[Fwd: Re: [PATCH] enhanced smartcard support]

Carolin Latze carolin.latze at unifr.ch
Sun Jun 1 13:01:54 EDT 2008


Hi Jouni,

my patches are too big for the listserver. You can download them at:

http://diuf.unifr.ch/people/latzec/patches/

Regards
Carolin

-------- Original Message --------
Subject: 	Re: [PATCH] enhanced smartcard support
Date: 	Fri, 30 May 2008 17:06:56 +0200
From: 	Carolin Latze <carolin.latze at unifr.ch>
To: 	hostap at lists.shmoo.com
References: 	<200805020136.09480.dds at google.com> 
<20080521072939.GH12378 at jm.kir.nu> 
<87d4ng59cj.fsf at piyo.tok.corp.google.com> 
<20080523084728.GA5575 at jm.kir.nu> <483685E7.4010501 at unifr.ch> 
<20080523162259.GB4932 at jm.kir.nu>



Hi Jouni,

I'm sorry I didn't have time to apply my patch to the newest version. 
When I started my project, version 0.5.9 was the newest, so that is the 
newest patch I am able to provide at the moment. I will work on a newer 
version when I find the time...

First of all you need trousers in order to access your TPM, but I think 
you already installed it.

In order to use my version, you have to install the openssl-tpm-engine 
(http://sourceforge.net/project/showfiles.php?group_id=126012). I also 
provide a patch for that engine, since I wanted to access the keys in 
another way: engine.patch

Afterwards, patch wpa_supplicant-0.5.9: tpm.patch

You will find one new config file option: tpm_engine_path. That has to be 
the location of the openssl tpm engine (libtpm).

Afterwards, create a config file as follows:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=1
fast_reauth=1
tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so
network={
    ssid="something"
    scan_ssid=0
    mode=0
    proto=WPA
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=TLS
    identity="IDENTITY"
    ca_cert="PATH_TO_CA_CERT"
    client_cert="PATH_TO_CLIENT_CERT"
    engine=1
    engine_id="tpm"
    key_id="UUID"
    pin="OWNER-PW"
}

The certificates are the certificates you loaded onto the TPM. In order 
to use them, you have to register them in the persistent storage, which 
means that they get a so-called UUID. My UUID is a bit special: it 
consists of only zeros with a different last byte, and the last byte has 
to be between 4 and 9! I implemented it only for experimental use at the 
moment, but that will change in the near future! As I knew that I use 
zeros in the first bytes, key_id only expects the last byte! Here is my 
example:

network={
        ssid="SOMETHING"
        scan_ssid=0
        mode=0
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        group=TKIP
        eap=TLS
        identity="10.1.1.5"

        ca_cert="/home/latze/cert/cacert.pem"
        client_cert="/home/latze/impl/basisk-eap.pem"
        engine=1
        engine_id="tpm"
        key_id="5"
        pin="OWNER"
}

Do you have an idea about what I am doing? I hope the patches are ok, 
they worked for me. But this is the first time I created real patches, 
so I wouldn't be surprised if something went wrong.

Regards
Carolin

Jouni Malinen wrote:
> On Fri, May 23, 2008 at 10:52:55AM +0200, Carolin Latze wrote:
>
>
>> I am still subscribed to this list, but did not really follow it. I just 
>> read something about how to create the TPM into wpa_supplicant and I 
>> have to say that I got it working. I cannot provide a patch till now, 
>> but will prepare one if you are interested in it. I am able to store 
>> X.509 certificates in the TPM and access the TPM during EAP-TLS 
>> authentication. I used the OpenSSL TPM engine in order to implement that 
>> feature.
>>
>
> If your changes do something else than the patches from David, I would
> be interested in seeing them. I applied David's patches and they allow
> PKCS#11 engine to be used with opencryptoki module to access the
> certificates and private key from TPM.
>
>

-- 
Carolin Latze
Research Assistant

Department of Computer Science
Boulevard de Pérolles 90
CH-1700 Fribourg

phone: +41 26 300 83 30
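As an added example (not part of the original mail, and neither Carolin's patch nor wpa_supplicant code), a small Python linter for the kind of network block shown above. It parses a wpa_supplicant.conf fragment, checks the fields the mail names (engine=1, engine_id="tpm", a global tpm_engine_path, ca_cert/client_cert, pin, and a key_id that is the last byte of an all-zero UUID and lies in 4..9), and adds one check the mail does not mention: pin= is the TPM owner password in clear text, so the file must not be group- or world-readable. The dashed UUID string rendering, the inclusive 4..9 range, and the sample configuration are assumptions.

```python
"""Lint the TPM-engine fields of a wpa_supplicant.conf network block.

Added example, not Carolin Latze's patch or wpa_supplicant code. It encodes
what the mail states: engine=1, engine_id="tpm", a global tpm_engine_path,
and a key_id that is the last byte of an all-zero TSS UUID, 4..9 (assumed
inclusive). The file-mode check is the editor's addition: pin= holds the
TPM owner password in clear text.
"""
import os
import re
import stat

# Constructed sample, modelled on the second network block in the mail.
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so
network={
    ssid="SOMETHING"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="10.1.1.5"
    ca_cert="/home/latze/cert/cacert.pem"
    client_cert="/home/latze/impl/basisk-eap.pem"
    engine=1
    engine_id="tpm"
    key_id="5"
    pin="OWNER"
}
"""
_KV = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

def _unquote(value):
    # wpa_supplicant strings are double-quoted; strip exactly one pair.
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def parse_conf(text):
    """Return (globals, [network dicts]); handles key=value lines,
    network={ ... } blocks and whole-line # comments, which is all the
    examples in the mail use."""
    globs, nets, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == 'network={':
            cur = {}
        elif line == '}':
            if cur is None:
                raise ValueError('stray } outside a network block')
            nets.append(cur)
            cur = None
        else:
            m = _KV.match(line)
            if not m:
                raise ValueError('unparsable line: %r' % raw)
            (globs if cur is None else cur)[m.group(1)] = _unquote(m.group(2))
    if cur is not None:
        raise ValueError('unterminated network block')
    return globs, nets

def tpm_key_uuid(key_id):
    """Expand the one-byte key_id into the all-zero UUID it stands for.
    The dashed string rendering is an assumption; the mail gives none."""
    n = int(key_id, 10)
    if not 4 <= n <= 9:
        raise ValueError('must be a single byte in 4..9, got %r' % key_id)
    return '00000000-0000-0000-0000-0000000000%02x' % n

def check_network(net, globs):
    """List the problems in one network block meant to use the TPM engine."""
    problems = []
    if net.get('eap') != 'TLS':
        problems.append('TPM engine is used for EAP-TLS; eap=%r' % net.get('eap'))
    if net.get('engine') != '1':
        problems.append('engine must be 1 to hand private-key use to OpenSSL')
    if net.get('engine_id') != 'tpm':
        problems.append('engine_id must be "tpm" for openssl-tpm-engine')
    if not globs.get('tpm_engine_path'):
        problems.append('global tpm_engine_path (libtpm.so) is missing')
    try:
        tpm_key_uuid(net.get('key_id', ''))
    except ValueError as exc:
        problems.append('key_id: %s' % exc)
    for field in ('ca_cert', 'client_cert', 'pin'):
        if not net.get(field):
            problems.append('%s is missing' % field)
    return problems

def check_conf_file_mode(path):
    """pin= is the TPM owner password; refuse group/world-readable config."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return '%s is mode %o; chmod 600 it, pin= is the TPM owner password' % (path, mode)
    return None

def lint(text):
    """Map each TPM-engine network's ssid to its problems ([] when clean)."""
    globs, nets = parse_conf(text)
    return {net.get('ssid', '?'): check_network(net, globs)
            for net in nets if net.get('engine_id') == 'tpm' or net.get('engine') == '1'}
```

Run `lint(open(path).read())` together with `check_conf_file_mode(path)` before handing the file to wpa_supplicant; the second check matters because a readable wpa_supplicant.conf with this network block leaks the TPM owner password, not just a Wi-Fi credential.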
