rust-lang · renovate · Oct 14, 2025 · Oct 14, 2025 · Oct 9, 2025 · Oct 14, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -156,7 +156,7 @@ claims = "=0.8.0"
 diesel = { version = "=2.3.2", features = ["r2d2"] }
 googletest = "=0.14.2"
 insta = { version = "=1.43.2", features = ["glob", "json", "redactions"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.0.0", features = ["aws_lc_rs"] }
 quoted_printable = "=0.5.1"
 regex = "=1.12.2"
 sentry = { version = "=0.45.0", features = ["test"] }

diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
@@ -15,7 +15,7 @@ anyhow = "=1.0.100"
 async-trait = "=0.1.89"
 bon = { version = "=3.8.1", optional = true }
 chrono = { version = "=0.4.42", features = ["serde"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.0.0", features = ["aws_lc_rs"] }
 mockall = { version = "=0.13.1", optional = true }
 rand = "=0.9.2"
 reqwest = { version = "=0.12.24", features = ["gzip", "json"] }

diff --git a/crates/crates_io_trustpub/src/github/claims.rs b/crates/crates_io_trustpub/src/github/claims.rs
@@ -12,7 +12,7 @@ use jsonwebtoken::{Algorithm, DecodingKey, Validation};
 /// Publishing" implementation.
 ///
 /// See <https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token>.
-#[derive(Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct GitHubClaims {
     pub aud: String,
     #[serde(with = "ts_seconds")]

diff --git a/crates/crates_io_trustpub/src/gitlab/claims.rs b/crates/crates_io_trustpub/src/gitlab/claims.rs
@@ -12,7 +12,7 @@ use jsonwebtoken::{Algorithm, DecodingKey, Validation};
 /// Publishing" implementation.
 ///
 /// See <https://docs.gitlab.com/ci/secrets/id_token_authentication/#token-payload>.
-#[derive(Debug, serde::Serialize, serde::Deserialize)]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct GitLabClaims {
     pub aud: String,
     #[serde(with = "ts_seconds")]

diff --git a/crates/crates_io_trustpub/src/unverified.rs b/crates/crates_io_trustpub/src/unverified.rs
@@ -29,7 +29,7 @@ static EMPTY_KEY: LazyLock<DecodingKey> = LazyLock::new(|| DecodingKey::from_sec
 /// validation. Specifically, this only extracts the `iss` claim, which is
 /// used to look up the corresponding OIDC key set to then verify the
 /// JWT signature.
-#[derive(Debug, Deserialize)]
+#[derive(Debug, Clone, Deserialize)]
 pub struct UnverifiedClaims {
     pub iss: String,
 }
@@ -48,6 +48,7 @@ impl UnverifiedClaims {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::test_keys::encode_for_testing;
     use claims::{assert_err, assert_ok, assert_some_eq};
     use insta::assert_compact_debug_snapshot;
     use jsonwebtoken::{EncodingKey, Header, encode};
@@ -79,6 +80,18 @@ mod tests {
         assert_eq!(decoded.claims.iss, ISSUER);
     }
 
+    #[test]
+    fn test_decode_token_encoded_with_test_key() {
+        const ISSUER: &str = "https://example.com";
+
+        let iss = ISSUER.to_string();
+        let claims = TestClaims { iss };
+        let token = encode_for_testing(&claims).unwrap();
+
+        let decoded = assert_ok!(UnverifiedClaims::decode(&token));
+        assert_eq!(decoded.claims.iss, ISSUER);
+    }
+
     #[test]
     fn test_decode_invalid_token() {
         let error = assert_err!(UnverifiedClaims::decode(""));

diff --git a/deny.toml b/deny.toml
@@ -108,6 +108,7 @@ allow = [
     "ISC",
     "MIT",
     "MPL-2.0",
+    "OpenSSL",
     "Unicode-3.0",
     "Zlib",
 ]
-Original file line number
+Diff line change
@@ Expand Up / @@ -108,6 +108,7 @@ allow = [ @@
         "ISC",
         "MIT",
         "MPL-2.0",
+        "OpenSSL",
         "Unicode-3.0",
         "Zlib",
     ]
@@ Expand Down @@