<div dir="ltr"><div dir="ltr">Hi all,<br><div>Thanks Wadii for your help (in private ;) )</div><div>I developed a solution to check CRL in an external process (python script scheduled by AWX).</div><div><br></div><div>My python script (download only in memory, not on disk)</div><div><u>For CA certificates:</u></div><div>- Download CA et intermediate certs</div><div>- Download PA cert (pa cert is used to sign CRL)</div><div>- Download CA CRL</div><div>- Check if CA or intermediate cert are revoked</div><div>- I use ansible (AWX) to write CA et intermediate certs into opensips disk</div><div>- Ansible restart opensips only if CA or intermediate cert change</div><div><br></div><div><u>For provider certificate (BPCO):</u></div><div>- Download provider certificates that are in tar.gz (only in memory)</div><div>- Uncompress tar.gz and create a dict with data (cert data, cert id, provider id)</div><div>- Download CRL for provider certificates</div><div>- Check all provider certificates signatures (not necessary, because opensips can do that for each call)</div><div>- Check if cert is revoked</div><div>- Extract metadata and add them to dict</div><div>- Ansible parses this dict and push each line in mysql cache DB (sql_cacher module)</div><div><br></div><div>Ex of dict:</div><div><font face="monospace">{<br> "126881e75888888": {<br> "provider_code": "PROV00",<br> "cert_data": "-----BEGIN CERTIFICATE-----.........\n-----END CERTIFICATE-----\n",<br> "not_before": "20230815220000Z",<br> "not_after": "20240814215959Z",<br> "has_expired": false,<br> "valid": false,<br> "revoked": true,<br> "revoked_date": "20230809151920Z"<br> }<br>}</font><br></div><div><font face="monospace"><br></font></div><div><font face="arial, sans-serif">Thanks to that, when call is processed by opensips, it gets in its cache the correct data, if revoked == true, force $rc = -7 (</font><a href="https://github.com/OpenSIPS/sipssert-opensips-tests/blob/1313d03b6ecd1972f9d2facf69116c418fb40399/stir-shaken/04.verify-200/stir_shaken_verify.cfg#L135">https://github.com/OpenSIPS/sipssert-opensips-tests/blob/1313d03b6ecd1972f9d2facf69116c418fb40399/stir-shaken/04.verify-200/stir_shaken_verify.cfg#L135</a>) to send a correct error code 437 Unsupported Credential)</div><div><br></div><div>Maybe that can help my french friends voip providers ;)</div><div><br></div><div>Have a good day</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 7 août 2023 à 09:29, Wadii ELMAJDI | Evenmedia <<a href="mailto:wadii@evenmedia.fr">wadii@evenmedia.fr</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg1444690862459945292">
<div lang="FR" style="overflow-wrap: break-word;">
<div class="m_1444690862459945292WordSection1">
<p class="MsoNormal"><span lang="EN-US">Hello<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">I have run into a problem with the STIR/SHAKEN verification process.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">In the French implementation of StirShaken, the CRL of the operator certificates is signed with a certificate that is different from the one used to sign providers certificates.<br>
and in such case, OpenSSL does not allow in one command to validate the entire certification chain.<br>
<br>
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Also, OPENSIPS stirshaken module's stir_shaken_verify function fails to validate providers certificate (with CRL Loaded)
<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Error : certificate validation failed: unable to get certificate CRL<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">For now, following the guidelines suggested by the French authority handling STIR/SHAKEN, we are planning to implement a two-step approach to check CRL before stir_shaken_verify kicks in (w/o CRL loaded)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">First, we verify the certification chain of the provider's certificate, plus making sure CA’s certificates are not revoked. We do this using a command like:<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all -CRLfile /etc/opensips/example_certs/crl_list.pem /etc/opensips/example_certs/ProviderCertificate.cer<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Where example_pa.pem is the certificate used to sign CRL of providers certificates, and crl_list : the concatenation of both providers and CA’s CRLs in PEM format.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">The second step involves a separate check to verify if the provider’s certificate is revoked :<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text | grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer -noout -serial | cut -d '=' -f 2)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">This will add an extra processing time due to a double certification validation (ran by both by openssl and stir_shaken_verify) + reading crls from disk.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Given this situation, it would be highly beneficial if Opensips could accommodate cases where revocation lists are signed with a different certificate. This would not only simplify the verification process but also improve
compatibility for similar future scenarios (like a complex certificate hierarchy)<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Suggestion : <u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">Consider adding an exported parameter, such as :<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">modparam("stir_shaken", "crl_signing_certs", "/stir_certs/crl_signing_certs.pem")<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US"><u></u> <u></u></span></p>
<p class="MsoNormal"><span lang="EN-US">This parameter would allow users to specify a list of separate certificates used to sign the CRLs, in cases where the CRLs and the provider certificates are not signed by the same certificate.<u></u><u></u></span></p>
</div>
</div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</div></blockquote></div></div>