# libcacard
[![pipeline status](https://gitlab.freedesktop.org/spice/libcacard/badges/master/pipeline.svg)](https://gitlab.freedesktop.org/spice/libcacard/commits/master)
[![coverage report](https://gitlab.freedesktop.org/spice/libcacard/badges/master/coverage.svg)](https://gitlab.freedesktop.org/spice/libcacard/commits/master)
[![cii best practices](https://bestpractices.coreinfrastructure.org/projects/3465/badge)](https://bestpractices.coreinfrastructure.org/en/projects/3465)

CAC (Common Access Card) library

This library provides emulation of smart cards to a virtual card
reader running in a guest virtual machine.

It implements the DoD CAC standard with separate PKI containers
(compatible with coolkey and OpenSC), using certificates read from NSS.

# Documentation

The API documentation is available in the
[docs/libcacard.txt](https://gitlab.freedesktop.org/spice/libcacard/blob/master/docs/libcacard.txt)
file.

libcacard is used internally by SPICE to emulate and share smart cards
from the client system to local or remote VMs. The overall integration of
smart card sharing can look like this:

```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                       ~~~~~~~~~~~~~~~~~~~~
~                                                 ~                       ~                  ~
~   +-----+                                       ~                       ~                  ~
~   |     |                  Client               ~                       ~      Server      ~
~   |Smart|                                       ~                       ~                  ~
~ +-|Card |-+                                     ~                       ~                  ~
~ | |     | |                                     ~                       ~ +--------------+ ~
~ | ------- |                                     ~                       ~ | VM           | ~
~ | Reader  |                                     ~                       ~ | +---------+  | ~
~ +---------+                                     ~                       ~ | | virtual |  | ~
~      |                                          ~                       ~ | | CCID    |  | ~
~      |                                          ~                       ~ | | device  |  | ~
~ +---------+  +--------+  +-----+  +-----------+ ~                       ~ | +---------+  | ~
~ | pcscd   |--| OpenSC |--| NSS |--| libcacard | ~                       ~ | qemu-kvm     | ~
~ +---------+  +--------+  +-----+  +-----------+ ~                       ~ +--------------+ ~
~                                         |       ~                       ~        |         ~
~                                         |       ~                       ~        |         ~
~             +---------------+  +--------------+ ~                       ~ +--------------+ ~
~             | remote-viewer |--| spice-client | ~ <=[ spice channel ]=> ~ | spice-server | ~
~             +---------------+  +--------------+ ~                       ~ +--------------+ ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                       ~~~~~~~~~~~~~~~~~~~~
```

In the case of smart card emulation, the client-side smart card stack is not needed:

```
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                       ~~~~~~~~~~~~~~~~~~~~
~                                     ~                       ~                  ~
~               Client                ~                       ~      Server      ~
~                                     ~                       ~                  ~
~                                     ~                       ~ +--------------+ ~
~                                     ~                       ~ | VM           | ~
~                                     ~                       ~ | +---------+  | ~
~                                     ~                       ~ | | virtual |  | ~
~                                     ~                       ~ | | CCID    |  | ~
~                                     ~                       ~ | | device  |  | ~
~             +-----+  +-----------+  ~                       ~ | +---------+  | ~
~             | NSS |--| libcacard |  ~                       ~ | qemu-kvm     | ~
~             +-----+  +-----------+  ~                       ~ +--------------+ ~
~                            |        ~                       ~        |         ~
~                            |        ~                       ~        |         ~
~ +---------------+  +--------------+ ~                       ~ +--------------+ ~
~ | remote-viewer |--| spice-client | ~ <=[ spice channel ]=> ~ | spice-server | ~
~ +---------------+  +--------------+ ~                       ~ +--------------+ ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                       ~~~~~~~~~~~~~~~~~~~~
```

The virtual machine can access the shared or emulated smart card like any other
smart card connected to the system through a USB reader. No additional
software or drivers are needed, so this works regardless of the operating system
(assuming there is a driver understanding PC/SC and appropriate middleware
understanding the GSC-IS 2.1 CAC specification).

For more information about libcacard, see the following links to the SPICE documentation:

* https://www.spice-space.org/smartcard-usage.html
* https://www.spice-space.org/spice-user-manual.html#_cac_smartcard_redirection
# Contributing
To read how to submit a bug or contribute your changes to libcacard, see the
[CONTRIBUTION.md](https://gitlab.freedesktop.org/spice/libcacard/blob/master/CONTRIBUTION.md)
in this repository.
# History
This project used to be part of qemu until version 2.5. The history
has been preserved and it inherits the tags and version.
# Authors
This project was originally developed by:
- Alon Levy <alevy@redhat.com>
- Robert Relyea <rrelyea@redhat.com>

Extended to the new GSC-IS 2.1 standard by:
- Jakub Jelen <jjelen@redhat.com>