From: Remi Tricot-Le Breton
Date: Thu, 2 Oct 2025 13:32:42 +0000 (+0200)
Subject: MINOR: jwt: Do not look into ckch_store for jwt_verify converter
X-Git-Tag: v3.3-dev10~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53957c50c3dbde84e918608bbeb0f9cdd5689d27;p=thirdparty%2Fhaproxy.git

MINOR: jwt: Do not look into ckch_store for jwt_verify converter

We must not try to load full-on certificates for 'jwt_verify' converter anymore. 'jwt_verify_cert' is the only one that accepts a certificate.
---
diff --git a/include/haproxy/jwt.h b/include/haproxy/jwt.h
index 4d0c92b02..10e928cef 100644
--- a/include/haproxy/jwt.h
+++ b/include/haproxy/jwt.h
@@ -28,7 +28,7 @@
 #ifdef USE_OPENSSL
 enum jwt_alg jwt_parse_alg(const char *alg_str, unsigned int alg_len);
 int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int *item_num);
-int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char **err);
+int jwt_tree_load_cert(char *path, int pathlen, int tryload_cert, const char *file, int line, char **err);
 enum jwt_vrfy_status jwt_verify(const struct buffer *token, const struct buffer *alg, const struct buffer *key, int is_x509);
diff --git a/src/jwt.c b/src/jwt.c
index d80476405..ed9680d21 100644
--- a/src/jwt.c
+++ b/src/jwt.c
@@ -133,7 +133,7 @@ int jwt_tokenize(const struct buffer *jwt, struct jwt_item *items, unsigned int
 * Parse a public certificate and insert it into the jwt_cert_tree.
 * Returns 0 in case of success.
 */
-int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char **err)
+int jwt_tree_load_cert(char *path, int pathlen, int tryload_cert, const char *file, int line, char **err)
 {
 int retval = -1;
 struct jwt_cert_tree_entry *entry = NULL;
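Review bot: The header comment above the changed signature still describes the old contract (`Parse a public certificate and insert it into the jwt_cert_tree. Returns 0 in case of success.`) and says nothing about the new `tryload_cert` parameter, which from the second jwt.c hunk decides whether the name is also resolved against a certificate/crt-store. I would extend it with a sentence such as ` * If 'tryload_cert' is zero, the ckch_store/crt-store lookup is skipped and a name that is only known as a full certificate is reported as a failure.`, with the exact wording of what remains accepted left to the author since the first part of the function is outside this hunk. As a point of style, a bare `int` flag in the middle of a five-argument list means callers pass naked `0`/`1` literals (see sample.c); a named constant would make those call sites self-explanatory. The body of jwt_tree_load_cert continues past the end of this hunk.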
@@ -182,6 +182,9 @@ int jwt_tree_load_cert(char *path, int pathlen, const char *file, int line, char
 }
 }
 
+ if (!tryload_cert)
+ goto end;
+
 /* Look for an actual certificate or crt-store with the given name.
 * If the path corresponds to an actual certificate that was not loaded
 * yet we will create the corresponding ckch_store. */
diff --git a/src/sample.c b/src/sample.c
index e3711c1a7..78614d846 100644
--- a/src/sample.c
+++ b/src/sample.c
@@ -4526,7 +4526,7 @@ static int sample_conv_jwt_verify_check(struct arg *args, struct sample_conv *co
 break;
 default:
 retval = (jwt_tree_load_cert(args[1].data.str.area, args[1].data.str.data,
- file, line, err) == 0);
+ 0, file, line, err) == 0);
 /* The second arg might be an HMAC secret but
 * the 'alg' is stored in a var */
 if (!retval && args[0].type == ARGT_VAR)
@@ -4573,7 +4573,7 @@ static int sample_conv_jwt_verify_cert_check(struct arg *args, struct sample_con
 break;
 default:
 retval = (jwt_tree_load_cert(args[1].data.str.area, args[1].data.str.data,
- file, line, err) == 0);
+ 1, file, line, err) == 0);
 break;
 }
 } else if (args[1].type == ARGT_VAR) {
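Review bot: The new `if (!tryload_cert) goto end;` returns whatever `retval` holds at that point, and this hunk does not show whether the code between the `retval = -1` initialisation (first jwt.c hunk) and line 182 ever sets it to 0 or fills `*err`; if it does not, a caller passing 0 gets -1 back with possibly no error message. Since sample_conv_jwt_verify_check interprets that -1 as "maybe an HMAC secret", it is worth confirming that the early exit leaves `entry` NULL (or freed at `end`) and `*err` untouched, so the fallback is not fed a half-reported error. A short comment on the new lines would also help the next reader, e.g. `/* The caller does not accept full certificates or crt-store names; anything not resolved above is a failure for it to handle. */`. The enclosing function starts and ends outside this hunk.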
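Review bot: Passing `0` here changes what happens to an existing configuration whose second argument names a real certificate file or crt-store: jwt_tree_load_cert now rejects it, and the unchanged `if (!retval && args[0].type == ARGT_VAR)` fallback below then treats the literal string as an HMAC secret whenever the algorithm comes from a variable. That silently converts a former public-key check into an HS* verification keyed with a non-secret path string, which is the classic JWT algorithm-confusion setup; whether the first part of jwt_tree_load_cert (outside this hunk) still loads such a file as a plain public key cannot be seen here, so this is hedged. I would at least emit a configuration warning pointing at jwt_verify_cert when the string about to become an HMAC secret names an existing file or a known crt-store, rather than falling back without a word. The enclosing sample_conv_jwt_verify_check starts and ends outside this hunk.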