[OpenSIPS-Users] Issue with CRL Validation in French STIR/SHAKEN Implementation

Mickael Hubert mickael at winlux.fr
Thu Aug 10 09:45:52 UTC 2023

Hi all,
Thanks Wadii for your help (in private ;) )
I developed a solution to check the CRL in an external process (a Python script
scheduled by AWX).

My Python script (downloads everything in memory only, nothing on disk)
*For CA certificates:*
- Download CA and intermediate certs
- Download PA cert (the PA cert is used to sign the CRL)
- Download CA CRL
- Check if the CA or intermediate certs are revoked
- I use Ansible (AWX) to write the CA and intermediate certs onto the OpenSIPS disk
- Ansible restarts OpenSIPS only if a CA or intermediate cert changes

*For provider certificates (BPCO):*
- Download the provider certificates, which come in a tar.gz (only in memory)
- Uncompress the tar.gz and create a dict with the data (cert data, cert id,
provider id)
- Download the CRL for provider certificates
- Check all provider certificates' signatures (not necessary, because
OpenSIPS can do that for each call)
- Check if the cert is revoked
- Extract metadata and add it to the dict
- Ansible parses this dict and pushes each line into the MySQL cache DB (sql_cacher)

Example of the dict:
  "126881e75888888": {
    "provider_code": "PROV00",
    "cert_data": "-----BEGIN CERTIFICATE-----.........\n-----END
    "not_before": "20230815220000Z",
    "not_after": "20240814215959Z",
    "has_expired": false,
    "valid": false,
    "revoked": true,
    "revoked_date": "20230809151920Z"

Thanks to that, when a call is processed by OpenSIPS, it gets the correct data
from its cache; if revoked == true, $rc is forced to -7 (to send the correct
error code, 437 Unsupported Credential).

Maybe that can help my French friends at VoIP providers ;)

Have a good day

On Mon, 7 Aug 2023 at 09:29, Wadii ELMAJDI | Evenmedia <wadii at evenmedia.fr>
wrote:

> Hello
> I have run into a problem with the STIR/SHAKEN verification process.
> In the French implementation of STIR/SHAKEN, the CRL of the operator
> certificates is signed with a certificate that is different from the one
> used to sign providers' certificates,
> and in such a case OpenSSL does not allow validating the entire
> certification chain in one command.
> Also, the OpenSIPS stir_shaken module's stir_shaken_verify function fails to
> validate providers' certificates (with the CRL loaded).
> Error: certificate validation failed: unable to get certificate CRL
> For now, following the guidelines suggested by the French authority
> handling STIR/SHAKEN, we are planning to implement a two-step approach to
> check the CRL before stir_shaken_verify kicks in (w/o CRL loaded).
> First, we verify the certification chain of the provider's certificate,
> plus make sure the CA's certificates are not revoked. We do this using a
> command like:
> openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted
> /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all
> -CRLfile /etc/opensips/example_certs/crl_list.pem
> /etc/opensips/example_certs/ProviderCertificate.cer
> where example_pa.pem is the certificate used to sign the CRL of providers'
> certificates, and crl_list is the concatenation of both the providers' and
> the CA's CRLs in PEM format.
> The second step involves a separate check to verify whether the provider's
> certificate is revoked:
> openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text |
> grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer
> -noout -serial | cut -d '=' -f 2)
> This will add extra processing time due to a double certificate
> validation (run by both openssl and stir_shaken_verify) + reading CRLs
> from disk.
> Given this situation, it would be highly beneficial if OpenSIPS could
> accommodate cases where revocation lists are signed with a different
> certificate. This would not only simplify the verification process but also
> improve compatibility for similar future scenarios (like a complex
> certificate hierarchy).
> Suggestion:
> Consider adding an exported parameter, such as:
> modparam("stir_shaken", "crl_signing_certs",
> "/stir_certs/crl_signing_certs.pem")
> This parameter would allow users to specify a list of separate
> certificates used to sign the CRLs, in cases where the CRLs and the
> provider certificates are not signed by the same certificate.
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
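Added example (my own code, not Mickael's AWX script and not anything from the OpenSIPS project) that puts the two points of this thread into one runnable script: Wadii's observation that the provider CRL is signed by the PA certificate rather than by the CA that issued the provider certificates, and Mickael's per-certificate dict (same keys and timestamp format) that ends up in sql_cacher. It uses the third-party 'cryptography' package; the CA, PA, provider certificates and the CRL are generated in memory as constructed fixtures, so the names (Test CA, PROV00, PROV01), serials, dates and the meaning of "valid" are my assumptions. The revocation lookup is an exact serial match, which avoids the substring hit a bare grep over the CRL text can produce when one serial is a suffix of another.

```python
"""Check provider certs against a CRL signed by a separate PA cert and build the
per-cert dict pushed to sql_cacher.  Added example, not the poster's script; all
keys, certs and the CRL are constructed in memory (no real French CA/PA material)."""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2023, 8, 10, 9, 45, 52)          # constructed "now" (naive UTC)
REVOKED_AT = dt.datetime(2023, 8, 9, 15, 19, 20)   # constructed revocation time


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(cn, issuer, issuer_key, pub, is_ca, serial):
    """Mint a throwaway test certificate (the real ones come from the CA/PA)."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(issuer).public_key(pub)
            .serial_number(serial)
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=364))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_fixtures():
    """The CA issues the provider certs; a distinct PA cert (own key) signs the CRL."""
    ca_key, pa_key, prov_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _cert("Test CA", _name("Test CA"), ca_key, ca_key.public_key(), True, 1)
    pa = _cert("Test PA (CRL signer)", ca.subject, ca_key, pa_key.public_key(), False, 2)
    good = _cert("PROV00", ca.subject, ca_key, prov_key.public_key(), False, 0x1001)
    bad = _cert("PROV01", ca.subject, ca_key, prov_key.public_key(), False, 0x1002)
    entry = (x509.RevokedCertificateBuilder().serial_number(bad.serial_number)
             .revocation_date(REVOKED_AT).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(pa.subject)          # issuer is the PA, not the certs' CA
           .last_update(NOW - dt.timedelta(hours=1))
           .next_update(NOW + dt.timedelta(days=7))
           .add_revoked_certificate(entry)
           .sign(pa_key, hashes.SHA256()))
    return ca, pa, crl, [good, bad]


def _naive_utc(obj, field):
    """Read a time field on old or new cryptography (newer *_utc props are tz-aware)."""
    value = getattr(obj, field + "_utc", None) or getattr(obj, field)
    return value.astimezone(dt.timezone.utc).replace(tzinfo=None) if value.tzinfo else value


def _stamp(d):
    return d.strftime("%Y%m%d%H%M%SZ")   # same GeneralizedTime-style text as the poster's dict


def crl_signed_by(crl, cert):
    """True only if the CRL names this cert as its issuer AND its signature verifies."""
    return crl.issuer == cert.subject and crl.is_signature_valid(cert.public_key())


def provider_status(cert, ca, pa, crl, now=NOW):
    """Build the poster's per-certificate dict; refuse if the CRL itself is untrustworthy."""
    if not crl_signed_by(crl, pa):
        raise ValueError("CRL is not signed by the expected PA certificate")
    if _naive_utc(crl, "next_update") < now:
        raise ValueError("CRL is stale; do not base revocation decisions on it")
    chain_ok = cert.issuer == ca.subject   # the signature check OpenSIPS repeats per call
    if chain_ok:
        try:
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            chain_ok = False
    nb, na = _naive_utc(cert, "not_valid_before"), _naive_utc(cert, "not_valid_after")
    expired = not nb <= now <= na
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)  # exact match
    status = {
        "provider_code": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "not_before": _stamp(nb), "not_after": _stamp(na),
        "has_expired": expired,
        "valid": chain_ok and not expired and entry is None,   # assumed meaning of "valid"
        "revoked": entry is not None,
    }
    if entry is not None:
        status["revoked_date"] = _stamp(_naive_utc(entry, "revocation_date"))
    return status


def check_all(certs, ca, pa, crl, now=NOW):
    """Key by hex serial (stand-in for the poster's cert id): one row per sql_cacher entry."""
    return {format(c.serial_number, "x"): provider_status(c, ca, pa, crl, now) for c in certs}
```

Run it with `ca, pa, crl, certs = build_fixtures(); print(check_all(certs, ca, pa, crl))`: PROV00 comes out with revoked false, PROV01 with revoked true and revoked_date 20230809151920Z, and `crl_signed_by(crl, ca)` is False, which is exactly the mismatch that makes a CA-only trust store report "unable to get certificate CRL". The CRL is accepted only after both its issuer name and signature are checked against the PA cert, and a CRL past next_update is rejected rather than silently treated as "nothing revoked". Mapping revoked == true to $rc = -7 / 437 stays in the OpenSIPS route script, as Mickael describes.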