Stir_verify fails - final phase of signature verification

Hey all,

Running current - Asterisk 18.5.0. I’m working on STIR/SHAKEN verification using the res_stir_shaken module.

When sending a call into the box with an Identity header, Asterisk is able to read the header, count the number of headers, decode the payload, and correctly report the Attestation level.

When calling the ${STIR_SHAKEN(0,verify_result)} function, it fails with the following entries in the log:

res_stir_shaken.c: Failed final phase of signature verification
res_stir_shaken.c: Failed to verify signature

I suspect this is related to the fact that the root certificates for the STIR/SHAKEN providers are not being checked. I have downloaded the root certificates for all the STIR/SHAKEN providers and imported those certificates into the CentOS 7 cert bundle. I believe Asterisk is using the curl module to download the certificate from the URL in the Identity header, but it's not using the root CAs to do the verification.

Any hits with the clue stick would be very helpful.

Thanks!

I believe Asterisk is using the curl module to download the certificate from the URL in the Identity header, but it's not using the root CAs to do the verification.

Yep, you are correct. Currently that is not set up in Asterisk since work was done to implement STIR/SHAKEN before a lot of the details were ironed out. There is active work being done on STIR/SHAKEN now to bring it up to speed with the RFCs.

Ah that makes sense then. Thanks bford!

This install is a non-production test box. I’ll keep an eye out for updates, and if there is any testing needed I have no issue with assisting.

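The steps the first post reports as working (reading the Identity header, decoding the payload, reporting the attestation level), as an added Python example that is not part of the thread and not Asterisk's code. The sample header, URL, telephone numbers and the 60-second freshness window are constructed assumptions, and the sketch stops before the signature and certificate-chain checks that the thread is about.

```python
import base64
import json
from urllib.parse import urlparse

def b64url_decode(segment):
    # PASSporT segments are unpadded base64url (RFC 8225); restore padding first
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_identity(iat):
    # Constructed sample: hypothetical URL and numbers, dummy 64-byte signature
    url = "https://cert.example.org/sp.pem"
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": url}
    payload = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": iat,
               "orig": {"tn": "12025550100"},
               "origid": "00000000-0000-4000-8000-000000000000"}
    sig = base64.urlsafe_b64encode(bytes(64)).rstrip(b"=").decode()
    token = f"{b64url_json(header)}.{b64url_json(payload)}.{sig}"
    return f"{token};info=<{url}>;alg=ES256;ppt=shaken"

def parse_identity(value):
    # Identity value = header.payload.signature followed by ;name=value parameters
    token, *params = [p.strip() for p in value.split(";")]
    header_b64, payload_b64, signature_b64 = token.split(".")
    fields = dict(p.split("=", 1) for p in params)
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64)),
            "signature": b64url_decode(signature_b64),
            "info": fields.get("info", "").strip("<>"),
            "alg": fields.get("alg", "ES256"),
            "ppt": fields.get("ppt", "").strip('"')}

def precheck(identity, now, max_age=60):
    # Problems detectable before any signature or certificate-chain work
    hdr, pay, problems = identity["header"], identity["payload"], []
    if hdr.get("alg") != "ES256" or identity["alg"] != "ES256":
        problems.append("alg is not ES256")
    if hdr.get("ppt") != "shaken" or identity["ppt"] != "shaken":
        problems.append("ppt is not shaken")
    if hdr.get("x5u") != identity["info"]:
        problems.append("x5u does not match info parameter")
    if urlparse(hdr.get("x5u", "")).scheme != "https":
        problems.append("x5u is not an https URL")
    if pay.get("attest") not in ("A", "B", "C"):
        problems.append("attest is not A, B or C")
    if abs(now - pay.get("iat", 0)) > max_age:
        problems.append("iat outside freshness window")
    return problems
```

The `x5u` value this prints is the certificate that still has to be fetched and chained to a trusted STIR/SHAKEN root before the signature result means anything.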