> As I said, I want to authenticate to CAS via signing some data (about the server)
> with a smartcard. So, I just pass some data (as a challenge) to the client, then the
> client signs the passed data and tries to authenticate. The server gets the signed data,
> checks the signature and authenticates (or not) the user.
I believe other folks have used the X.509 handler for this purpose. I don't have any experience with smart cards, but I had the impression they implement the PKCS11 interface. (A brief scan of http://en.wikipedia.org/wiki/PKCS_%E2%99%AF11 suggests that's correct.) We use a hardware USB token that supports PKCS11 with the X.509 handler and it works splendidly.

The involvement of the hardware to get at the private key is a client concern that's not relevant to the server. The server simply sees an X.509 certificate that it either trusts or not; additionally you can configure the server for certificate revocation using the CRL machinery.

That's where the LDAP directory might come in; alternatively I'm aware of some PKIs that want to look up the cert in the directory as a means of certificate verification. You'd have to write your own code to do that, but you could probably leverage the CRL machinery as a starting point.

M

[1] https://wiki.jasig.org/display/CASUM/X.509+Certificates
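The server-side checks the reply describes (trust the certificate or not, consult a CRL, and verify the client's signature over a server-issued challenge) as an added, self-contained example. This is not code from CAS or its X.509 handler, and it is not the poster's code; it is written in Go against the standard library `crypto/x509` (assumes Go 1.19 or later for `ParseRevocationList`). The CA, the two user certificates, the CRL and the in-memory user keys are all constructed inside the block so it runs offline; in a real deployment the user key never leaves the smartcard, and the server only ever sees the certificate and the signature. Names such as `Server`, `BuildPKI` and `SignChallenge` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed test PKI: one CA, two user certs (bob's is revoked) and a CRL.
// User keys are in memory only so the example runs; on a real token they stay on the card.
type PKI struct {
	CACert           *x509.Certificate
	Roots            *x509.CertPool
	CRLDER           []byte
	Alice, Bob       []byte // DER-encoded user certificates
	AliceKey, BobKey *ecdsa.PrivateKey
}

// newCert issues a P-256 certificate; with isCA it is self-signed and may sign CRLs.
func newCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// BuildPKI creates the CA, alice (valid), bob (revoked) and a CA-signed CRL listing bob's serial.
func BuildPKI() (*PKI, error) {
	caDER, caKey, err := newCert(1, "Example Test CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	aliceDER, aliceKey, err := newCert(1001, "alice", false, caCert, caKey)
	if err != nil {
		return nil, err
	}
	bobDER, bobKey, err := newCert(1002, "bob", false, caCert, caKey)
	if err != nil {
		return nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: time.Now()}},
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &PKI{CACert: caCert, Roots: roots, CRLDER: crlDER, Alice: aliceDER, AliceKey: aliceKey, Bob: bobDER, BobKey: bobKey}, nil
}

// Server is the relying party: trust anchors, a verified CRL and the outstanding challenges.
type Server struct {
	roots      *x509.CertPool
	crl        *x509.RevocationList
	challenges map[string]time.Time // nonce -> expiry; deleted on first use (anti-replay)
}

// NewServer refuses a CRL that the CA did not sign: a forged CRL could silently un-revoke a cert.
func NewServer(roots *x509.CertPool, ca *x509.Certificate, crlDER []byte) (*Server, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("CRL signature: %w", err)
	}
	return &Server{roots: roots, crl: crl, challenges: map[string]time.Time{}}, nil
}

// Challenge hands the client 32 random bytes to sign and remembers them for two minutes.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[string(nonce)] = time.Now().Add(2 * time.Minute)
	return nonce, nil
}

// SignChallenge is the client side: what the card does with the nonce (SHA-256 + ECDSA, ASN.1 sig).
func SignChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Authenticate returns the subject CN once the challenge, chain, CRL and signature all check out.
func (s *Server) Authenticate(certDER, nonce, sig []byte) (string, error) {
	now := time.Now()
	exp, ok := s.challenges[string(nonce)]
	if !ok {
		return "", errors.New("challenge not issued by this server or already used")
	}
	delete(s.challenges, string(nonce))
	if now.After(exp) {
		return "", errors.New("challenge expired")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	// Chain to our root with a client-auth EKU; Verify also enforces the validity period.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: s.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if now.After(s.crl.NextUpdate) { // stale CRL: fail closed rather than guess
		return "", errors.New("CRL past NextUpdate; refusing to decide revocation")
	}
	for _, rc := range s.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", errors.New("certificate revoked")
		}
	}
	// Proof of possession: the signature over our nonce must verify with the cert's public key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("bad challenge signature: %w", err)
	}
	return cert.Subject.CommonName, nil
}
```

The ordering matters: the chain and CRL are checked before the signature so the server never trusts a public key it has not yet decided to trust, and the nonce is deleted before any other check so a captured (certificate, signature) pair cannot be presented twice. The CRL lookup here is by serial number against the single CA; a multi-issuer deployment would also match the CRL issuer to the certificate issuer, and the directory-lookup variant mentioned in the reply would replace the `RevokedCertificates` loop with an LDAP query.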
