From: Andreas S. <and...@ca...> - 2016-08-03 15:28:53
Dear Chris,

we've recently integrated a SmartCard-HSM with wpa_supplicant using the
following configuration:

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so

network={
    ssid="hostAP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="User"

    # use OpenSSL PKCS#11 engine for this network
    engine=1
    engine_id="pkcs11"

    # select the private key and certificates based on ID (see pkcs11-tool
    # output above)
    key_id="5:1"
    cert_id="5:1"
    #ca_cert_id="1"

    # set the PIN code; leave this out to configure the PIN to be requested
    # interactively when needed (e.g., via wpa_gui or wpa_cli)
    pin="875971"
}

The AP was running hostapd with a PKI-TLS setup.

I got the configuration from the wpa_supplicant/examples directory in the
source.

To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and
have pcscd installed.

Andreas

On 08/03/2016 04:00 PM, Chris Green wrote:
> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-
>
> root@esprimo# pcsc_scan
> PC/SC device scanner
> V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.14
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
> Tue Aug 2 12:24:58 2016
> Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
> Card state: Card inserted,
> ATR: 3B 16 95 D0 01 6C FD 0D 00
>
> ATR: 3B 16 95 D0 01 6C FD 0D 00
> + TS = 3B --> Direct Convention
> + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
> TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
> 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
> + Historical bytes: D0 01 6C FD 0D 00
> Category indicator byte: D0 (proprietary format)
>
> Possibly identified card (using /root/.cache/smartcard_list.txt):
> NONE
>
> Your card is not present in the database.
> Please submit your unknown card at:
> http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
> network={
> ssid="FreeWifi_secure"
> key_mgmt=WPA-EAP IEEE8021X
> eap=SIM
> pin="1234"
> pcsc=""
> }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>

-- 

    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Registry court: Bad Oeynhausen
                 HRB 14880
                 Managing director: Andreas Schwier
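
Added example, not part of the original message and not wpa_supplicant code: the comment in the configuration above notes that leaving out pin= makes wpa_supplicant request the PIN interactively, so this small Python check lists network blocks that use a token (engine=1 or pcsc) and still store the PIN in the file. The sample text is constructed from the two configurations quoted in this thread, and the function names are hypothetical.

```python
# Constructed sample, modelled on the two configurations quoted in this thread.
SAMPLE_CONF = '''\
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so
network={
    ssid="hostAP"
    key_mgmt=WPA-EAP
    eap=TLS
    engine=1
    # pin="000000"   (commented out: must not be reported)
    pin="875971"
}
network={
    ssid="FreeWifi_secure"
    key_mgmt=WPA-EAP IEEE8021X
    eap=SIM
    pcsc=""
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no settings
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def networks_with_stored_pin(text):
    """SSIDs of token-backed networks (PKCS#11 engine or PC/SC) that embed a PIN."""
    findings = []
    for net in parse_networks(text):
        uses_token = net.get("engine") == "1" or "pcsc" in net
        if uses_token and net.get("pin"):
            findings.append(net.get("ssid", "<no ssid>"))
    return findings

if __name__ == "__main__":
    for ssid in networks_with_stored_pin(SAMPLE_CONF):
        print(f"{ssid}: PIN stored in file; omit pin= to be asked via wpa_cli/wpa_gui")
```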