Posted to users@subversion.apache.org by "Calahan, Joshua A CTR USAF AFMC AEDC/ATA" <Jo...@arnold.af.mil> on 2008/04/10 14:54:13 UTC
Re: svn client & smartcard certificates
On Fri, Mar 28, 2008 at 09:26:59AM, Joe Orton wrote:
> Getting it working requires some effort; you need all of:
>
> 1) pakchois from http://www.manyfish.co.uk/pakchois/, set up to find the
> PKCS#11 provider(s) of choice
> 2) GnuTLS 2.x from http://www.gnu.org/software/gnutls/
> 3) neon 0.28.x built against both the above
> 4) Subversion built against that neon 0.28.x install
>
> So, for example, if you have the CoolKey PKCS#11 provider installed at
> /usr/lib/pkcs11/libcoolkeypk11.so, then you would do this:
>
> 1) Build pakchois:
>
> ./configure --enable-module-path=/usr/lib/pkcs11 --prefix=/usr/local/pkcs11
> make && make install
>
> *** very important that pakchois is configured to look in the right
> directory for PKCS#11 provider loadable modules ***
>
> 2) Build GnuTLS 2.x:
>
> ./configure --prefix=/usr/local/pkcs11
> make && make install
>
> 3) Build neon 0.28.2:
>
> ./configure --prefix=/usr/local/pkcs11 --enable-shared \
> --with-libs=/usr/local/pkcs11 --with-ssl=gnutls
>
> *** check for this line in the configure output: ***
>
> configure: using pakchois for PKCS11 support
>
> *** if not present, neon will not have PKCS#11 support ***
>
> make && make install
>
> 4) Build Subversion 1.5.0 alpha2:
>
> ./configure --with-neon=/usr/local/pkcs11
>
> This should result in a Subversion build with working PKCS#11 support.
>
> To configure use of the CoolKey provider, you'd then need to add:
>
> ssl-pkcs11-provider = coolkey
>
> at the appropriate place in ~/.subversion/servers. You could add it in
> the [global] section to use it for all servers, or e.g. to use it for
> all *.mil servers:
>
> [groups]
> cac = *.mil
>
> [cac]
> ssl-pkcs11-provider = coolkey
>
> That should be it. When you try to use an SSL server which requests a
> client cert, you should get prompted for the smartcard PIN.
>
> I'd be very interested in hearing about whether this works for the CAC
> card - let me know if you have problems, or any questions/feedback.
No luck here. I get:
svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
The only difference from the instructions above is that I'm using the 64-bit libcoolkey, i.e. /usr/lib64/pkcs11/libcoolkeypk11.so. As with Quint, it works with firefox.
I'm using:
pakchois-0.4.tar.gz
gnutls-2.3.4.tar.bz2
subversion-deps-1.5.0-rc1.tar.bz2 (neon 0.28.2)
subversion-1.5.0-rc1.tar.bz2
Thanks,
Josh
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
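The [groups] mechanism quoted above decides which hosts will trigger a smartcard PIN prompt and which CA files are trusted for them. The following is an added example, not part of the original thread or of Subversion itself, that resolves those two settings for a given hostname. The sample file, the "internal" group, all file paths and the first-match rule for overlapping groups are assumptions made for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of ~/.subversion/servers. The option names come from the
# thread; the "internal" group and all file paths are made up for illustration.
SAMPLE_SERVERS = """\
[groups]
cac = *.mil
internal = svn.example.org, *.corp.example.org

[global]
ssl-authority-files = /etc/pki/tls/cert.pem

[cac]
ssl-pkcs11-provider = coolkey
ssl-authority-files = /etc/pki/dod/root.pem;/etc/pki/dod/issuing.pem
"""


def load_servers(text):
    """Parse servers-file text, keeping option names exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def matching_groups(cp, host):
    """Return every group whose comma-separated glob list matches host."""
    if not cp.has_section("groups"):
        return []
    hits = []
    for group, patterns in cp.items("groups"):
        globs = [p.strip() for p in patterns.split(",") if p.strip()]
        if any(fnmatchcase(host, g) for g in globs):
            hits.append(group)
    return hits


def audit(cp, host):
    """Report which smartcard provider and CA files apply to host."""
    settings = dict(cp.items("global")) if cp.has_section("global") else {}
    groups = matching_groups(cp, host)
    # Assumption: when several groups match, the first one in file order is
    # applied here; "ambiguous" flags that case so it can be cleaned up.
    if groups and cp.has_section(groups[0]):
        settings.update(cp.items(groups[0]))
    ca_files = [p.strip() for p in settings.get("ssl-authority-files", "").split(";")]
    return {
        "host": host,
        "groups": groups,
        "ambiguous": len(groups) > 1,
        "pkcs11_provider": settings.get("ssl-pkcs11-provider"),
        "authority_files": [p for p in ca_files if p],
    }


if __name__ == "__main__":
    cp = load_servers(SAMPLE_SERVERS)
    for host in ("svn.example.mil", "svn.example.org", "svn.example.net"):
        print(audit(cp, host))
```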
RE: svn client & smartcard certificates
Posted by "Calahan, Joshua A CTR USAF AFMC AEDC/ATA" <Jo...@arnold.af.mil>.
On Thu, Apr 10, 2008 at 4:07:00PM, Joe Orton wrote:
> On Thu, Apr 10, 2008 at 10:54:13AM -0400, Calahan, Joshua A CTR USAF AFMC AEDC/ATA wrote:
> > svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
> >
> > The only difference from the instructions above is that I'm using the
> > 64-bit libcoolkey, i.e. /usr/lib64/pkcs11/libcoolkeypk11.so. As with
> > Quint, it works with firefox.
>
> Did you configure pakchois using --enable-module-path=/usr/lib64/pkcs11?
>
> If so, can you run svn under strace to check whether the coolkey .so is
> being opened?
>
I configured pakchois using --enable-module-path=/usr/lib64/pkcs11.
Here is the strace output:
...
open("/usr/lib64/pkcs11/libcoolkeypk11.so", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\247\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0755, st_size=138080, ...}) = 0
mmap(NULL, 1184720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a970db000
mprotect(0x2a970fc000, 1049552, PROT_NONE) = 0
mmap(0x2a971fb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x20000) = 0x2a971fb000
close(4)
...
The output from this point to the end is attached.
Thanks,
Josh
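The strace check requested above answers one narrow question: was the provider file found and mapped into the process. The following is an added example, not part of the original thread, that reads strace output and reports this. The first sample is copied from the excerpt in the message above, the second is constructed, and the verdict names are hypothetical. A "mapped" verdict means the module path is not the problem and the failure happens after the file is loaded.

```python
import re

# Lines copied from the strace excerpt in the thread (64-bit CoolKey module).
TRACE_FROM_THREAD = r'''
open("/usr/lib64/pkcs11/libcoolkeypk11.so", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\247\0\0\0\0\0\0"..., 832) = 832
fstat(4, {st_mode=S_IFREG|0755, st_size=138080, ...}) = 0
mmap(NULL, 1184720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x2a970db000
close(4)
'''

# Constructed trace: the configured module directory lacks the provider.
TRACE_MISSING = r'''
open("/usr/lib/pkcs11/libcoolkeypk11.so", O_RDONLY) = -1 ENOENT (No such file or directory)
'''

OPEN = re.compile(r'^open\("([^"]+)", [^)]*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')
READ = re.compile(r'^read\((\d+), "((?:[^"\\]|\\.)*)"')
MMAP = re.compile(r'^mmap\([^,]+, \d+, ([A-Z_|]+), [A-Z_|]+, (\d+),')
CLOSE = re.compile(r'^close\((\d+)\)')
# strace prints the ELF magic as \177ELF; the next byte is EI_CLASS.
ELF_CLASS = re.compile(r'^\\177ELF\\0{0,2}([12])(?!\d)')
BITS = {"1": 32, "2": 64}  # ELFCLASS32 / ELFCLASS64


def triage(trace, needle):
    """Summarise how far loading of a module whose path contains needle got."""
    result = {"path": None, "errors": [], "elf_bits": None, "mapped_exec": False}
    fds = {}  # fd -> path, for matching module files that are currently open
    for line in trace.splitlines():
        line = line.strip()
        if m := OPEN.match(line):
            path, ret, errno = m.group(1), int(m.group(2)), m.group(3)
            if needle not in path:
                continue
            if ret < 0:
                result["errors"].append((path, errno))
            else:
                fds[ret] = path
                result["path"] = path
        elif m := READ.match(line):
            if int(m.group(1)) in fds and (e := ELF_CLASS.match(m.group(2))):
                result["elf_bits"] = BITS[e.group(1)]
        elif m := MMAP.match(line):
            if int(m.group(2)) in fds and "PROT_EXEC" in m.group(1):
                result["mapped_exec"] = True
        elif m := CLOSE.match(line):
            fds.pop(int(m.group(1)), None)
    if result["mapped_exec"]:
        result["verdict"] = "mapped"             # found and mapped executable
    elif result["path"]:
        result["verdict"] = "opened-not-mapped"  # opened, but never mapped
    elif result["errors"]:
        result["verdict"] = "open-failed"        # wrong directory or permissions
    else:
        result["verdict"] = "never-opened"       # loader never tried this name
    return result


if __name__ == "__main__":
    print(triage(TRACE_FROM_THREAD, "coolkey"))
    print(triage(TRACE_MISSING, "coolkey"))
```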
RE: svn client & smartcard certificates
Posted by "Van Deman, Quint CTR US USJFCOM J7" <qu...@att.jfcom.mil>.
No worries Joe, I'll apply the patch this afternoon & attach the output.
Thanks,
Quint
-----Original Message-----
From: Joe Orton [mailto:jorton@redhat.com]
Sent: Friday, April 18, 2008 9:26 AM
To: Van Deman, Quint CTR US USJFCOM J7
Cc: Calahan, Joshua A CTR USAF AFMC AEDC/ATA; Smith, Barbara CTR US
USJFCOM J7; users@subversion.tigris.org
Subject: Re: svn client & smartcard certificates
On Fri, Apr 18, 2008 at 09:07:15AM -0400, Van Deman, Quint CTR US
USJFCOM J7 wrote:
> Joe--
>
> Thanks again for all of your help & sorry it's taken me a while to get
> back to you. I ran into the same error that Joshua did: svn: Invalid
> config: unable to load PKCS#11 provider 'coolkey'.
...
> open("/usr/lib/pkcs11/libcoolkeypk11.so", O_RDONLY) = 4
> read(4,
> "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240|\0\0004\0\0\0"...,
> 512) = 512
> fstat64(4, {st_mode=S_IFREG|0755, st_size=130744, ...}) = 0
Hi folks, sorry I never followed up with Joshua's report of this
problem. I'm not sure why this is failing; I've tested loading coolkey
on a Fedora 8 system without problems.
Could you try rebuilding pakchois with the attached patch applied, and
trying again? This should give diagnostics on stderr.
joe
RE: svn client & smartcard certificates
Posted by "Van Deman, Quint CTR US USJFCOM J7" <qu...@att.jfcom.mil>.
Sounds great Joe, I'll try to keep tabs on it, but as you hear anything
related to the CryptoAPI work if you could shoot it my way I'd
appreciate it. I'm obviously not a windows guy either, but invariably
there are folks out there in DOD land developing on windows and we can't
totally shut them out long term.
I'll append the DOD CA certs to /etc/pki/tls/cert.pem, recompile neon
with the ca-bundle switch and see if that takes care of the cert trust
issue.
Thanks again for all of your help!
-Quint
-----Original Message-----
From: Joe Orton [mailto:jorton@redhat.com]
Sent: Friday, April 18, 2008 10:57 AM
To: Van Deman, Quint CTR US USJFCOM J7
Cc: Calahan, Joshua A CTR USAF AFMC AEDC/ATA; Smith, Barbara CTR US
USJFCOM J7; users@subversion.tigris.org
Subject: Re: svn client & smartcard certificates
On Fri, Apr 18, 2008 at 10:43:20AM -0400, Van Deman, Quint CTR US
USJFCOM J7 wrote:
> Spot on, that was my dumb mistake...
>
> Everything is working perfectly...both co & commits!
Great news. You can revert the pakchois debugging patch so you don't
get spammed by that too much ;)
> I will roll up a RHEL5 rpm to see if we can get this into a good useable
> form for the average user.
>
> 2 follow on questions:
> - When svn 1.5 is officially released, will these deps be up to an
> appropriate level for all of this to work, or are we still ahead of the
> curve?
The only issue is the pakchois patch needed for CoolKey. I'm not sure
whether this is a bug in CoolKey itself; I've asked our CoolKey guys.
> - Thoughts on a windows build? How is svn built for windows, cygwin?
There was a discussion of this a few days ago on the dev@ list.
I'm not a Windows expert, but I think you'd need to use the CryptoAPI in
place of PKCS#11; neon doesn't support that. It would be quite a bit of
work, though apparently someone is looking into it.
> As for the certificate acceptance, I have the DoD CA public cert in both
> PEM & DER format, just need to know where to drop it so neon will see
> it...
There are two choices here. You can configure Subversion to use it
manually, using the "ssl-authority-files" config option in
~/.subversion/servers.
Alternatively, when you build neon you can pass to configure:
--with-ca-bundle=/path/to/certs.pem
and specify an absolute path of a PEM cert bundle. If you do that, all
the certs in that bundle will be trusted by default by Subversion.
(Normally, one would configure neon to use a system-wide CA root bundle
like /etc/pki/tls/cert.pem which includes the standard Internet PKI
roots.)
Regards,
joe
Re: svn client & smartcard certificates
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Apr 18, 2008 at 10:43:20AM -0400, Van Deman, Quint CTR US USJFCOM J7 wrote:
> Spot on, that was my dumb mistake...
>
> Everything is working perfectly...both co & commits!
Great news. You can revert the pakchois debugging patch so you don't
get spammed by that too much ;)
> I will roll up a RHEL5 rpm to see if we can get this into a good useable
> form for the average user.
>
> 2 follow on questions:
> - When svn 1.5 is officially released, will these deps be up to an
> appropriate level for all of this to work, or are we still ahead of the
> curve?
The only issue is the pakchois patch needed for CoolKey. I'm not sure
whether this is a bug in CoolKey itself; I've asked our CoolKey guys.
> - Thoughts on a windows build? How is svn built for windows, cygwin?
There was a discussion of this a few days ago on the dev@ list.
I'm not a Windows expert, but I think you'd need to use the CryptoAPI in
place of PKCS#11; neon doesn't support that. It would be quite a bit of
work, though apparently someone is looking into it.
> As for the certificate acceptance, I have the DoD CA public cert in both
> PEM & DER format, just need to know where to drop it so neon will see
> it...
There are two choices here. You can configure Subversion to use it
manually, using the "ssl-authority-files" config option in
~/.subversion/servers.
Alternatively, when you build neon you can pass to configure:
--with-ca-bundle=/path/to/certs.pem
and specify an absolute path of a PEM cert bundle. If you do that, all
the certs in that bundle will be trusted by default by Subversion.
(Normally, one would configure neon to use a system-wide CA root bundle
like /etc/pki/tls/cert.pem which includes the standard Internet PKI
roots.)
Regards,
joe
RE: svn client & smartcard certificates
Posted by "Van Deman, Quint CTR US USJFCOM J7" <qu...@att.jfcom.mil>.
Spot on, that was my dumb mistake...
Everything is working perfectly...both co & commits!
See attached...
I will roll up a RHEL5 rpm to see if we can get this into a good useable
form for the average user.
2 follow on questions:
- When svn 1.5 is officially released, will these deps be up to an
appropriate level for all of this to work, or are we still ahead of the
curve?
- Thoughts on a windows build? How is svn built for windows, cygwin?
As for the certificate acceptance, I have the DoD CA public cert in both
PEM & DER format, just need to know where to drop it so neon will see
it...
Thanks again, great, great work!
- Quint
-----Original Message-----
From: Joe Orton [mailto:jorton@redhat.com]
Sent: Friday, April 18, 2008 10:26 AM
To: Van Deman, Quint CTR US USJFCOM J7
Cc: Calahan, Joshua A CTR USAF AFMC AEDC/ATA; Smith, Barbara CTR US
USJFCOM J7; users@subversion.tigris.org
Subject: Re: svn client & smartcard certificates
On Fri, Apr 18, 2008 at 10:17:48AM -0400, Van Deman, Quint CTR US
USJFCOM J7 wrote:
> Joe--
>
> That patch works great for checkouts,
Excellent!
I noticed you had to manually verify the server cert. Are the set of
trusted CA roots from the DoD PKI shipped on the CAC cards? I have
wondered about having neon/SVN automatically trust any certs marked as
trusted on the token.
> but commits give the following: svn:
> 'https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject' is a URL, but
> URLs cannot be commit targets
...
> [jattl@jtsd-svn testproject1]$ svn commit -m "CAC test"
> https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject testproject1
> svn: 'https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject' is a URL, but URLs cannot be commit targets
You don't need to specify the URL when committing; the repository
location is stored in the working copy metadata. Just run:
$ svn commit -m "CAC test"
Regards,
joe
Re: svn client & smartcard certificates
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Apr 18, 2008 at 10:17:48AM -0400, Van Deman, Quint CTR US USJFCOM J7 wrote:
> Joe--
>
> That patch works great for checkouts,
Excellent!
I noticed you had to manually verify the server cert. Are the set of
trusted CA roots from the DoD PKI shipped on the CAC cards? I have
wondered about having neon/SVN automatically trust any certs marked as
trusted on the token.
> but commits give the following: svn:
> 'https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject' is a URL, but
> URLs cannot be commit targets
...
> [jattl@jtsd-svn testproject1]$ svn commit -m "CAC test"
> https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject testproject1
> svn: 'https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject' is a URL, but URLs cannot be commit targets
You don't need to specify the URL when committing; the repository
location is stored in the working copy metadata. Just run:
$ svn commit -m "CAC test"
Regards,
joe
RE: svn client & smartcard certificates
Posted by "Calahan, Joshua A CTR USAF AFMC AEDC/ATA" <Jo...@arnold.af.mil>.
Dropping down to GnuTLS 2.2.x worked!
Great work Joe!
Thanks,
Josh
> -----Original Message-----
> From: Joe Orton [mailto:jorton@redhat.com]
> Sent: Friday, April 18, 2008 9:37 AM
> To: Calahan, Joshua A CTR USAF AFMC AEDC/ATA
> Cc: Van Deman, Quint CTR US USJFCOM J7; Smith, Barbara CTR US USJFCOM
> J7; users@subversion.tigris.org
> Subject: Re: svn client & smartcard certificates
>
> On Fri, Apr 18, 2008 at 10:25:43AM -0400, Calahan, Joshua A CTR USAF
> AFMC AEDC/ATA wrote:
> > Hmmm. I get this for all commands:
> >
> > pakchois: module path [/usr/lib64/pkcs11]
> > pakchois: module directory '/usr/lib64/pkcs11'...
> > pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
> > pakchois: loaded coolkey OK.
> > Passphrase for 'PIN for token "XXXX" in slot "XXXX"':
> > svn: OPTIONS of 'XXXX': SSL negotiation failed: SSL error: GnuTLS internal error. (XXXX)
>
> Were you using GnuTLS 2.3.x? 2.3.x is the GnuTLS development branch and
> there was a bug which broke PKCS#11 with neon, and would fail like that.
> I think 2.3.6 has the fix, but I'd recommend sticking with 2.2.x for the
> time being.
>
> Regards,
>
> joe
Re: svn client & smartcard certificates
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Apr 18, 2008 at 10:25:43AM -0400, Calahan, Joshua A CTR USAF AFMC AEDC/ATA wrote:
> Hmmm. I get this for all commands:
>
> pakchois: module path [/usr/lib64/pkcs11]
> pakchois: module directory '/usr/lib64/pkcs11'...
> pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
> pakchois: loaded coolkey OK.
> Passphrase for 'PIN for token "XXXX" in slot "XXXX"':
> svn: OPTIONS of 'XXXX': SSL negotiation failed: SSL error: GnuTLS internal error. (XXXX)
Were you using GnuTLS 2.3.x? 2.3.x is the GnuTLS development branch and
there was a bug which broke PKCS#11 with neon, and would fail like that.
I think 2.3.6 has the fix, but I'd recommend sticking with 2.2.x for the
time being.
Regards,
joe
RE: svn client & smartcard certificates
Posted by "Calahan, Joshua A CTR USAF AFMC AEDC/ATA" <Jo...@arnold.af.mil>.
Hmmm. I get this for all commands:
pakchois: module path [/usr/lib64/pkcs11]
pakchois: module directory '/usr/lib64/pkcs11'...
pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
pakchois: loaded coolkey OK.
Passphrase for 'PIN for token "XXXX" in slot "XXXX"':
svn: OPTIONS of 'XXXX': SSL negotiation failed: SSL error: GnuTLS internal error. (XXXX)
Josh
-----Original Message-----
From: Van Deman, Quint CTR US USJFCOM J7 [mailto:quint.vandeman@att.jfcom.mil]
Sent: Fri 4/18/2008 9:17 AM
To: Joe Orton; Calahan, Joshua A CTR USAF AFMC AEDC/ATA
Cc: Smith, Barbara CTR US USJFCOM J7; users@subversion.tigris.org
Subject: RE: svn client & smartcard certificates
Joe--
That patch works great for checkouts, but commits give the following:
svn: 'https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject' is a URL,
but URLs cannot be commit targets
Seems like we've almost got it...
Thoughts?
Quint
(Full output attached)
-----Original Message-----
From: Joe Orton [mailto:jorton@redhat.com]
Sent: Friday, April 18, 2008 10:03 AM
To: Calahan, Joshua A CTR USAF AFMC AEDC/ATA
Cc: Van Deman, Quint CTR US USJFCOM J7; Smith, Barbara CTR US USJFCOM
J7; users@subversion.tigris.org
Subject: Re: svn client & smartcard certificates
On Fri, Apr 18, 2008 at 09:53:58AM -0400, Calahan, Joshua A CTR USAF
AFMC AEDC/ATA wrote:
> Here is what I get with the patch:
>
> pakchois: module path [/usr/lib64/pkcs11]
> pakchois: module directory '/usr/lib64/pkcs11'...
> pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
> pakchois: load failed with 10
> svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
OK, thanks! Can you try an additional pakchois patch, attached?
Having said I'd tried coolkey before, I must have been confused - I do
get the same problem here on Fedora 8.
joe
RE: svn client & smartcard certificates
Posted by "Van Deman, Quint CTR US USJFCOM J7" <qu...@att.jfcom.mil>.
Joe--
That patch works great for checkouts, but commits give the following:
svn: 'https://jtsd-svn.att.jfcom.mil/repos/JATTL/testproject' is a URL,
but URLs cannot be commit targets
Seems like we've almost got it...
Thoughts?
Quint
(Full output attached)
-----Original Message-----
From: Joe Orton [mailto:jorton@redhat.com]
Sent: Friday, April 18, 2008 10:03 AM
To: Calahan, Joshua A CTR USAF AFMC AEDC/ATA
Cc: Van Deman, Quint CTR US USJFCOM J7; Smith, Barbara CTR US USJFCOM
J7; users@subversion.tigris.org
Subject: Re: svn client & smartcard certificates
On Fri, Apr 18, 2008 at 09:53:58AM -0400, Calahan, Joshua A CTR USAF
AFMC AEDC/ATA wrote:
> Here is what I get with the patch:
>
> pakchois: module path [/usr/lib64/pkcs11]
> pakchois: module directory '/usr/lib64/pkcs11'...
> pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
> pakchois: load failed with 10
> svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
OK, thanks! Can you try an additional pakchois patch, attached?
Having said I'd tried coolkey before, I must have been confused - I do
get the same problem here on Fedora 8.
joe
Re: svn client & smartcard certificates
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Apr 18, 2008 at 09:53:58AM -0400, Calahan, Joshua A CTR USAF AFMC AEDC/ATA wrote:
> Here is what I get with the patch:
>
> pakchois: module path [/usr/lib64/pkcs11]
> pakchois: module directory '/usr/lib64/pkcs11'...
> pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
> pakchois: load failed with 10
> svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
OK, thanks! Can you try an additional pakchois patch, attached?
Having said I'd tried coolkey before, I must have been confused - I do
get the same problem here on Fedora 8.
joe
RE: svn client & smartcard certificates
Posted by "Calahan, Joshua A CTR USAF AFMC AEDC/ATA" <Jo...@arnold.af.mil>.
On Fri, Apr 18, 2008 at 09:25:15AM -0400, Joe Orton wrote:
> Hi folks, sorry I never followed up with Joshua's report of this
> problem. I'm not sure why this is failing; I've tested loading coolkey
> on a Fedora 8 system without problems.
No problem. I'm using Red Hat Enterprise Linux 5. My build steps are attached.
> Could you try rebuilding pakchois with the attached patch applied, and
> trying again? This should give diagnostics on stderr.
Here is what I get with the patch:
pakchois: module path [/usr/lib64/pkcs11]
pakchois: module directory '/usr/lib64/pkcs11'...
pakchois: loading /usr/lib64/pkcs11/libcoolkeypk11.so
pakchois: load failed with 10
svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
Thanks,
Josh
Re: svn client & smartcard certificates
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Apr 18, 2008 at 09:07:15AM -0400, Van Deman, Quint CTR US USJFCOM J7 wrote:
> Joe--
>
> Thanks again for all of your help & sorry it's taken me a while to get
> back to you. I ran into the same error that Joshua did: svn: Invalid
> config: unable to load PKCS#11 provider 'coolkey'.
...
> open("/usr/lib/pkcs11/libcoolkeypk11.so", O_RDONLY) = 4
> read(4,
> "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240|\0\0004\0\0\0"...,
> 512) = 512
> fstat64(4, {st_mode=S_IFREG|0755, st_size=130744, ...}) = 0
Hi folks, sorry I never followed up with Joshua's report of this
problem. I'm not sure why this is failing; I've tested loading coolkey
on a Fedora 8 system without problems.
Could you try rebuilding pakchois with the attached patch applied, and
trying again? This should give diagnostics on stderr.
joe
RE: svn client & smartcard certificates
Posted by "Van Deman, Quint CTR US USJFCOM J7" <qu...@att.jfcom.mil>.
Joe--
Thanks again for all of your help & sorry it's taken me a while to get
back to you. I ran into the same error that Joshua did: svn: Invalid
config: unable to load PKCS#11 provider 'coolkey'.
(Just for kicks I also tried libcoolkey & libcoolkeypk11 with the same
result).
I can confirm that I followed your instructions very precisely,
including the enable-module-path=/usr/lib/pkcs11 on the pakchois
configure.
The only deviations I had to make were:
- Had to compile libgcrypt from src (1.4.0 vs. RHEL5 rpm provided
1.2.3-1)
- Had to compile libgpgerror from src (1.6 to meet libgcrypt dep)
- The configure for subversion 1.5.0 beta 1 required neon 0.28.1 vs.
0.28.2
I have attached a strace for your review, one can clearly see
libcoolkeypk11.so being accessed, but I'm not well versed enough in
strace to go much beyond that.
open("/usr/lib/pkcs11/libcoolkeypk11.so", O_RDONLY) = 4
read(4,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240|\0\0004\0\0\0"...,
512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=130744, ...}) = 0
Thanks again & let me know what else I can provide for you.
- Quint
gnutls-2.3.6
libgcrypt-1.4.0
libgpgerror-1.6
neon-0.28.1
pakchois-0.4
subversion-1.5.0-beta1
-----Original Message-----
From: Joe Orton [mailto:jorton@redhat.com]
Sent: Thursday, April 10, 2008 5:08 PM
To: Calahan, Joshua A CTR USAF AFMC AEDC/ATA
Cc: users@subversion.tigris.org; Van Deman, Quint CTR US USJFCOM J7
Subject: Re: svn client & smartcard certificates
On Thu, Apr 10, 2008 at 10:54:13AM -0400, Calahan, Joshua A CTR USAF
AFMC AEDC/ATA wrote:
> svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
>
> The only difference from the instructions above is that I'm using the
> 64-bit libcoolkey, i.e. /usr/lib64/pkcs11/libcoolkeypk11.so. As with
> Quint, it works with firefox.
Did you configure pakchois using --enable-module-path=/usr/lib64/pkcs11?
If so, can you run svn under strace to check whether the coolkey .so is
being opened?
joe
Re: svn client & smartcard certificates
Posted by Joe Orton <jo...@redhat.com>.
On Thu, Apr 10, 2008 at 10:54:13AM -0400, Calahan, Joshua A CTR USAF AFMC AEDC/ATA wrote:
> svn: Invalid config: unable to load PKCS#11 provider 'coolkey'
>
> The only difference from the instructions above is that I'm using the
> 64-bit libcoolkey, i.e. /usr/lib64/pkcs11/libcoolkeypk11.so. As with
> Quint, it works with firefox.
Did you configure pakchois using --enable-module-path=/usr/lib64/pkcs11?
If so, can you run svn under strace to check whether the coolkey .so is
being opened?
joe