--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIBfzCCASWgAwIBAgIUZ7eU/AOyw6luqrY4aHAErK8bI3AwCgYIKoZIzj0EAwIw
+FDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI1MDYyMzE0MDIxMVoYDzIxNjIwNTE2
+MTQwMjExWjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAASOru+/8VRGvKqvu6S+SufV6TmuMIyE6eCMPXu5BNk3t+jVBEhXXyU/
+Hk7YR3miT+PyP+FloU4HpM2yE2a2GTd0o1MwUTAdBgNVHQ4EFgQUsI/5IENagw4r
+QX/1qvtiiDZ5OlEwHwYDVR0jBBgwFoAUsI/5IENagw4rQX/1qvtiiDZ5OlEwDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiAMdpsHRDNcXYU1mTSha30P
+bRP+Coj5y/vIshqU8UjjRAIhAK/8VegDDHU1b2rww2FaFCbyoiWYoJ3e/W3HJmvk
+nECr
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIFCTCCAvGgAwIBAgIUAj45QKeD6LQ3Dby5l8pRJHxhC0cwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDYwNTE1MzI0OFoXDTM1MDYw
+MzE1MzI0OFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAxCPdKRUDpwNqrka4OYaI9bweoN/YoMYR8sddqK39S0pm
+zVIWZpZ51wXJU7oT4umSGAP0VpexxKNZdKnq6b9ScaIfLCazl8EaU3Wg16l5ZD/O
+mHggaD5iHtI3lV2JhxTFlIdLI6sGoJxaDne0oelvtsE2dbBZBPT0OPKWyXgL2qQH
+CtYnqZI7d9czA61rg1PfiUqV6zh9MC7NW5mKPVS95/MCIILyP4smljh5cUGkzhZa
+By/mfKobTRe5xTP+DJ78wZhTAapOY/GmyQ4rFWZFISH2tVQ7Ic32lbxeYXycTcPx
+EUcijNklnFHfpZ3Hhbz9hBuCWTaujcdYVxkRfMocnz9InY8FCic3vgcOPrpqhZMx
+jeuVwUV9cjJhsWTjZeIne5P4l6DHmDIdoVJVatKR+O4AL2q+VZ+d5euSmUe6bwrz
+1ufczIcRYAo1mnYD+USwjT5rGWSjG8brtfxtrzJzQP4oqMgLH2QBEgVDKlvsHiEC
+2K16tTf1pSEAh9Lyo2t8Tbc1BbuuJPafixNGFEQIJ7sAwYoWNkncGOfwrPUpU13K
+tAGoW8hMBlLSuGb70FLbei/Qiz/YsWi86ybetN4WMpF096lcgqa/JH8IeYvGa/MQ
+YoavloGv05OhaGrvGRy0GV6I9elnLEaSdBROnA4kyPaHW8jKmj04T8EBFmx5Lu0C
+AwEAAaNTMFEwHQYDVR0OBBYEFPj8dhAwfL7lF345ufvnc+esKy2vMB8GA1UdIwQY
+MBaAFPj8dhAwfL7lF345ufvnc+esKy2vMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggIBAH2o5hZ5Mqq/JLVfsmJE3UrBq7Ky5PYBR1vis+EQwWdlQDcK
+LC1MACkQeWhtPEBg//il9NQjQZG4iE3qbEEOKDjaKGuJTQ3+FhuCYg1t81chqiRW
+PPLkAwN0QPZjTfCcIl4QYEeO9iEoxhLPB2QyqHj3ppFh+uPlz2ShdDclHlXcojod
+AmVxjiIjEGbDKn/pBDJ0Ul/kfjdYKWvdwJg+CYLqntCxL0kbiApb1r4MvgqbH3FM
+sPo7ro1gfTmL7YIkXZMnYJeRSUF1ZHMty+1tvibRwDf7nCsXvDIhxbTdXP9XcpfT
+C4YZ0APQrEO6/Q682X0DwzXE55Fk8iD12VOEQZKRipsqL74HNKQ6JVcBhpqw40qv
+sUSixzqic3DeEnT6Om3OMdafQVpRSynzpLAc1wcxMfrkNDkSQ4mXMgdD07w9h1tQ
+uIflGtj1szg+mjHxFVV/nRWtJOqA0FJt+gZGy8V3NZ+zEBR2Nqe8AOoIkIBKVbK2
+6UlHrMisuat3LlZjvwrHJtzU6fGemy1BFWAHjvQe3eilQfrDp6boueqWr9m9RjVK
+UZ/2S//AnX+GGUVm6xjkVHcv8cJL//aOUV7tEUCuGjFTuKgNT5Mn9VttvePbgd9F
+uaixpqrs0tuKFWRSLbWUaQE50oC4aJ9LWfzG5gAJJkeXeORYaisqfLCNmO6u
+-----END CERTIFICATE-----
use_backend auth_bearer_be if { path /auth_bearer }
default_backend dflt_be
+ # Unnamed crt-store
+ crt-store
+ load crt "${testdir}/cert.ecdsa.pem"
+
+ crt-store named_store
+ load crt "${testdir}/cert.rsa.pem"
backend hsXXX_be
http-request set-var(txn.bearer) http_auth_bearer
http-response set-header x-jwt-verify-RS256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS256" }
http-response set-header x-jwt-verify-RS384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS384" }
http-response set-header x-jwt-verify-RS512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/rsa-public.pem")] if { var(txn.jwt_alg) -m str "RS512" }
+
+ # Pure certificate (not predefined in crt-store)
+ http-response set-header x-jwt-verify-RS256-cert %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/cert.rsa.pem")] if { var(txn.jwt_alg) -m str "RS256" }
+ # Named crt-store
+ http-response set-header x-jwt-verify-RS256-cert-named %[var(txn.bearer),jwt_verify(txn.jwt_alg,"@named_store${testdir}/cert.rsa.pem")] if { var(txn.jwt_alg) -m str "RS256" }
+
+ # Variables
+ # This first case only works because the certificate
+ # is already explicitely used in a previous jwt_verify call.
+ http-response set-var(txn.cert) str("${testdir}/cert.rsa.pem")
+ http-response set-header x-jwt-verify-RS256-var1 %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "RS256" }
+ http-response set-var(txn.cert) str("@named_store${testdir}/cert.rsa.pem")
+ http-response set-header x-jwt-verify-RS256-var2 %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "RS256" }
+
server s1 ${s1_addr}:${s1_port}
backend esXXX_be
http-response set-header x-jwt-verify-ES256 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es256-public.pem")] if { var(txn.jwt_alg) -m str "ES256" }
http-response set-header x-jwt-verify-ES384 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es384-public.pem")] if { var(txn.jwt_alg) -m str "ES384" }
http-response set-header x-jwt-verify-ES512 %[var(txn.bearer),jwt_verify(txn.jwt_alg,"${testdir}/es512-public.pem")] if { var(txn.jwt_alg) -m str "ES512" }
+
+ # Variables and real certificate
+ http-response set-var(txn.cert) str("${testdir}/cert.ecdsa.pem")
+ http-response set-header x-jwt-verify-ES256-var %[var(txn.bearer),jwt_verify(txn.jwt_alg,txn.cert)] if { var(txn.jwt_alg) -m str "ES256" }
+
server s1 ${s1_addr}:${s1_port}
backend psXXX_be
expect resp.status == 200
expect resp.http.x-jwt-alg == "RS256"
expect resp.http.x-jwt-verify-RS256 == "1"
+
+ expect resp.http.x-jwt-verify-RS256-cert == "1"
+ expect resp.http.x-jwt-verify-RS256-cert-named == "1"
+
+ expect resp.http.x-jwt-verify-RS256-var1 == "1"
+ expect resp.http.x-jwt-verify-RS256-var2 == "1"
+
} -run
client c6 -connect ${h1_mainfe_sock} {
expect resp.status == 200
expect resp.http.x-jwt-alg == "ES256"
expect resp.http.x-jwt-verify-ES256 == "1"
+ expect resp.http.x-jwt-verify-ES256-var == "1"
} -run
client c10 -connect ${h1_mainfe_sock} {
projects / thirdparty / haproxy.git / commitdiff
