Bug 1172247

Summary: RFE: Accept standard PKCS#11 URIs
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: wpa_supplicant
Assignee: Lubomir Rintel <lkundrak>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: dcbw, stefw
Doc Type: Bug Fix
Last Closed: 2016-03-01 08:21:24 UTC
Type: Bug
Bug Depends On: 1173552    
Bug Blocks: 1173546    

Description David Woodhouse 2014-12-09 17:15:30 UTC
It looks like wpa_supplicant can use keys from a PKCS#11 token. However, the example configuration at http://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf looks very odd.

It ought to be using p11-kit to know which PKCS#11 modules to load (or maybe just load p11-kit-proxy.so), and it ought to just take a simple PKCS#11 URI as a configuration option, instead of all that other stuff.

Comment 1 David Woodhouse 2014-12-09 21:57:55 UTC
FWIW here's a proof-of-concept patch to the OpenSSL PKCS#11 ENGINE to make it work properly: http://sourceforge.net/p/opensc/mailman/message/33132605/

Comment 2 David Woodhouse 2014-12-18 15:24:47 UTC
Patches at 
http://lists.shmoo.com/pipermail/hostap/2014-December/031550.html

With the engine_pkcs11 fixes from bug 1173552, this now works:

 client_cert="pkcs11:token=NSS%20Certificate%20DB;id=%01%7d%45%ee%34%e9%75%3d%1a%aa%fb%44%a4%03%05%fb%06%11%97%01;object-type=cert"
 private_key="pkcs11:token=NSS%20Certificate%20DB;id=%01%7d%45%ee%34%e9%75%3d%1a%aa%fb%44%a4%03%05%fb%06%11%97%01;object-type=private"
 pin="foobar"
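
An added example (not part of the original comment and not wpa_supplicant code): a small Python check that decodes the two PKCS#11 URIs from the settings above and confirms they name the same token and object id with the expected object types. The function names are hypothetical, and only the path attributes of the URI are parsed.

```python
from urllib.parse import unquote_to_bytes

# The two URIs exactly as given in the comment above.
_OBJ = ("pkcs11:token=NSS%20Certificate%20DB;"
        "id=%01%7d%45%ee%34%e9%75%3d%1a%aa%fb%44%a4%03%05%fb%06%11%97%01;")
CLIENT_CERT = _OBJ + "object-type=cert"
PRIVATE_KEY = _OBJ + "object-type=private"

def parse_pkcs11_uri(uri):
    """Return {attribute name: percent-decoded bytes} for the URI's path part."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path = rest.partition("?")[0]          # drop any query part (pin-source etc.)
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:
            raise ValueError(f"malformed or repeated attribute: {part!r}")
        # 'id' is arbitrary binary, so every value is kept as bytes.
        attrs[name] = unquote_to_bytes(value)
    return attrs

def check_pair(client_cert, private_key):
    """List mismatches between the two URIs; an empty list means consistent."""
    cert = parse_pkcs11_uri(client_cert)
    key = parse_pkcs11_uri(private_key)
    problems = []
    # RFC 7512 names this attribute 'type'; the URIs in the comment use
    # 'object-type'. This example accepts either spelling.
    for label, attrs, want in (("client_cert", cert, b"cert"),
                               ("private_key", key, b"private")):
        got = attrs.get("type", attrs.get("object-type"))
        if got != want:
            problems.append(f"{label}: object type {got!r}, expected {want!r}")
    for name in ("token", "id"):
        if cert.get(name) != key.get(name):
            problems.append(f"{name} differs between client_cert and private_key")
    return problems

if __name__ == "__main__":
    print(parse_pkcs11_uri(CLIENT_CERT)["id"].hex())
    print(check_pair(CLIENT_CERT, PRIVATE_KEY) or "consistent")
```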

Comment 3 David Woodhouse 2015-04-27 12:39:51 UTC
These patches are in the 2.4 release.

Comment 4 Fedora Admin XMLRPC Client 2015-10-14 14:50:11 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 5 David Woodhouse 2016-03-01 08:21:24 UTC
I think if I assign this to Fedora 23 we can close it as fixed. This should all basically just work if you give a PKCS#11 URI to wpa_supplicant, I believe.

All we need is to fix NetworkManager to allow us to do so... :)