ifcfg-rh: fix read/write of EAP-TLS connections

TLS uses the 'identity' which previously wasn't read. The private key password should also only be used for PKCS#12 files, becuase they aren't decrypted when read into the setting. Private keys also need to be handled differently; PKCS#12 keys are written out unchanged (ie, still encrypted) with their corresponding private key. DER keys are stored in the setting unencrypted, so they are re-encrypted before being written out to disk. But because the private key password isn't known for DER keys, a random password must be used to re-encrypt the key.
2009-03-31 07:29:31 -04:00
parent f4c1b422cf
commit bebe3e891b
10 changed files with 791 additions and 103 deletions
--- a/system-settings/plugins/ifcfg-rh/Makefile.am
+++ b/system-settings/plugins/ifcfg-rh/Makefile.am
@@ -16,17 +16,20 @@ libifcfg_rh_io_la_SOURCES = \
 	errors.c \
 	common.h \
 	utils.c \
-	utils.h
+	utils.h \
+	crypto.c \
+	crypto.h

 libifcfg_rh_io_la_CPPFLAGS = \
 	$(GLIB_CFLAGS) \
 	$(DBUS_CFLAGS) \
+	$(NSS_CFLAGS) \
 	-DG_DISABLE_DEPRECATED \
 	-I$(top_srcdir)/include \
 	-I$(top_srcdir)/libnm-util \
 	-DSYSCONFDIR=\"$(sysconfdir)\"

-libifcfg_rh_io_la_LIBADD = $(GLIB_LIBS)
+libifcfg_rh_io_la_LIBADD = $(GLIB_LIBS) $(NSS_LIBS)

 libnm_settings_plugin_ifcfg_rh_la_SOURCES = \
 	plugin.c \
--- a/system-settings/plugins/ifcfg-rh/crypto.c
+++ b/system-settings/plugins/ifcfg-rh/crypto.c
@@ -0,0 +1,391 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/* NetworkManager system settings service - keyfile plugin
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright (C) 2009 Red Hat, Inc.
+ */
+
+#include "config.h"
+
+#include <glib.h>
+#include <glib/gi18n.h>
+
+#include <prinit.h>
+#include <nss.h>
+#include <pk11pub.h>
+#include <pkcs11t.h>
+#include <cert.h>
+#include <prerror.h>
+
+#include "common.h"
+#include "crypto.h"
+#include "utils.h"
+
+static gboolean initialized = FALSE;
+
+static gboolean
+crypto_init (GError **error)
+{
+	SECStatus ret;
+
+	if (initialized)
+		return TRUE;
+
+	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
+	ret = NSS_NoDB_Init (NULL);
+	if (ret != SECSuccess) {
+		PR_Cleanup ();
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             _("Failed to initialize the crypto engine: %d."),
+		             PR_GetError ());
+		return FALSE;
+	}
+
+	initialized = TRUE;
+	return TRUE;
+}
+
+static gboolean
+nss_md5_hash (const unsigned char *salt,
+              const gsize salt_len,
+              const char *password,
+              gsize password_len,
+              unsigned char *buffer,
+              gsize buflen,
+              GError **error)
+{
+	PK11Context *ctx;
+	int nkey = buflen;
+	unsigned int digest_len;
+	int count = 0;
+	char digest[20]; /* MD5 hash length */
+	unsigned char *p = buffer;
+
+	if (salt)
+		g_return_val_if_fail (salt_len >= 8, FALSE);
+
+	g_return_val_if_fail (password != NULL, FALSE);
+	g_return_val_if_fail (password_len > 0, FALSE);
+	g_return_val_if_fail (buffer != NULL, FALSE);
+	g_return_val_if_fail (buflen > 0, FALSE);
+
+	ctx = PK11_CreateDigestContext (SEC_OID_MD5);
+	if (!ctx) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to initialize the MD5 context: %d.",
+		             PORT_GetError ());
+		return FALSE;
+	}
+
+	while (nkey > 0) {
+		int i = 0;
+
+		PK11_DigestBegin (ctx);
+		if (count++)
+			PK11_DigestOp (ctx, (const unsigned char *) digest, digest_len);
+		PK11_DigestOp (ctx, (const unsigned char *) password, password_len);
+		if (salt)
+			PK11_DigestOp (ctx, salt, 8); /* Only use 8 bytes of salt */
+		PK11_DigestFinal (ctx, (unsigned char *) digest, &digest_len, sizeof (digest));
+
+		while (nkey && (i < digest_len)) {
+			*(p++) = digest[i++];
+			nkey--;
+		}
+	}
+
+	memset (digest, 0, sizeof (digest));
+	PK11_DestroyContext (ctx, PR_TRUE);
+	return TRUE;
+}
+
+static unsigned char *
+make_key (const unsigned char *salt,
+          gsize salt_len,
+          const char *password,
+          gsize *out_len,
+          GError **error)
+{
+	unsigned char *key;
+	guint32 digest_len = 24; /* DES-EDE3-CBC */
+
+	g_return_val_if_fail (salt != NULL, NULL);
+	g_return_val_if_fail (salt_len >= 8, NULL);
+	g_return_val_if_fail (password != NULL, NULL);
+	g_return_val_if_fail (out_len != NULL, NULL);
+
+	key = g_malloc0 (digest_len + 1);
+	if (!key) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Not enough memory to decrypt private key.");
+		return NULL;
+	}
+
+	if (!nss_md5_hash (salt, salt_len, password, strlen (password), key, digest_len, error)) {
+		*out_len = 0;
+		memset (key, 0, digest_len);
+		g_free (key);
+		key = NULL;
+	} else
+		*out_len = digest_len;
+
+	return key;
+}
+
+static unsigned char *
+nss_des3_encrypt (const unsigned char *key,
+                  gsize key_len,
+                  const unsigned char *iv,
+                  gsize iv_len,
+                  const unsigned char *data,
+                  gsize data_len,
+                  gsize *out_len,
+                  GError **error)
+{
+	SECStatus ret;
+	CK_MECHANISM_TYPE cipher_mech = CKM_DES3_CBC_PAD;
+	PK11SlotInfo *slot = NULL;
+	SECItem key_item = { .data = (unsigned char *) key, .len = key_len };
+	SECItem iv_item = { .data = (unsigned char *) iv, .len = iv_len };
+	PK11SymKey *sym_key = NULL;
+	SECItem *sec_param = NULL;
+	PK11Context *ctx = NULL;
+	unsigned char *buf;
+	gsize buflen = data_len + 64;
+	int tmp1_len = 0;
+	unsigned int tmp2_len = 0, len;
+	gboolean success = FALSE;
+
+	buf = g_malloc0 (buflen);
+	if (!buf) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not allocate memory encrypting private key.");
+		return NULL;
+	}
+
+	slot = PK11_GetBestSlot (cipher_mech, NULL);
+	if (!slot) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to initialize the encryption cipher slot.");
+		goto out;
+	}
+
+	sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL);
+	if (!sym_key) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to set symmetric key for encryption.");
+		goto out;
+	}
+
+	sec_param = PK11_ParamFromIV (cipher_mech, &iv_item);
+	if (!sec_param) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to set IV for encryption.");
+		goto out;
+	}
+
+	ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_ENCRYPT, sym_key, sec_param);
+	if (!ctx) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to initialize the encryption context.");
+		goto out;
+	}
+
+	ret = PK11_CipherOp (ctx, buf, &tmp1_len, buflen, (unsigned char *) data, data_len);
+	if (ret != SECSuccess) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to encrypt the private key: %d.",
+		             PORT_GetError ());
+		goto out;
+	}
+
+	ret = PK11_DigestFinal (ctx,
+	                        (unsigned char *) (buf + tmp1_len),
+	                        &tmp2_len,
+	                        buflen - tmp1_len);
+	if (ret != SECSuccess) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Failed to finalize encryption of the private key: %d.",
+		             PORT_GetError ());
+		goto out;
+	}
+	len = tmp1_len + tmp2_len;
+	if (len > buflen) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Error encrypting private key; too much data.");
+		goto out;
+	}
+
+	*out_len = len;
+	buf[*out_len] = '\0';
+	success = TRUE;
+
+out:
+	if (ctx)
+		PK11_DestroyContext (ctx, PR_TRUE);
+	if (sym_key)
+		PK11_FreeSymKey (sym_key);
+	if (sec_param)
+		SECITEM_FreeItem (sec_param, PR_TRUE);
+	if (slot)
+		PK11_FreeSlot (slot);
+
+	if (!success) {
+		memset (buf, 0, buflen);
+		g_free (buf);
+		buf = NULL;
+	}
+	return buf;
+}
+
+#define PEM_RSA_KEY_BEGIN "-----BEGIN RSA PRIVATE KEY-----";
+#define PEM_RSA_KEY_END "-----END RSA PRIVATE KEY-----";
+
+GByteArray *
+crypto_key_to_pem (const GByteArray *data,
+                   const char *password,
+                   GError **error)
+{
+	SECStatus s;
+	unsigned char salt[32];
+	unsigned char *key = NULL, *enc = NULL;
+	gsize key_len = 0, enc_len = 0;
+	GString *pem = NULL;
+	char *tmp;
+	gboolean success = FALSE;
+	int left;
+	const char *p;
+	GByteArray *ret = NULL;
+
+	g_return_val_if_fail (data != NULL, NULL);
+	g_return_val_if_fail (data->len > 0, NULL);
+	g_return_val_if_fail (password != NULL, NULL);
+
+	if (!crypto_init (error))
+		return NULL;
+
+	s = PK11_GenerateRandom (salt, sizeof (salt));
+	if (s != SECSuccess) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not generate random IV for encrypting private key.");
+		return NULL;
+	}
+
+	key = make_key (&salt[0], sizeof (salt), password, &key_len, error);
+	if (!key)
+		return NULL;
+
+	enc = nss_des3_encrypt (key, key_len, salt, sizeof (salt), data->data, data->len, &enc_len, error);
+	if (!enc)
+		goto out;
+
+	pem = g_string_sized_new (enc_len * 2 + 100);
+	if (!pem) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not allocate memory for PEM file creation.");
+		goto out;
+	}
+	
+	g_string_append (pem, "-----BEGIN RSA PRIVATE KEY-----\n");
+	g_string_append (pem, "Proc-Type: 4,ENCRYPTED\n");
+
+	/* Convert the salt to a hex string */
+	tmp = utils_bin2hexstr ((const char *) salt, sizeof (salt), 16);
+	if (!tmp) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not allocate memory for writing IV to PEM file.");
+		goto out;
+	}
+
+	g_string_append_printf (pem, "DEK-Info: DES-EDE3-CBC,%s\n\n", tmp);
+	g_free (tmp);
+
+	/* Convert the encrypted key to a base64 string */
+	p = tmp = g_base64_encode (enc, enc_len);
+	if (!tmp) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not allocate memory for writing encrypted key to PEM file.");
+		goto out;
+	}
+
+	left = strlen (tmp);
+	while (left > 0) {
+		g_string_append_len (pem, p, (left < 64) ? left : 64);
+		g_string_append_c (pem, '\n');
+		left -= 64;
+		p += 64;
+	}
+	g_free (tmp);
+
+	g_string_append (pem, "-----END RSA PRIVATE KEY-----\n");
+
+	ret = g_byte_array_sized_new (pem->len);
+	if (!ret) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not allocate memory for PEM file data.");
+		goto out;
+	}
+	g_byte_array_append (ret, (const unsigned char *) pem->str, pem->len);
+	success = TRUE;
+
+out:
+	if (key) {
+		memset (key, 0, key_len);
+		g_free (key);
+	}
+	if (!enc) {
+		memset (enc, 0, enc_len);
+		g_free (enc);
+	}
+	if (pem)
+		g_string_free (pem, TRUE);
+
+	return ret;
+}
+
+GByteArray *
+crypto_random (gsize len, GError **error)
+{
+	SECStatus s;
+	GByteArray *array;
+	unsigned char *buf;
+
+	if (!crypto_init (error))
+		return NULL;
+
+	buf = g_malloc (len);
+	if (!buf) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not allocate memory for random data.");
+		return NULL;
+	}
+
+	s = PK11_GenerateRandom (buf, len);
+	if (s != SECSuccess) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Could not generate random IV for encrypting private key.");
+		g_free (buf);
+		return NULL;
+	}
+
+	array = g_byte_array_sized_new (len);
+	g_byte_array_append (array, buf, len);
+	memset (buf, 0, len);
+	g_free (buf);
+
+	return array;
+}
+
--- a/system-settings/plugins/ifcfg-rh/crypto.h
+++ b/system-settings/plugins/ifcfg-rh/crypto.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
+/* NetworkManager system settings service - keyfile plugin
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Copyright (C) 2009 Red Hat, Inc.
+ */
+
+#ifndef _CRYPTO_H_
+#define _CRYPTO_H_
+
+#include <glib.h>
+
+GByteArray *
+crypto_key_to_pem (const GByteArray *data,
+                   const char *password,
+                   GError **error);
+
+GByteArray *crypto_random (gsize len, GError **error);
+
+#endif  /* _CRYPTO_H_ */
+
--- a/system-settings/plugins/ifcfg-rh/reader.c
+++ b/system-settings/plugins/ifcfg-rh/reader.c
@@ -973,6 +973,7 @@ eap_tls_reader (const char *eap_method,
                gboolean phase2,
                GError **error)
 {
+	char *value;
 	char *ca_cert = NULL;
 	char *real_path = NULL;
 	char *client_cert = NULL;
@@ -981,6 +982,16 @@ eap_tls_reader (const char *eap_method,
 	gboolean success = FALSE;
 	NMSetting8021xCKType privkey_type = NM_SETTING_802_1X_CK_TYPE_UNKNOWN;

+	value = svGetValue (ifcfg, "IEEE_8021X_IDENTITY", FALSE);
+	if (!value) {
+		g_set_error (error, ifcfg_plugin_error_quark (), 0,
+		             "Missing IEEE_8021X_IDENTITY for EAP method '%s'.",
+		             eap_method);
+		return FALSE;
+	}
+	g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, value, NULL);
+	g_free (value);
+
 	ca_cert = svGetValue (ifcfg,
 	                      phase2 ? "IEEE_8021X_INNER_CA_CERT" : "IEEE_8021X_CA_CERT",
 	                      FALSE);
@@ -1065,6 +1076,14 @@ eap_tls_reader (const char *eap_method,
 	 * same data as the private key, since pkcs12 files contain both.
 	 */
 	if (privkey_type == NM_SETTING_802_1X_CK_TYPE_PKCS12) {
+		/* Set the private key password if PKCS#12, because PKCS#12 doesn't get
+		 * decrypted when being stored in the Setting.
+		 */
+		if (phase2)
+			g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
+		else
+			g_object_set (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
+
 		if (phase2) {
 			if (!nm_setting_802_1x_set_phase2_client_cert_from_file (s_8021x, real_path, NULL, error))
 				goto done;
@@ -1083,12 +1102,6 @@ eap_tls_reader (const char *eap_method,
 			               NM_SETTING_802_1X_CLIENT_CERT);
 		}
 	} else {
-		/* Set the private key password if not PKCS#12 */
-		if (phase2)
-			g_object_set (s_8021x, NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
-		else
-			g_object_set (s_8021x, NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD, privkey_password, NULL);
-
 		/* Otherwise, private key is "traditional" OpenSSL format, so
 		 * client certificate will be a separate file.
 		 */
--- a/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-tls
+++ b/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-tls
@@ -18,6 +18,7 @@ KEY_MGMT=WPA-EAP
 WPA_ALLOW_WPA=yes
 WPA_ALLOW_WPA2=yes
 IEEE_8021X_EAP_METHODS=TLS
+IEEE_8021X_IDENTITY="Bill Smith"
 IEEE_8021X_CA_CERT=test_ca_cert.pem
 IEEE_8021X_CLIENT_CERT=test1_key_and_cert.pem
 IEEE_8021X_PRIVATE_KEY=test1_key_and_cert.pem
--- a/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-ttls-tls
+++ b/system-settings/plugins/ifcfg-rh/tests/network-scripts/ifcfg-test-wifi-wpa-eap-ttls-tls
@@ -18,6 +18,7 @@ KEY_MGMT=WPA-EAP
 WPA_ALLOW_WPA=yes
 WPA_ALLOW_WPA2=yes
 IEEE_8021X_EAP_METHODS=TTLS
+IEEE_8021X_IDENTITY="Chuck Shumer"
 IEEE_8021X_ANON_IDENTITY="anonymous"
 IEEE_8021X_CA_CERT=test_ca_cert.pem
 IEEE_8021X_INNER_AUTH_METHODS=EAP-TLS
--- a/system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
+++ b/system-settings/plugins/ifcfg-rh/tests/test-ifcfg-rh.c
@@ -2845,8 +2845,9 @@ test_read_wifi_wpa_eap_tls (void)
 	char *keyfile = NULL;
 	gboolean ignore_error = FALSE;
 	GError *error = NULL;
-	const char *tmp, *privkey_password;
-	const char *expected_private_key_password = "test1";
+	const char *tmp;
+	const char *expected_identity = "Bill Smith";
+	const char *expected_privkey_password = "test1";

 	connection = connection_from_file (TEST_IFCFG_WIFI_WPA_EAP_TLS,
 	                                   NULL,
@@ -2913,6 +2914,19 @@ test_read_wifi_wpa_eap_tls (void)
 	        NM_SETTING_802_1X_SETTING_NAME,
 	        NM_SETTING_802_1X_EAP);

+	/* Identity */
+	tmp = nm_setting_802_1x_get_identity (s_8021x);
+	ASSERT (tmp != NULL,
+	        "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
+	        TEST_IFCFG_WIFI_WPA_EAP_TLS,
+	        NM_SETTING_802_1X_SETTING_NAME,
+	        NM_SETTING_802_1X_IDENTITY);
+	ASSERT (strcmp (tmp, expected_identity) == 0,
+	        "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value",
+	        TEST_IFCFG_WIFI_WPA_EAP_TLS,
+	        NM_SETTING_802_1X_SETTING_NAME,
+	        NM_SETTING_802_1X_IDENTITY);
+
 	/* CA Cert */
 	verify_cert_or_key (CK_CA_CERT,
 	                    s_8021x,
@@ -2932,14 +2946,8 @@ test_read_wifi_wpa_eap_tls (void)
 	                    NM_SETTING_802_1X_CLIENT_CERT);

 	/* Private Key Password */
-	privkey_password = nm_setting_802_1x_get_private_key_password (s_8021x);
-	ASSERT (privkey_password != NULL,
-	        "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
-	        TEST_IFCFG_WIFI_WPA_EAP_TLS,
-	        NM_SETTING_802_1X_SETTING_NAME,
-	        NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
-	ASSERT (strcmp (privkey_password, expected_private_key_password) == 0,
-	        "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value",
+	ASSERT (nm_setting_802_1x_get_private_key_password (s_8021x) == NULL,
+	        "wifi-wpa-eap-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key",
 	        TEST_IFCFG_WIFI_WPA_EAP_TLS,
 	        NM_SETTING_802_1X_SETTING_NAME,
 	        NM_SETTING_802_1X_PRIVATE_KEY_PASSWORD);
@@ -2948,7 +2956,7 @@ test_read_wifi_wpa_eap_tls (void)
 	verify_cert_or_key (CK_PRIV_KEY,
 	                    s_8021x,
 	                    TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
-	                    privkey_password,
+	                    expected_privkey_password,
 	                    TEST_IFCFG_WIFI_WPA_EAP_TLS,
 	                    "wifi-wpa-eap-tls-verify-8021x",
 	                    NM_SETTING_802_1X_PRIVATE_KEY);
@@ -2971,8 +2979,9 @@ test_read_wifi_wpa_eap_ttls_tls (void)
 	char *keyfile = NULL;
 	gboolean ignore_error = FALSE;
 	GError *error = NULL;
-	const char *tmp, *privkey_password;
-	const char *expected_private_key_password = "test1";
+	const char *tmp;
+	const char *expected_identity = "Chuck Shumer";
+	const char *expected_privkey_password = "test1";

 	connection = connection_from_file (TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
 	                                   NULL,
@@ -3080,14 +3089,8 @@ test_read_wifi_wpa_eap_ttls_tls (void)
 	                    NM_SETTING_802_1X_PHASE2_CLIENT_CERT);

 	/* Inner Private Key Password */
-	privkey_password = nm_setting_802_1x_get_phase2_private_key_password (s_8021x);
-	ASSERT (privkey_password != NULL,
-	        "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
-	        TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
-	        NM_SETTING_802_1X_SETTING_NAME,
-	        NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
-	ASSERT (strcmp (privkey_password, expected_private_key_password) == 0,
-	        "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value",
+	ASSERT (nm_setting_802_1x_get_phase2_private_key_password (s_8021x) == NULL,
+	        "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key",
 	        TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
 	        NM_SETTING_802_1X_SETTING_NAME,
 	        NM_SETTING_802_1X_PHASE2_PRIVATE_KEY_PASSWORD);
@@ -3096,11 +3099,24 @@ test_read_wifi_wpa_eap_ttls_tls (void)
 	verify_cert_or_key (CK_PRIV_KEY,
 	                    s_8021x,
 	                    TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
-	                    privkey_password,
+	                    expected_privkey_password,
 	                    TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
 	                    "wifi-wpa-eap-ttls-tls-verify-8021x",
 	                    NM_SETTING_802_1X_PHASE2_PRIVATE_KEY);

+	/* Identity */
+	tmp = nm_setting_802_1x_get_identity (s_8021x);
+	ASSERT (tmp != NULL,
+	        "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: missing %s / %s key",
+	        TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
+	        NM_SETTING_802_1X_SETTING_NAME,
+	        NM_SETTING_802_1X_IDENTITY);
+	ASSERT (strcmp (tmp, expected_identity) == 0,
+	        "wifi-wpa-eap-ttls-tls-verify-8021x", "failed to verify %s: unexpected %s / %s key value",
+	        TEST_IFCFG_WIFI_WPA_EAP_TTLS_TLS,
+	        NM_SETTING_802_1X_SETTING_NAME,
+	        NM_SETTING_802_1X_IDENTITY);
+
 	g_object_unref (connection);
 }

@@ -4116,6 +4132,165 @@ test_write_wifi_wpa_psk (const char *name,
 	g_object_unref (reread);
 }

+static void
+test_write_wifi_wpa_eap_tls (void)
+{
+	NMConnection *connection;
+	NMConnection *reread;
+	NMSettingConnection *s_con;
+	NMSettingWireless *s_wifi;
+	NMSettingWirelessSecurity *s_wsec;
+	NMSetting8021x *s_8021x;
+	NMSettingIP4Config *s_ip4;
+	char *uuid;
+	gboolean success;
+	GError *error = NULL;
+	char *testfile = NULL;
+	gboolean unmanaged = FALSE;
+	char *keyfile = NULL;
+	gboolean ignore_error = FALSE;
+	GByteArray *ssid;
+	const char *ssid_data = "blahblah";
+
+	connection = nm_connection_new ();
+	ASSERT (connection != NULL,
+	        "wifi-wpa-eap-tls-write", "failed to allocate new connection");
+
+	/* Connection setting */
+	s_con = (NMSettingConnection *) nm_setting_connection_new ();
+	ASSERT (s_con != NULL,
+	        "wifi-wpa-eap-tls-write", "failed to allocate new %s setting",
+	        NM_SETTING_CONNECTION_SETTING_NAME);
+	nm_connection_add_setting (connection, NM_SETTING (s_con));
+
+	uuid = nm_utils_uuid_generate ();
+	g_object_set (s_con,
+	              NM_SETTING_CONNECTION_ID, "Test Write Wifi WPA EAP-TLS",
+	              NM_SETTING_CONNECTION_UUID, uuid,
+	              NM_SETTING_CONNECTION_AUTOCONNECT, TRUE,
+	              NM_SETTING_CONNECTION_TYPE, NM_SETTING_WIRELESS_SETTING_NAME,
+	              NULL);
+	g_free (uuid);
+
+	/* Wifi setting */
+	s_wifi = (NMSettingWireless *) nm_setting_wireless_new ();
+	ASSERT (s_wifi != NULL,
+	        "wifi-wpa-eap-tls-write", "failed to allocate new %s setting",
+	        NM_SETTING_WIRELESS_SETTING_NAME);
+	nm_connection_add_setting (connection, NM_SETTING (s_wifi));
+
+	ssid = g_byte_array_sized_new (strlen (ssid_data));
+	g_byte_array_append (ssid, (const unsigned char *) ssid_data, strlen (ssid_data));
+
+	g_object_set (s_wifi,
+	              NM_SETTING_WIRELESS_SSID, ssid,
+	              NM_SETTING_WIRELESS_MODE, "infrastructure",
+	              NM_SETTING_WIRELESS_SEC, NM_SETTING_WIRELESS_SECURITY_SETTING_NAME,
+	              NULL);
+
+	g_byte_array_free (ssid, TRUE);
+
+	/* Wireless security setting */
+	s_wsec = (NMSettingWirelessSecurity *) nm_setting_wireless_security_new ();
+	ASSERT (s_wsec != NULL,
+	        "wifi-wpa-eap-tls-write", "failed to allocate new %s setting",
+	        NM_SETTING_WIRELESS_SECURITY_SETTING_NAME);
+	nm_connection_add_setting (connection, NM_SETTING (s_wsec));
+
+	g_object_set (s_wsec, NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "wpa-eap", NULL);
+	nm_setting_wireless_security_add_proto (s_wsec, "wpa");
+	nm_setting_wireless_security_add_pairwise (s_wsec, "tkip");
+	nm_setting_wireless_security_add_group (s_wsec, "tkip");
+
+	/* Wireless security setting */
+	s_8021x = (NMSetting8021x *) nm_setting_802_1x_new ();
+	ASSERT (s_8021x != NULL,
+	        "wifi-wpa-eap-tls-write", "failed to allocate new %s setting",
+	        NM_SETTING_802_1X_SETTING_NAME);
+	nm_connection_add_setting (connection, NM_SETTING (s_8021x));
+
+	g_object_set (s_8021x, NM_SETTING_802_1X_IDENTITY, "Bill Smith", NULL);
+
+	nm_setting_802_1x_add_eap_method (s_8021x, "tls");
+
+	success = nm_setting_802_1x_set_ca_cert_from_file (s_8021x,
+	                                                   TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT,
+	                                                   NULL,
+	                                                   &error);
+	ASSERT (success == TRUE,
+	        "wifi-wpa-eap-tls-write", "failed to set CA certificate '%s': %s",
+	        TEST_IFCFG_WIFI_WPA_EAP_TLS_CA_CERT, error->message);
+
+	success = nm_setting_802_1x_set_client_cert_from_file (s_8021x,
+	                                                       TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT,
+	                                                       NULL,
+	                                                       &error);
+	ASSERT (success == TRUE,
+	        "wifi-wpa-eap-tls-write", "failed to set client certificate '%s': %s",
+	        TEST_IFCFG_WIFI_WPA_EAP_TLS_CLIENT_CERT, error->message);
+
+	success = nm_setting_802_1x_set_private_key_from_file (s_8021x,
+	                                                       TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY,
+	                                                       "test1",
+	                                                       NULL,
+	                                                       &error);
+	ASSERT (success == TRUE,
+	        "wifi-wpa-eap-tls-write", "failed to set private key '%s': %s",
+	        TEST_IFCFG_WIFI_WPA_EAP_TLS_PRIVATE_KEY, error->message);
+
+	/* IP4 setting */
+	s_ip4 = (NMSettingIP4Config *) nm_setting_ip4_config_new ();
+	ASSERT (s_ip4 != NULL,
+			"wifi-wpa-eap-tls-write", "failed to allocate new %s setting",
+			NM_SETTING_IP4_CONFIG_SETTING_NAME);
+	nm_connection_add_setting (connection, NM_SETTING (s_ip4));
+
+	g_object_set (s_ip4, NM_SETTING_IP4_CONFIG_METHOD, NM_SETTING_IP4_CONFIG_METHOD_AUTO, NULL);
+
+	ASSERT (nm_connection_verify (connection, &error) == TRUE,
+	        "wifi-wpa-eap-tls-write", "failed to verify connection: %s",
+	        (error && error->message) ? error->message : "(unknown)");
+
+	/* Save the ifcfg */
+	success = writer_new_connection (connection,
+	                                 TEST_DIR "/network-scripts/",
+	                                 &testfile,
+	                                 &error);
+	ASSERT (success == TRUE,
+	        "wifi-wpa-eap-tls-write", "failed to write connection to disk: %s",
+	        (error && error->message) ? error->message : "(unknown)");
+
+	ASSERT (testfile != NULL,
+	        "wifi-wpa-eap-tls-write", "didn't get ifcfg file path back after writing connection");
+
+	/* re-read the connection for comparison */
+	reread = connection_from_file (testfile,
+	                               NULL,
+	                               TYPE_WIRELESS,
+	                               &unmanaged,
+	                               &keyfile,
+	                               &error,
+	                               &ignore_error);
+	unlink (testfile);
+
+	ASSERT (keyfile != NULL,
+	        "wifi-wpa-eap-tls-write-reread", "expected keyfile for '%s'", testfile);
+	unlink (keyfile);
+
+	ASSERT (reread != NULL,
+	        "wifi-wpa-eap-tls-write-reread", "failed to read %s: %s", testfile, error->message);
+
+	ASSERT (nm_connection_verify (reread, &error),
+	        "wifi-wpa-eap-tls-write-reread-verify", "failed to verify %s: %s", testfile, error->message);
+
+	ASSERT (nm_connection_compare (connection, reread, NM_SETTING_COMPARE_FLAG_EXACT) == TRUE,
+	        "wifi-wpa-eap-tls-write", "written and re-read connection weren't the same.");
+
+	g_free (testfile);
+	g_object_unref (connection);
+	g_object_unref (reread);
+}
+
 #define TEST_IFCFG_WIFI_OPEN_SSID_BAD_HEX TEST_DIR"/network-scripts/ifcfg-test-wifi-open-ssid-bad-hex"
 #define TEST_IFCFG_WIFI_OPEN_SSID_LONG_QUOTED TEST_DIR"/network-scripts/ifcfg-test-wifi-open-ssid-long-quoted"
 #define TEST_IFCFG_WIFI_OPEN_SSID_LONG_HEX TEST_DIR"/network-scripts/ifcfg-test-wifi-open-ssid-long-hex"
@@ -4167,6 +4342,7 @@ int main (int argc, char **argv)
 	test_write_wifi_wpa_psk ("Test Write Wifi WPA2 PSK", "wifi-wpa2-psk-write", FALSE, FALSE, TRUE);
 	test_write_wifi_wpa_psk ("Test Write Wifi WPA WPA2 PSK", "wifi-wpa-wpa2-psk-write", FALSE, TRUE, TRUE);
 	test_write_wifi_wpa_psk ("Test Write Wifi WEP WPA WPA2 PSK", "wifi-wep-wpa-wpa2-psk-write", TRUE, TRUE, TRUE);
+	test_write_wifi_wpa_eap_tls ();

 	basename = g_path_get_basename (argv[0]);
 	fprintf (stdout, "%s: SUCCESS\n", basename);
--- a/system-settings/plugins/ifcfg-rh/utils.c
+++ b/system-settings/plugins/ifcfg-rh/utils.c
@@ -38,14 +38,17 @@ char *
 utils_bin2hexstr (const char *bytes, int len, int final_len)
 {
 	static char hex_digits[] = "0123456789abcdef";
-	char *		result;
+	char *result;
 	int i;
+	gsize buflen = (len * 2) + 1;

 	g_return_val_if_fail (bytes != NULL, NULL);
 	g_return_val_if_fail (len > 0, NULL);
-	g_return_val_if_fail (len < 256, NULL);	/* Arbitrary limit */
+	g_return_val_if_fail (len < 4096, NULL);   /* Arbitrary limit */
+	if (final_len > -1)
+		g_return_val_if_fail (final_len < buflen, NULL);

-	result = g_malloc0 (len * 2 + 1);
+	result = g_malloc0 (buflen);
 	for (i = 0; i < len; i++)
 	{
 		result[2*i] = hex_digits[(bytes[i] >> 4) & 0xf];
@@ -54,6 +57,8 @@ utils_bin2hexstr (const char *bytes, int len, int final_len)
 	/* Cut converted key off at the correct length for this cipher type */
 	if (final_len > -1)
 		result[final_len] = '\0';
+	else
+		result[buflen - 1] = '\0';

 	return result;
 }
@@ -123,13 +128,13 @@ utils_hash_byte_array (const GByteArray *data)
 }

 char *
-utils_cert_path (const char *parent, const char *prefix, const char *suffix)
+utils_cert_path (const char *parent, const char *suffix)
 {
 	char *name, *dir, *path;

 	name = utils_get_ifcfg_name (parent);
 	dir = g_path_get_dirname (parent);
-	path = g_strdup_printf ("%s/%s-%s.%s", dir, prefix, name, suffix);
+	path = g_strdup_printf ("%s/%s-%s", dir, name, suffix);
 	g_free (dir);
 	g_free (name);
 	return path;
--- a/system-settings/plugins/ifcfg-rh/utils.h
+++ b/system-settings/plugins/ifcfg-rh/utils.h
@@ -31,7 +31,7 @@ char *utils_hexstr2bin (const char *hex, size_t len);

 char *utils_hash_byte_array (const GByteArray *data);

-char *utils_cert_path (const char *parent, const char *prefix, const char *suffix);
+char *utils_cert_path (const char *parent, const char *suffix);

 char *utils_get_ifcfg_name (const char *file);

--- a/system-settings/plugins/ifcfg-rh/writer.c
+++ b/system-settings/plugins/ifcfg-rh/writer.c
@@ -40,6 +40,7 @@
 #include "reader.h"
 #include "writer.h"
 #include "utils.h"
+#include "crypto.h"

 #define PLUGIN_WARN(pname, fmt, args...) \
 	{ g_warning ("   " pname ": " fmt, ##args); }
@@ -142,74 +143,112 @@ out:
 	return success;
 }

+typedef struct ObjectType {
+	const char *setting_key;
+	const char *ifcfg_key;
+	const char *path_tag;
+	const char *hash_tag;
+	const char *suffix;
+} ObjectType;
+
+static const ObjectType ca_type = {
+	NM_SETTING_802_1X_CA_CERT,
+	"IEEE_8021X_CA_CERT",
+	TAG_CA_CERT_PATH,
+	TAG_CA_CERT_HASH,
+	"ca-cert.der"
+};
+
+static const ObjectType client_type = {
+	NM_SETTING_802_1X_CLIENT_CERT,
+	"IEEE_8021X_CLIENT_CERT",
+	TAG_CLIENT_CERT_PATH,
+	TAG_CLIENT_CERT_HASH,
+	"client-cert.der"
+};
+
+static const ObjectType pk_type = {
+	NM_SETTING_802_1X_PRIVATE_KEY,
+	"IEEE_8021X_PRIVATE_KEY",
+	TAG_PRIVATE_KEY_PATH,
+	TAG_PRIVATE_KEY_HASH,
+	"private-key.pem"
+};
+
+static const ObjectType p12_type = {
+	NM_SETTING_802_1X_PRIVATE_KEY,
+	"IEEE_8021X_PRIVATE_KEY",
+	TAG_PRIVATE_KEY_PATH,
+	TAG_PRIVATE_KEY_HASH,
+	"private-key.p12"
+};
+
 static gboolean
-write_cert (NMSetting8021x *s_8021x,
+write_object (NMSetting8021x *s_8021x,
              shvarFile *ifcfg,
-            const char *setting_key,
-            const char *ifcfg_key,
-            const char *path_tag,
-            const char *hash_tag,
-            const char *prefix,
-            gboolean is_pkcs12,
+              const GByteArray *object,
+              const ObjectType *objtype,
              gboolean *wrote,
              GError **error)
 {
 	const char *orig_hash, *orig_file;
 	char *new_hash = NULL, *new_file = NULL;
-	const GByteArray *cert = NULL;
 	gboolean success = FALSE;
 	GError *write_error = NULL;

+	g_return_val_if_fail (objtype != NULL, FALSE);
+	g_return_val_if_fail (ifcfg != NULL, FALSE);
+	g_return_val_if_fail (wrote != NULL, FALSE);
+
 	*wrote = FALSE;

-	g_object_get (G_OBJECT (s_8021x), setting_key, &cert, NULL);
-	if (!cert) {
-		svSetValue (ifcfg, ifcfg_key, NULL, FALSE);
+	if (!object) {
+		svSetValue (ifcfg, objtype->ifcfg_key, NULL, FALSE);
 		return TRUE;
 	}

-	new_hash = utils_hash_byte_array (cert);
+	new_hash = utils_hash_byte_array (object);
 	if (!new_hash) {
 		g_set_error (error, ifcfg_plugin_error_quark (), 0,
-		             "Could not hash certificate data for %s / %s",
-		             NM_SETTING_802_1X_SETTING_NAME, setting_key);
+		             "Could not hash certificate/key data for %s / %s",
+		             NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
 		return FALSE;
 	}

-	orig_hash = g_object_get_data (G_OBJECT (s_8021x), TAG_CA_CERT_HASH);
-	orig_file = g_object_get_data (G_OBJECT (s_8021x), TAG_CA_CERT_PATH);
+	orig_hash = g_object_get_data (G_OBJECT (s_8021x), objtype->hash_tag);
+	orig_file = g_object_get_data (G_OBJECT (s_8021x), objtype->path_tag);

 	if (!orig_hash || !orig_file || strcmp (new_hash, orig_hash)) {
 		/* if the cert data has changed, or there wasn't a cert
 		 * originally, write data out to the standard file.
 		 */
-		new_file = utils_cert_path (ifcfg->fileName, prefix, is_pkcs12 ? "p12" : "der");
+		new_file = utils_cert_path (ifcfg->fileName, objtype->suffix);
 		if (!new_file) {
 			g_set_error (error, ifcfg_plugin_error_quark (), 0,
 			             "Could not create file path for %s / %s",
-			             NM_SETTING_802_1X_SETTING_NAME, setting_key);
+			             NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key);
 			goto out;
 		}

-		if (!write_secret_file (new_file, (const char *) cert->data, cert->len, &write_error)) {
+		if (!write_secret_file (new_file, (const char *) object->data, object->len, &write_error)) {
 			g_set_error (error, ifcfg_plugin_error_quark (), 0,
-			             "Could not write certificate for %s / %s: %s",
-			             NM_SETTING_802_1X_SETTING_NAME, setting_key,
+			             "Could not write certificate/key for %s / %s: %s",
+			             NM_SETTING_802_1X_SETTING_NAME, objtype->setting_key,
 			             (write_error && write_error->message) ? write_error->message : "(unknown)");
 			g_clear_error (&write_error);
 			goto out;
 		}
 		*wrote = TRUE;

-		svSetValue (ifcfg, ifcfg_key, new_file, FALSE);
-		g_object_set_data_full (G_OBJECT (s_8021x), path_tag, new_file, g_free);
+		svSetValue (ifcfg, objtype->ifcfg_key, new_file, FALSE);
+		g_object_set_data_full (G_OBJECT (s_8021x), objtype->path_tag, new_file, g_free);
 		new_file = NULL; /* g_object_set_data_full() took ownership */

-		g_object_set_data_full (G_OBJECT (s_8021x), hash_tag, new_hash, g_free);
+		g_object_set_data_full (G_OBJECT (s_8021x), objtype->hash_tag, new_hash, g_free);
 		new_hash = NULL; /* g_object_set_data_full() took ownership */
 	} else {
 		/* cert data hasn't changed */
-		svSetValue (ifcfg, ifcfg_key, orig_file, FALSE);
+		svSetValue (ifcfg, objtype->ifcfg_key, orig_file, FALSE);
 	}
 	success = TRUE;

@@ -230,6 +269,10 @@ write_8021x_setting (NMConnection *connection,
 	char *tmp = NULL;
 	gboolean success = FALSE, is_pkcs12 = FALSE, wrote;
 	GString *phase2_auth;
+	const GByteArray *data;
+	GByteArray *enc_key = NULL;
+	const char *password = NULL;
+	char *generated_pw = NULL;

 	s_8021x = (NMSetting8021x *) nm_connection_get_setting (connection, NM_TYPE_SETTING_802_1X);
 	if (!s_8021x) {
@@ -295,19 +338,16 @@ write_8021x_setting (NMConnection *connection,
 		g_free (tmp);
 	}

-	if (phase2_auth->len)
-		svSetValue (ifcfg, "IEEE_8021X_INNER_AUTH_METHODS", phase2_auth->str, FALSE);
+	svSetValue (ifcfg, "IEEE_8021X_INNER_AUTH_METHODS",
+	            phase2_auth->len ? phase2_auth->str : NULL,
+	            FALSE);
+
 	g_string_free (phase2_auth, TRUE);

 	/* CA certificate */
-	if (!write_cert (s_8021x, ifcfg,
-	                 NM_SETTING_802_1X_CA_CERT,
-	                 "IEEE_8021X_CA_CERT",
-	                 TAG_CA_CERT_PATH,
-	                 TAG_CA_CERT_HASH,
-	                 "ca-cert",
-	                 FALSE, &wrote,
-	                 error))
+	data = NULL;
+	g_object_get (G_OBJECT (s_8021x), NM_SETTING_802_1X_CA_CERT, &data, NULL);
+	if (!write_object (s_8021x, ifcfg, data, &ca_type, &wrote, error))
 		goto out;

 	/* Private key */
@@ -315,40 +355,64 @@ write_8021x_setting (NMConnection *connection,
 		if (nm_setting_802_1x_get_private_key_type (s_8021x) == NM_SETTING_802_1X_CK_TYPE_PKCS12)
 			is_pkcs12 = TRUE;
 	}
-	if (!write_cert (s_8021x, ifcfg,
-	                 NM_SETTING_802_1X_PRIVATE_KEY,
-	                 "IEEE_8021X_PRIVATE_KEY",
-	                 TAG_PRIVATE_KEY_PATH,
-	                 TAG_PRIVATE_KEY_HASH,
-	                 "private-key",
-	                 is_pkcs12, &wrote,
+
+	data = NULL;
+	g_object_get (G_OBJECT (s_8021x), NM_SETTING_802_1X_PRIVATE_KEY, &data, NULL);
+
+	password = nm_setting_802_1x_get_private_key_password (s_8021x);
+	if (data && !is_pkcs12) {
+		GByteArray *array;
+
+		if (!password) {
+			/* Create a random private key */
+			array = crypto_random (32, error);
+			if (!array)
+				goto out;
+
+			password = generated_pw = utils_bin2hexstr ((const char *) array->data, array->len, -1);
+			memset (array->data, 0, array->len);
+			g_byte_array_free (array, TRUE);
+		}
+
+		/* Re-encrypt the private key if it's not PKCS#12 (which never decrypted by NM) */
+		enc_key = crypto_key_to_pem (data, password, error);
+		if (!enc_key)
+			goto out;
+	}
+
+	if (!write_object (s_8021x,
+	                   ifcfg,
+	                   enc_key ? enc_key : data,
+	                   is_pkcs12 ? &p12_type : &pk_type,
+	                   &wrote,
 	                   error))
 		goto out;

-	if (is_pkcs12) {
-		svSetValue (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD",
-		            nm_setting_802_1x_get_private_key_password (s_8021x), FALSE);
-	} else {
-		/* Clear the private key password for non-pkcs12 private keys that
-		 * we just wrote out, since it will be unencrypted.
-		 */
-		if (wrote)
-			svSetValue (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", NULL, FALSE);
+	/* Private key password */
+	set_secret (ifcfg, "IEEE_8021X_PRIVATE_KEY_PASSWORD", password);
+
+	if (enc_key) {
+		memset (enc_key->data, 0, enc_key->len);
+		g_byte_array_free (enc_key, TRUE);
+	}

 	/* Client certificate */
-		if (!write_cert (s_8021x, ifcfg,
-		                 NM_SETTING_802_1X_CA_CERT,
-		                 "IEEE_8021X_CA_CERT",
-		                 TAG_CA_CERT_PATH,
-		                 TAG_CA_CERT_HASH,
-		                 "ca-cert",
-		                 FALSE, &wrote,
-		                 error))
+	if (is_pkcs12)
+		svSetValue (ifcfg, "IEEE_8021X_CLIENT_CERT", NULL, FALSE);
+	else {
+		data = NULL;
+		g_object_get (G_OBJECT (s_8021x), NM_SETTING_802_1X_CLIENT_CERT, &data, NULL);
+		if (!write_object (s_8021x, ifcfg, data, &client_type, &wrote, error))
 			goto out;
 	}
 	success = TRUE;

 out:
+	if (generated_pw) {
+		memset (generated_pw, 0, strlen (generated_pw));
+		g_free (generated_pw);
+	}
+
 	return success;
 }