kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2026-01-21 17:12:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

stir_shaken: CRL fixes and a new CLI command

Browse Source 
* Fixed a bug in crypto_show_cli_store that was causing asterisk
to crash if there were certificate revocation lists in the
verification certificate store.  We're also now prefixing
certificates with "Cert:" and CRLs with "CRL:" to distinguish them
in the list.

* Added 'untrusted_cert_file' and 'untrusted_cert_path' options
to both verification and profile objects.  If you have CRLs that
are signed by a different CA than the incoming X5U certificate
(indirect CRL), you'll need to provide the certificate of the
CRL signer here.  Thse will show up as 'Untrusted" when showing
the verification or profile objects.

* Fixed loading of crl_path.  The OpenSSL API we were using to
load CRLs won't actually load them from a directory, only a file.
We now scan the directory ourselves and load the files one-by-one.

* Fixed the verification flags being set on the certificate store.
  - Removed the CRL_CHECK_ALL flag as this was causing all certificates
    to be checked for CRL extensions and failing to verify the cert if
    there was none.  This basically caused all certs to fail when a CRL
    was provided via crl_file or crl_path.
  - Added the EXTENDED_CRL_SUPPORT flag as it is required to handle
    indirect CRLs.

* Added a new CLI command...
`stir_shaken verify certificate_file <certificate_file> [ <profile> ]`
which will assist troubleshooting certificate problems by allowing
the user to manually verify a certificate file against either the
global verification certificate store or the store for a specific
profile.

* Updated the XML documentation and the sample config file.

Resolves: #809
(cherry picked from commit d7343d2ba7)
This commit is contained in:
George Joseph
2024-07-19 08:46:31 -06:00
committed by Asterisk Development Team
parent 43ca5c0bf9
commit 4539664c52
9 changed files with 710 additions and 178 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
configs/samples/stir_shaken.conf.sample
View File

@@ -209,16 +209,22 @@ CA certififcate to you separately.
Default: no
-- ca_file -----------------------------------------------------------
Path to a single file containing a CA certificate or certificate chain
to be used to validate the certificates in incoming requests.
Path to a file containing one or more CA certs in PEM format.
These certs are used to verify the chain of trust for the
certificate retrieved from the X5U Identity header parameter. This
file must have the root CA certificate, the certificate of the
issuer of the X5U certificate, and any intermediate certificates
between them.
Default: none
-- ca_path -----------------------------------------------------------
Path to a directory containing one or more CA certificates to be used
to validate the certificates in incoming requests. The files in that
directory must contain only one certificate each and the directory
must be hashed using the OpenSSL 'c_rehash' utility.
Path to a directory containing one or more hashed CA certs.
See ca_file above.
For this option, each certificate must be placed in its own
PEM file in the directory specified and hashed with the
following command:
`openssl rehash <ca_path>`
Default: none
@@ -226,21 +232,50 @@ NOTE: Both ca_file and ca_path can be specified but at least one
MUST be.
-- crl_file -----------------------------------------------------------
Path to a single file containing a CA certificate revocation list
to be used to validate the certificates in incoming requests.
Path to a file containing one or more CRLs in PEM format.
If you with to check if the certificate in the X5U Identity header
parameter has been revoked, you'll need the certificate revocation
list generated by the issuer.
Default: none
-- crl_path -----------------------------------------------------------
Path to a directory containing one or more CA certificate revocation
lists to be used to validate the certificates in incoming requests.
The files in that directory must contain only one certificate each and
the directory must be hashed using the OpenSSL 'c_rehash' utility.
Path to a directory containing one or more hashed CRLs.
See crl_file above.
For this option, each CRL must be placed in its own
PEM file in the directory specified and hashed with the
following command:
`openssl rehash <crl_path>`
Default: none
NOTE: Neither crl_file nor crl_path are required.
-- untrusted_cert_file ------------------------------------------------
Path to a file containing one or more untrusted certs in PEM format.
Unfortunately, sometimes the CRLs are signed by a different CA
than the certificate being verified. In this case, you'll need to
provide the certificate belonging to the issuer of the CRL. That
certificate is considered "untrusted" by OpenSSL and can't be placed
in the ca_file or ca_path. It has to be specified here.
Default: none
-- untrusted_cert_path ------------------------------------------------
Path to a directory containing one or more hashed untrusted certs used
to verify CRLs.
See untrusted_cert_file above.
For this option, each certificates must be placed in its own
PEM file in the directory specified and hashed with the
following command:
`openssl rehash <ca_path>`
Default: none
NOTE: Neither untrusted_cert_file nor untrusted_cert_path are required
unless you're verifying CRLs that aren't signed by the same CA as the
X5U certificate.
-- cert_cache_dir -----------------------------------------------------
Incoming Identity headers will have a URL pointing to the certificate
used to sign the header. To prevent us from having to retrieve the