Bug 1992829

Summary: PKCS module not passing the -login flag while using the smartcard during openssl eap-tls handshake
Product: Red Hat Enterprise Linux 8
Reporter: Mike Ralph <mralph>
Component: NetworkManager
Assignee: Beniamino Galvani <bgalvani>
Status: CLOSED ERRATA
QA Contact: David Jaša <djasa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.6
CC: bgalvani, djasa, ferferna, fge, lrintel, mthacker, rkhan, sfaye, sukulkar, thaller, till, vbenes
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: NetworkManager-1.36.0-1.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-10 14:54:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Mike Ralph 2021-08-11 19:12:36 UTC
Description of problem:
  Customer found NMCLI has a bug where it will not log in to the smartcard during an OpenSSL EAP-TLS handshake, causing a connection failure due to the system's PKCS#11 module not being passed the -login flag during the handshake.


Version-Release number of selected component (if applicable):
  Red Hat Enterprise Linux Workstation (and Server) 7.9.
  NetworkManager 1.18.8-2.el7_9

How reproducible:
  Consistent

Steps to Reproduce:
1. nmcli c modify <ifname> \
       802-1x.eap tls \
       802-1x.client-cert "${user_cert};pin-value=${PIN}" \
       802-1x.private-key "${priv_key};pin-value=${PIN}" \
       802-1x.client-cert-password-flags 4 \
       802-1x.private-key-password-flags 4 \
       802-1x.pin-flags 4 \
       802-1x.identity testing \
       802-1x.ca-path /etc/pki/ca-trust/source/anchors \
       802-1x.ca-cert /etc/pki/ca-trust/source/anchors/<ca-cert-name>

Actual results:
  ** Message: 14:14:12.074: Cannot save connection due to error: Invalid setting 802.1X Security: missing EAP username
  ** Message: 14:14:14.347: Cannot save connection due to error: Invalid setting 802.1X Security: missing EAP-TLS identity
  ** Message: 14:14:32.817: Connection validates and can be saved

Expected results:
  Smartcard authentication works.

Additional info:
  Multiple issues around this have been opened at:
    - https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/772
    - https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1428

Comment 6 Beniamino Galvani 2021-08-19 16:22:29 UTC
This upstream merge request should fix the handling of PKCS#11 certificate PINs:

  https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/965

Note that PINs should not be appended to the PKCS#11 URI, but they should be in the *-password properties as in:

 # nmcli -o -s connection show eth-pkcs11 
 connection.id:                          eth-pkcs11
 connection.uuid:                        7bc89c12-5426-4584-8eb4-39fd4d6be01c
 connection.type:                        802-3-ethernet
 connection.interface-name:              eth0
 connection.timestamp:                   1629389530
 802-1x.eap:                             tls
 802-1x.identity:                        user
 802-1x.ca-cert:                         pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01d2a3ab349b7801;token=myslot;object=ca-cert;type=cert
 802-1x.ca-cert-password:                1234
 802-1x.ca-cert-password-flags:          0 (none)
 802-1x.client-cert:                     pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01d2a3ab349b7801;token=myslot;object=client-cert;type=cert
 802-1x.client-cert-password:            1234
 802-1x.client-cert-password-flags:      0 (none)
 802-1x.private-key:                     pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01d2a3ab349b7801;token=myslot;object=client-key;type=private
 802-1x.private-key-password:            1234
 802-1x.private-key-password-flags:      0 (none)
 802-1x.pin-flags:                       0 (none)

Comment 12 Thomas Haller 2021-08-30 07:50:39 UTC
Hi Mike, please find here a scratch build of the patch for RHEL-7.9:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39369588


Note that at this point the barrier to get something fixed in RHEL-7.9 is very high. I don't think that this issue qualifies.

Comment 32 David Jaša 2022-02-28 15:48:21 UTC
ok in 1.36.0-1:

1) when neither of the 802-1x.private-key nor 802-1x.private-key-password-flags options is set, NM correctly errors out early:

# nmcli c add type ethernet  ifname test8X con-name con_ethernet autoconnect no 802-1x.eap tls 802-1x.identity test 802-1x.ca-cert /tmp/certs/test_user.ca.pem 802-1x.client-cert 'pkcs11:token=nmci;object=nmclient' 802-1x.client-cert-password-flags 4 802-1x.private-key 'pkcs11:token=nmci;object=nmclient'
Connection 'con_ethernet' (e729bb0a-5c06-47a9-8a53-e7f31b9d5d74) successfully added.
# nmcli c up id con_ethernet 
Secrets are required to access the wired network 'con_ethernet'
Warning: password for '802-1x.identity' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=e729bb0a-5c06-47a9-8a53-e7f31b9d5d74 + NM_DEVICE=test8X' to get more details.


2) with private-key-password-flags left unset and the card PIN saved in private-key-password, the PIN is passed correctly to hostapd and the connection is established:

[root@rhel8-at-cihla NetworkManager-ci]# nmcli c modify id con_ethernet 802-1x.private-key-password 1234
[root@rhel8-at-cihla NetworkManager-ci]# nmcli c up id con_ethernet 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/12)


3) with private-key-password unset, private-key-password-flags set to 4 (or 'not-required') and the PIN value added to the PKCS#11 URI (as a means to simulate readers with a physical PIN keypad), NM passes the URI as-is and doesn't do anything about the unset password:

# nmcli c del id con_ethernet 
Connection 'con_ethernet' (e729bb0a-5c06-47a9-8a53-e7f31b9d5d74) successfully deleted.
# nmcli c add type ethernet  ifname test8X con-name con_ethernet autoconnect no 802-1x.eap tls 802-1x.identity test 802-1x.ca-cert /tmp/certs/test_user.ca.pem 802-1x.client-cert 'pkcs11:token=nmci;object=nmclient' 802-1x.client-cert-password-flags 4 802-1x.private-key 'pkcs11:token=nmci;object=nmclient?pin-value=1234' 802-1x.private-key-password-flags not-required 
Connection 'con_ethernet' (ca44e36c-1304-49f8-b9ca-9a9a11c9c2ed) successfully added.
# nmcli c up id con_ethernet 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/13)


All these cases are tested in the NM CI suite.
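
The following is an added example, not code from this bug report, from NetworkManager or from its CI: a small Python audit for a NetworkManager keyfile profile (the /etc/NetworkManager/system-connections/*.nmconnection format) that applies the rule from comment 6 (the PIN belongs in the *-password property, not in the PKCS#11 URI) and the secret-flag cases from comment 32 (no PIN and flags 0 means NetworkManager demands the secret; flags 4 means not required; a PIN embedded in the URI is passed through untouched, so it ends up in clear text in the profile). The sample profile is constructed; the keyfile key names follow the nmcli property names shown in the comments above. RFC 7512 defines pin-value as a query attribute (after '?'); the ';pin-value=' path form is also recognised only because the reproducer above used it.

```python
"""Audit a NetworkManager keyfile profile for how a PKCS#11 PIN is handled.

Added example (not NetworkManager code); standard library only."""
import configparser
import io
from urllib.parse import quote, unquote

# NMSettingSecretFlags values as nmcli prints them:
# 0 "none", 1 "agent-owned", 2 "not-saved", 4 "not-required".
FLAG_NONE, FLAG_AGENT_OWNED, FLAG_NOT_SAVED, FLAG_NOT_REQUIRED = 0, 1, 2, 4
PKCS11_PROPS = ("ca-cert", "client-cert", "private-key")

# Constructed sample profile: PIN wrongly embedded in the private-key URI.
SAMPLE_KEYFILE = """\
[connection]
id=eth-pkcs11
type=ethernet
interface-name=eth0

[802-1x]
eap=tls;
identity=user
ca-cert=/etc/pki/ca-trust/source/anchors/ca.pem
client-cert=pkcs11:token=myslot;object=client-cert;type=cert
client-cert-password-flags=4
private-key=pkcs11:token=myslot;object=client-key;type=private?pin-value=1234
private-key-password-flags=4
"""


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 'pkcs11:' URI into (path_attrs, query_attrs).

    Path attributes are ';'-separated, query attributes '&'-separated;
    attribute values are percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a PKCS#11 URI: {uri!r}")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def attrs(text, sep):
        out = {}
        for part in text.split(sep):
            if part:
                key, _, value = part.partition("=")
                out[key] = unquote(value)
        return out

    return attrs(path, ";"), attrs(query, "&")


def strip_pin(uri):
    """Return (uri_without_pin, pin); pin is None if the URI carried none.

    pin-value is looked up in the query part (RFC 7512) and, for the
    misplaced form seen in the reproducer, in the path part."""
    path, query = parse_pkcs11_uri(uri)
    pin = query.pop("pin-value", None)
    pin = path.pop("pin-value", pin)
    clean = "pkcs11:" + ";".join(f"{k}={quote(v, safe='')}" for k, v in path.items())
    if query:
        clean += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in query.items())
    return clean, pin


def _load(keyfile_text):
    # Keyfile values contain ':' and ';' (PKCS#11 URIs), so only '=' delimits.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(keyfile_text)
    return parser


def audit_8021x(keyfile_text):
    """Return a list of (severity, message) findings for the [802-1x] section."""
    parser = _load(keyfile_text)
    findings = []
    if "802-1x" not in parser:
        return findings
    sec = parser["802-1x"]
    eap = [m for m in sec.get("eap", "").split(";") if m]
    if "tls" in eap and not sec.get("identity"):
        findings.append(("error", "eap=tls but identity is unset; nmcli rejects the profile"))
    for prop in PKCS11_PROPS:
        uri = sec.get(prop)
        if not uri or not uri.startswith("pkcs11:"):
            continue  # file-based certificate, no token PIN involved
        _, pin = strip_pin(uri)
        password = sec.get(f"{prop}-password")
        flags = int(sec.get(f"{prop}-password-flags", "0"))
        if pin is not None:
            findings.append(("high", f"{prop}: PIN embedded in the PKCS#11 URI; move it to {prop}-password"))
        elif password is None and flags != FLAG_NOT_REQUIRED:
            findings.append(("warn", f"{prop}: no PIN configured and flags={flags}; "
                                     "NetworkManager will require the secret at activation"))
        if password is not None and flags == FLAG_NONE:
            findings.append(("info", f"{prop}-password is stored in the profile (flags=0)"))
    return findings


def rewrite_profile(keyfile_text):
    """Move a PIN embedded in a PKCS#11 URI into <prop>-password (flags=0),
    the layout shown in comment 6."""
    parser = _load(keyfile_text)
    sec = parser["802-1x"]
    for prop in PKCS11_PROPS:
        uri = sec.get(prop)
        if uri and uri.startswith("pkcs11:"):
            clean, pin = strip_pin(uri)
            if pin is not None:
                sec[prop] = clean
                sec[f"{prop}-password"] = pin
                sec[f"{prop}-password-flags"] = str(FLAG_NONE)
    out = io.StringIO()
    parser.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    for severity, message in audit_8021x(SAMPLE_KEYFILE):
        print(f"[{severity}] {message}")
    print(rewrite_profile(SAMPLE_KEYFILE))
```

With flags=0 the PIN is still written into the profile in clear text, so the file's permissions are what protects it; flags 1 (agent-owned) or 2 (not-saved) keep it out of the file at the cost of needing a secret agent or a prompt at activation, which is what the 'Secrets were required, but not provided' error in case 1 above reflects when nothing supplies it.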

Comment 34 errata-xmlrpc 2022-05-10 14:54:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (NetworkManager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1985