
Re: Curl with NSS and smart card

From: George Wash <georgewash87_at_gmail.com>
Date: Fri, 2 Sep 2016 20:17:51 -0400

curl version: curl-7.43.0-4.fc23.x86_64

I have some test certs/private keys in the certificate database with which I have
been testing mutual auth with curl successfully.

[root_at_localhost foo]# certutil -L -d sql:$SSL_DIR

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert CT,C,C
dbguy u,u,u
pg u,u,u

[root_at_localhost foo]# modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. test
    library name: /usr/lib64/pkcs11/libcoolkeypk11.so
     slots: 1 slot attached
    status: loaded

     slot: OMNIKEY AG CardMan 3121 00 00
    token: GEORGE.WASH.DELL.139219165
-----------------------------------------------------------

[root_at_localhost foo]# certutil -L -d "sql:$SSL_DIR" -h "GEORGE.WASH.DELL.139219165"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

pg u,u,u
dbguy u,u,u
cacert CT,C,C

[root_at_localhost foo]# certutil -L -d "$SSL_DIR" -h "GEORGE.WASH.DELL.139219165"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "GEORGE.WASH.DELL.139219165":
GEORGE.WASH.DELL.139219165:CAC ID Certificate u,u,u
GEORGE.WASH.DELL.139219165:CAC Email Signature Certificate u,u,u
GEORGE.WASH.DELL.139219165:CAC Email Encryption Certificate u,u,u

[root_at_localhost foo]# curl -v --cert "GEORGE.WASH.DELL.139219165\:CAC ID Certificate:<PIN>" https://localhost.localdomain:10443/
* Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: GEORGE.WASH.DELL.139219165:CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)

[root_at_localhost foo]# curl -v --cert "GEORGE.WASH.DELL.139219165\:CAC ID Certificate" https://localhost.localdomain:10443/
* Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: GEORGE.WASH.DELL.139219165:CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)

[root_at_localhost foo]# curl -v --cert "GEORGE.WASH.DELL.139219165\:CAC ID Certificate" --pass <PIN> https://localhost.localdomain:10443/
* Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: GEORGE.WASH.DELL.139219165:CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)

[root_at_localhost foo]# curl -v --cert "CAC ID Certificate" --pass <PIN> https://localhost.localdomain:10443/
* Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)

On Fri, Sep 2, 2016 at 3:50 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:

> On Thursday, September 01, 2016 23:10:17 George Wash wrote:
> > I'm trying to use curl on fedora 23 with NSS coolkey and a CAC smart
> card.
> > Want to use a credential on the smart card for mutual auth TLS.
> >
> > After using modutil I can see and list my certs from the token attached
> to
> > the NSS certdb.
> >
> > I've set the SSL_DIR to the path to my cert db?
> >
> > My build of curl seems to have the fix where a cert nickname can have a
> ':'
> > but needs escaping with a \. This is helpful because the --cert
> > "token\:cert nickname:password" seems to be parsing the token and cert
> > nickname correctly. However I get an error that the token:cert cannot be
> > found in the cert database.
>
> Have you tried to pass just the nickname to the --cert option of curl?
>
> You can use the --pass option to specify the password.
>
> > Has anyone had luck with an NSS build of curl and a smart card from the
> > command line (without vectoring off to using libcurl)?
>
> I have no first-hand experience with that, nor any HW to try it out.
>
> > Are there any other avenues I should consider here?
>
> Please paste the full output of 'certutil -L -d sql:$SSL_DIR'.
>
> Kamil
>
> > Thanks
>
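
The thread turns on how the --cert argument is split before the NSS backend looks the nickname up: the first unescaped ':' separates the certificate name from the passphrase, and a literal colon inside a "token:nickname" name is written "\:". The following is an added example written for this page, not curl's own source; it re-implements that splitting rule under the hypothetical names parse_cert_parameter and split_matches, and also collapses "\\" to a single backslash as curl's parser does, so you can check exactly which nickname string NSS is asked to find.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strdup */
#include <stdlib.h>
#include <string.h>

/* Split arg ("<certname>[:<passphrase>]") at its first unescaped ':'.
 * "\:" and "\\" inside the name become ':' and '\'; any other backslash is
 * kept as-is.  *passphrase stays NULL when nothing follows the separator,
 * i.e. when the PIN is meant to come from --pass.  Returns 0, or -1 on OOM. */
int parse_cert_parameter(const char *arg, char **certname, char **passphrase)
{
    char *out = malloc(strlen(arg) + 1);   /* unescaping never grows the name */
    char *dst = out;
    const char *src;

    *certname = *passphrase = NULL;
    if (!out)
        return -1;
    for (src = arg; *src; src++) {
        if (*src == '\\' && (src[1] == ':' || src[1] == '\\'))
            *dst++ = *++src;               /* drop the backslash, keep ':' or '\' */
        else if (*src == ':') {            /* unescaped separator: rest is the PIN */
            if (src[1] && !(*passphrase = strdup(src + 1))) {
                free(out);
                return -1;
            }
            break;
        } else
            *dst++ = *src;
    }
    *dst = '\0';
    *certname = out;
    return 0;
}

/* Returns 1 when arg splits into exactly want_name / want_pass
 * (want_pass == NULL means "no passphrase part"), else 0. */
int split_matches(const char *arg, const char *want_name, const char *want_pass)
{
    char *name, *pass;
    int ok = 0;
    if (parse_cert_parameter(arg, &name, &pass) == 0) {
        ok = strcmp(name, want_name) == 0 &&
             (pass ? want_pass && strcmp(pass, want_pass) == 0 : !want_pass);
        free(name);
        free(pass);
    }
    return ok;
}
```

Running the thread's own argument through it yields the name "GEORGE.WASH.DELL.139219165:CAC ID Certificate" with "<PIN>" as the passphrase, which matches what the verbose curl output above reports it searched for.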

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-03