@@ -65,7 +65,6 @@ static int w_stirshaken_check_identity_with_key(sip_msg_t *msg, char *pkey_path,

 static int w_stirshaken_add_identity(sip_msg_t *msg, str *px5u, str *pattest, str *porigtn_val, str *pdesttn_val, str *porigid);

 static int w_stirshaken_add_identity_with_key(sip_msg_t *msg, str *px5u, str *pattest, str *porigtn_val, str *pdesttn_val, str *porigid, str *pkeypath);

-

 /* clang-format off */

 static cmd_export_t cmds[]={

 	{"stirshaken_check_identity", (cmd_function)w_stirshaken_check_identity, 0,

@@ -158,6 +157,96 @@ static int get_cert_name_hashed(const char *name, char *buf, int buf_len)

 	return 0;

 }

+static int stirshaken_handle_cache_to_disk(X509 *x, STACK_OF(X509) *xchain, const char *cert_full_path)

+{

+    int i = 0;

+    int w = 0;

+    FILE *fp = NULL;

+    X509 *xc = NULL;

+

+    if (!x) {

+        LM_ERR("Refusing to save an empty cert\n");

+        return -1;

+    }

+

+    fp = fopen(cert_full_path, "w");

+    if (!fp) {

+        LM_ERR("Failed to create file: %s", cert_full_path);

+		return -1;

+    }

+

+    w = PEM_write_X509(fp, x);

+	if (w == 0) {

+		LM_ERR("Failed to write cert to %s", cert_full_path);

+		goto fail;

+	}

+

+    for (i = 0; i < sk_X509_num(xchain); i++) {

+		xc = sk_X509_value(xchain, i);

+		if (!xc) continue;

+		w = PEM_write_X509(fp, xc);

+		if (w == 0) {

+			LM_ERR("Failed to write chain to %s", cert_full_path);

+			goto fail;

+		}

+	}

+

+    if (fp) fclose(fp);

+    fp = NULL;

+

+    return 0;

+

+fail:

+	if (fp) fclose(fp);

+	return -1;

+}

+

+static int stirshaken_handle_cache_from_disk(stir_shaken_context_t *ss, stir_shaken_cert_t *cert, const char *name)

+{

+    FILE *fp = NULL;

+    X509 *wcert = NULL;

+

+    LM_DBG("Handle cache from disk; %s", name);

+

+    if (stir_shaken_zstr(name)) {

+        LM_ERR("Cert file name missing");

+		return -1;

+	}

+

+    fp = fopen(name, "r");

+    if (!fp) {

+        LM_ERR("Failed to open %s: %s", name, strerror(errno));

+        goto fail;

+    }

+

+    cert->xchain = sk_X509_new_null();

+

+    while ((wcert = PEM_read_X509(fp, NULL, NULL, NULL))) {

+		if (!cert->x) {

+			cert->x = wcert;

+		}

+		else {

+			sk_X509_push(cert->xchain, wcert);

+		}

+	}

+

+	LM_DBG("done reading file, got %d certs and %d chains", cert->x ? 1 : 0, sk_X509_num(cert->xchain));

+

+    if (!cert->x) {

+        LM_ERR("No certificate found in %s", name);

+        goto fail;

+    }

+

+    if (fp) fclose(fp);

+    fp = NULL;

+

+    return 0;

+

+fail:

+    if (fp) fclose(fp);

+    return -1;

+}

+

 static stir_shaken_status_t shaken_callback(stir_shaken_callback_arg_t *arg)

 {

 	stir_shaken_context_t ss = { 0 };

@@ -207,18 +296,18 @@ static stir_shaken_status_t shaken_callback(stir_shaken_callback_arg_t *arg)

 					diff = now_s - attr.st_mtime;

-					LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %zu, file modification timestamp is: %zu, difference is: %zu)\n",

+					LM_DBG("Checking cached certificate against expiration setting of %zus (now is: %lu, file modification timestamp is: %lu, difference is: %lu)\n",

 						stirshaken_vs_cache_expire_s, now_s, attr.st_mtime, diff);

 					if (diff > stirshaken_vs_cache_expire_s) {

-						LM_WARN("Cached certificate %s is behind expiration threshold (%zu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s);

+						LM_NOTICE("Cached certificate %s is behind expiration threshold (%lu > %zu). Need to download new certificate...\n", cert_full_path, diff, stirshaken_vs_cache_expire_s);

 						goto exit;

 					} else {

-						LM_WARN("Cached certificate %s is valid for next %zus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff);

+						LM_NOTICE("Cached certificate %s is valid for next %lus\n", cert_full_path, stirshaken_vs_cache_expire_s - diff);

 					}

 				}

-				if (!(cache_copy.x = stir_shaken_load_x509_from_file(&ss, cert_full_path))) {

+				if (-1 == stirshaken_handle_cache_from_disk(&ss, &cache_copy, cert_full_path)) {

 					LM_ERR("Cannot load X509 from file %s\n", cert_full_path);

 					goto exit;

 				}

@@ -445,8 +534,8 @@ static int stirshaken_handle_cache(stir_shaken_context_t *ss, stir_shaken_passpo

 		LM_DBG("Saving fresh certificate %s in cache (with name: %s)...\n", x5u, cert_full_path);

-		if (STIR_SHAKEN_STATUS_OK != stir_shaken_x509_to_disk(ss, cert->x, cert_full_path)) {

-			LM_ERR("Failed to write cert %s to disk (as: %s)", x5u, cert_full_path);

+		if (-1 == stirshaken_handle_cache_to_disk(cert->x, cert->xchain, cert_full_path)) {

+			LM_ERR("Failed to cache certificate %s to disk", x5u);

 		}

 	} else {

@@ -485,7 +574,8 @@ static int ki_stirshaken_check_identity(sip_msg_t *msg)

 	ibody = hf->body;

 	if (STIR_SHAKEN_STATUS_OK != stir_shaken_vs_sih_verify(&ss, vs, ibody.s, &cert_out, &passport_out)) {

-		LM_ERR("SIP Identity Header did not pass verification\n");

+		LM_ERR("SIP Identity Header did not pass verification: %s", stir_shaken_get_error(&ss, NULL));

+

 		stirshaken_print_error_details(&ss);

 		goto fail;

 	}