Added JSON Decode and Encode helpers.

Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.

api/logical.go

@@ -2,8 +2,9 @@ package api
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 const (
@@ -113,9 +114,7 @@ func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
 
 	wrappedSecret := new(Secret)
 	buf := bytes.NewBufferString(secret.Data["response"].(string))
-	dec := json.NewDecoder(buf)
+	if err := jsonutil.DecodeJSONFromReader(buf, wrappedSecret); err != nil {
-	dec.UseNumber()
-	if err := dec.Decode(wrappedSecret); err != nil {
 		return nil, fmt.Errorf("error unmarshaling wrapped secret: %s", err)
 	}
 

api/response.go

@@ -2,10 +2,11 @@ package api
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 // Response is a raw response that wraps an HTTP response.
@@ -17,9 +18,7 @@ type Response struct {
 // will consume the response body, but will not close it. Close must
 // still be called.
 func (r *Response) DecodeJSON(out interface{}) error {
-	dec := json.NewDecoder(r.Body)
+	return jsonutil.DecodeJSONFromReader(r.Body, out)
-	dec.UseNumber()
-	return dec.Decode(out)
 }
 
 // Error returns an error response if there is one. If there is an error,
@@ -42,9 +41,7 @@ func (r *Response) Error() error {
 	// in a bytes.Reader here so that the JSON decoder doesn't move the
 	// read pointer for the original buffer.
 	var resp ErrorResponse
-	dec := json.NewDecoder(bytes.NewReader(bodyBuf.Bytes()))
+	if err := jsonutil.DecodeJSON(bodyBuf.Bytes(), &resp); err != nil {
-	dec.UseNumber()
-	if err := dec.Decode(&resp); err != nil {
 		// Ignore the decoding error and just drop the raw response
 		return fmt.Errorf(
 			"Error making API request.\n\n"+

api/secret.go

@@ -1,9 +1,10 @@
 package api
 
 import (
-	"encoding/json"
 	"io"
 	"time"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 // Secret is the structure returned for every secret within Vault.
@@ -56,9 +57,7 @@ type SecretAuth struct {
 func ParseSecret(r io.Reader) (*Secret, error) {
 	// First decode the JSON into a map[string]interface{}
 	var secret Secret
-	dec := json.NewDecoder(r)
+	if err := jsonutil.DecodeJSONFromReader(r, &secret); err != nil {
-	dec.UseNumber()
-	if err := dec.Decode(&secret); err != nil {
 		return nil, err
 	}
 

audit/format_json_test.go

@@ -9,6 +9,7 @@ import (
 
 	"errors"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -42,12 +43,12 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 		}
 
 		var expectedjson = new(JSONRequestEntry)
-		if err := json.Unmarshal([]byte(tc.Result), &expectedjson); err != nil {
+		if err := jsonutil.DecodeJSON([]byte(tc.Result), &expectedjson); err != nil {
 			t.Fatalf("bad json: %s", err)
 		}
 
 		var actualjson = new(JSONRequestEntry)
-		if err := json.Unmarshal([]byte(buf.String()), &actualjson); err != nil {
+		if err := jsonutil.DecodeJSON([]byte(buf.String()), &actualjson); err != nil {
 			t.Fatalf("bad json: %s", err)
 		}
 

builtin/credential/aws-ec2/path_login.go

@@ -1,7 +1,6 @@
 package awsec2
 
 import (
-	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"time"
@@ -9,6 +8,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/fullsailor/pkcs7"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -191,8 +191,7 @@ func (b *backend) parseIdentityDocument(s logical.Storage, pkcs7B64 string) (*id
 	}
 
 	var identityDoc identityDocument
-	err = json.Unmarshal(pkcs7Data.Content, &identityDoc)
+	if err := jsonutil.DecodeJSON(pkcs7Data.Content, &identityDoc); err != nil {
-	if err != nil {
 		return nil, err
 	}
 

builtin/logical/rabbitmq/backend_test.go

@@ -1,12 +1,12 @@
 package rabbitmq
 
 import (
-	"encoding/json"
 	"fmt"
 	"log"
 	"os"
 	"testing"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 	logicaltest "github.com/hashicorp/vault/logical/testing"
 	"github.com/michaelklishin/rabbit-hole"
@@ -189,7 +189,7 @@ func testAccStepReadRole(t *testing.T, name, tags, rawVHosts string) logicaltest
 			}
 
 			var vhosts map[string]vhostPermission
-			if err := json.Unmarshal([]byte(rawVHosts), &vhosts); err != nil {
+			if err := jsonutil.DecodeJSON([]byte(rawVHosts), &vhosts); err != nil {
 				return fmt.Errorf("bad expected vhosts %#v: %s", vhosts, err)
 			}
 

builtin/logical/rabbitmq/path_roles.go

@@ -1,10 +1,10 @@
 package rabbitmq
 
 import (
-	"encoding/json"
 	"fmt"
 
 	"github.com/fatih/structs"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -122,8 +122,7 @@ func (b *backend) pathRoleUpdate(req *logical.Request, d *framework.FieldData) (
 
 	var vhosts map[string]vhostPermission
 	if len(rawVHosts) > 0 {
-		err := json.Unmarshal([]byte(rawVHosts), &vhosts)
+		if err := jsonutil.DecodeJSON([]byte(rawVHosts), &vhosts); err != nil {
-		if err != nil {
 			return logical.ErrorResponse(fmt.Sprintf("failed to unmarshal vhosts: %s", err)), nil
 		}
 	}

builtin/logical/transit/lock_manager.go

@@ -1,11 +1,11 @@
 package transit
 
 import (
-	"encoding/json"
 	"errors"
 	"fmt"
 	"sync"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -321,7 +321,7 @@ func (lm *lockManager) getStoredPolicy(storage logical.Storage, name string) (*P
 	policy := &Policy{
 		Keys: KeyEntryMap{},
 	}
-	err = json.Unmarshal(raw.Value, policy)
+	err = jsonutil.DecodeJSON(raw.Value, policy)
 	if err != nil {
 		return nil, err
 	}

builtin/logical/transit/policy.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/vault/helper/certutil"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/kdf"
 	"github.com/hashicorp/vault/logical"
 )
@@ -42,12 +43,13 @@ func (kem KeyEntryMap) MarshalJSON() ([]byte, error) {
 }
 
 // MarshalJSON implements JSON unmarshaling
-func (kem KeyEntryMap) UnmarshalJSON(data []byte) error {
+func (kem KeyEntryMap) DecodeJSON(data []byte) error {
 	intermediate := map[string]KeyEntry{}
-	err := json.Unmarshal(data, &intermediate)
+
-	if err != nil {
+	if err := jsonutil.DecodeJSON(data, &intermediate); err != nil {
 		return err
 	}
+
 	for k, v := range intermediate {
 		keyval, err := strconv.Atoi(k)
 		if err != nil {
@@ -106,7 +108,7 @@ func (p *Policy) loadArchive(storage logical.Storage) (*ArchivedKeys, error) {
 		return archive, nil
 	}
 
-	if err := json.Unmarshal(raw.Value, archive); err != nil {
+	if err := jsonutil.DecodeJSON(raw.Value, archive); err != nil {
 		return nil, err
 	}
 

command/format_test.go

@@ -1,12 +1,12 @@
 package command
 
 import (
-	"encoding/json"
 	"strings"
 	"testing"
 
 	"github.com/ghodss/yaml"
 	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 var output string
@@ -43,7 +43,7 @@ func TestJsonFormatter(t *testing.T) {
 		t.Fatal(err)
 	}
 	var newUi mockUi
-	if err := json.Unmarshal([]byte(output), &newUi); err != nil {
+	if err := jsonutil.DecodeJSON([]byte(output), &newUi); err != nil {
 		t.Fatal(err)
 	}
 	if newUi.SampleData != ui.SampleData {

helper/certutil/helpers.go

@@ -9,13 +9,13 @@ import (
 	"crypto/rsa"
 	"crypto/sha1"
 	"crypto/x509"
-	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 	"strconv"
 	"strings"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/mitchellh/mapstructure"
 )
 
@@ -84,14 +84,14 @@ func ParsePKIMap(data map[string]interface{}) (*ParsedCertBundle, error) {
 // JSON not coming from the PKI backend.
 func ParsePKIJSON(input []byte) (*ParsedCertBundle, error) {
 	result := &CertBundle{}
-	err := json.Unmarshal(input, &result)
+	err := jsonutil.DecodeJSON(input, &result)
 
 	if err == nil {
 		return result.ToParsedCertBundle()
 	}
 
 	var secret Secret
-	err = json.Unmarshal(input, &secret)
+	err = jsonutil.DecodeJSON(input, &secret)
 
 	if err == nil {
 		return ParsePKIMap(secret.Data)

helper/kv-builder/builder.go

@@ -2,12 +2,13 @@ package kvbuilder
 
 import (
 	"bytes"
-	"encoding/json"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"strings"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 // Builder is a struct to build a key/value mapping based on a list
@@ -111,6 +112,5 @@ func (b *Builder) add(raw string) error {
 }
 
 func (b *Builder) addReader(r io.Reader) error {
-	dec := json.NewDecoder(r)
+	return jsonutil.DecodeJSONFromReader(r, &b.result)
-	return dec.Decode(&b.result)
 }

helper/mfa/duo/duo_test.go

@@ -1,20 +1,20 @@
 package duo
 
 import (
-	"encoding/json"
 	"net/url"
 	"strings"
 	"testing"
 
 	"github.com/duosecurity/duo_api_golang/authapi"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
 type MockClientData struct {
-	PreauthData *authapi.PreauthResult
+	PreauthData  *authapi.PreauthResult
 	PreauthError error
-	AuthData *authapi.AuthResult
+	AuthData     *authapi.AuthResult
-	AuthError error
+	AuthError    error
 }
 
 type MockAuthClient struct {
@@ -29,15 +29,15 @@ func (c *MockAuthClient) Auth(factor string, options ...func(*url.Values)) (*aut
 	return c.MockData.AuthData, c.MockData.AuthError
 }
 
-func MockGetDuoAuthClient(data *MockClientData) func (*logical.Request, *DuoConfig) (AuthClient, error) {
+func MockGetDuoAuthClient(data *MockClientData) func(*logical.Request, *DuoConfig) (AuthClient, error) {
-	return func (*logical.Request, *DuoConfig) (AuthClient, error) {
+	return func(*logical.Request, *DuoConfig) (AuthClient, error) {
 		return getDuoAuthClient(data), nil
 	}
 }
 
 func getDuoAuthClient(data *MockClientData) AuthClient {
 	var c MockAuthClient
-	// set default response to be successful  
+	// set default response to be successful
 	preauthSuccessJSON := `
 	{
 	  "Stat": "OK",
@@ -49,7 +49,7 @@ func getDuoAuthClient(data *MockClientData) AuthClient {
 	}`
 	if data.PreauthData == nil {
 		data.PreauthData = &authapi.PreauthResult{}
-		json.Unmarshal([]byte(preauthSuccessJSON), data.PreauthData)
+		jsonutil.DecodeJSON([]byte(preauthSuccessJSON), data.PreauthData)
 	}
 
 	authSuccessJSON := `
@@ -61,7 +61,7 @@ func getDuoAuthClient(data *MockClientData) AuthClient {
 	}`
 	if data.AuthData == nil {
 		data.AuthData = &authapi.AuthResult{}
-		json.Unmarshal([]byte(authSuccessJSON), data.AuthData)
+		jsonutil.DecodeJSON([]byte(authSuccessJSON), data.AuthData)
 	}
 
 	c.MockData = data
@@ -76,9 +76,9 @@ func TestDuoHandlerSuccess(t *testing.T) {
 		UsernameFormat: "%s",
 	}
 	duoAuthClient := getDuoAuthClient(&MockClientData{})
-	resp, err := duoHandler(duoConfig, duoAuthClient, &duoAuthRequest {
+	resp, err := duoHandler(duoConfig, duoAuthClient, &duoAuthRequest{
 		successResp: successResp,
-		username: "",
+		username:    "",
 	})
 	if err != nil {
 		t.Fatalf(err.Error())
@@ -98,7 +98,7 @@ func TestDuoHandlerReject(t *testing.T) {
 	    "Status_Msg": "Invalid auth"
 	  }
 	}`
-	json.Unmarshal([]byte(authRejectJSON), AuthData)
+	jsonutil.DecodeJSON([]byte(authRejectJSON), AuthData)
 	successResp := &logical.Response{
 		Auth: &logical.Auth{},
 	}
@@ -109,9 +109,9 @@ func TestDuoHandlerReject(t *testing.T) {
 	duoAuthClient := getDuoAuthClient(&MockClientData{
 		AuthData: AuthData,
 	})
-	resp, err := duoHandler(duoConfig, duoAuthClient, &duoAuthRequest {
+	resp, err := duoHandler(duoConfig, duoAuthClient, &duoAuthRequest{
 		successResp: successResp,
-		username: "user",
+		username:    "user",
 	})
 	if err != nil {
 		t.Fatalf(err.Error())

helper/pgpkeys/keybase.go

@@ -3,11 +3,11 @@ package pgpkeys
 import (
 	"bytes"
 	"encoding/base64"
-	"encoding/json"
 	"fmt"
 	"strings"
 
 	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"golang.org/x/crypto/openpgp"
 )
 
@@ -70,8 +70,7 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) {
 		Them: []them{},
 	}
 
-	dec := json.NewDecoder(resp.Body)
+	if err := jsonutil.DecodeJSONFromReader(resp.Body, out); err != nil {
-	if err := dec.Decode(out); err != nil {
 		return nil, err
 	}
 

http/handler.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/vault"
 )
@@ -81,8 +82,7 @@ func stripPrefix(prefix, path string) (string, bool) {
 }
 
 func parseRequest(r *http.Request, out interface{}) error {
-	dec := json.NewDecoder(r.Body)
+	err := jsonutil.DecodeJSONFromReader(r.Body, out)
-	err := dec.Decode(out)
 	if err != nil && err != io.EOF {
 		return fmt.Errorf("Failed to parse JSON input: %s", err)
 	}

http/handler_test.go

@@ -2,6 +2,7 @@ package http
 
 import (
 	"bytes"
+	"encoding/json"
 	"errors"
 	"net/http"
 	"net/http/httptest"
@@ -38,24 +39,24 @@ func TestSysMounts_headerAuth(t *testing.T) {
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}

http/http_test.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 func testHttpGet(t *testing.T, token string, addr string) *http.Response {
@@ -93,8 +94,7 @@ func testResponseStatus(t *testing.T, resp *http.Response, code int) {
 func testResponseBody(t *testing.T, resp *http.Response, out interface{}) {
 	defer resp.Body.Close()
 
-	dec := json.NewDecoder(resp.Body)
+	if err := jsonutil.DecodeJSONFromReader(resp.Body, out); err != nil {
-	if err := dec.Decode(out); err != nil {
 		t.Fatalf("err: %s", err)
 	}
 }

http/logical_test.go

@@ -2,10 +2,12 @@ package http
 
 import (
 	"bytes"
+	"encoding/json"
 	"io"
 	"log"
 	"os"
 	"reflect"
+	"strconv"
 	"testing"
 	"time"
 
@@ -39,7 +41,7 @@ func TestLogical(t *testing.T) {
 	var nilWarnings interface{}
 	expected := map[string]interface{}{
 		"renewable":      false,
-		"lease_duration": float64((30 * 24 * time.Hour) / time.Second),
+		"lease_duration": json.Number(strconv.Itoa(int((30 * 24 * time.Hour) / time.Second))),
 		"data": map[string]interface{}{
 			"data": "bar",
 		},
@@ -130,19 +132,19 @@ func TestLogical_StandbyRedirect(t *testing.T) {
 	var nilWarnings interface{}
 	expected := map[string]interface{}{
 		"renewable":      false,
-		"lease_duration": float64(0),
+		"lease_duration": json.Number("0"),
 		"data": map[string]interface{}{
 			"meta":             nil,
-			"num_uses":         float64(0),
+			"num_uses":         json.Number("0"),
 			"path":             "auth/token/root",
 			"policies":         []interface{}{"root"},
 			"display_name":     "root",
 			"orphan":           true,
 			"id":               root,
-			"ttl":              float64(0),
+			"ttl":              json.Number("0"),
-			"creation_ttl":     float64(0),
+			"creation_ttl":     json.Number("0"),
 			"role":             "",
-			"explicit_max_ttl": float64(0),
+			"explicit_max_ttl": json.Number("0"),
 		},
 		"warnings":  nilWarnings,
 		"wrap_info": nil,
@@ -181,13 +183,13 @@ func TestLogical_CreateToken(t *testing.T) {
 	expected := map[string]interface{}{
 		"lease_id":       "",
 		"renewable":      false,
-		"lease_duration": float64(0),
+		"lease_duration": json.Number("0"),
 		"data":           nil,
 		"wrap_info":      nil,
 		"auth": map[string]interface{}{
 			"policies":       []interface{}{"root"},
 			"metadata":       nil,
-			"lease_duration": float64(0),
+			"lease_duration": json.Number("0"),
 			"renewable":      true,
 		},
 		"warnings": nilWarnings,

http/sys_auth_test.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -21,8 +22,8 @@ func TestSysAuth(t *testing.T) {
 			"description": "token based credentials",
 			"type":        "token",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -53,16 +54,16 @@ func TestSysEnableAuth(t *testing.T) {
 			"description": "foo",
 			"type":        "noop",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"token/": map[string]interface{}{
 			"description": "token based credentials",
 			"type":        "token",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -94,8 +95,8 @@ func TestSysDisableAuth(t *testing.T) {
 	expected := map[string]interface{}{
 		"token/": map[string]interface{}{
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 			"description": "token based credentials",
 			"type":        "token",

http/sys_generate_root_test.go

@@ -3,6 +3,7 @@ package http
 import (
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/json"
 	"net/http"
 	"reflect"
 	"testing"
@@ -27,8 +28,8 @@ func TestSysGenerateRootAttempt_Status(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":            false,
-		"progress":           float64(0),
+		"progress":           json.Number("0"),
-		"required":           float64(1),
+		"required":           json.Number("1"),
 		"complete":           false,
 		"encoded_root_token": "",
 		"pgp_fingerprint":    "",
@@ -61,8 +62,8 @@ func TestSysGenerateRootAttempt_Setup_OTP(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":            true,
-		"progress":           float64(0),
+		"progress":           json.Number("0"),
-		"required":           float64(1),
+		"required":           json.Number("1"),
 		"complete":           false,
 		"encoded_root_token": "",
 		"pgp_fingerprint":    "",
@@ -82,8 +83,8 @@ func TestSysGenerateRootAttempt_Setup_OTP(t *testing.T) {
 	actual = map[string]interface{}{}
 	expected = map[string]interface{}{
 		"started":            true,
-		"progress":           float64(0),
+		"progress":           json.Number("0"),
-		"required":           float64(1),
+		"required":           json.Number("1"),
 		"complete":           false,
 		"encoded_root_token": "",
 		"pgp_fingerprint":    "",
@@ -115,8 +116,8 @@ func TestSysGenerateRootAttempt_Setup_PGP(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":            true,
-		"progress":           float64(0),
+		"progress":           json.Number("0"),
-		"required":           float64(1),
+		"required":           json.Number("1"),
 		"complete":           false,
 		"encoded_root_token": "",
 		"pgp_fingerprint":    "816938b8a29146fbe245dd29e7cbaf8e011db793",
@@ -151,8 +152,8 @@ func TestSysGenerateRootAttempt_Cancel(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":            true,
-		"progress":           float64(0),
+		"progress":           json.Number("0"),
-		"required":           float64(1),
+		"required":           json.Number("1"),
 		"complete":           false,
 		"encoded_root_token": "",
 		"pgp_fingerprint":    "",
@@ -178,8 +179,8 @@ func TestSysGenerateRootAttempt_Cancel(t *testing.T) {
 	actual = map[string]interface{}{}
 	expected = map[string]interface{}{
 		"started":            false,
-		"progress":           float64(0),
+		"progress":           json.Number("0"),
-		"required":           float64(1),
+		"required":           json.Number("1"),
 		"complete":           false,
 		"encoded_root_token": "",
 		"pgp_fingerprint":    "",
@@ -265,8 +266,8 @@ func TestSysGenerateRoot_Update_OTP(t *testing.T) {
 	expected := map[string]interface{}{
 		"complete":        true,
 		"nonce":           rootGenerationStatus["nonce"].(string),
-		"progress":        float64(1),
+		"progress":        json.Number("1"),
-		"required":        float64(1),
+		"required":        json.Number("1"),
 		"started":         true,
 		"pgp_fingerprint": "",
 	}
@@ -296,14 +297,14 @@ func TestSysGenerateRoot_Update_OTP(t *testing.T) {
 		"id":               newRootToken,
 		"display_name":     "root",
 		"meta":             interface{}(nil),
-		"num_uses":         float64(0),
+		"num_uses":         json.Number("0"),
 		"policies":         []interface{}{"root"},
 		"orphan":           true,
-		"creation_ttl":     float64(0),
+		"creation_ttl":     json.Number("0"),
-		"ttl":              float64(0),
+		"ttl":              json.Number("0"),
 		"path":             "auth/token/root",
 		"role":             "",
-		"explicit_max_ttl": float64(0),
+		"explicit_max_ttl": json.Number("0"),
 	}
 
 	resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")
@@ -347,8 +348,8 @@ func TestSysGenerateRoot_Update_PGP(t *testing.T) {
 	expected := map[string]interface{}{
 		"complete":        true,
 		"nonce":           rootGenerationStatus["nonce"].(string),
-		"progress":        float64(1),
+		"progress":        json.Number("1"),
-		"required":        float64(1),
+		"required":        json.Number("1"),
 		"started":         true,
 		"pgp_fingerprint": "816938b8a29146fbe245dd29e7cbaf8e011db793",
 	}
@@ -379,14 +380,14 @@ func TestSysGenerateRoot_Update_PGP(t *testing.T) {
 		"id":               newRootToken,
 		"display_name":     "root",
 		"meta":             interface{}(nil),
-		"num_uses":         float64(0),
+		"num_uses":         json.Number("0"),
 		"policies":         []interface{}{"root"},
 		"orphan":           true,
-		"creation_ttl":     float64(0),
+		"creation_ttl":     json.Number("0"),
-		"ttl":              float64(0),
+		"ttl":              json.Number("0"),
 		"path":             "auth/token/root",
 		"role":             "",
-		"explicit_max_ttl": float64(0),
+		"explicit_max_ttl": json.Number("0"),
 	}
 
 	resp = testHttpGet(t, newRootToken, addr+"/v1/auth/token/lookup-self")

http/sys_lease_test.go

@@ -1,9 +1,9 @@
 package http
 
 import (
-	"encoding/json"
 	"testing"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/vault"
 )
 
@@ -25,8 +25,7 @@ func TestSysRenew(t *testing.T) {
 	var result struct {
 		LeaseId string `json:"lease_id"`
 	}
-	dec := json.NewDecoder(resp.Body)
+	if err := jsonutil.DecodeJSONFromReader(resp.Body, &result); err != nil {
-	if err := dec.Decode(&result); err != nil {
 		t.Fatalf("bad: %s", err)
 	}
 

http/sys_mount_test.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -22,24 +23,24 @@ func TestSysMounts(t *testing.T) {
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -70,32 +71,32 @@ func TestSysMount(t *testing.T) {
 			"description": "foo",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"secret/": map[string]interface{}{
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -148,32 +149,32 @@ func TestSysRemount(t *testing.T) {
 			"description": "foo",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"secret/": map[string]interface{}{
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -207,24 +208,24 @@ func TestSysUnmount(t *testing.T) {
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -255,32 +256,32 @@ func TestSysTuneMount(t *testing.T) {
 			"description": "foo",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"secret/": map[string]interface{}{
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -332,32 +333,32 @@ func TestSysTuneMount(t *testing.T) {
 			"description": "foo",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(259196400),
+				"default_lease_ttl": json.Number("259196400"),
-				"max_lease_ttl":     float64(259200000),
+				"max_lease_ttl":     json.Number("259200000"),
 			},
 		},
 		"secret/": map[string]interface{}{
 			"description": "generic secret storage",
 			"type":        "generic",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"sys/": map[string]interface{}{
 			"description": "system endpoints used for control, policy and debugging",
 			"type":        "system",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 		"cubbyhole/": map[string]interface{}{
 			"description": "per-token private secret storage",
 			"type":        "cubbyhole",
 			"config": map[string]interface{}{
-				"default_lease_ttl": float64(0),
+				"default_lease_ttl": json.Number("0"),
-				"max_lease_ttl":     float64(0),
+				"max_lease_ttl":     json.Number("0"),
 			},
 		},
 	}
@@ -373,8 +374,8 @@ func TestSysTuneMount(t *testing.T) {
 	resp = testHttpGet(t, token, addr+"/v1/sys/mounts/foo/tune")
 	actual = map[string]interface{}{}
 	expected = map[string]interface{}{
-		"default_lease_ttl": float64(259196400),
+		"default_lease_ttl": json.Number("259196400"),
-		"max_lease_ttl":     float64(259200000),
+		"max_lease_ttl":     json.Number("259200000"),
 	}
 
 	testResponseStatus(t, resp, 200)
@@ -393,8 +394,8 @@ func TestSysTuneMount(t *testing.T) {
 	resp = testHttpGet(t, token, addr+"/v1/sys/mounts/secret/tune")
 	actual = map[string]interface{}{}
 	expected = map[string]interface{}{
-		"default_lease_ttl": float64(40),
+		"default_lease_ttl": json.Number("40"),
-		"max_lease_ttl":     float64(80),
+		"max_lease_ttl":     json.Number("80"),
 	}
 
 	testResponseStatus(t, resp, 200)

http/sys_rekey_test.go

@@ -2,6 +2,7 @@ package http
 
 import (
 	"encoding/hex"
+	"encoding/json"
 	"net/http"
 	"reflect"
 	"testing"
@@ -23,10 +24,10 @@ func TestSysRekeyInit_Status(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":          false,
-		"t":                float64(0),
+		"t":                json.Number("0"),
-		"n":                float64(0),
+		"n":                json.Number("0"),
-		"progress":         float64(0),
+		"progress":         json.Number("0"),
-		"required":         float64(1),
+		"required":         json.Number("1"),
 		"pgp_fingerprints": interface{}(nil),
 		"backup":           false,
 		"nonce":            "",
@@ -53,10 +54,10 @@ func TestSysRekeyInit_Setup(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":          true,
-		"t":                float64(3),
+		"t":                json.Number("3"),
-		"n":                float64(5),
+		"n":                json.Number("5"),
-		"progress":         float64(0),
+		"progress":         json.Number("0"),
-		"required":         float64(1),
+		"required":         json.Number("1"),
 		"pgp_fingerprints": interface{}(nil),
 		"backup":           false,
 	}
@@ -75,10 +76,10 @@ func TestSysRekeyInit_Setup(t *testing.T) {
 	actual = map[string]interface{}{}
 	expected = map[string]interface{}{
 		"started":          true,
-		"t":                float64(3),
+		"t":                json.Number("3"),
-		"n":                float64(5),
+		"n":                json.Number("5"),
-		"progress":         float64(0),
+		"progress":         json.Number("0"),
-		"required":         float64(1),
+		"required":         json.Number("1"),
 		"pgp_fingerprints": interface{}(nil),
 		"backup":           false,
 	}
@@ -119,10 +120,10 @@ func TestSysRekeyInit_Cancel(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"started":          false,
-		"t":                float64(0),
+		"t":                json.Number("0"),
-		"n":                float64(0),
+		"n":                json.Number("0"),
-		"progress":         float64(0),
+		"progress":         json.Number("0"),
-		"required":         float64(1),
+		"required":         json.Number("1"),
 		"pgp_fingerprints": interface{}(nil),
 		"backup":           false,
 		"nonce":            "",

http/sys_rotate_test.go

@@ -1,6 +1,7 @@
 package http
 
 import (
+	"encoding/json"
 	"reflect"
 	"testing"
 
@@ -20,7 +21,7 @@ func TestSysRotate(t *testing.T) {
 
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
-		"term": float64(2),
+		"term": json.Number("2"),
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)

http/sys_seal_test.go

@@ -2,8 +2,11 @@ package http
 
 import (
 	"encoding/hex"
+	"encoding/json"
+	"log"
 	"net/http"
 	"reflect"
+	"strconv"
 	"testing"
 
 	"github.com/hashicorp/vault/logical"
@@ -24,9 +27,9 @@ func TestSysSealStatus(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"sealed":   true,
-		"t":        float64(1),
+		"t":        json.Number("1"),
-		"n":        float64(1),
+		"n":        json.Number("1"),
-		"progress": float64(0),
+		"progress": json.Number("0"),
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
@@ -96,9 +99,9 @@ func TestSysUnseal(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"sealed":   false,
-		"t":        float64(1),
+		"t":        json.Number("1"),
-		"n":        float64(1),
+		"n":        json.Number("1"),
-		"progress": float64(0),
+		"progress": json.Number("0"),
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
@@ -120,9 +123,9 @@ func TestSysUnseal_badKey(t *testing.T) {
 	var actual map[string]interface{}
 	expected := map[string]interface{}{
 		"sealed":   true,
-		"t":        float64(1),
+		"t":        json.Number("1"),
-		"n":        float64(1),
+		"n":        json.Number("1"),
-		"progress": float64(0),
+		"progress": json.Number("0"),
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)
@@ -161,15 +164,16 @@ func TestSysUnseal_Reset(t *testing.T) {
 		var actual map[string]interface{}
 		expected := map[string]interface{}{
 			"sealed":   true,
-			"t":        float64(3),
+			"t":        json.Number("3"),
-			"n":        float64(5),
+			"n":        json.Number("5"),
-			"progress": float64(i + 1),
+			"progress": json.Number(strconv.Itoa(i + 1)),
 		}
 		testResponseStatus(t, resp, 200)
 		testResponseBody(t, resp, &actual)
 		if !reflect.DeepEqual(actual, expected) {
 			t.Fatalf("\nexpected:\n%#v\nactual:\n%#v\n", expected, actual)
 		}
+		log.Printf("reached here\n")
 	}
 
 	resp = testHttpPut(t, "", addr+"/v1/sys/unseal", map[string]interface{}{
@@ -179,9 +183,9 @@ func TestSysUnseal_Reset(t *testing.T) {
 	actual = map[string]interface{}{}
 	expected := map[string]interface{}{
 		"sealed":   true,
-		"t":        float64(3),
+		"t":        json.Number("3"),
-		"n":        float64(5),
+		"n":        json.Number("5"),
-		"progress": float64(0),
+		"progress": json.Number("0"),
 	}
 	testResponseStatus(t, resp, 200)
 	testResponseBody(t, resp, &actual)

logical/framework/path_struct.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -31,7 +32,7 @@ func (p *PathStruct) Get(s logical.Storage) (map[string]interface{}, error) {
 	}
 
 	var result map[string]interface{}
-	if err := json.Unmarshal(entry.Value, &result); err != nil {
+	if err := jsonutil.DecodeJSON(entry.Value, &result); err != nil {
 		return nil, err
 	}
 

logical/framework/wal.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -68,7 +69,7 @@ func GetWAL(s logical.Storage, id string) (*WALEntry, error) {
 	}
 
 	var raw WALEntry
-	if err := json.Unmarshal(entry.Value, &raw); err != nil {
+	if err := jsonutil.DecodeJSON(entry.Value, &raw); err != nil {
 		return nil, err
 	}
 	raw.ID = id

logical/storage.go

@@ -1,8 +1,9 @@
 package logical
 
 import (
-	"bytes"
+	"fmt"
-	"encoding/json"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 // Storage is the way that logical backends are able read/write data.
@@ -19,20 +20,20 @@ type StorageEntry struct {
 	Value []byte
 }
 
+// DecodeJSON decodes the 'Value' present in StorageEntry.
 func (e *StorageEntry) DecodeJSON(out interface{}) error {
-	return json.Unmarshal(e.Value, out)
+	return jsonutil.DecodeJSON(e.Value, out)
 }
 
 // StorageEntryJSON creates a StorageEntry with a JSON-encoded value.
 func StorageEntryJSON(k string, v interface{}) (*StorageEntry, error) {
-	var buf bytes.Buffer
+	encodedBytes, err := jsonutil.EncodeJSON(v)
-	enc := json.NewEncoder(&buf)
+	if err != nil {
-	if err := enc.Encode(v); err != nil {
+		return nil, fmt.Errorf("failed to encode storage entry: %v", err)
-		return nil, err
 	}
 
 	return &StorageEntry{
 		Key:   k,
-		Value: buf.Bytes(),
+		Value: encodedBytes,
 	}, nil
 }

physical/file.go

@@ -7,6 +7,8 @@ import (
 	"os"
 	"path/filepath"
 	"sync"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 // FileBackend is a physical backend that stores data on disk
@@ -68,8 +70,7 @@ func (b *FileBackend) Get(k string) (*Entry, error) {
 	defer f.Close()
 
 	var entry Entry
-	dec := json.NewDecoder(f)
+	if err := jsonutil.DecodeJSONFromReader(f, &entry); err != nil {
-	if err := dec.Decode(&entry); err != nil {
 		return nil, err
 	}
 

vault/audit.go

@@ -13,6 +13,7 @@ import (
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/salt"
 	"github.com/hashicorp/vault/logical"
 )
@@ -141,7 +142,7 @@ func (c *Core) loadAudits() error {
 	defer c.auditLock.Unlock()
 
 	if raw != nil {
-		if err := json.Unmarshal(raw.Value, auditTable); err != nil {
+		if err := jsonutil.DecodeJSON(raw.Value, auditTable); err != nil {
 			c.logger.Printf("[ERR] core: failed to decode audit table: %v", err)
 			return errLoadAuditFailed
 		}

vault/auth.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -205,7 +206,7 @@ func (c *Core) loadCredentials() error {
 	defer c.authLock.Unlock()
 
 	if raw != nil {
-		if err := json.Unmarshal(raw.Value, authTable); err != nil {
+		if err := jsonutil.DecodeJSON(raw.Value, authTable); err != nil {
 			c.logger.Printf("[ERR] core: failed to decode auth table: %v", err)
 			return errLoadAuthFailed
 		}

vault/barrier_aes_gcm.go

@@ -7,13 +7,13 @@ import (
 	"crypto/rand"
 	"crypto/subtle"
 	"encoding/binary"
-	"encoding/json"
 	"fmt"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/armon/go-metrics"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/physical"
 )
 
@@ -377,7 +377,7 @@ func (b *AESGCMBarrier) Unseal(key []byte) error {
 
 	// Unmarshal the barrier init
 	var init barrierInit
-	if err := json.Unmarshal(plain, &init); err != nil {
+	if err := jsonutil.DecodeJSON(plain, &init); err != nil {
 		return fmt.Errorf("failed to unmarshal barrier init file")
 	}
 

vault/expiration.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -779,5 +780,5 @@ func (le *leaseEntry) renewable() error {
 // decodeLeaseEntry is used to reverse encode and return a new entry
 func decodeLeaseEntry(buf []byte) (*leaseEntry, error) {
 	out := new(leaseEntry)
-	return out, json.Unmarshal(buf, out)
+	return out, jsonutil.DecodeJSON(buf, out)
 }

vault/keyring.go

@@ -5,6 +5,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"time"
+
+	"github.com/hashicorp/vault/helper/jsonutil"
 )
 
 // Keyring is used to manage multiple encryption keys used by
@@ -43,7 +45,7 @@ func (k *Key) Serialize() ([]byte, error) {
 // DeserializeKey is used to deserialize and return a new key
 func DeserializeKey(buf []byte) (*Key, error) {
 	k := new(Key)
-	if err := json.Unmarshal(buf, k); err != nil {
+	if err := jsonutil.DecodeJSON(buf, k); err != nil {
 		return nil, fmt.Errorf("deserialization failed: %v", err)
 	}
 	return k, nil
@@ -165,7 +167,7 @@ func (k *Keyring) Serialize() ([]byte, error) {
 func DeserializeKeyring(buf []byte) (*Keyring, error) {
 	// Deserialize the keyring
 	var enc EncodedKeyring
-	if err := json.Unmarshal(buf, &enc); err != nil {
+	if err := jsonutil.DecodeJSON(buf, &enc); err != nil {
 		return nil, fmt.Errorf("deserialization failed: %v", err)
 	}
 

vault/logical_cubbyhole.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -95,7 +96,7 @@ func (b *CubbyholeBackend) handleRead(
 
 	// Decode the data
 	var rawData map[string]interface{}
-	if err := json.Unmarshal(out.Value, &rawData); err != nil {
+	if err := jsonutil.DecodeJSON(out.Value, &rawData); err != nil {
 		return nil, fmt.Errorf("json decoding failed: %v", err)
 	}
 

vault/logical_passthrough.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -108,7 +109,8 @@ func (b *PassthroughBackend) handleRead(
 
 	// Decode the data
 	var rawData map[string]interface{}
-	if err := json.Unmarshal(out.Value, &rawData); err != nil {
+
+	if err := jsonutil.DecodeJSON(out.Value, &rawData); err != nil {
 		return nil, fmt.Errorf("json decoding failed: %v", err)
 	}
 

vault/mount.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
 
@@ -404,7 +405,7 @@ func (c *Core) loadMounts() error {
 	defer c.mountsLock.Unlock()
 
 	if raw != nil {
-		if err := json.Unmarshal(raw.Value, mountTable); err != nil {
+		if err := jsonutil.DecodeJSON(raw.Value, mountTable); err != nil {
 			c.logger.Printf("[ERR] core: failed to decode mount table: %v", err)
 			return errLoadMountsFailed
 		}

vault/rekey.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/pgpkeys"
 	"github.com/hashicorp/vault/physical"
 	"github.com/hashicorp/vault/shamir"
@@ -634,7 +635,7 @@ func (c *Core) RekeyRetrieveBackup(recovery bool) (*RekeyBackup, error) {
 	}
 
 	ret := &RekeyBackup{}
-	err = json.Unmarshal(entry.Value, ret)
+	err = jsonutil.DecodeJSON(entry.Value, ret)
 	if err != nil {
 		return nil, err
 	}

vault/seal.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/physical"
 
 	"golang.org/x/crypto/openpgp"
@@ -117,7 +118,7 @@ func (d *DefaultSeal) BarrierConfig() (*SealConfig, error) {
 	var conf SealConfig
 
 	// Decode the barrier entry
-	if err := json.Unmarshal(pe.Value, &conf); err != nil {
+	if err := jsonutil.DecodeJSON(pe.Value, &conf); err != nil {
 		d.core.logger.Printf("[ERR] core: failed to decode seal configuration: %v", err)
 		return nil, fmt.Errorf("failed to decode seal configuration: %v", err)
 	}

vault/token_store.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/policyutil"
 	"github.com/hashicorp/vault/helper/salt"
 	"github.com/hashicorp/vault/helper/strutil"
@@ -687,7 +688,7 @@ func (ts *TokenStore) lookupSalted(saltedId string) (*TokenEntry, error) {
 
 	// Unmarshal the token
 	entry := new(TokenEntry)
-	if err := json.Unmarshal(raw.Value, entry); err != nil {
+	if err := jsonutil.DecodeJSON(raw.Value, entry); err != nil {
 		return nil, fmt.Errorf("failed to decode entry: %v", err)
 	}