2020-05-04 21:11:00 +00:00
|
|
|
;
|
|
|
|
; This file is used by the res_stir_shaken module to configure parameters
|
|
|
|
; used for STIR/SHAKEN.
|
|
|
|
;
|
2021-04-21 16:12:55 +00:00
|
|
|
; There are 2 sides to STIR/SHAKEN: attestation and verification.
|
|
|
|
;
|
|
|
|
; Attestation is done on outgoing calls and makes use out of the certificate
|
|
|
|
; objects. The cert located at path will be used to sign, and the cert
|
|
|
|
; located at public_cert_url will be placed in the Identity header to let the
|
|
|
|
; remote side know where to download the public cert from. These 2 certs must
|
|
|
|
; match; that is, the cert located at public_cert_url must be the public cert
|
|
|
|
; derived from the private cert located at path.
|
|
|
|
;
|
|
|
|
; Verification is done on incoming calls and doesn't rely on cert objects
|
|
|
|
; defined in this file.
|
|
|
|
;
|
|
|
|
; The general section applies to all STIR/SHAKEN operations. However,
|
|
|
|
; cache_max_size, curl_timeout, and signature_timeout only apply to the
|
|
|
|
; verification side.
|
|
|
|
;
|
|
|
|
; It's important to note that downloaded certificates are stored in
|
|
|
|
; <ast_config_AST_DATA_DIR>/keys/stir_shaken, which is usually
|
|
|
|
; /etc/asterisk/keys/stir_shaken, but may be changed depending on where your
|
|
|
|
; config directory is.
|
|
|
|
;
|
|
|
|
; Visit the wiki page:
|
2023-11-09 21:26:46 +00:00
|
|
|
; https://docs.asterisk.org/Deployment/STIR-SHAKEN/
|
2020-05-04 21:11:00 +00:00
|
|
|
;
|
|
|
|
; [general]
|
|
|
|
;
|
|
|
|
; File path to the certificate authority certificate
|
|
|
|
;ca_file=/etc/asterisk/stir/ca.crt
|
|
|
|
;
|
|
|
|
; File path to a chain of trust
|
|
|
|
;ca_path=/etc/asterisk/stir/ca
|
|
|
|
;
|
|
|
|
; Maximum size to use for caching public keys
|
|
|
|
;cache_max_size=1000
|
|
|
|
;
|
2020-06-24 16:49:11 +00:00
|
|
|
; Maximum time (in seconds) to wait to CURL certificates
|
|
|
|
;curl_timeout=2
|
|
|
|
;
|
|
|
|
; Amount of time (in seconds) a signature is valid for
|
|
|
|
;signature_timeout=15
|
2020-05-04 21:11:00 +00:00
|
|
|
;
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
;
|
|
|
|
; A certificate store is used to examine, and load all certificates found in a
|
|
|
|
; given directory. When using this type the public key URL is generated based
|
|
|
|
; upon the filename, and variable substitution.
|
|
|
|
;[certificates]
|
|
|
|
;
|
|
|
|
; type must be "store"
|
|
|
|
;type=store
|
|
|
|
;
|
|
|
|
; Path to a directory containing certificates
|
|
|
|
;path=/etc/asterisk/stir
|
|
|
|
;
|
2021-04-21 16:12:55 +00:00
|
|
|
; URL to the public certificate(s). Must contain variable '${CERTIFICATE}' used for
|
|
|
|
; substitution. '${CERTIFICATE}' will be replaced by the names of the files located
|
|
|
|
; at path.
|
|
|
|
; This will be put in the Identity header when signing.
|
|
|
|
;public_cert_url=http://mycompany.com/${CERTIFICATE}.pem
|
2020-05-04 21:11:00 +00:00
|
|
|
;
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
;
|
|
|
|
; Individual certificates are declared by using the certificate type.
|
|
|
|
;[alice]
|
|
|
|
;
|
|
|
|
; type must be "certificate"
|
|
|
|
;type=certificate
|
|
|
|
;
|
2021-04-21 16:12:55 +00:00
|
|
|
; File path to a certificate. This can be RSA or ECDSA, but eventually only ECDSA will be supported.
|
|
|
|
;path=/etc/asterisk/stir/alice.pem
|
2020-05-04 21:11:00 +00:00
|
|
|
;
|
2021-04-21 16:12:55 +00:00
|
|
|
; URL to the public certificate. Must be of type X509 and be derived from the
|
|
|
|
; certificate located at path.
|
|
|
|
; This will be put in the identity header when signing.
|
|
|
|
;public_cert_url=http://mycompany.com/alice.pem
|
res_stir_shaken: Add outbound INVITE support.
Integrated STIR/SHAKEN support with outgoing INVITEs. When an INVITE is
sent, the caller ID will be checked to see if there is a certificate
that corresponds to it. If so, that information will be retrieved and an
Identity header will be added to the SIP message. The format is:
header.payload.signature;info=<public_key_url>alg=ES256;ppt=shaken
Header, payload, and signature are all BASE64 encoded. The public key
URL is retrieved from the certificate. Currently the algorithm and ppt
are ES256 and shaken, respectively. This message is signed and can be
used for verification on the receiving end.
Two new configuration options have been added to the certificate object:
attestation and origid. The attestation is required and must be A, B, or
C. origid is the origination identifier.
A new utility function has been added as well that takes a string,
allocates space, BASE64 encodes it, then returns it, eliminating the
need to calculate the size yourself.
Change-Id: I1f84d6a5839cb2ed152ef4255b380cfc2de662b4
2020-06-02 14:04:23 +00:00
|
|
|
;
|
2020-06-24 16:49:11 +00:00
|
|
|
; The caller ID number to match on
|
|
|
|
;caller_id_number=1234567
|
|
|
|
;
|
res_stir_shaken: Add outbound INVITE support.
Integrated STIR/SHAKEN support with outgoing INVITEs. When an INVITE is
sent, the caller ID will be checked to see if there is a certificate
that corresponds to it. If so, that information will be retrieved and an
Identity header will be added to the SIP message. The format is:
header.payload.signature;info=<public_key_url>alg=ES256;ppt=shaken
Header, payload, and signature are all BASE64 encoded. The public key
URL is retrieved from the certificate. Currently the algorithm and ppt
are ES256 and shaken, respectively. This message is signed and can be
used for verification on the receiving end.
Two new configuration options have been added to the certificate object:
attestation and origid. The attestation is required and must be A, B, or
C. origid is the origination identifier.
A new utility function has been added as well that takes a string,
allocates space, BASE64 encodes it, then returns it, eliminating the
need to calculate the size yourself.
Change-Id: I1f84d6a5839cb2ed152ef4255b380cfc2de662b4
2020-06-02 14:04:23 +00:00
|
|
|
; Must have an attestation of A, B, or C
|
|
|
|
;attestation=C
|
2022-02-28 17:19:54 +00:00
|
|
|
;
|
|
|
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
|
|
;
|
|
|
|
; Profiles can be defined here which can be referenced by channel drivers.
|
|
|
|
;[my_profile]
|
|
|
|
;
|
|
|
|
; type must be "profile"
|
|
|
|
;type=profile
|
|
|
|
;
|
|
|
|
; Set stir_shaken to 'attest', 'verify', or 'on', which is the default
|
|
|
|
;stir_shaken=on
|
|
|
|
;
|
|
|
|
; You can specify an ACL that will be used strictly for the Identity header when downloading public certificates
|
|
|
|
;acllist=myacllist
|
|
|
|
;
|
|
|
|
; You can also do permit / deny lines if you want (also supports IPv6)
|
|
|
|
;permit=0.0.0.0/0.0.0.0
|
|
|
|
;deny=127.0.0.1
|