Configuring WPA supplicant to use tpm2 pkcs11 tools

0

I would like to configure WPA supplicant to authenticate with TPM 2.0 managed certificate in order to connect to company network.

I created RSA keypair managed by my TPM, generated CSR and recieved a certificate signed by company's CA. Now I need to configure WPA supplicant to use this certificate and found only 1 example which is valid for TPM 1.0:

https://w1.fi/cgit/hostap/plain/wpa_supplicant/examples/openCryptoki.conf

# EAP-TLS using private key and certificates via OpenSSL PKCS#11 engine and
# openCryptoki (e.g., with TPM token)

# This example uses following PKCS#11 objects:
# $ pkcs11-tool --module /usr/lib/opencryptoki/libopencryptoki.so  -O -l
# Please enter User PIN:
# Private Key Object; RSA
#   label:      rsakey
#   ID:         04
#   Usage:      decrypt, sign, unwrap
# Certificate Object, type = X.509 cert
#   label:      ca
#   ID:         01
# Certificate Object, type = X.509 cert
#   label:      cert
#   ID:         04

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opencryptoki/libopencryptoki.so

network={
    ssid="test network"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="User"

    # use OpenSSL PKCS#11 engine for this network
    engine=1
    engine_id="pkcs11"

    # select the private key and certificates based on ID (see pkcs11-tool
    # output above)
    key_id="4"
    cert_id="4"
    ca_cert_id="1"

    # set the PIN code; leave this out to configure the PIN to be requested
    # interactively when needed (e.g., via wpa_gui or wpa_cli)
    pin="123456"
}

When I change paths to pkcs11_engine_path and pkcs11_module_path to TPM 2.0 compatible utils, how to use my cert in this configuration? Should I make it managed by TPM too and how?

Thanks in advance for any help.

Jiří Malák

Posted 2019-12-16T10:23:39.060

Reputation: 5

Answers

1

You don't need TPM-specific PKCS#11 examples – they work like any other PKCS#11 module. If you can get it working with a Yubikey or SoftHSM2, then it should be exactly the same with tpm2-pkcs11.

Yes, many programs expect the certificate to be accessible through the same PKCS#11 module as the corresponding key. Ability to import certificates was actually added to tpm2-pkcs11 just a few days ago. (And if you're planning to build from Git master, beware that the DB format has also changed.)

However, wpa_supplicant (if using OpenSSL) now recognizes "pkcs11:" URIs and automatically loads engine_pkcs11; you no longer need to use the engine= or key_id= options. Instead you can use:

network={
    ssid="test network"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="User"
    client_cert="pkcs11:model=NPCT75x;token=JM;object=myfirstcert;type=certificate"
    private_key="pkcs11:model=NPCT75x;token=JM;object=myfirstcert;type=private"
}

So in theory this should allow you to specify a local file path as client certificate, while still using a token URI for the private key.

user1686

Posted 2019-12-16T10:23:39.060

Reputation: 283 655

Asked: 2019-12-16T10:23:39.060

Viewed: 57 times

Active: 2019-12-16T10:40:03.763