SO Java Answer Help

RyanReese · April 15, 2015, 2:02pm

http://stackoverflow.com.80bola.com/questions/544056/common-access-card-cac-authentication-using-java

I load up NetBeans to run that code sample in this thread (scroll down) however I’m getting some errors. I think this is due to me not putting the card.config thing in right.

Can someone who knows Java walk me through? Not sure how many people know Java on here.

java.security.ProviderException: Error parsing configuration
at sun.security.pkcs11.Config.getConfig(Config.java:88)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:129)
at sun.security.pkcs11.SunPKCS11.(SunPKCS11.java:103)
at cacpkcs.Cacpkcs.main(Cacpkcs.java:21)
Caused by: java.io.FileNotFoundException: pkcs11.properties (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.(FileInputStream.java:131)
at java.io.FileInputStream.(FileInputStream.java:87)
at sun.security.pkcs11.Config.(Config.java:211)
at sun.security.pkcs11.Config.getConfig(Config.java:84)
… 3 more

I also don’t know if I have the PKCS package installed though…dunno. Someone with Java knowledge probably can read more into this than I can.

sg707 · April 15, 2015, 2:37pm

I have 0 experience in CAC but the error seems clear. It can’t find pkcs11.properties. If you enable debugging in your IDE then take a look at

at sun.security.pkcs11.Config.(Config.java:211)

 195       private Config(String filename, InputStream in) throws IOException {
  196           if (in == null) {
  197               if (filename.startsWith("--")) {
  198                   // inline config
  199                   String config = filename.substring(2).replace("\\n", "\n");
  200                   reader = new StringReader(config);
  201               } else {
  202                   in = new FileInputStream(expand(filename));
  203               }
  204           }
  205           if (reader == null) {
  206               reader = new BufferedReader(new InputStreamReader(in));
  207           }
  208           parsedKeywords = new HashSet<String>();
  209           st = new StreamTokenizer(reader);
  210           setupTokenizer();
  211           parse();
  212       }

RyanReese · April 15, 2015, 2:44pm

Yes I do believe this is caused by it being unable to find the package. However I’m unsure how to install this. I’ve googled this and it’s all very confusing.

mawburn · April 15, 2015, 3:02pm

http://stackoverflow.com/questions/7597495/add-more-existing-sources-to-java-project

(OT: I really dislike the SO previews)

TechnoBear · April 15, 2015, 3:04pm

For most things, you can prevent the preview and post a straight link simply by adding a space at the start of the URL.

WolfShade · April 15, 2015, 4:21pm

If you’re using Apache, there are several lines remarked out in one of the config files that will make these available if a CAC is inserted into the reader. There might be the same in IIS, but don’t know. Also, check to make sure that the CAC has exported certificates to the Operating System for use.

(If you are on a Windows desktop, right-click the ActivClient icon and choose OPEN, then click on TOOLS > ADVANCED, and select “Make certificates available to Windows”)

HTH,

RyanReese · April 15, 2015, 4:39pm

Ultimately the goal here was to get all EDIPI numbers (10digit number on back of the cards) and loop through all 7000ish results and insert them into ActiveDirectory.

They said they can only release those numbers on court order. Well sh**.

We do have an IIS server but we have no test server of it so I’d be making changes on a live server. That’s extremely no-no so that’s out of the question.

We do have a test apache server but I’m a lowly junior developer who doesn’t have access…man this whole thing is a PITA. I don’t speak server language / Apache either so I’m reading all these articles and crap and it’s like Chinese to me. This is getting ridiculous.

The current effort I have to make now is to have a web form which lets users fill out their first/last name, and then a script to grab the CaC EDIPI (validated against the PIN) which then inserts into the ActiveDirectory. LET IT BE KNOWN that I have to AUTOMATICALLY get the number instead of users entering it in so it’s correct and user-error free.

Just ONE clear and CONCISE tutorial would make this a whole lot easier but all these server folks try to talk smart to impress others. Super annoying. I’m going to go bald before my 24th birthday at this rate…

mawburn · April 15, 2015, 6:14pm

What you’re trying to do is not a simple task. A senior dev would probably struggle a bit if they’d never done it before.

Mittineague · April 15, 2015, 6:25pm

Got the source for the beginning of the
Cacpkcs.java
file?
i.e where the packages are called in including line 21

RyanReese · April 15, 2015, 6:36pm

The entire cacpkcs.java file is in that stackoverflow thread. I copy/pasted it in @Mittineague

WolfShade · April 15, 2015, 6:36pm

If I may ask, what server-side language are you scripting? If it’s ColdFusion, and if the web server is set for it, the EPIDI appears in the CGI scope. It will be in the following format:

LAST dot (CADENCE, if any dot) FIRST dot MI dot {10 digit number}

If you do a #ListLast(cgi.CLIENT_S_DN_CN,'.')#, you’ll have the EPIDI.

HTH,

RyanReese · April 15, 2015, 6:38pm

Once this program is working then I’ll need to somehow include this as a servlet or something (maybe PHP exec()?) and somehow be able to grab whatever number this program grabs.

PHP would be the choice if possible.

WolfShade · April 15, 2015, 6:40pm

Och… I have only tutorial knowledge of PHP. Do you know if PHP can access the CGI scope?

V/r,

RyanReese · April 15, 2015, 6:41pm

Brother, I do not know. I’m almost done with this whole project. It’s defeating me.

WolfShade · April 15, 2015, 7:06pm

I’m not SURE, but I think that CGI variables are in the $_ENV superglobal. If you can output that array, you should be able to see if CLIENT_S_DN_CN is present.

HTH,

RyanReese · April 15, 2015, 7:07pm

So try something like this?

<?php
echo $_ENV[CLIENT_S_DC_CN];
?>

Mittineague · April 15, 2015, 7:12pm

I’m not accustomed to SO but if it is I’m sure not seeing it.
Here?
http://stackoverflow.com.80bola.com/questions/544056/common-access-card-cac-authentication-using-java

RyanReese · April 15, 2015, 7:14pm

This answer
http://stackoverflow.com.80bola.com/a/1632882

Edit-Just scroll down that thread - you don’t see Java code?

The SO links they give to share are messed up.

WolfShade · April 15, 2015, 7:17pm

Theoretically, given my lack of PHP knowledge/experience, I’d guess yes. If you want to see EVERYTHING, loop the array (or use an arrayOutput, if PHP has one.)

Just my $0.03164.

Mittineague · April 15, 2015, 7:20pm

I see
public class Test
that one?

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

2.1 Requirements
The Sun PKCS#11 provider is supported on Solaris (SPARC and x86) and Linux (x86) in both 32-bit and 64-bit Java processes. It is also supported on 32-bit Windows (x86) but not currently on 64-bit Windows platforms due to the lack of suitable PKCS#11 libraries.

The Sun PKCS#11 provider requires an implementation of PKCS#11 v2.0 or later to be installed on the system. This implementation must take the form of a shared-object library (.so on Solaris and Linux) or dynamic-link library (.dll on Windows). Please consult your vendor documentation to find out if your cryptographic device includes such a PKCS#11 implementation, how to configure it, and what the name of the library file is.

The Sun PKCS#11 provider supports a number of algorithms, provided that the underlying PKCS#11 implementation offers them. The algorithms and their corresponding PKCS#11 mechanisms are listed in the table in Appendix A.