Matt,

I've been working on this the past month, and I have NSS working well
with my CAC using coolkey. Here is some sample code (please excuse the
sloppiness--I haven't cleaned it up yet) that gets the certs from the
card. You can do a lot of the standard NSS functions once it is
initialized and the slot is loaded.

Note, this is just an excerpt of my program--I didn't want to include
all the GTK stuff for my gui that makes it more confusing. I've included
the GetCerts which doesn't require the pin login, and the Get Token
name, which gets your name off the CAC card. Hopefully this will get
you started.

Stephen
#include <stdio.h>
#include <glib.h>
#include <nss.h>
#include <prio.h>
#include <prprf.h>
#include <pk11pub.h>
#include <secmod.h>
#include <cert.h>
#include <keyhi.h>

/* NSS_Init wrapper; it lives in main.c (see the note in GetTname). */
extern SECStatus initNSS(void);

/* Returns the user certs NSS can see once the CoolKey token is loaded.
   The caller owns the list and releases it with CERT_DestroyCertList(). */
CERTCertList *GetCerts()
{
    SECMODModule *caccard;
    PK11SlotInfo *slot;
    CERTCertList *certlist;
    CERTCertListNode *certnode;
    CERTCertificate *cert;
    SECKEYPublicKey *pkey;
    int numcerts = 0;

    initNSS();

    /* SECMOD_FindModule returns NULL when the module is not in the secmod db,
       so check before touching caccard->loaded. */
    caccard = SECMOD_FindModule("CoolKey PKCS #11 Module");
    if (caccard == NULL || !caccard->loaded)
    {
        puts("FindModule failed.");
        if (caccard)
            SECMOD_DestroyModule(caccard);
        return 0;
    }

    /* Take our own reference so the PK11_FreeSlot below is balanced; freeing
       caccard->slots[0] directly would drop the module's own reference. */
    slot = PK11_ReferenceSlot(caccard->slots[0]);

    if( !PK11_IsFriendly(slot) ) {
        puts("Authenticating.");
        if (PK11_Authenticate(slot, PR_TRUE /*load certs*/, NULL /*wincx*/) != SECSuccess) {
            puts("Authentication failed.");
            PK11_FreeSlot(slot);
            SECMOD_DestroyModule(caccard);
            return 0;
        }
    }
    else {
        /* A "friendly" token exposes its certs without a PIN login, so no
           PK11_Authenticate call is needed here. */
        puts("No auth required");
    }

    /* User certs across all loaded tokens, the CoolKey slot among them.
       PK11_ListCertsInSlot(slot) would restrict this to the card alone. */
    certlist = PK11_ListCerts(PK11CertListUser, NULL);
    if (certlist)
    {
        puts("Got Certlist");
        for (certnode = CERT_LIST_HEAD(certlist);
             !CERT_LIST_END(certnode,certlist);
             certnode = CERT_LIST_NEXT(certnode)) {
            cert = certnode->cert;
            /* CERT_ExtractPublicKey decodes a real SECKEYPublicKey; casting
               SECITEM_DupItem(&cert->derPublicKey) only copied raw DER bytes. */
            pkey = CERT_ExtractPublicKey(cert);
            if (pkey)
                SECKEY_DestroyPublicKey(pkey);
            //SECU_PrintCertNickname(certnode,stdout);
            numcerts++;
        }
    }
    printf("Number of certs= %d\n", numcerts);

    PK11_FreeSlot(slot);
    SECMOD_DestroyModule(caccard);
    return certlist;
}

/* Returns the token label of the CAC as a newly allocated string (caller
   g_free()s it) and sets *cacstatus to 1 when a good card was found. */
gchar *GetTname(PK11SlotInfo *slot, int *cacstatus)
{
    /* Initialization Parameters */
    SECMODModule *caccard;
    CK_SLOT_INFO slotinfo;
    CK_TOKEN_INFO tokeninfo;
    int slotnum;
    gchar *tname;

    //rv = initNSS(); Moved to main.c

    caccard = SECMOD_FindModule("CoolKey PKCS #11 Module");
    if (caccard == NULL || !caccard->loaded)
    {
        if (caccard)
            SECMOD_DestroyModule(caccard);
        return g_strdup("CAC appears not to be present");
    }

    /* Loop over each slot and keep the first one with a token inserted */
    slot = NULL;
    for (slotnum=0; slotnum < caccard->slotCount; slotnum++)
    {
        PK11SlotInfo *candidate = caccard->slots[slotnum];
        if (PK11_GetSlotInfo(candidate, &slotinfo) != SECSuccess)
        {
            PR_fprintf(PR_STDERR, "Fail: %s\n", PK11_GetSlotName(candidate));
            SECMOD_DestroyModule(caccard);
            return g_strdup("No Module");
        }
        if (PK11_IsPresent(candidate)) {
            slot = candidate;
            break;
        }
    }

    if (slot == NULL || PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess)
    {
        PR_fprintf(PR_STDERR, "fail: %s\n", slot ? PK11_GetTokenName(slot) : "(no slot)");
        SECMOD_DestroyModule(caccard);
        return g_strdup("No Card");
    }

    /*We got this far, so the CAC is good. Return the tokenname. */
    /* tokeninfo.label is a fixed 32-byte blank-padded field with no NUL
       terminator, and tokeninfo lives on this stack frame, so copy it out
       to the heap instead of returning a pointer into it. */
    tname = g_strndup((const gchar *)tokeninfo.label, sizeof(tokeninfo.label));
    g_strchomp(tname);
    printf("t:%s\n", tname);
    *cacstatus = 1; //Let the main program know we got a good card
    SECMOD_DestroyModule(caccard);
    return tname;
}
Matt Anderson wrote:
> Robert Relyea wrote:
>> Matt Anderson wrote:
>>> After running that I have a DER formatted public certificate in the
>>> file foo. Since my end goal is to be able to use stunnel I really
>>> need to get OpenSSL to be able to access this certificate, but I
>>> can't seem to do that yet. What am I missing?
>>
>> A faster way forward may be to use stunnel with NSS. I know there's a
>> patch for it (I don't know if it has been fed upstream yet). There is
>> certainly a RedHat RPM.
>
> I don't see how I would get NSS to work with Coolkey to access my CAC
> token, is that possible? Can you provide some links to any
> documentation?
>
> -matt
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
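The token-label handling in GetTname above runs into a PKCS#11 detail that is easy to miss: CK_TOKEN_INFO.label is a fixed 32-byte field, blank-padded and not NUL-terminated, and the struct it sits in is a stack local. The following is an added example, not code from this post and not part of coolkey or NSS, showing one safe way to turn such fields into heap-allocated C strings. The token_info_subset struct is a constructed stand-in that copies only the spec's field widths (it is not the real pkcs11t.h definition), and fill_padded_field and label_roundtrip_ok are test helpers written for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field widths as fixed by the PKCS#11 CK_TOKEN_INFO definition. */
#define CK_LABEL_LEN        32
#define CK_MANUFACTURER_LEN 32
#define CK_MODEL_LEN        16
#define CK_SERIAL_LEN       16

/* Constructed stand-in for the text fields of CK_TOKEN_INFO (assumption:
   a subset with the spec's widths, not the real pkcs11t.h struct). */
typedef struct {
    unsigned char label[CK_LABEL_LEN];
    unsigned char manufacturerID[CK_MANUFACTURER_LEN];
    unsigned char model[CK_MODEL_LEN];
    unsigned char serialNumber[CK_SERIAL_LEN];
} token_info_subset;

/* Copy a fixed-width PKCS#11 text field into a freshly malloc'd,
   NUL-terminated string.  The spec blank-pads these fields and never
   terminates them; some modules NUL-pad instead, so both forms are
   handled.  The scan never reads past 'width' bytes. */
char *pkcs11_field_to_string(const unsigned char *field, size_t width)
{
    size_t len = 0;
    char *out;

    while (len < width && field[len] != '\0')   /* stop at an embedded NUL */
        len++;
    while (len > 0 && field[len - 1] == ' ')    /* strip blank padding */
        len--;

    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, field, len);
    out[len] = '\0';
    return out;
}

/* Heap copies that outlive the CK_TOKEN_INFO struct they were read from. */
char *token_label_string(const token_info_subset *info)
{
    return pkcs11_field_to_string(info->label, sizeof info->label);
}

char *token_manufacturer_string(const token_info_subset *info)
{
    return pkcs11_field_to_string(info->manufacturerID, sizeof info->manufacturerID);
}

/* Test helper: present text the way a token would, blank-padded (or
   NUL-padded when nul_pad is nonzero) and truncated to the field width. */
void fill_padded_field(unsigned char *field, size_t width, const char *text, int nul_pad)
{
    size_t n = strlen(text);
    if (n > width)
        n = width;
    memset(field, nul_pad ? '\0' : ' ', width);
    memcpy(field, text, n);
}

/* Round-trip check: returns 1 when 'text' (up to the label width) survives
   padding and unpadding unchanged, 0 otherwise. */
int label_roundtrip_ok(const char *text, int nul_pad)
{
    token_info_subset info;
    char *got;
    int ok;
    size_t expect = strlen(text) > CK_LABEL_LEN ? CK_LABEL_LEN : strlen(text);

    fill_padded_field(info.label, sizeof info.label, text, nul_pad);
    got = token_label_string(&info);
    if (got == NULL)
        return 0;
    ok = strlen(got) == expect && memcmp(got, text, expect) == 0;
    free(got);
    return ok;
}

int main(void)
{
    token_info_subset info;
    char *label, *maker;

    /* Constructed sample values; a real CAC reports whatever label its
       card applet carries. */
    fill_padded_field(info.label, sizeof info.label, "Sample CAC label", 0);
    fill_padded_field(info.manufacturerID, sizeof info.manufacturerID, "Example Corp", 0);

    label = token_label_string(&info);
    maker = token_manufacturer_string(&info);
    printf("token label: '%s'\nmanufacturer: '%s'\n", label, maker);
    free(label);
    free(maker);
    return 0;
}
```

With real NSS, the same conversion applies to the CK_TOKEN_INFO filled in by PK11_GetTokenInfo: pass tokeninfo.label and sizeof tokeninfo.label, and the returned buffer can safely outlive the function that called PK11_GetTokenInfo, which the original assignment of tokeninfo.label to the return value could not.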