I want to make ADCS support better and I need some advice

Andrew Bartlett abartlet at samba.org
Mon Nov 20 01:26:49 UTC 2023

On Sat, 2023-11-18 at 21:54 -0500, Joe Dillon via samba-technical
> I managed to get the IDL for ICPR translated to PIDL.  Would
> appreciate some feedback on the IDL, in particular, on the dwFlags
> struct.  It has 8 bits of padding at the end and I wasn't able to
> discern what the convention is for reserved/padding bits in
> structs.  See here:
> https://gitlab.com/Outurnate/samba/-/commit/e7520d74583b0fb3cfeac0783ae741f197f8eb99#note_1657603227
>
> Right now, certificate enrollment relies on python-cryptography,
> which has rust components.  It uses the asn1 crate - my CMC
> implementation in rust uses the bcder crate, because that's what the
> CMS crate uses.  Design-wise, I have a few options, and I'm seeking
> some guidance here:

I wouldn't count python-cryptography as Rust for Samba's purposes; it
is packaged on all our platforms so appears to us just as any other
system dependency, not even requiring a 'pip install'.
We already use it extensively in Samba's testsuite.

> 1) Pull a new dependency on python-cmc and by extension
> asn1crypto.  This will bring the number of asn1 parser libraries in
> samba to four (that I can count) - samba's asn1 lib, pyasn1 used in
> the test suite, and rust's asn1 crate.
> 2) Write a new, minimal CMS and CMC implementation in rust on top of
> the asn1 crate, thus introducing no new dependencies.  This
> implementation would then be exposed to python to be combined with
> cepces and ldb to form a complete implementation.
> 3) Have ICPR be the only in-tree component of this.  Shunt the rest
> of the implementation off to a certmonger helper binary.  This was
> my original design concept.  There would be a slight circular
> dependency - the helper would be dylinked to samba, then python
> would shell out to it during enrollment (like cepces).

So far, as a system package, Samba has chosen to rely only on software
packaged on our major platforms, not the language ecosystem package

I'm not sure that this is something we can hold to going forward, but
now with a new language coming into the mix might be the time to
examine our rules.  I wouldn't want to be doing a massive amount of
duplicate work to stick to this rule, without first thinking about it
very carefully.  

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
