Commit
THIS IS A DRAFT PR/COMMIT and will not be merged as is. To make reviewing easier, there's an earlier commit that removes the existing completely. Otherwise, the review diffs would be an unfollowable mess of deletions and additions. The final commit will be a traditional single "update" commit without the removal.

There are also outstanding items that I'm waiting on resolution of.

* Do we need to support the compact form of the Identity PASSporT? Based on ATIS-1000074, I don't _think_ we do but I'm awaiting clarification. NOT AT THIS TIME.
* ATIS-1000074 also states that we must not follow redirections or attempt to retrieve certificates using URLs that have user:password components or path or query parameters. I still need to implement that check. DONE.
* RFC-8224 says we must include one or more "mky" Media Key entries in the PASSporT containing the fingerprints in the SDP if DTLS is in use. Although this is now implemented, it defaults to "off" because I can't find any other implementation that respects them. In fact, OpenSIPS will fail to validate any Identity header that has them.
* Many enums and functions that are private to res_stir_shaken still have "ast_stir_shaken" prefixes on them. They should be renamed just for clarity's sake.
* It was my intention to have the stir-shaken internals set error codes and text responses in the contexts to be passed back to the outside caller so the caller could decide whether to emit messages or not. I never got to that and need to either implement that or remove the associated fields in the contexts and clean up the error messages.

Things that need to be done outside this commit:

* Implement a dialplan function that allows a dialplan author to reject a call with a specific SIP response code if they deem it necessary based on the stir-shaken results passed to them. DONE
* Add alembic scripts so the configuration can be database based.
* Decide if/how to implement RFC-9090 Certificate Delegation.
* Decide if/how to implement validation of the TNAuthList extension in certificates. Right now we only validate that it's present, not its content.
* Decide if/how to implement RFC-8946 Diverted Calls.
* Decide if/how to handle multiple Identity headers.
* Decide if/how to handle passing received Identity headers to an outgoing INVITE.

REAL COMMIT MESSAGE:

Why do we need a refactor?

The original stir/shaken implementation was started over 3 years ago when little was understood about practical implementation. The result was an implementation that, until now, wouldn't interoperate with any other stir-shaken implementations. There were also a number of stir-shaken features and RFC requirements that were never implemented, such as TNAuthList certificate validation, sending Reason headers in SIP responses when verification failed but we wished to continue the call, and the ability to send Media Key (mky) grants in the Identity header when the call involved DTLS. Finally, there were some performance concerns around outgoing calls and selection of the correct certificate and private key. The configuration was keyed by an arbitrary name, which meant that for every outgoing call we had to scan the entire list of configured TNs to find the correct cert to use. With only a few TNs configured, this wasn't an issue, but if you have a thousand, it could be.

What's changed?

* Configuration objects have been refactored to be clearer about their uses and to fix issues.
  * The "general" object was renamed to "verification" since it contains parameters specific to the incoming verification process. It also never handled ca_path and crl_path correctly.
  * A new "attestation" object was added that controls the outgoing attestation process. It sets default certificates, keys, etc.
  * The "certificate" object was renamed to "tn" and had its key changed to telephone number since outgoing call attestation needs to look up certificates by telephone number.
  * The "profile" object had more parameters added to it that can override default parameters specified in the "attestation" and "verification" objects.
  * The "store" object was removed altogether as it was never implemented.
* We now use libjwt to create outgoing Identity headers and to parse and validate signatures on incoming Identity headers. Our previous custom implementation was much of the source of the interoperability issues.
* General code cleanup and refactor.
  * Moved things to better places.
  * Separated some of the complex functions into smaller ones.
  * Using context objects rather than passing tons of parameters in function calls.
  * Removed some complexity and unneeded encapsulation from the config objects.

UserNote: Asterisk's stir-shaken feature has been refactored to correct interoperability, RFC compliance, and performance issues. See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more information.

UpgradeNote: The stir-shaken refactor is a breaking change, but since it's not working now we don't think it matters. The stir_shaken.conf file has changed significantly, which means that existing ones WILL need to be changed. The stir_shaken.conf.sample file in configs/samples/ has quite a bit more information. This is also an ABI breaking change since some of the existing objects needed to be changed or removed, and new ones added.
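As an added example (not Asterisk's code, and not part of the commit) of the ATIS-1000074 certificate-URL rule the message refers to, here is a pre-fetch filter that rejects x5u URLs carrying user:password, path parameters or a query. Function and enum names are hypothetical, and the https-only rule, the ';' reading of "path parameter" and the treatment of '#' fragments are assumptions noted in the comment.

```c
/* Added example, not Asterisk's code: a pre-fetch sanity check for an x5u
 * certificate URL, modelled on the ATIS-1000074 rule quoted in the message
 * (no user:password, no path parameters, no query). Assumptions: names are
 * hypothetical; "path parameter" is read as a ';' segment in the path; only
 * https is accepted; a '#' fragment is rejected like a query. Redirects must
 * additionally be disabled in the HTTP client that fetches the URL. */
#include <ctype.h>
#include <string.h>

enum x5u_verdict {
	X5U_OK = 0, X5U_BAD_SCHEME, X5U_NO_HOST,
	X5U_HAS_USERINFO, X5U_HAS_QUERY, X5U_HAS_PATH_PARAM
};

/* Case-insensitive test for a leading "https://"; stops at the first
 * mismatch, so a short string never reads past its terminator. */
static int has_https_scheme(const char *url)
{
	static const char scheme[] = "https://";
	size_t i;

	for (i = 0; i < sizeof(scheme) - 1; i++) {
		if (tolower((unsigned char) url[i]) != scheme[i]) {
			return 0;
		}
	}
	return 1;
}

/* Returns X5U_OK when the URL may be fetched, else the first rule it breaks. */
enum x5u_verdict x5u_url_check(const char *url)
{
	const char *rest, *slash;
	size_t authority_len;

	if (!url || !has_https_scheme(url)) return X5U_BAD_SCHEME;
	rest = url + strlen("https://");
	/* A query or fragment anywhere after the scheme is disqualifying. */
	if (strpbrk(rest, "?#")) return X5U_HAS_QUERY;
	/* The authority runs up to the first '/', or to the end of the string. */
	slash = strchr(rest, '/');
	authority_len = slash ? (size_t) (slash - rest) : strlen(rest);
	if (authority_len == 0) return X5U_NO_HOST;
	/* user[:password]@host: an '@' inside the authority. */
	if (memchr(rest, '@', authority_len)) return X5U_HAS_USERINFO;
	/* Path parameters such as /certs;v=2/sp.pem. */
	if (slash && strchr(slash, ';')) return X5U_HAS_PATH_PARAM;
	return X5U_OK;
}
```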