Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
The stirshaken module has an option to cache certificates instead of downloading it using http for each calls. The problem is that the module doesn't save the certificate chain in the cached file.
from here: https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d84d8123/src/modules/stirshaken/stirshaken_mod.c#L448
We see that only cert->x is saved to the file. It needs to save cert->chainx as well.
Similarly, the load function should load both the x509 and associated x509 chain.
To reproduce, we need to configure the stirshaken module to do cerrtificate caching:
modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/path/to/ca")
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/path/to/cert_cache")
modparam("stirshaken", "vs_cache_expire_s", 100)
Then send 2 calls featuring an identity header signed by a private key associated to a public certificate that includes a chain such as https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09
Verification for the fist call should work, but verification of x509 cert path will fail on second call
Example sip INVITE that should help reproduce the problem.
INVITE sip:+13855551212@216.82.227.102:5060 SIP/2.0
Max-Forwards: 61
f: <sip:+13852194167@reg.mydomain.net>;tag=as04e1a3e0
t: <sip:+13851212@somedomain.net>
m: <sip:+13852194167@reg.mydomain.net:5060>
i: 59ede93214794e1033b27ed249a90f15@reg.mydomain.net
CSeq: 102 INVITE
Date: Mon, 19 Sep 2022 15:04:01 GMT
l: 0
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9wc3RuLWNkbi5saXZlLmd0Yy5nb3RvLmNvbS9jZXJ0cy9zdGlyc2hha2VuL2dvdG8tMjAyMi0wOSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxNTE0ODM4MjY0NyJdfSwiaWF0IjoxNjYzNTk5ODQxLCJvcmlnIjp7InRuIjoiMTM4NTIxOTQxNjcifSwib3JpZ2lkIjoiNTllZGU5MzIxNDc5NGUxMDMzYjI3ZWQyNDlhOTBmMTVAcmVnLmppdmVpcC5uZXQifQ.wX5H0FhPt99MPWbdk_xgZXOWCHPGRcS_RiGTBBE5mG_r6By6StdnsBWiipdU9xyLuG3nSPKKFybhdO1S8OIeSQ;info=<https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09>;alg=ES256;ppt=shaken
The module should save/load cert->chainx as well. Maybe a new set of function in libstirshaken should be added to save/load a certificate (vs saving/loading x509)
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.