
Re: OpenLDAP Proxy using PKCS#11/SmartCard client authentication



After I recompiled OpenLDAP to use the Mozilla NSS framework (a quite complicated process - see http://www.openldap.org/faq/data/cache/196.html) I created a new certificate database directory structure and added the PKCS#11 module of my smartcard with modutil (but without specifying any mechanisms). According to http://www.openldap.org/faq/data/cache/1514.html I configured the ldaprc to point to the certificate directory (TLS_CACERTDIR), using the appropriate client certificate for authentication (TLS_CERT, <tokenname>:<certificate nickname> value) and pointing to the pin file with TLS_KEY (I believe this only works if OpenLDAP is compiled with RETRIEVE_PASSWORD_FROM_FILE set).

But unfortunately a search request call with ldapsearch fails, because the key for the certificate cannot be found. During the debug session one can see that the certificate is loaded from the smartcard but the lookup for the associated private key fails (i.e. the NSS function PK11_FindKeyByDERCert returns null).

Does anyone know if I have to make any Mozilla NSS related adjustments at this point to make the key lookup work?

On Tuesday, 25 June 2013 06:26:10, Stefan Scheidewig wrote:
Looks promising. For instance the function PK11_FindKeyByDERCert in tls_m.c. I will try it with this one.

On 24.06.2013 18:26, Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute) I tried to set those PKCS#11 URIs to the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM encoded files (see function tlsg_ctx_init in tls_g.c) and a connection initialization fails trying to read the PKCS#11 URI from the local file system.

So currently there seems to be no way to configure the OpenLDAP client to look up the PKCS#11 store for the client key as well as the client certificate to establish a client authenticated TLS connection.

If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss
(--with-tls=moznss). Never tried that myself though.

Ciao, Michael.

--
Kind regards,

Stefan Scheidewig

T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com

T-Systems Multimedia Solutions GmbH
Supervisory board: Klaus Werner (Chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
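The setup steps described in the post above (NSS cert DB, smartcard module via modutil, ldaprc with TLS_CACERTDIR / TLS_CERT / TLS_KEY), collected into one script with a certutil check for the key-lookup failure. This is an added example, not code from the thread; the paths, token name, nickname, module library and the `tokenname:PIN` line format of the pin file are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): prepare an NSS cert DB for a smartcard
# PKCS#11 module and emit the ldaprc lines a moznss-built OpenLDAP client needs.
# Assumed: paths, token name, nickname, module .so, "tokenname:PIN" pin-file lines.
set -euo pipefail

# Render the three ldaprc lines. TLS_CERT uses the <token>:<nickname> form;
# TLS_KEY names the PIN file (needs OpenLDAP built with RETRIEVE_PASSWORD_FROM_FILE).
render_ldaprc() {   # $1=certdb dir $2=token $3=cert nickname $4=pin file
    printf 'TLS_CACERTDIR %s\nTLS_CERT %s:%s\nTLS_KEY %s\n' "$1" "$2" "$3" "$4"
}

# One "token:PIN" line per token (assumed format of the moznss pin file).
render_pinfile() {  # $1=token $2=PIN
    printf '%s:%s\n' "$1" "$2"
}

# The PIN is a secret: create the file owner-readable only.
write_pinfile() {   # $1=path $2=token $3=PIN
    ( umask 077; render_pinfile "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Create the cert DB and register the smartcard's PKCS#11 module (no mechanisms given).
setup_certdb() {    # $1=certdb dir $2=module name $3=pkcs11 .so path
    mkdir -p "$1"
    certutil -N -d "$1" --empty-password
    modutil -dbdir "$1" -add "$2" -libfile "$3" -force
    modutil -dbdir "$1" -list
}

# Check for the failure in the post: if certutil cannot list a private key on the
# token, OpenLDAP's PK11_FindKeyByDERCert lookup will not find one either.
check_token() {     # $1=certdb dir $2=token $3=file holding the bare PIN
    certutil -d "$1" -L -h "$2"            # certificates (nicknames) on the token
    certutil -d "$1" -K -h "$2" -f "$3"    # private keys on the token
}

if [ "${1:-}" = "setup" ]; then   # usage: ./nss-smartcard.sh setup
    CERTDB=/etc/openldap/certdb; TOKEN="MyCard"; NICK="client-cert"; PIN="123456"
    setup_certdb "$CERTDB" "SmartCard" /usr/lib/opensc-pkcs11.so
    write_pinfile /etc/openldap/pin.txt "$TOKEN" "$PIN"
    BARE=$(mktemp); printf '%s\n' "$PIN" > "$BARE"   # certutil -f wants the bare PIN
    check_token "$CERTDB" "$TOKEN" "$BARE"; rm -f "$BARE"
    render_ldaprc "$CERTDB" "$TOKEN" "$NICK" /etc/openldap/pin.txt >> ~/.ldaprc
    ldapsearch -ZZ -H ldap://ldap.example.com -b "" -s base -d 1   # -d 1 shows the TLS steps
fi
```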