X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=wpa_supplicant%2Fwpa_supplicant.conf;h=1d86a71f96747311ff8fe279af6de49fc15d52e8;hb=50a17a76e11bc30f01a67d353146aeb3e47baf4a;hp=3d34bc04b2e468262c54d3756b3b1472b615479e;hpb=c86bef2913a6aa9947d45e8d28bb0539c2d5c25c;p=mech_eap.git
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 3d34bc0..1d86a71 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -168,10 +168,13 @@ ap_scan=1
 fast_reauth=1
 # OpenSSL Engine support
-# These options can be used to load OpenSSL engines.
+# These options can be used to load OpenSSL engines in special or legacy
+# modes.
 # The two engines that are supported currently are shown below:
 # They are both from the opensc project (http://www.opensc.org/)
-# By default no engines are loaded.
+# By default the PKCS#11 engine is loaded if the client_cert or
+# private_key option appear to be a PKCS#11 URI, and these options
+# should not need to be used explicitly.
 # make the opensc engine available
 #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
 # make the pkcs11 engine available
@@ -480,6 +483,10 @@ fast_reauth=1
 # (EAP-TLS). Full path to the file should be used since working
 # directory may change when wpa_supplicant is run in the background.
 #
+# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
+#
+# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
+#
 # Alternatively, a named configuration blob can be used by setting
 # this to blob://blob_name.
 #
@@ -490,6 +497,9 @@ fast_reauth=1
 # used since working directory may change when wpa_supplicant is run
 # in the background.
 #
+# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
+# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
+#
 # Windows certificate store can be used by leaving client_cert out and
 # configuring private_key in one of the following formats:
 #
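Review bot: The rewritten default in the `@@ -168,10 +168,13 @@` hunk says the PKCS#11 engine is loaded whenever client_cert or private_key looks like a PKCS#11 URI, but it does not say where that engine library is found when the path options below stay commented out. That library is loaded into the wpa_supplicant process, so an administrator auditing the configuration needs to know which file will be used; I would add one sentence stating the lookup location and that the path options can still pin a specific library. Separately, the verb should agree with the singular subject: `# private_key option appears to be a PKCS#11 URI, and these options`.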
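Review bot: The example added in the `@@ -480,6 +483,10 @@` hunk shows `private_key=` even though the sentence directly above it is about certificates. The surrounding comment appears to document the client certificate option, though its heading lies outside the hunk. Someone copying the line would configure only the key reference and might leave the certificate setting pointing at a file or unset. The line should read `# For example: client_cert="pkcs11:manufacturer=piv_II;id=%01"`. The identical example in the following hunk (`@@ -490,6 +497,9 @@`) is about keys and is correct as written.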
@@ -1587,22 +1597,10 @@ network={
 group=CCMP TKIP
 identity="user@example.com"
 ca_cert="/etc/cert/ca.pem"
- client_cert="/etc/cert/user.pem"
-
- engine=1
-
- # The engine configured here must be available. Look at
- # OpenSSL engine support in the global section.
- # The key available through the engine must be the private key
- # matching the client certificate configured above.
-
- # use the opensc engine
- #engine_id="opensc"
- #key_id="45"
- # use the pkcs11 engine
- engine_id="pkcs11"
- key_id="id_45"
+ # Certificate and/or key identified by PKCS#11 URI (RFC7512)
+ client_cert="pkcs11:manufacturer=piv_II;id=%01"
+ private_key="pkcs11:manufacturer=piv_II;id=%01"
 # Optional PIN configuration; this can be left out and PIN will be
 # asked through the control interface