NetworkManager 0.7 does not recognize p12 keys

Bug #291242 reported by mxyzptlk
This bug affects 2 people
Affects / Status / Importance / Assigned to / Milestone
Network Manager Applet: Fix Released, Wishlist
network-manager (Ubuntu): Fix Released, Medium, Unassigned
network-manager-applet (Ubuntu): Fix Released, Medium, Unassigned

Bug Description

Binary package hint: network-manager-gnome

NetworkManager 0.7 in Ubuntu 8.10 no longer recognizes p12 keys. This is necessary for connecting to some WPA Enterprise networks with an EAP method of TLS.

Expected behavior from the previous version of NetworkManager in Ubuntu 8.04: In order to connect, one had to first get the p12 key from the institution, then use openssl to create the necessary *cert.pem and *cacert.pem files. Once one chose TLS in the EAP method, one had to enter TKIP for the Key Type, identity, password, the Client Certificate (*_cert.pem, made with openssl and the p12 file), the CA Certificate (*_cacert.pem, made with openssl and the p12 file), the Private Key File (the p12 from the institution), and the Private Key Password. Once those were entered, just click Login to Network and you're golden.

Behavior in the newest version of NetworkManager in Ubuntu 8.10: The Private Key File (p12) is not recognized in the NetworkManager 0.7. When opening the search for the key, NetworkManager will only let one see DER or PEM certificates (*.der, *.pem, *.crt, *.cer). The p12 file cannot be seen. If entered manually, NetworkManager 0.7 will not let one login -- the login button cannot be clicked, so no logging in can occur.

This makes connecting to a WPA Enterprise TLS network impossible, and is a regression from the previous version.

Attached are two .png files showing the difference.

Revision history for this message
Liu (liuliu-1987) wrote :

I encountered the same problem. UVa ah?

Revision history for this message
Alexander Sack (asac) wrote :

upstream bug.

Changed in network-manager-applet:
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Alexander Sack (asac) wrote :

could you please test this patch?

for instance like:

sudo apt-get update
sudo apt-get build-dep network-manager-applet
apt-get source network-manager-gnome
cd network-manager-applet-*/
patch -p1 < /tmp/THIS_DOWNLOADED.patch
dpkg-buildpackage -rfakeroot -b
cd ../
sudo dpkg -i network-manager-gnome*.deb

... don't forget to restart everything properly.

Changed in network-manager-applet:
status: Triaged → In Progress
Revision history for this message
mxyzptlk (mxyzptlk) wrote :

Heh -- I thought I'd anonymized everything in my screen grabs. I left the "cavalier" on -- yep, I'm at UVa.

But I'm not there now -- I'll try the patch tomorrow.

Revision history for this message
Alexander Sack (asac) wrote : Re: [Bug 291242] Re: NetworkManager 0.7 does not recognize p12 keys

On Fri, Oct 31, 2008 at 08:02:38PM -0000, J Wood wrote:
> Heh -- I thought I'd anonymized everything in my screen grabs. I left
> the "cavalier" on -- yep, I'm at UVa.
>
> But I'm not there now -- I'll try the patch tomorrow.
>

Don't know what you are talking about, but if you test the patch that
would be great.

 - Alexander

Revision history for this message
mxyzptlk (mxyzptlk) wrote :

Alexander -- Liu had just noticed the network name in my screengrabs above, the secure network for the University of Virginia, and he asked if I was at UVa (sure am). It's not relevant to your patch, but I'm looking forward to testing it.

Revision history for this message
Liu (liuliu-1987) wrote :

Alexander:

I've tried your fix. It did not solve the problem. It seems irrelevant to the file select dialog. It looks like when you enter a username/password combination, the login button should be activated, which it currently is not.

Revision history for this message
Alexander Sack (asac) wrote :

Liu, are you sure it's properly applied? Can you at least select .p12 files now in the dialog?

Revision history for this message
ifts (ifts2006) wrote :

I have the same bug.

After applying your patch, I'm able to choose .p12 files in the dialog!
But it still doesn't work; I can't click on OK.

Revision history for this message
Alexander Sack (asac) wrote :

killall nm-applet and start nm-applet from a terminal (with the patch)
what output do you get when trying to set the p12 key?

Revision history for this message
ifts (ifts2006) wrote :

well,

I don't have any output because I can't click on the "connect" button!
It stays grey.
It seems that even though I was able to choose the .p12 file, it doesn't recognize it.

Do you have an idea?

Revision history for this message
Liu (liuliu-1987) wrote :

no output.

I assume that the "connect" button should be activated as soon as the username/password are input, even if we do not select any certificate file. I am not familiar with the GTK framework, which makes it hard to locate the error line. Maybe this is of some help.

Revision history for this message
ifts (ifts2006) wrote :

In the previous Ubuntu version (8.04), you had to enter the pass/username AND the 3 files to activate the connect button.

Revision history for this message
Liu (liuliu-1987) wrote :

Sorry for the mess. I checked the code, you are right.

Revision history for this message
Alexander Sack (asac) wrote :

OK. Does this mean that the patch is enough?

Revision history for this message
Liu (liuliu-1987) wrote :

Alexander:

Sorry, I just answered ifts that to activate the connect button, pass/username AND the 3 files are all needed. But the bug remains. I am not familiar with your 0.70 code; it seems to have big differences from the 0.6x code. I really want to do something to help you solve the problem; may I send you the p12 key file and .pem file privately?

Revision history for this message
Alexander Sack (asac) wrote :

If you could attach "meaningless" but technically valid files to this bug, it could help. Just don't attach anything useful for logging in to your real system. Can you provide such files?

Changed in network-manager-applet:
status: In Progress → Triaged
Revision history for this message
mxyzptlk (mxyzptlk) wrote :

Just a note: I won't have a chance to try out a patch or anything until Tuesday, but I'm going to cross-post a bug at the Gnome Bugzilla page for NetworkManager. That seems to be where the bugs are being triaged.

Revision history for this message
mxyzptlk (mxyzptlk) wrote :

Bug added at http://bugzilla.gnome.org/show_bug.cgi?id=558982. You may want to pop over there and add your input to help ensure that it's acknowledged.

Alexander Sack (asac)
Changed in network-manager-applet:
importance: Undecided → Unknown
status: New → Unknown
Revision history for this message
mxyzptlk (mxyzptlk) wrote :

Don't know if anything more has been done with this, but there was an update, and now I can't even pick up a network at my university -- so something else is possibly wrong as well. There has been some activity at bugzilla, but most of it is me being told everything is perfect and not to use p12 keys. Apparently U. of Virginia and Virginia Tech recommend otherwise, because that's what we're stuck with.

Revision history for this message
Olaf Lüke (borg) wrote :

It is fixed in NM svn 4280 and applet svn 1018. Is it possible to backport that?

Revision history for this message
Alberto (apedraza) wrote :

I am using EAP/TLS with WPA2 and it works. You need to extract the key from your pfx certificate and put it in a pem file. Now, having said that, there is a bug that prevents you from saving your certificates in the nm-applet gui. I had to use gconf editor to save my setup. This bug has been there since the summer. Error: Updating connection failed: Client Cert.

Revision history for this message
Alexander Sack (asac) wrote :

NM svn 4280 and applet svn 1018 are quite a huge patch.

Revision history for this message
Alexander Sack (asac) wrote :

NM svn 4280
===================================================================
--- ChangeLog (revision 4279)
+++ ChangeLog (revision 4280)
@@ -1,3 +1,65 @@
+2008-11-13 Dan Williams <email address hidden>
+
+ Add support for PKCS#12 private keys (bgo #558982)
+
+ * libnm-util/crypto.c
+ libnm-util/crypto.h
+ - (parse_old_openssl_key_file): rename from parse_key_file(); adapt to
+ take a GByteArray instead of a filename
+ - (file_to_g_byte_array): handle private key files too
+ - (decrypt_key): take a GByteArray rather than data + len
+ - (crypto_get_private_key_data): refactor crypto_get_private_key() into
+ one function that takes a filename, and one that takes raw data;
+ detect pkcs#12 files as well
+ - (crypto_load_and_verify_certificate): detect file type
+ - (crypto_is_pkcs12_data, crypto_is_pkcs12_file): add pkcs#12 detection
+ functions
+
+ * libnm-util/crypto_gnutls.c
+ - (crypto_decrypt): take GByteArray rather than data + len; fix a bug
+ whereby tail padding was incorrectly handled, leading to erroneous
+ successes when trying to decrypt the data
+ - (crypto_verify_cert): rework somewhat
+ - (crypto_verify_pkcs12): validate pkcs#12 keys
+
+ * libnm-util/crypto_nss.c
+ - (crypto_init): enable various pkcs#12 ciphers
+ - (crypto_decrypt): take a GByteArray rather than data + len
+ - (crypto_verify_cert): clean up
+ - (crypto_verify_pkcs12): validate pkcs#12 keys
+
+ * libnm-util/test-crypto.c
+ - Handle pkcs#12 keys
+
+ * libnm-util/nm-setting-8021x.c
+ libnm-util/nm-setting-8021x.h
+ libnm-util/libnm-util.ver
+ - Add two new properties, 'private-key-password' and
+ 'phase2-private-key-password', to be used in conjunction with
+ pkcs#12 keys
+ - (nm_setting_802_1x_set_ca_cert_from_file,
+ nm_setting_802_1x_set_client_cert_from_file,
+ nm_setting_802_1x_set_phase2_ca_cert_from_file,
+ nm_setting_802_1x_set_phase2_client_from_file): return certificate
+ type
+ - (nm_setting_802_1x_get_private_key_password,
+ nm_setting_802_1x_get_phase2_private_key_password): return private
+ key passwords
+ - (nm_setting_802_1x_set_private_key_from_file,
+ nm_setting_802_1x_set_phase2_private_key_from_file): set the private
+ key from a file, and update the private key password at the same time
+ - (nm_setting_802_1x_get_private_key_type,
+ nm_setting_802_1x_get_phase2_private_key_type): return the private
+ key type
+
+ * src/supplicant-manager/nm-supplicant-settings-verify.c
+ - Whitelist private key passwords
+
+ * src/supplicant-manager/nm-s...
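Review bot: the crypto_gnutls.c entry for (crypto_decrypt) says the tail-padding fix removes "erroneous successes when trying to decrypt the data", meaning a wrong passphrase or a truncated blob could previously be reported as decrypted; the libnm-util/test-crypto.c entry only says "Handle pkcs#12 keys", so please add a negative case there (bad passphrase, bad padding) that asserts decryption fails, otherwise the padding bug can regress unnoticed. Also, the nm-supplicant-settings-verify.c entry whitelists private key passwords as supplicant settings; since 'private-key-password' is a secret, make sure it is excluded from any debug dump of the settings handed to the supplicant.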


Revision history for this message
Alexander Sack (asac) wrote :

Index: ChangeLog
===================================================================
--- ChangeLog (revision 1017)
+++ ChangeLog (revision 1018)
@@ -1,3 +1,53 @@
+2008-11-13 Dan Williams <email address hidden>
+
+ Add support for PKCS#12 private keys (bgo #558982)
+
+ * src/utils/utils.c
+ - (utils_fill_connection_certs): report errors
+
+ * src/connection-editor/nm-connection-editor.c
+ - (nm_connection_editor_set_connection): run initial validation from
+ and idle handler to allow file choosers time to asynchronously
+ find their files
+
+ * src/gconf-helpers/gconf-helpers.c
+ - (get_one_private_key): add private key passwords to the secrets hash
+ if the private key is a pkcs#12 private key
+ - (nm_gconf_get_keyring_items): move force-included private key passwords
+ functionality into get_one_private_key()
+
+ * src/wireless-security/eap-method.c
+ src/wireless-security/eap-method.h
+ - (eap_method_default_file_chooser_filter_new): use differnet filters
+ for private keys versus certificates, since private keys can be
+ pkcs#12 and certificates cannot
+ - (default_filter): split up into file_has_extension(),
+ file_is_der_or_pem(), default_filter_cert(), and
+ default_filter_privkey(); fix a bug where only the first 1K of a
+ candidate file would be read, missing some certificates with long
+ text descriptions
+ - (eap_method_validate_filepicker): take the private key password for
+ validation purposes; return the certificate/key type
+
+ * src/wireless-security/eap-method-peap.c
+ src/wireless-security/eap-method-ttls.c
+ - Update for eap_method_validate_filepicker() changes
+
+ * src/wireless-security/eap-method-tls.c
+ - (eap_method_tls_new): handle phase2 secrets too; and do initial
+ validation from and idle handler to allow file choosers time to
+ asynchronously find their file
+ - (setup_filepicker): connect a special handler to the private key
+ chooser so that the client certificate chooser can be disabled when
+ the user picks a pkcs#12 private key; additionally, work around a
+ GTK+ issue where GTK would clear the choosers filter
+ - (private_key_picker_helper): disable the client certificate chooser
+ button when the private key is pkcs#12
+ - (fill_connection): if the private key is pkcs#12, set the client
+ certificate to the the same file as the private key, as NM requires
+ - (validate): ignore the client certificate if the private key is
+ pkcs#12
+
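Review bot: in the eap-method-tls.c entries, (validate) ignores the client certificate when the private key is pkcs#12 and (fill_connection) copies the private key path into the client certificate field, while eap_method_validate_filepicker() now needs the private key password to validate that key; since the initial validation runs from an idle handler before the user has typed the password, state which signal re-runs validation when the password entry changes, or the connect button may stay disabled, which is the symptom this bug reports. Minor: "from and idle handler" (here and in the nm-connection-editor.c entry) should read "from an idle handler", and "differnet" and "the the same file" are typos in the entry text.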

Changed in network-manager:
importance: Undecided → Medium
status: New → Triaged
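The applet ChangeLog above describes the detection changes behind the fix: separate file-chooser filters for private keys and certificates (a private key may be PKCS#12, a certificate may not), content-based PKCS#12 detection, reading the whole candidate file instead of only its first 1K, and skipping the separate client certificate when the private key is PKCS#12. The following Python is an added example written for this page, not NetworkManager or nm-applet code: it implements that classification on constructed byte strings. The function names, the sniff_limit parameter that models the old 1K read, the sample DER prefixes and the rule that a CA certificate is still required in the PKCS#12 case are my own assumptions.

```python
"""Content-based classification of EAP-TLS credential files.

Added illustration (not NetworkManager code). Decides whether a blob is a
PEM container, a DER object, or a PKCS#12 (PFX) bundle by looking at its
bytes rather than its file extension. All samples below are constructed.
"""

# DER body of OID 1.2.840.113549.1.7.1 (pkcs7-data), the contentType that a
# PKCS#12 authSafe ContentInfo carries.
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")


def _read_tlv(buf, pos):
    """Parse one DER tag/length header at buf[pos].

    Returns (tag, value_start, value_end), or None if the header is malformed
    or the declared value runs past the end of the buffer.
    """
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    header = 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            return None
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    else:
        length = first
    start = pos + header
    end = start + length
    if end > len(buf):
        return None
    return tag, start, end


def is_pkcs12(data):
    """PFX prefix: SEQUENCE { INTEGER 3, SEQUENCE { OID pkcs7-data, ... } }."""
    outer = _read_tlv(data, 0)
    if outer is None or outer[0] != 0x30:
        return False
    version = _read_tlv(data, outer[1])
    if version is None or version[0] != 0x02 or data[version[1]:version[2]] != b"\x03":
        return False
    auth_safe = _read_tlv(data, version[2])
    if auth_safe is None or auth_safe[0] != 0x30:
        return False
    oid = _read_tlv(data, auth_safe[1])
    return oid is not None and oid[0] == 0x06 and data[oid[1]:oid[2]] == PKCS7_DATA_OID


def is_der(data):
    """A single DER SEQUENCE that spans the whole file (certificate or key)."""
    outer = _read_tlv(data, 0)
    return outer is not None and outer[0] == 0x30 and outer[2] == len(data)


def is_pem(data):
    """PEM armour may sit after a long text description, so scan the whole file."""
    return b"-----BEGIN " in data


def classify(data, sniff_limit=None):
    """Return 'pkcs12', 'pem', 'der' or 'unknown'.

    sniff_limit models the old applet bug of inspecting only the first N bytes.
    """
    if sniff_limit is not None:
        data = data[:sniff_limit]
    if is_pkcs12(data):           # most specific check first; a PFX is also DER
        return "pkcs12"
    if is_pem(data):
        return "pem"
    if is_der(data):
        return "der"
    return "unknown"


def accept_as_private_key(data):
    """Private-key chooser filter: PEM, DER or PKCS#12."""
    return data is not None and classify(data) in ("pem", "der", "pkcs12")


def accept_as_certificate(data):
    """Certificate chooser filter: PEM or DER only, never PKCS#12."""
    return data is not None and classify(data) in ("pem", "der")


def tls_file_set_valid(private_key, client_cert, ca_cert):
    """Mirror of the validate() rule: a PKCS#12 key already contains the client
    certificate, so the separate client cert may be absent in that case.
    Requiring the CA certificate in all cases is this example's assumption."""
    if not accept_as_private_key(private_key) or not accept_as_certificate(ca_cert):
        return False
    if classify(private_key) == "pkcs12":
        return True
    return accept_as_certificate(client_cert)


# Constructed samples: a 24-byte PFX prefix, a 262-byte DER shell using a
# long-form length, and a PEM file whose text preamble exceeds 1K.
SAMPLE_PKCS12 = bytes.fromhex("3016" "020103" "3011" "06092a864886f70d010701" "a004" "0402abcd")
SAMPLE_DER = b"\x30\x82\x01\x02" + b"\x30\x81\xff" + bytes(255)
SAMPLE_PEM = (b"Issuer: Example Campus CA (constructed sample)\n" * 40
              + b"-----BEGIN CERTIFICATE-----\n<base64 body omitted in this sample>\n"
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("pkcs12", SAMPLE_PKCS12), ("der", SAMPLE_DER), ("pem", SAMPLE_PEM)):
        print(name, "->", classify(blob), "(first 1K only:", classify(blob, sniff_limit=1024) + ")")
```

Running the block shows the PEM sample classified correctly when the whole file is read and as "unknown" when only the first 1K is inspected, which is the failure the ChangeLog's default_filter fix addresses; the PKCS#12 sample passes the private-key filter but not the certificate filter.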
Revision history for this message
sps113 (sps113-gmail) wrote :

Can't comment on bug status, but for a possible workaround, you might start here: http://uvalug.ue8.org/wiki/HOWTO_Cavalier_Wireless.

Cheers.

Revision history for this message
mxyzptlk (mxyzptlk) wrote :

sps113, just to let you know that uvalug wiki page is a little out of date, but is being updated (I've written some of that wiki). As soon as I can get back down there and just crack at it, I'll be updating some of the pages, including this one about Network Manager: http://uvalug.ue8.org/wiki/Cavalier_Wireless_with_Network_Manager

Changed in network-manager-applet:
status: Unknown → Fix Released
Revision history for this message
Martin Mai (mrkanister-deactivatedaccount-deactivatedaccount) wrote :

According to the changelog it's fixed in Jaunty now. Thanks for reporting.

Changed in network-manager:
status: Triaged → Fix Released
Changed in network-manager-applet:
status: Triaged → Fix Released
Revision history for this message
mxyzptlk (mxyzptlk) wrote :

Just wanted to add that I've managed to get this to work at our university. It took some changes from the previous procedures -- a .pem needed to be made of a key, and the university's root certificate needed a little tweak, but after that, it's connecting just right.

If only UVA's secure network was more stable.

I'm going to update http://uvalug.ue8.org/wiki/Cavalier_Wireless_with_Network_Manager when I get the chance, and hopefully those instructions will be of help to some others.

Revision history for this message
Yan (yh8h) wrote :

to Martin Mai,
What do you mean by "in Jaunty"? Could you provide the information about how to get the patch?
Thanks!

Revision history for this message
Martin Mai (mrkanister-deactivatedaccount-deactivatedaccount) wrote :

Yan, Jaunty is the name of the next Ubuntu version (Ubuntu 9.04), which is in development right now and will be released in April. I don't know if we can make the patch available in Intrepid, but I think it does not qualify for https://wiki.ubuntu.com/StableReleaseUpdates. If you need a fix for the bug in previous versions of Ubuntu, please follow the instructions for "How to request new packages" at https://help.ubuntu.com/community/UbuntuBackports#request-new-packages. Thanks.

Revision history for this message
TGAT (rfathegathering) wrote :

I'm running Ubuntu 9.04 (Jaunty) and the problem is still here. I have a netcert-2.p12 file on my desktop, with r/x permissions set, but the network manager still cannot find that .p12 file.

It's more than a little bit frustrating.

Revision history for this message
Christopher Covington (cov) wrote :

I second TGAT's comment that this is not fixed. I cannot open .p12 files in Karmic. Even though the filter says it allows them, my certificate is not listed in the window.

Revision history for this message
appultaart (appultaart) wrote :

On Ubuntu 9.10 64-bit, Network Manager Applet 0.7.996, I could not browse to my Private Key .p12 file. That is, it did not show up in the file browser when I clicked the "browse" button. I could solve this by typing the full file location into the address bar, i.e. /home/myhome/myPersonalKeyfile.p12. Then, I could enter my private key password and get into the secure network here.

NB After this successful login, I went to Network Connections --> Wireless --> edit secure network... Clicking now on the "browse" icon shows all visible files in the directory, including my .p12 files.

Changed in network-manager-applet:
importance: Unknown → Wishlist