[SR-Users] Kamailio 5.5 STIR SHAKEN private key buffer size error

Maharaja Azhagiah er.maharaja at gmail.com
Tue Jul 5 17:01:16 CEST 2022


Hi Daniel,

I have followed the installation as mentioned in the SecSIPId module page
(https://www.kamailio.org/docs/modules/5.5.x/modules/secsipid.html#secsipid.f.secsipid_add_identity)

I am able to load the module without any error. However, when I initiate a
call I can see the following error:

0(12956) ERROR: {1 9581 INVITE lzss4D1pl5NkPYfdEZ24OlrXHjnEmWiA} secsipid
[secsipid_mod.c:330]: ki_secsipid_add_identity(): failed to get identity
header body (-151)


Below is the Kamailio configuration where the identity needs to be added before
it is dispatched to the service provider trunk:

secsipid_add_identity("$fU", "$rU", "C", "", "http://pinaiyam.8ksamples.com/certificate.pem", "/tmp/cert/private.pem");



Regards

*Maharaja Azhagiah*






On Tue, Jun 28, 2022 at 2:08 AM Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> Note that Kamailio has another module that offers STIR/SHAKEN capabilities,
> respectively the secsipid module. You can try to use it, this one I
> maintain and if there is any issue found, I am going to fix it.
>
> All the best,
> Daniel
> On 28.06.22 04:41, Maharaja Azhagiah wrote:
>
> Thank you very much, Muhammad
>
> I tried reducing the SSL key bit length to 1024 but the buffer is still
> less than the key size. Hence, I submitted an issue with signalwire. I
> appreciate your help.
>
> Regards
>
> *Maharaja Azhagiah*
>
>
>
>
>
>
> On Mon, Jun 27, 2022 at 10:05 PM M S <shaheryarkh at gmail.com> wrote:
>
>> This error seems to come from libstirshaken (
>> https://github.com/signalwire/libstirshaken/blob/master/include/stir_shaken.h
>> line 46) and has nothing to do with Kamailio. Please open a bug with
>> signalwire who owns and maintains this library.
>>
>> Per my understanding this library is a bit old and uses many deprecated
>> functions and needs updating. As a general rule of thumb, in PEM format,
>> the private key size in bytes is roughly 80% (4/5) of key size in bits e.g.
>> 4096 bit private key size would be roughly,
>>
>> (4096 * 4) / 5 ~= 3277 bytes
>>
>> which is too big for allowed size (2000 bytes) in libstirshaken. So,
>> either increasing the allowed size in libstirshaken OR reducing your SSL
>> key bit length to e.g. 1024 may work.
>>
>> Thank you.
>>
>> --
>> Muhammad Shahzad Shafi
>> Tel: +49 176 99 83 10 85
>>
>>
>>
>> On Mon, Jun 27, 2022 at 11:07 PM Maharaja Azhagiah <er.maharaja at gmail.com>
>> wrote:
>>
>>> Hi,
>>>
>>> I am trying STIR/SHAKEN using libstirshaken in Kamailio 5.5.
>>>
>>> I used a self signed certificate as this is just a test in the local
>>> docker environment. However, when I try to add identity with private key
>>> (stirshaken_add_identity_with_key), I get "[error_code: 447] Buffer for key
>>> from file /tmp/cert/private.pem too short (2000 <= 3247)"
>>>
>>> I have tried using 2048 and 4096 size
>>>
>>> root at 5907e44bd056:/tmp/cert# openssl rsa -in private.pem -text -noout |
>>> grep "Private-Key"
>>> RSA Private-Key: (4096 bit, 2 primes)
>>>
>>> Could you tell me what is wrong with the certificate?
>>>
>>> Kamailio version:
>>>
>>> root at 5907e44bd056:/usr/local/kamailio/etc/kamailio# kamailio -v
>>> version: kamailio 5.5.4 (x86_64/linux) 469465
>>>
>>> Error:
>>>
>>>  0(404) ERROR: {1 30587 INVITE NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq}
>>> stirshaken [stirshaken_mod.c:761]: ki_stirshaken_add_identity_with_key():
>>> Failed to load private key
>>>  0(404) DEBUG: {1 30587 INVITE NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq}
>>> stirshaken [stirshaken_mod.c:117]: stirshaken_print_error_details():
>>> failure details:
>>>  0(404) DEBUG: {1 30587 INVITE NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq}
>>> stirshaken [stirshaken_mod.c:118]: stirshaken_print_error_details():
>>> failure reason is: src/stir_shaken_ssl.c:2112: [error_code: 447] Buffer for
>>> key from file /tmp/cert/private.pem too short (2000 <= 3247)
>>>  0(404) DEBUG: {1 30587 INVITE NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq}
>>> stirshaken [stirshaken_mod.c:119]: stirshaken_print_error_details():
>>> failure error code is: 447
>>>  0(404) ERROR: {1 30587 INVITE NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq}
>>> <script>: Failed
>>>
>>> Regards
>>>
>>> *Maharaja Azhagiah*
>>>
>>>
>>>
>>>
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>>   * sr-users at lists.kamailio.org
>>> Important: keep the mailing list in the recipients, do not reply only to
>>> the sender!
>>> Edit mailing list options or unsubscribe:
>>>   * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>
>
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio Advanced Training - Online: June 20-23, 2022
>   * https://www.asipto.com/sw/kamailio-advanced-training-online/
>
>
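
An added example, not part of the thread and not code from Kamailio or libstirshaken: a shell preflight that checks a PEM private key against the 2000-byte buffer limit shown in the libstirshaken error above and flags non-EC keys, since PASSporTs (RFC 8225) are signed with ES256. The function name `check_signing_key` is hypothetical, and reading the key type from the first PEM line assumes an unencrypted PEM file.

```shell
#!/bin/sh
# Preflight check for a PEM private key before a signing module loads it.
# check_signing_key is a hypothetical helper, not part of any project.
# LIMIT defaults to 2000, the buffer size reported in the error above.
# A P-256 key in the expected form can be generated with:
#   openssl ecparam -name prime256v1 -genkey -noout -out private.pem

check_signing_key() {
    key=$1
    limit=${2:-2000}

    [ -r "$key" ] || { echo "unreadable: $key"; return 2; }

    # The whole PEM file is read into the buffer, so on-disk size is what counts.
    size=$(wc -c < "$key" | tr -d ' ')

    # The first PEM line names the encoding (CR stripped for CRLF files).
    case $(head -n 1 "$key" | tr -d '\r') in
        "-----BEGIN EC PRIVATE KEY-----")  kind=ec ;;
        "-----BEGIN RSA PRIVATE KEY-----") kind=rsa ;;
        "-----BEGIN PRIVATE KEY-----")     kind=pkcs8 ;;
        *)                                 kind=unknown ;;
    esac

    status=0
    # The error reads "(2000 <= 3247)": the file must be strictly smaller.
    if [ "$size" -ge "$limit" ]; then
        echo "FAIL size: $size bytes does not fit a $limit-byte buffer"
        status=1
    fi
    case $kind in
        ec)    ;;
        pkcs8) echo "NOTE type: PKCS#8 wrapper, confirm the curve with:" \
                    "openssl pkey -in $key -noout -text" ;;
        *)     echo "FAIL type: $kind key, ES256 needs an EC P-256 key"
               status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: $kind key, $size bytes"
    return "$status"
}

# Run directly as: sh check_key.sh /tmp/cert/private.pem [limit]
if [ "$#" -gt 0 ]; then
    check_signing_key "$@"
fi
```
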