[OpenSIPS-Users] Why is rest_get truncating pem in the output var?
Joshua Young
jyoung at sangoma.com
Fri Jul 1 17:00:17 UTC 2022
Hello OpenSIPS,
I'm trying to implement the stir_shaken_verify() function, and I have a
feeling that rest_get() is truncating the output variable...
I have these for the modules
...
# STIR/SHAKEN modules
loadmodule "rest_client.so"
loadmodule "stir_shaken.so"
modparam("stir_shaken", "require_date_hdr", 0)
modparam("stir_shaken", "verify_date_freshness", 300)
loadmodule "cfgutils.so"
modparam("cfgutils", "shvset", "stirshaken=s:enable")
modparam("stir_shaken", "ca_list", "/etc/opensips/tls/calist.pem")
...
and then I'm using something like this to do the verifying
...
# Fetch the signing certificate from the URL in the Identity header
$var(rc) = rest_get( "$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
if ($var(rc) < 0) {
    xlog("L_ERR", "rest_get() FAILED\n");
    send_reply(436, "Bad Identity Info");
    exit;
} else {
    # Debug output: length and contents of the fetched certificate
    $var(len) = $(var(cert){s.len});
    $var(cert_full) = $(var(cert){s.escape.common});
    xlog("L_ERR","cert full = $var(cert_full)");
    xlog("L_ERR", "length $$var(cert) = $var(len)\n");
    xlog("L_ERR", "rest_get() PASSED: $$var(cert) = $var(cert)");
}
xlog("L_ERR","$$identity(x5u) = $identity(x5u)");
# Verify the Identity header against the fetched certificate
$var(rc) = stir_shaken_verify("$var(cert)", $var(err_code), $var(err_reason), $identity(orig), $identity(dest));
if ($var(rc) < -1) {
    xlog("L_ERR", "stir_shaken_verify() FAILED\n");
    send_reply($var(err_code), $var(err_reason));
    exit;
} else {
    xlog("L_ERR", "stir_shaken_verify() PASSED\n");
}
...
my output xlogs are showing
...
/usr/local/sbin/opensips[113989]: cert full = -----BEGIN CERTIFICATE-----
/usr/local/sbin/opensips[113989]: length $var(cert) = 2367
/usr/local/sbin/opensips[113989]: rest_get() PASSED: $var(cert) = -----BEGIN CERTIFICATE-----
/usr/local/sbin/opensips[113989]: cached $var(cert) is still good
/usr/local/sbin/opensips[113989]: $identity(x5u) = https://cr.sansay.com/star2star-prod-stirshaken
/usr/local/sbin/opensips[113989]: INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
/usr/local/sbin/opensips[113989]: INFO:stir_shaken:w_stir_verify: Invalid certificate
/usr/local/sbin/opensips[113989]: stir_shaken_verify() FAILED
...
the variable is showing 2367 bytes
$var(len) = $(var(cert){s.len});
xlog("L_ERR", "length $$var(cert) = $var(len)\n");
/usr/local/sbin/opensips[113989]: length $var(cert) = 2367
but regardless of what I try to print, it is only printing the first line
$var(cert_full) = $(var(cert){s.escape.common});
xlog("L_ERR","cert full = $var(cert_full)");
/usr/local/sbin/opensips[113989]: cert full = -----BEGIN CERTIFICATE-----
xlog("L_ERR", "rest_get() PASSED: $$var(cert) = $var(cert)");
/usr/local/sbin/opensips[113989]: rest_get() PASSED: $var(cert) = -----BEGIN CERTIFICATE-----
....
Perhaps this isn't the issue after all, but I am unable to determine why the
stir_shaken_verify() is failing
/usr/local/sbin/opensips[113989]: INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
/usr/local/sbin/opensips[113989]: INFO:stir_shaken:w_stir_verify: Invalid certificate
I feel like the $var(cert) is being truncated, which is why it's failing...
but I have no clue...
Can you provide pointers?
Thanks
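
A check that can be run outside OpenSIPS on a saved copy of the fetched body, added here as an example and not part of the original post or of OpenSIPS: it tests whether each PEM block is structurally complete by comparing the length declared in the outer DER header with the decoded size. The function names and the sample (filler bytes, not a real certificate) are constructed; it does not validate any signature.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_RE = re.compile(BEGIN + r"\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_declared_len(der: bytes) -> int:
    """Total size (header + body) announced by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad or cut-off length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem(text: str) -> list:
    """One (status, declared_len, actual_len) tuple per certificate block."""
    results = []
    blocks = PEM_RE.findall(text)
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            declared = der_declared_len(der)
        except ValueError as exc:           # binascii.Error subclasses ValueError
            results.append((f"malformed: {exc}", None, None))
            continue
        status = "complete" if declared == len(der) else "length mismatch"
        results.append((status, declared, len(der)))
    if text.count(BEGIN) > len(blocks):     # a BEGIN line with no END after it
        results.append(("truncated: BEGIN without END", None, None))
    return results

def make_sample(body_len: int = 900) -> str:
    """Constructed stand-in: a DER SEQUENCE of filler bytes, PEM-armoured."""
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)
    return BEGIN + "\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    full = make_sample()
    lines = full.splitlines()
    print(check_pem(full))                               # whole body
    print(check_pem("\n".join(lines[:5] + lines[-1:])))  # middle lines lost
    print(check_pem(lines[0]))                           # only the first line
```

A body that reports "complete" for every block was received whole, so a verification failure on it is about the certificate chain and not about a shortened variable.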