forked from usecallmanagernz/usecallmanagernz.github.io
itl-file-tlv.html
<!DOCTYPE html>
<html>
<head>
<title>Device Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="shortcut icon" type="image/x-icon" href="favicon.ico">
<link rel="stylesheet" type="text/css" href="includes/theme.css">
<link rel="stylesheet" type="text/css" href="includes/prettify.css">
<script type="text/javascript" src="includes/jquery.js"></script>
<script type="text/javascript" src="includes/prettify.js"></script>
<script type="text/javascript">
jQuery (window).on ("load", function () {
prettyPrint ();
});
</script>
</head>
<body>
<header>
<img src="images/logo.png">
<h2>&lt;<span>proxy</span>&gt;</h2><h1><span>USECALLMANAGER</span>.nz</h1><h2>&lt;/<span>proxy</span>&gt;</h2>
</header>
<main>
<nav>
<ul>
<li><span class="icon">home</span> <a href="document-overview.html">Document Overview</a></li>
<li><span class="icon">build</span> <a href="patching-asterisk.html">Patching Asterisk</a></li>
</ul>
<ul>
<li><h3>Network Configuration</h3></li>
<li><span class="icon">settings_ethernet</span> <a href="dhcpd-conf.html">DHCP Options</a></li>
<li><span class="icon">file_download</span> <a href="apache-conf.html">HTTP Provisioning</a></li>
<li><span class="icon">file_download</span> <a href="tftpd-conf.html">TFTP Provisioning</a></li>
</ul>
<ul>
<li><h3>Phone Configuration</h3></li>
<li><span class="icon">settings_phone</span> <a href="sepmac-cnf-xml.html">SEPMAC.cnf.xml</a></li>
<li><span class="icon">dialpad</span> <a href="dial-template-xml.html">Dial Templates</a></li>
<li><span class="icon">import_contacts</span> <a href="app-dial-rules-xml.html">Application Dial Rules</a></li>
<li><span class="icon">power_input</span> <a href="soft-keys-xml.html">Soft Keys</a></li>
<li><span class="icon">format_list_bulleted</span> <a href="line-keys-xml.html">Line Keys</a></li>
<li><span class="icon">done</span> <a href="feature-policy-xml.html">Feature Policy</a></li>
<li><span class="icon">language</span> <a href="network-locale.html">Network Locale</a></li>
<li><span class="icon">face</span> <a href="user-locale.html">User Locale</a></li>
<li><span class="icon">file_upload</span> <a href="load-information.html">Firmware Load Information</a></li>
<li><span class="icon">wallpaper</span> <a href="image-list-xml.html">Background Images</a></li>
<li><span class="icon">ring_volume</span> <a href="ring-list-xml.html">Ring Tones</a></li>
<li><span class="icon selected">security</span> <b>Device Security</b></li>
<li><span class="icon">vpn_key</span> <a href="vpn-group.html">VPN Connection</a></li>
</ul>
<ul>
<li><h3>Asterisk Configuration</h3></li>
<li><span class="icon">dialer_sip</span> <a href="sip-conf.html">SIP Peers</a></li>
<li><span class="icon">settings_power</span> <a href="sip-notify-conf.html">SIP Notify Commands</a></li>
<li><span class="icon">format_list_numbered</span> <a href="extensions-conf.html">Dialplan Extensions</a></li>
<li><span class="icon">local_parking</span> <a href="res-parking-conf.html">Call Parking</a></li>
<li><span class="icon">code</span> <a href="sippeer-options.html">SIPPEER Options</a></li>
<li><span class="icon">volume_up</span> <a href="rtp-streaming.html">RTP Streaming</a></li>
<li><span class="icon">keyboard_arrow_right</span> <a href="command-line.html">Command Line</a></li>
</ul>
<ul>
<li><h3>XML Services</h3></li>
<li><span class="icon">settings</span> <a href="phone-services-xml.html">Phone Services</a></li>
<li><span class="icon">phone_forwarded</span> <a href="cgi-execute-xml.html">CGI Execute</a></li>
</ul>
<ul>
<li><h3>Additional Features</h3></li>
<li><span class="icon">extension</span> <a href="as-feature-events.html">AS Feature Events</a></li>
</ul>
</nav>
<article>
<h1>Device Security</h1>
The default list of valid X509 certificates is specified in a file called <code class="literal">ITLFile.tlv</code>. These certificates are used to verify SIP-TLS and HTTPS connections and, optionally, to sign configuration files.<br>
<br>
An archive containing the scripts needed to generate X509 certificates and to build <code class="literal">.tlv</code> and <code class="literal">.sgn</code> files can be downloaded from the URL below.<br>
<br>
<span class="icon">file_download</span> <a href="https://github.com/usecallmanagernz/certutils/archive/v2.5.tar.gz">certutils-2.5.tar.gz</a> (16K) <span class="icon">event</span> 29/01/2021 <span class="icon">security</span> SHA256:da620e52e4e982dba8ff000f682fecf4fd6af10d80e0528939fda5b817342ece.<br>
<br>
<h2 id="gencert">gencert</h2>
<code class="literal">gencert</code> is a basic script to generate RSA private keys and sign X509 certificates. If you already have certificates, they can be used instead.<br>
<br>
<b>1.</b> Create a CA (Certificate Authority) certificate valid for 20 years. This will function as the <code class="literal">sast</code> (System Administrator Security Token) certificate.<br>
<br>
<code class="command-line">~/certutils$ ./gencert -r -C "Certificate Authority" -b 2048 -y 20 -o ca.pem</code>
<br>
<b>2.</b> Create a certificate for Asterisk signed by the CA for 1 year. This will function as the <code class="literal">ccm</code> and <code class="literal">tftp</code> certificate.<br>
<br>
<code class="command-line">~/certutils$ ./gencert -c ca.pem -C "Asterisk" -b 2048 -y 1 -o asterisk.pem</code>
<br>
<b>3.</b> Create a certificate for Apache with an EC (elliptic curve) key signed by the CA for 1 year (optional). This will function as a <code class="literal">tftp</code> certificate for HTTPS provisioning.<br>
<br>
<code class="command-line">~/certutils$ ./gencert -c ca.pem -E secp384r1 -C "Apache-EC" -y 1 -o apache-EC.pem</code>
<br>
<b>4.</b> Create a certificate for Apache signed by the CA for 1 year (optional). This will function as an <code class="literal">https</code> certificate.<br>
<br>
<code class="command-line">~/certutils$ ./gencert -c ca.pem -C "Apache" -b 2048 -y 1 -o apache.pem</code>
<br>
<h2 id="tlvfile">tlvfile</h2>
<code class="literal">tlvfile</code> is used to build or parse <code class="literal">.tlv</code> files. Each certificate has a function specifying where it is used, and the same certificate can be included multiple times to provide different functions. Valid functions are listed below.<br>
<br>
<table>
<tbody>
<tr>
<td><b>sast</b></td>
<td>System Administrator Security Token, signs and verifies <code class="literal">.tlv</code> files</td>
</tr>
<tr>
<td><b>ccm</b></td>
<td>Verifies the SIP-TLS connection to Asterisk</td>
</tr>
<tr>
<td><b>tftp</b></td>
<td>Signs and verifies provisioning files downloaded via HTTP, HTTPS or TFTP</td>
</tr>
<tr>
<td><b>ccm+tftp</b></td>
<td>Combined <code class="literal">ccm</code> and <code class="literal">tftp</code> functions</td>
</tr>
<tr>
<td><b>https</b></td>
<td>Verifies HTTPS connections to phone services</td>
</tr>
</tbody>
</table>
<br>
<b>Note</b>: Once a phone has installed a <code class="literal">.tlv</code>, new versions of that file can only be signed by a previously known certificate with the <code class="literal">sast</code> function. A <code class="literal">.tlv</code> can have a maximum of <code class="literal">2</code> certificates with the <code class="literal">sast</code> function.<br>
<br>
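The consequence of the note above is that the <code class="literal">sast</code> CA can only be replaced in two steps: a bridging <code class="literal">.tlv</code> signed by the old CA that lists both old and new as <code class="literal">sast</code>, then a file signed by the new CA that drops the old one. The following is an added example, not part of certutils: it models the phone-side acceptance rule (signed by an already trusted <code class="literal">sast</code> certificate, at most 2 <code class="literal">sast</code> entries, the signer itself listed because <code class="literal">tlvfile</code> always includes it) and walks through that rotation. The fingerprints are constructed placeholders standing in for the SHA-256 fingerprints of real certificates.

```shell
# Added example (not certutils): acceptance rule for a replacement .tlv and the
# two-step sast rotation it forces. Fingerprints below are constructed placeholders.
MAX_SAST=2

# Constructed placeholder fingerprints for ca.pem and its replacement.
OLD_CA="AA:AA:AA"
NEW_CA="BB:BB:BB"

# Does a phone accept a new .tlv?
#   $1 sast fingerprints it currently trusts   $2 signer of the new file
#   $3 sast fingerprints listed in the new file (all lists space separated)
tlv_update_allowed() {
    installed=$1; signer=$2; new_sast=$3
    known=0
    for fp in $installed; do
        [ "$fp" = "$signer" ] && known=1
    done
    [ "$known" -eq 1 ] || return 1        # signer not previously trusted: file is ignored
    set -- $new_sast
    [ "$#" -le "$MAX_SAST" ] || return 1  # more than 2 sast entries: invalid file
    listed=0
    for fp in "$@"; do
        [ "$fp" = "$signer" ] && listed=1
    done
    [ "$listed" -eq 1 ]                   # tlvfile always lists the signer as sast
}

# Rotate the sast CA from $1 to $2 on a phone that trusts only $1.
# Prints the trusted sast set after each accepted file; returns 1 if a file is rejected.
rotate_sast() {
    old=$1; new=$2
    trusted=$old
    # each entry: signer followed by the sast list of that file
    for step in "$old $old $new" "$new $new"; do
        set -- $step
        signer=$1; shift
        tlv_update_allowed "$trusted" "$signer" "$*" || return 1
        trusted=$*
        echo "trusted sast: $trusted"
    done
}

rotate_sast "$OLD_CA" "$NEW_CA"
```

Skipping the bridging file (a <code class="literal">.tlv</code> signed directly by the new CA) is rejected by the rule, which is exactly the situation in which a phone stops accepting updated files and must be reset.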
<b>1.</b> Create an <code class="literal">ITLFile.tlv</code> in the tftpboot provisioning directory. The certificate used to sign the <code class="literal">.tlv</code> file is automatically included as providing the <code class="literal">sast</code> function.<br>
<br>
<code class="command-line">~/certutils$ ./tlvfile -b /var/lib/tftpboot/ITLFile.tlv -c ca.pem \
-r asterisk.pem -f ccm -r apache.pem -f https</code>
<br>
<b>2.</b> Optionally, the default <code class="literal">ITLFile.tlv</code> can be overridden using a file name based on the MAC address of the phone, eg: <code class="literal">ITLSEP58971ECC97C1.tlv</code>.<br>
<br>
<code class="command-line">~/certutils$ ./tlvfile -b /var/lib/tftpboot/ITLSEP58971ECC97C1.tlv -c ca.pem \
-r asterisk1.pem -f ccm -r asterisk2.pem -f ccm -F ITLFile.tlv</code>
<br>
<b>3.</b> Optionally, additional certificates can be included using a file name based on the MAC address of the phone, eg: <code class="literal">CTLSEP58971ECC97C1.tlv</code>.<br>
<br>
<code class="command-line">~/certutils$ ./tlvfile -b /var/lib/tftpboot/CTLSEP58971ECC97C1.tlv -c ca.pem \
-r apache1.pem -f https -r apache2.pem -f https -F CTLFile.tlv</code>
<br>
<b>4.</b> Optionally, use HTTPS provisioning for SEPMAC.cnf.xml and signing for the other configuration files. <b>Note</b>: the certificate used to verify the HTTPS connection must use an EC (Elliptic Curve) key.<br>
<br>
<code class="command-line">~/certutils$ ./tlvfile -b /var/lib/tftpboot/ITLFile.tlv -v 1.1 -c ca.pem \
-r asterisk.pem -f tftp -r apache-EC.pem -f tftp</code>
<br>
<b>5.</b> Enable SIP-TLS mode by setting &lt;<code class="tag">transportLayerProtocol</code>&gt; to <code class="literal">3</code> and setting &lt;<code class="tag">deviceSecurityMode</code>&gt; to either <code class="literal">2</code> (Authenticated) or <code class="literal">3</code> (Encrypted) in <a href="sepmac-cnf-xml.html">SEPMAC.cnf.xml</a>. Optionally, any XML services can be configured to use HTTPS.<br>
<br>
<h2 id="libsrtp">libsrtp</h2>
To use secure (encrypted) RTP <code class="literal">libsrtp</code> must be installed. The latest release is available from the <span class="icon">open_in_browser</span> <a href="https://github.com/cisco/libsrtp/releases" target="_blank">libsrtp GitHub repository</a>.<br>
<br>
<code class="command-line">~/libsrtp-2.3.0$ ./configure --prefix=/usr --enable-openssl
~/libsrtp-2.3.0$ make shared_library
~/libsrtp-2.3.0$ sudo make install</code>
<br>
<h2 id="sgnfile">sgnfile</h2>
<code class="literal">sgnfile</code> is used to build or parse <code class="literal">.sgn</code> files, which are non-firmware files the phone downloads during provisioning with a digital signature added. You only need to sign files if the <code class="literal">tftp</code> function has been included in the phone's <code class="literal">.tlv</code> file.<br>
<br>
<b>1.</b> Sign SEPMAC.cnf.xml, soft-key and dial-plan files.<br>
<br>
<code class="command-line">~/certutils$ ./sgnfile -b /var/lib/tftpboot/SEP58971ECC97C1.cnf.xml -c asterisk.pem
~/certutils$ ./sgnfile -b /var/lib/tftpboot/SoftKeys.xml -c asterisk.pem
~/certutils$ ./sgnfile -b /var/lib/tftpboot/DialTemplate.xml -c asterisk.pem</code>
<br>
<b>2.</b> Sign network and user locale files.<br>
<br>
<code class="command-line">~/certutils$ ./sgnfile -b /var/lib/tftpboot/New_Zealand/g3-tones.xml -c asterisk.pem \
-F New_Zealand/g3-tones.xml.sgn
~/certutils$ ./sgnfile -b /var/lib/tftpboot/New_Zealand/mk-sip.jar -c asterisk.pem \
-F New_Zealand/mk-sip.jar.sgn</code>
<br>
<b>3.</b> Sign ring-tones (optional).<br>
<br>
<code class="command-line">~/certutils$ ./sgnfile -b /var/lib/tftpboot/Ringlist.xml -c asterisk.pem
~/certutils$ ./sgnfile -b /var/lib/tftpboot/Old_Telephone.raw -c asterisk.pem</code>
<br>
<b>4.</b> Sign background images (optional).<br>
<br>
<code class="command-line">~/certutils$ ./sgnfile -b /var/lib/tftpboot/Desktops/320x196x4/List.xml -c asterisk.pem \
-F Desktops/320x196x4/List.xml.sgn
~/certutils$ ./sgnfile -b /var/lib/tftpboot/Desktops/320x196x4/Logo.png -c asterisk.pem \
-F Desktops/320x196x4/Logo.png.sgn
~/certutils$ ./sgnfile -b /var/lib/tftpboot/Desktops/320x196x4/Logo_Preview.png -c asterisk.pem \
-F Desktops/320x196x4/Logo_Preview.png.sgn</code>
</article>
</main>
<footer></footer>
</body>
</html>