Tweak privateKey schema

We're using PKCS#8 syntax, drop the OpenLDAP syntax OID. Rename attribute accordingly. Tweak validator to accept encrypted keys.
2025-01-30 13:30:57 +08:00 · 2018-12-18 19:10:04 +00:00 · 2018-12-18 19:10:04 +00:00 · 0e8c2d5a54
commit 0e8c2d5a54
parent 4e23cfc4a9
5 changed files with 31 additions and 22 deletions
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@ -796,8 +796,7 @@ static ConfigTable config_back_cf_table[] = {
 #endif
 		"( OLcfgGlAt:99 NAME 'olcTLSCertificateKey' "
 			"DESC 'X.509 privateKey, must use ;binary' "
-			"EQUALITY privateKeyMatch "
-			"SYNTAX 1.3.6.1.4.1.4203.666.2.13 SINGLE-VALUE )", NULL, NULL },
+			"SUP pKCS8PrivateKey SINGLE-VALUE )", NULL, NULL },
 	{ "TLSCertificateKeyFile", NULL, 2, 2, 0,
 #ifdef HAVE_TLS
 		CFG_TLS_CERT_KEY|ARG_STRING|ARG_MAGIC, &config_tls_option,
--- a/servers/slapd/overlays/autoca.c
+++ b/servers/slapd/overlays/autoca.c
@ -73,10 +73,10 @@ static ObjectClass *oc_caObj, *oc_usrObj;
 static char *aca_attrs[] = {
 	"( " ACA_SCHEMA_AT ".1 NAME 'cAPrivateKey' "
 		"DESC 'X.509 CA private key, use ;binary' "
-		"SUP x509PrivateKey )",
+		"SUP pKCS8PrivateKey )",
 	"( " ACA_SCHEMA_AT ".2 NAME 'userPrivateKey' "
 		"DESC 'X.509 user private key, use ;binary' "
-		"SUP x509PrivateKey )",
+		"SUP pKCS8PrivateKey )",
 	NULL
 };

--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@ -609,18 +609,28 @@ privateKeyValidate(
 	tag = ber_skip_tag( ber, &len );	/* Sequence */
 	if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
 	tag = ber_peek_tag( ber, &len );
-	if ( tag != LBER_INTEGER ) return LDAP_INVALID_SYNTAX;
-	tag = ber_get_int( ber, &version );
-	tag = ber_skip_tag( ber, &len );	/* AlgorithmIdentifier */
-	if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
-	ber_skip_data( ber, len );
-	tag = ber_skip_tag( ber, &len );	/* PrivateKey */
-	if ( tag != LBER_OCTETSTRING ) return LDAP_INVALID_SYNTAX;
-	ber_skip_data( ber, len );
-	tag = ber_skip_tag( ber, &len );
-	if ( tag == LBER_SET ) {			/* Optional Attributes */
+	if ( tag != LBER_INTEGER ) {
+		/* might be an encrypted key */
+		if ( tag == LBER_SEQUENCE ) {	/* encryptionAlgorithm */
+			ber_skip_data( ber, len );
+			tag = ber_skip_tag( ber, &len );	/* encryptedData */
+			if ( tag != LBER_OCTETSTRING ) return LDAP_INVALID_SYNTAX;
+			ber_skip_data( ber, len );
+		} else
+			return LDAP_INVALID_SYNTAX;
+	} else {
+		tag = ber_get_int( ber, &version );
+		tag = ber_skip_tag( ber, &len );	/* AlgorithmIdentifier */
+		if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+		ber_skip_data( ber, len );
+		tag = ber_skip_tag( ber, &len );	/* PrivateKey */
+		if ( tag != LBER_OCTETSTRING ) return LDAP_INVALID_SYNTAX;
 		ber_skip_data( ber, len );
 		tag = ber_skip_tag( ber, &len );
+		if ( tag == LBER_SET ) {			/* Optional Attributes */
+			ber_skip_data( ber, len );
+			tag = ber_skip_tag( ber, &len );
+		}
 	}

 	/* Must be at end now */
@ -6385,7 +6395,7 @@ static slap_syntax_defs_rec syntax_defs[] = {
 		SLAP_SYNTAX_HIDE, NULL, authzValidate, authzPretty},

 	/* PKCS#8 Private Keys for X.509 certificates */
-	{"( 1.3.6.1.4.1.4203.666.2.13 DESC 'OpenLDAP privateKey' )",
+	{"( 1.2.840.113549.1.8.1.1 DESC 'PKCS#8 PrivateKeyInfo' )",
 		SLAP_SYNTAX_BINARY|SLAP_SYNTAX_BER, NULL, privateKeyValidate, NULL},
 	{NULL, 0, NULL, NULL, NULL}
 };
@ -6875,7 +6885,7 @@ static slap_mrule_defs_rec mrule_defs[] = {
 		NULL},

 	{"( 1.3.6.1.4.1.4203.666.4.13 NAME 'privateKeyMatch' "
-		"SYNTAX 1.3.6.1.4.1.4203.666.2.13 )", /* OpenLDAP privateKey */
+		"SYNTAX 1.2.840.113549.1.8.1.1 )", /* PKCS#8 privateKey */
 		SLAP_MR_HIDE | SLAP_MR_EQUALITY, NULL,
 		NULL, NULL, octetStringMatch,
 		NULL, NULL,
--- a/servers/slapd/schema_prep.c
+++ b/servers/slapd/schema_prep.c
@ -1009,15 +1009,15 @@ static struct slap_schema_ad_map {
 		NULL, NULL, NULL, NULL, NULL,
 		offsetof(struct slap_internal_schema, si_ad_seeAlso) },

-	{ "x509PrivateKey", "( 1.3.6.1.4.1.4203.666.1.60 "
-			"NAME 'x509PrivateKey' "
-			"DESC 'X.509 private key, use ;binary' "
+	{ "pKCS8PrivateKey", "( 1.3.6.1.4.1.4203.666.1.60 "
+			"NAME 'pKCS8PrivateKey' "
+			"DESC 'PKCS#8 PrivateKeyInfo, use ;binary' "
 			"EQUALITY privateKeyMatch "
-			"SYNTAX 1.3.6.1.4.1.4203.666.2.13 )",
+			"SYNTAX 1.2.840.113549.1.8.1.1 )",
 		NULL, 0,
 		NULL, NULL,
 		NULL, NULL, NULL, NULL, NULL,
-		offsetof(struct slap_internal_schema, si_ad_x509PrivateKey) },
+		offsetof(struct slap_internal_schema, si_ad_pKCS8PrivateKey) },

 	{ NULL, NULL, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0 }
 };
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@ -985,7 +985,7 @@ struct slap_internal_schema {
 	AttributeDescription *si_ad_seeAlso;

 	/* privateKeys */
-	AttributeDescription *si_ad_x509PrivateKey;
+	AttributeDescription *si_ad_pKCS8PrivateKey;

 	/* Undefined Attribute Type */
 	AttributeType	*si_at_undefined;