-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathtrust-verification.html
128 lines (128 loc) · 9.48 KB
/
trust-verification.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
<!DOCTYPE html>
<html lang="en">
<head>
<title>Trust Verification</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
<link rel="shortcut icon" href="images/logo.svg">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:[email protected]">
<link rel="stylesheet" href="includes/theme.css">
<link rel="stylesheet" href="includes/prettify.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="includes/prettify.js"></script>
<script>
jQuery(window).on("load", function () {
prettyPrint();
});
</script>
</head>
<body>
<header>
<a href="/"><img src="images/logo.svg" alt=""></a>
<h2><<span>proxy</span>></h2><h1><span>USECALLMANAGER</span>.nz</h1><h2></<span>proxy</span>></h2>
</header>
<main>
<nav>
<ul>
<li><a href="documentation-overview.html"><span class="icon">home</span> Documentation Overview</a></li>
<li><a href="patching-asterisk.html"><span class="icon">build</span> Patching Asterisk</a></li>
</ul>
<ul>
<li><h3>Network Configuration</h3></li>
<li><a href="dhcpd-conf.html"><span class="icon">settings_ethernet</span> DHCP Options</a></li>
<li><a href="apache-conf.html"><span class="icon">file_download</span> HTTP Provisioning</a></li>
<li><a href="tftpd-conf.html"><span class="icon">file_download</span> TFTP Provisioning</a></li>
</ul>
<ul>
<li><h3>Phone Configuration</h3></li>
<li><a href="sepmac-cnf-xml.html"><span class="icon">settings_phone</span> SEPMAC.cnf.xml</a></li>
<li><a href="dial-template-xml.html"><span class="icon">dialpad</span> Dial Templates</a></li>
<li><a href="app-dial-rules-xml.html"><span class="icon">bluetooth</span> Application Dial Rules</a></li>
<li><a href="soft-keys-xml.html"><span class="icon">power_input</span> Soft Keys</a></li>
<li><a href="line-keys-xml.html"><span class="icon">format_list_bulleted</span> Line Keys</a></li>
<li><a href="feature-policy-xml.html"><span class="icon">fact_check</span> Feature Policy</a></li>
<li><a href="network-locale.html"><span class="icon">language</span> Network Locale</a></li>
<li><a href="user-locale.html"><span class="icon">face</span> User Locale</a></li>
<li><a href="load-information.html"><span class="icon">file_upload</span> Firmware Load Information</a></li>
<li><a href="image-list-xml.html"><span class="icon">wallpaper</span> Background Images</a></li>
<li><a href="ring-list-xml.html"><span class="icon">ring_volume</span> Ring Tones</a></li>
<li><a href="itl-file-tlv.html"><span class="icon">security</span> Device Security</a></li>
<li><span class="icon selected">verified</span> <b>Trust Verification</b></li>
<li><a href="certificate-enrollment.html"><span class="icon">card_membership</span> Certificate Enrollment</a></li>
<li><a href="vpn-group.html"><span class="icon">vpn_key</span> VPN Connection</a></li>
</ul>
<ul>
<li><h3>Asterisk Configuration</h3></li>
<li><a href="sip-conf.html"><span class="icon">dialer_sip</span> SIP Peers</a></li>
<li><a href="sip-notify-conf.html"><span class="icon">settings_power</span> SIP Notify Commands</a></li>
<li><a href="extensions-conf.html"><span class="icon">format_list_numbered</span> Dialplan Extensions</a></li>
<li><a href="res-parking-conf.html"><span class="icon">local_parking</span> Call Parking</a></li>
<li><a href="sippeer-options.html"><span class="icon">code</span> SIPPEER Options</a></li>
<li><a href="rtp-streaming.html"><span class="icon">volume_up</span> RTP Streaming</a></li>
<li><a href="command-line.html"><span class="icon">keyboard_arrow_right</span> Command Line</a></li>
<li><a href="freepbx-integration.html"><span class="icon">view_kanban</span> FreePBX Integration</a></li>
</ul>
<ul>
<li><h3>XML Services</h3></li>
<li><a href="phone-services-xml.html"><span class="icon">settings</span> Phone Services</a></li>
<li><a href="cgi-execute-xml.html"><span class="icon">phone_forwarded</span> CGI Execute</a></li>
</ul>
<ul>
<li><h3>Additional Features</h3></li>
<li><a href="as-feature-events.html"><span class="icon">extension</span> AS Feature Events</a></li>
</ul>
</nav>
<article>
<h1>Trust Verification</h1>
The Trust Verification Service (TVS) allows phones to query the validity of a certificate that is not included in <code class="literal">ITLFile.tlv</code> on demand. Certificates used for <code class="literal">CCM</code>, <code class="literal">TFTP</code>, <code class="literal">CAPF</code> and <code class="literal">APP-SERVER</code> roles can be dynamically provisioned without the phone having to re-download <code class="literal">ITLFile.tlv</code>.<br>
<br>
To enable use of TVS set <<code class="tag">address</code>> and <<code class="tag">port</code>> in <a href="sepmac-cnf-xml.html#TVS/member">SEPMAC.cnf.xml</a> and include a certificate with the <code class="literal">TVS</code> role in <code class="literal">ITLFile.tlv</code>. An archive containing the server and client utilities can be downloaded from the URL below.<br>
<br>
<a href="https://github.com/usecallmanagernz/daemons/archive/v4.1.tar.gz" download><span class="icon">file_download</span> daemons-4.1.tar.gz</a> (28K) <span class="icon">event</span> 29/08/2024 <span class="icon">security</span> SHA256:546df03cf7832d3d58434f7f97e5de8acb509acc52bb57b3bbd74909d24f994e.<br>
<br>
<h2 id="tvsctl">tvsctl <a href="#tvsctl" title="Link">link</a></h2>
The <code class="literal">tvsctl</code> utility is used to manage the database file used by <code class="literal">tvsd</code>. The following adds certificates used for <code class="literal">CCM</code> and <code class="literal">APP-SERVER</code> roles to a database file in <code class="literal">/var/lib/tvs</code>.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/asterisk/keys/asterisk.pem \
--ccm
<span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/apache2/ssl-certs/apache.pem \
--app-server</code>
<br>
Multiple roles can be assigned to a certificate and a optional TTL (time to live). If the certificate already exists in the database file the settings will be overwritten.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/asterisk/keys/asterisk.pem \
--ccm --app-server --ttl 3600</code>
<br>
Certificates can be removed from the database when no longer required. The certificate hash can be specified as prefix to match.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --remove 5dc2c141</code>
<br>
A list of certificates and roles in the database file can be shown.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> ./tvsctl /var/lib/tvs/tvs.sqlite3 --list</code>
<br>
<h2 id="tvsd">tvsd <a href="#tvsd" title="Link">link</a></h2>
The Trust Verification Service requires an RSA key and X509 certificate, if you already have a certificate that can be used instead. Otherwise a new certificate can be generated using <code class="literal">mkcert</code>. See <a href="itl-file-tlv.html">Device Security</a> for more information.<br>
<br>
<code class="command-line"><span class="prompt">~/certutils-X.X$</span> sudo ./mkcert --common "TVS" --organization "TVS" --unit "TVS" \
/var/lib/tvs/tvs.pem</code>
<br>
Add the TVS certificate to <code class="literal">ITLFile.tlv</code> using <code class="literal">tlvfile</code> and restart phones to have them download the new version.<br>
<br>
<code class="command-line"><span class="prompt">~/certutils-X.X$</span> sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
--tvs /var/lib/tvs/tvs.pem ...</code>
<br>
Run the daemon by specifying the path to the database file and the certificate that has the <code class="literal">TVS</code> role. <code class="literal">INSTALL.md</code> has example instructions to run the daemon as a service.<br>
<br>
<code class="command-line"><span class="prompt">~/daemons-X.X$</span> ./tvsd /var/lib/tvs/tvs.sqlite3 --tvs /var/lib/tvs/tvs.pem</code>
<br>
<h2 id="tvsc">tvsc <a href="#tvsc" title="Link">link</a></h2>
<code class="literal">tvsc</code> is a command line client that connects to <code class="literal">tvsd</code> to query the validity of a certificate. This can be used to debug certificate verification failures.
</article>
</main>
<footer>
<span class="icon">copyright</span> Gareth Palmer and individual contributors. Documentation distributed under <a href="LICENSE">CC BY 4.0</a>.
</footer>
</body>
</html>