After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute), I tried to set those PKCS#11 URIs in the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM-encoded files (see function tlsg_ctx_init in tls_g.c), and connection initialization fails when it tries to read the PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client to look up the PKCS#11 store for the client key as well as the client certificate in order to establish a client-authenticated TLS connection.
Greetings, Stefan Scheidewig
On Monday, 17 June 2013 17:31:46, Dan White wrote:
On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
It seems that this special configuration is not possible. Trying to set the key will always result in
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
The LDAP code has to be adjusted to use a key or certificate from a configured PKCS#11 keystore.
Is there another way to accomplish that?
You might give GnuTLS a try, since you can specify the engine in the private key string:
p11tool --login --list-all
private key format (tls_key=) example:
pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;id=%01;object=Signature%20key;object-type=private
If your HSM requires a PIN, you may have to hard code it within that string.
-- Kind regards,
Stefan Scheidewig
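As an added illustration (not code from this thread, from OpenLDAP or from GnuTLS), a small RFC 7512 PKCS#11 URI parser in Python: it shows why a tls_key= string of the form Dan gives above cannot go through code that expects a PEM file path, and it flags a PIN hard-coded into the URI via the pin-value query attribute, which an ldaprc entry would then hold in clear text. The example URI is constructed from Dan's example with a placeholder serial and an added pin-value query.

```python
"""Parse a PKCS#11 URI (RFC 7512) and flag PIN material embedded in it."""
from urllib.parse import unquote

# Constructed example: Dan White's tls_key= form with a placeholder serial
# and a pin-value query appended (the part a hard-coded HSM PIN would go in).
EXAMPLE_URI = (
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;"
    "serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;"
    "id=%01;object=Signature%20key;object-type=private?pin-value=123456"
)


def is_pkcs11_uri(value):
    """True for a pkcs11: URI, False for anything else (e.g. a PEM path).

    OpenLDAP's tlsg_ctx_init hands TLS_KEY/TLS_CERT to a file loader, so a
    pkcs11: string is treated as a (non-existent) path, as in Stefan's error.
    """
    return value.startswith("pkcs11:")


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with percent-decoding applied.

    Path attributes are ';'-separated, query attributes '&'-separated.
    Raises ValueError for non-PKCS#11 strings or malformed attributes.
    """
    if not is_pkcs11_uri(uri):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition("=")
            if not eq:
                raise ValueError("malformed attribute %r" % item)
            attrs[key] = unquote(value)
        return attrs

    return split(path, ";"), split(query, "&")


def inline_secrets(uri):
    """Names of query attributes that embed the PIN itself in the URI.

    pin-value stores the PIN in the config; pin-source only points at where
    the PIN lives, which keeps the secret out of ldaprc.
    """
    _, query = parse_pkcs11_uri(uri)
    return sorted(k for k in query if k == "pin-value")
```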