From patchwork Wed Jun  8 20:04:02 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Woodhouse <dwmw2@infradead.org>
X-Patchwork-Id: 632476
Return-Path: 
 <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from bombadil.infradead.org (bombadil.infradead.org
	[198.137.202.9])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3rPzsl4B9Vz9sdm
	for <incoming@patchwork.ozlabs.org>;
	Thu,  9 Jun 2016 06:04:11 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
	id 1bAjhu-0002AX-Pa; Wed, 08 Jun 2016 20:04:06 +0000
Received: from [2001:8b0:10b:1:7ea0:15de:b196:f4f3] (helo=i7.infradead.org)
	by bombadil.infradead.org with esmtpsa (Exim 4.80.1 #2 (Red Hat
	Linux)) id 1bAjht-0002AD-56; Wed, 08 Jun 2016 20:04:05 +0000
Message-ID: <1465416242.146854.5.camel@infradead.org>
Subject: [PATCH v2 2/2] wpa_supplicant: Update PKCS#11 references in
	template wpa_supplicant.conf
From: David Woodhouse <dwmw2@infradead.org>
To: hostap@lists.infradead.org
Date: Wed, 08 Jun 2016 21:04:02 +0100
In-Reply-To: <1465293252.46888.238.camel@infradead.org>
References: <1465293252.46888.238.camel@infradead.org>
X-Mailer: Evolution 3.20.3 (3.20.3-1.1.fc24) 
Mime-Version: 1.0
X-BeenThere: hostap@lists.infradead.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: <hostap.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/hostap>,
	<mailto:hostap-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/hostap/>
List-Post: <mailto:hostap@lists.infradead.org>
List-Help: <mailto:hostap-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/hostap>,
	<mailto:hostap-request@lists.infradead.org?subject=subscribe>
Cc: Michael Schaller <misch@google.com>, Jouni Malinen <j@w1.fi>,
	Mike Gerow <gerow@google.com>
Sender: "Hostap" <hostap-bounces@lists.infradead.org>
Errors-To: hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Ditch the legacy syntax and manual engine mangling and just give an example
using simple PKCS#11 URIs that'll work with both GnuTLS and OpenSSL.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---
 wpa_supplicant/wpa_supplicant.conf | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 2d487c5..c1f663c 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -168,10 +168,13 @@ ap_scan=1
 fast_reauth=1
 
 # OpenSSL Engine support
-# These options can be used to load OpenSSL engines.
+# These options can be used to load OpenSSL engines in special or legacy
+# modes.
 # The two engines that are supported currently are shown below:
 # They are both from the opensc project (http://www.opensc.org/)
-# By default no engines are loaded.
+# By default the PKCS#11 engine is loaded if the client_cert or
+# private_key option appear to be a PKCS#11 URI, and these options
+# should not need to be used explicitly.
 # make the opensc engine available
 #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
 # make the pkcs11 engine available
@@ -474,6 +477,10 @@ fast_reauth=1
 #	(EAP-TLS). Full path to the file should be used since working
 #	directory may change when wpa_supplicant is run in the background.
 #
+#	Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
+#
+#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
+#
 #	Alternatively, a named configuration blob can be used by setting
 #	this to blob://blob_name.
 #
@@ -484,6 +491,9 @@ fast_reauth=1
 #	used since working directory may change when wpa_supplicant is run
 #	in the background.
 #
+#	Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
+#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
+#
 #	Windows certificate store can be used by leaving client_cert out and
 #	configuring private_key in one of the following formats:
 #
@@ -1581,22 +1591,10 @@ network={
 	group=CCMP TKIP
 	identity="user@example.com"
 	ca_cert="/etc/cert/ca.pem"
-	client_cert="/etc/cert/user.pem"
-
-	engine=1
-
-	# The engine configured here must be available. Look at
-	# OpenSSL engine support in the global section.
-	# The key available through the engine must be the private key
-	# matching the client certificate configured above.
-
-	# use the opensc engine
-	#engine_id="opensc"
-	#key_id="45"
 
-	# use the pkcs11 engine
-	engine_id="pkcs11"
-	key_id="id_45"
+	# Certificate and/or key identified by PKCS#11 URI (RFC7512)
+	client_cert="pkcs11:manufacturer=piv_II;id=%01"
+	private_key="pkcs11:manufacturer=piv_II;id=%01"
 
 	# Optional PIN configuration; this can be left out and PIN will be
 	# asked through the control interface