MINOR: jwt: Add specific error code for known but unavailable certificate
authorRemi Tricot-Le Breton <rlebreton@haproxy.com>
Thu, 2 Oct 2025 13:32:44 +0000 (15:32 +0200)
committerWilliam Lallemand <wlallemand@haproxy.com>
Mon, 13 Oct 2025 08:38:52 +0000 (10:38 +0200)
A certificate that does not have the 'jwt' flag enabled cannot be used
for JWT validation. We now raise a specific return value so that such a
case can be identified.

include/haproxy/jwt-t.h
src/jwt.c

index fca752ef0c7633f6f94e6a7630a94748359e0424..054d2df68775916a6f256a43e1ce97fe983b6c8a 100644 (file)
@@ -80,7 +80,8 @@ enum jwt_vrfy_status {
        JWT_VRFY_INVALID_TOKEN = -3,
        JWT_VRFY_OUT_OF_MEMORY = -4,
        JWT_VRFY_UNKNOWN_CERT  = -5,
-       JWT_VRFY_INTERNAL_ERR  = -6
+       JWT_VRFY_INTERNAL_ERR  = -6,
+       JWT_VRFY_UNAVAIL_CERT  = -7,
 };
 
 #endif /* USE_OPENSSL */
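Review bot: The new enumerator `JWT_VRFY_UNAVAIL_CERT` is added without a comment, and since its meaning ("known certificate that is not enabled for JWT") is only stated in the commit message, a reader of the header cannot tell how it differs from the neighbouring `JWT_VRFY_UNKNOWN_CERT`. A trailing comment on the added line would fix that: `JWT_VRFY_UNAVAIL_CERT  = -7, /* cert found in the store but its 'jwt' flag is not set */`. The enum's opening and the earlier members are outside this hunk, so if those carry comments the same style should be matched.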
index 8790c868f9a52cde1df1a3dcf9925ff531706866..f8c33c5b3e1481aaafb7703e57af257c75f81e52 100644 (file)
--- a/src/jwt.c
+++ b/src/jwt.c
@@ -405,10 +405,13 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
                if (!HA_SPIN_TRYLOCK(CKCH_LOCK, &ckch_lock)) {
 
                        store = ckchs_lookup(ctx->key);
-                       if (store && store->conf.jwt) {
-                               pubkey = X509_get_pubkey(store->data->cert);
-                               if (pubkey)
-                                       EVP_PKEY_up_ref(pubkey);
+                       if (store) {
+                               if (store->conf.jwt) {
+                                       pubkey = X509_get_pubkey(store->data->cert);
+                                       if (pubkey)
+                                               EVP_PKEY_up_ref(pubkey);
+                               } else
+                                       retval = JWT_VRFY_UNAVAIL_CERT;
                        }
                        HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
                }
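Review bot: The new `else` on the `store->conf.jwt` check is the only unbraced branch in this nested conditional while its `if` counterpart is braced; bracing it (`} else {` / `retval = JWT_VRFY_UNAVAIL_CERT;` / `}`) keeps the style consistent and avoids the single-statement-branch hazard in a lock-protected region. The assignment is also the first place `retval` is moved to a negative status before the later `if (!pubkey)` test, and the `if (!retval)` guard added in the next hunk only does the right thing if `retval` still holds its zero-valued initial status at this point (presumably the JWT_VRFY_KO initialiser, which is outside this hunk). A short comment at the assignment would make that coupling visible, e.g. `/* cert exists but is not enabled for JWT; pubkey stays NULL, so report this instead of UNKNOWN_CERT */`. jwt_jwsverify_rsa_ecdsa starts before the hunk and continues after it.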
@@ -426,7 +429,8 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
        }
 
        if (!pubkey) {
-               retval = JWT_VRFY_UNKNOWN_CERT;
+               if (!retval)
+                       retval = JWT_VRFY_UNKNOWN_CERT;
                goto end;
        }