Some random notes of mine on setting up an environment for testing and developing the PKCS#11 support.

If you don't want to bother setting up your own CA, look into /usr/share/doc/openvpn/sample/sample-keys.

Set up the AP

Edit interface, hw_mode, channel and ssid in /etc/hostapd/hostapd.conf, then add:

ieee8021x=1

wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP TKIP

eap_server=1
ca_cert=/etc/pki/ca.crt
server_cert=/etc/pki/server.crt
private_key=/etc/pki/server.key
private_key_passwd=123456

Allow any user identity by putting this into /etc/hostapd.eap_user (the file that eap_user_file in hostapd.conf points to):

*               PEAP,TTLS,TLS

Set up the token

Here's how it would look with SoftHSM, if you decided to import an existing key instead of generating a new one in the token and getting a certificate signed for it.

$ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so \
        --init-token --label test-token
$ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so \
        --login --init-pin
$ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so \
        --login --label client --type privkey --write-object /etc/pki/client.key
$ openssl x509 -in /etc/pki/client.crt -outform der -out /etc/pki/client.der
$ pkcs11-tool --module /usr/lib64/pkcs11/libsofthsm2.so \
        --login --label client --type cert --write-object /etc/pki/client.der

XXX: You could also use p11tool. But how do you import a certificate there?

Set up NetworkManager client

$ nmcli c add \
        connection.type 802-11-wireless \
        connection.interface-name wlan0 \
        connection.id wlan \
        ipv6.method link-local \
        ipv4.method link-local \
        802-11-wireless.ssid wlan \
        802-11-wireless-security.key-mgmt wpa-eap \
        802-1x.eap tls \
        802-1x.identity user@example.com \
        802-1x.client-cert 'file:///etc/pki/client.crt' \
        802-1x.private-key 'pkcs11:token=test-token;object=client;type=private' \
        802-1x.private-key-password 123456

XXX: Note the pin-value attribute. It is needed there to work around a libp11 bug; a similar bug exists in p11-kit.

XXX: The client cert is in a file, since with the libp11 engine no more than one PKCS#11 object can be used, due to a bug.
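The 802-1x.private-key value above is an RFC 7512 PKCS#11 URI. As an added example (not code from this page, NetworkManager or libp11), here is a small parser for that format which also reports whether a PIN is carried in-band via pin-value; the page's own URI is the input, and the pin-value variant is constructed.

```python
"""RFC 7512 PKCS#11 URI parsing for the 802-1x.private-key value used above.

Added example, not code from the wiki page or from NetworkManager/libp11.
The first URI below is the page's own; the pin-value variant is constructed.
"""
from urllib.parse import unquote

# Attribute names RFC 7512 defines.  Path attributes (before '?', ';'-separated)
# identify the object; query attributes (after '?', '&'-separated) say how to
# reach and unlock it.  For leniency, a known name is accepted in either part.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
KNOWN_ATTRS = PATH_ATTRS | QUERY_ATTRS


def parse_pkcs11_uri(uri):
    """Return a dict of percent-decoded attributes; ValueError on a malformed URI.

    Values are decoded as text; the binary 'id' attribute would need
    urllib.parse.unquote_to_bytes instead."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep in ((path_part, ";"), (query_part, "&")):
        for item in part.split(sep):
            if not item:
                continue
            name, eq, value = item.partition("=")
            if not eq or name not in KNOWN_ATTRS:
                raise ValueError("unknown or malformed attribute: %r" % item)
            if name in attrs:  # RFC 7512: an attribute must not be repeated
                raise ValueError("duplicate attribute: %s" % name)
            attrs[name] = unquote(value)
    return attrs


def embedded_pin(uri):
    """Return the PIN if the URI carries it in-band via pin-value, else None.

    A pin-value travels with the URI into the connection profile on disk, so
    anyone reviewing NetworkManager keyfiles will want to spot it."""
    return parse_pkcs11_uri(uri).get("pin-value")


if __name__ == "__main__":
    page_uri = "pkcs11:token=test-token;object=client;type=private"
    print(parse_pkcs11_uri(page_uri))
    print(embedded_pin(page_uri + "?pin-value=123456"))  # constructed variant
```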

An alternative PKCS#11 OpenSSL module exists, but it needs wpa_supplicant patched to use the "p11-kit" engine instead of "pkcs11": https://github.com/NetworkManager/p11-kit-openssl-engine

LubomirRintel/NMPkcs11 (last edited 2017-02-16 17:47:47 by LubomirRintel)