Trust Verification

The Trust Verification Service (TVS) allows phones to query the validity of a certificate that is not included in ITLFile.tlv on demand. Certificates used for CCM, TFTP, CAPF and APP-SERVER roles can be dynamically provisioned without the phone having to re-download ITLFile.tlv.

To enable use of TVS set <address> and <port> in SEPMAC.cnf.xml and include a certificate with the TVS role in ITLFile.tlv. An archive containing the server and client utilities can be downloaded from the URL below.

daemons-3.2.tar.gz (28K) 05/03/2023 SHA256: e499cf6338397c323db120cc52da9361a98f3ab091d686fe783de1032ea32be6

tvsctl

The tvsctl utility is used to manage the database file used by tvsd. The following adds certificates used for CCM and APP-SERVER roles to a database file in /var/lib/tvs.

~/daemons-X.X$ sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/asterisk/keys/asterisk.pem \
    --ccm

~/daemons-X.X$ sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/apache2/ssl-certs/apache.pem \
    --app-server

Multiple roles can be assigned to a certificate, along with an optional TTL (time to live). If the certificate already exists in the database file, its existing settings are overwritten.

~/daemons-X.X$ sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --add /etc/asterisk/keys/asterisk.pem \
    --ccm --app-server --ttl 3600

Certificates can be removed from the database when no longer required. The certificate hash can be specified as a prefix to match.

~/daemons-X.X$ sudo --user tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --remove 5dc2c141
A list of certificates and roles in the database file can be shown.

~/daemons-X.X$ ./tvsctl /var/lib/tvs/tvs.sqlite3 --list
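To make the database semantics described above concrete (roles per certificate, an optional TTL, overwrite on re-add, removal by hash prefix, and the lookup tvsd answers for a phone), here is an added example in Python. It is not tvsctl's or tvsd's own code. It assumes, because the page does not say, that the certificate hash is the SHA-256 of the DER encoding, that the database is a single sqlite3 table, and that a hash prefix matching more than one certificate is rejected rather than applied to all of them; the stand-in "DER" byte strings are constructed, not real certificates.

```python
"""Added example: an in-memory model of the TVS database semantics described on
this page and of the lookup the phone triggers through tvsd.

Assumptions, not documented on the page: the certificate hash is SHA-256 of the
DER encoding, the database is one sqlite3 table, and an ambiguous hash prefix
is rejected. This is not tvsctl's or tvsd's own code.
"""
import hashlib
import sqlite3
import time

# Roles the page says TVS can provision on demand.
ROLES = ("ccm", "tftp", "capf", "app-server")


def cert_hash(der: bytes) -> str:
    """Hex SHA-256 over the DER bytes (assumed hashing scheme)."""
    return hashlib.sha256(der).hexdigest()


class TrustStore:
    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS certs ("
            "hash TEXT PRIMARY KEY, der BLOB NOT NULL, "
            "roles TEXT NOT NULL, expires REAL)"
        )

    def add(self, der: bytes, roles, ttl=None, now=None) -> str:
        """Add or overwrite a certificate with its roles; returns its hash."""
        roles = set(roles)
        unknown = roles - set(ROLES)
        if unknown:
            raise ValueError(f"unknown role(s): {sorted(unknown)}")
        if not roles:
            raise ValueError("at least one role is required")
        now = time.time() if now is None else now
        expires = None if ttl is None else now + ttl
        h = cert_hash(der)
        # INSERT OR REPLACE gives the "settings are overwritten" behaviour.
        self.db.execute(
            "INSERT OR REPLACE INTO certs VALUES (?, ?, ?, ?)",
            (h, der, ",".join(sorted(roles)), expires),
        )
        return h

    def remove(self, prefix: str) -> str:
        """Remove the single certificate whose hash starts with prefix."""
        if not all(c in "0123456789abcdef" for c in prefix):
            raise ValueError("prefix must be lowercase hex")
        rows = self.db.execute(
            "SELECT hash FROM certs WHERE hash LIKE ?", (prefix + "%",)
        ).fetchall()
        if len(rows) != 1:
            raise LookupError(f"prefix {prefix!r} matches {len(rows)} certificates")
        self.db.execute("DELETE FROM certs WHERE hash = ?", (rows[0][0],))
        return rows[0][0]

    def list(self):
        """(hash, roles, expires) for every stored certificate."""
        return [
            (h, roles.split(","), expires)
            for h, roles, expires in self.db.execute(
                "SELECT hash, roles, expires FROM certs ORDER BY hash"
            )
        ]

    def verify(self, der: bytes, role: str, now=None) -> bool:
        """The question tvsd answers: is this exact certificate trusted for role?"""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT roles, expires FROM certs WHERE hash = ?", (cert_hash(der),)
        ).fetchone()
        if row is None:
            return False
        roles, expires = row
        if expires is not None and now >= expires:
            return False  # TTL elapsed: the phone must treat it as untrusted
        return role in roles.split(",")


def demo():
    """Walk through the page's tvsctl sequence on constructed stand-in bytes."""
    asterisk = b"constructed stand-in for asterisk.pem DER"  # not a real cert
    apache = b"constructed stand-in for apache.pem DER"      # not a real cert
    store = TrustStore()
    store.add(asterisk, ["ccm"], now=1000.0)
    store.add(apache, ["app-server"], now=1000.0)
    # Re-adding with more roles and a TTL overwrites the earlier entry.
    h = store.add(asterisk, ["ccm", "app-server"], ttl=3600, now=1000.0)
    ok_before = store.verify(asterisk, "app-server", now=2000.0)
    ok_after = store.verify(asterisk, "app-server", now=4600.0)
    store.remove(h[:8])
    return ok_before, ok_after, [r[0] for r in store.list()]


if __name__ == "__main__":
    print(demo())
```

The `now` parameter exists so the TTL behaviour can be exercised deterministically; in normal use it defaults to the wall clock. Refusing an ambiguous prefix in `remove` is this example's choice, made so that a short prefix can never silently drop a certificate other than the one intended.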

tvsd

The Trust Verification Service requires an RSA key and an X.509 certificate. If you already have a suitable certificate it can be used instead; otherwise a new certificate can be generated using mkcert. See Device Security for more information.

~/certutils-X.X$ sudo ./mkcert --common "TVS" --organization "TVS" --unit "TVS" \
    /var/lib/tvs/tvs.pem
Add the TVS certificate to ITLFile.tlv using tlvfile and restart phones to have them download the new version.

~/certutils-X.X$ sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
    --tvs /var/lib/tvs/tvs.pem ...
Run the daemon by specifying the path to the database file and the certificate that has the TVS role. INSTALL.md has example instructions to run the daemon as a service.

~/daemons-X.X$ ./tvsd /var/lib/tvs/tvs.sqlite3 --tvs /var/lib/tvs/tvs.pem

tvsc

tvsc is a command line client that connects to tvsd to query the validity of a certificate. This can be used to debug certificate verification failures.