[Users] domainkeys module
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Nov 28 18:44:44 CET 2005
Hi!
I've just posted a domainkeys module on the tracker on sourceforge:
http://sourceforge.net/tracker/index.php?func=detail&aid=1368417&group_id=139143&atid=743022
This is a "proof-of-concept" and at the moment not a module for real
usage. Further, this is something which not standardized or documented
anywhere. It's just an experiment to use the domainkeys technology
(invented as anti-SPAM technology for emails) also with SIP.
Following some snippets from the README file.
If you would like to discuss this idea with me, you'r welcome.
regards
klaus
Chapter 1. User's Guide
1.1. Overview
This module is a proof-of-concept. It tries to use the
domainkeys technologie, for signing SIP message. Domainkeys
were developed as an anti-SPAM technology for emails. But as
SIP is familiar with email, it might also be useful to use
domainkeys for signing SIP messages.
_________________________________________________________
1.1.1. Installation
Just copy the module into openser's module directory. This
module needs the libdomainkeys library and the libcrypto
library (from openssl). Thus make sure to have openssl
installed. If the domainkeys library is not installed in the
default directories, you have to modify the library path in
the Makefile to point to the location of the domainkeys module
and include this directory to /etc/ld.so.conf. Further you
have to adopt the inlcude path of #include
"/home/darilion/libdomainkeys-0.68/domainkeys.h" in the file
domainkeys.c. Then compile and use the module as usual.
_________________________________________________________
1.1.2. Known Limitations
* The current version signs only the From: and To: header,
and the message body.
* This module is far from stable and seriously contains
several bugs.
* Signing and validation takes time. On a 2GHz Athlon CPU,
the signing off an INVITE message (From:, To: and body)
took ~8ms. The validation of this message took ~9ms.
Additionally, the validation takes time as at least one
DNS lookup is necessary to fetch the public key of the
signing domain. This can be reduced by a fast resolving
name server and long TTLs for the public key.
* This module uses the original received SIP message for
calculating the message signatur. Thus, if you use
function which modify the used headers (e.g. uac module)
or which modify the body (e.g. nathelper module), then the
added signature will be invalid.
1.3. Exported Parameters
1.3.1. privkey_file (string)
Path to the file containing the private key for the signing.
(The public key for the validation will be fetched from DNS)
Default value is "".
Example 1-1. privkey_file example
modparam("domainkeys", "privkey_file", "/etc/domainkeys/privkeys/2005")
_________________________________________________________
1.4. Exported Functions
1.4.1. domainkeys_validate
Signs the SIP message.
This function can be used from REQUEST_ROUTE.
Example 1-2. domainkeys_validate usage
...
if (is_method("INVITE")) {
if (domainkeys_sign()) {
xlog("L_INFO","domainkeys - signing: SUCCESS\n");
} else {
xlog("L_INFO","domainkeys - signing: FAILURE\n");
}
}
...
_________________________________________________________
1.4.2. domainkeys_validate
Validates the Domainkeys-Signature in the received SIP
message.
This function can be used from REQUEST_ROUTE.
Example 1-3. search_append usage
...
if (is_present_hf("Domainkey-Signature")) {
xlog("L_INFO","Domainkey-Signature found, start validating...\n");
if (domainkeys_validate()) {
xlog("L_INFO","domainkeys - validate: SUCCESS\n");
} else {
xlog("L_INFO","domainkeys - validate: FAILURE\n");
}
}
...
More information about the sr-users
mailing list