Verify a STIR/SHAKEN Certificate

Part of the identity token carried in the SIP Identity header is a reference (the "info" parameter) to the STIR/SHAKEN certificate of the originating carrier.
An identity token looks like the following:
eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9idy1zaGFrZW4tY2VydC1wdWIuczMuYW1xx9uYXdzLmNvbS9iYW5kd2lkdGgtc2hha2VuLWNlcnRfMjAyMzA3MTYucGVtIn0.eyJhdHRlc3QiOiJCIiwiZGVzdCI6eyJ0biI6WyIxNzcwMjk2NTM1OSJdfSwiaWF0IjoxNjY1NDI0MDcxLCJvcmlnIjp7InRuIjoiMTc3MDQ0ODgyMDAifSwib3JpZ2lkIjoiY2Y1NzVkOWYtOGNiMS0zOWMzLWI3N2EtODUyZjJiYTdmNTQ2In0.IIXlVkGpYtP70O-HQQKAv4mqR2_1qqPpDqELS_US1mS0jEcvUnUm2N16HLwlrn0Zne2-UkTl0U3f_IYNO8slvQ;info=<https://certificates.peeringhub.io/123H/123H.crt>;alg=ES256;ppt=shaken
You can download the certificate file from the URL in the "info" field. It is a PEM file made up of one or more BEGIN CERTIFICATE / END CERTIFICATE blocks; the first block is the originating carrier's own certificate, and that is the one the openssl command below decodes.
You can decode the certificate (it is signed, not encrypted) to get the information about the originating carrier with the openssl command:
openssl x509 -text -noout -in cert_file_path
You should get back a response similar to the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:9f:c1:51:13:ee:17:de:aa:da:af:46:80:10:e1:94
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Peeringhub Inc, OU=Certification Authorities, CN=Peeringhub Inc SHAKEN Intermediate CA 2
        Validity
            Not Before: Aug 24 05:05:30 2022 GMT
            Not After : Sep 12 11:11:55 2022 GMT
        Subject: C=US, ST=DE, L=CLAYMONT, O=ABC, CN=ABC SHAKEN 123H
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:62:da:fd:d6:aa:0b:bb:66:04:9c:3b:9b:69:c5:
                    91:ab:ac:69:aa:56:76:85:9c:d6:e8:38:a6:bf:f0:
                    de:b9:bf:0d:dd:12:46:cf:f4cca3:41:a6:ec:2c:34:
                    2f:65:a3:49:84:c6:e9:ed:b0:b7:cd:b4:c3:da:ea:
                    67:9a:e0:97:d2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                C3:5F:9A:F7:1C:7E:dd:6F:3B:bb:BC:cc:F0:DF:4C:39:FD:F7:24:dd
            X509v3 Authority Key Identifier:
                keyid:AE:A1:73:51:88:29:57:22:CA:0C:A9:F4:B1:4A:6E:4E:B8:4B:4D:07
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114569.1.1.1
            1.3.6.1.5.5.7.1.26:
                0.....123H
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:https://authenticate-api.iconectiv.com/download/v1/crl
                CRL Issuer:
                  DirName: L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:f4:5c:16:11:f9:a9:a1:a2:6b:51:7f:f9:0b:
         49:22:33:2d:2d:15:3c:1b:33:b9:91:89:58:09:73:74:48:98:
         dc:02:20:2b:76:67:a3:28:44:60:73:6b:5a:9d:05:a8:b9:b8:
         cc:b4:05:e2:17:6c:6a:bf:f5:bd:59:eb:00:8e:7c:b1:a3
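As an added example (not code from this page or from any of the carriers or CAs it names), the Python below performs the checks a verifier makes on the Identity header before checking the ES256 signature against the downloaded certificate, and decodes the unnamed extension 1.3.6.1.5.5.7.1.26 in the output above (the TNAuthList of RFC 8226, which openssl dumps as "0.....123H") to recover the SPC. The sample header is constructed from the token values shown above with an all-zero placeholder signature, and the 60-second freshness window is an assumed policy; the signature check itself needs an ECDSA library and is not included.

```python
import base64, json

TN_AUTH_LIST_123H = bytes.fromhex("3008a006160431323348")  # constructed DER of id-pe-TNAuthList (1.3.6.1.5.5.7.1.26); openssl dumps it as 0.....123H

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_identity(value: str) -> dict:
    """Split a SIP Identity header value into the PASSporT parts and its parameters."""
    token, *params = value.split(";")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("PASSporT must be header.payload.signature")
    p = {k.strip(): v.strip().strip("<>") for k, _, v in (x.partition("=") for x in params)}
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1])),
            "signature": b64url_decode(parts[2]),  # ES256: raw r || s, not DER
            "signing_input": f"{parts[0]}.{parts[1]}".encode("ascii"),  # bytes the signature covers
            "params": p}

def precheck(ident: dict, now: int, freshness: int = 60) -> list:
    """Checks done before the ES256 signature check; the 60 s freshness window is an assumed policy."""
    h, pl, p = ident["header"], ident["payload"], ident["params"]
    checks = [
        (h.get("alg") == "ES256" == p.get("alg"), "alg must be ES256"),
        (h.get("ppt") == "shaken" == p.get("ppt"), "ppt must be shaken"),
        (h.get("typ") == "passport", "typ must be passport"),
        (str(h.get("x5u")).startswith("https://") and h.get("x5u") == p.get("info"), "x5u must be an HTTPS URI equal to the info parameter"),
        (isinstance(pl.get("iat"), int) and abs(now - pl["iat"]) <= freshness, "iat outside freshness window"),
        (pl.get("attest") in ("A", "B", "C"), "attest must be A, B or C"),
        (len(ident["signature"]) == 64, "ES256 signature must be 64 raw bytes"),
    ]
    return [msg for ok, msg in checks if not ok]

def spc_from_tn_auth_list(der: bytes) -> str:
    """SPC from a DER TNAuthList: SEQUENCE { [0] EXPLICIT IA5String }; only that single-entry form is handled."""
    if (len(der) < 6 or der[0] != 0x30 or der[1] != len(der) - 2 or der[2] != 0xA0
            or der[3] != der[5] + 2 or der[4] != 0x16 or len(der) != der[5] + 6):
        raise ValueError("not a TNAuthList with a single SPC entry")
    return der[6:].decode("ascii")

def sample_identity() -> str:
    """Constructed sample using the page's header/payload values and an all-zero placeholder signature."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    x5u = "https://certificates.peeringhub.io/123H/123H.crt"
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    pl = {"attest": "B", "dest": {"tn": ["17702965359"]}, "iat": 1665424071,
          "orig": {"tn": "17704488200"}, "origid": "cf575d9f-8cb1-39c3-b77a-852f2ba7f546"}
    sig = base64.urlsafe_b64encode(bytes(64)).rstrip(b"=").decode()
    return f"{enc(hdr)}.{enc(pl)}.{sig};info=<{x5u}>;alg=ES256;ppt=shaken"
```

The "signing_input" bytes are what the certificate's public key must verify the raw 64-byte signature over once the pre-checks pass.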