All,
The dirmngr component doesn't attempt to fetch or parse userSMIMECertificate
attributes within entries while fetching from LDAP, so I've attached a diff
against 0.9.0 which adds the capability [.Our directory stores
userSMIMECertificates to distinguish from our web client certificates].
Also - I think that line 680 in ldap_wrapper (ldap.c) which reads
ctrl->refcount++
should read:
if (ctrl) ctrl->refcount++
since ctrl is not guaranteed to be non-NULL when entering the ldap_wrapper
routine (try loading a CRL whose issuer certificate is not available in the
local store or via LDAP - I get a segfault).
Now the bad news: I can't get libksba (0.9.10) to parse the PKCS7 blob which
makes up a userSMIMECertificate - I just get "unsupported encoding" after the
first couple of calls to the PKCS7 parser. So, I had to use GnuTLS as the
PKCS7 unwrapper, which imposes a partial dependency on GnuTLS. The configure
script will continue if GnuTLS is not present, but the PKCS7 unwrapping will
be #ifdef'ed out.
Also - the code only takes the first certificate from the PKCS7 blob - which
is not necessarily the right thing to do (the chain may be presented root to
leaf, instead of the other way round).
If anyone knows how to get ksba to parse the certs in the blob (I've attached
a sample PKCS7 blob), then that would be a much better solution.
Cheers,
Neil
The dirmngr component doesn't attempt to fetch or parse userSMIMECertificate
attributes within entries while fetching from LDAP, so I've attached a diff
against 0.9.0 which adds the capability [.Our directory stores
userSMIMECertificates to distinguish from our web client certificates].
Also - I think that line 680 in ldap_wrapper (ldap.c) which reads
ctrl->refcount++
should read:
if (ctrl) ctrl->refcount++
since ctrl is not guaranteed to be non-NULL when entering the ldap_wrapper
routine (try loading a CRL whose issuer certificate is not available in the
local store or via LDAP - I get a segfault).
Now the bad news: I can't get libksba (0.9.10) to parse the PKCS7 blob which
makes up a userSMIMECertificate - I just get "unsupported encoding" after the
first couple of calls to the PKCS7 parser. So, I had to use GnuTLS as the
PKCS7 unwrapper, which imposes a partial dependency on GnuTLS. The configure
script will continue if GnuTLS is not present, but the PKCS7 unwrapping will
be #ifdef'ed out.
Also - the code only takes the first certificate from the PKCS7 blob - which
is not necessarily the right thing to do (the chain may be presented root to
leaf, instead of the other way round).
If anyone knows how to get ksba to parse the certs in the blob (I've attached
a sample PKCS7 blob), then that would be a much better solution.
Cheers,
Neil
Attached Files:
-
dirmngr-smime.diff.zip (2.92 KB)
-
sample-pkcs7.der (2.96 KB)