<!-- Kamailio Project uses GitHub Issues only for bugs in the code or feature requests. Please use this template only for bug reports.
If you have questions about using Kamailio or related to its configuration file, ask on sr-users mailing list:
* https://lists.kamailio.org/mailman3/postorius/lists/sr-users.lists.kamailio....
If you have questions about developing extensions to Kamailio or its existing C code, ask on sr-dev mailing list:
* https://lists.kamailio.org/mailman3/postorius/lists/sr-dev.lists.kamailio.or...
Please try to fill this template as much as possible for any issue. It helps the developers to troubleshoot the issue.
Note that an issue report may be closed automatically after about 2 months if there is no interest from developers or community users on pursuing it, being considered expired. In such case, it can be reopened by writing a comment that includes the token `/notexpired`. About two weeks before considered expired, the issue is marked with the label `stale`, trying to notify the submitter and everyone else that might be interested in it. To remove the label `stale`, write a comment that includes the token `/notstale`. Also, any comment postpone the `expire` timeline, being considered that there is interest in pursuing the issue.
If there is no content to be filled in a section, the entire section can be removed.
You can delete the comments from the template sections when filling.
You can delete next line and everything above before submitting (it is a comment). -->
### Description
<!-- Explain what you did, what you expected to happen, and what actually happened. --> Tried to verify a dubious JWT, but I get a token decoding error. I tried different variations of the key, such as `.pem`, `.key` extensions, `PKCS1`, `PKCS8` formats, reading the key from a variable or file. ### Troubleshooting
#### Reproduction
<!-- If the issue can be reproduced, describe how it can be done. --> Have the following Kamailio config: ``` loadmodule "jwt.so" ... modparam("jwt", "key_mode", 0) .... $var(authorization_header_value) = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIyIiwianRpIjoiYmQ1NzlhZTYyZjg2ODE5N2I5OTk1YTFkOWM4NGZkOGFiNWIyYWI4Nzk5YzM0OWVmYjBkNjg1NWFiNDcwYWUzOTYyMzFmYzc5NjIxZDQxODciLCJpYXQiOjE3MjkxODU3MTguNjQxMjI1LCJuYmYiOjE3MjkxODU3MTguNjQxMjI"; $var(jwt_verification) = jwt_verify("/etc/kamailio/oauth_pub.pem", "RS256", "sub='$fU'", "$var(authorization_header_value)" ); ... ```
oauth_pub.pem: ``` -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5mfAgdn7JaiRS2Bsov4S zTlGLSe2wxbdUxIreTcqs88PmWOBtuSeQg5tU3CRnPtsuuRJrlUniV5g56YAHrnt Qe8meu877iTrcJB6Cii3n+d7SgwCfjMvaFBR+mdGsidAyGBpRhoPrH7SD6CRpBLr Mxylcgqw4uH/0HdF+B8P5motUQz/tul/UKsq1nvC2AOOzFel1IsUah8dQuxzMx+P RYcsngJam8TkGr6QidTXc2rD4lEoCD1s/huGUq55bc19J3yRliN2j8cO9j1bGTsp GYEVtA3PiH/73BZTa3FHbhRYqhvjYacC8eWBFhwThC9CgPyOXrq4L7p9tJAlNwmd dQHhIzZ9vugQuhfnuUTb0/r2tjpsSPL7etgJdxtZ4Xh9aBEpYn//RAgu5Dkauc2S XF+uLWwBptFTM3SNppDPMdjRkYakWjVP2pgBGMmrINFb8RQAPEJzD1gVt0fYCxaY jiazbSc9FPfSbFENHq+r8D7OivpiW0q9+tSZbYmAFzZekoUAoboQThSdRcOy9tFz 196xfg4dOyxkRGGHstz28qBv340ppjnHQd+RZOvbr8s2zEIxGiOpfX8CuLur/nKl Ld3qtzg0caqDz6nsYK+95rExnbtU+gFcHnwtMdk3R8X6lVHzDeTjO2Nk4Zo023zo qFH/rRyJBOp98fQPOpx5qncCAwEAAQ== -----END PUBLIC KEY----- ``` #### Debugging Data
<!-- If you got a core dump, use gdb to extract troubleshooting data - full backtrace, local variables and the list of the code at the issue location.
gdb /path/to/kamailio /path/to/corefile bt full info locals list
If you are familiar with gdb, feel free to attach more of what you consider to be relevant.
``` (paste your debugging data here) ```
--> #### Log Messages
<!-- Check the syslog file and if there are relevant log messages printed by Kamailio, add them next, or attach to issue, or provide a link to download them (e.g., to a pastebin site). -->
``` [jwt_mod.c:501]: ki_jwt_verify_key(): failed to decode jwt value ```
#### SIP Traffic
<!-- If the issue is exposed by processing specific SIP messages, grab them with ngrep or save in a pcap file, then add them next, or attach to issue, or provide a link to download them (e.g., to a pastebin site).
``` (paste your sip traffic here) ```
--> ### Possible Solutions
<!-- If you found a solution or workaround for the issue, describe it. Ideally, provide a pull request with a fix. --> I've wrote a C++ program using `libjwt` to make sure the issue is not neither my key, nor `libjwt`. And they aren't. Here is the program: ```cpp #include <iostream> #include <string> #include <jwt.h>
static const char jwt_test[] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIyIiwianRpIjoiZDY2NDQ4MTdhYWRhNTQ1MDI1YmUwZmU1M2I1ZmFhYTdkZGI3NTY5NTBiMDYxMzk5MzFmNTQ1ZjhkMmE4N2ZhYjU0ODgzNjJhZGNiMWQ5ZTkiLCJpYXQiOjE3MjkyMjg5NjIuMzg5MDI3LCJuYmYiOjE3MjkyMjg5NjIuMzg5MDMzLCJleHAiOjE3MjkyNzIxNjIuMzc5MTg3LCJzdWIiOiIxNDQ0ODEiLCJzY29wZXMiOltdLCJ1c2VyIjp7ImlkIjoxNDQ0ODEsImFjY291bnRfaWQiOjEyOTMyNn0sIm1veHRyYS10b2tlbiI6Ik1WUXpNekZVTU1hdlFET2hNVlNabEdRZ1ptQUNPRmNGU1JKZEVGNGZTQTFFRWxJLVVCMTRkREZVTVZkbFkxY0xjaHhrWkhrU1pnVjVERUppQ0dKSEJWZGxYQTFMQmwwYUF4MUdHbHdkX0RmbHhORGRNMXMzOXlabjhMMEV5USIsImRldmljZSI6eyJpZCI6ImY4MzI0NDkyLWJiYjQtNGJiNC04ZWQxLWZlMTM1OWQwOTNlNSIsInR5cGUiOiJ3ZWIiLCJ2ZXJzaW9uIjoiMS43LjAifX0.E_6jsC7yxPZgHRry55J0oOBzw25tvlfnWRBqSwLVFeAtavkVrYGmH9BGaByaAhebKNijy2WUg1X8Ug0N9Z9cc3P8u2wDSlvlzTNrxnPqdxMrKtP5wiIbImXboobFqKXLRmbor_9I7r0lBlX-e0xSis-PTaBqH40hDYPj0rR5cqnrszSkEMd2jFdiLL5BoF0pqysvrXA631KKA9oHGzAivib_GOddHeUOAVs7-hMVdnDqgrzZ6lDYkQndutrHpwILZWz09ngJBbRh_mN_cE4dDxghgeSotXADT-h5DlokV8ChkgkmHh6m4gU2lvnb7aY9dbCp9R44T1Rpz1P_HhPQ27p1Sgin40Oc2abBwDePw_chl0ajJHuhJCiK7YHbcmzcv3dZ-igVMYpMqhGIlyyuAHCSrKFVFLhodA1xlyCmMqJfFPOZ6DdKzbAQDWPN2xsCMy7WkGT5KmBQR5wWJRIRbTj4OUWo6iUrQdNyjB0F1RKqkuZlz414Hj0tkS5GlS1rfxOtS4yc2m_ERGomSmpDgoq2zpA5o3oJJWXqA7TzT8X_9Up5DkVQCMGW6Z2OT9Sr8hNjIXB1qgYiiZtNf9_b4bma5JEwVvR2-qcZ92V6owFTYx78smdyOgAaMlBQ_9AM6kARz4ZnC3Mz2feJT2qKLP-z9senqIB8k_xNx2lbU2w";
static unsigned char key[16384]; static size_t key_len;
static void read_key(const char *key_file) { FILE *fp = fopen(key_file, "r"); int ret = 0;
fp = fopen(key_file, "r");
key_len = fread(key, 1, sizeof(key), fp);
fclose(fp);
key[key_len] = '\0'; }
int main() { jwt_t *jwt = NULL;
int ret = 0;
read_key("oauth_pub.pem");
ret = jwt_decode(&jwt, jwt_test, key, key_len); printf("Decoding exit status: %d\n", ret); printf("User ID: %s\n", jwt_get_grant(jwt, "sub")); return 0; } ```
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
``` version: kamailio 5.8.2 (x86_64/linux) 3fa5f4 flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB poll method support: poll, epoll_lt, epoll_et, sigio_rt, select. id: 3fa5f4 compiled on 10:39:56 Jun 12 2024 with gcc 8.5.0 ```
* **Operating System**:
<!-- Details about the operating system, the type: Linux (e.g.,: Debian 8.4, Ubuntu 16.04, CentOS 7.1, ...), MacOS, xBSD, Solaris, ...; Kernel details (output of `lsb_release -a` and `uname -a`) -->
``` Rocky Linux 8.10 (Green Obsidian) ```
What you set in `$var(authorization_header_value)` does not look like a complete JWT, your C example code has a larger value in `jwt_test`.
You are right. We are using a middleware that seems to unexpectedly truncate the value. Tested with hardcoded JWT and it works as expected.
Closed #4003 as completed.
-
Daniel-Constantin Mierla -
Lyuboslav Alexandrov