[Muscle] certificate error using DoD CAC with Firefox or Thunderbird

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Mon Nov 26 10:40:11 PST 2007


Summary: ditch commonAccessCard.bundle, and use CoolKey.
If you are having trouble building CoolKey, I suggest asking about the errors 
you are seeing either here or at
https://www.redhat.com/mailman/listinfo/coolkey-devel

IIRC the biggest trick to getting CoolKey to build was defining 
PKG_CONFIG_PATH before doing the ./configure
i.e., export PKG_CONFIG_PATH=$INSTALL_PREFIX/lib/pkgconfig
where pcscd's INSTALL_PREFIX=/usr/local


Kevin Reinholz wrote, On 11/25/2007 10:12 PM:
<SNIP>
> 
> I wonder if the issue is truly with Firefox/Thunderbird/Seamonkey, in other 
> words Mozilla's NSS, or if the problem is related to libmusclepkcs11 and/or 
> commonAccessCard.bundle. 

Unless you are working with a "SmartCardServices" commonAccessCard.bundle 
source newer than ~April 2006, the problem is with commonAccessCard.bundle + 
libmusclepkcs11.

<SNIP muscletool output that indicates pcscd is working well with the card.>
The only thing nice about the commonAccessCard.bundle was that with muscletool 
you could look at the DEERS personnel data, i.e., blood type, birthday, SSN, 
Exchange Privileges...

> 
> Clearly my CAC is being read, the muscle framework recognizes when I enter my 
> PIN correctly, and I can display the certificates loaded on my CAC. That would 
> seem to imply that the problem lies elsewhere.
> 

True.

> I go to AF Portal or AFMC webmail, I'm prompted for a certificate and I can 
> choose between my e-mail and non-e-mail certificate, I'm prompted for my PIN 
> which I enter correctly, and then I receive that cryptic Error code -12222 
> pertaining to NSS. Very frustrating to be so close yet not quite there.
> 
> There is also the option of going back and trying to get libcoolkey to link 
> against libpcsclite, then seeing if I have better luck using libcoolkey.so as a 
> security module. However, it seems to me that libmusclepkcs11 is working fine, 
> and the problem lies with Mozilla's NSS or Firefox's handling of certificates.
> 
> Either route is an adventure. . .
> 

Those of us who went through getting CAC to work under Linux early on[0] had 
many of the same problems you are seeing.
My own impression of commonAccessCard.bundle + libmusclepkcs11 was that it was 
_very_ brittle. Locally we had patches[1] against pam_pkcs11 and 
libmusclepkcs11 that pretty much made it sort of work OK for pam_pkcs11; it 
never worked well under Mozilla products.

Very soon after trying coolkey and seeing it work with several of the 
applications we needed it to work with[1], I think most folks stopped messing 
with libmusclepkcs11 [2], probably because commonAccessCard.bundle 1) did not 
work as well as coolkey, and 2) was not distributed under a license that 
permitted nice patching and sharing.

The adventure was easier with the CoolKey route, and the reward was that it 
worked.

[0] http://lists.drizzle.com/pipermail/muscle/2006-July/005643.html
     http://lists.drizzle.com/pipermail/muscle/2006-July/005609.html
[1] http://lists.drizzle.com/pipermail/muscle/2006-July/005641.html
[2] http://lists.drizzle.com/pipermail/muscle/2006-August/005659.html
     http://lists.drizzle.com/pipermail/muscle/2006-July/005614.html


-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
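The PKG_CONFIG_PATH step above is the one that bites most people, because a missing libpcsclite.pc does not stop ./configure from running; it just leaves CoolKey unable to find pcsc-lite. The script below is an added example (not from the message above, nor from the CoolKey or pcsc-lite projects) that derives PKG_CONFIG_PATH from the prefix pcscd was installed under, refuses to continue unless libpcsclite.pc is actually present there, and only then exports the variable and runs configure. It assumes, as the message implies, that pcsc-lite installs libpcsclite.pc into $PREFIX/lib/pkgconfig and that CoolKey's configure locates it through pkg-config; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from CoolKey/pcsc-lite.
# Assumptions (not stated on the page): pcsc-lite installs libpcsclite.pc
# under $PREFIX/lib/pkgconfig, and CoolKey's ./configure uses pkg-config.

# Usage: pcsc_pkgconfig_dir PREFIX  -> prints PREFIX/lib/pkgconfig
pcsc_pkgconfig_dir() {
    printf '%s/lib/pkgconfig\n' "${1%/}"
}

# Usage: check_pcsclite_pc PREFIX
# Returns 0 if libpcsclite.pc exists under PREFIX, 1 (with a message) otherwise.
check_pcsclite_pc() {
    pc_dir=$(pcsc_pkgconfig_dir "$1")
    if [ ! -f "$pc_dir/libpcsclite.pc" ]; then
        echo "libpcsclite.pc not found in $pc_dir; is pcsc-lite installed under $1?" >&2
        return 1
    fi
    return 0
}

# Usage: coolkey_configure PREFIX [COOLKEY_SRC_DIR]
#   e.g. coolkey_configure /usr/local ~/src/coolkey
# Exports PKG_CONFIG_PATH (prepended to any value already set) and, when the
# source directory has a configure script, runs it in that directory.
coolkey_configure() {
    prefix=$1
    src=${2:-.}
    check_pcsclite_pc "$prefix" || return 1
    pc_dir=$(pcsc_pkgconfig_dir "$prefix")
    PKG_CONFIG_PATH="$pc_dir${PKG_CONFIG_PATH:+:$PKG_CONFIG_PATH}"
    export PKG_CONFIG_PATH
    # If pkg-config is available, confirm it now resolves libpcsclite before
    # spending time on configure.
    if command -v pkg-config >/dev/null 2>&1; then
        pkg-config --exists libpcsclite || {
            echo "pkg-config cannot resolve libpcsclite with PKG_CONFIG_PATH=$PKG_CONFIG_PATH" >&2
            return 1
        }
    fi
    if [ -x "$src/configure" ]; then
        (cd "$src" && ./configure)
    else
        echo "PKG_CONFIG_PATH=$PKG_CONFIG_PATH exported; no configure script in $src, skipping" >&2
    fi
}
```

Run it as `coolkey_configure /usr/local ~/src/coolkey` from the shell you will then run make in; the export only affects that shell, which is why the check and the configure run are kept in the same function.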

