Re: Bug#1100967: golang-step-crypto-dev and golang-github-smallstep-crypto-dev have undeclared file conflicts
A short-term fix to resolve the RC bug may be to simply add a
'Conflicts: golang-step-crypto-dev' to
golang-github-smallstep-crypto-dev? Or is there a need to be able to
co-install these two packages?
Meanwhile I looked into updating golang-github-smallstep-certificates to
latest version and ran into what I think is a build dependency issue
with golang-step-linkedca which would needs a package rename/reupload to
get the latest version. The name ought to be
golang-github-smallstep-linkedca instead which is the new namespace. It
seems most if not all of go.step.sm moved to github.com/smallstep
namespace. I doubt we can finish that transition before trixie though.
I had a look at another approach, just upgrading the dependency to golang-github-smallstep-crypto-dev
for these two packages:
- golang-step-cli-utils: all fine, level1
- golang-github-smallstep-certificates: level 2, needs the previous one rebuilt first, and the attached patch.
There are probably mistakes in that patch.
This would allow removal of golang-step-crypto-dev.
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@@ -10,7 +10,6 @@
"os"
"github.com/pkg/errors"
- "gopkg.in/square/go-jose.v2/jwt"
"go.step.sm/cli-utils/step"
"go.step.sm/cli-utils/ui"
@@ -89,7 +88,7 @@
// LoadProvisionerByToken returns an interface to the provisioner that
// provisioned the token.
-func (a *Authority) LoadProvisionerByToken(token *jwt.JSONWebToken, claims *jwt.Claims) (provisioner.Interface, error) {
+func (a *Authority) LoadProvisionerByToken(token *jose.JSONWebToken, claims *jose.Claims) (provisioner.Interface, error) {
a.adminMutex.RLock()
defer a.adminMutex.RUnlock()
p, ok := a.provisioners.LoadByToken(token, claims)
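Review bot: The new signature uses `jose.JSONWebToken` and `jose.Claims`, but the import hunk above only removes `gopkg.in/square/go-jose.v2/jwt` and adds nothing in its place; unless provisioners.go already imports `go.step.sm/crypto/jose` (not visible in this patch) the file will not compile. If it is missing, add `"go.step.sm/crypto/jose"` to the import block. It is also worth confirming that `provisioners.LoadByToken`, whose declaration is outside the patch, takes the same types, since `jose.JSONWebToken` in go.step.sm/crypto/jose is presumably an alias of the go-jose v3 `jwt` type rather than the v2 type being removed here. The body of LoadProvisionerByToken continues outside the hunk.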
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@@ -171,10 +171,10 @@
{"fail-token", p1, args{failTok}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk token")},
{"fail-key", p1, args{failKey}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
{"fail-claims", p1, args{failClaims}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims")},
- {"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
- {"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
- {"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token is expired (exp)")},
- {"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: square/go-jose/jwt: validation failed, token not valid yet (nbf)")},
+ {"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
+ {"fail-issuer", p1, args{failIss}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)")},
+ {"fail-expired", p1, args{failExp}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token is expired (exp)")},
+ {"fail-not-before", p1, args{failNbf}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk claims: go-jose/go-jose/jwt: validation failed, token not valid yet (nbf)")},
{"fail-audience", p1, args{failAud}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; invalid jwk token audience claim (aud)")},
{"fail-subject", p1, args{failSub}, http.StatusUnauthorized, errors.New("jwk.authorizeToken; jwk token subject cannot be empty")},
{"ok", p1, args{t1}, http.StatusOK, nil},
@@ -218,7 +218,7 @@
code int
err error
}{
- {"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive")},
+ {"fail-signature", p1, args{failSig}, http.StatusUnauthorized, errors.New("jwk.AuthorizeRevoke: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive")},
{"ok", p1, args{t1}, http.StatusOK, nil},
}
for _, tt := range tests {
@@ -266,7 +266,7 @@
prov: p1,
args: args{failSig},
code: http.StatusUnauthorized,
- err: errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: square/go-jose: error in cryptographic primitive"),
+ err: errors.New("jwk.AuthorizeSign: jwk.authorizeToken; error parsing jwk claims: go-jose/go-jose: error in cryptographic primitive"),
},
{
name: "ok-sans",
--- a/authority/provisioner/k8sSA_test.go
+++ b/authority/provisioner/k8sSA_test.go
@@ -97,7 +97,7 @@
p: p,
token: tok,
code: http.StatusUnauthorized,
- err: errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: square/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
+ err: errors.New("k8ssa.authorizeToken; invalid k8sSA token claims: go-jose/go-jose/jwt: validation failed, invalid issuer claim (iss)"),
}
},
"ok": func(t *testing.T) test {
--- a/acme/account_test.go
+++ b/acme/account_test.go
@@ -25,7 +25,7 @@
jwk.Key = "foo"
return test{
jwk: jwk,
- err: NewErrorISE("error generating jwk thumbprint: square/go-jose: unknown key type 'string'"),
+ err: NewErrorISE("error generating jwk thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok": func(t *testing.T) test {
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@@ -358,7 +358,7 @@
return test{
body: strings.NewReader("foo"),
statusCode: 400,
- err: acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: square/go-jose: compact JWS format must have three parts"),
+ err: acme.NewError(acme.ErrorMalformedType, "failed to parse JWS from request body: go-jose/go-jose: compact JWS format must have three parts"),
}
},
"ok": func(t *testing.T) test {
@@ -483,7 +483,7 @@
return test{
ctx: ctx,
statusCode: 400,
- err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: square/go-jose: error in cryptographic primitive"),
+ err: acme.NewError(acme.ErrorMalformedType, "error verifying jws: go-jose/go-jose: error in cryptographic primitive"),
}
},
"fail/algorithm-mismatch": func(t *testing.T) test {
--- a/acme/api/revoke_test.go
+++ b/acme/api/revoke_test.go
@@ -1281,7 +1281,7 @@
}
},
"wrap-subject": func(t *testing.T) test {
- acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: square/go-jose: error in cryptographic primitive")
+ acmeErr := acme.NewError(acme.ErrorUnauthorizedType, "verification of jws using certificate public key failed: go-jose/go-jose: error in cryptographic primitive")
acmeErr.Status = http.StatusForbidden
acmeErr.Detail = "No authorization provided for name test.example.com"
cert := &x509.Certificate{
@@ -1290,7 +1290,7 @@
},
}
return test{
- err: errors.New("square/go-jose: error in cryptographic primitive"),
+ err: errors.New("go-jose/go-jose: error in cryptographic primitive"),
cert: cert,
unauthorizedIdentifiers: []acme.Identifier{},
msg: "verification of jws using certificate public key failed",
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -196,7 +196,7 @@
return test{
token: "1234",
jwk: jwk,
- err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+ err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok": func(t *testing.T) test {
@@ -725,7 +725,7 @@
},
},
jwk: jwk,
- err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+ err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok/key-auth-mismatch": func(t *testing.T) test {
@@ -1021,7 +1021,7 @@
},
},
jwk: jwk,
- err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+ err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"fail/key-auth-mismatch-store-error": func(t *testing.T) test {
@@ -1758,7 +1758,7 @@
},
srv: srv,
jwk: jwk,
- err: NewErrorISE("error generating JWK thumbprint: square/go-jose: unknown key type 'string'"),
+ err: NewErrorISE("error generating JWK thumbprint: go-jose/go-jose: unknown key type 'string'"),
}
},
"ok/error-no-extension": func(t *testing.T) test {
--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@@ -7,9 +7,9 @@
"testing"
"github.com/stretchr/testify/assert"
- "gopkg.in/square/go-jose.v2"
"go.step.sm/linkedca"
+ "go.step.sm/crypto/jose"
"github.com/smallstep/certificates/authority/admin"
"github.com/smallstep/certificates/authority/administrator"
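Review bot: The added `"go.step.sm/crypto/jose"` import is placed after `"go.step.sm/linkedca"`, which gofmt/goimports would reorder; keeping the group sorted (`go.step.sm/crypto/jose` before `go.step.sm/linkedca`) avoids churn on the next format pass and keeps the file gofmt-clean for the package build. The rest of the import block is outside the hunk, so the grouping relative to the `github.com/smallstep/certificates/...` lines cannot be checked from here.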
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@@ -18,8 +18,6 @@
"testing"
"time"
- "gopkg.in/square/go-jose.v2/jwt"
-
"go.step.sm/crypto/jose"
"go.step.sm/crypto/keyutil"
"go.step.sm/crypto/pemutil"
@@ -1327,15 +1325,15 @@
}
},
"fail/nil-db": func() test {
- cl := jwt.Claims{
+ cl := jose.Claims{
Subject: "sn",
Issuer: validIssuer,
- NotBefore: jwt.NewNumericDate(now),
- Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
+ NotBefore: jose.NewNumericDate(now),
+ Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
ID: "44",
}
- raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
return test{
@@ -1367,15 +1365,15 @@
Err: errors.New("force"),
}))
- cl := jwt.Claims{
+ cl := jose.Claims{
Subject: "sn",
Issuer: validIssuer,
- NotBefore: jwt.NewNumericDate(now),
- Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
+ NotBefore: jose.NewNumericDate(now),
+ Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
ID: "44",
}
- raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
return test{
@@ -1407,15 +1405,15 @@
Err: db.ErrAlreadyExists,
}))
- cl := jwt.Claims{
+ cl := jose.Claims{
Subject: "sn",
Issuer: validIssuer,
- NotBefore: jwt.NewNumericDate(now),
- Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
+ NotBefore: jose.NewNumericDate(now),
+ Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
ID: "44",
}
- raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
return test{
@@ -1446,15 +1444,15 @@
},
}))
- cl := jwt.Claims{
+ cl := jose.Claims{
Subject: "sn",
Issuer: validIssuer,
- NotBefore: jwt.NewNumericDate(now),
- Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
+ NotBefore: jose.NewNumericDate(now),
+ Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
ID: "44",
}
- raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
return test{
auth: _a,
@@ -1538,15 +1536,15 @@
},
}))
- cl := jwt.Claims{
+ cl := jose.Claims{
Subject: "sn",
Issuer: validIssuer,
- NotBefore: jwt.NewNumericDate(now),
- Expiry: jwt.NewNumericDate(now.Add(time.Minute)),
+ NotBefore: jose.NewNumericDate(now),
+ Expiry: jose.NewNumericDate(now.Add(time.Minute)),
Audience: validAudience,
ID: "44",
}
- raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+ raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
assert.FatalError(t, err)
return test{
auth: a,
--- a/ca/acmeClient.go
+++ b/ca/acmeClient.go
@@ -173,7 +173,7 @@
}
signed, err := signer.Sign(payload)
if err != nil {
- return nil, errors.Errorf("error signing payload: %s", strings.TrimPrefix(err.Error(), "square/go-jose: "))
+ return nil, errors.Errorf("error signing payload: %s", strings.TrimPrefix(err.Error(), "go-jose/go-jose: "))
}
raw, err := serialize(signed)
if err != nil {
--- a/ca/client.go
+++ b/ca/client.go
@@ -35,7 +35,6 @@
"golang.org/x/net/http2"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
- "gopkg.in/square/go-jose.v2/jwt"
)
// DisableIdentity is a global variable to disable the identity.
@@ -1207,7 +1206,7 @@
// CreateSignRequest is a helper function that given an x509 OTT returns a
// simple but secure sign request as well as the private key used.
func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error) {
- token, err := jwt.ParseSigned(ott)
+ token, err := jose.ParseSigned(ott)
if err != nil {
return nil, nil, errors.Wrap(err, "error parsing ott")
}
--- a/kms/azurekms/key_vault_test.go
+++ b/kms/azurekms/key_vault_test.go
@@ -16,7 +16,6 @@
"github.com/smallstep/certificates/kms/apiv1"
"github.com/smallstep/certificates/kms/azurekms/internal/mock"
"go.step.sm/crypto/keyutil"
- "gopkg.in/square/go-jose.v2"
)
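Review bot: This hunk removes the `gopkg.in/square/go-jose.v2` import without adding a replacement, so if key_vault_test.go still references `jose.` anywhere (for example a `jose.JSONWebKey` used by the mock key material — not visible here) the test file will fail to compile. If a replacement is needed it should be `"go.step.sm/crypto/jose"`, matching the choice made for the other files in this patch, rather than importing `github.com/go-jose/go-jose/v3` directly.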
var errTest = fmt.Errorf("test error")
--- a/authority/provisioner/options_test.go
+++ b/authority/provisioner/options_test.go
@@ -159,7 +159,7 @@
func TestCustomTemplateOptions(t *testing.T) {
csr := parseCertificateRequest(t, "testdata/certs/ecdsa.csr")
- csrCertificate := `{"version":0,"subject":{"commonName":"foo"},"dnsNames":["foo"],"emailAddresses":null,"ipAddresses":null,"uris":null,"sans":null,"extensions":[{"id":"2.5.29.17","critical":false,"value":"MAWCA2Zvbw=="}],"signatureAlgorithm":""}`
+ csrCertificate := `{"version":0,"subject":{"commonName":"foo"},"rawSubject":"MA4xDDAKBgNVBAMTA2Zvbw==","dnsNames":["foo"],"emailAddresses":null,"ipAddresses":null,"uris":null,"sans":null,"extensions":[{"id":"2.5.29.17","critical":false,"value":"MAWCA2Zvbw=="}],"signatureAlgorithm":""}`
data := x509util.TemplateData{
x509util.SubjectKey: x509util.Subject{
CommonName: "foobar",
--- a/cas/stepcas/x5c_issuer_test.go
+++ b/cas/stepcas/x5c_issuer_test.go
@@ -53,7 +53,7 @@
sans []string
}
type claims struct {
- Aud []string `json:"aud"`
+ Aud string `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
}
@@ -87,7 +87,7 @@
}
var c claims
want := claims{
- Aud: []string{tt.fields.caURL.String() + "/1.0/sign#x5c/X5C"},
+ Aud: string{tt.fields.caURL.String() + "/1.0/sign#x5c/X5C"},
Sub: tt.args.subject,
Sans: tt.args.sans,
}
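Review bot: `string{...}` on the `Aud:` line is not valid Go — a composite literal requires a struct, array, slice or map type — so this test file will not compile as patched. With `Aud` now a plain `string` the line should simply be `Aud: tt.fields.caURL.String() + "/1.0/sign#x5c/X5C",`. The switch of the `aud` claim from `[]string` to `string` looks intentional (go-jose v3, as I recall, marshals a single-value audience as a bare JSON string), but it does mean this test no longer exercises the array form; the enclosing test function starts and ends outside the hunk.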
@@ -117,7 +117,7 @@
subject string
}
type claims struct {
- Aud []string `json:"aud"`
+ Aud string `json:"aud"`
Sub string `json:"sub"`
Sans []string `json:"sans"`
}
@@ -152,7 +152,7 @@
}
var c claims
want := claims{
- Aud: []string{tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C"},
+ Aud: string{tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C"},
Sub: tt.args.subject,
}
if err := jwt.Claims(testX5CKey.Public(), &c); err != nil {
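Review bot: Same compile error as in the sign test above: `string{...}` is not a valid composite literal, so the `want` line should read `Aud: tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C",`. Note that the `jwt.Claims(testX5CKey.Public(), &c)` call on the last context line still verifies the token signature before decoding the claims, so the assertion stays meaningful once the literal is fixed. The enclosing test function continues outside the hunk.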
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@@ -109,7 +109,7 @@
c.Root = []string{"foo"}
return &newTest{
config: c,
- err: errors.New("error reading foo: no such file or directory"),
+ err: errors.New("error reading \"foo\": no such file or directory"),
}
},
"fail bad password": func(t *testing.T) *newTest {
@@ -127,7 +127,7 @@
c.IntermediateCert = "wrong"
return &newTest{
config: c,
- err: errors.New("error reading wrong: no such file or directory"),
+ err: errors.New("error reading \"wrong\": no such file or directory"),
}
},
}