I found another way. I already use Ansible to deploy all configurations (exactly: I load a specific route, with the private key) because I like to split the configuration. So I just added my private key to the configuration, but this key is encrypted in the Ansible template. Very simple ;)
*man_private_key.cfg:*

route[man_private_key] {
    $avp(privKey) = "-----BEGIN EC PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAA........
-----END EC PRIVATE KEY-----";
}

*routing.cfg:*

route {
    route(man_private_key);
    ...
    route(stir_and_shaken);
    ...

*stir_and_shaken.cfg:*

...
$var(cert) = $sql_cached_value(man_certificates_cache:certificate:https://certs.example.org/public_am.pem);
stir_shaken_auth("$var(attest)", "blabla", "$var(cert)", "$avp(privKey)",
    "https://certs.example.org/public_am.pem", "$var(orig)", "$tU",
    "$var(identity_hdr)");
...

++

On Tue, 30 May 2023 at 10:34, Mickael Hubert <mick...@winlux.fr> wrote:
> Thanks a lot Wadii for your answer.
> I already use sqlcacher for all public keys, but for my private key, I want to store it securely (maybe encrypted, if I use a DB).
> For your needs, you fetch your private key with rest_client.so, right? In France we get all keys thanks to the French state's central API, and this API is protected by OAuth2 authentication, so I think I'll use an external dev.
> ++
>
> On Mon, 29 May 2023 at 17:01, Wadii ELMAJDI | Evenmedia <wa...@evenmedia.fr> wrote:
>> Hello Mickael
>>
>> If the goal is only to keep your key out of opensips plain sight, the simplest way is using the exec.so module: load the private key from a local file or an external data source with an external command, and then store it securely in the local cache for future STIR/SHAKEN signing calls.
>>
>> You could also use the rest_client.so module and get your key/certificate from a secure external webservice (my personal fav).
>>
>> Another option is the avpops module to get your private key from a SQL database on demand (or sqlcacher to fully cache your table on script startup).
>>
>> In case you're considering using the avpops module with its default table, the value column can by default only hold 128 characters. For an RSA private key in PEM format, it can go up to 800 chars.
>>
>> Hope this helps
>>
>> *From:* Users <users-boun...@lists.opensips.org> *On behalf of* Mickael Hubert
>> *Sent:* Monday, 29 May 2023 14:55
>> *To:* OpenSIPS users mailing list <users@lists.opensips.org>
>> *Subject:* Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate
>>
>> Hi,
>>
>> Can you tell me what is the best way to load our private key please?
>> It would be great not to have it as clear text in opensips's configuration.
>>
>> Thanks in advance
>>
>> On Mon, 21 Nov 2022 at 13:39, ryan embgrets <rembgr...@gmail.com> wrote:
>>
>> That was it.
>>
>> Working flawlessly. Thanks Vlad Patrascu
>>
>> Ryan
>>
>> On Mon, 21 Nov 2022 at 17:24, Vlad Patrascu <vl...@opensips.org> wrote:
>>
>> Hi Ryan,
>>
>> You have to provide to the stir_shaken_auth() function the actual content of the certificate file and not just the path. The same goes for the private key.
>>
>> Regards,
>>
>> --
>> Vlad Patrascu
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 21.11.2022 14:02, ryan embgrets wrote:
>> > Greetings
>> >
>> > I am trying to generate an Identity header by using the stir_shaken module of opensips.
>> >
>> > But I am encountering the below error each time upon call.
>> >
>> > Nov 21 11:15:20 local /usr/sbin/opensips[5051]: ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>> > Nov 21 11:15:20 local /usr/sbin/opensips[5051]: ERROR:stir_shaken:load_cert: Failed to parse certificate
>> >
>> > #Module section.
>> > loadmodule "stir_shaken.so"
>> >
>> > route{
>> >     $var(cert) = "/etc/opensips/certs.pem";
>> >     $var(privKey) = "/etc/opensips/key.pem";
>> >     stir_shaken_auth("A", "", $var(cert), $var(privKey),
>> >         "https://domain.org/cert.pem");
>> > }
>> >
>> > Though the cert looks valid, has proper permissions for opensips to access it, and is cross checked with openssl for verification.
>> >
>> > Any pointer on what might be causing this?
>> >
>> > Ryan
_______________________________________________ Users mailing list Users@lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users
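Added example, not code from the thread or from the OpenSIPS project: a small Python pre-flight check for the string that will be handed to stir_shaken_auth(), covering the two pitfalls raised above, a file path passed instead of the PEM content (Vlad's answer) and a PEM longer than the 128-character default avpops value column (Wadii's remark). The DER length check, the classify() heuristic and the sample PEM blobs are this example's own constructions, not OpenSIPS behaviour.

```python
import base64
import re

# Added example, not OpenSIPS code: sanity-check the string that will be handed to
# stir_shaken_auth() as certificate / private key material before it lands in config.
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>[A-Za-z0-9+/=\s]+?)"
                    r"-----END (?P<end>[A-Z ]+)-----")
AVPOPS_DEFAULT_VALUE_WIDTH = 128  # default avpops value column width cited in the thread

def classify(value: str) -> str:
    """'pem' if the string is key/cert material, 'path' if it merely names a file."""
    if value.lstrip().startswith("-----BEGIN "):
        return "pem"
    return "path" if value.startswith("/") or value.endswith(".pem") else "unknown"

def der_declared_length(der: bytes) -> int:
    """Header+content length the outer DER SEQUENCE claims (short or long form)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_is_well_formed(pem: str) -> bool:
    """Armour labels match, body is valid base64, DER length matches the payload."""
    m = PEM_RE.search(pem)
    if not m or m.group("label") != m.group("end"):
        return False
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        return der_declared_length(der) == len(der)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return False

def preflight(value: str) -> dict:
    """Is this usable key material, and would it survive the default avpops column?"""
    kind = classify(value)
    ok = kind == "pem" and pem_is_well_formed(value)
    return {"kind": kind, "usable_by_stir_shaken_auth": ok,
            "fits_avpops_default_column": ok and len(value) <= AVPOPS_DEFAULT_VALUE_WIDTH}

# Constructed samples, not real keys: a tiny SEQUENCE {INTEGER 1} ("MAMCAQE="), and a
# 604-byte SEQUENCE using a long-form DER length, roughly the size of a real PEM key.
TINY_PEM = "-----BEGIN EC PRIVATE KEY-----\nMAMCAQE=\n-----END EC PRIVATE KEY-----\n"
LONG_PEM = ("-----BEGIN EC PRIVATE KEY-----\n"
            + base64.b64encode(b"\x30\x82\x02\x58" + bytes(600)).decode()
            + "\n-----END EC PRIVATE KEY-----\n")
```

Running preflight("/etc/opensips/key.pem") reports kind "path" and not usable, which is exactly the mistake behind the "Failed to parse certificate" error in the thread; running it on LONG_PEM reports usable but too long for the default avpops column.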