### Description
The stirshaken module has an option to cache certificates instead of downloading them over HTTP for each call. The problem is that the module doesn't save the certificate chain in the cached file. From here: https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d8... we see that only `cert->x` is saved to the file. It needs to save `cert->chainx` as well.
Similarly, the load function should load both the x509 and associated x509 chain.
### Troubleshooting
#### Reproduction
To reproduce, we need to configure the stirshaken module to do certificate caching:
```
modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/path/to/ca")
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/path/to/cert_cache")
modparam("stirshaken", "vs_cache_expire_s", 100)
```
Then send 2 calls featuring an Identity header signed by a private key associated with a public certificate that includes a chain, such as https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09
Verification for the first call should work, but verification of the x509 cert path will fail on the second call.
#### SIP Traffic
Example SIP INVITE that should help reproduce the problem.
```
INVITE sip:+13855551212@216.82.227.102:5060 SIP/2.0
Max-Forwards: 61
f: sip:+13852194167@reg.mydomain.net;tag=as04e1a3e0
t: sip:+13851212@somedomain.net
m: sip:+13852194167@reg.mydomain.net:5060
i: 59ede93214794e1033b27ed249a90f15@reg.mydomain.net
CSeq: 102 INVITE
Date: Mon, 19 Sep 2022 15:04:01 GMT
l: 0
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9wc3RuLWNkbi5saXZlLmd0Yy5nb3RvLmNvbS9jZXJ0cy9zdGlyc2hha2VuL2dvdG8tMjAyMi0wOSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxNTE0ODM4MjY0NyJdfSwiaWF0IjoxNjYzNTk5ODQxLCJvcmlnIjp7InRuIjoiMTM4NTIxOTQxNjcifSwib3JpZ2lkIjoiNTllZGU5MzIxNDc5NGUxMDMzYjI3ZWQyNDlhOTBmMTVAcmVnLmppdmVpcC5uZXQifQ.wX5H0FhPt99MPWbdk_xgZXOWCHPGRcS_RiGTBBE5mG_r6By6StdnsBWiipdU9xyLuG3nSPKKFybhdO1S8OIeSQ;info=https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09;alg=ES256;ppt=shaken
```
### Possible Solutions
The module should save/load `cert->chainx` as well. Maybe a new set of functions in libstirshaken should be added to save/load a certificate (vs. saving/loading an x509).
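An added diagnostic that is not part of this issue, Kamailio or libstirshaken: it audits a `vs_cache_dir` and flags cache entries that contain a single certificate and no chain, which is the state the buggy save path leaves behind. It assumes the cache holds one PEM file per cached certificate (file names and the base64 bodies below are constructed for the demo).

```python
"""Audit a stirshaken vs_cache_dir for entries that hold only a leaf
certificate and no chain. Added example; the one-PEM-file-per-entry
cache layout is an assumption, not taken from the module's code."""
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_certs(pem_text: str) -> list:
    """Return the base64 body of every CERTIFICATE block in a PEM bundle."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def cache_entry_status(path: str) -> str:
    """Classify one cache file: 'empty', 'leaf-only' (chain missing) or 'ok'."""
    with open(path, "r", encoding="utf-8") as f:
        count = len(split_pem_certs(f.read()))
    if count == 0:
        return "empty"
    return "leaf-only" if count == 1 else "ok"


def audit_cache_dir(cache_dir: str) -> dict:
    """Map every regular file in cache_dir to its status."""
    result = {}
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if os.path.isfile(path):
            result[name] = cache_entry_status(path)
    return result


# Constructed sample entries: the base64 bodies are placeholders, not real
# certificates; only the PEM framing matters for this check.
LEAF = "-----BEGIN CERTIFICATE-----\nTEFBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVJN\n-----END CERTIFICATE-----\n"


def build_sample_cache_dir() -> str:
    """Write one buggy (leaf-only) and one complete (leaf + chain) entry."""
    d = tempfile.mkdtemp(prefix="stirshaken_cache_")
    with open(os.path.join(d, "goto-2022-09.buggy.pem"), "w") as f:
        f.write(LEAF)                  # what the module saved: cert->x only
    with open(os.path.join(d, "goto-2022-09.fixed.pem"), "w") as f:
        f.write(LEAF + INTERMEDIATE)   # cert->x followed by cert->chainx
    return d


if __name__ == "__main__":
    for name, status in audit_cache_dir(build_sample_cache_dir()).items():
        print(f"{status:9s} {name}")
```

Point `audit_cache_dir` at the real `vs_cache_dir` to see whether second-call path verification failures line up with `leaf-only` entries.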
If you know a solution and can implement it, you can make a PR that will be reviewed and merged if all is ok.
Note also that there is the secsipid module offering STIR/SHAKEN; it has caching support as well.
https://github.com/kamailio/kamailio/pull/3289
@SylvainFontaineJive I've had this solved for quite some time now.
First, apply two patches to libstirshaken:
https://github.com/signalwire/libstirshaken/pull/124 https://github.com/signalwire/libstirshaken/pull/125
Then apply my PR that @henningw linked.
https://github.com/kamailio/kamailio/pull/3289
Then you should be all set. Feel free to share your feedback on those PRs if it works for you.
Close the issue, as the PR has been merged to Kamailio. The PRs towards the external library are not merged yet, but this should be discussed in the issues there.
Closed #3246 as completed.