<h3 dir="auto">Description</h3>
<p dir="auto">The stirshaken module has an option to cache certificates instead of downloading them over HTTP for each call.  The problem is that the module doesn't save the certificate chain in the cached file.<br>
From here: <a href="https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d84d8123/src/modules/stirshaken/stirshaken_mod.c#L448">https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d84d8123/src/modules/stirshaken/stirshaken_mod.c#L448</a><br>
We see that only <code class="notranslate">cert->x</code> is saved to the file.  It needs to save <code class="notranslate">cert->chainx</code> as well.</p>
<p dir="auto">Similarly, the load function should load both the x509 and associated x509 chain.</p>
<h3 dir="auto">Troubleshooting</h3>
<h4 dir="auto">Reproduction</h4>
<p dir="auto">To reproduce, we need to configure the stirshaken module to do certificate caching:</p>
<pre class="notranslate"><code class="notranslate">modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/path/to/ca")
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/path/to/cert_cache")
modparam("stirshaken", "vs_cache_expire_s", 100)
</code></pre>
<p dir="auto">Then send 2 calls featuring an Identity header signed by a private key associated with a public certificate that includes a chain, such as <a href="https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09" rel="nofollow">https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09</a>.<br>
Verification for the first call should work, but verification of the x509 cert path will fail on the second call.</p>
<h4 dir="auto">SIP Traffic</h4>
<p dir="auto">Example sip INVITE that should help reproduce the problem.</p>
<pre class="notranslate"><code class="notranslate">INVITE sip:+13855551212@216.82.227.102:5060 SIP/2.0
Max-Forwards: 61
f: <sip:+13852194167@reg.mydomain.net>;tag=as04e1a3e0
t: <sip:+13851212@somedomain.net>
m: <sip:+13852194167@reg.mydomain.net:5060>
i: 59ede93214794e1033b27ed249a90f15@reg.mydomain.net
CSeq: 102 INVITE
Date: Mon, 19 Sep 2022 15:04:01 GMT
l: 0
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9wc3RuLWNkbi5saXZlLmd0Yy5nb3RvLmNvbS9jZXJ0cy9zdGlyc2hha2VuL2dvdG8tMjAyMi0wOSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxNTE0ODM4MjY0NyJdfSwiaWF0IjoxNjYzNTk5ODQxLCJvcmlnIjp7InRuIjoiMTM4NTIxOTQxNjcifSwib3JpZ2lkIjoiNTllZGU5MzIxNDc5NGUxMDMzYjI3ZWQyNDlhOTBmMTVAcmVnLmppdmVpcC5uZXQifQ.wX5H0FhPt99MPWbdk_xgZXOWCHPGRcS_RiGTBBE5mG_r6By6StdnsBWiipdU9xyLuG3nSPKKFybhdO1S8OIeSQ;info=<https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09>;alg=ES256;ppt=shaken
</code></pre>
<h3 dir="auto">Possible Solutions</h3>
<p dir="auto">The module should save/load <code class="notranslate">cert->chainx</code> as well.  Maybe a new set of functions in libstirshaken should be added to save/load a certificate (vs saving/loading an x509).</p>
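<p dir="auto">An added illustration of the defect and the check an operator would want, not code from the Kamailio module or libstirshaken: it extracts the <code class="notranslate">x5u</code> URL from the PASSporT in the Identity header above, and then compares a cache entry against the chain length that was downloaded for that URL. It assumes (hypothetically) that a cache entry is a PEM bundle with the leaf first; the certificate bodies below are constructed placeholders.</p>

```python
import base64
import json
import re

# Identity header value from the INVITE in this report (signature segment omitted,
# it is not needed to read the PASSporT header).
IDENTITY = ("eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1Ijoi"
            "aHR0cHM6Ly9wc3RuLWNkbi5saXZlLmd0Yy5nb3RvLmNvbS9jZXJ0cy9zdGlyc2hha2VuL2dvdG8t"
            "MjAyMi0wOSJ9.eyJhdHRlc3QiOiJBIn0.c2ln;info=<https://example.invalid>;alg=ES256;ppt=shaken")

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def b64url_decode(segment):
    """PASSporT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def passport_x5u(identity_value):
    """Return the x5u (certificate URL) from the PASSporT header of an Identity value."""
    token = identity_value.split(";", 1)[0]          # drop ;info= ;alg= ;ppt= parameters
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("x5u")


def build_cache_bundle(leaf_pem, chain_pems):
    """What a correct save does: leaf followed by every chain certificate."""
    return "".join([leaf_pem, *chain_pems])


def split_cache_bundle(bundle):
    """What a correct load does: first block is the leaf, the rest is the chain."""
    certs = PEM_CERT_RE.findall(bundle)
    return (certs[0], certs[1:]) if certs else (None, [])


def cache_entry_is_complete(bundle, downloaded_chain_len):
    """A cache entry written with only cert->x has a chain shorter than the download."""
    _leaf, chain = split_cache_bundle(bundle)
    return len(chain) == downloaded_chain_len


# Constructed placeholder PEM blocks standing in for the leaf and a two-cert chain.
def fake_pem(name):
    return f"-----BEGIN CERTIFICATE-----\n{name}\n-----END CERTIFICATE-----\n"


LEAF = fake_pem("LEAF")
CHAIN = [fake_pem("INTERMEDIATE"), fake_pem("ROOT")]
GOOD_ENTRY = build_cache_bundle(LEAF, CHAIN)   # what the fixed module should write
BAD_ENTRY = build_cache_bundle(LEAF, [])       # what saving only cert->x produces
```

<p dir="auto">The same check can be run over an existing <code class="notranslate">vs_cache_dir</code>: any entry holding a single CERTIFICATE block for a URL whose download carries a chain is one that will fail x509 path verification on the next call.</p>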
