On 06/21/2013 08:13 AM, John Dennis wrote:
On 06/20/2013 01:20 PM, Johan Dahlin wrote:
[Sorry if this appears twice, the first copy got stuck in the moderation queue]
I'm investigating the use of smart card readers for my application[1],
which is also free software.
As part of the Brazilian electronic legislation I need to be able to
connect to an https server[2] and do a couple of SOAP calls.
It works just fine in Firefox 21, when I:
* Go to the site
* Add a certificate exception via the "I accept the risk" dialog
* Enter the PIN for the smart card reader via a popup dialog
* Access the site normally
When I tried adapting httplib_example.py in python-nss I ran into
two problems:
It has an unknown issuer, which I can work around by implementing an
SSL_AuthCertificateHook.
The second problem, however, is that I need a way to use the client
certificate from the smart card reader, including asking the user
to enter a PIN code.
How can I access a site requiring a client certificate stored on a
PKCS#11-compatible smart card reader via libnss/python-nss?
So first, you need to make sure that your PKCS 11 module is loaded. In
NSS you can do this two ways:
1) Use modutil to add it to the database you open with NSS_Init()
(or relatives). [preferred method]
2) Call SECMOD_LoadUserModule() from your application.
It doesn't look like SECMOD_LoadUserModule is exported through
python-nss, but the first method should always work (as long as you
aren't initializing with nodb).
Second, you need to make sure you have a way to prompt for the PIN. NSS
has a call PK11_SetPasswordFunc() which allows applications to 'fetch'
passwords for the tokens as the application sees fit. This call is
reflected in python-nss as nss.nss.function.set_password_callback(). The
SSL example that John describes has a very simplistic password callback
function, but I wouldn't recommend using that example for a smartcard
(you'll likely fry your smartcard if you mis-type your password, or you
have more than one token with different passwords). The password
callback probably shouldn't cache the password at all, but if it does it
should definitely flush that password if retry = true. It also should
not try to use a password cached for one slot for a different slot.
Anyway, that's the function you need to hook in the PIN prompt (if you are
prompting with a popup, you can simply prompt each time and not
cache the password).
Third, you may need to hook the client_auth_callback as John describes
below. If your server sends the list of trusted CAs in its client auth
request, then the default client_auth_callback should be able to find
the cert on your smartcard without requiring the use of any special
hooks, but if there isn't enough information, then a
client_auth_callback hook would be needed.
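The password-callback advice in the reply above (prompt per token, never replay a cached PIN across slots, stop early on retry so the card's PIN counter is not exhausted), written out as an added example. This is editor-supplied code, not from the thread, from python-nss or from the application it discusses. It assumes the python-nss convention that the callback registered with nss.nss.set_password_callback() is invoked as callback(slot, retry, *user_data), that slot exposes a token_name attribute, and that returning None aborts the login on that token; the nss import is deferred so the callback logic itself runs without python-nss installed. The module load that the reply lists as the preferred first step is done outside the code, e.g. with modutil (-dbdir pointing at the database you later pass to nss_init(), -add with a module name of your choice, -libfile pointing at the vendor's PKCS#11 library; the path is site-specific).

```python
import getpass


class PinPromptCallback:
    """Callable suitable for nss.nss.set_password_callback().

    Design points taken from the thread:
      * no PIN is ever cached, so a value entered for one slot can never be
        replayed against a different slot;
      * a retry (NSS rejected the previous PIN) is counted per token and the
        attempt is abandoned well before the card's own retry counter would
        lock it;
      * the user is re-prompted on every call, which is fine for a popup or
        terminal prompt.
    """

    def __init__(self, prompt=None, max_wrong_pins=1):
        # prompt(token_name) -> PIN string, or None if the user cancelled.
        # Defaults to a terminal prompt; a GUI application supplies a dialog.
        self.prompt = prompt or self._terminal_prompt
        self.max_wrong_pins = max_wrong_pins
        self.wrong_pins = {}   # token_name -> rejected PINs seen so far
        self.events = []       # audit trail of what happened per token

    @staticmethod
    def _terminal_prompt(token_name):
        return getpass.getpass("PIN for token %r: " % token_name) or None

    def __call__(self, slot, retry, *user_data):
        # Signature assumed to match python-nss: (slot, retry, *user_data).
        token = slot.token_name
        if retry:
            # NSS calls back with retry=True after a PIN was rejected.
            # Never replay anything; count the failure and bail out early.
            self.wrong_pins[token] = self.wrong_pins.get(token, 0) + 1
            if self.wrong_pins[token] >= self.max_wrong_pins:
                self.events.append(("abort", token))
                return None
        pin = self.prompt(token)
        if pin is None:
            self.events.append(("cancelled", token))
            return None
        self.events.append(("prompted", token))
        return pin

    def wrong_pin_count(self, token_name):
        return self.wrong_pins.get(token_name, 0)


def install(callback):
    """Register the callback with NSS. Requires python-nss and a prior
    nss.nss.nss_init() (not nodb) on a database containing the PKCS#11 module."""
    from nss import nss   # deferred: only needed when actually talking to NSS
    nss.set_password_callback(callback)


class FakeSlot:
    """Constructed stand-in for an NSS slot object, used only for the demo."""
    def __init__(self, token_name):
        self.token_name = token_name


if __name__ == "__main__":
    # Offline demo with a scripted prompt instead of a real card.
    cb = PinPromptCallback(prompt=lambda token: "1234", max_wrong_pins=1)
    print(cb(FakeSlot("Card A"), False))   # prompts: 1234
    print(cb(FakeSlot("Card A"), True))    # rejected once -> None (abort)
    print(cb(FakeSlot("Card B"), False))   # different slot: fresh prompt, 1234
    print(cb.events)
```

With a real card, `install(PinPromptCallback(prompt=my_dialog))` goes right after `nss.nss.nss_init(db_dir)`; the default `max_wrong_pins=1` means a single rejected PIN ends the attempt rather than letting an automatic retry loop burn through the card's counter.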
Did you set the socket client auth callback to supply the client cert?
See SSLSocket.set_client_auth_data_callback()
There is an example of its usage in doc/examples/ssl_example.py
John
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto