Switch to go-jose v4

letsencrypt · Feb 27, 2024 · ef66822 · ef66822
1 parent 5b7dc87
commit ef66822
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 9 deletions.
diff --git a/core/types.go b/core/types.go
@@ -11,8 +11,9 @@ import (
 	"sync"
 	"time"
 
+	"github.com/go-jose/go-jose/v4"
+
 	"github.com/letsencrypt/pebble/v2/acme"
-	"gopkg.in/square/go-jose.v2"
 )
 
 type Order struct {

diff --git a/db/memorystore.go b/db/memorystore.go
@@ -16,7 +16,7 @@ import (
 	"sync"
 	"time"
 
-	"gopkg.in/square/go-jose.v2"
+	"github.com/go-jose/go-jose/v4"
 
 	"github.com/letsencrypt/pebble/v2/acme"
 	"github.com/letsencrypt/pebble/v2/core"

diff --git a/go.mod b/go.mod
@@ -3,9 +3,9 @@ module github.com/letsencrypt/pebble/v2
 go 1.21
 
 require (
+	github.com/go-jose/go-jose/v4 v4.0.0
 	github.com/letsencrypt/challtestsrv v1.3.2
 	github.com/miekg/dns v1.1.58
-	gopkg.in/square/go-jose.v2 v2.6.0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -1,5 +1,7 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-jose/go-jose/v4 v4.0.0 h1:gHOVQyfrqsagdy/Yj9PTz5HMYzr3UpYh1CcFpktmRoY=
+github.com/go-jose/go-jose/v4 v4.0.0/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/letsencrypt/challtestsrv v1.3.2 h1:pIDLBCLXR3B1DLmOmkkqg29qVa7DDozBnsOpL9PxmAY=
@@ -30,7 +32,5 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.18.0 h1:k8NLag8AGHnn+PHbl7g43CtqZAwG60vZkLqgyZgIHgQ=
 golang.org/x/tools v0.18.0/go.mod h1:GL7B4CwcLLeo59yx/9UWWuNOW1n3VZ4f5axWfML7Lcg=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/wfe/jose.go b/wfe/jose.go
@@ -12,9 +12,13 @@ import (
 
 	"github.com/letsencrypt/pebble/v2/acme"
 
-	"gopkg.in/square/go-jose.v2"
+	jose "github.com/go-jose/go-jose/v4"
 )
 
+var goodJWSSignatureAlgorithms = []jose.SignatureAlgorithm{
+	jose.RS256, jose.ES256, jose.ES384, jose.ES512,
+}
+
 func algorithmForKey(key *jose.JSONWebKey) (string, error) {
 	switch k := key.Key.(type) {
 	case *rsa.PublicKey:

diff --git a/wfe/wfe.go b/wfe/wfe.go
@@ -26,7 +26,7 @@ import (
 	"time"
 	"unicode"
 
-	"gopkg.in/square/go-jose.v2"
+	"github.com/go-jose/go-jose/v4"
 
 	"github.com/letsencrypt/pebble/v2/acme"
 	"github.com/letsencrypt/pebble/v2/ca"
@@ -684,7 +684,7 @@ func (wfe *WebFrontEndImpl) parseJWS(body string) (*jose.JSONWebSignature, error
 			"JWS \"signatures\" field not allowed. Only the \"signature\" field should contain a signature")
 	}
 
-	parsedJWS, err := jose.ParseSigned(body)
+	parsedJWS, err := jose.ParseSigned(body, goodJWSSignatureAlgorithms)
 	if err != nil {
 		return nil, fmt.Errorf("Parse error reading JWS: %w", err)
 	}
@@ -2787,7 +2787,7 @@ func (wfe *WebFrontEndImpl) verifyEAB(
 			fmt.Sprintf("failed to encode external account binding JSON structure: %s", err))
 	}
 
-	eab, err := jose.ParseSigned(string(eabBytes))
+	eab, err := jose.ParseSigned(string(eabBytes), goodJWSSignatureAlgorithms)
 	if err != nil {
 		return nil, acme.MalformedProblem(
 			fmt.Sprintf("failed to decode external account binding: %s", err))