[MS-BKRP] backupkey server and GnuTLS
Andrew Bartlett
abartlet at samba.org
Thu Nov 12 22:53:13 UTC 2015
On Thu, 2015-11-12 at 12:04 +0100, Andreas Schneider wrote:
> Hello,
>
> I've started to migrate the backupkey server implementation to GnuTLS.
Great! Having this use two crypto frameworks was insane - but
required... :-)
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-backupkey
>
> The 5 patches before the TODO patch are working and pass the tests. They can
> be pushed upstream.
>
> To move on we have an issue. GnuTLS doesn't provide a function to set the
> issuer unique id on a certificate. There is also no workaround because the
> flag is cleared before signing. The function will be added to the next GnuTLS
> release.
>
> The bug for that is:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1281343
>
> As soon as the function is available I will add functions to use GnuTLS, if
> not we will use the existing heimdal code. This means with a MIT KDC build you
> will need a recent GnuTLS release.
I think that also fixes some other issues we had. In particular, see
the comments around gnutls_privkey_export_rsa_raw() and please add some
kind of assertion that this is fixed in the version used.
Please double-check this with Garming before this gets merged - he got
his head into this pretty well, and ensure you test against Windows
(open credentials manager in Windows 8.1 with a fresh profile). I say
this given the subtle bugs we had earlier this year.
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba