[Spice-devel] smartcard usage

william kc at cobradevil.org
Fri Feb 25 03:06:33 PST 2011 

On 02/24/2011 08:10 PM, Alon Levy wrote:
> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, kc at cobradevil.org wrote:
>>>>>> Dear list,
>>>>>>
>>>>>> i have tried to get smartcard support running but i'm a bit lost :)
>>>>>> probably because it's not finished yet.
>>>>>>
>>>>>> we have smartcards with certificates like us dod and i would like to use
>>>>>> those from a client on a remote server for authentication and such.
>>>>>> I have followed the build instructions:
>>>>>> http://spice-space.org/page/Building_Instructions on a ubuntu system and
>>>>>> have managed to get those compiled.
>>>>>>
>>>>>> But when i try to start a vm with smartcard passthrough it asks me to give
>>>>>> a driver name?
>>>>>>
>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>> ccid-card-passthru,chardev=ccid -drive
>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios
>>>>>> -nographic -vga qxl -spice port=5930,disable-ticketing  -usbdevice tablet
>>>>>> -enable-kvm -m 512
>>>>>>
>>>>>> do_spice_init: starting 0.6.3
>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>> red_worker_main: begin
>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid: Parameter
>>>>>> 'driver' expects a driver name
>>>>>> Try with argument '?' for a list.
>>>>>>
>>>>>> Am i starting the vm the right way or am i missing something?
>>>>> You are doing the right steps with the wrong qemu. To be explicit: qemu hasn't
>>>>> accepted the patches for the smartcard devices yet, so I don't know where you
>>>>> got the qemu executable but unless you built it by hand and applied the patches
>>>>> on the list, or easier used the pull url I provide in the patches I sent (like v20
>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you won't have them.
>>>>>
>>>>> Alon
>>>>>
>>>> Sorry for the priv mail :(
>>>> i can start the vm now with the usb_ccid.v19  git 20 gives me compile errors
>>>>
>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid
>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>> tablet -enable-kvm -m 512 -device
>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>> do_spice_init: starting 0.7.3
>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>> red_worker_main: begin
>>>> handle_dev_input: start
>>>>
>>>> I also installed spice 0.7.3
>>>>
>>>> When starting the spicec client i can connect but how can i share
>>>> say a local device now through spicec to the guest?
>>>> On the local client i can run pcsc_scan and it returns my reader and
>>>> detects my card, would that also be possible on the guest?
>>>>
>>> about v20 if you can run make V=1 and post the output?
>> Nah forget this
>> i did not switch to v20 that was the problem.
> I still don't understand, but it would be nice if you could do your
> tests with the last version, v20, even if the changes are just cosmetic.
>
>>> about the rest, yes, the guest should show the card too using pcsc_scan.
>>>
>>> you shouldn't need to be root on the client, but possibly it will work then -
>>> could you try that? in that case I don't remember exactly what the solution was :(
>>> but there is one!
>> ok here is what i see now
>>
>> - on my local system i have:
>> #lsusb
>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx
>> Smart Card Reader
>> #pcsc_scan
>> PC/SC device scanner
>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>> Compiled with PC/SC lite version: 1.5.3
>> Scanning present readers...
>> 0: SCM SCR 355 00 00
>>
>> Thu Feb 24 17:36:04 2011
>>   Reader 0: SCM SCR 355 00 00
>>    Card state: Card inserted,
>>    ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>
>> - Now when i start qemu like the following
>> #./x86_64-softmmu/qemu-system-x86_64 -chardev
>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid
>> -device ccid-card-passthru,chardev=ccid -drive
>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>> tablet -enable-kvm -m 512 -device
>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>
>> - i see this in my vm after starting spicec with the following options
>> #spicec -h localhost -p 5930
>> #lsusb
>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>> #pcsc_scan
>> PC/SC device scanner
>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>> Compiled with PC/SC lite version: 1.5.3
>> Scanning present readers...
>> 0: Gemplus GemPC4433 SL (1) 00 00
>>
>> Thu Feb 24 17:42:05 2011
>>   Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>    Card state: Card removed,
>>
>>
>> After removing the device from my local machine and starting the vm
>> again with the above options it still shows me the gemplus smartcard
>> reader
>>
>> Any hints from here?
>>
> Yes. It looks like the guest sees the ccid device (that's the Gemplus,
> you can see it's qemu if you do lsusb), but no card. The reason for the
> later is that spicec didn't see any card. That's why I suggested trying to
> run spicec as root - the bottom line is that you need to make sure NSS
> can see the device as a regular user. I'll try to supply better instructions
> later.
Well i managed to get something working but i'm not sure if thats the 
way to go.

When i start the vm with the ccid passthrough i receive a device gemplus.

When starting spicec with --smartcard after adding the aet middleware 
libs to the nss database with the following command:
modutil  -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile 
/usr/lib/libaetpkss.so.3.0
then start spicec with --smartcard my reader begins blinking so 
something is read from the token but then in the vm i got nothing when 
using pcsc_scan perhaps it has todo something with the following error 
on the start of spicec: Warning: VSC Error: reader -1, code 32684


Anyway i also got the idea that using the vscclient would be possible so 
i gave that a try
vscclient -e use_hw=yes 127.0.0.1 2001
i takes some time but then i can do list and it shows me that my 
smartcard is active and has a card in it
but in the vm nogo

vscclient -e use_hw=yes 127.0.0.1 2001
 > list
Active Readers:
   0 CARD_PRESENT SCM SCR 355 00 00
   0              UNAVAILABLE 1
   0              UNAVAILABLE 2
   0              UNAVAILABLE 3
   0              UNAVAILABLE 4
Inactive Readers:
 > debug 1
debug level = 1
 > Header: type=7, reader_id=0 length=5 (0x5)
  recv APDU: 00 CA DF 30 05
  send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
  recv APDU: 00 A4 04 00 05 A0 00 00 00 01
  send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
  recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
  send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
  recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
  send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
  recv APDU: 00 A4 08 00 02 2F 00
  send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
  recv APDU: 00 A4 08 00 02 50 15
  send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
  recv APDU: 00 A4 08 00 02 50 15
  send response: 6A 81

so it kinda works accept that it does not see the right card it also 
shows me the wrong atr.

I also need the middleware library in the vm else it does not work at all.

Any ideas?

With kind regards

William
>> With kind regards
>>
>> William van de Velde
>>
>>
>>
>>>> With kind regards
>>>>
>>>> William
>>>>
>>>>
>>>>>> With kind regards
>>>>>>
>>>>>> William
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Spice-devel mailing list
>>>>>> Spice-devel at lists.freedesktop.org
>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>>>> _______________________________________________
>>>> Spice-devel mailing list
>>>> Spice-devel at lists.freedesktop.org
>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>> _______________________________________________
>> Spice-devel mailing list
>> Spice-devel at lists.freedesktop.org
>> http://lists.freedesktop.org/mailman/listinfo/spice-devel

More information about the Spice-devel mailing list