Use go.step.sm/crypto/jose

Replace use of github.com/smallstep/cli/crypto with the new package go.step.sm/crypto/jose.
2020-08-24 14:44:11 -07:00 · 2020-08-24 14:44:11 -07:00 · ba918100d0
commit ba918100d0
parent 32ba80f446
53 changed files with 183 additions and 187 deletions
--- a/acme/account.go
+++ b/acme/account.go
@ -6,8 +6,8 @@ import (
 	"time"
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"go.step.sm/crypto/jose"
 )
 // Account is a subset of the internal account type containing only those
--- a/acme/account_test.go
+++ b/acme/account_test.go
@ -12,9 +12,9 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 )
 var (
--- a/acme/api/account_test.go
+++ b/acme/api/account_test.go
@ -16,7 +16,7 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 var (
--- a/acme/api/handler_test.go
+++ b/acme/api/handler_test.go
@ -19,7 +19,7 @@ import (
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
--- a/acme/api/middleware.go
+++ b/acme/api/middleware.go
@ -14,8 +14,8 @@ import (
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 )
--- a/acme/api/middleware_test.go
+++ b/acme/api/middleware_test.go
@ -18,8 +18,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/acme"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 )
 var testBody = []byte("foo")
--- a/acme/authority.go
+++ b/acme/authority.go
@ -14,8 +14,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
 	database "github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"go.step.sm/crypto/jose"
 )
 // Interface is the acme authority interface.
--- a/acme/authority_test.go
+++ b/acme/authority_test.go
@ -11,8 +11,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 )
 func TestAuthorityGetLink(t *testing.T) {
--- a/acme/challenge.go
+++ b/acme/challenge.go
@ -18,8 +18,8 @@ import (
 	"time"
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"go.step.sm/crypto/jose"
 )
 // Challenge is a subset of the challenge type containing only those attributes
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@ -28,9 +28,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/nosql"
 	"github.com/smallstep/nosql/database"
 	"go.step.sm/crypto/jose"
 )
 var testOps = ChallengeOptions{
--- a/acme/common.go
+++ b/acme/common.go
@ -8,7 +8,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 )
--- a/api/api_test.go
+++ b/api/api_test.go
@ -32,7 +32,7 @@ import (
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/logging"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"golang.org/x/crypto/ssh"
 )
--- a/authority/authority_test.go
+++ b/authority/authority_test.go
@ -15,14 +15,14 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
 func testAuthority(t *testing.T, opts ...Option) *Authority {
-	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
+	maxjwk, err := jose.ReadKey("testdata/secrets/max_pub.jwk")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_pub.jwk")
 	assert.FatalError(t, err)
 	disableRenewal := true
 	enableSSHCA := true
--- a/authority/authorize.go
+++ b/authority/authorize.go
@ -8,7 +8,7 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"golang.org/x/crypto/ssh"
 )
--- a/authority/authorize_test.go
+++ b/authority/authorize_test.go
@ -17,11 +17,10 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/ssh"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 var testAudiences = provisioner.Audiences{
@ -84,7 +83,7 @@ func generateToken(sub, iss, aud string, sans []string, iat time.Time, jwk *jose
 func TestAuthority_authorizeToken(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -112,16 +111,16 @@ func TestAuthority_authorizeToken(t *testing.T) {
 			}
 		},
 		"fail/prehistoric-token": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
-				IssuedAt:  jwt.NewNumericDate(now.Add(-time.Hour)),
+				IssuedAt:  jose.NewNumericDate(now.Add(-time.Hour)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -131,11 +130,11 @@ func TestAuthority_authorizeToken(t *testing.T) {
 			}
 		},
 		"fail/provisioner-not-found": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
@ -143,7 +142,7 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", "foo"))
 			assert.FatalError(t, err)
-			raw, err := jwt.Signed(_sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(_sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -153,15 +152,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 			}
 		},
 		"ok/simpledb": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -170,15 +169,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 		},
 		"fail/simpledb/token-already-used": func(t *testing.T) *authorizeTest {
 			_a := testAuthority(t)
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			_, err = _a.authorizeToken(context.Background(), raw)
 			assert.FatalError(t, err)
@ -197,15 +196,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				},
 			}
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  _a,
@ -220,15 +219,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				},
 			}
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  _a,
@ -245,15 +244,15 @@ func TestAuthority_authorizeToken(t *testing.T) {
 				},
 			}
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  _a,
@ -288,7 +287,7 @@ func TestAuthority_authorizeToken(t *testing.T) {
 func TestAuthority_authorizeRevoke(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -316,15 +315,15 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
 			}
 		},
 		"fail/token/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -334,15 +333,15 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
 			}
 		},
 		"ok/token": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -372,7 +371,7 @@ func TestAuthority_authorizeRevoke(t *testing.T) {
 func TestAuthority_authorizeSign(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -400,15 +399,15 @@ func TestAuthority_authorizeSign(t *testing.T) {
 			}
 		},
 		"fail/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -418,15 +417,15 @@ func TestAuthority_authorizeSign(t *testing.T) {
 			}
 		},
 		"ok": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "44",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -459,7 +458,7 @@ func TestAuthority_authorizeSign(t *testing.T) {
 func TestAuthority_Authorize(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -496,15 +495,15 @@ func TestAuthority_Authorize(t *testing.T) {
 			}
 		},
 		"ok/sign": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.Sign,
 				ID:        "1",
 			}
-			token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -522,15 +521,15 @@ func TestAuthority_Authorize(t *testing.T) {
 			}
 		},
 		"ok/revoke": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.Revoke,
 				ID:        "2",
 			}
-			token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -622,15 +621,15 @@ func TestAuthority_Authorize(t *testing.T) {
 			}
 		},
 		"ok/sshRevoke": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "test.smallstep.com",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRevoke,
 				ID:        "3",
 			}
-			token, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			token, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -892,7 +891,7 @@ func createSSHCert(cert *ssh.Certificate, signer ssh.Signer) (*ssh.Certificate,
 func TestAuthority_authorizeSSHSign(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -920,15 +919,15 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
 			}
 		},
 		"fail/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  validAudience,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -971,7 +970,7 @@ func TestAuthority_authorizeSSHSign(t *testing.T) {
 func TestAuthority_authorizeSSHRenew(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -999,15 +998,15 @@ func TestAuthority_authorizeSSHRenew(t *testing.T) {
 			}
 		},
 		"fail/sshRenew-unimplemented-jwk-provisioner": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRenew,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -1073,7 +1072,7 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
 		},
 	})}...)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -1100,15 +1099,15 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
 			}
 		},
 		"fail/invalid-subject": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRevoke,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
@ -1164,7 +1163,7 @@ func TestAuthority_authorizeSSHRevoke(t *testing.T) {
 func TestAuthority_authorizeSSHRekey(t *testing.T) {
 	a := testAuthority(t)
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -1192,15 +1191,15 @@ func TestAuthority_authorizeSSHRekey(t *testing.T) {
 			}
 		},
 		"fail/sshRekey-unimplemented-jwk-provisioner": func(t *testing.T) *authorizeTest {
-			cl := jwt.Claims{
+			cl := jose.Claims{
 				Subject:   "",
 				Issuer:    validIssuer,
-				NotBefore: jwt.NewNumericDate(now),
+				NotBefore: jose.NewNumericDate(now),
-				Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+				Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 				Audience:  testAudiences.SSHRekey,
 				ID:        "43",
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			return &authorizeTest{
 				auth:  a,
--- a/authority/config_test.go
+++ b/authority/config_test.go
@ -7,13 +7,13 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/authority/provisioner"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestConfigValidate(t *testing.T) {
-	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
+	maxjwk, err := jose.ReadKey("testdata/secrets/max_pub.jwk")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_pub.jwk")
 	assert.FatalError(t, err)
 	ac := &AuthConfig{
 		Provisioners: provisioner.List{
@ -224,9 +224,9 @@ func TestAuthConfigValidate(t *testing.T) {
 		CommonName:    "test",
 	}
-	maxjwk, err := stepJOSE.ParseKey("testdata/secrets/max_pub.jwk")
+	maxjwk, err := jose.ReadKey("testdata/secrets/max_pub.jwk")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_pub.jwk")
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_pub.jwk")
 	assert.FatalError(t, err)
 	p := provisioner.List{
 		&provisioner.JWK{
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -17,7 +17,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/aws_test.go
+++ b/authority/provisioner/aws_test.go
@ -20,7 +20,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestAWS_Getters(t *testing.T) {
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@ -14,7 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/azure_test.go
+++ b/authority/provisioner/azure_test.go
@ -18,7 +18,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestAzure_Getters(t *testing.T) {
--- a/authority/provisioner/collection.go
+++ b/authority/provisioner/collection.go
@ -13,7 +13,7 @@ import (
 	"sync"
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 // DefaultProvisionersLimit is the default limit for listing provisioners.
--- a/authority/provisioner/collection_test.go
+++ b/authority/provisioner/collection_test.go
@ -9,7 +9,7 @@ import (
 	"testing"
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestCollection_Load(t *testing.T) {
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@ -15,7 +15,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/gcp_test.go
+++ b/authority/provisioner/gcp_test.go
@ -19,7 +19,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestGCP_Getters(t *testing.T) {
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@ -8,7 +8,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@ -14,7 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestJWK_Getters(t *testing.T) {
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@ -11,7 +11,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
--- a/authority/provisioner/k8sSA_test.go
+++ b/authority/provisioner/k8sSA_test.go
@ -10,7 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func TestK8sSA_Getters(t *testing.T) {
--- a/authority/provisioner/keystore.go
+++ b/authority/provisioner/keystore.go
@ -10,7 +10,7 @@ import (
 	"time"
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 const (
--- a/authority/provisioner/keystore_test.go
+++ b/authority/provisioner/keystore_test.go
@ -8,7 +8,7 @@ import (
 	"time"
 	"github.com/smallstep/assert"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func Test_newKeyStore(t *testing.T) {
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -13,7 +13,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/oidc_test.go
+++ b/authority/provisioner/oidc_test.go
@ -15,7 +15,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 func Test_openIDConfiguration_Validate(t *testing.T) {
--- a/authority/provisioner/options.go
+++ b/authority/provisioner/options.go
@ -5,7 +5,7 @@ import (
 	"strings"
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/sshpop.go
+++ b/authority/provisioner/sshpop.go
@ -10,7 +10,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"golang.org/x/crypto/ssh"
 )
--- a/authority/provisioner/sshpop_test.go
+++ b/authority/provisioner/sshpop_test.go
@ -13,7 +13,7 @@ import (
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"golang.org/x/crypto/ssh"
 )
--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
@ -16,7 +16,7 @@ import (
 	"time"
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/ssh"
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@ -9,7 +9,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"go.step.sm/crypto/x509util"
 )
--- a/authority/provisioner/x5c_test.go
+++ b/authority/provisioner/x5c_test.go
@ -9,7 +9,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/assert"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 )
@ -154,7 +154,7 @@ M46l92gdOozT
 func TestX5C_authorizeToken(t *testing.T) {
 	x5cCerts, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 	assert.FatalError(t, err)
-	x5cJWK, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+	x5cJWK, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 	assert.FatalError(t, err)
 	type test struct {
@ -402,7 +402,7 @@ lgsqsR63is+0YQ==
 func TestX5C_AuthorizeSign(t *testing.T) {
 	certs, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 	assert.FatalError(t, err)
-	jwk, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+	jwk, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 	assert.FatalError(t, err)
 	type test struct {
@ -518,7 +518,7 @@ func TestX5C_AuthorizeRevoke(t *testing.T) {
 		"ok": func(t *testing.T) test {
 			certs, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 			assert.FatalError(t, err)
-			jwk, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+			jwk, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 			assert.FatalError(t, err)
 			p, err := generateX5C(nil)
@ -599,7 +599,7 @@ func TestX5C_AuthorizeRenew(t *testing.T) {
 func TestX5C_AuthorizeSSHSign(t *testing.T) {
 	x5cCerts, err := pemutil.ReadCertificateBundle("./testdata/certs/x5c-leaf.crt")
 	assert.FatalError(t, err)
-	x5cJWK, err := jose.ParseKey("./testdata/secrets/x5c-leaf.key")
+	x5cJWK, err := jose.ReadKey("./testdata/secrets/x5c-leaf.key")
 	assert.FatalError(t, err)
 	_, fn := mockNow()
--- a/authority/ssh.go
+++ b/authority/ssh.go
@ -14,7 +14,7 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/sshutil"
 	"golang.org/x/crypto/ssh"
--- a/authority/ssh_test.go
+++ b/authority/ssh_test.go
@ -19,7 +19,7 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
 	"github.com/smallstep/certificates/templates"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/sshutil"
 	"golang.org/x/crypto/ssh"
 )
--- a/authority/tls.go
+++ b/authority/tls.go
@ -15,7 +15,7 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
@ -281,7 +281,7 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 		errs.WithKeyVal("reason", revokeOpts.Reason),
 		errs.WithKeyVal("passiveOnly", revokeOpts.PassiveOnly),
 		errs.WithKeyVal("MTLS", revokeOpts.MTLS),
-		errs.WithKeyVal("context", string(provisioner.MethodFromContext(ctx))),
+		errs.WithKeyVal("context", provisioner.MethodFromContext(ctx).String()),
 	}
 	if revokeOpts.MTLS {
 		opts = append(opts, errs.WithKeyVal("certificate", base64.StdEncoding.EncodeToString(revokeOpts.Crt.Raw)))
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -22,7 +22,7 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
@ -219,7 +219,7 @@ func TestAuthority_Sign(t *testing.T) {
 	// Create a token to get test extra opts.
 	p := a.config.AuthorityConfig.Provisioners[1].(*provisioner.JWK)
-	key, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	key, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	token, err := generateToken("smallstep test", "step-cli", testAudiences.Sign[0], []string{"test.smallstep.com"}, time.Now(), key)
 	assert.FatalError(t, err)
@ -1000,7 +1000,7 @@ func TestAuthority_Revoke(t *testing.T) {
 	validAudience := testAudiences.Revoke
 	now := time.Now().UTC()
-	jwk, err := jose.ParseKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
+	jwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: jwk.Key},
@ -1193,7 +1193,7 @@ func TestAuthority_Revoke(t *testing.T) {
 					assert.Equals(t, ctxErr.Details["reasonCode"], tc.opts.ReasonCode)
 					assert.Equals(t, ctxErr.Details["reason"], tc.opts.Reason)
 					assert.Equals(t, ctxErr.Details["MTLS"], tc.opts.MTLS)
-					assert.Equals(t, ctxErr.Details["context"], string(provisioner.RevokeMethod))
+					assert.Equals(t, ctxErr.Details["context"], provisioner.RevokeMethod.String())
 					if tc.checkErrDetails != nil {
 						tc.checkErrDetails(ctxErr)
--- a/ca/acmeClient.go
+++ b/ca/acmeClient.go
@ -14,7 +14,7 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/acme"
 	acmeAPI "github.com/smallstep/certificates/acme/api"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 )
 // ACMEClient implements an HTTP client to an ACME API.
--- a/ca/acmeClient_test.go
+++ b/ca/acmeClient_test.go
@ -16,7 +16,7 @@ import (
 	"github.com/smallstep/certificates/acme"
 	acmeAPI "github.com/smallstep/certificates/acme/api"
 	"github.com/smallstep/certificates/api"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 )
--- a/ca/bootstrap.go
+++ b/ca/bootstrap.go
@ -8,8 +8,7 @@ import (
 	"strings"
 	"github.com/pkg/errors"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 type tokenClaims struct {
@ -20,7 +19,7 @@ type tokenClaims struct {
 // Bootstrap is a helper function that initializes a client with the
 // configuration in the bootstrap token.
 func Bootstrap(token string) (*Client, error) {
-	tok, err := jwt.ParseSigned(token)
+	tok, err := jose.ParseSigned(token)
 	if err != nil {
 		return nil, errors.Wrap(err, "error parsing token")
 	}
--- a/ca/bootstrap_test.go
+++ b/ca/bootstrap_test.go
@ -15,10 +15,8 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 	jose "gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 func newLocalListener() net.Listener {
@ -78,7 +76,7 @@ func startCAServer(configFile string) (*CA, string, error) {
 func generateBootstrapToken(ca, subject, sha string) string {
 	now := time.Now()
-	jwk, err := stepJOSE.ParseKey("testdata/secrets/ott_mariano_priv.jwk", stepJOSE.WithPassword([]byte("password")))
+	jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
 	if err != nil {
 		panic(err)
 	}
@ -93,21 +91,21 @@ func generateBootstrapToken(ca, subject, sha string) string {
 	}
 	cl := struct {
 		SHA string `json:"sha"`
-		jwt.Claims
+		jose.Claims
 		SANS []string `json:"sans"`
 	}{
 		SHA: sha,
-		Claims: jwt.Claims{
+		Claims: jose.Claims{
 			ID:        id,
 			Subject:   subject,
 			Issuer:    "mariano",
-			NotBefore: jwt.NewNumericDate(now),
+			NotBefore: jose.NewNumericDate(now),
-			Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+			Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 			Audience:  []string{ca + "/sign"},
 		},
 		SANS: []string{subject},
 	}
-	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+	raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 	if err != nil {
 		panic(err)
 	}
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@ -25,13 +25,11 @@ import (
 	"github.com/smallstep/certificates/authority"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/errs"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/randutil"
 	"go.step.sm/crypto/x509util"
 	jose "gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 type ClosingBuffer struct {
@ -95,7 +93,7 @@ func TestCASign(t *testing.T) {
 	assert.FatalError(t, err)
 	intermediateCert, err := pemutil.ReadCertificate("testdata/secrets/intermediate_ca.crt")
 	assert.FatalError(t, err)
-	clijwk, err := stepJOSE.ParseKey("testdata/secrets/step_cli_key_priv.jwk", stepJOSE.WithPassword([]byte("pass")))
+	clijwk, err := jose.ReadKey("testdata/secrets/step_cli_key_priv.jwk", jose.WithPassword([]byte("pass")))
 	assert.FatalError(t, err)
 	sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: clijwk.Key},
 		(&jose.SignerOptions{}).WithType("JWT").WithHeader("kid", clijwk.KeyID))
@ -177,20 +175,20 @@ ZEp7knvU2psWRw==
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
 			cl := struct {
-				jwt.Claims
+				jose.Claims
 				SANS []string `json:"sans"`
 			}{
-				Claims: jwt.Claims{
+				Claims: jose.Claims{
 					Subject:   "invalid",
 					Issuer:    "step-cli",
-					NotBefore: jwt.NewNumericDate(now),
+					NotBefore: jose.NewNumericDate(now),
-					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 					Audience:  validAud,
 					ID:        jti,
 				},
 				SANS: []string{"invalid"},
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			csr, err := getCSR(priv)
 			assert.FatalError(t, err)
@ -210,20 +208,20 @@ ZEp7knvU2psWRw==
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
 			cl := struct {
-				jwt.Claims
+				jose.Claims
 				SANS []string `json:"sans"`
 			}{
-				Claims: jwt.Claims{
+				Claims: jose.Claims{
 					Subject:   "test.smallstep.com",
 					Issuer:    "step-cli",
-					NotBefore: jwt.NewNumericDate(now),
+					NotBefore: jose.NewNumericDate(now),
-					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 					Audience:  validAud,
 					ID:        jti,
 				},
 				SANS: []string{"test.smallstep.com"},
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			csr, err := getCSR(priv)
 			assert.FatalError(t, err)
@ -244,19 +242,19 @@ ZEp7knvU2psWRw==
 			jti, err := randutil.ASCII(32)
 			assert.FatalError(t, err)
 			cl := struct {
-				jwt.Claims
+				jose.Claims
 				SANS []string `json:"sans"`
 			}{
-				Claims: jwt.Claims{
+				Claims: jose.Claims{
 					Subject:   "test.smallstep.com",
 					Issuer:    "step-cli",
-					NotBefore: jwt.NewNumericDate(now),
+					NotBefore: jose.NewNumericDate(now),
-					Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+					Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 					Audience:  validAud,
 					ID:        jti,
 				},
 			}
-			raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+			raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 			assert.FatalError(t, err)
 			csr, err := getCSR(priv)
 			assert.FatalError(t, err)
--- a/ca/provisioner.go
+++ b/ca/provisioner.go
@ -7,9 +7,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/cli/token"
 	"github.com/smallstep/cli/token/provision"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 )
--- a/ca/provisioner_test.go
+++ b/ca/provisioner_test.go
@ -7,13 +7,13 @@ import (
 	"testing"
 	"time"
-	"github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"
 )
 func getTestProvisioner(t *testing.T, caURL string) *Provisioner {
-	jwk, err := jose.ParseKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
+	jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ca/tls_test.go
+++ b/ca/tls_test.go
@ -18,15 +18,13 @@ import (
 	"github.com/smallstep/certificates/api"
 	"github.com/smallstep/certificates/authority"
-	stepJOSE "github.com/smallstep/cli/jose"
+	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/randutil"
 	jose "gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 func generateOTT(subject string) string {
 	now := time.Now()
-	jwk, err := stepJOSE.ParseKey("testdata/secrets/ott_mariano_priv.jwk", stepJOSE.WithPassword([]byte("password")))
+	jwk, err := jose.ReadKey("testdata/secrets/ott_mariano_priv.jwk", jose.WithPassword([]byte("password")))
 	if err != nil {
 		panic(err)
 	}
@ -40,20 +38,20 @@ func generateOTT(subject string) string {
 		panic(err)
 	}
 	cl := struct {
-		jwt.Claims
+		jose.Claims
 		SANS []string `json:"sans"`
 	}{
-		Claims: jwt.Claims{
+		Claims: jose.Claims{
 			ID:        id,
 			Subject:   subject,
 			Issuer:    "mariano",
-			NotBefore: jwt.NewNumericDate(now),
+			NotBefore: jose.NewNumericDate(now),
-			Expiry:    jwt.NewNumericDate(now.Add(time.Minute)),
+			Expiry:    jose.NewNumericDate(now.Add(time.Minute)),
 			Audience:  []string{"https://127.0.0.1:0/sign"},
 		},
 		SANS: []string{subject},
 	}
-	raw, err := jwt.Signed(sig).Claims(cl).CompactSerialize()
+	raw, err := jose.Signed(sig).Claims(cl).CompactSerialize()
 	if err != nil {
 		panic(err)
 	}
--- a/go.mod
+++ b/go.mod
@ -13,7 +13,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/rs/xid v1.2.1
 	github.com/sirupsen/logrus v1.4.2
-	github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15
+	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/cli v0.14.7-rc.1.0.20200721180458-731b7c4c8c95
 	github.com/smallstep/nosql v0.3.0
 	github.com/urfave/cli v1.22.2
@ -23,9 +23,9 @@ require (
 	google.golang.org/api v0.15.0
 	google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb
 	google.golang.org/grpc v1.26.0
-	gopkg.in/square/go-jose.v2 v2.4.0
+	gopkg.in/square/go-jose.v2 v2.5.1
 )
 // replace github.com/smallstep/cli => ../cli
 // replace github.com/smallstep/nosql => ../nosql
-// replace go.step.sm/crypto => ../crypto
+replace go.step.sm/crypto => ../crypto
--- a/go.sum
+++ b/go.sum
@ -476,6 +476,8 @@ github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5 h1:lX6ybsQW9Agn3q
 github.com/smallstep/assert v0.0.0-20180720014142-de77670473b5/go.mod h1:TC9A4+RjIOS+HyTH7wG17/gSqVv95uDw2J64dQZx7RE=
 github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15 h1:kSImCuenAkXtCaBeQ1UhmzzJGRhSm8sVH7I3sHE2Qdg=
 github.com/smallstep/assert v0.0.0-20200103212524-b99dc1097b15/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
 github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
 github.com/smallstep/certificates v0.14.5/go.mod h1:zzpB8wMz967gL8FmK6zvCNB4pDVwFDKjPg1diTVc1h8=
 github.com/smallstep/certinfo v1.3.0/go.mod h1:1gQJekdPwPvUwFWGTi7bZELmQT09cxC9wJ0VBkBNiwU=
 github.com/smallstep/cli v0.14.5/go.mod h1:mRFuqC3cGwQESBGJvog4o76jZZZ7bMjkE+hAnq2QyR8=
@ -804,6 +806,8 @@ gopkg.in/ini.v1 v1.51.1/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.4.0 h1:0kXPskUMGAXXWJlP05ktEMOV0vmzFQUWw6d+aZJQU8A=
 gopkg.in/square/go-jose.v2 v2.4.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/square/go-jose.v2 v2.5.1 h1:7odma5RETjNHWJnR32wx8t+Io4djHE1PqxCFx3iiZ2w=
 gopkg.in/square/go-jose.v2 v2.5.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/pki/pki.go
+++ b/pki/pki.go
@ -23,9 +23,9 @@ import (
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/cli/config"
 	"github.com/smallstep/cli/errs"
 	"github.com/smallstep/cli/jose"
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"