[OpenSIPS-Users] Stir Shaken: Failed to load certificate

Mickael Hubert mickael at winlux.fr
Tue May 30 08:34:01 UTC 2023


Thanks a lot, Wadii, for your answer.
I already use sqlcacher for all public keys, but for my private key, I want
to store it securely (maybe encrypt it, if I use a DB).
For your needs, you catch your private key with rest_client.so, right? In
France we get all keys thanks to the French state's central API, and this
API is protected by OAuth2 authentication, so I think I will use an external dev.
++


On Mon, 29 May 2023 at 17:01, Wadii ELMAJDI | Evenmedia <wadii at evenmedia.fr>
wrote:

> Hello Mickael
>
> If the goal is only to keep your key out of opensips plain sight, the
> simplest way is using the exec.so module: load the private key from a local
> file or an external data source with an external command, and then store it
> securely in the local cache for future stirshaken signing calls.
>
> You could also use the rest_client.so module and get your key/certificate
> from a secure external web service (my personal fav).
>
> Another option is the avpops module, to get your private key from a SQL
> database on demand (or sqlcacher to fully cache your table on script startup).
>
> In case you're considering using the avpops module with its default table,
> the value column can by default only hold 128 characters. For an RSA
> private key in PEM format, it can go up to 800 chars.
>
> Hope this helps.
>
>
>
> *From:* Users <users-bounces at lists.opensips.org> *On behalf of* Mickael
> Hubert
> *Sent:* Monday, 29 May 2023 14:55
> *To:* OpenSIPS users mailling list <users at lists.opensips.org>
> *Subject:* Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate
>
>
>
> Hi,
>
> Can you tell me what is the best way to load our private key, please?
>
> It would be great not to have it as clear text in OpenSIPS's configuration.
>
>
>
> thanks in advance
>
>
>
> On Mon, 21 Nov 2022 at 13:39, ryan embgrets <rembgrets at gmail.com>
> wrote:
>
> That was it.
>
>
>
> Working flawlessly. Thanks Vlad Patrascu
>
> Ryan
>
>
>
> On Mon, 21 Nov 2022 at 17:24, Vlad Patrascu <vladp at opensips.org> wrote:
>
> Hi Ryan,
>
> You have to provide to the stir_shaken_auth() function the actual
> content of the certificate file and not just the path. The same goes for
> the private key.
>
> Regards,
>
> --
> Vlad Patrascu
> OpenSIPS Core Developer
> http://www.opensips-solutions.com
>
> On 21.11.2022 14:02, ryan embgrets wrote:
> > Greetings
> >
> > I am trying to generate an Identity header by using the stir_shaken
> > module of the opensips.
> >
> > But I am encountering the below error each time upon call.
> >
> > Nov 21 11:15:20 local /usr/sbin/opensips[5051]:
> > ERROR:stir_shaken:w_stir_verify: Failed to load certificate
> > Nov 21 11:15:20 local /usr/sbin/opensips[5051]:
> > ERROR:stir_shaken:load_cert: Failed to parse certificate
> >
> > #Module section.
> > loadmodule "stir_shaken.so"
> >
> > route{
> >
> >       $var(cert) = "/etc/opensips/certs.pem";
> >       $var(privKey) = "/etc/opensips/key.pem";
> >       stir_shaken_auth("A", "", $var(cert), $var(privKey), "https://domain.org/cert.pem");
> > }
> >
> > Though the cert looks valid, has proper permission for the opensips to
> > access them and cross checked with openssl for the verification.
> >
> > Any pointer on what might be causing this?
> >
> > Ryan
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
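
A pre-flight check for the two failure modes raised in this thread (a file path passed where PEM content is expected, and a PEM value cut off by a 128-character column), as an added Python example that is not part of the original messages or of OpenSIPS. The function names and the dummy PEM data are constructed for illustration; it validates only the PEM armor and the outer DER length, not the key material itself.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s+(.*?)\s*-----END \1-----\s*\Z", re.S)

def der_sequence_complete(der: bytes) -> bool:
    """True if der is exactly one outer ASN.1 SEQUENCE of consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length, n bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify(value: str) -> str:
    """Classify a string about to be used as a cert or private-key argument."""
    text = value.strip()
    if not text.startswith("-----BEGIN "):
        return "path" if "/" in text and "\n" not in text else "not-pem"
    m = PEM_RE.match(text)
    if m is None:                          # BEGIN without matching END
        return "truncated-pem"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "corrupt-pem"
    if not der_sequence_complete(der):
        return "corrupt-pem"
    label = m.group(1)
    if label == "CERTIFICATE":
        return "certificate"
    return "private-key" if label.endswith("PRIVATE KEY") else "other-pem"

def make_sample_pem(label: str, payload_len: int = 600) -> str:
    """Constructed test data: dummy DER SEQUENCE in PEM armor, not a real key."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    key = make_sample_pem("PRIVATE KEY")
    for v in ("/etc/opensips/key.pem", key, key[:128]):  # 128 = column width from the thread
        print(len(v), classify(v))
```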