[OpenSIPS-Users] Issue with CRL Validation in French STIR/SHAKEN Implementation

Podrigal, Aron aronp at guaranteedplus.com
Mon Sep 9 18:58:33 UTC 2024 

Hi

I think I am facing the same problem.


On Thu, Aug 10, 2023 at 4:46 AM Mickael Hubert <mickael at winlux.fr> wrote:

> Hi all,
> Thanks Wadii for your help (in private ;) )
> I developed a solution to check CRL in an external process (python script
> scheduled by AWX).
>
> My python script (download only in memory, not on disk)
> *For CA certificates:*
> - Download CA et intermediate certs
> - Download PA cert (pa cert is used to sign CRL)
> - Download CA CRL
> - Check if CA or intermediate cert are revoked
> - I use ansible (AWX) to write CA et intermediate certs into opensips disk
> - Ansible restart opensips only if CA or intermediate cert change
>
> *For provider certificate (BPCO):*
> - Download provider certificates that are in tar.gz (only in memory)
> - Uncompress tar.gz and create a dict with data (cert data, cert id,
> provider id)
> - Download CRL for provider certificates
> - Check all provider certificates signatures (not necessary, because
> opensips can do that for each call)
> - Check if cert is revoked
> - Extract metadata and add them to dict
> - Ansible parses this dict and push each line in mysql cache DB
> (sql_cacher module)
>
> Ex of dict:
> {
>   "126881e75888888": {
>     "provider_code": "PROV00",
>     "cert_data": "-----BEGIN CERTIFICATE-----.........\n-----END
> CERTIFICATE-----\n",
>     "not_before": "20230815220000Z",
>     "not_after": "20240814215959Z",
>     "has_expired": false,
>     "valid": false,
>     "revoked": true,
>     "revoked_date": "20230809151920Z"
>   }
> }
>
> Thanks to that, when call is processed by opensips, it gets in its cache
> the correct data, if revoked == true, force $rc = -7 (
> https://github.com/OpenSIPS/sipssert-opensips-tests/blob/1313d03b6ecd1972f9d2facf69116c418fb40399/stir-shaken/04.verify-200/stir_shaken_verify.cfg#L135)
> to send a correct error code 437 Unsupported Credential)
>
> Maybe that can help my french friends voip providers ;)
>
> Have a good day
>
>
> Le lun. 7 août 2023 à 09:29, Wadii ELMAJDI | Evenmedia <wadii at evenmedia.fr>
> a écrit :
>
>> Hello
>>
>>
>>
>> I have run into a problem with the STIR/SHAKEN verification process.
>>
>> In the French implementation of StirShaken, the CRL of the operator
>> certificates is signed with a certificate that is different from the one
>> used to sign providers certificates.
>> and in such case, OpenSSL does not allow in one command to validate the
>> entire certification chain.
>>
>> Also, OPENSIPS stirshaken module's stir_shaken_verify function fails to
>> validate providers certificate (with CRL Loaded)
>>
>>
>>
>> Error : certificate validation failed: unable to get certificate CRL
>>
>>
>>
>> For now, following the guidelines suggested by the French authority
>> handling STIR/SHAKEN, we are planning to implement a two-step approach to
>> check CRL before stir_shaken_verify kicks in (w/o CRL loaded)
>>
>> First, we verify the certification chain of the provider's certificate,
>> plus making sure CA’s certificates are not revoked. We do this using a
>> command like:
>>
>>
>>
>> openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted
>> /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all
>> -CRLfile /etc/opensips/example_certs/crl_list.pem
>> /etc/opensips/example_certs/ProviderCertificate.cer
>>
>>
>>
>> Where example_pa.pem is the certificate used to sign CRL of providers
>> certificates, and crl_list : the concatenation of both providers and CA’s
>> CRLs in PEM format.
>>
>> The second step involves a separate check to verify if the provider’s
>> certificate is revoked :
>>
>>
>>
>> openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text |
>> grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer
>> -noout -serial | cut -d '=' -f 2)
>>
>>
>>
>> This will add an extra processing time due to a double certification
>> validation (ran by both by openssl and stir_shaken_verify)  + reading crls
>> from disk.
>>
>>
>>
>> Given this situation, it would be highly beneficial if Opensips could
>> accommodate cases where revocation lists are signed with a different
>> certificate. This would not only simplify the verification process but also
>> improve compatibility for similar future scenarios (like a complex
>> certificate hierarchy)
>>
>>
>>
>> Suggestion :
>>
>>
>>
>> Consider adding an exported parameter, such as :
>>
>> modparam("stir_shaken", "crl_signing_certs",
>> "/stir_certs/crl_signing_certs.pem")
>>
>>
>>
>> This parameter would allow users to specify a list of separate
>> certificates used to sign the CRLs, in cases where the CRLs and the
>> provider certificates are not signed by the same certificate.
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>


-- 

-
Aron Podrigal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20240909/da10d329/attachment-0001.html>

More information about the Users mailing list