I am using the following curl command to download a value from an LDAP directory:

    curl ldap:// -o crl.crl

The problem is it writes the following to the file crl.crl:

    DN: CN=ACME-Test-CRL,O=ACME
    certificateRevocationList;binary: MIICxzCBsAIBATAN...

when I only want the base64 encoded CRL, i.e. the part starting MIICxzCBsAIBATAN.

Is there any way to tell curl to just write the base64 encoded binary value to the file?
2 Answers
Had the same issue when trying to apply the CRL of my Active Directory CA on OpenVPN's "crl-verify" command.
My solution is the following:
    curl -o CAName.ldap -u domain\\username:password "ldap:// Key Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList" && grep -Po '(?<=certificateRevocationList:: )(.+)' CAName.ldap > CAName.b64 && base64 -d CAName.b64 > CAName.der && openssl crl -inform DER -in CAName.der -outform PEM -out CAName.pem

Explanation:

    curl -o CAName.ldap -u domain\\username:password "ldap:// Key Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList"

This command downloads the binary part with the DN and the base64 encrypted content to the output file "-o CAName.ldap". The "-u" part is needed for non-anonymous LDAP binding.

    grep -Po '(?<=certificateRevocationList:: )(.+)' CAName.ldap > CAName.b64

This gets the base64 part into the new file "CAName.b64".

    base64 -d CAName.b64 > CAName.der

Decrypt the base64 content (from the LDAP query) into binary in the new file "CAName.der".

    openssl crl -inform DER -in CAName.der -outform PEM -out CAName.pem

Now convert DER (binary) into PEM for OpenVPN's "crl-verify".

You can verify the content with openssl:

    openssl crl -inform PEM -text -noout -in CAName.pem

4 years later...
The file that you are receiving is in the LDAP Data Interchange Format (LDIF). So in the best case, you would use an LDIF parser to fetch the certificateRevocationList attribute (see below). However, none of the CRL servers that I have come across properly apply the LDIF syntax, so parsers have difficulties understanding these files. This leaves you with manual parsing:

    curl ldap://endpoint | sed -n 's/[[:space:]]*certificaterevocationlist;binary:: \(.*\)/\1/p' > file.crl

The code above saves the base64 formatted value of the CRL into file.crl. You can, however, directly pipe the output into openssl for further processing:

    curl ldap://endpoint | sed -n 's/[[:space:]]*certificaterevocationlist;binary:: \(.*\)/\1/p' | base64 --decode | openssl crl -inform der -noout -text

A word of advice:

It should be noted that parsing structured data manually, i.e. using grep, awk, etc., is generally a very bad idea. I use sed here as a last resort, as none of the parsers that I tried out (Net::LDAP::Entry for Perl, ldif for Python, and ldif for nodeJS) were able to parse the LDIF file without prior modifications.
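Both answers above pull the attribute value out of curl's output with grep or sed and hand whatever matched straight to base64 and openssl. The following is an added example (not code from the question or either answer) that does the same extraction with a small purpose-built parser instead: it unfolds LDIF continuation lines, matches the attribute name case-insensitively (the first answer's grep uses `certificateRevocationList::`, the second answer's sed uses `certificaterevocationlist;binary::`), decodes `::` values as base64, and refuses to write the result unless it is a single well-formed DER SEQUENCE, which is what a CRL is on the outside. The sample input and its tiny DER payload are constructed, not a real CRL; treating a `;binary` attribute with a single colon (as shown in the question) as base64 is an assumption about curl's output.

```python
"""Extract the certificateRevocationList value from curl's LDAP output.

Added example, not from the question or either answer. Assumes the output
shape shown on the page: "attribute: value" lines per entry, base64 values
marked by "::", binary attributes tagged ";binary", blank line between entries.
"""
import base64
import re
import sys

# Constructed stand-in for `curl ldap://host/...` output. The payload is a
# hand-made DER SEQUENCE (30 03 02 01 05), folded over two lines as LDIF
# allows; it is not a real CRL.
SAMPLE_LDAP_OUTPUT = """DN: CN=ACME-Test-CRL,O=ACME
certificateRevocationList;binary:: MAMC
 AQU=

"""

# attribute name, optional ";option" list, ":" or "::", then the value
_ATTR_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w.-]*)(?P<opts>(?:;[\w-]+)*)(?P<sep>::?)\s*(?P<value>.*)$"
)


def unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return a list of entries, each {attribute_lowercase: [values]}.

    '::' values and ';binary' attributes become bytes, everything else str.
    """
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue  # not an attribute/value line; ignore it
        name = m.group("name").lower()
        opts = {o.lower() for o in m.group("opts").split(";") if o}
        value = m.group("value").strip()
        if m.group("sep") == "::" or "binary" in opts:
            # assumption: a ';binary' attribute with one colon (as in the
            # question) still carries base64 text, so decode it too
            value = base64.b64decode(value, validate=True)
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def der_sequence_length(data):
    """Total encoded length of the DER SEQUENCE at the start of data, or None
    if the header is not a well-formed SEQUENCE (tag 0x30, short or long form)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def extract_crl(text):
    """Return the CRL as DER bytes; raise ValueError if missing or malformed."""
    for entry in parse_entries(text):
        values = entry.get("certificaterevocationlist")
        if values:
            der = values[0]
            if isinstance(der, str):
                raise ValueError("certificateRevocationList was not base64-encoded")
            # a CRL is one outer SEQUENCE whose length must cover the whole value
            if der_sequence_length(der) != len(der):
                raise ValueError("value is not a single DER SEQUENCE; not writing it")
            return der
    raise ValueError("no certificateRevocationList attribute in LDAP output")


if __name__ == "__main__":
    # usage: curl ldap://host/... | python extract_crl.py > crl.der
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDAP_OUTPUT
    sys.stdout.buffer.write(extract_crl(src))
```

The DER length check is deliberately shallow: it does not parse the CertificateList structure, it only confirms that the decoded bytes are one complete outer SEQUENCE, so a truncated download or a grep match that picked up a neighbouring line fails here instead of producing a silently unusable `crl.der`. The resulting file can then be converted or inspected with the `openssl crl -inform DER ...` commands from the answers above.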