[Spice-devel] smartcard usage

Alon Levy alevy at redhat.com
Tue Mar 1 23:10:41 PST 2011



----- Original Message -----
> On 03/01/2011 09:30 PM, william wrote:
> > On 03/01/2011 07:21 PM, Alon Levy wrote:
> >>> On 03/01/2011 10:00 AM, william wrote:
> >>>> On 03/01/2011 08:13 AM, william wrote:
> >>>>> On 03/01/2011 12:23 AM, Robert Relyea wrote:
> >>>>>> On 02/28/2011 08:34 AM, william wrote:
> >>>>>>> On 02/26/2011 08:49 PM, Alon Levy wrote:
> >>>>>>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
> >>>>>>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
> >>>>>>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
> >>>>>>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
> >>>>>>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
> >>>>>>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
> >>>>>>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100,
> >>>>>>>>>>>>>> kc at cobradevil.org
> >>>>>>>>>>>>>> wrote:
> >>>>>>>>>>>>>>> Dear list,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I have tried to get smartcard support running but I'm a bit lost :)
> >>>>>>>>>>>>>>> Probably because it's not finished yet.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> We have smartcards with certificates like US DoD and I would like to use
> >>>>>>>>>>>>>>> those from a client on a remote server for authentication and such.
> >>>>>>>>>>>>>>> I have followed the build instructions:
> >>>>>>>>>>>>>>> http://spice-space.org/page/Building_Instructions on an Ubuntu system and
> >>>>>>>>>>>>>>> have managed to get those compiled.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> But when I try to start a VM with smartcard passthrough it asks me to give
> >>>>>>>>>>>>>>> a driver name?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 \
> >>>>>>>>>>>>>>>   -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
> >>>>>>>>>>>>>>>   -device ccid-card-passthru,chardev=ccid \
> >>>>>>>>>>>>>>>   -drive file=/var/lib/libvirt/images/test.img,if=ide \
> >>>>>>>>>>>>>>>   -soundhw ac97 -L pc-bios -nographic -vga qxl \
> >>>>>>>>>>>>>>>   -spice port=5930,disable-ticketing -usbdevice tablet \
> >>>>>>>>>>>>>>>   -enable-kvm -m 512
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> do_spice_init: starting 0.6.3
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
> >>>>>>>>>>>>>>> red_worker_main: begin
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
> >>>>>>>>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid: Parameter
> >>>>>>>>>>>>>>> 'driver' expects a driver name
> >>>>>>>>>>>>>>> Try with argument '?' for a list.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Am I starting the VM the right way or am I missing something?
> >>>>>>>>>>>>>> You are doing the right steps with the wrong qemu. To be explicit: qemu hasn't
> >>>>>>>>>>>>>> accepted the patches for the smartcard devices yet, so I don't know where you
> >>>>>>>>>>>>>> got the qemu executable, but unless you built it by hand and applied the patches
> >>>>>>>>>>>>>> on the list, or, easier, used the pull URL I provide in the patches I sent (like v20
> >>>>>>>>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you won't have them.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Alon
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> Sorry for the priv mail :(
> >>>>>>>>>>>>> I can start the VM now with the usb_ccid.v19 git; v20 gives me
> >>>>>>>>>>>>> compile errors.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 \
> >>>>>>>>>>>>>   -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
> >>>>>>>>>>>>>   -device usb-ccid \
> >>>>>>>>>>>>>   -device ccid-card-passthru,chardev=ccid \
> >>>>>>>>>>>>>   -drive file=/var/lib/libvirt/images/test.img,if=ide \
> >>>>>>>>>>>>>   -soundhw ac97 -L pc-bios -nographic \
> >>>>>>>>>>>>>   -spice port=5930,disable-ticketing -usbdevice tablet \
> >>>>>>>>>>>>>   -enable-kvm -m 512 \
> >>>>>>>>>>>>>   -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
> >>>>>>>>>>>>> do_spice_init: starting 0.7.3
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
> >>>>>>>>>>>>> red_worker_main: begin
> >>>>>>>>>>>>> handle_dev_input: start
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I also installed spice 0.7.3
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> When starting the spicec client I can connect, but how can I share
> >>>>>>>>>>>>> say a local device now through spicec to the guest?
> >>>>>>>>>>>>> On the local client I can run pcsc_scan and it returns my reader and
> >>>>>>>>>>>>> detects my card; would that also be possible on the guest?
> >>>>>>>>>>>>>
> >>>>>>>>>>>> about v20 if you can run make V=1 and post the output?
> >>>>>>>>>>> Nah forget this
> >>>>>>>>>>> i did not switch to v20 that was the problem.
> >>>>>>>>>> I still don't understand, but it would be nice if you could do your
> >>>>>>>>>> tests with the last version, v20, even if the changes are just cosmetic.
> >>>>>>>>>>
> >>>>>>>>>>>> about the rest, yes, the guest should show the card too using pcsc_scan.
> >>>>>>>>>>>>
> >>>>>>>>>>>> you shouldn't need to be root on the client, but possibly it will work then -
> >>>>>>>>>>>> could you try that? in that case I don't remember exactly what the solution was :(
> >>>>>>>>>>>> but there is one!
> >>>>>>>>>>> ok here is what I see now
> >>>>>>>>>>>
> >>>>>>>>>>> - on my local system I have:
> >>>>>>>>>>> #lsusb
> >>>>>>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader
> >>>>>>>>>>> #pcsc_scan
> >>>>>>>>>>> PC/SC device scanner
> >>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau at free.fr>
> >>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
> >>>>>>>>>>> Scanning present readers...
> >>>>>>>>>>> 0: SCM SCR 355 00 00
> >>>>>>>>>>>
> >>>>>>>>>>> Thu Feb 24 17:36:04 2011
> >>>>>>>>>>>     Reader 0: SCM SCR 355 00 00
> >>>>>>>>>>>      Card state: Card inserted,
> >>>>>>>>>>>      ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
> >>>>>>>>>>>
> >>>>>>>>>>> - Now when I start qemu like the following
> >>>>>>>>>>> #./x86_64-softmmu/qemu-system-x86_64 \
> >>>>>>>>>>>   -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait \
> >>>>>>>>>>>   -device usb-ccid \
> >>>>>>>>>>>   -device ccid-card-passthru,chardev=ccid \
> >>>>>>>>>>>   -drive file=/var/lib/libvirt/images/test.img,if=ide \
> >>>>>>>>>>>   -soundhw ac97 -L pc-bios -nographic \
> >>>>>>>>>>>   -spice port=5930,disable-ticketing -usbdevice tablet \
> >>>>>>>>>>>   -enable-kvm -m 512 \
> >>>>>>>>>>>   -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
> >>>>>>>>>>>
> >>>>>>>>>>> - I see this in my VM after starting spicec with the following options
> >>>>>>>>>>> #spicec -h localhost -p 5930
> >>>>>>>>>>> #lsusb
> >>>>>>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
> >>>>>>>>>>> #pcsc_scan
> >>>>>>>>>>> PC/SC device scanner
> >>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau at free.fr>
> >>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
> >>>>>>>>>>> Scanning present readers...
> >>>>>>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
> >>>>>>>>>>>
> >>>>>>>>>>> Thu Feb 24 17:42:05 2011
> >>>>>>>>>>>     Reader 0: Gemplus GemPC4433 SL (1) 00 00
> >>>>>>>>>>>      Card state: Card removed,
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> After removing the device from my local machine and starting the VM
> >>>>>>>>>>> again with the above options it still shows me the Gemplus smartcard reader.
> >>>>>>>>>>>
> >>>>>>>>>>> Any hints from here?
> >>>>>>>>>>>
> >>>>>>>>>> Yes. It looks like the guest sees the ccid device (that's the Gemplus,
> >>>>>>>>>> you can see it's qemu if you do lsusb), but no card. The reason for the
> >>>>>>>>>> latter is that spicec didn't see any card. That's why I suggested trying to
> >>>>>>>>>> run spicec as root - the bottom line is that you need to make sure NSS
> >>>>>>>>>> can see the device as a regular user. I'll try to supply better instructions
> >>>>>>>>>> later.
> >>>>>>>>> Well I managed to get something working but I'm not sure if that's
> >>>>>>>>> the way to go.
> >>>>>>>>>
> >>>>>>>>> When I start the VM with the ccid passthrough I receive a device
> >>>>>>>>> gemplus.
> >>>>>>>>>
> >>>>>>>>> When starting spicec with --smartcard after adding the aet
> >>>>>>>> oops, forgot you needed that.
> >>>>>>>>
> >>>>>>>>> middleware libs to the nss database with the following command:
> >>>>>>>>> modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile /usr/lib/libaetpkss.so.3.0
> >>>>>>>>> then start spicec with --smartcard; my reader begins blinking so
> >>>>>>>>> something is read from the token, but then in the VM I got nothing
> >>>>>>>>> when using pcsc_scan. Perhaps it has to do something with the
> >>>>>>>>> following error on the start of spicec: Warning: VSC Error: reader
> >>>>>>>>> -1, code 32684
> >>>>>>>>>
> >>>>>>>> So using "spicec --smartcard" (spicec for short) you can't do pcsc_scan
> >>>>>>>> and see a card in the VM?
> >>>>>>>>
> >>>>>>>>> Anyway I also got the idea that using the vscclient would be
> >>>>>>>>> possible so I gave that a try
> >>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
> >>>>>>>>> It takes some time but then I can do list and it shows me that my
> >>>>>>>>> smartcard is active and has a card in it, but in the VM no go.
> >>>>>>>>>
> >>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
> >>>>>>>>> > list
> >>>>>>>>> Active Readers:
> >>>>>>>>>      0 CARD_PRESENT SCM SCR 355 00 00
> >>>>>>>>>      0 UNAVAILABLE 1
> >>>>>>>>>      0 UNAVAILABLE 2
> >>>>>>>>>      0 UNAVAILABLE 3
> >>>>>>>>>      0 UNAVAILABLE 4
> >>>>>>>>> Inactive Readers:
> >>>>>>>>> > debug 1
> >>>>>>>>> debug level = 1
> >>>>>>>>> Header: type=7, reader_id=0 length=5 (0x5)
> >>>>>>>>>     recv APDU: 00 CA DF 30 05
> >>>>>>>>>     send response: 69 00
> >>>>>>>>> Header: type=7, reader_id=0 length=10 (0xa)
> >>>>>>>>>     recv APDU: 00 A4 04 00 05 A0 00 00 00 01
> >>>>>>>>>     send response: 6A 82
> >>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
> >>>>>>>>>     recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
> >>>>>>>>>     send response: 6A 82
> >>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
> >>>>>>>>>     recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
> >>>>>>>>>     send response: 6A 82
> >>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
> >>>>>>>>>     recv APDU: 00 A4 08 00 02 2F 00
> >>>>>>>>>     send response: 6A 81
> >>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
> >>>>>>>>>     recv APDU: 00 A4 08 00 02 50 15
> >>>>>>>>>     send response: 6A 81
> >>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
> >>>>>>>>>     recv APDU: 00 A4 08 00 02 50 15
> >>>>>>>>>     send response: 6A 81
> >>>>>>>>>
> >>>>>>>>> so it kinda works except that it does not see the right card, it
> >>>>>>>>> also shows me the wrong ATR.
> >>>>>>>> The ATR isn't wrong, it's just not the card's ATR. The architecture
> >>>>>>>> is like this:
> >>>>>>>>
> >>>>>>>> real card - real reader - pcscd - spicec (via nss) - simulated card <-protocol->
> >>>>>>>>     emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other client)
> >>>>>>>>
> >>>>>>>> When using vscclient it's exactly the same, difference is just that
> >>>>>>>> it goes via a TCP socket directly instead of in a spice channel.
> >>>>>>>>
> >>>>>>>> So the ATR you see in the VM is by the simulated card (libcacard).
> >>>>>>>>
> >>>>>>>> But you should definitely see a card with spicec as well.
> >>>>>>>>
> >>>>>>>>> I also need the middleware library in the VM else it does not work
> >>>>>>>>> at all.
> >>>>>>>>>
> >>>>>>>>> Any ideas?
> >>>>>>>> Nothing really. I'll try to take a look at the APDUs later (I'm not
> >>>>>>>> really an expert on them) - can you try using the certificates backed
> >>>>>>>> card just to make sure everything except the hardware is working
> >>>>>>>> correctly? (i.e. VM stack is fine, spicec version and libspiceserver
> >>>>>>>> and qemu versions work fine). The instructions are in qemu
> >>>>>>>> doc/ccid.txt I think.
> >>>>>>>> (http://patchwork.ozlabs.org/patch/84129/ is the patch with the file).
> >>>>>>>>
> >>>>>>> I'm not getting any further.
> >>>>>>>
> >>>>>>> I will explain below the steps I took to get things (almost:) running
> >>>>>>>
> >>>>>>> Download all deps:
> >>>>>>> git clone git://anongit.freedesktop.org/~alon/qemu
> >>>>>>>    git checkout -b usb_ccid.v20 origin/usb_ccid.v20
> >>>>>>> wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
> >>>>>>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
> >>>>>>> wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
> >>>>>>>
> >>>>>>> install libcacard
> >>>>>>> install spice protocol
> >>>>>>> install spice client and server with the configure option --enable-smartcard
> >>>>>>> install qemu with configure options --enable-smartcard --enable-spice
> >>>>>>>
> >>>>>>> import certificates into nss database
> >>>>>>> mkdir -p /etc/pki/nssdb
> >>>>>>> certutil -N -d /etc/pki/nssdb
> >>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
> >>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
> >>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
> >>>>>>>
> >>>>>>> certutil -L -d /etc/pki/nssdb
> >>>>>>> cert3 CTu,Cu,Cu
> >>>>>>> cert1 CTu,Cu,Cu
> >>>>>>> cert2 CTu,Cu,Cu
> >>>>>>>
> >>>>>>> start VM with the following options
> >>>>>>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device usb-ccid \
> >>>>>>> -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
> >>>>>>>
> >>>>>>> start spicec -h localhost -p 5930
> >>>>>>> after boot I have a Gemplus ccid reader and pcsc_scan tells me that I
> >>>>>>> have a reader
> >>>>>>>
> >>>>>>> But how can I show the certificates cert1,2,3 in the VM with certutil?
> >>>>>> You need to start certutil with a database which points to the
> >>>>>> smart card.
> >>>>>> If you install libcoolkey, I believe /etc/pki/nssdb should already
> >>>>>> be set up...
> >>>>>>
> >>>>>> Here's what mine looks like:
> >>>>>>
> >>>>>> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
> >>>>>>
> >>>>>> Listing of PKCS #11 Modules
> >>>>>> -----------------------------------------------------------
> >>>>>>     1. NSS Internal Crypto Services
> >>>>>>        slots: 3 slots attached
> >>>>>>       status: loaded
> >>>>>>
> >>>>>>        slot: NSS Internal Cryptographic Services
> >>>>>>       token: NSS Generic Crypto Services
> >>>>>>
> >>>>>>        slot: NSS User Private Key and Certificate Services
> >>>>>>       token: NSS Certificate DB
> >>>>>>
> >>>>>>        slot: NSS Application Slot 00000004
> >>>>>>       token: NSS user database
> >>>>>>
> >>>>>>     2. CoolKey PKCS #11 Module
> >>>>>>       library name: libcoolkeypk11.so
> >>>>>>        slots: 1 slot attached
> >>>>>>       status: loaded
> >>>>>>
> >>>>>>        slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
> >>>>>>       token:
> >>>>>>
> >>>>>>     3. Built-ins
> >>>>>>       library name: /usr/lib64/__libnssckbi.so
> >>>>>>        slots: There are no slots attached to this module
> >>>>>>       status: Not loaded
> >>>>>> -----------------------------------------------------------
> >>>>>> bobs-laptop(52)
> >>>>>>
> >>>>>> The important one here is #2 ("Coolkey PKCS #11 Module").
> >>>>>>
> >>>>>> Once you have that you should be able to run
> >>>>>>
> >>>>>> certutil -L -h all -d sql:/etc/pki/nssdb
> >>>>>>
> >>>>>> to list all the certs on your card.
> >>>>>>
> >>>>>> bob
> >>>>> Ok I have that in my local system where I use the aet middleware.
> >>>>> Then doing the certutil -L -d sql:/etc/pki/nssdb -h all I get the
> >>>>> certificates after entering the PIN.
> >>>>>
> >>>>> But how are those visible within the VM with the virtual smartcard
> >>>>> reader? When I use the same middleware library it tells me that I
> >>>>> have the wrong smartcard. So I guess I need something like the
> >>>>> coolkey or aet in the VM but then for the virtual smartcard?
> >>>>>
> >>>>> With kind regards
> >>>>>
> >>>>> William
> >>>>>
> >>>> some more info
> >>>>
> >>>> On my laptop my list looks like:
> >>>> Listing of PKCS #11 Modules
> >>>> -----------------------------------------------------------
> >>>>    1. NSS Internal PKCS #11 Module
> >>>>       slots: 2 slots attached
> >>>>      status: loaded
> >>>>
> >>>>       slot: NSS Internal Cryptographic Services
> >>>>      token: NSS Generic Crypto Services
> >>>>
> >>>>       slot: NSS User Private Key and Certificate Services
> >>>>      token: NSS Certificate DB
> >>>>
> >>>>    2. Root Certs
> >>>>      library name: /etc/pki/nssdb/libnssckbi.so
> >>>>       slots: 1 slot attached
> >>>>      status: loaded
> >>>>
> >>>>       slot: NSS Builtin Objects
> >>>>      token: Builtin Object Token
> >>>>
> >>>>    3. Aet1
> >>>>      library name: /usr/lib/libaetpkss.so.3.0
> >>>>       slots: 5 slots attached
> >>>>      status: loaded
> >>>>
> >>>>       slot: SCM SCR 355 00 00
> >>>>      token: smartcard
> >>>>
> >>>>       slot: UNAVAILABLE 1
> >>>>      token:
> >>>>
> >>>>       slot: UNAVAILABLE 2
> >>>>      token:
> >>>>
> >>>>       slot: UNAVAILABLE 3
> >>>>      token:
> >>>>
> >>>>       slot: UNAVAILABLE 4
> >>>>      token:
> >>>> -----------------------------------------------------------
> >>>>
> >>>>
> >>>> on the VM I only have 1 and 2 like above and number 3 I can add but
> >>>> then it says token not recognized.
> >>>>
> >>>> But when I try Alon's option to create the 3 certs manually and use
> >>>> those when starting the VM I also can't show them?
> >>>> so do I need to add like libcacard.so as a middleware lib or something
> >>>> in the VM?
> >>>>
> >>> Ok finally it works :)
> >>>
> >> m'glad.
> >>
> >>> I had to install the coolkey (thanks Robert) libs and add those to
> >>> the nss database.
> >>> I was looking for something like that, I just did not understand that
> >>> I had to install the coolkey in the VM.
> >>>
> >>> so for my understanding the libcacard virtual smartcard is based on
> >>> coolkey?
> >>>
> >> There is no library dependency, libcacard is linked to nss only (and
> >> that's also something that will be made optional if we make a windows
> >> scard backend for instance, or a testing backend).
> >>
> >>> So now I have that working with vscclient and not with spicec.
> >>> Spicec uses the /etc/pki/nssdb file and my smartcard starts to blink but
> >>> it cannot use the smartcard in the VM.
> >>> pcsc_scan also tells me that it has no smartcard.
> >>>
> >> Did you try spicec with certificates? did that work? it sounds like
> >> just a different db being used by spicec - it's basically the exact
> >> same codepath as vscclient (different code, so bug possible/expected
> >> of course, but it worked for me ;)
> > Well I have tried spicec to start with the certificates cert1 cert2
> > and 3 like starting qemu but that's not working
> > can you give me an example how to do that (create the certs and how to
> > pass them using spicec)?
> >
> >
> > not getting it entirely :)
> > vscclient -d 1 127.0.0.1 -e "use_hw=yes" 2001
> > only works when using the libaetpkss.so driver in the nssdb
> >
> > when I start vscclient use_hw=no it does not work and it also does not
> > work when using use_hw=yes and I removed the library from the nssdb.
> > So it seems to really use the aet middleware and the nssdb.
> >
> > spicec --smartcard reads my smartcard so I guess that should also work
> > but something is going wrong when passing that to the spiced VM (does
> > the spice-0.7.3 package from the website contain the necessary
> > patches?)
> >
> > Do I need to start qemu with a different device when using spicec
> > --smartcard?
> 
> Answering myself :)
> 
> -chardev spicevmc,server,host=127.0.0.1,name=smartcard,id=ccid -device usb-ccid \
> -device ccid-card-passthru,chardev=ccid -usb
> not sure if that's completely right but it works.
> 

That's exactly right. Never tried to put the -usb last, I thought qemu builds
the devices by order of command line arguments, maybe it checks for -usb first?
(it does do a number of passes over the command line arguments). Anyway I'm
glad it's finally working with spicec! Is this with real hardware/certs?

> going to bed now, will celebrate tomorrow and write some documentation :)
> 
> 
> >
> > With kind regards
> >
> > William
> >
> >
> >
> >
> >>> This is when starting the VM with:
> >>> -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid \
> >>> -device ccid-card-passthru,chardev=ccid -usb
> >>>
> >>> This works with vscclient but spicec just gives an error and no
> >>> smartcard.
> >>>
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8657] SmartCardChannel::add_unallocated_reader: adding unallocated reader 0x914c510
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_CARD_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 WARN [8657:8657] SmartCardChannel::handle_reader_add_response: VSC Error: reader -1, code 32511
> >>>
> >>>
> >>>> With kind regards
> >>>>
> >>>> William
> >>>>>
> >>>>>>>>> With kind regards
> >>>>>>>>>
> >>>>>>>>> William
> >>>>>>>>>>> With kind regards
> >>>>>>>>>>>
> >>>>>>>>>>> William van de Velde
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>>>> With kind regards
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> William
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>> With kind regards
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> William
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>>>>> Spice-devel mailing list
> >>>>>>>>>>>>>>> Spice-devel at lists.freedesktop.org
> >>>>>>>>>>>>>>> http://lists.freedesktop.org/mailman/listinfo/spice-devel
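The vscclient "debug 1" trace quoted earlier in this thread is the most useful diagnostic it contains: it shows exactly which command APDUs the guest-side middleware sends through the emulated CCID reader and how the libcacard simulated card answers. The following Python script is an added example, not code from the thread or from the spice/libcacard projects. It parses that trace (embedded below as a constructed sample copied from the quoted output), splits each APDU into its ISO 7816-4 fields, checks that the vscclient header length matches the APDU byte count, and names the status words using the standard ISO 7816-4 meanings (6A82 file or application not found, 6A81 function not supported, 6900 command not allowed). Reading it this way makes the thread's conclusion visible in the data: the guest middleware is selecting applications by AID and files by path (A0 00 00 03 08 00 00 10 00 is the PIV application AID, 2F00 is EF.DIR and 5015 the PKCS#15 application DF) that the simulated card does not carry, which is why the VM needs the coolkey middleware matching libcacard's card rather than the AET one. The record field names are this example's own choice.

```python
"""Decode a vscclient 'debug 1' trace: each exchange is the command APDU the
guest's emulated CCID reader forwarded to the client-side simulated card and
the status word the simulated card returned (added example, not project code)."""
import re

# Constructed sample: the exchanges quoted in the thread (vscclient, debug level 1).
SAMPLE_TRACE = """\
Header: type=7, reader_id=0 length=5 (0x5)
    recv APDU: 00 CA DF 30 05
    send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
    recv APDU: 00 A4 04 00 05 A0 00 00 00 01
    send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
    send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
    recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
    send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
    recv APDU: 00 A4 08 00 02 2F 00
    send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
    recv APDU: 00 A4 08 00 02 50 15
    send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
    recv APDU: 00 A4 08 00 02 50 15
    send response: 6A 81
"""

# ISO 7816-4 names for the instruction bytes and status words seen in the trace.
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA"}
SELECT_P1 = {0x04: "by DF name (AID)", 0x08: "by path from MF"}
STATUS_WORDS = {
    "9000": "Success",
    "6900": "Command not allowed",
    "6A81": "Function not supported",
    "6A82": "File or application not found",
}

HEADER_RE = re.compile(r"Header: type=(\d+), reader_id=(-?\d+) length=(\d+)")


def decode_apdu(raw: bytes) -> dict:
    """Split a short (non-extended) command APDU into CLA/INS/P1/P2/Lc/data/Le."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least the 4-byte header")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    fields = {"cla": cla, "ins": INS_NAMES.get(ins, "INS %02X" % ins),
              "p1": p1, "p2": p2, "lc": None, "data": "", "le": None}
    body = raw[4:]
    if len(body) == 1:                 # case 2: only an Le byte follows
        fields["le"] = body[0]
    elif len(body) > 1:                # case 3/4: Lc, data, optional trailing Le
        lc = body[0]
        fields["lc"] = lc
        fields["data"] = body[1:1 + lc].hex().upper()
        if len(body) == lc + 2:
            fields["le"] = body[1 + lc]
    if ins == 0xA4:
        fields["select_mode"] = SELECT_P1.get(p1, "P1 %02X" % p1)
    return fields


def describe_status(sw: str) -> str:
    """Human-readable meaning of a two-byte status word given as hex."""
    sw = sw.upper()
    return STATUS_WORDS.get(sw, "Unlisted status word " + sw)


def parse_trace(text: str) -> list:
    """Return one dict per Header / recv APDU / send response triple."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"type": int(m.group(1)), "reader_id": int(m.group(2)),
                       "header_length": int(m.group(3))}
            records.append(current)
        elif line.startswith("recv APDU:") and current is not None:
            raw = bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
            current.update(decode_apdu(raw))
            # The header's length field must cover exactly the APDU bytes.
            current["header_length_ok"] = current["header_length"] == len(raw)
        elif line.startswith("send response:") and current is not None:
            sw = line.split(":", 1)[1].replace(" ", "").upper()
            current["sw"] = sw
            current["status"] = describe_status(sw)
    return records


def refused_selects(records: list) -> list:
    """Distinct AIDs/paths (hex, in first-seen order) that the card refused to SELECT."""
    seen, out = set(), []
    for r in records:
        if r.get("ins") == "SELECT" and r.get("sw") != "9000" and r["data"] not in seen:
            seen.add(r["data"])
            out.append(r["data"])
    return out


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for r in recs:
        what = r["data"] or "Le=%s" % r["le"]
        print("%-8s %-18s %-20s -> %s %s" % (r["ins"], r.get("select_mode", ""),
                                              what, r["sw"], r["status"]))
    print("refused:", refused_selects(recs))
```

Run it against a saved trace instead of the embedded sample by reading the file into `parse_trace`; a `header_length_ok` of False on any record means the trace was truncated or mangled in transit and the exchange should not be trusted.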