Re: [OpenSIPS-Users] stir shaken verification

2023-01-06 Thread Jonathan Abrams
IIRC, the issue you were having with the validation failures on CentOS 7
was related to a shared library. OpenSSL I think.

-Jon Abrams


On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek wrote:


Re: [OpenSIPS-Users] stir shaken verification

2023-01-06 Thread Marcin Groszek

Thank you for all your help.

My test opensips installation was on CentOS 7 and cert verification has 
been failing.


The certificates are verifying with the same opensips version 3.1.5 and the
same configuration on Oracle Linux 8.6.


Thank you again for all your answers and help.


On 1/5/2023 5:24 PM, Marcin Groszek wrote:


Yes it is, I sent it to xlog and it does.

On 1/5/2023 4:45 PM, David Villasmil wrote:

Is $var(cert) actually set? Print it out

On Thu, 5 Jan 2023 at 23:19, Marcin Groszek wrote:


Thank you very much. I have the same file, and verification is
still failing. Perhaps my config:


$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
    if ($rc < 0 || $var(http_rc) != 200) {
        send_reply(436, "Bad Identity Info");
        exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify("$var(cert)", $var(err_sip_code), $var(err_sip_reason));
if ($rc < 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code), $var(err_sip_reason)\n");
    send_reply($var(err_sip_code), $var(err_sip_reason));
    exit;
}


I figured this much:

$var(cert) is a public certificate downloaded from $identity(x5u);
if it does not exist in the local cache, it gets pulled and stored.

stir_shaken_check_cert("$var(cert)") is generating these errors:

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_check_cert: Failed to load certificate
(because the entry does not exist in local cachedb)

This forces the download of the public cert from $identity(x5u)
and stores it in local cachedb.

The second attempt does not generate these errors; however, calls
with a different Identity header and URL for the public cert should
generate the same errors again, as the public cert from the new URL
is not in local cachedb, but it is NOT generating the same error.

Also, I have minimized cache_store down to 1 second, and after that
a second call with the same $identity(x5u) should generate the same
errors, but it does not.

An example on the shaken-not-stirred page has:

rest_get( "$identity(x5u)", "$var(cert)",
 $var(ctype), $var(http_rc));

but this fails at start-up with the error ERROR:core:fix_cmd: Param
[2] expected to be a variable, so I removed the double quotes from
around $var(cert).



On 1/5/2023 1:18 PM, Joseph Jackson wrote:

Hi Marcin,

I suspect you are correct that it's how you are decoding the CA
cert file from iconectiv.

Attached is what we have currently, and it works in our
production environment.

If the mailing list strips out that attachment, let me know. You can
reach me directly at jjack...@aninetworks.net


Joseph


*From:* Users on behalf of Marcin Groszek
*Sent:* Thursday, January 5, 2023 10:16 AM
*To:* users@lists.opensips.org
*Subject:* Re: [OpenSIPS-Users] stir shaken verification

Joseph, thank you very much for your response.


I have downloaded and applied the new sti-ca file, but certificate
validation fails.

INFO:stir_shaken:verify_callback: certificate validation failed:
certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential


Perhaps I am not processing the sti-ca file properly.


I am testing this with a valid token; in fact, test calls are
coming from a major cellular carrier in the US, and the verification fails.

I can see curl download the public cert, store it in local
cache and then attempt to verify, but it fails.

Upon next call with same token, the public cert is pulled from
local cache and still fails.




On 1/4/2023 7:37 PM, Joseph Jackson wrote:

Hi Marcin,

We have a process that downloads the CA list from iconectiv
nightly, decodes the JWT and stores the certs in a single file
in /etc/ssl/sti-ca/sti-ca.pem

Here is the opensips modparam

#stir and shaken
loadmodule "stir_shaken.so"
modparam("stir_shaken", "verify_date_freshness", 300)
modparam("stir_shaken", "auth_date_freshness", 300)
modparam("stir_shaken", "e164_strict_mode", 0)
#list of root certs for stir / shaken verification
modparam("stir_shaken", "ca_list", "/etc/ssl/sti-ca/sti-ca.pem")

This is on opensips v3.1.11



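Joseph's nightly "download the CA list, decode the JWT, write one PEM file" step, as an added Python example that is neither OpenSIPS code nor his tooling. It assumes the list payload carries an "exp" claim and a "TrustedCertificates" array of PEM strings (the sample list below is constructed), and it leaves verification of the list JWT's own STI-PA signature to the caller.

```python
import base64, json, os, tempfile, time

# Assumed claim names for the list payload; check them against the real list.
EXP_CLAIM = "exp"
CERTS_CLAIM = "TrustedCertificates"

def b64url_decode(part):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def ca_list_from_jwt(token, now=None):
    """Return the PEM certificates carried in the list payload. The JWT's own
    signature (from the STI-PA) is not checked here; the nightly job must
    verify it before trusting the list."""
    segments = token.strip().split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = json.loads(b64url_decode(segments[1]))
    now = time.time() if now is None else now
    if EXP_CLAIM in payload and payload[EXP_CLAIM] < now:
        raise ValueError("CA list has expired; refusing to write a stale bundle")
    certs = []
    for pem in payload.get(CERTS_CLAIM, []):
        pem = pem.strip()
        if not (pem.startswith("-----BEGIN CERTIFICATE-----")
                and pem.endswith("-----END CERTIFICATE-----")):
            raise ValueError("list entry is not a PEM certificate block")
        if pem not in certs:  # drop duplicates, keep list order
            certs.append(pem)
    if not certs:
        raise ValueError("CA list carries no certificates")
    return certs

def write_bundle(certs, path):
    """Write the certs to one file atomically, so OpenSIPS never opens a
    half-written ca_list. Returns the number of certificates written."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(certs) + "\n")
    os.replace(tmp, path)
    return len(certs)

# Constructed sample list (not a real iconectiv list): two certs, one repeated.
_FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB{0}placeholder\n-----END CERTIFICATE-----"
_PAYLOAD = {"version": "1.0", EXP_CLAIM: 4102444800, CERTS_CLAIM: [
    _FAKE_PEM.format("A"), _FAKE_PEM.format("B"), _FAKE_PEM.format("A")]}
SAMPLE_JWT = ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in (
    b'{"alg":"ES256","typ":"JWT"}', json.dumps(_PAYLOAD).encode(), b"sig"))
```

Point write_bundle at the path given to modparam("stir_shaken", "ca_list", ...) and run it from the nightly job.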