Module: sip-router
Branch: master
Commit: 0536bbc8739a46a5b67f37519e03881d5bf07684
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=0536bbc…
Author: oej <oej(a)edvina.net>
Committer: oej <oej(a)edvina.net>
Date: Sat Oct 10 16:13:46 2009 +0200
Typos, formatting
---
modules/auth_identity/README | 47 ++++++++++++++-------------
modules/auth_identity/doc/auth_identity.xml | 22 ++++++------
2 files changed, 35 insertions(+), 34 deletions(-)
diff --git a/modules/auth_identity/README b/modules/auth_identity/README
index 70deb13..592f0aa 100644
--- a/modules/auth_identity/README
+++ b/modules/auth_identity/README
@@ -1,4 +1,4 @@
-1. Auth Identity Module
+1. SIP Authenticated Identity Module
Gergely Kovacs
@@ -70,7 +70,7 @@ Gergely Kovacs
* verifier - verifies an authorized message
Known limitations in this version:
- * authorizer and verifier support only SIP requests except for CANCEL
+ * authorizer and verifier support all SIP requests except for CANCEL
and REGISTER
* verifier does not support the subjectAltName extension of
certificates
@@ -83,17 +83,17 @@ Gergely Kovacs
This module needs the following headers and libraries:
* OpenSSL (version 0.9.8 or higher) for cryptographic functions
- * libcURL for HTTP, HTTPS functions
+ * libcurl for HTTP, HTTPS functions
If you'd like to use TLS module too then use the corresponding LIB line
in auth_identity's Makefile
1.4. Installation And Running
- Authorizer service needs an opportunity to make the public key, which
- conveyed in a certificate, available over HTTPS or HTTP for verifiers.
- The domain the authorizer is responsible for and the domain part of the
- URL of the certificate must be the same. This service needs its private
+ the Authorizer service needs to make the public key, which conveyed in
+ a certificate, available over HTTPS or HTTP for verifiers. The domain
+ the authorizer is responsible for and the domain part of the URL of the
+ certificate must be the same. This service needs access to the private
key too.
1.5. Authorizer service parameters
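Review bot: The rewritten paragraph under 1.4 now opens with a lowercase "the Authorizer service", and "which conveyed in a certificate" still has no verb. For a commit whose purpose is typo fixes, suggest "The Authorizer service needs to make the public key, which is conveyed in a certificate, available over HTTPS or HTTP for verifiers."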
@@ -150,26 +150,27 @@ modparam("auth_identity","msg_timeout",600)
1.6. Authorizer service functions
-1.6.1. auth_date_proc()
+1.6.1. auth_date_proc()
If a message, the auth service should authorize, contains Date header
then this function checks whether it falls in message timeout (set by
- msg_timeout parameter). If there is not any Date header then adds one.
- This function also checks whether the certificate of auth service (set
- by certificate_path parameter) has not been expired.
+ msg_timeout parameter). If there is not any Date header then the module
+ adds one. This function also checks whether the certificate of the
+ authentication service (set by certificate_path parameter) has been
+ expired.
1.6.1.1. Dependencies
No dependencies
-1.6.2. auth_add_identity()
+1.6.2. auth_add_identity()
Assembles digest-string from the message, calculates its SHA1 hash,
- encrypt it with the private key (set by privatekey_path parameter) of
- authorizer service, base64 encodes it and adds to the outgoing message
- as the value of Identity header. This function also adds Identity-Info
- header which contains an URI (set by certificate_url parameter) from
- which the certificate of auth service can be acquired.
+ encrypts it with the private key (set by privatekey_path parameter) of
+ the authorizer service, base64 encodes it and adds to the outgoing
+ message as the value of Identity header. This function also adds
+ Identity-Info header which contains an URI (set by certificate_url
+ parameter) from which the certificate of auth service can be acquired.
Note: this function needs the final outgoing message for authorization,
so no module may modify any digest string related headers (From, To,
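Review bot: In the 1.6.1 auth_date_proc() text, replacing "has not been expired" with "has been expired" drops the negation without fixing the grammar, so the sentence no longer says which outcome the check is looking for. Suggest "checks that the certificate of the authentication service (set by certificate_path parameter) has not expired", or "checks whether ... has expired" if that is the intended reading.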
@@ -270,7 +271,7 @@
modparam("auth_identity","certificate_cache_limit",4096)
A file of trusted certificates. The file should contain multiple
certificates in PEM format concatenated together. It could be useful
- for verifying a certificate not signed by a trusted CA.
+ for verifying a certificate signed by a private CA.
This parameter is optional. It has not got default value.
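Review bot: "signed by a private CA" is narrower than the removed "not signed by a trusted CA": the old wording also covered self-signed certificates, and the new one does not say whether those may be placed in this file of trusted certificates. If both cases are supported, suggest naming both, for example "a certificate signed by a private CA or a self-signed certificate".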
@@ -292,7 +293,7 @@ modparam("auth_identity","accept_pem_certs",1)
1.9. Verifier service functions
-1.9.1. vrfy_check_date()
+1.9.1. vrfy_check_date()
Checks Date header of the incoming message whether falls in validity
time (set by auth_validity_time parameter)
@@ -301,7 +302,7 @@ modparam("auth_identity","accept_pem_certs",1)
No dependencies
-1.9.2. vrfy_get_certificate()
+1.9.2. vrfy_get_certificate()
Tries to get certificate defined by the value of Identity-info header
from certificate table (which size is set by certificate_cache_limit
@@ -312,7 +313,7 @@ modparam("auth_identity","accept_pem_certs",1)
No dependencies
-1.9.3. vrfy_check_certificate()
+1.9.3. vrfy_check_certificate()
Checks whether the downloaded certificate is valid (is not expired, its
subject and the domain part of the URL are the same) and adds it to
@@ -322,7 +323,7 @@ modparam("auth_identity","accept_pem_certs",1)
vrfy_get_certificate() must be called before
-1.9.4. vrfy_check_msgvalidity()
+1.9.4. vrfy_check_msgvalidity()
Assembles digest-string from the message, create SHA1 hash and compares
it with the decrypted value of Identity header.
@@ -332,7 +333,7 @@ modparam("auth_identity","accept_pem_certs",1)
vrfy_get_certificate() must be called before and
vrfy_check_certificate() should be called before
-1.9.5. vrfy_check_callid()
+1.9.5. vrfy_check_callid()
Checks whether the current call's been already processed in validity
time (set by auth_validity_time) to recognize call replay attacks. If
diff --git a/modules/auth_identity/doc/auth_identity.xml
b/modules/auth_identity/doc/auth_identity.xml
index c473752..a47f5db 100644
--- a/modules/auth_identity/doc/auth_identity.xml
+++ b/modules/auth_identity/doc/auth_identity.xml
@@ -20,7 +20,7 @@
</copyright>
</sectioninfo>
- <title>Auth Identity Module</title>
+ <title>SIP Authenticated Identity Module</title>
<section>
<title>Overview</title>
@@ -47,7 +47,7 @@
<itemizedlist>
<listitem>
<para>
- authorizer and verifier support only SIP requests except for
+ authorizer and verifier support all SIP requests except for
<emphasis>CANCEL</emphasis> and <emphasis>REGISTER</emphasis>
</para>
</listitem>
@@ -79,7 +79,7 @@
</listitem>
<listitem>
<para>
- <emphasis>libcURL</emphasis> for HTTP, HTTPS functions
+ <emphasis>libcurl</emphasis> for HTTP, HTTPS functions
</para>
</listitem>
</itemizedlist>
@@ -91,11 +91,11 @@
<section id="auth_identity.install_and_run">
<title>Installation And Running</title>
<para>
- <emphasis>Authorizer</emphasis> service needs an opportunity to make the
public key,
+ the <emphasis>Authorizer</emphasis> service needs to make the public key,
which conveyed in a certificate, available over HTTPS or HTTP for
verifiers. The domain the authorizer is responsible for and the
domain part of the URL of the certificate must be the same. This
- service needs its private key too.
+ service needs access to the private key too.
</para>
</section>
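Review bot: "This service needs access to the private key too" in the install_and_run section does not say how the key is supplied. Suggest pointing to the privatekey_path parameter that the auth_add_identity() paragraph in this same file names, and capitalising the "the" that now starts the paragraph.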
@@ -197,9 +197,9 @@ modparam("auth_identity","msg_timeout",600)
If a message, the auth service should authorize, contains Date header
then this function checks whether it falls in message timeout (set by
<emphasis>msg_timeout</emphasis> parameter). If there is not any Date
- header then adds one. This function also checks whether the certificate
- of auth service (set by <emphasis>certificate_path</emphasis> parameter)
- has not been expired.
+ header then the module adds one. This function also checks whether the certificate
+ of the authentication service (set by
<emphasis>certificate_path</emphasis> parameter)
+ has been expired.
</para>
<section>
<title>Dependencies</title>
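Review bot: The added line "header then the module adds one. This function also checks whether the certificate" is much longer than the lines around it; rewrap the paragraph to the width the rest of the file uses. The closing "has been expired" is also ungrammatical and loses the negation the removed text had, so it should read "has not expired" or "has expired" depending on the intended check.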
@@ -215,8 +215,8 @@ modparam("auth_identity","msg_timeout",600)
</title>
<para>
Assembles digest-string from the message, calculates its SHA1 hash,
- encrypt it with the private key (set by
<emphasis>privatekey_path</emphasis>
- parameter) of authorizer service, base64 encodes it and adds to the
+ encrypts it with the private key (set by
<emphasis>privatekey_path</emphasis>
+ parameter) of the authorizer service, base64 encodes it and adds to the
outgoing message as the value of <emphasis>Identity</emphasis> header.
This function also adds Identity-Info header which contains an URI
(set by <emphasis>certificate_url</emphasis> parameter) from which
@@ -362,7 +362,7 @@
modparam("auth_identity","certificate_cache_limit",4096)
<para>
A file of trusted certificates. The file should contain multiple
certificates in PEM format concatenated together. It could be useful
- for verifying a certificate not signed by a trusted CA.
+ for verifying a certificate signed by a private CA.
</para>
<para>
This parameter is optional. It has not got default value.