How to store a keystore using userPKCS12 in LDAP?

I have a Java keystore that I want to store in LDAP using the userPKCS12 attribute. I have already converted the JKS keystore to PKCS12:

keytool -importkeystore -srckeystore /opt/tomcat/conf/.keystore -destkeystore /tmp/tomcat.p12 -deststoretype PKCS12

How do I proceed to get the entries of this keystore into my LDIF file?

dn: cn=$name,$cn
objectClass: top
objectClass: inetorgPerson
description: $name
cn: $name
sn: $name
userPKCS12;binary:: MIIQoAIBAzCCEFoGCSqGSIb3DQEHAaCCEEsEghBHMIIQQzCCCfAGCSqGSIb3DQEH
 AaCCCeEEggndMIIJ2TCCCdUGCyqGSIb3DQEMCgECoIIJgjCCCX4wKAYKKoZIhvcN
.....

I get this error:

ldapadd -h 10.1.0.99 -D cn=Directory\ Manager -w - -f action.ldif
Enter bind password: 
adding new entry cn=abcd,dc=Example,dc=com
ldap_add: Undefined attribute type
ldap_add: additional info: Entry cn=abcd,dc=Example,dc=com can not be added because BER encoding of userPKCS12 attribute is not supported

A solution as a bash script is preferred.

Thanks and regards,

Daniel

Binary data in LDIF

Binary data in LDIF files is simply Base64 encoded (see RFC 2849):

userPKCS12:: MIIJtgIBAzCCCXAGCSqGSIb3DQEHAaCCCWEEggldMIIJWTCCBW4GCSqGSIb3DQEHA
 CCBV8EggVbMIIFVzCCBVMGCyqGSIb3DQEMCgECoIIE+jCCBPYwKAYKKoZIhvcNAQwBAzAaBBT3WG
 ...

RFC 2849 explicitly states that line breaks are not required:

  1. When an attrval-spec, distinguishedName, or rdn is base64-encoded, the encoding rules specified in [5] are used with the following exceptions: a) The requirement that base64 output streams must be represented as lines of no more than 76 characters is removed. Lines in LDIF files may only be folded according to the folding rules described in note 2, above.

That said, I have never seen an LDIF file with unfolded long lines. So for compatibility reasons it is probably a good idea to add a line break after 76 characters anyway.

The rule for folding lines in LDIF is:

  1. Any non-empty line, including comment lines, in an LDIF file MAY be folded by inserting a line separator (SEP) and a SPACE. Folding MUST NOT occur before the first character of the line. In other words, folding a line into two lines, the first of which is empty, is not permitted. Any line that begins with a single space MUST be treated as a continuation of the previous (non-empty) line. When joining folded lines, exactly one space character at the beginning of each continued line must be discarded. Implementations SHOULD NOT fold lines in the middle of a multi-byte UTF-8 character.

References to external files

Binary data does not necessarily have to be included in the LDIF file as a Base64 string. Instead, a reference to an external file can be used. Example from RFC 2849:

jpegphoto:< file:///usr/local/directory/photos/fiona.jpg

The transfer option ";binary"

The binary option ";binary" is specified in RFC 4522 and affects the transfer of data between LDAP client and server (not the storage on the LDAP server). When it is set, the attribute is encoded according to the Basic Encoding Rules (BER).

Whether ";binary" is required for "userPKCS12" depends on the LDAP server. For OpenLDAP, for example, ";binary" does not work because the syntax of "userPKCS12" is binary (and not a special syntax for PKCS#12).

Converting binary data to Base64

There are many ways to convert a PKCS#12 file to Base64; you did not write whether you have to do it programmatically or with a command line tool. Some options are:

  • OpenSSL: openssl enc -e -base64 -in tomcat.p12 -out tomcat.b64
  • Java with Bouncy Castle:
  • Some LDAP servers, such as Sun Directory Server, 389 or RedHat Directory Server, include a command line tool called "ldif" that does exactly what you need: ldif -b "userPKCS12" < tomcat.p12 >> p12.ldif
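A small POSIX shell helper, added here as an example rather than code from the question or the answer, that does the conversion the "Converting binary data to Base64" section describes and folds the result according to the RFC 2849 folding rule quoted above; the function names and the sample input are constructed for this example. It uses only base64, fold and sed, and writes every continuation line with the single leading space the folding rule requires.

```shell
# Hypothetical helper (added example, not code from the question or answer):
# print one RFC 2849 attribute line whose value is the Base64 of a binary
# file, folded so that every continuation line starts with one SPACE.
#   $1  attribute description, e.g. "userPKCS12" or "userPKCS12;binary"
#   $2  path to the binary file, e.g. tomcat.p12
ldif_binary_attr() {
    attr=$1
    file=$2
    # "::" marks a base64 value; drop the newlines base64 itself inserts
    b64=$(base64 < "$file" | tr -d '\n')
    # fold the logical line at 76 columns, then prefix every continuation
    # line (line 2 onward) with exactly one space, as the folding rule says
    printf '%s:: %s\n' "$attr" "$b64" | fold -w 76 | sed '2,$s/^/ /'
}

# Inverse operation for checking the result without an LDAP server: join
# continuation lines back onto the previous line (discarding the leading
# space), strip the "attr:: " prefix and decode the Base64.
ldif_unfold_decode() {
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' \
        | sed 's/^[^:]*:: //' | base64 -d
}

# Constructed sample input (NOT a real PKCS#12 file): a few hundred bytes,
# some of them non-printable, enough to need several folded lines.
make_sample_blob() {
    i=0
    while [ "$i" -lt 8 ]; do
        printf 'constructed-blob-%d \001\002\003\376\377 ' "$i"
        i=$((i + 1))
    done
}

# Usage, e.g. to append the attribute to an LDIF entry being built:
#   ldif_binary_attr userPKCS12 /tmp/tomcat.p12 >> action.ldif
```

Whether the attribute description should be "userPKCS12" or "userPKCS12;binary" depends on the server, as the section on the transfer option explains.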