[PATCH 05/10] s4-backupkey: Set defined cert serialnumber

Arvid Requate requate at univention.de
Mon Jul 7 11:14:53 MDT 2014


[MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate
should be set identical to the subjectUniqueID. In practice, certificates
generated by native AD have this field encoded in little-endian format.
See also
https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html

Signed-off-by: Arvid Requate <requate at univention.de>
---
 source4/rpc_server/backupkey/dcesrv_backupkey.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c 
b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index cf62323..046efb9 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -833,7 +833,8 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, 
hx509_context *hctx, hx509_request
        hx509_name subject = NULL;
        hx509_ca_tbs tbs;
        struct heim_bit_string uniqueid;
-       int ret;
+       struct heim_integer serialnumber;
+       int ret, i;
 
        uniqueid.data = talloc_memdup(ctx, guidblob->data, guidblob->length);
        if (uniqueid.data == NULL) {
@@ -845,6 +846,22 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, 
hx509_context *hctx, hx509_request
         */
        uniqueid.length = 8 * guidblob->length;
 
+       serialnumber.data = talloc_array(ctx, uint8_t,
+                                           guidblob->length);
+       if (serialnumber.data == NULL) {
+               talloc_free(uniqueid.data);
+               return WERR_NOMEM;
+       }
+
+       /* Native AD generates certificates with serialnumber in reversed 
notation */
+       for(i=0; i< guidblob->length; i++) {
+               uint8_t *reversed = (uint8_t *)serialnumber.data;
+               uint8_t *uncrypt = guidblob->data;
+               reversed[i] = uncrypt[guidblob->length - 1 - i];
+       }
+       serialnumber.length = guidblob->length;
+       serialnumber.negative = 0;
+
        memset(&spki, 0, sizeof(spki));
 
        ret = hx509_request_get_name(*hctx, *req, &subject);
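Review bot: The reversal loop compares the `int i` declared in the first hunk (`int ret, i;`) against `guidblob->length`, which for a Samba DATA_BLOB is presumably a `size_t`, so this is a signed/unsigned comparison that `-Wsign-compare` will flag and that reads as unsafe even though a GUID blob is only 16 bytes. Declaring the index as `size_t i;` and hoisting the two pointer aliases out of the loop body (they are loop-invariant and the `uncrypt` name says nothing about what the buffer is) keeps the intent clear. The comment on the loop would also be more useful if it tied the reversal to the spec cited in the commit message, e.g. `/* [MS-BKRP] 2.2.1: the serial number mirrors the subjectUniqueID; native AD stores it byte-reversed (little-endian) */`. self_sign_cert's body continues outside this hunk.
```c
serialnumber.data = talloc_array(ctx, uint8_t, guidblob->length);
/* … unchanged: NULL check and WERR_NOMEM return … */

/* [MS-BKRP] 2.2.1: the serial number mirrors the subjectUniqueID;
 * native AD stores it byte-reversed (little-endian) */
const uint8_t *guid_bytes = guidblob->data;
uint8_t *serial_bytes = serialnumber.data;
for (i = 0; i < guidblob->length; i++) {
	serial_bytes[i] = guid_bytes[guidblob->length - 1 - i];
}
serialnumber.length = guidblob->length;
serialnumber.negative = 0;
```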
@@ -881,6 +898,10 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, 
hx509_context *hctx, hx509_request
        if (ret !=0) {
                goto fail;
        }
+       ret = hx509_ca_tbs_set_serialnumber(*hctx, tbs, &serialnumber);
+       if (ret !=0) {
+               goto fail;
+       }
        ret = hx509_ca_sign_self(*hctx, tbs, *private_key, cert);
        if (ret !=0) {
                goto fail;
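Review bot: The failure path of the new hx509_ca_tbs_set_serialnumber call jumps to `fail`, whose body is outside this hunk, while the allocation-failure path added earlier in this patch releases `uniqueid.data` with an explicit `talloc_free` before returning. If `fail:` likewise frees `uniqueid.data` explicitly, `serialnumber.data` should be released there in the same way so the two buffers are handled consistently; if it does not, both remain owned by `ctx` and are reclaimed with it, which is worth stating in a comment so the asymmetry is not mistaken for an oversight. self_sign_cert's body continues outside this hunk.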
-- 
2.0.0.rc2


