mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-08-14 02:57:01 +02:00
The 'jwt_verify' converter could only be passed public keys as second parameter instead of full-on public certificates. This patch allows proper certificates to be used. Those certificates can be loaded in ckch_stores like any other certificate which means that all the certificate-related operations that can be made via the CLI can now benefit JWT validation as well. We now have two ways JWT validation can work, the legacy one which only relies on public keys which could not be stored in ckch_stores without some in-depth changes in the way the ckch_stores are built. In this legacy way, the public keys are fully stored in a cache dedicated to JWT only which does not have any CLI commands and any way to update them during runtime. It also requires that all the public keys used are passed at least once explicitly to the 'jwt_verify' converter so that they can be loaded during init. The new way uses actual certificates, either already stored in the ckch_store tree (if predefined in a crt-store or already used previously in the configuration) or loaded in the ckch_store tree during init if they are explicitly used in the configuration like so: var(txn.bearer),jwt_verify(txn.jwt_alg,"cert.pem") When using a variable (or any other way that can only be resolved during runtime) in place of the converter's <key> parameter, the first time we encounter a new value (for which we don't have any entry in the jwt tree) we will lock the ckch_store tree and try to perform a lookup in it. If the lookup fails, an entry will still be inserted into the jwt tree so that any following call with this value avoids performing the ckch_store tree lookup.
/*
* include/haproxy/jwt-t.h
* Macros, variables and structures for JWT management.
*
* Copyright (C) 2021 HAProxy Technologies, Remi Tricot-Le Breton <rlebreton@haproxy.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef _HAPROXY_JWT_T_H
#define _HAPROXY_JWT_T_H
#include <import/ebmbtree.h>
#include <haproxy/openssl-compat.h>
#ifdef USE_OPENSSL
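/*
 * Signature algorithm of a token. The JWS_ALG_* names mirror the "alg" values
 * registered for JWS (RFC 7518): "none", HMAC (HS*), RSASSA-PKCS1-v1_5 (RS*),
 * ECDSA (ES*) and RSASSA-PSS (PS*).
 *
 * Enumerator values are implicit and start at 0 with JWT_ALG_DEFAULT, so the
 * order below defines the numeric values.
 *
 * NOTE(review): the parsing and verification code is not part of this header.
 * Confirm there that JWT_ALG_DEFAULT (presumably "no or unrecognised alg") and
 * JWS_ALG_NONE cannot lead to a token being reported as verified unless the
 * configuration explicitly expects them, and that the expected algorithm is
 * taken from the configuration rather than from the token's own header alone
 * (HS* uses a shared secret while RS/ES/PS use a public key, so the two
 * families must not be interchangeable for a given key).
 */
enum jwt_alg {
	JWT_ALG_DEFAULT,
	JWS_ALG_NONE,    /* "none": unsecured JWS, carries no signature */
	JWS_ALG_HS256,   /* HMAC family: symmetric secret */
	JWS_ALG_HS384,
	JWS_ALG_HS512,
	JWS_ALG_RS256,   /* RSA PKCS#1 v1.5 family: public key */
	JWS_ALG_RS384,
	JWS_ALG_RS512,
	JWS_ALG_ES256,   /* ECDSA family: public key */
	JWS_ALG_ES384,
	JWS_ALG_ES512,
	JWS_ALG_PS256,   /* RSA-PSS family: public key */
	JWS_ALG_PS384,
	JWS_ALG_PS512,
};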
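/*
 * A (pointer, length) view on one part of a token.
 *
 * NOTE(review): presumably <start> points into the buffer holding the token
 * and is not NUL-terminated - confirm against the parser. If so, consumers
 * must always bound accesses with <length> and never use str*() functions on
 * <start>, and the view must not outlive the underlying buffer.
 */
struct jwt_item {
	char *start;    /* first byte of the item */
	size_t length;  /* number of bytes available from <start> */
};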
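/*
 * Working context for one token: the algorithm, the three token parts and the
 * key to check the signature against.
 *
 * NOTE(review): semantics below are inferred from the field names; the code
 * filling and consuming this structure is not visible here.
 */
struct jwt_ctx {
	enum jwt_alg alg;            /* algorithm retained for this token */
	struct jwt_item jose;        /* JOSE header part */
	struct jwt_item claims;      /* claims (payload) part */
	struct jwt_item signature;   /* signature part */
	char *key;                   /* presumably the secret or key/certificate name - TODO confirm */
	unsigned int key_length;     /* size of <key>; note it is narrower than the size_t used in
	                              * struct jwt_item, so check for truncation where it is assigned */
};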
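/*
 * Index of each part of a token: JOSE header, claims, signature. Values start
 * at 0 and are consecutive, which makes JWT_ELT_MAX the number of parts
 * (presumably used to size and bound arrays of struct jwt_item - confirm at
 * the call sites, and make sure the parser rejects tokens with more parts
 * than JWT_ELT_MAX instead of writing past such an array).
 */
enum jwt_elt {
	JWT_ELT_JOSE = 0,
	JWT_ELT_CLAIMS,
	JWT_ELT_SIG,
	JWT_ELT_MAX      /* count of elements, not a valid element */
};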
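/*
 * Kind of entry stored in the JWT tree (see struct jwt_cert_tree_entry).
 *
 * Validation can rely either on a bare public key kept in a JWT-only cache
 * (legacy mode) or on a certificate held in the ckch_store tree. A failed
 * ckch_store lookup is remembered as JWT_ENTRY_INVALID so that later calls
 * with the same value skip the lookup.
 *
 * NOTE(review): when the converter's <key> argument is resolved at runtime,
 * every previously unseen value adds an entry, including failed ones. If that
 * value can be influenced by request data, confirm that the number of entries
 * is bounded, and confirm whether a JWT_ENTRY_INVALID entry is revisited when
 * a certificate with that name is loaded later on.
 */
enum jwt_entry_type {
	JWT_ENTRY_DFLT,      /* presumably "not resolved yet" - TODO confirm */
	JWT_ENTRY_STORE,     /* presumably backed by a certificate of the ckch_store tree */
	JWT_ENTRY_PKEY,      /* presumably backed by a bare public key (legacy mode) */
	JWT_ENTRY_INVALID,   /* already tried looking into ckch_store tree (unsuccessful) */
};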
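/*
 * One entry of the JWT tree, looked up by <path>.
 *
 * <type> tells which of <pubkey> / <ckch_store> is meaningful; code using an
 * entry should check <type> first and treat JWT_ENTRY_INVALID as "no usable
 * key" rather than dereferencing either pointer.
 *
 * NOTE(review): ownership and reference counting of <pubkey> and <ckch_store>
 * are not visible in this header. Since certificates of the ckch_store tree
 * can be changed through the CLI, confirm that an entry cannot keep a pointer
 * to a store that has been replaced or freed.
 */
struct jwt_cert_tree_entry {
	EVP_PKEY *pubkey;               /* public key used for verification */
	struct ckch_store *ckch_store;  /* certificate store the entry refers to, if any */
	int type; /* jwt_entry_type */
	struct ebmb_node node;          /* tree attachment; presumably <path> is its key and must
	                                 * stay right after it - TODO confirm */
	char path[VAR_ARRAY];           /* variable-length trailing storage for the key/certificate name */
};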
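/*
 * Result of a token verification.
 *
 * JWT_VRFY_OK (1) is the only success value. JWT_VRFY_KO is 0 and every error
 * is negative, hence non-zero: a caller must compare the status with
 * JWT_VRFY_OK (or test "> 0") and never use it as a plain boolean, otherwise
 * an error such as JWT_VRFY_UNKNOWN_CERT would be taken for a success.
 */
enum jwt_vrfy_status {
	JWT_VRFY_KO = 0,              /* verification performed, token rejected */
	JWT_VRFY_OK = 1,              /* verification performed, token accepted */

	JWT_VRFY_UNKNOWN_ALG = -1,
	JWT_VRFY_UNMANAGED_ALG = -2,
	JWT_VRFY_INVALID_TOKEN = -3,
	JWT_VRFY_OUT_OF_MEMORY = -4,
	JWT_VRFY_UNKNOWN_CERT = -5,
	JWT_VRFY_INTERNAL_ERR = -6
};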
#endif /* USE_OPENSSL */
#endif /* _HAPROXY_JWT_T_H */