Bug 1992829 - PKCS module not passing the -login flag while using the smartcard during openssl eap-tls handshake
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: NetworkManager
Version: 8.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Beniamino Galvani
QA Contact: David Jaša
Reported: 2021-08-11 19:12 UTC by Mike Ralph
Modified: 2022-06-09 11:41 UTC (History)

Fixed In Version: NetworkManager-1.36.0-1.el8
Doc Type: No Doc Update
Last Closed: 2022-05-10 14:54:08 UTC
Type: Bug
pm-rhel: mirror+

Links:
  - Red Hat Issue Tracker RHELPLAN-93290 (last updated 2021-08-11 19:42:22 UTC)
  - freedesktop.org GitLab NetworkManager/NetworkManager-ci commit 6bf0952d4cf578d061c234144536471205da4339 (last updated 2022-02-25 10:40:23 UTC)
  - freedesktop.org GitLab NetworkManager/NetworkManager-ci commit 6d2a743de4c36600ed94a1174357ede3c368a0a7 (last updated 2022-02-25 10:40:23 UTC)
  - freedesktop.org GitLab NetworkManager/NetworkManager merge request 965, status merged: "8021x: request PINs for PKCS#11 certs unless explicitly not-required" (last updated 2022-01-25 09:01:06 UTC)

Description Mike Ralph 2021-08-11 19:12:36 UTC
Description of problem:
  Customer found that nmcli has a bug where it will not log in to the smartcard during an OpenSSL EAP-TLS handshake, causing a connection failure because the system's PKCS#11 module is not passed the --login flag during the handshake.


Version-Release number of selected component (if applicable):
  Red Hat Enterprise Linux Workstation (and Server) 7.9.
  Network Manager 1.18.8-2.el7_9

How reproducible:
  Consistent

Steps to Reproduce:
1. nmcli c modify <ifname> \
       802-1x.eap tls \
       802-1x.client-cert "$user_cert"';'pin-value=$PIN \
       802-1x.private-key "$priv_key"';'pin-value=$PIN \
       802-1x.client-cert-password-flags 4 \
       802-1x.private-key-password-flags 4 \
       802-1x.pin-flags 4 \
       802-1x.identity testing \
       802-1x.ca-path /etc/pki/ca-trust/source/anchors \
       802-1x.ca-cert /etc/pki/ca-trust/source/anchors/<ca-cert-name>

Actual results:
  ** Message: 14:14:12.074: Cannot save connection due to error: Invalid setting 802.1X Security: missing EAP username
  ** Message: 14:14:14.347: Cannot save connection due to error: Invalid setting 802.1X Security: missing EAP-TLS identity
  ** Message: 14:14:32.817: Connection validates and can be saved

Expected results:
  Smartcard authentication works.

Additional info:
  Multiple issues around this have been opened at:
    - https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/772
    - https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1428

Comment 6 Beniamino Galvani 2021-08-19 16:22:29 UTC
This upstream merge request should fix the handling of PKCS#11 certificate PINs:

  https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/965

Note that PINs should not be appended to the PKCS#11 URI, but they should be in the *-password properties as in:

 # nmcli -o -s connection show eth-pkcs11 
 connection.id:                          eth-pkcs11
 connection.uuid:                        7bc89c12-5426-4584-8eb4-39fd4d6be01c
 connection.type:                        802-3-ethernet
 connection.interface-name:              eth0
 connection.timestamp:                   1629389530
 802-1x.eap:                             tls
 802-1x.identity:                        user
 802-1x.ca-cert:                         pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01d2a3ab349b7801;token=myslot;object=ca-cert;type=cert
 802-1x.ca-cert-password:                1234
 802-1x.ca-cert-password-flags:          0 (none)
 802-1x.client-cert:                     pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01d2a3ab349b7801;token=myslot;object=client-cert;type=cert
 802-1x.client-cert-password:            1234
 802-1x.client-cert-password-flags:      0 (none)
 802-1x.private-key:                     pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01d2a3ab349b7801;token=myslot;object=client-key;type=private
 802-1x.private-key-password:            1234
 802-1x.private-key-password-flags:      0 (none)
 802-1x.pin-flags:                       0 (none)

Comment 12 Thomas Haller 2021-08-30 07:50:39 UTC
Hi Mike, please find here a scratch build of the patch for RHEL-7.9:

https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=39369588


Note that at this point the barrier to get something fixed in RHEL-7.9 is very high. I don't think that this issue qualifies.

Comment 32 David Jaša 2022-02-28 15:48:21 UTC
ok in 1.36.0-1:

1) when neither the 802-1x.private-key nor the 802-1x.private-key-password-flags option is set, NM correctly errors out early:

# nmcli c add type ethernet  ifname test8X con-name con_ethernet autoconnect no 802-1x.eap tls 802-1x.identity test 802-1x.ca-cert /tmp/certs/test_user.ca.pem 802-1x.client-cert 'pkcs11:token=nmci;object=nmclient' 802-1x.client-cert-password-flags 4 802-1x.private-key 'pkcs11:token=nmci;object=nmclient'
Connection 'con_ethernet' (e729bb0a-5c06-47a9-8a53-e7f31b9d5d74) successfully added.
# nmcli c up id con_ethernet 
Secrets are required to access the wired network 'con_ethernet'
Warning: password for '802-1x.identity' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=e729bb0a-5c06-47a9-8a53-e7f31b9d5d74 + NM_DEVICE=test8X' to get more details.


2) with private-key-password-flags kept unset and card PIN saved in private-key-password, PIN is given correctly to hostapd and connection is established:

[root@rhel8-at-cihla NetworkManager-ci]# nmcli c modify id con_ethernet 802-1x.private-key-password 1234
[root@rhel8-at-cihla NetworkManager-ci]# nmcli c up id con_ethernet 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/12)


3) with private-key-password unset, private-key-password-flags set to 4 (or 'not-required') and the PIN value added to the PKCS#11 URI (as a means to simulate readers with a physical PIN keypad), NM passes the URI as-is and doesn't do anything about the unset password:

# nmcli c del id con_ethernet 
Connection 'con_ethernet' (e729bb0a-5c06-47a9-8a53-e7f31b9d5d74) successfully deleted.
# nmcli c add type ethernet  ifname test8X con-name con_ethernet autoconnect no 802-1x.eap tls 802-1x.identity test 802-1x.ca-cert /tmp/certs/test_user.ca.pem 802-1x.client-cert 'pkcs11:token=nmci;object=nmclient' 802-1x.client-cert-password-flags 4 802-1x.private-key 'pkcs11:token=nmci;object=nmclient?pin-value=1234' 802-1x.private-key-password-flags not-required 
Connection 'con_ethernet' (ca44e36c-1304-49f8-b9ca-9a9a11c9c2ed) successfully added.
# nmcli c up id con_ethernet 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/13)


All these cases are tested in NM CI suite.
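
The three verification cases above, together with the rule from comment 6 that PINs belong in the *-password properties rather than in the URI, can be modelled as a small decision function. This is an added illustration, not NetworkManager's own code: the secret-flag values are the public NMSettingSecretFlags that nmcli prints as "0 (none)" and "4 (not-required)", while the function names and return values are assumptions made for this example.

```python
"""Model of the post-merge-request-965 PIN handling for a PKCS#11 802-1x
private key (added illustration, not NetworkManager's code)."""
from urllib.parse import unquote

# NMSettingSecretFlags values as shown by nmcli: 0 (none) ... 4 (not-required)
FLAG_NONE, FLAG_AGENT_OWNED, FLAG_NOT_SAVED, FLAG_NOT_REQUIRED = 0, 1, 2, 4


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 'pkcs11:' URI into (path_attrs, query_attrs) dicts.
    Path attributes are ';'-separated, query attributes (after '?') are
    '&'-separated.  A plain file path yields (None, None)."""
    if not uri.startswith("pkcs11:"):
        return None, None
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def attrs(text, sep):
        pairs = (kv.split("=", 1) for kv in text.split(sep) if "=" in kv)
        return {k: unquote(v) for k, v in pairs}

    return attrs(path_part, ";"), attrs(query_part, "&")


def resolve_pin(private_key, password, flags):
    """Decide what to do for 802-1x.private-key given the stored
    802-1x.private-key-password and its -flags.
    Returns (action, pin, warnings):
      'file'             - key is a file on disk, no token login needed
      'not-required'     - flags say not-required: URI handed over as-is (case 3)
      'use-password'     - PIN from *-password handed to the supplicant (case 2)
      'secrets-required' - no PIN available: fail early (case 1)"""
    path_attrs, query_attrs = parse_pkcs11_uri(private_key)
    warnings = []
    if path_attrs is None:
        return "file", None, warnings
    # A PIN embedded in the URI (query position per RFC 7512, or the ';'-joined
    # path form from the original report) is flagged: comment 6 says to use
    # the *-password properties instead.
    if "pin-value" in query_attrs or "pin-value" in path_attrs:
        warnings.append("pin-value embedded in PKCS#11 URI; "
                        "store the PIN in 802-1x.private-key-password")
    if flags & FLAG_NOT_REQUIRED:
        return "not-required", None, warnings
    if password:
        return "use-password", password, warnings
    return "secrets-required", None, warnings
```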

Comment 34 errata-xmlrpc 2022-05-10 14:54:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (NetworkManager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:1985

