[Spice-devel] smartcard usage

william kc at cobradevil.org
Mon Feb 28 23:13:22 PST 2011


On 03/01/2011 12:23 AM, Robert Relyea wrote:
> On 02/28/2011 08:34 AM, william wrote:
>> On 02/26/2011 08:49 PM, Alon Levy wrote:
>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, kc at cobradevil.org wrote:
>>>>>>>>>> Dear list,
>>>>>>>>>>
>>>>>>>>>> I have tried to get smartcard support running but I'm a bit
>>>>>>>>>> lost :)
>>>>>>>>>> Probably because it's not finished yet.
>>>>>>>>>>
>>>>>>>>>> We have smartcards with certificates, like the US DoD, and I
>>>>>>>>>> would like to use
>>>>>>>>>> those from a client on a remote server for authentication and
>>>>>>>>>> such.
>>>>>>>>>> I have followed the build instructions:
>>>>>>>>>> http://spice-space.org/page/Building_Instructions on a ubuntu
>>>>>>>>>> system and
>>>>>>>>>> have managed to get those compiled.
>>>>>>>>>>
>>>>>>>>>> But when I try to start a VM with smartcard passthrough it
>>>>>>>>>> asks me to give
>>>>>>>>>> a driver name?
>>>>>>>>>>
>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>>> ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L
>>>>>>>>>> pc-bios
>>>>>>>>>> -nographic -vga qxl -spice port=5930,disable-ticketing
>>>>>>>>>> -usbdevice tablet
>>>>>>>>>> -enable-kvm -m 512
>>>>>>>>>>
>>>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>> red_worker_main: begin
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid:
>>>>>>>>>> Parameter
>>>>>>>>>> 'driver' expects a driver name
>>>>>>>>>> Try with argument '?' for a list.
>>>>>>>>>>
>>>>>>>>>> Am I starting the VM the right way or am I missing something?
>>>>>>>>> You are doing the right steps with the wrong qemu. To be
>>>>>>>>> explicit: qemu hasn't
>>>>>>>>> accepted the patches for the smartcard devices yet, so I don't
>>>>>>>>> know where you
>>>>>>>>> got the qemu executable but unless you built it by hand and
>>>>>>>>> applied the patches
>>>>>>>>> on the list, or easier used the pull url I provide in the
>>>>>>>>> patches I sent (like v20
>>>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you
>>>>>>>>> won't have them.
>>>>>>>>>
>>>>>>>>> Alon
>>>>>>>>>
>>>>>>>> Sorry for the private mail :(
>>>>>>>> I can start the VM now with usb_ccid.v19; v20 gives me
>>>>>>>> compile errors.
>>>>>>>>
>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>> usb-ccid
>>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>> do_spice_init: starting 0.7.3
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>> red_worker_main: begin
>>>>>>>> handle_dev_input: start
>>>>>>>>
>>>>>>>> I also installed spice 0.7.3
>>>>>>>>
>>>>>>>> When starting the spicec client I can connect, but how can I share,
>>>>>>>> say, a local device now through spicec to the guest?
>>>>>>>> On the local client I can run pcsc_scan and it returns my reader
>>>>>>>> and
>>>>>>>> detects my card; would that also be possible on the guest?
>>>>>>>>
>>>>>>> About v20: if you can, run make V=1 and post the output?
>>>>>> Nah, forget this.
>>>>>> I did not switch to v20; that was the problem.
>>>>> I still don't understand, but it would be nice if you could do your
>>>>> tests with the last version, v20, even if the changes are just
>>>>> cosmetic.
>>>>>
>>>>>>> About the rest: yes, the guest should show the card too using
>>>>>>> pcsc_scan.
>>>>>>>
>>>>>>> You shouldn't need to be root on the client, but possibly it will
>>>>>>> work then -
>>>>>>> could you try that? In that case I don't remember exactly what
>>>>>>> the solution was :(
>>>>>>> but there is one!
>>>>>> OK, here is what I see now.
>>>>>>
>>>>>> - On my local system I have:
>>>>>> #lsusb
>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx
>>>>>> Smart Card Reader
>>>>>> #pcsc_scan
>>>>>> PC/SC device scanner
>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>> Scanning present readers...
>>>>>> 0: SCM SCR 355 00 00
>>>>>>
>>>>>> Thu Feb 24 17:36:04 2011
>>>>>>    Reader 0: SCM SCR 355 00 00
>>>>>>     Card state: Card inserted,
>>>>>>     ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>>>
>>>>>> - Now when I start qemu like the following:
>>>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid
>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>> file=/var/lib/libvirt/images/test.img,if=ide  -soundhw ac97 -L
>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice
>>>>>> tablet -enable-kvm -m 512 -device
>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>
>>>>>> - I see this in my VM after starting spicec with the following
>>>>>> options:
>>>>>> #spicec -h localhost -p 5930
>>>>>> #lsusb
>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>>>> #pcsc_scan
>>>>>> PC/SC device scanner
>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>> Scanning present readers...
>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>
>>>>>> Thu Feb 24 17:42:05 2011
>>>>>>    Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>     Card state: Card removed,
>>>>>>
>>>>>>
>>>>>> After removing the device from my local machine and starting the VM
>>>>>> again with the above options, it still shows me the Gemplus smartcard
>>>>>> reader.
>>>>>>
>>>>>> Any hints from here?
>>>>>>
>>>>> Yes. It looks like the guest sees the ccid device (that's the Gemplus,
>>>>> you can see it's qemu if you do lsusb), but no card. The reason for
>>>>> the
>>>>> latter is that spicec didn't see any card. That's why I suggested
>>>>> trying to
>>>>> run spicec as root - the bottom line is that you need to make sure NSS
>>>>> can see the device as a regular user. I'll try to supply better
>>>>> instructions
>>>>> later.
>>>> Well, I managed to get something working but I'm not sure if that's
>>>> the way to go.
>>>>
>>>> When I start the VM with the CCID passthrough I get a Gemplus
>>>> device.
>>>>
>>>> When starting spicec with --smartcard after adding the AET
>>> oops, forgot you needed that.
>>>
>>>> middleware libs to the NSS database with the following command:
>>>> modutil  -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile
>>>> /usr/lib/libaetpkss.so.3.0
>>>> then start spicec with --smartcard, my reader begins blinking, so
>>>> something is read from the token, but then in the VM I get nothing
>>>> when using pcsc_scan. Perhaps it has to do with the
>>>> following error on the start of spicec: Warning: VSC Error: reader
>>>> -1, code 32684
>>>>
>>> So using "spicec --smartcard" (spicec for short) you can't do pcsc_scan
>>> and see a card in the vm?
>>>
>>>> Anyway, I also got the idea that using the vscclient would be
>>>> possible, so I gave that a try:
>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>> It takes some time but then I can do list and it shows me that my
>>>> smartcard is active and has a card in it,
>>>> but in the VM no go.
>>>>
>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>> list
>>>> Active Readers:
>>>>     0 CARD_PRESENT SCM SCR 355 00 00
>>>>     0              UNAVAILABLE 1
>>>>     0              UNAVAILABLE 2
>>>>     0              UNAVAILABLE 3
>>>>     0              UNAVAILABLE 4
>>>> Inactive Readers:
>>>>> debug 1
>>>> debug level = 1
>>>>> Header: type=7, reader_id=0 length=5 (0x5)
>>>>    recv APDU: 00 CA DF 30 05
>>>>    send response: 69 00
>>>> Header: type=7, reader_id=0 length=10 (0xa)
>>>>    recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>>>    send response: 6A 82
>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>    send response: 6A 82
>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>    send response: 6A 82
>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>    recv APDU: 00 A4 08 00 02 2F 00
>>>>    send response: 6A 81
>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>    recv APDU: 00 A4 08 00 02 50 15
>>>>    send response: 6A 81
>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>    recv APDU: 00 A4 08 00 02 50 15
>>>>    send response: 6A 81
>>>>
>>>> So it kinda works, except that it does not see the right card; it also
>>>> shows me the wrong ATR.
>>> The ATR isn't wrong, it's just not the card's ATR. The architecture
>>> is like this:
>>>
>>> real card - real reader - pcscd - spicec (via nss) - simulated
>>> card<-protocol->
>>>    emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other
>>> client)
>>>
>>> When using vscclient it's exactly the same, difference is just that
>>> it goes via a TCP socket directly instead of in a spice channel.
>>>
>>> So the ATR you see in the vm is by the simulated card (libcacard).
>>>
>>> But you should definitely see a card with spicec as well.
>>>
>>>> I also need the middleware library in the vm else it does not work
>>>> at all.
>>>>
>>>> Any ideas?
>>> Nothing really. I'll try to take a look at the APDUs later (I'm not
>>> really an expert on them) - can you try using the certificates-backed
>>> card just to make sure everything except the hardware is working
>>> correctly? (i.e. VM stack is fine, spicec version and libspiceserver
>>> and qemu versions work fine). The instructions are in qemu
>>> doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is
>>> the patch with the file).
>>>
>> I'm not getting any further.
>>
>> I will explain below the steps I took to get things (almost :) running.
>>
>> Download all deps:
>> git clone git://anongit.freedesktop.org/~alon/qemu
>>   git checkout -b usb_ccid.v20 origin/usb_ccid.v20
>> wget
>> http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
>> wget
>> http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
>>
>> install libcacard
>> install spice protocol
>> install spice client and server with the configure option
>> --enable-smartcard
>> install qemu with configure option --enable-smartcard --enable-spice
>>
>> import certificates into nss database
>> mkdir -p /etc/pki/nssdb
>> certutil -N -d /etc/pki/nssdb
>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
>>
>> certutil -L -d /etc/pki/nssdb
>> cert3                                                        CTu,Cu,Cu
>> cert1                                                        CTu,Cu,Cu
>> cert2                                                        CTu,Cu,Cu
>>
>> start vm with the following options
>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device
>> usb-ccid -device
>> ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
>> start spicec -h localhost -p 5930
>> After boot I have a Gemplus CCID reader and pcsc_scan tells me that I
>> have a reader.
>>
>> But how can i show the certificates cert1,2,3 in the vm with certutil?
> You need to start certutil with a database which points to the smart card.
> If you install libcoolkey, I believe /etc/pki/nssdb should already be
> set up...
>
> Here's what mine looks like:
>
> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>    1. NSS Internal Crypto Services
>       slots: 3 slots attached
>      status: loaded
>
>       slot: NSS Internal Cryptographic Services
>      token: NSS Generic Crypto Services
>
>       slot: NSS User Private Key and Certificate Services
>      token: NSS Certificate DB
>
>       slot: NSS Application Slot 00000004
>      token: NSS user database
>
>    2. CoolKey PKCS #11 Module
>      library name: libcoolkeypk11.so
>       slots: 1 slot attached
>      status: loaded
>
>       slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
>      token:
>
>    3. Built-ins
>      library name: /usr/lib64/__libnssckbi.so
>       slots: There are no slots attached to this module
>      status: Not loaded
> -----------------------------------------------------------
> bobs-laptop(52)
>
> The important one here is #2 ("Coolkey PKCS #11 Module").
>
> Once you have that you should be able to run
>
> certutil -L -h all -d sql:/etc/pki/nssdb
>
> to list all the certs on your card.
>
> bob

OK, I have that on my local system where I use the AET middleware.
Then doing certutil -L -d sql:/etc/pki/nssdb -h all I get the 
certificates after entering the PIN.

But how are those visible within the VM with the virtual smartcard 
reader? When I use the same middleware library it tells me that I have 
the wrong smartcard. So I guess I need something like the coolkey or AET 
in the VM, but then for the virtual smartcard?

With kind regards

William
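The vscclient "debug 1" trace quoted earlier in this thread is the most useful diagnostic it contains, and it is easier to read once the APDUs are decoded. Below is an added Python example (not code from the thread, from spice, or from libcacard) that parses those trace lines, checks that each header's declared length matches the logged APDU, and names each command and status word using ISO 7816-4 values (SELECT, GET DATA, 6A82 "file or application not found", 6A81 "function not supported", 6900 "command not allowed"), plus the three SELECT targets that appear in the trace: the PIV application AID from NIST SP 800-73, EF.DIR (2F00) and the PKCS#15 application DF (5015). The trace text is embedded as constructed sample input copied from the thread; the `Exchange` class, the function names and the "type 7 = APDU" reading of the header are this example's own assumptions. Decoded this way, the trace shows the guest-side middleware's application and file selects all being refused by the card it is talking to, which is consistent with Alon's explanation that the guest sees the libcacard simulated card rather than the physical one.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "debug 1" trace vscclient printed in the thread.
TRACE = """\
Header: type=7, reader_id=0 length=5 (0x5)
   recv APDU: 00 CA DF 30 05
   send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
   recv APDU: 00 A4 04 00 05 A0 00 00 00 01
   send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
   send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 2F 00
   send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 50 15
   send response: 6A 81
"""

HEADER_RE = re.compile(r"Header: type=(\d+), reader_id=(\d+) length=(\d+)")

# ISO 7816-4 instruction bytes and status words (the subset seen in the trace).
INS_NAMES = {0x20: "VERIFY", 0xA4: "SELECT", 0xB0: "READ BINARY", 0xCA: "GET DATA"}
SW_NAMES = {
    0x9000: "OK",
    0x6900: "command not allowed",
    0x6A81: "function not supported",
    0x6A82: "file or application not found",
    0x6A86: "incorrect P1/P2",
}
# What the middleware tries to select: PIV AID (NIST SP 800-73), EF.DIR, PKCS#15 DF.
KNOWN_SELECT_TARGETS = {
    bytes.fromhex("A00000030800001000"): "PIV application AID",
    bytes.fromhex("2F00"): "EF.DIR",
    bytes.fromhex("5015"): "PKCS#15 application DF",
}


@dataclass
class Exchange:           # assumed name, one Header/APDU/response triple
    msg_type: int         # header "type" field; 7 carries an APDU in this trace
    reader_id: int
    declared_len: int     # payload length announced in the header
    apdu: bytes           # command APDU sent by the guest
    sw: int               # status word SW1SW2 of the card's response

    @property
    def ins(self) -> int:
        return self.apdu[1]

    @property
    def p1(self) -> int:
        return self.apdu[2]

    @property
    def data(self) -> bytes:
        # A 5-byte short APDU carries only Le (case 2); longer ones carry
        # Lc at byte 4 followed by Lc data bytes (case 3/4).
        if len(self.apdu) <= 5:
            return b""
        return self.apdu[5:5 + self.apdu[4]]


def parse_trace(text: str) -> List[Exchange]:
    """Pair each Header / recv APDU / send response triple into an Exchange."""
    exchanges: List[Exchange] = []
    hdr = apdu = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            hdr, apdu = tuple(int(x) for x in m.groups()), None
        elif line.startswith("recv APDU:"):
            apdu = bytes.fromhex(line.split(":", 1)[1])
        elif line.startswith("send response:") and hdr and apdu:
            resp = bytes.fromhex(line.split(":", 1)[1])
            sw = int.from_bytes(resp[-2:], "big")   # last two bytes are SW1 SW2
            exchanges.append(Exchange(*hdr, apdu, sw))
            hdr = apdu = None
    return exchanges


def select_target(ex: Exchange) -> Optional[str]:
    """Name what a SELECT asks for; None for commands other than SELECT."""
    if ex.ins != 0xA4:
        return None
    label = KNOWN_SELECT_TARGETS.get(ex.data)
    if label:
        return label
    kind = "AID" if ex.p1 == 0x04 else "path"     # P1=04 selects by DF name
    return f"{kind} {ex.data.hex().upper()}"


def describe(ex: Exchange) -> str:
    name = INS_NAMES.get(ex.ins, f"INS {ex.ins:02X}")
    target = select_target(ex)
    what = f"{name} {target}" if target else name
    return f"{what} -> {ex.sw:04X} ({SW_NAMES.get(ex.sw, 'unknown status')})"


def length_mismatches(exchanges: List[Exchange]) -> List[int]:
    """Indices whose header length disagrees with the APDU actually logged."""
    return [i for i, ex in enumerate(exchanges) if ex.declared_len != len(ex.apdu)]


def failed(exchanges: List[Exchange]) -> List[str]:
    """Descriptions of every command the card did not answer with 9000."""
    return [describe(ex) for ex in exchanges if ex.sw != 0x9000]


if __name__ == "__main__":
    exchanges = parse_trace(TRACE)
    print("header/APDU length mismatches:", length_mismatches(exchanges))
    for line in failed(exchanges):
        print(line)
```

Run as a script it prints one decoded line per exchange; to use it on a fresh capture, paste the vscclient output into TRACE or read it from a file. The length check is there because a header whose declared length disagrees with the APDU bytes that follow is the first thing to rule out when a passthrough channel misbehaves, before blaming the card or the middleware.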



>>>>>>>>>> _______________________________________________
>>>>>>>>>> Spice-devel mailing list
>>>>>>>>>> Spice-devel at lists.freedesktop.org
>>>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel