docs/ccid.txt @ e44089c7 (annotated lines from commit 1056c02b, author Alon Levy)
Qemu CCID Device Documentation.

Contents
1. USB CCID device
2. Building
3. Using ccid-card-emulated with hardware
4. Using ccid-card-emulated with certificates
5. Using ccid-card-passthru with client side hardware
6. Using ccid-card-passthru with client side certificates
7. Passthrough protocol scenario
8. libcacard

1. USB CCID device

The USB CCID device is a USB device implementing the CCID specification, which
lets one connect smart card readers that implement the same spec. For more
information see the specification:

    Universal Serial Bus
    Device Class: Smart Card
    CCID
    Specification for
    Integrated Circuit(s) Cards Interface Devices
    Revision 1.1
    April 22nd, 2005

Smart cards are used for authentication, single sign-on, decryption in
public/private key schemes and digital signatures. A smart card reader on the
client cannot be used on a guest with simple USB passthrough, since it would
then no longer be available on the client, possibly locking the client machine
when the card is "removed". This device, on the other hand, lets you use the
smart card on both the client and the guest machine. It is also possible to
have a completely virtual smart card reader and smart card (i.e. not backed by
a physical device) using this device.

2. Building

The cryptographic functions and access to the physical card are done via NSS.

Installing NSS:

In redhat/fedora:
    yum install nss-devel
In ubuntu/debian:
    apt-get install libnss3-dev
    (not tested on ubuntu)

Configuring and building:
    ./configure --enable-smartcard && make

3. Using ccid-card-emulated with hardware

Assuming you have a working smart card on the host with the current user,
using NSS, qemu acts as another NSS client using ccid-card-emulated:

    qemu -usb -device usb-ccid -device ccid-card-emulated

4. Using ccid-card-emulated with certificates

You must create the certificates. This is a one time process. We use NSS
certificates:

    certutil -d /etc/pki/nssdb -x -t "CT,CT,CT" -S -s "CN=cert1" -n cert1

Note: you must have exactly three certificates. Repeat the command for cert2
and cert3 (changing both -s and -n); the certificates backend needs all three
of cert1, cert2 and cert3 to be given.

Assuming the current user can access the certificates (use
certutil -L -d /etc/pki/nssdb to verify that all three nicknames are listed),
you can use the emulated card type with the certificates backend:

    qemu -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,cert1=cert1,cert2=cert2,cert3=cert3

5. Using ccid-card-passthru with client side hardware

On the host specify the ccid-card-passthru device with a suitable chardev:

    qemu -chardev socket,server,host=0.0.0.0,port=2001,id=ccid,nowait -usb -device usb-ccid -device ccid-card-passthru,chardev=ccid

Note that the chardev socket carries the passthrough protocol without any
authentication or encryption: with host=0.0.0.0 any machine that can reach
port 2001 can connect as the "client", present a card of its choosing to the
guest, and read every APDU the guest sends (PIN verification included). Bind
to a loopback or otherwise trusted address, and tunnel the connection (for
example over SSH) when the client is not on the same host.

On the client run vscclient, built when you built the libcacard library:

    libcacard/vscclient <qemu-host> 2001

6. Using ccid-card-passthru with client side certificates

Run qemu as per #5, and run vscclient as follows:
(Note: the vscclient command line interface is in a state of change)

    libcacard/vscclient -e "db=\"/etc/pki/nssdb\" use_hw=no soft=(,Test,CAC,,cert1,cert2,cert3)" <qemu-host> 2001

7. Passthrough protocol scenario

This is a typical interchange of messages when using the passthru card device.
usb-ccid is a USB device. It defaults to an unattached USB device on startup.
ccid-card-passthru, plugged into usb-ccid, expects a chardev and expects the
protocol defined in cac_card/vscard_common.h to be passed over it.
The usb-ccid device can be in one of three modes:
 * detached
 * attached with no card
 * attached with card

A typical interchange is: (the arrow shows who started each exchange; it can be
client originated or guest originated)

client event      |      vscclient       |    passthru    | usb-ccid |  guest event
----------------------------------------------------------------------------------------------
                  | VSC_Init             |                |          |
                  | VSC_ReaderAdd        |                |  attach  |
                  |                      |                |          | sees new usb device.
card inserted ->  |                      |                |          |
                  | VSC_ATR              |   insert       |  insert  | sees new card
                  |                      |                |          |
                  | VSC_APDU             |   VSC_APDU     |          | <- guest sends APDU
client<->physical |                      |                |          |
card APDU exchange|                      |                |          |
client response ->| VSC_APDU             |   VSC_APDU     |          | receive APDU response
                  ...
                  [APDU<->APDU repeats several times]
                  ...
card removed ->   |                      |                |          |
                  | VSC_CardRemove       |   remove       |  remove  | card removed
                  ...
                  [(card insert, apdu's, card remove) repeat]
                  ...
kill/quit         |                      |                |          |
  vscclient       |                      |                |          |
                  | VSC_ReaderRemove     |                |  detach  |
                  |                      |                |          | usb device removed.


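The exchange of section 7 replayed in memory, as an added example written for
this document (it is illustration code, not code from QEMU, libcacard or
vscclient). It frames and parses passthrough messages the way a peer on the
section 5 chardev socket has to, bounding the payload length before the body
is read, and drives the three usb-ccid modes from those messages. Everything
below that this page does not state is an assumption from my reading of
vscard_common.h and must be checked against that header before talking to a
real peer: a 12-byte header of three big-endian uint32 fields (type,
reader_id, payload length); message types numbered from VSC_Init = 1 in
declaration order; a VSC_Init payload of magic, version and capabilities as
three uint32s, with the magic taken here as the bytes "VSCD"; reader id
0xffffffff before a reader is assigned and 0 for the first reader. Host-side
reader id assignment and VSC_Error replies, which the table does not show, are
omitted; the 64 KiB payload cap, the ATR and the SELECT APDU are constructed
for the example.

```python
"""Added example: vscard passthrough framing, parsing and the usb-ccid modes.
Not QEMU/libcacard code; layout assumptions are listed in the lead-in."""
import struct

HEADER = struct.Struct("!III")    # type, reader_id, payload length; network byte order (assumed)
MAX_PAYLOAD = 65536               # assumed cap: bound the length before reading the body

# Message types, assumed to be numbered from 1 in declaration order
(VSC_Init, VSC_Error, VSC_ReaderAdd, VSC_ReaderRemove, VSC_ATR,
 VSC_CardRemove, VSC_APDU, VSC_Flush, VSC_FlushComplete) = range(1, 10)
UNDEFINED_READER_ID = 0xFFFFFFFF  # assumed: reader id before the host assigns one
VSCARD_MAGIC = b"VSCD"            # assumed wire form of the VSC_Init magic


def frame(msg_type, reader_id, payload=b""):
    """Serialise one message: 12-byte header followed by the payload."""
    return HEADER.pack(msg_type, reader_id, len(payload)) + payload


def parse_stream(buf):
    """Split a byte stream into complete (type, reader_id, payload) messages.
    Returns (messages, unread_tail).  The length field is checked before the
    body is touched: the chardev socket of section 5 is unauthenticated, so
    whoever can reach it controls every field."""
    msgs = []
    while len(buf) >= HEADER.size:
        msg_type, reader_id, length = HEADER.unpack_from(buf)
        if length > MAX_PAYLOAD:
            raise ValueError(f"payload length {length} exceeds {MAX_PAYLOAD}")
        end = HEADER.size + length
        if len(buf) < end:
            break                                   # partial message, wait for more bytes
        msgs.append((msg_type, reader_id, bytes(buf[HEADER.size:end])))
        buf = buf[end:]
    return msgs, buf


class UsbCcid:
    """usb-ccid side: the three modes of section 7, driven by client messages."""

    def __init__(self):
        self.mode = "detached"
        self.atr = None
        self.history = []                           # mode after each message

    def handle(self, msg_type, reader_id, payload):
        if msg_type == VSC_Init:
            magic, _version, _capabilities = struct.unpack("!4sII", payload)
            if magic != VSCARD_MAGIC:
                raise ValueError("VSC_Init: bad magic")
        elif msg_type == VSC_ReaderAdd:             # guest sees a new usb device
            self.mode = "attached, no card"
        elif msg_type == VSC_ATR:                   # card inserted on the client
            if self.mode == "detached":
                raise ValueError("VSC_ATR before VSC_ReaderAdd")
            self.atr, self.mode = payload, "attached with card"
        elif msg_type == VSC_APDU:                  # response to an APDU the guest sent
            if self.mode != "attached with card":
                raise ValueError("APDU response with no card inserted")
        elif msg_type == VSC_CardRemove:
            self.atr, self.mode = None, "attached, no card"
        elif msg_type == VSC_ReaderRemove:          # guest sees the usb device removed
            self.mode = "detached"
        else:
            raise ValueError(f"unexpected message type {msg_type}")
        self.history.append(self.mode)


def client_card_response(apdu):
    """Stand-in for the client's physical card: SELECT gets SW 90 00, else 6D 00."""
    return b"\x90\x00" if apdu[:2] == b"\x00\xa4" else b"\x6d\x00"


def run_scenario():
    """Replay section 7 in memory; return (usb-ccid mode history, last APDU reply)."""
    dev = UsbCcid()
    reader = 0                                      # assumed id of the first reader
    init = struct.pack("!4sII", VSCARD_MAGIC, 0, 0)
    atr = bytes.fromhex("3b7a18000000")             # constructed sample ATR
    stream = (frame(VSC_Init, UNDEFINED_READER_ID, init)
              + frame(VSC_ReaderAdd, UNDEFINED_READER_ID, b"Virtual Reader")
              + frame(VSC_ATR, reader, atr))
    msgs, rest = parse_stream(stream)
    assert rest == b""
    for msg in msgs:
        dev.handle(*msg)
    # guest -> client: a constructed SELECT APDU; client -> guest: the card's reply
    [(_, _, apdu)], _ = parse_stream(frame(VSC_APDU, reader, bytes.fromhex("00a4040000")))
    reply = client_card_response(apdu)
    for msg in (frame(VSC_APDU, reader, reply),
                frame(VSC_CardRemove, reader),
                frame(VSC_ReaderRemove, reader)):
        for parsed in parse_stream(msg)[0]:
            dev.handle(*parsed)
    return dev.history, reply


if __name__ == "__main__":
    for mode in run_scenario()[0]:
        print(mode)
```

parse_stream is the part worth keeping: the length field is the only thing
that tells a receiver how much to read, and on a socket anyone can connect to
it must be bounded and the partial-message case handled before any body bytes
are trusted.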
8. libcacard

ccid-card-passthru and vscclient use libcacard as the card emulator.
libcacard implements a completely virtual CAC (Common Access Card, the DoD
standard for smart cards) compliant card and uses NSS to actually retrieve
certificates and do any encryption using the backend (real reader + card or
file backed certificates).

For documentation of cac_card see the README in the libcacard subdirectory.