I have a VM running Windows Server 2019 Datacenter Core, which is running a Jenkins build agent as a noninteractive service with its own local user account (
Now I’d like to add code signing. To have at least a semblance of security, I want to use a virtual smartcard that is based on crypto operations on the host, so an attacker who is interested in copying key material would need to break out of the VM.
I have configured a virtual USB CCID reader with a card permanently inserted, and it shows up in Windows:
```
PS> Get-PnpDevice ...
Error   SmartCardReader   Microsoft Usbccid Smartcard Reader (WUDF)   USBVID_08E6... ...
```
Error state is concerning. I have applied this fix, which seems to have improved things a bit (the card shows up OK right after boot), but that doesn’t seem permanent.
The problem where I’m truly stuck however is the security model for smartcard access. Most documentation I could find concerns using the smartcard for logon, for which the policy is simple: the logon UI has access to the card to verify credentials, then passes on this access to the user session.
In my case however, I have a noninteractive logon that isn’t associated with a desktop. When I manually start the `ScDeviceEnum` services, I cannot access the card even as Administrator when logged in via SSH:

```
The Microsoft Smart Card Resource Manager is not running.
SCardAccessStartedEvent: Service is in an unknown state.
CertUtil: -SCInfo command FAILED: 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)
CertUtil: Access is denied.
```
which makes sense, and from the local console, as Administrator, I get

```
PS> certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
SCardEstablishContext: The Smart Card Resource Manager is not running. 0x8010001d (-2146435043 SCARD_E_NO_SERVICE)
SCardEstablishContext failed for user scope.
```
The two services also terminate by themselves after two minutes.
- How can I verify that the emulated smartcard is seen as inserted and possibly list the contained certificates?
- How can I give permission to a user to access the smartcard (`certutil -scinfo` would probably show that)?
- How can I import a certificate that already exists on the smartcard into the local user’s key store? Do I need the original P7 certificate, or can I pull that from the card itself?
- Do I need to do anything to keep the service running continuously, or will resolving the access problems also allow it to demand-start?