[Spice-devel] Cac redirection through spice client
David Jaša
djasa at redhat.com
Tue May 19 07:34:26 PDT 2015
On Út, 2015-05-19 at 15:59 +0200, David Jaša wrote:
> On Út, 2015-05-19 at 09:00 -0400, Thomas Foster wrote:
> > David,
> >
> > While using the spice client have you put your cac into your local
> > reader? If so, were you able to use it? I ask because if you look
> > at my screenshots from my last email I get the same usb device
> > (usbccid), but I also get an extra device that is a problem.
> >
> > _______________________________________________
> > Spice-devel mailing list
> > Spice-devel at lists.freedesktop.org
> > http://lists.freedesktop.org/mailman/listinfo/spice-devel
>
> Hm, I think I'm starting to understand your situation: you're using a
> Linux client (CentOS 7?), a Windows 7 guest and the smart card doesn't
> work for you. When you write "drivers in spice client" you actually mean
> drivers for client OS. That's card-dependent. You need to have a
> "smart card middleware" installed in the system and registered in nss,
> e.g.:
>
> $ modutil -dbdir /etc/pki/nssdb -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
> 1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
>
> 2. CoolKey PKCS #11 Module
> library name: libcoolkeypk11.so
> slots: 1 slot attached
> status: loaded
>
> slot: Gemalto PC Twin Reader 00 00
> token: spice qe
>
> 3. p11-kit
> library name: /usr/lib64/pkcs11/p11-kit-trust.so
> slots: 2 slots attached
> status: loaded
>
> slot: /etc/pki/ca-trust/source
> token: System Trust
>
> slot: /usr/share/pki/ca-trust-source
> token: Default Trust
> -----------------------------------------------------------
>
> Module 2. is the one that provides my smartcard, "slot: Gemalto PC
> Twin Reader 00 00" is my physical card reader. Coolkey is not
> however officially sanctioned in Windows (although unofficial builds
> exist)
So official builds exist as well but you'd need a Red Hat Certificate
System subscription in order to access them:
https://access.redhat.com/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Managing_Smart_Cards_with_the_Enterprise_Security_Client/install-windows.html
David
> so if you intend to use the card in Windows, you'll need a different
> middleware for it and possibly, you'll need to register it to nss by
> hand:
>
> # modutil -dbdir /etc/pki/nssdb -add "some name for your pkcs#11 module" -libfile /usr/lib64/pkcs11/your_fancy_p11_library.so
>
> once done, the "spice client" will pick up the card automatically and
> it will show up in the working card reader in Windows with no further
> configuration.
> Alternatively, if your card doesn't have linux drivers (or it needs to
> be formatted by some Windows tool to a format specific for that
> tool...), the option for you is to use USB redirection of the whole
> card reader:
>
> Then the card won't be obviously available in the client OS but that's
> kind of irrelevant if its format needs to be incompatible with the
> client OS anyway.
> Please note also that I had to stop and mask pcscd in the client
> system in order to make the reader redirect. Note also that you'll
> need the driver for the physical reader in the guest OS in this
> scenario (the Gemalto driver for my card reader was also available
> through Windows update). The card was not recognized in my case
> because it's CoolKey/RHCS-formatted which would need the driver
> linked above in Windows:
>
>
> HTH,
>
> David
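The check described in the message (is a smart card middleware registered in NSS, and does its reader slot currently hold a token) can be scripted against `modutil -list` output. This is an added example, not part of the original post; the function names are hypothetical and the sample listing is constructed from the one quoted in the message, with the status and separator lines dropped.

```shell
# Added example (not from the original message): audit `modutil -list` output.
# Constructed sample, abridged from the listing quoted in the message.
sample_listing() {
cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
     slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services
     slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB
  2. CoolKey PKCS #11 Module
     library name: libcoolkeypk11.so
     slots: 1 slot attached
     slot: Gemalto PC Twin Reader 00 00
     token: spice qe
  3. p11-kit
     library name: /usr/lib64/pkcs11/p11-kit-trust.so
     slots: 2 slots attached
     slot: /etc/pki/ca-trust/source
     token: System Trust
     slot: /usr/share/pki/ca-trust-source
     token: Default Trust
EOF
}

# Print one "module|library|slot|token" record per slot found on stdin.
p11_slots() {
  awk '
    { sub(/[ \t\r]+$/, "") }                       # drop trailing whitespace
    /^[ \t]*[0-9]+\.[ \t]/ { sub(/^[ \t]*[0-9]+\.[ \t]+/, ""); mod = $0; lib = "(internal)"; next }
    /^[ \t]*library name:/ { sub(/^[^:]*:[ \t]*/, ""); lib = $0; next }
    /^[ \t]*slot:/         { sub(/^[^:]*:[ \t]*/, ""); slot = $0; next }
    /^[ \t]*token:/        { sub(/^[^:]*:[ \t]*/, ""); print mod "|" lib "|" slot "|" $0 }
  '
}

# Keep only smart card middleware slots that currently expose a token.
# Assumptions: the NSS internal module and the p11-kit trust store are not
# card middleware, and an empty token field means no card is inserted.
card_tokens() {
  p11_slots | awk -F"|" '
    $2 != "(internal)" && $2 !~ /p11-kit-trust/ && $4 != "" { print; n++ }
    END { exit (n ? 0 : 1) }'
}

# On a client: modutil -dbdir /etc/pki/nssdb -list | card_tokens
```

A non-zero exit status from `card_tokens` means no registered middleware currently exposes a card, which is the situation where the message suggests registering a module with `modutil -add` or redirecting the whole reader over USB.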