Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

George's Notes:

  • We need to convert over to X509 certificates instead of EC certificates.
  • We need to send the "dest->tn" object in our Identity header.
  • We need to send a SIP "Date" header. Example from Liviu:
    • Wed, 14 Apr 2021 13:17:35 GMT
  • We're not filtering bad certificate URLs.  The SipVicious guys were able to send a "file:///dev/random" URL which put Asterisk into a spin loop reading random data and writing it to /var/lib/asterisk/keys/stir_shaken/random.
  • We need to clarify and document the 3 types of certificate expiration...
    • We compare the current time to the timestamp sent in the Identity header and reject if there's more than signature_timeout seconds difference.
    • When we retrieve the certificate using the URL in the Identity header, we compare the HTTP "Cache-Control"  "max-age" parameter or the Expires header to the time we cached the certificate the last time we retrieved it.
    • OpenSSL looks at the certificate valid date range.
  • Right now we fail if there's no "Cache-Control" or "Expires" header in the HTTP response we reject.  That's not good.
  • We're using Base64 to encode and decode stuff and we should be using Base64URL instead.
  • We should be using randomly generated UUID for every request's orgid
  • We're saving certs in /var/lib/asterisk/keys/stir_shaken with the same name as in the URL.  For instance: http://asterisk.opensipit.net/cert.pem is saved as  /var/lib/asterisk/keys/stir_shaken/cert.pem.  If another request comes in like http://opensips.opensipit.net/cert.pem, we overwrite Asterisk's cert.pem.  We need to save the cert using the cert's serial number rather than its file name.
  • There are some error situations where the RFC says we MUST return a certain response code but we're leaving it to the dialplan author to check and reject and there's currently no way for the dialplan author to send specific SIP response codes.  I suggest we do 2 things...
    • Create a pjsip dialplan function that can set a specific SIP response code for Hangup() to use.
    • Split the stir_shaken endpoint option to 2 options...
      • stir_shaken_attest = (yes | no) to control whether we send an Identity header or not

      • stir_shaken_verify = ( no | permissive | enforce ) where permissive would be the behavior we have today where we leave handling the verification result it up to the dialplan author and where enforcing makes res_pjsip_stir_shaken automatically send back the correct response code on failure.
  • We need enhance the STIR_SHAKEN dialplan function to add a verify_result_code code to get a numeric verification result code instead of the text result message.
  • We need to update the documentation for the STIR_SHAKEN function to include the possible result codes and messages.
  • When Asterisk is compiled with TEST_FRAMEWORK res_pjsip_stir_shaken doesn't do the check for the timestamp in the Identity header.  It should.

...