From: Remi Tricot-Le Breton <rlebreton@haproxy.com>
Date: Mon, 30 Jun 2025 14:56:29 +0000 (+0200)
Subject: REGTESTS: jwt: Add test with actual certificate passed to jwt_verify
X-Git-Tag: v3.3-dev3~61
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=663ba093aa6f942d519fc136fa03c8dc88217288;p=thirdparty%2Fhaproxy.git

REGTESTS: jwt: Add test with actual certificate passed to jwt_verify

The jwt_verify can now take public certificates as second parameter,
either with actual certificate path (no previously mentioned) or from a
predefined crt-store or from a variable.
---

diff --git a/reg-tests/jwt/cert.ecdsa.pem b/reg-tests/jwt/cert.ecdsa.pem
new file mode 100644
index 0000000000..d9e9e0ef5e
--- /dev/null
+++ b/reg-tests/jwt/cert.ecdsa.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBfzCCASWgAwIBAgIUZ7eU/AOyw6luqrY4aHAErK8bI3AwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI1MDYyMzE0MDIxMVoYDzIxNjIwNTE2
+MTQwMjExWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAASOru+/8VRGvKqvu6S+SufV6TmuMIyE6eCMPXu5BNk3t+jVBEhXXyU/
+Hk7YR3miT+PyP+FloU4HpM2yE2a2GTd0o1MwUTAdBgNVHQ4EFgQUsI/5IENagw4r
+QX/1qvtiiDZ5OlEwHwYDVR0jBBgwFoAUsI/5IENagw4rQX/1qvtiiDZ5OlEwDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiAMdpsHRDNcXYU1mTSha30P
+bRP+Coj5y/vIshqU8UjjRAIhAK/8VegDDHU1b2rww2FaFCbyoiWYoJ3e/W3HJmvk
+nECr
+-----END CERTIFICATE-----
diff --git a/reg-tests/jwt/cert.rsa.pem b/reg-tests/jwt/cert.rsa.pem
new file mode 100644
index 0000000000..146968d589
--- /dev/null
+++ b/reg-tests/jwt/cert.rsa.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFCTCCAvGgAwIBAgIUAj45QKeD6LQ3Dby5l8pRJHxhC0cwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDYwNTE1MzI0OFoXDTM1MDYw
+MzE1MzI0OFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxCPdKRUDpwNqrka4OYaI9bweoN/YoMYR8sddqK39S0pm
+zVIWZpZ51wXJU7oT4umSGAP0VpexxKNZdKnq6b9ScaIfLCazl8EaU3Wg16l5ZD/O
+mHggaD5iHtI3lV2JhxTFlIdLI6sGoJxaDne0oelvtsE2dbBZBPT0OPKWyXgL2qQH
+CtYnqZI7d9czA61rg1PfiUqV6zh9MC7NW5mKPVS95/MCIILyP4smljh5cUGkzhZa
+By/mfKobTRe5xTP+DJ78wZhTAapOY/GmyQ4rFWZFISH2tVQ7Ic32lbxeYXycTcPx
+EUcijNklnFHfpZ3Hhbz9hBuCWTaujcdYVxkRfMocnz9InY8FCic3vgcOPrpqhZMx
+jeuVwUV9cjJhsWTjZeIne5P4l6DHmDIdoVJVatKR+O4AL2q+VZ+d5euSmUe6bwrz
+1ufczIcRYAo1mnYD+USwjT5rGWSjG8brtfxtrzJzQP4oqMgLH2QBEgVDKlvsHiEC
+2K16tTf1pSEAh9Lyo2t8Tbc1BbuuJPafixNGFEQIJ7sAwYoWNkncGOfwrPUpU13K
+tAGoW8hMBlLSuGb70FLbei/Qiz/YsWi86ybetN4WMpF096lcgqa/JH8IeYvGa/MQ
+YoavloGv05OhaGrvGRy0GV6I9elnLEaSdBROnA4kyPaHW8jKmj04T8EBFmx5Lu0C
+AwEAAaNTMFEwHQYDVR0OBBYEFPj8dhAwfL7lF345ufvnc+esKy2vMB8GA1UdIwQY
+MBaAFPj8dhAwfL7lF345ufvnc+esKy2vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggIBAH2o5hZ5Mqq/JLVfsmJE3UrBq7Ky5PYBR1vis+EQwWdlQDcK
+LC1MACkQeWhtPEBg//il9NQjQZG4iE3qbEEOKDjaKGuJTQ3+FhuCYg1t81chqiRW
+PPLkAwN0QPZjTfCcIl4QYEeO9iEoxhLPB2QyqHj3ppFh+uPlz2ShdDclHlXcojod
+AmVxjiIjEGbDKn/pBDJ0Ul/kfjdYKWvdwJg+CYLqntCxL0kbiApb1r4MvgqbH3FM
+sPo7ro1gfTmL7YIkXZMnYJeRSUF1ZHMty+1tvibRwDf7nCsXvDIhxbTdXP9XcpfT
+C4YZ0APQrEO6/Q682X0DwzXE55Fk8iD12VOEQZKRipsqL74HNKQ6JVcBhpqw40qv
+sUSixzqic3DeEnT6Om3OMdafQVpRSynzpLAc1wcxMfrkNDkSQ4mXMgdD07w9h1tQ
+uIflGtj1szg+mjHxFVV/nRWtJOqA0FJt+gZGy8V3NZ+zEBR2Nqe8AOoIkIBKVbK2
+6UlHrMisuat3LlZjvwrHJtzU6fGemy1BFWAHjvQe3eilQfrDp6boueqWr9m9RjVK
+UZ/2S//AnX+GGUVm6xjkVHcv8cJL//aOUV7tEUCuGjFTuKgNT5Mn9VttvePbgd9F
+uaixpqrs0tuKFWRSLbWUaQE50oC4aJ9LWfzG5gAJJkeXeORYaisqfLCNmO6u
+-----END CERTIFICATE-----
diff --git a/reg-tests/jwt/jws_verify.vtc b/reg-tests/jwt/jws_verify.vtc
index 57a2ee2397..96dc602b75 100644
--- a/reg-tests/jwt/jws_verify.vtc
+++ b/reg-tests/jwt/jws_verify.vtc
@@ -45,6 +45,12 @@ haproxy h1 -conf {
         use_backend auth_bearer_be if { path /auth_bearer }
         default_backend dflt_be
 
+    # Unnamed crt-store
+    crt-store
+        load crt "${testdir}/cert.ecdsa.pem"
+
+    crt-store named_store
+        load crt "${testdir}/cert.rsa.pem"
 
     backend hsXXX_be
         http-request set-var(txn.bearer) http_auth_bearer
@@ -72,6 +78,20 @@ haproxy h1 -conf {
         http-response set-header x-jwt-verify-RS256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS256" }
         http-response set-header x-jwt-verify-RS384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS384" }
         http-response set-header x-jwt-verify-RS512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS512" }
+
+        # Pure certificate (not predefined in crt-store)
+        http-response set-header x-jwt-verify-RS256-cert %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/cert.rsa.pem")] if { var(txn.jwt_alg) -m str "RS256" }
+        # Named crt-store
+        http-response set-header x-jwt-verify-RS256-cert-named %[var(txn.bearer),jwt_verify(txn.jwt_alg,"@named_store${testdir}/cert.rsa.pem")] if { var(txn.jwt_alg) -m str "RS256" }
+
+        # Variables
+        # This first case only works because the certificate
+        # is already explicitely used in a previous jwt_verify call.
+        http-response set-var(txn.cert) str("${testdir}/cert.rsa.pem")
+        http-response set-header x-jwt-verify-RS256-var1 %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "RS256" }
+        http-response set-var(txn.cert) str("@named_store${testdir}/cert.rsa.pem")
+        http-response set-header x-jwt-verify-RS256-var2 %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "RS256" }
+
         server s1 ${s1_addr}:${s1_port}
 
     backend esXXX_be
@@ -86,6 +106,11 @@ haproxy h1 -conf {
         http-response set-header x-jwt-verify-ES256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es256-public.pem")] if { var(txn.jwt_alg) -m str "ES256" }
         http-response set-header x-jwt-verify-ES384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es384-public.pem")] if { var(txn.jwt_alg) -m str "ES384" }
         http-response set-header x-jwt-verify-ES512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es512-public.pem")] if { var(txn.jwt_alg) -m str "ES512" }
+
+        # Variables and real certificate
+        http-response set-var(txn.cert) str("${testdir}/cert.ecdsa.pem")
+        http-response set-header x-jwt-verify-ES256-var %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "ES256" }
+
         server s1 ${s1_addr}:${s1_port}
 
     backend psXXX_be
@@ -192,6 +217,13 @@ client c5 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "RS256"
     expect resp.http.x-jwt-verify-RS256 == "1"
+
+    expect resp.http.x-jwt-verify-RS256-cert == "1"
+    expect resp.http.x-jwt-verify-RS256-cert-named == "1"
+
+    expect resp.http.x-jwt-verify-RS256-var1 == "1"
+    expect resp.http.x-jwt-verify-RS256-var2 == "1"
+
 } -run
 
 client c6 -connect ${h1_mainfe_sock} {
@@ -244,6 +276,7 @@ client c9 -connect ${h1_mainfe_sock} {
     expect resp.status == 200
     expect resp.http.x-jwt-alg == "ES256"
     expect resp.http.x-jwt-verify-ES256 == "1"
+    expect resp.http.x-jwt-verify-ES256-var == "1"
 } -run
 
 client c10 -connect ${h1_mainfe_sock} {