Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jws.UnregisterSigner does not remove the underlying signer from the global signers map #1016

Closed
penkovski opened this issue Nov 17, 2023 · 4 comments
Closed

jws.UnregisterSigner does not remove the underlying signer from the global signers map #1016

penkovski opened this issue Nov 17, 2023 · 4 comments
Assignees
@lestrrat

Comments

@penkovski
Copy link

Describe the bug

jws.UnregisterSigner does not remove the underlying signer implementation from the global signers map.
It removes the jws.SignerFactory, but not the underlying jws.Signer responsible for a given registered algorithm.
We can see it in the following code snippet from UnregisterSigner in jsw/signer.go, where only the SignerFactory
is deleted.

func UnregisterSigner(alg jwa.SignatureAlgorithm) {
	muSignerDB.Lock()
	delete(signerDB, alg)
	muSignerDB.Unlock()
}

The problem is that if you call UnregisterSigner and UnregisterSignatureAlgorithm, and then you want to register a different signer implementation for the same algorithm with RegisterSigner and RegisterSignatureAlgorithm, under the hood you will still use the previous signer implementation, because unregister does not remove it, and when you register again, it ignores the newly provided signer implementation by the new factory.

This happens because makeSigner does not use the algorithm factory to create a signer object, as it checks that the signers global map already contains an object registered for that algorithm.

The fix is very simple and is just one line of code: delete(signers, alg)

func UnregisterSigner(alg jwa.SignatureAlgorithm) {
	muSignerDB.Lock()
	delete(signerDB, alg)
+	delete(signers, alg)
	muSignerDB.Unlock()
}

Why are we having a problem with that and I'm wondering how nobody has had that problem before?

We use an external signing service and we register a custom signing algorithm with a specific implementation which under the hood calls another service (Hashicorp Vault) to produce the signature. For that we've created a small adapter to align the API client with the jws.Signer interface. Everything works correctly, until we have to write unit tests, where the signer implementation is a mock object, and is different for every test case.

When we run go test for multiple test cases where each case does UnregisterSigner/RegisterSigner to provide it's own mock implementation in order to test the different external responses, it breaks because the signer implementation remains the same for all tests.

Please attach the output of go version

go version go1.21.4 darwin/arm64

Expected behavior

I would expect that when you UnregisterSigner and then RegisterSigner again, the newly registered signer to be used for signing, and not a previous leftover one.
@penkovski penkovski changed the title jws.UnregisterSigner does not removes the underlying signer from the global signers map jws.UnregisterSigner does not remove the underlying signer from the global signers map Nov 18, 2023
@lestrrat
Copy link
Collaborator

lestrrat commented Nov 18, 2023
edited
Loading

Why are we having a problem with that and I'm wondering how nobody has had that problem before?

The sad truth is that people ask for features that the developers don't really use, they are asked for feedback for an implementation and they just kind of handwave it without much testing.

So yeah, this probably got overlooked because nobody was registering/unregistering multiple times in a program.

Anyways, please check #1017 and let me know if this fixes the problem for you.

@penkovski
Copy link
Author

Wow, that was very fast! Thank you for the great library, the fix looks good to me and resolves the issue.

@lestrrat
Copy link
Collaborator

Cool, I'll merge the fix after some cleaning up, but for the time being, please reference the commit hash as we'd like to wait for a few days before releasing fixes and wait for the dust to settle.

@lestrrat
Copy link
Collaborator

fixed by #1017

capri-xiyue pushed a commit to abcxyz/abc that referenced this issue Jan 23, 2024
@dependabot
Bump github.com/lestrrat-go/jwx/v2 from 2.0.12 to 2.0.19 (#375)
3d99e9b 
Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.12 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.12...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.12&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/abcxyz/abc/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
verbanicm pushed a commit to abcxyz/guardian that referenced this issue Jan 24, 2024
@dependabot
chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.11 to 2.0.19 (
cd08c95 
…#257)

Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.11 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.11...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.11&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/abcxyz/guardian/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
sethvargo pushed a commit to abcxyz/pmap that referenced this issue Jan 24, 2024
@dependabot
chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.12 to 2.0.19 (
3b9731f 
…#214)

Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.12 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.12...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.12&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/abcxyz/pmap/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
sethvargo pushed a commit to abcxyz/access-on-demand that referenced this issue Jan 24, 2024
@dependabot
build(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.12 to 2.0.19 (
e1dd5a1 
…#148)

Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.12 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.12...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.12&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/abcxyz/access-on-demand/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
mattrandallbecker pushed a commit to abcxyz/abc-updater that referenced this issue Jan 24, 2024
@dependabot
Bump github.com/lestrrat-go/jwx/v2 from 2.0.11 to 2.0.19 (#18)
37b9ecd 
Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.11 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.11...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.11&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/abcxyz/abc-updater/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
mattrandallbecker pushed a commit to abcxyz/jvs-plugin-jira that referenced this issue Jan 31, 2024
@dependabot
Bump github.com/lestrrat-go/jwx/v2 from 2.0.12 to 2.0.19 (#59)
91bbdad 
Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.12 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.12...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.12&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/abcxyz/jvs-plugin-jira/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
capri-xiyue pushed a commit to abcxyz/lumberjack that referenced this issue Jan 31, 2024
@dependabot
chore(deps): bump github.com/lestrrat-go/jwx/v2 from 2.0.13 to 2.0.19 (
0921847 
…#473)

Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.13 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
<h2>v2.0.16</h2>
<pre><code>v2.0.16 31 Oct 2023
[Security]
* [jws] ECDSA signature verification requires us to check if the
signature
&lt;/tr&gt;&lt;/table&gt; 
</code></pre>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
<p>v2.0.16 31 Oct 2023
[Security]</p>
<ul>
<li>
<p>[jws] ECDSA signature verification requires us to check if the
signature
is of the desired length of bytes, but this check that used to exist
before
had been removed in <a
href="https://redirect.github.com/lestrrat-go/jwx/issues/65">#65</a>,
resulting in certain malformed signatures to pass
verification.</p>
<p>One of the ways this could happen if R is a 31 byte integer and S is
32 byte integer,
both containing the correct signature values, but R is not
zero-padded.</p>
<p>Correct = R: [ 0 , ... ] (32 bytes) S: [ ... ] (32 bytes)
Wrong   = R: [ ... ] (31 bytes)     S: [ ... ] (32 bytes)</p>
<p>In order for this check to pass, you would still need to have all 63
bytes</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/3e23a27c76861ce73ca605b10969ba7107ec7117"><code>3e23a27</code></a>
Merge branch 'develop/v2' into v2</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1f04380ed3116b6e186f79757d8e5927d4c4e7ce"><code>1f04380</code></a>
Update Changes</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/16acb8bf5ce89020f6bffcfcc5b00b857f3ed55b"><code>16acb8b</code></a>
Fix ParseInsecure to parse the token even when a key is given (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1008">#1008</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/2ee2c134e04f55183f06a690d24a7f66f2b8b360"><code>2ee2c13</code></a>
Slightly tweak docs (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1010">#1010</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d93668b9930b6c09a3d22424a2279654823861cc"><code>d93668b</code></a>
fix typo (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1009">#1009</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1e3b4781d022b55772dab314a92b5e94784d8579"><code>1e3b478</code></a>
Add (jwk.Key).Validate (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1005">#1005</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/1ecc78f56c8831820056ead7d3d303e276a713d6"><code>1ecc78f</code></a>
[jws] check signature length (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1004">#1004</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.13...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.13&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/abcxyz/lumberjack/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
morri-son pushed a commit to open-component-model/ocm that referenced this issue Feb 21, 2024
@dependabot
Bump github.com/lestrrat-go/jwx/v2 from 2.0.16 to 2.0.19 (#635)
e73ce3a 
Bumps
[github.com/lestrrat-go/jwx/v2](https://github.com/lestrrat-go/jwx) from
2.0.16 to 2.0.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/releases">github.com/lestrrat-go/jwx/v2's
releases</a>.</em></p>
<blockquote>
<h2>v2.0.19</h2>
<pre><code>v2.0.19 09 Jan 2024
[New Features]
* [jws] Added jws.IsVerificationError to check if the error returned by
`jws.Verify`
was caused by actual verification step or something else, for example,
while fetching
    a key from datasource
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.
</code></pre></p>
</li>
</ul>
<h2>v2.0.18</h2>
<pre><code>v2.0.18 03 Dec 2023
[Security Fixes]
* [jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to https://nvd.nist.gov/vuln/detail/CVE-2022-36083. All users
who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the `jwt` package are not immediately susceptible unless they explicitly
try to decrypt
JWTs -- by default the `jwt` package verifies signatures, but does not
decrypt messages.
    [GHSA-7f9x-gw85-8grf]
</code></pre>
<h2>v2.0.17</h2>
<pre><code>v2.0.17 20 Nov 2023
[Bug Fixes]
* [jws] Previously, `jws.UnregisterSigner` did not remove the previous
signer instance when
the signer was registered and unregistered multiple times
([#1016](lestrrat-go/jwx#1016)). This has been
fixed.
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.
</code></pre></li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/lestrrat-go/jwx/blob/develop/v2/Changes">github.com/lestrrat-go/jwx/v2's
changelog</a>.</em></p>
<blockquote>
<p>v2.0.19 09 Jan 2024
[New Features]</p>
<ul>
<li>[jws] Added jws.IsVerificationError to check if the error returned
by <code>jws.Verify</code>
was caused by actual verification step or something else, for example,
while fetching
a key from datasource</li>
</ul>
<p>[Security Fixes]</p>
<ul>
<li>
<p>[jws] JWS messages formated in full JSON format (i.e. not the compact
format, which
consists of three base64 strings concatenated with a '.') with missing
&quot;protected&quot;
headers could cause a panic, thereby introducing a possiblity of a
DoS.</p>
<p>This has been fixed so that the <code>jws.Parse</code> function
succeeds in parsing a JWS message
lacking a protected header. Calling <code>jws.Verify</code> on this same
JWS message will result
in a failed verification attempt. Note that this behavior will differ
slightly when
parsing JWS messages in compact form, which result in an error.</p>
</li>
</ul>
<p>v2.0.18 03 Dec 2023
[Security Fixes]</p>
<ul>
<li>[jwe] A large number in p2c parameter for PBKDF2 based encryptions
could cause a DoS attack,
similar to <a
href="https://nvd.nist.gov/vuln/detail/CVE-2022-36083">https://nvd.nist.gov/vuln/detail/CVE-2022-36083</a>.
All users who use JWE via this
package should upgrade. While the JOSE spec allows for encryption using
JWE on JWTs, users of
the <code>jwt</code> package are not immediately susceptible unless they
explicitly try to decrypt
JWTs -- by default the <code>jwt</code> package verifies signatures, but
does not decrypt messages.
[GHSA-7f9x-gw85-8grf]</li>
</ul>
<p>v2.0.17 20 Nov 2023
[Bug Fixes]</p>
<ul>
<li>[jws] Previously, <code>jws.UnregisterSigner</code> did not remove
the previous signer instance when
the signer was registered and unregistered multiple times (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1016">#1016</a>).
This has been fixed.</li>
</ul>
<p>[New Features]</p>
<ul>
<li>[jwe] (EXPERIMENTAL) <code>jwe.WithCEK</code> has been added to
extract the content encryption key (CEK) from the Decrypt
operation.</li>
<li>[jwe] (EXPERIMENTAL) <code>jwe.EncryptStatic</code> has been added
to encrypt content using a static CEK.
Using static CEKs has serious security implications, and you should not
use
this unless you completely understand the risks involved.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/d69a721931a5c48b9850a42404f18e143704adcd"><code>d69a721</code></a>
v2.0.19 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1051">#1051</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/e75b7c8dcbf8e56ecfbeb17b8b3ffaa81a96914f"><code>e75b7c8</code></a>
v2.0.18 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1022">#1022</a>)</li>
<li><a
href="https://github.com/lestrrat-go/jwx/commit/c02af3ecf9f8248181ce98056d90cd96605dd658"><code>c02af3e</code></a>
v2.0.17 (<a
href="https://redirect.github.com/lestrrat-go/jwx/issues/1019">#1019</a>)</li>
<li>See full diff in <a
href="https://github.com/lestrrat-go/jwx/compare/v2.0.16...v2.0.19">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/lestrrat-go/jwx/v2&package-manager=go_modules&previous-version=2.0.16&new-version=2.0.19)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/open-component-model/ocm/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lestrrat lestrrat

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lestrrat @penkovski