Question about how to use opensc from wpa_supplicant

Question about how to use opensc from wpa_supplicant

Chris Green
This question is a continuation from the previous thread 'Error with
pcsc_scan - "buffer overflow detected"'.

I have got a Gemalto IDBridge K30 (as you suggested at the end of the
above thread, thank you) and it seems to work OK with opensc on my
xubuntu 16.04 system:-

    root@esprimo# pcsc_scan
    PC/SC device scanner
    V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
    Compiled with PC/SC lite version: 1.8.14
    Using reader plug'n play mechanism
    Scanning present readers...
    0: Gemalto USB Shell Token V2 (5689ABD5) 00 00

    Tue Aug  2 12:24:58 2016
    Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
      Card state: Card inserted,
      ATR: 3B 16 95 D0 01 6C FD 0D 00

    ATR: 3B 16 95 D0 01 6C FD 0D 00
    + TS = 3B --> Direct Convention
    + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
      TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
        125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
    + Historical bytes: D0 01 6C FD 0D 00
      Category indicator byte: D0 (proprietary format)

    Possibly identified card (using /root/.cache/smartcard_list.txt):
            NONE

    Your card is not present in the database.
    Please submit your unknown card at:
    http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00


Now I want to be able to use the information of the card from
wpa_supplicant.  The blog/instructions I'm following add the following
to the wpa_supplicant configuration file:-

    network={
      ssid="FreeWifi_secure"
      key_mgmt=WPA-EAP IEEE8021X
      eap=SIM
      pin="1234"
      pcsc=""
    }

Is this really enough to make wpa_supplicant get the information from
the card using opensc?  Presumably I'd need to run pcscd but is that
all?

I realise this is a bit off-topic but I can find very little
information about this anywhere else so any help (or pointers to help)
would be much appreciated.

--
Chris Green

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
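The ATR breakdown that pcsc_scan prints in the message above follows ISO/IEC 7816-3. As an added example (not part of the original post, and not pcsc-tools or OpenSC code), this Python decoder reproduces those fields for the ATR shown; the function name `parse_atr` and the layout of its result are choices made for this example.

```python
# Added example: minimal ISO/IEC 7816-3 ATR decoder.
from functools import reduce
from operator import xor

# Fi and max clock (MHz) by the high nibble of TA(1); missing keys are RFU.
FI = {0: (372, 4), 1: (372, 5), 2: (558, 6), 3: (744, 8), 4: (1116, 12),
      5: (1488, 16), 6: (1860, 20), 9: (512, 5), 10: (768, 7.5),
      11: (1024, 10), 12: (1536, 15), 13: (2048, 20)}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # low nibble


def parse_atr(hex_atr):
    """Decode an ATR given as hex text; raise ValueError if it is malformed."""
    data = bytes.fromhex(hex_atr)
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    iface, protocols = {}, set()
    y, k = data[1] >> 4, data[1] & 0x0F   # T0: Y(1) presence bitmap, K
    pos, i = 2, 1
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError(f"truncated before {name}({i})")
                iface[f"{name}({i})"] = data[pos]
                pos += 1
        td = iface.get(f"TD({i})")
        if td is None:
            break
        protocols.add(td & 0x0F)          # low nibble: T (15 = global bytes)
        y, i = td >> 4, i + 1             # high nibble: bitmap of next group
    hist = data[pos:pos + k]
    if len(hist) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    tck_ok = None                         # TCK exists only if some T != 0
    if protocols - {0}:
        if pos >= len(data):
            raise ValueError("missing TCK")
        tck_ok, pos = reduce(xor, data[1:pos + 1]) == 0, pos + 1
    if pos != len(data):
        raise ValueError("trailing bytes after ATR")
    ta1 = iface.get("TA(1)", 0x11)        # default Fi=372, Di=1 when absent
    (fi, fmax), di = FI.get(ta1 >> 4, (None, None)), DI.get(ta1 & 0x0F)
    speed = {"Fi": fi, "Di": di, "cycles_per_etu": fi / di,
             "max_bps": int(fmax * 1_000_000 * di // fi)} if fi and di else None
    return {"convention": "direct" if data[0] == 0x3B else "inverse",
            "interface": iface, "protocols": sorted(protocols or {0}),
            "historical": hist.hex().upper(), "tck_ok": tck_ok, "speed": speed}
```

Calling `parse_atr("3B 16 95 D0 01 6C FD 0D 00")` gives the same Fi, Di, cycles/ETU and maximum bit rate that pcsc_scan reports, with T=0 as the only protocol and therefore no TCK checksum byte.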

Re: Question about how to use opensc from wpa_supplicant

Ludovic Rousseau


2016-08-03 16:00 GMT+02:00 Chris Green <[hidden email]>:
> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-

Great!

>     root@esprimo# pcsc_scan
>     PC/SC device scanner
>     V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
>     Compiled with PC/SC lite version: 1.8.14
>     Using reader plug'n play mechanism
>     Scanning present readers...
>     0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
>     Tue Aug  2 12:24:58 2016
>     Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>       Card state: Card inserted,
>       ATR: 3B 16 95 D0 01 6C FD 0D 00
>
>     ATR: 3B 16 95 D0 01 6C FD 0D 00
>     + TS = 3B --> Direct Convention
>     + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
>       TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
>         125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
>     + Historical bytes: D0 01 6C FD 0D 00
>       Category indicator byte: D0 (proprietary format)
>
>     Possibly identified card (using /root/.cache/smartcard_list.txt):
>             NONE
>
>     Your card is not present in the database.
>     Please submit your unknown card at:
>     http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant.  The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
>     network={
>       ssid="FreeWifi_secure"
>       key_mgmt=WPA-EAP IEEE8021X
>       eap=SIM
>       pin="1234"
>       pcsc=""
>     }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc?  Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.

What is your card?
You just reported the ATR as "Phone SIM card" using http://smartcard-atr.appspot.com/
OpenSC does not support SIM cards.

I don't know if wpa_supplicant supports EAP-SIM using a SIM card.


Maybe it would be simpler to use a "FreeWifi" network with login + password instead of the "FreeWifi_secure" network using EAP-SIM.
But you need to have a Freebox to get a "FreeWifi" account.

For the non-French readers free.fr is a French Internet Service Provider (ADSL + optical fibre) and for some years now also a GSM operator. The ADSL boxes are called freebox and they provide a wifi access for all the Free.fr users using login+password if you have a freebox yourself or EAP-SIM if you have a Free.fr SIM card.

Bye

--
 Dr. Ludovic Rousseau


Re: Question about how to use opensc from wpa_supplicant

Andreas Schwier (ML)
In reply to this post by Chris Green
Dear Chris,

we've recently integrated a SmartCard-HSM with wpa_supplicant using the
following configuration:

    # Configure OpenSSL to load the PKCS#11 engine and the OpenSC PKCS#11 module
    pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
    pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so

    network={
            ssid="hostAP"
            key_mgmt=WPA-EAP
            eap=TLS
            identity="User"

            # use OpenSSL PKCS#11 engine for this network
            engine=1
            engine_id="pkcs11"

            # select the private key and certificates based on ID (see pkcs11-tool
            # output above)
            key_id="5:1"
            cert_id="5:1"
            #ca_cert_id="1"

            # set the PIN code; leave this out to configure the PIN to be requested
            # interactively when needed (e.g., via wpa_gui or wpa_cli)
            pin="875971"
    }

The AP was running hostapd with a PKI-TLS setup.

I got the configuration from the wpa_supplicant/examples directory in
the source.

To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and
have pcscd installed.

Andreas



On 08/03/2016 04:00 PM, Chris Green wrote:

> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-
>
>     root@esprimo# pcsc_scan
>     PC/SC device scanner
>     V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
>     Compiled with PC/SC lite version: 1.8.14
>     Using reader plug'n play mechanism
>     Scanning present readers...
>     0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
>     Tue Aug  2 12:24:58 2016
>     Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>       Card state: Card inserted,
>       ATR: 3B 16 95 D0 01 6C FD 0D 00
>
>     ATR: 3B 16 95 D0 01 6C FD 0D 00
>     + TS = 3B --> Direct Convention
>     + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
>       TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
>         125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
>     + Historical bytes: D0 01 6C FD 0D 00
>       Category indicator byte: D0 (proprietary format)
>
>     Possibly identified card (using /root/.cache/smartcard_list.txt):
>             NONE
>
>     Your card is not present in the database.
>     Please submit your unknown card at:
>     http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant.  The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
>     network={
>       ssid="FreeWifi_secure"
>       key_mgmt=WPA-EAP IEEE8021X
>       eap=SIM
>       pin="1234"
>       pcsc=""
>     }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc?  Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>


--

    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Registergericht Bad Oeynhausen HRB 14880
                 Geschäftsführer Andreas Schwier


Re: Question about how to use opensc from wpa_supplicant

Chris Green
In reply to this post by Ludovic Rousseau
>      Now I want to be able to use the information of the card from
>      wpa_supplicant.  The blog/instructions I'm following add the
>      following to the wpa_supplicant configuration file:-
>
>          network={
>            ssid="FreeWifi_secure"
>            key_mgmt=WPA-EAP IEEE8021X
>            eap=SIM
>            pin="1234"
>            pcsc=""
>          }
>
>      Is this really enough to make wpa_supplicant get the information
>      from the card using opensc?  Presumably I'd need to run pcscd but
>      is that all?
>
>      I realise this is a bit off-topic but I can find very little
>      information about this anywhere else so any help (or pointers to
>      help) would be much appreciated.
>
>    What is your card?

It's a Virgin Mobile SIM card.  The card reader is a Gemalto IdBridge
K30.

>    You just reported the ATR as "Phone SIM card" using
>    http://smartcard-atr.appspot.com/
>    OpenSC does not support SIM cards.

Well it's what pcsc_scan asked me to do!  :-)


>    I don't know if wpa_supplicant supports EAP-SIM using a SIM card.

It seems that it does, the blog here:-
    https://ohnomoregadgets.wordpress.com/2013/08/28/free-wifi-with-eap-sim-on-a-desktop-computer/
describes how to do it using openct.  However openct is deprecated
(and seems to have bugs now, as per the earlier thread) so I was
hoping to use opensc directly.


>    Maybe it would be simpler to use a "FreeWifi" network with login +
>    password instead of the "FreeWifi_secure" network using EAP-SIM.
>    But you need to have a Freebox to get a "FreeWifi" account.
>    For the non-French readers free.fr is a French Internet Service
>    Provider (ADSL + optical fibre) and for some years now also a GSM
>    operator. The ADSL boxes are called freebox and they provide a wifi
>    access for all the Free.fr users using login+password if you have a
>    freebox yourself or EAP-SIM if you have a Free.fr SIM card.

Yes, exactly, and I have a Free.fr SIM card.


--
Chris Green


Re: Question about how to use opensc from wpa_supplicant

Chris Green
In reply to this post by Andreas Schwier (ML)
On Wed, Aug 03, 2016 at 05:09:43PM +0200, Andreas Schwier wrote:
> Dear Chris,
>
> we've recently integrated a SmartCard-HSM with wpa_supplicant using the
> following configuration:
>
> # Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so
>
Do these go in the wpa_supplicant.conf file?

> network={
> ssid="hostAP"
> key_mgmt=WPA-EAP
> eap=TLS
> identity="User"
>
> # use OpenSSL PKCS#11 engine for this network
> engine=1
> engine_id="pkcs11"
>
> # select the private key and certificates based on ID (see pkcs11-tool
> # output above)
> key_id="5:1"
> cert_id="5:1"
> #ca_cert_id="1"
>
> # set the PIN code; leave this out to configure the PIN to be requested
> # interactively when needed (e.g., via wpa_gui or wpa_cli)
> pin="875971"
> }
>
> The AP was running hostapd with a PKI-TLS setup.
>
> I got the configuration from the wpa_supplicant/examples directory in
> the source.
>
OK, presumably I use the example given for EAP-SIM instead.


> To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and
> have pcscd installed.
>
Yes, OK.  I wish there was an easy way to find out what support is
compiled in to a version of wpa_supplicant.  I might have a version
with EAP-SIM support but there's no way to find out.

I have pcscd installed.

Thank you.

--
Chris Green
