Storing a certificate

You can store certificates in an LDAP server.

The way to store them (how to write the LDIF file) is slightly unusual, so I'm noting it down here.

core.schema

Looking through core.schema, several likely-looking attributes turn up.

  • userCertificate
  • cACertificate
  • authorityRevocationList
  • certificateRevocationList
  • crossCertificatePair

I happened to have a client certificate on hand, so I'll try specifying it as userCertificate.

The client certificate to store

This is the client certificate used here.


Decoded to text, it looks like this.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2679216439 (0x9fb19937)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca.example.com
        Validity
            Not Before: Jan 30 15:00:00 2012 GMT
            Not After : Jan 30 15:00:00 2013 GMT
        Subject: CN=hexa.diary@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a9:ea:3d:9f:d8:ef:c2:f6:6a:75:08:9e:93:b3:
                    30:3a:0d:d8:3b:61:6d:db:cf:ef:8d:30:c3:e1:4b:
                    c3:25:e1:83:da:83:95:83:70:b9:3e:0f:44:a8:7b:
                    42:f8:77:9b:c6:96:1a:6c:93:51:21:cc:77:81:c1:
                    ff:62:4a:28:cb:fc:5a:56:f2:b6:69:0a:be:cf:07:
                    19:ba:f8:14:45:84:6d:76:99:86:c7:aa:2d:6c:0f:
                    8b:4a:15:4a:d2:ba:25:45:89:07:e0:c5:84:a4:de:
                    d2:52:bc:4d:19:44:78:d6:46:17:fa:36:c3:52:9a:
                    7d:ed:8a:77:f3:3e:a1:a3:ab:61:6a:5f:b8:86:6d:
                    06:bc:87:37:6b:d3:4c:05:8a:20:d9:a1:69:36:e0:
                    83:24:27:90:68:b7:2a:35:16:0e:23:db:fb:21:7c:
                    5b:36:89:4c:e6:d9:82:30:d4:ec:cc:81:70:cf:c7:
                    75:51:94:11:12:8b:92:1b:ae:77:ea:3a:01:ae:e8:
                    3f:09:b0:61:1f:f4:ed:86:95:a9:57:2e:94:ad:49:
                    3c:30:2e:86:fd:76:f0:32:12:25:69:f6:3f:b8:9e:
                    98:f2:a9:29:96:e8:09:88:a2:e2:68:1a:74:35:c7:
                    4c:d8:c7:3e:8a:01:a6:0e:4a:f8:6f:c5:56:97:0b:
                    37:77
                Exponent: 65567 (0x1001f)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:5B:E8:5E:3F:23:05:33:C1:E9:9F:F4:88:8B:DD:C5:B3:83:5F:3E:29

            X509v3 Subject Key Identifier: 
                C7:5F:E4:E0:68:1A:0F:53:C5:2A:E7:7E:F3:9B:9A:38:37:93:CB:71
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://example.com/crl/example.crl

    Signature Algorithm: sha1WithRSAEncryption
        32:58:2b:cd:3f:f9:35:51:8b:a8:67:8f:5d:27:09:54:44:a9:
        ba:83:9f:7e:e9:ba:9e:51:db:fb:12:46:92:82:34:e8:97:49:
        af:63:b5:30:c0:7c:f3:b5:9b:27:6a:99:86:8a:7d:fa:6d:65:
        11:68:d6:6c:fb:1a:d9:ed:79:ff:39:61:c1:de:0a:e6:2b:11:
        7f:79:7a:30:96:6b:45:d0:4c:d2:d1:78:39:9f:ab:38:f2:7d:
        1d:78:c9:0f:23:2f:06:53:10:ff:2a:94:2a:51:5f:86:62:de:
        55:5d:d4:84:29:d1:f4:a2:f2:e4:ce:88:aa:b4:84:8d:ec:2e:
        3d:55:14:66:e8:5f:4c:20:5a:05:9c:94:0c:41:45:37:5c:23:
        74:76:3a:c4:b8:d8:8f:67:fa:29:e3:32:75:d7:f1:6d:e5:47:
        58:0c:1e:d3:21:65:c8:d7:eb:09:cb:5c:ab:45:68:37:d5:d4:
        63:d1:38:62:37:10:53:2f:dc:d1:f6:b1:c2:08:c2:c3:24:06:
        4e:0c:b9:7a:8d:18:60:95:2c:95:17:df:79:30:94:4d:ba:2e:
        ea:94:99:2c:1e:90:ce:33:ce:47:eb:b4:ad:84:89:ea:d7:c2:
        5c:eb:b9:72:ac:ac:89:3c:05:ee:40:e3:76:d1:fb:6a:f3:a6:
        3b:ca:0b:e8


Convert the certificate from PEM format to DER format beforehand.

With OpenSSL, the conversion is done as follows.

# openssl x509 -inform PEM -outform DER -in client.pem -out client.der

LDIF file

The inetOrgPerson object class is used.
Its mandatory attributes are cn and sn.
They are mandatory because the superior object class (or rather, the superior of the superior) is the person object class.

In the LDIF file, point userCertificate at the client certificate file. Also, write the attribute as userCertificate;binary: rather than userCertificate:.

dn: cn=hexa.diary@example.com,dc=ldap,dc=example,dc=com
objectclass: inetOrgPerson
cn: hexa.diary@example.com
sn: sn
userCertificate;binary:< file:///root/client.der

cn and sn are just placeholder values.

Adding and verifying

ldapadd

Add the entry.

# ldapadd -x -H ldaps://ldap.example.com -D 'cn=Manager,dc=ldap,dc=example,dc=com' -W -f hexa.diary.ldif 
Enter LDAP Password: 
adding new entry "cn=hexa.diary@example.com,dc=ldap,dc=example,dc=com"

ldapsearch

Check with ldapsearch.

# ldapsearch -x -H ldaps://ldap.example.com -D 'cn=Manager,dc=ldap,dc=example,dc=com' -W -b 'dc=ldap,dc=example,dc=com' '(cn=hexa.diary@example.com)'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=ldap,dc=example,dc=com> with scope subtree
# filter: (cn=hexa.diary@example.com)
# requesting: ALL
#

# hexa.diary@example.com, ldap.example.com
dn: cn=hexa.diary@example.com,dc=ldap,dc=example,dc=com
objectClass: inetOrgPerson
cn: hexa.diary@example.com
sn: sn
userCertificate;binary:: MIIDXzCCAkegAwIBAgIFAJ+xmTcwDQYJKoZIhvcNAQEFBQAwGTEXM
 BUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMTIwMTMwMTUwMDAwWhcNMTMwMTMwMTUwMDAwWjAhMR
 8wHQYDVQQDDBZoZXhhLmRpYXJ5QGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMII
 BCgKCAQEAqeo9n9jvwvZqdQiek7MwOg3YO2Ft28/vjTDD4UvDJeGD2oOVg3C5Pg9EqHtC+HebxpYa
 bJNRIcx3gcH/Ykooy/xaVvK2aQq+zwcZuvgURYRtdpmGx6otbA+LShVK0rolRYkH4MWEpN7SUrxNG
 UR41kYX+jbDUpp97Yp38z6ho6thal+4hm0GvIc3a9NMBYog2aFpNuCDJCeQaLcqNRYOI9v7IXxbNo
 lM5tmCMNTszIFwz8d1UZQREouSG6536joBrug/CbBhH/TthpWpVy6UrUk8MC6G/XbwMhIlafY/uJ6
 Y8qkplugJiKLiaBp0NcdM2Mc+igGmDkr4b8VWlws3dwIDAQAfo4GlMIGiMAwGA1UdEwEB/wQCMAAw
 HwYDVR0jBBgwFoAUW+hePyMFM8Hpn/SIi93Fs4NfPikwHQYDVR0OBBYEFMdf5OBoGg9TxSrnfvObm
 jg3k8txMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAzBgNVHR8ELDAqMCigJqAkhiJodH
 RwOi8vZXhhbXBsZS5jb20vY3JsL2V4YW1wbGUuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAyWCvNP/k
 1UYuoZ49dJwlURKm6g59+6bqeUdv7EkaSgjTol0mvY7UwwHzztZsnapmGin36bWURaNZs+xrZ7Xn/
 OWHB3grmKxF/eXowlmtF0EzS0Xg5n6s48n0deMkPIy8GUxD/KpQqUV+GYt5VXdSEKdH0ovLkzoiqt
 ISN7C49VRRm6F9MIFoFnJQMQUU3XCN0djrEuNiPZ/op4zJ11/Ft5UdYDB7TIWXI1+sJy1yrRWg31d
 Rj0ThiNxBTL9zR9rHCCMLDJAZODLl6jRhglSyVF995MJRNui7qlJksHpDOM85H67SthInq18Jc67l
 yrKyJPAXuQON20ftq86Y7ygvo

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

It appears to have been added successfully.

Checking userCertificate

While we're at it, let's check the contents of userCertificate;binary::.

Save the contents of userCertificate;binary:: to a file named client.crt and run the following to inspect it.

$ ruby -r openssl -r base64 -e "puts OpenSSL::X509::Certificate.new(Base64::decode64(File.read('client.crt'))).to_text"

The output is identical to the text dump shown earlier, so this is indeed the client certificate specified in the LDIF file.
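As an added example (not code from the original post), the following Ruby script does in code what the LDIF section and the ldapsearch check above do by hand: it unfolds the continuation lines of an LDIF record, decodes the base64 value marked by the double colon in userCertificate;binary::, and then checks the certificate's validity window and Extended Key Usage before the directory copy is trusted for client authentication. The certificate and the names alice@example.com and bob@example.com are constructed for the example and assumed, not taken from the page.

```ruby
require 'openssl'

# Unfold LDIF continuation lines (a line beginning with one space continues
# the previous line) and return the base64 text of an "attr:: value" line.
def ldif_base64_attr(ldif, attr)
  unfolded = ldif.gsub(/\r?\n /, '')
  line = unfolded.lines.find { |l| l.start_with?("#{attr}:: ") }
  line && line.split(':: ', 2).last.strip
end

# Decode userCertificate;binary from an LDIF record and apply the checks a
# consumer should make before trusting the directory copy: the validity
# window and an Extended Key Usage that permits client authentication.
def check_ldif_certificate(ldif, now: Time.now)
  b64 = ldif_base64_attr(ldif, 'userCertificate;binary')
  return { ok: false, problems: ['userCertificate;binary missing'] } unless b64
  cert = OpenSSL::X509::Certificate.new(b64.unpack1('m'))   # 'm' = base64 decode
  cn = cert.subject.to_a.find { |n, _, _| n == 'CN' }&.at(1)
  eku = cert.extensions.find { |e| e.oid == 'extendedKeyUsage' }
  problems = []
  problems << 'outside validity period' unless cert.not_before <= now && now <= cert.not_after
  problems << 'no client-auth EKU' unless eku && eku.value.include?('TLS Web Client Authentication')
  { ok: problems.empty?, cn: cn, serial: cert.serial.to_i, problems: problems }
end

# Constructed test data (hypothetical names): a self-signed certificate shaped
# like the one on the page (CA:FALSE, serverAuth + clientAuth, 2012-2013
# validity), folded into an LDIF record the way ldapsearch prints it.
def constructed_ldif(cn: 'alice@example.com', serial: 4242)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject                      # self-signed stand-in for the CA
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2012, 1, 30, 15)
  cert.not_after = Time.utc(2013, 1, 30, 15)
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth,clientAuth'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  folded = [cert.to_der].pack('m0').scan(/.{1,76}/).join("\n ")
  "dn: cn=#{cn},dc=ldap,dc=example,dc=com\nobjectClass: inetOrgPerson\n" \
    "cn: #{cn}\nsn: sn\nuserCertificate;binary:: #{folded}\n"
end

puts check_ldif_certificate(constructed_ldif, now: Time.utc(2012, 6, 1)).inspect
```

Run against the real ldapsearch output, the same check flags the page's certificate as expired today, which is the kind of state a directory entry silently keeps until something validates it.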