Sorry to bring this back up, but I am struggling again and not sure what to do.

I am trying to use my actual private key and cert from Peering Hub and I keep getting:

SJWTRetErrPrvKeyInvalid = -151

I have done the following:

openssl ec -in private.pem -check
read EC key
EC Key valid.
writing EC key

openssl x509 -text -noout -in public.crt and it shows the cert information and it is valid.

I have kamailio:kamailio as the key/cert owners with chmod 640 permissions

Does it matter that my cert is using .crt and not .pem?

Any suggestions on what to do from here? This is working with libstirshaken but I am trying to migrate to secsipid.

Thanks for any assistance!

On Thu, Jun 20, 2024 at 9:33 PM Blake Ivey <uga5324@gmail.com> wrote:
Disregard. It was my mistake. I had sp_key.pem in my kamailio config when it was actually sp-key.pem. Doh. Took me way too long to see my mistake but it is working now and adding the identity. Thanks for the help everyone!

On Thu, Jun 20, 2024 at 8:43 PM Blake Ivey <uga5324@gmail.com> wrote:
Thanks for the replies. I think I am understanding it better now. My issue now is I am getting this error:

ERROR: {1 84911190 INVITE 9eea2bb8-aa08-123d-c0b5-5a8b7787aa29} secsipid [secsipid_mod.c:444]: ki_secsipid_add_identity_mode(): failed to get identity header body (-451)

-451 = SJWTRetErrFileRead which I assume is either the certificate or the private key. I am able to download the certificate using the URL so I guess the key? I have permissions on the key as 600 (-rw-------) and the user:group for it is kamailio.

It's still a self signed but I generated it with the TNAuthList, etc like a production certificate. I have stir/shaken working on s production machine but it uses libstirshaken and not secsipid.

Output of cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            35:a4:66:b0:ec:7b:3a:f2:e8:e4:fd:0d:f4:cc:56:f2:2c:0b:32:4d
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = ME, L = New York, O = Bobs Phone Company, CN = sip-test.mydomain.net
        Validity
            Not Before: Jun 21 00:03:27 2024 GMT
            Not After : Sep 24 00:03:27 2026 GMT
        Subject: C = US, ST = VA, L = Somewhere, O = "AcmeTelecom, Inc.", OU = VOIP, CN = SHAKEN
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:b8:3f:ac:45:14:65:05:1f:df:bd:f4:3c:e5:39:
                    33:66:c4:06:59:90:8a:05:be:76:c2:55:49:48:95:
                    62:3d:7f:25:20:77:d2:fa:4d:60:eb:d8:72:d9:a8:
                    a1:40:e0:51:ad:aa:d0:d3:4b:f1:03:4c:42:b6:d5:
                    01:0c:fb:48:b0
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            1.3.6.1.5.5.7.1.26:
                0.....1001
            X509v3 Subject Key Identifier:
                9C:54:1E:90:7E:5D:58:F3:52:81:2F:E0:13:D6:2D:C2:FE:AE:A9:FB
            X509v3 Authority Key Identifier:
                84:95:50:31:A8:E6:FE:EC:76:C6:C5:1C:EB:79:E5:AC:A8:54:CD:1C
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:46:02:21:00:b0:24:88:8e:cf:27:88:d0:d2:9c:c5:6b:2b:
        d3:c0:88:b1:2f:a6:da:fe:5b:fe:c8:41:f6:02:34:e1:99:eb:
        69:02:21:00:9d:63:32:bc:0f:10:24:80:67:e3:c6:84:84:6d:
        c5:1a:d1:03:2b:19:34:34:34:51:a5:b6:64:9b:9f:db:eb:cb


On Thu, Jun 20, 2024 at 5:33 PM David Villasmil <david.villasmil.work@gmail.com> wrote:
this is what i do (i have a redirect server receive the INVITEs to be signed, I add the header and then do 302, the initiating server then add it to the INVITE and sends the invite out:

 if ($rm=="INVITE") {
$var(rc) = secsipid_add_identity("$(var(from){s.numeric})", "$(var(to){s.numeric})", "A", "", "https://pki.domain.com/stir-shaken-cert.pem", "/etc/kamailio/ec256-private.pem");

if ( $var(rc) > 0 ) {
msg_apply_changes();
} else {
update_stat("stirshaken_create_identity_failed","+1");
send_reply("503", "Service Unavailable - can not create Identity header");
exit;
}

append_to_reply("Identity: $hdr(Identity)\r\n");
}
sl_send_reply("302", "Redirect");
exit;


hope that helps

Regards,

David Villasmil



On Thu, Jun 20, 2024 at 11:14 PM Blake Ivey via sr-users <sr-users@lists.kamailio.org> wrote:

Hmm you are correct. I took it out and it started fine. So what exactly would I need for our outbound stirshaken?

Just secsipid_add_identity?

I guess I've been looking at this for too long today. Just lines and lines after a while.


On Thu, Jun 20, 2024, 4:47 PM Ben Kaufman <bkaufman@bcmone.com> wrote:

Except for `expire` and `timeout`, those parameters don’t exist for secsip id- at least according to the module documentation: https://kamailio.org/docs/modules/stable/modules/secsipid

 

Regards,

Kaufman

 

From: Blake Ivey <uga5324@gmail.com>
Sent: Thursday, June 20, 2024 3:39 PM
To: Ben Kaufman <bkaufman@bcmone.com>
Cc: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] SecSIPID Assistance

 

CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

Sorry for the formatting:

ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <private_key> of type <1:string> not found in module <secsipid>
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 73: Can't set module parameter
kamailio: CRITICAL: <core> [core/cfg.y:4011]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 71, column 70: Can't set module parameter
kamailio: ERROR: <core> [core/modparam.c:185]: set_mod_param_regex(): parameter <key_path> of type <1:string> not found in module <secsipid>

 

On Thu, Jun 20, 2024, 4:31 PM Ben Kaufman <bkaufman@bcmone.com> wrote:

What is the error you’re getting?

 

Regards,

Kaufman

 

 

From: Blake Ivey via sr-users <sr-users@lists.kamailio.org>
Sent: Thursday, June 20, 2024 3:14 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Blake Ivey <uga5324@gmail.com>
Subject: [SR-Users] SecSIPID Assistance

 

CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

 

Hi everyone. Wanting to see if someone could point me in the right direction. Still very knew to Kamailio but I am beginning to understand it better. I'm making an outbound proxy and have everything working well besides stir/shaken. I'm looking at the module page and have went back and forth with chatGPT and can't seem to figure this part out. I keep getting errors on the modparam lines. 

 

Obviously this is a self signed cert because I'm just testing. I am able to reach and download the cert from the Web server. 

 

Thank you for any assistance. 

 

# SECSIPID for Stir/Shaken 

modparam("secsipid", "private_key", "/etc/kamailio/secsipid/private.key") 

modparam("secsipid", "certificate", "/etc/kamailio/secsipid/cert.crt") 

modparam("secsipid", "authority_cert", "/etc/kamailio/secsipid/ca.crt")

modparam("secsipid", "expire", 600) modparam("secsipid", "timeout", 2)

 

route[STIRSHAKEN] {

    if (is_method("INVITE")) {

        if (!secsipid_add_identity("$fU", "$rU", "A", "", "http://myIPaddress.com/stir_shaken_cert.crt", "/etc/kamailio/secsipid/private.key")) {

            xlog("L_ERR", "Failed to sign call with ID: $ci - From: $fU\n");

            send_reply("500", "Internal Server Error");

            exit;

        } else {

            xlog("L_INFO", "Successfully signed call with ID: $ci - From: $fU\n");

        }

    }

 

    # Relay the call after signing

    route(RELAY);

}

 

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe: