[OpenSIPS-Users] stir shaken verification

Marcin Groszek marcin at voipplus.net
Thu Jan 5 23:23:58 UTC 2023 

in 3.1.5 when I try to use stir_shaken_check_cert($var(cert)) without 
double quotes it trows an error on first INVITE after restart:

ERROR:core:get_cmd_fixups: Variable in param [1] is not a string
ERROR:core:do_action: Failed to get fixups for command 
<stir_shaken_check_cert>

So I am using stir_shaken_check_cert("$var(cert)") , but it does not 
seam to make any deference.


I attempted your config for cert management, got certificate in xlog, 
but verification still fails.

I guess, I'll try to upgrade to 3.1.11


On 1/5/2023 4:40 PM, Joseph Jackson wrote:
> We have it slightly different but otherwise close to yours
>
>     cache_fetch("local", $identity(x5u), $var(cert));
>     if (!stir_shaken_check_cert($var(cert))) {
> xlog("--[$ci] STI Getting a fresh certificate, existing one doesn't 
> exist or is invalid\n");
>
>         $var(rc) = rest_get($identity(x5u), $var(cert));
>
>         if ($var(rc) < 0) {
> xlog("--[$ci] STI Failed to get the certificate\n");
> send_reply(436, "Bad Identity Info");
>             exit;
>         }
>
> xlog("--[$ci] STI got certificate[$var(cert)]\n");
>
> cache_store("local", $identity(x5u), $var(cert));
>     } else {
>
> xlog("--[$ci] Using cached certificate\n");
>
>     }
>
>
> ------------------------------------------------------------------------
> *From:* Users <users-bounces at lists.opensips.org> on behalf of Marcin 
> Groszek <marcin at voipplus.net>
> *Sent:* Thursday, January 5, 2023 4:19 PM
> *To:* users at lists.opensips.org <users at lists.opensips.org>
> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>
> Thank you very much. I have the same file, and verification is still 
> failing. Perhaps  my config:
>
>
> $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>     rest_get( "$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
>     if ($rc<0 || $var(http_rc) != 200) {
>         send_reply(436, "Bad Identity Info");
>         exit;
>     }
>     cache_store("local", $identity(x5u), $var(cert), 60);
> }
>
> stir_shaken_verify( "$var(cert)", $var(err_sip_code), 
> $var(err_sip_reason));
> if ($rc < 0) {
>     xlog("stir_shaken_verify() failed: $var(err_sip_code), 
> $var(err_sip_reason) \n");
>     send_reply( $var(err_sip_code), $var(err_sip_reason));
>     exit;
> }
>
>
> I figured this much:
>
> $var(cert) is a public certificate downloaded from $identity(x5u), if 
> it does not exists in local cache it gets pulled and stored,
>
> stir_shaken_check_cert("$var(cert)") is generating these errors:
>
> ERROR:stir_shaken:load_cert: Failed to parse certificate
> ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate ( 
> because the entry does not exists in local cashdb)
>
> this forces the download of the public cert from $identity(x5u) and 
> store in local cashdb
>
> second attempt does not generate this errors, however calls with 
> deferent identity header and url for public cert should generate same 
> errors again as the public cert from new url is not in local cashdb, 
> but it is NOT generating same error.
>
> Also, I have minimize cache_store  down to 1 second and after that 
> second call with same $identity(x5u) should generate same errors , but 
> it is not.
>
> an example at shaken-not-stirred page have :
>
> rest_get( "$identity(x5u)", "$var(cert)",
>          $var(ctype), $var(http_rc));
>
> but this fails a start-up with error ERROR:core:fix_cmd: Param [2] 
> expected to be a variable so I removed the double quotes from around 
> $var(cert) .
>
>
>
> On 1/5/2023 1:18 PM, Joseph Jackson wrote:
>> Hi Marcin,
>>
>> I suspect you are correct that its how you are decoding the ca cert 
>> file from iconectiv.
>>
>> attached is what we have currently and it works in our production 
>> enviroment.
>>
>> If the maillist strips out that attachment let me know.  You can 
>> reach me directly at jjackson at aninetworks.net 
>> <mailto:jjackson at aninetworks.net>
>>
>> Joseph
>>
>> ------------------------------------------------------------------------
>> *From:* Users <users-bounces at lists.opensips.org> 
>> <mailto:users-bounces at lists.opensips.org> on behalf of Marcin Groszek 
>> <marcin at voipplus.net> <mailto:marcin at voipplus.net>
>> *Sent:* Thursday, January 5, 2023 10:16 AM
>> *To:* users at lists.opensips.org <mailto:users at lists.opensips.org> 
>> <users at lists.opensips.org> <mailto:users at lists.opensips.org>
>> *Subject:* Re: [OpenSIPS-Users] stir shaken verification
>>
>> Joseph, Thank you very much for your respond.
>>
>>
>> I have downloaded and apply new sti-ca file but certificate 
>> validation fails.
>>
>> INFO:stir_shaken:verify_callback: certificate validation failed: 
>> certificate signature failure
>> INFO:stir_shaken:w_stir_verify: Invalid certificate
>> DBG:core:comp_scriptvar: int 26 : -8 / 0
>> [1637] stir_shaken_verify() failed: 437, Unsupported Credential
>>
>>
>> Perhaps I am not processing the sti-ca file properly.
>>
>>
>> I am testing this with a valid token , in fact test calls are coming 
>> from major cellular carrier in US and the verification fails.
>>
>> I can see curl download the public cert, storing it in local cache 
>> and then attempt to verify, but it fails.
>>
>> Upon next call with same token, the public cert is pulled from local 
>> cache and still fails.
>>
>>
>>
>>
>> On 1/4/2023 7:37 PM, Joseph Jackson wrote:
>>> Hi Marcin,
>>>
>>> We have a process that downloads the CA list from iconectiv nightly, 
>>> decodes the jwt and stores the certs in a single file in 
>>> /etc/ssl/sti-ca/sti-ca.pem
>>>
>>> Here is the opensips modparam
>>>
>>> #stir and shaken
>>> loadmodule "stir_shaken.so"
>>> modparam("stir_shaken", "verify_date_freshness", 300)
>>> modparam("stir_shaken", "auth_date_freshness", 300)
>>> modparam("stir_shaken", "e164_strict_mode", 0)
>>> #list of root certs for stir / shaken verification
>>> modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
>>>
>>> This is on opensips v3.1.11
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Users <users-bounces at lists.opensips.org> 
>>> <mailto:users-bounces at lists.opensips.org> on behalf of Marcin 
>>> Groszek <marcin at voipplus.net> <mailto:marcin at voipplus.net>
>>> *Sent:* Wednesday, January 4, 2023 6:12 PM
>>> *To:* users at lists.opensips.org <mailto:users at lists.opensips.org> 
>>> <users at lists.opensips.org> <mailto:users at lists.opensips.org>
>>> *Subject:* [OpenSIPS-Users] stir shaken verification
>>>
>>> Opensips version 3.1.5
>>>
>>> I am having some issues with stir_shaken setup. I am sure this not 
>>> an issue with the module, but me.
>>>
>>> |stir_shaken_auth works just fine and I am able to sign the calls, 
>>> however I was unable to find any document how to use a ca file 
>>> available for download at iconectiv/download-list as well as via 
>>> API. They do come in as jwt file, but after little manipulation 
>>> individual certificates can be extracted, and the first one is the 
>>> root certificate; I think, and the rest are trusted STI-CA. ||I 
>>> guess my question is how do I use this file or any other cert file 
>>> as |"ca_list" and/or "ca_dir" .
>>>
>>> After weeks and hundreds attempts I was unsuccessful, and I was 
>>> unable to locate any document explaining preparation/setup/steps to 
>>> setup verification.
>>>
>>> All I get is :
>>>
>>> ERROR:stir_shaken:load_cert: Failed to parse certificate
>>> ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>>> on INVITE with valid identity header.
>>>
>>> When I remove or replace  "ca_list" file with something bogus 
>>> opensips does not even start  with errors:
>>>
>>> ERROR:stir_shaken:init_cert_validation: Failed to load trustefd CAs
>>> ERROR:core:init_mod: failed to initialize module stir_shaken
>>>
>>> I would really appreciate some guidance on this one.
>>>
>>>
>>> ||
>>>
>>> ||
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opensips.org  <mailto:Users at lists.opensips.org>
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>> -- 
>> Best Regards:
>> Marcin Groszek
>> Business Phone Service
>> https://www.voipplus.net
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org  <mailto:Users at lists.opensips.org>
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> -- 
> Best Regards:
> Marcin Groszek
> Business Phone Service
> https://www.voipplus.net
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users

-- 
Best Regards:
Marcin Groszek
Business Phone Service
https://www.voipplus.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230105/14262200/attachment-0001.html>

More information about the Users mailing list