Smartcards and wpa_supplicant

Gordon Hecker g.hecker
Tue Oct 12 06:11:05 PDT 2004


Hi,

I'm working on a patch to support smartcards in wpa_supplicant.
The smartcards are integrated via OpenSSL engines.
The engines currently supported are the opensc and pkcs11
engines from the opensc project.

Currently the patch implements the following:

There are some new configuration options shown below.

...
opensc_engine_path=/usr/lib/opensc/engine_opensc.so
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so

network={
     ...
     engine=1
     engine_id="opensc"
     key_id="45"
}

An example configuration file called smartcard.conf is included in
the patch. It includes settings for both engines.

All the engines configured in the global section are loaded when
wpa_supplicant is started.
To use an engine it must additionally be chosen (engine_id="...") and
enabled (engine=1) in the network section. And the key id on the
smartcard must be configured similar to specifying a file for the
private key.

If an engine is used, the smartcard requires a pin code. That pin code is
asked for via the control interface. So running wpa_cli is currently
necessary to provide the smartcard pin.
The command I added to wpa_cli is "scpin <network id> <pin>". It's
similar to the existing password and identity commands.

I tested the patch only with EAP-TLS in combination with wpa2 or dynamic
wep keying.

The patch seems to be too big for the list, so I placed it in 
http://ghe.dyndns.org/patches/wpa_supplicant/wpa_supplicant-engine-20041012.patch

I'm looking forward to your comments and feedback!

Gordon
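
The rules in the message (engines are loaded from the global section, and a network must set engine=1, engine_id and key_id to use one) can be checked before a configuration is deployed. The following is an added example, not code from the patch or from wpa_supplicant; the names parse, check and ENGINE_GLOBALS, the mapping of engine ids to required global options, and the sample configuration are assumptions made for illustration.

```python
import re

# Constructed sample in the format shown in the message (not the patch's smartcard.conf).
SAMPLE_CONF = """\
opensc_engine_path=/usr/lib/opensc/engine_opensc.so
network={
    engine=1
    engine_id="opensc"
    key_id="45"
}
network={
    engine=1
    engine_id="pkcs11"
}
network={
    engine_id="opensc"
}
"""

# Assumption: the global options that must be set for each engine_id to be loaded.
ENGINE_GLOBALS = {"opensc": ["opensc_engine_path"],
                  "pkcs11": ["pkcs11_engine_path", "pkcs11_module_path"]}

def parse(conf):
    """Return (global options, list of network blocks) as dicts of unquoted values."""
    def pairs(text):
        return {k: v.strip().strip('"') for k, v in re.findall(r"^\s*(\w+)=(.*)$", text, re.M)}
    body = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop comment lines
    blocks = re.findall(r"network=\{(.*?)\}", body, re.S)
    return pairs(re.sub(r"network=\{.*?\}", "", body, flags=re.S)), [pairs(b) for b in blocks]

def check(conf):
    """Return (network index, problem) pairs for engine settings that cannot work."""
    globals_, networks = parse(conf)
    problems = []
    for i, net in enumerate(networks):
        eid = net.get("engine_id")
        if net.get("engine") != "1":
            if eid or "key_id" in net:
                problems.append((i, "engine_id/key_id set but engine=1 missing"))
            continue
        missing = [o for o in ENGINE_GLOBALS.get(eid, []) if o not in globals_]
        if eid not in ENGINE_GLOBALS:
            problems.append((i, "engine_id missing or not a supported engine"))
        elif missing:
            problems.append((i, "engine not loaded, global options missing: " + ", ".join(missing)))
        if not net.get("key_id"):
            problems.append((i, "key_id missing"))
    return problems
```

Calling check(SAMPLE_CONF) reports nothing for the first network and flags the second (engine not loaded, no key_id) and the third (engine chosen but not enabled).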




