[Spice-devel] smartcard usage

william kc at cobradevil.org
Mon Feb 28 08:34:14 PST 2011


On 02/26/2011 08:49 PM, Alon Levy wrote:
> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, kc at cobradevil.org wrote:
>>>>>>>> Dear list,
>>>>>>>>
>>>>>>>> i have tried to get smartcard support running but i'm a bit lost :)
>>>>>>>> probably because it's not finished yet.
>>>>>>>>
>>>>>>>> we have smartcards with certificates like us dod and i would like to use
>>>>>>>> those from a client on a remote server for authentication and such.
>>>>>>>> I have followed the build instructions:
>>>>>>>> http://spice-space.org/page/Building_Instructions on a ubuntu system and
>>>>>>>> have managed to get those compiled.
>>>>>>>>
>>>>>>>> But when i try to start a vm with smartcard passthrough it asks me to give
>>>>>>>> a driver name?
>>>>>>>>
>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>> ccid-card-passthru,chardev=ccid -drive
>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios
>>>>>>>> -nographic -vga qxl -spice port=5930,disable-ticketing  -usbdevice tablet
>>>>>>>> -enable-kvm -m 512
>>>>>>>>
>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>> red_worker_main: begin
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid: Parameter
>>>>>>>> 'driver' expects a driver name
>>>>>>>> Try with argument '?' for a list.
>>>>>>>>
>>>>>>>> Am i starting the vm the right way or am i missing something?
>>>>>>> You are doing the right steps with the wrong qemu. To be explicit: qemu hasn't
>>>>>>> accepted the patches for the smartcard devices yet, so I don't know where you
>>>>>>> got the qemu executable but unless you built it by hand and applied the patches
>>>>>>> on the list, or easier used the pull url I provide in the patches I sent (like v20
>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you won't have them.
>>>>>>>
>>>>>>> Alon
>>>>>>>
>>>>>> Sorry for the priv mail :(
>>>>>> i can start the vm now with the usb_ccid.v19  git 20 gives me compile errors
>>>>>>
>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid
>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>>>> tablet -enable-kvm -m 512 -device
>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>> do_spice_init: starting 0.7.3
>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>> red_worker_main: begin
>>>>>> handle_dev_input: start
>>>>>>
>>>>>> I also installed spice 0.7.3
>>>>>>
>>>>>> When starting the spicec client i can connect but how can i share
>>>>>> say a local device now through spicec to the guest?
>>>>>> On the local client i can run pcsc_scan and it returns my reader and
>>>>>> detects my card, would that also be possible on the guest?
>>>>>>
>>>>> about v20 if you can run make V=1 and post the output?
>>>> Nah forget this
>>>> i did not switch to v20 that was the problem.
>>> I still don't understand, but it would be nice if you could do your
>>> tests with the last version, v20, even if the changes are just cosmetic.
>>>
>>>>> about the rest, yes, the guest should show the card too using pcsc_scan.
>>>>>
>>>>> you shouldn't need to be root on the client, but possibly it will work then -
>>>>> could you try that? in that case I don't remember exactly what the solution was :(
>>>>> but there is one!
>>>> ok here is what i see now
>>>>
>>>> - on my local system i have:
>>>> #lsusb
>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx
>>>> Smart Card Reader
>>>> #pcsc_scan
>>>> PC/SC device scanner
>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>> Compiled with PC/SC lite version: 1.5.3
>>>> Scanning present readers...
>>>> 0: SCM SCR 355 00 00
>>>>
>>>> Thu Feb 24 17:36:04 2011
>>>>   Reader 0: SCM SCR 355 00 00
>>>>    Card state: Card inserted,
>>>>    ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>
>>>> - Now when i start qemu like the following
>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid
>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>> tablet -enable-kvm -m 512 -device
>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>
>>>> - i see this in my vm after starting spicec with the following options
>>>> #spicec -h localhost -p 5930
>>>> #lsusb
>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>> #pcsc_scan
>>>> PC/SC device scanner
>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>> Compiled with PC/SC lite version: 1.5.3
>>>> Scanning present readers...
>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>
>>>> Thu Feb 24 17:42:05 2011
>>>>   Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>    Card state: Card removed,
>>>>
>>>>
>>>> After removing the device from my local machine and starting the vm
>>>> again with the above options it still shows me the gemplus smartcard
>>>> reader
>>>>
>>>> Any hints from here?
>>>>
>>> Yes. It looks like the guest sees the ccid device (that's the Gemplus,
>>> you can see it's qemu if you do lsusb), but no card. The reason for the
>>> later is that spicec didn't see any card. That's why I suggested trying to
>>> run spicec as root - the bottom line is that you need to make sure NSS
>>> can see the device as a regular user. I'll try to supply better instructions
>>> later.
>> Well i managed to get something working but i'm not sure if thats
>> the way to go.
>>
>> When i start the vm with the ccid passthrough i receive a device gemplus.
>>
>> When starting spicec with --smartcard after adding the aet
> oops, forgot you needed that.
>
>> middleware libs to the nss database with the following command:
>> modutil  -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile
>> /usr/lib/libaetpkss.so.3.0
>> then start spicec with --smartcard my reader begins blinking so
>> something is read from the token but then in the vm i got nothing
>> when using pcsc_scan perhaps it has todo something with the
>> following error on the start of spicec: Warning: VSC Error: reader
>> -1, code 32684
>>
> So using "spicec --smartcard" (spicec for short) you can't do pcsc_scan
> and see a card in the vm?
>
>> Anyway i also got the idea that using the vscclient would be
>> possible so i gave that a try
>> vscclient -e use_hw=yes 127.0.0.1 2001
>> i takes some time but then i can do list and it shows me that my
>> smartcard is active and has a card in it
>> but in the vm nogo
>>
>> vscclient -e use_hw=yes 127.0.0.1 2001
>>> list
>> Active Readers:
>>    0 CARD_PRESENT SCM SCR 355 00 00
>>    0              UNAVAILABLE 1
>>    0              UNAVAILABLE 2
>>    0              UNAVAILABLE 3
>>    0              UNAVAILABLE 4
>> Inactive Readers:
>>> debug 1
>> debug level = 1
>>> Header: type=7, reader_id=0 length=5 (0x5)
>>   recv APDU: 00 CA DF 30 05
>>   send response: 69 00
>> Header: type=7, reader_id=0 length=10 (0xa)
>>   recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>   send response: 6A 82
>> Header: type=7, reader_id=0 length=14 (0xe)
>>   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>   send response: 6A 82
>> Header: type=7, reader_id=0 length=14 (0xe)
>>   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>   send response: 6A 82
>> Header: type=7, reader_id=0 length=7 (0x7)
>>   recv APDU: 00 A4 08 00 02 2F 00
>>   send response: 6A 81
>> Header: type=7, reader_id=0 length=7 (0x7)
>>   recv APDU: 00 A4 08 00 02 50 15
>>   send response: 6A 81
>> Header: type=7, reader_id=0 length=7 (0x7)
>>   recv APDU: 00 A4 08 00 02 50 15
>>   send response: 6A 81
>>
>> so it kinda works accept that it does not see the right card it also
>> shows me the wrong atr.
> The ATR isn't wrong, it's just not the card's ATR. The architecture is like this:
>
> real card - real reader - pcscd - spicec (via nss) - simulated card<-protocol->
>   emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other client)
>
> When using vscclient it's exactly the same, difference is just that it goes via a TCP socket directly instead of in a spice channel.
>
> So the ATR you see in the vm is by the simulated card (libcacard).
>
> But you should definitely see a card with spicec as well.
>
>> I also need the middleware library in the vm else it does not work at all.
>>
>> Any ideas?
> Nothing really. I'll try to take a look at the APDU's later (I'm not really an expert on them) - can you try using the certificates backed card just to make sure everything except the hardware is working correctly? (i.e. vm stack is fine, spicec version and libspiceserver and qemu versions work fine). The instructions are in qemu doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is the patch with the file).
>
I'm not getting any further.

I will explain below the steps i took to get things (almost:) running

Download all deps:
git clone git://anongit.freedesktop.org/~alon/qemu
  git checkout -b usb_ccid.v20 origin/usb_ccid.v20
wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2

install libcacard
install spice protocol
install spice client and server with the configure option --enable-smartcard
install qemu with configure option --enable-smartcard --enable-spice

import certificates into nss database
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb
certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3

certutil -L -d /etc/pki/nssdb
cert3                                                        CTu,Cu,Cu
cert1                                                        CTu,Cu,Cu
cert2                                                        CTu,Cu,Cu

start vm with the following options
-spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
start spicec -h localhost -p 5930
after boot i have a gemplus ccid reader and pcsc_scan tells me that i have a reader

But how can i show the certificates cert1,2,3 in the vm with certutil?

>> With kind regards
>>
>> William
>>>> With kind regards
>>>>
>>>> William van de Velde
>>>>
>>>>
>>>>
>>>>>> With kind regards
>>>>>>
>>>>>> William
>>>>>>
>>>>>>
>>>>>>>> With kind regards
>>>>>>>>
>>>>>>>> William
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Spice-devel mailing list
>>>>>>>> Spice-devel at lists.freedesktop.org
>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
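Added example, not code from the thread or from spice/libcacard: a small parser for the vscclient `debug 1` trace quoted above. It pairs each command APDU with the status word the simulated card returned and decodes the ISO 7816-4 header, so the SELECT commands the guest side sent and the "not found" answers they got can be read at a glance; the sample trace is a constructed copy of lines from the thread with the duplicated entries dropped.

```python
import re

# Constructed sample: the vscclient "debug 1" trace quoted in this thread
TRACE = """\
Header: type=7, reader_id=0 length=5 (0x5)
  recv APDU: 00 CA DF 30 05
  send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
  recv APDU: 00 A4 04 00 05 A0 00 00 00 01
  send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
  recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
  send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
  recv APDU: 00 A4 08 00 02 2F 00
  send response: 6A 81
"""

INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA"}
SELECT_P1 = {0x04: "by AID (DF name)", 0x08: "by path from MF"}
# ISO 7816-4 status words (SW1 SW2) that occur in the trace
SW_MEANING = {(0x69, 0x00): "command not allowed", (0x6A, 0x81): "function not supported",
              (0x6A, 0x82): "file or application not found", (0x90, 0x00): "success"}

def parse_trace(text):
    """Pair each command APDU with the status word that follows it and decode it."""
    lengths = [int(n) for n in re.findall(r"length=(\d+)", text)]
    cmds = re.findall(r"recv APDU: ([0-9A-Fa-f ]+)", text)
    sws = re.findall(r"send response: ([0-9A-Fa-f ]+)", text)
    records = []
    for length, hexcmd, hexsw in zip(lengths, cmds, sws):
        cmd, sw = bytes.fromhex(hexcmd), bytes.fromhex(hexsw)
        cla, ins, p1, p2 = cmd[:4]
        # 5-byte APDU: byte 4 is Le (case 2); longer APDU: byte 4 is Lc (case 3/4)
        lc = cmd[4] if len(cmd) > 5 else 0
        rec = {"cla": cla, "ins": INS_NAMES.get(ins, "INS %02X" % ins), "p1": p1, "p2": p2,
               "data": cmd[5:5 + lc].hex().upper(), "sw": sw.hex().upper(),
               "meaning": SW_MEANING.get((sw[0], sw[1]), "unknown status"),
               "header_len_ok": length == len(cmd)}  # VSC header length vs. logged payload
        if ins == 0xA4:
            rec["select"] = SELECT_P1.get(p1, "other")
        records.append(rec)
    return records

def rejected_selects(records):
    """Targets the guest tried to SELECT that the simulated card did not accept."""
    return [(r["select"], r["data"]) for r in records
            if r["ins"] == "SELECT" and r["sw"] != "9000"]
```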