Integrating the TPM into wpa_supplicant

Jouni Malinen j
Fri Jan 18 20:13:11 PST 2008

On Fri, Jan 18, 2008 at 02:06:45PM +0100, Carolin Latze wrote:

> I had a look at the smart card integration into wpa_supplicant and saw
> that the smart card is only used to store the private key. The
> wpa_supplicant just copies the private key from the smart card into its
> own memory and works as always.

That's not accurate. OpenSSL engine can be used to perform private key
operations with wpa_supplicant having to ever see the key. Likewise,
tls_openssl.c has support for using Windows CryptoAPI for RSA private
key operations; again, without copying the private key.

I would assume you could follow either of these options: enhance OpenSSL
engine to handle the private kehy operations with TPM or implement
TPM-specific RSA operations in tls_openssl.c (see the CryptoAPI example
there; e.g., tls_cryptoapi_cert() registers the specific RSA operations
to get OpenSSL to call CryptoAPI wrappers in tls_openssl.c for RSA

> I had a look at the source code and think, that I have to extend the
> tls_openssl.c. Is that right? I see, that this file is also responsible
> for the communication with the smart card, so it seems a good place for
> the TPM.

If you are going to be using OpenSSL, yes, that would likely be a good
location for modifications.

> Are there more smart card related things in the code? (Yes, I know, in
> the config file, but are there more?) I mean, is it sufficient to modify
> tls_openssl.c?

As far as EAP-TLS is concerned, smartcard access is mostly contained in
tls_*.c, i.e., in case of OpenSSL, in tls_openssl.c.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list