using heimdal x509 functions for certificate handling rather than gnutls

Matthieu Patou mat at
Sun Aug 8 04:24:43 MDT 2010

  Dear all,

I'm pretty inclined to think that the subject says it all.
Let me explain the reason for my question: I am currently working on a 
backup key remote protocol implementation (ms-bkrp.pdf).
Globally this protocol is about encrypting and decrypting data blobs 
with the server's public and private keys.
When a client wants to decrypt some data it sends to the server the 
ciphered text and the id of the key that has been used for encryption.
The id of the key is contained in the certificate that the server 
sends to clients when they want to encrypt; it is not sent separately.

So the client relies solely on this id information to identify the 
server's key. The problem I faced when first trying with gnutls is 
that this ID is stored in the subjectUniqueID field of the certificate (as 
indicated on page 14 of ms-bkrp.pdf) and this field is optional and is now 
more or less deprecated (it's clearly stated this way in openssl; in 
gnutls it's not possible to get the value or to set it).

With both openssl and gnutls it's not possible to get (needed for the 
client implementation) and set this field (needed for the server 
implementation); it's also not the case with the heimdal implementation.
So one of the libraries needs to be patched to allow querying and 
setting this field. It might be possible to get this patch into the 
mainline of gnutls, openssl or heimdal, but it will take time because 
first the patch has to be accepted by developers and then it has to make 
its way into the main distros, and during this period people who want to 
have the backup protocol implementation will need to have a specially 
patched library, and as far as I am concerned I don't much like having 
a patched lib when it's related to core security things.
On the other hand, as we already embed heimdal, we can just patch the 
current version of heimdal, and do it like this up to the moment when our 
patch goes mainline. I also suppose that this will be much quicker 
than with the others, as Love is also a Samba Team member.

Although this protocol seems fairly simple (and it is), it's quite 
important as it's heavily used in Microsoft's DPAPI. This API is 
used to store in a secure way passwords for certificates in the 
registry. Without this API, every time the account password changes, 
the certificate has to be removed and reimported. And trust me it's very 
unpleasant, as it's not rare for companies to use certificates (i.e. for 
WPA-EAP aka enterprise wifi or for 802.11x), so clearly implementing the 
backup protocol is a real plus for samba4 and I guess it's worth the effort.

Do you have any comments?


Matthieu Patou
Samba Team
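
The field discussed in the message above, as an added example (not code from the post, Samba or Heimdal): a minimal DER walker in Python that reads the optional subjectUniqueID ([2] IMPLICIT BIT STRING) from a certificate's tbsCertificate without going through a TLS library's accessor API. The helper names, the `sample_cert` skeleton and the 16-byte `KEY_ID` are constructed for illustration.

```python
def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER TLV starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length

def subject_unique_id(cert_der):
    """Return the subjectUniqueID bytes, or None when the optional field is absent."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    tbs_tag, tbs, _ = read_tlv(cert, 0)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER certificate")
    fields, off = [], 0
    while off < len(tbs):
        tag, value, off = read_tlv(tbs, off)
        fields.append((tag, value))
    if fields and fields[0][0] == 0xA0:    # optional [0] EXPLICIT version
        fields = fields[1:]
    for tag, value in fields[6:]:          # skip serial, sigalg, issuer, validity, subject, SPKI
        if tag == 0x82:                    # [2] IMPLICIT BIT STRING
            return value[1:]               # first octet is the unused-bits count
    return None

def tlv(tag, value):
    """Encode one definite-length DER TLV (used only to build the sample)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_cert(unique_id=None):
    """Constructed skeleton with empty placeholder fields; not a valid certificate."""
    empty = tlv(0x30, b"")
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 5
    if unique_id is not None:
        tbs += tlv(0x82, b"\x00" + unique_id)
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))

KEY_ID = bytes(range(16))  # constructed 16-byte identifier, for illustration only
```

`subject_unique_id(sample_cert(KEY_ID))` returns the identifier, and `subject_unique_id(sample_cert())` returns `None` because the field is optional.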