
Re: (ITS#7221) Support private keys in PKCS #8 in slapd when linked with gnutls



komyagin@altell.ru wrote:
> Full_Name: Alexander Komyagin
> Version: 2.4.23
> OS: Debian Squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (178.16.156.18)
>
>
> Hi! I found out that when slapd is linked with gnutls, it fails to parse the
> private key on startup if the key is given in PKCS #8 form (TLS init def ctx
> failed: -207).
>
> The problem is in the tlsg_ctx_init() function (tls_g.c), which calls
> gnutls_x509_privkey_import() from gnutls. But gnutls_x509_privkey_import() is
> designed to support only RSA/DSA keys, while for PKCS #8
> gnutls_x509_privkey_import_pkcs8() shall be used.
>
> I think that incorporating such an enhancement into slapd would make it even
> better (for example, some popular commands like "openssl req" generate keys in
> PKCS #8) :) Especially when such an enhancement can be done in a few lines of
> code (just like certtool does):

Please read http://www.openldap.org/devel/contributing.html and submit an 
actual patch if you want this suggestion to be considered.

> if (!info.pkcs8)
>     ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);
>
> /* If we failed to import the certificate previously try PKCS #8 */
> if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
> {
>     /* first try to import the key without asking any password */
>     ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
>                                             info.incert_format,
>                                             NULL, GNUTLS_PKCS_PLAIN);
>     if (ret < 0)
>     {
>         if (info.pass)
>             pass = info.pass;
>         else
>             pass = get_pass ();
>         ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
>                                                 info.incert_format,
>                                                 pass, 0);
>     }
> }
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
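The certtool fragment quoted in the report relies on gnutls_x509_privkey_import() failing with GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR when the PEM label is not one of the traditional "RSA PRIVATE KEY"/"DSA PRIVATE KEY" headers, and only then retrying with gnutls_x509_privkey_import_pkcs8(). The following is an added example, not code from OpenLDAP, certtool or gnutls: it inspects a key file's PEM boundary line up front so a TLS setup routine can decide which importer to call (or log which format it found instead of a bare "-207"). The function and enum names (classify_private_key, key_kind, key_kind_name) and the sample buffers are constructed for this example; the sample PEM bodies are placeholders, not real key material, since only the header is inspected.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical classification of a private-key file, chosen so the caller knows
 * whether gnutls_x509_privkey_import() (traditional RSA/DSA PEM) or
 * gnutls_x509_privkey_import_pkcs8() (PKCS #8, plain or encrypted) applies. */
enum key_kind {
    KEY_UNKNOWN = 0,     /* no PEM boundary found and not DER */
    KEY_TRADITIONAL,     /* -----BEGIN RSA|DSA|EC PRIVATE KEY----- */
    KEY_PKCS8_PLAIN,     /* -----BEGIN PRIVATE KEY----- */
    KEY_PKCS8_ENCRYPTED, /* -----BEGIN ENCRYPTED PRIVATE KEY----- */
    KEY_DER              /* binary DER (leading SEQUENCE tag); format not
                            distinguishable without decoding, so a caller
                            would try both importers */
};

/* True when `label` (rem bytes) reads exactly "<want>-----". */
static int label_is(const char *label, size_t rem, const char *want)
{
    size_t n = strlen(want);
    return rem >= n + 5 && memcmp(label, want, n) == 0
        && memcmp(label + n, "-----", 5) == 0;
}

/* Scan a key file line by line for the first PEM pre-encapsulation boundary.
 * Text before it (e.g. "Bag Attributes" lines emitted by openssl pkcs12) is
 * skipped, which is also what gnutls does. Returns the detected kind. */
enum key_kind classify_private_key(const unsigned char *buf, size_t len)
{
    const char *p = (const char *)buf;
    const char *end = p + len;

    if (len == 0)
        return KEY_UNKNOWN;
    /* Both PrivateKeyInfo (PKCS #8) and RSAPrivateKey DER start with SEQUENCE. */
    if (buf[0] == 0x30)
        return KEY_DER;

    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t linelen = nl ? (size_t)(nl - p) : (size_t)(end - p);

        if (linelen >= 11 && memcmp(p, "-----BEGIN ", 11) == 0) {
            const char *label = p + 11;
            size_t rem = linelen - 11;

            if (label_is(label, rem, "ENCRYPTED PRIVATE KEY"))
                return KEY_PKCS8_ENCRYPTED;
            if (label_is(label, rem, "PRIVATE KEY"))
                return KEY_PKCS8_PLAIN;
            if (label_is(label, rem, "RSA PRIVATE KEY")
                || label_is(label, rem, "DSA PRIVATE KEY")
                || label_is(label, rem, "EC PRIVATE KEY"))
                return KEY_TRADITIONAL;
            return KEY_UNKNOWN; /* some other PEM object, e.g. a certificate */
        }
        p = nl ? nl + 1 : end;
    }
    return KEY_UNKNOWN;
}

/* Human-readable name for log messages. */
const char *key_kind_name(enum key_kind k)
{
    switch (k) {
    case KEY_TRADITIONAL:     return "traditional RSA/DSA/EC PEM";
    case KEY_PKCS8_PLAIN:     return "PKCS #8 (unencrypted) PEM";
    case KEY_PKCS8_ENCRYPTED: return "PKCS #8 (encrypted) PEM";
    case KEY_DER:             return "DER";
    default:                  return "unrecognised";
    }
}

/* Constructed sample inputs: headers only matter, bodies are placeholders. */
static const char SAMPLE_PKCS8[] =
    "-----BEGIN PRIVATE KEY-----\nMIIB...placeholder...\n-----END PRIVATE KEY-----\n";
static const char SAMPLE_PKCS8_ENC[] =
    "Bag Attributes\n    localKeyID: 01\n"
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIC...placeholder...\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n";
static const char SAMPLE_RSA[] =
    "-----BEGIN RSA PRIVATE KEY-----\r\nMIIE...placeholder...\r\n-----END RSA PRIVATE KEY-----\r\n";
static const unsigned char SAMPLE_DER[] = { 0x30, 0x82, 0x01, 0x00 };

int main(void)
{
    printf("%s\n", key_kind_name(classify_private_key(
        (const unsigned char *)SAMPLE_PKCS8, sizeof SAMPLE_PKCS8 - 1)));
    printf("%s\n", key_kind_name(classify_private_key(
        (const unsigned char *)SAMPLE_PKCS8_ENC, sizeof SAMPLE_PKCS8_ENC - 1)));
    printf("%s\n", key_kind_name(classify_private_key(
        (const unsigned char *)SAMPLE_RSA, sizeof SAMPLE_RSA - 1)));
    printf("%s\n", key_kind_name(classify_private_key(SAMPLE_DER, sizeof SAMPLE_DER)));
    return 0;
}
```

A startup routine in the spirit of the report would call classify_private_key() on the loaded key file and pick gnutls_x509_privkey_import_pkcs8() for the two PKCS #8 kinds (passing GNUTLS_PKCS_PLAIN first, then a password only if the encrypted kind was detected), keep gnutls_x509_privkey_import() for the traditional kind, and for DER try the traditional importer followed by the PKCS #8 one, exactly the fallback order certtool uses.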