sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-09-11 09:44:19 +03:00
Code Activity

gp: Convert CA certificates to base64

Browse Source 
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
to a string fails with the following:

'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte

We found a fix to be encoding the certificate to base64 when
constructing the CA list.

Section 4.4.5.2 of MS-CAESO also suggests that the content of
`cACertificate` is binary (OCTET string).

Signed-off-by: Gabriel Nagy <gabriel.nagy@canonical.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: David Mulder <dmulder@samba.org>
This commit is contained in:
Gabriel Nagy
2023-08-16 12:20:11 +03:00
committed by Andrew Bartlett
parent 1ef722cf66
commit 157335ee93
2 changed files with 2 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
python/samba/gp/gp_cert_auto_enroll_ext.py
View File

@@ -158,7 +158,7 @@ def fetch_certification_authorities(ldb):
for es in res: for es in res:
data = { 'name': get_string(es['cn'][0]), data = { 'name': get_string(es['cn'][0]),
'hostname': get_string(es['dNSHostName'][0]), 'hostname': get_string(es['dNSHostName'][0]),
'cACertificate': get_string(es['cACertificate'][0]) 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0]))
} }
result.append(data) result.append(data)
return result return result
@@ -176,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None):
return {'msPKI-Minimal-Key-Size': ['2048']} return {'msPKI-Minimal-Key-Size': ['2048']}
def format_root_cert(cert): def format_root_cert(cert):
cert = base64.b64encode(cert.encode()) return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL)
return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL)
def find_cepces_submit(): def find_cepces_submit():
certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger',

13
selftest/knownfail.d/gpo
View File

@@ -1,13 +0,0 @@
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext