It looks like wpa_supplicant can use keys from a PKCS#11 token. However, the example configuration at http://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf looks very odd. It ought to be using p11-kit to know which PKCS#11 modules to load (or maybe just load p11-kit-proxy.so), and it ought to just take a simple PKCS#11 URI as a configuration option, instead of all that other stuff.
FWIW here's a proof-of-concept patch to the OpenSSL PKCS#11 ENGINE to make it work properly: http://sourceforge.net/p/opensc/mailman/message/33132605/
Patches at http://lists.shmoo.com/pipermail/hostap/2014-December/031550.html With the engine_pkcs11 fixes from bug 1173552, this now works: client_cert="pkcs11:token=NSS%20Certificate%20DB;id=%01%7d%45%ee%34%e9%75%3d%1a%aa%fb%44%a4%03%05%fb%06%11%97%01;object-type=cert" private_key="pkcs11:token=NSS%20Certificate%20DB;id=%01%7d%45%ee%34%e9%75%3d%1a%aa%fb%44%a4%03%05%fb%06%11%97%01;object-type=private" pin="foobar"
These patches are in the 2.4 release.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I think if I assign this to Fedora 23 we can close it as fixed. This should all basically just work if you give a PKCS#11 URI to wpa_supplicant, I believe. All we need is to fix NetworkManager to allow us to do so... :)