* Re: Fw: Failed to load trusted user certificate
       [not found] <AM0PR06MB515545E35BEC93012AF782819F990@AM0PR06MB5155.eurprd06.prod.outlook.com>
@ 2020-06-20 13:17 ` Andrew Zaborowski
  2020-06-23 11:47   ` Martin Tesar
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Zaborowski @ 2020-06-20 13:17 UTC (permalink / raw)
  To: iwd


Hi Martin,

On Sat, 20 Jun 2020 at 14:51, Martin Tesar <martin.tesar@yourwifi.cz> wrote:
> it looks like the IWD is not able to load trusted user certificates.
> Basically if the certificate is enclosed in
>
> -----BEGIN TRUSTED CERTIFICATE-----
> -----END TRUSTED CERTIFICATE-----
>
> I'm always getting an error "Failed to load".

Right, we've seen this feature request somewhere recently and thought
that it may be easy to support this format in IWD.

Do you happen to know where this format is specified?

Best regards


* Re: Fw: Failed to load trusted user certificate
  2020-06-20 13:17 ` Fw: Failed to load trusted user certificate Andrew Zaborowski
@ 2020-06-23 11:47   ` Martin Tesar
  0 siblings, 0 replies; 3+ messages in thread
From: Martin Tesar @ 2020-06-23 11:47 UTC (permalink / raw)
  To: iwd


Hi Andrew,

in my current scenario the certificate was issued by the PKI infrastructure, but I've done some research and it is available also in OpenSSL as "trust settings":
"A trusted certificate is an ordinary certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and an "alias"."

So, we are most likely talking about the X.509 certificate extensions as it is mentioned in the RFC 5280 (https://tools.ietf.org/html/rfc5280#section-4.2).

That's all I was able to find. Hope it helps.

Regards
Martin

________________________________
From: Andrew Zaborowski <andrew.zaborowski@intel.com>
Sent: Saturday, 20 June 2020 15:17
To: Martin Tesar <martin.tesar@yourwifi.cz>
Cc: iwd(a)lists.01.org <iwd@lists.01.org>
Subject: Re: Fw: Failed to load trusted user certificate

Hi Martin,

On Sat, 20 Jun 2020 at 14:51, Martin Tesar <martin.tesar@yourwifi.cz> wrote:
> it looks like the IWD is not able to load trusted user certificates.
> Basically if the certificate is enclosed in
>
> -----BEGIN TRUSTED CERTIFICATE-----
> -----END TRUSTED CERTIFICATE-----
>
> I'm always getting an error "Failed to load".

Right, we've seen this feature request somewhere recently and thought
that it may be easy to support this format in IWD.

Do you happen to know where this format is specified?

Best regards
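
An added example, not part of the thread or of iwd's code: a small Python parser that shows what a loader has to handle for the two PEM labels discussed above. It assumes OpenSSL's encoding of a TRUSTED CERTIFICATE block, where the base64 body holds the DER certificate followed by a second DER structure carrying the trust settings; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_len(buf):
    """Total size (header + content) of the DER element at the start of buf."""
    if len(buf) < 2:
        raise ValueError("truncated DER header")
    if buf[1] < 0x80:                       # short form: length in one octet
        hdr, length = 2, buf[1]
    else:                                   # long form: next n octets hold the length
        n = buf[1] & 0x7F
        if not 1 <= n <= 4 or len(buf) < 2 + n:
            raise ValueError("bad DER length")
        hdr, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    if hdr + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return hdr + length

def to_pem(label, der):
    """Wrap DER bytes in a PEM block with the given label."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def split_trusted(pem_text):
    """Return (label, certificate DER, trailing trust-settings DER)."""
    m = PEM_RE.search(pem_text)
    if not m or m.group(1) not in ("CERTIFICATE", "TRUSTED CERTIFICATE"):
        raise ValueError("no certificate PEM block found")
    der = base64.b64decode("".join(m.group(2).split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("body is not a DER SEQUENCE")
    n = der_len(der)
    cert, aux = der[:n], der[n:]
    # A plain CERTIFICATE must have no trailer; a trusted one may have exactly one.
    if aux and (m.group(1) == "CERTIFICATE" or aux[0] != 0x30 or der_len(aux) != len(aux)):
        raise ValueError("unexpected trailing data")
    return m.group(1), cert, aux

# Constructed sample, not a real certificate: a 300-byte placeholder SEQUENCE,
# then trust settings { trust: [clientAuth OID], alias: "user" }.
FAKE_CERT = b"\x30\x82\x01\x2c" + bytes(300)
FAKE_AUX = bytes.fromhex("3012300a06082b060105050703020c0475736572")
SAMPLE = to_pem("TRUSTED CERTIFICATE", FAKE_CERT + FAKE_AUX)

if __name__ == "__main__":
    label, cert, aux = split_trusted(SAMPLE)
    print(label, len(cert), "byte certificate,", len(aux), "bytes of trust settings")
    print(to_pem("CERTIFICATE", cert).splitlines()[0])
```

Re-wrapping only the first element as a plain CERTIFICATE discards the permitted and prohibited uses and the alias, so a loader that accepts the trusted form should decide explicitly whether to honour or ignore them.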


* Fw: Failed to load trusted user certificate
       [not found] <AM0PR06MB5155FD700FFE88879BCEA64B9F990@AM0PR06MB5155.eurprd06.prod.outlook.com>
@ 2020-06-20 12:51 ` Martin Tesar
  0 siblings, 0 replies; 3+ messages in thread
From: Martin Tesar @ 2020-06-20 12:51 UTC (permalink / raw)
  To: iwd


Hello,

it looks like the IWD is not able to load trusted user certificates.
Basically if the certificate is enclosed in

-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----

I'm always getting an error "Failed to load". Once the user cert is
converted using OpenSSL and is enclosed in

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

it can be loaded without any problem. But such a converted certificate
is not accepted by the RADIUS in my case.

Below is the network configuration file and related syslog output

[Security]
EAP-Method=TLS
EAP-Identity=someuser
EAP-TLS-ClientCert=/usr/local/share/ca-certificates/user.crt
EAP-TLS-ClientKey=/usr/local/share/ca-certificates/key.crt
EAP-TLS-CACert=/usr/local/share/ca-certificates/root.crt

Jun  2 01:19:41 somehost systemd[1]: Starting Wireless service...
Jun  2 01:19:41 somehost iwd[767]: No Diffie-Hellman support found, WPS will not be available
Jun  2 01:19:41 somehost iwd[767]: The following options are missing in the kernel:
Jun  2 01:19:41 somehost iwd[767]: #011CONFIG_KEY_DH_OPERATIONS
Jun  2 01:19:41 somehost iwd[767]: Wireless daemon version 1.7
Jun  2 01:19:41 somehost systemd[1]: Started Wireless service.
Jun  2 01:19:41 somehost iwd[767]: netconfig: Network configuration is disabled.
Jun  2 01:19:41 somehost iwd[767]: Wiphy: 0, Name: phy0
Jun  2 01:19:41 somehost iwd[767]: #011Permanent Address: dc:a6:32:49:d4:66
Jun  2 01:19:41 somehost iwd[767]: #011Bands: 2.4 GHz 5 GHz
Jun  2 01:19:41 somehost iwd[767]: #011Ciphers: CCMP TKIP BIP
Jun  2 01:19:41 somehost iwd[767]: #011Supported iftypes: ad-hoc station ap p2p-client p2p-go p2p-device
Jun  2 01:19:41 somehost iwd[767]: Wiphy phy0 will only use the default interface
Jun  2 01:19:41 somehost kernel: [  169.433109] brcmfmac: brcmf_cfg80211_set_power_mgmt: power save disabled
Jun  2 01:19:41 somehost iwd[767]: Failed to load /usr/local/share/ca-certificates/user.crt

Thanks!
Martin


-- System Information:
Debian Release: bullseye/sid
Architecture: armhf (armv7l)

Kernel: Linux 5.6.14-v7l+ (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages iwd depends on:
ii  libc6         2.30-8+rpi1
ii  libreadline8  8.0-4

iwd recommends no packages.

iwd suggests no packages.

-- no debconf information


