Description

I used the jwt_verify() function and expected it to automatically handle the expiration check. But it doesn't.

Troubleshooting

Reproduction

Have the following Kamailio config:

loadmodule "jwt.so"
...
modparam("jwt", "key_mode", 0)
....
$var(authorization_header_value) = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxNDQ0ODEiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjExMTYyMzkwMjJ9.Ce0o-10D-ghrfQ8jAZTFgJxw6pufLa6gtoCsylI9cPQo2MANVKV1sjwwKtbLfPzSobz1VhOVZ3RtbFME1GKwEOQq0MuNh7EsmMypjAyBbSPj3he0H4ysa3Lt2i8nJ2Z02j_PU387EEwziC4ilkbXNLXdx43ji_SP--dF3rij2C1Wv8AWbNloPnIAIgtTMdXRuxQPPGFhpBLfUPa54dgrRjLRSGzUJKNbszVljhpzqLM6rJ7hsf2MiB3Ww0goRH7r_9-rm4s9eYMK1xaCPlxBUIxw9bVbNkpiFypq_IcdhXnfyTsF4FUuXSgoUqGD6dOCOh6umsDfl7rrBTMRDdqT1CcBj-_CIWSwmxreVxYz1ET5cZe0oj1GnZRYFXrJzUFd1y9srV6qKY-QK1hlflONd_YZ23hpT1hXOVF0fsgB5JQBjDYBi2kLKms5zi-EAmoIVr1JVJS5-tE_iS3p40YGblI0oOOfxeKCtskgl9KtsRvUWi_25pU5BOEX8KiXVkJ2MH9KFYv2-HXrBVkZyY4kCsHIedz8k_nMfOICrh932pC2bgkQLJEZLSwtO8nTK5G1OrS_VLYwqJv0oGtnmcupexTGYiDjN6t1nqnH6s6409z16M-pKG2wwrt-40sFJh-5eDrpqs8KreSDdOYZsoB5POn7ipqZ0OfbVUCT4TzYYPA";
$var(jwt_verification) = jwt_verify("/etc/kamailio/oauth_pub.pem", "RS256",
                "sub='$fU'",
                "$var(authorization_header_value)"
                );
xlog("JWT verification Status: $var(jwt_verification)");
#Outputs 1
...

If you decode the JWT you'll see that the timestamp in the iat header is in the past.

Debugging Data

Log Messages

{1 90377072 REGISTER 1d0833c1-0d75-123e-8abe-560004469ea4} <script>: JWT verification Status: 1

Possible Solutions

Compare the timestamp from the token's iat claim with the current timestamp and fail the verification if it's in the past.

Additional Information

version: kamailio 5.8.2 (x86_64/linux) 3fa5f4
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 3fa5f4 
compiled on 10:39:56 Jun 12 2024 with gcc 8.5.0
Rocky Linux 8.10 (Green Obsidian)


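Added example, not part of the original report and not Kamailio's code: a Python sketch of time-claim checks following RFC 7519 (exp is the expiry, nbf the not-before time, iat the issue time), run over the claims segment of the token in the report. The names decode_claims, check_time_claims, leeway, max_age and require_exp are assumptions of this example; it decodes without verifying the signature, so it belongs after a successful signature check.

```python
import base64
import json
import time

# Header and claims segments copied from the token in the report; the signature
# is replaced by a placeholder because this check does not verify it.
REPORT_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxNDQ0ODEiLCJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjExMTYyMzkwMjJ9."
    "SIGNATURE_PLACEHOLDER"
)


def decode_claims(token):
    """Return the claims object of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(seg))
    if not isinstance(claims, dict):
        raise ValueError("claims segment is not a JSON object")
    return claims


def check_time_claims(claims, now=None, leeway=60, max_age=None, require_exp=True):
    """Return a list of problems; an empty list means the time claims pass."""
    now = time.time() if now is None else now
    problems = []
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if name in claims and (isinstance(value, bool) or not isinstance(value, (int, float))):
            problems.append(f"{name} is not a NumericDate")
    if problems:
        return problems
    if "exp" in claims:
        if now >= claims["exp"] + leeway:
            problems.append("expired")
    elif require_exp:
        problems.append("no exp claim")  # token never expires on its own
    if "nbf" in claims and now + leeway < claims["nbf"]:
        problems.append("not yet valid")
    if "iat" in claims:
        if claims["iat"] > now + leeway:
            problems.append("iat in the future")
        elif max_age is not None and now - claims["iat"] > max_age:
            problems.append("older than max_age")
    return problems
```

For the report's token the result is "no exp claim": its claims are only sub, name and iat, so an age limit on iat (max_age here) is the only time bound that can be applied to it.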