Common Access Card (CAC) Authentication Using Java

java smartcard cac
Paul picture Paul · Feb 13, 2009 · Viewed 36.7k times · Source

I'm bascially looking for someplace to start learning how to interface with a government CAC card using java.

Ultimately, my goal is to find out how to use CAC card authentication (by PIN number) to authorize access to a website hosted using a Tomcat/J2EE server.

But I'll need somewhere to start. So I figure I'd start by writing a small java program to simply read the CAC card information from the CAC card which is inserted into a card reader on my keyboard (DELL keyboard with CAC reader above the numeric keypad).

By searching google, I found the cacard java project (https://cacard.dev.java.net/) which was replaced by the OpenSSO project. But I can't seem to find sample code of how to use it to connect to a card, read from a card, etc.

Does anyone know where I can find some sample code so that I can start learning how to interact with a CAC card using java?

Thanks

EDIT:

After researching more, I was thinking, would I be able to just set clientAuth="true" in the connector element in the server.xml file?

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

clientAuth: Set this value to true if you want Tomcat to require all SSL clients to present a client Certificate in order to use this socket.

Answer

erickson picture erickson · Feb 13, 2009

Are you creating the web application, or trying to write software that runs at the client (sort of like your own web browser)?

If you are creating a web application, it's pretty much just standard client certification authentication. The fact that the certificate came from a hardware token doesn't change much for the server; if you want to accept only CAC certificates, you can specify set of acceptable certificate policies when the server validates the client certificate. (Policy validation is a standard part of PKIX validation.) If this application is for a government customer, you'll need to work closely with their security team to ensure that your solution meets their requirements, which can be stringent. If this is your scenario, let me know and I'll update my answer with some of the issues that we encountered.

If you are writing a client, and need to access the physical reader, you may be able to use the Sun PKCS #11 provider, since Java 1.5. I've experimented with this provider, and you can read more about it in another answer.

On the server, you should check that the certificate is not revoked. However, some of these CRLs are enormous—we had over 100 Mb worth of CRL files, and the built-in Sun revocation checker does not scale well to this size.

You will also need to make sure that you have the right root CA certificates in Tomcat's "trust" key store (the government root CA certs are little harder to find because they want to make sure users are verifying them properly). We also found that Firefox does not send the entire certificate chain unless users import the intermediate certificates into their browser manually.

Related questions

Access restriction on sun.security.pkcs11.SunPKCS11

I'm trying to setup a PKCS11 provider for accessing a smartcard. I installed a PKCS11 library on my system and followed the instructions in the Java PKCS#11 Reference Guide. In the reference they simply create an instance of sun.security.…

Read More
Use APDU commands to get some information for a card

I have a terminal that has its own API to stablish and send commands between chip and terminal, there is a function that transmits the APDU command and returns the answer in a byte array. For example, if a want …

Read More
How do I read the PAN from an EMV SmartCard from Java

I need to read account number from Maestro/Mastercard with smart card reader. I am using Java 1.6 and its javax.smartcardio package. I need to send APDU command which will ask EMV application stored on card's chip for PAN number. …

Read More