Smartcards and wpa_supplicant

Gordon Hecker g.hecker at et.bocholt.fh-ge.de
Thu Apr 14 06:30:01 EDT 2005



Jouni Malinen wrote:
> On Wed, Mar 09, 2005 at 05:36:03PM +0100, Gordon Hecker wrote:
> 
>>Jouni Malinen wrote:
>>
>>>Unfortunately, OpenSC does not seem to support PKCS#15 initialization
>>>for SetCOS and I happen to only have SetCOS cards.
> 
> 
> It looks like some initial code for this was actually just added in
> OpenSC, so there's something new for me to test now..
> 
> 
>>I have extracted the PIN-through-wpa_cli related changes and created a
>>diff containing only those.
>>As usual:
>>http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-pin-through-wpa_cli-20050309-2.patch
> 
> 
> Like I mentioned yesterday, this is now in CVS. I added one missed part
> today, i.e., pending PIN requests are now re-sent when a new ctrl_iface
> monitor (e.g., wpa_cli) attaches to wpa_supplicant. This makes it easier
> to notice PIN requests that happen immediately after starting
> wpa_supplicant, i.e., when there are likely no attached frontends to ask
> for the PIN.
A very nice feature!

> 
> 
>>There's no code included that makes EAP-SIM or AKA use that
>>functionality. I don't want to mess around in that code for now.
> 
> 
> This is now implemented, committed to CVS, and even found working in my
> tests. I ended up moving PIN validation from scard_init() into a
> separate function that will be used only when the identity (and IMSI, in
> case of EAP-SIM/AKA) is needed. This ended up getting this code into EAP
> implementation and as such, it works fine with the same function you
> used for requesting a PIN. I did not yet verify, but I wouldn't expect
> these changes to cause problems for your changes related to getting PIN
> for opensc_engine.
> 
> 
>>I'm working through your comments on the other parts. Most of the things
>>are solved, I'll see how I can split the big patch into pieces and
>>resend them as soon as possible.
> 
> 
> Is http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-engine-20050316.patch
> the latest version of the patch or do you have some updates on top of
> that? I'll try to get one of the SetCOS cards initialized for PKCS#15
> and start merging the remaining changes to wpa_supplicant.
>
There's no update yet, but as the old patch no longer applies I did
a simple re-merge. I'll put it into the same directory.

There will also be a split-up version consisting of

wpa_supplicant-config.patch
wpa_supplicant-openssl.patch
(which compile independently of each other)
and
wpa_supplicant-eap-tls.patch
(which depends on the above two)

The code compiles but is untested for now. I'll see if I get some
testing done today. There should be no issues, though.

I might add some functionality to get the certificates from the
smartcard, too, since there was a patch allowing that in opensc cvs
recently. I'll keep you up to date.

Gordon


