Issue #2671

Passing user-supplied certificate file names to charon-nm is problematic

Added by Mikhail Zabaluev over 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: networkmanager (charon-nm)
Affected version: 5.6.2
Resolution:

Description

The NetworkManager-strongswan GUI lets the user select a server certificate file, which is then passed to charon-nm by pathname. This is problematic for two reasons:

  1. Files are not the only possible source of certificate material on the system, and with the proliferation of software certificate stores, hardware tokens, etc., it may become the least conventional or convenient.
  2. charon-nm may be subject to the system's security confinement policies and unable to access any arbitrary file path that the user may supply. On Fedora/RHEL/CentOS, charon-nm runs with reduced privileges under SELinux confinement, so an attempt to access a certificate file that's inaccessible to UIDs other than the certificate supplier by plain old user/group DAC permissions results in an SELinux AVC denial.

The currently preferred way to handle certificates in NetworkManager is PKCS#11. The GUI should let the user pick a certificate from a PKCS#11 source using a Gcr widget, then pass the PKCS#11 URI to charon-nm, which should use strongSwan's PKCS#11 infrastructure to extract it. Gcr support may currently be incomplete; see https://bugzilla.gnome.org/show_bug.cgi?id=679860.
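
An added example, not part of the original report and not strongSwan or NetworkManager code: a strict parser for the PKCS#11 URI format (RFC 7512) that the description proposes passing instead of a pathname. The function names, the sample URI, and the policy of refusing query and vendor attributes are assumptions of this example.

```python
from urllib.parse import unquote_to_bytes

# Attribute names defined by RFC 7512 for the path and query components.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

# Constructed sample: certificate selected by token label and CKA_ID.
SAMPLE_URI = "pkcs11:token=My%20Token;id=%01%AB;type=cert"


def _split_attrs(text, sep, allowed):
    """Split 'a=b<sep>c=d' into {name: percent-decoded bytes}."""
    attrs = {}
    for item in filter(None, text.split(sep)):
        name, eq, value = item.partition("=")
        if not eq or name not in allowed:
            # Assumption: vendor-specific attributes are refused as well.
            raise ValueError(f"unknown or malformed attribute: {item!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def parse_cert_uri(uri):
    """Parse a PKCS#11 URI and require that it names a certificate object."""
    scheme, colon, rest = uri.partition(":")
    if not colon or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI (file paths are rejected)")
    path, _, query = rest.partition("?")
    attrs = _split_attrs(path, ";", PATH_ATTRS)
    query_attrs = _split_attrs(query, "&", QUERY_ATTRS)
    if attrs.get("type") != b"cert":
        raise ValueError("URI must select an object with type=cert")
    # 'id' maps to CKA_ID and 'object' to CKA_LABEL; require one of them so
    # the URI identifies a single object rather than a whole token.
    if "id" not in attrs and "object" not in attrs:
        raise ValueError("URI must identify the object by id or object label")
    # Policy assumption: a certificate is a public object, so no PIN material
    # and no module-path (a library for the consumer to load) is accepted.
    if query_attrs:
        raise ValueError(f"query attributes not accepted: {sorted(query_attrs)}")
    return attrs
```
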


Related issues

Related to Feature #490: charon-nm fails to find private key if CKA_ID doesn't match the x509 subject key id (Closed, 16.01.2014)
Has duplicate Feature #3457: user-friendly pkcs11 certificate selection (New, 22.05.2020)

History

#1 Updated by Tobias Brunner over 2 years ago

  • Related to Feature #490: charon-nm fails to find private key if CKA_ID doesn't match the x509 subject key id added

#2 Updated by Tobias Brunner 5 months ago

  • Has duplicate Feature #3457: user-friendly pkcs11 certificate selection added
