Hi, I think I am facing the same problem.
On Thu, Aug 10, 2023 at 4:46 AM Mickael Hubert <[email protected]> wrote:
> Hi all,
> Thanks Wadii for your help (in private ;) )
> I developed a solution to check CRL in an external process (python script
> scheduled by AWX).
>
> My python script (download only in memory, not on disk)
> *For CA certificates:*
> - Download CA and intermediate certs
> - Download PA cert (PA cert is used to sign CRL)
> - Download CA CRL
> - Check if CA or intermediate certs are revoked
> - I use ansible (AWX) to write CA and intermediate certs to the opensips disk
> - Ansible restarts opensips only if CA or intermediate certs change
>
> *For provider certificate (BPCO):*
> - Download provider certificates that are in tar.gz (only in memory)
> - Uncompress tar.gz and create a dict with data (cert data, cert id,
> provider id)
> - Download CRL for provider certificates
> - Check all provider certificate signatures (not necessary, because
> opensips can do that for each call)
> - Check if cert is revoked
> - Extract metadata and add them to dict
> - Ansible parses this dict and pushes each line into the mysql cache DB
> (sql_cacher module)
>
> Ex of dict:
> {
>   "126881e75888888": {
>     "provider_code": "PROV00",
>     "cert_data": "-----BEGIN CERTIFICATE-----.........\n-----END CERTIFICATE-----\n",
>     "not_before": "20230815220000Z",
>     "not_after": "20240814215959Z",
>     "has_expired": false,
>     "valid": false,
>     "revoked": true,
>     "revoked_date": "20230809151920Z"
>   }
> }
>
> Thanks to that, when a call is processed by opensips, it gets the correct
> data from its cache; if revoked == true, force $rc = -7 (
> https://github.com/OpenSIPS/sipssert-opensips-tests/blob/1313d03b6ecd1972f9d2facf69116c418fb40399/stir-shaken/04.verify-200/stir_shaken_verify.cfg#L135)
> to send the correct error code (437 Unsupported Credential).
>
> Maybe that can help my French friends, VoIP providers ;)
>
> Have a good day
>
> On Mon, 7 Aug 2023 at 09:29, Wadii ELMAJDI | Evenmedia <[email protected]> wrote:
>
>> Hello
>>
>> I have run into a problem with the STIR/SHAKEN verification process.
>>
>> In the French implementation of StirShaken, the CRL of the operator
>> certificates is signed with a certificate that is different from the one
>> used to sign provider certificates,
>> and in such a case, OpenSSL does not allow validating the
>> entire certification chain in one command.
>>
>> Also, the OPENSIPS stirshaken module's stir_shaken_verify function fails to
>> validate provider certificates (with CRL loaded)
>>
>> Error : certificate validation failed: unable to get certificate CRL
>>
>> For now, following the guidelines suggested by the French authority
>> handling STIR/SHAKEN, we are planning to implement a two-step approach to
>> check CRL before stir_shaken_verify kicks in (w/o CRL loaded)
>>
>> First, we verify the certification chain of the provider's certificate,
>> plus making sure CA's certificates are not revoked. We do this using a
>> command like:
>>
>> openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted
>> /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all
>> -CRLfile /etc/opensips/example_certs/crl_list.pem
>> /etc/opensips/example_certs/ProviderCertificate.cer
>>
>> Where example_pa.pem is the certificate used to sign the CRL of provider
>> certificates, and crl_list : the concatenation of both provider and CA
>> CRLs in PEM format.
>>
>> The second step involves a separate check to verify if the provider's
>> certificate is revoked :
>>
>> openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text |
>> grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer
>> -noout -serial | cut -d '=' -f 2)
>>
>> This will add extra processing time due to a double certificate
>> validation (run both by openssl and stir_shaken_verify) + reading CRLs
>> from disk.
>>
>> Given this situation, it would be highly beneficial if Opensips could
>> accommodate cases where revocation lists are signed with a different
>> certificate. This would not only simplify the verification process but also
>> improve compatibility for similar future scenarios (like a complex
>> certificate hierarchy).
>>
>> Suggestion :
>>
>> Consider adding an exported parameter, such as :
>>
>> modparam("stir_shaken", "crl_signing_certs", "/stir_certs/crl_signing_certs.pem")
>>
>> This parameter would allow users to specify a list of separate
>> certificates used to sign the CRLs, in cases where the CRLs and the
>> provider certificates are not signed by the same certificate.
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>
--
- Aron Podrigal
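The in-memory revocation check Mickael describes, in the two-signer layout Wadii describes, as an added example that is neither his script nor OpenSIPS code: a constructed CA issues the provider certificate while a separate PA certificate (issued by the CA) signs the CRL, and the check verifies the CRL against the PA key before trusting anything in it, then fills a dict in the shape shown in the thread. It assumes the `cryptography` package; all keys, names ("Test CA", "Test PA", "PROV00") and dates are constructed here.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2023, 8, 10)  # constructed "current time" for the fixture
FMT = "%Y%m%d%H%M%SZ"                 # date format used in the thread's dict

_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject_cn, issuer_cn, issuer_key, pubkey, days):  # constructed test cert
    return (x509.CertificateBuilder().subject_name(_name(subject_cn))
            .issuer_name(_name(issuer_cn)).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))

def build_fixture(revoke=True):
    """Constructed PKI: the CA issues the provider cert; a separate PA signs the CRL."""
    ca_key, pa_key, prov_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Test CA", "Test CA", ca_key, ca_key.public_key(), 3650)
    pa = _cert("Test PA", "Test CA", ca_key, pa_key.public_key(), 3650)
    prov = _cert("PROV00", "Test CA", ca_key, prov_key.public_key(), 365)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(pa.subject)
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    if revoke:
        crl = crl.add_revoked_certificate(x509.RevokedCertificateBuilder()
              .serial_number(prov.serial_number).revocation_date(NOW).build())
    return prov, ca, pa, crl.sign(pa_key, hashes.SHA256())

def check_provider_cert(cert, ca_cert, pa_cert, crl, now=NOW):
    """Dict in the thread's shape; ca_cert issued `cert`, pa_cert signed `crl`."""
    try:  # 1. the provider cert signature must chain to the CA (not to the PA)
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        sig_ok = True
    except Exception:
        sig_ok = False
    # 2. the CRL must verify against the PA key, or its contents cannot be trusted
    if not crl.is_signature_valid(pa_cert.public_key()):
        raise ValueError("CRL signature does not verify against the PA certificate")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return {"not_before": cert.not_valid_before.strftime(FMT),
            "not_after": cert.not_valid_after.strftime(FMT),
            "has_expired": now > cert.not_valid_after, "revoked": entry is not None,
            "valid": sig_ok and entry is None and now <= cert.not_valid_after,
            "revoked_date": entry.revocation_date.strftime(FMT) if entry else None}
```

Passing the CA certificate as `pa_cert` reproduces the single-signer assumption that breaks in the French setup: the CRL signature check fails instead of silently returning "not revoked".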
