Stir/Shaken Refactor

Why do we need a refactor?

The original stir/shaken implementation was started over 3 years ago
when little was understood about practical implementation.  The
result was an implementation that wouldn't actually interoperate
with any other stir-shaken implementations.

There were also a number of stir-shaken features and RFC
requirements that were never implemented such as TNAuthList
certificate validation, sending Reason headers in SIP responses
when verification failed but we wished to continue the call, and
the ability to send Media Key(mky) grants in the Identity header
when the call involved DTLS.

Finally, there were some performance concerns around outgoing
calls and selection of the correct certificate and private key.
The configuration was keyed by an arbitrary name which meant that
for every outgoing call, we had to scan the entire list of
configured TNs to find the correct cert to use.  With only a few
TNs configured, this wasn't an issue but if you have a thousand,
it could be.

What's changed?

* Configuration objects have been refactored to be clearer about
  their uses and to fix issues.
    * The "general" object was renamed to "verification" since it
      contains parameters specific to the incoming verification
      process.  It also never handled ca_path and crl_path
      correctly.
    * A new "attestation" object was added that controls the
      outgoing attestation process.  It sets default certificates,
      keys, etc.
    * The "certificate" object was renamed to "tn" and had it's key
      change to telephone number since outgoing call attestation
      needs to look up certificates by telephone number.
    * The "profile" object had more parameters added to it that can
      override default parameters specified in the "attestation"
      and "verification" objects.
    * The "store" object was removed altogther as it was never
      implemented.

* We now use libjwt to create outgoing Identity headers and to
  parse and validate signatures on incoming Identiy headers.  Our
  previous custom implementation was much of the source of the
  interoperability issues.

* General code cleanup and refactor.
    * Moved things to better places.
    * Separated some of the complex functions to smaller ones.
    * Using context objects rather than passing tons of parameters
      in function calls.
    * Removed some complexity and unneeded encapsuation from the
      config objects.

Resolves: #351
Resolves: #46

UserNote: Asterisk's stir-shaken feature has been refactored to
correct interoperability, RFC compliance, and performance issues.
See https://docs.asterisk.org/Deployment/STIR-SHAKEN for more
information.

UpgradeNote: The stir-shaken refactor is a breaking change but since
it's not working now we don't think it matters. The
stir_shaken.conf file has changed significantly which means that
existing ones WILL need to be changed.  The stir_shaken.conf.sample
file in configs/samples/ has quite a bit more information.  This is
also an ABI breaking change since some of the existing objects
needed to be changed or removed, and new ones added.  Additionally,
if res_stir_shaken is enabled in menuselect, you'll need to either
have the development package for libjwt v1.15.3 installed or use
the --with-libjwt-bundled option with ./configure.

include/asterisk/astdb.h

@@ -50,6 +50,16 @@ int ast_db_get(const char *family, const char *key, char *value, int valuelen);
  */
 int ast_db_get_allocated(const char *family, const char *key, char **out);
 
+/*!
+ * \brief Check if family/key exitsts
+ *
+ * \param family
+ * \param key
+ * \retval 1 if family/key exists
+ * \retval 0 if family/key does not exist or an error occurred
+ */
+int ast_db_exists(const char *family, const char *key);
+
 /*! \brief Store value addressed by family/key */
 int ast_db_put(const char *family, const char *key, const char *value);
 

include/asterisk/res_pjsip.h

@@ -71,22 +71,6 @@
 #define PJSTR_PRINTF_SPEC "%.*s"
 #define PJSTR_PRINTF_VAR(_v) ((int)(_v).slen), ((_v).ptr)
 
-/* Response codes from RFC8224 */
-#define AST_STIR_SHAKEN_RESPONSE_CODE_STALE_DATE 403
-#define AST_STIR_SHAKEN_RESPONSE_CODE_USE_IDENTITY_HEADER 428
-#define AST_STIR_SHAKEN_RESPONSE_CODE_USE_SUPPORTED_PASSPORT_FORMAT 428
-#define AST_STIR_SHAKEN_RESPONSE_CODE_BAD_IDENTITY_INFO 436
-#define AST_STIR_SHAKEN_RESPONSE_CODE_UNSUPPORTED_CREDENTIAL 437
-#define AST_STIR_SHAKEN_RESPONSE_CODE_INVALID_IDENTITY_HEADER 438
-
-/* Response strings from RFC8224 */
-#define AST_STIR_SHAKEN_RESPONSE_STR_STALE_DATE "Stale Date"
-#define AST_STIR_SHAKEN_RESPONSE_STR_USE_IDENTITY_HEADER "Use Identity Header"
-#define AST_STIR_SHAKEN_RESPONSE_STR_USE_SUPPORTED_PASSPORT_FORMAT "Use Supported PASSporT Format"
-#define AST_STIR_SHAKEN_RESPONSE_STR_BAD_IDENTITY_INFO "Bad Identity Info"
-#define AST_STIR_SHAKEN_RESPONSE_STR_UNSUPPORTED_CREDENTIAL "Unsupported Credential"
-#define AST_STIR_SHAKEN_RESPONSE_STR_INVALID_IDENTITY_HEADER "Invalid Identity Header"
-
 #define AST_SIP_AUTH_MAX_REALM_LENGTH 255	/* From the auth/realm realtime column size */
 
 /* ":12345" */
@@ -666,17 +650,6 @@ enum ast_sip_session_redirect {
 	AST_SIP_REDIRECT_URI_PJSIP,
 };
 
-enum ast_sip_stir_shaken_behavior {
-	/*! Don't do any STIR/SHAKEN operations */
-	AST_SIP_STIR_SHAKEN_OFF = 0,
-	/*! Only do STIR/SHAKEN attestation */
-	AST_SIP_STIR_SHAKEN_ATTEST = 1,
-	/*! Only do STIR/SHAKEN verification */
-	AST_SIP_STIR_SHAKEN_VERIFY = 2,
-	/*! Do STIR/SHAKEN attestation and verification */
-	AST_SIP_STIR_SHAKEN_ON = 3,
-};
-
 /*!
  * \brief Incoming/Outgoing call offer/answer joint codec preference.
  *

include/asterisk/res_pjsip_session.h

@@ -963,4 +963,29 @@ struct ast_sip_session_media *ast_sip_session_media_get_transport(struct ast_sip
  */
 const char *ast_sip_session_get_name(const struct ast_sip_session *session);
 
+/*!
+ * \brief Determines if the Connected Line info can be presented for this session
+ *
+ * \param session The session
+ * \param id The Connected Line info to evaluate
+ *
+ * \retval 1 The Connected Line info can be presented
+ * \retval 0 The Connected Line info cannot be presented
+ */
+int ast_sip_can_present_connected_id(const struct ast_sip_session *session, const struct ast_party_id *id);
+
+/*!
+ * \brief Adds a Reason header in the next reponse to an incoming INVITE
+ *
+ * \param session The session
+ * \param protocol Usually "SIP" but may be "STIR" for stir-shaken
+ * \param code SIP response code
+ * \param text Reason string
+ *
+ * \retval 0 the header is accepted
+ * \retval -1 the header is rejected
+ */
+int ast_sip_session_add_reason_header(struct ast_sip_session *session,
+	const char *protocol, int code, const char *text);
+
 #endif /* _RES_PJSIP_SESSION_H */

include/asterisk/res_stir_shaken.h

@@ -18,176 +18,241 @@
 #ifndef _RES_STIR_SHAKEN_H
 #define _RES_STIR_SHAKEN_H
 
-#define STIR_SHAKEN_ENCRYPTION_ALGORITHM "ES256"
-#define STIR_SHAKEN_PPT "shaken"
-#define STIR_SHAKEN_TYPE "passport"
+#include "asterisk/sorcery.h"
 
-enum ast_stir_shaken_verification_result {
-	AST_STIR_SHAKEN_VERIFY_NOT_PRESENT, /*! No STIR/SHAKEN information was available */
-	AST_STIR_SHAKEN_VERIFY_SIGNATURE_FAILED, /*! Signature verification failed */
-	AST_STIR_SHAKEN_VERIFY_MISMATCH, /*! Contents of the signaling and the STIR/SHAKEN payload did not match */
-	AST_STIR_SHAKEN_VERIFY_PASSED, /*! Signature verified and contents match signaling */
+enum ast_stir_shaken_vs_response_code {
+	AST_STIR_SHAKEN_VS_SUCCESS = 0,
+	AST_STIR_SHAKEN_VS_DISABLED,
+	AST_STIR_SHAKEN_VS_INVALID_ARGUMENTS,
+	AST_STIR_SHAKEN_VS_INTERNAL_ERROR,
+	AST_STIR_SHAKEN_VS_NO_IDENTITY_HDR,
+	AST_STIR_SHAKEN_VS_NO_DATE_HDR,
+	AST_STIR_SHAKEN_VS_DATE_HDR_PARSE_FAILURE,
+	AST_STIR_SHAKEN_VS_DATE_HDR_EXPIRED,
+	AST_STIR_SHAKEN_VS_NO_JWT_HDR,
+	AST_STIR_SHAKEN_VS_INVALID_OR_NO_X5U,
+	AST_STIR_SHAKEN_VS_CERT_CACHE_MISS,
+	AST_STIR_SHAKEN_VS_CERT_CACHE_INVALID,
+	AST_STIR_SHAKEN_VS_CERT_CACHE_EXPIRED,
+	AST_STIR_SHAKEN_VS_CERT_RETRIEVAL_FAILURE,
+	AST_STIR_SHAKEN_VS_CERT_CONTENTS_INVALID,
+	AST_STIR_SHAKEN_VS_CERT_NOT_TRUSTED,
+	AST_STIR_SHAKEN_VS_CERT_DATE_INVALID,
+	AST_STIR_SHAKEN_VS_CERT_NO_TN_AUTH_EXT,
+	AST_STIR_SHAKEN_VS_CERT_NO_SPC_IN_TN_AUTH_EXT,
+	AST_STIR_SHAKEN_VS_NO_RAW_KEY,
+	AST_STIR_SHAKEN_VS_SIGNATURE_VALIDATION,
+	AST_STIR_SHAKEN_VS_NO_IAT,
+	AST_STIR_SHAKEN_VS_IAT_EXPIRED,
+	AST_STIR_SHAKEN_VS_INVALID_OR_NO_PPT,
+	AST_STIR_SHAKEN_VS_INVALID_OR_NO_ALG,
+	AST_STIR_SHAKEN_VS_INVALID_OR_NO_TYP,
+	AST_STIR_SHAKEN_VS_INVALID_OR_NO_GRANTS,
+	AST_STIR_SHAKEN_VS_INVALID_OR_NO_ATTEST,
+	AST_STIR_SHAKEN_VS_NO_ORIGID,
+	AST_STIR_SHAKEN_VS_NO_ORIG_TN,
+	AST_STIR_SHAKEN_VS_CID_ORIG_TN_MISMATCH,
+	AST_STIR_SHAKEN_VS_NO_DEST_TN,
+	AST_STIR_SHAKEN_VS_INVALID_HEADER,
+	AST_STIR_SHAKEN_VS_INVALID_GRANT,
+	AST_STIR_SHAKEN_VS_RESPONSE_CODE_MAX
 };
 
-/*! Different from ast_stir_shaken_verification_result. Used to determine why ast_stir_shaken_verify returned NULL */
-enum ast_stir_shaken_verify_failure_reason {
-	AST_STIR_SHAKEN_VERIFY_FAILED_MEMORY_ALLOC, /*! Memory allocation failure */
-	AST_STIR_SHAKEN_VERIFY_FAILED_TO_GET_CERT, /*! Failed to get the credentials to verify */
-	AST_STIR_SHAKEN_VERIFY_FAILED_SIGNATURE_VALIDATION, /*! Failed validating the signature */
+enum ast_stir_shaken_as_response_code {
+	AST_STIR_SHAKEN_AS_SUCCESS = 0,
+	AST_STIR_SHAKEN_AS_DISABLED,
+	AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS,
+	AST_STIR_SHAKEN_AS_MISSING_PARAMETERS,
+	AST_STIR_SHAKEN_AS_INTERNAL_ERROR,
+	AST_STIR_SHAKEN_AS_NO_TN_FOR_CALLERID,
+	AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL,
+	AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL,
+	AST_STIR_SHAKEN_AS_NO_ATTEST_LEVEL,
+	AST_STIR_SHAKEN_AS_IDENTITY_HDR_EXISTS,
+	AST_STIR_SHAKEN_AS_NO_TO_HDR,
+	AST_STIR_SHAKEN_AS_TO_HDR_BAD_URI,
+	AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE,
+	AST_STIR_SHAKEN_AS_RESPONSE_CODE_MAX
 };
 
-struct ast_stir_shaken_payload;
+enum stir_shaken_failure_action_enum {
+	/*! Unknown value */
+	stir_shaken_failure_action_UNKNOWN = -1,
+	/*! Continue and let dialplan decide action */
+	stir_shaken_failure_action_CONTINUE = 0,
+	/*! Reject request with respone codes defined in RFC8224 */
+	stir_shaken_failure_action_REJECT_REQUEST,
+	/*! Continue but return a Reason header in next provisional response  */
+	stir_shaken_failure_action_CONTINUE_RETURN_REASON,
+	/*! Not set in config */
+	stir_shaken_failure_action_NOT_SET,
+};
 
-struct ast_acl_list;
-
-struct ast_json;
+struct ast_stir_shaken_as_ctx;
 
 /*!
- * \brief Retrieve the value for 'signature' from an ast_stir_shaken_payload
+ * \brief Create Attestation Service Context
  *
- * \param payload The payload
- *
- * \retval The signature
+ * \param caller_id The caller_id for the outgoing call
+ * \param dest_tn Canonicalized destination tn
+ * \param chan The outgoing channel
+ * \param profile_name The profile name on the endpoint
+ *                     May be NULL.
+ * \param tag Identifying string to output in log and trace messages.
+ * \param ctxout Receives a pointer to the newly created context
+ *               The caller must release with ao2_ref or ao2_cleanup.
+
+ * \retval AST_STIR_SHAKEN_AS_SUCCESS if successful.
+ * \retval AST_STIR_SHAKEN_AS_DISABLED if attestation is disabled
+ *         by the endpoint itself, the profile or globally.
+ * \retval Other AST_STIR_SHAKEN_AS errors.
  */
-unsigned char *ast_stir_shaken_payload_get_signature(const struct ast_stir_shaken_payload *payload);
+enum ast_stir_shaken_as_response_code
+	ast_stir_shaken_as_ctx_create(const char *caller_id,
+		const char *dest_tn, struct ast_channel *chan,
+		const char *profile_name,
+		const char *tag, struct ast_stir_shaken_as_ctx **ctxout);
 
 /*!
- * \brief Retrieve the value for 'public_cert_url' from an ast_stir_shaken_payload
+ * \brief Indicates if the AS context needs DTLS fingerprints
  *
- * \param payload The payload
+ * \param ctx AS Context
  *
- * \retval The public key URL
+ * \retval 0 Not needed
+ * \retval 1 Needed
  */
-char *ast_stir_shaken_payload_get_public_cert_url(const struct ast_stir_shaken_payload *payload);
+int ast_stir_shaken_as_ctx_wants_fingerprints(struct ast_stir_shaken_as_ctx *ctx);
 
 /*!
- * \brief Retrieve the value for 'signature_timeout' from 'general' config object
+ * \brief Add DTLS fingerprints to AS context
  *
- * \retval The signature timeout
+ * \param ctx AS context
+ * \param alg Fingerprint algorithm ("sha-1" or "sha-256")
+ * \param fingerprint Fingerprint
+ *
+ * \retval AST_STIR_SHAKEN_AS_SUCCESS if successful
+ * \retval Other AST_STIR_SHAKEN_AS errors.
  */
-unsigned int ast_stir_shaken_get_signature_timeout(void);
+enum ast_stir_shaken_as_response_code ast_stir_shaken_as_ctx_add_fingerprint(
+	struct ast_stir_shaken_as_ctx *ctx, const char *alg, const char *fingerprint);
 
 /*!
- * \brief Retrieve a stir_shaken_profile by id
+ * \brief Attest and return Identity header value
  *
- * \note The profile will need to be unref'd when not needed anymore
+ * \param ctx AS Context
+ * \param header Pointer to buffer to receive the header value
+ *               Must be freed with ast_free when done
  *
- * \param id The id of the stir_shaken_profile to get
- *
- * \retval stir_shaken_profile on success
- * \retval NULL on failure
+ * \retval AST_STIR_SHAKEN_AS_SUCCESS if successful
+ * \retval Other AST_STIR_SHAKEN_AS errors.
  */
-struct stir_shaken_profile *ast_stir_shaken_get_profile(const char *id);
+enum ast_stir_shaken_as_response_code ast_stir_shaken_attest(
+	struct ast_stir_shaken_as_ctx *ctx, char **header);
+
+
+struct ast_stir_shaken_vs_ctx;
 
 /*!
- * \brief Check if a stir_shaken_profile supports attestation
+ * \brief Create Verification Service context
  *
- * \param profile The stir_shaken_profile to test
+ * \param caller_id Incoming caller id
+ * \param chan Incoming channel
+ * \param profile_name The profile name on the endpoint
+ *                     May be NULL.
+ * \param endpoint_behavior Behavior associated to the specific
+ *                          endpoint
+ * \param tag Identifying string to output in log and trace messages.
+ * \param ctxout Receives a pointer to the newly created context
+ *               The caller must release with ao2_ref or ao2_cleanup.
  *
- * \retval 0 if not supported
- * \retval 1 if supported
+ * \retval AST_STIR_SHAKEN_VS_SUCCESS if successful.
+ * \retval AST_STIR_SHAKEN_VS_DISABLED if verification is disabled
+ *         by the endpoint itself, the profile or globally.
+ * \retval Other AST_STIR_SHAKEN_VS errors.
  */
-unsigned int ast_stir_shaken_profile_supports_attestation(const struct stir_shaken_profile *profile);
+enum ast_stir_shaken_vs_response_code
+	ast_stir_shaken_vs_ctx_create(const char *caller_id,
+		struct ast_channel *chan, const char *profile_name,
+		const char *tag, struct ast_stir_shaken_vs_ctx **ctxout);
 
 /*!
- * \brief Check if a stir_shaken_profile supports verification
+ * \brief Sets response code on VS context
  *
- * \param profile The stir_shaken_profile to test
- *
- * \retval 0 if not supported
- * \retval 1 if supported
+ * \param ctx VS context
+ * \param vs_rc ast_stir_shaken_vs_response_code to set
  */
-unsigned int ast_stir_shaken_profile_supports_verification(const struct stir_shaken_profile *profile);
+void ast_stir_shaken_vs_ctx_set_response_code(
+	struct ast_stir_shaken_vs_ctx *ctx,
+	enum ast_stir_shaken_vs_response_code vs_rc);
+
+/*!
+ * \brief Add the received Identity header value to the VS context
+ *
+ * \param ctx VS context
+ * \param identity_hdr Identity header value
+ *
+ * \retval AST_STIR_SHAKEN_VS_SUCCESS if successful
+ * \retval Other AST_STIR_SHAKEN_VS errors.
+ */
+enum ast_stir_shaken_vs_response_code
+	ast_stir_shaken_vs_ctx_add_identity_hdr(struct ast_stir_shaken_vs_ctx * ctx,
+	const char *identity_hdr);
+
+/*!
+ * \brief Add the received Date header value to the VS context
+ *
+ * \param ctx VS context
+ * \param date_hdr Date header value
+ *
+ * \retval AST_STIR_SHAKEN_VS_SUCCESS if successful
+ * \retval Other AST_STIR_SHAKEN_VS errors.
+ */
+enum ast_stir_shaken_vs_response_code
+	ast_stir_shaken_vs_ctx_add_date_hdr(struct ast_stir_shaken_vs_ctx * ctx,
+	const char *date_hdr);
+
+/*!
+ * \brief Get failure_action from context
+ *
+ * \param ctx VS context
+ *
+ * \retval ast_stir_shaken_failure_action
+ */
+enum stir_shaken_failure_action_enum
+	ast_stir_shaken_vs_get_failure_action(
+		struct ast_stir_shaken_vs_ctx *ctx);
+
+/*!
+ * \brief Get use_rfc9410_responses from context
+ *
+ * \param ctx VS context
+ *
+ * \retval 1 if true
+ * \retval 0 if false
+ */
+int	ast_stir_shaken_vs_get_use_rfc9410_responses(
+		struct ast_stir_shaken_vs_ctx *ctx);
 
 /*!
  * \brief Add a STIR/SHAKEN verification result to a channel
  *
- * \param chan The channel
- * \param identity The identity
- * \param attestation The attestation
- * \param result The verification result
+ * \param ctx VS context
  *
  * \retval -1 on failure
  * \retval 0 on success
  */
-int ast_stir_shaken_add_verification(struct ast_channel *chan, const char *identity, const char *attestation,
-	enum ast_stir_shaken_verification_result result);
+int ast_stir_shaken_add_result_to_channel(
+	struct ast_stir_shaken_vs_ctx *ctx);
 
 /*!
- * \brief Verify a JSON STIR/SHAKEN payload
+ * \brief Perform incoming call verification
  *
- * \param header The payload header
- * \param payload The payload section
- * \param signature The payload signature
- * \param algorithm The signature algorithm
- * \param public_cert_url The public key URL
+ * \param ctx VS context
  *
- * \retval ast_stir_shaken_payload on success
- * \retval NULL on failure
+ * \retval AST_STIR_SHAKEN_AS_SUCCESS if successful
+ * \retval Other AST_STIR_SHAKEN_AS errors.
  */
-struct ast_stir_shaken_payload *ast_stir_shaken_verify(const char *header, const char *payload, const char *signature,
-	const char *algorithm, const char *public_cert_url);
-
-/*!
- * \brief Same as ast_stir_shaken_verify, but will populate a struct with additional information on failure
- *
- * \note failure_code will be written to in this function
- *
- * \param header The payload header
- * \param payload The payload section
- * \param signature The payload signature
- * \param algorithm The signature algorithm
- * \param public_cert_url The public key URL
- * \param failure_code Additional failure information
- *
- * \retval ast_stir_shaken_payload on success
- * \retval NULL on failure
- */
-struct ast_stir_shaken_payload *ast_stir_shaken_verify2(const char *header, const char *payload, const char *signature,
-	const char *algorithm, const char *public_cert_url, int *failure_code);
-
-/*!
- * \brief Same as ast_stir_shaken_verify2, but passes in a stir_shaken_profile with additional configuration
- *
- * \note failure_code will be written to in this function
- *
- * \param header The payload header
- * \param payload The payload section
- * \param signature The payload signature
- * \param algorithm The signature algorithm
- * \param public_cert_url The public key URL
- * \param failure Additional failure information
- * \param profile The stir_shaken_profile
- *
- * \retval ast_stir_shaken_payload on success
- * \retval NULL on failure
- */
-struct ast_stir_shaken_payload *ast_stir_shaken_verify_with_profile(const char *header, const char *payload,
-	const char *signature, const char *algorithm, const char *public_cert_url, int *failure,
-	const struct stir_shaken_profile *profile);
-
-/*!
- * \brief Retrieve the stir/shaken sorcery context
- *
- * \retval The stir/shaken sorcery context
- */
-struct ast_sorcery *ast_stir_shaken_sorcery(void);
-
-/*!
- * \brief Free a STIR/SHAKEN payload
- */
-void ast_stir_shaken_payload_free(struct ast_stir_shaken_payload *payload);
-
-/*!
- * \brief Sign a JSON STIR/SHAKEN payload
- *
- * \note This function will automatically add the "attest", "iat", and "origid" fields.
- *
- * \param json The JWT to sign
- *
- * \retval ast_stir_shaken_payload on success
- * \retval NULL on failure
- */
-struct ast_stir_shaken_payload *ast_stir_shaken_sign(struct ast_json *json);
+enum ast_stir_shaken_vs_response_code
+	ast_stir_shaken_vs_verify(struct ast_stir_shaken_vs_ctx * ctx);
 
 #endif /* _RES_STIR_SHAKEN_H */