[sr-dev] [kamailio/kamailio] Stirshaken module not handling certificate chain caching (Issue #3246)

Sylvain Fontaine notifications at github.com
Mon Sep 19 17:40:21 CEST 2022


### Description
The stirshaken module has an option to cache certificates instead of downloading them using http for each call.  The problem is that the module doesn't save the certificate chain in the cached file.
from here: https://github.com/kamailio/kamailio/blob/f7b35f05f31bd7cc01aea4572c79ba48d84d8123/src/modules/stirshaken/stirshaken_mod.c#L448
We see that only `cert->x` is saved to the file.  It needs to save `cert->chainx` as well.

Similarly, the load function should load both the x509 and associated x509 chain.

### Troubleshooting

#### Reproduction
To reproduce, we need to configure the stirshaken module to do certificate caching:
```
modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/path/to/ca")
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/path/to/cert_cache")
modparam("stirshaken", "vs_cache_expire_s", 100)
```
Then send 2 calls featuring an identity header signed by a private key associated with a public certificate that includes a chain, such as https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09
Verification for the first call should work, but verification of the x509 cert path will fail on the second call.

#### SIP Traffic

Example sip INVITE that should help reproduce the problem.
```
INVITE sip:+13855551212 at 216.82.227.102:5060 SIP/2.0
Max-Forwards: 61
f: <sip:+13852194167 at reg.mydomain.net>;tag=as04e1a3e0
t: <sip:+13851212 at somedomain.net>
m: <sip:+13852194167 at reg.mydomain.net:5060>
i: 59ede93214794e1033b27ed249a90f15 at reg.mydomain.net
CSeq: 102 INVITE
Date: Mon, 19 Sep 2022 15:04:01 GMT
l: 0
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9wc3RuLWNkbi5saXZlLmd0Yy5nb3RvLmNvbS9jZXJ0cy9zdGlyc2hha2VuL2dvdG8tMjAyMi0wOSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxNTE0ODM4MjY0NyJdfSwiaWF0IjoxNjYzNTk5ODQxLCJvcmlnIjp7InRuIjoiMTM4NTIxOTQxNjcifSwib3JpZ2lkIjoiNTllZGU5MzIxNDc5NGUxMDMzYjI3ZWQyNDlhOTBmMTVAcmVnLmppdmVpcC5uZXQifQ.wX5H0FhPt99MPWbdk_xgZXOWCHPGRcS_RiGTBBE5mG_r6By6StdnsBWiipdU9xyLuG3nSPKKFybhdO1S8OIeSQ;info=<https://pstn-cdn.live.gtc.goto.com/certs/stirshaken/goto-2022-09>;alg=ES256;ppt=shaken
```

### Possible Solutions

The module should save/load `cert->chainx` as well.  Maybe a new set of functions in libstirshaken should be added to save/load a certificate (vs. saving/loading a single x509).
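As an added example (not kamailio or libstirshaken code), a stdlib-only Python sketch of the cache layout the fix needs, the leaf certificate followed by its chain in one PEM file, plus a check an operator can run against the configured `vs_cache_dir` to find cache files where the chain was dropped. The PEM bodies used by `demo()` are constructed placeholders, not real certificates.

```python
# Added example, not kamailio/libstirshaken code: cache a leaf cert together
# with its chain and flag cache files where the chain was dropped.
import os
import re
import tempfile

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem_certs(text):
    """Return every CERTIFICATE block of a PEM bundle, in file order."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(text)]

def save_cert_cache(path, leaf_pem, chain_pems):
    """Write the leaf first, then each chain certificate (issuer order)."""
    with open(path, "w") as fh:
        fh.write(leaf_pem)
        for pem in chain_pems:
            fh.write(pem)

def load_cert_cache(path):
    """Read a cache file back into (leaf, chain); chain may be empty."""
    with open(path) as fh:
        certs = split_pem_certs(fh.read())
    if not certs:
        raise ValueError(f"{path}: no certificate found")
    return certs[0], certs[1:]

def chainless_cache_files(cache_dir):
    """Names of cache files holding a single certificate, i.e. no chain."""
    flagged = []
    for name in sorted(os.listdir(cache_dir)):
        try:
            _, chain = load_cert_cache(os.path.join(cache_dir, name))
        except ValueError:
            continue  # not a PEM cache file, skip it
        if not chain:
            flagged.append(name)
    return flagged

def _fake_pem(label):
    # Constructed placeholder body; not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"

def demo():
    """Cache one leaf without chain and one with; only the first is flagged."""
    cache_dir = tempfile.mkdtemp()
    leaf, inter = _fake_pem("LEAFDATA"), _fake_pem("INTERMEDIATEDATA")
    save_cert_cache(os.path.join(cache_dir, "leaf_only.pem"), leaf, [])
    save_cert_cache(os.path.join(cache_dir, "with_chain.pem"), leaf, [inter])
    return chainless_cache_files(cache_dir)
```

Pointing `chainless_cache_files` at a real `vs_cache_dir` after the two-call reproduction above shows whether the cached file kept only the leaf.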

https://github.com/kamailio/kamailio/issues/3246