Hello

I have run into a problem with the STIR/SHAKEN verification process.
In the French implementation of STIR/SHAKEN, the CRL of the operator 
certificates is signed with a certificate that is different from the one used 
to sign the providers' certificates, and in such a case OpenSSL does not allow 
validating the entire certification chain in one command.

Also, the OpenSIPS stir_shaken module's stir_shaken_verify function fails to 
validate the provider's certificate (with the CRL loaded):

Error: certificate validation failed: unable to get certificate CRL

For now, following the guidelines suggested by the French authority handling 
STIR/SHAKEN, we are planning to implement a two-step approach to check the CRL 
before stir_shaken_verify kicks in (without a CRL loaded).
First, we verify the certification chain of the provider's certificate and 
make sure the CAs' certificates are not revoked. We do this using a command like:

openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem \
    -untrusted /etc/opensips/example_certs/example_pa.pem \
    -extended_crl -crl_check_all \
    -CRLfile /etc/opensips/example_certs/crl_list.pem \
    /etc/opensips/example_certs/ProviderCertificate.cer

Where example_pa.pem is the certificate used to sign the CRL of the providers' 
certificates, and crl_list.pem is the concatenation of both the providers' and 
the CAs' CRLs in PEM format.
The second step involves a separate check to verify whether the provider's 
certificate is revoked:

openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text | \
    grep "$(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer \
        -noout -serial | cut -d '=' -f 2)"

This will add extra processing time due to a double certificate validation 
(run by both openssl and stir_shaken_verify) plus reading the CRLs from disk.

Given this situation, it would be highly beneficial if OpenSIPS could 
accommodate cases where revocation lists are signed with a different 
certificate. This would not only simplify the verification process but also 
improve compatibility for similar future scenarios (like a complex certificate 
hierarchy).

Suggestion:

Consider adding an exported parameter, such as:
modparam("stir_shaken", "crl_signing_certs", 
"/stir_certs/crl_signing_certs.pem")

This parameter would allow users to specify a list of separate certificates 
used to sign the CRLs, in cases where the CRLs and the provider certificates 
are not signed by the same certificate.
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
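The two-step check described in the post, written out as an added example (not code from the post, the French authority or OpenSIPS). It reuses the post's example paths, which are assumptions here and can be overridden through the environment; because "openssl crl -in" reads only the first CRL of a concatenated file, the revocation step splits the bundle and checks each CRL on its own, after confirming that the CRL was signed by the CRL-signing certificate.

```shell
#!/bin/sh
# Added example, not from the post or OpenSIPS. Paths mirror the post's layout
# (assumed) and can be overridden through the environment.
set -e
CA_LIST=${CA_LIST:-/etc/opensips/example_certs/ca_list.pem}
CRL_SIGNER=${CRL_SIGNER:-/etc/opensips/example_certs/example_pa.pem}
CRL_BUNDLE=${CRL_BUNDLE:-/etc/opensips/example_certs/crl_list.pem}

# Hex serial of a certificate, as "openssl x509 -serial" prints it after '='.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d '=' -f 2
}

# Split a concatenated PEM CRL bundle into $2/crl-N.pem and print the count.
# "openssl crl -in" only reads the first CRL of a bundle, hence the split.
split_crls() {
    awk -v dir="$2" '
        /-----BEGIN X509 CRL-----/ { n++; out = dir "/crl-" n ".pem" }
        n { print > out }
        /-----END X509 CRL-----/ { close(out) }' "$1"
    ls "$2"/crl-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Step 1: chain check with CRL checking for the CA certificates. The CRL
# signer is passed via -untrusted so openssl can locate the CRL's issuer.
verify_chain() {
    openssl verify -CAfile "$CA_LIST" -untrusted "$CRL_SIGNER" \
        -extended_crl -crl_check_all -CRLfile "$CRL_BUNDLE" "$1"
}

# Does "openssl crl -text" output (on stdin) list hex serial $1 as revoked?
crl_text_lists_serial() {
    grep -qi "^ *Serial Number: $1\$"
}

# Step 2: is the provider certificate's serial on any CRL in the bundle whose
# signature verifies against the CRL-signing certificate? Returns 0 if revoked.
provider_revoked() {
    serial=$(cert_serial "$1"); tmp=$(mktemp -d); revoked=1
    split_crls "$CRL_BUNDLE" "$tmp" >/dev/null
    for crl in "$tmp"/crl-*.pem; do
        # Skip CRLs not signed by the expected signer (verdict goes to stderr).
        openssl crl -in "$crl" -CAfile "$CRL_SIGNER" -noout 2>&1 |
            grep -q 'verify OK' || continue
        if openssl crl -in "$crl" -noout -text | crl_text_lists_serial "$serial"; then
            revoked=0; break
        fi
    done
    rm -rf "$tmp"; return $revoked
}
```

A caller runs `verify_chain ProviderCertificate.cer && ! provider_revoked ProviderCertificate.cer` and treats any non-zero status as a failed verification.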