[OpenSIPS-Users] STIR/SHAKEN E.164 strict mode module parameter not working .
Devang Dhandhalya
devang.dhandhalya at ecosmob.com
Wed Nov 24 12:57:00 EST 2021
Hello vlad
Thank you so much For your response , Verification Service works using
those certificates .
Regards,
Devang Dhandhalya
On Tue, Nov 23, 2021 at 10:32 PM Vlad Patrascu <vladp at opensips.org> wrote:
> Hello Devang,
>
> The cache_fetch() functions returns -2 when the key is not found so it's
> normal when getting the certificate the first time.
>
> STIR/SHAKEN requires that the certificates have the TnAuthList extension.
> You can check out some examples on how to generate such certificates in
> this document [1] at Appendix A or this script [2].
>
> [1]
> https://cstga.ca/wp-content/uploads/2020/07/ATIS-1000080.v002_SHAKEN-Governance-Model.pdf
>
> [2]
> https://github.com/OpenSIPIt/OpenSIPIt_00/blob/master/STIR_SHAKEN/Certgen/gencert.sh
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developerhttp://www.opensips-solutions.com
>
> On 22.11.2021 14:41, Devang Dhandhalya wrote:
>
> Hello Vlad
>
> Authentication service works fine. Now I am getting an error in the
> stir_shaken_verify function , after fetching a certificate, I am getting
> below error . I generated private keys and X509 certificates using
> prime256v1" EC.
> After fetching the certificate I am getting var(found) = -2 can you please
> tell me about this too .
>
> OpenSIPS Logs :
>
>
>
>
>
> *var(found) = [-2] INFO:stir_shaken:validate_certificate: The certificate
> is missing the TnAuthList extension INFO:stir_shaken:w_stir_verify: Invalid
> certificate return code : [-8] stir_shaken_verify() failed:437, Unsupported
> Credential *
> below opensips script snippet :
>
> $var(found) = cache_fetch("local",$identity(x5u),$var(cert));
>
>
> if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
> rest_get("$identity(x5u)",$var(cert),$var(ctype),
> $var(http_rc));
> if ($rc<0 ) {
> send_reply(436, "Bad Identity Info");
> exit;
> }
> cache_store("local", $identity(x5u),"$var(cert)");
> }
>
>
> $var(rc_verify)= stir_shaken_verify($var(cert),
> $var(err_sip_code),$var(err_sip_reason),"$var(orig)","$var(dest)");
> if ($var(rc_verify) < 0) {
>
> send_reply(
> $var(err_sip_code),$var(err_sip_reason));
> exit;
> }
>
> Kindly inform me why I am getting this error . Please suggest a solution
> to this .
>
>
> Regards
> Devang Dhandhalya
>
>
> On Fri, Nov 19, 2021 at 3:16 PM Devang Dhandhalya <
> devang.dhandhalya at ecosmob.com> wrote:
>
>> Hello Vlad
>>
>> Thanks for your response . Authentication service works .
>>
>> Regards ,
>> Devang Dhandhalya
>>
>>
>> On Wed, Nov 17, 2021 at 8:57 PM Devang Dhandhalya <
>> devang.dhandhalya at ecosmob.com> wrote:
>>
>>> hello all
>>>
>>>
>>> Above E.164 Error still getting .Right now I'm getting the below error .
>>> Can anyone tell me why I am getting this error ? as far as i know this
>>> error for x5u parameter in stir_shaken_auth function , this issue coming
>>> for certificate path or certificate file format .
>>>
>>>
>>> I check the certificate file with .der and .cer format also .
>>>
>>> Here is the code snippet used .
>>> $var(rc_auth)=stir_shaken_auth("A", "GWID-123456","$var(cert)", "$var(pkey)","http://localhost/certificate.pem","$var(orig)","$var(dest)");
>>>
>>> Below Error i am getting .
>>>
>>>
>>> ERROR:stir_shaken:add_identity_hf: Failed to convert from DER to internal format
>>>
>>> ERROR:stir_shaken:w_stir_auth: Failed to add Identity header
>>>
>>> STIR_SHAKEN AUTHENTICATION SERVICE return code : -1
>>>
>>>
>>> Kindly let me know if there is something wrong that I could be doing.
>>>
>>> Many Thanks
>>> Devang Dhandhalya
>>>
>>>
>>> On Wed, Nov 17, 2021 at 11:37 AM Devang Dhandhalya <
>>> devang.dhandhalya at ecosmob.com> wrote:
>>>
>>>> Hi All
>>>>
>>>> I configured the e164 strict mode module parameter as 0 (disabled) .
>>>> but still i am getting errors related to its e164 format .While if
>>>> orig/dest number is not in e164 format then also opensips have to accept it
>>>> but it is not accepting . I have a user like extension123 for this
>>>> function I have to perform authentication service . if i have a user
>>>> extension123 is it possible to perform authenticate service for this kind
>>>> of user ?
>>>>
>>>> I think this is a bug for the e164 strict mode module parameter . I am
>>>> getting the below error .
>>>>
>>>> opensips version : 3.2.2
>>>>
>>>> ERROR :
>>>> ERROR:stir_shaken:check_passport_phonenum: number is not in E.164
>>>> format: extension123
>>>> ERROR:stir_shaken:w_stir_auth: failed to validate Originator number
>>>> (extension123)
>>>>
>>>>
>>>> loadmodule "stir_shaken.so"
>>>> modparam("stir_shaken", "auth_date_freshness", 300)
>>>> modparam("stir_shaken", "verify_date_freshness", 300)
>>>> modparam("stir_shaken", "require_date_hdr", 0)
>>>> modparam("stir_shaken", "e164_strict_mode", 0)
>>>>
>>>> $var(orig) = $fU;
>>>> $var(dest) = $tU
>>>> $var(rc_auth)=stir_shaken_auth("A", "GWID-123456","$var(cert)",
>>>> "$var(pkey)","http://localhost/certificate.pem
>>>> ","$var(orig)","$var(dest)");
>>>>
>>>> Please suggest a solution to this .
>>>>
>>>> Many Thanks
>>>> Devang
>>>>
>>>
> *Disclaimer*
> In addition to generic Disclaimer which you have agreed on our website,
> any views or opinions presented in this email are solely those of the
> originator and do not necessarily represent those of the Company or its
> sister concerns. Any liability (in negligence, contract or otherwise)
> arising from any third party taking any action, or refraining from taking
> any action on the basis of any of the information contained in this email
> is hereby excluded.
>
> *Confidentiality*
> This communication (including any attachment/s) is intended only for the
> use of the addressee(s) and contains information that is PRIVILEGED AND
> CONFIDENTIAL. Unauthorized reading, dissemination, distribution, or copying
> of this communication is prohibited. Please inform originator if you have
> received it in error.
>
> *Caution for viruses, malware etc.*
> This communication, including any attachments, may not be free of viruses,
> trojans, similar or new contaminants/malware, interceptions or
> interference, and may not be compatible with your systems. You shall carry
> out virus/malware scanning on your own before opening any attachment to
> this e-mail. The sender of this e-mail and Company including its sister
> concerns shall not be liable for any damage that may incur to you as a
> result of viruses, incompleteness of this message, a delay in receipt of
> this message or any other computer problems.
>
>
--
*Disclaimer*
In addition to generic Disclaimer which you have agreed on our
website, any views or opinions presented in this email are solely those of
the originator and do not necessarily represent those of the Company or its
sister concerns. Any liability (in negligence, contract or otherwise)
arising from any third party taking any action, or refraining from taking
any action on the basis of any of the information contained in this email
is hereby excluded.
*Confidentiality*
This communication (including any
attachment/s) is intended only for the use of the addressee(s) and contains
information that is PRIVILEGED AND CONFIDENTIAL. Unauthorized reading,
dissemination, distribution, or copying of this communication is
prohibited. Please inform originator if you have received it in error.
*Caution for viruses, malware etc.*
This communication, including any
attachments, may not be free of viruses, trojans, similar or new
contaminants/malware, interceptions or interference, and may not be
compatible with your systems. You shall carry out virus/malware scanning on
your own before opening any attachment to this e-mail. The sender of this
e-mail and Company including its sister concerns shall not be liable for
any damage that may incur to you as a result of viruses, incompleteness of
this message, a delay in receipt of this message or any other computer
problems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20211124/ceb70421/attachment.html>
More information about the Users
mailing list