Hello Marc-André,

Thanks for your message!
On 14.09.2017 00:13, Marc-André Lureau wrote:
> Hi Patrick
>
> On Wed, Sep 6, 2017 at 5:04 PM Patrick Vacek
> <patr...@advancedtelematic.com <mailto:patr...@advancedtelematic.com>> wrote:
>
>> Hello,
>>
>> I'm trying to emulate a smartcard. I found section 4 of docs/ccid.txt,
>> which appears to do exactly what I'm interested in. However, that
>> document is a few years old and references CoolKey, which at this point
>> seems obsolete, with OpenSC being the preferred successor. I've
>> followed the rest of the steps with success, and tried registering OpenSC
>> with NSS (i.e. modutil -dbdir /etc/pki/nssdb -add "CAC Module" -libfile
>> /usr/lib/opensc-pkcs11.so), but I'm still not seeing my three
>> certificates listed on the device as I'd expect.
>>
>> I'm using QEMU emulator version 2.8.0 (Debian 1:2.8+dfsg-3ubuntu2.3).
>> I've also tried using QEMU emulator version 2.10.0 (built from source),
>> but the interface has changed and the commands from the documentation
>> don't work anymore.
>>
>> 1. Am I correct to assume that OpenSC is the logical successor to
>> CoolKey, and should I expect a simple substitution such as that to work?
>
> That's my understanding too, and it seems Fedora 26 deprecated
> coolkey. However, when I tried opensc a few years ago with qemu/libcacard,
> it didn't work. I haven't looked further since.
>
>> 2. Are there other steps I might be overlooking with OpenSC or with
>> getting the certificates recognized on the device?
>
> I would first try to get the coolkey module to work, before debugging
> opensc. Ideally get some help from an opensc developer, since qemu should
> still work with coolkey.

I haven't had great success with OpenSC yet, so I finally took the time to write a coolkey recipe for Yocto. The recipe seems to work and coolkey appears to be installed on my device, but it does not work entirely as desired.

Specifically, when I run `modutil -dbdir sql:/etc/pki/nssdb -add "CAC Module" -libfile /usr/lib/pkcs11/libcoolkeypk11.so`, I get this:

"ERROR: Failed to add module "CAC Module". Probable cause : "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred."."

That's a pretty vague message and I haven't been able to find anything further to help guide me to a resolution. Do you have any ideas?

The one thing that has occurred to me is that nss seems to require a password for a database before being able to do anything meaningful with it. When I tried to reproduce the steps of docs/ccid.txt item 4 entirely locally (but with two separate databases), I had no problem with the modutil command, but when I tried to import the certificates with `certutil -A -d sql:./temp/ -i fake-smartcard-ca.cer -t TC,TC,TC -n fake-smartcard-ca`, I got this:

"certutil: could not authenticate to token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization."

When I recreated the second database manually and provided a password, that step worked fine and the output of listing the certificates worked as expected. Of course, on the device, I can recreate the database at /etc/pki/nssdb with a password, but that erases the existing contents, which means the certificates that were supposed to be initialized on the device wouldn't be there, so that defeats the whole purpose, right? Is there a way to specify a password for the nss database when launching qemu? In any case, that probably won't fix the modutil error, but it's the only thought I've had so far.

>> 3. If, as I suspect, that document is no longer up to date, what do the
>> steps currently look like to get smartcard emulation working?
>
> They look still pretty ok to me. certutil usage may have changed, but
> qemu & coolkey didn't change I think.
>
> What problems did you have when trying to set up following
> docs/ccid.txt? We may want to update the doc.

In item 2, the necessary nss package on Ubuntu 17.04 is libnss3-tools.

In item 4, I think it might be best to prefix all database paths on the device with "sql:" as is done with the host commands.

In item 8, docs/libcacard.txt no longer exists, as it is now in a separate package.

And of course there's the fact that the modutil command doesn't work for me, but I can't say why or what should change yet.

> Thanks
> --
> Marc-André Lureau

Thanks,
Patrick

--
Patrick Vacek
ATS Advanced Telematic Systems GmbH
Kantstraße 162, 10623 Berlin
HRB 151501 B, Amtsgericht Charlottenburg
Represented by the managing directors Dirk Pöschl, Armin G. Schmidt
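The local two-database reproduction Patrick describes (create the NSS database with a password so `certutil -A` does not fail with SEC_ERROR_IO, import the certificates, then list them) as an added example; this is not code from the thread, from QEMU or from libcacard. It assumes the `certutil` and `modutil` binaries from libnss3-tools are on PATH, that `certutil -f` (password file) and `modutil -force` behave as in the NSS tools, and uses placeholder nicknames, paths and a placeholder module library path. The listing parser lets a script verify that the expected nicknames actually appear, which is the check Patrick is missing on the device.

```python
"""Reproduce docs/ccid.txt step-4 NSS database setup locally, with a password.

Added example (not the thread's or the project's code). Assumes certutil and
modutil from libnss3-tools on PATH; all paths and nicknames are placeholders.
"""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional

# Constructed sample of `certutil -L -d <db>` output (placeholder nicknames),
# used to exercise the parser without a real database.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fake-smartcard-ca                                            CT,C,C
fake-smartcard-1                                             u,u,u
fake-smartcard-2                                             u,u,u
"""


def parse_certutil_list(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string from `certutil -L` output.

    The two header lines and blank lines are skipped; on each entry the
    trust attributes are the last field and the nickname is what precedes it.
    """
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Certificate Nickname") or "SSL,S/MIME" in line:
            continue
        m = re.match(r"^(.*?)\s+(\S+)$", line.rstrip())
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs


def missing_certs(expected: List[str], listing: str) -> List[str]:
    """Return the expected nicknames that do not appear in the listing."""
    present = parse_certutil_list(listing)
    return [n for n in expected if n not in present]


def nss_db(path: str) -> str:
    """Always address the database with the sql: prefix, as the host commands do."""
    return path if path.startswith("sql:") else "sql:" + path


def setup_db(dbdir: str, password: str, certs: Dict[str, str],
             module_lib: Optional[str] = None) -> str:
    """Create a password-protected NSS DB, import certs, optionally add a PKCS#11 module.

    `certs` maps nickname -> certificate file. Returns the `certutil -L` output.
    """
    pwfile = os.path.join(dbdir, "pw.txt")
    with open(pwfile, "w") as fh:
        fh.write(password + "\n")
    os.chmod(pwfile, 0o600)  # the password file should not be world-readable
    db = nss_db(dbdir)
    # -f supplies the password both when initialising and when authenticating
    # to the token later, which is the step that failed without a password.
    subprocess.run(["certutil", "-N", "-d", db, "-f", pwfile], check=True)
    for nick, path in certs.items():
        # Trust flags as used in docs/ccid.txt item 4.
        subprocess.run(["certutil", "-A", "-d", db, "-f", pwfile, "-i", path,
                        "-t", "TC,TC,TC", "-n", nick], check=True)
    if module_lib:
        # -force skips modutil's interactive confirmation prompt.
        subprocess.run(["modutil", "-dbdir", db, "-add", "CAC Module",
                        "-libfile", module_lib, "-force"], check=True)
    return subprocess.run(["certutil", "-L", "-d", db], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    if shutil.which("certutil") is None:
        print("certutil not found; install libnss3-tools (Ubuntu 17.04 package name)")
    else:
        tmp = tempfile.mkdtemp(prefix="nssdb-")
        # Placeholder password; no certificates are imported in this smoke run.
        listing = setup_db(tmp, "placeholder-password", {})
        print(listing)
        print("missing:", missing_certs(["fake-smartcard-ca"], listing))
```

Run it against a scratch directory first; the parser and `missing_certs` can then be pointed at the output of `certutil -L -d sql:/etc/pki/nssdb` on the device to confirm whether the three certificates were ever written there, independently of the modutil error.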