[MS-BKRP] backupkey server and GnuTLS

Andreas Schneider asn at samba.org
Mon Nov 30 09:56:20 UTC 2015

On Monday 30 November 2015 11:45:07 Garming Sam wrote:
> Hi Andreas,

Hi Garming,

> I've looked through all the patches and I'm fairly happy with them.
> There are a few things I noticed though, but apart from those you can
> effectively consider me signed off.
>
> s4-torture: Migrate get_cert_guid() from backupkey to GnuTLS
> In this patch, I noticed that there's a predefined size for the issuer
> unique id. I was wondering if it would be more appropriate to avoid this
> assumption (calling the function twice to get the correct length). The
> same goes for the additional torture tests that you've added. Assuming
> that all these checks pass on Windows, then they're definitely helpful
> additions.


> s4-rpc-bkrp: Use GnuTLS API for hash functions
> I'm well aware that GNUTLS_MAC_SHA1 refers to the same constant as its
> digest counterpart, but if it is doing a plain digest, then the
> appropriate constant should probably be used (especially when skimming,
> it's one of the more obvious things to notice).


> s4-rpc-bkrp: Self sign the certificate using GnuTLS
> In the function, generate_bkrp_cert, it looks like you may have missed
> 'gnutls_privkey_deinit(issuer_privkey)' on the first return of WERR_NOMEM.


> I also noticed you removed the CA status, which was the other thing I
> was going to comment on.

I've looked at the certificates which Windows creates and they do not set the
CA status at all! Heimdal always adds CA status information.

I've implemented it the same way with GnuTLS as Windows does. See the top
commit which adds the torture test, run it against Windows and you will notice
that it will pass ...

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
