Table of Contents
secsipid_check_identity(keyPath)
secsipid_check_identity_pubkey(pubkeyVal)
secsipid_check(sIdentity, keyPath)
secsipid_verify(sIdentity, keyVal, opts)
secsipid_get_url(url, ovar)
secsipid_add_identity(origTN, destTN, attest, origID, x5u, keyPath)
secsipid_build_identity(origTN, destTN, attest, origID, x5u, keyPath)
secsipid_build_identity_prvkey(origTN, destTN, attest, origID, x5u, keyData)
secsipid_sign(sheaders, spayload, keyPath)
secsipid_sign_prvkey(sheaders, spayload, keyData)
List of Examples
Set expire parameter
Set timeout parameter
Set cache_dir parameter
Set cache_expire parameter
Set modproc parameter
Set libopt parameter
secsipid_check_identity usage
secsipid_check_identity_pubkey usage
secsipid_check usage
secsipid_verify usage
secsipid_get_url usage
secsipid_add_identity usage
secsipid_build_identity usage
secsipid_build_identity_prvkey usage
secsipid_sign usage
secsipid_sign_prvkey usage
The module implements the secure SIP identity specifications STIR (Secure Telephony Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), the IETF extensions for SIP defined in RFC 8224 and RFC 8588, known together as STIR/SHAKEN.
It exports functions to check and generate the SIP Identity header.
Note that this module needs the "secsipid_proc.so" module to be installed, but "secsipid_proc.so" must not be loaded via "loadmodule". This module loads "secsipid_proc.so" itself in its child init callback, so that "libsecsipid" is initialized once per child process.
The libsecsipid is provided by secsipidx project: https://github.com/asipto/secsipidx.
In case of failure, the functions in this module return the error codes (negative values) defined in the libsecsipid code, near the top of: https://github.com/asipto/secsipidx/blob/main/secsipid/secsipid.go.
The following modules must be installed (but not loaded) to use this module:
secsipid_proc.
expire
The interval in seconds after which the Identity header JWT is considered to be expired, measured from the "iat" timestamp in the JWT payload.
Default value is 300.
timeout
The interval in seconds after which the HTTP GET operation to download the public key times out.
Default value is 5.
cache_dir
The path to the directory where cached public keys are saved. If set, it activates the public key file caching in the libsecsipid library. The directory should be writable only by the user Kamailio runs as: anything that can write there can replace the cached key a later verification will trust.
Default value is "".
Example 1.3. Set cache_dir parameter
...
modparam("secsipid", "cache_dir", "/tmp/kamailio/secsipid")
...
cache_expire
The interval in seconds after which a cached public key is considered expired. This value is passed to the libsecsipid library.
Default value is 3600.
modproc
The name of or the path to the required per-process API module.
Default value is "secsipid_proc.so".
Check the validity of the Identity header using the keys stored in the file specified by "keyPath". If the parameter is empty, the function downloads the key from the URL in the "info" parameter of the Identity header, limiting the download time with the "timeout" parameter. The validity of the JWT body in the Identity header is also checked against the "expire" parameter. Note that with an empty "keyPath" the key location is taken from the incoming message itself; deciding which signers to trust remains a matter for the configuration.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.7. secsipid_check_identity usage
...
request_route {
    ...
    if(secsipid_check_identity("/secsipid/$si/cert.pem")) {
        ...
    }
    ...
    if(secsipid_check_identity("")) {
        ...
    }
    ...
}
...
Further checks can be done with config operations, decoding the JWT header and payload using the {s.select} and {s.decode.base64t} transformations together with the jansson module.
Similar to secsipid_check_identity() with the public key value provided in the parameter.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.8. secsipid_check_identity_pubkey usage
...
request_route {
    ...
    http_client_query("https://provider.com/stir-shaken/cert.pem", "$var(pubkey)");
    ...
    if(secsipid_check_identity_pubkey("$var(pubkey)")) {
        ...
    }
    ...
}
...
Check the validity of the "sIdentity" parameter using the keys stored in the file specified by "keyPath". If the keyPath parameter is empty, the function downloads the key from the URL in the "info" parameter of sIdentity, limiting the download time with the "timeout" parameter. The validity of the JWT in the sIdentity value is also checked against the "expire" parameter.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.9. secsipid_check usage
...
request_route {
    ...
    if(secsipid_check("...", "/secsipid/$si/cert.pem")) {
        ...
    }
    ...
    if(secsipid_check("...", "")) {
        ...
    }
    ...
}
...
Further checks can be done with config operations, decoding the JWT header and payload using the {s.select} and {s.decode.base64t} transformations together with the jansson module.
Check the validity of the "sIdentity" parameter using the key value given in the parameter "keyVal". The validity of the JWT in the sIdentity value is also checked against the "expire" parameter.
The "opts" parameter provides the verify options:
A (uppercase) - skip verifying the attributes in the JWT header.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.10. secsipid_verify usage
...
request_route {
    ...
    secsipid_get_url("https://provider.com/stir-shaken/cert.pem", "$var(pubkey)");
    if(secsipid_verify("$hdr(Identity)", "$var(pubkey)", "A")) {
        ...
    }
    ...
}
...
Further checks can be done with config operations, decoding the JWT header and payload using the {s.select} and {s.decode.base64t} transformations together with the jansson module.
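The "further checks" mentioned for secsipid_check_identity(), secsipid_check() and secsipid_verify() above, carried out in a route. This is an added example and not code from the module documentation or the secsipidx project. It verifies the header with secsipid_check_identity(""), then extracts the JWT from the header value, decodes the payload with the {s.select} and {s.decode.base64t} transformations and reads claims with jansson_get(). The route name, the 438 reply (the code RFC 8224 defines for an invalid Identity header), the rule that the signed orig.tn must equal the From user, and the use of is_present_hf() (textops) and sl_send_reply() (sl) are assumptions of this example; the TN comparison presumes the From user is already normalized to the same digits-only form used in the PASSporT.

```kamailio
# Added example: verify the Identity header, then inspect the PASSporT payload.
# Assumes modules: secsipid, jansson, textops (is_present_hf), sl (sl_send_reply).
route[STIR_VERIFY] {
    if(!is_present_hf("Identity")) {
        xlog("L_INFO", "no Identity header on request from $si for $fU -> $rU\n");
        return;
    }

    # Empty keyPath: the public key is fetched from the "info" URL carried in
    # the Identity header itself, bounded by the "timeout" parameter, and the
    # JWT age is checked against "expire".
    if(!secsipid_check_identity("")) {
        xlog("L_WARN", "Identity verification failed for $fU -> $rU from $si\n");
        sl_send_reply("438", "Invalid Identity Header");
        exit;
    }

    # Header value is "<jwt>;info=<url>;alg=ES256;ppt=shaken": the JWT is the
    # part before the first ';', its payload is the middle dot-separated
    # segment, base64url encoded.
    $var(jwt) = $(hdr(Identity){s.select,0,;});
    $var(payload) = $(var(jwt){s.select,1,.}{s.decode.base64t});

    # $var(...) keeps its value across messages, so a failed lookup must be
    # treated as a failure rather than silently reusing the previous call's data.
    if(!jansson_get("attest", $var(payload), "$var(attest)")
            || !jansson_get("orig.tn", $var(payload), "$var(origtn)")
            || !jansson_get("dest.tn[0]", $var(payload), "$var(desttn)")) {
        xlog("L_WARN", "Identity payload missing required claims: $var(payload)\n");
        sl_send_reply("438", "Invalid Identity Header");
        exit;
    }

    # A valid signature only proves what the signer asserted; policy decides
    # what to accept. Here the signed origination TN must match the From user
    # (assumption: both already normalized to digits-only E.164).
    if($var(origtn) != $fU) {
        xlog("L_WARN", "Identity orig.tn $var(origtn) does not match From user $fU\n");
        sl_send_reply("438", "Invalid Identity Header");
        exit;
    }

    # Keep the attestation level for later routing decisions.
    $avp(stir_attest) = $var(attest);
    xlog("L_INFO", "Identity verified: attest=$var(attest) orig=$var(origtn) dest=$var(desttn)\n");
}
```

The route is meant to be called from request_route for INVITEs; signature verification and claim inspection are kept as separate steps so that a change of verification function (for example secsipid_verify() with a locally configured key) does not touch the claim checks.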
Get the content of a URL and store the result in a variable. The result is cached by libsecsipid, if caching is enabled.
The url parameter can contain pseudo-variables and ovar has to be the name of a writable pseudo-variable.
This function can be used from ANY_ROUTE.
Example 1.11. secsipid_get_url usage
...
request_route {
    ...
    if(secsipid_get_url("https://$fd/stirshaken/cert.pem", "$var(pubkey)")) {
        ...
    }
    ...
}
...
Add the Identity header, using the key specified by "keyPath" to sign the JWT body. If origID is empty, a UUID string is generated to fill the field. The origTN represents the origination telephone number; destTN represents the destination telephone number; x5u is the HTTP URL referencing the public key that should be used to verify the signature; attest represents the attestation level (it should be "A", "B" or "C").
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.12. secsipid_add_identity usage
...
request_route {
    ...
    secsipid_add_identity("$fU", "$rU", "A", "", "https://kamailio.org/stir/$rd/cert.pem", "/secsipid/$rd/key.pem");
    ...
}
...
Build the Identity value, using the key specified by "keyPath" to sign the JWT body. If origID is empty, a UUID string is generated to fill the field. The origTN represents the origination telephone number; destTN represents the destination telephone number; x5u is the HTTP URL referencing the public key that should be used to verify the signature; attest represents the attestation level (it should be "A", "B" or "C"). On success, the Identity value is stored in the variable $secsipid(val). It also sets $secsipid(ret) to the return value of the libsecsipid functions.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.13. secsipid_build_identity usage
...
request_route {
    ...
    if(secsipid_build_identity("$fU", "$rU", "A", "", "https://kamailio.org/stir/$rd/cert.pem", "/secsipid/$rd/key.pem")) {
        xinfo("Identity value: $secsipid(val)\n");
    }
    ...
}
...
Similar to secsipid_build_identity(), but the private key data is provided as a parameter instead of the file path.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.14. secsipid_build_identity_prvkey usage
...
request_route {
    ...
    if(secsipid_build_identity_prvkey("$fU", "$rU", "A", "", "https://kamailio.org/stir/$rd/cert.pem", "$var(prvkey)")) {
        xinfo("Identity value: $secsipid(val)\n");
    }
    ...
}
...
Build the Identity value, using the key specified by "keyPath" to sign the JWT body. The sheaders and spayload have to be the string representation of the JSON headers and payload to be signed. On success, the Identity value is stored in the variable $secsipid(val). It also sets $secsipid(ret) to the return value of the libsecsipid functions.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.15. secsipid_sign usage
...
request_route {
    ...
    if(secsipid_sign("_JSON_HEADERS_", "_JSON_PAYLOAD_", "/secsipid/$rd/key.pem")) {
        xinfo("Identity value: $secsipid(val)\n");
    }
    ...
}
...
Build the Identity value, using the private key given by "keyData" to sign the JWT body. The sheaders and spayload have to be the string representation of the JSON headers and payload to be signed. On success, the Identity value is stored in the variable $secsipid(val). It also sets $secsipid(ret) to the return value of the libsecsipid functions.
The parameters can contain pseudo-variables.
This function can be used from ANY_ROUTE.
Example 1.16. secsipid_sign_prvkey usage
...
request_route {
    ...
    if(secsipid_sign_prvkey("_JSON_HEADERS_", "_JSON_PAYLOAD_", "_PRIVATE_KEY_")) {
        xinfo("Identity value: $secsipid(val)\n");
    }
    ...
}
...
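A signing route that gives the _JSON_HEADERS_ and _JSON_PAYLOAD_ placeholders of the secsipid_sign() and secsipid_sign_prvkey() examples concrete content, and that picks the attestation level the secsipid_add_identity() and secsipid_build_identity() descriptions leave to the caller. This is an added example, not code from the module documentation or the secsipidx project. The protected header fields and payload claims follow the SHAKEN PASSporT (RFC 8225, RFC 8588). The route name, the "owntn" htable used to decide between "A" and "B", the x5u and key path layout (taken from the page's own examples), and the use of $uuid(g) (uuid module) and append_hf() (textops) are assumptions of this example; it appends $secsipid(val) as the header value on the basis of the text above, which says the function stores the Identity value there.

```kamailio
# Added example: sign INVITEs from authenticated local users with a hand-built
# PASSporT. Assumes modules: secsipid, htable (table "owntn" listing the TNs
# this provider is authorized for), uuid ($uuid(g)), textops (append_hf).
route[STIR_SIGN] {
    if(!is_method("INVITE")) return;

    # Attestation level is policy, not cryptography: "A" only when the caller
    # is authenticated and the From TN is one this provider is authorized for,
    # "B" when the customer is authenticated but the TN is not in the list.
    # Unauthenticated requests are not signed at all.
    if($au == $null) return;
    if($sht(owntn=>$fU) != $null) {
        $var(attest) = "A";
    } else {
        $var(attest) = "B";
    }

    # URL of the certificate the verifier will fetch (layout from the page's examples).
    $var(x5u) = "https://kamailio.org/stir/$rd/cert.pem";

    # PASSporT protected header: ES256 signature, "shaken" extension,
    # type "passport", and the x5u location.
    $var(hdr) = "{\"alg\":\"ES256\",\"ppt\":\"shaken\",\"typ\":\"passport\",\"x5u\":\"$var(x5u)\"}";

    # PASSporT payload: attest, dest.tn (an array), iat (unix time now, $Ts),
    # orig.tn, and a fresh UUID as origid. With secsipid_sign() the payload is
    # entirely the caller's responsibility, so origid must be supplied here.
    $var(payload) = "{\"attest\":\"$var(attest)\",\"dest\":{\"tn\":[\"$rU\"]},\"iat\":$Ts,\"orig\":{\"tn\":\"$fU\"},\"origid\":\"$uuid(g)\"}";

    if(!secsipid_sign("$var(hdr)", "$var(payload)", "/secsipid/$rd/key.pem")) {
        xlog("L_ERR", "failed to sign Identity for $fU -> $rU (ret $secsipid(ret))\n");
        return;
    }
    append_hf("Identity: $secsipid(val)\r\n");
    xlog("L_INFO", "signed $fU -> $rU with attest=$var(attest)\n");

    # The same header, without writing the JSON by hand, would be produced by:
    # secsipid_add_identity("$fU", "$rU", "$var(attest)", "", "$var(x5u)", "/secsipid/$rd/key.pem");
}
```

Hand-building the PASSporT is only worth it when claims beyond the five above are needed; otherwise secsipid_add_identity() with the chosen attestation level is the shorter and less error-prone path. Whichever function is used, the private key path should be readable by the Kamailio user only.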
The module needs the "secsipid_proc.so" module, which depends on "libsecsipid", a component of the "secsipidx" project from https://github.com/asipto/secsipidx/. The library is implemented in the Go language, with a generated C API and library.
To generate the libsecsipid files, the Go language must be installed and its environment configured; then run the following commands (with GO111MODULE=off, "go get" takes an import path, not an https URL):
Example 1.17. Libsecsipid Usage
...
export GO111MODULE=off
go get github.com/asipto/secsipidx
cd $GOPATH/src/github.com/asipto/secsipidx/csecsipid/
make all
make install

cd /path/to/kamailio/
make include_modules="secsipid secsipid_proc ..." cfg
make all
make install

## or compiling individual modules for use inside source tree
# make modules modules=src/modules/secsipid_proc
# make modules modules=src/modules/secsipid
...
For more details about compilation and installation of libsecsipid, see: https://github.com/asipto/secsipidx.