7 Replies. Latest reply: Mar 1, 2012 3:24 PM by safarmer

smartcardio and reading a cert from a CAC

917794 Newbie
Hey guys, I've managed to communicate successfully with the card reader, but I'm at a bit of a loss as to how to read a certificate on the CAC itself. I just need to see the X.509 cert and associated chain.

Any help much appreciated, thanks!
  • 1. Re: smartcardio and reading a cert from a CAC
    Umer Journeyer
    914791 wrote:
    Hey guys, I've managed to communicate successfully with the card reader, but I'm at a bit of a loss as to how to read a certificate on the CAC itself. I just need to see the X.509 cert and associated chain.

    Any help much appreciated, thanks!
    From the above statement nobody can figure out what you are doing and what type of problem you are having. Please clarify your problem and provide some more detail.

    BR
    Umer
  • 2. Re: smartcardio and reading a cert from a CAC
    917794 Newbie
    Sorry about that.

    So I have a Java Swing app and am building an authentication mechanism based upon DoD CACs. I'm using javax.smartcardio to connect to the card reader, which has been successful: I've detected whether a card was inserted or not, and can send commands to it, etc. But what I really need to do is read the user certificate that is on the CAC.

    Hope this makes more sense, thanks.
  • 3. Re: smartcardio and reading a cert from a CAC
    Adriaan Explorer
    We still need some more information in order to give any kind of assistance.

    1) For those of us who do not work with the DoD, it might be useful to define "CAC".

    2) With which standards is the system compliant, and are they proprietary, or open?

    3) Does the system requirement specification mandate a particular set of protocols on certain layers? This will tell us a lot about the way in which data is stored on the CAC, and it may be possible to deduce commands for retrieving the required data.

    4) Which of the security mechanisms in the standards/protocols are used in the system? The reader might (should!) have to identify itself to the card before gaining access to potentially sensitive data such as certificates.


    Adriaan
  • 4. Re: smartcardio and reading a cert from a CAC
    917794 Newbie
    Thanks Adriaan, to answer your questions:

    1) CAC is Common Access Card; it has a chip as would be found in some credit cards (like AMEX Blue). It holds a public and private key of a user. I have been able to get the user certificate in a web application, but I did not have to go directly to the smart card reader for this.

    2) Right now I am developing on a Windows platform, but production is Linux and the source code is open source. I have been leveraging javax.smartcardio.

    3) Not sure about this one. I know that for my code to work, the CardTerminal.connect had to be "T=0"; hope that helps.

    4) Not sure about the protocols really, but for DoD, each workstation has a card reader, and in order for you to log into the machine, you must have a valid CAC.

    Here is the output of my test code so far:
    Card_Info: PC/SC card in SCM Microsystems Inc. SCRx31 USB Reader 0, protocol T=0, state OK
    Card Protocol: T=0
    ATR: [B@5afd29
    ATR historical bytes: [B@1a2961b
    response0: 6e 00
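The `[B@5afd29` and `[B@1a2961b` in the output above are what Java prints when a `byte[]` is handed straight to string concatenation: the array's identity hash, not its contents. The bytes need hex-encoding. The following is an added example (not the poster's code) that connects with javax.smartcardio the same way, prints the ATR as hex, and decodes the status word of a response; the `6e 00` seen above is, per ISO 7816-4, "class (CLA) not supported", i.e. the card rejected the command's class byte before looking at anything else. The APDU to send is taken from the command line rather than hard-coded, because the thread does not supply the card's command set and the later replies point to the PIV/CAC specifications for it.

```java
// Added example (not from the thread): connect to the first PC/SC reader with
// javax.smartcardio, print the ATR as hex (instead of the "[B@..." that
// byte[].toString() produces), and optionally send one APDU given on the
// command line as hex. No card-specific command bytes are assumed here.
import javax.smartcardio.*;
import java.util.List;

public class CacProbe {

    // Hex-encode a byte array, e.g. the ATR or APDU response data.
    static String hex(byte[] data) {
        StringBuilder sb = new StringBuilder();
        for (byte b : data) {
            sb.append(String.format("%02X ", b & 0xFF));
        }
        return sb.toString().trim();
    }

    // Parse "00 A4 04 00" or "00a40400" into bytes.
    static byte[] unhex(String s) {
        String clean = s.replaceAll("[^0-9A-Fa-f]", "");
        byte[] out = new byte[clean.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(clean.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // ISO 7816-4 meanings for a few common status words. 0x6E00, the
    // "response0: 6e 00" in the thread, means the CLA byte was rejected.
    static String describeSW(int sw) {
        switch (sw) {
            case 0x9000: return "OK";
            case 0x6E00: return "Class (CLA) not supported";
            case 0x6D00: return "Instruction (INS) not supported";
            case 0x6A82: return "File or application not found";
            case 0x6982: return "Security status not satisfied (PIN/authentication required)";
            default:
                if ((sw & 0xFF00) == 0x6100) return "More data available: issue GET RESPONSE";
                if ((sw & 0xFF00) == 0x6C00) return "Wrong Le; retry with Le=" + (sw & 0xFF);
                return "See ISO 7816-4 for SW " + String.format("%04X", sw);
        }
    }

    public static void main(String[] args) throws CardException {
        TerminalFactory factory = TerminalFactory.getDefault();
        List<CardTerminal> terminals = factory.terminals().list();
        if (terminals.isEmpty()) {
            System.out.println("No PC/SC readers found");
            return;
        }
        CardTerminal terminal = terminals.get(0);
        System.out.println("Reader: " + terminal.getName());
        if (!terminal.isCardPresent()) {
            System.out.println("No card in reader");
            return;
        }
        // "T=0" matches what the original poster needed; "*" lets PC/SC choose.
        Card card = terminal.connect("T=0");
        try {
            ATR atr = card.getATR();
            System.out.println("ATR: " + hex(atr.getBytes()));
            System.out.println("ATR historical bytes: " + hex(atr.getHistoricalBytes()));

            if (args.length > 0) {
                CommandAPDU cmd = new CommandAPDU(unhex(args[0]));
                ResponseAPDU rsp = card.getBasicChannel().transmit(cmd);
                System.out.println("Response data: " + hex(rsp.getData()));
                System.out.printf("SW: %04X (%s)%n", rsp.getSW(), describeSW(rsp.getSW()));
            }
        } finally {
            card.disconnect(false);
        }
    }
}
```

Run it with no arguments to get a readable ATR, or with a hex APDU taken from the card's specification to see the status word explained. A 6982 response is the case Adriaan raises in point 4: the card is refusing to release the object until the reader has authenticated (typically by PIN), which is the expected behaviour for certificate and key objects on an identity card.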
  • 5. Re: smartcardio and reading a cert from a CAC
    816119 Journeyer
    There are 3 main ways to get/write any information from a usual smart card:
    a. via raw APDU commands. In this case you have to know the logical structure of the data stored in the card and the APDU command coding. If you still do not have this information, I suppose you will not get it.
    b. via a PKCS11 interface. Often card issuers provide a PKCS11 library (*.dll for Windows, *.so for Linux) with the PKCS11 API. I think this is the main way for Linux, while there is an alternative crypto provider on Windows.
    c. via the Windows crypto provider API. A crypto provider which supports the kind of cards you work with must be installed.

    Edited by: 666 on Feb 16, 2012 12:22 PM
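Route (b) is the one that avoids knowing the card's file layout, because the issuer's PKCS#11 module hides the APDUs. The following is an added example (not from the post, and not any vendor's code) of reading the certificates a card exposes through such a library with Java's built-in SunPKCS11 provider, using the Java 9+ `Provider.configure` API. The library path, the config file it writes, and the PIN prompt are assumptions; the PKCS#11 module itself comes from the card issuer, as the post says.

```java
// Added example (not from the thread): list the X.509 certificates a smart
// card exposes through its vendor PKCS#11 library, via the SunPKCS11 provider
// (Java 9+). The library path is supplied by the caller; the PIN is read from
// the console because reading protected objects usually requires it.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class Pkcs11CertDump {

    // Write a minimal SunPKCS11 config pointing at the vendor library
    // (hypothetical path such as /usr/lib/opensc-pkcs11.so; use the issuer's module).
    static Path writeConfig(String libraryPath) throws IOException {
        Path cfg = Files.createTempFile("pkcs11-", ".cfg");
        String body = "name = CardReader\n" + "library = " + libraryPath + "\n";
        Files.write(cfg, body.getBytes(StandardCharsets.UTF_8));
        return cfg;
    }

    // Open the card as a KeyStore. Supplying the PIN is what satisfies the
    // card's access condition for certificate and key objects.
    static KeyStore openCardKeyStore(String libraryPath, char[] pin) throws Exception {
        Provider base = Security.getProvider("SunPKCS11");
        Provider p11 = base.configure(writeConfig(libraryPath).toString());
        Security.addProvider(p11);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin);
        return ks;
    }

    // Print each certificate and whatever chain the middleware returns for it,
    // flagging expired or not-yet-valid certificates rather than trusting them.
    static void dump(KeyStore ks) throws Exception {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            System.out.println("alias:   " + alias);
            System.out.println("subject: " + x.getSubjectX500Principal());
            System.out.println("issuer:  " + x.getIssuerX500Principal());
            System.out.println("serial:  " + x.getSerialNumber().toString(16));
            try {
                x.checkValidity();
                System.out.println("valid:   yes (until " + x.getNotAfter() + ")");
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                System.out.println("valid:   NO - " + e.getMessage());
            }
            Certificate[] chain = ks.getCertificateChain(alias); // null for non-key entries
            if (chain != null) {
                for (int i = 0; i < chain.length; i++) {
                    X509Certificate link = (X509Certificate) chain[i];
                    System.out.println("  chain[" + i + "]: " + link.getSubjectX500Principal());
                }
            }
            System.out.println();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java Pkcs11CertDump <pkcs11-library-path>");
            return;
        }
        char[] pin = System.console() != null
                ? System.console().readPassword("Card PIN: ")
                : new char[0];
        try {
            dump(openCardKeyStore(args[0], pin));
        } finally {
            Arrays.fill(pin, '\0'); // do not keep the PIN in memory longer than needed
        }
    }
}
```

Two points a practitioner should expect: the chain returned by `getCertificateChain` is only as long as what the token actually stores, so on many cards it is the end-entity certificate alone and the issuer certificates must come from a separately provisioned trust store; and `checkValidity` only covers dates, so an authentication mechanism still needs path validation against that trust store (and revocation checking) before accepting the card's certificate.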
  • 6. Re: smartcardio and reading a cert from a CAC
    safarmer Expert
    Umer wrote:
    914791 wrote:
    Hey guys, I've managed to communicate successfully with the card reader, but I'm at a bit of a loss as to how to read a certificate on the CAC itself. I just need to see the X.509 cert and associated chain.

    Any help much appreciated, thanks!
    From the above statement nobody can figure out what you are doing and what type of problem you are having. Please clarify your problem and provide some more detail.
    I knew what they meant, but my last company had CAC and PIV implementations and my ID badge was a CAC card :)
  • 7. Re: smartcardio and reading a cert from a CAC
    safarmer Expert
    Hi,

    As mentioned, you will need to send the appropriate commands to the card. From memory, CAC is an extension to PIV (FIPS 201). You may be able to find the specification for one of these and get the appropriate command to send to the card.

    Unfortunately I do not have any of the details on this any more. I no longer work for the company that dealt with these cards.

    Cheers,
    Shane
