[OpenSIPS-Users] Issue with CRL Validation in French STIR/SHAKEN Implementation

Wadii ELMAJDI | Evenmedia wadii at evenmedia.fr
Mon Aug 7 07:28:01 UTC 2023


Hello

I have run into a problem with the STIR/SHAKEN verification process.
In the French implementation of StirShaken, the CRL of the operator certificates is signed with a certificate that is different from the one used to sign providers certificates.
and in such case, OpenSSL does not allow in one command to validate the entire certification chain.

Also, OPENSIPS stirshaken module's stir_shaken_verify function fails to validate providers certificate (with CRL Loaded)

Error : certificate validation failed: unable to get certificate CRL

For now, following the guidelines suggested by the French authority handling STIR/SHAKEN, we are planning to implement a two-step approach to check CRL before stir_shaken_verify kicks in (w/o CRL loaded)
First, we verify the certification chain of the provider's certificate, plus making sure CA's certificates are not revoked. We do this using a command like:

openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all -CRLfile /etc/opensips/example_certs/crl_list.pem /etc/opensips/example_certs/ProviderCertificate.cer

Where example_pa.pem is the certificate used to sign CRL of providers certificates, and crl_list : the concatenation of both providers and CA's CRLs in PEM format.
The second step involves a separate check to verify if the provider's certificate is revoked :

openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text | grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer -noout -serial | cut -d '=' -f 2)

This will add an extra processing time due to a double certification validation (ran by both by openssl and stir_shaken_verify)  + reading crls from disk.

Given this situation, it would be highly beneficial if Opensips could accommodate cases where revocation lists are signed with a different certificate. This would not only simplify the verification process but also improve compatibility for similar future scenarios (like a complex certificate hierarchy)

Suggestion :

Consider adding an exported parameter, such as :
modparam("stir_shaken", "crl_signing_certs", "/stir_certs/crl_signing_certs.pem")

This parameter would allow users to specify a list of separate certificates used to sign the CRLs, in cases where the CRLs and the provider certificates are not signed by the same certificate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20230807/488fcc80/attachment.html>


More information about the Users mailing list