Update PKCS#11 references in template wpa_supplicant.conf

Ditch the legacy syntax and manual engine mangling and just give an
example using simple PKCS#11 URIs that'll work with both GnuTLS and
OpenSSL.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
This commit is contained in:
David Woodhouse 2016-06-08 21:04:02 +01:00 committed by Jouni Malinen
parent c3d7fb7e27
commit f7cb6e9f24

View file

@ -168,10 +168,13 @@ ap_scan=1
fast_reauth=1 fast_reauth=1
# OpenSSL Engine support # OpenSSL Engine support
# These options can be used to load OpenSSL engines. # These options can be used to load OpenSSL engines in special or legacy
# modes.
# The two engines that are supported currently are shown below: # The two engines that are supported currently are shown below:
# They are both from the opensc project (http://www.opensc.org/) # They are both from the opensc project (http://www.opensc.org/)
# By default no engines are loaded. # By default the PKCS#11 engine is loaded if the client_cert or
# private_key option appear to be a PKCS#11 URI, and these options
# should not need to be used explicitly.
# make the opensc engine available # make the opensc engine available
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
# make the pkcs11 engine available # make the pkcs11 engine available
@ -480,6 +483,10 @@ fast_reauth=1
# (EAP-TLS). Full path to the file should be used since working # (EAP-TLS). Full path to the file should be used since working
# directory may change when wpa_supplicant is run in the background. # directory may change when wpa_supplicant is run in the background.
# #
# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
#
# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
#
# Alternatively, a named configuration blob can be used by setting # Alternatively, a named configuration blob can be used by setting
# this to blob://blob_name. # this to blob://blob_name.
# #
@ -490,6 +497,9 @@ fast_reauth=1
# used since working directory may change when wpa_supplicant is run # used since working directory may change when wpa_supplicant is run
# in the background. # in the background.
# #
# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
#
# Windows certificate store can be used by leaving client_cert out and # Windows certificate store can be used by leaving client_cert out and
# configuring private_key in one of the following formats: # configuring private_key in one of the following formats:
# #
@ -1587,22 +1597,10 @@ network={
group=CCMP TKIP group=CCMP TKIP
identity="user@example.com" identity="user@example.com"
ca_cert="/etc/cert/ca.pem" ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
engine=1 # Certificate and/or key identified by PKCS#11 URI (RFC7512)
client_cert="pkcs11:manufacturer=piv_II;id=%01"
# The engine configured here must be available. Look at private_key="pkcs11:manufacturer=piv_II;id=%01"
# OpenSSL engine support in the global section.
# The key available through the engine must be the private key
# matching the client certificate configured above.
# use the opensc engine
#engine_id="opensc"
#key_id="45"
# use the pkcs11 engine
engine_id="pkcs11"
key_id="id_45"
# Optional PIN configuration; this can be left out and PIN will be # Optional PIN configuration; this can be left out and PIN will be
# asked through the control interface # asked through the control interface