[Spice-devel] smartcard usage
william
kc at cobradevil.org
Tue Mar 1 10:05:59 PST 2011
On 03/01/2011 10:00 AM, william wrote:
> On 03/01/2011 08:13 AM, william wrote:
>> On 03/01/2011 12:23 AM, Robert Relyea wrote:
>>> On 02/28/2011 08:34 AM, william wrote:
>>>> On 02/26/2011 08:49 PM, Alon Levy wrote:
>>>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>>>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, kc at cobradevil.org wrote:
>>>>>>>>>>>> Dear list,
>>>>>>>>>>>>
>>>>>>>>>>>> I have tried to get smartcard support running but I'm a bit
>>>>>>>>>>>> lost :) probably because it's not finished yet.
>>>>>>>>>>>>
>>>>>>>>>>>> We have smartcards with certificates like US DoD and I would
>>>>>>>>>>>> like to use those from a client on a remote server for
>>>>>>>>>>>> authentication and such.
>>>>>>>>>>>> I have followed the build instructions:
>>>>>>>>>>>> http://spice-space.org/page/Building_Instructions on an Ubuntu
>>>>>>>>>>>> system and have managed to get those compiled.
>>>>>>>>>>>>
>>>>>>>>>>>> But when I try to start a VM with smartcard passthrough it
>>>>>>>>>>>> asks me to give a driver name?
>>>>>>>>>>>>
>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 \
>>>>>>>>>>>>   -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
>>>>>>>>>>>>   -device ccid-card-passthru,chardev=ccid \
>>>>>>>>>>>>   -drive file=/var/lib/libvirt/images/test.img,if=ide \
>>>>>>>>>>>>   -soundhw ac97 -L pc-bios -nographic -vga qxl \
>>>>>>>>>>>>   -spice port=5930,disable-ticketing -usbdevice tablet \
>>>>>>>>>>>>   -enable-kvm -m 512
>>>>>>>>>>>>
>>>>>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>>>> red_worker_main: begin
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid:
>>>>>>>>>>>> Parameter 'driver' expects a driver name
>>>>>>>>>>>> Try with argument '?' for a list.
>>>>>>>>>>>>
>>>>>>>>>>>> Am I starting the VM the right way or am I missing something?
>>>>>>>>>>> You are doing the right steps with the wrong qemu. To be
>>>>>>>>>>> explicit: qemu hasn't accepted the patches for the smartcard
>>>>>>>>>>> devices yet, so I don't know where you got the qemu executable,
>>>>>>>>>>> but unless you built it by hand and applied the patches on the
>>>>>>>>>>> list, or, easier, used the pull URL I provide in the patches I
>>>>>>>>>>> sent (like v20: git://anongit.freedesktop.org/~alon/qemu
>>>>>>>>>>> usb_ccid.v20) you won't have them.
>>>>>>>>>>>
>>>>>>>>>>> Alon
>>>>>>>>>>>
>>>>>>>>>> Sorry for the private mail :(
>>>>>>>>>> I can start the VM now with the usb_ccid.v19 git; v20 gives me
>>>>>>>>>> compile errors.
>>>>>>>>>>
>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 \
>>>>>>>>>>   -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
>>>>>>>>>>   -device usb-ccid -device ccid-card-passthru,chardev=ccid \
>>>>>>>>>>   -drive file=/var/lib/libvirt/images/test.img,if=ide \
>>>>>>>>>>   -soundhw ac97 -L pc-bios -nographic \
>>>>>>>>>>   -spice port=5930,disable-ticketing -usbdevice tablet \
>>>>>>>>>>   -enable-kvm -m 512 \
>>>>>>>>>>   -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>>>> do_spice_init: starting 0.7.3
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>> red_worker_main: begin
>>>>>>>>>> handle_dev_input: start
>>>>>>>>>>
>>>>>>>>>> I also installed spice 0.7.3.
>>>>>>>>>>
>>>>>>>>>> When starting the spicec client I can connect, but how can I
>>>>>>>>>> share, say, a local device now through spicec to the guest?
>>>>>>>>>> On the local client I can run pcsc_scan and it returns my reader
>>>>>>>>>> and detects my card; would that also be possible on the guest?
>>>>>>>>>>
>>>>>>>>> About v20: could you run make V=1 and post the output?
>>>>>>>> Nah, forget this;
>>>>>>>> I did not switch to v20, that was the problem.
>>>>>>> I still don't understand, but it would be nice if you could do your
>>>>>>> tests with the last version, v20, even if the changes are just cosmetic.
>>>>>>>
>>>>>>>>> About the rest: yes, the guest should show the card too using
>>>>>>>>> pcsc_scan.
>>>>>>>>>
>>>>>>>>> You shouldn't need to be root on the client, but possibly it will
>>>>>>>>> work then - could you try that? In that case I don't remember
>>>>>>>>> exactly what the solution was :( but there is one!
>>>>>>>> OK, here is what I see now
>>>>>>>>
>>>>>>>> - On my local system I have:
>>>>>>>> #lsusb
>>>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader
>>>>>>>> #pcsc_scan
>>>>>>>> PC/SC device scanner
>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>>> Scanning present readers...
>>>>>>>> 0: SCM SCR 355 00 00
>>>>>>>>
>>>>>>>> Thu Feb 24 17:36:04 2011
>>>>>>>> Reader 0: SCM SCR 355 00 00
>>>>>>>> Card state: Card inserted,
>>>>>>>> ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>>>>>
>>>>>>>> - Now when I start qemu like the following
>>>>>>>> #./x86_64-softmmu/qemu-system-x86_64 \
>>>>>>>>   -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
>>>>>>>>   -device usb-ccid -device ccid-card-passthru,chardev=ccid \
>>>>>>>>   -drive file=/var/lib/libvirt/images/test.img,if=ide \
>>>>>>>>   -soundhw ac97 -L pc-bios -nographic \
>>>>>>>>   -spice port=5930,disable-ticketing -usbdevice tablet \
>>>>>>>>   -enable-kvm -m 512 \
>>>>>>>>   -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>>
>>>>>>>> - I see this in my VM after starting spicec with the following options
>>>>>>>> #spicec -h localhost -p 5930
>>>>>>>> #lsusb
>>>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>>>>>> #pcsc_scan
>>>>>>>> PC/SC device scanner
>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rousseau at free.fr>
>>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>>> Scanning present readers...
>>>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>>
>>>>>>>> Thu Feb 24 17:42:05 2011
>>>>>>>> Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>> Card state: Card removed,
>>>>>>>>
>>>>>>>>
>>>>>>>> After removing the device from my local machine and starting the VM
>>>>>>>> again with the above options it still shows me the Gemplus smartcard
>>>>>>>> reader.
>>>>>>>>
>>>>>>>> Any hints from here?
>>>>>>>>
>>>>>>> Yes. It looks like the guest sees the ccid device (that's the Gemplus,
>>>>>>> you can see it's qemu if you do lsusb), but no card. The reason for
>>>>>>> the latter is that spicec didn't see any card. That's why I suggested
>>>>>>> trying to run spicec as root - the bottom line is that you need to
>>>>>>> make sure NSS can see the device as a regular user. I'll try to supply
>>>>>>> better instructions later.
>>>>>> Well, I managed to get something working but I'm not sure if that's
>>>>>> the way to go.
>>>>>>
>>>>>> When I start the VM with the ccid passthrough I receive a device
>>>>>> Gemplus.
>>>>>>
>>>>>> When starting spicec with --smartcard after adding the AET
>>>>> oops, forgot you needed that.
>>>>>
>>>>>> middleware libs to the NSS database with the following command:
>>>>>> modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile /usr/lib/libaetpkss.so.3.0
>>>>>> then start spicec with --smartcard, my reader begins blinking so
>>>>>> something is read from the token, but then in the VM I get nothing
>>>>>> when using pcsc_scan. Perhaps it has to do with the following error
>>>>>> on the start of spicec: Warning: VSC Error: reader -1, code 32684
>>>>>>
>>>>> So using "spicec --smartcard" (spicec for short) you can't do
>>>>> pcsc_scan and see a card in the VM?
>>>>>
>>>>>> Anyway, I also got the idea that using the vscclient would be
>>>>>> possible so I gave that a try:
>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>> It takes some time but then I can do list and it shows me that my
>>>>>> smartcard is active and has a card in it,
>>>>>> but in the VM no go.
>>>>>>
>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>>> list
>>>>>> Active Readers:
>>>>>> 0 CARD_PRESENT SCM SCR 355 00 00
>>>>>> 0 UNAVAILABLE 1
>>>>>> 0 UNAVAILABLE 2
>>>>>> 0 UNAVAILABLE 3
>>>>>> 0 UNAVAILABLE 4
>>>>>> Inactive Readers:
>>>>>>> debug 1
>>>>>> debug level = 1
>>>>>>> Header: type=7, reader_id=0 length=5 (0x5)
>>>>>> recv APDU: 00 CA DF 30 05
>>>>>> send response: 69 00
>>>>>> Header: type=7, reader_id=0 length=10 (0xa)
>>>>>> recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>>>>> send response: 6A 82
>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>> recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>> send response: 6A 82
>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>> recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>> send response: 6A 82
>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>> recv APDU: 00 A4 08 00 02 2F 00
>>>>>> send response: 6A 81
>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>> recv APDU: 00 A4 08 00 02 50 15
>>>>>> send response: 6A 81
>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>> recv APDU: 00 A4 08 00 02 50 15
>>>>>> send response: 6A 81
>>>>>>
>>>>>> So it kinda works except that it does not see the right card; it also
>>>>>> shows me the wrong ATR.
>>>>> The ATR isn't wrong, it's just not the card's ATR. The architecture
>>>>> is like this:
>>>>>
>>>>> real card - real reader - pcscd - spicec (via nss) - simulated card
>>>>>   <-protocol-> emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other client)
>>>>>
>>>>> When using vscclient it's exactly the same, the difference is just that
>>>>> it goes via a TCP socket directly instead of in a spice channel.
>>>>>
>>>>> So the ATR you see in the VM is by the simulated card (libcacard).
>>>>>
>>>>> But you should definitely see a card with spicec as well.
>>>>>
>>>>>> I also need the middleware library in the VM, else it does not work
>>>>>> at all.
>>>>>>
>>>>>> Any ideas?
>>>>> Nothing really. I'll try to take a look at the APDUs later (I'm not
>>>>> really an expert on them) - can you try using the certificate-backed
>>>>> card just to make sure everything except the hardware is working
>>>>> correctly? (i.e. the VM stack is fine, spicec version and libspiceserver
>>>>> and qemu versions work fine). The instructions are in qemu
>>>>> doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is
>>>>> the patch with the file).
>>>>>
>>>> I'm not getting any further.
>>>>
>>>> I will explain below the steps I took to get things (almost :) running
>>>>
>>>> Download all deps:
>>>> git clone git://anongit.freedesktop.org/~alon/qemu
>>>> git checkout -b usb_ccid.v20 origin/usb_ccid.v20
>>>> wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
>>>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
>>>> wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
>>>>
>>>> install libcacard
>>>> install spice protocol
>>>> install spice client and server with the configure option
>>>> --enable-smartcard
>>>> install qemu with configure option --enable-smartcard --enable-spice
>>>>
>>>> import certificates into the NSS database
>>>> mkdir -p /etc/pki/nssdb
>>>> certutil -N -d /etc/pki/nssdb
>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
>>>>
>>>> certutil -L -d /etc/pki/nssdb
>>>> cert3 CTu,Cu,Cu
>>>> cert1 CTu,Cu,Cu
>>>> cert2 CTu,Cu,Cu
>>>>
>>>> start the VM with the following options
>>>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb \
>>>>   -device usb-ccid \
>>>>   -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
>>>>
>>>> start spicec -h localhost -p 5930
>>>> after boot I have a Gemplus ccid reader and pcsc_scan tells me that I
>>>> have a reader
>>>>
>>>> But how can I show the certificates cert1,2,3 in the VM with certutil?
>>> You need to start certutil with a database which points to the smart card.
>>> If you install libcoolkey, I believe /etc/pki/nssdb should already be
>>> set up...
>>>
>>> Here's what mine looks like:
>>>
>>> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
>>>
>>> Listing of PKCS #11 Modules
>>> -----------------------------------------------------------
>>> 1. NSS Internal Crypto Services
>>> slots: 3 slots attached
>>> status: loaded
>>>
>>> slot: NSS Internal Cryptographic Services
>>> token: NSS Generic Crypto Services
>>>
>>> slot: NSS User Private Key and Certificate Services
>>> token: NSS Certificate DB
>>>
>>> slot: NSS Application Slot 00000004
>>> token: NSS user database
>>>
>>> 2. CoolKey PKCS #11 Module
>>> library name: libcoolkeypk11.so
>>> slots: 1 slot attached
>>> status: loaded
>>>
>>> slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
>>> token:
>>>
>>> 3. Built-ins
>>> library name: /usr/lib64/__libnssckbi.so
>>> slots: There are no slots attached to this module
>>> status: Not loaded
>>> -----------------------------------------------------------
>>> bobs-laptop(52)
>>>
>>> The important one here is #2 ("Coolkey PKCS #11 Module").
>>>
>>> Once you have that you should be able to run
>>>
>>> certutil -L -h all -d sql:/etc/pki/nssdb
>>>
>>> to list all the certs on your card.
>>>
>>> bob
>>
>> OK, I have that on my local system where I use the AET middleware.
>> Then doing certutil -L -d sql:/etc/pki/nssdb -h all I get the
>> certificates after entering the PIN.
>>
>> But how are those visible within the VM with the virtual smartcard
>> reader? When I use the same middleware library it tells me that I
>> have the wrong smartcard. So I guess I need something like the
>> coolkey or AET in the VM but then for the virtual smartcard?
>>
>> With kind regards
>>
>> William
>>
> Some more info
>
> On my laptop my list looks like:
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
>
> 2. Root Certs
> library name: /etc/pki/nssdb/libnssckbi.so
> slots: 1 slot attached
> status: loaded
>
> slot: NSS Builtin Objects
> token: Builtin Object Token
>
> 3. Aet1
> library name: /usr/lib/libaetpkss.so.3.0
> slots: 5 slots attached
> status: loaded
>
> slot: SCM SCR 355 00 00
> token: smartcard
>
> slot: UNAVAILABLE 1
> token:
>
> slot: UNAVAILABLE 2
> token:
>
> slot: UNAVAILABLE 3
> token:
>
> slot: UNAVAILABLE 4
> token:
> -----------------------------------------------------------
>
>
> On the VM I only have 1 and 2 like above, and number 3 I can add but
> then it says token not recognized.
>
> But when I try Alon's option to create the 3 certs manually and use
> those when starting the VM I also can't show them?
> So do I need to add something like libcacard.so as a middleware lib
> in the VM?
>
OK, finally it works :)
I had to install the coolkey (thanks Robert) libs and add those to the
NSS database.
I was looking for something like that; I just did not understand that I
had to install coolkey in the VM.
So for my understanding the libcacard virtual smartcard is based on
coolkey?
So now I have that working with vscclient and not with spicec.
spicec uses the /etc/pki/nssdb file and my smartcard starts to blink but
it cannot use the smartcard in the VM.
pcsc_scan also tells me that it has no smartcard.
This is when starting the VM with:
-chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
  -device usb-ccid -device ccid-card-passthru,chardev=ccid -usb
This works with vscclient but spicec just gives an error and no smartcard.
1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
1299000951 INFO [8657:8657] SmartCardChannel::add_unallocated_reader: adding unallocated reader 0x914c510
1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_CARD_INSERT
1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
1299000951 WARN [8657:8657] SmartCardChannel::handle_reader_add_response: VSC Error: reader -1, code 32511
> With kind regards
>
> William
>>
>>
>>>>>> With kind regards
>>>>>>
>>>>>> William
>>>>>>>> With kind regards
>>>>>>>>
>>>>>>>> William van de Velde
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>> With kind regards
>>>>>>>>>>
>>>>>>>>>> William
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>> With kind regards
>>>>>>>>>>>>
>>>>>>>>>>>> William
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Spice-devel mailing list
>>>>>>>>>>>> Spice-devel at lists.freedesktop.org
>>>>>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
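The vscclient "debug 1" trace quoted earlier in this thread is the most telling diagnostic on the page: it shows exactly which applets and files the middleware inside the guest asks the simulated card for, and that every request is refused. The decoder below is an added example written for this page; it is not code from spice, qemu, libcacard or any of the posters. The sample trace is the quoted vscclient output re-typed as a constructed string. The instruction names, SELECT modes and status-word meanings are standard ISO 7816-4 values, and the labels for the PIV AID (A0 00 00 03 08 00 00 10 00), EF.DIR (2F 00) and the PKCS#15 DF (50 15) are my identifications from NIST SP 800-73 and PKCS#15; the thread itself never names them.

```python
"""Decode the APDU trace vscclient prints with `debug 1` (added example,
not code from spice, qemu or libcacard). Instruction names, SELECT modes
and status words follow ISO 7816-4; the PIV AID, EF.DIR and PKCS#15 DF
labels are standard identifiers assumed here, the thread never names them."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the recv/send lines quoted in the thread, re-typed
# (the "Header:" lines are dropped; the parser ignores them anyway).
SAMPLE_TRACE = """\
recv APDU: 00 CA DF 30 05
send response: 69 00
recv APDU: 00 A4 04 00 05 A0 00 00 00 01
send response: 6A 82
recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
send response: 6A 82
recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
send response: 6A 82
recv APDU: 00 A4 08 00 02 2F 00
send response: 6A 81
recv APDU: 00 A4 08 00 02 50 15
send response: 6A 81
recv APDU: 00 A4 08 00 02 50 15
send response: 6A 81
"""

INS_NAMES = {0xA4: "SELECT", 0xB0: "READ BINARY", 0xCA: "GET DATA"}
SELECT_MODES = {0x00: "by file id", 0x04: "by AID", 0x08: "by path from MF"}
KNOWN_AIDS = {bytes.fromhex("A00000030800001000"): "NIST PIV application"}
KNOWN_PATHS = {bytes.fromhex("2F00"): "EF.DIR", bytes.fromhex("5015"): "PKCS#15 DF"}
SW_MEANINGS = {0x9000: "OK", 0x6900: "command not allowed",
               0x6A81: "function not supported",
               0x6A82: "file or application not found"}


@dataclass
class Exchange:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""         # command data field (Lc bytes)
    le: Optional[int] = None  # expected response length; 0 on the wire means 256
    response: bytes = b""     # response data without the trailing SW1 SW2
    sw: int = 0               # SW1 SW2 as one integer, e.g. 0x6A82

    @property
    def ok(self) -> bool:
        return self.sw == 0x9000 or (self.sw >> 8) == 0x61

    @property
    def status(self) -> str:
        return SW_MEANINGS.get(self.sw, f"unknown SW {self.sw:04X}")

    def describe(self) -> str:
        if self.ins == 0xA4:
            mode = SELECT_MODES.get(self.p1, f"P1={self.p1:02X}")
            table = KNOWN_AIDS if self.p1 == 0x04 else KNOWN_PATHS
            return f"SELECT {mode}: {table.get(self.data, self.data.hex().upper())}"
        name = INS_NAMES.get(self.ins, f"INS {self.ins:02X}")
        return f"{name} P1P2={self.p1:02X}{self.p2:02X} Le={self.le}"


def parse_command_apdu(raw: bytes) -> Exchange:
    """Split a short ISO 7816-4 command APDU into header, Lc/data and Le."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    ex, body = Exchange(*raw[:4]), raw[4:]
    if len(body) == 1:                      # case 2: Le only
        ex.le = body[0] or 256
    elif len(body) > 1:                     # case 3/4: Lc, data, optional Le
        lc, rest = body[0], body[1:]
        if len(rest) not in (lc, lc + 1):
            raise ValueError(f"Lc={lc} but {len(rest)} bytes follow it")
        ex.data, tail = rest[:lc], rest[lc:]
        if tail:
            ex.le = tail[0] or 256
    return ex


def parse_trace(text: str) -> List[Exchange]:
    """Pair every 'recv APDU' line with the 'send response' that follows it."""
    exchanges, pending = [], None
    for line in text.splitlines():
        label, _, hexbytes = line.strip().partition(":")
        if label == "recv APDU":
            pending = parse_command_apdu(bytes.fromhex(hexbytes))
        elif label == "send response" and pending is not None:
            resp = bytes.fromhex(hexbytes)
            pending.response = resp[:-2]
            pending.sw = int.from_bytes(resp[-2:], "big")
            exchanges.append(pending)
            pending = None
    return exchanges


def rejected_targets(exchanges: List[Exchange]) -> List[str]:
    """Applets and files the middleware asked for and the card refused."""
    seen: List[str] = []
    for ex in exchanges:
        if ex.ins == 0xA4 and not ex.ok and ex.describe() not in seen:
            seen.append(ex.describe())
    return seen


if __name__ == "__main__":
    for ex in parse_trace(SAMPLE_TRACE):
        print(f"{ex.describe():48} -> {ex.sw:04X} {ex.status}")
```

Run as a script it prints one line per exchange. Read against Alon's diagram, the output explains the "wrong smartcard" message from the AET middleware in the guest: the card the guest talks to is the one libcacard simulates, and it answers 6A82 (file or application not found) to the SELECT by AID and 6A81 (function not supported) to the selects by path, so a middleware that expects a PIV or PKCS#15 layout stops right there. The same decoder works on any vscclient trace where the guest refuses to see a card; the first thing to look for is a SELECT that the simulated card does not answer with 90 00.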