hashicorp · tomhjp · Apr 22, 2024 · Apr 19, 2024 · Apr 19, 2024 · Apr 19, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,7 @@ IMPROVEMENTS:
    * `github.com/stretchr/testify` v1.8.4 -> v1.9.0
    * `golang.org/x/oauth2` v0.16.0 -> v0.19.0
    * `google.golang.org/api` v0.161.0 -> v0.172.0
-* Upgrade `github.com/go-jose/go-jose/v3` to `github.com/go-jose/go-jose/v4` 4.0.1: [GH-202](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/202)
+* Upgrade `gopkg.in/square/go-jose.v2` and `github.com/go-jose/go-jose/v3` to `github.com/go-jose/go-jose/v4` 4.0.1: [GH-202](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/202), [GH-203](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/203)
 * Bump `google.golang.org/protobuf` from 1.32.0 to 1.33.0: [GH-197](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/197)
 * Bump `github.com/docker/docker` from 24.0.7+incompatible to 24.0.9+incompatible: [GH-198](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/198)
 * Bump `golang.org/x/net` from 0.22.0 to 0.24.0: [GH-201](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/201)

diff --git a/go.mod b/go.mod
@@ -6,6 +6,7 @@ toolchain go1.22.2
 
 require (
 	cloud.google.com/go/compute/metadata v0.3.0
+	github.com/go-jose/go-jose/v4 v4.0.1
 	github.com/golang/mock v1.6.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-gcp-common v0.8.0
@@ -18,7 +19,6 @@ require (
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/oauth2 v0.19.0
 	google.golang.org/api v0.172.0
-	gopkg.in/square/go-jose.v2 v2.6.0
 )
 
 require (
@@ -34,7 +34,6 @@ require (
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect

diff --git a/go.sum b/go.sum
@@ -406,8 +406,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
-gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

diff --git a/plugin/path_login.go b/plugin/path_login.go
@@ -12,6 +12,8 @@ import (
 	"strings"
 	"time"
 
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/hashicorp/go-gcp-common/gcputil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -21,14 +23,21 @@ import (
 	"google.golang.org/api/cloudresourcemanager/v1"
 	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/iam/v1"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 const (
 	expectedJwtAudTemplate string = "vault/%s"
 	jwtExpToleranceSec            = 60
 )
 
+var (
+	allowedSignatureAlgorithms = []jose.SignatureAlgorithm{
+		jose.RS256,
+		jose.ES256,
+		jose.HS256,
+	}
+)
+
 func pathLogin(b *GcpAuthBackend) *framework.Path {
 	return &framework.Path{
 		Pattern: "login$",
@@ -205,7 +214,7 @@ func (b *GcpAuthBackend) parseAndValidateJwt(ctx context.Context, s logical.Stor
 	}
 
 	// Parse 'kid' key id from headers.
-	jwtVal, err := jwt.ParseSigned(signedJwt.(string))
+	jwtVal, err := jwt.ParseSigned(signedJwt.(string), allowedSignatureAlgorithms)
 	if err != nil {
 		return nil, fmt.Errorf("unable to parse signed JWT: %w", err)
 	}
@@ -276,7 +285,7 @@ func (b *GcpAuthBackend) getSigningKey(ctx context.Context, token *jwt.JSONWebTo
 
 // getJWTSubject grabs 'sub' claim given an unverified signed JWT.
 func getJWTSubject(signedJwt string) (string, error) {
-	jwtVal, err := jwt.ParseSigned(signedJwt)
+	jwtVal, err := jwt.ParseSigned(signedJwt, allowedSignatureAlgorithms)
 	if err != nil {
 		return "", fmt.Errorf("could not parse JWT: %v", err)
 	}

diff --git a/plugin/path_login_test.go b/plugin/path_login_test.go
@@ -13,15 +13,15 @@ import (
 	"testing"
 	"time"
 
+	jose "github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
 	"github.com/hashicorp/go-gcp-common/gcputil"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/api/iam/v1"
 	"google.golang.org/api/iamcredentials/v1"
 	"google.golang.org/api/option"
-	jose "gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )
 
 func TestRoleResolution(t *testing.T) {
@@ -674,7 +674,7 @@ func testCreateExpiredJwtToken(tb testing.TB, roleName string, creds *gcputil.Gc
 			Subject:  creds.ClientId,
 			Audience: []string{fmt.Sprintf(expectedJwtAudTemplate, roleName)},
 			Expiry:   jwt.NewNumericDate(time.Now().Add(-100 * time.Minute)),
-		}).CompactSerialize()
+		}).Serialize()
 	if err != nil {
 		tb.Fatal(err)
 	}