[MS-BKRP] backupkey server and GnuTLS

Andreas Schneider asn at samba.org
Thu Nov 26 15:55:31 UTC 2015

On Friday 20 November 2015 10:44:04 Andrew Bartlett wrote:
> > So I hope you can explain the testing procedures you used ...
> This is what we did (we used libvirt snapshot VMs):
> - Take a Dec 2014 patched Windows 8.1 machine that has never, ever been
> joined to the domain
> - Join to the domain
> - Log in as administrator
> - Open Credentials Manager (part of control panel, can be searched for)
> - If it gives an error, then there is an issue, if it opens correctly
> you are OK.

Hi Andrew,

I've tested with Windows 8.1 and fixed the remaining bugs. After I identified 
the remaining issues, I've improved the torture test. It doesn't only validate 
the RSA key bits but also the rest of the cert. I run the test against Windows 
2012 to fine tune it.

You can find the patchset for review here:


That we are completely using GnuTLS you need version 3.4.7. This version 
offers gnutls_x509_crt_set_issuer_unique_id(). I check for this symbol and if 
found we only build the backupkey server using GnuTLS. If not the certificate 
self signing part still uses Heimdal.

The top commit is an additional torture test which only works against Windows 
and backupkey built with GnuTLS 3.4.7.

Attached shows that Windows 8.1 Credentials Manager is working.

Please review and push!


	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: backupkey.png
Type: image/png
Size: 549030 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151126/96dc4095/backupkey-0001.png>

More information about the samba-technical mailing list