maxlambrecht · dsykes16 · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025 · Oct 18, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -51,5 +51,12 @@ jobs:
       - name: Run Integration Tests
         run: RUST_BACKTRACE=1 cargo test --features integration-tests
 
+      - name: Run Integration Tests with aws-lc-rs
+        run: >
+          RUST_BACKTRACE=1
+          cargo test
+          --no-default-features
+          --features integration-tests,spiffe-types,workload-api,aws-lc-rs
+
       - name: Clean up SPIRE
         run: .github/workflows/scripts/cleanup-spire.sh
diff --git a/Cargo.toml b/Cargo.toml
@@ -4,3 +4,6 @@ members = [
     "spire-api",
 ]
 resolver = "2"
+
+[patch.crates-io]
+jsonwebtoken = { git = "https://github.com/dsykes16/jsonwebtoken.git", branch = "add-dangerous-decode" }
diff --git a/spiffe/Cargo.toml b/spiffe/Cargo.toml
@@ -21,7 +21,7 @@ url = "2"
 asn1 = { package = "simple_asn1", version = "0.6" }
 x509-parser = "0.18"
 pkcs8 = "0.10"
-jsonwebtoken = "9"
+jsonwebtoken = "10"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 zeroize = { version = "1", features = ["zeroize_derive"] }
@@ -55,7 +55,9 @@ prost-build = "0.14"
 anyhow = "1"
 
 [features]
-default = ["spiffe-types", "workload-api"]
+default = ["spiffe-types", "workload-api", "rust-crypto"]
 spiffe-types = []
 workload-api = ["prost", "prost-types", "tokio", "tokio-stream", "tower", "tokio-util", "log"]
 integration-tests = []
+aws-lc-rs = ["jsonwebtoken/aws_lc_rs"]
+rust-crypto = ["jsonwebtoken/rust_crypto"]
diff --git a/spiffe/src/svid/jwt/mod.rs b/spiffe/src/svid/jwt/mod.rs
@@ -3,7 +3,7 @@
 use std::str::FromStr;
 
 use jsonwebtoken::jwk::Jwk;
-use jsonwebtoken::{Algorithm, DecodingKey, Validation};
+use jsonwebtoken::{Algorithm, DecodingKey};
 use serde::{de, Deserialize, Deserializer, Serialize};
 use thiserror::Error;
 use zeroize::Zeroize;
@@ -237,12 +237,8 @@ impl FromStr for JwtSvid {
     /// IMPORTANT: For parsing and validating the signature of untrusted tokens, use `parse_and_validate` method.
     fn from_str(token: &str) -> Result<Self, Self::Err> {
         // decode token without signature or expiration validation
-        let mut validation = Validation::default();
         // We later on validate audience separately with `parse_and_validate`
-        validation.validate_aud = false;
-        validation.insecure_disable_signature_validation();
-        let token_data =
-            jsonwebtoken::decode::<Claims>(token, &DecodingKey::from_secret(&[]), &validation)?;
+        let token_data = jsonwebtoken::dangerous::insecure_decode::<Claims>(token)?;
 
         let claims = token_data.claims;
         let spiffe_id = SpiffeId::from_str(&claims.sub)?;
@@ -503,13 +499,7 @@ mod test {
             typ,
             alg,
             kid,
-            cty: None,
-            jku: None,
-            x5u: None,
-            x5c: None,
-            x5t: None,
-            jwk: None,
-            x5t_s256: None,
+            ..Default::default()
         };
         encode(&header, &claims, encoding_key).unwrap()
     }