Upgrade go.step.sm/crypto to use go-jose/v3

pull/1647/head
Mariano Cano 5 months ago
parent 2c42907b4e
commit b20af51f32

@ -25,7 +25,7 @@ func TestKeyToID(t *testing.T) {
jwk.Key = "foo"
return test{
jwk: jwk,
err: NewErrorISE("error generating jwk thumbprint: square/go-jose: unknown key type 'string'"),
err: NewErrorISE("error generating jwk thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok": func(t *testing.T) test {

@ -449,11 +449,11 @@ func verifyAndExtractJWSPayload(next nextHTTP) nextHTTP {
// the JWK by patching the JWS signatures if they're determined to be too short.
//
// Generally this shouldn't happen, but we've observed this to be the case with
// the macOS ACME client, which seems to omit (at least one) leading null byte(s).
// The error returned is `square/go-jose: error in cryptographic primitive`, which
// is a sentinel error that hides the details of the actual underlying error, which
// is as follows: `square/go-jose: invalid signature size, have 63 bytes, wanted 64`,
// for ES256.
// the macOS ACME client, which seems to omit (at least one) leading null
// byte(s). The error returned is `go-jose/go-jose: error in cryptographic
// primitive`, which is a sentinel error that hides the details of the actual
// underlying error, which is as follows: `go-jose/go-jose: invalid signature
// size, have 63 bytes, wanted 64`, for ES256.
func retryVerificationWithPatchedSignatures(jws *jose.JSONWebSignature, jwk *jose.JSONWebKey) (data []byte, err error) {
originalSignatureValues := make([][]byte, len(jws.Signatures))
patched := false

@ -356,7 +356,7 @@ func TestHandler_parseJWS(t *testing.T) {
return test{
body: strings.NewReader("foo"),
statusCode: 400,
err: acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: square/go-jose: compact JWS format must have three parts"),
err: acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: go-jose/go-jose: compact JWS format must have three parts"),
}
},
"ok": func(t *testing.T) test {
@ -480,7 +480,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
return test{
ctx: ctx,
statusCode: 400,
err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
}
},
"fail/verify-jws-failure-too-many-signatures": func(t *testing.T) test {
@ -492,7 +492,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
return test{
ctx: ctx,
statusCode: 400,
err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: too many signatures in payload; expecting only one"),
err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: too many signatures in payload; expecting only one"),
}
},
"fail/apple-acmeclient-omitting-leading-null-byte-in-signature-with-wrong-jwk": func(t *testing.T) test {
@ -507,7 +507,7 @@ func TestHandler_verifyAndExtractJWSPayload(t *testing.T) {
return test{
ctx: ctx,
statusCode: 400,
err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
}
},
"fail/algorithm-mismatch": func(t *testing.T) test {
@ -1817,7 +1817,7 @@ func Test_retryVerificationWithPatchedSignatures(t *testing.T) {
{"ok/patched-r", patchedR, patchedRJWK, []byte(`test-1105`), `AK0D2CmH5Xyp5YASqg3lrCR9kyeohwJ6Lu7Bc15ZmA-AK16i32LqqLVhESq52tsH84dKbu1EljtoM5TqkSvaqg`, nil},
{"ok/patched-s", patchedS, patchedSJWK, []byte(`test-66`), `krtSKSgVB04oqx6i9QLeal_wZSnjV1_PSIM3AubT0WQASMZ4Zf8mG1aWt4ud6d3VFuek7T-v0lGW6B-kryxzMw`, nil},
{"ok/patched-rs", patchedRS, patchedRSJWK, []byte(`test-9067`), `ANq_zMtfaEYO5ln_SOSU5DWKfKLXxDM_sl0QPJbWUwAApnHIku6ulUSCJyY0i27uV9wKsatOAjc5vJ7-BJojJw`, nil},
{"fail/patched-r-wrong-jwk", patchedRWithWrongJWK, patchedRSJWK, nil, `rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq`, errors.New("square/go-jose: error in cryptographic primitive")},
{"fail/patched-r-wrong-jwk", patchedRWithWrongJWK, patchedRSJWK, nil, `rQPYKYflfKnlgBKqDeWsJH2TJ6iHAnou7sFzXlmYD4ArXqLfYuqotWERKrna2wfzh0pu7USWO2gzlOqRK9qq`, errors.New("go-jose/go-jose: error in cryptographic primitive")},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

@ -1279,7 +1279,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
}
},
"wrap-subject": func(t *testing.T) test {
acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: square/go-jose: error in cryptographic primitive")
acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: go-jose/go-jose: error in cryptographic primitive")
acmeErr.Status = http.StatusForbidden
acmeErr.Detail = "No authorization provided for name test.example.com"
cert := &x509.Certificate{
@ -1288,7 +1288,7 @@ func Test_wrapUnauthorizedError(t *testing.T) {
},
}
return test{
err: errors.New("square/go-jose: error in cryptographic primitive"),
err: errors.New("go-jose/go-jose: error in cryptographic primitive"),
cert: cert,
unauthorizedIdentifiers: []acme.Identifier{},
msg: "verification of jws using certificate public key failed",

@ -354,7 +354,7 @@ func TestKeyAuthorization(t *testing.T) {
return test{
token: "1234",
jwk: jwk,
err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok": func(t *testing.T) test {
@ -1089,7 +1089,7 @@ func TestHTTP01Validate(t *testing.T) {
},
},
jwk: jwk,
err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok/key-auth-mismatch": func(t *testing.T) test {
@ -1389,7 +1389,7 @@ func TestDNS01Validate(t *testing.T) {
},
},
jwk: jwk,
err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"fail/key-auth-mismatch-store-error": func(t *testing.T) test {
@ -2141,7 +2141,7 @@ func TestTLSALPN01Validate(t *testing.T) {
},
srv: srv,
jwk: jwk,
err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok/error-no-extension": func(t *testing.T) test {

@ -817,7 +817,7 @@ func Test_doTPMAttestationFormat(t *testing.T) {
"certInfo": params.CreateAttestation,
"pubArea": params.Public,
},
}}, nil, newInternalServerError("failed creating key auth digest: error generating JWK thumbprint: square/go-jose: unknown key type '[]uint8'")},
}}, nil, newInternalServerError("failed creating key auth digest: error generating JWK thumbprint: go-jose/go-jose: unknown key type '[]uint8'")},
{"fail different keyAuthorization", args{ctx, mustAttestationProvisioner(t, acaRoot), &Challenge{Token: "aDifferentToken"}, jwk, &attestationObject{
Format: "tpm",
AttStatement: map[string]interface{}{

@ -28,14 +28,11 @@ import (
"github.com/go-chi/chi/v5"
"github.com/pkg/errors"
sassert "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"go.step.sm/crypto/jose"
"go.step.sm/crypto/x509util"
"golang.org/x/crypto/ssh"
squarejose "gopkg.in/square/go-jose.v2"
"github.com/smallstep/assert"
"github.com/smallstep/certificates/authority"
"github.com/smallstep/certificates/authority/provisioner"
@ -658,7 +655,7 @@ func TestSignRequest_Validate(t *testing.T) {
}
if err := s.Validate(); err != nil {
if assert.NotNil(t, tt.err) {
assert.HasPrefix(t, err.Error(), tt.err.Error())
assert.True(t, strings.HasPrefix(err.Error(), tt.err.Error()))
}
} else {
assert.Nil(t, tt.err)
@ -1259,10 +1256,10 @@ func Test_Provisioners(t *testing.T) {
expectedError400 := errs.BadRequest("limit 'abc' is not an integer")
expectedError400Bytes, err := json.Marshal(expectedError400)
assert.FatalError(t, err)
require.NoError(t, err)
expectedError500 := errs.InternalServer("force")
expectedError500Bytes, err := json.Marshal(expectedError500)
assert.FatalError(t, err)
require.NoError(t, err)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
mockMustAuthority(t, tt.fields.Authority)
@ -1329,7 +1326,7 @@ func Test_ProvisionerKey(t *testing.T) {
expected := []byte(`{"key":"` + privKey + `"}`)
expectedError404 := errs.NotFound("force")
expectedError404Bytes, err := json.Marshal(expectedError404)
assert.FatalError(t, err)
require.NoError(t, err)
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@ -1578,7 +1575,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
"x": "7ZdAAMZCFU4XwgblI5RfZouBi8lYmF6DlZusNNnsbm8",
"y": "sQr2JdzwD2fgyrymBEXWsxDxFNjjqN64qLLSbLdLZ9Y",
}
key := squarejose.JSONWebKey{}
key := jose.JSONWebKey{}
b, err := json.Marshal(k)
require.NoError(t, err)
err = json.Unmarshal(b, &key)
@ -1644,11 +1641,11 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
}
expBytes, err := json.Marshal(expected)
sassert.NoError(t, err)
assert.NoError(t, err)
br, err := r.MarshalJSON()
sassert.NoError(t, err)
sassert.JSONEq(t, string(expBytes), string(br))
assert.NoError(t, err)
assert.JSONEq(t, string(expBytes), string(br))
keyCopy := key
expList := provisioner.List{
@ -1674,7 +1671,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
}
// MarshalJSON must not affect the struct properties itself
sassert.Equal(t, expList, r.Provisioners)
assert.Equal(t, expList, r.Provisioners)
}
const (
@ -1693,14 +1690,14 @@ func TestLogSSHCertificate(t *testing.T) {
rl := logging.NewResponseLogger(w)
LogSSHCertificate(rl, cert)
sassert.Equal(t, 200, w.Result().StatusCode)
assert.Equal(t, 200, w.Result().StatusCode)
fields := rl.Fields()
sassert.Equal(t, uint64(14376510277651266987), fields["serial"])
sassert.Equal(t, []string{"herman"}, fields["principals"])
sassert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate", fields["certificate-type"])
sassert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
sassert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
sassert.Equal(t, "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", fields["certificate"])
sassert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
assert.Equal(t, uint64(14376510277651266987), fields["serial"])
assert.Equal(t, []string{"herman"}, fields["principals"])
assert.Equal(t, "ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate", fields["certificate-type"])
assert.Equal(t, time.Unix(1674129191, 0).Format(time.RFC3339), fields["valid-from"])
assert.Equal(t, time.Unix(1674186851, 0).Format(time.RFC3339), fields["valid-to"])
assert.Equal(t, "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", fields["certificate"])
assert.Equal(t, "SHA256:RvkDPGwl/G9d7LUFm1kmWhvOD9I/moPq4yxcb0STwr0 (ECDSA-CERT)", fields["public-key"])
}
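Review bot: The replacement line `assert.True(t, strings.HasPrefix(err.Error(), tt.err.Error()))` in TestSignRequest_Validate reports only "Should be true" when it fails, whereas the removed `assert.HasPrefix` printed both strings; pass the values as the message so a mismatch stays diagnosable: `assert.True(t, strings.HasPrefix(err.Error(), tt.err.Error()), "got %q, want prefix %q", err.Error(), tt.err.Error())`. The import hunk shows only the third-party group, so confirm `strings` is imported in this file. TestSignRequest_Validate starts and ends outside the hunk.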

@ -6,8 +6,8 @@ import (
"reflect"
"testing"
"github.com/go-jose/go-jose/v3"
"github.com/stretchr/testify/assert"
"gopkg.in/square/go-jose.v2"
"go.step.sm/linkedca"

@ -171,10 +171,10 @@ func TestJWK_authorizeToken(t *testing.T) {
{"fail-token", p1, args{failTok}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk token")},
{"fail-key", p1, args{failKey}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token is expired (exp)")},
{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token not valid yet (nbf)")},
{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token is expired (exp)")},
{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)")},
{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk token audience claim (aud)")},
{"fail-subject", p1, args{failSub}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; jwk token subject cannot be empty")},
{"ok", p1, args{t1}, http.StatusOK, nil},
@ -218,7 +218,7 @@ func TestJWK_AuthorizeRevoke(t *testing.T) {
code int
err error
}{
{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
{"ok", p1, args{t1}, http.StatusOK, nil},
}
for _, tt := range tests {
@ -266,7 +266,7 @@ func TestJWK_AuthorizeSign(t *testing.T) {
prov: p1,
args: args{failSig},
code: http.StatusUnauthorized,
err: errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive"),
err: errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive"),
},
{
name: "ok-sans",

@ -97,7 +97,7 @@ func TestK8sSA_authorizeToken(t *testing.T) {
p: p,
token: tok,
code: http.StatusUnauthorized,
err: errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
err: errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
}
},
"ok": func(t *testing.T) test {

@ -233,11 +233,11 @@ func TestOIDC_authorizeToken(t *testing.T) {
{"fail-key", p1, args{failKey}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; cannot validate oidc token`)},
{"fail-token", p1, args{failTok}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; error parsing oidc token: invalid character '~' looking for beginning of value`)},
{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; error parsing oidc token claims: invalid character '~' looking for beginning of value`)},
{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, invalid issuer claim (iss)`)},
{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, invalid audience claim (aud)`)},
{"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)`)},
{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: go-jose/go-jose/jwt: validation failed, invalid audience claim (aud)`)},
{"fail-signature", p1, args{failSig}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken; cannot validate oidc token`)},
{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, token is expired (exp)`)},
{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: square/go-jose/jwt: validation failed, token not valid yet (nbf)`)},
{"fail-expired", p1, args{failExp}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: go-jose/go-jose/jwt: validation failed, token is expired (exp)`)},
{"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, "", errors.New(`oidc.AuthorizeToken: validatePayload: failed to validate oidc token payload: go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)`)},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {

@ -10,7 +10,6 @@ import (
"os"
"github.com/pkg/errors"
"gopkg.in/square/go-jose.v2/jwt"
"go.step.sm/cli-utils/step"
"go.step.sm/cli-utils/ui"
@ -146,7 +145,7 @@ func (a *Authority) unsafeLoadProvisionerFromDatabase(crt *x509.Certificate) (pr
// LoadProvisionerByToken returns an interface to the provisioner that
// provisioned the token.
func (a *Authority) LoadProvisionerByToken(token *jwt.JSONWebToken, claims *jwt.Claims) (provisioner.Interface, error) {
func (a *Authority) LoadProvisionerByToken(token *jose.JSONWebToken, claims *jose.Claims) (provisioner.Interface, error) {
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
p, ok := a.provisioners.LoadByToken(token, claims)
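Review bot: `LoadProvisionerByToken` is an exported method and its parameter types change from `*jwt.JSONWebToken`/`*jwt.Claims` to `*jose.JSONWebToken`/`*jose.Claims`; this stays source-compatible for external callers only if go.step.sm/crypto/jose declares these as type aliases of the go-jose/v3 jwt types rather than as new named types, which the hunk does not show. Once confirmed, the doc comment should say which library's types callers must pass, e.g. `// token and claims are the go-jose/v3 jwt types as re-exported by go.step.sm/crypto/jose.` The import hunk removes `gopkg.in/square/go-jose.v2/jwt` without adding a `jose` import, so it is presumably already imported in this file. The method body continues past the hunk.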

@ -176,7 +176,7 @@ func (c *ACMEClient) post(payload []byte, url string, headerOps ...withHeaderOpt
}
signed, err := signer.Sign(payload)
if err != nil {
return nil, errors.Errorf("error signing payload: %s", strings.TrimPrefix(err.Error(), "square/go-jose: "))
return nil, errors.Errorf("error signing payload: %s", jose.TrimPrefix(err))
}
raw, err := serialize(signed)
if err != nil {

@ -37,7 +37,6 @@ import (
"golang.org/x/net/http2"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
"gopkg.in/square/go-jose.v2/jwt"
)
// DisableIdentity is a global variable to disable the identity.
@ -1374,7 +1373,7 @@ func (c *Client) RootFingerprintWithContext(ctx context.Context) (string, error)
// CreateSignRequest is a helper function that given an x509 OTT returns a
// simple but secure sign request as well as the private key used.
func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error) {
token, err := jwt.ParseSigned(ott)
token, err := jose.ParseSigned(ott)
if err != nil {
return nil, nil, errors.Wrap(err, "error parsing ott")
}
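Review bot: `jose.ParseSigned(ott)` on the first line of CreateSignRequest only decodes the compact JWS; nothing in the hunk verifies its signature, yet the doc comment directly above promises a "simple but secure sign request". If the claims are read here without verification and the OTT is verified by the CA when the request is submitted, the comment should state that split, e.g. `// The OTT is parsed but not verified here; the CA verifies it when the sign request is submitted.` The function body continues past the hunk, so this is inferred from what is visible.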

@ -33,10 +33,10 @@ func Test_jwkIssuer_SignToken(t *testing.T) {
RA *raInfo `json:"ra"`
}
type claims struct {
Aud []string `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
Step stepClaims `json:"step"`
Aud jose.Audience `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
Step stepClaims `json:"step"`
}
tests := []struct {
name string
@ -72,7 +72,7 @@ func Test_jwkIssuer_SignToken(t *testing.T) {
}
var c claims
want := claims{
Aud: []string{tt.fields.caURL.String() + "/1.0/sign"},
Aud: jose.Audience{tt.fields.caURL.String() + "/1.0/sign"},
Sub: tt.args.subject,
Sans: tt.args.sans,
}
@ -80,6 +80,7 @@ func Test_jwkIssuer_SignToken(t *testing.T) {
want.Step.RA = tt.args.info
}
if err := jwt.Claims(testX5CKey.Public(), &c); err != nil {
t.Log(got)
t.Errorf("jwt.Claims() error = %v", err)
}
if !reflect.DeepEqual(c, want) {
@ -109,9 +110,9 @@ func Test_jwkIssuer_RevokeToken(t *testing.T) {
subject string
}
type claims struct {
Aud []string `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
Aud jose.Audience `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
}
tests := []struct {
name string
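Review bot: The `Aud` fields change from `[]string` to `jose.Audience` without a comment explaining why; the reason appears to be that go-jose/v3 serializes a single-element `aud` as a bare JSON string, which `[]string` cannot decode, while `jose.Audience` accepts both forms. Record that next to the field, e.g. `Aud jose.Audience \`json:"aud"\` // accepts a bare string or an array; go-jose/v3 emits a single audience as a string`; the same applies to the `claims` structs in Test_jwkIssuer_RevokeToken and in the x5cIssuer tests that follow. Since this changes the wire format of tokens issued with one audience, confirm every consumer that parses `aud` tolerates the string form. Separately, the added `t.Log(got)` before `t.Errorf` could be folded into the failure message, `t.Errorf("jwt.Claims() error = %v; token = %v", err, got)`, so the token is printed only alongside the error it explains.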

@ -58,10 +58,10 @@ func Test_x5cIssuer_SignToken(t *testing.T) {
RA *raInfo `json:"ra"`
}
type claims struct {
Aud []string `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
Step stepClaims `json:"step"`
Aud jose.Audience `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
Step stepClaims `json:"step"`
}
tests := []struct {
name string
@ -132,9 +132,9 @@ func Test_x5cIssuer_RevokeToken(t *testing.T) {
subject string
}
type claims struct {
Aud []string `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
Aud jose.Audience `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
}
tests := []struct {
name string

@ -10,6 +10,7 @@ require (
github.com/dgraph-io/badger/v2 v2.2007.4
github.com/fxamacker/cbor/v2 v2.5.0
github.com/go-chi/chi/v5 v5.0.10
github.com/go-jose/go-jose/v3 v3.0.1
github.com/golang/mock v1.6.0
github.com/google/go-cmp v0.6.0
github.com/google/go-tpm v0.9.0
@ -31,7 +32,7 @@ require (
github.com/stretchr/testify v1.8.4
github.com/urfave/cli v1.22.14
go.step.sm/cli-utils v0.8.0
go.step.sm/crypto v0.39.0
go.step.sm/crypto v0.40.0
go.step.sm/linkedca v0.20.1
golang.org/x/crypto v0.16.0
golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
@ -39,7 +40,6 @@ require (
google.golang.org/api v0.153.0
google.golang.org/grpc v1.59.0
google.golang.org/protobuf v1.31.0
gopkg.in/square/go-jose.v2 v2.6.0
)
require (
@ -48,18 +48,18 @@ require (
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.5 // indirect
cloud.google.com/go/kms v1.15.5 // indirect
filippo.io/edwards25519 v1.0.0 // indirect
filippo.io/edwards25519 v1.1.0 // indirect
github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.0 // indirect
github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
github.com/aws/aws-sdk-go v1.48.12 // indirect
github.com/aws/aws-sdk-go v1.49.1 // indirect
github.com/cenkalti/backoff/v3 v3.0.0 // indirect
github.com/cespare/xxhash v1.1.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
@ -69,7 +69,6 @@ require (
github.com/dgraph-io/ristretto v0.1.0 // indirect
github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/go-jose/go-jose/v3 v3.0.1 // indirect
github.com/go-kit/kit v0.13.0 // indirect
github.com/go-kit/log v0.2.1 // indirect
github.com/go-logfmt/logfmt v0.6.0 // indirect

@ -13,16 +13,16 @@ cloud.google.com/go/longrunning v0.5.4 h1:w8xEcbZodnA2BbW6sVirkkoC+1gP8wS57EUUgG
cloud.google.com/go/longrunning v0.5.4/go.mod h1:zqNVncI0BOP8ST6XQD1+VcvuShMmq7+xFSzOL++V0dI=
cloud.google.com/go/security v1.15.4 h1:sdnh4Islb1ljaNhpIXlIPgb3eYj70QWgPVDKOUYvzJc=
cloud.google.com/go/security v1.15.4/go.mod h1:oN7C2uIZKhxCLiAAijKUCuHLZbIt/ghYEo8MqwD/Ty4=
filippo.io/edwards25519 v1.0.0 h1:0wAIcmJUqRdI8IJ/3eGi5/HwXZWPujYXXlkrQogz0Ek=
filippo.io/edwards25519 v1.0.0/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns=
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M=
github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 h1:fb8kj/Dh4CSwgsOzHeZY4Xh68cFVbzXx+ONXGMY//4w=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0/go.mod h1:uReU2sSxZExRPBAg3qKzmAucSi51+SP1OhohieR821Q=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 h1:lGlwhPtrX6EVml1hO0ivjkUxsSyl4dsiw9qcA1k/3IQ=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1/go.mod h1:RKUqNu35KJYcVG/fqTRqmuXJZYNhYkBrnC/hX7yGbTA=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 h1:BMAjVKJM0U/CYF27gA0ZMmXGkOcvfFtD0oHVZ1TIPRI=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0/go.mod h1:1fXstnBMas5kzG+S3q8UoJcmyU6nUeunJcMDHcRYHhs=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0 h1:d81/ng9rET2YqdVkVwkb6EXeRrLJIwyGnJcAlAWKwhs=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.0/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 h1:6oNBlSdi1QqM1PNW7FPA6xOGA5UNsXnkaYZz9vdPGhA=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1/go.mod h1:s4kgfzA0covAXNicZHDMN58jExvcng2mC/DepXiF1EI=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE=
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw=
@ -44,8 +44,8 @@ github.com/ThalesIgnite/crypto11 v1.2.5 h1:1IiIIEqYmBvUYFeMnHqRft4bwf/O36jryEUpY
github.com/ThalesIgnite/crypto11 v1.2.5/go.mod h1:ILDKtnCKiQ7zRoNxcp36Y1ZR8LBPmR2E23+wTQe/MlE=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/aws/aws-sdk-go v1.48.12 h1:n+eGzflzzvYubu2cOjqpVll7lF+Ci0ThyCpg5kzfzbo=
github.com/aws/aws-sdk-go v1.48.12/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go v1.49.1 h1:Dsamcd8d/nNb3A+bZ0ucfGl0vGZsW5wlRW0vhoYGoeQ=
github.com/aws/aws-sdk-go v1.49.1/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
github.com/cenkalti/backoff/v3 v3.0.0 h1:ske+9nBpD9qZsTBoF41nW5L+AIuFBKMeze18XQ3eG1c=
github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
@ -434,8 +434,8 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
go.step.sm/cli-utils v0.8.0 h1:b/Tc1/m3YuQq+u3ghTFP7Dz5zUekZj6GUmd5pCvkEXQ=
go.step.sm/cli-utils v0.8.0/go.mod h1:S77aISrC0pKuflqiDfxxJlUbiXcAanyJ4POOnzFSxD4=
go.step.sm/crypto v0.39.0 h1:3CzvUx3ckkTH8/7BgCcD7sV9US0GK8u9jcY7LEhZSeo=
go.step.sm/crypto v0.39.0/go.mod h1:VIzQPq0itJgQraTTICzud/E70Vi5M8Wm+mgBw5MsmRc=
go.step.sm/crypto v0.40.0 h1:356UwJSM4Nhg5b5AjjjLlBNkf92Vw3Gi2r3vbEv72oc=
go.step.sm/crypto v0.40.0/go.mod h1:gfQMeTQXykihbS8e2Tdn0jtd9HbsQ7vbt+kp7efLA7U=
go.step.sm/linkedca v0.20.1 h1:bHDn1+UG1NgRrERkWbbCiAIvv4lD5NOFaswPDTyO5vU=
go.step.sm/linkedca v0.20.1/go.mod h1:Vaq4+Umtjh7DLFI1KuIxeo598vfBzgSYZUjgVJ7Syxw=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@ -614,8 +614,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogR
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/inconshreveable/log15.v2 v2.0.0-20180818164646-67afb5ed74ec/go.mod h1:aPpfJ7XW+gOuirDoZ8gHhLh3kZ1B08FtV2bbmy7Jv3s=
gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
