Hi All;
I am working on a PKI project, and would like to be able to use OpenLDAP, however, the certificate policy that we have to conform to mandates that CA entries be a member of pkiCA and cpCps auxiliary object classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP supports that just fine, however, I'm wondering if cpCPS is able to be supported.
I guess my question is twofold:
Have the syntax checking routines mandated for the cpCps object class (I presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP, and if so, does anyone happen to have a schema file available so that I don't have to write one myself to add this objectClass to OpenLDAP.
If not, is it possible to add these syntax checking routines in the same way as one can extend the schema for object classes and attributes?
(I know that I could probably cheat, turn schema checking off and just have the server support the attributes in a somewhat custom fashion, but since this is for a PKI system that needs a certain level of trust, I am a bit loath to do this).
Thanks in advance.
Patrick Patterson wrote, on 25-02-2008 21:25:
> I am working on a PKI project, and would like to be able to use OpenLDAP, however, the certificate policy that we have to conform to mandates that CA entries be a member of pkiCA and cpCps auxiliary object classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP supports that just fine, however, I'm wondering if cpCPS is able to be supported.
> I guess my question is twofold:
> Have the syntax checking routines mandated for the cpCps object class (I presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP, and if so, does anyone happen to have a schema file available so that I don't have to write one myself to add this objectClass to OpenLDAP.
> If not, is it possible to add these syntax checking routines in the same way as one can extend the schema for object classes and attributes?
> (I know that I could probably cheat, turn schema checking off and just have the server support the attributes in a somewhat custom fashion, but since this is for a PKI system that needs a certain level of trust, I am a bit loath to do this).
Not to put too fine a point on it (I have no need for this schema myself), but if I Google (just for the interest) on 'cpCps "object class" schema' it comes up with (i.a.) draft-ietf-pkix-ldap-pki-schema-00.txt, which would appear to be exactly what you're looking for for building your "own" schema. Besides which, 25 other links.
Best,
--Tonni
Tony Earnshaw wrote:
> Patrick Patterson wrote, on 25-02-2008 21:25:
>> I am working on a PKI project, and would like to be able to use OpenLDAP, however, the certificate policy that we have to conform to mandates that CA entries be a member of pkiCA and cpCps auxiliary object classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP supports that just fine, however, I'm wondering if cpCPS is able to be supported.
>> I guess my question is twofold:
>> Have the syntax checking routines mandated for the cpCps object class
Strictly speaking an object class doesn't have any matching rules assigned to it. You're probably talking about the related attribute types and their matching rules.
>> (I presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP,
Matching rule 'objectIdentifierFirstComponentMatch' for attribute type 'certificatePolicy' seems to be implemented in OpenLDAP 2.4.x. Not sure about 2.3.x, check the subschema yourself.
>> and if so, does anyone happen to have a schema file available so that I don't have to write one myself to add this objectClass to OpenLDAP.
It's quite easy since you just have to take the declarations from http://tools.ietf.org/draft/draft-ietf-pkix-ldap-pki-schema/draft-ietf-pkix-...
>> If not, is it possible to add these syntax checking routines in the same way as one can extend the schema for object classes and attributes?
No, you can't simply add matching rules by configuration. You have to implement them in C code.
>> (I know that I could probably cheat, turn schema checking off
No, you can't turn off schema checking anymore even though OpenLDAP 2.3.x still accepts the configuration directive but silently ignores it. 2.4.x does not accept this directive anymore.
> Not to put too fine a point on it (I have no need for this schema myself), but if I Google (just for the interest) on 'cpCps "object class" schema' it comes up with (i.a.) draft-ietf-pkix-ldap-pki-schema-00.txt, which would appear to be exactly what you're looking for for building your "own" schema.
It's worth looking at this *expired* draft, especially section "14. Outstanding Issues". I'm not sure whether it's a good idea to rely on this expired draft.
If you want this I-D to make any progress it might be worth posting a request on the ietf-pkix or ietf-ldapext mailing lists since both authors and other skilled people are there. But don't expect too much. This probably won't make any progress within the time-frame of your project.
Ciao, Michael.
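Following the advice above to check the subschema yourself, here is an added example (my own code, not part of this thread or of OpenLDAP) that reads a cn=Subschema dump and reports, for an object class such as cpCps, which of its attribute types the server does not define and which EQUALITY matching rules it does not advertise (the case that needs C code rather than a schema file). The subschema text is a constructed, abbreviated sample; apart from 2.5.4.68 quoted later in the thread, its OIDs and the x-cpsLocation/x-localCpCps definitions are placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what a search of cn=Subschema returns (heavily abbreviated).
# Only 2.5.4.68 is taken from the thread; every other OID is a placeholder.
SUBSCHEMA_LDIF = """\
dn: cn=Subschema
matchingRules: ( 2.5.13.30 NAME 'objectIdentifierFirstComponentMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributeTypes: ( 2.5.4.68 NAME 'certificationPracticeStmt' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.1.1 NAME 'certificatePolicy' EQUALITY objectIdentifierFirstComponentMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributeTypes: ( 1.1.2 NAME 'x-cpsLocation' EQUALITY x-cpsLocationMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.1.3 NAME 'cpCps' AUXILIARY MAY ( certificatePolicy $ certificationPracticeStmt ) )
objectClasses: ( 1.1.4 NAME 'x-localCpCps' AUXILIARY MUST x-cpsLocation )
"""

def parse_subschema(ldif: str) -> Dict[str, Dict[str, dict]]:
    """Index matchingRules, attributeTypes and objectClasses by NAME from an LDIF dump."""
    index = {"matchingRules": {}, "attributeTypes": {}, "objectClasses": {}}
    for line in ldif.splitlines():
        kind, _, value = line.partition(": ")
        if kind not in index:
            continue  # the dn line, or an attribute we do not care about
        name = re.search(r"NAME\s+'([^']+)'", value).group(1)
        elem = {"oid": value.split()[1]}  # value starts with "( <oid> ..."
        eq = re.search(r"EQUALITY\s+(\S+)", value)
        if eq:
            elem["equality"] = eq.group(1)
        for kw in ("MUST", "MAY"):  # either one name or a "( a $ b )" list
            m = re.search(kw + r"\s+(?:\(\s*([^)]*)\)|(\S+))", value)
            if m:
                elem[kw] = [a.strip() for a in (m.group(1) or m.group(2)).split("$")]
        index[kind][name] = elem
    return index

def check_object_class(index: Dict[str, Dict[str, dict]], oc_name: str) -> Tuple[List[str], List[str]]:
    """Return (undefined attribute types, unadvertised EQUALITY rules) for one object class."""
    oc = index["objectClasses"][oc_name]  # KeyError if the class is not loaded at all
    missing_attrs, missing_rules = [], []
    for attr in oc.get("MUST", []) + oc.get("MAY", []):
        at = index["attributeTypes"].get(attr)
        if at is None:
            missing_attrs.append(attr)
        elif "equality" in at and at["equality"] not in index["matchingRules"]:
            missing_rules.append(f"{attr}: {at['equality']}")
    return missing_attrs, missing_rules

if __name__ == "__main__":
    idx = parse_subschema(SUBSCHEMA_LDIF)
    print({oc: check_object_class(idx, oc) for oc in ("cpCps", "x-localCpCps")})
```

Against a live server, feed the function the output of a base-scope search of cn=Subschema for the three attributes instead of the constructed sample.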
On Tue, Feb 26, 2008 at 5:05 AM, Michael Ströder <michael@stroeder.com> wrote:
> Tony Earnshaw wrote:
>> Patrick Patterson wrote, on 25-02-2008 21:25:
>>> I am working on a PKI project, and would like to be able to use OpenLDAP, however, the certificate policy that we have to conform to mandates that CA entries be a member of pkiCA and cpCps auxiliary object classes. Now, the pkiCA requirement is easy, as it looks like OpenLDAP supports that just fine, however, I'm wondering if cpCPS is able to be supported.
>>> I guess my question is twofold:
>>> Have the syntax checking routines mandated for the cpCps object class
> Strictly speaking an object class doesn't have any matching rules assigned to it. You're probably talking about the related attribute types and their matching rules.
>>> (I presume out of ITU-T X.509 chapter 11) been implemented in OpenLDAP,
> Matching rule 'objectIdentifierFirstComponentMatch' for attribute type 'certificatePolicy' seems to be implemented in OpenLDAP 2.4.x. Not sure about 2.3.x, check the subschema yourself.
>>> and if so, does anyone happen to have a schema file available so that I don't have to write one myself to add this objectClass to OpenLDAP.
> It's quite easy since you just have to take the declarations from
> http://tools.ietf.org/draft/draft-ietf-pkix-ldap-pki-schema/draft-ietf-pkix-...
Ok - I had looked at this, but was confused by the lack of a specific certificatePolicyStmt attribute, which is in the X.509 spec, but not in that draft.
>>> If not, is it possible to add these syntax checking routines in the same way as one can extend the schema for object classes and attributes?
> No, you can't simply add matching rules by configuration. You have to implement them in C code.
That's what I figured - but I figured that I would ask anyways in case I missed something :)
>>> (I know that I could probably cheat, turn schema checking off
> No, you can't turn off schema checking anymore even though OpenLDAP 2.3.x still accepts the configuration directive but silently ignores it. 2.4.x does not accept this directive anymore.
Hmmm... was not aware of this.
>> Not to put too fine a point on it (I have no need for this schema myself), but if I Google (just for the interest) on 'cpCps "object class" schema' it comes up with (i.a.) draft-ietf-pkix-ldap-pki-schema-00.txt, which would appear to be exactly what you're looking for for building your "own" schema.
> It's worth looking at this *expired* draft, especially section "14. Outstanding Issues". I'm not sure whether it's a good idea to rely on this expired draft.
Unfortunately, these are rules that are brought down from the certificate policy that we have to implement, so that's why I'm even bothering with this. Frankly, the LDAP repository seems to me to be the wrong place to put CP and CPS information, when the certificatePolicy X.509 extension is quite happy to have an HTTP URI, and most people know how to follow one of those :)
> If you want this I-D to make any progress it might be worth posting a request on the ietf-pkix or ietf-ldapext mailing lists since both authors and other skilled people are there. But don't expect too much. This probably won't make any progress within the time-frame of your project.
I'll bring this up to the policy management authority - they are the ones that will be most interested... I'm just stuck implementing this :)
Thanks again.
Patrick Patterson wrote:
> On Tue, Feb 26, 2008 at 5:05 AM, Michael Ströder <michael@stroeder.com> wrote:
>> It's quite easy since you just have to take the declarations from http://tools.ietf.org/draft/draft-ietf-pkix-ldap-pki-schema/draft-ietf-pkix-ldap-pki-schema-00.txt
> Ok - I had looked at this, but was confused by the lack of a specific certificatePolicyStmt attribute, which is in the X.509 spec, but not in that draft.
I don't know your data. Google does not find anything with an attribute type 'certificatePolicyStmt'. But this attribute type is not referenced in the draft above anyway.
Another valuable source for finding OIDs related to PKI is Peter Gutmann's config file for dumpasn1:
http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg
There you'll find:
-------------------------- snip --------------------------
OID = 06 03 55 04 44
Comment = X.520 id-at (2 5 4)
Description = certificationPracticeStmt (2 5 4 68)
-------------------------- snip --------------------------
=> look up X.520 to find the schema declaration for this attribute type.
In case you have an older LDAP server running and you want to migrate the data to OpenLDAP, take a closer look at the subschema subentry of that server beforehand. Using a decent schema browser helps with grabbing old schema declarations. (E.g. use web2ldap, but being the author I'm biased.) Try to sort out unneeded schema declarations.
Ciao, Michael.
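To double-check a dumpasn1.cfg entry like the one quoted above before copying its OID into a schema declaration, here is an added example (my own code, not from this thread or from dumpasn1) that decodes the DER bytes of the "OID =" line and compares the result with the arcs given in the Description. The entry text is a constructed copy of the three lines quoted above.

```python
import re
from typing import Dict

# Constructed copy of the dumpasn1.cfg entry quoted in the thread (three lines only).
DUMPASN1_ENTRY = """\
OID = 06 03 55 04 44
Comment = X.520 id-at (2 5 4)
Description = certificationPracticeStmt (2 5 4 68)
"""

def decode_der_oid(hex_bytes: str) -> str:
    """Decode a complete DER OBJECT IDENTIFIER TLV (tag 06, short-form length,
    content) given as space-separated hex into dotted notation."""
    data = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(data) < 3 or data[0] != 0x06:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    if data[1] >= 0x80 or len(data) != 2 + data[1]:
        raise ValueError("length byte does not match content")
    arcs, value, pending = [], 0, False
    for b in data[2:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:  # high bit clear: this byte ends a base-128 arc
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated arc")
    # The first content arc packs the first two OID arcs as 40*X + Y; for X == 2
    # (joint-iso-itu-t) Y may exceed 39, so anything >= 80 belongs to arc 2.
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_dumpasn1_entry(text: str) -> Dict[str, str]:
    """Read the 'Key = value' lines of one dumpasn1.cfg entry into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (line.partition("=") for line in text.splitlines() if "=" in line)}

def entry_is_consistent(text: str) -> bool:
    """True if the entry's encoded OID decodes to the arcs listed in its Description."""
    entry = parse_dumpasn1_entry(text)
    described = re.search(r"\(([\d ]+)\)\s*$", entry["Description"]).group(1)
    return decode_der_oid(entry["OID"]) == ".".join(described.split())
```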
openldap-technical@openldap.org