CAC with CoolKey/CACKey

Support for security such as Firewalls and securing Linux
thepistondoctor
Posts: 4
Joined: 2011/11/30 21:43:05

CAC with CoolKey/CACKey

Post by thepistondoctor » 2011/11/30 21:56:04

Hello,

I'm trying to get my CAC working so I can use it to access protected websites, lock/unlock my screen, etc. I have installed the card reader drivers, installed pcsc, coolkey and cackey and have the card reader working. When I run pcsc_scan and insert the card it recognizes the card and when I remove it it recognizes that it is removed. Then I added the security module to Firefox under edit > preferences > advanced > encryption, linking to /usr/lib/libcackey.so. I can see that it recognizes the module and loads it correctly, but when I insert the card into the computer, Firefox freezes. If I pull the card out, nothing happens. Firefox remains hung and I need to kill it via kill -9.

Since CACKey wasn't working, I decided to try CoolKey and link to that module (/usr/lib/libcoolkeypk11.so), and I had the same result when plugging the card in (Firefox hangs), but when I take it out it unhangs when using CoolKey. I have tried going to a couple of CAC-protected websites but haven't been able to get it to work. I'm sure I need it working at the local browser level first but I wanted to give it a shot anyway.

So, does anyone have experience with this type of issue? Everything seems to be working fine according to pcsc_scan but whenever I insert the card in Firefox it just hangs and I have to kill it.

I am using CentOS 6, Firefox 8, and the following relevant packages:

cackey-0.6.5-1.i386
coolkey-1.1.0-16.el6.i686
pcsc-lite.i686 1.5.2-6.el6 @base
pcsc-lite-devel.i686 1.5.2-6.el6 @base
pcsc-lite-libs.i686 1.5.2-6.el6 @base
pcsc-lite-openct.i686 0.6.19-4.el6 @base

Kernel version 2.6.32-71.29.1.el6.i686

Thanks in advance!

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: CAC with CoolKey/CACKey

Post by AlanBartlett » 2011/11/30 22:08:45

[quote]
I am using CentOS 6, Firefox 8, and the following relevant packages:
[/quote]
What happens when you use the version of [i]Firefox[/i] that is distributed with [i]CentOS 6[/i] ?

[code]
[b]firefox-3.6.24-3.el6.centos.i686[/b]
[/code]

thepistondoctor
Posts: 4
Joined: 2011/11/30 21:43:05

Re: CAC with CoolKey/CACKey

Post by thepistondoctor » 2011/12/01 15:07:43

Same thing. Firefox 3.6 hangs when using CACKey, hangs then unhangs when using CoolKey.

Didn't think to even try that, and was really hoping it would work! But...that would be too easy wouldn't it? :)

Any other ideas?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

CAC with CoolKey/CACKey

Post by pschaff » 2011/12/01 15:45:58

Where did you get cackey-0.6.5-1.i386? I can't find a package in any well-known repos nor a SRPM.

You might want to try enabling the [url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=33458&forum=53]Continuous Release [cr] repo[/url] and updating. The current kernel is kernel-2.6.32-131.17.1.el6 and 2.6.32-131.21.1.el6 should be along soon.

thepistondoctor
Posts: 4
Joined: 2011/11/30 21:43:05

Re: CAC with CoolKey/CACKey

Post by thepistondoctor » 2011/12/01 19:12:20

[quote]
pschaff wrote:
Where did you get cackey-0.6.5-1.i386? I can't find a package in any well-known repos nor a SRPM.

You might want to try enabling the [url=https://www.centos.org/modules/newbb/viewtopic.php?topic_id=33458&forum=53]Continuous Release [cr] repo[/url] and updating. The current kernel is kernel-2.6.32-131.17.1.el6 and 2.6.32-131.21.1.el6 should be along soon.[/quote]

I actually got it from a coworker who is using a similar setup. He is running Ubuntu (not sure which version) and happened to have the RPM on his computer still. I can't access forge.mil because my CAC doesn't work, but I can't verify that I'm using the correct software without accessing forge.mil (lol). That was my idea too, that perhaps there's a new version of CACKey that works with my card because his is quite a bit older.

I am going to see if he can get onto forge.mil and check whether a newer package exists. In the meantime I installed centos-release-cr and ran a yum update. I see that there are a bunch of packages in there (coolkey, firefox, libstdc++, glibc, ca-certificates, etc.) that are set to be updated so maybe that will help. I'll post back in a bit once I run the update and make sure I am using the latest version of either CACKey or CoolKey (whichever will work, I just want one of them to work damnit! haha)

Thanks for your help.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: CAC with CoolKey/CACKey

Post by pschaff » 2011/12/01 19:52:17

Speaking of Catch 22... :-)

Please update the thread if you learn anything new.

thepistondoctor
Posts: 4
Joined: 2011/11/30 21:43:05

Re: CAC with CoolKey/CACKey

Post by thepistondoctor » 2011/12/02 16:58:16

Ok, so I have an update but it's probably not going to be very useful.

After running the yum update, 290 packages were updated and kernel kernel-2.6.32-131.17.1.el6 was installed, but no change in the card reader situation. Now, my computer hangs at boot when starting jexec services. I am not sure which update caused it but I had the same issue before while trying to get my video card to work so I'm guessing it's a change to X that caused it. Anyway I just booted into an older kernel and I'm back up and running. I think I am going to move to a more desktop-friendly OS like Ubuntu or Fedora because I know that the card reader I have will work on both of those. I really was only using CentOS because it was the one I happened to have available when I installed it. I've only had it on this computer for about two weeks so there's nothing important on it and it won't take me any time to rebuild with a new OS.

I'm sure there's a better solution but given my particular situation, my goal is just to get the thing working as quickly as possible and I don't really have anything to lose.

Thanks again for your help!

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: CAC with CoolKey/CACKey

Post by pschaff » 2011/12/02 20:01:39

I doubt your problem has anything to do with CentOS [i]per se[/i] and I do not consider it to be any less desktop-friendly than Ubuntu or Fedora; rather they are server-unfriendly. :-) OTOH if they support your hardware requirements, that may be the best option.

My guess is that you have a proprietary video driver that is kernel-specific and could encounter the same issue on any distro. Using a kABI-tracking kmod driver from [url=http://elrepo.org]ELRepo[/url] is the usual remedy for that kind of issue.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: CAC with CoolKey/CACKey

Post by AlanBartlett » 2011/12/03 02:19:32

A very quick test would be to try with the [url=http://elrepo.org/tiki/kernel-ml]kernel-ml[/url] package for [b]EL6[/b], now available from the [url=http://elrepo.org]ELRepo Project[/url].

hawaiian717
Posts: 184
Joined: 2009/01/30 19:58:25
Location: California

Re: CAC with CoolKey/CACKey

Post by hawaiian717 » 2011/12/07 01:10:48

You could also try using OpenSC in place of CACKey and CoolKey. It should recognize your CAC as a PIV II card, but it will still work. Most CACs issued in the past several years are hybrid CAC and PIV cards.

0.6.5 is the newest version of CACKey on forge.mil.
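
An added example, not written by any poster in this thread: one way to check outside Firefox whether a PKCS#11 module itself stops responding once the card is inserted, using OpenSC's pkcs11-tool under a time limit. The module paths in the usage comment are the ones from the first post; the function names and the PROBE_SECS variable are made up for this example.

```shell
#!/bin/sh
# Added example: load PKCS#11 modules outside Firefox, under a time limit.
# Needs pkcs11-tool (OpenSC) and timeout (coreutils).
# PROBE_SECS and the function names are this example's own, not a tool's.
PROBE_SECS=${PROBE_SECS:-10}

# probe_module MODULE [SECONDS]
# Returns 0 = module initialised and listed its slots,
#         1 = module loaded but reported an error,
#         2 = module file not found,
#         3 = no answer within SECONDS (the hang seen in the browser).
probe_module() {
    pm_module=$1
    pm_secs=${2:-$PROBE_SECS}
    if [ ! -f "$pm_module" ]; then
        echo "MISSING $pm_module"
        return 2
    fi
    # --list-slots makes the tool initialise the module and query the
    # reader; -k 2 sends SIGKILL if SIGTERM is ignored.
    timeout -k 2 "$pm_secs" pkcs11-tool --module "$pm_module" --list-slots \
        >/dev/null 2>&1 && pm_rc=0 || pm_rc=$?
    case $pm_rc in
        0)       echo "OK      $pm_module"; return 0 ;;
        124|137) echo "HANG    $pm_module (no reply in ${pm_secs}s)"; return 3 ;;
        *)       echo "ERROR   $pm_module (exit $pm_rc)"; return 1 ;;
    esac
}

# probe_all MODULE...: probe each module; return how many of them hung.
probe_all() {
    pa_hung=0
    for pa_module in "$@"; do
        probe_module "$pa_module" && pa_rc=0 || pa_rc=$?
        if [ "$pa_rc" -eq 3 ]; then pa_hung=$((pa_hung + 1)); fi
    done
    return "$pa_hung"
}

# Stand-alone use with the card inserted, e.g.:
#   sh probe.sh /usr/lib/libcackey.so /usr/lib/libcoolkeypk11.so
if [ "$#" -gt 0 ]; then probe_all "$@"; fi
```

A HANG result here points at the module or the pcsc layer rather than at the browser; an OK result with the same card points back at the Firefox side.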
