Smartcards and wpa_supplicant

Jouni Malinen jkmaline at
Sun Feb 27 22:31:21 EST 2005

On Tue, Jan 25, 2005 at 11:11:32AM +0100, Gordon Hecker wrote:

> First a short summary to get it all back to your mind:
> The patch implements smartcard support for EAP-TLS in wpa_supplicant
> using the Openssl Engine interface with the engines provided by the
> Opensc project. So at least in theory every smartcard supported by
> Opensc should be usable. I'm using a Cryptoflex Egate USB Token.

Unfortunately, OpenSC does not seem to support PKCS#15 initialization
for SetCOS and I happen to only have SetCOS cards. One of the cards is
actually already initialized, but of course I don't remember the PIN for
it.. ;-) (nor do I have a private key that I could use in the
authentication server).

In other words, I don't currently have suitable hardware for testing the
wpa_supplicant changes. I can try to find a source for supported cards
at some point, but that may take some time. If you happen to know one,
please let me know. I can also try to see if I could initialize the card
with another tool since it is only the initialization part that is
missing from OpenSC.

> As I said, it would be great if you could integrate the code in one of
> the next wpa_supplicant releases.

I can start merging changes into wpa_supplicant. PIN through wpa_cli is
a good starting point, since it is needed for EAP-SIM/AKA, too. The rest
of the changes should be doable, but like I said, I won't be able to test
them completely.

A couple of changes need to be made to the patch, though, before it can
be merged in. I went through the changes and here's a list of comments:


- must not include wpa_supplicant_i.h into this file
  (wpa_supplicant_i.h is internal header file for wpa_supplicant and
  eap.c is generic code that can be used without wpa_supplicant)
- in other words, eap.c cannot read wpa_s->conf (which btw, must not be
  sent to tls_engine_load_engines() either)
- needed parameters have to be passed through eapol_sm -> eap if they
  are really needed in eap.c; I would consider doing this outside eap
  and eapol_sm (e.g., in wpa_supplicant.c at the moment; maybe moved
  somewhere else at some point) based on the configuration


- must not include config.h
- must not use struct wpa_ssid or struct wpa_config
  (i.e., need to get just the needed parameters as arguments to the


+ * tls_engine_load_dynamic_generic - 
+ * This function is a generic function that loads any openssl engine.
+ * It's code is based upon an example found in the engine(3) manpage
+ * from openssl
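
Review bot: the first comment line ends at "tls_engine_load_dynamic_generic -" with no summary after the dash; put the one-line description there rather than starting it on the following line. "It's code" on the third line should read "Its code".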

What license is used for that code? OpenSSL license is not compatible
with the license used in wpa_supplicant as far as including code from
OpenSSL to wpa_supplicant is concerned.

+static void tls_engine_load_dynamic_pkcs11(char *pkcs11_so_path, 
+				    char *pkcs11_module_path)
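
Review bot: both path arguments of tls_engine_load_dynamic_pkcs11() are declared as plain char *; if the function only reads the paths, declare them const char * so callers can pass configuration strings without casts and the compiler flags accidental writes.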

+		//"NO_VCHECK", "1",

Should that line be removed? If not, at least the commenting should be
changed to use /* ... */ style.

Jouni Malinen                                            PGP id EFC895FA
