Subject: Re: TRUSTED CERTIFICATE
From: James Prestwood @ 2024-10-07 12:36 UTC
To: Alyssa Ross, ell
Hi Alyssa,
On 10/4/24 7:52 AM, Alyssa Ross wrote:
> Hello,
>
> I encountered a problem when attempting to connect to a WPA2 Enterprise
> network with iwd, that I think is caused by ell not understanding some
> certificates.
>
> I'm pretty confident that it should be valid to point EAP-TTLS-CACert to
> the /etc/ssl/certs/ca-bundle.crt that comes with my distro. I believe
> this has worked with NetworkManager/wpa_supplicant for me in the past.
> It doesn't work with iwd/ell, because
> l_pem_load_certificate_list_from_data will error if any of the entries
> in the provided PEM data don't have the "CERTIFICATE" label, but some of
> the entries in my ca-bundle.crt have the "TRUSTED CERTIFICATE" label.
>
> I think ell should therefore either support trusted certificates (or at
> least give up if it finds any), so that users don't need to manually
> configure a certificate for networks with certificates signed by a CA in
> the system's bundle.
The TRUSTED CERTIFICATE type is an openssl-specific format. Sounds like
the certificate content itself is the same, but they append extra trust
information onto the end. Supporting this is trivial, but requires
removing a length check and checking for the "TRUSTED" begin block. I
can't find any documentation on the actual ASN.1 format for this, so I
hesitate to throw something into ELL without actually understanding it.
Below is some code that will allow TRUSTED types though. Maybe
Denis/Marcel know more about this?
diff --git a/ell/cert.c b/ell/cert.c
index 38bb01a..3912b19 100644
--- a/ell/cert.c
+++ b/ell/cert.c
@@ -124,7 +124,7 @@ LIB_EXPORT struct l_cert *l_cert_new_from_der(const
uint8_t *buf,
/* Sanity check: the SEQUENCE spans the whole buffer */
content_len = asn1_parse_definite_length(&seq, &seq_len);
- if (content_len < 64 || content_len != seq_len)
+ if (content_len < 64)
return NULL;
/*
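Review bot: dropping `content_len != seq_len` from the l_cert_new_from_der() sanity check relaxes it for every caller, not just the TRUSTED CERTIFICATE path, and, depending on what asn1_parse_definite_length() does with a declared length larger than the buffer, may also stop rejecting truncated input. Keep the check in the truncated direction (`if (content_len < 64 || content_len > seq_len)`) and have the PEM loader hand over only the outer SEQUENCE's bytes, so the appended trust data never reaches this function. The comment two lines up, "Sanity check: the SEQUENCE spans the whole buffer", no longer describes the code and should be updated in the same change.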
diff --git a/ell/pem.c b/ell/pem.c
index 24e8372..1781a46 100644
--- a/ell/pem.c
+++ b/ell/pem.c
@@ -426,7 +426,8 @@ LIB_EXPORT struct l_queue
*l_pem_load_certificate_list_from_data(
goto error;
}
- is_certificate = !strcmp(label, "CERTIFICATE");
+ is_certificate = !strcmp(label, "CERTIFICATE") ||
+ !strcmp(label, "TRUSTED CERTIFICATE");
l_free(label);
if (!is_certificate)
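Review bot: accepting the "TRUSTED CERTIFICATE" label here hands the whole decoded blob, certificate plus the extra trust information appended after it, to the DER parser, and that trailing data is then silently ignored; since the cover note says the format is undocumented, at minimum add a comment stating that the openssl trust attributes are not interpreted, and consider recording which label matched (`is_certificate` collapses both) so the caller can decide whether trailing bytes are expected or an error.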
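The alternative to relaxing the DER length check, as an added example in Python rather than ell's own code: split the PEM bundle into entries, accept both labels, and for a "TRUSTED CERTIFICATE" entry use the outer SEQUENCE's own length to cut the certificate away from whatever is appended after it, so the "SEQUENCE spans the whole buffer" check can stay strict for the certificate bytes. The DER blobs below are constructed placeholders, not real certificates, and the trailing bytes are an opaque stand-in for the appended trust information, whose format the thread does not document and which this code does not interpret.

```python
"""Load certificates from a PEM bundle that mixes "CERTIFICATE" and
"TRUSTED CERTIFICATE" entries (added example, not ell code)."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
MIN_CERT_CONTENT = 64  # same lower bound as ell's sanity check


def der_sequence_span(buf):
    """Return header + content length of the definite-length DER SEQUENCE
    at buf[0], or None if it is malformed or does not fit in the buffer."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:
        hdr, content = 2, first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return None  # indefinite or oversized length field
        content = int.from_bytes(buf[2:2 + n], "big")
        hdr = 2 + n
        if content < 0x80 or (n > 1 and buf[2] == 0):
            return None  # DER requires the shortest length encoding
    if hdr + content > len(buf):
        return None  # truncated: declared length exceeds the buffer
    return hdr + content


def load_certificate_list(pem_text):
    """Return [(label, certificate_der, trailing_bytes)] for every entry.
    Raises ValueError on non-certificate labels, malformed DER, or trailing
    bytes after a plain CERTIFICATE, refusing the whole bundle like ell."""
    entries = []
    for label, body in PEM_RE.findall(pem_text):
        if label not in CERT_LABELS:
            raise ValueError("unexpected PEM label %r" % label)
        der = base64.b64decode("".join(body.split()))
        span = der_sequence_span(der)
        if span is None or span < MIN_CERT_CONTENT:
            raise ValueError("malformed DER in %s entry" % label)
        cert, trailing = der[:span], der[span:]
        if label == "CERTIFICATE" and trailing:
            raise ValueError("trailing bytes after CERTIFICATE")
        # For TRUSTED CERTIFICATE the trailing bytes are openssl's trust
        # information; their format is not modelled, they are only split off.
        entries.append((label, cert, trailing))
    return entries


# --- constructed sample input (not real certificates) ---------------------
def der_tlv(tag, content):
    """Encode one DER TLV with a definite, minimally encoded length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


FAKE_CERT = der_tlv(0x30, der_tlv(0x04, b"A" * 70))   # 74-byte stand-in
FAKE_AUX = der_tlv(0x30, der_tlv(0x04, b"trust-info"))  # opaque trailer
SAMPLE_BUNDLE = (pem("CERTIFICATE", FAKE_CERT)
                 + pem("TRUSTED CERTIFICATE", FAKE_CERT + FAKE_AUX))

if __name__ == "__main__":
    for label, cert, trailing in load_certificate_list(SAMPLE_BUNDLE):
        print(label, len(cert), "cert bytes,", len(trailing), "trailing bytes")
```

The point of der_sequence_span() is that it still rejects a declared length that runs past the buffer, so the truncation guard the ell check provided is preserved while extra bytes after a complete SEQUENCE are tolerated only where the label says to expect them.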