
Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication



After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute) I tried to set those PKCS#11 URIs in the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM-encoded files (see function tlsg_ctx_init in tls_g.c), and the connection initialization fails trying to read the PKCS#11 URI from the local file system.

So currently there seems to be no way to configure the OpenLDAP client to look up the pkcs#11 store for the client key as well as the client certificate to establish a client authenticated TLS connection.

Greetings,
Stefan Scheidewig

On Monday, 17 June 2013 17:31:46, Dan White wrote:
On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
It seems that this special configuration is not possible.
Trying to set the key will always result in

TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648

The ldap code has to be adjusted to use a key or certificate from a
configured pkcs#11 keystore.

Is there another way to accomplish that?

You might give GnuTLS a try, since you can specify the engine in the
private key string:

p11tool --login --list-all

private key format (tls_key=) example:

pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;id=%01;object=Signature%20key;object-type=private


If your HSM requires a PIN, you may have to hard code it within that
string.




--
Kind regards,

Stefan Scheidewig

T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com

T-Systems Multimedia Solutions GmbH
Supervisory board: Klaus Werner (Chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
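As an added example (not code from the thread, from OpenLDAP or from GnuTLS), a small Python parser for the kind of TLS_KEY/TLS_CERT value the thread is about. It tells a PEM file path apart from a pkcs11: URI, percent-decodes the URI attributes following the RFC 7512 syntax (the `object-type` and `pinfile` attributes that appear in the thread are the older GnuTLS spellings and are treated here as assumptions), and reports the configuration risk Dan's suggestion implies: a PIN hard-coded into the URI string sits in the clear in ldaprc. The URI is the one quoted in the thread; the PIN variants and the file paths below are constructed sample inputs.

```python
"""Classify the TLS_KEY / TLS_CERT values discussed in the thread.

Added example; not OpenLDAP or GnuTLS code. Assumes the PKCS#11 URI syntax of
RFC 7512 ("pkcs11:" scheme, ';'-separated path attributes, '?'-introduced and
'&'-separated query attributes, percent-encoding) plus the older GnuTLS
attributes "object-type" and "pinfile" used in the thread.
"""
import os
from urllib.parse import unquote, unquote_to_bytes

SCHEME = "pkcs11:"
# A PIN given in the clear (RFC 7512 "pin-value") versus a reference to a file
# that holds the PIN (RFC 7512 "pin-source"; "pinfile" is the older GnuTLS name).
PIN_INLINE = {"pin-value"}
PIN_FILE = {"pin-source", "pinfile"}

# Constructed sample values; the first is the URI quoted in the thread.
THREAD_URI = ("pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;"
              "serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;"
              "id=%01;object=Signature%20key;object-type=private")
PIN_IN_URI = THREAD_URI + "?pin-value=123456"          # constructed, PIN in the clear
PIN_FROM_FILE = THREAD_URI + "?pinfile=/etc/ldap/pin"  # constructed, PIN read from a file
PEM_PATH = "/etc/ldap/client.key"                      # constructed path


def is_pkcs11_uri(value: str) -> bool:
    """True when the setting is a PKCS#11 URI rather than a file path."""
    return value.lower().startswith(SCHEME)


def _split_attrs(part: str, sep: str) -> dict:
    """Split 'k=v<sep>k=v' into a dict, removing percent-encoding."""
    attrs = {}
    for item in part.split(sep):
        if not item:
            continue
        key, _, raw = item.partition("=")
        key = unquote(key)
        # "id" is binary per RFC 7512; keep it as bytes, decode everything else as text.
        attrs[key] = unquote_to_bytes(raw) if key == "id" else unquote(raw)
    return attrs


def parse_pkcs11_uri(uri: str) -> tuple:
    """Return (path_attributes, query_attributes) of a pkcs11: URI."""
    if not is_pkcs11_uri(uri):
        raise ValueError("not a pkcs11: URI")
    body = uri[len(SCHEME):]
    path_part, _, query_part = body.partition("?")
    return _split_attrs(path_part, ";"), _split_attrs(query_part, "&")


def classify_tls_setting(value: str, file_exists=os.path.exists) -> dict:
    """Describe how a TLS_KEY/TLS_CERT value will be treated and flag config risks.

    "kind" is "pkcs11" or "file"; "attrs" holds the parsed URI attributes
    (empty for a file); "warnings" lists the findings.
    """
    warnings = []
    if not is_pkcs11_uri(value):
        if not file_exists(value):
            warnings.append("file does not exist: %s" % value)
        return {"kind": "file", "attrs": {}, "warnings": warnings}

    path, query = parse_pkcs11_uri(value)
    attrs = dict(path, **query)
    # A backend that only understands PEM files (the tlsg_ctx_init behaviour the
    # thread describes) will fopen() the literal URI string and fail.
    warnings.append("PKCS#11 URI: a PEM-file-only TLS backend will fail to open it")
    inline = PIN_INLINE & set(attrs)
    if inline:
        warnings.append("PIN stored in the clear in configuration via %s" % sorted(inline))
    pin_files = PIN_FILE & set(attrs)
    if pin_files:
        warnings.append("PIN read from file referenced by %s; restrict that file's permissions"
                        % sorted(pin_files))
    if "object" not in attrs and "id" not in attrs:
        warnings.append("no object or id attribute: URI may match more than one key")
    return {"kind": "pkcs11", "attrs": attrs, "warnings": warnings}


if __name__ == "__main__":
    for setting in (THREAD_URI, PIN_IN_URI, PIN_FROM_FILE, PEM_PATH):
        result = classify_tls_setting(setting)
        print(result["kind"], result["attrs"].get("object"), result["warnings"])
```

Running the module prints one line per sample: the three URIs classify as `pkcs11` with the PEM-backend warning, the `pin-value` variant additionally reports the in-the-clear PIN, and the file path reports only whether it exists.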