fix(nm): remove unusable 802.1x password parameters #5097

Merged
merged 3 commits into from
Jan 12, 2024


mattdibi
Contributor

@mattdibi mattdibi commented Jan 12, 2024

Currently, we allow the user to set the CA cert and private key passwords in the snapshot via the following optional snapshot parameters (they are not exposed in the UI):

  • net.interface.%s.config.802-1x.private-key-password: see here
  • net.interface.%s.config.802-1x.ca-cert-password: see here

These are mapped to NetworkManager’s:

  • private-key-password: The password used to decrypt the private key specified in the "private-key" property when the private key either uses the path scheme, or if the private key is a PKCS#12 format key.
  • ca-cert-password: The password used to access the CA certificate stored in "ca-cert" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.

This is wrong because, since we’re using the Kura Keystore to store the keys:

  • we don't support password-protected keys
  • keys are returned in the PKCS#8 format

Therefore these settings can’t be used.

In addition to that, to solve Issue-6767 "[NetworkManager][802.1x] Authentication keys are saved in cleartext on filesystem by NetworkManager" we need to use the private-key-password parameter and cannot allow the user to override this field.

Fortunately(!?) we didn’t document any of the 802.1x parameters in the docs.

After a discussion with @MMaiero we decided to remove any use of these parameters in our current codebase since they were optional and undocumented.

@mattdibi mattdibi marked this pull request as ready for review January 12, 2024 07:48
@pierantoniomerlino pierantoniomerlino merged commit e32251a into develop Jan 12, 2024
9 checks passed
@pierantoniomerlino pierantoniomerlino deleted the fix/8021x_remove_unusable_passwords branch January 12, 2024 11:06