Re: Successful LDAP signing test

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 19 Feb 2010 14:03:28 -0800 (PST)

On Fri, 19 Feb 2010, Mike Markley wrote:
>> For extra credit: Does the new opendkim-genzone tool work for the
>> sample key you put in LDAP?
>
> Actually, it doesn't compile on my system. Now that I've got LDAP
> tested, I plan to go see why that, Lua, etc. all cause build failures
> here. Seems to all come down to missing dependencies, since the failures
> are almost universally unresolved symbols.

You may need the Makefile.in I sent to opendkim-users this morning. I had
forgotten to make opendkim-genzone link against the external database
libraries.

>> What mechanism would you suggest for indicating that the input keys are
>> DER-formatted? A fourth attribute in the query? A command-line flag?
>> Something else? I don't really want to assume DER if the installation is
>> using LDAP because, for example, it might be hard to do the same thing in
>> the Sleepycat DB and OpenDBX cases.
>
> Would it be crazy to just check for the PEM header/footer? If the LDAP
> bits can't handle it without the header/footer, then I assume that the
> other DB types can't because they're being shoved through the same
> OpenSSL routines.

Modifying libopendkim and opendkim-genzone to take either form shouldn't
be too difficult. opendkim itself just passes the data through and
reports on errors in processing, if any.

I wonder if there's a more intelligent way to check for which form it's in
other than seeing if the first five bytes are "-----", but that seems to
me like it should be a good starting place.
Received on Fri Feb 19 2010 - 22:03:47 PST
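
An added example, not part of the original message and not OpenDKIM code: one way to tell the two key forms apart that goes a step beyond the five-byte "-----" check discussed above, by requiring the full "-----BEGIN " marker for PEM and a well-formed outer ASN.1 SEQUENCE for DER. The names `guess_key_format` and `der_length` are hypothetical, and the code assumes the stored value holds exactly one key with no trailing padding.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not libopendkim symbols. */
enum key_format { KEY_UNKNOWN, KEY_PEM, KEY_DER };

/* Decode a DER length at p; reject indefinite and non-minimal encodings. */
static int der_length(const unsigned char *p, size_t n, size_t *len, size_t *used)
{
    size_t nbytes, v = 0, i;

    if (n < 1) return -1;
    if (p[0] < 0x80) { *len = p[0]; *used = 1; return 0; }  /* short form */
    nbytes = p[0] & 0x7f;
    if (nbytes == 0 || nbytes > 4 || nbytes + 1 > n || p[1] == 0) return -1;
    for (i = 1; i <= nbytes; i++) v = (v << 8) | p[i];
    if (v < 0x80) return -1;            /* DER requires the short form here */
    *len = v; *used = 1 + nbytes;
    return 0;
}

enum key_format guess_key_format(const unsigned char *buf, size_t n)
{
    size_t i = 0, len, used;

    /* PEM is text: skip leading whitespace, then require the full marker. */
    while (i < n && isspace(buf[i])) i++;
    if (n - i >= 11 && memcmp(buf + i, "-----BEGIN ", 11) == 0)
        return KEY_PEM;
    /* DER key: a single SEQUENCE (0x30) whose length covers the whole buffer. */
    if (n >= 2 && buf[0] == 0x30 &&
        der_length(buf + 1, n - 1, &len, &used) == 0 && len == n - 1 - used)
        return KEY_DER;
    return KEY_UNKNOWN;
}

int main(void)
{
    /* Constructed samples: a PEM header line and a minimal DER SEQUENCE. */
    const char *pem = "-----BEGIN RSA PRIVATE KEY-----\n";
    const unsigned char der[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };

    printf("pem=%d der=%d\n",
           guess_key_format((const unsigned char *)pem, strlen(pem)),
           guess_key_format(der, sizeof der));
    return 0;
}
```

Anything that matches neither form comes back as `KEY_UNKNOWN`, so the caller can report an error instead of handing an ambiguous blob to the key-parsing routines.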
