Will do

On Wed, 2 Jun 2021 at 07:14, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

The lib and module are rather fresh, they improve base on feedback.

The latest version of the lib should return different codes in case of failures, being propagated by the functions in the kamailio config. The codes can be found at:

  * https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32

If you have time, try it and report if works as expected.

Cheers,
Daniel

On 31.05.21 17:35, David Villasmil wrote:
Yep, It's working with 1.16.4
So the problem was with the pem ownership.
It's a pity secsipid.so doesn't return an access denied error.

CLI doesn return an error:

error: Unable to read private key file: open /etc/kamailio/ec256-private.pem: permission denied

Regards,

David Villasmil
phone: +34669448337


On Mon, May 31, 2021 at 4:26 PM David Villasmil <david.villasmil.work@gmail.com> wrote:
Daniel,

Ok, i downloaded and installed 1.11.6 just like yours and recompiled, etc.
I also changed the owner of the pem file, which was owned by root, and not by the user kamailio.

Now it's working.

d9655} <script>: [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655] secsipid_add_identity('493044448888', '493055559999', 'A', '', 'http://asipto.lab/stir/cert.pem', '/etc/kamailio/ec256-private.pem')
May 31 15:24:08 ip-10-231-32-237 /usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1 36683532 INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655} secsipid [secsipid_mod.c:333]: ki_secsipid_add_identity(): appending identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken

But now i¡m left wondering whether it was the ownership of the file or the version.

So i will install again the latest and see what happens.


Regards,

David Villasmil
phone: +34669448337


On Mon, May 31, 2021 at 2:19 PM David Villasmil <david.villasmil.work@gmail.com> wrote:
Hello Daniel,

Thanks for looking into this:

# go version
go version go1.16.4 linux/amd64

# openssl version
OpenSSL 1.1.1d  10 Sep 2019
root@sip-stir1:/home/admin#
i can try getting the same go version and see what happens.

Regards,

David Villasmil
phone: +34669448337


On Mon, May 31, 2021 at 2:15 PM Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

what are your operating system, golang and openssl versions?

I tried on Debian stable and I get the Identity header, see next:

OPTIONS sip:alice@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0
Via: SIP/2.0/UDP 127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias
From: sip:sipsak@127.0.1.1:52897;tag=219ec22d
To: sip:alice@127.0.0.1
Call-ID: 564052525@127.0.1.1
CSeq: 1 OPTIONS
Contact: sip:sipsak@127.0.1.1:52897
Content-Length: 0
Max-Forwards: 69
User-Agent: sipsak 0.9.7pre
Accept: text/plain
Identity: eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<https://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken

The OPTIONS was generated with: sipsak -s sip:alice@127.0.0.1

In kamaili.cfg I have:

   if(is_method("OPTIONS|INVITE")) {
          secsipid_add_identity("493044448888", "493055559999", "A", "",
                  "https://asipto.lab/stir/cert.pem",
                  "/tmp/ec256-private.pem");

Versions:

$ go version
go version go1.11.6 linux/amd64

$ openssl version
OpenSSL 1.1.1d  10 Sep 2019

Cheers,
Daniel

On 28.05.21 13:05, Daniel-Constantin Mierla wrote:

I will try to reproduce when I get the first chance these days, maybe I broke something while I worked to propagate different return codes for error cases.

One more question for now: are you using the latest libsecsipid, build from the master/main branch of the secsipidx project?

Cheers,
Daniel

On 28.05.21 10:27, David Villasmil wrote:
Correct.
That’s a log with debug 3, absolutely nothing is coming out. :(



On Thu, 27 May 2021 at 20:54, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Same logs like with before with previous certificate? Can you attach log messages with debug=3?

Cheers,
Daniel

On 27.05.21 20:13, David Villasmil wrote:
Yep i just tried that :)

I don't get an error on the CLI:

# secsipidx -sign-full -orig-tn 493044448888 -dest-tn 493055559999 -attest A -x5u http://asipto.lab/stir/cert.pem -k ec256-private.pem
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken

But still failing in kamailio...

Regards,

David Villasmil
phone: +34669448337


On Thu, May 27, 2021 at 7:09 PM Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

On 27.05.21 19:58, David Villasmil wrote:
Hello guys,

I want to test secsipid, but i don't yet have the certificate. So i thought i'd create a cert like:

openssl req -new -newkey rsa:4096 -nodes -keyout snakeoil.key -out snakeoil.csr
openssl x509 -req -sha256 -days 365 -in snakeoil.csr -signkey snakeoil.key -out snakeoil.pem

Then i'm simply doing:

$var(rc) = secsipid_add_identity("$fU", "$rU", "A", "", "https://somedomain.com/stir/$rd/cert.pem", "/etc/kamailio/snakeoil.pem");
if ( $var(rc) ) {
    xlog("L_ERR", "[STIR/SHAKEN][$ci] Shaken authentication added (SIP Identity Header created)\n");
} else {
    xlog("L_ERR", "[STIR/SHAKEN][$ci] Failed\n");
}

But no matter what i do it silently fails:

INVITE d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>: [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d] Failed

I have debug on 6, but i don't get more info regarding the error.

Any ideas?

based on the specs, it should not be the usual ssl/tls certificate, try to generate them using the guidelines at:

  * https://github.com/asipto/secsipidx#keys-generation

Cheers,
Daniel

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
--
Regards,

David Villasmil
phone: +34669448337
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
--
Regards,

David Villasmil
email: david.villasmil.work@gmail.com
phone: +34669448337