Hi all,

Thanks Wadii for your help (in private ;) ). I developed a solution to check CRL in an external process (python script scheduled by AWX).

My python script (download only in memory, not on disk):

*For CA certificates:*
- Download CA and intermediate certs
- Download PA cert (PA cert is used to sign CRL)
- Download CA CRL
- Check if CA or intermediate cert are revoked
- I use ansible (AWX) to write CA and intermediate certs into opensips disk
- Ansible restarts opensips only if CA or intermediate cert change

*For provider certificate (BPCO):*
- Download provider certificates that are in tar.gz (only in memory)
- Uncompress tar.gz and create a dict with data (cert data, cert id, provider id)
- Download CRL for provider certificates
- Check all provider certificates signatures (not necessary, because opensips can do that for each call)
- Check if cert is revoked
- Extract metadata and add them to dict
- Ansible parses this dict and pushes each line in mysql cache DB (sql_cacher module)

Ex of dict:

{
  "126881e75888888": {
    "provider_code": "PROV00",
    "cert_data": "-----BEGIN CERTIFICATE-----.........\n-----END CERTIFICATE-----\n",
    "not_before": "20230815220000Z",
    "not_after": "20240814215959Z",
    "has_expired": false,
    "valid": false,
    "revoked": true,
    "revoked_date": "20230809151920Z"
  }
}

Thanks to that, when a call is processed by opensips, it gets in its cache the correct data; if revoked == true, force $rc = -7 (https://github.com/OpenSIPS/sipssert-opensips-tests/blob/1313d03b6ecd1972f9d2facf69116c418fb40399/stir-shaken/04.verify-200/stir_shaken_verify.cfg#L135) to send a correct error code (437 Unsupported Credential).

Maybe that can help my French VoIP provider friends ;)

Have a good day

On Mon, 7 Aug 2023 at 09:29, Wadii ELMAJDI | Evenmedia <wa...@evenmedia.fr> wrote:
> Hello
>
> I have run into a problem with the STIR/SHAKEN verification process.
>
> In the French implementation of StirShaken, the CRL of the operator
> certificates is signed with a certificate that is different from the one
> used to sign providers certificates.
> and in such case, OpenSSL does not allow in one command to validate the
> entire certification chain.
>
> Also, OPENSIPS stirshaken module's stir_shaken_verify function fails to
> validate providers certificate (with CRL Loaded)
>
> Error : certificate validation failed: unable to get certificate CRL
>
> For now, following the guidelines suggested by the French authority
> handling STIR/SHAKEN, we are planning to implement a two-step approach to
> check CRL before stir_shaken_verify kicks in (w/o CRL loaded)
>
> First, we verify the certification chain of the provider's certificate,
> plus making sure CA's certificates are not revoked. We do this using a
> command like:
>
> openssl verify -CAfile /etc/opensips/example_certs/ca_list.pem -untrusted /etc/opensips/example_certs/example_pa.pem -extended_crl -crl_check_all -CRLfile /etc/opensips/example_certs/crl_list.pem /etc/opensips/example_certs/ProviderCertificate.cer
>
> Where example_pa.pem is the certificate used to sign CRL of providers
> certificates, and crl_list : the concatenation of both providers and CA's
> CRLs in PEM format.
>
> The second step involves a separate check to verify if the provider's
> certificate is revoked :
>
> openssl crl -in /etc/opensips/example_certs/crl_list.pem -noout -text | grep $(openssl x509 -in /etc/opensips/example_certs/ProviderCertificate.cer -noout -serial | cut -d '=' -f 2)
>
> This will add an extra processing time due to a double certification
> validation (run by both openssl and stir_shaken_verify) + reading crls
> from disk.
>
> Given this situation, it would be highly beneficial if Opensips could
> accommodate cases where revocation lists are signed with a different
> certificate. This would not only simplify the verification process but also
> improve compatibility for similar future scenarios (like a complex
> certificate hierarchy)
>
> Suggestion :
>
> Consider adding an exported parameter, such as :
>
> modparam("stir_shaken", "crl_signing_certs", "/stir_certs/crl_signing_certs.pem")
>
> This parameter would allow users to specify a list of separate
> certificates used to sign the CRLs, in cases where the CRLs and the
> provider certificates are not signed by the same certificate.
> _______________________________________________
> Users mailing list
> Users@lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
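An added illustration of the in-memory check described in the thread (this is example code written for this page, not the poster's AWX script and not part of OpenSIPS). It uses the `cryptography` package to verify a provider certificate against the CA, verify the CRL signature against a separate PA certificate (the French layout Wadii describes, where the CRL signer differs from the certificate issuer), look the certificate's serial up in the CRL, and emit an entry in the same dict layout as the mail. Assumptions: the CA, PA and provider certificates are generated in memory so the code runs offline (a real job would download the PEM and CRL over HTTPS); `provider_code` is taken from the subject CN; and `valid` is defined here as "signature checks out, within its validity window, and not revoked".

```python
"""Added example: in-memory CRL revocation check where the CRL is signed by a
PA certificate that is not the CA which issued the provider certificate."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

TS = "%Y%m%d%H%M%SZ"  # same timestamp layout as the not_before/revoked_date values in the mail


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(cn, issuer_cn, key, signer_key, ca, now, days):
    # Constructed test certificate; signer_key belongs to issuer_cn.
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def _crl(issuer_cn, signer_key, revoked, now):
    # Constructed CRL listing (serial, revocation_date) pairs, signed by signer_key.
    b = (x509.CertificateRevocationListBuilder().issuer_name(_name(issuer_cn))
         .last_update(now).next_update(now + datetime.timedelta(days=1)))
    for serial, when in revoked:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(when).build())
    return b.sign(signer_key, hashes.SHA256())


def _utc(obj, attr):
    # cryptography >= 42 exposes aware *_utc attributes; older versions only the naive UTC one.
    v = getattr(obj, attr + "_utc", None)
    return v if v is not None else getattr(obj, attr).replace(tzinfo=datetime.timezone.utc)


def build_provider_entry(cert_pem, ca_pem, pa_pem, crl_pem, now=None):
    """Return {hex_serial: {...}} in the layout of the dict from the mail.
    CRL signature is checked against the PA cert (the CRL signer), the
    certificate signature against the CA that issued it."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    pa = x509.load_pem_x509_certificate(pa_pem)
    crl = x509.load_pem_x509_crl(crl_pem)
    # A CRL whose signature does not match the PA key must not be trusted at all.
    if not crl.is_signature_valid(pa.public_key()):
        raise ValueError("CRL is not signed by the PA certificate; refusing to use it")
    # A stale CRL gives no reliable answer about revocation either.
    if _utc(crl, "next_update") < now:
        raise ValueError("CRL is past its nextUpdate")
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))
        sig_ok = True
    except InvalidSignature:
        sig_ok = False
    nb, na = _utc(cert, "not_valid_before"), _utc(cert, "not_valid_after")
    has_expired = now > na
    in_window = nb <= now <= na
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    revoked = entry is not None
    return {format(cert.serial_number, "x"): {
        "provider_code": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "cert_data": cert.public_bytes(serialization.Encoding.PEM).decode(),
        "not_before": nb.strftime(TS), "not_after": na.strftime(TS),
        "has_expired": has_expired,
        "valid": sig_ok and in_window and not revoked,   # assumed definition of 'valid'
        "revoked": revoked,
        "revoked_date": _utc(entry, "revocation_date").strftime(TS) if revoked else None,
    }}


def demo():
    """Constructed PKI: the CA issues both provider certs and the PA cert; the PA
    key (not the CA key) signs the CRL, which revokes PROV00 and not PROV01."""
    now = datetime.datetime(2023, 8, 15, 22, 0, 0, tzinfo=datetime.timezone.utc)
    ca_key, pa_key, p1_key, p2_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    ca = _cert("Test CA", "Test CA", ca_key, ca_key, True, now, 3650)
    pa = _cert("Test PA", "Test CA", pa_key, ca_key, False, now, 3650)
    p1 = _cert("PROV00", "Test CA", p1_key, ca_key, False, now, 365)
    p2 = _cert("PROV01", "Test CA", p2_key, ca_key, False, now, 365)
    revoked_at = now + datetime.timedelta(days=2)
    crl = _crl("Test PA", pa_key, [(p1.serial_number, revoked_at)], revoked_at)

    def pem(obj):
        return obj.public_bytes(serialization.Encoding.PEM)

    check_time = revoked_at + datetime.timedelta(hours=1)
    return (build_provider_entry(pem(p1), pem(ca), pem(pa), pem(crl), check_time),
            build_provider_entry(pem(p2), pem(ca), pem(pa), pem(crl), check_time),
            crl.is_signature_valid(ca.public_key()))  # False: the CA did not sign this CRL


if __name__ == "__main__":
    revoked_entry, ok_entry, crl_ok_with_ca_key = demo()
    print(revoked_entry)
    print(ok_entry)
    print("CRL verifies with CA key:", crl_ok_with_ca_key)
```

The last value returned by `demo()` is the point of the thread: checking the CRL against the CA key fails, so a verifier that only knows the issuing CA cannot validate this CRL, while checking it against the PA key succeeds. Pushing the resulting dict into the sql_cacher table, as the mail describes, keeps the per-call path in OpenSIPS to a cache lookup.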