Difference between revisions of "Common Access Card"

From ArchWiki
(Configure browser: typo and option choice clarification)
 
(42 intermediate revisions by 15 users not shown)
Previous revision (wikitext, reconstructed from the side-by-side diff view; the current revision is shown rendered under "Latest revision" below):

[[Category:Other hardware]]
This page explains how to setup Arch to use a US Department of Defense [http://en.wikipedia.org/wiki/Common_Access_Card Common Access Card] (CAC).  It was tested with an SCR331 USB card reader which is a very common one.  Others may work...or not.

==Software Installation==
# Install {{Pkg|pcsclite}} and {{Pkg|ccid}} from [community] and install {{AUR|coolkey}} from [[AUR]].
# Add {{Ic|pcscd}} to the daemons array in [[rc.conf]].
# Reboot -or- type {{Ic|pcscd}} in a terminal to enable the smart card reader.
# Plug in the card reader without a card inserted.  The SCR331's light should turn on (not flashing).
# Put a CAC into the reader and make sure (at least on the SCR331) that the light starts flashing.  If it does, it's set up correctly.

==Configuring Firefox==

===Enabling Firefox to use the CAC Reader===
Insert CAC into reader - the green light should flash on the SCR331.
Add ''CAC Reader'' to Firefox as a Security Device
# Go to Edit->Preferences on the toolbar.
# Click on ''Advanced''
# Click on the ''Encryption'' Tab
# Click on the ''Security Devices'' Button
# Click on the ''Load'' Button
# Enter ''CAC Reader'' as the module name, and browse to {{ic|/usr/lib/pkcs11/libcoolkeypk11.so}} then click ''Open''.

===Importing the DoD Certificates===
If you're using a branded version of [[Firefox]] you should be able to go to http://dodpki.c3pki.chamb.disa.mil/rootca.html and click on the high-level certificates to install them and be done.
If you're using Namoroka this site will not recognize it as Firefox and simply clicking on the link above will not get you into the site. You can work around this problem (which affects some other websites too) by changing Namoroka's configuration a little.
#Open a new tab in Namoroka
#Type ''about:config'' in the address bar and press enter
#Type 'useragent' in the search box
#Double-click on the value where you see "Namoroka"
#Change "Namoroka" to "Firefox"
#Close the tab
Once you get into the site, you can download the certificates by following the directions on the page.
The primary root certificate used has a CN of "DoD Root CA 2": this certificate can be converted to PEM format for use in other browsers:
# Download the CA bundle. This includes approximately 36 certificates. {{ic|$ curl -O http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.p7b}}
# Extract the root certificate into a PEM-formatted file.
{{ic|<nowiki>$ openssl pkcs7 -inform DER -in rel3_dodroot_2048.p7b -print_certs | sed -n '/subject=.*CN=DoD Root CA 2/,${/^$/q;P;D}' > DoD_Root_CA_2.pem</nowiki>}}

==Testing==
Visit your favorite CAC secured web page and you should be asked for the ''Master Password'' for your certificate.  Enter it and if you get in, you know it's working.
Latest revision as of 13:04, 3 January 2017

This article or section needs expansion.

Reason: A short general article about Smartcards (or Smartcard readers) is lacking. This article could become the foundation for it; the CAC relevant/specific content being moved to a section. Further related pcsc-tools exist (and contain supportability information), which can be helpful for identifying other smartcards. [https://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_T460s&diff=449830&oldid=449829]

This page explains how to set up Arch to use a US Department of Defense Common Access Card (CAC).

Installation

Install ccid and opensc from official repositories.

Two lines in /etc/opensc.conf contain a commented-out enable_pinpad = false. If your card reader does not have a PIN pad, uncomment both lines.

Enable pcscd

Start and enable pcscd.service.

Configure browser

1. Go to: http://iase.disa.mil/pki-pke/Pages/tools.aspx

2. Download certs: "Trust Store" -> "PKI CA Certificate Bundles: PKCS#7" -> "For DoD PKI Only - Version 5.0" (ZIP Download)

3. Unzip the DoD PKI zip

4. Follow browser-specific instructions

Firefox

Load security device

Navigate to Edit -> Preferences -> Advanced -> Certificates -> Security Devices and click "Load" to load a module using /usr/lib/opensc-pkcs11.so or /usr/lib/pkcs11/opensc-pkcs11.so (whichever of the two exists on your system).

Import the DoD Certificates

Import the certificates from the downloaded zip in exactly this order, by going to Edit -> Preferences -> Advanced -> Certificates -> View Certificates -> Authorities -> Import (make sure to at least tick the box "Trust this CA to identify websites"):

1. DoD_Root_CA_2__0x05__DoD_Root_CA_2.cer

2. DoD_Root_CA_2__0x05__DoD_Root_CA_3.cer

3. DoD_Root_CA_2__0x05__DoD_Root_CA_4.cer

4. Certificates_PKCS7_v5.0u1_DoD.der.p7b

Chromium/Google Chrome

1. Ensure the CAC is connected and Chromium is closed, then enter the following in a terminal (the -dbdir path is relative to the current directory, so run it from your home directory or pass sql:$HOME/.pki/nssdb instead): $ modutil -dbdir sql:.pki/nssdb/ -add "CAC Module" -libfile /usr/lib/opensc-pkcs11.so

2. Navigate (in a shell) to the directory containing the unzipped DoD PKI files and import the Chrome-specific certificates via (a glob is used instead of parsing ls output, so file names are handled safely):

 for n in *Chrome*; do certutil -d sql:"$HOME/.pki/nssdb" -A -t TC -n "$n" -i "$n"; done

Testing

Visit your favorite CAC-secured web page; you should be asked for the Master Password for your certificate. Enter it and, if you get in, you know it is working.

If some sites or pages do not work correctly (e.g. Outlook Web Access will not authenticate the session for DoD webmail), try a private/incognito session to test the validity of the certificate chain and rule out other variables.

Debugging

The pcsc-tools package is also available in [community]. The program pcsc_scan may be helpful:

[cceleri@ender ~]$ pcsc_scan 
PC/SC device scanner
V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.6
Using reader plug'n play mechanism
Scanning present readers...
0: Dell Dell Smart Card Reader Keyboard 00 00
Thu Sep  5 10:41:53 2013
Reader 0: Dell Dell Smart Card Reader Keyboard 00 00
  Card state: Card removed, 
Thu Sep  5 10:41:58 2013
Reader 0: Dell Dell Smart Card Reader Keyboard 00 00
  Card state: Card inserted, 
  ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80
ATR: 3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80
+ TS = 3B --> Direct Convention
+ T0 = DB, Y(1): 1101, K: 11 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0 
-----
  TD(2) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following 
-----
  TA(3) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V 
+ Historical bytes: 00 31 C0 64 B0 F3 10 00 07 90 00
  Category indicator byte: 00 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: C0
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 4 (pre-issuing data)
     Data: B0 F3 10 00
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 07 (Operational state (activated))
      SW: 9000 (Normal processing.)
+ TCK = 80 (correct checksum)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80
	DoD CAC, Oberthur ID One 128 v5.5 Dual
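The pcsc_scan output above is mostly a decoding of the card's Answer To Reset (ATR). The following Python script is an added example, not code from the ArchWiki page or from the pcsc-tools project: it parses the ATR the way ISO/IEC 7816-3 defines it, walking the Y(i) presence nibbles to split off the TA/TB/TC/TD interface bytes, decoding TA1 into Fi, Di, the ETU length and the resulting bit rates, and recomputing the TCK checksum so that a corrupted or truncated ATR is reported instead of silently accepted. The only input is the ATR hex string that pcsc_scan printed for the DoD CAC above; the Fi/Di/fmax tables are the standard ones.

```python
"""Decode a smart-card ATR (as pcsc_scan does) and verify its TCK checksum.

Added example; not part of the ArchWiki page or pcsc-tools. The sample ATR
is the one pcsc_scan reported above for a DoD CAC (Oberthur ID One 128 v5.5).
"""
from functools import reduce
from operator import xor

# ISO/IEC 7816-3 TA1 tables: clock rate conversion integer Fi, max clock fmax
# (MHz) indexed by the high nibble, baud rate adjustment Di by the low nibble.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
FMAX_TABLE = [4, 5, 6, 8, 12, 16, 20, None, None, 5, 7.5, 10, 15, 20, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

# ATR printed by pcsc_scan on this page for the DoD CAC.
CAC_ATR = bytes.fromhex("3B DB 96 00 80 1F 03 00 31 C0 64 B0 F3 10 00 07 90 00 80")


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into convention, interface bytes, historical bytes and TCK."""
    if len(atr) < 2:
        raise ValueError("ATR too short")
    ts, t0 = atr[0], atr[1]
    if ts not in (0x3B, 0x3F):
        raise ValueError(f"invalid TS byte {ts:02X}")
    groups = []            # one dict per interface-byte group i = 1, 2, ...
    protocols_listed = []  # T values carried in the low nibble of each TD(i)
    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    while True:
        group = {}
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("truncated ATR: missing interface byte")
                group[f"{name}{i}"] = atr[pos]
                pos += 1
        groups.append(group)
        td = group.get(f"TD{i}")
        if td is None:
            break
        protocols_listed.append(td & 0x0F)
        y, i = td >> 4, i + 1
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("truncated ATR: missing historical bytes")
    pos += k
    result = {
        "convention": "direct" if ts == 0x3B else "inverse",
        "interface": groups,
        "protocols": set(protocols_listed) or {0},  # no TD at all means T=0
        "historical": hist,
    }
    # TCK is absent only when T=0 is the sole protocol indicated.
    if any(t != 0 for t in protocols_listed):
        if pos >= len(atr):
            raise ValueError("truncated ATR: missing TCK")
        tck = atr[pos]
        pos += 1
        # TCK is the XOR of every byte from T0 up to, but excluding, TCK itself.
        result["tck"] = tck
        result["tck_ok"] = tck == reduce(xor, atr[1:pos - 1], 0)
    else:
        result["tck"], result["tck_ok"] = None, True
    if pos != len(atr):
        raise ValueError(f"{len(atr) - pos} trailing byte(s) after the ATR")
    return result


def decode_ta1(ta1: int, clock_mhz: float = 4.0) -> dict:
    """Decode TA1 into Fi, Di, cycles per ETU and bit rates (as pcsc_scan prints)."""
    fi, di, fmax = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F], FMAX_TABLE[ta1 >> 4]
    if fi is None or di is None:
        raise ValueError(f"TA1={ta1:02X} uses a reserved Fi/Di code")
    etu = fi // di
    return {"Fi": fi, "Di": di, "cycles_per_etu": etu, "fmax_mhz": fmax,
            "bps_at_clock": int(clock_mhz * 1_000_000 / etu),
            "bps_at_fmax": int(fmax * 1_000_000 / etu)}


if __name__ == "__main__":
    info = parse_atr(CAC_ATR)
    print("convention:", info["convention"])
    for grp in info["interface"]:
        print({name: f"{val:02X}" for name, val in grp.items()})
    print("protocols:", sorted(info["protocols"]))
    print("historical:", info["historical"].hex(" ").upper())
    print("TCK: %02X, ok=%s" % (info["tck"], info["tck_ok"]))
    print(decode_ta1(CAC_ATR[2]))
```

For the page's ATR the script reports the same structure pcsc_scan does: TA1/TC1/TD1 present, TD2 = 1F announcing T=15 global interface bytes, TA3 = 03, eleven historical bytes, and a TCK of 80 that matches the recomputed XOR. Flipping any byte of the ATR (for example the TCK itself) makes tck_ok false, which is the kind of mismatch to look for when a reader or cable is suspect.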