[SR-Users] STIR/SHAKEN tests

Daniel-Constantin Mierla miconda at gmail.com
Mon May 31 15:15:20 CEST 2021


Hello,

What are your operating system, golang and openssl versions?

I tried on Debian stable and I get the Identity header, see next:

OPTIONS sip:alice@127.0.0.1 SIP/2.0
Via: SIP/2.0/UDP 127.0.0.1;branch=z9hG4bK8eba.da1d50fc272715b1f6dfcd665d319b32.0
Via: SIP/2.0/UDP 127.0.1.1:52897;received=127.0.0.1;branch=z9hG4bK.2d35a346;rport=56013;alias
From: sip:sipsak@127.0.1.1:52897;tag=219ec22d
To: sip:alice@127.0.0.1
Call-ID: 564052525@127.0.1.1
CSeq: 1 OPTIONS
Contact: sip:sipsak@127.0.1.1:52897
Content-Length: 0
Max-Forwards: 69
User-Agent: sipsak 0.9.7pre
Accept: text/plain
Identity:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ.fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<https://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken

The OPTIONS was generated with: sipsak -s sip:alice@127.0.0.1

In kamailio.cfg I have:

   if(is_method("OPTIONS|INVITE")) {
          secsipid_add_identity("493044448888", "493055559999", "A", "",
                  "https://asipto.lab/stir/cert.pem",
                  "/tmp/ec256-private.pem");
   }

Versions:

$ go version
go version go1.11.6 linux/amd64

$ openssl version
OpenSSL 1.1.1d  10 Sep 2019

Cheers,
Daniel

On 28.05.21 13:05, Daniel-Constantin Mierla wrote:
>
> I will try to reproduce when I get the first chance these days, maybe
> I broke something while I worked to propagate different return codes
> for error cases.
>
> One more question for now: are you using the latest libsecsipid, built
> from the master/main branch of the secsipidx project?
>
> Cheers,
> Daniel
>
> On 28.05.21 10:27, David Villasmil wrote:
>> Correct.
>> That’s a log with debug 3, absolutely nothing is coming out. :(
>>
>>
>>
>> On Thu, 27 May 2021 at 20:54, Daniel-Constantin Mierla
>> <miconda at gmail.com> wrote:
>>
>>     Same logs as before with the previous certificate? Can you
>>     attach log messages with debug=3?
>>
>>     Cheers,
>>     Daniel
>>
>>     On 27.05.21 20:13, David Villasmil wrote:
>>>     Yep i just tried that :)
>>>
>>>     I don't get an error on the CLI:
>>>
>>>     # secsipidx -sign-full -orig-tn 493044448888 -dest-tn
>>>     493055559999 -attest A -x5u http://asipto.lab/stir/cert.pem
>>>     -k ec256-private.pem
>>>     eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cDovL2FzaXB0by5sYWIvc3Rpci9jZXJ0LnBlbSJ9.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjEzOTE1Nywib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiIxOWE5OWY2ZS1mZWE5LTQyYmEtYmU2ZC1lNDZkNjZkMGIzNjcifQ.64Z_uNPA5frA20nqurHxOD8qLtuvcGeMxmx0ZhBmSWFoeEU53nHSmEWOsAJC5eiJLuIWfVI9HFhJIKyK6PMrcA;info=<http://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken
>>>
>>>     But still failing in kamailio...
>>>
>>>     Regards,
>>>
>>>     David Villasmil
>>>     email: david.villasmil.work at gmail.com
>>>     phone: +34669448337
>>>
>>>
>>>     On Thu, May 27, 2021 at 7:09 PM Daniel-Constantin Mierla
>>>     <miconda at gmail.com> wrote:
>>>
>>>         Hello,
>>>
>>>         On 27.05.21 19:58, David Villasmil wrote:
>>>>         Hello guys,
>>>>
>>>>         I want to test secsipid, but i don't yet have the
>>>>         certificate. So i thought i'd create a cert like:
>>>>
>>>>         openssl req -new -newkey rsa:4096 -nodes -keyout
>>>>         snakeoil.key -out snakeoil.csr
>>>>         openssl x509 -req -sha256 -days 365 -in snakeoil.csr
>>>>         -signkey snakeoil.key -out snakeoil.pem
>>>>
>>>>         Then i'm simply doing:
>>>>
>>>>         $var(rc) = secsipid_add_identity("$fU", "$rU", "A", "",
>>>>             "https://somedomain.com/stir/$rd/cert.pem",
>>>>             "/etc/kamailio/snakeoil.pem");
>>>>         if ( $var(rc) ) {
>>>>             xlog("L_ERR", "[STIR/SHAKEN][$ci] Shaken authentication added (SIP Identity Header created)\n");
>>>>         } else {
>>>>             xlog("L_ERR", "[STIR/SHAKEN][$ci] Failed\n");
>>>>         }
>>>>
>>>>         But no matter what i do it silently fails:
>>>>
>>>>         INVITE d54c2919-39b6-123a-95a7-0e29a5289b8d} <script>:
>>>>         [STIR/SHAKEN][d54c2919-39b6-123a-95a7-0e29a5289b8d] Failed
>>>>
>>>>         I have debug on 6, but i don't get more info regarding the
>>>>         error.
>>>>
>>>>         Any ideas?
>>>
>>>         based on the specs, it should not be the usual ssl/tls
>>>         certificate, try to generate them using the guidelines at:
>>>
>>>           * https://github.com/asipto/secsipidx#keys-generation
>>>
>>>         Cheers,
>>>         Daniel
>>>
>>>         -- 
>>>         Daniel-Constantin Mierla -- www.asipto.com
>>>         www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>>         Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
>>>           * https://www.asipto.com/sw/kamailio-advanced-training-online/
>>>

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online - June 7-10, 2021 (America Timezone)
  * https://www.asipto.com/sw/kamailio-advanced-training-online/
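
Added example (not part of the original message and not code from secsipidx): a small Go check that decodes the Identity header shown at the top of this message and confirms that the token header and the header parameters describe the same SHAKEN PASSporT. The names `ParseIdentity` and `PASSporT` are hypothetical; the sample value is copied from the message above, the signature is not verified, and the info URL is assumed to contain no `;`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Identity header value copied from the message above (token plus parameters).
const sampleIdentity = "eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9hc2lwdG8ubGFiL3N0aXIvY2VydC5wZW0ifQ." +
	"eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyI0OTMwNTU1NTk5OTkiXX0sImlhdCI6MTYyMjQ2NjUyNSwib3JpZyI6eyJ0biI6IjQ5MzA0NDQ0ODg4OCJ9LCJvcmlnaWQiOiJlOWI3Nzc1OC03ZmI3LTQ1ZWQtYWMwOS02MDlmOTM3NjFiOWQifQ." +
	"fnLenxEUk5qyKvY2xChbAPS-kvjiRmu8jKqEzlywFt0RnpDAK-ErUBjbR78aRjt66fJIFEdQ_dXvV-qRoxkWzA;info=<https://asipto.lab/stir/cert.pem>;alg=ES256;ppt=shaken"

type PASSporT struct {
	Header struct{ Alg, Ppt, Typ, X5u string } // protected header
	Claims struct {                            // SHAKEN claims
		Attest, Origid string
		Iat            int64
		Orig           struct{ Tn string }
		Dest           struct{ Tn []string }
	}
}

// ParseIdentity decodes and cross-checks the header; the signature is NOT verified.
func ParseIdentity(v string) (*PASSporT, error) {
	fields := strings.Split(strings.Join(strings.Fields(v), ""), ";") // undo line folding
	seg, p, params := strings.Split(fields[0], "."), &PASSporT{}, map[string]string{}
	if len(seg) != 3 {
		return nil, fmt.Errorf("want 3 token segments, got %d", len(seg))
	}
	for i, dst := range []interface{}{&p.Header, &p.Claims} {
		raw, err := base64.RawURLEncoding.DecodeString(seg[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return nil, fmt.Errorf("segment %d is not base64url-encoded JSON", i)
		}
	}
	for _, f := range fields[1:] { // ;info=<url>;alg=ES256;ppt=shaken
		k, val, _ := strings.Cut(f, "=")
		params[k] = strings.Trim(val, "<>")
	}
	h := p.Header
	if h.Alg != "ES256" || h.Typ != "passport" || h.Ppt != "shaken" ||
		params["info"] != h.X5u || params["alg"] != h.Alg || params["ppt"] != h.Ppt {
		return p, fmt.Errorf("inconsistent SHAKEN PASSporT: header %+v, parameters %v", h, params)
	}
	return p, nil
}
func main() { fmt.Println(ParseIdentity(sampleIdentity)) }
```

Running it against the value printed by `secsipidx -sign-full` and against the header Kamailio adds shows at a glance whether both carry the same `x5u`, attestation level and numbers.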
