Copyright © 2007 Alexander Christ, Cologne University of Applied Sciences
| Revision History | |
|---|---|
| Revision $Revision: 5901 $ | $Date: 2007-03-29$ |
Table of Contents
List of Examples
The following modules must be loaded before this module:
No dependencies on other OpenSIPS modules.
Filename of private RSA-key of authentication service. This file must be in PEM format.
Example 1.1. Set privKey parameter
...
modparam("identity", "privKey", "/etc/openser/privkey.pem")
...
Filename of certificate which belongs to privKey. This file must be in PEM format.
Example 1.2. Set authCert parameter
...
modparam("identity", "authCert", "/etc/openser/cert.pem")
...
URI from which the certificate of the authentication service can be acquired. This string will be placed in the Identity-Info header.
Example 1.3. Set certUri parameter
...
modparam("identity", "certUri", "http://www.myserver.com/cert.pem")
...
Path containing certificates for the verifier. Certificates must be in PEM format. The URI in the Identity-Info header field is used to find the corresponding certificate for the request. For this purpose the verifier replaces every character which is not alphanumeric, no “_” and no “.” with a “-”. A “.” at the beginning of the URI is forbidden. If the URI is “http://www.test.com/cert.pem” the verifier will look for the file “http---www.test.com-cert.pem”, for example. It is also possible to store a whole certificate chain in a file. In this case certificates must be in right order, end certificate first.
File containing all trusted (root) certificates for the verifier. Certificates must be in PEM format.
File containing certificate revocation lists (crls) for the verifier. Setting this parameter is only necessary if useCrls is set to “1”.
This function performs the steps of an authentication service. Before you call this function, you have to ensure that
the server is responsible for this request (from URI matches local SIP domain)
the sender of the request is authorized to claim the identity given in the From header field.
-3: Date header field does not match validity period of cert. Identity header has not been added.
-2: message out of time (e.g. message to old), Identity header has not been added.
-1: An error occurred.
1: everything OK, Identity header has been added.
Example 1.8. authservice() usage
...
# CANCEL and ACK cannot be challenged
if ((method=="CANCEL") || (method=="ACK"))
{
route(1); # forward
exit;
}
# some clients (e.g. Kphone) do not answer, when a BYE is challenged
if (method=="BYE")
{
route(1); # forward
exit;
}
### Authentication Service ###
# check whether I am authoritative
if(!from_uri=~".*@mysipdomain.de")
{
route(1); # forward
exit;
}
if(!proxy_authorize("mysipdomain.de","subscriber"))
{
proxy_challenge("mysipdomain.de","0");
exit;
}
if (!db_check_from())
{
sl_send_reply("403", "Use From=ID");
exit;
}
consume_credentials();
authservice();
switch($retcode)
{
case -3:
xlog("L_DBG" ,"authservice: Date header field does not match validity period of cert\n");
break;
case -2:
xlog("L_DBG" ,"authservice: msg out of time (max. +- 10 minutes allowed)\n");
break;
case -1:
xlog("L_DBG" ,"authservice: ERROR, returnvalue: -1\n");
break;
case 1:
xlog("L_DBG" ,"authservice: everything OK\n");
break;
default:
xlog("L_DBG" ,"unknown returnvalue of authservice\n");
}
route(1); #forward with ($retcode=1) or without ($retcode!=1) Identity header
...
This function performs the steps of an verifier. The returned code tells you the result of the verification:
-438: Signature does not correspond to the message. 438-response should be send.
-437: Certificate cannot be validated. 437-response should be send.
-436: Certificate is not available. 436-response should be send.
-428: Message does not have an Identity header. 428-response should be send.
-3: Error verifying Date header field.
-2: Authentication service is not authoritative.
-1: An unknown error occurred.
1: verification OK
Example 1.9. verifier() usage
...
# we have to define the same exceptions as we did for the authentication service
if ((method=="CANCEL") || (method=="ACK"))
{
route(1); # forward
exit;
}
if (method=="BYE")
{
route(1); # forward
exit;
}
verifier();
switch($retcode)
{
case -438:
xlog("L_DBG" ,"verifier: returnvalue: -438\n");
sl_send_reply("438", "Invalid Identity Header");
exit;
break;
case -437:
xlog("L_DBG" ,"verifier: returnvalue: -437\n");
sl_send_reply("437", "Unsupported Certificate");
exit;
break;
case -436:
xlog("L_DBG" ,"verifier: returnvalue: -436\n");
sl_send_reply("436", "Bad Identity-Info");
exit;
break;
case -428:
xlog("L_DBG" ,"verifier: returnvalue: -428\n");
sl_send_reply("428", "Use Identity Header");
exit;
break;
case -3:
xlog("L_DBG" ,"verifier: error verifying Date header field\n");
exit;
break;
case -2:
xlog("L_DBG" ,"verifier: authentication service is not authoritative\n");
exit;
break;
case -1:
xlog("L_DBG" ,"verifier: ERROR, returnvalue: -1\n");
exit;
break;
case 1:
xlog("L_DBG" ,"verifier: verification OK\n");
route(1); # forward
exit;
break;
default:
xlog("L_DBG" ,"unknown returnvalue of verifier\n");
exit;
}
exit;
...
Certificates are not downloaded. They have to be stored locally.
Call-IDs of valid requests containing an Identity header are not recorded. Hence the verifier does not provide full replay protection.
Authentication service and verifier use the original request. Changes resulting from message processing in OpenSER script are ignored.