Thierry Van Doninck <Thi...@de...> wrote:
> Hi,
>
> Has anyone ever tried (and succeeded) to retrieve X509 certificates from
> a directory using Net::LDAP?
>
> I tried doing this and get back a string saying:
>
> usercertificate:{ASN1}.....
>
> How could I exploit this?
>
> I would greatly appreciate any help / examples / advice.
>
> Thanx.
>
> Thierry
>
Yes, I have.
Have you looked in the Net::LDAP::FAQ? It tells you about storing them,
which might give enough clues to work out how to read them back.
-----------
Using X.509 certificates.
How do I store X.509 certificates in the directory?
The first problem here is that there are many different
formats to hold certificates in, for example PEM, DER,
PKCS#7 and PKCS#12. The directory *only* uses the DER
format (more correctly, it only uses the BER format) which
is a binary format.
Your first job is to ensure that your certificates are
therefore in DER/BER format. You could use OpenSSL to
convert from PEM like this:
    openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der
Consult the OpenSSL documentation to find out how to
perform other conversions.
To add a certificate to the directory, just slurp in the
DER/BER certificate into a scalar variable, and add it to
the entry's userCertificate attribute. How you do that
will depend on which version of LDAP you are using.
To slurp in the certificate try something like this:
    my $cert;
    {
        local $/ = undef;          # Slurp mode: read the whole file at once
        open CERT, "cert.der" or die "cert.der: $!";
        binmode CERT;              # DER is binary: no newline translation
        $cert = <CERT>;
        close CERT;
    }
    # The certificate is now in $cert
For LDAPv2, because most directory vendors ignore the
string representation of certificates defined in RFC 1778,
you should add this value to the directory like this:
    use Net::LDAP::Util qw(ldap_error_name);   # for ldap_error_name below
    $res = $ldap->modify("cn=My User, o=My Company,c=XY",
                         add => [
                             'userCertificate' => [ $cert ]
                         ]);
    die "Modify failed (" . ldap_error_name($res->code) . ")\n"
        if $res->code;
For LDAPv3, you must do this instead:
    $res = $ldap->modify("cn=My User, o=My Company, c=XY",
                         add => [
                             'userCertificate;binary' => [ $cert ]
                         ]);
    die "Modify failed (" . ldap_error_name($res->code) . ")\n"
        if $res->code;
Of course, the entry you are trying to add the certificate
to must use object classes that permit the userCertificate
attribute, otherwise the modify will fail with an object
class violation error. The inetOrgPerson structural object
class permits userCertificates, as does the
strongAuthenticationUser auxiliary object class. Others
might also.
-----------
Cheers,
Chris
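Reading the certificate back out of the directory, as an added Perl example that is not from the FAQ or from either poster: the host, bind DN, password, base DN and cn are placeholders, and it relies on Net::LDAP's get_value returning the raw attribute bytes (the DER) rather than a printable rendering, so the value can be written straight to a .der file or base64-wrapped into PEM.

```perl
# Added example, not from the Net::LDAP FAQ or this thread: read the
# userCertificate back out and save it as DER and PEM. Host, bind DN,
# password, base DN and cn are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(ldap_error_name);
use MIME::Base64 qw(encode_base64);
my $ldap = Net::LDAP->new('ldap.example.com', version => 3)
    or die "Cannot connect: $@\n";
my $res = $ldap->bind('cn=reader,o=My Company,c=XY', password => 'secret');
die "Bind failed (" . ldap_error_name($res->code) . ")\n" if $res->code;

# Ask for both spellings: LDAPv3 servers answer with userCertificate;binary
$res = $ldap->search(
    base   => 'o=My Company,c=XY',
    filter => '(cn=My User)',
    attrs  => [ 'userCertificate;binary', 'userCertificate' ],
);
die "Search failed (" . ldap_error_name($res->code) . ")\n" if $res->code;
foreach my $entry ($res->entries) {
    my $n = 0;
    for my $attr ('userCertificate;binary', 'userCertificate') {
        # get_value hands back the raw DER bytes, not the {ASN1} text
        for my $der ($entry->get_value($attr)) {
            $n++;
            # a DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30
            if (substr($der, 0, 1) ne "\x30") {
                warn "value $n of ", $entry->dn, " is not DER, skipped\n";
                next;
            }
            open my $fh, '>', "cert-$n.der" or die "cert-$n.der: $!";
            binmode $fh;      # raw bytes, no newline translation
            print $fh $der;
            close $fh;
            open $fh, '>', "cert-$n.pem" or die "cert-$n.pem: $!";
            print $fh der_to_pem($der);
            close $fh;
        }
    }
}

# Wrap the base64 of the DER in PEM armour, 64 characters per line
sub der_to_pem {
    my $b64 = encode_base64($_[0], '');
    return "-----BEGIN CERTIFICATE-----\n"
         . join("\n", $b64 =~ /(.{1,64})/g) . "\n"
         . "-----END CERTIFICATE-----\n";
}
```

The resulting cert-1.der can be checked with `openssl x509 -inform DER -in cert-1.der -noout -subject`, the inverse of the conversion the FAQ shows.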