Integrating the TPM into wpa_supplicant

Carolin Latze carolin.latze
Fri Jan 18 05:06:45 PST 2008

Hi all,

I plan to use TPM AIK certificates for EAP-TLS authentication. For
those, who are not familiar with the trusted platform modules: AIK
certificates are just normal X509 certificates, which can be obtained by
a TPM from a Privacy CA. This so called Privacy CA is an extended CA,
which means, it is able to handle these special TPM requests. These TPM
AIK certificates may be use like normal certificates. The only
difference is that the TPM will never release the private key, which
means that you have to ask the TPM to executes operations, which use the
private key.

I had a look at the smart card integration into wpa_supplicant and saw
that the smart card is only used to store the private key. The
wpa_supplicant just copies the private key from the smart card into its
own memory and works as always. That will be a bit different with a TPM.
There I have to reimplement certain methods to send commands to the tpm
to verify certain things. I have some technical questions regarding this

I had a look at the source code and think, that I have to extend the
tls_openssl.c. Is that right? I see, that this file is also responsible
for the communication with the smart card, so it seems a good place for
the TPM.

Are there more smart card related things in the code? (Yes, I know, in
the config file, but are there more?) I mean, is it sufficient to modify

Thanks in advance

More information about the Hostap mailing list