MINOR: jwt: Add new "jwt" certificate option

This option can be used to enable the use of a given certificate for JWT verification. It defaults to 'off' so certificates that are declared in a crt-store and will be used for JWT verification must have a "jwt on" option in the configuration.
2025-10-26 14:10:59 +01:00 · 2025-10-02 15:32:43 +02:00 · 2025-10-02 15:32:43 +02:00 · 18ff130e9d
commit 18ff130e9d
parent 53957c50c3
3 changed files with 14 additions and 1 deletions
--- a/include/haproxy/ssl_ckch-t.h
+++ b/include/haproxy/ssl_ckch-t.h
@ -67,6 +67,7 @@ struct ckch_conf {
 	char *issuer;
 	char *sctl;
 	int ocsp_update_mode;
+	int jwt;      /* info stored here for now but should be in a dedicated jwt instance */
 	struct {
 		char *id;
 		char **domains;
--- a/src/jwt.c
+++ b/src/jwt.c
@ -227,6 +227,8 @@ int jwt_tree_load_cert(char *path, int pathlen, int tryload_cert, const char *fi
 		}
 	}

+	store->conf.jwt = 1;
+
 	retval = 0;

 	HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
@ -403,7 +405,7 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
 		if (!HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) {

 			store = ckchs_lookup(ctx->key);
-			if (store) {
+			if (store && store->conf.jwt) {
 				pubkey = X509_get_pubkey(store->data->cert);
 				if (pubkey)
 					EVP_PKEY_up_ref(pubkey);
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@ -1043,6 +1043,7 @@ struct ckch_store *ckchs_dup(const struct ckch_store *src)


 	dst->conf.ocsp_update_mode = src->conf.ocsp_update_mode;
+	dst->conf.jwt = src->conf.jwt;

        /* copy ckch_conf
 	 * XXX: could be automated for each field with the
@ -2251,6 +2252,8 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
 		chunk_appendf(out, "Empty\n");
 	else if (ckchs == ckchs_transaction.new_ckchs)
 		chunk_appendf(out, "Uncommitted\n");
+	else if (ckchs->conf.jwt)
+		chunk_appendf(out, "Used for JWT verification\n");
 	else if (LIST_ISEMPTY(&ckchs->ckch_inst))
 		chunk_appendf(out, "Unused\n");
 	else
@ -3165,6 +3168,12 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
 		memprintf(&err, "certificate '%s' doesn't exist!\n", filename);
 		goto error;
 	}
+
+	if (store->conf.jwt) {
+		memprintf(&err, "certificate '%s' in use for JWT validation, can't be deleted!\n", filename);
+		goto error;
+	}
+
 	if (!LIST_ISEMPTY(&store->ckch_inst)) {
 		memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
 		goto error;
@ -4601,6 +4610,7 @@ struct ckch_conf_kws ckch_conf_kws[] = {
 #if defined(HAVE_SSL_OCSP)
 	{ "ocsp-update",  offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init,               },
 #endif
+	{ "jwt",          offsetof(struct ckch_conf, jwt),              PARSE_TYPE_ONOFF, NULL,                           },
 #if defined(HAVE_ACME)
 	{ "acme",         offsetof(struct ckch_conf, acme.id),          PARSE_TYPE_STR,   ckch_conf_acme_init,            },
 #endif