[CentOS] Firefox fails to authenticate .mil sites with New DoD CAC

Wed Dec 3 23:20:34 UTC 2014
Jason Pyeron <jpyeron at pdinc.us>

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Cal Webster
> Sent: Wednesday, December 03, 2014 17:35
> To: CentOS List
> Subject: [CentOS] Firefox fails to authenticate .mil sites 
> with New DoD CAC
> 
> Can anyone help with getting the new DoD CACs (Smart Card) to work in
> CentOS 6.6? I don't use it for console logins, only for email and .mil
> web sites.
> 
> I recently had to get a new DoD CAC (Smart Card) when one of the
> buildings I work in upgraded their security system. My old CAC was
> working fine prior to this for signing and encrypting email and for
> authenticating to various DoD (.mil) sites from the Internet using the
> coolkey libraries. 
> 
> After getting my new CAC I am no longer able to authenticate 
> to any DoD
> sites. I can still sign and encrypt email in Thunderbird via 
> the coolkey
> libraries but .mil sites either simply display blank pages or raise
> various errors in firefox. I am prompted for my PIN, which is
> successfully accepted but I'm not even prompted for which cert to use,
> like I used to be.

Does your system trust CA32?

I see 

Issuer: C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DOD EMAIL CA-32
Validity
    Not Before: Nov 24 00:00:00 2014 GMT
    Not After : Jan 30 23:59:59 2015 GMT
Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=CONTRACTOR, CN=WEBSTER.CALVIN.DALE.1011559383
> 
> I've tried installing and loading the latest "cackey" libraries (see
> below) but when I insert my CAC and attempt to login to the module in
> the Mozilla device manager it completely freezes firefox. Recovery
> requires killing firefox. If I remove the latest and install the next
> previous cackey library it works the same as coolkey - 
> doesn't freeze up
> firefox but never connects to .mil sites.
> 
> I tried building the cackey RPMs from the source RPMs too but 
> the result
> is the same.
> 
> Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
> Next previous cackey: cackey-0.6.5-2444.x86_64.rpm
> 
> I'm pretty sure it has something to do with the newer PIV CAC internal
> layout. I went through a similar transition when the GEMAL 144 cards
> came out but the cackey libraries did at least work and coolkey
> eventually caught up.
> 
> One thing is for sure... the cackey RPM from forge.mil is not 
> a drop-in
> replacement for coolkey. The cackey RPM only installs the libraries
> themselves, nothing else. It doesn't even register them in 
> the nss db I
> had to do that manually with modutil. I must be missing something...
> 
> Without direct access to forge.mil it's difficult to troubleshoot
> cackey. For some silly reason they still require CAC authentication to
> get the CAC software and drivers and access the forums, etc.

Ha. Have you contacted the DOD PKE team for support on that? DISA Tinker AFB OPS List PKE_Support <dgisa.tinker.ops.list.pkesupport at mail.mil>
 
> 
> More relevant information below...
> 
> I'd be grateful for any ideas or advice on this. I desperately need to
> retrieve vulnerability reports, patches, and other DoD resources.
> Thanks!
> 
> Cal Webster
> 

I have a G&D FIPS 201 SCE 3.2 test CAC from JITC I can attach to a VM for debugging.

> 
> 
> 
> Smart Card Reader:
> SCM Microsystems Inc. SCR3310 USB Smart Card Reader 
> (21120628202509) 00
> 00-0
> 
> Old CAC:	GEMAL TO TOPDL GX4 144
> New CAC:	G&D FIPS 201 SCE 3.2
> 
> 
> [root at inet3 ~]# cat /etc/redhat-release 
> CentOS release 6.6 (Final)
> [root at inet3 ~]# uname -a
> Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC
> 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at inet3 ~]# 
> 
> Installed Packages
> 
> coolkey.i686                       1.1.0-32.el6                @base
> coolkey.x86_64                     1.1.0-32.el6                @base
> firefox.i686                       31.2.0-3.el6.centos        
>  @updates
> firefox.x86_64                     31.2.0-3.el6.centos        
>  @updates
> thunderbird.x86_64                 31.2.0-3.el6.centos        
>  @updates
> pcsc-lite.x86_64                   1.5.2-14.el6               
>  @base   
> pcsc-lite-devel.x86_64             1.5.2-14.el6               
>  @base   
> pcsc-lite-libs.x86_64              1.5.2-14.el6               
>  @base   
> nss.i686                           3.16.1-14.el6              
>  @base   
> nss.x86_64                         3.16.1-14.el6              
>  @base   
> nss-devel.x86_64                   3.16.1-14.el6              
>  @base   
> nss-softokn.i686                   3.14.3-18.el6_6            
>  @updates
> nss-softokn.x86_64                 3.14.3-18.el6_6            
>  @updates
> nss-softokn-devel.x86_64           3.14.3-18.el6_6            
>  @updates
> nss-softokn-freebl.i686            3.14.3-18.el6_6            
>  @updates
> nss-softokn-freebl.x86_64          3.14.3-18.el6_6            
>  @updates
> nss-softokn-freebl-devel.x86_64    3.14.3-18.el6_6            
>  @updates
> nss-sysinit.x86_64                 3.16.1-14.el6              
>  @base   
> nss-tools.x86_64                   3.16.1-14.el6              
>  @base   
> nss-util.i686                      3.16.1-3.el6               
>  @base   
> nss-util.x86_64                    3.16.1-3.el6               
>  @base   
> nss-util-devel.x86_64              3.16.1-3.el6               
>  @base   
> 
> 
> [root at inet3 ~]# modutil -list -dbdir /etc/pki/nssdb
> 
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
> 	 slots: 2 slots attached
> 	status: loaded
> 
> 	 slot: NSS Internal Cryptographic Services
> 	token: NSS Generic Crypto Services
> 
> 	 slot: NSS User Private Key and Certificate Services
> 	token: NSS Certificate DB
> 
>   2. CoolKey PKCS #11 Module
> 	library name: libcoolkeypk11.so
> 	 slots: 1 slot attached
> 	status: loaded
> 
> 	 slot: SCM Microsystems Inc. SCR3310 USB Smart Card 
> Reader (21120628202
> 	token: WEBSTER.CALVIN.DALE.9427154028
> 
>   3. cackey
> 	library name: libcackey.so
> 	 slots: 2 slots attached
> 	status: loaded
> 
> 	 slot: CACKey Slot
> 	token: WEBSTER.CALVIN.DALE.9427154028
> 
> 	 slot: CACKey Slot
> 	token: DoD Certificates
> -----------------------------------------------------------
> [root at inet3 ~]# 
> 
> 


--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
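One way to run the check Jason raises above (is the issuing CA present in the NSS database, and with what trust flags), as an added example that is not part of the thread: it parses the output of `certutil -L`, so the database path in the usage line and the sample listing are assumptions (the sample is constructed, not the poster's real database).

```shell
#!/bin/sh
# Added example: report how an NSS database knows a CA nickname.
# certutil -L prints "<nickname> <spaces> <SSL,S/MIME,Code>" trust attributes.
# For client-cert auth the browser must chain the user cert up to a root it
# trusts: the intermediate (e.g. "DOD EMAIL CA-32") only needs to be present
# (",,"), but the root it chains to needs a C or T flag in the SSL column.
#
# Usage (path assumed): certutil -L -d sql:/etc/pki/nssdb | nss_ca_trust "DOD EMAIL CA-32"
# Prints trusted / present / missing and returns 0 / 2 / 1 respectively.
nss_ca_trust() {
    ca="$1"
    while IFS= read -r line; do
        flags=${line##* }              # last field: trust attributes
        nick=${line%"$flags"}          # everything before the flags
        nick=${nick%"${nick##*[! ]}"}  # trim trailing spaces
        [ "$nick" = "$ca" ] || continue
        ssl=${flags%%,*}               # first column: SSL trust
        case "$ssl" in
            *C*|*T*) echo "trusted"; return 0 ;;
            *)       echo "present"; return 2 ;;
        esac
    done
    echo "missing"
    return 1
}

# Constructed sample of certutil -L output for a self-contained run.
SAMPLE_NSSDB_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DoD Root CA 2                                                CT,C,C
DOD EMAIL CA-32                                              ,,
DOD CA-31                                                    ,,
'

# Run the check against the sample for one nickname.
check_sample() {
    printf '%s\n' "$SAMPLE_NSSDB_LIST" | nss_ca_trust "$1"
}

# Demo: the intermediate is present but unflagged; the root carries CT,C,C.
check_sample "DOD EMAIL CA-32"
check_sample "DoD Root CA 2"
```

If the intermediate comes back "missing", `certutil -A -n "DOD EMAIL CA-32" -t ",," -i ca32.pem -d sql:/etc/pki/nssdb` (file name assumed) adds it; Firefox keeps its own database under the profile directory, so the same check applies there.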