[MS-BKRP] backupkey server and GnuTLS

Andreas Schneider asn at samba.org
Fri Nov 13 07:30:19 UTC 2015


On Friday 13 November 2015 11:53:13 Andrew Bartlett wrote:
> On Thu, 2015-11-12 at 12:04 +0100, Andreas Schneider wrote:
> > Hello,
> > 
> > I've started to migrate the backupkey server implementation to
> > GnuTLS.
> 
> Great!  Having this use two crypto frameworks was insane - but
> required... :-)
> 
> > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-backupkey
> > 
> > The 5 patches before the TODO patch are working and pass the tests.
> > They can be pushed upstream.
> > 
> > To move on we have an issue. GnuTLS doesn't provide a function to set
> > the issuer unique id on a certificate. There is also no workaround
> > because the flag is cleared before signing. The function will be added
> > to the next GnuTLS release.
> > 
> > The bug for that is:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1281343
> > 
> > 
> > As soon as the function is available I will add functions to use
> > GnuTLS, if not we will use the existing heimdal code. This means with
> > a MIT KDC build you will need a recent GnuTLS release.
> 
> I think that also fixes some other issues we had.  In particular, see
> the comments around gnutls_privkey_export_rsa_raw() and please add some
> kind of assertion that this is fixed in the version used.

I'm not sure which endianness is needed. I will ask Nikos.

> Please double-check this with Garming before this gets merged - he got
> his head into this pretty well, and ensure you test against Windows
> (open credentials manager in Windows 8.1 with a fresh profile).  I say
> this given the subtle bugs we had earlier this year.

Can you please explain in a bit more detail how to test this?


Thanks,


	-- andreas


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org


