Summary: ditch commonAccessCard.bundle, and use CoolKey.
If you are having trouble building CoolKey, I suggest asking about the errors you are seeing either here or at
https://www.redhat.com/mailman/listinfo/coolkey-devel

IIRC the biggest trick to getting CoolKey to build was defining PKG_CONFIG_PATH before doing the ./configure
i.e., export PKG_CONFIG_PATH=$INSTALL_PREFIX/lib/pkgconfig
where pcscd's INSTALL_PREFIX=/usr/local


Kevin Reinholz wrote, On 11/25/2007 10:12 PM:
<SNIP>

I wonder if the issue is truly with Firefox/Thunderbird/Seamonkey, in other words Mozilla's NSS, or if the problem is related to libmusclepkcs11 and/or commonAccessCard.bundle.

Unless you are working with a "SmartCardServices" commonAccessCard.bundle source newer than ~April 2006, the problem is with commonAccessCard.bundle + libmusclepkcs11.

<SNIP muscletool output that indicates pcscd is working well with the card.>
The only thing nice about the commonAccessCard.bundle was that with muscletool you could look at the DEERS personnel data, i.e., blood type, birthday, SSN, Exchange Privileges...


Clearly my CAC is being read, the muscle framework recognizes when I enter my PIN correctly, and I can display the certificates loaded on my CAC. That would seem to imply that the problem lies elsewhere.


True.

I go to AF Portal or AFMC webmail, I'm prompted for a certificate and I can choose between my e-mail and non-e-mail certificate, I'm prompted for my PIN which I enter correctly, and then I receive that cryptic Error code -12222 pertaining to NSS. Very frustrating to be so close yet not quite there.

There is also the option of going back and trying to get libcoolkey to link against libpcsclite, then seeing if I have better luck using libcoolkey.so as a security module. However, it seems to me that libmusclepkcs11 is working fine, and the problem lies with Mozilla's NSS or Firefox's handling of certificates.

Either route is an adventure. . .


Those of us who went through getting CAC to work under Linux early on[0] had many of the same problems you are seeing. My own impression of commonAccessCard.bundle + libmusclepkcs11 was that it was _very_ brittle. Locally we had patches[1] against pam_pkcs11 and libmusclepkcs11 that pretty much made it sort of work OK for pam_pkcs11; it never worked well under Mozilla products.

Very soon after trying coolkey and seeing it work with several of the applications we needed it to work with[1], I think most folks stopped messing with libmusclepkcs11 [2], probably because commonAccessCard.bundle 1) did not work as well as coolkey, and 2) was not distributed under a license which did not permit nice patching and sharing.

The adventure was easier with the CoolKey route, and the reward was that it worked.

[0] http://lists.drizzle.com/pipermail/muscle/2006-July/005643.html
    http://lists.drizzle.com/pipermail/muscle/2006-July/005609.html
[1] http://lists.drizzle.com/pipermail/muscle/2006-July/005641.html
[2] http://lists.drizzle.com/pipermail/muscle/2006-August/005659.html
    http://lists.drizzle.com/pipermail/muscle/2006-July/005614.html


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
_______________________________________________
Muscle mailing list
http://lists.drizzle.com/mailman/listinfo/muscle