[SR-Users] ATIS-1000085 STIR/SHAKEN DIV PASSporT

David Villasmil david.villasmil.work at gmail.com
Thu Jun 17 10:09:20 CEST 2021


For verification, I think a quick solution would be to export a new
function from the module to be able to check an identity from a tring on
instead of automatically  checking the “Identity” header.

This way the script writer can use the current check_identity to verify the
header itself, then after unpacking the jwt, using the new
check_identity_str passing the Jwt that should be included in the outer JWT
if the DIV header is present.

The script writer can then do all the checks he/she needs using jansson.

On Mon, 14 Jun 2021 at 09:20, Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> It is not implemented in the C code of Kamailio's module, but libsecsipid
> offers a function to sign any payload and headers json documents, pasting
> from its API:
>
>
> // SecSIPIDSignJSONHP --
> // * sign the JSON header and payload with provided private key
> // * headerJSON -  header part in JSON forman (0-terminated string)
> // * payloadJSON -  payload part in JSON forman (0-terminated string)
> // * prvkeyPath - path to private key to be used to generate the signature
> // * outPtr - to be set to the pointer containing the output (it is a
> //   0-terminated string); the `*outPtr` must be freed after use
> // * return: the length of `*outPtr`
> extern int SecSIPIDSignJSONHP(char* headerJSON, char* payloadJSON, char*
> prvkeyPath, char** outPtr);
>
>
> Meaning that one can build the headers and payload json documents as they
> want in the config with script operations and get it back encoded and with
> signature. This function can be easily exported to kamailio.cfg. Obviously,
> adding additional code to simplify usage in kamailio.cfg for this
> particular case would be probably better, but requires more C (to Kamailio)
> or Go (to libsecsipid) coding. If someone wants to do it, he/she is more
> that welcome. Personally I do not have an immediate need for this
> extension, with other higher priority tasks, it's not something I can
> allocate spare time for it.
>
>
> More over, one can do alternative implementation in Lua or Python, using
> KEMI or inline execution via app_lua or app_python3. I remember people
> saying they did it (in Lua, iirc) before we had any dedicated kamailio
> module.
>
>
> Cheers,
> Daniel
>
>
>
> On 09.06.21 16:30, Steven Wheeler wrote:
>
> I believe that David's interpretation is correct. My understanding of the
> standard is that it allows carriers which are diverting a call (call
> forwarding, simultaneous ringing, etc.) on behalf of one of their customers
> to provide the original attestation they received as well as information
> about where the call is being diverted to.
>
>
> I'm no expert in STIR/SHAKEN, but my understanding is that this proposal
> adds two options to handle diversions. The first is a "div" passport which
> is added as an additional Identity header to the outgoing SIP message. The
> second is a "div-o" passport which includes the original Identity header
> within its value and replaces the original Identity header in the outgoing
> SIP message.
>
>
> *Steven Wheeler*
>
> ------------------------------
> *From:* David Villasmil <david.villasmil.work at gmail.com>
> <david.villasmil.work at gmail.com>
> *Sent:* Wednesday, June 9, 2021 6:50 AM
> *To:* Kamailio (SER) - Users Mailing List; miconda at gmail.com
> *Cc:* Steven Wheeler
> *Subject:* Re: [SR-Users] ATIS-1000085 STIR/SHAKEN DIV PASSporT
>
> From reading, I understood a div PASSporTs without attestation should be
> added by the entity doing the diversion.
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-stir-passport-divert-09#section-5
> draft-ietf-stir-passport-divert-09
> <https://datatracker.ietf.org/doc/html/draft-ietf-stir-passport-divert-09#section-5>
> datatracker.ietf.org
> PASSporT Extension for Diverted Calls (Internet-Draft, 2020)
>
>
>
>
>
> On Wed, 9 Jun 2021 at 12:10, Daniel-Constantin Mierla <miconda at gmail.com>
> wrote:
>
>> Hello,
>>
>>
>> I was not aware if this, it does not seem to be from IETF. Can you
>> summarize what it is about, eventually comparing what are the differences
>> to the IETF STIR/SHAKEN specs? Is it about adding the caller signature in
>> another header than Identity and also verifying  another header?
>>
>>
>> Cheers,
>> Daniel
>>
>>
>> On 08.06.21 23:58, Steven Wheeler wrote:
>>
>> My Google searches aren't turning up any results, probably because this
>> standard isn't finalized yet, but is anyone aware of a module which
>> implements DIV PASSporTs for diverted calls?
>>
>>
>> More details on the standard here:
>> https://transnexus.com/blog/2020/shaken-div-std-letter-ballot/
>>
>>
>> *Steven Wheeler*
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>>   * sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to the sender!
>> Edit mailing list options or unsubscribe:
>>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> --
>> Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda -- www.linkedin.com/in/miconda
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>>   * sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to
>> the sender!
>> Edit mailing list options or unsubscribe:
>>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
> --
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>   * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to the sender!
> Edit mailing list options or unsubscribe:
>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda -- www.linkedin.com/in/miconda
>
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
>   * sr-users at lists.kamailio.org
> Important: keep the mailing list in the recipients, do not reply only to
> the sender!
> Edit mailing list options or unsubscribe:
>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
-- 
Regards,

David Villasmil
email: david.villasmil.work at gmail.com
phone: +34669448337
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20210617/241f656f/attachment.htm>


More information about the sr-users mailing list