Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(nm): 802.1x TLS Private Key encryption #5099

Merged
merged 19 commits into from
Jan 16, 2024
Merged

fix(nm): 802.1x TLS Private Key encryption #5099

merged 19 commits into from
Jan 16, 2024

Conversation

mattdibi
Copy link
Contributor

@mattdibi mattdibi commented Jan 12, 2024
edited
Loading

Currently, when connecting to a WPA Enterprise Access Point using EAP-TLS, we're providing the client private key in clear text which is not recommended as per the NetworkManager documentation..

WARNING: "private-key" is not a "secret" property, and thus unencrypted private key data using the BLOB scheme may be readable by unprivileged users. Private keys should always be encrypted with a private key password to prevent unauthorized access to unencrypted private key data.

This PR addresses the issue by passing NetworkManager encrypted private keys.

Implementation: since the Kura Keystore only supports not password-protected keys, we need to encrypt the key before sending it to NetworkManager. We chose to use the base64-encoded sha-256 hash of the private key as password so that, even when sending the configuration multiple times, the encrypted key and password stays the same.

Note about key duplication

NetworkManager saves the keys used in the 802.1x TLS authentication on disk inside the /etc/NetworkManager/system-connection folder. It appears that it doesn't perform a cleanup after the connection associated with a particular set of keys gets deleted (i.e. the keys stays there).

Kura re-applies/updated network configuration every time it starts/there's a network configuration updates. Since the keys encryption has a random component (i.e. for the same password the encrypted key will differ every time it gets encrypted) I was worried about key duplication on disk.

This appears to be not a problem: NetworkManager is smart enough to update the key associated with a particular connection

root@device::/etc/NetworkManager/system-connections# sha1sum ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem
636513148df942c2317169c6c5c817edbc872d53  ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem
root@device::/etc/NetworkManager/system-connections# sha1sum ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem
738bbf400eed98bcecb76b421f34d86be0acaa2b  ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem

mattdibi added 15 commits January 12, 2024 17:58
@mattdibi
chore: refactor code to take encryption step into account
6b665cc
@mattdibi
draft: something almost working, need more work
3f13e28
@mattdibi
feat: first working version
139bf11
@mattdibi
feat: use SHA-256 as a password
9c33f7c
@mattdibi
feat: Base64 encoded SHA-256 because... why not?
5e8852f
@mattdibi
refactor: extract PEM conversion step
946d85a
@mattdibi
fix: do not use deprecated method setPasssword, use setPassword instead
18263c7 
lolwut?
@mattdibi
refactor: remove unnecessary settings (private-key-password-flags)
e1c2a4c
@mattdibi
refactor: nicer exception handling
f47c326
@mattdibi
chore: remove unnecessary comments
bba70af
@mattdibi
refactor: move method away from higher level stuff
7ef814c
@mattdibi
style: fix broken comment
641c942
@mattdibi
test(nm): fix test private key generation (still WIP)
2837cd5
@mattdibi
test(nm): add thenResultingBuildAllMapContainsEncrypted for key compa…
f59822f 
…rison
@mattdibi
refactor(test.nm): fix remaining tests
04e6085
@mattdibi mattdibi marked this pull request as ready for review January 15, 2024 16:22
@mattdibi
Copy link
Contributor Author

mattdibi commented Jan 15, 2024
edited
Loading

Tests

Performed connection tests on both platforms (nss-based and gnutls-based ones). Kura is able to connect to the WPA Enterprise endpoint without issues.

Additional tests to be performed: verify keys cleanup/duplication. What happens when Kura reconfigure the network? A new key gets created and saved on disk by NetworkManager?

Test performed: a series of test were performed monitoring the /etc/NetworkManager/system-connection/ folder, looking for duplication of the 802.1x TLS keys. Results are the following:

  • Kura restart with systemctl restart kura: keys were not duplicated.
  • Device reboot: keys were not duplicated.
  • 802.1x tab configuration change (added CA certificate): keys were not duplicated. Only the CA cert was added.
  • Network tab configuration change (switched eth0 WAN -> LAN): keys were not duplicated.

It appears that NetworkManager just updates the key:

root@device::/etc/NetworkManager/system-connections# sha1sum ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem
636513148df942c2317169c6c5c817edbc872d53  ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem
root@device::/etc/NetworkManager/system-connections# sha1sum ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem
738bbf400eed98bcecb76b421f34d86be0acaa2b  ce7696b9-440b-4de1-abf5-a4bcbe8039dd-private-key.pem

@pierantoniomerlino pierantoniomerlino merged commit 83b8591 into develop Jan 16, 2024
8 checks passed
@pierantoniomerlino pierantoniomerlino deleted the fix/8021x_private_key_encryption branch January 16, 2024 14:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierantoniomerlino pierantoniomerlino pierantoniomerlino approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mattdibi @pierantoniomerlino