diff --git a/go.mod b/go.mod index 0a93718e4..70b6caa1c 100644 --- a/go.mod +++ b/go.mod @@ -148,7 +148,7 @@ require ( github.com/sigstore/timestamp-authority/v2 v2.0.6 // indirect github.com/spf13/cobra v1.10.2 // indirect github.com/spf13/pflag v1.0.10 // indirect - github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect + github.com/spiffe/go-spiffe/v2 v2.7.0 // indirect github.com/streadway/simpleuuid v0.0.0-20130420165545-6617b501e485 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect github.com/thales-e-security/pool v0.0.2 // indirect diff --git a/go.sum b/go.sum index e307fe795..9baf0fbc4 100644 --- a/go.sum +++ b/go.sum @@ -556,8 +556,8 @@ github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiT github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo= -github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs= +github.com/spiffe/go-spiffe/v2 v2.7.0 h1:uXe1MflJoHw58wAUvxVlcM7WpKtijWG7I1UidcGh6g4= +github.com/spiffe/go-spiffe/v2 v2.7.0/go.mod h1:47Q0Q9/AqGha8QLHp+kxpH4Wca7X7EnOtlIJy3mxZ3U= github.com/streadway/simpleuuid v0.0.0-20130420165545-6617b501e485 h1:tvEO2/Btzw9L4N2VlAHD7AXjk1g1yFTwbGEm8dz7QWY= github.com/streadway/simpleuuid v0.0.0-20130420165545-6617b501e485/go.mod h1:fMlyZAyOBbIsA9SgKX9V3X8DvF+5ImkZ+Z1HZcmo8Ec= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go index 712ec636b..95a3c1243 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/bundle.go @@ -14,6 +14,7 @@ import ( "github.com/go-jose/go-jose/v4" "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" + "github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle" "github.com/spiffe/go-spiffe/v2/internal/jwtutil" "github.com/spiffe/go-spiffe/v2/internal/x509util" "github.com/spiffe/go-spiffe/v2/spiffeid" @@ -22,6 +23,7 @@ import ( const ( x509SVIDUse = "x509-svid" jwtSVIDUse = "jwt-svid" + witSVIDUse = "wit-svid" ) type bundleDoc struct { @@ -41,6 +43,7 @@ type Bundle struct { refreshHint *time.Duration sequenceNumber *uint64 jwtAuthorities map[string]crypto.PublicKey + witAuthorities map[string]crypto.PublicKey x509Authorities []*x509.Certificate } @@ -49,6 +52,7 @@ func New(trustDomain spiffeid.TrustDomain) *Bundle { return &Bundle{ trustDomain: trustDomain, jwtAuthorities: make(map[string]crypto.PublicKey), + witAuthorities: make(map[string]crypto.PublicKey), } } @@ -105,7 +109,11 @@ func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error bundle.AddX509Authority(key.Certificates[0]) case jwtSVIDUse: if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil { - return nil, wrapSpiffebundleErr(fmt.Errorf("error adding authority %d of JWKS: %v", i, errors.Unwrap(err))) + return nil, wrapSpiffebundleErr(fmt.Errorf("error adding authority %d of JWKS: %w", i, errors.Unwrap(err))) + } + case witSVIDUse: + if err := bundle.AddWITAuthority(key.KeyID, key.Key); err != nil { + return nil, wrapSpiffebundleErr(fmt.Errorf("error adding WIT authority %d of JWKS: %w", i, errors.Unwrap(err))) } } } @@ -143,6 +151,21 @@ func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[str return bundle } +// FromWITAuthorities creates a new bundle from WIT authorities. +func FromWITAuthorities(trustDomain spiffeid.TrustDomain, witAuthorities map[string]crypto.PublicKey) *Bundle { + bundle := New(trustDomain) + bundle.witAuthorities = jwtutil.CopyJWTAuthorities(witAuthorities) + return bundle +} + +// FromWITBundle creates a bundle from a WIT bundle. +// The function panics in case of a nil WIT bundle. +func FromWITBundle(witBundle *witbundle.Bundle) *Bundle { + bundle := New(witBundle.TrustDomain()) + bundle.witAuthorities = witBundle.WITAuthorities() + return bundle +} + // TrustDomain returns the trust domain that the bundle belongs to. func (b *Bundle) TrustDomain() spiffeid.TrustDomain { return b.trustDomain @@ -263,12 +286,70 @@ func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey) { b.jwtAuthorities = jwtutil.CopyJWTAuthorities(jwtAuthorities) } -// Empty returns true if the bundle has no X.509 and JWT authorities. +// WITAuthorities returns the WIT authorities in the bundle, keyed by key ID. +func (b *Bundle) WITAuthorities() map[string]crypto.PublicKey { + b.mtx.RLock() + defer b.mtx.RUnlock() + + return jwtutil.CopyJWTAuthorities(b.witAuthorities) +} + +// FindWITAuthority finds the WIT authority with the given key ID from the bundle. +// If the authority is found, it is returned and the boolean is true. Otherwise, +// the returned value is nil and the boolean is false. +func (b *Bundle) FindWITAuthority(keyID string) (crypto.PublicKey, bool) { + b.mtx.RLock() + defer b.mtx.RUnlock() + + witAuthority, ok := b.witAuthorities[keyID] + return witAuthority, ok +} + +// HasWITAuthority returns true if the bundle has a WIT authority with the given key ID. +func (b *Bundle) HasWITAuthority(keyID string) bool { + b.mtx.RLock() + defer b.mtx.RUnlock() + + _, ok := b.witAuthorities[keyID] + return ok +} + +// AddWITAuthority adds a WIT authority to the bundle. If a WIT authority already exists +// under the given key ID, it is replaced. A key ID must be specified. +func (b *Bundle) AddWITAuthority(keyID string, witAuthority crypto.PublicKey) error { + if keyID == "" { + return wrapSpiffebundleErr(errors.New("keyID cannot be empty")) + } + + b.mtx.Lock() + defer b.mtx.Unlock() + + b.witAuthorities[keyID] = witAuthority + return nil +} + +// RemoveWITAuthority removes the WIT authority identified by the key ID from the bundle. +func (b *Bundle) RemoveWITAuthority(keyID string) { + b.mtx.Lock() + defer b.mtx.Unlock() + + delete(b.witAuthorities, keyID) +} + +// SetWITAuthorities sets the WIT authorities in the bundle. +func (b *Bundle) SetWITAuthorities(witAuthorities map[string]crypto.PublicKey) { + b.mtx.Lock() + defer b.mtx.Unlock() + + b.witAuthorities = jwtutil.CopyJWTAuthorities(witAuthorities) +} + +// Empty returns true if the bundle has no X.509, JWT, or WIT authorities. func (b *Bundle) Empty() bool { b.mtx.RLock() defer b.mtx.RUnlock() - return len(b.x509Authorities) == 0 && len(b.jwtAuthorities) == 0 + return len(b.x509Authorities) == 0 && len(b.jwtAuthorities) == 0 && len(b.witAuthorities) == 0 } // RefreshHint returns the refresh hint. If the refresh hint is set in @@ -359,6 +440,14 @@ func (b *Bundle) Marshal() ([]byte, error) { }) } + for keyID, witAuthority := range b.witAuthorities { + jwks.Keys = append(jwks.Keys, jose.JSONWebKey{ + Key: witAuthority, + KeyID: keyID, + Use: witSVIDUse, + }) + } + return json.Marshal(jwks) } @@ -373,6 +462,7 @@ func (b *Bundle) Clone() *Bundle { sequenceNumber: copySequenceNumber(b.sequenceNumber), x509Authorities: x509util.CopyX509Authorities(b.x509Authorities), jwtAuthorities: jwtutil.CopyJWTAuthorities(b.jwtAuthorities), + witAuthorities: jwtutil.CopyJWTAuthorities(b.witAuthorities), } } @@ -437,6 +527,28 @@ func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (* return b.JWTBundle(), nil } +// WITBundle returns a WIT bundle containing the WIT authorities in the SPIFFE bundle. +func (b *Bundle) WITBundle() *witbundle.Bundle { + b.mtx.RLock() + defer b.mtx.RUnlock() + + return witbundle.FromWITAuthorities(b.trustDomain, b.witAuthorities) +} + +// GetWITBundleForTrustDomain returns the WIT bundle of the given trust domain. +// It implements the witbundle.Source interface. An error will be returned if +// the trust domain does not match that of the bundle. +func (b *Bundle) GetWITBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*witbundle.Bundle, error) { + b.mtx.RLock() + defer b.mtx.RUnlock() + + if b.trustDomain != trustDomain { + return nil, wrapSpiffebundleErr(fmt.Errorf("no WIT bundle for trust domain %q", trustDomain)) + } + + return b.WITBundle(), nil +} + // Equal compares the bundle for equality against the given bundle. func (b *Bundle) Equal(other *Bundle) bool { if b == nil || other == nil { @@ -447,6 +559,7 @@ func (b *Bundle) Equal(other *Bundle) bool { refreshHintEqual(b.refreshHint, other.refreshHint) && sequenceNumberEqual(b.sequenceNumber, other.sequenceNumber) && jwtutil.JWTAuthoritiesEqual(b.jwtAuthorities, other.jwtAuthorities) && + jwtutil.JWTAuthoritiesEqual(b.witAuthorities, other.witAuthorities) && x509util.CertsEqual(b.x509Authorities, other.x509Authorities) } diff --git a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go index e0d5d4568..c2e02e6aa 100644 --- a/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go +++ b/vendor/github.com/spiffe/go-spiffe/v2/bundle/spiffebundle/set.go @@ -7,6 +7,7 @@ import ( "github.com/spiffe/go-spiffe/v2/bundle/jwtbundle" "github.com/spiffe/go-spiffe/v2/bundle/x509bundle" + "github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle" "github.com/spiffe/go-spiffe/v2/spiffeid" ) @@ -134,3 +135,17 @@ func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwt return bundle.JWTBundle(), nil } + +// GetWITBundleForTrustDomain returns the WIT bundle for the given trust +// domain. It implements the witbundle.Source interface. +func (s *Set) GetWITBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*witbundle.Bundle, error) { + s.mtx.RLock() + defer s.mtx.RUnlock() + + bundle, ok := s.bundles[trustDomain] + if !ok { + return nil, wrapSpiffebundleErr(fmt.Errorf("no WIT bundle for trust domain %q", trustDomain)) + } + + return bundle.WITBundle(), nil +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/bundle.go b/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/bundle.go new file mode 100644 index 000000000..dbf8cf3cd --- /dev/null +++ b/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/bundle.go @@ -0,0 +1,208 @@ +// Package witbundle provides support for WIT bundles, which are JWK Sets used +// to validate WIT-SVID signatures. +package witbundle + +import ( + "crypto" + "encoding/json" + "errors" + "fmt" + "io" + "os" + "sync" + + "github.com/go-jose/go-jose/v4" + "github.com/spiffe/go-spiffe/v2/internal/jwtutil" + "github.com/spiffe/go-spiffe/v2/spiffeid" +) + +// Bundle is a collection of trusted WIT authorities for a trust domain. +type Bundle struct { + trustDomain spiffeid.TrustDomain + + mtx sync.RWMutex + witAuthorities map[string]crypto.PublicKey +} + +// New creates a new empty bundle for the given trust domain. +func New(trustDomain spiffeid.TrustDomain) *Bundle { + return &Bundle{ + trustDomain: trustDomain, + witAuthorities: make(map[string]crypto.PublicKey), + } +} + +// FromWITAuthorities creates a new bundle from a map of WIT authorities keyed +// by key ID. +func FromWITAuthorities(trustDomain spiffeid.TrustDomain, witAuthorities map[string]crypto.PublicKey) *Bundle { + return &Bundle{ + trustDomain: trustDomain, + witAuthorities: jwtutil.CopyJWTAuthorities(witAuthorities), + } +} + +// Load loads a bundle from a file on disk. The file must contain a standard +// RFC 7517 JWKS document. +func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) { + bundleBytes, err := os.ReadFile(path) + if err != nil { + return nil, wrapErr(fmt.Errorf("unable to read WIT bundle: %w", err)) + } + + return Parse(trustDomain, bundleBytes) +} + +// Read decodes a bundle from a reader. The contents must contain a standard +// RFC 7517 JWKS document. +func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) { + b, err := io.ReadAll(r) + if err != nil { + return nil, wrapErr(fmt.Errorf("unable to read: %v", err)) + } + + return Parse(trustDomain, b) +} + +// Parse parses a bundle from a JWK Set JSON document. +func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) { + jwks := new(jose.JSONWebKeySet) + if err := json.Unmarshal(bundleBytes, jwks); err != nil { + return nil, wrapErr(fmt.Errorf("unable to parse JWKS: %v", err)) + } + + bundle := New(trustDomain) + for i, key := range jwks.Keys { + if err := bundle.AddWITAuthority(key.KeyID, key.Key); err != nil { + return nil, wrapErr(fmt.Errorf("error adding authority %d of JWKS: %v", i, errors.Unwrap(err))) + } + } + + return bundle, nil +} + +// TrustDomain returns the trust domain that the bundle belongs to. +func (b *Bundle) TrustDomain() spiffeid.TrustDomain { + return b.trustDomain +} + +// WITAuthorities returns the WIT authorities in the bundle, keyed by key ID. +func (b *Bundle) WITAuthorities() map[string]crypto.PublicKey { + b.mtx.RLock() + defer b.mtx.RUnlock() + + return jwtutil.CopyJWTAuthorities(b.witAuthorities) +} + +// FindWITAuthority finds the WIT authority with the given key ID from the bundle. +// If the authority is found, it is returned and the boolean is true. Otherwise, +// the returned value is nil and the boolean is false. +func (b *Bundle) FindWITAuthority(keyID string) (crypto.PublicKey, bool) { + b.mtx.RLock() + defer b.mtx.RUnlock() + + if witAuthority, ok := b.witAuthorities[keyID]; ok { + return witAuthority, true + } + return nil, false +} + +// HasWITAuthority returns true if the bundle has a WIT authority with the +// given key ID. +func (b *Bundle) HasWITAuthority(keyID string) bool { + b.mtx.RLock() + defer b.mtx.RUnlock() + + _, ok := b.witAuthorities[keyID] + return ok +} + +// AddWITAuthority adds a WIT authority to the bundle. If a WIT authority already +// exists under the given key ID, it is replaced. A key ID must be specified. +func (b *Bundle) AddWITAuthority(keyID string, witAuthority crypto.PublicKey) error { + if keyID == "" { + return wrapErr(errors.New("keyID cannot be empty")) + } + + b.mtx.Lock() + defer b.mtx.Unlock() + + b.witAuthorities[keyID] = witAuthority + return nil +} + +// RemoveWITAuthority removes the WIT authority identified by the key ID from +// the bundle. +func (b *Bundle) RemoveWITAuthority(keyID string) { + b.mtx.Lock() + defer b.mtx.Unlock() + + delete(b.witAuthorities, keyID) +} + +// SetWITAuthorities sets the WIT authorities in the bundle. +func (b *Bundle) SetWITAuthorities(witAuthorities map[string]crypto.PublicKey) { + b.mtx.Lock() + defer b.mtx.Unlock() + + b.witAuthorities = jwtutil.CopyJWTAuthorities(witAuthorities) +} + +// Empty returns true if the bundle has no WIT authorities. +func (b *Bundle) Empty() bool { + b.mtx.RLock() + defer b.mtx.RUnlock() + + return len(b.witAuthorities) == 0 +} + +// Marshal marshals the WIT bundle into a standard RFC 7517 JWKS document. +func (b *Bundle) Marshal() ([]byte, error) { + b.mtx.RLock() + defer b.mtx.RUnlock() + + jwks := jose.JSONWebKeySet{} + for keyID, witAuthority := range b.witAuthorities { + jwks.Keys = append(jwks.Keys, jose.JSONWebKey{ + Key: witAuthority, + KeyID: keyID, + }) + } + + return json.Marshal(jwks) +} + +// Clone clones the bundle. +func (b *Bundle) Clone() *Bundle { + b.mtx.RLock() + defer b.mtx.RUnlock() + + return FromWITAuthorities(b.trustDomain, b.witAuthorities) +} + +// Equal compares the bundle for equality against the given bundle. +func (b *Bundle) Equal(other *Bundle) bool { + if b == nil || other == nil { + return b == other + } + + return b.trustDomain == other.trustDomain && + jwtutil.JWTAuthoritiesEqual(b.witAuthorities, other.witAuthorities) +} + +// GetWITBundleForTrustDomain returns the WIT bundle for the given trust domain. +// It implements the Source interface. An error will be returned if the trust +// domain does not match that of the bundle. +func (b *Bundle) GetWITBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) { + b.mtx.RLock() + defer b.mtx.RUnlock() + + if b.trustDomain != trustDomain { + return nil, wrapErr(fmt.Errorf("no WIT bundle for trust domain %q", trustDomain)) + } + + return b, nil +} + +func wrapErr(err error) error { + return fmt.Errorf("witbundle: %w", err) +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/set.go b/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/set.go new file mode 100644 index 000000000..2a44c5a5d --- /dev/null +++ b/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/set.go @@ -0,0 +1,106 @@ +package witbundle + +import ( + "fmt" + "sort" + "sync" + + "github.com/spiffe/go-spiffe/v2/spiffeid" +) + +// Set is a set of WIT bundles, keyed by trust domain. +type Set struct { + mtx sync.RWMutex + bundles map[spiffeid.TrustDomain]*Bundle +} + +// NewSet creates a new set initialized with the given bundles. +func NewSet(bundles ...*Bundle) *Set { + bundlesMap := make(map[spiffeid.TrustDomain]*Bundle) + + for _, b := range bundles { + if b != nil { + bundlesMap[b.trustDomain] = b + } + } + + return &Set{ + bundles: bundlesMap, + } +} + +// Add adds a new bundle into the set. If a bundle already exists for the +// trust domain, the existing bundle is replaced. +func (s *Set) Add(bundle *Bundle) { + s.mtx.Lock() + defer s.mtx.Unlock() + + if bundle != nil { + s.bundles[bundle.trustDomain] = bundle + } +} + +// Remove removes the bundle for the given trust domain. +func (s *Set) Remove(trustDomain spiffeid.TrustDomain) { + s.mtx.Lock() + defer s.mtx.Unlock() + + delete(s.bundles, trustDomain) +} + +// Has returns true if there is a bundle for the given trust domain. +func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool { + s.mtx.RLock() + defer s.mtx.RUnlock() + + _, ok := s.bundles[trustDomain] + return ok +} + +// Get returns a bundle for the given trust domain. If the bundle is in the set +// it is returned and the boolean is true. Otherwise, the returned value is nil +// and the boolean is false. +func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool) { + s.mtx.RLock() + defer s.mtx.RUnlock() + + bundle, ok := s.bundles[trustDomain] + return bundle, ok +} + +// Bundles returns the bundles in the set sorted by trust domain. +func (s *Set) Bundles() []*Bundle { + s.mtx.RLock() + defer s.mtx.RUnlock() + + out := make([]*Bundle, 0, len(s.bundles)) + for _, bundle := range s.bundles { + out = append(out, bundle) + } + sort.Slice(out, func(a, b int) bool { + return out[a].TrustDomain().Compare(out[b].TrustDomain()) < 0 + }) + return out +} + +// Len returns the number of bundles in the set. +func (s *Set) Len() int { + s.mtx.RLock() + defer s.mtx.RUnlock() + + return len(s.bundles) +} + +// GetWITBundleForTrustDomain returns the WIT bundle for the given trust domain. +// It implements the Source interface. +func (s *Set) GetWITBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) { + s.mtx.RLock() + defer s.mtx.RUnlock() + + bundle, ok := s.bundles[trustDomain] + if !ok { + return nil, wrapErr(fmt.Errorf("no WIT bundle for trust domain %q", trustDomain)) + } + + return bundle, nil +} diff --git a/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/source.go b/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/source.go new file mode 100644 index 000000000..183ebd1b3 --- /dev/null +++ b/vendor/github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle/source.go @@ -0,0 +1,10 @@ +package witbundle + +import "github.com/spiffe/go-spiffe/v2/spiffeid" + +// Source represents a source of WIT bundles keyed by trust domain. +type Source interface { + // GetWITBundleForTrustDomain returns the WIT bundle for the given trust + // domain. + GetWITBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 0c3a77d7a..f1513438a 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -785,11 +785,12 @@ github.com/spf13/cobra # github.com/spf13/pflag v1.0.10 ## explicit; go 1.12 github.com/spf13/pflag -# github.com/spiffe/go-spiffe/v2 v2.6.0 +# github.com/spiffe/go-spiffe/v2 v2.7.0 ## explicit; go 1.24.0 github.com/spiffe/go-spiffe/v2/bundle/jwtbundle github.com/spiffe/go-spiffe/v2/bundle/spiffebundle github.com/spiffe/go-spiffe/v2/bundle/x509bundle +github.com/spiffe/go-spiffe/v2/exp/bundle/witbundle github.com/spiffe/go-spiffe/v2/internal/cryptoutil github.com/spiffe/go-spiffe/v2/internal/jwtutil github.com/spiffe/go-spiffe/v2/internal/pemutil