Does WPA support multiple CA certs using blob?
Dan Williams
dcbw
Fri May 1 08:32:42 PDT 2009
On Fri, 2009-05-01 at 11:13 -0400, TianHong Zhao wrote:
> Hi,
>
>
>
> I have a requirement that needs multiple CA certs to be saved in the
> flash as blob(s).
No, because OpenSSL doesn't support this format, because the format is
binary ASN.1 encoding. However, you may be able to use multiple CA
certificates in a PKCS#12 file that you dump into a blob, since PKCS#12
is more of a container format. Not sure. You'll want to use the
ca_path configuration option, and give it a path to the PEM-encoded
multi-CA file on your filesystem instead.
> Does WPA's core (source files under ~/src in wpa 0.6.8) support this
> mode? I know the config file does not support this,
>
> but this is not a problem for me since I only use the core as a
> library.
It's more of a problem with OpenSSL and calls like
X509_STORE_load_locations(), which don't accept multiple CA certs. I
don't actually know if the API of OpenSSL would support manually adding
CA certs to the X509_STORE object, but it might.
On the wpa_supplicant side, it might be possible to extend the config
format to allow multiple "ca_cert" and "phase2_ca_cert" lines, each one
getting added to the final OpenSSL verification store or something like
that.
The core problem is that there's no way to sensibly store PEM-encoded CA
certificate lists (which are really unique to OpenSSL) inside the
wpa_supplicant config file; stuffing the entire PEM file into the
supplicant config file seems pretty icky.
Dan
> If not, can you provide some guidelines about how to make the change
> in the core to support this mode?
>
>
>
> Regards
>
>
>
> Tianhong
>
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
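Added example, not part of the original message and not wpa_supplicant or OpenSSL code: one way to carry several CA certificates in a single binary blob is to store their DER encodings back to back (an assumed layout) and split the blob on the outer ASN.1 SEQUENCE headers. The helper names `der_element_len` and `split_der_blob` are hypothetical; each resulting span could then be decoded with OpenSSL's `d2i_X509()` and added to the verification store with `X509_STORE_add_cert()`.

```c
#include <stddef.h>
#include <stdio.h>

struct der_span { size_t off, len; };

/* Hypothetical helper: total length (header + content) of the DER
 * SEQUENCE starting at buf[0], or 0 if it is malformed or truncated. */
static size_t der_element_len(const unsigned char *buf, size_t avail)
{
    size_t hdr = 2, content = 0;

    if (avail < 2 || buf[0] != 0x30)   /* a certificate is a SEQUENCE */
        return 0;
    if (buf[1] < 0x80) {               /* short form: length in one octet */
        content = buf[1];
    } else {                           /* long form: n length octets follow */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n)
            return 0;                  /* indefinite or oversized length */
        for (size_t i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        hdr += n;
    }
    return content > avail - hdr ? 0 : hdr + content;
}

/* Split a blob of concatenated DER certificates into at most max spans.
 * Returns the number of spans, or -1 on malformed input or overflow of out. */
int split_der_blob(const unsigned char *blob, size_t len,
                   struct der_span *out, int max)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        size_t el = der_element_len(blob + off, len - off);
        if (el == 0 || n == max)
            return -1;                 /* reject the whole blob, trust nothing */
        out[n].off = off;
        out[n].len = el;
        n++;
        off += el;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: two tiny SEQUENCEs standing in for certificates. */
    unsigned char blob[] = {0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x00};
    struct der_span s[4];
    printf("%d elements\n", split_der_blob(blob, sizeof(blob), s, 4));
    return 0;
}
```

The splitter only checks the outer framing; whether each span is a well-formed certificate is left to the decoder that consumes it.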