Gnus development mailing list
From: Ulf Stegemann <ulf@zeitform.de>
Cc: ding@gnus.org, Simon Josefsson <simon@josefsson.org>
Subject: Re: ldap cert retrieval and pem encoding
Date: Fri, 27 May 2005 17:58:20 +0200	[thread overview]
Message-ID: <zf.upnacmgpso3.fsf@zeitform.de> (raw)
In-Reply-To: <87wtpkbzyz.fsf@arnested.dk> (Arne Jørgensen's message of "Fri, 27 May 2005 00:31:14 +0200")

Arne Jørgensen <arne@arnested.dk> wrote:

> Ulf Stegemann <ulf@zeitform.de> writes:
>
>> XEmacs 21.4 (patch 17) "Jumbo Shrimp" [Lucid] (i686-pc-linux, Mule), 
>> No Gnus v0.4
>>
>> The ldap server I use stores s/mime certificates either in DER or in PEM
>> format.  smime-ldap retrieves only DER encoded certificates correctly.  PEM
>> encoded certificates are fetched, too, but the resulting tmp file/buffer does
>> not contain the correct cert only something that looks like a cert.

[...]

> Was this with or without the patch i posted here some weeks ago?
> <http://article.gmane.org/gmane.emacs.gnus.general/60203>

I tried it only with the patch.

> I've read somewhere that certificates published via LDAP _should_
> always be in DER format. But your LDAP server is probably not the only
> server out there delivering in PEM format so we should maybe support
> this anyway.
>
> Is there some way to identify that the certificate is in PEM format?

The only way to tell if the certificate is PEM encoded is to look at the
certificate itself ...

> Could you try to issue a command line like:
>
> ldapsearch -x -t -h LDAPSERVER -b SEARCHBASE "mail=your@address.com" "userCertificate"
>
> and have a look at whether the userCertificate attribute is reported
> as userCertificate or userCertificate;binary?

... as every certificate is delivered as userCertificate;binary and no other
field indicates the kind of encoding.

> And look whether the retrieved certificate contains the PEM header and
> footer? (-----BEGIN CERTIFICATE-----)

Certificates from the ldap do contain the '-----BEGIN CERTIFICATE-----' and
'-----END CERTIFICATE-----' lines.

I do not know what the intent of the guys running the ldap server is in storing
certificates in different encodings.  I was asked to provide my certificate
PEM encoded, but I presume that the encoding demanded depends on the
ldap admin I talk to.

Anyway, the main purpose for the ldap provided certificates is to allow
Outlook users (and to a lesser degree Mozilla Mail/Thunderbird users) to
encrypt/verify mail.  Therefore, I think that any certificate recognized by
Outlook -- be it DER or PEM encoded, be it with or without
'-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines, be it
as userCertificate or userCertificate;binary -- will possibly appear in
ldap servers out there.  I think it would be useful to know which kind of
data Outlook (Mozilla Mail/Thunderbird) could handle to find out what could
happen in the wild.  However, I'm not familiar with Outlook and will
most likely never be.  Someone else?


Ulf
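
[Added example, not part of the original thread and not Gnus's smime-ldap
code.  The discussion above establishes that the attribute name does not
reveal the encoding (everything arrives as userCertificate;binary) and that
the only way to tell PEM from DER is to inspect the value itself.  The
Python below does exactly that on the value of an LDIF attribute line as
ldapsearch prints it: "attr:: xxx" is a base64 value, so a PEM certificate
stored on the server shows up as base64 of the PEM text, and a DER one as
base64 of the DER bytes.  After decoding the LDIF layer it sniffs the PEM
header or the outer ASN.1 SEQUENCE tag (0x30), normalizes PEM to DER, and
rejects values whose outer length does not cover the blob.  Assumptions:
the sample "certificate" is a constructed five-byte DER SEQUENCE, not a real
certificate; ldif_value is a hypothetical helper that expects LDIF
continuation lines to have been unfolded already.]

```python
import base64
import re

# Constructed sample, NOT a real certificate: DER SEQUENCE { INTEGER 5 }.
# Enough to exercise the tag/length checks below; a real userCertificate
# value would be the full X.509 DER.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

# Constructed LDIF attribute lines in the shape ldapsearch prints them:
# '::' means the value is base64-encoded (always the case for ;binary).
LDIF_DER_LINE = b"userCertificate;binary:: " + base64.b64encode(SAMPLE_DER)
LDIF_PEM_LINE = b"userCertificate;binary:: " + base64.b64encode(SAMPLE_PEM)

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL)


def ldif_value(line: bytes) -> bytes:
    """Hypothetical helper: raw value of one (already unfolded) LDIF
    attribute line.  'attr:: xxx' is base64, 'attr: xxx' is literal."""
    _name, sep, rest = line.partition(b":")
    if not sep:
        raise ValueError("not an LDIF attribute line")
    if rest.startswith(b":"):
        return base64.b64decode(rest[1:].strip(), validate=True)
    return rest.strip()


def detect_encoding(blob: bytes) -> str:
    """Sniff the value itself; the attribute name carries no encoding hint."""
    s = blob.lstrip()
    if s.startswith(PEM_HEADER):
        return "pem"
    if s[:1] == b"\x30":   # DER: Certificate ::= SEQUENCE, tag 0x30
        return "der"
    return "unknown"


def der_outer_length_ok(der: bytes) -> bool:
    """True if the outer SEQUENCE length covers exactly the whole blob.
    Catches truncated or trailing-garbage values before they reach a
    parser."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long form: 0x8N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr = 2 + n
        length = int.from_bytes(der[2:hdr], "big")
    return hdr + length == len(der)


def to_der(blob: bytes) -> bytes:
    """Normalize a PEM or DER certificate value to DER; refuse anything else."""
    kind = detect_encoding(blob)
    if kind == "der":
        der = blob
    elif kind == "pem":
        m = PEM_RE.search(blob)
        if m is None:
            raise ValueError("PEM header without matching footer")
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        raise ValueError("value is neither PEM nor DER")
    if not der_outer_length_ok(der):
        raise ValueError("outer DER SEQUENCE length does not match the blob")
    return der


def certificate_from_ldif(line: bytes) -> bytes:
    """LDIF attribute line -> DER bytes, whichever encoding the server used."""
    return to_der(ldif_value(line))


if __name__ == "__main__":
    for line in (LDIF_DER_LINE, LDIF_PEM_LINE):
        print(detect_encoding(ldif_value(line)), certificate_from_ldif(line).hex())
```

The point of validating the outer length rather than just stripping the PEM
armor: a value that "looks like a cert" (as in the original report) may
still be a PEM body with a stray line or a truncated DER blob, and feeding
it to openssl or to a temp file only produces a confusing error later.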



Thread overview: 18+ messages
2005-05-24 10:02 Ulf Stegemann
2005-05-24 14:18 ` Simon Josefsson
2005-05-26 22:31 ` Arne Jørgensen
2005-05-26 22:31 ` Arne Jørgensen
2005-05-27 15:58   ` Ulf Stegemann [this message]
2005-05-28 11:30     ` Arne Jørgensen
2005-05-28 11:53       ` Simon Josefsson
2005-05-30  8:39         ` Ulf Stegemann
2005-05-30  8:48           ` Arne Jørgensen
2005-05-31  9:33       ` Arne Jørgensen
2005-05-31 11:21         ` Ulf Stegemann
2005-05-31 11:29           ` Simon Josefsson
2005-05-31 11:48             ` Reiner Steib
2005-05-31 12:59               ` Arne Jørgensen
2005-05-31 12:01             ` Ulf Stegemann
2005-05-31 12:07               ` Simon Josefsson
2005-05-31 12:57           ` Arne Jørgensen
2005-05-31 13:13             ` Simon Josefsson
