jws: improve fix for CVE-2025-22868

[jub0bs]

The fix for CVE-2025-22868 relies on strings.Count, which isn't ideal
because it precludes failing fast when the token contains an unexpected
number of periods. Moreover, Verify still allocates more than necessary.

Eschew strings.Count in favor of strings.Cut. Some benchmark results:

goos: darwin
goarch: amd64
pkg: golang.org/x/oauth2/jws
cpu: Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
│ old │ new │
│ sec/op │ sec/op vs base │
Verify/full_of_periods-8 24862.50n ± 1% 57.87n ± 0% -99.77% (p=0.000 n=20)
Verify/two_trailing_periods-8 3.485m ± 1% 3.445m ± 1% -1.13% (p=0.003 n=20)
geomean 294.3µ 14.12µ -95.20%

                          │     old      │                  new                   │
                          │     B/op     │     B/op      vs base                  │

Verify/full_of_periods-8 16.00 ± 0% 16.00 ± 0% ~ (p=1.000 n=20) ¹
Verify/two_trailing_periods-8 2.001Mi ± 0% 1.001Mi ± 0% -49.98% (p=0.000 n=20)
geomean 5.658Ki 4.002Ki -29.27%
¹ all samples are equal

                          │     old     │                 new                  │
                          │  allocs/op  │ allocs/op   vs base                  │

Verify/full_of_periods-8 1.000 ± 0% 1.000 ± 0% ~ (p=1.000 n=20) ¹
Verify/two_trailing_periods-8 12.000 ± 0% 9.000 ± 0% -25.00% (p=0.000 n=20)
geomean 3.464 3.000 -13.40%
¹ all samples are equal

Also, remove all remaining calls to strings.Split.

Updates golang/go#71490

[gopherbot]

This PR (HEAD: 3fbd01c) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/oauth2/+/655455.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from jub0bs:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 4323f8e) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/oauth2/+/655455.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Neal Patel:

Patch Set 3:

(3 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: d5b383c) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/oauth2/+/655455.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from jub0bs:

Patch Set 5:

(3 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Neal Patel:

Patch Set 5: Code-Review+2 Commit-Queue+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 5:

Dry run: CV is trying the patch.

Bot data: {"action":"start","triggered_at":"2025-03-10T17:36:50Z","revision":"a1b1696d0b147aaf36dc61ffd9bc3cc6d750543e"}

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Neal Patel:

Patch Set 5: -Commit-Queue

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 5:

This CL has passed the run

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 5: LUCI-TryBot-Result+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Neal Patel:

Patch Set 5:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 3a82900) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/oauth2/+/655455.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from jub0bs:

Patch Set 6:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Neal Patel:

Patch Set 7: Code-Review+2 Commit-Queue+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 7:

Dry run: CV is trying the patch.

Bot data: {"action":"start","triggered_at":"2025-03-11T18:44:59Z","revision":"a9c20d14a9b323542435f1f8a017c879fe331163"}

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Neal Patel:

Patch Set 7: -Commit-Queue

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 7:

This CL has passed the run

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 7: LUCI-TryBot-Result+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Roland Shoemaker:

Patch Set 7: Code-Review+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/655455.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR is being closed because golang.org/cl/655455 has been merged.