git:master:f007736b: stirshaken: removed repeated x509 certification path check - sr-dev

6 May 2025

Module: kamailio
Branch: master
Commit: f007736ba18f5cc2114ffdd1e6df2b9b03808fe7
URL: https://github.com/kamailio/kamailio/commit/f007736ba18f5cc2114ffdd1e6df2b9b...
Author: FelipeCuadra f.cuadra@zaleos.net
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: 2025-05-06T13:34:41+02:00
stirshaken: removed repeated x509 certification path check
- removed a second check of the x509 certificate path from the module, since it is already done earlier in the library and updated documentation
---
Modified: src/modules/stirshaken/doc/stirshaken_admin.xml
Modified: src/modules/stirshaken/stirshaken_mod.c
---
Diff:  https://github.com/kamailio/kamailio/commit/f007736ba18f5cc2114ffdd1e6df2b9b...
Patch: https://github.com/kamailio/kamailio/commit/f007736ba18f5cc2114ffdd1e6df2b9b...
---

diff --git a/src/modules/stirshaken/doc/stirshaken_admin.xml b/src/modules/stirshaken/doc/stirshaken_admin.xml
index ef07e6a7212..41f72e5c1b7 100644
--- a/src/modules/stirshaken/doc/stirshaken_admin.xml
+++ b/src/modules/stirshaken/doc/stirshaken_admin.xml
@@ -528,6 +528,10 @@ request_route {
 ...
 </programlisting>
    	</example>
+	<para>
+		To ensure proper functionality, the Kamailio stirshaken module requires a minimum version of libstirshaken that includes the stir_shaken_verify_cert_path function for performing the x509 certificate path check. This functionality was added to libstirshaken around 2020 (<![CDATA[https://github.com/signalwire/libstirshaken/commit/58e740b897ae40e2bb02ada2231a051a7eb55137]]>). 
+		If you're using an older version of libstirshaken that predates this commit, the stirshaken module may not function correctly.
+	</para>
    </section>
</chapter>
diff --git a/src/modules/stirshaken/stirshaken_mod.c b/src/modules/stirshaken/stirshaken_mod.c
index 95bbdeb5736..5d0bc744885 100644
--- a/src/modules/stirshaken/stirshaken_mod.c
+++ b/src/modules/stirshaken/stirshaken_mod.c
@@ -613,23 +613,6 @@ static int ki_stirshaken_check_identity(sip_msg_t *msg)
    	goto fail;
    }
-	if(stirshaken_vs_verify_x509_cert_path) {
-
-		LM_DBG("Running X509 certificate path verification\n");
-
-		if(!vs) {
-			LM_ERR("Verification Service not started\n");
-			goto fail;
-		}
-
-		if(STIR_SHAKEN_STATUS_OK
-				!= stir_shaken_verify_cert_path(&ss, cert_out, vs->store)) {
-			LM_ERR("Cert did not pass X509 path validation\n");
-			stirshaken_print_error_details(&ss);
-			goto fail;
-		}
-	}
-
    if(stirshaken_vs_pptg_pvname.s != 0) {
    	memset(&val, 0, sizeof(pv_value_t));
    	val.flags = PV_VAL_STR;

    