mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-10-26 14:10:59 +01:00
Code Issues Projects Releases Wiki Activity

MINOR: jwt: Do not look into ckch_store for jwt_verify converter

Browse Source 
We must not try to load full-on certificates for 'jwt_verify' converter
anymore. 'jwt_verify_cert' is the only one that accepts a certificate.
This commit is contained in:
Remi Tricot-Le Breton 2025-10-02 15:32:42 +02:00 committed by William Lallemand
parent f5632fd481
commit 53957c50c3
3 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/haproxy/jwt.h
View File

@ -28,7 +28,7 @@
#ifdef USE_OPENSSL
enum jwt_alg jwt_parse_alg(const char *alg_str, unsigned int alg_len);
int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int *item_num);
int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char **err);
int jwt_tree_load_cert(char *path, int pathlen, int tryload_cert, const char *file, int line, char **err);
enum jwt_vrfy_status jwt_verify(const struct buffer *token, const struct buffer *alg,
const struct buffer *key, int is_x509);

5
src/jwt.c
View File

@ -133,7 +133,7 @@ int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int
* Parse a public certificate and insert it into the jwt_cert_tree.
* Returns 0 in case of success.
*/
int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char **err)
int jwt_tree_load_cert(char *path, int pathlen, int tryload_cert, const char *file, int line, char **err)
{
int retval = -1;
struct jwt_cert_tree_entry *entry = NULL;
@ -182,6 +182,9 @@ int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char
}
}
if (!tryload_cert)
goto end;
/* Look for an actual certificate or crt-store with the given name.
* If the path corresponds to an actual certificate that was not loaded
* yet we will create the corresponding ckch_store. */

4
src/sample.c
View File

@ -4526,7 +4526,7 @@ static int sample_conv_jwt_verify_check(struct arg *args, struct sample_conv *co
break;
default:
retval = (jwt_tree_load_cert(args[1].data.str.area, args[1].data.str.data,
file, line, err) == 0);
0, file, line, err) == 0);
/* The second arg might be an HMAC secret but
* the 'alg' is stored in a var */
if (!retval && args[0].type == ARGT_VAR)
@ -4573,7 +4573,7 @@ static int sample_conv_jwt_verify_cert_check(struct arg *args, struct sample_con
break;
default:
retval = (jwt_tree_load_cert(args[1].data.str.area, args[1].data.str.data,
file, line, err) == 0);
1, file, line, err) == 0);
break;
}
} else if (args[1].type == ARGT_VAR) {