[Fwd: Re: [PATCH] enhanced smartcard support]
Carolin Latze
carolin.latze
Sun Jun 1 10:01:54 PDT 2008
Hi Jouni,
my patches are too big for the listserver. You can download them at:
http://diuf.unifr.ch/people/latzec/patches/
Regards
Carolin
-------- Original Message --------
Subject: Re: [PATCH] enhanced smartcard support
Date: Fri, 30 May 2008 17:06:56 +0200
From: Carolin Latze <carolin.latze at unifr.ch>
To: hostap at lists.shmoo.com
References: <200805020136.09480.dds at google.com>
<20080521072939.GH12378 at jm.kir.nu>
<87d4ng59cj.fsf at piyo.tok.corp.google.com>
<20080523084728.GA5575 at jm.kir.nu> <483685E7.4010501 at unifr.ch>
<20080523162259.GB4932 at jm.kir.nu>
Hi Jouni,
I'm sorry I didn't have time to apply my patch on the newest version.
When I started my project, version 0.5.9 was the newest, so that is the
newest patch I am able to provide at the moment. I will work on a newer
version when I find the time...
First of all you need TrouSerS in order to access your TPM, but I think
you already installed it.
In order to use my version, you have to install the openssl-tpm-engine
(http://sourceforge.net/project/showfiles.php?group_id=126012). I also
provide a patch for that engine, since I wanted to access the keys in
another way: engine.patch
Afterwards, patch wpa_supplicant-0.5.9: tpm.patch
You will get one new config file option: tpm_engine_path. That has to be the
location of the openssl tpm engine (libtpm).
Afterwards, create a config file as follows:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
ap_scan=1
fast_reauth=1
tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so
network={
    ssid="something"
    scan_ssid=0
    mode=0
    proto=WPA
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=TLS
    identity="IDENTITY"
    ca_cert="PATH_TO_CA_CERT"
    client_cert="PATH_TO_CLIENT_CERT"
    engine=1
    engine_id="tpm"
    key_id="UUID"
    pin="OWNER-PW"
}
The certificates are the certificates you loaded onto the TPM. In order
to use them, you have to register them in the persistent storage, which
means that they get a so-called UUID. My UUID is a bit special: it
consists of only zeros with a different last byte, and the last byte has
to be between 4 and 9! I implemented it only for experimental use at the
moment, but that will change in the near future! As I knew that I use
zeros in the first bytes, key_id only expects the last byte! Here is my
example:
network={
    ssid="SOMETHING"
    scan_ssid=0
    mode=0
    proto=WPA
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=TLS
    identity="10.1.1.5"
    ca_cert="/home/latze/cert/cacert.pem"
    client_cert="/home/latze/impl/basisk-eap.pem"
    engine=1
    engine_id="tpm"
    key_id="5"
    pin="OWNER"
}
Do you have an idea about what I am doing? I hope the patches are ok,
they worked for me. But this is the first time I created real patches,
so I wouldn't be surprised if something went wrong.
Regards
Carolin
Jouni Malinen wrote:
> On Fri, May 23, 2008 at 10:52:55AM +0200, Carolin Latze wrote:
>
>
>> I am still subscribed to this list, but did not really follow it. I just
>> read something about how to create the TPM into wpa_supplicant and I
>> have to say that I got it working. I cannot provide a patch till now,
>> but will prepare one if you are interested in it. I am able to store
>> X.509 certificates in the TPM and access the TPM during EAP-TLS
>> authentication. I used the OpenSSL TPM engine in order to implement that
>> feature.
>>
>
> If your changes do something else than the patches from David, I would
> be interested in seeing them. I applied David's patches and they allow
> PKCS#11 engine to be used with opencryptoki module to access the
> certificates and private key from TPM.
>
>
--
Carolin Latze
Research Assistant
Department of Computer Science
Boulevard de Pérolles 90
CH-1700 Fribourg
phone: +41 26 300 83 30
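As an added example that is not part of Carolin's patches or of wpa_supplicant itself, the check below parses a config in the shape shown in the mail and verifies the constraints the mail states for the TPM engine block: tpm_engine_path is set, engine=1 goes together with engine_id="tpm", key_id is the single last UUID byte in the range 4 to 9, and a pin is present. The function names, the sample config and the 15-zero-bytes-plus-last-byte UUID layout are assumptions drawn from the description in the mail.

```python
# Constructed sample in the shape of the mail's example config, not a real deployment.
SAMPLE_CONF = """\
tpm_engine_path=/usr/local/lib/openssl/engines/libtpm.so
network={
    engine=1
    engine_id="tpm"
    key_id="5"
    pin="OWNER"
}
"""

def parse_conf(text):
    """Parse key=value lines plus one network={...} block (subset of wpa_supplicant syntax)."""
    top, net, in_net = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            in_net = True
        elif line == "}":
            in_net = False
        else:
            key, _, value = line.partition("=")
            (net if in_net else top)[key.strip()] = value.strip().strip('"')
    return top, net

def tss_uuid_from_key_id(key_id):
    """Expand key_id into the 16-byte UUID as the mail describes it: zeros, then one last byte (4..9).
    The byte layout is an assumption based on that description."""
    if (key_id or "") not in tuple("456789"):
        raise ValueError("key_id must be a single digit from 4 to 9 for this patch")
    return bytes(15) + bytes([int(key_id)])

def check_tpm_engine(text):
    """Return a list of problems; an empty list means the TPM engine settings are consistent."""
    top, net = parse_conf(text)
    problems = []
    if "tpm_engine_path" not in top:
        problems.append("tpm_engine_path (location of libtpm.so) is missing")
    if net.get("engine") == "1":  # only then do the engine_id/key_id/pin settings matter
        if net.get("engine_id") != "tpm":
            problems.append('engine=1 requires engine_id="tpm"')
        try:
            tss_uuid_from_key_id(net.get("key_id"))
        except ValueError as err:
            problems.append(str(err))
        if not net.get("pin"):
            problems.append("pin (the TPM owner password) is missing")
    return problems
```

Because the pin in this setup is the TPM owner password stored in clear text, the config file holding it deserves the same file permissions as a private key.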