Does WPA support multiple CA certs using blob?

Dan Williams dcbw
Fri May 1 08:32:42 PDT 2009


On Fri, 2009-05-01 at 11:13 -0400, TianHong Zhao wrote:
> Hi,
> 
>  
> 
> I have a requirement that needs multiple CA certs to be saved in the
> flash as blob(s).

No, because OpenSSL doesn't support this format, because the format is
binary ASN.1 encoding.  However, you may be able to use multiple CA
certificates in a PKCS#12 file that you dump into a blob, since PKCS#12
is more of a container format.  Not sure.  You'll want to use the
ca_path configuration option, and give it a path to the PEM-encoded
multi-CA file on your filesystem instead.

> Does WPA?s core ((source files under ~/src in wpa 0.6.8) support this
> mode? I know the config file does not support this, 
> 
> but this is not a problem for me since I only use the core as a
> library.

Its more of a problem with OpenSSL and calls like
X509_STORE_load_locations(), which don't accept multiple CA certs.  I
don't actually know if the API of OpenSSL would support manually adding
CA certs to the X509_STORE object, but it might.

On the wpa_supplicant size, it might be possible to extend the config
format to allow multiple "ca_cert" and "phase2_ca_cert" lines, each one
getting added to the final OpenSSL verification store or something like
that.

The core problem is that there's no way to sensibly store PEM-encoded CA
certificate lists (which are really unique to OpenSSL) inside the
wpa_supplicant config file; stuffing the entire PEM file into the
supplicant config file seems pretty icky.

Dan

> If not, can you provide some guidelines about how to make the change
> in the core to support this mode?
> 
>  
> 
> Regards
> 
>  
> 
> Tianhong
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> 
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap




More information about the Hostap mailing list