8d520ff1dc2da35cdca849e982051b86468016d8 Dmitry Shmidt

# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)

# This example uses the following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label: rsakey
#   ID: 04
#   Usage: decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label: ca
#   ID: 01
# Certificate Object, type = X.509 cert
#   label: cert
#   ID: 04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
	ssid="test network"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="User"

	# use OpenSSL PKCS#11 engine for this network
	engine=1
	engine_id="pkcs11"

	# select the private key and certificates based on ID (see pkcs11-tool
	# output above)
	key_id="4"
	cert_id="4"
	ca_cert_id="1"

	# set the PIN code (stored here in cleartext); leave this out to have the
	# PIN requested interactively when needed (e.g., via wpa_gui or wpa_cli)
	pin="123456"
}
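
The configuration above keeps the token PIN in the file unless `pin=` is left out. The following audit sketch is an added example, not part of wpa_supplicant or of the original file: it parses `network={}` blocks and reports PKCS#11 networks that embed a PIN or lack `key_id`/`cert_id`. The function names `parse_networks` and `audit` are hypothetical, the sample input is constructed, and the file mode is assumed to be supplied by the caller (for instance from `os.stat`).

```python
# Constructed sample input mirroring the network block on this page.
SAMPLE_CONF = '''\
network={
    ssid="test network"
    eap=TLS
    engine=1
    engine_id="pkcs11"
    key_id="4"
    cert_id="4"
    ca_cert_id="1"
    pin="123456"
}
'''

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text, file_mode=None):
    """Return findings for networks that use the OpenSSL engine (engine=1)."""
    findings = []
    for net in parse_networks(text):
        if net.get("engine") != "1":
            continue
        ssid = net.get("ssid", "?")
        if "pin" in net:
            findings.append(f"{ssid}: token PIN stored in cleartext (pin=)")
            # Any group/other permission bit exposes the PIN to other users.
            if file_mode is not None and file_mode & 0o077:
                findings.append(f"{ssid}: config with PIN is group/world accessible")
        for field in ("key_id", "cert_id"):
            if field not in net:
                findings.append(f"{ssid}: {field} missing for engine=1")
    return findings
```

Calling `audit(SAMPLE_CONF, 0o644)` reports both the embedded PIN and the permissive file mode; removing the `pin=` line clears both findings.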