
RE: svn client & smartcard certificates

From: Van Deman, Quint CTR US USJFCOM J7 <quint.vandeman_at_att.jfcom.mil>
Date: Fri, 28 Mar 2008 09:03:55 -0400

Thank you both for the information.
I will certainly respond back to the users@ list with our progress.
I also apologize for hitting the dev@ list...but I should note that I
did try users first & didn't get any responses...that aside, my
apologies for the lack of list etiquette...

Thanks,

Quint

-----Original Message-----
From: Joe Orton [mailto:jorton_at_redhat.com]
Sent: Friday, March 28, 2008 5:27 AM
To: Van Deman, Quint CTR US USJFCOM J7
Cc: users_at_subversion.tigris.org
Subject: Re: svn client & smartcard certificates

Per Karl's mail, following up to users@.

On Thu, Mar 27, 2008 at 04:10:21PM -0400, Van Deman, Quint CTR US
USJFCOM J7 wrote:
> I asked this question of the users list back on March 5th and haven't
> gotten any responses. Perhaps someone here might have some insight,
> any information would be appreciated.
>
> I'm working on standing up a subversion server for a US DoD command.
> As such, one of the requirements is that the repository be protected
> with US DoD PKI (a.k.a CAC cards).

...and also yes, the code for using smartcards is present in the
Subversion alpha2 tarball. The current code is indeed pretty basic, as
you say; I'm not sure how the CAC cards are set up so I'm not sure
whether they will work.

Notably: if you have multiple tokens made available by the PKCS#11
provider, or a token with multiple client cert/key pairs, neon will
simply pick the first token/keypair it finds. This can be improved.

Getting it working requires some effort; you need all of:

1) pakchois from http://www.manyfish.co.uk/pakchois/, set up to find the
PKCS#11 provider(s) of choice
2) GnuTLS 2.x from http://www.gnu.org/software/gnutls/
3) neon 0.28.x built against both the above
4) Subversion built against that neon 0.28.x install

So, for example, if you have the CoolKey PKCS#11 provider installed at
/usr/lib/pkcs11/libcoolkeypk11.so, then you would do this:

1) Build pakchois:

   ./configure --enable-module-path=/usr/lib/pkcs11 \
        --prefix=/usr/local/pkcs11
   make && make install

   *** very important that pakchois is configured to look in the right
   directory for PKCS#11 provider loadable modules ***

2) Build GnuTLS 2.x:

   ./configure --prefix=/usr/local/pkcs11
   make && make install

3) Build neon 0.28.2:

   ./configure --prefix=/usr/local/pkcs11 --enable-shared \
        --with-libs=/usr/local/pkcs11 --with-ssl=gnutls

   *** check for this line in the configure output: ***

configure: using pakchois for PKCS11 support

   *** if not present, neon will not have PKCS#11 support ***

   make && make install

4) Build Subversion 1.5.0 alpha2:

   ./configure --with-neon=/usr/local/pkcs11

This should result in a Subversion build with working PKCS#11 support.

To configure use of the CoolKey provider, you'd then need to add:

   ssl-pkcs11-provider = coolkey

at the appropriate place in ~/.subversion/servers. You could add it in
the [global] section to use it for all servers, or e.g. to use it for
all *.mil servers:

[groups]
cac = *.mil

[cac]
ssl-pkcs11-provider = coolkey

That should be it. When you try to use an SSL server which requests a
client cert, you should get prompted for the smartcard PIN.

I'd be very interested in hearing about whether this works for the CAC
card - let me know if you have problems, or any questions/feedback.

Regards,

joe
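
The [groups] / [cac] configuration above decides which hosts get the smartcard provider. The script below, an added example and not Subversion's own code, resolves that lookup the way a practitioner might when checking a servers file before rollout: it parses the INI-style file, finds the first group whose comma-separated glob list matches the hostname, and returns the group's ssl-pkcs11-provider with [global] as fallback. Assumptions: Subversion's glob matching is approximated with Python's fnmatch on a lowercased hostname, first matching group wins, and the sample file is constructed for this example.

```python
"""Resolve the effective ssl-pkcs11-provider for a host from a
~/.subversion/servers file (added example, not Subversion's own code)."""
import configparser
import fnmatch
from typing import Optional

# Constructed sample servers file, mirroring the snippet in the mail
# plus a second group to show comma-separated pattern lists.
SAMPLE_SERVERS = """
[groups]
cac = *.mil
lab = build*.example.com, ci.example.com

[cac]
ssl-pkcs11-provider = coolkey

[lab]
ssl-trust-default-ca = yes

[global]
http-timeout = 60
"""


def parse_servers(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def find_group(cp: configparser.ConfigParser, hostname: str) -> Optional[str]:
    """First [groups] entry whose glob list matches the hostname.
    Assumption: fnmatch approximates Subversion's apr_fnmatch globbing."""
    if not cp.has_section("groups"):
        return None
    host = hostname.lower()
    for group, patterns in cp.items("groups"):
        for pat in patterns.split(","):
            if fnmatch.fnmatchcase(host, pat.strip().lower()):
                return group
    return None


def effective_setting(cp: configparser.ConfigParser, hostname: str, option: str) -> Optional[str]:
    """Group section overrides [global]; None means Subversion's built-in default."""
    group = find_group(cp, hostname)
    if group and cp.has_option(group, option):
        return cp.get(group, option)
    if cp.has_option("global", option):
        return cp.get("global", option)
    return None


def pkcs11_provider_for(text: str, hostname: str) -> Optional[str]:
    return effective_setting(parse_servers(text), hostname, "ssl-pkcs11-provider")
```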

Received on 2008-03-28 16:43:08 CET

This is an archived mail posted to the Subversion Users mailing list.
