Hello,
we have two LDAP instances. LDAP A acts as proxy for LDAP B using the ldap-backend. Now we configured LDAP B to use client authentication. We successfully established a connection to LDAP B using OpenSSL s_client and the PKCS#11 engine (OpenSSL engine library). Now we want the LDAP proxy to establish the connection using this pkcs11 engine (we compiled the ldap proxy to use OpenSSL as TLS implementation). Is there a possibility to tell the LDAP proxy to use the certificate and key from the smartcard (e.g. something like pkcs11:slot_1-id_42)?
Thank you in advance, Stefan Scheidewig
On 06/17/13 10:26 +0200, Stefan Scheidewig wrote:
I don't know. However, you could try to set tls_key=slot_1-id_42, but since OpenLDAP does not provide a configurable engine selection (to my knowledge), you'd need to find some way to set the engine to pkcs11, perhaps with an environment variable or via a default config option in /etc/openssl/, or via some openssl compile option.
It seems that this special configuration is not possible. Trying to set the key will always result in
TLS: could not use key file `xyz'.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:398
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:400
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:648
The ldap code has to be adjusted to use a key or certificate from a configured pkcs#11 keystore.
Is there another way to accomplish that?
On Monday, 17 June 2013 15:48:13, Dan White wrote:
-- Kind regards,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH, BU Content & Collaboration Solution, PF 54 Integrated Content Portals. Dipl.-Inf. Stefan Scheidewig, Software Developer. Street address: Riesaer Str. 5, 01129 Dresden, Germany. Postal address: Postfach 10 02 24, 01072 Dresden, Germany. +49 351 2820 2924 (Tel), +49 351 2820 5118 (Fax), Stefan.Scheidewig@t-systems.com (E-Mail), Internet: http://www.t-systems-mms.com
T-Systems Multimedia Solutions GmbH. Supervisory board: Klaus Werner (Chairman). Management: Peter Klingenburg, Susanne Heger. Commercial register: Amtsgericht Dresden HRB 11433. Registered office: Dresden. VAT ID: DE 811 807 949
On 06/17/13 16:54 +0200, Stefan Scheidewig wrote:
You might give GnuTLS a try, since you can specify the engine in the private key string:
p11tool --login --list-all
private key format (tls_key=) example: pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;id=%01;object=Signature%20key;object-type=private
If your HSM requires a PIN, you may have to hard code it within that string.
After I managed to connect to the LDAP server with gnutls-cli (with a PKCS#11 URI containing a pinfile attribute), I tried to set those PKCS#11 URIs in the ldaprc settings TLS_KEY and TLS_CERT. But these settings are handled as PEM-encoded files (see function tlsg_ctx_init in tls_g.c), and the connection initialization fails trying to read the PKCS#11 URI from the local file system.
So currently there seems to be no way to configure the OpenLDAP client to look up the pkcs#11 store for the client key as well as the client certificate to establish a client authenticated TLS connection.
Greetings, Stefan Scheidewig
On Monday, 17 June 2013 17:31:46, Dan White wrote:
Stefan Scheidewig wrote:
If PKCS#11 support for smartcard/HSM is needed I'd try to use libnss (--with-tls=moznss). Never tried that myself though.
Ciao, Michael.
Michael Ströder wrote:
Or submit appropriate GnuTLS or OpenSSL patches to add the feature.
Hello,
you were right. The only way to get the PKCS#11 access working was to patch the tls_g.c file to use gnutls_certificate_set_x509_key_file instead of gnutls_certificate_set_x509_key. The former function also handles PKCS#11 URIs. So the tlsg_get_file function is obsolete.
After applying the patch the smart card access was successful. The way to get this access working was a working p11-kit configuration and the configuration of the PKCS#11 URIs for TLS_CERT and TLS_KEY (here you can use the GnuTLS program p11tool to find out the PKCS#11 URIs). If you append the pinfile attribute to the end of the URI (provided the pin file callback patch has been applied - http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=c1eddcfe663b... ) you don't have to type in the PIN anymore (here it is necessary that the pin file has no end-of-line character).
Greetings, Stefan Scheidewig
On 24.06.2013 19:47, Howard Chu wrote:
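The PKCS#11 URI format from Dan White's reply and the pin-file caveat from Stefan's last message above, worked through as an added example (this is not OpenLDAP, GnuTLS or p11-kit code, and neither the patched tls_g.c nor the GnuTLS pin callback is involved). The parser splits a pkcs11: URI into its percent-encoded path attributes (token, id, object, ...) and query attributes, treating `id` as the raw CKA_ID byte string. `object-type=private` is the older GnuTLS spelling that appears in the mail; RFC 7512 calls the attribute `type`, and puts the PIN-file location in a `pin-source` query attribute where the thread appends GnuTLS's `pinfile`; the helper accepts all of these. `check_pin_file` reproduces the two things that bite in practice: a trailing newline that the token would see as part of the PIN, and a PIN file readable by other users. The URI is the one quoted above (serial masked as in the original); the PIN files and their contents are constructed for the demo.

```python
"""PKCS#11 URI parsing and PIN-file checks (added example, not OpenLDAP or GnuTLS code)."""
import os
import stat
import tempfile
from urllib.parse import quote, unquote, unquote_to_bytes

# Example URI from Dan White's mail above (serial partially masked in the original).
EXAMPLE_URI = (
    "pkcs11:model=PKCS%2315%20emulated;manufacturer=OpenPGP%20project;"
    "serial=00050000xxxxxxxx;token=OpenPGP%20Card%20%28Signature%20PIN%29;"
    "id=%01;object=Signature%20key;object-type=private"
)


def _split_attrs(part, sep):
    """Decode 'name=value' items; 'id' is a raw CKA_ID byte string, the rest text."""
    attrs = {}
    for item in filter(None, part.split(sep)):
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name!r}")
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    Path attributes (token, id, object, ...) are ';'-separated before '?';
    query attributes (pin-source, pin-value, module-path, ...) are '&'-separated after it.
    """
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = rest.partition("?")
    return _split_attrs(path_part, ";"), _split_attrs(query_part, "&")


def object_class(path_attrs):
    """Object class: 'type' per RFC 7512, 'object-type' in the older GnuTLS form used above."""
    return path_attrs.get("type") or path_attrs.get("object-type")


def pin_source(uri):
    """Location of the PIN file named by the URI, or None.

    Accepts GnuTLS's 'pinfile' (which the thread appends to the URI) in either
    part of the URI and RFC 7512's 'pin-source' in the query part.
    """
    path_attrs, query_attrs = parse_pkcs11_uri(uri)
    return (query_attrs.get("pin-source") or query_attrs.get("pinfile")
            or path_attrs.get("pinfile"))


def check_pin_file(path):
    """Read a PIN file and report the problems a practitioner runs into.

    GnuTLS hands the file content to the token verbatim, so a trailing newline
    becomes part of the PIN (Stefan's observation above). A file readable by
    group or others leaks the PIN, so anything beyond owner permissions is flagged.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"pin file mode {mode:04o} is readable by group/other")
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.endswith((b"\n", b"\r")):
        problems.append("pin file ends with a newline; the token would see it as part of the PIN")
    if not raw:
        problems.append("pin file is empty")
    return raw.decode("utf-8", "replace"), problems


def demo():
    """Constructed walk-through: parse the URI, then check a good and a bad PIN file."""
    path_attrs, _ = parse_pkcs11_uri(EXAMPLE_URI)
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "pin.good")
        bad = os.path.join(tmp, "pin.bad")
        with open(good, "wb") as fh:      # what 'printf 123456 > pin' produces: no newline
            fh.write(b"123456")
        os.chmod(good, 0o600)
        with open(bad, "wb") as fh:       # what a plain 'echo 123456 > pin' produces
            fh.write(b"123456\n")
        os.chmod(bad, 0o644)
        good_pin, good_problems = check_pin_file(good)
        bad_pin, bad_problems = check_pin_file(bad)
        # Append the PIN file the way the thread describes (GnuTLS 'pinfile' attribute).
        uri_with_pin = EXAMPLE_URI + ";pinfile=" + quote(good)
        resolves = pin_source(uri_with_pin) == good
    return {
        "token": path_attrs["token"],
        "id": path_attrs["id"],
        "class": object_class(path_attrs),
        "good_pin": good_pin,
        "good_problems": good_problems,
        "bad_pin": bad_pin,
        "bad_problems": bad_problems,
        "pin_source_resolves": resolves,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see the decoded token name "OpenPGP Card (Signature PIN)", the one-byte CKA_ID, and the two findings against the badly written PIN file; p11tool's own output is the authoritative source for the URI of a real token, this only shows what the encoding means and what to check before pointing TLS_KEY at it.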
Looks promising. For instance the function PK11_FindKeyByDERCert in tls_m.c . I will try it with this one.
On 24.06.2013 18:26, Michael Ströder wrote:
After I recompiled OpenLDAP to use the Mozilla NSS framework (quite a complicated process; see http://www.openldap.org/faq/data/cache/196.html), I created a new certificate database directory structure and added the PKCS#11 module of my smartcard with modutil (but without specifying any mechanisms). According to http://www.openldap.org/faq/data/cache/1514.html I configured the ldaprc to point to the certificate directory (TLS_CACERTDIR), using the appropriate client certificate for authentication (TLS_CERT, <tokenname>:<certificate nickname> value) and pointing to the pin file with TLS_KEY (I believe this only works if OpenLDAP is compiled with RETRIEVE_PASSWORD_FROM_FILE set).
But unfortunately a search request with ldapsearch fails, because the key for the certificate cannot be found. During the debug session one can see that the certificate is loaded from the smartcard, but the lookup for the associated private key fails (i.e. the NSS function PK11_FindKeyByDERCert returns null).
Does anyone know if I have to make any Mozilla NSS related adjustments at this point to make the key lookup work?
On Tuesday, 25 June 2013 06:26:10, Stefan Scheidewig wrote: