[PATCH v3] Provide support for using the passthru smartcard mode in libcacard.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Add an optional args parameter to the --spice-smartcard which
will be passed to vcard_emul_options.

This allows us to deprecate the --smartcard-db and
--smartcard-certificates options as well.

Signed-off-by: Jeremy White <jwhite@xxxxxxxxxxxxxxx>
---
 gtk/smartcard-manager.c |   14 ++++++++++++++
 gtk/spice-option.c      |   21 +++++++++++++++++++--
 gtk/spice-session.c     |   36 ++++++++++++++++++++++++++++++++++--
 man/spice-client.pod    |   37 ++++++++++++++++++++++++++++---------
 4 files changed, 95 insertions(+), 13 deletions(-)

diff --git a/gtk/smartcard-manager.c b/gtk/smartcard-manager.c
index 9e228e9..9e4b313 100644
--- a/gtk/smartcard-manager.c
+++ b/gtk/smartcard-manager.c
@@ -416,14 +416,27 @@ static gboolean smartcard_manager_init(SmartcardManagerInitArgs *args)
     gchar *dbname = NULL;
     GStrv certificates = NULL;
     gboolean retval = FALSE;
+    gchar *smartcard_args = NULL;
 
     SPICE_DEBUG("smartcard_manager_init");
     g_return_val_if_fail(SPICE_IS_SESSION(args->session), FALSE);
     g_object_get(G_OBJECT(args->session),
                  "smartcard-db", &dbname,
                  "smartcard-certificates", &certificates,
+                 "smartcard-args", &smartcard_args,
                  NULL);
 
+    if (smartcard_args) {
+        options = vcard_emul_options(smartcard_args);
+        if (options == NULL) {
+            args->err = g_error_new(SPICE_CLIENT_ERROR,
+                                    SPICE_CLIENT_ERROR_FAILED,
+                                    "vcard_emul_options() failed!");
+            goto end;
+        }
+        goto init;
+    }
+
     if ((certificates == NULL) || (g_strv_length(certificates) != 3))
         goto init;
 
@@ -466,6 +479,7 @@ init:
 
 end:
     SPICE_DEBUG("smartcard_manager_init end: %d", retval);
+    g_free(smartcard_args);
     g_free(emul_args);
     g_free(dbname);
     g_strfreev(certificates);
diff --git a/gtk/spice-option.c b/gtk/spice-option.c
index 958e03c..53d0181 100644
--- a/gtk/spice-option.c
+++ b/gtk/spice-option.c
@@ -35,6 +35,7 @@ static char *smartcard_certificates = NULL;
 static char *usbredir_auto_redirect_filter = NULL;
 static char *usbredir_redirect_on_connect = NULL;
 static gboolean smartcard = FALSE;
+static char *smartcard_args = NULL;
 static gboolean disable_audio = FALSE;
 static gboolean disable_usbredir = FALSE;
 static gint cache_size = 0;
@@ -150,6 +151,19 @@ static gboolean parse_usbredir_filter(const gchar *option_name,
 }
 
 
+static gboolean parse_smartcard(const gchar *option_name, const gchar *value,
+                                      gpointer data, GError **error)
+{
+    if (! value || strlen(value) == 0)
+        smartcard_args = NULL;
+    else
+        smartcard_args = g_strdup(value);
+
+    smartcard = TRUE;
+    return TRUE;
+}
+
+
 /**
  * spice_get_option_group: (skip)
  *
@@ -173,8 +187,9 @@ GOptionGroup* spice_get_option_group(void)
           N_("Subject of the host certificate (field=value pairs separated by commas)"), N_("<host-subject>") },
         { "spice-disable-audio", '\0', 0, G_OPTION_ARG_NONE, &disable_audio,
           N_("Disable audio support"), NULL },
-        { "spice-smartcard", '\0', 0, G_OPTION_ARG_NONE, &smartcard,
-          N_("Enable smartcard support"), NULL },
+        { "spice-smartcard", '\0', G_OPTION_FLAG_OPTIONAL_ARG, G_OPTION_ARG_CALLBACK, parse_smartcard,
+          N_("Enable smartcard support.  By default, the client will emulate a CAC card using libnss. "
+             "Specify an argument of 'passthru' to use pcsclite to pass card data directly"), NULL },
         { "spice-smartcard-certificates", '\0', 0, G_OPTION_ARG_STRING, &smartcard_certificates,
           N_("Certificates to use for software smartcards (field=values separated by commas)"), N_("<certificates>") },
         { "spice-smartcard-db", '\0', 0, G_OPTION_ARG_STRING, &smartcard_db,
@@ -258,6 +273,8 @@ void spice_set_session_option(SpiceSession *session)
         }
         if (smartcard_db)
             g_object_set(session, "smartcard-db", smartcard_db, NULL);
+        if (smartcard_args)
+            g_object_set(session, "smartcard-args", smartcard_args, NULL);
     }
     if (usbredir_auto_redirect_filter) {
         SpiceUsbDeviceManager *m = spice_usb_device_manager_get(session, NULL);
diff --git a/gtk/spice-session.c b/gtk/spice-session.c
index d7f014c..85b1036 100644
--- a/gtk/spice-session.c
+++ b/gtk/spice-session.c
@@ -64,6 +64,7 @@ struct _SpiceSessionPrivate {
 
     /* whether to enable smartcard event forwarding to the server */
     gboolean          smartcard;
+    gchar             *smartcard_args;
 
     /* list of certificates to use for the software smartcard reader if
      * enabled. For now, it has to contain exactly 3 certificates for
@@ -182,6 +183,7 @@ enum {
     PROP_MIGRATION_STATE,
     PROP_AUDIO,
     PROP_SMARTCARD,
+    PROP_SMARTCARD_ARGS,
     PROP_SMARTCARD_CERTIFICATES,
     PROP_SMARTCARD_DB,
     PROP_USBREDIR,
@@ -326,6 +328,7 @@ spice_session_finalize(GObject *gobject)
     g_free(s->ca_file);
     g_free(s->ciphers);
     g_free(s->cert_subject);
+    g_free(s->smartcard_args);
     g_strfreev(s->smartcard_certificates);
     g_free(s->smartcard_db);
     g_strfreev(s->disable_effects);
@@ -570,6 +573,9 @@ static void spice_session_get_property(GObject    *gobject,
     case PROP_SMARTCARD:
         g_value_set_boolean(value, s->smartcard);
         break;
+    case PROP_SMARTCARD_ARGS:
+        g_value_set_string(value, s->smartcard_args);
+        break;
     case PROP_SMARTCARD_CERTIFICATES:
         g_value_set_boxed(value, s->smartcard_certificates);
         break;
@@ -696,6 +702,10 @@ static void spice_session_set_property(GObject      *gobject,
     case PROP_SMARTCARD:
         s->smartcard = g_value_get_boolean(value);
         break;
+    case PROP_SMARTCARD_ARGS:
+        g_free(s->smartcard_args);
+        s->smartcard_args = g_value_dup_string(value);
+        break;
     case PROP_SMARTCARD_CERTIFICATES:
         g_strfreev(s->smartcard_certificates);
         s->smartcard_certificates = g_value_dup_boxed(value);
@@ -1025,6 +1035,26 @@ static void spice_session_class_init(SpiceSessionClass *klass)
                           G_PARAM_STATIC_STRINGS));
 
     /**
+     * SpiceSession:smartcard-args:
+     *
+     * Can be specified in order to set vcard_emul_options.
+     *  The most useful alternate value is
+     *    "hw=yes hw_type=passthru"
+     *  which will use pcsclite to pass smartcard access through
+     *
+     * Since: 0.28
+     **/
+    g_object_class_install_property
+        (gobject_class, PROP_SMARTCARD_ARGS,
+         g_param_spec_string("smartcard-args",
+                          "Arguments to pass when connecting the smartcard.",
+                          "Options to pass to vcard_emul_options to create a smartcard.  The default is 'emulnss' which will use libnss to emulate a CAC card."
+                          " A value of 'passthru' will use pcsclite to directly interact with the card.",
+                          FALSE,
+                          G_PARAM_READWRITE |
+                          G_PARAM_STATIC_STRINGS));
+
+    /**
      * SpiceSession:enable-audio:
      *
      * If set to TRUE, the audio channels will be enabled for
@@ -1051,12 +1081,13 @@ static void spice_session_class_init(SpiceSessionClass *klass)
      * See also spice_smartcard_manager_insert_card()
      *
      * Since: 0.7
+     * Deprecated since: 0.28
      **/
     g_object_class_install_property
         (gobject_class, PROP_SMARTCARD_CERTIFICATES,
          g_param_spec_boxed("smartcard-certificates",
                             "Smartcard certificates",
-                            "Smartcard certificates for software-based smartcards",
+                            "Smartcard certificates for software-based smartcards. Deprecated; use soft=(,Spice Software Smartcard,cac,,cert1,cert2,cert3) in smartcard-args instead.",
                             G_TYPE_STRV,
                             G_PARAM_READABLE |
                             G_PARAM_WRITABLE |
@@ -1069,12 +1100,13 @@ static void spice_session_class_init(SpiceSessionClass *klass)
      * use to simulate a software smartcard
      *
      * Since: 0.7
+     * Deprecated since: 0.28
      **/
     g_object_class_install_property
         (gobject_class, PROP_SMARTCARD_DB,
          g_param_spec_string("smartcard-db",
                               "Smartcard certificate database",
-                              "Path to the database for smartcard certificates",
+                              "Path to the database for smartcard certificates. Deprecated; add db=\"name\" to smartcard-args instead.",
                               NULL,
                               G_PARAM_READABLE |
                               G_PARAM_WRITABLE |
diff --git a/man/spice-client.pod b/man/spice-client.pod
index 69ea84c..0085345 100644
--- a/man/spice-client.pod
+++ b/man/spice-client.pod
@@ -140,27 +140,46 @@ when a SPICE connection to a remote display has been established.
 
 Display Spice-GTK version information
 
-=item --spice-smartcard
+=item --spice-smartcard=[smartcard-args]
 
 Enable smartcard support
 
+The optional argument can be:
+  emulnss   (default)
+  passthru
+  [db="<certificate-db>"] soft=(,Spice Software Smartcard,CAC,,cert1,cert2,cert3)
+
+The emulnss option is the default, and will cause the client to use libnss to access
+the card, and then to simulate a CAC card.
+
+The passthru option will cause the client to use pcsclite to access the card,
+and attempt to pass through the raw card data.
+
+The final option is used for testing to simulate a smartcard using certificates.
+
+The certificate-db is an optional path to the location of the certificates;
+the default is /etc/pki/nssdb.  cert1, cert2, and cert3 are certificate names that
+you have previously generated.
+
+See C<http://www.spice-space.org/page/SmartcardUsage#Using_a_software_smartcard>
+for more details about how to generate these certificates.
+
+You can also learn more about these arguments by examining the usage statement
+of the vscclient utility.
+
 =item --spice-smartcard-db=<certificate-db>
 
 Path to the local certificate database to use for software smartcard certificates
 
-This option is only useful for testing purpose. Instead of having a hardware
-smartcard reader, and a physical smartcard, you can specify a file containing 3
-certificates which will be used to emulate a smartcard in software. See
-C<http://www.spice-space.org/page/SmartcardUsage#Using_a_software_smartcard>
-for more details about how to generate these certificates.
+This option is deprecated; the database path should be given in the arguments to the
+--spice-smartcard option.
 
 =item --spice-smartcard-certificates=<certificates>
 
 Certificates to use for software smartcards (field=values separated by commas)
 
-This option is only useful for testing purpose. This allows to specify which
-certificates from the certificate database specified with --spice-smartcard-db
-should be used for smartcard emulation.
+This option is deprecated; the certificates should be passed as an argument to
+the --spice-smartcard option.
 
 =item --spice-cache-size=<bytes>
 
-- 
1.7.10.4

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]     [Monitors]