Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication

[Dan White <dwhite@olp.net>]

On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
> It seems that this special configuration is not possible.
> Trying to set the key will always result in
>
> TLS: could not use key file `xyz'.
> TLS: error:02001002:system library:fopen:No such file or directory 
> bss_file.c:398
> TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
> TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system 
> lib ssl_rsa.c:648
>
> The ldap code has to be adjusted to use a key or certificate from a 
> configured pkcs#11 keystore.
>
> Is there another way to accomplish that?

You might give GnuTLS a try, since you can specify the engine in the
private key string:

p11tool --login --list-all

private key format (tls_key=) example:
  pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;id=%01;object=Signature%20key;object-type=private

If your HSM requires a PIN, you may have to hard code it within that
string.

--
Dan White