Hardware PKCS#11 token login support for Wi-Fi 802.1x
Hi. I'm using a hardware token via libeTPkcs11.so for Wi-Fi 802.1x. It works when used directly in wpa_supplicant. It also works via the Network Manager GUI for OpenConnect VPN connections. But it does not work for Wi-Fi 802.1x connections.
I see three potential problems that may be at play here:
- Keys on those tokens are discoverable only after logging in to the token. nm-connection-editor does not see keys on the token, and "unlock" in the GUI hangs.
- Getting keys by URL with the pin-value parameter is impossible; login is still required.
- wpa_supplicant with the libeTPkcs11.so pkcs11 engine requires a TTY to enter the PIN.
Specifying keys and certs as 'pkcs11:' URLs manually via nmcli works, but getting the key during connection does not.
wpa_supplicant[11355]: wlp3s0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
wpa_supplicant[11355]: Unable to enumerate private keys
wpa_supplicant[11355]: Unable to check if already logged in
wpa_supplicant[11355]: Enter PKCS#11 token PIN for [Token name redacted]:
wpa_supplicant[11355]: UI_process failed
wpa_supplicant[11355]: No PIN code was entered
wpa_supplicant[11355]: Login to token failed, returning NULL...
wpa_supplicant[11355]: PKCS11_get_private_key returned NULL
wpa_supplicant[11355]: tls_connection_set_params: Clearing pending SSL error: error:2807106B:UI routines:UI_process:processing error
wpa_supplicant[11355]: tls_connection_set_params: Clearing pending SSL error: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
wpa_supplicant[11355]: ENGINE: cannot load private key with id 'pkcs11:model=eToken;[redacted];type=private?pin-value=' [error:820730B3:PKCS#11 module:pkcs11_is_logged_in:Session handle invalid]
wpa_supplicant[11355]: TLS: Failed to initialize engine
wpa_supplicant[11355]: TLS: Failed to set TLS connection parameters
wpa_supplicant[11355]: EAP-TLS: Failed to initialize SSL.
wpa_supplicant[11355]: wlp3s0: CTRL-REQ-PASSPHRASE-0:Private key passphrase needed for SSID KLCorp
wpa_supplicant[11355]: wlp3s0: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
Whatever the problem is, the Network Manager OpenConnect plugin solved it, so it might provide hints for a potential fix.
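As an added illustration (not code from NetworkManager, wpa_supplicant or the eToken module), the following Python parses the pkcs11: URI that appears in the ENGINE error line of the log according to RFC 7512 and classifies how the PIN is expected to be supplied. The log line it works on is a constructed sample modelled on the report, with the redacted token serial replaced by a placeholder; the helper names are this example's own.

```python
"""Inspect the PKCS#11 URI that NetworkManager hands to wpa_supplicant.

Added example (not NetworkManager or wpa_supplicant code). Attribute names
follow RFC 7512; the log line and URI below are constructed samples modelled
on the report, with the token serial replaced by a placeholder.
"""
import re
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 (path part and query part).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

# Constructed sample of the failing line; 'PLACEHOLDER' stands in for the
# redacted serial, and the empty pin-value is the symptom seen in the report.
SAMPLE_LOG_LINE = (
    "wpa_supplicant[11355]: ENGINE: cannot load private key with id "
    "'pkcs11:model=eToken;serial=PLACEHOLDER;id=%01;type=private?pin-value=' "
    "[error:820730B3:PKCS#11 module:pkcs11_is_logged_in:Session handle invalid]"
)


def extract_uri_from_engine_log(line):
    """Pull the quoted pkcs11: URI out of an 'ENGINE: cannot load' line."""
    m = re.search(r"id '(pkcs11:[^']*)'", line)
    return m.group(1) if m else None


def _split_attrs(part, sep):
    """Split 'a=b<sep>c=d' into a dict; reject malformed or duplicate items."""
    attrs = {}
    if part == "":
        return attrs
    for item in part.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute %r" % item)
        if name in attrs:
            raise ValueError("duplicate attribute %r" % name)
        attrs[name] = value
    return attrs


def parse_pkcs11_uri(uri):
    """Parse an RFC 7512 URI into {'path': {...}, 'query': {...}}.

    Path attributes are ';'-separated and query attributes '&'-separated,
    both percent-encoded. 'id' is binary (CKA_ID) and is kept as bytes.
    Vendor extensions are rejected here so that a misspelt attribute
    (for example 'pin_value') is reported instead of silently ignored.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path_raw = _split_attrs(path_part, ";")
    query_raw = _split_attrs(query_part, "&")
    unknown = (set(path_raw) - PATH_ATTRS) | (set(query_raw) - QUERY_ATTRS)
    if unknown:
        raise ValueError("unknown attribute(s): " + ", ".join(sorted(unknown)))
    path = {k: (unquote_to_bytes(v) if k == "id" else unquote(v))
            for k, v in path_raw.items()}
    query = {k: unquote(v) for k, v in query_raw.items()}
    return {"path": path, "query": query}


def pin_handling(parsed):
    """Classify how the consumer of this URI is expected to obtain the PIN.

    'embedded-pin'    pin-value carries the PIN inside the URI (and so inside
                      any config file or log that stores the URI)
    'pin-source'      pin-source points at a file or other PIN provider
    'empty-pin-value' pin-value is present but empty, the symptom in the
                      report: the engine falls back to prompting, which
                      fails without a TTY
    'interactive'     no PIN attribute; a prompt or a ctrl-interface request
                      (CTRL-REQ-PASSPHRASE) is needed
    Both attributes together are rejected rather than guessing precedence.
    """
    q = parsed["query"]
    if "pin-value" in q and "pin-source" in q:
        raise ValueError("both pin-value and pin-source given")
    if "pin-value" in q:
        return "empty-pin-value" if q["pin-value"] == "" else "embedded-pin"
    if "pin-source" in q:
        return "pin-source"
    return "interactive"


def diagnose(log_line):
    """Log line -> PIN-handling classification, or None if no URI is present."""
    uri = extract_uri_from_engine_log(log_line)
    if uri is None:
        return None
    return pin_handling(parse_pkcs11_uri(uri))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE))  # empty-pin-value
```

Running it against the sample line returns "empty-pin-value": the URI was built with a pin-value attribute but no PIN, so the engine falls back to prompting, which cannot succeed inside a non-interactive daemon. Note that a filled-in pin-value places the PIN in plaintext wherever the URI is stored or logged, so pin-source or answering the CTRL-REQ-PASSPHRASE request over the control interface is the safer way to supply it.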