<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body>
    <p>Thank you very much. I have the same file, and verification is
      still failing. Perhaps  my config:</p>
    <p><br>
    </p>
    <p>$var(found) = cache_fetch("local", $identity(x5u), $var(cert));<br>
      if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {<br>
          rest_get( "$identity(x5u)", $var(cert), $var(ctype),
      $var(http_rc));<br>
          if ($rc<0 || $var(http_rc) != 200) {<br>
              send_reply(436, "Bad Identity Info");<br>
              exit;<br>
          }<br>
          cache_store("local", $identity(x5u), $var(cert), 60);<br>
      }<br>
      <br>
      stir_shaken_verify( "$var(cert)", $var(err_sip_code),
      $var(err_sip_reason));<br>
      if ($rc < 0) {<br>
          xlog("stir_shaken_verify() failed: $var(err_sip_code),
      $var(err_sip_reason) \n");<br>
          send_reply( $var(err_sip_code), $var(err_sip_reason));<br>
          exit;<br>
      }<br>
    </p>
    <p><br>
    </p>
    <p>I figured this much: <br>
    </p>
    <p>$var(cert) is a public certificate downloaded from
      $identity(x5u), if it does not exists in local cache it gets
      pulled and stored,</p>
    <p>stir_shaken_check_cert("$var(cert)") is generating these errors:<br>
    </p>
    <p>ERROR:stir_shaken:load_cert: Failed to parse certificate<br>
      ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate (
      because the entry does not exists in local cashdb)</p>
    <p>this forces the download of the public cert from $identity(x5u)
      and store in local cashdb<br>
    </p>
    <p>second attempt does not generate this errors, however calls with
      deferent identity header and url for public cert should generate
      same errors again as the public cert from new url is not in local
      cashdb, but it is NOT generating same error.</p>
    <p>Also, I have minimize cache_store  down to 1 second and after
      that second call with same $identity(x5u) should generate same
      errors , but it is not.</p>
    <p>an example at shaken-not-stirred page have : <br>
    </p>
    <pre class="wp-block-preformatted">rest_get( "$identity(x5u)", "$var(cert)",
        $var(ctype), $var(http_rc));</pre>
    <p>but this fails a start-up with error ERROR:core:fix_cmd: Param
      [2] expected to be a variable so I removed the double quotes from
      around $var(cert) .</p>
    <p><br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 1/5/2023 1:18 PM, Joseph Jackson
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CY8PR17MB62606106876D6AF97CAF192DDBFA9@CY8PR17MB6260.namprd17.prod.outlook.com">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);">Hi Marcin,</span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);"><br>
        </span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);">I suspect you
          are correct that its how you are decoding the ca cert file
          from iconectiv.</span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);"><br>
          attached is what we have currently and it works in our
          production enviroment.</span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);"><br>
        </span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);">If the maillist
          strips out that attachment let me know.  You can reach me
          directly at <a class="moz-txt-link-abbreviated" href="mailto:jjackson@aninetworks.net">jjackson@aninetworks.net</a></span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);"><br>
        </span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);">Joseph</span></div>
      <div class="elementToProof"><span style="font-family: Calibri,
          Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0,
          0, 0); background-color: rgb(255, 255, 255);"><br>
        </span></div>
      <hr style="display:inline-block;width:98%" tabindex="-1">
      <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
          face="Calibri, sans-serif" color="#000000"><b>From:</b> Users
          <a class="moz-txt-link-rfc2396E" href="mailto:users-bounces@lists.opensips.org"><users-bounces@lists.opensips.org></a> on behalf of Marcin
          Groszek <a class="moz-txt-link-rfc2396E" href="mailto:marcin@voipplus.net"><marcin@voipplus.net></a><br>
          <b>Sent:</b> Thursday, January 5, 2023 10:16 AM<br>
          <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@lists.opensips.org">users@lists.opensips.org</a>
          <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.opensips.org"><users@lists.opensips.org></a><br>
          <b>Subject:</b> Re: [OpenSIPS-Users] stir shaken verification</font>
        <div> </div>
      </div>
      <div>
        <p>Joseph, Thank you very much for your respond.</p>
        <p><br>
        </p>
        <p>I have downloaded and apply new sti-ca file but certificate
          validation fails.</p>
        <p>INFO:stir_shaken:verify_callback: certificate validation
          failed: certificate signature failure<br>
          INFO:stir_shaken:w_stir_verify: Invalid certificate<br>
          DBG:core:comp_scriptvar: int 26 : -8 / 0<br>
          [1637] stir_shaken_verify() failed: 437, Unsupported
          Credential</p>
        <p><br>
        </p>
        <p>Perhaps I am not processing the sti-ca file properly.</p>
        <p><br>
        </p>
        <p>I am testing this with a valid token , in fact test calls are
          coming from major cellular carrier in US and the verification
          fails.</p>
        <p>I can see curl download the public cert, storing it in local
          cache and then attempt to verify, but it fails.</p>
        <p>Upon next call with same token, the public cert is pulled
          from local cache and still fails.</p>
        <p><br>
        </p>
        <p><br>
        </p>
        <p><br>
        </p>
        <div class="x_moz-cite-prefix">On 1/4/2023 7:37 PM, Joseph
          Jackson wrote:<br>
        </div>
        <blockquote type="cite">
          <style type="text/css" style="display:none">
<!--
p
        {margin-top:0;
        margin-bottom:0}
-->
</style>
          <div class="x_elementToProof"><span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)">Hi Marcin,</span></div>
          <div class="x_elementToProof"><span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)"><br>
            </span></div>
          <div class="x_elementToProof"><span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)">We have a process that
              downloads the CA list from iconectiv nightly,  decodes the
              jwt and stores the certs in a single file in
              /etc/ssl/sti-ca/sti-ca.pem</span></div>
          <div class="x_elementToProof"><span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)"><br>
            </span></div>
          <div class="x_elementToProof"><span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)">Here is the opensips
              modparam</span></div>
          <div class="x_elementToProof"><span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)"><br>
            </span></div>
          <div class="x_elementToProof"><span class="x_ContentPasted0"
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)">#stir and shaken
              <div class="x_FluidPluginCopy x_ContentPasted0">loadmodule
                "stir_shaken.so"</div>
              <div class="x_FluidPluginCopy x_ContentPasted0">modparam("stir_shaken",
                "verify_date_freshness", 300)</div>
              <div class="x_FluidPluginCopy x_ContentPasted0">modparam("stir_shaken",
                "auth_date_freshness", 300)</div>
              <div class="x_FluidPluginCopy x_ContentPasted0">modparam("stir_shaken",
                "e164_strict_mode", 0)</div>
              <div class="x_FluidPluginCopy x_ContentPasted0">#list of
                root certs for stir / shaken verification</div>
              <div class="x_FluidPluginCopy x_ContentPasted0">modparam("stir_shaken",
                "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")</div>
              <br>
            </span></div>
          <div class="x_elementToProof"><span class="x_ContentPasted0"
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)">This is on opensips
              v3.1.11</span></div>
          <div class="x_elementToProof"><span class="x_ContentPasted0"
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)"><br>
            </span></div>
          <div class="x_elementToProof"><span class="x_ContentPasted0"
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0);
              background-color:rgb(255,255,255)"><br>
            </span></div>
          <hr tabindex="-1" style="display:inline-block; width:98%">
          <div id="x_divRplyFwdMsg" dir="ltr"><font
              style="font-size:11pt" face="Calibri, sans-serif"
              color="#000000"><b>From:</b> Users
              <a class="x_moz-txt-link-rfc2396E"
                href="mailto:users-bounces@lists.opensips.org"
                moz-do-not-send="true">
                <users-bounces@lists.opensips.org></a> on behalf
              of Marcin Groszek <a class="x_moz-txt-link-rfc2396E"
                href="mailto:marcin@voipplus.net" moz-do-not-send="true">
                <marcin@voipplus.net></a><br>
              <b>Sent:</b> Wednesday, January 4, 2023 6:12 PM<br>
              <b>To:</b> <a class="x_moz-txt-link-abbreviated"
                href="mailto:users@lists.opensips.org"
                moz-do-not-send="true">
                users@lists.opensips.org</a> <a
                class="x_moz-txt-link-rfc2396E"
                href="mailto:users@lists.opensips.org"
                moz-do-not-send="true">
                <users@lists.opensips.org></a><br>
              <b>Subject:</b> [OpenSIPS-Users] stir shaken verification</font>
            <div> </div>
          </div>
          <div>
            <p>Opensips version 3.1.5<br>
            </p>
            <p>I am having some issues with stir_shaken setup. I am sure
              this not an issue with the module, but me.<br>
            </p>
            <p><code class="x_x_function">stir_shaken_auth works just
                fine and I am able to sign the calls, however I was
                unable to find any document how to use a ca file
                available for download at iconectiv/download-list as
                well as via API. They do come in as jwt file, but after
                little manipulation individual certificates can be
                extracted, and the first one is the root certificate; I
                think, and the rest are trusted STI-CA.
              </code><code>I guess my question is how do I use this file
                or any other cert file as
              </code>"ca_list" and/or "ca_dir" . <br>
            </p>
            <p>After weeks and hundreds attempts I was unsuccessful, and
              I was unable to locate any document explaining
              preparation/setup/steps to setup verification.<br>
            </p>
            <p>All I get is : <br>
            </p>
            <p>ERROR:stir_shaken:load_cert: Failed to parse certificate<br>
              ERROR:stir_shaken:w_stir_verify: Failed to load
              certificate<br>
              on INVITE with valid identity header.<br>
            </p>
            <p>When I remove or replace  "ca_list" file with something
              bogus opensips does not even start  with errors:</p>
            <p>ERROR:stir_shaken:init_cert_validation: Failed to load
              trustefd CAs<br>
              ERROR:core:init_mod: failed to initialize module
              stir_shaken</p>
            <p>I would really appreciate some guidance on this one.</p>
            <p><br>
            </p>
            <p><code class="x_x_function"></code></p>
            <p><code class="x_x_function"></code></p>
          </div>
          <br>
          <fieldset class="x_mimeAttachmentHeader"></fieldset>
          <pre class="x_moz-quote-pre">_______________________________________________
Users mailing list
<a class="x_moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org" moz-do-not-send="true">Users@lists.opensips.org</a>
<a class="x_moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
        </blockquote>
        <pre class="x_moz-signature" cols="72">-- 
Best Regards:
Marcin Groszek
Business Phone Service
<a class="x_moz-txt-link-freetext" href="https://www.voipplus.net" moz-do-not-send="true">https://www.voipplus.net</a></pre>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Best Regards:
Marcin Groszek
Business Phone Service
<a class="moz-txt-link-freetext" href="https://www.voipplus.net">https://www.voipplus.net</a></pre>
  </body>
</html>