XMPP SSL client certificates
neuro at o2.pl
Wed Jul 29 10:57:37 EDT 2009
I've been working on implementing XEP-0178 compatible client2server SASL External
authentication for jabberd2 (https://bugs.launchpad.net/jabberd2/+bug/405233). I've
already tested this implementation with a pyXmpp Python XMPP library and I would like to
implement SASL External authentication (based on TLS certificates) in Pidgin. While
implementing SASL External negotiation is trivial, assigning client certificates to TLS
connections isn't as simple in Purple code.
I took a short glimpse at the current structure of Pidgin and I see two approaches.
1. Make a client cert/client key field in PurpleAccount/PurpleConnection, which would be
operated from the Account settings dialog box. Then somehow propagate the information (by
possibly modifying other data structures) right up to ssl-gnutls and explicitly set the
connection credentials using SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file.
This approach is a bit hackish, yet simple. The user could set the certificates per
account explicitly, encouraging the feel that the certificate is not only used for SSL but
also for auth. However, this approach would require some modifications to key data
structures. Would this be a really bad thing or is it acceptable?
2. Another approach is to rely on PurpleCertificatePool for storing client certificates.
This would require adding another statically (for example 'client_certs) created pool of
certificates (next to 'tls_peers'). ssl-gnutls would then rely on
certificate-to-use.html) a callback function to match the server-acceptable CA's against
certificates in this pool.
While elegant, this approach is complicated. PurpleCertificatePool, as far as I can see,
doesn't support looking up certificates by issuer DN, only by subject DN. Support for
issuer DN lookup would have to be added. Additonally, RSA key support is missing. I've
tested the certificate manager by importing a PEM file containg a x509 cert with a RSA
key. Only the x509 was read. That comes as no suprise, since ssl-gnutls only imports x509
parts of datums. After scoping around I found that the certificate manager code is hard to
modify in order to accomodate private key handling, although I can be missing some obvious
ways of doing it.
If anyone has any suggestions as to how to proceed, please let me know.
More information about the Devel