From 577fa69b5287b047ee2564786e19c9941a25734c Mon Sep 17 00:00:00 2001
From: Arvid Requate <requate@univention.de>
Date: Mon, 7 Jul 2014 18:18:30 +0200
Subject: [PATCH] s4-backupkey: Set defined cert serialnumber

[MS-BKRP] 2.2.1 specifies that the serialnumber of the certificate
should be set identical to the subjectUniqueID. In fact certificates
generated by native AD have this field encoded in little-endian format.
See also
https://www.mail-archive.com/cifs-protocol@cifs.org/msg01364.html

Signed-off-by: Arvid Requate <requate@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
---
 source4/rpc_server/backupkey/dcesrv_backupkey.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 5db7685e67e..f748cd1c395 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -833,7 +833,8 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request
 	hx509_name subject = NULL;
 	hx509_ca_tbs tbs;
 	struct heim_bit_string uniqueid;
-	int ret;
+	struct heim_integer serialnumber;
+	int ret, i;
 
 	uniqueid.data = talloc_memdup(ctx, guidblob->data, guidblob->length);
 	if (uniqueid.data == NULL) {
@@ -845,6 +846,22 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request
 	 */
 	uniqueid.length = 8 * guidblob->length;
 
+	serialnumber.data = talloc_array(ctx, uint8_t,
+					    guidblob->length);
+	if (serialnumber.data == NULL) {
+		talloc_free(uniqueid.data);
+		return WERR_NOMEM;
+	}
+
+	/* Native AD generates certificates with serialnumber in reversed notation */
+	for (i = 0; i < guidblob->length; i++) {
+		uint8_t *reversed = (uint8_t *)serialnumber.data;
+		uint8_t *uncrypt = guidblob->data;
+		reversed[i] = uncrypt[guidblob->length - 1 - i];
+	}
+	serialnumber.length = guidblob->length;
+	serialnumber.negative = 0;
+
 	memset(&spki, 0, sizeof(spki));
 
 	ret = hx509_request_get_name(*hctx, *req, &subject);
@@ -881,6 +898,10 @@ static WERROR self_sign_cert(TALLOC_CTX *ctx, hx509_context *hctx, hx509_request
 	if (ret !=0) {
 		goto fail;
 	}
+	ret = hx509_ca_tbs_set_serialnumber(*hctx, tbs, &serialnumber);
+	if (ret !=0) {
+		goto fail;
+	}
 	ret = hx509_ca_sign_self(*hctx, tbs, *private_key, cert);
 	if (ret !=0) {
 		goto fail;
-- 
2.11.4.GIT