Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication
Hello,

you were right. The only way to get the PKCS#11 access working was to patch the tls_g.c file to use gnutls_certificate_set_x509_key_file instead of gnutls_certificate_set_x509_key. The former function also handles PKCS#11 URIs, so the tlsg_get_file function is obsolete.

After applying the patch the smart card access was successful. The way to get this access working was a working p11-kit configuration and the configuration of the PKCS#11 URIs for TLS_CERT and TLS_KEY (here you can use the GnuTLS program p11tool to find out the PKCS#11 URIs). If you append the pinfile attribute to the end of the URI (provided the pin file callback patch has been applied: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=c1eddcfe663b9e3cb9a411f855e00f49811ff205), you don't have to type in the PIN anymore (here it is necessary that the pin file has no end-of-line character).

Greetings,
Stefan Scheidewig
On 24.06.2013 19:47, Howard Chu wrote:
Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM-encoded files (see function tlsg_ctx_init in tls_g.c) and a connection initialization fails trying to read the PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client to look up the PKCS#11 store for the client key as well as the client certificate to establish a client-authenticated TLS connection.
If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss (--with-tls=moznss). Never tried that myself though.
Or submit appropriate GnuTLS or OpenSSL patches to add the feature.
--
Kind regards,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software Developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com
T-Systems Multimedia Solutions GmbH
Supervisory board: Klaus Werner (chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
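As an added example (not OpenLDAP's or GnuTLS's code, and not part of the mail above), here is a small Python checker for the configuration the thread describes: it parses pkcs11: URIs in the RFC 7512 form that p11tool prints, accepts the pinfile query attribute from the referenced GnuTLS patch as well as RFC 7512's pin-source, and checks the pin file for the trailing end-of-line byte the message warns about, plus a file mode that exposes the PIN to other users. The ldaprc contents, pin files, token and object labels are constructed placeholders; real labels come from p11tool --list-all.

```python
"""Checks for PKCS#11 URIs used as TLS_CERT / TLS_KEY in an ldaprc.

Added example, not OpenLDAP or GnuTLS code. A pin file that ends in a
newline hands the card "1234\n" instead of "1234", which is the failure
mode the thread describes; a group/world-readable pin file leaks the PIN.
"""
import os
import stat
import tempfile
from urllib.parse import unquote


def parse_ldaprc(text):
    """Return {KEY: value} for 'KEY value' lines, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key.upper()] = value.strip()
    return settings


def _attrs(segment, sep):
    """Split 'k=v<sep>k=v' into a dict, percent-decoding values (p11tool encodes spaces)."""
    attrs = {}
    for item in segment.split(sep):
        if item:
            key, _, value = item.partition("=")
            attrs[key] = unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI (RFC 7512) into (path attributes, query attributes)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("%r is not a PKCS#11 URI (a plain file path?)" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _attrs(path, ";"), _attrs(query, "&")


def pin_file_problems(path):
    """List what is wrong with a pin file; an empty list means it is usable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["pin file %s does not exist" % path]
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("pin file %s is accessible by group/others" % path)
    with open(path, "rb") as fh:
        data = fh.read()
    if not data:
        problems.append("pin file %s is empty" % path)
    elif data[-1:] in (b"\n", b"\r"):
        problems.append("pin file %s ends with an end-of-line character" % path)
    return problems


def check_tls_setting(name, uri):
    """Check one TLS_CERT or TLS_KEY value that is meant to be a PKCS#11 URI."""
    try:
        path_attrs, query_attrs = parse_pkcs11_uri(uri)
    except ValueError as err:
        return ["%s: %s" % (name, err)]
    problems = []
    if "object" not in path_attrs and "id" not in path_attrs:
        problems.append("%s: URI names neither an object label nor an id" % name)
    expected = "cert" if name == "TLS_CERT" else "private"
    actual = path_attrs.get("type", expected)
    if actual != expected:
        problems.append("%s: type=%s, expected type=%s" % (name, actual, expected))
    pin = query_attrs.get("pinfile") or query_attrs.get("pin-source")
    if pin:
        if pin.startswith("file:"):      # RFC 7512 pin-source may be a file: URI
            pin = pin[len("file:"):]
        problems.extend(pin_file_problems(pin))
    return problems


def check_ldaprc(text):
    """Run the checks over TLS_CERT and TLS_KEY of an ldaprc given as text."""
    settings = parse_ldaprc(text)
    problems = []
    for key in ("TLS_CERT", "TLS_KEY"):
        if key not in settings:
            problems.append("%s is not set" % key)
        else:
            problems.extend(check_tls_setting(key, settings[key]))
    return problems


def demo():
    """Constructed ldaprc texts and pin files; returns the two problem lists."""
    tmp = tempfile.mkdtemp()
    good, bad = os.path.join(tmp, "pin.good"), os.path.join(tmp, "pin.bad")
    with open(good, "wb") as fh:
        fh.write(b"1234")            # constructed PIN, no trailing newline
    os.chmod(good, 0o600)
    with open(bad, "wb") as fh:
        fh.write(b"1234\n")          # what `echo 1234 > pinfile` produces
    os.chmod(bad, 0o644)
    # Token and object labels are placeholders, not from a real card.
    uri = "pkcs11:token=Demo%20Card;object=auth;type={typ}?pinfile={pin}"
    ldaprc_ok = "# constructed ldaprc\nTLS_CERT {}\nTLS_KEY {}\n".format(
        uri.format(typ="cert", pin=good), uri.format(typ="private", pin=good))
    ldaprc_bad = "TLS_CERT /etc/ssl/client.pem\nTLS_KEY {}\n".format(
        uri.format(typ="private", pin=bad))
    return {"ok": check_ldaprc(ldaprc_ok), "bad": check_ldaprc(ldaprc_bad)}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "no problems found")
```

The "bad" ldaprc mixes a PEM path with a PKCS#11 URI, which is exactly the situation the unpatched tlsg_ctx_init cannot handle, and its pin file was written with a shell redirect, so it carries the newline the message says must not be there; the checker reports both before libldap ever talks to the card.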