----- Original Message -----
> On 03/01/2011 09:30 PM, william wrote:
> > On 03/01/2011 07:21 PM, Alon Levy wrote:
> >>> On 03/01/2011 10:00 AM, william wrote:
> >>>> On 03/01/2011 08:13 AM, william wrote:
> >>>>> On 03/01/2011 12:23 AM, Robert Relyea wrote:
> >>>>>> On 02/28/2011 08:34 AM, william wrote:
> >>>>>>> On 02/26/2011 08:49 PM, Alon Levy wrote:
> >>>>>>>> On Fri, Feb 25, 2011 at 12:06:33PM +0100, william wrote:
> >>>>>>>>> On 02/24/2011 08:10 PM, Alon Levy wrote:
> >>>>>>>>>> On Thu, Feb 24, 2011 at 05:46:33PM +0100, william wrote:
> >>>>>>>>>>> On 02/24/2011 05:09 PM, Alon Levy wrote:
> >>>>>>>>>>>> On Thu, Feb 24, 2011 at 04:28:13PM +0100, william wrote:
> >>>>>>>>>>>>> On 02/24/2011 12:09 PM, Alon Levy wrote:
> >>>>>>>>>>>>>> On Thu, Feb 24, 2011 at 10:17:21AM +0100, k...@cobradevil.org wrote:
> >>>>>>>>>>>>>>> Dear list,
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> i have tried to get smartcard support running but i'm a bit lost :) probably because it's not finished yet.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> we have smartcards with certificates like us dod and i would like to use those from a client on a remote server for authentication and such. I have followed the build instructions: http://spice-space.org/page/Building_Instructions on a ubuntu system and have managed to get those compiled.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> But when i try to start a vm with smartcard passthrough it asks me to give a driver name?
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -vga qxl -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> do_spice_init: starting 0.6.3
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
> >>>>>>>>>>>>>>> red_worker_main: begin
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
> >>>>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
> >>>>>>>>>>>>>>> qemu-system-x86_64: -device ccid-card-passthru,chardev=ccid: Parameter 'driver' expects a driver name
> >>>>>>>>>>>>>>> Try with argument '?' for a list.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Am i starting the vm the right way or am i missing something?
> >>>>>>>>>>>>>> You are doing the right steps with the wrong qemu. To be explicit: qemu hasn't accepted the patches for the smartcard devices yet, so I don't know where you got the qemu executable but unless you built it by hand and applied the patches on the list, or easier used the pull url I provide in the patches I sent (like v20 git://anongit.freedesktop.org/~alon/qemu usb_ccid.v20) you won't have them.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Alon
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>> Sorry for the priv mail :(
> >>>>>>>>>>>>> i can start the vm now with the usb_ccid.v19 git 20 gives me compile errors
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> ./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512 -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
> >>>>>>>>>>>>> do_spice_init: starting 0.7.3
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_KEYBOARD
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_MOUSE
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_RECORD
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_PLAYBACK
> >>>>>>>>>>>>> spice_server_add_interface: SPICE_INTERFACE_QXL
> >>>>>>>>>>>>> red_worker_main: begin
> >>>>>>>>>>>>> handle_dev_input: start
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I also installed spice 0.7.3
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> When starting the spicec client i can connect but how can i share say a local device now through spicec to the guest? On the local client i can run pcsc_scan and it returns my reader and detects my card, would that also be possible on the guest?
> >>>>>>>>>>>>>
> >>>>>>>>>>>> about v20 if you can run make V=1 and post the output?
> >>>>>>>>>>> Nah forget this
> >>>>>>>>>>> i did not switch to v20 that was the problem.
> >>>>>>>>>> I still don't understand, but it would be nice if you could do your tests with the last version, v20, even if the changes are just cosmetic.
> >>>>>>>>>>
> >>>>>>>>>>>> about the rest, yes, the guest should show the card too using pcsc_scan.
> >>>>>>>>>>>>
> >>>>>>>>>>>> you shouldn't need to be root on the client, but possibly it will work then - could you try that? in that case I don't remember exactly what the solution was :( but there is one!
> >>>>>>>>>>> ok here is what i see now
> >>>>>>>>>>>
> >>>>>>>>>>> - on my local system i have:
> >>>>>>>>>>> #lsusb
> >>>>>>>>>>> Bus 007 Device 008: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader
> >>>>>>>>>>> #pcsc_scan
> >>>>>>>>>>> PC/SC device scanner
> >>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rouss...@free.fr>
> >>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
> >>>>>>>>>>> Scanning present readers...
> >>>>>>>>>>> 0: SCM SCR 355 00 00
> >>>>>>>>>>>
> >>>>>>>>>>> Thu Feb 24 17:36:04 2011
> >>>>>>>>>>> Reader 0: SCM SCR 355 00 00
> >>>>>>>>>>> Card state: Card inserted,
> >>>>>>>>>>> ATR: 3B F9 18 00 00 81 31 FE 45xxxxxxxxxxx
> >>>>>>>>>>>
> >>>>>>>>>>> - Now when i start qemu like the following
> >>>>>>>>>>> #./x86_64-softmmu/qemu-system-x86_64 -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -drive file=/var/lib/libvirt/images/test.img,if=ide -soundhw ac97 -L pc-bios -nographic -spice port=5930,disable-ticketing -usbdevice tablet -enable-kvm -m 512 -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:f4:f5:0b -net user
> >>>>>>>>>>>
> >>>>>>>>>>> - i see this in my vm after starting spicec with the following options
> >>>>>>>>>>> #spicec -h localhost -p 5930
> >>>>>>>>>>> #lsusb
> >>>>>>>>>>> Bus 001 Device 004: ID 08e6:4433 Gemplus GemPC433-Swap
> >>>>>>>>>>> #pcsc_scan
> >>>>>>>>>>> PC/SC device scanner
> >>>>>>>>>>> V 1.4.16 (c) 2001-2009, Ludovic Rousseau<ludovic.rouss...@free.fr>
> >>>>>>>>>>> Compiled with PC/SC lite version: 1.5.3
> >>>>>>>>>>> Scanning present readers...
> >>>>>>>>>>> 0: Gemplus GemPC4433 SL (1) 00 00
> >>>>>>>>>>>
> >>>>>>>>>>> Thu Feb 24 17:42:05 2011
> >>>>>>>>>>> Reader 0: Gemplus GemPC4433 SL (1) 00 00
> >>>>>>>>>>> Card state: Card removed,
> >>>>>>>>>>>
> >>>>>>>>>>> After removing the device from my local machine and starting the vm again with the above options it still shows me the gemplus smartcard reader
> >>>>>>>>>>>
> >>>>>>>>>>> Any hints from here?
> >>>>>>>>>>>
> >>>>>>>>>> Yes.
> >>>>>>>>>> It looks like the guest sees the ccid device (that's the Gemplus, you can see it's qemu if you do lsusb), but no card. The reason for the latter is that spicec didn't see any card. That's why I suggested trying to run spicec as root - the bottom line is that you need to make sure NSS can see the device as a regular user. I'll try to supply better instructions later.
> >>>>>>>>> Well i managed to get something working but i'm not sure if that's the way to go.
> >>>>>>>>>
> >>>>>>>>> When i start the vm with the ccid passthrough i receive a device gemplus.
> >>>>>>>>>
> >>>>>>>>> When starting spicec with --smartcard after adding the aet
> >>>>>>>> oops, forgot you needed that.
> >>>>>>>>
> >>>>>>>>> middleware libs to the nss database with the following command:
> >>>>>>>>> modutil -dbdir sql:/etc/pki/nssdb/ -add "Aet" -libfile /usr/lib/libaetpkss.so.3.0
> >>>>>>>>> then start spicec with --smartcard my reader begins blinking so something is read from the token but then in the vm i got nothing when using pcsc_scan perhaps it has to do something with the following error on the start of spicec: Warning: VSC Error: reader -1, code 32684
> >>>>>>>>>
> >>>>>>>> So using "spicec --smartcard" (spicec for short) you can't do pcsc_scan and see a card in the vm?
> >>>>>>>>
> >>>>>>>>> Anyway i also got the idea that using the vscclient would be possible so i gave that a try
> >>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
> >>>>>>>>> it takes some time but then i can do list and it shows me that my smartcard is active and has a card in it
> >>>>>>>>> but in the vm nogo
> >>>>>>>>>
> >>>>>>>>> vscclient -e use_hw=yes 127.0.0.1 2001
> >>>>>>>>>> list
> >>>>>>>>> Active Readers:
> >>>>>>>>> 0 CARD_PRESENT SCM SCR 355 00 00
> >>>>>>>>> 0 UNAVAILABLE 1
> >>>>>>>>> 0 UNAVAILABLE 2
> >>>>>>>>> 0 UNAVAILABLE 3
> >>>>>>>>> 0 UNAVAILABLE 4
> >>>>>>>>> Inactive Readers:
> >>>>>>>>>> debug 1
> >>>>>>>>> debug level = 1
> >>>>>>>>>> Header: type=7, reader_id=0 length=5 (0x5)
> >>>>>>>>> recv APDU: 00 CA DF 30 05
> >>>>>>>>> send response: 69 00
> >>>>>>>>> Header: type=7, reader_id=0 length=10 (0xa)
> >>>>>>>>> recv APDU: 00 A4 04 00 05 A0 00 00 00 01
> >>>>>>>>> send response: 6A 82
> >>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
> >>>>>>>>> recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
> >>>>>>>>> send response: 6A 82
> >>>>>>>>> Header: type=7, reader_id=0 length=14 (0xe)
> >>>>>>>>> recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
> >>>>>>>>> send response: 6A 82
> >>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
> >>>>>>>>> recv APDU: 00 A4 08 00 02 2F 00
> >>>>>>>>> send response: 6A 81
> >>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
> >>>>>>>>> recv APDU: 00 A4 08 00 02 50 15
> >>>>>>>>> send response: 6A 81
> >>>>>>>>> Header: type=7, reader_id=0 length=7 (0x7)
> >>>>>>>>> recv APDU: 00 A4 08 00 02 50 15
> >>>>>>>>> send response: 6A 81
> >>>>>>>>>
> >>>>>>>>> so it kinda works except that it does not see the right card it also shows me the wrong atr.
> >>>>>>>> The ATR isn't wrong, it's just not the card's ATR.
> >>>>>>>> The architecture is like this:
> >>>>>>>>
> >>>>>>>> real card - real reader - pcscd - spicec (via nss) - simulated card<-protocol->
> >>>>>>>> emulated ccid device - |(in vm) pcscd - pcsc_scan (or any other client)
> >>>>>>>>
> >>>>>>>> When using vscclient it's exactly the same, difference is just that it goes via a TCP socket directly instead of in a spice channel.
> >>>>>>>>
> >>>>>>>> So the ATR you see in the vm is by the simulated card (libcacard).
> >>>>>>>>
> >>>>>>>> But you should definitely see a card with spicec as well.
> >>>>>>>>
> >>>>>>>>> I also need the middleware library in the vm else it does not work at all.
> >>>>>>>>>
> >>>>>>>>> Any ideas?
> >>>>>>>> Nothing really. I'll try to take a look at the APDU's later (I'm not really an expert on them) - can you try using the certificates backed card just to make sure everything except the hardware is working correctly? (i.e. vm stack is fine, spicec version and libspiceserver and qemu versions work fine). The instructions are in qemu doc/ccid.txt I think. (http://patchwork.ozlabs.org/patch/84129/ is the patch with the file).
> >>>>>>>>
> >>>>>>> I'm not getting any further.
> >>>>>>>
> >>>>>>> I will explain below the steps i took to get things (almost:) running
> >>>>>>>
> >>>>>>> Download all deps:
> >>>>>>> git clone git://anongit.freedesktop.org/~alon/qemu
> >>>>>>> git checkout -b usb_ccid.v20 origin/usb_ccid.v20
> >>>>>>> wget http://cgit.freedesktop.org/~alon/libcacard/snapshot/libcacard-0.1.2.tar.gz
> >>>>>>> wget http://spice-space.org/download/releases/spice-0.7.3.tar.bz2
> >>>>>>> wget http://spice-space.org/download/releases/spice-protocol-0.7.1.tar.bz2
> >>>>>>>
> >>>>>>> install libcacard
> >>>>>>> install spice protocol
> >>>>>>> install spice client and server with the configure option --enable-smartcard
> >>>>>>> install qemu with configure option --enable-smartcard --enable-spice
> >>>>>>>
> >>>>>>> import certificates into nss database
> >>>>>>> mkdir -p /etc/pki/nssdb
> >>>>>>> certutil -N -d /etc/pki/nssdb
> >>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1
> >>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert2" -n cert2
> >>>>>>> certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert3" -n cert3
> >>>>>>>
> >>>>>>> certutil -L -d /etc/pki/nssdb
> >>>>>>> cert3 CTu,Cu,Cu
> >>>>>>> cert1 CTu,Cu,Cu
> >>>>>>> cert2 CTu,Cu,Cu
> >>>>>>>
> >>>>>>> start vm with the following options
> >>>>>>> -spice addr=127.0.0.1,port=5930,disable-ticketing -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3
> >>>>>>>
> >>>>>>> start spicec -h localhost -p 5930
> >>>>>>> after boot i have gemplus ccid reader and pcsc_scan tells me that i have a reader
> >>>>>>>
> >>>>>>> But how can i show the certificates cert1,2,3 in the vm with certutil?
> >>>>>> You need to start certutil with a database which points to the smart card.
> >>>>>> If you install libcoolkey, I believe /etc/pki/nssdb should already be set up...
> >>>>>>
> >>>>>> Here's what mine looks like:
> >>>>>>
> >>>>>> bobs-laptop(51) modutil -list -dbdir sql:/etc/pki/nssdb
> >>>>>>
> >>>>>> Listing of PKCS #11 Modules
> >>>>>> -----------------------------------------------------------
> >>>>>> 1. NSS Internal Crypto Services
> >>>>>> slots: 3 slots attached
> >>>>>> status: loaded
> >>>>>>
> >>>>>> slot: NSS Internal Cryptographic Services
> >>>>>> token: NSS Generic Crypto Services
> >>>>>>
> >>>>>> slot: NSS User Private Key and Certificate Services
> >>>>>> token: NSS Certificate DB
> >>>>>>
> >>>>>> slot: NSS Application Slot 00000004
> >>>>>> token: NSS user database
> >>>>>>
> >>>>>> 2. CoolKey PKCS #11 Module
> >>>>>> library name: libcoolkeypk11.so
> >>>>>> slots: 1 slot attached
> >>>>>> status: loaded
> >>>>>>
> >>>>>> slot: SCM SCR 3310 [CCID Interface] (21120504104040) 00 00
> >>>>>> token:
> >>>>>>
> >>>>>> 3. Built-ins
> >>>>>> library name: /usr/lib64/__libnssckbi.so
> >>>>>> slots: There are no slots attached to this module
> >>>>>> status: Not loaded
> >>>>>> -----------------------------------------------------------
> >>>>>> bobs-laptop(52)
> >>>>>>
> >>>>>> The important one here is #2 ("Coolkey PKCS #11 Module").
> >>>>>>
> >>>>>> Once you have that you should be able to run
> >>>>>>
> >>>>>> certutil -L -h all -d sql:/etc/pki/nssdb
> >>>>>>
> >>>>>> to list all the certs on your card.
> >>>>>>
> >>>>>> bob
> >>>>> Ok i have that in my local system where i use the aet middleware.
> >>>>> Then doing the certutil -L -d sql:/etc/pki/nssdb -h all i get the certificates after entering the pin.
> >>>>>
> >>>>> But how are those visible within the vm with the virtual smartcard reader ?
> >>>>> When i use the same middleware library it tells me that i have the wrong smartcard. So i guess i need something like the coolkey or aet in the vm but then for the virtual smartcard?
> >>>>>
> >>>>> With kind regards
> >>>>>
> >>>>> William
> >>>>>
> >>>> some more info
> >>>>
> >>>> On my laptop my list looks like:
> >>>> Listing of PKCS #11 Modules
> >>>> -----------------------------------------------------------
> >>>> 1. NSS Internal PKCS #11 Module
> >>>> slots: 2 slots attached
> >>>> status: loaded
> >>>>
> >>>> slot: NSS Internal Cryptographic Services
> >>>> token: NSS Generic Crypto Services
> >>>>
> >>>> slot: NSS User Private Key and Certificate Services
> >>>> token: NSS Certificate DB
> >>>>
> >>>> 2. Root Certs
> >>>> library name: /etc/pki/nssdb/libnssckbi.so
> >>>> slots: 1 slot attached
> >>>> status: loaded
> >>>>
> >>>> slot: NSS Builtin Objects
> >>>> token: Builtin Object Token
> >>>>
> >>>> 3. Aet1
> >>>> library name: /usr/lib/libaetpkss.so.3.0
> >>>> slots: 5 slots attached
> >>>> status: loaded
> >>>>
> >>>> slot: SCM SCR 355 00 00
> >>>> token: smartcard
> >>>>
> >>>> slot: UNAVAILABLE 1
> >>>> token:
> >>>>
> >>>> slot: UNAVAILABLE 2
> >>>> token:
> >>>>
> >>>> slot: UNAVAILABLE 3
> >>>> token:
> >>>>
> >>>> slot: UNAVAILABLE 4
> >>>> token:
> >>>> -----------------------------------------------------------
> >>>>
> >>>> on the vm i only have 1 and 2 like above and number 3 i can add but then it says token not recognized.
> >>>>
> >>>> But when i try Alon his option to create the 3 certs manually and use those when starting the vm i also can't show them?
> >>>> so do i need to add like libcacard.so as a middleware lib or something in the vm?
> >>>>
> >>> Ok finally it works :)
> >>>
> >> m'glad.
> >>
> >>> i had to install the coolkey (thanks Robert) libs and add those to the nss database.
> >>> i was looking for something like that, I just did not understand that I had to install the coolkey in the vm.
> >>>
> >>> so for my understanding the libcacard virtual smartcard is based on coolkey?
> >>>
> >> There is no library dependency, libcacard is linked to nss only (and that's also something that will be made optional if we make a windows scard backend for instance, or a testing backend).
> >>
> >>> So now i have that working with vscclient and not with spicec.
> >>> Spicec uses the /etc/pki/nssdb file and my smartcard starts to blink but it cannot use the smartcard in the vm.
> >>> pcsc_scan also tells me that it has no smartcard.
> >>>
> >> Did you try spicec with certificates? did that work? it sounds like just different db being used by spicec - it's basically the exact same codepath as vscclient (different code, so bug possible/expected of course, but it worked for me ;)
> > Well i have tried spicec to start with the certificates cert1 cert2 and 3 like starting qemu but that's not working
> > can you give me an example how to do that (create the certs and how to pass them using spicec)?
> >
> > not getting it entirely :)
> > vscclient -d 1 127.0.0.1 -e "use_hw=yes" 2001
> > only works when using the libaetpkss.so driver in the nssdb
> >
> > when i start vscclient use_hw=no it does not work and it also does not work when using use_hw=yes and i removed the library from the nssdb.
> > So it seems to really use the aet middleware and the nssdb.
> >
> > spicec --smartcard reads my smartcard so i guess that should also work but something is going wrong when passing that to the spiced vm (does the spice-0.7.3 package from the website contains the necessary patches?)
> >
> > Do i need to start qemu with a different device when using spicec --smartcard?
>
> Answering myself :)
>
> -chardev spicevmc,server,host=127.0.0.1,name=smartcard,id=ccid -device usb-ccid -device ccid-card-passthru,chardev=ccid -usb
> not sure if that's completely right but it works.
>
That's exactly right. Never tried to put the -usb last, I thought qemu builds the devices by order of command line arguments, maybe it checks for -usb first? (it does do a number of passes over the command line arguments).

Anyway I'm glad it's finally working with spicec! is this with real hardware/certs?

> going to bed now will celebrate tomorrow and write some documentation :)
>
> > With kind regards
> >
> > William
> >
> >>> This is when starting the vm with:
> >>> -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -device usb-ccid -device ccid-card-passthru,chardev=ccid -usb
> >>>
> >>> This works with vscclient but spicec just gives an error and no smartcard.
> >>>
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8657] SmartCardChannel::add_unallocated_reader: adding unallocated reader 0x914c510
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_CARD_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 INFO [8657:8679] SmartCardChannel::cac_card_events_thread_main: VEVENT_READER_INSERT
> >>> 1299000951 WARN [8657:8657] SmartCardChannel::handle_reader_add_response: VSC Error: reader -1, code 32511
> >>>
> >>>> With kind regards
> >>>>
> >>>> William
> >>>>>
> >>>>>>>>> With kind regards
> >>>>>>>>>
> >>>>>>>>> William
> >>>>>>>>>>> With kind regards
> >>>>>>>>>>>
> >>>>>>>>>>> William van de Velde
> >>>>>>>>>>>
> >>>>>>>>>>>>> With kind regards
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> William
_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel
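
The APDU exchanges in the vscclient debug output quoted in this thread can be decoded mechanically. The Python below is an added example, not code from the thread or from the QEMU/SPICE projects; `parse_command` and `decode_trace` are hypothetical names, and the sample trace holds the distinct exchanges copied from the quoted output. Decoding it shows that every probe sent from the guest was answered by the simulated card with an error status word.

```python
import re

# ISO/IEC 7816-4 names for the instruction bytes, SELECT modes and status
# words that occur in the trace (not a complete table).
INS_NAMES = {0xA4: "SELECT", 0xCA: "GET DATA"}
SELECT_P1 = {0x04: "by DF name (AID)", 0x08: "by path from MF"}
SW_NAMES = {
    0x9000: "success",
    0x6900: "command not allowed",
    0x6A81: "function not supported",
    0x6A82: "file or application not found",
}

# Sample input: the distinct exchanges from the debug output quoted above.
SAMPLE_TRACE = """\
Header: type=7, reader_id=0 length=5 (0x5)
recv APDU: 00 CA DF 30 05
send response: 69 00
Header: type=7, reader_id=0 length=10 (0xa)
recv APDU: 00 A4 04 00 05 A0 00 00 00 01
send response: 6A 82
Header: type=7, reader_id=0 length=14 (0xe)
recv APDU: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00
send response: 6A 82
Header: type=7, reader_id=0 length=7 (0x7)
recv APDU: 00 A4 08 00 02 2F 00
send response: 6A 81
Header: type=7, reader_id=0 length=7 (0x7)
recv APDU: 00 A4 08 00 02 50 15
send response: 6A 81
"""

HEADER_RE = re.compile(r"Header: type=\d+, reader_id=(\d+) length=(\d+)")


def parse_command(apdu):
    """Split a short command APDU into header, data field and Le."""
    if len(apdu) < 4:
        raise ValueError("command APDU is shorter than CLA INS P1 P2")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                      # case 2: Le only (0 means 256)
        le = body[0] or 256
    elif body:                              # case 3 or 4: Lc, data[, Le]
        lc = body[0]
        if len(body) == 1 + lc:
            data = body[1:]
        elif len(body) == 2 + lc:
            data, le = body[1:-1], body[-1] or 256
        else:
            raise ValueError(f"Lc={lc} does not match the bytes that follow")
    name = INS_NAMES.get(ins, f"INS {ins:02X}")
    if ins == 0xA4:
        name += " " + SELECT_P1.get(p1, f"P1={p1:02X}")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "name": name,
            "data": data.hex(" ").upper(), "le": le}


def decode_trace(text):
    """Pair each 'recv APDU' line with the 'send response' that follows it."""
    exchanges, declared, pending = [], None, None
    for line in text.splitlines():
        line = line.strip().lstrip("> ")    # tolerate quoted e-mail prefixes
        match = HEADER_RE.match(line)
        if match:
            declared = int(match.group(2))  # length announced in the header
        elif line.startswith("recv APDU:"):
            raw = bytes.fromhex(line.split(":", 1)[1])
            if declared is not None and declared != len(raw):
                raise ValueError(f"header says {declared} bytes, got {len(raw)}")
            pending = parse_command(raw)
        elif line.startswith("send response:") and pending:
            resp = bytes.fromhex(line.split(":", 1)[1])
            sw = int.from_bytes(resp[-2:], "big")   # SW1 SW2 are the last two
            pending.update(sw=sw, ok=(sw == 0x9000),
                           status=SW_NAMES.get(sw, "unknown status word"))
            exchanges.append(pending)
            declared = pending = None
    return exchanges
```
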
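
The thread ends with two ways of backing `ccid-card-passthru`: a TCP `socket` chardev (reached with vscclient) and a `spicevmc` chardev (reached with `spicec --smartcard`). The following Python check is an added example, not part of the original messages or of QEMU; `audit_smartcard_args` is a hypothetical helper and both command lines are assembled from option fragments quoted in the thread. It reports which client can attach and which listeners the options leave open.

```python
import shlex

# Constructed from the option fragments quoted in the thread.
TCP_CMD = ("qemu-system-x86_64 -spice port=5930,disable-ticketing "
           "-chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait "
           "-device usb-ccid -device ccid-card-passthru,chardev=ccid -usb")
SPICE_CMD = ("qemu-system-x86_64 "
             "-spice addr=127.0.0.1,port=5930,disable-ticketing "
             "-chardev spicevmc,server,host=127.0.0.1,name=smartcard,id=ccid "
             "-device usb-ccid -device ccid-card-passthru,chardev=ccid -usb")


def parse_opts(value):
    """Turn 'kind,key=val,flag' into a dict; a bare first item is the kind."""
    opts = {}
    for index, item in enumerate(value.split(",")):
        key, eq, val = item.partition("=")
        if index == 0 and not eq:
            opts["kind"] = key
        else:
            opts[key] = val if eq else True
    return opts


def audit_smartcard_args(cmdline):
    """Report how the passthru card is reached and which listeners are open."""
    argv = shlex.split(cmdline)
    chardevs, cards, spice = {}, [], None
    for flag, value in zip(argv, argv[1:]):
        opts = parse_opts(value)
        if flag == "-chardev":
            chardevs[opts.get("id")] = opts
        elif flag == "-device" and opts.get("kind") == "ccid-card-passthru":
            cards.append(opts)
        elif flag == "-spice":
            spice = opts
    report = {"clients": [], "findings": []}
    for card in cards:
        backend = chardevs.get(card.get("chardev"))
        if backend is None:
            report["findings"].append(
                "passthru card references an undefined chardev")
        elif backend.get("kind") == "socket":
            # A listening socket chardev without host= binds to 0.0.0.0.
            host, port = backend.get("host", "0.0.0.0"), backend.get("port")
            report["clients"].append(f"vscclient over TCP port {port}")
            if host in ("0.0.0.0", "::", ""):
                report["findings"].append(
                    f"card channel listens on every interface (tcp port {port})")
        elif backend.get("kind") == "spicevmc":
            report["clients"].append("spicec --smartcard")
            if spice is None:
                report["findings"].append(
                    "spicevmc chardev but no -spice server")
    if spice and spice.get("disable-ticketing"):
        report["findings"].append(
            "SPICE server accepts clients without a ticket")
    return report
```
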