Hello Devang,
The cache_fetch() function returns -2 when the key is not found, so it's
normal when getting the certificate the first time.
STIR/SHAKEN requires that the certificates have the TnAuthList
extension. You can check out some examples on how to generate such
certificates in this document [1] at Appendix A or this script [2].
[1]
https://cstga.ca/wp-content/uploads/2020/07/ATIS-1000080.v002_SHAKEN-Governance-Model.pdf
[2]
https://github.com/OpenSIPIt/OpenSIPIt_00/blob/master/STIR_SHAKEN/Certgen/gencert.sh
Regards,
--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com
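
As an added illustration (not code from this thread, from OpenSIPS or from the linked script): the TnAuthList extension mentioned in the reply is the RFC 8226 TNAuthorizationList, carried under OID 1.3.6.1.5.5.7.1.26. The Python sketch below DER-encodes a list of service provider codes, renders it as an OpenSSL arbitrary-extension config line, and decodes it back for checking; the function names and the SPC "1234" are constructed for the example.

```python
TN_AUTH_LIST_OID = "1.3.6.1.5.5.7.1.26"  # id-pe-TNAuthList (RFC 8226)

def _tlv(tag, body):
    """Build one DER tag-length-value, short or long length form."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_tn_auth_list(spcs):
    """SEQUENCE OF TNEntry, each using the spc [0] EXPLICIT IA5String choice."""
    entries = b"".join(_tlv(0xA0, _tlv(0x16, s.encode("ascii"))) for s in spcs)
    return _tlv(0x30, entries)

def openssl_ext_line(spcs):
    """Line for an OpenSSL extensions section: OID=DER:hex:bytes."""
    der = encode_tn_auth_list(spcs)
    return TN_AUTH_LIST_OID + "=DER:" + ":".join(f"{b:02x}" for b in der)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + n], pos + n

def decode_spcs(der):
    """Extract SPC strings from a TNAuthorizationList extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single DER SEQUENCE")
    spcs, pos = [], 0
    while pos < len(body):
        tag, entry, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # spc; [1] range and [2] single-number entries are skipped
            inner_tag, value, _ = _read_tlv(entry, 0)
            if inner_tag != 0x16:
                raise ValueError("spc entry is not an IA5String")
            spcs.append(value.decode("ascii"))
    return spcs

if __name__ == "__main__":
    print(openssl_ext_line(["1234"]))  # constructed sample SPC
```
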
On 22.11.2021 14:41, Devang Dhandhalya wrote:
Hello Vlad
Authentication service works fine. Now I am getting an error in the
stir_shaken_verify function; after fetching a certificate, I am
getting the below error. I generated private keys and X509 certificates
using "prime256v1" EC.
After fetching the certificate I am getting var(found) = -2; can you
please tell me about this too?
OpenSIPS logs:
var(found) = [-2]
INFO:stir_shaken:validate_certificate: The certificate is missing the TnAuthList extension
INFO:stir_shaken:w_stir_verify: Invalid certificate
return code : [-8] stir_shaken_verify() failed:437, Unsupported Credential
Below is the OpenSIPS script snippet:
    $var(found) = cache_fetch("local", $identity(x5u), $var(cert));
    if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
        rest_get("$identity(x5u)", $var(cert), $var(ctype), $var(http_rc));
        if ($rc < 0) {
            send_reply(436, "Bad Identity Info");
            exit;
        }
        cache_store("local", $identity(x5u), "$var(cert)");
    }
    $var(rc_verify) = stir_shaken_verify($var(cert),
        $var(err_sip_code), $var(err_sip_reason), "$var(orig)", "$var(dest)");
    if ($var(rc_verify) < 0) {
        send_reply($var(err_sip_code), $var(err_sip_reason));
        exit;
    }
Kindly inform me why I am getting this error. Please suggest a
solution to this.
Regards
Devang Dhandhalya
On Fri, Nov 19, 2021 at 3:16 PM Devang Dhandhalya
<devang.dhandha...@ecosmob.com> wrote:
Hello Vlad
Thanks for your response. Authentication service works.
Regards,
Devang Dhandhalya
On Wed, Nov 17, 2021 at 8:57 PM Devang Dhandhalya
<devang.dhandha...@ecosmob.com> wrote:
Hello all
I am still getting the above E.164 error. Right now I'm getting the below error.
Can anyone tell me why I am getting this error? As far as I know this
error is for the x5u parameter in the stir_shaken_auth function; this issue comes
from the certificate path or certificate file format.
I checked the certificate file with .der and .cer format also.
Here is the code snippet used:
    $var(rc_auth) = stir_shaken_auth("A", "GWID-123456", "$var(cert)",
        "$var(pkey)", "http://localhost/certificate.pem",
        "$var(orig)", "$var(dest)");
Below is the error I am getting:
ERROR:stir_shaken:add_identity_hf: Failed to convert from DER to
internal format
ERROR:stir_shaken:w_stir_auth: Failed to add Identity header
STIR_SHAKEN AUTHENTICATION SERVICE return code : -1
Kindly let me know if there is something wrong that I could be
doing.
Many Thanks
Devang Dhandhalya
On Wed, Nov 17, 2021 at 11:37 AM Devang Dhandhalya
<devang.dhandha...@ecosmob.com> wrote:
Hi All
I configured the e164 strict mode module parameter as 0
(disabled), but I am still getting errors related to the
e164 format. Even if the orig/dest number is not in e164
format, opensips has to accept it, but it is not
accepting it. I have a user like extension123; for this
user I have to perform the authentication service. If I
have a user extension123, is it possible to perform the
authentication service for this kind of user?
I think this is a bug in the e164 strict mode module
parameter. I am getting the below error.
opensips version: 3.2.2
ERROR:
ERROR:stir_shaken:check_passport_phonenum: number is not
in E.164 format: extension123
ERROR:stir_shaken:w_stir_auth: failed to validate
Originator number (extension123)
    loadmodule "stir_shaken.so"
    modparam("stir_shaken", "auth_date_freshness", 300)
    modparam("stir_shaken", "verify_date_freshness", 300)
    modparam("stir_shaken", "require_date_hdr", 0)
    modparam("stir_shaken", "e164_strict_mode", 0)

    $var(orig) = $fU;
    $var(dest) = $tU;
    $var(rc_auth) = stir_shaken_auth("A", "GWID-123456", "$var(cert)",
        "$var(pkey)", "http://localhost/certificate.pem",
        "$var(orig)", "$var(dest)");
Please suggest a solution to this.
Many Thanks
Devang