diff --git a/Cargo.lock b/Cargo.lock
index 53bcedd5d90..974f5e370b6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -460,6 +460,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "879b6c89592deb404ba4dc0ae6b58ffd1795c78991cbb5b8bc441c48a070440d"
 dependencies = [
 "aws-lc-sys",
+ "untrusted 0.7.1",
 "zeroize",
 ]
@@ -3636,16 +3637,18 @@ dependencies = [
 [[package]]
 name = "jsonwebtoken"
-version = "9.3.1"
+version = "10.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+checksum = "f1417155a38e99d7704ddb3ea7445fe57fdbd5d756d727740a9ed8b9ebaed6e1"
 dependencies = [
+ "aws-lc-rs",
 "base64 0.22.1",
+ "getrandom 0.2.16",
 "js-sys",
 "pem",
- "ring",
 "serde",
 "serde_json",
+ "signature",
 "simple_asn1",
 ]
@@ -5081,7 +5084,7 @@ dependencies = [
 "cfg-if",
 "getrandom 0.2.16",
 "libc",
- "untrusted",
+ "untrusted 0.9.0",
 "windows-sys 0.52.0",
 ]
@@ -5215,7 +5218,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
 dependencies = [
 "ring",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 [[package]]
@@ -5227,7 +5230,7 @@ dependencies = [
 "aws-lc-rs",
 "ring",
 "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 [[package]]
@@ -5291,7 +5294,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
 dependencies = [
 "ring",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 [[package]]
@@ -6671,6 +6674,12 @@ dependencies = [
 "subtle",
 ]
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
diff --git a/Cargo.toml b/Cargo.toml
index 79b9544d859..367e96dc250 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -156,7 +156,7 @@ claims = "=0.8.0"
 diesel = { version = "=2.3.2", features = ["r2d2"] }
 googletest = "=0.14.2"
 insta = { version = "=1.43.2", features = ["glob", "json", "redactions"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.0.0", features = ["aws_lc_rs"] }
 quoted_printable = "=0.5.1"
 regex = "=1.12.2"
 sentry = { version = "=0.45.0", features = ["test"] }
diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
index 995fbb782c0..6222818a6f4 100644
--- a/crates/crates_io_trustpub/Cargo.toml
+++ b/crates/crates_io_trustpub/Cargo.toml
@@ -15,7 +15,7 @@ anyhow = "=1.0.100"
 async-trait = "=0.1.89"
 bon = { version = "=3.8.1", optional = true }
 chrono = { version = "=0.4.42", features = ["serde"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.0.0", features = ["aws_lc_rs"] }
 mockall = { version = "=0.13.1", optional = true }
 rand = "=0.9.2"
 reqwest = { version = "=0.12.24", features = ["gzip", "json"] }
diff --git a/crates/crates_io_trustpub/src/github/claims.rs b/crates/crates_io_trustpub/src/github/claims.rs
index f931080df1f..946ddcbdfb8 100644
--- a/crates/crates_io_trustpub/src/github/claims.rs
+++ b/crates/crates_io_trustpub/src/github/claims.rs
@@ -12,7 +12,7 @@ use jsonwebtoken::{Algorithm, DecodingKey, Validation};
 /// Publishing" implementation.
 ///
 /// See .
-#[derive(Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct GitHubClaims {
 pub aud: String,
 #[serde(with = "ts_seconds")]
diff --git a/crates/crates_io_trustpub/src/gitlab/claims.rs b/crates/crates_io_trustpub/src/gitlab/claims.rs
index 46c89c93d03..69067a56979 100644
--- a/crates/crates_io_trustpub/src/gitlab/claims.rs
+++ b/crates/crates_io_trustpub/src/gitlab/claims.rs
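Review bot: The `aws_lc_rs` feature on `+jsonwebtoken = { version = "=10.0.0", features = ["aws_lc_rs"] }` selects which cryptographic backend the crate uses to check token signatures, yet nothing in the manifest records why that backend was picked; the same pin recurs in crates/crates_io_trustpub/Cargo.toml. The Cargo.lock hunks show `aws-lc-rs` already in the graph through the rustls/webpki crates, so the choice presumably avoids carrying two crypto stacks rather than adding a new one, and it is presumably also what brings the `OpenSSL` license into deny.toml. A comment above the line, such as `# aws_lc_rs: reuse the backend rustls already links; needs the OpenSSL license allowance in deny.toml`, keeps that reasoning with the pin for the next upgrade. If the workspace already declares `[workspace.dependencies]`, moving the version and feature there would stop the two manifests from drifting apart.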
@@ -12,7 +12,7 @@ use jsonwebtoken::{Algorithm, DecodingKey, Validation};
 /// Publishing" implementation.
 ///
 /// See .
-#[derive(Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct GitLabClaims {
 pub aud: String,
 #[serde(with = "ts_seconds")]
diff --git a/crates/crates_io_trustpub/src/unverified.rs b/crates/crates_io_trustpub/src/unverified.rs
index 7bc761dd069..12039453fea 100644
--- a/crates/crates_io_trustpub/src/unverified.rs
+++ b/crates/crates_io_trustpub/src/unverified.rs
@@ -29,7 +29,7 @@ static EMPTY_KEY: LazyLock = LazyLock::new(|| DecodingKey::from_sec
 /// validation. Specifically, this only extracts the `iss` claim, which is
 /// used to look up the corresponding OIDC key set to then verify the
 /// JWT signature.
-#[derive(Debug, Deserialize)]
+#[derive(Debug, Clone, Deserialize)]
 pub struct UnverifiedClaims {
 pub iss: String,
 }
@@ -48,6 +48,7 @@ impl UnverifiedClaims {
 #[cfg(test)]
 mod tests {
 use super::*;
+ use crate::test_keys::encode_for_testing;
 use claims::{assert_err, assert_ok, assert_some_eq};
 use insta::assert_compact_debug_snapshot;
 use jsonwebtoken::{EncodingKey, Header, encode};
@@ -79,6 +80,18 @@ mod tests {
 assert_eq!(decoded.claims.iss, ISSUER);
 }
+ #[test]
+ fn test_decode_token_encoded_with_test_key() {
+ const ISSUER: &str = "https://example.com";
+
+ let iss = ISSUER.to_string();
+ let claims = TestClaims { iss };
+ let token = encode_for_testing(&claims).unwrap();
+
+ let decoded = assert_ok!(UnverifiedClaims::decode(&token));
+ assert_eq!(decoded.claims.iss, ISSUER);
+ }
+
 #[test]
 fn test_decode_invalid_token() {
 let error = assert_err!(UnverifiedClaims::decode(""));
diff --git a/deny.toml b/deny.toml
index be5e90df307..2509d4a7402 100644
--- a/deny.toml
+++ b/deny.toml
@@ -108,6 +108,7 @@ allow = [
 "ISC",
 "MIT",
 "MPL-2.0",
+ "OpenSSL",
 "Unicode-3.0",
 "Zlib",
 ]
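Review bot: The added `test_decode_token_encoded_with_test_key` asserts exactly what the test above it asserts, and the one thing that distinguishes it — the token is signed by whatever key `encode_for_testing` uses instead of the key the earlier test presumably builds with `EncodingKey` — is stated nowhere. Given the doc comment in the first unverified.rs hunk that `UnverifiedClaims` deliberately skips signature validation, the test is really pinning that decoding is independent of the signing key; a comment above its `#[test]` such as `// No signature check happens here, so a token signed with the shared test key must decode like any other.` makes that intent survive a refactor. `mod tests` begins and ends outside the hunk.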
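Review bot: Adding `"OpenSSL"` to the global `allow` list permits that license for every crate in the graph, now and in future resolutions, while the need here is presumably a single native crate pulled in by the new `aws_lc_rs` feature. cargo-deny's `[licenses]` table takes per-crate `exceptions`, so an entry such as `exceptions = [{ crate = "<crate needing it>", allow = ["OpenSSL"] }]` keeps the allowance scoped to that one dependency and turns any later OpenSSL-licensed arrival into a deliberate decision rather than a silent pass. If the global entry is kept, a trailing comment naming the crate that requires it would at least record why it was added.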