questions about adding pkcs11 support in nm-applet



Hi all,

I'm working on adding PKCS#11 support to network manager for specifying 
certificates and private keys for EAP-TLS sessions. This is useful for a few 
cases:

 * System administrators can distribute cryptographic objects (i.e. certs and 
keys) to users using standard interfaces like the gnome-keyring which 
provides a PKCS#11 interface.
 * Users can improve the security of their cryptographic objects using 
smartcards or TPM chips because the private keys can never be read into 
system memory; all operations involving the key are performed on the card and 
the results passed back to caller.

I've submitted the necessary patches to wpasupplicant ([1], [2]), I've added 
the fundamental bits necessary to network manager core and will send a patch 
for that once the last wpasupplicant patch gets finalized, and now I'm 
starting work on adding frontend support to nm-applet. This brings up some 
new problems that I want to get feedback on before proceeding further.

First, the plumbing: nm-applet has to access a pkcs11 device in order to allow 
the user to select a certificate from the device. Since nm-applet already 
supports NSS and NSS provides pkcs11 support, this could be the easiest way. 
Unfortunately, there is no easy support for gnutls. I prefer a different 
solution: add the option to compile with libpkcs11-helper. The reasoning is 
that nm-applet only has to scan the device, give the user a selection dialog 
to select the certificate (more about this below), and get the pkcs11 ID of 
the certificate and key to pass on to wpasupplicant. In other words, 
nm-applet doesn't need to do any cryptographic operations with the objects on 
the pkcs11 device and so the support doesn't need to be specific to any TLS 
library. Considering that, the downside, just wrapping the pkcs11 support 
in a bunch of #ifdef HAS_PKCS11, seems ok to me.

Second, the interface, specifically eap_tls_notebook. I've attached a 
screenshot showing the basic changes I want to make. The main things are the 
selection of the pkcs11 library using a GtkFileChooserButton, the PKCS#11 PIN 
field, and replacing the user cert, CA cert, and private key buttons with a 
custom widget that provides a drop down of objects found in the PKCS#11 
device and an entry for picking a file on the file system launching a 
GtkFileChooserDialog on click. That selection is poorly gimped in the 
screenshot but I think it would work well. And please never mind that the 
logos use "Google", replace with your organization name, wherever you might 
have a relatively large x509 infrastructure. What do you think of this 
interface? An alternative would be to simply use pkcs11 for all certificate 
and key selection and in the case of gnome-keyring, provide a button on the 
eap-tls window to add a new certificate and private key to gnome-keyring that 
would then show up in the drop-down box.

Any feedback greatly appreciated,
- dds
-- 
man perl | tail -6 | head -2

Attachment: eap_tls_widget.png
Description: PNG image

Attachment: signature.asc
Description: This is a digitally signed message part.
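
An added illustration of the plumbing described in the message, not code from the post, nm-applet or NetworkManager: once the token has been scanned, the front end only needs to check that the chosen certificate has a private key with the same ID and hand the IDs on. `struct token_obj`, the sample IDs and all function names are hypothetical; `engine`, `engine_id`, `key_id`, `cert_id` and `ca_cert_id` are wpa_supplicant network-block fields, written here in wpa_supplicant.conf syntax for readability, and the PIN is left out.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one object found while scanning a token. */
enum obj_class { OBJ_CERT, OBJ_PRIVKEY };
struct token_obj { enum obj_class cls; const char *id; const char *label; };

/* Constructed sample: a user cert with its key, and a CA cert without one. */
static const struct token_obj sample_token[] = {
    { OBJ_CERT,    "01", "user cert" },
    { OBJ_PRIVKEY, "01", "user key"  },
    { OBJ_CERT,    "02", "CA cert"   },
};

/* A cert can serve as the client cert only if a private key shares its ID. */
static int has_key(const struct token_obj *o, size_t n, const char *id)
{
    for (size_t i = 0; i < n; i++)
        if (o[i].cls == OBJ_PRIVKEY && strcmp(o[i].id, id) == 0)
            return 1;
    return 0;
}

/* IDs come from the token: refuse anything that could end the quoted value. */
static int id_is_safe(const char *id)
{
    if (*id == '\0') return 0;
    for (; *id; id++)
        if (*id == '"' || *id == '\\' || (unsigned char)*id < 0x20)
            return 0;
    return 1;
}

/* Returns bytes written, or -1 on missing key, unsafe ID or short buffer. */
int format_engine_fields(const struct token_obj *o, size_t n, const char *cert_id,
                         const char *ca_id, char *buf, size_t len)
{
    if (!id_is_safe(cert_id) || !id_is_safe(ca_id) || !has_key(o, n, cert_id))
        return -1;
    int w = snprintf(buf, len, "engine=1\nengine_id=\"pkcs11\"\nkey_id=\"%s\"\n"
                     "cert_id=\"%s\"\nca_cert_id=\"%s\"\n", cert_id, cert_id, ca_id);
    return (w < 0 || (size_t)w >= len) ? -1 : w;
}

int main(void)
{
    char buf[256];
    if (format_engine_fields(sample_token, 3, "01", "02", buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```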
