[asterisk-dev] Stir/Shaken Refactor

George Joseph gjoseph at sangoma.com
Tue Jan 9 14:16:28 CST 2024 

I have no idea how this email will render in the old asterisk-dev
list but here goes.
If you can't read it, and you're not already subscribed to the
new list, this is your reminder to do so...
https://groups.io/g/asterisk-dev

---------- Forwarded message ---------
From: George Joseph via groups.io <gjoseph=sangoma.com at groups.io>
Date: Tue, Jan 9, 2024 at 1:11 PM
Subject: [asterisk-dev] Stir/Shaken Refactor
To: <asterisk-dev at groups.io>


Please review the pull request at Stir/Shaken Refactor
<https://github.com/asterisk/asterisk/pull/524>

You can review this PR locally by running gh pr checkout 524 if you have
the GitHub CLI client installed or by running git fetch upstream
pull/524/head:master-stir-shaken-refactor (assuming "upstream" points to
https://github.com/asterisk/asterisk.git).
It's important that you understand that there are breaking changes to the
Stir/Shaken implementation and that you TEST!!

I'll be updating the documentation at
https://docs.asterisk.org/Deployment/STIR-SHAKEN over the next few days.
Why do we need a refactor?

The original stir/shaken implementation was started over 3 years ago when
little was understood about practical implementation. The result was an
implementation that wouldn't actually interoperate with any other
stir-shaken implementations.

There were also a number of stir-shaken features and RFC requirements that
were never implemented such as TNAuthList certificate validation, sending
Reason headers in SIP responses when verification failed but we wished to
continue the call, and the ability to send Media Key(mky) grants in the
Identity header when the call involved DTLS.

Finally, there were some performance concerns around outgoing calls and
selection of the correct certificate and private key. The configuration was
keyed by an arbitrary name which meant that for every outgoing call, we had
to scan the entire list of configured TNs to find the correct cert to use.
With only a few TNs configured, this wasn't an issue but if you have a
thousand, it could be.

What's changed?

   -

   Configuration objects have been refactored to be clearer about their
   uses and to fix issues.
   - The "general" object was renamed to "verification" since it contains
      parameters specific to the incoming verification process. It also never
      handled ca_path and crl_path correctly.
      - A new "attestation" object was added that controls the outgoing
      attestation process. It sets default certificates, keys, etc.
      - The "certificate" object was renamed to "tn" and had it's key
      change to telephone number since outgoing call attestation needs
to look up
      certificates by telephone number.
      - The "profile" object had more parameters added to it that can
      override default parameters specified in the "attestation" and
      "verification" objects.
      - The "store" object was removed altogether as it was never
      implemented.
   -

   We now use libjwt to create outgoing Identity headers and to parse and
   validate signatures on incoming Identity headers. Our previous custom
   implementation was much of the source of the interoperability issues.
   -

   General code cleanup and refactor.
   - Moved things to better places.
      - Separated some of the complex functions to smaller ones.
      - Using context objects rather than passing tons of parameters in
      function calls.
      - Removed some complexity and unneeded encapsulation from the config
      objects.

Resolves: #351
Resolves: #46

UserNote: Asterisk's stir-shaken feature has been refactored to correct
interoperability, RFC compliance, and performance issues. See
https://docs.asterisk.org/Deployment/STIR-SHAKEN for more information.

UpgradeNote: The stir-shaken refactor is a breaking change but since it's
not working now we don't think it matters. The stir_shaken.conf file has
changed significantly which means that existing ones WILL need to be
changed. The stir_shaken.conf.sample file in configs/samples/ has quite a
bit more information. This is also an ABI breaking change since some of the
existing objects needed to be changed or removed, and new ones added.
_._,_._,_
------------------------------
Groups.io Links:

You receive all messages sent to this group.

View/Reply Online (#12) <https://groups.io/g/asterisk-dev/message/12> | Reply
To Group
<asterisk-dev at groups.io?subject=Re:%20%5Basterisk-dev%5D%20Stir%2FShaken%20Refactor>
| Reply To Sender
<gjoseph at sangoma.com?subject=Private:%20Re:%20%5Basterisk-dev%5D%20Stir%2FShaken%20Refactor>
| Mute This Topic <https://groups.io/mt/103627606/8107472> | New Topic
<https://groups.io/g/asterisk-dev/post>
Your Subscription <https://groups.io/g/asterisk-dev/editsub/8107472> | Contact
Group Owner <asterisk-dev+owner at groups.io> | Unsubscribe
<https://groups.io/g/asterisk-dev/leave/12915652/8107472/342978022/xyzzy> [
gjoseph at sangoma.com]
_._,_._,_
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20240109/687c3782/attachment.html>

More information about the asterisk-dev mailing list