Welcome to pkg-coolkey project!

Support for the CoolKey and Common Access Card (CAC) smart card security keys used in a Public Key Infrastructure (PKI). The libpkcs11 module allows use of Smart Cards in applications that use mozilla Network Security Services (NSS).

Latest News

No News Items Found

Some hints on making use of Coolkey.

The active ingredient in the Coolkey package is the file /usr/lib/pkcs11/libcoolkeypk11.so - which is a "PKCS #11 module". Several applications can make use of PKCS #11 modules - including iceweasel, iceape, icedove, epiphany and evolution.

The web browser and email applications usually have a GUI allowing the user to control how PKCS #11 modules and PKI certificates are used. Many applications use an underlying cryptography library from the Mozilla project called the "Network Security Service". Where there is no gui - such as the Gnome Evolution MUA, the libnss3-tools Debian package provides Network Security Service tools for manipulating an application's database of PKCS #11 modules and PKI certificates.

The Coolkey package also provides the pk11install application. "pk11install is really a generic tool that probably should be moved to NSS (you can change the parameters and install any PKCS #11 module)." ... "It differs form modutil in that it doesn't try to load the module itself to install it. It also differs from modutil in that it 'knows' where several NSS apps store their database (OK, where old netscape and modern mozilla apps). You can run it as a user and install your favorite PKCS #11 module into all the browsers/mailreaders you have installed." - Bob Relyea, a coolkey developer.

Coolkey depends upon the pcscd musclecard token management daemon. (Using libpcsclite to communicate.) Coolkey will dynamically detect pcscd and the presence of tokens when the system has pcscd managing one or more PKI hardware token device interfaces (such as an ActivCard, Inc. SmartCard Reader, or a Dell smart card reader keyboard, or other CCID and/or musclecard supported devices).

A user will have a PKI capable Smart Card inserted in the reader, and then Coolkey will allow the web browser to authenticate the user to a web server, and a Mail User Agent to sign and decrypt email messages.

Public Key Infrastructure, PKI, is all about certificate management. The user has the responsibility to decide which can be trusted, given the set of Certificate Authority certificates (and also subsidiary CA certificates) and individual and system ID certificates. Most applications provide a GUI for managing certificates, or the NSS (Network Security Service) certutil can be useful. Even when an application is using coolkey and the hardware and smart card token are present, the application probably won't carry out authentication or signing operations unless it also has the right chain of CA certificates installed and trusted.

The Debian package ca-certificates has quite a few CA certificates that might be useful. Those using Coolkey with DoD PKI might look into Bug #274963: Read /usr/share/doc/ca-certificates/README.Debian and you can help resolve that bug.

Of course, with PKI one should proceed with caution and due diligence when selecting CA certificates to trust. Some starting places for finding DoD CA certificates include:

Root Certificates
ca-5 ca-6 ca-7 ca-8 ca-9 ca-10 ca-11 ca-12 ca-13 ca-14 ca-15 ca-16 ca-17 ca-18
Thunderbird DoD Configuration Add-on

Coolkey with Mozilla-based NSS applications ( firefox, iceweasel, iceape, thunderbird, icedove...)

From the Application GUI:
 - Edit - Preferences
 - Security tab (or possibly Encrytion tab)
 - Security Devices button
   in the Device Manager pop-up window
   - Load button
     in the Load PKCS#11 Device pop-up window
     - give it a name, such as "Coolkey PKCS#11 Module"
     - select the filename /usr/lib/pkcs11/libcoolkeypk11.so
     with the smart card inserted
     - OK button

  Not that selecting the PKCS#11 token in the Device Manager window
  will provide for log in, log out and change password operations
  using the smart card's PIN.

  Then under the Edit - Preferences - Security tab, selecting
  - View Certificates button
  will show the certificates present on the smart card under the
  My Certiciates tab.

See also, Procedure for Setting up United States Department of Defense Common Access Cards on a Linux System using PC/SC and CoolKey - Kenneth L. Van Alstyne, 2006

Coolkey with Gnome Epiphany web browser:

The Debian package epiphany-extensions should be installed to provide the necessary NSS support. From the Tools menu item, the manage Security Devices and Certificate Manager GUIs are available.

Coolkey with Evolution:

You can use the NSS modultil command to insert your PKCS #11 token into evolution's secmod.db: `modutil -add "Coolkey" -libfile /usr/lib/pkcs11/libcoolkeypk11.so -dbdir .evolution` from my home directory did the right thing. Alas, evolution as of version 2.6.3-3 still had some problems picking the right certificate... perhaps evolution bugzilla bug 372435.

Project Summary
Tracker Tracker

 - Bugs(0 open / 0 total)

 - Support(0 open / 0 total)

 - Patches(0 open / 0 total)

 - Feature Requests(0 open / 0 total)


Mail Lists Mailing Lists ( 1 public lists )
FTP Released Files

 

 


Powered By GForge Collaborative Development Environment