I want to make ADCS support better and I need some advice

Joe Dillon joseph at outurnate.com
Sun Nov 19 02:54:30 UTC 2023

On Wed, Nov 15, 2023, at 2:41 PM, David Mulder via samba-technical wrote:
> On 11/13/23 2:53 PM, Joe Dillon via samba-technical wrote:
> > AIX support is a tier-3 target in rust: https://github.com/rust-lang/compiler-team/issues/553.  Samba already dev-depends on rust (selftest requires python3-cryptography).  What's usually a showstopper for rust is gcc support.
> >
> > In my opinion, it makes the most sense to not re-invent the wheel though.  I had to write a Certificate Management over CMS implementation in rust because one didn't exist.  Python has python-cmc.  Would pulling in a dependency on python-asn1crypto be acceptable?  As I understand the source, the samba python module doesn't pull in any dependencies right now?
> >
> > Am I correct that the modules samba.dcerpc and ldb are currently undocumented?
> I've hacked up a way to build Rust via WAF here: 
> https://gitlab.com/samba-team/samba/-/merge_requests/3394
> This is ugly right now. There is probably a better way to do this. I 
> don't understand WAF well enough to make sensible changes here.
> -- 
> David Mulder
> Labs Software Engineer, Samba
> 1221 S Valley Grove Way, Suite 500
> Pleasant Grove, UT 84062
> (P)+1 385.208.2989
> dmulder at suse.com
> http://www.suse.com

I managed to get the IDL for ICPR translated to PIDL.  Would appreciate some feedback on the IDL, in particular, on the dwFlags struct.  It has 8 bits of padding at the end and I wasn't able to discern what the convention is for reserved/padding bits in structs.  See here: https://gitlab.com/Outurnate/samba/-/commit/e7520d74583b0fb3cfeac0783ae741f197f8eb99#note_1657603227

Right now, certificate enrollment relies on python-cryptography, which has rust components.  It uses the asn1 crate - my CMC implementation in rust uses the bcder crate, because that's what the CMS crate uses.  Design-wise, I have a few options, and I'm seeking some guidance here:

1) Pull a new dependency on python-cmc and by extension asn1crypto.  This will bring the number of asn1 parser libraries in samba to four (that I can count) - samba's asn1 lib, pyasn1 used in the test suite, and rust's asn1 crate.
2) Write a new, minimal CMS and CMC implementation in rust on top of the asn1 crate, thus introducing no new dependencies.  This implementation would then be exposed to python to be combined with cepces and ldb to form a complete implementation.
3) Have ICPR be the only in-tree component of this.  Shunt the rest of the implementation off to a certmonger helper binary.  This was my original design concept.  There would be a slight circular dependency - the helper would be dylinked to samba, then python would shell out to it during enrollment (like cepces).

Any direction is appreciated.

Joe Dillon
