Web eID

From NixOS Wiki
Revision as of 14:19, 22 April 2023 by imported>Flokli (Created page with "The Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-ke...")

The Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography.

Check [1] for more details and an example application.

The application consists of the "Web eID" browser extension (available for Chrom{e,ium} and Firefox), and a native messaging host / application running on the system, which takes care of communication with the smart card.

NixOS Unstable (and 23.05, once released) has the native messaging host packaged as pkgs.web-eid-app. Some local system configuration is still necessary so that the browser knows the extension is allowed to launch the native host application, and where to find it.

PCSCD also needs to be enabled:

{
  services.pcscd.enable = true;
}
On the browser side, the "Web eID" browser extension needs to be installed, and the browser needs to know about the native messaging host.

Firefox

If you're using Firefox with programs.firefox.enable = true to configure it, you can set programs.firefox.nativeMessagingHosts.euwebid = true.

If you're building a firefox derivation yourself, you can override it with extraNativeMessagingHosts = [ pkgs.web-eid-app ];.

Google Chrome / Chromium

Google Chrome and Chromium read native messaging host manifests (JSON files) from /etc/opt/chrome/native-messaging-hosts or /etc/chromium/native-messaging-hosts (system-wide), or from ~/.config/google-chrome/NativeMessagingHosts or ~/.config/chromium/NativeMessagingHosts (per user).

To configure system-wide, use the following snippet:

{
  environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
  environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
}

For per-user configuration (inside home-manager), use the following:

{
  xdg.configFile."chromium/NativeMessagingHosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
  xdg.configFile."google-chrome/NativeMessagingHosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
}
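The steps above (pcscd, Firefox, Chrome/Chromium) combined into one NixOS module, as an added example that is not from this wiki page or the Web eID project. It uses only the option names already shown on this page; the commented-out Firefox override is the alternative for a self-built Firefox, and the let-bound manifest path is just a local name for the file under pkgs.web-eid-app.

```nix
# Added example: a single NixOS module enabling Web eID for Firefox and
# Chrome/Chromium. Not part of the NixOS Wiki page or the Web eID project.
{ config, pkgs, lib, ... }:

{
  # The native messaging host talks to the card reader through pcscd,
  # so the daemon must be running before anything else works.
  services.pcscd.enable = true;

  # Firefox managed by the NixOS module: register the Web eID native host.
  programs.firefox = {
    enable = true;
    nativeMessagingHosts.euwebid = true;
  };

  # Alternative if you build the Firefox derivation yourself instead:
  #   pkgs.firefox.override { extraNativeMessagingHosts = [ pkgs.web-eid-app ]; }

  # Chrome and Chromium read host manifests from /etc. Both paths point at
  # the manifest shipped with pkgs.web-eid-app; "manifest" is a local name
  # introduced here to avoid repeating the store path.
  environment.etc =
    let
      manifest = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
    in
    {
      "chromium/native-messaging-hosts/eu.webeid.json".source = manifest;
      "opt/chrome/native-messaging-hosts/eu.webeid.json".source = manifest;
    };
}
```

After `nixos-rebuild switch`, /etc/chromium/native-messaging-hosts/eu.webeid.json should resolve (through /etc/static) to a path under /nix/store, and `systemctl status pcscd.socket` should show the socket active; only then install the "Web eID" extension in the browser. The per-user home-manager variant replaces the environment.etc block with the xdg.configFile entries shown above.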

PKCS#11

Note some websites still use PKCS#11 instead of Web eID. This requires different configuration.