<div dir="auto">For verification, I think a quick solution would be to export a new function from the module to be able to check an identity from a string instead of automatically checking the “Identity” header. </div><div dir="auto"><br></div><div dir="auto">This way the script writer can use the current check_identity to verify the header itself, then after unpacking the JWT, using the new check_identity_str passing the JWT that should be included in the outer JWT if the DIV header is present.</div><div dir="auto"><br></div><div dir="auto">The script writer can then do all the checks he/she needs using jansson.</div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 14 Jun 2021 at 09:20, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com">miconda@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>It is not implemented in the C code of Kamailio's module, but
libsecsipid offers a function to sign any payload and headers json
documents, pasting from its API:</p>
<p><br>
</p>
<p>// SecSIPIDSignJSONHP --<br>
// * sign the JSON header and payload with provided private key<br>
// * headerJSON - header part in JSON format (0-terminated
string)<br>
// * payloadJSON - payload part in JSON format (0-terminated
string)<br>
// * prvkeyPath - path to private key to be used to generate the
signature<br>
// * outPtr - to be set to the pointer containing the output (it
is a<br>
// 0-terminated string); the `*outPtr` must be freed after use<br>
// * return: the length of `*outPtr`<br>
extern int SecSIPIDSignJSONHP(char* headerJSON, char* payloadJSON,
char* prvkeyPath, char** outPtr);<br>
</p>
<p><br>
</p>
<p>Meaning that one can build the headers and payload json documents
as they want in the config with script operations and get it back
encoded and with signature. This function can be easily exported
to kamailio.cfg. Obviously, adding additional code to simplify
usage in kamailio.cfg for this particular case would be probably
better, but requires more C (to Kamailio) or Go (to libsecsipid)
coding. If someone wants to do it, he/she is more than welcome.
Personally I do not have an immediate need for this extension;
with other higher priority tasks, it's not something I can
allocate spare time for.<br>
</p>
<p><br>
</p>
<p>Moreover, one can do an alternative implementation in Lua or
Python, using KEMI or inline execution via app_lua or app_python3.
I remember people saying they did it (in Lua, iirc) before we had
any dedicated kamailio module.</p>
<p><br>
</p>
<p>Cheers,<br>
Daniel<br>
</p></div><div>
<p><br>
</p>
<p><br>
</p>
<div>On 09.06.21 16:30, Steven Wheeler
wrote:<br>
</div>
<blockquote type="cite">
<div id="m_-8767440143870283281divtagdefaultwrapper" dir="ltr">
<p>I believe that David's interpretation is correct. My
understanding of the standard is that it allows carriers which
are diverting a call (call forwarding, simultaneous ringing,
etc.) on behalf of one of their customers to provide the
original attestation they received as well as information
about where the call is being diverted to.</p>
<p><br>
</p>
<p>I'm no expert in STIR/SHAKEN, but my understanding is that
this proposal adds two options to handle diversions. The first
is a "div" passport which is added as an additional Identity
header to the outgoing SIP message. The second is a "div-o"
passport which includes the original Identity header within
its value and replaces the original Identity header in the
outgoing SIP message.</p>
<p><br>
</p>
<div id="m_-8767440143870283281Signature">
<div id="m_-8767440143870283281divtagdefaultwrapper">
<div style="font-size:15px;margin:0px;color:rgb(33,33,33)"><font size="2" face="Calibri,sans-serif" style="font-family:Calibri,sans-serif;color:rgb(33,33,33)"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font face="Moderat" style="font-family:Moderat;color:rgb(244,121,60)"><b style="font-family:Moderat">Steven Wheeler</b></font></span></font></div>
<div style="font-size:15px;margin:0px;color:rgb(33,33,33)"><br>
</div>
</div>
</div>
<div style="color:rgb(0,0,0)">
<hr style="display:inline-block;width:98%">
<div id="m_-8767440143870283281divRplyFwdMsg" dir="ltr"><font style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(0,0,0)" face="Calibri, sans-serif"><b style="font-family:Calibri,sans-serif">From:</b>
David Villasmil <a href="mailto:david.villasmil.work@gmail.com" target="_blank" style="font-family:Calibri,sans-serif"><david.villasmil.work@gmail.com></a><br>
<b style="font-family:Calibri,sans-serif">Sent:</b> Wednesday, June 9, 2021 6:50 AM<br>
<b style="font-family:Calibri,sans-serif">To:</b> Kamailio (SER) - Users Mailing List;
<a href="mailto:miconda@gmail.com" target="_blank" style="font-family:Calibri,sans-serif">miconda@gmail.com</a><br>
<b style="font-family:Calibri,sans-serif">Cc:</b> Steven Wheeler<br>
<b style="font-family:Calibri,sans-serif">Subject:</b> Re: [SR-Users] ATIS-1000085 STIR/SHAKEN
DIV PASSporT</font>
<div> </div>
</div>
<div>
<div dir="auto">From reading, I understood a div PASSporT
without attestation should be added by the entity doing
the diversion.</div>
<div dir="auto"><br>
</div>
<div dir="auto">
<div><a href="https://datatracker.ietf.org/doc/html/draft-ietf-stir-passport-divert-09#section-5" id="m_-8767440143870283281LPlnk375787" target="_blank">https://datatracker.ietf.org/doc/html/draft-ietf-stir-passport-divert-09#section-5</a></div>
<div>draft-ietf-stir-passport-divert-09: PASSporT Extension for Diverted Calls (Internet-Draft, 2020), datatracker.ietf.org</div>
<br>
<br>
</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 9 Jun 2021 at
12:10, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)">
<div>
<p>Hello,</p>
<p><br>
</p>
<p>I was not aware of this, it does not seem to be
from IETF. Can you summarize what it is about,
eventually comparing what are the differences to
the IETF STIR/SHAKEN specs? Is it about adding the
caller signature in another header than Identity
and also verifying another header?</p>
<p><br>
</p>
<p>Cheers,<br>
Daniel</p>
</div>
<div>
<p><br>
</p>
<div>On 08.06.21 23:58, Steven Wheeler wrote:<br>
</div>
<blockquote type="cite">
<div id="m_-8767440143870283281m_-876863524909847696divtagdefaultwrapper" dir="ltr">
<p style="font-family:Calibri,Helvetica,sans-serif">My
Google searches aren't turning up any results,
probably because this standard isn't finalized
yet, but is anyone aware of a module which
implements DIV PASSporTs for diverted calls?</p>
<p style="font-family:Calibri,Helvetica,sans-serif"><br>
</p>
<p style="font-family:Calibri,Helvetica,sans-serif">More
details on the standard here: <a href="https://transnexus.com/blog/2020/shaken-div-std-letter-ballot/" id="m_-8767440143870283281m_-876863524909847696LPlnk221337" style="font-family:Calibri,Helvetica,sans-serif" target="_blank">https://transnexus.com/blog/2020/shaken-div-std-letter-ballot/</a></p>
<p style="font-family:Calibri,Helvetica,sans-serif"><br>
</p>
<div id="m_-8767440143870283281m_-876863524909847696Signature" style="font-family:Calibri,Helvetica,sans-serif">
<div id="m_-8767440143870283281m_-876863524909847696divtagdefaultwrapper" style="font-family:Calibri,Helvetica,sans-serif">
<div style="font-size:15px;margin:0px;font-family:Calibri,Helvetica,sans-serif;color:rgb(33,33,33)">
<font style="font-family:Calibri,sans-serif;color:rgb(33,33,33)" size="2" face="Calibri,sans-serif"><span style="font-size:11pt;font-family:Calibri,sans-serif"><font style="font-family:Moderat;color:rgb(244,121,60)" face="Moderat"><b style="font-family:Moderat">Steven
Wheeler</b></font></span></font></div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre style="font-family:monospace">__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* <a href="mailto:sr-users@lists.kamailio.org" style="font-family:monospace" target="_blank">sr-users@lists.kamailio.org</a>
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" style="font-family:monospace" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" style="font-family:monospace" target="_blank">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" style="font-family:monospace" target="_blank">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" style="font-family:monospace" target="_blank">www.linkedin.com/in/miconda</a></pre>
</div>
</blockquote>
</div>
</div>
-- <br>
<div dir="ltr">
<div dir="ltr">
<div>Regards,</div>
<div><br>
</div>
David Villasmil
<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div>
<div>phone: +34669448337</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<pre cols="72" style="font-family:monospace">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank" style="font-family:monospace">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank" style="font-family:monospace">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank" style="font-family:monospace">www.linkedin.com/in/miconda</a></pre>
</div>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Regards,</div><div><br></div>David Villasmil<div>email: <a href="mailto:david.villasmil.work@gmail.com" target="_blank">david.villasmil.work@gmail.com</a></div><div>phone: +34669448337</div></div></div>
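<p>The check discussed in this thread (verify the outer Identity header with the module, then unpack the JWT and inspect the PASSporT nested in a "div-o"), sketched in Python as an added example; it is not code from the thread, Kamailio or libsecsipid. The claim names <code>opt</code> and <code>div</code> follow the linked draft as read here, and the function names, certificate URL and sample tokens are constructed assumptions; signature verification of both tokens is assumed to be done separately by the module.</p>

```python
import base64
import json

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_passport(token):
    """Decode header and payload of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a full-form compact PASSporT")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def check_div_o(outer_token):
    """Structural checks on a div-o PASSporT; returns the nested original token,
    which must then get its own signature check (assumed done by the module)."""
    hdr, pl = split_passport(outer_token)
    if hdr.get("ppt") != "div-o":
        raise ValueError("outer PASSporT is not div-o")
    inner = pl.get("opt")  # assumed claim name for the nested PASSporT
    if not isinstance(inner, str):
        raise ValueError("div-o without a nested PASSporT")
    _, ipl = split_passport(inner)
    if ipl.get("orig") != pl.get("orig"):
        raise ValueError("orig differs between nested and outer PASSporT")
    div, dest = pl.get("div"), ipl.get("dest")
    if not isinstance(div, dict) or not isinstance(dest, dict):
        raise ValueError("missing div or dest claim")
    # The number that diverted the call must be one the original call targeted.
    if div.get("tn") not in dest.get("tn", []):
        raise ValueError("div number is not an original destination")
    return inner

def make_token(header, payload, sig=b"constructed-not-a-real-signature"):
    """Build a constructed sample token (placeholder signature, for parsing only)."""
    segs = [b64url_encode(json.dumps(x).encode()) for x in (header, payload)]
    return ".".join(segs + [b64url_encode(sig)])

# Constructed sample: 12155551212 calls ...1213, which forwards to ...1214.
X5U = "https://cert.example.org/passport.cer"
INNER = make_token({"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": X5U},
                   {"attest": "A", "dest": {"tn": ["12155551213"]}, "iat": 1623249000,
                    "orig": {"tn": "12155551212"}, "origid": "constructed-id"})
OUTER_HDR = {"alg": "ES256", "ppt": "div-o", "typ": "passport", "x5u": X5U}
OUTER_PL = {"dest": {"tn": ["12155551214"]}, "div": {"tn": "12155551213"},
            "iat": 1623249005, "opt": INNER, "orig": {"tn": "12155551212"}}
OUTER = make_token(OUTER_HDR, OUTER_PL)
```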