PRSM

validate_stir_shaken_identity

Active

Tool of Sipflow

declared in 0.2.0

[cost: external_io (HTTPS fetch of the x5u cert) | read-only] Verify a SIP `Identity:` JWS (RFC 8224 / SHAKEN). Fetches the x5u certificate, parses it, verifies the ES256 signature against the cert's public key, and optionally validates the RCD icon hash (RFC 9795). The icon-hash check accepts both `payload.rcdi["/icn"]` (RFC 9795 §6.1 spec form) and the legacy `payload.rcdi["icn"]` form deployed in the wild - the legacy form raises a warning unless `strictRfc9795: true` (then it fails). Returns per-check pass/fail/warning with details - useful for diagnosing 438 Invalid Identity Header rejections, expired certs, and tampered PASSporTs. Pair with: `stir_attestation_explainer` for the human-readable A/B/C interpretation; `lookup_response_code(438)` for the SIP-side context; `lint_sip_request` for non-cryptographic structural checks on the host INVITE.

Parameters schema

{
  "type": "object",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "required": [
    "headerB64",
    "payloadB64",
    "signatureB64"
  ],
  "properties": {
    "rcdi": {
      "type": "object",
      "description": "Full `payload.rcdi` claim. The validator looks up `/icn` first (RFC 9795 §6.1 spec form), then falls back to the legacy `icn` key (still seen in the wild). A legacy hit produces a `rcdi-pointer-form` warning unless `strictRfc9795: true` (then it fails).",
      "additionalProperties": {
        "type": "string"
      }
    },
    "iconUrl": {
      "type": "string",
      "format": "uri",
      "description": "RCD icon URL - `payload.rcd.icn`. Omit if no Rich Call Data icon."
    },
    "infoUrl": {
      "type": "string",
      "format": "uri",
      "description": "Cert URL from the SIP Identity header `info=` param (or the JWT `x5u`). If omitted, signature verification is skipped."
    },
    "headerB64": {
      "type": "string",
      "minLength": 1,
      "description": "Base64url-encoded JWS protected header (the first dot-separated segment)."
    },
    "payloadB64": {
      "type": "string",
      "minLength": 1,
      "description": "Base64url-encoded JWS payload (the second segment)."
    },
    "signatureB64": {
      "type": "string",
      "minLength": 1,
      "description": "Base64url-encoded ES256 signature (the third segment, raw R||S, 64 bytes)."
    },
    "strictRfc9795": {
      "type": "boolean",
      "description": "When true, reject the legacy `rcdi['icn']` key as a hard failure rather than warning. Default false."
    },
    "expectedIconHash": {
      "type": "string",
      "description": "Pre-extracted icon hash, e.g. `sha256-XYZ` (RFC 9795 §6.1 form `<algorithm>-<base64>`). Pass this OR `rcdi`."
    }
  },
  "additionalProperties": false
}
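An added example (not Sipflow's code) showing how an `Identity:` header value maps onto the parameters above, together with the checks that need no network access and the `/icn`-then-`icn` lookup the description spells out. The function names, the `absent` status and the `x5uMatchesInfo` comparison are assumptions made for illustration; the sample header is constructed.

```javascript
// Added example, not Sipflow code; helper names are hypothetical.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fromB64u = (s) => Buffer.from(s, "base64url");

// Split an RFC 8224 Identity header value: <jws>;info=<cert-url>;alg=...;ppt=...
function splitIdentityHeader(value) {
  const seg = value.split(";")[0].trim().split(".");
  // The schema requires all three segments to be non-empty (minLength 1).
  if (seg.length !== 3 || seg.some((s) => s === "")) {
    throw new Error("expected a three-segment JWS with no empty segment");
  }
  const info = /;\s*info\s*=\s*<([^>]+)>/i.exec(value);
  return { headerB64: seg[0], payloadB64: seg[1], signatureB64: seg[2],
           infoUrl: info ? info[1] : undefined };
}

// Spec key "/icn" first, then legacy "icn"; a legacy hit warns unless strict.
// This only resolves which key supplies the hash; it does not hash the icon.
function resolveIconHash(rcdi, strictRfc9795 = false) {
  if (rcdi && typeof rcdi["/icn"] === "string") return { status: "pass", hash: rcdi["/icn"] };
  if (rcdi && typeof rcdi.icn === "string") {
    return { status: strictRfc9795 ? "fail" : "warning",
             check: "rcdi-pointer-form", hash: rcdi.icn };
  }
  return { status: "absent" }; // assumption: label for "no icon hash supplied"
}

// Build the tool arguments and run the checks that need no network access.
function preflight(identityValue, strictRfc9795 = false) {
  const p = splitIdentityHeader(identityValue);
  const header = JSON.parse(fromB64u(p.headerB64).toString("utf8"));
  const payload = JSON.parse(fromB64u(p.payloadB64).toString("utf8"));
  const args = { ...p, strictRfc9795, rcdi: payload.rcdi,
                 iconUrl: payload.rcd && payload.rcd.icn };
  return { args,
           algIsEs256: header.alg === "ES256",
           sigIs64Bytes: fromB64u(p.signatureB64).length === 64, // raw R||S
           x5uMatchesInfo: header.x5u === p.infoUrl, // extra check added here
           icon: resolveIconHash(payload.rcdi, strictRfc9795) };
}

// Constructed sample: placeholder URLs and hash, all-zero bytes as signature.
const CERT = "https://cert.example.org/sti.pem";
const SAMPLE = [
  b64u({ alg: "ES256", ppt: "rcd", typ: "passport", x5u: CERT }),
  b64u({ rcd: { icn: "https://img.example.org/logo.png" }, rcdi: { icn: "sha256-CONSTRUCTED" } }),
  Buffer.alloc(64).toString("base64url"),
].join(".") + `;info=<${CERT}>;alg=ES256;ppt=rcd`;
```

The all-zero signature in `SAMPLE` passes the length check only; it would fail the ES256 verification the tool performs after fetching the certificate.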

What this tool wraps: 0 endpoints


No endpoints wrapped at confidence ≥ 0.70.

Parent server

Sipflow

https://github.com/cmendes0101/sipflow-cursor-plugin

1/7 registries