SO Java Answer Help

http://stackoverflow.com.80bola.com/questions/544056/common-access-card-cac-authentication-using-java

I load up NetBeans to run that code sample in this thread (scroll down) however I’m getting some errors. I think this is due to me not putting the card.config thing in right.

Can someone who knows Java walk me through? Not sure how many people know Java on here.

java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:129)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at cacpkcs.Cacpkcs.main(Cacpkcs.java:21)
Caused by: java.io.FileNotFoundException: pkcs11.properties (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:131)
at java.io.FileInputStream.<init>(FileInputStream.java:87)
at sun.security.pkcs11.Config.<init>(Config.java:211)
at sun.security.pkcs11.Config.getConfig(Config.java:84)
… 3 more

I also don’t know if I have the PKCS package installed though…dunno. Someone with Java knowledge probably can read more into this than I can.

I have 0 experience in CAC but the error seems clear. It can’t find pkcs11.properties. If you enable debugging in your IDE then take a look at

at sun.security.pkcs11.Config.<init>(Config.java:211)

  195       private Config(String filename, InputStream in) throws IOException {
  196           if (in == null) {
  197               if (filename.startsWith("--")) {
  198                   // inline config
  199                   String config = filename.substring(2).replace("\\n", "\n");
  200                   reader = new StringReader(config);
  201               } else {
  202                   in = new FileInputStream(expand(filename));
  203               }
  204           }
  205           if (reader == null) {
  206               reader = new BufferedReader(new InputStreamReader(in));
  207           }
  208           parsedKeywords = new HashSet<String>();
  209           st = new StreamTokenizer(reader);
  210           setupTokenizer();
  211           parse();
  212       }
1 Like
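A pre-flight check for the failure in the stack trace above, added here as an example and not taken from the thread or the linked answer: it resolves the config name against the working directory, as the `FileInputStream` call in the quoted constructor does, and confirms that the `library` entry points at a real file before the provider is built. The class and method names are assumptions, and the provider constructor is the Java 8 one seen in the trace.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Provider;
import java.security.Security;

public class Pkcs11ConfigCheck {

    // Resolve the name against the working directory (what a relative
    // FileInputStream path uses) and report the full path when it is missing.
    static Path requireConfig(String name) throws IOException {
        Path p = Paths.get(name).toAbsolutePath().normalize();
        if (!Files.isRegularFile(p)) {
            throw new IOException("PKCS#11 config not found: " + p);
        }
        return p;
    }

    // Value of the "library" attribute in the config, or null if absent.
    // ISO-8859-1 decodes any byte sequence, so odd encodings cannot fail here.
    static String libraryOf(Path config) throws IOException {
        for (String line : Files.readAllLines(config, StandardCharsets.ISO_8859_1)) {
            String t = line.trim();
            int eq = t.indexOf('=');
            if (!t.startsWith("#") && eq > 0
                    && t.substring(0, eq).trim().equals("library")) {
                return t.substring(eq + 1).trim();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Default is the file name from the exception; pass another path as args[0].
        Path config = requireConfig(args.length > 0 ? args[0] : "pkcs11.properties");
        String lib = libraryOf(config);
        if (lib == null || !Files.isRegularFile(Paths.get(lib))) {
            throw new IOException("library in " + config + " is not a file: " + lib);
        }
        // Java 8 and earlier, as in the stack trace. On Java 9+ call
        // Security.getProvider("SunPKCS11").configure(config.toString()) instead.
        Provider p = new sun.security.pkcs11.SunPKCS11(config.toString());
        Security.addProvider(p);
        System.out.println("Loaded " + p.getName() + " with " + lib);
    }
}
```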

Yes I do believe this is caused by it being unable to find the package. However I’m unsure how to install this. I’ve googled this and it’s all very confusing.

http://stackoverflow.com/questions/7597495/add-more-existing-sources-to-java-project

(OT: I really dislike the SO previews)

For most things, you can prevent the preview and post a straight link simply by adding a space at the start of the URL.

1 Like

If you’re using Apache, there are several lines remarked out in one of the config files that will make these available if a CAC is inserted into the reader. There might be the same in IIS, but don’t know. Also, check to make sure that the CAC has exported certificates to the Operating System for use.

(If you are on a Windows desktop, right-click the ActivClient icon and choose OPEN, then click on TOOLS > ADVANCED, and select “Make certificates available to Windows”)

HTH,

:slight_smile:

Ultimately the goal here was to get all EDIPI numbers (10-digit number on back of the cards) and loop through all 7000ish results and insert them into Active Directory.

They said they can only release those numbers on court order. Well sh**.

We do have an IIS server but we have no test server of it so I’d be making changes on a live server. That’s extremely no-no so that’s out of the question.

We do have a test apache server but I’m a lowly junior developer who doesn’t have access…man this whole thing is a PITA. I don’t speak server language / Apache either so I’m reading all these articles and crap and it’s like Chinese to me. This is getting ridiculous.

The current effort I have to make now is to have a web form which lets users fill out their first/last name, and then a script to grab the CAC EDIPI (validated against the PIN) which then inserts into the Active Directory. LET IT BE KNOWN that I have to AUTOMATICALLY get the number instead of users entering it in so it’s correct and user-error free.

Just ONE clear and CONCISE tutorial would make this a whole lot easier but all these server folks try to talk smart to impress others. Super annoying. I’m going to go bald before my 24th birthday at this rate…

What you’re trying to do is not a simple task. A senior dev would probably struggle a bit if they’d never done it before.

Got the source for the beginning of the Cacpkcs.java file? I.e. where the packages are called in, including line 21.

The entire cacpkcs.java file is in that stackoverflow thread. I copy/pasted it in @Mittineague

If I may ask, what server-side language are you scripting? If it’s ColdFusion, and if the web server is set for it, the EDIPI appears in the CGI scope. It will be in the following format:

LAST dot (CADENCE, if any dot) FIRST dot MI dot {10 digit number}

If you do a #ListLast(cgi.CLIENT_S_DN_CN,'.')#, you’ll have the EDIPI.

HTH,

:slight_smile:
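The last-token rule from the post above, written in Java as an added example (not code from the thread): it pulls the CN out of a certificate subject DN with a DN parser and accepts the final dot-separated token only when it is exactly ten digits. The class name, method names and sample DNs are constructed for illustration.

```java
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class EdipiFromSubject {
    private static final Pattern TEN_DIGITS = Pattern.compile("\\d{10}");

    // Last dot-separated token of the CN, returned only if it is 10 ASCII digits.
    static String edipiFromCn(String cn) {
        if (cn == null) {
            return null;
        }
        String last = cn.substring(cn.lastIndexOf('.') + 1).trim();
        return TEN_DIGITS.matcher(last).matches() ? last : null;
    }

    // Parse the full subject DN instead of splitting on commas, so escaped
    // commas or dots inside other attributes cannot shift the result.
    static String edipiFromSubjectDn(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return edipiFromCn(String.valueOf(rdn.getValue()));
                }
            }
        } catch (InvalidNameException e) {
            // Malformed DN: treat as "no EDIPI" instead of guessing.
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample subjects, not real identities.
        String[] samples = {
            "CN=DOE.JOHN.Q.1234567890,OU=Example,C=US",    // plain name
            "CN=DOE.JR.JOHN.Q.1234567890,OU=Example,C=US", // with suffix
            "CN=www.example.mil,OU=Example,C=US",          // server cert, no EDIPI
            "CN=DOE.JOHN.Q.12345,OU=Example,C=US"          // too short, rejected
        };
        for (String dn : samples) {
            System.out.println(dn + " -> " + edipiFromSubjectDn(dn));
        }
    }
}
```

The value is only as trustworthy as its source: take the DN from a certificate the web server has already verified, never from a form field or request header the client controls.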

Once this program is working then I’ll need to somehow include this as a servlet or something (maybe PHP exec()?) and somehow be able to grab whatever number this program grabs.

PHP would be the choice if possible.

Och… I have only tutorial knowledge of PHP. Do you know if PHP can access the CGI scope?

V/r,

:slight_smile:

Brother, I do not know. I’m almost done with this whole project. It’s defeating me.

I’m not SURE, but I think that CGI variables are in the $_ENV superglobal. If you can output that array, you should be able to see if CLIENT_S_DN_CN is present.

HTH,

:slight_smile:

So try something like this?

<?php
// Array keys must be quoted strings; the variable name is CLIENT_S_DN_CN.
echo $_ENV['CLIENT_S_DN_CN'];
?>

I’m not accustomed to SO but if it is I’m sure not seeing it.
Here?
http://stackoverflow.com.80bola.com/questions/544056/common-access-card-cac-authentication-using-java

This answer
http://stackoverflow.com.80bola.com/a/1632882

Edit-Just scroll down that thread - you don’t see Java code?

The SO links they give to share are messed up.

Theoretically, given my lack of PHP knowledge/experience, I’d guess yes. If you want to see EVERYTHING, loop the array (or use an arrayOutput, if PHP has one.)

Just my $0.03164.

:slight_smile:

I see public class Test, that one?

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

2.1 Requirements
The Sun PKCS#11 provider is supported on Solaris (SPARC and x86) and Linux (x86) in both 32-bit and 64-bit Java processes. It is also supported on 32-bit Windows (x86) but not currently on 64-bit Windows platforms due to the lack of suitable PKCS#11 libraries.

The Sun PKCS#11 provider requires an implementation of PKCS#11 v2.0 or later to be installed on the system. This implementation must take the form of a shared-object library (.so on Solaris and Linux) or dynamic-link library (.dll on Windows). Please consult your vendor documentation to find out if your cryptographic device includes such a PKCS#11 implementation, how to configure it, and what the name of the library file is.

The Sun PKCS#11 provider supports a number of algorithms, provided that the underlying PKCS#11 implementation offers them. The algorithms and their corresponding PKCS#11 mechanisms are listed in the table in Appendix A.