
Comments (8)

miconda commented on June 3, 2024

Not sure I got exactly the kind of function you look for. One that still takes the Identity header value and verifies only the signature, with the key provided as parameter? Or the key has to be taken from the Identity header parameter? Maybe you can give the function prototype (or the list of parameters you want to provide to the function).

On the other hand, can you look at the jwt module and see if it can already help with what you need?

from kamailio.

whosgonna commented on June 3, 2024

I'll give the JWT module a peek. Lack of caching is maybe an issue (but can be 'farmed out' to something else for caching purposes).

Perhaps this would be better considered as an error with the existing secsipid_check() function in that it will only validate shaken passport types, and the ask should be simply to eliminate this check.

secsipid_check(sIdentity, keyPath)

Check the validity of the "sIdentity" parameter using the keys stored in the file specified by "keyPath". If the keyPath parameter is empty, the function is downloading the key using the URL from "info" parameter of the sIdentity, using the value of "timeout" parameter to limit the download time. The validity of the JWT in the sIdentity value is also checked against the "expire" parameter.

The function notes, "Further checks can be done with config operations, decoding the JWT header and payload using {s.select} and {s.decode.base64t} transformations together with jansson module.", which is a very clean way to handle this, and the function here should just be less opinionated on what is and isn't a valid Identity header?

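The "further checks" the comment above refers to, as an added example that is not Kamailio's, libsecsipid's or the commenter's code: it parses a SIP Identity header into its PASSporT and parameters (RFC 8224), decodes the JWT header and payload, and checks the claims without assuming ppt=shaken. It is written in Python rather than Kamailio config so it runs stand-alone; the sample Identity header, telephone numbers, URL and origid are constructed, and the signature segment is a placeholder, so signature verification is deliberately left to secsipid_check()/secsipid_verify().

```python
import base64
import json


class IdentityError(ValueError):
    """Raised when the Identity header is not structurally a PASSporT."""


def _b64url_decode(s: str) -> bytes:
    # PASSporT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_identity(header: str) -> dict:
    """Split '<jwt>;info=<url>;alg=ES256;ppt=xxx' into the decoded JWT header,
    payload, raw signature segment and the Identity header parameters."""
    parts = [p.strip() for p in header.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" not in p:
            raise IdentityError("malformed Identity parameter: %r" % p)
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip().strip("<>")  # info=<URI> carries angle brackets
    segs = parts[0].split(".")
    if len(segs) != 3 or not all(segs):
        raise IdentityError("PASSporT must be header.payload.signature")
    try:
        hdr = json.loads(_b64url_decode(segs[0]))
        payload = json.loads(_b64url_decode(segs[1]))
    except ValueError as e:  # binascii.Error and JSONDecodeError are both ValueError
        raise IdentityError("undecodable PASSporT segment: %s" % e)
    if not isinstance(hdr, dict) or not isinstance(payload, dict):
        raise IdentityError("PASSporT header and payload must be JSON objects")
    return {"header": hdr, "payload": payload, "signature": segs[2], "params": params}


def check_claims(parsed: dict, now: int, max_age: int = 60, allowed_ppt=None) -> list:
    """Return a list of problems; an empty list means the token is acceptable
    for signature verification. allowed_ppt=None accepts any extension (the
    behaviour the thread asks for); a set restricts the accepted ppt values."""
    hdr, payload, params = parsed["header"], parsed["payload"], parsed["params"]
    problems = []
    if hdr.get("typ") != "passport":
        problems.append("typ is not 'passport'")
    # RFC 8225 mandates ES256; rejecting anything else also rejects alg=none tokens.
    if hdr.get("alg") != "ES256":
        problems.append("alg %r is not ES256" % hdr.get("alg"))
    if params.get("alg", "ES256") != hdr.get("alg"):
        problems.append("alg parameter does not match JWT header")
    ppt = hdr.get("ppt")
    if ppt != params.get("ppt"):
        problems.append("ppt parameter %r does not match JWT header %r" % (params.get("ppt"), ppt))
    if allowed_ppt is not None and ppt not in allowed_ppt:
        problems.append("ppt %r not in allowed set" % ppt)
    x5u = hdr.get("x5u")
    if not isinstance(x5u, str) or not x5u.startswith("https://"):
        problems.append("x5u must be an https URL")
    if x5u != params.get("info"):
        problems.append("info parameter does not match x5u")
    iat = payload.get("iat")
    if not isinstance(iat, int):
        problems.append("iat missing or not an integer")
    elif abs(now - iat) > max_age:
        problems.append("iat %d is outside the %ds freshness window" % (iat, max_age))
    for claim in ("orig", "dest"):
        if claim not in payload:
            problems.append("missing %r claim" % claim)
    return problems


def _build_sample(hdr: dict, payload: dict) -> str:
    # Constructed sample: deterministic JSON as RFC 8225 requires, with a fake
    # signature segment. Signature checking is not performed in this example.
    enc = lambda o: _b64url_encode(json.dumps(o, separators=(",", ":"), sort_keys=True).encode())
    token = "%s.%s.%s" % (enc(hdr), enc(payload), _b64url_encode(b"not-a-real-signature"))
    identity = "%s;info=<%s>;alg=%s" % (token, hdr.get("x5u", ""), hdr.get("alg", ""))
    if "ppt" in hdr:
        identity += ";ppt=%s" % hdr["ppt"]
    return identity


# Constructed values (hypothetical numbers, URL and origid).
SAMPLE_HDR = {"alg": "ES256", "ppt": "rcd", "typ": "passport", "x5u": "https://cert.example.net/sp.pem"}
SAMPLE_PAYLOAD = {"attest": "A", "dest": {"tn": ["12155551213"]}, "iat": 1700000000,
                  "orig": {"tn": "12155551212"}, "origid": "de305d54-75b4-431b-adb2-eb6b9e546014",
                  "rcd": {"nam": "Example Caller"}}
SAMPLE_IDENTITY = _build_sample(SAMPLE_HDR, SAMPLE_PAYLOAD)
NONE_ALG_IDENTITY = _build_sample({"alg": "none", "typ": "passport", "x5u": "https://cert.example.net/sp.pem"}, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    parsed = parse_identity(SAMPLE_IDENTITY)
    print(parsed["header"]["ppt"], check_claims(parsed, now=1700000030))
    print(check_claims(parse_identity(NONE_ALG_IDENTITY), now=1700000030))
```

Run the claim checks before the signature check: a token whose alg, ppt or info parameters disagree with its own JWT header, or whose iat is stale, is rejected without ever fetching a certificate from the info URL, which also removes one way an attacker can make the verifier download from arbitrary hosts.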

miconda commented on June 3, 2024

I added the function secsipid_verify(...) that should allow disabling the checks on the jwt header attributes. I haven't tested though, report if you get any issues. You have to use the latest git versions of both kamailio and libsecsipid.


whosgonna commented on June 3, 2024

Sorry for the delayed reply - I had a few small issues compiling, but kamailio then fails to start with secsipid_verify() not found:

During startup:

 0(1) ERROR: <core> [core/cfg.y:3870]: yyparse(): cfg. parser: failed to find command secsipid_verify (params 2)

The function is called like this:

secsipid_verify("$var(identity)", "")

Versions:

[ben@NV0162~/projects/cnam_relay]$ dc exec cnam-sti-vs kamailio -v
version: kamailio 5.9.0-dev0 (x86_64/linux) 951ab1
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 951ab1
compiled on 21:42:15 Mar 19 2024 with gcc 12.2.0

[ben@NV0162~/projects/cnam_relay]$ dc exec cnam-sti-vs secsipidx -version
secsipidx v1.3.2

This is my Dockerfile in case I'm missing something in compilation:

FROM golang:1.22.1-bookworm AS secsipidbuilder
ENV GO111MODULE=off
RUN    cd / \
    && git clone https://github.com/asipto/secsipidx.git \
    && cd secsipidx \
    && make \
    && make install \
    && cd / \
    && apt update \
    && apt upgrade -y \
    && apt install -y git make automake autoconf libtool libcurl4-openssl-dev \
                      sngrep gnupg2 wget lsb-release openssl libssl-dev \
                      pkg-config uuid-dev sip-tester \
    && apt install -y pkg-config gcc bison flex g++ libssl-dev libxml2-dev \
                      libjson-c-dev libpcre3 libjansson-dev libpcre3-dev  \
                      libhiredis-dev libsqlite3-dev libpq-dev libevent-dev \
                      sqlite3 uuid-dev \
    && cd /secsipidx \
    && make install \
    && git clone \
            -b master \
            --single-branch https://github.com/kamailio/kamailio.git /kamailio \
    && cd /kamailio \
    && make include_modules="jansson json ndb_redis db_sqlite db_postgres \
                             secsipid secsipid_proc http_async_client avpops \
                             uuid" prefix="/" cfg \
    && make all \
    && make install \
    && apt clean \
    && apt-get autoremove --yes \
    && cd / \
    && rm -rf /var/lib/{apt,dpkg,cache,log}/ \
    && rm -rf /kamailio \
    && rm -rf /secsipidx

COPY etc/kamailio /etc/kamailio


whosgonna commented on June 3, 2024

Ah - I see the function takes three arguments. The third argument only has "A" as an allowed value?


whosgonna commented on June 3, 2024

Is it possible to use the same logic for downloading (and caching) of the key as the secsipid_check function:

If the keyPath parameter is empty, the function is downloading the key using the URL from "info" parameter of the sIdentity, using the value of "timeout" parameter to limit the download time


miconda commented on June 3, 2024

This function is with key value as parameter, not file path. There is also a function in the secsipid module to download:


whosgonna commented on June 3, 2024

Confirmed that this is working. Will it get ported to 5.8 or will it be the next major.minor release?

