Re: Successful LDAP signing test

From: Mike Markley <mike_at_markley.org>
Date: Fri, 19 Feb 2010 17:14:56 -0800

On Fri, Feb 19, 2010 at 04:13:42PM -0800, Murray S. Kucherawy <msk_at_blackops.org> wrote:
> Actually, I think the PEM functions inside libcrypto will work if the
> header and footer are removed. Note that a DKIM public key doesn't have
> them, for example. That data is passed as-is, without decoding, to the
> PEM functions inside libcrypto when signing is about to occur.
>
> Would it be difficult to use LDIF to insert base64-encoded keys if you
> just take the base64 part of a PEM key, without header/footer/newlines?
> If so, we don't need to support DER explicitly.

I've tried the following:
1. Strip the header, footer, and linebreaks from the PEM file. Insert
   into LDAP as text.
2. Strip the header, footer, and linebreaks from the PEM file. The
   result is the DER-encoded key. Insert into LDAP as binary data.
3. Strip just the header and footer from the PEM file. Leave the line
   breaks. Encode the wrapped text as base64 (required to preserve the
   linebreaks). Insert into LDAP as text. (your suggestion)
4. Encode the whole, unmangled PEM file as base64. Insert into LDAP as
   text.

Only #4 resulted in a signature. The rest resulted in "resource
unavailable: PEM_read_bio_PrivateKey() failed".

After a quick test with OpenDKIM 1.x, I agree that a lack of header
lines seems to be no issue for it, but that just isn't the case with the
version of the filter I'm testing with. I don't know if that's an issue
with the code path for the LDAP support or with 2.x. I've tried it both
ways, and here's the diff of the key values that are returned by
ldapsearch:

1d0
< -----BEGIN RSA PRIVATE KEY-----
15d13
< -----END RSA PRIVATE KEY-----

-- 
Mike Markley <mike_at_markley.org>
Received on Sat Feb 20 2010 - 01:15:06 PST
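The four LDAP storage variants tried above, as an added example that is not part of this post or of OpenDKIM: a small Python model of what PEM_read_bio_PrivateKey() needs from the value it is handed, namely the BEGIN/END framing lines around a decodable base64 body. The key body is a constructed placeholder rather than a real RSA key, and the regex framing check is an assumption standing in for libcrypto's PEM reader.

```python
import base64
import binascii
import re

# Constructed stand-in for a PEM private key: the body is arbitrary
# high-bit bytes (like real DER), not a usable key.
_BODY = base64.b64encode(bytes(range(128, 176))).decode()
PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
       + "\n".join(_BODY[i:i + 64] for i in range(0, len(_BODY), 64))
       + "\n-----END RSA PRIVATE KEY-----\n")

# Assumed model of PEM framing: matching BEGIN/END labels around a body.
_FRAME = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.+?)\n-----END \1-----\n?", re.S)


def _strip_frame(pem: str) -> str:
    """Return only the base64 body (header and footer removed)."""
    m = _FRAME.search(pem)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(2)


# The four ways the key was stored in LDAP in the experiment above.
def variant1(pem: str) -> bytes:  # text: body without framing or newlines
    return _strip_frame(pem).replace("\n", "").encode()

def variant2(pem: str) -> bytes:  # binary: the DER bytes of the key
    return base64.b64decode(_strip_frame(pem).replace("\n", ""))

def variant3(pem: str) -> bytes:  # text: base64 of the still-wrapped body
    return base64.b64encode(_strip_frame(pem).encode())

def variant4(pem: str) -> bytes:  # text: base64 of the complete PEM file
    return base64.b64encode(pem.encode())


def readable_as_pem(stored: bytes, base64_wrapped: bool) -> bool:
    """After the LDAP client undoes any outer base64 layer, the bytes must
    still carry the BEGIN/END framing and a decodable base64 body."""
    data = base64.b64decode(stored) if base64_wrapped else stored
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False            # raw DER: binary, no PEM framing possible
    m = _FRAME.search(text)
    if not m:
        return False            # framing lines missing (variants 1 and 3)
    try:
        base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    except (ValueError, binascii.Error):
        return False
    return True
```

Only variant 4 survives the round trip with its framing intact, which matches the one case that produced a signature.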