[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
certificateExactMatch
I have committed to CVS HEAD an implementation of certificate equality
match following the model of the expired, but soon to be reissued,
Internet Draft for PKIX LDAP schema. Thanks go to David Chadwick for
the info provided.
Notice that this matching rule, though present in the X.500
series of recommendations as the equality matching rule for
certificates, is not in RFC2256.
Notice also that the assertion syntax for this matching rule is
different to that of the stored values. The assertion syntax is the
concatenation of the serial number and the distinguished name of the
certificate issuer, using a $ as a separator. This means you search
like this:
ldapsearch -x usercertificate="76000 $ CN=Thawte Personal Freemail RSA
Issuer 1998.9.16,OU=Thawte PF RSA IK 1998.9.16 17:55,
O=Thawte Consulting,L=Durbanville,ST=Western Cape,C=ZA" cn
Indexing is provided based on just the serial number, i.e. if you have
many issuers and few serials instead of the other way round, it will
be suboptimal. Is this a problem?
The implementation is based on the parsing capabilitites of OpenSSL
and you will need a recent version to support returning DNs in LDAP
(RFC2253) format.
Last but not least, you would need to add certificateExactMatch
as the EQUALITY matching rule for userCertificate and maybe
caCertificate.
Julio