After I recompiled OpenLDAP to use the Mozilla NSS framework (a quite complicated process; see http://www.openldap.org/faq/data/cache/196.html) I created a new certificate database directory structure and added the PKCS#11 module of my smartcard with modutil (but without specifying any mechanisms). According to http://www.openldap.org/faq/data/cache/1514.html I configured the ldaprc to point to the certificate directory (TLS_CACERTDIR), using the appropriate client certificate for authentication (TLS_CERT, <tokenname>:<certificate nickname> value) and pointing to the pin file with TLS_KEY (I believe this only works if OpenLDAP is compiled with RETRIEVE_PASSWORD_FROM_FILE set).
But unfortunately a search request with ldapsearch fails because the key for the certificate cannot be found. During the debug session one can see that the certificate is loaded from the smartcard, but the lookup for the associated private key fails (i.e. the NSS function PK11_FindKeyByDERCert returns null).
Does anyone know if I have to make any Mozilla NSS related adjustments at this point to make the key lookup work?
On Tuesday, 25 June 2013 06:26:10, Stefan Scheidewig wrote:
Looks promising. For instance the function PK11_FindKeyByDERCert in tls_m.c. I will try it with this one.
On 24.06.2013 18:26, Michael Ströder wrote:
Stefan Scheidewig wrote:
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute) I tried to set those PKCS#11 URIs in the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as a PEM-encoded file (see function tlsg_ctx_init in tls_g.c) and the connection initialization fails trying to read the PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client to look up the PKCS#11 store for the client key as well as the client certificate to establish a client-authenticated TLS connection.
If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss (--with-tls=moznss). Never tried that myself though.
Ciao, Michael.
-- Kind regards,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH, BU Content & Collaboration Solution, PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig, Software Developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel), +49 351 2820 5118 (Fax)
Stefan.Scheidewig@t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com
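An added example, not part of the thread, of the ldaprc layout the first mail describes for an NSS-built libldap, plus a certutil check that the token actually exposes the private key that PK11_FindKeyByDERCert is looking for. The token name "MyCard", the certificate nickname "ldapclient", the database directory and the PIN file path are all placeholders; certutil comes from the NSS tools package.

```shell
#!/bin/sh
# Example script (constructed, not from the OpenLDAP thread). Placeholder
# values: token "MyCard", nickname "ldapclient", certdir and pinfile paths.

# Render an ldaprc for a libldap built with --with-tls=moznss:
# TLS_CACERTDIR is the NSS database directory (with the PKCS#11 module
# added via modutil), TLS_CERT uses the <tokenname>:<nickname> form and
# TLS_KEY names the PIN file read by the NSS backend.
render_ldaprc() {
    certdir=$1; token=$2; nick=$3; pinfile=$4
    printf 'TLS_CACERTDIR %s\nTLS_CERT %s:%s\nTLS_KEY %s\nTLS_REQCERT demand\n' \
        "$certdir" "$token" "$nick" "$pinfile"
}

# Check that the smartcard's PKCS#11 module is registered in the database
# directory at all (modutil -list prints one entry per loaded module).
module_loaded() {
    certdir=$1; modname=$2
    modutil -dbdir "$certdir" -list 2>/dev/null | grep -q -- "$modname"
}

# The NSS private key lookup for a token certificate only succeeds when the
# token is present, logged in with its PIN and the key object is visible.
# certutil -K lists private keys; -h selects the token, -f supplies the
# PIN file, so a missing nickname here points at the token/PIN side rather
# than at the ldaprc. Returns 0 when the key is visible, 1 otherwise.
token_key_visible() {
    certdir=$1; token=$2; nick=$3; pinfile=$4
    certutil -K -d "$certdir" -h "$token" -f "$pinfile" 2>/dev/null \
        | grep -q -- "$nick"
}

# Usage (the real checks are only run when invoked directly with a token):
#   render_ldaprc /etc/openldap/certs MyCard ldapclient /etc/openldap/pin > ~/.ldaprc
#   token_key_visible /etc/openldap/certs MyCard ldapclient /etc/openldap/pin \
#       || echo "private key not visible on token: check PIN file and module"
```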