Verify a STIR/SHAKEN Certificate

Part of the identity token included in the SIP Identity header is a reference (the "info" parameter) to the STIR/SHAKEN certificate of the originating carrier.

An identity token looks like the following:

eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9idy1zaGFrZW4tY2VydC1wdWIuczMuYW1xx9uYXdzLmNvbS9iYW5kd2lkdGgtc2hha2VuLWNlcnRfMjAyMzA3MTYucGVtIn0.eyJhdHRlc3QiOiJCIiwiZGVzdCI6eyJ0biI6WyIxNzcwMjk2NTM1OSJdfSwiaWF0IjoxNjY1NDI0MDcxLCJvcmlnIjp7InRuIjoiMTc3MDQ0ODgyMDAifSwib3JpZ2lkIjoiY2Y1NzVkOWYtOGNiMS0zOWMzLWI3N2EtODUyZjJiYTdmNTQ2In0.IIXlVkGpYtP70O-HQQKAv4mqR2_1qqPpDqELS_US1mS0jEcvUnUm2N16HLwlrn0Zne2-UkTl0U3f_IYNO8slvQ;info=<https://certificates.peeringhub.io/123H/123H.crt>;alg=ES256;ppt=shaken

You can download the certificate file from the URL in the "info" field; its content is a PEM certificate chain similar to the following:

-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body omitted)
-----END CERTIFICATE-----

You can decode the certificate to get the information about the originating carrier using the OpenSSL command below (note that openssl x509 only prints the first certificate of a file that contains a chain):

openssl x509 -text -noout -in cert_file_path

You should get back a response similar to the following:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:9f:c1:51:13:ee:17:de:aa:da:af:46:80:10:e1:94
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, O=Peeringhub Inc, OU=Certification Authorities, CN=Peeringhub Inc SHAKEN Intermediate CA 2
        Validity
            Not Before: Aug 24 05:05:30 2022 GMT
            Not After : Sep 12 11:11:55 2022 GMT
        Subject: C=US, ST=DE, L=CLAYMONT, O=ABC, CN=ABC SHAKEN 123H
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:62:da:fd:d6:aa:0b:bb:66:04:9c:3b:9b:69:c5:
                    91:ab:ac:69:aa:56:76:85:9c:d6:e8:38:a6:bf:f0:
                    de:b9:bf:0d:dd:12:46:cf:f4cca3:41:a6:ec:2c:34:
                    2f:65:a3:49:84:c6:e9:ed:b0:b7:cd:b4:c3:da:ea:
                    67:9a:e0:97:d2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                C3:5F:9A:F7:1C:7E:dd:6F:3B:bb:BC:cc:F0:DF:4C:39:FD:F7:24:dd
            X509v3 Authority Key Identifier: 
                keyid:AE:A1:73:51:88:29:57:22:CA:0C:A9:F4:B1:4A:6E:4E:B8:4B:4D:07

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114569.1.1.1

            1.3.6.1.5.5.7.1.26: 
                0.....123H
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:https://authenticate-api.iconectiv.com/download/v1/crl
                CRL Issuer:
                  DirName: L = Bridgewater, ST = NJ, CN = STI-PA CRL, C = US, O = STI-PA

    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:f4:5c:16:11:f9:a9:a1:a2:6b:51:7f:f9:0b:
         49:22:33:2d:2d:15:3c:1b:33:b9:91:89:58:09:73:74:48:98:
         dc:02:20:2b:76:67:a3:28:44:60:73:6b:5a:9d:05:a8:b9:b8:
         cc:b4:05:e2:17:6c:6a:bf:f5:bd:59:eb:00:8e:7c:b1:a3
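As an added example (not code from this page or from Peeringhub), the following stdlib-only Python parses an Identity header of the shape shown above into its PASSporT parts, runs the claim checks a verification service performs before trusting the attestation, and converts the raw r||s JWS signature into the DER form that openssl can verify with the public key taken from the decoded certificate. The sample header is constructed here with the claims of the page's token and a placeholder signature; the rule set and the 60 s iat freshness window are assumptions.

```python
import base64, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_identity(header: str) -> dict:
    """Split a SIP Identity header value into the decoded PASSporT and its ;-separated parameters."""
    jws, *raw_params = header.strip().split(";")
    params = {k: v.strip("<>") for k, v in (kv.split("=", 1) for kv in raw_params)}  # info=<url>
    h, p, sig = jws.split(".")
    return {"header": json.loads(b64url_decode(h)), "payload": json.loads(b64url_decode(p)),
            "signing_input": f"{h}.{p}".encode(),  # the bytes the ES256 signature covers
            "signature": b64url_decode(sig), "params": params}

def check_claims(tok: dict, now=None, max_age: int = 60) -> list:
    """Structural checks on a SHAKEN PASSporT; returns the problems found (empty list = OK).
    The signature is verified separately (see raw_to_der); the 60 s freshness window is assumed."""
    hdr, pl, prm = tok["header"], tok["payload"], tok["params"]
    now = int(time.time()) if now is None else now
    rules = [
        (hdr.get("alg") == "ES256" == prm.get("alg"), "alg must be ES256 in JWS header and Identity params"),
        (hdr.get("ppt") == "shaken" == prm.get("ppt"), "ppt must be shaken in JWS header and Identity params"),
        (hdr.get("typ") == "passport", "typ must be passport"),
        (hdr.get("x5u") == prm.get("info"), "x5u must equal the info parameter"),
        (pl.get("attest") in ("A", "B", "C"), "attest must be A, B or C"),
        (bool(pl.get("orig", {}).get("tn")) and bool(pl.get("dest", {}).get("tn")), "orig.tn and dest.tn required"),
        (isinstance(pl.get("iat"), int) and abs(now - pl["iat"]) <= max_age, f"iat not within {max_age}s of now"),
        (len(tok["signature"]) == 64, "ES256 signature must be 64 bytes (r || s)"),
    ]
    return [msg for ok, msg in rules if not ok]

def raw_to_der(sig: bytes) -> bytes:
    """Convert the JWS r||s signature into the DER SEQUENCE that `openssl dgst -sha256 -verify` expects."""
    def der_int(n: int) -> bytes:
        body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra 0x00 when the high bit is set
        return b"\x02" + bytes([len(body)]) + body
    body = der_int(int.from_bytes(sig[:32], "big")) + der_int(int.from_bytes(sig[32:], "big"))
    return b"\x30" + bytes([len(body)]) + body

def build_sample(now: int) -> str:
    """Constructed Identity header carrying the claims of the token on this page; the signature is a placeholder."""
    info = "https://certificates.peeringhub.io/123H/123H.crt"
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": info}
    pl = {"attest": "B", "dest": {"tn": ["17702965359"]}, "iat": now, "orig": {"tn": "17704488200"}}
    h, p = (b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (hdr, pl))
    return f"{h}.{p}.{b64url_encode(bytes(range(64)))};info=<{info}>;alg=ES256;ppt=shaken"
```

To check the signature, write `signing_input` and the DER signature to files, extract the key with `openssl x509 -in 123H.crt -pubkey -noout > pub.pem`, and run `openssl dgst -sha256 -verify pub.pem -signature sig.der input.bin`. A full verification also validates the chain up to the STI-CA root and checks that the TNAuthList extension (OID 1.3.6.1.5.5.7.1.26, printed raw by openssl above) carries the SPC of the originating carrier.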
