#1 2009-06-07 04:34:33

mantelope
Member
From: California
Registered: 2009-06-07
Posts: 1

Coolkey + smart-card == pain. Please help!

As a member of the armed forces, I was issued a smart card to be used for signing encrypted emails, browsing DOD websites, etc.
Recently, I saw a card reader at the store on base that said WORKS WITH LINUX right on the box, which prompted me to spring for the purchase. There are several tutorials on how to set this up on ubuntu forums and other places around google, but so far I have not been able to make them work for me using archlinux. I have spent a couple of weekends researching and troubleshooting, and finally, I decided to join the archlinux forums and request assistance from you all here.

Most of the tutorials found were designed for ubuntu users and go something like this:
install pcsclite, pcscd, libccid, pcsc_tools, pcsc_perl, and coolkey
install DOD certificates from http://dodpki.c3pki.chamb.disa.mil/rootca.html
use the firefox gui to link to the coolkey library at /usr/lib/pkcs11/libcoolkeypk11.so
Voilà! You are done.

During the course of my troubleshooting, I decided to install ubuntu on a spare partition and try it on that platform. I was able to make it work fairly effortlessly. The card works perfectly with the generic ccid card-reader driver on ubuntu. On archlinux I have attempted to use the generic driver provided by ccid, as well as the linux_64 driver found at the scmmicro.com website. Neither worked.

This is my situation:
Distribution: archlinux 64bit, ubuntu 32bit
Card Reader: SCM SCR3310
Software installed: pcsc-perl, pcsc-tools, pcsclite, ccid  ... all installed from the AUR
coolkey is not in the AUR, so I wrote myself a PKGBUILD, which I have included at the bottom of this text.

These are the symptoms:
When I run pcsc_scan, it shows the correct card reader and when I plug in my smart card, it registers as a DOD issued CAC card. I have also run the pcscd daemon from the command line with debug output, and I do not see any errors. In fact, it looks exactly the same on archlinux as it does on ubuntu.

My PKGBUILD downloads, compiles, and installs coolkey without giving out any errors. I can navigate to libcoolkeypk11.so using the firefox GUI and it appears to install correctly. When I add the library, it registers as a client with the pcscd daemon (which I can see through the debug output).  Again, this is exactly the same on my archlinux install as it is on my ubuntu install.

THIS is where the differences stand out.
On ubuntu - as soon as I start firefox, I see the light on the Card reader glow constantly green. When I open the firefox preferences dialog I can look at 'my certificates'. When I look at encryption devices with firefox the status indicates that the card is plugged in and it also changes from 'logged in' to 'not logged in' depending on whether or not I am using the certificates. And, of course, it allows me to use my certificates to navigate to DOD websites and check email.

On archlinux - When I start firefox, nothing happens on the card reader. When I open the preferences dialog box, and look at my encryption devices, the status for my coolkey library is "not inserted" even if I have the card plugged in. When I go to DOD websites and try to use the CAC login feature, it tells me that I do not have a CAC card installed.

I am really hoping that someone can help me. I will continue to troubleshoot and will post on here if I get any closer to solving the problem. This is the PKGBUILD that I used to install the coolkey software. Thanks again for any and all help.


pkgname=coolkey
pkgver=1.1.0
pkgrel=1
pkgdesc="DOD CAC card reader software"
arch=('i686' 'x86_64')
url="http://directory.fedoraproject.org/wiki/Coolkey"
license=('GPL')
depends=('pcsclite' 'pcsc-tools' 'ccid')
makedepends=('cvs')
# No tarball: the source is checked out from CVS in build(), so there is
# nothing for makepkg to checksum.
source=()
md5sums=()

_cvsroot=":pserver:anonymous@cvs.fedora.redhat.com:/cvs/dirsec"
_cvsmod="coolkey"

build() {
    cd "$srcdir" || return 1
    msg "downloading coolkey from CVS server..."
    cvs -d "$_cvsroot" checkout "$_cvsmod" || return 1

    msg "download complete. Starting build..."
    # Build in a copy so the CVS checkout stays clean.
    cp -r "$_cvsmod" "$_cvsmod-build"
    cd "$_cvsmod-build" || return 1

    ./configure --prefix=/usr
    make || return 1
    # Stage files under $pkgdir so makepkg packages them instead of writing to the live /usr.
    make DESTDIR="$pkgdir" install || return 1
    #rm -rf "$srcdir/$_cvsmod-build" || return 1
}

Last edited by mantelope (2009-06-07 04:42:42)

Offline

#2 2009-08-23 21:34:05

tallmtt
Member
Registered: 2009-08-14
Posts: 13

Re: Coolkey + smart-card == pain. Please help!

I just installed the programs you mentioned above from AUR including coolkey from AUR and my CAC card reader works on AKO!  I started pcscd daemon and the light stays on all the time that the card is in it - regardless of Firefox open or not.

So to keep things clear, I installed:
  pcsc-perl, pcsc-tools, pcsclite, ccid, and coolkey all from AUR

I then went to:
  http://dodpki.c3pki.chamb.disa.mil/rootca.html

For my certificates.

Lastly, I followed this site's advice for configuring Firefox:

http://ubuntuforums.org/showthread.php?t=564763

Hope this helps.

Unfortunately, the site I wanted to access needs another certificate from my CAC card (email one) which I'll have to send myself or something.  This is a different US Army webmail system.

Glad to see fellow members of the Armed Services using Linux!

Offline

#3 2009-11-03 10:08:18

nicodarious
Member
Registered: 2009-06-13
Posts: 7

Re: Coolkey + smart-card == pain. Please help!

Outstanding!  Really glad to see fellow armed forces members also using Linux!  Been using it for quite some time now, but never thought of getting a CAC reader for home.  Now that I got one personally, I started looking around and I found this site.  Glad to see you all working with Linux too.

As far as getting the CAC reader to work, not too sure about how to go about it.  I've been trying to follow along with your suggestions, but for some reason, even after pcscd is started, there is no light.  When I run pcsc_scan, the CLI just sits there and doesn't list anything.

output for lsusb -v:

Bus 004 Device 007: ID 0dc3:0802 Athena Smartcard Solutions, Inc. ASEDrive IIIe
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x0dc3 Athena Smartcard Solutions, Inc.
  idProduct          0x0802 ASEDrive IIIe
  bcdDevice            1.00
  iManufacturer           1
  iProduct                2
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           32
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
Device Status:     0x0000
  (Bus Powered)

It was said to be Linux compatible, and even on their website, touted the penguin for compatibility listings.  I'm just thinking that I don't have pcsc or one of the other programs that I also installed through AUR installed correctly.

SYSTEM:
Arch Linux OS
kernel26-bigmem kernel
8GB RAM DDR2 800MHz
nvidia GTX275 video card
AMD P2 quad-core @ 3.0 GHz stock

CAC reader: Athena ASE IIIe USB reader


Asus G73JW-3DE 17" 1920x1080 120Hz
Intel core i7 740QM // nVidia GTX460M video 1.5GB GDDR5
8GB DDR3 // dual Seagate XT hybrid drives (500GB each)
BD-burning multidrive // BIOS version G73JW-203

Offline
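
A check for the descriptor posted in #3, as an added example that is not part of any post in this thread: it reads `lsusb -v` output and reports whether each device advertises a smart card class interface (bInterfaceClass 11, the CCID specification that the ccid package implements) or only a vendor-specific one (255), as the ASEDrive IIIe above does. The function names and the second sample device are made up for illustration.

```shell
#!/bin/sh
# Added example: classify devices in `lsusb -v` output by USB interface class.
# Class 11 (0x0B) is the smart card (CCID) class; 255 is vendor specific.

classify_readers() {
    # Reads `lsusb -v` text on stdin, prints "<vid:pid> <verdict>" per device.
    awk '
        function emit() {
            if (id == "") return
            if (ccid)        verdict = "ccid-class"
            else if (vendor) verdict = "vendor-specific"
            else             verdict = "other"
            print id, verdict
        }
        # A new "Bus ... ID vid:pid" line closes the previous device.
        /^Bus [0-9]+ Device [0-9]+: ID / { emit(); id = $6; ccid = 0; vendor = 0; next }
        $1 == "bInterfaceClass" {
            if ($2 == 11)  ccid = 1
            if ($2 == 255) vendor = 1
        }
        END { emit() }
    '
}

# Constructed sample, abridged from the descriptor posted in #3.
sample_vendor() {
cat <<'EOF'
Bus 004 Device 007: ID 0dc3:0802 Athena Smartcard Solutions, Inc. ASEDrive IIIe
Device Descriptor:
  bDeviceClass            0 (Defined at Interface level)
    Interface Descriptor:
      bInterfaceClass       255 Vendor Specific Class
EOF
}

# Constructed sample: a hypothetical reader with a made-up ID.
sample_ccid() {
cat <<'EOF'
Bus 001 Device 003: ID 1234:abcd Example CCID Reader (constructed)
    Interface Descriptor:
      bInterfaceClass        11 Chip/SmartCard
EOF
}

# Demo on the samples; on a real system use: lsusb -v 2>/dev/null | classify_readers
{ sample_vendor; sample_ccid; } | classify_readers
```

A `vendor-specific` verdict does not prove the ccid driver cannot drive the reader, only that the descriptor does not advertise CCID, so the driver's supported-reader list or a vendor driver is the next thing to check.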
