<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-ligatures:standardcontextual;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="FR" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hello<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I have run into a problem with the STIR/SHAKEN verification process.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">In the French implementation of StirShaken, the CRL of the operator certificates is signed with a certificate that is different from the one used to sign providers certificates.<br>
and in such case, OpenSSL does not allow in one command to validate the entire certification chain.<br>
<br>
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Also, OPENSIPS stirshaken module's stir_shaken_verify function fails to validate providers certificate (with CRL Loaded)
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Error : certificate validation failed: unable to get certificate CRL<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">For now, following the guidelines suggested by the French authority handling STIR/SHAKEN, we are planning to implement a two-step approach to check CRL before stir_shaken_verify kicks in (w/o CRL loaded)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">First, we verify the certification chain of the provider's certificate, plus making sure CA’s certificates are not revoked. We do this using a command like:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all -CRLfile /etc/opensips/example_certs/crl_list.pem /etc/opensips/example_certs/ProviderCertificate.cer<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Where example_pa.pem is the certificate used to sign CRL of providers certificates, and crl_list : the concatenation of both providers and CA’s CRLs in PEM format.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The second step involves a separate check to verify if the provider’s certificate is revoked :<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text | grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer -noout -serial | cut -d '=' -f 2)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This will add an extra processing time due to a double certification validation (ran by both by openssl and stir_shaken_verify) + reading crls from disk.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Given this situation, it would be highly beneficial if Opensips could accommodate cases where revocation lists are signed with a different certificate. This would not only simplify the verification process but also improve
compatibility for similar future scenarios (like a complex certificate hierarchy)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Suggestion : <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Consider adding an exported parameter, such as :<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("stir_shaken", "crl_signing_certs", "/stir_certs/crl_signing_certs.pem")<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">This parameter would allow users to specify a list of separate certificates used to sign the CRLs, in cases where the CRLs and the provider certificates are not signed by the same certificate.<o:p></o:p></span></p>
</div>
</body>
</html>