From 422500cd8a06ef9d083279881aa34e2539fe17a2 Mon Sep 17 00:00:00 2001
From: Dwayne Sykes
Date: Tue, 7 Oct 2025 15:43:46 -0500
Subject: [PATCH 1/3] feat!: support `aws-lc-rs` or `rust-crypto`; remove `ring`

Add `aws-lc-rs` and `rust-crypto` features, exactly one of which is required to be enabled by `jsonwebtoken` v10. `rust-crypto` is now part of `default` features.

Use new `jsonwebtoken::dangerous::insecure_decode` to support jsonwebtoken v10, which introduced breaking changes to the previous workaround to insecurely decode a JWT.

BREAKING CHANGE: `rust-crypto` and `aws-lc-rs` are mutually exclusive so `--all-features` will fail. This is an inherent limitation of `jsonwebtoken` v10 at this time.

BREAKING CHANGE: dependency on `ring` is eliminated and replaced by either `aws-lc-rs` OR `rust-crypto`.

Signed-off-by: Dwayne Sykes
---
 spiffe/Cargo.toml          |  6 ++++--
 spiffe/src/svid/jwt/mod.rs | 16 +++-------------
 2 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/spiffe/Cargo.toml b/spiffe/Cargo.toml
index e2ef01d..f95bf29 100644
--- a/spiffe/Cargo.toml
+++ b/spiffe/Cargo.toml
@@ -21,7 +21,7 @@ url = "2"
 asn1 = { package = "simple_asn1", version = "0.6" }
 x509-parser = "0.18"
 pkcs8 = "0.10"
-jsonwebtoken = "9"
+jsonwebtoken = "10"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 zeroize = { version = "1", features = ["zeroize_derive"] }
@@ -55,7 +55,9 @@ prost-build = "0.14"
 anyhow = "1"
 
 [features]
-default = ["spiffe-types", "workload-api"]
+default = ["spiffe-types", "workload-api", "rust-crypto"]
 spiffe-types = []
 workload-api = ["prost", "prost-types", "tokio", "tokio-stream", "tower", "tokio-util", "log"]
 integration-tests = []
+aws-lc-rs = ["jsonwebtoken/aws_lc_rs"]
+rust-crypto = ["jsonwebtoken/rust_crypto"]
diff --git a/spiffe/src/svid/jwt/mod.rs b/spiffe/src/svid/jwt/mod.rs
index c054701..3cacdaf 100644
--- a/spiffe/src/svid/jwt/mod.rs
+++ b/spiffe/src/svid/jwt/mod.rs
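Review bot: The new `aws-lc-rs` and `rust-crypto` features are declared as if they were alternatives, but Cargo features are additive, so a dependent that enables `spiffe/aws-lc-rs` while another dependency keeps `default` (or anyone building with `--all-features`, as the message admits) ends up with both jsonwebtoken backends enabled and a build failure that surfaces far from this file. Record the constraint next to the declarations, e.g. `# Exactly one of aws-lc-rs / rust-crypto must be enabled (jsonwebtoken 10 limitation); use default-features = false to select aws-lc-rs`, and consider a `compile_error!` guard in the crate root for the both-or-neither cases so the failure names its cause. It is also worth stating in the changelog that `default` now selects the pure-Rust backend in place of `ring`, which silently changes the crypto provider for every existing user who has not opted out of defaults.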
@@ -3,7 +3,7 @@ use std::str::FromStr;
 
 use jsonwebtoken::jwk::Jwk;
-use jsonwebtoken::{Algorithm, DecodingKey, Validation};
+use jsonwebtoken::{Algorithm, DecodingKey};
 use serde::{de, Deserialize, Deserializer, Serialize};
 use thiserror::Error;
 use zeroize::Zeroize;
 
@@ -237,12 +237,8 @@ impl FromStr for JwtSvid {
     /// IMPORTANT: For parsing and validating the signature of untrusted tokens, use `parse_and_validate` method.
     fn from_str(token: &str) -> Result {
         // decode token without signature or expiration validation
-        let mut validation = Validation::default();
         // We later on validate audience separately with `parse_and_validate`
-        validation.validate_aud = false;
-        validation.insecure_disable_signature_validation();
-        let token_data =
-            jsonwebtoken::decode::(token, &DecodingKey::from_secret(&[]), &validation)?;
+        let token_data = jsonwebtoken::dangerous::insecure_decode::(token)?;
         let claims = token_data.claims;
 
         let spiffe_id = SpiffeId::from_str(&claims.sub)?;
@@ -503,13 +499,7 @@ mod test {
             typ,
             alg,
             kid,
-            cty: None,
-            jku: None,
-            x5u: None,
-            x5c: None,
-            x5t: None,
-            jwk: None,
-            x5t_s256: None,
+            ..Default::default()
         };
         encode(&header, &claims, encoding_key).unwrap()
     }

From 31a4027452a566a3a58a75d9e3397613b10456f0 Mon Sep 17 00:00:00 2001
From: Dwayne Sykes
Date: Tue, 7 Oct 2025 15:58:18 -0500
Subject: [PATCH 2/3] !DROPME: temporary patch to test new `jsonwebtoken` features

Signed-off-by: Dwayne Sykes
---
 Cargo.toml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Cargo.toml b/Cargo.toml
index 4af7ba9..f9c484a 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -4,3 +4,6 @@ members = [
     "spire-api",
 ]
 resolver = "2"
+
+[patch.crates-io]
+jsonwebtoken = { git = "https://github.com/dsykes16/jsonwebtoken.git", branch = "add-dangerous-decode" }
From e7d2475f6ef6174c974b3a21fdc6b63a11e06d39 Mon Sep 17 00:00:00 2001
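Review bot: The switch to `insecure_decode` at the `let token_data` line removes more checking than the old comment admits: if jsonwebtoken 9's `Validation::default()` kept `validate_exp` on and required an `exp` claim (as it does in the releases I know), the old `decode` call rejected expired or `exp`-less tokens here, whereas `insecure_decode` performs no claim validation at all, so `from_str` now accepts them. If that is intended, make the doc comment say so plainly, e.g. `/// Performs no signature, expiry, or audience validation; the result is unauthenticated and untrusted tokens must go through parse_and_validate.`, and add a test showing an expired token parses here but is rejected by `parse_and_validate`; otherwise re-check `exp` after decoding. The `from_str` body continues past the end of the hunk.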
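Review bot: The `[patch.crates-io]` entry points `jsonwebtoken` at a personal fork by branch name (`branch = "add-dangerous-decode"`) with no `rev`, so every build resolves whatever that branch holds at the moment: not reproducible, and the dependency's contents can change without any change in this repository. The subject marks the commit as temporary, so the right outcome is to drop it before merge once a jsonwebtoken release that contains `dangerous::insecure_decode` is published; if it must stay for a while, pin it with `rev = "<commit-sha-placeholder>"` and add a comment naming the upstream change it tracks. The fact that this patch is needed at all suggests the first commit in the series does not build against the crates.io `jsonwebtoken = "10"` it declares, which is worth confirming before that commit lands on its own.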
From: Dwayne Sykes
Date: Tue, 7 Oct 2025 16:09:43 -0500
Subject: [PATCH 3/3] ci: run integration tests w/ aws-lc-rs feature

Add 'Run Integration Tests with aws-lc-rs' step to 'Build and Test' CI job to ensure functionality with `aws-lc-rs` (alternative to `rust-crypto`).

Signed-off-by: Dwayne Sykes
---
 .github/workflows/ci.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e26e24b..40026ab 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,5 +51,12 @@ jobs:
       - name: Run Integration Tests
         run: RUST_BACKTRACE=1 cargo test --features integration-tests
 
+      - name: Run Integration Tests with aws-lc-rs
+        run: >
+          RUST_BACKTRACE=1
+          cargo test
+          --no-default-features
+          --features integration-tests,spiffe-types,workload-api,aws-lc-rs
+
       - name: Clean up SPIRE
         run: .github/workflows/scripts/cleanup-spire.sh
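Review bot: The `--features integration-tests,spiffe-types,workload-api,aws-lc-rs` list in the new step re-spells the crate's `default` set by hand, so it will drift silently if `default` in spiffe/Cargo.toml gains or loses a feature, and the job would then exercise a configuration no user actually gets. Add a comment above the step, `# Mirrors [features].default in spiffe/Cargo.toml with rust-crypto swapped for aws-lc-rs; keep in sync`, so the coupling is visible to whoever next edits either file. Only the test step is run with this backend; if the job also builds or lints earlier (outside this hunk, so I cannot tell), running those with `--no-default-features --features aws-lc-rs` too would catch a backend-specific compile or lint failure before the SPIRE setup rather than after it.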