Update PKCS#11 references in template wpa_supplicant.conf
Ditch the legacy syntax and manual engine mangling and just give an example using simple PKCS#11 URIs that'll work with both GnuTLS and OpenSSL. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
This commit is contained in:
parent
c3d7fb7e27
commit
f7cb6e9f24
1 changed files with 15 additions and 17 deletions
|
@ -168,10 +168,13 @@ ap_scan=1
|
||||||
fast_reauth=1
|
fast_reauth=1
|
||||||
|
|
||||||
# OpenSSL Engine support
|
# OpenSSL Engine support
|
||||||
# These options can be used to load OpenSSL engines.
|
# These options can be used to load OpenSSL engines in special or legacy
|
||||||
|
# modes.
|
||||||
# The two engines that are supported currently are shown below:
|
# The two engines that are supported currently are shown below:
|
||||||
# They are both from the opensc project (http://www.opensc.org/)
|
# They are both from the opensc project (http://www.opensc.org/)
|
||||||
# By default no engines are loaded.
|
# By default the PKCS#11 engine is loaded if the client_cert or
|
||||||
|
# private_key option appear to be a PKCS#11 URI, and these options
|
||||||
|
# should not need to be used explicitly.
|
||||||
# make the opensc engine available
|
# make the opensc engine available
|
||||||
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
|
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
|
||||||
# make the pkcs11 engine available
|
# make the pkcs11 engine available
|
||||||
|
@ -480,6 +483,10 @@ fast_reauth=1
|
||||||
# (EAP-TLS). Full path to the file should be used since working
|
# (EAP-TLS). Full path to the file should be used since working
|
||||||
# directory may change when wpa_supplicant is run in the background.
|
# directory may change when wpa_supplicant is run in the background.
|
||||||
#
|
#
|
||||||
|
# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
|
||||||
|
#
|
||||||
|
# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
|
||||||
|
#
|
||||||
# Alternatively, a named configuration blob can be used by setting
|
# Alternatively, a named configuration blob can be used by setting
|
||||||
# this to blob://blob_name.
|
# this to blob://blob_name.
|
||||||
#
|
#
|
||||||
|
@ -490,6 +497,9 @@ fast_reauth=1
|
||||||
# used since working directory may change when wpa_supplicant is run
|
# used since working directory may change when wpa_supplicant is run
|
||||||
# in the background.
|
# in the background.
|
||||||
#
|
#
|
||||||
|
# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
|
||||||
|
# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
|
||||||
|
#
|
||||||
# Windows certificate store can be used by leaving client_cert out and
|
# Windows certificate store can be used by leaving client_cert out and
|
||||||
# configuring private_key in one of the following formats:
|
# configuring private_key in one of the following formats:
|
||||||
#
|
#
|
||||||
|
@ -1587,22 +1597,10 @@ network={
|
||||||
group=CCMP TKIP
|
group=CCMP TKIP
|
||||||
identity="user@example.com"
|
identity="user@example.com"
|
||||||
ca_cert="/etc/cert/ca.pem"
|
ca_cert="/etc/cert/ca.pem"
|
||||||
client_cert="/etc/cert/user.pem"
|
|
||||||
|
|
||||||
engine=1
|
# Certificate and/or key identified by PKCS#11 URI (RFC7512)
|
||||||
|
client_cert="pkcs11:manufacturer=piv_II;id=%01"
|
||||||
# The engine configured here must be available. Look at
|
private_key="pkcs11:manufacturer=piv_II;id=%01"
|
||||||
# OpenSSL engine support in the global section.
|
|
||||||
# The key available through the engine must be the private key
|
|
||||||
# matching the client certificate configured above.
|
|
||||||
|
|
||||||
# use the opensc engine
|
|
||||||
#engine_id="opensc"
|
|
||||||
#key_id="45"
|
|
||||||
|
|
||||||
# use the pkcs11 engine
|
|
||||||
engine_id="pkcs11"
|
|
||||||
key_id="id_45"
|
|
||||||
|
|
||||||
# Optional PIN configuration; this can be left out and PIN will be
|
# Optional PIN configuration; this can be left out and PIN will be
|
||||||
# asked through the control interface
|
# asked through the control interface
|
||||||
|
|
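Review bot: In the client_cert hunk (@ -480,6 +483,10) the new example line is `# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"`, although that paragraph documents how a certificate is referenced; it should read `# For example: client_cert="pkcs11:manufacturer=piv_II;id=%01"`, otherwise it is a verbatim copy of the private_key example added in the @ -490 hunk. The global-section hunk (@ -168) says "if the client_cert or private_key option appear to be a PKCS#11 URI"; "appears" reads correctly, and it would help operators to state what the supplicant actually matches on (presumably the `pkcs11:` scheme prefix — confirm against the config parser before writing it). The surviding "two engines ... from the opensc project" and `#opensc_engine_path=` lines in that hunk now describe the legacy path the commit message says it is ditching, so a short sentence marking them as the special/legacy case would keep the section consistent with the new auto-loading text. The network block in the last hunk continues past the hunk (the PIN settings follow it), so the example as shown here is incomplete.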