Re: [openssl-tpm2-engine] [tpm2] Support for EAP-TLS with openssl TPM2 engine

On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> On Wed, Mar 13, 2019 at 04:56:17PM -0700, David Woodhouse wrote:
> > On Sat, 2019-01-12 at 12:59 +0100, huger@xxxxxx wrote:
> > > Hi
> > > 
> > > I am working on a plan to operate mobile Linux computers and
> > > would like them to use corporate wifi with EAP TLS. Security
> > > requires us to safely store the client key. Easiest solution
> > > would be in the computer's TPM 2.0 device.
> > > 
> > > So far we were not successful trying to set this up with
> > > wpa_supplicant and pkcs11 engine. Even if successful a solution
> > > with these multiple layers of abstraction is quite complex and
> > > therefore might be prone to updates of any of the components.
> > > 
> > > So I wonder if there are plans to directly support openssl tpm2
> > > engine?
> > 
> > Here's a quick hack to make it work by abusing the OpenSC engine
> > config, as a proof of concept. Making it work cleanly so that it
> > can be merged is left as an exercise for the reader, or perhaps an
> > interested party in one of the mailing lists I've added to Cc.

Well, you can't have the engine name hard coded ... that really needs
to be some type of parameter, which is going to be 99% of the hassle
making a proper patch ...

> > I have no idea why wpa_supplicant doesn't call
> > ENGINE_load_dynamic() for current versions of OpenSSL. That seems
> > to be a bug, which is why I've removed the #ifdefs around it.
> > 
> > Signed-off-by: David Woodhouse <dwmw2@xxxxxxxxxxxxx> (not that
> > you'd want to apply it as-is).
> > 
> > diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> > index 705fa29a3..546d3a598 100644
> > --- a/src/crypto/tls_openssl.c
> > +++ b/src/crypto/tls_openssl.c
> > @@ -864,7 +864,7 @@ static int tls_engine_load_dynamic_pkcs11(const
> > char *pkcs11_so_path,
> >   */
> >  static int tls_engine_load_dynamic_opensc(const char
> > *opensc_so_path)
> >  {
> > -	char *engine_id = "opensc";
> > +	char *engine_id = "tpm2";
> >  	const char *pre_cmd[] = {
> >  		"SO_PATH", NULL /* opensc_so_path */,
> >  		"ID", NULL /* engine_id */,
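Review bot: the engine id is swapped from "opensc" to "tpm2" inside tls_engine_load_dynamic_opensc(), while the function name, its opensc_so_path parameter and the `/* opensc_so_path */` placeholder in pre_cmd[] still describe the OpenSC case; anyone who keeps pointing opensc_engine_path at the real OpenSC engine now hands the dynamic engine an "ID" of tpm2 that its id check will reject. Make the engine id a parameter of the loader (fed from a new config key next to opensc_engine_path, or a generic path-plus-id loader that both the opensc and tpm2 paths call) rather than replacing the literal, and rename the function or its comment accordingly.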
> > @@ -1034,10 +1034,8 @@ void * tls_init(const struct tls_config
> > *conf)
> >  
> >  #ifndef OPENSSL_NO_ENGINE
> >  	wpa_printf(MSG_DEBUG, "ENGINE: Loading dynamic engine");
> > -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> >  	ERR_load_ENGINE_strings();
> >  	ENGINE_load_dynamic();
> > -#endif /* OPENSSL_VERSION_NUMBER */
> >  
> >  	if (conf &&
> >  	    (conf->opensc_engine_path || conf->pkcs11_engine_path
> > ||
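Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard around ERR_load_ENGINE_strings() and ENGINE_load_dynamic() is removed with only "no idea why" as justification, which is not enough to get the change upstream. The argument that belongs in the commit message is that with OpenSSL 1.1.x both calls still exist (ENGINE_load_dynamic() as a macro over OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_DYNAMIC, NULL)), and that ENGINE_by_id("dynamic"), which the load helpers above depend on, only succeeds once the dynamic engine has been registered that way; the guard was presumably added on the assumption that 1.1.0 auto-initialisation covered it. Say that explicitly and note that the 1.0.x path is unchanged by this hunk.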
> > diff --git a/wpa_supplicant/wpa_supplicant.conf
> > b/wpa_supplicant/wpa_supplicant.conf
> > index 1bd43b226..b3045fb3d 100644
> > --- a/wpa_supplicant/wpa_supplicant.conf
> > +++ b/wpa_supplicant/wpa_supplicant.conf
> > @@ -174,7 +174,7 @@ fast_reauth=1
> >  # private_key option appear to be a PKCS#11 URI, and these options
> >  # should not need to be used explicitly.
> >  # make the opensc engine available
> > -#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
> > +opensc_engine_path=/home/dwmw/git/openssl_tpm2_engine/.libs/libtpm
> > 2.so
> >  # make the pkcs11 engine available
> >  #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
> >  # configure the path to the pkcs11 module required by the pkcs11
> > engine
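Review bot: this hunk turns the commented-out example into a live setting that points the shipped wpa_supplicant.conf at a personal build tree (`/home/dwmw/git/openssl_tpm2_engine/.libs/libtpm2.so`), and the `# make the opensc engine available` comment directly above it now describes the wrong engine. Keep the line commented out in the example config, use an installed engines directory if a tpm2 example is wanted at all, and add a comment explaining that, with the accompanying C change, opensc_engine_path is being used to load a non-OpenSC engine under the id tpm2, so a reader understands why the key is being reused.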
> > _______________________________________________
> > tpm2 mailing list
> > tpm2@xxxxxxxxxxxx
> > https://lists.01.org/mailman/listinfo/tpm2
> 
> Sweet! I'd been working on this too, I just got the hostapd /
> wpa_supplicant test stuff working and was going to try setting
> pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so

Just on this particular part: I recently got annoyed with the inability
to use TPM keys on Firefox.  I did look at the tpm pkcs11 projects but
they all looked deficient to say the least, so I put together this

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl-pkcs11-export.git

It's a generic engine key to pkcs11 exporter (will work for any openssl
engine) driven by a simple ini-like config file.  The big advantage it
has is that now I can use openssl engines with GnuTLS.

> To the tpm2-software/tpm2-pkcs11 library.
> 
> From the amount of changes it took you, it seems like your approach
> is cleaner, so, out of curiosity, what was your rationale for going
> with this approach? I was going to try the pkcs11 way because I came
> across
> 
> https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf
> 
> But, I haven't gotten to it yet as I got sidetracked right after I
> got the tests up and running.

Going the pkcs11 route is definitely the Heath Robinson approach, so
the direct engine route is definitely much better.

James


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
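For readers who want to see how the pieces in this thread fit together, here is a wpa_supplicant.conf layout that matches the proof-of-concept patch quoted above. It is an added example, not configuration from the thread, from hostap or from openssl_tpm2_engine: the global line reuses opensc_engine_path exactly as the hack does, and the network block selects the engine by the id the patch hard-codes. The SSID, identity, certificate paths and the engine install path are placeholders, and the assumption that openssl_tpm2_engine accepts the path of a TPM-wrapped key blob (as produced by its create_tpm2_key tool) as the wpa_supplicant key_id is mine, not something the page states.

```conf
# Global section. With the quoted patch applied, tls_engine_load_dynamic_opensc()
# loads whatever opensc_engine_path points at under the engine id "tpm2", so the
# path must be the openssl_tpm2_engine shared object, not the OpenSC engine.
# Placeholder install path; adjust to wherever libtpm2.so is actually installed.
ctrl_interface=/var/run/wpa_supplicant
opensc_engine_path=/usr/lib/x86_64-linux-gnu/engines-1.1/libtpm2.so

network={
	# Placeholder SSID and EAP identity for a corporate EAP-TLS network.
	ssid="CORP-EAP"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="laptop42@example.com"
	# CA and client certificates stay as ordinary PEM files; only the private
	# key is kept in the TPM.
	ca_cert="/etc/wpa_supplicant/corp-ca.pem"
	client_cert="/etc/wpa_supplicant/laptop42.crt"
	# Ask wpa_supplicant to obtain the private key from an OpenSSL engine
	# instead of from private_key=. engine_id must equal the id the patch
	# hard-codes, otherwise ENGINE_by_id() finds nothing.
	engine=1
	engine_id="tpm2"
	# Assumption: openssl_tpm2_engine resolves the key id as the path of a
	# TPM-wrapped key blob written by create_tpm2_key.
	key_id="/etc/wpa_supplicant/laptop42.tpm"
	# Only needed if the TPM key was created with an authorization value;
	# wpa_supplicant hands it to the engine as the PIN.
	#pin="placeholder-auth-value"
}
```

Because the engine id is hard-coded in the patched loader, this layout breaks as soon as a machine really does need the OpenSC engine; that is the parameterisation James points out is most of the work in turning the hack into a mergeable change.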


