Thanks for your reply. But, if I understand correctly, with the X.509 handler users (clients) just expose an X.509 certificate to the server and, if the certificate is valid and trusted, the user is authenticated. But I need signed challenge data to verify users' authentication (for security reasons, anyone can have your certificate).

On Tue, Feb 12, 2013 at 2:25 PM, Marvin Addison <[email protected]> wrote:

> > As I said, I want to authenticate to CAS via signing some data (about
> > server) with smartcard. So, I just pass some data (as challenge) to client, then
> > client signs passed data and tries to authenticate. Server gets signed data,
> > checks signature and authenticates (or not) the user.
>
> I believe other folks have used the X.509 handler for this purpose. I
> don't have any experience with smart cards, but I had the impression
> they implement the PKCS11 interface. (A brief scan of
> http://en.wikipedia.org/wiki/PKCS_%E2%99%AF11 suggests that's
> correct.) We use a hardware USB token that supports PKCS11 with the
> X.509 handler and it works splendidly. The involvement of the hardware
> to get at the private key is a client concern that's not relevant to
> the server. The server simply sees an X.509 certificate that it either
> trusts or not; additionally you can configure the server for
> certificate revocation using the CRL machinery. That's where the LDAP
> directory might come in; alternatively I'm aware of some PKIs that
> want to look up the cert in the directory as a means of certificate
> verification. You'd have to write your own code to do that, but you
> could probably leverage the CRL machinery as a starting point.
>
> M
>
> [1] https://wiki.jasig.org/display/CASUM/X.509+Certificates
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Regards,
Mihalj
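The exchange discussed in this thread (server issues a challenge, the client signs it with the smartcard key, the server checks the signature under the public key of a certificate it already trusts), as an added Go example that is not part of the original thread or of CAS. The nonce store, the function names, the one-minute lifetime and the software RSA key standing in for the smartcard are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// issued holds nonces the server handed out but has not yet consumed (hex nonce -> expiry).
var issued = map[string]time.Time{}
// NewChallenge issues 32 random bytes that the client must sign before ttl elapses.
func NewChallenge(ttl time.Duration) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	issued[hex.EncodeToString(nonce)] = time.Now().Add(ttl)
	return nonce, nil
}
// SignChallenge is the client side; a smartcard would do this with its non-exportable key.
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}
// Verify accepts a challenge only if the server issued it, it is unused and unexpired, and sig
// checks out under pub, the key of a client certificate that already passed trust/CRL checks.
func Verify(pub *rsa.PublicKey, challenge, sig []byte) error {
	k := hex.EncodeToString(challenge)
	exp, ok := issued[k]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(issued, k) // single use: consume before checking the signature, so a replay fails
	if time.Now().After(exp) {
		return errors.New("challenge expired")
	}
	d := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // software key standing in for the smartcard
	nonce, _ := NewChallenge(time.Minute)
	sig, _ := SignChallenge(priv, nonce)
	fmt.Println(Verify(&priv.PublicKey, nonce, sig), Verify(&priv.PublicKey, nonce, sig))
}
```

When the certificate is presented through TLS client authentication, the handshake already requires a signature from the matching private key, so an application-level challenge like this one only adds something when the certificate reaches the server by another path.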
