authorArvid Requate <requate@univention.de>2014-07-07 18:18:30 +0200
committerAndrew Bartlett <abartlet@samba.org>2015-02-25 01:08:11 +0100
commit577fa69b5287b047ee2564786e19c9941a25734c (patch)
treefd38d4f8fdcba8c7a4e33bdd4eeedcd6bfc939ba
parent525c93caa6c264de7c0cb463d005d3dcda7e45af (diff)
s4-backupkey: Set defined cert serialnumber
[MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate should be set identical to the subjectUniqueID. In fact certificates generated by native AD have this field encoded in little-endian format. See also https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html Signed-off-by: Arvid Requate <requate@univention.de> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r--source4/rpc_server/backupkey/dcesrv_backupkey.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 5db7685e67..f748cd1c39 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -833,7 +833,8 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request
hx509_name subject = NULL;
hx509_ca_tbs tbs;
struct heim_bit_string uniqueid;
- int ret;
+ struct heim_integer serialnumber;
+ int ret, i;
uniqueid.data = talloc_memdup(ctx, guidblob->data, guidblob->length);
if (uniqueid.data == NULL) {
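Review bot: The new `int ret, i;` declares the loop counter as `int`, but the next hunk compares it against `guidblob->length` and computes `guidblob->length - 1 - i`; if guidblob is a DATA_BLOB that length is a `size_t`, so the comparison is signed/unsigned and trips `-Wsign-compare`. Declare the counter with the length's type instead, `int ret;` and `size_t i;`. self_sign_cert's body continues outside the hunk.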
@@ -845,6 +846,22 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request
*/
uniqueid.length = 8 * guidblob->length;
+ serialnumber.data = talloc_array(ctx, uint8_t,
+ guidblob->length);
+ if (serialnumber.data == NULL) {
+ talloc_free(uniqueid.data);
+ return WERR_NOMEM;
+ }
+
+ /* Native AD generates certificates with serialnumber in reversed notation */
+ for (i = 0; i < guidblob->length; i++) {
+ uint8_t *reversed = (uint8_t *)serialnumber.data;
+ uint8_t *uncrypt = guidblob->data;
+ reversed[i] = uncrypt[guidblob->length - 1 - i];
+ }
+ serialnumber.length = guidblob->length;
+ serialnumber.negative = 0;
+
memset(&spki, 0, sizeof(spki));
ret = hx509_request_get_name(*hctx, *req, &subject);
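Review bot: The two pointer declarations inside the reversal loop are loop-invariant and `uncrypt` is a misleading name for what is just the GUID bytes; hoist them above the loop as `uint8_t *reversed = serialnumber.data;` and `const uint8_t *guid = guidblob->data;` (the `(uint8_t *)` cast from `void *` is unnecessary in C) and index `guid[guidblob->length - 1 - i]` in the body. The comment would carry more weight tied to the spec the commit cites, e.g. `/* [MS-BKRP] 2.2.1: serialnumber == subjectUniqueID; native AD encodes it little-endian, i.e. the GUID bytes reversed */`. If guidblob->length could ever be 0 here, `talloc_array` of 0 elements succeeds and serialnumber becomes a zero-length INTEGER, which is not valid DER; presumably the caller guarantees a 16-byte GUID, and a one-line comment stating that assumption above the allocation would make the contract visible. The enclosing function starts and ends outside the hunk.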
@@ -881,6 +898,10 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request
if (ret !=0) {
goto fail;
}
+ ret = hx509_ca_tbs_set_serialnumber(*hctx, tbs, &serialnumber);
+ if (ret !=0) {
+ goto fail;
+ }
ret = hx509_ca_sign_self(*hctx, tbs, *private_key, cert);
if (ret !=0) {
goto fail;