using heimdal x509 functions for certificate handling rather than gnutls

Andrew Bartlett abartlet at
Mon Aug 9 20:01:04 MDT 2010

On Sun, 2010-08-08 at 14:24 +0400, Matthieu Patou wrote:
> Dear all,
> I'm pretty inclined to think that the subject says it all.
> Let me explain the reason for my question: I am currently working on 
> a backup key remote protocol implementation (ms-bkrp.pdf).
> Globally this protocol is about encrypting and decrypting data blobs 
> with the server's public and private key.
> When a client wants to decrypt some data it sends to the server the 
> ciphered text and the id of the key that has been used for encryption.
> The id of the key is contained in the certificate that the server 
> sends to the client when it wants to encrypt; it is not sent separately.

> Although this protocol seems fairly simple (and it is), it's quite 
> important as it's heavily used in the DPAPI of Microsoft. This API is 
> used to store in a secure way passwords for certificates in the 
> registry. Without this API, every time the account password changes, the 
> certificate has to be removed and reimported. And trust me, it's very 
> unpleasant, as it's not rare for companies to use certificates (i.e. for 
> WPA-EAP aka enterprise wifi or for 802.11x), so clearly implementing the 
> backup protocol is a real plus for samba4 and I guess it is worth the effort.

It seems quite reasonable to use Heimdal here, if Love is happy to have
it extended in the way you need.  We already use hx509 for the PKINIT

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Cisco Inc.