mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-10-27 06:31:23 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: jwt: Add new "jwt" certificate option

Browse Source 
This option can be used to enable the use of a given certificate for JWT
verification. It defaults to 'off' so certificates that are declared in
a crt-store and will be used for JWT verification must have a
"jwt on" option in the configuration.
This commit is contained in:
Remi Tricot-Le Breton 2025-10-02 15:32:43 +02:00 committed by William Lallemand
parent 53957c50c3
commit 18ff130e9d
3 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/haproxy/ssl_ckch-t.h
View File

@ -67,6 +67,7 @@ struct ckch_conf {
char *issuer; char *issuer;
char *sctl; char *sctl;
int ocsp_update_mode; int ocsp_update_mode;
int jwt; /* info stored here for now but should be in a dedicated jwt instance */
struct { struct {
char *id; char *id;
char **domains; char **domains;

4
src/jwt.c
View File

@ -227,6 +227,8 @@ int jwt_tree_load_cert(char *path, int pathlen, int tryload_cert, const char *fi
} }
} }
store->conf.jwt = 1;
retval = 0; retval = 0;
HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock); HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
@ -403,7 +405,7 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
if (!HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) { if (!HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) {
store = ckchs_lookup(ctx->key); store = ckchs_lookup(ctx->key);
if (store) { if (store && store->conf.jwt) {
pubkey = X509_get_pubkey(store->data->cert); pubkey = X509_get_pubkey(store->data->cert);
if (pubkey) if (pubkey)
EVP_PKEY_up_ref(pubkey); EVP_PKEY_up_ref(pubkey);

10
src/ssl_ckch.c
View File

@ -1043,6 +1043,7 @@ struct ckch_store *ckchs_dup(const struct ckch_store *src)
dst->conf.ocsp_update_mode = src->conf.ocsp_update_mode; dst->conf.ocsp_update_mode = src->conf.ocsp_update_mode;
dst->conf.jwt = src->conf.jwt;
/* copy ckch_conf /* copy ckch_conf
* XXX: could be automated for each field with the * XXX: could be automated for each field with the
@ -2251,6 +2252,8 @@ static int cli_io_handler_show_cert_detail(struct appctx *appctx)
chunk_appendf(out, "Empty\n"); chunk_appendf(out, "Empty\n");
else if (ckchs == ckchs_transaction.new_ckchs) else if (ckchs == ckchs_transaction.new_ckchs)
chunk_appendf(out, "Uncommitted\n"); chunk_appendf(out, "Uncommitted\n");
else if (ckchs->conf.jwt)
chunk_appendf(out, "Used for JWT verification\n");
else if (LIST_ISEMPTY(&ckchs->ckch_inst)) else if (LIST_ISEMPTY(&ckchs->ckch_inst))
chunk_appendf(out, "Unused\n"); chunk_appendf(out, "Unused\n");
else else
@ -3165,6 +3168,12 @@ static int cli_parse_del_cert(char **args, char *payload, struct appctx *appctx,
memprintf(&err, "certificate '%s' doesn't exist!\n", filename); memprintf(&err, "certificate '%s' doesn't exist!\n", filename);
goto error; goto error;
} }
if (store->conf.jwt) {
memprintf(&err, "certificate '%s' in use for JWT validation, can't be deleted!\n", filename);
goto error;
}
if (!LIST_ISEMPTY(&store->ckch_inst)) { if (!LIST_ISEMPTY(&store->ckch_inst)) {
memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename); memprintf(&err, "certificate '%s' in use, can't be deleted!\n", filename);
goto error; goto error;
@ -4601,6 +4610,7 @@ struct ckch_conf_kws ckch_conf_kws[] = {
#if defined(HAVE_SSL_OCSP) #if defined(HAVE_SSL_OCSP)
{ "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, }, { "ocsp-update", offsetof(struct ckch_conf, ocsp_update_mode), PARSE_TYPE_ONOFF, ocsp_update_init, },
#endif #endif
{ "jwt", offsetof(struct ckch_conf, jwt), PARSE_TYPE_ONOFF, NULL, },
#if defined(HAVE_ACME) #if defined(HAVE_ACME)
{ "acme", offsetof(struct ckch_conf, acme.id), PARSE_TYPE_STR, ckch_conf_acme_init, }, { "acme", offsetof(struct ckch_conf, acme.id), PARSE_TYPE_STR, ckch_conf_acme_init, },
#endif #endif