[CentOS] Firefox fails to authenticate .mil sites with New DoD CAC

Wed Dec 3 22:34:39 UTC 2014
Cal Webster <cwebster at ec.rr.com>

Can anyone help with getting the new DoD CACs (Smart Card) to work in
CentOS 6.6? I don't use it for console logins, only for email and .mil
web sites.

I recently had to get a new DoD CAC (Smart Card) when one of the
buildings I work in upgraded their security system. My old CAC was
working fine prior to this for signing and encrypting email and for
authenticating to various DoD (.mil) sites from the Internet using the
coolkey libraries. 

After getting my new CAC I am no longer able to authenticate to any DoD
sites. I can still sign and encrypt email in Thunderbird via the coolkey
libraries but .mil sites either simply display blank pages or raise
various errors in firefox. I am prompted for my PIN, which is
successfully accepted but I'm not even prompted for which cert to use,
like I used to be.

I've tried installing and loading the latest "cackey" libraries (see
below) but when I insert my CAC and attempt to login to the module in
the Mozilla device manager it completely freezes firefox. Recovery
requires killing firefox. If I remove the latest and install the next
previous cackey library it works the same as coolkey - doesn't freeze up
firefox but never connects to .mil sites.

I tried building the cackey RPMs from the source RPMs too but the result
is the same.

Latest 64-bit cackey: cackey-0.6.8-3522.x86_64.rpm
Next previous cackey: cackey-0.6.5-2444.x86_64.rpm

I'm pretty sure it has something to do with the newer PIV CAC internal
layout. I went through a similar transition when the GEMAL 144 cards
came out but the cackey libraries did at least work and coolkey
eventually caught up.

One thing is for sure... the cackey RPM from forge.mil is not a drop-in
replacement for coolkey. The cackey RPM only installs the libraries
themselves, nothing else. It doesn't even register them in the nss db; I
had to do that manually with modutil. I must be missing something...

Without direct access to forge.mil it's difficult to troubleshoot
cackey. For some silly reason they still require CAC authentication to
get the CAC software and drivers and access the forums, etc.

More relevant information below...

I'd be grateful for any ideas or advice on this. I desperately need to
retrieve vulnerability reports, patches, and other DoD resources.
Thanks!

Cal Webster




Smart Card Reader:
SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202509) 00 00-0

Old CAC:	GEMAL TO TOPDL GX4 144
New CAC:	G&D FIPS 201 SCE 3.2


[root@inet3 ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@inet3 ~]# uname -a
Linux inet3 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@inet3 ~]#

Installed Packages

coolkey.i686                       1.1.0-32.el6                @base
coolkey.x86_64                     1.1.0-32.el6                @base
firefox.i686                       31.2.0-3.el6.centos         @updates
firefox.x86_64                     31.2.0-3.el6.centos         @updates
thunderbird.x86_64                 31.2.0-3.el6.centos         @updates
pcsc-lite.x86_64                   1.5.2-14.el6                @base   
pcsc-lite-devel.x86_64             1.5.2-14.el6                @base   
pcsc-lite-libs.x86_64              1.5.2-14.el6                @base   
nss.i686                           3.16.1-14.el6               @base   
nss.x86_64                         3.16.1-14.el6               @base   
nss-devel.x86_64                   3.16.1-14.el6               @base   
nss-softokn.i686                   3.14.3-18.el6_6             @updates
nss-softokn.x86_64                 3.14.3-18.el6_6             @updates
nss-softokn-devel.x86_64           3.14.3-18.el6_6             @updates
nss-softokn-freebl.i686            3.14.3-18.el6_6             @updates
nss-softokn-freebl.x86_64          3.14.3-18.el6_6             @updates
nss-softokn-freebl-devel.x86_64    3.14.3-18.el6_6             @updates
nss-sysinit.x86_64                 3.16.1-14.el6               @base   
nss-tools.x86_64                   3.16.1-14.el6               @base   
nss-util.i686                      3.16.1-3.el6                @base   
nss-util.x86_64                    3.16.1-3.el6                @base   
nss-util-devel.x86_64              3.16.1-3.el6                @base   


[root@inet3 ~]# modutil -list -dbdir /etc/pki/nssdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: 1 slot attached
	status: loaded

	 slot: SCM Microsystems Inc. SCR3310 USB Smart Card Reader (21120628202
	token: WEBSTER.CALVIN.DALE.9427154028

  3. cackey
	library name: libcackey.so
	 slots: 2 slots attached
	status: loaded

	 slot: CACKey Slot
	token: WEBSTER.CALVIN.DALE.9427154028

	 slot: CACKey Slot
	token: DoD Certificates
-----------------------------------------------------------
[root@inet3 ~]#
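
The modutil listing above shows CoolKey and cackey both loaded and both presenting the card's token. As an added example that is not part of the original post, this script reads `modutil -list` output and reports any token label exposed by more than one PKCS #11 module. The function names `shared_tokens` and `sample_listing`, the reader name and the token label in the sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report token labels that more
# than one PKCS #11 module exposes, given `modutil -list` output on stdin.

shared_tokens() {
  awk '
    # Module header, e.g. "  2. CoolKey PKCS #11 Module"
    /^[ \t]*[0-9]+\.[ \t]/ {
      sub(/^[ \t]*[0-9]+\.[ \t]*/, ""); sub(/[ \t]+$/, "")
      module = $0; next
    }
    # Token line under the current module, e.g. "token: DoD Certificates"
    /^[ \t]*token:/ {
      sub(/^[ \t]*token:[ \t]*/, ""); sub(/[ \t]+$/, "")
      if (seen[$0, module]++) next          # same module, second slot
      if (++count[$0] == 1) order[++n] = $0
      mods[$0] = (mods[$0] == "" ? module : mods[$0] ", " module)
    }
    END {
      for (i = 1; i <= n; i++)
        if (count[order[i]] > 1) print order[i] ": " mods[order[i]]
    }'
}

# Constructed sample in the layout of the listing above; the reader name and
# token label are placeholders, not values from the post.
sample_listing() {
  cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB
  2. CoolKey PKCS #11 Module
    library name: libcoolkeypk11.so
     slot: Example Reader 00 00
    token: EXAMPLE.USER.0000000000
  3. cackey
    library name: libcackey.so
     slot: CACKey Slot
    token: EXAMPLE.USER.0000000000
     slot: CACKey Slot
    token: DoD Certificates
EOF
}

sample_listing | shared_tokens
# Live use (reads the system NSS database, changes nothing):
#   modutil -list -dbdir /etc/pki/nssdb | shared_tokens
```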