bump go-jose to v2.6.0

Update go-jose from v2.2.2 to v2.6.0.
This is to make the kubernetes code compatible with newer go-jose versions that have a small breaking change (`jwt.NewNumericDate()` returns a pointer).

Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>

vendor/gopkg.in/square/go-jose.v2/jwt/jwt.go

@@ -19,9 +19,10 @@ package jwt
 
 import (
 	"fmt"
-	"gopkg.in/square/go-jose.v2"
-	"gopkg.in/square/go-jose.v2/json"
 	"strings"
+
+	jose "gopkg.in/square/go-jose.v2"
+	"gopkg.in/square/go-jose.v2/json"
 )
 
 // JSONWebToken represents a JSON Web Token (as specified in RFC7519).
@@ -38,7 +39,9 @@ type NestedJSONWebToken struct {
 
 // Claims deserializes a JSONWebToken into dest using the provided key.
 func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
-	b, err := t.payload(key)
+	payloadKey := tryJWKS(t.Headers, key)
+
+	b, err := t.payload(payloadKey)
 	if err != nil {
 		return err
 	}
@@ -69,7 +72,9 @@ func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) erro
 }
 
 func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
-	b, err := t.enc.Decrypt(decryptionKey)
+	key := tryJWKS(t.Headers, decryptionKey)
+
+	b, err := t.enc.Decrypt(key)
 	if err != nil {
 		return nil, err
 	}
@@ -130,3 +135,35 @@ func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) {
 		Headers: []jose.Header{enc.Header},
 	}, nil
 }
+
+func tryJWKS(headers []jose.Header, key interface{}) interface{} {
+	var jwks jose.JSONWebKeySet
+
+	switch jwksType := key.(type) {
+	case *jose.JSONWebKeySet:
+		jwks = *jwksType
+	case jose.JSONWebKeySet:
+		jwks = jwksType
+	default:
+		return key
+	}
+
+	var kid string
+	for _, header := range headers {
+		if header.KeyID != "" {
+			kid = header.KeyID
+			break
+		}
+	}
+
+	if kid == "" {
+		return key
+	}
+
+	keys := jwks.Key(kid)
+	if len(keys) == 0 {
+		return key
+	}
+
+	return keys[0].Key
+}