[OpenSIPS-Users] Why is rest_get truncating pem in the output var?

Bogdan-Andrei Iancu bogdan at opensips.org
Tue Aug 9 09:35:03 UTC 2022


Hi Joshua,

The xlogging is truncated by default to 4K, see 
https://www.opensips.org/Documentation/Script-CoreParameters-3-2#xlog_buf_size.

Still, printing only the first line is strange :-/, unless some 
special chars are in the certificate. You can try to print what is after 
that first line, by using the substr() transformation, skip the first 
28/29 chars of the "-----BEGIN CERTIFICATE-----"... just to see what's in 
there.

Now, regarding the failure of the verification, have you tried to run 
at debug level (set log_level to 4) to see what the function does? 
Maybe there are some clues there.

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 7/1/22 7:59 PM, Joshua Young via Users wrote:
> Hello OpenSIPS,
>
> I'm trying to implement the stir_shaken_verify() function, and I have 
> a feeling the rest_get() is truncating output variable...
>
> I have these for the modules
>
> ...
> # STIR/SHAKEN modules
> loadmodule "rest_client.so"
> loadmodule "stir_shaken.so"
> modparam("stir_shaken", "require_date_hdr", 0)
> modparam("stir_shaken", "verify_date_freshness", 300)
> loadmodule "cfgutils.so"
> modparam("cfgutils", "shvset", "stirshaken=s:enable")
> modparam("stir_shaken", "ca_list", "/etc/opensips/tls/calist.pem")
> ...
>
> and then I'm using something like this to do the verifying
>
> ...
>     $var(rc) = rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>     if ($var(rc) < 0) {
>         xlog("L_ERR", "rest_get() FAILED\n");
>         send_reply(436, "Bad Identity Info");
>         exit;
>     } else {
>         $var(len) = $(var(cert){s.len});
>         $var(cert_full) = $(var(cert){s.escape.common});
>         xlog("L_ERR","cert full = $var(cert_full)");
>         xlog("L_ERR", "length $$var(cert) = $var(len)\n");
>         xlog("L_ERR", "rest_get() PASSED:  $$var(cert) = $var(cert)");
>     }
>
>     xlog("L_ERR","$$identity(x5u) = $identity(x5u)");
>     $var(rc) = stir_shaken_verify("$var(cert)", $var(err_code), $var(err_reason), $identity(orig), $identity(dest));
>     if ($var(rc) < -1) {
>         xlog("L_ERR", "stir_shaken_verify() FAILED\n");
>         send_reply($var(err_code), $var(err_reason));
>         exit;
>     } else {
>         xlog("L_ERR", "stir_shaken_verify() PASSED\n");
>     }
> ...
>
>
> my output xlogs are showing
> ...
> /usr/local/sbin/opensips[113989]: cert full = -----BEGIN CERTIFICATE-----
> /usr/local/sbin/opensips[113989]: length $var(cert) = 2367
> /usr/local/sbin/opensips[113989]: rest_get() PASSED:  $var(cert) = 
> -----BEGIN CERTIFICATE-----
> /usr/local/sbin/opensips[113989]: cached $var(cert) is still good
> /usr/local/sbin/opensips[113989]: $identity(x5u) = 
> https://cr.sansay.com/star2star-prod-stirshaken 
> /usr/local/sbin/opensips[113989]: INFO:stir_shaken:verify_callback: 
> certificate validation failed: certificate signature failure
> /usr/local/sbin/opensips[113989]: INFO:stir_shaken:w_stir_verify: 
> Invalid certificate
> /usr/local/sbin/opensips[113989]: stir_shaken_verify() FAILED
> ...
>
> the variable is showing 2367 bytes
>
> $var(len) = $(var(cert){s.len});
> xlog("L_ERR", "length $$var(cert) = $var(len)\n");
> /usr/local/sbin/opensips[113989]: length $var(cert) = 2367
>
> but regardless of what I try to print, it is only printing the first line
>
> $var(cert_full) = $(var(cert){s.escape.common});
> xlog("L_ERR","cert full = $var(cert_full)");
> /usr/local/sbin/opensips[113989]: cert full = -----BEGIN CERTIFICATE-----
>
>  xlog("L_ERR", "rest_get() PASSED:  $$var(cert) = $var(cert)");
> /usr/local/sbin/opensips[113989]: rest_get() PASSED:  $var(cert) = 
> -----BEGIN CERTIFICATE-----
> ....
>
> Perhaps this isn't the issue after all, but I am unable to determine 
> why the stir_shaken_verify() is failing.
>
> /usr/local/sbin/opensips[113989]: INFO:stir_shaken:verify_callback: 
> certificate validation failed: certificate signature failure
> /usr/local/sbin/opensips[113989]: INFO:stir_shaken:w_stir_verify: 
> Invalid certificate
>
> I feel like the $var(cert) is being truncated, which is why it's 
> failing... but I have no clue...
>
> Can you provide pointers?
> Thanks
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
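
Added example, not part of the original thread or of OpenSIPS: one way to test the truncation suspicion outside the proxy is to save the body returned from the x5u URL and check that every PEM block in it is structurally complete (END marker present, base64 valid, decoded size equal to the length declared in the DER header). The function names are hypothetical and the sample input is a constructed placeholder, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)(-----END CERTIFICATE-----|\Z)", re.S)

def der_declared_len(der):
    """Total size claimed by the outer DER SEQUENCE header, None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                     # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_body(body):
    """One status string per certificate block found in a fetched PEM body."""
    out = []
    for m in PEM_RE.finditer(body):
        if not m.group(2):                # regex ran to end of input, no END line
            out.append("missing END marker")
            continue
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:                # binascii.Error subclasses ValueError
            out.append("invalid base64")
            continue
        want = der_declared_len(der)
        if want is None:
            out.append("not a DER SEQUENCE")
        elif want != len(der):
            out.append(f"truncated: DER declares {want} bytes, got {len(der)}")
        else:
            out.append(f"complete: {len(der)} bytes")
    return out

def constructed_pem(payload_len=512):
    """Constructed placeholder: a DER SEQUENCE of zero bytes, NOT a real cert."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----", ""])

if __name__ == "__main__":
    body = constructed_pem() * 2          # constructed two-block body
    print(check_pem_body(body), check_pem_body(body[:900]))
```

This checks structure only; it does not validate signatures or the chain against the ca_list file.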
