tags:

views:

91

answers:

1
+1  Q: 

Listing certificates from a CAC without pin

I'm developing a CAC authentication app.

I'm running RHEL 5.5 and have a card reader attached to my machine. When I insert a smart card/CAC, there is a popup notification that comes on the upper right hand side on the window where the clock is and the "Smart Card Manager" GUI is accessible clicking on the icon (card with lock on it) that appears. With Smart Card Manager displayed I can view the list of certificates on the card as well as the details etc WITHOUT having to enter a pin.

Now, on the other hand when in my C++ code when I used nss libraries to get the slot and list certificate I cannot get the list of certificates without having to enter the pin.

What I would like to do is get the list of certificates off the card and present that list to the user in a dialog box ALONG with pin text field so that User can enter the pin and then select the certificate to use for authentication ALL IN ONE step instead of application having to display a separate dialog box for pin and then the popup for certificate selection but it seems like it's not possible using nss libraries but on the other hand smart card manager gui can easily do this. Can anone point me to the right direction as to if there a separate api I can use to get the list of certificates from CAC??? Thanks!

+1  A: 
  • Search the web for "friendly certs" or "publicly readable certs" feature/mechanism (0x1<<28 when loading the module) - by default NSS assumes that a PIN is needed before anything can be read from the token. Which is IMHO utter stupidity and keeping it as a default...
  • Be sure to take into account pinpad readers (protected authentication path in PKCS#11) as you hopefully will like to support better security for your users who have the capability. No PIN entry textbox should be shown when there is a pinpad reader attached.
martin  2010-07-08 20:45:47
martin, thanks for the reply. I must admit that I'm sorta newbie to c++ and nss api so I don't know what (0x1<<28 ) means. I'm loading module in my c++ program using this method: module = SECMOD_LoadUserModule(moduleSpecName, NULL, PR_TRUE);How do I set this flag using above method?There is no pinpad involved in my app. this is a linux logon app. Thanks!
azm882  2010-07-09 15:46:16
From https://developer.mozilla.org/en/PKCS11_Module_Specs:slotParams - space separated list of name/value pairs where the name is a slotID and the value is a space sparated list of parameters related to that slotID. Valid slotParams values are:slotFlags - comma separated list of cipher groups which this slot is expected to be the default implementation for (case-insensitive). Valid flags are:PublicCerts
martin  2010-07-11 10:04:34
in case someone is looking for specifics, following worked in my case:static char moduleName[] = "library=\"/usr/lib/pkcs11/libcoolkeypk11.so\" name=\"SmartCard\" NSS=\"slotParams={0x1=[slotFlags='PublicCerts']}\"";module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);
azm882  2010-07-19 17:05:47

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS