(ITS#7221) Support private keys in PKCS #8 in slapd when linked with gnutls
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#7221) Support private keys in PKCS #8 in slapd when linked with gnutls
- From: komyagin@altell.ru
- Date: Tue, 3 Apr 2012 14:12:04 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Alexander Komyagin
Version: 2.4.23
OS: Debian Squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (178.16.156.18)
Hi! I found out that when slapd is linked with gnutls, it fails to parse the private
key on startup if the key is given in PKCS #8 form (TLS init def ctx failed:
-207).
The problem is in the tlsg_ctx_init() function (tls_g.c), which calls
gnutls_x509_privkey_import() from gnutls. But gnutls_x509_privkey_import() is
designed to support only RSA/DSA keys, while for PKCS #8
gnutls_x509_privkey_import_pkcs8() shall be used.
I think that incorporating such an enhancement into slapd would make it even better
(for example, some popular commands like "openssl req" generate keys in PKCS #8)
:) Especially since such an enhancement can be done in a few lines of code (just
like certtool does):
    /* Unless the caller said the key is PKCS #8, try the traditional
     * RSA/DSA PEM import first. */
    if (!info.pkcs8)
        ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);

    /* If we failed to import the key previously (the PEM header was not
     * one gnutls_x509_privkey_import() understands), try PKCS #8. */
    if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
    {
        /* first try to import the key without asking any password */
        ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
                                                info.incert_format,
                                                NULL, GNUTLS_PKCS_PLAIN);
        if (ret < 0)
        {
            /* the key is encrypted: use the supplied password or prompt for one */
            if (info.pass)
                pass = info.pass;
            else
                pass = get_pass ();
            ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
                                                    info.incert_format,
                                                    pass, 0);
        }
    }
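The certtool logic above lets GnuTLS discover the key format by failing on the PEM header (GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) and then retrying with the PKCS #8 routine. The following is an added example, not code from this report, from OpenLDAP or from GnuTLS: a small PEM header classifier that tells ahead of time whether a key file is traditional RSA/DSA/EC PEM (what gnutls_x509_privkey_import() accepts), unencrypted PKCS #8, or encrypted PKCS #8 (both needing gnutls_x509_privkey_import_pkcs8(), the latter with a password). The BEGIN labels are the standard ones from RFC 7468; the function and type names are my own, and the sample keys in main() are constructed placeholders with no real key material.

```c
/* Added example: classify a PEM private key by its BEGIN label so a caller
 * (or an admin debugging "TLS init def ctx failed: -207") can see which
 * GnuTLS import routine applies. Not part of OpenLDAP or GnuTLS. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum pem_key_kind {
    PEM_KEY_NONE = 0,        /* no "-----BEGIN " line found at all */
    PEM_KEY_TRADITIONAL,     /* RSA/DSA/EC PRIVATE KEY: gnutls_x509_privkey_import() */
    PEM_KEY_PKCS8_PLAIN,     /* PRIVATE KEY: import_pkcs8() with GNUTLS_PKCS_PLAIN */
    PEM_KEY_PKCS8_ENCRYPTED, /* ENCRYPTED PRIVATE KEY: import_pkcs8() with a password */
    PEM_KEY_OTHER            /* some other PEM label, e.g. CERTIFICATE */
};

static const char BEGIN_MARK[] = "-----BEGIN ";

/* Scan the buffer line by line (RFC 7468 permits explanatory text before the
 * first BEGIN line) and classify the first encapsulation label found. */
enum pem_key_kind classify_pem_key(const char *buf, size_t len)
{
    const char *p = buf, *end = buf + len;
    const size_t mlen = sizeof(BEGIN_MARK) - 1;

    while (p < end) {
        if ((size_t)(end - p) >= mlen && memcmp(p, BEGIN_MARK, mlen) == 0) {
            const char *label = p + mlen;
            /* the label ends at the first '-' of the closing "-----" */
            const char *dash = memchr(label, '-', (size_t)(end - label));
            if (dash == NULL)
                return PEM_KEY_NONE;   /* truncated header line */
            size_t llen = (size_t)(dash - label);

            if (llen == 11 && memcmp(label, "PRIVATE KEY", 11) == 0)
                return PEM_KEY_PKCS8_PLAIN;
            if (llen == 21 && memcmp(label, "ENCRYPTED PRIVATE KEY", 21) == 0)
                return PEM_KEY_PKCS8_ENCRYPTED;
            if ((llen == 15 && memcmp(label, "RSA PRIVATE KEY", 15) == 0) ||
                (llen == 15 && memcmp(label, "DSA PRIVATE KEY", 15) == 0) ||
                (llen == 14 && memcmp(label, "EC PRIVATE KEY", 14) == 0))
                return PEM_KEY_TRADITIONAL;
            return PEM_KEY_OTHER;
        }
        /* not a BEGIN line: move to the start of the next line */
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return PEM_KEY_NONE;
}

/* True when the key must go through gnutls_x509_privkey_import_pkcs8(),
 * i.e. when gnutls_x509_privkey_import() alone would fail with -207. */
int needs_pkcs8_import(enum pem_key_kind kind)
{
    return kind == PEM_KEY_PKCS8_PLAIN || kind == PEM_KEY_PKCS8_ENCRYPTED;
}

int main(void)
{
    /* constructed samples: headers only, the base64 body is a placeholder */
    const char *samples[] = {
        "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
        "Key for slapd\n-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n",
        "this file is not PEM at all\n",
    };
    static const char *names[] = { "none", "traditional", "pkcs8-plain",
                                   "pkcs8-encrypted", "other" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum pem_key_kind k = classify_pem_key(samples[i], strlen(samples[i]));
        printf("sample %zu: %s (pkcs8 import needed: %s)\n",
               i, names[k], needs_pkcs8_import(k) ? "yes" : "no");
    }
    return 0;
}
```

Run against the actual file from slapd's TLSCertificateKeyFile to confirm whether the -207 failure is the PKCS #8 case described in this report before changing anything else in the configuration.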