[Spice-devel] smartcard usage

william kc at cobradevil.org
Tue Mar 1 01:00:56 PST 2011


On 03/01/2011 08:13 AM, william wrote:
> On 03/01/2011 12:23 AM, Robert Relyea wrote:
>> On 02/28/2011 08:34 AM, william wrote:
>>> On 02/26/2011 08:49 PM, Alon Levy wrote:
>>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, kc at cobradevil.org 
>>>>>>>>>> wrote:
>>>>>>>>>>> Dear list,
>>>>>>>>>>>
>>>>>>>>>>> I have tried to get smartcard support running but I'm a bit
>>>>>>>>>>> lost :)
>>>>>>>>>>> Probably because it's not finished yet.
>>>>>>>>>>>
>>>>>>>>>>> We have smartcards with certificates like US DoD, and I would
>>>>>>>>>>> like to use
>>>>>>>>>>> those from a client on a remote server for authentication and
>>>>>>>>>>> such.
>>>>>>>>>>> I have followed the build instructions:
>>>>>>>>>>> http://spice-space.org/page/Building_Instructions on an Ubuntu
>>>>>>>>>>> system and
>>>>>>>>>>> have managed to get those compiled.
>>>>>>>>>>>
>>>>>>>>>>> But when I try to start a VM with smartcard passthrough, it
>>>>>>>>>>> asks me to give
>>>>>>>>>>> a driver name?
>>>>>>>>>>>
>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>>>> ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L
>>>>>>>>>>> pc-bios
>>>>>>>>>>> -nographic -vga qxl -spice port=5930,disable-ticketing
>>>>>>>>>>> -usbdevice tablet
>>>>>>>>>>> -enable-kvm -m 512
>>>>>>>>>>>
>>>>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>>> red_worker_main: begin
>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid:
>>>>>>>>>>> Parameter
>>>>>>>>>>> 'driver' expects a driver name
>>>>>>>>>>> Try with argument '?' for a list.
>>>>>>>>>>>
>>>>>>>>>>> Am I starting the VM the right way, or am I missing something?
>>>>>>>>>> You are doing the right steps with the wrong qemu. To be
>>>>>>>>>> explicit: qemu hasn't
>>>>>>>>>> accepted the patches for the smartcard devices yet, so I don't
>>>>>>>>>> know where you
>>>>>>>>>> got the qemu executable, but unless you built it by hand and
>>>>>>>>>> applied the patches
>>>>>>>>>> on the list, or (easier) used the pull URL I provide in the
>>>>>>>>>> patches I sent (like v20:
>>>>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20), you
>>>>>>>>>> won't have them.
>>>>>>>>>>
>>>>>>>>>> Alon
>>>>>>>>>>
>>>>>>>>> Sorry for the private mail :(
>>>>>>>>> I can start the VM now with the usb_ccid.v19 git; v20 gives me
>>>>>>>>> compile errors.
>>>>>>>>>
>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>> usb-ccid
>>>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>>> do_spice_init: starting 0.7.3
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>> red_worker_main: begin
>>>>>>>>> handle_dev_input: start
>>>>>>>>>
>>>>>>>>> I also installed spice 0.7.3
>>>>>>>>>
>>>>>>>>> When starting the spicec client I can connect, but how can I share,
>>>>>>>>> say, a local device now through spicec to the guest?
>>>>>>>>> On the local client I can run pcsc_scan and it returns my reader
>>>>>>>>> and
>>>>>>>>> detects my card; would that also be possible on the guest?
>>>>>>>>>
>>>>>>>> About v20: can you run make V=1 and post the output?
>>>>>>> Nah, forget this.
>>>>>>> I did not switch to v20; that was the problem.
>>>>>> I still don't understand, but it would be nice if you could do your
>>>>>> tests with the last version, v20, even if the changes are just
>>>>>> cosmetic.
>>>>>>
>>>>>>>> About the rest: yes, the guest should show the card too using
>>>>>>>> pcsc_scan.
>>>>>>>>
>>>>>>>> You shouldn't need to be root on the client, but possibly it will
>>>>>>>> work then -
>>>>>>>> could you try that? In that case I don't remember exactly what
>>>>>>>> the solution was :(
>>>>>>>> but there is one!
>>>>>>> OK, here is what I see now:
>>>>>>>
>>>>>>> - on my local system I have:
>>>>>>> #lsusb
>>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx
>>>>>>> Smart Card Reader
>>>>>>> #pcsc_scan
>>>>>>> PC/SC device scanner
>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>> Scanning present readers...
>>>>>>> 0: SCM SCR 355 00 00
>>>>>>>
>>>>>>> Thu Feb 24 17:36:04 2011
>>>>>>>    Reader 0: SCM SCR 355 00 00
>>>>>>>     Card state: Card inserted,
>>>>>>>     ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>>>>
>>>>>>> - Now when I start qemu like the following:
>>>>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device 
>>>>>>> usb-ccid
>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>
>>>>>>> - I see this in my VM after starting spicec with the following
>>>>>>> options:
>>>>>>> #spicec -h localhost -p 5930
>>>>>>> #lsusb
>>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>>>>> #pcsc_scan
>>>>>>> PC/SC device scanner
>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>> Scanning present readers...
>>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>
>>>>>>> Thu Feb 24 17:42:05 2011
>>>>>>>    Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>     Card state: Card removed,
>>>>>>>
>>>>>>>
>>>>>>> After removing the device from my local machine and starting the VM
>>>>>>> again with the above options, it still shows me the Gemplus
>>>>>>> smartcard
>>>>>>> reader.
>>>>>>>
>>>>>>> Any hints from here?
>>>>>>>
>>>>>> Yes. It looks like the guest sees the ccid device (that's the
>>>>>> Gemplus;
>>>>>> you can see it's qemu if you do lsusb), but no card. The reason for
>>>>>> the
>>>>>> latter is that spicec didn't see any card. That's why I suggested
>>>>>> trying to
>>>>>> run spicec as root - the bottom line is that you need to make 
>>>>>> sure NSS
>>>>>> can see the device as a regular user. I'll try to supply better
>>>>>> instructions
>>>>>> later.
>>>>> Well, I managed to get something working, but I'm not sure if that's
>>>>> the way to go.
>>>>>
>>>>> When I start the VM with the ccid passthrough I receive a Gemplus
>>>>> device.
>>>>>
>>>>> When starting spicec with --smartcard after adding the AET
>>>> oops, forgot you needed that.
>>>>
>>>>> middleware libs to the NSS database with the following command:
>>>>> modutil  -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile
>>>>> /usr/lib/libaetpkss.so.3.0
>>>>> and then starting spicec with --smartcard, my reader begins blinking, so
>>>>> something is read from the token, but then in the VM I get nothing
>>>>> when using pcsc_scan. Perhaps it has to do something with the
>>>>> following error on the start of spicec: Warning: VSC Error: reader
>>>>> -1, code 32684
>>>>>
>>>> So using "spicec --smartcard" (spicec for short) you can't do 
>>>> pcsc_scan
>>>> and see a card in the vm?
>>>>
>>>>> Anyway, I also got the idea that using the vscclient would be
>>>>> possible, so I gave that a try:
>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>> It takes some time, but then I can do list and it shows me that my
>>>>> smartcard is active and has a card in it,
>>>>> but in the VM no go.
>>>>>
>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>> list
>>>>> Active Readers:
>>>>>     0 CARD_PRESENT SCM SCR 355 00 00
>>>>>     0              UNAVAILABLE 1
>>>>>     0              UNAVAILABLE 2
>>>>>     0              UNAVAILABLE 3
>>>>>     0              UNAVAILABLE 4
>>>>> Inactive Readers:
>>>>>> debug 1
>>>>> debug level = 1
>>>>>> Header: type=7, reader_id=0 length=5 (0x5)
>>>>>    recv APDU: 00 CA DF 30 05
>>>>>    send response: 69 00
>>>>> Header: type=7, reader_id=0 length=10 (0xa)
>>>>>    recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>>>>    send response: 6A 82
>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>    send response: 6A 82
>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>    send response: 6A 82
>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>    recv APDU: 00 A4 08 00 02 2F 00
>>>>>    send response: 6A 81
>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>    recv APDU: 00 A4 08 00 02 50 15
>>>>>    send response: 6A 81
>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>    recv APDU: 00 A4 08 00 02 50 15
>>>>>    send response: 6A 81
>>>>>
>>>>> So it kinda works, except that it does not see the right card; it also
>>>>> shows me the wrong ATR.
>>>> The ATR isn't wrong, it's just not the card's ATR. The architecture
>>>> is like this:
>>>>
>>>> real card - real reader - pcscd - spicec (via nss) - simulated
>>>> card<-protocol->
>>>>    emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other
>>>> client)
>>>>
>>>> When using vscclient it's exactly the same, difference is just that
>>>> it goes via a TCP socket directly instead of in a spice channel.
>>>>
>>>> So the ATR you see in the vm is by the simulated card (libcacard).
>>>>
>>>> But you should definitely see a card with spicec as well.
>>>>
>>>>> I also need the middleware library in the vm else it does not work
>>>>> at all.
>>>>>
>>>>> Any ideas?
>>>> Nothing really. I'll try to take a look at the APDUs later (I'm not
>>>> really an expert on them) - can you try using the certificate-backed
>>>> card just to make sure everything except the hardware is working
>>>> correctly? (i.e. VM stack is fine, spicec version and libspiceserver
>>>> and qemu versions work fine). The instructions are in qemu
>>>> doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is
>>>> the patch with the file).
>>>>
>>> I'm not getting any further.
>>>
>>> I will explain below the steps I took to get things (almost :) running.
>>>
>>> Download all deps:
>>> git clone git://anongit.freedesktop.org/~alon/qemu
>>>   git checkout -b usb_ccid.v20 origin/usb_ccid.v20
>>> wget
>>> http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz 
>>>
>>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
>>> wget
>>> http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
>>>
>>> install libcacard
>>> install spice protocol
>>> install spice client and server with the configure option
>>> --enable-smartcard
>>> install qemu with configure option --enable-smartcard --enable-spice
>>>
>>> import certificates into nss database
>>> mkdir -p /etc/pki/nssdb
>>> certutil -N -d /etc/pki/nssdb
>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
>>>
>>> certutil -L -d /etc/pki/nssdb
>>> cert3                                                        CTu,Cu,Cu
>>> cert1                                                        CTu,Cu,Cu
>>> cert2                                                        CTu,Cu,Cu
>>>
>>> start vm with the following options
>>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device
>>> usb-ccid -device
>>> ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3 
>>>
>>> start spicec -h localhost -p 5930
>>> After boot I have a Gemplus ccid reader and pcsc_scan tells me that I
>>> have a reader.
>>>
>>> But how can I show the certificates cert1,2,3 in the VM with certutil?
>> You need to start certutil with a database which points to the smart
>> card.
>> If you install libcoolkey, I believe /etc/pki/nssdb should already be
>> set up...
>>
>> Here's what mine looks like:
>>
>> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
>>
>> Listing of PKCS #11 Modules
>> -----------------------------------------------------------
>>    1. NSS Internal Crypto Services
>>       slots: 3 slots attached
>>      status: loaded
>>
>>       slot: NSS Internal Cryptographic Services
>>      token: NSS Generic Crypto Services
>>
>>       slot: NSS User Private Key and Certificate Services
>>      token: NSS Certificate DB
>>
>>       slot: NSS Application Slot 00000004
>>      token: NSS user database
>>
>>    2. CoolKey PKCS #11 Module
>>      library name: libcoolkeypk11.so
>>       slots: 1 slot attached
>>      status: loaded
>>
>>       slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
>>      token:
>>
>>    3. Built-ins
>>      library name: /usr/lib64/__libnssckbi.so
>>       slots: There are no slots attached to this module
>>      status: Not loaded
>> -----------------------------------------------------------
>> bobs-laptop(52)
>>
>> The important one here is #2 ("Coolkey PKCS #11 Module").
>>
>> Once you have that you should be able to run
>>
>> certutil -L -h all -d sql:/etc/pki/nssdb
>>
>> to list all the certs on your card.
>>
>> bob
>
> OK, I have that in my local system where I use the AET middleware.
> Then doing the certutil -L -d sql:/etc/pki/nssdb -h all I get the
> certificates after entering the PIN.
>
> But how are those visible within the VM with the virtual smartcard
> reader? When I use the same middleware library it tells me that I
> have the wrong smartcard. So I guess I need something like the CoolKey
> or AET in the VM, but then for the virtual smartcard?
>
> With kind regards
>
> William
>
Some more info.

On my laptop my list looks like:
Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal PKCS #11 Module
      slots: 2 slots attached
     status: loaded

      slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services

      slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB

   2. Root Certs
     library name: /etc/pki/nssdb/libnssckbi.so
      slots: 1 slot attached
     status: loaded

      slot: NSS Builtin Objects
     token: Builtin Object Token

   3. Aet1
     library name: /usr/lib/libaetpkss.so.3.0
      slots: 5 slots attached
     status: loaded

      slot: SCM SCR 355 00 00
     token: smartcard

      slot: UNAVAILABLE 1
     token:

      slot: UNAVAILABLE 2
     token:

      slot: UNAVAILABLE 3
     token:

      slot: UNAVAILABLE 4
     token:
-----------------------------------------------------------


On the VM I only have 1 and 2 like above, and number 3 I can add, but then
it says token not recognized.

But when I try Alon's option to create the 3 certs manually and use
those when starting the VM, I also can't show them?
So do I need to add something like libcacard.so as a middleware lib
in the VM?

With kind regards

William
>
>
>>>>> With kind regards
>>>>>
>>>>> William
>>>>>>> With kind regards
>>>>>>>
>>>>>>> William van de Velde
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>> With kind regards
>>>>>>>>>
>>>>>>>>> William
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>> With kind regards
>>>>>>>>>>>
>>>>>>>>>>> William
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Spice-devel mailing list
>>>>>>>>>>> Spice-devel at lists.freedesktop.org
>>>>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>
>
>
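The vscclient trace quoted earlier in the thread pairs each command APDU the guest sent with the status word the emulated card answered. As an added example (not code from the thread, libcacard or spice), the Python below decodes such a trace: it splits each APDU into its ISO 7816-4 fields, labels what a SELECT asked for, checks the header length against the bytes actually logged, and translates the status words. The status-word table covers only the codes that appear in the trace, and the sample lines are copied from the thread.

```python
# ISO 7816-4 status words that occur in the vscclient trace above (subset).
STATUS_WORDS = {"9000": "OK", "6900": "command not allowed",
                "6A81": "function not supported",
                "6A82": "file or application not found"}
INSTRUCTIONS = {0xA4: "SELECT", 0xCA: "GET DATA"}
# Constructed sample: three exchanges copied from the thread's vscclient output.
SAMPLE_TRACE = """\
Header: type=7, reader_id=0 length=5 (0x5)
   recv APDU: 00 CA DF 30 05
   send response: 69 00
Header: type=7, reader_id=0 length=14 (0xe)
   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
   send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 2F 00
   send response: 6A 81
"""

def parse_apdu(hex_bytes):
    """Split a short command APDU into CLA/INS/P1/P2 plus its Lc data or Le."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    data, le = b"", None
    if len(raw) == 5:            # case 2: the fifth byte is Le
        le = raw[4]
    elif len(raw) > 5:           # case 3: the fifth byte is Lc, then data
        data = raw[5:]
        if len(data) != raw[4]:
            raise ValueError("Lc does not match the data length")
    target = ""                  # what a SELECT is asking for
    if ins == 0xA4:              # P1=04 selects by AID, other P1 values by file/path
        target = ("AID " if p1 == 0x04 else "file ") + data.hex().upper()
    return {"cla": cla, "ins": INSTRUCTIONS.get(ins, "INS %02X" % ins),
            "p1": p1, "p2": p2, "data": data, "le": le, "target": target}

def decode_trace(text):
    """Pair each recv APDU with its response and explain the status word."""
    exchanges, expected_len, cmd = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Header:"):
            expected_len = int(line.split("length=")[1].split()[0])
        elif line.startswith("recv APDU:"):
            hexs = line.split(":", 1)[1].replace(" ", "")
            if expected_len is not None and len(hexs) // 2 != expected_len:
                raise ValueError("header length disagrees with the APDU bytes")
            cmd = parse_apdu(hexs)
        elif line.startswith("send response:") and cmd is not None:
            sw = line.split(":", 1)[1].replace(" ", "").upper()
            cmd.update(sw=sw, meaning=STATUS_WORDS.get(sw, "unknown status word"))
            exchanges.append(cmd)
            cmd = None
    return exchanges
```

Run over the sample, the decoder shows the guest middleware issuing a GET DATA and then SELECTs by AID and by file, each refused by the emulated card, which is the behaviour the thread is trying to diagnose.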