On 03/01/2011 08:13 AM, william wrote:
On 03/01/2011 12:23 AM, Robert Relyea wrote:
On 02/28/2011 08:34 AM, william wrote:
On 02/26/2011 08:49 PM, Alon Levy wrote:
On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
On 02/24/2011 08:10 PM, Alon Levy wrote:
On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
On 02/24/2011 05:09 PM, Alon Levy wrote:
On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
On 02/24/2011 12:09 PM, Alon Levy wrote:
On Thu, Feb 24, 2011 at 10:17:21AM +0100, [email protected] wrote:
Dear list,

I have tried to get smartcard support running but I'm a bit lost :) probably because it's not finished yet.

We have smartcards with certificates like US DoD and I would like to use those from a client on a remote server for authentication and such. I have followed the build instructions: http://spice-space.org/page/Building_Instructions on an Ubuntu system and have managed to get those compiled.

But when I try to start a VM with smartcard passthrough it asks me to give a driver name?

./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -vga qxl -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512

do_spice_init: starting 0.6.3
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
spice_server_add_interface: SPICE_INTERFACE_RECORD
spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid: Parameter 'driver' expects a driver name
Try with argument '?' for a list.

Am I starting the VM the right way or am I missing something?
You are doing the right steps with the wrong qemu. To be explicit: qemu hasn't accepted the patches for the smartcard devices yet, so I don't know where you got the qemu executable, but unless you built it by hand and applied the patches on the list, or, easier, used the pull URL I provide in the patches I sent (like v20: git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20), you won't have them.

Alon

Sorry for the private mail :(
I can start the VM now with the usb_ccid.v19 git; v20 gives me compile errors.

./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512 -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
do_spice_init: starting 0.7.3
spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
spice_server_add_interface: SPICE_INTERFACE_MOUSE
spice_server_add_interface: SPICE_INTERFACE_RECORD
spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
spice_server_add_interface: SPICE_INTERFACE_QXL
red_worker_main: begin
handle_dev_input: start

I also installed spice 0.7.3.

When starting the spicec client I can connect, but how can I share, say, a local device now through spicec to the guest? On the local client I can run pcsc_scan and it returns my reader and detects my card; would that also be possible on the guest?

About v20: if you can run make V=1 and post the output?
Nah, forget this, I did not switch to v20; that was the problem.
I still don't understand, but it would be nice if you could do your tests with the last version, v20, even if the changes are just cosmetic.

About the rest, yes, the guest should show the card too using pcsc_scan.

You shouldn't need to be root on the client, but possibly it will work then - could you try that? In that case I don't remember exactly what the solution was :( but there is one!
OK, here is what I see now.

- On my local system I have:
#lsusb
Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader
#pcsc_scan
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau<[email protected]>
Compiled with PC/SC lite version: 1.5.3
Scanning present readers...
0: SCM SCR 355 00 00

Thu Feb 24 17:36:04 2011
   Reader 0: SCM SCR 355 00 00
    Card state: Card inserted,
    ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx

- Now when I start qemu like the following:
#./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512 -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user

- I see this in my VM after starting spicec with the following options:
#spicec -h localhost -p 5930
#lsusb
Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
#pcsc_scan
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau<[email protected]>
Compiled with PC/SC lite version: 1.5.3
Scanning present readers...
0: Gemplus GemPC4433 SL (1) 00 00

Thu Feb 24 17:42:05 2011
   Reader 0: Gemplus GemPC4433 SL (1) 00 00
    Card state: Card removed,

After removing the device from my local machine and starting the VM again with the above options, it still shows me the Gemplus smartcard reader.

Any hints from here?

Yes. It looks like the guest sees the ccid device (that's the Gemplus; you can see it's qemu if you do lsusb), but no card. The reason for the latter is that spicec didn't see any card. That's why I suggested trying to run spicec as root - the bottom line is that you need to make sure NSS can see the device as a regular user. I'll try to supply better instructions later.
Well, I managed to get something working but I'm not sure if that's the way to go.

When I start the VM with the ccid passthrough I receive a device Gemplus.

When starting spicec with --smartcard after adding the AET
oops, forgot you needed that.

middleware libs to the NSS database with the following command:
modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile /usr/lib/libaetpkss.so.3.0
then starting spicec with --smartcard, my reader begins blinking so something is read from the token, but then in the VM I got nothing when using pcsc_scan. Perhaps it has something to do with the following error on the start of spicec: Warning: VSC Error: reader -1, code 32684

So using "spicec --smartcard" (spicec for short) you can't do pcsc_scan and see a card in the VM?

Anyway, I also got the idea that using the vscclient would be possible, so I gave that a try:
vscclient -e use_hw=yes 127.0.0.1 2001
It takes some time but then I can do list and it shows me that my smartcard is active and has a card in it, but in the VM no go.
vscclient -e use_hw=yes 127.0.0.1 2001
list
Active Readers:
    0 CARD_PRESENT SCM SCR 355 00 00
    0              UNAVAILABLE 1
    0              UNAVAILABLE 2
    0              UNAVAILABLE 3
    0              UNAVAILABLE 4
Inactive Readers:
debug 1
debug level = 1
Header: type=7, reader_id=0 length=5 (0x5)
   recv APDU: 00 CA DF 30 05
   send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
   recv APDU: 00 A4 04 00 05 A0 00 00 00 01
   send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
   send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
   send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 2F 00
   send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 50 15
   send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 50 15
   send response: 6A 81

So it kinda works, except that it does not see the right card; it also shows me the wrong ATR.
The ATR isn't wrong, it's just not the card's ATR. The architecture is like this:

real card - real reader - pcscd - spicec (via nss) - simulated card <-protocol-> emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other client)

When using vscclient it's exactly the same; the difference is just that it goes via a TCP socket directly instead of in a spice channel.

So the ATR you see in the VM is by the simulated card (libcacard).

But you should definitely see a card with spicec as well.

I also need the middleware library in the VM, else it does not work at all.

Any ideas?
Nothing really. I'll try to take a look at the APDUs later (I'm not really an expert on them) - can you try using the certificate-backed card just to make sure everything except the hardware is working correctly? (i.e. the VM stack is fine, spicec version and libspiceserver and qemu versions work fine). The instructions are in qemu doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is the patch with the file).

I'm not getting any further.

I will explain below the steps I took to get things (almost :) running.

Download all deps:
git clone git://anongit.freedesktop.org/~alon/qemu
  git checkout -b usb_ccid.v20 origin/usb_ccid.v20
wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2

Install libcacard.
Install spice protocol.
Install spice client and server with the configure option --enable-smartcard.
Install qemu with the configure options --enable-smartcard --enable-spice.

Import certificates into the NSS database:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb
certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3

certutil -L -d /etc/pki/nssdb
cert3                                                        CTu,Cu,Cu
cert1                                                        CTu,Cu,Cu
cert2                                                        CTu,Cu,Cu

Start the VM with the following options:
-spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
Start spicec -h localhost -p 5930
After boot I have the Gemplus ccid reader and pcsc_scan tells me that I have a reader.

But how can I show the certificates cert1,2,3 in the VM with certutil?
You need to start certutil with a database which points to the smart card. If you install libcoolkey, I believe /etc/pki/nssdb should already be set up...

Here's what mine looks like:

bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal Crypto Services
      slots: 3 slots attached
     status: loaded

      slot: NSS Internal Cryptographic Services
     token: NSS Generic Crypto Services

      slot: NSS User Private Key and Certificate Services
     token: NSS Certificate DB

      slot: NSS Application Slot 00000004
     token: NSS user database

   2. CoolKey PKCS #11 Module
     library name: libcoolkeypk11.so
      slots: 1 slot attached
     status: loaded

      slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
     token:

   3. Built-ins
     library name: /usr/lib64/__libnssckbi.so
      slots: There are no slots attached to this module
     status: Not loaded
-----------------------------------------------------------
bobs-laptop(52)

The important one here is #2 ("Coolkey PKCS #11 Module").

Once you have that you should be able to run

certutil -L -h all -d sql:/etc/pki/nssdb

to list all the certs on your card.

bob

OK, I have that on my local system where I use the AET middleware. Then doing certutil -L -d sql:/etc/pki/nssdb -h all I get the certificates after entering the PIN.

But how are those visible within the VM with the virtual smartcard reader? When I use the same middleware library it tells me that I have the wrong smartcard. So I guess I need something like the coolkey or AET in the VM, but then for the virtual smartcard?

With kind regards

William

Some more info.

On my laptop my list looks like:
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. Root Certs
    library name: /etc/pki/nssdb/libnssckbi.so
     slots: 1 slot attached
    status: loaded

     slot: NSS Builtin Objects
    token: Builtin Object Token

  3. Aet1
    library name: /usr/lib/libaetpkss.so.3.0
     slots: 5 slots attached
    status: loaded

     slot: SCM SCR 355 00 00
    token: smartcard

     slot: UNAVAILABLE 1
    token:

     slot: UNAVAILABLE 2
    token:

     slot: UNAVAILABLE 3
    token:

     slot: UNAVAILABLE 4
    token:
-----------------------------------------------------------


On the VM I only have 1 and 2 like above, and number 3 I can add, but then it says token not recognized.

But when I try Alon's option to create the 3 certs manually and use those when starting the VM, I also can't show them. So do I need to add something like libcacard.so as a middleware lib or something in the VM?

With kind regards

William


With kind regards

William
With kind regards

William van de Velde



With kind regards

William


With kind regards

William
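The vscclient trace earlier in the thread shows every probe from the guest-side middleware being answered with 6A 82 / 6A 81, and the later messages report the matching symptom inside the VM ("wrong smartcard", "token not recognized"). The script below is an added example written for this page; it is not code from the SPICE, libcacard or qemu projects. It parses the "recv APDU" / "send response" lines, names each command and status word per ISO 7816-4, and labels the identifiers it recognises (the PIV application AID, EF.DIR 2F00 and the PKCS#15 DF 5015), so the mismatch between what the middleware selects and what the emulated card serves is visible at a glance. The log lines are copied from the thread; the function and table names are the example's own.

```python
"""Decode the APDU exchange that vscclient printed in the thread above.

Added example, not part of SPICE/libcacard/qemu: it parses the "recv APDU" /
"send response" lines, names each ISO 7816-4 command and status word, and
reports which application or file the guest-side middleware asked for and
how the emulated card answered.
"""
import re

# Constructed sample: the vscclient debug output quoted in the thread.
SAMPLE_LOG = """\
Header: type=7, reader_id=0 length=5 (0x5)
   recv APDU: 00 CA DF 30 05
   send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
   recv APDU: 00 A4 04 00 05 A0 00 00 00 01
   send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
   recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
   send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 2F 00
   send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
   recv APDU: 00 A4 08 00 02 50 15
   send response: 6A 81
"""

INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA"}                      # ISO 7816-4 INS
SELECT_MODES = {0x04: "by DF name (AID)", 0x08: "by path from MF"}  # SELECT P1
# Identifiers this decoder recognises; anything else is reported as unknown.
KNOWN_TARGETS = {
    "A00000030800001000": "PIV application AID (NIST SP 800-73)",
    "2F00": "EF.DIR",
    "5015": "PKCS#15 application DF",
}
SW_MEANINGS = {                                                      # SW1 SW2
    0x9000: "success",
    0x6900: "command not allowed",
    0x6A81: "function not supported",
    0x6A82: "file or application not found",
}

APDU_RE = re.compile(r"recv APDU:\s*([0-9A-Fa-f ]+)")
RESP_RE = re.compile(r"send response:\s*([0-9A-Fa-f ]+)")


def decode_apdu(hex_bytes):
    """Split a command APDU (hex string, spaces allowed) into its fields."""
    b = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(b) < 4:
        raise ValueError("APDU shorter than the 4-byte CLA INS P1 P2 header")
    cla, ins, p1, p2 = b[0], b[1], b[2], b[3]
    # Exactly five bytes means a lone Le (case 2); more means Lc then data.
    data = b[5:5 + b[4]] if len(b) > 5 else b""
    info = {"cla": cla, "ins": ins, "ins_name": INS_NAMES.get(ins, f"INS {ins:02X}"),
            "p1": p1, "p2": p2, "data": data.hex().upper()}
    if ins == 0xA4:
        mode = SELECT_MODES.get(p1, f"P1={p1:02X}")
        info["target"] = KNOWN_TARGETS.get(info["data"], "unrecognised identifier")
        info["summary"] = f"SELECT {mode} {info['data']} ({info['target']})"
    elif ins == 0xCA:
        info["target"] = f"data object tag {p1:02X}{p2:02X}"
        info["summary"] = f"GET DATA {info['target']}"
    else:
        info["target"] = ""
        info["summary"] = info["ins_name"]
    return info


def parse_log(text):
    """Pair each 'recv APDU' line with the 'send response' that follows it."""
    exchanges, pending = [], None
    for line in text.splitlines():
        m = APDU_RE.search(line)
        if m:
            pending = decode_apdu(m.group(1))
            continue
        m = RESP_RE.search(line)
        if m and pending is not None:
            resp = bytes.fromhex(m.group(1).replace(" ", ""))
            sw = (resp[-2] << 8) | resp[-1]            # last two bytes are SW1 SW2
            pending["sw"] = f"{sw:04X}"
            pending["sw_meaning"] = SW_MEANINGS.get(sw, "unknown status word")
            pending["ok"] = sw == 0x9000
            exchanges.append(pending)
            pending = None
    return exchanges


def rejected_targets(exchanges):
    """Names of the files/applications the card refused with a 6Axx status."""
    return [e["target"] for e in exchanges if e["sw"].startswith("6A")]


def report(text):
    """One readable line per exchange, returned as a list of strings."""
    return [f"{e['summary']} -> {e['sw']} {e['sw_meaning']}" for e in parse_log(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("rejected:", rejected_targets(parse_log(SAMPLE_LOG)))
```

Run it with any vscclient "debug 1" capture on stdin-free input by replacing SAMPLE_LOG, or as-is to see the thread's trace decoded: the middleware selects the PIV AID, EF.DIR and the PKCS#15 DF in turn and the emulated card answers "not found" / "not supported" for each, which is the behaviour a middleware written for a different card profile reports as "wrong smartcard" or "token not recognized".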




_______________________________________________
Spice-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/spice-devel
