Asterisk - The Open Source Telephony Project GIT-master-0bf3178
attestation.c
Go to the documentation of this file.
1/*
2 * Asterisk -- An open source telephony toolkit.
3 *
4 * Copyright (C) 2023, Sangoma Technologies Corporation
5 *
6 * George Joseph <gjoseph@sangoma.com>
7 *
8 * See http://www.asterisk.org for more information about
9 * the Asterisk project. Please do not directly contact
10 * any of the maintainers of this project for assistance;
11 * the project provides a web site, mailing lists and IRC
12 * channels for your use.
13 *
14 * This program is free software, distributed under the terms of
15 * the GNU General Public License Version 2. See the LICENSE file
16 * at the top of the source tree.
17 */
18
19#include <jwt.h>
20
21#define _TRACE_PREFIX_ "a",__LINE__, ""
22
23#include "asterisk.h"
24#include "asterisk/module.h"
25#include "asterisk/uuid.h"
26#include "asterisk/json.h"
27#include "asterisk/channel.h"
28
29#include "stir_shaken.h"
30
31static const char *as_rc_map[] = {
32 [AST_STIR_SHAKEN_AS_SUCCESS] = "success",
33 [AST_STIR_SHAKEN_AS_DISABLED] = "disabled",
34 [AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS] = "invalid_arguments",
35 [AST_STIR_SHAKEN_AS_MISSING_PARAMETERS] = "missing_parameters",
36 [AST_STIR_SHAKEN_AS_INTERNAL_ERROR] = "internal_error",
37 [AST_STIR_SHAKEN_AS_NO_TN_FOR_CALLERID] = "no_tn_for_callerid",
38 [AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL] = "no_private_key_avail",
39 [AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL] = "no_public_cert_url_avail",
40 [AST_STIR_SHAKEN_AS_NO_ATTEST_LEVEL] = "no_attest_level",
41 [AST_STIR_SHAKEN_AS_IDENTITY_HDR_EXISTS] = "identity_header_exists",
42 [AST_STIR_SHAKEN_AS_NO_TO_HDR] = "no_to_hdr",
43 [AST_STIR_SHAKEN_AS_TO_HDR_BAD_URI] = "to_hdr_bad_uri",
44 [AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE] "sign_encode_failure",
45};
46
49{
50 return ARRAY_IN_BOUNDS(as_rc, as_rc_map) ?
51 as_rc_map[as_rc] : NULL;
52}
53
54static void ctx_destructor(void *obj)
55{
56 struct ast_stir_shaken_as_ctx *ctx = obj;
57
58 ao2_cleanup(ctx->etn);
63}
64
67 const char *dest_tn, struct ast_channel *chan,
68 const char *profile_name,
69 const char *tag, struct ast_stir_shaken_as_ctx **ctxout)
70{
72 RAII_VAR(struct profile_cfg *, eprofile, NULL, ao2_cleanup);
73 RAII_VAR(struct attestation_cfg *, as_cfg, NULL, ao2_cleanup);
74 RAII_VAR(struct tn_cfg *, etn, NULL, ao2_cleanup);
75 RAII_VAR(char *, canon_dest_tn , canonicalize_tn_alloc(dest_tn), ast_free);
76 RAII_VAR(char *, canon_orig_tn , canonicalize_tn_alloc(orig_tn), ast_free);
77
78 const char *t = S_OR(tag, S_COR(chan, ast_channel_name(chan), ""));
79 SCOPE_ENTER(3, "%s: Enter\n", t);
80
81 as_cfg = as_get_cfg();
82 if (as_cfg->global_disable) {
84 "%s: Globally disabled\n", t);
85 }
86
87 if (ast_strlen_zero(profile_name)) {
89 "%s: Disabled due to missing profile name\n", t);
90 }
91
92 eprofile = eprofile_get_cfg(profile_name);
93 if (!eprofile) {
95 LOG_ERROR, "%s: No profile for profile name '%s'. Call will continue\n", tag,
96 profile_name);
97 }
98
99 if (!PROFILE_ALLOW_ATTEST(eprofile)) {
101 "%s: Disabled by profile '%s'\n", t, profile_name);
102 }
103
104 if (ast_strlen_zero(tag)) {
106 LOG_ERROR, "%s: Must provide tag\n", t);
107 }
108
109 if (!canon_orig_tn) {
111 LOG_ERROR, "%s: Must provide caller_id/orig_tn\n", tag);
112 }
113
114 if (!canon_dest_tn) {
116 LOG_ERROR, "%s: Must provide dest_tn\n", tag);
117 }
118
119 if (!ctxout) {
121 LOG_ERROR, "%s: Must provide ctxout\n", tag);
122 }
123
124 etn = tn_get_etn(canon_orig_tn, eprofile);
125 if (!etn) {
127 "%s: No tn for orig_tn '%s'\n", tag, canon_orig_tn);
128 }
129
130 /* We don't need eprofile or as_cfg anymore so let's clean em up */
131 ao2_cleanup(as_cfg);
132 as_cfg = NULL;
133 ao2_cleanup(eprofile);
134 eprofile = NULL;
135
136
137 if (etn->acfg_common.attest_level == attest_level_NOT_SET) {
139 LOG_ERROR,
140 "'%s': No attest_level specified in tn, profile or attestation objects\n",
141 tag);
142 }
143
146 LOG_ERROR, "%s: No public cert url in tn %s, profile or attestation objects\n",
147 tag, canon_orig_tn);
148 }
149
150 if (etn->acfg_common.raw_key_length == 0) {
152 LOG_ERROR, "%s: No private key in tn %s, profile or attestation objects\n",
153 canon_orig_tn, tag);
154 }
155
156 ctx = ao2_alloc_options(sizeof(*ctx), ctx_destructor,
158 if (!ctx) {
160 LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
161 }
162
163 if (ast_string_field_init(ctx, 1024) != 0) {
165 LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
166 }
167
168 if (ast_string_field_set(ctx, tag, tag) != 0) {
170 LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
171 }
172
173 if (ast_string_field_set(ctx, orig_tn, canon_orig_tn) != 0) {
175 LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
176 }
177
178 if (ast_string_field_set(ctx, dest_tn, canon_dest_tn)) {
180 LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
181 }
182
183 ctx->chan = chan;
184 ast_channel_ref(ctx->chan);
185
186 if (AST_VECTOR_INIT(&ctx->fingerprints, 1) != 0) {
188 LOG_ERROR, "%s: Unable to allocate memory for ctx\n", tag);
189 }
190
191 /* Transfer the references */
192 ctx->etn = etn;
193 etn = NULL;
194 *ctxout = ctx;
195 ctx = NULL;
196
198}
199
201{
202 return ENUM_BOOL(ctx->etn->acfg_common.send_mky, send_mky);
203}
204
207 struct ast_stir_shaken_as_ctx *ctx, const char *alg, const char *fingerprint)
208{
209 char *compacted_fp = ast_alloca(strlen(fingerprint) + 1);
210 const char *f = fingerprint;
211 char *fp = compacted_fp;
212 char *combined;
213 int rc;
214 SCOPE_ENTER(4, "%s: Add fingerprint %s:%s\n", ctx ? ctx->tag : "",
215 alg, fingerprint);
216
217 if (!ctx || ast_strlen_zero(alg) || ast_strlen_zero(fingerprint)) {
219 "%s: Missing arguments\n", ctx->tag);
220 }
221
222 if (!ENUM_BOOL(ctx->etn->acfg_common.send_mky, send_mky)) {
224 "%s: Not needed\n", ctx->tag);
225 }
226
227 /* De-colonize */
228 while (*f != '\0') {
229 if (*f != ':') {
230 *fp++ = *f;
231 }
232 f++;
233 }
234 *fp = '\0';
235 rc = ast_asprintf(&combined, "%s:%s", alg, compacted_fp);
236 if (rc < 0) {
238 "%s: Can't allocate memory for comobined string\n", ctx->tag);
239 }
240
241 rc = AST_VECTOR_ADD_SORTED(&ctx->fingerprints, combined, strcasecmp);
242 if (rc < 0) {
244 "%s: Can't add entry to vector\n", ctx->tag);
245 }
246
248 "%s: Done\n", ctx->tag);
249}
250
251/*
252 * We have to construct the PASSporT payload manually instead of
253 * using ast_json_pack. These macros help make sure nothing
254 * leaks if there are errors creating the individual objects.
255 */
256#define CREATE_JSON_SET_OBJ(__val, __obj, __name) \
257({ \
258 struct ast_json *__var; \
259 if (!(__var = __val)) {\
260 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR, \
261 LOG_ERROR, "%s: Cannot allocate one of the JSON objects\n", \
262 ctx->tag); \
263 } else { \
264 if (ast_json_object_set(__obj, __name, __var)) { \
265 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR, \
266 LOG_ERROR, "%s: Cannot set one of the JSON objects\n", \
267 ctx->tag); \
268 } \
269 } \
270 (__var); \
271})
272
273#define CREATE_JSON_APPEND_ARRAY(__val, __obj) \
274({ \
275 struct ast_json *__var; \
276 if (!(__var = __val)) {\
277 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR, \
278 LOG_ERROR, "%s: Cannot allocate one of the JSON objects\n", \
279 ctx->tag); \
280 } else { \
281 if (ast_json_array_append(__obj, __var)) { \
282 SCOPE_EXIT_LOG_RTN_VALUE(AST_STIR_SHAKEN_AS_INTERNAL_ERROR, \
283 LOG_ERROR, "%s: Cannot set one of the JSON objects\n", \
284 ctx->tag); \
285 } \
286 } \
287 (__var); \
288})
289
291 struct ast_stir_shaken_as_ctx *ctx, jwt_t *jwt)
292{
294 /*
295 * These don't need RAII because once they're added to payload,
296 * they'll get destroyed when payload gets unreffed.
297 */
298 struct ast_json *dest;
299 struct ast_json *tns;
300 struct ast_json *orig;
301 char origid[AST_UUID_STR_LEN];
302 char *payload_str = NULL;
303 SCOPE_ENTER(3, "%s: Enter\n", ctx->tag);
304
305 /*
306 * All fields added need to be in alphabetical order
307 * and there must be no whitespace in the result.
308 *
309 * We can't use ast_json_pack here because the entries
310 * need to be kept in order and the "mky" array may
311 * not be present.
312 */
313
314 /*
315 * The order of the calls matters. We want to add an object
316 * to its parent as soon as it's created, then add things
317 * to it. This way if something later fails, the whole thing
318 * will get destroyed when its parent gets destroyed.
319 */
321 attest_level_to_str(ctx->etn->acfg_common.attest_level)),
322 payload, "attest");
323
324 dest = CREATE_JSON_SET_OBJ(ast_json_object_create(), payload, "dest");
325 tns = CREATE_JSON_SET_OBJ(ast_json_array_create(), dest, "tn");
327
328 CREATE_JSON_SET_OBJ(ast_json_integer_create(time(NULL)), payload, "iat");
329
331 && ENUM_BOOL(ctx->etn->acfg_common.send_mky, send_mky)) {
332 struct ast_json *mky;
333 int i;
334
335 mky = CREATE_JSON_SET_OBJ(ast_json_array_create(), payload, "mky");
336
337 for (i = 0; i < AST_VECTOR_SIZE(&ctx->fingerprints); i++) {
338 struct ast_json *mk;
339 char *afp = AST_VECTOR_GET(&ctx->fingerprints, i);
340 char *fp = strchr(afp, ':');
341 *fp++ = '\0';
342
346 }
347 }
348
349 orig = CREATE_JSON_SET_OBJ(ast_json_object_create(), payload, "orig");
351
352 ast_uuid_generate_str(origid, sizeof(origid));
353 CREATE_JSON_SET_OBJ(ast_json_string_create(origid), payload, "origid");
354
355 payload_str = ast_json_dump_string_format(payload, AST_JSON_COMPACT);
356 ast_trace(2, "Payload: %s\n", payload_str);
357 jwt_add_grants_json(jwt, payload_str);
358 ast_json_free(payload_str);
359
361
362}
363
365 struct ast_stir_shaken_as_ctx *ctx, char **header)
366{
367 RAII_VAR(jwt_t *, jwt, NULL, jwt_free);
368 jwt_alg_t alg;
369 char *encoded = NULL;
371 int rc = 0;
372 SCOPE_ENTER(3, "%s: Attestation: orig: %s dest: %s\n",
373 ctx ? ctx->tag : "NULL", ctx ? ctx->orig_tn : "NULL",
374 ctx ? ctx->dest_tn : "NULL");
375
376 if (!ctx) {
378 "%s: No context object!\n", "NULL");
379 }
380
381 if (header == NULL) {
383 LOG_ERROR, "%s: Header buffer was NULL\n", ctx->tag);
384 }
385
386 rc = jwt_new(&jwt);
387 if (rc != 0) {
389 LOG_ERROR, "%s: Cannot create JWT\n", ctx->tag);
390 }
391
392 /*
393 * All headers added need to be in alphabetical order!
394 */
395 alg = jwt_str_alg(STIR_SHAKEN_ENCRYPTION_ALGORITHM);
396 jwt_set_alg(jwt, alg, (const unsigned char *)ctx->etn->acfg_common.raw_key,
398 jwt_add_header(jwt, "ppt", STIR_SHAKEN_PPT);
399 jwt_add_header(jwt, "typ", STIR_SHAKEN_TYPE);
400 jwt_add_header(jwt, "x5u", ctx->etn->acfg_common.public_cert_url);
401
402 as_rc = pack_payload(ctx, jwt);
403 if (as_rc != AST_STIR_SHAKEN_AS_SUCCESS) {
405 LOG_ERROR, "%s: Cannot pack payload\n", ctx->tag);
406 }
407
408 encoded = jwt_encode_str(jwt);
409 if (!encoded) {
411 LOG_ERROR, "%s: Unable to sign/encode JWT\n", ctx->tag);
412 }
413
414 rc = ast_asprintf(header, "%s;info=<%s>;alg=%s;ppt=%s",
415 encoded, ctx->etn->acfg_common.public_cert_url, jwt_alg_str(alg),
417 ast_std_free(encoded);
418 if (rc < 0) {
420 LOG_ERROR, "%s: Unable to allocate memory for identity header\n",
421 ctx->tag);
422 }
423
425}
426
428{
430
431 return 0;
432}
433
435{
437 return 0;
438}
439
441{
442 if (as_config_load()) {
444 }
445
447}
Asterisk main include file. File version handling, generic pbx functions.
void ast_std_free(void *ptr)
Definition: astmm.c:1734
#define ast_alloca(size)
call __builtin_alloca to ensure we get gcc builtin semantics
Definition: astmm.h:288
#define ast_free(a)
Definition: astmm.h:180
#define ast_asprintf(ret, fmt,...)
A wrapper for asprintf()
Definition: astmm.h:267
@ AO2_ALLOC_OPT_LOCK_NOLOCK
Definition: astobj2.h:367
#define ao2_cleanup(obj)
Definition: astobj2.h:1934
#define ao2_alloc_options(data_size, destructor_fn, options)
Definition: astobj2.h:404
int as_load()
Load the stir/shaken attestation service.
Definition: attestation.c:440
static const char * as_rc_map[]
Definition: attestation.c:31
const char * as_response_code_to_str(enum ast_stir_shaken_as_response_code as_rc)
Return string version of AS response code.
Definition: attestation.c:47
enum ast_stir_shaken_as_response_code ast_stir_shaken_as_ctx_add_fingerprint(struct ast_stir_shaken_as_ctx *ctx, const char *alg, const char *fingerprint)
Add DTLS fingerprints to AS context.
Definition: attestation.c:206
#define CREATE_JSON_APPEND_ARRAY(__val, __obj)
Definition: attestation.c:273
int as_unload()
Load the stir/shaken attestation service.
Definition: attestation.c:434
#define CREATE_JSON_SET_OBJ(__val, __obj, __name)
Definition: attestation.c:256
static void ctx_destructor(void *obj)
Definition: attestation.c:54
int as_reload()
Load the stir/shaken attestation service.
Definition: attestation.c:427
enum ast_stir_shaken_as_response_code ast_stir_shaken_attest(struct ast_stir_shaken_as_ctx *ctx, char **header)
Attest and return Identity header value.
Definition: attestation.c:364
enum ast_stir_shaken_as_response_code ast_stir_shaken_as_ctx_create(const char *orig_tn, const char *dest_tn, struct ast_channel *chan, const char *profile_name, const char *tag, struct ast_stir_shaken_as_ctx **ctxout)
Create Attestation Service Context.
Definition: attestation.c:66
int ast_stir_shaken_as_ctx_wants_fingerprints(struct ast_stir_shaken_as_ctx *ctx)
Indicates if the AS context needs DTLS fingerprints.
Definition: attestation.c:200
static enum ast_stir_shaken_as_response_code pack_payload(struct ast_stir_shaken_as_ctx *ctx, jwt_t *jwt)
Definition: attestation.c:290
int as_config_unload(void)
int as_config_reload(void)
struct attestation_cfg * as_get_cfg(void)
int as_config_load(void)
General Asterisk PBX channel definitions.
const char * ast_channel_name(const struct ast_channel *chan)
#define ast_channel_ref(c)
Increase channel reference count.
Definition: channel.h:2993
#define ast_channel_cleanup(c)
Cleanup a channel reference.
Definition: channel.h:3015
char * canonicalize_tn_alloc(const char *tn)
Canonicalize a TN into nre buffer.
struct profile_cfg * eprofile_get_cfg(const char *id)
#define ENUM_BOOL(__enum1, __field)
#define PROFILE_ALLOW_ATTEST(__profile)
struct tn_cfg * tn_get_etn(const char *tn, struct profile_cfg *eprofile)
Definition: tn_config.c:111
#define SCOPE_EXIT_RTN_VALUE(__return_value,...)
#define SCOPE_EXIT_LOG_RTN_VALUE(__value, __log_level,...)
#define SCOPE_ENTER(level,...)
#define ast_trace(level,...)
#define LOG_ERROR
Asterisk JSON abstraction layer.
struct ast_json * ast_json_string_create(const char *value)
Construct a JSON string from value.
Definition: json.c:278
void ast_json_unref(struct ast_json *value)
Decrease refcount on value. If refcount reaches zero, value is freed.
Definition: json.c:73
void ast_json_free(void *p)
Asterisk's custom JSON allocator. Exposed for use by unit tests.
Definition: json.c:52
struct ast_json * ast_json_object_create(void)
Create a new JSON object.
Definition: json.c:399
struct ast_json * ast_json_integer_create(intmax_t value)
Create a JSON integer.
Definition: json.c:327
struct ast_json * ast_json_array_create(void)
Create a empty JSON array.
Definition: json.c:362
@ AST_JSON_COMPACT
Definition: json.h:793
char * ast_json_dump_string_format(struct ast_json *root, enum ast_json_encoding_format format)
Encode a JSON value to a string.
Definition: json.c:484
Asterisk module definitions.
@ AST_MODULE_LOAD_SUCCESS
Definition: module.h:70
@ AST_MODULE_LOAD_DECLINE
Module has failed to load, may be in an inconsistent state.
Definition: module.h:78
ast_stir_shaken_as_response_code
@ AST_STIR_SHAKEN_AS_NO_TN_FOR_CALLERID
@ AST_STIR_SHAKEN_AS_INVALID_ARGUMENTS
@ AST_STIR_SHAKEN_AS_TO_HDR_BAD_URI
@ AST_STIR_SHAKEN_AS_MISSING_PARAMETERS
@ AST_STIR_SHAKEN_AS_NO_PRIVATE_KEY_AVAIL
@ AST_STIR_SHAKEN_AS_DISABLED
@ AST_STIR_SHAKEN_AS_SIGN_ENCODE_FAILURE
@ AST_STIR_SHAKEN_AS_NO_TO_HDR
@ AST_STIR_SHAKEN_AS_NO_PUBLIC_CERT_URL_AVAIL
@ AST_STIR_SHAKEN_AS_SUCCESS
@ AST_STIR_SHAKEN_AS_INTERNAL_ERROR
@ AST_STIR_SHAKEN_AS_IDENTITY_HDR_EXISTS
@ AST_STIR_SHAKEN_AS_NO_ATTEST_LEVEL
@ AST_STIR_SHAKEN_VS_INTERNAL_ERROR
#define NULL
Definition: resample.c:96
#define STIR_SHAKEN_ENCRYPTION_ALGORITHM
Definition: stir_shaken.h:28
#define STIR_SHAKEN_PPT
Definition: stir_shaken.h:29
#define STIR_SHAKEN_TYPE
Definition: stir_shaken.h:30
#define ast_string_field_set(x, field, data)
Set a field to a simple string value.
Definition: stringfields.h:521
#define ast_string_field_init(x, size)
Initialize a field pool and fields.
Definition: stringfields.h:359
#define ast_string_field_free_memory(x)
free all memory - to be called before destroying the object
Definition: stringfields.h:374
#define S_OR(a, b)
returns the equivalent of logic or for strings: first one if not empty, otherwise second one.
Definition: strings.h:80
#define S_COR(a, b, c)
returns the equivalent of logic or for strings, with an additional boolean check: second one if not e...
Definition: strings.h:87
static force_inline int attribute_pure ast_strlen_zero(const char *s)
Definition: strings.h:65
Main Channel structure associated with a channel.
Abstract JSON element (object, array, string, int, ...).
const ast_string_field dest_tn
Definition: attestation.h:29
const ast_string_field orig_tn
Definition: attestation.h:29
struct tn_cfg * etn
Definition: attestation.h:32
const ast_string_field tag
Definition: attestation.h:29
struct ast_channel * chan
Definition: attestation.h:30
struct ast_vector_string fingerprints
Definition: attestation.h:31
enum attest_level_enum attest_level
unsigned char * raw_key
const ast_string_field public_cert_url
enum send_mky_enum send_mky
Profile configuration for stir/shaken.
TN configuration for stir/shaken.
struct attestation_cfg_common acfg_common
#define RAII_VAR(vartype, varname, initval, dtor)
Declare a variable that will call a destructor function when it goes out of scope.
Definition: utils.h:941
#define ARRAY_IN_BOUNDS(v, a)
Checks to see if value is within the bounds of the given array.
Definition: utils.h:687
Universally unique identifier support.
#define AST_UUID_STR_LEN
Definition: uuid.h:27
char * ast_uuid_generate_str(char *buf, size_t size)
Generate a UUID string.
Definition: uuid.c:141
#define AST_VECTOR_RESET(vec, cleanup)
Reset vector.
Definition: vector.h:625
#define AST_VECTOR_SIZE(vec)
Get the number of elements in a vector.
Definition: vector.h:609
#define AST_VECTOR_FREE(vec)
Deallocates this vector.
Definition: vector.h:174
#define AST_VECTOR_ADD_SORTED(vec, elem, cmp)
Add an element into a sorted vector.
Definition: vector.h:371
#define AST_VECTOR_INIT(vec, size)
Initialize a vector.
Definition: vector.h:113
#define AST_VECTOR_GET(vec, idx)
Get an element from a vector.
Definition: vector.h:680