[SR-Users] Kamailio 5.5 STIR SHAKEN private key buffer size error

Daniel-Constantin Mierla miconda at gmail.com
Tue Jul 5 18:20:43 CEST 2022


Hello,

the error code means that the format of the key is invalid:

  - https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go#L46

If you haven't retrieved it from someone, then note that it is not the usual
TLS/SSL key format, see:

  - https://github.com/asipto/secsipidx#keys-generation

Cheers,
Daniel

On 05.07.22 17:01, Maharaja Azhagiah wrote:
> Hi Daniel,
>
> I have followed the installation as mentioned in the SecSIPId
> module page
> (https://www.kamailio.org/docs/modules/5.5.x/modules/secsipid.html#secsipid.f.secsipid_add_identity).
> I am able to load the module without any error. However, when I
> initiate a call I can see the following error:
>
> 0(12956) ERROR: {1 9581 INVITE lzss4D1pl5NkPYfdEZ24OlrXHjnEmWiA}
> secsipid [secsipid_mod.c:330]: ki_secsipid_add_identity(): failed to
> get identity header body (-151)
>
>
> Below is the Kamailio configuration where identity needs to be added
> before it dispatches to the service provider trunk:
>
> secsipid_add_identity("$fU", "$rU", "C", "",
> "http://pinaiyam.8ksamples.com/certificate.pem", "/tmp/cert/private.pem");
>
>  
>
> Regards
>
> *Maharaja Azhagiah*
>
>
>
>
>
>
> On Tue, Jun 28, 2022 at 2:08 AM Daniel-Constantin Mierla
> <miconda at gmail.com> wrote:
>
>     Note that kamailio has another module that offers STIR/SHAKEN
>     capabilities, respectively the secsipid module. You can try to use
>     it, this one I maintain and if there is any issue found, I am
>     going to fix it.
>
>     All the best,
>     Daniel
>
>     On 28.06.22 04:41, Maharaja Azhagiah wrote:
>>     Thank you very much, Muhammad
>>
>>     I tried reducing the SSL key bit length to 1024 but the buffer is
>>     still less than the key size. Hence, I submitted an issue with
>>     signalwire. I appreciate your help. 
>>
>>     Regards
>>
>>     *Maharaja Azhagiah*
>>
>>
>>
>>
>>
>>
>>     On Mon, Jun 27, 2022 at 10:05 PM M S <shaheryarkh at gmail.com> wrote:
>>
>>         This error seems to come from libstirshaken
>>         (https://github.com/signalwire/libstirshaken/blob/master/include/stir_shaken.h
>>         line 46) and has nothing to do with Kamailio. Please open a
>>         bug with signalwire who owns and maintains this library.
>>
>>         Per my understanding this library is a bit old and uses many
>>         deprecated functions and needs updating. As a general rule of
>>         thumb, in PEM format, the private key size in bytes is
>>         roughly 80% (4/5) of key size in bits e.g. 4096 bit private
>>         key size would be roughly,
>>
>>         (4096 * 4) / 5 ~= 3277 bytes
>>
>>         which is too big for allowed size (2000 bytes) in
>>         libstirshaken. So, either increasing the allowed size in
>>         libstirshaken OR reducing your SSL key bit length to e.g.
>>         1024 may work.
>>
>>         Thank you.
>>
>>         --
>>         Muhammad Shahzad Shafi
>>         Tel: +49 176 99 83 10 85
>>
>>
>>
>>         On Mon, Jun 27, 2022 at 11:07 PM Maharaja Azhagiah
>>         <er.maharaja at gmail.com> wrote:
>>
>>             Hi,
>>
>>             I am trying STIR/SHAKEN using libstirshaken in Kamailio 5.5.
>>
>>             I used a self signed certificate as this is just a test
>>             in the local docker environment. However, when I try to
>>             add identity with private key
>>             (stirshaken_add_identity_with_key), I get "[error_code:
>>             447] Buffer for key from file /tmp/cert/private.pem too
>>             short (2000 <= 3247)"
>>
>>             I have tried using 2048 and 4096 size
>>
>>             root@5907e44bd056:/tmp/cert# openssl rsa -in private.pem -text -noout | grep "Private-Key"
>>             RSA Private-Key: (4096 bit, 2 primes)
>>
>>             Could you tell me what is wrong with the certificate?
>>
>>             Kamailio version:
>>
>>             root@5907e44bd056:/usr/local/kamailio/etc/kamailio# kamailio -v
>>             version: kamailio 5.5.4 (x86_64/linux) 469465
>>
>>             Error:
>>
>>              0(404) ERROR: {1 30587 INVITE
>>             NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq} stirshaken
>>             [stirshaken_mod.c:761]:
>>             ki_stirshaken_add_identity_with_key(): Failed to load
>>             private key
>>              0(404) DEBUG: {1 30587 INVITE
>>             NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq} stirshaken
>>             [stirshaken_mod.c:117]: stirshaken_print_error_details():
>>             failure details:
>>              0(404) DEBUG: {1 30587 INVITE
>>             NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq} stirshaken
>>             [stirshaken_mod.c:118]: stirshaken_print_error_details():
>>             failure reason is: src/stir_shaken_ssl.c:2112:
>>             [error_code: 447] Buffer for key from file
>>             /tmp/cert/private.pem too short (2000 <= 3247)
>>              0(404) DEBUG: {1 30587 INVITE
>>             NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq} stirshaken
>>             [stirshaken_mod.c:119]: stirshaken_print_error_details():
>>             failure error code is: 447
>>              0(404) ERROR: {1 30587 INVITE
>>             NzIhM1-2YABveZZ1mPvs3m3tw8K7meSq} <script>: Failed
>>
>>             Regards
>>
>>             *Maharaja Azhagiah*
>>
>>
>>
>>
>>             __________________________________________________________
>>             Kamailio - Users Mailing List - Non Commercial Discussions
>>               * sr-users at lists.kamailio.org
>>             Important: keep the mailing list in the recipients, do
>>             not reply only to the sender!
>>             Edit mailing list options or unsubscribe:
>>               *
>>             https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
>     -- 
>     Daniel-Constantin Mierla -- www.asipto.com <http://www.asipto.com>
>     www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
>     Kamailio Advanced Training - Online: June 20-23, 2022
>       * https://www.asipto.com/sw/kamailio-advanced-training-online/
>
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
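
The key-format point in the reply above, as an added example that is not part of the original message and not secsipidx code: a Go check, using only the standard library, that a PEM file holds an ECDSA P-256 private key (the type ES256 PASSporT signing needs) rather than an RSA key of the usual TLS kind. `CheckES256Key` and `SamplePEMs` are hypothetical names, and the sample keys are generated in place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// CheckES256Key (hypothetical helper) returns nil only for an ECDSA P-256 private key.
func CheckES256Key(data []byte) error {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		var key interface{}
		var err error
		switch block.Type {
		case "EC PARAMETERS": // written before the key by "openssl ecparam -genkey" without -noout
			continue
		case "EC PRIVATE KEY": // SEC1 encoding
			key, err = x509.ParseECPrivateKey(block.Bytes)
		case "PRIVATE KEY": // PKCS#8, may wrap an RSA or an EC key
			key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
		default: // e.g. "RSA PRIVATE KEY", the usual TLS key
			return fmt.Errorf("PEM type %q is not an EC private key", block.Type)
		}
		if ec, ok := key.(*ecdsa.PrivateKey); err != nil || !ok || ec.Curve.Params().Name != "P-256" {
			return fmt.Errorf("not an ECDSA P-256 key (type %T, parse error: %v)", key, err)
		}
		return nil
	}
	return fmt.Errorf("no private key PEM block found")
}

// SamplePEMs builds constructed sample keys: EC P-256 (SEC1) and RSA 2048 (PKCS#1).
func SamplePEMs() (ecPEM, rsaPEM []byte) {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ecDER, _ := x509.MarshalECPrivateKey(ecKey)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: ecDER}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rsaKey)})
}

func main() {
	ecPEM, rsaPEM := SamplePEMs()
	fmt.Println("EC P-256:", CheckES256Key(ecPEM))
	fmt.Println("RSA 2048:", CheckES256Key(rsaPEM))
}
```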