[OpenSIPS-Users] STIR/SHAKEN E.164 strict mode module parameter not working
Vlad Patrascu
vladp at opensips.org
Tue Nov 23 17:02:36 EST 2021
Hello Devang,
The cache_fetch() function returns -2 when the key is not found, so it's
normal when getting the certificate the first time.
STIR/SHAKEN requires that the certificates have the TnAuthList
extension. You can check out some examples on how to generate such
certificates in this document [1] at Appendix A or this script [2].
[1] https://cstga.ca/wp-content/uploads/2020/07/ATIS-1000080.v002_SHAKEN-Governance-Model.pdf
[2] https://github.com/OpenSIPIt/OpenSIPIt_00/blob/master/STIR_SHAKEN/Certgen/gencert.sh
Regards,
--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com
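
The TnAuthList requirement mentioned above, as an added example that is not part of the original message or of OpenSIPS: the extension is id-pe-TNAuthList (OID 1.3.6.1.5.5.7.1.26, RFC 8226), and its value is a DER SEQUENCE of explicitly tagged entries. The function names and the service provider code "1234" are constructed for illustration, and the TelephoneNumberRange choice is not handled; the line returned by `openssl_ext_line` has the arbitrary-extension form accepted in the extensions section of an OpenSSL config file.

```python
TNAUTHLIST_OID = "1.3.6.1.5.5.7.1.26"  # id-pe-TNAuthList (RFC 8226)
IA5STRING, SEQUENCE = 0x16, 0x30
ENTRY_TAGS = {"spc": 0xA0, "one": 0xA2}  # [0]/[2] EXPLICIT; range [1] not handled here

def _tlv(tag, body):  # DER tag-length-value, short or long definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + n], pos + n

def encode_tnauthlist(entries):
    """entries: list of (kind, digits), kind 'spc' or 'one' -> DER SEQUENCE OF TNEntry."""
    if not entries:
        raise ValueError("TNAuthList must hold at least one entry")
    body = b"".join(_tlv(ENTRY_TAGS[k], _tlv(IA5STRING, v.encode("ascii")))
                    for k, v in entries)
    return _tlv(SEQUENCE, body)

def decode_tnauthlist(der):
    """Inverse of encode_tnauthlist; raises ValueError on anything unexpected."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der) or not body:
        raise ValueError("not a TNAuthorizationList")
    kinds, out, pos = {t: k for k, t in ENTRY_TAGS.items()}, [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        t, val, stop = _read_tlv(inner, 0)
        if tag not in kinds or t != IA5STRING or stop != len(inner):
            raise ValueError("unsupported TNEntry")
        out.append((kinds[tag], val.decode("ascii")))
    return out

def openssl_ext_line(der):
    """Line for the x509 extensions section of an OpenSSL config file."""
    return f"{TNAUTHLIST_OID} = DER:" + ":".join(f"{b:02x}" for b in der)

SAMPLE = encode_tnauthlist([("spc", "1234")])  # constructed sample SPC
```
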
On 22.11.2021 14:41, Devang Dhandhalya wrote:
> Hello Vlad
>
> Authentication service works fine. Now I am getting an error in the
> stir_shaken_verify function; after fetching a certificate, I am
> getting the below error. I generated private keys and X509 certificates
> using "prime256v1" EC.
> After fetching the certificate I am getting var(found) = -2; can you
> please tell me about this too?
>
> OpenSIPS Logs :
>
> var(found) = [-2]
> INFO:stir_shaken:validate_certificate: The certificate is missing the TnAuthList extension
> INFO:stir_shaken:w_stir_verify: Invalid certificate
> return code : [-8] stir_shaken_verify() failed:437, Unsupported Credential
>
> below opensips script snippet :
>
> $var(found) = cache_fetch("local",$identity(x5u),$var(cert));
>
>
> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
> rest_get("$identity(x5u)",$var(cert),$var(ctype), $var(http_rc));
> if ($rc<0 ) {
> send_reply(436, "Bad Identity Info");
> exit;
> }
> cache_store("local", $identity(x5u),"$var(cert)");
> }
>
>
> $var(rc_verify)= stir_shaken_verify($var(cert),
> $var(err_sip_code),$var(err_sip_reason),"$var(orig)","$var(dest)");
> if ($var(rc_verify) < 0) {
>
> send_reply(
> $var(err_sip_code),$var(err_sip_reason));
> exit;
> }
>
> Kindly inform me why I am getting this error. Please suggest a
> solution to this.
>
>
> Regards
> Devang Dhandhalya
>
>
> On Fri, Nov 19, 2021 at 3:16 PM Devang Dhandhalya
> <devang.dhandhalya at ecosmob.com> wrote:
>
> Hello Vlad
>
> Thanks for your response. Authentication service works.
>
> Regards ,
> Devang Dhandhalya
>
> On Wed, Nov 17, 2021 at 8:57 PM Devang Dhandhalya
> <devang.dhandhalya at ecosmob.com> wrote:
>
> hello all
>
>
> I am still getting the above E.164 error. Right now I'm getting the below error.
> Can anyone tell me why I am getting this error? As far as I know, this
> error is for the x5u parameter in the stir_shaken_auth function; this issue comes
> from the certificate path or certificate file format.
>
>
> I checked the certificate file with .der and .cer format also.
>
> Here is the code snippet used .
>
>
> $var(rc_auth)=stir_shaken_auth("A",
> "GWID-123456","$var(cert)",
> "$var(pkey)","http://localhost/certificate.pem","$var(orig)","$var(dest)");
>
> I am getting the below error.
>
>
> ERROR:stir_shaken:add_identity_hf: Failed to convert from DER to internal format
>
> ERROR:stir_shaken:w_stir_auth: Failed to add Identity header
>
> STIR_SHAKEN AUTHENTICATION SERVICE return code : -1
>
> Kindly let me know if there is something wrong that I could be
> doing.
>
> Many Thanks
> Devang Dhandhalya
>
>
> On Wed, Nov 17, 2021 at 11:37 AM Devang Dhandhalya
> <devang.dhandhalya at ecosmob.com> wrote:
>
> Hi All
>
> I configured the e164 strict mode module parameter as 0
> (disabled), but I am still getting errors related to the
> E.164 format. If the orig/dest number is not in E.164
> format, OpenSIPS should still accept it, but it is not
> accepting it. I have a user like extension123, and for this
> user I have to perform the authentication service. If I
> have a user extension123, is it possible to perform the
> authentication service for this kind of user?
>
> I think this is a bug in the e164 strict mode module
> parameter. I am getting the below error.
>
> opensips version : 3.2.2
>
> ERROR :
> ERROR:stir_shaken:check_passport_phonenum: number is not
> in E.164 format: extension123
> ERROR:stir_shaken:w_stir_auth: failed to validate
> Originator number (extension123)
>
>
> loadmodule "stir_shaken.so"
> modparam("stir_shaken", "auth_date_freshness", 300)
> modparam("stir_shaken", "verify_date_freshness", 300)
> modparam("stir_shaken", "require_date_hdr", 0)
> modparam("stir_shaken", "e164_strict_mode", 0)
>
> $var(orig) = $fU;
> $var(dest) = $tU;
> $var(rc_auth)=stir_shaken_auth("A",
> "GWID-123456","$var(cert)",
> "$var(pkey)","http://localhost/certificate.pem","$var(orig)","$var(dest)");
>
> Please suggest a solution to this .
>
> Many Thanks
> Devang
>