[Spice-devel] Cac redirection through spice client

David Jaša djasa at redhat.com
Tue May 19 06:59:06 PDT 2015


On Út, 2015-05-19 at 09:00 -0400, Thomas Foster wrote:

> David,
> 
> While using the spice client have you put your cac into your local
> reader?  If so, were you able to use it?  I ask because if you look
> at my screenshots from my last email I get the same usb device
> (usbccid), but I also get an extra device that is a problem.


Hm, I think I'm starting to understand your situation: you're using a
Linux client (CentOS 7?) and a Windows 7 guest, and the smart card doesn't
work for you. When you write "drivers in spice client" you actually mean
drivers for the client OS. That's card-dependent. You need to have a "smart
card middleware" installed in the system and registered in NSS, e.g.:


$ modutil -dbdir /etc/pki/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: 1 slot attached
	status: loaded

	 slot: Gemalto PC Twin Reader 00 00
	token: spice qe

  3. p11-kit
	library name: /usr/lib64/pkcs11/p11-kit-trust.so
	 slots: 2 slots attached
	status: loaded

	 slot: /etc/pki/ca-trust/source
	token: System Trust

	 slot: /usr/share/pki/ca-trust-source
	token: Default Trust
-----------------------------------------------------------


Module 2. is the one that provides my smartcard, "slot: Gemalto PC Twin
Reader 00 00" is my physical card reader. CoolKey is not, however,
officially sanctioned in Windows (although unofficial builds exist), so
if you intend to use the card in Windows, you'll need a different
middleware for it and possibly, you'll need to register it to NSS by
hand:


# modutil -dbdir /etc/pki/nssdb -add "some name for your pkcs#11 module" -libfile /usr/lib64/pkcs11/your_fancy_p11_library.so


Once done, the "spice client" will pick up the card automatically and it
will show up in the working card reader in Windows with no further
configuration.
Alternatively, if your card doesn't have Linux drivers (or it needs to
be formatted by some Windows tool to a format specific for that
tool...), the option for you is to use USB redirection of the whole card
reader:

Then the card obviously won't be available in the client OS, but that's
kind of irrelevant if its format needs to be incompatible with the
client OS anyway.
Please note also that I had to stop and mask pcscd in the client system
in order to make the reader redirect. Note also that you'll need the
driver for the physical reader in the guest OS in this scenario (the
Gemalto driver for my card reader was also available through Windows
update). The card was not recognized in my case because it's
CoolKey/RHCS-formatted which would need the driver linked above in
Windows:


HTH,

David