secsipid method to only validate signature without checking the rest of the header #3784
Comments
Not sure I got exactly the kind of function you look for. One that still takes the Identity header value and verifies only the signature, with the key provided as a parameter? Or does the key have to be taken from the Identity header parameter? Maybe you can give the function prototype (or the list of parameters you want to provide to the function). On the other hand, can you look at the jwt module and see if it can already help with what you need?

I'll give the JWT module a peek. Lack of caching is maybe an issue (but can be 'farmed out' to something else for caching purposes). Perhaps this would be better considered as an error with the existing
The function notes, "Further checks can be done with config operations, decoding the JWT header and payload using {s.select} and {s.decode.base64t} transformations together with jansson module.", which is a very clean way to handle this, and the function here should just be less opinionated on what is and isn't a valid Identity header?

I added the function

Sorry for the delayed reply - I had a few small issues compiling, but kamailio then fails to start with secsipid_verify() not found. During startup:
The function is called like this:
Versions:
This is my Dockerfile in case I'm missing something in compilation:

Ah - I see the function takes three arguments. The third argument only has "A" as an allowed value?

Is it possible to use the same logic for downloading (and caching) of the key as the

This function is with key value as parameter, not file path. There is also a function in the secsipid module to download:

Confirmed that this is working. Will it get ported to 5.8 or will it be the next

This issue is stale because it has been open 6 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.

Issue auto marked as "stale", but the provided fix works.
Description

Currently secsipid has a method to sign arbitrary (json) data (secsipid_sign), however it has no converse method to check the signature. Currently, an attempt to check a div signature for example will yield a -303 error (SIPHdrInfo). Rather than trying to have full parsing for every possible type of Identity header (which are likely to increase in variety), it would be good to simply check "is this signature valid by trusted key", possibly validating the iat timestamp as well, but without any other opinions on the header values.

Expected behavior

A feature to check only the signature of an identity header.

Actual observed behavior

Currently the secsipid_check_ family of functions fails for non-shaken passport types.

Debugging Data

The following DIV identity header was generated by secsipid's secsipid_sign() function, so it should be possible to reverse this to validate the signature:

Possible Solutions

Because it's fairly straightforward to investigate the JWT, it's not necessary to try to account for every possible passport type, etc. The act of validating the signature is the complicated part, so a function that does only that would be convenient.

Additional Information

kamailio -v

Currently alpine linux 3.19 in a docker container, but it should be pretty reproducible everywhere.
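The check this issue asks for, shown as an added example that is not part of the issue, the fix or the Kamailio/secsipid code: verify only the ES256 signature of an Identity header against a key supplied by the caller, check iat freshness, and hand the decoded header and payload back without any opinion on ppt or the other claims. It is written against the Go standard library only. The key pair, x5u URL and telephone numbers are constructed sample values, and BuildDivIdentity is a hypothetical stand-in for secsipid_sign() used purely so the example is self-contained; it is not the module's signing routine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SplitIdentity separates the compact JWT from the Identity header parameters
// ("<jwt>;info=<url>;alg=ES256;ppt=div", RFC 8224). Parameters are returned
// untouched so the caller, not this function, decides which ppt values it accepts.
func SplitIdentity(hdr string) (string, map[string]string) {
	parts := strings.Split(hdr, ";")
	params := map[string]string{}
	for _, p := range parts[1:] {
		if kv := strings.SplitN(strings.TrimSpace(p), "=", 2); len(kv) == 2 {
			params[kv[0]] = strings.Trim(kv[1], "<>")
		}
	}
	return strings.TrimSpace(parts[0]), params
}

// decodeJSONSegment base64url-decodes one JWT segment into a generic JSON object.
func decodeJSONSegment(seg string) (map[string]any, error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return nil, fmt.Errorf("identity: bad base64url segment: %w", err)
	}
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("identity: segment is not a JSON object: %w", err)
	}
	return m, nil
}

// VerifyIdentitySignature checks only that the ES256 signature over
// "header.payload" was made with the private key matching pub and that iat is
// within maxAge of now. The algorithm is fixed to ES256 instead of being read
// from the JWT header, so a crafted "alg" value cannot change how the check runs.
// Header and payload are returned decoded for whatever policy the caller applies.
func VerifyIdentitySignature(hdr string, pub *ecdsa.PublicKey, now time.Time, maxAge time.Duration) (map[string]any, map[string]any, error) {
	jwt, _ := SplitIdentity(hdr)
	seg := strings.Split(jwt, ".")
	if len(seg) != 3 {
		return nil, nil, errors.New("identity: JWT must have three segments")
	}
	sig, err := base64.RawURLEncoding.DecodeString(seg[2])
	if err != nil || len(sig) != 64 {
		return nil, nil, errors.New("identity: signature is not 64 raw bytes (r||s)")
	}
	digest := sha256.Sum256([]byte(seg[0] + "." + seg[1]))
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, nil, errors.New("identity: signature does not verify with the given key")
	}
	header, err := decodeJSONSegment(seg[0])
	if err != nil {
		return nil, nil, err
	}
	payload, err := decodeJSONSegment(seg[1])
	if err != nil {
		return nil, nil, err
	}
	iat, ok := payload["iat"].(float64)
	if !ok {
		return nil, nil, errors.New("identity: payload has no numeric iat")
	}
	if age := now.Sub(time.Unix(int64(iat), 0)); age > maxAge || age < -maxAge {
		return nil, nil, fmt.Errorf("identity: iat outside tolerance (age %s)", age)
	}
	return header, payload, nil
}

// BuildDivIdentity is a hypothetical stand-in for secsipid_sign(), present only
// to make the example self-contained: it signs a constructed div PASSporT with
// priv and wraps it in an Identity header value.
func BuildDivIdentity(priv *ecdsa.PrivateKey, x5u string, iat time.Time) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	header := fmt.Sprintf(`{"alg":"ES256","ppt":"div","typ":"passport","x5u":"%s"}`, x5u)
	payload := fmt.Sprintf(`{"dest":{"tn":["12025550102"]},"div":{"tn":"12025550103"},"iat":%d,"orig":{"tn":"12025550101"}}`, iat.Unix())
	signingInput := enc([]byte(header)) + "." + enc([]byte(payload))
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw r||s pair, each left-padded to 32 bytes.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + enc(sig) + ";info=<" + x5u + ">;alg=ES256;ppt=div", nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed sample key
	now := time.Now()
	hdr, _ := BuildDivIdentity(priv, "https://cert.example.invalid/div.pem", now)
	_, claims, err := VerifyIdentitySignature(hdr, &priv.PublicKey, now, time.Minute)
	fmt.Println("signature valid:", err == nil, "claims:", claims)
}
```

Fetching and caching the key named by x5u stays outside the function, matching the thread's suggestion that caching can be farmed out: the caller passes whichever public key it trusts, and the returned claims are what a config would otherwise recover with {s.select}, {s.decode.base64t} and jansson.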