
Re: svn client & smartcard certificates

From: Calahan, Joshua A CTR USAF AFMC AEDC/ATA <Joshua.Calahan_at_arnold.af.mil>
Date: Thu, 10 Apr 2008 10:54:13 -0400

On Fri, Mar 28, 2008 at 09:26:59AM, Joe Orton wrote:
> Getting it working requires some effort; you need all of:
>
> 1) pakchois from http://www.manyfish.co.uk/pakchois/, set up to find the
> PKCS#11 provider(s) of choice
> 2) GnuTLS 2.x from http://www.gnu.org/software/gnutls/
> 3) neon 0.28.x built against both the above
> 4) Subversion built against that neon 0.28.x install
>
> So, for example, if you have the CoolKey PKCS#11 provider installed at
> /usr/lib/pkcs11/libcoolkeypk11.so, then you would do this:
>
> 1) Build pakchois:
>
> ./configure --enable-module-path=/usr/lib/pkcs11 --prefix=/usr/local/pkcs11
> make && make install
>
> *** very important that pakchois is configured to look in the right
> directory for PKCS#11 provider loadable modules ***
>
> 2) Build GnuTLS 2.x:
>
> ./configure --prefix=/usr/local/pkcs11
> make && make install
>
> 3) Build neon 0.28.2:
>
> ./configure --prefix=/usr/local/pkcs11 --enable-shared \
> --with-libs=/usr/local/pkcs11 --with-ssl=gnutls
>
> *** check for this line in the configure output: ***
>
> configure: using pakchois for PKCS11 support
>
> *** if not present, neon will not have PKCS#11 support ***
>
> make && make install
>
> 4) Build Subversion 1.5.0 alpha2:
>
> ./configure --with-neon=/usr/local/pkcs11
>
> This should result in a Subversion build with working PKCS#11 support.
>
> To configure use of the CoolKey provider, you'd then need to add:
>
> ssl-pkcs11-provider = coolkey
>
> at the appropriate place in ~/.subversion/servers. You could add it in
> the [global] section to use it for all servers, or e.g. to use it for
> all *.mil servers:
>
> [groups]
> cac = *.mil
>
> [cac]
> ssl-pkcs11-provider = coolkey
>
> That should be it. When you try to use an SSL server which requests a
> client cert, you should get prompted for the smartcard PIN.
>
> I'd be very interested in hearing about whether this works for the CAC
> card - let me know if you have problems, or any questions/feedback.

No luck here. I get:

    svn: Invalid config: unable to load PKCS#11 provider 'coolkey'

The only difference from the instructions above is that I'm using the 64-bit libcoolkey, i.e. /usr/lib64/pkcs11/libcoolkeypk11.so. As with Quint, it works with Firefox.

I'm using:

pakchois-0.4.tar.gz
gnutls-2.3.4.tar.bz2
subversion-deps-1.5.0-rc1.tar.bz2 (neon 0.28.2)
subversion-1.5.0-rc1.tar.bz2

Thanks,
Josh

Received on 2008-04-11 22:53:10 CEST

This is an archived mail posted to the Subversion Users mailing list.
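
A troubleshooting sketch for the "unable to load PKCS#11 provider" error reported in this thread, added here as an example and not part of the original mails or of pakchois, neon or Subversion: it checks that the provider module is present in the directory given to pakchois via `--enable-module-path` and that its ELF class (32-bit or 64-bit) matches the client binary. The `lib<name>pk11.so` naming is an assumption inferred from the CoolKey path in the quoted instructions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a PKCS#11 provider module.

# elf_class FILE -> prints 32, 64 or not-elf, read from the ELF header.
elf_class() {
    # Bytes 0-3 are the magic 0x7f 'E' 'L' 'F'; byte 4 (EI_CLASS) is
    # 1 for a 32-bit object and 2 for a 64-bit object.
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo not-elf ;;
    esac
}

# check_provider MODULE_DIR PROVIDER CLIENT_BINARY
# MODULE_DIR is the value passed to pakchois --enable-module-path.
# Assumption: provider NAME is looked up as MODULE_DIR/libNAMEpk11.so,
# as with "coolkey" -> libcoolkeypk11.so in the instructions above.
# Returns 0 ok, 1 module missing, 2 not an ELF file, 3 class mismatch.
check_provider() {
    mod="$1/lib${2}pk11.so"
    if [ ! -r "$mod" ]; then
        echo "missing: $mod"
        return 1
    fi
    mc=$(elf_class "$mod")
    cc=$(elf_class "$3")
    if [ "$mc" = not-elf ] || [ "$cc" = not-elf ]; then
        echo "not-elf: module=$mc client=$cc"
        return 2
    fi
    if [ "$mc" != "$cc" ]; then
        echo "class-mismatch: module=${mc}-bit client=${cc}-bit"
        return 3
    fi
    echo "ok: $mod (${mc}-bit)"
}

# Stand-alone use: sh check.sh /usr/lib64/pkcs11 coolkey /path/to/svn
if [ "$#" -eq 3 ]; then
    check_provider "$@"
fi
```

A "missing" result for a module that exists elsewhere on disk means the directory compiled into pakchois is not the one that holds the module.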