Successful LDAP signing test

From: Mike Markley <mike_at_markley.org>
Date: Fri, 19 Feb 2010 11:18:10 -0800

I've now been able to send correctly-signed messages using LDAP KeyTable
and SigningTable. I'll use the last couple of notes you sent, Murray, to
flesh out the sample schema and do some doc work. Maybe even a quick
LDAP how-to.

I now feel more strongly that we should support DER private keys in
LDAP. Simply stripping out the headers and inserting the PEM data into
the LDAP attribute resulted in a "dkim_eom(): resource unavailable:
PEM_read_bio_PrivateKey() failed" error. I ended up having to
base64-encode the PEM file (which is already base64-encoded) and specify
in my LDIF file that the value was so encoded.

This happens because of the line breaks in the PEM file: LDIF doesn't
have a good way to handle newlines in an attribute value. That being the
case, it's actually easier to get DER into the LDIF; PEM is just DER
+ base64 + header/footer, and LDIF natively supports specifying
attribute values in base64, so all you have to do is:
attributeName:: <PEM file with header, footer, and newlines stripped>

I have no doubt that there are UIs out there that can handle multiline
text more elegantly, but LDIF is still pretty much the standard for that
sort of thing.

That, however, is a fairly minor nit; the big piece works.

-- 
Mike Markley <mike_at_markley.org>
Physics is like sex: sure, it may give some practical results, but
that's not why we do it.
- Richard Feynman
Received on Fri Feb 19 2010 - 19:18:19 PST
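As an added example, not code from the mail or from OpenDKIM, the PEM/LDIF handling described above in Python: strip the PEM armor to get DER, write it as an RFC 2849 `::` base64 attribute with line folding, read it back, and tell a DER value apart from one produced by base64-encoding the whole PEM file. The attribute name `dkimKey` and the sample key bytes are constructed placeholders.

```python
import base64
import re
import textwrap

# Constructed sample: a fake DER blob (starts with the ASN.1 SEQUENCE tag 0x30)
# wrapped as PEM; it stands in for a real private key, which would be far longer.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64))
    + "\n-----END RSA PRIVATE KEY-----\n"
)
PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

def stripped_pem_body(pem_text: str) -> str:
    """Base64 between header and footer with newlines removed: what follows 'attr:: '."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    return "".join(match.group(1).split())

def pem_to_der(pem_text: str) -> bytes:
    """PEM is DER + base64 + armor, so decoding the stripped body yields DER."""
    return base64.b64decode(stripped_pem_body(pem_text), validate=True)

def ldif_base64_attr(name: str, value: bytes, width: int = 76) -> str:
    """Render 'name:: <base64>' folded per RFC 2849 (continuations start with a space)."""
    line = f"{name}:: {base64.b64encode(value).decode('ascii')}"
    lines, rest = [line[:width]], line[width:]
    while rest:
        lines.append(" " + rest[: width - 1])
        rest = rest[width - 1 :]
    return "\n".join(lines) + "\n"

def ldif_read_base64_attr(ldif_text: str, name: str) -> bytes:
    """Unfold continuation lines and decode the '::' value back to raw bytes."""
    for line in ldif_text.replace("\n ", "").splitlines():
        if line.startswith(name + ":: "):
            return base64.b64decode(line[len(name) + 3:], validate=True)
    raise KeyError(name)

def stored_key_kind(value: bytes) -> str:
    """'pem' if the decoded value is still PEM text (the whole file was base64-encoded,
    the workaround in the mail); 'der' if it starts with a SEQUENCE tag; else 'unknown'."""
    if value.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    return "der" if value[:1] == b"\x30" else "unknown"
```

`ldif_base64_attr("dkimKey", pem_to_der(open("key.pem").read()))` produces the `dkimKey::` attribute directly from a PEM file, and `stored_key_kind` on a value read back from the directory shows which of the two encodings actually ended up stored.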

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:32:52 PST