Use go.step.sm/crypto/jose

Replace use of github.com/smallstep/cli/crypto with the new package
go.step.sm/crypto/jose.

acme/account.go

@@ -6,8 +6,8 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
+	"go.step.sm/crypto/jose"
 )
 
 // Account is a subset of the internal account type containing only those

acme/account_test.go

@@ -12,9 +12,9 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"github.com/smallstep/nosql/database"
+	"go.step.sm/crypto/jose"
 )
 
 var (

acme/api/account_test.go

@@ -16,7 +16,7 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 var (

acme/api/handler_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
 

acme/api/middleware.go

@@ -14,8 +14,8 @@ import (
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 )
 

acme/api/middleware_test.go

@@ -18,8 +18,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql/database"
+	"go.step.sm/crypto/jose"
 )
 
 var testBody = []byte("foo")

acme/authority.go

@@ -14,8 +14,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
 	database "github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
+	"go.step.sm/crypto/jose"
 )
 
 // Interface is the acme authority interface.

acme/authority_test.go

@@ -11,8 +11,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql/database"
+	"go.step.sm/crypto/jose"
 )
 
 func TestAuthorityGetLink(t *testing.T) {

acme/challenge.go

@@ -18,8 +18,8 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
+	"go.step.sm/crypto/jose"
 )
 
 // Challenge is a subset of the challenge type containing only those attributes

acme/challenge_test.go

@@ -28,9 +28,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"github.com/smallstep/nosql/database"
+	"go.step.sm/crypto/jose"
 )
 
 var testOps = ChallengeOptions{

acme/common.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 )
 

api/api_test.go

@@ -32,7 +32,7 @@ import (
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"golang.org/x/crypto/ssh"
 )
 

authority/authority_test.go

@@ -15,14 +15,14 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
 
 func testAuthority(t *testing.T, opts ...Option) *Authority {
-	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
+	maxjwk, err := jose.ReadKey("testdata/secrets/max_pub.jwk")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_pub.jwk")
 	assert.FatalError(t, err)
 	disableRenewal := true
 	enableSSHCA := true

authority/authorize.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"golang.org/x/crypto/ssh"
 )
 

authority/authorize_test.go

@@ -17,11 +17,10 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/ssh"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 var testAudiences = provisioner.Audiences{
@@ -84,7 +83,7 @@ func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose
 func TestAuthority_authorizeToken(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -112,16 +111,16 @@ func TestAuthority_authorizeToken(t *testing.T) {
 			}
 		},
 		"fail/prehistoric-token": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
-				IssuedAt:  jwt.NewNumericDate(now.Add(-time.Hour)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
+				IssuedAt:  jose.NewNumericDate(now.Add(-time.Hour)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -131,11 +130,11 @@ func TestAuthority_authorizeToken(t *testing.T) {
 			}
 		},
 		"fail/provisioner-not-found": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
@@ -143,7 +142,7 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", "foo"))
 			assert.FatalError(t, err)
 
-			raw, err := jwt.Signed(_sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(_sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -153,15 +152,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 			}
 		},
 		"ok/simpledb": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -170,15 +169,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 		},
 		"fail/simpledb/token-already-used": func(t *testing.T) *authorizeTest {
 			_a := testAuthority(t)
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			_, err = _a.authorizeToken(context.Background(), raw)
 			assert.FatalError(t, err)
@@ -197,15 +196,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				},
 			}
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  _a,
@@ -220,15 +219,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				},
 			}
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  _a,
@@ -245,15 +244,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				},
 			}
 
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  _a,
@@ -288,7 +287,7 @@ func TestAuthority_authorizeToken(t *testing.T) {
 func TestAuthority_authorizeRevoke(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -316,15 +315,15 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
 			}
 		},
 		"fail/token/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -334,15 +333,15 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
 			}
 		},
 		"ok/token": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -372,7 +371,7 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
 func TestAuthority_authorizeSign(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -400,15 +399,15 @@ func TestAuthority_authorizeSign(t *testing.T) {
 			}
 		},
 		"fail/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -418,15 +417,15 @@ func TestAuthority_authorizeSign(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -459,7 +458,7 @@ func TestAuthority_authorizeSign(t *testing.T) {
 func TestAuthority_Authorize(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -496,15 +495,15 @@ func TestAuthority_Authorize(t *testing.T) {
 			}
 		},
 		"ok/sign": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.Sign,
 				ID:        "1",
 			}
-			token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -522,15 +521,15 @@ func TestAuthority_Authorize(t *testing.T) {
 			}
 		},
 		"ok/revoke": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.Revoke,
 				ID:        "2",
 			}
-			token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -622,15 +621,15 @@ func TestAuthority_Authorize(t *testing.T) {
 			}
 		},
 		"ok/sshRevoke": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRevoke,
 				ID:        "3",
 			}
-			token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -892,7 +891,7 @@ func createSSHCert(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate,
 func TestAuthority_authorizeSSHSign(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -920,15 +919,15 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
 			}
 		},
 		"fail/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -971,7 +970,7 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
 func TestAuthority_authorizeSSHRenew(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -999,15 +998,15 @@ func TestAuthority_authorizeSSHRenew(t *testing.T) {
 			}
 		},
 		"fail/sshRenew-unimplemented-jwk-provisioner": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRenew,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -1073,7 +1072,7 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
 		},
 	})}...)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -1100,15 +1099,15 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
 			}
 		},
 		"fail/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRevoke,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@@ -1164,7 +1163,7 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
 func TestAuthority_authorizeSSHRekey(t *testing.T) {
 	a := testAuthority(t)
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -1192,15 +1191,15 @@ func TestAuthority_authorizeSSHRekey(t *testing.T) {
 			}
 		},
 		"fail/sshRekey-unimplemented-jwk-provisioner": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				NotBefore: jose.NewNumericDate(now),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRekey,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,

authority/config_test.go

@@ -7,13 +7,13 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestConfigValidate(t *testing.T) {
-	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
+	maxjwk, err := jose.ReadKey("testdata/secrets/max_pub.jwk")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_pub.jwk")
 	assert.FatalError(t, err)
 	ac := &AuthConfig{
 		Provisioners: provisioner.List{
@@ -224,9 +224,9 @@ func TestAuthConfigValidate(t *testing.T) {
 		CommonName:    "test",
 	}
 
-	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
+	maxjwk, err := jose.ReadKey("testdata/secrets/max_pub.jwk")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_pub.jwk")
 	assert.FatalError(t, err)
 	p := provisioner.List{
 		&provisioner.JWK{

authority/provisioner/aws.go

@@ -17,7 +17,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )

authority/provisioner/aws_test.go

@@ -20,7 +20,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestAWS_Getters(t *testing.T) {

authority/provisioner/azure.go

@@ -14,7 +14,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )

authority/provisioner/azure_test.go

@@ -18,7 +18,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestAzure_Getters(t *testing.T) {

authority/provisioner/collection.go

@@ -13,7 +13,7 @@ import (
 	"sync"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 // DefaultProvisionersLimit is the default limit for listing provisioners.

authority/provisioner/collection_test.go

@@ -9,7 +9,7 @@ import (
 	"testing"
 
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestCollection_Load(t *testing.T) {

authority/provisioner/gcp.go

@@ -15,7 +15,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )

authority/provisioner/gcp_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestGCP_Getters(t *testing.T) {

authority/provisioner/jwk.go

@@ -8,7 +8,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )

authority/provisioner/jwk_test.go

@@ -14,7 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestJWK_Getters(t *testing.T) {

authority/provisioner/k8sSA.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"

authority/provisioner/k8sSA_test.go

@@ -10,7 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func TestK8sSA_Getters(t *testing.T) {

authority/provisioner/keystore.go

@@ -10,7 +10,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 const (

authority/provisioner/keystore_test.go

@@ -8,7 +8,7 @@ import (
 	"time"
 
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func Test_newKeyStore(t *testing.T) {

authority/provisioner/oidc.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )

authority/provisioner/oidc_test.go

@@ -15,7 +15,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 func Test_openIDConfiguration_Validate(t *testing.T) {

authority/provisioner/options.go

@@ -5,7 +5,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
 )
 

authority/provisioner/sshpop.go

@@ -10,7 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"golang.org/x/crypto/ssh"
 )
 

authority/provisioner/sshpop_test.go

@@ -13,7 +13,7 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )

authority/provisioner/utils_test.go

@@ -16,7 +16,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/ssh"

authority/provisioner/x5c.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )

authority/provisioner/x5c_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 )
@@ -154,7 +154,7 @@ M46l92gdOozT
 func TestX5C_authorizeToken(t *testing.T) {
 	x5cCerts, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 	assert.FatalError(t, err)
-	x5cJWK, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+	x5cJWK, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 	assert.FatalError(t, err)
 
 	type test struct {
@@ -402,7 +402,7 @@ lgsqsR63is+0YQ==
 func TestX5C_AuthorizeSign(t *testing.T) {
 	certs, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 	assert.FatalError(t, err)
-	jwk, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+	jwk, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 	assert.FatalError(t, err)
 
 	type test struct {
@@ -518,7 +518,7 @@ func TestX5C_AuthorizeRevoke(t *testing.T) {
 		"ok": func(t *testing.T) test {
 			certs, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 			assert.FatalError(t, err)
-			jwk, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+			jwk, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 			assert.FatalError(t, err)
 
 			p, err := generateX5C(nil)
@@ -599,7 +599,7 @@ func TestX5C_AuthorizeRenew(t *testing.T) {
 func TestX5C_AuthorizeSSHSign(t *testing.T) {
 	x5cCerts, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 	assert.FatalError(t, err)
-	x5cJWK, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+	x5cJWK, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 	assert.FatalError(t, err)
 
 	_, fn := mockNow()

authority/ssh.go

@@ -14,7 +14,7 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/sshutil"
 	"golang.org/x/crypto/ssh"

authority/ssh_test.go

@@ -19,7 +19,7 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"golang.org/x/crypto/ssh"
 )

authority/tls.go

@@ -15,7 +15,7 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
@@ -281,7 +281,7 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 		errs.WithKeyVal("reason", revokeOpts.Reason),
 		errs.WithKeyVal("passiveOnly", revokeOpts.PassiveOnly),
 		errs.WithKeyVal("MTLS", revokeOpts.MTLS),
-		errs.WithKeyVal("context", string(provisioner.MethodFromContext(ctx))),
+		errs.WithKeyVal("context", provisioner.MethodFromContext(ctx).String()),
 	}
 	if revokeOpts.MTLS {
 		opts = append(opts, errs.WithKeyVal("certificate", base64.StdEncoding.EncodeToString(revokeOpts.Crt.Raw)))

authority/tls_test.go

@@ -22,7 +22,7 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
@@ -219,7 +219,7 @@ func TestAuthority_Sign(t *testing.T) {
 
 	// Create a token to get test extra opts.
 	p := a.config.AuthorityConfig.Provisioners[1].(*provisioner.JWK)
-	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	key, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	token, err := generateToken("smallstep test", "step-cli", testAudiences.Sign[0], []string{"test.smallstep.com"}, time.Now(), key)
 	assert.FatalError(t, err)
@@ -1000,7 +1000,7 @@ func TestAuthority_Revoke(t *testing.T) {
 	validAudience := testAudiences.Revoke
 	now := time.Now().UTC()
 
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@@ -1193,7 +1193,7 @@ func TestAuthority_Revoke(t *testing.T) {
 					assert.Equals(t, ctxErr.Details["reasonCode"], tc.opts.ReasonCode)
 					assert.Equals(t, ctxErr.Details["reason"], tc.opts.Reason)
 					assert.Equals(t, ctxErr.Details["MTLS"], tc.opts.MTLS)
-					assert.Equals(t, ctxErr.Details["context"], string(provisioner.RevokeMethod))
+					assert.Equals(t, ctxErr.Details["context"], provisioner.RevokeMethod.String())
 
 					if tc.checkErrDetails != nil {
 						tc.checkErrDetails(ctxErr)

ca/acmeClient.go

@@ -14,7 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/acme"
 	acmeAPI "github.com/smallstep/certificates/acme/api"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 
 // ACMEClient implements an HTTP client to an ACME API.

ca/acmeClient_test.go

@@ -16,7 +16,7 @@ import (
 	"github.com/smallstep/certificates/acme"
 	acmeAPI "github.com/smallstep/certificates/acme/api"
 	"github.com/smallstep/certificates/api"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
 

ca/bootstrap.go

@@ -8,8 +8,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
-	"gopkg.in/square/go-jose.v2/jwt"
+	"go.step.sm/crypto/jose"
 )
 
 type tokenClaims struct {
@@ -20,7 +19,7 @@ type tokenClaims struct {
 // Bootstrap is a helper function that initializes a client with the
 // configuration in the bootstrap token.
 func Bootstrap(token string) (*Client, error) {
-	tok, err := jwt.ParseSigned(token)
+	tok, err := jose.ParseSigned(token)
 	if err != nil {
 		return nil, errors.Wrap(err, "error parsing token")
 	}

ca/bootstrap_test.go

@@ -15,10 +15,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func newLocalListener() net.Listener {
@@ -78,7 +76,7 @@ func startCAServer(configFile string) (*CA, string, error) {
 
 func generateBootstrapToken(ca, subject, sha string) string {
 	now := time.Now()
-	jwk, err := stepJOSE.ParseKey("testdata/secrets/ott_mariano_priv.jwk", stepJOSE.WithPassword([]byte("password")))
+	jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
 	if err != nil {
 		panic(err)
 	}
@@ -93,21 +91,21 @@ func generateBootstrapToken(ca, subject, sha string) string {
 	}
 	cl := struct {
 		SHA string `json:"sha"`
-		jwt.Claims
+		jose.Claims
 		SANS []string `json:"sans"`
 	}{
 		SHA: sha,
-		Claims: jwt.Claims{
+		Claims: jose.Claims{
 			ID:        id,
 			Subject:   subject,
 			Issuer:    "mariano",
-			NotBefore: jwt.NewNumericDate(now),
-			Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+			NotBefore: jose.NewNumericDate(now),
+			Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 			Audience:  []string{ca + "/sign"},
 		},
 		SANS: []string{subject},
 	}
-	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+	raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 	if err != nil {
 		panic(err)
 	}

ca/ca_test.go

@@ -25,13 +25,11 @@ import (
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/x509util"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 type ClosingBuffer struct {
@@ -95,7 +93,7 @@ func TestCASign(t *testing.T) {
 	assert.FatalError(t, err)
 	intermediateCert, err := pemutil.ReadCertificate("testdata/secrets/intermediate_ca.crt")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk", stepJOSE.WithPassword([]byte("pass")))
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: clijwk.Key},
 		(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", clijwk.KeyID))
@@ -177,20 +175,20 @@ ZEp7knvU2psWRw==
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
 			cl := struct {
-				jwt.Claims
+				jose.Claims
 				SANS []string `json:"sans"`
 			}{
-				Claims: jwt.Claims{
+				Claims: jose.Claims{
 					Subject:   "invalid",
 					Issuer:    "step-cli",
-					NotBefore: jwt.NewNumericDate(now),
-					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					NotBefore: jose.NewNumericDate(now),
+					Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 					Audience:  validAud,
 					ID:        jti,
 				},
 				SANS: []string{"invalid"},
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			csr, err := getCSR(priv)
 			assert.FatalError(t, err)
@@ -210,20 +208,20 @@ ZEp7knvU2psWRw==
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
 			cl := struct {
-				jwt.Claims
+				jose.Claims
 				SANS []string `json:"sans"`
 			}{
-				Claims: jwt.Claims{
+				Claims: jose.Claims{
 					Subject:   "test.smallstep.com",
 					Issuer:    "step-cli",
-					NotBefore: jwt.NewNumericDate(now),
-					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					NotBefore: jose.NewNumericDate(now),
+					Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 					Audience:  validAud,
 					ID:        jti,
 				},
 				SANS: []string{"test.smallstep.com"},
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			csr, err := getCSR(priv)
 			assert.FatalError(t, err)
@@ -244,19 +242,19 @@ ZEp7knvU2psWRw==
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
 			cl := struct {
-				jwt.Claims
+				jose.Claims
 				SANS []string `json:"sans"`
 			}{
-				Claims: jwt.Claims{
+				Claims: jose.Claims{
 					Subject:   "test.smallstep.com",
 					Issuer:    "step-cli",
-					NotBefore: jwt.NewNumericDate(now),
-					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					NotBefore: jose.NewNumericDate(now),
+					Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 					Audience:  validAud,
 					ID:        jti,
 				},
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			csr, err := getCSR(priv)
 			assert.FatalError(t, err)

ca/provisioner.go

@@ -7,9 +7,9 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/cli/token"
 	"github.com/smallstep/cli/token/provision"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 )
 

ca/provisioner_test.go

@@ -7,13 +7,13 @@ import (
 	"testing"
 	"time"
 
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )
 
 func getTestProvisioner(t *testing.T, caURL string) *Provisioner {
-	jwk, err := jose.ParseKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
+	jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
 	if err != nil {
 		t.Fatal(err)
 	}

ca/tls_test.go

@@ -18,15 +18,13 @@ import (
 
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func generateOTT(subject string) string {
 	now := time.Now()
-	jwk, err := stepJOSE.ParseKey("testdata/secrets/ott_mariano_priv.jwk", stepJOSE.WithPassword([]byte("password")))
+	jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
 	if err != nil {
 		panic(err)
 	}
@@ -40,20 +38,20 @@ func generateOTT(subject string) string {
 		panic(err)
 	}
 	cl := struct {
-		jwt.Claims
+		jose.Claims
 		SANS []string `json:"sans"`
 	}{
-		Claims: jwt.Claims{
+		Claims: jose.Claims{
 			ID:        id,
 			Subject:   subject,
 			Issuer:    "mariano",
-			NotBefore: jwt.NewNumericDate(now),
-			Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+			NotBefore: jose.NewNumericDate(now),
+			Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 			Audience:  []string{"https://127.0.0.1:0/sign"},
 		},
 		SANS: []string{subject},
 	}
-	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+	raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 	if err != nil {
 		panic(err)
 	}

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/rs/xid v1.2.1
 	github.com/sirupsen/logrus v1.4.2
-	github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15
+	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/cli v0.14.7-rc.1.0.20200721180458-731b7c4c8c95
 	github.com/smallstep/nosql v0.3.0
 	github.com/urfave/cli v1.22.2
@@ -23,9 +23,9 @@ require (
 	google.golang.org/api v0.15.0
 	google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb
 	google.golang.org/grpc v1.26.0
-	gopkg.in/square/go-jose.v2 v2.4.0
+	gopkg.in/square/go-jose.v2 v2.5.1
 )
 
 // replace github.com/smallstep/cli => ../cli
 // replace github.com/smallstep/nosql => ../nosql
-// replace go.step.sm/crypto => ../crypto
+replace go.step.sm/crypto => ../crypto

go.sum

@@ -476,6 +476,8 @@ github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5 h1:lX6ybsQW9Agn3q
 github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5/go.mod h1:TC9A4+RjIOS+HyTH7wG17/gSqVv95uDw2J64dQZx7RE=
 github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15 h1:kSImCuenAkXtCaBeQ1UhmzzJGRhSm8sVH7I3sHE2Qdg=
 github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
+github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/certificates v0.14.5/go.mod h1:zzpB8wMz967gL8FmK6zvCNB4pDVwFDKjPg1diTVc1h8=
 github.com/smallstep/certinfo v1.3.0/go.mod h1:1gQJekdPwPvUwFWGTi7bZELmQT09cxC9wJ0VBkBNiwU=
 github.com/smallstep/cli v0.14.5/go.mod h1:mRFuqC3cGwQESBGJvog4o76jZZZ7bMjkE+hAnq2QyR8=
@@ -804,6 +806,8 @@ gopkg.in/ini.v1 v1.51.1/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.4.0 h1:0kXPskUMGAXXWJlP05ktEMOV0vmzFQUWw6d+aZJQU8A=
 gopkg.in/square/go-jose.v2 v2.4.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
+gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

pki/pki.go

@@ -23,9 +23,9 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/config"
 	"github.com/smallstep/cli/errs"
-	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"