Hi all,

I'm working on adding PKCS#11 support to NetworkManager for specifying certificates and private keys for EAP-TLS sessions. This is useful for a few cases:

* System administrators can distribute cryptographic objects (i.e. certs and keys) to users using standard interfaces like the gnome-keyring, which provides a PKCS#11 interface.
* Users can improve the security of their cryptographic objects using smartcards or TPM chips, because the private keys can never be read into system memory; all operations involving the key are performed on the card and the results passed back to the caller.

I've submitted the necessary patches to wpa_supplicant ([1], [2]). I've added the fundamental bits necessary to the NetworkManager core and will send a patch for that once the last wpa_supplicant patch gets finalized, and now I'm starting work on adding frontend support to nm-applet. This brings up some new problems that I want to get feedback on before proceeding further.

First, the plumbing: nm-applet has to access a PKCS#11 device in order to allow the user to select a certificate from the device. Since nm-applet already supports NSS and NSS provides PKCS#11 support, this could be the easiest way. Unfortunately, there is no easy support for GnuTLS. I prefer a different solution: add the option to compile with libpkcs11-helper. The reasoning is that nm-applet only has to scan the device, give the user a selection dialog to select the certificate (more about this below), and get the PKCS#11 ID of the certificate and key to pass on to wpa_supplicant. In other words, nm-applet doesn't need to do any cryptographic operations with the objects on the PKCS#11 device, so the support doesn't need to be specific to any TLS library. Considering that, the downside of just wrapping the PKCS#11 support in a bunch of #ifdef HAS_PKCS11 seems ok to me.

Second, the interface, specifically eap_tls_notebook. I've attached a screenshot showing the basic changes I want to make. The main things are: the selection of the PKCS#11 library using a GtkFileChooserButton; the PKCS#11 PIN field; and replacing the user cert, CA cert, and private key buttons with a custom widget that provides a drop-down of objects found in the PKCS#11 device and an entry for picking a file on the file system, launching a GtkFileChooserDialog on click. That selection is poorly gimped in the screenshot, but I think it would work well. And please never mind that the logos use "Google"; replace with your organization name, wherever you might have a relatively large X.509 infrastructure.

What do you think of this interface? An alternative would be to simply use PKCS#11 for all certificate and key selection and, in the case of gnome-keyring, provide a button on the EAP-TLS window to add a new certificate and private key to gnome-keyring that would then show up in the drop-down box.

Any feedback greatly appreciated,

- dds

-- 
man perl | tail -6 | head -2
Attachment: eap_tls_widget.png (PNG image)