On Thu, 2019-03-14 at 09:19 -0700, Andersen, John wrote:
> Sweet! I'd been working on this too, I just got the hostapd / wpa_supplicant
> test stuff working and was going to try setting
> pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
>
> To the tpm2-software/tpm2-pkcs11 library.
>
> From the amount of changes it took you, it seems like your approach is cleaner,
> so, out of curiosity, what was your rationale for going with this approach? I
> was going to try the pkcs11 way because I came across
>
> https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf
>
> But, I haven't gotten to it yet as I got sidetracked right after I got the tests
> up and running.

If you are using the TPMv2 PKCS#11 token (or indeed any PKCS#11 token) and it's
installed correctly, it ought to Just Work. You should be able to just give a
PKCS#11 URI in place of a filename for any key or certificate, and any
well-behaved application will do the right thing.

I believe wpa_supplicant meets that definition of "well-behaved application", by
automatically using the PKCS#11 ENGINE when the "filename" it's given is actually
a PKCS#11 URI. (Except for the fact that all ENGINE loading is broken in
wpa_supplicant right now because the init call was removed, as noted.)
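The configuration the reply describes, as an added example that is not part of the thread or of the hostap project's own examples: an EAP-TLS network block in wpa_supplicant.conf where client_cert and private_key are RFC 7512 PKCS#11 URIs rather than file paths, backed by the tpm2-pkcs11 module through engine_pkcs11. The engine and module paths, the token label "tpm2-token", the object label "host01", the SSID, identity and PIN are all assumptions for illustration; the engine path is the one John quoted above.

```conf
# Added example (not from the thread): wpa_supplicant.conf for EAP-TLS with
# the key and certificate held in a TPM2-backed PKCS#11 token.
# All paths, labels and the PIN below are assumptions for illustration.

ctrl_interface=/var/run/wpa_supplicant

# OpenSSL ENGINE glue (engine_pkcs11 from OpenSC/libp11) and the PKCS#11
# module it should load. Both paths are assumptions for this example.
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pkcs11_module_path=/usr/lib/libtpm2_pkcs11.so

network={
    ssid="corp-eap-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="host01@example.com"

    # The CA certificate can stay an ordinary file on disk.
    ca_cert="/etc/ssl/certs/corp-ca.pem"

    # PKCS#11 URIs in place of file names. wpa_supplicant recognises the
    # "pkcs11:" prefix and loads the object through the PKCS#11 ENGINE
    # instead of opening a file. Assumed token and object labels.
    client_cert="pkcs11:token=tpm2-token;object=host01;type=cert"
    private_key="pkcs11:token=tpm2-token;object=host01;type=private"

    # User PIN for the token (wpa_supplicant's smartcard PIN field).
    # Placeholder value; protect the config file accordingly.
    pin="123456"
}
```

Before relying on a URI, confirm the token actually exposes the objects under those labels (for example with p11tool --list-all or pkcs11-tool -O against the same module) and paste the URI the tool prints rather than typing one by hand; label and token fields are percent-encoded per RFC 7512, so a hand-written URI can silently fail to match. Note the caveat in the reply: with the ENGINE init call removed from wpa_supplicant at the time of this thread, this configuration would not load keys until that was fixed, regardless of how correct the URIs are.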
_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap