From 8dc4c4089be54b94ada625ddc2a9d4971ccb8a55 Mon Sep 17 00:00:00 2001
From: Eric Chiang
Date: Thu, 14 Dec 2017 09:37:55 -0800
Subject: [PATCH] pkg/controller/bootstrap: update jose package
---
 pkg/controller/bootstrap/BUILD | 2 +-
 pkg/controller/bootstrap/jws.go | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/pkg/controller/bootstrap/BUILD b/pkg/controller/bootstrap/BUILD
index 6dfcd204c9d..737dd4eae99 100644
--- a/pkg/controller/bootstrap/BUILD
+++ b/pkg/controller/bootstrap/BUILD
@@ -46,7 +46,7 @@ go_library(
         "//pkg/bootstrap/api:go_default_library",
         "//pkg/util/metrics:go_default_library",
         "//vendor/github.com/golang/glog:go_default_library",
-        "//vendor/github.com/square/go-jose:go_default_library",
+        "//vendor/gopkg.in/square/go-jose.v2:go_default_library",
         "//vendor/k8s.io/api/core/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
diff --git a/pkg/controller/bootstrap/jws.go b/pkg/controller/bootstrap/jws.go
index ec73ceb4887..273a002c202 100644
--- a/pkg/controller/bootstrap/jws.go
+++ b/pkg/controller/bootstrap/jws.go
@@ -20,19 +20,28 @@ import (
 	"fmt"
 	"strings"
-	jose "github.com/square/go-jose"
+	jose "gopkg.in/square/go-jose.v2"
 )
 // computeDetachedSig takes content and token details and computes a detached
 // JWS signature. This is described in Appendix F of RFC 7515. Basically, this
 // is a regular JWS with the content part of the signature elided.
 func computeDetachedSig(content, tokenID, tokenSecret string) (string, error) {
-	jwk := &jose.JsonWebKey{
+	jwk := &jose.JSONWebKey{
 		Key: []byte(tokenSecret),
 		KeyID: tokenID,
 	}
-	signer, err := jose.NewSigner(jose.HS256, jwk)
+	opts := &jose.SignerOptions{
+		// Since this is a symetric key, go-jose doesn't automatically include
+		// the KeyID as part of the protected header. We have to pass it here
+		// explicitly.
+		ExtraHeaders: map[jose.HeaderKey]interface{}{
+			"kid": tokenID,
+		},
+	}
+
+	signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: jwk}, opts)
 	if err != nil {
 		return "", fmt.Errorf("can't make a HS256 signer from the given token: %v", err)
 	}
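Review bot: The literal `"kid"` entry in the new `opts.ExtraHeaders` block is now the only thing that carries the token ID into the protected header, which the v1 call presumably emitted from `jwk.KeyID` on its own; nothing in the hunk pins that the emitted signature actually contains it, and a verifier that looks up the bootstrap token by `kid` would reject every signature if a later go-jose upgrade dropped the header or moved it out of the protected section. Because a detached-JWS signature covers the protected header, keeping `kid` there is what binds the token ID to the signature, so a unit test that parses computeDetachedSig's output and asserts the protected header's `kid` equals `tokenID` would guard this. The comment also has a typo: `// Since this is a symmetric key, go-jose doesn't automatically include`. computeDetachedSig continues past the end of the hunk.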