[OpenSIPS-Users] Stir Shaken: Failed to load certificate

Mickael Hubert mickael at winlux.fr
Tue May 30 13:31:23 UTC 2023


I found another way.
I already use Ansible to deploy all configurations (to be exact, I load a
specific route with the private key) because I like to split the configuration.
So I just added my private key to the configuration, but this key is encrypted
in the Ansible template.
Very simple ;)

man_private_key.cfg:
route[man_private_key]
{
    $avp(privKey) = "-----BEGIN EC PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAA........
-----END EC PRIVATE KEY-----";
}

routing.cfg:
route {
    route(man_private_key);
    ...
    route(stir_and_shaken);
    ...
}

stir_and_shaken.cfg:
...
$var(cert) = $sql_cached_value(man_certificates_cache:certificate:https://certs.example.org/public_am.pem);
stir_shaken_auth("$var(attest)", "blabla", "$var(cert)", "$avp(privKey)",
    "https://certs.example.org/public_am.pem", "$var(orig)", "$tU",
    "$var(identity_hdr)");
...

++

On Tue, 30 May 2023 at 10:34, Mickael Hubert <mickael at winlux.fr> wrote:

> Thanks a lot Wadii for your answer.
> I already use sqlcacher for all public keys, but for my private key, I
> want to store it securely (maybe encrypted, if I use a DB).
> For your needs, you fetch your private key with rest_client.so, right? In
> France we get all keys thanks to the French state's central API, and this
> API is protected by OAuth2 authentication, so I think I'll use an external dev.
> ++
>
>
> On Mon, 29 May 2023 at 17:01, Wadii ELMAJDI | Evenmedia <wadii at evenmedia.fr>
> wrote:
>
>> Hello Mickael
>>
>> If the goal is only to keep your key out of OpenSIPS' plain sight, the
>> simplest way is to use the exec.so module: load the private key from a local
>> file or an external data source with an external command, and then store it
>> securely in the local cache for future STIR/SHAKEN signing calls.
>>
>> You could also use the rest_client.so module and get your key/certificate
>> from a secure external web service (my personal fav).
>>
>> Another option is the avpops module to get your private key from an SQL
>> database on demand (or sqlcacher to fully cache your table at script startup).
>>
>> In case you're considering using the avpops module with its default
>> table, the value column can by default only hold 128 characters. For an RSA
>> private key in PEM format, it can go up to 800 chars.
>>
>> Hope this helps
>>
>>
>>
>> From: Users <users-bounces at lists.opensips.org> On behalf of Mickael
>> Hubert
>> Sent: Monday, 29 May 2023 14:55
>> To: OpenSIPS users mailing list <users at lists.opensips.org>
>> Subject: Re: [OpenSIPS-Users] Stir Shaken: Failed to load certificate
>>
>>
>>
>> Hi,
>>
>> Can you tell me what is the best way to load our private key, please?
>>
>> It would be great not to have it as clear text in
>> OpenSIPS's configuration.
>>
>> Thanks in advance
>>
>>
>>
>> On Mon, 21 Nov 2022 at 13:39, ryan embgrets <rembgrets at gmail.com>
>> wrote:
>>
>> That was it.
>>
>> Working flawlessly. Thanks Vlad Patrascu
>>
>> Ryan
>>
>>
>>
>> On Mon, 21 Nov 2022 at 17:24, Vlad Patrascu <vladp at opensips.org> wrote:
>>
>> Hi Ryan,
>>
>> You have to provide to the stir_shaken_auth() function the actual
>> content of the certificate file and not just the path. The same goes for
>> the private key.
>>
>> Regards,
>>
>> --
>> Vlad Patrascu
>> OpenSIPS Core Developer
>> http://www.opensips-solutions.com
>>
>> On 21.11.2022 14:02, ryan embgrets wrote:
>> > Greetings
>> >
>> > I am trying to generate an Identity header by using the stir_shaken
>> > module of the opensips.
>> >
>> > But I am encountering the below error each time upon call.
>> >
>> > Nov 21 11:15:20 local /usr/sbin/opensips[5051]:
>> > ERROR:stir_shaken:w_stir_verify: Failed to load certificate
>> > Nov 21 11:15:20 local /usr/sbin/opensips[5051]:
>> > ERROR:stir_shaken:load_cert: Failed to parse certificate
>> >
>> > #Module section.
>> > loadmodule "stir_shaken.so"
>> >
>> > route {
>> >     $var(cert) = "/etc/opensips/certs.pem";
>> >     $var(privKey) = "/etc/opensips/key.pem";
>> >     stir_shaken_auth("A", "", $var(cert), $var(privKey),
>> >         "https://domain.org/cert.pem");
>> > }
>> >
>> > Though the cert looks valid, has proper permission for the opensips to
>> > access them and cross checked with openssl for the verification.
>> >
>> > Any pointer on what might be causing this?
>> >
>> > Ryan
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
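The two practical points of this thread, Vlad's that stir_shaken_auth() needs the PEM content rather than a file path, and Wadii's suggestion to load that content with exec.so and keep it in the local cache so it never sits in the static configuration, combined into one script fragment. This is an added example and not code from Mickael, Wadii, Vlad or the OpenSIPS project; it assumes OpenSIPS 3.x script syntax, the exec(command, input, output) argument order of the exec module, cachedb_local registered as the "local" backend, xlog() available as a core function, and placeholder helper scripts and x5u URL.

```cfg
# Added example (not from the thread or the OpenSIPS project).
# Goal: hand stir_shaken_auth() the PEM *content* of cert and key while
# keeping that content out of this file.
# Assumptions: OpenSIPS 3.x syntax; exec(command, input, output) argument
# order; cachedb_local as the "local" backend; xlog() in core (on 2.x load
# xlog.so); /usr/local/bin/stir-get-*.sh and the x5u URL are placeholders.

loadmodule "exec.so"
loadmodule "cachedb_local.so"
loadmodule "stir_shaken.so"

modparam("cachedb_local", "cachedb_url", "local://")

startup_route {
    # The helper scripts are placeholders that print the PEM text to stdout
    # (read from a root-only file, a secrets manager, ...). Only the command
    # name lives in this file; the key material ends up in $var(privKey).
    exec("/usr/local/bin/stir-get-key.sh", , $var(privKey));
    exec("/usr/local/bin/stir-get-cert.sh", , $var(cert));

    # Sanity check before caching: a path such as "/etc/opensips/key.pem"
    # fails this test, which is the mistake behind
    # "load_cert: Failed to parse certificate" earlier in the thread.
    if (!($var(privKey) =~ "BEGIN .*PRIVATE KEY") ||
        !($var(cert) =~ "BEGIN CERTIFICATE")) {
        xlog("L_CRIT", "STIR/SHAKEN: key/cert did not load as PEM text, signing disabled\n");
    } else {
        cache_store("local", "stir_priv_key", "$var(privKey)");
        cache_store("local", "stir_cert", "$var(cert)");
    }
}

route {
    if (is_method("INVITE") && !has_totag()) {
        if (!cache_fetch("local", "stir_priv_key", $var(privKey)) ||
            !cache_fetch("local", "stir_cert", $var(cert))) {
            # Fail closed on signing, not on the call: the INVITE still
            # goes out, just without an Identity header.
            xlog("L_ERR", "STIR/SHAKEN: no key/cert in cache, not signing $ci\n");
        } else {
            # cert and pkey are the PEM strings themselves; x5u is the public
            # URL where the same certificate is published. With no output
            # variable the module adds the Identity header itself, as in
            # Ryan's working call. "$ci" as origid is a placeholder choice.
            stir_shaken_auth("A", "$ci", $var(cert), $var(privKey),
                "https://certs.example.org/public_am.pem");
        }
    }
    # continue with normal routing here (e.g. t_relay() from the tm module)
}
```

The regex check is cheap insurance against the path-versus-content confusion: it runs once at startup, and a misconfiguration shows up as a single L_CRIT line rather than a "Failed to load certificate" error on every call.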