<div dir="auto">Is <span style="word-spacing:1px;color:rgb(49,49,49)">$var(cert) actually set? Print it out</span></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 5 Jan 2023 at 23:19, Marcin Groszek <<a href="mailto:marcin@voipplus.net">marcin@voipplus.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>Thank you very much. I have the same file, and verification is
still failing. Perhaps my config:</p>
<p><br>
</p>
<p>$var(found) = cache_fetch("local", $identity(x5u), $var(cert));<br>
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {<br>
rest_get( "$identity(x5u)", $var(cert), $var(ctype),
$var(http_rc));<br>
if ($rc<0 || $var(http_rc) != 200) {<br>
send_reply(436, "Bad Identity Info");<br>
exit;<br>
}<br>
cache_store("local", $identity(x5u), $var(cert), 60);<br>
}<br>
<br>
stir_shaken_verify( "$var(cert)", $var(err_sip_code),
$var(err_sip_reason));<br>
if ($rc < 0) {<br>
xlog("stir_shaken_verify() failed: $var(err_sip_code),
$var(err_sip_reason) \n");<br>
send_reply( $var(err_sip_code), $var(err_sip_reason));<br>
exit;<br>
}<br>
</p>
<p><br>
</p>
<p>I figured this much: <br>
</p>
<p>$var(cert) is a public certificate downloaded from
$identity(x5u), if it does not exists in local cache it gets
pulled and stored,</p>
<p>stir_shaken_check_cert("$var(cert)") is generating these errors:<br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse certificate<br>
ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate (
because the entry does not exists in local cashdb)</p>
<p>this forces the download of the public cert from $identity(x5u)
and store in local cashdb<br>
</p>
<p>second attempt does not generate this errors, however calls with
deferent identity header and url for public cert should generate
same errors again as the public cert from new url is not in local
cashdb, but it is NOT generating same error.</p>
<p>Also, I have minimize cache_store down to 1 second and after
that second call with same $identity(x5u) should generate same
errors , but it is not.</p>
<p>an example at shaken-not-stirred page have : <br>
</p>
<pre style="font-family:monospace">rest_get( "$identity(x5u)", "$var(cert)",
$var(ctype), $var(http_rc));</pre>
<p>but this fails a start-up with error ERROR:core:fix_cmd: Param
[2] expected to be a variable so I removed the double quotes from
around $var(cert) .</p></div><div>
<p><br>
</p>
<p><br>
</p>
<div>On 1/5/2023 1:18 PM, Joseph Jackson
wrote:<br>
</div>
<blockquote type="cite">
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi Marcin,</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">I suspect you
are correct that its how you are decoding the ca cert file
from iconectiv.</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
attached is what we have currently and it works in our
production enviroment.</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">If the maillist
strips out that attachment let me know. You can reach me
directly at <a href="mailto:jjackson@aninetworks.net" target="_blank" style="font-family:Calibri,Arial,Helvetica,sans-serif">jjackson@aninetworks.net</a></span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Joseph</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_7204651923108459797divRplyFwdMsg" dir="ltr"><font style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)" face="Calibri, sans-serif"><b style="font-family:Calibri,sans-serif">From:</b> Users
<a href="mailto:users-bounces@lists.opensips.org" target="_blank" style="font-family:Calibri,sans-serif"><users-bounces@lists.opensips.org></a> on behalf of Marcin
Groszek <a href="mailto:marcin@voipplus.net" target="_blank" style="font-family:Calibri,sans-serif"><marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b> Thursday, January 5, 2023 10:16 AM<br>
<b style="font-family:Calibri,sans-serif">To:</b> <a href="mailto:users@lists.opensips.org" target="_blank" style="font-family:Calibri,sans-serif">users@lists.opensips.org</a>
<a href="mailto:users@lists.opensips.org" target="_blank" style="font-family:Calibri,sans-serif"><users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b> Re: [OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Joseph, Thank you very much for your respond.</p>
<p><br>
</p>
<p>I have downloaded and apply new sti-ca file but certificate
validation fails.</p>
<p>INFO:stir_shaken:verify_callback: certificate validation
failed: certificate signature failure<br>
INFO:stir_shaken:w_stir_verify: Invalid certificate<br>
DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
[1637] stir_shaken_verify() failed: 437, Unsupported
Credential</p>
<p><br>
</p>
<p>Perhaps I am not processing the sti-ca file properly.</p>
<p><br>
</p>
<p>I am testing this with a valid token , in fact test calls are
coming from major cellular carrier in US and the verification
fails.</p>
<p>I can see curl download the public cert, storing it in local
cache and then attempt to verify, but it fails.</p>
<p>Upon next call with same token, the public cert is pulled
from local cache and still fails.</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div>On 1/4/2023 7:37 PM, Joseph
Jackson wrote:<br>
</div>
<blockquote type="cite">
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Hi Marcin,</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">We have a process that
downloads the CA list from iconectiv nightly, decodes the
jwt and stores the certs in a single file in
/etc/ssl/sti-ca/sti-ca.pem</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">Here is the opensips
modparam</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">#stir and shaken
<div style="font-family:Calibri,Arial,Helvetica,sans-serif">loadmodule
"stir_shaken.so"</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif">modparam("stir_shaken",
"verify_date_freshness", 300)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif">modparam("stir_shaken",
"auth_date_freshness", 300)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif">modparam("stir_shaken",
"e164_strict_mode", 0)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif">#list of
root certs for stir / shaken verification</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif">modparam("stir_shaken",
"ca_list", "/etc/ssl/sti-ca/sti-ca.pem")</div>
<br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)">This is on opensips
v3.1.11</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;background-color:rgb(255,255,255);color:rgb(0,0,0)"><br>
</span></div>
<hr style="display:inline-block;width:98%">
<div id="m_7204651923108459797x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)" face="Calibri, sans-serif"><b style="font-family:Calibri,sans-serif">From:</b> Users
<a href="mailto:users-bounces@lists.opensips.org" target="_blank" style="font-family:Calibri,sans-serif">
<users-bounces@lists.opensips.org></a> on behalf
of Marcin Groszek <a href="mailto:marcin@voipplus.net" target="_blank" style="font-family:Calibri,sans-serif">
<marcin@voipplus.net></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b> Wednesday, January 4, 2023 6:12 PM<br>
<b style="font-family:Calibri,sans-serif">To:</b> <a href="mailto:users@lists.opensips.org" target="_blank" style="font-family:Calibri,sans-serif">
users@lists.opensips.org</a> <a href="mailto:users@lists.opensips.org" target="_blank" style="font-family:Calibri,sans-serif">
<users@lists.opensips.org></a><br>
<b style="font-family:Calibri,sans-serif">Subject:</b> [OpenSIPS-Users] stir shaken verification</font>
<div> </div>
</div>
<div>
<p>Opensips version 3.1.5<br>
</p>
<p>I am having some issues with stir_shaken setup. I am sure
this not an issue with the module, but me.<br>
</p>
<p><code style="font-family:monospace">stir_shaken_auth works just
fine and I am able to sign the calls, however I was
unable to find any document how to use a ca file
available for download at iconectiv/download-list as
well as via API. They do come in as jwt file, but after
little manipulation individual certificates can be
extracted, and the first one is the root certificate; I
think, and the rest are trusted STI-CA.
</code><code style="font-family:monospace">I guess my question is how do I use this file
or any other cert file as
</code>"ca_list" and/or "ca_dir" . <br>
</p>
<p>After weeks and hundreds attempts I was unsuccessful, and
I was unable to locate any document explaining
preparation/setup/steps to setup verification.<br>
</p>
<p>All I get is : <br>
</p>
<p>ERROR:stir_shaken:load_cert: Failed to parse certificate<br>
ERROR:stir_shaken:w_stir_verify: Failed to load
certificate<br>
on INVITE with valid identity header.<br>
</p>
<p>When I remove or replace "ca_list" file with something
bogus opensips does not even start with errors:</p>
<p>ERROR:stir_shaken:init_cert_validation: Failed to load
trustefd CAs<br>
ERROR:core:init_mod: failed to initialize module
stir_shaken</p>
<p>I would really appreciate some guidance on this one.</p>
<p><br>
</p>
<p><code style="font-family:monospace"></code></p>
<p><code style="font-family:monospace"></code></p>
</div>
<br>
<fieldset></fieldset>
<pre style="font-family:monospace">_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank" style="font-family:monospace">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank" style="font-family:monospace">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" target="_blank" style="font-family:monospace">https://www.voipplus.net</a></pre>
</div>
<br>
<fieldset></fieldset>
<pre style="font-family:monospace">_______________________________________________
Users mailing list
<a href="mailto:Users@lists.opensips.org" target="_blank" style="font-family:monospace">Users@lists.opensips.org</a>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank" style="font-family:monospace">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Best Regards:
Marcin Groszek
Business Phone Service
<a href="https://www.voipplus.net" target="_blank" style="font-family:monospace">https://www.voipplus.net</a></pre>
</div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div>