We have it slightly different but otherwise close to yours

    cache_fetch("local", $identity(x5u), $var(cert));
    if (!stir_shaken_check_cert($var(cert))) {
        xlog("--[$ci] STI Getting a fresh certificate, existing one doesn't exist or is invalid\n");

        $var(rc) = rest_get($identity(x5u), $var(cert));

        if ($var(rc) < 0) {
            xlog("--[$ci] STI Failed to get the certificate\n");
            send_reply(436, "Bad Identity Info");
            exit;
        }

        xlog("--[$ci] STI got certificate[$var(cert)]\n");

        cache_store("local", $identity(x5u), $var(cert));
    } else {

        xlog("--[$ci] Using cached certificate\n");

    }


________________________________
From: Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek 
<mar...@voipplus.net>
Sent: Thursday, January 5, 2023 4:19 PM
To: users@lists.opensips.org <users@lists.opensips.org>
Subject: Re: [OpenSIPS-Users] stir shaken verification


Thank you very much. I have the same file, and verification is still failing. 
Perhaps it's my config:


$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get( "$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc<0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify( "$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc < 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason)\n");
    send_reply( $var(err_sip_code), $var(err_sip_reason));
    exit;
}


I figured this much:

$var(cert) is a public certificate downloaded from $identity(x5u); if it does 
not exist in the local cache it gets pulled and stored,

stir_shaken_check_cert("$var(cert)") is generating these errors:

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate (because the 
entry does not exist in the local cachedb)

this forces the download of the public cert from $identity(x5u) and storing it 
in the local cachedb

The second attempt does not generate these errors; however, calls with a 
different Identity header and URL for the public cert should generate the same 
errors again, as the public cert from the new URL is not in the local cachedb, 
but they are NOT generating the same error.

Also, I have minimized cache_store down to 1 second, and after that a second 
call with the same $identity(x5u) should generate the same errors, but it does 
not.

The example on the shaken-not-stirred page has:

rest_get( "$identity(x5u)", "$var(cert)",
        $var(ctype), $var(http_rc));

but this fails at start-up with the error ERROR:core:fix_cmd: Param [2] expected 
to be a variable, so I removed the double quotes from around $var(cert).



On 1/5/2023 1:18 PM, Joseph Jackson wrote:
Hi Marcin,

I suspect you are correct that it's how you are decoding the CA cert file from 
iconectiv.

Attached is what we have currently, and it works in our production environment.

If the mailing list strips out that attachment let me know. You can reach me 
directly at jjack...@aninetworks.net

Joseph

________________________________
From: Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek 
<mar...@voipplus.net>
Sent: Thursday, January 5, 2023 10:16 AM
To: users@lists.opensips.org <users@lists.opensips.org>
Subject: Re: [OpenSIPS-Users] stir shaken verification


Joseph, thank you very much for your response.


I have downloaded and applied the new sti-ca file but certificate validation fails.

INFO:stir_shaken:verify_callback: certificate validation failed: certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential


Perhaps I am not processing the sti-ca file properly.


I am testing this with a valid token; in fact, test calls are coming from a major 
cellular carrier in the US and the verification fails.

I can see curl download the public cert, store it in the local cache and then 
attempt to verify, but it fails.

Upon the next call with the same token, the public cert is pulled from the local 
cache and still fails.




On 1/4/2023 7:37 PM, Joseph Jackson wrote:
Hi Marcin,

We have a process that downloads the CA list from iconectiv nightly, decodes 
the JWT and stores the certs in a single file in /etc/ssl/sti-ca/sti-ca.pem

Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11


________________________________
From: Users <users-boun...@lists.opensips.org> on behalf of Marcin Groszek 
<mar...@voipplus.net>
Sent: Wednesday, January 4, 2023 6:12 PM
To: users@lists.opensips.org <users@lists.opensips.org>
Subject: [OpenSIPS-Users] stir shaken verification


Opensips version 3.1.5

I am having some issues with the stir_shaken setup. I am sure this is not an 
issue with the module, but with me.

stir_shaken_auth works just fine and I am able to sign the calls; however, I was 
unable to find any document on how to use the CA file available for download at 
iconectiv/download-list as well as via API. They come in as a JWT file, but 
after a little manipulation individual certificates can be extracted, and the 
first one is the root certificate, I think, and the rest are trusted STI-CAs. I 
guess my question is how do I use this file or any other cert file as "ca_list" 
and/or "ca_dir".

After weeks and hundreds of attempts I was unsuccessful, and I was unable to 
locate any document explaining the preparation/setup steps to set up verification.

All I get is:

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_verify: Failed to load certificate
on INVITE with a valid Identity header.

When I remove or replace the "ca_list" file with something bogus, opensips does 
not even start, with errors:

ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
ERROR:core:init_mod: failed to initialize module stir_shaken

I would really appreciate some guidance on this one.




_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


--
Best Regards:
Marcin Groszek
Business Phone Service
https://www.voipplus.net
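As an added example (not code from this thread or from the OpenSIPS project), here is a Python version of the nightly step Joseph describes and the "little manipulation" Marcin mentions: decode the STI-PA JWT and write its certificates into the single PEM bundle that the ca_list modparam points at. The claim name "trustList", the stand-in DER bytes and the sample token are constructed assumptions, and the JWT signature is not verified here, so run it only on a list fetched from the STI-PA over an authenticated channel.

```python
import base64
import json

# Assumption (not from the thread): the claim holding the certificates is
# named "trustList". Check the downloaded file and adjust if it differs.
CLAIM = "trustList"
# Constructed stand-in for DER: a minimal ASN.1 SEQUENCE, not a real cert.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_payload(token: str) -> dict:
    """Return the decoded payload of a compact JWS. The signature is NOT
    checked here; only feed this a list fetched from the STI-PA over TLS."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def to_pem(entry: str) -> str:
    """Normalize one list entry (PEM or bare base64 DER) to a PEM block,
    rejecting anything that does not decode to an ASN.1 SEQUENCE."""
    body = entry.strip()
    if body.startswith("-----BEGIN CERTIFICATE-----"):
        body = body.split("-----")[2].replace("\n", "")
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("entry is not DER (no leading SEQUENCE tag)")
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def ca_list_to_pem_bundle(token: str, claim: str = CLAIM) -> str:
    """Build the one-file bundle that the OpenSIPS ca_list modparam reads."""
    certs = jwt_payload(token).get(claim)
    if not isinstance(certs, list) or not certs:
        raise ValueError(f"claim {claim!r} missing or empty")
    return "".join(to_pem(c) for c in certs)

def make_sample_token(certs: list) -> str:
    """Constructed test input: an unsigned JWT with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "ES256", "typ": "JWT"}) + "." + enc({CLAIM: certs}) + ".sig"
```

Write the returned bundle to the path given in ca_list and check it with openssl x509 before restarting OpenSIPS, since a file that does not parse stops the module from initializing.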


