Question
I got a java keystore which I want to store in LDAP using userPKCS12 attribute. I already transferred the JKS keystore to PKCS12
keytool -importkeystore -srckeystore /opt/tomcat/conf/.keystore -destkeystore /tmp/tomcat.p12 -deststoretype PKCS12
How do I proceed to finally get the entries of this keystore into my LDIF-file?
dn: cn=$name,$cn
objectClass: top
objectClass: inetorgPerson
description: $name
cn: $name
sn: $name
userPKCS12;binary:: MIIQoAIBAzCCEFoGCSqGSIb3DQEHAaCCEEsEghBHMIIQQzCCCfAGCSqGSIb3DQEH.....
Gives this error:
ldapadd -h 10.1.0.99 -D cn=Directory\ Manager -w - -f action.ldif
Enter bind password:
adding new entry cn=abcd,dc=Example,dc=com
ldap_add: Undefined attribute type
ldap_add: additional info: Entry cn=abcd,dc=Example,dc=com can not be added because BER encoding of userPKCS12 attribute is not supported
Solutions for bash scripts are preferred.
Thanks and regards,
Daniel
Answer 1:
Binary Data in LDIF
Binary data in LDIF files is simply Base64 encoded (see RFC 2849):
userPKCS12:: MIIJtgIBAzCCCXAGCSqGSIb3DQEHAaCCCWEEggldMIIJWTCCBW4GCSqGSIb3DQEHA
CCBV8EggVbMIIFVzCCBVMGCyqGSIb3DQEMCgECoIIE+jCCBPYwKAYKKoZIhvcNAQwBAzAaBBT3WG
...
RFC 2849 explicitly states that line breaks are not required:
10) When an attrval-spec, distinguishedName, or rdn is base64-encoded, the encoding rules specified in [5] are used with the following exceptions: a) The requirement that base64 output streams must be represented as lines of no more than 76 characters is removed. Lines in LDIF files may only be folded according to the folding rules described in note 2, above.
That being said, I have never seen an LDIF file where long lines were not folded. So, it might be a good idea to add line breaks after 76 characters anyway, just for compatibility reasons.
Rules for folding lines in LDIF are:
2) Any non-empty line, including comment lines, in an LDIF file MAY be folded by inserting a line separator (SEP) and a SPACE. Folding MUST NOT occur before the first character of the line. In other words, folding a line into two lines, the first of which is empty, is not permitted. Any line that begins with a single space MUST be treated as a continuation of the previous (non-empty) line. When joining folded lines, exactly one space character at the beginning of each continued line must be discarded. Implementations SHOULD NOT fold lines in the middle of a multi-byte UTF-8 character.
References to External Files
Binary data does not necessarily have to be included in the LDIF file as a Base64 string. Instead, a reference to an external file can be used. Example from RFC 2849:
jpegphoto:< file:///usr/local/directory/photos/fiona.jpg
Transfer Option ";binary"
The binary option ";binary" is specified in RFC 4522; it affects the transfer of data between LDAP client and server (not the storage on the LDAP server). When it is set, the attribute is encoded according to the Basic Encoding Rules (BER).
Whether ";binary" is required for "userPKCS12" depends on the LDAP server. For example with OpenLDAP ";binary" does not work, because the syntax of "userPKCS12" is binary (and not a special syntax for PKCS#12).
Conversion of Binary Data to Base64
There are many ways to convert the PKCS#12 file to Base64, and you did not say whether you have to do this programmatically or with command line tools. Some options are:
- OpenSSL:
openssl enc -e -base64 -in tomcat.p12 -out tomcat.b64
- Java with Bouncy Castle: Base64.encode()
- Some LDAP servers like Sun Directory Server, 389 or RedHat Directory Server include a command line tool named "ldif" that does exactly what you want:
ldif -b "userPKCS12" < tomcat.p12 >> p12.ldif
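Since the question asks for a bash solution, the following script is an added example (it is not part of the answer above, and not a tool from any directory server). It does what the answer describes with standard tools only: Base64-encodes the keystore file, emits a `userPKCS12::` attribute (the `::` marks a Base64 value, and the `;binary` option is left out, which is what the asker's error message and the answer's OpenLDAP note point to), and folds the value so no line exceeds 76 characters, each continuation line starting with a single space as RFC 2849 note 2 requires. A second function unfolds and extracts the value again so the LDIF can be checked for a clean round trip before it is fed to ldapadd. It assumes a `base64` command that accepts unwrapped input with `-d` (GNU coreutils); the DN, cn and file path are placeholders, and the "keystore" written by `make_sample_p12` is constructed filler bytes, not a real PKCS#12 file.

```shell
#!/bin/sh
# Emit an RFC 2849 LDIF entry carrying a PKCS#12 file as a folded Base64 value.

# Print "<attr>:: <base64>" folded so that no output line is longer than 76
# characters; continuation lines start with one space (RFC 2849, note 2).
ldif_fold_base64() {
    attr=$1
    file=$2
    # base64 output is wrapped at 76 columns by default; join it into one string
    b64=$(base64 < "$file" | tr -d '\n')
    printf '%s\n' "$b64" | awk -v attr="$attr" '{
        prefix = attr ":: "
        width  = 76
        first  = width - length(prefix)          # room left on the first line
        printf "%s%s\n", prefix, substr($0, 1, first)
        for (i = first + 1; i <= length($0); i += width - 1)
            printf " %s\n", substr($0, i, width - 1)
    }'
}

# Write a complete inetOrgPerson entry: p12_to_ldif <dn> <cn> <file.p12>
p12_to_ldif() {
    dn=$1
    name=$2
    p12=$3
    printf 'dn: %s\n' "$dn"
    printf 'objectClass: top\n'
    printf 'objectClass: inetOrgPerson\n'
    printf 'cn: %s\n' "$name"
    printf 'sn: %s\n' "$name"
    ldif_fold_base64 userPKCS12 "$p12"
    printf '\n'                                   # blank line terminates the entry
}

# Read LDIF on stdin, unfold the given Base64 attribute and print its raw
# Base64 text on one line (useful to verify what ldapadd will actually see).
ldif_extract_base64() {
    awk -v attr="$1" '
        /^ /  { if (inval) val = val substr($0, 2); next }   # continuation: drop one space, append
        inval { inval = 0 }                                  # any other line ends the value
        index($0, attr "::") == 1 {
            inval = 1
            val = substr($0, length(attr) + 3)
            sub(/^ /, "", val)
        }
        END   { print val }'
}

# Constructed placeholder bytes, NOT a real PKCS#12 keystore; only here so the
# example runs offline. In practice pass the file produced by keytool.
make_sample_p12() {
    : > "$1"
    i=0
    while [ "$i" -lt 40 ]; do
        printf 'placeholder keystore bytes %03d\000\377\n' "$i" >> "$1"
        i=$((i + 1))
    done
}

# Stand-alone usage: sh p12_to_ldif.sh "cn=tomcat,dc=example,dc=com" tomcat /tmp/tomcat.p12 > action.ldif
if [ "$#" -eq 3 ]; then
    p12_to_ldif "$1" "$2" "$3"
fi
```

The round-trip check is the part worth keeping in a deployment script: extract the value from the generated LDIF, pipe it through `base64 -d`, and compare the result with the original file with `cmp` before running ldapadd, so a folding or encoding mistake shows up locally rather than as a server-side error. If the target server does need the `;binary` option, only the attribute name passed to `ldif_fold_base64` has to change.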
Source: https://stackoverflow.com/questions/33414640/how-to-store-keystore-using-userpkcs12-in-ldap