Disregard. It was my mistake. I had sp_key.pem in my kamailio config when
it was actually sp-key.pem. Doh. Took me way too long to see my mistake but
it is working now and adding the identity. Thanks for the help everyone!
On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey <uga5324(a)gmail.com> wrote:
Thanks for the replies. I think I am understanding it better now. My issue
now is I am getting this error:
ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get identity header body (-451)
-451 = SJWTRetErrFileRead which I assume is either the certificate or the
private key. I am able to download the certificate using the URL so I guess
the key? I have permissions on the key as 600 (-rw-------) and the
user:group for it is kamailio.
It's still a self signed but I generated it with the TNAuthList, etc like
a production certificate. I have stir/shaken working on a production
machine but it uses libstirshaken and not secsipid.
Output of cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN = sip-test.mydomain.net
Validity
Not Before: Jun 21 00:03:27 2024 GMT
Not After : Sep 24 00:03:27 2026 GMT
Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.", OU = VOIP, CN = SHAKEN
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
01:0c:fb:48:b0
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
1.3.6.1.5.5.7.1.26:
0.....1001
X509v3 Subject Key Identifier:
9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
X509v3 Authority Key Identifier:
84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb
On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <david.villasmil.work(a)gmail.com> wrote:
> This is what I do (I have a redirect server receive the INVITEs to be
> signed, I add the header and then do 302, the initiating server then adds it
> to the INVITE and sends the invite out):
>
> if ($rm=="INVITE") {
>     # Sign with attestation "A"; the last two arguments are the
>     # certificate URL and the private key path.
>     $var(rc) = secsipid_add_identity("$(var(from){s.numeric})",
>         "$(var(to){s.numeric})", "A", "",
>         "https://pki.domain.com/stir-shaken-cert.pem",
>         "/etc/kamailio/ec256-private.pem");
>
>     if ( $var(rc) > 0 ) {
>         msg_apply_changes();
>     } else {
>         update_stat("stirshaken_create_identity_failed","+1");
>         send_reply("503", "Service Unavailable - can not create Identity header");
>         exit;
>     }
>
>     # Hand the generated Identity header back in the redirect reply.
>     append_to_reply("Identity: $hdr(Identity)\r\n");
> }
> sl_send_reply("302", "Redirect");
> exit;
>
>
> hope that helps
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work(a)gmail.com
>
>
>
> On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <
> sr-users(a)lists.kamailio.org> wrote:
>
>> Hmm you are correct. I took it out and it started fine. So what exactly
>> would I need for our outbound stirshaken?
>>
>> Just secsipid_add_identity?
>>
>> I guess I've been looking at this for too long today. Just lines and
>> lines after a while.
>>
>> On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
>>
>>> Except for `expire` and `timeout`, those parameters don’t exist for
>>> secsipid - at least according to the module documentation:
>>> https://kamailio.org/docs/modules/stable/modules/secsipid
>>>
>>>
>>>
>>> Regards,
>>>
>>> Kaufman
>>>
>>>
>>>
>>> *From:* Blake Ivey <uga5324(a)gmail.com>
>>> *Sent:* Thursday, June 20, 2024 3:39 PM
>>> *To:* Ben Kaufman <bkaufman(a)bcmone.com>
>>> *Cc:* sr-users(a)lists.kamailio.org
>>> *Subject:* Re: [SR-Users] SecSIPID Assistance
>>>
>>>
>>>
>>>
>>>
>>>
>>> Sorry for the formatting:
>>>
>>> ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <private_key> of type <1:string> not found in module <secsipid>
>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set module parameter
>>> kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set module parameter
>>> kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <key_path> of type <1:string> not found in module <secsipid>
>>>
>>>
>>>
>>> On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman(a)bcmone.com> wrote:
>>>
>>> What is the error you’re getting?
>>>
>>>
>>>
>>> Regards,
>>>
>>> Kaufman
>>>
>>>
>>>
>>>
>>>
>>> *From:* Blake Ivey via sr-users <sr-users(a)lists.kamailio.org>
>>> *Sent:* Thursday, June 20, 2024 3:14 PM
>>> *To:* Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
>>> *Cc:* Blake Ivey <uga5324(a)gmail.com>
>>> *Subject:* [SR-Users] SecSIPID Assistance
>>>
>>>
>>>
>>>
>>>
>>>
>>> Hi everyone. Wanting to see if someone could point me in the right
>>> direction. Still very new to Kamailio but I am beginning to understand it
>>> better. I'm making an outbound proxy and have everything working well
>>> besides stir/shaken. I'm looking at the module page and have gone back and
>>> forth with ChatGPT and can't seem to figure this part out. I keep getting
>>> errors on the modparam lines.
>>>
>>>
>>>
>>> Obviously this is a self signed cert because I'm just testing. I am
>>> able to reach and download the cert from the Web server.
>>>
>>>
>>>
>>> Thank you for any assistance.
>>>
>>>
>>>
>>> # SECSIPID for Stir/Shaken
>>> modparam("secsipid", "private_key", "/etc/kamailio/secsipid/private.key")
>>> modparam("secsipid", "certificate", "/etc/kamailio/secsipid/cert.crt")
>>> modparam("secsipid", "authority_cert", "/etc/kamailio/secsipid/ca.crt")
>>> modparam("secsipid", "expire", 600)
>>> modparam("secsipid", "timeout", 2)
>>>
>>> route[STIRSHAKEN] {
>>>     if (is_method("INVITE")) {
>>>         if (!secsipid_add_identity("$fU", "$rU", "A", "",
>>>                 "http://myIPaddress.com/stir_shaken_cert.crt",
>>>                 "/etc/kamailio/secsipid/private.key")) {
>>>             xlog("L_ERR", "Failed to sign call with ID: $ci - From: $fU\n");
>>>             send_reply("500", "Internal Server Error");
>>>             exit;
>>>         } else {
>>>             xlog("L_INFO", "Successfully signed call with ID: $ci - From: $fU\n");
>>>         }
>>>     }
>>>
>>>     # Relay the call after signing
>>>     route(RELAY);
>>> }
>>>
>>>
>>>
>>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> To unsubscribe send an email to sr-users-leave(a)lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to
>> the sender!
>> Edit mailing list options or unsubscribe:
>>
>
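
The -451 (SJWTRetErrFileRead) error in this thread came down to a key path in the config (sp_key.pem) that did not match the file on disk (sp-key.pem). As an added example, not code from the thread's participants or from Kamailio, this pre-flight check pulls the key path out of each `secsipid_add_identity()` call and reports missing files, near-miss filenames, loose permissions and non-PEM content. It assumes all six arguments are double-quoted literals; the demo paths and URL are constructed.

```python
import difflib
import os
import re
import stat

# secsipid_add_identity(origTN, destTN, attest, origID, x5u, keyPath):
# six quoted arguments, the last one being the private key path.
CALL_RE = re.compile(
    r'secsipid_add_identity\s*\(' + r'\s*"([^"]*)"\s*,' * 5 + r'\s*"([^"]*)"\s*\)'
)

def check_key_paths(cfg_text):
    """Return (path, problem) pairs for key paths the signer could not load."""
    findings = []
    for call in CALL_RE.finditer(cfg_text):
        path = call.group(6).strip()
        if not os.path.isfile(path):
            # Look for a near-miss name in the same directory (sp_key vs sp-key).
            folder, name = os.path.split(path)
            siblings = os.listdir(folder) if os.path.isdir(folder) else []
            near = difflib.get_close_matches(name, siblings, n=1, cutoff=0.8)
            hint = f"; did you mean {os.path.join(folder, near[0])}?" if near else ""
            findings.append((path, "file not found" + hint))
            continue
        if not os.access(path, os.R_OK):
            findings.append((path, "not readable by the user running this check"))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append((path, f"mode {mode:o} exposes the key to group/other"))
        with open(path, "rb") as fh:
            if b"PRIVATE KEY-----" not in fh.read(4096):
                findings.append((path, "no PEM private key header found"))
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed demo: the key on disk is sp-key.pem, the config says sp_key.pem.
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "sp-key.pem")
        with open(real, "w") as fh:
            fh.write("-----BEGIN EC PRIVATE KEY-----\n(constructed)\n")
        os.chmod(real, 0o600)
        cfg = ('secsipid_add_identity("$fU", "$rU", "A", "", '
               f'"https://example.invalid/cert.pem", "{d}/sp_key.pem");')
        for path, problem in check_key_paths(cfg):
            print(f"{path}: {problem}")
```

Run it as the account Kamailio runs under, so the readability check reflects what the signing process can actually open.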