
### Description

Tried to verify a dubious JWT, but I get a token decoding error. I tried 
different variations of the key, such as `.pem`, `.key` extensions, `PKCS1`, 
`PKCS8` formats, reading the key from a variable or file.
### Troubleshooting

#### Reproduction

Have the following Kamailio config:
```
loadmodule "jwt.so"
...
modparam("jwt", "key_mode", 0)
....
$var(authorization_header_value) = 
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIyIiwianRpIjoiYmQ1NzlhZTYyZjg2ODE5N2I5OTk1YTFkOWM4NGZkOGFiNWIyYWI4Nzk5YzM0OWVmYjBkNjg1NWFiNDcwYWUzOTYyMzFmYzc5NjIxZDQxODciLCJpYXQiOjE3MjkxODU3MTguNjQxMjI1LCJuYmYiOjE3MjkxODU3MTguNjQxMjI";
$var(jwt_verification) = jwt_verify("/etc/kamailio/oauth_pub.pem", "RS256",
                "sub='$fU'",
                "$var(authorization_header_value)"
                );
...
```

oauth_pub.pem:
```
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
```
#### Debugging Data

#### Log Messages


```
[jwt_mod.c:501]: ki_jwt_verify_key(): failed to decode jwt value
```

#### SIP Traffic

### Possible Solutions

I've written a C++ program using `libjwt` to make sure the issue is neither 
my key nor `libjwt`. And they aren't. Here is the program:
```cpp
#include <cstdio>
#include <iostream>
#include <string>
#include <jwt.h>

static const char jwt_test[] = 
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.E_6jsC7yxPZgHRry55J0oOBzw25tvlfnWRBqSwLVFeAtavkVrYGmH9BGaByaAhebKNijy2WUg1X8Ug0N9Z9cc3P8u2wDSlvlzTNrxnPqdxMrKtP5wiIbImXboobFqKXLRmbor_9I7r0lBlX-e0xSis-PTaBqH40hDYPj0rR5cqnrszSkEMd2jFdiLL5BoF0pqysvrXA631KKA9oHGzAivib_GOddHeUOAVs7-hMVdnDqgrzZ6lDYkQndutrHpwILZWz09ngJBbRh_mN_cE4dDxghgeSotXADT-h5DlokV8ChkgkmHh6m4gU2lvnb7aY9dbCp9R44T1Rpz1P_HhPQ27p1Sgin40Oc2abBwDePw_chl0ajJHuhJCiK7YHbcmzcv3dZ-igVMYpMqhGIlyyuAHCSrKFVFLhodA1xlyCmMqJfFPOZ6DdKzbAQDWPN2xsCMy7WkGT5KmBQR5wWJRIRbTj4OUWo6iUrQdNyjB0F1RKqkuZlz414Hj0tkS5GlS1rfxOtS4yc2m_ERGomSmpDgoq2zpA5o3oJJWXqA7TzT8X_9Up5DkVQCMGW6Z2OT9Sr8hNjIXB1qgYiiZtNf9_b4bma5JEwVvR2-qcZ92V6owFTYx78smdyOgAaMlBQ_9AM6kARz4ZnC3Mz2feJT2qKLP-z9senqIB8k_xNx2lbU2w";

static unsigned char key[16384];
static size_t key_len;

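// Read the PEM public key into the static buffer; returns false on failure.
static bool read_key(const char *key_file)
{
    FILE *fp = fopen(key_file, "r");
    if (fp == NULL)
        return false;

    // Leave room for the terminating NUL.
    key_len = fread(key, 1, sizeof(key) - 1, fp);
    fclose(fp);

    key[key_len] = '\0';
    return key_len > 0;
}

int main()
{
    jwt_t *jwt = NULL;

    if (!read_key("oauth_pub.pem")) {
        fprintf(stderr, "Cannot read oauth_pub.pem\n");
        return 1;
    }

    // jwt_decode() returns 0 on success; jwt stays NULL on failure.
    int ret = jwt_decode(&jwt, jwt_test, key, key_len);
    printf("Decoding exit status: %d\n", ret);
    if (ret != 0 || jwt == NULL)
        return 1;

    const char *sub = jwt_get_grant(jwt, "sub");
    printf("User ID: %s\n", sub ? sub : "(none)");
    jwt_free(jwt);
    return 0;
}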
```

### Additional Information

  * **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.8.2 (x86_64/linux) 3fa5f4
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, 
USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, 
F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, 
USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, 
TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 
262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: 3fa5f4 
compiled on 10:39:56 Jun 12 2024 with gcc 8.5.0
```

* **Operating System**:


```
Rocky Linux 8.10 (Green Obsidian)
```


-- 
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/4003
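
Added example, not part of the original report or of Kamailio's code: a structural check of the compact token that can be run before suspecting the key, since the logged `failed to decode jwt value` message does not say which part was rejected. The function names and sample tokens are constructed for illustration; the check covers structure only and does not verify the signature.

```python
import base64
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url segment, rejecting anything malformed."""
    if not B64URL.fullmatch(segment) or len(segment) % 4 == 1:
        raise ValueError("not valid unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def triage_jwt(token: str, expected_alg: str = "RS256") -> list:
    """Return structural problems found in a compact JWS; [] means well-formed."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return [f"expected 3 dot-separated segments, found {len(parts)}"]
    problems = []
    for name, segment in zip(("header", "payload"), parts):
        try:
            obj = json.loads(b64url_decode(segment))
        except ValueError as exc:  # also covers JSON and UTF-8 decode errors
            problems.append(f"{name}: {exc}")
            continue
        if not isinstance(obj, dict):
            problems.append(f"{name}: not a JSON object")
        elif name == "header" and obj.get("alg") != expected_alg:
            problems.append(
                f"header: alg is {obj.get('alg')!r}, expected {expected_alg!r}")
    try:
        b64url_decode(parts[2])
    except ValueError as exc:
        problems.append(f"signature: {exc}")
    return problems

# Constructed sample tokens; the signature bytes are filler, not a real signature.
HEADER = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
PAYLOAD = b64url_encode(json.dumps({"aud": "2", "sub": "alice"}).encode())
SIGNATURE = b64url_encode(bytes(range(256)))
GOOD = f"{HEADER}.{PAYLOAD}.{SIGNATURE}"
NO_SIGNATURE = f"{HEADER}.{PAYLOAD}"                   # token cut before the signature
CUT_PAYLOAD = f"{HEADER}.{PAYLOAD[:-6]}.{SIGNATURE}"   # payload cut mid-JSON

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("no signature", NO_SIGNATURE),
                       ("cut payload", CUT_PAYLOAD)):
        print(label, "->", triage_jwt(tok) or "well-formed")
```

An empty result means only that the token is structurally decodable; signature and claim checks remain with `jwt_verify` or `libjwt`.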