From: William Lallemand
Date: Mon, 25 Aug 2025 14:41:50 +0000 (+0200)
Subject: REGTESTS: jwt: create dynamically "cert.ecdsa.pem"
X-Git-Tag: v3.3-dev8~105
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a30c10587997cf104197106475b611c7091ae93;p=thirdparty%2Fhaproxy.git

REGTESTS: jwt: create dynamically "cert.ecdsa.pem"

Stop declaring "cert.ecdsa.pem" in a crt-store, and add it dynamically over the stats socket insted. This way we fully verify a JWS signature with a certificate which never existed at HAProxy startup.
---
diff --git a/reg-tests/jwt/jws_verify.vtc b/reg-tests/jwt/jws_verify.vtc
index ca367e3be..3e7b349e6 100644
--- a/reg-tests/jwt/jws_verify.vtc
+++ b/reg-tests/jwt/jws_verify.vtc
@@ -49,10 +49,6 @@ haproxy h1 -conf {
 use_backend auth_bearer_be if { path /auth_bearer }
 default_backend dflt_be
- # Unnamed crt-store
- crt-store
- load crt "${testdir}/cert.ecdsa.pem"
-
 crt-store named_store
 load crt "${testdir}/cert.rsa.pem"
@@ -268,6 +264,11 @@ client c8 -connect ${h1_mainfe_sock} {
 } -run
+shell {
+ echo "new ssl cert ${testdir}/cert.ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+ printf "set ssl cert ${testdir}/cert.ecdsa.pem <<\n$(cat ${testdir}/cert.ecdsa.pem)\n\n" | socat "${tmpdir}/h1/stats" -
+ echo "commit ssl cert ${testdir}/cert.ecdsa.pem" | socat "${tmpdir}/h1/stats" -
+}
 client c9 -connect ${h1_mainfe_sock} {
 # Token content : {"alg":"ES256","typ":"JWT"}
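Review bot: The three CLI commands in the added `shell` block are fire-and-forget: each pipeline ends in `socat`, whose exit status does not reflect an error reply from the stats socket, so a rejected `new`/`set`/`commit ssl cert` would only show up indirectly in whatever c9 asserts (c9's body continues outside the hunk). Since the purpose of the test is that the JWS is verified with a certificate loaded at runtime, the load itself should be asserted, for example by matching the CLI reply on the last step: `echo "commit ssl cert ${testdir}/cert.ecdsa.pem" | socat "${tmpdir}/h1/stats" - | grep -q "Success!"` (assuming that is the reply text in this version). A one-line comment above the block, `# cert.ecdsa.pem is loaded at runtime on purpose: it must not be declared in any crt-store`, would keep a later cleanup from moving it back into the configuration.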