1 Chip Card Interface Device (CCID)
2 =================================
6 The USB CCID device is a USB device implementing the CCID specification, which
7 lets one connect smart card readers that implement the same spec. For more
8 information see the specification::
11 Device Class: Smart Card
14 Integrated Circuit(s) Cards Interface Devices
18 Smartcards are used for authentication, single sign on, decryption in
19 public/private schemes and digital signatures. A smartcard reader on the client
20 cannot be used on a guest with simple usb passthrough since it will then not be
21 available on the client, possibly locking the computer when it is "removed". On
22 the other hand this device can let you use the smartcard on both the client and
23 the guest machine. It is also possible to have a completely virtual smart card
24 reader and smart card (i.e. not backed by a physical device) using this device.
28 The cryptographic functions and access to the physical card is done via the
29 libcacard library, whose development package must be installed prior to
34 yum install libcacard-devel
38 apt-get install libcacard-dev
40 Configuring and building::
42 ./configure --enable-smartcard && make
44 Using ccid-card-emulated with hardware
45 --------------------------------------
46 Assuming you have a working smartcard on the host with the current
47 user, using libcacard, QEMU acts as another client using ccid-card-emulated::
49 qemu -usb -device usb-ccid -device ccid-card-emulated
51 Using ccid-card-emulated with certificates stored in files
52 ----------------------------------------------------------
53 You must create the CA and card certificates. This is a one time process.
54 We use NSS certificates::
58 certutil -N -d sql:$PWD
59 certutil -S -d sql:$PWD -s "CN=Fake Smart Card CA" -x -t TC,TC,TC -n fake-smartcard-ca
60 certutil -S -d sql:$PWD -t ,, -s "CN=John Doe" -n id-cert -c fake-smartcard-ca
61 certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (signing)" --nsCertType smime -n signing-cert -c fake-smartcard-ca
62 certutil -S -d sql:$PWD -t ,, -s "CN=John Doe (encryption)" --nsCertType sslClient -n encryption-cert -c fake-smartcard-ca
64 Note: you must have exactly three certificates.
66 You can use the emulated card type with the certificates backend::
68 qemu -usb -device usb-ccid -device ccid-card-emulated,backend=certificates,db=sql:$PWD,cert1=id-cert,cert2=signing-cert,cert3=encryption-cert
70 To use the certificates in the guest, export the CA certificate::
72 certutil -L -r -d sql:$PWD -o fake-smartcard-ca.cer -n fake-smartcard-ca
74 and import it in the guest::
76 certutil -A -d /etc/pki/nssdb -i fake-smartcard-ca.cer -t TC,TC,TC -n fake-smartcard-ca
78 In a Linux guest you can then use the CoolKey PKCS #11 module to access
81 certutil -d /etc/pki/nssdb -L -h all
83 It will prompt you for the PIN (which is the password you assigned to the
84 certificate database early on), and then show you all three certificates
85 together with the manually imported CA cert::
87 Certificate Nickname Trust Attributes
88 fake-smartcard-ca CT,C,C
89 John Doe:CAC ID Certificate u,u,u
90 John Doe:CAC Email Signature Certificate u,u,u
91 John Doe:CAC Email Encryption Certificate u,u,u
93 If this does not happen, CoolKey is not installed or not registered with
94 NSS. Registration can be done from Firefox or the command line::
96 modutil -dbdir /etc/pki/nssdb -add "CAC Module" -libfile /usr/lib64/pkcs11/libcoolkeypk11.so
97 modutil -dbdir /etc/pki/nssdb -list
99 Using ccid-card-passthru with client side hardware
100 --------------------------------------------------
101 On the host specify the ccid-card-passthru device with a suitable chardev::
103 qemu -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
104 -usb -device usb-ccid -device ccid-card-passthru,chardev=ccid
106 On the client run vscclient, built when you built QEMU::
108 vscclient <qemu-host> 2001
110 Using ccid-card-passthru with client side certificates
111 ------------------------------------------------------
112 This case is not particularly useful, but you can use it to debug
115 Follow instructions above, except run QEMU and vscclient as follows.
117 Run qemu as per above, and run vscclient from the "fake-smartcard"
118 directory as follows::
120 qemu -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
121 -usb -device usb-ccid -device ccid-card-passthru,chardev=ccid
122 vscclient -e "db=\"sql:$PWD\" use_hw=no soft=(,Test,CAC,,id-cert,signing-cert,encryption-cert)" <qemu-host> 2001
125 Passthrough protocol scenario
126 -----------------------------
127 This is a typical interchange of messages when using the passthru card device.
128 usb-ccid is a usb device. It defaults to an unattached usb device on startup.
129 usb-ccid expects a chardev and expects the protocol defined in
130 cac_card/vscard_common.h to be passed over that.
131 The usb-ccid device can be in one of three modes:
134 * attached with no card
137 A typical interchange is (the arrow shows who started each exchange, it can be client
138 originated or guest originated)::
140 client event | vscclient | passthru | usb-ccid | guest event
141 ------------------------------------------------------------------------------------------------
143 | VSC_ReaderAdd | | attach |
144 | | | | sees new usb device.
145 card inserted -> | | | |
146 | VSC_ATR | insert | insert | see new card
148 | VSC_APDU | VSC_APDU | | <- guest sends APDU
149 client <-> physical | | | |
150 card APDU exchange | | | |
151 client response -> | VSC_APDU | VSC_APDU | | receive APDU response
153 [APDU<->APDU repeats several times]
155 card removed -> | | | |
156 | VSC_CardRemove | remove | remove | card removed
158 [(card insert, apdu's, card remove) repeat]
162 | VSC_ReaderRemove | | detach |
163 | | | | usb device removed.
167 Both ccid-card-emulated and vscclient use libcacard as the card emulator.
168 libcacard implements a completely virtual CAC (DoD standard for smart
169 cards) compliant card and uses NSS to retrieve certificates and do
170 any encryption. The backend can then be a real reader and card, or
171 certificates stored in files.