1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
Some hints on making use of Coolkey.
The active ingredient in the Coolkey package is the file
/usr/lib/pkcs11/libcoolkeypk11.so - which is a "PKCS #11 module".
Several applications can make use of PKCS #11 modules - including
iceweasel, iceape, icedove, epiphany and evolution.
The web browser and email applications usually have a GUI allowing
the user to control how PKCS #11 modules and PKI certificates are
used. Many applications use an underlying cryptography library
from the Mozilla project called the "Network Security Service".
Where there is no gui - such as the Gnome Evolution MUA, the
libnss3-tools Debian package provides Network Security Service
tools for manipulating an application's database of PKCS #11 modules
and PKI certificates.
The Coolkey package also provides the pk11install application.
"pk11install is really a generic tool that probably should be moved to
NSS (you can change the parameters and install any PKCS #11
module)." ... "It differs form modutil in that it doesn't try
to load the module itself to install it. It also differs from modutil
in that it 'knows' where several NSS apps store their database (OK,
where old netscape and modern mozilla apps). You can run it as a user
and install your favorite PKCS #11 module into all the
browsers/mailreaders you have installed."
- Bob Relyea, a coolkey developer.
Coolkey depends upon the pcscd musclecard token management daemon.
(Using libpcsclite to communicate.) Coolkey will dynamically detect
pcscd and the presence of tokens when the system has pcscd managing
one or more PKI hardware token device interfaces (such as an
ActivCard, Inc. SmartCard Reader, or a Dell smart card reader
keyboard, or other CCID and/or musclecard supported devices).
A user will have a PKI capable Smart Card inserted in the reader, and
then Coolkey will allow the web browser to authenticate the user to a
web server, and a Mail User Agent to sign and decrypt email messages.
Public Key Infrastructure, PKI, is all about certificate management.
The user has the responsibility to decide which can be trusted, given
the set of Certificate Authority certificates (and also subsidiary
CA certificates) and individual and system ID certificates. Most
applications provide a GUI for managing certificates, or the NSS
(Network Security Service) certutil can be useful. Even when an
application is using coolkey and the hardware and smart card token are
present, the application probably won't carry out authentication or
signing operations unless it also has the right chain of CA
certificates installed and trusted.
The Debian package ca-certificates has quite a few CA certificates that
might be useful. Those using Coolkey with DoD PKI might look into
Bug #274963:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=274963
Read /usr/share/doc/ca-certificates/README.Debian and you can
help resolve that bug.
Of course, with PKI one should proceed with caution and due diligence
when selecting CA certificates to trust. Some starting places for
finding DoD CA certificates include:
https://ca-5.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-6.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-7.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-8.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-9.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-10.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-11.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-12.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-13.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-14.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-15.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-16.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-17.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-18.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-19.c3pki.chamb.disa.mil/ca/GetCAChain.html
https://ca-20.c3pki.den.disa.mil/ca/GetCAChain.html
https://ca-21.c3pki.chamb.disa.mil/ca/GetCAChain.html
Coolkey with Mozilla-based NSS applications ( firefox, iceweasel,
iceape, thunderbird, icedove...)
From the Application GUI:
- Edit - Preferences
- Security tab (or possibly Encryption tab)
- Security Devices button
in the Device Manager pop-up window
- Load button
in the Load PKCS#11 Device pop-up window
- give it a name, such as "Coolkey PKCS#11 Module"
- select the filename /usr/lib/pkcs11/libcoolkeypk11.so
with the smart card inserted
- OK button
Not that selecting the PKCS#11 token in the Device Manager window
will provide for log in, log out and change password operations
using the smart card's PIN.
Then under the Edit - Preferences - Security tab, selecting
- View Certificates button
will show the certificates present on the smart card under the
My Certiciates tab.
Coolkey with Gnome Epiphany web browser:
The Debian package epiphany-extensions should be installed to
provide the necessary NSS support.
From the Tools menu item, the manage Security Devices and
Certificate Manager GUIs are available.
Coolkey with Evolution:
You can use the NSS modultil command to insert your PKCS #11
token into evolution's secmod.db:
`modutil -add "Coolkey" -libfile /usr/lib/pkcs11/libcoolkeypk11.so -dbdir .evolution`
from my home directory did the right thing.
Alas, evolution as of version 2.6.3-3 still had some problems picking
the right certificate... perhaps evolution bugzilla bug 372435.
Updates to support newer cards...
as of version 1.1.0-12 coolkey includes support. For discussion see
https://bugzilla.redhat.com/show_bug.cgi?id=593017
https://bugzilla.redhat.com/show_bug.cgi?id=534172
http://rhn.redhat.com/errata/RHEA-2011-0111.html
-- A. Maitland Bottoms <bottoms@debian.org>, Tue, 10 Apr 2012 19:07:33 -0400
|