Gnus development mailing list
From: "Arne Jørgensen" <arne@arnested.dk>
Cc: ding@gnus.org, Simon Josefsson <simon@josefsson.org>
Subject: Re: ldap cert retrieval and pem encoding
Date: Sat, 28 May 2005 13:30:28 +0200	[thread overview]
Message-ID: <874qcnh9kb.fsf@arnested.dk>
In-Reply-To: <zf.upnacmgpso3.fsf@zeitform.de> (Ulf Stegemann's message of "Fri, 27 May 2005 17:58:20 +0200")

Ulf Stegemann <ulf@zeitform.de> writes:

> Arne Jørgensen <arne@arnested.dk> wrote:
>
>> Was this with or without the patch I posted here some weeks ago?
>> <http://article.gmane.org/gmane.emacs.gnus.general/60203>
>
> I tried it only with the patch.

OK. Then the world makes sense again.

>> I've read somewhere that certificates published via LDAP _should_
>> always be in DER format. But your LDAP server is probably not the only
>> server out there delivering in PEM format so we should maybe support
>> this anyway.
>>
>> Is there some way to identify that the certificate is in PEM format?
>
> The only way to tell if the certificate is PEM encoded is to look at the
> certificate itself ...
>
>> Could you try to issue a command line like:
>>
>> ldapsearch -x -t -h LDAPSERVER -b SEARCHBASE "mail=your@address.com" "userCertificate"
>>
>> and have a look at whether the userCertificate attribute is reported
>> as userCertificate or userCertificate;binary?
>
> ... as every certificate is delivered as userCertificate;binary and no other
> field indicates the kind of encoding.
>
>> And look whether the retrieved certificate contains the PEM header and
>> footer? (-----BEGIN CERTIFICATE-----)
>
> Certificates from the ldap do contain the '-----BEGIN CERTIFICATE-----' and
> '-----END CERTIFICATE-----' lines.
>
> I do not know what the intent of the guys running the ldap server is in
> storing certificates in different encodings.  I was asked to provide my certificate
> PEM encoded but I presume that the encoding demanded is dependent on the
> ldap admin I talk to.
>
> Anyway, the main purpose for the ldap provided certificates is to allow
> Outlook users (and to a lesser degree Mozilla Mail/Thunderbird users) to
> encrypt/verify mail.  Therefore, I think that any certificate recognized by
> Outlook -- be it DER or PEM encoded, be it with or without
> '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines, be it
> as userCertificate or userCertificate;binary -- will possibly appear in
> ldap servers out there.  I think it would be useful to know which kind of
> data Outlook (Mozilla Mail/Thunderbird) could handle to find out what could
> happen in the wild.  However, I'm not familiar with Outlook and will
> most likely never be.  Someone else?

I have no idea what Outlook expects either.

What we could do in Gnus is:

1. If it contains "-----BEGIN CERTIFICATE-----" it is in PEM-format.

2. Otherwise try to base64-decode it and if that succeeds also assume
   it is in PEM-format.

3. Finally decide it must be in DER-format.

This shouldn't be difficult to implement. I have time to make an
implementation on Tuesday.

Kind regards,
-- 
Arne Jørgensen <http://arnested.dk/>
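The three-step detection sketched in the message above, as an added example
that is not code from Gnus or from Arne's implementation (it is written in
Python for illustration rather than in Emacs Lisp). The sample inputs are
constructed: SAMPLE_DER is a stand-in DER SEQUENCE, not a real X.509
certificate, and the PEM and bare-base64 variants are derived from it. The
example also shows the caveat a practitioner would want on step 2: Python's
default base64 decoder discards bytes outside the base64 alphabet, so raw DER
can appear to "base64-decode"; the detector therefore uses a strict decoder
and checks that every candidate is a single DER SEQUENCE of the right length
before accepting it.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# PEM armour as it appeared in the LDAP attribute; the body may be line-wrapped.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed stand-in for a DER certificate (NOT a real X.509 certificate):
# SEQUENCE (long-form length, 2 octets) { OCTET STRING (short-form length) of 127 'A' }.
# 127 rather than 128 so that the base64-alphabet bytes in it ('0' + 127 * 'A')
# number 128, a multiple of 4, which a lenient base64 decoder will accept.
SAMPLE_DER = b"\x30\x82\x00\x81" + b"\x04\x7f" + b"A" * 127
# The same value in the two non-DER shapes discussed in the thread.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)
SAMPLE_BARE_B64 = base64.b64encode(SAMPLE_DER)


def _strict_b64(raw: bytes) -> Optional[bytes]:
    """Decode base64 after dropping line breaks; None unless every byte is in the alphabet."""
    try:
        return base64.b64decode(b"".join(raw.split()), validate=True)
    except binascii.Error:
        return None


def lax_base64_decodes(raw: bytes) -> bool:
    """Step 2 taken literally with Python's default (lenient) decoder.

    Lenient decoders discard bytes outside the base64 alphabet before decoding,
    so raw DER can 'succeed' and yield garbage; do not use this as the test.
    """
    try:
        base64.b64decode(raw)
        return True
    except binascii.Error:
        return False


def looks_like_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE TLV: tag 0x30 and a length that
    accounts for every remaining byte. An X.509 Certificate is a SEQUENCE, so
    this catches a mis-detected encoding without a full ASN.1 parser."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        length, header = first, 2
    else:                                 # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        header = 2 + n
    return header + length == len(data)


def normalize_certificate(raw: bytes) -> Tuple[str, bytes]:
    """Classify a userCertificate value and return (format, der_bytes).

    1. PEM armour present  -> 'pem': decode the armoured body.
    2. Else strict base64  -> 'base64': decode the whole value.
    3. Else                -> 'der': use the bytes as they are.
    Every candidate must pass looks_like_der_sequence, otherwise fall through.
    """
    candidates = []
    m = PEM_RE.search(raw)
    if m:
        candidates.append(("pem", _strict_b64(m.group(1))))
    else:
        candidates.append(("base64", _strict_b64(raw)))
        candidates.append(("der", raw))
    for fmt, der in candidates:
        if der is not None and looks_like_der_sequence(der):
            return fmt, der
    raise ValueError("value is not a PEM, base64 or DER encoded certificate")


if __name__ == "__main__":
    for label, value in (("pem", SAMPLE_PEM), ("bare base64", SAMPLE_BARE_B64), ("der", SAMPLE_DER)):
        fmt, der = normalize_certificate(value)
        print(f"{label:12s} -> detected {fmt}, {len(der)} DER bytes, ok={der == SAMPLE_DER}")
    print("lenient base64 accepts raw DER:", lax_base64_decodes(SAMPLE_DER))
```

The structural check is deliberately shallow: it only confirms that the
bytes form one well-delimited SEQUENCE, which is enough to reject a wrongly
chosen decoding; whether the contents are a valid certificate is left to the
real X.509 parser that consumes the DER afterwards.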




Thread overview: 18+ messages
2005-05-24 10:02 Ulf Stegemann
2005-05-24 14:18 ` Simon Josefsson
2005-05-26 22:31 ` Arne Jørgensen
2005-05-26 22:31 ` Arne Jørgensen
2005-05-27 15:58   ` Ulf Stegemann
2005-05-28 11:30     ` Arne Jørgensen [this message]
2005-05-28 11:53       ` Simon Josefsson
2005-05-30  8:39         ` Ulf Stegemann
2005-05-30  8:48           ` Arne Jørgensen
2005-05-31  9:33       ` Arne Jørgensen
2005-05-31 11:21         ` Ulf Stegemann
2005-05-31 11:29           ` Simon Josefsson
2005-05-31 11:48             ` Reiner Steib
2005-05-31 12:59               ` Arne Jørgensen
2005-05-31 12:01             ` Ulf Stegemann
2005-05-31 12:07               ` Simon Josefsson
2005-05-31 12:57           ` Arne Jørgensen
2005-05-31 13:13             ` Simon Josefsson
