[PATCH] enhanced smartcard support

Jouni Malinen
Wed May 21 00:29:39 PDT 2008


On Fri, May 02, 2008 at 01:36:06AM +0900, David Smith wrote:

> I've attached three patches to extend the existing smartcard support to handle 
> client certificates and CA certificates as well as EAP-TLS phase2 auth. I've 
> added the following ssid configuration variables to wpasupplicant for this:
> 
>  cert_id, ca_cert_id, key2_id, cert2_id, and ca_cert2_id

Thanks! This sounds like a useful addition.

> I'm looking for people to help test this. At the current time, it relies on 
> the LOAD_CERT_CTRL extension provided by the PKCS#11 OpenSSL engine from the 
> OpenSC project. If any other OpenSSL engines support a similar extension, 
> inform me and I'll add support for them. But since the PKCS#11 engine is probably 
> by far the most used one with wpasupplicant, I think this is a good start.

> Again, this code should definitely be tested more before it is ready for 
> merging but please give it a read and a try.

Unfortunately, I do not have a working setup for testing this, so I have
only looked at the patches. The last time I looked, the OpenSC and
related tools on Linux did not support PKCS#11 initialization for the
smartcards I have.. Though, that was a long time ago, so it might be a
good time to check again (or just finally get smartcards from a
different vendor)..

How much testing have you done for these changes? Do you think they
would cause problems if the new variables are not set (i.e., break
existing functionality)? If not, I don't see problems in merging these
in now since the changes looked fine based on quick review.

Some minor comments:

0001-Add-support-to-crypto-tls-for-client-cert-and-CA-cer.patch

tls_connection_engine_client_cert():

+       if (tls_engine_get_cert(conn, cert_id, &cert))
+               return -1;
+
+       if (!SSL_use_certificate(conn->ssl, cert)) {
+               tls_show_errors(MSG_ERROR, __func__,
+                               "SSL_use_certificate failed");
+               return -1;
+       }
+       X509_free(cert);
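Review bot: the failure branch of `if (!SSL_use_certificate(conn->ssl, cert))` returns -1 without releasing the certificate obtained from `tls_engine_get_cert()`, so every failed `SSL_use_certificate` call leaks the `X509` object; only the success path reaches `X509_free(cert)`. Add `X509_free(cert);` before the `return -1;` inside that branch (or restructure so the single `X509_free(cert)` runs on both paths and the return value is decided afterwards), and apply the same fix to the parallel code in `tls_connection_engine_ca_cert()`.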


Shouldn't the error case free the cert, too? Same for
tls_connection_engine_ca_cert()..

-- 
Jouni Malinen                                            PGP id EFC895FA
