From RFC 8225 Section 5.2.1:
The "dest" claim is a JSON object with the claim name of "dest"
and MUST have at least one identity claim object. The "dest"
claim value is an array containing one or more identity claim JSON
objects representing the destination identities of any type
(currently "tn" or "uri"). If the "dest" claim value array
contains both "tn" and "uri" claim names, the JSON object should
list the "tn" array first and the "uri" array second. Within the
"tn" and "uri" arrays, the identity strings should be put in
lexicographical order, including the scheme-specific portion of
the URI characters.
Additionally, make it clear that there was a failure to sign the JWT
payload and not necessarily a memory allocation failure.
Change-Id: Ia8733b861aef6edfaa9c2136e97b447a01578dc9
The text description needs to be the last thing on the AST_MODULE_INFO
line to be pulled in properly by menuselect.
Change-Id: I0c913e36fea8b661f42e56920b6c5513ae8fd832
STIR/SHAKEN requires a Date header alongside the Identity header, so
that has been added. Still on the outgoing side, we were missing the
dest->tn section of the JSON payload, so that has been added as well.
Moving to the incoming side, URL checking has been added to the public
cert URL to ensure that it starts with http.
https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021
Change-Id: Idee5b1b5e45bc3b483b3070e46ce322dca5b3f1c
STIR/SHAKEN encodes using base64 URL format. Currently, we just use
base64. New functions have been added that convert to and from base64
encoding.
The origid field should also be an UUID. This means there's no reason to
have it as an option in stir_shaken.conf, as we can simply generate one
when creating the Identity header.
https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021
Change-Id: Icf094a2a54e87db91d6b12244c9f5ba4fc2e0b8c
During OpenSIPit, we found out that the public certificates must be of
type X.509. When reading in public keys, we use the corresponding X.509
functions now.
We also discovered that we needed a better naming scheme for the
certificates since certificates with the same name would cause issues
(overwriting certs, etc.). Now when we download a public certificate, we
get the serial number from it and use that as the name of the cached
certificate.
The configuration option public_key_url in stir_shaken.conf has also
been renamed to public_cert_url, which better describes what the option
is for.
https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021
Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d
the 'J' is missing in module description.
"PSIP STIR/SHAKEN Module for Asterisk" -> "PJSIP STIR/SHAKEN Module for Asterisk"
ASTERISK-29175 #close
Change-Id: I17da008540ee2e8496b644d05f995b320b54ad7a
This avoids the inclusion of the OpenSSL headers in the public header,
which avoids one external library dependency in res_pjsip_stir_shaken.
Change-Id: I6a07e2d81d2b5442e24e99b8cc733a99f881dcf4
Added a new configuration option for PJSIP endpoints - stir_shaken. If
set to yes, then STIR/SHAKEN support will be added to inbound and
outbound INVITEs. The default is no. Alembic has been updated to include
this option.
Previously the dialplan function was not trimming the whitespace from
the parameters it recieved. Now it does.
Also added a conditional that, when TEST_FRAMEWORK is enabled, the
timestamp in the identity header will be overlooked. This is just for
testing, since the testsuite will rely on a SIPp scenario with a preset
identity header to trigger the MISMATCH result.
Change-Id: I43d67f1489b8c1c5729ed3ca8d71e35ddf438df1
Integrated STIR/SHAKEN support with outgoing INVITEs. When an INVITE is
sent, the caller ID will be checked to see if there is a certificate
that corresponds to it. If so, that information will be retrieved and an
Identity header will be added to the SIP message. The format is:
header.payload.signature;info=<public_key_url>alg=ES256;ppt=shaken
Header, payload, and signature are all BASE64 encoded. The public key
URL is retrieved from the certificate. Currently the algorithm and ppt
are ES256 and shaken, respectively. This message is signed and can be
used for verification on the receiving end.
Two new configuration options have been added to the certificate object:
attestation and origid. The attestation is required and must be A, B, or
C. origid is the origination identifier.
A new utility function has been added as well that takes a string,
allocates space, BASE64 encodes it, then returns it, eliminating the
need to calculate the size yourself.
Change-Id: I1f84d6a5839cb2ed152ef4255b380cfc2de662b4
Integrated STIR/SHAKEN support with incoming INVITES. Upon receiving an
INVITE, the Identity header is retrieved, parsing the message to verify
the signature. If any of the parsing fails,
AST_STIR_SHAKEN_VERIFY_NOT_PRESENT will be added to the channel for this
caller ID. If verification itself fails,
AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED will be added. If anything in
the payload does not line up with the SIP signaling,
AST_STIR_SHAKEN_VERIFY_MISMATCH will be added. If all of the above steps
pass, then AST_STIR_SHAKEN_VERIFY_PASSED will be added, completing the
verification process.
A new config option has been added to the general section for
stir_shaken.conf. "signature_timeout" is the amount of time a signature
will be considered valid. If an INVITE is received and the amount of
time between when it was received and when it was signed is greater than
signature_timeout, verification will fail.
Some changes were also made to signing and verification. There was an
error where the whole JSON string was being signed rather than the
header combined with the payload. This has been changed to sign the
correct thing. Verification has been changed to do this as well, and the
unit tests have been updated to reflect these changes.
A couple of utility functions have also been added. One decodes a BASE64
string and returns the decoded string, doing all the length calculations
for you. The other retrieves a string value from a header in a rdata
object.
Change-Id: I855f857be3d1c63b64812ac35d9ce0534085b913
This commit sets up some of the initial framework for the module and
adds a way to read the private key from the specified file, which will
then be appended to the certificate object. This works fine for now, but
eventually some other structure will likely need to be used to store all
this information. Similarly, the caller_id_number is specified on the
certificate config object, but in the end we will want that information
to be tied to the certificate itself and read it from there.
A method has been added that will retrieve the private key associated
with the caller_id_number passed in. Tab completion for certificates and
stores has also been added.
Change-Id: Ic4bc1416fab5d6afe15a8e2d32f7ddd4e023295f
Sean Bright
Ben Ford
Stanislav
Alexander Traud