<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>In 3.1.5, when I try to use <span style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0,
0); background-color: rgb(255, 255, 255);"
class="ContentPasted0">stir_shaken_check_cert($var(cert))
without double quotes, it throws an error on the first INVITE after
restart:</span></p>
<p><span style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255,
255, 255);" class="ContentPasted0">ERROR:core:get_cmd_fixups:
Variable in param [1] is not a string<br>
ERROR:core:do_action: Failed to get fixups for command
&lt;stir_shaken_check_cert&gt;<br>
</span></p>
<p>So I am using stir_shaken_check_cert("$var(cert)"), but it does
not seem to make any difference.</p>
<p><br>
</p>
<p>I tried your config for cert management and got the certificate in
xlog, but verification still fails.</p>
<p>I guess I'll try to upgrade to 3.1.11.</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 1/5/2023 4:40 PM, Joseph Jackson
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CY8PR17MB62608B71E23A5607AB18EC33DBFA9@CY8PR17MB6260.namprd17.prod.outlook.com">
<div class="elementToProof"><span style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);">We have it
slightly different but otherwise close to yours
<br>
</span></div>
<div class="elementToProof"><span style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
<div class="elementToProof"><span style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"
class="ContentPasted0"><pre>cache_fetch("local", $identity(x5u), $var(cert));
if (!stir_shaken_check_cert($var(cert))) {
    xlog("--[$ci] STI Getting a fresh certificate, existing one doesn't exist or is invalid\n");

    $var(rc) = rest_get($identity(x5u), $var(cert));

    if ($var(rc) &lt; 0) {
        xlog("--[$ci] STI Failed to get the certificate\n");
        send_reply(436, "Bad Identity Info");
        exit;
    }

    xlog("--[$ci] STI got certificate[$var(cert)]\n");

    cache_store("local", $identity(x5u), $var(cert));
} else {
    xlog("--[$ci] Using cached certificate\n");
}
</pre></span></div>
<div class="elementToProof"><span style="font-family: Calibri,
Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
0, 0); background-color: rgb(255, 255, 255);"><br>
</span></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b> Users
<a class="moz-txt-link-rfc2396E" href="mailto:users-bounces@lists.opensips.org">&lt;users-bounces@lists.opensips.org&gt;</a> on behalf of Marcin
Groszek <a class="moz-txt-link-rfc2396E" href="mailto:marcin@voipplus.net">&lt;marcin@voipplus.net&gt;</a><br>
<b>Sent:</b> Thursday, January 5, 2023 4:19 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:users@lists.opensips.org">&lt;users@lists.opensips.org&gt;</a><br>
<b>Subject:</b> Re: [OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Thank you very much. I have the same file, and verification
is still failing. Perhaps my config:</p>
<p><br>
</p>
<pre>$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc &lt; 0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc &lt; 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason) \n");
    send_reply($var(err_sip_code), $var(err_sip_reason));
    exit;
}
</pre>
<p><br>
</p>
<p>I figured this much: <br>
</p>
<p>$var(cert) is the public certificate downloaded from
$identity(x5u); if it does not exist in the local cache it gets
pulled and stored.</p>
<p>stir_shaken_check_cert("$var(cert)") is generating these
errors:<br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse certificate<br>
ERROR:stir_shaken:w_stir_check_cert: Failed to load
certificate (because the entry does not exist in the local
cachedb)</p>
<p>This forces the download of the public cert from
$identity(x5u) and stores it in the local cachedb.<br>
</p>
<p>The second attempt does not generate these errors; however, calls
with a different Identity header and URL for the public cert should
generate the same errors again, as the public cert from the new URL is
not in the local cachedb, but it is NOT generating the same error.</p>
<p>Also, I have reduced the cache_store lifetime down to 1 second, and
after that a second call with the same $identity(x5u) should generate
the same errors, but it does not.</p>
<p>An example on the shaken-not-stirred page has: <br>
</p>
<pre class="x_wp-block-preformatted">rest_get( "$identity(x5u)", "$var(cert)",
$var(ctype), $var(http_rc));</pre>
<p>but this fails at start-up with the error ERROR:core:fix_cmd:
Param [2] expected to be a variable, so I removed the double
quotes from around $var(cert).</p>
<p><br>
</p>
<p><br>
</p>
<div class="x_moz-cite-prefix">On 1/5/2023 1:18 PM, Joseph
Jackson wrote:<br>
</div>
<blockquote type="cite">
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">Hi Marcin,</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">I suspect you are
correct that it's how you are decoding the CA cert file
from iconectiv.</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
Attached is what we have currently and it works in our
production environment.</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">If the mailing list strips
out that attachment, let me know. You can reach me
directly at
<a class="x_moz-txt-link-abbreviated"
href="mailto:jjackson@aninetworks.net"
moz-do-not-send="true">jjackson@aninetworks.net</a></span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">Joseph</span></div>
<div class="x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Users
<a class="x_moz-txt-link-rfc2396E"
href="mailto:users-bounces@lists.opensips.org"
moz-do-not-send="true">
&lt;users-bounces@lists.opensips.org&gt;</a> on behalf
of Marcin Groszek <a class="x_moz-txt-link-rfc2396E"
href="mailto:marcin@voipplus.net" moz-do-not-send="true">
&lt;marcin@voipplus.net&gt;</a><br>
<b>Sent:</b> Thursday, January 5, 2023 10:16 AM<br>
<b>To:</b> <a class="x_moz-txt-link-abbreviated"
href="mailto:users@lists.opensips.org"
moz-do-not-send="true">
users@lists.opensips.org</a> <a
class="x_moz-txt-link-rfc2396E"
href="mailto:users@lists.opensips.org"
moz-do-not-send="true">
&lt;users@lists.opensips.org&gt;</a><br>
<b>Subject:</b> Re: [OpenSIPS-Users] stir shaken
verification</font>
<div> </div>
</div>
<div>
<p>Joseph, thank you very much for your response.</p>
<p><br>
</p>
<p>I have downloaded and applied the new sti-ca file, but
certificate validation fails.</p>
<p>INFO:stir_shaken:verify_callback: certificate validation
failed: certificate signature failure<br>
INFO:stir_shaken:w_stir_verify: Invalid certificate<br>
DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
[1637] stir_shaken_verify() failed: 437, Unsupported
Credential</p>
<p><br>
</p>
<p>Perhaps I am not processing the sti-ca file properly.</p>
<p><br>
</p>
<p>I am testing this with a valid token; in fact the test calls
are coming from a major cellular carrier in the US, and the
verification fails.</p>
<p>I can see curl download the public cert, store it in the
local cache and then attempt to verify, but it fails.</p>
<p>Upon the next call with the same token, the public cert is
pulled from the local cache and it still fails.</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="x_x_moz-cite-prefix">On 1/4/2023 7:37 PM, Joseph
Jackson wrote:<br>
</div>
<blockquote type="cite">
<div class="x_x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">Hi Marcin,</span></div>
<div class="x_x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">We have a process
that downloads the CA list from iconectiv nightly,
decodes the jwt and stores the certs in a single file
in /etc/ssl/sti-ca/sti-ca.pem</span></div>
<div class="x_x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">Here is the
opensips modparam</span></div>
<div class="x_x_elementToProof"><span
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_x_elementToProof"><span
class="x_x_ContentPasted0"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><pre>#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")
</pre>
</span></div>
<div class="x_x_elementToProof"><span
class="x_x_ContentPasted0"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)">This is on opensips
v3.1.11</span></div>
<div class="x_x_elementToProof"><span
class="x_x_ContentPasted0"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<div class="x_x_elementToProof"><span
class="x_x_ContentPasted0"
style="font-family:Calibri,Arial,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0);
background-color:rgb(255,255,255)"><br>
</span></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> Users
<a class="x_x_moz-txt-link-rfc2396E"
href="mailto:users-bounces@lists.opensips.org"
moz-do-not-send="true">
&lt;users-bounces@lists.opensips.org&gt;</a> on
behalf of Marcin Groszek <a
class="x_x_moz-txt-link-rfc2396E"
href="mailto:marcin@voipplus.net"
moz-do-not-send="true">
&lt;marcin@voipplus.net&gt;</a><br>
<b>Sent:</b> Wednesday, January 4, 2023 6:12 PM<br>
<b>To:</b> <a class="x_x_moz-txt-link-abbreviated"
href="mailto:users@lists.opensips.org"
moz-do-not-send="true">
users@lists.opensips.org</a> <a
class="x_x_moz-txt-link-rfc2396E"
href="mailto:users@lists.opensips.org"
moz-do-not-send="true">
&lt;users@lists.opensips.org&gt;</a><br>
<b>Subject:</b> [OpenSIPS-Users] stir shaken
verification</font>
<div> </div>
</div>
<div>
<p>Opensips version 3.1.5<br>
</p>
<p>I am having some issues with the stir_shaken setup. I am
sure this is not an issue with the module, but with me.<br>
</p>
<p><code class="x_x_x_function">stir_shaken_auth</code> works
just fine and I am able to sign the calls; however, I was
unable to find any document on how to use the CA file
available for download at iconectiv/download-list as well
as via API. They do come in as a JWT file, but after a
little manipulation the individual certificates can be
extracted; the first one is the root certificate, I think,
and the rest are trusted STI-CAs. I guess my question is how
do I use this file, or any other cert file, as "ca_list"
and/or "ca_dir".<br>
</p>
<p>After weeks and hundreds of attempts I was unsuccessful,
and I was unable to locate any document explaining the
preparation/setup steps needed to set up verification.<br>
</p>
<p>All I get is : <br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse
certificate<br>
ERROR:stir_shaken:w_stir_verify: Failed to load
certificate<br>
on INVITE with valid identity header.<br>
</p>
<p>When I remove the "ca_list" file or replace it with
something bogus, opensips does not even start, with these
errors:</p>
<p>ERROR:stir_shaken:init_cert_validation: Failed to
load trustefd CAs<br>
ERROR:core:init_mod: failed to initialize module
stir_shaken</p>
<p>I would really appreciate some guidance on this one.</p>
<p><br>
</p>
</div>
<br>
<fieldset class="x_x_mimeAttachmentHeader"></fieldset>
<pre class="x_x_moz-quote-pre">_______________________________________________
Users mailing list
<a class="x_x_moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a class="x_x_moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre class="x_x_moz-signature" cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a class="x_x_moz-txt-link-freetext" href="https://www.voipplus.net" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
<pre class="x_moz-signature" cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a class="x_moz-txt-link-freetext" href="https://www.voipplus.net" moz-do-not-send="true">https://www.voipplus.net</a></pre>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Best Regards:
Marcin Groszek
Business Phone Service
<a class="moz-txt-link-freetext" href="https://www.voipplus.net">https://www.voipplus.net</a></pre>
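<p>The thread above points at the iconectiv CA-list file, which is delivered as a JWT, as the likely cause of the "certificate signature failure" during verification. The script below is an added example and is not code from the thread, from OpenSIPS or from iconectiv. It decodes such a token, refuses unsigned (alg "none") tokens and expired lists, normalises every entry into a strict PEM block, drops duplicates, and returns the text to write to the file named in modparam("stir_shaken", "ca_list", ...). It assumes the certificates sit in a "trustList" array claim of the payload (the claim name is taken from ATIS-1000080 and should be checked against the real download) and that the token is ES256-signed. It does not verify the token signature, which needs a library outside the Python standard library; verify the signature against the STI-PA certificate before installing the bundle. make_sample_jwt() builds constructed test input with a dummy signature and a dummy DER-shaped body, so its output is not a real certificate.</p>

```python
"""Turn an STI-PA CA-list JWT into a PEM bundle for OpenSIPS "ca_list".

Added example; not code from the thread, from OpenSIPS or from iconectiv.
Assumptions (check them against the real download):
  - certificates are in a "trustList" array claim of the payload
    (claim name taken from ATIS-1000080);
  - the list is ES256-signed. The signature is NOT verified here; do that
    against the STI-PA certificate before installing the bundle.
"""
import base64
import json
import re
import time
from typing import Dict, List, Optional, Tuple

_B64_BODY = re.compile(r"^[A-Za-z0-9+/=]+$")
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _b64url_decode(s: str) -> bytes:
    """JWT segments are unpadded base64url; restore the padding first."""
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict, bytes]:
    """Split a compact JWS into header, payload and raw signature bytes.

    Structural checks only: rejects alg 'none' / empty signatures and any
    alg other than ES256. The signature value itself is not checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    sig = _b64url_decode(parts[2])
    alg = str(header.get("alg", "none"))
    if alg.lower() == "none" or not sig:
        raise ValueError("unsigned CA list rejected")
    if alg != "ES256":
        raise ValueError("unexpected alg %r" % alg)
    return header, payload, sig


def to_pem(entry: str) -> str:
    """Normalise one entry (bare base64 or loosely formatted PEM) to strict PEM."""
    body = entry.replace(PEM_BEGIN, "").replace(PEM_END, "")
    body = "".join(body.split())  # drop every newline, CR and space
    if not body or not _B64_BODY.match(body):
        raise ValueError("certificate body is not base64")
    der = base64.b64decode(body, validate=True)
    # An X.509 certificate is a DER SEQUENCE (tag 0x30); reject anything else.
    if not der or der[0] != 0x30:
        raise ValueError("decoded entry is not a DER SEQUENCE")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return PEM_BEGIN + "\n" + "\n".join(lines) + "\n" + PEM_END + "\n"


def extract_trust_list(payload: Dict, now: Optional[float] = None) -> List[str]:
    """Return the de-duplicated PEM blocks of an unexpired CA list."""
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None or now >= float(exp):
        raise ValueError("CA list is expired or carries no exp claim")
    entries = payload.get("trustList")  # assumed claim name, see module docstring
    if not isinstance(entries, list) or not entries:
        raise ValueError("payload has no trustList array")
    pems: List[str] = []
    for entry in entries:
        pem = to_pem(entry)
        if pem not in pems:
            pems.append(pem)
    return pems


def build_ca_bundle(token: str, now: Optional[float] = None) -> str:
    """Text to write to the file named in modparam("stir_shaken", "ca_list")."""
    _, payload, _ = decode_jwt_unverified(token)
    return "".join(extract_trust_list(payload, now))


# ---- constructed sample input: not a real certificate, not a real signature ----
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# SEQUENCE tag plus a long-form length, then filler, so the DER check passes.
FAKE_DER = bytes([0x30, 0x82, 0x00, 0x10]) + b"\x00" * 16
FAKE_B64 = base64.b64encode(FAKE_DER).decode()


def make_sample_jwt(alg: str = "ES256", trust_list: Optional[List[str]] = None,
                    exp: Optional[int] = None) -> str:
    """Build a token with a dummy signature to exercise the parser."""
    header = {"alg": alg, "typ": "JWT"}
    payload = {"version": "1.0", "sequence": 1,
               "exp": int(time.time()) + 3600 if exp is None else exp,
               "trustList": [FAKE_B64] if trust_list is None else trust_list}
    sig = b"" if alg == "none" else b"\x00" * 64
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(sig)])


if __name__ == "__main__":
    print(build_ca_bundle(make_sample_jwt()), end="")
```

<p>Redirect the output to the path given as "ca_list" and restart OpenSIPS; the thread shows the module loads that file at start-up and refuses to start on a broken one, so a bundle that fails to parse surfaces immediately rather than as a per-call "Failed to parse certificate".</p>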
</body>
</html>