<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>The lib and module are rather fresh, they improve base on
      feedback.</p>
    <p>The latest version of the lib should return different codes in
      case of failures, being propagated by the functions in the
      kamailio config. The codes can be found at:</p>
    <p>  *
      <a class="moz-txt-link-freetext" href="https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32">https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32</a></p>
    <p>If you have time, try it and report if works as expected.</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <div class="moz-cite-prefix">On 31.05.21 17:35, David Villasmil
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAFGRPVq871yfndHaQn6Ejq7P0T0VkYokg+nHvwjoji9LJPvcaQ@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Yep, It's working with 1.16.4
        <div>So the problem was with the pem ownership.</div>
        <div>It's a pity secsipid.so doesn't return an access denied
          error.</div>
        <div><br>
        </div>
        <div>CLI doesn return an error:</div>
        <div><br>
        </div>
        <div>error: Unable to read private key file: open
          /etc/kamailio/ec256-private.pem: permission denied</div>
        <div><br clear="all">
          <div>
            <div dir="ltr" class="gmail_signature"
              data-smartmail="gmail_signature">
              <div dir="ltr">
                <div>Regards,</div>
                <div><br>
                </div>
                David Villasmil
                <div>email: <a
                    href="mailto:david.villasmil.work@gmail.com"
                    target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
                <div>phone: +34669448337</div>
              </div>
            </div>
          </div>
          <br>
        </div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at 4:26
          PM David Villasmil <<a
            href="mailto:david.villasmil.work@gmail.com"
            moz-do-not-send="true">david.villasmil.work@gmail.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px
          0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">Daniel,
            <div><br>
            </div>
            <div>Ok, i downloaded and installed 1.11.6 just like yours
              and recompiled, etc.</div>
            <div>I also changed the owner of the pem file, which was
              owned by root, and not by the user kamailio.</div>
            <div><br>
            </div>
            <div>Now it's working.</div>
            <div><br>
            </div>
            <div>d9655} <script>:
              [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655]
              secsipid_add_identity('493044448888', '493055559999', 'A',
              '', '<a href="http://asipto.lab/stir/cert.pem"
                target="_blank" moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>',
              '/etc/kamailio/ec256-private.pem')<br>
              May 31 15:24:08 ip-10-231-32-237
              /usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1
              36683532 INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655}
              secsipid [secsipid_mod.c:333]: ki_secsipid_add_identity():
              appending identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<<a
                href="http://asipto.lab/stir/cert.pem" target="_blank"
                moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>>;alg=ES256;ppt=shaken<br>
            </div>
            <div><br>
            </div>
            <div>But now i¡m left wondering whether it was the ownership
              of the file or the version.</div>
            <div><br>
            </div>
            <div>So i will install again the latest and see what
              happens.</div>
            <div><br>
            </div>
            <div><br clear="all">
              <div>
                <div dir="ltr">
                  <div dir="ltr">
                    <div>Regards,</div>
                    <div><br>
                    </div>
                    David Villasmil
                    <div>email: <a
                        href="mailto:david.villasmil.work@gmail.com"
                        target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
                    <div>phone: +34669448337</div>
                  </div>
                </div>
              </div>
              <br>
            </div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr" class="gmail_attr">On Mon, May 31, 2021 at
              2:19 PM David Villasmil <<a
                href="mailto:david.villasmil.work@gmail.com"
                target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div dir="ltr">Hello Daniel,
                <div><br>
                </div>
                <div>Thanks for looking into this:</div>
                <div><br>
                </div>
                <div># go version<br>
                  go version go1.16.4 linux/amd64</div>
                <div><br>
                  # openssl version<br>
                  OpenSSL 1.1.1d  10 Sep 2019<br>
                  root@sip-stir1:/home/admin#<br>
                </div>
                <div>i can try getting the same go version and see what
                  happens.</div>
                <div><br clear="all">
                  <div>
                    <div dir="ltr">
                      <div dir="ltr">
                        <div>Regards,</div>
                        <div><br>
                        </div>
                        David Villasmil
                        <div>email: <a
                            href="mailto:david.villasmil.work@gmail.com"
                            target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
                        <div>phone: +34669448337</div>
                      </div>
                    </div>
                  </div>
                  <br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Mon, May 31, 2021
                  at 2:15 PM Daniel-Constantin Mierla <<a
                    href="mailto:miconda@gmail.com" target="_blank"
                    moz-do-not-send="true">miconda@gmail.com</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div>
                    <p>Hello,</p>
                    <p>what are your operating system, golang and
                      openssl versions?</p>
                    <p>I tried on Debian stable and I get the Identity
                      header, see next:<br>
                    </p>
                    <p>OPTIONS <a moz-do-not-send="true">sip:alice@127.0.0.1</a>
                      SIP/2.0<br>
                      Via: SIP/2.0/UDP
                      127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0<br>
                      Via: SIP/2.0/UDP
127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias<br>
                      From: <a moz-do-not-send="true">sip:sipsak@127.0.1.1:52897;tag=219ec22d</a><br>
                      To: <a moz-do-not-send="true">sip:alice@127.0.0.1</a><br>
                      Call-ID: <a href="mailto:564052525@127.0.1.1"
                        target="_blank" moz-do-not-send="true">564052525@127.0.1.1</a><br>
                      CSeq: 1 OPTIONS<br>
                      Contact: <a moz-do-not-send="true">sip:sipsak@127.0.1.1:52897</a><br>
                      Content-Length: 0<br>
                      Max-Forwards: 69<br>
                      User-Agent: sipsak 0.9.7pre<br>
                      Accept: text/plain<br>
                      Identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<a
                        href="https://asipto.lab/stir/cert.pem"
                        target="_blank" moz-do-not-send="true"><https://asipto.lab/stir/cert.pem></a>;alg=ES256;ppt=shaken<br>
                    </p>
                    <p>The OPTIONS was generated with: sipsak -s <a
                        moz-do-not-send="true">sip:alice@127.0.0.1</a><br>
                    </p>
                    <p>In kamaili.cfg I have:</p>
                    <p>   if(is_method("OPTIONS|INVITE")) {<br>
                                secsipid_add_identity("493044448888",
                      "493055559999", "A", "",<br>
                                        <a
                        href="https://asipto.lab/stir/cert.pem"
                        target="_blank" moz-do-not-send="true">"https://asipto.lab/stir/cert.pem"</a>,<br>
                                        "/tmp/ec256-private.pem");<br>
                    </p>
                    <p>Versions:<br>
                    </p>
                    <p>$ go version<br>
                      go version go1.11.6 linux/amd64</p>
                    <p>$ openssl version<br>
                      OpenSSL 1.1.1d  10 Sep 2019</p>
                    <p>Cheers,<br>
                      Daniel<br>
                    </p>
                    <div>On 28.05.21 13:05, Daniel-Constantin Mierla
                      wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <p>I will try to reproduce when I get the first
                        chance these days, maybe I broke something while
                        I worked to propagate different return codes for
                        error cases.</p>
                      <p>One more question for now: are you using the
                        latest libsecsipid, build from the master/main
                        branch of the secsipidx project?</p>
                      <p>Cheers,<br>
                        Daniel<br>
                      </p>
                      <div>On 28.05.21 10:27, David Villasmil wrote:<br>
                      </div>
                      <blockquote type="cite">
                        <div>Correct.</div>
                        <div dir="auto">That’s a log with debug 3,
                          absolutely nothing is coming out. :(</div>
                        <div dir="auto"><br>
                        </div>
                        <div dir="auto"><br>
                        </div>
                        <div><br>
                          <div class="gmail_quote">
                            <div dir="ltr" class="gmail_attr">On Thu, 27
                              May 2021 at 20:54, Daniel-Constantin
                              Mierla <<a
                                href="mailto:miconda@gmail.com"
                                target="_blank" moz-do-not-send="true">miconda@gmail.com</a>>
                              wrote:<br>
                            </div>
                            <blockquote class="gmail_quote"
                              style="margin:0px 0px 0px
                              0.8ex;border-left:1px solid
                              rgb(204,204,204);padding-left:1ex">
                              <div>
                                <p>Same logs like with before with
                                  previous certificate? Can you attach
                                  log messages with debug=3?<br>
                                </p>
                                <p>Cheers,<br>
                                  Daniel<br>
                                </p>
                              </div>
                              <div>
                                <div>On 27.05.21 20:13, David Villasmil
                                  wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Yep i just tried that
                                    :)
                                    <div><br>
                                    </div>
                                    <div>I don't get an error on the
                                      CLI:</div>
                                    <div><br>
                                    </div>
                                    <div><font face="monospace">#
                                        secsipidx -sign-full -orig-tn
                                        493044448888 -dest-tn
                                        493055559999 -attest A -x5u <a
href="http://asipto.lab/stir/cert.pem" target="_blank"
                                          moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>
                                        -k ec256-private.pem<br>
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<<a
href="http://asipto.lab/stir/cert.pem" target="_blank"
                                          moz-do-not-send="true">http://asipto.lab/stir/cert.pem</a>>;alg=ES256;ppt=shaken</font><br>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>But still failing in
                                      kamailio...</div>
                                    <div><br clear="all">
                                      <div>
                                        <div dir="ltr">
                                          <div dir="ltr">
                                            <div>Regards,</div>
                                            <div><br>
                                            </div>
                                            David Villasmil
                                            <div>email: <a
                                                href="mailto:david.villasmil.work@gmail.com"
                                                target="_blank"
                                                moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
                                            <div>phone: +34669448337</div>
                                          </div>
                                        </div>
                                      </div>
                                      <br>
                                    </div>
                                  </div>
                                  <br>
                                  <div class="gmail_quote">
                                    <div dir="ltr" class="gmail_attr">On
                                      Thu, May 27, 2021 at 7:09 PM
                                      Daniel-Constantin Mierla <<a
                                        href="mailto:miconda@gmail.com"
                                        target="_blank"
                                        moz-do-not-send="true">miconda@gmail.com</a>>
                                      wrote:<br>
                                    </div>
                                    <blockquote class="gmail_quote"
                                      style="margin:0px 0px 0px
                                      0.8ex;border-left:1px solid
                                      rgb(204,204,204);padding-left:1ex">
                                      <div>
                                        <p>Hello,</p>
                                        <div>On 27.05.21 19:58, David
                                          Villasmil wrote:<br>
                                        </div>
                                        <blockquote type="cite">
                                          <div dir="ltr">
                                            <div>Hello guys,<br>
                                            </div>
                                            <div><br>
                                            </div>
                                            <div>I want to test
                                              secsipid, but i don't yet
                                              have the certificate. So i
                                              thought i'd create a cert
                                              like:</div>
                                            <div><br>
                                            </div>
                                            <div>openssl req -new
                                              -newkey rsa:4096 -nodes
                                              -keyout snakeoil.key -out
                                              snakeoil.csr<br>
                                              openssl x509 -req -sha256
                                              -days 365 -in snakeoil.csr
                                              -signkey snakeoil.key -out
                                              snakeoil.pem<br>
                                            </div>
                                            <div><br>
                                            </div>
                                            <div>Then i'm simply doing:</div>
                                            <div><br>
                                            </div>
                                            <div><font face="monospace">$var(rc)
                                                =
                                                secsipid_add_identity("$fU",
                                                "$rU", "A", "", "<a
                                                  href="https://kamailio.org/stir/$rd/cert.pem"
                                                  target="_blank"
                                                  moz-do-not-send="true">https://somedomain.com/stir/$rd/cert.pem</a>",
"/etc/kamailio/snakeoil.pem");<br>
                                                if ( $var(rc) ) {<br>
                                                    xlog("L_ERR",
                                                "[STIR/SHAKEN][$ci]
                                                Shaken authentication
                                                added (SIP Identity
                                                Header created)\n");<br>
                                                } else {<br>
                                                    xlog("L_ERR",
                                                "[STIR/SHAKEN][$ci]
                                                Failed\n");<br>
                                                }</font><br>
                                            </div>
                                            <div><br>
                                            </div>
                                            <div>But no matter what i do
                                              it silently fails:</div>
                                            <div><br>
                                            </div>
                                            <div><font face="monospace">INVITE
d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>:
                                                [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d]
                                                Failed</font><br>
                                            </div>
                                            <div><br>
                                            </div>
                                            <div>I have debug on 6, but
                                              i don't get more info
                                              regarding the error.</div>
                                            <div><br>
                                            </div>
                                            <div>Any ideas?</div>
                                          </div>
                                        </blockquote>
                                        <p>based on the specs, it should
                                          not be the usual ssl/tls
                                          certificate, try to generate
                                          them using the guidelines at:</p>
                                        <p>  * <a
                                            href="https://github.com/asipto/secsipidx#keys-generation"
                                            target="_blank"
                                            moz-do-not-send="true">https://github.com/asipto/secsipidx#keys-generation</a></p>
                                        <p>Cheers,<br>
                                          Daniel<br>
                                        </p>
                                        <pre cols="72">-- 
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
                                      </div>
                                    </blockquote>
                                  </div>
                                </blockquote>
                                <pre cols="72">-- 
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                        -- <br>
                        <div dir="ltr">
                          <div dir="ltr">
                            <div>Regards,</div>
                            <div><br>
                            </div>
                            David Villasmil
                            <div>email: <a
                                href="mailto:david.villasmil.work@gmail.com"
                                target="_blank" moz-do-not-send="true">david.villasmil.work@gmail.com</a></div>
                            <div>phone: +34669448337</div>
                          </div>
                        </div>
                      </blockquote>
                      <pre cols="72">-- 
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
                    </blockquote>
                    <pre cols="72">-- 
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * <a href="https://www.asipto.com/sw/kamailio-advanced-training-online/" target="_blank" moz-do-not-send="true">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * <a class="moz-txt-link-freetext" href="https://www.asipto.com/sw/kamailio-advanced-training-online/">https://www.asipto.com/sw/kamailio-advanced-training-online/</a></pre>
  </body>
</html>