kamailio icon indicating copy to clipboard operation
kamailio copied to clipboard

Published 20 hours ago verified publisher icon kamailio

[JWT Module] Failed to decode JWT value

Open l-alexandrov opened this issue 1 year ago • 1 comments

Description

Tried to verify a dubious JWT, but I get a token decoding error. I tried different variations of the key, such as .pem, .key extensions, PKCS1, PKCS8 formats, reading the key from a variable or file.

Troubleshooting

Reproduction

Have the following Kamailio config:

loadmodule "jwt.so"
...
modparam("jwt", "key_mode", 0)
....
$var(authorization_header_value) = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIyIiwianRpIjoiYmQ1NzlhZTYyZjg2ODE5N2I5OTk1YTFkOWM4NGZkOGFiNWIyYWI4Nzk5YzM0OWVmYjBkNjg1NWFiNDcwYWUzOTYyMzFmYzc5NjIxZDQxODciLCJpYXQiOjE3MjkxODU3MTguNjQxMjI1LCJuYmYiOjE3MjkxODU3MTguNjQxMjI";
$var(jwt_verification) = jwt_verify("/etc/kamailio/oauth_pub.pem", "RS256",
                "sub='$fU'",
                "$var(authorization_header_value)"
                );
...

oauth_pub.pem:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA5mfAgdn7JaiRS2Bsov4S
zTlGLSe2wxbdUxIreTcqs88PmWOBtuSeQg5tU3CRnPtsuuRJrlUniV5g56YAHrnt
Qe8meu877iTrcJB6Cii3n+d7SgwCfjMvaFBR+mdGsidAyGBpRhoPrH7SD6CRpBLr
Mxylcgqw4uH/0HdF+B8P5motUQz/tul/UKsq1nvC2AOOzFel1IsUah8dQuxzMx+P
RYcsngJam8TkGr6QidTXc2rD4lEoCD1s/huGUq55bc19J3yRliN2j8cO9j1bGTsp
GYEVtA3PiH/73BZTa3FHbhRYqhvjYacC8eWBFhwThC9CgPyOXrq4L7p9tJAlNwmd
dQHhIzZ9vugQuhfnuUTb0/r2tjpsSPL7etgJdxtZ4Xh9aBEpYn//RAgu5Dkauc2S
XF+uLWwBptFTM3SNppDPMdjRkYakWjVP2pgBGMmrINFb8RQAPEJzD1gVt0fYCxaY
jiazbSc9FPfSbFENHq+r8D7OivpiW0q9+tSZbYmAFzZekoUAoboQThSdRcOy9tFz
196xfg4dOyxkRGGHstz28qBv340ppjnHQd+RZOvbr8s2zEIxGiOpfX8CuLur/nKl
Ld3qtzg0caqDz6nsYK+95rExnbtU+gFcHnwtMdk3R8X6lVHzDeTjO2Nk4Zo023zo
qFH/rRyJBOp98fQPOpx5qncCAwEAAQ==
-----END PUBLIC KEY-----

Debugging Data

Log Messages

[jwt_mod.c:501]: ki_jwt_verify_key(): failed to decode jwt value

SIP Traffic

Possible Solutions

I've wrote a C++ program using libjwt to make sure the issue is not neither my key, nor libjwt. And they aren't. Here is the program:

#include <iostream>
#include <string>
#include <jwt.h>

static const char jwt_test[] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIyIiwianRpIjoiZDY2NDQ4MTdhYWRhNTQ1MDI1YmUwZmU1M2I1ZmFhYTdkZGI3NTY5NTBiMDYxMzk5MzFmNTQ1ZjhkMmE4N2ZhYjU0ODgzNjJhZGNiMWQ5ZTkiLCJpYXQiOjE3MjkyMjg5NjIuMzg5MDI3LCJuYmYiOjE3MjkyMjg5NjIuMzg5MDMzLCJleHAiOjE3MjkyNzIxNjIuMzc5MTg3LCJzdWIiOiIxNDQ0ODEiLCJzY29wZXMiOltdLCJ1c2VyIjp7ImlkIjoxNDQ0ODEsImFjY291bnRfaWQiOjEyOTMyNn0sIm1veHRyYS10b2tlbiI6Ik1WUXpNekZVTU1hdlFET2hNVlNabEdRZ1ptQUNPRmNGU1JKZEVGNGZTQTFFRWxJLVVCMTRkREZVTVZkbFkxY0xjaHhrWkhrU1pnVjVERUppQ0dKSEJWZGxYQTFMQmwwYUF4MUdHbHdkX0RmbHhORGRNMXMzOXlabjhMMEV5USIsImRldmljZSI6eyJpZCI6ImY4MzI0NDkyLWJiYjQtNGJiNC04ZWQxLWZlMTM1OWQwOTNlNSIsInR5cGUiOiJ3ZWIiLCJ2ZXJzaW9uIjoiMS43LjAifX0.E_6jsC7yxPZgHRry55J0oOBzw25tvlfnWRBqSwLVFeAtavkVrYGmH9BGaByaAhebKNijy2WUg1X8Ug0N9Z9cc3P8u2wDSlvlzTNrxnPqdxMrKtP5wiIbImXboobFqKXLRmbor_9I7r0lBlX-e0xSis-PTaBqH40hDYPj0rR5cqnrszSkEMd2jFdiLL5BoF0pqysvrXA631KKA9oHGzAivib_GOddHeUOAVs7-hMVdnDqgrzZ6lDYkQndutrHpwILZWz09ngJBbRh_mN_cE4dDxghgeSotXADT-h5DlokV8ChkgkmHh6m4gU2lvnb7aY9dbCp9R44T1Rpz1P_HhPQ27p1Sgin40Oc2abBwDePw_chl0ajJHuhJCiK7YHbcmzcv3dZ-igVMYpMqhGIlyyuAHCSrKFVFLhodA1xlyCmMqJfFPOZ6DdKzbAQDWPN2xsCMy7WkGT5KmBQR5wWJRIRbTj4OUWo6iUrQdNyjB0F1RKqkuZlz414Hj0tkS5GlS1rfxOtS4yc2m_ERGomSmpDgoq2zpA5o3oJJWXqA7TzT8X_9Up5DkVQCMGW6Z2OT9Sr8hNjIXB1qgYiiZtNf9_b4bma5JEwVvR2-qcZ92V6owFTYx78smdyOgAaMlBQ_9AM6kARz4ZnC3Mz2feJT2qKLP-z9senqIB8k_xNx2lbU2w";

static unsigned char key[16384];
static size_t key_len;

static void read_key(const char *key_file)
{
    FILE *fp = fopen(key_file, "r");
    int ret = 0;

    fp = fopen(key_file, "r");

    key_len = fread(key, 1, sizeof(key), fp);

    fclose(fp);

    key[key_len] = '\0';
}

int main()
{
    jwt_t *jwt = NULL;

    int ret = 0;

    read_key("oauth_pub.pem");

    ret = jwt_decode(&jwt, jwt_test, key, key_len);
    printf("Decoding exit status: %d\n", ret);
    printf("User ID: %s\n", jwt_get_grant(jwt, "sub"));
    return 0;
}

Additional Information

  • Kamailio Version - output of kamailio -v
version: kamailio 5.8.2 (x86_64/linux) 3fa5f4
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 3fa5f4 
compiled on 10:39:56 Jun 12 2024 with gcc 8.5.0
  • Operating System:
Rocky Linux 8.10 (Green Obsidian)

l-alexandrov avatar Oct 21 '24 07:10 l-alexandrov