Ha0TAhWHOhkiluMyzGS0dtN0h8Ybyi5oL6Bf1sfhtOncUh1JuWMcmvICbGEkA_0vBbMp9nCvXdMlpzMOCIoYYkQ-25SRZ0GpIr_oBIZByEm1XaJIqNXoC7qJ95iAyWkUiSegY_IcBV3nMXr-kDNn9Vm2cgLEJGymOiDQKH8g7VjraCIrqWPD3DWv3Z6RsExs6i0gG3JU9cVVFwz87d05_yk3L5ubWb96uxsP9rkwZ3h8eJTfFrgMhk1ZwR-63Dk3ZLYisiAU0zKgr4vQ9qsCNPqDg0rkeqOY5k7Gy201_wh6Sw5dCNTTGmZZ1rNE-gyDu4-a1H40n8f2JFiH-xIOD9-w8HGYOu_oGlobK2KvzFYHTk-w7vtfhZ0j96UkjaBhVjYSMi4hf43xNbB4xJoHhHLESABLp9IYDlnzBeBXKumXDO5aRk3sFAEAWxj57Ec_DyK6UwXSR9Xqji5a1lEArUdFPYzVZ_YCec","e":"AQAB","alg":"RS256","use":"sig","kid":"194"},{"kty":"RSA","n":"5SGw1jcqyFYEZaf39RoxAhlq-hfRSOsneVtsT2k09yEQhwB2myvf3ckVAwFyBF6y0Hr1psvu1FlPzKQ9YfcQkfge4e7eeQ7uaez9mMQ8RpyAFZprq1iFCix4XQw-jKW47LAevr9w1ttZY932gFrGJ4gkf_uqutUny82vupVUETpQ6HDmIL958SxYb_-d436zi5LMlHnTxcR5TWIQGGxip-CrD7vOA3hrssYLhNGQdwVYtwI768EvwE8h4VJDgIrovoHPH1ofDQk8-oG20eEmZeWugI1K3z33fZJS-E_2p_OiDVr0EmgFMTvPTnQ75h_9vyF1qhzikJpN9P8KcEm8oGu7KJGIn8ggUY0ftqKG2KcWTaKiirFFYQ981PhLHryH18eOIxMpoh9pRXf2y7DfNTyid99ig0GUH-lzAlbKY0EV2sIuvEsIoo6G8YT2uI72xzl7sCcp41FS7oFwbUyHp_uHGiTZgN7g-18nm2TFmQ_wGB1xCwJMFzjIXq1PwEjmg3W5NBuMLSbG-aDwjeNrcD_4vfB6yg548GztQO2MpV_BuxtrZDJQm-xhJXdm4FfrJzWdwX_JN9qfsP0YU1_mxtSU_m6EKgmwFdE3Yh1WM0-kRRSk3gmNvXpiKeVduzm8I5_Jl7kwLgBw24QUVaLZn8jC2xWRk_jcBNFFLQgOf9U","e":"AQAB","alg":"RS256","use":"sig","kid":"196"},{"kty":"RSA","n":"m-rZsEmySPnZLZ9tdoQ9bW0sI_nudwy70vAXK1JZV9AhCJQB5ZHykaK90mpmwAdt8XsrOuQ6Nd9hrgZOHgq-RznNCFhE9qpnOHg68ywsUeZHXD9FqX_QlKPzMBBQXhyWLz58_LHMmGhn4740rB7tXftvDBOctX41I_hilm8_vKbSPE2ov1h9dYMt0a9jFTd6xk5dnj_r3KiswIl4FG4KoXHCv7Hzgv6iVyOJJgTgJcmRw9ydDxvEzkyXlIYFsOW0IKxAoA28ECAImPmiRX37-oP_IK6ZrjxNHd7SqQS12uc33N1ZfI3WR35GGWfLTH7IjjLj0c8lvUrQOQTZc686wqySRZz-BWSFBAYR8OLA-T1SZVk3R_FyZ26mXNYo33I9DcuK5y6c_AMoO0c4Mw-WmTkrAu5QTPWJ-iQsbMjfIDC7XkxkBoIMqIzynZoV1fH5yO_2CyWQfsr1PJRjp3tFhcVgUBrhVY47IsDQ9pmE8XgtRe9dQGT2wXn-aANqF6vQkw_kJ-zDD5VWQ_IQol_znwyktAoYB7iRwS2Ut4l4YsFE5D9SywHK0F1mvIQWENNbw2WjIxgjI8DtJFPdTN_dhnZDfkKjsxvQlchIiMZGAErhaveyyx4ezbUo4XAtzj84QAj9IjtEjOkEo6MqDDeCh6pXlIV_UBdblTXoX37DRpc","e":"AQAB","alg":"RS256","use":"sig","kid":"200"}]}`
diff --git a/vendor/github.com/ericchiang/oidc/nonce.go b/vendor/github.com/ericchiang/oidc/nonce.go
deleted file mode 100644
index c0bb213f..00000000
--- a/vendor/github.com/ericchiang/oidc/nonce.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package oidc
-
-import (
- "errors"
-
- "golang.org/x/oauth2"
-)
-
-// Nonce returns an auth code option which requires the ID Token created by the
-// OpenID Connect provider to contain the specified nonce.
-func Nonce(nonce string) oauth2.AuthCodeOption {
- return oauth2.SetAuthURLParam("nonce", nonce)
-}
-
-// NonceSource represents a source which can verify a nonce is valid and has not
-// been claimed before.
-type NonceSource interface {
- ClaimNonce(nonce string) error
-}
-
-// VerifyNonce ensures that the ID Token contains a nonce which can be claimed by the nonce source.
-func VerifyNonce(source NonceSource) VerificationOption {
- return nonceVerifier{source}
-}
-
-type nonceVerifier struct {
- nonceSource NonceSource
-}
-
-func (n nonceVerifier) verifyIDToken(token *IDToken) error {
- if token.Nonce == "" {
- return errors.New("oidc: no nonce present in ID Token")
- }
- return n.nonceSource.ClaimNonce(token.Nonce)
-}
diff --git a/vendor/github.com/ericchiang/oidc/oidc_test.go b/vendor/github.com/ericchiang/oidc/oidc_test.go
deleted file mode 100644
index 3a31646f..00000000
--- a/vendor/github.com/ericchiang/oidc/oidc_test.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package oidc
-
-import (
- "encoding/json"
- "reflect"
- "testing"
-)
-
-func TestClientVerifier(t *testing.T) {
- tests := []struct {
- clientID string
- aud []string
- wantErr bool
- }{
- {
- clientID: "1",
- aud: []string{"1"},
- },
- {
- clientID: "1",
- aud: []string{"2"},
- wantErr: true,
- },
- {
- clientID: "1",
- aud: []string{"2", "1"},
- },
- {
- clientID: "3",
- aud: []string{"1", "2"},
- wantErr: true,
- },
- }
-
- for i, tc := range tests {
- token := IDToken{Audience: tc.aud}
- err := (clientVerifier{tc.clientID}).verifyIDToken(&token)
- if err != nil && !tc.wantErr {
- t.Errorf("case %d: %v", i)
- }
- if err == nil && tc.wantErr {
- t.Errorf("case %d: expected error")
- }
- }
-}
-
-func TestUnmarshalAudience(t *testing.T) {
- tests := []struct {
- data string
- want audience
- wantErr bool
- }{
- {`"foo"`, audience{"foo"}, false},
- {`["foo","bar"]`, audience{"foo", "bar"}, false},
- {"foo", nil, true}, // invalid JSON
- }
-
- for _, tc := range tests {
- var a audience
- if err := json.Unmarshal([]byte(tc.data), &a); err != nil {
- if !tc.wantErr {
- t.Errorf("failed to unmarshal %q: %v", tc.data, err)
- }
- continue
- }
-
- if tc.wantErr {
- t.Errorf("did not expected to be able to unmarshal %q", tc.data)
- continue
- }
-
- if !reflect.DeepEqual(tc.want, a) {
- t.Errorf("from %q expected %q got %q", tc.data, tc.want, a)
- }
- }
-}
diff --git a/vendor/github.com/ericchiang/oidc/oidcproxy/main.go b/vendor/github.com/ericchiang/oidc/oidcproxy/main.go
deleted file mode 100644
index fc54f8ed..00000000
--- a/vendor/github.com/ericchiang/oidc/oidcproxy/main.go
+++ /dev/null
@@ -1,283 +0,0 @@
-package main
-
-import (
- "crypto/rand"
- "encoding/gob"
- "flag"
- "fmt"
- "io"
- "log"
- "net/http"
- "net/http/httputil"
- "net/url"
- "os"
- "regexp"
- "strconv"
- "strings"
- "time"
-
- "github.com/ericchiang/oidc"
- "github.com/gorilla/securecookie"
-
- "golang.org/x/net/context"
- "golang.org/x/oauth2"
-)
-
-const (
- cookieName = "oidc-proxy"
- // This header will be set by oidcproxy during authentication and
- // passed to the backend.
- emailHeaderName = "X-User-Email"
-)
-
-// Session represents a logged in user's active session.
-type Session struct {
- Email string
- Expires time.Time
-}
-
-func init() {
- gob.Register(&Session{})
-}
-
-var (
- // Flags.
- issuer string
- backend string
- scopes string
- allow string
- httpAddr string
- httpsAddr string
- cookieExp time.Duration
-
- // Set up during initial configuration.
- oauth2Config = new(oauth2.Config)
- oidcProvider *oidc.Provider
- backendHandler *httputil.ReverseProxy
- verifier *oidc.IDTokenVerifier
-
- // Regexps of emails to allow.
- allowEmail []*regexp.Regexp
-
- nonceSource *memNonceSource
-
- cookieEncrypter *securecookie.SecureCookie
-)
-
-func main() {
- flag.StringVar(&issuer, "issuer", "https://accounts.google.com", "The issuer URL of the OpenID Connect provider.")
- flag.StringVar(&backend, "backend", "", "The URL of the backened to proxy to.")
- flag.StringVar(&oauth2Config.RedirectURL, "redirect-url", "", "A full OAuth2 redirect URL.")
- flag.StringVar(&oauth2Config.ClientID, "client-id", "", "The client ID of the OAuth2 client.")
- flag.StringVar(&oauth2Config.ClientSecret, "client-secret", "", "The client secret of the OAuth2 client.")
- flag.StringVar(&scopes, "scopes", "openid,email,profile", `A comma seprated list of OAuth2 scopes to request ("openid" required).`)
- flag.StringVar(&allow, "allow-email", ".*", "Comma seperated list of email regexp's to match for access to the backend.")
- flag.StringVar(&httpAddr, "http", "127.0.0.1:5556", "Default address to listen on.")
- flag.DurationVar(&cookieExp, "cookie-exp", time.Hour*24, "Duration for which a login cookie is valid for.")
- flag.Parse()
-
- // Set flags from environment variables.
- flag.VisitAll(func(f *flag.Flag) {
- if f.Value.String() != f.DefValue {
- return
- }
-
- // Convert flag name, e.g. "redirect-url" becomes "OIDC_PROXY_REDIRECT_URL"
- envVar := "OIDC_PROXY_" + strings.ToUpper(strings.Replace(f.Name, "-", "_", -1))
-
- if envVal := os.Getenv(envVar); envVal != "" {
- if err := flag.Set(f.Name, envVal); err != nil {
- log.Fatal(err)
- }
- }
- // All flags are manditory.
- if f.Value.String() == "" {
- flag.Usage()
- os.Exit(2)
- }
- })
-
- // compile email regexps
- for _, expr := range strings.Split(allow, ",") {
- allowEmailRegexp, err := regexp.Compile(expr)
- if err != nil {
- log.Fatalf("invalid regexp: %q %v", expr, err)
- }
- allowEmail = append(allowEmail, allowEmailRegexp)
- }
-
- // configure reverse proxy
- backendURL, err := url.Parse(backend)
- if err != nil {
- log.Fatalf("failed to parse backend: %v", err)
- }
- backendHandler = httputil.NewSingleHostReverseProxy(backendURL)
-
- redirectURL, err := url.Parse(oauth2Config.RedirectURL)
- if err != nil {
- log.Fatalf("failed to parse redirect URL: %v", err)
- }
-
- // Query for the provider.
- oidcProvider, err = oidc.NewProvider(context.TODO(), issuer)
- if err != nil {
- log.Fatalf("failed to get provider: %v", err)
- }
-
- nonceSource = newNonceSource(context.TODO())
- verifier = oidcProvider.NewVerifier(context.TODO(), oidc.VerifyNonce(nonceSource))
-
- oauth2Config.Endpoint = oidcProvider.Endpoint()
- oauth2Config.Scopes = strings.Split(scopes, ",")
-
- // Initialize secure cookies.
- // TODO(ericchiang): make these configurable
- hashKey := make([]byte, 64)
- blockKey := make([]byte, 32)
- if _, err := io.ReadFull(rand.Reader, hashKey); err != nil {
- log.Fatalf("failed to initialize hash key: %v", err)
- }
- if _, err := io.ReadFull(rand.Reader, blockKey); err != nil {
- log.Fatalf("failed to initialize block key: %v", err)
- }
- cookieEncrypter = securecookie.New(hashKey, blockKey)
-
- mux := http.NewServeMux()
- mux.HandleFunc("/", handleProxy)
- mux.HandleFunc("/login", handleRedirect)
- mux.HandleFunc("/logout", handleLogout)
- mux.HandleFunc(redirectURL.Path, handleCallback)
-
- log.Printf("Listening on: %s", httpAddr)
- http.ListenAndServe(httpAddr, mux)
-}
-
-// httpRedirect returns a handler which redirects to the provided path.
-func httpRedirect(path string) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- http.Redirect(w, r, path, http.StatusFound)
- })
-}
-
-// httpError returns a handler which presents an error to the end user.
-func httpError(status int, format string, a ...interface{}) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- http.Error(w, fmt.Sprintf(format, a...), http.StatusInternalServerError)
- })
-}
-
-func handleCallback(w http.ResponseWriter, r *http.Request) {
- func() http.Handler {
- state := r.URL.Query().Get("state")
- if state == "" {
- log.Printf("State not set")
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
- if err := nonceSource.ClaimNonce(state); err != nil {
- log.Printf("Failed to claim nonce: %v", err)
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
-
- oauth2Token, err := oauth2Config.Exchange(context.TODO(), r.URL.Query().Get("code"))
- if err != nil {
- log.Printf("Failed to exchange token: %v", err)
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
-
- // Extract the ID Token from oauth2 token.
- rawIDToken, ok := oauth2Token.Extra("id_token").(string)
- if !ok {
- log.Println("No ID Token found")
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
-
- idToken, err := verifier.Verify(rawIDToken)
- if err != nil {
- log.Printf("Failed to verify token: %v", err)
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
- var claims struct {
- Email string `json:"email"`
- EmailVerified bool `json:"email_verified"`
- }
-
- if err := idToken.Claims(&claims); err != nil {
- log.Printf("Failed to decode claims: %v", err)
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
- if !claims.EmailVerified || claims.Email == "" {
- log.Println("Failed to verify email")
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
-
- s := Session{Email: claims.Email, Expires: time.Now().Add(cookieExp)}
- encoded, err := cookieEncrypter.Encode(cookieName, s)
- if err != nil {
- log.Printf("Failed to encrypt session: %v", err)
- return httpError(http.StatusInternalServerError, "Authentication failed")
- }
-
- // Set the encoded cookie
- cookie := &http.Cookie{Name: cookieName, Value: encoded, HttpOnly: true, Path: "/"}
- http.SetCookie(w, cookie)
- return httpRedirect("/")
-
- }().ServeHTTP(w, r)
-}
-
-func handleRedirect(w http.ResponseWriter, r *http.Request) {
- // TODO(ericchiang): since arbitrary requests can create nonces, rate limit this endpoint.
- func() http.Handler {
- nonce, err := nonceSource.Nonce()
- if err != nil {
- log.Printf("Failed to create nonce: %v", err)
- return httpError(http.StatusInternalServerError, "Failed to generate redirect")
- }
- state, err := nonceSource.Nonce()
- if err != nil {
- log.Printf("Failed to create state: %v", err)
- return httpError(http.StatusInternalServerError, "Failed to generate redirect")
- }
- return httpRedirect(oauth2Config.AuthCodeURL(state, oauth2.ApprovalForce, oidc.Nonce(nonce)))
- }().ServeHTTP(w, r)
-}
-
-func handleLogout(w http.ResponseWriter, r *http.Request) {
- cookie := &http.Cookie{Name: cookieName, Value: "", HttpOnly: true, Path: "/"}
- http.SetCookie(w, cookie)
- httpRedirect("/login").ServeHTTP(w, r)
-}
-
-func handleProxy(w http.ResponseWriter, r *http.Request) {
- func() http.Handler {
- cookie, err := r.Cookie(cookieName)
- if err != nil {
- // Only error can be ErrNoCookie https://goo.gl/o5fZ49
- return httpRedirect("/login")
- }
- var s Session
- if err := cookieEncrypter.Decode(cookieName, cookie.Value, &s); err != nil {
- log.Printf("Failed to decode cookie: %v", err)
- return http.HandlerFunc(handleLogout) // clear the cookie
- }
- if time.Now().After(s.Expires) {
- log.Printf("Cookie for %q expired", s.Email)
- return http.HandlerFunc(handleLogout) // clear the cookie
- }
-
- for _, allow := range allowEmail {
- if allow.MatchString(s.Email) {
- r.Header.Set(emailHeaderName, s.Email)
- return backendHandler
- }
- }
- log.Printf("Denying %q", s.Email)
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- resp := []byte(`<html><head></head><body>Provided email does not have permission to login. <a href="/logout">Try a different account.</a></body></html>`)
- w.Header().Set("Content-Type", "text/html")
- w.Header().Set("Content-Length", strconv.Itoa(len(resp)))
- w.WriteHeader(http.StatusForbidden)
- w.Write(resp)
- })
- }().ServeHTTP(w, r)
-}
diff --git a/vendor/github.com/ericchiang/oidc/oidcproxy/nonce.go b/vendor/github.com/ericchiang/oidc/oidcproxy/nonce.go
deleted file mode 100644
index a52a3ed2..00000000
--- a/vendor/github.com/ericchiang/oidc/oidcproxy/nonce.go
+++ /dev/null
@@ -1,72 +0,0 @@
-package main
-
-import (
- "crypto/rand"
- "encoding/base64"
- "errors"
- "io"
- "sync"
- "time"
-
- "golang.org/x/net/context"
-)
-
-var (
- gcInterval = time.Minute
- expiresIn = time.Minute * 10
-)
-
-type memNonceSource struct {
- mu sync.Mutex
- nonces map[string]time.Time
-}
-
-func newNonceSource(ctx context.Context) *memNonceSource {
- s := &memNonceSource{nonces: make(map[string]time.Time)}
- go s.garbageCollect(ctx)
- return s
-}
-
-func (s *memNonceSource) Nonce() (string, error) {
- buff := make([]byte, 32)
- if _, err := io.ReadFull(rand.Reader, buff); err != nil {
- return "", err
- }
- nonce := base64.RawURLEncoding.EncodeToString(buff)
-
- s.mu.Lock()
- defer s.mu.Unlock()
- s.nonces[nonce] = time.Now().Add(expiresIn)
-
- return nonce, nil
-}
-
-func (s *memNonceSource) ClaimNonce(nonce string) error {
- s.mu.Lock()
- defer s.mu.Unlock()
-
- if _, ok := s.nonces[nonce]; ok {
- delete(s.nonces, nonce)
- return nil
- }
- return errors.New("invalid nonce")
-}
-
-func (s *memNonceSource) garbageCollect(ctx context.Context) {
- for {
- select {
- case <-ctx.Done():
- case <-time.After(gcInterval):
- s.mu.Lock()
- now := time.Now()
-
- for nonce, exp := range s.nonces {
- if now.After(exp) {
- delete(s.nonces, nonce)
- }
- }
-
- s.mu.Unlock()
- }
- }
-}
diff --git a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_1.pem b/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_1.pem
deleted file mode 100644
index fa032198..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_1.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIA3zFNhDsB70vMBOzeK48Zn6oic5wfx9xto4ErduEVKFST0aJEfjLO
-/kzNrKDgXArCEl2KYJQfb8J9lslA7cLvpVSgBwYFK4EEACOhgYkDgYYABABxyN4Y
-6VxH/86lgejSlHGrjKVSzn6YeOukabBSiU8PS/o/wfGXKX4eKCkJYqVq18zGAfcL
-q+UM09ZQv/De7mGkXwC67qQv7fS7tJ/t0uFcxriQNtVGPsL4/+YmWrFJBTlK0OgD
-mkSBG7ERdb5x/JzNFbajSbX0wKzs4VOZU0VVj/2DJw==
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_2.pem b/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_2.pem
deleted file mode 100644
index 19c5e55f..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_2.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAtlsqZlQW4bWtSmDgLjbhcCgmmWEVwtzHMTZRoQnUv4rdTxCeKLY3
-hjxzd5hPCmtfP68GyJhKQgKofKYD/DgQLc2gBwYFK4EEACOhgYkDgYYABAABrcbo
-t8KEfgzslg4Bb7t0khCgFrT2hX5htSWnwwHiScs1yO9egRcftZg/WAoIo/QDID+i
-OB4f5Flg5PygZpm/SwE4B1E8dGpyLRmBg3cC0/PfuRkGZ2E5POKZqsiRU5TkvC2D
-AkwVr6UPpXPheStrp2qh6ptBUtZRzn8Q4lVFKoKe9g==
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_3.pem b/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_3.pem
deleted file mode 100644
index 0b09692c..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_3.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIAzUq62J5hiC8B5xw9M/e9KlSeO66uq9PHRSGcFY4d9MFgFKILKU0u
-cfUBCwbhOnDWkdUTp1DkLWeNhE0UUvN2FgegBwYFK4EEACOhgYkDgYYABAHH7ZyR
-YXJ9oDJ/KohiQFFXqkvspk3ljvBAFUFRyfL4Q40TtgKGt5YBNmU3SHNHn3fJdjQy
-xe2OZcmKYxzwCjx6mgACI0IoiIdgZN0RBy8UMhgn810C/iDg+nOZScl7P0t3DFcv
-H3K5+tkVWe8lLBIUOkqEyHmmfHGYcn6Kc5jHEnAebA==
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_4.pem b/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_4.pem
deleted file mode 100644
index 50a51f1f..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/ecdsa_521_4.pem
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBt+T9wRbTfN3T5kSqfT5nqCt65w+SGAQ5DXQgcf7gCXId+Ux/57MA
-/Dld+PvG+T8mobr1/jaFiGOLLRsjtnc5Ml+gBwYFK4EEACOhgYkDgYYABAE/ka2T
-p7MsBezSgeATljES2xBY4wDOcjMmI6MzHdiO9hU/xcIQnhc2tjML2QZSMTuLy1ZQ
-Yjhu0ZRg5Dxj4m7mgAFp2f/FqtOSAR5vuikaYPzHwosvNFIIpRDJCZ23j6qbtemF
-5qXUlSXf2+W491rfb2njNwTWx8BLn1M3fFhobK+O9Q==
------END EC PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/gen.sh b/vendor/github.com/ericchiang/oidc/testdata/gen.sh
deleted file mode 100755
index e2385133..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/gen.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -e
-
-for i in $(seq 1 4); do
- openssl ecparam -out ecdsa_521_${i}.pem -name secp521r1 -genkey -noout
-done
-
-for i in $(seq 1 4); do
- openssl genrsa -out rsa_2048_${i}.pem 2048
-done
-
-for i in $(seq 1 4); do
- openssl genrsa -out rsa_4096_${i}.pem 4096
-done
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_1.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_1.pem
deleted file mode 100644
index 75ab64e8..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_1.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA05kMh0SJfLTbcAhpq1w8jpTuo+Shy95WgvYc1KzxcH6ol/nq
-vFSn1VCT/OHyg1t8BGeIfeuckIppT+cRtTjrsqS6FEmJA3lAiRqJZLWbewyXgoaZ
-eCsmMS0s3w8KUon4Z9t8rFVqv2fkki6p7FtLPjPD0PsTRNCPwtOGM8Ci+0qFuCrt
-4flUr6DpiALkqN1PSJCAwL22y8C86S6PPBU2seR3TWdD+iMAmr3Rezh+J/JqYXK+
-4qORzE6mA3hjn+goULQif5fUbYG0vRSyEp8UrlzevS88+ZzxyS9iTZ6H1ympLcsV
-PeqvCIXPd1OJXn6ZGSuIgOlgZuaieKeuYLHDCQIDAQABAoIBAHrxC+R0H+YDNxRq
-7uqPlufJBLbZGmDXeDBzSuEO8uFH1jEnFgoCrdk1Dib6KOvFddMhTJ7NDJS2tuWj
-/hfrUJblOvCaoS8Rfjuq3XVUR1hBQq6mAfleKLyd4NphZL/8RgYh8tg2cOVxOc7t
-qfEYQimL7hQ4LUPoYf7y46CiJpAV+BIwrR74k9Y3vcpumLwWrkwlfLTMWmcaiJE+
-gQBVl5+CQZmVKohTPDfCnQ9+ISzxvh4nesiQORMljG/ssQaZi5h7VEJDqGOaDgVB
-CsFp9fxLrQzx1Gjxv/uEhG/k45uAU1qgNZcL3/XQhyCgadUsuMM3yOndIaiQNbNN
-7bm1b9kCgYEA6XICJjg6vRbIO7nS5VYW1efFhLlqYjFimjv5f5vaTWA3FM8S1crL
-HG4Q8yh+CBOwY0mtcwr8RjlnX5Dsi+wGJgFjaL7OG0MDojv9/YKZse4dIHELUPKC
-Wj1zxiE23JsMAWKXvkhgGJgkC4mksZHVVszcLOEvmn2uZghDtTxhpw8CgYEA6Aqr
-NipU2MPPOe0Hu2Ar6Kb/EaJyJA2G8lABWILwyI6Wv13dpZz1FfjcpnsZVRNBuYla
-O3OKZun537kQOfHMWJfZyj2fOrJ0z3rsWZ+nbbUy1um8Z6jHTPqQyNoelE5/QTvs
-CJ0jDzotbUYsvE4TdOH2EzSneecAgBN7Brz/tGcCgYEAuSpcOBKbzMZYVr+DX7NU
-c6Dek/M6Rd6kNnBh620k0AEET7YcW4X6a3eGbEjvBtsPKwIS2VCaX91CeJQMfMPe
-8KBjSH8oHomeRT3Orhm8bVzQr53a+v8QlCFwRnSr/nnhIOwiLqVby8ZJuPkZsFtb
-W/ksn1CSoLkV7wqZIhVd49MCgYEArkFU0hh4H1DtDlMyu0Q9tTmz00pq7Sg7bz0l
-xZKPwA1Up+GV0glNBHMfQOaw33LWqL69RGhAR4juXVRdGya6js16gKZGLY5Wqnll
-hOigk4K/6yUcl7vn76c7k5o53KYWaqbVWqKm8Yh/FNDeR4takSwf38xq+ODBP21h
-tm24mYECgYBUS4Ox2dzDBPIKVfxyuV+FviM9wYKBd9G2xUYavF5Id/0byYOkOy11
-K9L4NJI4Xztzw6KZw7ngUsBmK9AN60mLO1SkHyMr7dLanyt03X46jhtEQem+wDqf
-HgKcqIz0gxaU6+widaEM33/cTi+kafH2uLr13aHU23ZfMV7oeRk3XQ==
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_2.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_2.pem
deleted file mode 100644
index a694ee70..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_2.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAsB/GrXd+Ygz/Gq0nxKX06cLh4ECe+AfINVz+LdBCY1R8ossV
-1v2Rk6M59EMZwsR3XuzCoioEGzI+QyEUUQO+FpsDMpZ3iL4+dTCZIo9XXfHyQEnq
-JCy2w6Al2Xr6qTvfHBCMn61IGwAgDhDDb0djclJhqLhgxAVwXyxt3+pVSnUqdKtt
-h0tgLqyEgqX19QjDEh0xhFT+zB/IHmolaJO1DelvDLYmyaxoOCizGb2WyMcjkZ6m
-sdV/rYpzBW1BjA9N1+gnTsPF1cQ6wJJTtDRjovKWtqCQSmmPnQSVNwIz8+zI9FUc
-qPM6gP6v56bcpmqPtPylY6T3GbGxBQtW+1Z2/QIDAQABAoIBAFNvikiNTlMXAxdZ
-JnjTgfXn++en1Wd9EEyvdD6x5XF3CeB5QyxpTbjaX88mpqKNPlu63+3A59cWc0aL
-+jrzAe9lmhsyCwi9z4rm7fTgYSxBPVlVatWeVSrRyHyB9RONKIH8GRJgHcOkyIrB
-SESEVklHW7p5NmZGiVidDKRCOAugMpnYbOB2Nf7wI7cxHT8QcxcKFaQTdCSnYv0D
-eMWpEmP8vsEmnme8Q6Uax470yBHQQvI7JfWUIbh3wZVdDLllbr+E17ej8EHatCyD
-A6J1lLZ72DJy37G/n3kLLtHy0oWjVk9ZT2m+HEQHSEnAqgHz0UzGKGVoeSnbAxUw
-FATBNYUCgYEA3KowvUgRyc1ydi2L6YqQQg8Mhq6SdSPkC91p3pI8pMJGwco0tI2y
-95EFMsFUg3m+v2URDKxjt3itx+vqWxSqeQBgUzKk+0TRuKt0+8dav5BUA3njtLEk
-VdlzwofbvagUnE+slg0lQKsK/IzODPCckcOjBcUyJI1PNYdDjfQjv7cCgYEAzFO1
-vtexZEUw1QGsrxlxrwBu7ui3NvpfC7rGqJIiUxm7cLrfDbOSHJxutCNOZH90zDZl
-xiVBTc3tvpdXdj+zuUkf9Q4dKNTIq3+Hwm3iGXS+yw6rT2C2I3h+IaSCF1YpKakw
-MSjOwlmnYIckeYGHe2kfEgNiL7qRD+SxJCjSVusCgYEA2/3Mc5h7K35oQ8tqtl1P
-LpyEN22pU6GBhBasqpmOXg/VrPPjkbHHH6tzzEMT97OTaIrg8YqYK1zjm/HmBgHX
-ZqTqY2eVNXBJyVseWLlKDrtcFs8ZJZaJDBGrp9/8QdtlGOURwdK/NfaQEHJsJlhn
-L6ckSudq8yfyNQJyZf5k+YcCgYEArSPqCBNiICN5Y6YNnDqlWLO3TP8p8Y5rZ9cX
-a9SY/W36pWXUiRm3IEN2k3KvhP10DW+zAhqjobh0U2KPHIaSVtmeGNui3eyhNqHU
-em7+fq+s1QhTJeo/rQL3bq6mBfxe2Qyi56U6vvmVmXgq8kNOeMb1KyBu3R7suVkC
-ui9VPY0CgYEArXpn5sZz8ERHXjeRHTVxaTk2djvgYtzVKjEGR1LzX6Bi7drbw/lF
-M1Fjqog/k0tsDM7pC30EoxpRR10hSFdC7dQ+STTeTr1gmB6xJmA8boe1jpAfhFXm
-sjjrsFsw3mUpsJD3Ck482T3BA0iZP3NvC/+ge0IkRUC1/j8KP0zQKZI=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_3.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_3.pem
deleted file mode 100644
index 92dfe581..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_3.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAv9Dpk+nfW9lOSHdt8UO5f/ELRA+JM4vX9GkbJy9/M/NTv7gg
-HBNpxYA/RhIMnifeXFAomLYMov0Gxh4+85Dv4YT3lhxlUiwi2yaOIXlgy15R8kGR
-OCFVKgfqfQw3WnWhjGyH3Rb4Znk4IGh2qj+w2lBlnbeKCxXq+SMB/Kc3TMmJg4Cx
-P73vVmT3VifW9goOO4DDNAv0uTl/KgWnaVoPc8eRmYxBc9chTxjlmoLHsCy8z9+p
-pn33eTyfcNF5DS310sMHLcvpP25fPMpkbzDDjnCzBouI0YkJJ1F2m1GPEqnsN0is
-1F9TGJppcAOpb9aaPmtU2wlzMs5Rwm5vQ6/9wQIDAQABAoIBAQCPczl7+QeltRoq
-b8a1DCUKXcZDHCtLdWYHzyMTZx4GSA917cl1tb8AiSzIxm7RSJevCfOSYXOJ4RjT
-yYLivJ3pVnuis5HCpmda5badqhyNevhl6EsmYydBy7G92wj6icZLMk9ZNPiIClfD
-RNyZ7g/g9QdJsB14tOeJcnjl7lgY/8RQOv52mWC2AfvCRGf6fHoopMP4ZlSTDP3q
-2LMGNUW+cEwjZg+AIheJCoCOs51pvm/B2DXeb9T/GMzway3qFBKU/RYi+ceOm6UF
-+BZwStxpXMRbnXrXv9wS3S6260+NSdgIVF7ErzYjinLhZL9Wc6khoRVOCg2ESewr
-+2sJqoABAoGBAOST6/PgAfvODs0m3tzb8dDYMcCtD7p3QoC3HiG7mEu6vnb/GdZZ
-6B1XHiK36xLL0/8tf2BtJIqmrDqOJ8pdiT1sbQUtv8lmbdr2PoV2P86v11F8ZBkq
-szjpQ6gGaItT3dAjJxSGCiwdvMw4za5GJAUPTQZk+t1XasiaAQznMimBAoGBANbT
-9tv+mqwvzK4/Pw/gyIJkIQrbgXTFdMjhZJkNVxCm2R7YnNDRLSxmng0nJCB2Tgkp
-EouWNYi9rsWnmR+AOinSSoAb6znQwOZhQzQb2KzkfBnlZ4XFUxvW4OZmJDZILmyr
-/8uHnEcT7xwT7L90j9cSxq/+WCbB7GGpFmmVpXRBAoGAd7l/ElsXzuOsXwpoGzjd
-HS3QSYKcRWfoHnFLyBFxgOEMmFmgF+U5rfyOnVLGPy8iGHulR0WDqVgJyBXjg5yg
-oNqk89x1ozESg2kNcGxymXkDB/xmlcQG4d1UgbLxmWDRQw7Wjmpy846T8Egke47j
-mP7dsma7+6mpFe+Mc0y5uoECgYBp1D+u/oz5uA5v5G5Phx+fxG3WqG3stX0jnI1v
-LHgwltEs9e7Cm9lSHzdLKXYNm9ozfw1IwHWc6DyZ2EeBkiyU/6h91cMaVzFADLgL
-ipBCE8jjBPTrnFqlw0RFnBnIt+RO2qiHfkXJahOH1HTzmBtoCzLf7j9E0JF/Rsno
-t7SrQQKBgDxAKKHMLT2zm0kz6eTSLSB7WDNxZ14+u32fZj2ln4JMERTk3byGojPX
-zf9poWwCWJOLd7uVtLl2dQZFUZG9GJuZXO15qmKAaXMI5yVwH1ygzzZvDLOlH8Nn
-19ZjFhRLreVeAFLMTyOapEH+5QZxaszMR8Xzna9BJnschht/kPM7
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_4.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_4.pem
deleted file mode 100644
index a55ac961..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_2048_4.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEArmoiX5G36MKPiVGS1sicruEaGRrbhPbIKOf97aGGQRjXVngo
-Knwd2L4T9CRyABgQm3tLHHcT5crODoy46wX2g9onTZWViWWuhJ5wxXNmUbCAPWHb
-j9SunW53WuLYZ/IJLNZt5XYCAFPjAakWp8uMuuDwWo5EyFaw85X3FSMhVmmaYDd0
-cn+1H4+NS/52wX7tWmyvGUNJ8lzjFAnnOtBJByvkyIC7HDphkLQV4j//sMNY1mPX
-HbsYgFv2J/LIJtkjdYO2UoDhZG3Gvj16fMy2JE2owA8IX4/s+XAmA2PiTfd0J5b4
-drAKEcdDl83G6L3depEkTkfvp0ZLsh9xupAvIwIDAQABAoIBABKGgWonPyKA7+AF
-AxS/MC0/CZebC6/+ylnV8lm4K1tkuRKdJp8EmeL4pYPsDxPFepYZLWwzlbB1rxdK
-iSWld36fwEb0WXLDkxrQ/Wdrj3Wjyqs6ZqjLTVS5dAH6UEQSKDlT+U5DD4lbX6RA
-goCGFUeQNtdXfyTMWHU2+4yKM7NKzUpczFky+0d10Mg0ANj3/4IILdr3hqkmMSI9
-1TB9ksWBXJxt3nGxAjzSFihQFUlc231cey/HhYbvAX5fN0xhLxOk88adDcdXE7br
-3Ser1q6XaaFQSMj4oi1+h3RAT9MUjJ6johEqjw0PbEZtOqXvA1x5vfFdei6SqgKn
-Am3BspkCgYEA2lIiKEkT/Je6ZH4Omhv9atbGoBdETAstL3FnNQjkyVau9f6bxQkl
-4/sz985JpaiasORQBiTGY8JDT/hXjROkut91agi2Vafhr29L/mto7KZglfDsT4b2
-9z/EZH8wHw7eYhvdoBbMbqNDSI8RrGa4mpLpuN+E0wsFTzSZEL+QMQUCgYEAzIQh
-xnreQvDAhNradMqLmxRpayn1ORaPReD4/off+mi7hZRLKtP0iNgEVEWHJ6HEqqi1
-r38XAc8ap/lfOVMar2MLyCFOhYspdHZ+TGLZfr8gg/Fzeq9IRGKYadmIKVwjMeyH
-REPqg1tyrvMOE0HI5oqkko8JTDJ0OyVC0Vc6+AcCgYAqCzkywugLc/jcU35iZVOH
-WLdFq1Vmw5w/D7rNdtoAgCYPj6nV5y4Z2o2mgl6ifXbU7BMRK9Hc8lNeOjg6HfdS
-WahV9DmRA1SuIWPkKjE5qczd81i+9AHpmakrpWbSBF4FTNKAewOBpwVVGuBPcDTK
-59IE3V7J+cxa9YkotYuCNQKBgCwGla7AbHBEm2z+H+DcaUktD7R+B8gOTzFfyLoi
-Tdj+CsAquDO0BQQgXG43uWySql+CifoJhc5h4v8d853HggsXa0XdxaWB256yk2Wm
-MePTCRDePVm/ufLetqiyp1kf+IOaw1Oyux0j5oA62mDS3Iikd+EE4Z+BjPvefY/L
-E2qpAoGAZo5Wwwk7q8b1n9n/ACh4LpE+QgbFdlJxlfFLJCKstl37atzS8UewOSZj
-FDWV28nTP9sqbtsmU8Tem2jzMvZ7C/Q0AuDoKELFUpux8shm8wfIhyaPnXUGZoAZ
-Np4vUwMSYV5mopESLWOg3loBxKyLGFtgGKVCjGiQvy6zISQ4fQo=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_1.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_1.pem
deleted file mode 100644
index 15cff3cb..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_1.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAsj0DJZqC86gp5P0B/KXk4CoWLa06uEpMu4K+0QFNR6XwbB7A
-FFXtcjemUnuqnwqHqouG7pcc/KJAiakWPYPbAtwb0JQo3lRPRf6EewjHmspk9vqd
-YBqump9VZedCs7acHCT/xoHhsMI4PyTX5VzhTJoZSMSm1aTX91ZTG2R/KkFhchPd
-b4kMjc2LK9O1CN8vQoX/IolCOlUOVcVrF20jEiOIFpc+5t4V+jRvx4A52dG0DqBm
-Isx3+OioRHD1qRKbi8L851a4UAeX16rW0xsuyCy5htfh3Kbts6AFCtzmvR12QYBl
-+aL1Ksj4lraUmQOkwuj6p+w6x2AU3z5Z48qOmUdcmBnSJE9k37wQEqT4Y09O4+Zb
-UcaAdcexT1YLEKaL6ghGw9pE7gPTmohk+gTYpiPnQ4H/M7HamN8dHN/Ch1hvaI0/
-ZdxSEU2jWlkEeg7c5n7Bmdbc+yMAXeWvS/BeH4yGNh6TtwvTYpq7aDcP4cYw7L7j
-ODIWEmCVgOzdDxn5REHmrOx3qSjimCA/Dia2PHSqkO/pJ0Lu/YNHWdEhxJXYtX8x
-Ldk7i3syJl+s3Qbi1GrNzPRr+enyAWVk5wM4XVwiNlRvvHh8c+gPs7a5qTS2FulW
-psAUB+pCC9Znv8ixgVR9ZMxLALZRIzgZ3s16OZP7pl9t8u87LnbyeihY03sCAwEA
-AQKCAgEAm4gqCtI9mykPBcbRyQlqI0IWgF09dDtBog6BPBiKuw7OMUrUCerBfH2b
-ITbQuF+T6vo+EEzE+p8K+hUWVy+MGX7Ats3Sq8+eLVHfgQ00QJqEaBBg68/ctQh8
-mKOozPF4YAbZOvtzWa7hLhiUXI0j/JgroBgaDSv/WNF3S9vyK4lJ4yX6gK1yyvql
-iuT+gHNg5gfPju9/Xy+Bhs7ymEqf4+AljLEGLqd1PhQrxkbaNHyNRoYpGgyaVBWR
-X8fCVnrqSJcp4SUHSK6XjZaCR0zdEcgVTNltOgJgQfJM9CG3JydiXd4RHjlY/rDI
-W5uPJ8bKK1rp/0ZgNEJfdD8QaXoD28AzoSiL2U8w2wipuq0zAExX9H7ZhgdCMv8n
-1yZ3UWhva1LKzjP/fs9ER4CGK7S5U4tmzF8rYSw0A/RuP5bBhGRAJoCs9ZHmM0TU
-Z9JDAPLy1/P2ICRuHH6mIVOZkHp0IedSJIPqSJ8LywpPNCyh2lIxksnyL0WnI0ai
-8sIu+1t8NGOv/41yUKwJ9LUG+oaWmnUNqduECvYmuX0ByoU/E9YY3RsadiCd5P8l
-xviITyRQG+M5BqOTzd7Xa7K9VBy2V7Vnk/gf6bX8fbv/2TYVD4nnjxNd/H6Uzlj5
-i1R7/gip4rEA6n/ZbioM8TATaJLG2ZAlnxFAGDw10S3cj1W8gMECggEBANxNwBSx
-zbm2vFWCyYY73D+el5cgvSpoXhhu6WotN1aQMBMg4DVQxUSD92erSWvYlb1HOBJL
-wjNLMz5NOanRy42mEXso+oN0PMpykGOb1WmoMx186xj7o7p9NK9AFF7ll2DQMYHd
-9Y/F8ggmj+4orvMMBL//pYDmdguZ2O+KAr/VZAVj6YTnO/tdmk6n4EhAvB5Hy5wZ
-kqi+YD3W01l6vmtWUQBKquaO5XktsAJtv5NapOmy1Fu08gEYwAgADI5Y8CLyMtzX
-NmCSoTZ+GNYPIbW4DocSqyH+N6YpyqLDifb3wE7uvyFwYK6y68TNKhO1F7JLQQNM
-7pM7F1YkUagzE5kCggEBAM8eYUkXqdno5TTubYcH0KOt7kX2ZB4ABFcYnQsMLAC1
-29yElr562jMqgYhpIV+pPMSxKec91g42p6Uiqo1VeciCkFkIcVUyZO1yBFsHnWcS
-z1GFDb0ePDAddLIrOmpKQveRpubPThfioqnrrVjm4YObWVwaO/BiAvFF9ZIPgB7N
-VmXINKJ75Zof6NsCq4Z27dnnXlh1N2kRDEVV2P/x1HRCq1BB84IePGmSjcHBXRqU
-PD0F8PdIYlcW1xDlQuj/x9iWso1MWBWzeuGROTp0LYGA0A6NChU5ldTK3T3+evNo
-KO8xzrjbUH6I6XvWitWG1hvHf31UhoiYOuxjF/++zDMCggEAVgSRrELkdc/w516C
-u0PiMoEE5YBl/An2O4oK32c6RTVVYBKlGIwqCh+Q2UybBV3y0Y3eSd6EvCxvnLLg
-gfslhHBEQRd2AR/AoLdsw0fUY0XGd4wP65hNjIJYsNjPW2I/4hBIVFHLENEUOLR9
-3FrMPKADtsfl4leZ3du7RYRYoHh8blJdmoQC+pnIp0+LFgsYqKYVzSR7DCIRR/P6
-X+S6NwTj6b49znobBV6ea8RYWfu5inpFymzzVRRJ3pXOUUJOuQZib7IkTD7UbYd8
-wQ/1dJOiMIFMiqBNMDb/JOA+nUyNLQSxYigTyAKaZiRJeppp3zbc8qH2QUyARyU1
-MPyIeQKCAQA5WO4S8Oxkm6mrKEFHXBCW4XfSA1DhRZvuCbCh+HLOl4wS2NtsTlPQ
-SvqmrIVDGXbr9ynlDygPs25juN+EVqBrtksFe+L1dgif/ivakJcyjPC+X5rYPGDp
-6Z4AHxwDhiBYsAmIaunyjxv+9HSA4xyZ9g+eAt2Jx3mNGJPQJ16QKMa9U9vPCYMf
-U6qDyY94ocFlzjw/PeVjwAanxAdbhrgOoM8SX9BuvLR5fsylU0bWLykmtFht/6rK
-9lYCJZiLLxdEjyVNHlBdYd6qSi2QU86txt7UyJR8H/+udaUgny+n6bU71YypfoAh
-KQOM+HBkgvsRogFY0GiXtZ7LCP0CIPAlAoIBAG49Ot1AghC9OwLXjcneGRbsML4w
-vkQT9vBkStonR56RkCnN8xGDvLwQQXOJ0Fodo8C3Tup5AHrTNi+V69YVQYCtuM4+
-heWNZxpYDxzZ1IU5a7ITlH5TJFP5paaaH+tIqRZRp+p2+j5y/CyAe5hoYY4K1Xog
-Zuz2piLO5IWKxtznwlQGjlsZ1n6p+WS89NFHuIF2r9NrovPjkEDDqnEcLRTDUnLT
-8FcpdlNkarS/X01ZTBFja5EfW49UWW8sQNRLzVfnP+MECvGFy+oA+4vGprSBuxmt
-WBY7y+z5VD3o+JVHLqkdETwIP9YKLMVhqUb5DQb2EYwggU+1HgZNqTdbfDk=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_2.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_2.pem
deleted file mode 100644
index f331902a..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_2.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEAobIQNPQNtGZlPSpbtZC/c/gb5OxoJfoq07h6X8kyeR3xq9qv
-js8u8YQMt/AtgYw1tSdgNeaYzsvMgaSVgexf8ysqys5obWjcB/sjRR6UJY4hgSm5
-oLoGy8fi8lbSEtpthHStA7UVUGU95Ypga8r++Kkizk84wDq+0jZAGaEPvhO7RJne
-nbEKhhZVIFb13LlkaX1eNOAxAcTszFgX/DaZWFcfzKop6gS7agU5NLCtyAjKdSRz
-CXYMVyVnXhZaxZtLawk9Ld8qIqwmytiPwnlRugoFhTrCPIPfAb1UaESKj4EuupUi
-brlByun/ENiWvbzTZyGLSuYA6rruyfUll4oDT/SwsDMJ0jZiu5C1bTgA+gY6kB+I
-A3EvcP2Eh1uiUvwy5adAr29wlP7/8YwWvyEAAaO9SKbh36xcbsJH9OIQbFati99L
-kn7jfyktUGKxgmwYilF2ehtB1tPOMKRor8HJGoMEcrjiu4Qvc3ygaZtomfY4zxL1
-uNeZ8c51pm5lmo30kJ5q5aWX6iS4Sp+ncFiPjxj7bV7nXOGqwmxK23tk4qdUOK4s
-z26uc+CChP6VdOwLU1uu2FdRvBCPSnvBFIk5qaFZkhbk/gA+iS8R82TUf1DWfvZ4
-why6XJDPQRnscySiIckN3X30TD68dpJ5VtzpRzCvNN9GxoRFY6apcJXoV0sCAwEA
-AQKCAgAKR01scE8mtpOc7cJiqk7hSlZLmRONxndOeh2dVSbWOCcSq5YZV+Y+CAze
-7G+YGpeXamddRclU6/OWEiZG2gXHaWkQ90oAGnhSMY6uaCE2ufA7S7G3G9wuvAgb
-K5WzCRuJHfmZkLtIHwduPfufHopSuD20K6kJ3zIeHsC4YFql1I9E7xsNnyFyIJ1M
-rvp2C3rskcGZTt8Oo7wByV/M8pOQ4Ajvc6mybJaVSLu4M7r4SkbEZ4rAgTaLm58U
-hgtDIHoM1cuDzPnatmLI5jdNP3UIhHaRX4jVW/SjIavp7OF5+dZEmhJUQ4aBJZrH
-MV1ztjsiBSnbmv9X7IYdZG39UhKfuqph20l3NQQ9lGhJH68/V5YEt/301O7Jz2jo
-hPP56TvvP8sNJZqkiD3JQ9Do4V4s0pUR6RQiim34gdivhRNntPjL1hfBZVoIIxOY
-Ek//7OmsfrPwHEatZP6UT+IJTVZRbGp6a5Qu0YmQUh1/MVK+h2PU+FVpkgYALm1u
-6e2dXqRK1NI0v0icFMUTBZAw8h7mob7IlkoA/uLWjgkVZf48/2wCiCtxjDiU31Hu
-QGV3AZFccjKPwjc+lcWjjH3+nM/q4Z9b2r9x5XaPOlq4mXF4QnheSgQ7URhiEG2I
-RI1pmV20HCU/qmAiiGGBWOBYlOSBuRbun5/eSOY8c3FXIMOckQKCAQEAy7F3eqYR
-0tXCJRzR9EQld13QVDeP4PpADbMVzuGXbG6+DDjXgRQiDh0gnS2hSKATd61ZRg+m
-RHVEPAf9lfEyDutr6qZRZJs14auI0Z4eBfdq+pL23e5tcmj5GuqBZ6qR5ZYHblz+
-OT0pEa0VfCW63e0XU/1iG0y6PGbSQiHmqas6E3s7ccDjZZE7lRCBn4+RouBBxtFo
-leugrTK+ahObFeSYSQqjG5vGP13gatui5hib8cGG6QUV6GQvezvLvo/rBmCNFrjm
-wtQ4vfICifadKYYxyTNNB/EKDrXB1E0NyDM8pmXcfFlajQU0fucvSCNmXIDF8nnL
-TCB6mGQBX5VUPwKCAQEAyze5K7YQXe5lp7PLz9IHYyY5dtc4wzwHI4PGe2TAKEtQ
-jEOjSi4bgUYGyalJ8vqmOrGkCBW4NCF8Ywb6wNHgK/O6BGbaSl8N2cYqA9wSnVYB
-c57ieUCg1A/3mdEwO+jHng1G6Me2Tf7VzkO/XPXyA2Fy6XhIg4xf+mxlW010dbKS
-kn4CWljY8XhuX1DZMjA+UAsMzaI6DFcxbIcgcVMP6lp9mnk0Fnm5T5x/EpNjuAHV
-D0m9x9TlQ86akFdf+FljEsj/drDIZ8mkU4JTKiH88wrwfKHrOqhv1NX7hLCXs7wb
-tkxVF71M2qOcYl5TAvJz9uv2U4O9G5l1jL9wT9eJ9QKCAQEAniUAwGajO+/eNfY0
-Q9OMyyo5Dsm8mU1x4bEC44ZejD9GqjKPjpXVAuQ2aBH/QGWX97jMsQqBanEpMvp5
-Nar31IGPXbUXSGcA5F7LcQO0B6nakwT7Sb9NliBOF0mugo/5iih7SIJGlqYXdrPN
-FIAunxLuo7T8MHnXtgGWiOXNMjnQc0OgGWdKpZamjcss+Hb8+Vnnd7cp3gv8ybu1
-/qGOLOc4HK13iX3d42C9VfmEdeTxXjeEyPG72pu+CY2ZWDBgpqjboaKY9vbRvxdg
-RUEFMDISAUYlLl9EEbun626Pnrm5Au/eyWSOWyKJaWWQXg+t72/DP8izwD0PMbWj
-I1TK/QKCAQEAiYSK5R6OUtIprmPILzlE0H6kclxQSCXN+uWIoiXatynINzLqRB+R
-c1is7TiHF0swxBVEGEiCX5ytbOHjPCqKVZPYNHRZkexjFhS4h+YcHqZ90v0Y6s6m
-RvsLJebeihwLQVRgwNOs9XjWvH8x9zlj7Y+7UGyaPZL3vCIwMKnofmE6OLHW68am
-ADnsDspKQGFPOaFQp7L5LzKt+nAyrx1zbraPusH8Up1Knqobf7mHyJRM1syjBaB3
-CPy9saG/CvOKTMMBxRL6eumELxLJLoDTiLDFbsGvygEDtHadfvx1nCZWZnWfO7JZ
-WLdQ82w7JoplmRmylm9WwF+HoZhG63DDJQKCAQEAjkYiyHgh/drr0tQLlpELy3+8
-3CfKgijIs4Q+UGBsygEkPUzS/oFYl9oJ/yFSSOCsyGTYF9ojXYbdaLyHFS1YcpWN
-pcPcZRmd68RdVk2gOMAHBAvT2YN56OQJiDwghMA0bIoY2BI7+h5mFLAgudSZXHY8
-RYt9IjEaFai9cvR88p7p9bQJNuIXWXia9PcdSldHJ01S+GhWHNbd6J0BfPhfAO+R
-VJl98+U6jLyXyY1Ma1v9AfI6dC43SUKG4Z8b2B0ynxMANiOWXCj823owTk542yFi
-ylWbhUGqQ4uMn8ojPArNY+Ndpmlgc8MpgXjaEzMil7BfnhlTHz5sQkMM4ByhaA==
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_3.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_3.pem
deleted file mode 100644
index d899b970..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_3.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEAtZndOamd6RPyspdd28050is48R/ozNBdi5xa2023cQ/lWl7j
-TFTvYyrp/pJ0GvIIUwG3BKQyQBTKcDhLrQzrTO8fxqKfNSQ9/9J2AVChFulVcaJR
-dAJ+k+jjvR+1LMjOxpxjv+RJyTSB4Z6W9xOyqfwAyNsc3nZ2jukHlOCvkpwUJQW2
-AMQFLlZoIZ4FyZ5qkSPP8kw6E6bA76/qSY8/bVMleX7HySIAfA7car3lZuxGMkP1
-aV7Mak4/5kHZwB75SjuiQVwj3urMA1vEoCuwXgdisMS4lmB8iLyW/XJSWHmLrEnQ
-JWbRpie7MYTz2tOJ5GlQpD0U93eV51sn3nQ7If+08IpfZwnsqf+Eew3+cb1scbrI
-rwoS2JI9MW97I4iUiLnXl8ZDYy2pIIt3bs5gFIdNVEr29uDnmtvmZfFaj/RuPLO+
-4YxNILYo42j8grJyuNikhvCMOWvB/6QMWGUc0BEz4QiZJLzqGWpTP0Nli3AedAxT
-6CIbOhfl8RKyZUl4gDD9ZIsXUSZ0dL5CnIYU8yhq9yw45wh8gwPKTo/fiDog44WK
-cFiQOlTNg1G6x0fUcbfrsfGwNfc9skXwDz+hcdD7dePZfN7jKeQxtX5dj5DIJAhX
-9wanwaoqEj+G5KyXbsn4tuYu2SipSad3uA53UVAHzLapDkD9iiaJ+HrNn3ECAwEA
-AQKCAgAW+spgspL13H1YlgjdeIG5k5iYAoat7Cv6L6XbnGD7IJzQK7OthA3qyZJk
-kVm50yi0gEINh02IiFj5jFYfJsRbruKhexCUY+qohZRDJFXOFWang3e1K1+jDdRL
-qUh+y0ZHIaEJtjSUDl3lE/FcgJSaJ/ZddESZ7fmgqeI4t5nf/noaGTfnruZM78gr
-gNiQo8guZ463xWeP9wjxC5ylBEhtaBkU37MeQ3w2NpcztqXhuUJEuA7E76cESLST
-SX/pbMH038jvZl5vpdx9DE68Ser+awbVAX+uH7WChALDPYUoBvFistBw+yrKULrC
-UGWfKieHzL/UmJofmnVQmltYLfMRarjnGrit2uinJb+xxjt4yKMA6ZCHr6jF7ZkK
-F+vKEbLMGZGZcOQvrhMwTkI6asoj3AoDl8pv1AtFlYJi43hlF8fqGHyaEE8KY90M
-z5SC0wxhUfUGV4FVHRdq/UvCGQf/bJhRfGftnC1BNc9NkGQHZAbjeu4YSkIjFPEO
-k2LwKt8XVFX2bhFNMApP9ktTFlUtOV1Ljjn7+R2L7P/hjRmajnMcSgDZYbQ5Ndw9
-fsZ0gTr1NZERgud4CPLgtc6uwp0rYiIwWn2VoMGNM9WUVDhFmOlznKnPqrkw3zH8
-uor7/+AI1AGltarvTcth2kriS34AUUoaGysZwIBcYgJSjNPvMQKCAQEA3UVUzjyn
-J8UCl+KS5vkXJjIp3mvpT4ZlomSJwuWFChXRHiy033rb2Pz6gCKj8Vh/xHfRSn20
-ZlR/hodqhgyZAEkqvvzcBXm6coEwFywZbhN+cJPpqFkrehLBOC+ukOejUo+0Fdm6
-pF42hGZngq5GbAi5A60FJO1xOIjPj0chBOk5SUTPz7C8TZnE5ae3iSHEcqB2f7qY
-OLLrAAs0YQmOOAB17S6UYcRXTAik6yzONboYFUiyTSid6fuMr9akWP7BGOMNTgdB
-RbZB4PYcvMDqJdCOwJV1eqhNz87i3GPAq/D+K+YItxBi4flh8ijrPjpZ4hH22aeL
-tmfxZVK5TilW9QKCAQEA0hqZbmnLCj0TV71VZsodb2G+6BRAnS15/ppW1BHuNvmF
-noRMnTPAVqbzZ5VZshK0dVsQa66lB6z0uPzOG3euxozrK/Y0a4i0bbdsTO1C+MQ4
-ssIasCWTiKaBWuQ+v9yglEvi9nhaQbMUGhwH029xd1e2t7m10O4HYXF1N640j6gu
-sLvMc0xNvom/Sv+MP8YoXX0NwwLqqxFVQhPqFsim0EhpfGrxRxmWeby1UB0yxn1N
-y87UrF8Ap8MxBImz9avL/5I8LI729xMZywa+RNG3YM9AYsnP2JbZPz3kc2oP0XsL
-83lUd8QD+Z2sFB2rL15XnBD1GETOxSvHqjJCcSBBDQKCAQBDp10kqbraGAyQ7//G
-i0aesRvIG+p8HDWbD25nntGsobsMpNKwudnaYI8e+nhx5IM8SP4+7mxoFVHgiirx
-zYxCYBynxJxpOCzfscxIaX1lAKTaOv9oL8txSaa2TS3stEZlifaf77B3bS7yEHV5
-qVty0L/w9cfq4IaLqJj9z9uyqrSPSHDZqcoJWAixxzQAw8hS2+kfaKf+PgZIPyTG
-vqszSEDGQkWwFt4yKzpxhYOPPdT7PPz3RoHx9q2vXctmQo4708BPqTw12mIOLHHg
-7IMrCLd8/rWqySbxcOpARGe2qrqsJWtovaPeP+fIqOY0Ypb03lVBe07meKWAO2jZ
-Ex65AoIBAFDfIDPZ0OeN/sYFALxiC9Z1n1Ahi4V0ncKckdNrW3AZt47+iabw5pX0
-CTjTygS7Im8RsE5imO9NaZ1S4dq8xK90SolPaXoC0sBwm+U4ZlDu5owYHsGylQlC
-XgQoWubq+3xZgXExfjxPu+sY4wJFoT04rAIoH43eMUUWsPHPwjeRmvc4MkgnFL3E
-s7cgilF56suheQyZMM7MCy82DyLZ9Suy07eqSlj9xmfxdTDzLDouvSU35bC7mLr6
-bQG8J2Lmz8z98t+L4A/WcFUvsUk4GAfRfo0H9VL/LXwkTK0IJDKT1FPRXewDrSwF
-vti3Ws8O11YhSNYglh5a7a3bTqvQqHkCggEBAM/oLCz33rLaNQ7Ogcqd3i08vHrT
-CYL+Yxb1ZEIegGgfpIMlYYByhneCcqhXTp8jleJJjRDoaJLfG2rzm4yQ/xIXh2nA
-c31BSicJffk+DV1N7BoZG/OC7CSo0GTlJZ8sAKhAfUApYjVHuDp1GZdHBpLmeYs/
-zSilstxPBgaKUZ92QNt32gjT/nrq/xYmPDR8AEaurS7cZtkAIsmWEJajmqP9PBNZ
-eeCpKaa8m8cSjnSDbTXrA3l7ga2gdEcy++fh+5+VPmpPfnegzImJidC3eBfbDqjn
-/zmUYntVTJ6FepsULoaXz1mQGNzgqCx8y3s0TZ4KmwakiRxwS1OUOWSRvtg=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_4.pem b/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_4.pem
deleted file mode 100644
index 2fe15ba8..00000000
--- a/vendor/github.com/ericchiang/oidc/testdata/rsa_4096_4.pem
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEAoDHNjtZEnbu8o4nWZR8gV4ugYlysC1QP2mxVN66RSXbeuxHi
-aYHjMTYxMSaMLBuj240kP5brwmZ/Tpwy6xpDKmfNFebd1HmE38KuWn9fnZQdgylo
-w9glcsTLxNOsI/wSV4htF/nRzsvAx95nM7HHbdbHNtPwRhExoNJQ6AOuCVtIAe9B
-yAvzdV5voOhWJIahblPbVwU5NX4elm+XGsvlDP66lKcss9lBTjDnWAP4ZcMABBvb
-h5Kc5T9aRBz1WAmUP0qs6+b/F/XYPIKzrOfRpWt+I/l60h1a/RkmlMR3xujLBh96
-r6ATrYdIHDrg33snCkMUyEe6WfPbD02UTZCIttrfZqWy3ddpmV2FKRiGqPvSHIQa
-GBHYZtjV33bdSfmZE25c3LHLCCCP6xJfzK4JMGPEhsDhk3XPWeY3qpKiNAcKSsjg
-B8ibgpwCtP8Hb+h1GG3ZLfoMLYmoladL4crnff/RXhab7vrM67Ggz4uyqB+lXbDx
-NK3UnmkY6xkX86REMSvJw/tCWBpFxn/2X8UlhgDd7fjgxD7HecowWlXSk+DOdKeD
-pDsEGfi2J6/kfRn02QUKnJO6x7gOB5PQPoOjWwQkCaFx4zRngHFXYGuBIv9qNk8W
-EtkuSnCbuLnjZrUmSCjgMsxQQqaXo7Cy/UKH97PSaNsD7hXaUmZLd2+kdpcCAwEA
-AQKCAgEAi1Ckpxsa015owIToKks2kkxAsCpOCRATNW7PcbxkZ9J0A5abJAysq6io
-gUk30Eg9aXvG0XKMGCWRg6j9806EqQVa6zg7JUSFVR/3B4cMfXtJaz8A+IkqkDQr
-zkITy7u1q+Bel+JQH5s9TdTSRbfPa2vFFp6csCLV2Tnu2MgSe9qhteUAfVw/X4xA
-YlyMRfm7vLo63+QQC8BiE4x6ifhWe8WwOAVnMAW58KlBGF9jkARVKD2d3rqXrhs5
-glD44ZZ7Ecv8tK/Qm2LXqlA0uCNnRIhGTDz0HnUfI0vTLL/sNtVPc0S/Kqt5UYl8
-IejmlhSBMECEe2U94Grd0OI0HnybF6KtZ1/YDxDS0AQyO6z4CLs8hUKbaLm6V/i4
-+9fkWvn4DcS7stTeUe4+I9ua/uaDrrvTNBRH0gaLsl3m3ptPiqN8yigApsCyGrgm
-hnxvE1DQCvRw+yeNjgEgtHEJe9z6pcX/0jrw0zH9hIMFM7nSXWONXGQ5AvWuaD1b
-cF3JhAP8IYXPqwNDj6dr61vszMqh7iJgQklJm0YbiUiaf00vGpcVKdHYzInIXdoD
-rGgPtpoDWx2rAOAdw56IltWV35lSz+zYaPGqQglc+pcMfTqE+7FoFFJmOz2cXxIl
-jZehd7dXmBx/yYYedcamLH1A4vmsazJJIxXSRtt2pQ52hdvkU7kCggEBANHr3Ldc
-ZYH7KYcowfjfmreAJaRP9SVo+1FtqiwU+I9pzYtT4aXqXLzlJUbHwkWyf3ameghb
-EWRKuutC39zz71UsongjVpIPCFZjXXPlo5qxMLAZ0I5KBq4xYEoAplNSJye02HvT
-F9KU/J84YwZuJFhWcFXPp5JiFxpW8t1t8iEOuFdvtNkZ1eOByFCC83a/l4sjKCaZ
-xemvQCAX9rmZptqAsWAgUmnhJaTcpjv5jfbwqmJDfGgpPxBap8HlpRlF8V0tG/jZ
-O0EYoPiHloOD/QoCWaqttQGxxxJW+FfDFo4rlo9xst//6nIVXPU59GbHYBXhio9f
-s2UJXOC8sSh9lUsCggEBAMNbouqyltGiX8w3vicEAJDzWubrVkVsRdNyKLh7ARuM
-uO1faQ/HuCyoagFx0tt+AnlOQRPU4YprmBZj1f8PSHoCtwfm3FXo7mpJVDu8T5zD
-Ja7YOAjmLA42m33ZeAxMdZPTvRYSAP4uxMozrg/tl4md8/lYvStAcoMy5jYvUXF1
-E1iWum5EJV4gqkBI5c18QYIzd/hbluxOUhI/fA9AQLK+I56fGMw0hdT48M5Iu/OU
-nBVF8tuw7CXNUhxbfIP4Q8ahBcTu3FDBl/qIqsd7Zv7ckaS5Xr7J57189x8zZqNf
-k/oHZ0Tdwl5cr29B28YC1vtJ7TLotcDZXXPvOeY/sGUCggEABSkCHPPFfwN4it0C
-n6aHfBlHU5mvkgLZoq/Kbhj53zSfm9wtANIZA3+ygeHpMaNopLcE6u2qKMf5fkz/
-icPpTzOwrrlXqHF8J/t7UZ0Ef4n5g2qvCMBjF6cZEdigPg4X7k7wv2J6BHArIZLW
-RFMyy4Ucb8+R8/Q7UyduAulv+UYOW//f9zI+YsBO90Owzmt5Qy9TDlfbWJo5PlC4
-fOl9A4QEWDOTMw0Yysutvm2tArP5zD6ScVEKPtGrrAWEIHHqs/qm5GAap8f+NP3I
-QmVdNADIyXxJpcgD97xxkF64UDhcFBycZAs7bSB/T3vkOR6PixonOM0GcOZhBRk+
-VZt4rwKCAQEAoal+SwvYpMfi0KM8VxsHwOuxSLBs5uwvaEfrDKa1hu/PxJcU4Psc
-HNCNUH65x+sh7vJkBh4/OgXJiJW7a+NgzZ7bic1wfiNQ0GG4M+qkUwxmbab9z9dx
-k5161Q0WO8816UvqCI6DhdR8Avv7SbEKmtY8JBZcDKO7X3jKawKDOglxJfktc7wu
-1BLh8GqiyIXPzAf9emeIoCo73l/ssM4x+/g+j7AGnE3GhjQvSfWEm5BaDXyh+U0S
-TkH3dgH7K1ZR99geZxZm+OkLdEaOVJ943uT2HUNM9UMt42+7LHWjtQSN9vUTbzi3
-9NBsWPw9+0E0WCSYBm3uohT+McdAuZnwxQKCAQEAvQhO9GqMMtOnN/QUdU4FHVKl
-R8vuJpT3w0ywBcHj5aYwPgkLxCYmfnZtD0kNPkP1FjlYz6C+cGUgNPNifoj6CwCA
-oRrw7mgyhHuoum+7qlFwJzhuyx94Z4B7RbINfEsqk4mXGRssUUUBGd4Sh29w54SU
-dQMn7s0LiwN6AOwOaAnjD9RlBE+021N9Dax71DuBu1RzA/Z1sC5EFYkL1C5B4kSJ
-BYd0Nvru5DRidDrJuxr8tnGqOkNqT2kaujkVmFy6ra6nshkbErbd1LXZksM2PP96
-bM5Pta4jX4ylcS8e5F16zmZZrtuBDla1kizM7tGdPQQztXeBHZzvdQDlWTHqkw==
------END RSA PRIVATE KEY-----
diff --git a/vendor/gopkg.in/square/go-jose.v1/.gitcookies.sh.enc b/vendor/gopkg.in/square/go-jose.v1/.gitcookies.sh.enc
deleted file mode 100644
index 730e569b..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/.gitcookies.sh.enc
+++ /dev/null
@@ -1 +0,0 @@
-'|�&{t�U|gG�(��Cy=+����c�:u:/p�#~��[�"�4�!�n�A�DK<�uf��h�a���:�����B/�ؤ����_�h��S��T*w�x�����-�|���Ӄ������㣗A$�$�6����G)8n�p����ˡ3̚��o���v��B�3��]xݓ�2�l�G�|qR��ޯ
�2
5R�����$��Y���ݙl�˫yAI"ی���û���k�|K��[9����=������|@S�3��#��x?�V�,��S�����wP�og�6&V6 �D.dB��7
\ No newline at end of file
diff --git a/vendor/gopkg.in/square/go-jose.v1/.gitignore b/vendor/gopkg.in/square/go-jose.v1/.gitignore
deleted file mode 100644
index 5b4d73b6..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-*~
-.*.swp
-*.out
-*.test
-*.pem
-*.cov
-jose-util/jose-util
diff --git a/vendor/gopkg.in/square/go-jose.v1/.travis.yml b/vendor/gopkg.in/square/go-jose.v1/.travis.yml
deleted file mode 100644
index 7582bb72..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/.travis.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-language: go
-
-sudo: false
-
-matrix:
- fast_finish: true
- allow_failures:
- - go: tip
-
-go:
-- 1.3
-- 1.4
-- 1.5
-- 1.6
-- tip
-
-go_import_path: gopkg.in/square/go-jose.v1
-
-before_script:
-- export PATH=$HOME/.local/bin:$PATH
-
-before_install:
-# Install encrypted gitcookies to get around bandwidth-limits
-# that is causing Travis-CI builds to fail. For more info, see
-# https://github.com/golang/go/issues/12933
-- openssl aes-256-cbc -K $encrypted_1528c3c2cafd_key -iv $encrypted_1528c3c2cafd_iv -in .gitcookies.sh.enc -out .gitcookies.sh -d || true
-- bash .gitcookies.sh || true
-- go get github.com/wadey/gocovmerge
-- go get github.com/mattn/goveralls
-- go get golang.org/x/tools/cmd/cover || true
-- go get code.google.com/p/go.tools/cmd/cover || true
-- pip install cram --user `whoami`
-
-script:
-- go test . -v -covermode=count -coverprofile=profile.cov
-- go test . -tags std_json -v -covermode=count -coverprofile=profile-std-json.cov
-- go test ./cipher -v -covermode=count -coverprofile=cipher/profile.cov
-- go test ./json -v # no coverage for forked encoding/json package
-- cd jose-util && go build && PATH=$PWD:$PATH cram -v jose-util.t
-- cd ..
-
-after_success:
-- gocovmerge *.cov */*.cov > merged.coverprofile
-- $HOME/gopath/bin/goveralls -coverprofile merged.coverprofile -service=travis-ci
-
diff --git a/vendor/gopkg.in/square/go-jose.v1/BUG-BOUNTY.md b/vendor/gopkg.in/square/go-jose.v1/BUG-BOUNTY.md
deleted file mode 100644
index 97e61dbb..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/BUG-BOUNTY.md
+++ /dev/null
@@ -1,10 +0,0 @@
-Serious about security
-======================
-
-Square recognizes the important contributions the security research community
-can make. We therefore encourage reporting security issues with the code
-contained in this repository.
-
-If you believe you have discovered a security vulnerability, please follow the
-guidelines at <https://hackerone.com/square-open-source>.
-
diff --git a/vendor/gopkg.in/square/go-jose.v1/CONTRIBUTING.md b/vendor/gopkg.in/square/go-jose.v1/CONTRIBUTING.md
deleted file mode 100644
index 61b18365..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/CONTRIBUTING.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Contributing
-
-If you would like to contribute code to go-jose you can do so through GitHub by
-forking the repository and sending a pull request.
-
-When submitting code, please make every effort to follow existing conventions
-and style in order to keep the code as readable as possible. Please also make
-sure all tests pass by running `go test`, and format your code with `go fmt`.
-We also recommend using `golint` and `errcheck`.
-
-Before your code can be accepted into the project you must also sign the
-[Individual Contributor License Agreement][1].
-
- [1]: https://spreadsheets.google.com/spreadsheet/viewform?formkey=dDViT2xzUHAwRkI3X3k5Z0lQM091OGc6MQ&ndplr=1
diff --git a/vendor/gopkg.in/square/go-jose.v1/LICENSE b/vendor/gopkg.in/square/go-jose.v1/LICENSE
deleted file mode 100644
index d6456956..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/LICENSE
+++ /dev/null
@@ -1,202 +0,0 @@
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
diff --git a/vendor/gopkg.in/square/go-jose.v1/README.md b/vendor/gopkg.in/square/go-jose.v1/README.md
deleted file mode 100644
index fd859da7..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/README.md
+++ /dev/null
@@ -1,209 +0,0 @@
-# Go JOSE
-
-[](https://godoc.org/gopkg.in/square/go-jose.v1) [](https://raw.githubusercontent.com/square/go-jose/master/LICENSE) [](https://travis-ci.org/square/go-jose) [](https://coveralls.io/r/square/go-jose)
-
-Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. For the moment, it mainly focuses on encryption
-and signing based on the JSON Web Encryption and JSON Web Signature standards.
-
-**Disclaimer**: This library contains encryption software that is subject to
-the U.S. Export Administration Regulations. You may not export, re-export,
-transfer or download this code or any part of it in violation of any United
-States law, directive or regulation. In particular this software may not be
-exported or re-exported in any form or on any media to Iran, North Sudan,
-Syria, Cuba, or North Korea, or to denied persons or entities mentioned on any
-US maintained blocked list.
-
-## Overview
-
-The implementation follows the
-[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516)
-standard (RFC 7516) and
-[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515)
-standard (RFC 7515). Tables of supported algorithms are shown below.
-The library supports both the compact and full serialization formats, and has
-optional support for multiple recipients. It also comes with a small
-command-line utility
-([`jose-util`](https://github.com/square/go-jose/tree/master/jose-util))
-for dealing with JOSE messages in a shell.
-
-**Note**: We use a forked version of the `encoding/json` package from the Go
-standard library which uses case-sensitive matching for member names (instead
-of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)).
-This is to avoid differences in interpretation of messages between go-jose and
-libraries in other languages. If you do not like this behavior, you can use the
-`std_json` build tag to disable it (though we do not recommend doing so).
-
-### Versions
-
-We use [gopkg.in](https://gopkg.in) for versioning.
-
-[Version 1](https://gopkg.in/square/go-jose.v1) is the current stable version:
-
- import "gopkg.in/square/go-jose.v1"
-
-The interface for [go-jose.v1](https://gopkg.in/square/go-jose.v1) will remain
-backwards compatible. We're currently sketching out ideas for a new version, to
-clean up the interface a bit. If you have ideas or feature requests [please let
-us know](https://github.com/square/go-jose/issues/64)!
-
-### Supported algorithms
-
-See below for a table of supported algorithms. Algorithm identifiers match
-the names in the
-[JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518)
-standard where possible. The
-[Godoc reference](https://godoc.org/github.com/square/go-jose#pkg-constants)
-has a list of constants.
-
- Key encryption | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSA-PKCS#1v1.5 | RSA1_5
- RSA-OAEP | RSA-OAEP, RSA-OAEP-256
- AES key wrap | A128KW, A192KW, A256KW
- AES-GCM key wrap | A128GCMKW, A192GCMKW, A256GCMKW
- ECDH-ES + AES key wrap | ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
- ECDH-ES (direct) | ECDH-ES<sup>1</sup>
- Direct encryption | dir<sup>1</sup>
-
-<sup>1. Not supported in multi-recipient mode</sup>
-
- Signing / MAC | Algorithm identifier(s)
- :------------------------- | :------------------------------
- RSASSA-PKCS#1v1.5 | RS256, RS384, RS512
- RSASSA-PSS | PS256, PS384, PS512
- HMAC | HS256, HS384, HS512
- ECDSA | ES256, ES384, ES512
-
- Content encryption | Algorithm identifier(s)
- :------------------------- | :------------------------------
- AES-CBC+HMAC | A128CBC-HS256, A192CBC-HS384, A256CBC-HS512
- AES-GCM | A128GCM, A192GCM, A256GCM
-
- Compression | Algorithm identifiers(s)
- :------------------------- | -------------------------------
- DEFLATE (RFC 1951) | DEF
-
-### Supported key types
-
-See below for a table of supported key types. These are understood by the
-library, and can be passed to corresponding functions such as `NewEncrypter` or
-`NewSigner`. Note that if you are creating a new encrypter or signer with a
-JsonWebKey, the key id of the JsonWebKey (if present) will be added to any
-resulting messages.
-
- Algorithm(s) | Corresponding types
- :------------------------- | -------------------------------
- RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey), *[jose.JsonWebKey](https://godoc.org/github.com/square/go-jose#JsonWebKey)
- ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey), *[jose.JsonWebKey](https://godoc.org/github.com/square/go-jose#JsonWebKey)
- AES, HMAC | []byte, *[jose.JsonWebKey](https://godoc.org/github.com/square/go-jose#JsonWebKey)
-
-## Examples
-
-Encryption/decryption example using RSA:
-
-```Go
-// Generate a public/private key pair to use for this example. The library
-// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
-// that can be used to load keys from PEM/DER-encoded data.
-privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-if err != nil {
- panic(err)
-}
-
-// Instantiate an encrypter using RSA-OAEP with AES128-GCM. An error would
-// indicate that the selected algorithm(s) are not currently supported.
-publicKey := &privateKey.PublicKey
-encrypter, err := NewEncrypter(RSA_OAEP, A128GCM, publicKey)
-if err != nil {
- panic(err)
-}
-
-// Encrypt a sample plaintext. Calling the encrypter returns an encrypted
-// JWE object, which can then be serialized for output afterwards. An error
-// would indicate a problem in an underlying cryptographic primitive.
-var plaintext = []byte("Lorem ipsum dolor sit amet")
-object, err := encrypter.Encrypt(plaintext)
-if err != nil {
- panic(err)
-}
-
-// Serialize the encrypted object using the full serialization format.
-// Alternatively you can also use the compact format here by calling
-// object.CompactSerialize() instead.
-serialized := object.FullSerialize()
-
-// Parse the serialized, encrypted JWE object. An error would indicate that
-// the given input did not represent a valid message.
-object, err = ParseEncrypted(serialized)
-if err != nil {
- panic(err)
-}
-
-// Now we can decrypt and get back our original plaintext. An error here
-// would indicate the the message failed to decrypt, e.g. because the auth
-// tag was broken or the message was tampered with.
-decrypted, err := object.Decrypt(privateKey)
-if err != nil {
- panic(err)
-}
-
-fmt.Printf(string(decrypted))
-// output: Lorem ipsum dolor sit amet
-```
-
-Signing/verification example using RSA:
-
-```Go
-// Generate a public/private key pair to use for this example. The library
-// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
-// that can be used to load keys from PEM/DER-encoded data.
-privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-if err != nil {
- panic(err)
-}
-
-// Instantiate a signer using RSASSA-PSS (SHA512) with the given private key.
-signer, err := NewSigner(PS512, privateKey)
-if err != nil {
- panic(err)
-}
-
-// Sign a sample payload. Calling the signer returns a protected JWS object,
-// which can then be serialized for output afterwards. An error would
-// indicate a problem in an underlying cryptographic primitive.
-var payload = []byte("Lorem ipsum dolor sit amet")
-object, err := signer.Sign(payload)
-if err != nil {
- panic(err)
-}
-
-// Serialize the encrypted object using the full serialization format.
-// Alternatively you can also use the compact format here by calling
-// object.CompactSerialize() instead.
-serialized := object.FullSerialize()
-
-// Parse the serialized, protected JWS object. An error would indicate that
-// the given input did not represent a valid message.
-object, err = ParseSigned(serialized)
-if err != nil {
- panic(err)
-}
-
-// Now we can verify the signature on the payload. An error here would
-// indicate the the message failed to verify, e.g. because the signature was
-// broken or the message was tampered with.
-output, err := object.Verify(&privateKey.PublicKey)
-if err != nil {
- panic(err)
-}
-
-fmt.Printf(string(output))
-// output: Lorem ipsum dolor sit amet
-```
-
-More examples can be found in the [Godoc
-reference](https://godoc.org/github.com/square/go-jose) for this package. The
-[`jose-util`](https://github.com/square/go-jose/tree/master/jose-util)
-subdirectory also contains a small command-line utility which might
-be useful as an example.
diff --git a/vendor/gopkg.in/square/go-jose.v1/asymmetric.go b/vendor/gopkg.in/square/go-jose.v1/asymmetric.go
deleted file mode 100644
index 381156ca..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/asymmetric.go
+++ /dev/null
@@ -1,498 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto"
- "crypto/aes"
- "crypto/ecdsa"
- "crypto/rand"
- "crypto/rsa"
- "crypto/sha1"
- "crypto/sha256"
- "errors"
- "fmt"
- "math/big"
-
- "gopkg.in/square/go-jose.v1/cipher"
-)
-
-// A generic RSA-based encrypter/verifier
-type rsaEncrypterVerifier struct {
- publicKey *rsa.PublicKey
-}
-
-// A generic RSA-based decrypter/signer
-type rsaDecrypterSigner struct {
- privateKey *rsa.PrivateKey
-}
-
-// A generic EC-based encrypter/verifier
-type ecEncrypterVerifier struct {
- publicKey *ecdsa.PublicKey
-}
-
-// A key generator for ECDH-ES
-type ecKeyGenerator struct {
- size int
- algID string
- publicKey *ecdsa.PublicKey
-}
-
-// A generic EC-based decrypter/signer
-type ecDecrypterSigner struct {
- privateKey *ecdsa.PrivateKey
-}
-
-// newRSARecipient creates recipientKeyInfo based on the given key.
-func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKeyInfo, error) {
- // Verify that key management algorithm is supported by this encrypter
- switch keyAlg {
- case RSA1_5, RSA_OAEP, RSA_OAEP_256:
- default:
- return recipientKeyInfo{}, ErrUnsupportedAlgorithm
- }
-
- return recipientKeyInfo{
- keyAlg: keyAlg,
- keyEncrypter: &rsaEncrypterVerifier{
- publicKey: publicKey,
- },
- }, nil
-}
-
-// newRSASigner creates a recipientSigInfo based on the given key.
-func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipientSigInfo, error) {
- // Verify that key management algorithm is supported by this encrypter
- switch sigAlg {
- case RS256, RS384, RS512, PS256, PS384, PS512:
- default:
- return recipientSigInfo{}, ErrUnsupportedAlgorithm
- }
-
- return recipientSigInfo{
- sigAlg: sigAlg,
- publicKey: &JsonWebKey{
- Key: &privateKey.PublicKey,
- },
- signer: &rsaDecrypterSigner{
- privateKey: privateKey,
- },
- }, nil
-}
-
-// newECDHRecipient creates recipientKeyInfo based on the given key.
-func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipientKeyInfo, error) {
- // Verify that key management algorithm is supported by this encrypter
- switch keyAlg {
- case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
- default:
- return recipientKeyInfo{}, ErrUnsupportedAlgorithm
- }
-
- return recipientKeyInfo{
- keyAlg: keyAlg,
- keyEncrypter: &ecEncrypterVerifier{
- publicKey: publicKey,
- },
- }, nil
-}
-
-// newECDSASigner creates a recipientSigInfo based on the given key.
-func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (recipientSigInfo, error) {
- // Verify that key management algorithm is supported by this encrypter
- switch sigAlg {
- case ES256, ES384, ES512:
- default:
- return recipientSigInfo{}, ErrUnsupportedAlgorithm
- }
-
- return recipientSigInfo{
- sigAlg: sigAlg,
- publicKey: &JsonWebKey{
- Key: &privateKey.PublicKey,
- },
- signer: &ecDecrypterSigner{
- privateKey: privateKey,
- },
- }, nil
-}
-
-// Encrypt the given payload and update the object.
-func (ctx rsaEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
- encryptedKey, err := ctx.encrypt(cek, alg)
- if err != nil {
- return recipientInfo{}, err
- }
-
- return recipientInfo{
- encryptedKey: encryptedKey,
- header: &rawHeader{},
- }, nil
-}
-
-// Encrypt the given payload. Based on the key encryption algorithm,
-// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
-func (ctx rsaEncrypterVerifier) encrypt(cek []byte, alg KeyAlgorithm) ([]byte, error) {
- switch alg {
- case RSA1_5:
- return rsa.EncryptPKCS1v15(randReader, ctx.publicKey, cek)
- case RSA_OAEP:
- return rsa.EncryptOAEP(sha1.New(), randReader, ctx.publicKey, cek, []byte{})
- case RSA_OAEP_256:
- return rsa.EncryptOAEP(sha256.New(), randReader, ctx.publicKey, cek, []byte{})
- }
-
- return nil, ErrUnsupportedAlgorithm
-}
-
-// Decrypt the given payload and return the content encryption key.
-func (ctx rsaDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
- return ctx.decrypt(recipient.encryptedKey, KeyAlgorithm(headers.Alg), generator)
-}
-
-// Decrypt the given payload. Based on the key encryption algorithm,
-// this will either use RSA-PKCS1v1.5 or RSA-OAEP (with SHA-1 or SHA-256).
-func (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator keyGenerator) ([]byte, error) {
- // Note: The random reader on decrypt operations is only used for blinding,
- // so stubbing is meanlingless (hence the direct use of rand.Reader).
- switch alg {
- case RSA1_5:
- defer func() {
- // DecryptPKCS1v15SessionKey sometimes panics on an invalid payload
- // because of an index out of bounds error, which we want to ignore.
- // This has been fixed in Go 1.3.1 (released 2014/08/13), the recover()
- // only exists for preventing crashes with unpatched versions.
- // See: https://groups.google.com/forum/#!topic/golang-dev/7ihX6Y6kx9k
- // See: https://code.google.com/p/go/source/detail?r=58ee390ff31602edb66af41ed10901ec95904d33
- _ = recover()
- }()
-
- // Perform some input validation.
- keyBytes := ctx.privateKey.PublicKey.N.BitLen() / 8
- if keyBytes != len(jek) {
- // Input size is incorrect, the encrypted payload should always match
- // the size of the public modulus (e.g. using a 2048 bit key will
- // produce 256 bytes of output). Reject this since it's invalid input.
- return nil, ErrCryptoFailure
- }
-
- cek, _, err := generator.genKey()
- if err != nil {
- return nil, ErrCryptoFailure
- }
-
- // When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
- // prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
- // the Million Message Attack on Cryptographic Message Syntax". We are
- // therefore deliberatly ignoring errors here.
- _ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)
-
- return cek, nil
- case RSA_OAEP:
- // Use rand.Reader for RSA blinding
- return rsa.DecryptOAEP(sha1.New(), rand.Reader, ctx.privateKey, jek, []byte{})
- case RSA_OAEP_256:
- // Use rand.Reader for RSA blinding
- return rsa.DecryptOAEP(sha256.New(), rand.Reader, ctx.privateKey, jek, []byte{})
- }
-
- return nil, ErrUnsupportedAlgorithm
-}
-
-// Sign the given payload
-func (ctx rsaDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
- var hash crypto.Hash
-
- switch alg {
- case RS256, PS256:
- hash = crypto.SHA256
- case RS384, PS384:
- hash = crypto.SHA384
- case RS512, PS512:
- hash = crypto.SHA512
- default:
- return Signature{}, ErrUnsupportedAlgorithm
- }
-
- hasher := hash.New()
-
- // According to documentation, Write() on hash never fails
- _, _ = hasher.Write(payload)
- hashed := hasher.Sum(nil)
-
- var out []byte
- var err error
-
- switch alg {
- case RS256, RS384, RS512:
- out, err = rsa.SignPKCS1v15(randReader, ctx.privateKey, hash, hashed)
- case PS256, PS384, PS512:
- out, err = rsa.SignPSS(randReader, ctx.privateKey, hash, hashed, &rsa.PSSOptions{
- SaltLength: rsa.PSSSaltLengthAuto,
- })
- }
-
- if err != nil {
- return Signature{}, err
- }
-
- return Signature{
- Signature: out,
- protected: &rawHeader{},
- }, nil
-}
-
-// Verify the given payload
-func (ctx rsaEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
- var hash crypto.Hash
-
- switch alg {
- case RS256, PS256:
- hash = crypto.SHA256
- case RS384, PS384:
- hash = crypto.SHA384
- case RS512, PS512:
- hash = crypto.SHA512
- default:
- return ErrUnsupportedAlgorithm
- }
-
- hasher := hash.New()
-
- // According to documentation, Write() on hash never fails
- _, _ = hasher.Write(payload)
- hashed := hasher.Sum(nil)
-
- switch alg {
- case RS256, RS384, RS512:
- return rsa.VerifyPKCS1v15(ctx.publicKey, hash, hashed, signature)
- case PS256, PS384, PS512:
- return rsa.VerifyPSS(ctx.publicKey, hash, hashed, signature, nil)
- }
-
- return ErrUnsupportedAlgorithm
-}
-
-// Encrypt the given payload and update the object.
-func (ctx ecEncrypterVerifier) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
- switch alg {
- case ECDH_ES:
- // ECDH-ES mode doesn't wrap a key, the shared secret is used directly as the key.
- return recipientInfo{
- header: &rawHeader{},
- }, nil
- case ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
- default:
- return recipientInfo{}, ErrUnsupportedAlgorithm
- }
-
- generator := ecKeyGenerator{
- algID: string(alg),
- publicKey: ctx.publicKey,
- }
-
- switch alg {
- case ECDH_ES_A128KW:
- generator.size = 16
- case ECDH_ES_A192KW:
- generator.size = 24
- case ECDH_ES_A256KW:
- generator.size = 32
- }
-
- kek, header, err := generator.genKey()
- if err != nil {
- return recipientInfo{}, err
- }
-
- block, err := aes.NewCipher(kek)
- if err != nil {
- return recipientInfo{}, err
- }
-
- jek, err := josecipher.KeyWrap(block, cek)
- if err != nil {
- return recipientInfo{}, err
- }
-
- return recipientInfo{
- encryptedKey: jek,
- header: &header,
- }, nil
-}
-
-// Get key size for EC key generator
-func (ctx ecKeyGenerator) keySize() int {
- return ctx.size
-}
-
-// Get a content encryption key for ECDH-ES
-func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
- priv, err := ecdsa.GenerateKey(ctx.publicKey.Curve, randReader)
- if err != nil {
- return nil, rawHeader{}, err
- }
-
- out := josecipher.DeriveECDHES(ctx.algID, []byte{}, []byte{}, priv, ctx.publicKey, ctx.size)
-
- headers := rawHeader{
- Epk: &JsonWebKey{
- Key: &priv.PublicKey,
- },
- }
-
- return out, headers, nil
-}
-
-// Decrypt the given payload and return the content encryption key.
-func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
- if headers.Epk == nil {
- return nil, errors.New("square/go-jose: missing epk header")
- }
-
- publicKey, ok := headers.Epk.Key.(*ecdsa.PublicKey)
- if publicKey == nil || !ok {
- return nil, errors.New("square/go-jose: invalid epk header")
- }
-
- apuData := headers.Apu.bytes()
- apvData := headers.Apv.bytes()
-
- deriveKey := func(algID string, size int) []byte {
- return josecipher.DeriveECDHES(algID, apuData, apvData, ctx.privateKey, publicKey, size)
- }
-
- var keySize int
-
- switch KeyAlgorithm(headers.Alg) {
- case ECDH_ES:
- // ECDH-ES uses direct key agreement, no key unwrapping necessary.
- return deriveKey(string(headers.Enc), generator.keySize()), nil
- case ECDH_ES_A128KW:
- keySize = 16
- case ECDH_ES_A192KW:
- keySize = 24
- case ECDH_ES_A256KW:
- keySize = 32
- default:
- return nil, ErrUnsupportedAlgorithm
- }
-
- key := deriveKey(headers.Alg, keySize)
- block, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
-
- return josecipher.KeyUnwrap(block, recipient.encryptedKey)
-}
-
-// Sign the given payload
-func (ctx ecDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
- var expectedBitSize int
- var hash crypto.Hash
-
- switch alg {
- case ES256:
- expectedBitSize = 256
- hash = crypto.SHA256
- case ES384:
- expectedBitSize = 384
- hash = crypto.SHA384
- case ES512:
- expectedBitSize = 521
- hash = crypto.SHA512
- }
-
- curveBits := ctx.privateKey.Curve.Params().BitSize
- if expectedBitSize != curveBits {
- return Signature{}, fmt.Errorf("square/go-jose: expected %d bit key, got %d bits instead", expectedBitSize, curveBits)
- }
-
- hasher := hash.New()
-
- // According to documentation, Write() on hash never fails
- _, _ = hasher.Write(payload)
- hashed := hasher.Sum(nil)
-
- r, s, err := ecdsa.Sign(randReader, ctx.privateKey, hashed)
- if err != nil {
- return Signature{}, err
- }
-
- keyBytes := curveBits / 8
- if curveBits%8 > 0 {
- keyBytes += 1
- }
-
- // We serialize the outpus (r and s) into big-endian byte arrays and pad
- // them with zeros on the left to make sure the sizes work out. Both arrays
- // must be keyBytes long, and the output must be 2*keyBytes long.
- rBytes := r.Bytes()
- rBytesPadded := make([]byte, keyBytes)
- copy(rBytesPadded[keyBytes-len(rBytes):], rBytes)
-
- sBytes := s.Bytes()
- sBytesPadded := make([]byte, keyBytes)
- copy(sBytesPadded[keyBytes-len(sBytes):], sBytes)
-
- out := append(rBytesPadded, sBytesPadded...)
-
- return Signature{
- Signature: out,
- protected: &rawHeader{},
- }, nil
-}
-
-// Verify the given payload
-func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error {
- var keySize int
- var hash crypto.Hash
-
- switch alg {
- case ES256:
- keySize = 32
- hash = crypto.SHA256
- case ES384:
- keySize = 48
- hash = crypto.SHA384
- case ES512:
- keySize = 66
- hash = crypto.SHA512
- }
-
- if len(signature) != 2*keySize {
- return fmt.Errorf("square/go-jose: invalid signature size, have %d bytes, wanted %d", len(signature), 2*keySize)
- }
-
- hasher := hash.New()
-
- // According to documentation, Write() on hash never fails
- _, _ = hasher.Write(payload)
- hashed := hasher.Sum(nil)
-
- r := big.NewInt(0).SetBytes(signature[:keySize])
- s := big.NewInt(0).SetBytes(signature[keySize:])
-
- match := ecdsa.Verify(ctx.publicKey, hashed, r, s)
- if !match {
- return errors.New("square/go-jose: ecdsa signature failed to verify")
- }
-
- return nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/asymmetric_test.go b/vendor/gopkg.in/square/go-jose.v1/asymmetric_test.go
deleted file mode 100644
index 1c8c8b34..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/asymmetric_test.go
+++ /dev/null
@@ -1,431 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "crypto/rand"
- "crypto/rsa"
- "errors"
- "io"
- "math/big"
- "testing"
-)
-
-func TestVectorsRSA(t *testing.T) {
- // Sources:
- // http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/pkcs-rsa-cryptography-standard.htm
- // ftp://ftp.rsa.com/pub/rsalabs/tmp/pkcs1v15crypt-vectors.txt
- priv := &rsa.PrivateKey{
- PublicKey: rsa.PublicKey{
- N: fromHexInt(`
- a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8
- ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0c
- bc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bd
- bf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93
- ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb`),
- E: 65537,
- },
- D: fromHexInt(`
- 53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf1195
- 17ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d
- 4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d6
- 5a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb
- 04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1`),
- Primes: []*big.Int{
- fromHexInt(`
- d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262
- 864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c
- 2f26a471dcad212eac7ca39d`),
- fromHexInt(`
- cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb3
- 3d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af
- 72bfe9a030e860b0288b5d77`),
- },
- }
-
- input := fromHexBytes(
- "6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34")
-
- expectedPKCS := fromHexBytes(`
- 50b4c14136bd198c2f3c3ed243fce036e168d56517984a263cd66492b808
- 04f169d210f2b9bdfb48b12f9ea05009c77da257cc600ccefe3a6283789d
- 8ea0e607ac58e2690ec4ebc10146e8cbaa5ed4d5cce6fe7b0ff9efc1eabb
- 564dbf498285f449ee61dd7b42ee5b5892cb90601f30cda07bf26489310b
- cd23b528ceab3c31`)
-
- expectedOAEP := fromHexBytes(`
- 354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad4
- 68fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618
- c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e6
- 57a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5
- 210035d47ac72e8a`)
-
- // Mock random reader
- randReader = bytes.NewReader(fromHexBytes(`
- 017341ae3875d5f87101f8cc4fa9b9bc156bb04628fccdb2f4f11e905bd3
- a155d376f593bd7304210874eba08a5e22bcccb4c9d3882a93a54db022f5
- 03d16338b6b7ce16dc7f4bbf9a96b59772d6606e9747c7649bf9e083db98
- 1884a954ab3c6f18b776ea21069d69776a33e96bad48e1dda0a5ef`))
- defer resetRandReader()
-
- // RSA-PKCS1v1.5 encrypt
- enc := new(rsaEncrypterVerifier)
- enc.publicKey = &priv.PublicKey
- encryptedPKCS, err := enc.encrypt(input, RSA1_5)
- if err != nil {
- t.Error("Encryption failed:", err)
- return
- }
-
- if bytes.Compare(encryptedPKCS, expectedPKCS) != 0 {
- t.Error("Output does not match expected value (PKCS1v1.5)")
- }
-
- // RSA-OAEP encrypt
- encryptedOAEP, err := enc.encrypt(input, RSA_OAEP)
- if err != nil {
- t.Error("Encryption failed:", err)
- return
- }
-
- if bytes.Compare(encryptedOAEP, expectedOAEP) != 0 {
- t.Error("Output does not match expected value (OAEP)")
- }
-
- // Need fake cipher for PKCS1v1.5 decrypt
- resetRandReader()
- aes := newAESGCM(len(input))
-
- keygen := randomKeyGenerator{
- size: aes.keySize(),
- }
-
- // RSA-PKCS1v1.5 decrypt
- dec := new(rsaDecrypterSigner)
- dec.privateKey = priv
- decryptedPKCS, err := dec.decrypt(encryptedPKCS, RSA1_5, keygen)
- if err != nil {
- t.Error("Decryption failed:", err)
- return
- }
-
- if bytes.Compare(input, decryptedPKCS) != 0 {
- t.Error("Output does not match expected value (PKCS1v1.5)")
- }
-
- // RSA-OAEP decrypt
- decryptedOAEP, err := dec.decrypt(encryptedOAEP, RSA_OAEP, keygen)
- if err != nil {
- t.Error("decryption failed:", err)
- return
- }
-
- if bytes.Compare(input, decryptedOAEP) != 0 {
- t.Error("output does not match expected value (OAEP)")
- }
-}
-
-func TestInvalidAlgorithmsRSA(t *testing.T) {
- _, err := newRSARecipient("XYZ", nil)
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- _, err = newRSASigner("XYZ", nil)
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- enc := new(rsaEncrypterVerifier)
- enc.publicKey = &rsaTestKey.PublicKey
- _, err = enc.encryptKey([]byte{}, "XYZ")
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- err = enc.verifyPayload([]byte{}, []byte{}, "XYZ")
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- dec := new(rsaDecrypterSigner)
- dec.privateKey = rsaTestKey
- _, err = dec.decrypt(make([]byte, 256), "XYZ", randomKeyGenerator{size: 16})
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- _, err = dec.signPayload([]byte{}, "XYZ")
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-}
-
-type failingKeyGenerator struct{}
-
-func (ctx failingKeyGenerator) keySize() int {
- return 0
-}
-
-func (ctx failingKeyGenerator) genKey() ([]byte, rawHeader, error) {
- return nil, rawHeader{}, errors.New("failed to generate key")
-}
-
-func TestPKCSKeyGeneratorFailure(t *testing.T) {
- dec := new(rsaDecrypterSigner)
- dec.privateKey = rsaTestKey
- generator := failingKeyGenerator{}
- _, err := dec.decrypt(make([]byte, 256), RSA1_5, generator)
- if err != ErrCryptoFailure {
- t.Error("should return error on invalid algorithm")
- }
-}
-
-func TestInvalidAlgorithmsEC(t *testing.T) {
- _, err := newECDHRecipient("XYZ", nil)
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- _, err = newECDSASigner("XYZ", nil)
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-
- enc := new(ecEncrypterVerifier)
- enc.publicKey = &ecTestKey256.PublicKey
- _, err = enc.encryptKey([]byte{}, "XYZ")
- if err != ErrUnsupportedAlgorithm {
- t.Error("should return error on invalid algorithm")
- }
-}
-
-func TestInvalidECKeyGen(t *testing.T) {
- gen := ecKeyGenerator{
- size: 16,
- algID: "A128GCM",
- publicKey: &ecTestKey256.PublicKey,
- }
-
- if gen.keySize() != 16 {
- t.Error("ec key generator reported incorrect key size")
- }
-
- _, _, err := gen.genKey()
- if err != nil {
- t.Error("ec key generator failed to generate key", err)
- }
-}
-
-func TestInvalidECDecrypt(t *testing.T) {
- dec := ecDecrypterSigner{
- privateKey: ecTestKey256,
- }
-
- generator := randomKeyGenerator{size: 16}
-
- // Missing epk header
- headers := rawHeader{
- Alg: string(ECDH_ES),
- }
-
- _, err := dec.decryptKey(headers, nil, generator)
- if err == nil {
- t.Error("ec decrypter accepted object with missing epk header")
- }
-
- // Invalid epk header
- headers.Epk = &JsonWebKey{}
-
- _, err = dec.decryptKey(headers, nil, generator)
- if err == nil {
- t.Error("ec decrypter accepted object with invalid epk header")
- }
-}
-
-func TestDecryptWithIncorrectSize(t *testing.T) {
- priv, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- t.Error(err)
- return
- }
-
- dec := new(rsaDecrypterSigner)
- dec.privateKey = priv
- aes := newAESGCM(16)
-
- keygen := randomKeyGenerator{
- size: aes.keySize(),
- }
-
- payload := make([]byte, 254)
- _, err = dec.decrypt(payload, RSA1_5, keygen)
- if err == nil {
- t.Error("Invalid payload size should return error")
- }
-
- payload = make([]byte, 257)
- _, err = dec.decrypt(payload, RSA1_5, keygen)
- if err == nil {
- t.Error("Invalid payload size should return error")
- }
-}
-
-func TestPKCSDecryptNeverFails(t *testing.T) {
- // We don't want RSA-PKCS1 v1.5 decryption to ever fail, in order to prevent
- // side-channel timing attacks (Bleichenbacher attack in particular).
- priv, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- t.Error(err)
- return
- }
-
- dec := new(rsaDecrypterSigner)
- dec.privateKey = priv
- aes := newAESGCM(16)
-
- keygen := randomKeyGenerator{
- size: aes.keySize(),
- }
-
- for i := 1; i < 50; i++ {
- payload := make([]byte, 256)
- _, err := io.ReadFull(rand.Reader, payload)
- if err != nil {
- t.Error("Unable to get random data:", err)
- return
- }
- _, err = dec.decrypt(payload, RSA1_5, keygen)
- if err != nil {
- t.Error("PKCS1v1.5 decrypt should never fail:", err)
- return
- }
- }
-}
-
-func BenchmarkPKCSDecryptWithValidPayloads(b *testing.B) {
- priv, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- panic(err)
- }
-
- enc := new(rsaEncrypterVerifier)
- enc.publicKey = &priv.PublicKey
- dec := new(rsaDecrypterSigner)
- dec.privateKey = priv
- aes := newAESGCM(32)
-
- b.StopTimer()
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- plaintext := make([]byte, 32)
- _, err = io.ReadFull(rand.Reader, plaintext)
- if err != nil {
- panic(err)
- }
-
- ciphertext, err := enc.encrypt(plaintext, RSA1_5)
- if err != nil {
- panic(err)
- }
-
- keygen := randomKeyGenerator{
- size: aes.keySize(),
- }
-
- b.StartTimer()
- _, err = dec.decrypt(ciphertext, RSA1_5, keygen)
- b.StopTimer()
- if err != nil {
- panic(err)
- }
- }
-}
-
-func BenchmarkPKCSDecryptWithInvalidPayloads(b *testing.B) {
- priv, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- panic(err)
- }
-
- enc := new(rsaEncrypterVerifier)
- enc.publicKey = &priv.PublicKey
- dec := new(rsaDecrypterSigner)
- dec.privateKey = priv
- aes := newAESGCM(16)
-
- keygen := randomKeyGenerator{
- size: aes.keySize(),
- }
-
- b.StopTimer()
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- plaintext := make([]byte, 16)
- _, err = io.ReadFull(rand.Reader, plaintext)
- if err != nil {
- panic(err)
- }
-
- ciphertext, err := enc.encrypt(plaintext, RSA1_5)
- if err != nil {
- panic(err)
- }
-
- // Do some simple scrambling
- ciphertext[128] ^= 0xFF
-
- b.StartTimer()
- _, err = dec.decrypt(ciphertext, RSA1_5, keygen)
- b.StopTimer()
- if err != nil {
- panic(err)
- }
- }
-}
-
-func TestInvalidEllipticCurve(t *testing.T) {
- signer256 := ecDecrypterSigner{privateKey: ecTestKey256}
- signer384 := ecDecrypterSigner{privateKey: ecTestKey384}
- signer521 := ecDecrypterSigner{privateKey: ecTestKey521}
-
- _, err := signer256.signPayload([]byte{}, ES384)
- if err == nil {
- t.Error("should not generate ES384 signature with P-256 key")
- }
- _, err = signer256.signPayload([]byte{}, ES512)
- if err == nil {
- t.Error("should not generate ES512 signature with P-256 key")
- }
- _, err = signer384.signPayload([]byte{}, ES256)
- if err == nil {
- t.Error("should not generate ES256 signature with P-384 key")
- }
- _, err = signer384.signPayload([]byte{}, ES512)
- if err == nil {
- t.Error("should not generate ES512 signature with P-384 key")
- }
- _, err = signer521.signPayload([]byte{}, ES256)
- if err == nil {
- t.Error("should not generate ES256 signature with P-521 key")
- }
- _, err = signer521.signPayload([]byte{}, ES384)
- if err == nil {
- t.Error("should not generate ES384 signature with P-521 key")
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go b/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go
deleted file mode 100644
index a5c35834..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac.go
+++ /dev/null
@@ -1,196 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "bytes"
- "crypto/cipher"
- "crypto/hmac"
- "crypto/sha256"
- "crypto/sha512"
- "crypto/subtle"
- "encoding/binary"
- "errors"
- "hash"
-)
-
-const (
- nonceBytes = 16
-)
-
-// NewCBCHMAC instantiates a new AEAD based on CBC+HMAC.
-func NewCBCHMAC(key []byte, newBlockCipher func([]byte) (cipher.Block, error)) (cipher.AEAD, error) {
- keySize := len(key) / 2
- integrityKey := key[:keySize]
- encryptionKey := key[keySize:]
-
- blockCipher, err := newBlockCipher(encryptionKey)
- if err != nil {
- return nil, err
- }
-
- var hash func() hash.Hash
- switch keySize {
- case 16:
- hash = sha256.New
- case 24:
- hash = sha512.New384
- case 32:
- hash = sha512.New
- }
-
- return &cbcAEAD{
- hash: hash,
- blockCipher: blockCipher,
- authtagBytes: keySize,
- integrityKey: integrityKey,
- }, nil
-}
-
-// An AEAD based on CBC+HMAC
-type cbcAEAD struct {
- hash func() hash.Hash
- authtagBytes int
- integrityKey []byte
- blockCipher cipher.Block
-}
-
-func (ctx *cbcAEAD) NonceSize() int {
- return nonceBytes
-}
-
-func (ctx *cbcAEAD) Overhead() int {
- // Maximum overhead is block size (for padding) plus auth tag length, where
- // the length of the auth tag is equivalent to the key size.
- return ctx.blockCipher.BlockSize() + ctx.authtagBytes
-}
-
-// Seal encrypts and authenticates the plaintext.
-func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
- // Output buffer -- must take care not to mangle plaintext input.
- ciphertext := make([]byte, len(plaintext)+ctx.Overhead())[:len(plaintext)]
- copy(ciphertext, plaintext)
- ciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())
-
- cbc := cipher.NewCBCEncrypter(ctx.blockCipher, nonce)
-
- cbc.CryptBlocks(ciphertext, ciphertext)
- authtag := ctx.computeAuthTag(data, nonce, ciphertext)
-
- ret, out := resize(dst, len(dst)+len(ciphertext)+len(authtag))
- copy(out, ciphertext)
- copy(out[len(ciphertext):], authtag)
-
- return ret
-}
-
-// Open decrypts and authenticates the ciphertext.
-func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
- if len(ciphertext) < ctx.authtagBytes {
- return nil, errors.New("square/go-jose: invalid ciphertext (too short)")
- }
-
- offset := len(ciphertext) - ctx.authtagBytes
- expectedTag := ctx.computeAuthTag(data, nonce, ciphertext[:offset])
- match := subtle.ConstantTimeCompare(expectedTag, ciphertext[offset:])
- if match != 1 {
- return nil, errors.New("square/go-jose: invalid ciphertext (auth tag mismatch)")
- }
-
- cbc := cipher.NewCBCDecrypter(ctx.blockCipher, nonce)
-
- // Make copy of ciphertext buffer, don't want to modify in place
- buffer := append([]byte{}, []byte(ciphertext[:offset])...)
-
- if len(buffer)%ctx.blockCipher.BlockSize() > 0 {
- return nil, errors.New("square/go-jose: invalid ciphertext (invalid length)")
- }
-
- cbc.CryptBlocks(buffer, buffer)
-
- // Remove padding
- plaintext, err := unpadBuffer(buffer, ctx.blockCipher.BlockSize())
- if err != nil {
- return nil, err
- }
-
- ret, out := resize(dst, len(dst)+len(plaintext))
- copy(out, plaintext)
-
- return ret, nil
-}
-
-// Compute an authentication tag
-func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
- buffer := make([]byte, len(aad)+len(nonce)+len(ciphertext)+8)
- n := 0
- n += copy(buffer, aad)
- n += copy(buffer[n:], nonce)
- n += copy(buffer[n:], ciphertext)
- binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad)*8))
-
- // According to documentation, Write() on hash.Hash never fails.
- hmac := hmac.New(ctx.hash, ctx.integrityKey)
- _, _ = hmac.Write(buffer)
-
- return hmac.Sum(nil)[:ctx.authtagBytes]
-}
-
-// resize ensures the the given slice has a capacity of at least n bytes.
-// If the capacity of the slice is less than n, a new slice is allocated
-// and the existing data will be copied.
-func resize(in []byte, n int) (head, tail []byte) {
- if cap(in) >= n {
- head = in[:n]
- } else {
- head = make([]byte, n)
- copy(head, in)
- }
-
- tail = head[len(in):]
- return
-}
-
-// Apply padding
-func padBuffer(buffer []byte, blockSize int) []byte {
- missing := blockSize - (len(buffer) % blockSize)
- ret, out := resize(buffer, len(buffer)+missing)
- padding := bytes.Repeat([]byte{byte(missing)}, missing)
- copy(out, padding)
- return ret
-}
-
-// Remove padding
-func unpadBuffer(buffer []byte, blockSize int) ([]byte, error) {
- if len(buffer)%blockSize != 0 {
- return nil, errors.New("square/go-jose: invalid padding")
- }
-
- last := buffer[len(buffer)-1]
- count := int(last)
-
- if count == 0 || count > blockSize || count > len(buffer) {
- return nil, errors.New("square/go-jose: invalid padding")
- }
-
- padding := bytes.Repeat([]byte{last}, count)
- if !bytes.HasSuffix(buffer, padding) {
- return nil, errors.New("square/go-jose: invalid padding")
- }
-
- return buffer[:len(buffer)-count], nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac_test.go b/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac_test.go
deleted file mode 100644
index c230271b..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/cbc_hmac_test.go
+++ /dev/null
@@ -1,498 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "bytes"
- "crypto/aes"
- "crypto/cipher"
- "crypto/rand"
- "io"
- "strings"
- "testing"
-)
-
-func TestInvalidInputs(t *testing.T) {
- key := []byte{
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- }
-
- nonce := []byte{
- 92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91, 210, 145}
-
- aead, _ := NewCBCHMAC(key, aes.NewCipher)
- ciphertext := aead.Seal(nil, nonce, []byte("plaintext"), []byte("aad"))
-
- // Changed AAD, must fail
- _, err := aead.Open(nil, nonce, ciphertext, []byte("INVALID"))
- if err == nil {
- t.Error("must detect invalid aad")
- }
-
- // Empty ciphertext, must fail
- _, err = aead.Open(nil, nonce, []byte{}, []byte("aad"))
- if err == nil {
- t.Error("must detect invalid/empty ciphertext")
- }
-
- // Corrupt ciphertext, must fail
- corrupt := make([]byte, len(ciphertext))
- copy(corrupt, ciphertext)
- corrupt[0] ^= 0xFF
-
- _, err = aead.Open(nil, nonce, corrupt, []byte("aad"))
- if err == nil {
- t.Error("must detect corrupt ciphertext")
- }
-
- // Corrupt authtag, must fail
- copy(corrupt, ciphertext)
- corrupt[len(ciphertext)-1] ^= 0xFF
-
- _, err = aead.Open(nil, nonce, corrupt, []byte("aad"))
- if err == nil {
- t.Error("must detect corrupt authtag")
- }
-
- // Truncated data, must fail
- _, err = aead.Open(nil, nonce, ciphertext[:10], []byte("aad"))
- if err == nil {
- t.Error("must detect corrupt authtag")
- }
-}
-
-func TestVectorsAESCBC128(t *testing.T) {
- // Source: http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-29#appendix-A.2
- plaintext := []byte{
- 76, 105, 118, 101, 32, 108, 111, 110, 103, 32, 97, 110, 100, 32,
- 112, 114, 111, 115, 112, 101, 114, 46}
-
- aad := []byte{
- 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
- 120, 88, 122, 85, 105, 76, 67, 74, 108, 98, 109, 77, 105, 79, 105,
- 74, 66, 77, 84, 73, 52, 81, 48, 74, 68, 76, 85, 104, 84, 77, 106, 85,
- 50, 73, 110, 48}
-
- expectedCiphertext := []byte{
- 40, 57, 83, 181, 119, 33, 133, 148, 198, 185, 243, 24, 152, 230, 6,
- 75, 129, 223, 127, 19, 210, 82, 183, 230, 168, 33, 215, 104, 143,
- 112, 56, 102}
-
- expectedAuthtag := []byte{
- 246, 17, 244, 190, 4, 95, 98, 3, 231, 0, 115, 157, 242, 203, 100,
- 191}
-
- key := []byte{
- 4, 211, 31, 197, 84, 157, 252, 254, 11, 100, 157, 250, 63, 170, 106, 206,
- 107, 124, 212, 45, 111, 107, 9, 219, 200, 177, 0, 240, 143, 156, 44, 207}
-
- nonce := []byte{
- 3, 22, 60, 12, 43, 67, 104, 105, 108, 108, 105, 99, 111, 116, 104, 101}
-
- enc, err := NewCBCHMAC(key, aes.NewCipher)
- out := enc.Seal(nil, nonce, plaintext, aad)
- if err != nil {
- t.Error("Unable to encrypt:", err)
- return
- }
-
- if bytes.Compare(out[:len(out)-16], expectedCiphertext) != 0 {
- t.Error("Ciphertext did not match")
- }
- if bytes.Compare(out[len(out)-16:], expectedAuthtag) != 0 {
- t.Error("Auth tag did not match")
- }
-}
-
-func TestVectorsAESCBC256(t *testing.T) {
- // Source: https://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05#section-5.4
- plaintext := []byte{
- 0x41, 0x20, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x20, 0x73, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x20,
- 0x6d, 0x75, 0x73, 0x74, 0x20, 0x6e, 0x6f, 0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x65, 0x71, 0x75,
- 0x69, 0x72, 0x65, 0x64, 0x20, 0x74, 0x6f, 0x20, 0x62, 0x65, 0x20, 0x73, 0x65, 0x63, 0x72, 0x65,
- 0x74, 0x2c, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x69, 0x74, 0x20, 0x6d, 0x75, 0x73, 0x74, 0x20, 0x62,
- 0x65, 0x20, 0x61, 0x62, 0x6c, 0x65, 0x20, 0x74, 0x6f, 0x20, 0x66, 0x61, 0x6c, 0x6c, 0x20, 0x69,
- 0x6e, 0x74, 0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x20, 0x6f, 0x66,
- 0x20, 0x74, 0x68, 0x65, 0x20, 0x65, 0x6e, 0x65, 0x6d, 0x79, 0x20, 0x77, 0x69, 0x74, 0x68, 0x6f,
- 0x75, 0x74, 0x20, 0x69, 0x6e, 0x63, 0x6f, 0x6e, 0x76, 0x65, 0x6e, 0x69, 0x65, 0x6e, 0x63, 0x65}
-
- aad := []byte{
- 0x54, 0x68, 0x65, 0x20, 0x73, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x20, 0x70, 0x72, 0x69, 0x6e, 0x63,
- 0x69, 0x70, 0x6c, 0x65, 0x20, 0x6f, 0x66, 0x20, 0x41, 0x75, 0x67, 0x75, 0x73, 0x74, 0x65, 0x20,
- 0x4b, 0x65, 0x72, 0x63, 0x6b, 0x68, 0x6f, 0x66, 0x66, 0x73}
-
- expectedCiphertext := []byte{
- 0x4a, 0xff, 0xaa, 0xad, 0xb7, 0x8c, 0x31, 0xc5, 0xda, 0x4b, 0x1b, 0x59, 0x0d, 0x10, 0xff, 0xbd,
- 0x3d, 0xd8, 0xd5, 0xd3, 0x02, 0x42, 0x35, 0x26, 0x91, 0x2d, 0xa0, 0x37, 0xec, 0xbc, 0xc7, 0xbd,
- 0x82, 0x2c, 0x30, 0x1d, 0xd6, 0x7c, 0x37, 0x3b, 0xcc, 0xb5, 0x84, 0xad, 0x3e, 0x92, 0x79, 0xc2,
- 0xe6, 0xd1, 0x2a, 0x13, 0x74, 0xb7, 0x7f, 0x07, 0x75, 0x53, 0xdf, 0x82, 0x94, 0x10, 0x44, 0x6b,
- 0x36, 0xeb, 0xd9, 0x70, 0x66, 0x29, 0x6a, 0xe6, 0x42, 0x7e, 0xa7, 0x5c, 0x2e, 0x08, 0x46, 0xa1,
- 0x1a, 0x09, 0xcc, 0xf5, 0x37, 0x0d, 0xc8, 0x0b, 0xfe, 0xcb, 0xad, 0x28, 0xc7, 0x3f, 0x09, 0xb3,
- 0xa3, 0xb7, 0x5e, 0x66, 0x2a, 0x25, 0x94, 0x41, 0x0a, 0xe4, 0x96, 0xb2, 0xe2, 0xe6, 0x60, 0x9e,
- 0x31, 0xe6, 0xe0, 0x2c, 0xc8, 0x37, 0xf0, 0x53, 0xd2, 0x1f, 0x37, 0xff, 0x4f, 0x51, 0x95, 0x0b,
- 0xbe, 0x26, 0x38, 0xd0, 0x9d, 0xd7, 0xa4, 0x93, 0x09, 0x30, 0x80, 0x6d, 0x07, 0x03, 0xb1, 0xf6}
-
- expectedAuthtag := []byte{
- 0x4d, 0xd3, 0xb4, 0xc0, 0x88, 0xa7, 0xf4, 0x5c, 0x21, 0x68, 0x39, 0x64, 0x5b, 0x20, 0x12, 0xbf,
- 0x2e, 0x62, 0x69, 0xa8, 0xc5, 0x6a, 0x81, 0x6d, 0xbc, 0x1b, 0x26, 0x77, 0x61, 0x95, 0x5b, 0xc5}
-
- key := []byte{
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
- 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
- 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f}
-
- nonce := []byte{
- 0x1a, 0xf3, 0x8c, 0x2d, 0xc2, 0xb9, 0x6f, 0xfd, 0xd8, 0x66, 0x94, 0x09, 0x23, 0x41, 0xbc, 0x04}
-
- enc, err := NewCBCHMAC(key, aes.NewCipher)
- out := enc.Seal(nil, nonce, plaintext, aad)
- if err != nil {
- t.Error("Unable to encrypt:", err)
- return
- }
-
- if bytes.Compare(out[:len(out)-32], expectedCiphertext) != 0 {
- t.Error("Ciphertext did not match, got", out[:len(out)-32], "wanted", expectedCiphertext)
- }
- if bytes.Compare(out[len(out)-32:], expectedAuthtag) != 0 {
- t.Error("Auth tag did not match, got", out[len(out)-32:], "wanted", expectedAuthtag)
- }
-}
-
-func TestAESCBCRoundtrip(t *testing.T) {
- key128 := []byte{
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
-
- key192 := []byte{
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7}
-
- key256 := []byte{
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
-
- nonce := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15}
-
- RunRoundtrip(t, key128, nonce)
- RunRoundtrip(t, key192, nonce)
- RunRoundtrip(t, key256, nonce)
-}
-
-func RunRoundtrip(t *testing.T, key, nonce []byte) {
- aead, err := NewCBCHMAC(key, aes.NewCipher)
- if err != nil {
- panic(err)
- }
-
- if aead.NonceSize() != len(nonce) {
- panic("invalid nonce")
- }
-
- // Test pre-existing data in dst buffer
- dst := []byte{15, 15, 15, 15}
- plaintext := []byte{0, 0, 0, 0}
- aad := []byte{4, 3, 2, 1}
-
- result := aead.Seal(dst, nonce, plaintext, aad)
- if bytes.Compare(dst, result[:4]) != 0 {
- t.Error("Existing data in dst not preserved")
- }
-
- // Test pre-existing (empty) dst buffer with sufficient capacity
- dst = make([]byte, 256)[:0]
- result, err = aead.Open(dst, nonce, result[4:], aad)
- if err != nil {
- panic(err)
- }
-
- if bytes.Compare(result, plaintext) != 0 {
- t.Error("Plaintext does not match output")
- }
-}
-
-func TestAESCBCOverhead(t *testing.T) {
- aead, err := NewCBCHMAC(make([]byte, 32), aes.NewCipher)
- if err != nil {
- panic(err)
- }
-
- if aead.Overhead() != 32 {
- t.Error("CBC-HMAC reports incorrect overhead value")
- }
-}
-
-func TestPadding(t *testing.T) {
- for i := 0; i < 256; i++ {
- slice := make([]byte, i)
- padded := padBuffer(slice, 16)
- if len(padded)%16 != 0 {
- t.Error("failed to pad slice properly", i)
- return
- }
- unpadded, err := unpadBuffer(padded, 16)
- if err != nil || len(unpadded) != i {
- t.Error("failed to unpad slice properly", i)
- return
- }
- }
-}
-
-func TestInvalidKey(t *testing.T) {
- key := make([]byte, 30)
- _, err := NewCBCHMAC(key, aes.NewCipher)
- if err == nil {
- t.Error("should not be able to instantiate CBC-HMAC with invalid key")
- }
-}
-
-func TestTruncatedCiphertext(t *testing.T) {
- key := make([]byte, 32)
- nonce := make([]byte, 16)
- data := make([]byte, 32)
-
- io.ReadFull(rand.Reader, key)
- io.ReadFull(rand.Reader, nonce)
-
- aead, err := NewCBCHMAC(key, aes.NewCipher)
- if err != nil {
- panic(err)
- }
-
- ctx := aead.(*cbcAEAD)
- ct := aead.Seal(nil, nonce, data, nil)
-
- // Truncated ciphertext, but with correct auth tag
- truncated, tail := resize(ct[:len(ct)-ctx.authtagBytes-2], len(ct)-2)
- copy(tail, ctx.computeAuthTag(nil, nonce, truncated[:len(truncated)-ctx.authtagBytes]))
-
- // Open should fail
- _, err = aead.Open(nil, nonce, truncated, nil)
- if err == nil {
- t.Error("open on truncated ciphertext should fail")
- }
-}
-
-func TestInvalidPaddingOpen(t *testing.T) {
- key := make([]byte, 32)
- nonce := make([]byte, 16)
-
- // Plaintext with invalid padding
- plaintext := padBuffer(make([]byte, 28), aes.BlockSize)
- plaintext[len(plaintext)-1] = 0xFF
-
- io.ReadFull(rand.Reader, key)
- io.ReadFull(rand.Reader, nonce)
-
- block, _ := aes.NewCipher(key)
- cbc := cipher.NewCBCEncrypter(block, nonce)
- buffer := append([]byte{}, plaintext...)
- cbc.CryptBlocks(buffer, buffer)
-
- aead, _ := NewCBCHMAC(key, aes.NewCipher)
- ctx := aead.(*cbcAEAD)
-
- // Mutated ciphertext, but with correct auth tag
- size := len(buffer)
- ciphertext, tail := resize(buffer, size+(len(key)/2))
- copy(tail, ctx.computeAuthTag(nil, nonce, ciphertext[:size]))
-
- // Open should fail (b/c of invalid padding, even though tag matches)
- _, err := aead.Open(nil, nonce, ciphertext, nil)
- if err == nil || !strings.Contains(err.Error(), "invalid padding") {
- t.Error("no or unexpected error on open with invalid padding:", err)
- }
-}
-
-func TestInvalidPadding(t *testing.T) {
- for i := 0; i < 256; i++ {
- slice := make([]byte, i)
- padded := padBuffer(slice, 16)
- if len(padded)%16 != 0 {
- t.Error("failed to pad slice properly", i)
- return
- }
-
- paddingBytes := 16 - (i % 16)
-
- // Mutate padding for testing
- for j := 1; j <= paddingBytes; j++ {
- mutated := make([]byte, len(padded))
- copy(mutated, padded)
- mutated[len(mutated)-j] ^= 0xFF
-
- _, err := unpadBuffer(mutated, 16)
- if err == nil {
- t.Error("unpad on invalid padding should fail", i)
- return
- }
- }
-
- // Test truncated padding
- _, err := unpadBuffer(padded[:len(padded)-1], 16)
- if err == nil {
- t.Error("unpad on truncated padding should fail", i)
- return
- }
- }
-}
-
-func TestZeroLengthPadding(t *testing.T) {
- data := make([]byte, 16)
- data, err := unpadBuffer(data, 16)
- if err == nil {
- t.Error("padding with 0x00 should never be valid")
- }
-}
-
-func benchEncryptCBCHMAC(b *testing.B, keySize, chunkSize int) {
- key := make([]byte, keySize*2)
- nonce := make([]byte, 16)
-
- io.ReadFull(rand.Reader, key)
- io.ReadFull(rand.Reader, nonce)
-
- chunk := make([]byte, chunkSize)
-
- aead, err := NewCBCHMAC(key, aes.NewCipher)
- if err != nil {
- panic(err)
- }
-
- b.SetBytes(int64(chunkSize))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- aead.Seal(nil, nonce, chunk, nil)
- }
-}
-
-func benchDecryptCBCHMAC(b *testing.B, keySize, chunkSize int) {
- key := make([]byte, keySize*2)
- nonce := make([]byte, 16)
-
- io.ReadFull(rand.Reader, key)
- io.ReadFull(rand.Reader, nonce)
-
- chunk := make([]byte, chunkSize)
-
- aead, err := NewCBCHMAC(key, aes.NewCipher)
- if err != nil {
- panic(err)
- }
-
- out := aead.Seal(nil, nonce, chunk, nil)
-
- b.SetBytes(int64(chunkSize))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- aead.Open(nil, nonce, out, nil)
- }
-}
-
-func BenchmarkEncryptAES128_CBCHMAC_1k(b *testing.B) {
- benchEncryptCBCHMAC(b, 16, 1024)
-}
-
-func BenchmarkEncryptAES128_CBCHMAC_64k(b *testing.B) {
- benchEncryptCBCHMAC(b, 16, 65536)
-}
-
-func BenchmarkEncryptAES128_CBCHMAC_1MB(b *testing.B) {
- benchEncryptCBCHMAC(b, 16, 1048576)
-}
-
-func BenchmarkEncryptAES128_CBCHMAC_64MB(b *testing.B) {
- benchEncryptCBCHMAC(b, 16, 67108864)
-}
-
-func BenchmarkDecryptAES128_CBCHMAC_1k(b *testing.B) {
- benchDecryptCBCHMAC(b, 16, 1024)
-}
-
-func BenchmarkDecryptAES128_CBCHMAC_64k(b *testing.B) {
- benchDecryptCBCHMAC(b, 16, 65536)
-}
-
-func BenchmarkDecryptAES128_CBCHMAC_1MB(b *testing.B) {
- benchDecryptCBCHMAC(b, 16, 1048576)
-}
-
-func BenchmarkDecryptAES128_CBCHMAC_64MB(b *testing.B) {
- benchDecryptCBCHMAC(b, 16, 67108864)
-}
-
-func BenchmarkEncryptAES192_CBCHMAC_64k(b *testing.B) {
- benchEncryptCBCHMAC(b, 24, 65536)
-}
-
-func BenchmarkEncryptAES192_CBCHMAC_1MB(b *testing.B) {
- benchEncryptCBCHMAC(b, 24, 1048576)
-}
-
-func BenchmarkEncryptAES192_CBCHMAC_64MB(b *testing.B) {
- benchEncryptCBCHMAC(b, 24, 67108864)
-}
-
-func BenchmarkDecryptAES192_CBCHMAC_1k(b *testing.B) {
- benchDecryptCBCHMAC(b, 24, 1024)
-}
-
-func BenchmarkDecryptAES192_CBCHMAC_64k(b *testing.B) {
- benchDecryptCBCHMAC(b, 24, 65536)
-}
-
-func BenchmarkDecryptAES192_CBCHMAC_1MB(b *testing.B) {
- benchDecryptCBCHMAC(b, 24, 1048576)
-}
-
-func BenchmarkDecryptAES192_CBCHMAC_64MB(b *testing.B) {
- benchDecryptCBCHMAC(b, 24, 67108864)
-}
-
-func BenchmarkEncryptAES256_CBCHMAC_64k(b *testing.B) {
- benchEncryptCBCHMAC(b, 32, 65536)
-}
-
-func BenchmarkEncryptAES256_CBCHMAC_1MB(b *testing.B) {
- benchEncryptCBCHMAC(b, 32, 1048576)
-}
-
-func BenchmarkEncryptAES256_CBCHMAC_64MB(b *testing.B) {
- benchEncryptCBCHMAC(b, 32, 67108864)
-}
-
-func BenchmarkDecryptAES256_CBCHMAC_1k(b *testing.B) {
- benchDecryptCBCHMAC(b, 32, 1032)
-}
-
-func BenchmarkDecryptAES256_CBCHMAC_64k(b *testing.B) {
- benchDecryptCBCHMAC(b, 32, 65536)
-}
-
-func BenchmarkDecryptAES256_CBCHMAC_1MB(b *testing.B) {
- benchDecryptCBCHMAC(b, 32, 1048576)
-}
-
-func BenchmarkDecryptAES256_CBCHMAC_64MB(b *testing.B) {
- benchDecryptCBCHMAC(b, 32, 67108864)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go b/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go
deleted file mode 100644
index cbb5f7b8..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf.go
+++ /dev/null
@@ -1,75 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "crypto"
- "encoding/binary"
- "hash"
- "io"
-)
-
-type concatKDF struct {
- z, info []byte
- i uint32
- cache []byte
- hasher hash.Hash
-}
-
-// NewConcatKDF builds a KDF reader based on the given inputs.
-func NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {
- buffer := make([]byte, len(algID)+len(ptyUInfo)+len(ptyVInfo)+len(supPubInfo)+len(supPrivInfo))
- n := 0
- n += copy(buffer, algID)
- n += copy(buffer[n:], ptyUInfo)
- n += copy(buffer[n:], ptyVInfo)
- n += copy(buffer[n:], supPubInfo)
- copy(buffer[n:], supPrivInfo)
-
- hasher := hash.New()
-
- return &concatKDF{
- z: z,
- info: buffer,
- hasher: hasher,
- cache: []byte{},
- i: 1,
- }
-}
-
-func (ctx *concatKDF) Read(out []byte) (int, error) {
- copied := copy(out, ctx.cache)
- ctx.cache = ctx.cache[copied:]
-
- for copied < len(out) {
- ctx.hasher.Reset()
-
- // Write on a hash.Hash never fails
- _ = binary.Write(ctx.hasher, binary.BigEndian, ctx.i)
- _, _ = ctx.hasher.Write(ctx.z)
- _, _ = ctx.hasher.Write(ctx.info)
-
- hash := ctx.hasher.Sum(nil)
- chunkCopied := copy(out[copied:], hash)
- copied += chunkCopied
- ctx.cache = hash[chunkCopied:]
-
- ctx.i++
- }
-
- return copied, nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf_test.go b/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf_test.go
deleted file mode 100644
index 48219b3e..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/concat_kdf_test.go
+++ /dev/null
@@ -1,150 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "bytes"
- "crypto"
- "testing"
-)
-
-// Taken from: https://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-38.txt
-func TestVectorConcatKDF(t *testing.T) {
- z := []byte{
- 158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
- 38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
- 140, 254, 144, 196}
-
- algID := []byte{0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77}
-
- ptyUInfo := []byte{0, 0, 0, 5, 65, 108, 105, 99, 101}
- ptyVInfo := []byte{0, 0, 0, 3, 66, 111, 98}
-
- supPubInfo := []byte{0, 0, 0, 128}
- supPrivInfo := []byte{}
-
- expected := []byte{
- 86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16, 26}
-
- ckdf := NewConcatKDF(crypto.SHA256, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo)
-
- out0 := make([]byte, 9)
- out1 := make([]byte, 7)
-
- read0, err := ckdf.Read(out0)
- if err != nil {
- t.Error("error when reading from concat kdf reader", err)
- return
- }
-
- read1, err := ckdf.Read(out1)
- if err != nil {
- t.Error("error when reading from concat kdf reader", err)
- return
- }
-
- if read0+read1 != len(out0)+len(out1) {
- t.Error("did not receive enough bytes from concat kdf reader")
- return
- }
-
- out := []byte{}
- out = append(out, out0...)
- out = append(out, out1...)
-
- if bytes.Compare(out, expected) != 0 {
- t.Error("did not receive expected output from concat kdf reader")
- return
- }
-}
-
-func TestCache(t *testing.T) {
- z := []byte{
- 158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
- 38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
- 140, 254, 144, 196}
-
- algID := []byte{1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4}
-
- ptyUInfo := []byte{1, 2, 3, 4}
- ptyVInfo := []byte{4, 3, 2, 1}
-
- supPubInfo := []byte{}
- supPrivInfo := []byte{}
-
- outputs := [][]byte{}
-
- // Read the same amount of data in different chunk sizes
- chunkSizes := []int{1, 2, 4, 8, 16, 32, 64, 128, 256, 512}
-
- for _, c := range chunkSizes {
- out := make([]byte, 1024)
- reader := NewConcatKDF(crypto.SHA256, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo)
-
- for i := 0; i < 1024; i += c {
- _, _ = reader.Read(out[i : i+c])
- }
-
- outputs = append(outputs, out)
- }
-
- for i := range outputs {
- if bytes.Compare(outputs[i], outputs[(i+1)%len(outputs)]) != 0 {
- t.Error("not all outputs from KDF matched")
- }
- }
-}
-
-func benchmarkKDF(b *testing.B, total int) {
- z := []byte{
- 158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132,
- 38, 156, 251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121,
- 140, 254, 144, 196}
-
- algID := []byte{1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4}
-
- ptyUInfo := []byte{1, 2, 3, 4}
- ptyVInfo := []byte{4, 3, 2, 1}
-
- supPubInfo := []byte{}
- supPrivInfo := []byte{}
-
- out := make([]byte, total)
- reader := NewConcatKDF(crypto.SHA256, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo)
-
- b.ResetTimer()
- b.SetBytes(int64(total))
- for i := 0; i < b.N; i++ {
- _, _ = reader.Read(out)
- }
-}
-
-func BenchmarkConcatKDF_1k(b *testing.B) {
- benchmarkKDF(b, 1024)
-}
-
-func BenchmarkConcatKDF_64k(b *testing.B) {
- benchmarkKDF(b, 65536)
-}
-
-func BenchmarkConcatKDF_1MB(b *testing.B) {
- benchmarkKDF(b, 1048576)
-}
-
-func BenchmarkConcatKDF_64MB(b *testing.B) {
- benchmarkKDF(b, 67108864)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go b/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go
deleted file mode 100644
index c6a5a821..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es.go
+++ /dev/null
@@ -1,51 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "crypto"
- "crypto/ecdsa"
- "encoding/binary"
-)
-
-// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.
-func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {
- // algId, partyUInfo, partyVInfo inputs must be prefixed with the length
- algID := lengthPrefixed([]byte(alg))
- ptyUInfo := lengthPrefixed(apuData)
- ptyVInfo := lengthPrefixed(apvData)
-
- // suppPubInfo is the encoded length of the output size in bits
- supPubInfo := make([]byte, 4)
- binary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)
-
- z, _ := priv.PublicKey.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
- reader := NewConcatKDF(crypto.SHA256, z.Bytes(), algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})
-
- key := make([]byte, size)
-
- // Read on the KDF will never fail
- _, _ = reader.Read(key)
- return key
-}
-
-func lengthPrefixed(data []byte) []byte {
- out := make([]byte, len(data)+4)
- binary.BigEndian.PutUint32(out, uint32(len(data)))
- copy(out[4:], data)
- return out
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es_test.go b/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es_test.go
deleted file mode 100644
index f92abb17..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/ecdh_es_test.go
+++ /dev/null
@@ -1,98 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "bytes"
- "crypto/ecdsa"
- "crypto/elliptic"
- "encoding/base64"
- "math/big"
- "testing"
-)
-
-// Example keys from JWA, Appendix C
-var aliceKey = &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- Curve: elliptic.P256(),
- X: fromBase64Int("gI0GAILBdu7T53akrFmMyGcsF3n5dO7MmwNBHKW5SV0="),
- Y: fromBase64Int("SLW_xSffzlPWrHEVI30DHM_4egVwt3NQqeUD7nMFpps="),
- },
- D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="),
-}
-
-var bobKey = &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- Curve: elliptic.P256(),
- X: fromBase64Int("weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ="),
- Y: fromBase64Int("e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck="),
- },
- D: fromBase64Int("VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw="),
-}
-
-// Build big int from base64-encoded string. Strips whitespace (for testing).
-func fromBase64Int(data string) *big.Int {
- val, err := base64.URLEncoding.DecodeString(data)
- if err != nil {
- panic("Invalid test data")
- }
- return new(big.Int).SetBytes(val)
-}
-
-func TestVectorECDHES(t *testing.T) {
- apuData := []byte("Alice")
- apvData := []byte("Bob")
-
- expected := []byte{
- 86, 170, 141, 234, 248, 35, 109, 32, 92, 34, 40, 205, 113, 167, 16, 26}
-
- output := DeriveECDHES("A128GCM", apuData, apvData, bobKey, &aliceKey.PublicKey, 16)
-
- if bytes.Compare(output, expected) != 0 {
- t.Error("output did not match what we expect, got", output, "wanted", expected)
- }
-}
-
-func BenchmarkECDHES_128(b *testing.B) {
- apuData := []byte("APU")
- apvData := []byte("APV")
-
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- DeriveECDHES("ID", apuData, apvData, bobKey, &aliceKey.PublicKey, 16)
- }
-}
-
-func BenchmarkECDHES_192(b *testing.B) {
- apuData := []byte("APU")
- apvData := []byte("APV")
-
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- DeriveECDHES("ID", apuData, apvData, bobKey, &aliceKey.PublicKey, 24)
- }
-}
-
-func BenchmarkECDHES_256(b *testing.B) {
- apuData := []byte("APU")
- apvData := []byte("APV")
-
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- DeriveECDHES("ID", apuData, apvData, bobKey, &aliceKey.PublicKey, 32)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go b/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go
deleted file mode 100644
index 1d36d501..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap.go
+++ /dev/null
@@ -1,109 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "crypto/cipher"
- "crypto/subtle"
- "encoding/binary"
- "errors"
-)
-
-var defaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}
-
-// KeyWrap implements NIST key wrapping; it wraps a content encryption key (cek) with the given block cipher.
-func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
- if len(cek)%8 != 0 {
- return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
- }
-
- n := len(cek) / 8
- r := make([][]byte, n)
-
- for i := range r {
- r[i] = make([]byte, 8)
- copy(r[i], cek[i*8:])
- }
-
- buffer := make([]byte, 16)
- tBytes := make([]byte, 8)
- copy(buffer, defaultIV)
-
- for t := 0; t < 6*n; t++ {
- copy(buffer[8:], r[t%n])
-
- block.Encrypt(buffer, buffer)
-
- binary.BigEndian.PutUint64(tBytes, uint64(t+1))
-
- for i := 0; i < 8; i++ {
- buffer[i] = buffer[i] ^ tBytes[i]
- }
- copy(r[t%n], buffer[8:])
- }
-
- out := make([]byte, (n+1)*8)
- copy(out, buffer[:8])
- for i := range r {
- copy(out[(i+1)*8:], r[i])
- }
-
- return out, nil
-}
-
-// KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
-func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
- if len(ciphertext)%8 != 0 {
- return nil, errors.New("square/go-jose: key wrap input must be 8 byte blocks")
- }
-
- n := (len(ciphertext) / 8) - 1
- r := make([][]byte, n)
-
- for i := range r {
- r[i] = make([]byte, 8)
- copy(r[i], ciphertext[(i+1)*8:])
- }
-
- buffer := make([]byte, 16)
- tBytes := make([]byte, 8)
- copy(buffer[:8], ciphertext[:8])
-
- for t := 6*n - 1; t >= 0; t-- {
- binary.BigEndian.PutUint64(tBytes, uint64(t+1))
-
- for i := 0; i < 8; i++ {
- buffer[i] = buffer[i] ^ tBytes[i]
- }
- copy(buffer[8:], r[t%n])
-
- block.Decrypt(buffer, buffer)
-
- copy(r[t%n], buffer[8:])
- }
-
- if subtle.ConstantTimeCompare(buffer[:8], defaultIV) == 0 {
- return nil, errors.New("square/go-jose: failed to unwrap key")
- }
-
- out := make([]byte, n*8)
- for i := range r {
- copy(out[i*8:], r[i])
- }
-
- return out, nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap_test.go b/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap_test.go
deleted file mode 100644
index ceecf812..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/cipher/key_wrap_test.go
+++ /dev/null
@@ -1,133 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package josecipher
-
-import (
- "bytes"
- "crypto/aes"
- "encoding/hex"
- "testing"
-)
-
-func TestAesKeyWrap(t *testing.T) {
- // Test vectors from: http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
- kek0, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
- cek0, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
-
- expected0, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
-
- kek1, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F1011121314151617")
- cek1, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
-
- expected1, _ := hex.DecodeString("96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D")
-
- kek2, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F")
- cek2, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF0001020304050607")
-
- expected2, _ := hex.DecodeString("A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1")
-
- block0, _ := aes.NewCipher(kek0)
- block1, _ := aes.NewCipher(kek1)
- block2, _ := aes.NewCipher(kek2)
-
- out0, _ := KeyWrap(block0, cek0)
- out1, _ := KeyWrap(block1, cek1)
- out2, _ := KeyWrap(block2, cek2)
-
- if bytes.Compare(out0, expected0) != 0 {
- t.Error("output 0 not as expected, got", out0, "wanted", expected0)
- }
-
- if bytes.Compare(out1, expected1) != 0 {
- t.Error("output 1 not as expected, got", out1, "wanted", expected1)
- }
-
- if bytes.Compare(out2, expected2) != 0 {
- t.Error("output 2 not as expected, got", out2, "wanted", expected2)
- }
-
- unwrap0, _ := KeyUnwrap(block0, out0)
- unwrap1, _ := KeyUnwrap(block1, out1)
- unwrap2, _ := KeyUnwrap(block2, out2)
-
- if bytes.Compare(unwrap0, cek0) != 0 {
- t.Error("key unwrap did not return original input, got", unwrap0, "wanted", cek0)
- }
-
- if bytes.Compare(unwrap1, cek1) != 0 {
- t.Error("key unwrap did not return original input, got", unwrap1, "wanted", cek1)
- }
-
- if bytes.Compare(unwrap2, cek2) != 0 {
- t.Error("key unwrap did not return original input, got", unwrap2, "wanted", cek2)
- }
-}
-
-func TestAesKeyWrapInvalid(t *testing.T) {
- kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
-
- // Invalid unwrap input (bit flipped)
- input0, _ := hex.DecodeString("1EA68C1A8112B447AEF34BD8FB5A7B828D3E862371D2CFE5")
-
- block, _ := aes.NewCipher(kek)
-
- _, err := KeyUnwrap(block, input0)
- if err == nil {
- t.Error("key unwrap failed to detect invalid input")
- }
-
- // Invalid unwrap input (truncated)
- input1, _ := hex.DecodeString("1EA68C1A8112B447AEF34BD8FB5A7B828D3E862371D2CF")
-
- _, err = KeyUnwrap(block, input1)
- if err == nil {
- t.Error("key unwrap failed to detect truncated input")
- }
-
- // Invalid wrap input (not multiple of 8)
- input2, _ := hex.DecodeString("0123456789ABCD")
-
- _, err = KeyWrap(block, input2)
- if err == nil {
- t.Error("key wrap accepted invalid input")
- }
-
-}
-
-func BenchmarkAesKeyWrap(b *testing.B) {
- kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
- key, _ := hex.DecodeString("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")
-
- block, _ := aes.NewCipher(kek)
-
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- KeyWrap(block, key)
- }
-}
-
-func BenchmarkAesKeyUnwrap(b *testing.B) {
- kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
- input, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
-
- block, _ := aes.NewCipher(kek)
-
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- KeyUnwrap(block, input)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/crypter.go b/vendor/gopkg.in/square/go-jose.v1/crypter.go
deleted file mode 100644
index f61af2c0..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/crypter.go
+++ /dev/null
@@ -1,349 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/ecdsa"
- "crypto/rsa"
- "fmt"
- "reflect"
-)
-
-// Encrypter represents an encrypter which produces an encrypted JWE object.
-type Encrypter interface {
- Encrypt(plaintext []byte) (*JsonWebEncryption, error)
- EncryptWithAuthData(plaintext []byte, aad []byte) (*JsonWebEncryption, error)
- SetCompression(alg CompressionAlgorithm)
-}
-
-// MultiEncrypter represents an encrypter which supports multiple recipients.
-type MultiEncrypter interface {
- Encrypt(plaintext []byte) (*JsonWebEncryption, error)
- EncryptWithAuthData(plaintext []byte, aad []byte) (*JsonWebEncryption, error)
- SetCompression(alg CompressionAlgorithm)
- AddRecipient(alg KeyAlgorithm, encryptionKey interface{}) error
-}
-
-// A generic content cipher
-type contentCipher interface {
- keySize() int
- encrypt(cek []byte, aad, plaintext []byte) (*aeadParts, error)
- decrypt(cek []byte, aad []byte, parts *aeadParts) ([]byte, error)
-}
-
-// A key generator (for generating/getting a CEK)
-type keyGenerator interface {
- keySize() int
- genKey() ([]byte, rawHeader, error)
-}
-
-// A generic key encrypter
-type keyEncrypter interface {
- encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) // Encrypt a key
-}
-
-// A generic key decrypter
-type keyDecrypter interface {
- decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) // Decrypt a key
-}
-
-// A generic encrypter based on the given key encrypter and content cipher.
-type genericEncrypter struct {
- contentAlg ContentEncryption
- compressionAlg CompressionAlgorithm
- cipher contentCipher
- recipients []recipientKeyInfo
- keyGenerator keyGenerator
-}
-
-type recipientKeyInfo struct {
- keyID string
- keyAlg KeyAlgorithm
- keyEncrypter keyEncrypter
-}
-
-// SetCompression sets a compression algorithm to be applied before encryption.
-func (ctx *genericEncrypter) SetCompression(compressionAlg CompressionAlgorithm) {
- ctx.compressionAlg = compressionAlg
-}
-
-// NewEncrypter creates an appropriate encrypter based on the key type
-func NewEncrypter(alg KeyAlgorithm, enc ContentEncryption, encryptionKey interface{}) (Encrypter, error) {
- encrypter := &genericEncrypter{
- contentAlg: enc,
- compressionAlg: NONE,
- recipients: []recipientKeyInfo{},
- cipher: getContentCipher(enc),
- }
-
- if encrypter.cipher == nil {
- return nil, ErrUnsupportedAlgorithm
- }
-
- var keyID string
- var rawKey interface{}
- switch encryptionKey := encryptionKey.(type) {
- case *JsonWebKey:
- keyID = encryptionKey.KeyID
- rawKey = encryptionKey.Key
- default:
- rawKey = encryptionKey
- }
-
- switch alg {
- case DIRECT:
- // Direct encryption mode must be treated differently
- if reflect.TypeOf(rawKey) != reflect.TypeOf([]byte{}) {
- return nil, ErrUnsupportedKeyType
- }
- encrypter.keyGenerator = staticKeyGenerator{
- key: rawKey.([]byte),
- }
- recipient, _ := newSymmetricRecipient(alg, rawKey.([]byte))
- if keyID != "" {
- recipient.keyID = keyID
- }
- encrypter.recipients = []recipientKeyInfo{recipient}
- return encrypter, nil
- case ECDH_ES:
- // ECDH-ES (w/o key wrapping) is similar to DIRECT mode
- typeOf := reflect.TypeOf(rawKey)
- if typeOf != reflect.TypeOf(&ecdsa.PublicKey{}) {
- return nil, ErrUnsupportedKeyType
- }
- encrypter.keyGenerator = ecKeyGenerator{
- size: encrypter.cipher.keySize(),
- algID: string(enc),
- publicKey: rawKey.(*ecdsa.PublicKey),
- }
- recipient, _ := newECDHRecipient(alg, rawKey.(*ecdsa.PublicKey))
- if keyID != "" {
- recipient.keyID = keyID
- }
- encrypter.recipients = []recipientKeyInfo{recipient}
- return encrypter, nil
- default:
- // Can just add a standard recipient
- encrypter.keyGenerator = randomKeyGenerator{
- size: encrypter.cipher.keySize(),
- }
- err := encrypter.AddRecipient(alg, encryptionKey)
- return encrypter, err
- }
-}
-
-// NewMultiEncrypter creates a multi-encrypter based on the given parameters
-func NewMultiEncrypter(enc ContentEncryption) (MultiEncrypter, error) {
- cipher := getContentCipher(enc)
-
- if cipher == nil {
- return nil, ErrUnsupportedAlgorithm
- }
-
- encrypter := &genericEncrypter{
- contentAlg: enc,
- compressionAlg: NONE,
- recipients: []recipientKeyInfo{},
- cipher: cipher,
- keyGenerator: randomKeyGenerator{
- size: cipher.keySize(),
- },
- }
-
- return encrypter, nil
-}
-
-func (ctx *genericEncrypter) AddRecipient(alg KeyAlgorithm, encryptionKey interface{}) (err error) {
- var recipient recipientKeyInfo
-
- switch alg {
- case DIRECT, ECDH_ES:
- return fmt.Errorf("square/go-jose: key algorithm '%s' not supported in multi-recipient mode", alg)
- }
-
- recipient, err = makeJWERecipient(alg, encryptionKey)
-
- if err == nil {
- ctx.recipients = append(ctx.recipients, recipient)
- }
- return err
-}
-
-func makeJWERecipient(alg KeyAlgorithm, encryptionKey interface{}) (recipientKeyInfo, error) {
- switch encryptionKey := encryptionKey.(type) {
- case *rsa.PublicKey:
- return newRSARecipient(alg, encryptionKey)
- case *ecdsa.PublicKey:
- return newECDHRecipient(alg, encryptionKey)
- case []byte:
- return newSymmetricRecipient(alg, encryptionKey)
- case *JsonWebKey:
- recipient, err := makeJWERecipient(alg, encryptionKey.Key)
- if err == nil && encryptionKey.KeyID != "" {
- recipient.keyID = encryptionKey.KeyID
- }
- return recipient, err
- default:
- return recipientKeyInfo{}, ErrUnsupportedKeyType
- }
-}
-
-// newDecrypter creates an appropriate decrypter based on the key type
-func newDecrypter(decryptionKey interface{}) (keyDecrypter, error) {
- switch decryptionKey := decryptionKey.(type) {
- case *rsa.PrivateKey:
- return &rsaDecrypterSigner{
- privateKey: decryptionKey,
- }, nil
- case *ecdsa.PrivateKey:
- return &ecDecrypterSigner{
- privateKey: decryptionKey,
- }, nil
- case []byte:
- return &symmetricKeyCipher{
- key: decryptionKey,
- }, nil
- case *JsonWebKey:
- return newDecrypter(decryptionKey.Key)
- default:
- return nil, ErrUnsupportedKeyType
- }
-}
-
-// Implementation of encrypt method producing a JWE object.
-func (ctx *genericEncrypter) Encrypt(plaintext []byte) (*JsonWebEncryption, error) {
- return ctx.EncryptWithAuthData(plaintext, nil)
-}
-
-// Implementation of encrypt method producing a JWE object.
-func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JsonWebEncryption, error) {
- obj := &JsonWebEncryption{}
- obj.aad = aad
-
- obj.protected = &rawHeader{
- Enc: ctx.contentAlg,
- }
- obj.recipients = make([]recipientInfo, len(ctx.recipients))
-
- if len(ctx.recipients) == 0 {
- return nil, fmt.Errorf("square/go-jose: no recipients to encrypt to")
- }
-
- cek, headers, err := ctx.keyGenerator.genKey()
- if err != nil {
- return nil, err
- }
-
- obj.protected.merge(&headers)
-
- for i, info := range ctx.recipients {
- recipient, err := info.keyEncrypter.encryptKey(cek, info.keyAlg)
- if err != nil {
- return nil, err
- }
-
- recipient.header.Alg = string(info.keyAlg)
- if info.keyID != "" {
- recipient.header.Kid = info.keyID
- }
- obj.recipients[i] = recipient
- }
-
- if len(ctx.recipients) == 1 {
- // Move per-recipient headers into main protected header if there's
- // only a single recipient.
- obj.protected.merge(obj.recipients[0].header)
- obj.recipients[0].header = nil
- }
-
- if ctx.compressionAlg != NONE {
- plaintext, err = compress(ctx.compressionAlg, plaintext)
- if err != nil {
- return nil, err
- }
-
- obj.protected.Zip = ctx.compressionAlg
- }
-
- authData := obj.computeAuthData()
- parts, err := ctx.cipher.encrypt(cek, authData, plaintext)
- if err != nil {
- return nil, err
- }
-
- obj.iv = parts.iv
- obj.ciphertext = parts.ciphertext
- obj.tag = parts.tag
-
- return obj, nil
-}
-
-// Decrypt and validate the object and return the plaintext.
-func (obj JsonWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
- headers := obj.mergedHeaders(nil)
-
- if len(headers.Crit) > 0 {
- return nil, fmt.Errorf("square/go-jose: unsupported crit header")
- }
-
- decrypter, err := newDecrypter(decryptionKey)
- if err != nil {
- return nil, err
- }
-
- cipher := getContentCipher(headers.Enc)
- if cipher == nil {
- return nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(headers.Enc))
- }
-
- generator := randomKeyGenerator{
- size: cipher.keySize(),
- }
-
- parts := &aeadParts{
- iv: obj.iv,
- ciphertext: obj.ciphertext,
- tag: obj.tag,
- }
-
- authData := obj.computeAuthData()
-
- var plaintext []byte
- for _, recipient := range obj.recipients {
- recipientHeaders := obj.mergedHeaders(&recipient)
-
- cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
- if err == nil {
- // Found a valid CEK -- let's try to decrypt.
- plaintext, err = cipher.decrypt(cek, authData, parts)
- if err == nil {
- break
- }
- }
- }
-
- if plaintext == nil {
- return nil, ErrCryptoFailure
- }
-
- // The "zip" header paramter may only be present in the protected header.
- if obj.protected.Zip != "" {
- plaintext, err = decompress(obj.protected.Zip, plaintext)
- }
-
- return plaintext, err
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/crypter_test.go b/vendor/gopkg.in/square/go-jose.v1/crypter_test.go
deleted file mode 100644
index 86b8fc0a..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/crypter_test.go
+++ /dev/null
@@ -1,784 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- "fmt"
- "io"
- "testing"
-)
-
-// We generate only a single RSA and EC key for testing, speeds up tests.
-var rsaTestKey, _ = rsa.GenerateKey(rand.Reader, 2048)
-
-var ecTestKey256, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-var ecTestKey384, _ = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
-var ecTestKey521, _ = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
-
-func RoundtripJWE(keyAlg KeyAlgorithm, encAlg ContentEncryption, compressionAlg CompressionAlgorithm, serializer func(*JsonWebEncryption) (string, error), corrupter func(*JsonWebEncryption) bool, aad []byte, encryptionKey interface{}, decryptionKey interface{}) error {
- enc, err := NewEncrypter(keyAlg, encAlg, encryptionKey)
- if err != nil {
- return fmt.Errorf("error on new encrypter: %s", err)
- }
-
- enc.SetCompression(compressionAlg)
-
- input := []byte("Lorem ipsum dolor sit amet")
- obj, err := enc.EncryptWithAuthData(input, aad)
- if err != nil {
- return fmt.Errorf("error in encrypt: %s", err)
- }
-
- msg, err := serializer(obj)
- if err != nil {
- return fmt.Errorf("error in serializer: %s", err)
- }
-
- parsed, err := ParseEncrypted(msg)
- if err != nil {
- return fmt.Errorf("error in parse: %s, on msg '%s'", err, msg)
- }
-
- // (Maybe) mangle object
- skip := corrupter(parsed)
- if skip {
- return fmt.Errorf("corrupter indicated message should be skipped")
- }
-
- if bytes.Compare(parsed.GetAuthData(), aad) != 0 {
- return fmt.Errorf("auth data in parsed object does not match")
- }
-
- output, err := parsed.Decrypt(decryptionKey)
- if err != nil {
- return fmt.Errorf("error on decrypt: %s", err)
- }
-
- if bytes.Compare(input, output) != 0 {
- return fmt.Errorf("Decrypted output does not match input, got '%s' but wanted '%s'", output, input)
- }
-
- return nil
-}
-
-func TestRoundtripsJWE(t *testing.T) {
- // Test matrix
- keyAlgs := []KeyAlgorithm{
- DIRECT, ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW, A128KW, A192KW, A256KW,
- RSA1_5, RSA_OAEP, RSA_OAEP_256, A128GCMKW, A192GCMKW, A256GCMKW}
- encAlgs := []ContentEncryption{A128GCM, A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384, A256CBC_HS512}
- zipAlgs := []CompressionAlgorithm{NONE, DEFLATE}
-
- serializers := []func(*JsonWebEncryption) (string, error){
- func(obj *JsonWebEncryption) (string, error) { return obj.CompactSerialize() },
- func(obj *JsonWebEncryption) (string, error) { return obj.FullSerialize(), nil },
- }
-
- corrupter := func(obj *JsonWebEncryption) bool { return false }
-
- // Note: can't use AAD with compact serialization
- aads := [][]byte{
- nil,
- []byte("Ut enim ad minim veniam"),
- }
-
- // Test all different configurations
- for _, alg := range keyAlgs {
- for _, enc := range encAlgs {
- for _, key := range generateTestKeys(alg, enc) {
- for _, zip := range zipAlgs {
- for i, serializer := range serializers {
- err := RoundtripJWE(alg, enc, zip, serializer, corrupter, aads[i], key.enc, key.dec)
- if err != nil {
- t.Error(err, alg, enc, zip, i)
- }
- }
- }
- }
- }
- }
-}
-
-func TestRoundtripsJWECorrupted(t *testing.T) {
- // Test matrix
- keyAlgs := []KeyAlgorithm{DIRECT, ECDH_ES, ECDH_ES_A128KW, A128KW, RSA1_5, RSA_OAEP, RSA_OAEP_256, A128GCMKW}
- encAlgs := []ContentEncryption{A128GCM, A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384, A256CBC_HS512}
- zipAlgs := []CompressionAlgorithm{NONE, DEFLATE}
-
- serializers := []func(*JsonWebEncryption) (string, error){
- func(obj *JsonWebEncryption) (string, error) { return obj.CompactSerialize() },
- func(obj *JsonWebEncryption) (string, error) { return obj.FullSerialize(), nil },
- }
-
- bitflip := func(slice []byte) bool {
- if len(slice) > 0 {
- slice[0] ^= 0xFF
- return false
- }
- return true
- }
-
- corrupters := []func(*JsonWebEncryption) bool{
- func(obj *JsonWebEncryption) bool {
- // Set invalid ciphertext
- return bitflip(obj.ciphertext)
- },
- func(obj *JsonWebEncryption) bool {
- // Set invalid auth tag
- return bitflip(obj.tag)
- },
- func(obj *JsonWebEncryption) bool {
- // Set invalid AAD
- return bitflip(obj.aad)
- },
- func(obj *JsonWebEncryption) bool {
- // Mess with encrypted key
- return bitflip(obj.recipients[0].encryptedKey)
- },
- func(obj *JsonWebEncryption) bool {
- // Mess with GCM-KW auth tag
- return bitflip(obj.protected.Tag.bytes())
- },
- }
-
- // Note: can't use AAD with compact serialization
- aads := [][]byte{
- nil,
- []byte("Ut enim ad minim veniam"),
- }
-
- // Test all different configurations
- for _, alg := range keyAlgs {
- for _, enc := range encAlgs {
- for _, key := range generateTestKeys(alg, enc) {
- for _, zip := range zipAlgs {
- for i, serializer := range serializers {
- for j, corrupter := range corrupters {
- err := RoundtripJWE(alg, enc, zip, serializer, corrupter, aads[i], key.enc, key.dec)
- if err == nil {
- t.Error("failed to detect corrupt data", err, alg, enc, zip, i, j)
- }
- }
- }
- }
- }
- }
- }
-}
-
-func TestEncrypterWithJWKAndKeyID(t *testing.T) {
- enc, err := NewEncrypter(A128KW, A128GCM, &JsonWebKey{
- KeyID: "test-id",
- Key: []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
- })
- if err != nil {
- t.Error(err)
- }
-
- ciphertext, _ := enc.Encrypt([]byte("Lorem ipsum dolor sit amet"))
-
- serialized1, _ := ciphertext.CompactSerialize()
- serialized2 := ciphertext.FullSerialize()
-
- parsed1, _ := ParseEncrypted(serialized1)
- parsed2, _ := ParseEncrypted(serialized2)
-
- if parsed1.Header.KeyID != "test-id" {
- t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed1.Header.KeyID)
- }
- if parsed2.Header.KeyID != "test-id" {
- t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed2.Header.KeyID)
- }
-}
-
-func TestEncrypterWithBrokenRand(t *testing.T) {
- keyAlgs := []KeyAlgorithm{ECDH_ES_A128KW, A128KW, RSA1_5, RSA_OAEP, RSA_OAEP_256, A128GCMKW}
- encAlgs := []ContentEncryption{A128GCM, A192GCM, A256GCM, A128CBC_HS256, A192CBC_HS384, A256CBC_HS512}
-
- serializer := func(obj *JsonWebEncryption) (string, error) { return obj.CompactSerialize() }
- corrupter := func(obj *JsonWebEncryption) bool { return false }
-
- // Break rand reader
- readers := []func() io.Reader{
- // Totally broken
- func() io.Reader { return bytes.NewReader([]byte{}) },
- // Not enough bytes
- func() io.Reader { return io.LimitReader(rand.Reader, 20) },
- }
-
- defer resetRandReader()
-
- for _, alg := range keyAlgs {
- for _, enc := range encAlgs {
- for _, key := range generateTestKeys(alg, enc) {
- for i, getReader := range readers {
- randReader = getReader()
- err := RoundtripJWE(alg, enc, NONE, serializer, corrupter, nil, key.enc, key.dec)
- if err == nil {
- t.Error("encrypter should fail if rand is broken", i)
- }
- }
- }
- }
- }
-}
-
-func TestNewEncrypterErrors(t *testing.T) {
- _, err := NewEncrypter("XYZ", "XYZ", nil)
- if err == nil {
- t.Error("was able to instantiate encrypter with invalid cipher")
- }
-
- _, err = NewMultiEncrypter("XYZ")
- if err == nil {
- t.Error("was able to instantiate multi-encrypter with invalid cipher")
- }
-
- _, err = NewEncrypter(DIRECT, A128GCM, nil)
- if err == nil {
- t.Error("was able to instantiate encrypter with invalid direct key")
- }
-
- _, err = NewEncrypter(ECDH_ES, A128GCM, nil)
- if err == nil {
- t.Error("was able to instantiate encrypter with invalid EC key")
- }
-}
-
-func TestMultiRecipientJWE(t *testing.T) {
- enc, err := NewMultiEncrypter(A128GCM)
- if err != nil {
- panic(err)
- }
-
- err = enc.AddRecipient(RSA_OAEP, &rsaTestKey.PublicKey)
- if err != nil {
- t.Error("error when adding RSA recipient", err)
- }
-
- sharedKey := []byte{
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- }
-
- err = enc.AddRecipient(A256GCMKW, sharedKey)
- if err != nil {
- t.Error("error when adding AES recipient: ", err)
- return
- }
-
- input := []byte("Lorem ipsum dolor sit amet")
- obj, err := enc.Encrypt(input)
- if err != nil {
- t.Error("error in encrypt: ", err)
- return
- }
-
- msg := obj.FullSerialize()
-
- parsed, err := ParseEncrypted(msg)
- if err != nil {
- t.Error("error in parse: ", err)
- return
- }
-
- output, err := parsed.Decrypt(rsaTestKey)
- if err != nil {
- t.Error("error on decrypt with RSA: ", err)
- return
- }
-
- if bytes.Compare(input, output) != 0 {
- t.Error("Decrypted output does not match input: ", output, input)
- return
- }
-
- output, err = parsed.Decrypt(sharedKey)
- if err != nil {
- t.Error("error on decrypt with AES: ", err)
- return
- }
-
- if bytes.Compare(input, output) != 0 {
- t.Error("Decrypted output does not match input", output, input)
- return
- }
-}
-
-func TestMultiRecipientErrors(t *testing.T) {
- enc, err := NewMultiEncrypter(A128GCM)
- if err != nil {
- panic(err)
- }
-
- input := []byte("Lorem ipsum dolor sit amet")
- _, err = enc.Encrypt(input)
- if err == nil {
- t.Error("should fail when encrypting to zero recipients")
- }
-
- err = enc.AddRecipient(DIRECT, nil)
- if err == nil {
- t.Error("should reject DIRECT mode when encrypting to multiple recipients")
- }
-
- err = enc.AddRecipient(ECDH_ES, nil)
- if err == nil {
- t.Error("should reject ECDH_ES mode when encrypting to multiple recipients")
- }
-
- err = enc.AddRecipient(RSA1_5, nil)
- if err == nil {
- t.Error("should reject invalid recipient key")
- }
-}
-
-type testKey struct {
- enc, dec interface{}
-}
-
-func symmetricTestKey(size int) []testKey {
- key, _, _ := randomKeyGenerator{size: size}.genKey()
-
- return []testKey{
- testKey{
- enc: key,
- dec: key,
- },
- testKey{
- enc: &JsonWebKey{KeyID: "test", Key: key},
- dec: &JsonWebKey{KeyID: "test", Key: key},
- },
- }
-}
-
-func generateTestKeys(keyAlg KeyAlgorithm, encAlg ContentEncryption) []testKey {
- switch keyAlg {
- case DIRECT:
- return symmetricTestKey(getContentCipher(encAlg).keySize())
- case ECDH_ES, ECDH_ES_A128KW, ECDH_ES_A192KW, ECDH_ES_A256KW:
- return []testKey{
- testKey{
- dec: ecTestKey256,
- enc: &ecTestKey256.PublicKey,
- },
- testKey{
- dec: ecTestKey384,
- enc: &ecTestKey384.PublicKey,
- },
- testKey{
- dec: ecTestKey521,
- enc: &ecTestKey521.PublicKey,
- },
- testKey{
- dec: &JsonWebKey{KeyID: "test", Key: ecTestKey256},
- enc: &JsonWebKey{KeyID: "test", Key: &ecTestKey256.PublicKey},
- },
- }
- case A128GCMKW, A128KW:
- return symmetricTestKey(16)
- case A192GCMKW, A192KW:
- return symmetricTestKey(24)
- case A256GCMKW, A256KW:
- return symmetricTestKey(32)
- case RSA1_5, RSA_OAEP, RSA_OAEP_256:
- return []testKey{testKey{
- dec: rsaTestKey,
- enc: &rsaTestKey.PublicKey,
- }}
- }
-
- panic("Must update test case")
-}
-
-func RunRoundtripsJWE(b *testing.B, alg KeyAlgorithm, enc ContentEncryption, zip CompressionAlgorithm, priv, pub interface{}) {
- serializer := func(obj *JsonWebEncryption) (string, error) {
- return obj.CompactSerialize()
- }
-
- corrupter := func(obj *JsonWebEncryption) bool { return false }
-
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- err := RoundtripJWE(alg, enc, zip, serializer, corrupter, nil, pub, priv)
- if err != nil {
- b.Error(err)
- }
- }
-}
-
-var (
- chunks = map[string][]byte{
- "1B": make([]byte, 1),
- "64B": make([]byte, 64),
- "1KB": make([]byte, 1024),
- "64KB": make([]byte, 65536),
- "1MB": make([]byte, 1048576),
- "64MB": make([]byte, 67108864),
- }
-
- symKey, _, _ = randomKeyGenerator{size: 32}.genKey()
-
- encrypters = map[string]Encrypter{
- "OAEPAndGCM": mustEncrypter(RSA_OAEP, A128GCM, &rsaTestKey.PublicKey),
- "PKCSAndGCM": mustEncrypter(RSA1_5, A128GCM, &rsaTestKey.PublicKey),
- "OAEPAndCBC": mustEncrypter(RSA_OAEP, A128CBC_HS256, &rsaTestKey.PublicKey),
- "PKCSAndCBC": mustEncrypter(RSA1_5, A128CBC_HS256, &rsaTestKey.PublicKey),
- "DirectGCM128": mustEncrypter(DIRECT, A128GCM, symKey),
- "DirectCBC128": mustEncrypter(DIRECT, A128CBC_HS256, symKey),
- "DirectGCM256": mustEncrypter(DIRECT, A256GCM, symKey),
- "DirectCBC256": mustEncrypter(DIRECT, A256CBC_HS512, symKey),
- "AESKWAndGCM128": mustEncrypter(A128KW, A128GCM, symKey),
- "AESKWAndCBC256": mustEncrypter(A256KW, A256GCM, symKey),
- "ECDHOnP256AndGCM128": mustEncrypter(ECDH_ES, A128GCM, &ecTestKey256.PublicKey),
- "ECDHOnP384AndGCM128": mustEncrypter(ECDH_ES, A128GCM, &ecTestKey384.PublicKey),
- "ECDHOnP521AndGCM128": mustEncrypter(ECDH_ES, A128GCM, &ecTestKey521.PublicKey),
- }
-)
-
-func BenchmarkEncrypt1BWithOAEPAndGCM(b *testing.B) { benchEncrypt("1B", "OAEPAndGCM", b) }
-func BenchmarkEncrypt64BWithOAEPAndGCM(b *testing.B) { benchEncrypt("64B", "OAEPAndGCM", b) }
-func BenchmarkEncrypt1KBWithOAEPAndGCM(b *testing.B) { benchEncrypt("1KB", "OAEPAndGCM", b) }
-func BenchmarkEncrypt64KBWithOAEPAndGCM(b *testing.B) { benchEncrypt("64KB", "OAEPAndGCM", b) }
-func BenchmarkEncrypt1MBWithOAEPAndGCM(b *testing.B) { benchEncrypt("1MB", "OAEPAndGCM", b) }
-func BenchmarkEncrypt64MBWithOAEPAndGCM(b *testing.B) { benchEncrypt("64MB", "OAEPAndGCM", b) }
-
-func BenchmarkEncrypt1BWithPKCSAndGCM(b *testing.B) { benchEncrypt("1B", "PKCSAndGCM", b) }
-func BenchmarkEncrypt64BWithPKCSAndGCM(b *testing.B) { benchEncrypt("64B", "PKCSAndGCM", b) }
-func BenchmarkEncrypt1KBWithPKCSAndGCM(b *testing.B) { benchEncrypt("1KB", "PKCSAndGCM", b) }
-func BenchmarkEncrypt64KBWithPKCSAndGCM(b *testing.B) { benchEncrypt("64KB", "PKCSAndGCM", b) }
-func BenchmarkEncrypt1MBWithPKCSAndGCM(b *testing.B) { benchEncrypt("1MB", "PKCSAndGCM", b) }
-func BenchmarkEncrypt64MBWithPKCSAndGCM(b *testing.B) { benchEncrypt("64MB", "PKCSAndGCM", b) }
-
-func BenchmarkEncrypt1BWithOAEPAndCBC(b *testing.B) { benchEncrypt("1B", "OAEPAndCBC", b) }
-func BenchmarkEncrypt64BWithOAEPAndCBC(b *testing.B) { benchEncrypt("64B", "OAEPAndCBC", b) }
-func BenchmarkEncrypt1KBWithOAEPAndCBC(b *testing.B) { benchEncrypt("1KB", "OAEPAndCBC", b) }
-func BenchmarkEncrypt64KBWithOAEPAndCBC(b *testing.B) { benchEncrypt("64KB", "OAEPAndCBC", b) }
-func BenchmarkEncrypt1MBWithOAEPAndCBC(b *testing.B) { benchEncrypt("1MB", "OAEPAndCBC", b) }
-func BenchmarkEncrypt64MBWithOAEPAndCBC(b *testing.B) { benchEncrypt("64MB", "OAEPAndCBC", b) }
-
-func BenchmarkEncrypt1BWithPKCSAndCBC(b *testing.B) { benchEncrypt("1B", "PKCSAndCBC", b) }
-func BenchmarkEncrypt64BWithPKCSAndCBC(b *testing.B) { benchEncrypt("64B", "PKCSAndCBC", b) }
-func BenchmarkEncrypt1KBWithPKCSAndCBC(b *testing.B) { benchEncrypt("1KB", "PKCSAndCBC", b) }
-func BenchmarkEncrypt64KBWithPKCSAndCBC(b *testing.B) { benchEncrypt("64KB", "PKCSAndCBC", b) }
-func BenchmarkEncrypt1MBWithPKCSAndCBC(b *testing.B) { benchEncrypt("1MB", "PKCSAndCBC", b) }
-func BenchmarkEncrypt64MBWithPKCSAndCBC(b *testing.B) { benchEncrypt("64MB", "PKCSAndCBC", b) }
-
-func BenchmarkEncrypt1BWithDirectGCM128(b *testing.B) { benchEncrypt("1B", "DirectGCM128", b) }
-func BenchmarkEncrypt64BWithDirectGCM128(b *testing.B) { benchEncrypt("64B", "DirectGCM128", b) }
-func BenchmarkEncrypt1KBWithDirectGCM128(b *testing.B) { benchEncrypt("1KB", "DirectGCM128", b) }
-func BenchmarkEncrypt64KBWithDirectGCM128(b *testing.B) { benchEncrypt("64KB", "DirectGCM128", b) }
-func BenchmarkEncrypt1MBWithDirectGCM128(b *testing.B) { benchEncrypt("1MB", "DirectGCM128", b) }
-func BenchmarkEncrypt64MBWithDirectGCM128(b *testing.B) { benchEncrypt("64MB", "DirectGCM128", b) }
-
-func BenchmarkEncrypt1BWithDirectCBC128(b *testing.B) { benchEncrypt("1B", "DirectCBC128", b) }
-func BenchmarkEncrypt64BWithDirectCBC128(b *testing.B) { benchEncrypt("64B", "DirectCBC128", b) }
-func BenchmarkEncrypt1KBWithDirectCBC128(b *testing.B) { benchEncrypt("1KB", "DirectCBC128", b) }
-func BenchmarkEncrypt64KBWithDirectCBC128(b *testing.B) { benchEncrypt("64KB", "DirectCBC128", b) }
-func BenchmarkEncrypt1MBWithDirectCBC128(b *testing.B) { benchEncrypt("1MB", "DirectCBC128", b) }
-func BenchmarkEncrypt64MBWithDirectCBC128(b *testing.B) { benchEncrypt("64MB", "DirectCBC128", b) }
-
-func BenchmarkEncrypt1BWithDirectGCM256(b *testing.B) { benchEncrypt("1B", "DirectGCM256", b) }
-func BenchmarkEncrypt64BWithDirectGCM256(b *testing.B) { benchEncrypt("64B", "DirectGCM256", b) }
-func BenchmarkEncrypt1KBWithDirectGCM256(b *testing.B) { benchEncrypt("1KB", "DirectGCM256", b) }
-func BenchmarkEncrypt64KBWithDirectGCM256(b *testing.B) { benchEncrypt("64KB", "DirectGCM256", b) }
-func BenchmarkEncrypt1MBWithDirectGCM256(b *testing.B) { benchEncrypt("1MB", "DirectGCM256", b) }
-func BenchmarkEncrypt64MBWithDirectGCM256(b *testing.B) { benchEncrypt("64MB", "DirectGCM256", b) }
-
-func BenchmarkEncrypt1BWithDirectCBC256(b *testing.B) { benchEncrypt("1B", "DirectCBC256", b) }
-func BenchmarkEncrypt64BWithDirectCBC256(b *testing.B) { benchEncrypt("64B", "DirectCBC256", b) }
-func BenchmarkEncrypt1KBWithDirectCBC256(b *testing.B) { benchEncrypt("1KB", "DirectCBC256", b) }
-func BenchmarkEncrypt64KBWithDirectCBC256(b *testing.B) { benchEncrypt("64KB", "DirectCBC256", b) }
-func BenchmarkEncrypt1MBWithDirectCBC256(b *testing.B) { benchEncrypt("1MB", "DirectCBC256", b) }
-func BenchmarkEncrypt64MBWithDirectCBC256(b *testing.B) { benchEncrypt("64MB", "DirectCBC256", b) }
-
-func BenchmarkEncrypt1BWithAESKWAndGCM128(b *testing.B) { benchEncrypt("1B", "AESKWAndGCM128", b) }
-func BenchmarkEncrypt64BWithAESKWAndGCM128(b *testing.B) { benchEncrypt("64B", "AESKWAndGCM128", b) }
-func BenchmarkEncrypt1KBWithAESKWAndGCM128(b *testing.B) { benchEncrypt("1KB", "AESKWAndGCM128", b) }
-func BenchmarkEncrypt64KBWithAESKWAndGCM128(b *testing.B) { benchEncrypt("64KB", "AESKWAndGCM128", b) }
-func BenchmarkEncrypt1MBWithAESKWAndGCM128(b *testing.B) { benchEncrypt("1MB", "AESKWAndGCM128", b) }
-func BenchmarkEncrypt64MBWithAESKWAndGCM128(b *testing.B) { benchEncrypt("64MB", "AESKWAndGCM128", b) }
-
-func BenchmarkEncrypt1BWithAESKWAndCBC256(b *testing.B) { benchEncrypt("1B", "AESKWAndCBC256", b) }
-func BenchmarkEncrypt64BWithAESKWAndCBC256(b *testing.B) { benchEncrypt("64B", "AESKWAndCBC256", b) }
-func BenchmarkEncrypt1KBWithAESKWAndCBC256(b *testing.B) { benchEncrypt("1KB", "AESKWAndCBC256", b) }
-func BenchmarkEncrypt64KBWithAESKWAndCBC256(b *testing.B) { benchEncrypt("64KB", "AESKWAndCBC256", b) }
-func BenchmarkEncrypt1MBWithAESKWAndCBC256(b *testing.B) { benchEncrypt("1MB", "AESKWAndCBC256", b) }
-func BenchmarkEncrypt64MBWithAESKWAndCBC256(b *testing.B) { benchEncrypt("64MB", "AESKWAndCBC256", b) }
-
-func BenchmarkEncrypt1BWithECDHOnP256AndGCM128(b *testing.B) {
- benchEncrypt("1B", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkEncrypt64BWithECDHOnP256AndGCM128(b *testing.B) {
- benchEncrypt("64B", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkEncrypt1KBWithECDHOnP256AndGCM128(b *testing.B) {
- benchEncrypt("1KB", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkEncrypt64KBWithECDHOnP256AndGCM128(b *testing.B) {
- benchEncrypt("64KB", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkEncrypt1MBWithECDHOnP256AndGCM128(b *testing.B) {
- benchEncrypt("1MB", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkEncrypt64MBWithECDHOnP256AndGCM128(b *testing.B) {
- benchEncrypt("64MB", "ECDHOnP256AndGCM128", b)
-}
-
-func BenchmarkEncrypt1BWithECDHOnP384AndGCM128(b *testing.B) {
- benchEncrypt("1B", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkEncrypt64BWithECDHOnP384AndGCM128(b *testing.B) {
- benchEncrypt("64B", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkEncrypt1KBWithECDHOnP384AndGCM128(b *testing.B) {
- benchEncrypt("1KB", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkEncrypt64KBWithECDHOnP384AndGCM128(b *testing.B) {
- benchEncrypt("64KB", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkEncrypt1MBWithECDHOnP384AndGCM128(b *testing.B) {
- benchEncrypt("1MB", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkEncrypt64MBWithECDHOnP384AndGCM128(b *testing.B) {
- benchEncrypt("64MB", "ECDHOnP384AndGCM128", b)
-}
-
-func BenchmarkEncrypt1BWithECDHOnP521AndGCM128(b *testing.B) {
- benchEncrypt("1B", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkEncrypt64BWithECDHOnP521AndGCM128(b *testing.B) {
- benchEncrypt("64B", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkEncrypt1KBWithECDHOnP521AndGCM128(b *testing.B) {
- benchEncrypt("1KB", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkEncrypt64KBWithECDHOnP521AndGCM128(b *testing.B) {
- benchEncrypt("64KB", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkEncrypt1MBWithECDHOnP521AndGCM128(b *testing.B) {
- benchEncrypt("1MB", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkEncrypt64MBWithECDHOnP521AndGCM128(b *testing.B) {
- benchEncrypt("64MB", "ECDHOnP521AndGCM128", b)
-}
-
-func benchEncrypt(chunkKey, primKey string, b *testing.B) {
- data, ok := chunks[chunkKey]
- if !ok {
- b.Fatalf("unknown chunk size %s", chunkKey)
- }
-
- enc, ok := encrypters[primKey]
- if !ok {
- b.Fatalf("unknown encrypter %s", primKey)
- }
-
- b.SetBytes(int64(len(data)))
- for i := 0; i < b.N; i++ {
- enc.Encrypt(data)
- }
-}
-
-var (
- decryptionKeys = map[string]interface{}{
- "OAEPAndGCM": rsaTestKey,
- "PKCSAndGCM": rsaTestKey,
- "OAEPAndCBC": rsaTestKey,
- "PKCSAndCBC": rsaTestKey,
-
- "DirectGCM128": symKey,
- "DirectCBC128": symKey,
- "DirectGCM256": symKey,
- "DirectCBC256": symKey,
-
- "AESKWAndGCM128": symKey,
- "AESKWAndCBC256": symKey,
-
- "ECDHOnP256AndGCM128": ecTestKey256,
- "ECDHOnP384AndGCM128": ecTestKey384,
- "ECDHOnP521AndGCM128": ecTestKey521,
- }
-)
-
-func BenchmarkDecrypt1BWithOAEPAndGCM(b *testing.B) { benchDecrypt("1B", "OAEPAndGCM", b) }
-func BenchmarkDecrypt64BWithOAEPAndGCM(b *testing.B) { benchDecrypt("64B", "OAEPAndGCM", b) }
-func BenchmarkDecrypt1KBWithOAEPAndGCM(b *testing.B) { benchDecrypt("1KB", "OAEPAndGCM", b) }
-func BenchmarkDecrypt64KBWithOAEPAndGCM(b *testing.B) { benchDecrypt("64KB", "OAEPAndGCM", b) }
-func BenchmarkDecrypt1MBWithOAEPAndGCM(b *testing.B) { benchDecrypt("1MB", "OAEPAndGCM", b) }
-func BenchmarkDecrypt64MBWithOAEPAndGCM(b *testing.B) { benchDecrypt("64MB", "OAEPAndGCM", b) }
-
-func BenchmarkDecrypt1BWithPKCSAndGCM(b *testing.B) { benchDecrypt("1B", "PKCSAndGCM", b) }
-func BenchmarkDecrypt64BWithPKCSAndGCM(b *testing.B) { benchDecrypt("64B", "PKCSAndGCM", b) }
-func BenchmarkDecrypt1KBWithPKCSAndGCM(b *testing.B) { benchDecrypt("1KB", "PKCSAndGCM", b) }
-func BenchmarkDecrypt64KBWithPKCSAndGCM(b *testing.B) { benchDecrypt("64KB", "PKCSAndGCM", b) }
-func BenchmarkDecrypt1MBWithPKCSAndGCM(b *testing.B) { benchDecrypt("1MB", "PKCSAndGCM", b) }
-func BenchmarkDecrypt64MBWithPKCSAndGCM(b *testing.B) { benchDecrypt("64MB", "PKCSAndGCM", b) }
-
-func BenchmarkDecrypt1BWithOAEPAndCBC(b *testing.B) { benchDecrypt("1B", "OAEPAndCBC", b) }
-func BenchmarkDecrypt64BWithOAEPAndCBC(b *testing.B) { benchDecrypt("64B", "OAEPAndCBC", b) }
-func BenchmarkDecrypt1KBWithOAEPAndCBC(b *testing.B) { benchDecrypt("1KB", "OAEPAndCBC", b) }
-func BenchmarkDecrypt64KBWithOAEPAndCBC(b *testing.B) { benchDecrypt("64KB", "OAEPAndCBC", b) }
-func BenchmarkDecrypt1MBWithOAEPAndCBC(b *testing.B) { benchDecrypt("1MB", "OAEPAndCBC", b) }
-func BenchmarkDecrypt64MBWithOAEPAndCBC(b *testing.B) { benchDecrypt("64MB", "OAEPAndCBC", b) }
-
-func BenchmarkDecrypt1BWithPKCSAndCBC(b *testing.B) { benchDecrypt("1B", "PKCSAndCBC", b) }
-func BenchmarkDecrypt64BWithPKCSAndCBC(b *testing.B) { benchDecrypt("64B", "PKCSAndCBC", b) }
-func BenchmarkDecrypt1KBWithPKCSAndCBC(b *testing.B) { benchDecrypt("1KB", "PKCSAndCBC", b) }
-func BenchmarkDecrypt64KBWithPKCSAndCBC(b *testing.B) { benchDecrypt("64KB", "PKCSAndCBC", b) }
-func BenchmarkDecrypt1MBWithPKCSAndCBC(b *testing.B) { benchDecrypt("1MB", "PKCSAndCBC", b) }
-func BenchmarkDecrypt64MBWithPKCSAndCBC(b *testing.B) { benchDecrypt("64MB", "PKCSAndCBC", b) }
-
-func BenchmarkDecrypt1BWithDirectGCM128(b *testing.B) { benchDecrypt("1B", "DirectGCM128", b) }
-func BenchmarkDecrypt64BWithDirectGCM128(b *testing.B) { benchDecrypt("64B", "DirectGCM128", b) }
-func BenchmarkDecrypt1KBWithDirectGCM128(b *testing.B) { benchDecrypt("1KB", "DirectGCM128", b) }
-func BenchmarkDecrypt64KBWithDirectGCM128(b *testing.B) { benchDecrypt("64KB", "DirectGCM128", b) }
-func BenchmarkDecrypt1MBWithDirectGCM128(b *testing.B) { benchDecrypt("1MB", "DirectGCM128", b) }
-func BenchmarkDecrypt64MBWithDirectGCM128(b *testing.B) { benchDecrypt("64MB", "DirectGCM128", b) }
-
-func BenchmarkDecrypt1BWithDirectCBC128(b *testing.B) { benchDecrypt("1B", "DirectCBC128", b) }
-func BenchmarkDecrypt64BWithDirectCBC128(b *testing.B) { benchDecrypt("64B", "DirectCBC128", b) }
-func BenchmarkDecrypt1KBWithDirectCBC128(b *testing.B) { benchDecrypt("1KB", "DirectCBC128", b) }
-func BenchmarkDecrypt64KBWithDirectCBC128(b *testing.B) { benchDecrypt("64KB", "DirectCBC128", b) }
-func BenchmarkDecrypt1MBWithDirectCBC128(b *testing.B) { benchDecrypt("1MB", "DirectCBC128", b) }
-func BenchmarkDecrypt64MBWithDirectCBC128(b *testing.B) { benchDecrypt("64MB", "DirectCBC128", b) }
-
-func BenchmarkDecrypt1BWithDirectGCM256(b *testing.B) { benchDecrypt("1B", "DirectGCM256", b) }
-func BenchmarkDecrypt64BWithDirectGCM256(b *testing.B) { benchDecrypt("64B", "DirectGCM256", b) }
-func BenchmarkDecrypt1KBWithDirectGCM256(b *testing.B) { benchDecrypt("1KB", "DirectGCM256", b) }
-func BenchmarkDecrypt64KBWithDirectGCM256(b *testing.B) { benchDecrypt("64KB", "DirectGCM256", b) }
-func BenchmarkDecrypt1MBWithDirectGCM256(b *testing.B) { benchDecrypt("1MB", "DirectGCM256", b) }
-func BenchmarkDecrypt64MBWithDirectGCM256(b *testing.B) { benchDecrypt("64MB", "DirectGCM256", b) }
-
-func BenchmarkDecrypt1BWithDirectCBC256(b *testing.B) { benchDecrypt("1B", "DirectCBC256", b) }
-func BenchmarkDecrypt64BWithDirectCBC256(b *testing.B) { benchDecrypt("64B", "DirectCBC256", b) }
-func BenchmarkDecrypt1KBWithDirectCBC256(b *testing.B) { benchDecrypt("1KB", "DirectCBC256", b) }
-func BenchmarkDecrypt64KBWithDirectCBC256(b *testing.B) { benchDecrypt("64KB", "DirectCBC256", b) }
-func BenchmarkDecrypt1MBWithDirectCBC256(b *testing.B) { benchDecrypt("1MB", "DirectCBC256", b) }
-func BenchmarkDecrypt64MBWithDirectCBC256(b *testing.B) { benchDecrypt("64MB", "DirectCBC256", b) }
-
-func BenchmarkDecrypt1BWithAESKWAndGCM128(b *testing.B) { benchDecrypt("1B", "AESKWAndGCM128", b) }
-func BenchmarkDecrypt64BWithAESKWAndGCM128(b *testing.B) { benchDecrypt("64B", "AESKWAndGCM128", b) }
-func BenchmarkDecrypt1KBWithAESKWAndGCM128(b *testing.B) { benchDecrypt("1KB", "AESKWAndGCM128", b) }
-func BenchmarkDecrypt64KBWithAESKWAndGCM128(b *testing.B) { benchDecrypt("64KB", "AESKWAndGCM128", b) }
-func BenchmarkDecrypt1MBWithAESKWAndGCM128(b *testing.B) { benchDecrypt("1MB", "AESKWAndGCM128", b) }
-func BenchmarkDecrypt64MBWithAESKWAndGCM128(b *testing.B) { benchDecrypt("64MB", "AESKWAndGCM128", b) }
-
-func BenchmarkDecrypt1BWithAESKWAndCBC256(b *testing.B) { benchDecrypt("1B", "AESKWAndCBC256", b) }
-func BenchmarkDecrypt64BWithAESKWAndCBC256(b *testing.B) { benchDecrypt("64B", "AESKWAndCBC256", b) }
-func BenchmarkDecrypt1KBWithAESKWAndCBC256(b *testing.B) { benchDecrypt("1KB", "AESKWAndCBC256", b) }
-func BenchmarkDecrypt64KBWithAESKWAndCBC256(b *testing.B) { benchDecrypt("64KB", "AESKWAndCBC256", b) }
-func BenchmarkDecrypt1MBWithAESKWAndCBC256(b *testing.B) { benchDecrypt("1MB", "AESKWAndCBC256", b) }
-func BenchmarkDecrypt64MBWithAESKWAndCBC256(b *testing.B) { benchDecrypt("64MB", "AESKWAndCBC256", b) }
-
-func BenchmarkDecrypt1BWithECDHOnP256AndGCM128(b *testing.B) {
- benchDecrypt("1B", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkDecrypt64BWithECDHOnP256AndGCM128(b *testing.B) {
- benchDecrypt("64B", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkDecrypt1KBWithECDHOnP256AndGCM128(b *testing.B) {
- benchDecrypt("1KB", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkDecrypt64KBWithECDHOnP256AndGCM128(b *testing.B) {
- benchDecrypt("64KB", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkDecrypt1MBWithECDHOnP256AndGCM128(b *testing.B) {
- benchDecrypt("1MB", "ECDHOnP256AndGCM128", b)
-}
-func BenchmarkDecrypt64MBWithECDHOnP256AndGCM128(b *testing.B) {
- benchDecrypt("64MB", "ECDHOnP256AndGCM128", b)
-}
-
-func BenchmarkDecrypt1BWithECDHOnP384AndGCM128(b *testing.B) {
- benchDecrypt("1B", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkDecrypt64BWithECDHOnP384AndGCM128(b *testing.B) {
- benchDecrypt("64B", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkDecrypt1KBWithECDHOnP384AndGCM128(b *testing.B) {
- benchDecrypt("1KB", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkDecrypt64KBWithECDHOnP384AndGCM128(b *testing.B) {
- benchDecrypt("64KB", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkDecrypt1MBWithECDHOnP384AndGCM128(b *testing.B) {
- benchDecrypt("1MB", "ECDHOnP384AndGCM128", b)
-}
-func BenchmarkDecrypt64MBWithECDHOnP384AndGCM128(b *testing.B) {
- benchDecrypt("64MB", "ECDHOnP384AndGCM128", b)
-}
-
-func BenchmarkDecrypt1BWithECDHOnP521AndGCM128(b *testing.B) {
- benchDecrypt("1B", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkDecrypt64BWithECDHOnP521AndGCM128(b *testing.B) {
- benchDecrypt("64B", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkDecrypt1KBWithECDHOnP521AndGCM128(b *testing.B) {
- benchDecrypt("1KB", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkDecrypt64KBWithECDHOnP521AndGCM128(b *testing.B) {
- benchDecrypt("64KB", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkDecrypt1MBWithECDHOnP521AndGCM128(b *testing.B) {
- benchDecrypt("1MB", "ECDHOnP521AndGCM128", b)
-}
-func BenchmarkDecrypt64MBWithECDHOnP521AndGCM128(b *testing.B) {
- benchDecrypt("64MB", "ECDHOnP521AndGCM128", b)
-}
-
-func benchDecrypt(chunkKey, primKey string, b *testing.B) {
- chunk, ok := chunks[chunkKey]
- if !ok {
- b.Fatalf("unknown chunk size %s", chunkKey)
- }
-
- enc, ok := encrypters[primKey]
- if !ok {
- b.Fatalf("unknown encrypter %s", primKey)
- }
-
- dec, ok := decryptionKeys[primKey]
- if !ok {
- b.Fatalf("unknown decryption key %s", primKey)
- }
-
- data, err := enc.Encrypt(chunk)
- if err != nil {
- b.Fatal(err)
- }
-
- b.SetBytes(int64(len(chunk)))
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- data.Decrypt(dec)
- }
-}
-
-func mustEncrypter(keyAlg KeyAlgorithm, encAlg ContentEncryption, encryptionKey interface{}) Encrypter {
- enc, err := NewEncrypter(keyAlg, encAlg, encryptionKey)
- if err != nil {
- panic(err)
- }
- return enc
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/doc.go b/vendor/gopkg.in/square/go-jose.v1/doc.go
deleted file mode 100644
index b4cd1e98..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/doc.go
+++ /dev/null
@@ -1,26 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-/*
-
-Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. For the moment, it mainly focuses on
-encryption and signing based on the JSON Web Encryption and JSON Web Signature
-standards. The library supports both the compact and full serialization
-formats, and has optional support for multiple recipients.
-
-*/
-package jose // import "gopkg.in/square/go-jose.v1"
diff --git a/vendor/gopkg.in/square/go-jose.v1/doc_test.go b/vendor/gopkg.in/square/go-jose.v1/doc_test.go
deleted file mode 100644
index 50468295..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/doc_test.go
+++ /dev/null
@@ -1,226 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/ecdsa"
- "crypto/rand"
- "crypto/rsa"
- "fmt"
-)
-
-// Dummy encrypter for use in examples
-var encrypter, _ = NewEncrypter(DIRECT, A128GCM, []byte{})
-
-func Example_jWE() {
- // Generate a public/private key pair to use for this example. The library
- // also provides two utility functions (LoadPublicKey and LoadPrivateKey)
- // that can be used to load keys from PEM/DER-encoded data.
- privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- panic(err)
- }
-
- // Instantiate an encrypter using RSA-OAEP with AES128-GCM. An error would
- // indicate that the selected algorithm(s) are not currently supported.
- publicKey := &privateKey.PublicKey
- encrypter, err := NewEncrypter(RSA_OAEP, A128GCM, publicKey)
- if err != nil {
- panic(err)
- }
-
- // Encrypt a sample plaintext. Calling the encrypter returns an encrypted
- // JWE object, which can then be serialized for output afterwards. An error
- // would indicate a problem in an underlying cryptographic primitive.
- var plaintext = []byte("Lorem ipsum dolor sit amet")
- object, err := encrypter.Encrypt(plaintext)
- if err != nil {
- panic(err)
- }
-
- // Serialize the encrypted object using the full serialization format.
- // Alternatively you can also use the compact format here by calling
- // object.CompactSerialize() instead.
- serialized := object.FullSerialize()
-
- // Parse the serialized, encrypted JWE object. An error would indicate that
- // the given input did not represent a valid message.
- object, err = ParseEncrypted(serialized)
- if err != nil {
- panic(err)
- }
-
- // Now we can decrypt and get back our original plaintext. An error here
- // would indicate the the message failed to decrypt, e.g. because the auth
- // tag was broken or the message was tampered with.
- decrypted, err := object.Decrypt(privateKey)
- if err != nil {
- panic(err)
- }
-
- fmt.Printf(string(decrypted))
- // output: Lorem ipsum dolor sit amet
-}
-
-func Example_jWS() {
- // Generate a public/private key pair to use for this example. The library
- // also provides two utility functions (LoadPublicKey and LoadPrivateKey)
- // that can be used to load keys from PEM/DER-encoded data.
- privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
- if err != nil {
- panic(err)
- }
-
- // Instantiate a signer using RSASSA-PSS (SHA512) with the given private key.
- signer, err := NewSigner(PS512, privateKey)
- if err != nil {
- panic(err)
- }
-
- // Sign a sample payload. Calling the signer returns a protected JWS object,
- // which can then be serialized for output afterwards. An error would
- // indicate a problem in an underlying cryptographic primitive.
- var payload = []byte("Lorem ipsum dolor sit amet")
- object, err := signer.Sign(payload)
- if err != nil {
- panic(err)
- }
-
- // Serialize the encrypted object using the full serialization format.
- // Alternatively you can also use the compact format here by calling
- // object.CompactSerialize() instead.
- serialized := object.FullSerialize()
-
- // Parse the serialized, protected JWS object. An error would indicate that
- // the given input did not represent a valid message.
- object, err = ParseSigned(serialized)
- if err != nil {
- panic(err)
- }
-
- // Now we can verify the signature on the payload. An error here would
- // indicate the the message failed to verify, e.g. because the signature was
- // broken or the message was tampered with.
- output, err := object.Verify(&privateKey.PublicKey)
- if err != nil {
- panic(err)
- }
-
- fmt.Printf(string(output))
- // output: Lorem ipsum dolor sit amet
-}
-
-func ExampleNewEncrypter_publicKey() {
- var publicKey *rsa.PublicKey
-
- // Instantiate an encrypter using RSA-OAEP with AES128-GCM.
- NewEncrypter(RSA_OAEP, A128GCM, publicKey)
-
- // Instantiate an encrypter using RSA-PKCS1v1.5 with AES128-CBC+HMAC.
- NewEncrypter(RSA1_5, A128CBC_HS256, publicKey)
-}
-
-func ExampleNewEncrypter_symmetric() {
- var sharedKey []byte
-
- // Instantiate an encrypter using AES128-GCM with AES-GCM key wrap.
- NewEncrypter(A128GCMKW, A128GCM, sharedKey)
-
- // Instantiate an encrypter using AES256-GCM directly, w/o key wrapping.
- NewEncrypter(DIRECT, A256GCM, sharedKey)
-}
-
-func ExampleNewSigner_publicKey() {
- var rsaPrivateKey *rsa.PrivateKey
- var ecdsaPrivateKey *ecdsa.PrivateKey
-
- // Instantiate a signer using RSA-PKCS#1v1.5 with SHA-256.
- NewSigner(RS256, rsaPrivateKey)
-
- // Instantiate a signer using ECDSA with SHA-384.
- NewSigner(ES384, ecdsaPrivateKey)
-}
-
-func ExampleNewSigner_symmetric() {
- var sharedKey []byte
-
- // Instantiate an signer using HMAC-SHA256.
- NewSigner(HS256, sharedKey)
-
- // Instantiate an signer using HMAC-SHA512.
- NewSigner(HS512, sharedKey)
-}
-
-func ExampleNewMultiEncrypter() {
- var publicKey *rsa.PublicKey
- var sharedKey []byte
-
- // Instantiate an encrypter using AES-GCM.
- encrypter, err := NewMultiEncrypter(A128GCM)
- if err != nil {
- panic(err)
- }
-
- // Add a recipient using a shared key with AES-GCM key wap
- err = encrypter.AddRecipient(A128GCMKW, sharedKey)
- if err != nil {
- panic(err)
- }
-
- // Add a recipient using an RSA public key with RSA-OAEP
- err = encrypter.AddRecipient(RSA_OAEP, publicKey)
- if err != nil {
- panic(err)
- }
-}
-
-func ExampleNewMultiSigner() {
- var privateKey *rsa.PrivateKey
- var sharedKey []byte
-
- // Instantiate a signer for multiple recipients.
- signer := NewMultiSigner()
-
- // Add a recipient using a shared key with HMAC-SHA256
- err := signer.AddRecipient(HS256, sharedKey)
- if err != nil {
- panic(err)
- }
-
- // Add a recipient using an RSA private key with RSASSA-PSS with SHA384
- err = signer.AddRecipient(PS384, privateKey)
- if err != nil {
- panic(err)
- }
-}
-
-func ExampleEncrypter_encrypt() {
- // Encrypt a plaintext in order to get an encrypted JWE object.
- var plaintext = []byte("This is a secret message")
-
- encrypter.Encrypt(plaintext)
-}
-
-func ExampleEncrypter_encryptWithAuthData() {
- // Encrypt a plaintext in order to get an encrypted JWE object. Also attach
- // some additional authenticated data (AAD) to the object. Note that objects
- // with attached AAD can only be represented using full serialization.
- var plaintext = []byte("This is a secret message")
- var aad = []byte("This is authenticated, but public data")
-
- encrypter.EncryptWithAuthData(plaintext, aad)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/encoding.go b/vendor/gopkg.in/square/go-jose.v1/encoding.go
deleted file mode 100644
index 3e2ac0ae..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/encoding.go
+++ /dev/null
@@ -1,191 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "compress/flate"
- "encoding/base64"
- "encoding/binary"
- "io"
- "math/big"
- "regexp"
- "strings"
-)
-
-var stripWhitespaceRegex = regexp.MustCompile("\\s")
-
-// Url-safe base64 encode that strips padding
-func base64URLEncode(data []byte) string {
- var result = base64.URLEncoding.EncodeToString(data)
- return strings.TrimRight(result, "=")
-}
-
-// Url-safe base64 decoder that adds padding
-func base64URLDecode(data string) ([]byte, error) {
- var missing = (4 - len(data)%4) % 4
- data += strings.Repeat("=", missing)
- return base64.URLEncoding.DecodeString(data)
-}
-
-// Helper function to serialize known-good objects.
-// Precondition: value is not a nil pointer.
-func mustSerializeJSON(value interface{}) []byte {
- out, err := MarshalJSON(value)
- if err != nil {
- panic(err)
- }
- // We never want to serialize the top-level value "null," since it's not a
- // valid JOSE message. But if a caller passes in a nil pointer to this method,
- // MarshalJSON will happily serialize it as the top-level value "null". If
- // that value is then embedded in another operation, for instance by being
- // base64-encoded and fed as input to a signing algorithm
- // (https://github.com/square/go-jose/issues/22), the result will be
- // incorrect. Because this method is intended for known-good objects, and a nil
- // pointer is not a known-good object, we are free to panic in this case.
- // Note: It's not possible to directly check whether the data pointed at by an
- // interface is a nil pointer, so we do this hacky workaround.
- // https://groups.google.com/forum/#!topic/golang-nuts/wnH302gBa4I
- if string(out) == "null" {
- panic("Tried to serialize a nil pointer.")
- }
- return out
-}
-
-// Strip all newlines and whitespace
-func stripWhitespace(data string) string {
- return stripWhitespaceRegex.ReplaceAllString(data, "")
-}
-
-// Perform compression based on algorithm
-func compress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
- switch algorithm {
- case DEFLATE:
- return deflate(input)
- default:
- return nil, ErrUnsupportedAlgorithm
- }
-}
-
-// Perform decompression based on algorithm
-func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
- switch algorithm {
- case DEFLATE:
- return inflate(input)
- default:
- return nil, ErrUnsupportedAlgorithm
- }
-}
-
-// Compress with DEFLATE
-func deflate(input []byte) ([]byte, error) {
- output := new(bytes.Buffer)
-
- // Writing to byte buffer, err is always nil
- writer, _ := flate.NewWriter(output, 1)
- _, _ = io.Copy(writer, bytes.NewBuffer(input))
-
- err := writer.Close()
- return output.Bytes(), err
-}
-
-// Decompress with DEFLATE
-func inflate(input []byte) ([]byte, error) {
- output := new(bytes.Buffer)
- reader := flate.NewReader(bytes.NewBuffer(input))
-
- _, err := io.Copy(output, reader)
- if err != nil {
- return nil, err
- }
-
- err = reader.Close()
- return output.Bytes(), err
-}
-
-// byteBuffer represents a slice of bytes that can be serialized to url-safe base64.
-type byteBuffer struct {
- data []byte
-}
-
-func newBuffer(data []byte) *byteBuffer {
- if data == nil {
- return nil
- }
- return &byteBuffer{
- data: data,
- }
-}
-
-func newFixedSizeBuffer(data []byte, length int) *byteBuffer {
- if len(data) > length {
- panic("square/go-jose: invalid call to newFixedSizeBuffer (len(data) > length)")
- }
- pad := make([]byte, length-len(data))
- return newBuffer(append(pad, data...))
-}
-
-func newBufferFromInt(num uint64) *byteBuffer {
- data := make([]byte, 8)
- binary.BigEndian.PutUint64(data, num)
- return newBuffer(bytes.TrimLeft(data, "\x00"))
-}
-
-func (b *byteBuffer) MarshalJSON() ([]byte, error) {
- return MarshalJSON(b.base64())
-}
-
-func (b *byteBuffer) UnmarshalJSON(data []byte) error {
- var encoded string
- err := UnmarshalJSON(data, &encoded)
- if err != nil {
- return err
- }
-
- if encoded == "" {
- return nil
- }
-
- decoded, err := base64URLDecode(encoded)
- if err != nil {
- return err
- }
-
- *b = *newBuffer(decoded)
-
- return nil
-}
-
-func (b *byteBuffer) base64() string {
- return base64URLEncode(b.data)
-}
-
-func (b *byteBuffer) bytes() []byte {
- // Handling nil here allows us to transparently handle nil slices when serializing.
- if b == nil {
- return nil
- }
- return b.data
-}
-
-func (b byteBuffer) bigInt() *big.Int {
- return new(big.Int).SetBytes(b.data)
-}
-
-func (b byteBuffer) toInt() int {
- return int(b.bigInt().Int64())
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/encoding_test.go b/vendor/gopkg.in/square/go-jose.v1/encoding_test.go
deleted file mode 100644
index e2f8d979..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/encoding_test.go
+++ /dev/null
@@ -1,173 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "strings"
- "testing"
-)
-
-func TestBase64URLEncode(t *testing.T) {
- // Test arrays with various sizes
- if base64URLEncode([]byte{}) != "" {
- t.Error("failed to encode empty array")
- }
-
- if base64URLEncode([]byte{0}) != "AA" {
- t.Error("failed to encode [0x00]")
- }
-
- if base64URLEncode([]byte{0, 1}) != "AAE" {
- t.Error("failed to encode [0x00, 0x01]")
- }
-
- if base64URLEncode([]byte{0, 1, 2}) != "AAEC" {
- t.Error("failed to encode [0x00, 0x01, 0x02]")
- }
-
- if base64URLEncode([]byte{0, 1, 2, 3}) != "AAECAw" {
- t.Error("failed to encode [0x00, 0x01, 0x02, 0x03]")
- }
-}
-
-func TestBase64URLDecode(t *testing.T) {
- // Test arrays with various sizes
- val, err := base64URLDecode("")
- if err != nil || !bytes.Equal(val, []byte{}) {
- t.Error("failed to decode empty array")
- }
-
- val, err = base64URLDecode("AA")
- if err != nil || !bytes.Equal(val, []byte{0}) {
- t.Error("failed to decode [0x00]")
- }
-
- val, err = base64URLDecode("AAE")
- if err != nil || !bytes.Equal(val, []byte{0, 1}) {
- t.Error("failed to decode [0x00, 0x01]")
- }
-
- val, err = base64URLDecode("AAEC")
- if err != nil || !bytes.Equal(val, []byte{0, 1, 2}) {
- t.Error("failed to decode [0x00, 0x01, 0x02]")
- }
-
- val, err = base64URLDecode("AAECAw")
- if err != nil || !bytes.Equal(val, []byte{0, 1, 2, 3}) {
- t.Error("failed to decode [0x00, 0x01, 0x02, 0x03]")
- }
-}
-
-func TestDeflateRoundtrip(t *testing.T) {
- original := []byte("Lorem ipsum dolor sit amet")
-
- compressed, err := deflate(original)
- if err != nil {
- panic(err)
- }
-
- output, err := inflate(compressed)
- if err != nil {
- panic(err)
- }
-
- if bytes.Compare(output, original) != 0 {
- t.Error("Input and output do not match")
- }
-}
-
-func TestInvalidCompression(t *testing.T) {
- _, err := compress("XYZ", []byte{})
- if err == nil {
- t.Error("should not accept invalid algorithm")
- }
-
- _, err = decompress("XYZ", []byte{})
- if err == nil {
- t.Error("should not accept invalid algorithm")
- }
-
- _, err = decompress(DEFLATE, []byte{1, 2, 3, 4})
- if err == nil {
- t.Error("should not accept invalid data")
- }
-}
-
-func TestByteBufferTrim(t *testing.T) {
- buf := newBufferFromInt(1)
- if !bytes.Equal(buf.data, []byte{1}) {
- t.Error("Byte buffer for integer '1' should contain [0x01]")
- }
-
- buf = newBufferFromInt(65537)
- if !bytes.Equal(buf.data, []byte{1, 0, 1}) {
- t.Error("Byte buffer for integer '65537' should contain [0x01, 0x00, 0x01]")
- }
-}
-
-func TestFixedSizeBuffer(t *testing.T) {
- data0 := []byte{}
- data1 := []byte{1}
- data2 := []byte{1, 2}
- data3 := []byte{1, 2, 3}
- data4 := []byte{1, 2, 3, 4}
-
- buf0 := newFixedSizeBuffer(data0, 4)
- buf1 := newFixedSizeBuffer(data1, 4)
- buf2 := newFixedSizeBuffer(data2, 4)
- buf3 := newFixedSizeBuffer(data3, 4)
- buf4 := newFixedSizeBuffer(data4, 4)
-
- if !bytes.Equal(buf0.data, []byte{0, 0, 0, 0}) {
- t.Error("Invalid padded buffer for buf0")
- }
- if !bytes.Equal(buf1.data, []byte{0, 0, 0, 1}) {
- t.Error("Invalid padded buffer for buf1")
- }
- if !bytes.Equal(buf2.data, []byte{0, 0, 1, 2}) {
- t.Error("Invalid padded buffer for buf2")
- }
- if !bytes.Equal(buf3.data, []byte{0, 1, 2, 3}) {
- t.Error("Invalid padded buffer for buf3")
- }
- if !bytes.Equal(buf4.data, []byte{1, 2, 3, 4}) {
- t.Error("Invalid padded buffer for buf4")
- }
-}
-
-func TestSerializeJSONRejectsNil(t *testing.T) {
- defer func() {
- r := recover()
- if r == nil || !strings.Contains(r.(string), "nil pointer") {
- t.Error("serialize function should not accept nil pointer")
- }
- }()
-
- mustSerializeJSON(nil)
-}
-
-func TestFixedSizeBufferTooLarge(t *testing.T) {
- defer func() {
- r := recover()
- if r == nil {
- t.Error("should not be able to create fixed size buffer with oversized data")
- }
- }()
-
- newFixedSizeBuffer(make([]byte, 2), 1)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/README.md b/vendor/gopkg.in/square/go-jose.v1/jose-util/README.md
deleted file mode 100644
index 6cfe6a71..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jose-util/README.md
+++ /dev/null
@@ -1,59 +0,0 @@
-# JOSE CLI
-
-The `jose-util` command line utility allows for encryption, decryption, signing
-and verification of JOSE messages. Its main purpose is to facilitate dealing
-with JOSE messages when testing or debugging.
-
-## Usage
-
-The utility includes the subcommands `encrypt`, `decrypt`, `sign`, `verify` and
-`expand`. Examples for each command can be found below.
-
-Algorithms are selected via the `--alg` and `--enc` flags, which influence the
-`alg` and `enc` headers in respectively. For JWE, `--alg` specifies the key
-managment algorithm (e.g. `RSA-OAEP`) and `--enc` specifies the content
-encryption algorithm (e.g. `A128GCM`). For JWS, `--alg` specifies the
-signature algorithm (e.g. `PS256`).
-
-Input and output files can be specified via the `--in` and `--out` flags.
-Either flag can be omitted, in which case `jose-util` uses stdin/stdout for
-input/output respectively. By default each command will output a compact
-message, but it's possible to get the full serialization by supplying the
-`--full` flag.
-
-Keys are specified via the `--key` flag. Supported key types are naked RSA/EC
-keys and X.509 certificates with embedded RSA/EC keys. Keys must be in PEM
-or DER formats.
-
-## Examples
-
-### Encrypt
-
-Takes a plaintext as input, encrypts, and prints the encrypted message.
-
- jose-util encrypt -k public-key.pem --alg RSA-OAEP --enc A128GCM
-
-### Decrypt
-
-Takes an encrypted message (JWE) as input, decrypts, and prints the plaintext.
-
- jose-util decrypt -k private-key.pem
-
-### Sign
-
-Takes a payload as input, signs it, and prints the signed message with the embedded payload.
-
- jose-util sign -k private-key.pem --alg PS256
-
-### Verify
-
-Reads a signed message (JWS), verifies it, and extracts the payload.
-
- jose-util verify -k public-key.pem
-
-### Expand
-
-Expands a compact message to the full serialization format.
-
- jose-util expand --format JWE # Expands a compact JWE to full format
- jose-util expand --format JWS # Expands a compact JWS to full format
diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t b/vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t
deleted file mode 100644
index 5e42ba4d..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jose-util/jose-util.t
+++ /dev/null
@@ -1,88 +0,0 @@
-Set up test keys.
-
- $ cat > rsa.pub <<EOF
- > -----BEGIN PUBLIC KEY-----
- > MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAslWybuiNYR7uOgKuvaBw
- > qVk8saEutKhOAaW+3hWF65gJei+ZV8QFfYDxs9ZaRZlWAUMtncQPnw7ZQlXO9ogN
- > 5cMcN50C6qMOOZzghK7danalhF5lUETC4Hk3Eisbi/PR3IfVyXaRmqL6X66MKj/J
- > AKyD9NFIDVy52K8A198Jojnrw2+XXQW72U68fZtvlyl/BTBWQ9Re5JSTpEcVmpCR
- > 8FrFc0RPMBm+G5dRs08vvhZNiTT2JACO5V+J5ZrgP3s5hnGFcQFZgDnXLInDUdoi
- > 1MuCjaAU0ta8/08pHMijNix5kFofdPEB954MiZ9k4kQ5/utt02I9x2ssHqw71ojj
- > vwIDAQAB
- > -----END PUBLIC KEY-----
- > EOF
-
- $ cat > rsa.key <<EOF
- > -----BEGIN RSA PRIVATE KEY-----
- > MIIEogIBAAKCAQEAslWybuiNYR7uOgKuvaBwqVk8saEutKhOAaW+3hWF65gJei+Z
- > V8QFfYDxs9ZaRZlWAUMtncQPnw7ZQlXO9ogN5cMcN50C6qMOOZzghK7danalhF5l
- > UETC4Hk3Eisbi/PR3IfVyXaRmqL6X66MKj/JAKyD9NFIDVy52K8A198Jojnrw2+X
- > XQW72U68fZtvlyl/BTBWQ9Re5JSTpEcVmpCR8FrFc0RPMBm+G5dRs08vvhZNiTT2
- > JACO5V+J5ZrgP3s5hnGFcQFZgDnXLInDUdoi1MuCjaAU0ta8/08pHMijNix5kFof
- > dPEB954MiZ9k4kQ5/utt02I9x2ssHqw71ojjvwIDAQABAoIBABrYDYDmXom1BzUS
- > PE1s/ihvt1QhqA8nmn5i/aUeZkc9XofW7GUqq4zlwPxKEtKRL0IHY7Fw1s0hhhCX
- > LA0uE7F3OiMg7lR1cOm5NI6kZ83jyCxxrRx1DUSO2nxQotfhPsDMbaDiyS4WxEts
- > 0cp2SYJhdYd/jTH9uDfmt+DGwQN7Jixio1Dj3vwB7krDY+mdre4SFY7Gbk9VxkDg
- > LgCLMoq52m+wYufP8CTgpKFpMb2/yJrbLhuJxYZrJ3qd/oYo/91k6v7xlBKEOkwD
- > 2veGk9Dqi8YPNxaRktTEjnZb6ybhezat93+VVxq4Oem3wMwou1SfXrSUKtgM/p2H
- > vfw/76ECgYEA2fNL9tC8u9M0wjA+kvvtDG96qO6O66Hksssy6RWInD+Iqk3MtHQt
- > LeoCjvX+zERqwOb6SI6empk5pZ9E3/9vJ0dBqkxx3nqn4M/nRWnExGgngJsL959t
- > f50cdxva8y1RjNhT4kCwTrupX/TP8lAG8SfG1Alo2VFR8iWd8hDQcTECgYEA0Xfj
- > EgqAsVh4U0s3lFxKjOepEyp0G1Imty5J16SvcOEAD1Mrmz94aSSp0bYhXNVdbf7n
- > Rk77htWC7SE29fGjOzZRS76wxj/SJHF+rktHB2Zt23k1jBeZ4uLMPMnGLY/BJ099
- > 5DTGo0yU0rrPbyXosx+ukfQLAHFuggX4RNeM5+8CgYB7M1J/hGMLcUpjcs4MXCgV
- > XXbiw2c6v1r9zmtK4odEe42PZ0cNwpY/XAZyNZAAe7Q0stxL44K4NWEmxC80x7lX
- > ZKozz96WOpNnO16qGC3IMHAT/JD5Or+04WTT14Ue7UEp8qcIQDTpbJ9DxKk/eglS
- > jH+SIHeKULOXw7fSu7p4IQKBgBnyVchIUMSnBtCagpn4DKwDjif3nEY+GNmb/D2g
- > ArNiy5UaYk5qwEmV5ws5GkzbiSU07AUDh5ieHgetk5dHhUayZcOSLWeBRFCLVnvU
- > i0nZYEZNb1qZGdDG8zGcdNXz9qMd76Qy/WAA/nZT+Zn1AiweAovFxQ8a/etRPf2Z
- > DbU1AoGAHpCgP7B/4GTBe49H0AQueQHBn4RIkgqMy9xiMeR+U+U0vaY0TlfLhnX+
- > 5PkNfkPXohXlfL7pxwZNYa6FZhCAubzvhKCdUASivkoGaIEk6g1VTVYS/eDVQ4CA
- > slfl+elXtLq/l1kQ8C14jlHrQzSXx4PQvjDEnAmaHSJNz4mP9Fg=
- > -----END RSA PRIVATE KEY-----
- > EOF
-
- $ cat > ec.pub <<EOF
- > -----BEGIN PUBLIC KEY-----
- > MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE9yoUEAgxTd9svwe9oPqjhcP+f2jcdTL2
- > Wq8Aw2v9ht1dBy00tFRPNrCxFCkvMcJFhSPoDUV5NL7zfh3/psiSNYziGPrWEJYf
- > gmYihjSeoOf0ru1erpBrTflImPrMftCy
- > -----END PUBLIC KEY-----
- > EOF
-
- $ cat > ec.key <<EOF
- > -----BEGIN EC PRIVATE KEY-----
- > MIGkAgEBBDDvoj/bM1HokUjYWO/IDFs26Jo0GIFtU3tMQQu7ZabKscDMK3dZA0mK
- > v97ij7BBFbCgBwYFK4EEACKhZANiAAT3KhQQCDFN32y/B72g+qOFw/5/aNx1MvZa
- > rwDDa/2G3V0HLTS0VE82sLEUKS8xwkWFI+gNRXk0vvN+Hf+myJI1jOIY+tYQlh+C
- > ZiKGNJ6g5/Su7V6ukGtN+UiY+sx+0LI=
- > -----END EC PRIVATE KEY-----
- > EOF
-
-Encrypt and then decrypt a test message (RSA).
-
- $ echo "Lorem ipsum dolor sit amet" |
- > jose-util encrypt --alg RSA-OAEP --enc A128GCM --key rsa.pub |
- > jose-util decrypt --key rsa.key
- Lorem ipsum dolor sit amet
-
-Encrypt and then decrypt a test message (EC).
-
- $ echo "Lorem ipsum dolor sit amet" |
- > jose-util encrypt --alg ECDH-ES+A128KW --enc A128GCM --key ec.pub |
- > jose-util decrypt --key ec.key
- Lorem ipsum dolor sit amet
-
-Sign and verify a test message (RSA).
-
- $ echo "Lorem ipsum dolor sit amet" |
- > jose-util sign --alg PS256 --key rsa.key |
- > jose-util verify --key rsa.pub
- Lorem ipsum dolor sit amet
-
-Sign and verify a test message (EC).
-
- $ echo "Lorem ipsum dolor sit amet" |
- > jose-util sign --alg ES384 --key ec.key |
- > jose-util verify --key ec.pub
- Lorem ipsum dolor sit amet
diff --git a/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go b/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go
deleted file mode 100644
index 48f01091..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jose-util/main.go
+++ /dev/null
@@ -1,184 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package main
-
-import (
- "fmt"
- "io/ioutil"
- "os"
-
- "gopkg.in/alecthomas/kingpin.v2"
- "gopkg.in/square/go-jose.v1"
-)
-
-var (
- app = kingpin.New("jose-util", "A command-line utility for dealing with JOSE objects.")
-
- keyFile = app.Flag("key", "Path to key file (PEM or DER-encoded)").Required().ExistingFile()
- inFile = app.Flag("in", "Path to input file (stdin if missing)").ExistingFile()
- outFile = app.Flag("out", "Path to output file (stdout if missing)").ExistingFile()
-
- encryptCommand = app.Command("encrypt", "Encrypt a plaintext, output ciphertext.")
- algFlag = encryptCommand.Flag("alg", "Key management algorithm (e.g. RSA-OAEP)").Required().String()
- encFlag = encryptCommand.Flag("enc", "Content encryption algorithm (e.g. A128GCM)").Required().String()
-
- decryptCommand = app.Command("decrypt", "Decrypt a ciphertext, output plaintext.")
-
- signCommand = app.Command("sign", "Sign a payload, output signed message.")
- sigAlgFlag = signCommand.Flag("alg", "Key management algorithm (e.g. RSA-OAEP)").Required().String()
-
- verifyCommand = app.Command("verify", "Verify a signed message, output payload.")
-
- expandCommand = app.Command("expand", "Expand JOSE object to full serialization format.")
- formatFlag = expandCommand.Flag("format", "Type of message to expand (JWS or JWE, defaults to JWE)").String()
-
- full = app.Flag("full", "Use full serialization format (instead of compact)").Bool()
-)
-
-func main() {
- app.Version("v1")
-
- command := kingpin.MustParse(app.Parse(os.Args[1:]))
-
- keyBytes, err := ioutil.ReadFile(*keyFile)
- exitOnError(err, "unable to read key file")
-
- switch command {
- case "encrypt":
- pub, err := jose.LoadPublicKey(keyBytes)
- exitOnError(err, "unable to read public key")
-
- alg := jose.KeyAlgorithm(*algFlag)
- enc := jose.ContentEncryption(*encFlag)
-
- crypter, err := jose.NewEncrypter(alg, enc, pub)
- exitOnError(err, "unable to instantiate encrypter")
-
- obj, err := crypter.Encrypt(readInput(*inFile))
- exitOnError(err, "unable to encrypt")
-
- var msg string
- if *full {
- msg = obj.FullSerialize()
- } else {
- msg, err = obj.CompactSerialize()
- exitOnError(err, "unable to serialize message")
- }
-
- writeOutput(*outFile, []byte(msg))
- case "decrypt":
- priv, err := jose.LoadPrivateKey(keyBytes)
- exitOnError(err, "unable to read private key")
-
- obj, err := jose.ParseEncrypted(string(readInput(*inFile)))
- exitOnError(err, "unable to parse message")
-
- plaintext, err := obj.Decrypt(priv)
- exitOnError(err, "unable to decrypt message")
-
- writeOutput(*outFile, plaintext)
- case "sign":
- signingKey, err := jose.LoadPrivateKey(keyBytes)
- exitOnError(err, "unable to read private key")
-
- alg := jose.SignatureAlgorithm(*sigAlgFlag)
- signer, err := jose.NewSigner(alg, signingKey)
- exitOnError(err, "unable to make signer")
-
- obj, err := signer.Sign(readInput(*inFile))
- exitOnError(err, "unable to sign")
-
- var msg string
- if *full {
- msg = obj.FullSerialize()
- } else {
- msg, err = obj.CompactSerialize()
- exitOnError(err, "unable to serialize message")
- }
-
- writeOutput(*outFile, []byte(msg))
- case "verify":
- verificationKey, err := jose.LoadPublicKey(keyBytes)
- exitOnError(err, "unable to read private key")
-
- obj, err := jose.ParseSigned(string(readInput(*inFile)))
- exitOnError(err, "unable to parse message")
-
- plaintext, err := obj.Verify(verificationKey)
- exitOnError(err, "invalid signature")
-
- writeOutput(*outFile, plaintext)
- case "expand":
- input := string(readInput(*inFile))
-
- var serialized string
- var err error
- switch *formatFlag {
- case "", "JWE":
- var jwe *jose.JsonWebEncryption
- jwe, err = jose.ParseEncrypted(input)
- if err == nil {
- serialized = jwe.FullSerialize()
- }
- case "JWS":
- var jws *jose.JsonWebSignature
- jws, err = jose.ParseSigned(input)
- if err == nil {
- serialized = jws.FullSerialize()
- }
- }
-
- exitOnError(err, "unable to expand message")
- writeOutput(*outFile, []byte(serialized))
- }
-}
-
-// Exit and print error message if we encountered a problem
-func exitOnError(err error, msg string) {
- if err != nil {
- fmt.Fprintf(os.Stderr, "%s: %s\n", msg, err)
- os.Exit(1)
- }
-}
-
-// Read input from file or stdin
-func readInput(path string) []byte {
- var bytes []byte
- var err error
-
- if path != "" {
- bytes, err = ioutil.ReadFile(path)
- } else {
- bytes, err = ioutil.ReadAll(os.Stdin)
- }
-
- exitOnError(err, "unable to read input")
- return bytes
-}
-
-// Write output to file or stdin
-func writeOutput(path string, data []byte) {
- var err error
-
- if path != "" {
- err = ioutil.WriteFile(path, data, 0644)
- } else {
- _, err = os.Stdout.Write(data)
- }
-
- exitOnError(err, "unable to write output")
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/LICENSE b/vendor/gopkg.in/square/go-jose.v1/json/LICENSE
deleted file mode 100644
index 74487567..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright (c) 2012 The Go Authors. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
- * Neither the name of Google Inc. nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/README.md b/vendor/gopkg.in/square/go-jose.v1/json/README.md
deleted file mode 100644
index 86de5e55..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Safe JSON
-
-This repository contains a fork of the `encoding/json` package from Go 1.6.
-
-The following changes were made:
-
-* Object deserialization uses case-sensitive member name matching instead of
- [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html).
- This is to avoid differences in the interpretation of JOSE messages between
- go-jose and libraries written in other languages.
-* When deserializing a JSON object, we check for duplicate keys and reject the
- input whenever we detect a duplicate. Rather than trying to work with malformed
- data, we prefer to reject it right away.
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/bench_test.go b/vendor/gopkg.in/square/go-jose.v1/json/bench_test.go
deleted file mode 100644
index ed89d115..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/bench_test.go
+++ /dev/null
@@ -1,223 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Large data benchmark.
-// The JSON data is a summary of agl's changes in the
-// go, webkit, and chromium open source projects.
-// We benchmark converting between the JSON form
-// and in-memory data structures.
-
-package json
-
-import (
- "bytes"
- "compress/gzip"
- "io/ioutil"
- "os"
- "strings"
- "testing"
-)
-
-type codeResponse struct {
- Tree *codeNode `json:"tree"`
- Username string `json:"username"`
-}
-
-type codeNode struct {
- Name string `json:"name"`
- Kids []*codeNode `json:"kids"`
- CLWeight float64 `json:"cl_weight"`
- Touches int `json:"touches"`
- MinT int64 `json:"min_t"`
- MaxT int64 `json:"max_t"`
- MeanT int64 `json:"mean_t"`
-}
-
-var codeJSON []byte
-var codeStruct codeResponse
-
-func codeInit() {
- f, err := os.Open("testdata/code.json.gz")
- if err != nil {
- panic(err)
- }
- defer f.Close()
- gz, err := gzip.NewReader(f)
- if err != nil {
- panic(err)
- }
- data, err := ioutil.ReadAll(gz)
- if err != nil {
- panic(err)
- }
-
- codeJSON = data
-
- if err := Unmarshal(codeJSON, &codeStruct); err != nil {
- panic("unmarshal code.json: " + err.Error())
- }
-
- if data, err = Marshal(&codeStruct); err != nil {
- panic("marshal code.json: " + err.Error())
- }
-
- if !bytes.Equal(data, codeJSON) {
- println("different lengths", len(data), len(codeJSON))
- for i := 0; i < len(data) && i < len(codeJSON); i++ {
- if data[i] != codeJSON[i] {
- println("re-marshal: changed at byte", i)
- println("orig: ", string(codeJSON[i-10:i+10]))
- println("new: ", string(data[i-10:i+10]))
- break
- }
- }
- panic("re-marshal code.json: different result")
- }
-}
-
-func BenchmarkCodeEncoder(b *testing.B) {
- if codeJSON == nil {
- b.StopTimer()
- codeInit()
- b.StartTimer()
- }
- enc := NewEncoder(ioutil.Discard)
- for i := 0; i < b.N; i++ {
- if err := enc.Encode(&codeStruct); err != nil {
- b.Fatal("Encode:", err)
- }
- }
- b.SetBytes(int64(len(codeJSON)))
-}
-
-func BenchmarkCodeMarshal(b *testing.B) {
- if codeJSON == nil {
- b.StopTimer()
- codeInit()
- b.StartTimer()
- }
- for i := 0; i < b.N; i++ {
- if _, err := Marshal(&codeStruct); err != nil {
- b.Fatal("Marshal:", err)
- }
- }
- b.SetBytes(int64(len(codeJSON)))
-}
-
-func BenchmarkCodeDecoder(b *testing.B) {
- if codeJSON == nil {
- b.StopTimer()
- codeInit()
- b.StartTimer()
- }
- var buf bytes.Buffer
- dec := NewDecoder(&buf)
- var r codeResponse
- for i := 0; i < b.N; i++ {
- buf.Write(codeJSON)
- // hide EOF
- buf.WriteByte('\n')
- buf.WriteByte('\n')
- buf.WriteByte('\n')
- if err := dec.Decode(&r); err != nil {
- b.Fatal("Decode:", err)
- }
- }
- b.SetBytes(int64(len(codeJSON)))
-}
-
-func BenchmarkDecoderStream(b *testing.B) {
- b.StopTimer()
- var buf bytes.Buffer
- dec := NewDecoder(&buf)
- buf.WriteString(`"` + strings.Repeat("x", 1000000) + `"` + "\n\n\n")
- var x interface{}
- if err := dec.Decode(&x); err != nil {
- b.Fatal("Decode:", err)
- }
- ones := strings.Repeat(" 1\n", 300000) + "\n\n\n"
- b.StartTimer()
- for i := 0; i < b.N; i++ {
- if i%300000 == 0 {
- buf.WriteString(ones)
- }
- x = nil
- if err := dec.Decode(&x); err != nil || x != 1.0 {
- b.Fatalf("Decode: %v after %d", err, i)
- }
- }
-}
-
-func BenchmarkCodeUnmarshal(b *testing.B) {
- if codeJSON == nil {
- b.StopTimer()
- codeInit()
- b.StartTimer()
- }
- for i := 0; i < b.N; i++ {
- var r codeResponse
- if err := Unmarshal(codeJSON, &r); err != nil {
- b.Fatal("Unmmarshal:", err)
- }
- }
- b.SetBytes(int64(len(codeJSON)))
-}
-
-func BenchmarkCodeUnmarshalReuse(b *testing.B) {
- if codeJSON == nil {
- b.StopTimer()
- codeInit()
- b.StartTimer()
- }
- var r codeResponse
- for i := 0; i < b.N; i++ {
- if err := Unmarshal(codeJSON, &r); err != nil {
- b.Fatal("Unmmarshal:", err)
- }
- }
-}
-
-func BenchmarkUnmarshalString(b *testing.B) {
- data := []byte(`"hello, world"`)
- var s string
-
- for i := 0; i < b.N; i++ {
- if err := Unmarshal(data, &s); err != nil {
- b.Fatal("Unmarshal:", err)
- }
- }
-}
-
-func BenchmarkUnmarshalFloat64(b *testing.B) {
- var f float64
- data := []byte(`3.14`)
-
- for i := 0; i < b.N; i++ {
- if err := Unmarshal(data, &f); err != nil {
- b.Fatal("Unmarshal:", err)
- }
- }
-}
-
-func BenchmarkUnmarshalInt64(b *testing.B) {
- var x int64
- data := []byte(`3`)
-
- for i := 0; i < b.N; i++ {
- if err := Unmarshal(data, &x); err != nil {
- b.Fatal("Unmarshal:", err)
- }
- }
-}
-
-func BenchmarkIssue10335(b *testing.B) {
- b.ReportAllocs()
- var s struct{}
- j := []byte(`{"a":{ }}`)
- for n := 0; n < b.N; n++ {
- if err := Unmarshal(j, &s); err != nil {
- b.Fatal(err)
- }
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/decode.go b/vendor/gopkg.in/square/go-jose.v1/json/decode.go
deleted file mode 100644
index 37457e5a..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/decode.go
+++ /dev/null
@@ -1,1183 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Represents JSON data structure using native Go types: booleans, floats,
-// strings, arrays, and maps.
-
-package json
-
-import (
- "bytes"
- "encoding"
- "encoding/base64"
- "errors"
- "fmt"
- "reflect"
- "runtime"
- "strconv"
- "unicode"
- "unicode/utf16"
- "unicode/utf8"
-)
-
-// Unmarshal parses the JSON-encoded data and stores the result
-// in the value pointed to by v.
-//
-// Unmarshal uses the inverse of the encodings that
-// Marshal uses, allocating maps, slices, and pointers as necessary,
-// with the following additional rules:
-//
-// To unmarshal JSON into a pointer, Unmarshal first handles the case of
-// the JSON being the JSON literal null. In that case, Unmarshal sets
-// the pointer to nil. Otherwise, Unmarshal unmarshals the JSON into
-// the value pointed at by the pointer. If the pointer is nil, Unmarshal
-// allocates a new value for it to point to.
-//
-// To unmarshal JSON into a struct, Unmarshal matches incoming object
-// keys to the keys used by Marshal (either the struct field name or its tag),
-// preferring an exact match but also accepting a case-insensitive match.
-// Unmarshal will only set exported fields of the struct.
-//
-// To unmarshal JSON into an interface value,
-// Unmarshal stores one of these in the interface value:
-//
-// bool, for JSON booleans
-// float64, for JSON numbers
-// string, for JSON strings
-// []interface{}, for JSON arrays
-// map[string]interface{}, for JSON objects
-// nil for JSON null
-//
-// To unmarshal a JSON array into a slice, Unmarshal resets the slice length
-// to zero and then appends each element to the slice.
-// As a special case, to unmarshal an empty JSON array into a slice,
-// Unmarshal replaces the slice with a new empty slice.
-//
-// To unmarshal a JSON array into a Go array, Unmarshal decodes
-// JSON array elements into corresponding Go array elements.
-// If the Go array is smaller than the JSON array,
-// the additional JSON array elements are discarded.
-// If the JSON array is smaller than the Go array,
-// the additional Go array elements are set to zero values.
-//
-// To unmarshal a JSON object into a string-keyed map, Unmarshal first
-// establishes a map to use, If the map is nil, Unmarshal allocates a new map.
-// Otherwise Unmarshal reuses the existing map, keeping existing entries.
-// Unmarshal then stores key-value pairs from the JSON object into the map.
-//
-// If a JSON value is not appropriate for a given target type,
-// or if a JSON number overflows the target type, Unmarshal
-// skips that field and completes the unmarshaling as best it can.
-// If no more serious errors are encountered, Unmarshal returns
-// an UnmarshalTypeError describing the earliest such error.
-//
-// The JSON null value unmarshals into an interface, map, pointer, or slice
-// by setting that Go value to nil. Because null is often used in JSON to mean
-// ``not present,'' unmarshaling a JSON null into any other Go type has no effect
-// on the value and produces no error.
-//
-// When unmarshaling quoted strings, invalid UTF-8 or
-// invalid UTF-16 surrogate pairs are not treated as an error.
-// Instead, they are replaced by the Unicode replacement
-// character U+FFFD.
-//
-func Unmarshal(data []byte, v interface{}) error {
- // Check for well-formedness.
- // Avoids filling out half a data structure
- // before discovering a JSON syntax error.
- var d decodeState
- err := checkValid(data, &d.scan)
- if err != nil {
- return err
- }
-
- d.init(data)
- return d.unmarshal(v)
-}
-
-// Unmarshaler is the interface implemented by objects
-// that can unmarshal a JSON description of themselves.
-// The input can be assumed to be a valid encoding of
-// a JSON value. UnmarshalJSON must copy the JSON data
-// if it wishes to retain the data after returning.
-type Unmarshaler interface {
- UnmarshalJSON([]byte) error
-}
-
-// An UnmarshalTypeError describes a JSON value that was
-// not appropriate for a value of a specific Go type.
-type UnmarshalTypeError struct {
- Value string // description of JSON value - "bool", "array", "number -5"
- Type reflect.Type // type of Go value it could not be assigned to
- Offset int64 // error occurred after reading Offset bytes
-}
-
-func (e *UnmarshalTypeError) Error() string {
- return "json: cannot unmarshal " + e.Value + " into Go value of type " + e.Type.String()
-}
-
-// An UnmarshalFieldError describes a JSON object key that
-// led to an unexported (and therefore unwritable) struct field.
-// (No longer used; kept for compatibility.)
-type UnmarshalFieldError struct {
- Key string
- Type reflect.Type
- Field reflect.StructField
-}
-
-func (e *UnmarshalFieldError) Error() string {
- return "json: cannot unmarshal object key " + strconv.Quote(e.Key) + " into unexported field " + e.Field.Name + " of type " + e.Type.String()
-}
-
-// An InvalidUnmarshalError describes an invalid argument passed to Unmarshal.
-// (The argument to Unmarshal must be a non-nil pointer.)
-type InvalidUnmarshalError struct {
- Type reflect.Type
-}
-
-func (e *InvalidUnmarshalError) Error() string {
- if e.Type == nil {
- return "json: Unmarshal(nil)"
- }
-
- if e.Type.Kind() != reflect.Ptr {
- return "json: Unmarshal(non-pointer " + e.Type.String() + ")"
- }
- return "json: Unmarshal(nil " + e.Type.String() + ")"
-}
-
-func (d *decodeState) unmarshal(v interface{}) (err error) {
- defer func() {
- if r := recover(); r != nil {
- if _, ok := r.(runtime.Error); ok {
- panic(r)
- }
- err = r.(error)
- }
- }()
-
- rv := reflect.ValueOf(v)
- if rv.Kind() != reflect.Ptr || rv.IsNil() {
- return &InvalidUnmarshalError{reflect.TypeOf(v)}
- }
-
- d.scan.reset()
- // We decode rv not rv.Elem because the Unmarshaler interface
- // test must be applied at the top level of the value.
- d.value(rv)
- return d.savedError
-}
-
-// A Number represents a JSON number literal.
-type Number string
-
-// String returns the literal text of the number.
-func (n Number) String() string { return string(n) }
-
-// Float64 returns the number as a float64.
-func (n Number) Float64() (float64, error) {
- return strconv.ParseFloat(string(n), 64)
-}
-
-// Int64 returns the number as an int64.
-func (n Number) Int64() (int64, error) {
- return strconv.ParseInt(string(n), 10, 64)
-}
-
-// isValidNumber reports whether s is a valid JSON number literal.
-func isValidNumber(s string) bool {
- // This function implements the JSON numbers grammar.
- // See https://tools.ietf.org/html/rfc7159#section-6
- // and http://json.org/number.gif
-
- if s == "" {
- return false
- }
-
- // Optional -
- if s[0] == '-' {
- s = s[1:]
- if s == "" {
- return false
- }
- }
-
- // Digits
- switch {
- default:
- return false
-
- case s[0] == '0':
- s = s[1:]
-
- case '1' <= s[0] && s[0] <= '9':
- s = s[1:]
- for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
- s = s[1:]
- }
- }
-
- // . followed by 1 or more digits.
- if len(s) >= 2 && s[0] == '.' && '0' <= s[1] && s[1] <= '9' {
- s = s[2:]
- for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
- s = s[1:]
- }
- }
-
- // e or E followed by an optional - or + and
- // 1 or more digits.
- if len(s) >= 2 && (s[0] == 'e' || s[0] == 'E') {
- s = s[1:]
- if s[0] == '+' || s[0] == '-' {
- s = s[1:]
- if s == "" {
- return false
- }
- }
- for len(s) > 0 && '0' <= s[0] && s[0] <= '9' {
- s = s[1:]
- }
- }
-
- // Make sure we are at the end.
- return s == ""
-}
-
-// decodeState represents the state while decoding a JSON value.
-type decodeState struct {
- data []byte
- off int // read offset in data
- scan scanner
- nextscan scanner // for calls to nextValue
- savedError error
- useNumber bool
-}
-
-// errPhase is used for errors that should not happen unless
-// there is a bug in the JSON decoder or something is editing
-// the data slice while the decoder executes.
-var errPhase = errors.New("JSON decoder out of sync - data changing underfoot?")
-
-func (d *decodeState) init(data []byte) *decodeState {
- d.data = data
- d.off = 0
- d.savedError = nil
- return d
-}
-
-// error aborts the decoding by panicking with err.
-func (d *decodeState) error(err error) {
- panic(err)
-}
-
-// saveError saves the first err it is called with,
-// for reporting at the end of the unmarshal.
-func (d *decodeState) saveError(err error) {
- if d.savedError == nil {
- d.savedError = err
- }
-}
-
-// next cuts off and returns the next full JSON value in d.data[d.off:].
-// The next value is known to be an object or array, not a literal.
-func (d *decodeState) next() []byte {
- c := d.data[d.off]
- item, rest, err := nextValue(d.data[d.off:], &d.nextscan)
- if err != nil {
- d.error(err)
- }
- d.off = len(d.data) - len(rest)
-
- // Our scanner has seen the opening brace/bracket
- // and thinks we're still in the middle of the object.
- // invent a closing brace/bracket to get it out.
- if c == '{' {
- d.scan.step(&d.scan, '}')
- } else {
- d.scan.step(&d.scan, ']')
- }
-
- return item
-}
-
-// scanWhile processes bytes in d.data[d.off:] until it
-// receives a scan code not equal to op.
-// It updates d.off and returns the new scan code.
-func (d *decodeState) scanWhile(op int) int {
- var newOp int
- for {
- if d.off >= len(d.data) {
- newOp = d.scan.eof()
- d.off = len(d.data) + 1 // mark processed EOF with len+1
- } else {
- c := d.data[d.off]
- d.off++
- newOp = d.scan.step(&d.scan, c)
- }
- if newOp != op {
- break
- }
- }
- return newOp
-}
-
-// value decodes a JSON value from d.data[d.off:] into the value.
-// it updates d.off to point past the decoded value.
-func (d *decodeState) value(v reflect.Value) {
- if !v.IsValid() {
- _, rest, err := nextValue(d.data[d.off:], &d.nextscan)
- if err != nil {
- d.error(err)
- }
- d.off = len(d.data) - len(rest)
-
- // d.scan thinks we're still at the beginning of the item.
- // Feed in an empty string - the shortest, simplest value -
- // so that it knows we got to the end of the value.
- if d.scan.redo {
- // rewind.
- d.scan.redo = false
- d.scan.step = stateBeginValue
- }
- d.scan.step(&d.scan, '"')
- d.scan.step(&d.scan, '"')
-
- n := len(d.scan.parseState)
- if n > 0 && d.scan.parseState[n-1] == parseObjectKey {
- // d.scan thinks we just read an object key; finish the object
- d.scan.step(&d.scan, ':')
- d.scan.step(&d.scan, '"')
- d.scan.step(&d.scan, '"')
- d.scan.step(&d.scan, '}')
- }
-
- return
- }
-
- switch op := d.scanWhile(scanSkipSpace); op {
- default:
- d.error(errPhase)
-
- case scanBeginArray:
- d.array(v)
-
- case scanBeginObject:
- d.object(v)
-
- case scanBeginLiteral:
- d.literal(v)
- }
-}
-
-type unquotedValue struct{}
-
-// valueQuoted is like value but decodes a
-// quoted string literal or literal null into an interface value.
-// If it finds anything other than a quoted string literal or null,
-// valueQuoted returns unquotedValue{}.
-func (d *decodeState) valueQuoted() interface{} {
- switch op := d.scanWhile(scanSkipSpace); op {
- default:
- d.error(errPhase)
-
- case scanBeginArray:
- d.array(reflect.Value{})
-
- case scanBeginObject:
- d.object(reflect.Value{})
-
- case scanBeginLiteral:
- switch v := d.literalInterface().(type) {
- case nil, string:
- return v
- }
- }
- return unquotedValue{}
-}
-
-// indirect walks down v allocating pointers as needed,
-// until it gets to a non-pointer.
-// if it encounters an Unmarshaler, indirect stops and returns that.
-// if decodingNull is true, indirect stops at the last pointer so it can be set to nil.
-func (d *decodeState) indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnmarshaler, reflect.Value) {
- // If v is a named type and is addressable,
- // start with its address, so that if the type has pointer methods,
- // we find them.
- if v.Kind() != reflect.Ptr && v.Type().Name() != "" && v.CanAddr() {
- v = v.Addr()
- }
- for {
- // Load value from interface, but only if the result will be
- // usefully addressable.
- if v.Kind() == reflect.Interface && !v.IsNil() {
- e := v.Elem()
- if e.Kind() == reflect.Ptr && !e.IsNil() && (!decodingNull || e.Elem().Kind() == reflect.Ptr) {
- v = e
- continue
- }
- }
-
- if v.Kind() != reflect.Ptr {
- break
- }
-
- if v.Elem().Kind() != reflect.Ptr && decodingNull && v.CanSet() {
- break
- }
- if v.IsNil() {
- v.Set(reflect.New(v.Type().Elem()))
- }
- if v.Type().NumMethod() > 0 {
- if u, ok := v.Interface().(Unmarshaler); ok {
- return u, nil, reflect.Value{}
- }
- if u, ok := v.Interface().(encoding.TextUnmarshaler); ok {
- return nil, u, reflect.Value{}
- }
- }
- v = v.Elem()
- }
- return nil, nil, v
-}
-
-// array consumes an array from d.data[d.off-1:], decoding into the value v.
-// the first byte of the array ('[') has been read already.
-func (d *decodeState) array(v reflect.Value) {
- // Check for unmarshaler.
- u, ut, pv := d.indirect(v, false)
- if u != nil {
- d.off--
- err := u.UnmarshalJSON(d.next())
- if err != nil {
- d.error(err)
- }
- return
- }
- if ut != nil {
- d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
- d.off--
- d.next()
- return
- }
-
- v = pv
-
- // Check type of target.
- switch v.Kind() {
- case reflect.Interface:
- if v.NumMethod() == 0 {
- // Decoding into nil interface? Switch to non-reflect code.
- v.Set(reflect.ValueOf(d.arrayInterface()))
- return
- }
- // Otherwise it's invalid.
- fallthrough
- default:
- d.saveError(&UnmarshalTypeError{"array", v.Type(), int64(d.off)})
- d.off--
- d.next()
- return
- case reflect.Array:
- case reflect.Slice:
- break
- }
-
- i := 0
- for {
- // Look ahead for ] - can only happen on first iteration.
- op := d.scanWhile(scanSkipSpace)
- if op == scanEndArray {
- break
- }
-
- // Back up so d.value can have the byte we just read.
- d.off--
- d.scan.undo(op)
-
- // Get element of array, growing if necessary.
- if v.Kind() == reflect.Slice {
- // Grow slice if necessary
- if i >= v.Cap() {
- newcap := v.Cap() + v.Cap()/2
- if newcap < 4 {
- newcap = 4
- }
- newv := reflect.MakeSlice(v.Type(), v.Len(), newcap)
- reflect.Copy(newv, v)
- v.Set(newv)
- }
- if i >= v.Len() {
- v.SetLen(i + 1)
- }
- }
-
- if i < v.Len() {
- // Decode into element.
- d.value(v.Index(i))
- } else {
- // Ran out of fixed array: skip.
- d.value(reflect.Value{})
- }
- i++
-
- // Next token must be , or ].
- op = d.scanWhile(scanSkipSpace)
- if op == scanEndArray {
- break
- }
- if op != scanArrayValue {
- d.error(errPhase)
- }
- }
-
- if i < v.Len() {
- if v.Kind() == reflect.Array {
- // Array. Zero the rest.
- z := reflect.Zero(v.Type().Elem())
- for ; i < v.Len(); i++ {
- v.Index(i).Set(z)
- }
- } else {
- v.SetLen(i)
- }
- }
- if i == 0 && v.Kind() == reflect.Slice {
- v.Set(reflect.MakeSlice(v.Type(), 0, 0))
- }
-}
-
-var nullLiteral = []byte("null")
-
-// object consumes an object from d.data[d.off-1:], decoding into the value v.
-// the first byte ('{') of the object has been read already.
-func (d *decodeState) object(v reflect.Value) {
- // Check for unmarshaler.
- u, ut, pv := d.indirect(v, false)
- if u != nil {
- d.off--
- err := u.UnmarshalJSON(d.next())
- if err != nil {
- d.error(err)
- }
- return
- }
- if ut != nil {
- d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
- d.off--
- d.next() // skip over { } in input
- return
- }
- v = pv
-
- // Decoding into nil interface? Switch to non-reflect code.
- if v.Kind() == reflect.Interface && v.NumMethod() == 0 {
- v.Set(reflect.ValueOf(d.objectInterface()))
- return
- }
-
- // Check type of target: struct or map[string]T
- switch v.Kind() {
- case reflect.Map:
- // map must have string kind
- t := v.Type()
- if t.Key().Kind() != reflect.String {
- d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
- d.off--
- d.next() // skip over { } in input
- return
- }
- if v.IsNil() {
- v.Set(reflect.MakeMap(t))
- }
- case reflect.Struct:
-
- default:
- d.saveError(&UnmarshalTypeError{"object", v.Type(), int64(d.off)})
- d.off--
- d.next() // skip over { } in input
- return
- }
-
- var mapElem reflect.Value
- keys := map[string]bool{}
-
- for {
- // Read opening " of string key or closing }.
- op := d.scanWhile(scanSkipSpace)
- if op == scanEndObject {
- // closing } - can only happen on first iteration.
- break
- }
- if op != scanBeginLiteral {
- d.error(errPhase)
- }
-
- // Read key.
- start := d.off - 1
- op = d.scanWhile(scanContinue)
- item := d.data[start : d.off-1]
- key, ok := unquote(item)
- if !ok {
- d.error(errPhase)
- }
-
- // Check for duplicate keys.
- _, ok = keys[key]
- if !ok {
- keys[key] = true
- } else {
- d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
- }
-
- // Figure out field corresponding to key.
- var subv reflect.Value
- destring := false // whether the value is wrapped in a string to be decoded first
-
- if v.Kind() == reflect.Map {
- elemType := v.Type().Elem()
- if !mapElem.IsValid() {
- mapElem = reflect.New(elemType).Elem()
- } else {
- mapElem.Set(reflect.Zero(elemType))
- }
- subv = mapElem
- } else {
- var f *field
- fields := cachedTypeFields(v.Type())
- for i := range fields {
- ff := &fields[i]
- if bytes.Equal(ff.nameBytes, []byte(key)) {
- f = ff
- break
- }
- }
- if f != nil {
- subv = v
- destring = f.quoted
- for _, i := range f.index {
- if subv.Kind() == reflect.Ptr {
- if subv.IsNil() {
- subv.Set(reflect.New(subv.Type().Elem()))
- }
- subv = subv.Elem()
- }
- subv = subv.Field(i)
- }
- }
- }
-
- // Read : before value.
- if op == scanSkipSpace {
- op = d.scanWhile(scanSkipSpace)
- }
- if op != scanObjectKey {
- d.error(errPhase)
- }
-
- // Read value.
- if destring {
- switch qv := d.valueQuoted().(type) {
- case nil:
- d.literalStore(nullLiteral, subv, false)
- case string:
- d.literalStore([]byte(qv), subv, true)
- default:
- d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal unquoted value into %v", subv.Type()))
- }
- } else {
- d.value(subv)
- }
-
- // Write value back to map;
- // if using struct, subv points into struct already.
- if v.Kind() == reflect.Map {
- kv := reflect.ValueOf(key).Convert(v.Type().Key())
- v.SetMapIndex(kv, subv)
- }
-
- // Next token must be , or }.
- op = d.scanWhile(scanSkipSpace)
- if op == scanEndObject {
- break
- }
- if op != scanObjectValue {
- d.error(errPhase)
- }
- }
-}
-
-// literal consumes a literal from d.data[d.off-1:], decoding into the value v.
-// The first byte of the literal has been read already
-// (that's how the caller knows it's a literal).
-func (d *decodeState) literal(v reflect.Value) {
- // All bytes inside literal return scanContinue op code.
- start := d.off - 1
- op := d.scanWhile(scanContinue)
-
- // Scan read one byte too far; back up.
- d.off--
- d.scan.undo(op)
-
- d.literalStore(d.data[start:d.off], v, false)
-}
-
-// convertNumber converts the number literal s to a float64 or a Number
-// depending on the setting of d.useNumber.
-func (d *decodeState) convertNumber(s string) (interface{}, error) {
- if d.useNumber {
- return Number(s), nil
- }
- f, err := strconv.ParseFloat(s, 64)
- if err != nil {
- return nil, &UnmarshalTypeError{"number " + s, reflect.TypeOf(0.0), int64(d.off)}
- }
- return f, nil
-}
-
-var numberType = reflect.TypeOf(Number(""))
-
-// literalStore decodes a literal stored in item into v.
-//
-// fromQuoted indicates whether this literal came from unwrapping a
-// string from the ",string" struct tag option. this is used only to
-// produce more helpful error messages.
-func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
- // Check for unmarshaler.
- if len(item) == 0 {
- //Empty string given
- d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- return
- }
- wantptr := item[0] == 'n' // null
- u, ut, pv := d.indirect(v, wantptr)
- if u != nil {
- err := u.UnmarshalJSON(item)
- if err != nil {
- d.error(err)
- }
- return
- }
- if ut != nil {
- if item[0] != '"' {
- if fromQuoted {
- d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- } else {
- d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
- }
- return
- }
- s, ok := unquoteBytes(item)
- if !ok {
- if fromQuoted {
- d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- } else {
- d.error(errPhase)
- }
- }
- err := ut.UnmarshalText(s)
- if err != nil {
- d.error(err)
- }
- return
- }
-
- v = pv
-
- switch c := item[0]; c {
- case 'n': // null
- switch v.Kind() {
- case reflect.Interface, reflect.Ptr, reflect.Map, reflect.Slice:
- v.Set(reflect.Zero(v.Type()))
- // otherwise, ignore null for primitives/string
- }
- case 't', 'f': // true, false
- value := c == 't'
- switch v.Kind() {
- default:
- if fromQuoted {
- d.saveError(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- } else {
- d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
- }
- case reflect.Bool:
- v.SetBool(value)
- case reflect.Interface:
- if v.NumMethod() == 0 {
- v.Set(reflect.ValueOf(value))
- } else {
- d.saveError(&UnmarshalTypeError{"bool", v.Type(), int64(d.off)})
- }
- }
-
- case '"': // string
- s, ok := unquoteBytes(item)
- if !ok {
- if fromQuoted {
- d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- } else {
- d.error(errPhase)
- }
- }
- switch v.Kind() {
- default:
- d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
- case reflect.Slice:
- if v.Type().Elem().Kind() != reflect.Uint8 {
- d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
- break
- }
- b := make([]byte, base64.StdEncoding.DecodedLen(len(s)))
- n, err := base64.StdEncoding.Decode(b, s)
- if err != nil {
- d.saveError(err)
- break
- }
- v.SetBytes(b[:n])
- case reflect.String:
- v.SetString(string(s))
- case reflect.Interface:
- if v.NumMethod() == 0 {
- v.Set(reflect.ValueOf(string(s)))
- } else {
- d.saveError(&UnmarshalTypeError{"string", v.Type(), int64(d.off)})
- }
- }
-
- default: // number
- if c != '-' && (c < '0' || c > '9') {
- if fromQuoted {
- d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- } else {
- d.error(errPhase)
- }
- }
- s := string(item)
- switch v.Kind() {
- default:
- if v.Kind() == reflect.String && v.Type() == numberType {
- v.SetString(s)
- if !isValidNumber(s) {
- d.error(fmt.Errorf("json: invalid number literal, trying to unmarshal %q into Number", item))
- }
- break
- }
- if fromQuoted {
- d.error(fmt.Errorf("json: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
- } else {
- d.error(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
- }
- case reflect.Interface:
- n, err := d.convertNumber(s)
- if err != nil {
- d.saveError(err)
- break
- }
- if v.NumMethod() != 0 {
- d.saveError(&UnmarshalTypeError{"number", v.Type(), int64(d.off)})
- break
- }
- v.Set(reflect.ValueOf(n))
-
- case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
- n, err := strconv.ParseInt(s, 10, 64)
- if err != nil || v.OverflowInt(n) {
- d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
- break
- }
- v.SetInt(n)
-
- case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
- n, err := strconv.ParseUint(s, 10, 64)
- if err != nil || v.OverflowUint(n) {
- d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
- break
- }
- v.SetUint(n)
-
- case reflect.Float32, reflect.Float64:
- n, err := strconv.ParseFloat(s, v.Type().Bits())
- if err != nil || v.OverflowFloat(n) {
- d.saveError(&UnmarshalTypeError{"number " + s, v.Type(), int64(d.off)})
- break
- }
- v.SetFloat(n)
- }
- }
-}
-
-// The xxxInterface routines build up a value to be stored
-// in an empty interface. They are not strictly necessary,
-// but they avoid the weight of reflection in this common case.
-
-// valueInterface is like value but returns interface{}
-func (d *decodeState) valueInterface() interface{} {
- switch d.scanWhile(scanSkipSpace) {
- default:
- d.error(errPhase)
- panic("unreachable")
- case scanBeginArray:
- return d.arrayInterface()
- case scanBeginObject:
- return d.objectInterface()
- case scanBeginLiteral:
- return d.literalInterface()
- }
-}
-
-// arrayInterface is like array but returns []interface{}.
-func (d *decodeState) arrayInterface() []interface{} {
- var v = make([]interface{}, 0)
- for {
- // Look ahead for ] - can only happen on first iteration.
- op := d.scanWhile(scanSkipSpace)
- if op == scanEndArray {
- break
- }
-
- // Back up so d.value can have the byte we just read.
- d.off--
- d.scan.undo(op)
-
- v = append(v, d.valueInterface())
-
- // Next token must be , or ].
- op = d.scanWhile(scanSkipSpace)
- if op == scanEndArray {
- break
- }
- if op != scanArrayValue {
- d.error(errPhase)
- }
- }
- return v
-}
-
-// objectInterface is like object but returns map[string]interface{}.
-func (d *decodeState) objectInterface() map[string]interface{} {
- m := make(map[string]interface{})
- keys := map[string]bool{}
-
- for {
- // Read opening " of string key or closing }.
- op := d.scanWhile(scanSkipSpace)
- if op == scanEndObject {
- // closing } - can only happen on first iteration.
- break
- }
- if op != scanBeginLiteral {
- d.error(errPhase)
- }
-
- // Read string key.
- start := d.off - 1
- op = d.scanWhile(scanContinue)
- item := d.data[start : d.off-1]
- key, ok := unquote(item)
- if !ok {
- d.error(errPhase)
- }
-
- // Check for duplicate keys.
- _, ok = keys[key]
- if !ok {
- keys[key] = true
- } else {
- d.error(fmt.Errorf("json: duplicate key '%s' in object", key))
- }
-
- // Read : before value.
- if op == scanSkipSpace {
- op = d.scanWhile(scanSkipSpace)
- }
- if op != scanObjectKey {
- d.error(errPhase)
- }
-
- // Read value.
- m[key] = d.valueInterface()
-
- // Next token must be , or }.
- op = d.scanWhile(scanSkipSpace)
- if op == scanEndObject {
- break
- }
- if op != scanObjectValue {
- d.error(errPhase)
- }
- }
- return m
-}
-
-// literalInterface is like literal but returns an interface value.
-func (d *decodeState) literalInterface() interface{} {
- // All bytes inside literal return scanContinue op code.
- start := d.off - 1
- op := d.scanWhile(scanContinue)
-
- // Scan read one byte too far; back up.
- d.off--
- d.scan.undo(op)
- item := d.data[start:d.off]
-
- switch c := item[0]; c {
- case 'n': // null
- return nil
-
- case 't', 'f': // true, false
- return c == 't'
-
- case '"': // string
- s, ok := unquote(item)
- if !ok {
- d.error(errPhase)
- }
- return s
-
- default: // number
- if c != '-' && (c < '0' || c > '9') {
- d.error(errPhase)
- }
- n, err := d.convertNumber(string(item))
- if err != nil {
- d.saveError(err)
- }
- return n
- }
-}
-
-// getu4 decodes \uXXXX from the beginning of s, returning the hex value,
-// or it returns -1.
-func getu4(s []byte) rune {
- if len(s) < 6 || s[0] != '\\' || s[1] != 'u' {
- return -1
- }
- r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
- if err != nil {
- return -1
- }
- return rune(r)
-}
-
-// unquote converts a quoted JSON string literal s into an actual string t.
-// The rules are different than for Go, so cannot use strconv.Unquote.
-func unquote(s []byte) (t string, ok bool) {
- s, ok = unquoteBytes(s)
- t = string(s)
- return
-}
-
-func unquoteBytes(s []byte) (t []byte, ok bool) {
- if len(s) < 2 || s[0] != '"' || s[len(s)-1] != '"' {
- return
- }
- s = s[1 : len(s)-1]
-
- // Check for unusual characters. If there are none,
- // then no unquoting is needed, so return a slice of the
- // original bytes.
- r := 0
- for r < len(s) {
- c := s[r]
- if c == '\\' || c == '"' || c < ' ' {
- break
- }
- if c < utf8.RuneSelf {
- r++
- continue
- }
- rr, size := utf8.DecodeRune(s[r:])
- if rr == utf8.RuneError && size == 1 {
- break
- }
- r += size
- }
- if r == len(s) {
- return s, true
- }
-
- b := make([]byte, len(s)+2*utf8.UTFMax)
- w := copy(b, s[0:r])
- for r < len(s) {
- // Out of room? Can only happen if s is full of
- // malformed UTF-8 and we're replacing each
- // byte with RuneError.
- if w >= len(b)-2*utf8.UTFMax {
- nb := make([]byte, (len(b)+utf8.UTFMax)*2)
- copy(nb, b[0:w])
- b = nb
- }
- switch c := s[r]; {
- case c == '\\':
- r++
- if r >= len(s) {
- return
- }
- switch s[r] {
- default:
- return
- case '"', '\\', '/', '\'':
- b[w] = s[r]
- r++
- w++
- case 'b':
- b[w] = '\b'
- r++
- w++
- case 'f':
- b[w] = '\f'
- r++
- w++
- case 'n':
- b[w] = '\n'
- r++
- w++
- case 'r':
- b[w] = '\r'
- r++
- w++
- case 't':
- b[w] = '\t'
- r++
- w++
- case 'u':
- r--
- rr := getu4(s[r:])
- if rr < 0 {
- return
- }
- r += 6
- if utf16.IsSurrogate(rr) {
- rr1 := getu4(s[r:])
- if dec := utf16.DecodeRune(rr, rr1); dec != unicode.ReplacementChar {
- // A valid pair; consume.
- r += 6
- w += utf8.EncodeRune(b[w:], dec)
- break
- }
- // Invalid surrogate; fall back to replacement rune.
- rr = unicode.ReplacementChar
- }
- w += utf8.EncodeRune(b[w:], rr)
- }
-
- // Quote, control characters are invalid.
- case c == '"', c < ' ':
- return
-
- // ASCII
- case c < utf8.RuneSelf:
- b[w] = c
- r++
- w++
-
- // Coerce to well-formed UTF-8.
- default:
- rr, size := utf8.DecodeRune(s[r:])
- r += size
- w += utf8.EncodeRune(b[w:], rr)
- }
- }
- return b[0:w], true
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/decode_test.go b/vendor/gopkg.in/square/go-jose.v1/json/decode_test.go
deleted file mode 100644
index 7577b21a..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/decode_test.go
+++ /dev/null
@@ -1,1474 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "bytes"
- "encoding"
- "fmt"
- "image"
- "net"
- "reflect"
- "strings"
- "testing"
- "time"
-)
-
-type T struct {
- X string
- Y int
- Z int `json:"-"`
-}
-
-type U struct {
- Alphabet string `json:"alpha"`
-}
-
-type V struct {
- F1 interface{}
- F2 int32
- F3 Number
-}
-
-// ifaceNumAsFloat64/ifaceNumAsNumber are used to test unmarshaling with and
-// without UseNumber
-var ifaceNumAsFloat64 = map[string]interface{}{
- "k1": float64(1),
- "k2": "s",
- "k3": []interface{}{float64(1), float64(2.0), float64(3e-3)},
- "k4": map[string]interface{}{"kk1": "s", "kk2": float64(2)},
-}
-
-var ifaceNumAsNumber = map[string]interface{}{
- "k1": Number("1"),
- "k2": "s",
- "k3": []interface{}{Number("1"), Number("2.0"), Number("3e-3")},
- "k4": map[string]interface{}{"kk1": "s", "kk2": Number("2")},
-}
-
-type tx struct {
- x int
-}
-
-// A type that can unmarshal itself.
-
-type unmarshaler struct {
- T bool
-}
-
-func (u *unmarshaler) UnmarshalJSON(b []byte) error {
- *u = unmarshaler{true} // All we need to see that UnmarshalJSON is called.
- return nil
-}
-
-type ustruct struct {
- M unmarshaler
-}
-
-type unmarshalerText struct {
- T bool
-}
-
-// needed for re-marshaling tests
-func (u *unmarshalerText) MarshalText() ([]byte, error) {
- return []byte(""), nil
-}
-
-func (u *unmarshalerText) UnmarshalText(b []byte) error {
- *u = unmarshalerText{true} // All we need to see that UnmarshalText is called.
- return nil
-}
-
-var _ encoding.TextUnmarshaler = (*unmarshalerText)(nil)
-
-type ustructText struct {
- M unmarshalerText
-}
-
-var (
- um0, um1 unmarshaler // target2 of unmarshaling
- ump = &um1
- umtrue = unmarshaler{true}
- umslice = []unmarshaler{{true}}
- umslicep = new([]unmarshaler)
- umstruct = ustruct{unmarshaler{true}}
-
- um0T, um1T unmarshalerText // target2 of unmarshaling
- umpT = &um1T
- umtrueT = unmarshalerText{true}
- umsliceT = []unmarshalerText{{true}}
- umslicepT = new([]unmarshalerText)
- umstructT = ustructText{unmarshalerText{true}}
-)
-
-// Test data structures for anonymous fields.
-
-type Point struct {
- Z int
-}
-
-type Top struct {
- Level0 int
- Embed0
- *Embed0a
- *Embed0b `json:"e,omitempty"` // treated as named
- Embed0c `json:"-"` // ignored
- Loop
- Embed0p // has Point with X, Y, used
- Embed0q // has Point with Z, used
- embed // contains exported field
-}
-
-type Embed0 struct {
- Level1a int // overridden by Embed0a's Level1a with json tag
- Level1b int // used because Embed0a's Level1b is renamed
- Level1c int // used because Embed0a's Level1c is ignored
- Level1d int // annihilated by Embed0a's Level1d
- Level1e int `json:"x"` // annihilated by Embed0a.Level1e
-}
-
-type Embed0a struct {
- Level1a int `json:"Level1a,omitempty"`
- Level1b int `json:"LEVEL1B,omitempty"`
- Level1c int `json:"-"`
- Level1d int // annihilated by Embed0's Level1d
- Level1f int `json:"x"` // annihilated by Embed0's Level1e
-}
-
-type Embed0b Embed0
-
-type Embed0c Embed0
-
-type Embed0p struct {
- image.Point
-}
-
-type Embed0q struct {
- Point
-}
-
-type embed struct {
- Q int
-}
-
-type Loop struct {
- Loop1 int `json:",omitempty"`
- Loop2 int `json:",omitempty"`
- *Loop
-}
-
-// From reflect test:
-// The X in S6 and S7 annihilate, but they also block the X in S8.S9.
-type S5 struct {
- S6
- S7
- S8
-}
-
-type S6 struct {
- X int
-}
-
-type S7 S6
-
-type S8 struct {
- S9
-}
-
-type S9 struct {
- X int
- Y int
-}
-
-// From reflect test:
-// The X in S11.S6 and S12.S6 annihilate, but they also block the X in S13.S8.S9.
-type S10 struct {
- S11
- S12
- S13
-}
-
-type S11 struct {
- S6
-}
-
-type S12 struct {
- S6
-}
-
-type S13 struct {
- S8
-}
-
-type unmarshalTest struct {
- in string
- ptr interface{}
- out interface{}
- err error
- useNumber bool
-}
-
-type XYZ struct {
- X interface{}
- Y interface{}
- Z interface{}
-}
-
-func sliceAddr(x []int) *[]int { return &x }
-func mapAddr(x map[string]int) *map[string]int { return &x }
-
-var unmarshalTests = []unmarshalTest{
- // basic types
- {in: `true`, ptr: new(bool), out: true},
- {in: `1`, ptr: new(int), out: 1},
- {in: `1.2`, ptr: new(float64), out: 1.2},
- {in: `-5`, ptr: new(int16), out: int16(-5)},
- {in: `2`, ptr: new(Number), out: Number("2"), useNumber: true},
- {in: `2`, ptr: new(Number), out: Number("2")},
- {in: `2`, ptr: new(interface{}), out: float64(2.0)},
- {in: `2`, ptr: new(interface{}), out: Number("2"), useNumber: true},
- {in: `"a\u1234"`, ptr: new(string), out: "a\u1234"},
- {in: `"http:\/\/"`, ptr: new(string), out: "http://"},
- {in: `"g-clef: \uD834\uDD1E"`, ptr: new(string), out: "g-clef: \U0001D11E"},
- {in: `"invalid: \uD834x\uDD1E"`, ptr: new(string), out: "invalid: \uFFFDx\uFFFD"},
- {in: "null", ptr: new(interface{}), out: nil},
- {in: `{"X": [1,2,3], "Y": 4}`, ptr: new(T), out: T{Y: 4}, err: &UnmarshalTypeError{"array", reflect.TypeOf(""), 7}},
- {in: `{"x": 1}`, ptr: new(tx), out: tx{}},
- {in: `{"F1":1,"F2":2,"F3":3}`, ptr: new(V), out: V{F1: float64(1), F2: int32(2), F3: Number("3")}},
- {in: `{"F1":1,"F2":2,"F3":3}`, ptr: new(V), out: V{F1: Number("1"), F2: int32(2), F3: Number("3")}, useNumber: true},
- {in: `{"k1":1,"k2":"s","k3":[1,2.0,3e-3],"k4":{"kk1":"s","kk2":2}}`, ptr: new(interface{}), out: ifaceNumAsFloat64},
- {in: `{"k1":1,"k2":"s","k3":[1,2.0,3e-3],"k4":{"kk1":"s","kk2":2}}`, ptr: new(interface{}), out: ifaceNumAsNumber, useNumber: true},
-
- // raw values with whitespace
- {in: "\n true ", ptr: new(bool), out: true},
- {in: "\t 1 ", ptr: new(int), out: 1},
- {in: "\r 1.2 ", ptr: new(float64), out: 1.2},
- {in: "\t -5 \n", ptr: new(int16), out: int16(-5)},
- {in: "\t \"a\\u1234\" \n", ptr: new(string), out: "a\u1234"},
-
- // Z has a "-" tag.
- {in: `{"Y": 1, "Z": 2}`, ptr: new(T), out: T{Y: 1}},
-
- {in: `{"alpha": "abc", "alphabet": "xyz"}`, ptr: new(U), out: U{Alphabet: "abc"}},
- {in: `{"alpha": "abc"}`, ptr: new(U), out: U{Alphabet: "abc"}},
- {in: `{"alphabet": "xyz"}`, ptr: new(U), out: U{}},
-
- // syntax errors
- {in: `{"X": "foo", "Y"}`, err: &SyntaxError{"invalid character '}' after object key", 17}},
- {in: `[1, 2, 3+]`, err: &SyntaxError{"invalid character '+' after array element", 9}},
- {in: `{"X":12x}`, err: &SyntaxError{"invalid character 'x' after object key:value pair", 8}, useNumber: true},
-
- // raw value errors
- {in: "\x01 42", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
- {in: " 42 \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 5}},
- {in: "\x01 true", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
- {in: " false \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 8}},
- {in: "\x01 1.2", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
- {in: " 3.4 \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 6}},
- {in: "\x01 \"string\"", err: &SyntaxError{"invalid character '\\x01' looking for beginning of value", 1}},
- {in: " \"string\" \x01", err: &SyntaxError{"invalid character '\\x01' after top-level value", 11}},
-
- // array tests
- {in: `[1, 2, 3]`, ptr: new([3]int), out: [3]int{1, 2, 3}},
- {in: `[1, 2, 3]`, ptr: new([1]int), out: [1]int{1}},
- {in: `[1, 2, 3]`, ptr: new([5]int), out: [5]int{1, 2, 3, 0, 0}},
-
- // empty array to interface test
- {in: `[]`, ptr: new([]interface{}), out: []interface{}{}},
- {in: `null`, ptr: new([]interface{}), out: []interface{}(nil)},
- {in: `{"T":[]}`, ptr: new(map[string]interface{}), out: map[string]interface{}{"T": []interface{}{}}},
- {in: `{"T":null}`, ptr: new(map[string]interface{}), out: map[string]interface{}{"T": interface{}(nil)}},
-
- // composite tests
- {in: allValueIndent, ptr: new(All), out: allValue},
- {in: allValueCompact, ptr: new(All), out: allValue},
- {in: allValueIndent, ptr: new(*All), out: &allValue},
- {in: allValueCompact, ptr: new(*All), out: &allValue},
- {in: pallValueIndent, ptr: new(All), out: pallValue},
- {in: pallValueCompact, ptr: new(All), out: pallValue},
- {in: pallValueIndent, ptr: new(*All), out: &pallValue},
- {in: pallValueCompact, ptr: new(*All), out: &pallValue},
-
- // unmarshal interface test
- {in: `{"T":false}`, ptr: &um0, out: umtrue}, // use "false" so test will fail if custom unmarshaler is not called
- {in: `{"T":false}`, ptr: &ump, out: &umtrue},
- {in: `[{"T":false}]`, ptr: &umslice, out: umslice},
- {in: `[{"T":false}]`, ptr: &umslicep, out: &umslice},
- {in: `{"M":{"T":false}}`, ptr: &umstruct, out: umstruct},
-
- // UnmarshalText interface test
- {in: `"X"`, ptr: &um0T, out: umtrueT}, // use "false" so test will fail if custom unmarshaler is not called
- {in: `"X"`, ptr: &umpT, out: &umtrueT},
- {in: `["X"]`, ptr: &umsliceT, out: umsliceT},
- {in: `["X"]`, ptr: &umslicepT, out: &umsliceT},
- {in: `{"M":"X"}`, ptr: &umstructT, out: umstructT},
-
- // Overwriting of data.
- // This is different from package xml, but it's what we've always done.
- // Now documented and tested.
- {in: `[2]`, ptr: sliceAddr([]int{1}), out: []int{2}},
- {in: `{"key": 2}`, ptr: mapAddr(map[string]int{"old": 0, "key": 1}), out: map[string]int{"key": 2}},
-
- {
- in: `{
- "Level0": 1,
- "Level1b": 2,
- "Level1c": 3,
- "x": 4,
- "Level1a": 5,
- "LEVEL1B": 6,
- "e": {
- "Level1a": 8,
- "Level1b": 9,
- "Level1c": 10,
- "Level1d": 11,
- "x": 12
- },
- "Loop1": 13,
- "Loop2": 14,
- "X": 15,
- "Y": 16,
- "Z": 17,
- "Q": 18
- }`,
- ptr: new(Top),
- out: Top{
- Level0: 1,
- Embed0: Embed0{
- Level1b: 2,
- Level1c: 3,
- },
- Embed0a: &Embed0a{
- Level1a: 5,
- Level1b: 6,
- },
- Embed0b: &Embed0b{
- Level1a: 8,
- Level1b: 9,
- Level1c: 10,
- Level1d: 11,
- Level1e: 12,
- },
- Loop: Loop{
- Loop1: 13,
- Loop2: 14,
- },
- Embed0p: Embed0p{
- Point: image.Point{X: 15, Y: 16},
- },
- Embed0q: Embed0q{
- Point: Point{Z: 17},
- },
- embed: embed{
- Q: 18,
- },
- },
- },
- {
- in: `{"X": 1,"Y":2}`,
- ptr: new(S5),
- out: S5{S8: S8{S9: S9{Y: 2}}},
- },
- {
- in: `{"X": 1,"Y":2}`,
- ptr: new(S10),
- out: S10{S13: S13{S8: S8{S9: S9{Y: 2}}}},
- },
-
- // invalid UTF-8 is coerced to valid UTF-8.
- {
- in: "\"hello\xffworld\"",
- ptr: new(string),
- out: "hello\ufffdworld",
- },
- {
- in: "\"hello\xc2\xc2world\"",
- ptr: new(string),
- out: "hello\ufffd\ufffdworld",
- },
- {
- in: "\"hello\xc2\xffworld\"",
- ptr: new(string),
- out: "hello\ufffd\ufffdworld",
- },
- {
- in: "\"hello\\ud800world\"",
- ptr: new(string),
- out: "hello\ufffdworld",
- },
- {
- in: "\"hello\\ud800\\ud800world\"",
- ptr: new(string),
- out: "hello\ufffd\ufffdworld",
- },
- {
- in: "\"hello\\ud800\\ud800world\"",
- ptr: new(string),
- out: "hello\ufffd\ufffdworld",
- },
- {
- in: "\"hello\xed\xa0\x80\xed\xb0\x80world\"",
- ptr: new(string),
- out: "hello\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdworld",
- },
-
- // issue 8305
- {
- in: `{"2009-11-10T23:00:00Z": "hello world"}`,
- ptr: &map[time.Time]string{},
- err: &UnmarshalTypeError{"object", reflect.TypeOf(map[time.Time]string{}), 1},
- },
-}
-
-func TestMarshal(t *testing.T) {
- b, err := Marshal(allValue)
- if err != nil {
- t.Fatalf("Marshal allValue: %v", err)
- }
- if string(b) != allValueCompact {
- t.Errorf("Marshal allValueCompact")
- diff(t, b, []byte(allValueCompact))
- return
- }
-
- b, err = Marshal(pallValue)
- if err != nil {
- t.Fatalf("Marshal pallValue: %v", err)
- }
- if string(b) != pallValueCompact {
- t.Errorf("Marshal pallValueCompact")
- diff(t, b, []byte(pallValueCompact))
- return
- }
-}
-
-var badUTF8 = []struct {
- in, out string
-}{
- {"hello\xffworld", `"hello\ufffdworld"`},
- {"", `""`},
- {"\xff", `"\ufffd"`},
- {"\xff\xff", `"\ufffd\ufffd"`},
- {"a\xffb", `"a\ufffdb"`},
- {"\xe6\x97\xa5\xe6\x9c\xac\xff\xaa\x9e", `"日本\ufffd\ufffd\ufffd"`},
-}
-
-func TestMarshalBadUTF8(t *testing.T) {
- for _, tt := range badUTF8 {
- b, err := Marshal(tt.in)
- if string(b) != tt.out || err != nil {
- t.Errorf("Marshal(%q) = %#q, %v, want %#q, nil", tt.in, b, err, tt.out)
- }
- }
-}
-
-func TestMarshalNumberZeroVal(t *testing.T) {
- var n Number
- out, err := Marshal(n)
- if err != nil {
- t.Fatal(err)
- }
- outStr := string(out)
- if outStr != "0" {
- t.Fatalf("Invalid zero val for Number: %q", outStr)
- }
-}
-
-func TestMarshalEmbeds(t *testing.T) {
- top := &Top{
- Level0: 1,
- Embed0: Embed0{
- Level1b: 2,
- Level1c: 3,
- },
- Embed0a: &Embed0a{
- Level1a: 5,
- Level1b: 6,
- },
- Embed0b: &Embed0b{
- Level1a: 8,
- Level1b: 9,
- Level1c: 10,
- Level1d: 11,
- Level1e: 12,
- },
- Loop: Loop{
- Loop1: 13,
- Loop2: 14,
- },
- Embed0p: Embed0p{
- Point: image.Point{X: 15, Y: 16},
- },
- Embed0q: Embed0q{
- Point: Point{Z: 17},
- },
- embed: embed{
- Q: 18,
- },
- }
- b, err := Marshal(top)
- if err != nil {
- t.Fatal(err)
- }
- want := "{\"Level0\":1,\"Level1b\":2,\"Level1c\":3,\"Level1a\":5,\"LEVEL1B\":6,\"e\":{\"Level1a\":8,\"Level1b\":9,\"Level1c\":10,\"Level1d\":11,\"x\":12},\"Loop1\":13,\"Loop2\":14,\"X\":15,\"Y\":16,\"Z\":17,\"Q\":18}"
- if string(b) != want {
- t.Errorf("Wrong marshal result.\n got: %q\nwant: %q", b, want)
- }
-}
-
-func TestUnmarshal(t *testing.T) {
- for i, tt := range unmarshalTests {
- var scan scanner
- in := []byte(tt.in)
- if err := checkValid(in, &scan); err != nil {
- if !reflect.DeepEqual(err, tt.err) {
- t.Errorf("#%d: checkValid: %#v", i, err)
- continue
- }
- }
- if tt.ptr == nil {
- continue
- }
-
- // v = new(right-type)
- v := reflect.New(reflect.TypeOf(tt.ptr).Elem())
- dec := NewDecoder(bytes.NewReader(in))
- if tt.useNumber {
- dec.UseNumber()
- }
- if err := dec.Decode(v.Interface()); !reflect.DeepEqual(err, tt.err) {
- t.Errorf("#%d: %v, want %v", i, err, tt.err)
- continue
- } else if err != nil {
- continue
- }
- if !reflect.DeepEqual(v.Elem().Interface(), tt.out) {
- t.Errorf("#%d: mismatch\nhave: %#+v\nwant: %#+v", i, v.Elem().Interface(), tt.out)
- data, _ := Marshal(v.Elem().Interface())
- println(string(data))
- data, _ = Marshal(tt.out)
- println(string(data))
- continue
- }
-
- // Check round trip.
- if tt.err == nil {
- enc, err := Marshal(v.Interface())
- if err != nil {
- t.Errorf("#%d: error re-marshaling: %v", i, err)
- continue
- }
- vv := reflect.New(reflect.TypeOf(tt.ptr).Elem())
- dec = NewDecoder(bytes.NewReader(enc))
- if tt.useNumber {
- dec.UseNumber()
- }
- if err := dec.Decode(vv.Interface()); err != nil {
- t.Errorf("#%d: error re-unmarshaling %#q: %v", i, enc, err)
- continue
- }
- if !reflect.DeepEqual(v.Elem().Interface(), vv.Elem().Interface()) {
- t.Errorf("#%d: mismatch\nhave: %#+v\nwant: %#+v", i, v.Elem().Interface(), vv.Elem().Interface())
- t.Errorf(" In: %q", strings.Map(noSpace, string(in)))
- t.Errorf("Marshal: %q", strings.Map(noSpace, string(enc)))
- continue
- }
- }
- }
-}
-
-func TestUnmarshalMarshal(t *testing.T) {
- initBig()
- var v interface{}
- if err := Unmarshal(jsonBig, &v); err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- b, err := Marshal(v)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- if !bytes.Equal(jsonBig, b) {
- t.Errorf("Marshal jsonBig")
- diff(t, b, jsonBig)
- return
- }
-}
-
-var numberTests = []struct {
- in string
- i int64
- intErr string
- f float64
- floatErr string
-}{
- {in: "-1.23e1", intErr: "strconv.ParseInt: parsing \"-1.23e1\": invalid syntax", f: -1.23e1},
- {in: "-12", i: -12, f: -12.0},
- {in: "1e1000", intErr: "strconv.ParseInt: parsing \"1e1000\": invalid syntax", floatErr: "strconv.ParseFloat: parsing \"1e1000\": value out of range"},
-}
-
-// Independent of Decode, basic coverage of the accessors in Number
-func TestNumberAccessors(t *testing.T) {
- for _, tt := range numberTests {
- n := Number(tt.in)
- if s := n.String(); s != tt.in {
- t.Errorf("Number(%q).String() is %q", tt.in, s)
- }
- if i, err := n.Int64(); err == nil && tt.intErr == "" && i != tt.i {
- t.Errorf("Number(%q).Int64() is %d", tt.in, i)
- } else if (err == nil && tt.intErr != "") || (err != nil && err.Error() != tt.intErr) {
- t.Errorf("Number(%q).Int64() wanted error %q but got: %v", tt.in, tt.intErr, err)
- }
- if f, err := n.Float64(); err == nil && tt.floatErr == "" && f != tt.f {
- t.Errorf("Number(%q).Float64() is %g", tt.in, f)
- } else if (err == nil && tt.floatErr != "") || (err != nil && err.Error() != tt.floatErr) {
- t.Errorf("Number(%q).Float64() wanted error %q but got: %v", tt.in, tt.floatErr, err)
- }
- }
-}
-
-func TestLargeByteSlice(t *testing.T) {
- s0 := make([]byte, 2000)
- for i := range s0 {
- s0[i] = byte(i)
- }
- b, err := Marshal(s0)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- var s1 []byte
- if err := Unmarshal(b, &s1); err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if !bytes.Equal(s0, s1) {
- t.Errorf("Marshal large byte slice")
- diff(t, s0, s1)
- }
-}
-
-type Xint struct {
- X int
-}
-
-func TestUnmarshalInterface(t *testing.T) {
- var xint Xint
- var i interface{} = &xint
- if err := Unmarshal([]byte(`{"X":1}`), &i); err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if xint.X != 1 {
- t.Fatalf("Did not write to xint")
- }
-}
-
-func TestUnmarshalPtrPtr(t *testing.T) {
- var xint Xint
- pxint := &xint
- if err := Unmarshal([]byte(`{"X":1}`), &pxint); err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if xint.X != 1 {
- t.Fatalf("Did not write to xint")
- }
-}
-
-func TestEscape(t *testing.T) {
- const input = `"foobar"<html>` + " [\u2028 \u2029]"
- const expected = `"\"foobar\"\u003chtml\u003e [\u2028 \u2029]"`
- b, err := Marshal(input)
- if err != nil {
- t.Fatalf("Marshal error: %v", err)
- }
- if s := string(b); s != expected {
- t.Errorf("Encoding of [%s]:\n got [%s]\nwant [%s]", input, s, expected)
- }
-}
-
-// WrongString is a struct that's misusing the ,string modifier.
-type WrongString struct {
- Message string `json:"result,string"`
-}
-
-type wrongStringTest struct {
- in, err string
-}
-
-var wrongStringTests = []wrongStringTest{
- {`{"result":"x"}`, `json: invalid use of ,string struct tag, trying to unmarshal "x" into string`},
- {`{"result":"foo"}`, `json: invalid use of ,string struct tag, trying to unmarshal "foo" into string`},
- {`{"result":"123"}`, `json: invalid use of ,string struct tag, trying to unmarshal "123" into string`},
- {`{"result":123}`, `json: invalid use of ,string struct tag, trying to unmarshal unquoted value into string`},
-}
-
-// If people misuse the ,string modifier, the error message should be
-// helpful, telling the user that they're doing it wrong.
-func TestErrorMessageFromMisusedString(t *testing.T) {
- for n, tt := range wrongStringTests {
- r := strings.NewReader(tt.in)
- var s WrongString
- err := NewDecoder(r).Decode(&s)
- got := fmt.Sprintf("%v", err)
- if got != tt.err {
- t.Errorf("%d. got err = %q, want %q", n, got, tt.err)
- }
- }
-}
-
-func noSpace(c rune) rune {
- if isSpace(byte(c)) { //only used for ascii
- return -1
- }
- return c
-}
-
-type All struct {
- Bool bool
- Int int
- Int8 int8
- Int16 int16
- Int32 int32
- Int64 int64
- Uint uint
- Uint8 uint8
- Uint16 uint16
- Uint32 uint32
- Uint64 uint64
- Uintptr uintptr
- Float32 float32
- Float64 float64
-
- Foo string `json:"bar"`
- Foo2 string `json:"bar2,dummyopt"`
-
- IntStr int64 `json:",string"`
-
- PBool *bool
- PInt *int
- PInt8 *int8
- PInt16 *int16
- PInt32 *int32
- PInt64 *int64
- PUint *uint
- PUint8 *uint8
- PUint16 *uint16
- PUint32 *uint32
- PUint64 *uint64
- PUintptr *uintptr
- PFloat32 *float32
- PFloat64 *float64
-
- String string
- PString *string
-
- Map map[string]Small
- MapP map[string]*Small
- PMap *map[string]Small
- PMapP *map[string]*Small
-
- EmptyMap map[string]Small
- NilMap map[string]Small
-
- Slice []Small
- SliceP []*Small
- PSlice *[]Small
- PSliceP *[]*Small
-
- EmptySlice []Small
- NilSlice []Small
-
- StringSlice []string
- ByteSlice []byte
-
- Small Small
- PSmall *Small
- PPSmall **Small
-
- Interface interface{}
- PInterface *interface{}
-
- unexported int
-}
-
-type Small struct {
- Tag string
-}
-
-var allValue = All{
- Bool: true,
- Int: 2,
- Int8: 3,
- Int16: 4,
- Int32: 5,
- Int64: 6,
- Uint: 7,
- Uint8: 8,
- Uint16: 9,
- Uint32: 10,
- Uint64: 11,
- Uintptr: 12,
- Float32: 14.1,
- Float64: 15.1,
- Foo: "foo",
- Foo2: "foo2",
- IntStr: 42,
- String: "16",
- Map: map[string]Small{
- "17": {Tag: "tag17"},
- "18": {Tag: "tag18"},
- },
- MapP: map[string]*Small{
- "19": {Tag: "tag19"},
- "20": nil,
- },
- EmptyMap: map[string]Small{},
- Slice: []Small{{Tag: "tag20"}, {Tag: "tag21"}},
- SliceP: []*Small{{Tag: "tag22"}, nil, {Tag: "tag23"}},
- EmptySlice: []Small{},
- StringSlice: []string{"str24", "str25", "str26"},
- ByteSlice: []byte{27, 28, 29},
- Small: Small{Tag: "tag30"},
- PSmall: &Small{Tag: "tag31"},
- Interface: 5.2,
-}
-
-var pallValue = All{
- PBool: &allValue.Bool,
- PInt: &allValue.Int,
- PInt8: &allValue.Int8,
- PInt16: &allValue.Int16,
- PInt32: &allValue.Int32,
- PInt64: &allValue.Int64,
- PUint: &allValue.Uint,
- PUint8: &allValue.Uint8,
- PUint16: &allValue.Uint16,
- PUint32: &allValue.Uint32,
- PUint64: &allValue.Uint64,
- PUintptr: &allValue.Uintptr,
- PFloat32: &allValue.Float32,
- PFloat64: &allValue.Float64,
- PString: &allValue.String,
- PMap: &allValue.Map,
- PMapP: &allValue.MapP,
- PSlice: &allValue.Slice,
- PSliceP: &allValue.SliceP,
- PPSmall: &allValue.PSmall,
- PInterface: &allValue.Interface,
-}
-
-var allValueIndent = `{
- "Bool": true,
- "Int": 2,
- "Int8": 3,
- "Int16": 4,
- "Int32": 5,
- "Int64": 6,
- "Uint": 7,
- "Uint8": 8,
- "Uint16": 9,
- "Uint32": 10,
- "Uint64": 11,
- "Uintptr": 12,
- "Float32": 14.1,
- "Float64": 15.1,
- "bar": "foo",
- "bar2": "foo2",
- "IntStr": "42",
- "PBool": null,
- "PInt": null,
- "PInt8": null,
- "PInt16": null,
- "PInt32": null,
- "PInt64": null,
- "PUint": null,
- "PUint8": null,
- "PUint16": null,
- "PUint32": null,
- "PUint64": null,
- "PUintptr": null,
- "PFloat32": null,
- "PFloat64": null,
- "String": "16",
- "PString": null,
- "Map": {
- "17": {
- "Tag": "tag17"
- },
- "18": {
- "Tag": "tag18"
- }
- },
- "MapP": {
- "19": {
- "Tag": "tag19"
- },
- "20": null
- },
- "PMap": null,
- "PMapP": null,
- "EmptyMap": {},
- "NilMap": null,
- "Slice": [
- {
- "Tag": "tag20"
- },
- {
- "Tag": "tag21"
- }
- ],
- "SliceP": [
- {
- "Tag": "tag22"
- },
- null,
- {
- "Tag": "tag23"
- }
- ],
- "PSlice": null,
- "PSliceP": null,
- "EmptySlice": [],
- "NilSlice": null,
- "StringSlice": [
- "str24",
- "str25",
- "str26"
- ],
- "ByteSlice": "Gxwd",
- "Small": {
- "Tag": "tag30"
- },
- "PSmall": {
- "Tag": "tag31"
- },
- "PPSmall": null,
- "Interface": 5.2,
- "PInterface": null
-}`
-
-var allValueCompact = strings.Map(noSpace, allValueIndent)
-
-var pallValueIndent = `{
- "Bool": false,
- "Int": 0,
- "Int8": 0,
- "Int16": 0,
- "Int32": 0,
- "Int64": 0,
- "Uint": 0,
- "Uint8": 0,
- "Uint16": 0,
- "Uint32": 0,
- "Uint64": 0,
- "Uintptr": 0,
- "Float32": 0,
- "Float64": 0,
- "bar": "",
- "bar2": "",
- "IntStr": "0",
- "PBool": true,
- "PInt": 2,
- "PInt8": 3,
- "PInt16": 4,
- "PInt32": 5,
- "PInt64": 6,
- "PUint": 7,
- "PUint8": 8,
- "PUint16": 9,
- "PUint32": 10,
- "PUint64": 11,
- "PUintptr": 12,
- "PFloat32": 14.1,
- "PFloat64": 15.1,
- "String": "",
- "PString": "16",
- "Map": null,
- "MapP": null,
- "PMap": {
- "17": {
- "Tag": "tag17"
- },
- "18": {
- "Tag": "tag18"
- }
- },
- "PMapP": {
- "19": {
- "Tag": "tag19"
- },
- "20": null
- },
- "EmptyMap": null,
- "NilMap": null,
- "Slice": null,
- "SliceP": null,
- "PSlice": [
- {
- "Tag": "tag20"
- },
- {
- "Tag": "tag21"
- }
- ],
- "PSliceP": [
- {
- "Tag": "tag22"
- },
- null,
- {
- "Tag": "tag23"
- }
- ],
- "EmptySlice": null,
- "NilSlice": null,
- "StringSlice": null,
- "ByteSlice": null,
- "Small": {
- "Tag": ""
- },
- "PSmall": null,
- "PPSmall": {
- "Tag": "tag31"
- },
- "Interface": null,
- "PInterface": 5.2
-}`
-
-var pallValueCompact = strings.Map(noSpace, pallValueIndent)
-
-func TestRefUnmarshal(t *testing.T) {
- type S struct {
- // Ref is defined in encode_test.go.
- R0 Ref
- R1 *Ref
- R2 RefText
- R3 *RefText
- }
- want := S{
- R0: 12,
- R1: new(Ref),
- R2: 13,
- R3: new(RefText),
- }
- *want.R1 = 12
- *want.R3 = 13
-
- var got S
- if err := Unmarshal([]byte(`{"R0":"ref","R1":"ref","R2":"ref","R3":"ref"}`), &got); err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if !reflect.DeepEqual(got, want) {
- t.Errorf("got %+v, want %+v", got, want)
- }
-}
-
-// Test that the empty string doesn't panic decoding when ,string is specified
-// Issue 3450
-func TestEmptyString(t *testing.T) {
- type T2 struct {
- Number1 int `json:",string"`
- Number2 int `json:",string"`
- }
- data := `{"Number1":"1", "Number2":""}`
- dec := NewDecoder(strings.NewReader(data))
- var t2 T2
- err := dec.Decode(&t2)
- if err == nil {
- t.Fatal("Decode: did not return error")
- }
- if t2.Number1 != 1 {
- t.Fatal("Decode: did not set Number1")
- }
-}
-
-// Test that a null for ,string is not replaced with the previous quoted string (issue 7046).
-// It should also not be an error (issue 2540, issue 8587).
-func TestNullString(t *testing.T) {
- type T struct {
- A int `json:",string"`
- B int `json:",string"`
- C *int `json:",string"`
- }
- data := []byte(`{"A": "1", "B": null, "C": null}`)
- var s T
- s.B = 1
- s.C = new(int)
- *s.C = 2
- err := Unmarshal(data, &s)
- if err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if s.B != 1 || s.C != nil {
- t.Fatalf("after Unmarshal, s.B=%d, s.C=%p, want 1, nil", s.B, s.C)
- }
-}
-
-func intp(x int) *int {
- p := new(int)
- *p = x
- return p
-}
-
-func intpp(x *int) **int {
- pp := new(*int)
- *pp = x
- return pp
-}
-
-var interfaceSetTests = []struct {
- pre interface{}
- json string
- post interface{}
-}{
- {"foo", `"bar"`, "bar"},
- {"foo", `2`, 2.0},
- {"foo", `true`, true},
- {"foo", `null`, nil},
-
- {nil, `null`, nil},
- {new(int), `null`, nil},
- {(*int)(nil), `null`, nil},
- {new(*int), `null`, new(*int)},
- {(**int)(nil), `null`, nil},
- {intp(1), `null`, nil},
- {intpp(nil), `null`, intpp(nil)},
- {intpp(intp(1)), `null`, intpp(nil)},
-}
-
-func TestInterfaceSet(t *testing.T) {
- for _, tt := range interfaceSetTests {
- b := struct{ X interface{} }{tt.pre}
- blob := `{"X":` + tt.json + `}`
- if err := Unmarshal([]byte(blob), &b); err != nil {
- t.Errorf("Unmarshal %#q: %v", blob, err)
- continue
- }
- if !reflect.DeepEqual(b.X, tt.post) {
- t.Errorf("Unmarshal %#q into %#v: X=%#v, want %#v", blob, tt.pre, b.X, tt.post)
- }
- }
-}
-
-// JSON null values should be ignored for primitives and string values instead of resulting in an error.
-// Issue 2540
-func TestUnmarshalNulls(t *testing.T) {
- jsonData := []byte(`{
- "Bool" : null,
- "Int" : null,
- "Int8" : null,
- "Int16" : null,
- "Int32" : null,
- "Int64" : null,
- "Uint" : null,
- "Uint8" : null,
- "Uint16" : null,
- "Uint32" : null,
- "Uint64" : null,
- "Float32" : null,
- "Float64" : null,
- "String" : null}`)
-
- nulls := All{
- Bool: true,
- Int: 2,
- Int8: 3,
- Int16: 4,
- Int32: 5,
- Int64: 6,
- Uint: 7,
- Uint8: 8,
- Uint16: 9,
- Uint32: 10,
- Uint64: 11,
- Float32: 12.1,
- Float64: 13.1,
- String: "14"}
-
- err := Unmarshal(jsonData, &nulls)
- if err != nil {
- t.Errorf("Unmarshal of null values failed: %v", err)
- }
- if !nulls.Bool || nulls.Int != 2 || nulls.Int8 != 3 || nulls.Int16 != 4 || nulls.Int32 != 5 || nulls.Int64 != 6 ||
- nulls.Uint != 7 || nulls.Uint8 != 8 || nulls.Uint16 != 9 || nulls.Uint32 != 10 || nulls.Uint64 != 11 ||
- nulls.Float32 != 12.1 || nulls.Float64 != 13.1 || nulls.String != "14" {
-
- t.Errorf("Unmarshal of null values affected primitives")
- }
-}
-
-func TestStringKind(t *testing.T) {
- type stringKind string
-
- var m1, m2 map[stringKind]int
- m1 = map[stringKind]int{
- "foo": 42,
- }
-
- data, err := Marshal(m1)
- if err != nil {
- t.Errorf("Unexpected error marshaling: %v", err)
- }
-
- err = Unmarshal(data, &m2)
- if err != nil {
- t.Errorf("Unexpected error unmarshaling: %v", err)
- }
-
- if !reflect.DeepEqual(m1, m2) {
- t.Error("Items should be equal after encoding and then decoding")
- }
-}
-
-// Custom types with []byte as underlying type could not be marshalled
-// and then unmarshalled.
-// Issue 8962.
-func TestByteKind(t *testing.T) {
- type byteKind []byte
-
- a := byteKind("hello")
-
- data, err := Marshal(a)
- if err != nil {
- t.Error(err)
- }
- var b byteKind
- err = Unmarshal(data, &b)
- if err != nil {
- t.Fatal(err)
- }
- if !reflect.DeepEqual(a, b) {
- t.Errorf("expected %v == %v", a, b)
- }
-}
-
-// The fix for issue 8962 introduced a regression.
-// Issue 12921.
-func TestSliceOfCustomByte(t *testing.T) {
- type Uint8 uint8
-
- a := []Uint8("hello")
-
- data, err := Marshal(a)
- if err != nil {
- t.Fatal(err)
- }
- var b []Uint8
- err = Unmarshal(data, &b)
- if err != nil {
- t.Fatal(err)
- }
- if !reflect.DeepEqual(a, b) {
- t.Fatal("expected %v == %v", a, b)
- }
-}
-
-var decodeTypeErrorTests = []struct {
- dest interface{}
- src string
-}{
- {new(string), `{"user": "name"}`}, // issue 4628.
- {new(error), `{}`}, // issue 4222
- {new(error), `[]`},
- {new(error), `""`},
- {new(error), `123`},
- {new(error), `true`},
-}
-
-func TestUnmarshalTypeError(t *testing.T) {
- for _, item := range decodeTypeErrorTests {
- err := Unmarshal([]byte(item.src), item.dest)
- if _, ok := err.(*UnmarshalTypeError); !ok {
- t.Errorf("expected type error for Unmarshal(%q, type %T): got %T",
- item.src, item.dest, err)
- }
- }
-}
-
-var unmarshalSyntaxTests = []string{
- "tru",
- "fals",
- "nul",
- "123e",
- `"hello`,
- `[1,2,3`,
- `{"key":1`,
- `{"key":1,`,
-}
-
-func TestUnmarshalSyntax(t *testing.T) {
- var x interface{}
- for _, src := range unmarshalSyntaxTests {
- err := Unmarshal([]byte(src), &x)
- if _, ok := err.(*SyntaxError); !ok {
- t.Errorf("expected syntax error for Unmarshal(%q): got %T", src, err)
- }
- }
-}
-
-// Test handling of unexported fields that should be ignored.
-// Issue 4660
-type unexportedFields struct {
- Name string
- m map[string]interface{} `json:"-"`
- m2 map[string]interface{} `json:"abcd"`
-}
-
-func TestUnmarshalUnexported(t *testing.T) {
- input := `{"Name": "Bob", "m": {"x": 123}, "m2": {"y": 456}, "abcd": {"z": 789}}`
- want := &unexportedFields{Name: "Bob"}
-
- out := &unexportedFields{}
- err := Unmarshal([]byte(input), out)
- if err != nil {
- t.Errorf("got error %v, expected nil", err)
- }
- if !reflect.DeepEqual(out, want) {
- t.Errorf("got %q, want %q", out, want)
- }
-}
-
-// Time3339 is a time.Time which encodes to and from JSON
-// as an RFC 3339 time in UTC.
-type Time3339 time.Time
-
-func (t *Time3339) UnmarshalJSON(b []byte) error {
- if len(b) < 2 || b[0] != '"' || b[len(b)-1] != '"' {
- return fmt.Errorf("types: failed to unmarshal non-string value %q as an RFC 3339 time", b)
- }
- tm, err := time.Parse(time.RFC3339, string(b[1:len(b)-1]))
- if err != nil {
- return err
- }
- *t = Time3339(tm)
- return nil
-}
-
-func TestUnmarshalJSONLiteralError(t *testing.T) {
- var t3 Time3339
- err := Unmarshal([]byte(`"0000-00-00T00:00:00Z"`), &t3)
- if err == nil {
- t.Fatalf("expected error; got time %v", time.Time(t3))
- }
- if !strings.Contains(err.Error(), "range") {
- t.Errorf("got err = %v; want out of range error", err)
- }
-}
-
-// Test that extra object elements in an array do not result in a
-// "data changing underfoot" error.
-// Issue 3717
-func TestSkipArrayObjects(t *testing.T) {
- json := `[{}]`
- var dest [0]interface{}
-
- err := Unmarshal([]byte(json), &dest)
- if err != nil {
- t.Errorf("got error %q, want nil", err)
- }
-}
-
-// Test semantics of pre-filled struct fields and pre-filled map fields.
-// Issue 4900.
-func TestPrefilled(t *testing.T) {
- ptrToMap := func(m map[string]interface{}) *map[string]interface{} { return &m }
-
- // Values here change, cannot reuse table across runs.
- var prefillTests = []struct {
- in string
- ptr interface{}
- out interface{}
- }{
- {
- in: `{"X": 1, "Y": 2}`,
- ptr: &XYZ{X: float32(3), Y: int16(4), Z: 1.5},
- out: &XYZ{X: float64(1), Y: float64(2), Z: 1.5},
- },
- {
- in: `{"X": 1, "Y": 2}`,
- ptr: ptrToMap(map[string]interface{}{"X": float32(3), "Y": int16(4), "Z": 1.5}),
- out: ptrToMap(map[string]interface{}{"X": float64(1), "Y": float64(2), "Z": 1.5}),
- },
- }
-
- for _, tt := range prefillTests {
- ptrstr := fmt.Sprintf("%v", tt.ptr)
- err := Unmarshal([]byte(tt.in), tt.ptr) // tt.ptr edited here
- if err != nil {
- t.Errorf("Unmarshal: %v", err)
- }
- if !reflect.DeepEqual(tt.ptr, tt.out) {
- t.Errorf("Unmarshal(%#q, %s): have %v, want %v", tt.in, ptrstr, tt.ptr, tt.out)
- }
- }
-}
-
-var invalidUnmarshalTests = []struct {
- v interface{}
- want string
-}{
- {nil, "json: Unmarshal(nil)"},
- {struct{}{}, "json: Unmarshal(non-pointer struct {})"},
- {(*int)(nil), "json: Unmarshal(nil *int)"},
-}
-
-func TestInvalidUnmarshal(t *testing.T) {
- buf := []byte(`{"a":"1"}`)
- for _, tt := range invalidUnmarshalTests {
- err := Unmarshal(buf, tt.v)
- if err == nil {
- t.Errorf("Unmarshal expecting error, got nil")
- continue
- }
- if got := err.Error(); got != tt.want {
- t.Errorf("Unmarshal = %q; want %q", got, tt.want)
- }
- }
-}
-
-var invalidUnmarshalTextTests = []struct {
- v interface{}
- want string
-}{
- {nil, "json: Unmarshal(nil)"},
- {struct{}{}, "json: Unmarshal(non-pointer struct {})"},
- {(*int)(nil), "json: Unmarshal(nil *int)"},
- {new(net.IP), "json: cannot unmarshal string into Go value of type *net.IP"},
-}
-
-func TestInvalidUnmarshalText(t *testing.T) {
- buf := []byte(`123`)
- for _, tt := range invalidUnmarshalTextTests {
- err := Unmarshal(buf, tt.v)
- if err == nil {
- t.Errorf("Unmarshal expecting error, got nil")
- continue
- }
- if got := err.Error(); got != tt.want {
- t.Errorf("Unmarshal = %q; want %q", got, tt.want)
- }
- }
-}
-
-// Test that string option is ignored for invalid types.
-// Issue 9812.
-func TestInvalidStringOption(t *testing.T) {
- num := 0
- item := struct {
- T time.Time `json:",string"`
- M map[string]string `json:",string"`
- S []string `json:",string"`
- A [1]string `json:",string"`
- I interface{} `json:",string"`
- P *int `json:",string"`
- }{M: make(map[string]string), S: make([]string, 0), I: num, P: &num}
-
- data, err := Marshal(item)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
-
- err = Unmarshal(data, &item)
- if err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/encode.go b/vendor/gopkg.in/square/go-jose.v1/json/encode.go
deleted file mode 100644
index 1dae8bb7..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/encode.go
+++ /dev/null
@@ -1,1197 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package json implements encoding and decoding of JSON objects as defined in
-// RFC 4627. The mapping between JSON objects and Go values is described
-// in the documentation for the Marshal and Unmarshal functions.
-//
-// See "JSON and Go" for an introduction to this package:
-// https://golang.org/doc/articles/json_and_go.html
-package json
-
-import (
- "bytes"
- "encoding"
- "encoding/base64"
- "fmt"
- "math"
- "reflect"
- "runtime"
- "sort"
- "strconv"
- "strings"
- "sync"
- "unicode"
- "unicode/utf8"
-)
-
-// Marshal returns the JSON encoding of v.
-//
-// Marshal traverses the value v recursively.
-// If an encountered value implements the Marshaler interface
-// and is not a nil pointer, Marshal calls its MarshalJSON method
-// to produce JSON. If no MarshalJSON method is present but the
-// value implements encoding.TextMarshaler instead, Marshal calls
-// its MarshalText method.
-// The nil pointer exception is not strictly necessary
-// but mimics a similar, necessary exception in the behavior of
-// UnmarshalJSON.
-//
-// Otherwise, Marshal uses the following type-dependent default encodings:
-//
-// Boolean values encode as JSON booleans.
-//
-// Floating point, integer, and Number values encode as JSON numbers.
-//
-// String values encode as JSON strings coerced to valid UTF-8,
-// replacing invalid bytes with the Unicode replacement rune.
-// The angle brackets "<" and ">" are escaped to "\u003c" and "\u003e"
-// to keep some browsers from misinterpreting JSON output as HTML.
-// Ampersand "&" is also escaped to "\u0026" for the same reason.
-//
-// Array and slice values encode as JSON arrays, except that
-// []byte encodes as a base64-encoded string, and a nil slice
-// encodes as the null JSON object.
-//
-// Struct values encode as JSON objects. Each exported struct field
-// becomes a member of the object unless
-// - the field's tag is "-", or
-// - the field is empty and its tag specifies the "omitempty" option.
-// The empty values are false, 0, any
-// nil pointer or interface value, and any array, slice, map, or string of
-// length zero. The object's default key string is the struct field name
-// but can be specified in the struct field's tag value. The "json" key in
-// the struct field's tag value is the key name, followed by an optional comma
-// and options. Examples:
-//
-// // Field is ignored by this package.
-// Field int `json:"-"`
-//
-// // Field appears in JSON as key "myName".
-// Field int `json:"myName"`
-//
-// // Field appears in JSON as key "myName" and
-// // the field is omitted from the object if its value is empty,
-// // as defined above.
-// Field int `json:"myName,omitempty"`
-//
-// // Field appears in JSON as key "Field" (the default), but
-// // the field is skipped if empty.
-// // Note the leading comma.
-// Field int `json:",omitempty"`
-//
-// The "string" option signals that a field is stored as JSON inside a
-// JSON-encoded string. It applies only to fields of string, floating point,
-// integer, or boolean types. This extra level of encoding is sometimes used
-// when communicating with JavaScript programs:
-//
-// Int64String int64 `json:",string"`
-//
-// The key name will be used if it's a non-empty string consisting of
-// only Unicode letters, digits, dollar signs, percent signs, hyphens,
-// underscores and slashes.
-//
-// Anonymous struct fields are usually marshaled as if their inner exported fields
-// were fields in the outer struct, subject to the usual Go visibility rules amended
-// as described in the next paragraph.
-// An anonymous struct field with a name given in its JSON tag is treated as
-// having that name, rather than being anonymous.
-// An anonymous struct field of interface type is treated the same as having
-// that type as its name, rather than being anonymous.
-//
-// The Go visibility rules for struct fields are amended for JSON when
-// deciding which field to marshal or unmarshal. If there are
-// multiple fields at the same level, and that level is the least
-// nested (and would therefore be the nesting level selected by the
-// usual Go rules), the following extra rules apply:
-//
-// 1) Of those fields, if any are JSON-tagged, only tagged fields are considered,
-// even if there are multiple untagged fields that would otherwise conflict.
-// 2) If there is exactly one field (tagged or not according to the first rule), that is selected.
-// 3) Otherwise there are multiple fields, and all are ignored; no error occurs.
-//
-// Handling of anonymous struct fields is new in Go 1.1.
-// Prior to Go 1.1, anonymous struct fields were ignored. To force ignoring of
-// an anonymous struct field in both current and earlier versions, give the field
-// a JSON tag of "-".
-//
-// Map values encode as JSON objects.
-// The map's key type must be string; the map keys are used as JSON object
-// keys, subject to the UTF-8 coercion described for string values above.
-//
-// Pointer values encode as the value pointed to.
-// A nil pointer encodes as the null JSON object.
-//
-// Interface values encode as the value contained in the interface.
-// A nil interface value encodes as the null JSON object.
-//
-// Channel, complex, and function values cannot be encoded in JSON.
-// Attempting to encode such a value causes Marshal to return
-// an UnsupportedTypeError.
-//
-// JSON cannot represent cyclic data structures and Marshal does not
-// handle them. Passing cyclic structures to Marshal will result in
-// an infinite recursion.
-//
-func Marshal(v interface{}) ([]byte, error) {
- e := &encodeState{}
- err := e.marshal(v)
- if err != nil {
- return nil, err
- }
- return e.Bytes(), nil
-}
-
-// MarshalIndent is like Marshal but applies Indent to format the output.
-func MarshalIndent(v interface{}, prefix, indent string) ([]byte, error) {
- b, err := Marshal(v)
- if err != nil {
- return nil, err
- }
- var buf bytes.Buffer
- err = Indent(&buf, b, prefix, indent)
- if err != nil {
- return nil, err
- }
- return buf.Bytes(), nil
-}
-
-// HTMLEscape appends to dst the JSON-encoded src with <, >, &, U+2028 and U+2029
-// characters inside string literals changed to \u003c, \u003e, \u0026, \u2028, \u2029
-// so that the JSON will be safe to embed inside HTML <script> tags.
-// For historical reasons, web browsers don't honor standard HTML
-// escaping within <script> tags, so an alternative JSON encoding must
-// be used.
-func HTMLEscape(dst *bytes.Buffer, src []byte) {
- // The characters can only appear in string literals,
- // so just scan the string one byte at a time.
- start := 0
- for i, c := range src {
- if c == '<' || c == '>' || c == '&' {
- if start < i {
- dst.Write(src[start:i])
- }
- dst.WriteString(`\u00`)
- dst.WriteByte(hex[c>>4])
- dst.WriteByte(hex[c&0xF])
- start = i + 1
- }
- // Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
- if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
- if start < i {
- dst.Write(src[start:i])
- }
- dst.WriteString(`\u202`)
- dst.WriteByte(hex[src[i+2]&0xF])
- start = i + 3
- }
- }
- if start < len(src) {
- dst.Write(src[start:])
- }
-}
-
-// Marshaler is the interface implemented by objects that
-// can marshal themselves into valid JSON.
-type Marshaler interface {
- MarshalJSON() ([]byte, error)
-}
-
-// An UnsupportedTypeError is returned by Marshal when attempting
-// to encode an unsupported value type.
-type UnsupportedTypeError struct {
- Type reflect.Type
-}
-
-func (e *UnsupportedTypeError) Error() string {
- return "json: unsupported type: " + e.Type.String()
-}
-
-type UnsupportedValueError struct {
- Value reflect.Value
- Str string
-}
-
-func (e *UnsupportedValueError) Error() string {
- return "json: unsupported value: " + e.Str
-}
-
-// Before Go 1.2, an InvalidUTF8Error was returned by Marshal when
-// attempting to encode a string value with invalid UTF-8 sequences.
-// As of Go 1.2, Marshal instead coerces the string to valid UTF-8 by
-// replacing invalid bytes with the Unicode replacement rune U+FFFD.
-// This error is no longer generated but is kept for backwards compatibility
-// with programs that might mention it.
-type InvalidUTF8Error struct {
- S string // the whole string value that caused the error
-}
-
-func (e *InvalidUTF8Error) Error() string {
- return "json: invalid UTF-8 in string: " + strconv.Quote(e.S)
-}
-
-type MarshalerError struct {
- Type reflect.Type
- Err error
-}
-
-func (e *MarshalerError) Error() string {
- return "json: error calling MarshalJSON for type " + e.Type.String() + ": " + e.Err.Error()
-}
-
-var hex = "0123456789abcdef"
-
-// An encodeState encodes JSON into a bytes.Buffer.
-type encodeState struct {
- bytes.Buffer // accumulated output
- scratch [64]byte
-}
-
-var encodeStatePool sync.Pool
-
-func newEncodeState() *encodeState {
- if v := encodeStatePool.Get(); v != nil {
- e := v.(*encodeState)
- e.Reset()
- return e
- }
- return new(encodeState)
-}
-
-func (e *encodeState) marshal(v interface{}) (err error) {
- defer func() {
- if r := recover(); r != nil {
- if _, ok := r.(runtime.Error); ok {
- panic(r)
- }
- if s, ok := r.(string); ok {
- panic(s)
- }
- err = r.(error)
- }
- }()
- e.reflectValue(reflect.ValueOf(v))
- return nil
-}
-
-func (e *encodeState) error(err error) {
- panic(err)
-}
-
-func isEmptyValue(v reflect.Value) bool {
- switch v.Kind() {
- case reflect.Array, reflect.Map, reflect.Slice, reflect.String:
- return v.Len() == 0
- case reflect.Bool:
- return !v.Bool()
- case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
- return v.Int() == 0
- case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
- return v.Uint() == 0
- case reflect.Float32, reflect.Float64:
- return v.Float() == 0
- case reflect.Interface, reflect.Ptr:
- return v.IsNil()
- }
- return false
-}
-
-func (e *encodeState) reflectValue(v reflect.Value) {
- valueEncoder(v)(e, v, false)
-}
-
-type encoderFunc func(e *encodeState, v reflect.Value, quoted bool)
-
-var encoderCache struct {
- sync.RWMutex
- m map[reflect.Type]encoderFunc
-}
-
-func valueEncoder(v reflect.Value) encoderFunc {
- if !v.IsValid() {
- return invalidValueEncoder
- }
- return typeEncoder(v.Type())
-}
-
-func typeEncoder(t reflect.Type) encoderFunc {
- encoderCache.RLock()
- f := encoderCache.m[t]
- encoderCache.RUnlock()
- if f != nil {
- return f
- }
-
- // To deal with recursive types, populate the map with an
- // indirect func before we build it. This type waits on the
- // real func (f) to be ready and then calls it. This indirect
- // func is only used for recursive types.
- encoderCache.Lock()
- if encoderCache.m == nil {
- encoderCache.m = make(map[reflect.Type]encoderFunc)
- }
- var wg sync.WaitGroup
- wg.Add(1)
- encoderCache.m[t] = func(e *encodeState, v reflect.Value, quoted bool) {
- wg.Wait()
- f(e, v, quoted)
- }
- encoderCache.Unlock()
-
- // Compute fields without lock.
- // Might duplicate effort but won't hold other computations back.
- f = newTypeEncoder(t, true)
- wg.Done()
- encoderCache.Lock()
- encoderCache.m[t] = f
- encoderCache.Unlock()
- return f
-}
-
-var (
- marshalerType = reflect.TypeOf(new(Marshaler)).Elem()
- textMarshalerType = reflect.TypeOf(new(encoding.TextMarshaler)).Elem()
-)
-
-// newTypeEncoder constructs an encoderFunc for a type.
-// The returned encoder only checks CanAddr when allowAddr is true.
-func newTypeEncoder(t reflect.Type, allowAddr bool) encoderFunc {
- if t.Implements(marshalerType) {
- return marshalerEncoder
- }
- if t.Kind() != reflect.Ptr && allowAddr {
- if reflect.PtrTo(t).Implements(marshalerType) {
- return newCondAddrEncoder(addrMarshalerEncoder, newTypeEncoder(t, false))
- }
- }
-
- if t.Implements(textMarshalerType) {
- return textMarshalerEncoder
- }
- if t.Kind() != reflect.Ptr && allowAddr {
- if reflect.PtrTo(t).Implements(textMarshalerType) {
- return newCondAddrEncoder(addrTextMarshalerEncoder, newTypeEncoder(t, false))
- }
- }
-
- switch t.Kind() {
- case reflect.Bool:
- return boolEncoder
- case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
- return intEncoder
- case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:
- return uintEncoder
- case reflect.Float32:
- return float32Encoder
- case reflect.Float64:
- return float64Encoder
- case reflect.String:
- return stringEncoder
- case reflect.Interface:
- return interfaceEncoder
- case reflect.Struct:
- return newStructEncoder(t)
- case reflect.Map:
- return newMapEncoder(t)
- case reflect.Slice:
- return newSliceEncoder(t)
- case reflect.Array:
- return newArrayEncoder(t)
- case reflect.Ptr:
- return newPtrEncoder(t)
- default:
- return unsupportedTypeEncoder
- }
-}
-
-func invalidValueEncoder(e *encodeState, v reflect.Value, quoted bool) {
- e.WriteString("null")
-}
-
-func marshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
- if v.Kind() == reflect.Ptr && v.IsNil() {
- e.WriteString("null")
- return
- }
- m := v.Interface().(Marshaler)
- b, err := m.MarshalJSON()
- if err == nil {
- // copy JSON into buffer, checking validity.
- err = compact(&e.Buffer, b, true)
- }
- if err != nil {
- e.error(&MarshalerError{v.Type(), err})
- }
-}
-
-func addrMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
- va := v.Addr()
- if va.IsNil() {
- e.WriteString("null")
- return
- }
- m := va.Interface().(Marshaler)
- b, err := m.MarshalJSON()
- if err == nil {
- // copy JSON into buffer, checking validity.
- err = compact(&e.Buffer, b, true)
- }
- if err != nil {
- e.error(&MarshalerError{v.Type(), err})
- }
-}
-
-func textMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
- if v.Kind() == reflect.Ptr && v.IsNil() {
- e.WriteString("null")
- return
- }
- m := v.Interface().(encoding.TextMarshaler)
- b, err := m.MarshalText()
- if err != nil {
- e.error(&MarshalerError{v.Type(), err})
- }
- e.stringBytes(b)
-}
-
-func addrTextMarshalerEncoder(e *encodeState, v reflect.Value, quoted bool) {
- va := v.Addr()
- if va.IsNil() {
- e.WriteString("null")
- return
- }
- m := va.Interface().(encoding.TextMarshaler)
- b, err := m.MarshalText()
- if err != nil {
- e.error(&MarshalerError{v.Type(), err})
- }
- e.stringBytes(b)
-}
-
-func boolEncoder(e *encodeState, v reflect.Value, quoted bool) {
- if quoted {
- e.WriteByte('"')
- }
- if v.Bool() {
- e.WriteString("true")
- } else {
- e.WriteString("false")
- }
- if quoted {
- e.WriteByte('"')
- }
-}
-
-func intEncoder(e *encodeState, v reflect.Value, quoted bool) {
- b := strconv.AppendInt(e.scratch[:0], v.Int(), 10)
- if quoted {
- e.WriteByte('"')
- }
- e.Write(b)
- if quoted {
- e.WriteByte('"')
- }
-}
-
-func uintEncoder(e *encodeState, v reflect.Value, quoted bool) {
- b := strconv.AppendUint(e.scratch[:0], v.Uint(), 10)
- if quoted {
- e.WriteByte('"')
- }
- e.Write(b)
- if quoted {
- e.WriteByte('"')
- }
-}
-
-type floatEncoder int // number of bits
-
-func (bits floatEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
- f := v.Float()
- if math.IsInf(f, 0) || math.IsNaN(f) {
- e.error(&UnsupportedValueError{v, strconv.FormatFloat(f, 'g', -1, int(bits))})
- }
- b := strconv.AppendFloat(e.scratch[:0], f, 'g', -1, int(bits))
- if quoted {
- e.WriteByte('"')
- }
- e.Write(b)
- if quoted {
- e.WriteByte('"')
- }
-}
-
-var (
- float32Encoder = (floatEncoder(32)).encode
- float64Encoder = (floatEncoder(64)).encode
-)
-
-func stringEncoder(e *encodeState, v reflect.Value, quoted bool) {
- if v.Type() == numberType {
- numStr := v.String()
- // In Go1.5 the empty string encodes to "0", while this is not a valid number literal
- // we keep compatibility so check validity after this.
- if numStr == "" {
- numStr = "0" // Number's zero-val
- }
- if !isValidNumber(numStr) {
- e.error(fmt.Errorf("json: invalid number literal %q", numStr))
- }
- e.WriteString(numStr)
- return
- }
- if quoted {
- sb, err := Marshal(v.String())
- if err != nil {
- e.error(err)
- }
- e.string(string(sb))
- } else {
- e.string(v.String())
- }
-}
-
-func interfaceEncoder(e *encodeState, v reflect.Value, quoted bool) {
- if v.IsNil() {
- e.WriteString("null")
- return
- }
- e.reflectValue(v.Elem())
-}
-
-func unsupportedTypeEncoder(e *encodeState, v reflect.Value, quoted bool) {
- e.error(&UnsupportedTypeError{v.Type()})
-}
-
-type structEncoder struct {
- fields []field
- fieldEncs []encoderFunc
-}
-
-func (se *structEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
- e.WriteByte('{')
- first := true
- for i, f := range se.fields {
- fv := fieldByIndex(v, f.index)
- if !fv.IsValid() || f.omitEmpty && isEmptyValue(fv) {
- continue
- }
- if first {
- first = false
- } else {
- e.WriteByte(',')
- }
- e.string(f.name)
- e.WriteByte(':')
- se.fieldEncs[i](e, fv, f.quoted)
- }
- e.WriteByte('}')
-}
-
-func newStructEncoder(t reflect.Type) encoderFunc {
- fields := cachedTypeFields(t)
- se := &structEncoder{
- fields: fields,
- fieldEncs: make([]encoderFunc, len(fields)),
- }
- for i, f := range fields {
- se.fieldEncs[i] = typeEncoder(typeByIndex(t, f.index))
- }
- return se.encode
-}
-
-type mapEncoder struct {
- elemEnc encoderFunc
-}
-
-func (me *mapEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
- if v.IsNil() {
- e.WriteString("null")
- return
- }
- e.WriteByte('{')
- var sv stringValues = v.MapKeys()
- sort.Sort(sv)
- for i, k := range sv {
- if i > 0 {
- e.WriteByte(',')
- }
- e.string(k.String())
- e.WriteByte(':')
- me.elemEnc(e, v.MapIndex(k), false)
- }
- e.WriteByte('}')
-}
-
-func newMapEncoder(t reflect.Type) encoderFunc {
- if t.Key().Kind() != reflect.String {
- return unsupportedTypeEncoder
- }
- me := &mapEncoder{typeEncoder(t.Elem())}
- return me.encode
-}
-
-func encodeByteSlice(e *encodeState, v reflect.Value, _ bool) {
- if v.IsNil() {
- e.WriteString("null")
- return
- }
- s := v.Bytes()
- e.WriteByte('"')
- if len(s) < 1024 {
- // for small buffers, using Encode directly is much faster.
- dst := make([]byte, base64.StdEncoding.EncodedLen(len(s)))
- base64.StdEncoding.Encode(dst, s)
- e.Write(dst)
- } else {
- // for large buffers, avoid unnecessary extra temporary
- // buffer space.
- enc := base64.NewEncoder(base64.StdEncoding, e)
- enc.Write(s)
- enc.Close()
- }
- e.WriteByte('"')
-}
-
-// sliceEncoder just wraps an arrayEncoder, checking to make sure the value isn't nil.
-type sliceEncoder struct {
- arrayEnc encoderFunc
-}
-
-func (se *sliceEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
- if v.IsNil() {
- e.WriteString("null")
- return
- }
- se.arrayEnc(e, v, false)
-}
-
-func newSliceEncoder(t reflect.Type) encoderFunc {
- // Byte slices get special treatment; arrays don't.
- if t.Elem().Kind() == reflect.Uint8 {
- return encodeByteSlice
- }
- enc := &sliceEncoder{newArrayEncoder(t)}
- return enc.encode
-}
-
-type arrayEncoder struct {
- elemEnc encoderFunc
-}
-
-func (ae *arrayEncoder) encode(e *encodeState, v reflect.Value, _ bool) {
- e.WriteByte('[')
- n := v.Len()
- for i := 0; i < n; i++ {
- if i > 0 {
- e.WriteByte(',')
- }
- ae.elemEnc(e, v.Index(i), false)
- }
- e.WriteByte(']')
-}
-
-func newArrayEncoder(t reflect.Type) encoderFunc {
- enc := &arrayEncoder{typeEncoder(t.Elem())}
- return enc.encode
-}
-
-type ptrEncoder struct {
- elemEnc encoderFunc
-}
-
-func (pe *ptrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
- if v.IsNil() {
- e.WriteString("null")
- return
- }
- pe.elemEnc(e, v.Elem(), quoted)
-}
-
-func newPtrEncoder(t reflect.Type) encoderFunc {
- enc := &ptrEncoder{typeEncoder(t.Elem())}
- return enc.encode
-}
-
-type condAddrEncoder struct {
- canAddrEnc, elseEnc encoderFunc
-}
-
-func (ce *condAddrEncoder) encode(e *encodeState, v reflect.Value, quoted bool) {
- if v.CanAddr() {
- ce.canAddrEnc(e, v, quoted)
- } else {
- ce.elseEnc(e, v, quoted)
- }
-}
-
-// newCondAddrEncoder returns an encoder that checks whether its value
-// CanAddr and delegates to canAddrEnc if so, else to elseEnc.
-func newCondAddrEncoder(canAddrEnc, elseEnc encoderFunc) encoderFunc {
- enc := &condAddrEncoder{canAddrEnc: canAddrEnc, elseEnc: elseEnc}
- return enc.encode
-}
-
-func isValidTag(s string) bool {
- if s == "" {
- return false
- }
- for _, c := range s {
- switch {
- case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~ ", c):
- // Backslash and quote chars are reserved, but
- // otherwise any punctuation chars are allowed
- // in a tag name.
- default:
- if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
- return false
- }
- }
- }
- return true
-}
-
-func fieldByIndex(v reflect.Value, index []int) reflect.Value {
- for _, i := range index {
- if v.Kind() == reflect.Ptr {
- if v.IsNil() {
- return reflect.Value{}
- }
- v = v.Elem()
- }
- v = v.Field(i)
- }
- return v
-}
-
-func typeByIndex(t reflect.Type, index []int) reflect.Type {
- for _, i := range index {
- if t.Kind() == reflect.Ptr {
- t = t.Elem()
- }
- t = t.Field(i).Type
- }
- return t
-}
-
-// stringValues is a slice of reflect.Value holding *reflect.StringValue.
-// It implements the methods to sort by string.
-type stringValues []reflect.Value
-
-func (sv stringValues) Len() int { return len(sv) }
-func (sv stringValues) Swap(i, j int) { sv[i], sv[j] = sv[j], sv[i] }
-func (sv stringValues) Less(i, j int) bool { return sv.get(i) < sv.get(j) }
-func (sv stringValues) get(i int) string { return sv[i].String() }
-
-// NOTE: keep in sync with stringBytes below.
-func (e *encodeState) string(s string) int {
- len0 := e.Len()
- e.WriteByte('"')
- start := 0
- for i := 0; i < len(s); {
- if b := s[i]; b < utf8.RuneSelf {
- if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
- i++
- continue
- }
- if start < i {
- e.WriteString(s[start:i])
- }
- switch b {
- case '\\', '"':
- e.WriteByte('\\')
- e.WriteByte(b)
- case '\n':
- e.WriteByte('\\')
- e.WriteByte('n')
- case '\r':
- e.WriteByte('\\')
- e.WriteByte('r')
- case '\t':
- e.WriteByte('\\')
- e.WriteByte('t')
- default:
- // This encodes bytes < 0x20 except for \n and \r,
- // as well as <, > and &. The latter are escaped because they
- // can lead to security holes when user-controlled strings
- // are rendered into JSON and served to some browsers.
- e.WriteString(`\u00`)
- e.WriteByte(hex[b>>4])
- e.WriteByte(hex[b&0xF])
- }
- i++
- start = i
- continue
- }
- c, size := utf8.DecodeRuneInString(s[i:])
- if c == utf8.RuneError && size == 1 {
- if start < i {
- e.WriteString(s[start:i])
- }
- e.WriteString(`\ufffd`)
- i += size
- start = i
- continue
- }
- // U+2028 is LINE SEPARATOR.
- // U+2029 is PARAGRAPH SEPARATOR.
- // They are both technically valid characters in JSON strings,
- // but don't work in JSONP, which has to be evaluated as JavaScript,
- // and can lead to security holes there. It is valid JSON to
- // escape them, so we do so unconditionally.
- // See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
- if c == '\u2028' || c == '\u2029' {
- if start < i {
- e.WriteString(s[start:i])
- }
- e.WriteString(`\u202`)
- e.WriteByte(hex[c&0xF])
- i += size
- start = i
- continue
- }
- i += size
- }
- if start < len(s) {
- e.WriteString(s[start:])
- }
- e.WriteByte('"')
- return e.Len() - len0
-}
-
-// NOTE: keep in sync with string above.
-func (e *encodeState) stringBytes(s []byte) int {
- len0 := e.Len()
- e.WriteByte('"')
- start := 0
- for i := 0; i < len(s); {
- if b := s[i]; b < utf8.RuneSelf {
- if 0x20 <= b && b != '\\' && b != '"' && b != '<' && b != '>' && b != '&' {
- i++
- continue
- }
- if start < i {
- e.Write(s[start:i])
- }
- switch b {
- case '\\', '"':
- e.WriteByte('\\')
- e.WriteByte(b)
- case '\n':
- e.WriteByte('\\')
- e.WriteByte('n')
- case '\r':
- e.WriteByte('\\')
- e.WriteByte('r')
- case '\t':
- e.WriteByte('\\')
- e.WriteByte('t')
- default:
- // This encodes bytes < 0x20 except for \n and \r,
- // as well as <, >, and &. The latter are escaped because they
- // can lead to security holes when user-controlled strings
- // are rendered into JSON and served to some browsers.
- e.WriteString(`\u00`)
- e.WriteByte(hex[b>>4])
- e.WriteByte(hex[b&0xF])
- }
- i++
- start = i
- continue
- }
- c, size := utf8.DecodeRune(s[i:])
- if c == utf8.RuneError && size == 1 {
- if start < i {
- e.Write(s[start:i])
- }
- e.WriteString(`\ufffd`)
- i += size
- start = i
- continue
- }
- // U+2028 is LINE SEPARATOR.
- // U+2029 is PARAGRAPH SEPARATOR.
- // They are both technically valid characters in JSON strings,
- // but don't work in JSONP, which has to be evaluated as JavaScript,
- // and can lead to security holes there. It is valid JSON to
- // escape them, so we do so unconditionally.
- // See http://timelessrepo.com/json-isnt-a-javascript-subset for discussion.
- if c == '\u2028' || c == '\u2029' {
- if start < i {
- e.Write(s[start:i])
- }
- e.WriteString(`\u202`)
- e.WriteByte(hex[c&0xF])
- i += size
- start = i
- continue
- }
- i += size
- }
- if start < len(s) {
- e.Write(s[start:])
- }
- e.WriteByte('"')
- return e.Len() - len0
-}
-
-// A field represents a single field found in a struct.
-type field struct {
- name string
- nameBytes []byte // []byte(name)
-
- tag bool
- index []int
- typ reflect.Type
- omitEmpty bool
- quoted bool
-}
-
-func fillField(f field) field {
- f.nameBytes = []byte(f.name)
- return f
-}
-
-// byName sorts field by name, breaking ties with depth,
-// then breaking ties with "name came from json tag", then
-// breaking ties with index sequence.
-type byName []field
-
-func (x byName) Len() int { return len(x) }
-
-func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byName) Less(i, j int) bool {
- if x[i].name != x[j].name {
- return x[i].name < x[j].name
- }
- if len(x[i].index) != len(x[j].index) {
- return len(x[i].index) < len(x[j].index)
- }
- if x[i].tag != x[j].tag {
- return x[i].tag
- }
- return byIndex(x).Less(i, j)
-}
-
-// byIndex sorts field by index sequence.
-type byIndex []field
-
-func (x byIndex) Len() int { return len(x) }
-
-func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] }
-
-func (x byIndex) Less(i, j int) bool {
- for k, xik := range x[i].index {
- if k >= len(x[j].index) {
- return false
- }
- if xik != x[j].index[k] {
- return xik < x[j].index[k]
- }
- }
- return len(x[i].index) < len(x[j].index)
-}
-
-// typeFields returns a list of fields that JSON should recognize for the given type.
-// The algorithm is breadth-first search over the set of structs to include - the top struct
-// and then any reachable anonymous structs.
-func typeFields(t reflect.Type) []field {
- // Anonymous fields to explore at the current level and the next.
- current := []field{}
- next := []field{{typ: t}}
-
- // Count of queued names for current level and the next.
- count := map[reflect.Type]int{}
- nextCount := map[reflect.Type]int{}
-
- // Types already visited at an earlier level.
- visited := map[reflect.Type]bool{}
-
- // Fields found.
- var fields []field
-
- for len(next) > 0 {
- current, next = next, current[:0]
- count, nextCount = nextCount, map[reflect.Type]int{}
-
- for _, f := range current {
- if visited[f.typ] {
- continue
- }
- visited[f.typ] = true
-
- // Scan f.typ for fields to include.
- for i := 0; i < f.typ.NumField(); i++ {
- sf := f.typ.Field(i)
- if sf.PkgPath != "" && !sf.Anonymous { // unexported
- continue
- }
- tag := sf.Tag.Get("json")
- if tag == "-" {
- continue
- }
- name, opts := parseTag(tag)
- if !isValidTag(name) {
- name = ""
- }
- index := make([]int, len(f.index)+1)
- copy(index, f.index)
- index[len(f.index)] = i
-
- ft := sf.Type
- if ft.Name() == "" && ft.Kind() == reflect.Ptr {
- // Follow pointer.
- ft = ft.Elem()
- }
-
- // Only strings, floats, integers, and booleans can be quoted.
- quoted := false
- if opts.Contains("string") {
- switch ft.Kind() {
- case reflect.Bool,
- reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
- reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
- reflect.Float32, reflect.Float64,
- reflect.String:
- quoted = true
- }
- }
-
- // Record found field and index sequence.
- if name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct {
- tagged := name != ""
- if name == "" {
- name = sf.Name
- }
- fields = append(fields, fillField(field{
- name: name,
- tag: tagged,
- index: index,
- typ: ft,
- omitEmpty: opts.Contains("omitempty"),
- quoted: quoted,
- }))
- if count[f.typ] > 1 {
- // If there were multiple instances, add a second,
- // so that the annihilation code will see a duplicate.
- // It only cares about the distinction between 1 or 2,
- // so don't bother generating any more copies.
- fields = append(fields, fields[len(fields)-1])
- }
- continue
- }
-
- // Record new anonymous struct to explore in next round.
- nextCount[ft]++
- if nextCount[ft] == 1 {
- next = append(next, fillField(field{name: ft.Name(), index: index, typ: ft}))
- }
- }
- }
- }
-
- sort.Sort(byName(fields))
-
- // Delete all fields that are hidden by the Go rules for embedded fields,
- // except that fields with JSON tags are promoted.
-
- // The fields are sorted in primary order of name, secondary order
- // of field index length. Loop over names; for each name, delete
- // hidden fields by choosing the one dominant field that survives.
- out := fields[:0]
- for advance, i := 0, 0; i < len(fields); i += advance {
- // One iteration per name.
- // Find the sequence of fields with the name of this first field.
- fi := fields[i]
- name := fi.name
- for advance = 1; i+advance < len(fields); advance++ {
- fj := fields[i+advance]
- if fj.name != name {
- break
- }
- }
- if advance == 1 { // Only one field with this name
- out = append(out, fi)
- continue
- }
- dominant, ok := dominantField(fields[i : i+advance])
- if ok {
- out = append(out, dominant)
- }
- }
-
- fields = out
- sort.Sort(byIndex(fields))
-
- return fields
-}
-
-// dominantField looks through the fields, all of which are known to
-// have the same name, to find the single field that dominates the
-// others using Go's embedding rules, modified by the presence of
-// JSON tags. If there are multiple top-level fields, the boolean
-// will be false: This condition is an error in Go and we skip all
-// the fields.
-func dominantField(fields []field) (field, bool) {
- // The fields are sorted in increasing index-length order. The winner
- // must therefore be one with the shortest index length. Drop all
- // longer entries, which is easy: just truncate the slice.
- length := len(fields[0].index)
- tagged := -1 // Index of first tagged field.
- for i, f := range fields {
- if len(f.index) > length {
- fields = fields[:i]
- break
- }
- if f.tag {
- if tagged >= 0 {
- // Multiple tagged fields at the same level: conflict.
- // Return no field.
- return field{}, false
- }
- tagged = i
- }
- }
- if tagged >= 0 {
- return fields[tagged], true
- }
- // All remaining fields have the same length. If there's more than one,
- // we have a conflict (two fields named "X" at the same level) and we
- // return no field.
- if len(fields) > 1 {
- return field{}, false
- }
- return fields[0], true
-}
-
-var fieldCache struct {
- sync.RWMutex
- m map[reflect.Type][]field
-}
-
-// cachedTypeFields is like typeFields but uses a cache to avoid repeated work.
-func cachedTypeFields(t reflect.Type) []field {
- fieldCache.RLock()
- f := fieldCache.m[t]
- fieldCache.RUnlock()
- if f != nil {
- return f
- }
-
- // Compute fields without lock.
- // Might duplicate effort but won't hold other computations back.
- f = typeFields(t)
- if f == nil {
- f = []field{}
- }
-
- fieldCache.Lock()
- if fieldCache.m == nil {
- fieldCache.m = map[reflect.Type][]field{}
- }
- fieldCache.m[t] = f
- fieldCache.Unlock()
- return f
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/encode_test.go b/vendor/gopkg.in/square/go-jose.v1/json/encode_test.go
deleted file mode 100644
index c00491e0..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/encode_test.go
+++ /dev/null
@@ -1,538 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "bytes"
- "math"
- "reflect"
- "testing"
- "unicode"
-)
-
-type Optionals struct {
- Sr string `json:"sr"`
- So string `json:"so,omitempty"`
- Sw string `json:"-"`
-
- Ir int `json:"omitempty"` // actually named omitempty, not an option
- Io int `json:"io,omitempty"`
-
- Slr []string `json:"slr,random"`
- Slo []string `json:"slo,omitempty"`
-
- Mr map[string]interface{} `json:"mr"`
- Mo map[string]interface{} `json:",omitempty"`
-
- Fr float64 `json:"fr"`
- Fo float64 `json:"fo,omitempty"`
-
- Br bool `json:"br"`
- Bo bool `json:"bo,omitempty"`
-
- Ur uint `json:"ur"`
- Uo uint `json:"uo,omitempty"`
-
- Str struct{} `json:"str"`
- Sto struct{} `json:"sto,omitempty"`
-}
-
-var optionalsExpected = `{
- "sr": "",
- "omitempty": 0,
- "slr": null,
- "mr": {},
- "fr": 0,
- "br": false,
- "ur": 0,
- "str": {},
- "sto": {}
-}`
-
-func TestOmitEmpty(t *testing.T) {
- var o Optionals
- o.Sw = "something"
- o.Mr = map[string]interface{}{}
- o.Mo = map[string]interface{}{}
-
- got, err := MarshalIndent(&o, "", " ")
- if err != nil {
- t.Fatal(err)
- }
- if got := string(got); got != optionalsExpected {
- t.Errorf(" got: %s\nwant: %s\n", got, optionalsExpected)
- }
-}
-
-type StringTag struct {
- BoolStr bool `json:",string"`
- IntStr int64 `json:",string"`
- StrStr string `json:",string"`
-}
-
-var stringTagExpected = `{
- "BoolStr": "true",
- "IntStr": "42",
- "StrStr": "\"xzbit\""
-}`
-
-func TestStringTag(t *testing.T) {
- var s StringTag
- s.BoolStr = true
- s.IntStr = 42
- s.StrStr = "xzbit"
- got, err := MarshalIndent(&s, "", " ")
- if err != nil {
- t.Fatal(err)
- }
- if got := string(got); got != stringTagExpected {
- t.Fatalf(" got: %s\nwant: %s\n", got, stringTagExpected)
- }
-
- // Verify that it round-trips.
- var s2 StringTag
- err = NewDecoder(bytes.NewReader(got)).Decode(&s2)
- if err != nil {
- t.Fatalf("Decode: %v", err)
- }
- if !reflect.DeepEqual(s, s2) {
- t.Fatalf("decode didn't match.\nsource: %#v\nEncoded as:\n%s\ndecode: %#v", s, string(got), s2)
- }
-}
-
-// byte slices are special even if they're renamed types.
-type renamedByte byte
-type renamedByteSlice []byte
-type renamedRenamedByteSlice []renamedByte
-
-func TestEncodeRenamedByteSlice(t *testing.T) {
- s := renamedByteSlice("abc")
- result, err := Marshal(s)
- if err != nil {
- t.Fatal(err)
- }
- expect := `"YWJj"`
- if string(result) != expect {
- t.Errorf(" got %s want %s", result, expect)
- }
- r := renamedRenamedByteSlice("abc")
- result, err = Marshal(r)
- if err != nil {
- t.Fatal(err)
- }
- if string(result) != expect {
- t.Errorf(" got %s want %s", result, expect)
- }
-}
-
-var unsupportedValues = []interface{}{
- math.NaN(),
- math.Inf(-1),
- math.Inf(1),
-}
-
-func TestUnsupportedValues(t *testing.T) {
- for _, v := range unsupportedValues {
- if _, err := Marshal(v); err != nil {
- if _, ok := err.(*UnsupportedValueError); !ok {
- t.Errorf("for %v, got %T want UnsupportedValueError", v, err)
- }
- } else {
- t.Errorf("for %v, expected error", v)
- }
- }
-}
-
-// Ref has Marshaler and Unmarshaler methods with pointer receiver.
-type Ref int
-
-func (*Ref) MarshalJSON() ([]byte, error) {
- return []byte(`"ref"`), nil
-}
-
-func (r *Ref) UnmarshalJSON([]byte) error {
- *r = 12
- return nil
-}
-
-// Val has Marshaler methods with value receiver.
-type Val int
-
-func (Val) MarshalJSON() ([]byte, error) {
- return []byte(`"val"`), nil
-}
-
-// RefText has Marshaler and Unmarshaler methods with pointer receiver.
-type RefText int
-
-func (*RefText) MarshalText() ([]byte, error) {
- return []byte(`"ref"`), nil
-}
-
-func (r *RefText) UnmarshalText([]byte) error {
- *r = 13
- return nil
-}
-
-// ValText has Marshaler methods with value receiver.
-type ValText int
-
-func (ValText) MarshalText() ([]byte, error) {
- return []byte(`"val"`), nil
-}
-
-func TestRefValMarshal(t *testing.T) {
- var s = struct {
- R0 Ref
- R1 *Ref
- R2 RefText
- R3 *RefText
- V0 Val
- V1 *Val
- V2 ValText
- V3 *ValText
- }{
- R0: 12,
- R1: new(Ref),
- R2: 14,
- R3: new(RefText),
- V0: 13,
- V1: new(Val),
- V2: 15,
- V3: new(ValText),
- }
- const want = `{"R0":"ref","R1":"ref","R2":"\"ref\"","R3":"\"ref\"","V0":"val","V1":"val","V2":"\"val\"","V3":"\"val\""}`
- b, err := Marshal(&s)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- if got := string(b); got != want {
- t.Errorf("got %q, want %q", got, want)
- }
-}
-
-// C implements Marshaler and returns unescaped JSON.
-type C int
-
-func (C) MarshalJSON() ([]byte, error) {
- return []byte(`"<&>"`), nil
-}
-
-// CText implements Marshaler and returns unescaped text.
-type CText int
-
-func (CText) MarshalText() ([]byte, error) {
- return []byte(`"<&>"`), nil
-}
-
-func TestMarshalerEscaping(t *testing.T) {
- var c C
- want := `"\u003c\u0026\u003e"`
- b, err := Marshal(c)
- if err != nil {
- t.Fatalf("Marshal(c): %v", err)
- }
- if got := string(b); got != want {
- t.Errorf("Marshal(c) = %#q, want %#q", got, want)
- }
-
- var ct CText
- want = `"\"\u003c\u0026\u003e\""`
- b, err = Marshal(ct)
- if err != nil {
- t.Fatalf("Marshal(ct): %v", err)
- }
- if got := string(b); got != want {
- t.Errorf("Marshal(ct) = %#q, want %#q", got, want)
- }
-}
-
-type IntType int
-
-type MyStruct struct {
- IntType
-}
-
-func TestAnonymousNonstruct(t *testing.T) {
- var i IntType = 11
- a := MyStruct{i}
- const want = `{"IntType":11}`
-
- b, err := Marshal(a)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- if got := string(b); got != want {
- t.Errorf("got %q, want %q", got, want)
- }
-}
-
-type BugA struct {
- S string
-}
-
-type BugB struct {
- BugA
- S string
-}
-
-type BugC struct {
- S string
-}
-
-// Legal Go: We never use the repeated embedded field (S).
-type BugX struct {
- A int
- BugA
- BugB
-}
-
-// Issue 5245.
-func TestEmbeddedBug(t *testing.T) {
- v := BugB{
- BugA{"A"},
- "B",
- }
- b, err := Marshal(v)
- if err != nil {
- t.Fatal("Marshal:", err)
- }
- want := `{"S":"B"}`
- got := string(b)
- if got != want {
- t.Fatalf("Marshal: got %s want %s", got, want)
- }
- // Now check that the duplicate field, S, does not appear.
- x := BugX{
- A: 23,
- }
- b, err = Marshal(x)
- if err != nil {
- t.Fatal("Marshal:", err)
- }
- want = `{"A":23}`
- got = string(b)
- if got != want {
- t.Fatalf("Marshal: got %s want %s", got, want)
- }
-}
-
-type BugD struct { // Same as BugA after tagging.
- XXX string `json:"S"`
-}
-
-// BugD's tagged S field should dominate BugA's.
-type BugY struct {
- BugA
- BugD
-}
-
-// Test that a field with a tag dominates untagged fields.
-func TestTaggedFieldDominates(t *testing.T) {
- v := BugY{
- BugA{"BugA"},
- BugD{"BugD"},
- }
- b, err := Marshal(v)
- if err != nil {
- t.Fatal("Marshal:", err)
- }
- want := `{"S":"BugD"}`
- got := string(b)
- if got != want {
- t.Fatalf("Marshal: got %s want %s", got, want)
- }
-}
-
-// There are no tags here, so S should not appear.
-type BugZ struct {
- BugA
- BugC
- BugY // Contains a tagged S field through BugD; should not dominate.
-}
-
-func TestDuplicatedFieldDisappears(t *testing.T) {
- v := BugZ{
- BugA{"BugA"},
- BugC{"BugC"},
- BugY{
- BugA{"nested BugA"},
- BugD{"nested BugD"},
- },
- }
- b, err := Marshal(v)
- if err != nil {
- t.Fatal("Marshal:", err)
- }
- want := `{}`
- got := string(b)
- if got != want {
- t.Fatalf("Marshal: got %s want %s", got, want)
- }
-}
-
-func TestStringBytes(t *testing.T) {
- // Test that encodeState.stringBytes and encodeState.string use the same encoding.
- es := &encodeState{}
- var r []rune
- for i := '\u0000'; i <= unicode.MaxRune; i++ {
- r = append(r, i)
- }
- s := string(r) + "\xff\xff\xffhello" // some invalid UTF-8 too
- es.string(s)
-
- esBytes := &encodeState{}
- esBytes.stringBytes([]byte(s))
-
- enc := es.Buffer.String()
- encBytes := esBytes.Buffer.String()
- if enc != encBytes {
- i := 0
- for i < len(enc) && i < len(encBytes) && enc[i] == encBytes[i] {
- i++
- }
- enc = enc[i:]
- encBytes = encBytes[i:]
- i = 0
- for i < len(enc) && i < len(encBytes) && enc[len(enc)-i-1] == encBytes[len(encBytes)-i-1] {
- i++
- }
- enc = enc[:len(enc)-i]
- encBytes = encBytes[:len(encBytes)-i]
-
- if len(enc) > 20 {
- enc = enc[:20] + "..."
- }
- if len(encBytes) > 20 {
- encBytes = encBytes[:20] + "..."
- }
-
- t.Errorf("encodings differ at %#q vs %#q", enc, encBytes)
- }
-}
-
-func TestIssue6458(t *testing.T) {
- type Foo struct {
- M RawMessage
- }
- x := Foo{RawMessage(`"foo"`)}
-
- b, err := Marshal(&x)
- if err != nil {
- t.Fatal(err)
- }
- if want := `{"M":"foo"}`; string(b) != want {
- t.Errorf("Marshal(&x) = %#q; want %#q", b, want)
- }
-
- b, err = Marshal(x)
- if err != nil {
- t.Fatal(err)
- }
-
- if want := `{"M":"ImZvbyI="}`; string(b) != want {
- t.Errorf("Marshal(x) = %#q; want %#q", b, want)
- }
-}
-
-func TestIssue10281(t *testing.T) {
- type Foo struct {
- N Number
- }
- x := Foo{Number(`invalid`)}
-
- b, err := Marshal(&x)
- if err == nil {
- t.Errorf("Marshal(&x) = %#q; want error", b)
- }
-}
-
-func TestHTMLEscape(t *testing.T) {
- var b, want bytes.Buffer
- m := `{"M":"<html>foo &` + "\xe2\x80\xa8 \xe2\x80\xa9" + `</html>"}`
- want.Write([]byte(`{"M":"\u003chtml\u003efoo \u0026\u2028 \u2029\u003c/html\u003e"}`))
- HTMLEscape(&b, []byte(m))
- if !bytes.Equal(b.Bytes(), want.Bytes()) {
- t.Errorf("HTMLEscape(&b, []byte(m)) = %s; want %s", b.Bytes(), want.Bytes())
- }
-}
-
-// golang.org/issue/8582
-func TestEncodePointerString(t *testing.T) {
- type stringPointer struct {
- N *int64 `json:"n,string"`
- }
- var n int64 = 42
- b, err := Marshal(stringPointer{N: &n})
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- if got, want := string(b), `{"n":"42"}`; got != want {
- t.Errorf("Marshal = %s, want %s", got, want)
- }
- var back stringPointer
- err = Unmarshal(b, &back)
- if err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if back.N == nil {
- t.Fatalf("Unmarshalled nil N field")
- }
- if *back.N != 42 {
- t.Fatalf("*N = %d; want 42", *back.N)
- }
-}
-
-var encodeStringTests = []struct {
- in string
- out string
-}{
- {"\x00", `"\u0000"`},
- {"\x01", `"\u0001"`},
- {"\x02", `"\u0002"`},
- {"\x03", `"\u0003"`},
- {"\x04", `"\u0004"`},
- {"\x05", `"\u0005"`},
- {"\x06", `"\u0006"`},
- {"\x07", `"\u0007"`},
- {"\x08", `"\u0008"`},
- {"\x09", `"\t"`},
- {"\x0a", `"\n"`},
- {"\x0b", `"\u000b"`},
- {"\x0c", `"\u000c"`},
- {"\x0d", `"\r"`},
- {"\x0e", `"\u000e"`},
- {"\x0f", `"\u000f"`},
- {"\x10", `"\u0010"`},
- {"\x11", `"\u0011"`},
- {"\x12", `"\u0012"`},
- {"\x13", `"\u0013"`},
- {"\x14", `"\u0014"`},
- {"\x15", `"\u0015"`},
- {"\x16", `"\u0016"`},
- {"\x17", `"\u0017"`},
- {"\x18", `"\u0018"`},
- {"\x19", `"\u0019"`},
- {"\x1a", `"\u001a"`},
- {"\x1b", `"\u001b"`},
- {"\x1c", `"\u001c"`},
- {"\x1d", `"\u001d"`},
- {"\x1e", `"\u001e"`},
- {"\x1f", `"\u001f"`},
-}
-
-func TestEncodeString(t *testing.T) {
- for _, tt := range encodeStringTests {
- b, err := Marshal(tt.in)
- if err != nil {
- t.Errorf("Marshal(%q): %v", tt.in, err)
- continue
- }
- out := string(b)
- if out != tt.out {
- t.Errorf("Marshal(%q) = %#q, want %#q", tt.in, out, tt.out)
- }
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/indent.go b/vendor/gopkg.in/square/go-jose.v1/json/indent.go
deleted file mode 100644
index 7cd9f4db..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/indent.go
+++ /dev/null
@@ -1,141 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import "bytes"
-
-// Compact appends to dst the JSON-encoded src with
-// insignificant space characters elided.
-func Compact(dst *bytes.Buffer, src []byte) error {
- return compact(dst, src, false)
-}
-
-func compact(dst *bytes.Buffer, src []byte, escape bool) error {
- origLen := dst.Len()
- var scan scanner
- scan.reset()
- start := 0
- for i, c := range src {
- if escape && (c == '<' || c == '>' || c == '&') {
- if start < i {
- dst.Write(src[start:i])
- }
- dst.WriteString(`\u00`)
- dst.WriteByte(hex[c>>4])
- dst.WriteByte(hex[c&0xF])
- start = i + 1
- }
- // Convert U+2028 and U+2029 (E2 80 A8 and E2 80 A9).
- if c == 0xE2 && i+2 < len(src) && src[i+1] == 0x80 && src[i+2]&^1 == 0xA8 {
- if start < i {
- dst.Write(src[start:i])
- }
- dst.WriteString(`\u202`)
- dst.WriteByte(hex[src[i+2]&0xF])
- start = i + 3
- }
- v := scan.step(&scan, c)
- if v >= scanSkipSpace {
- if v == scanError {
- break
- }
- if start < i {
- dst.Write(src[start:i])
- }
- start = i + 1
- }
- }
- if scan.eof() == scanError {
- dst.Truncate(origLen)
- return scan.err
- }
- if start < len(src) {
- dst.Write(src[start:])
- }
- return nil
-}
-
-func newline(dst *bytes.Buffer, prefix, indent string, depth int) {
- dst.WriteByte('\n')
- dst.WriteString(prefix)
- for i := 0; i < depth; i++ {
- dst.WriteString(indent)
- }
-}
-
-// Indent appends to dst an indented form of the JSON-encoded src.
-// Each element in a JSON object or array begins on a new,
-// indented line beginning with prefix followed by one or more
-// copies of indent according to the indentation nesting.
-// The data appended to dst does not begin with the prefix nor
-// any indentation, to make it easier to embed inside other formatted JSON data.
-// Although leading space characters (space, tab, carriage return, newline)
-// at the beginning of src are dropped, trailing space characters
-// at the end of src are preserved and copied to dst.
-// For example, if src has no trailing spaces, neither will dst;
-// if src ends in a trailing newline, so will dst.
-func Indent(dst *bytes.Buffer, src []byte, prefix, indent string) error {
- origLen := dst.Len()
- var scan scanner
- scan.reset()
- needIndent := false
- depth := 0
- for _, c := range src {
- scan.bytes++
- v := scan.step(&scan, c)
- if v == scanSkipSpace {
- continue
- }
- if v == scanError {
- break
- }
- if needIndent && v != scanEndObject && v != scanEndArray {
- needIndent = false
- depth++
- newline(dst, prefix, indent, depth)
- }
-
- // Emit semantically uninteresting bytes
- // (in particular, punctuation in strings) unmodified.
- if v == scanContinue {
- dst.WriteByte(c)
- continue
- }
-
- // Add spacing around real punctuation.
- switch c {
- case '{', '[':
- // delay indent so that empty object and array are formatted as {} and [].
- needIndent = true
- dst.WriteByte(c)
-
- case ',':
- dst.WriteByte(c)
- newline(dst, prefix, indent, depth)
-
- case ':':
- dst.WriteByte(c)
- dst.WriteByte(' ')
-
- case '}', ']':
- if needIndent {
- // suppress indent in empty object/array
- needIndent = false
- } else {
- depth--
- newline(dst, prefix, indent, depth)
- }
- dst.WriteByte(c)
-
- default:
- dst.WriteByte(c)
- }
- }
- if scan.eof() == scanError {
- dst.Truncate(origLen)
- return scan.err
- }
- return nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/number_test.go b/vendor/gopkg.in/square/go-jose.v1/json/number_test.go
deleted file mode 100644
index 4e63cf9c..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/number_test.go
+++ /dev/null
@@ -1,133 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "regexp"
- "testing"
-)
-
-func TestNumberIsValid(t *testing.T) {
- // From: http://stackoverflow.com/a/13340826
- var jsonNumberRegexp = regexp.MustCompile(`^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?$`)
-
- validTests := []string{
- "0",
- "-0",
- "1",
- "-1",
- "0.1",
- "-0.1",
- "1234",
- "-1234",
- "12.34",
- "-12.34",
- "12E0",
- "12E1",
- "12e34",
- "12E-0",
- "12e+1",
- "12e-34",
- "-12E0",
- "-12E1",
- "-12e34",
- "-12E-0",
- "-12e+1",
- "-12e-34",
- "1.2E0",
- "1.2E1",
- "1.2e34",
- "1.2E-0",
- "1.2e+1",
- "1.2e-34",
- "-1.2E0",
- "-1.2E1",
- "-1.2e34",
- "-1.2E-0",
- "-1.2e+1",
- "-1.2e-34",
- "0E0",
- "0E1",
- "0e34",
- "0E-0",
- "0e+1",
- "0e-34",
- "-0E0",
- "-0E1",
- "-0e34",
- "-0E-0",
- "-0e+1",
- "-0e-34",
- }
-
- for _, test := range validTests {
- if !isValidNumber(test) {
- t.Errorf("%s should be valid", test)
- }
-
- var f float64
- if err := Unmarshal([]byte(test), &f); err != nil {
- t.Errorf("%s should be valid but Unmarshal failed: %v", test, err)
- }
-
- if !jsonNumberRegexp.MatchString(test) {
- t.Errorf("%s should be valid but regexp does not match", test)
- }
- }
-
- invalidTests := []string{
- "",
- "invalid",
- "1.0.1",
- "1..1",
- "-1-2",
- "012a42",
- "01.2",
- "012",
- "12E12.12",
- "1e2e3",
- "1e+-2",
- "1e--23",
- "1e",
- "e1",
- "1e+",
- "1ea",
- "1a",
- "1.a",
- "1.",
- "01",
- "1.e1",
- }
-
- for _, test := range invalidTests {
- if isValidNumber(test) {
- t.Errorf("%s should be invalid", test)
- }
-
- var f float64
- if err := Unmarshal([]byte(test), &f); err == nil {
- t.Errorf("%s should be invalid but unmarshal wrote %v", test, f)
- }
-
- if jsonNumberRegexp.MatchString(test) {
- t.Errorf("%s should be invalid but matches regexp", test)
- }
- }
-}
-
-func BenchmarkNumberIsValid(b *testing.B) {
- s := "-61657.61667E+61673"
- for i := 0; i < b.N; i++ {
- isValidNumber(s)
- }
-}
-
-func BenchmarkNumberIsValidRegexp(b *testing.B) {
- var jsonNumberRegexp = regexp.MustCompile(`^-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?$`)
- s := "-61657.61667E+61673"
- for i := 0; i < b.N; i++ {
- jsonNumberRegexp.MatchString(s)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/scanner.go b/vendor/gopkg.in/square/go-jose.v1/json/scanner.go
deleted file mode 100644
index ee6622e8..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/scanner.go
+++ /dev/null
@@ -1,623 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-// JSON value parser state machine.
-// Just about at the limit of what is reasonable to write by hand.
-// Some parts are a bit tedious, but overall it nicely factors out the
-// otherwise common code from the multiple scanning functions
-// in this package (Compact, Indent, checkValid, nextValue, etc).
-//
-// This file starts with two simple examples using the scanner
-// before diving into the scanner itself.
-
-import "strconv"
-
-// checkValid verifies that data is valid JSON-encoded data.
-// scan is passed in for use by checkValid to avoid an allocation.
-func checkValid(data []byte, scan *scanner) error {
- scan.reset()
- for _, c := range data {
- scan.bytes++
- if scan.step(scan, c) == scanError {
- return scan.err
- }
- }
- if scan.eof() == scanError {
- return scan.err
- }
- return nil
-}
-
-// nextValue splits data after the next whole JSON value,
-// returning that value and the bytes that follow it as separate slices.
-// scan is passed in for use by nextValue to avoid an allocation.
-func nextValue(data []byte, scan *scanner) (value, rest []byte, err error) {
- scan.reset()
- for i, c := range data {
- v := scan.step(scan, c)
- if v >= scanEndObject {
- switch v {
- // probe the scanner with a space to determine whether we will
- // get scanEnd on the next character. Otherwise, if the next character
- // is not a space, scanEndTop allocates a needless error.
- case scanEndObject, scanEndArray:
- if scan.step(scan, ' ') == scanEnd {
- return data[:i+1], data[i+1:], nil
- }
- case scanError:
- return nil, nil, scan.err
- case scanEnd:
- return data[:i], data[i:], nil
- }
- }
- }
- if scan.eof() == scanError {
- return nil, nil, scan.err
- }
- return data, nil, nil
-}
-
-// A SyntaxError is a description of a JSON syntax error.
-type SyntaxError struct {
- msg string // description of error
- Offset int64 // error occurred after reading Offset bytes
-}
-
-func (e *SyntaxError) Error() string { return e.msg }
-
-// A scanner is a JSON scanning state machine.
-// Callers call scan.reset() and then pass bytes in one at a time
-// by calling scan.step(&scan, c) for each byte.
-// The return value, referred to as an opcode, tells the
-// caller about significant parsing events like beginning
-// and ending literals, objects, and arrays, so that the
-// caller can follow along if it wishes.
-// The return value scanEnd indicates that a single top-level
-// JSON value has been completed, *before* the byte that
-// just got passed in. (The indication must be delayed in order
-// to recognize the end of numbers: is 123 a whole value or
-// the beginning of 12345e+6?).
-type scanner struct {
- // The step is a func to be called to execute the next transition.
- // Also tried using an integer constant and a single func
- // with a switch, but using the func directly was 10% faster
- // on a 64-bit Mac Mini, and it's nicer to read.
- step func(*scanner, byte) int
-
- // Reached end of top-level value.
- endTop bool
-
- // Stack of what we're in the middle of - array values, object keys, object values.
- parseState []int
-
- // Error that happened, if any.
- err error
-
- // 1-byte redo (see undo method)
- redo bool
- redoCode int
- redoState func(*scanner, byte) int
-
- // total bytes consumed, updated by decoder.Decode
- bytes int64
-}
-
-// These values are returned by the state transition functions
-// assigned to scanner.state and the method scanner.eof.
-// They give details about the current state of the scan that
-// callers might be interested to know about.
-// It is okay to ignore the return value of any particular
-// call to scanner.state: if one call returns scanError,
-// every subsequent call will return scanError too.
-const (
- // Continue.
- scanContinue = iota // uninteresting byte
- scanBeginLiteral // end implied by next result != scanContinue
- scanBeginObject // begin object
- scanObjectKey // just finished object key (string)
- scanObjectValue // just finished non-last object value
- scanEndObject // end object (implies scanObjectValue if possible)
- scanBeginArray // begin array
- scanArrayValue // just finished array value
- scanEndArray // end array (implies scanArrayValue if possible)
- scanSkipSpace // space byte; can skip; known to be last "continue" result
-
- // Stop.
- scanEnd // top-level value ended *before* this byte; known to be first "stop" result
- scanError // hit an error, scanner.err.
-)
-
-// These values are stored in the parseState stack.
-// They give the current state of a composite value
-// being scanned. If the parser is inside a nested value
-// the parseState describes the nested state, outermost at entry 0.
-const (
- parseObjectKey = iota // parsing object key (before colon)
- parseObjectValue // parsing object value (after colon)
- parseArrayValue // parsing array value
-)
-
-// reset prepares the scanner for use.
-// It must be called before calling s.step.
-func (s *scanner) reset() {
- s.step = stateBeginValue
- s.parseState = s.parseState[0:0]
- s.err = nil
- s.redo = false
- s.endTop = false
-}
-
-// eof tells the scanner that the end of input has been reached.
-// It returns a scan status just as s.step does.
-func (s *scanner) eof() int {
- if s.err != nil {
- return scanError
- }
- if s.endTop {
- return scanEnd
- }
- s.step(s, ' ')
- if s.endTop {
- return scanEnd
- }
- if s.err == nil {
- s.err = &SyntaxError{"unexpected end of JSON input", s.bytes}
- }
- return scanError
-}
-
-// pushParseState pushes a new parse state p onto the parse stack.
-func (s *scanner) pushParseState(p int) {
- s.parseState = append(s.parseState, p)
-}
-
-// popParseState pops a parse state (already obtained) off the stack
-// and updates s.step accordingly.
-func (s *scanner) popParseState() {
- n := len(s.parseState) - 1
- s.parseState = s.parseState[0:n]
- s.redo = false
- if n == 0 {
- s.step = stateEndTop
- s.endTop = true
- } else {
- s.step = stateEndValue
- }
-}
-
-func isSpace(c byte) bool {
- return c == ' ' || c == '\t' || c == '\r' || c == '\n'
-}
-
-// stateBeginValueOrEmpty is the state after reading `[`.
-func stateBeginValueOrEmpty(s *scanner, c byte) int {
- if c <= ' ' && isSpace(c) {
- return scanSkipSpace
- }
- if c == ']' {
- return stateEndValue(s, c)
- }
- return stateBeginValue(s, c)
-}
-
-// stateBeginValue is the state at the beginning of the input.
-func stateBeginValue(s *scanner, c byte) int {
- if c <= ' ' && isSpace(c) {
- return scanSkipSpace
- }
- switch c {
- case '{':
- s.step = stateBeginStringOrEmpty
- s.pushParseState(parseObjectKey)
- return scanBeginObject
- case '[':
- s.step = stateBeginValueOrEmpty
- s.pushParseState(parseArrayValue)
- return scanBeginArray
- case '"':
- s.step = stateInString
- return scanBeginLiteral
- case '-':
- s.step = stateNeg
- return scanBeginLiteral
- case '0': // beginning of 0.123
- s.step = state0
- return scanBeginLiteral
- case 't': // beginning of true
- s.step = stateT
- return scanBeginLiteral
- case 'f': // beginning of false
- s.step = stateF
- return scanBeginLiteral
- case 'n': // beginning of null
- s.step = stateN
- return scanBeginLiteral
- }
- if '1' <= c && c <= '9' { // beginning of 1234.5
- s.step = state1
- return scanBeginLiteral
- }
- return s.error(c, "looking for beginning of value")
-}
-
-// stateBeginStringOrEmpty is the state after reading `{`.
-func stateBeginStringOrEmpty(s *scanner, c byte) int {
- if c <= ' ' && isSpace(c) {
- return scanSkipSpace
- }
- if c == '}' {
- n := len(s.parseState)
- s.parseState[n-1] = parseObjectValue
- return stateEndValue(s, c)
- }
- return stateBeginString(s, c)
-}
-
-// stateBeginString is the state after reading `{"key": value,`.
-func stateBeginString(s *scanner, c byte) int {
- if c <= ' ' && isSpace(c) {
- return scanSkipSpace
- }
- if c == '"' {
- s.step = stateInString
- return scanBeginLiteral
- }
- return s.error(c, "looking for beginning of object key string")
-}
-
-// stateEndValue is the state after completing a value,
-// such as after reading `{}` or `true` or `["x"`.
-func stateEndValue(s *scanner, c byte) int {
- n := len(s.parseState)
- if n == 0 {
- // Completed top-level before the current byte.
- s.step = stateEndTop
- s.endTop = true
- return stateEndTop(s, c)
- }
- if c <= ' ' && isSpace(c) {
- s.step = stateEndValue
- return scanSkipSpace
- }
- ps := s.parseState[n-1]
- switch ps {
- case parseObjectKey:
- if c == ':' {
- s.parseState[n-1] = parseObjectValue
- s.step = stateBeginValue
- return scanObjectKey
- }
- return s.error(c, "after object key")
- case parseObjectValue:
- if c == ',' {
- s.parseState[n-1] = parseObjectKey
- s.step = stateBeginString
- return scanObjectValue
- }
- if c == '}' {
- s.popParseState()
- return scanEndObject
- }
- return s.error(c, "after object key:value pair")
- case parseArrayValue:
- if c == ',' {
- s.step = stateBeginValue
- return scanArrayValue
- }
- if c == ']' {
- s.popParseState()
- return scanEndArray
- }
- return s.error(c, "after array element")
- }
- return s.error(c, "")
-}
-
-// stateEndTop is the state after finishing the top-level value,
-// such as after reading `{}` or `[1,2,3]`.
-// Only space characters should be seen now.
-func stateEndTop(s *scanner, c byte) int {
- if c != ' ' && c != '\t' && c != '\r' && c != '\n' {
- // Complain about non-space byte on next call.
- s.error(c, "after top-level value")
- }
- return scanEnd
-}
-
-// stateInString is the state after reading `"`.
-func stateInString(s *scanner, c byte) int {
- if c == '"' {
- s.step = stateEndValue
- return scanContinue
- }
- if c == '\\' {
- s.step = stateInStringEsc
- return scanContinue
- }
- if c < 0x20 {
- return s.error(c, "in string literal")
- }
- return scanContinue
-}
-
-// stateInStringEsc is the state after reading `"\` during a quoted string.
-func stateInStringEsc(s *scanner, c byte) int {
- switch c {
- case 'b', 'f', 'n', 'r', 't', '\\', '/', '"':
- s.step = stateInString
- return scanContinue
- case 'u':
- s.step = stateInStringEscU
- return scanContinue
- }
- return s.error(c, "in string escape code")
-}
-
-// stateInStringEscU is the state after reading `"\u` during a quoted string.
-func stateInStringEscU(s *scanner, c byte) int {
- if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
- s.step = stateInStringEscU1
- return scanContinue
- }
- // numbers
- return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU1 is the state after reading `"\u1` during a quoted string.
-func stateInStringEscU1(s *scanner, c byte) int {
- if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
- s.step = stateInStringEscU12
- return scanContinue
- }
- // numbers
- return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU12 is the state after reading `"\u12` during a quoted string.
-func stateInStringEscU12(s *scanner, c byte) int {
- if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
- s.step = stateInStringEscU123
- return scanContinue
- }
- // numbers
- return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateInStringEscU123 is the state after reading `"\u123` during a quoted string.
-func stateInStringEscU123(s *scanner, c byte) int {
- if '0' <= c && c <= '9' || 'a' <= c && c <= 'f' || 'A' <= c && c <= 'F' {
- s.step = stateInString
- return scanContinue
- }
- // numbers
- return s.error(c, "in \\u hexadecimal character escape")
-}
-
-// stateNeg is the state after reading `-` during a number.
-func stateNeg(s *scanner, c byte) int {
- if c == '0' {
- s.step = state0
- return scanContinue
- }
- if '1' <= c && c <= '9' {
- s.step = state1
- return scanContinue
- }
- return s.error(c, "in numeric literal")
-}
-
-// state1 is the state after reading a non-zero integer during a number,
-// such as after reading `1` or `100` but not `0`.
-func state1(s *scanner, c byte) int {
- if '0' <= c && c <= '9' {
- s.step = state1
- return scanContinue
- }
- return state0(s, c)
-}
-
-// state0 is the state after reading `0` during a number.
-func state0(s *scanner, c byte) int {
- if c == '.' {
- s.step = stateDot
- return scanContinue
- }
- if c == 'e' || c == 'E' {
- s.step = stateE
- return scanContinue
- }
- return stateEndValue(s, c)
-}
-
-// stateDot is the state after reading the integer and decimal point in a number,
-// such as after reading `1.`.
-func stateDot(s *scanner, c byte) int {
- if '0' <= c && c <= '9' {
- s.step = stateDot0
- return scanContinue
- }
- return s.error(c, "after decimal point in numeric literal")
-}
-
-// stateDot0 is the state after reading the integer, decimal point, and subsequent
-// digits of a number, such as after reading `3.14`.
-func stateDot0(s *scanner, c byte) int {
- if '0' <= c && c <= '9' {
- return scanContinue
- }
- if c == 'e' || c == 'E' {
- s.step = stateE
- return scanContinue
- }
- return stateEndValue(s, c)
-}
-
-// stateE is the state after reading the mantissa and e in a number,
-// such as after reading `314e` or `0.314e`.
-func stateE(s *scanner, c byte) int {
- if c == '+' || c == '-' {
- s.step = stateESign
- return scanContinue
- }
- return stateESign(s, c)
-}
-
-// stateESign is the state after reading the mantissa, e, and sign in a number,
-// such as after reading `314e-` or `0.314e+`.
-func stateESign(s *scanner, c byte) int {
- if '0' <= c && c <= '9' {
- s.step = stateE0
- return scanContinue
- }
- return s.error(c, "in exponent of numeric literal")
-}
-
-// stateE0 is the state after reading the mantissa, e, optional sign,
-// and at least one digit of the exponent in a number,
-// such as after reading `314e-2` or `0.314e+1` or `3.14e0`.
-func stateE0(s *scanner, c byte) int {
- if '0' <= c && c <= '9' {
- return scanContinue
- }
- return stateEndValue(s, c)
-}
-
-// stateT is the state after reading `t`.
-func stateT(s *scanner, c byte) int {
- if c == 'r' {
- s.step = stateTr
- return scanContinue
- }
- return s.error(c, "in literal true (expecting 'r')")
-}
-
-// stateTr is the state after reading `tr`.
-func stateTr(s *scanner, c byte) int {
- if c == 'u' {
- s.step = stateTru
- return scanContinue
- }
- return s.error(c, "in literal true (expecting 'u')")
-}
-
-// stateTru is the state after reading `tru`.
-func stateTru(s *scanner, c byte) int {
- if c == 'e' {
- s.step = stateEndValue
- return scanContinue
- }
- return s.error(c, "in literal true (expecting 'e')")
-}
-
-// stateF is the state after reading `f`.
-func stateF(s *scanner, c byte) int {
- if c == 'a' {
- s.step = stateFa
- return scanContinue
- }
- return s.error(c, "in literal false (expecting 'a')")
-}
-
-// stateFa is the state after reading `fa`.
-func stateFa(s *scanner, c byte) int {
- if c == 'l' {
- s.step = stateFal
- return scanContinue
- }
- return s.error(c, "in literal false (expecting 'l')")
-}
-
-// stateFal is the state after reading `fal`.
-func stateFal(s *scanner, c byte) int {
- if c == 's' {
- s.step = stateFals
- return scanContinue
- }
- return s.error(c, "in literal false (expecting 's')")
-}
-
-// stateFals is the state after reading `fals`.
-func stateFals(s *scanner, c byte) int {
- if c == 'e' {
- s.step = stateEndValue
- return scanContinue
- }
- return s.error(c, "in literal false (expecting 'e')")
-}
-
-// stateN is the state after reading `n`.
-func stateN(s *scanner, c byte) int {
- if c == 'u' {
- s.step = stateNu
- return scanContinue
- }
- return s.error(c, "in literal null (expecting 'u')")
-}
-
-// stateNu is the state after reading `nu`.
-func stateNu(s *scanner, c byte) int {
- if c == 'l' {
- s.step = stateNul
- return scanContinue
- }
- return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateNul is the state after reading `nul`.
-func stateNul(s *scanner, c byte) int {
- if c == 'l' {
- s.step = stateEndValue
- return scanContinue
- }
- return s.error(c, "in literal null (expecting 'l')")
-}
-
-// stateError is the state after reaching a syntax error,
-// such as after reading `[1}` or `5.1.2`.
-func stateError(s *scanner, c byte) int {
- return scanError
-}
-
-// error records an error and switches to the error state.
-func (s *scanner) error(c byte, context string) int {
- s.step = stateError
- s.err = &SyntaxError{"invalid character " + quoteChar(c) + " " + context, s.bytes}
- return scanError
-}
-
-// quoteChar formats c as a quoted character literal
-func quoteChar(c byte) string {
- // special cases - different from quoted strings
- if c == '\'' {
- return `'\''`
- }
- if c == '"' {
- return `'"'`
- }
-
- // use quoted string with different quotation marks
- s := strconv.Quote(string(c))
- return "'" + s[1:len(s)-1] + "'"
-}
-
-// undo causes the scanner to return scanCode from the next state transition.
-// This gives callers a simple 1-byte undo mechanism.
-func (s *scanner) undo(scanCode int) {
- if s.redo {
- panic("json: invalid use of scanner")
- }
- s.redoCode = scanCode
- s.redoState = s.step
- s.step = stateRedo
- s.redo = true
-}
-
-// stateRedo helps implement the scanner's 1-byte undo.
-func stateRedo(s *scanner, c byte) int {
- s.redo = false
- s.step = s.redoState
- return s.redoCode
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/scanner_test.go b/vendor/gopkg.in/square/go-jose.v1/json/scanner_test.go
deleted file mode 100644
index 66383ef0..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/scanner_test.go
+++ /dev/null
@@ -1,316 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "bytes"
- "math"
- "math/rand"
- "reflect"
- "testing"
-)
-
-// Tests of simple examples.
-
-type example struct {
- compact string
- indent string
-}
-
-var examples = []example{
- {`1`, `1`},
- {`{}`, `{}`},
- {`[]`, `[]`},
- {`{"":2}`, "{\n\t\"\": 2\n}"},
- {`[3]`, "[\n\t3\n]"},
- {`[1,2,3]`, "[\n\t1,\n\t2,\n\t3\n]"},
- {`{"x":1}`, "{\n\t\"x\": 1\n}"},
- {ex1, ex1i},
-}
-
-var ex1 = `[true,false,null,"x",1,1.5,0,-5e+2]`
-
-var ex1i = `[
- true,
- false,
- null,
- "x",
- 1,
- 1.5,
- 0,
- -5e+2
-]`
-
-func TestCompact(t *testing.T) {
- var buf bytes.Buffer
- for _, tt := range examples {
- buf.Reset()
- if err := Compact(&buf, []byte(tt.compact)); err != nil {
- t.Errorf("Compact(%#q): %v", tt.compact, err)
- } else if s := buf.String(); s != tt.compact {
- t.Errorf("Compact(%#q) = %#q, want original", tt.compact, s)
- }
-
- buf.Reset()
- if err := Compact(&buf, []byte(tt.indent)); err != nil {
- t.Errorf("Compact(%#q): %v", tt.indent, err)
- continue
- } else if s := buf.String(); s != tt.compact {
- t.Errorf("Compact(%#q) = %#q, want %#q", tt.indent, s, tt.compact)
- }
- }
-}
-
-func TestCompactSeparators(t *testing.T) {
- // U+2028 and U+2029 should be escaped inside strings.
- // They should not appear outside strings.
- tests := []struct {
- in, compact string
- }{
- {"{\"\u2028\": 1}", `{"\u2028":1}`},
- {"{\"\u2029\" :2}", `{"\u2029":2}`},
- }
- for _, tt := range tests {
- var buf bytes.Buffer
- if err := Compact(&buf, []byte(tt.in)); err != nil {
- t.Errorf("Compact(%q): %v", tt.in, err)
- } else if s := buf.String(); s != tt.compact {
- t.Errorf("Compact(%q) = %q, want %q", tt.in, s, tt.compact)
- }
- }
-}
-
-func TestIndent(t *testing.T) {
- var buf bytes.Buffer
- for _, tt := range examples {
- buf.Reset()
- if err := Indent(&buf, []byte(tt.indent), "", "\t"); err != nil {
- t.Errorf("Indent(%#q): %v", tt.indent, err)
- } else if s := buf.String(); s != tt.indent {
- t.Errorf("Indent(%#q) = %#q, want original", tt.indent, s)
- }
-
- buf.Reset()
- if err := Indent(&buf, []byte(tt.compact), "", "\t"); err != nil {
- t.Errorf("Indent(%#q): %v", tt.compact, err)
- continue
- } else if s := buf.String(); s != tt.indent {
- t.Errorf("Indent(%#q) = %#q, want %#q", tt.compact, s, tt.indent)
- }
- }
-}
-
-// Tests of a large random structure.
-
-func TestCompactBig(t *testing.T) {
- initBig()
- var buf bytes.Buffer
- if err := Compact(&buf, jsonBig); err != nil {
- t.Fatalf("Compact: %v", err)
- }
- b := buf.Bytes()
- if !bytes.Equal(b, jsonBig) {
- t.Error("Compact(jsonBig) != jsonBig")
- diff(t, b, jsonBig)
- return
- }
-}
-
-func TestIndentBig(t *testing.T) {
- initBig()
- var buf bytes.Buffer
- if err := Indent(&buf, jsonBig, "", "\t"); err != nil {
- t.Fatalf("Indent1: %v", err)
- }
- b := buf.Bytes()
- if len(b) == len(jsonBig) {
- // jsonBig is compact (no unnecessary spaces);
- // indenting should make it bigger
- t.Fatalf("Indent(jsonBig) did not get bigger")
- }
-
- // should be idempotent
- var buf1 bytes.Buffer
- if err := Indent(&buf1, b, "", "\t"); err != nil {
- t.Fatalf("Indent2: %v", err)
- }
- b1 := buf1.Bytes()
- if !bytes.Equal(b1, b) {
- t.Error("Indent(Indent(jsonBig)) != Indent(jsonBig)")
- diff(t, b1, b)
- return
- }
-
- // should get back to original
- buf1.Reset()
- if err := Compact(&buf1, b); err != nil {
- t.Fatalf("Compact: %v", err)
- }
- b1 = buf1.Bytes()
- if !bytes.Equal(b1, jsonBig) {
- t.Error("Compact(Indent(jsonBig)) != jsonBig")
- diff(t, b1, jsonBig)
- return
- }
-}
-
-type indentErrorTest struct {
- in string
- err error
-}
-
-var indentErrorTests = []indentErrorTest{
- {`{"X": "foo", "Y"}`, &SyntaxError{"invalid character '}' after object key", 17}},
- {`{"X": "foo" "Y": "bar"}`, &SyntaxError{"invalid character '\"' after object key:value pair", 13}},
-}
-
-func TestIndentErrors(t *testing.T) {
- for i, tt := range indentErrorTests {
- slice := make([]uint8, 0)
- buf := bytes.NewBuffer(slice)
- if err := Indent(buf, []uint8(tt.in), "", ""); err != nil {
- if !reflect.DeepEqual(err, tt.err) {
- t.Errorf("#%d: Indent: %#v", i, err)
- continue
- }
- }
- }
-}
-
-func TestNextValueBig(t *testing.T) {
- initBig()
- var scan scanner
- item, rest, err := nextValue(jsonBig, &scan)
- if err != nil {
- t.Fatalf("nextValue: %s", err)
- }
- if len(item) != len(jsonBig) || &item[0] != &jsonBig[0] {
- t.Errorf("invalid item: %d %d", len(item), len(jsonBig))
- }
- if len(rest) != 0 {
- t.Errorf("invalid rest: %d", len(rest))
- }
-
- item, rest, err = nextValue(append(jsonBig, "HELLO WORLD"...), &scan)
- if err != nil {
- t.Fatalf("nextValue extra: %s", err)
- }
- if len(item) != len(jsonBig) {
- t.Errorf("invalid item: %d %d", len(item), len(jsonBig))
- }
- if string(rest) != "HELLO WORLD" {
- t.Errorf("invalid rest: %d", len(rest))
- }
-}
-
-var benchScan scanner
-
-func BenchmarkSkipValue(b *testing.B) {
- initBig()
- b.ResetTimer()
- for i := 0; i < b.N; i++ {
- nextValue(jsonBig, &benchScan)
- }
- b.SetBytes(int64(len(jsonBig)))
-}
-
-func diff(t *testing.T, a, b []byte) {
- for i := 0; ; i++ {
- if i >= len(a) || i >= len(b) || a[i] != b[i] {
- j := i - 10
- if j < 0 {
- j = 0
- }
- t.Errorf("diverge at %d: «%s» vs «%s»", i, trim(a[j:]), trim(b[j:]))
- return
- }
- }
-}
-
-func trim(b []byte) []byte {
- if len(b) > 20 {
- return b[0:20]
- }
- return b
-}
-
-// Generate a random JSON object.
-
-var jsonBig []byte
-
-func initBig() {
- n := 10000
- if testing.Short() {
- n = 100
- }
- b, err := Marshal(genValue(n))
- if err != nil {
- panic(err)
- }
- jsonBig = b
-}
-
-func genValue(n int) interface{} {
- if n > 1 {
- switch rand.Intn(2) {
- case 0:
- return genArray(n)
- case 1:
- return genMap(n)
- }
- }
- switch rand.Intn(3) {
- case 0:
- return rand.Intn(2) == 0
- case 1:
- return rand.NormFloat64()
- case 2:
- return genString(30)
- }
- panic("unreachable")
-}
-
-func genString(stddev float64) string {
- n := int(math.Abs(rand.NormFloat64()*stddev + stddev/2))
- c := make([]rune, n)
- for i := range c {
- f := math.Abs(rand.NormFloat64()*64 + 32)
- if f > 0x10ffff {
- f = 0x10ffff
- }
- c[i] = rune(f)
- }
- return string(c)
-}
-
-func genArray(n int) []interface{} {
- f := int(math.Abs(rand.NormFloat64()) * math.Min(10, float64(n/2)))
- if f > n {
- f = n
- }
- if f < 1 {
- f = 1
- }
- x := make([]interface{}, f)
- for i := range x {
- x[i] = genValue(((i+1)*n)/f - (i*n)/f)
- }
- return x
-}
-
-func genMap(n int) map[string]interface{} {
- f := int(math.Abs(rand.NormFloat64()) * math.Min(10, float64(n/2)))
- if f > n {
- f = n
- }
- if n > 0 && f == 0 {
- f = 1
- }
- x := make(map[string]interface{})
- for i := 0; i < f; i++ {
- x[genString(10)] = genValue(((i+1)*n)/f - (i*n)/f)
- }
- return x
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/stream.go b/vendor/gopkg.in/square/go-jose.v1/json/stream.go
deleted file mode 100644
index 8ddcf4d2..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/stream.go
+++ /dev/null
@@ -1,480 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "bytes"
- "errors"
- "io"
-)
-
-// A Decoder reads and decodes JSON objects from an input stream.
-type Decoder struct {
- r io.Reader
- buf []byte
- d decodeState
- scanp int // start of unread data in buf
- scan scanner
- err error
-
- tokenState int
- tokenStack []int
-}
-
-// NewDecoder returns a new decoder that reads from r.
-//
-// The decoder introduces its own buffering and may
-// read data from r beyond the JSON values requested.
-func NewDecoder(r io.Reader) *Decoder {
- return &Decoder{r: r}
-}
-
-// UseNumber causes the Decoder to unmarshal a number into an interface{} as a
-// Number instead of as a float64.
-func (dec *Decoder) UseNumber() { dec.d.useNumber = true }
-
-// Decode reads the next JSON-encoded value from its
-// input and stores it in the value pointed to by v.
-//
-// See the documentation for Unmarshal for details about
-// the conversion of JSON into a Go value.
-func (dec *Decoder) Decode(v interface{}) error {
- if dec.err != nil {
- return dec.err
- }
-
- if err := dec.tokenPrepareForDecode(); err != nil {
- return err
- }
-
- if !dec.tokenValueAllowed() {
- return &SyntaxError{msg: "not at beginning of value"}
- }
-
- // Read whole value into buffer.
- n, err := dec.readValue()
- if err != nil {
- return err
- }
- dec.d.init(dec.buf[dec.scanp : dec.scanp+n])
- dec.scanp += n
-
- // Don't save err from unmarshal into dec.err:
- // the connection is still usable since we read a complete JSON
- // object from it before the error happened.
- err = dec.d.unmarshal(v)
-
- // fixup token streaming state
- dec.tokenValueEnd()
-
- return err
-}
-
-// Buffered returns a reader of the data remaining in the Decoder's
-// buffer. The reader is valid until the next call to Decode.
-func (dec *Decoder) Buffered() io.Reader {
- return bytes.NewReader(dec.buf[dec.scanp:])
-}
-
-// readValue reads a JSON value into dec.buf.
-// It returns the length of the encoding.
-func (dec *Decoder) readValue() (int, error) {
- dec.scan.reset()
-
- scanp := dec.scanp
- var err error
-Input:
- for {
- // Look in the buffer for a new value.
- for i, c := range dec.buf[scanp:] {
- dec.scan.bytes++
- v := dec.scan.step(&dec.scan, c)
- if v == scanEnd {
- scanp += i
- break Input
- }
- // scanEnd is delayed one byte.
- // We might block trying to get that byte from src,
- // so instead invent a space byte.
- if (v == scanEndObject || v == scanEndArray) && dec.scan.step(&dec.scan, ' ') == scanEnd {
- scanp += i + 1
- break Input
- }
- if v == scanError {
- dec.err = dec.scan.err
- return 0, dec.scan.err
- }
- }
- scanp = len(dec.buf)
-
- // Did the last read have an error?
- // Delayed until now to allow buffer scan.
- if err != nil {
- if err == io.EOF {
- if dec.scan.step(&dec.scan, ' ') == scanEnd {
- break Input
- }
- if nonSpace(dec.buf) {
- err = io.ErrUnexpectedEOF
- }
- }
- dec.err = err
- return 0, err
- }
-
- n := scanp - dec.scanp
- err = dec.refill()
- scanp = dec.scanp + n
- }
- return scanp - dec.scanp, nil
-}
-
-func (dec *Decoder) refill() error {
- // Make room to read more into the buffer.
- // First slide down data already consumed.
- if dec.scanp > 0 {
- n := copy(dec.buf, dec.buf[dec.scanp:])
- dec.buf = dec.buf[:n]
- dec.scanp = 0
- }
-
- // Grow buffer if not large enough.
- const minRead = 512
- if cap(dec.buf)-len(dec.buf) < minRead {
- newBuf := make([]byte, len(dec.buf), 2*cap(dec.buf)+minRead)
- copy(newBuf, dec.buf)
- dec.buf = newBuf
- }
-
- // Read. Delay error for next iteration (after scan).
- n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
- dec.buf = dec.buf[0 : len(dec.buf)+n]
-
- return err
-}
-
-func nonSpace(b []byte) bool {
- for _, c := range b {
- if !isSpace(c) {
- return true
- }
- }
- return false
-}
-
-// An Encoder writes JSON objects to an output stream.
-type Encoder struct {
- w io.Writer
- err error
-}
-
-// NewEncoder returns a new encoder that writes to w.
-func NewEncoder(w io.Writer) *Encoder {
- return &Encoder{w: w}
-}
-
-// Encode writes the JSON encoding of v to the stream,
-// followed by a newline character.
-//
-// See the documentation for Marshal for details about the
-// conversion of Go values to JSON.
-func (enc *Encoder) Encode(v interface{}) error {
- if enc.err != nil {
- return enc.err
- }
- e := newEncodeState()
- err := e.marshal(v)
- if err != nil {
- return err
- }
-
- // Terminate each value with a newline.
- // This makes the output look a little nicer
- // when debugging, and some kind of space
- // is required if the encoded value was a number,
- // so that the reader knows there aren't more
- // digits coming.
- e.WriteByte('\n')
-
- if _, err = enc.w.Write(e.Bytes()); err != nil {
- enc.err = err
- }
- encodeStatePool.Put(e)
- return err
-}
-
-// RawMessage is a raw encoded JSON object.
-// It implements Marshaler and Unmarshaler and can
-// be used to delay JSON decoding or precompute a JSON encoding.
-type RawMessage []byte
-
-// MarshalJSON returns *m as the JSON encoding of m.
-func (m *RawMessage) MarshalJSON() ([]byte, error) {
- return *m, nil
-}
-
-// UnmarshalJSON sets *m to a copy of data.
-func (m *RawMessage) UnmarshalJSON(data []byte) error {
- if m == nil {
- return errors.New("json.RawMessage: UnmarshalJSON on nil pointer")
- }
- *m = append((*m)[0:0], data...)
- return nil
-}
-
-var _ Marshaler = (*RawMessage)(nil)
-var _ Unmarshaler = (*RawMessage)(nil)
-
-// A Token holds a value of one of these types:
-//
-// Delim, for the four JSON delimiters [ ] { }
-// bool, for JSON booleans
-// float64, for JSON numbers
-// Number, for JSON numbers
-// string, for JSON string literals
-// nil, for JSON null
-//
-type Token interface{}
-
-const (
- tokenTopValue = iota
- tokenArrayStart
- tokenArrayValue
- tokenArrayComma
- tokenObjectStart
- tokenObjectKey
- tokenObjectColon
- tokenObjectValue
- tokenObjectComma
-)
-
-// advance tokenstate from a separator state to a value state
-func (dec *Decoder) tokenPrepareForDecode() error {
- // Note: Not calling peek before switch, to avoid
- // putting peek into the standard Decode path.
- // peek is only called when using the Token API.
- switch dec.tokenState {
- case tokenArrayComma:
- c, err := dec.peek()
- if err != nil {
- return err
- }
- if c != ',' {
- return &SyntaxError{"expected comma after array element", 0}
- }
- dec.scanp++
- dec.tokenState = tokenArrayValue
- case tokenObjectColon:
- c, err := dec.peek()
- if err != nil {
- return err
- }
- if c != ':' {
- return &SyntaxError{"expected colon after object key", 0}
- }
- dec.scanp++
- dec.tokenState = tokenObjectValue
- }
- return nil
-}
-
-func (dec *Decoder) tokenValueAllowed() bool {
- switch dec.tokenState {
- case tokenTopValue, tokenArrayStart, tokenArrayValue, tokenObjectValue:
- return true
- }
- return false
-}
-
-func (dec *Decoder) tokenValueEnd() {
- switch dec.tokenState {
- case tokenArrayStart, tokenArrayValue:
- dec.tokenState = tokenArrayComma
- case tokenObjectValue:
- dec.tokenState = tokenObjectComma
- }
-}
-
-// A Delim is a JSON array or object delimiter, one of [ ] { or }.
-type Delim rune
-
-func (d Delim) String() string {
- return string(d)
-}
-
-// Token returns the next JSON token in the input stream.
-// At the end of the input stream, Token returns nil, io.EOF.
-//
-// Token guarantees that the delimiters [ ] { } it returns are
-// properly nested and matched: if Token encounters an unexpected
-// delimiter in the input, it will return an error.
-//
-// The input stream consists of basic JSON values—bool, string,
-// number, and null—along with delimiters [ ] { } of type Delim
-// to mark the start and end of arrays and objects.
-// Commas and colons are elided.
-func (dec *Decoder) Token() (Token, error) {
- for {
- c, err := dec.peek()
- if err != nil {
- return nil, err
- }
- switch c {
- case '[':
- if !dec.tokenValueAllowed() {
- return dec.tokenError(c)
- }
- dec.scanp++
- dec.tokenStack = append(dec.tokenStack, dec.tokenState)
- dec.tokenState = tokenArrayStart
- return Delim('['), nil
-
- case ']':
- if dec.tokenState != tokenArrayStart && dec.tokenState != tokenArrayComma {
- return dec.tokenError(c)
- }
- dec.scanp++
- dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
- dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
- dec.tokenValueEnd()
- return Delim(']'), nil
-
- case '{':
- if !dec.tokenValueAllowed() {
- return dec.tokenError(c)
- }
- dec.scanp++
- dec.tokenStack = append(dec.tokenStack, dec.tokenState)
- dec.tokenState = tokenObjectStart
- return Delim('{'), nil
-
- case '}':
- if dec.tokenState != tokenObjectStart && dec.tokenState != tokenObjectComma {
- return dec.tokenError(c)
- }
- dec.scanp++
- dec.tokenState = dec.tokenStack[len(dec.tokenStack)-1]
- dec.tokenStack = dec.tokenStack[:len(dec.tokenStack)-1]
- dec.tokenValueEnd()
- return Delim('}'), nil
-
- case ':':
- if dec.tokenState != tokenObjectColon {
- return dec.tokenError(c)
- }
- dec.scanp++
- dec.tokenState = tokenObjectValue
- continue
-
- case ',':
- if dec.tokenState == tokenArrayComma {
- dec.scanp++
- dec.tokenState = tokenArrayValue
- continue
- }
- if dec.tokenState == tokenObjectComma {
- dec.scanp++
- dec.tokenState = tokenObjectKey
- continue
- }
- return dec.tokenError(c)
-
- case '"':
- if dec.tokenState == tokenObjectStart || dec.tokenState == tokenObjectKey {
- var x string
- old := dec.tokenState
- dec.tokenState = tokenTopValue
- err := dec.Decode(&x)
- dec.tokenState = old
- if err != nil {
- clearOffset(err)
- return nil, err
- }
- dec.tokenState = tokenObjectColon
- return x, nil
- }
- fallthrough
-
- default:
- if !dec.tokenValueAllowed() {
- return dec.tokenError(c)
- }
- var x interface{}
- if err := dec.Decode(&x); err != nil {
- clearOffset(err)
- return nil, err
- }
- return x, nil
- }
- }
-}
-
-func clearOffset(err error) {
- if s, ok := err.(*SyntaxError); ok {
- s.Offset = 0
- }
-}
-
-func (dec *Decoder) tokenError(c byte) (Token, error) {
- var context string
- switch dec.tokenState {
- case tokenTopValue:
- context = " looking for beginning of value"
- case tokenArrayStart, tokenArrayValue, tokenObjectValue:
- context = " looking for beginning of value"
- case tokenArrayComma:
- context = " after array element"
- case tokenObjectKey:
- context = " looking for beginning of object key string"
- case tokenObjectColon:
- context = " after object key"
- case tokenObjectComma:
- context = " after object key:value pair"
- }
- return nil, &SyntaxError{"invalid character " + quoteChar(c) + " " + context, 0}
-}
-
-// More reports whether there is another element in the
-// current array or object being parsed.
-func (dec *Decoder) More() bool {
- c, err := dec.peek()
- return err == nil && c != ']' && c != '}'
-}
-
-func (dec *Decoder) peek() (byte, error) {
- var err error
- for {
- for i := dec.scanp; i < len(dec.buf); i++ {
- c := dec.buf[i]
- if isSpace(c) {
- continue
- }
- dec.scanp = i
- return c, nil
- }
- // buffer has been scanned, now report any error
- if err != nil {
- return 0, err
- }
- err = dec.refill()
- }
-}
-
-/*
-TODO
-
-// EncodeToken writes the given JSON token to the stream.
-// It returns an error if the delimiters [ ] { } are not properly used.
-//
-// EncodeToken does not call Flush, because usually it is part of
-// a larger operation such as Encode, and those will call Flush when finished.
-// Callers that create an Encoder and then invoke EncodeToken directly,
-// without using Encode, need to call Flush when finished to ensure that
-// the JSON is written to the underlying writer.
-func (e *Encoder) EncodeToken(t Token) error {
- ...
-}
-
-*/
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/stream_test.go b/vendor/gopkg.in/square/go-jose.v1/json/stream_test.go
deleted file mode 100644
index eccf365b..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/stream_test.go
+++ /dev/null
@@ -1,354 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "bytes"
- "io"
- "io/ioutil"
- "log"
- "net"
- "net/http"
- "net/http/httptest"
- "reflect"
- "strings"
- "testing"
-)
-
-// Test values for the stream test.
-// One of each JSON kind.
-var streamTest = []interface{}{
- 0.1,
- "hello",
- nil,
- true,
- false,
- []interface{}{"a", "b", "c"},
- map[string]interface{}{"K": "Kelvin", "ß": "long s"},
- 3.14, // another value to make sure something can follow map
-}
-
-var streamEncoded = `0.1
-"hello"
-null
-true
-false
-["a","b","c"]
-{"ß":"long s","K":"Kelvin"}
-3.14
-`
-
-func TestEncoder(t *testing.T) {
- for i := 0; i <= len(streamTest); i++ {
- var buf bytes.Buffer
- enc := NewEncoder(&buf)
- for j, v := range streamTest[0:i] {
- if err := enc.Encode(v); err != nil {
- t.Fatalf("encode #%d: %v", j, err)
- }
- }
- if have, want := buf.String(), nlines(streamEncoded, i); have != want {
- t.Errorf("encoding %d items: mismatch", i)
- diff(t, []byte(have), []byte(want))
- break
- }
- }
-}
-
-func TestDecoder(t *testing.T) {
- for i := 0; i <= len(streamTest); i++ {
- // Use stream without newlines as input,
- // just to stress the decoder even more.
- // Our test input does not include back-to-back numbers.
- // Otherwise stripping the newlines would
- // merge two adjacent JSON values.
- var buf bytes.Buffer
- for _, c := range nlines(streamEncoded, i) {
- if c != '\n' {
- buf.WriteRune(c)
- }
- }
- out := make([]interface{}, i)
- dec := NewDecoder(&buf)
- for j := range out {
- if err := dec.Decode(&out[j]); err != nil {
- t.Fatalf("decode #%d/%d: %v", j, i, err)
- }
- }
- if !reflect.DeepEqual(out, streamTest[0:i]) {
- t.Errorf("decoding %d items: mismatch", i)
- for j := range out {
- if !reflect.DeepEqual(out[j], streamTest[j]) {
- t.Errorf("#%d: have %v want %v", j, out[j], streamTest[j])
- }
- }
- break
- }
- }
-}
-
-func TestDecoderBuffered(t *testing.T) {
- r := strings.NewReader(`{"Name": "Gopher"} extra `)
- var m struct {
- Name string
- }
- d := NewDecoder(r)
- err := d.Decode(&m)
- if err != nil {
- t.Fatal(err)
- }
- if m.Name != "Gopher" {
- t.Errorf("Name = %q; want Gopher", m.Name)
- }
- rest, err := ioutil.ReadAll(d.Buffered())
- if err != nil {
- t.Fatal(err)
- }
- if g, w := string(rest), " extra "; g != w {
- t.Errorf("Remaining = %q; want %q", g, w)
- }
-}
-
-func nlines(s string, n int) string {
- if n <= 0 {
- return ""
- }
- for i, c := range s {
- if c == '\n' {
- if n--; n == 0 {
- return s[0 : i+1]
- }
- }
- }
- return s
-}
-
-func TestRawMessage(t *testing.T) {
- // TODO(rsc): Should not need the * in *RawMessage
- var data struct {
- X float64
- Id *RawMessage
- Y float32
- }
- const raw = `["\u0056",null]`
- const msg = `{"X":0.1,"Id":["\u0056",null],"Y":0.2}`
- err := Unmarshal([]byte(msg), &data)
- if err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if string([]byte(*data.Id)) != raw {
- t.Fatalf("Raw mismatch: have %#q want %#q", []byte(*data.Id), raw)
- }
- b, err := Marshal(&data)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- if string(b) != msg {
- t.Fatalf("Marshal: have %#q want %#q", b, msg)
- }
-}
-
-func TestNullRawMessage(t *testing.T) {
- // TODO(rsc): Should not need the * in *RawMessage
- var data struct {
- X float64
- Id *RawMessage
- Y float32
- }
- data.Id = new(RawMessage)
- const msg = `{"X":0.1,"Id":null,"Y":0.2}`
- err := Unmarshal([]byte(msg), &data)
- if err != nil {
- t.Fatalf("Unmarshal: %v", err)
- }
- if data.Id != nil {
- t.Fatalf("Raw mismatch: have non-nil, want nil")
- }
- b, err := Marshal(&data)
- if err != nil {
- t.Fatalf("Marshal: %v", err)
- }
- if string(b) != msg {
- t.Fatalf("Marshal: have %#q want %#q", b, msg)
- }
-}
-
-var blockingTests = []string{
- `{"x": 1}`,
- `[1, 2, 3]`,
-}
-
-func TestBlocking(t *testing.T) {
- for _, enc := range blockingTests {
- r, w := net.Pipe()
- go w.Write([]byte(enc))
- var val interface{}
-
- // If Decode reads beyond what w.Write writes above,
- // it will block, and the test will deadlock.
- if err := NewDecoder(r).Decode(&val); err != nil {
- t.Errorf("decoding %s: %v", enc, err)
- }
- r.Close()
- w.Close()
- }
-}
-
-func BenchmarkEncoderEncode(b *testing.B) {
- b.ReportAllocs()
- type T struct {
- X, Y string
- }
- v := &T{"foo", "bar"}
- for i := 0; i < b.N; i++ {
- if err := NewEncoder(ioutil.Discard).Encode(v); err != nil {
- b.Fatal(err)
- }
- }
-}
-
-type tokenStreamCase struct {
- json string
- expTokens []interface{}
-}
-
-type decodeThis struct {
- v interface{}
-}
-
-var tokenStreamCases []tokenStreamCase = []tokenStreamCase{
- // streaming token cases
- {json: `10`, expTokens: []interface{}{float64(10)}},
- {json: ` [10] `, expTokens: []interface{}{
- Delim('['), float64(10), Delim(']')}},
- {json: ` [false,10,"b"] `, expTokens: []interface{}{
- Delim('['), false, float64(10), "b", Delim(']')}},
- {json: `{ "a": 1 }`, expTokens: []interface{}{
- Delim('{'), "a", float64(1), Delim('}')}},
- {json: `{"a": 1, "b":"3"}`, expTokens: []interface{}{
- Delim('{'), "a", float64(1), "b", "3", Delim('}')}},
- {json: ` [{"a": 1},{"a": 2}] `, expTokens: []interface{}{
- Delim('['),
- Delim('{'), "a", float64(1), Delim('}'),
- Delim('{'), "a", float64(2), Delim('}'),
- Delim(']')}},
- {json: `{"obj": {"a": 1}}`, expTokens: []interface{}{
- Delim('{'), "obj", Delim('{'), "a", float64(1), Delim('}'),
- Delim('}')}},
- {json: `{"obj": [{"a": 1}]}`, expTokens: []interface{}{
- Delim('{'), "obj", Delim('['),
- Delim('{'), "a", float64(1), Delim('}'),
- Delim(']'), Delim('}')}},
-
- // streaming tokens with intermittent Decode()
- {json: `{ "a": 1 }`, expTokens: []interface{}{
- Delim('{'), "a",
- decodeThis{float64(1)},
- Delim('}')}},
- {json: ` [ { "a" : 1 } ] `, expTokens: []interface{}{
- Delim('['),
- decodeThis{map[string]interface{}{"a": float64(1)}},
- Delim(']')}},
- {json: ` [{"a": 1},{"a": 2}] `, expTokens: []interface{}{
- Delim('['),
- decodeThis{map[string]interface{}{"a": float64(1)}},
- decodeThis{map[string]interface{}{"a": float64(2)}},
- Delim(']')}},
- {json: `{ "obj" : [ { "a" : 1 } ] }`, expTokens: []interface{}{
- Delim('{'), "obj", Delim('['),
- decodeThis{map[string]interface{}{"a": float64(1)}},
- Delim(']'), Delim('}')}},
-
- {json: `{"obj": {"a": 1}}`, expTokens: []interface{}{
- Delim('{'), "obj",
- decodeThis{map[string]interface{}{"a": float64(1)}},
- Delim('}')}},
- {json: `{"obj": [{"a": 1}]}`, expTokens: []interface{}{
- Delim('{'), "obj",
- decodeThis{[]interface{}{
- map[string]interface{}{"a": float64(1)},
- }},
- Delim('}')}},
- {json: ` [{"a": 1} {"a": 2}] `, expTokens: []interface{}{
- Delim('['),
- decodeThis{map[string]interface{}{"a": float64(1)}},
- decodeThis{&SyntaxError{"expected comma after array element", 0}},
- }},
- {json: `{ "a" 1 }`, expTokens: []interface{}{
- Delim('{'), "a",
- decodeThis{&SyntaxError{"expected colon after object key", 0}},
- }},
-}
-
-func TestDecodeInStream(t *testing.T) {
-
- for ci, tcase := range tokenStreamCases {
-
- dec := NewDecoder(strings.NewReader(tcase.json))
- for i, etk := range tcase.expTokens {
-
- var tk interface{}
- var err error
-
- if dt, ok := etk.(decodeThis); ok {
- etk = dt.v
- err = dec.Decode(&tk)
- } else {
- tk, err = dec.Token()
- }
- if experr, ok := etk.(error); ok {
- if err == nil || err.Error() != experr.Error() {
- t.Errorf("case %v: Expected error %v in %q, but was %v", ci, experr, tcase.json, err)
- }
- break
- } else if err == io.EOF {
- t.Errorf("case %v: Unexpected EOF in %q", ci, tcase.json)
- break
- } else if err != nil {
- t.Errorf("case %v: Unexpected error '%v' in %q", ci, err, tcase.json)
- break
- }
- if !reflect.DeepEqual(tk, etk) {
- t.Errorf(`case %v: %q @ %v expected %T(%v) was %T(%v)`, ci, tcase.json, i, etk, etk, tk, tk)
- break
- }
- }
- }
-
-}
-
-// Test from golang.org/issue/11893
-func TestHTTPDecoding(t *testing.T) {
- const raw = `{ "foo": "bar" }`
-
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Write([]byte(raw))
- }))
- defer ts.Close()
- res, err := http.Get(ts.URL)
- if err != nil {
- log.Fatalf("GET failed: %v", err)
- }
- defer res.Body.Close()
-
- foo := struct {
- Foo string `json:"foo"`
- }{}
-
- d := NewDecoder(res.Body)
- err = d.Decode(&foo)
- if err != nil {
- t.Fatalf("Decode: %v", err)
- }
- if foo.Foo != "bar" {
- t.Errorf("decoded %q; want \"bar\"", foo.Foo)
- }
-
- // make sure we get the EOF the second time
- err = d.Decode(&foo)
- if err != io.EOF {
- t.Errorf("err = %v; want io.EOF", err)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/tagkey_test.go b/vendor/gopkg.in/square/go-jose.v1/json/tagkey_test.go
deleted file mode 100644
index 85bb4ba8..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/tagkey_test.go
+++ /dev/null
@@ -1,115 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "testing"
-)
-
-type basicLatin2xTag struct {
- V string `json:"$%-/"`
-}
-
-type basicLatin3xTag struct {
- V string `json:"0123456789"`
-}
-
-type basicLatin4xTag struct {
- V string `json:"ABCDEFGHIJKLMO"`
-}
-
-type basicLatin5xTag struct {
- V string `json:"PQRSTUVWXYZ_"`
-}
-
-type basicLatin6xTag struct {
- V string `json:"abcdefghijklmno"`
-}
-
-type basicLatin7xTag struct {
- V string `json:"pqrstuvwxyz"`
-}
-
-type miscPlaneTag struct {
- V string `json:"色は匂へど"`
-}
-
-type percentSlashTag struct {
- V string `json:"text/html%"` // https://golang.org/issue/2718
-}
-
-type punctuationTag struct {
- V string `json:"!#$%&()*+-./:<=>?@[]^_{|}~"` // https://golang.org/issue/3546
-}
-
-type emptyTag struct {
- W string
-}
-
-type misnamedTag struct {
- X string `jsom:"Misnamed"`
-}
-
-type badFormatTag struct {
- Y string `:"BadFormat"`
-}
-
-type badCodeTag struct {
- Z string `json:" !\"#&'()*+,."`
-}
-
-type spaceTag struct {
- Q string `json:"With space"`
-}
-
-type unicodeTag struct {
- W string `json:"Ελλάδα"`
-}
-
-var structTagObjectKeyTests = []struct {
- raw interface{}
- value string
- key string
-}{
- {basicLatin2xTag{"2x"}, "2x", "$%-/"},
- {basicLatin3xTag{"3x"}, "3x", "0123456789"},
- {basicLatin4xTag{"4x"}, "4x", "ABCDEFGHIJKLMO"},
- {basicLatin5xTag{"5x"}, "5x", "PQRSTUVWXYZ_"},
- {basicLatin6xTag{"6x"}, "6x", "abcdefghijklmno"},
- {basicLatin7xTag{"7x"}, "7x", "pqrstuvwxyz"},
- {miscPlaneTag{"いろはにほへと"}, "いろはにほへと", "色は匂へど"},
- {emptyTag{"Pour Moi"}, "Pour Moi", "W"},
- {misnamedTag{"Animal Kingdom"}, "Animal Kingdom", "X"},
- {badFormatTag{"Orfevre"}, "Orfevre", "Y"},
- {badCodeTag{"Reliable Man"}, "Reliable Man", "Z"},
- {percentSlashTag{"brut"}, "brut", "text/html%"},
- {punctuationTag{"Union Rags"}, "Union Rags", "!#$%&()*+-./:<=>?@[]^_{|}~"},
- {spaceTag{"Perreddu"}, "Perreddu", "With space"},
- {unicodeTag{"Loukanikos"}, "Loukanikos", "Ελλάδα"},
-}
-
-func TestStructTagObjectKey(t *testing.T) {
- for _, tt := range structTagObjectKeyTests {
- b, err := Marshal(tt.raw)
- if err != nil {
- t.Fatalf("Marshal(%#q) failed: %v", tt.raw, err)
- }
- var f interface{}
- err = Unmarshal(b, &f)
- if err != nil {
- t.Fatalf("Unmarshal(%#q) failed: %v", b, err)
- }
- for i, v := range f.(map[string]interface{}) {
- switch i {
- case tt.key:
- if s, ok := v.(string); !ok || s != tt.value {
- t.Fatalf("Unexpected value: %#q, want %v", s, tt.value)
- }
- default:
- t.Fatalf("Unexpected key: %#q, from %#q", i, b)
- }
- }
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/tags.go b/vendor/gopkg.in/square/go-jose.v1/json/tags.go
deleted file mode 100644
index c38fd510..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/tags.go
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "strings"
-)
-
-// tagOptions is the string following a comma in a struct field's "json"
-// tag, or the empty string. It does not include the leading comma.
-type tagOptions string
-
-// parseTag splits a struct field's json tag into its name and
-// comma-separated options.
-func parseTag(tag string) (string, tagOptions) {
- if idx := strings.Index(tag, ","); idx != -1 {
- return tag[:idx], tagOptions(tag[idx+1:])
- }
- return tag, tagOptions("")
-}
-
-// Contains reports whether a comma-separated list of options
-// contains a particular substr flag. substr must be surrounded by a
-// string boundary or commas.
-func (o tagOptions) Contains(optionName string) bool {
- if len(o) == 0 {
- return false
- }
- s := string(o)
- for s != "" {
- var next string
- i := strings.Index(s, ",")
- if i >= 0 {
- s, next = s[:i], s[i+1:]
- }
- if s == optionName {
- return true
- }
- s = next
- }
- return false
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/tags_test.go b/vendor/gopkg.in/square/go-jose.v1/json/tags_test.go
deleted file mode 100644
index 91fb1883..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json/tags_test.go
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package json
-
-import (
- "testing"
-)
-
-func TestTagParsing(t *testing.T) {
- name, opts := parseTag("field,foobar,foo")
- if name != "field" {
- t.Fatalf("name = %q, want field", name)
- }
- for _, tt := range []struct {
- opt string
- want bool
- }{
- {"foobar", true},
- {"foo", true},
- {"bar", false},
- } {
- if opts.Contains(tt.opt) != tt.want {
- t.Errorf("Contains(%q) = %v", tt.opt, !tt.want)
- }
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json/testdata/code.json.gz b/vendor/gopkg.in/square/go-jose.v1/json/testdata/code.json.gz
deleted file mode 100644
index 0e2895b5..00000000
Binary files a/vendor/gopkg.in/square/go-jose.v1/json/testdata/code.json.gz and /dev/null differ
diff --git a/vendor/gopkg.in/square/go-jose.v1/json_fork.go b/vendor/gopkg.in/square/go-jose.v1/json_fork.go
deleted file mode 100644
index 333e02de..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json_fork.go
+++ /dev/null
@@ -1,31 +0,0 @@
-// +build !std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "gopkg.in/square/go-jose.v1/json"
-)
-
-func MarshalJSON(v interface{}) ([]byte, error) {
- return json.Marshal(v)
-}
-
-func UnmarshalJSON(data []byte, v interface{}) error {
- return json.Unmarshal(data, v)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json_fork_test.go b/vendor/gopkg.in/square/go-jose.v1/json_fork_test.go
deleted file mode 100644
index cacf5d5d..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json_fork_test.go
+++ /dev/null
@@ -1,105 +0,0 @@
-// +build !std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "testing"
-)
-
-type CaseSensitive struct {
- A int `json:"Test"`
- B int `json:"test"`
- C int `json:"TEST"`
-}
-
-type UnicodeTest struct {
- Sig string `json:"sig"`
-}
-
-func TestUnicodeComparison(t *testing.T) {
- // Some tests from RFC 7515, Section 10.13
- raw := []byte(`{"\u0073ig":"foo"}`)
- var ut UnicodeTest
- err := UnmarshalJSON(raw, &ut)
- if err != nil {
- t.Error(err)
- }
-
- if ut.Sig != "foo" {
- t.Error("strings 'sig' and '\\u0073ig' should be equal")
- }
-
- raw = []byte(`{"si\u0047":"bar"}`)
- var ut2 UnicodeTest
- err = UnmarshalJSON(raw, &ut2)
- if err != nil {
- t.Error(err)
- }
-
- if ut2.Sig != "" {
- t.Error("strings 'sig' and 'si\\u0047' should not be equal")
- }
-}
-
-func TestCaseSensitiveJSON(t *testing.T) {
- raw := []byte(`{"test":42}`)
- var cs CaseSensitive
- err := UnmarshalJSON(raw, &cs)
- if err != nil {
- t.Error(err)
- }
-
- if cs.A != 0 || cs.B != 42 || cs.C != 0 {
- t.Errorf("parsing JSON should be case-sensitive (got %v)", cs)
- }
-}
-
-func TestRejectDuplicateKeysObject(t *testing.T) {
- raw := []byte(`{"test":42,"test":43}`)
- var cs CaseSensitive
- err := UnmarshalJSON(raw, &cs)
- if err == nil {
- t.Error("should reject JSON with duplicate keys, but didn't")
- }
-}
-
-func TestRejectDuplicateKeysInterface(t *testing.T) {
- raw := []byte(`{"test":42,"test":43}`)
- var m interface{}
- err := UnmarshalJSON(raw, &m)
- if err == nil {
- t.Error("should reject JSON with duplicate keys, but didn't")
- }
-}
-
-func TestParseCaseSensitiveJWE(t *testing.T) {
- invalidJWE := `{"protected":"eyJlbmMiOiJYWVoiLCJBTEciOiJYWVoifQo","encrypted_key":"QUJD","iv":"QUJD","ciphertext":"QUJD","tag":"QUJD"}`
- _, err := ParseEncrypted(invalidJWE)
- if err == nil {
- t.Error("Able to parse message with case-invalid headers", invalidJWE)
- }
-}
-
-func TestParseCaseSensitiveJWS(t *testing.T) {
- invalidJWS := `{"PAYLOAD":"CUJD","signatures":[{"protected":"e30","signature":"CUJD"}]}`
- _, err := ParseSigned(invalidJWS)
- if err == nil {
- t.Error("Able to parse message with case-invalid headers", invalidJWS)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json_std.go b/vendor/gopkg.in/square/go-jose.v1/json_std.go
deleted file mode 100644
index cb3c3555..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json_std.go
+++ /dev/null
@@ -1,31 +0,0 @@
-// +build std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "encoding/json"
-)
-
-func MarshalJSON(v interface{}) ([]byte, error) {
- return json.Marshal(v)
-}
-
-func UnmarshalJSON(data []byte, v interface{}) error {
- return json.Unmarshal(data, v)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/json_std_test.go b/vendor/gopkg.in/square/go-jose.v1/json_std_test.go
deleted file mode 100644
index 338d96b3..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/json_std_test.go
+++ /dev/null
@@ -1,124 +0,0 @@
-// +build std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "testing"
-)
-
-type CaseInsensitive struct {
- A int `json:"TEST"`
-}
-
-type UnicodeTest struct {
- Sig string `json:"sig"`
-}
-
-func TestUnicodeComparison(t *testing.T) {
- // Some tests from RFC 7515, Section 10.13
- raw := []byte(`{"\u0073ig":"foo"}`)
- var ut UnicodeTest
- err := UnmarshalJSON(raw, &ut)
- if err != nil {
- t.Error(err)
- }
-
- if ut.Sig != "foo" {
- t.Error("strings 'sig' and '\\u0073ig' should be equal")
- }
-}
-
-func TestCaseInsensitiveJSON(t *testing.T) {
- raw := []byte(`{"test":42}`)
- var ci CaseInsensitive
- err := UnmarshalJSON(raw, &ci)
- if err != nil {
- t.Error(err)
- }
-
- if ci.A != 42 {
- t.Errorf("parsing JSON should be case-insensitive (got %v)", ci)
- }
-}
-
-func TestParseCaseInsensitiveJWE(t *testing.T) {
- invalidJWE := `{"protected":"eyJlbmMiOiJYWVoiLCJBTEciOiJYWVoifQo","encrypted_key":"QUJD","iv":"QUJD","ciphertext":"QUJD","tag":"QUJD"}`
- _, err := ParseEncrypted(invalidJWE)
- if err != nil {
- t.Error("Unable to parse message with case-invalid headers", invalidJWE)
- }
-}
-
-func TestParseCaseInsensitiveJWS(t *testing.T) {
- invalidJWS := `{"PAYLOAD":"CUJD","signatures":[{"protected":"e30","signature":"CUJD"}]}`
- _, err := ParseSigned(invalidJWS)
- if err != nil {
- t.Error("Unable to parse message with case-invalid headers", invalidJWS)
- }
-}
-
-var JWKSetDuplicates = stripWhitespace(`{
- "keys": [{
- "kty": "RSA",
- "kid": "exclude-me",
- "use": "sig",
- "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT
- -O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqV
- wGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-
- oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde
- 3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuC
- LqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5g
- HdrNP5zw",
- "e": "AQAB"
- }],
- "keys": [{
- "kty": "RSA",
- "kid": "include-me",
- "use": "sig",
- "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT
- -O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqV
- wGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-
- oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde
- 3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuC
- LqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5g
- HdrNP5zw",
- "e": "AQAB"
- }],
- "custom": "exclude-me",
- "custom": "include-me"
- }`)
-
-func TestDuplicateJWKSetMembersIgnored(t *testing.T) {
- type CustomSet struct {
- JsonWebKeySet
- CustomMember string `json:"custom"`
- }
- data := []byte(JWKSetDuplicates)
- var set CustomSet
- UnmarshalJSON(data, &set)
- if len(set.Keys) != 1 {
- t.Error("expected only one key in set")
- }
- if set.Keys[0].KeyID != "include-me" {
- t.Errorf("expected key with kid: \"include-me\", got: %s", set.Keys[0].KeyID)
- }
- if set.CustomMember != "include-me" {
- t.Errorf("expected custom member value: \"include-me\", got: %s", set.CustomMember)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jwe.go b/vendor/gopkg.in/square/go-jose.v1/jwe.go
deleted file mode 100644
index b88cb797..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jwe.go
+++ /dev/null
@@ -1,278 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "fmt"
- "strings"
-)
-
-// rawJsonWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
-type rawJsonWebEncryption struct {
- Protected *byteBuffer `json:"protected,omitempty"`
- Unprotected *rawHeader `json:"unprotected,omitempty"`
- Header *rawHeader `json:"header,omitempty"`
- Recipients []rawRecipientInfo `json:"recipients,omitempty"`
- Aad *byteBuffer `json:"aad,omitempty"`
- EncryptedKey *byteBuffer `json:"encrypted_key,omitempty"`
- Iv *byteBuffer `json:"iv,omitempty"`
- Ciphertext *byteBuffer `json:"ciphertext,omitempty"`
- Tag *byteBuffer `json:"tag,omitempty"`
-}
-
-// rawRecipientInfo represents a raw JWE Per-Recipient header JSON object. Used for parsing/serializing.
-type rawRecipientInfo struct {
- Header *rawHeader `json:"header,omitempty"`
- EncryptedKey string `json:"encrypted_key,omitempty"`
-}
-
-// JsonWebEncryption represents an encrypted JWE object after parsing.
-type JsonWebEncryption struct {
- Header JoseHeader
- protected, unprotected *rawHeader
- recipients []recipientInfo
- aad, iv, ciphertext, tag []byte
- original *rawJsonWebEncryption
-}
-
-// recipientInfo represents a raw JWE Per-Recipient header JSON object after parsing.
-type recipientInfo struct {
- header *rawHeader
- encryptedKey []byte
-}
-
-// GetAuthData retrieves the (optional) authenticated data attached to the object.
-func (obj JsonWebEncryption) GetAuthData() []byte {
- if obj.aad != nil {
- out := make([]byte, len(obj.aad))
- copy(out, obj.aad)
- return out
- }
-
- return nil
-}
-
-// Get the merged header values
-func (obj JsonWebEncryption) mergedHeaders(recipient *recipientInfo) rawHeader {
- out := rawHeader{}
- out.merge(obj.protected)
- out.merge(obj.unprotected)
-
- if recipient != nil {
- out.merge(recipient.header)
- }
-
- return out
-}
-
-// Get the additional authenticated data from a JWE object.
-func (obj JsonWebEncryption) computeAuthData() []byte {
- var protected string
-
- if obj.original != nil {
- protected = obj.original.Protected.base64()
- } else {
- protected = base64URLEncode(mustSerializeJSON((obj.protected)))
- }
-
- output := []byte(protected)
- if obj.aad != nil {
- output = append(output, '.')
- output = append(output, []byte(base64URLEncode(obj.aad))...)
- }
-
- return output
-}
-
-// ParseEncrypted parses an encrypted message in compact or full serialization format.
-func ParseEncrypted(input string) (*JsonWebEncryption, error) {
- input = stripWhitespace(input)
- if strings.HasPrefix(input, "{") {
- return parseEncryptedFull(input)
- }
-
- return parseEncryptedCompact(input)
-}
-
-// parseEncryptedFull parses a message in compact format.
-func parseEncryptedFull(input string) (*JsonWebEncryption, error) {
- var parsed rawJsonWebEncryption
- err := UnmarshalJSON([]byte(input), &parsed)
- if err != nil {
- return nil, err
- }
-
- return parsed.sanitized()
-}
-
-// sanitized produces a cleaned-up JWE object from the raw JSON.
-func (parsed *rawJsonWebEncryption) sanitized() (*JsonWebEncryption, error) {
- obj := &JsonWebEncryption{
- original: parsed,
- unprotected: parsed.Unprotected,
- }
-
- // Check that there is not a nonce in the unprotected headers
- if (parsed.Unprotected != nil && parsed.Unprotected.Nonce != "") ||
- (parsed.Header != nil && parsed.Header.Nonce != "") {
- return nil, ErrUnprotectedNonce
- }
-
- if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
- err := UnmarshalJSON(parsed.Protected.bytes(), &obj.protected)
- if err != nil {
- return nil, fmt.Errorf("square/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
- }
- }
-
- // Note: this must be called _after_ we parse the protected header,
- // otherwise fields from the protected header will not get picked up.
- obj.Header = obj.mergedHeaders(nil).sanitized()
-
- if len(parsed.Recipients) == 0 {
- obj.recipients = []recipientInfo{
- recipientInfo{
- header: parsed.Header,
- encryptedKey: parsed.EncryptedKey.bytes(),
- },
- }
- } else {
- obj.recipients = make([]recipientInfo, len(parsed.Recipients))
- for r := range parsed.Recipients {
- encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey)
- if err != nil {
- return nil, err
- }
-
- // Check that there is not a nonce in the unprotected header
- if parsed.Recipients[r].Header != nil && parsed.Recipients[r].Header.Nonce != "" {
- return nil, ErrUnprotectedNonce
- }
-
- obj.recipients[r].header = parsed.Recipients[r].Header
- obj.recipients[r].encryptedKey = encryptedKey
- }
- }
-
- for _, recipient := range obj.recipients {
- headers := obj.mergedHeaders(&recipient)
- if headers.Alg == "" || headers.Enc == "" {
- return nil, fmt.Errorf("square/go-jose: message is missing alg/enc headers")
- }
- }
-
- obj.iv = parsed.Iv.bytes()
- obj.ciphertext = parsed.Ciphertext.bytes()
- obj.tag = parsed.Tag.bytes()
- obj.aad = parsed.Aad.bytes()
-
- return obj, nil
-}
-
-// parseEncryptedCompact parses a message in compact format.
-func parseEncryptedCompact(input string) (*JsonWebEncryption, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 5 {
- return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
- }
-
- rawProtected, err := base64URLDecode(parts[0])
- if err != nil {
- return nil, err
- }
-
- encryptedKey, err := base64URLDecode(parts[1])
- if err != nil {
- return nil, err
- }
-
- iv, err := base64URLDecode(parts[2])
- if err != nil {
- return nil, err
- }
-
- ciphertext, err := base64URLDecode(parts[3])
- if err != nil {
- return nil, err
- }
-
- tag, err := base64URLDecode(parts[4])
- if err != nil {
- return nil, err
- }
-
- raw := &rawJsonWebEncryption{
- Protected: newBuffer(rawProtected),
- EncryptedKey: newBuffer(encryptedKey),
- Iv: newBuffer(iv),
- Ciphertext: newBuffer(ciphertext),
- Tag: newBuffer(tag),
- }
-
- return raw.sanitized()
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JsonWebEncryption) CompactSerialize() (string, error) {
- if len(obj.recipients) != 1 || obj.unprotected != nil ||
- obj.protected == nil || obj.recipients[0].header != nil {
- return "", ErrNotSupported
- }
-
- serializedProtected := mustSerializeJSON(obj.protected)
-
- return fmt.Sprintf(
- "%s.%s.%s.%s.%s",
- base64URLEncode(serializedProtected),
- base64URLEncode(obj.recipients[0].encryptedKey),
- base64URLEncode(obj.iv),
- base64URLEncode(obj.ciphertext),
- base64URLEncode(obj.tag)), nil
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JsonWebEncryption) FullSerialize() string {
- raw := rawJsonWebEncryption{
- Unprotected: obj.unprotected,
- Iv: newBuffer(obj.iv),
- Ciphertext: newBuffer(obj.ciphertext),
- EncryptedKey: newBuffer(obj.recipients[0].encryptedKey),
- Tag: newBuffer(obj.tag),
- Aad: newBuffer(obj.aad),
- Recipients: []rawRecipientInfo{},
- }
-
- if len(obj.recipients) > 1 {
- for _, recipient := range obj.recipients {
- info := rawRecipientInfo{
- Header: recipient.header,
- EncryptedKey: base64URLEncode(recipient.encryptedKey),
- }
- raw.Recipients = append(raw.Recipients, info)
- }
- } else {
- // Use flattened serialization
- raw.Header = obj.recipients[0].header
- raw.EncryptedKey = newBuffer(obj.recipients[0].encryptedKey)
- }
-
- if obj.protected != nil {
- raw.Protected = newBuffer(mustSerializeJSON(obj.protected))
- }
-
- return string(mustSerializeJSON(raw))
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jwe_test.go b/vendor/gopkg.in/square/go-jose.v1/jwe_test.go
deleted file mode 100644
index ab03fd00..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jwe_test.go
+++ /dev/null
@@ -1,537 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rsa"
- "math/big"
- "testing"
-)
-
-func TestCompactParseJWE(t *testing.T) {
- // Should parse
- msg := "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.dGVzdA"
- _, err := ParseEncrypted(msg)
- if err != nil {
- t.Error("Unable to parse valid message:", err)
- }
-
- // Messages that should fail to parse
- failures := []string{
- // Too many parts
- "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
- // Not enough parts
- "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA",
- // Invalid encrypted key
- "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.//////.dGVzdA.dGVzdA.dGVzdA",
- // Invalid IV
- "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.//////.dGVzdA.dGVzdA",
- // Invalid ciphertext
- "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.//////.dGVzdA",
- // Invalid tag
- "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.//////",
- // Invalid header
- "W10.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
- // Invalid header
- "######.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
- // Missing alc/enc params
- "e30.dGVzdA.dGVzdA.dGVzdA.dGVzdA",
- }
-
- for _, msg := range failures {
- _, err = ParseEncrypted(msg)
- if err == nil {
- t.Error("Able to parse invalid message", msg)
- }
- }
-}
-
-func TestFullParseJWE(t *testing.T) {
- // Messages that should succeed to parse
- successes := []string{
- // Flattened serialization, single recipient
- "{\"protected\":\"eyJhbGciOiJYWVoiLCJlbmMiOiJYWVoifQo\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- // Unflattened serialization, single recipient
- "{\"protected\":\"\",\"unprotected\":{\"enc\":\"XYZ\"},\"recipients\":[{\"header\":{\"alg\":\"XYZ\"},\"encrypted_key\":\"QUJD\"}],\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- }
-
- for i := range successes {
- _, err := ParseEncrypted(successes[i])
- if err != nil {
- t.Error("Unble to parse valid message", err, successes[i])
- }
- }
-
- // Messages that should fail to parse
- failures := []string{
- // Empty
- "{}",
- // Invalid JSON
- "{XX",
- // Invalid protected header
- "{\"protected\":\"###\"}",
- // Invalid protected header
- "{\"protected\":\"e1gK\"}",
- // Invalid encrypted key
- "{\"protected\":\"e30\",\"encrypted_key\":\"###\"}",
- // Invalid IV
- "{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"###\"}",
- // Invalid ciphertext
- "{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"###\"}",
- // Invalid tag
- "{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"###\"}",
- // Invalid AAD
- "{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\",\"aad\":\"###\"}",
- // Missing alg/enc headers
- "{\"protected\":\"e30\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- // Missing enc header
- "{\"protected\":\"eyJhbGciOiJYWVoifQ\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- // Missing alg header
- "{\"protected\":\"eyJlbmMiOiJYWVoifQ\",\"encrypted_key\":\"QUJD\",\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- // Unflattened serialization, single recipient, invalid encrypted_key
- "{\"protected\":\"\",\"recipients\":[{\"header\":{\"alg\":\"XYZ\", \"enc\":\"XYZ\"},\"encrypted_key\":\"###\"}],\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- // Unflattened serialization, single recipient, missing alg
- "{\"protected\":\"eyJhbGciOiJYWVoifQ\",\"recipients\":[{\"encrypted_key\":\"QUJD\"}],\"iv\":\"QUJD\",\"ciphertext\":\"QUJD\",\"tag\":\"QUJD\"}",
- }
-
- for i := range failures {
- _, err := ParseEncrypted(failures[i])
- if err == nil {
- t.Error("Able to parse invalid message", err, failures[i])
- }
- }
-}
-
-func TestMissingInvalidHeaders(t *testing.T) {
- obj := &JsonWebEncryption{
- protected: &rawHeader{Enc: A128GCM},
- unprotected: &rawHeader{},
- recipients: []recipientInfo{
- recipientInfo{},
- },
- }
-
- _, err := obj.Decrypt(nil)
- if err != ErrUnsupportedKeyType {
- t.Error("should detect invalid key")
- }
-
- obj.unprotected.Crit = []string{"1", "2"}
-
- _, err = obj.Decrypt(nil)
- if err == nil {
- t.Error("should reject message with crit header")
- }
-
- obj.unprotected.Crit = nil
- obj.protected = &rawHeader{Alg: string(RSA1_5)}
-
- _, err = obj.Decrypt(rsaTestKey)
- if err == nil || err == ErrCryptoFailure {
- t.Error("should detect missing enc header")
- }
-}
-
-func TestRejectUnprotectedJWENonce(t *testing.T) {
- // No need to test compact, since that's always protected
-
- // Flattened JSON
- input := `{
- "header": {
- "alg": "XYZ", "enc": "XYZ",
- "nonce": "should-cause-an-error"
- },
- "encrypted_key": "does-not-matter",
- "aad": "does-not-matter",
- "iv": "does-not-matter",
- "ciphertext": "does-not-matter",
- "tag": "does-not-matter"
- }`
- _, err := ParseEncrypted(input)
- if err == nil {
- t.Error("JWE with an unprotected nonce parsed as valid.")
- } else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
- t.Errorf("Improper error for unprotected nonce: %v", err)
- }
-
- input = `{
- "unprotected": {
- "alg": "XYZ", "enc": "XYZ",
- "nonce": "should-cause-an-error"
- },
- "encrypted_key": "does-not-matter",
- "aad": "does-not-matter",
- "iv": "does-not-matter",
- "ciphertext": "does-not-matter",
- "tag": "does-not-matter"
- }`
- _, err = ParseEncrypted(input)
- if err == nil {
- t.Error("JWE with an unprotected nonce parsed as valid.")
- } else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
- t.Errorf("Improper error for unprotected nonce: %v", err)
- }
-
- // Full JSON
- input = `{
- "header": { "alg": "XYZ", "enc": "XYZ" },
- "aad": "does-not-matter",
- "iv": "does-not-matter",
- "ciphertext": "does-not-matter",
- "tag": "does-not-matter",
- "recipients": [{
- "header": { "nonce": "should-cause-an-error" },
- "encrypted_key": "does-not-matter"
- }]
- }`
- _, err = ParseEncrypted(input)
- if err == nil {
- t.Error("JWS with an unprotected nonce parsed as valid.")
- } else if err.Error() != "square/go-jose: Nonce parameter included in unprotected header" {
- t.Errorf("Improper error for unprotected nonce: %v", err)
- }
-}
-
-func TestCompactSerialize(t *testing.T) {
- // Compact serialization must fail if we have unprotected headers
- obj := &JsonWebEncryption{
- unprotected: &rawHeader{Alg: "XYZ"},
- }
-
- _, err := obj.CompactSerialize()
- if err == nil {
- t.Error("Object with unprotected headers can't be compact serialized")
- }
-}
-
-func TestVectorsJWE(t *testing.T) {
- plaintext := []byte("The true sign of intelligence is not knowledge but imagination.")
-
- publicKey := &rsa.PublicKey{
- N: fromBase64Int(`
- oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW
- cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S
- psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a
- sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS
- tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj
- YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw`),
- E: 65537,
- }
-
- expectedCompact := stripWhitespace(`
- eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.ROQCfge4JPm_
- yACxv1C1NSXmwNbL6kvmCuyxBRGpW57DvlwByjyjsb6g8m7wtLMqKEyhFCn
- tV7sjippEePIlKln6BvVnz5ZLXHNYQgmubuNq8MC0KTwcaGJ_C0z_T8j4PZ
- a1nfpbhSe-ePYaALrf_nIsSRKu7cWsrwOSlaRPecRnYeDd_ytAxEQWYEKFi
- Pszc70fP9geZOB_09y9jq0vaOF0jGmpIAmgk71lCcUpSdrhNokTKo5y8MH8
- 3NcbIvmuZ51cjXQj1f0_AwM9RW3oCh2Hu0z0C5l4BujZVsDuGgMsGZsjUhS
- RZsAQSXHCAmlJ2NlnN60U7y4SPJhKv5tKYw.48V1_ALb6US04U3b.5eym8T
- W_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6jiS
- diwkIr3ajwQzaBtQD_A.XFBoMYUZodetZdvTiFvSkQ`)
-
- expectedFull := stripWhitespace(`
- { "protected":"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ",
- "encrypted_key":
- "ROQCfge4JPm_yACxv1C1NSXmwNbL6kvmCuyxBRGpW57DvlwByjyjsb
- 6g8m7wtLMqKEyhFCntV7sjippEePIlKln6BvVnz5ZLXHNYQgmubuNq
- 8MC0KTwcaGJ_C0z_T8j4PZa1nfpbhSe-ePYaALrf_nIsSRKu7cWsrw
- OSlaRPecRnYeDd_ytAxEQWYEKFiPszc70fP9geZOB_09y9jq0vaOF0
- jGmpIAmgk71lCcUpSdrhNokTKo5y8MH83NcbIvmuZ51cjXQj1f0_Aw
- M9RW3oCh2Hu0z0C5l4BujZVsDuGgMsGZsjUhSRZsAQSXHCAmlJ2Nln
- N60U7y4SPJhKv5tKYw",
- "iv": "48V1_ALb6US04U3b",
- "ciphertext":
- "5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFS
- hS8iB7j6jiSdiwkIr3ajwQzaBtQD_A",
- "tag":"XFBoMYUZodetZdvTiFvSkQ" }`)
-
- // Mock random reader
- randReader = bytes.NewReader([]byte{
- // Encryption key
- 177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
- 212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
- 234, 64, 252,
- // Randomness for RSA-OAEP
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- // Initialization vector
- 227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219})
- defer resetRandReader()
-
- // Encrypt with a dummy key
- encrypter, err := NewEncrypter(RSA_OAEP, A256GCM, publicKey)
- if err != nil {
- panic(err)
- }
-
- object, err := encrypter.Encrypt(plaintext)
- if err != nil {
- panic(err)
- }
-
- serialized, err := object.CompactSerialize()
- if serialized != expectedCompact {
- t.Error("Compact serialization is not what we expected", serialized, expectedCompact)
- }
-
- serialized = object.FullSerialize()
- if serialized != expectedFull {
- t.Error("Full serialization is not what we expected")
- }
-}
-
-func TestVectorsJWECorrupt(t *testing.T) {
- priv := &rsa.PrivateKey{
- PublicKey: rsa.PublicKey{
- N: fromHexInt(`
- a8b3b284af8eb50b387034a860f146c4919f318763cd6c5598c8
- ae4811a1e0abc4c7e0b082d693a5e7fced675cf4668512772c0c
- bc64a742c6c630f533c8cc72f62ae833c40bf25842e984bb78bd
- bf97c0107d55bdb662f5c4e0fab9845cb5148ef7392dd3aaff93
- ae1e6b667bb3d4247616d4f5ba10d4cfd226de88d39f16fb`),
- E: 65537,
- },
- D: fromHexInt(`
- 53339cfdb79fc8466a655c7316aca85c55fd8f6dd898fdaf1195
- 17ef4f52e8fd8e258df93fee180fa0e4ab29693cd83b152a553d
- 4ac4d1812b8b9fa5af0e7f55fe7304df41570926f3311f15c4d6
- 5a732c483116ee3d3d2d0af3549ad9bf7cbfb78ad884f84d5beb
- 04724dc7369b31def37d0cf539e9cfcdd3de653729ead5d1`),
- Primes: []*big.Int{
- fromHexInt(`
- d32737e7267ffe1341b2d5c0d150a81b586fb3132bed2f8d5262
- 864a9cb9f30af38be448598d413a172efb802c21acf1c11c520c
- 2f26a471dcad212eac7ca39d`),
- fromHexInt(`
- cc8853d1d54da630fac004f471f281c7b8982d8224a490edbeb3
- 3d3e3d5cc93c4765703d1dd791642f1f116a0dd852be2419b2af
- 72bfe9a030e860b0288b5d77`),
- },
- }
-
- corruptCiphertext := stripWhitespace(`
- eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.NFl09dehy
- IR2Oh5iSsvEa82Ps7DLjRHeo0RnuTuSR45OsaIP6U8yu7vLlWaZKSZMy
- B2qRBSujf-5XIRoNhtyIyjk81eJRXGa_Bxaor1XBCMyyhGchW2H2P71f
- PhDO6ufSC7kV4bNqgHR-4ziS7KXwzN83_5kogXqxUpymUoJDNc.tk-GT
- W_VVhiTIKFF.D_BE6ImZUl9F.52a-zFnRb3YQwIC7UrhVyQ`)
-
- corruptAuthtag := stripWhitespace(`
- eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.NFl09dehy
- IR2Oh5iSsvEa82Ps7DLjRHeo0RnuTuSR45OsaIP6U8yu7vLlWaZKSZMy
- B2qRBSujf-5XIRoNhtyIyjk81eJRXGa_Bxaor1XBCMyyhGchW2H2P71f
- PhDO6ufSC7kV4bNqgHR-4ziS7KNwzN83_5kogXqxUpymUoJDNc.tk-GT
- W_VVhiTIKFF.D_BE6ImZUl9F.52a-zFnRb3YQwiC7UrhVyQ`)
-
- msg, _ := ParseEncrypted(corruptCiphertext)
- _, err := msg.Decrypt(priv)
- if err != ErrCryptoFailure {
- t.Error("should detect corrupt ciphertext")
- }
-
- msg, _ = ParseEncrypted(corruptAuthtag)
- _, err = msg.Decrypt(priv)
- if err != ErrCryptoFailure {
- t.Error("should detect corrupt auth tag")
- }
-}
-
-// Test vectors generated with nimbus-jose-jwt
-func TestSampleNimbusJWEMessagesRSA(t *testing.T) {
- rsaPrivateKey, err := LoadPrivateKey(fromBase64Bytes(`
- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCNRCEmf5PlbXKuT4uwnb
- wGKvFrtpi+bDYxOZxxqxdVkZM/bYATAnD1fg9pNvLMKeF+MWJ9kPIMmDgOh9RdnRdLvQGb
- BzhLmxwhhcua2QYiHEZizXmiaXvNP12bzEBhebdX7ObW8izMVW0p0lqHPNzkK3K75B0Sxo
- FMVKkZ7KtBHgepBT5yPhPPcNe5lXQeTne5bo3I60DRcN9jTBgMJOXdq0I9o4y6ZmoXdNTm
- 0EyLzn9/EYiHqBxtKFh791EHR7wYgyi/t+nOKr4sO74NbEByP0mHDil+mPvZSzFW4l7fPx
- OclRZvpRIKIub2TroZA9s2WsshGf79eqqXYbBB9NNRAgMBAAECggEAIExbZ/nzTplfhwsY
- 3SCzRJW87OuqsJ79JPQPGM4NX7sQ94eJqM7+FKLl0yCFErjgnYGdCyiArvB+oJPdsimgke
- h83X0hGeg03lVA3/6OsG3WifCAxulnLN44AM8KST8S9D9t5+cm5vEBLHazzAfWWTS13s+g
- 9hH8rf8NSqgZ36EutjKlvLdHx1mWcKX7SREFVHT8FWPAbdhTLEHUjoWHrfSektnczaSHnt
- q8fFJy6Ld13QkF1ZJRUhtA24XrD+qLTc+M36IuedjeZaLHFB+KyhYR3YvXEtrbCug7dCRd
- uG6uTlDCSaSy7xHeTPolWtWo9F202jal54otxiAJFGUHgQKBgQDRAT0s6YQZUfwE0wluXV
- k0JdhDdCo8sC1aMmKlRKWUkBAqrDl7BI3MF56VOr4ybr90buuscshFf9TtrtBOjHSGcfDI
- tSKfhhkW5ewQKB0YqyHzoD6UKT0/XAshFY3esc3uCxuJ/6vOiXV0og9o7eFvr51O0TfDFh
- mcTvW4wirKlQKBgQCtB7UAu8I9Nn8czkd6oXLDRyTWYviuiqFmxR+PM9klgZtsumkeSxO1
- lkfFoj9+G8nFaqYEBA9sPeNtJVTSROCvj/iQtoqpV2NiI/wWeVszpBwsswx2mlks4LJa8a
- Yz9xrsfNoroKYVppefc/MCoSx4M+99RSm3FSpLGZQHAUGyzQKBgQDMQmq4JuuMF1y2lk0E
- SESyuz21BqV0tDVOjilsHT+5hmXWXoS6nkO6L2czrrpM7YE82F6JJZBmo7zEIXHBInGLJ3
- XLoYLZ5qNEhqYDUEDHaBCBWZ1vDTKnZlwWFEuXVavNNZvPbUhKTHq25t8qjDki/r09Vykp
- BsM2yNBKpbBOVQKBgCJyUVd3CaFUExQyAMrqD0XPCQdhJq7gzGcAQVsp8EXmOoH3zmuIeM
- ECzQEMXuWFNLMHm0tbX5Kl83vMHcnKioyI9ewhWxOBYTitf0ceG8j5F97SOl32NmCXzwoJ
- 55Oa0xJXfLuIvOe8hZzp4WwZmBfKBxiCR166aPQQgIawelrVAoGAEJsHomfCI4epxH4oMw
- qYJMCGy95zloB+2+c86BZCOJAGwnfzbtc2eutWZw61/9sSO8sQCfzA8oX+5HwAgnFVzwW4
- lNMZohppYcpwN9EyjkPaCXuALC7p5rF2o63wY7JLvnjS2aYZliknh2yW6X6fSB0PK0Cpvd
- lAIyRw6Kud0zI=`))
- if err != nil {
- panic(err)
- }
-
- rsaSampleMessages := []string{
- "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBMV81In0.EW0KOhHeoAxTBnLjYhh2T6HjwI-srNs6RpcSdZvE-GJ5iww3EYWBCmeGGj1UVz6OcBfwW3wllZ6GPOHU-hxVQH5KYpVOjkmrFIYU6-8BHhxBP_PjSJEBCZzjOgsCm9Th4-zmlO7UWTdK_UtwE7nk4X-kkmEy-aZBCShA8nFe2MVvqD5F7nvEWNFBOHh8ae_juo-kvycoIzvxLV9g1B0Zn8K9FAlu8YF1KiL5NFekn76f3jvAwlExuRbFPUx4gJN6CeBDK_D57ABsY2aBVDSiQceuYZxvCIAajqSS6dMT382FNJzAiQhToOpo_1w5FnnBjzJLLEKDk_I-Eo2YCWxxsQ.5mCMuxJqLRuPXGAr.Ghe4INeBhP3MDWGvyNko7qanKdZIzKjfeiU.ja3UlVWJXKNFJ-rZsJWycw",
- "eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBMV81In0.JsJeYoP0St1bRYNUaAmA34DAA27usE7RNuC2grGikBRmh1xrwUOpnEIXXpwr7fjVmNi52zzWkNHC8JkkRTrLcCh2VXvnOnarpH8DCr9qM6440bSrahzbxIvDds8z8q0wT1W4kjVnq1mGwGxg8RQNBWTV6Sp2FLQkZyjzt_aXsgYzr3zEmLZxB-d41lBS81Mguk_hdFJIg_WO4ao54lozvxkCn_uMiIZ8eLb8qHy0h-N21tiHGCaiC2vV8KXomwoqbJ0SXrEH4r9_R2J844H80TBZdbvNBd8whvoQNHvOX659LNs9EQ9xxvHU2kqGZekXBu7sDXXTjctMkMITobGSzw.1v5govaDvanP3LGp.llwYNBDrD7MwVLaFHesljlratfmndWs4XPQ.ZGT1zk9_yIKi2GzW6CuAyA",
- "eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBMV81In0.fBv3fA3TMS3ML8vlsCuvwdsKvB0ym8R30jJrlOiqkWKk7WVUkjDInFzr1zw3Owla6c5BqOJNoACXt4IWbkLbkoWV3tweXlWwpafuaWPkjLOUH_K31rS2fCX5x-MTj8_hScquVQXpbz3vk2EfulRmGXZc_8JU2NqQCAsYy3a28houqP3rDe5jEAvZS2SOFvJkKW--f5S-z39t1D7fNz1N8Btd9SmXWQzjbul5YNxI9ctqxhJpkKYpxOLlvrzdA6YdJjOlDx3n6S-HnSZGM6kQd_xKtAf8l1EGwhQmhbXhMhjVxMvGwE5BX7PAb8Ccde5bzOCJx-PVbVetuLb169ZYqQ._jiZbOPRR82FEWMZ.88j68LI-K2KT6FMBEdlz6amG5nvaJU8a-90.EnEbUTJsWNqJYKzfO0x4Yw",
- "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBMV81In0.bN6FN0qmGxhkESiVukrCaDVG3woL0xE-0bHN_Mu0WZXTQWbzzT-7jOvaN1xhGK8nzi8qpCSRgE5onONNB9i8OnJm3MMIxF7bUUEAXO9SUAFn2v--wNc4drPc5OjIu0RiJrDVDkkGjNrBDIuBaEQcke7A0v91PH58dXE7o4TLPzC8UJmRtXWhUSwjXVF3-UmYRMht2rjHJlvRbtm6Tu2LMBIopRL0zj6tlPP4Dm7I7sz9OEB3VahYAhpXnFR7D_f8RjLSXQmBvB1FiI5l_vMz2NFt2hYUmQF3EJMLIEdHvvPp3iHDGiXC1obJrDID_CCf3qs9UY7DMYL622KLvP2NIg.qb72oxECzxd_aNuHVR0aNg.Gwet9Ms8hB8rKEb0h4RGdFNRq97Qs2LQaJM0HWrCqoI.03ljVThOFvgXzMmQJ79VjQ",
- "eyJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiUlNBMV81In0.ZbEOP6rqdiIP4g7Nl1PL5gwhgDwv9RinyiUQxZXPOmD7kwEZrZ093dJnhqI9kEd3QGFlHDpB7HgNz53d27z2zmEj1-27v6miizq6tH4sN2MoeZLwSyk16O1_n3bVdDmROawsTYYFJfHsuLwyVJxPd37duIYnbUCFO9J8lLIv-2VI50KJ1t47YfE4P-Wt9jVzxP2CVUQaJwTlcwfiDLJTagYmfyrDjf525WlQFlgfJGqsJKp8BX9gmKvAo-1iCBAM8VpEjS0u0_hW9VSye36yh8BthVV-VJkhJ-0tMpto3bbBmj7M25Xf4gbTrrVU7Nz6wb18YZuhHZWmj2Y2nHV6Jg.AjnS44blTrIIfFlqVw0_Mg.muCRgaEXNKKpW8rMfW7jf7Zpn3VwSYDz-JTRg16jZxY.qjc9OGlMaaWKDWQSIwVpR4K556Pp6SF9",
- "eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiUlNBMV81In0.c7_F1lMlRHQQE3WbKmtHBYTosdZrG9hPfs-F9gNQYet61zKG8NXVkSy0Zf2UFHt0vhcO8hP2qrqOFsy7vmRj20xnGHQ2EE29HH6hwX5bx1Jj3uE5WT9Gvh0OewpvF9VubbwWTIObBpdEG7XdJsMAQlIxtXUmQYAtLTWcy2ZJipyJtVlWQLaPuE8BKfZH-XAsp2CpQNiRPI8Ftza3EAspiyRfVQbjKt7nF8nuZ2sESjt7Y50q4CSiiCuGT28T3diMN0_rWrH-I-xx7OQvJlrQaNGglGtu3jKUcrJDcvxW2e1OxriaTeuQ848ayuRvGUNeSv6WoVYmkiK1x_gNwUAAbw.7XtSqHJA7kjt6JrfxJMwiA.Yvi4qukAbdT-k-Fd2s4G8xzL4VFxaFC0ZIzgFDAI6n0.JSWPJ-HjOE3SK9Lm0yHclmjS7Z1ahtQga9FHGCWVRcc",
- "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.SYVxJbCnJ_tcR13LJpaqHQj-nGNkMxre4A1FmnUdxnvzeJwuvyrLiUdRsZR1IkP4fqLtDON2mumx39QeJQf0WIObPBYlIxycRLkwxDHRVlyTmPvdZHAxN26jPrk09wa5SgK1UF1W1VSQIPm-Tek8jNAmarF1Yxzxl-t54wZFlQiHP4TuaczugO5f-J4nlWenfla2mU1snDgdUMlEZGOAQ_gTEtwSgd1MqXmK_7LZBkoDqqoCujMZhziafJPXPDaUUqBLW3hHkkDA7GpVec3XcTtNUWQJqOpMyQhqo1KQMc8jg3fuirILp-hjvvNVtBnCRBvbrKUCPzu2_yH3HM_agA.2VsdijtonAxShNIW.QzzB3P9CxYP3foNKN0Ma1Z9tMwijAlkWo08.ZdQkIPDY_M-hxqi5fD4NGw",
- "eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.Z2oTJXXib1u-S38Vn3DRKE3JnhnwgUa92UhsefzY2Wpdn0dmxMfYt9iRoJGFfSAcA97MOfjyvXVRCKWXGrG5AZCMAXEqU8SNQwKPRjlcqojcVzQyMucXI0ikLC4mUgeRlfKTwsBicq6JZZylzRoLGGSNJQbni3_BLsf7H3Qor0BYg0FPCLG9Z2OVvrFzvjTLmZtV6gFlVrMHBxJub_aUet9gAkxiu1Wx_Kx46TlLX2tkumXIpTGlzX6pef6jLeZ5EIg_K-Uz4tkWgWQIEkLD7qmTyk5pAGmzukHa_08jIh5-U-Sd8XGZdx4J1pVPJ5CPg0qDJGZ_cfgkgpWbP_wB6A.4qgKfokK1EwYxz20._Md82bv_KH2Vru0Ue2Eb6oAqHP2xBBP5jF8.WFRojvQpD5VmZlOr_dN0rQ",
- "eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.JzCUgJcBJmBgByp4PBAABUfhezPvndxBIVzaoZ96DAS0HPni0OjMbsOGsz6JwNsiTr1gSn_S6R1WpZM8GJc9R2z0EKKVP67TR62ZSG0MEWyLpHmG_4ug0fAp1HWWMa9bT4ApSaOLgwlpVAb_-BPZZgIu6c8cREuMon6UBHDqW1euTBbzk8zix3-FTZ6p5b_3soDL1wXfRiRBEsxxUGMnpryx1OFb8Od0JdyGF0GgfLt6OoaujDJpo-XtLRawu1Xlg6GqRs0NQwSHZ5jXgQ6-zgCufXonAmYTiIyBXY2no9XmECTexjwrS_05nA7H-UyIZEBOCp3Yhz2zxrt5j_0pvQ.SJR-ghhaUKP4zXtZ.muiuzLfZA0y0BDNsroGTw2r2-l73SLf9lK8.XFMH1oHr1G6ByP3dWSUUPA",
- "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAifQ.U946MVfIm4Dpk_86HrnIA-QXyiUu0LZ67PL93CMLmEtJemMNDqmRd9fXyenCIhAC7jPIV1aaqW7gS194xyrrnUpBoJBdbegiPqOfquy493Iq_GQ8OXnFxFibPNQ6rU0l8BwIfh28ei_VIF2jqN6bhxFURCVW7fG6n6zkCCuEyc7IcxWafSHjH2FNttREuVj-jS-4LYDZsFzSKbpqoYF6mHt8H3btNEZDTSmy_6v0fV1foNtUKNfWopCp-iE4hNh4EzJfDuU8eXLhDb03aoOockrUiUCh-E0tQx9su4rOv-mDEOHHAQK7swm5etxoa7__9PC3Hg97_p4GM9gC9ykNgw.pnXwvoSPi0kMQP54of-HGg.RPJt1CMWs1nyotx1fOIfZ8760mYQ69HlyDp3XmdVsZ8.Yxw2iPVWaBROFE_FGbvodA",
- "eyJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiUlNBLU9BRVAifQ.eKEOIJUJpXmO_ghH_nGCJmoEspqKyiy3D5l0P8lKutlo8AuYHPQlgOsaFYnDkypyUVWd9zi-JaQuCeo7dzoBiS1L71nAZo-SUoN0anQBkVuyuRjr-deJMhPPfq1H86tTk-4rKzPr1Ivd2RGXMtWsrUpNGk81r1v8DdMntLE7UxZQqT34ONuZg1IXnD_U6di7k07unI29zuU1ySeUr6w1YPw5aUDErMlpZcEJWrgOEYWaS2nuC8sWGlPGYEjqkACMFGn-y40UoS_JatNZO6gHK3SKZnXD7vN5NAaMo_mFNbh50e1t_zO8DaUdLtXPOBLcx_ULoteNd9H8HyDGWqwAPw.0xmtzJfeVMoIT1Cp68QrXA.841l1aA4c3uvSYfw6l180gn5JZQjL53WQ5fr8ejtvoI.lojzeWql_3gDq-AoaIbl_aGQRH_54w_f",
- "eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiUlNBLU9BRVAifQ.D0QkvIXR1TL7dIHWuPNMybmmD8UPyQd1bRKjRDNbA2HmKGpamCtcJmpNB_EetNFe-LDmhe44BYI_XN2wIBbYURKgDK_WG9BH0LQw_nCVqQ-sKqjtj3yQeytXhLHYTDmiF0TO-uW-RFR7GbPAdARBfuf4zj82r_wDD9sD5WSCGx89iPfozDOYQ_OLwdL2WD99VvDyfwS3ZhxA-9IMSYv5pwqPkxj4C0JdjCqrN0YNrZn_1ORgjtsVmcWXsmusObTozUGA7n5GeVepfZdU1vrMulAwdRYqOYtlqKaOpFowe9xFN3ncBG7wb4f9pmzbS_Dgt-1_Ii_4SEB9GQ4NiuBZ0w.N4AZeCxMGUv52A0UVJsaZw.5eHOGbZdtahnp3l_PDY-YojYib4ft4SRmdsQ2kggrTs.WsmGH8ZDv4ctBFs7qsQvw2obe4dVToRcAQaZ3PYL34E",
- "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.fDTxO_ZzZ3Jdrdw-bxvg7u-xWB2q1tp3kI5zH6JfhLUm4h6rt9qDA_wZlRym8-GzEtkUjkTtQGs6HgQx_qlyy8ylCakY5GHsNhCG4m0UNhRiNfcasAs03JSXfON9-tfTJimWD9n4k5OHHhvcrsCW1G3jYeLsK9WHCGRIhNz5ULbo8HBrCTbmZ6bOEQ9mqhdssLpdV24HDpebotf3bgPJqoaTfWU6Uy7tLmPiNuuNRLQ-iTpLyNMTVvGqqZhpcV3lAEN5l77QabI5xLJYucvYjrXQhAEZ7YXO8oRYhGkdG2XXIRcwr87rBeRH-47HAyhZgF_PBPBhhrJNS9UNMqdfBw.FvU4_s7Md6vxnXWd.fw29Q4_gHt4f026DPPV-CNebQ8plJ6IVLX8._apBZrw7WsT8HOmxgCrTwA",
- "eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.bYuorK-rHMbO4c2CRWtvyOEaM1EN-o-wLRZ0wFWRX9mCXQ-iTNarZn7ksYM1XnGmZ4u3CSowX1Hpca9Rg72_VJCmKapqCT7r3YfasN4_oeLwuSKI_gT-uVOznod97tn3Gf_EDv0y1V4H0k9BEIFGbajAcG1znTD_ODY3j2KZJxisfrsBoslc6N-HI0kKZMC2hSGuHOcOf8HN1sTE-BLqZCtoj-zxQECJK8Wh14Ih4jzzdmmiu_qmSR780K6su-4PRt3j8uY7oCiLBfwpCsCmhJgp8rKd91zoedZmamfvX38mJIfE52j4fG6HmIYw9Ov814fk9OffV6tzixjcg54Q2g.yeVJz4aSh2s-GUr9.TBzzWP5llEiDdugpP2SmPf2U4MEGG9EoPWk.g25UoWpsBaOd45J__FX7mA",
- "eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.h9tFtmh762JuffBxlSQbJujCyI4Zs9yc3IOb1yR8g65W4ZHosIvzVGHWbShj4EY9MNrz-RbKtHfqQGGzDeo3Xb4-HcQ2ZDHyWoUg7VfA8JafJ5zIKL1npz8eUExOVMLsAaRfHg8qNfczodg3egoSmX5Q-nrx4DeidDSXYZaZjV0C72stLTPcuQ7XPV7z1tvERAkqpvcsRmJn_PiRNxIbAgoyHMJ4Gijuzt1bWZwezlxYmw0TEuwCTVC2fl9NJTZyxOntS1Lcm-WQGlPkVYeVgYTOQXLlp7tF9t-aAvYpth2oWGT6Y-hbPrjx_19WaKD0XyWCR46V32DlXEVDP3Xl2A.NUgfnzQyEaJjzt9r.k2To43B2YVWMeR-w3n4Pr2b5wYq2o87giHk.X8_QYCg0IGnn1pJqe8p_KA",
- "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.EDq6cNP6Yp1sds5HZ4CkXYp7bs9plIYVZScKvuyxUy0H1VyBC_YWg0HvndPNb-vwh1LA6KMxRazlOwJ9iPR9YzHnYmGgPM3Je_ZzBfiPlRfq6hQBpGnNaypBI1XZ2tyFBhulsVLqyJe2SmM2Ud00kasOdMYgcN8FNFzq7IOE7E0FUQkIwLdUL1nrzepiYDp-5bGkxWRcL02cYfdqdm00G4m0GkUxAmdxa3oPNxZlt2NeBI_UVWQSgJE-DJVJQkDcyA0id27TV2RCDnmujYauNT_wYlyb0bFDx3pYzzNXfAXd4wHZxt75QaLZ5APJ0EVfiXJ0qki6kT-GRVmOimUbQA.vTULZL7LvS0WD8kR8ZUtLg.mb2f0StEmmkuuvsyz8UplMvF58FtZzlu8eEwzvPUvN0.hbhveEN40V-pgG2hSVgyKg",
- "eyJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.DuYk92p7u-YIN-JKn-XThmlVcnhU9x5TieQ2uhsLQVNlo0iWC9JJPP6bT6aI6u_1BIS3yE8_tSGGL7eM-zyEk6LuTqSWFRaZcZC06d0MnS9eYZcw1T2D17fL-ki-NtCaTahJD7jE2s0HevRVW49YtL-_V8whnO_EyVjvXIAQlPYqhH_o-0Nzcpng9ggdAnuF2rY1_6iRPYFJ3BLQvG1oWhyJ9s6SBttlOa0i6mmFCVLHx6sRpdGAB3lbCL3wfmHq4tpIv77gfoYUNP0SNff-zNmBXF_wp3dCntLZFTjbfMpGyHlruF_uoaLqwdjYpUGNUFVUoeSiMnSbMKm9NxiDgQ.6Mdgcqz7bMU1UeoAwFC8pg.W36QWOlBaJezakUX5FMZzbAgeAu_R14AYKZCQmuhguw.5OeyIJ03olxmJft8uBmjuOFQPWNZMYLI",
- "eyJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.ECulJArWFsPL2FlpCN0W8E7IseSjJg1cZqE3wz5jk9gvwgNForAUEv5KYZqhNI-p5IxkGV0f8K6Y2X8pWzbLwiPIjZe8_dVqHYJoINxqCSgWLBhz0V36qL9Nc_xARTBk4-ZteIu75NoXVeos9gNvFnkOCj4tm-jGo8z8EFO9XfODgjhiR4xv8VqUtvrkjo9GQConaga5zpV-J4JQlXbdqbDjnuwacnJAxYpFyuemqcgqsl6BnFX3tovGkmSUPqcvF1A6tiHqr-TEmcgVqo5C3xswknRBKTQRM00iAmJ92WlVdkoOCx6E6O7cVHFawZ14BLzWzm66Crb4tv0ucYvk_Q.mxolwUaoj5S5kHCfph0w8g.nFpgYdnYg3blHCCEi2XXQGkkKQBXs2OkZaH11m3PRvk.k8BAVT4EcyrUFVIKr-KOSPbF89xyL0Vri2rFTu2iIWM",
- }
-
- for _, msg := range rsaSampleMessages {
- obj, err := ParseEncrypted(msg)
- if err != nil {
- t.Error("unable to parse message", msg, err)
- continue
- }
- plaintext, err := obj.Decrypt(rsaPrivateKey)
- if err != nil {
- t.Error("unable to decrypt message", msg, err)
- continue
- }
- if string(plaintext) != "Lorem ipsum dolor sit amet" {
- t.Error("plaintext is not what we expected for msg", msg)
- }
- }
-}
-
-// Test vectors generated with nimbus-jose-jwt
-func TestSampleNimbusJWEMessagesAESKW(t *testing.T) {
- aesTestKeys := [][]byte{
- fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D"),
- fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D95EC9CDC2D82233C"),
- fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D95EC9CDC2D82233C333C35BA29044E90"),
- }
-
- aesSampleMessages := [][]string{
- []string{
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwidGFnIjoib2ZMd2Q5NGloVWFRckJ0T1pQUDdjUSIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiV2Z3TnN5cjEwWUFjY2p2diJ9.9x3RxdqIS6P9xjh93Eu1bQ.6fs3_fSGt2jull_5.YDlzr6sWACkFg_GU5MEc-ZEWxNLwI_JMKe_jFA.f-pq-V7rlSSg_q2e1gDygw",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwidGFnIjoic2RneXB1ckFjTEFzTmZJU0lkZUNpUSIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoieVFMR0dCdDJFZ0c1THdyViJ9.arslKo4aKlh6f4s0z1_-U-8JbmhAoZHN.Xw2Q-GX98YXwuc4i.halTEWMWAYZbv-qOD52G6bte4x6sxlh1_VpGEA.Z1spn016v58cW6Q2o0Qxag",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoicTNzejF5VUlhbVBDYXJfZ05kSVJqQSIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiM0ZRM0FsLWJWdWhmcEIyQyJ9.dhVipWbzIdsINttuZM4hnjpHvwEHf0VsVrOp4GAg01g.dk7dUyt1Qj13Pipw.5Tt70ONATF0BZAS8dBkYmCV7AQUrfb8qmKNLmw.A6ton9MQjZg0b3C0QcW-hg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidGFnIjoiUHNpTGphZnJZNE16UlRmNlBPLTZfdyIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiSUFPbnd2ODR5YXFEaUxtbSJ9.swf92_LyCvjsvkynHTuMNXRl_MX2keU-fMDWIMezHG4.LOp9SVIXzs4yTnOtMyXZYQ.HUlXrzqJ1qXYl3vUA-ydezCg77WvJNtKdmZ3FPABoZw.8UYl1LOofQLAxHHvWqoTbg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwidGFnIjoiWGRndHQ5dUVEMVlVeU1rVHl6M3lqZyIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiWF90V2RhSmh6X3J1SHJvQSJ9.JQ3dS1JSgzIFi5M9ig63FoFU1nHBTmPwXY_ovNE2m1JOSUvHtalmihIuraPDloCf.e920JVryUIWt7zJJQM-www.8DUrl4LmsxIEhRr9RLTHG9tBTOcwXqEbQHAJd_qMHzE.wHinoqGUhL4O7lx125kponpwNtlp8VGJ",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidGFnIjoicGgyaTdoY0FWNlh3ZkQta1RHYlVXdyIsImFsZyI6IkExMjhHQ01LVyIsIml2IjoiaG41Smk4Wm1rUmRrSUxWVSJ9._bQlJXl22dhsBgYPhkxUyinBNi871teGWbviOueWj2PqG9OPxIc9SDS8a27YLSVDMircd5Q1Df28--vcXIABQA.DssmhrAg6w_f2VDaPpxTbQ.OGclEmqrxwvZqAfn7EgXlIfXgr0wiGvEbZz3zADnqJs.YZeP0uKVEiDl8VyC-s20YN-RbdyGNsbdtoGDP3eMof8",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiQTEyOEtXIn0.TEMcXEoY8WyqGjYs5GZgS-M_Niwu6wDY.i-26KtTt51Td6Iwd.wvhkagvPsLj3QxhPBbfH_th8OqxisUtme2UadQ.vlfvBPv3bw2Zk2H60JVNLQ",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiQTEyOEtXIn0.gPaR6mgQ9TUx05V6DRfgTQeZxl0ZSzBa5uQd-qw6yLs.MojplOD77FkMooS-.2yuD7dKR_C3sFbhgwiBccKKOF8DrSvNiwX7wPQ.qDKUbSvMnJv0qifjpWC14g",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiQTEyOEtXIn0.Fg-dgSkUW1KEaL5YDPoWHNL8fpX1WxWVLA9OOWsjIFhQVDKyUZI7BQ.mjRBpyJTZf7H-quf.YlNHezMadtaSKp23G-ozmYhHOeHwuJnvWGTtGg.YagnR7awBItUlMDo4uklvg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiQTEyOEtXIn0.x1vYzUE-E2XBWva9OPuwtqfQaf9rlJCIBAyAe6N2q2kWfJrkxGxFsQ.gAwe78dyODFaoP2IOityAA.Yh5YfovkWxGBNAs1sVhvXow_2izHHsBiYEc9JYD6kVg.mio1p3ncp2wLEaEaRa7P0w",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiQTEyOEtXIn0.szGrdnmF7D5put2aRBvSSFfp0vRgkRGYaafijJIqAF6PWd1IxsysZRV8aQkQOW1cB6d0fXsTfYM.Ru25LVOOk4xhaK-cIZ0ThA.pF9Ok5zot7elVqXFW5YYHV8MuF9gVGzpQnG1XDs_g_w.-7la0uwcNPpteev185pMHZjbVDXlrec8",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiQTEyOEtXIn0.cz-hRv0xR5CnOcnoRWNK8Q9poyVYzRCVTjfmEXQN6xPOZUkJ3zKNqb8Pir_FS0o2TVvxmIbuxeISeATTR2Ttx_YGCNgMkc93.SF5rEQT94lZR-UORcMKqGw.xphygoU7zE0ZggOczXCi_ytt-Evln8CL-7WLDlWcUHg.5h99r8xCCwP2PgDbZqzCJ13oFfB2vZWetD5qZjmmVho",
- },
- []string{
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwidGFnIjoiVWR5WUVKdEJ5ZTA5dzdjclY0cXI1QSIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiZlBBV0QwUmdSbHlFdktQcCJ9.P1uTfTuH-imL-NJJMpuTRA.22yqZ1NIfx3KNPgc.hORWZaTSgni1FS-JT90vJly-cU37qTn-tWSqTg.gMN0ufXF92rSXupTtBNkhA",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwidGFnIjoiOU9qX3B2LTJSNW5lZl9YbWVkUWltUSIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiY3BybGEwYUYzREVQNmFJTSJ9.6NVpAm_APiC7km2v-oNR8g23K9U_kf1-.jIg-p8tNwSvwxch0.1i-GPaxS4qR6Gy4tzeVtSdRFRSKQSMpmn-VhzA.qhFWPqtA6vVPl7OM3DThsA",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiOVc3THg3MVhGQVJCb3NaLVZ5dXc4ZyIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiZ1N4ZE5heFdBSVBRR0tHYiJ9.3YjPz6dVQwAtCekvtXiHZrooOUlmCsMSvyfwmGwdrOA.hA_C0IDJmGaRzsB0.W4l7OPqpFxiVOZTGfAlRktquyRTo4cEOk9KurQ.l4bGxOkO_ql_jlPo3Oz3TQ",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidGFnIjoiOHJYbWl2WXFWZjNfbHhhd2NUbHJoUSIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiVXBWeXprVTNKcjEwYXRqYyJ9.8qft-Q_xqUbo5j_aVrVNHchooeLttR4Kb6j01O8k98M.hXO-5IKBYCL9UdwBFVm0tg.EBM4lCZX_K6tfqYmfoDxVPHcf6cT--AegXTTjfSqsIw.Of8xUvEQSh3xgFT3uENnAg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwidGFnIjoiVnItSnVaX0tqV2hSWWMzdzFwZ3cwdyIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoiRGg2R3dISVBVS3ljZGNZeCJ9.YSEDjCnGWr_n9H94AvLoRnwm6bdU9w6-Q67k-QQRVcKRd6673pgH9zEF9A9Dt6o1.gcmVN4kxqBuMq6c7GrK3UQ.vWzJb0He6OY1lhYYjYS7CLh55REAAq1O7yNN-ND4R5Q.OD0B6nwyFaDr_92ysDOtlVnJaeoIqhGw",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidGFnIjoieEtad1BGYURpQ3NqUnBqZUprZHhmZyIsImFsZyI6IkExOTJHQ01LVyIsIml2IjoieTVHRFdteXdkb2R1SDJlYyJ9.AW0gbhWqlptOQ1y9aoNVwrTIIkBfrp33C2OWJsbrDRk6lhxg_IgFhMDTE37moReySGUtttC4CXQD_7etHmd3Hw.OvKXK-aRKlXHOpJQ9ZY_YQ.Ngv7WarDDvR2uBj_DavPAR3DYuIaygvSSdcHrc8-ZqM.MJ6ElitzFCKf_0h5fIJw8uOLC6ps7dKZPozF8juQmUY",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiQTE5MktXIn0.8qu63pppcSvp1vv37WrZ44qcCTg7dQMA.cDp-f8dJTrDEpZW4.H6OBJYs4UvFR_IZHLYQZxB6u9a0wOdAif2LNfQ.1dB-id0UIwRSlmwHx5BJCg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiQTE5MktXIn0._FdoKQvC8qUs7K0upriEihUwztK8gOwonXpOxdIwrfs.UO38ok8gDdpLVa1T.x1GvHdVCy4fxoQRg-OQK4Ez3jDOvu9gllLPeEA.3dLeZGIprh_nHizOTVi1xw",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiQTE5MktXIn0.uzCJskgSIK6VkjJIu-dQi18biqaY0INc_A1Ehx0oESafgtR99_n4IA.W2eKK8Y14WwTowI_.J2cJC7R6Bz6maR0s1UBMPyRi5BebNUAmof4pvw.-7w6htAlc4iUsOJ6I04rFg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiQTE5MktXIn0.gImQeQETp_6dfJypFDPLlv7c5pCzuq86U16gzrLiCXth6X9XfxJpvQ.YlC4MxjtLWrsyEvlFhvsqw.Vlpvmg9F3gkz4e1xG01Yl2RXx-jG99rF5UvCxOBXSLc.RZUrU_FoR5bG3M-j3GY0Dw",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiQTE5MktXIn0.T2EfQ6Tu2wJyRMgZzfvBYmQNCCfdMudMrg86ibEMVAOUKJPtR3WMPEb_Syy9p2VjrLKRlv7nebo.GPc8VbarPPRtzIRATB8NsA.ugPCqLvVLwh55bWlwjsFkmWzJ31z5z-wuih2oJqmG_U.m7FY3EjvV6mKosEYJ5cY7ezFoVQoJS8X",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiQTE5MktXIn0.OgLMhZ-2ZhslQyHfzOfyC-qmT6bNg9AdpP59B4jtyxWkQu3eW475WCdiAjojjeyBtVRGQ5vOomwaOIFejY_IekzH6I_taii3.U9x44MF6Wyz5TIwIzwhoxQ.vK7yvSF2beKdNxNY_7n4XdF7JluCGZoxdFJyTJVkSmI.bXRlI8KL-g7gpprQxGmXjVYjYghhWJq7mlCfWI8q2uA",
- },
- []string{
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwidGFnIjoiR3BjX3pfbjduZjJVZlEtWGdsaTBaQSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiUk40eUdhOVlvYlFhUmZ1TCJ9.Q4ukD6_hZpmASAVcqWJ9Wg.Zfhny_1WNdlp4fH-.3sekDCjkExQCcv28ZW4yrcFnz0vma3vgoenSXA.g8_Ird2Y0itTCDP61du-Yg",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwidGFnIjoiWC05UkNVWVh4U3NRelcwelVJS01VUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiY3JNMnJfa3RrdWpyQ1h5OSJ9.c0q2jCxxV4y1h9u_Xvn7FqUDnbkmNEG4.S_noOTZKuUo9z1l6.ez0RdA25vXMUGH96iXmj3DEVox0J7TasJMnzgg.RbuSPTte_NzTtEEokbc5Ig",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwidGFnIjoiWmwyaDFpUW11QWZWd2lJeVp5RHloZyIsImFsZyI6IkEyNTZHQ01LVyIsIml2Ijoib19xZmljb0N0NzNzRWo1QyJ9.NpJxRJ0aqcpekD6HU2u9e6_pL_11JXjWvjfeQnAKkZU.4c5qBcBBrMWi27Lf.NKwNIb4b6cRDJ1TwMKsPrjs7ADn6aNoBdQClVw.yNWmSSRBqQfIQObzj8zDqw",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidGFnIjoiMXdwVEI3LWhjdzZUVXhCbVh2UzdhUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiOUdIVnZJaDZ0a09vX2pHUSJ9.MFgIhp9mzlq9hoPqqKVKHJ3HL79EBYtV4iNhD63yqiU.UzW5iq8ou21VpZYJgKEN8A.1gOEzA4uAPvHP76GMfs9uLloAV10mKaxiZVAeL7iQA0.i1X_2i0bCAz-soXF9bI_zw",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwidGFnIjoiNThocUtsSk15Y1BFUEFRUlNfSzlNUSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiUDh3aTBWMTluVnZqNXpkOSJ9.FXidOWHNFJODO74Thq3J2cC-Z2B8UZkn7SikeosU0bUK6Jx_lzzmUZ-Lafadpdpj.iLfcDbpuBKFiSfiBzUQc7Q.VZK-aD7BFspqfvbwa0wE2wwWxdomzk2IKMetFe8bI44.7wC6rJRGa4x48xbYMd6NH9VzK8uNn4Cb",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwidGFnIjoicGcwOEpUcXdzMXdEaXBaRUlpVExoQSIsImFsZyI6IkEyNTZHQ01LVyIsIml2IjoiSlpodk9CdU1RUDFFZTZTNSJ9.wqVgTPm6TcYCTkpbwmn9sW4mgJROH2A3dIdSXo5oKIQUIVbQsmy7KXH8UYO2RS9slMGtb869C8o0My67GKg9dQ.ogrRiLlqjB1S5j-7a05OwA.2Y_LyqhU4S_RXMsB74bxcBacd23J2Sp5Lblw-sOkaUY.XGMiYoU-f3GaEzSvG41vpJP2DMGbeDFoWmkUGLUjc4M",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiQTI1NktXIn0.QiIZm9NYfahqYFIbiaoUhCCHjotHMkup.EsU0XLn4FjzzCILn.WuCoQkm9vzo95E7hxBtfYpt-Mooc_vmSTyzj6Q.NbeeYVy6gQPlmhoWDrZwaQ",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiQTI1NktXIn0.1ol3j_Lt0Os3UMe2Gypj0o8b77k0FSmqD7kNRNoMa9U.vZ2HMTgN2dgUd42h.JvNcy8-c8sYzOC089VtFSg2BOQx3YF8CqSTuJw.t03LRioWWKN3d7SjinU6SQ",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiQTI1NktXIn0.gbkk03l1gyrE9qGEMVtORiyyUqKsgzbqjLd8lw0RQ07WWn--TV4BgA.J8ThH4ac2UhSsMIP.g-W1piEGrdi3tNwQDJXpYm3fQjTf82mtVCrCOg.-vY05P4kiB9FgF2vwrSeXQ",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiQTI1NktXIn0.k86pQs7gmQIzuIWRFwesF32XY2xi1WbYxi7XUf_CYlOlehwGCTINHg.3NcC9VzfQgsECISKf4xy-g.v2amdo-rgeGsg-II_tvPukX9D-KAP27xxf2uQJ277Ws.E4LIE3fte3glAnPpnd8D9Q",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMTkyQ0JDLUhTMzg0IiwiYWxnIjoiQTI1NktXIn0.b8iN0Am3fCUvj7sBd7Z0lpfzBjh1MOgojV7J5rDfrcTU3b35RGYgEV1RdcrtUTBgUwITDjmU7jM.wsSDBFghDga_ERv36I2AOg.6uJsucCb2YReFOJGBdo4zidTIKLUmZBIXfm_M0AJpKk.YwdAfXI3HHcw2wLSnfCRtw4huZQtSKhz",
- "eyJ6aXAiOiJERUYiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiQTI1NktXIn0.akY9pHCbkHPh5VpXIrX0At41XnJIKBR9iMMkf301vKeJNAZYJTxWzeJhFd-DhQ47tMctc3YYkwZkQ5I_9fGYb_f0oBcw4esh.JNwuuHud78h6S99NO1oBQQ.0RwckPYATBgvw67upkAQ1AezETHc-gh3rryz19i5ryc.3XClRTScgzfMgLCHxHHoRF8mm9VVGXv_Ahtx65PskKQ",
- },
- }
-
- for i, msgs := range aesSampleMessages {
- for _, msg := range msgs {
- obj, err := ParseEncrypted(msg)
- if err != nil {
- t.Error("unable to parse message", msg, err)
- continue
- }
- plaintext, err := obj.Decrypt(aesTestKeys[i])
- if err != nil {
- t.Error("unable to decrypt message", msg, err)
- continue
- }
- if string(plaintext) != "Lorem ipsum dolor sit amet" {
- t.Error("plaintext is not what we expected for msg", msg)
- }
- }
- }
-}
-
-// Test vectors generated with jose4j
-func TestSampleJose4jJWEMessagesECDH(t *testing.T) {
- ecTestKey := &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- Curve: elliptic.P256(),
- X: fromBase64Int("weNJy2HscCSM6AEDTDg04biOvhFhyyWvOHQfeF_PxMQ"),
- Y: fromBase64Int("e8lnCO-AlStT-NJVX-crhB7QRYhiix03illJOVAOyck"),
- },
- D: fromBase64Int("VEmDZpDXXK8p8N0Cndsxs924q6nS1RXFASRl6BfUqdw"),
- }
-
- ecSampleMessages := []string{
- "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTEyOENCQy1IUzI1NiIsImVwayI6eyJrdHkiOiJFQyIsIngiOiJTQzAtRnJHUkVvVkpKSmg1TGhORmZqZnFXMC1XSUFyd3RZMzJzQmFQVVh3IiwieSI6ImFQMWlPRENveU9laTVyS1l2VENMNlRMZFN5UEdUN0djMnFsRnBwNXdiWFEiLCJjcnYiOiJQLTI1NiJ9fQ..3mifklTnTTGuA_etSUBBCw.dj8KFM8OlrQ3rT35nHcHZ7A5p84VB2OZb054ghSjS-M.KOIgnJjz87LGqMtikXGxXw",
- "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTE5MkNCQy1IUzM4NCIsImVwayI6eyJrdHkiOiJFQyIsIngiOiJUaHRGc0lRZ1E5MkZOYWFMbUFDQURLbE93dmNGVlRORHc4ampfWlJidUxjIiwieSI6IjJmRDZ3UXc3YmpYTm1nVThXMGpFbnl5ZUZkX3Y4ZmpDa3l1R29vTFhGM0EiLCJjcnYiOiJQLTI1NiJ9fQ..90zFayMkKc-fQC_19f6P3A.P1Y_7lMnfkUQOXW_en31lKZ3zAn1nEYn6fXLjmyVPrQ.hrgwy1cePVfhMWT0h-crKTXldglHZ-4g",
- "eyJhbGciOiJFQ0RILUVTIiwiZW5jIjoiQTI1NkNCQy1IUzUxMiIsImVwayI6eyJrdHkiOiJFQyIsIngiOiI5R1Z6c3VKNWgySl96UURVUFR3WU5zUkFzVzZfY2RzN0pELVQ2RDREQ1ZVIiwieSI6InFZVGl1dVU4aTB1WFpoaS14VGlRNlZJQm5vanFoWENPVnpmWm1pR2lRTEUiLCJjcnYiOiJQLTI1NiJ9fQ..v2reRlDkIsw3eWEsTCc1NA.0qakrFdbhtBCTSl7EREf9sxgHBP9I-Xw29OTJYnrqP8.54ozViEBYYmRkcKp7d2Ztt4hzjQ9Vb5zCeijN_RQrcI",
- "eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiOElUemg3VVFaaUthTWtfME9qX1hFaHZENXpUWjE2Ti13WVdjeTJYUC1tdyIsInkiOiJPNUJiVEk0bUFpU005ZmpCejBRU3pXaU5vbnl3cWlQLUN0RGgwdnNGYXNRIiwiY3J2IjoiUC0yNTYifX0.D3DP3wqPvJv4TYYfhnfrOG6nsM-MMH_CqGfnOGjgdXHNF7xRwEJBOA.WL9Kz3gNYA7S5Rs5mKcXmA.EmQkXhO_nFqAwxJWaM0DH4s3pmCscZovB8YWJ3Ru4N8.Bf88uzwfxiyTjpejU5B0Ng",
- "eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkExOTJDQkMtSFMzODQiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiMjlJMk4zRkF0UlBlNGhzYjRLWlhTbmVyV0wyTVhtSUN1LXJJaXhNSHpJQSIsInkiOiJvMjY1bzFReEdmbDhzMHQ0U1JROS00RGNpc3otbXh4NlJ6WVF4SktyeWpJIiwiY3J2IjoiUC0yNTYifX0.DRmsmXz6fCnLc_njDIKdpM7Oc4jTqd_yd9J94TOUksAstEUkAl9Ie3Wg-Ji_LzbdX2xRLXIimcw.FwJOHPQhnqKJCfxt1_qRnQ.ssx3q1ZYILsMTln5q-K8HVn93BVPI5ViusstKMxZzRs.zzcfzWNYSdNDdQ4CiHfymj0bePaAbVaT",
- "eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiRUp6bTViQnRzVXJNYTl2Y1Q2d1hZRXI3ZjNMcjB0N1V4SDZuZzdGcFF0VSIsInkiOiJRYTNDSDllVTFXYjItdFdVSDN3Sk9fTDVMZXRsRUlMQWNkNE9XR2tFd0hZIiwiY3J2IjoiUC0yNTYifX0.5WxwluZpVWAOJdVrsnDIlEc4_wfRE1gXOaQyx_rKkElNz157Ykf-JsAD7aEvXfx--NKF4js5zYyjeCtxWBhRWPOoNNZJlqV_.Iuo82-qsP2S1SgQQklAnrw.H4wB6XoLKOKWCu6Y3LPAEuHkvyvr-xAh4IBm53uRF8g._fOLKq0bqDZ8KNjni_MJ4olHNaYz376dV9eNmp9O9PU",
- "eyJhbGciOiJFQ0RILUVTK0ExOTJLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZktNSG5sRkoxajBTSnJ3WGtVWlpaX3BtWHdUQlJtcHhlaTkxdUpaczUycyIsInkiOiJLRkxKaXhEUTJQcjEybWp1aFdYb3pna2U1V3lhWnhmTWlxZkJ0OEJpbkRvIiwiY3J2IjoiUC0yNTYifX0.2LSD2Mw4tyYJyfsmpVmzBtJRd12jMEYGdlhFbaXIbKi5A33CGNQ1tg.s40aAjmZOvK8Us86FCBdHg.jpYSMAKp___oMCoWM495mTfbi_YC80ObeoCmGE3H_gs.A6V-jJJRY1yz24CaXGUbzg",
- "eyJhbGciOiJFQ0RILUVTK0ExOTJLVyIsImVuYyI6IkExOTJDQkMtSFMzODQiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiSDRxcFUzeWtuRktWRnV4SmxLa3NZSE5ieHF3aXM0WWtCVVFHVE1Td05JQSIsInkiOiJHb0lpRUZaUGRRSHJCbVR4ZTA3akJoZmxrdWNqUjVoX1QwNWVXc3Zib0prIiwiY3J2IjoiUC0yNTYifX0.KTrwwV2uzD--gf3PGG-kjEAGgi7u0eMqZPZfa4kpyFGm3x8t2m1NHdz3t9rfiqjuaqsxPKhF4gs.cu16fEOzYaSxhHu_Ht9w4g.BRJdxVBI9spVtY5KQ6gTR4CNcKvmLUMKZap0AO-RF2I.DZyUaa2p6YCIaYtjWOjC9GN_VIYgySlZ",
- "eyJhbGciOiJFQ0RILUVTK0ExOTJLVyIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoieDBYSGRkSGM2Q0ktSnlfbUVMOEZZRExhWnV0UkVFczR4c3BMQmcwZk1jbyIsInkiOiJEa0xzOUJGTlBkTTVTNkpLYVJ3cnV1TWMwcUFzWW9yNW9fZWp6NXBNVXFrIiwiY3J2IjoiUC0yNTYifX0.mfCxJ7JYIqTMqcAh5Vp2USF0eF7OhOeluqda7YagOUJNwxA9wC9o23DSoLUylfrZUfanZrJJJcG69awlv-LY7anOLHlp3Ht5.ec48A_JWb4qa_PVHWZaTfQ.kDAjIDb3LzJpfxNh-DiAmAuaKMYaOGSTb0rkiJLuVeY.oxGCpPlii4pr89XMk4b9s084LucTqPGU6TLbOW2MZoc",
- "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiQXB5TnlqU2d0bmRUcFg0eENYenNDRnZva1l3X18weXg2dGRUYzdPUUhIMCIsInkiOiJYUHdHMDVDaW1vOGlhWmxZbDNsMEp3ZllhY1FZWHFuM2RRZEJUWFpldDZBIiwiY3J2IjoiUC0yNTYifX0.yTA2PwK9IPqkaGPenZ9R-gOn9m9rvcSEfuX_Nm8AkuwHIYLzzYeAEA.ZW1F1iyHYKfo-YoanNaIVg.PouKQD94DlPA5lbpfGJXY-EJhidC7l4vSayVN2vVzvA.MexquqtGaXKUvX7WBmD4bA",
- "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExOTJDQkMtSFMzODQiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiaDRWeGNzNVUzWk1fTlp4WmJxQ3hMTVB5UmEtR2ktSVNZa0xDTzE1RHJkZyIsInkiOiJFeVotS3dWNVE5OXlnWk5zU0lpSldpR3hqbXNLUk1WVE5sTTNSd1VYTFRvIiwiY3J2IjoiUC0yNTYifX0.wo56VISyL1QAbi2HLuVut5NGF2FvxKt7B8zHzJ3FpmavPozfbVZV08-GSYQ6jLQWJ4xsO80I4Kg.3_9Bo5ozvD96WHGhqp_tfQ.48UkJ6jk6WK70QItb2QZr0edKH7O-aMuVahTEeqyfW4.ulMlY2tbC341ct20YSmNdtc84FRz1I4g",
- "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiN0xZRzZZWTJkel9ZaGNvNnRCcG1IX0tPREQ2X2hwX05tajdEc1c2RXgxcyIsInkiOiI5Y2lPeDcwUkdGT0tpVnBRX0NHQXB5NVlyeThDazBmUkpwNHVrQ2tjNmQ0IiwiY3J2IjoiUC0yNTYifX0.bWwW3J80k46HG1fQAZxUroko2OO8OKkeRavr_o3AnhJDMvp78OR229x-fZUaBm4uWv27_Yjm0X9T2H2lhlIli2Rl9v1PNC77.1NmsJBDGI1fDjRzyc4mtyA.9KfCFynQj7LmJq08qxAG4c-6ZPz1Lh3h3nUbgVwB0TI.cqech0d8XHzWfkWqgKZq1SlAfmO0PUwOsNVkuByVGWk",
- }
-
- for _, msg := range ecSampleMessages {
- obj, err := ParseEncrypted(msg)
- if err != nil {
- t.Error("unable to parse message", msg, err)
- continue
- }
- plaintext, err := obj.Decrypt(ecTestKey)
- if err != nil {
- t.Error("unable to decrypt message", msg, err)
- continue
- }
- if string(plaintext) != "Lorem ipsum dolor sit amet." {
- t.Error("plaintext is not what we expected for msg", msg)
- }
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jwk.go b/vendor/gopkg.in/square/go-jose.v1/jwk.go
deleted file mode 100644
index ccdfb2e8..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jwk.go
+++ /dev/null
@@ -1,408 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rsa"
- "fmt"
- "math/big"
- "reflect"
- "strings"
-)
-
-// rawJsonWebKey represents a public or private key in JWK format, used for parsing/serializing.
-type rawJsonWebKey struct {
- Use string `json:"use,omitempty"`
- Kty string `json:"kty,omitempty"`
- Kid string `json:"kid,omitempty"`
- Crv string `json:"crv,omitempty"`
- Alg string `json:"alg,omitempty"`
- K *byteBuffer `json:"k,omitempty"`
- X *byteBuffer `json:"x,omitempty"`
- Y *byteBuffer `json:"y,omitempty"`
- N *byteBuffer `json:"n,omitempty"`
- E *byteBuffer `json:"e,omitempty"`
- // -- Following fields are only used for private keys --
- // RSA uses D, P and Q, while ECDSA uses only D. Fields Dp, Dq, and Qi are
- // completely optional. Therefore for RSA/ECDSA, D != nil is a contract that
- // we have a private key whereas D == nil means we have only a public key.
- D *byteBuffer `json:"d,omitempty"`
- P *byteBuffer `json:"p,omitempty"`
- Q *byteBuffer `json:"q,omitempty"`
- Dp *byteBuffer `json:"dp,omitempty"`
- Dq *byteBuffer `json:"dq,omitempty"`
- Qi *byteBuffer `json:"qi,omitempty"`
-}
-
-// JsonWebKey represents a public or private key in JWK format.
-type JsonWebKey struct {
- Key interface{}
- KeyID string
- Algorithm string
- Use string
-}
-
-// MarshalJSON serializes the given key to its JSON representation.
-func (k JsonWebKey) MarshalJSON() ([]byte, error) {
- var raw *rawJsonWebKey
- var err error
-
- switch key := k.Key.(type) {
- case *ecdsa.PublicKey:
- raw, err = fromEcPublicKey(key)
- case *rsa.PublicKey:
- raw = fromRsaPublicKey(key)
- case *ecdsa.PrivateKey:
- raw, err = fromEcPrivateKey(key)
- case *rsa.PrivateKey:
- raw, err = fromRsaPrivateKey(key)
- case []byte:
- raw, err = fromSymmetricKey(key)
- default:
- return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
- }
-
- if err != nil {
- return nil, err
- }
-
- raw.Kid = k.KeyID
- raw.Alg = k.Algorithm
- raw.Use = k.Use
-
- return MarshalJSON(raw)
-}
-
-// UnmarshalJSON reads a key from its JSON representation.
-func (k *JsonWebKey) UnmarshalJSON(data []byte) (err error) {
- var raw rawJsonWebKey
- err = UnmarshalJSON(data, &raw)
- if err != nil {
- return err
- }
-
- var key interface{}
- switch raw.Kty {
- case "EC":
- if raw.D != nil {
- key, err = raw.ecPrivateKey()
- } else {
- key, err = raw.ecPublicKey()
- }
- case "RSA":
- if raw.D != nil {
- key, err = raw.rsaPrivateKey()
- } else {
- key, err = raw.rsaPublicKey()
- }
- case "oct":
- key, err = raw.symmetricKey()
- default:
- err = fmt.Errorf("square/go-jose: unknown json web key type '%s'", raw.Kty)
- }
-
- if err == nil {
- *k = JsonWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use}
- }
- return
-}
-
-// JsonWebKeySet represents a JWK Set object.
-type JsonWebKeySet struct {
- Keys []JsonWebKey `json:"keys"`
-}
-
-// Key convenience method returns keys by key ID. Specification states
-// that a JWK Set "SHOULD" use distinct key IDs, but allows for some
-// cases where they are not distinct. Hence method returns a slice
-// of JsonWebKeys.
-func (s *JsonWebKeySet) Key(kid string) []JsonWebKey {
- var keys []JsonWebKey
- for _, key := range s.Keys {
- if key.KeyID == kid {
- keys = append(keys, key)
- }
- }
-
- return keys
-}
-
-const rsaThumbprintTemplate = `{"e":"%s","kty":"RSA","n":"%s"}`
-const ecThumbprintTemplate = `{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`
-
-func ecThumbprintInput(curve elliptic.Curve, x, y *big.Int) (string, error) {
- coordLength := curveSize(curve)
- crv, err := curveName(curve)
- if err != nil {
- return "", err
- }
-
- return fmt.Sprintf(ecThumbprintTemplate, crv,
- newFixedSizeBuffer(x.Bytes(), coordLength).base64(),
- newFixedSizeBuffer(y.Bytes(), coordLength).base64()), nil
-}
-
-func rsaThumbprintInput(n *big.Int, e int) (string, error) {
- return fmt.Sprintf(rsaThumbprintTemplate,
- newBufferFromInt(uint64(e)).base64(),
- newBuffer(n.Bytes()).base64()), nil
-}
-
-// Thumbprint computes the JWK Thumbprint of a key using the
-// indicated hash algorithm.
-func (k *JsonWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
- var input string
- var err error
- switch key := k.Key.(type) {
- case *ecdsa.PublicKey:
- input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
- case *ecdsa.PrivateKey:
- input, err = ecThumbprintInput(key.Curve, key.X, key.Y)
- case *rsa.PublicKey:
- input, err = rsaThumbprintInput(key.N, key.E)
- case *rsa.PrivateKey:
- input, err = rsaThumbprintInput(key.N, key.E)
- default:
- return nil, fmt.Errorf("square/go-jose: unknown key type '%s'", reflect.TypeOf(key))
- }
-
- if err != nil {
- return nil, err
- }
-
- h := hash.New()
- h.Write([]byte(input))
- return h.Sum(nil), nil
-}
-
-// Valid checks that the key contains the expected parameters
-func (k *JsonWebKey) Valid() bool {
- if k.Key == nil {
- return false
- }
- switch key := k.Key.(type) {
- case *ecdsa.PublicKey:
- if key.Curve == nil || key.X == nil || key.Y == nil {
- return false
- }
- case *ecdsa.PrivateKey:
- if key.Curve == nil || key.X == nil || key.Y == nil || key.D == nil {
- return false
- }
- case *rsa.PublicKey:
- if key.N == nil || key.E == 0 {
- return false
- }
- case *rsa.PrivateKey:
- if key.N == nil || key.E == 0 || key.D == nil || len(key.Primes) < 2 {
- return false
- }
- default:
- return false
- }
- return true
-}
-
-func (key rawJsonWebKey) rsaPublicKey() (*rsa.PublicKey, error) {
- if key.N == nil || key.E == nil {
- return nil, fmt.Errorf("square/go-jose: invalid RSA key, missing n/e values")
- }
-
- return &rsa.PublicKey{
- N: key.N.bigInt(),
- E: key.E.toInt(),
- }, nil
-}
-
-func fromRsaPublicKey(pub *rsa.PublicKey) *rawJsonWebKey {
- return &rawJsonWebKey{
- Kty: "RSA",
- N: newBuffer(pub.N.Bytes()),
- E: newBufferFromInt(uint64(pub.E)),
- }
-}
-
-func (key rawJsonWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
- var curve elliptic.Curve
- switch key.Crv {
- case "P-256":
- curve = elliptic.P256()
- case "P-384":
- curve = elliptic.P384()
- case "P-521":
- curve = elliptic.P521()
- default:
- return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
- }
-
- if key.X == nil || key.Y == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC key, missing x/y values")
- }
-
- return &ecdsa.PublicKey{
- Curve: curve,
- X: key.X.bigInt(),
- Y: key.Y.bigInt(),
- }, nil
-}
-
-func fromEcPublicKey(pub *ecdsa.PublicKey) (*rawJsonWebKey, error) {
- if pub == nil || pub.X == nil || pub.Y == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC key (nil, or X/Y missing)")
- }
-
- name, err := curveName(pub.Curve)
- if err != nil {
- return nil, err
- }
-
- size := curveSize(pub.Curve)
-
- xBytes := pub.X.Bytes()
- yBytes := pub.Y.Bytes()
-
- if len(xBytes) > size || len(yBytes) > size {
- return nil, fmt.Errorf("square/go-jose: invalid EC key (X/Y too large)")
- }
-
- key := &rawJsonWebKey{
- Kty: "EC",
- Crv: name,
- X: newFixedSizeBuffer(xBytes, size),
- Y: newFixedSizeBuffer(yBytes, size),
- }
-
- return key, nil
-}
-
-func (key rawJsonWebKey) rsaPrivateKey() (*rsa.PrivateKey, error) {
- var missing []string
- switch {
- case key.N == nil:
- missing = append(missing, "N")
- case key.E == nil:
- missing = append(missing, "E")
- case key.D == nil:
- missing = append(missing, "D")
- case key.P == nil:
- missing = append(missing, "P")
- case key.Q == nil:
- missing = append(missing, "Q")
- }
-
- if len(missing) > 0 {
- return nil, fmt.Errorf("square/go-jose: invalid RSA private key, missing %s value(s)", strings.Join(missing, ", "))
- }
-
- rv := &rsa.PrivateKey{
- PublicKey: rsa.PublicKey{
- N: key.N.bigInt(),
- E: key.E.toInt(),
- },
- D: key.D.bigInt(),
- Primes: []*big.Int{
- key.P.bigInt(),
- key.Q.bigInt(),
- },
- }
-
- if key.Dp != nil {
- rv.Precomputed.Dp = key.Dp.bigInt()
- }
- if key.Dq != nil {
- rv.Precomputed.Dq = key.Dq.bigInt()
- }
- if key.Qi != nil {
- rv.Precomputed.Qinv = key.Qi.bigInt()
- }
-
- err := rv.Validate()
- return rv, err
-}
-
-func fromRsaPrivateKey(rsa *rsa.PrivateKey) (*rawJsonWebKey, error) {
- if len(rsa.Primes) != 2 {
- return nil, ErrUnsupportedKeyType
- }
-
- raw := fromRsaPublicKey(&rsa.PublicKey)
-
- raw.D = newBuffer(rsa.D.Bytes())
- raw.P = newBuffer(rsa.Primes[0].Bytes())
- raw.Q = newBuffer(rsa.Primes[1].Bytes())
-
- return raw, nil
-}
-
-func (key rawJsonWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
- var curve elliptic.Curve
- switch key.Crv {
- case "P-256":
- curve = elliptic.P256()
- case "P-384":
- curve = elliptic.P384()
- case "P-521":
- curve = elliptic.P521()
- default:
- return nil, fmt.Errorf("square/go-jose: unsupported elliptic curve '%s'", key.Crv)
- }
-
- if key.X == nil || key.Y == nil || key.D == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
- }
-
- return &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- Curve: curve,
- X: key.X.bigInt(),
- Y: key.Y.bigInt(),
- },
- D: key.D.bigInt(),
- }, nil
-}
-
-func fromEcPrivateKey(ec *ecdsa.PrivateKey) (*rawJsonWebKey, error) {
- raw, err := fromEcPublicKey(&ec.PublicKey)
- if err != nil {
- return nil, err
- }
-
- if ec.D == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC private key")
- }
-
- raw.D = newBuffer(ec.D.Bytes())
-
- return raw, nil
-}
-
-func fromSymmetricKey(key []byte) (*rawJsonWebKey, error) {
- return &rawJsonWebKey{
- Kty: "oct",
- K: newBuffer(key),
- }, nil
-}
-
-func (key rawJsonWebKey) symmetricKey() ([]byte, error) {
- if key.K == nil {
- return nil, fmt.Errorf("square/go-jose: invalid OCT (symmetric) key, missing k value")
- }
- return key.K.bytes(), nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jwk_test.go b/vendor/gopkg.in/square/go-jose.v1/jwk_test.go
deleted file mode 100644
index a87b42a1..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jwk_test.go
+++ /dev/null
@@ -1,552 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rsa"
- "encoding/hex"
- "fmt"
- "math/big"
- "reflect"
- "testing"
-)
-
-func TestCurveSize(t *testing.T) {
- size256 := curveSize(elliptic.P256())
- size384 := curveSize(elliptic.P384())
- size521 := curveSize(elliptic.P521())
- if size256 != 32 {
- t.Error("P-256 have 32 bytes")
- }
- if size384 != 48 {
- t.Error("P-384 have 48 bytes")
- }
- if size521 != 66 {
- t.Error("P-521 have 66 bytes")
- }
-}
-
-func TestRoundtripRsaPrivate(t *testing.T) {
- jwk, err := fromRsaPrivateKey(rsaTestKey)
- if err != nil {
- t.Error("problem constructing JWK from rsa key", err)
- }
-
- rsa2, err := jwk.rsaPrivateKey()
- if err != nil {
- t.Error("problem converting RSA private -> JWK", err)
- }
-
- if rsa2.N.Cmp(rsaTestKey.N) != 0 {
- t.Error("RSA private N mismatch")
- }
- if rsa2.E != rsaTestKey.E {
- t.Error("RSA private E mismatch")
- }
- if rsa2.D.Cmp(rsaTestKey.D) != 0 {
- t.Error("RSA private D mismatch")
- }
- if len(rsa2.Primes) != 2 {
- t.Error("RSA private roundtrip expected two primes")
- }
- if rsa2.Primes[0].Cmp(rsaTestKey.Primes[0]) != 0 {
- t.Error("RSA private P mismatch")
- }
- if rsa2.Primes[1].Cmp(rsaTestKey.Primes[1]) != 0 {
- t.Error("RSA private Q mismatch")
- }
-}
-
-func TestRsaPrivateInsufficientPrimes(t *testing.T) {
- brokenRsaPrivateKey := rsa.PrivateKey{
- PublicKey: rsa.PublicKey{
- N: rsaTestKey.N,
- E: rsaTestKey.E,
- },
- D: rsaTestKey.D,
- Primes: []*big.Int{rsaTestKey.Primes[0]},
- }
-
- _, err := fromRsaPrivateKey(&brokenRsaPrivateKey)
- if err != ErrUnsupportedKeyType {
- t.Error("expected unsupported key type error, got", err)
- }
-}
-
-func TestRsaPrivateExcessPrimes(t *testing.T) {
- brokenRsaPrivateKey := rsa.PrivateKey{
- PublicKey: rsa.PublicKey{
- N: rsaTestKey.N,
- E: rsaTestKey.E,
- },
- D: rsaTestKey.D,
- Primes: []*big.Int{
- rsaTestKey.Primes[0],
- rsaTestKey.Primes[1],
- big.NewInt(3),
- },
- }
-
- _, err := fromRsaPrivateKey(&brokenRsaPrivateKey)
- if err != ErrUnsupportedKeyType {
- t.Error("expected unsupported key type error, got", err)
- }
-}
-
-func TestRoundtripEcPublic(t *testing.T) {
- for i, ecTestKey := range []*ecdsa.PrivateKey{ecTestKey256, ecTestKey384, ecTestKey521} {
- jwk, err := fromEcPublicKey(&ecTestKey.PublicKey)
-
- ec2, err := jwk.ecPublicKey()
- if err != nil {
- t.Error("problem converting ECDSA private -> JWK", i, err)
- }
-
- if !reflect.DeepEqual(ec2.Curve, ecTestKey.Curve) {
- t.Error("ECDSA private curve mismatch", i)
- }
- if ec2.X.Cmp(ecTestKey.X) != 0 {
- t.Error("ECDSA X mismatch", i)
- }
- if ec2.Y.Cmp(ecTestKey.Y) != 0 {
- t.Error("ECDSA Y mismatch", i)
- }
- }
-}
-
-func TestRoundtripEcPrivate(t *testing.T) {
- for i, ecTestKey := range []*ecdsa.PrivateKey{ecTestKey256, ecTestKey384, ecTestKey521} {
- jwk, err := fromEcPrivateKey(ecTestKey)
-
- ec2, err := jwk.ecPrivateKey()
- if err != nil {
- t.Error("problem converting ECDSA private -> JWK", i, err)
- }
-
- if !reflect.DeepEqual(ec2.Curve, ecTestKey.Curve) {
- t.Error("ECDSA private curve mismatch", i)
- }
- if ec2.X.Cmp(ecTestKey.X) != 0 {
- t.Error("ECDSA X mismatch", i)
- }
- if ec2.Y.Cmp(ecTestKey.Y) != 0 {
- t.Error("ECDSA Y mismatch", i)
- }
- if ec2.D.Cmp(ecTestKey.D) != 0 {
- t.Error("ECDSA D mismatch", i)
- }
- }
-}
-
-func TestMarshalUnmarshal(t *testing.T) {
- kid := "DEADBEEF"
-
- for i, key := range []interface{}{ecTestKey256, ecTestKey384, ecTestKey521, rsaTestKey} {
- for _, use := range []string{"", "sig", "enc"} {
- jwk := JsonWebKey{Key: key, KeyID: kid, Algorithm: "foo"}
- if use != "" {
- jwk.Use = use
- }
-
- jsonbar, err := jwk.MarshalJSON()
- if err != nil {
- t.Error("problem marshaling", i, err)
- }
-
- var jwk2 JsonWebKey
- err = jwk2.UnmarshalJSON(jsonbar)
- if err != nil {
- t.Error("problem unmarshalling", i, err)
- }
-
- jsonbar2, err := jwk2.MarshalJSON()
- if err != nil {
- t.Error("problem marshaling", i, err)
- }
-
- if !bytes.Equal(jsonbar, jsonbar2) {
- t.Error("roundtrip should not lose information", i)
- }
- if jwk2.KeyID != kid {
- t.Error("kid did not roundtrip JSON marshalling", i)
- }
-
- if jwk2.Algorithm != "foo" {
- t.Error("alg did not roundtrip JSON marshalling", i)
- }
-
- if jwk2.Use != use {
- t.Error("use did not roundtrip JSON marshalling", i)
- }
- }
- }
-}
-
-func TestMarshalNonPointer(t *testing.T) {
- type EmbedsKey struct {
- Key JsonWebKey
- }
-
- keyJson := []byte(`{
- "e": "AQAB",
- "kty": "RSA",
- "n": "vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw"
- }`)
- var parsedKey JsonWebKey
- err := UnmarshalJSON(keyJson, &parsedKey)
- if err != nil {
- t.Error(fmt.Sprintf("Error unmarshalling key: %v", err))
- return
- }
- ek := EmbedsKey{
- Key: parsedKey,
- }
- out, err := MarshalJSON(ek)
- if err != nil {
- t.Error(fmt.Sprintf("Error marshalling JSON: %v", err))
- return
- }
- expected := "{\"Key\":{\"kty\":\"RSA\",\"n\":\"vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw\",\"e\":\"AQAB\"}}"
- if string(out) != expected {
- t.Error("Failed to marshal embedded non-pointer JWK properly:", string(out))
- }
-}
-
-func TestMarshalUnmarshalInvalid(t *testing.T) {
- // Make an invalid curve coordinate by creating a byte array that is one
- // byte too large, and setting the first byte to 1 (otherwise it's just zero).
- invalidCoord := make([]byte, curveSize(ecTestKey256.Curve)+1)
- invalidCoord[0] = 1
-
- keys := []interface{}{
- // Empty keys
- &rsa.PrivateKey{},
- &ecdsa.PrivateKey{},
- // Invalid keys
- &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- // Missing values in pub key
- Curve: elliptic.P256(),
- },
- },
- &ecdsa.PrivateKey{
- PublicKey: ecdsa.PublicKey{
- // Invalid curve
- Curve: nil,
- X: ecTestKey256.X,
- Y: ecTestKey256.Y,
- },
- },
- &ecdsa.PrivateKey{
- // Valid pub key, but missing priv key values
- PublicKey: ecTestKey256.PublicKey,
- },
- &ecdsa.PrivateKey{
- // Invalid pub key, values too large
- PublicKey: ecdsa.PublicKey{
- Curve: ecTestKey256.Curve,
- X: big.NewInt(0).SetBytes(invalidCoord),
- Y: big.NewInt(0).SetBytes(invalidCoord),
- },
- D: ecTestKey256.D,
- },
- nil,
- }
-
- for i, key := range keys {
- jwk := JsonWebKey{Key: key}
- _, err := jwk.MarshalJSON()
- if err == nil {
- t.Error("managed to serialize invalid key", i)
- }
- }
-}
-
-func TestWebKeyVectorsInvalid(t *testing.T) {
- keys := []string{
- // Invalid JSON
- "{X",
- // Empty key
- "{}",
- // Invalid RSA keys
- `{"kty":"RSA"}`,
- `{"kty":"RSA","e":""}`,
- `{"kty":"RSA","e":"XXXX"}`,
- `{"kty":"RSA","d":"XXXX"}`,
- // Invalid EC keys
- `{"kty":"EC","crv":"ABC"}`,
- `{"kty":"EC","crv":"P-256"}`,
- `{"kty":"EC","crv":"P-256","d":"XXX"}`,
- `{"kty":"EC","crv":"ABC","d":"dGVzdA","x":"dGVzdA"}`,
- `{"kty":"EC","crv":"P-256","d":"dGVzdA","x":"dGVzdA"}`,
- }
-
- for _, key := range keys {
- var jwk2 JsonWebKey
- err := jwk2.UnmarshalJSON([]byte(key))
- if err == nil {
- t.Error("managed to parse invalid key:", key)
- }
- }
-}
-
-// Test vectors from RFC 7520
-var cookbookJWKs = []string{
- // EC Public
- stripWhitespace(`{
- "kty": "EC",
- "kid": "bilbo.baggins@hobbiton.example",
- "use": "sig",
- "crv": "P-521",
- "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9
- A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
- "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVy
- SsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1"
- }`),
-
- // EC Private
- stripWhitespace(`{
- "kty": "EC",
- "kid": "bilbo.baggins@hobbiton.example",
- "use": "sig",
- "crv": "P-521",
- "x": "AHKZLLOsCOzz5cY97ewNUajB957y-C-U88c3v13nmGZx6sYl_oJXu9
- A5RkTKqjqvjyekWF-7ytDyRXYgCF5cj0Kt",
- "y": "AdymlHvOiLxXkEhayXQnNCvDX4h9htZaCJN34kfmC6pV5OhQHiraVy
- SsUdaQkAgDPrwQrJmbnX9cwlGfP-HqHZR1",
- "d": "AAhRON2r9cqXX1hg-RoI6R1tX5p2rUAYdmpHZoC1XNM56KtscrX6zb
- KipQrCW9CGZH3T4ubpnoTKLDYJ_fF3_rJt"
- }`),
-
- // RSA Public
- stripWhitespace(`{
- "kty": "RSA",
- "kid": "bilbo.baggins@hobbiton.example",
- "use": "sig",
- "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT
- -O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqV
- wGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-
- oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde
- 3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuC
- LqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5g
- HdrNP5zw",
- "e": "AQAB"
- }`),
-
- // RSA Private
- stripWhitespace(`{"kty":"RSA",
- "kid":"juliet@capulet.lit",
- "use":"enc",
- "n":"t6Q8PWSi1dkJj9hTP8hNYFlvadM7DflW9mWepOJhJ66w7nyoK1gPNqFMSQRy
- O125Gp-TEkodhWr0iujjHVx7BcV0llS4w5ACGgPrcAd6ZcSR0-Iqom-QFcNP
- 8Sjg086MwoqQU_LYywlAGZ21WSdS_PERyGFiNnj3QQlO8Yns5jCtLCRwLHL0
- Pb1fEv45AuRIuUfVcPySBWYnDyGxvjYGDSM-AqWS9zIQ2ZilgT-GqUmipg0X
- OC0Cc20rgLe2ymLHjpHciCKVAbY5-L32-lSeZO-Os6U15_aXrk9Gw8cPUaX1
- _I8sLGuSiVdt3C_Fn2PZ3Z8i744FPFGGcG1qs2Wz-Q",
- "e":"AQAB",
- "d":"GRtbIQmhOZtyszfgKdg4u_N-R_mZGU_9k7JQ_jn1DnfTuMdSNprTeaSTyWfS
- NkuaAwnOEbIQVy1IQbWVV25NY3ybc_IhUJtfri7bAXYEReWaCl3hdlPKXy9U
- vqPYGR0kIXTQRqns-dVJ7jahlI7LyckrpTmrM8dWBo4_PMaenNnPiQgO0xnu
- ToxutRZJfJvG4Ox4ka3GORQd9CsCZ2vsUDmsXOfUENOyMqADC6p1M3h33tsu
- rY15k9qMSpG9OX_IJAXmxzAh_tWiZOwk2K4yxH9tS3Lq1yX8C1EWmeRDkK2a
- hecG85-oLKQt5VEpWHKmjOi_gJSdSgqcN96X52esAQ",
- "p":"2rnSOV4hKSN8sS4CgcQHFbs08XboFDqKum3sc4h3GRxrTmQdl1ZK9uw-PIHf
- QP0FkxXVrx-WE-ZEbrqivH_2iCLUS7wAl6XvARt1KkIaUxPPSYB9yk31s0Q8
- UK96E3_OrADAYtAJs-M3JxCLfNgqh56HDnETTQhH3rCT5T3yJws",
- "q":"1u_RiFDP7LBYh3N4GXLT9OpSKYP0uQZyiaZwBtOCBNJgQxaj10RWjsZu0c6I
- edis4S7B_coSKB0Kj9PaPaBzg-IySRvvcQuPamQu66riMhjVtG6TlV8CLCYK
- rYl52ziqK0E_ym2QnkwsUX7eYTB7LbAHRK9GqocDE5B0f808I4s",
- "dp":"KkMTWqBUefVwZ2_Dbj1pPQqyHSHjj90L5x_MOzqYAJMcLMZtbUtwKqvVDq3
- tbEo3ZIcohbDtt6SbfmWzggabpQxNxuBpoOOf_a_HgMXK_lhqigI4y_kqS1w
- Y52IwjUn5rgRrJ-yYo1h41KR-vz2pYhEAeYrhttWtxVqLCRViD6c",
- "dq":"AvfS0-gRxvn0bwJoMSnFxYcK1WnuEjQFluMGfwGitQBWtfZ1Er7t1xDkbN9
- GQTB9yqpDoYaN06H7CFtrkxhJIBQaj6nkF5KKS3TQtQ5qCzkOkmxIe3KRbBy
- mXxkb5qwUpX5ELD5xFc6FeiafWYY63TmmEAu_lRFCOJ3xDea-ots",
- "qi":"lSQi-w9CpyUReMErP1RsBLk7wNtOvs5EQpPqmuMvqW57NBUczScEoPwmUqq
- abu9V0-Py4dQ57_bapoKRu1R90bvuFnU63SHWEFglZQvJDMeAvmj4sm-Fp0o
- Yu_neotgQ0hzbI5gry7ajdYy9-2lNx_76aBZoOUu9HCJ-UsfSOI8"}`),
-}
-
-// SHA-256 thumbprints of the above keys, hex-encoded
-var cookbookJWKThumbprints = []string{
- "747ae2dd2003664aeeb21e4753fe7402846170a16bc8df8f23a8cf06d3cbe793",
- "747ae2dd2003664aeeb21e4753fe7402846170a16bc8df8f23a8cf06d3cbe793",
- "f63838e96077ad1fc01c3f8405774dedc0641f558ebb4b40dccf5f9b6d66a932",
- "0fc478f8579325fcee0d4cbc6d9d1ce21730a6e97e435d6008fb379b0ebe47d4",
-}
-
-func TestWebKeyVectorsValid(t *testing.T) {
- for _, key := range cookbookJWKs {
- var jwk2 JsonWebKey
- err := jwk2.UnmarshalJSON([]byte(key))
- if err != nil {
- t.Error("unable to parse valid key:", key, err)
- }
- }
-}
-
-func TestThumbprint(t *testing.T) {
- for i, key := range cookbookJWKs {
- var jwk2 JsonWebKey
- err := jwk2.UnmarshalJSON([]byte(key))
- if err != nil {
- t.Error("unable to parse valid key:", key, err)
- }
-
- tp, err := jwk2.Thumbprint(crypto.SHA256)
- if err != nil {
- t.Error("unable to compute thumbprint:", key, err)
- }
-
- tpHex := hex.EncodeToString(tp)
- if cookbookJWKThumbprints[i] != tpHex {
- t.Error("incorrect thumbprint:", i, cookbookJWKThumbprints[i], tpHex)
- }
- }
-}
-
-func TestMarshalUnmarshalJWKSet(t *testing.T) {
- jwk1 := JsonWebKey{Key: rsaTestKey, KeyID: "ABCDEFG", Algorithm: "foo"}
- jwk2 := JsonWebKey{Key: rsaTestKey, KeyID: "GFEDCBA", Algorithm: "foo"}
- var set JsonWebKeySet
- set.Keys = append(set.Keys, jwk1)
- set.Keys = append(set.Keys, jwk2)
-
- jsonbar, err := MarshalJSON(&set)
- if err != nil {
- t.Error("problem marshalling set", err)
- }
- var set2 JsonWebKeySet
- err = UnmarshalJSON(jsonbar, &set2)
- if err != nil {
- t.Error("problem unmarshalling set", err)
- }
- jsonbar2, err := MarshalJSON(&set2)
- if err != nil {
- t.Error("problem marshalling set", err)
- }
- if !bytes.Equal(jsonbar, jsonbar2) {
- t.Error("roundtrip should not lose information")
- }
-}
-
-func TestJWKSetKey(t *testing.T) {
- jwk1 := JsonWebKey{Key: rsaTestKey, KeyID: "ABCDEFG", Algorithm: "foo"}
- jwk2 := JsonWebKey{Key: rsaTestKey, KeyID: "GFEDCBA", Algorithm: "foo"}
- var set JsonWebKeySet
- set.Keys = append(set.Keys, jwk1)
- set.Keys = append(set.Keys, jwk2)
- k := set.Key("ABCDEFG")
- if len(k) != 1 {
- t.Errorf("method should return slice with one key not %d", len(k))
- }
- if k[0].KeyID != "ABCDEFG" {
- t.Error("method should return key with ID ABCDEFG")
- }
-}
-
-func TestJWKSymmetricKey(t *testing.T) {
- sample1 := `{"kty":"oct","alg":"A128KW","k":"GawgguFyGrWKav7AX4VKUg"}`
- sample2 := `{"kty":"oct","k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow","kid":"HMAC key used in JWS spec Appendix A.1 example"}`
-
- var jwk1 JsonWebKey
- UnmarshalJSON([]byte(sample1), &jwk1)
-
- if jwk1.Algorithm != "A128KW" {
- t.Errorf("expected Algorithm to be A128KW, but was '%s'", jwk1.Algorithm)
- }
- expected1 := fromHexBytes("19ac2082e1721ab58a6afec05f854a52")
- if !bytes.Equal(jwk1.Key.([]byte), expected1) {
- t.Errorf("expected Key to be '%s', but was '%s'", hex.EncodeToString(expected1), hex.EncodeToString(jwk1.Key.([]byte)))
- }
-
- var jwk2 JsonWebKey
- UnmarshalJSON([]byte(sample2), &jwk2)
-
- if jwk2.KeyID != "HMAC key used in JWS spec Appendix A.1 example" {
- t.Errorf("expected KeyID to be 'HMAC key used in JWS spec Appendix A.1 example', but was '%s'", jwk2.KeyID)
- }
- expected2 := fromHexBytes(`
- 0323354b2b0fa5bc837e0665777ba68f5ab328e6f054c928a90f84b2d2502ebf
- d3fb5a92d20647ef968ab4c377623d223d2e2172052e4f08c0cd9af567d080a3`)
- if !bytes.Equal(jwk2.Key.([]byte), expected2) {
- t.Errorf("expected Key to be '%s', but was '%s'", hex.EncodeToString(expected2), hex.EncodeToString(jwk2.Key.([]byte)))
- }
-}
-
-func TestJWKSymmetricRoundtrip(t *testing.T) {
- jwk1 := JsonWebKey{Key: []byte{1, 2, 3, 4}}
- marshaled, err := jwk1.MarshalJSON()
- if err != nil {
- t.Errorf("failed to marshal valid JWK object", err)
- }
-
- var jwk2 JsonWebKey
- err = jwk2.UnmarshalJSON(marshaled)
- if err != nil {
- t.Errorf("failed to unmarshal valid JWK object", err)
- }
-
- if !bytes.Equal(jwk1.Key.([]byte), jwk2.Key.([]byte)) {
- t.Error("round-trip of symmetric JWK gave different raw keys")
- }
-}
-
-func TestJWKSymmetricInvalid(t *testing.T) {
- invalid := JsonWebKey{}
- _, err := invalid.MarshalJSON()
- if err == nil {
- t.Error("excepted error on marshaling invalid symmetric JWK object")
- }
-
- var jwk JsonWebKey
- err = jwk.UnmarshalJSON([]byte(`{"kty":"oct"}`))
- if err == nil {
- t.Error("excepted error on unmarshaling invalid symmetric JWK object")
- }
-}
-
-func TestJWKValid(t *testing.T) {
- bigInt := big.NewInt(0)
- eccPub := ecdsa.PublicKey{elliptic.P256(), bigInt, bigInt}
- rsaPub := rsa.PublicKey{bigInt, 1}
- cases := []struct {
- key interface{}
- expectedValidity bool
- }{
- {nil, false},
- {&ecdsa.PublicKey{}, false},
- {&eccPub, true},
- {&ecdsa.PrivateKey{}, false},
- {&ecdsa.PrivateKey{eccPub, bigInt}, true},
- {&rsa.PublicKey{}, false},
- {&rsaPub, true},
- {&rsa.PrivateKey{}, false},
- {&rsa.PrivateKey{rsaPub, bigInt, []*big.Int{bigInt, bigInt}, rsa.PrecomputedValues{}}, true},
- }
-
- for _, tc := range cases {
- k := &JsonWebKey{Key: tc.key}
- if valid := k.Valid(); valid != tc.expectedValidity {
- t.Errorf("expected Valid to return %t, got %t", tc.expectedValidity, valid)
- }
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jws.go b/vendor/gopkg.in/square/go-jose.v1/jws.go
deleted file mode 100644
index 87173c91..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jws.go
+++ /dev/null
@@ -1,252 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "fmt"
- "strings"
-)
-
-// rawJsonWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
-type rawJsonWebSignature struct {
- Payload *byteBuffer `json:"payload,omitempty"`
- Signatures []rawSignatureInfo `json:"signatures,omitempty"`
- Protected *byteBuffer `json:"protected,omitempty"`
- Header *rawHeader `json:"header,omitempty"`
- Signature *byteBuffer `json:"signature,omitempty"`
-}
-
-// rawSignatureInfo represents a single JWS signature over the JWS payload and protected header.
-type rawSignatureInfo struct {
- Protected *byteBuffer `json:"protected,omitempty"`
- Header *rawHeader `json:"header,omitempty"`
- Signature *byteBuffer `json:"signature,omitempty"`
-}
-
-// JsonWebSignature represents a signed JWS object after parsing.
-type JsonWebSignature struct {
- payload []byte
- Signatures []Signature
-}
-
-// Signature represents a single signature over the JWS payload and protected header.
-type Signature struct {
- // Header fields, such as the signature algorithm
- Header JoseHeader
-
- // The actual signature value
- Signature []byte
-
- protected *rawHeader
- header *rawHeader
- original *rawSignatureInfo
-}
-
-// ParseSigned parses an encrypted message in compact or full serialization format.
-func ParseSigned(input string) (*JsonWebSignature, error) {
- input = stripWhitespace(input)
- if strings.HasPrefix(input, "{") {
- return parseSignedFull(input)
- }
-
- return parseSignedCompact(input)
-}
-
-// Get a header value
-func (sig Signature) mergedHeaders() rawHeader {
- out := rawHeader{}
- out.merge(sig.protected)
- out.merge(sig.header)
- return out
-}
-
-// Compute data to be signed
-func (obj JsonWebSignature) computeAuthData(signature *Signature) []byte {
- var serializedProtected string
-
- if signature.original != nil && signature.original.Protected != nil {
- serializedProtected = signature.original.Protected.base64()
- } else if signature.protected != nil {
- serializedProtected = base64URLEncode(mustSerializeJSON(signature.protected))
- } else {
- serializedProtected = ""
- }
-
- return []byte(fmt.Sprintf("%s.%s",
- serializedProtected,
- base64URLEncode(obj.payload)))
-}
-
-// parseSignedFull parses a message in full format.
-func parseSignedFull(input string) (*JsonWebSignature, error) {
- var parsed rawJsonWebSignature
- err := UnmarshalJSON([]byte(input), &parsed)
- if err != nil {
- return nil, err
- }
-
- return parsed.sanitized()
-}
-
-// sanitized produces a cleaned-up JWS object from the raw JSON.
-func (parsed *rawJsonWebSignature) sanitized() (*JsonWebSignature, error) {
- if parsed.Payload == nil {
- return nil, fmt.Errorf("square/go-jose: missing payload in JWS message")
- }
-
- obj := &JsonWebSignature{
- payload: parsed.Payload.bytes(),
- Signatures: make([]Signature, len(parsed.Signatures)),
- }
-
- if len(parsed.Signatures) == 0 {
- // No signatures array, must be flattened serialization
- signature := Signature{}
- if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
- signature.protected = &rawHeader{}
- err := UnmarshalJSON(parsed.Protected.bytes(), signature.protected)
- if err != nil {
- return nil, err
- }
- }
-
- if parsed.Header != nil && parsed.Header.Nonce != "" {
- return nil, ErrUnprotectedNonce
- }
-
- signature.header = parsed.Header
- signature.Signature = parsed.Signature.bytes()
- // Make a fake "original" rawSignatureInfo to store the unprocessed
- // Protected header. This is necessary because the Protected header can
- // contain arbitrary fields not registered as part of the spec. See
- // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
- // If we unmarshal Protected into a rawHeader with its explicit list of fields,
- // we cannot marshal losslessly. So we have to keep around the original bytes.
- // This is used in computeAuthData, which will first attempt to use
- // the original bytes of a protected header, and fall back on marshaling the
- // header struct only if those bytes are not available.
- signature.original = &rawSignatureInfo{
- Protected: parsed.Protected,
- Header: parsed.Header,
- Signature: parsed.Signature,
- }
-
- signature.Header = signature.mergedHeaders().sanitized()
- obj.Signatures = append(obj.Signatures, signature)
- }
-
- for i, sig := range parsed.Signatures {
- if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
- obj.Signatures[i].protected = &rawHeader{}
- err := UnmarshalJSON(sig.Protected.bytes(), obj.Signatures[i].protected)
- if err != nil {
- return nil, err
- }
- }
-
- // Check that there is not a nonce in the unprotected header
- if sig.Header != nil && sig.Header.Nonce != "" {
- return nil, ErrUnprotectedNonce
- }
-
- obj.Signatures[i].Signature = sig.Signature.bytes()
-
- // Copy value of sig
- original := sig
-
- obj.Signatures[i].header = sig.Header
- obj.Signatures[i].original = &original
- obj.Signatures[i].Header = obj.Signatures[i].mergedHeaders().sanitized()
- }
-
- return obj, nil
-}
-
-// parseSignedCompact parses a message in compact format.
-func parseSignedCompact(input string) (*JsonWebSignature, error) {
- parts := strings.Split(input, ".")
- if len(parts) != 3 {
- return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
- }
-
- rawProtected, err := base64URLDecode(parts[0])
- if err != nil {
- return nil, err
- }
-
- payload, err := base64URLDecode(parts[1])
- if err != nil {
- return nil, err
- }
-
- signature, err := base64URLDecode(parts[2])
- if err != nil {
- return nil, err
- }
-
- raw := &rawJsonWebSignature{
- Payload: newBuffer(payload),
- Protected: newBuffer(rawProtected),
- Signature: newBuffer(signature),
- }
- return raw.sanitized()
-}
-
-// CompactSerialize serializes an object using the compact serialization format.
-func (obj JsonWebSignature) CompactSerialize() (string, error) {
- if len(obj.Signatures) != 1 || obj.Signatures[0].header != nil || obj.Signatures[0].protected == nil {
- return "", ErrNotSupported
- }
-
- serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
-
- return fmt.Sprintf(
- "%s.%s.%s",
- base64URLEncode(serializedProtected),
- base64URLEncode(obj.payload),
- base64URLEncode(obj.Signatures[0].Signature)), nil
-}
-
-// FullSerialize serializes an object using the full JSON serialization format.
-func (obj JsonWebSignature) FullSerialize() string {
- raw := rawJsonWebSignature{
- Payload: newBuffer(obj.payload),
- }
-
- if len(obj.Signatures) == 1 {
- if obj.Signatures[0].protected != nil {
- serializedProtected := mustSerializeJSON(obj.Signatures[0].protected)
- raw.Protected = newBuffer(serializedProtected)
- }
- raw.Header = obj.Signatures[0].header
- raw.Signature = newBuffer(obj.Signatures[0].Signature)
- } else {
- raw.Signatures = make([]rawSignatureInfo, len(obj.Signatures))
- for i, signature := range obj.Signatures {
- raw.Signatures[i] = rawSignatureInfo{
- Header: signature.header,
- Signature: newBuffer(signature.Signature),
- }
-
- if signature.protected != nil {
- raw.Signatures[i].Protected = newBuffer(mustSerializeJSON(signature.protected))
- }
- }
- }
-
- return string(mustSerializeJSON(raw))
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/jws_test.go b/vendor/gopkg.in/square/go-jose.v1/jws_test.go
deleted file mode 100644
index d8f94c14..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/jws_test.go
+++ /dev/null
@@ -1,302 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "fmt"
- "strings"
- "testing"
-)
-
-func TestCompactParseJWS(t *testing.T) {
- // Should parse
- msg := "eyJhbGciOiJYWVoifQ.cGF5bG9hZA.c2lnbmF0dXJl"
- _, err := ParseSigned(msg)
- if err != nil {
- t.Error("Unable to parse valid message:", err)
- }
-
- // Messages that should fail to parse
- failures := []string{
- // Not enough parts
- "eyJhbGciOiJYWVoifQ.cGF5bG9hZA",
- // Invalid signature
- "eyJhbGciOiJYWVoifQ.cGF5bG9hZA.////",
- // Invalid payload
- "eyJhbGciOiJYWVoifQ.////.c2lnbmF0dXJl",
- // Invalid header
- "////.eyJhbGciOiJYWVoifQ.c2lnbmF0dXJl",
- // Invalid header
- "cGF5bG9hZA.cGF5bG9hZA.c2lnbmF0dXJl",
- }
-
- for i := range failures {
- _, err = ParseSigned(failures[i])
- if err == nil {
- t.Error("Able to parse invalid message")
- }
- }
-}
-
-func TestFullParseJWS(t *testing.T) {
- // Messages that should succeed to parse
- successes := []string{
- "{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"e30\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"},{\"protected\":\"e30\",\"signature\":\"CUJD\"}]}",
- }
-
- for i := range successes {
- _, err := ParseSigned(successes[i])
- if err != nil {
- t.Error("Unble to parse valid message", err, successes[i])
- }
- }
-
- // Messages that should fail to parse
- failures := []string{
- // Empty
- "{}",
- // Invalid JSON
- "{XX",
- // Invalid protected header
- "{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"CUJD\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}]}",
- // Invalid protected header
- "{\"payload\":\"CUJD\",\"protected\":\"CUJD\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}",
- // Invalid protected header
- "{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"###\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}]}",
- // Invalid payload
- "{\"payload\":\"###\",\"signatures\":[{\"protected\":\"CUJD\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"CUJD\"}]}",
- // Invalid payload
- "{\"payload\":\"CUJD\",\"signatures\":[{\"protected\":\"e30\",\"header\":{\"kid\":\"XYZ\"},\"signature\":\"###\"}]}",
- }
-
- for i := range failures {
- _, err := ParseSigned(failures[i])
- if err == nil {
- t.Error("Able to parse invalid message", err, failures[i])
- }
- }
-}
-
-func TestRejectUnprotectedJWSNonce(t *testing.T) {
- // No need to test compact, since that's always protected
-
- // Flattened JSON
- input := `{
- "header": { "nonce": "should-cause-an-error" },
- "payload": "does-not-matter",
- "signature": "does-not-matter"
- }`
- _, err := ParseSigned(input)
- if err == nil {
- t.Error("JWS with an unprotected nonce parsed as valid.")
- } else if err != ErrUnprotectedNonce {
- t.Errorf("Improper error for unprotected nonce: %v", err)
- }
-
- // Full JSON
- input = `{
- "payload": "does-not-matter",
- "signatures": [{
- "header": { "nonce": "should-cause-an-error" },
- "signature": "does-not-matter"
- }]
- }`
- _, err = ParseSigned(input)
- if err == nil {
- t.Error("JWS with an unprotected nonce parsed as valid.")
- } else if err != ErrUnprotectedNonce {
- t.Errorf("Improper error for unprotected nonce: %v", err)
- }
-}
-
-func TestVerifyFlattenedWithIncludedUnprotectedKey(t *testing.T) {
- input := `{
- "header": {
- "alg": "RS256",
- "jwk": {
- "e": "AQAB",
- "kty": "RSA",
- "n": "tSwgy3ORGvc7YJI9B2qqkelZRUC6F1S5NwXFvM4w5-M0TsxbFsH5UH6adigV0jzsDJ5imAechcSoOhAh9POceCbPN1sTNwLpNbOLiQQ7RD5mY_pSUHWXNmS9R4NZ3t2fQAzPeW7jOfF0LKuJRGkekx6tXP1uSnNibgpJULNc4208dgBaCHo3mvaE2HV2GmVl1yxwWX5QZZkGQGjNDZYnjFfa2DKVvFs0QbAk21ROm594kAxlRlMMrvqlf24Eq4ERO0ptzpZgm_3j_e4hGRD39gJS7kAzK-j2cacFQ5Qi2Y6wZI2p-FCq_wiYsfEAIkATPBiLKl_6d_Jfcvs_impcXQ"
- }
- },
- "payload": "Zm9vCg",
- "signature": "hRt2eYqBd_MyMRNIh8PEIACoFtmBi7BHTLBaAhpSU6zyDAFdEBaX7us4VB9Vo1afOL03Q8iuoRA0AT4akdV_mQTAQ_jhTcVOAeXPr0tB8b8Q11UPQ0tXJYmU4spAW2SapJIvO50ntUaqU05kZd0qw8-noH1Lja-aNnU-tQII4iYVvlTiRJ5g8_CADsvJqOk6FcHuo2mG643TRnhkAxUtazvHyIHeXMxydMMSrpwUwzMtln4ZJYBNx4QGEq6OhpAD_VSp-w8Lq5HOwGQoNs0bPxH1SGrArt67LFQBfjlVr94E1sn26p4vigXm83nJdNhWAMHHE9iV67xN-r29LT-FjA"
- }`
-
- jws, err := ParseSigned(input)
- if err != nil {
- t.Error("Unable to parse valid message.")
- }
- if len(jws.Signatures) != 1 {
- t.Error("Too many or too few signatures.")
- }
- sig := jws.Signatures[0]
- if sig.Header.JsonWebKey == nil {
- t.Error("No JWK in signature header.")
- }
- payload, err := jws.Verify(sig.Header.JsonWebKey)
- if err != nil {
- t.Error(fmt.Sprintf("Signature did not validate: %v", err))
- }
- if string(payload) != "foo\n" {
- t.Error(fmt.Sprintf("Payload was incorrect: '%s' should have been 'foo\\n'", string(payload)))
- }
-}
-
-func TestVerifyFlattenedWithPrivateProtected(t *testing.T) {
- // The protected field contains a Private Header Parameter name, per
- // https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4
- // Base64-decoded, it's '{"nonce":"8HIepUNFZUa-exKTrXVf4g"}'
- input := `{"header":{"alg":"RS256","jwk":{"kty":"RSA","n":"7ixeydcbxxppzxrBphrW1atUiEZqTpiHDpI-79olav5XxAgWolHmVsJyxzoZXRxmtED8PF9-EICZWBGdSAL9ZTD0hLUCIsPcpdgT_LqNW3Sh2b2caPL2hbMF7vsXvnCGg9varpnHWuYTyRrCLUF9vM7ES-V3VCYTa7LcCSRm56Gg9r19qar43Z9kIKBBxpgt723v2cC4bmLmoAX2s217ou3uCpCXGLOeV_BesG4--Nl3pso1VhCfO85wEWjmW6lbv7Kg4d7Jdkv5DjDZfJ086fkEAYZVYGRpIgAvJBH3d3yKDCrSByUEud1bWuFjQBmMaeYOrVDXO_mbYg5PwUDMhw","e":"AQAB"}},"protected":"eyJub25jZSI6IjhISWVwVU5GWlVhLWV4S1RyWFZmNGcifQ","payload":"eyJjb250YWN0IjpbIm1haWx0bzpmb29AYmFyLmNvbSJdfQ","signature":"AyvVGMgXsQ1zTdXrZxE_gyO63pQgotL1KbI7gv6Wi8I7NRy0iAOkDAkWcTQT9pcCYApJ04lXfEDZfP5i0XgcFUm_6spxi5mFBZU-NemKcvK9dUiAbXvb4hB3GnaZtZiuVnMQUb_ku4DOaFFKbteA6gOYCnED_x7v0kAPHIYrQnvIa-KZ6pTajbV9348zgh9TL7NgGIIsTcMHd-Jatr4z1LQ0ubGa8tS300hoDhVzfoDQaEetYjCo1drR1RmdEN1SIzXdHOHfubjA3ZZRbrF_AJnNKpRRoIwzu1VayOhRmdy1qVSQZq_tENF4VrQFycEL7DhG7JLoXC4T2p1urwMlsw"}`
-
- jws, err := ParseSigned(input)
- if err != nil {
- t.Error("Unable to parse valid message.")
- }
- if len(jws.Signatures) != 1 {
- t.Error("Too many or too few signatures.")
- }
- sig := jws.Signatures[0]
- if sig.Header.JsonWebKey == nil {
- t.Error("No JWK in signature header.")
- }
- payload, err := jws.Verify(sig.Header.JsonWebKey)
- if err != nil {
- t.Error(fmt.Sprintf("Signature did not validate: %v", err))
- }
- expected := "{\"contact\":[\"mailto:foo@bar.com\"]}"
- if string(payload) != expected {
- t.Error(fmt.Sprintf("Payload was incorrect: '%s' should have been '%s'", string(payload), expected))
- }
-}
-
-// Test vectors generated with nimbus-jose-jwt
-func TestSampleNimbusJWSMessagesRSA(t *testing.T) {
- rsaPublicKey, err := LoadPublicKey(fromBase64Bytes(`
- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3aLSGwbeX0ZA2Ha+EvELaIFGzO
- 91+Q15JQc/tdGdCgGW3XAbrh7ZUhDh1XKzbs+UOQxqn3Eq4YOx18IG0WsJSuCaHQIxnDlZ
- t/GP8WLwjMC0izlJLm2SyfM/EEoNpmTC3w6MQ2dHK7SZ9Zoq+sKijQd+V7CYdr8zHMpDrd
- NKoEcR0HjmvzzdMoUChhkGH5TaNbZyollULTggepaYUKS8QphqdSDMWiSetKG+g6V87lv6
- CVYyK1FF6g7Esp5OOj5pNn3/bmF+7V+b7TvK91NCIlURCjE9toRgNoIP4TDnWRn/vvfZ3G
- zNrtWmlizqz3r5KdvIs71ahWgMUSD4wfazrwIDAQAB`))
- if err != nil {
- panic(err)
- }
-
- rsaSampleMessages := []string{
- "eyJhbGciOiJSUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.YHX849fvekz6wJGeyqnQhFqyHFcUXNJKj3o2w3ddR46YLlsCopUJrlifRU_ZuTWzpYxt5oC--T2eoqMhlCvltSWrE5_1_EumqiMfAYsZULx9E6Jns7q3w7mttonYFSIh7aR3-yg2HMMfTCgoAY1y_AZ4VjXwHDcZ5gu1oZDYgvZF4uXtCmwT6e5YtR1m8abiWPF8BgoTG_BD3KV6ClLj_QQiNFdfdxAMDw7vKVOKG1T7BFtz6cDs2Q3ILS4To5E2IjcVSSYS8mi77EitCrWmrqbK_G3WCdKeUFGnMnyuKXaCDy_7FLpAZ6Z5RomRr5iskXeJZdZqIKcJV8zl4fpsPA",
- "eyJhbGciOiJSUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.meyfoOTjAAjXHFYiNlU7EEnsYtbeUYeEglK6BL_cxISEr2YAGLr1Gwnn2HnucTnH6YilyRio7ZC1ohy_ZojzmaljPHqpr8kn1iqNFu9nFE2M16ZPgJi38-PGzppcDNliyzOQO-c7L-eA-v8Gfww5uyRaOJdiWg-hUJmeGBIngPIeLtSVmhJtz8oTeqeNdUOqQv7f7VRCuvagLhW1PcEM91VUS-gS0WEUXoXWZ2lp91No0v1O24izgX3__FKiX_16XhrOfAgJ82F61vjbTIQYwhexHPZyYTlXYt_scNRzFGhSKeGFin4zVdFLOXWJqKWdUd5IrDP5Nya3FSoWbWDXAg",
- "eyJhbGciOiJSUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.rQPz0PDh8KyE2AX6JorgI0MLwv-qi1tcWlz6tuZuWQG1hdrlzq5tR1tQg1evYNc_SDDX87DWTSKXT7JEqhKoFixLfZa13IJrOc7FB8r5ZLx7OwOBC4F--OWrvxMA9Y3MTJjPN3FemQePUo-na2vNUZv-YgkcbuOgbO3hTxwQ7j1JGuqy-YutXOFnccdXvntp3t8zYZ4Mg1It_IyL9pzgGqHIEmMV1pCFGHsDa-wStB4ffmdhrADdYZc0q_SvxUdobyC_XzZCz9ENzGIhgwYxyyrqg7kjqUGoKmCLmoSlUFW7goTk9IC5SXdUyLPuESxOWNfHoRClGav230GYjPFQFA",
- "eyJhbGciOiJQUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.UTtxjsv_6x4CdlAmZfAW6Lun3byMjJbcwRp_OlPH2W4MZaZar7aql052mIB_ddK45O9VUz2aphYVRvKPZY8WHmvlTUU30bk0z_cDJRYB9eIJVMOiRCYj0oNkz1iEZqsP0YgngxwuUDv4Q4A6aJ0Bo5E_rZo3AnrVHMHUjPp_ZRRSBFs30tQma1qQ0ApK4Gxk0XYCYAcxIv99e78vldVRaGzjEZmQeAVZx4tGcqZP20vG1L84nlhSGnOuZ0FhR8UjRFLXuob6M7EqtMRoqPgRYw47EI3fYBdeSivAg98E5S8R7R1NJc7ef-l03RvfUSY0S3_zBq_4PlHK6A-2kHb__w",
- "eyJhbGciOiJSUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.meyfoOTjAAjXHFYiNlU7EEnsYtbeUYeEglK6BL_cxISEr2YAGLr1Gwnn2HnucTnH6YilyRio7ZC1ohy_ZojzmaljPHqpr8kn1iqNFu9nFE2M16ZPgJi38-PGzppcDNliyzOQO-c7L-eA-v8Gfww5uyRaOJdiWg-hUJmeGBIngPIeLtSVmhJtz8oTeqeNdUOqQv7f7VRCuvagLhW1PcEM91VUS-gS0WEUXoXWZ2lp91No0v1O24izgX3__FKiX_16XhrOfAgJ82F61vjbTIQYwhexHPZyYTlXYt_scNRzFGhSKeGFin4zVdFLOXWJqKWdUd5IrDP5Nya3FSoWbWDXAg",
- "eyJhbGciOiJSUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.rQPz0PDh8KyE2AX6JorgI0MLwv-qi1tcWlz6tuZuWQG1hdrlzq5tR1tQg1evYNc_SDDX87DWTSKXT7JEqhKoFixLfZa13IJrOc7FB8r5ZLx7OwOBC4F--OWrvxMA9Y3MTJjPN3FemQePUo-na2vNUZv-YgkcbuOgbO3hTxwQ7j1JGuqy-YutXOFnccdXvntp3t8zYZ4Mg1It_IyL9pzgGqHIEmMV1pCFGHsDa-wStB4ffmdhrADdYZc0q_SvxUdobyC_XzZCz9ENzGIhgwYxyyrqg7kjqUGoKmCLmoSlUFW7goTk9IC5SXdUyLPuESxOWNfHoRClGav230GYjPFQFA",
- }
-
- for _, msg := range rsaSampleMessages {
- obj, err := ParseSigned(msg)
- if err != nil {
- t.Error("unable to parse message", msg, err)
- continue
- }
- payload, err := obj.Verify(rsaPublicKey)
- if err != nil {
- t.Error("unable to verify message", msg, err)
- continue
- }
- if string(payload) != "Lorem ipsum dolor sit amet" {
- t.Error("payload is not what we expected for msg", msg)
- }
- }
-}
-
-// Test vectors generated with nimbus-jose-jwt
-func TestSampleNimbusJWSMessagesEC(t *testing.T) {
- ecPublicKeyP256, err := LoadPublicKey(fromBase64Bytes("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIg62jq6FyL1otEj9Up7S35BUrwGF9TVrAzrrY1rHUKZqYIGEg67u/imjgadVcr7y9Q32I0gB8W8FHqbqt696rA=="))
- if err != nil {
- panic(err)
- }
- ecPublicKeyP384, err := LoadPublicKey(fromBase64Bytes("MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEPXsVlqCtN2oTY+F+hFZm3M0ldYpb7IeeJM5wYmT0k1RaqzBFDhDMNnYK5Q5x+OyssZrAtHgYDFw02AVJhhng/eHRp7mqmL/vI3wbxJtrLKYldIbBA+9fYBQcKeibjlu5"))
- if err != nil {
- panic(err)
- }
- ecPublicKeyP521, err := LoadPublicKey(fromBase64Bytes("MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAa2w3MMJ5FWD6tSf68G+Wy5jIhWXOD3IA7pE5IC/myQzo1lWcD8KS57SM6nm4POtPcxyLmDhL7FLuh8DKoIZyvtAAdK8+tOQP7XXRlT2bkvzIuazp05It3TAPu00YzTIpKfDlc19Y1lvf7etrbFqhShD92B+hHmhT4ddrdbPCBDW8hvU="))
- if err != nil {
- panic(err)
- }
-
- ecPublicKeys := []interface{}{ecPublicKeyP256, ecPublicKeyP384, ecPublicKeyP521}
-
- ecSampleMessages := []string{
- "eyJhbGciOiJFUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.MEWJVlvGRQyzMEGOYm4rwuiwxrX-6LjnlbaRDAuhwmnBm2Gtn7pRpGXRTMFZUXsSGDz2L1p-Hz1qn8j9bFIBtQ",
- "eyJhbGciOiJFUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.nbdjPnJPYQtVNNdBIx8-KbFKplTxrz-hnW5UNhYUY7SBkwHK4NZnqc2Lv4DXoA0aWHq9eiypgOh1kmyPWGEmqKAHUx0xdIEkBoHk3ZsbmhOQuq2jL_wcMUG6nTWNhLrB",
- "eyJhbGciOiJFUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.AeYNFC1rwIgQv-5fwd8iRyYzvTaSCYTEICepgu9gRId-IW99kbSVY7yH0MvrQnqI-a0L8zwKWDR35fW5dukPAYRkADp3Y1lzqdShFcEFziUVGo46vqbiSajmKFrjBktJcCsfjKSaLHwxErF-T10YYPCQFHWb2nXJOOI3CZfACYqgO84g",
- }
-
- for i, msg := range ecSampleMessages {
- obj, err := ParseSigned(msg)
- if err != nil {
- t.Error("unable to parse message", msg, err)
- continue
- }
- payload, err := obj.Verify(ecPublicKeys[i])
- if err != nil {
- t.Error("unable to verify message", msg, err)
- continue
- }
- if string(payload) != "Lorem ipsum dolor sit amet" {
- t.Error("payload is not what we expected for msg", msg)
- }
- }
-}
-
-// Test vectors generated with nimbus-jose-jwt
-func TestSampleNimbusJWSMessagesHMAC(t *testing.T) {
- hmacTestKey := fromHexBytes("DF1FA4F36FFA7FC42C81D4B3C033928D")
-
- hmacSampleMessages := []string{
- "eyJhbGciOiJIUzI1NiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.W5tc_EUhxexcvLYEEOckyyvdb__M5DQIVpg6Nmk1XGM",
- "eyJhbGciOiJIUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.sBu44lXOJa4Nd10oqOdYH2uz3lxlZ6o32QSGHaoGdPtYTDG5zvSja6N48CXKqdAh",
- "eyJhbGciOiJIUzUxMiJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ.M0yR4tmipsORIix-BitIbxEPGaxPchDfj8UNOpKuhDEfnb7URjGvCKn4nOlyQ1z9mG1FKbwnqR1hOVAWSzAU_w",
- }
-
- for _, msg := range hmacSampleMessages {
- obj, err := ParseSigned(msg)
- if err != nil {
- t.Error("unable to parse message", msg, err)
- continue
- }
- payload, err := obj.Verify(hmacTestKey)
- if err != nil {
- t.Error("unable to verify message", msg, err)
- continue
- }
- if string(payload) != "Lorem ipsum dolor sit amet" {
- t.Error("payload is not what we expected for msg", msg)
- }
- }
-}
-
-// Test vectors generated with nimbus-jose-jwt
-func TestErrorMissingPayloadJWS(t *testing.T) {
- _, err := (&rawJsonWebSignature{}).sanitized()
- if err == nil {
- t.Error("was able to parse message with missing payload")
- }
- if !strings.Contains(err.Error(), "missing payload") {
- t.Errorf("unexpected error message, should contain 'missing payload': %s", err)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/shared.go b/vendor/gopkg.in/square/go-jose.v1/shared.go
deleted file mode 100644
index 9d895a91..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/shared.go
+++ /dev/null
@@ -1,224 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/elliptic"
- "errors"
- "fmt"
-)
-
-// KeyAlgorithm represents a key management algorithm.
-type KeyAlgorithm string
-
-// SignatureAlgorithm represents a signature (or MAC) algorithm.
-type SignatureAlgorithm string
-
-// ContentEncryption represents a content encryption algorithm.
-type ContentEncryption string
-
-// CompressionAlgorithm represents an algorithm used for plaintext compression.
-type CompressionAlgorithm string
-
-var (
- // ErrCryptoFailure represents an error in cryptographic primitive. This
- // occurs when, for example, a message had an invalid authentication tag or
- // could not be decrypted.
- ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive")
-
- // ErrUnsupportedAlgorithm indicates that a selected algorithm is not
- // supported. This occurs when trying to instantiate an encrypter for an
- // algorithm that is not yet implemented.
- ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm")
-
- // ErrUnsupportedKeyType indicates that the given key type/format is not
- // supported. This occurs when trying to instantiate an encrypter and passing
- // it a key of an unrecognized type or with unsupported parameters, such as
- // an RSA private key with more than two primes.
- ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format")
-
- // ErrNotSupported serialization of object is not supported. This occurs when
- // trying to compact-serialize an object which can't be represented in
- // compact form.
- ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object")
-
- // ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a
- // nonce header parameter was included in an unprotected header object.
- ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header")
-)
-
-// Key management algorithms
-const (
- RSA1_5 = KeyAlgorithm("RSA1_5") // RSA-PKCS1v1.5
- RSA_OAEP = KeyAlgorithm("RSA-OAEP") // RSA-OAEP-SHA1
- RSA_OAEP_256 = KeyAlgorithm("RSA-OAEP-256") // RSA-OAEP-SHA256
- A128KW = KeyAlgorithm("A128KW") // AES key wrap (128)
- A192KW = KeyAlgorithm("A192KW") // AES key wrap (192)
- A256KW = KeyAlgorithm("A256KW") // AES key wrap (256)
- DIRECT = KeyAlgorithm("dir") // Direct encryption
- ECDH_ES = KeyAlgorithm("ECDH-ES") // ECDH-ES
- ECDH_ES_A128KW = KeyAlgorithm("ECDH-ES+A128KW") // ECDH-ES + AES key wrap (128)
- ECDH_ES_A192KW = KeyAlgorithm("ECDH-ES+A192KW") // ECDH-ES + AES key wrap (192)
- ECDH_ES_A256KW = KeyAlgorithm("ECDH-ES+A256KW") // ECDH-ES + AES key wrap (256)
- A128GCMKW = KeyAlgorithm("A128GCMKW") // AES-GCM key wrap (128)
- A192GCMKW = KeyAlgorithm("A192GCMKW") // AES-GCM key wrap (192)
- A256GCMKW = KeyAlgorithm("A256GCMKW") // AES-GCM key wrap (256)
- PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128)
- PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192)
- PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256)
-)
-
-// Signature algorithms
-const (
- HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
- HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
- HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
- RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
- RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
- RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
- ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
- ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
- ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
- PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
- PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
- PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512
-)
-
-// Content encryption algorithms
-const (
- A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
- A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
- A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
- A128GCM = ContentEncryption("A128GCM") // AES-GCM (128)
- A192GCM = ContentEncryption("A192GCM") // AES-GCM (192)
- A256GCM = ContentEncryption("A256GCM") // AES-GCM (256)
-)
-
-// Compression algorithms
-const (
- NONE = CompressionAlgorithm("") // No compression
- DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951)
-)
-
-// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing).
-type rawHeader struct {
- Alg string `json:"alg,omitempty"`
- Enc ContentEncryption `json:"enc,omitempty"`
- Zip CompressionAlgorithm `json:"zip,omitempty"`
- Crit []string `json:"crit,omitempty"`
- Apu *byteBuffer `json:"apu,omitempty"`
- Apv *byteBuffer `json:"apv,omitempty"`
- Epk *JsonWebKey `json:"epk,omitempty"`
- Iv *byteBuffer `json:"iv,omitempty"`
- Tag *byteBuffer `json:"tag,omitempty"`
- Jwk *JsonWebKey `json:"jwk,omitempty"`
- Kid string `json:"kid,omitempty"`
- Nonce string `json:"nonce,omitempty"`
-}
-
-// JoseHeader represents the read-only JOSE header for JWE/JWS objects.
-type JoseHeader struct {
- KeyID string
- JsonWebKey *JsonWebKey
- Algorithm string
- Nonce string
-}
-
-// sanitized produces a cleaned-up header object from the raw JSON.
-func (parsed rawHeader) sanitized() JoseHeader {
- return JoseHeader{
- KeyID: parsed.Kid,
- JsonWebKey: parsed.Jwk,
- Algorithm: parsed.Alg,
- Nonce: parsed.Nonce,
- }
-}
-
-// Merge headers from src into dst, giving precedence to headers from l.
-func (dst *rawHeader) merge(src *rawHeader) {
- if src == nil {
- return
- }
-
- if dst.Alg == "" {
- dst.Alg = src.Alg
- }
- if dst.Enc == "" {
- dst.Enc = src.Enc
- }
- if dst.Zip == "" {
- dst.Zip = src.Zip
- }
- if dst.Crit == nil {
- dst.Crit = src.Crit
- }
- if dst.Crit == nil {
- dst.Crit = src.Crit
- }
- if dst.Apu == nil {
- dst.Apu = src.Apu
- }
- if dst.Apv == nil {
- dst.Apv = src.Apv
- }
- if dst.Epk == nil {
- dst.Epk = src.Epk
- }
- if dst.Iv == nil {
- dst.Iv = src.Iv
- }
- if dst.Tag == nil {
- dst.Tag = src.Tag
- }
- if dst.Kid == "" {
- dst.Kid = src.Kid
- }
- if dst.Jwk == nil {
- dst.Jwk = src.Jwk
- }
- if dst.Nonce == "" {
- dst.Nonce = src.Nonce
- }
-}
-
-// Get JOSE name of curve
-func curveName(crv elliptic.Curve) (string, error) {
- switch crv {
- case elliptic.P256():
- return "P-256", nil
- case elliptic.P384():
- return "P-384", nil
- case elliptic.P521():
- return "P-521", nil
- default:
- return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve")
- }
-}
-
-// Get size of curve in bytes
-func curveSize(crv elliptic.Curve) int {
- bits := crv.Params().BitSize
-
- div := bits / 8
- mod := bits % 8
-
- if mod == 0 {
- return div
- }
-
- return div + 1
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/signing.go b/vendor/gopkg.in/square/go-jose.v1/signing.go
deleted file mode 100644
index c6ed2c92..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/signing.go
+++ /dev/null
@@ -1,218 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/ecdsa"
- "crypto/rsa"
- "fmt"
-)
-
-// NonceSource represents a source of random nonces to go into JWS objects
-type NonceSource interface {
- Nonce() (string, error)
-}
-
-// Signer represents a signer which takes a payload and produces a signed JWS object.
-type Signer interface {
- Sign(payload []byte) (*JsonWebSignature, error)
- SetNonceSource(source NonceSource)
- SetEmbedJwk(embed bool)
-}
-
-// MultiSigner represents a signer which supports multiple recipients.
-type MultiSigner interface {
- Sign(payload []byte) (*JsonWebSignature, error)
- SetNonceSource(source NonceSource)
- SetEmbedJwk(embed bool)
- AddRecipient(alg SignatureAlgorithm, signingKey interface{}) error
-}
-
-type payloadSigner interface {
- signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error)
-}
-
-type payloadVerifier interface {
- verifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
-}
-
-type genericSigner struct {
- recipients []recipientSigInfo
- nonceSource NonceSource
- embedJwk bool
-}
-
-type recipientSigInfo struct {
- sigAlg SignatureAlgorithm
- keyID string
- publicKey *JsonWebKey
- signer payloadSigner
-}
-
-// NewSigner creates an appropriate signer based on the key type
-func NewSigner(alg SignatureAlgorithm, signingKey interface{}) (Signer, error) {
- // NewMultiSigner never fails (currently)
- signer := NewMultiSigner()
-
- err := signer.AddRecipient(alg, signingKey)
- if err != nil {
- return nil, err
- }
-
- return signer, nil
-}
-
-// NewMultiSigner creates a signer for multiple recipients
-func NewMultiSigner() MultiSigner {
- return &genericSigner{
- recipients: []recipientSigInfo{},
- embedJwk: true,
- }
-}
-
-// newVerifier creates a verifier based on the key type
-func newVerifier(verificationKey interface{}) (payloadVerifier, error) {
- switch verificationKey := verificationKey.(type) {
- case *rsa.PublicKey:
- return &rsaEncrypterVerifier{
- publicKey: verificationKey,
- }, nil
- case *ecdsa.PublicKey:
- return &ecEncrypterVerifier{
- publicKey: verificationKey,
- }, nil
- case []byte:
- return &symmetricMac{
- key: verificationKey,
- }, nil
- case *JsonWebKey:
- return newVerifier(verificationKey.Key)
- default:
- return nil, ErrUnsupportedKeyType
- }
-}
-
-func (ctx *genericSigner) AddRecipient(alg SignatureAlgorithm, signingKey interface{}) error {
- recipient, err := makeJWSRecipient(alg, signingKey)
- if err != nil {
- return err
- }
-
- ctx.recipients = append(ctx.recipients, recipient)
- return nil
-}
-
-func makeJWSRecipient(alg SignatureAlgorithm, signingKey interface{}) (recipientSigInfo, error) {
- switch signingKey := signingKey.(type) {
- case *rsa.PrivateKey:
- return newRSASigner(alg, signingKey)
- case *ecdsa.PrivateKey:
- return newECDSASigner(alg, signingKey)
- case []byte:
- return newSymmetricSigner(alg, signingKey)
- case *JsonWebKey:
- recipient, err := makeJWSRecipient(alg, signingKey.Key)
- if err != nil {
- return recipientSigInfo{}, err
- }
- recipient.keyID = signingKey.KeyID
- return recipient, nil
- default:
- return recipientSigInfo{}, ErrUnsupportedKeyType
- }
-}
-
-func (ctx *genericSigner) Sign(payload []byte) (*JsonWebSignature, error) {
- obj := &JsonWebSignature{}
- obj.payload = payload
- obj.Signatures = make([]Signature, len(ctx.recipients))
-
- for i, recipient := range ctx.recipients {
- protected := &rawHeader{
- Alg: string(recipient.sigAlg),
- }
-
- if recipient.publicKey != nil && ctx.embedJwk {
- protected.Jwk = recipient.publicKey
- }
- if recipient.keyID != "" {
- protected.Kid = recipient.keyID
- }
-
- if ctx.nonceSource != nil {
- nonce, err := ctx.nonceSource.Nonce()
- if err != nil {
- return nil, fmt.Errorf("square/go-jose: Error generating nonce: %v", err)
- }
- protected.Nonce = nonce
- }
-
- serializedProtected := mustSerializeJSON(protected)
-
- input := []byte(fmt.Sprintf("%s.%s",
- base64URLEncode(serializedProtected),
- base64URLEncode(payload)))
-
- signatureInfo, err := recipient.signer.signPayload(input, recipient.sigAlg)
- if err != nil {
- return nil, err
- }
-
- signatureInfo.protected = protected
- obj.Signatures[i] = signatureInfo
- }
-
- return obj, nil
-}
-
-// SetNonceSource provides or updates a nonce pool to the first recipients.
-// After this method is called, the signer will consume one nonce per
-// signature, returning an error it is unable to get a nonce.
-func (ctx *genericSigner) SetNonceSource(source NonceSource) {
- ctx.nonceSource = source
-}
-
-// SetEmbedJwk specifies if the signing key should be embedded in the protected header,
-// if any. It defaults to 'true'.
-func (ctx *genericSigner) SetEmbedJwk(embed bool) {
- ctx.embedJwk = embed
-}
-
-// Verify validates the signature on the object and returns the payload.
-func (obj JsonWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
- verifier, err := newVerifier(verificationKey)
- if err != nil {
- return nil, err
- }
-
- for _, signature := range obj.Signatures {
- headers := signature.mergedHeaders()
- if len(headers.Crit) > 0 {
- // Unsupported crit header
- continue
- }
-
- input := obj.computeAuthData(&signature)
- alg := SignatureAlgorithm(headers.Alg)
- err := verifier.verifyPayload(input, signature.Signature, alg)
- if err == nil {
- return obj.payload, nil
- }
- }
-
- return nil, ErrCryptoFailure
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/signing_test.go b/vendor/gopkg.in/square/go-jose.v1/signing_test.go
deleted file mode 100644
index 981770d5..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/signing_test.go
+++ /dev/null
@@ -1,447 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "fmt"
- "io"
- "testing"
-)
-
-type staticNonceSource string
-
-func (sns staticNonceSource) Nonce() (string, error) {
- return string(sns), nil
-}
-
-func RoundtripJWS(sigAlg SignatureAlgorithm, serializer func(*JsonWebSignature) (string, error), corrupter func(*JsonWebSignature), signingKey interface{}, verificationKey interface{}, nonce string) error {
- signer, err := NewSigner(sigAlg, signingKey)
- if err != nil {
- return fmt.Errorf("error on new signer: %s", err)
- }
-
- if nonce != "" {
- signer.SetNonceSource(staticNonceSource(nonce))
- }
-
- input := []byte("Lorem ipsum dolor sit amet")
- obj, err := signer.Sign(input)
- if err != nil {
- return fmt.Errorf("error on sign: %s", err)
- }
-
- msg, err := serializer(obj)
- if err != nil {
- return fmt.Errorf("error on serialize: %s", err)
- }
-
- obj, err = ParseSigned(msg)
- if err != nil {
- return fmt.Errorf("error on parse: %s", err)
- }
-
- // (Maybe) mangle the object
- corrupter(obj)
-
- output, err := obj.Verify(verificationKey)
- if err != nil {
- return fmt.Errorf("error on verify: %s", err)
- }
-
- // Check that verify works with embedded keys (if present)
- for i, sig := range obj.Signatures {
- if sig.Header.JsonWebKey != nil {
- _, err = obj.Verify(sig.Header.JsonWebKey)
- if err != nil {
- return fmt.Errorf("error on verify with embedded key %d: %s", i, err)
- }
- }
-
- // Check that the nonce correctly round-tripped (if present)
- if sig.Header.Nonce != nonce {
- return fmt.Errorf("Incorrect nonce returned: [%s]", sig.Header.Nonce)
- }
- }
-
- if bytes.Compare(output, input) != 0 {
- return fmt.Errorf("input/output do not match, got '%s', expected '%s'", output, input)
- }
-
- return nil
-}
-
-func TestRoundtripsJWS(t *testing.T) {
- // Test matrix
- sigAlgs := []SignatureAlgorithm{RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512}
-
- serializers := []func(*JsonWebSignature) (string, error){
- func(obj *JsonWebSignature) (string, error) { return obj.CompactSerialize() },
- func(obj *JsonWebSignature) (string, error) { return obj.FullSerialize(), nil },
- }
-
- corrupter := func(obj *JsonWebSignature) {}
-
- for _, alg := range sigAlgs {
- signingKey, verificationKey := GenerateSigningTestKey(alg)
-
- for i, serializer := range serializers {
- err := RoundtripJWS(alg, serializer, corrupter, signingKey, verificationKey, "test_nonce")
- if err != nil {
- t.Error(err, alg, i)
- }
- }
- }
-}
-
-func TestRoundtripsJWSCorruptSignature(t *testing.T) {
- // Test matrix
- sigAlgs := []SignatureAlgorithm{RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512}
-
- serializers := []func(*JsonWebSignature) (string, error){
- func(obj *JsonWebSignature) (string, error) { return obj.CompactSerialize() },
- func(obj *JsonWebSignature) (string, error) { return obj.FullSerialize(), nil },
- }
-
- corrupters := []func(*JsonWebSignature){
- func(obj *JsonWebSignature) {
- // Changes bytes in signature
- obj.Signatures[0].Signature[10]++
- },
- func(obj *JsonWebSignature) {
- // Set totally invalid signature
- obj.Signatures[0].Signature = []byte("###")
- },
- }
-
- // Test all different configurations
- for _, alg := range sigAlgs {
- signingKey, verificationKey := GenerateSigningTestKey(alg)
-
- for i, serializer := range serializers {
- for j, corrupter := range corrupters {
- err := RoundtripJWS(alg, serializer, corrupter, signingKey, verificationKey, "test_nonce")
- if err == nil {
- t.Error("failed to detect corrupt signature", err, alg, i, j)
- }
- }
- }
- }
-}
-
-func TestSignerWithBrokenRand(t *testing.T) {
- sigAlgs := []SignatureAlgorithm{RS256, RS384, RS512, PS256, PS384, PS512}
-
- serializer := func(obj *JsonWebSignature) (string, error) { return obj.CompactSerialize() }
- corrupter := func(obj *JsonWebSignature) {}
-
- // Break rand reader
- readers := []func() io.Reader{
- // Totally broken
- func() io.Reader { return bytes.NewReader([]byte{}) },
- // Not enough bytes
- func() io.Reader { return io.LimitReader(rand.Reader, 20) },
- }
-
- defer resetRandReader()
-
- for _, alg := range sigAlgs {
- signingKey, verificationKey := GenerateSigningTestKey(alg)
- for i, getReader := range readers {
- randReader = getReader()
- err := RoundtripJWS(alg, serializer, corrupter, signingKey, verificationKey, "test_nonce")
- if err == nil {
- t.Error("signer should fail if rand is broken", alg, i)
- }
- }
- }
-}
-
-func TestJWSInvalidKey(t *testing.T) {
- signingKey0, verificationKey0 := GenerateSigningTestKey(RS256)
- _, verificationKey1 := GenerateSigningTestKey(ES256)
-
- signer, err := NewSigner(RS256, signingKey0)
- if err != nil {
- panic(err)
- }
-
- input := []byte("Lorem ipsum dolor sit amet")
- obj, err := signer.Sign(input)
- if err != nil {
- panic(err)
- }
-
- // Must work with correct key
- _, err = obj.Verify(verificationKey0)
- if err != nil {
- t.Error("error on verify", err)
- }
-
- // Must not work with incorrect key
- _, err = obj.Verify(verificationKey1)
- if err == nil {
- t.Error("verification should fail with incorrect key")
- }
-
- // Must not work with invalid key
- _, err = obj.Verify("")
- if err == nil {
- t.Error("verification should fail with incorrect key")
- }
-}
-
-func TestMultiRecipientJWS(t *testing.T) {
- signer := NewMultiSigner()
-
- sharedKey := []byte{
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
- }
-
- signer.AddRecipient(RS256, rsaTestKey)
- signer.AddRecipient(HS384, sharedKey)
-
- input := []byte("Lorem ipsum dolor sit amet")
- obj, err := signer.Sign(input)
- if err != nil {
- t.Error("error on sign: ", err)
- return
- }
-
- _, err = obj.CompactSerialize()
- if err == nil {
- t.Error("message with multiple recipient was compact serialized")
- }
-
- msg := obj.FullSerialize()
-
- obj, err = ParseSigned(msg)
- if err != nil {
- t.Error("error on parse: ", err)
- return
- }
-
- output, err := obj.Verify(&rsaTestKey.PublicKey)
- if err != nil {
- t.Error("error on verify: ", err)
- return
- }
-
- if bytes.Compare(output, input) != 0 {
- t.Error("input/output do not match", output, input)
- return
- }
-
- output, err = obj.Verify(sharedKey)
- if err != nil {
- t.Error("error on verify: ", err)
- return
- }
-
- if bytes.Compare(output, input) != 0 {
- t.Error("input/output do not match", output, input)
- return
- }
-}
-
-func GenerateSigningTestKey(sigAlg SignatureAlgorithm) (sig, ver interface{}) {
- switch sigAlg {
- case RS256, RS384, RS512, PS256, PS384, PS512:
- sig = rsaTestKey
- ver = &rsaTestKey.PublicKey
- case HS256, HS384, HS512:
- sig, _, _ = randomKeyGenerator{size: 16}.genKey()
- ver = sig
- case ES256:
- key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- sig = key
- ver = &key.PublicKey
- case ES384:
- key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
- sig = key
- ver = &key.PublicKey
- case ES512:
- key, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
- sig = key
- ver = &key.PublicKey
- default:
- panic("Must update test case")
- }
-
- return
-}
-
-func TestInvalidSignerAlg(t *testing.T) {
- _, err := NewSigner("XYZ", nil)
- if err == nil {
- t.Error("should not accept invalid algorithm")
- }
-
- _, err = NewSigner("XYZ", []byte{})
- if err == nil {
- t.Error("should not accept invalid algorithm")
- }
-}
-
-func TestInvalidJWS(t *testing.T) {
- signer, err := NewSigner(PS256, rsaTestKey)
- if err != nil {
- panic(err)
- }
-
- obj, err := signer.Sign([]byte("Lorem ipsum dolor sit amet"))
- obj.Signatures[0].header = &rawHeader{
- Crit: []string{"TEST"},
- }
-
- _, err = obj.Verify(&rsaTestKey.PublicKey)
- if err == nil {
- t.Error("should not verify message with unknown crit header")
- }
-
- // Try without alg header
- obj.Signatures[0].protected = &rawHeader{}
- obj.Signatures[0].header = &rawHeader{}
-
- _, err = obj.Verify(&rsaTestKey.PublicKey)
- if err == nil {
- t.Error("should not verify message with missing headers")
- }
-}
-
-func TestSignerKid(t *testing.T) {
- kid := "DEADBEEF"
- payload := []byte("Lorem ipsum dolor sit amet")
-
- key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Error("problem generating test signing key", err)
- }
-
- basejwk := JsonWebKey{Key: key}
- jsonbar, err := basejwk.MarshalJSON()
- if err != nil {
- t.Error("problem marshalling base JWK", err)
- }
-
- var jsonmsi map[string]interface{}
- err = UnmarshalJSON(jsonbar, &jsonmsi)
- if err != nil {
- t.Error("problem unmarshalling base JWK", err)
- }
- jsonmsi["kid"] = kid
- jsonbar2, err := MarshalJSON(jsonmsi)
- if err != nil {
- t.Error("problem marshalling kided JWK", err)
- }
-
- var jwk JsonWebKey
- err = jwk.UnmarshalJSON(jsonbar2)
- if err != nil {
- t.Error("problem unmarshalling kided JWK", err)
- }
-
- signer, err := NewSigner(ES256, &jwk)
- if err != nil {
- t.Error("problem creating signer", err)
- }
- signed, err := signer.Sign(payload)
-
- serialized := signed.FullSerialize()
-
- parsed, err := ParseSigned(serialized)
- if err != nil {
- t.Error("problem parsing signed object", err)
- }
-
- if parsed.Signatures[0].Header.KeyID != kid {
- t.Error("KeyID did not survive trip")
- }
-}
-
-func TestEmbedJwk(t *testing.T) {
- var payload = []byte("Lorem ipsum dolor sit amet")
- key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Error("Failed to generate key")
- }
-
- signer, err := NewSigner(ES256, key)
- if err != nil {
- t.Error("Failed to create signer")
- }
-
- object, err := signer.Sign(payload)
- if err != nil {
- t.Error("Failed to sign payload")
- }
-
- object, err = ParseSigned(object.FullSerialize())
- if err != nil {
- t.Error("Failed to parse jws")
- }
-
- if object.Signatures[0].protected.Jwk == nil {
- t.Error("JWK isn't set in protected header")
- }
-
- // Now sign it again, but don't embed JWK.
- signer.SetEmbedJwk(false)
-
- object, err = signer.Sign(payload)
- if err != nil {
- t.Error("Failed to sign payload")
- }
-
- object, err = ParseSigned(object.FullSerialize())
- if err != nil {
- t.Error("Failed to parse jws")
- }
-
- if object.Signatures[0].protected.Jwk != nil {
- t.Error("JWK is set in protected header")
- }
-}
-
-func TestSignerWithJWKAndKeyID(t *testing.T) {
- enc, err := NewSigner(HS256, &JsonWebKey{
- KeyID: "test-id",
- Key: []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
- })
- if err != nil {
- t.Error(err)
- }
-
- signed, _ := enc.Sign([]byte("Lorem ipsum dolor sit amet"))
-
- serialized1, _ := signed.CompactSerialize()
- serialized2 := signed.FullSerialize()
-
- parsed1, _ := ParseSigned(serialized1)
- parsed2, _ := ParseSigned(serialized2)
-
- if parsed1.Signatures[0].Header.KeyID != "test-id" {
- t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed1.Signatures[0].Header.KeyID)
- }
- if parsed2.Signatures[0].Header.KeyID != "test-id" {
- t.Errorf("expected message to have key id from JWK, but found '%s' instead", parsed2.Signatures[0].Header.KeyID)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/symmetric.go b/vendor/gopkg.in/square/go-jose.v1/symmetric.go
deleted file mode 100644
index 51f8cb39..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/symmetric.go
+++ /dev/null
@@ -1,349 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/aes"
- "crypto/cipher"
- "crypto/hmac"
- "crypto/rand"
- "crypto/sha256"
- "crypto/sha512"
- "crypto/subtle"
- "errors"
- "hash"
- "io"
-
- "gopkg.in/square/go-jose.v1/cipher"
-)
-
-// Random reader (stubbed out in tests)
-var randReader = rand.Reader
-
-// Dummy key cipher for shared symmetric key mode
-type symmetricKeyCipher struct {
- key []byte // Pre-shared content-encryption key
-}
-
-// Signer/verifier for MAC modes
-type symmetricMac struct {
- key []byte
-}
-
-// Input/output from an AEAD operation
-type aeadParts struct {
- iv, ciphertext, tag []byte
-}
-
-// A content cipher based on an AEAD construction
-type aeadContentCipher struct {
- keyBytes int
- authtagBytes int
- getAead func(key []byte) (cipher.AEAD, error)
-}
-
-// Random key generator
-type randomKeyGenerator struct {
- size int
-}
-
-// Static key generator
-type staticKeyGenerator struct {
- key []byte
-}
-
-// Create a new content cipher based on AES-GCM
-func newAESGCM(keySize int) contentCipher {
- return &aeadContentCipher{
- keyBytes: keySize,
- authtagBytes: 16,
- getAead: func(key []byte) (cipher.AEAD, error) {
- aes, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
-
- return cipher.NewGCM(aes)
- },
- }
-}
-
-// Create a new content cipher based on AES-CBC+HMAC
-func newAESCBC(keySize int) contentCipher {
- return &aeadContentCipher{
- keyBytes: keySize * 2,
- authtagBytes: 16,
- getAead: func(key []byte) (cipher.AEAD, error) {
- return josecipher.NewCBCHMAC(key, aes.NewCipher)
- },
- }
-}
-
-// Get an AEAD cipher object for the given content encryption algorithm
-func getContentCipher(alg ContentEncryption) contentCipher {
- switch alg {
- case A128GCM:
- return newAESGCM(16)
- case A192GCM:
- return newAESGCM(24)
- case A256GCM:
- return newAESGCM(32)
- case A128CBC_HS256:
- return newAESCBC(16)
- case A192CBC_HS384:
- return newAESCBC(24)
- case A256CBC_HS512:
- return newAESCBC(32)
- default:
- return nil
- }
-}
-
-// newSymmetricRecipient creates a JWE encrypter based on AES-GCM key wrap.
-func newSymmetricRecipient(keyAlg KeyAlgorithm, key []byte) (recipientKeyInfo, error) {
- switch keyAlg {
- case DIRECT, A128GCMKW, A192GCMKW, A256GCMKW, A128KW, A192KW, A256KW:
- default:
- return recipientKeyInfo{}, ErrUnsupportedAlgorithm
- }
-
- return recipientKeyInfo{
- keyAlg: keyAlg,
- keyEncrypter: &symmetricKeyCipher{
- key: key,
- },
- }, nil
-}
-
-// newSymmetricSigner creates a recipientSigInfo based on the given key.
-func newSymmetricSigner(sigAlg SignatureAlgorithm, key []byte) (recipientSigInfo, error) {
- // Verify that key management algorithm is supported by this encrypter
- switch sigAlg {
- case HS256, HS384, HS512:
- default:
- return recipientSigInfo{}, ErrUnsupportedAlgorithm
- }
-
- return recipientSigInfo{
- sigAlg: sigAlg,
- signer: &symmetricMac{
- key: key,
- },
- }, nil
-}
-
-// Generate a random key for the given content cipher
-func (ctx randomKeyGenerator) genKey() ([]byte, rawHeader, error) {
- key := make([]byte, ctx.size)
- _, err := io.ReadFull(randReader, key)
- if err != nil {
- return nil, rawHeader{}, err
- }
-
- return key, rawHeader{}, nil
-}
-
-// Key size for random generator
-func (ctx randomKeyGenerator) keySize() int {
- return ctx.size
-}
-
-// Generate a static key (for direct mode)
-func (ctx staticKeyGenerator) genKey() ([]byte, rawHeader, error) {
- cek := make([]byte, len(ctx.key))
- copy(cek, ctx.key)
- return cek, rawHeader{}, nil
-}
-
-// Key size for static generator
-func (ctx staticKeyGenerator) keySize() int {
- return len(ctx.key)
-}
-
-// Get key size for this cipher
-func (ctx aeadContentCipher) keySize() int {
- return ctx.keyBytes
-}
-
-// Encrypt some data
-func (ctx aeadContentCipher) encrypt(key, aad, pt []byte) (*aeadParts, error) {
- // Get a new AEAD instance
- aead, err := ctx.getAead(key)
- if err != nil {
- return nil, err
- }
-
- // Initialize a new nonce
- iv := make([]byte, aead.NonceSize())
- _, err = io.ReadFull(randReader, iv)
- if err != nil {
- return nil, err
- }
-
- ciphertextAndTag := aead.Seal(nil, iv, pt, aad)
- offset := len(ciphertextAndTag) - ctx.authtagBytes
-
- return &aeadParts{
- iv: iv,
- ciphertext: ciphertextAndTag[:offset],
- tag: ciphertextAndTag[offset:],
- }, nil
-}
-
-// Decrypt some data
-func (ctx aeadContentCipher) decrypt(key, aad []byte, parts *aeadParts) ([]byte, error) {
- aead, err := ctx.getAead(key)
- if err != nil {
- return nil, err
- }
-
- return aead.Open(nil, parts.iv, append(parts.ciphertext, parts.tag...), aad)
-}
-
-// Encrypt the content encryption key.
-func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipientInfo, error) {
- switch alg {
- case DIRECT:
- return recipientInfo{
- header: &rawHeader{},
- }, nil
- case A128GCMKW, A192GCMKW, A256GCMKW:
- aead := newAESGCM(len(ctx.key))
-
- parts, err := aead.encrypt(ctx.key, []byte{}, cek)
- if err != nil {
- return recipientInfo{}, err
- }
-
- return recipientInfo{
- header: &rawHeader{
- Iv: newBuffer(parts.iv),
- Tag: newBuffer(parts.tag),
- },
- encryptedKey: parts.ciphertext,
- }, nil
- case A128KW, A192KW, A256KW:
- block, err := aes.NewCipher(ctx.key)
- if err != nil {
- return recipientInfo{}, err
- }
-
- jek, err := josecipher.KeyWrap(block, cek)
- if err != nil {
- return recipientInfo{}, err
- }
-
- return recipientInfo{
- encryptedKey: jek,
- header: &rawHeader{},
- }, nil
- }
-
- return recipientInfo{}, ErrUnsupportedAlgorithm
-}
-
-// Decrypt the content encryption key.
-func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
- switch KeyAlgorithm(headers.Alg) {
- case DIRECT:
- cek := make([]byte, len(ctx.key))
- copy(cek, ctx.key)
- return cek, nil
- case A128GCMKW, A192GCMKW, A256GCMKW:
- aead := newAESGCM(len(ctx.key))
-
- parts := &aeadParts{
- iv: headers.Iv.bytes(),
- ciphertext: recipient.encryptedKey,
- tag: headers.Tag.bytes(),
- }
-
- cek, err := aead.decrypt(ctx.key, []byte{}, parts)
- if err != nil {
- return nil, err
- }
-
- return cek, nil
- case A128KW, A192KW, A256KW:
- block, err := aes.NewCipher(ctx.key)
- if err != nil {
- return nil, err
- }
-
- cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
- if err != nil {
- return nil, err
- }
- return cek, nil
- }
-
- return nil, ErrUnsupportedAlgorithm
-}
-
-// Sign the given payload
-func (ctx symmetricMac) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
- mac, err := ctx.hmac(payload, alg)
- if err != nil {
- return Signature{}, errors.New("square/go-jose: failed to compute hmac")
- }
-
- return Signature{
- Signature: mac,
- protected: &rawHeader{},
- }, nil
-}
-
-// Verify the given payload
-func (ctx symmetricMac) verifyPayload(payload []byte, mac []byte, alg SignatureAlgorithm) error {
- expected, err := ctx.hmac(payload, alg)
- if err != nil {
- return errors.New("square/go-jose: failed to compute hmac")
- }
-
- if len(mac) != len(expected) {
- return errors.New("square/go-jose: invalid hmac")
- }
-
- match := subtle.ConstantTimeCompare(mac, expected)
- if match != 1 {
- return errors.New("square/go-jose: invalid hmac")
- }
-
- return nil
-}
-
-// Compute the HMAC based on the given alg value
-func (ctx symmetricMac) hmac(payload []byte, alg SignatureAlgorithm) ([]byte, error) {
- var hash func() hash.Hash
-
- switch alg {
- case HS256:
- hash = sha256.New
- case HS384:
- hash = sha512.New384
- case HS512:
- hash = sha512.New
- default:
- return nil, ErrUnsupportedAlgorithm
- }
-
- hmac := hmac.New(hash, ctx.key)
-
- // According to documentation, Write() on hash never fails
- _, _ = hmac.Write(payload)
- return hmac.Sum(nil), nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/symmetric_test.go b/vendor/gopkg.in/square/go-jose.v1/symmetric_test.go
deleted file mode 100644
index 67f535e3..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/symmetric_test.go
+++ /dev/null
@@ -1,131 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "bytes"
- "crypto/cipher"
- "crypto/rand"
- "io"
- "testing"
-)
-
-func TestInvalidSymmetricAlgorithms(t *testing.T) {
- _, err := newSymmetricRecipient("XYZ", []byte{})
- if err != ErrUnsupportedAlgorithm {
- t.Error("should not accept invalid algorithm")
- }
-
- enc := &symmetricKeyCipher{}
- _, err = enc.encryptKey([]byte{}, "XYZ")
- if err != ErrUnsupportedAlgorithm {
- t.Error("should not accept invalid algorithm")
- }
-}
-
-func TestAeadErrors(t *testing.T) {
- aead := &aeadContentCipher{
- keyBytes: 16,
- authtagBytes: 16,
- getAead: func(key []byte) (cipher.AEAD, error) {
- return nil, ErrCryptoFailure
- },
- }
-
- parts, err := aead.encrypt([]byte{}, []byte{}, []byte{})
- if err != ErrCryptoFailure {
- t.Error("should handle aead failure")
- }
-
- _, err = aead.decrypt([]byte{}, []byte{}, parts)
- if err != ErrCryptoFailure {
- t.Error("should handle aead failure")
- }
-}
-
-func TestInvalidKey(t *testing.T) {
- gcm := newAESGCM(16).(*aeadContentCipher)
- _, err := gcm.getAead([]byte{})
- if err == nil {
- t.Error("should not accept invalid key")
- }
-}
-
-func TestStaticKeyGen(t *testing.T) {
- key := make([]byte, 32)
- io.ReadFull(rand.Reader, key)
-
- gen := &staticKeyGenerator{key: key}
- if gen.keySize() != len(key) {
- t.Error("static key generator reports incorrect size")
- }
-
- generated, _, err := gen.genKey()
- if err != nil {
- t.Error("static key generator should always succeed", err)
- }
- if !bytes.Equal(generated, key) {
- t.Error("static key generator returns different data")
- }
-}
-
-func TestVectorsAESGCM(t *testing.T) {
- // Source: http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-29#appendix-A.1
- plaintext := []byte{
- 84, 104, 101, 32, 116, 114, 117, 101, 32, 115, 105, 103, 110, 32,
- 111, 102, 32, 105, 110, 116, 101, 108, 108, 105, 103, 101, 110, 99,
- 101, 32, 105, 115, 32, 110, 111, 116, 32, 107, 110, 111, 119, 108,
- 101, 100, 103, 101, 32, 98, 117, 116, 32, 105, 109, 97, 103, 105,
- 110, 97, 116, 105, 111, 110, 46}
-
- aad := []byte{
- 101, 121, 74, 104, 98, 71, 99, 105, 79, 105, 74, 83, 85, 48, 69,
- 116, 84, 48, 70, 70, 85, 67, 73, 115, 73, 109, 86, 117, 89, 121, 73,
- 54, 73, 107, 69, 121, 78, 84, 90, 72, 81, 48, 48, 105, 102, 81}
-
- expectedCiphertext := []byte{
- 229, 236, 166, 241, 53, 191, 115, 196, 174, 43, 73, 109, 39, 122,
- 233, 96, 140, 206, 120, 52, 51, 237, 48, 11, 190, 219, 186, 80, 111,
- 104, 50, 142, 47, 167, 59, 61, 181, 127, 196, 21, 40, 82, 242, 32,
- 123, 143, 168, 226, 73, 216, 176, 144, 138, 247, 106, 60, 16, 205,
- 160, 109, 64, 63, 192}
-
- expectedAuthtag := []byte{
- 92, 80, 104, 49, 133, 25, 161, 215, 173, 101, 219, 211, 136, 91, 210, 145}
-
- // Mock random reader
- randReader = bytes.NewReader([]byte{
- 177, 161, 244, 128, 84, 143, 225, 115, 63, 180, 3, 255, 107, 154,
- 212, 246, 138, 7, 110, 91, 112, 46, 34, 105, 47, 130, 203, 46, 122,
- 234, 64, 252, 227, 197, 117, 252, 2, 219, 233, 68, 180, 225, 77, 219})
- defer resetRandReader()
-
- enc := newAESGCM(32)
- key, _, _ := randomKeyGenerator{size: 32}.genKey()
- out, err := enc.encrypt(key, aad, plaintext)
- if err != nil {
- t.Error("Unable to encrypt:", err)
- return
- }
-
- if bytes.Compare(out.ciphertext, expectedCiphertext) != 0 {
- t.Error("Ciphertext did not match")
- }
- if bytes.Compare(out.tag, expectedAuthtag) != 0 {
- t.Error("Auth tag did not match")
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/utils.go b/vendor/gopkg.in/square/go-jose.v1/utils.go
deleted file mode 100644
index 4ca2bc06..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/utils.go
+++ /dev/null
@@ -1,74 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/x509"
- "encoding/pem"
- "fmt"
-)
-
-// LoadPublicKey loads a public key from PEM/DER-encoded data.
-func LoadPublicKey(data []byte) (interface{}, error) {
- input := data
-
- block, _ := pem.Decode(data)
- if block != nil {
- input = block.Bytes
- }
-
- // Try to load SubjectPublicKeyInfo
- pub, err0 := x509.ParsePKIXPublicKey(input)
- if err0 == nil {
- return pub, nil
- }
-
- cert, err1 := x509.ParseCertificate(input)
- if err1 == nil {
- return cert.PublicKey, nil
- }
-
- return nil, fmt.Errorf("square/go-jose: parse error, got '%s' and '%s'", err0, err1)
-}
-
-// LoadPrivateKey loads a private key from PEM/DER-encoded data.
-func LoadPrivateKey(data []byte) (interface{}, error) {
- input := data
-
- block, _ := pem.Decode(data)
- if block != nil {
- input = block.Bytes
- }
-
- var priv interface{}
- priv, err0 := x509.ParsePKCS1PrivateKey(input)
- if err0 == nil {
- return priv, nil
- }
-
- priv, err1 := x509.ParsePKCS8PrivateKey(input)
- if err1 == nil {
- return priv, nil
- }
-
- priv, err2 := x509.ParseECPrivateKey(input)
- if err2 == nil {
- return priv, nil
- }
-
- return nil, fmt.Errorf("square/go-jose: parse error, got '%s', '%s' and '%s'", err0, err1, err2)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v1/utils_test.go b/vendor/gopkg.in/square/go-jose.v1/utils_test.go
deleted file mode 100644
index 6ad622da..00000000
--- a/vendor/gopkg.in/square/go-jose.v1/utils_test.go
+++ /dev/null
@@ -1,225 +0,0 @@
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "crypto/ecdsa"
- "crypto/rand"
- "crypto/rsa"
- "encoding/base64"
- "encoding/hex"
- "math/big"
- "regexp"
- "testing"
-)
-
-// Reset random reader to original value
-func resetRandReader() {
- randReader = rand.Reader
-}
-
-// Build big int from hex-encoded string. Strips whitespace (for testing).
-func fromHexInt(base16 string) *big.Int {
- re := regexp.MustCompile(`\s+`)
- val, ok := new(big.Int).SetString(re.ReplaceAllString(base16, ""), 16)
- if !ok {
- panic("Invalid test data")
- }
- return val
-}
-
-// Build big int from base64-encoded string. Strips whitespace (for testing).
-func fromBase64Int(base64 string) *big.Int {
- re := regexp.MustCompile(`\s+`)
- val, err := base64URLDecode(re.ReplaceAllString(base64, ""))
- if err != nil {
- panic("Invalid test data")
- }
- return new(big.Int).SetBytes(val)
-}
-
-// Decode hex-encoded string into byte array. Strips whitespace (for testing).
-func fromHexBytes(base16 string) []byte {
- re := regexp.MustCompile(`\s+`)
- val, err := hex.DecodeString(re.ReplaceAllString(base16, ""))
- if err != nil {
- panic("Invalid test data")
- }
- return val
-}
-
-// Decode base64-encoded string into byte array. Strips whitespace (for testing).
-func fromBase64Bytes(b64 string) []byte {
- re := regexp.MustCompile(`\s+`)
- val, err := base64.StdEncoding.DecodeString(re.ReplaceAllString(b64, ""))
- if err != nil {
- panic("Invalid test data")
- }
- return val
-}
-
-// Test vectors below taken from crypto/x509/x509_test.go in the Go std lib.
-
-var pkixPublicKey = `-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3VoPN9PKUjKFLMwOge6+
-wnDi8sbETGIx2FKXGgqtAKpzmem53kRGEQg8WeqRmp12wgp74TGpkEXsGae7RS1k
-enJCnma4fii+noGH7R0qKgHvPrI2Bwa9hzsH8tHxpyM3qrXslOmD45EH9SxIDUBJ
-FehNdaPbLP1gFyahKMsdfxFJLUvbUycuZSJ2ZnIgeVxwm4qbSvZInL9Iu4FzuPtg
-fINKcbbovy1qq4KvPIrXzhbY3PWDc6btxCf3SE0JdE1MCPThntB62/bLMSQ7xdDR
-FF53oIpvxe/SCOymfWq/LW849Ytv3Xwod0+wzAP8STXG4HSELS4UedPYeHJJJYcZ
-+QIDAQAB
------END PUBLIC KEY-----`
-
-var pkcs1PrivateKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIBOgIBAAJBALKZD0nEffqM1ACuak0bijtqE2QrI/KLADv7l3kK3ppMyCuLKoF0
-fd7Ai2KW5ToIwzFofvJcS/STa6HA5gQenRUCAwEAAQJBAIq9amn00aS0h/CrjXqu
-/ThglAXJmZhOMPVn4eiu7/ROixi9sex436MaVeMqSNf7Ex9a8fRNfWss7Sqd9eWu
-RTUCIQDasvGASLqmjeffBNLTXV2A5g4t+kLVCpsEIZAycV5GswIhANEPLmax0ME/
-EO+ZJ79TJKN5yiGBRsv5yvx5UiHxajEXAiAhAol5N4EUyq6I9w1rYdhPMGpLfk7A
-IU2snfRJ6Nq2CQIgFrPsWRCkV+gOYcajD17rEqmuLrdIRexpg8N1DOSXoJ8CIGlS
-tAboUGBxTDq3ZroNism3DaMIbKPyYrAqhKov1h5V
------END RSA PRIVATE KEY-----`
-
-var ecdsaSHA256p384CertPem = `
------BEGIN CERTIFICATE-----
-MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx
-EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
-BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
-CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0
-WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
-b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
-SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
-YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK
-jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze
-qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI
-zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr
-PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh
-3yILeYQzllt/g0rKVRk=
------END CERTIFICATE-----`
-
-var ecdsaSHA256p384CertDer = fromBase64Bytes(`
-MIICSjCCAdECCQDje/no7mXkVzAKBggqhkjOPQQDAjCBjjELMAkGA1UEBhMCVVMx
-EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDAS
-BgNVBAoMC0dvb2dsZSwgSW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEG
-CSqGSIb3DQEJARYUZ29sYW5nLWRldkBnbWFpbC5jb20wHhcNMTIwNTIxMDYxMDM0
-WhcNMjIwNTE5MDYxMDM0WjCBjjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlm
-b3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFDASBgNVBAoMC0dvb2dsZSwg
-SW5jMRcwFQYDVQQDDA53d3cuZ29vZ2xlLmNvbTEjMCEGCSqGSIb3DQEJARYUZ29s
-YW5nLWRldkBnbWFpbC5jb20wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARRuzRNIKRK
-jIktEmXanNmrTR/q/FaHXLhWRZ6nHWe26Fw7Rsrbk+VjGy4vfWtNn7xSFKrOu5ze
-qxKnmE0h5E480MNgrUiRkaGO2GMJJVmxx20aqkXOk59U8yGA4CghE6MwCgYIKoZI
-zj0EAwIDZwAwZAIwBZEN8gvmRmfeP/9C1PRLzODIY4JqWub2PLRT4mv9GU+yw3Gr
-PU9A3CHMdEcdw/MEAjBBO1lId8KOCh9UZunsSMfqXiVurpzmhWd6VYZ/32G+M+Mh
-3yILeYQzllt/g0rKVRk=`)
-
-var pkcs8ECPrivateKey = `
------BEGIN PRIVATE KEY-----
-MIHtAgEAMBAGByqGSM49AgEGBSuBBAAjBIHVMIHSAgEBBEHqkl65VsjYDQWIHfgv
-zQLPa0JZBsaJI16mjiH8k6VA4lgfK/KNldlEsY433X7wIzo43u8OpX7Nv7n8pVRH
-15XWK6GBiQOBhgAEAfDuikMI4bWsyse7t8iSCmjt9fneW/qStZuIPuVLo7mSJdud
-Cs3J/x9wOnnhLv1u+0atnq5HKKdL4ff3itJPlhmSAQzByKQ5LTvB7d6fn95GJVK/
-hNuS5qGBpB7qeMXVFoki0/2RZIOway8/fXjmNYwe4v/XB5LLn4hcTvEUGYcF8M9K
------END PRIVATE KEY-----`
-
-var ecPrivateKey = `
------BEGIN EC PRIVATE KEY-----
-MIHcAgEBBEIBv2rdY9mWGD/UgiuXB0LJcUzgaB6TXq/Ra1jrZKBV3IGSacM5QDFu
-N8yrywiQaTDEqn1zVcLwrnqoQux3gWN1jxugBwYFK4EEACOhgYkDgYYABAFJgaM/
-2a3+gE6Khm/1PYftqNwAzQ21HSLp27q2lTN+GBFho691ARFRkr9UzlQ8gRnhkTbu
-yGfASamlHsYlr3Tv+gFc4BY8SU0q8kzpQ0dOHWFk7dfGFmKwhJrSFIIOeRn/LY03
-XsVFctNDsGhobS2JguQrxhGx8Ll7vQCakV/PEmCQJA==
------END EC PRIVATE KEY-----`
-
-var ecPrivateKeyDer = fromBase64Bytes(`
-MIHcAgEBBEIBv2rdY9mWGD/UgiuXB0LJcUzgaB6TXq/Ra1jrZKBV3IGSacM5QDFu
-N8yrywiQaTDEqn1zVcLwrnqoQux3gWN1jxugBwYFK4EEACOhgYkDgYYABAFJgaM/
-2a3+gE6Khm/1PYftqNwAzQ21HSLp27q2lTN+GBFho691ARFRkr9UzlQ8gRnhkTbu
-yGfASamlHsYlr3Tv+gFc4BY8SU0q8kzpQ0dOHWFk7dfGFmKwhJrSFIIOeRn/LY03
-XsVFctNDsGhobS2JguQrxhGx8Ll7vQCakV/PEmCQJA==`)
-
-var invalidPemKey = `
------BEGIN PUBLIC KEY-----
-MIHcAgEBBEIBv2rdY9mWGD/UgiuXB0LJcUzgaB6TXq/Ra1jrZKBV3IGSacM5QDFu
-XsVFctNDsGhobS2JguQrxhGx8Ll7vQCakV/PEmCQJA==
------END PUBLIC KEY-----`
-
-func TestLoadPublicKey(t *testing.T) {
- pub, err := LoadPublicKey([]byte(pkixPublicKey))
- switch pub.(type) {
- case *rsa.PublicKey:
- default:
- t.Error("failed to parse RSA PKIX public key:", err)
- }
-
- pub, err = LoadPublicKey([]byte(ecdsaSHA256p384CertPem))
- switch pub.(type) {
- case *ecdsa.PublicKey:
- default:
- t.Error("failed to parse ECDSA X.509 cert:", err)
- }
-
- pub, err = LoadPublicKey([]byte(ecdsaSHA256p384CertDer))
- switch pub.(type) {
- case *ecdsa.PublicKey:
- default:
- t.Error("failed to parse ECDSA X.509 cert:", err)
- }
-
- pub, err = LoadPublicKey([]byte("###"))
- if err == nil {
- t.Error("should not parse invalid key")
- }
-
- pub, err = LoadPublicKey([]byte(invalidPemKey))
- if err == nil {
- t.Error("should not parse invalid key")
- }
-}
-
-func TestLoadPrivateKey(t *testing.T) {
- priv, err := LoadPrivateKey([]byte(pkcs1PrivateKey))
- switch priv.(type) {
- case *rsa.PrivateKey:
- default:
- t.Error("failed to parse RSA PKCS1 private key:", err)
- }
-
- priv, err = LoadPrivateKey([]byte(pkcs8ECPrivateKey))
- if _, ok := priv.(*ecdsa.PrivateKey); !ok {
- t.Error("failed to parse EC PKCS8 private key:", err)
- }
-
- priv, err = LoadPrivateKey([]byte(ecPrivateKey))
- if _, ok := priv.(*ecdsa.PrivateKey); !ok {
- t.Error("failed to parse EC private key:", err)
- }
-
- priv, err = LoadPrivateKey([]byte(ecPrivateKeyDer))
- if _, ok := priv.(*ecdsa.PrivateKey); !ok {
- t.Error("failed to parse EC private key:", err)
- }
-
- priv, err = LoadPrivateKey([]byte("###"))
- if err == nil {
- t.Error("should not parse invalid key")
- }
-
- priv, err = LoadPrivateKey([]byte(invalidPemKey))
- if err == nil {
- t.Error("should not parse invalid key")
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/.travis.yml b/vendor/gopkg.in/square/go-jose.v2/.travis.yml
index 3dc44183..d612b420 100644
--- a/vendor/gopkg.in/square/go-jose.v2/.travis.yml
+++ b/vendor/gopkg.in/square/go-jose.v2/.travis.yml
@@ -10,9 +10,10 @@ matrix:
go:
- 1.5
- 1.6
+- 1.7
- tip
-go_import_path: gopkg.in/square/go-jose.v1
+go_import_path: gopkg.in/square/go-jose.v2
before_script:
- export PATH=$HOME/.local/bin:$PATH
@@ -32,7 +33,6 @@ before_install:
script:
- go test . -v -covermode=count -coverprofile=profile.cov
-- go test . -tags std_json -v -covermode=count -coverprofile=profile-std-json.cov
- go test ./cipher -v -covermode=count -coverprofile=cipher/profile.cov
- go test ./jwt -v -covermode=count -coverprofile=jwt/profile.cov
- go test ./json -v # no coverage for forked encoding/json package
diff --git a/vendor/gopkg.in/square/go-jose.v2/README.md b/vendor/gopkg.in/square/go-jose.v2/README.md
index be79e582..43bf1fbe 100644
--- a/vendor/gopkg.in/square/go-jose.v2/README.md
+++ b/vendor/gopkg.in/square/go-jose.v2/README.md
@@ -1,16 +1,14 @@
# Go JOSE
-**Please note that this branch is still under active development.**
-
-[](https://godoc.org/gopkg.in/square/go-jose.v2)
-[](https://raw.githubusercontent.com/square/go-jose/master/LICENSE)
-[](https://travis-ci.org/square/go-jose)
-[](https://coveralls.io/r/square/go-jose)
-[](https://goreportcard.com/report/github.com/square/go-jose)
+[](https://godoc.org/gopkg.in/square/go-jose.v1)
+[](https://godoc.org/gopkg.in/square/go-jose.v2)
+[](https://raw.githubusercontent.com/square/go-jose/master/LICENSE)
+[](https://travis-ci.org/square/go-jose)
+[](https://coveralls.io/r/square/go-jose)
Package jose aims to provide an implementation of the Javascript Object Signing
-and Encryption set of standards. For the moment, it mainly focuses on encryption
-and signing based on the JSON Web Encryption and JSON Web Signature standards.
+and Encryption set of standards. This includes support for JSON Web Encryption,
+JSON Web Signature, and JSON Web Token standards.
**Disclaimer**: This library contains encryption software that is subject to
the U.S. Export Administration Regulations. You may not export, re-export,
@@ -23,44 +21,50 @@ US maintained blocked list.
## Overview
The implementation follows the
-[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516)
-standard (RFC 7516) and
-[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515)
-standard (RFC 7515). Tables of supported algorithms are shown below.
-The library supports both the compact and full serialization formats, and has
-optional support for multiple recipients. It also comes with a small
-command-line utility
-([`jose-util`](https://github.com/square/go-jose/tree/master/jose-util))
+[JSON Web Encryption](http://dx.doi.org/10.17487/RFC7516) (RFC 7516),
+[JSON Web Signature](http://dx.doi.org/10.17487/RFC7515) (RFC 7515), and
+[JSON Web Token](http://dx.doi.org/10.17487/RFC7519) (RFC 7519).
+Tables of supported algorithms are shown below. The library supports both
+the compact and full serialization formats, and has optional support for
+multiple recipients. It also comes with a small command-line utility
+([`jose-util`](https://github.com/square/go-jose/tree/v2/jose-util))
for dealing with JOSE messages in a shell.
**Note**: We use a forked version of the `encoding/json` package from the Go
standard library which uses case-sensitive matching for member names (instead
of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/current/msg03763.html)).
This is to avoid differences in interpretation of messages between go-jose and
-libraries in other languages. If you do not like this behavior, you can use the
-`std_json` build tag to disable it (though we do not recommend doing so).
+libraries in other languages.
### Versions
We use [gopkg.in](https://gopkg.in) for versioning.
-[Version 1](https://gopkg.in/square/go-jose.v1) is the current stable version:
+[Version 1](https://gopkg.in/square/go-jose.v1) is the old stable version:
import "gopkg.in/square/go-jose.v1"
+[Version 2](https://gopkg.in/square/go-jose.v2) is for new development:
+
+ import "gopkg.in/square/go-jose.v2"
+
The interface for [go-jose.v1](https://gopkg.in/square/go-jose.v1) will remain
-backwards compatible. We're currently sketching out ideas for a new version, to
-clean up the interface a bit. If you have ideas or feature requests [please let
-us know](https://github.com/square/go-jose/issues/64)!
+backwards compatible. No new feature development will take place on the `v1` branch,
+however bug fixes and security fixes will be backported.
+
+The interface for [go-jose.v2](https://gopkg.in/square/go-jose.v2) is mostly
+stable, but we suggest pinning to a particular revision for now as we still reserve
+the right to make changes. New feature development happens on this branch.
+
+New in [go-jose.v2](https://gopkg.in/square/go-jose.v2) is a
+[jwt](https://godoc.org/gopkg.in/square/go-jose.v2/jwt) sub-package
+contributed by [@shaxbee](https://github.com/shaxbee).
### Supported algorithms
See below for a table of supported algorithms. Algorithm identifiers match
-the names in the
-[JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518)
-standard where possible. The
-[Godoc reference](https://godoc.org/github.com/square/go-jose#pkg-constants)
-has a list of constants.
+the names in the [JSON Web Algorithms](http://dx.doi.org/10.17487/RFC7518)
+standard where possible. The Godoc reference has a list of constants.
Key encryption | Algorithm identifier(s)
:------------------------- | :------------------------------
@@ -94,122 +98,22 @@ has a list of constants.
See below for a table of supported key types. These are understood by the
library, and can be passed to corresponding functions such as `NewEncrypter` or
-`NewSigner`. Note that if you are creating a new encrypter or signer with a
-JSONWebKey, the key id of the JSONWebKey (if present) will be added to any
-resulting messages.
+`NewSigner`. Each of these keys can also be wrapped in a JWK if desired, which
+allows attaching a key id.
Algorithm(s) | Corresponding types
:------------------------- | -------------------------------
- RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey), *[jose.JSONWebKey](https://godoc.org/gopkg.in/square/go-jose.v2#JSONWebKey)
- ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey), *[jose.JSONWebKey](https://godoc.org/gopkg.in/square/go-jose.v2#JSONWebKey)
- AES, HMAC | []byte, *[jose.JSONWebKey](https://godoc.org/gopkg.in/square/go-jose.v2#JSONWebKey)
+ RSA | *[rsa.PublicKey](http://golang.org/pkg/crypto/rsa/#PublicKey), *[rsa.PrivateKey](http://golang.org/pkg/crypto/rsa/#PrivateKey)
+ ECDH, ECDSA | *[ecdsa.PublicKey](http://golang.org/pkg/crypto/ecdsa/#PublicKey), *[ecdsa.PrivateKey](http://golang.org/pkg/crypto/ecdsa/#PrivateKey)
+ AES, HMAC | []byte
## Examples
-Encryption/decryption example using RSA:
+[](https://godoc.org/gopkg.in/square/go-jose.v1)
+[](https://godoc.org/gopkg.in/square/go-jose.v2)
-```Go
-// Generate a public/private key pair to use for this example. The library
-// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
-// that can be used to load keys from PEM/DER-encoded data.
-privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-if err != nil {
- panic(err)
-}
-
-// Instantiate an encrypter using RSA-OAEP with AES128-GCM. An error would
-// indicate that the selected algorithm(s) are not currently supported.
-publicKey := &privateKey.PublicKey
-encrypter, err := NewEncrypter(A128GCM, Recipient{Algorithm: RSA_OAEP, Key: publicKey}, nil)
-if err != nil {
- panic(err)
-}
-
-// Encrypt a sample plaintext. Calling the encrypter returns an encrypted
-// JWE object, which can then be serialized for output afterwards. An error
-// would indicate a problem in an underlying cryptographic primitive.
-var plaintext = []byte("Lorem ipsum dolor sit amet")
-object, err := encrypter.Encrypt(plaintext)
-if err != nil {
- panic(err)
-}
-
-// Serialize the encrypted object using the full serialization format.
-// Alternatively you can also use the compact format here by calling
-// object.CompactSerialize() instead.
-serialized := object.FullSerialize()
-
-// Parse the serialized, encrypted JWE object. An error would indicate that
-// the given input did not represent a valid message.
-object, err = ParseEncrypted(serialized)
-if err != nil {
- panic(err)
-}
-
-// Now we can decrypt and get back our original plaintext. An error here
-// would indicate the the message failed to decrypt, e.g. because the auth
-// tag was broken or the message was tampered with.
-decrypted, err := object.Decrypt(privateKey)
-if err != nil {
- panic(err)
-}
-
-fmt.Printf(string(decrypted))
-// output: Lorem ipsum dolor sit amet
-```
-
-Signing/verification example using RSA:
-
-```Go
-// Generate a public/private key pair to use for this example. The library
-// also provides two utility functions (LoadPublicKey and LoadPrivateKey)
-// that can be used to load keys from PEM/DER-encoded data.
-privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-if err != nil {
- panic(err)
-}
-
-// Instantiate a signer using RSASSA-PSS (SHA512) with the given private key.
-signer, err := NewSigner(SigningKey{Algorithm: PS512, Key: privateKey}, nil)
-if err != nil {
- panic(err)
-}
-
-// Sign a sample payload. Calling the signer returns a protected JWS object,
-// which can then be serialized for output afterwards. An error would
-// indicate a problem in an underlying cryptographic primitive.
-var payload = []byte("Lorem ipsum dolor sit amet")
-object, err := signer.Sign(payload)
-if err != nil {
- panic(err)
-}
-
-// Serialize the encrypted object using the full serialization format.
-// Alternatively you can also use the compact format here by calling
-// object.CompactSerialize() instead.
-serialized := object.FullSerialize()
-
-// Parse the serialized, protected JWS object. An error would indicate that
-// the given input did not represent a valid message.
-object, err = ParseSigned(serialized)
-if err != nil {
- panic(err)
-}
-
-// Now we can verify the signature on the payload. An error here would
-// indicate the the message failed to verify, e.g. because the signature was
-// broken or the message was tampered with.
-output, err := object.Verify(&privateKey.PublicKey)
-if err != nil {
- panic(err)
-}
-
-fmt.Printf(string(output))
-// output: Lorem ipsum dolor sit amet
-```
-
-More examples can be found in the [Godoc
-reference](https://godoc.org/github.com/square/go-jose) for this package. The
-[`jose-util`](https://github.com/square/go-jose/tree/master/jose-util)
-subdirectory also contains a small command-line utility which might
-be useful as an example.
+Examples can be found in the Godoc
+reference for this package. The
+[`jose-util`](https://github.com/square/go-jose/tree/v2/jose-util)
+subdirectory also contains a small command-line utility which might be useful
+as an example.
diff --git a/vendor/gopkg.in/square/go-jose.v2/asymmetric.go b/vendor/gopkg.in/square/go-jose.v2/asymmetric.go
index eb12579a..b238b4ad 100644
--- a/vendor/gopkg.in/square/go-jose.v2/asymmetric.go
+++ b/vendor/gopkg.in/square/go-jose.v2/asymmetric.go
@@ -67,6 +67,10 @@ func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKe
return recipientKeyInfo{}, ErrUnsupportedAlgorithm
}
+ if publicKey == nil {
+ return recipientKeyInfo{}, errors.New("invalid public key")
+ }
+
return recipientKeyInfo{
keyAlg: keyAlg,
keyEncrypter: &rsaEncrypterVerifier{
@@ -84,6 +88,10 @@ func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipi
return recipientSigInfo{}, ErrUnsupportedAlgorithm
}
+ if privateKey == nil {
+ return recipientSigInfo{}, errors.New("invalid private key")
+ }
+
return recipientSigInfo{
sigAlg: sigAlg,
publicKey: &JSONWebKey{
@@ -104,6 +112,10 @@ func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipien
return recipientKeyInfo{}, ErrUnsupportedAlgorithm
}
+ if publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+ return recipientKeyInfo{}, errors.New("invalid public key")
+ }
+
return recipientKeyInfo{
keyAlg: keyAlg,
keyEncrypter: &ecEncrypterVerifier{
@@ -121,6 +133,10 @@ func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (re
return recipientSigInfo{}, ErrUnsupportedAlgorithm
}
+ if privateKey == nil {
+ return recipientSigInfo{}, errors.New("invalid private key")
+ }
+
return recipientSigInfo{
sigAlg: sigAlg,
publicKey: &JSONWebKey{
@@ -370,6 +386,10 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI
return nil, errors.New("square/go-jose: invalid epk header")
}
+ if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+ return nil, errors.New("square/go-jose: invalid public key in epk header")
+ }
+
apuData := headers.Apu.bytes()
apvData := headers.Apv.bytes()
@@ -474,6 +494,8 @@ func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, a
case ES512:
keySize = 66
hash = crypto.SHA512
+ default:
+ return ErrUnsupportedAlgorithm
}
if len(signature) != 2*keySize {
diff --git a/vendor/gopkg.in/square/go-jose.v2/asymmetric_test.go b/vendor/gopkg.in/square/go-jose.v2/asymmetric_test.go
index c97b6a55..79bacc4b 100644
--- a/vendor/gopkg.in/square/go-jose.v2/asymmetric_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/asymmetric_test.go
@@ -18,6 +18,8 @@ package jose
import (
"bytes"
+ "crypto/ecdsa"
+ "crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"errors"
@@ -429,3 +431,38 @@ func TestInvalidEllipticCurve(t *testing.T) {
t.Error("should not generate ES384 signature with P-521 key")
}
}
+
+func estInvalidECPublicKey(t *testing.T) {
+ // Invalid key
+ invalid := &ecdsa.PrivateKey{
+ PublicKey: ecdsa.PublicKey{
+ Curve: elliptic.P256(),
+ X: fromBase64Int("MTEx"),
+ Y: fromBase64Int("MTEx"),
+ },
+ D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"),
+ }
+
+ headers := rawHeader{
+ Alg: string(ECDH_ES),
+ Epk: &JSONWebKey{
+ Key: &invalid.PublicKey,
+ },
+ }
+
+ dec := ecDecrypterSigner{
+ privateKey: ecTestKey256,
+ }
+
+ _, err := dec.decryptKey(headers, nil, randomKeyGenerator{size: 16})
+ if err == nil {
+ t.Fatal("decrypter accepted JWS with invalid ECDH public key")
+ }
+}
+
+func TestInvalidAlgorithmEC(t *testing.T) {
+ err := ecEncrypterVerifier{publicKey: &ecTestKey256.PublicKey}.verifyPayload([]byte{}, []byte{}, "XYZ")
+ if err != ErrUnsupportedAlgorithm {
+ t.Fatal("should not accept invalid/unsupported algorithm")
+ }
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
index a5c35834..126b85ce 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
+++ b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac.go
@@ -82,7 +82,7 @@ func (ctx *cbcAEAD) Overhead() int {
// Seal encrypts and authenticates the plaintext.
func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
// Output buffer -- must take care not to mangle plaintext input.
- ciphertext := make([]byte, len(plaintext)+ctx.Overhead())[:len(plaintext)]
+ ciphertext := make([]byte, uint64(len(plaintext))+uint64(ctx.Overhead()))[:len(plaintext)]
copy(ciphertext, plaintext)
ciphertext = padBuffer(ciphertext, ctx.blockCipher.BlockSize())
@@ -91,7 +91,7 @@ func (ctx *cbcAEAD) Seal(dst, nonce, plaintext, data []byte) []byte {
cbc.CryptBlocks(ciphertext, ciphertext)
authtag := ctx.computeAuthTag(data, nonce, ciphertext)
- ret, out := resize(dst, len(dst)+len(ciphertext)+len(authtag))
+ ret, out := resize(dst, uint64(len(dst))+uint64(len(ciphertext))+uint64(len(authtag)))
copy(out, ciphertext)
copy(out[len(ciphertext):], authtag)
@@ -128,7 +128,7 @@ func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
return nil, err
}
- ret, out := resize(dst, len(dst)+len(plaintext))
+ ret, out := resize(dst, uint64(len(dst))+uint64(len(plaintext)))
copy(out, plaintext)
return ret, nil
@@ -136,12 +136,12 @@ func (ctx *cbcAEAD) Open(dst, nonce, ciphertext, data []byte) ([]byte, error) {
// Compute an authentication tag
func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
- buffer := make([]byte, len(aad)+len(nonce)+len(ciphertext)+8)
+ buffer := make([]byte, uint64(len(aad))+uint64(len(nonce))+uint64(len(ciphertext))+8)
n := 0
n += copy(buffer, aad)
n += copy(buffer[n:], nonce)
n += copy(buffer[n:], ciphertext)
- binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad)*8))
+ binary.BigEndian.PutUint64(buffer[n:], uint64(len(aad))*8)
// According to documentation, Write() on hash.Hash never fails.
hmac := hmac.New(ctx.hash, ctx.integrityKey)
@@ -153,8 +153,8 @@ func (ctx *cbcAEAD) computeAuthTag(aad, nonce, ciphertext []byte) []byte {
// resize ensures the the given slice has a capacity of at least n bytes.
// If the capacity of the slice is less than n, a new slice is allocated
// and the existing data will be copied.
-func resize(in []byte, n int) (head, tail []byte) {
- if cap(in) >= n {
+func resize(in []byte, n uint64) (head, tail []byte) {
+ if uint64(cap(in)) >= n {
head = in[:n]
} else {
head = make([]byte, n)
@@ -168,7 +168,7 @@ func resize(in []byte, n int) (head, tail []byte) {
// Apply padding
func padBuffer(buffer []byte, blockSize int) []byte {
missing := blockSize - (len(buffer) % blockSize)
- ret, out := resize(buffer, len(buffer)+missing)
+ ret, out := resize(buffer, uint64(len(buffer))+uint64(missing))
padding := bytes.Repeat([]byte{byte(missing)}, missing)
copy(out, padding)
return ret
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac_test.go b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac_test.go
index c230271b..40bcb20f 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/cipher/cbc_hmac_test.go
@@ -283,7 +283,7 @@ func TestTruncatedCiphertext(t *testing.T) {
ct := aead.Seal(nil, nonce, data, nil)
// Truncated ciphertext, but with correct auth tag
- truncated, tail := resize(ct[:len(ct)-ctx.authtagBytes-2], len(ct)-2)
+ truncated, tail := resize(ct[:len(ct)-ctx.authtagBytes-2], uint64(len(ct))-2)
copy(tail, ctx.computeAuthTag(nil, nonce, truncated[:len(truncated)-ctx.authtagBytes]))
// Open should fail
@@ -313,8 +313,8 @@ func TestInvalidPaddingOpen(t *testing.T) {
ctx := aead.(*cbcAEAD)
// Mutated ciphertext, but with correct auth tag
- size := len(buffer)
- ciphertext, tail := resize(buffer, size+(len(key)/2))
+ size := uint64(len(buffer))
+ ciphertext, tail := resize(buffer, size+(uint64(len(key))/2))
copy(tail, ctx.computeAuthTag(nil, nonce, ciphertext[:size]))
// Open should fail (b/c of invalid padding, even though tag matches)
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go b/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
index cbb5f7b8..f62c3bdb 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
+++ b/vendor/gopkg.in/square/go-jose.v2/cipher/concat_kdf.go
@@ -32,7 +32,7 @@ type concatKDF struct {
// NewConcatKDF builds a KDF reader based on the given inputs.
func NewConcatKDF(hash crypto.Hash, z, algID, ptyUInfo, ptyVInfo, supPubInfo, supPrivInfo []byte) io.Reader {
- buffer := make([]byte, len(algID)+len(ptyUInfo)+len(ptyVInfo)+len(supPubInfo)+len(supPrivInfo))
+ buffer := make([]byte, uint64(len(algID))+uint64(len(ptyUInfo))+uint64(len(ptyVInfo))+uint64(len(supPubInfo))+uint64(len(supPrivInfo)))
n := 0
n += copy(buffer, algID)
n += copy(buffer[n:], ptyUInfo)
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
index c6a5a821..f23d49e1 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
+++ b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es.go
@@ -23,7 +23,14 @@ import (
)
// DeriveECDHES derives a shared encryption key using ECDH/ConcatKDF as described in JWE/JWA.
+// It is an error to call this function with a private/public key that are not on the same
+// curve. Callers must ensure that the keys are valid before calling this function. Output
+// size may be at most 1<<16 bytes (64 KiB).
func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey, size int) []byte {
+ if size > 1<<16 {
+ panic("ECDH-ES output size too large, must be less than 1<<16")
+ }
+
// algId, partyUInfo, partyVInfo inputs must be prefixed with the length
algID := lengthPrefixed([]byte(alg))
ptyUInfo := lengthPrefixed(apuData)
@@ -33,6 +40,10 @@ func DeriveECDHES(alg string, apuData, apvData []byte, priv *ecdsa.PrivateKey, p
supPubInfo := make([]byte, 4)
binary.BigEndian.PutUint32(supPubInfo, uint32(size)*8)
+ if !priv.PublicKey.Curve.IsOnCurve(pub.X, pub.Y) {
+ panic("public key not on same curve as private key")
+ }
+
z, _ := priv.PublicKey.Curve.ScalarMult(pub.X, pub.Y, priv.D.Bytes())
reader := NewConcatKDF(crypto.SHA256, z.Bytes(), algID, ptyUInfo, ptyVInfo, supPubInfo, []byte{})
diff --git a/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es_test.go b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es_test.go
index f92abb17..58fb4c67 100644
--- a/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/cipher/ecdh_es_test.go
@@ -48,7 +48,7 @@ var bobKey = &ecdsa.PrivateKey{
func fromBase64Int(data string) *big.Int {
val, err := base64.URLEncoding.DecodeString(data)
if err != nil {
- panic("Invalid test data")
+ panic("Invalid test data: " + err.Error())
}
return new(big.Int).SetBytes(val)
}
@@ -67,6 +67,23 @@ func TestVectorECDHES(t *testing.T) {
}
}
+func TestInvalidECPublicKey(t *testing.T) {
+ defer func() { recover() }()
+
+ // Invalid key
+ invalid := &ecdsa.PrivateKey{
+ PublicKey: ecdsa.PublicKey{
+ Curve: elliptic.P256(),
+ X: fromBase64Int("MTEx"),
+ Y: fromBase64Int("MTEx"),
+ },
+ D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo="),
+ }
+
+ DeriveECDHES("A128GCM", []byte{}, []byte{}, bobKey, &invalid.PublicKey, 16)
+ t.Fatal("should panic if public key was invalid")
+}
+
func BenchmarkECDHES_128(b *testing.B) {
apuData := []byte("APU")
apvData := []byte("APV")
diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
index e4a0e806..bc7e043b 100644
--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
+++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
@@ -19,6 +19,7 @@ package jose
import (
"crypto/ecdsa"
"crypto/rsa"
+ "errors"
"fmt"
"reflect"
)
@@ -308,10 +309,16 @@ func (ctx *genericEncrypter) EncryptWithAuthData(plaintext, aad []byte) (*JSONWe
return obj, nil
}
-// Decrypt and validate the object and return the plaintext.
+// Decrypt and validate the object and return the plaintext. Note that this
+// function does not support multi-recipient, if you desire multi-recipient
+// decryption use DecryptMulti instead.
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
headers := obj.mergedHeaders(nil)
+ if len(obj.recipients) > 1 {
+ return nil, errors.New("square/go-jose: too many recipients in payload; expecting only one")
+ }
+
if len(headers.Crit) > 0 {
return nil, fmt.Errorf("square/go-jose: unsupported crit header")
}
@@ -339,17 +346,13 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
authData := obj.computeAuthData()
var plaintext []byte
- for _, recipient := range obj.recipients {
- recipientHeaders := obj.mergedHeaders(&recipient)
+ recipient := obj.recipients[0]
+ recipientHeaders := obj.mergedHeaders(&recipient)
- cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
- if err == nil {
- // Found a valid CEK -- let's try to decrypt.
- plaintext, err = cipher.decrypt(cek, authData, parts)
- if err == nil {
- break
- }
- }
+ cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
+ if err == nil {
+ // Found a valid CEK -- let's try to decrypt.
+ plaintext, err = cipher.decrypt(cek, authData, parts)
}
if plaintext == nil {
@@ -363,3 +366,67 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
return plaintext, err
}
+
+// DecryptMulti decrypts and validates the object and returns the plaintexts,
+// with support for multiple recipients. It returns the index of the recipient
+// for which the decryption was successful, the merged headers for that recipient,
+// and the plaintext.
+func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ globalHeaders := obj.mergedHeaders(nil)
+
+ if len(globalHeaders.Crit) > 0 {
+ return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported crit header")
+ }
+
+ decrypter, err := newDecrypter(decryptionKey)
+ if err != nil {
+ return -1, Header{}, nil, err
+ }
+
+ cipher := getContentCipher(globalHeaders.Enc)
+ if cipher == nil {
+ return -1, Header{}, nil, fmt.Errorf("square/go-jose: unsupported enc value '%s'", string(globalHeaders.Enc))
+ }
+
+ generator := randomKeyGenerator{
+ size: cipher.keySize(),
+ }
+
+ parts := &aeadParts{
+ iv: obj.iv,
+ ciphertext: obj.ciphertext,
+ tag: obj.tag,
+ }
+
+ authData := obj.computeAuthData()
+
+ index := -1
+ var plaintext []byte
+ var headers rawHeader
+
+ for i, recipient := range obj.recipients {
+ recipientHeaders := obj.mergedHeaders(&recipient)
+
+ cek, err := decrypter.decryptKey(recipientHeaders, &recipient, generator)
+ if err == nil {
+ // Found a valid CEK -- let's try to decrypt.
+ plaintext, err = cipher.decrypt(cek, authData, parts)
+ if err == nil {
+ index = i
+ headers = recipientHeaders
+ break
+ }
+ }
+ }
+
+ if plaintext == nil || err != nil {
+ return -1, Header{}, nil, ErrCryptoFailure
+ }
+
+ // The "zip" header parameter may only be present in the protected header.
+ if obj.protected.Zip != "" {
+ plaintext, err = decompress(obj.protected.Zip, plaintext)
+ }
+
+ return index, headers.sanitized(), plaintext, err
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter_test.go b/vendor/gopkg.in/square/go-jose.v2/crypter_test.go
index 4275b275..ba70acd9 100644
--- a/vendor/gopkg.in/square/go-jose.v2/crypter_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/crypter_test.go
@@ -279,38 +279,40 @@ func TestMultiRecipientJWE(t *testing.T) {
input := []byte("Lorem ipsum dolor sit amet")
obj, err := enc.Encrypt(input)
if err != nil {
- t.Error("error in encrypt: ", err)
- return
+ t.Fatal("error in encrypt: ", err)
}
msg := obj.FullSerialize()
parsed, err := ParseEncrypted(msg)
if err != nil {
- t.Error("error in parse: ", err)
- return
+ t.Fatal("error in parse: ", err)
}
- output, err := parsed.Decrypt(rsaTestKey)
+ i, _, output, err := parsed.DecryptMulti(rsaTestKey)
if err != nil {
- t.Error("error on decrypt with RSA: ", err)
- return
+ t.Fatal("error on decrypt with RSA: ", err)
+ }
+
+ if i != 0 {
+ t.Fatal("recipient index should be 0 for RSA key")
}
if bytes.Compare(input, output) != 0 {
- t.Error("Decrypted output does not match input: ", output, input)
- return
+ t.Fatal("Decrypted output does not match input: ", output, input)
}
- output, err = parsed.Decrypt(sharedKey)
+ i, _, output, err = parsed.DecryptMulti(sharedKey)
if err != nil {
- t.Error("error on decrypt with AES: ", err)
- return
+ t.Fatal("error on decrypt with AES: ", err)
+ }
+
+ if i != 1 {
+ t.Fatal("recipient index should be 1 for shared key")
}
if bytes.Compare(input, output) != 0 {
- t.Error("Decrypted output does not match input", output, input)
- return
+ t.Fatal("Decrypted output does not match input", output, input)
}
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
index e997ebf6..9f37ef46 100644
--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
@@ -21,6 +21,7 @@ import (
"compress/flate"
"encoding/base64"
"encoding/binary"
+ "encoding/json"
"io"
"math/big"
"regexp"
@@ -31,7 +32,7 @@ var stripWhitespaceRegex = regexp.MustCompile("\\s")
// Helper function to serialize known-good objects.
// Precondition: value is not a nil pointer.
func mustSerializeJSON(value interface{}) []byte {
- out, err := MarshalJSON(value)
+ out, err := json.Marshal(value)
if err != nil {
panic(err)
}
@@ -132,12 +133,12 @@ func newBufferFromInt(num uint64) *byteBuffer {
}
func (b *byteBuffer) MarshalJSON() ([]byte, error) {
- return MarshalJSON(b.base64())
+ return json.Marshal(b.base64())
}
func (b *byteBuffer) UnmarshalJSON(data []byte) error {
var encoded string
- err := UnmarshalJSON(data, &encoded)
+ err := json.Unmarshal(data, &encoded)
if err != nil {
return err
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jose-util/jose-util.t b/vendor/gopkg.in/square/go-jose.v2/jose-util/jose-util.t
index 5e42ba4d..c0d747bb 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jose-util/jose-util.t
+++ b/vendor/gopkg.in/square/go-jose.v2/jose-util/jose-util.t
@@ -86,3 +86,9 @@ Sign and verify a test message (EC).
> jose-util sign --alg ES384 --key ec.key |
> jose-util verify --key ec.pub
Lorem ipsum dolor sit amet
+
+Expand a compact message to full format.
+
+ $ echo "eyJhbGciOiJFUzM4NCJ9.TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQK.QPU35XY913Im7ZEaN2yHykfbtPqjHZvYp-lV8OcTAJZs67bJFSdTSkQhQWE9ch6tvYrj_7py6HKaWVFLll_s_Rm6bmwq3JszsHrIvFFm1NydruYHhvAnx7rjYiqwOu0W" |
+ > jose-util expand --format JWS
+ {"payload":"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQK","protected":"eyJhbGciOiJFUzM4NCJ9","signature":"QPU35XY913Im7ZEaN2yHykfbtPqjHZvYp-lV8OcTAJZs67bJFSdTSkQhQWE9ch6tvYrj_7py6HKaWVFLll_s_Rm6bmwq3JszsHrIvFFm1NydruYHhvAnx7rjYiqwOu0W"}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jose-util/main.go b/vendor/gopkg.in/square/go-jose.v2/jose-util/main.go
index 0a5d6a45..356bc2c4 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jose-util/main.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jose-util/main.go
@@ -28,7 +28,7 @@ import (
var (
app = kingpin.New("jose-util", "A command-line utility for dealing with JOSE objects.")
- keyFile = app.Flag("key", "Path to key file (PEM or DER-encoded)").Required().ExistingFile()
+ keyFile = app.Flag("key", "Path to key file (PEM or DER-encoded)").ExistingFile()
inFile = app.Flag("in", "Path to input file (stdin if missing)").ExistingFile()
outFile = app.Flag("out", "Path to output file (stdout if missing)").ExistingFile()
@@ -54,8 +54,12 @@ func main() {
command := kingpin.MustParse(app.Parse(os.Args[1:]))
- keyBytes, err := ioutil.ReadFile(*keyFile)
- exitOnError(err, "unable to read key file")
+ var keyBytes []byte
+ var err error
+ if command != "expand" {
+ keyBytes, err = ioutil.ReadFile(*keyFile)
+ exitOnError(err, "unable to read key file")
+ }
switch command {
case "encrypt":
@@ -144,6 +148,7 @@ func main() {
exitOnError(err, "unable to expand message")
writeOutput(*outFile, []byte(serialized))
+ writeOutput(*outFile, []byte("\n"))
}
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/json/decode_test.go b/vendor/gopkg.in/square/go-jose.v2/json/decode_test.go
index 7577b21a..32394654 100644
--- a/vendor/gopkg.in/square/go-jose.v2/json/decode_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/json/decode_test.go
@@ -1258,7 +1258,7 @@ func TestSliceOfCustomByte(t *testing.T) {
t.Fatal(err)
}
if !reflect.DeepEqual(a, b) {
- t.Fatal("expected %v == %v", a, b)
+ t.Fatalf("expected %v == %v", a, b)
}
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/json_fork.go b/vendor/gopkg.in/square/go-jose.v2/json_fork.go
deleted file mode 100644
index 38d887f7..00000000
--- a/vendor/gopkg.in/square/go-jose.v2/json_fork.go
+++ /dev/null
@@ -1,31 +0,0 @@
-// +build !std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "gopkg.in/square/go-jose.v2/json"
-)
-
-func MarshalJSON(v interface{}) ([]byte, error) {
- return json.Marshal(v)
-}
-
-func UnmarshalJSON(data []byte, v interface{}) error {
- return json.Unmarshal(data, v)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/json_fork_test.go b/vendor/gopkg.in/square/go-jose.v2/json_fork_test.go
deleted file mode 100644
index cacf5d5d..00000000
--- a/vendor/gopkg.in/square/go-jose.v2/json_fork_test.go
+++ /dev/null
@@ -1,105 +0,0 @@
-// +build !std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "testing"
-)
-
-type CaseSensitive struct {
- A int `json:"Test"`
- B int `json:"test"`
- C int `json:"TEST"`
-}
-
-type UnicodeTest struct {
- Sig string `json:"sig"`
-}
-
-func TestUnicodeComparison(t *testing.T) {
- // Some tests from RFC 7515, Section 10.13
- raw := []byte(`{"\u0073ig":"foo"}`)
- var ut UnicodeTest
- err := UnmarshalJSON(raw, &ut)
- if err != nil {
- t.Error(err)
- }
-
- if ut.Sig != "foo" {
- t.Error("strings 'sig' and '\\u0073ig' should be equal")
- }
-
- raw = []byte(`{"si\u0047":"bar"}`)
- var ut2 UnicodeTest
- err = UnmarshalJSON(raw, &ut2)
- if err != nil {
- t.Error(err)
- }
-
- if ut2.Sig != "" {
- t.Error("strings 'sig' and 'si\\u0047' should not be equal")
- }
-}
-
-func TestCaseSensitiveJSON(t *testing.T) {
- raw := []byte(`{"test":42}`)
- var cs CaseSensitive
- err := UnmarshalJSON(raw, &cs)
- if err != nil {
- t.Error(err)
- }
-
- if cs.A != 0 || cs.B != 42 || cs.C != 0 {
- t.Errorf("parsing JSON should be case-sensitive (got %v)", cs)
- }
-}
-
-func TestRejectDuplicateKeysObject(t *testing.T) {
- raw := []byte(`{"test":42,"test":43}`)
- var cs CaseSensitive
- err := UnmarshalJSON(raw, &cs)
- if err == nil {
- t.Error("should reject JSON with duplicate keys, but didn't")
- }
-}
-
-func TestRejectDuplicateKeysInterface(t *testing.T) {
- raw := []byte(`{"test":42,"test":43}`)
- var m interface{}
- err := UnmarshalJSON(raw, &m)
- if err == nil {
- t.Error("should reject JSON with duplicate keys, but didn't")
- }
-}
-
-func TestParseCaseSensitiveJWE(t *testing.T) {
- invalidJWE := `{"protected":"eyJlbmMiOiJYWVoiLCJBTEciOiJYWVoifQo","encrypted_key":"QUJD","iv":"QUJD","ciphertext":"QUJD","tag":"QUJD"}`
- _, err := ParseEncrypted(invalidJWE)
- if err == nil {
- t.Error("Able to parse message with case-invalid headers", invalidJWE)
- }
-}
-
-func TestParseCaseSensitiveJWS(t *testing.T) {
- invalidJWS := `{"PAYLOAD":"CUJD","signatures":[{"protected":"e30","signature":"CUJD"}]}`
- _, err := ParseSigned(invalidJWS)
- if err == nil {
- t.Error("Able to parse message with case-invalid headers", invalidJWS)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/json_std.go b/vendor/gopkg.in/square/go-jose.v2/json_std.go
deleted file mode 100644
index cb3c3555..00000000
--- a/vendor/gopkg.in/square/go-jose.v2/json_std.go
+++ /dev/null
@@ -1,31 +0,0 @@
-// +build std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "encoding/json"
-)
-
-func MarshalJSON(v interface{}) ([]byte, error) {
- return json.Marshal(v)
-}
-
-func UnmarshalJSON(data []byte, v interface{}) error {
- return json.Unmarshal(data, v)
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/json_std_test.go b/vendor/gopkg.in/square/go-jose.v2/json_std_test.go
deleted file mode 100644
index 8acd97a4..00000000
--- a/vendor/gopkg.in/square/go-jose.v2/json_std_test.go
+++ /dev/null
@@ -1,124 +0,0 @@
-// +build std_json
-
-/*-
- * Copyright 2014 Square Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jose
-
-import (
- "testing"
-)
-
-type CaseInsensitive struct {
- A int `json:"TEST"`
-}
-
-type UnicodeTest struct {
- Sig string `json:"sig"`
-}
-
-func TestUnicodeComparison(t *testing.T) {
- // Some tests from RFC 7515, Section 10.13
- raw := []byte(`{"\u0073ig":"foo"}`)
- var ut UnicodeTest
- err := UnmarshalJSON(raw, &ut)
- if err != nil {
- t.Error(err)
- }
-
- if ut.Sig != "foo" {
- t.Error("strings 'sig' and '\\u0073ig' should be equal")
- }
-}
-
-func TestCaseInsensitiveJSON(t *testing.T) {
- raw := []byte(`{"test":42}`)
- var ci CaseInsensitive
- err := UnmarshalJSON(raw, &ci)
- if err != nil {
- t.Error(err)
- }
-
- if ci.A != 42 {
- t.Errorf("parsing JSON should be case-insensitive (got %v)", ci)
- }
-}
-
-func TestParseCaseInsensitiveJWE(t *testing.T) {
- invalidJWE := `{"protected":"eyJlbmMiOiJYWVoiLCJBTEciOiJYWVoifQo","encrypted_key":"QUJD","iv":"QUJD","ciphertext":"QUJD","tag":"QUJD"}`
- _, err := ParseEncrypted(invalidJWE)
- if err != nil {
- t.Error("Unable to parse message with case-invalid headers", invalidJWE)
- }
-}
-
-func TestParseCaseInsensitiveJWS(t *testing.T) {
- invalidJWS := `{"PAYLOAD":"CUJD","signatures":[{"protected":"e30","signature":"CUJD"}]}`
- _, err := ParseSigned(invalidJWS)
- if err != nil {
- t.Error("Unable to parse message with case-invalid headers", invalidJWS)
- }
-}
-
-var JWKSetDuplicates = stripWhitespace(`{
- "keys": [{
- "kty": "RSA",
- "kid": "exclude-me",
- "use": "sig",
- "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT
- -O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqV
- wGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-
- oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde
- 3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuC
- LqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5g
- HdrNP5zw",
- "e": "AQAB"
- }],
- "keys": [{
- "kty": "RSA",
- "kid": "include-me",
- "use": "sig",
- "n": "n4EPtAOCc9AlkeQHPzHStgAbgs7bTZLwUBZdR8_KuKPEHLd4rHVTeT
- -O-XV2jRojdNhxJWTDvNd7nqQ0VEiZQHz_AJmSCpMaJMRBSFKrKb2wqV
- wGU_NsYOYL-QtiWN2lbzcEe6XC0dApr5ydQLrHqkHHig3RBordaZ6Aj-
- oBHqFEHYpPe7Tpe-OfVfHd1E6cS6M1FZcD1NNLYD5lFHpPI9bTwJlsde
- 3uhGqC0ZCuEHg8lhzwOHrtIQbS0FVbb9k3-tVTU4fg_3L_vniUFAKwuC
- LqKnS2BYwdq_mzSnbLY7h_qixoR7jig3__kRhuaxwUkRz5iaiQkqgc5g
- HdrNP5zw",
- "e": "AQAB"
- }],
- "custom": "exclude-me",
- "custom": "include-me"
- }`)
-
-func TestDuplicateJWKSetMembersIgnored(t *testing.T) {
- type CustomSet struct {
- JSONWebKeySet
- CustomMember string `json:"custom"`
- }
- data := []byte(JWKSetDuplicates)
- var set CustomSet
- UnmarshalJSON(data, &set)
- if len(set.Keys) != 1 {
- t.Error("expected only one key in set")
- }
- if set.Keys[0].KeyID != "include-me" {
- t.Errorf("expected key with kid: \"include-me\", got: %s", set.Keys[0].KeyID)
- }
- if set.CustomMember != "include-me" {
- t.Errorf("expected custom member value: \"include-me\", got: %s", set.CustomMember)
- }
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
index b3358a63..b6e29c6a 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
@@ -18,6 +18,7 @@ package jose
import (
"encoding/base64"
+ "encoding/json"
"fmt"
"strings"
)
@@ -112,7 +113,7 @@ func ParseEncrypted(input string) (*JSONWebEncryption, error) {
// parseEncryptedFull parses a message in compact format.
func parseEncryptedFull(input string) (*JSONWebEncryption, error) {
var parsed rawJSONWebEncryption
- err := UnmarshalJSON([]byte(input), &parsed)
+ err := json.Unmarshal([]byte(input), &parsed)
if err != nil {
return nil, err
}
@@ -134,7 +135,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
}
if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
- err := UnmarshalJSON(parsed.Protected.bytes(), &obj.protected)
+ err := json.Unmarshal(parsed.Protected.bytes(), &obj.protected)
if err != nil {
return nil, fmt.Errorf("square/go-jose: invalid protected header: %s, %s", err, parsed.Protected.base64())
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwk.go b/vendor/gopkg.in/square/go-jose.v2/jwk.go
index 0b5b238a..9abe3002 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwk.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwk.go
@@ -21,10 +21,15 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
+ "crypto/x509"
+ "encoding/base64"
+ "errors"
"fmt"
"math/big"
"reflect"
"strings"
+
+ "gopkg.in/square/go-jose.v2/json"
)
// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@@ -49,14 +54,17 @@ type rawJSONWebKey struct {
Dp *byteBuffer `json:"dp,omitempty"`
Dq *byteBuffer `json:"dq,omitempty"`
Qi *byteBuffer `json:"qi,omitempty"`
+ // Certificates
+ X5c []string `json:"x5c,omitempty"`
}
// JSONWebKey represents a public or private key in JWK format.
type JSONWebKey struct {
- Key interface{}
- KeyID string
- Algorithm string
- Use string
+ Key interface{}
+ Certificates []*x509.Certificate
+ KeyID string
+ Algorithm string
+ Use string
}
// MarshalJSON serializes the given key to its JSON representation.
@@ -87,13 +95,17 @@ func (k JSONWebKey) MarshalJSON() ([]byte, error) {
raw.Alg = k.Algorithm
raw.Use = k.Use
- return MarshalJSON(raw)
+ for _, cert := range k.Certificates {
+ raw.X5c = append(raw.X5c, base64.StdEncoding.EncodeToString(cert.Raw))
+ }
+
+ return json.Marshal(raw)
}
// UnmarshalJSON reads a key from its JSON representation.
func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
var raw rawJSONWebKey
- err = UnmarshalJSON(data, &raw)
+ err = json.Unmarshal(data, &raw)
if err != nil {
return err
}
@@ -121,6 +133,19 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
if err == nil {
*k = JSONWebKey{Key: key, KeyID: raw.Kid, Algorithm: raw.Alg, Use: raw.Use}
}
+
+ k.Certificates = make([]*x509.Certificate, len(raw.X5c))
+ for i, cert := range raw.X5c {
+ raw, err := base64.StdEncoding.DecodeString(cert)
+ if err != nil {
+ return err
+ }
+ k.Certificates[i], err = x509.ParseCertificate(raw)
+ if err != nil {
+ return err
+ }
+ }
+
return
}
@@ -192,7 +217,17 @@ func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error) {
return h.Sum(nil), nil
}
-// Valid checks that the key contains the expected parameters
+// IsPublic returns true if the JWK represents a public key (not symmetric, not private).
+func (k *JSONWebKey) IsPublic() bool {
+ switch k.Key.(type) {
+ case *ecdsa.PublicKey, *rsa.PublicKey:
+ return true
+ default:
+ return false
+ }
+}
+
+// Valid checks that the key contains the expected parameters.
func (k *JSONWebKey) Valid() bool {
if k.Key == nil {
return false
@@ -253,13 +288,20 @@ func (key rawJSONWebKey) ecPublicKey() (*ecdsa.PublicKey, error) {
}
if key.X == nil || key.Y == nil {
- return nil, fmt.Errorf("square/go-jose: invalid EC key, missing x/y values")
+ return nil, errors.New("square/go-jose: invalid EC key, missing x/y values")
+ }
+
+ x := key.X.bigInt()
+ y := key.Y.bigInt()
+
+ if !curve.IsOnCurve(x, y) {
+ return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
}
return &ecdsa.PublicKey{
Curve: curve,
- X: key.X.bigInt(),
- Y: key.Y.bigInt(),
+ X: x,
+ Y: y,
}, nil
}
@@ -368,11 +410,18 @@ func (key rawJSONWebKey) ecPrivateKey() (*ecdsa.PrivateKey, error) {
return nil, fmt.Errorf("square/go-jose: invalid EC private key, missing x/y/d values")
}
+ x := key.X.bigInt()
+ y := key.Y.bigInt()
+
+ if !curve.IsOnCurve(x, y) {
+ return nil, errors.New("square/go-jose: invalid EC key, X/Y are not on declared curve")
+ }
+
return &ecdsa.PrivateKey{
PublicKey: ecdsa.PublicKey{
Curve: curve,
- X: key.X.bigInt(),
- Y: key.Y.bigInt(),
+ X: x,
+ Y: y,
},
D: key.D.bigInt(),
}, nil
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwk_test.go b/vendor/gopkg.in/square/go-jose.v2/jwk_test.go
index 3009d424..86364bd2 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwk_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwk_test.go
@@ -22,12 +22,57 @@ import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa"
+ "crypto/x509"
"encoding/hex"
"math/big"
"reflect"
"testing"
+
+ "gopkg.in/square/go-jose.v2/json"
)
+// Test chain of two X.509 certificates
+var testCertificates, _ = x509.ParseCertificates(fromBase64Bytes(`
+MIIDfDCCAmSgAwIBAgIJANWAkzF7PA8/MA0GCSqGSIb3DQEBCwUAMFUxCzAJ
+BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEQMA4GA1UEChMHY2VydGlnbzEQMA4G
+A1UECxMHZXhhbXBsZTEVMBMGA1UEAxMMZXhhbXBsZS1sZWFmMB4XDTE2MDYx
+MDIyMTQxMVoXDTIzMDQxNTIyMTQxMVowVTELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgTAkNBMRAwDgYDVQQKEwdjZXJ0aWdvMRAwDgYDVQQLEwdleGFtcGxlMRUw
+EwYDVQQDEwxleGFtcGxlLWxlYWYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQC7stSvfQyGuHw3v34fisqIdDXberrFoFk9ht/WdXgYzX2uLNKd
+sR/J5sbWSl8K/5djpzj31eIzqU69w8v7SChM5x9bouDsABHz3kZucx5cSafE
+gJojysBkcrq3VY+aJanzbL+qErYX+lhRpPcZK6JMWIwar8Y3B2la4yWwieec
+w2/WfEVvG0M/DOYKnR8QHFsfl3US1dnBM84czKPyt9r40gDk2XiH/lGts5a9
+4rAGvbr8IMCtq0mA5aH3Fx3mDSi3+4MZwygCAHrF5O5iSV9rEI+m2+7j2S+j
+HDUnvV+nqcpb9m6ENECnYX8FD2KcqlOjTmw8smDy09N2Np6i464lAgMBAAGj
+TzBNMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAsBgNVHREEJTAj
+hwR/AAABhxAAAAAAAAAAAAAAAAAAAAABgglsb2NhbGhvc3QwDQYJKoZIhvcN
+AQELBQADggEBAGM4aa/qrURUweZBIwZYv8O9b2+r4l0HjGAh982/B9sMlM05
+kojyDCUGvj86z18Lm8mKr4/y+i0nJ+vDIksEvfDuzw5ALAXGcBzPJKtICUf7
+LstA/n9NNpshWz0kld9ylnB5mbUzSFDncVyeXkEf5sGQXdIIZT9ChRBoiloS
+aa7dvBVCcsX1LGP2LWqKtD+7nUnw5qCwtyAVT8pthEUxFTpywoiJS5ZdzeEx
+8MNGvUeLFj2kleqPF78EioEQlSOxViCuctEtnQuPcDLHNFr10byTZY9roObi
+qdsJLMVvb2XliJjAqaPa9AkYwGE6xHw2ispwg64Rse0+AtKups19WIUwggNT
+MIICO6ADAgECAgkAqD4tCWKt9/AwDQYJKoZIhvcNAQELBQAwVTELMAkGA1UE
+BhMCVVMxCzAJBgNVBAgTAkNBMRAwDgYDVQQKEwdjZXJ0aWdvMRAwDgYDVQQL
+EwdleGFtcGxlMRUwEwYDVQQDEwxleGFtcGxlLXJvb3QwHhcNMTYwNjEwMjIx
+NDExWhcNMjMwNDE1MjIxNDExWjBVMQswCQYDVQQGEwJVUzELMAkGA1UECBMC
+Q0ExEDAOBgNVBAoTB2NlcnRpZ28xEDAOBgNVBAsTB2V4YW1wbGUxFTATBgNV
+BAMTDGV4YW1wbGUtcm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMo4ShKI2MxDz/NQVxBbz0tbD5R5NcobA0NKkaPKLyMEpnWVY9ucyauM
+joNn1F568cfOoF0pm3700U8UTPt2MMxEHIi4mFG/OF8UF+Voh1J42Tb42lRo
+W5RRR3ogh4+7QB1G94nxkYddHAJ4QMhUJlLigFg8c6Ff/MxYODy9I7ilLFOM
+Zzsjx8fFpRKRXNQFt471P/V4WTSba7GzdTOJRyTZf/xipF36n8RoEQPvyde8
+pEAsCC4oDOrEiCTdxw8rRJVAU0Wr55XX+qjxyi55C6oykIC/BWR+lUqGd7IL
+Y2Uyt/OVxllt8b+KuVKNCfn4TFlfgizLWkJRs6JV9KuwJ20CAwEAAaMmMCQw
+DgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQAwDQYJKoZIhvcN
+AQELBQADggEBAIsQlTrm9NT6gts0cs4JHp8AutuMrvGyLpIUOlJcEybvgxaz
+LebIMGZek5w3yEJiCyCK9RdNDP3Kdc/+nM6PhvzfPOVo58+0tMCYyEpZVXhD
+zmasNDP4fMbiUpczvx5OwPw/KuhwD+1ITuZUQnQlqXgTYoj9n39+qlgUsHos
+WXHmfzd6Fcz96ADSXg54IL2cEoJ41Q3ewhA7zmWWPLMAl21aex2haiAmzqqN
+xXyfZTnGNnE3lkV1yVguOrqDZyMRdcxDFvxvtmEeMtYV2Mc/zlS9ccrcOkrc
+mZSDxthLu3UMl98NA2NrCGWwzJwpk36vQ0PRSbibsCMarFspP8zbIoU=`))
+
func TestCurveSize(t *testing.T) {
size256 := curveSize(elliptic.P256())
size384 := curveSize(elliptic.P384())
@@ -155,6 +200,38 @@ func TestRoundtripEcPrivate(t *testing.T) {
}
}
+func TestRoundtripX5C(t *testing.T) {
+ jwk := JSONWebKey{
+ Key: rsaTestKey,
+ KeyID: "bar",
+ Algorithm: "foo",
+ Certificates: testCertificates,
+ }
+
+ jsonbar, err := jwk.MarshalJSON()
+ if err != nil {
+ t.Error("problem marshaling", err)
+ }
+
+ var jwk2 JSONWebKey
+ err = jwk2.UnmarshalJSON(jsonbar)
+ if err != nil {
+ t.Error("problem unmarshalling", err)
+ }
+
+ if !reflect.DeepEqual(testCertificates, jwk2.Certificates) {
+ t.Error("Certificates not equal", jwk.Certificates, jwk2.Certificates)
+ }
+
+ jsonbar2, err := jwk2.MarshalJSON()
+ if err != nil {
+ t.Error("problem marshaling", err)
+ }
+ if !bytes.Equal(jsonbar, jsonbar2) {
+ t.Error("roundtrip should not lose information")
+ }
+}
+
func TestMarshalUnmarshal(t *testing.T) {
kid := "DEADBEEF"
@@ -210,7 +287,7 @@ func TestMarshalNonPointer(t *testing.T) {
"n": "vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw"
}`)
var parsedKey JSONWebKey
- err := UnmarshalJSON(keyJSON, &parsedKey)
+ err := json.Unmarshal(keyJSON, &parsedKey)
if err != nil {
t.Errorf("Error unmarshalling key: %v", err)
return
@@ -218,7 +295,7 @@ func TestMarshalNonPointer(t *testing.T) {
ek := EmbedsKey{
Key: parsedKey,
}
- out, err := MarshalJSON(ek)
+ out, err := json.Marshal(ek)
if err != nil {
t.Errorf("Error marshalling JSON: %v", err)
return
@@ -382,6 +459,38 @@ var cookbookJWKs = []string{
"qi":"lSQi-w9CpyUReMErP1RsBLk7wNtOvs5EQpPqmuMvqW57NBUczScEoPwmUqq
abu9V0-Py4dQ57_bapoKRu1R90bvuFnU63SHWEFglZQvJDMeAvmj4sm-Fp0o
Yu_neotgQ0hzbI5gry7ajdYy9-2lNx_76aBZoOUu9HCJ-UsfSOI8"}`),
+
+ // X.509 Certificate Chain
+ stripWhitespace(`{"kty":"RSA",
+ "use":"sig",
+ "kid":"1b94c",
+ "n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
+ PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
+ u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
+ YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
+ MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
+ VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
+ "e":"AQAB",
+ "x5c":
+ ["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
+ gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
+ VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
+ wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
+ NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
+ QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
+ YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
+ YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
+ s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
+ SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
+ fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
+ PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
+ aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
+ QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
+ +9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
+ zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
+ 2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
+ 4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
+ gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]}`),
}
// SHA-256 thumbprints of the above keys, hex-encoded
@@ -390,6 +499,7 @@ var cookbookJWKThumbprints = []string{
"747ae2dd2003664aeeb21e4753fe7402846170a16bc8df8f23a8cf06d3cbe793",
"f63838e96077ad1fc01c3f8405774dedc0641f558ebb4b40dccf5f9b6d66a932",
"0fc478f8579325fcee0d4cbc6d9d1ce21730a6e97e435d6008fb379b0ebe47d4",
+ "0ddb05bfedbec2070fa037324ba397396561d3425d6d69245570c261dc49dee3",
}
func TestWebKeyVectorsValid(t *testing.T) {
@@ -429,16 +539,16 @@ func TestMarshalUnmarshalJWKSet(t *testing.T) {
set.Keys = append(set.Keys, jwk1)
set.Keys = append(set.Keys, jwk2)
- jsonbar, err := MarshalJSON(&set)
+ jsonbar, err := json.Marshal(&set)
if err != nil {
t.Error("problem marshalling set", err)
}
var set2 JSONWebKeySet
- err = UnmarshalJSON(jsonbar, &set2)
+ err = json.Unmarshal(jsonbar, &set2)
if err != nil {
t.Error("problem unmarshalling set", err)
}
- jsonbar2, err := MarshalJSON(&set2)
+ jsonbar2, err := json.Marshal(&set2)
if err != nil {
t.Error("problem marshalling set", err)
}
@@ -467,7 +577,7 @@ func TestJWKSymmetricKey(t *testing.T) {
sample2 := `{"kty":"oct","k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow","kid":"HMAC key used in JWS spec Appendix A.1 example"}`
var jwk1 JSONWebKey
- UnmarshalJSON([]byte(sample1), &jwk1)
+ json.Unmarshal([]byte(sample1), &jwk1)
if jwk1.Algorithm != "A128KW" {
t.Errorf("expected Algorithm to be A128KW, but was '%s'", jwk1.Algorithm)
@@ -478,7 +588,7 @@ func TestJWKSymmetricKey(t *testing.T) {
}
var jwk2 JSONWebKey
- UnmarshalJSON([]byte(sample2), &jwk2)
+ json.Unmarshal([]byte(sample2), &jwk2)
if jwk2.KeyID != "HMAC key used in JWS spec Appendix A.1 example" {
t.Errorf("expected KeyID to be 'HMAC key used in JWS spec Appendix A.1 example', but was '%s'", jwk2.KeyID)
diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
index 0c2978d1..5555f43a 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jws.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
@@ -18,8 +18,11 @@ package jose
import (
"encoding/base64"
+ "errors"
"fmt"
"strings"
+
+ "gopkg.in/square/go-jose.v2/json"
)
// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@@ -40,7 +43,10 @@ type rawSignatureInfo struct {
// JSONWebSignature represents a signed JWS object after parsing.
type JSONWebSignature struct {
- payload []byte
+ payload []byte
+ // Signatures attached to this object (may be more than one for multi-sig).
+ // Be careful about accessing these directly, prefer to use Verify() or
+ // VerifyMulti() to ensure that the data you're getting is verified.
Signatures []Signature
}
@@ -57,7 +63,7 @@ type Signature struct {
original *rawSignatureInfo
}
-// ParseSigned parses an encrypted message in compact or full serialization format.
+// ParseSigned parses a signed message in compact or full serialization format.
func ParseSigned(input string) (*JSONWebSignature, error) {
input = stripWhitespace(input)
if strings.HasPrefix(input, "{") {
@@ -95,7 +101,7 @@ func (obj JSONWebSignature) computeAuthData(signature *Signature) []byte {
// parseSignedFull parses a message in full format.
func parseSignedFull(input string) (*JSONWebSignature, error) {
var parsed rawJSONWebSignature
- err := UnmarshalJSON([]byte(input), &parsed)
+ err := json.Unmarshal([]byte(input), &parsed)
if err != nil {
return nil, err
}
@@ -119,12 +125,13 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
signature := Signature{}
if parsed.Protected != nil && len(parsed.Protected.bytes()) > 0 {
signature.protected = &rawHeader{}
- err := UnmarshalJSON(parsed.Protected.bytes(), signature.protected)
+ err := json.Unmarshal(parsed.Protected.bytes(), signature.protected)
if err != nil {
return nil, err
}
}
+ // Check that there is not a nonce in the unprotected header
if parsed.Header != nil && parsed.Header.Nonce != "" {
return nil, ErrUnprotectedNonce
}
@@ -147,13 +154,20 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
}
signature.Header = signature.mergedHeaders().sanitized()
+
+ // As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
+ jwk := signature.Header.JSONWebKey
+ if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
+ return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
+ }
+
obj.Signatures = append(obj.Signatures, signature)
}
for i, sig := range parsed.Signatures {
if sig.Protected != nil && len(sig.Protected.bytes()) > 0 {
obj.Signatures[i].protected = &rawHeader{}
- err := UnmarshalJSON(sig.Protected.bytes(), obj.Signatures[i].protected)
+ err := json.Unmarshal(sig.Protected.bytes(), obj.Signatures[i].protected)
if err != nil {
return nil, err
}
@@ -164,14 +178,20 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, ErrUnprotectedNonce
}
+ obj.Signatures[i].Header = obj.Signatures[i].mergedHeaders().sanitized()
obj.Signatures[i].Signature = sig.Signature.bytes()
+ // As per RFC 7515 Section 4.1.3, only public keys are allowed to be embedded.
+ jwk := obj.Signatures[i].Header.JSONWebKey
+ if jwk != nil && (!jwk.Valid() || !jwk.IsPublic()) {
+ return nil, errors.New("square/go-jose: invalid embedded jwk, must be public key")
+ }
+
// Copy value of sig
original := sig
obj.Signatures[i].header = sig.Header
obj.Signatures[i].original = &original
- obj.Signatures[i].Header = obj.Signatures[i].mergedHeaders().sanitized()
}
return obj, nil
diff --git a/vendor/gopkg.in/square/go-jose.v2/jws_test.go b/vendor/gopkg.in/square/go-jose.v2/jws_test.go
index c3547b04..abdbc73b 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jws_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jws_test.go
@@ -22,6 +22,16 @@ import (
"testing"
)
+func TestEmbeddedHMAC(t *testing.T) {
+ // protected: {"alg":"HS256", "jwk":{"kty":"oct", "k":"MTEx"}}, aka HMAC key.
+ msg := `{"payload":"TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQ","protected":"eyJhbGciOiJIUzI1NiIsICJqd2siOnsia3R5Ijoib2N0IiwgImsiOiJNVEV4In19","signature":"lvo41ZZsuHwQvSh0uJtEXRR3vmuBJ7in6qMoD7p9jyo"}`
+
+ _, err := ParseSigned(msg)
+ if err == nil {
+ t.Error("should not allow parsing JWS with embedded JWK with HMAC key")
+ }
+}
+
func TestCompactParseJWS(t *testing.T) {
// Should parse
msg := "eyJhbGciOiJYWVoifQ.cGF5bG9hZA.c2lnbmF0dXJl"
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go b/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
index 0fe90b25..969b5a9d 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/builder.go
@@ -17,111 +17,211 @@
package jwt
-import "gopkg.in/square/go-jose.v2"
+import (
+ "reflect"
+
+ "gopkg.in/square/go-jose.v2/json"
+
+ "gopkg.in/square/go-jose.v2"
+)
// Builder is a utility for making JSON Web Tokens. Calls can be chained, and
// errors are accumulated until the final call to CompactSerialize/FullSerialize.
-type Builder struct {
- transform func([]byte) (serializer, payload, error)
- payload payload
- serializer serializer
- err error
-}
-
-type payload func(interface{}) ([]byte, error)
-
-type serializer interface {
- FullSerialize() string
+type Builder interface {
+ // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
+ // into single JSON object.
+ Claims(i interface{}) Builder
+ // Token builds a JSONWebToken from provided data.
+ Token() (*JSONWebToken, error)
+ // FullSerialize serializes a token using the full serialization format.
+ FullSerialize() (string, error)
+ // CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
}
+type builder struct {
+ payload map[string]interface{}
+ err error
+}
+
+type signedBuilder struct {
+ builder
+ sig jose.Signer
+}
+
+type encryptedBuilder struct {
+ builder
+ enc jose.Encrypter
+}
+
// Signed creates builder for signed tokens.
-func Signed(sig jose.Signer) *Builder {
- return &Builder{
- transform: func(b []byte) (serializer, payload, error) {
- s, err := sig.Sign(b)
- if err != nil {
- return nil, nil, err
- }
- return s, s.Verify, nil
- },
+func Signed(sig jose.Signer) Builder {
+ return &signedBuilder{
+ sig: sig,
}
}
// Encrypted creates builder for encrypted tokens.
-func Encrypted(enc jose.Encrypter) *Builder {
- return &Builder{
- transform: func(b []byte) (serializer, payload, error) {
- e, err := enc.Encrypt(b)
- if err != nil {
- return nil, nil, err
- }
- return e, e.Decrypt, nil
- },
+func Encrypted(enc jose.Encrypter) Builder {
+ return &encryptedBuilder{
+ enc: enc,
}
}
-// Claims encodes claims into the builder.
-func (b *Builder) Claims(c interface{}) *Builder {
- if b.transform == nil {
- panic("Signer/Encrypter not set")
+func (b builder) claims(i interface{}) builder {
+ if b.err != nil {
+ return b
}
- if b.payload != nil {
- panic("Claims already set")
- }
-
- raw, err := marshalClaims(c)
- if err != nil {
- return &Builder{
- err: err,
+ m, ok := i.(map[string]interface{})
+ switch {
+ case ok:
+ return b.merge(m)
+ case reflect.Indirect(reflect.ValueOf(i)).Kind() == reflect.Struct:
+ m, err := normalize(i)
+ if err != nil {
+ return builder{
+ err: err,
+ }
+ }
+ return b.merge(m)
+ default:
+ return builder{
+ err: ErrInvalidClaims,
}
}
+}
- ser, pl, err := b.transform(raw)
- return &Builder{
- transform: b.transform,
- serializer: ser,
- payload: pl,
- err: err,
+func normalize(i interface{}) (map[string]interface{}, error) {
+ m := make(map[string]interface{})
+
+ raw, err := json.Marshal(i)
+ if err != nil {
+ return nil, err
+ }
+ if err := json.Unmarshal(raw, &m); err != nil {
+ return nil, err
+ }
+
+ return m, nil
+}
+
+func (b *builder) merge(m map[string]interface{}) builder {
+ p := make(map[string]interface{})
+ for k, v := range b.payload {
+ p[k] = v
+ }
+ for k, v := range m {
+ p[k] = v
+ }
+
+ return builder{
+ payload: p,
}
}
-// Token builds a JSONWebToken from provided data.
-func (b *Builder) Token() (*JSONWebToken, error) {
+func (b *builder) token(p func(interface{}) ([]byte, error), h []jose.Header) (*JSONWebToken, error) {
+ return &JSONWebToken{
+ payload: p,
+ Headers: h,
+ }, nil
+}
+
+func (b *signedBuilder) Claims(i interface{}) Builder {
+ return &signedBuilder{
+ builder: b.builder.claims(i),
+ sig: b.sig,
+ }
+}
+
+func (b *signedBuilder) Token() (*JSONWebToken, error) {
+ sig, err := b.sign()
+ if err != nil {
+ return nil, err
+ }
+
+ h := make([]jose.Header, len(sig.Signatures))
+ for i, v := range sig.Signatures {
+ h[i] = v.Header
+ }
+
+ return b.builder.token(sig.Verify, h)
+}
+
+func (b *signedBuilder) CompactSerialize() (string, error) {
+ sig, err := b.sign()
+ if err != nil {
+ return "", err
+ }
+
+ return sig.CompactSerialize()
+}
+
+func (b *signedBuilder) FullSerialize() (string, error) {
+ sig, err := b.sign()
+ if err != nil {
+ return "", err
+ }
+
+ return sig.FullSerialize(), nil
+}
+
+func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) {
if b.err != nil {
return nil, b.err
}
- if b.payload == nil {
- return nil, ErrInvalidClaims
+ p, err := json.Marshal(b.payload)
+ if err != nil {
+ return nil, err
}
- return &JSONWebToken{b.payload}, nil
+ return b.sig.Sign(p)
}
-// FullSerialize serializes a token using the full serialization format.
-func (b *Builder) FullSerialize() (string, error) {
+func (b *encryptedBuilder) Claims(i interface{}) Builder {
+ return &encryptedBuilder{
+ builder: b.builder.claims(i),
+ enc: b.enc,
+ }
+}
+
+func (b *encryptedBuilder) CompactSerialize() (string, error) {
+ enc, err := b.encrypt()
+ if err != nil {
+ return "", err
+ }
+
+ return enc.CompactSerialize()
+}
+
+func (b *encryptedBuilder) FullSerialize() (string, error) {
+ enc, err := b.encrypt()
+ if err != nil {
+ return "", err
+ }
+
+ return enc.FullSerialize(), nil
+}
+
+func (b *encryptedBuilder) Token() (*JSONWebToken, error) {
+ enc, err := b.encrypt()
+ if err != nil {
+ return nil, err
+ }
+
+ return b.builder.token(enc.Decrypt, []jose.Header{enc.Header})
+}
+
+func (b *encryptedBuilder) encrypt() (*jose.JSONWebEncryption, error) {
if b.err != nil {
- return "", b.err
+ return nil, b.err
}
- if b.serializer == nil {
- return "", ErrInvalidClaims
+ p, err := json.Marshal(b.payload)
+ if err != nil {
+ return nil, err
}
- return b.serializer.FullSerialize(), nil
-}
-
-// CompactSerialize serializes a token using the compact serialization format.
-func (b *Builder) CompactSerialize() (string, error) {
- if b.err != nil {
- return "", b.err
- }
-
- if b.serializer == nil {
- return "", ErrInvalidClaims
- }
-
- return b.serializer.CompactSerialize()
+ return b.enc.Encrypt(p)
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/builder_test.go b/vendor/gopkg.in/square/go-jose.v2/jwt/builder_test.go
new file mode 100644
index 00000000..1738e509
--- /dev/null
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/builder_test.go
@@ -0,0 +1,415 @@
+/*-
+ * Copyright 2016 Zbigniew Mandziejewicz
+ * Copyright 2016 Square, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jwt
+
+import (
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/hex"
+ "encoding/pem"
+ "errors"
+ "io"
+ "reflect"
+ "sort"
+ "testing"
+ "time"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "gopkg.in/square/go-jose.v2"
+)
+
+type testClaims struct {
+ Subject string `json:"sub"`
+}
+
+type invalidMarshalClaims struct {
+}
+
+var errInvalidMarshalClaims = errors.New("Failed marshaling invalid claims.")
+
+func (c invalidMarshalClaims) MarshalJSON() ([]byte, error) {
+ return nil, errInvalidMarshalClaims
+}
+
+var sampleClaims = Claims{
+ Subject: "42",
+ IssuedAt: NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
+ Issuer: "issuer",
+ Audience: Audience{"a1", "a2"},
+}
+
+func TestBuilderCustomClaimsNonPointer(t *testing.T) {
+ jwt, err := Signed(rsaSigner).Claims(testClaims{"foo"}).CompactSerialize()
+ require.NoError(t, err, "Error creating JWT.")
+
+ parsed, err := ParseSigned(jwt)
+ require.NoError(t, err, "Error parsing JWT.")
+
+ out := &testClaims{}
+ if assert.NoError(t, parsed.Claims(&testPrivRSAKey1.PublicKey, out), "Error unmarshaling claims.") {
+ assert.Equal(t, "foo", out.Subject)
+ }
+}
+
+func TestBuilderCustomClaimsPointer(t *testing.T) {
+ jwt, err := Signed(rsaSigner).Claims(&testClaims{"foo"}).CompactSerialize()
+ require.NoError(t, err, "Error creating JWT.")
+
+ parsed, err := ParseSigned(jwt)
+ require.NoError(t, err, "Error parsing JWT.")
+
+ out := &testClaims{}
+ if assert.NoError(t, parsed.Claims(&testPrivRSAKey1.PublicKey, out), "Error unmarshaling claims.") {
+ assert.Equal(t, "foo", out.Subject)
+ }
+}
+
+func TestBuilderMergeClaims(t *testing.T) {
+ jwt, err := Signed(rsaSigner).
+ Claims(&Claims{
+ Subject: "42",
+ }).
+ Claims(map[string]interface{}{
+ "Scopes": []string{"read:users"},
+ }).
+ CompactSerialize()
+ require.NoError(t, err, "Error creating JWT.")
+
+ parsed, err := ParseSigned(jwt)
+ require.NoError(t, err, "Error parsing JWT.")
+
+ out := make(map[string]interface{})
+ if assert.NoError(t, parsed.Claims(&testPrivRSAKey1.PublicKey, &out), "Error unmarshaling claims.") {
+ assert.Equal(t, map[string]interface{}{
+ "sub": "42",
+ "Scopes": []interface{}{"read:users"},
+ }, out)
+ }
+
+ _, err = Signed(rsaSigner).Claims("invalid-claims").Claims(&testClaims{"foo"}).CompactSerialize()
+ assert.Equal(t, err, ErrInvalidClaims)
+
+ _, err = Signed(rsaSigner).Claims(&invalidMarshalClaims{}).CompactSerialize()
+ assert.EqualError(t, err, "json: error calling MarshalJSON for type *jwt.invalidMarshalClaims: Failed marshaling invalid claims.")
+}
+
+func TestSignedFullSerializeAndToken(t *testing.T) {
+ b := Signed(rsaSigner).Claims(&testClaims{"foo"})
+
+ jwt, err := b.FullSerialize()
+ require.NoError(t, err, "Error creating JWT.")
+ parsed, err := ParseSigned(jwt)
+ require.NoError(t, err, "Error parsing JWT.")
+ out := &testClaims{}
+ if assert.NoError(t, parsed.Claims(&testPrivRSAKey1.PublicKey, &out), "Error unmarshaling claims.") {
+ assert.Equal(t, &testClaims{
+ Subject: "foo",
+ }, out)
+ }
+
+ jwt2, err := b.Token()
+ require.NoError(t, err, "Error creating JWT.")
+ out2 := &testClaims{}
+ if assert.NoError(t, jwt2.Claims(&testPrivRSAKey1.PublicKey, &out2), "Error unmarshaling claims.") {
+ assert.Equal(t, &testClaims{
+ Subject: "foo",
+ }, out2)
+ }
+
+ b2 := Signed(rsaSigner).Claims(&invalidMarshalClaims{})
+ _, err = b2.FullSerialize()
+ require.EqualError(t, err, "json: error calling MarshalJSON for type *jwt.invalidMarshalClaims: Failed marshaling invalid claims.")
+ _, err = b2.Token()
+ require.EqualError(t, err, "json: error calling MarshalJSON for type *jwt.invalidMarshalClaims: Failed marshaling invalid claims.")
+}
+
+func TestEncryptedFullSerializeAndToken(t *testing.T) {
+ recipient := jose.Recipient{
+ Algorithm: jose.RSA1_5,
+ Key: testPrivRSAKey1.Public(),
+ }
+ encrypter, err := jose.NewEncrypter(jose.A128CBC_HS256, recipient, nil)
+ require.NoError(t, err, "Error creating encrypter.")
+
+ b := Encrypted(encrypter).Claims(&testClaims{"foo"})
+
+ jwt, err := b.FullSerialize()
+ require.NoError(t, err, "Error creating JWT.")
+ parsed, err := ParseEncrypted(jwt)
+ require.NoError(t, err, "Error parsing JWT.")
+ out := &testClaims{}
+ if assert.NoError(t, parsed.Claims(testPrivRSAKey1, &out)) {
+ assert.Equal(t, &testClaims{
+ Subject: "foo",
+ }, out)
+ }
+
+ jwt2, err := b.Token()
+ require.NoError(t, err, "Error creating JWT.")
+ out2 := &testClaims{}
+ if assert.NoError(t, jwt2.Claims(testPrivRSAKey1, &out2)) {
+ assert.Equal(t, &testClaims{
+ Subject: "foo",
+ }, out2)
+ }
+
+ b2 := Encrypted(encrypter).Claims(&invalidMarshalClaims{})
+
+ _, err = b2.FullSerialize()
+ require.EqualError(t, err, "json: error calling MarshalJSON for type *jwt.invalidMarshalClaims: Failed marshaling invalid claims.")
+ _, err = b2.Token()
+ require.EqualError(t, err, "json: error calling MarshalJSON for type *jwt.invalidMarshalClaims: Failed marshaling invalid claims.")
+}
+
+func TestBuilderHeadersSigner(t *testing.T) {
+ tests := []struct {
+ Keys []*rsa.PrivateKey
+ Claims interface{}
+ }{
+ {
+ Keys: []*rsa.PrivateKey{testPrivRSAKey1},
+ Claims: &Claims{Issuer: "foo"},
+ },
+ {
+ Keys: []*rsa.PrivateKey{testPrivRSAKey1, testPrivRSAKey2},
+ Claims: &Claims{Issuer: "foo"},
+ },
+ }
+
+ for i, tc := range tests {
+ wantKeyIDs := make([]string, len(tc.Keys))
+ signingKeys := make([]jose.SigningKey, len(tc.Keys))
+
+ for j, key := range tc.Keys {
+ keyIDBytes := make([]byte, 20)
+ if _, err := io.ReadFull(rand.Reader, keyIDBytes); err != nil {
+ t.Fatalf("failed to read random bytes: %v", err)
+ }
+ keyID := hex.EncodeToString(keyIDBytes)
+
+ wantKeyIDs[j] = keyID
+ signingKeys[j] = jose.SigningKey{
+ Algorithm: jose.RS256,
+ Key: &jose.JSONWebKey{
+ KeyID: keyID,
+ Algorithm: "RSA",
+ Key: key,
+ },
+ }
+ }
+
+ signer, err := jose.NewMultiSigner(signingKeys, nil)
+ if err != nil {
+ t.Errorf("case %d: NewMultiSigner(): %v", i, err)
+ continue
+ }
+
+ var token string
+ if len(tc.Keys) == 1 {
+ token, err = Signed(signer).Claims(tc.Claims).CompactSerialize()
+ } else {
+ token, err = Signed(signer).Claims(tc.Claims).FullSerialize()
+ }
+ if err != nil {
+ t.Errorf("case %d: failed to create token: %v", i, err)
+ continue
+ }
+ jws, err := jose.ParseSigned(token)
+ if err != nil {
+ t.Errorf("case %d: parse signed: %v", i, err)
+ continue
+ }
+ gotKeyIDs := make([]string, len(jws.Signatures))
+ for i, sig := range jws.Signatures {
+ gotKeyIDs[i] = sig.Header.KeyID
+ }
+ sort.Strings(wantKeyIDs)
+ sort.Strings(gotKeyIDs)
+ if !reflect.DeepEqual(wantKeyIDs, gotKeyIDs) {
+ t.Errorf("case %d: wanted=%q got=%q", i, wantKeyIDs, gotKeyIDs)
+ }
+ }
+}
+
+func TestBuilderHeadersEncrypter(t *testing.T) {
+ key := testPrivRSAKey1
+ claims := &Claims{Issuer: "foo"}
+
+ keyIDBytes := make([]byte, 20)
+ if _, err := io.ReadFull(rand.Reader, keyIDBytes); err != nil {
+ t.Fatalf("failed to read random bytes: %v", err)
+ }
+ keyID := hex.EncodeToString(keyIDBytes)
+
+ wantKeyID := keyID
+ recipient := jose.Recipient{
+ Algorithm: jose.RSA1_5,
+ Key: key.Public(),
+ KeyID: keyID,
+ }
+
+ encrypter, err := jose.NewEncrypter(jose.A128CBC_HS256, recipient, nil)
+ if err != nil {
+ t.Errorf("NewEncrypter(): %v", err)
+ return
+ }
+
+ token, err := Encrypted(encrypter).Claims(claims).CompactSerialize()
+ if err != nil {
+ t.Errorf("failed to create token: %v", err)
+ return
+ }
+ jwe, err := jose.ParseEncrypted(token)
+ if err != nil {
+ t.Errorf("parse signed: %v", err)
+ return
+ }
+ if gotKeyID := jwe.Header.KeyID; gotKeyID != wantKeyID {
+ t.Errorf("wanted=%q got=%q", wantKeyID, gotKeyID)
+ }
+}
+
+func BenchmarkMapClaims(b *testing.B) {
+ m := map[string]interface{}{
+ "sub": "42",
+ "iat": 1451606400,
+ "iss": "issuer",
+ "aud": []string{"a1", "a2"},
+ }
+
+ for i := 0; i < b.N; i++ {
+ Signed(rsaSigner).Claims(m)
+ }
+}
+
+func BenchmarkStructClaims(b *testing.B) {
+ for i := 0; i < b.N; i++ {
+ Signed(rsaSigner).Claims(sampleClaims)
+ }
+}
+
+func BenchmarkSignedCompactSerializeRSA(b *testing.B) {
+ tb := Signed(rsaSigner).Claims(sampleClaims)
+
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ tb.CompactSerialize()
+ }
+}
+
+func BenchmarkSignedCompactSerializeSHA(b *testing.B) {
+ tb := Signed(hmacSigner).Claims(sampleClaims)
+
+ b.ResetTimer()
+ for i := 0; i < b.N; i++ {
+ tb.CompactSerialize()
+ }
+}
+
+func mustUnmarshalRSA(data string) *rsa.PrivateKey {
+ block, _ := pem.Decode([]byte(data))
+ if block == nil {
+ panic("failed to decode PEM data")
+ }
+ key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+ if err != nil {
+ panic("failed to parse RSA key: " + err.Error())
+ }
+ if key, ok := key.(*rsa.PrivateKey); ok {
+ return key
+ }
+ panic("key is not of type *rsa.PrivateKey")
+}
+
+func mustMakeSigner(alg jose.SignatureAlgorithm, k interface{}) jose.Signer {
+ sig, err := jose.NewSigner(jose.SigningKey{Algorithm: alg, Key: k}, nil)
+ if err != nil {
+ panic("failed to create signer:" + err.Error())
+ }
+
+ return sig
+}
+
+var (
+ sharedKey = []byte("secret")
+ sharedEncryptionKey = []byte("itsa16bytesecret")
+
+ testPrivRSAKey1 = mustUnmarshalRSA(`-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDIHBvDHAr7jh8h
+xaqBCl11fjI9YZtdC5b3HtXTXZW3c2dIOImNUjffT8POP6p5OpzivmC1om7iOyuZ
+3nJjC9LT3zqqs3f2i5d4mImxEuqG6uWdryFfkp0uIv5VkjVO+iQWd6pDAPGP7r1Z
+foXCleyCtmyNH4JSkJneNPOk/4BxO8vcvRnCMT/Gv81IT6H+OQ6OovWOuJr8RX9t
+1wuCjC9ezZxeI9ONffhiO5FMrVh5H9LJTl3dPOVa4aEcOvgd45hBmvxAyXqf8daE
+6Kl2O7vQ4uwgnSTVXYIIjCjbepuersApIMGx/XPSgiU1K3Xtah/TBvep+S3VlwPc
+q/QH25S9AgMBAAECggEAe+y8XKYfPw4SxY1uPB+5JSwT3ON3nbWxtjSIYy9Pqp5z
+Vcx9kuFZ7JevQSk4X38m7VzM8282kC/ono+d8yy9Uayq3k/qeOqV0X9Vti1qxEbw
+ECkG1/MqGApfy4qSLOjINInDDV+mOWa2KJgsKgdCwuhKbVMYGB2ozG2qfYIlfvlY
+vLcBEpGWmswJHNmkcjTtGFIyJgPbsI6ndkkOeQbqQKAaadXtG1xUzH+vIvqaUl/l
+AkNf+p4qhPkHsoAWXf1qu9cYa2T8T+mEo79AwlgVC6awXQWNRTiyClDJC7cu6NBy
+ZHXCLFMbalzWF9qeI2OPaFX2x3IBWrbyDxcJ4TSdQQKBgQD/Fp/uQonMBh1h4Vi4
+HlxZdqSOArTitXValdLFGVJ23MngTGV/St4WH6eRp4ICfPyldsfcv6MZpNwNm1Rn
+lB5Gtpqpby1dsrOSfvVbY7U3vpLnd8+hJ/lT5zCYt5Eor46N6iWRkYWzNe4PixiF
+z1puGUvFCbZdeeACVrPLmW3JKQKBgQDI0y9WTf8ezKPbtap4UEE6yBf49ftohVGz
+p4iD6Ng1uqePwKahwoVXKOc179CjGGtW/UUBORAoKRmxdHajHq6LJgsBxpaARz21
+COPy99BUyp9ER5P8vYn63lC7Cpd/K7uyMjaz1DAzYBZIeVZHIw8O9wuGNJKjRFy9
+SZyD3V0ddQKBgFMdohrWH2QVEfnUnT3Q1rJn0BJdm2bLTWOosbZ7G72TD0xAWEnz
+sQ1wXv88n0YER6X6YADziEdQykq8s/HT91F/KkHO8e83zP8M0xFmGaQCOoelKEgQ
+aFMIX3NDTM7+9OoUwwz9Z50PE3SJFAJ1n7eEEoYvNfabQXxBl+/dHEKRAoGAPEvU
+EaiXacrtg8EWrssB2sFLGU/ZrTciIbuybFCT4gXp22pvXXAHEvVP/kzDqsRhLhwb
+BNP6OuSkNziNikpjA5pngZ/7fgZly54gusmW/m5bxWdsUl0iOXVYbeAvPlqGH2me
+LP4Pfs1hw17S/cbT9Z1NE31jbavP4HFikeD73SUCgYEArQfuudml6ei7XZ1Emjq8
+jZiD+fX6e6BD/ISatVnuyZmGj9wPFsEhY2BpLiAMQHMDIvH9nlKzsFvjkTPB86qG
+jCh3D67Os8eSBk5uRC6iW3Fc4DXvB5EFS0W9/15Sl+V5vXAcrNMpYS82OTSMG2Gt
+b9Ym/nxaqyTu0PxajXkKm5Q=
+-----END PRIVATE KEY-----`)
+
+ testPrivRSAKey2 = mustUnmarshalRSA(`-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCxJ09jkXZ5Okyq
+FrEKrs+GTzZRvoLziyzDTIZLJC6BVryau4gaFjuBG+pnm4z53oDP0XVnjFsx1mBw
+R6RHeXlXbxLXsMfJpMzU9I2SRen9DokpD187CAnjLOoN9QRl1h8CA+sqR5Jw9mdl
+mdaBKC99M9QYAPK3vGNfPC4soo8LDSBiemmt5raL4WSfoYh/6qg5rHUTymY28uxV
+ew3I9Yp+3ltIw+WlRDtW5l+MM5CSUofjj2zcgcG3LEuPtvyZ+CSObxxcZZugm9zc
+JdiazNyUxtX8yAj3Xg8Hde0jt0QDXv7A+U0KMVi9lX6PJEaNj4tOhOmQhJVMzAyr
+1W/bifZVAgMBAAECggEAduKnn21GMZLTUi4KP94SvNK55F/Sp7hVoPbhBNpSL1BT
+IBAMBV24LyvZwhAcqq8MiOrLPGNv6+EvNQqPD7xQl0GeRouHeCYVpDA+NdSfc8jm
+eVysjwQVBpTkudsdSW5JvuN8VRJVD2P8/a0gy+p4/C/k/Prd6DoQAiBz6FZrYoEd
+iYgIegHOMXWd4vzO3ENOWSIUI6ci7Aro+Y0Z75kfiVokAGhUcFgrZ58E82fBYh8I
+cxO20oMnucGrLicQzj536jx4wX3Cdd4jr9UVEJ9ZII1ldlp03nZlFLXqJH1547Aq
+ZM+3vVcBGoJ8T9ZQ4VDAL++0K2DLC9JkTARAYCEi/QKBgQDebIc1+2zblhQtVQ/e
+IbEErZcB7v+TkUoRoBfR0lj7bKBFJgRe37fgu1xf95/s63okdnOw/OuQqtGmgx/J
+TL3yULBdNcwTCRm41t+cqoGymjK0VRbqk6CWBId0E3r5TaCVWedk2JI2XwTvIJ1A
+eDiqfJeDHUD44yaonwbysj9ZDwKBgQDL5VQfTppVaJk2PXNwhAkRQklZ8RFmt/7p
+yA3dddQNdwMk4Fl8F7QuO1gBxDiHdnwIrlEOz6fTsM3LwIS+Q12P1vYFIhpo7HDB
+wvjfMwCPxBIS4jI28RgcAf0VbZ/+CHAm6bb9iDwsjXhh1J5oOm5VKnju6/rPH/QY
++md40pnSWwKBgBnKPbdNquafNUG4XjmkcHEZa6wGuU20CAGZLYnfuP+WLdM2wET7
+7cc6ElDyVnHTL/twXKPF/85rcBm9lH7zzgZ9wqVcKoh+gqQDDjSNNLKv3Hc6cojK
+i1E5vzb/Vz/290q5/PGdhv6U7+6GOpWSGwfxoGPMjY8OT5o3rkeP0XaTAoGBALLR
+GQmr4eZtqZDMK+XNpjYgsDvVE7HGRCW7cY17vNFiQruglloiX778BJ7n+7uxye3D
+EwuuSj15ncLHwKMsaW2w1GqEEi1azzjfSWxWSnPLPR6aifdtUfueMtsMHXio5dL6
+vaV0SXG5UI5b7eDy/bhrW0wOYRQtreIKGZz49jZpAoGBAIvxYngkLwmq6g6MmnAc
+YK4oT6YAm2wfSy2mzpEQP5r1igp1rN7T46o7FMUPDLS9wK3ESAaIYe01qT6Yftcc
+5qF+yiOGDTr9XQiHwe4BcyrNEMfUjDhDU5ao2gH8+t1VGr1KspLsUNbedrJwZsY4
+UCZVKEEDHzKfLO/iBgKjJQF7
+-----END PRIVATE KEY-----`)
+
+ rsaSigner = mustMakeSigner(jose.RS256, testPrivRSAKey1)
+ hmacSigner = mustMakeSigner(jose.HS256, sharedKey)
+)
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go b/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
index 4b21015c..60de9400 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/claims.go
@@ -18,66 +18,98 @@
package jwt
import (
+ "encoding/json"
+ "strconv"
"time"
-
- "gopkg.in/square/go-jose.v2"
)
// Claims represents public claim values (as specified in RFC 7519).
type Claims struct {
- Issuer string `json:"-"`
- Subject string `json:"-"`
- Audience []string `json:"-"`
- Expiry time.Time `json:"-"`
- NotBefore time.Time `json:"-"`
- IssuedAt time.Time `json:"-"`
- ID string `json:"-"`
+ Issuer string `json:"iss,omitempty"`
+ Subject string `json:"sub,omitempty"`
+ Audience Audience `json:"aud,omitempty"`
+ Expiry NumericDate `json:"exp,omitempty"`
+ NotBefore NumericDate `json:"nbf,omitempty"`
+ IssuedAt NumericDate `json:"iat,omitempty"`
+ ID string `json:"jti,omitempty"`
}
-type rawClaims struct {
- Iss string `json:"iss,omitempty"`
- Sub string `json:"sub,omitempty"`
- Aud audience `json:"aud,omitempty"`
- Exp NumericDate `json:"exp,omitempty"`
- Nbf NumericDate `json:"nbf,omitempty"`
- Iat NumericDate `json:"iat,omitempty"`
- Jti string `json:"jti,omitempty"`
-}
+// NumericDate represents date and time as the number of seconds since the
+// epoch, including leap seconds. Non-integer values can be represented
+// in the serialized format, but we round to the nearest second.
+type NumericDate int64
-func (c *Claims) marshalJSON() ([]byte, error) {
- t := rawClaims{
- Iss: c.Issuer,
- Sub: c.Subject,
- Aud: audience(c.Audience),
- Exp: TimeToNumericDate(c.Expiry),
- Nbf: TimeToNumericDate(c.NotBefore),
- Iat: TimeToNumericDate(c.IssuedAt),
- Jti: c.ID,
+// NewNumericDate constructs NumericDate from time.Time value.
+func NewNumericDate(t time.Time) NumericDate {
+ if t.IsZero() {
+ return NumericDate(0)
}
- b, err := jose.MarshalJSON(t)
+ // While RFC 7519 technically states that NumericDate values may be
+ // non-integer values, we don't bother serializing timestamps in
+ // claims with sub-second accurancy and just round to the nearest
+ // second instead. Not convined sub-second accuracy is useful here.
+ return NumericDate(t.Unix())
+}
+// MarshalJSON serializes the given NumericDate into its JSON representation.
+func (n NumericDate) MarshalJSON() ([]byte, error) {
+ return []byte(strconv.FormatInt(int64(n), 10)), nil
+}
+
+// UnmarshalJSON reads a date from its JSON representation.
+func (n *NumericDate) UnmarshalJSON(b []byte) error {
+ s := string(b)
+
+ f, err := strconv.ParseFloat(s, 64)
if err != nil {
- return nil, err
+ return ErrUnmarshalNumericDate
}
- return b, err
+ *n = NumericDate(f)
+ return nil
}
-func (c *Claims) unmarshalJSON(b []byte) error {
- t := rawClaims{}
+// Time returns time.Time representation of NumericDate.
+func (n NumericDate) Time() time.Time {
+ return time.Unix(int64(n), 0)
+}
- if err := jose.UnmarshalJSON(b, &t); err != nil {
+// Audience represents the recipents that the token is intended for.
+type Audience []string
+
+// UnmarshalJSON reads an audience from its JSON representation.
+func (s *Audience) UnmarshalJSON(b []byte) error {
+ var v interface{}
+ if err := json.Unmarshal(b, &v); err != nil {
return err
}
- c.Issuer = t.Iss
- c.Subject = t.Sub
- c.Audience = []string(t.Aud)
- c.Expiry = t.Exp.Time()
- c.NotBefore = t.Nbf.Time()
- c.IssuedAt = t.Iat.Time()
- c.ID = t.Jti
+ switch v := v.(type) {
+ case string:
+ *s = []string{v}
+ case []interface{}:
+ a := make([]string, len(v))
+ for i, e := range v {
+ s, ok := e.(string)
+ if !ok {
+ return ErrUnmarshalAudience
+ }
+ a[i] = s
+ }
+ *s = a
+ default:
+ return ErrUnmarshalAudience
+ }
return nil
}
+
+func (s Audience) Contains(v string) bool {
+ for _, a := range s {
+ if a == v {
+ return true
+ }
+ }
+ return false
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/claims_test.go b/vendor/gopkg.in/square/go-jose.v2/jwt/claims_test.go
index 45087534..6799aab2 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/claims_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/claims_test.go
@@ -21,6 +21,8 @@ import (
"testing"
"time"
+ "gopkg.in/square/go-jose.v2/json"
+
"github.com/stretchr/testify/assert"
)
@@ -28,14 +30,15 @@ func TestEncodeClaims(t *testing.T) {
now := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
c := Claims{
- Issuer: "issuer",
- Subject: "subject",
- Audience: []string{"a1", "a2"},
- IssuedAt: now,
- Expiry: now.Add(1 * time.Hour),
+ Issuer: "issuer",
+ Subject: "subject",
+ Audience: Audience{"a1", "a2"},
+ NotBefore: NewNumericDate(time.Time{}),
+ IssuedAt: NewNumericDate(now),
+ Expiry: NewNumericDate(now.Add(1 * time.Hour)),
}
- b, err := c.marshalJSON()
+ b, err := json.Marshal(c)
assert.NoError(t, err)
expected := `{"iss":"issuer","sub":"subject","aud":["a1","a2"],"exp":1451610000,"iat":1451606400}`
@@ -47,12 +50,31 @@ func TestDecodeClaims(t *testing.T) {
now := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
c := Claims{}
- err := c.unmarshalJSON(s)
- assert.NoError(t, err)
+ if err := json.Unmarshal(s, &c); assert.NoError(t, err) {
+ assert.Equal(t, "issuer", c.Issuer)
+ assert.Equal(t, "subject", c.Subject)
+ assert.Equal(t, Audience{"a1", "a2"}, c.Audience)
+ assert.True(t, now.Equal(c.IssuedAt.Time()))
+ assert.True(t, now.Add(1*time.Hour).Equal(c.Expiry.Time()))
+ }
- assert.Equal(t, "issuer", c.Issuer)
- assert.Equal(t, "subject", c.Subject)
- assert.Equal(t, []string{"a1", "a2"}, c.Audience)
- assert.True(t, now.Equal(c.IssuedAt))
- assert.True(t, now.Add(1*time.Hour).Equal(c.Expiry))
+ s2 := []byte(`{"aud": "a1"}`)
+ c2 := Claims{}
+ if err := json.Unmarshal(s2, &c2); assert.NoError(t, err) {
+ assert.Equal(t, Audience{"a1"}, c2.Audience)
+ }
+
+ invalid := []struct {
+ Raw string
+ Err error
+ }{
+ {`{"aud": 5}`, ErrUnmarshalAudience},
+ {`{"aud": ["foo", 5, "bar"]}`, ErrUnmarshalAudience},
+ {`{"exp": "invalid"}`, ErrUnmarshalNumericDate},
+ }
+
+ for _, v := range invalid {
+ c := Claims{}
+ assert.Equal(t, v.Err, json.Unmarshal([]byte(v.Raw), &c))
+ }
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/example_test.go b/vendor/gopkg.in/square/go-jose.v2/jwt/example_test.go
new file mode 100644
index 00000000..9d4ee007
--- /dev/null
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/example_test.go
@@ -0,0 +1,200 @@
+/*-
+ * Copyright 2016 Zbigniew Mandziejewicz
+ * Copyright 2016 Square, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package jwt_test
+
+import (
+ "fmt"
+ "strings"
+ "time"
+
+ "gopkg.in/square/go-jose.v2"
+ "gopkg.in/square/go-jose.v2/jwt"
+)
+
+var sharedKey = []byte("secret")
+var sharedEncryptionKey = []byte("itsa16bytesecret")
+var signer, _ = jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: sharedKey}, &jose.SignerOptions{})
+
+func ExampleParseSigned() {
+ raw := `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
+ tok, err := jwt.ParseSigned(raw)
+ if err != nil {
+ panic(err)
+ }
+
+ out := jwt.Claims{}
+ if err := tok.Claims(sharedKey, &out); err != nil {
+ panic(err)
+ }
+ fmt.Printf("iss: %s, sub: %s\n", out.Issuer, out.Subject)
+ // Output: iss: issuer, sub: subject
+}
+
+func ExampleParseEncrypted() {
+ key := []byte("itsa16bytesecret")
+ raw := `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..jg45D9nmr6-8awml.z-zglLlEw9MVkYHi-Znd9bSwc-oRGbqKzf9WjXqZxno.kqji2DiZHZmh-1bLF6ARPw`
+ tok, err := jwt.ParseEncrypted(raw)
+ if err != nil {
+ panic(err)
+ }
+
+ out := jwt.Claims{}
+ if err := tok.Claims(key, &out); err != nil {
+ panic(err)
+ }
+ fmt.Printf("iss: %s, sub: %s\n", out.Issuer, out.Subject)
+ //Output: iss: issuer, sub: subject
+}
+
+func ExampleClaims_Validate() {
+ cl := jwt.Claims{
+ Subject: "subject",
+ Issuer: "issuer",
+ NotBefore: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
+ Expiry: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 15, 0, 0, time.UTC)),
+ Audience: jwt.Audience{"leela", "fry"},
+ }
+
+ err := cl.Validate(jwt.Expected{
+ Issuer: "issuer",
+ Time: time.Date(2016, 1, 1, 0, 10, 0, 0, time.UTC),
+ })
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Printf("valid!")
+ // Output: valid!
+}
+
+func ExampleClaims_Validate_withParse() {
+ raw := `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
+ tok, err := jwt.ParseSigned(raw)
+ if err != nil {
+ panic(err)
+ }
+
+ cl := jwt.Claims{}
+ if err := tok.Claims(sharedKey, &cl); err != nil {
+ panic(err)
+ }
+
+ err = cl.Validate(jwt.Expected{
+ Issuer: "issuer",
+ Subject: "subject",
+ })
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Printf("valid!")
+ // Output: valid!
+}
+
+func ExampleSigned() {
+ key := []byte("secret")
+ sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, &jose.SignerOptions{})
+ if err != nil {
+ panic(err)
+ }
+
+ cl := jwt.Claims{
+ Subject: "subject",
+ Issuer: "issuer",
+ NotBefore: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
+ Audience: jwt.Audience{"leela", "fry"},
+ }
+ raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Println(raw)
+ // Output: eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOlsibGVlbGEiLCJmcnkiXSwiaXNzIjoiaXNzdWVyIiwibmJmIjoxLjQ1MTYwNjRlKzA5LCJzdWIiOiJzdWJqZWN0In0.uazfxZNgnlLdNDK7JkuYj3LlT4jSyEDG8EWISBPUuME
+}
+
+func ExampleEncrypted() {
+ enc, err := jose.NewEncrypter(jose.A128GCM, jose.Recipient{Algorithm: jose.DIRECT, Key: sharedEncryptionKey}, nil)
+ if err != nil {
+ panic(err)
+ }
+
+ cl := jwt.Claims{
+ Subject: "subject",
+ Issuer: "issuer",
+ }
+ raw, err := jwt.Encrypted(enc).Claims(cl).CompactSerialize()
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Println(raw)
+}
+
+func ExampleSigned_multipleClaims() {
+ c := &jwt.Claims{
+ Subject: "subject",
+ Issuer: "issuer",
+ }
+ c2 := struct {
+ Scopes []string
+ }{
+ []string{"foo", "bar"},
+ }
+ raw, err := jwt.Signed(signer).Claims(c).Claims(c2).CompactSerialize()
+ if err != nil {
+ panic(err)
+ }
+
+ fmt.Println(raw)
+ // Output: eyJhbGciOiJIUzI1NiJ9.eyJTY29wZXMiOlsiZm9vIiwiYmFyIl0sImlzcyI6Imlzc3VlciIsInN1YiI6InN1YmplY3QifQ.esKOIsmwkudr_gnfnB4SngxIr-7pspd5XzG3PImfQ6Y
+}
+
+func ExampleJSONWebToken_Claims_map() {
+ raw := `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
+ tok, err := jwt.ParseSigned(raw)
+ if err != nil {
+ panic(err)
+ }
+
+ out := make(map[string]interface{})
+ if err := tok.Claims(sharedKey, &out); err != nil {
+ panic(err)
+ }
+
+ fmt.Printf("iss: %s, sub: %s\n", out["iss"], out["sub"])
+ // Output: iss: issuer, sub: subject
+}
+
+func ExampleJSONWebToken_Claims_multiple() {
+ raw := `eyJhbGciOiJIUzI1NiJ9.eyJTY29wZXMiOlsiZm9vIiwiYmFyIl0sImlzcyI6Imlzc3VlciIsInN1YiI6InN1YmplY3QifQ.esKOIsmwkudr_gnfnB4SngxIr-7pspd5XzG3PImfQ6Y`
+ tok, err := jwt.ParseSigned(raw)
+ if err != nil {
+ panic(err)
+ }
+
+ out := jwt.Claims{}
+ out2 := struct {
+ Scopes []string
+ }{}
+ if err := tok.Claims(sharedKey, &out, &out2); err != nil {
+ panic(err)
+ }
+ fmt.Printf("iss: %s, sub: %s, scopes: %s\n", out.Issuer, out.Subject, strings.Join(out2.Scopes, ","))
+ // Output: iss: issuer, sub: subject, scopes: foo,bar
+}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/json.go b/vendor/gopkg.in/square/go-jose.v2/jwt/json.go
deleted file mode 100644
index 8a49c968..00000000
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/json.go
+++ /dev/null
@@ -1,179 +0,0 @@
-/*-
- * Copyright 2016 Zbigniew Mandziejewicz
- * Copyright 2016 Square, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package jwt
-
-import (
- "math"
- "reflect"
- "strconv"
- "time"
-
- "gopkg.in/square/go-jose.v2"
-)
-
-// NumericDate represents date and time as the number of seconds since the
-// epoch, including leap seconds. Non-integer values can be represented
-// in the serialized format, but we round to the nearest second.
-type NumericDate int64
-
-// TimeToNumericDate converts time.Time value into NumericDate.
-func TimeToNumericDate(t time.Time) NumericDate {
- if t.IsZero() {
- return NumericDate(0)
- }
-
- // While RFC 7519 technically states that NumericDate values may be
- // non-integer values, we don't bother serializing timestamps in
- // claims with sub-second accurancy and just round to the nearest
- // second instead. Not convined sub-second accuracy is useful here.
- return NumericDate(t.Unix())
-}
-
-// MarshalJSON serializes the given NumericDate into its JSON representation.
-func (n NumericDate) MarshalJSON() ([]byte, error) {
- return []byte(strconv.FormatInt(int64(n), 10)), nil
-}
-
-// UnmarshalJSON reads a date from its JSON representation.
-func (n *NumericDate) UnmarshalJSON(b []byte) error {
- s := string(b)
-
- f, err := strconv.ParseFloat(s, 64)
- if err != nil {
- return ErrUnmarshalNumericDate
- }
-
- *n = NumericDate(f)
- return nil
-}
-
-// Time returns time.Time representation of NumericDate.
-func (n NumericDate) Time() time.Time {
- i, f := math.Modf(float64(n))
- return time.Unix(int64(i), int64(f*float64(time.Second)))
-}
-
-type audience []string
-
-func (s *audience) UnmarshalJSON(b []byte) error {
- var v interface{}
- if err := jose.UnmarshalJSON(b, &v); err != nil {
- return err
- }
-
- switch v := v.(type) {
- case string:
- *s = append(*s, v)
- case []interface{}:
- a := make([]string, len(v))
- for i, e := range v {
- s, ok := e.(string)
- if !ok {
- return ErrUnmarshalAudience
- }
- a[i] = s
- }
- *s = a
- default:
- return ErrUnmarshalAudience
- }
-
- return nil
-}
-
-var claimsType = reflect.TypeOf((*Claims)(nil)).Elem()
-
-func publicClaims(cl interface{}) (*Claims, error) {
- v := reflect.ValueOf(cl)
- if v.IsNil() || v.Kind() != reflect.Ptr || v.Elem().Kind() != reflect.Struct {
- return nil, ErrInvalidClaims
- }
-
- v = v.Elem()
- f := v.FieldByName("Claims")
- if !f.IsValid() || f.Type() != claimsType {
- return nil, nil
- }
-
- c := f.Addr().Interface().(*Claims)
- return c, nil
-}
-
-func marshalClaims(cl interface{}) ([]byte, error) {
- switch cl := cl.(type) {
- case *Claims:
- return cl.marshalJSON()
- case map[string]interface{}:
- return jose.MarshalJSON(cl)
- }
-
- public, err := publicClaims(cl)
- if err != nil {
- return nil, err
- }
- // i doesn't contain nested jwt.Claims
- if public == nil {
- return jose.MarshalJSON(cl)
- }
-
- // marshal jwt.Claims
- b1, err := public.marshalJSON()
- if err != nil {
- return nil, err
- }
-
- // marshal private claims
- b2, err := jose.MarshalJSON(cl)
- if err != nil {
- return nil, err
- }
-
- // merge claims
- r := make([]byte, len(b1)+len(b2)-1)
- copy(r, b1)
- r[len(b1)-1] = ','
- copy(r[len(b1):], b2[1:])
-
- return r, nil
-}
-
-func unmarshalClaims(b []byte, cl interface{}) error {
- switch cl := cl.(type) {
- case *Claims:
- return cl.unmarshalJSON(b)
- case map[string]interface{}:
- return jose.UnmarshalJSON(b, cl)
- }
-
- if err := jose.UnmarshalJSON(b, cl); err != nil {
- return err
- }
-
- public, err := publicClaims(cl)
- if err != nil {
- return err
- }
- // unmarshal jwt.Claims
- if public != nil {
- if err := public.unmarshalJSON(b); err != nil {
- return err
- }
- }
-
- return nil
-}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go b/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
index 6ad6fbe0..73adfcc2 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go
@@ -17,20 +17,31 @@
package jwt
-import "gopkg.in/square/go-jose.v2"
+import (
+ "gopkg.in/square/go-jose.v2"
+ "gopkg.in/square/go-jose.v2/json"
+)
// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
type JSONWebToken struct {
payload func(k interface{}) ([]byte, error)
+ Headers []jose.Header
}
// Claims deserializes a JSONWebToken into dest using the provided key.
-func (t *JSONWebToken) Claims(dest interface{}, key interface{}) error {
+func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
b, err := t.payload(key)
if err != nil {
return err
}
- return unmarshalClaims(b, dest)
+
+ for _, d := range dest {
+ if err := json.Unmarshal(b, d); err != nil {
+ return err
+ }
+ }
+
+ return nil
}
// ParseSigned parses token from JWS form.
@@ -39,8 +50,12 @@ func ParseSigned(s string) (*JSONWebToken, error) {
if err != nil {
return nil, err
}
+ headers := make([]jose.Header, len(sig.Signatures))
+ for i, signature := range sig.Signatures {
+ headers[i] = signature.Header
+ }
- return &JSONWebToken{sig.Verify}, nil
+ return &JSONWebToken{sig.Verify, headers}, nil
}
// ParseEncrypted parses token from JWE form.
@@ -50,5 +65,5 @@ func ParseEncrypted(s string) (*JSONWebToken, error) {
return nil, err
}
- return &JSONWebToken{enc.Decrypt}, nil
+ return &JSONWebToken{enc.Decrypt, []jose.Header{enc.Header}}, nil
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt_test.go b/vendor/gopkg.in/square/go-jose.v2/jwt/jwt_test.go
index 515b6462..d322da3a 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/jwt_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/jwt_test.go
@@ -21,57 +21,96 @@ import (
"testing"
"github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "gopkg.in/square/go-jose.v2"
)
-var encryptionKey = []byte("secret")
-var rawToken = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdWJqZWN0IiwiaXNzIjoiaXNzdWVyIiwic2NvcGVzIjpbInMxIiwiczIiXX0.Y6_PfQHrzRJ_Vlxij5VI07-pgDIuJNN3Z_g5sSaGQ0c`
+var (
+ hmacSignedToken = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdWJqZWN0IiwiaXNzIjoiaXNzdWVyIiwic2NvcGVzIjpbInMxIiwiczIiXX0.Y6_PfQHrzRJ_Vlxij5VI07-pgDIuJNN3Z_g5sSaGQ0c`
+ rsaSignedToken = `eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzY29wZXMiOlsiczEiLCJzMiJdLCJzdWIiOiJzdWJqZWN0In0.UDDtyK9gC9kyHltcP7E_XODsnqcJWZIiXeGmSAH7SE9YKy3N0KSfFIN85dCNjTfs6zvy4rkrCHzLB7uKAtzMearh3q7jL4nxbhUMhlUcs_9QDVoN4q_j58XmRqBqRnBk-RmDu9TgcV8RbErP4awpIhwWb5UU-hR__4_iNbHdKqwSUPDKYGlf5eicuiYrPxH8mxivk4LRD-vyRdBZZKBt0XIDnEU4TdcNCzAXojkftqcFWYsczwS8R4JHd1qYsMyiaWl4trdHZkO4QkeLe34z4ZAaPMt3wE-gcU-VoqYTGxz-K3Le2VaZ0r3j_z6bOInsv0yngC_cD1dCXMyQJWnWjQ`
+ invalidPayloadSignedToken = `eyJhbGciOiJIUzI1NiJ9.aW52YWxpZC1wYXlsb2Fk.ScBKKm18jcaMLGYDNRUqB5gVMRZl4DM6dh3ShcxeNgY`
+ invalidPartsSignedToken = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdWJqZWN0IiwiaXNzIjoiaXNzdWVyIiwic2NvcGVzIjpbInMxIiwiczIiXX0`
+ hmacEncryptedToken = `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..NZrU98U4QNO0y-u6.HSq5CvlmkUT1BPqLGZ4.1-zuiZ4RbHrTTUoA8Dvfhg`
+ rsaEncryptedToken = `eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.IvkVHHiI8JwwavvTR80xGjYvkzubMrZ-TDDx8k8SNJMEylfFfNUc7F2rC3WAABF_xmJ3SW2A6on-S6EAG97k0RsjqHHNqZuaFpDvjeuLqZFfYKzI45aCtkGG4C2ij2GbeySqJ784CcvFJPUWJ-6VPN2Ho2nhefUSqig0jE2IvOKy1ywTj_VBVBxF_dyXFnXwxPKGUQr3apxrWeRJfDh2Cf8YPBlLiRznjfBfwgePB1jP7WCZNwItj10L7hsT_YWEx01XJcbxHaXFLwKyVzwWaDhreFyaWMRbGqEfqVuOT34zfmhLDhQlgLLwkXrvYqX90NsQ9Ftg0LLIfRMbsfdgug.BFy2Tj1RZN8yq2Lk-kMiZQ.9Z0eOyPiv5cEzmXh64RlAQ36Uvz0WpZgqRcc2_69zHTmUOv0Vnl1I6ks8sTraUEvukAilolNBjBj47s0b4b-Og.VM8-eJg5ZsqnTqs0LtGX_Q`
+ invalidPayloadEncryptedToken = `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..T4jCS4Yyw1GCH0aW.y4gFaMITdBs_QZM8RKrL.6MPyk1cMVaOJFoNGlEuaRQ`
+ invalidPartsEncryptedToken = `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..NZrU98U4QNO0y-u6.HSq5CvlmkUT1BPqLGZ4`
+)
type customClaims struct {
- Claims
Scopes []string `json:"scopes,omitempty"`
}
func TestDecodeToken(t *testing.T) {
- tok, err := ParseSigned(rawToken)
- assert.NoError(t, err)
- c := &Claims{}
- if assert.NoError(t, tok.Claims(c, encryptionKey)) {
- assert.Equal(t, c.Subject, "subject")
- assert.Equal(t, c.Issuer, "issuer")
+ tok, err := ParseSigned(hmacSignedToken)
+ if assert.NoError(t, err, "Error parsing signed token.") {
+ c := &Claims{}
+ c2 := &customClaims{}
+ if assert.NoError(t, tok.Claims(sharedKey, c, c2)) {
+ assert.Equal(t, "subject", c.Subject)
+ assert.Equal(t, "issuer", c.Issuer)
+ assert.Equal(t, []string{"s1", "s2"}, c2.Scopes)
+ }
+ }
+ assert.EqualError(t, tok.Claims([]byte("invalid-secret")), "square/go-jose: error in cryptographic primitive")
+
+ tok2, err := ParseSigned(rsaSignedToken)
+ if assert.NoError(t, err, "Error parsing encrypted token.") {
+ c := make(map[string]interface{})
+ if assert.NoError(t, tok2.Claims(&testPrivRSAKey1.PublicKey, &c)) {
+ assert.Equal(t, map[string]interface{}{
+ "sub": "subject",
+ "iss": "issuer",
+ "scopes": []interface{}{"s1", "s2"},
+ }, c)
+ }
+ }
+ assert.EqualError(t, tok.Claims(&testPrivRSAKey2.PublicKey), "square/go-jose: error in cryptographic primitive")
+
+ tok3, err := ParseSigned(invalidPayloadSignedToken)
+ if assert.NoError(t, err, "Error parsing signed token.") {
+ assert.Error(t, tok3.Claims(sharedKey, &Claims{}), "Expected unmarshaling claims to fail.")
}
- c2 := &customClaims{}
- if assert.NoError(t, tok.Claims(c2, encryptionKey)) {
- assert.Equal(t, c2.Subject, "subject")
- assert.Equal(t, c2.Issuer, "issuer")
- assert.Equal(t, c2.Scopes, []string{"s1", "s2"})
+ _, err = ParseSigned(invalidPartsSignedToken)
+ assert.EqualError(t, err, "square/go-jose: compact JWS format must have three parts")
+
+ tok4, err := ParseEncrypted(hmacEncryptedToken)
+ if assert.NoError(t, err, "Error parsing encrypted token.") {
+ c := Claims{}
+ if assert.NoError(t, tok4.Claims(sharedEncryptionKey, &c)) {
+ assert.Equal(t, "foo", c.Subject)
+ }
+ }
+ assert.EqualError(t, tok4.Claims([]byte("invalid-secret-key")), "square/go-jose: error in cryptographic primitive")
+
+ tok5, err := ParseEncrypted(rsaEncryptedToken)
+ if assert.NoError(t, err, "Error parsing encrypted token.") {
+ c := make(map[string]interface{})
+ if assert.NoError(t, tok5.Claims(testPrivRSAKey1, &c)) {
+ assert.Equal(t, map[string]interface{}{
+ "sub": "subject",
+ "iss": "issuer",
+ "scopes": []interface{}{"s1", "s2"},
+ }, c)
+ }
+ }
+ assert.EqualError(t, tok5.Claims(testPrivRSAKey2), "square/go-jose: error in cryptographic primitive")
+
+ tok6, err := ParseEncrypted(invalidPayloadEncryptedToken)
+ if assert.NoError(t, err, "Error parsing encrypted token.") {
+ assert.Error(t, tok6.Claims(sharedEncryptionKey, &Claims{}))
+ }
+
+ _, err = ParseEncrypted(invalidPartsEncryptedToken)
+ assert.EqualError(t, err, "square/go-jose: compact JWE format must have five parts")
+}
+
+func BenchmarkDecodeSignedToken(b *testing.B) {
+ for i := 0; i < b.N; i++ {
+ ParseSigned(hmacSignedToken)
}
}
-func TestEncodeToken(t *testing.T) {
- signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: encryptionKey}, &jose.SignerOptions{})
- require.NoError(t, err)
-
- c := &customClaims{
- Claims: Claims{
- Subject: "subject",
- Issuer: "issuer",
- },
- Scopes: []string{"s1", "s2"},
- }
-
- raw, err := Signed(signer).Claims(c).CompactSerialize()
- require.NoError(t, err)
-
- tok, err := ParseSigned(raw)
- require.NoError(t, err)
-
- c2 := &customClaims{}
- if assert.NoError(t, tok.Claims(c2, encryptionKey)) {
- assert.Equal(t, c2.Subject, "subject")
- assert.Equal(t, c2.Issuer, "issuer")
- assert.Equal(t, c2.Scopes, []string{"s1", "s2"})
+func BenchmarkDecodeEncryptedHMACToken(b *testing.B) {
+ for i := 0; i < b.N; i++ {
+ ParseEncrypted(hmacEncryptedToken)
}
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go b/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
index c84fc7ff..143af3dc 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/validation.go
@@ -24,13 +24,19 @@ const (
DefaultLeeway = 1.0 * time.Minute
)
-// Expected defines values used for claims validation.
+// Expected defines values used for protected claims validation.
+// If field has zero value then validation is skipped.
type Expected struct {
- Issuer string
- Subject string
- Audience []string
- ID string
- Time time.Time
+ // Issuer matches the "iss" claim exactly.
+ Issuer string
+ // Subject matches the "sub" claim exactly.
+ Subject string
+ // Audience matches the values in "aud" claim, regardless of their order.
+ Audience Audience
+ // ID matches the "jti" claim exactly.
+ ID string
+ // Time matches the "exp" and "ebf" claims with leeway.
+ Time time.Time
}
// WithTime copies expectations with new time.
@@ -68,18 +74,18 @@ func (c Claims) ValidateWithLeeway(e Expected, leeway time.Duration) error {
return ErrInvalidAudience
}
- for i, a := range e.Audience {
- if a != c.Audience[i] {
+ for _, v := range e.Audience {
+ if !c.Audience.Contains(v) {
return ErrInvalidAudience
}
}
}
- if !e.Time.IsZero() && e.Time.Add(leeway).Before(c.NotBefore) {
+ if !e.Time.IsZero() && e.Time.Add(leeway).Before(c.NotBefore.Time()) {
return ErrNotValidYet
}
- if !e.Time.IsZero() && e.Time.Add(-leeway).After(c.Expiry) {
+ if !e.Time.IsZero() && e.Time.Add(-leeway).After(c.Expiry.Time()) {
return ErrExpired
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/jwt/validation_test.go b/vendor/gopkg.in/square/go-jose.v2/jwt/validation_test.go
index a534b89a..952ddcc6 100644
--- a/vendor/gopkg.in/square/go-jose.v2/jwt/validation_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/jwt/validation_test.go
@@ -32,28 +32,32 @@ func TestFieldsMatch(t *testing.T) {
ID: "42",
}
- assert.NoError(t, c.Validate(Expected{Issuer: "issuer"}))
- err := c.Validate(Expected{Issuer: "invalid-issuer"})
- if assert.Error(t, err) {
- assert.Equal(t, err, ErrInvalidIssuer)
+ valid := []Expected{
+ {Issuer: "issuer"},
+ {Subject: "subject"},
+ {Audience: Audience{"a1", "a2"}},
+ {Audience: Audience{"a2", "a1"}},
+ {ID: "42"},
}
- assert.NoError(t, c.Validate(Expected{Subject: "subject"}))
- err = c.Validate(Expected{Subject: "invalid-subject"})
- if assert.Error(t, err) {
- assert.Equal(t, err, ErrInvalidSubject)
+ for _, v := range valid {
+ assert.NoError(t, c.Validate(v))
}
- assert.NoError(t, c.Validate(Expected{Audience: []string{"a1", "a2"}}))
- err = c.Validate(Expected{Audience: []string{"invalid-audience"}})
- if assert.Error(t, err) {
- assert.Equal(t, err, ErrInvalidAudience)
+ invalid := []struct {
+ Expected Expected
+ Error error
+ }{
+ {Expected{Issuer: "invalid-issuer"}, ErrInvalidIssuer},
+ {Expected{Subject: "invalid-subject"}, ErrInvalidSubject},
+ {Expected{Audience: Audience{"a1"}}, ErrInvalidAudience},
+ {Expected{Audience: Audience{"a1", "invalid-audience"}}, ErrInvalidAudience},
+ {Expected{Audience: Audience{"invalid-audience"}}, ErrInvalidAudience},
+ {Expected{ID: "invalid-id"}, ErrInvalidID},
}
- assert.NoError(t, c.Validate(Expected{ID: "42"}))
- err = c.Validate(Expected{ID: "invalid-id"})
- if assert.Error(t, err) {
- assert.Equal(t, err, ErrInvalidID)
+ for _, v := range invalid {
+ assert.Equal(t, v.Error, c.Validate(v.Expected))
}
}
@@ -62,9 +66,9 @@ func TestExpiryAndNotBefore(t *testing.T) {
twelveHoursAgo := now.Add(-12 * time.Hour)
c := Claims{
- IssuedAt: twelveHoursAgo,
- NotBefore: twelveHoursAgo,
- Expiry: now,
+ IssuedAt: NewNumericDate(twelveHoursAgo),
+ NotBefore: NewNumericDate(twelveHoursAgo),
+ Expiry: NewNumericDate(now),
}
// expired - default leeway (1 minute)
diff --git a/vendor/gopkg.in/square/go-jose.v2/signing.go b/vendor/gopkg.in/square/go-jose.v2/signing.go
index a834e619..c314b125 100644
--- a/vendor/gopkg.in/square/go-jose.v2/signing.go
+++ b/vendor/gopkg.in/square/go-jose.v2/signing.go
@@ -20,6 +20,7 @@ import (
"crypto/ecdsa"
"crypto/rsa"
"encoding/base64"
+ "errors"
"fmt"
)
@@ -185,13 +186,50 @@ func (ctx *genericSigner) Sign(payload []byte) (*JSONWebSignature, error) {
}
// Verify validates the signature on the object and returns the payload.
+// This function does not support multi-signature, if you desire multi-sig
+// verification use VerifyMulti instead.
+//
+// Be careful when verifying signatures based on embedded JWKs inside the
+// payload header. You cannot assume that the key received in a payload is
+// trusted.
func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error) {
verifier, err := newVerifier(verificationKey)
if err != nil {
return nil, err
}
- for _, signature := range obj.Signatures {
+ if len(obj.Signatures) > 1 {
+ return nil, errors.New("square/go-jose: too many signatures in payload; expecting only one")
+ }
+
+ signature := obj.Signatures[0]
+ headers := signature.mergedHeaders()
+ if len(headers.Crit) > 0 {
+ // Unsupported crit header
+ return nil, ErrCryptoFailure
+ }
+
+ input := obj.computeAuthData(&signature)
+ alg := SignatureAlgorithm(headers.Alg)
+ err = verifier.verifyPayload(input, signature.Signature, alg)
+ if err == nil {
+ return obj.payload, nil
+ }
+
+ return nil, ErrCryptoFailure
+}
+
+// VerifyMulti validates (one of the multiple) signatures on the object and
+// returns the index of the signature that was verified, along with the signature
+// object and the payload. We return the signature and index to guarantee that
+// callers are getting the verified value.
+func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error) {
+ verifier, err := newVerifier(verificationKey)
+ if err != nil {
+ return -1, Signature{}, nil, err
+ }
+
+ for i, signature := range obj.Signatures {
headers := signature.mergedHeaders()
if len(headers.Crit) > 0 {
// Unsupported crit header
@@ -202,9 +240,9 @@ func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error)
alg := SignatureAlgorithm(headers.Alg)
err := verifier.verifyPayload(input, signature.Signature, alg)
if err == nil {
- return obj.payload, nil
+ return i, signature, obj.payload, nil
}
}
- return nil, ErrCryptoFailure
+ return -1, Signature{}, nil, ErrCryptoFailure
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/signing_test.go b/vendor/gopkg.in/square/go-jose.v2/signing_test.go
index 9502bc5b..de287f5b 100644
--- a/vendor/gopkg.in/square/go-jose.v2/signing_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/signing_test.go
@@ -24,6 +24,8 @@ import (
"fmt"
"io"
"testing"
+
+ "gopkg.in/square/go-jose.v2/json"
)
type staticNonceSource string
@@ -223,43 +225,45 @@ func TestMultiRecipientJWS(t *testing.T) {
input := []byte("Lorem ipsum dolor sit amet")
obj, err := signer.Sign(input)
if err != nil {
- t.Error("error on sign: ", err)
- return
+ t.Fatal("error on sign: ", err)
}
_, err = obj.CompactSerialize()
if err == nil {
- t.Error("message with multiple recipient was compact serialized")
+ t.Fatal("message with multiple recipient was compact serialized")
}
msg := obj.FullSerialize()
obj, err = ParseSigned(msg)
if err != nil {
- t.Error("error on parse: ", err)
- return
+ t.Fatal("error on parse: ", err)
}
- output, err := obj.Verify(&rsaTestKey.PublicKey)
+ i, _, output, err := obj.VerifyMulti(&rsaTestKey.PublicKey)
if err != nil {
- t.Error("error on verify: ", err)
- return
+ t.Fatal("error on verify: ", err)
+ }
+
+ if i != 0 {
+ t.Fatal("signature index should be 0 for RSA key")
}
if bytes.Compare(output, input) != 0 {
- t.Error("input/output do not match", output, input)
- return
+ t.Fatal("input/output do not match", output, input)
}
- output, err = obj.Verify(sharedKey)
+ i, _, output, err = obj.VerifyMulti(sharedKey)
if err != nil {
- t.Error("error on verify: ", err)
- return
+ t.Fatal("error on verify: ", err)
+ }
+
+ if i != 1 {
+ t.Fatal("signature index should be 1 for EC key")
}
if bytes.Compare(output, input) != 0 {
- t.Error("input/output do not match", output, input)
- return
+ t.Fatal("input/output do not match", output, input)
}
}
@@ -344,12 +348,12 @@ func TestSignerKid(t *testing.T) {
}
var jsonmsi map[string]interface{}
- err = UnmarshalJSON(jsonbar, &jsonmsi)
+ err = json.Unmarshal(jsonbar, &jsonmsi)
if err != nil {
t.Error("problem unmarshalling base JWK", err)
}
jsonmsi["kid"] = kid
- jsonbar2, err := MarshalJSON(jsonmsi)
+ jsonbar2, err := json.Marshal(jsonmsi)
if err != nil {
t.Error("problem marshalling kided JWK", err)
}
diff --git a/vendor/gopkg.in/square/go-jose.v2/utils_test.go b/vendor/gopkg.in/square/go-jose.v2/utils_test.go
index 96f55ab8..09440303 100644
--- a/vendor/gopkg.in/square/go-jose.v2/utils_test.go
+++ b/vendor/gopkg.in/square/go-jose.v2/utils_test.go
@@ -44,7 +44,7 @@ func fromBase64Int(encoded string) *big.Int {
re := regexp.MustCompile(`\s+`)
val, err := base64.RawURLEncoding.DecodeString(re.ReplaceAllString(encoded, ""))
if err != nil {
- panic("Invalid test data")
+ panic("Invalid test data: " + err.Error())
}
return new(big.Int).SetBytes(val)
}