Certificate Signing Request generation with tpm2-pkcs11
#!/bin/bash
# Provision a tpm2-pkcs11 token, generate an RSA key inside the TPM and emit a CSR
# for it, then write a matching wpa_supplicant EAP-TLS profile.
#
# Strict mode: stop on the first failing command, unset variable or failing
# pipeline stage. -x traces every command to stderr, argv included, so the PINs
# passed on the command line further down will show up in that trace.
set -euxo pipefail
# Both tpm2-tools and the tpm2-pkcs11 module go through the kernel TPM resource
# manager rather than the raw device.
export TPM2TOOLS_TCTI="device:/dev/tpmrm0" TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
#export TPM2_PKCS11_LOG_LEVEL=2
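#######################################
# Print the handles the TPM currently holds, one tpm2_getcap query per class.
# Globals:   none (the loop variable is local so it no longer leaks as "i")
# Arguments: none
# Outputs:   tpm2_getcap output for handles-transient, handles-saved-session
#            and handles-loaded-session, in that order, on stdout
# Returns:   status of the last tpm2_getcap call
#######################################
tpm2_print_handles () {
  local handle_class
  for handle_class in transient saved-session loaded-session; do
    tpm2_getcap "handles-${handle_class}"
  done
}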
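#######################################
# Flush every transient object and saved/loaded session from the TPM.
# Globals:   none (the loop variable is local so it no longer leaks as "i")
# Arguments: none
# Outputs:   whatever tpm2_flushcontext prints
# Returns:   status of the last tpm2_flushcontext call
#######################################
tpm2_flush_handles () {
  local context_class
  for context_class in transient-object saved-session loaded-session; do
    tpm2_flushcontext "--${context_class}"
  done
}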
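# --- Provisioning: start from a wiped TPM and an empty token store -------------
# tpm2_clear resets the TPM hierarchies and destroys every key rooted in them;
# only run this script against a TPM you are entitled to wipe.
tpm2_clear
# Remove the previous run's tpm2-pkcs11 store so `tpm2_ptool init` starts fresh.
# -f keeps a first run (no store yet) from aborting under set -e; the store is
# presumably the one in the cwd — confirm against TPM2_PKCS11_STORE if it differs.
rm -f -- tpm2_pkcs11.sqlite3
# Demo credentials. The SO PIN and user PIN are hard-coded for reproducibility and
# travel on argv, so they are visible in `ps` and in the set -x trace; for anything
# beyond a lab run supply them from the environment or a file instead.
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=mysopin --userpin=myuserpin --label=label
tpm2_ptool addkey --algorithm=rsa2048 --label=label --userpin=myuserpin
tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label label
p11-kit list-modules
# pkcs11: URL of the token we just created; grep exits non-zero (and set -e aborts)
# when no token with label "label" is listed.
TOKEN=$(p11tool --list-token-urls | grep "token=label")
# p11tool prompts for the PIN on its tty, so drive it with expect; the object list
# (including the private key URL) lands in p11tool.out.
expect <(cat <<EOF
spawn p11tool --login --list-all "${TOKEN}" --outfile p11tool.out
expect "Enter PIN: "
send -- "myuserpin\r"
interact
EOF
)
# Per-run identifier used in the CSR, certificate and config file names. RANDOM is
# seeded with the PID, so the value is merely distinct per run, not unpredictable —
# do not treat it as a secret.
RANDOM=$$
ID=${RANDOM}
# pkcs11: URL of the private key: second column of the "private" line in p11tool.out.
KEY=$(grep private p11tool.out | awk '{ print $2 }')
SUBJ="/C=FR/ST=Radius/L=Somewhere/O=Example Inc./CN=testing-${ID}/emailAddress=testing-${ID}@123.com"
# The PIN rides in the key URL (pin-value=) so the pkcs11 engine can log in
# non-interactively; the same argv/trace exposure as above applies.
openssl req -new -engine pkcs11 -keyform engine -key "${KEY};pin-value=myuserpin" -subj "${SUBJ}" -out "client-${ID}.csr"
# Sign CSR in RADIUS Server with openssl
#
# cd /etc/raddb/certs
# openssl ca \
# -batch -keyfile ./ca.key -cert ./ca.pem -passin pass:whatever \
# -in client-${ID}.csr -out client-${ID}.crt \
# -extensions xpclient_ext -extfile xpextensions \
# -config client.cnf
# wpa_supplicant EAP-TLS profile that points at the TPM-resident key. The user PIN
# is stored in clear text in this file, so it is written with mode 0600 (umask is
# changed only inside the subshell).
(
  umask 077
  cat <<EOF > "wpa_supplicant-${ID}.conf"
network={
ssid="SSID"
key_mgmt=WPA-EAP
eap=TLS
identity="testing"
ca_cert="./ca.pem"
client_cert="./client-${ID}.crt"
private_key="${KEY}"
pin="myuserpin"
}
EOF
)
printf '%s\n' "wpa_supplicant -c wpa_supplicant-${ID}.conf -i wlp1s0"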