Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Kevin Reinholz (kreinholzgmail.com)
Date: Mon Nov 26 2007 - 18:54:30 CST
Thank you for the explanation!
I will go the coolkey route, then. It was easy to get it to build, there
was just that linker issue. I did not define PKG_CONFIG_PATH the handful
of times I compiled coolkey, so it is definitely worth a try.
I'll mess around with coolkey on my own for a bit and report back.
Hopefully I'll be able to provide confirmation of a successful coolkey
test on FreeBSD.
Todd Denniston wrote:
> Summary: ditch commonAccessCard.bundle, and use CoolKey.
> If you are having trouble building CoolKey, I suggest asking about the
> errors you are seeing either here or at
> IIRC the biggest trick to getting CoolKey to build was defining
> PKG_CONFIG_PATH before doing the ./configure
> i.e., export PKG_CONFIG_PATH=$INSTALL_PREFIX/lib/pkgconfig
> where pcscd's INSTALL_PREFIX=/usr/local
> Kevin Reinholz wrote, On 11/25/2007 10:12 PM:
>> I wonder if the issue is truly with Firefox/Thunderbird/Seamonkey, in
>> other words Mozilla's NSS, or if the problem is related to
>> libmusclepkcs11 and/or commonAccessCard.bundle.
> Unless you are working with a "SmartCardServices"
> commonAccessCard.bundle source newer than ~April 2006, the problem is
> with commonAccessCard.bundle + libmusclepkcs11.
> <SNIP muscletool output that indicates pcscd is working well with the
> The only thing nice about the commonAccessCard.bundle was that with
> muscletool you could look at the DEERS personnel data, i.e., blood
> type, birthday, SSN, Exchange Privileges...
>> Clearly my CAC is being read, the muscle framework recognizes when I
>> enter my PIN correctly, and I can display the certificates loaded on
>> my CAC. That would seem to imply that the problem lies elsewhere.
>> I go to AF Portal or AFMC webmail, I'm prompted for a certificate and
>> I can choose between my e-mail and non-e-mail certificate, I'm
>> prompted for my PIN which I enter correctly, and then I receive that
>> cryptic Error code -12222 pertaining to NSS. Very frustrating to be
>> so close yet not quite there.
>> There is also the option of going back and trying to get libcoolkey
>> to link against libpcsclite, then seeing if I have better luck using
>> libcoolkey.so as a security module. However, it seems to me that
>> libmusclepkcs11 is working fine, and the problem lies with Mozilla's
>> NSS or Firefox's handling of certificates.
>> Either route is an adventure. . .
> Those of us who went through getting CAC to work under Linux early
> on had many of the same problems you are seeing.
> My own impression of commonAccessCard.bundle + libmusclepkcs11 was
> that it was _very_ brittle. locally we had patches against
> pam_pkcs11 and libmusclepkcs11 that pretty much made it sort of work
> OK for pam_pkcs11, it never worked well under Mozilla products.
> very soon after trying coolkey and seeing it work with several of the
> applications we needed it to work with, I think most folks stopped
> messing with libmusclepkcs11 , probably because
> commonAccessCard.bundle 1) did not work as well as coolkey, and 2) was
> not distributed under a license which did not permit nice patching and
> The adventure was easier with the CoolKey route, and the reward was
> that it worked.
>  http://lists.drizzle.com/pipermail/muscle/2006-July/005643.html
>  http://lists.drizzle.com/pipermail/muscle/2006-July/005641.html
>  http://lists.drizzle.com/pipermail/muscle/2006-August/005659.html
Muscle mailing list