QEMU CCID Device Documentation.
3. Using ccid-card-emulated with hardware
4. Using ccid-card-emulated with certificates
5. Using ccid-card-passthru with client side hardware
6. Using ccid-card-passthru with client side certificates
7. Passthrough protocol scenario
The USB CCID device is a USB device implementing the CCID specification, which
lets one connect smart card readers that implement the same spec. For more
information see the specification:
Device Class: Smart Card
Integrated Circuit(s) Cards Interface Devices
Smartcards are used for authentication, single sign-on, decryption in
public/private key schemes and digital signatures. A smartcard reader on the client
cannot be used in a guest with simple USB passthrough, since it will then no longer be
available on the client, possibly locking the client computer when the card is "removed".
This device, on the other hand, lets you use the smartcard on both the client and
the guest machine. It is also possible to have a completely virtual smart card
reader and smart card (i.e. not backed by a physical device) using this device.
The cryptographic functions and access to the physical card are done via NSS.
apt-get install libnss3-dev
(not tested on Ubuntu)
Configuring and building:
./configure --enable-smartcard && make
3. Using ccid-card-emulated with hardware
Assuming you have a smartcard that works on the host for the current user
via NSS, QEMU acts as just another NSS client when using ccid-card-emulated:
qemu -usb -device usb-ccid -device ccid-card-emulated
4. Using ccid-card-emulated with certificates stored in files
You must create the CA and card certificates. This is a one time process.
We use NSS certificates:
certutil -N -d sql:$PWD
certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -t TC,TC,TC -n fake-smartcard-ca
certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
Note: you must have exactly three certificates.
You can use the emulated card type with the certificates backend:
qemu -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
To use the certificates in the guest, export the CA certificate:
certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
and import it in the guest:
certutil -A -d /etc/pki/nssdb -i fake-smartcard-ca.cer -t TC,TC,TC -n fake-smartcard-ca
In a Linux guest you can then use the CoolKey PKCS #11 module to access
certutil -d /etc/pki/nssdb -L -h all
It will prompt you for the PIN (which is the password you assigned to the
certificate database earlier), and then show you all three certificates
together with the manually imported CA cert:
Certificate Nickname                              Trust Attributes
fake-smartcard-ca                                 CT,C,C
John Doe:CAC ID Certificate                       u,u,u
John Doe:CAC Email Signature Certificate          u,u,u
John Doe:CAC Email Encryption Certificate         u,u,u
If this does not happen, CoolKey is not installed or not registered with
NSS. Registration can be done from Firefox or the command line:
modutil -dbdir /etc/pki/nssdb -add "CAC Module" -libfile /usr/lib64/pkcs11/libcoolkeypk11.so
modutil -dbdir /etc/pki/nssdb -list
5. Using ccid-card-passthru with client side hardware
On the host, specify the ccid-card-passthru device with a suitable chardev:
qemu -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
-usb -device usb-ccid -device ccid-card-passthru,chardev=ccid
On the client, run vscclient, which was built when you built QEMU:
vscclient <qemu-host> 2001
6. Using ccid-card-passthru with client side certificates
This case is not particularly useful, but you can use it to debug
your setup if #4 works but #5 does not.
Follow the instructions in #4, but run QEMU as in #5, and run vscclient
from the "fake-smartcard" directory (the one containing the certificate
database) as follows:
qemu -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
-usb -device usb-ccid -device ccid-card-passthru,chardev=ccid
vscclient -e "db=\"sql:$PWD\" use_hw=no soft=(,Test,CAC,,id-cert,signing-cert,encryption-cert)" <qemu-host> 2001
7. Passthrough protocol scenario
This is a typical interchange of messages when using the passthru card device.
usb-ccid is a USB device. It defaults to an unattached USB device on startup.
usb-ccid expects a chardev and expects the protocol defined in
cac_card/vscard_common.h to be passed over it.
The usb-ccid device can be in one of three modes:
* attached with no card
A typical interchange is (the arrow shows who started each exchange; it can be
client originated or guest originated):
client event      |      vscclient       |    passthru    | usb-ccid  |  guest event
----------------------------------------------------------------------------------------------
                  |      VSC_ReaderAdd   |                |  attach   |
                  |                      |                |           |  sees new usb device.
card inserted ->  |                      |                |           |
                  |      VSC_ATR         |   insert       |  insert   |  see new card
                  |      VSC_APDU        |   VSC_APDU     |           | <- guest sends APDU
client<->physical |                      |                |           |
card APDU exchange|                      |                |           |
client response ->|      VSC_APDU        |   VSC_APDU     |           |  receive APDU response
                  [APDU<->APDU repeats several times]
card removed ->   |                      |                |           |
                  |      VSC_CardRemove  |   remove       |   remove  |  card removed
                  [(card insert, apdu's, card remove) repeat]
                  |      VSC_ReaderRemove|                |  detach   |
                  |                      |                |           |  usb device removed.
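The framing and the usb-ccid state transitions from the table above, as an added example in C that is not QEMU or libcacard code: it encodes and decodes VSC messages over the chardev stream and rejects a length field that would overrun the receive buffer, a truncated header, or a message that is illegal in the current device state. The 12-byte big-endian header layout (type, reader_id, length) and the VSC_* type numbers are assumptions taken from libcacard's vscard_common.h; the session bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Assumed from libcacard's vscard_common.h: 12-byte big-endian header
 * (type, reader_id, length) and these VSC_* values; verify against your copy. */
enum { VSC_ReaderAdd = 3, VSC_ReaderRemove = 4, VSC_ATR = 5, VSC_CardRemove = 6, VSC_APDU = 7 };
enum { CCID_DETACHED, CCID_ATTACHED_NO_CARD, CCID_ATTACHED_CARD };
#define VSC_HDR_LEN 12u
#define VSC_MAX_PAYLOAD 4096u          /* defensive cap, not a protocol constant */
static uint32_t get32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
/* Encode one message (reader_id 0); returns bytes written. */
size_t vsc_put(uint8_t *out, uint32_t type, const uint8_t *pl, uint32_t plen) {
    put32(out, type); put32(out + 4, 0); put32(out + 8, plen);
    if (plen) memcpy(out + VSC_HDR_LEN, pl, plen);
    return VSC_HDR_LEN + plen;
}
/* Decode a stream and drive the usb-ccid state as the table does. Returns the final
 * state, or -1 on a truncated header, a length that overruns the buffer, or a
 * message that is illegal in the current state (e.g. APDU with no card inserted). */
int vsc_replay(const uint8_t *buf, size_t len) {
    int st = CCID_DETACHED;
    for (size_t off = 0; off < len; ) {
        if (len - off < VSC_HDR_LEN) return -1;
        uint32_t type = get32(buf + off), plen = get32(buf + off + 8);
        if (plen > VSC_MAX_PAYLOAD || plen > len - off - VSC_HDR_LEN) return -1;
        switch (type) {
        case VSC_ReaderAdd:    if (st != CCID_DETACHED) return -1;         st = CCID_ATTACHED_NO_CARD; break;
        case VSC_ATR:          if (st != CCID_ATTACHED_NO_CARD) return -1; st = CCID_ATTACHED_CARD;    break;
        case VSC_APDU:         if (st != CCID_ATTACHED_CARD) return -1;    break;
        case VSC_CardRemove:   if (st != CCID_ATTACHED_CARD) return -1;    st = CCID_ATTACHED_NO_CARD; break;
        case VSC_ReaderRemove: if (st == CCID_DETACHED) return -1;         st = CCID_DETACHED;         break;
        default: return -1;                                /* type not handled here */
        }
        off += VSC_HDR_LEN + plen;
    }
    return st;
}
/* Constructed session in the table's order: attach, insert, two APDUs, remove, detach.
 * drop_tail bytes are cut from the end to show a truncated header is rejected. */
int demo_session(size_t drop_tail) {
    static const uint8_t atr[] = { 0x3b, 0x02, 0x14, 0x50 };        /* constructed ATR */
    static const uint8_t apdu[] = { 0x00, 0xa4, 0x04, 0x00, 0x00 }; /* constructed SELECT */
    uint8_t buf[128]; size_t n = 0;
    n += vsc_put(buf + n, VSC_ReaderAdd, NULL, 0);
    n += vsc_put(buf + n, VSC_ATR, atr, sizeof atr);
    for (int i = 0; i < 2; i++) n += vsc_put(buf + n, VSC_APDU, apdu, sizeof apdu);
    n += vsc_put(buf + n, VSC_CardRemove, NULL, 0);
    n += vsc_put(buf + n, VSC_ReaderRemove, NULL, 0);
    return vsc_replay(buf, drop_tail < n ? n - drop_tail : 0);
}
```

demo_session(0) walks the whole table and ends detached; demo_session(3) cuts into the final VSC_ReaderRemove header and is rejected instead of being read past the buffer.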
Both ccid-card-emulated and vscclient use libcacard as the card emulator.
libcacard implements a completely virtual CAC (DoD standard for smart
cards) compliant card and uses NSS to retrieve certificates and do
any encryption. The backend can then be a real reader and card, or
certificates stored in files.
For documentation of the library see docs/libcacard.txt.