Re: Coolkey and OpenSSL Engines

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Matt,

I've been working on this the past month, and I have NSS working well with my CAC using coolkey. Here is some sample code (please excuse the sloppiness--I haven't cleaned it up yet) that gets the certs from the card. You can do a lot of the standard NSS functions once it is initialized and the slot is loaded.

Note, this is just an excerpt of my program--I didn't want to include all the GTK stuff for my gui that makes it more confusing. I've included the GetCerts which doesn't require the pin login, and the the Get Token name, which gets your name off the CAC card. Hopefully this will get you started.

Stephen


CERTCertList *GetCerts()
{
int numkeys =0;
   SECMODModule *caccard;
   PK11SlotInfo *slot;
   unsigned char *data;
   int len = 25;
   void *wincx = 0;
   CERTCertList *certlist;
   SECStatus rv;
   CERTCertificate *cert;
   SECKEYPublicKey *pkey;
   CERTCertListNode *certnode;
   SECStatus *callback;
   int numcerts = 0;
   initNSS();
   caccard = SECMOD_FindModule("CoolKey PKCS #11 Module");
   if (caccard->loaded)
   {
slot = caccard->slots[0]; if( !PK11_IsFriendly(slot) ) { PK11_Authenticate(slot, PR_TRUE /*load certs*/, NULL /*wincx*/); puts("Authenticating."); }
       else {
puts("No auth required"); /*Not really sure if we need this Authentication stuff */ }
       certlist = PK11_ListCertsInSlot(slot);
       PK11CertListType pk11type;
       pk11type = PK11CertListUser;
       certlist = PK11_ListCerts(pk11type, NULL);
       if (certlist)
       {
           puts("Got Certlist");
for (certnode = CERT_LIST_HEAD(certlist); !CERT_LIST_END(certnode,certlist);
               certnode = CERT_LIST_NEXT(certnode)) {
               cert = certnode->cert;
pkey = (SECKEYPublicKey *) SECITEM_DupItem(&certnode->cert->derPublicKey);
               //SECU_PrintCertNickname(certnode,stdout);
               numcerts++;
        }
printf("Number of certs= %u\n", numcerts); }
       printf("Numcerts: %u", numcerts);
       PK11_FreeSlot(slot);
       return certlist;
   }
   else
   {
       puts("FindModule failed.");
       return 0;
   }
}

gchar *GetTname(PK11SlotInfo *slot, int *cacstatus)
{ /* Initialization Parameters */ SECStatus rv; SECMODModuleList *modlist; SECMODModule *caccard;
   CK_SLOT_INFO slotinfo;
   CK_TOKEN_INFO tokeninfo;
int slotnum; gchar *tname; //rv = initNSS(); Moved to main.c caccard = SECMOD_FindModule("CoolKey PKCS #11 Module");
   if (caccard->loaded)
   {
        /* Loop over each slot */
       for (slotnum=0; slotnum < caccard->slotCount; slotnum++)
       {
           slot = caccard->slots[slotnum];
           if (PK11_GetSlotInfo(slot, &slotinfo) != SECSuccess)
           {
               PR_fprintf(PR_STDERR, "Fail", PK11_GetSlotName(slot));
               rv = 0;
              tname = "No Module";
              return tname;
              }
}
       if(PK11_GetTokenInfo(slot, &tokeninfo) != SECSuccess)
       {
                  PR_fprintf(PR_STDERR, "fail",PK11_GetTokenName(slot));
                  rv = 0;
                  tname = "No Card";
                  return tname;
        }
       /*We got this far, so the CAC is good.  Return the tokenname. */
tname = tokeninfo.label;
       strncpy (tname, tokeninfo.label, strlen(tokeninfo.label));
       printf("t:%s\n", tname);
       *cacstatus = 1; //Let the main program know we got a good card
       return tname;
   }
   else
   {
       tname =  "CAC appears not to be present";
       return tname;
   }
}

Matt Anderson wrote:
Robert Relyea wrote:
Matt Anderson wrote:
After running that I have a DER formated public certificate in the file foo. Since my end goal is to be able to use stunnel I really need to get OpenSSL to be able to access this certificate, but I can't seem to do that yet. What am I missing?

A faster way forward may be to use stunnel with NSS. I know there's a patch for it (I don't know if it has been fed upstream yet). There is certainly a RedHat RPM

I don't see how I would get NSS to work with Coolkey to access my CAC token, is that possible? Can you provide some links to any documentation?

-matt

_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel


_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel

[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Women]

  Powered by Linux