So I am tasked with having a user either sign in with a username/password combination or they can sign on with their CAC card. I know that I will need to use a card reader to do so but I am completely lost on what to do. I have not been able to find a way to use a card reader from the browser for a CAC card sign in.

What response will I get from scanning a CAC card? Will I be able to at least get an ID from it to associate it with a user account?

BStill
  • You should ask those who tasked you with this for help. You're going to need a solid understanding of PKI including the US government-specific parts of their deployment. – Jonathon Reinhart Jan 26 '18 at 04:47
  • I'm sorry but this question is far, far too broad to be considered on-topic here. The CAC is a smart card which presents a client certificate to an HTTPS site. You don't read it from JavaScript. – Jonathon Reinhart Jan 26 '18 at 04:59
  • The browser is responsible for looking for a matching client certificate and prompting the user to select one. – Jonathon Reinhart Jan 26 '18 at 05:06

1 Answer

If you are creating a web app, which it seems like you are, it will be basic client certificate authentication. The fact that the client certificate required is coming from the CAC card doesn't change much for the server.

There are quite a few node packages that can implement client certificate authentication. Here is one of them, for instance. I would initially let the user(s) log in via username/password authentication, then present them with a page that will link their CAC card to their user. You can also just implement the authentication with the CAC card without linking a user and card.

You can use the PCSC smartcard package to read the actual card, which can be found here. Please bear in mind that you will also need the correct CA certificates loaded on the PC to be able to verify the trust of the certificates. If this app is for a government customer, make sure you work closely with their security team to make sure you meet all their requirements.

Tachyon
  • Thank you! This is exactly what I needed! I was not sure if I could do it this way. So when you say the correct CA certificates, do you mean the ones I am using to load my site over HTTPS? – BStill Jan 26 '18 at 06:43
  • Sorry if these seem like dumb questions – BStill Jan 26 '18 at 06:44
  • 1
    No problem, with correct CA certificates I mean that you need to trust the CA (certificate authority) that issued the client certificates to the CAC cards. Assuming it is the US gov, you will need to add their CA, which you should be able to get from your clients' development or security team. Adding the CA to the trusted root store basically means that any certificate issued by that CA, the government in this case, will be trusted. Otherwise the client certificates won't be trusted. Hope that makes sense. – Tachyon Jan 26 '18 at 06:48