Web eID: Difference between revisions

(8 intermediate revisions by 6 users not shown)

Line 1:

~~The~~ Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography.

eThe Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography.

Check [https://web-eid.eu/|web-eid.eu] for more details and an example application.

Line 19:

== Firefox ==

If ~~you're using~~ Firefox~~, and~~ <code>programs.firefox.enable = true</code> ~~to configure your firefox~~, ~~you~~ can ~~set <code>ic|programs~~.~~firefox~~.~~nativeMessagingHosts.euwebid = true}</code>~~.

Firefox requires an additional browser extension for Web eID to work. If Firefox is enabled with <code>programs.firefox.enable = true</code>, this can specified system-wide, as follows...

If you're building a ~~firefox~~ derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.

<syntaxhighlight lang="nix">programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];</syntaxhighlight>

...or per user with Home Manager, as follows:<syntaxhighlight lang="nix">

programs.firefox.nativeMessagingHosts = [ pkgs.web-eid-app ];

</syntaxhighlight>

If you're building a Firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.

== Google Chrome / Chromium ==

Line 46:

Line 53:

== PKCS#11 ==

Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.

Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.

We configure the browser(s) to load PKCS#11 modules via the <code>p11-kit-proxy</code> module as configured in <code>/etc/pkcs11/modules</code>, and configure <code>opensc-pkcs11.so</code> in there.

{

# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots

# (PIN1 for authentication/decryption, PIN2 for signing).

environment.etc."pkcs11/modules/opensc-pkcs11".text = ''

module: ${pkgs.opensc}/lib/opensc-pkcs11.so

'';

}

</syntaxhighlight>

=== Firefox ===

Firefox can be configured to load PKCS#11 tokens with the following snippet:

{

programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";

}

</syntaxhighlight>

If you're building a firefox derivation yourself, you can override it with <code>extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";</code>.

=== Google Chrome / Chromium ===

Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens.

We need to invoke the <code>modutil</code> command on the nssdb, and render a script that'll reconfigure it:

environment.systemPackages = [

# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load

# security devices, so they can be used for TLS client auth.

# Each user needs to run this themselves, it does not work on a system level

# due to a bug in Chromium:

#

# https://bugs.chromium.org/p/chromium/issues/detail?id=16387

(pkgs.writeShellScriptBin "setup-browser-eid" ''

NSSDB="''${HOME}/.pki/nssdb"

mkdir -p ''${NSSDB}

${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \

-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so

'')

];

</syntaxhighlight>

Invoke <code>setup-browser-eid</code> to configure (and whenever this gets garbage-collected), and restart your browser.

== Belgian eID cards ==

The Web eID browser extension, used for authentication with Belgian eID cards, requires the PKCS#11 module <code>libbeidpkcs11.so.0</code> to be available in the directory <code>/usr/lib/x86_64-linux-gnu/</code>. Since this directory does not exist by default on NixOS, the Web eID application installed on the host system will not detect or support Belgian eID cards.

To resolve this, you can create a symlink from the Nix store version of <code>beidpkcs11.so</code>, provided by the <code>eid-mw</code> package, into <code>/usr/lib/x86_64-linux-gnu/</code>:<syntaxhighlight lang="nix">system.activationScripts.web-eid-app = {

text = ''

mkdir -p /usr/lib/x86_64-linux-gnu

ln -sf ${pkgs.eid-mw}/lib/pkcs11/beidpkcs11.so /usr/lib/x86_64-linux-gnu/libbeidpkcs11.so.0

'';

};</syntaxhighlight>This script ensures the required symlink is created at system activation time and remains up to date with the correct Nix store path for <code>eid-mw</code>.

[[Category:Hardware]]

[[Category:Applications]]

[[Category:Web Applications]]

@@ Line 1: / Line 1: @@
-The Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography.
+eThe Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography.
 Check [https://web-eid.eu/|web-eid.eu] for more details and an example application.
@@ Line 19: / Line 19: @@
 == Firefox ==
-If you're using Firefox, and  <code>programs.firefox.enable = true</code> to configure your firefox, you can set <code>ic|programs.firefox.nativeMessagingHosts.euwebid = true}</code>.
+Firefox requires an additional browser extension for Web eID to work. If Firefox is enabled with <code>programs.firefox.enable = true</code>, this can specified system-wide, as follows...
-If you're building a firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.
+<syntaxhighlight lang="nix">programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];</syntaxhighlight>
+...or per user with Home Manager, as follows:<syntaxhighlight lang="nix">
+programs.firefox.nativeMessagingHosts = [ pkgs.web-eid-app ];
+</syntaxhighlight>
+If you're building a Firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.
 == Google Chrome / Chromium ==
@@ Line 46: / Line 53: @@
 == PKCS#11 ==
-Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.
+Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.
+We configure the browser(s) to load PKCS#11 modules via the <code>p11-kit-proxy</code> module as configured in <code>/etc/pkcs11/modules</code>, and configure <code>opensc-pkcs11.so</code> in there.
+<syntaxhighlight lang="nix">
+{
+  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
+  # (PIN1 for authentication/decryption, PIN2 for signing).
+  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+    module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+  '';
+}
+</syntaxhighlight>
+=== Firefox ===
+Firefox can be configured to load PKCS#11 tokens with the following snippet:
+<syntaxhighlight lang="nix">
+{
+  programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+}
+</syntaxhighlight>
+If you're building a firefox derivation yourself, you can override it with <code>extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";</code>.
+=== Google Chrome / Chromium ===
+Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens.
+We need to invoke the <code>modutil</code> command on the nssdb, and render a script that'll reconfigure it:
+<syntaxhighlight lang="nix">
+  environment.systemPackages = [
+    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
+    # security devices, so they can be used for TLS client auth.
+    # Each user needs to run this themselves, it does not work on a system level
+    # due to a bug in Chromium:
+    #
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
+    (pkgs.writeShellScriptBin "setup-browser-eid" ''
+      NSSDB="''${HOME}/.pki/nssdb"
+      mkdir -p ''${NSSDB}
+      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
+        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
+    '')
+  ];
+</syntaxhighlight>
+Invoke <code>setup-browser-eid</code> to configure (and whenever this gets garbage-collected), and restart your browser.
+== Belgian eID cards ==
+The Web eID browser extension, used for authentication with Belgian eID cards, requires the PKCS#11 module <code>libbeidpkcs11.so.0</code> to be available in the directory <code>/usr/lib/x86_64-linux-gnu/</code>. Since this directory does not exist by default on NixOS, the Web eID application installed on the host system will not detect or support Belgian eID cards.
+To resolve this, you can create a symlink from the Nix store version of <code>beidpkcs11.so</code>, provided by the <code>eid-mw</code> package, into <code>/usr/lib/x86_64-linux-gnu/</code>:<syntaxhighlight lang="nix">system.activationScripts.web-eid-app = {
+  text = ''
+    mkdir -p /usr/lib/x86_64-linux-gnu
+    ln -sf ${pkgs.eid-mw}/lib/pkcs11/beidpkcs11.so /usr/lib/x86_64-linux-gnu/libbeidpkcs11.so.0
+  '';
+};</syntaxhighlight>This script ensures the required symlink is created at system activation time and remains up to date with the correct Nix store path for <code>eid-mw</code>.
+[[Category:Hardware]]
+[[Category:Applications]]
+[[Category:Web Applications]]