On 02/28/2011 08:34 AM, william wrote:
> On 02/26/2011 08:49 PM, Alon Levy wrote:
>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, k...@cobradevil.org wrote:
>>>>>>>>> Dear list,
>>>>>>>>>
>>>>>>>>> I have tried to get smartcard support running but I'm a bit lost :)
>>>>>>>>> probably because it's not finished yet.
>>>>>>>>>
>>>>>>>>> We have smartcards with certificates like US DoD and I would like to use
>>>>>>>>> those from a client on a remote server for authentication and such.
>>>>>>>>> I have followed the build instructions:
>>>>>>>>> http://spice-space.org/page/Building_Instructions on an Ubuntu system and
>>>>>>>>> have managed to get those compiled.
>>>>>>>>>
>>>>>>>>> But when I try to start a vm with smartcard passthrough it asks me to give
>>>>>>>>> a driver name?
>>>>>>>>>
>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -vga qxl -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512
>>>>>>>>>
>>>>>>>>> do_spice_init: starting 0.6.3
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>>>> red_worker_main: begin
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid: Parameter 'driver' expects a driver name
>>>>>>>>> Try with argument '?' for a list.
>>>>>>>>>
>>>>>>>>> Am I starting the vm the right way or am I missing something?
>>>>>>>> You are doing the right steps with the wrong qemu. To be explicit: qemu hasn't
>>>>>>>> accepted the patches for the smartcard devices yet, so I don't know where you
>>>>>>>> got the qemu executable but unless you built it by hand and applied the patches
>>>>>>>> on the list, or easier used the pull url I provide in the patches I sent (like v20
>>>>>>>> git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you won't have them.
>>>>>>>>
>>>>>>>> Alon
>>>>>>>>
>>>>>>> Sorry for the priv mail :(
>>>>>>> I can start the vm now with the usb_ccid.v19 git, 20 gives me compile errors
>>>>>>>
>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512 -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>>> do_spice_init: starting 0.7.3
>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
>>>>>>> red_worker_main: begin
>>>>>>> handle_dev_input: start
>>>>>>>
>>>>>>> I also installed spice 0.7.3
>>>>>>>
>>>>>>> When starting the spicec client I can connect but how can I share
>>>>>>> say a local device now through spicec to the guest?
>>>>>>> On the local client I can run pcsc_scan and it returns my reader and
>>>>>>> detects my card, would that also be possible on the guest?
>>>>>>>
>>>>>> about v20 if you can run make V=1 and post the output?
>>>>> Nah forget this
>>>>> I did not switch to v20, that was the problem.
>>>> I still don't understand, but it would be nice if you could do your
>>>> tests with the last version, v20, even if the changes are just cosmetic.
>>>>
>>>>>> about the rest, yes, the guest should show the card too using pcsc_scan.
>>>>>>
>>>>>> you shouldn't need to be root on the client, but possibly it will work then -
>>>>>> could you try that? in that case I don't remember exactly what the solution was :(
>>>>>> but there is one!
>>>>> ok here is what I see now
>>>>>
>>>>> - on my local system I have:
>>>>> #lsusb
>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader
>>>>> #pcsc_scan
>>>>> PC/SC device scanner
>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rouss...@free.fr>
>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>> Scanning present readers...
>>>>> 0: SCM SCR 355 00 00
>>>>>
>>>>> Thu Feb 24 17:36:04 2011
>>>>> Reader 0: SCM SCR 355 00 00
>>>>> Card state: Card inserted,
>>>>> ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
>>>>>
>>>>> - Now when I start qemu like the following
>>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512 -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
>>>>>
>>>>> - I see this in my vm after starting spicec with the following options
>>>>> #spicec -h localhost -p 5930
>>>>> #lsusb
>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
>>>>> #pcsc_scan
>>>>> PC/SC device scanner
>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rouss...@free.fr>
>>>>> Compiled with PC/SC lite version: 1.5.3
>>>>> Scanning present readers...
>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
>>>>>
>>>>> Thu Feb 24 17:42:05 2011
>>>>> Reader 0: Gemplus GemPC4433 SL (1) 00 00
>>>>> Card state: Card removed,
>>>>>
>>>>>
>>>>> After removing the device from my local machine and starting the vm
>>>>> again with the above options it still shows me the gemplus smartcard reader
>>>>>
>>>>> Any hints from here?
>>>>>
>>>> Yes. It looks like the guest sees the ccid device (that's the Gemplus,
>>>> you can see it's qemu if you do lsusb), but no card.
>>>> The reason for the
>>>> latter is that spicec didn't see any card. That's why I suggested trying to
>>>> run spicec as root - the bottom line is that you need to make sure NSS
>>>> can see the device as a regular user. I'll try to supply better instructions
>>>> later.
>>> Well I managed to get something working but I'm not sure if that's
>>> the way to go.
>>>
>>> When I start the vm with the ccid passthrough I receive a device gemplus.
>>>
>>> When starting spicec with --smartcard after adding the aet
>> oops, forgot you needed that.
>>
>>> middleware libs to the nss database with the following command:
>>> modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile /usr/lib/libaetpkss.so.3.0
>>> then start spicec with --smartcard, my reader begins blinking so
>>> something is read from the token but then in the vm I got nothing
>>> when using pcsc_scan. Perhaps it has to do something with the
>>> following error on the start of spicec: Warning: VSC Error: reader -1, code 32684
>>>
>> So using "spicec --smartcard" (spicec for short) you can't do pcsc_scan
>> and see a card in the vm?
>>
>>> Anyway I also got the idea that using the vscclient would be
>>> possible so I gave that a try
>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>> it takes some time but then I can do list and it shows me that my
>>> smartcard is active and has a card in it
>>> but in the vm nogo
>>>
>>> vscclient -e use_hw=yes 127.0.0.1 2001
>>> > list
>>> Active Readers:
>>> 0 CARD_PRESENT SCM SCR 355 00 00
>>> 0 UNAVAILABLE 1
>>> 0 UNAVAILABLE 2
>>> 0 UNAVAILABLE 3
>>> 0 UNAVAILABLE 4
>>> Inactive Readers:
>>> > debug 1
>>> debug level = 1
>>> > Header: type=7, reader_id=0 length=5 (0x5)
>>> recv APDU: 00 CA DF 30 05
>>> send response: 69 00
>>> Header: type=7, reader_id=0 length=10 (0xa)
>>> recv APDU: 00 A4 04 00 05 A0 00 00 00 01
>>> send response: 6A 82
>>> Header: type=7, reader_id=0 length=14 (0xe)
>>> recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>> send response: 6A 82
>>> Header: type=7, reader_id=0 length=14 (0xe)
>>> recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
>>> send response: 6A 82
>>> Header: type=7, reader_id=0 length=7 (0x7)
>>> recv APDU: 00 A4 08 00 02 2F 00
>>> send response: 6A 81
>>> Header: type=7, reader_id=0 length=7 (0x7)
>>> recv APDU: 00 A4 08 00 02 50 15
>>> send response: 6A 81
>>> Header: type=7, reader_id=0 length=7 (0x7)
>>> recv APDU: 00 A4 08 00 02 50 15
>>> send response: 6A 81
>>>
>>> so it kinda works except that it does not see the right card; it also
>>> shows me the wrong atr.
>> The ATR isn't wrong, it's just not the card's ATR. The architecture
>> is like this:
>>
>> real card - real reader - pcscd - spicec (via nss) - simulated card <-protocol->
>> emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other client)
>>
>> When using vscclient it's exactly the same, difference is just that
>> it goes via a TCP socket directly instead of in a spice channel.
>>
>> So the ATR you see in the vm is by the simulated card (libcacard).
>>
>> But you should definitely see a card with spicec as well.
>>
>>> I also need the middleware library in the vm else it does not work at all.
>>>
>>> Any ideas?
>> Nothing really. I'll try to take a look at the APDU's later (I'm not
>> really an expert on them) - can you try using the certificates backed
>> card just to make sure everything except the hardware is working
>> correctly? (i.e. vm stack is fine, spicec version and libspiceserver
>> and qemu versions work fine). The instructions are in qemu
>> doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is
>> the patch with the file).
>>
> I'm not getting any further.
>
> I will explain below the steps I took to get things (almost:) running
>
> Download all deps:
> git clone git://anongit.freedesktop.org/~alon/qemu
> git checkout -b usb_ccid.v20 origin/usb_ccid.v20
> wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
> wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
>
> install libcacard
> install spice protocol
> install spice client and server with the configure option --enable-smartcard
> install qemu with configure option --enable-smartcard --enable-spice
>
> import certificates into nss database
> mkdir -p /etc/pki/nssdb
> certutil -N -d /etc/pki/nssdb
> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
>
> certutil -L -d /etc/pki/nssdb
> cert3 CTu,Cu,Cu
> cert1 CTu,Cu,Cu
> cert2 CTu,Cu,Cu
>
> start vm with the following options
> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
> start spicec -h localhost -p 5930
> after boot I have gemplus ccid reader and pcsc_scan tells me that I have a reader
>
> But how can I show the certificates cert1,2,3 in the vm with certutil?
You need to start certutil with a database which points to the smart card. If you install libcoolkey, I believe /etc/pki/nssdb should already be set up... Here's what mine looks like:

bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
        slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS user database

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
        slots: 1 slot attached
        status: loaded

         slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
        token:

  3. Built-ins
        library name: /usr/lib64/__libnssckbi.so
        slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------
bobs-laptop(52)

The important one here is #2 ("Coolkey PKCS #11 Module"). Once you have that you should be able to run

certutil -L -h all -d sql:/etc/pki/nssdb

to list all the certs on your card.
bob

>
>>> With kind regards
>>>
>>> William
>>>>> With kind regards
>>>>>
>>>>> William van de Velde
>>>>>
>>>>>>> With kind regards
>>>>>>>
>>>>>>> William
>>>>>>>
>>>>>>>>> With kind regards
>>>>>>>>>
>>>>>>>>> William
_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
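The vscclient trace William quoted above is the most informative piece of evidence in the thread, but it is raw hex. The following is an added example, not code from the thread, from libcacard or from the Spice project: a small Python decoder that takes that trace (embedded here as the sample input, copied from the quoted mail), splits each command APDU into its ISO 7816-4 fields, names the SELECT targets it recognizes, and translates the status words the simulated card returned. The instruction names, the status-word meanings, the PIV application AID and the EF.DIR / PKCS#15 file identifiers are standard ISO 7816-4, NIST SP 800-73 and PKCS#15 values; treating them as a small lookup table is an assumption of this example, not something the thread states. Run over the trace it shows that every command the guest-side middleware issued was refused, which is the detail to carry into the comparison Alon suggests against the certificates-backed card.

```python
"""Decode the APDU exchange printed by `vscclient -e use_hw=yes ...` at `debug 1`."""
import re
from typing import Dict, List, Optional, Tuple

# Trace copied from the quoted mail above (the simulated card's replies, as seen by vscclient).
SAMPLE_TRACE = """\
> Header: type=7, reader_id=0 length=5 (0x5)
recv APDU: 00 CA DF 30 05
send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
recv APDU: 00 A4 04 00 05 A0 00 00 00 01
send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
recv APDU: 00 A4 08 00 02 2F 00
send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
recv APDU: 00 A4 08 00 02 50 15
send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
recv APDU: 00 A4 08 00 02 50 15
send response: 6A 81
"""

# Small lookup tables (ISO 7816-4 / SP 800-73 / PKCS#15 values; assumption: only what this trace needs).
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA", 0xB0: "READ BINARY", 0x20: "VERIFY", 0xC0: "GET RESPONSE"}
SELECT_P1 = {0x00: "by file id", 0x04: "by DF name (AID)", 0x08: "by path from MF"}
STATUS_WORDS = {
    (0x69, 0x00): "command not allowed",
    (0x6A, 0x81): "function not supported",
    (0x6A, 0x82): "file or application not found",
}
KNOWN_NAMES = {  # full value; a SELECT whose data is a prefix of one of these is reported with its label
    "A000000308000010000100": "PIV application (NIST SP 800-73)",
    "2F00": "EF.DIR",
    "5015": "PKCS#15 application DF",
}

APDU_RE = re.compile(r"recv APDU: ((?:[0-9A-Fa-f]{2}\s*)+)$")
RESP_RE = re.compile(r"send response: ((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_trace(text: str) -> List[Dict[str, object]]:
    """Pair each 'recv APDU' line with the 'send response' that follows it."""
    exchanges: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()  # drop mail quote markers and the vscclient prompt
        m = APDU_RE.search(line)
        if m:
            current = {"apdu": bytes.fromhex(m.group(1).replace(" ", "")), "sw": None, "data": b""}
            exchanges.append(current)
            continue
        m = RESP_RE.search(line)
        if m and current is not None and current["sw"] is None:
            resp = bytes.fromhex(m.group(1).replace(" ", ""))
            current["sw"] = (resp[-2], resp[-1])  # last two bytes are SW1 SW2
            current["data"] = resp[:-2]
    return exchanges


def decode_apdu(apdu: bytes) -> Dict[str, object]:
    """Split a short command APDU into CLA/INS/P1/P2, data and Le, and describe what it asks for."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if not body:                      # case 1: no data field, no Le
        data, le = b"", None
    elif len(body) == 1:              # case 2: Le only
        data, le = b"", body[0]
    else:                             # case 3/4: Lc, data, optional Le
        lc = body[0]
        data = bytes(body[1:1 + lc])
        le = body[1 + lc] if len(body) > 1 + lc else None
    desc = INS_NAMES.get(ins, f"INS {ins:02X}")
    if ins == 0xA4:
        desc += " " + SELECT_P1.get(p1, f"P1={p1:02X}")
        name = data.hex().upper()
        for known, label in KNOWN_NAMES.items():
            if name and known.startswith(name):
                desc += f" -> {label}"
                break
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le, "description": desc}


def explain_sw(sw: Optional[Tuple[int, int]]) -> str:
    """Translate SW1 SW2 into words."""
    if sw is None:
        return "no response recorded"
    if sw == (0x90, 0x00):
        return "OK"
    if sw[0] == 0x61:
        return f"OK, {sw[1]} response bytes available (GET RESPONSE)"
    return STATUS_WORDS.get(sw, f"SW {sw[0]:02X}{sw[1]:02X} (see ISO 7816-4 status words)")


def summarize(trace: str) -> List[str]:
    return [f"{ex['apdu'].hex(' ').upper():<44} {decode_apdu(ex['apdu'])['description']:<58} -> "
            f"{explain_sw(ex['sw'])}" for ex in parse_trace(trace)]


def count_failed(trace: str) -> int:
    """Number of commands the card did not answer with 90 00."""
    return sum(1 for ex in parse_trace(trace) if ex["sw"] != (0x90, 0x00))


if __name__ == "__main__":
    for row in summarize(SAMPLE_TRACE):
        print(row)
    print(f"{count_failed(SAMPLE_TRACE)} of {len(parse_trace(SAMPLE_TRACE))} commands were refused")
```

Paste any other vscclient debug output in place of `SAMPLE_TRACE` (quote markers are stripped, so it can be copied straight out of a mail) and the same three functions apply.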
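Alon's bottom line for the spicec path is that NSS must be able to see the reader and the card as the user running spicec, and Bob's answer shows the `modutil -list` output that proves it. As an added example (not from the thread, from NSS or from the Spice project), here is a Python checker that parses that output (Bob's listing is embedded as the sample input) into modules, slots and tokens, and then classifies the state of a given middleware module: missing from the database, not loaded, loaded without a reader, reader present but no card, or card present. In Bob's listing the CoolKey module is loaded with one slot and an empty `token:` line, which the checker reports as "no-card". The module name to look for is a parameter; `coolkey` is used here only because it is the module in Bob's output.

```python
"""Parse `modutil -list -dbdir sql:/etc/pki/nssdb` output and classify smart card visibility."""
import re
from typing import Dict, List, Tuple

# Listing copied from Bob's mail above (sample input for this example).
SAMPLE_MODUTIL = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
        slots: 3 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

         slot: NSS Application Slot 00000004
        token: NSS user database

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
        slots: 1 slot attached
        status: loaded

         slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
        token:

  3. Built-ins
        library name: /usr/lib64/__libnssckbi.so
        slots: There are no slots attached to this module
        status: Not loaded
-----------------------------------------------------------
"""

MODULE_RE = re.compile(r"^(\d+)\.\s+(.*\S)$")  # "  2. CoolKey PKCS #11 Module"


def parse_modutil_list(text: str) -> List[Dict[str, object]]:
    """Turn the indented modutil listing into a list of module dicts with their slots."""
    modules: List[Dict[str, object]] = []
    cur = None
    slot = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MODULE_RE.match(line)
        if m:
            cur = {"name": m.group(2), "library": None, "status": None, "slots": []}
            modules.append(cur)
            slot = None
            continue
        if cur is None:
            continue
        if line.startswith("library name:"):
            cur["library"] = line.split(":", 1)[1].strip()
        elif line.startswith("status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("slot:"):            # note: "slots:" (count line) does not match this prefix
            slot = {"slot": line.split(":", 1)[1].strip(), "token": None}
            cur["slots"].append(slot)
        elif line.startswith("token:") and slot is not None:
            token = line.split(":", 1)[1].strip()
            slot["token"] = token or None         # empty "token:" means reader present, no card
    return modules


def smartcard_readiness(modules: List[Dict[str, object]], module_hint: str = "coolkey") -> Tuple[str, str]:
    """Classify what NSS can see through the middleware module whose name or library contains module_hint."""
    for mod in modules:
        haystack = f"{mod['name']} {mod['library'] or ''}".lower()
        if module_hint.lower() not in haystack:
            continue
        if (mod["status"] or "").lower() != "loaded":
            return "module-not-loaded", f"{mod['name']}: status is '{mod['status']}'"
        if not mod["slots"]:
            return "no-reader", f"{mod['name']}: loaded but no slot (reader) attached"
        for s in mod["slots"]:
            if s["token"]:
                return "card-present", f"token '{s['token']}' in slot '{s['slot']}'"
        readers = ", ".join(str(s["slot"]) for s in mod["slots"])
        return "no-card", f"reader(s) present but no token: {readers}"
    return "module-missing", f"no PKCS #11 module matching '{module_hint}' in this NSS database"


if __name__ == "__main__":
    mods = parse_modutil_list(SAMPLE_MODUTIL)
    for mod in mods:
        print(mod["name"], mod["status"], [s["token"] for s in mod["slots"]])
    print(smartcard_readiness(mods, "coolkey"))
```

Because the classification is done as the user who will run spicec, feeding it the output of `modutil -list -dbdir sql:/etc/pki/nssdb` from that account is exactly the "can NSS see the device as a regular user" check Alon asks for; a "module-missing" result is the case William hit before adding the AET library with `modutil -add`.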