I'll give the JWT module a peek. Lack of caching is maybe an issue (but can be
'farmed out' to something else for caching purposes).
Perhaps this would be better considered as an error with the existing `secsipid_check()`
function in that it will only validate `shaken` passport types, and the ask should be
simply to eliminate this check.
_`secsipid_check(sIdentity, keyPath)`_
Check the validity of the "sIdentity" parameter using the keys stored in the
file specified by "keyPath". If the keyPath parameter is empty, the function is
downloading the key using the URL from "info" parameter of the sIdentity, using
the value of "timeout" parameter to limit the download time. The validity of the
JWT in the sIdentity value is also checked against the "expire" parameter.
The function notes, "Further checks can be done with config operations, decoding the
JWT header and payload using {s.select} and {s.decode.base64t} transformations together
with jansson module.", which is a very clean way to handle this, and the function
here should just be less opinionated on what is and isn't a valid Identity header?
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3784#issuecomment-1988777507
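An added example, not part of the original comment or of Kamailio's code: a Python sketch of the follow-up inspection the quoted documentation describes, decoding the JWT header and payload of an Identity header value and reporting the `ppt` type instead of assuming `shaken`. The function names, the sample values and the freshness rule (`iat` no older than `expire` seconds) are assumptions, and no signature verification is done here.

```python
import base64, json, time

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_identity(identity, expire=60, now=None):
    """Split an Identity header value into JWT fields and header parameters.
    Signature verification is out of scope; this only reads the claims."""
    token, *raw_params = [p.strip() for p in identity.split(";")]
    params = {}
    for p in raw_params:
        key, _, value = p.partition("=")
        params[key.strip().lower()] = value.strip().strip('<>"')
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Identity token is not a three-part JWT")
    header, payload = b64url_json(parts[0]), b64url_json(parts[1])
    now = time.time() if now is None else now
    iat = payload.get("iat")
    return {
        "ppt": header.get("ppt"),              # passport type inside the JWT
        "ppt_param": params.get("ppt"),        # passport type as header parameter
        "alg": header.get("alg"),
        "x5u": header.get("x5u"),
        "info": params.get("info"),
        "x5u_matches_info": header.get("x5u") == params.get("info"),
        "fresh": isinstance(iat, (int, float)) and now - iat <= expire,  # assumed rule
    }

def _seg(obj):
    # base64url without padding, as used for JWT segments
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def sample_identity(ppt, iat):
    # Constructed sample: placeholder signature, example.org URL, test numbers.
    header = {"alg": "ES256", "ppt": ppt, "typ": "passport",
              "x5u": "https://cert.example.org/cert.pem"}
    payload = {"iat": iat, "orig": {"tn": "12025550100"}, "dest": {"tn": ["12025550101"]}}
    return f"{_seg(header)}.{_seg(payload)}.c2lnbmF0dXJl;info=<{header['x5u']}>;alg=ES256;ppt={ppt}"

if __name__ == "__main__":
    print(inspect_identity(sample_identity("div", int(time.time()))))
```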