Web eID

From NixOS Wiki

The Web eID project enables usage of European Union electronic identity (eID) smart cards for secure authentication and digital signing of documents on the web using public-key cryptography.

Check [1] for more details and an example application.

The application consists of the "Web eID" browser extension (available for Chrom{e,ium} and Firefox), and a native messaging host / application running on the system, which takes care of communication with the smart card.

NixOS Unstable (and 23.05, once released) have the native messaging host packaged. Some local system configuration is still necessary, so the browsers know the extension is allowed to execute the native host application, and where it can find it.

PCSCD also needs to be enabled:

  services.pcscd.enable = true;

On the browser side, the "Web eID" browser extension needs to be installed, and the browser needs to know about the native messaging host.


If you're using Firefox, and programs.firefox.enable = true to configure your firefox, you can set:

programs.firefox.nativeMessagingHosts.euwebid = true;

If you're building a firefox derivation yourself, you can override it with extraNativeMessagingHosts = [ pkgs.web-eid-app ];.

Google Chrome / Chromium

Google Chrome and Chromium read JSON files from the /etc/opt/chrome/native-messaging-hosts or /etc/chromium/native-messaging-hosts directories (system-wide) / ~/.config/google-chrome/NativeMessagingHosts or ~/.config/chromium/NativeMessagingHosts (per user).

To configure system-wide, use the following snippet:

  environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
  environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";

For user-wide config (inside home-manager), use the following:

  xdg.configFile."chromium/NativeMessagingHosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
  xdg.configFile."google-chrome/NativeMessagingHosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";


Note some websites still use PKCS#11 instead of Web eID (for Estonian ID cards). This requires different configuration.

We configure the browser(s) to load PKCS#11 modules via the p11-kit-proxy module as configured in /etc/pkcs11/modules, and configure opensc-pkcs11.so in there.

  # Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
  # (PIN1 for authentication/decryption, PIN2 for signing).
  environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
    module: ${pkgs.opensc}/lib/opensc-pkcs11.so


Firefox can be configured to load PKCS#11 tokens with the following snippet:

  programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";

If you're building a firefox derivation yourself, you can override it with extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";.

Google Chrome / Chromium

Unfortunately, Chrome and Chromium browsers can't be declaratively configured for PKCS#11 tokens. We need to invoke the modutil command on the nssdb, and render a script that'll reconfigure it:

  environment.systemPackages = [
    # Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
    # security devices, so they can be used for TLS client auth.
    # Each user needs to run this themselves, it does not work on a system level
    # due to a bug in Chromium:
    # https://bugs.chromium.org/p/chromium/issues/detail?id=16387
    (pkgs.writeShellScriptBin "setup-browser-eid" ''
      mkdir -p ''${NSSDB}

      ${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
        -libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so

Invoke setup-browser-eid to configure (and whenever this gets garbage-collected), and restart your browser.