Disregard. It was my mistake. I had sp_key.pem in my kamailio config when
it was actually sp-key.pem. Doh. Took me way too long to see my mistake but
it is working now and adding the identity. Thanks for the help everyone!

On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey <[email protected]> wrote:

> Thanks for the replies. I think I am understanding it better now. My issue
> now is I am getting this error:
>
> ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid
> [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get
> identity header body (-451)
>
> -451 = SJWTRetErrFileRead which I assume is either the certificate or the
> private key. I am able to download the certificate using the URL so I guess
> the key? I have permissions on the key as 600 (-rw-------) and the
> user:group for it is kamailio.
>
> It's still self-signed, but I generated it with the TNAuthList, etc. like
> a production certificate. I have stir/shaken working on a production
> machine but it uses libstirshaken and not secsipid.
>
> Output of cert:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
>         Signature Algorithm: ecdsa-with-SHA256
>         Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN = sip-test.mydomain.net
>         Validity
>             Not Before: Jun 21 00:03:27 2024 GMT
>             Not After : Sep 24 00:03:27 2026 GMT
>         Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.", OU = VOIP, CN = SHAKEN
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 pub:
>                     04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
>                     33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
>                     62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
>                     a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
>                     01:0c:fb:48:b0
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         X509v3 extensions:
>             1.3.6.1.5.5.7.1.26:
>                 0.....1001
>             X509v3 Subject Key Identifier:
>                 9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
>             X509v3 Authority Key Identifier:
>                 84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
>     Signature Algorithm: ecdsa-with-SHA256
>     Signature Value:
>         30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
>         d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
>         69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
>         c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
>
>
> On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <
> [email protected]> wrote:
>
>> This is what I do (I have a redirect server receive the INVITEs to be
>> signed, I add the header and then do a 302; the initiating server then adds
>> it to the INVITE and sends the INVITE out):
>>
>> if ($rm=="INVITE") {
>>     # Build and add the Identity header with attestation level "A"
>>     $var(rc) = secsipid_add_identity("$(var(from){s.numeric})",
>>         "$(var(to){s.numeric})", "A", "",
>>         "https://pki.domain.com/stir-shaken-cert.pem",
>>         "/etc/kamailio/ec256-private.pem");
>>
>>     if ( $var(rc) > 0 ) {
>>         # Make the new header visible to $hdr(Identity)
>>         msg_apply_changes();
>>     } else {
>>         update_stat("stirshaken_create_identity_failed","+1");
>>         send_reply("503", "Service Unavailable - can not create Identity header");
>>         exit;
>>     }
>>
>>     # Copy the Identity header into the 302 reply
>>     append_to_reply("Identity: $hdr(Identity)\r\n");
>> }
>> sl_send_reply("302", "Redirect");
>> exit;
>>
>>
>> hope that helps
>>
>> Regards,
>>
>> David Villasmil
>> email: [email protected]
>>
>>
>>
>> On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <
>> [email protected]> wrote:
>>
>>> Hmm you are correct. I took it out and it started fine. So what exactly
>>> would I need for our outbound stirshaken?
>>>
>>> Just secsipid_add_identity?
>>>
>>> I guess I've been looking at this for too long today. Just lines and
>>> lines after a while.
>>>
>>> On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <[email protected]> wrote:
>>>
>>>> Except for `expire` and `timeout`, those parameters don’t exist for
>>>> secsipid - at least according to the module documentation:
>>>> https://kamailio.org/docs/modules/stable/modules/secsipid
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Kaufman
>>>>
>>>>
>>>>
>>>> *From:* Blake Ivey <[email protected]>
>>>> *Sent:* Thursday, June 20, 2024 3:39 PM
>>>> *To:* Ben Kaufman <[email protected]>
>>>> *Cc:* [email protected]
>>>> *Subject:* Re: [SR-Users] SecSIPID Assistance
>>>>
>>>>
>>>>
>>>> Sorry for the formatting:
>>>>
>>>> ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter
>>>> <private_key> of type <1:string> not found in module <secsipid>
>>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error
>>>> in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set
>>>> module parameter
>>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error
>>>> in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set
>>>> module parameter
>>>> kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex():
>>>> parameter <key_path> of type <1:string> not found in module <secsipid>
>>>>
>>>>
>>>>
>>>> On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <[email protected]> wrote:
>>>>
>>>> What is the error you’re getting?
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Kaufman
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *From:* Blake Ivey via sr-users <[email protected]>
>>>> *Sent:* Thursday, June 20, 2024 3:14 PM
>>>> *To:* Kamailio (SER) - Users Mailing List <[email protected]>
>>>> *Cc:* Blake Ivey <[email protected]>
>>>> *Subject:* [SR-Users] SecSIPID Assistance
>>>>
>>>>
>>>>
>>>> Hi everyone. Wanting to see if someone could point me in the right
>>>> direction. Still very new to Kamailio but I am beginning to understand it
>>>> better. I'm making an outbound proxy and have everything working well
>>>> besides stir/shaken. I'm looking at the module page and have gone back and
>>>> forth with chatGPT and can't seem to figure this part out. I keep getting
>>>> errors on the modparam lines.
>>>>
>>>>
>>>>
>>>> Obviously this is a self signed cert because I'm just testing. I am
>>>> able to reach and download the cert from the Web server.
>>>>
>>>>
>>>>
>>>> Thank you for any assistance.
>>>>
>>>>
>>>>
>>>> # SECSIPID for Stir/Shaken
>>>> modparam("secsipid", "private_key", "/etc/kamailio/secsipid/private.key")
>>>> modparam("secsipid", "certificate", "/etc/kamailio/secsipid/cert.crt")
>>>> modparam("secsipid", "authority_cert", "/etc/kamailio/secsipid/ca.crt")
>>>> modparam("secsipid", "expire", 600)
>>>> modparam("secsipid", "timeout", 2)
>>>>
>>>> route[STIRSHAKEN] {
>>>>     if (is_method("INVITE")) {
>>>>         if (!secsipid_add_identity("$fU", "$rU", "A", "",
>>>>                 "http://myIPaddress.com/stir_shaken_cert.crt",
>>>>                 "/etc/kamailio/secsipid/private.key")) {
>>>>             xlog("L_ERR", "Failed to sign call with ID: $ci - From: $fU\n");
>>>>             send_reply("500", "Internal Server Error");
>>>>             exit;
>>>>         } else {
>>>>             xlog("L_INFO", "Successfully signed call with ID: $ci - From: $fU\n");
>>>>         }
>>>>     }
>>>>
>>>>     # Relay the call after signing
>>>>     route(RELAY);
>>>> }
>>>>
>>>>
>>>>
>>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> To unsubscribe send an email to [email protected]
>>> Important: keep the mailing list in the recipients, do not reply only to
>>> the sender!
>>> Edit mailing list options or unsubscribe:
>>>
>>
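
The -451 (SJWTRetErrFileRead) failure resolved at the top of this thread came from a key path that did not match the file on disk, which can be caught before Kamailio starts. This is an added example, not code from the thread or from the secsipid project: a pre-flight check of the key path and certificate using the openssl CLI, where the function name and return codes are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the private key path handed to secsipid_add_identity().
# Added example; check_signing_key and its return codes are hypothetical.
#   0 = key is readable, parses, and matches the certificate
#   2 = key path missing or unreadable (the file-read failure behind -451)
#   3 = file exists but is not a parseable private key
#   4 = certificate unreadable, or key does not belong to it
check_signing_key() {
    key=$1 cert=$2
    if [ ! -f "$key" ] || [ ! -r "$key" ]; then
        echo "cannot read key: $key" >&2
        # Flag near-miss names in the same directory (sp_key.pem vs sp-key.pem)
        dir=$(dirname -- "$key")
        want=$(basename -- "$key" | tr -d '_.-' | tr 'A-Z' 'a-z')
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            have=$(basename -- "$f" | tr -d '_.-' | tr 'A-Z' 'a-z')
            [ "$have" = "$want" ] && echo "did you mean: $f" >&2
        done
        return 2
    fi
    # Compare the public key derived from the private key with the one in the cert
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    [ "$key_pub" = "$cert_pub" ] || return 4
    return 0
}
```

Run it as the account Kamailio runs under, so the readability test reflects that user's permissions on the key file. The certificate argument is a local copy of the file published at the x5u URL.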