dirmngr

Karsten Künne kuenne@rentec.com
Thu May 15 19:47:01 2003


On Thursday 15 May 2003 10:09, Bernhard Reiter wrote:
> [It might be that your mail was stuck in moderation quite a while.]
>
>
> > I'm especially interested in http support for CRL-fetching because
> > all of our certs have a "http"-URI as CRL-distributionpoint.
>
> That would be nice to have.
> A patch would be welcome.
>

Unfortunately I'm not a good programmer.

> > I also found out
> > that dirmngr takes the DN from a cert literally and tries to look that up
> > in ldap which in our case doesn't work because our ldap base is
> > "dc=rentec,dc=com" whereas the certs contain "o=rentec,c=us".
>
> But that is a bug in the cert then, isn't it? :)

Well, the certs and the CA are actually older than the ldap service here. At
one point we switched to the dc=rentec,dc=com base because we wanted to use
ldap as a nameservice for Solaris (instead of NIS). But changing a CA is a
bit more complicated because people already have the CA certificate in their
browsers and they get confused and annoyed if we change our CA. At one point
I'll do that, also in order to get rid of the infamous "email" RDN and clean
up the extensions and also add a "ldap://" crlDistributionPoint.

> Dirmngr offers a workaround in additionally trying all the ldapserver
> in dirmngr_ldapservers.conf. Just configure your ldap server and base there.
>
> > It also takes
> > the famous (or infamous?) "Email" RDN and makes something strange out of
> > it, for instance, "Email=ca@rentec.com" becomes
> > "email=#63614072656E7465632E636F6D". It would be nice to have some kind
> > of (configurable) mapping between certificate DN's and ldap DN's.
>
> If we talk about the same (infamous) E-Mail RDN, then it should
> be noted that it is not recommended in current standards, but a hack.
> AFAIK the above should be a valid quoting, but Werner would know
> for sure. Anyway, new certificates should not use RDN anyway AFAIU.
>

Yes, I know, but these are not new certificates and in the past there was some
(broken?) SW which required that. Fortunately most of this broken stuff is
now obsolete and newer SW usually uses subjectAlternateName. At one point I
plan to clean up all of that.

> > Another problem is that dirmngr doesn't use the certs which gpgsm already
> > knows.
>
> I thought we had addressed that problem at some place.
> Maybe we didn't solve it for all cases.
> Certainly a thing to improve then.
>

O.k., here is what happens:

If I try to import a CRL for our CA in KGpgCertManager I get the following
from dirmngr:

An error occurred when trying to import the CRL file. The output from Dirmngr was: dirmngr[21306]: DBG: got host=monstertq.rentec.com, port=389, user=, pass=, base=dc=rentec,dc=com
dirmngr[21306]: DBG: digest algo: 1.2.840.113549.1.1.4
dirmngr[21306]: DBG: Inquiring 1.2.840.113549.1.9.1=#63614072656E7465632E636F6D,CN=Renaissance CA,O=Renaissance Technologies Corp.,ST=New York,C=US
dirmngr[21306]: Error in assuan_inquire(), rc = 3
dirmngr[21306]: DBG: No result from inquire
dirmngr[21306]: DBG: trying to fetch attr cACertificate;binary from "monstertq.rentec.com" / "1.2.840.113549.1.9.1=#63614072656E7465632E636F6D,CN=Renaissance CA,O=Renaissance Technologies Corp.,ST=New York,C=US"
dirmngr[21306]: DBG: Error in line ldap.c:120
Error during ldap_seach_st(): No such object (32)
dirmngr[21306]: DBG: dn="1.2.840.113549.1.9.1=#63614072656E7465632E636F6D,CN=Renaissance CA,O=Renaissance Technologies Corp.,ST=New York,C=US"
attr="cACertificate;binary"
dirmngr[21306]: error fetching certificate for issuer: rc=302
dirmngr[21306]: DBG: Could not cert CRL issuer cert!!!
dirmngr[21306]: DBG: crl_parse_insert CRL_SIG_ERROR


The ldap server (monstertq) reports:

May 15 13:36:16 monstertq slapd[5365]: [ID 848112 local4.debug] conn=94 fd=12 ACCEPT from IP=192.168.96.109:40129 (IP=0.0.0.0:389)
May 15 13:36:16 monstertq slapd[5365]: [ID 347666 local4.debug] conn=94 op=0 BIND dn="" method=128
May 15 13:36:16 monstertq slapd[5365]: [ID 217296 local4.debug] conn=94 op=0 RESULT tag=97 err=0 text=
May 15 13:36:16 monstertq slapd[5365]: [ID 902418 local4.debug] conn=94 op=1 SRCH base="email=#63614072656E7465632E636F6D,cn=Renaissance CA,o=Renaissance Technologies Corp.,st=New York,c=US" scope=0 filter="(objectClass=*)"
May 15 13:36:16 monstertq slapd[5365]: [ID 706578 local4.debug] conn=94 op=1 SRCH attr=cACertificate;binary
May 15 13:36:16 monstertq slapd[5365]: [ID 217296 local4.debug] conn=94 op=1 RESULT tag=101 err=32 text=
May 15 13:36:16 monstertq slapd[5365]: [ID 850449 local4.debug] conn=94 fd=12 closed

So it tries to look up this funny DN which obviously doesn't exist. BUT, the CA
certificate is already there. KGpgCertManager displays the certificate a
little bit differently, this is how the subject looks (all on one line):

CN=Renaissance CA,ST=New York,O=Renaissance Technologies Corp.,C=US,(EMail=ca@rentec.com)

Maybe it's KGpgCertmanager which is confused because it shows "(Email=...)"
instead of the OID?

-- 
Karsten.

"only wimps use backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it ;)" - linus torvalds
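As an added illustration, not from this thread or from dirmngr's own code: the Python below decodes the hex-quoted Email RDN from the log back to "ca@rentec.com", shows why a search for that DN under the base dc=rentec,dc=com can only return "No such object", and sketches the configurable DN-suffix mapping asked for above. The OID table, the remap function and the BER-tag handling are assumptions for this example, not a dirmngr feature.

```python
import re

# Dotted-decimal types seen in the log, mapped to their usual short names.
OID_NAMES = {"1.2.840.113549.1.9.1": "email"}
# ASN.1 string tags a '#hex' value starts with when it carries full BER
# (UTF8String, PrintableString, T61String, IA5String).
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}

def decode_value(raw: str) -> str:
    """Decode one RFC 2253 attribute value. RFC 2253 writes BER values as
    '#' + hex; the '#6361...' in the dirmngr log carries only the bare
    octets, so both the tagged and the bare form are accepted here."""
    if not raw.startswith("#"):
        return re.sub(r"\\(.)", r"\1", raw)  # unescape '\,' and friends
    octets = bytes.fromhex(raw[1:])
    if len(octets) >= 2 and octets[0] in STRING_TAGS and octets[1] == len(octets) - 2:
        octets = octets[2:]  # strip tag and short-form length
    return octets.decode("utf-8")

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, attribute names lowercased."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        attr = OID_NAMES.get(attr.strip(), attr.strip()).lower()
        pairs.append((attr, decode_value(value.strip())))
    return pairs

def format_dn(pairs) -> str:
    """Serialize pairs back to a DN string, escaping commas inside values."""
    return ",".join(f"{a}={v.replace(',', chr(92) + ',')}" for a, v in pairs)

def is_under_base(dn: str, base: str) -> bool:
    """True when the DN ends in the base, i.e. an LDAP search can find it."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def remap_suffix(dn: str, cert_suffix: str, ldap_base: str) -> str:
    """Hypothetical 'configurable mapping': swap a certificate DN suffix for
    the base the directory really uses, keeping the leading RDNs intact."""
    d, s = parse_dn(dn), parse_dn(cert_suffix)
    if len(d) < len(s) or d[len(d) - len(s):] != s:
        return dn  # suffix not present; leave the DN alone
    return format_dn(d[: len(d) - len(s)] + parse_dn(ldap_base))

# DN and base copied from the dirmngr log above.
CERT_DN = ("1.2.840.113549.1.9.1=#63614072656E7465632E636F6D,CN=Renaissance CA,"
           "O=Renaissance Technologies Corp.,ST=New York,C=US")
LDAP_BASE = "dc=rentec,dc=com"
```

Calling `is_under_base(CERT_DN, LDAP_BASE)` is false, which is the err=32 in the slapd log; after `remap_suffix` with the O/ST/C suffix mapped to the base, the same check passes.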
