fix(jwt): unify jsonwebtoken crypto backend

Cargo.lock

@@ -377,7 +377,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5ec2f1fc3ec205783a5da9a7e6c1509cc69dedf09a1949e412c1e18469326d00"
 dependencies = [
  "aws-lc-sys",
- "untrusted 0.7.1",
  "zeroize",
 ]
 
@@ -4930,7 +4929,6 @@ version = "10.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eba32bfb4ffdeaca3e34431072faf01745c9b26d25504aa7a6cf5684334fc4fc"
 dependencies = [
- "aws-lc-rs",
  "base64",
  "ed25519-dalek",
  "getrandom 0.2.17",
@@ -5020,6 +5018,7 @@ dependencies = [
  "indenter",
  "indicatif",
  "ipnet",
+ "jsonwebtoken",
  "kingfisher-core",
  "kingfisher-rules",
  "kingfisher-scanner",
@@ -7160,7 +7159,7 @@ dependencies = [
  "cfg-if",
  "getrandom 0.2.17",
  "libc",
- "untrusted 0.9.0",
+ "untrusted",
  "windows-sys 0.52.0",
 ]
 
@@ -7355,7 +7354,7 @@ dependencies = [
  "aws-lc-rs",
  "ring",
  "rustls-pki-types",
- "untrusted 0.9.0",
+ "untrusted",
 ]
 
 [[package]]
@@ -9051,12 +9050,6 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
 
-[[package]]
-name = "untrusted"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
-
 [[package]]
 name = "untrusted"
 version = "0.9.0"

Cargo.toml

@@ -220,7 +220,7 @@ aws-sdk-ssm = { version = "1.102.0", default-features = false, features = ["defa
 gcloud-storage = { version = "1.1.1", default-features = false, features = [
     "rustls-tls",
     "auth",
-    "jwt-aws-lc-rs",
+    "jwt-rust-crypto",
 ] }
 tokei = "14.0.0"
 crc32fast = "1.5.0"
@@ -249,6 +249,7 @@ testcontainers = "0.27.2"
 predicates = "3.1.3"
 assert_cmd = "2.1.1"
 proptest = "1.9.0"
+jsonwebtoken = { version = "10.4.0", default-features = false, features = ["rust_crypto"] }
 
 [profile.release]
 debug = false

tests/int_jwt_provider.rs

@@ -0,0 +1,34 @@
+use jsonwebtoken::DecodingKey;
+use kingfisher_scanner::validation::jwt::{ValidateOptions, validate_jwt_with};
+
+const RS256_TOKEN: &str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtb2NrLXN1YmplY3QiLCJuYmYiOjAsImV4cCI6NDEwMjQ0NDgwMH0.T87uqt_EI9ISXFmfn2hVTJa-sDTF2xWjNl0Fo6ZClM3_bvdyEB5BWzkIjDmQGbXjP1iVGHv59esuoHjeRYR_S7cBBIM-J2ZWuR_FfVSwjI-jxDlQGw8BFBN6qqpX2dBQfe0NmJ4GzBmQmyPX9GVNlw6zZvW0SGnaX5GcD7HOCqoZQhkiI4W1zTCQ_J4OjJnMwdNg6XkquwBj_yV-VKx_9NYXXTCjl6JtFBF9ZP2X3I58sLSOTzbkTSwSHfLpWLxWfzEYItwHALsK_fBAYMlSZwRvHpRBc48Tqg_2hjOi8j2qQiMbPDTNJJDnt1jEz0JeYahH8N7aJzIPEmd2HXFdKw";
+
+const RSA_PUBLIC_KEY_PEM: &str = r#"-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2OcytZklidtKr63saWAt
+CnwQmMS8W7OEpbnrP746SSR/gkkrNYBkW3POX3T9dcaf4Ozn50QuFGUqBdCAvHUS
+9ZFjubPXsqaxOY9R1eiQt8V+0mf1yI7Q9KCygbqZvilyJ6//kvWTKWA5N9A48J69
+wkkxuDXnhmSK0zwuNOetphuQNtVuCvePrvrI9OkcYp8EC2qtJi6oxy+0dI9lCN5+
+qQyxWDAJVtPw1I/xSZFzMdFrpZWA65VcqKVqjCEB4bHAc15S7UCuLEgBFlqQEndk
+6qTKCy0cVm7LqMOLuNJzbhzNU5caXbEYu6uzzU4vLgIdWpIr09dpNxFl+oA0zbMa
+vQIDAQAB
+-----END PUBLIC KEY-----"#;
+
+#[tokio::test]
+async fn validate_jwt_with_fallback_key_handles_rs256_without_panicking() {
+    let opts = ValidateOptions {
+        allow_alg_none: false,
+        fallback_decoding_key: Some(
+            DecodingKey::from_rsa_pem(RSA_PUBLIC_KEY_PEM.as_bytes()).expect("valid RSA key"),
+        ),
+    };
+
+    let (ok, message) = validate_jwt_with(RS256_TOKEN, &opts, false, false)
+        .await
+        .expect("RS256 validation should not panic or error");
+
+    assert!(ok, "expected JWT signature verification to succeed: {message}");
+    assert!(
+        message.contains("JWT valid via fallback key"),
+        "unexpected validation message: {message}"
+    );
+}