[MS-BKRP] backupkey server and GnuTLS

Andrew Bartlett abartlet at samba.org
Thu Nov 12 22:53:13 UTC 2015

On Thu, 2015-11-12 at 12:04 +0100, Andreas Schneider wrote:
> Hello,
> I've started to migrate the backupkey server implementation to
> GnuTLS.

Great!  Having this use two crypto frameworks was insane - but
required... :-)

> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master
> -backupkey
> The 5 patches before the TODO patch are working and pass the tests.
> They can 
> be pushed upstream.
> To move on we have an issue. GnuTLS doesn't provide a function to set
> the 
> issuer unique id on a certificate. There is also no workaround
> because the 
> flag is cleared before singing. The function will be added to the
> next GnuTLS 
> release.
> The bug for that is:
> https://bugzilla.redhat.com/show_bug.cgi?id=1281343
> As soon as the function is available I will add functions to use
> GnuTLS, if 
> not we will use the existing heimdal code. This means with a MIT KDC
> build you 
> will need a recent GnuTLS release.

I think that also fixes some other issues we had.  In particular, see
the comments around gnutls_privkey_export_rsa_raw() and please add some
kind of assertion that this is fixed in the version used. 

Please double-check this with Garming before this gets merged - he got
his head into this pretty well, and ensure you test against Windows
(open credentials manager in Windows 8.1 with a fresh profile).  I say
this given the subtle bugs we had earlier this year.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the samba-technical mailing list