using heimdal x509 functions for certificate handling rather than gnutls
Matthieu Patou
mat at samba.org
Sun Aug 8 04:24:43 MDT 2010
Dear all,

I'm pretty inclined to think that the subject says it all.

Let me explain the reason for my question: I am currently working on
the backup key remote protocol implementation (ms-bkrp.pdf).
Globally this protocol is about encrypting and decrypting data blobs
with the server's public and private key.
When a client wants to decrypt some data it sends to the server the
ciphered text and the id of the key that has been used for encryption.
The id of the key is contained in the certificate that the server
sends to clients when they want to encrypt; it is not sent separately.
So the client solely relies on this id information for identifying the
server's key. The problem I faced when first trying with gnutls is
that this ID is stored in the subjectUniqueID field of the certificate (as
indicated on page 14 of ms-bkrp.pdf), and this field is optional and is now
more or less deprecated (it's clearly stated this way in openssl; in
gnutls it's not possible to get the value or to set it).

With both openssl and gnutls it's not possible to get (needed for the
client implementation) and set this field (needed for the server
implementation); it's also not the case with the heimdal implementation as well.

So one of the libraries needs to be patched to allow querying and
setting this field. It might be possible to get this patch into the
mainline of gnutls, openssl or heimdal, but it will take time because
first the patch has to be accepted by the developers and then it has to make
its way into the main distros, and during this period people who want to
have the backup protocol implementation will need to have a specially
patched library, and as far as I am concerned I don't much like having
a patched lib when it's related to core security things.

On the other hand, as we already embed heimdal, we can just patch the
current version of heimdal, and carry on like this up to the moment when our
patch goes mainline. I also suppose that this will be much quicker
than with the others, as Love is also a samba team member.

Although this protocol seems fairly simple (and it is), it's quite
important as it's heavily used in the DPAPI of Microsoft. This API is
used to store, in a secure way, passwords for certificates in the
registry. Without this API, every time the account password changes, the
certificate has to be removed and reimported. And trust me, it's very
unpleasant, as it's not rare for companies to use certificates (i.e. for
WPA-EAP aka enterprise wifi or for 802.11x), so clearly implementing the
backup protocol is a real plus for samba4 and I guess it's worth the effort.

Do you have any comments?

Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
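
Added example, not part of the original message and not Samba or Heimdal code: a minimal DER walk that pulls the subjectUniqueID field discussed above out of a certificate without relying on a library accessor. The names der_hdr, subject_unique_id and sample_cert are hypothetical, and the sample bytes (including the 16-byte id) are a constructed skeleton, not a real certificate.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one DER header at p; return pointer to the content, NULL if malformed. */
static const uint8_t *der_hdr(const uint8_t *p, const uint8_t *end,
                              uint8_t *tag, size_t *len)
{
    if (end - p < 2) return NULL;
    *tag = *p++;
    size_t l = *p++;
    if (l & 0x80) {                      /* long form: next n octets hold the length */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - p) < n) return NULL;
        for (l = 0; n--; ) l = (l << 8) | *p++;
    }
    if ((size_t)(end - p) < l) return NULL;   /* content must fit in the buffer */
    *len = l;
    return p;
}

/* Locate subjectUniqueID ([2] IMPLICIT BIT STRING, tag 0x82) in tbsCertificate.
 * Returns 0 and points *id at the bits (unused-bits octet skipped), else -1. */
int subject_unique_id(const uint8_t *der, size_t n, const uint8_t **id, size_t *idlen)
{
    uint8_t tag; size_t len;
    const uint8_t *p = der_hdr(der, der + n, &tag, &len);     /* Certificate */
    if (!p || tag != 0x30) return -1;
    p = der_hdr(p, p + len, &tag, &len);                      /* tbsCertificate */
    if (!p || tag != 0x30) return -1;
    for (const uint8_t *end = p + len; p < end; p += len) {   /* walk its fields */
        if (!(p = der_hdr(p, end, &tag, &len))) return -1;
        if (tag == 0x82 && len >= 1 && p[0] == 0) {
            *id = p + 1; *idlen = len - 1;
            return 0;
        }
    }
    return -1;                                                /* field absent */
}

/* Constructed skeleton: empty names and key, not a valid signed certificate. */
const uint8_t sample_cert[] = {
    0x30,0x2c, 0x30,0x25, 0xa0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01,
    0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00, 0x30,0x00,
    0x82,0x11,0x00, 0xde,0xad,0xbe,0xef,0x00,0x01,0x02,0x03,  /* constructed id */
                    0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,
    0x30,0x00, 0x03,0x01,0x00 };
```

The function returns -1 both when the optional field is absent and when the buffer is truncated, so a client using it must treat -1 as "cannot identify the server key" rather than falling back to another field.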