On 07/22/2014 12:41 PM, Jeremy White wrote:
I'm hoping to get some guidance / clue bats / shock and horror in implementing Smart Card support for XSpice clients.
I think I have a tentative, but sufficient grasp of how the Smart Card stuff flows from the client into the server. It's not quite as clear how the server bridges it into qemu, but I think I have the gist of it.
However, that doesn't work for XSpice sessions.
I'm not sure why it shouldn't. The qemu portion simply forwards the CCID APDUs from the host. Spice has libcacard which translates the CAC requests into calls against your PKCS #11 token on your client side.
pam_pkcs11 uses pluggable PKCS #11 modules (which also work in Firefox and other NSS applications). You would have to install this module in your guest, however. I think redirecting the CCID USB data would be easier, though.
It looks to me that this should be possible. My research suggests that pam_pkcs11 is pluggable, and that it should be possible to write a module that would receive the cert information.
So presuming I have a module hook ready to receive certs, the next question is how to get them there.
The way that 'feels' right to me is to extend the Linux vd_agent to receive the smart card traffic, and so it is then vd_agent that communicates with my hypothetical pam hook.
The alternate would be to put it into the spiceqxl_drv.so. That seems less ideal, but would probably be less code, and wouldn't require messing with the vdagent protocol.
Thoughts? Comments? Clue bats?
Thanks,
Jeremy
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel