Re: [Qemu-devel] Trying to use ccid-card-emulated


From: Patrick Vacek
Subject: Re: [Qemu-devel] Trying to use ccid-card-emulated
Date: Mon, 18 Sep 2017 10:27:53 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1

Hello Marc-André,

Thanks for your message!

On 14.09.2017 00:13, Marc-André Lureau wrote:
> Hi Patrick
>
> On Wed, Sep 6, 2017 at 5:04 PM Patrick Vacek
> <address@hidden>
> wrote:
>
>     Hello,
>
>     I'm trying to emulate a smartcard. I found section 4 of docs/ccid.txt,
>     which appears to do exactly what I'm interested in. However, that
>     document is a few years old and references CoolKey, which at this
>     point
>     seems obsolete, with OpenSC being the preferred successor. I've
>     followed the rest of steps with success, and tried registering OpenSC
>     with NSS (i.e. modutil -dbdir /etc/pki/nssdb -add "CAC Module"
>     -libfile
>     /usr/lib/opensc-pkcs11.so), but I'm still not seeing my three
>     certificates listed on the device as I'd expect.
>
>     I'm using QEMU emulator version 2.8.0(Debian 1:2.8+dfsg-3ubuntu2.3).
>     I've also tried using QEMU emulator version 2.10.0 (built from
>     source),
>     but the interface has changed and the commands from the documentation
>     don't work anymore.
>
>     1. Am I correct to assume that OpenSC is the logical successor to
>     CoolKey, and should I expect a simple substitution such as that to
>     work?
>
>
> That's my understanding too, and it seems Fedora 26 deprecated
> coolkey. However, when I tried opensc a few years ago with qemu/libcacard,
> it didn't work. I haven't looked further since.
>
>     2. Are there other steps I might be overlooking with OpenSC or with
>     getting the certificates recognized on the device?
>
>
> I would first try to get the coolkey module to work, before debugging
> opensc. Ideally get some help from an opensc developer since qemu should
> still work with coolkey.

I haven't had great success with OpenSC yet, so I finally took the time
to write a coolkey recipe for Yocto. The recipe seems to work and
coolkey appears to be installed on my device, but it does not work
entirely as desired. Specifically, when I run `modutil -dbdir
sql:/etc/pki/nssdb -add "CAC Module" -libfile
/usr/lib/pkcs11/libcoolkeypk11.so`, I get this: "ERROR: Failed to add
module "CAC Module". Probable cause : "A PKCS #11 module returned
CKR_GENERAL_ERROR, indicating that an unrecoverable error has
occurred."." That's a pretty vague message and I haven't been able to
find anything further to help guide me to a resolution. Do you have any
ideas?

The one thing that has occurred to me is that nss seems to require a
password for a database before being able to do anything meaningful with
it. When I tried to reproduce the steps of docs/ccid.txt item 4 entirely
locally (but with two separate databases), I had no problem with the
modutil command, but when I tried to import the certificates with
`certutil -A -d sql:./temp/ -i fake-smartcard-ca.cer -t TC,TC,TC -n
fake-smartcard-ca`, I got this: "certutil: could not authenticate to
token NSS Certificate DB.: SEC_ERROR_IO: An I/O error occurred during
security authorization." When I recreated the second database manually
and provided a password, that step worked fine and the output of listing
the certificates worked as expected.

Of course, on the device, I can recreate the database at /etc/pki/nssdb
with a password, but that erases the existing contents, which means the
certificates that were supposed to be initialized on the device wouldn't
be there, so that defeats the whole purpose, right? Is there a way to
specify a password for the nss database when launching qemu? In any
case, that probably won't fix the modutil error, but it's the only
thought I've had so far.

>
>     3. If, as I suspect, that document is no longer up to date, what
>     do the
>     steps currently look like to get smartcard emulation working?
>
>
> They look still pretty ok to me. certutil usage may have changed, but
> qemu & coolkey didn't change I think.
>
> What problems did you have when trying to set up following
> docs/ccid.txt? We may want to update the doc.

In item 2, the necessary nss package on Ubuntu 17.04 is libnss3-tools.
In item 4, I think it might be best to prefix all database paths on the
device with "sql:" as is done with the host commands.
In item 8, docs/libcacard.txt no longer exists, as it is now in a
separate package.
And of course there's the fact that the modutil command doesn't work for
me, but I can't say why or what should change yet.

>
> Thanks
> -- 
> Marc-André Lureau

Thanks,
Patrick

-- 
Patrick Vacek
ATS Advanced Telematic Systems GmbH
Kantstraße 162, 10623 Berlin
HRB 151501 B, Amtsgericht Charlottenburg
Represented by the managing directors
Dirk Pöschl, Armin G. Schmidt
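The host-side sequence discussed in this thread (an NSS database created with a password so that `certutil -A` does not fail with SEC_ERROR_IO, `sql:` prefixes on every database path, the TC,TC,TC trust flags from docs/ccid.txt, and registering the PKCS#11 module with modutil), as an added example that is not part of the thread or of QEMU's docs/ccid.txt. The directory, password file, nickname and the self-signed "fake-smartcard-ca" certificate are constructed placeholders; the real CoolKey/OpenSC library path must be supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread or from docs/ccid.txt). Requires
# certutil/modutil from libnss3-tools (Ubuntu) and openssl for the demo.
set -eu

# Create an NSS database whose password is read from a file, so every later
# certutil/modutil call can pass -f instead of prompting interactively.
nss_init_db() {        # $1 = database directory, $2 = password file
    mkdir -p "$1"
    certutil -N -d "sql:$1" -f "$2"
}

# Import a CA certificate with the trust flags used in docs/ccid.txt item 4
# (TC,TC,TC: trusted CA for SSL, S/MIME and object signing).
nss_import_ca() {      # $1 = dir, $2 = password file, $3 = DER cert, $4 = nickname
    certutil -A -d "sql:$1" -f "$2" -i "$3" -t TC,TC,TC -n "$4"
}

# Count certificate entries in the database: certutil -L prints two header
# lines and a blank line, then one line per certificate.
nss_cert_count() {     # $1 = database directory
    certutil -L -d "sql:$1" | awk 'NR>2 && NF {n++} END {print n+0}'
}

# Register a PKCS#11 module; -force skips the interactive confirmation.
# The library path is whatever the target system installs (placeholder here).
nss_add_module() {     # $1 = database directory, $2 = module name, $3 = library
    modutil -dbdir "sql:$1" -add "$2" -libfile "$3" -force
}

# Stand-alone demo with a constructed self-signed CA (no real smartcard data).
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    printf 'constructed-db-password\n' > "$work/pw"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fake-smartcard-ca" -keyout "$work/ca.key" \
        -out "$work/fake-smartcard-ca.cer" -outform DER 2>/dev/null
    nss_init_db "$work/db" "$work/pw"
    nss_import_ca "$work/db" "$work/pw" "$work/fake-smartcard-ca.cer" fake-smartcard-ca
    echo "certificates in $work/db: $(nss_cert_count "$work/db")"
    certutil -L -d "sql:$work/db" -n fake-smartcard-ca
fi
```

Run with `sh setup-nssdb.sh demo` to see the import succeed against a password-protected database; call `nss_add_module` afterwards with the path to the installed PKCS#11 library.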
