Web eID: Difference between revisions

Line 19:

== Firefox ==

If you're using Firefox, and <code>programs.firefox.enable = true</code> to configure your firefox, you can set <code>~~ic|~~programs.firefox.nativeMessagingHosts.euwebid = true}</code>.

If you're using Firefox, and <code>programs.firefox.enable = true</code> to configure your firefox, you can set <code>programs.firefox.nativeMessagingHosts.euwebid = true;</code>.

If you're building a firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.

Line 46:

== PKCS#11 ==

Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.

Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.

We configure the browser(s) to load PKCS#11 modules via the <code>p11-kit-proxy</code> module as configured in <code>/etc/pkcs11/modules</code>, and configure <code>opensc-pkcs11.so</code> in there.

{

# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots

# (PIN1 for authentication/decryption, PIN2 for signing).

environment.etc."pkcs11/modules/opensc-pkcs11".text = ''

module: ${pkgs.opensc}/lib/opensc-pkcs11.so

'';

}

</syntaxhighlight>

=== Firefox ===

Firefox can be configured to load PKCS#11 tokens with the following snippet:

{

programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";

}

</syntaxhighlight>

If you're building a firefox derivation yourself, you can override it with <code>extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";</code>.

=== Google Chrome / Chromium ===

Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens.

We need to invoke the <code>modutil</code> command on the nssdb, and render a script that'll reconfigure it:

environment.systemPackages = with pkgs; [

# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load

# security devices, so they can be used for TLS client auth.

# Each user needs to run this themselves, it does not work on a system level

# due to a bug in Chromium:

#

# https://bugs.chromium.org/p/chromium/issues/detail?id=16387

#

# Firefox users can just set

# extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";

# when overriding the firefox derivation.

(pkgs.writeShellScriptBin "setup-browser-eid" ''

NSSDB="''${HOME}/.pki/nssdb"

mkdir -p ''${NSSDB}

${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \

-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so

'')

];

</syntaxhighlight>

Invoke <code>setup-browser-eid</code> to configure (and whenever this gets garbage-collected), and restart your browser.

@@ Line 19: / Line 19: @@
 == Firefox ==
-If you're using Firefox, and  <code>programs.firefox.enable = true</code> to configure your firefox, you can set <code>ic|programs.firefox.nativeMessagingHosts.euwebid = true}</code>.
+If you're using Firefox, and  <code>programs.firefox.enable = true</code> to configure your firefox, you can set <code>programs.firefox.nativeMessagingHosts.euwebid = true;</code>.
 If you're building a firefox derivation yourself, you can override it with <code>extraNativeMessagingHosts = [ pkgs.web-eid-app ];</code>.
@@ Line 46: / Line 46: @@
 == PKCS#11 ==
-Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.
+Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.
+We configure the browser(s) to load PKCS#11 modules via the <code>p11-kit-proxy</code> module as configured in <code>/etc/pkcs11/modules</code>, and configure <code>opensc-pkcs11.so</code> in there.
+<syntaxhighlight lang="nix">
+{
+  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
+  # (PIN1 for authentication/decryption, PIN2 for signing).
+  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
+    module: ${pkgs.opensc}/lib/opensc-pkcs11.so
+  '';
+}
+</syntaxhighlight>
+=== Firefox ===
+Firefox can be configured to load PKCS#11 tokens with the following snippet:
+<syntaxhighlight lang="nix">
+{
+  programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+}
+</syntaxhighlight>
+If you're building a firefox derivation yourself, you can override it with <code>extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";</code>.
+=== Google Chrome / Chromium ===
+Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens.
+We need to invoke the <code>modutil</code> command on the nssdb, and render a script that'll reconfigure it:
+<syntaxhighlight lang="nix">
+  environment.systemPackages = with pkgs; [
+    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
+    # security devices, so they can be used for TLS client auth.
+    # Each user needs to run this themselves, it does not work on a system level
+    # due to a bug in Chromium:
+    #
+    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
+    #
+    # Firefox users can just set
+    # extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
+    # when overriding the firefox derivation.
+    (pkgs.writeShellScriptBin "setup-browser-eid" ''
+      NSSDB="''${HOME}/.pki/nssdb"
+      mkdir -p ''${NSSDB}
+      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
+        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
+    '')
+  ];
+</syntaxhighlight>
+Invoke <code>setup-browser-eid</code> to configure (and whenever this gets garbage-collected), and restart your browser.