[SR-Users] STIR/SHAKEN tests

David Villasmil david.villasmil.work at gmail.com
Wed Jun 2 15:39:48 CEST 2021


Will do

On Wed, 2 Jun 2021 at 07:14, Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> The lib and module are rather fresh, they improve based on feedback.
>
> The latest version of the lib should return different codes in case of
> failures, being propagated by the functions in the kamailio config. The
> codes can be found at:
>
>   * https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L32
>
> If you have time, try it and report if it works as expected.
>
> Cheers,
> Daniel
> On 31.05.21 17:35, David Villasmil wrote:
>
> Yep, It's working with 1.16.4
> So the problem was with the pem ownership.
> It's a pity secsipid.so doesn't return an access denied error.
>
> CLI does return an error:
>
> error: Unable to read private key file: open
> /etc/kamailio/ec256-private.pem: permission denied
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
>
> On Mon, May 31, 2021 at 4:26 PM David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
>> Daniel,
>>
>> Ok, i downloaded and installed 1.11.6 just like yours and recompiled, etc.
>> I also changed the owner of the pem file, which was owned by root, and
>> not by the user kamailio.
>>
>> Now it's working.
>>
>> d9655} <script>: [STIR/SHAKEN][157428d2-3cc7-123a-eaad-122eaa5d9655]
>> secsipid_add_identity('493044448888', '493055559999', 'A', '', '
>> http://asipto.lab/stir/cert.pem', '/etc/kamailio/ec256-private.pem')
>> May 31 15:24:08 ip-10-231-32-237
>> /usr/local/kamailio5/sbin/kamailio[1920]: DEBUG: {1 36683532 INVITE
>> 157428d2-3cc7-123a-eaad-122eaa5d9655} secsipid [secsipid_mod.c:333]:
>> ki_secsipid_add_identity(): appending identity:
>> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ3NDY0OCwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiI0YWU3NGE3My01N2Q3LTQzZWMtYjMyOS00NDdiMDg4OWVkYmMifQ.AyxAeNFuthcpJld8osJBj9QVxBnwK91zeo0tEusXrMNNrG2aW8N9Az255qf3UlOIDtm1MmQI_y3-Gz6u57OCQA;info=<
>> http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>>
>> But now I'm left wondering whether it was the ownership of the file or
>> the version.
>>
>> So i will install again the latest and see what happens.
>>
>>
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work at gmail.com
>> phone: +34669448337
>>
>>
>> On Mon, May 31, 2021 at 2:19 PM David Villasmil <
>> david.villasmil.work at gmail.com> wrote:
>>
>>> Hello Daniel,
>>>
>>> Thanks for looking into this:
>>>
>>> # go version
>>> go version go1.16.4 linux/amd64
>>>
>>> # openssl version
>>> OpenSSL 1.1.1d  10 Sep 2019
>>> root at sip-stir1:/home/admin#
>>> i can try getting the same go version and see what happens.
>>>
>>> Regards,
>>>
>>> David Villasmil
>>> email: david.villasmil.work at gmail.com
>>> phone: +34669448337
>>>
>>>
>>> On Mon, May 31, 2021 at 2:15 PM Daniel-Constantin Mierla <
>>> miconda at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> what are your operating system, golang and openssl versions?
>>>>
>>>> I tried on Debian stable and I get the Identity header, see next:
>>>>
>>>> OPTIONS sip:alice at 127.0.0.1 SIP/2.0
>>>> Via: SIP/2.0/UDP
>>>> 127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0
>>>> Via: SIP/2.0/UDP 127.0.1.1:52897
>>>> ;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias
>>>> From: sip:sipsak at 127.0.1.1:52897;tag=219ec22d
>>>> To: sip:alice at 127.0.0.1
>>>> Call-ID: 564052525 at 127.0.1.1
>>>> CSeq: 1 OPTIONS
>>>> Contact: sip:sipsak at 127.0.1.1:52897
>>>> Content-Length: 0
>>>> Max-Forwards: 69
>>>> User-Agent: sipsak 0.9.7pre
>>>> Accept: text/plain
>>>> Identity:
>>>> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=
>>>> <https://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>>>>
>>>> The OPTIONS was generated with: sipsak -s sip:alice at 127.0.0.1
>>>>
>>>> In kamailio.cfg I have:
>>>>
>>>>    if(is_method("OPTIONS|INVITE")) {
>>>>           secsipid_add_identity("493044448888", "493055559999", "A", "",
>>>>                   "https://asipto.lab/stir/cert.pem",
>>>>                   "/tmp/ec256-private.pem");
>>>>    }
>>>>
>>>> Versions:
>>>>
>>>> $ go version
>>>> go version go1.11.6 linux/amd64
>>>>
>>>> $ openssl version
>>>> OpenSSL 1.1.1d  10 Sep 2019
>>>>
>>>> Cheers,
>>>> Daniel
>>>> On 28.05.21 13:05, Daniel-Constantin Mierla wrote:
>>>>
>>>> I will try to reproduce when I get the first chance these days, maybe I
>>>> broke something while I worked to propagate different return codes for
>>>> error cases.
>>>>
>>>> One more question for now: are you using the latest libsecsipid, built
>>>> from the master/main branch of the secsipidx project?
>>>>
>>>> Cheers,
>>>> Daniel
>>>> On 28.05.21 10:27, David Villasmil wrote:
>>>>
>>>> Correct.
>>>> That’s a log with debug 3, absolutely nothing is coming out. :(
>>>>
>>>>
>>>>
>>>> On Thu, 27 May 2021 at 20:54, Daniel-Constantin Mierla <
>>>> miconda at gmail.com> wrote:
>>>>
>>>>> Same logs as before with the previous certificate? Can you attach
>>>>> log messages with debug=3?
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>> On 27.05.21 20:13, David Villasmil wrote:
>>>>>
>>>>> Yep i just tried that :)
>>>>>
>>>>> I don't get an error on the CLI:
>>>>>
>>>>> # secsipidx -sign-full -orig-tn 493044448888 -dest-tn 493055559999 -attest A -x5u http://asipto.lab/stir/cert.pem -k ec256-private.pem
>>>>>
>>>>> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<
>>>>> http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>>>>>
>>>>> But still failing in kamailio...
>>>>>
>>>>> Regards,
>>>>>
>>>>> David Villasmil
>>>>> email: david.villasmil.work at gmail.com
>>>>> phone: +34669448337
>>>>>
>>>>>
>>>>> On Thu, May 27, 2021 at 7:09 PM Daniel-Constantin Mierla <
>>>>> miconda at gmail.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>> On 27.05.21 19:58, David Villasmil wrote:
>>>>>>
>>>>>> Hello guys,
>>>>>>
>>>>>> I want to test secsipid, but i don't yet have the certificate. So i
>>>>>> thought i'd create a cert like:
>>>>>>
>>>>>> openssl req -new -newkey rsa:4096 -nodes -keyout snakeoil.key -out snakeoil.csr
>>>>>> openssl x509 -req -sha256 -days 365 -in snakeoil.csr -signkey snakeoil.key -out snakeoil.pem
>>>>>>
>>>>>> Then i'm simply doing:
>>>>>>
>>>>>> $var(rc) = secsipid_add_identity("$fU", "$rU", "A", "",
>>>>>>     "https://somedomain.com/stir/$rd/cert.pem",
>>>>>>     "/etc/kamailio/snakeoil.pem");
>>>>>> if ( $var(rc) ) {
>>>>>>     xlog("L_ERR", "[STIR/SHAKEN][$ci] Shaken authentication added (SIP Identity Header created)\n");
>>>>>> } else {
>>>>>>     xlog("L_ERR", "[STIR/SHAKEN][$ci] Failed\n");
>>>>>> }
>>>>>>
>>>>>> But no matter what i do it silently fails:
>>>>>>
>>>>>> INVITE d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>:
>>>>>> [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d] Failed
>>>>>>
>>>>>> I have debug on 6, but i don't get more info regarding the error.
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>> based on the specs, it should not be the usual ssl/tls certificate,
>>>>>> try to generate them using the guidelines at:
>>>>>>
>>>>>>   * https://github.com/asipto/secsipidx#keys-generation
>>>>>>
>>>>>> Cheers,
>>>>>> Daniel
>>>>>>
>>>>>> --
>>>>>> Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>>>>> Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
>>>>>>   * https://www.asipto.com/sw/kamailio-advanced-training-online/
Regards,

David Villasmil
email: david.villasmil.work at gmail.com
phone: +34669448337