pkcs11_login and ldap mapper


pkcs11_login and ldap mapper

Dominik Fischer
Hello!
I've seen pam_opensc is gone and pkcs11_login is the successor. But
there's no mapper for ldap. Is someone working on this?

If not: I would start writing a mapper for ldap, because I need it
urgently.

Kind regards
Dominik Fischer
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: pkcs11_login and ldap mapper

Jonsy (teleline)
On Tue, 23-08-2005 at 09:39 +0000, Dominik Fischer wrote:
> Hello!
> I've seen pam_opensc is gone and pkcs11_login is the successor. But
> there's no mapper for ldap. Is someone working on this?

Afaik no.
My priority is join most of mappers into a big one,
and merge code with incoming libp11

> If not: I would start writing a mapper for ldap, because I need it
> urgently.

You're welcome :-)
Juan Antonio


Re: pkcs11_login and ldap mapper

Dominik Fischer
Hello Juan,

On 23.8.2005 "Jonsy (teleline)" <[hidden email]> wrote:

>On Tue, 23-08-2005 at 09:39 +0000, Dominik Fischer wrote:
>> Hello!
>> I've seen pam_opensc is gone and pkcs11_login is the successor. But
>> there's no mapper for ldap. Is someone working on this?
>
>Afaik no.
>My priority is join most of mappers into a big one,
>and merge code with incoming libp11

Does that have any impact on my source, or is the description (API) for
writing mappers (as described in mapper.h and generic_mapper.c) still valid?

>
>> If not: I would start writing a mapper for ldap, because I need it
>> urgently.
>
>You're wellcomed :-)
>Juan Antonio

Re: pkcs11_login and ldap mapper

Jonsy (teleline)
On Tue, 23-08-2005 at 11:26 +0000, Dominik Fischer wrote:
> Hello Juan,

> >Afaik no.
> >My priority is join most of mappers into a big one,
> >and merge code with incoming libp11
> Does that have any impact on my source, or is the description
> (API) for writing mappers (as described in mapper.h and
> generic_mapper.c) still valid?

Expected yes; it should still be valid.

The only noticeable change in mapper API is that mapper_module_init()
should make real use of second argument (the name of the mapper) to
distinguish which mapping scheme to use and set up function pointers

In fact, several mappers should be kept as standalone ones...

Integrating with libp11 should only affect p11 related files:
cert_vfy.c, cert_info.c, and pkcs11.c

Cheers
Juan Antonio


Re: pkcs11_login and ldap mapper

Andreas Jellinghaus-2
On Tuesday 23 August 2005 11:39, Dominik Fischer wrote:
> I've seen pam_opensc is gone and pkcs11_login is the successor. But
> there's no mapper for ldap. Is someone working on this?
>
> If not: I would start writing a mapper for ldap, because I need it
> urgently.

oops, sorry, I thought pam_pkcs11 included one.
you can still use opensc 0.9.6 and pam_opensc.
also shouldn't be hard to link that pam module
with latest opensc.

Andreas

Re: pkcs11_login and ldap mapper

Dominik Fischer
Is the CA certificate only obtained from "ca_dir", or is there a way to
check the signature with a CA certificate retrieved from an LDAP server,
like pam_opensc did?

On Tuesday, 23.08.2005, 14:01 +0200, Jonsy (teleline) wrote:

> On Tue, 23-08-2005 at 11:26 +0000, Dominik Fischer wrote:
> > Hello Juan,
>
> > >Afaik no.
> > >My priority is join most of mappers into a big one,
> > >and merge code with incoming libp11
> > Does that have any impact on my source, or is the description
> > (API) for writing mappers (as described in mapper.h and
> > generic_mapper.c) still valid?
>
> Expected yes; it should still be valid.
>
> The only noticeable change in mapper API is that mapper_module_init()
> should make real use of second argument (the name of the mapper) to
> distinguish which mapping scheme to use and set up function pointers
>
> In fact, several mappers should be kept as standalone ones...
>
> Integrating with libp11 should only affect p11 related files:
> cert_vfy.c, cert_info.c, and pkcs11.c
>
> Cheers
> Juan Antonio


Re: pkcs11_login and ldap mapper

Jonsy (teleline)
On Sat, 27-08-2005 at 19:20 +0200, Dominik Fischer wrote:
> Is the CA certificate only obtained from "ca_dir", or is there a way to
> check the signature with a CA certificate retrieved from an LDAP server,
> like pam_opensc did?

You have the code in common/cert_vrfy.c::verify_certificate()

At this moment, ca_dir is hard-wired to the local filesystem, but no real
reason to retrieve it from a URI by means of the curl library...

Another task to do :-(

Cheers
Juan Antonio


Re: Re: pkcs11_login and ldap mapper

Dominik Fischer
Hi,

I've got a first, almost working version of the ldap-mapper. I get a
certificate from the LDAP server, but the comparison is not finished yet:

I think comparing the digest of the two certificates will do it, or what
do you think?

Regards,
Dominik Fischer


Re: Re: pkcs11_login and ldap mapper

Andreas Jellinghaus-2
On Sunday 28 August 2005 23:15, Dominik Fischer wrote:
> Hi,
>
> I've got a first, almost working version of the ldap-mapper. I get a
> certificate from the LDAP server, but the comparison is not finished yet:
>
> I think comparing the digest of the two certificates will do it, or what
> do you think?

X509_cmp does that.

Normally comparing certificates by hash would be fine, but
cryptographers consider md5 and sha1 broken ...

You can still do that (most criminals will rather punch you
and break your bones rather than use a supercomputer to
find a bogus certificate), so I don't think the threat level
is high for most users.

But why not extract the public keys and match those?
for authentication you need to have the public key anyway
for verifying the signature. Might be a nice option.

Regards, Andreas
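The two checks discussed in this thread, the ca_dir-style chain verification that Juan Antonio points to in verify_certificate() and the three ways of matching the card certificate against the LDAP copy (X509_cmp-style equality, a digest, or the public key as Andreas suggests), as one added example. This is not code from the thread or from pam_pkcs11/pkcs11_login; it is written in Go against the standard library so it runs offline, and the CA names, the user name "dominik", the serial numbers and the function names are constructed for illustration and are not the mapper API described in mapper.h. It also shows the caveat a mapper author needs: a public-key match alone says nothing about who issued the certificate, so it must sit behind the CA check, never replace it.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs a certificate for pub. With issuer == nil the result is a
// self-signed CA, otherwise issuer/issuerKey are the signing CA.
// (Constructed test PKI for this example only.)
func issue(cn string, serial int64, pub *ecdsa.PublicKey, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// VerifyAgainstCA is the ca_dir-style check: the card certificate must chain
// to a trusted root, regardless of what the LDAP lookup returned.
func VerifyAgainstCA(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// SameCertificate is byte-for-byte DER equality, the verdict X509_cmp gives
// for two identical encodings.
func SameCertificate(a, b *x509.Certificate) bool { return bytes.Equal(a.Raw, b.Raw) }

// CertDigest is a SHA-256 fingerprint of the DER for hash-based matching
// (use this rather than MD5 or SHA-1).
func CertDigest(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// SamePublicKey matches on the subject public key alone, so a renewed
// certificate carrying the same key still maps to the same user.
func SamePublicKey(a, b *x509.Certificate) bool {
	pk, ok := a.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	return ok && pk.Equal(b.PublicKey)
}

// Scenario holds constructed certificates standing in for the token and
// the directory entries.
type Scenario struct {
	Roots    *x509.CertPool
	CA       *x509.Certificate
	Card     *x509.Certificate // read from the token
	Reissued *x509.Certificate // renewal in LDAP: same key, new serial
	Foreign  *x509.Certificate // same key, but issued by an untrusted CA
}

func BuildScenario() *Scenario {
	caKey, rogueKey, userKey := newKey(), newKey(), newKey()
	ca := issue("Example Root CA", 1, &caKey.PublicKey, nil, caKey, true)
	rogue := issue("Rogue CA", 1, &rogueKey.PublicKey, nil, rogueKey, true)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Scenario{Roots: roots, CA: ca,
		Card:     issue("dominik", 100, &userKey.PublicKey, ca, caKey, false),
		Reissued: issue("dominik", 101, &userKey.PublicKey, ca, caKey, false),
		Foreign:  issue("dominik", 100, &userKey.PublicKey, rogue, rogueKey, false)}
}

func main() {
	s := BuildScenario()
	fmt.Println("reissued matches by DER:", SameCertificate(s.Card, s.Reissued))
	fmt.Println("reissued matches by key:", SamePublicKey(s.Card, s.Reissued))
	fmt.Println("foreign matches by key: ", SamePublicKey(s.Card, s.Foreign))
	fmt.Println("foreign chains to CA:   ", VerifyAgainstCA(s.Foreign, s.Roots) == nil)
}
```

The renewed certificate fails the DER and digest comparisons but passes the public-key match, which is the case Andreas's suggestion handles. The "foreign" certificate shows why the key match cannot stand alone: anyone can wrap a known public key in a certificate signed by their own CA, so the mapper's answer is only meaningful after VerifyAgainstCA has accepted the chain.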