Question

I'm developing a CAC authentication app.

I'm running RHEL 5.5 and have a card reader attached to my machine. When I insert a smart card/CAC, a popup notification appears in the upper right-hand side of the window where the clock is, and the "Smart Card Manager" GUI is accessible by clicking on the icon (card with a lock on it) that appears. With Smart Card Manager displayed I can view the list of certificates on the card, as well as the details etc., WITHOUT having to enter a PIN.

Now, on the other hand, when I use the NSS libraries in my C++ code to get the slot and list certificates, I cannot get the list of certificates without having to enter the PIN.

What I would like to do is get the list of certificates off the card and present that list to the user in a dialog box ALONG with a PIN text field, so that the user can enter the PIN and then select the certificate to use for authentication ALL IN ONE step, instead of the application having to display a separate dialog box for the PIN and then the popup for certificate selection. It seems like it's not possible using the NSS libraries, but on the other hand the Smart Card Manager GUI can easily do this. Can anyone point me in the right direction as to whether there is a separate API I can use to get the list of certificates from a CAC? Thanks!

Solution

  • Search the web for "friendly certs" or "publicly readable certs" feature/mechanism (0x1<<28 when loading the module) - by default NSS assumes that a PIN is needed before anything can be read from the token. Which is IMHO utter stupidity and keeping it as a default...
  • Be sure to take into account pinpad readers (protected authentication path in PKCS#11) as you hopefully will like to support better security for your users who have the capability. No PIN entry textbox should be shown when there is a pinpad reader attached.
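
The two points in the answer above can be combined into one decision about what the dialog should contain. The following is an added example, not code from the original answer or from NSS: `plan_dialog`, `DialogPlan` and `FRIENDLY_CERTS_FLAG` are hypothetical names, the token flag values are those of `CK_TOKEN_INFO.flags` in the PKCS#11 specification, and the module flag value is the 0x1<<28 quoted in the answer.

```cpp
// Added example: decide what the certificate/PIN dialog should contain.
// Token flag values are from the PKCS#11 specification (CK_TOKEN_INFO.flags);
// the module flag is the 0x1<<28 named in the answer. Other names are hypothetical.
#include <cstdint>
#include <cstdio>

const uint32_t CKF_LOGIN_REQUIRED                = 0x00000004;
const uint32_t CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100;
const uint32_t FRIENDLY_CERTS_FLAG               = 0x1u << 28;  // value from the answer

struct DialogPlan {
    bool list_certs_before_login;  // cert list can be filled without a PIN
    bool show_pin_textbox;         // the application collects the PIN itself
    bool login_with_null_pin;      // C_Login with pPin = NULL: PIN is typed on the reader
};

// token_flags:  CK_TOKEN_INFO.flags as returned by C_GetTokenInfo.
// module_flags: flags the PKCS#11 module was loaded with.
DialogPlan plan_dialog(uint32_t token_flags, uint32_t module_flags) {
    const bool login_required = (token_flags & CKF_LOGIN_REQUIRED) != 0;
    const bool pinpad = (token_flags & CKF_PROTECTED_AUTHENTICATION_PATH) != 0;
    const bool friendly = (module_flags & FRIENDLY_CERTS_FLAG) != 0;

    DialogPlan p;
    // Without the friendly flag, a PIN is assumed to be needed before any read.
    p.list_certs_before_login = friendly || !login_required;
    // Never ask for the PIN in software when the reader has its own keypad.
    p.show_pin_textbox = login_required && !pinpad;
    p.login_with_null_pin = login_required && pinpad;
    return p;
}

int main() {
    // Constructed sample inputs: plain reader (default and friendly), then a pinpad reader.
    const uint32_t samples[][2] = {
        {CKF_LOGIN_REQUIRED, 0},
        {CKF_LOGIN_REQUIRED, FRIENDLY_CERTS_FLAG},
        {CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH, FRIENDLY_CERTS_FLAG},
    };
    for (const auto& s : samples) {
        DialogPlan p = plan_dialog(s[0], s[1]);
        std::printf("token=0x%03x module=0x%08x list_first=%d pin_box=%d null_pin=%d\n",
                    (unsigned)s[0], (unsigned)s[1], p.list_certs_before_login,
                    p.show_pin_textbox, p.login_with_null_pin);
    }
    return 0;
}
```
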
Licensed under: CC-BY-SA with attribution