# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)
#
# Only PKCS#11 object IDs are referenced from this file; the private key
# material itself stays on the token and is used through the engine.

# This example uses the following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so  -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label:      rsakey
#   ID:         04
#   Usage:      decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label:      ca
#   ID:         01
# Certificate Object, type = X.509 cert
#   label:      cert
#   ID:         04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
# (library paths are distribution-specific; adjust them to the installed
# locations)
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
	ssid="test network"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="User"

	# use OpenSSL PKCS#11 engine for this network
	engine=1
	engine_id="pkcs11"

	# select the private key and certificates based on ID (see pkcs11-tool
	# output above): key_id and cert_id both refer to ID 04 (the client key
	# pair), ca_cert_id refers to ID 01 (the CA used to validate the
	# authentication server's certificate).
	# Note: ca_cert_id alone accepts any server certificate issued by that
	# CA; if the CA also issues other certificates, additionally constrain
	# the expected server identity (e.g., subject_match or
	# domain_suffix_match, where supported by this wpa_supplicant version).
	key_id="4"
	cert_id="4"
	ca_cert_id="1"

	# set the PIN code; leave this out to configure the PIN to be requested
	# interactively when needed (e.g., via wpa_gui or wpa_cli)
	# A PIN stored here is in clear text, so keep this file readable only by
	# the user running wpa_supplicant.
	pin="123456"
}