From f71b9d826dfcd1832627c85f33183891a0d4a6b4 Mon Sep 17 00:00:00 2001
From: Craigory Coppola
Date: Thu, 21 May 2026 21:15:41 -0400
Subject: [PATCH] fix(jwt): unify jsonwebtoken crypto backend

---
 Cargo.lock | 13 +++----------
 Cargo.toml | 3 ++-
 tests/int_jwt_provider.rs | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 11 deletions(-)
 create mode 100644 tests/int_jwt_provider.rs

diff --git a/Cargo.lock b/Cargo.lock
index 85f94fc..bba96ba 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -377,7 +377,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5ec2f1fc3ec205783a5da9a7e6c1509cc69dedf09a1949e412c1e18469326d00"
 dependencies = [
  "aws-lc-sys",
- "untrusted 0.7.1",
  "zeroize",
 ]
 
@@ -4930,7 +4929,6 @@ version = "10.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eba32bfb4ffdeaca3e34431072faf01745c9b26d25504aa7a6cf5684334fc4fc"
 dependencies = [
- "aws-lc-rs",
  "base64",
  "ed25519-dalek",
  "getrandom 0.2.17",
@@ -5020,6 +5018,7 @@ dependencies = [
  "indenter",
  "indicatif",
  "ipnet",
+ "jsonwebtoken",
  "kingfisher-core",
  "kingfisher-rules",
  "kingfisher-scanner",
@@ -7160,7 +7159,7 @@ dependencies = [
  "cfg-if",
  "getrandom 0.2.17",
  "libc",
- "untrusted 0.9.0",
+ "untrusted",
  "windows-sys 0.52.0",
 ]
 
@@ -7355,7 +7354,7 @@ dependencies = [
  "aws-lc-rs",
  "ring",
  "rustls-pki-types",
- "untrusted 0.9.0",
+ "untrusted",
 ]
 
 [[package]]
@@ -9051,12 +9050,6 @@ version = "0.2.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
 
-[[package]]
-name = "untrusted"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
-
 [[package]]
 name = "untrusted"
 version = "0.9.0"
diff --git a/Cargo.toml b/Cargo.toml
index e6876a9..e8d0def 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -220,7 +220,7 @@ aws-sdk-ssm = { version = "1.102.0", default-features = false, features = ["defa
 gcloud-storage = { version = "1.1.1", default-features = false, features = [
     "rustls-tls",
     "auth",
-    "jwt-aws-lc-rs",
+    "jwt-rust-crypto",
 ] }
 tokei = "14.0.0"
 crc32fast = "1.5.0"
@@ -249,6 +249,7 @@ testcontainers = "0.27.2"
 predicates = "3.1.3"
 assert_cmd = "2.1.1"
 proptest = "1.9.0"
+jsonwebtoken = { version = "10.4.0", default-features = false, features = ["rust_crypto"] }
 
 [profile.release]
 debug = false
diff --git a/tests/int_jwt_provider.rs b/tests/int_jwt_provider.rs
new file mode 100644
index 0000000..704ebe9
--- /dev/null
+++ b/tests/int_jwt_provider.rs
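Review bot: The `jwt-rust-crypto` feature on `gcloud-storage` in the first hunk is the line that actually unifies the backend (the Cargo.lock hunk drops `aws-lc-rs` from jsonwebtoken's dependencies as a result), yet nothing in Cargo.toml records that this choice is load-bearing. Cargo features are additive and unified across the whole graph, so any later crate or feature change that asks for the aws-lc-rs backend would silently reintroduce the mixed-backend state this commit fixes, and the only signal would be the new integration test. Add a comment on the changed line: `"jwt-rust-crypto", # keep jsonwebtoken on a single crypto backend; see tests/int_jwt_provider.rs`. The `jsonwebtoken` line added in the second hunk (in what looks like the dev-dependency group, judging by `predicates`/`assert_cmd`/`proptest`) carries the same implicit constraint and would benefit from the same comment, since `default-features = false` only governs this manifest's own request, not what other crates enable.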
@@ -0,0 +1,34 @@
+use jsonwebtoken::DecodingKey;
+use kingfisher_scanner::validation::jwt::{ValidateOptions, validate_jwt_with};
+
+const RS256_TOKEN: &str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtb2NrLXN1YmplY3QiLCJuYmYiOjAsImV4cCI6NDEwMjQ0NDgwMH0.T87uqt_EI9ISXFmfn2hVTJa-sDTF2xWjNl0Fo6ZClM3_bvdyEB5BWzkIjDmQGbXjP1iVGHv59esuoHjeRYR_S7cBBIM-J2ZWuR_FfVSwjI-jxDlQGw8BFBN6qqpX2dBQfe0NmJ4GzBmQmyPX9GVNlw6zZvW0SGnaX5GcD7HOCqoZQhkiI4W1zTCQ_J4OjJnMwdNg6XkquwBj_yV-VKx_9NYXXTCjl6JtFBF9ZP2X3I58sLSOTzbkTSwSHfLpWLxWfzEYItwHALsK_fBAYMlSZwRvHpRBc48Tqg_2hjOi8j2qQiMbPDTNJJDnt1jEz0JeYahH8N7aJzIPEmd2HXFdKw";
+
+const RSA_PUBLIC_KEY_PEM: &str = r#"-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2OcytZklidtKr63saWAt
+CnwQmMS8W7OEpbnrP746SSR/gkkrNYBkW3POX3T9dcaf4Ozn50QuFGUqBdCAvHUS
+9ZFjubPXsqaxOY9R1eiQt8V+0mf1yI7Q9KCygbqZvilyJ6//kvWTKWA5N9A48J69
+wkkxuDXnhmSK0zwuNOetphuQNtVuCvePrvrI9OkcYp8EC2qtJi6oxy+0dI9lCN5+
+qQyxWDAJVtPw1I/xSZFzMdFrpZWA65VcqKVqjCEB4bHAc15S7UCuLEgBFlqQEndk
+6qTKCy0cVm7LqMOLuNJzbhzNU5caXbEYu6uzzU4vLgIdWpIr09dpNxFl+oA0zbMa
+vQIDAQAB
+-----END PUBLIC KEY-----"#;
+
+#[tokio::test]
+async fn validate_jwt_with_fallback_key_handles_rs256_without_panicking() {
+    let opts = ValidateOptions {
+        allow_alg_none: false,
+        fallback_decoding_key: Some(
+            DecodingKey::from_rsa_pem(RSA_PUBLIC_KEY_PEM.as_bytes()).expect("valid RSA key"),
+        ),
+    };
+
+    let (ok, message) = validate_jwt_with(RS256_TOKEN, &opts, false, false)
+        .await
+        .expect("RS256 validation should not panic or error");
+
+    assert!(ok, "expected JWT signature verification to succeed: {message}");
+    assert!(
+        message.contains("JWT valid via fallback key"),
+        "unexpected validation message: {message}"
+    );
+}
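Review bot: The new test only exercises the accept path — a correctly signed RS256 token verifies via the fallback key — which a backend that skipped signature verification entirely would also satisfy, so the file should additionally assert that the same token with a corrupted signature is rejected under the same `ValidateOptions`. A tampered copy can be made by replacing the first character of the signature segment of `RS256_TOKEN`; whether `validate_jwt_with` reports a bad signature as `Err` or as `Ok((false, _))` is not visible here (it and `ValidateOptions` are defined outside this hunk), so the assertion below accepts either. The token's payload decodes to `{"sub":"mock-subject","nbf":0,"exp":4102444800}` (expiry 1 Jan 2100), which is why the fixture will not start failing on its own; a one-line comment stating that next to the constant, e.g. `// Signed with the private half of RSA_PUBLIC_KEY_PEM; exp is 2100-01-01 so the fixture stays valid.`, would spare the next reader from decoding it.
```rust
// … unchanged: imports, RS256_TOKEN, RSA_PUBLIC_KEY_PEM, positive-path test …

#[tokio::test]
async fn validate_jwt_with_fallback_key_rejects_tampered_signature() {
    let opts = ValidateOptions {
        allow_alg_none: false,
        fallback_decoding_key: Some(
            DecodingKey::from_rsa_pem(RSA_PUBLIC_KEY_PEM.as_bytes()).expect("valid RSA key"),
        ),
    };

    // Corrupt one character of the signature segment; header, payload and key are unchanged.
    let (head, sig) = RS256_TOKEN.rsplit_once('.').expect("token has a signature segment");
    let replacement = if sig.starts_with('A') { 'B' } else { 'A' };
    let tampered = format!("{head}.{replacement}{}", &sig[1..]);

    // Accept either an Err or an Ok((false, _)); only a successful verification is a failure.
    let result = validate_jwt_with(tampered.as_str(), &opts, false, false).await;
    assert!(
        !matches!(result, Ok((true, _))),
        "a token with a corrupted signature must not verify via the fallback key"
    );
}
```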