validate_stir_shaken_identity
ActiveTool of Sipflow
[cost: external_io (HTTPS fetch of the x5u cert) | read-only] Verify a SIP `Identity:` JWS (RFC 8224 / SHAKEN). Fetches the x5u certificate, parses it, verifies the ES256 signature against the cert's public key, and optionally validates the RCD icon hash (RFC 9795). The icon-hash check accepts both `payload.rcdi["/icn"]` (RFC 9795 §6.1 spec form) and the legacy `payload.rcdi["icn"]` form deployed in the wild - the legacy form raises a warning unless `strictRfc9795: true` (then it fails). Returns per-check pass/fail/warning with details - useful for diagnosing 438 Invalid Identity Header rejections, expired certs, and tampered PASSporTs. Pair with: `stir_attestation_explainer` for the human-readable A/B/C interpretation; `lookup_response_code(438)` for the SIP-side context; `lint_sip_request` for non-cryptographic structural checks on the host INVITE.
Parameters schema
{
  "type": "object",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "required": [
    "headerB64",
    "payloadB64",
    "signatureB64"
  ],
  "properties": {
    "rcdi": {
      "type": "object",
      "description": "Full `payload.rcdi` claim. The validator looks up `/icn` first (RFC 9795 §6.1 spec form), then falls back to the legacy `icn` key (still seen in the wild). A legacy hit produces an `rcdi-pointer-form` warning unless `strictRfc9795: true` (then it fails).",
      "additionalProperties": {
        "type": "string"
      }
    },
    "iconUrl": {
      "type": "string",
      "format": "uri",
      "description": "RCD icon URL - `payload.rcd.icn`. Omit if no Rich Call Data icon."
    },
    "infoUrl": {
      "type": "string",
      "format": "uri",
      "description": "Cert URL from the SIP Identity header `info=` param (or the JWT `x5u`). If omitted, signature verification is skipped."
    },
    "headerB64": {
      "type": "string",
      "minLength": 1,
      "description": "Base64url-encoded JWS protected header (the first dot-separated segment)."
    },
    "payloadB64": {
      "type": "string",
      "minLength": 1,
      "description": "Base64url-encoded JWS payload (the second segment)."
    },
    "signatureB64": {
      "type": "string",
      "minLength": 1,
      "description": "Base64url-encoded ES256 signature (the third segment, raw R||S, 64 bytes)."
    },
    "strictRfc9795": {
      "type": "boolean",
      "description": "When true, reject the legacy `rcdi['icn']` key as a hard failure rather than warning. Default false."
    },
    "expectedIconHash": {
      "type": "string",
      "description": "Pre-extracted icon hash, e.g. `sha256-XYZ` (RFC 9795 §6.1 form `<algorithm>-<base64>`). Pass this OR `rcdi`."
    }
  },
  "additionalProperties": false
}
No endpoints wrapped at confidence ≥ 0.50.
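The two non-cryptographic steps the description and schema cover, splitting an RFC 8224 `Identity:` value into the three JWS segments plus its `info=` parameter, and the RFC 9795 icon-hash check with the `/icn` versus legacy `icn` lookup and `strictRfc9795` semantics, as an added stdlib-only example written for this page (not the Sipflow tool's own code). ES256 verification against the fetched certificate is out of scope here; the sample icon bytes, the `cert.example` URL and the `c2ln` signature segment are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample icon (not a real image); example code for this page, not Sipflow's.
SAMPLE_ICON = b"\x89PNG\r\n\x1a\n constructed-icon-bytes"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWS segment, restoring the '=' padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def icon_hash(icon: bytes, algorithm: str = "sha256") -> str:
    """RFC 9795 section 6.1 form '<algorithm>-<base64 digest>' over the icon bytes."""
    digest = hashlib.new(algorithm, icon).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode()}"

def parse_identity_header(value: str) -> dict:
    """Split an RFC 8224 Identity header into its JWS segments and ;-parameters (info=, alg=, ppt=)."""
    jws, *params = value.split(";")
    header_b64, payload_b64, signature_b64 = jws.strip().split(".")
    kv = dict(p.strip().split("=", 1) for p in params if "=" in p)
    return {"headerB64": header_b64, "payloadB64": payload_b64, "signatureB64": signature_b64,
            "infoUrl": kv.get("info", "").strip("<>"),
            "payload": json.loads(b64url_decode(payload_b64))}

def check_icon_hash(rcdi: dict, icon: bytes, strict_rfc9795: bool = False) -> dict:
    """Per-check result {status: pass|fail|warning, detail}: '/icn' first, legacy 'icn' second."""
    if "/icn" in rcdi:
        expected, warning = rcdi["/icn"], None
    elif "icn" in rcdi:
        if strict_rfc9795:
            return {"status": "fail", "detail": "legacy rcdi['icn'] rejected by strictRfc9795"}
        expected, warning = rcdi["icn"], "rcdi-pointer-form: legacy 'icn' key, expected '/icn'"
    else:
        return {"status": "fail", "detail": "rcdi has neither '/icn' nor 'icn'"}
    algorithm = expected.partition("-")[0]
    if algorithm not in ("sha256", "sha384", "sha512"):
        return {"status": "fail", "detail": f"unsupported icon digest algorithm {algorithm!r}"}
    # Constant-time compare; a mismatch means the served icon is not the one the signer committed to.
    if not hmac.compare_digest(icon_hash(icon, algorithm), expected):
        return {"status": "fail", "detail": "icon digest does not match the signed rcdi value"}
    return {"status": "warning" if warning else "pass", "detail": warning or "icon digest matches"}

def sample_identity_header(rcdi: dict) -> str:
    """Constructed Identity header value; the 'c2ln' signature segment is a placeholder, not verified here."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header, payload = enc(b'{"alg":"ES256","ppt":"rcd","typ":"passport"}'), enc(json.dumps({"attest": "A", "rcdi": rcdi}).encode())
    return f"{header}.{payload}.c2ln;info=<https://cert.example/sp.pem>;alg=ES256;ppt=rcd"
```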
Parent server
Sipflow
https://github.com/cmendes0101/sipflow-cursor-plugin