NetworkManager should support smartcard based certificate

Bug #120363 reported by Carles Fernàndez Julià
90
This bug affects 14 people
Affects Status Importance Assigned to Milestone
network-manager (Ubuntu)
Triaged
High
Unassigned
Nominated for Lucid by David Smith

Bug Description

Binary package hint: network-manager

In our organization we use WPA -TKIP -TLS with certificates stored in smartcards.
I guess wpa_supplicant can support smartcards througt defining an external engine. (opensc or openssl)
NetworkManager's gui for wpa enterprise doesn't have any option to use smartcards.

I think it would be very usefull

Changed in network-manager:
importance: Undecided → Wishlist
status: New → Confirmed
Revision history for this message
Edouard Lafargue (edouard-lafargue) wrote :

It would indeed be useful. OpenVPN 2.1 also supports smart cards and networkmanager should be able to use smart cards as well, though it's not the case yet...

Revision history for this message
Alexander Sack (asac) wrote :

In theory wpasupplicant should support smart cards in intrepid now. Can you test report back?

Revision history for this message
David Smith (dds) wrote :

I've written patches to support this in nm-core and nm-applet. I think the one for nm-core can be included easily and used from the system settings daemon, but the patch for the applet changes the EAP-TLS UI a bit so I think it needs more work before inclusion in Ubuntu.

See the following bugzilla bugs for the patches:

http://bugzilla.gnome.org/show_bug.cgi?id=537237
http://bugzilla.gnome.org/show_bug.cgi?id=537239

Revision history for this message
David Smith (dds) wrote :

*bump* Could the patch at http://bugzilla.gnome.org/show_bug.cgi?id=537237 be included in the next release of the package?

Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 120363] Re: NetworkManager should support smartcard based certificate

On Tue, Dec 02, 2008 at 02:03:34AM -0000, David Smith wrote:
> *bump* Could the patch at
> http://bugzilla.gnome.org/show_bug.cgi?id=537237 be included in the next
> release of the package?
>

That patch is quite huge and we need to backport it ABI wise ... so it
might take some time, but its definitly on my backport list.

FWIW, network-manager team PPA will get a final 0.7 build soon ... and
its fixed there according to upstream.

 - Alexander.

Revision history for this message
David Smith (dds) wrote :

OK, that sounds good.

Is the upstream work you're mentioning their inclusion of libnss support (and by extension its smartcard support)? If so, AFAICS that doesn't allow using smartcards for wireless connections until wpasupplicant gets extended with libnss support, which I was under the impression was very far away. Any clarification would be helpful.

Cheers,

Revision history for this message
Alexander Sack (asac) wrote :

On Thu, Dec 04, 2008 at 01:38:32PM -0000, David Smith wrote:
> OK, that sounds good.
>
> Is the upstream work you're mentioning their inclusion of libnss support
> (and by extension its smartcard support)? If so, AFAICS that doesn't
> allow using smartcards for wireless connections until wpasupplicant gets
> extended with libnss support, which I was under the impression was very
> far away. Any clarification would be helpful.

Well ... first we need to get basic TLS support in ubuntu - which is
fixed upstream, but backport as I said is tricky.

AFAIK, smartcard stuff isnt supported that easily in NM. Not really
sure how that is supposed to work. IIRC, wpasupplicant alone should
support tht though. Could you test and shed some light on the
wpasupplicant (when used manually and not through network-manager)
status for smartcard?

 - Alexander

Revision history for this message
David Smith (dds) wrote :

OK. First, what do you mean by basic TLS support in ubuntu? AFAICS the bits this bug depends on are already in place, everything but backporting this patch which doesn't appear to be that much work (I'm using it locally against your current NM0.7 package in intrepid).

To answer your second question, I wrote the patches for wpasupplicant to support configuring smartcards over dbus, that was included upstream many moons ago and is in the wpasupplicant version already shipping in intrepid. The patch that I'm asking to include gives libnm-util the ability to handle the necessary configuration parameters to send to wpasupplicant; it doesn't make setting them available in the applet yet but at least makes them usable from the system-settings facility or directly settable over dbus which on its own a huge benefit and makes NM completely usable for connecting to my 802.1x protected TLS network via the private key and certificate stored in my TPM chip, which is emulated as a smartcard to the system via opencryptoki. This is specifically intended for those of us who either realize that storing private keys on the filesystem is unsafe and want to better protect our security by using cryptographic hardware storage, or those of us at organizations who have a policy that these private keys must be stored in such format, e.g. for Windows, use of the MS crypto API storage which is bound to the TPM on the laptop. Does that answer your question?

Revision history for this message
Alexander Sack (asac) wrote :

On Sun, Dec 07, 2008 at 06:54:16AM -0000, David Smith wrote:
> OK. First, what do you mean by basic TLS support in ubuntu? AFAICS the
> bits this bug depends on are already in place, everything but
> backporting this patch which doesn't appear to be that much work (I'm
> using it locally against your current NM0.7 package in intrepid).

AFAIK, upstream landed this stuff against the "new" api (after the
accessor function migration) ... so I assume cherry picking doesnt
work. If the patches in bugzilla are _before_ the accessor migration
then yes, the backport should work easily and I am sorry for the
delay. If you want attach the patches you use here, so I can just add
them on next update round.

Again sorry for the delay. (also excuse if i miss some detail,
currently writing this mail from a plane).

>
> To answer your second question, I wrote the patches for wpasupplicant to
> support configuring smartcards over dbus, that was included upstream
> many moons ago and is in the wpasupplicant version already shipping in
> intrepid. The patch that I'm asking to include gives libnm-util the
> ability to handle the necessary configuration parameters to send to
> wpasupplicant; it doesn't make setting them available in the applet yet
> but at least makes them usable from the system-settings facility or
> directly settable over dbus which on its own a huge benefit and makes NM
> completely usable for connecting to my 802.1x protected TLS network via
> the private key and certificate stored in my TPM chip, which is emulated
> as a smartcard to the system via opencryptoki. This is specifically
> intended for those of us who either realize that storing private keys on
> the filesystem is unsafe and want to better protect our security by
> using cryptographic hardware storage, or those of us at organizations
> who have a policy that these private keys must be stored in such format,
> e.g. for Windows, use of the MS crypto API storage which is bound to the
> TPM on the laptop. Does that answer your question?

OK thanks. If the patches are attached to this bug I will look and use
them. If they are not it would be helpful to just attach them
explicitly here too.

(same plane excuse from above applies).

Thanks for your help and for understanding the delay on my side.

 - Alexander

Revision history for this message
David Smith (dds) wrote :

Hi Alex, I'm sorry for the wait. I updated the patch to build cleanly against the version of NM 0.7 in the PPA (0.7-0ubuntu1~nm1) and have attached it to the bug.

Happy new year,
- dds

Revision history for this message
David Smith (dds) wrote :

Err, the patch I attached introduced a regression. Fixed.

Revision history for this message
David Smith (dds) wrote :

Found another small regression.

Revision history for this message
Alexander Sack (asac) wrote :

On Wed, Jan 07, 2009 at 04:09:44AM -0000, David Smith wrote:
> Found another small regression.
>
> ** Attachment added: "updated patch for smartcard support in NM 0.7"
> http://launchpadlibrarian.net/20967538/pkcs11.patch
>

How about sending this to nm list too?

 - Alexander

Revision history for this message
David Smith (dds) wrote : Re: [Bug 120363] Re: NetworkManager should support smartcard based certificate

I updated the bug referenced above in NM's bugzilla with the new patch
as well as here.

On Thu, Jan 8, 2009 at 8:49 PM, Alexander Sack <email address hidden> wrote:
> On Wed, Jan 07, 2009 at 04:09:44AM -0000, David Smith wrote:
>> Found another small regression.
>>
>> ** Attachment added: "updated patch for smartcard support in NM 0.7"
>> http://launchpadlibrarian.net/20967538/pkcs11.patch
>>
>
> How about sending this to nm list too?
>
> - Alexander
>
> --
> NetworkManager should support smartcard based certificate
> https://bugs.launchpad.net/bugs/120363
> You received this bug notification because you are a direct subscriber
> of the bug.
>

--
- dds

Revision history for this message
David Smith (dds) wrote :

Ping. Now that NM 0.7 has landed in jaunty, it would be great if the patch could be applied to the released package.

Revision history for this message
David Smith (dds) wrote :

Ping. About two weeks since my last message with no response.

Revision history for this message
Alexander Sack (asac) wrote :

Committed revision 2991 to lp:~network-manager/network-manager/ubuntu.0.7 packaging branch (aka development release branch -> jaunty).

Changed in network-manager:
status: Confirmed → Fix Committed
Revision history for this message
Alexander Sack (asac) wrote :

do you know whether that patch already landed in 0.7 upstream branch (for 0.7.1)?

Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 120363] Re: NetworkManager should support smartcard based certificate

On Fri, Feb 13, 2009 at 05:34:50PM -0000, Alexander Sack wrote:
> do you know whether that patch already landed in 0.7 upstream branch
> (for 0.7.1)?
>

rebasing this patch to 0.7.1 git snapshot went well. Its also fixed in
lp:~network-manager/network-manager/ubuntu.0.7.1 which is what will go
into jaunty soon.

 - Alexander

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.7-0ubuntu2

---------------
network-manager (0.7-0ubuntu2) jaunty; urgency=low

  * ppp 2.4.5git transition: bump ppp-dev lower version bound to 2.4.5~
    - update debian/control

  * fix LP: #120363 - NetworkManager should support smartcard based
    certificate; we apply the backend patch contributed by David Smith
    - add debian/patches/lp120363_smartcard_pkcs11.patch
    - update debian/patches/series

  [ Alessandro Ghersi <email address hidden> ]
  * fix LP: #270584 add the dependency network-manager-dev in
    libnm-glib-dev; also fixes LP: #321473 liferea doesnt handle
    network-manager online/offline state
    - update debian/control
  * update Standards-Version to 3.8.0
    - update debian/control

  [ Steven S Danna <email address hidden> ]
  * fix LP: #283416 - add /etc/init.d/NetworkManager status; init
    script was fixed upstream; however, we take the lsb-base lower
    version bound from the bug (>= 3.2-14)
    - udpate debian/control

 -- Alexander Sack <email address hidden> Sat, 14 Feb 2009 22:16:12 +0100

Changed in network-manager:
status: Fix Committed → Fix Released
Revision history for this message
Ingo Rohlfs (ingo-rohlfs) wrote :

Nice that the Backend supports now pkcs11 but aint't it a little senseless if even the backend works but know one can configure it. Tryed to test it but not getting it to work.
So it would be very very nice to have a working frontend where the user can configure this.....

Revision history for this message
Mark Painter (mpainter) wrote :

Not entirely senseless, as you can set up system connections in /etc/NetworkManager/system-connections/ with it. Definitely applet support for configuration is desirable, but not strictly necessary -- I've been using this for a few weeks now.

Revision history for this message
David Smith (dds) wrote :

Also, above I referenced another gnome bugzilla bug, #537239, that has a patch for the applet for configuring TLS certificates with the TPM instead of files to demonstrate how to do it, but there was more discussion about how to make a good interface ... If you have comments about how you'd like the interface to "look & feel" please tell the NM devs and you may still be able to apply the patch in that bug if you want to try out one way.

Revision history for this message
Patrik Martinsson (patrik.martinsson) wrote :

Hey David or Mark, (and others ofc.)

I'm really curious how you got this working with pkcs11, we have our certificates stored on smartcards, and use a pkcs11-module to access them. (Module is built by the company that delivers this "service" for us).

So i have successfully connected to our network through wpa_supplicant, but i would love to get it working in NM to.
And as i understand it, your (David) patch makes it possible to send pkcs11 commands through dbus to wpa_supplicant, right ? Which sounds exactly as the thing i want.

However, i cant really get NM to use my keyfile, since it doesnt seem to get pass the "validation process" of NM so NM doesnt use the keyfile as "settingsfile" when it tries to connect to my wireless.

I'm just curious how you guys got this to work ? Which versions of NM did you use ? Can i have a look at your key-files ?

Happily taking any suggestions i can get.
Patrik Martinsson.

Revision history for this message
Mark Painter (mpainter) wrote :

A relevant snippet from the systems-connections file for the 802-1x portion could be something like this:

[802-1x]
eap=tls;
<email address hidden>
pkcs11-module-path=/usr/lib/opencryptoki/libopencryptoki.so.0
pkcs11-engine-path=/usr/lib/engines/engine_pkcs11.so
pkcs11-slot=1
pkcs11-client-cert=5
pkcs11-private-key=5
pin=123456

Having the full file in place allows you to use the applet to choose the network. You can generate files in systems-connections by right clicking on the applet, choosing "edit connections" and selecting the "Available to all users" checkbox when editing a connection you have set up.

Revision history for this message
David Smith (dds) wrote :

This broke on 0.8-RC builds. The patch needs a small update to work with NM's new private key scheme formats. New patch attached.

Changed in network-manager (Ubuntu):
status: Fix Released → Incomplete
Changed in network-manager (Ubuntu):
status: Incomplete → Triaged
Revision history for this message
Arnaud Morin (arnaud-morin) wrote :

I am currently trying to use the pkcs11-* entries for my network.
I successfully made it work with wpa_supplicant, but I can't with NM.

Here is my 802-1x portion

[802-1x]
eap=tls;
<email address hidden>
password=xxxx
ca-cert=/etc/mycrt/a.crt
pkcs11-module-path=/usr/lib/opensc/opensc-pkcs11.so
pkcs11-engine-path=/usr/lib/engines/engine_pkcs11.so
pkcs11-slot=4
pkcs11-client-cert=45
pkcs11-private-key=45
pin=0000

Here is a log from /var/log/syslog
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) starting connection 'WifiFT_WPA2'
Jun 2 17:19:50 l-at12094 NetworkManager: <info> (wlan0): device state change: 3 -> 4 (reason 0)
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) scheduled...
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) started...
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) scheduled...
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) complete.
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) starting...
Jun 2 17:19:50 l-at12094 NetworkManager: <info> (wlan0): device state change: 4 -> 5 (reason 0)
Jun 2 17:19:50 l-at12094 NetworkManager: need_secrets_tls: unknown private key scheme 0
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0/wireless): access point 'WifiFT_WPA2' has security, but secrets are required.
Jun 2 17:19:50 l-at12094 NetworkManager: <info> (wlan0): device state change: 5 -> 6 (reason 0)
Jun 2 17:19:50 l-at12094 NetworkManager: need_secrets_tls: unknown private key scheme 0
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 2 of 5 (Device Configure) complete.
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) scheduled...
Jun 2 17:19:50 l-at12094 NetworkManager: <info> Activation (wlan0) Stage 1 of 5 (Device Prepare) started...
Jun 2 17:19:50 l-at12094 NetworkManager: <info> (wlan0): device state change: 6 -> 4 (reason 0)

Am I missing something?
I am wondering if the ca-certificate has to be inside the smartcard? (mine is in my filesystem)

Thank you for any help

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

I'm marking this bug as Fix Released since we've been carrying this patch for a little while now, at least it's in Maverick and Lucid as well from a quick glance at it...

If someone is having additional issues with smartcard auth, please file a new bug so we can look at what is happening.

Changed in network-manager (Ubuntu):
status: Triaged → Fix Released
Jorge Peixoto (jrglz)
description: updated
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Reopening and setting to high. For oneiric we've had to disable that patch, but we're looking (and it's a priority) to re-enable this for Precise (Ubuntu 12.04 LTS).

Changed in network-manager (Ubuntu):
status: Fix Released → Triaged
importance: Wishlist → High
Revision history for this message
Bryan Quigley (bryanquigley) wrote :

Did this make it into precise?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.