Trust Verification

The Trust Verification Service (TVS) allows phones to query the validity of a certificate that is not included in ITLFile.tlv on demand. Certificates used for CCM, TFTP and APP-SERVER roles can be dynamically provisioned without the phone having to re-download ITLFile.tlv.

To enable use of TVS set <address> and <port> in SEPMAC.cnf.xml and include a certificate with the TVS role in ITLFile.tlv. An archive containing the server and client utilities can be downloaded from the URL below.

daemons-1.8.tar.gz (23K), 07/09/2021, SHA256: b74a9ae680a0fe1da9f2e3ecad9e732673573630f71348e1baa8f42322cca240
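Before unpacking the archive, check it against the digest published above. The following is an added example and not part of the daemons package; it assumes that sha256sum, shasum or openssl is available on the path, and the expected digest is the one given for daemons-1.8.tar.gz on this page.

```shell
#!/bin/sh
# Added example (not part of the daemons package): verify the downloaded
# archive against the SHA256 published on this page before unpacking it.
# Expected digest copied from the page for daemons-1.8.tar.gz.
EXPECTED_SHA256="b74a9ae680a0fe1da9f2e3ecad9e732673573630f71348e1baa8f42322cca240"

# sha256_of FILE: print the hex SHA256 of FILE using whichever tool is
# available (sha256sum on Linux, shasum on macOS/BSD, openssl as a fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_archive FILE EXPECTED: return 0 only if FILE exists and its digest
# matches EXPECTED (compared case-insensitively); otherwise report the
# mismatch on stderr and return 1 so nothing is unpacked.
verify_archive() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ ! -f "$file" ]; then
    echo "missing file: $file" >&2
    return 1
  fi
  actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
  if [ "$actual" != "$expected" ]; then
    echo "SHA256 mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  echo "SHA256 verified: $file"
}

# Typical use: verify first, unpack only on success.
# verify_archive daemons-1.8.tar.gz "$EXPECTED_SHA256" && tar -xzf daemons-1.8.tar.gz
```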

tvsctl

The tvsctl utility is used to manage the database file used by tvsd. The following adds certificates used for CCM and APP-SERVER roles to a database file in /var/lib/tvs.

~/daemons-X.X$ sudo -u tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --insert /etc/asterisk/keys/asterisk.pem --ccm
~/daemons-X.X$ sudo -u tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --insert /etc/apache2/ssl-certs/apache.pem --app-server

Certificates can be assigned multiple roles and an optional TTL (time to live). If the certificate already exists in the database file its settings are overwritten.

~/daemons-X.X$ sudo -u tvs ./tvsctl /var/lib/tvs/tvs.sqlite3 --insert /etc/asterisk/keys/asterisk.pem --ccm --app-server --ttl 3600

A list of the certificates and roles in the database file can be shown.

~/daemons-X.X$ ./tvsctl /var/lib/tvs/tvs.sqlite3 --list

tvsd

The Trust Verification Service requires an RSA key and X.509 certificate. If you already have a suitable certificate it can be used; otherwise a new certificate can be generated using mkcert. See Device Security for more information.

~/certutils-X.X$ sudo ./mkcert --common "TVS" --organization "TVS" /var/lib/tvs/tvs.pem

Add the TVS certificate to ITLFile.tlv using tlvfile and restart the phones so they download the new version.

~/certutils-X.X$ sudo ./tlvfile --build /var/lib/tftpboot/ITLFile.tlv --sast /etc/ssl/private/sast.pem \
    --tvs /var/lib/tvs/tvs.pem ...

Run the daemon by specifying the path to the database file and the certificate that has the TVS role. INSTALL.md has example instructions for running the daemon as a service.

~/daemons-X.X$ ./tvsd /var/lib/tvs/tvs.sqlite3 --tvs /var/lib/tvs/tvs.pem

tvsc

tvsc is a command line client that connects to tvsd to query the validity of a certificate. This can be used to debug certificate verification failures.