Bug 1249116
Summary: | SmartCard does not appear in VM at initial connection with remote-viewer | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Andrei Stepanov <astepano> |
Component: | libcacard | Assignee: | David Blechter <dblechte> |
Status: | CLOSED WORKSFORME | QA Contact: | SPICE QE bug list <spice-qe-bugs> |
Severity: | low | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
Priority: | low | ||
Version: | 7.1 | CC: | astepano, cfergeau, dblechte, fdelorey, lmiksik, marcandre.lureau, mkalinin, sfroemer, tpelka |
Target Milestone: | rc | ||
Target Release: | 7.2 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Fixed In Version: | Doc Type: | Known Issue | |
Doc Text: |
The *remote-viewer* SPICE client fails to detect newly plugged-in smart card readers
The *libcacard* library in Red Hat Enterprise Linux 7.3 fails to handle USB hot plug events. As a consequence, while the *remote-viewer* SPICE client is running, the application in some cases fails to detect a USB smart card reader when it is plugged in. To work around the problem, remove the smart card from the reader and reinsert it.
|
Last Closed: | 2017-09-07 09:36:16 UTC | Type: | Bug |
Description
Andrei Stepanov
2015-07-31 14:12:22 UTC
It is not necessary to re-plug the device. I just tried the same command twice. The first one fails, the second one succeeds:

```
# pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x16a1610 next = 0x16ad0d0
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x16ad0d0 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:95: no token available

# pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x214c610 next = 0x21580d0
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x21580d0 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= libcoolkeypk11.so
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
PIN for token: DEBUG:pkcs11_lib.c:48: PIN = [redhat]
DEBUG:pkcs11_lib.c:759: cert 0: found (CoolKey:CAC ID Certificate), "UID=spiceqe,O=Token Key User"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:197: Inserting mapper [cn] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'uid'
DEBUG:mapper_mgr.c:197: Inserting mapper [uid] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:mapper_mgr.c:197: Inserting mapper [pwent] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
DEBUG:pkcs11_inspect.c:128: Found '1' certificate(s)
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: CoolKey:CAC ID Certificate (UID=spiceqe,O=Token Key User)
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
DEBUG:mapper_mgr.c:243: Cannot find cert data for mapper cn
Printing data for mapper uid: spiceqe
DEBUG:mapper_mgr.c:243: Cannot find cert data for mapper pwent
DEBUG:mapper_mgr.c:235: Mapper 'null' has no inspect() function
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() uid
DEBUG:mapper_mgr.c:148: Module uid is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pkcs11_inspect.c:163: releasing pkcs #11 module...
DEBUG:pkcs11_inspect.c:166: Process completed
```

Do you have coolkey installed in the guest? (see http://www.spice-space.org/page/SmartcardUsage)

Yes

```
# modutil -dbdir /etc/pki/nssdb/ -list
......
  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (
        token: CoolKey
-----------------------------------------------------------
```

I'm wondering if this could be related to rhbz#1316495. Could you try reproducing with spice-0.12.4-15.el7_2.1 https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=491704 when you get a chance?

Tested this with the aforementioned package, and still an issue. Here removing/reinserting the card was a more reliable 'fix' than unplugging/replugging the card reader.

For low-level testing purposes, I'd recommend using pcsc_scan from pcsc-tools rather than pkcs11_inspect/pkcs11_login.

libcacard does not seem to be able to cope with hot plug/hot unplug of smartcard readers. Here if I unplug/replug a USB card reader, the smartcard needs to be removed/reinserted for libcacard to notice there is a card in the reader, and it really is a limitation of how libcacard interacts with nss. I'm not familiar enough with nss to know the proper way to fix this. Maybe monitor readers coming/going through udev, and refresh libcacard state depending on this. Then figure out whether char devs can be dynamically added / removed in QEMU.

Can you confirm that what you tested is
- start client
- connect reader
?

(In reply to Christophe Fergeau from comment #7)
> Can you confirm that what you tested is
> - start client
> - connect reader
> ?

Andrei, are these the steps to follow to reproduce this bug? Or can you also reproduce the other way around (reader is connected, smartcard can be seen on the client, but when you then start the client, the guest is not seeing the smartcard)?

I cannot reproduce this bug with:

Client: RHEL 7.4
virt-viewer-5.0-7.el7.x86_64
spice-gtk3-0.33-6.el7.x86_64
spice-glib-0.33-6.el7.x86_64

Guest: RHEL 7.4
spice-vdagent-0.14.0-14.el7.x86_64

Host: RHV 4.1
spice-server-0.12.8-2.el7.1.x86_64

Steps:

1. Install on the guest and client:

```
yum group install smart-card
```

or

```
yum install coolkey esc pam_pkcs11 pcsc-lite-ccid pcsc-lite
```

2. Start pcscd on the guest and client:

```
/bin/systemctl enable pcscd.service
/bin/systemctl start pcscd.service
```

3. Install certificate on the guest and client:

```
certutil -A -d /etc/pki/nssdb/ -n "IdmLab" -i IdmLabEngBosRedhatCom_2011-2019.pem -t "CT,CT,CT"
```

4. Check "Smartcard Enabled" in "Console" for VM in RHV 4.1. qemu process has:

```
-chardev spicevmc,id=charsmartcard0,name=smartcard -device ccid-card-passthru,chardev=charsmartcard0,id=smartcard0,bus=ccid0.0
```

5. Connect from client to guest with remote-viewer. console.vv has:

```
enable-smartcard=1
secure-channels=main;inputs;cursor;playback;record;display;smartcard;usbredir
```

6. In client:

```
# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: Gemalto PC Twin Reader 00 00
        token: spice qe
-----------------------------------------------------------

# certutil -L -d /etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "spice qe":
Idmqe                                                        CT,C,C
spice qe:signing key for spiceqe                             u,u,u
spice qe:encryption key for spiceqe                          u,u,u

# lsusb | grep -i gem
Bus 001 Device 004: ID 08e6:3437 Gemalto (was Gemplus) GemPC Twin SmartCard Reader

# pklogin_finder
PIN for token: spiceqe
```

8. In guest:

```
# modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (
        token: CoolKey
-----------------------------------------------------------

# certutil -L -d /etc/pki/nssdb -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "CoolKey":
Idmqe                                                        CT,C,C
CoolKey:CAC ID Certificate                                   u,u,u
CoolKey:CAC Email Signature Certificate                      u,u,u

# lsusb | grep -i gem
Bus 002 Device 002: ID 08e6:4433 Gemalto (was Gemplus) GemPC433-Swap

# pklogin_finder
PIN for token: spiceqe
```

The above commands work at the first try. Close the bug as "WORKSFORME".
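
A small triage helper for the symptom reported in this bug (the first `pkcs11_inspect debug` run ends with "no token available", the next run finds the certificate), added here as an example and not part of the bug report or of pam_pkcs11. The function names and log file names are assumptions; the sample logs are excerpts of the two runs quoted in the description.

```sh
#!/bin/sh
# Added example, not from the bug report. Classifies saved
# `pkcs11_inspect debug` output so successive probe runs can be compared.

# classify_inspect: read one run's debug output on stdin and print
#   no-token   the run ended with "no token available"
#   certs=N    the run reported N certificates on the token
#   unknown    neither marker is present (truncated log or another tool)
classify_inspect() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'no token available'; then
        echo "no-token"
        return 0
    fi
    count=$(printf '%s\n' "$log" |
        sed -n "s/.*Found '\([0-9][0-9]*\)' certificate(s).*/\1/p" | head -n 1)
    if [ -n "$count" ]; then
        echo "certs=$count"
    else
        echo "unknown"
    fi
}

# first_token_attempt FILE...: each FILE holds one run, in the order the runs
# were made (hypothetical file names). Prints the 1-based index of the first
# run that saw a certificate, or 0 if no run did.
first_token_attempt() {
    attempt=0
    for f in "$@"; do
        attempt=$((attempt + 1))
        case $(classify_inspect < "$f") in
            certs=*) echo "$attempt"; return 0 ;;
        esac
    done
    echo 0
}

# Sample input: excerpts of the two runs quoted in the description.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/run1.log" <<'EOF'
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:95: no token available
EOF
cat > "$sample_dir/run2.log" <<'EOF'
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:128: Found '1' certificate(s)
EOF

first_token_attempt "$sample_dir/run1.log" "$sample_dir/run2.log"   # prints 2
```

A result of 1 means the token was visible on the first probe; anything higher reproduces the behaviour in the description.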