
Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication



Hello,

You were right. The only way to get the PKCS#11 access working was to patch the tls_g.c file to use gnutls_certificate_set_x509_key_file instead of gnutls_certificate_set_x509_key. The former function also handles PKCS#11 URIs, so the tlsg_get_file function is obsolete.

After applying the patch the smart card access was successful. The way to get this access working was a working p11-kit configuration and the configuration of the PKCS#11 URIs for TLS_CERT and TLS_KEY (here you can use the GnuTLS program p11tool to find out the PKCS#11 URIs). If you append the pinfile attribute to the end of the URI (provided the pin file callback patch has been applied: http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=c1eddcfe663b9e3cb9a411f855e00f49811ff205 ) you don't have to type in the PIN anymore (here it is necessary that the pin file has no end-of-line character).

Greetings,
Stefan Scheidewig

On 24.06.2013 19:47, Howard Chu wrote:
Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM encoded files (see function tlsg_ctx_init in tls_g.c) and a connection initialization fails trying to read the PKCS#11 URI from the local file system.

So currently there seems to be no way to configure the OpenLDAP client to look up the PKCS#11 store for the client key as well as the client certificate to establish a client authenticated TLS connection.

If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss
(--with-tls=moznss). Never tried that myself though.

Or submit appropriate GnuTLS or OpenSSL patches to add the feature.




--
Kind regards,

Stefan Scheidewig

T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com

T-Systems Multimedia Solutions GmbH
Supervisory board: Klaus Werner (chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
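The thread's point is that the unpatched tls_g.c hands every TLS_CERT / TLS_KEY value to tlsg_get_file, which tries to open it as a PEM file, so a pkcs11: URI fails before GnuTLS ever sees it; the patched build dispatches URIs to the URI-capable loader instead, and a pinfile attribute on the key URI supplies the PIN, which must be stored without a trailing end-of-line. The following Python script is an added example written for this page, not code from OpenLDAP or GnuTLS. It reads a constructed ldaprc snippet, decides for each TLS setting whether it is a PKCS#11 URI or a file path, parses the URI attributes (accepting the attribute in either the ";"-separated path part or the "?"-query part, since the mail does not say which position the pinfile attribute uses, an assumption), and validates a pin file the way a deployment check would: non-empty, no end-of-line, not readable by group or others. The token and object names and the /run/ldap/pin path are constructed sample values.

```python
"""Pre-flight checks for ldaprc TLS_CERT / TLS_KEY values that are PKCS#11 URIs.

Added example for the mailing-list thread above; not OpenLDAP or GnuTLS code.
"""
import os
import tempfile
from urllib.parse import unquote

# Constructed sample ldaprc; token/object names and the pin path are made up.
SAMPLE_LDAPRC = """\
# constructed sample, not a real deployment
TLS_CACERT /etc/ssl/certs/ca.pem
TLS_CERT pkcs11:model=SmartCard;token=ExampleToken;object=client-cert;type=cert
TLS_KEY  pkcs11:model=SmartCard;token=ExampleToken;object=client-key;type=private;pinfile=/run/ldap/pin
"""


def parse_ldaprc(text):
    """Return {KEYWORD: value} for an ldaprc body (keyword, whitespace, value)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def is_pkcs11_uri(value):
    return value.lower().startswith("pkcs11:")


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into an attribute dict.

    Path attributes are ';'-separated, query attributes (after '?') are
    '&'-separated; both are percent-decoded.  Assumption: a pinfile attribute
    may appear in either part, so both are collected.
    """
    if not is_pkcs11_uri(uri):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, val = part.partition("=")
        attrs[key] = unquote(val)
    for part in filter(None, query.split("&")):
        key, _, val = part.partition("=")
        attrs[key] = unquote(val)
    return attrs


def classify_tls_setting(value):
    """Dispatch the way the patched tls_g.c must: ('pkcs11', attrs) for a URI,
    ('file', path) for anything else.  The unpatched tlsg_get_file would try
    to open the URI string as a file and fail."""
    if is_pkcs11_uri(value):
        return "pkcs11", parse_pkcs11_uri(value)
    return "file", value


def validate_pin_bytes(data):
    """Return None if the pin file content is acceptable, else a reason."""
    if not data:
        return "pin file is empty"
    if data.endswith((b"\n", b"\r")):
        return "pin file ends with an end-of-line character"
    return None


def check_pinfile(path):
    """Return (ok, message) for the pin file named by a pinfile attribute."""
    with open(path, "rb") as handle:
        data = handle.read()
    reason = validate_pin_bytes(data)
    if reason:
        return False, reason
    if os.name == "posix":
        mode = os.stat(path).st_mode & 0o777
        if mode & 0o077:
            return False, "pin file mode %o is readable by group/others" % mode
    return True, "ok"


def demo_pinfile(pin_bytes):
    """Write pin_bytes to a private temp file (mode 0600) and check it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, pin_bytes)
        os.close(fd)
        os.chmod(path, 0o600)
        return check_pinfile(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for keyword, value in parse_ldaprc(SAMPLE_LDAPRC).items():
        print(keyword, classify_tls_setting(value))
    print("PIN without newline:", demo_pinfile(b"1234"))
    print("PIN with newline:   ", demo_pinfile(b"1234\n"))
```

Run it as-is to see the dispatch decision per setting and the two pin-file verdicts; in a real deployment the pinfile path would come from the parsed TLS_KEY attributes and be passed to check_pinfile before starting the client.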