[PATCH] enhanced smartcard support
Thu May 1 09:45:11 PDT 2008
On Fri, 2008-05-02 at 01:36 +0900, David Smith wrote:
> Hi all,
> I've attached three patches to extend the existing smartcard support to handle
> client certificates and CA certificates as well as EAP-TLS phase2 auth. I've
> added the following ssid configuration variables to wpasupplicant for this:
> cert_id, ca_cert_id, key2_id, cert2_id, and ca_cert2_id
Quick question; are these paths to certificate files, or some other
token? In many cases we don't want wpa_supplicant reading all around
the disk because it's a lot harder to confine the supplicant with things
like SELinux if it just gets passed filenames. That's one of the
reasons why NetworkManager passes the actual binary data of the
certificate to the supplicant instead of passing a path.
> I'm looking for people to help test this. At the current time, it relies on
> the LOAD_CERT_CTRL extension provided by the PKCS#11 OpenSSL engine from the
> OpenSC project. If any other OpenSSL engines support a similar extension,
> inform me and I'll support for them. But since the PKCS#11 engine is probably
> by far the most used one with wpasupplicant, I think this is a good start.
> Again, this code should definitely be tested more before it is ready for
> merging but please give it a read and a try.
More information about the Hostap