kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2026-05-04 20:33:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
259ecfa289dda9d75d1a2e384fe26ffda86f9e67
asterisk/configs/samples/stir_shaken.conf.sample
Ben Ford 259ecfa289 STIR/SHAKEN: Fix certificate type and storage. 
During OpenSIPit, we found out that the public certificates must be of
type X.509. When reading in public keys, we use the corresponding X.509
functions now.

We also discovered that we needed a better naming scheme for the
certificates since certificates with the same name would cause issues
(overwriting certs, etc.). Now when we download a public certificate, we
get the serial number from it and use that as the name of the cached
certificate.

The configuration option public_key_url in stir_shaken.conf has also
been renamed to public_cert_url, which better describes what the option
is for.

https://wiki.asterisk.org/wiki/display/AST/OpenSIPit+2021

Change-Id: Ia00b20835f5f976e3603797f2f2fb19672d8114d
2021-05-11 09:29:57 -05:00

89 lines
3.0 KiB
Plaintext
Raw Blame History

;
; This file is used by the res_stir_shaken module to configure parameters
; used for STIR/SHAKEN.
;
; There are 2 sides to STIR/SHAKEN: attestation and verification.
;
; Attestation is done on outgoing calls and makes use out of the certificate
; objects. The cert located at path will be used to sign, and the cert
; located at public_cert_url will be placed in the Identity header to let the
; remote side know where to download the public cert from. These 2 certs must
; match; that is, the cert located at public_cert_url must be the public cert
; derived from the private cert located at path.
;
; Verification is done on incoming calls and doesn't rely on cert objects
; defined in this file.
;
; The general section applies to all STIR/SHAKEN operations. However,
; cache_max_size, curl_timeout, and signature_timeout only apply to the
; verification side.
;
; It's important to note that downloaded certificates are stored in
; <ast_config_AST_DATA_DIR>/keys/stir_shaken, which is usually
; /etc/asterisk/keys/stir_shaken, but may be changed depending on where your
; config directory is.
;
; Visit the wiki page:
; https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN
;
; [general]
;
; File path to the certificate authority certificate
;ca_file=/etc/asterisk/stir/ca.crt
;
; File path to a chain of trust
;ca_path=/etc/asterisk/stir/ca
;
; Maximum size to use for caching public keys
;cache_max_size=1000
;
; Maximum time (in seconds) to wait to CURL certificates
;curl_timeout=2
;
; Amount of time (in seconds) a signature is valid for
;signature_timeout=15
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; A certificate store is used to examine, and load all certificates found in a
; given directory. When using this type the public key URL is generated based
; upon the filename, and variable substitution.
;[certificates]
;
; type must be "store"
;type=store
;
; Path to a directory containing certificates
;path=/etc/asterisk/stir
;
; URL to the public certificate(s). Must contain variable '${CERTIFICATE}' used for
; substitution. '${CERTIFICATE}' will be replaced by the names of the files located
; at path.
; This will be put in the Identity header when signing.
;public_cert_url=http://mycompany.com/${CERTIFICATE}.pem
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;
; Individual certificates are declared by using the certificate type.
;[alice]
;
; type must be "certificate"
;type=certificate
;
; File path to a certificate. This can be RSA or ECDSA, but eventually only ECDSA will be supported.
;path=/etc/asterisk/stir/alice.pem
;
; URL to the public certificate. Must be of type X509 and be derived from the
; certificate located at path.
; This will be put in the identity header when signing.
;public_cert_url=http://mycompany.com/alice.pem
;
; The caller ID number to match on
;caller_id_number=1234567
;
; Must have an attestation of A, B, or C
;attestation=C
;
; The origination identifier for the certificate
;origid=MyAsterisk
Reference in New Issue View Git Blame Copy Permalink