Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
/*
* Asterisk - - An open source telephony toolkit .
*
* Copyright ( C ) 2023 , Sangoma Technologies Corporation
*
* George Joseph < gjoseph @ digium . com >
*
* See http : //www.asterisk.org for more information about
* the Asterisk project . Please do not directly contact
* any of the maintainers of this project for assistance ;
* the project provides a web site , mailing lists and IRC
* channels for your use .
*
* This program is free software , distributed under the terms of
* the GNU General Public License Version 2. See the LICENSE file
* at the top of the source tree .
*/
2024-11-08 11:22:12 -07:00
# define _TRACE_PREFIX_ "ac",__LINE__, ""
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
# include "asterisk.h"
# include "asterisk/cli.h"
2024-11-08 11:22:12 -07:00
# include "asterisk/logger.h"
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
# include "asterisk/sorcery.h"
# include "asterisk/paths.h"
# include "stir_shaken.h"
# define CONFIG_TYPE "attestation"
# define DEFAULT_global_disable 0
# define DEFAULT_check_tn_cert_public_url check_tn_cert_public_url_NO
# define DEFAULT_private_key_file NULL
# define DEFAULT_public_cert_url NULL
# define DEFAULT_attest_level attest_level_NOT_SET
2024-11-08 11:22:12 -07:00
# define DEFAULT_unknown_tn_attest_level attest_level_NOT_SET
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
# define DEFAULT_send_mky send_mky_NO
static struct attestation_cfg * empty_cfg = NULL ;
struct attestation_cfg * as_get_cfg ( void )
{
struct attestation_cfg * cfg = ast_sorcery_retrieve_by_id ( get_sorcery ( ) ,
CONFIG_TYPE , CONFIG_TYPE ) ;
if ( cfg ) {
return cfg ;
}
return empty_cfg ? ao2_bump ( empty_cfg ) : NULL ;
}
int as_is_config_loaded ( void )
{
struct attestation_cfg * cfg = ast_sorcery_retrieve_by_id ( get_sorcery ( ) ,
CONFIG_TYPE , CONFIG_TYPE ) ;
ao2_cleanup ( cfg ) ;
return ! ! cfg ;
}
generate_acfg_common_sorcery_handlers ( attestation_cfg ) ;
2024-11-08 11:22:12 -07:00
generate_sorcery_enum_from_str_ex ( attestation_cfg , , unknown_tn_attest_level , attest_level , UNKNOWN ) ;
generate_sorcery_enum_to_str_ex ( attestation_cfg , , unknown_tn_attest_level , attest_level ) ;
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
void acfg_cleanup ( struct attestation_cfg_common * acfg_common )
{
if ( ! acfg_common ) {
return ;
}
ast_string_field_free_memory ( acfg_common ) ;
ao2_cleanup ( acfg_common - > raw_key ) ;
}
static void attestation_destructor ( void * obj )
{
struct attestation_cfg * cfg = obj ;
ast_string_field_free_memory ( cfg ) ;
acfg_cleanup ( & cfg - > acfg_common ) ;
}
static void * attestation_alloc ( const char * name )
{
struct attestation_cfg * cfg ;
cfg = ast_sorcery_generic_alloc ( sizeof ( * cfg ) , attestation_destructor ) ;
if ( ! cfg ) {
return NULL ;
}
if ( ast_string_field_init ( cfg , 1024 ) ) {
ao2_ref ( cfg , - 1 ) ;
return NULL ;
}
/*
* The memory for acfg_common actually comes from cfg
* due to the weirdness of the STRFLDSET macro used with
* sorcery . We just use a token amount of memory in
* this call so the initialize doesn ' t fail .
*/
if ( ast_string_field_init ( & cfg - > acfg_common , 8 ) ) {
ao2_ref ( cfg , - 1 ) ;
return NULL ;
}
return cfg ;
}
int as_copy_cfg_common ( const char * id , struct attestation_cfg_common * cfg_dst ,
struct attestation_cfg_common * cfg_src )
{
int rc = 0 ;
if ( ! cfg_dst | | ! cfg_src ) {
return - 1 ;
}
cfg_sf_copy_wrapper ( id , cfg_dst , cfg_src , private_key_file ) ;
cfg_sf_copy_wrapper ( id , cfg_dst , cfg_src , public_cert_url ) ;
cfg_enum_copy ( cfg_dst , cfg_src , attest_level ) ;
cfg_enum_copy ( cfg_dst , cfg_src , check_tn_cert_public_url ) ;
cfg_enum_copy ( cfg_dst , cfg_src , send_mky ) ;
if ( cfg_src - > raw_key ) {
/* Free and overwrite the destination */
ao2_cleanup ( cfg_dst - > raw_key ) ;
cfg_dst - > raw_key = ao2_bump ( cfg_src - > raw_key ) ;
cfg_dst - > raw_key_length = cfg_src - > raw_key_length ;
}
return rc ;
}
int as_check_common_config ( const char * id , struct attestation_cfg_common * acfg_common )
{
SCOPE_ENTER ( 3 , " %s: Checking common config \n " , id ) ;
if ( ! ast_strlen_zero ( acfg_common - > private_key_file )
& & ! ast_file_is_readable ( acfg_common - > private_key_file ) ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: default_private_key_path %s is missing or not readable \n " , id ,
acfg_common - > private_key_file ) ;
}
if ( ENUM_BOOL ( acfg_common - > check_tn_cert_public_url ,
check_tn_cert_public_url )
& & ! ast_strlen_zero ( acfg_common - > public_cert_url ) ) {
RAII_VAR ( char * , public_cert_data , NULL , ast_std_free ) ;
X509 * public_cert ;
size_t public_cert_len ;
int rc = 0 ;
long http_code ;
SCOPE_ENTER ( 3 , " %s: Checking public cert url '%s' \n " ,
id , acfg_common - > public_cert_url ) ;
http_code = curl_download_to_memory ( acfg_common - > public_cert_url ,
& public_cert_len , & public_cert_data , NULL ) ;
if ( http_code / 100 ! = 2 ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: public_cert '%s' could not be downloaded \n " , id ,
acfg_common - > public_cert_url ) ;
}
2025-06-18 14:38:08 -06:00
public_cert = crypto_load_cert_chain_from_memory ( public_cert_data ,
public_cert_len , NULL ) ;
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
if ( ! public_cert ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: public_cert '%s' could not be parsed as a certificate \n " , id ,
acfg_common - > public_cert_url ) ;
}
rc = crypto_is_cert_time_valid ( public_cert , 0 ) ;
X509_free ( public_cert ) ;
if ( ! rc ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: public_cert '%s' is not valid yet or has expired \n " , id ,
acfg_common - > public_cert_url ) ;
}
rc = crypto_has_private_key_from_memory ( public_cert_data , public_cert_len ) ;
if ( rc ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: DANGER!!! public_cert_url '%s' has a private key in the file!!! \n " , id ,
acfg_common - > public_cert_url ) ;
}
SCOPE_EXIT ( " %s: Done \n " , id ) ;
}
if ( ! ast_strlen_zero ( acfg_common - > private_key_file ) ) {
EVP_PKEY * private_key ;
2024-03-05 12:12:08 -07:00
RAII_VAR ( unsigned char * , raw_key , NULL , ast_free ) ;
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
private_key = crypto_load_privkey_from_file ( acfg_common - > private_key_file ) ;
if ( ! private_key ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: Could not extract raw private key from file '%s' \n " , id ,
acfg_common - > private_key_file ) ;
}
acfg_common - > raw_key_length = crypto_extract_raw_privkey ( private_key , & raw_key ) ;
EVP_PKEY_free ( private_key ) ;
if ( acfg_common - > raw_key_length = = 0 | | raw_key = = NULL ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR , " %s: Could not extract raw private key from file '%s' \n " , id ,
acfg_common - > private_key_file ) ;
}
/*
* We ' re making this an ao2 object so it can be referenced
* by a profile instead of having to copy it .
*/
acfg_common - > raw_key = ao2_alloc ( acfg_common - > raw_key_length , NULL ) ;
if ( ! acfg_common - > raw_key ) {
SCOPE_EXIT_LOG_RTN_VALUE ( - 1 , LOG_ERROR ,
" %s: Could not allocate memory for raw private key \n " , id ) ;
}
memcpy ( acfg_common - > raw_key , raw_key , acfg_common - > raw_key_length ) ;
}
SCOPE_EXIT_RTN_VALUE ( 0 , " %s: Done \n " , id ) ;
}
static int attestation_apply ( const struct ast_sorcery * sorcery , void * obj )
{
struct attestation_cfg * cfg = obj ;
const char * id = ast_sorcery_object_get_id ( cfg ) ;
if ( as_check_common_config ( id , & cfg - > acfg_common ) ! = 0 ) {
return - 1 ;
}
return 0 ;
}
static char * attestation_show ( struct ast_cli_entry * e , int cmd , struct ast_cli_args * a )
{
struct attestation_cfg * cfg ;
struct config_object_cli_data data = {
. title = " Default Attestation " ,
. object_type = config_object_type_attestation ,
} ;
switch ( cmd ) {
case CLI_INIT :
e - > command = " stir_shaken show attestation " ;
e - > usage =
" Usage: stir_shaken show attestation \n "
" Show the stir/shaken attestation settings \n " ;
return NULL ;
case CLI_GENERATE :
return NULL ;
}
if ( a - > argc ! = 3 ) {
return CLI_SHOWUSAGE ;
}
2024-07-19 08:46:31 -06:00
if ( ! as_is_config_loaded ( ) ) {
ast_log ( LOG_WARNING , " Stir/Shaken attestation service disabled. Either there were errors in the 'attestation' object in stir_shaken.conf or it was missing altogether. \n " ) ;
return CLI_FAILURE ;
}
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
cfg = as_get_cfg ( ) ;
config_object_cli_show ( cfg , a , & data , 0 ) ;
ao2_cleanup ( cfg ) ;
return CLI_SUCCESS ;
}
static struct ast_cli_entry attestation_cli [ ] = {
AST_CLI_DEFINE ( attestation_show , " Show stir/shaken attestation configuration " ) ,
} ;
int as_config_reload ( void )
{
struct ast_sorcery * sorcery = get_sorcery ( ) ;
ast_sorcery_force_reload_object ( sorcery , CONFIG_TYPE ) ;
if ( ! as_is_config_loaded ( ) ) {
ast_log ( LOG_WARNING , " Stir/Shaken attestation service disabled. Either there were errors in the 'attestation' object in stir_shaken.conf or it was missing altogether. \n " ) ;
}
if ( ! empty_cfg ) {
empty_cfg = attestation_alloc ( CONFIG_TYPE ) ;
if ( ! empty_cfg ) {
return - 1 ;
}
empty_cfg - > global_disable = 1 ;
}
return 0 ;
}
int as_config_unload ( void )
{
ast_cli_unregister_multiple ( attestation_cli ,
ARRAY_LEN ( attestation_cli ) ) ;
ao2_cleanup ( empty_cfg ) ;
return 0 ;
}
int as_config_load ( void )
{
struct ast_sorcery * sorcery = get_sorcery ( ) ;
ast_sorcery_apply_default ( sorcery , CONFIG_TYPE , " config " ,
" stir_shaken.conf,criteria=type= " CONFIG_TYPE " ,single_object=yes,explicit_name= " CONFIG_TYPE ) ;
if ( ast_sorcery_object_register ( sorcery , CONFIG_TYPE , attestation_alloc ,
NULL , attestation_apply ) ) {
ast_log ( LOG_ERROR , " stir/shaken - failed to register '%s' sorcery object \n " , CONFIG_TYPE ) ;
return - 1 ;
}
ast_sorcery_object_field_register_nodoc ( sorcery , CONFIG_TYPE , " type " ,
" " , OPT_NOOP_T , 0 , 0 ) ;
ast_sorcery_object_field_register ( sorcery , CONFIG_TYPE , " global_disable " ,
DEFAULT_global_disable ? " yes " : " no " ,
OPT_YESNO_T , 1 , FLDSET ( struct attestation_cfg , global_disable ) ) ;
2024-11-08 11:22:12 -07:00
enum_option_register_ex ( sorcery , CONFIG_TYPE , unknown_tn_attest_level ,
unknown_tn_attest_level , attest_level , ) ;
Stir/Shaken Refactor
Why do we need a refactor?
The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation. The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.
There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.
Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use. With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.
What's changed?
* Configuration objects have been refactored to be clearer about
their uses and to fix issues.
* The "general" object was renamed to "verification" since it
contains parameters specific to the incoming verification
process. It also never handled ca_path and crl_path
correctly.
* A new "attestation" object was added that controls the
outgoing attestation process. It sets default certificates,
keys, etc.
* The "certificate" object was renamed to "tn" and had it's key
change to telephone number since outgoing call attestation
needs to look up certificates by telephone number.
* The "profile" object had more parameters added to it that can
override default parameters specified in the "attestation"
and "verification" objects.
* The "store" object was removed altogther as it was never
implemented.
* We now use libjwt to create outgoing Identity headers and to
parse and validate signatures on incoming Identiy headers. Our
previous custom implementation was much of the source of the
interoperability issues.
* General code cleanup and refactor.
* Moved things to better places.
* Separated some of the complex functions to smaller ones.
* Using context objects rather than passing tons of parameters
in function calls.
* Removed some complexity and unneeded encapsuation from the
config objects.
Resolves: #351
Resolves: #46
UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.
UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed. The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information. This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added. Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.
2023-10-26 10:27:35 -06:00
register_common_attestation_fields ( sorcery , attestation_cfg , CONFIG_TYPE , ) ;
ast_sorcery_load_object ( sorcery , CONFIG_TYPE ) ;
if ( ! as_is_config_loaded ( ) ) {
ast_log ( LOG_WARNING , " Stir/Shaken attestation service disabled. Either there were errors in the 'attestation' object in stir_shaken.conf or it was missing altogether. \n " ) ;
}
if ( ! empty_cfg ) {
empty_cfg = attestation_alloc ( CONFIG_TYPE ) ;
if ( ! empty_cfg ) {
return - 1 ;
}
empty_cfg - > global_disable = 1 ;
}
ast_cli_register_multiple ( attestation_cli ,
ARRAY_LEN ( attestation_cli ) ) ;
return 0 ;
}
