mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/ops/modules/open_eid.nix
Florian Klink b58f6f1d61 feat(ops/modules/open_eid): add support for Web eID extension 
Most likely due to bad UX in browsers for hardware-backed TLS client
cert auth, most websites have switched from client-side TLS to the "Web
eID" extension.

Once installed, the extension uses [Native Messaging] to talk to a
`web-eid-app` application, which handles the communication with the
smart card itself.

This can be tested on https://web-eid.eu/ .

The commit needs nixpkgs to be bumped past
https://github.com/NixOS/nixpkgs/pull/227354 .

[Native Messaging]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging

Change-Id: Iffe6d81ecf7cee25406fa39a983ff52cf669c373
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8490
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
2023-04-28 13:14:24 +00:00

54 lines
2.3 KiB
Nix
Raw Blame History

# NixOS module to configure the Estonian e-ID software.
{ pkgs, ... }:
{
services.pcscd.enable = true;
# Tell p11-kit to load/proxy opensc-pkcs11.so, providing all available slots
# (PIN1 for authentication/decryption, PIN2 for signing).
environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
module: ${pkgs.opensc}/lib/opensc-pkcs11.so
'';
# Configure Firefox (in case users set `programs.firefox.enable = true;`)
programs.firefox = {
# Allow a possibly installed "Web eID" extension to do native messaging with
# the "web-eid-app" native component.
# Users not using `programs.firefox.enable` can override their firefox
# derivation, by setting `extraNativeMessagingHosts = [ pkgs.web-eid-app ]`.
nativeMessagingHosts.euwebid = true;
# Configure Firefox to load smartcards via p11kit-proxy.
# Users not using `programs.firefox.enable` can override their firefox
# derivation, by setting
# `extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so"`.
policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
};
# Chromium users need a symlink to their (slightly different) .json file
# in the native messaging hosts' manifest file location.
environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
environment.systemPackages = with pkgs; [
libdigidocpp.bin # provides digidoc-tool(1)
qdigidoc
# Wrapper script to tell to Chrome/Chromium to use p11-kit-proxy to load
# security devices, so they can be used for TLS client auth.
# Each user needs to run this themselves, it does not work on a system level
# due to a bug in Chromium:
#
# https://bugs.chromium.org/p/chromium/issues/detail?id=16387
#
# Firefox users can just set
# extraPolicies.SecurityDevices.p11-kit-proxy "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
# when overriding the firefox derivation.
(pkgs.writeShellScriptBin "setup-browser-eid" ''
NSSDB="''${HOME}/.pki/nssdb"
mkdir -p ''${NSSDB}
${pkgs.nssTools}/bin/modutil -force -dbdir sql:$NSSDB -add p11-kit-proxy \
-libfile ${pkgs.p11-kit}/lib/p11-kit-proxy.so
'')
];
}
Reference in a new issue View git blame Copy permalink