From: Chris G. <cl...@is...> - 2016-08-03 14:00:16

This question is a continuation from the previous thread 'Error with
pcsc_scan - "buffer overflow detected"'.

I have got a Gemalto IDBridge K30 (as you suggested at the end of the
above thread, thank you) and it seems to work OK with opensc on my
xubuntu 16.04 system:-

root@esprimo# pcsc_scan
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
Compiled with PC/SC lite version: 1.8.14
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto USB Shell Token V2 (5689ABD5) 00 00

Tue Aug 2 12:24:58 2016
Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
Card state: Card inserted,
ATR: 3B 16 95 D0 01 6C FD 0D 00

ATR: 3B 16 95 D0 01 6C FD 0D 00
+ TS = 3B --> Direct Convention
+ T0 = 16, Y(1): 0001, K: 6 (historical bytes)
TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
+ Historical bytes: D0 01 6C FD 0D 00
Category indicator byte: D0 (proprietary format)

Possibly identified card (using /root/.cache/smartcard_list.txt):
NONE

Your card is not present in the database.
Please submit your unknown card at:
http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00

Now I want to be able to use the information of the card from
wpa_supplicant. The blog/instructions I'm following add the following
to the wpa_supplicant configuration file:-

network={
    ssid="FreeWifi_secure"
    key_mgmt=WPA-EAP IEEE8021X
    eap=SIM
    pin="1234"
    pcsc=""
}

Is this really enough to make wpa_supplicant get the information from
the card using opensc? Presumably I'd need to run pcscd but is that
all?

I realise this is a bit off-topic but I can find very little
information about this anywhere else so any help (or pointers to help)
would be much appreciated.
--
Chris Green

From: Ludovic R. <lud...@gm...> - 2016-08-03 15:04:03

2016-08-03 16:00 GMT+02:00 Chris Green <cl...@is...>:
> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-
>

Great!

>
> root@esprimo# pcsc_scan
> PC/SC device scanner
> V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.14
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
> Tue Aug 2 12:24:58 2016
> Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
> Card state: Card inserted,
> ATR: 3B 16 95 D0 01 6C FD 0D 00
>
> ATR: 3B 16 95 D0 01 6C FD 0D 00
> + TS = 3B --> Direct Convention
> + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
> TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
> 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
> + Historical bytes: D0 01 6C FD 0D 00
> Category indicator byte: D0 (proprietary format)
>
> Possibly identified card (using /root/.cache/smartcard_list.txt):
> NONE
>
> Your card is not present in the database.
> Please submit your unknown card at:
> http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
> network={
> ssid="FreeWifi_secure"
> key_mgmt=WPA-EAP IEEE8021X
> eap=SIM
> pin="1234"
> pcsc=""
> }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>

What is your card?

You just reported the ATR as "Phone SIM card" using
http://smartcard-atr.appspot.com/
<http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00>

OpenSC does not support SIM cards.

I don't know if wpa_supplicant supports EAP-SIM using a SIM card.

Maybe it would be simpler to use a "FreeWifi" network with login +
password instead of the "FreeWifi_secure" network using EAP-SIM.
But you need to have a Freebox to get a "FreeWifi" account.

For the non-French readers free.fr is a French Internet Service
Provider (ADSL + optical fibre) and since some years also a GSM
operator. The ADSL boxes are called freebox and they provide a wifi
access for all the Free.fr users using login+password if you have a
freebox yourself or EAP-SIM if you have a Free.fr SIM card.

Bye
--
Dr. Ludovic Rousseau

From: Chris G. <cl...@is...> - 2016-08-03 15:11:53

> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
> network={
> ssid="FreeWifi_secure"
> key_mgmt=WPA-EAP IEEE8021X
> eap=SIM
> pin="1234"
> pcsc=""
> }
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>
> What is your card?

It's a Virgin Mobile SIM card. The card reader is a Gemalto IdBridge
K30.

> You just reported the ATR as "Phone SIM card" using
> http://smartcard-atr.appspot.com/
> OpenSC does not support SIM cards.

Well it's what pcsc_scan asked me to do! :-)

> I don't know if wpa_supplicant supports EAP-SIM using a SIM card.

It seems that it does, the blog here:-
https://ohnomoregadgets.wordpress.com/2013/08/28/free-wifi-with-eap-sim-on-a-desktop-computer/
describes how to do it using openct. However openct is deprecated
(and seems to have bugs now, as per the earlier thread) so I was
hoping to use opensc directly.

> Maybe it would be simpler to use a "FreeWifi" network with login +
> password instead of the "FreeWifi_secure" network using EAP-SIM.
> But you need to have a Freebox to get a "FreeWifi" account.
> For the non-French readers free.fr is a French Internet Service
> Provider (ADSL + optical fibre) and since some years also a GSM
> operator. The ADSL boxes are called freebox and they provide a wifi
> access for all the Free.fr users using login+password if you have a
> freebox yourself or EAP-SIM if you have a Free.fr SIM card.

Yes, exactly, and I have a Free.fr SIM card.
--
Chris Green

From: Andreas S. <and...@ca...> - 2016-08-03 15:28:53

Dear Chris,

we've recently integrated a SmartCard-HSM with wpa_supplicant using the
following configuration:

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so

network={
    ssid="hostAP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="User"

    # use OpenSSL PKCS#11 engine for this network
    engine=1
    engine_id="pkcs11"

    # select the private key and certificates based on ID (see pkcs11-tool
    # output above)
    key_id="5:1"
    cert_id="5:1"
    #ca_cert_id="1"

    # set the PIN code; leave this out to configure the PIN to be requested
    # interactively when needed (e.g., via wpa_gui or wpa_cli)
    pin="875971"
}

The AP was running hostapd with a PKI-TLS setup.

I got the configuration from the wpa_supplicant/examples directory in
the source.

To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and
have pcscd installed.

Andreas

On 08/03/2016 04:00 PM, Chris Green wrote:
> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-
>
> root@esprimo# pcsc_scan
> PC/SC device scanner
> V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.14
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
> Tue Aug 2 12:24:58 2016
> Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
> Card state: Card inserted,
> ATR: 3B 16 95 D0 01 6C FD 0D 00
>
> ATR: 3B 16 95 D0 01 6C FD 0D 00
> + TS = 3B --> Direct Convention
> + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
> TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
> 125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
> + Historical bytes: D0 01 6C FD 0D 00
> Category indicator byte: D0 (proprietary format)
>
> Possibly identified card (using /root/.cache/smartcard_list.txt):
> NONE
>
> Your card is not present in the database.
> Please submit your unknown card at:
> http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
> network={
> ssid="FreeWifi_secure"
> key_mgmt=WPA-EAP IEEE8021X
> eap=SIM
> pin="1234"
> pcsc=""
> }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>
--
--------- CardContact Systems GmbH
|.##> <##.| Schülerweg 38
|# #| D-32429 Minden, Germany
|# #| Phone +49 571 56149
|'##> <##'| http://www.cardcontact.de
--------- Registergericht Bad Oeynhausen HRB 14880
Geschäftsführer Andreas Schwier

From: Chris G. <cl...@is...> - 2016-08-03 16:05:40

On Wed, Aug 03, 2016 at 05:09:43PM +0200, Andreas Schwier wrote:
> Dear Chris,
>
> we've recently integrated a SmartCard-HSM with wpa_supplicant using the
> following configuration:
>
> # Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so
>
Do these go in the wpa_supplicant.conf file?
> network={
> ssid="hostAP"
> key_mgmt=WPA-EAP
> eap=TLS
> identity="User"
>
> # use OpenSSL PKCS#11 engine for this network
> engine=1
> engine_id="pkcs11"
>
> # select the private key and certificates based on ID (see pkcs11-tool
> # output above)
> key_id="5:1"
> cert_id="5:1"
> #ca_cert_id="1"
>
> # set the PIN code; leave this out to configure the PIN to be requested
> # interactively when needed (e.g., via wpa_gui or wpa_cli)
> pin="875971"
> }
>
> The AP was running hostapd with a PKI-TLS setup.
>
> I got the configuration from the wpa_supplicant/examples directory in
> the source.
>
OK, presumably I use the example given for EAP-SIM instead.
> To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and
> have pcscd installed.
>
Yes, OK. I wish there was an easy way to find out what support is
compiled in to a version of wpa_supplicant. I might have a version
with EAP-SIM support but there's no way to find out.
I have pcscd installed.
Thank you.
--
Chris Green
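
Added example, not part of the thread and not code from wpa_supplicant or OpenSC: a heuristic shell check for the two build features discussed above (PC/SC support and EAP-SIM) in an installed wpa_supplicant binary. It assumes a build that links libpcsclite dynamically and keeps its "EAP-SIM: " and "SCARD: " debug message strings; the function names are hypothetical, and a missing marker does not prove the feature is absent.

```shell
#!/bin/sh
# Added example: heuristic feature check for a wpa_supplicant binary.
# Assumptions: PC/SC support shows up as a dynamic link to libpcsclite,
# and the build keeps its "EAP-SIM: " / "SCARD: " debug message strings.

# classify LDD_OUTPUT MARKER_STRINGS
# Pure text classifier, so it can be exercised without a real binary.
#   pcsc_linked : libpcsclite appears in the dynamic dependencies
#   scard_code  : smart-card access code is present (also covers static builds)
#   eap_sim     : the EAP-SIM method is compiled in
classify() {
    pcsc_linked=no; scard_code=no; eap_sim=no
    printf '%s\n' "$1" | grep -q 'libpcsclite\.so' && pcsc_linked=yes
    printf '%s\n' "$2" | grep -q 'SCARD: '         && scard_code=yes
    printf '%s\n' "$2" | grep -q 'EAP-SIM: '       && eap_sim=yes
    echo "pcsc_linked=$pcsc_linked scard_code=$scard_code eap_sim=$eap_sim"
}

# check_wpa_sim [PATH]
# Collects the evidence from a real binary and classifies it.
check_wpa_sim() {
    bin=${1:-$(command -v wpa_supplicant)}
    if [ -z "$bin" ] || [ ! -r "$bin" ]; then
        echo "cannot read wpa_supplicant binary: ${bin:-not found in PATH}" >&2
        return 2
    fi
    # ldd fails on static binaries; treat that as "no dynamic libraries".
    libs=$(ldd "$bin" 2>/dev/null || true)
    # -a: treat the binary as text, -o: print only the matching prefixes.
    marks=$(grep -a -o -E '(EAP-SIM|SCARD): ' "$bin" | sort -u)
    classify "$libs" "$marks"
}

# Run only when a path is given, e.g.: sh check.sh /sbin/wpa_supplicant
if [ "$#" -gt 0 ]; then
    check_wpa_sim "$1"
fi
```

A result of pcsc_linked=yes and eap_sim=yes matches the build requirement stated earlier in the thread; pcscd still has to be running for the reader to be reachable.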