[SR-Users] STIR/SHAKEN tests

Daniel-Constantin Mierla miconda at gmail.com
Wed Jun 2 08:14:36 CEST 2021


The lib and module are rather fresh; they improve based on feedback.

The latest version of the lib should return different codes in case of
failures, being propagated by the functions in the kamailio config. The
codes can be found at:

  * https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32

If you have time, try it and report if it works as expected.

Cheers,
Daniel

On 31.05.21 17:35, David Villasmil wrote:
> Yep, it's working with 1.16.4
> So the problem was with the pem ownership.
> It's a pity secsipid.so doesn't return an access denied error.
>
> CLI does return an error:
>
> error: Unable to read private key file: open
> /etc/kamailio/ec256-private.pem: permission denied
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
>
> On Mon, May 31, 2021 at 4:26 PM David Villasmil
> <david.villasmil.work at gmail.com> wrote:
>
>     Daniel,
>
>     Ok, I downloaded and installed 1.11.6 just like yours and
>     recompiled, etc.
>     I also changed the owner of the pem file, which was owned by root,
>     and not by the user kamailio.
>
>     Now it's working.
>
>     d9655} <script>:
>     [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655]
>     secsipid_add_identity('493044448888', '493055559999', 'A', '',
>     'http://asipto.lab/stir/cert.pem', '/etc/kamailio/ec256-private.pem')
>     May 31 15:24:08 ip-10-231-32-237
>     /usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1 36683532
>     INVITE 157428d2-3cc7-123a-eaad-122eaa5d9655} secsipid
>     [secsipid_mod.c:333]: ki_secsipid_add_identity(): appending
>     identity:
>     eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>
>     But now I'm left wondering whether it was the ownership of the
>     file or the version.
>
>     So I will install again the latest and see what happens.
>
>
>     Regards,
>
>     David Villasmil
>
>
>     On Mon, May 31, 2021 at 2:19 PM David Villasmil
>     <david.villasmil.work at gmail.com> wrote:
>
>         Hello Daniel,
>
>         Thanks for looking into this:
>
>         # go version
>         go version go1.16.4 linux/amd64
>
>         # openssl version
>         OpenSSL 1.1.1d  10 Sep 2019
>         root at sip-stir1:/home/admin#
>         I can try getting the same go version and see what happens.
>
>         Regards,
>
>         David Villasmil
>
>
>         On Mon, May 31, 2021 at 2:15 PM Daniel-Constantin Mierla
>         <miconda at gmail.com> wrote:
>
>             Hello,
>
>             what are your operating system, golang and openssl versions?
>
>             I tried on Debian stable and I get the Identity header,
>             see next:
>
>             OPTIONS sip:alice at 127.0.0.1 SIP/2.0
>             Via: SIP/2.0/UDP
>             127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0
>             Via: SIP/2.0/UDP
>             127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias
>             From: sip:sipsak at 127.0.1.1:52897;tag=219ec22d
>             To: sip:alice at 127.0.0.1
>             Call-ID: 564052525 at 127.0.1.1
>             CSeq: 1 OPTIONS
>             Contact: sip:sipsak at 127.0.1.1:52897
>             Content-Length: 0
>             Max-Forwards: 69
>             User-Agent: sipsak 0.9.7pre
>             Accept: text/plain
>             Identity:
>             eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<https://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>
>             The OPTIONS was generated with: sipsak -s sip:alice at 127.0.0.1
>
>             In kamailio.cfg I have:
>
>                if(is_method("OPTIONS|INVITE")) {
>                    secsipid_add_identity("493044448888", "493055559999", "A", "",
>                            "https://asipto.lab/stir/cert.pem",
>                            "/tmp/ec256-private.pem");
>                }
>
>             Versions:
>
>             $ go version
>             go version go1.11.6 linux/amd64
>
>             $ openssl version
>             OpenSSL 1.1.1d  10 Sep 2019
>
>             Cheers,
>             Daniel
>
>             On 28.05.21 13:05, Daniel-Constantin Mierla wrote:
>>
>>             I will try to reproduce when I get the first chance these
>>             days, maybe I broke something while I worked to propagate
>>             different return codes for error cases.
>>
>>             One more question for now: are you using the latest
>>             libsecsipid, built from the master/main branch of the
>>             secsipidx project?
>>
>>             Cheers,
>>             Daniel
>>
>>             On 28.05.21 10:27, David Villasmil wrote:
>>>             Correct.
>>>             That’s a log with debug 3, absolutely nothing is coming
>>>             out. :(
>>>
>>>
>>>
>>>             On Thu, 27 May 2021 at 20:54, Daniel-Constantin Mierla
>>>             <miconda at gmail.com> wrote:
>>>
>>>                 Same logs as before, with the previous
>>>                 certificate? Can you attach log messages with debug=3?
>>>
>>>                 Cheers,
>>>                 Daniel
>>>
>>>                 On 27.05.21 20:13, David Villasmil wrote:
>>>>                 Yep, I just tried that :)
>>>>
>>>>                 I don't get an error on the CLI:
>>>>
>>>>                 # secsipidx -sign-full -orig-tn 493044448888 -dest-tn 493055559999 -attest A -x5u http://asipto.lab/stir/cert.pem -k ec256-private.pem
>>>>                 eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>>>>
>>>>                 But still failing in kamailio...
>>>>
>>>>                 Regards,
>>>>
>>>>                 David Villasmil
>>>>
>>>>
>>>>                 On Thu, May 27, 2021 at 7:09 PM Daniel-Constantin
>>>>                 Mierla <miconda at gmail.com> wrote:
>>>>
>>>>                     Hello,
>>>>
>>>>                     On 27.05.21 19:58, David Villasmil wrote:
>>>>>                     Hello guys,
>>>>>
>>>>>                     I want to test secsipid, but I don't yet have
>>>>>                     the certificate. So I thought I'd create a
>>>>>                     cert like:
>>>>>
>>>>>                     openssl req -new -newkey rsa:4096 -nodes -keyout snakeoil.key -out snakeoil.csr
>>>>>                     openssl x509 -req -sha256 -days 365 -in snakeoil.csr -signkey snakeoil.key -out snakeoil.pem
>>>>>
>>>>>                     Then I'm simply doing:
>>>>>
>>>>>                     $var(rc) = secsipid_add_identity("$fU", "$rU", "A", "",
>>>>>                             "https://somedomain.com/stir/$rd/cert.pem",
>>>>>                             "/etc/kamailio/snakeoil.pem");
>>>>>                     if ( $var(rc) ) {
>>>>>                         xlog("L_ERR", "[STIR/SHAKEN][$ci] Shaken authentication added (SIP Identity Header created)\n");
>>>>>                     } else {
>>>>>                         xlog("L_ERR", "[STIR/SHAKEN][$ci] Failed\n");
>>>>>                     }
>>>>>
>>>>>                     But no matter what I do it silently fails:
>>>>>
>>>>>                     INVITE d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>: [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d] Failed
>>>>>
>>>>>                     I have debug on 6, but I don't get more info
>>>>>                     regarding the error.
>>>>>
>>>>>                     Any ideas?
>>>>
>>>>                     Based on the specs, it should not be the usual
>>>>                     ssl/tls certificate; try to generate them using
>>>>                     the guidelines at:
>>>>
>>>>                       * https://github.com/asipto/secsipidx#keys-generation
>>>>
>>>>                     Cheers,
>>>>                     Daniel
>>>>
>>>>                     -- 
>>>>                     Daniel-Constantin Mierla -- www.asipto.com
>>>>                     www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>>>                     Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
>>>>                       * https://www.asipto.com/sw/kamailio-advanced-training-online/
>>>>
>>>
>>>             -- 
>>>             Regards,
>>>
>>>             David Villasmil
>
>
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
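As an added example, not code from this thread or from secsipidx, the following Python builds an Identity header of the shape shown above (JWT header and PASSporT claims, then the info, alg and ppt parameters), parses it back and checks the structural requirements that the thread ran into: alg must be ES256 (an EC P-256 key, which is why an RSA "snakeoil" certificate cannot work), ppt must be shaken, the info parameter must match x5u, and iat must be fresh. All sample values are constructed; the signature is a placeholder and is not verified against the x5u certificate.

```python
import base64
import json

# Constructed sample values modelled on the Identity header in the thread; not a token from the page.
SAMPLE_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://asipto.lab/stir/cert.pem"}
SAMPLE_PAYLOAD = {"attest": "A", "dest": {"tn": ["493055559999"]}, "iat": 1622466525,
                  "orig": {"tn": "493044448888"}, "origid": "constructed-origid-0001"}

def b64url(data: bytes) -> str:
    """base64url without padding, as used in PASSporT/JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    """Restore the padding that base64url strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_identity(header: dict, payload: dict, signature: bytes) -> str:
    """Assemble an Identity header value: <jwt>;info=<x5u>;alg=<alg>;ppt=<ppt> (signature is a placeholder)."""
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)]
    parts.append(b64url(signature))
    return f"{'.'.join(parts)};info=<{header['x5u']}>;alg={header['alg']};ppt={header['ppt']}"

def parse_identity(value: str) -> dict:
    """Split an Identity header into decoded JWT header, claims, raw signature and the ;-parameters."""
    token, *params = value.split(";")
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("PASSporT must be header.payload.signature")
    kv = dict(p.split("=", 1) for p in params if "=" in p)
    return {"header": json.loads(b64url_decode(segments[0])),
            "payload": json.loads(b64url_decode(segments[1])),
            "signature": b64url_decode(segments[2]), "params": kv}

def check_identity(parsed: dict, now: int, max_age: int = 60) -> list:
    """Return structural problems; an empty list means well formed (the signature is not verified here)."""
    h, p, kv = parsed["header"], parsed["payload"], parsed["params"]
    checks = [
        (h.get("alg") == "ES256", "alg must be ES256 (EC P-256 key, not an RSA key)"),
        (h.get("ppt") == "shaken", "ppt must be shaken"),
        (h.get("typ") == "passport", "typ must be passport"),
        (kv.get("info", "").strip("<>") == h.get("x5u"), "info param must match x5u"),
        (kv.get("alg") == h.get("alg") and kv.get("ppt") == h.get("ppt"), "alg/ppt params must match the JWT header"),
        (p.get("attest") in ("A", "B", "C"), "attest must be A, B or C"),
        (isinstance(p.get("orig", {}).get("tn"), str), "orig.tn missing"),
        (bool(p.get("dest", {}).get("tn")), "dest.tn missing"),
        (bool(p.get("origid")), "origid missing"),
        (isinstance(p.get("iat"), int) and abs(now - p["iat"]) <= max_age, "iat missing or outside the freshness window"),
    ]
    return [msg for ok, msg in checks if not ok]
```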
