Apache Directory Server LDAP usercertificate attribute for S/MIME not supported, seems working only with usercertificate;binary response

Status: RESOLVED WONTFIX (reported 10 years ago, resolved 9 years ago)
Reporter: rihards (Unassigned)

Description (Reporter, 10 years ago)
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; GTB5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; InfoPath.2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618; FDM)
Build Identifier: 3.0 b3pre, 2.0.0.21 as well

When trying to send S/MIME encrypted e-mail, fetching usercertificate from an LDAP server based on Apache DS v. 1.5.4, Thunderbird sends a usercertificate;binary search request, but receives just usercertificate and returns "Sending of message failed....application failed to find an encryption certificate of user...."
Problem described in Apache DS bug report: https://issues.apache.org/jira/browse/DIRSERVER-1198

Reproducible: Always

Steps to Reproduce:
1. Install S/MIME signing and encryption certificates for current user
2. Add external LDAP and search base of external Apache DS LDAP holding user entries with both e-mail and usercertificates
3. Try to send encrypted mail to other users
Actual Results:  
Thunderbird finds users and their e-mail addresses in external LDAP, tries to fetch attribute usercertificate;binary, receives attribute usercertificate= (sniffed by Microsoft Network Monitor 3.2), but fails to recognize the certificate and writes "Sending of message failed....application failed to find an encryption certificate of user...."

Expected Results:  
Find certificate in external LDAP, encrypt and send e-mail, as it does with OpenLDAP, when it receives attribute usercertificate;binary=...

Comment 1 (9 years ago)
This relates to RFC 4523 [Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates] (http://www.rfc-editor.org/rfc/rfc4523.txt) which says:
====
2.1.  Certificate
   Due to changes made to the definition of a Certificate through time,
   no LDAP-specific encoding is defined for this syntax.  Values of this
   syntax SHOULD be encoded using Distinguished Encoding Rules (DER)
   [X.690] and MUST only be transferred using the ;binary transfer
   option [RFC4522]; that is, by requesting and returning values using
   attribute descriptions such as "userCertificate;binary".

   As values of this syntax contain digitally signed data, values of
   this syntax and the form of each value MUST be preserved as
   presented.
====

According to the issues.apache.org bug, it looks like the Apache directory server is not compliant with the RFC.

I would suggest using a directory server that implements this spec correctly, such as Project 389:
http://directory.fedoraproject.org/ (This used to be the Netscape DS, and is also the basis for the Red Hat Directory Server).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WONTFIX
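Added example (not code from the bug report, Thunderbird or Apache DS): it models the attribute set an LDAP client gets back from a search, shows why a lookup that only accepts the RFC 4523 form "userCertificate;binary" finds nothing when the server answers with bare "userCertificate", and runs a minimal DER header check before a value would be handed to the S/MIME layer. The entry dicts and the dummy DER value are constructed for the example.

```python
from typing import Dict, List, Optional

# What RFC 4523 says a client should put in the search request's attribute list.
REQUESTED_ATTR = "userCertificate;binary"


def attr_matches(description: str, wanted_type: str, require_binary: bool) -> bool:
    """Match an LDAP attribute description (type plus ;options, compared
    case-insensitively) against the wanted attribute type."""
    parts = description.lower().split(";")
    atype, options = parts[0], set(parts[1:])
    if atype != wanted_type.lower():
        return False
    return ("binary" in options) if require_binary else True


def der_length(value: bytes) -> Optional[int]:
    """Total encoded length of a DER SEQUENCE (tag 0x30), or None if the
    header is malformed. Certificates are SEQUENCEs, so this catches values
    that were mangled or truncated rather than preserved as presented."""
    if len(value) < 2 or value[0] != 0x30:
        return None
    first = value[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(value) < 2 + n:
        return None
    return 2 + n + int.from_bytes(value[2:2 + n], "big")


def find_certificate(entry: Dict[str, List[bytes]], strict: bool = True) -> Optional[bytes]:
    """Pick a usable certificate value out of a search result entry.
    strict=True behaves like a client that accepts only the ;binary form the
    RFC mandates (the Thunderbird behaviour in this bug); strict=False is a
    client-side workaround that also accepts a bare 'userCertificate'."""
    for description, values in entry.items():
        if attr_matches(description, "userCertificate", require_binary=strict):
            for v in values:
                total = der_length(v)
                if total is not None and total == len(v):   # reject truncated/garbled DER
                    return v
    return None


# Constructed sample: a syntactically valid dummy DER SEQUENCE standing in for a certificate.
FAKE_CERT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
# A compliant server (e.g. OpenLDAP) echoes the transfer option in the response.
COMPLIANT_ENTRY = {"mail": [b"user@example.com"], "userCertificate;binary": [FAKE_CERT_DER]}
# The Apache DS behaviour described above: the ;binary option is dropped.
NONCOMPLIANT_ENTRY = {"mail": [b"user@example.com"], "userCertificate": [FAKE_CERT_DER]}
```

The strict mode mirrors the failure in this report; the non-strict mode only papers over the server-side problem, and the DER check is what keeps a mangled value from reaching the encryption step.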