; ; This file is used by the res_stir_shaken module to configure parameters ; used for STIR/SHAKEN. ; ; There are 2 sides to STIR/SHAKEN: attestation and verification. ; ; Attestation is done on outgoing calls and makes use out of the certificate ; objects. The cert located at path will be used to sign, and the cert ; located at public_cert_url will be placed in the Identity header to let the ; remote side know where to download the public cert from. These 2 certs must ; match; that is, the cert located at public_cert_url must be the public cert ; derived from the private cert located at path. ; ; Verification is done on incoming calls and doesn't rely on cert objects ; defined in this file. ; ; The general section applies to all STIR/SHAKEN operations. However, ; cache_max_size, curl_timeout, and signature_timeout only apply to the ; verification side. ; ; It's important to note that downloaded certificates are stored in ; /keys/stir_shaken, which is usually ; /etc/asterisk/keys/stir_shaken, but may be changed depending on where your ; config directory is. ; ; Visit the wiki page: ; https://wiki.asterisk.org/wiki/display/AST/STIR+and+SHAKEN ; ; [general] ; ; File path to the certificate authority certificate ;ca_file=/etc/asterisk/stir/ca.crt ; ; File path to a chain of trust ;ca_path=/etc/asterisk/stir/ca ; ; Maximum size to use for caching public keys ;cache_max_size=1000 ; ; Maximum time (in seconds) to wait to CURL certificates ;curl_timeout=2 ; ; Amount of time (in seconds) a signature is valid for ;signature_timeout=15 ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ; A certificate store is used to examine, and load all certificates found in a ; given directory. When using this type the public key URL is generated based ; upon the filename, and variable substitution. ;[certificates] ; ; type must be "store" ;type=store ; ; Path to a directory containing certificates ;path=/etc/asterisk/stir ; ; URL to the public certificate(s). Must contain variable '${CERTIFICATE}' used for ; substitution. '${CERTIFICATE}' will be replaced by the names of the files located ; at path. ; This will be put in the Identity header when signing. ;public_cert_url=http://mycompany.com/${CERTIFICATE}.pem ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ; Individual certificates are declared by using the certificate type. ;[alice] ; ; type must be "certificate" ;type=certificate ; ; File path to a certificate. This can be RSA or ECDSA, but eventually only ECDSA will be supported. ;path=/etc/asterisk/stir/alice.pem ; ; URL to the public certificate. Must be of type X509 and be derived from the ; certificate located at path. ; This will be put in the identity header when signing. ;public_cert_url=http://mycompany.com/alice.pem ; ; The caller ID number to match on ;caller_id_number=1234567 ; ; Must have an attestation of A, B, or C ;attestation=C ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; ; Profiles can be defined here which can be referenced by channel drivers. ;[my_profile] ; ; type must be "profile" ;type=profile ; ; Set stir_shaken to 'attest', 'verify', or 'on', which is the default ;stir_shaken=on ; ; You can specify an ACL that will be used strictly for the Identity header when downloading public certificates ;acllist=myacllist ; ; You can also do permit / deny lines if you want (also supports IPv6) ;permit=0.0.0.0/0.0.0.0 ;deny=127.0.0.1