<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    Hi Joshua,<br>
    <br>
    The xlogging is truncated by default to 4K, see
<a class="moz-txt-link-freetext" href="https://www.opensips.org/Documentation/Script-CoreParameters-3-2#xlog_buf_size">https://www.opensips.org/Documentation/Script-CoreParameters-3-2#xlog_buf_size</a>.<br>
    <br>
    Still, printing only the first line is strange :-/, unless there
    are some special chars in the certificate. You can try to print what
    comes after that first line by using the substr() transformation:
    skip the first 28/29 chars of the "-----BEGIN
    CERTIFICATE-----"... just to see what's in there.<br>
    <br>
    Now, regarding the failure of the verification, have you tried
    running at debug level (set log_level to 4) to see what the function
    does? Maybe there are some clues there.<br>
    <br>
    Best regards,<br>
    <pre class="moz-signature" cols="72">Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  <a class="moz-txt-link-freetext" href="https://www.opensips-solutions.com">https://www.opensips-solutions.com</a>
OpenSIPS Summit 27-30 Sept 2022, Athens
  <a class="moz-txt-link-freetext" href="https://www.opensips.org/events/Summit-2022Athens/">https://www.opensips.org/events/Summit-2022Athens/</a></pre>
    <div class="moz-cite-prefix">On 7/1/22 7:59 PM, Joshua Young via
      Users wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAPY59GypSUsAKEw2jZwdkBUjHuZom_hAtNtDN1QA_Rqe5BWCCg@mail.gmail.com">
      <div dir="ltr">Hello OpenSIPS,
        <div><br>
        </div>
        <div>I'm trying to implement the stir_shaken_verify() function,
          and I have a feeling that rest_get() is truncating the output
          variable...</div>
        <div><br>
        </div>
        <div>I have these for the modules</div>
        <div><br>
        </div>
        <div>...</div>
        <div># STIR/SHAKEN modules<br>
          loadmodule "rest_client.so"<br>
          loadmodule "stir_shaken.so"<br>
          modparam("stir_shaken", "require_date_hdr", 0)<br>
          modparam("stir_shaken", "verify_date_freshness", 300)<br>
          loadmodule "cfgutils.so"<br>
          modparam("cfgutils", "shvset", "stirshaken=s:enable")<br>
          modparam("stir_shaken", "ca_list",
          "/etc/opensips/tls/calist.pem")<br>
        </div>
        <div>...</div>
        <div><br>
        </div>
        <div>and then I'm using something like this to do the verifying</div>
        <div><br>
        </div>
        <div>...</div>
        <div>    $var(rc) = rest_get( "$identity(x5u)", $var(cert),
          $var(ctype), $var(http_rc));<br>
              if ($var(rc) < 0) {<br>
                  xlog("L_ERR", "rest_get() FAILED\n");<br>
                 send_reply(436, "Bad Identity Info");<br>
                 exit;<br>
              } else {<br>
                  $var(len) = $(var(cert){s.len});<br>
                  $var(cert_full) = $(var(cert){s.escape.common});<br>
                  xlog("L_ERR","cert full = $var(cert_full)");<br>
                  xlog("L_ERR", "length $$var(cert) = $var(len)\n");<br>
                  xlog("L_ERR", "rest_get() PASSED:  $$var(cert) =
          $var(cert)");<br>
              }<br>
          <br>
        </div>
        <div>    xlog("L_ERR","$$identity(x5u) = $identity(x5u)");<br>
              $var(rc) = stir_shaken_verify("$var(cert)",
          $var(err_code), $var(err_reason), $identity(orig),
          $identity(dest));<br>
              if ($var(rc) < -1) {<br>
                  xlog("L_ERR", "stir_shaken_verify() FAILED\n");<br>
                  send_reply($var(err_code), $var(err_reason));<br>
                  exit;<br>
              } else {<br>
                  xlog("L_ERR", "stir_shaken_verify() PASSED\n");<br>
              }<br>
        </div>
        <div>...</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>my output xlogs are showing</div>
        <div>...</div>
        <div>/usr/local/sbin/opensips[113989]: cert full = -----BEGIN
          CERTIFICATE-----<br>
          /usr/local/sbin/opensips[113989]: length $var(cert) = 2367<br>
          /usr/local/sbin/opensips[113989]: rest_get() PASSED:
           $var(cert) = -----BEGIN CERTIFICATE-----<br>
          /usr/local/sbin/opensips[113989]: cached $var(cert) is still
          good<br>
          /usr/local/sbin/opensips[113989]: $identity(x5u) = <a
            href="https://cr.sansay.com/star2star-prod-stirshaken"
            moz-do-not-send="true">https://cr.sansay.com/star2star-prod-stirshaken</a><br>
          /usr/local/sbin/opensips[113989]:
          <a class="moz-txt-link-freetext" href="INFO:stir_shaken:verify_callback">INFO:stir_shaken:verify_callback</a>: certificate validation
          failed: certificate signature failure<br>
          /usr/local/sbin/opensips[113989]:
          <a class="moz-txt-link-freetext" href="INFO:stir_shaken:w_stir_verify">INFO:stir_shaken:w_stir_verify</a>: Invalid certificate<br>
          /usr/local/sbin/opensips[113989]: stir_shaken_verify() FAILED<br>
        </div>
        <div>...</div>
        <div><br>
        </div>
        <div>the variable is showing 2367 bytes</div>
        <div><br>
        </div>
        <div>$var(len) = $(var(cert){s.len});<br>
        </div>
        xlog("L_ERR", "length $$var(cert) = $var(len)\n");<br>
        <div>/usr/local/sbin/opensips[113989]: length $var(cert) = 2367<br>
        </div>
        <div><br>
        </div>
        <div>but regardless of what I try to print, it's only printing the
          first line</div>
        <br>
        $var(cert_full) = $(var(cert){s.escape.common});<br>
        xlog("L_ERR","cert full = $var(cert_full)");<br>
        <div>/usr/local/sbin/opensips[113989]: cert full = -----BEGIN
          CERTIFICATE-----<br>
        </div>
        <div><br>
        </div>
        <div> xlog("L_ERR", "rest_get() PASSED:  $$var(cert) =
          $var(cert)");<br>
        </div>
        <div>/usr/local/sbin/opensips[113989]: rest_get() PASSED:
           $var(cert) = -----BEGIN CERTIFICATE-----<br>
        </div>
        <div>....</div>
        <div><br>
        </div>
        <div>Perhaps this isn't the issue after all, but I am unable to
          determine why the stir_shaken_verify() is failing</div>
        <div><br>
        </div>
        <div>/usr/local/sbin/opensips[113989]:
          <a class="moz-txt-link-freetext" href="INFO:stir_shaken:verify_callback">INFO:stir_shaken:verify_callback</a>: certificate validation
          failed: certificate signature failure<br>
          /usr/local/sbin/opensips[113989]:
          <a class="moz-txt-link-freetext" href="INFO:stir_shaken:w_stir_verify">INFO:stir_shaken:w_stir_verify</a>: Invalid certificate<br>
        </div>
        <div><br>
        </div>
        <div>I feel like the $var(cert) is being truncated, which is why
          it's failing... but I have no clue...</div>
        <div><br>
        </div>
        <div>Can you provide pointers?</div>
        <div>Thanks</div>
      </div>
      <br>
    </blockquote>
    <br>
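An offline way to carry out the check suggested in the reply above (look at what follows the first line, and look for special characters), written as an added example that is not part of the original thread or of OpenSIPS. The names inspect_pem, der_total_length and make_sample are made up for this sketch, and the sample input is a constructed DER stand-in, not a real certificate; save the body returned from the x5u URL to a file and pass its text to inspect_pem, then compare "length" with the {s.len} value the script logged.

```python
import base64
import re

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(HEADER) + r"(.*?)" + re.escape(FOOTER), re.S)


def der_total_length(der: bytes) -> int:
    """Size an outer DER SEQUENCE claims for itself (header plus body)."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    if (der[1] & 0x80) == 0:               # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(text: str) -> dict:
    """Summarise what a one-line log print hides about a fetched PEM body."""
    certs = []
    for body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            certs.append(der_total_length(der) == len(der))
        except (ValueError, IndexError):   # bad base64 or cut-off DER
            certs.append(False)
    tail = text[len(HEADER):len(HEADER) + 8]
    return {
        "length": len(text),               # compare with {s.len} from the script
        "after_header": tail.encode("unicode_escape").decode(),
        "crlf": "\r\n" in text,
        "odd_chars": sorted({c for c in text
                             if not c.isprintable() and c not in "\r\n"}),
        "has_footer": text.rstrip().endswith(FOOTER),
        "complete_certs": certs,
    }


def make_sample(newline: str = "\n") -> str:
    """Constructed stand-in: a 260-byte DER SEQUENCE, not a real certificate."""
    b64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join([HEADER, *lines, FOOTER, ""])


if __name__ == "__main__":
    for name, text in [("LF", make_sample()), ("CRLF", make_sample("\r\n")),
                       ("cut", make_sample()[:200])]:
        print(name, inspect_pem(text))
```

A body that is complete shows has_footer as True and one True entry per certificate in complete_certs; a cut-off or altered body shows up as a missing footer, a False entry, or a non-empty odd_chars list.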
  </body>
</html>