From d9521c74385a08b0d4c21619dc816b5c362363d9 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 23 May 2008 19:41:05 +0300
Subject: [PATCH] Example configuration for EAP-TLS authentication using
PKCS#11 TPM token
---
wpa_supplicant/examples/openCryptoki.conf | 41 +++++++++++++++++++++++
www/wpa_supplicant/index.html | 8 ++++-
2 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 wpa_supplicant/examples/openCryptoki.conf
diff --git a/wpa_supplicant/examples/openCryptoki.conf b/wpa_supplicant/examples/openCryptoki.conf
new file mode 100644
index 000000000..e2301a61c
--- /dev/null
+++ b/wpa_supplicant/examples/openCryptoki.conf
@@ -0,0 +1,41 @@
+# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
+# openCryptoki (e.g., with TPM token)
+
+# This example uses following PKCS#11 objects:
+# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so -O -l
+# Please enter User PIN:
+# Private Key Object; RSA
+# label: rsakey
+# ID: 04
+# Usage: decrypt, sign, unwrap
+# Certificate Object, type = X.509 cert
+# label: ca
+# ID: 01
+# Certificate Object, type = X.509 cert
+# label: cert
+# ID: 04
+
+# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
+pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
+pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so
+
+network={
+ ssid="test network"
+ key_mgmt=WPA-EAP
+ eap=TLS
+ identity="User"
+
+ # use OpenSSL PKCS#11 engine for this network
+ engine=1
+ engine_id="pkcs11"
+
+ # select the private key and certificates based on ID (see pkcs11-tool
+ # output above)
+ key_id="4"
+ cert_id="4"
+ ca_cert_id="1"
+
+ # set the PIN code; leave this out to configure the PIN to be requested
+ # interactively when needed (e.g., via wpa_gui or wpa_cli)
+ pin="123456"
+}
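Review bot: The `pin="123456"` line at the end of the network block stores the token PIN in cleartext in the same file that the accompanying index.html change says is meant to keep private keys out of the file system; anyone who can read this config can unlock the token's key, so the comment above the line should say so and point at the mitigation rather than only mentioning the interactive alternative. A suggested wording for the comment above `pin=` is `# set the PIN code here only if this file is readable solely by the user running wpa_supplicant; anyone who can read it can use the token's private key. Leave this out to have the PIN requested interactively when needed (e.g., via wpa_gui or wpa_cli)`. It may also help to note next to `key_id`/`cert_id` that the two IDs are expected to match because the key and its certificate were stored under the same ID (04) in the pkcs11-tool listing above, since a reader copying the example with a different token layout would otherwise not know why both are "4".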
diff --git a/www/wpa_supplicant/index.html b/www/wpa_supplicant/index.html
index 8db8249a5..e63c58e71 100644
--- a/www/wpa_supplicant/index.html
+++ b/www/wpa_supplicant/index.html
@@ -303,6 +303,12 @@ fields. In addition, simpler example configurations are available for
IEEE 802.1X with dynamic WEP (EAP-PEAP/MSCHAPv2),
WPA-PSK/TKIP, and
WPA2-EAP/CCMP (EAP-TLS).
+In addition, wpa_supplicant can use OpenSSL engine to avoid need for
+exposing private keys in the file system. This can be used for EAP-TLS
+authentication with smartcards and TPM tokens.
+Example configuration for using openCryptoki
+shows an example network block and related parameters for EAP-TLS
+authentication using PKCS#11 TPM token.
Feedback, comments, mailing list
@@ -350,7 +356,7 @@ Internet Systems Consortium (ISC).
Jouni Malinen
-Last modified: Sat Feb 23 15:47:15 PST 2008
+Last modified: Fri May 23 19:39:40 EEST 2008