Re: Successful LDAP signing test

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 19 Feb 2010 22:42:43 -0800 (PST)

On Fri, 19 Feb 2010, Mike Markley wrote:
>> Would it be difficult to use LDIF to insert base64-encoded keys if you
>> just take the base64 part of a PEM key, without header/footer/newlines?
>> If so, we don't need to support DER explicitly.
>
> I've tried the following:
> 1. Strip the header, footer, and linebreaks from the PEM file. Insert
> into LDAP as text.

Interesting. Since public keys are stored this way, I would've expected
private keys to work the same way.

So I looked. The public keys are base64-decoded by libopendkim, so what
actually gets passed to libcrypto is a DER key. So right now we take PEM
keys for signing and pass them directly to libcrypto, but we handle the
base64 decoding of the public keys from DNS TXT records ourselves and
actually use DER keys for verifying.

So the next question is: Which of the things you tried is actually easier
for an LDAP administrator to do? I'm fine with supporting DER-style keys
for LDAP (and probably SQL and maybe Sleepycat) but we also need to
consider that flat files can't use anything with linefeeds, so
all-on-one-line keys will have to be supported as well.

Maybe we need a "PrivateKeyFormat" parameter that tells it how to
interpret whatever it gets back from the KeyTable?
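The three representations discussed above (PEM with header/footer, the flat one-line base64 that was inserted into LDAP, and the raw DER that libcrypto ultimately consumes) are the same bytes in different wrappers. The following is an added example, not OpenDKIM code: a small format sniffer of the kind a "PrivateKeyFormat"-style loader would need, with a constructed stand-in DER blob (SEQUENCE { INTEGER 5 }) in place of a real key.

```python
import base64
import re

# Constructed stand-in for a DER key: SEQUENCE { INTEGER 5 } (not a real key).
DER_SAMPLE = bytes.fromhex("3003020105")
PEM_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n"
              "-----END RSA PRIVATE KEY-----\n")
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _looks_like_der(blob):
    """True if blob is one DER SEQUENCE whose length covers exactly the rest."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return False
    length = int.from_bytes(blob[2:2 + n], "big")
    return len(blob) == 2 + n + length


def pem_to_flat(pem):
    """What the LDAP test did: drop header/footer/newlines, keep the base64."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    return "".join(m.group(2).split())


def flat_to_pem(flat, label="RSA PRIVATE KEY"):
    """Re-wrap one-line base64 as PEM for a loader that only accepts PEM."""
    body = "\n".join(flat[i:i + 64] for i in range(0, len(flat), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def normalize_private_key(raw):
    """Sniff a KeyTable value and return ("pem"|"base64"|"der", der_bytes)."""
    data = raw if isinstance(raw, bytes) else raw.encode("ascii")
    if _looks_like_der(data):             # binary DER straight from LDAP/SQL
        return "der", data
    text = data.decode("ascii")           # note: '0' is also byte 0x30
    if "-----BEGIN" in text:
        fmt, flat = "pem", pem_to_flat(text)
    else:                                 # one-line base64 (flat file / LDIF)
        fmt, flat = "base64", "".join(text.split())
    der = base64.b64decode(flat, validate=True)
    if not _looks_like_der(der):
        raise ValueError("decoded %s key is not a DER SEQUENCE" % fmt)
    return fmt, der
```

The DER length check is what disambiguates a binary value from ASCII base64 that happens to start with the character '0' (byte 0x30).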
Received on Sat Feb 20 2010 - 06:43:11 PST