BER encoding a string for LDAP userCertificate;binary in Go
I'm currently trying to build a simple LDAP server using https://github.com/nmcclain/ldap to serve mail clients (primarily Outlook) with an address book containing S/MIME certificates.
So far the part regarding the "normal" LDAP attributes like sn, mail, displayName etc. works, but I struggle to get userCertificate;binary to work.
Using the ldap-debugger from https://github.com/pingidentity/ldapsdk/releases all looks good compared to a reference MS AD server. I get the same response.
Example from an AD:
LDAP Message:
Message ID: 785
Search Request Protocol Op:
Base DN: CN=user,OU=adresses,DC=local,DC=org
Scope: BASE
Dereference Policy: ALWAYS
Size Limit: 100
Time Limit: 100
Types Only: false
Filter: (objectClass=*)
Requested Attributes:
cn
commonName
mail
roleOccupant
display-name
displayname
sn
surname
co
organizationName
o
givenName
legacyExchangeDN
objectClass
uid
mailNickname
title
company
physicalDeliveryOfficeName
telephoneNumber
otherTelephone
otherHomePhone
info
userCertificate;binary
user-cert;binary
userSMIMECertificate;binary
TextEncodedORaddress
otherMailbox
proxyAddresses
msExchHomeServerName
secretary
Telephone-Assistant
Telephone-Office2
ou
organizationalUnitName
department
l
postalCode
st
postalAddress
streetAddress
homephone
initials
mobile
facsimileTelephoneNumber
pager
[07/March/2022:13:08:10 +0100] conn=6 from="0:0:0:0:0:0:0:1:56415" to="0:0:0:0:0:0:0:1:33389"
LDAP Message:
Message ID: 785
Search Result Entry Protocol Op:
dn: CN=user,OU=adresses,DC=local,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user
displayName: user
sn: user
company: company
mail: [email protected]
givenName: user
userCertificate;binary:: MIIIvz...H5z/w7QDTxupw=
Example from my LDAP Server:
LDAP Message:
Message ID: 648
Search Request Protocol Op:
Base DN: CN=user,OU=adresses,DC=local,DC=org
Scope: BASE
Dereference Policy: ALWAYS
Size Limit: 100
Time Limit: 100
Types Only: false
Filter: (objectClass=*)
Requested Attributes:
cn
commonName
mail
roleOccupant
display-name
displayname
sn
surname
co
organizationName
o
givenName
legacyExchangeDN
objectClass
uid
mailNickname
title
company
physicalDeliveryOfficeName
telephoneNumber
otherTelephone
otherHomePhone
info
userCertificate;binary
user-cert;binary
userSMIMECertificate;binary
TextEncodedORaddress
otherMailbox
proxyAddresses
msExchHomeServerName
secretary
Telephone-Assistant
Telephone-Office2
ou
organizationalUnitName
department
l
postalCode
st
postalAddress
streetAddress
homephone
initials
mobile
facsimileTelephoneNumber
pager
[07/March/2022:11:42:11 +0100] conn=6 from="0:0:0:0:0:0:0:1:58508" to="0:0:0:0:0:0:0:1:33389"
LDAP Message:
Message ID: 648
Search Result Entry Protocol Op:
dn: CN=user,OU=adresses,DC=local,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
uid: 3
cn: user
displayName: user
sn: user
company: user
mail: [email protected]
givenName: [email protected]
userCertificate;binary: MIIIfzCC...VLjPjJlyMMA==
However, I don't see the userCertificate in Outlook.
The value of userCertificate is the result of
openssl x509 -in user_public_cert.cer -inform DER
minus the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines as mentioned here https://unix.stackexchange.com/questions/431944/problems-with-ldap-usercertificate-attribute
This results in a base64 encoded string of the certificate.
However, if I capture the network traffic using Wireshark I get a clean decoded certificate with the MS AD server and a "BER Error: Wrong field in SEQUENCE: expected class:UNIVERSAL(0) tag:16(SEQUENCE) but found class:APPLICATION(1) tag:9" with my server.
As far as I can tell, DER should be a subset of BER, which is why I assumed the openssl result should be enough.
Now I think I have to encode the base64 string again in BER. If this is right, how would I go about doing that?
The ldap.EntryAttribute currently looks like this
&ldap.EntryAttribute{"userCertificate;binary", []string{cert}},
where cert is a string from the database.
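One way to produce the value the server should send, added here as an example (not code from the question or from nmcclain/ldap): the attribute value has to be the raw DER bytes, which a Go string can carry, rather than the base64 text; the helper names certValueFromBase64 and selfSignedDER are assumed, and the certificate is constructed in-process instead of read from a database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certValueFromBase64 (hypothetical helper) decodes the base64 text stored in the
// database back to raw DER: the OCTET STRING content of userCertificate;binary.
func certValueFromBase64(b64 string) ([]byte, error) {
	// Tolerate the line breaks openssl inserts every 64 characters.
	der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(b64), ""))
	if err != nil {
		return nil, fmt.Errorf("value is not base64: %w", err)
	}
	// A DER Certificate is a SEQUENCE (first byte 0x30); base64 text starts with 'M' (0x4D).
	if len(der) == 0 || der[0] != 0x30 {
		return nil, fmt.Errorf("decoded value does not start with a SEQUENCE")
	}
	if _, err := x509.ParseCertificate(der); err != nil {
		return nil, fmt.Errorf("decoded value is not a certificate: %w", err)
	}
	return der, nil
}

// selfSignedDER builds a throwaway self-signed certificate (constructed test data).
func selfSignedDER() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}

func main() {
	stored := base64.StdEncoding.EncodeToString(selfSignedDER()) // what the DB column holds
	der, err := certValueFromBase64(stored)
	if err != nil { panic(err) }
	// With nmcclain/ldap use string(der): &ldap.EntryAttribute{"userCertificate;binary", []string{string(der)}}
	fmt.Printf("%d DER bytes, first byte 0x%02x\n", len(der), der[0])
}
```

Passing the base64 text itself as the value is what makes Wireshark see an ASCII 'M' where it expects the 0x30 of a Certificate SEQUENCE; the 0x30 check above rejects such a double-encoded value before it reaches the client.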