Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Update PKCS#11 references in template wpa_supplicant.conf

Ditch the legacy syntax and manual engine mangling and just give an
example using simple PKCS#11 URIs that'll work with both GnuTLS and
OpenSSL.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse 8 years ago
parent
c3d7fb7e27
commit
f7cb6e9f24
1 changed files with 15 additions and 17 deletions
Split View Show Diff Stats
  1. 15 17
      wpa_supplicant/wpa_supplicant.conf

+ 15 - 17
wpa_supplicant/wpa_supplicant.conf
View File 

@@ -168,10 +168,13 @@ ap_scan=1
 
 fast_reauth=1
 
 
 # OpenSSL Engine support
 
-# These options can be used to load OpenSSL engines.
 
+# These options can be used to load OpenSSL engines in special or legacy
 
+# modes.
 
 # The two engines that are supported currently are shown below:
 
 # They are both from the opensc project (http://www.opensc.org/)
 
-# By default no engines are loaded.
 
+# By default the PKCS#11 engine is loaded if the client_cert or
 
+# private_key option appear to be a PKCS#11 URI, and these options
 
+# should not need to be used explicitly.
 
 # make the opensc engine available
 
 #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
 
 # make the pkcs11 engine available
 
@@ -480,6 +483,10 @@ fast_reauth=1
 
 #	(EAP-TLS). Full path to the file should be used since working
 
 #	directory may change when wpa_supplicant is run in the background.
 
 #
 
+#	Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
 
+#
 
+#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
 
+#
 
 #	Alternatively, a named configuration blob can be used by setting
 
 #	this to blob://blob_name.
 
 #
 
@@ -490,6 +497,9 @@ fast_reauth=1
 
 #	used since working directory may change when wpa_supplicant is run
 
 #	in the background.
 
 #
 
+#	Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
 
+#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
 
+#
 
 #	Windows certificate store can be used by leaving client_cert out and
 
 #	configuring private_key in one of the following formats:
 
 #
 
@@ -1587,22 +1597,10 @@ network={
 
 	group=CCMP TKIP
 
 	identity="user@example.com"
 
 	ca_cert="/etc/cert/ca.pem"
 
-	client_cert="/etc/cert/user.pem"
 
-
 
-	engine=1
 
-
 
-	# The engine configured here must be available. Look at
 
-	# OpenSSL engine support in the global section.
 
-	# The key available through the engine must be the private key
 
-	# matching the client certificate configured above.
 
-
 
-	# use the opensc engine
 
-	#engine_id="opensc"
 
-	#key_id="45"
 
 
-	# use the pkcs11 engine
 
-	engine_id="pkcs11"
 
-	key_id="id_45"
 
+	# Certificate and/or key identified by PKCS#11 URI (RFC7512)
 
+	client_cert="pkcs11:manufacturer=piv_II;id=%01"
 
+	private_key="pkcs11:manufacturer=piv_II;id=%01"
 
 
 	# Optional PIN configuration; this can be left out and PIN will be
 
 	# asked through the control interface