[Spice-devel] smartcard usage

william kc at cobradevil.org
Tue Mar 1 12:30:05 PST 2011


On 03/01/2011 07:21 PM, Alon Levy wrote:
>> On 03/01/2011 10:00 AM, william wrote:
>>> On 03/01/2011 08:13 AM, william wrote:
>>>> On 03/01/2011 12:23 AM, Robert Relyea wrote:
>>>>> On 02/28/2011 08:34 AM, william wrote:
>>>>>> On 02/26/2011 08:49 PM, Alon Levy wrote:
>>>>>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>>>>>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>>>>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>>>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100,
>>>>>>>>>>>>> kc at cobradevil.org
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> Dear list,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> i have tried to get smartcard support running but i'm a
>>>>>>>>>>>>>> bit
>>>>>>>>>>>>>> lost :)
>>>>>>>>>>>>>> probably because it's not finished yet.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> we have smartcards with certificates like us dod and i
>>>>>>>>>>>>>> would
>>>>>>>>>>>>>> like to use
>>>>>>>>>>>>>> those from a client on a remote server for authentication
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> such.
>>>>>>>>>>>>>> I have followed the build instructions:
>>>>>>>>>>>>>> http://spice-space.org/page/Building_Instructions on a
>>>>>>>>>>>>>> ubuntu
>>>>>>>>>>>>>> system and
>>>>>>>>>>>>>> have managed to get those compiled.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But when i try to start a vm with smartcard passthrough
>>>>>>>>>>>>>> it
>>>>>>>>>>>>>> asks me to give
>>>>>>>>>>>>>> a driver name?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait
>>>>>>>>>>>>>> -device
>>>>>>>>>>>>>> ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw
>>>>>>>>>>>>>> ac97 -L
>>>>>>>>>>>>>> pc-bios
>>>>>>>>>>>>>> -nographic -vga qxl -spice port=5930,disable-ticketing
>>>>>>>>>>>>>> -usbdevice tablet
>>>>>>>>>>>>>> -enable-kvm -m 512
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>>>>>> red_worker_main: begin
>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>>>>>> qemu-system-x86_64: -device
>>>>>>>>>>>>>> ccid-card-passthru,chardev=ccid:
>>>>>>>>>>>>>> Parameter
>>>>>>>>>>>>>> 'driver' expects a driver name
>>>>>>>>>>>>>> Try with argument '?' for a list.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Am i starting the vm the right way or am i missing
>>>>>>>>>>>>>> something?
>>>>>>>>>>>>> You are doing the right steps with the wrong qemu. To be
>>>>>>>>>>>>> explicit: qemu hasn't
>>>>>>>>>>>>> accepted the patches for the smartcard devices yet, so I
>>>>>>>>>>>>> don't
>>>>>>>>>>>>> know where you
>>>>>>>>>>>>> got the qemu executable but unless you built it by hand
>>>>>>>>>>>>> and
>>>>>>>>>>>>> applied the patches
>>>>>>>>>>>>> on the list, or easier used the pull url I provide in the
>>>>>>>>>>>>> patches I sent (like v20
>>>>>>>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you
>>>>>>>>>>>>> won't have them.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Alon
>>>>>>>>>>>>>
>>>>>>>>>>>> Sorry for the priv mail :(
>>>>>>>>>>>> i can start the vm now with the usb_ccid.v19 git 20 gives
>>>>>>>>>>>> me
>>>>>>>>>>>> compile errors
>>>>>>>>>>>>
>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>>>>> usb-ccid
>>>>>>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97
>>>>>>>>>>>> -L
>>>>>>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing
>>>>>>>>>>>> -usbdevice
>>>>>>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net
>>>>>>>>>>>> user
>>>>>>>>>>>> do_spice_init: starting 0.7.3
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>>>> red_worker_main: begin
>>>>>>>>>>>> handle_dev_input: start
>>>>>>>>>>>>
>>>>>>>>>>>> I also installed spice 0.7.3
>>>>>>>>>>>>
>>>>>>>>>>>> When starting the spicec client i can connect but how can i
>>>>>>>>>>>> share
>>>>>>>>>>>> say a local device now through spicec to the guest?
>>>>>>>>>>>> On the local client i can run pcsc_scan and it returns my
>>>>>>>>>>>> reader
>>>>>>>>>>>> and
>>>>>>>>>>>> detects my card, would that also be possible on the guest?
>>>>>>>>>>>>
>>>>>>>>>>> about v20 if you can run make V=1 and post the output?
>>>>>>>>>> Nah forget this
>>>>>>>>>> i did not switch to v20 that was the problem.
>>>>>>>>> I still don't understand, but it would be nice if you could do
>>>>>>>>> your
>>>>>>>>> tests with the last version, v20, even if the changes are just
>>>>>>>>> cosmetic.
>>>>>>>>>
>>>>>>>>>>> about the rest, yes, the guest should show the card too
>>>>>>>>>>> using
>>>>>>>>>>> pcsc_scan.
>>>>>>>>>>>
>>>>>>>>>>> you shouldn't need to be root on the client, but possibly it
>>>>>>>>>>> will
>>>>>>>>>>> work then -
>>>>>>>>>>> could you try that? in that case I don't remember exactly
>>>>>>>>>>> what
>>>>>>>>>>> the solution was :(
>>>>>>>>>>> but there is one!
>>>>>>>>>> ok here is what i see now
>>>>>>>>>>
>>>>>>>>>> - on my local system i have:
>>>>>>>>>> #lsusb
>>>>>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc.
>>>>>>>>>> SCR35xx
>>>>>>>>>> Smart Card Reader
>>>>>>>>>> #pcsc_scan
>>>>>>>>>> PC/SC device scanner
>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic
>>>>>>>>>> Rousseau<ludovic.rousseau at free.fr>
>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>>>>> Scanning present readers...
>>>>>>>>>> 0: SCM SCR 355 00 00
>>>>>>>>>>
>>>>>>>>>> Thu Feb 24 17:36:04 2011
>>>>>>>>>>     Reader 0: SCM SCR 355 00 00
>>>>>>>>>>      Card state: Card inserted,
>>>>>>>>>>      ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>>>>>>>
>>>>>>>>>> - Now when i start qemu like the following
>>>>>>>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>>> usb-ccid
>>>>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L
>>>>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing
>>>>>>>>>> -usbdevice
>>>>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>>>>
>>>>>>>>>> - i see this in my vm after starting spicec with the
>>>>>>>>>> following
>>>>>>>>>> options
>>>>>>>>>> #spicec -h localhost -p 5930
>>>>>>>>>> #lsusb
>>>>>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>>>>>>>> #pcsc_scan
>>>>>>>>>> PC/SC device scanner
>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic
>>>>>>>>>> Rousseau<ludovic.rousseau at free.fr>
>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>>>>> Scanning present readers...
>>>>>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>>>>
>>>>>>>>>> Thu Feb 24 17:42:05 2011
>>>>>>>>>>     Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>>>>      Card state: Card removed,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> After removing the device from my local machine and starting
>>>>>>>>>> the vm
>>>>>>>>>> again with the above options it still shows me the gemplus
>>>>>>>>>> smartcard
>>>>>>>>>> reader
>>>>>>>>>>
>>>>>>>>>> Any hints from here?
>>>>>>>>>>
>>>>>>>>> Yes. It looks like the guest sees the ccid device (that's the
>>>>>>>>> Gemplus,
>>>>>>>>> you can see it's qemu if you do lsusb), but no card. The
>>>>>>>>> reason for
>>>>>>>>> the
>>>>>>>>> latter is that spicec didn't see any card. That's why I
>>>>>>>>> suggested
>>>>>>>>> trying to
>>>>>>>>> run spicec as root - the bottom line is that you need to make
>>>>>>>>> sure NSS
>>>>>>>>> can see the device as a regular user. I'll try to supply
>>>>>>>>> better
>>>>>>>>> instructions
>>>>>>>>> later.
>>>>>>>> Well I managed to get something working but I'm not sure if
>>>>>>>> that's
>>>>>>>> the way to go.
>>>>>>>>
>>>>>>>> When i start the vm with the ccid passthrough i receive a
>>>>>>>> device
>>>>>>>> gemplus.
>>>>>>>>
>>>>>>>> When starting spicec with --smartcard after adding the aet
>>>>>>> oops, forgot you needed that.
>>>>>>>
>>>>>>>> middleware libs to the nss database with the following command:
>>>>>>>> modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile
>>>>>>>> /usr/lib/libaetpkss.so.3.0
>>>>>>>> then start spicec with --smartcard my reader begins blinking so
>>>>>>>> something is read from the token but then in the vm i got
>>>>>>>> nothing
>>>>>>>> when using pcsc_scan perhaps it has to do something with the
>>>>>>>> following error on the start of spicec: Warning: VSC Error:
>>>>>>>> reader
>>>>>>>> -1, code 32684
>>>>>>>>
>>>>>>> So using "spicec --smartcard" (spicec for short) you can't do
>>>>>>> pcsc_scan
>>>>>>> and see a card in the vm?
>>>>>>>
>>>>>>>> Anyway i also got the idea that using the vscclient would be
>>>>>>>> possible so i gave that a try
>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>>>> it takes some time but then I can do list and it shows me that
>>>>>>>> my
>>>>>>>> smartcard is active and has a card in it
>>>>>>>> but in the vm nogo
>>>>>>>>
>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>>>>> list
>>>>>>>> Active Readers:
>>>>>>>>      0 CARD_PRESENT SCM SCR 355 00 00
>>>>>>>>      0 UNAVAILABLE 1
>>>>>>>>      0 UNAVAILABLE 2
>>>>>>>>      0 UNAVAILABLE 3
>>>>>>>>      0 UNAVAILABLE 4
>>>>>>>> Inactive Readers:
>>>>>>>>> debug 1
>>>>>>>> debug level = 1
>>>>>>>>> Header: type=7, reader_id=0 length=5 (0x5)
>>>>>>>>     recv APDU: 00 CA DF 30 05
>>>>>>>>     send response: 69 00
>>>>>>>> Header: type=7, reader_id=0 length=10 (0xa)
>>>>>>>>     recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>>>>>>>     send response: 6A 82
>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>>>>     recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>>>>     send response: 6A 82
>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>>>>     recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>>>>     send response: 6A 82
>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>>>>     recv APDU: 00 A4 08 00 02 2F 00
>>>>>>>>     send response: 6A 81
>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>>>>     recv APDU: 00 A4 08 00 02 50 15
>>>>>>>>     send response: 6A 81
>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>>>>     recv APDU: 00 A4 08 00 02 50 15
>>>>>>>>     send response: 6A 81
>>>>>>>>
>>>>>>>> so it kinda works except that it does not see the right card it
>>>>>>>> also
>>>>>>>> shows me the wrong atr.
>>>>>>> The ATR isn't wrong, it's just not the card's ATR. The
>>>>>>> architecture
>>>>>>> is like this:
>>>>>>>
>>>>>>> real card - real reader - pcscd - spicec (via nss) - simulated card
>>>>>>>     <-protocol-> emulated ccid device - |(in vm) pcscd - pcsc_scan
>>>>>>>     (or any other client)
>>>>>>>
>>>>>>> When using vscclient it's exactly the same, difference is just
>>>>>>> that
>>>>>>> it goes via a TCP socket directly instead of in a spice channel.
>>>>>>>
>>>>>>> So the ATR you see in the vm is by the simulated card
>>>>>>> (libcacard).
>>>>>>>
>>>>>>> But you should definitely see a card with spicec as well.
>>>>>>>
>>>>>>>> I also need the middleware library in the vm else it does not
>>>>>>>> work
>>>>>>>> at all.
>>>>>>>>
>>>>>>>> Any ideas?
>>>>>>> Nothing really. I'll try to take a look at the APDU's later (I'm
>>>>>>> not
>>>>>>> really an expert on them) - can you try using the certificates
>>>>>>> backed
>>>>>>> card just to make sure everything except the hardware is working
>>>>>>> correctly? (i.e. vm stack is fine, spicec version and
>>>>>>> libspiceserver
>>>>>>> and qemu versions work fine). The instructions are in qemu
>>>>>>> doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/
>>>>>>> is
>>>>>>> the patch with the file).
>>>>>>>
>>>>>> I'm not getting any further.
>>>>>>
>>>>>> I will explain below the steps I took to get things (almost:)
>>>>>> running
>>>>>>
>>>>>> Download all deps:
>>>>>> git clone git://anongit.freedesktop.org/~alon/qemu
>>>>>>    git checkout -b usb_ccid.v20 origin/usb_ccid.v20
>>>>>> wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
>>>>>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
>>>>>> wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
>>>>>>
>>>>>> install libcacard
>>>>>> install spice protocol
>>>>>> install spice client and server with the configure option
>>>>>> --enable-smartcard
>>>>>> install qemu with configure option --enable-smartcard
>>>>>> --enable-spice
>>>>>>
>>>>>> import certificates into nss database
>>>>>> mkdir -p /etc/pki/nssdb
>>>>>> certutil -N -d /etc/pki/nssdb
>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
>>>>>>
>>>>>> certutil -L -d /etc/pki/nssdb
>>>>>> cert3 CTu,Cu,Cu
>>>>>> cert1 CTu,Cu,Cu
>>>>>> cert2 CTu,Cu,Cu
>>>>>>
>>>>>> start vm with the following options
>>>>>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device
>>>>>> usb-ccid -device
>>>>>> ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
>>>>>>
>>>>>> start spicec -h localhost -p 5930
>>>>>> after boot i have gemplus ccid reader and pcsc_scan tells me that
>>>>>> i
>>>>>> have a reader
>>>>>>
>>>>>> But how can i show the certificates cert1,2,3 in the vm with
>>>>>> certutil?
>>>>> You need to start certutil with a database which points to the
>>>>> smart card.
>>>>> If you install libcoolkey, I believe /etc/pki/nssdb should already
>>>>> be
>>>>> set up...
>>>>>
>>>>> Here's what mine looks like:
>>>>>
>>>>> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
>>>>>
>>>>> Listing of PKCS #11 Modules
>>>>> -----------------------------------------------------------
>>>>>     1. NSS Internal Crypto Services
>>>>>        slots: 3 slots attached
>>>>>       status: loaded
>>>>>
>>>>>        slot: NSS Internal Cryptographic Services
>>>>>       token: NSS Generic Crypto Services
>>>>>
>>>>>        slot: NSS User Private Key and Certificate Services
>>>>>       token: NSS Certificate DB
>>>>>
>>>>>        slot: NSS Application Slot 00000004
>>>>>       token: NSS user database
>>>>>
>>>>>     2. CoolKey PKCS #11 Module
>>>>>       library name: libcoolkeypk11.so
>>>>>        slots: 1 slot attached
>>>>>       status: loaded
>>>>>
>>>>>        slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
>>>>>       token:
>>>>>
>>>>>     3. Built-ins
>>>>>       library name: /usr/lib64/__libnssckbi.so
>>>>>        slots: There are no slots attached to this module
>>>>>       status: Not loaded
>>>>> -----------------------------------------------------------
>>>>> bobs-laptop(52)
>>>>>
>>>>> The important one here is #2 ("Coolkey PKCS #11 Module").
>>>>>
>>>>> Once you have that you should be able to run
>>>>>
>>>>> certutil -L -h all -d sql:/etc/pki/nssdb
>>>>>
>>>>> to list all the certs on your card.
>>>>>
>>>>> bob
>>>> Ok i have that in my local system where i use the aet middleware.
>>>> Then doing the certutil -L -d sql:/etc/pki/nssdb -h all i get the
>>>> certificates after entering the pin.
>>>>
>>>> But how are those visible within the vm with the virtual smartcard
>>>> reader? When I use the same middleware library it tells me that I
>>>> have the wrong smartcard. So i guess i need something like the
>>>> coolkey or aet in the vm but then for the virtual smartcard?
>>>>
>>>> With kind regards
>>>>
>>>> William
>>>>
>>> some more info
>>>
>>> On my laptop my list looks like:
>>> Listing of PKCS #11 Modules
>>> -----------------------------------------------------------
>>>    1. NSS Internal PKCS #11 Module
>>>       slots: 2 slots attached
>>>      status: loaded
>>>
>>>       slot: NSS Internal Cryptographic Services
>>>      token: NSS Generic Crypto Services
>>>
>>>       slot: NSS User Private Key and Certificate Services
>>>      token: NSS Certificate DB
>>>
>>>    2. Root Certs
>>>      library name: /etc/pki/nssdb/libnssckbi.so
>>>       slots: 1 slot attached
>>>      status: loaded
>>>
>>>       slot: NSS Builtin Objects
>>>      token: Builtin Object Token
>>>
>>>    3. Aet1
>>>      library name: /usr/lib/libaetpkss.so.3.0
>>>       slots: 5 slots attached
>>>      status: loaded
>>>
>>>       slot: SCM SCR 355 00 00
>>>      token: smartcard
>>>
>>>       slot: UNAVAILABLE 1
>>>      token:
>>>
>>>       slot: UNAVAILABLE 2
>>>      token:
>>>
>>>       slot: UNAVAILABLE 3
>>>      token:
>>>
>>>       slot: UNAVAILABLE 4
>>>      token:
>>> -----------------------------------------------------------
>>>
>>>
>>> on the vm i only have 1 and 2 like above and number 3 i can add but
>>> then it says token not recognized.
>>>
>>> But when i try Alon his option to create the 3 certs manually and
>>> use
>>> those when starting the vm i also can't show them?
>>> so do i need to add like libcacard.so as a middleware lib or
>>> something
>>> in the vm?
>>>
>> Ok finally it works :)
>>
> m'glad.
>
>> i had to install the coolkey (thanks Robert) libs and add those to the
>> nss database.
>> i was looking for something like that, I just did not understand that
>> I
>> had to install the coolkey in the vm.
>>
>> so for my understanding the libcacard virtual smartcard is based on
>> coolkey?
>>
> There is no library dependency, libcacard is linked to nss only (and
> that's also something that will be made optional if we make a windows
> scard backend for instance, or a testing backend).
>
>> So now i have that working with vscclient and not with spicec.
>> Spicec uses the /etc/pki/nssdb file and my smartcard starts to blink
>> but
>> it cannot use the smartcard in the vm.
>> pcsc_scan also tells me that it has no smartcard.
>>
> Did you try spicec with certificates? did that work? it sounds like
> just different db being used by spicec - it's basically the exact
> same codepath as vscclient (different code, so bug possible/expected
> of course, but it worked for me ;)
Well, I have tried to start spicec with the certificates cert1, cert2 and 
3, like starting qemu, but that's not working.
Can you give me an example of how to do that (create the certs and how to 
pass them using spicec)?


I'm not getting it entirely :)
vscclient -d 1 127.0.0.1 -e "use_hw=yes" 2001
only works when using the libaetpkss.so driver in the nssdb.

When I start vscclient with use_hw=no it does not work, and it also does not 
work when using use_hw=yes and I removed the library from the nssdb. So 
it seems to really use the aet middleware and the nssdb.

spicec --smartcard reads my smartcard so I guess that should also work, 
but something is going wrong when passing that to the spiced vm (does 
the spice-0.7.3 package from the website contain the necessary patches?)

Do I need to start qemu with a different device when using spicec 
--smartcard?

With kind regards

William




>> This is when starting the vm with:
>> -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>> usb-ccid -device ccid-card-passthru,chardev=ccid -usb
>>
>> This works with vscclient but spicec just gives an error and no
>> smartcard.
>>
>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>> 1299000951 INFO [8657:8657] SmartCardChannel::add_unallocated_reader: adding unallocated reader 0x914c510
>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_CARD_INSERT
>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>> 1299000951 WARN [8657:8657] SmartCardChannel::handle_reader_add_response: VSC Error: reader -1, code 32511
>>
>>
>>> With kind regards
>>>
>>> William
>>>>
>>>>>>>> With kind regards
>>>>>>>>
>>>>>>>> William
>>>>>>>>>> With kind regards
>>>>>>>>>>
>>>>>>>>>> William van de Velde
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>> With kind regards
>>>>>>>>>>>>
>>>>>>>>>>>> William
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>>> With kind regards
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> William
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Spice-devel mailing list
>>>>>>>>>>>>>> Spice-devel at lists.freedesktop.org
>>>>>>>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel



More information about the Spice-devel mailing list
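
The vscclient "debug 1" trace quoted in this thread can be decoded to see what the guest asked the emulated card and how it answered. This is an added example, not part of the original message and not SPICE or libcacard code; the function names are hypothetical and the instruction and status-word meanings are the ISO 7816-4 ones.

```python
import re
# Constructed input: exchanges copied from the vscclient "debug 1" trace quoted
# in this thread (mail quote markers stripped, repeated exchanges omitted).
SAMPLE_LOG = """\
Header: type=7, reader_id=0 length=5 (0x5)
    recv APDU: 00 CA DF 30 05
    send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
    recv APDU: 00 A4 04 00 05 A0 00 00 00 01
    send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
    send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
    recv APDU: 00 A4 08 00 02 2F 00
    send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
    recv APDU: 00 A4 08 00 02 50 15
    send response: 6A 81
"""

INS = {0xA4: "SELECT", 0xCA: "GET DATA"}             # ISO 7816-4 instructions
SELECT_BY = {0x04: "AID", 0x08: "path from MF"}      # meaning of P1 for SELECT
SW = {0x9000: "success", 0x6900: "command not allowed",
      0x6A81: "function not supported", 0x6A82: "file or application not found"}
HEX = r"((?:[0-9A-Fa-f]{2}\s*)+)"

def decode_command(apdu):
    """Split a short-form command APDU into header, data field and Le."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs CLA INS P1 P2")
    cmd = dict(zip(("cla", "ins", "p1", "p2"), apdu[:4]), data=b"", le=None)
    body = apdu[4:]
    if len(body) == 1:                    # case 2: only Le follows the header
        cmd["le"] = body[0]
    elif body:                            # case 3/4: Lc, data, optional Le
        lc, rest = body[0], body[1:]
        if len(rest) not in (lc, lc + 1):
            raise ValueError("Lc does not match the data length")
        cmd["data"] = rest[:lc]
        cmd["le"] = rest[lc] if len(rest) == lc + 1 else None
    return cmd

def parse_log(text):
    """Pair every 'recv APDU' line with the 'send response' that follows it."""
    exchanges, declared, pending = [], None, None
    for line in text.splitlines():
        if m := re.search(r"Header:.*length=(\d+)", line):
            declared = int(m.group(1))
        elif m := re.search(r"recv APDU:\s*" + HEX, line):
            apdu = bytes.fromhex(m.group(1))
            if declared not in (None, len(apdu)):
                raise ValueError("header length disagrees with APDU length")
            pending = decode_command(apdu)
        elif (m := re.search(r"send response:\s*" + HEX, line)) and pending:
            resp = bytes.fromhex(m.group(1))
            exchanges.append({**pending, "sw": int.from_bytes(resp[-2:], "big")})
            pending = None
    return exchanges

def describe(e):
    name = INS.get(e["ins"], "INS %02X" % e["ins"])
    if e["ins"] == 0xA4:
        how = SELECT_BY.get(e["p1"], "P1=%02X" % e["p1"])
        name += " by %s %s" % (how, e["data"].hex(" ").upper())
    return "%s -> %04X (%s)" % (name, e["sw"], SW.get(e["sw"], "unknown"))

if __name__ == "__main__":
    print("\n".join(describe(e) for e in parse_log(SAMPLE_LOG)))
```

None of the decoded exchanges ends in 90 00, which is consistent with the report in the thread that the middleware tried in the guest did not recognise the token.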