(Help) Accessing DoD CAC protected web sites with Java Applications


Martin Dudel

Mar 27, 2017, 4:06:27 PM
to Military Open Source Software
Hi,

We have some Java apps that pull data from web sites to automate labor intensive operations. Most of these web sites are now requiring CAC cards to access.
Are there any OSS projects or Java code snippets that allow a Java application to access a CAC card and then present the credentials on behalf of the Java app to the web service?

My team can currently pull data off the CAC card but aren't quite sure how to pass the credentials with a Java HttpClient connection.

Marty

cjturner

Mar 27, 2017, 8:46:47 PM
to Military Open Source Software

Marty -

It's kind of hard to figure out what you are trying to do, but, if the CAC is to be used for authentication to a DoD website, your application is going to have to run under user control. The authentication piece uses precisely the data you cannot get off of the card (the private key) to create an encrypted packet that the website decrypts with the public key.

If you are accessing a web service of some kind, it is possible for your server to get a 'hardware' certificate to authenticate. Your partner (target) servers will have to be configured to accept that kind of certificate.

christopher

Matthew

Mar 28, 2017, 12:12:40 AM
to mil...@googlegroups.com
Yeah, good luck on that, kind of defeats the purpose of having CAC enabled sites.

Matthew Conley
912-398-6704

--
--
You received this message because you are subscribed to the "Military Open Source Software" Google Group.
To post to this group, send email to mil...@googlegroups.com
To unsubscribe from this group, send email to mil-oss+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mil-oss?hl=en
 
www.mil-oss.org

---
You received this message because you are subscribed to the Google Groups "Military Open Source Software" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mil-oss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Steven Siebert

Mar 28, 2017, 12:54:50 AM
to mil...@googlegroups.com
As mentioned, the application must (should) run under user control - since you require a user CAC card.  If, however, you're planning on having the application interact with a DoD website without a user present you should pursue a server certificate as cjturner suggested - it's not hard to coordinate and it's a fairly routine request to your appropriate CA.

To interact using a CAC card you need to create a custom SSLContext. I've done this before using the Java SE HTTP API...but from your email I assume you're using Apache HttpClient. You'll want to do something similar to this: http://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java to set up the SSL context with HttpClient.

Instead of pointing to a keystore on disk such as in that example, though, you're going to want to use the PKCS11 provider.  PKCS11 is the standard that defines how to access hardware tokens, such as the smart/CAC card.  


Read this carefully as you'll need to configure JSSE properly.  This should get your team pointed in the right direction =)

Good luck!

S



Martin Dudel

Mar 28, 2017, 2:35:28 AM
to Military Open Source Software
Yeah... we're not trying to get around the CAC, just around a user having to manually browse to a download link -> save as -> type a preformatted file name for dozens of data files a day.

The idea is that the app functions like a browser in the sense that it asks the user which certificate to use and prompts for the PIN, then the connection to the server is made, and a list of files is accessed via http(s).


Trevor Vaughan

Mar 28, 2017, 7:36:21 AM
to mil...@googlegroups.com
Can you just hook curl into the PKCS11 interface? That's what I've done in the past and it worked like a champ.

--
Trevor Vaughan
Vice President, Onyx Point, Inc

-- This account not approved for unencrypted proprietary information --

Matthew

Mar 28, 2017, 12:49:47 PM
to mil...@googlegroups.com
I foresee someone could write an awesome how-to for this.

Matthew Conley
912-398-6704

Alex O'Ree

Mar 29, 2017, 7:01:47 AM
to mil...@googlegroups.com
Source: https://git-wip-us.apache.org/repos/asf?p=juddi.git;a=blob;f=juddi-gui-dsig/src/main/java/org/apache/juddi/gui/dsig/XmlSignatureApplet.java;h=f374e6f80028584d7d5343e3ce9ffa8fe4cac153;hb=refs/heads/master#l187


This will get you access to the Windows certificate store for the current user.

    import java.security.KeyStore;

    KeyStore keyStore = null;
    String keyStoreError = "";
    if (System.getProperty("os.name").startsWith("Windows")) {
        try {
            // SunMSCAPI: the current user's personal certificate store, where the CAC certs appear
            keyStore = KeyStore.getInstance("Windows-MY");
            keyStore.load(null, null);
        } catch (Exception ex) {
            keyStoreError += "Error loading Windows cert store " +
                ex.getMessage() + "\n";
            //ex.printStackTrace();
            //JOptionPane.showMessageDialog(this, ex.getMessage());
        }
    }

There is more code in that link to list all the certificates.

You can then access the key with a null password and then Windows
prompts for the PIN.
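As an added example (not code from this thread, nor from cac-agent or jUDDI), this ties together Steven's suggestion of a PKCS11-backed SSLContext and Alex's Windows-MY snippet: the card-backed KeyStore feeds a KeyManagerFactory, and the resulting SSLContext is used for an HTTPS download with client-certificate authentication. It assumes Java 9+ (for Provider.configure), an OpenSC-style PKCS#11 module at the path shown, and takes the URL and output file name from the command line.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class CacHttpsClient {
    // Card-backed KeyStore. PKCS11 path: SunPKCS11 over the CAC middleware's PKCS#11 module
    // (library path is an assumption). Windows path: the "Windows-MY" store via SunMSCAPI.
    static KeyStore loadCacKeyStore(boolean usePkcs11, char[] pin) throws Exception {
        if (usePkcs11) {
            String cfg = "--name=CAC\nlibrary=/usr/lib/opensc-pkcs11.so\nslotListIndex=0";
            Provider p = Security.getProvider("SunPKCS11").configure(cfg); // Java 9+ inline config
            Security.addProvider(p);
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);   // PIN logs in to the token; the private key never leaves the card
            return ks;
        }
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);      // null password: Windows prompts for the PIN when the key is used
        return ks;
    }

    // Client-auth SSLContext. Trust side is the JRE default trust store, so the DoD root CAs
    // must be imported there (or supply a TrustManagerFactory over a DoD-roots keystore).
    static SSLContext buildSslContext(KeyStore cacKeyStore, char[] pin) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(cacKeyStore, pin);   // both token-backed store types ignore the key password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null trust managers = JRE default trust store
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        boolean windows = System.getProperty("os.name").startsWith("Windows");
        char[] pin = windows ? null : System.console().readPassword("CAC PIN: ");
        KeyStore ks = loadCacKeyStore(!windows, pin);
        // A CAC carries several certs (ID, signature, encryption); the default key manager picks the
        // first one matching the server's CA list. To choose by alias, wrap a custom X509KeyManager.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(buildSslContext(ks, pin).getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, Paths.get(args[1]));   // save under the pre-formatted file name
        }
    }
}
```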

Trevor Vaughan

Mar 29, 2017, 9:26:13 AM
to mil...@googlegroups.com
Alex (or someone),

Could you gist this under https://github.com/mil-oss ?


Robot

Mar 29, 2017, 12:46:02 PM
to Military Open Source Software
A while ago, we created this github project https://github.com/MoebiusSolutions/cac-agent. It is a small java "agent" that sets up Java to read from the CAC. It works on Windows or Linux (I think one of our devs got Mac to work as well). It hooks Java's default SSL providers so it will not work with a java library that bypasses the standard Java SSL. For example, maven 3 has two different https "wagons", one uses Java SSL and works with this agent, the other uses a different SSL provider so cac-agent does nothing.

We use it with jgit and eclipse to access CAC protected git repositories. We also use it to access CAC protected maven repositories.

Martin Dudel

Mar 30, 2017, 7:09:17 AM
to Military Open Source Software

Thanks for the hint. While researching curl and DoD CAC cards I stumbled onto an article that showed how to accomplish this in PowerShell. We are almost there in Java as well.

We got it working (PS version 5.1) with the following script (also attached as a txt file):

$Urls = New-Object System.Collections.ArrayList;
$FileNames = @{};
$FileNames.add("https://web-eurd01.mail.mil/owa/","owaFileName.txt");
$FileNames.add("https://ataaps.csd.disa.mil/","ataapsFileName.txt");
# Queue every URL that has a target file name ([void] hides the index ArrayList.Add returns)
foreach ($Key in $FileNames.Keys) { [void]$Urls.Add($Key); }
$CachePath = "C:\CACHE\";

$def = @"
public class ClientCertWebClient : System.Net.WebClient
{
    System.Net.HttpWebRequest request = null;
    System.Security.Cryptography.X509Certificates.X509CertificateCollection certificates = null;

    // Attach the user's certificates to every request this client creates
    protected override System.Net.WebRequest GetWebRequest(System.Uri address)
    {
        request = (System.Net.HttpWebRequest)base.GetWebRequest(address);
        if (certificates != null)
        {
            request.ClientCertificates.AddRange(certificates);
        }
        return request;
    }

    public void AddCerts(System.Security.Cryptography.X509Certificates.X509Certificate[] certs)
    {
        if (certificates == null)
        {
            certificates = new System.Security.Cryptography.X509Certificates.X509CertificateCollection();
        }
        if (request != null)
        {
            request.ClientCertificates.AddRange(certs);
        }
        certificates.AddRange(certs);
    }
}
"@

Add-Type -TypeDefinition $def

$wc = New-Object ClientCertWebClient;
# The current user's personal store; the CAC certificates appear here once the middleware has propagated them
$certs = dir cert:\CurrentUser\My;
echo "------------------------------------------------------------------------";
echo "USER CERTS:";
echo $certs;
$wc.AddCerts($certs);

foreach($Url in $Urls){
    echo "URL: $Url";
    $FileName = $CachePath + $FileNames.Get_Item($Url);
    echo "FILENAME: $FileName";
    # Fetch the target url (Windows prompts for the CAC PIN when the private key is used)
    $Response = $wc.DownloadString($Url);
    # If the target file exists, remove it
    If (Test-Path $FileName) {
        Remove-Item $FileName
    }
    # Create the target file
    New-Item $FileName -type file
    # Write the response to the target file
    Add-Content -Path $FileName -Value $Response
}

Jamie Jones

Mar 31, 2017, 11:42:35 AM
to Military Open Source Software
Martin, it would be awesome if, once you get through this experience, you published your findings, links, and code somewhere. I think this will help many in the community in the future.

Maybe a sample project in the MIL-OSS GitHub Org if you don't want to blog it?

Jamie