SIP WG                                                       C. Jennings
Internet-Draft                                             Cisco Systems
Expires: August 14, 2004                               February 14, 2004


            Example call flows using SIP security mechanisms
                     draft-jennings-sip-sec-flows-01

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 14, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Abstract

   This document shows call flows demonstrating the use of SIPS, TLS,
   and S/MIME in SIP.  This draft provides information that helps
   implementers build interoperable SIP software.  It is purely
   informational.  To help facilitate interoperability testing, it
   includes certificates used in the example call flows and a CA
   certificate to create certificates for testing.

   Warning - this is a very early draft of this document.  The call
   flows in it have not been verified against multiple versions of the
   software and have reasonable odds of being wrong.  Some known
   deficiencies with the draft are documented in Section 4.

   This work is being discussed on the sip@ietf.org mailing list.



Jennings                Expires August 14, 2004                 [Page 1]

Internet-Draft              SIP Secure Flows               February 2004


Table of Contents

   1.   Conventions
   2.   Introduction
   3.   Security Considerations
   4.   Known Problems
   5.   CA Certificates
   6.   Host Certificate
   7.   Callflow with Message over TLS
   8.   Callflow with TLS with Mutual Authentication
   9.   User Certificates
   10.  Callflow with Signed Message
   11.  Callflow with Encrypted Message
   12.  Callflow with Signed and Encrypted Message
   13.  Callflow with SRTP keying material in the SDP
   14.  Callflow with Secure REFER
   15.  Test Notes
   16.  Making Test Certificates
   17.  makeCA script
   18.  makeCert script
   19.  Certificates for Testing
   20.  Message Dumps
   21.  Open Issues
   22.  Still To Do
   23.  Acknowledgments
        Normative References
        Informative References
        Author's Address
        Intellectual Property and Copyright Statements

1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [1].

2.  Introduction

   Several different groups are starting to implement the S/MIME portion
   of SIP.  Over the last several interoperability events, it has become
   clear that it is difficult to write these systems without any test
   vectors or examples of "known good" messages to test against.
   Furthermore, testing at the events is often hampered by trying to get
   certificates signed by some common test root into the appropriate
   format for various clients.  This document addresses both of these
   issues by providing detailed example messages that implementers can
   use for comparison and for testing.  In addition, this document
   provides a common certificate that can be used for a CA to reduce the
   time it takes to set up a test at an interoperability event.  The
   document also provides some hints and clarifications for
   implementers.

   A simple SIP call flow using SIPS and TLS is shown in Section 7.  The
   certificates for the hosts used are shown in Section 6 and the CA
   certificates used to sign these are shown in Section 5.

   The text from Section 10 through Section 12 shows some simple SIP
   call flows using S/MIME to sign and encrypt the body of the message.
   The user certificates used in these examples are shown in Section 9
   and are signed with the same CA certs.

   A way to make certificates that can be used for interoperability
   testing is presented in Section 16, along with methods for converting
   these to various formats.

   In Section 15, a partial list of things implementers should check
   that they do in order to implement a secure system is presented.

   Binary copies of various messages in this draft that can be used for
   testing appear in Section 20.

3.  Security Considerations

   Implementers must never use any of the certificates provided in this
   document in anything but a test environment.  Installing the CA root
   certificates used in this document as a trusted root in operational
   software would completely destroy the security of the system while
   giving the user the impression that the system was operating
   securely.

   This document recommends some things that implementers might test or
   verify to improve the security of their implementations.  It is
   impossible to make a comprehensive list of these, and this document
   only suggests some of the most common mistakes that have been seen at
   the SIPit interoperability events.  Just because an implementation
   does everything this document recommends does not make it secure.

   The S/MIME examples use 3DES, but AES is preferred.

4.  Known Problems

   This section lists known problems, deficiencies, and mistakes in
   examples in this draft.

   The SubjectAltName in the S/MIME certificates contains only one name
   (like sip:alice@example.com).  It should be a list of names with
   different URI types, such as sip, im, and pres.  This is necessary
   for interoperating with CPIM gateways.

   Implementers are cautioned against assuming these messages are
   correct.  At the most recent SIPit and SIMPLEt, there was not good
   interoperability between multiple vendors that could be used to
   verify or collect messages.  Until that has been shown, these
   messages should be viewed with some skepticism.

5.  CA Certificates

   The certificate used by the CA to sign the other certificates is
   shown below.  This is an X.509v3 certificate.  Note that the basic
   constraints allow it to be used as a CA.
           Version: 3 (0x2)
           Serial Number: 0 (0x0)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: Jul 18 12:21:52 2003 GMT
               Not After : Jul 15 12:21:52 2013 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit,
                    OU=Sipit Test Certificate Authority
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:c3:22:1e:83:91:c5:03:2c:3c:8a:f4:11:14:c6:
                       4b:9d:fa:72:78:c6:b0:95:18:a7:e0:8c:79:ba:5d:
                       a4:ae:1e:21:2d:9d:f1:0b:1c:cf:bd:5b:29:b3:90:
                       13:73:66:92:6e:df:4c:b3:b3:1c:1f:2a:82:0a:ba:
                       07:4d:52:b0:f8:37:7b:e2:0a:27:30:70:dd:f9:2e:
                       03:ff:2a:76:cd:df:87:1a:bd:71:eb:e1:99:6a:c4:
                       7f:8e:74:a0:77:85:04:e9:41:ad:fc:03:b6:17:75:
                       aa:33:ea:0a:16:d9:fb:79:32:2e:f8:cf:4d:c6:34:
                       a3:ff:1b:d0:68:28:e1:9d:e5
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Key Identifier:
                   6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
               X509v3 Authority Key Identifier:
                   6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
                   DirName:/C=US/ST=California/L=San Jose/O=sipit/
                           OU=Sipit Test Certificate Authority
                   serial:00
               X509v3 Basic Constraints:
                   CA:TRUE
       Signature Algorithm: sha1WithRSAEncryption
           96:6d:1b:ef:d5:91:93:45:7c:5b:1f:cf:c4:aa:47:52:0b:34:
           a8:50:fa:ec:fa:b4:2a:47:4c:5d:41:a7:3d:c0:d6:3f:9e:56:
           5b:91:1d:ce:a8:07:b3:1b:a4:9f:9a:49:6f:7f:e0:ce:83:94:
           71:42:af:fe:63:a2:34:dc:b4:5e:a5:ce:ca:79:50:e9:6a:99:
           4c:14:69:e9:7c:ab:22:6c:44:cc:8a:9c:33:6b:23:50:42:05:
           1f:e1:c2:81:88:5f:ba:e5:47:bb:85:9b:83:25:ad:84:32:ff:
           2a:5b:8b:70:12:11:83:61:c9:69:15:4f:58:a3:3c:92:d4:e8:
           6f:52

   The ASN.1 parse of the CA certificate is shown below.
         0:l= 804 cons: SEQUENCE
         4:l= 653 cons: SEQUENCE
         8:l=   3 cons: cont [ 0 ]
        10:l=   1 prim: INTEGER           :02
        13:l=   1 prim: INTEGER           :00
        16:l=  13 cons: SEQUENCE
        18:l=   9 prim: OBJECT            :sha1WithRSAEncryption
        29:l=   0 prim: NULL
        31:l= 112 cons: SEQUENCE
        33:l=  11 cons: SET
        35:l=   9 cons: SEQUENCE
        37:l=   3 prim: OBJECT            :countryName
        42:l=   2 prim: PRINTABLESTRING   :US
        46:l=  19 cons: SET
        48:l=  17 cons: SEQUENCE
        50:l=   3 prim: OBJECT            :stateOrProvinceName
        55:l=  10 prim: PRINTABLESTRING   :California
        67:l=  17 cons: SET
        69:l=  15 cons: SEQUENCE
        71:l=   3 prim: OBJECT            :localityName
        76:l=   8 prim: PRINTABLESTRING   :San Jose
        86:l=  14 cons: SET
        88:l=  12 cons: SEQUENCE
        90:l=   3 prim: OBJECT            :organizationName
        95:l=   5 prim: PRINTABLESTRING   :sipit
       102:l=  41 cons: SET
       104:l=  39 cons: SEQUENCE
       106:l=   3 prim: OBJECT            :organizationalUnitName
       111:l=  32 prim: PRINTABLESTRING   :Sipit Test Certificate Authority
       145:l=  30 cons: SEQUENCE
       147:l=  13 prim: UTCTIME           :030718122152Z
       162:l=  13 prim: UTCTIME           :130715122152Z
       177:l= 112 cons: SEQUENCE
       179:l=  11 cons: SET
       181:l=   9 cons: SEQUENCE
       183:l=   3 prim: OBJECT            :countryName
       188:l=   2 prim: PRINTABLESTRING   :US
       192:l=  19 cons: SET
       194:l=  17 cons: SEQUENCE
       196:l=   3 prim: OBJECT            :stateOrProvinceName
       201:l=  10 prim: PRINTABLESTRING   :California
       213:l=  17 cons: SET
       215:l=  15 cons: SEQUENCE
       217:l=   3 prim: OBJECT            :localityName
       222:l=   8 prim: PRINTABLESTRING   :San Jose
       232:l=  14 cons: SET
       234:l=  12 cons: SEQUENCE
       236:l=   3 prim: OBJECT            :organizationName
       241:l=   5 prim: PRINTABLESTRING   :sipit
       248:l=  41 cons: SET
       250:l=  39 cons: SEQUENCE
       252:l=   3 prim: OBJECT            :organizationalUnitName
       257:l=  32 prim: PRINTABLESTRING   :Sipit Test Certificate Authority
       291:l= 159 cons: SEQUENCE
       294:l=  13 cons: SEQUENCE
       296:l=   9 prim: OBJECT            :rsaEncryption
       307:l=   0 prim: NULL
       309:l= 141 prim: BIT STRING
          00 30 81 89 02 81 81 00-c3 22 1e 83 91 c5 03 2c   .0......."......,
          3c 8a f4 11 14 c6 4b 9d-fa 72 78 c6 b0 95 18 a7   <.....K..rx.....
          e0 8c 79 ba 5d a4 ae 1e-21 2d 9d f1 0b 1c cf bd   ..y.]...!-......
          5b 29 b3 90 13 73 66 92-6e df 4c b3 b3 1c 1f 2a   [)...sf.n.L....*
          82 0a ba 07 4d 52 b0 f8-37 7b e2 0a 27 30 70 dd   ....MR..7{..'0p.
          f9 2e 03 ff 2a 76 cd df-87 1a bd 71 eb e1 99 6a   ....*v.....q...j
          c4 7f 8e 74 a0 77 85 04-e9 41 ad fc 03 b6 17 75   ...t.w...A.....u
          aa 33 ea 0a 16 d9 fb 79-32 2e f8 cf 4d c6 34 a3   .3.....y2...M.4.
          ff 1b d0 68 28 e1 9d e5-02 03 01 00 01            ...h(........
       453:l= 205 cons: cont [ 3 ]
       456:l= 202 cons: SEQUENCE
       459:l=  29 cons: SEQUENCE
       461:l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
       466:l=  22 prim: OCTET STRING
          04 14 6b 46 17 14 ea 94-76 25 80 54 6e 13 54 da   ..kF....v%.Tn.T.
          a1 e3 54 14 a1 b6                                 ..T...
       490:l= 154 cons: SEQUENCE
       493:l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
       498:l= 146 prim: OCTET STRING
          30 81 8f 80 14 6b 46 17-14 ea 94 76 25 80 54 6e   0....kF....v%.Tn
          13 54 da a1 e3 54 14 a1-b6 a1 74 a4 72 30 70 31   .T...T....t.r0p1
          0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11   .0...U....US1.0.
          06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69   ..U....Californi
          61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20   a1.0...U....San
          4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73   Jose1.0...U....s
          69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53   ipit1)0'..U... S
          69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66   ipit Test Certif
          69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82   icate Authority.
          01                                                .
          0092 -
       647:l=  12 cons: SEQUENCE
       649:l=   3 prim: OBJECT            :X509v3 Basic Constraints
       654:l=   5 prim: OCTET STRING
          30 03 01 01 ff                                    0....
       661:l=  13 cons: SEQUENCE
       663:l=   9 prim: OBJECT            :sha1WithRSAEncryption
       674:l=   0 prim: NULL
       676:l= 129 prim: BIT STRING
          00 96 6d 1b ef d5 91 93-45 7c 5b 1f cf c4 aa 47   ..m.....E|[....G
          52 0b 34 a8 50 fa ec fa-b4 2a 47 4c 5d 41 a7 3d   R.4.P....*GL]A.=
          c0 d6 3f 9e 56 5b 91 1d-ce a8 07 b3 1b a4 9f 9a   ..?.V[..........
          49 6f 7f e0 ce 83 94 71-42 af fe 63 a2 34 dc b4   Io.....qB..c.4..
          5e a5 ce ca 79 50 e9 6a-99 4c 14 69 e9 7c ab 22   ^...yP.j.L.i.|."
          6c 44 cc 8a 9c 33 6b 23-50 42 05 1f e1 c2 81 88   lD...3k#PB......
          5f ba e5 47 bb 85 9b 83-25 ad 84 32 ff 2a 5b 8b   _..G....%..2.*[.
          70 12 11 83 61 c9 69 15-4f 58 a3 3c 92 d4 e8 6f   p...a.i.OX.<...o
          52                                                R

6.  Host Certificate

   The certificate for the host b.example.com is shown below.  Note that
   the Subject Alternative Name is set to b.example.com and is a DNS
   type.

       Data:
           Version: 3 (0x2)
           Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: Jul 20 20:46:16 2003 GMT
               Not After : Jul 19 20:46:16 2004 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit,
                    CN=b.example.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:e2:85:18:89:7b:67:2a:b8:67:ac:a5:f9:4e:42:
                       58:04:d8:3a:ae:bb:f6:87:c4:57:2e:5d:79:5f:15:
                       fb:32:7b:00:b1:10:64:19:2a:ed:3e:d9:19:7f:bd:
                       f4:aa:bd:94:b5:d3:19:9e:f2:b8:8c:56:28:dc:3d:
                       08:6e:29:2d:17:e5:b0:bb:da:2a:af:f8:e2:95:ce:
                       87:2f:da:9e:bc:bf:00:90:53:1f:47:c6:52:7f:f6:
                       0e:dc:af:cb:57:2a:7b:17:46:69:db:b1:62:e9:b3:
                       e3:aa:74:6b:bc:d5:65:bc:db:ea:1d:15:2b:1b:22:
                       bc:7b:23:6e:74:9f:01:62:b9
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Alternative Name:
                   DNS:b.example.com
               X509v3 Basic Constraints:
                   CA:FALSE
               X509v3 Subject Key Identifier:
                   62:8E:28:DB:A2:BF:79:75:17:E1:48:FA:FE:10:61:A2:56:EF:63:74
               X509v3 Authority Key Identifier:
                   keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
                   DirName:/C=US/ST=California/L=San Jose/O=sipit/
                           OU=Sipit Test Certificate Authority
                   serial:00
       Signature Algorithm: sha1WithRSAEncryption
           57:e2:12:67:d1:ca:d9:1c:8e:38:8f:83:f4:62:c2:9c:54:b1:
           69:7e:32:29:d6:14:67:81:69:c4:11:95:07:af:2c:b0:61:67:
           6a:17:6d:47:ea:ed:cd:43:ab:fb:a5:b8:25:84:44:9b:59:5a:
           b8:9f:12:bb:7a:df:7b:84:ef:f7:3d:1c:3f:35:4b:41:0a:91:
           62:49:1a:e4:92:0f:d5:79:00:01:33:7d:dd:1c:f0:1c:dc:95:
           96:e8:d4:e5:59:d8:64:39:80:ca:08:1d:a4:c4:bd:52:fe:83:
           24:ee:82:b2:3c:53:4d:58:b5:bf:2e:7d:59:a3:df:78:38:0b:
           75:c4

7.  Callflow with Message over TLS

   The flow below shows the edited SSLDump output of the host
   a.example.com forming a TLS connection to b.example.com.  In this
   example mutual authentication is not used.  Note that the client
   proposed three cipher suites, including the required
   TLS_RSA_WITH_AES_128_CBC_SHA.  The certificate returned by the server
   contains a Subject Alternative Name that is set to b.example.com.  A
   detailed discussion of TLS can be found in [9].

   New TCP connection #1: a.example.com(5071) <-> b.example.com(5081)
   1 1  0.0015 (0.0015)  C>SV3.1(49)  Handshake
         ClientHello
           Version 3.1
           random[32]=
             3f 1d 41 76 31 6f af f1 42 fa 7b 57 c7 79 49 2b
             d4 21 9c be e9 8b 85 83 56 4b 36 cb f2 99 ef b2
           cipher suites
           TLS_RSA_WITH_AES_256_CBC_SHA
           TLS_RSA_WITH_AES_128_CBC_SHA
           TLS_RSA_WITH_3DES_EDE_CBC_SHA
           compression methods
                     NULL
   1 2  0.4307 (0.4292)  S>CV3.1(74)  Handshake
         ServerHello
           Version 3.1
           random[32]=
             3f 1d 41 77 92 f5 55 a3 97 69 cf b5 7a 0a 3c 00
             bc 0c 59 91 1c 6b 2b 4a 0e 98 40 21 a9 b5 4b 6f
           session_id[32]=
             10 3c 8c aa 75 d8 62 0b c3 5b ad 24 c1 7f 4f 80
             25 b7 1c 40 a3 3c e1 85 0d b5 29 d3 15 40 51 d3
           cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
           compressionMethod                   NULL
   1 3  0.4307 (0.0000)  S>CV3.1(822)  Handshake
         Certificate
           Subject
             C=US
             ST=California
             L=San Jose
             O=sipit
             CN=b.example.com
           Issuer
             C=US
             ST=California
             L=San Jose
             O=sipit
             OU=Sipit Test Certificate Authority
           Serial 01
           Extensions
             Extension: X509v3 Subject Alternative Name
             Extension: X509v3 Basic Constraints
             Extension: X509v3 Subject Key Identifier
             Extension: X509v3 Authority Key Identifier
   1 4  0.4307 (0.0000)  S>CV3.1(4)  Handshake
         ServerHelloDone
   1 5  0.4594 (0.0286)  C>SV3.1(134)  Handshake
         ClientKeyExchange
   1 6  0.5498 (0.0903)  C>SV3.1(1)  ChangeCipherSpec
   1 7  0.5498 (0.0000)  C>SV3.1(48)  Handshake
   1 8  0.5505 (0.0007)  S>CV3.1(1)  ChangeCipherSpec
   1 9  0.5505 (0.0000)  S>CV3.1(48)  Handshake

   Once the TLS session is set up, the following MESSAGE message is sent
   from a.example.com to b.example.com.  Note that the URI has a SIPS
   URL and that the VIA indicates that TLS was used.

   MESSAGE sips:bob@b.example.com:5081 SIP/2.0
   To:
   From: ;tag=2639484b
   Via: SIP/2.0/TLS b.example.com:5071;
     branch=z9hG4bK-c87542-240491824-1-c87542-
   Call-ID: 7ba3572175b0f542
   CSeq: 1 MESSAGE
   Contact:
   Max-Forwards: 70
   Content-Type: text/plain
   User-Agent: SIPimp.org/0.2.1 (curses)
   Content-Length: 2

   Hi

   The response is sent from b.example.com to a.example.com over the
   same TLS connection.  It is shown below.

   SIP/2.0 200 OK
   To: ;tag=514db9e7
   From: ;tag=2639484b
   Via: SIP/2.0/UDP b.example.com;
     branch=z9hG4bK-c87542-240491824-1-c87542-;received=127.0.0.1
   Call-ID: 7ba3572175b0f542
   CSeq: 1 MESSAGE
   Contact:
   Content-Length: 0

8.  Callflow with TLS with Mutual Authentication

9.  User Certificates

   Alice's certificate is shown below.  Note that it has a Subject
   Alternative Name of type email and is set to alice@a.example.com.  In
   this example a.example.com is Alice's domain; the message could be
   coming from a host called host1.a.example.com, and the AOR in the
   user certificate would still be the same.
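   Sections 6, 7 and 9 each bind a certificate to a SIP identity: the
   host certificate carries a DNS-type SAN that must match the host of
   the sips: Request-URI, while the user certificates carry an email-
   type SAN that must match the sender's AOR, whatever host the message
   actually came from.  The following Python checks are an added
   example, not code from this draft or from any SIP implementation;
   the SAN strings and the ssldump excerpt are constructed from the
   dumps above, and the no-wildcard rule is an assumption of the
   example rather than something the draft states.

```python
import re

# Constructed excerpt of the Section 7 ssldump trace: the ClientHello
# with the three suites the draft lists.
SSLDUMP_CLIENT_HELLO = """\
1 1  0.0015 (0.0015)  C>SV3.1(49)  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_AES_256_CBC_SHA
        TLS_RSA_WITH_AES_128_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
"""

# RFC 3261 requires SIPS implementations to support this suite.
MANDATORY_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"

_URI_RE = re.compile(
    r"^(?P<scheme>sips?|im|pres):(?:(?P<user>[^@;?>]+)@)?"
    r"(?P<host>[^:;?>]+)(?::(?P<port>\d+))?")


def parse_uri(uri):
    """Split sip:/sips:/im:/pres: URIs into (scheme, user, host, port).
    Parameters and headers after ';' or '?' are dropped.  The host is
    lowercased (hosts compare case-insensitively); the user part is kept
    as-is because it is case-sensitive in SIP."""
    m = _URI_RE.match(uri.strip().strip("<>"))
    if not m:
        raise ValueError("not a SIP/IM/PRES URI: %r" % uri)
    port = int(m.group("port")) if m.group("port") else None
    return m.group("scheme"), m.group("user"), m.group("host").lower(), port


def san_entries(sans):
    """Yield (type, value) from SAN strings written the way the draft's
    certificate dumps print them, e.g. 'DNS:b.example.com'."""
    for entry in sans:
        kind, _, value = entry.partition(":")
        yield kind.strip().lower(), value.strip()


def host_matches_san(sans, request_uri):
    """Sections 6/7: the TLS server's certificate must carry the host of
    the sips: Request-URI as a DNS-type SAN.  Exact, case-insensitive
    match only; wildcards are deliberately not accepted (an assumption
    of this example).  An email SAN names a user, not a host, so it
    never satisfies this check."""
    _, _, host, _ = parse_uri(request_uri)
    return any(kind == "dns" and value.lower() == host
               for kind, value in san_entries(sans))


def user_matches_san(sans, aor):
    """Section 9: the S/MIME signer's certificate must be bound to the
    sender's AOR, not to the host the message came from.  Accepts a
    URI-type SAN with the same scheme, user and host (the sip/im/pres
    list Section 4 says the certificates should carry) or, as the
    draft's certificates do today, an email-type SAN equal to user@host."""
    scheme, user, host, _ = parse_uri(aor)
    if user is None:
        return False
    for kind, value in san_entries(sans):
        if kind == "uri":
            try:
                s, u, h, _ = parse_uri(value)
            except ValueError:
                continue          # a URI type this check does not handle
            if (s, u, h) == (scheme, user, host):
                return True
        elif kind == "email":
            e_user, _, e_host = value.rpartition("@")
            if (e_user, e_host.lower()) == (user, host):
                return True
    return False


def offered_suites(ssldump_text):
    """Cipher suites listed between 'cipher suites' and 'compression
    methods' in an ssldump ClientHello block."""
    suites, collecting = [], False
    for line in ssldump_text.splitlines():
        s = line.strip()
        if s == "cipher suites":
            collecting = True
        elif s == "compression methods":
            break
        elif collecting and s.startswith("TLS_"):
            suites.append(s)
    return suites


def offers_mandatory_suite(ssldump_text):
    """True if the client offered the suite RFC 3261 makes mandatory."""
    return MANDATORY_SUITE in offered_suites(ssldump_text)
```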
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: Jul 20 14:29:54 2003 GMT
               Not After : Jul 19 14:29:54 2004 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit,
                    CN=alice@a.example.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:f0:9f:91:9a:6d:6f:81:b9:9d:67:db:5f:be:95:
                       3a:29:8a:cc:73:dd:b9:7a:33:c8:f9:52:dd:99:13:
                       04:2b:f1:9b:c2:f5:93:72:7a:9b:e1:97:fc:c2:d2:
                       96:d0:76:db:b5:0e:47:b1:59:74:59:5b:b0:73:ad:
                       c8:64:bd:59:1c:67:1a:82:2f:c2:cf:53:87:d3:2b:
                       5a:dc:e6:3c:8c:27:a0:ab:6e:7f:4d:86:dd:2b:9b:
                       e3:69:3b:f0:aa:1b:ad:f2:ab:1e:44:46:b2:8a:ab:
                       85:2c:81:13:03:98:06:65:57:0c:ff:c3:4f:02:cb:
                       ed:79:e5:81:19:c7:02:e2:1b
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Alternative Name:
                   email:alice@a.example.com
               X509v3 Basic Constraints:
                   CA:FALSE
               X509v3 Subject Key Identifier:
                   DE:0C:46:FC:B7:4C:CE:6B:73:99:22:C2:3D:A9:DE:53:EC:BF:69:66
               X509v3 Authority Key Identifier:
                   keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
                   DirName:/C=US/ST=California/L=San Jose/O=sipit/
                           OU=Sipit Test Certificate Authority
                   serial:00
       Signature Algorithm: sha1WithRSAEncryption
           95:2c:fb:26:83:35:4a:3c:da:20:be:74:1a:1f:80:7f:27:61:
           dc:27:f1:a9:7b:2e:a7:24:31:1f:f7:c9:77:cd:0f:bf:02:9b:
           8d:d5:35:42:6d:90:60:30:4c:6b:f4:7f:11:4d:a0:3f:1e:9c:
           d2:2b:e0:4b:4f:fc:fa:37:43:68:e2:d8:32:29:bd:6e:22:e6:
           ef:0e:97:b0:d9:92:49:ae:46:95:38:ab:a5:11:de:fa:dc:1b:
           ae:30:6b:48:2c:a3:c5:26:71:a6:23:58:a2:d2:57:4a:b1:ae:
           d8:45:c6:9a:71:8b:01:e9:ac:95:5e:9a:2c:67:ae:c3:5d:2b:
           7c:9d

   Alice's private key is shown below.
         0: 604 cons: SEQUENCE
         4:   1 prim: INTEGER :00
         7: 129 prim: INTEGER :
            F09F919A6D6F81B99D67DB5FBE953A298ACC73DDB97A33C8F952DD9913042BF19B
            C2F593727A9BE197FCC2D296D076DBB50E47B15974595BB073ADC864BD591C671A
            822FC2CF5387D32B5ADCE63C8C27A0AB6E7F4D86DD2B9BE3693BF0AA1BADF2AB1E
            4446B28AAB852C811303980665570CFFC34F02CBED79E58119C702E21B
       139:   3 prim: INTEGER :010001
       144: 128 prim: INTEGER :
            4764C0F9D5E090D7F6E91AC0E4B638249D471E55BA3394EBDB7607C3E44D87904F
            4BE03B586B229723D65E23C795A0BE7D90F81A99D518B248BF79DF8C6C55E4B135
            6249D82F9B18C37525FA05D3562399E4912BC902FA92CF12D7AE653C3C0D851A4B
            B3DF35E8722006460FC076E02D012D3CF233D1934100FEC7EAC72DE989
       275:  65 prim: INTEGER :
            FA5A76D62011E3A219B4D89CF2A392FF57A55BC4E1092EC67030E31ABEDC591485
            C284250BC0195C33A92920B340B2636EBB880C3DC6E2748A6045A07FCC2E97
       342:  65 prim: INTEGER :
            F60CEC61DB985C1AE0F927E831AADA2E1DF889D135E91A49B662B8094CF140075A
            9C782DF6A28F538D2C51CC4910CB02B159894FB597D17A3FB69DDD37099D1D
       409:  64 prim: INTEGER :
            53E735A495A2E9334E823986801B2A0CC186FDB681E4DDF44B6D56EF83BFBD6B0F
            591D887CE3A89C2A042B707622DCA64E5A33424701FCAB2A2511B0B4A3ED89
       475:  65 prim: INTEGER :
            CBD8F91E39E888A65C2D103AF6AB2E07771D2A5101F115AE6C446D64873278719F
            4872E8E1A4DC49C4742B70AC3815792DA598754965764F69E9C9F03460EAA1
       542:  64 prim: INTEGER :
            021CFC8DEC23F4B82BE937CD45B819AE8C5777BFF14C74F719FFBBF3EB567A563A
            9B2256EC3563E764B269DC34BFEC772BE443484D974B8FF07C52D9BF95DC24

   Bob's certificate is shown below.  Bob is in the domain b.example.com.
       Data:
           Version: 3 (0x2)
           Serial Number: 1 (0x1)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: Jul 20 14:30:06 2003 GMT
               Not After : Jul 19 14:30:06 2004 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit,
                    CN=bob@b.example.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:b0:ef:02:43:fd:59:28:0b:d3:59:ff:e6:66:3a:
                       a7:30:b0:e5:11:54:c0:d7:e9:8a:51:a7:2b:30:94:
                       98:ef:bb:f9:8a:95:a6:ca:5e:e3:7a:af:a2:2a:f9:
                       b4:5e:b0:8a:e1:ab:0d:c4:67:9b:2f:10:b1:c8:71:
                       28:0b:0d:36:75:46:30:f9:17:39:d0:c8:e2:14:ac:
                       ec:bb:ba:3d:d1:a7:50:13:83:3e:d3:75:67:87:ef:
                       36:a5:5d:b3:23:71:29:15:94:e8:50:3c:f8:7b:a7:
                       0c:ce:f0:be:92:6b:d8:03:c3:e6:fb:25:78:ea:5c:
                       18:76:36:06:ba:2e:78:cf:3d
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Alternative Name:
                   email:bob@b.example.com
               X509v3 Basic Constraints:
                   CA:FALSE
               X509v3 Subject Key Identifier:
                   B5:B2:6C:07:9B:79:19:9B:64:FB:9F:37:F7:7A:60:BC:1D:40:25:DA
               X509v3 Authority Key Identifier:
                   keyid:6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
                   DirName:/C=US/ST=California/L=San Jose/O=sipit/
                           OU=Sipit Test Certificate Authority
                   serial:00
       Signature Algorithm: sha1WithRSAEncryption
           9c:99:39:e7:19:59:96:06:46:74:b5:b7:98:1a:cc:f5:a3:e6:
           55:6c:3c:e9:b0:7a:a3:0a:1a:ea:32:c9:51:e5:da:7e:ac:24:
           1b:cb:b4:7d:ae:b5:70:ba:26:0f:34:81:d6:7d:e5:c6:76:11:
           44:7f:26:90:ff:0a:9f:6a:8e:d2:f8:34:7b:7d:21:66:53:9d:
           1b:1c:74:d5:72:95:8d:76:fe:68:88:f2:c4:79:d2:df:d0:7a:
           4e:6c:e7:2d:f0:1f:7e:03:7a:14:21:56:6c:f0:cb:04:c8:c2:
           63:0d:24:52:1f:e4:b8:aa:21:65:0f:75:e3:76:9b:35:48:0f:
           b4:ab

   Bob's private key is shown below.
         0: 605 cons: SEQUENCE
         4:   1 prim: INTEGER :00
         7: 129 prim: INTEGER :
            B0EF0243FD59280BD359FFE6663AA730B0E51154C0D7E98A51A72B309498EFBBF9
            8A95A6CA5EE37AAFA22AF9B45EB08AE1AB0DC4679B2F10B1C871280B0D36754630
            F91739D0C8E214ACECBBBA3DD1A75013833ED3756787EF36A55DB32371291594E8
            503CF87BA70CCEF0BE926BD803C3E6FB2578EA5C18763606BA2E78CF3D
       139:   3 prim: INTEGER :010001
       144: 128 prim: INTEGER :
            06B0A2D74B4709BA98BD386DCFC3BBFA9D55ABF8166A938C05565ACDB570AAEFE2
            9998DAFB9FE6DE06B20D09F005FC8AE3C981F5C12D1EF474A46D92E40815DCFD36
            860631EF92CB2F30AB746A0CF80428CC544C51A04F08AF1773E53F88FC4031DF32
            68B82476A1875DBB9212AAA6373AF6600F37053B3417E957D7D9633D49
       275:  65 prim: INTEGER :
            DB1765DB11C76D7CC0A50E60CFA66025EC971C0F6D797D2166B7578F8DC1401E87
            B3D448135B2FB74ABD3EEDB41B0EE538D587A88D08D018C2971C298F88971F
       342:  65 prim: INTEGER :
            CEBD8090AAD98D86986FBB1E38C1CB0FAA1951D625A9333BF4F52E53AE2405878B
            AB54179A1964F02BEF17B2E25F922BDA097E7B282ADF8AD8DEC962012D1A23
       409:  64 prim: INTEGER :
            3EF3CF298E473E577D4730057344FC158990B5D85CFD6E8DFD64AAFD2D9F1C9C69
            23ABD875EF5A9B91172590C99288CA26757C805ADDF0655CEC6C8428A0F7C3
       475:  65 prim: INTEGER :
            9D23529623162AC9341230C29ED745D5C92F6791829CA1B19FD5BFF9A0B20675E9
            46372B9D5851ED6F2752F707B326B2280EF15100CDDD8D769B97ABE342F9CB
       542:  65 prim: INTEGER :
            84D65C4EBCC1B95AA42AA2AD2ECDDC58809316CC4793A889C24828E04F386B1277
            8DA68B57E7891E6780D5FD1A028B207D7C7D9AE40CDD9F9059BDEB2EF098BF

10.  Callflow with Signed Message

   Example signed message.  The value on the Content-Type line has been
   broken across lines to fit on the page, but it is a single line in
   the real message.
   MESSAGE sip:bob@b.example.com SIP/2.0
   To:
   From: ;tag=1b2f5769
   Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-730075406-1--c87542-;rport
   Call-ID: 22b4f26d6be23a0e
   CSeq: 1 MESSAGE
   Contact:
   Max-Forwards: 70
   Content-Type: multipart/signed;boundary=65b6563f5e8ef632;\
     micalg=sha1;protocol=application/pkcs7-signature
   User-Agent: SIPimp.org/0.2.2 (curses)
   Content-Length: 1653

   --65b6563f5e8ef632
   Content-Type: text/plain
   Content-Transfer-Encoding: binary

   Hi
   --65b6563f5e8ef632
   Content-Type: application/pkcs7-signature;name=smime.p7s
   Content-Disposition: attachment;handling=required;filename=smime.p7s
   Content-Transfer-Encoding: binary

   *******************
   *  BINARY BLOB 1  *
   *******************

   --65b6563f5e8ef632--

   It is important to note that the data the signature is computed
   across includes the MIME headers of the signed part, so the signed
   data is:

   Content-Type: text/plain
   Content-Transfer-Encoding: binary

   Hi

   The response follows.  The Via line has been split across lines for
   formatting, but it is a single line in the real message.

   SIP/2.0 200 OK
   To: ;tag=6b167ed8
   From: ;tag=1b2f5769
   Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-730075406-1--c87542-;\
     rport=5070;received=127.0.0.1
   Call-ID: 22b4f26d6be23a0e
   CSeq: 1 MESSAGE
   Contact:
   Content-Length: 0

   ASN.1 parse of binary blob 1.  Note that at address 30, the hash for
   the signature is specified as sha1.
         0: SEQUENCE
         4:   OBJECT            :pkcs7-signedData
        15:   cont [ 0 ]
        19:     SEQUENCE
        23:       INTEGER           :01
        26:       SET
        28:         SEQUENCE
        30:           OBJECT            :sha1
        37:           NULL
        39:       SEQUENCE
        41:         OBJECT            :pkcs7-data
        52:       cont [ 0 ]
        56:         SEQUENCE
        60:           SEQUENCE
        64:             cont [ 0 ]
        66:               INTEGER           :02
        69:             INTEGER           :55018102490073
        78:             SEQUENCE
        80:               OBJECT            :sha1WithRSAEncryption
        91:               NULL
        93:             SEQUENCE
        95:               SET
        97:                 SEQUENCE
        99:                   OBJECT            :countryName
       104:                   PRINTABLESTRING   :US
       108:               SET
       110:                 SEQUENCE
       112:                   OBJECT            :stateOrProvinceName
       117:                   PRINTABLESTRING   :California
       129:               SET
       131:                 SEQUENCE
       133:                   OBJECT            :localityName
       138:                   PRINTABLESTRING   :San Jose
       148:               SET
       150:                 SEQUENCE
       152:                   OBJECT            :organizationName
       157:                   PRINTABLESTRING   :sipit
       164:               SET
       166:                 SEQUENCE
       168:                   OBJECT            :organizationalUnitName
       173:                   PRINTABLESTRING   :Sipit Test Certificate Authority
       207:             SEQUENCE
       209:               UTCTIME           :031014202459Z
       224:               UTCTIME           :061013202459Z
       239:             SEQUENCE
       241:               SET
       243:                 SEQUENCE
       245:                   OBJECT            :countryName
       250:                   PRINTABLESTRING   :US
       254:               SET
       256:                 SEQUENCE
       258:                   OBJECT            :stateOrProvinceName
       263:                   PRINTABLESTRING   :California
       275:               SET
       277:                 SEQUENCE
       279:                   OBJECT            :localityName
       284:                   PRINTABLESTRING   :San Jose
       294:               SET
       296:                 SEQUENCE
       298:                   OBJECT            :organizationName
       303:                   PRINTABLESTRING   :sipit
       310:               SET
       312:                 SEQUENCE
       314:                   OBJECT            :commonName
       319:                   T61STRING         :alice@a.example.com
       340:             SEQUENCE
       343:               SEQUENCE
       345:                 OBJECT            :rsaEncryption
       356:                 NULL
       358:               BIT STRING
       502:             cont [ 3 ]
       505:               SEQUENCE
       508:                 SEQUENCE
       510:                   OBJECT            :X509v3 Subject Alternative Name
       515:                   OCTET STRING
       540:                 SEQUENCE
       542:                   OBJECT            :X509v3 Basic Constraints
       547:                   OCTET STRING
       551:                 SEQUENCE
       553:                   OBJECT            :X509v3 Subject Key Identifier
       558:                   OCTET STRING
       582:                 SEQUENCE
       585:                   OBJECT            :X509v3 Authority Key Identifier
       590:                   OCTET STRING
       739:           SEQUENCE
       741:             OBJECT            :sha1WithRSAEncryption
       752:             NULL
       754:           BIT STRING
       886:       SET
       890:         SEQUENCE
       894:           INTEGER           :01
       897:           SEQUENCE
       899:             SEQUENCE
       901:               SET
       903:                 SEQUENCE
       905:                   OBJECT            :countryName
       910:                   PRINTABLESTRING   :US
       914:               SET
       916:                 SEQUENCE
       918:                   OBJECT            :stateOrProvinceName
       923:                   PRINTABLESTRING   :California
       935:               SET
       937:                 SEQUENCE
       939:                   OBJECT            :localityName
       944:                   PRINTABLESTRING   :San Jose
       954:               SET
       956:                 SEQUENCE
       958:                   OBJECT            :organizationName
       963:                   PRINTABLESTRING   :sipit
       970:               SET
       972:                 SEQUENCE
       974:                   OBJECT            :organizationalUnitName
       979:                   PRINTABLESTRING   :Sipit Test Certificate Authority
      1013:             INTEGER           :55018102490073
      1022:           SEQUENCE
      1024:             OBJECT            :sha1
      1031:             NULL
      1033:           cont [ 0 ]
      1036:             SEQUENCE
      1038:               OBJECT            :contentType
      1049:               SET
      1051:                 OBJECT            :pkcs7-data
      1062:             SEQUENCE
      1064:               OBJECT            :signingTime
      1075:               SET
      1077:                 UTCTIME           :031015000907Z
      1092:             SEQUENCE
      1094:               OBJECT            :messageDigest
      1105:               SET
      1107:                 OCTET STRING
      1129:             SEQUENCE
      1131:               OBJECT            :S/MIME Capabilities
      1142:               SET
      1144:                 SEQUENCE
      1146:                   SEQUENCE
      1148:                     OBJECT            :des-ede3-cbc
      1158:                   SEQUENCE
      1160:                     OBJECT            :rc2-cbc
      1170:                     INTEGER           :80
      1174:                   SEQUENCE
      1176:                     OBJECT            :rc2-cbc
      1186:                     INTEGER           :40
      1189:                   SEQUENCE
      1191:                     OBJECT            :des-cbc
      1198:                   SEQUENCE
      1200:                     OBJECT            :rc2-cbc
      1210:                     INTEGER           :28
      1213:           SEQUENCE
      1215:             OBJECT            :rsaEncryption
      1226:             NULL
      1228:           OCTET STRING

11.  Callflow with Encrypted Message

   Example encrypted message:

   MESSAGE sip:bob@b.example.com SIP/2.0
   To:
   From: ;tag=4bba1f0d
   Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-558422834-1--c87542-;rport
   Call-ID: 132bb895019d4536
   CSeq: 1 MESSAGE
   Contact:
   Max-Forwards: 70
   Content-Disposition: attachment;handling=required;filename=smime.p7
   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;name=smime.p7m
   User-Agent: SIPimp.org/0.2.2 (curses)
   Content-Length: 385

   *****************
   * BINARY BLOB 2 *
   *****************

   The response.  The Via is split across lines for formatting but is
   not split in the real message.
   SIP/2.0 200 OK
   To: ;tag=330805f5
   From: ;tag=4bba1f0d
   Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-558422834-1--c87542-;\
     rport=5070;received=127.0.0.1
   Call-ID: 132bb895019d4536
   CSeq: 1 MESSAGE
   Contact:
   Content-Length: 0

   ASN.1 parse of binary blob 2.  Note that at address 323, the
   encryption algorithm is set to des-ede3-cbc.

         0: SEQUENCE
         4:   OBJECT            :pkcs7-envelopedData
        15:   cont [ 0 ]
        19:     SEQUENCE
        23:       INTEGER           :00
        26:       SET
        30:         SEQUENCE
        34:           INTEGER           :00
        37:           SEQUENCE
        39:             SEQUENCE
        41:               SET
        43:                 SEQUENCE
        45:                   OBJECT            :countryName
        50:                   PRINTABLESTRING   :US
        54:               SET
        56:                 SEQUENCE
        58:                   OBJECT            :stateOrProvinceName
        63:                   PRINTABLESTRING   :California
        75:               SET
        77:                 SEQUENCE
        79:                   OBJECT            :localityName
        84:                   PRINTABLESTRING   :San Jose
        94:               SET
        96:                 SEQUENCE
        98:                   OBJECT            :organizationName
       103:                   PRINTABLESTRING   :sipit
       110:               SET
       112:                 SEQUENCE
       114:                   OBJECT            :organizationalUnitName
       119:                   PRINTABLESTRING   :Sipit Test Certificate Authority
       153:             INTEGER           :55018102490072
       162:           SEQUENCE
       164:             OBJECT            :rsaEncryption
       175:             NULL
       177:           OCTET STRING
       308:       SEQUENCE
       310:         OBJECT            :pkcs7-data
       321:         SEQUENCE
       323:           OBJECT            :des-ede3-cbc
       333:           OCTET STRING
       343:         cont [ 0 ]

12.  Callflow with Signed and Encrypted Message

   Example signed and encrypted message.  In the example below, one of
   the headers is contained in a box and is split across two lines.
   This was only done to make it fit in the RFC format.  This header
   should not have the box around it and should be on one line with no
   whitespace between the "mime;" and the "smime-type".  Note that
   Content-Type is split across lines for formatting but is not split
   in the real message.
MESSAGE sip:bob@b.example.com SIP/2.0
To:
From: ;tag=1d8673a3
Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-488884104-1--c87542-;rport
Call-ID: 450c8b112715a732
CSeq: 1 MESSAGE
Contact:
Max-Forwards: 70
Content-Type: multipart/signed;boundary=75b3d73b4e24d3f6;\
micalg=sha1;protocol=application/pkcs7-signature
User-Agent: SIPimp.org/0.2.2 (curses)
Content-Length: 2158

--75b3d73b4e24d3f6
|---See note about stuff in this box---------------------|
|Content-Type: application/pkcs7-mime;                   |
|  smime-type=enveloped-data;name=smime.p7m              |
|--------------------------------------------------------|
Content-Disposition: attachment;handling=required;filename=smime.p7
Content-Transfer-Encoding: binary

*****************
* BINARY BLOB 3 *
*****************

--75b3d73b4e24d3f6
Content-Type: application/pkcs7-signature;name=smime.p7s
Content-Disposition: attachment;handling=required;filename=smime.p7s
Content-Transfer-Encoding: binary

*****************
* BINARY BLOB 4 *
*****************

--75b3d73b4e24d3f6--

Response back. Note that the Via is split across lines for formatting.
SIP/2.0 200 OK
To: ;tag=40d7131b
From: ;tag=1d8673a3
Via: SIP/2.0/UDP 127.0.0.1:5070;branch=z9hG4bK-c87542-488884104-1--c87542-;\
rport=5070;received=127.0.0.1
Call-ID: 450c8b112715a732
CSeq: 1 MESSAGE
Contact:
Content-Length: 0

Binary Blob 3

0: SEQUENCE
4: OBJECT :pkcs7-envelopedData
15: cont [ 0 ]
19: SEQUENCE
23: INTEGER :00
26: SET
30: SEQUENCE
34: INTEGER :00
37: SEQUENCE
39: SEQUENCE
41: SET
43: SEQUENCE
45: OBJECT :countryName
50: PRINTABLESTRING :US
54: SET
56: SEQUENCE
58: OBJECT :stateOrProvinceName
63: PRINTABLESTRING :California
75: SET
77: SEQUENCE
79: OBJECT :localityName
84: PRINTABLESTRING :San Jose
94: SET
96: SEQUENCE
98: OBJECT :organizationName
103: PRINTABLESTRING :sipit
110: SET
112: SEQUENCE
114: OBJECT :organizationalUnitName
119: PRINTABLESTRING :Sipit Test Certificate Authority
153: INTEGER :55018102490072
162: SEQUENCE
164: OBJECT :rsaEncryption
175: NULL
177: OCTET STRING
308: SEQUENCE
310: OBJECT :pkcs7-data
321: SEQUENCE
323: OBJECT :des-ede3-cbc
333: OCTET STRING
343: cont [ 0 ]

Binary Blob 4

0: SEQUENCE
4: OBJECT :pkcs7-signedData
15: cont [ 0 ]
19: SEQUENCE
23: INTEGER :01
26: SET
28: SEQUENCE
30: OBJECT :sha1
37: NULL
39: SEQUENCE
41: OBJECT :pkcs7-data
52: cont [ 0 ]
56: SEQUENCE
60: SEQUENCE
64: cont [ 0 ]
66: INTEGER :02
69: INTEGER :55018102490073
78: SEQUENCE
80: OBJECT :sha1WithRSAEncryption
91: NULL
93: SEQUENCE
95: SET
97: SEQUENCE
99: OBJECT :countryName
104: PRINTABLESTRING :US
108: SET
110: SEQUENCE
112: OBJECT :stateOrProvinceName
117: PRINTABLESTRING :California
129: SET
131: SEQUENCE
133: OBJECT :localityName
138: PRINTABLESTRING :San Jose
148: SET
150: SEQUENCE
152: OBJECT :organizationName
157: PRINTABLESTRING :sipit
164: SET
166: SEQUENCE
168: OBJECT :organizationalUnitName
173: PRINTABLESTRING :Sipit Test Certificate Authority
207: SEQUENCE
209: UTCTIME :031014202459Z
224: UTCTIME :061013202459Z
239: SEQUENCE
241: SET
243: SEQUENCE
245: OBJECT :countryName
250: PRINTABLESTRING :US
254: SET
256: SEQUENCE
258: OBJECT :stateOrProvinceName
263: PRINTABLESTRING :California
275: SET
277: SEQUENCE
279: OBJECT :localityName
284: PRINTABLESTRING :San Jose
294: SET
296: SEQUENCE
298: OBJECT :organizationName
303: PRINTABLESTRING :sipit
310: SET
312: SEQUENCE
314: OBJECT :commonName
319: T61STRING :alice@a.example.com
340: SEQUENCE
343: SEQUENCE
345: OBJECT :rsaEncryption
356: NULL
358: BIT STRING
502: cont [ 3 ]
505: SEQUENCE
508: SEQUENCE
510: OBJECT :X509v3 Subject Alternative Name
515: OCTET STRING
540: SEQUENCE
542: OBJECT :X509v3 Basic Constraints
547: OCTET STRING
551: SEQUENCE
553: OBJECT :X509v3 Subject Key Identifier
558: OCTET STRING
582: SEQUENCE
585: OBJECT :X509v3 Authority Key Identifier
590: OCTET STRING
739: SEQUENCE
741: OBJECT :sha1WithRSAEncryption
752: NULL
754: BIT STRING
886: SET
890: SEQUENCE
894: INTEGER :01
897: SEQUENCE
899: SEQUENCE
901: SET
903: SEQUENCE
905: OBJECT :countryName
910: PRINTABLESTRING :US
914: SET
916: SEQUENCE
918: OBJECT :stateOrProvinceName
923: PRINTABLESTRING :California
935: SET
937: SEQUENCE
939: OBJECT :localityName
944: PRINTABLESTRING :San Jose
954: SET
956: SEQUENCE
958: OBJECT :organizationName
963: PRINTABLESTRING :sipit
970: SET
972: SEQUENCE
974: OBJECT :organizationalUnitName
979: PRINTABLESTRING :Sipit Test Certificate Authority
1013: INTEGER :55018102490073
1022: SEQUENCE
1024: OBJECT :sha1
1031: NULL
1033: cont [ 0 ]
1036: SEQUENCE
1038: OBJECT :contentType
1049: SET
1051: OBJECT :pkcs7-data
1062: SEQUENCE
1064: OBJECT :signingTime
1075: SET
1077: UTCTIME :031015000922Z
1092: SEQUENCE
1094: OBJECT :messageDigest
1105: SET
1107: OCTET STRING
1129: SEQUENCE
1131: OBJECT :S/MIME Capabilities
1142: SET
1144: SEQUENCE
1146: SEQUENCE
1148: OBJECT :des-ede3-cbc
1158: SEQUENCE
1160: OBJECT :rc2-cbc
1170: INTEGER :80
1174: SEQUENCE
1176: OBJECT :rc2-cbc
1186: INTEGER :40
1189: SEQUENCE
1191: OBJECT :des-cbc
1198: SEQUENCE
1200: OBJECT :rc2-cbc
1210: INTEGER :28
1213: SEQUENCE
1215: OBJECT :rsaEncryption
1226: NULL
1228: OCTET STRING

13. Callflow with SRTP keying material in the SDP

Still TODO.

14. Callflow with Secure REFER

Still TODO.

15. Test Notes

This section describes some common interoperability problems. Implementers should verify that their clients do the correct things, and perhaps make their clients forgiving in what they receive, or at least produce reasonable error messages when talking to other software that does have these problems.

A common interoperability problem is that some SIP clients do not support TLS and only do SSLv3. Check that the client does use TLS.

Many SIP clients were found to accept expired certificates with no warning or error.

TLS and S/MIME can provide the identity of the peer that a client is communicating with, in the Subject Alternative Name of the certificate. The software must check that this name corresponds to the identity the client is trying to contact. If a client is trying to set up a TLS connection to good.example.com and it gets a TLS connection set up with a server that presents a valid certificate but with the name evil.example.com, it must generate an error or warning of some type. Similarly with S/MIME, if a user is trying to communicate with bob@b.example.com, the Subject Alternative Name field in the certificate must match the AOR for bob.

Some implementations used binary MIME encodings while others used base64. There is no reason not to use binary; check that your implementation sends binary and preferably receives both.

16. Making Test Certificates

These scripts allow you to make certificates for test purposes. The certificates will all share a common CA root so that everyone running these scripts can have interoperable certificates.

WARNING - these certificates are totally insecure and are for test purposes only. All the CAs created by this script share the same private key to facilitate interoperability testing, but this totally breaks the security, since the private key of the CA is well known.

The instructions assume a Unix-like environment with openssl installed, but openssl does work in Windows too. Make sure you have openssl installed by trying to run "openssl".

Run the makeCA script found in Section 17; this creates a subdirectory called demoCA. If the makeCA script cannot find where your openssl is installed, you will have to set an environment variable called OPENSSLDIR to whatever directory contains the file openssl.cnf. You can find this with "locate openssl.cnf".

You are now ready to make certificates. To create certs for use with TLS, run the makeCert script found in Section 18 with the fully qualified domain name of the proxy you are making the certificate for. For example, "makeCert host.example.net". This will generate a private key and a certificate. The private key will be left in a file named host.example.net_key.pem in PEM format. The certificate will be in host.example.net_cert.pem. Some programs expect both the certificate and private key combined together in a PKCS#12 format file. This is created by the script and left in a file named host.example.net.p12. Some programs expect this file to have a .pfx extension instead of .p12; just rename the file if needed.

A second argument indicating the number of days for which the certificate should be valid can be passed to the makeCert script.
It is possible to make an expired certificate using the command "makeCert host.example.net 0".

Anywhere that a password is used to protect a certificate, the password is set to the string "password".

The root certificate for the CA is in the file demoCA/cacert.pem, and a PKCS#7 version of it is in demoCA/cacert.p7c.

For things that need DER format certificates, a certificate can be converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER".

Some programs expect certificates in PKCS#7 format (with a file extension of .p7c). You can convert these from PEM format to PKCS#7 with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/cacert.pem -outform DER -out cert.p7c". IE, Outlook, and Netscape can import and export .p12 files and .p7c files. You can convert a PKCS#7 certificate bundle to PEM format with "openssl pkcs7 -in cert.p7c -inform DER -outform PEM -out cert.pem"; note that this writes a PEM-encoded PKCS#7 structure, so add "-print_certs" if what you need is the individual X.509 certificates in PEM.

The private key can be converted to PKCS#8 format with "openssl pkcs8 -in a_key.pem -topk8 -outform DER -out a_key.p8c". By default this encrypts the PKCS#8 output and prompts for a passphrase; use "-nocrypt" if the program consuming the key expects an unencrypted PKCS#8 key.

In general, a TLS client will just need the root certificate of the CA. A TLS server will need its private key and its certificate. These could be in two PEM files or one .p12 file. An S/MIME program will need its private key and certificate, the root certificate of the CA, and the certificate for every other user it communicates with.

When validating a chain of certificates, make sure that the basic constraints on any non-leaf node allow the certificate to be used as a CA. For example, if the domain example.com issues a certificate for alice@example.com, Alice should not be able to use this to sign a certificate for bob@example.com.

17. makeCA script

Appendix B - makeCA script

#!/bin/sh
#set -x

rm -rf demoCA
mkdir demoCA
mkdir demoCA/certs
mkdir demoCA/crl
mkdir demoCA/newcerts
mkdir demoCA/private
#echo "01" > demoCA/serial
hexdump -n 4 -e '4/1 "%04d"' /dev/random > demoCA/serial
touch demoCA/index.txt

# You may need to modify this for where your default file is;
# you can find where yours is by typing "openssl ca"
CONF=${OPENSSLDIR:=/usr/local/ssl}/openssl.cnf
if [ ! -f $CONF ]; then
  echo "Can not find file $CONF - set your OPENSSLDIR variable"
  exit 1
fi
cp $CONF openssl.cnf

cat >> openssl.cnf < demoCA/private/cakey.pem < demoCA/cacert.pem <