Web eID: Difference between revisions

(6 intermediate revisions by 4 users not shown)

Line 19:

== Firefox ==

If you're using Firefox, and <code>programs.firefox.enable = true</code> to configure your firefox, you can set <~~code~~>~~ic|~~programs.firefox.nativeMessagingHosts.~~euwebid~~ = ~~true}~~</~~code~~>.

If you're using Firefox, and <code>programs.firefox.enable = true</code> to configure your firefox, you can set:

programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];

</syntaxhighlight>

If you're building a firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.

Line 46:

Line 51:

== PKCS#11 ==

Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.

Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.

We configure the browser(s) to load PKCS#11 modules via the <code>p11-kit-proxy</code> module as configured in <code>/etc/pkcs11/modules</code>, and configure <code>opensc-pkcs11.so</code> in there.

{

# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots

# (PIN1 for authentication/decryption, PIN2 for signing).

environment.etc."pkcs11/modules/opensc-pkcs11".text = ''

module: ${pkgs.opensc}/lib/opensc-pkcs11.so

'';

}

</syntaxhighlight>

=== Firefox ===

Firefox can be configured to load PKCS#11 tokens with the following snippet:

{

programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";

}

</syntaxhighlight>

If you're building a firefox derivation yourself, you can override it with <code>extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";</code>.

=== Google Chrome / Chromium ===

Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens.

We need to invoke the <code>modutil</code> command on the nssdb, and render a script that'll reconfigure it:

environment.systemPackages = [

# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load

# security devices, so they can be used for TLS client auth.

# Each user needs to run this themselves, it does not work on a system level

# due to a bug in Chromium:

#

# https://bugs.chromium.org/p/chromium/issues/detail?id=16387

(pkgs.writeShellScriptBin "setup-browser-eid" ''

NSSDB="''${HOME}/.pki/nssdb"

mkdir -p ''${NSSDB}

${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \

-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so

'')

];

</syntaxhighlight>

Invoke <code>setup-browser-eid</code> to configure (and whenever this gets garbage-collected), and restart your browser.

== Belgian eID cards ==

The Web eID browser extension, used for authentication with Belgian eID cards, requires the PKCS#11 module <code>libbeidpkcs11.so.0</code> to be available in the directory <code>/usr/lib/x86_64-linux-gnu/</code>. Since this directory does not exist by default on NixOS, the Web eID application installed on the host system will not detect or support Belgian eID cards.

To resolve this, you can create a symlink from the Nix store version of <code>beidpkcs11.so</code>, provided by the <code>eid-mw</code> package, into <code>/usr/lib/x86_64-linux-gnu/</code>:<syntaxhighlight lang="nix">system.activationScripts.web-eid-app = {

text = ''

mkdir -p /usr/lib/x86_64-linux-gnu

ln -sf ${pkgs.eid-mw}/lib/pkcs11/beidpkcs11.so /usr/lib/x86_64-linux-gnu/libbeidpkcs11.so.0

'';

};</syntaxhighlight>This script ensures the required symlink is created at system activation time and remains up to date with the correct Nix store path for <code>eid-mw</code>.

[[Category:Hardware]]

[[Category:Applications]]

[[Category:Web Applications]]

@@ Line 19: / Line 19: @@
 == Firefox ==
-If you're using Firefox, and  <code>programs.firefox.enable = true</code> to configure your firefox, you can set <code>ic|programs.firefox.nativeMessagingHosts.euwebid = true}</code>.
+If you're using Firefox, and  <code>programs.firefox.enable = true</code> to configure your firefox, you can set:
+<syntaxhighlight lang="nix">
+programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
+</syntaxhighlight>
 If you're building a firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.
@@ Line 46: / Line 51: @@
 == PKCS#11 ==
-Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.
+Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.
+We configure the browser(s) to load PKCS#11 modules via the <code>p11-kit-proxy</code> module as configured in <code>/etc/pkcs11/modules</code>, and configure <code>opensc-pkcs11.so</code> in there.
+<syntaxhighlight lang="nix">
+{
+  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
+  # (PIN1 for authentication/decryption, PIN2 for signing).
+  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+    module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+  '';
+}
+</syntaxhighlight>
+=== Firefox ===
+Firefox can be configured to load PKCS#11 tokens with the following snippet:
+<syntaxhighlight lang="nix">
+{
+  programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+}
+</syntaxhighlight>
+If you're building a firefox derivation yourself, you can override it with <code>extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";</code>.
+=== Google Chrome / Chromium ===
+Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens.
+We need to invoke the <code>modutil</code> command on the nssdb, and render a script that'll reconfigure it:
+<syntaxhighlight lang="nix">
+  environment.systemPackages = [
+    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
+    # security devices, so they can be used for TLS client auth.
+    # Each user needs to run this themselves, it does not work on a system level
+    # due to a bug in Chromium:
+    #
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
+    (pkgs.writeShellScriptBin "setup-browser-eid" ''
+      NSSDB="''${HOME}/.pki/nssdb"
+      mkdir -p ''${NSSDB}
+      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
+        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
+    '')
+  ];
+</syntaxhighlight>
+Invoke <code>setup-browser-eid</code> to configure (and whenever this gets garbage-collected), and restart your browser.
+== Belgian eID cards ==
+The Web eID browser extension, used for authentication with Belgian eID cards, requires the PKCS#11 module <code>libbeidpkcs11.so.0</code> to be available in the directory <code>/usr/lib/x86_64-linux-gnu/</code>. Since this directory does not exist by default on NixOS, the Web eID application installed on the host system will not detect or support Belgian eID cards.
+To resolve this, you can create a symlink from the Nix store version of <code>beidpkcs11.so</code>, provided by the <code>eid-mw</code> package, into <code>/usr/lib/x86_64-linux-gnu/</code>:<syntaxhighlight lang="nix">system.activationScripts.web-eid-app = {
+  text = ''
+    mkdir -p /usr/lib/x86_64-linux-gnu
+    ln -sf ${pkgs.eid-mw}/lib/pkcs11/beidpkcs11.so /usr/lib/x86_64-linux-gnu/libbeidpkcs11.so.0
+  '';
+};</syntaxhighlight>This script ensures the required symlink is created at system activation time and remains up to date with the correct Nix store path for <code>eid-mw</code>.
+[[Category:Hardware]]
+[[Category:Applications]]
+[[Category:Web Applications]]