diff --git a/Cargo.lock b/Cargo.lock
index 4091408bd28..71ed6337901 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -450,6 +450,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "879b6c89592deb404ba4dc0ae6b58ffd1795c78991cbb5b8bc441c48a070440d"
 dependencies = [
  "aws-lc-sys",
+ "untrusted 0.7.1",
  "zeroize",
 ]
@@ -3662,16 +3663,18 @@ dependencies = [
 [[package]]
 name = "jsonwebtoken"
-version = "9.3.1"
+version = "10.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+checksum = "3d119c6924272d16f0ab9ce41f7aa0bfef9340c00b0bb7ca3dd3b263d4a9150b"
 dependencies = [
+ "aws-lc-rs",
  "base64 0.22.1",
+ "getrandom 0.2.16",
  "js-sys",
  "pem",
- "ring",
  "serde",
  "serde_json",
+ "signature",
  "simple_asn1",
 ]
@@ -5107,7 +5110,7 @@ dependencies = [
  "cfg-if",
  "getrandom 0.2.16",
  "libc",
- "untrusted",
+ "untrusted 0.9.0",
  "windows-sys 0.52.0",
 ]
@@ -5241,7 +5244,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
 dependencies = [
  "ring",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 [[package]]
@@ -5253,7 +5256,7 @@ dependencies = [
  "aws-lc-rs",
  "ring",
  "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 [[package]]
@@ -5317,7 +5320,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
 dependencies = [
  "ring",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 [[package]]
@@ -6694,6 +6697,12 @@ dependencies = [
  "subtle",
 ]
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
diff --git a/Cargo.toml b/Cargo.toml
index 050ad6c8eb6..75c6e299339 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -161,7 +161,7 @@ claims = "=0.8.0"
 diesel = { version = "=2.3.3", features = ["r2d2"] }
 googletest = "=0.14.2"
 insta = { version = "=1.43.2", features = ["glob", "json", "redactions"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.1.0", features = ["aws_lc_rs"] }
 quoted_printable = "=0.5.1"
 regex = "=1.12.2"
 sentry = { version = "=0.45.0", features = ["test"] }
diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
index 89e09c2d8df..9d61ea282a3 100644
--- a/crates/crates_io_trustpub/Cargo.toml
+++ b/crates/crates_io_trustpub/Cargo.toml
@@ -15,7 +15,7 @@ anyhow = "=1.0.100"
 async-trait = "=0.1.89"
 bon = { version = "=3.8.1", optional = true }
 chrono = { version = "=0.4.42", features = ["serde"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.1.0", features = ["aws_lc_rs"] }
 mockall = { version = "=0.13.1", optional = true }
 rand = "=0.9.2"
 reqwest = { version = "=0.12.24", features = ["gzip", "json"] }
diff --git a/crates/crates_io_trustpub/src/unverified.rs b/crates/crates_io_trustpub/src/unverified.rs
index 12039453fea..c671e7ce47d 100644
--- a/crates/crates_io_trustpub/src/unverified.rs
+++ b/crates/crates_io_trustpub/src/unverified.rs
@@ -1,29 +1,6 @@
+use jsonwebtoken::TokenData;
 use jsonwebtoken::errors::Error;
-use jsonwebtoken::{DecodingKey, TokenData, Validation};
 use serde::Deserialize;
-use std::collections::HashSet;
-use std::sync::LazyLock;
-
-/// [`Validation`] configuration for decoding JWTs without any
-/// signature validation.
-///
-/// **This must only be used to extract the `iss` claim from the JWT, which
-/// is then used to look up the corresponding OIDC key set.**
-static NO_VALIDATION: LazyLock = LazyLock::new(|| {
-    let mut no_validation = Validation::default();
-    no_validation.validate_aud = false;
-    no_validation.validate_exp = false;
-    no_validation.required_spec_claims = HashSet::new();
-    no_validation.insecure_disable_signature_validation();
-    no_validation
-});
-
-/// Empty [`DecodingKey`] used for decoding JWTs without any signature
-/// validation.
-///
-/// **This must only be used to extract the `iss` claim from the JWT, which
-/// is then used to look up the corresponding OIDC key set.**
-static EMPTY_KEY: LazyLock = LazyLock::new(|| DecodingKey::from_secret(b""));
 /// Claims that are extracted from the JWT without any signature
 /// validation. Specifically, this only extracts the `iss` claim, which is
@@ -41,7 +18,7 @@ impl UnverifiedClaims {
     /// **This must only be used to extract the `iss` claim from the JWT, which
     /// is then used to look up the corresponding OIDC key set.**
     pub fn decode(token: &str) -> Result, Error> {
-        jsonwebtoken::decode(token, &EMPTY_KEY, &NO_VALIDATION)
+        jsonwebtoken::dangerous::insecure_decode(token)
     }
 }
diff --git a/deny.toml b/deny.toml
index be5e90df307..2509d4a7402 100644
--- a/deny.toml
+++ b/deny.toml
@@ -108,6 +108,7 @@ allow = [
     "ISC",
     "MIT",
     "MPL-2.0",
+    "OpenSSL",
     "Unicode-3.0",
     "Zlib",
 ]
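Review bot: The `insecure_decode` call in `decode` now inherits its "no checks" behaviour entirely from the library's `dangerous` module, whereas the removed `NO_VALIDATION` spelled out in this file that the signature, `exp`, `aud` and the required spec claims were all skipped; nothing in the hunk pins that the two are equivalent. The `iss` the caller reads from the result is still fully attacker-controlled until the real verification against the selected key set succeeds, so a regression test that a token with a bogus signature and a past `exp` still decodes through this helper would catch a future jsonwebtoken change to `insecure_decode` silently altering the flow. With the explanatory statics gone, a one-line comment above the call would keep the intent visible: `// Deliberately no signature or claim checks: only the iss claim is read, to select the key set used for the real verification.` The enclosing `impl UnverifiedClaims` starts before this hunk.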
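Review bot: Adding `"OpenSSL"` to the global `allow` list admits that license for every crate in the dependency graph, not only for the one this upgrade brings in (presumably `aws-lc-sys`, which the Cargo.lock hunk shows under `aws-lc-rs`). cargo-deny can scope the permission to that crate instead: `[[licenses.exceptions]]`, `crate = "aws-lc-sys"`, `allow = ["OpenSSL"]`. Scoping it keeps a later transitive crate under the OpenSSL license from passing the check unnoticed.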