#StackBounty: #windows-server-2019 #smartcard Making (virtual) smartcard available to system service

Bounty: 100

I have a VM running Windows Server 2019 Datacenter Core, which is running a Jenkins build agent as a noninteractive service with its own local user account (.build).

Now I’d like to add code signing. To have at least a semblance of security, I want to use a virtual smartcard that is based on crypto operations on the host, so an attacker who is interested in copying key material would need to break out of the VM.

I have configured a virtual USB CCID reader with a card permanently inserted, and it shows up in Windows:

PS> Get-PnpDevice
...
Error      SmartCardReader Microsoft Usbccid Smartcard Reader (WUDF)                                        USBVID_08E6...
...

First, the Error state is concerning. I have applied this fix, which seems to have improved things a bit (the card shows up OK right after boot), but that doesn’t seem permanent.

The problem where I’m truly stuck however is the security model for smartcard access. Most documentation I could find concerns using the smartcard for logon, for which the policy is simple: the logon UI has access to the card to verify credentials, then passes on this access to the user session.

In my case however, I have a noninteractive logon that isn’t associated with a desktop. When I manually start the SCardSvr and ScDeviceEnum services, I cannot access the card even as Administrator when logged in via SSH:

The Microsoft Smart Card Resource Manager is not running.
SCardAccessStartedEvent: Service is in an unknown state.
CertUtil: -SCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.

which makes sense, and from the local console, as Administrator, I get

PS> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
SCardEstablishContext: The Smart Card Resource Manager is not running. 0x8010001d (-2146435043 SCARD_E_NO_SERVICE)
SCardEstablishContext failed for user scope.

The two services also terminate by themselves after two minutes.

Questions:

  • How can I verify that the emulated smartcard is seen as inserted and possibly list the contained certificates?
  • How can I give permission to a user to access the smartcard (certutil -scinfo would probably show that)?
  • How can I import a certificate that already exists on the smartcard into the local user’s key store? Do I need the original P7 certificate, or can I pull that from the card itself?
  • Do I need to do anything to keep the service running continuously, or will resolving the access problems also allow it to demand-start?
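
As an added example, not part of the original post and not Microsoft's own tooling, the PowerShell probe below walks the same path certutil -scinfo takes, but one step at a time, so the step that fails (service not reachable, no readers, reader present but no card) is visible per scope. It calls the real winscard.dll exports SCardEstablishContext, SCardListReaders and SCardGetStatusChange via P/Invoke; the service names SCardSvr and ScDeviceEnum and the error code 0x8010001D come from the question. The function name Get-SmartCardProbe, the error-name table and the result layout are my own choices.

```powershell
# Added example, not part of the original post: probe the smart card stack the way
# certutil -scinfo does, but one step at a time so the failing step is visible.
# Assumes winscard.dll (standard on Windows Server 2019) and the service names
# SCardSvr / ScDeviceEnum from the question. Run it in the context of the account
# that needs the card to see what that account can actually reach.

$winscardDef = @"
using System;
using System.Runtime.InteropServices;
public static class WinSCard
{
    public const uint SCARD_SCOPE_USER    = 0;
    public const uint SCARD_SCOPE_SYSTEM  = 2;
    public const uint SCARD_STATE_UNAWARE = 0x0000;
    public const uint SCARD_STATE_PRESENT = 0x0020;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SCARD_READERSTATE
    {
        public string szReader;
        public IntPtr pvUserData;
        public uint   dwCurrentState;
        public uint   dwEventState;
        public uint   cbAtr;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 36)]
        public byte[] rgbAtr;
    }

    [DllImport("winscard.dll")]
    public static extern int SCardEstablishContext(uint dwScope, IntPtr r1, IntPtr r2, out IntPtr phContext);
    [DllImport("winscard.dll")]
    public static extern int SCardReleaseContext(IntPtr hContext);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    public static extern int SCardListReaders(IntPtr hContext, string mszGroups, byte[] mszReaders, ref uint pcchReaders);
    [DllImport("winscard.dll", CharSet = CharSet.Unicode)]
    public static extern int SCardGetStatusChange(IntPtr hContext, uint dwTimeout, [In, Out] SCARD_READERSTATE[] rgReaderStates, uint cReaders);
}
"@
if (-not ('WinSCard' -as [type])) { Add-Type -TypeDefinition $winscardDef }

# Return codes from winscard.h that this probe commonly hits; anything else is shown as raw hex.
$scardErrors = @{
    '0x8010000A' = 'SCARD_E_TIMEOUT'
    '0x8010000C' = 'SCARD_E_NO_SMARTCARD'
    '0x8010001D' = 'SCARD_E_NO_SERVICE'
    '0x8010002E' = 'SCARD_E_NO_READERS_AVAILABLE'
}
function Format-ScardResult([int]$rc) {
    if ($rc -eq 0) { return 'SCARD_S_SUCCESS' }
    $hex = '0x{0:X8}' -f $rc
    if ($scardErrors.ContainsKey($hex)) { "$hex $($scardErrors[$hex])" } else { $hex }
}

function Get-SmartCardProbe {
    # Step 1: the two services from the question, with their start type (Manual = demand-start).
    $services = Get-Service -Name SCardSvr, ScDeviceEnum -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    # Step 2: reach the resource manager at both scopes. certutil -scinfo uses user
    # scope; a logon without a desktop may succeed only at system scope, or at neither.
    $scopes = [ordered]@{ USER = [WinSCard]::SCARD_SCOPE_USER; SYSTEM = [WinSCard]::SCARD_SCOPE_SYSTEM }
    $readers = foreach ($scopeName in $scopes.Keys) {
        $ctx = [IntPtr]::Zero
        $rc  = [WinSCard]::SCardEstablishContext($scopes[$scopeName], [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ctx)
        if ($rc -ne 0) {
            [pscustomobject]@{ Scope = $scopeName; Reader = $null; CardPresent = $null; Atr = $null; Result = Format-ScardResult $rc }
            continue
        }
        try {
            # Step 3: enumerate readers (two-call pattern: ask for the size, then fill).
            [uint32]$chars = 0
            $rc = [WinSCard]::SCardListReaders($ctx, $null, $null, [ref]$chars)
            if ($rc -ne 0) {
                [pscustomobject]@{ Scope = $scopeName; Reader = $null; CardPresent = $null; Atr = $null; Result = Format-ScardResult $rc }
                continue
            }
            $buf   = New-Object byte[] ($chars * 2)   # wide chars, multi-string terminated by a double NUL
            $rc    = [WinSCard]::SCardListReaders($ctx, $null, $buf, [ref]$chars)
            $names = [Text.Encoding]::Unicode.GetString($buf).Split([char]0) | Where-Object { $_ }

            # Step 4: ask the resource manager whether a card is inserted in each reader.
            foreach ($name in $names) {
                $state = New-Object WinSCard+SCARD_READERSTATE
                $state.szReader       = $name
                $state.dwCurrentState = [WinSCard]::SCARD_STATE_UNAWARE   # forces an immediate answer
                $states = [WinSCard+SCARD_READERSTATE[]]@($state)
                $rc = [WinSCard]::SCardGetStatusChange($ctx, 0, $states, 1)
                $present = $rc -eq 0 -and (($states[0].dwEventState -band [WinSCard]::SCARD_STATE_PRESENT) -ne 0)
                $atr = if ($present -and $states[0].cbAtr -gt 0) {
                    ($states[0].rgbAtr[0..($states[0].cbAtr - 1)] | ForEach-Object { $_.ToString('X2') }) -join ''
                }
                [pscustomobject]@{ Scope = $scopeName; Reader = $name; CardPresent = $present; Atr = $atr; Result = Format-ScardResult $rc }
            }
        } finally {
            [void][WinSCard]::SCardReleaseContext($ctx)
        }
    }

    # Step 5: the command from the question, for comparison. -silent avoids a PIN prompt
    # when the probe runs where nobody can answer one.
    $scinfo = & certutil.exe -silent -scinfo 2>&1 | Out-String
    [pscustomobject]@{
        Services         = $services
        Readers          = $readers
        CertutilExitCode = $LASTEXITCODE
        Certutil         = $scinfo
    }
}

Get-SmartCardProbe | Format-List
```

Run it once from the local console and once in the build account's context. The Scope column separates a user-scope failure like the one in the certutil output above from a system-scope failure, which is the first distinction to pin down before touching permissions; a row with CardPresent true and a non-empty Atr confirms the emulated card is seen as inserted. The StartType column of the two services shows whether they are configured for demand start, and Result carries the raw winscard return code so that codes not in the small name table are still diagnosable.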

