Bug 15946 - Serial number without issuer name is not considered a valid certificate mapping per MS-PKCA/KB5014754
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All, OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-13 14:08 UTC by Kacper
Modified: 2025-11-13 20:16 UTC (History)

See Also:

Attachments

Description Kacper 2025-11-13 14:08:49 UTC
The code that validates PKINIT strong certificate mapping currently only checks the serial number and does not validate the issuer name. This makes the mapping weak because multiple CAs could issue certificates with the same serial number. Additionally, this type of mapping is not listed as supported by Windows in MS-PKCA or KB5014754.

According to MS-PKCA, serial numbers should be mapped by the issuer and serial number fields: "X509:<I>" + Issuer Name field with "\r" and "\n" replaced with "," + "<SR>" + Serial Number field. (MS-PKCA p. 17 v20250603).

git-ref: a33d2e61feff514141e78251b5e95474fab87804
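As an added illustration of the mapping format quoted in the description (example code written for this page, not Samba's implementation and not taken from MS-PKCA or KB5014754): the helpers below build the "X509:<I>issuer<SR>serial" string, parse a stored altSecurityIdentities value back into its tagged parts, classify it as strong or weak, and compare it against a presented certificate's issuer and serial. The tag names follow MS-PKCA/KB5014754; the strong/weak sets, the CRLF handling in normalize_issuer, and the reverse_serial_bytes helper are this example's reading of those documents, and the issuer and serial values are constructed, not from any real certificate.

```python
"""Issuer+serial (X509IssuerSerialNumber) certificate mapping helpers.

Added example for the MS-PKCA format quoted in the bug report; this is not
Samba code.  Sample issuer and serial values below are constructed.
"""
import re

# Tags MS-PKCA / KB5014754 use inside an "X509:" altSecurityIdentities value.
_TAG_RE = re.compile(r"(<(?:I|S|SR|SKI|SHA1-PUKEY|RFC822)>)")

# Tag combinations KB5014754 lists as strong: issuer+serial, SKI, SHA1 public key.
# A bare <SR>, <S> alone, <I>+<S> and <RFC822> are not in this set.
STRONG_TAG_SETS = (
    frozenset({"<I>", "<SR>"}),
    frozenset({"<SKI>"}),
    frozenset({"<SHA1-PUKEY>"}),
)

# Constructed sample values (not from a real certificate).
SAMPLE_ISSUER_DISPLAY = "CN=Example Issuing CA\r\nO=Example Corp\r\nC=US"
SAMPLE_SERIAL = "2B0000000011AC0000000012"


def normalize_issuer(issuer_name: str) -> str:
    """MS-PKCA: the issuer name with "\\r" and "\\n" replaced by ",".

    Assumption of this example: a CRLF pair counts as one separator and
    whitespace around each RDN is dropped, so a multi-line display form and a
    one-line "CN=a,O=b" form compare equal.
    """
    parts = re.split(r"[\r\n]+", issuer_name)
    return ",".join(p.strip() for p in parts if p.strip())


def build_issuer_serial_mapping(issuer_name: str, serial_hex: str) -> str:
    """Return "X509:<I>" + issuer + "<SR>" + serial, per MS-PKCA."""
    return f"X509:<I>{normalize_issuer(issuer_name)}<SR>{serial_hex.upper()}"


def parse_mapping(mapping: str) -> dict:
    """Split an "X509:" mapping into {tag: value}; raise ValueError on junk."""
    if not mapping.startswith("X509:"):
        raise ValueError("not an X509 altSecurityIdentities value")
    # Splitting on the capturing group yields ['', tag, value, tag, value, ...].
    pieces = _TAG_RE.split(mapping[len("X509:"):])
    if pieces[0] != "" or len(pieces) < 3:
        raise ValueError("mapping must start with a <TAG>")
    return dict(zip(pieces[1::2], pieces[2::2]))


def is_strong_mapping(parts: dict) -> bool:
    """True only for the KB5014754 strong forms with non-empty values.

    A serial number without an issuer name (the case raised in this bug) is
    therefore rejected here, as is <I>+<S>.
    """
    present = {tag for tag, value in parts.items() if value}
    return any(required <= present for required in STRONG_TAG_SETS)


def reverse_serial_bytes(serial_hex: str) -> str:
    """Convert between certutil's displayed serial and the byte-reversed form
    that KB5014754's worked example places after <SR> (assumption: this
    example's reading of that KB article)."""
    return bytes.fromhex(serial_hex)[::-1].hex().upper()


def mapping_matches(mapping: str, cert_issuer: str, cert_serial_hex: str) -> bool:
    """Compare a stored mapping with a presented certificate's issuer/serial.

    Only the issuer+serial form is compared; <SKI> and <SHA1-PUKEY> need key
    material and return False here.  Both issuer and serial must match.
    """
    parts = parse_mapping(mapping)
    if not is_strong_mapping(parts):
        return False
    if "<I>" not in parts or "<SR>" not in parts:
        return False
    return (parts["<I>"] == normalize_issuer(cert_issuer)
            and parts["<SR>"].upper() == cert_serial_hex.upper())


if __name__ == "__main__":
    mapping = build_issuer_serial_mapping(SAMPLE_ISSUER_DISPLAY, SAMPLE_SERIAL)
    print(mapping)
    print("strong:", is_strong_mapping(parse_mapping(mapping)))
    print("serial-only strong:", is_strong_mapping(parse_mapping("X509:<SR>" + SAMPLE_SERIAL)))
    print("matches:", mapping_matches(mapping, "CN=Example Issuing CA,O=Example Corp,C=US", SAMPLE_SERIAL))
```

Two caveats when feeding real data into this: the comparison is a plain string match, so the issuer must be supplied in the same RDN order and encoding as the stored value (KB5014754's example writes both the issuer RDNs and the serial bytes in the reverse of certutil's display order, which is why reverse_serial_bytes exists), and a value that contains a literal "<SR>"-like substring inside an RDN would confuse the tag splitter; a production parser should decode the issuer from the certificate's DER rather than from a display string.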
Comment 1 Kacper 2025-11-13 14:45:08 UTC
My bad, is_strong_certificate_mapping() correctly identifies issuer_name and serial_number as a strong mapping.
Comment 2 Jennifer Sutton 2025-11-13 20:16:26 UTC
We could still implement the "\r" and "\n" mappings, as I don’t think we do those yet.