web-eid / web-eid-app

The Web eID application performs cryptographic digital signing and authentication operations with electronic ID smart cards for the Web eID browser extension
https://web-eid.eu
MIT License

`web-eid-app` for NixOS: pin1 works, pin2 don't #317

Closed getreu closed 7 months ago

getreu commented 7 months ago

NixOS comes with the package web-eid-app and instructions for Estonians.

With Firefox and the above config for NixOS 23.11, I can authenticate with e.g. https://lhv.ee but I can not sign. Any ideas?

I know you do not officially support NixOS, but maybe some of you use it and can help. Here is my config:

services.pcscd.enable = true;
programs.firefox.enable = true;
programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
  module: ${pkgs.opensc}/lib/opensc-pkcs11.so
'';
getreu commented 7 months ago

Is this related to #309 ?

mrts commented 7 months ago

What error do you see? Can you please turn on native app logging as described here: https://web-eid.eu/ > Debugging and logs and check the log?

getreu commented 7 months ago

When I press [Authenticate] on https://web-eid.eu/ I get (in pink color):

Authentication failed

[Code]
ERR_WEBEID_EXTENSION_UNAVAILABLE

[Message]
Web-eID extension is not available

Strangely, I can authenticate with https://lhv.ee. After logging in to the bank, there is still no log file:

There is no web-eid.log in ~/.local/share/RIA/.

When I start the binary from the console, I get:

$ web-eid 
INFO: "web-eid" app "2.4.0+0" running in command-line mode

Now the log file is created with the contents:

2024-03-25T13:11:44.212Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode

Is web-eid known to the firefox browser?

mrts commented 7 months ago

It looks like the extension is not installed in Firefox. Here's how it should look:


You can add the extension manually from here: https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/

getreu commented 7 months ago

It seems to be a problem related to the NixOS Firefox package. I do not manage to enable the extension. It does not even show in the browser tab (cf. your screenshot above). If I get it to work, I will leave a note here. Thank you so far.

getreu commented 7 months ago


No log entry in web-eid.log, but I can start the app from the command line.

sergey-abc commented 7 months ago

@getreu Just in case, check the "Security Devices" section of the Firefox settings. Maybe you have to add (or unload and then load again) "onepin-opensc-pkcs11.so"; this file can be located in a different folder.

getreu commented 7 months ago

@sergey-abc I have this: (screenshot)

getreu commented 7 months ago

Summary of my efforts. Please correct where I am wrong.

Installation

  1. Install the web-eid-app package in NixOS

    Insert in configuration.nix:

    packages = with pkgs; [
      firefox-esr
      web-eid-app
      p11-kit
      opensc
    ];

    and below:

    services.pcscd.enable = true;
    programs.firefox.enable = true;
    programs.firefox.package = pkgs.firefox-esr;
    programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
    programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # Authentication
    environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
     module: ${pkgs.opensc}/lib/opensc-pkcs11.so
    '';
  2. Enable logging (for testing only)

    1. Enable logging:

      echo 'logging=true' > ~/.config/RIA/web-eid.conf
    2. Check success:

      web-eid

      An "About Web eID" dialogue window appears. Click on [Cancel].

      cat ~/.local/share/RIA/web-eid/web-eid.log

      You should see something like:

      2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode
  3. Install the browser extension within Firefox from Web eID – Get this Extension for Firefox (en-US)

  4. Link the web-eid manifest into the browser configuration

    
    mkdir -p ~/.mozilla/native-messaging-hosts/
    cd ~/.mozilla/native-messaging-hosts/
    ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/share/web-eid/eu.webeid.json" .
  5. Check success

    1. Enable logging:
    2. Insert the Estonian ID card.
    3. Check with DigiDoc that the card reader and the ID card driver work. (Ok)
    4. Go to https://web-eid.eu/ and click on [Authenticate].

Result

Unfortunately, I get the following error page in the browser:

Authentication failed
[Code]
ERR_WEBEID_NATIVE_UNAVAILABLE
[Message]
a message from native application was expected, but native application closed connection

Furthermore, there is no log message in ~/.local/share/RIA/web-eid/web-eid.log.

getreu commented 7 months ago

I also filed an issue here: https://github.com/NixOS/nixpkgs/issues/300435

mrts commented 7 months ago

Thanks for your thorough investigation! The ERR_WEBEID_NATIVE_UNAVAILABLE message indicates that Firefox is unable to locate the native messaging host.

Please check that the native messaging manifest file has the following content:

{
  "name": "eu.webeid",
  "description": "Web-eid native application",
  "path": "/usr/bin/web-eid",
  "type": "stdio",
  "allowed_extensions": [ "{e68418bc-f2b0-4459-a9ea-3e72b6751b07}" ]
}

Verify the value of allowed_extensions and that /usr/bin/web-eid exists.

If the content is correct, linking the file to ~/.mozilla/native-messaging-hosts/ should indeed work according to https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests#linux. Can you check the symlink just in case, or even copy the file in case Firefox does not follow symlinks for some reason? If you still get ERR_WEBEID_NATIVE_UNAVAILABLE when trying to authenticate on https://web-eid.eu, then please try the global locations listed in https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests#linux, starting with /usr/lib/mozilla/native-messaging-hosts/eu.webeid.json.

Hope this helps!
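An added diagnostic script (not part of this thread or of the web-eid-app project) that automates the manifest checks described above: it resolves the symlink, confirms the `path` points at an executable, and confirms `allowed_extensions` contains the extension id quoted in the manifest. It assumes only a POSIX shell with sed and readlink; the sample manifests are constructed for the test.

```shell
#!/bin/sh
# Diagnostic for the ERR_WEBEID_NATIVE_UNAVAILABLE case: checks whether a
# Firefox native-messaging manifest for eu.webeid would let Firefox start the
# native host. Constructed example; not the project's own tooling.

# Extension id as quoted in the manifest in this thread.
WEBEID_EXT_ID='{e68418bc-f2b0-4459-a9ea-3e72b6751b07}'

# json_string KEY FILE: print the string value of a top-level key (sed only,
# no jq dependency; sufficient for the flat manifest format shown above).
json_string() {
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# check_webeid_manifest FILE: return 0 if every check passes, 1 otherwise.
# One line is printed per finding so the failing step is visible.
check_webeid_manifest() {
    manifest=$1
    status=0
    # Follow the symlink created in the installation steps of the thread.
    target=$(readlink -f "$manifest" 2>/dev/null || printf '%s' "$manifest")
    if [ ! -r "$target" ]; then
        echo "FAIL: $manifest does not resolve to a readable file"
        return 1
    fi
    name=$(json_string name "$target")
    [ "$name" = "eu.webeid" ] || { echo "FAIL: name is '$name', expected eu.webeid"; status=1; }
    [ "$(json_string type "$target")" = "stdio" ] || { echo "FAIL: type must be stdio"; status=1; }
    path=$(json_string path "$target")
    if [ -x "$path" ]; then
        echo "ok: native host $path is executable"
    else
        echo "FAIL: path '$path' is not an executable file"; status=1
    fi
    if grep -Fq "\"$WEBEID_EXT_ID\"" "$target"; then
        echo "ok: allowed_extensions contains the Web eID extension id"
    else
        echo "FAIL: allowed_extensions lacks $WEBEID_EXT_ID"; status=1
    fi
    return $status
}

# Stand-alone usage: sh check-webeid-manifest.sh ~/.mozilla/native-messaging-hosts/eu.webeid.json
if [ $# -gt 0 ]; then
    check_webeid_manifest "$1"
fi
```

A non-zero exit with a FAIL line names the first thing to fix; the global location /usr/lib/mozilla/native-messaging-hosts/eu.webeid.json can be passed in the same way.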

getreu commented 7 months ago

@mrts The manifest was the problem.

In the manual above, I replaced the line:

ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/share/web-eid/eu.webeid.json" .

with

ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/lib/mozilla/native-messaging-hosts/eu.webeid.json" .

Below you find the tested working procedure.

Authentication and signing work. Thank you a lot!

getreu commented 7 months ago

Edit: modified according to https://github.com/NixOS/nixpkgs/issues/281710#issuecomment-2031506760

Tested working procedure:

Installation

  1. Install the web-eid-app package in NixOS

    Insert in configuration.nix:

    Important: do not add firefox-esr to packages!

    packages = with pkgs; [
      web-eid-app
      p11-kit
      opensc
    ];

    and below:

    services.pcscd.enable = true;
    programs.firefox.enable = true;
    programs.firefox.package = pkgs.firefox-esr;
    programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
    programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # Authentication
    environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
     module: ${pkgs.opensc}/lib/opensc-pkcs11.so
    '';
  2. Enable logging (for testing only)

    1. Enable logging:

      echo 'logging=true' > ~/.config/RIA/web-eid.conf
    2. Check success:

      web-eid

      An "About Web eID" dialogue window appears. Click on [Cancel].

      cat ~/.local/share/RIA/web-eid/web-eid.log

      You should see something like:

      2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode
  3. Install the browser extension within Firefox from Web eID – Get this Extension for Firefox (en-US)

  4. Check success

    1. Enable logging:
    2. Insert the Estonian ID card.
    3. Check with DigiDoc that the card reader and the ID card driver work. (Ok)
    4. Go to https://web-eid.eu/ and click on [Authenticate].

      Type pin1; you should see:

      Digital signing Welcome, XXX XXX!

      Press the button [Sign document], then type pin2; you should see:

      Digital signing
      Welcome, XXX XXX!
      Signature added: example-for-signing.asice
getreu commented 7 months ago

Edit: this workaround is not necessary any more according to https://github.com/NixOS/nixpkgs/issues/281710#issuecomment-2031506760

Addendum

The lines

mkdir -p ~/.mozilla/native-messaging-hosts/
cd ~/.mozilla/native-messaging-hosts/
ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/lib/mozilla/native-messaging-hosts/eu.webeid.json" .

are a workaround until #281710 is fixed.

getreu commented 7 months ago

Jens Getreu's blog - Sign with your Estonian ID card under NixOS