How to store a Keystore using userPKCS12 in LDAP?

Problem description

I got a java keystore which I want to store in LDAP using userPKCS12 attribute. I already transferred the JKS keystore to PKCS12

keytool -importkeystore -srckeystore /opt/tomcat/conf/.keystore -destkeystore /tmp/tomcat.p12 -deststoretype PKCS12

How do I proceed to finally get the entries of this keystore into my LDIF-file?

dn: cn=$name,$cn
objectClass: top
objectClass: inetorgPerson
description: $name
cn: $name
sn: $name
userPKCS12;binary:: MIIQoAIBAzCCEFoGCSqGSIb3DQEHAaCCEEsEghBHMIIQQzCCCfAGCSqGSIb3DQEH
 AaCCCeEEggndMIIJ2TCCCdUGCyqGSIb3DQEMCgECoIIJgjCCCX4wKAYKKoZIhvcN
 AQwBAzAaBBQJgfNb/kt83JjEL34s/vE5pFjL0wICBAAEgglQ0DQ23QhylRz4uvMr
 lleD94JSA6hdpLjsee3zxqxsPXgyz1CtsY159vw4F6rSHeSDaILve8g2w/nA0KPH
 V/QbsbAU6/g8tvqBGbbLJFbe20m9ZhAOeohPdLzT54SViJ8b3VvZf5rWCidUaYQu
 7yNqjkXAbuezRxf3TMEuR9BNQV+DWLjvNmiMGN3b1rQ0jFZHKk1VJnb6OUn63UUT
 dRun7OUdi9zR4WM7yKy0VNmC3xaI630PABibIACMdGaQGprQM6HrchkxP2M3D5jm
 8UwCkEYazd7eKyKiAEEMnK5o3nKYWbd+NmELssendiEoi3ztrLTZnEdIwUc9wA3/
 yJgcptUjzbh/2NwKdyO21Snj9iGWyw90KqI3hfL1HqiYKjF+sZ9nudxFLwbmYi0Y
.....

Gives this error:

ldapadd -h 10.1.0.99 -D cn=Directory\ Manager -w - -f action.ldif
Enter bind password: 
adding new entry cn=abcd,dc=Example,dc=com
ldap_add: Undefined attribute type
ldap_add: additional info: Entry cn=abcd,dc=Example,dc=com can not be added because BER encoding of userPKCS12 attribute is not supported

Solutions for bash scripts are preferred.

Thanks and regards,

Daniel

Recommended answer

Binary data in LDIF

Binary data in LDIF files is simply Base64 encoded (see RFC 2849):

userPKCS12:: MIIJtgIBAzCCCXAGCSqGSIb3DQEHAaCCCWEEggldMIIJWTCCBW4GCSqGSIb3DQEHA
 CCBV8EggVbMIIFVzCCBVMGCyqGSIb3DQEMCgECoIIE+jCCBPYwKAYKKoZIhvcNAQwBAzAaBBT3WG
 ...

RFC 2849 explicitly states that line breaks are not required:

10) When an attrval-spec, distinguishedName, or rdn is base64-encoded, the encoding rules specified in [5] are used with the following exceptions: a) The requirement that base64 output streams must be represented as lines of no more than 76 characters is removed. Lines in LDIF files may only be folded according to the folding rules described in note 2, above.

That being said, I have never seen an LDIF file where long lines were not folded. So, it might be a good idea to add line breaks after 76 characters anyway, just for compatibility reasons.

Rules for folding lines in LDIF are:

2) Any non-empty line, including comment lines, in an LDIF file MAY be folded by inserting a line separator (SEP) and a SPACE. Folding MUST NOT occur before the first character of the line. In other words, folding a line into two lines, the first of which is empty, is not permitted. Any line that begins with a single space MUST be treated as a continuation of the previous (non-empty) line. When joining folded lines, exactly one space character at the beginning of each continued line must be discarded. Implementations SHOULD NOT fold lines in the middle of a multi-byte UTF-8 character.

Reference to an external file

Binary data does not necessarily have to be included in the LDIF file as a Base64 string. Instead a reference to an external file can be used. Example from RFC 2849:

jpegphoto:< file:///usr/local/directory/photos/fiona.jpg

The transfer option ";binary"

The binary option ";binary" is specified in RFC 4522; it affects the transfer of data between LDAP client and server (not the storage on the LDAP server). When it is set, the attribute is encoded according to the Basic Encoding Rules (BER).

Whether ";binary" is required for "userPKCS12" depends on the LDAP server. For example with OpenLDAP ";binary" does not work, because the syntax of "userPKCS12" is binary (and not a special syntax for PKCS#12).

Converting binary data to Base64

There are many ways to convert the PKCS#12 file to Base64, and you did not say whether you have to do this programmatically or with command line tools. Some options are:

  • OpenSSL: openssl enc -e -base64 -in tomcat.p12 -out tomcat.b64
  • Java with Bouncy Castle: Base64.encode()
  • Some LDAP servers like Sun Directory Server, 389 or RedHat Directory Server include a command line tool named "ldif" that does exactly what you want: ldif -b "userPKCS12" < tomcat.p12 >> p12.ldif
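The encoding and folding rules from the answer above, as an added bash example that is not part of the original question or answer: it emits a `userPKCS12::` attribute (no `;binary`, as the answer recommends for servers that reject BER transfer) folded per RFC 2849 note 2, then unfolds and decodes it again to show the folding is lossless. It assumes GNU coreutils on Linux (`base64 -d`); the 300-byte sample file stands in for tomcat.p12 and is constructed, not a real keystore.

```shell
#!/bin/sh
# Added example, not from the original question or answer: build an RFC 2849
# LDIF attribute for a binary value (base64 with the "::" marker, folded so no
# physical line exceeds 76 characters) and prove the folding round-trips.
# Assumes GNU coreutils on Linux (base64 -d); the sample file is constructed.

# ldif_binary_attr ATTR FILE -> "ATTR:: <base64>", folded per RFC 2849 note 2:
# the value is folded at 75 columns and each continuation line gets exactly one
# leading SPACE, so every physical line is at most 76 characters.
ldif_binary_attr() {
    printf '%s:: %s\n' "$1" "$(base64 < "$2" | tr -d '\n')" \
        | fold -w 75 \
        | sed '2,$s/^/ /'
}

# ldif_unfold: join folded lines the way an LDIF reader does, dropping the one
# SPACE that starts each continuation line (stdin -> stdout).
ldif_unfold() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# ldif_decode_attr: strip "ATTR:: " from an unfolded line and decode the value.
ldif_decode_attr() {
    sed 's/^[^:]*:: //' | base64 -d
}

# roundtrip_ok FILE: succeeds when encode -> unfold -> decode reproduces FILE.
roundtrip_ok() {
    tmp=$(mktemp)
    ldif_binary_attr userPKCS12 "$1" | ldif_unfold | ldif_decode_attr > "$tmp"
    if cmp -s "$1" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# max_line_len FILE: length of the longest physical line (checks the fold).
max_line_len() {
    awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Constructed stand-in for tomcat.p12: 300 random bytes, not a real keystore.
SAMPLE=$(mktemp)
head -c 300 /dev/urandom > "$SAMPLE"
ldif_binary_attr userPKCS12 "$SAMPLE"   # the lines to paste into the LDIF entry
```

The printed lines can be appended to the entry in place of the `userPKCS12;binary::` line from the question; `ldif_unfold` is also handy for checking what the server will actually receive.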
