[Users] domainkeys module

Klaus Darilion klaus.mailinglists at pernau.at
Mon Nov 28 18:44:44 CET 2005


I've just posted a domainkeys module on the tracker on sourceforge:

This is a "proof-of-concept" and at the moment not a module for real 
usage. Further, this is something which not standardized or documented 
anywhere. It's just an experiment to use the domainkeys technology 
(invented as anti-SPAM technology for emails) also with SIP.

Following some snippets from the README file.

If you would like to discuss this idea with me, you'r welcome.


Chapter 1. User's Guide

1.1. Overview

    This module is a proof-of-concept. It tries to use the
    domainkeys technologie, for signing SIP message. Domainkeys
    were developed as an anti-SPAM technology for emails. But as
    SIP is familiar with email, it might also be useful to use
    domainkeys for signing SIP messages.

1.1.1. Installation

    Just copy the module into openser's module directory. This
    module needs the libdomainkeys library and the libcrypto
    library (from openssl). Thus make sure to have openssl
    installed. If the domainkeys library is not installed in the
    default directories, you have to modify the library path in
    the Makefile to point to the location of the domainkeys module
    and include this directory to /etc/ld.so.conf. Further you
    have to adopt the inlcude path of #include
    "/home/darilion/libdomainkeys-0.68/domainkeys.h" in the file
    domainkeys.c. Then compile and use the module as usual.

1.1.2. Known Limitations

      * The current version signs only the From: and To: header,
        and the message body.
      * This module is far from stable and seriously contains
        several bugs.
      * Signing and validation takes time. On a 2GHz Athlon CPU,
        the signing off an INVITE message (From:, To: and body)
        took ~8ms. The validation of this message took ~9ms.
        Additionally, the validation takes time as at least one
        DNS lookup is necessary to fetch the public key of the
        signing domain. This can be reduced by a fast resolving
        name server and long TTLs for the public key.
      * This module uses the original received SIP message for
        calculating the message signatur. Thus, if you use
        function which modify the used headers (e.g. uac module)
        or which modify the body (e.g. nathelper module), then the
        added signature will be invalid.

1.3. Exported Parameters

1.3.1. privkey_file (string)

    Path to the file containing the private key for the signing.
    (The public key for the validation will be fetched from DNS)

    Default value is "".

    Example 1-1. privkey_file example
modparam("domainkeys", "privkey_file", "/etc/domainkeys/privkeys/2005")

1.4. Exported Functions

1.4.1. domainkeys_validate

    Signs the SIP message.

    This function can be used from REQUEST_ROUTE.

    Example 1-2. domainkeys_validate usage
if (is_method("INVITE")) {
         if (domainkeys_sign()) {
                 xlog("L_INFO","domainkeys - signing: SUCCESS\n");
         } else {
                 xlog("L_INFO","domainkeys - signing: FAILURE\n");

1.4.2. domainkeys_validate

    Validates the Domainkeys-Signature in the received SIP

    This function can be used from REQUEST_ROUTE.

    Example 1-3. search_append usage
if (is_present_hf("Domainkey-Signature")) {
     xlog("L_INFO","Domainkey-Signature found, start validating...\n");
     if (domainkeys_validate()) {
             xlog("L_INFO","domainkeys - validate: SUCCESS\n");
     } else {
             xlog("L_INFO","domainkeys - validate: FAILURE\n");

More information about the Users mailing list