This module implements STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) as specified in RFC 8224 and RFC 8588, including X.509 certificate path validation of the signing certificate (ATIS "Signature-based Handling of Asserted information using toKENs (SHAKEN)", RFC 5280 section 6 "Certification Path Validation"). The stirshaken module exports functions to generate a PASSporT wrapped into a SIP Identity header and to check one.

For call authentication two functions are available: stirshaken_add_identity(...), which signs with the default key configured through as_default_key (the Authentication Service), and stirshaken_add_identity_with_key(..., keyPath), which signs with the key given as its last argument.

For call verification three functions are available: stirshaken_check_identity() (through the Verification Service), stirshaken_check_identity_with_key(keyPath) and stirshaken_check_identity_with_cert(certPath). stirshaken_check_identity() offers the most comprehensive check, because only this function can download the certificate referenced by the PASSporT's x5u header (if needed), cache it, and validate it with the X.509 certificate path check. Use it as the default verification mechanism; stirshaken_check_identity_with_key(keyPath) and stirshaken_check_identity_with_cert(certPath) only verify the signature against a locally supplied key or certificate and are provided for completeness.
| Parameter | Type | Description |
|---|---|---|
| as_default_key | str | SSL private key to be used as the default. A default key must be set if stirshaken_add_identity() is called. When set, the module starts the Authentication Service, which makes each call to stirshaken_ad |
| vs_verify_x509_cert_path | int | If set, stirshaken_check_identity() executes the X509 certificate path check on the certificate referenced in the PASSporT. This parameter has no meaning for calls to stirshaken_check_identity_with_key(key) |
| vs_ca_dir | str | The path to a folder containing CA root certificates with hashed file names. If set, it must point to an existing directory. This must be set when the X509 certificate path check is enabled, otherwise no end entity c |
| vs_crl_dir | str | The path to a folder containing CRLs. If set, it must point to an existing directory. This is optional when the X509 certificate path check is enabled; only vs_ca_dir is mandatory. If X509 certificate path c |
| vs_identity_expire_s | int | This parameter defines the maximum time in seconds for which a PASSporT is considered valid. |
| vs_connect_timeout_s | int | During call verification with stirshaken_check_identity() a blocking HTTP(S) call is executed to download the certificate referenced in the PASSporT (unless certificate caching is turned on and a valid cert |
| vs_cache_certificates | int | If set, certificate caching is turned on. This means that certificates downloaded during call verification with stirshaken_check_identity() are cached inside vs_cache_dir and will be loaded fro |
| vs_cache_dir | str | If vs_cache_certificates is set then vs_cache_dir must be set too and point to an existing directory. Cached certificates are saved in this directory and loaded from there when needed during call ve |
| vs_cache_expire_s | int | If vs_cache_certificates is set then cached certificates are saved in the vs_cache_dir directory and loaded from there when needed during call verification executed with stirshaken_check_identity(), as |
| vs_certsubject_pvname | str | If vs_certsubject_pvname is set then the Subject of the authenticated X509 certificate is written to this pseudo-variable when stirshaken_check_identity() is executed. If the Identity header cann |
| vs_pptgrants_pvname | str | If vs_pptgrants_pvname is set then the JSON string of the authenticated PASSporT's grants is written to this pseudo-variable when stirshaken_check_identity() is executed. If the Identity header c |
4.1. stirshaken_check_identity()

Check the validity of the Identity header by verifying the PASSporT's signature with the certificate referenced in its x5u header and (optionally) checking that certificate for being trusted through the X509 certificate path check against the CA root certificates in vs_ca_dir (

4.2. stirshaken_check_identity_with_key(keyPath)

Check the validity of the Identity header by verifying the PASSporT's signature with a key read from the location provided. The PASSporT's iat grant is also checked for being too fresh or expired against vs_identity_expire_s seconds. This method does not invo

4.3. stirshaken_check_identity_with_cert(certPath)

Same as stirshaken_check_identity_with_key(keyPath), but the key is taken from the certificate read from the location provided.

4.4. stirshaken_add_identity(x5u, attest, origtn_val, desttn_val, origid)

Add a SIP Identity header to the call using the default private key (see the as_default_key parameter), authenticating the call with STIR/SHAKEN. If origid is empty, a UUID string is generated to fill the field. The origtn_val represents the origination telephone number

4.5. stirshaken_add_identity_with_key(x5u, attest, origtn_val, desttn_val, origid, keyPath)

Same as stirshaken_add_identity(), but using the key read from the location provided as the last parameter.
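A complete kamailio.cfg fragment tying the parameters above to the verification and authentication functions, added here as an illustration; it is not taken from the module's own documentation. The file paths, the certificate URL, the 198.51.100.0/24 trusted network, the $var names and the SIP response codes (428 and 438, from RFC 8224) are assumptions, and the routes assume the module functions follow the usual Kamailio convention of returning a positive value on success and a negative one on failure, which this page does not state.

```kamailio
#!KAMAILIO
# Added example configuration, not from the stirshaken module documentation.
# Paths, URLs, network ranges and pseudo-variable names are assumptions.

loadmodule "sl.so"
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "stirshaken.so"

# Authentication Service: outbound calls are signed with this key (assumed path)
modparam("stirshaken", "as_default_key", "/etc/kamailio/stirshaken/sp-key.pem")

# Verification Service: a signature check alone proves nothing about who signed,
# so the X509 path check against our trusted roots is switched on.
modparam("stirshaken", "vs_verify_x509_cert_path", 1)
modparam("stirshaken", "vs_ca_dir", "/etc/kamailio/stirshaken/ca")    # root CAs, file names hashed (openssl rehash)
modparam("stirshaken", "vs_crl_dir", "/etc/kamailio/stirshaken/crl")  # optional revocation lists
modparam("stirshaken", "vs_identity_expire_s", 60)                    # accepted iat window for a PASSporT
modparam("stirshaken", "vs_connect_timeout_s", 5)                     # bounds the blocking x5u download
modparam("stirshaken", "vs_cache_certificates", 1)
modparam("stirshaken", "vs_cache_dir", "/var/cache/kamailio/stirshaken")
modparam("stirshaken", "vs_cache_expire_s", 3600)
modparam("stirshaken", "vs_certsubject_pvname", "$var(cert_subject)")
modparam("stirshaken", "vs_pptgrants_pvname", "$var(ppt_grants)")

request_route {
    # Only initial INVITEs carry (or need) an Identity header
    if (is_method("INVITE") && !has_totag()) {
        if (src_ip == 198.51.100.0/24) {
            # assumed: our own subscriber-facing network, call is leaving towards peers
            route(OUTBOUND_AUTH);
        } else {
            route(INBOUND_VERIFY);
        }
    }
    # ... normal call routing continues here
}

route[OUTBOUND_AUTH] {
    # $fU and $rU are assumed to be already normalised to E.164 by earlier logic.
    # "A" is full attestation: we authenticated the subscriber and its right to use $fU.
    # An empty origid makes the module generate a fresh UUID for the call.
    if (!stirshaken_add_identity("https://sp.example.net/certs/sp.pem", "A", "$fU", "$rU", "")) {
        xlog("L_ERR", "STIR/SHAKEN signing failed for $fU -> $rU\n");
        sl_send_reply("500", "Server Internal Error");
        exit;
    }
}

route[INBOUND_VERIFY] {
    if (!is_present_hf("Identity")) {
        # RFC 8224 response when an Identity header is required but missing
        sl_send_reply("428", "Use Identity Header");
        exit;
    }
    # Fetches (or loads from cache) the x5u certificate, verifies the signature,
    # enforces the vs_identity_expire_s window on iat and runs the X509 path check.
    if (!stirshaken_check_identity()) {
        xlog("L_WARN", "Rejected INVITE from $si: invalid Identity header ($fU -> $rU)\n");
        sl_send_reply("438", "Invalid Identity Header");
        exit;
    }
    xlog("L_INFO", "Verified call $fU -> $rU, signer: $var(cert_subject), grants: $var(ppt_grants)\n");
}
```

Leaving vs_verify_x509_cert_path unset would make stirshaken_check_identity() accept whatever certificate the caller points to in x5u, so the verified signature would only prove that the header was signed by the party that chose the URL; the path check against vs_ca_dir is what turns that into an attestation by a trusted signer. vs_connect_timeout_s matters because the certificate download blocks the worker process handling the INVITE, and a slow or unreachable x5u host should cost at most that many seconds.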
Copyright © 2021 https://www.signalwire.com