[SmartcardServices-Users] Java and CAC
Disiena, Ridley (GRC-VG00)[DB Consulting Group, Inc.]
ridley.disiena at nasa.gov
Wed Jul 30 09:19:48 PDT 2014
AFAIK, the last time the PKCS11 shim was released by Apple was in the 10.7 GM. I don’t believe it is “supported” anymore, I would have to defer to OS X Forge on that. Having said that, from my experience, if one wanted to use the shim module on a later OS version it does still have functionality as long as you also have also have a functional tokend that is compatible with the card. Technically one can just move the tokendPKCS11.so from a 10.7 build to the new OS and point to it just as you did before.
If you wanted a supported PKCS11, you could use commercial middleware that will work for CAC/PIV. There are several middleware products, but HIDs ActivClient 4 for Mac is the only one with PKCS11 support that I am aware of. They have their own PKCS11 module that they support. They include a Mozilla plugin as well for Firefox and Thunderbird, but anything else that needs PKCS11 can be configured to use the ActivClient module. Other advantages to ActivClient is it does reset the cache if a card gets updated with new certificates, so no having to clear out /var/db/TokenCache/tokens/. It also supports key history on card, so old keys in the key history slots can be leveraged, another unique feature that the other comercial middleware does not yet have.
-Ridley
On Jul 28, 2014, at 9:49 PM, Peter Walsh <peter.walsh at jackpinetech.com> wrote:
> ======================================
> REPOSTING
>
> No response the first time so trying one more time
> ======================================
>
> The new SmartCardsService 2.0 is great. Works like a champ for us in a DoD environment.
>
> We are tying to get back to a point where we can use our CACs with Java, with a specific goal of using jsvn with Forge.mil.
>
> For a while were able to do a jsvn and CoolKeys combo. We would have to add the PKCS11 security provider to Java and it would point to the /usr/libexec/SmartCardServices/pkcs11/tokendPKCS11.so. Then there was a brief window where the Apple supplied Java eliminated the need for CoolKeys. That was short lived as I think it was lost in the shift to 64-bit Java.
>
> In Mavericks with SmartCardServices 2.0, is there a PKCS11 provider that we can point to? The SCardServices and SCardTokend page refers to a tokendPKCS11.so shim but we don’t see it installed anywhere. Are we missing something? Or do we still need a third party piece? FWIW, in our testing OpenSC is only working for some tasks (e.g. keytool) and only with debug enabled; CoolKeys isn’t readily available, is 32 bit only and hasn’t been updated in a while.
>
> Thanks.
>
> Peter Walsh
> Jackpine Technologies, Inc.
> peter.walsh at jackpinetech.com
> c. 617/816-6001
>
>
>
> _______________________________________________
> SmartcardServices-Users mailing list
> SmartcardServices-Users at lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/smartcardservices-users
More information about the SmartcardServices-Users
mailing list