Bug 875892
| Field | Value |
|---|---|
| Summary: | Smart-card not seen in 6.3 RHEL VM. |
| Product: | Red Hat Enterprise Linux 6 |
| Component: | pcsc-lite |
| Status: | CLOSED NOTABUG |
| Severity: | medium |
| Priority: | urgent |
| Version: | 6.3 |
| Target Milestone: | rc |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Reporter: | Bill Sanford <bsanford> |
| Assignee: | Bob Relyea <rrelyea> |
| QA Contact: | Asha Akkiangady <aakkiang> |
| CC: | alevy, cpelland, dblechte, desktop-qa-list, djasa, ludovic.rousseau, mkrcmari, pvine, vipatel |
| Keywords: | Regression |
| Doc Type: | Bug Fix |
| Last Closed: | 2012-11-23 11:01:08 UTC |
| Type: | Bug |

Description
Bill Sanford
2012-11-12 18:51:21 UTC
Created attachment 643663 [details]
Smart-card fails on RHEL 6.3 VM

Some more information:

Client/Guest:
$ rpm -qa | egrep "pcsc-lite|coolkey|nss-3|spice-gtk"
pcsc-lite-libs-1.5.2-7.el6.x86_64
spice-gtk-tools-0.14-4.el6.x86_64
spice-gtk-debuginfo-0.14-4.el6.x86_64
nss-3.14.0.0-4.el6.x86_64
coolkey-1.1.0-21.el6.x86_64
pcsc-lite-1.5.2-8.el6.x86_64
spice-gtk-python-0.14-4.el6.x86_64
spice-gtk-0.14-4.el6.x86_64

Host:
$ rpm -qa | egrep "spice-server|qemu-kvm"
spice-server-0.12.0-1.el6.x86_64
qemu-kvm-debuginfo-0.12.1.2-2.331.el6.x86_64
spice-server-debuginfo-0.12.0-1.el6.x86_64
qemu-kvm-rhev-0.12.1.2-2.331.el6.x86_64
qemu-kvm-tools-0.12.1.2-2.331.el6.x86_64

Some logs (taken when sc is inserted in reader on client):

client_logs_sc20121113.log contains - remote-viewer debug on the client when sc inserted, QEMU stdout (with debug=10), sudo pcscd --foreground --debug (stdout), pcsc_scan on the CLIENT.

guest_logs_sc20121113.log contains - pcscd --foreground --debug contains: pcscd --foreground --debug and pcsc_scan (no messages after inserting a sc in client though).

Note: Emulated smartcards work just fine through spice.

Created attachment 644092 [details]
guest_logs_sc20121113.log
Created attachment 644093 [details]
client_logs_sc20121113.log

(In reply to comment #4)
> Created attachment 644092 [details]
> guest_logs_sc20121113.log

The smart card reader "Gemplus GemPC433 SL" is correctly detected.

The problem is that a smart card inserted in this reader is not detected? Exact?

Is the smart card inserted correctly?
Does the reader work in a "normal" setup?

(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 644092 [details]
> > guest_logs_sc20121113.log
>
> The smart card reader "Gemplus GemPC433 SL" is correctly detected.
>
> The problem is that a smart card inserted in this reader is not detected?
> Exact?

Yes, It's not detected on the Virtual machine, It's detected correctly on the physical client (If I redirect USB smart card reader with using USB redirection into Virtual machine, The card is detected in the Virtual machine as well, Just cannot make it work through spice).

>
> Is the smart card inserted correctly?

I believe so. I can see the sc on the physical "normal" setup.

> Does the reader work in a "normal" setup?

Hi Marian,

Are you using a usb smartcard reader and smartcards?
Can you verify the reader is attached prior to launching remote-viewer?

The logs show the client is not seeing the card being inserted, since there is no "smartcard: card-inserted" line in the client debug logs you attached. Perhaps this is a permission issue, can you try launching remote-viewer as super user?

Alon

(In reply to comment #8)
> Hi Marian,
>
> Are you using a usb smartcard reader and smartcards?

Yes

> Can you verify the reader is attached prior to launching remote-viewer?

I always did.

> The logs show the client is not seeing the card being inserted, since there
> is no "smartcard: card-inserted" line in the client debug logs you attached.
> Perhaps this is a permission issue, can you try launching remote-viewer as
> super user?

Unfortunately no change.

>
> Alon

> Yes, It's not detected on the Virtual machine, It's detected correctly on the
> physical client (If I redirect USB smart card reader with using USB redirection
> into Virtual machine, The card is detected in the Virtual machine as well, Just
> cannot make it work through spice).

I'm not sure what you are trying to do will really work. The host and the virtual machine can't both share the reader at the same time. Attempts to use the card from the host would interfere with the reader.
There is code in spice to emulate the smart card as a CAC card, and then ask the host to provide services for the card. I don't know what version of qemu has that code, but the fact that you see the physical reader name instead of a virtual reader seems to indicate that you don't have the virtual reader support on your host.
bob
Robert, Marian,
I'm vnc'ing to the spice client machine of Marian and it is using the cards correctly. However, I cannot see any certificates, i.e. pkcs11_listcerts returns nothing (perhaps my pin is wrong), and the same from libcacard vcard_
607     firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE);
608     if (firstObj == NULL) {
609         return NULL;
610     }
returns here, since PK11_FindGenericObjects returns NULL. The slot is the first (and only) slot advertised by libcoolkeypk11.so.
So Action item:
Marian: do you see certificates on your cards from the client? if so, Marian, can you provide the correct pin code so I can verify this? (Bill - same question).
For reference, the module:
(gdb) p *module
$17 = {arena = 0x7fffe0078bd0, internal = 0, loaded = 1, isFIPS = 0, dllName = 0x7fffe0076e50 "libcoolkeypk11.so", commonName = 0x7fffe0076e48 "Coolkey", library = 0x7fffe006a210,
functionList = 0x7fffdffffc40, refLock = 0x7fffe0078cd0, refCount = 1, slots = 0x7fffe0076e68, slotCount = 1, slotInfo = 0x0, slotInfoCount = 0, moduleID = 2, isThreadSafe = 1, ssl = {0, 0},
libraryParams = 0x0, moduleDBFunc = 0x0, parent = 0x0, isCritical = 0, isModuleDB = 0, moduleDBOnly = 0, trustOrder = 50, cipherOrder = 0, evControlMask = 0, cryptokiVersion = {major = 2 '\002',
minor = 11 '\v'}}
And the slot:
(gdb) p *slot
$21 = {functionList = 0x7fffdffffc40, module = 0x7fffe0076d80, needTest = 1, isPerm = 0, isHW = 1, isInternal = 0, disabled = 0, reason = PK11_DIS_NONE, readOnly = 1, needLogin = 0, hasRandom = 0,
defRWSession = 0, isThreadSafe = 1, flags = 2, session = 16777218, sessionLock = 0x7fffe007cc50, slotID = 1, defaultFlags = 0, refCount = 2, freeListLock = 0x7fffe007cd00, freeSymKeysWithSessionHead = 0x0,
freeSymKeysHead = 0x0, keyCount = 0, maxKeyCount = 800, askpw = 0, timeout = 0, authTransact = 0, authTime = 0, minPassword = 0, maxPassword = 32, series = 2, flagSeries = 0, flagState = 0, wrapKey = 0,
wrapMechanism = 4294967295, refKeys = {0}, mechanismList = 0x7fffe007c420, mechanismCount = 1, cert_array = 0x0, array_size = 0, cert_count = 0, serial = "29191130 ",
slot_name = "Gemplus GemPC Twin 00 00", '\000' <repeats 40 times>, token_name = "CoolKey 29191130", '\000' <repeats 16 times>, hasRootCerts = 0, hasRootTrust = 0, hasRSAInfo = 0, RSAInfoFlags = 0,
protectedAuthPath = 0, isActiveCard = 0, lastLoginCheck = 0, lastState = 0, nssToken = 0x7fffe007cf80, mechanismBits = "\000\001", '\000' <repeats 253 times>}
(gdb) bt
#0 vcard_emul_mirror_card (vreader=0x7fffe007e0f0) at vcard_emul_nss.c:608
#1 0x0000003fe6208261 in vcard_emul_init (options=<value optimized out>) at vcard_emul_nss.c:1021
#2 0x0000003fe822f070 in smartcard_manager_init (res=0x7bdb00, object=<value optimized out>, cancellable=<value optimized out>) at smartcard-manager.c:460
#3 smartcard_manager_init_helper (res=0x7bdb00, object=<value optimized out>, cancellable=<value optimized out>) at smartcard-manager.c:484
#4 0x000000397444c9fc in run_in_thread (job=<value optimized out>, c=0x787210, _data=0x7a4e20) at gsimpleasyncresult.c:676
#5 0x0000003974441c66 in io_job_thread (data=0x846bc0, user_data=<value optimized out>) at gioscheduler.c:182
#6 0x000000397246359b in g_thread_pool_thread_proxy (data=<value optimized out>) at gthreadpool.c:265
#7 0x0000003972462004 in g_thread_create_proxy (data=0x66bca0) at gthread.c:635
#8 0x0000003971807851 in start_thread (arg=0x7fffe4d0c700) at pthread_create.c:301
#9 0x00000039714e890d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

(In reply to comment #11)
> Robert, Marian,
>
> I'm vnc'ing to the spice client machine of Marian and it is using the cards
> correctly. However, I cannot see any certificates, i.e. pkcs11_listcerts
> returns nothing (perhaps my pin is wrong), and the same from libcacard vcard_
>
> 607     firstObj = PK11_FindGenericObjects(slot, CKO_CERTIFICATE);
> 608     if (firstObj == NULL) {
> 609         return NULL;
> 610     }
>
> returns here, since PK11_FindGenericObjects returns NULL. The slot is the
> first (and only) slot advertised by libcoolkeypk11.so.
>
> So Action item:
> Marian: do you see certificates on your cards from the client? if so,
> Marian, can you provide the correct pin code so I can verify this? (Bill -
> same question).
>

Alon,
I believe there are two things:

1. Misunderstanding of the concept: we believed that even an unenrolled smartcard (without certs) would be available in a VM over Spice so a user can enroll the sc directly on the VM and does not need to have the whole "infrastructure" on the client. I managed to enroll my smartcard on the client correctly and now it seems to work correctly on a RHEL6.3 client. So I am going to close this bug. Thanks for looking, I leave a question whether it's possible/wanted to emulate even an unenrolled sc on a VM.

2. We used the latest coolkey (coolkey-1.1.0-21 available in RHEL6.4) and this version seems to be buggy: pkcs11_listcerts/pklogin_finder with coolkey-1.1.0-21 does not print any token/certs even though they are stored on the sc. Version of coolkey -20 from 6.3 prints the information correctly. Moreover, with the latest coolkey, ESC (GUI app for managing sc) on the client seems to interfere with spice client -> the sc is either caught by ESC app on the client or by spice client and emulated in VM correctly. It behaves like racing between each other. I filed a bz #879563 for coolkey with some details.

> Alon,
> I believe there are two things:
> 1. Misunderstanding of the concept: we believed that even an unenrolled
> smartcard (without certs) would be available in a VM over Spice so a user
> can enroll the sc directly on the VM and does not need to have the whole
> "infrastructure" on the client. I managed to enroll my smartcard on the
> client correctly and now it seems to work correctly on a RHEL6.3 client. So
> I am going to close this bug. Thanks for looking, I leave a question whether
> it's possible/wanted to emulate even an unenrolled sc on a VM.

Thanks Marian for the clear description, I think we should mention this in documentation of the smartcard feature. (No hidden request here - I need to find out if we actually have documentation somewhere).

>
> 2. We used the latest coolkey (coolkey-1.1.0-21 available in RHEL6.4) and
> this version seems to be buggy: pkcs11_listcerts/pklogin_finder with
> coolkey-1.1.0-21 does not print any token/certs even though they are stored
> on the sc. Version of coolkey -20 from 6.3 prints the information correctly.
> Moreover, with the latest coolkey, ESC (GUI app for managing sc) on the client
> seems to interfere with spice client -> the sc is either caught by ESC app on
> the client or by spice client and emulated in VM correctly. It behaves like
> racing between each other. I filed a bz #879563 for coolkey with some
> details.

OK, that sounds like a pcscd error to me, I think it's supposed to broadcast these events to all its clients (esc & remote-viewer via libcacard in this case).