[Spice-devel] smartcard usage

william kc at cobradevil.org
Tue Mar 1 12:47:06 PST 2011


On 03/01/2011 09:30 PM, william wrote:
> On 03/01/2011 07:21 PM, Alon Levy wrote:
>>> On 03/01/2011 10:00 AM, william wrote:
>>>> On 03/01/2011 08:13 AM, william wrote:
>>>>> On 03/01/2011 12:23 AM, Robert Relyea wrote:
>>>>>> On 02/28/2011 08:34 AM, william wrote:
>>>>>>> On 02/26/2011 08:49 PM, Alon Levy wrote:
>>>>>>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>>>>>>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>>>>>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>>>>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>>>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100,
>>>>>>>>>>>>>> kc at cobradevil.org
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> Dear list,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> i have tried to get smartcard support running but i'm a
>>>>>>>>>>>>>>> bit
>>>>>>>>>>>>>>> lost :)
>>>>>>>>>>>>>>> probably because it's not finished yet.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> we have smartcards with certificates like us dod and i
>>>>>>>>>>>>>>> would
>>>>>>>>>>>>>>> like to use
>>>>>>>>>>>>>>> those from a client on a remote server for authentication
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> such.
>>>>>>>>>>>>>>> I have followed the build instructions:
>>>>>>>>>>>>>>> http://spice-space.org/page/Building_Instructions on a
>>>>>>>>>>>>>>> ubuntu
>>>>>>>>>>>>>>> system and
>>>>>>>>>>>>>>> have managed to get those compiled.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> But when i try to start a vm with smartcard passthrough
>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>> asks me to give
>>>>>>>>>>>>>>> a driver name?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait
>>>>>>>>>>>>>>> -device
>>>>>>>>>>>>>>> ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw
>>>>>>>>>>>>>>> ac97 -L
>>>>>>>>>>>>>>> pc-bios
>>>>>>>>>>>>>>> -nographic -vga qxl -spice port=5930,disable-ticketing
>>>>>>>>>>>>>>> -usbdevice tablet
>>>>>>>>>>>>>>> -enable-kvm -m 512
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>>>>>>> red_worker_main: begin
>>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>>>>>>> qemu-system-x86_64: -device
>>>>>>>>>>>>>>> ccid-card-passthru,chardev=ccid:
>>>>>>>>>>>>>>> Parameter
>>>>>>>>>>>>>>> 'driver' expects a driver name
>>>>>>>>>>>>>>> Try with argument '?' for a list.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Am i starting the vm the right way or am i missing
>>>>>>>>>>>>>>> something?
>>>>>>>>>>>>>> You are doing the right steps with the wrong qemu. To be
>>>>>>>>>>>>>> explicit: qemu hasn't
>>>>>>>>>>>>>> accepted the patches for the smartcard devices yet, so I
>>>>>>>>>>>>>> don't
>>>>>>>>>>>>>> know where you
>>>>>>>>>>>>>> got the qemu executable but unless you built it by hand
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> applied the patches
>>>>>>>>>>>>>> on the list, or easier used the pull url I provide in the
>>>>>>>>>>>>>> patches I sent (like v20
>>>>>>>>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you
>>>>>>>>>>>>>> won't have them.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Alon
>>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry for the priv mail :(
>>>>>>>>>>>>> i can start the vm now with the usb_ccid.v19 git 20 gives
>>>>>>>>>>>>> me
>>>>>>>>>>>>> compile errors
>>>>>>>>>>>>>
>>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>>>>>> usb-ccid
>>>>>>>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97
>>>>>>>>>>>>> -L
>>>>>>>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing
>>>>>>>>>>>>> -usbdevice
>>>>>>>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net
>>>>>>>>>>>>> user
>>>>>>>>>>>>> do_spice_init: starting 0.7.3
>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>>>>>> red_worker_main: begin
>>>>>>>>>>>>> handle_dev_input: start
>>>>>>>>>>>>>
>>>>>>>>>>>>> I also installed spice 0.7.3
>>>>>>>>>>>>>
>>>>>>>>>>>>> When starting the spicec client i can connect but how can i
>>>>>>>>>>>>> share
>>>>>>>>>>>>> say a local device now through spicec to the guest?
>>>>>>>>>>>>> On the local client i can run pcsc_scan and it returns my
>>>>>>>>>>>>> reader
>>>>>>>>>>>>> and
>>>>>>>>>>>>> detects my card, would that also be possible on the guest?
>>>>>>>>>>>>>
>>>>>>>>>>>> about v20 if you can run make V=1 and post the output?
>>>>>>>>>>> Nah forget this
>>>>>>>>>>> i did not switch to v20 that was the problem.
>>>>>>>>>> I still don't understand, but it would be nice if you could do
>>>>>>>>>> your
>>>>>>>>>> tests with the last version, v20, even if the changes are just
>>>>>>>>>> cosmetic.
>>>>>>>>>>
>>>>>>>>>>>> about the rest, yes, the guest should show the card too
>>>>>>>>>>>> using
>>>>>>>>>>>> pcsc_scan.
>>>>>>>>>>>>
>>>>>>>>>>>> you shouldn't need to be root on the client, but possibly it
>>>>>>>>>>>> will
>>>>>>>>>>>> work then -
>>>>>>>>>>>> could you try that? in that case I don't remember exactly
>>>>>>>>>>>> what
>>>>>>>>>>>> the solution was :(
>>>>>>>>>>>> but there is one!
>>>>>>>>>>> ok here is what i see now
>>>>>>>>>>>
>>>>>>>>>>> - on my local system i have:
>>>>>>>>>>> #lsusb
>>>>>>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc.
>>>>>>>>>>> SCR35xx
>>>>>>>>>>> Smart Card Reader
>>>>>>>>>>> #pcsc_scan
>>>>>>>>>>> PC/SC device scanner
>>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic
>>>>>>>>>>> Rousseau<ludovic.rousseau at free.fr>
>>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>>>>>> Scanning present readers...
>>>>>>>>>>> 0: SCM SCR 355 00 00
>>>>>>>>>>>
>>>>>>>>>>> Thu Feb 24 17:36:04 2011
>>>>>>>>>>>     Reader 0: SCM SCR 355 00 00
>>>>>>>>>>>      Card state: Card inserted,
>>>>>>>>>>>      ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>>>>>>>>
>>>>>>>>>>> - Now when i start qemu like the following
>>>>>>>>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev
>>>>>>>>>>> socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>>>>>>>>>> usb-ccid
>>>>>>>>>>> -device ccid-card-passthru,chardev=ccid -drive
>>>>>>>>>>> file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L
>>>>>>>>>>> pc-bios -nographic -spice port=5930,disable-ticketing
>>>>>>>>>>> -usbdevice
>>>>>>>>>>> tablet -enable-kvm -m 512 -device
>>>>>>>>>>> virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>>>>>>
>>>>>>>>>>> - i see this in my vm after starting spicec with the
>>>>>>>>>>> following
>>>>>>>>>>> options
>>>>>>>>>>> #spicec -h localhost -p 5930
>>>>>>>>>>> #lsusb
>>>>>>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>>>>>>>>> #pcsc_scan
>>>>>>>>>>> PC/SC device scanner
>>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic
>>>>>>>>>>> Rousseau<ludovic.rousseau at free.fr>
>>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>>>>>>>> Scanning present readers...
>>>>>>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>>>>>
>>>>>>>>>>> Thu Feb 24 17:42:05 2011
>>>>>>>>>>>     Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>>>>>>>      Card state: Card removed,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> After removing the device from my local machine and starting
>>>>>>>>>>> the vm
>>>>>>>>>>> again with the above options it still shows me the gemplus
>>>>>>>>>>> smartcard
>>>>>>>>>>> reader
>>>>>>>>>>>
>>>>>>>>>>> Any hints from here?
>>>>>>>>>>>
>>>>>>>>>> Yes. It looks like the guest sees the ccid device (that's the
>>>>>>>>>> Gemplus,
>>>>>>>>>> you can see it's qemu if you do lsusb), but no card. The
>>>>>>>>>> reason for
>>>>>>>>>> the
>>>>>>>>>> latter is that spicec didn't see any card. That's why I
>>>>>>>>>> suggested
>>>>>>>>>> trying to
>>>>>>>>>> run spicec as root - the bottom line is that you need to make
>>>>>>>>>> sure NSS
>>>>>>>>>> can see the device as a regular user. I'll try to supply
>>>>>>>>>> better
>>>>>>>>>> instructions
>>>>>>>>>> later.
>>>>>>>>> Well i managed to get something working but i'm not sure if
>>>>>>>>> that's
>>>>>>>>> the way to go.
>>>>>>>>>
>>>>>>>>> When i start the vm with the ccid passthrough i receive a
>>>>>>>>> device
>>>>>>>>> gemplus.
>>>>>>>>>
>>>>>>>>> When starting spicec with --smartcard after adding the aet
>>>>>>>> oops, forgot you needed that.
>>>>>>>>
>>>>>>>>> middleware libs to the nss database with the following command:
>>>>>>>>> modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile
>>>>>>>>> /usr/lib/libaetpkss.so.3.0
>>>>>>>>> then start spicec with --smartcard my reader begins blinking so
>>>>>>>>> something is read from the token but then in the vm i got
>>>>>>>>> nothing
>>>>>>>>> when using pcsc_scan perhaps it has to do something with the
>>>>>>>>> following error on the start of spicec: Warning: VSC Error:
>>>>>>>>> reader
>>>>>>>>> -1, code 32684
>>>>>>>>>
>>>>>>>> So using "spicec --smartcard" (spicec for short) you can't do
>>>>>>>> pcsc_scan
>>>>>>>> and see a card in the vm?
>>>>>>>>
>>>>>>>>> Anyway i also got the idea that using the vscclient would be
>>>>>>>>> possible so i gave that a try
>>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>>>>> it takes some time but then i can do list and it shows me that
>>>>>>>>> my
>>>>>>>>> smartcard is active and has a card in it
>>>>>>>>> but in the vm nogo
>>>>>>>>>
>>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>>>>>>>>> list
>>>>>>>>> Active Readers:
>>>>>>>>>      0 CARD_PRESENT SCM SCR 355 00 00
>>>>>>>>>      0 UNAVAILABLE 1
>>>>>>>>>      0 UNAVAILABLE 2
>>>>>>>>>      0 UNAVAILABLE 3
>>>>>>>>>      0 UNAVAILABLE 4
>>>>>>>>> Inactive Readers:
>>>>>>>>>> debug 1
>>>>>>>>> debug level = 1
>>>>>>>>>> Header: type=7, reader_id=0 length=5 (0x5)
>>>>>>>>>     recv APDU: 00 CA DF 30 05
>>>>>>>>>     send response: 69 00
>>>>>>>>> Header: type=7, reader_id=0 length=10 (0xa)
>>>>>>>>>     recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>>>>>>>>     send response: 6A 82
>>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>>>>>     recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>>>>>     send response: 6A 82
>>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
>>>>>>>>>     recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>>>>>>>>     send response: 6A 82
>>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>>>>>     recv APDU: 00 A4 08 00 02 2F 00
>>>>>>>>>     send response: 6A 81
>>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>>>>>     recv APDU: 00 A4 08 00 02 50 15
>>>>>>>>>     send response: 6A 81
>>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
>>>>>>>>>     recv APDU: 00 A4 08 00 02 50 15
>>>>>>>>>     send response: 6A 81
>>>>>>>>>
>>>>>>>>> so it kinda works except that it does not see the right card it
>>>>>>>>> also
>>>>>>>>> shows me the wrong atr.
>>>>>>>> The ATR isn't wrong, it's just not the card's ATR. The
>>>>>>>> architecture
>>>>>>>> is like this:
>>>>>>>>
>>>>>>>> real card - real reader - pcscd - spicec (via nss) - simulated
>>>>>>>> card<-protocol->
>>>>>>>>     emulated ccid device - |(in vm) pcscd - pcsc_scan (or any
>>>>>>>>     other
>>>>>>>> client)
>>>>>>>>
>>>>>>>> When using vscclient it's exactly the same, difference is just
>>>>>>>> that
>>>>>>>> it goes via a TCP socket directly instead of in a spice channel.
>>>>>>>>
>>>>>>>> So the ATR you see in the vm is by the simulated card
>>>>>>>> (libcacard).
>>>>>>>>
>>>>>>>> But you should definitely see a card with spicec as well.
>>>>>>>>
>>>>>>>>> I also need the middleware library in the vm else it does not
>>>>>>>>> work
>>>>>>>>> at all.
>>>>>>>>>
>>>>>>>>> Any ideas?
>>>>>>>> Nothing really. I'll try to take a look at the APDU's later (I'm
>>>>>>>> not
>>>>>>>> really an expert on them) - can you try using the certificates
>>>>>>>> backed
>>>>>>>> card just to make sure everything except the hardware is working
>>>>>>>> correctly? (i.e. vm stack is fine, spicec version and
>>>>>>>> libspiceserver
>>>>>>>> and qemu versions work fine). The instructions are in qemu
>>>>>>>> doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/
>>>>>>>> is
>>>>>>>> the patch with the file).
>>>>>>>>
>>>>>>> I'm not getting any further.
>>>>>>>
>>>>>>> I will explain below the steps i took to get things (almost:)
>>>>>>> running
>>>>>>>
>>>>>>> Download all deps:
>>>>>>> git clone git://anongit.freedesktop.org/~alon/qemu
>>>>>>>    git checkout -b usb_ccid.v20 origin/usb_ccid.v20
>>>>>>> wget
>>>>>>> http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz 
>>>>>>>
>>>>>>>
>>>>>>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
>>>>>>> wget
>>>>>>> http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2 
>>>>>>>
>>>>>>>
>>>>>>> install libcacard
>>>>>>> install spice protocol
>>>>>>> install spice client and server with the configure option
>>>>>>> --enable-smartcard
>>>>>>> install qemu with configure option --enable-smartcard
>>>>>>> --enable-spice
>>>>>>>
>>>>>>> import certificates into nss database
>>>>>>> mkdir -p /etc/pki/nssdb
>>>>>>> certutil -N -d /etc/pki/nssdb
>>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n
>>>>>>> cert1
>>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n
>>>>>>> cert2
>>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n
>>>>>>> cert3
>>>>>>>
>>>>>>> certutil -L -d /etc/pki/nssdb
>>>>>>> cert3 CTu,Cu,Cu
>>>>>>> cert1 CTu,Cu,Cu
>>>>>>> cert2 CTu,Cu,Cu
>>>>>>>
>>>>>>> start vm with the following options
>>>>>>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device
>>>>>>> usb-ccid -device
>>>>>>> ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3 
>>>>>>>
>>>>>>>
>>>>>>> start spicec -h localhost -p 5930
>>>>>>> after boot i have gemplus ccid reader and pcsc_scan tells me that
>>>>>>> i
>>>>>>> have a reader
>>>>>>>
>>>>>>> But how can i show the certificates cert1,2,3 in the vm with
>>>>>>> certutil?
>>>>>> You need to start certutil with a database which points to the
>>>>>> smart card.
>>>>>> If you install libcoolkey, I believe /etc/pki/nssdb should already
>>>>>> be
>>>>>> set up...
>>>>>>
>>>>>> Here's what mine looks like:
>>>>>>
>>>>>> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
>>>>>>
>>>>>> Listing of PKCS #11 Modules
>>>>>> -----------------------------------------------------------
>>>>>>     1. NSS Internal Crypto Services
>>>>>>        slots: 3 slots attached
>>>>>>       status: loaded
>>>>>>
>>>>>>        slot: NSS Internal Cryptographic Services
>>>>>>       token: NSS Generic Crypto Services
>>>>>>
>>>>>>        slot: NSS User Private Key and Certificate Services
>>>>>>       token: NSS Certificate DB
>>>>>>
>>>>>>        slot: NSS Application Slot 00000004
>>>>>>       token: NSS user database
>>>>>>
>>>>>>     2. CoolKey PKCS #11 Module
>>>>>>       library name: libcoolkeypk11.so
>>>>>>        slots: 1 slot attached
>>>>>>       status: loaded
>>>>>>
>>>>>>        slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
>>>>>>       token:
>>>>>>
>>>>>>     3. Built-ins
>>>>>>       library name: /usr/lib64/__libnssckbi.so
>>>>>>        slots: There are no slots attached to this module
>>>>>>       status: Not loaded
>>>>>> -----------------------------------------------------------
>>>>>> bobs-laptop(52)
>>>>>>
>>>>>> The important one here is #2 ("Coolkey PKCS #11 Module").
>>>>>>
>>>>>> Once you have that you should be able to run
>>>>>>
>>>>>> certutil -L -h all -d sql:/etc/pki/nssdb
>>>>>>
>>>>>> to list all the certs on your card.
>>>>>>
>>>>>> bob
>>>>> Ok i have that in my local system where i use the aet middleware.
>>>>> Then doing the certutil -L -d sql:/etc/pki/nssdb -h all i get the
>>>>> certificates after entering the pin.
>>>>>
>>>>> But how are those visible within the vm with the virtual smartcard
>>>>> reader? When i use the same middleware library it tells me that i
>>>>> have the wrong smartcard. So i guess i need something like the
>>>>> coolkey or aet in the vm but then for the virtual smartcard?
>>>>>
>>>>> With kind regards
>>>>>
>>>>> William
>>>>>
>>>> some more info
>>>>
>>>> On my laptop my list looks like:
>>>> Listing of PKCS #11 Modules
>>>> -----------------------------------------------------------
>>>>    1. NSS Internal PKCS #11 Module
>>>>       slots: 2 slots attached
>>>>      status: loaded
>>>>
>>>>       slot: NSS Internal Cryptographic Services
>>>>      token: NSS Generic Crypto Services
>>>>
>>>>       slot: NSS User Private Key and Certificate Services
>>>>      token: NSS Certificate DB
>>>>
>>>>    2. Root Certs
>>>>      library name: /etc/pki/nssdb/libnssckbi.so
>>>>       slots: 1 slot attached
>>>>      status: loaded
>>>>
>>>>       slot: NSS Builtin Objects
>>>>      token: Builtin Object Token
>>>>
>>>>    3. Aet1
>>>>      library name: /usr/lib/libaetpkss.so.3.0
>>>>       slots: 5 slots attached
>>>>      status: loaded
>>>>
>>>>       slot: SCM SCR 355 00 00
>>>>      token: smartcard
>>>>
>>>>       slot: UNAVAILABLE 1
>>>>      token:
>>>>
>>>>       slot: UNAVAILABLE 2
>>>>      token:
>>>>
>>>>       slot: UNAVAILABLE 3
>>>>      token:
>>>>
>>>>       slot: UNAVAILABLE 4
>>>>      token:
>>>> -----------------------------------------------------------
>>>>
>>>>
>>>> on the vm i only have 1 and 2 like above and number 3 i can add but
>>>> then it says token not recognized.
>>>>
>>>> But when i try Alon his option to create the 3 certs manually and
>>>> use
>>>> those when starting the vm i also can't show them?
>>>> so do i need to add like libcacard.so as a middleware lib or
>>>> something
>>>> in the vm?
>>>>
>>> Ok finally it works :)
>>>
>> m'glad.
>>
>>> i had to install the coolkey (thanks Robert) libs and add those to the
>>> nss database.
>>> i was looking for something like that, I just did not understand that
>>> I
>>> had to install the coolkey in the vm.
>>>
>>> so for my understanding the libcacard virtual smartcard is based on
>>> coolkey?
>>>
>> There is no library dependency, libcacard is linked to nss only (and
>> that's also something that will be made optional if we make a windows
>> scard backend for instance, or a testing backend).
>>
>>> So now i have that working with vscclient and not with spicec.
>>> Spicec uses the /etc/pki/nssdb file and my smartcard starts to blink
>>> but
>>> it cannot use the smartcard in the vm.
>>> pcsc_scan also tells me that it has no smartcard.
>>>
>> Did you try spicec with certificates? did that work? it sounds like
>> just different db being used by spicec - it's basically the exact
>> same codepath as vscclient (different code, so bug possible/expected
>> of course, but it worked for me ;)
> Well i have tried spicec to start with the certificates cert1 cert2 
> and 3 like starting qemu but that's not working
> can you give me an example how to do that (create the certs and how to 
> pass them using spicec)?
>
>
> not getting it entirely :)
> vscclient -d 1 127.0.0.1 -e "use_hw=yes" 2001
> only works when using the libaetpkss.so driver in the nssdb
>
> when i start vscclient use_hw=no it does not work and it also does not 
> work when using use_hw=yes and i removed the library from the nssdb. 
> So it seems to really use the aet middleware and the nssdb.
>
> spicec --smartcard reads my smartcard so i guess that should also work 
> but something is going wrong when passing that to the spiced vm (does 
> the spice-0.7.3 package from the website contain the necessary patches?)
>
> Do i need to start qemu with a different device when using spicec 
> --smartcard?

Answering myself :)

-chardev spicevmc,server,host=127.0.0.1,name=smartcard,id=ccid  -device 
usb-ccid -device ccid-card-passthru,chardev=ccid -usb
Not sure if that's completely right, but it works.

Going to bed now; will celebrate tomorrow and write some documentation :)


>
> With kind regards
>
> William
>
>
>
>
>>> This is when starting the vm with:
>>> -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device
>>> usb-ccid -device ccid-card-passthru,chardev=ccid -usb
>>>
>>> This works with vscclient but spicec just gives an error and no
>>> smartcard.
>>>
>>> 1299000951 INFO [8657:8679]
>>> SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>>> 1299000951 INFO [8657:8657] SmartCardChannel::add_unallocated_reader:
>>> adding unallocated reader 0x914c510
>>> 1299000951 INFO [8657:8679]
>>> SmartCardChannel::cac_card_events_thread_main: VEVENT_CARD_INSERT
>>> 1299000951 INFO [8657:8679]
>>> SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>>> 1299000951 INFO [8657:8679]
>>> SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>>> 1299000951 INFO [8657:8679]
>>> SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>>> 1299000951 INFO [8657:8679]
>>> SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
>>> 1299000951 WARN [8657:8657]
>>> SmartCardChannel::handle_reader_add_response: VSC Error: reader -1,
>>> code
>>> 32511
>>>
>>>
>>>> With kind regards
>>>>
>>>> William
>>>>>
>>>>>>>>> With kind regards
>>>>>>>>>
>>>>>>>>> William
>>>>>>>>>>> With kind regards
>>>>>>>>>>>
>>>>>>>>>>> William van de Velde
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>>> With kind regards
>>>>>>>>>>>>>
>>>>>>>>>>>>> William
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>> With kind regards
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> William
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>> Spice-devel mailing list
>>>>>>>>>>>>>>> Spice-devel at lists.freedesktop.org
>>>>>>>>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
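
The vscclient "debug 1" trace quoted in the thread can be decoded to see what the guest-side software was asking the emulated card for. This is an added example, not code from the thread or from libcacard; the instruction, status-word and identifier meanings come from ISO/IEC 7816-4, NIST SP 800-73 and PKCS#15, and the function names are made up for illustration.

```python
import re

# Meanings from ISO/IEC 7816-4 (INS, P1, status words), NIST SP 800-73 (PIV AID)
# and PKCS#15 (2F00 / 5015 file identifiers).
STATUS = {0x9000: "success", 0x6900: "command not allowed",
          0x6A81: "function not supported", 0x6A82: "file or application not found"}
INS = {0xA4: "SELECT", 0xCA: "GET DATA"}
SELECT_P1 = {0x04: "by AID", 0x08: "by path"}
TARGETS = {"A00000030800001000": "PIV application",
           "2F00": "EF.DIR", "5015": "PKCS#15 directory"}

# recv/send lines copied from the trace quoted in the thread (Header lines omitted).
TRACE = """\
    recv APDU: 00 CA DF 30 05
    send response: 69 00
    recv APDU: 00 A4 04 00 05 A0 00 00 00 01
    send response: 6A 82
    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
    send response: 6A 82
    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
    send response: 6A 82
    recv APDU: 00 A4 08 00 02 2F 00
    send response: 6A 81
    recv APDU: 00 A4 08 00 02 50 15
    send response: 6A 81
    recv APDU: 00 A4 08 00 02 50 15
    send response: 6A 81
"""

def parse_apdu(raw):
    """Split a short (non-extended) command APDU into header, data and Le."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                      # case 2: header + Le
        le = body[0]
    elif body:                              # case 3/4: Lc + data [+ Le]
        lc = body[0]
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("length byte does not match APDU size")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def decode_trace(text):
    """Pair each 'recv APDU' with the next 'send response' and decode both."""
    out, pending = [], None
    for line in text.splitlines():
        line = line.lstrip("> \t")          # tolerate mail quote markers
        m = re.match(r"(recv APDU|send response):\s*((?:[0-9A-Fa-f]{2}\s*)+)$", line)
        if not m:
            continue
        raw = bytes.fromhex(m.group(2))
        if m.group(1) == "recv APDU":
            pending = parse_apdu(raw)
        elif pending is not None and len(raw) >= 2:
            sw = int.from_bytes(raw[-2:], "big")   # status word is the last 2 bytes
            name = INS.get(pending["ins"], "INS %02X" % pending["ins"])
            if pending["ins"] == 0xA4:
                name += " " + SELECT_P1.get(pending["p1"], "P1=%02X" % pending["p1"])
            hexdata = pending["data"].hex().upper()
            out.append({"command": name, "data": hexdata,
                        "target": TARGETS.get(hexdata, "unknown"),
                        "sw": "%04X" % sw,
                        "meaning": STATUS.get(sw, "unknown status")})
            pending = None
    return out

if __name__ == "__main__":
    for r in decode_trace(TRACE):
        print("%-15s %-20s %-18s %s %s" % (
            r["command"], r["data"], r["target"], r["sw"], r["meaning"]))
```

Every probe in this trace is rejected: the emulated card answers none of the PIV or PKCS#15 selections with success.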


