[OpenSIPS-Users] STIR/SHAKEN E.164 strict mode module parameter not working.

Vlad Patrascu vladp at opensips.org
Tue Nov 23 17:02:36 EST 2021


Hello Devang,

The cache_fetch() function returns -2 when the key is not found, so it's 
normal when getting the certificate the first time.

STIR/SHAKEN requires that the certificates have the TnAuthList 
extension. You can check out some examples on how to generate such 
certificates in this document [1] at Appendix A or this script [2].

[1] https://cstga.ca/wp-content/uploads/2020/07/ATIS-1000080.v002_SHAKEN-Governance-Model.pdf

[2] https://github.com/OpenSIPIt/OpenSIPIt_00/blob/master/STIR_SHAKEN/Certgen/gencert.sh

Regards,

-- 
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 22.11.2021 14:41, Devang Dhandhalya wrote:
> Hello Vlad
>
> Authentication service works fine. Now I am getting an error in the 
> stir_shaken_verify function: after fetching a certificate, I am 
> getting the error below. I generated private keys and X509 certificates 
> using "prime256v1" EC.
> After fetching the certificate I am getting var(found) = -2; can you 
> please tell me about this too?
>
> OpenSIPS logs:
>
> var(found) = [-2]
> INFO:stir_shaken:validate_certificate: The certificate is missing the TnAuthList extension
> INFO:stir_shaken:w_stir_verify: Invalid certificate
> return code : [-8] stir_shaken_verify() failed:437, Unsupported Credential
>
> Below is the OpenSIPS script snippet:
>
> $var(found) = cache_fetch("local",$identity(x5u),$var(cert));
>
> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
>         rest_get("$identity(x5u)",$var(cert),$var(ctype), $var(http_rc));
>         if ($rc<0 ) {
>                 send_reply(436, "Bad Identity Info");
>                 exit;
>         }
>         cache_store("local", $identity(x5u),"$var(cert)");
> }
>
> $var(rc_verify)= stir_shaken_verify($var(cert), $var(err_sip_code),$var(err_sip_reason),"$var(orig)","$var(dest)");
> if ($var(rc_verify) < 0) {
>         send_reply($var(err_sip_code),$var(err_sip_reason));
>         exit;
> }
>
> Kindly inform me why I am getting this error. Please suggest a 
> solution to this.
>
>
> Regards
> Devang Dhandhalya
>
>
> On Fri, Nov 19, 2021 at 3:16 PM Devang Dhandhalya 
> <devang.dhandhalya at ecosmob.com> wrote:
>
>     Hello Vlad
>
>     Thanks for your response. Authentication service works.
>
>     Regards,
>     Devang Dhandhalya
>
>     On Wed, Nov 17, 2021 at 8:57 PM Devang Dhandhalya
>     <devang.dhandhalya at ecosmob.com> wrote:
>
>         Hello all,
>
>
>         I am still getting the above E.164 error. Right now I'm getting the error below.
>         Can anyone tell me why I am getting this error? As far as I know, this
>         error is for the x5u parameter in the stir_shaken_auth function; this issue is coming
>         from the certificate path or certificate file format.
>
>
>         I checked the certificate file with .der and .cer format also.
>
>         Here is the code snippet used.
>
>
>         $var(rc_auth)=stir_shaken_auth("A",
>         "GWID-123456","$var(cert)",
>         "$var(pkey)","http://localhost/certificate.pem",
>         "$var(orig)","$var(dest)");
>
>         I am getting the error below.
>
>
>         ERROR:stir_shaken:add_identity_hf: Failed to convert from DER to internal format
>
>         ERROR:stir_shaken:w_stir_auth: Failed to add Identity header
>
>         STIR_SHAKEN AUTHENTICATION SERVICE  return code : -1
>
>         Kindly let me know if there is something wrong that I could be
>         doing.
>
>         Many Thanks
>         Devang Dhandhalya
>
>
>         On Wed, Nov 17, 2021 at 11:37 AM Devang Dhandhalya
>         <devang.dhandhalya at ecosmob.com> wrote:
>
>             Hi All
>
>             I configured the e164 strict mode module parameter as 0
>             (disabled), but I am still getting errors related to the
>             E.164 format. Even if the orig/dest number is not in E.164
>             format, OpenSIPS has to accept it, but it is not
>             accepting it. I have a user like extension123, and for this
>             user I have to perform the authentication service. If I
>             have a user extension123, is it possible to perform the
>             authentication service for this kind of user?
>
>             I think this is a bug in the e164 strict mode module
>             parameter. I am getting the error below.
>
>             opensips version : 3.2.2
>
>             ERROR:
>             ERROR:stir_shaken:check_passport_phonenum: number is not in E.164 format: extension123
>             ERROR:stir_shaken:w_stir_auth: failed to validate Originator number (extension123)
>
>
>             loadmodule "stir_shaken.so"
>             modparam("stir_shaken", "auth_date_freshness", 300)
>             modparam("stir_shaken", "verify_date_freshness", 300)
>             modparam("stir_shaken", "require_date_hdr", 0)
>             modparam("stir_shaken", "e164_strict_mode", 0)
>
>             $var(orig) = $fU;
>             $var(dest) = $tU;
>             $var(rc_auth)=stir_shaken_auth("A",
>             "GWID-123456","$var(cert)",
>             "$var(pkey)","http://localhost/certificate.pem",
>             "$var(orig)","$var(dest)");
>
>             Please suggest a solution to this.
>
>             Many Thanks
>             Devang
>
>
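The reply at the top of this thread says STIR/SHAKEN certificates must carry the TnAuthList extension. The following is an added example, not part of the original thread and not OpenSIPS or OpenSIPIt code: it builds two throwaway prime256v1 self-signed certificates, one with the extension and one without, and checks each for the extension OID 1.3.6.1.5.5.7.1.26 (RFC 8226). It assumes the openssl CLI is installed; the SPC value 1001, the file names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway certificates, nothing here comes from the thread.
# DER encoding (tag, length, value) of OID 1.3.6.1.5.5.7.1.26, id-pe-TNAuthList (RFC 8226)
TNAUTH_DER="06 08 2b 06 01 05 05 07 01 1a"

# has_tnauthlist CERT.pem -> exit 0 when the certificate's DER contains the OID.
# Matching raw bytes avoids depending on how an OpenSSL build names the OID.
has_tnauthlist() {
    openssl x509 -in "$1" -outform DER 2>/dev/null |
        od -An -v -tx1 | tr -s '[:space:]' ' ' | grep -q "$TNAUTH_DER"
}

# make_demo_cert PREFIX yes|no -> PREFIX.key and PREFIX.pem (self-signed, prime256v1)
make_demo_cert() {
    cat > "$1.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = shaken-demo-constructed
[shaken_ext]
# TNAuthorizationList with one entry: spc [0] EXPLICIT IA5String "1001" (placeholder SPC)
1.3.6.1.5.5.7.1.26 = ASN1:SEQUENCE:tn_auth_list
[tn_auth_list]
spc = EXP:0,IA5:1001
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null || return 1
    if [ "$2" = yes ]; then
        openssl req -new -x509 -key "$1.key" -days 1 -config "$1.cnf" \
            -extensions shaken_ext -out "$1.pem" 2>/dev/null
    else
        openssl req -new -x509 -key "$1.key" -days 1 -config "$1.cnf" \
            -out "$1.pem" 2>/dev/null
    fi
}

tmp=$(mktemp -d)
make_demo_cert "$tmp/with" yes
make_demo_cert "$tmp/without" no
for cert in "$tmp/with.pem" "$tmp/without.pem"; do
    if has_tnauthlist "$cert"; then
        echo "${cert##*/}: TnAuthList present"
    else
        echo "${cert##*/}: TnAuthList missing"
    fi
done
rm -rf "$tmp"
```

Running has_tnauthlist against the certificate served at the x5u URL shows, before any call is placed, whether stir_shaken_verify() would log the "missing the TnAuthList extension" message quoted above.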