Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication
After I managed to connect to the LDAP server with gnutls-cli (with a
PKCS#11 URI containing a pinfile attribute), I tried to set those
PKCS#11 URIs in the ldaprc settings TLS_KEY and TLS_CERT. But these
settings are handled as PEM-encoded files (see function tlsg_ctx_init in
tls_g.c), and connection initialization fails trying to read the
PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client
to look up the PKCS#11 store for the client key as well as the client
certificate to establish a client-authenticated TLS connection.
Greetings,
Stefan Scheidewig
On Monday, 17 June 2013 17:31:46, Dan White wrote:
On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
It seems that this special configuration is not possible.
Trying to set the key will always result in
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
The ldap code has to be adjusted to use a key or certificate from a
configured pkcs#11 keystore.
Is there another way to accomplish that?
You might give GnuTLS a try, since you can specify the engine in the
private key string:
p11tool --login --list-all
private key format (tls_key=) example:
pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;id=%01;object=Signature%20key;object-type=private
If your HSM requires a PIN, you may have to hard code it within that
string.
--
Kind regards,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com
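As an added configuration check (written for this archive page, not code from the thread or from OpenLDAP), the script below reads an ldaprc and reports which TLS_KEY / TLS_CERT values OpenLDAP can actually open: since tls_g.c handles both settings as PEM files, a pkcs11: URI is flagged up front instead of surfacing as "could not use key file" at connect time, and missing or non-PEM files are reported too. The sample ldaprc, the PEM file and the PKCS#11 URI in it are constructed for the demonstration.

```shell
# Added check (constructed example, not OpenLDAP code): report whether the
# TLS_KEY / TLS_CERT values in an ldaprc are something OpenLDAP can open.
# OpenLDAP's tls_g.c reads both settings as PEM files, so a PKCS#11 URI
# (pkcs11:...) is flagged here rather than failing at connect time.

# Classify one value: pkcs11-uri | missing-file | not-pem | pem-file
classify_tls_path() {
  case "$1" in
    pkcs11:*) echo "pkcs11-uri"; return 0 ;;
  esac
  [ -f "$1" ] || { echo "missing-file"; return 0; }
  if grep -q -- '-----BEGIN ' "$1"; then
    echo "pem-file"
  else
    echo "not-pem"
  fi
}

# Scan a config file; print "KEYWORD classification value" per TLS_KEY/TLS_CERT.
# ldap.conf syntax: keyword, whitespace, value; '#' lines are comments; keywords
# are case-insensitive, so they are upper-cased before matching.
check_ldaprc() {
  while read -r key value || [ -n "$key" ]; do
    case "$key" in ''|'#'*) continue ;; esac
    ukey=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
    case "$ukey" in
      TLS_KEY|TLS_CERT)
        printf '%s %s %s\n' "$ukey" "$(classify_tls_path "$value")" "$value" ;;
    esac
  done < "$1"
}

# Build a constructed sample: a PEM certificate file plus an ldaprc that
# points TLS_KEY at a PKCS#11 URI (the configuration the thread tried).
make_sample_ldaprc() {
  dir=$(mktemp -d)
  cat > "$dir/client.pem" <<EOF
-----BEGIN CERTIFICATE-----
MIIB(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
EOF
  cat > "$dir/ldaprc" <<EOF
# constructed example: certificate from a file, key from the smart card
TLS_CERT $dir/client.pem
tls_key pkcs11:token=Example;object=Signature%20key;object-type=private
EOF
  echo "$dir/ldaprc"
}

check_ldaprc "$(make_sample_ldaprc)"
```

Expected report for the sample: the TLS_CERT line is classified as pem-file and the TLS_KEY line as pkcs11-uri, the value OpenLDAP would try to fopen as a path.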