MINOR: jwt: Add specific error code for known but unavailable certificate

A certificate that does not have the 'jwt' flag enabled cannot be used for JWT validation. We now raise a specific return value so that such a case can be identified.
2025-10-26 14:10:59 +01:00 · 2025-10-02 15:32:44 +02:00 · 2025-10-02 15:32:44 +02:00 · bf5b912a62
commit bf5b912a62
parent 18ff130e9d
2 changed files with 11 additions and 6 deletions
--- a/include/haproxy/jwt-t.h
+++ b/include/haproxy/jwt-t.h
@ -80,7 +80,8 @@ enum jwt_vrfy_status {
 	JWT_VRFY_INVALID_TOKEN = -3,
 	JWT_VRFY_OUT_OF_MEMORY = -4,
 	JWT_VRFY_UNKNOWN_CERT  = -5,
-	JWT_VRFY_INTERNAL_ERR  = -6
+	JWT_VRFY_INTERNAL_ERR  = -6,
+	JWT_VRFY_UNAVAIL_CERT  = -7,
 };

 #endif /* USE_OPENSSL */
--- a/src/jwt.c
+++ b/src/jwt.c
@ -405,10 +405,13 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
 		if (!HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) {

 			store = ckchs_lookup(ctx->key);
-			if (store && store->conf.jwt) {
-				pubkey = X509_get_pubkey(store->data->cert);
-				if (pubkey)
-					EVP_PKEY_up_ref(pubkey);
+			if (store) {
+				if (store->conf.jwt) {
+					pubkey = X509_get_pubkey(store->data->cert);
+					if (pubkey)
+						EVP_PKEY_up_ref(pubkey);
+				} else
+					retval = JWT_VRFY_UNAVAIL_CERT;
 			}
 			HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
 		}
@ -426,7 +429,8 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
 	}

 	if (!pubkey) {
-		retval = JWT_VRFY_UNKNOWN_CERT;
+		if (!retval)
+			retval = JWT_VRFY_UNKNOWN_CERT;
 		goto end;
 	}