komyagin@altell.ru wrote:
Full_Name: Alexander Komyagin
Version: 2.4.23
OS: Debian Squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (178.16.156.18)
Hi! I found out that when slapd is linked with gnutls, it fails to parse the private key on startup if it is given in PKCS #8 form (TLS init def ctx failed: -207).
The problem is in the tlsg_ctx_init() function (tls_g.c), which calls gnutls_x509_privkey_import() from gnutls. But gnutls_x509_privkey_import() is designed to support only RSA/DSA keys, while for PKCS #8 gnutls_x509_privkey_import_pkcs8() shall be used.
I think that incorporating such an enhancement into slapd would make it even better (for example, some popular commands like "openssl req" generate keys in PKCS #8) :) Especially since such an enhancement can be done in a few lines of code (just like certtool does):
Please read http://www.openldap.org/devel/contributing.html and submit an actual patch if you want this suggestion to be considered.
    if (!info.pkcs8)
        ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);

    /* If we failed to import the certificate previously try PKCS #8 */
    if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) {
        /* first try to import the key without asking any password */
        ret = gnutls_x509_privkey_import_pkcs8 (key, &pem, info.incert_format,
                                                NULL, GNUTLS_PKCS_PLAIN);
        if (ret < 0) {
            if (info.pass)
                pass = info.pass;
            else
                pass = get_pass ();
            ret = gnutls_x509_privkey_import_pkcs8 (key, &pem, info.incert_format,
                                                    pass, 0);
        }
    }
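The certtool snippet above discovers the key format by letting gnutls_x509_privkey_import() fail with GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR. An alternative a TLS-init routine can use is to look at the PEM BEGIN label first and then call the matching gnutls import function. The classifier below is an added example written for this report, not code from slapd, tls_g.c or certtool; the enum and function names are hypothetical, and the gnutls calls themselves (gnutls_x509_privkey_import() for the traditional case, gnutls_x509_privkey_import_pkcs8() with GNUTLS_PKCS_PLAIN or a password for the PKCS #8 cases) are left to the caller so the block compiles without gnutls.

```c
#include <stddef.h>
#include <string.h>

/* Classification of a PEM-encoded private key by its BEGIN label
 * (hypothetical names for this example). */
typedef enum {
    PEM_KEY_UNKNOWN = 0,
    PEM_KEY_TRADITIONAL,     /* "RSA/DSA/EC PRIVATE KEY": gnutls_x509_privkey_import() */
    PEM_KEY_PKCS8_PLAIN,     /* "PRIVATE KEY": import_pkcs8() with GNUTLS_PKCS_PLAIN */
    PEM_KEY_PKCS8_ENCRYPTED  /* "ENCRYPTED PRIVATE KEY": import_pkcs8() with a password */
} pem_key_kind;

/* Inspect only the first "-----BEGIN ...-----" line; the base64 body is never
 * touched, so a malformed or truncated key cannot confuse the decision. */
pem_key_kind pem_key_classify(const char *pem)
{
    static const char begin[] = "-----BEGIN ";
    const char *label, *end;
    size_t len;

    if (pem == NULL || (label = strstr(pem, begin)) == NULL)
        return PEM_KEY_UNKNOWN;
    label += sizeof(begin) - 1;          /* skip "-----BEGIN " */
    end = strstr(label, "-----");
    if (end == NULL)
        return PEM_KEY_UNKNOWN;          /* header line not terminated */
    len = (size_t)(end - label);

    if (len == 11 && memcmp(label, "PRIVATE KEY", 11) == 0)
        return PEM_KEY_PKCS8_PLAIN;
    if (len == 21 && memcmp(label, "ENCRYPTED PRIVATE KEY", 21) == 0)
        return PEM_KEY_PKCS8_ENCRYPTED;
    if ((len == 15 && (memcmp(label, "RSA PRIVATE KEY", 15) == 0 ||
                       memcmp(label, "DSA PRIVATE KEY", 15) == 0)) ||
        (len == 14 && memcmp(label, "EC PRIVATE KEY", 14) == 0))
        return PEM_KEY_TRADITIONAL;
    return PEM_KEY_UNKNOWN;              /* e.g. a certificate, not a key */
}
```

The labels checked are the ones "openssl req"/"openssl genpkey" (PKCS #8) and the older "openssl genrsa"/"openssl dsaparam -genkey" style tools emit; anything else falls through to PEM_KEY_UNKNOWN so the caller can report a clear error instead of -207.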