Yeah, I had to both copy the certs to my local nss db and then again into the qemu command line. I chose the emulated backend with passing in certs. I tried getting passthru to work but no dice so gave up and chose emulated.

sudo qemu-system-x86_64 -enable-kvm -m 1024 \
  -nic user,model=virtio \
  -chardev socket,server=on,host=0.0.0.0,port=2001,id=ccid,wait=off \
  -drive file=root.img,media=disk,index=0,if=virtio \
  -drive file=seed.img,index=1,media=cdrom \
  -usb -device usb-ccid \
  -device ccid-card-emulated,backend=certificates,db=sql:$HOME/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=fake-smartcard-ca \
  -usb -device virtio-rng-pci -nographic

# check db if you see certs, make sure you can see the fake cert listed there in the nss db this is locally and then once again inside of the vm.
certutil -d sql:$HOME/.pki/nssdb -L

user1@ubuntu:~$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fake-smartcard-ca                                            CT,C,C
card-cert.pem                                                CT,C,C

The fake-smartcard-ca is what was passed into the vm.

turn on super debug mode if pcsc_scan still not working
# https://ccid.apdu.fr/
sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color | tee -i log.txt

potentially helpful script to scan card
curl https://ccid.apdu.fr/files/parse.sh | bash -

scp fake-smartcard/* to vm

final output

PC/SC device scanner
V 1.7.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rouss...@free.fr>
SCardEstablishContext: Access denied.
user1@ubuntu:~$ sudo su
root@ubuntu:/home/user1# pcsc_scan
PC/SC device scanner
V 1.7.2 (c) 2001-2022, Ludovic Rousseau <ludovic.rouss...@free.fr>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00

Tue Jul 15 16:53:49 2025
 Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:01.2-1) 00 00
  Event number: 0
  Card state: Card inserted,
  ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34

ATR: 3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
+ TS = 3B --> Direct Convention
+ T0 = 7A, Y(1): 0111, K: 10 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 73 66 74 65 20 63 64 31 34 34
  Category indicator byte: 73 (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7A 18 00 00 73 66 74 65 20 63 64 31 34 34
        Republic Slovenia e-Gov, Ministry of Public Administration
        SIGOV-CA, Slovenian Governmental Certification Authority
        Giesecke & Devrient
        (PIV Endpoint)
        G&D Sm@rtCafe Expert v3.2

$ qemu-system-x86_64 -device help | grep smartcard
name "ccid-card-emulated", bus ccid-bus, desc "emulated smartcard"
name "ccid-card-passthru", bus ccid-bus, desc "passthrough smartcard"
name "usb-ccid", bus usb-bus, desc "CCID Rev 1.1 smartcard reader"

It was mostly getting the certificates inside of the nssdb and passing that into the vm command.

https://www.qemu.org/docs/master/system/devices/ccid.html
https://www.spice-space.org/smartcard-usage.html
https://ccid.apdu.fr/
https://ccid.apdu.fr/#CCID_compliant
https://manpages.ubuntu.com/manpages/focal/man1/certutil.1.html

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2110521

Title:
  Continue searching other PKCS#11 tokens if certificates are not found
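
The setup in the message above depends on every certN= nickname in the ccid-card-emulated option being present in the NSS db that db= points to, so a pre-flight check can compare the two before the VM is booted. This is an added example, not part of the original message or of QEMU/NSS: the function names are hypothetical, and the sample input is constructed from the listing above with a deliberately absent nickname (missing-cert).

```sh
#!/bin/sh
# Added example: confirm every certN= nickname given to ccid-card-emulated
# exists in the NSS db listing. Function names are hypothetical.

# Split a "-device ccid-card-emulated,..." value into one key=value per line.
ccid_fields() { printf '%s\n' "$1" | tr ',' '\n'; }

# NSS db spec (the db=... value) from the option string.
ccid_db() { ccid_fields "$1" | sed -n 's/^db=//p'; }

# De-duplicated certN= nicknames from the option string.
ccid_cert_nicknames() {
    ccid_fields "$1" | sed -n 's/^cert[0-9][0-9]*=//p' | sort -u
}

# Nicknames from `certutil -L` output on stdin: keep only rows ending in a
# three-part trust column (e.g. CT,C,C), which skips both header lines.
nss_nicknames() {
    sed -n 's/^\(.*[^ ]\)  *[A-Za-z]*,[A-Za-z]*,[A-Za-z]* *$/\1/p'
}

# Print each nickname the option string references that the listing lacks.
# $1 = option string, $2 = text of `certutil -d <db> -L`
missing_nicknames() {
    have=$(printf '%s\n' "$2" | nss_nicknames)
    ccid_cert_nicknames "$1" | while IFS= read -r nick; do
        printf '%s\n' "$have" | grep -Fxq -- "$nick" || printf '%s\n' "$nick"
    done
}

# Constructed sample input: cert3 is changed to a nickname that is not in
# the listing so the check has something to report.
SAMPLE_OPTS='ccid-card-emulated,backend=certificates,db=sql:/home/user1/.pki/nssdb,cert1=fake-smartcard-ca,cert2=fake-smartcard-ca,cert3=missing-cert'
SAMPLE_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

fake-smartcard-ca                                            CT,C,C
card-cert.pem                                                CT,C,C
'

# On a real host, feed it the live listing instead:
#   missing_nicknames "$OPTS" "$(certutil -d "$(ccid_db "$OPTS")" -L)"
echo "missing from NSS db: $(missing_nicknames "$SAMPLE_OPTS" "$SAMPLE_LIST")"
```

An empty result means every referenced nickname is present in the listing; the same check can be repeated inside the guest against its own NSS db.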