Bug 2002572 - pkcs11: return relevant error from wpa_supplicant instead of asking for private key
Summary: pkcs11: return relevant error from wpa_supplicant instead of asking for priva...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: wpa_supplicant
Version: 8.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Davide Caratti
QA Contact: Laura Trivelloni
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-09 09:30 UTC by David Jaša
Modified: 2023-03-09 07:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-09 07:27:56 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System                 ID              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker  NMT-249         0        None      None    None     2023-02-07 07:29:33 UTC
Red Hat Issue Tracker  RHELPLAN-96618  0        None      None    None     2021-09-09 09:31:45 UTC

Description David Jaša 2021-09-09 09:30:11 UTC
Description of problem:
wpa_supplicant asks NM for the private-key password when an entirely different error should be returned

Version-Release number of selected component (if applicable):
NM: current git from COPR
wpa_supplicant-2.9-8.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. git clone --depth 1 https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci.git
2. pushd NetworkManager-ci
3. sh prepare/hostapd_wired.sh contrib/8021x/certs/ 
4.
nmcli c add con-name con_pkcs11 ifname test8X type ethernet \
  autoconnect no 802-1x.eap tls 802-1x.identity test \
  802-1x.ca-cert contrib/8021x/certs/client/test_user.ca.pem \
  802-1x.client-cert 'pkcs11:token=doesnotexist;object=nmclient' \
  802-1x.client-cert-password-flags 4 \
  802-1x.private-key 'pkcs11:token=doesnotexist;object=nmclient' \
  802-1x.private-key-password 1234
5. nmcli c up id con_pkcs11 --ask

Actual results:
nmcli:
Secrets are required to access the wired network 'con_pkcs11'
Identity (802-1x.identity): test
Secrets are required to access the wired network 'con_pkcs11'
Private key password (802-1x.private-key-password): ••••
Secrets are required to access the wired network 'con_pkcs11'
Identity (802-1x.identity): test
Secrets are required to access the wired network 'con_pkcs11'
Private key password (802-1x.private-key-password): ••••
Error: Connection activation failed: Secrets were required, but not provided
Hint: use 'journalctl -xe NM_CONNECTION=308c93b0-a21a-48a8-a3ad-d9848100f29d + NM_DEVICE=test8X' to get more details.

wpa_supplicant:
Sep  9 11:14:18 localhost wpa_supplicant[2198]: SSL: Initializing TLS engine
Sep  9 11:14:18 localhost wpa_supplicant[2198]: ENGINE: engine initialized
Sep  9 11:14:18 localhost wpa_supplicant[2198]: Specified object not found
Sep  9 11:14:18 localhost wpa_supplicant[2198]: PKCS11_get_private_key returned NULL
Sep  9 11:14:18 localhost wpa_supplicant[2198]: ENGINE: cannot load private key with id 'pkcs11:token=doesnotexist;object=nmclient?pin-value=1234' [error:80067065:pkcs11 engine:ctx_load_privkey:object not found]
Sep  9 11:14:18 localhost wpa_supplicant[2198]: TLS: Failed to initialize engine
Sep  9 11:14:18 localhost wpa_supplicant[2198]: TLS: Failed to set TLS connection parameters
Sep  9 11:14:18 localhost wpa_supplicant[2198]: ENGINE: engine deinit
Sep  9 11:14:18 localhost wpa_supplicant[2198]: EAP-TLS: Failed to initialize SSL.
Sep  9 11:14:18 localhost wpa_supplicant[2198]: EAP-TLS: Requesting private key passphrase


Expected results:
* wpa_supplicant returns [error:80067065:pkcs11 engine:ctx_load_privkey:object not found] error to NM
* NM tells user real reason why connection can't go up instead of asking for nonexistent slot PIN

Additional info:
It'd be even nicer to have different errors for a nonexistent token and a nonexistent object, but when the library doesn't tell them apart, wpa_supplicant and NM can't do much more than report something like 'pkcs11 token "doesnotexist" or object "nmclient" not found'.

Comment 2 David Jaša 2022-09-02 11:18:13 UTC
I hit the same base issue in Fedora recently with a certificate verification failure. Reproduction is almost the same; just make sure that the server cert* is not in the client trust store, so that certificate verification fails.

* neither the issuing CA nor any intermediate one

NM + wpa_s log of such a sequence:
Aug 24 10:03:35 NetworkManager[1595]: <info>  [1661328215.8206] device (p2p-dev-wlp82s0): supplicant management interface state: scanning -> authenticating
Aug 24 10:03:35 wpa_supplicant[1786]: wlp82s0: Trying to associate with 00:2c:c8:b6:da:9f (SSID='Red Hat' freq=5200 MHz)
Aug 24 10:03:35 NetworkManager[1595]: <info>  [1661328215.8530] device (wlp82s0): supplicant interface state: authenticating -> associating
Aug 24 10:03:35 NetworkManager[1595]: <info>  [1661328215.8531] device (p2p-dev-wlp82s0): supplicant management interface state: authenticating -> associating
Aug 24 10:03:35 wpa_supplicant[1786]: wlp82s0: Associated with 00:2c:c8:b6:da:9f
Aug 24 10:03:35 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-STARTED EAP authentication started
Aug 24 10:03:35 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Aug 24 10:03:35 NetworkManager[1595]: <info>  [1661328215.9038] device (wlp82s0): supplicant interface state: associating -> associated
Aug 24 10:03:35 NetworkManager[1595]: <info>  [1661328215.9039] device (p2p-dev-wlp82s0): supplicant management interface state: associating -> associated
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=3 subject='/C=US/ST=North Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat IT/CN=Red Hat IT Root CA/emailAddress=infosec' hash=270947c8eba9ae6f01799f134e7dbebe902a0a2e09e1b8fd06b5fc3a7d7ecef3
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/O=Red Hat/OU=prod/CN=Intermediate Certificate Authority' hash=1064a0756e41942346616a634e47bed654eb1f8c38ff7b17685a156b823ebc23
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/O=Red Hat/OU=prod/CN=Certificate Authority' hash=9018f9f242941f2d44cf8d639ad369a958db7ad683ec2a1b5f13483419d5973e
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=ise02-iad2.ise-001.prod.iad2.dc.redhat.com/OU=Information Technology/O=Red Hat, Inc/L=Raleigh/ST=North Carolina/C=US' hash=25a2ca38b53a2670cb562ce93387c930e9b99375bd3f2c84c36b414e39b183a2
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:ise02-iad2.ise-001.prod.iad2.dc.redhat.com
Aug 24 10:03:36 wpa_supplicant[1786]: TLS: Certificate verification failed, error 10 (certificate has expired) depth 0 for '/CN=ise02-iad2.ise-001.prod.iad2.dc.redhat.com/OU=Information Technology/O=Red Hat, Inc/L=Raleigh/ST=North Carolina/C=US'
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=4 depth=0 subject='/CN=ise02-iad2.ise-001.prod.iad2.dc.redhat.com/OU=Information Technology/O=Red Hat, Inc/L=Raleigh/ST=North Carolina/C=US' err='certificate has expired'
Aug 24 10:03:36 wpa_supplicant[1786]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate expired
Aug 24 10:03:36 wpa_supplicant[1786]: OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
Aug 24 10:03:38 wpa_supplicant[1786]: wlp82s0: Authentication with 00:2c:c8:b6:da:9f timed out.
Aug 24 10:03:38 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-DISCONNECTED bssid=00:2c:c8:b6:da:9f reason=3 locally_generated=1
Aug 24 10:03:38 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Red Hat" auth_failures=1 duration=10 reason=AUTH_FAILED
Aug 24 10:03:38 wpa_supplicant[1786]: BSSID 00:2c:c8:b6:da:9f ignore list count incremented to 2, ignoring for 10 seconds
Aug 24 10:03:38 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Red Hat" auth_failures=2 duration=25 reason=CONN_FAILED
Aug 24 10:03:38 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-DSCP-POLICY clear_all
Aug 24 10:03:38 NetworkManager[1595]: <info>  [1661328218.8457] device (wlp82s0): supplicant interface state: associated -> disconnected
Aug 24 10:03:38 NetworkManager[1595]: <info>  [1661328218.8458] device (wlp82s0): Activation: (wifi) disconnected during association, asking for new key
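Added illustration of the point both reports above make (this is not code from the bug, from wpa_supplicant or from NetworkManager): a small Python triage routine that reads wpa_supplicant log lines like the ones quoted here and reports the actual failure (PKCS#11 object not found, or server certificate verification failed) instead of the "secrets required" prompt that follows it. The sample log lines are constructed from those quoted in the description and in comment 2, with a made-up subject name; since the engine echoes the full PKCS#11 URI including pin-value, the routine redacts the PIN before keeping the URI.

```python
import re

# Constructed sample lines, modelled on the two wpa_supplicant logs quoted in this bug.
PKCS11_LOG = """\
Sep  9 11:14:18 localhost wpa_supplicant[2198]: ENGINE: cannot load private key with id 'pkcs11:token=doesnotexist;object=nmclient?pin-value=1234' [error:80067065:pkcs11 engine:ctx_load_privkey:object not found]
Sep  9 11:14:18 localhost wpa_supplicant[2198]: EAP-TLS: Failed to initialize SSL.
Sep  9 11:14:18 localhost wpa_supplicant[2198]: EAP-TLS: Requesting private key passphrase
"""
CERT_LOG = """\
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=4 depth=0 subject='/CN=radius.example.test' err='certificate has expired'
Aug 24 10:03:36 wpa_supplicant[1786]: wlp82s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""
ENGINE_RE = re.compile(r"ENGINE: cannot load private key with id '(?P<uri>[^']*)' \[(?P<err>[^\]]*)\]")
CERT_RE = re.compile(r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=\d+ depth=(?P<depth>\d+) .*err='(?P<err>[^']*)'")
PIN_RE = re.compile(r"pin-value=[^;&?]*")  # the engine logs the whole URI, PIN included


def classify_line(line):
    """Map one wpa_supplicant log line to a structured event, or None if it is not of interest."""
    m = ENGINE_RE.search(line)
    if m:
        uri = m.group("uri")
        token = re.search(r"token=([^;?]+)", uri)
        obj = re.search(r"object=([^;?]+)", uri)
        return {"kind": "pkcs11_key_load_failed",
                "uri": PIN_RE.sub("pin-value=<redacted>", uri),  # never keep the PIN in triage output
                "token": token.group(1) if token else None,
                "object": obj.group(1) if obj else None,
                "detail": m.group("err")}
    m = CERT_RE.search(line)
    if m:
        return {"kind": "cert_verify_failed", "depth": int(m.group("depth")), "err": m.group("err")}
    if "Requesting private key passphrase" in line:
        return {"kind": "passphrase_prompt"}
    return None


def root_cause(log_text):
    """Report the first hard failure; a passphrase prompt only counts when no hard failure preceded it."""
    prompt_seen = False
    for line in log_text.splitlines():
        ev = classify_line(line)
        if ev is None:
            continue
        if ev["kind"] == "pkcs11_key_load_failed":
            return 'pkcs11 token "%s" or object "%s" not found' % (ev["token"], ev["object"])
        if ev["kind"] == "cert_verify_failed":
            return "server certificate verification failed at depth %d: %s" % (ev["depth"], ev["err"])
        prompt_seen = True
    return "private key passphrase required (no prior hard failure)" if prompt_seen else "no failure found"
```

Run root_cause() over a captured journal excerpt to get the message the reporter would have wanted NM to show, rather than a repeated password prompt.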

Comment 4 RHEL Program Management 2023-03-09 07:27:56 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

