views:

91

answers:

1

I'm developing a CAC authentication app.

I'm running RHEL 5.5 and have a card reader attached to my machine. When I insert a smart card/CAC, a popup notification appears in the upper right-hand corner of the screen where the clock is, and the "Smart Card Manager" GUI is accessible by clicking on the icon (a card with a lock on it) that appears. With Smart Card Manager displayed I can view the list of certificates on the card as well as their details etc. WITHOUT having to enter a PIN.

On the other hand, when I use the NSS libraries in my C++ code to get the slot and list the certificates, I cannot get the list of certificates without having to enter the PIN.

What I would like to do is get the list of certificates off the card and present that list to the user in a dialog box ALONG with a PIN text field, so that the user can enter the PIN and then select the certificate to use for authentication ALL IN ONE step, instead of the application having to display a separate dialog box for the PIN and then the popup for certificate selection. It seems like this is not possible using the NSS libraries, yet the Smart Card Manager GUI can easily do it. Can anyone point me in the right direction as to whether there is a separate API I can use to get the list of certificates from a CAC? Thanks!

+1  A: 
  • Search the web for the "friendly certs" or "publicly readable certs" feature/mechanism (0x1<<28 when loading the module) - by default NSS assumes that a PIN is needed before anything can be read from the token. Which is IMHO utter stupidity, and keeping it as a default...
  • Be sure to take into account pinpad readers (protected authentication path in PKCS#11) as you hopefully will like to support better security for your users who have the capability. No PIN entry textbox should be shown when there is a pinpad reader attached.
martin
martin, thanks for the reply. I must admit that I'm sorta a newbie to C++ and the NSS API, so I don't know what (0x1<<28) means. I'm loading the module in my C++ program using this method: module = SECMOD_LoadUserModule(moduleSpecName, NULL, PR_TRUE); How do I set this flag using the above method? There is no pinpad involved in my app; this is a Linux logon app. Thanks!
azm882
From https://developer.mozilla.org/en/PKCS11_Module_Specs: slotParams - space separated list of name/value pairs where the name is a slotID and the value is a space separated list of parameters related to that slotID. Valid slotParams values are: slotFlags - comma separated list of cipher groups which this slot is expected to be the default implementation for (case-insensitive). Valid flags are: PublicCerts
martin
In case someone is looking for specifics, the following worked in my case:

    static char moduleName[] = "library=\"/usr/lib/pkcs11/libcoolkeypk11.so\" name=\"SmartCard\" NSS=\"slotParams={0x1=[slotFlags='PublicCerts']}\"";
    module = SECMOD_LoadUserModule(moduleName, NULL, PR_TRUE);
azm882