Doc update for wifi credentials library and EAP methods

doc/connectivity/networking/api/net_tech.rst

@@ -11,3 +11,4 @@ Networking Technologies
    thread.rst
    ppp.rst
    wifi.rst
+   wifi_credentials.rst

doc/connectivity/networking/api/wifi.rst

@@ -97,15 +97,44 @@ To facilitate installation of the certificates, a helper script is provided, see
 The script will install the certificates in the ``rsa2k`` directory to the TLS credentials store in the device over UART and using TLS credentials shell commands.
 
 
-To initiate Wi-Fi connection, the following command can be used:
+To initiate a Wi-Fi connection using enterprise security, use one of the following commands depending on the EAP method:
 
-.. code-block:: console
+* EAP-TLS
 
-    uart:~$ wifi connect -s <SSID> -c 149 -k 7 -w 2 -a client1 --key1-pwd whatever --key2-pwd whatever
+  .. code-block:: console
+
+     uart:~$ wifi connect -s <SSID> -c <channel> -k 7 -w 2 -a <Anonymous identity> --key1-pwd <Password EAP phase1> --key2-pwd <Password EAP phase2>
+
+* EAP-TTLS-MSCHAPV2
+
+  .. code-block:: console
+
+     uart:~$ wifi connect -s <SSID> -c <channel> -k 14 -K <Private key Password> --eap-id1 <Client Identity> --eap-pwd1 <Client Password> -a <Anonymous identity>
+
+* EAP-PEAP-MSCHAPV2
+
+  .. code-block:: console
+
+     uart:~$ wifi connect -s <SSID> -c <channel> -k 12 -K <Private key Password> --eap-id1 <Client Identity> --eap-pwd1 <Client Password> -a <Anonymous identity>
 
 Server certificate is also provided in the same directory for testing purposes.
 Any AAA server can be used for testing purposes, for example, ``FreeRADIUS`` or ``hostapd``.
 
+Certificate requirements for EAP methods
+----------------------------------------
+
+Different EAP methods have varying client-side certificate requirements, as outlined below:
+
+* EAP-TLS - Requires both a client certificate (and its private key) and a CA certificate on the client.
+            The client authenticates itself to the server using its certificate.
+
+* EAP-TTLS-MSCHAPV2 - Requires only the CA certificate on the client.
+                      The client authenticates to the server using a username and password <MSCHAPV2> inside the TLS tunnel.
+                      No client certificate is needed.
+
+* EAP-PEAP-MSCHAPV2 - Requires only the CA certificate on the client.
+                      Like TTLS, the client uses a username and password <MSCHAPV2> inside the TLS tunnel and does not require a client certificate.
+
 .. note::
 
     The certificates are for testing purposes only and should not be used in production.

doc/connectivity/networking/api/wifi_credentials.rst

@@ -0,0 +1,101 @@
+.. _lib_wifi_credentials:
+
+Wi-Fi credentials Library
+#########################
+
+.. contents::
+   :local:
+   :depth: 2
+
+The Wi-Fi credentials library provides means to load and store Wi-Fi® network credentials.
+
+Overview
+********
+
+This library uses either Zephyr's settings subsystem or Platform Security Architecture (PSA) Internal Trusted Storage (ITS) to store credentials.
+It also holds a list of SSIDs in RAM to provide dictionary-like access using SSIDs as keys.
+
+Configuration
+*************
+
+To use the Wi-Fi credentials library, enable the :kconfig:option:`CONFIG_WIFI_CREDENTIALS` Kconfig option.
+
+You can pick the backend using the following options:
+
+* :kconfig:option:`CONFIG_WIFI_CREDENTIALS_BACKEND_PSA` - Default option for non-secure targets, which includes a TF-M partition (non-minimal TF-M profile type).
+* :kconfig:option:`CONFIG_WIFI_CREDENTIALS_BACKEND_SETTINGS` - Default option for secure targets.
+
+To configure the maximum number of networks, use the :kconfig:option:`CONFIG_WIFI_CREDENTIALS_MAX_ENTRIES` Kconfig option.
+
+The IEEE 802.11 standard does not specify the maximum length of SAE passwords.
+To change the default, use the :kconfig:option:`CONFIG_WIFI_CREDENTIALS_SAE_PASSWORD_LENGTH` Kconfig option.
+
+Adding credentials
+******************
+
+You can add credentials using the :c:func:`wifi_credentials_set_personal` and :c:func:`wifi_credentials_set_personal_struct` functions.
+The former will build the internally used struct from given fields, while the latter takes the struct directly.
+If you add credentials with the same SSID twice, the older entry will be overwritten.
+
+Querying credentials
+********************
+
+With an SSID, you can query credentials using the :c:func:`wifi_credentials_get_by_ssid_personal` and :c:func:`wifi_credentials_get_by_ssid_personal_struct` functions.
+
+You can iterate over all stored credentials with the :c:func:`wifi_credentials_for_each_ssid` function.
+Deleting or overwriting credentials while iterating is allowed, since these operations do not change internal indices.
+
+Removing credentials
+********************
+
+You can remove credentials using the :c:func:`wifi_credentials_delete_by_ssid` function.
+
+Shell commands
+**************
+
+``wifi cred`` is an extension to the Wi-Fi command line.
+It adds the following subcommands to interact with the Wi-Fi credentials library:
+
+.. list-table:: Wi-Fi credentials shell subcommands
+   :header-rows: 1
+
+   * - Subcommands
+     - Description
+   * - add
+     - | Add a network to the credentials storage with following parameters:
+       | <-s --ssid \"<SSID>\">: SSID.
+       | [-c --channel]: Channel that needs to be scanned for connection. 0:any channel
+       | [-b, --band] 0: any band (2:2.4GHz, 5:5GHz, 6:6GHz)
+       | [-p, --passphrase]: Passphrase (valid only for secure SSIDs)
+       | [-k, --key-mgmt]: Key management type.
+       | 0:None, 1:WPA2-PSK, 2:WPA2-PSK-256, 3:SAE-HNP, 4:SAE-H2E, 5:SAE-AUTO, 6:WAPI,"
+       | " 7:EAP-TLS, 8:WEP, 9: WPA-PSK, 10: WPA-Auto-Personal, 11: DPP
+       | [-w, --ieee-80211w]: MFP (optional: needs security type to be specified)
+       | : 0:Disable, 1:Optional, 2:Required.
+       | [-m, --bssid]: MAC address of the AP (BSSID).
+       | [-t, --timeout]: Duration after which connection attempt needs to fail.
+       | [-a, --identity]: Identity for enterprise mode.
+       | [-K, --key-passwd]: Private key passwd for enterprise mode.
+       | [-h, --help]: Print out the help for the connect command.
+   * - delete <SSID>
+     - Removes network from credentials storage.
+   * - list
+     - Lists networks in credential storage.
+   * - auto_connect
+     - Automatically connects to any stored network.
+
+Limitations
+***********
+
+The library has the following limitations:
+
+* Although permitted by the IEEE 802.11 standard, this library does not support zero-length SSIDs.
+* Wi-Fi Protected Access (WPA) Enterprise credentials are only partially supported.
+* The number of networks stored is fixed compile time.
+
+API documentation
+*****************
+
+The following section provides an overview and reference for the Wi-Fi credentials API available in Zephyr:
+
+.. doxygengroup:: wifi_credentials