I have a VM running Windows Server 2019 Datacenter Core, which is running a Jenkins build agent as a noninteractive service with its own local user account (.\build
).
Now I'd like to add code signing. To have at least a semblance of security, I want to use a virtual smartcard that is based on crypto operations on the host, so an attacker who is interested in copying key material would need to break out of the VM.
I have configured a virtual USB CCID reader with a card permanently inserted, and it shows up in Windows:
PS> Get-PnpDevice
...
Error SmartCardReader Microsoft Usbccid Smartcard Reader (WUDF) USB\VID_08E6...
...
First, the Error
state is concerning. I have applied this fix, which seems to have improved things a bit (the card shows up OK
right after boot), but that doesn't seem permanent.
The problem where I'm truly stuck however is the security model for smartcard access. Most documentation I could find concerns using the smartcard for logon, for which the policy is simple: the logon UI has access to the card to verify credentials, then passes on this access to the user session.
In my case however, I have a noninteractive logon that isn't associated with a desktop. When I manually start the SCardSvr
and ScDeviceEnum
services, I cannot access the card even as Administrator when logged in via SSH:
The Microsoft Smart Card Resource Manager is not running.
SCardAccessStartedEvent: Service is in an unknown state.
CertUtil: -SCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
which makes sense, and from the local console, as Administrator, I get
PS> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
SCardEstablishContext: The Smart Card Resource Manager is not running. 0x8010001d (-2146435043 SCARD_E_NO_SERVICE)
SCardEstablishContext failed for user scope.
The two services also terminate by themselves after two minutes.
Questions:
- How can I verify that the emulated smartcard is seen as inserted and possibly list the contained certificates?
- How can I give permission to a user to access the smartcard (
certutil -scinfo
would probably show that)? - How can I import a certificate that already exists on the smartcard into the local user's key store? Do I need the original P7 certificate, or can I pull that from the card itself?
- Do I need to do anything to keep the service running continuously, or will resolving the access problems also allow it to demand-start?
0 Answers