Thank you for the explanation!
I will go the coolkey route, then. It was easy to get it to build, there
was just that linker issue. I did not define PKG_CONFIG_PATH the handful
of times I compiled coolkey, so it is definitely worth a try.
I'll mess around with coolkey on my own for a bit and report back.
Hopefully I'll be able to provide confirmation of a successful coolkey
test on FreeBSD.
Todd Denniston wrote:
Summary: ditch commonAccessCard.bundle, and use CoolKey.
If you are having trouble building CoolKey, I suggest asking about the
errors you are seeing either here or at
https://www.redhat.com/mailman/listinfo/coolkey-devel
IIRC the biggest trick to getting CoolKey to build was defining
PKG_CONFIG_PATH before doing the ./configure
i.e., export PKG_CONFIG_PATH=$INSTALL_PREFIX/lib/pkgconfig
where pcscd's INSTALL_PREFIX=/usr/local
Kevin Reinholz wrote, On 11/25/2007 10:12 PM:
<SNIP>
I wonder if the issue is truly with Firefox/Thunderbird/Seamonkey, in
other words Mozilla's NSS, or if the problem is related to
libmusclepkcs11 and/or commonAccessCard.bundle.
Unless you are working with a "SmartCardServices"
commonAccessCard.bundle source newer than ~April 2006, the problem is
with commonAccessCard.bundle + libmusclepkcs11.
<SNIP muscletool output that indicates pcscd is working well with the
card.>
The only thing nice about the commonAccessCard.bundle was that with
muscletool you could look at the DEERS personnel data, i.e., blood
type, birthday, SSN, Exchange Privileges...
Clearly my CAC is being read, the muscle framework recognizes when I
enter my PIN correctly, and I can display the certificates loaded on
my CAC. That would seem to imply that the problem lies elsewhere.
True.
I go to AF Portal or AFMC webmail, I'm prompted for a certificate and
I can choose between my e-mail and non-e-mail certificate, I'm
prompted for my PIN which I enter correctly, and then I receive that
cryptic Error code -12222 pertaining to NSS. Very frustrating to be
so close yet not quite there.
There is also the option of going back and trying to get libcoolkey
to link against libpcsclite, then seeing if I have better luck using
libcoolkey.so as a security module. However, it seems to me that
libmusclepkcs11 is working fine, and the problem lies with Mozilla's
NSS or Firefox's handling of certificates.
Either route is an adventure. . .
Those of us who went through getting CAC to work under Linux early
on[0] had many of the same problems you are seeing.
My own impression of commonAccessCard.bundle + libmusclepkcs11 was
that it was _very_ brittle. Locally we had patches[1] against
pam_pkcs11 and libmusclepkcs11 that pretty much made it sort of work
OK for pam_pkcs11; it never worked well under Mozilla products.
Very soon after trying coolkey and seeing it work with several of the
applications we needed it to work with[1], I think most folks stopped
messing with libmusclepkcs11 [2], probably because
commonAccessCard.bundle 1) did not work as well as coolkey, and 2) was
not distributed under a license which did not permit nice patching and
sharing.
The adventure was easier with the CoolKey route, and the reward was
that it worked.
[0] http://lists.drizzle.com/pipermail/muscle/2006-July/005643.html
http://lists.drizzle.com/pipermail/muscle/2006-July/005609.html
[1] http://lists.drizzle.com/pipermail/muscle/2006-July/005641.html
[2] http://lists.drizzle.com/pipermail/muscle/2006-August/005659.html
http://lists.drizzle.com/pipermail/muscle/2006-July/005614.html