[email protected] wrote:
> Full_Name: Alexander Komyagin
> Version: 2.4.23
> OS: Debian Squeeze
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (178.16.156.18)
>
>
> Hi! I found out that when slapd is linked with gnutls, it fails to parse the
> private key on startup if it is given in PKCS #8 form (TLS init def ctx failed:
> -207).
>
> The problem is in the tlsg_ctx_init() (tls_g.c) function, which calls
> gnutls_x509_privkey_import() from gnutls. But gnutls_x509_privkey_import() is
> designed to support only RSA/DSA keys, while for PKCS#8
> gnutls_x509_privkey_import_pkcs8() shall be used.
>
> I think that incorporating such an enhancement for slapd would make it even
> better (for example, some popular commands like "openssl req" generate keys in
> PKCS #8) :) Especially when such an enhancement can be done in a few lines of
> code (just like certtool does):
Please read http://www.openldap.org/devel/contributing.html and submit an actual
patch if you want this suggestion to be considered.

>   if (!info.pkcs8)
>     ret = gnutls_x509_privkey_import (key, &pem, info.incert_format);
>
>   /* If we failed to import the certificate previously try PKCS #8 */
>   if (info.pkcs8 || ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
>     {
>       /* first try to import the key without asking any password */
>       ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
>                                               info.incert_format,
>                                               NULL, GNUTLS_PKCS_PLAIN);
>       if (ret < 0)
>         {
>           if (info.pass)
>             pass = info.pass;
>           else
>             pass = get_pass ();
>           ret = gnutls_x509_privkey_import_pkcs8 (key, &pem,
>                                                   info.incert_format,
>                                                   pass, 0);
>         }
>     }

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
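The fallback chain in the certtool snippet quoted above is driven by which PEM container the key sits in: a legacy "RSA PRIVATE KEY"/"DSA PRIVATE KEY" body is what gnutls_x509_privkey_import() accepts, while "PRIVATE KEY" (PKCS#8 PrivateKeyInfo) and "ENCRYPTED PRIVATE KEY" (EncryptedPrivateKeyInfo) need gnutls_x509_privkey_import_pkcs8(), first without a password and then with one. The following Python is an added example, not part of this thread and not OpenLDAP's or GnuTLS's code: it parses the PEM label and the outer DER structure of a key, reports which container it is (and the algorithm OID for PKCS#8), and lists the calls a certtool-style chain would reach before the key loads. It needs no GnuTLS installation; the sample keys are constructed dummies with no real key material, and the function names (classify_private_key, gnutls_import_chain, and the helpers) are this example's own.

```python
import base64
import re

# DER tags used below
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06

def der_encode(tag, body):
    """Minimal DER TLV encoder (only used to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_decode(text):
    """Return (label, DER bytes) of the first PEM block in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def classify_private_key(pem_text):
    """'pkcs1', 'pkcs8-plain:<alg oid>', 'pkcs8-encrypted:<alg oid>' or 'unknown'."""
    label, der = pem_decode(pem_text)
    tag, body, _ = der_read(der)
    if tag != SEQUENCE:
        return "unknown"
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):
        # legacy body: SEQUENCE { INTEGER version, INTEGER ..., ... }
        t1, _, p = der_read(body)
        t2, _, _ = der_read(body, p)
        return "pkcs1" if (t1, t2) == (INTEGER, INTEGER) else "unknown"
    if label == "PRIVATE KEY":
        # PrivateKeyInfo: SEQUENCE { INTEGER version, AlgorithmIdentifier, OCTET STRING }
        t1, _, p = der_read(body)
        t2, alg, p = der_read(body, p)
        t3, _, _ = der_read(body, p)
        if (t1, t2, t3) != (INTEGER, SEQUENCE, OCTET_STRING):
            return "unknown"
        return "pkcs8-plain:" + decode_oid(der_read(alg)[1])
    if label == "ENCRYPTED PRIVATE KEY":
        # EncryptedPrivateKeyInfo: SEQUENCE { AlgorithmIdentifier, OCTET STRING }
        t1, alg, p = der_read(body)
        t2, _, _ = der_read(body, p)
        if (t1, t2) != (SEQUENCE, OCTET_STRING):
            return "unknown"
        return "pkcs8-encrypted:" + decode_oid(der_read(alg)[1])
    return "unknown"

def gnutls_import_chain(pem_text):
    """Calls a certtool-style fallback chain makes before the key loads."""
    kind = classify_private_key(pem_text)
    chain = ["gnutls_x509_privkey_import"]
    if kind == "pkcs1":
        return chain
    if kind.startswith("pkcs8-"):
        chain.append("gnutls_x509_privkey_import_pkcs8(NULL, GNUTLS_PKCS_PLAIN)")
        if kind.startswith("pkcs8-encrypted"):
            chain.append("gnutls_x509_privkey_import_pkcs8(password, 0)")
        return chain
    return []          # neither importer will accept this; surface the error

# Constructed sample keys: dummy integers, no real key material.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
PBES2_OID = bytes.fromhex("2a864886f70d01050d")           # 1.2.840.113549.1.5.13
_pkcs1_body = der_encode(SEQUENCE, b"".join(
    der_encode(INTEGER, v) for v in (b"\x00", b"\x00\xc1\x23", b"\x01\x00\x01", b"\x45")))
SAMPLE_PKCS1_PEM = pem_encode("RSA PRIVATE KEY", _pkcs1_body)
_alg_rsa = der_encode(SEQUENCE, der_encode(OID, RSA_ENCRYPTION_OID) + der_encode(NULL, b""))
SAMPLE_PKCS8_PEM = pem_encode("PRIVATE KEY", der_encode(SEQUENCE,
    der_encode(INTEGER, b"\x00") + _alg_rsa + der_encode(OCTET_STRING, _pkcs1_body)))
_alg_pbes2 = der_encode(SEQUENCE, der_encode(OID, PBES2_OID) + der_encode(SEQUENCE, b""))
SAMPLE_PKCS8_ENC_PEM = pem_encode("ENCRYPTED PRIVATE KEY", der_encode(SEQUENCE,
    _alg_pbes2 + der_encode(OCTET_STRING, b"\xde\xad\xbe\xef" * 8)))

if __name__ == "__main__":
    for pem in (SAMPLE_PKCS1_PEM, SAMPLE_PKCS8_PEM, SAMPLE_PKCS8_ENC_PEM):
        print(classify_private_key(pem), "->", " then ".join(gnutls_import_chain(pem)))
```

Run it on a real key file by passing the file's contents to classify_private_key(); a "PRIVATE KEY" label is exactly the case the certtool snippet above catches via GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR, since the plain importer only knows the RSA/DSA labels. Note the order in the chain: the PKCS#8 importer is tried with a NULL password and GNUTLS_PKCS_PLAIN first, so an unencrypted PKCS#8 key never prompts, and a password is only requested once that attempt fails.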
