How to connect to HTTPS server using Common Access Card
Asked Answered
N

1

9

I need to write a java program to connect to a HTTPS server (DoD website). The website requires CAC (DoD common access card) authentication. If you access this site via browser, you insert your CAC first, and then enter a PIN.

I need to accomplish the authentication process programmatically in java (kind of acting like browser). How do I retrieve the information from the CAC? I have been Googling around and read the Java PKCS#11 Reference Guide. Seems like Sun PKCS#11 Provider can do it, but you need the native PKCS#11 token implementation.

Am I right? Has anybody done this before? Any suggestion or comment will be greatly appreciated.

Nambypamby answered 15/4, 2009 at 17:40 Comment(1)
take a look at #544556 it might give you some pointers.Eyebrow
J
4

First, you need to install PKCS #11 support. This is some native code that probably came with your card reader that provides a .dll (or .so) that provides a PKCS #11 interface. Other software on the system, like Mozilla products and Sun's PKCS #11 provider, uses this library. (Microsoft products often use a different interface, "CAPI".)

Then, following the directions in the PKCS #11 Reference Guide, set up a SunPKCS11 provider. The only properties that I had to supply in my setup are the location of the native "library" that was installed, and the "name" suffix for this provider. The "name" property is appended to "SunPKCS11-", so if you specify "CAC" for the name, you can lookup the Provider later with Security.getProvider("SunPKCS11-CAC").

Then, you can use the standard JSSE system properties javax.net.ssl.keyStore (with a value of "NONE") and javax.net.ssl.keyStoreType (with a value of "PKCS11") to give the JSSE access to the key material on the CAC. You don't need to set the password property, because the native code should prompt the user for their PIN when needed.

The caveat is that only the user's "end entity" certificate is available from the CAC. To build a trusted chain, most servers expect the client to send any intermediate certificates. Working around this is possible, but complicated, as it involves implementing your own javax.net.ssl.X509KeyManager. If the server you are working with requires a complete chain, please post a follow-up question.

Jarret answered 15/4, 2009 at 18:46 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.