Certificate Signing Request generation with tpm2-pkcs11
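#!/bin/bash
# Provision a tpm2-pkcs11 token, create an RSA key inside the TPM and emit a
# CSR for it through the OpenSSL pkcs11 engine; finishes by writing a
# wpa_supplicant EAP-TLS snippet that references the key by PKCS#11 URL.
# Needs: tpm2-tools, tpm2-pkcs11 (tpm2_ptool), p11-kit, gnutls p11tool,
# expect, openssl with the pkcs11 engine, and access to /dev/tpmrm0.
# NOTE: -x traces every command to stderr, PIN arguments included.
set -euxo pipefail
# One TCTI string for both tpm2-tools and the tpm2-pkcs11 library (the kernel
# resource-manager node rather than the raw /dev/tpm0 device).
readonly TPM_TCTI="device:/dev/tpmrm0"
export TPM2TOOLS_TCTI="${TPM_TCTI}"
export TPM2_PKCS11_TCTI="${TPM_TCTI}"
#export TPM2_PKCS11_LOG_LEVEL=2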
#######################################
# Print the handles the TPM currently holds, one tpm2_getcap query per class:
# transient objects, saved sessions, loaded sessions. Not called by the rest
# of this script; kept as a debugging helper.
# Globals:   TPM2TOOLS_TCTI (consumed by tpm2_getcap)
# Arguments: none
# Outputs:   tpm2_getcap output on stdout
# Returns:   status of the last tpm2_getcap call
#######################################
tpm2_print_handles () {
  local -a classes=(transient saved-session loaded-session)
  local cls
  for cls in "${classes[@]}"; do
    tpm2_getcap "handles-${cls}"
  done
}
#######################################
# Release what the TPM holds in volatile storage: transient objects, saved
# sessions and loaded sessions, one tpm2_flushcontext call per class. Not
# called by the rest of this script; kept as a debugging helper.
# Globals:   TPM2TOOLS_TCTI (consumed by tpm2_flushcontext)
# Arguments: none
# Outputs:   whatever tpm2_flushcontext prints
# Returns:   status of the last tpm2_flushcontext call
#######################################
tpm2_flush_handles () {
  local -a classes=(transient-object saved-session loaded-session)
  local cls
  for cls in "${classes[@]}"; do
    tpm2_flushcontext "--${cls}"
  done
}
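# Destructive: resets the TPM owner hierarchy, so every key previously stored
# under it is lost, then discards the tpm2-pkcs11 store so the token below is
# built from scratch.
tpm2_clear
# -f: the store does not exist on a first run; without it set -e stops here.
rm -f -- tpm2_pkcs11.sqlite3
tpm2_ptool init
# Demo PINs. They are visible in the set -x trace and are written into the
# wpa_supplicant config at the end of this script.
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=label
tpm2_ptool addkey --algorithm=rsa2048 --label=label --userpin=myuserpin
# Same TCTI the top of the script exports for the library, kept in one place.
tpm2_ptool config --key tcti --value "${TPM2_PKCS11_TCTI}" --label label
p11-kit list-modules
# PKCS#11 URL of the token just created. With pipefail a non-matching grep
# fails the assignment and set -e stops the script, so TOKEN is never empty
# past this line.
TOKEN=$(p11tool --list-token-urls | grep "token=label")
# Log in and list the token's objects; expect answers the PIN prompt.
# (p11tool also reads the PIN from the GNUTLS_PIN environment variable, which
# would remove the expect dependency.)
expect <(cat <<EOF
spawn p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
expect "Enter PIN: "
send -- "myuserpin\r"
interact
EOF
)
# Per-run tag for the output files. RANDOM is reseeded from the PID, so the
# tag repeats for a given PID; it is only a filename suffix, not a secret.
RANDOM=$$
ID=${RANDOM}
# Private-key URL: second field of the listing line that mentions "private"
# (expected to be the key's pkcs11: URL). Fail loudly rather than continue
# with an empty KEY.
KEY=$(awk '/private/ { print $2 }' p11tool.out)
if [[ -z "${KEY}" ]]; then
  printf 'no private key URL found in p11tool.out\n' >&2
  exit 1
fi
SUBJ="/C=FR/ST=Radius/L=Somewhere/O=Example Inc./CN=testing-${ID}/emailAddress=testing-${ID}@123.com"
# pin-value puts the PIN on the command line (visible in ps and the trace);
# pin-source=file:<path> in the key URL avoids that where the engine supports it.
openssl req -new -engine pkcs11 -keyform engine -key "${KEY};pin-value=myuserpin" -subj "${SUBJ}" -out "client-${ID}.csr"
# Sign CSR in RADIUS Server with openssl
#
# cd /etc/raddb/certs
# openssl ca \
# -batch -keyfile ./ca.key -cert ./ca.pem -passin pass:whatever \
# -in client-${ID}.csr -out client-${ID}.crt \
# -extensions xpclient_ext -extfile xpextensions \
# -config client.cnf
# The config embeds the user PIN, so create it readable by the owner only.
CONF="wpa_supplicant-${ID}.conf"
(
  umask 077
  cat <<EOF > "${CONF}"
network={
ssid="SSID"
key_mgmt=WPA-EAP
eap=TLS
identity="testing"
ca_cert="./ca.pem"
client_cert="./client-${ID}.crt"
private_key="${KEY}"
pin="myuserpin"
}
EOF
)
printf 'wpa_supplicant -c %s -i wlp1s0\n' "${CONF}"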

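#!/bin/bash
# Build and install pinned releases of the tpm2 stack from already-cloned
# source trees (./tpm2-tss, ./tpm2-tools, ./tpm2-pkcs11) into /usr/local.
# Run from the directory holding the three checkouts, as a user allowed to
# write /usr/local. `git clean -fxd` discards every untracked and ignored
# file in each tree, so keep no local work there.
# Fixes: the original shebang lacked the "!" and the `a && b && c` chains do
# not stop the script under set -e when an early step fails.
set -euxo pipefail

#######################################
# Check out a tag in a source tree and build/install it, in a subshell so the
# caller's working directory is untouched even if a step fails.
# Arguments: $1 - directory of the checkout
#            $2 - tag to build
# Returns:   non-zero if any step fails (set -e is inherited by the subshell)
#######################################
build_release() {
  local dir=$1 tag=$2
  (
    cd -- "$dir"
    git clean -fxd
    # A tag pins the version but does not authenticate it; if the project
    # signs its release tags, run `git verify-tag "$tag"` before building.
    git checkout "$tag"
    ./bootstrap
    ./configure
    make -j4
    make install
  )
}

build_release tpm2-tss 2.3.0

# Later configure runs must find the freshly installed tss .pc files.
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/

build_release tpm2-tools 4.0.1

build_release tpm2-pkcs11 1.0
# tpm2_ptool lives in the tools/ subdirectory as a Python package.
( cd -- tpm2-pkcs11/tools && python3 setup.py install )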
[root@localhost ~]# ldd /usr/lib64/pkcs11/libtpm2_pkcs11.so
        linux-vdso.so.1 (0x00007ffe2f3e7000)
        libtss2-esys.so.0 => /usr/local/lib/libtss2-esys.so.0 (0x00007f95a2714000)
        libtss2-sys.so.0 => /usr/local/lib/libtss2-sys.so.0 (0x00007f95a26eb000)
        libtss2-mu.so.0 => /usr/local/lib/libtss2-mu.so.0 (0x00007f95a26a3000)
        libtss2-tctildr.so.0 => /usr/local/lib/libtss2-tctildr.so.0 (0x00007f95a269a000)
        libtss2-rc.so.0 => /usr/local/lib/libtss2-rc.so.0 (0x00007f95a2690000)
        libsqlite3.so.0 => /lib64/libsqlite3.so.0 (0x00007f95a2571000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f95a228f000)
        libyaml-0.so.2 => /lib64/libyaml-0.so.2 (0x00007f95a226d000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f95a2267000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f95a2246000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f95a2080000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f95a27d5000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f95a1f3a000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f95a1f1e000)
