curl-users
Re: Curl with NSS and smart card
Date: Fri, 2 Sep 2016 20:17:51 -0400
curl version: curl-7.43.0-4.fc23.x86_64
I have some test certs/private keys in the certificate database that I have
been testing mutual auth with curl successfully.
[root@localhost foo]# certutil -L -d sql:$SSL_DIR

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

cacert                                                       CT,C,C
dbguy                                                        u,u,u
pg                                                           u,u,u
[root@localhost foo]# modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. test
        library name: /usr/lib64/pkcs11/libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: OMNIKEY AG CardMan 3121 00 00
        token: GEORGE.WASH.DELL.139219165
-----------------------------------------------------------
[root@localhost foo]# certutil -L -d "sql:$SSL_DIR" -h "GEORGE.WASH.DELL.139219165"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

pg                                                           u,u,u
dbguy                                                        u,u,u
cacert                                                       CT,C,C
[root@localhost foo]# certutil -L -d "$SSL_DIR" -h "GEORGE.WASH.DELL.139219165"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "GEORGE.WASH.DELL.139219165":
GEORGE.WASH.DELL.139219165:CAC ID Certificate                u,u,u
GEORGE.WASH.DELL.139219165:CAC Email Signature Certificate   u,u,u
GEORGE.WASH.DELL.139219165:CAC Email Encryption Certificate  u,u,u
[root@localhost foo]# curl -v --cert "GEORGE.WASH.DELL.139219165\:CAC ID Certificate:<PIN>" https://localhost.localdomain:10443/
*   Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: GEORGE.WASH.DELL.139219165:CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
[root@localhost foo]# curl -v --cert "GEORGE.WASH.DELL.139219165\:CAC ID Certificate" https://localhost.localdomain:10443/
*   Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: GEORGE.WASH.DELL.139219165:CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
[root@localhost foo]# curl -v --cert "GEORGE.WASH.DELL.139219165\:CAC ID Certificate" --pass <PIN> https://localhost.localdomain:10443/
*   Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: GEORGE.WASH.DELL.139219165:CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
[root@localhost foo]# curl -v --cert "CAC ID Certificate" --pass <PIN> https://localhost.localdomain:10443/
*   Trying 127.0.0.1...
* Connected to localhost.localdomain (127.0.0.1) port 10443 (#0)
* Initializing NSS with certpath: sql:/root/foo
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS: client certificate not found: CAC ID Certificate
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
On Fri, Sep 2, 2016 at 3:50 AM, Kamil Dudka <kdudka_at_redhat.com> wrote:
> On Thursday, September 01, 2016 23:10:17 George Wash wrote:
> > I'm trying to use curl on fedora 23 with NSS coolkey and a CAC smart card.
> > Want to use a credential on the smart card for mutual auth TLS.
> >
> > After using modutil I can see and list my certs from the token attached to
> > the NSS certdb.
> >
> > I've set the SSL_DIR to the path to my cert db?
> >
> > My build of curl seems to have the fix where a cert nickname can have a ':'
> > but needs escaping with a \. This is helpful because the --cert
> > "token\:cert nickname:password" seems to be parsing the token and cert
> > nickname correctly. However I get an error that the token:cert cannot be
> > found in the cert database.
>
> Have you tried to pass just the nickname to the --cert option of curl?
>
> You can use the --pass option to specify the password.
>
> > Has anyone had luck with an NSS build of curl and a smart card from the
> > command line (without vectoring off to using libcurl)?
>
> I have no first-hand experience with that, nor any HW to try it out.
>
> > Are there any other avenues I should consider here?
>
> Please paste the full output of 'certutil -L -d sql:$SSL_DIR'.
>
> Kamil
>
> > Thanks
>
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-09-03
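As an added illustration (not code from the thread, from curl or from NSS), a small POSIX shell helper set that builds the escaped "token\:nickname" form of --cert discussed above and, before calling curl, checks that the token is registered in the "sql:" database curl reports it is initialising. The NSS_PIN variable, the "--run" entry point and the config-on-stdin way of passing the PIN are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for pointing curl's NSS
# backend at a token-resident client certificate. Assumes: SSL_DIR names the
# sql: database curl initialises, and the PIN is supplied in NSS_PIN (env).

# curl's --cert parser splits at the first unescaped ':' into nickname and
# passphrase, so the ':' between token name and nickname must be written '\:'.
nss_cert_arg() {
    # $1 = token name, $2 = certificate nickname on that token
    printf '%s\\:%s' "$1" "$2"
}

# Read 'modutil -list -dbdir <db>' output on stdin; succeed if the token is
# registered there. The token's certs are only visible to curl when its
# PKCS#11 module is registered in the database curl actually initialises
# (curl -v prints it as "Initializing NSS with certpath: ...").
token_registered() {
    # $1 = token name
    sed 's/^[[:space:]]*//' | grep -qxF -- "token: $1"
}

# Read 'certutil -L -d <db> -h <token>' output on stdin; succeed if the
# "<token>:<nickname>" entry is listed with user (u,u,u) trust flags.
nickname_listed() {
    # $1 = token name, $2 = nickname
    sed 's/[[:space:]][[:space:]]*/ /g' | grep -qxF -- "$1:$2 u,u,u"
}

# Live path: verify the token is visible in sql:$SSL_DIR, then call curl with
# the escaped nickname. The PIN goes in as 'pass = ...' on a config file read
# from stdin (-K -) rather than on argv, where 'ps' would show it to others.
run_check() {
    # $1 = token name, $2 = nickname, $3 = URL
    db="sql:${SSL_DIR:?set SSL_DIR to the NSS database directory}"
    if ! modutil -list -dbdir "$db" 2>/dev/null | token_registered "$1"; then
        echo "token '$1' is not registered in $db; compare 'modutil -list -dbdir $db'" >&2
        return 1
    fi
    printf 'pass = "%s"\n' "${NSS_PIN:?set NSS_PIN to the token PIN}" \
        | curl -v -K - --cert "$(nss_cert_arg "$1" "$2")" "$3"
}

# The live path only runs when invoked as: --run TOKEN NICKNAME URL
if [ "${1-}" = "--run" ]; then
    shift
    run_check "$@"
fi
```

If the token shows up under "modutil -list -dbdir $SSL_DIR" but not under "modutil -list -dbdir sql:$SSL_DIR", the module is registered only in the legacy-format database, not the one curl initialises.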