### Description
The stirshaken module has an option to cache certificates instead of downloading them using HTTP for each call. The problem is that the module doesn't save the certificate chain in the cached file.
from here: https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d…
We see that only `cert->x` is saved to the file. It needs to save `cert->chainx` as well.
Similarly, the load function should load both the x509 and associated x509 chain.
### Troubleshooting
#### Reproduction
To reproduce, we need to configure the stirshaken module to do certificate caching:
```
modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/path/to/ca")
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/path/to/cert_cache")
modparam("stirshaken", "vs_cache_expire_s", 100)
```
Then send 2 calls featuring an identity header signed by a private key associated to a public certificate that includes a chain, such as https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09
Verification for the first call should work, but verification of the x509 cert path will fail on the second call.
#### SIP Traffic
Example SIP INVITE that should help reproduce the problem.
```
INVITE sip:+13855551212@216.82.227.102:5060 SIP/2.0
Max-Forwards: 61
f: <sip:+13852194167@reg.mydomain.net>;tag=as04e1a3e0
t: <sip:+13851212@somedomain.net>
m: <sip:+13852194167@reg.mydomain.net:5060>
i: 59ede93214794e1033b27ed249a90f15@reg.mydomain.net
CSeq: 102 INVITE
Date: Mon, 19 Sep 2022 15:04:01 GMT
l: 0
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9wc3RuLWNkbi5saXZlLmd0Yy5nb3RvLmNvbS9jZXJ0cy9zdGlyc2hha2VuL2dvdG8tMjAyMi0wOSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxNTE0ODM4MjY0NyJdfSwiaWF0IjoxNjYzNTk5ODQxLCJvcmlnIjp7InRuIjoiMTM4NTIxOTQxNjcifSwib3JpZ2lkIjoiNTllZGU5MzIxNDc5NGUxMDMzYjI3ZWQyNDlhOTBmMTVAcmVnLmppdmVpcC5uZXQifQ.wX5H0FhPt99MPWbdk_xgZXOWCHPGRcS_RiGTBBE5mG_r6By6StdnsBWiipdU9xyLuG3nSPKKFybhdO1S8OIeSQ;info=<https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09>;alg=ES256;ppt=shaken
```
### Possible Solutions
The module should save/load `cert->chainx` as well. Maybe a new set of functions in libstirshaken should be added to save/load a certificate (vs saving/loading x509).
--
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/3246
Message ID: <kamailio/kamailio/issues/3246(a)github.com>
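The cache round trip described in the issue above, as an added example that is not code from kamailio or libstirshaken: it models a cache file as a PEM bundle and compares a writer that stores only the end-entity certificate with one that also stores the chain. The function names, the leaf-first file layout and the placeholder bytes standing in for DER certificates are assumptions made for illustration.

```python
import os
import ssl
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def save_leaf_only(path, leaf_der, chain_der):
    """Behaviour described in the issue: only the end-entity cert is written."""
    with open(path, "w") as fh:
        fh.write(ssl.DER_cert_to_PEM_cert(leaf_der))

def save_with_chain(path, leaf_der, chain_der):
    """Proposed behaviour: leaf first, then every chain certificate."""
    with open(path, "w") as fh:
        for der in [leaf_der, *chain_der]:
            fh.write(ssl.DER_cert_to_PEM_cert(der))

def load_cached(path):
    """Return (leaf_der, [chain_der, ...]) from a PEM bundle (assumed layout)."""
    with open(path) as fh:
        text = fh.read()
    blocks = []
    while PEM_BEGIN in text:
        start = text.index(PEM_BEGIN)
        end = text.index(PEM_END, start) + len(PEM_END)
        blocks.append(ssl.PEM_cert_to_DER_cert(text[start:end]))
        text = text[end:]
    if not blocks:
        raise ValueError("no certificate in cache file")
    return blocks[0], blocks[1:]

def second_call_has_chain(writer):
    """Simulate call 1 (download, then cache) and call 2 (cache hit)."""
    # Constructed placeholder bytes, not real certificates.
    leaf = b"LEAF-DER-placeholder"
    chain = [b"INTERMEDIATE-DER-placeholder"]
    with tempfile.TemporaryDirectory() as cache_dir:
        path = os.path.join(cache_dir, "cached-cert.pem")
        writer(path, leaf, chain)
        got_leaf, got_chain = load_cached(path)
    return got_leaf == leaf and got_chain == chain

if __name__ == "__main__":
    print("leaf only :", second_call_has_chain(save_leaf_only))
    print("with chain:", second_call_has_chain(save_with_chain))
```

With the leaf-only writer the cache hit returns an empty chain, so a verifier that relies on the cached entry has no intermediates to build the path from.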
Dear Community Developer,
I would like to know whom I can contact for installation of kamailio on a server and its configuration if needed.
Kind Regards,
Mahmoud Nejad
Module: kamailio
Branch: 5.5
Commit: 7f54d4cc0133612b275b6b3af1ccd80a7a08bf87
URL: https://github.com/kamailio/kamailio/commit/7f54d4cc0133612b275b6b3af1ccd80…
Author: Kamailio Dev <kamailio.dev(a)kamailio.org>
Committer: Kamailio Dev <kamailio.dev(a)kamailio.org>
Date: 2022-12-15T14:32:43+01:00
modules: readme files regenerated - modules ... [skip ci]
---
Modified: src/modules/sanity/README
---
Diff: https://github.com/kamailio/kamailio/commit/7f54d4cc0133612b275b6b3af1ccd80…
Patch: https://github.com/kamailio/kamailio/commit/7f54d4cc0133612b275b6b3af1ccd80…
---
diff --git a/src/modules/sanity/README b/src/modules/sanity/README
index 4493c7f3cd..57acebc806 100644
--- a/src/modules/sanity/README
+++ b/src/modules/sanity/README
@@ -143,7 +143,8 @@ modparam("sanity", "default_checks", 1)
'parse uri' will be executed.
Default value is 7. This resolves to the following list of parsed URIs:
- Request URI (1), From URI (2) and To URI (4).
+ Request URI (1), From URI (2) and To URI (4). Additionally the Contact
+ URI can be also checked (8).
Example 1.2. Set uri_checks parameter
...
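Review bot: the added sentence on the two '+' lines does not say that the Contact URI check is outside the default. The preceding line still gives the default as 7, which is 1 + 2 + 4, so value 8 only takes effect when the operator adds it. Suggest stating that explicitly, for example "The Contact URI check (8) is not part of the default; set uri_checks to 15 to enable all four."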
Module: kamailio
Branch: 5.6
Commit: 14fcaef65b1b7c1f6ef42e85d8a3a3819a32b620
URL: https://github.com/kamailio/kamailio/commit/14fcaef65b1b7c1f6ef42e85d8a3a38…
Author: Kamailio Dev <kamailio.dev(a)kamailio.org>
Committer: Kamailio Dev <kamailio.dev(a)kamailio.org>
Date: 2022-12-15T14:32:12+01:00
modules: readme files regenerated - modules ... [skip ci]
---
Modified: src/modules/sanity/README
---
Diff: https://github.com/kamailio/kamailio/commit/14fcaef65b1b7c1f6ef42e85d8a3a38…
Patch: https://github.com/kamailio/kamailio/commit/14fcaef65b1b7c1f6ef42e85d8a3a38…
---
diff --git a/src/modules/sanity/README b/src/modules/sanity/README
index ac3e2ca927..d296a83635 100644
--- a/src/modules/sanity/README
+++ b/src/modules/sanity/README
@@ -143,7 +143,8 @@ modparam("sanity", "default_checks", 1)
'parse uri' will be executed.
Default value is 7. This resolves to the following list of parsed URIs:
- Request URI (1), From URI (2) and To URI (4).
+ Request URI (1), From URI (2) and To URI (4). Additionally the Contact
+ URI can be also checked (8).
Example 1.2. Set uri_checks parameter
...
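Review bot: with the Contact URI added on the '+' lines, the paragraph now packs four flag values into running prose. A short list with one value per line (1 Request URI, 2 From URI, 4 To URI, 8 Contact URI) would be easier to scan and would make it obvious that the values combine.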
Module: kamailio
Branch: master
Commit: dd14c5c24adae4e7fdf9f19a4d07f6cd4662c901
URL: https://github.com/kamailio/kamailio/commit/dd14c5c24adae4e7fdf9f19a4d07f6c…
Author: Kamailio Dev <kamailio.dev(a)kamailio.org>
Committer: Kamailio Dev <kamailio.dev(a)kamailio.org>
Date: 2022-12-15T14:31:44+01:00
modules: readme files regenerated - sanity ... [skip ci]
---
Modified: src/modules/sanity/README
---
Diff: https://github.com/kamailio/kamailio/commit/dd14c5c24adae4e7fdf9f19a4d07f6c…
Patch: https://github.com/kamailio/kamailio/commit/dd14c5c24adae4e7fdf9f19a4d07f6c…
---
diff --git a/src/modules/sanity/README b/src/modules/sanity/README
index ac3e2ca927..d296a83635 100644
--- a/src/modules/sanity/README
+++ b/src/modules/sanity/README
@@ -143,7 +143,8 @@ modparam("sanity", "default_checks", 1)
'parse uri' will be executed.
Default value is 7. This resolves to the following list of parsed URIs:
- Request URI (1), From URI (2) and To URI (4).
+ Request URI (1), From URI (2) and To URI (4). Additionally the Contact
+ URI can be also checked (8).
Example 1.2. Set uri_checks parameter
...
Module: kamailio
Branch: 5.5
Commit: baf97015f33d4542fe2925c599d5cc3fb0527450
URL: https://github.com/kamailio/kamailio/commit/baf97015f33d4542fe2925c599d5cc3…
Author: Henning Westerholt <hw(a)gilawa.com>
Committer: Henning Westerholt <hw(a)gilawa.com>
Date: 2022-12-15T13:27:16Z
sanity: also add Contact URI check to documentation
(cherry picked from commit b96848689837277d9bc0ec9c1b5524de0f1321e1)
(cherry picked from commit 78e181d82e5802e5b96b05cf9f1d9e54dbd1546d)
---
Modified: src/modules/sanity/doc/sanity_admin.xml
---
Diff: https://github.com/kamailio/kamailio/commit/baf97015f33d4542fe2925c599d5cc3…
Patch: https://github.com/kamailio/kamailio/commit/baf97015f33d4542fe2925c599d5cc3…
---
diff --git a/src/modules/sanity/doc/sanity_admin.xml b/src/modules/sanity/doc/sanity_admin.xml
index a8a57d88d9..b812693a9d 100644
--- a/src/modules/sanity/doc/sanity_admin.xml
+++ b/src/modules/sanity/doc/sanity_admin.xml
@@ -180,6 +180,7 @@ modparam("sanity", "default_checks", 1)
<para>
Default value is 7. This resolves to the following list of
parsed URIs: Request URI (1), From URI (2) and To URI (4).
+ Additionally the Contact URI can be also checked (8).
</para>
<example>
<title>Set <varname>uri_checks</varname> parameter</title>
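Review bot: on the added line inside the <para>, "can be also checked" has the adverb misplaced. "Additionally, the Contact URI can also be checked (8)." reads correctly.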