Re: svn client & smartcard certificates

From: Joe Orton <jorton_at_redhat.com>
Date: Fri, 28 Mar 2008 09:26:59 +0000

Per Karl's mail, following up to users@.

On Thu, Mar 27, 2008 at 04:10:21PM -0400, Van Deman, Quint CTR US USJFCOM J7 wrote:
> I asked this question of the users list back on March 5th and haven't
> gotten any responses. Perhaps someone here might have some insight,
> any information would be appreciated.
>
> I'm working on standing up a subversion server for a US DoD command.
> As such, one of the requirements is that the repository be protected
> with US DoD PKI (a.k.a CAC cards).

...and also yes, the code for using smartcards is present in the
Subversion alpha2 tarball. The current code is indeed pretty basic, as
you say; I'm not sure how the CAC cards are set up so I'm not sure
whether they will work.

Notably: if you have multiple tokens made available by the PKCS#11
provider, or a token with multiple client cert/key pairs, neon will
simply pick the first token/keypair it finds. This can be improved.

Getting it working requires some effort; you need all of:

1) pakchois from http://www.manyfish.co.uk/pakchois/, set up to find the
PKCS#11 provider(s) of choice
2) GnuTLS 2.x from http://www.gnu.org/software/gnutls/
3) neon 0.28.x built against both the above
4) Subversion built against that neon 0.28.x install

So, for example, if you have the CoolKey PKCS#11 provider installed at
/usr/lib/pkcs11/libcoolkeypk11.so, then you would do this:

1) Build pakchois:

./configure --enable-module-path=/usr/lib/pkcs11 --prefix=/usr/local/pkcs11
make && make install

*** very important that pakchois is configured to look in the right
directory for PKCS#11 provider loadable modules ***

2) Build GnuTLS 2.x:

./configure --prefix=/usr/local/pkcs11
make && make install

3) Build neon 0.28.2:

./configure --prefix=/usr/local/pkcs11 --enable-shared \
--with-libs=/usr/local/pkcs11 --with-ssl=gnutls

*** check for this line in the configure output: ***

configure: using pakchois for PKCS11 support

*** if not present, neon will not have PKCS#11 support ***

make && make install

4) Build Subversion 1.5.0 alpha2:

./configure --with-neon=/usr/local/pkcs11

This should result in a Subversion build with working PKCS#11 support.

To configure use of the CoolKey provider, you'd then need to add:

ssl-pkcs11-provider = coolkey

at the appropriate place in ~/.subversion/servers. You could add it in
the [global] section to use it for all servers, or e.g. to use it for
all *.mil servers:

[groups]
cac = *.mil

[cac]
ssl-pkcs11-provider = coolkey

That should be it. When you try to use an SSL server which requests a
client cert, you should get prompted for the smartcard PIN.

I'd be very interested in hearing about whether this works for the CAC
card - let me know if you have problems, or any questions/feedback.

Regards,

joe

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-28 10:27:40 CET

This message: [ Message body ]
Next message: Simon Large: "Using SASL on a Windows server"
Previous message: Tehmul Ghyara: "Re: obliterate revisions [update]"
Maybe in reply to: Van Deman, Quint CTR US USJFCOM J7: "svn client & smartcard certificates"
Next in thread: Van Deman, Quint CTR US USJFCOM J7: "RE: svn client & smartcard certificates"
Reply: Van Deman, Quint CTR US USJFCOM J7: "RE: svn client & smartcard certificates"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]