STIR/SHAKEN module for Asterisk STIR/SHAKEN attestation options Globally disable verification File path to a certificate URL to the public certificate Must be a valid http, or https, URL. Attestation level Attestation level to use for unknown TNs Normally if a callerid TN isn't configured in stir_shaken.conf no Identity header will be created. If this option is set, however, an Identity header will be sent using this attestation level. Since there's no TN object, you must ensure that a private_key_file and public_cert_url are configured in the attestation or profile objects for this to work. On load, Retrieve all TN's certificates and validate their dates Send a media key (mky) grant in the attestation for DTLS calls. (not common) STIR/SHAKEN TN options Must be of type 'tn'. File path to a certificate URL to the public certificate Must be a valid http, or https, URL. Attestation level On load, Retrieve all TN's certificates and validate their dates Send a media key (mky) grant in the attestation for DTLS calls. (not common) STIR/SHAKEN verification options Globally disable verification A boolean indicating whether trusted CA certificates should be loaded from the system Path to a file containing one or more CA certs in PEM format These certs are used to verify the chain of trust for the certificate retrieved from the X5U Identity header parameter. This file must have the root CA certificate, the certificate of the issuer of the X5U certificate, and any intermediate certificates between them. See https://docs.asterisk.org/Deployment/STIR-SHAKEN/ for more information. Path to a directory containing one or more hashed CA certs For this option, the individual certificates must be placed in the directory specified and hashed using the openssl rehash command. See https://docs.asterisk.org/Deployment/STIR-SHAKEN/ for more information. Path to a file containing one or more CRLs in PEM format If you with to check if the certificate in the X5U Identity header parameter has been revoked, you'll need the certificate revocation list generated by the issuer. See https://docs.asterisk.org/Deployment/STIR-SHAKEN/ for more information. Path to a directory containing one or more hashed CRLs For this option, the individual CRLs must be placed in the directory specified and hashed using the openssl rehash command. See https://docs.asterisk.org/Deployment/STIR-SHAKEN/ for more information. Path to a file containing one or more untrusted cert in PEM format used to verify CRLs If you with to check if the certificate in the X5U Identity header parameter has been revoked, you'll need the certificate revocation list generated by the issuer. Unfortunately, sometimes the CRLs are signed by a different CA than the certificate being verified. In this case, you may need to provide the untrusted certificate to verify the CRL. See https://docs.asterisk.org/Deployment/STIR-SHAKEN/ for more information. Path to a directory containing one or more hashed untrusted certs used to verify CRLs For this option, the individual certificates must be placed in the directory specified and hashed using the openssl rehash command. See https://docs.asterisk.org/Deployment/STIR-SHAKEN/ for more information. Directory to cache retrieved verification certs Maximum time to wait to CURL certificates Number of seconds a cache entry may be behind current time Maximum size to use for caching public keys Number of seconds an iat grant may be behind current time Number of seconds a SIP Date header may be behind current time The default failure action when not set on a profile If set to continue, continue and let the dialplan decide what action to take. If set to reject_request, reject the incoming request with response codes defined in RFC8224. If set to return_reason, continue to the dialplan but add a Reason header to the sender in the next provisional response. RFC9410 uses the STIR protocol on Reason headers instead of the SIP protocol Relaxes check for "https" and port 443 or 8443 in incoming Identity header x5u URLs. Relaxes check for query parameters, user/password, etc. in incoming Identity header x5u URLs. An existing ACL from acl.conf to use when checking hostnames in incoming Identity header x5u URLs. An IP or subnet to permit when checking hostnames in incoming Identity header x5u URLs. An IP or subnet to deny checking hostnames in incoming Identity header x5u URLs. STIR/SHAKEN profile configuration options Must be of type 'profile'. Actions performed when an endpoint references this profile Don't do any STIR/SHAKEN processing. Attest on outgoing calls. Verify incoming calls. Attest outgoing calls and verify incoming calls. Gets the number of STIR/SHAKEN results or a specific STIR/SHAKEN value from a result on the channel. The index of the STIR/SHAKEN result to get. If only 'count' is passed in, gets the number of STIR/SHAKEN results instead. The value to get from the STIR/SHAKEN result. Only used when an index is passed in (instead of 'count'). Allowable values: This function will either return the number of STIR/SHAKEN identities, or return information on the specified identity. To get the number of identities, just pass 'count' as the only parameter to the function. If you want to get information on a specific STIR/SHAKEN identity, you can get the number of identities and then pass an index as the first parameter and one of the values you would like to retrieve as the second parameter. same => n,NoOp(Number of STIR/SHAKEN identities: ${STIR_SHAKEN(count)}) same => n,NoOp(Identity ${STIR_SHAKEN(0, identity)} has attestation level ${STIR_SHAKEN(0, attestation)})