Backport of Easy go-jose updates (the codeless[ish] ones) into release/1.17.x#28146

Closed
hc-github-team-secure-vault-core wants to merge 3 commits into release/1.17.x from backport/VAULT-28868/codeless-changes/kindly-ace-crab
Conversation

@hc-github-team-secure-vault-core
Collaborator

Backport

This PR is auto-generated from #28140 to be assessed for backporting due to the inclusion of the label backport/1.17.x.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@kpcraig
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/vault/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


These are the (mostly) codeless changes required to remove our dependency on vulnerable versions of go-jose (before v2.6.3, v3.0.3, or v4.0.1)

There is one transitive hashicorp-controlled dependency on an old go-jose, at hashicorp/vault-testing-stepwise. A PR for this has been merged, but updating here is waiting on a docker issue, since vault-testing-stepwise updated docker in v.0.2.0.

The most invasive change included here is on google/tink-go, which went through a few 'organizational' changes since we updated it. To get to a non-vulnerable version, I had to move us to the new import path tink-crypto/tink-go. This isn't the latest path, but rather the nearest equivalent to what we were using that didn't depend on a "bad" go-jose.


Overview of commits

@hashicorp-cla-app

hashicorp-cla-app Bot commented Aug 21, 2024

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


1 out of 2 committers have signed the CLA.

  • kpcraig
  • temp

temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.

@github-actions github-actions Bot added the label hashicorp-contributed-pr (If the PR is HashiCorp (i.e. not-community) contributed) Aug 21, 2024
@github-actions

github-actions Bot commented Aug 21, 2024

CI Results:
All Go tests succeeded! ✅

@kpcraig kpcraig added this to the 1.17.4 milestone Aug 21, 2024
@kpcraig kpcraig marked this pull request as ready for review August 21, 2024 19:33
@kpcraig kpcraig requested a review from a team as a code owner August 21, 2024 19:33
@github-actions github-actions Bot commented Aug 21, 2024

Build Results:
All builds succeeded! ✅

@kpcraig
Contributor

kpcraig commented Aug 22, 2024

In addition to the Okta issue, there are two remaining dependencies on old jose that are "stuck" - vault -> docker 25.0.6 -> containerd 1.7.12 -> jose 2.5.1, and vault -> vault-testing-stepwise -> docker 25.0.6 (see hashicorp/go-secure-stdlib#132)

Due to the linked issue, these are left for a future update (possibly along with the aforementioned Okta?)
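The PR body gives the first non-vulnerable go-jose release per major series (v2.6.3, v3.0.3, v4.0.1), and the comment above shows how such versions can hide behind a transitive chain. The following is an added example, not Vault's own code: it scans the output of `go list -m all` (a real Go command; the sample output embedded here is constructed) and flags any go-jose module below the threshold for its major series. It handles two details a naive string compare gets wrong: a replace directive (`path old => newpath new`), where the version actually built is the last field, and Go pseudo-versions such as `v2.6.3-0.<timestamp>-<hash>`, which sort before v2.6.3 and are therefore still below the fix. The module paths `gopkg.in/square/go-jose.v2` and `github.com/go-jose/go-jose/v3`/`v4` are the real import paths; the `example/app` module and the version mix in the sample are invented for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Version is a MAJOR.MINOR.PATCH triple plus a flag for a pre-release suffix.
// Go pseudo-versions such as v2.6.3-0.20240101000000-abcdefabcdef sort
// *before* v2.6.3, so the suffix matters for a "fixed in" comparison.
type Version struct {
	Nums [3]int
	Pre  bool
}

// fixedGoJose holds, per major series, the first non-vulnerable go-jose
// release as stated in the PR description (v2.6.3, v3.0.3, v4.0.1).
var fixedGoJose = map[int]Version{
	2: {Nums: [3]int{2, 6, 3}},
	3: {Nums: [3]int{3, 0, 3}},
	4: {Nums: [3]int{4, 0, 1}},
}

// parseVersion parses a Go module version string ("v2.5.1",
// "v25.0.6+incompatible", "v2.6.3-0.2024...-abc"). It returns ok=false for
// anything that is not vMAJOR.MINOR.PATCH at its core.
func parseVersion(s string) (Version, bool) {
	var v Version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.Pre = s[i] == '-' // "-..." is a pre-release; "+incompatible" is not
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return Version{}, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, false
		}
		v.Nums[i] = n
	}
	return v, true
}

// olderThan reports whether a sorts strictly before b under semver rules.
func olderThan(a, b Version) bool {
	for i := 0; i < 3; i++ {
		if a.Nums[i] != b.Nums[i] {
			return a.Nums[i] < b.Nums[i]
		}
	}
	// Same numeric triple: only a pre-release of b's version is older than b.
	return a.Pre && !b.Pre
}

// Finding is one module line that sits below the fixed threshold.
type Finding struct {
	Path, Version, Fixed string
}

// vulnerableGoJose scans "go list -m all" style output and reports go-jose
// modules older than the fixed release of their major series.
func vulnerableGoJose(goListOutput string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// The main module is printed with no version; skip it and non-jose lines.
		if len(fields) < 2 || !strings.Contains(fields[0], "go-jose") {
			continue
		}
		// A replace directive prints "path old => newpath new"; the version
		// actually built is the last field.
		path, ver := fields[0], fields[len(fields)-1]
		got, ok := parseVersion(ver)
		if !ok {
			continue
		}
		fixed, known := fixedGoJose[got.Nums[0]]
		if !known {
			continue // a major series the stated thresholds do not cover
		}
		if olderThan(got, fixed) {
			findings = append(findings, Finding{
				Path:    path,
				Version: ver,
				Fixed:   fmt.Sprintf("v%d.%d.%d", fixed.Nums[0], fixed.Nums[1], fixed.Nums[2]),
			})
		}
	}
	return findings
}

// sampleGoList is constructed sample output, not a real module graph.
const sampleGoList = `github.com/example/app
gopkg.in/square/go-jose.v2 v2.5.1
github.com/go-jose/go-jose/v3 v3.0.3
github.com/go-jose/go-jose/v4 v4.0.0
github.com/docker/docker v25.0.6+incompatible
`

func main() {
	// In a real check, feed in the output of: go list -m all
	for _, f := range vulnerableGoJose(sampleGoList) {
		fmt.Printf("%s %s is below the fixed release %s\n", f.Path, f.Version, f.Fixed)
	}
}
```

On the constructed sample this reports the v2.5.1 and v4.0.0 lines and accepts v3.0.3; running it against `go list -m all` output from a module that still pulls in the containerd chain mentioned above would surface the jose 2.5.1 entry the same way.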

@kpcraig
Contributor

kpcraig commented Aug 22, 2024

The fixed version of this backport has merged: #28152, so I'm closing this.

@kpcraig kpcraig closed this Aug 22, 2024
@kpcraig kpcraig deleted the backport/VAULT-28868/codeless-changes/kindly-ace-crab branch August 22, 2024 17:03

Labels

hashicorp-contributed-pr (If the PR is HashiCorp (i.e. not-community) contributed)
pr/no-changelog
