web-eid-app for NixOS: pin1 works, pin2 don't #317

Closed
getreu opened this issue Mar 25, 2024 · 15 comments

Comments

@getreu

getreu commented Mar 25, 2024

NixOS comes with the package web-eid-app and instructions for Estonians.

With Firefox and the above config for NixOS 23.11, I can authenticate with e.g. https://lhv.ee but I can not sign. Any ideas?

I know you do not officially support NixOS, but maybe some of you use it and can help. Here is my config:

services.pcscd.enable = true;
programs.firefox.enable = true;
programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
environment.etc."chromium/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
environment.etc."opt/chrome/native-messaging-hosts/eu.webeid.json".source = "${pkgs.web-eid-app}/share/web-eid/eu.webeid.json";
environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
  module: ${pkgs.opensc}/lib/opensc-pkcs11.so
'';
@getreu
Author

getreu commented Mar 25, 2024

Is this related to #309?

@mrts
Member

mrts commented Mar 25, 2024

What error do you see?
Can you please turn on native app logging as described here: https://web-eid.eu/ > Debugging and logs and check the log?

@getreu
Author

getreu commented Mar 25, 2024

When I press [Authenticate] on https://web-eid.eu/ I get (in pink color):

Authentication failed

[Code]
ERR_WEBEID_EXTENSION_UNAVAILABLE

[Message]
Web-eID extension is not available

Strangely I can authenticate with https://lhv.ee.
After logging in to the bank, there is still no log file:

In ~/.local/share/RIA/ there is no web-eid.log.

When I start the binary from the console, I get:

$ web-eid 
INFO: "web-eid" app "2.4.0+0" running in command-line mode

Now the log file is created with the contents:

2024-03-25T13:11:44.212Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode

Is web-eid known to the Firefox browser?

@mrts
Member

mrts commented Mar 26, 2024

It looks like the extension is not installed in Firefox. Here's how it should look:

[screenshot]

You can add the extension manually from here:
https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/

@getreu
Author

getreu commented Mar 26, 2024

It seems to be a problem related to the NixOS Firefox package. I do not manage to enable the extension. It does not even show in the browser tab (cf. your screenshot above). If I get it to work, I will leave a note here. Thank you so far.

@getreu
Author

getreu commented Mar 27, 2024

Screenshot_2024-03-27_15-39-39
Screenshot_2024-03-27_15-35-38

No log entry in web-eid.log, but I can start the app from the command line.
Screenshot_2024-03-27_15-43-38

@sergey-abc

@getreu, just in case, check the "Security Devices" section of the Firefox settings.
[screenshot]
Maybe you have to add (or unload and then load again) "onepin-opensc-pkcs11.so"; this file can be located in a different folder.

@getreu
Author

getreu commented Mar 31, 2024

@sergey-abc I have this:
Screenshot_2024-03-31_10-13-24

@getreu
Author

getreu commented Mar 31, 2024

Summary of my efforts. Please correct where I am wrong.

Installation

  1. Install the web-eid-app package in NixOS

    Insert in configuration.nix:

     packages = with pkgs; [
       firefox-esr
       web-eid-app
       p11-kit
       opensc
       
     ];

    and below:

    services.pcscd.enable = true;
    programs.firefox.enable = true;
    programs.firefox.package = pkgs.firefox-esr;
    programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
    programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # Authentication
    environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
      module: ${pkgs.opensc}/lib/opensc-pkcs11.so
    '';
  2. Enable logging (for testing only)

    1. Enable logging:

      echo 'logging=true' > ~/.config/RIA/web-eid.conf
    2. Check success:

      web-eid

      An About Web eID dialogue window appears. Click on [Cancel].

      cat ~/.local/share/RIA/web-eid/web-eid.log

      You should see something like:

      2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode
      
  3. Install the browser extension within Firefox from
    Web eID – Get this Extension for Firefox (en-US)

  4. Link the web-eid manifest into the browser configuration

    mkdir -p ~/.mozilla/native-messaging-hosts/
    cd ~/.mozilla/native-messaging-hosts/
    ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/share/web-eid/eu.webeid.json" .
    
  5. Check success

    1. Enable logging:
    2. Insert Estonian ID card.
    3. Check with DigiDoc that the card reader and the ID card driver work. (OK)
    4. Go to https://web-eid.eu/ and click on [Authenticate].

Result

Unfortunately, I get the following error page in the browser:

Authentication failed
[Code]
ERR_WEBEID_NATIVE_UNAVAILABLE
[Message]
a message from native application was expected, but native application closed connection

Furthermore, there is no log message in ~/.local/share/RIA/web-eid/web-eid.log.

@getreu
Author

getreu commented Mar 31, 2024

I also filed an issue here: NixOS/nixpkgs#300435

@mrts
Member

mrts commented Apr 1, 2024

Thanks for your thorough investigation! The ERR_WEBEID_NATIVE_UNAVAILABLE message indicates that Firefox is unable to locate the native messaging host.

Please check that the native messaging manifest file has the following content:

{
"name": "eu.webeid",
"description": "Web-eid native application",
"path": "/usr/bin/web-eid",
"type": "stdio",
"allowed_extensions": [ "{e68418bc-f2b0-4459-a9ea-3e72b6751b07}" ]
}

Verify the value of allowed_extensions and that /usr/bin/web-eid exists.

If the content is correct, linking the file to ~/.mozilla/native-messaging-hosts/ should indeed work according to https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests#linux. Can you check the symlink just in case, or even copy the file in case Firefox does not follow symlinks for some reason? If you still get ERR_WEBEID_NATIVE_UNAVAILABLE when trying to authenticate on https://web-eid.eu, then please try the global locations listed in https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests#linux, starting with /usr/lib/mozilla/native-messaging-hosts/eu.webeid.json.

Hope this helps!
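The manifest checks described above, written up as an added example (not code from the issue or the web-eid-app project): it validates a Firefox native-messaging manifest for the conditions mrts lists, including a dangling symlink and a missing or non-executable binary. The expected name and extension ID come from the manifest quoted in the thread; the function names and the temporary test files are made up here.

```python
# Added example (not from the issue or web-eid-app): check a Web eID native-messaging
# manifest for the causes of ERR_WEBEID_NATIVE_UNAVAILABLE discussed in the thread;
# the two constants are taken from the manifest quoted there.
import json
import os
import sys
import tempfile

EXPECTED_NAME = "eu.webeid"
EXPECTED_EXTENSION_ID = "{e68418bc-f2b0-4459-a9ea-3e72b6751b07}"


def check_manifest(manifest_path):
    """Return a list of problems; an empty list means Firefox should accept it."""
    problems = []
    if os.path.basename(manifest_path) != EXPECTED_NAME + ".json":
        problems.append("file must be named %s.json" % EXPECTED_NAME)  # Firefox looks up <name>.json
    if os.path.islink(manifest_path) and not os.path.exists(manifest_path):
        return problems + ["manifest symlink points to a missing file"]
    try:
        with open(manifest_path) as fh:
            m = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + ["cannot read manifest: %s" % exc]
    for key, want in (("name", EXPECTED_NAME), ("type", "stdio")):
        if m.get(key) != want:
            problems.append("%s must be %r" % (key, want))
    path = m.get("path", "")
    if not os.path.isabs(path):
        problems.append("path must be absolute")
    elif not os.path.isfile(path):  # follows symlinks to the binary, as exec would
        problems.append("native app %s does not exist" % path)
    elif not os.access(path, os.X_OK):
        problems.append("native app %s is not executable" % path)
    if EXPECTED_EXTENSION_ID not in m.get("allowed_extensions", []):
        problems.append("allowed_extensions must list %s" % EXPECTED_EXTENSION_ID)
    return problems


def demo():
    """Write a constructed good manifest and a broken one to a temp dir; return both reports."""
    tmp = tempfile.mkdtemp()
    good = {"name": EXPECTED_NAME, "description": "Web-eid native application",
            "path": sys.executable,  # any existing executable stands in for web-eid
            "type": "stdio", "allowed_extensions": [EXPECTED_EXTENSION_ID]}
    bad = dict(good, path=os.path.join(tmp, "missing"), allowed_extensions=[])
    reports = []
    for fname, data in (("eu.webeid.json", good), ("webeid.json", bad)):
        with open(os.path.join(tmp, fname), "w") as fh:
            json.dump(data, fh)
        reports.append(check_manifest(fh.name))
    return reports[0], reports[1]
```

Against a real install, call check_manifest(os.path.expanduser("~/.mozilla/native-messaging-hosts/eu.webeid.json")); an empty list means Firefox should be able to start the native app from that manifest.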

@getreu
Author

getreu commented Apr 1, 2024

@mrts
The manifest was the problem.

In the manual above, I replaced the line:

ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/share/web-eid/eu.webeid.json" .

with

ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/lib/mozilla/native-messaging-hosts/eu.webeid.json" .

Below you find the tested working procedure.

Now authentication and signing work. Thank you a lot!

@getreu
Author

getreu commented Apr 1, 2024

Edit: modified according to NixOS/nixpkgs#281710 (comment)

Tested working procedure:

Installation

  1. Install the web-eid-app package in NixOS

    Insert in configuration.nix:

    Important: do not add firefox-esr to packages!

     packages = with pkgs; [
       web-eid-app
       p11-kit
       opensc
       
     ];

    and below:

    services.pcscd.enable = true;
    programs.firefox.enable = true;
    programs.firefox.package = pkgs.firefox-esr;
    programs.firefox.nativeMessagingHosts.packages = [ pkgs.web-eid-app ];
    programs.firefox.policies.SecurityDevices.p11-kit-proxy = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
    # Authentication
    environment.etc."pkcs11/modules/opensc-pkcs11".text = ''
      module: ${pkgs.opensc}/lib/opensc-pkcs11.so
    '';
  2. Enable logging (for testing only)

    1. Enable logging:

      echo 'logging=true' > ~/.config/RIA/web-eid.conf
    2. Check success:

      web-eid

      An About Web eID dialogue window appears. Click on [Cancel].

      cat ~/.local/share/RIA/web-eid/web-eid.log

      You should see something like:

      2024-03-31T06:56:42.804Z INFO src/controller/controller.cpp:72:void Controller::run() - "web-eid" app "2.4.0+0" running in command-line mode
      
  3. Install the browser extension within Firefox from
    Web eID – Get this Extension for Firefox (en-US)

  4. Check success

    1. Enable logging:

    2. Insert Estonian ID card.

    3. Check with DigiDoc that the card reader and the ID card driver work. (OK)

    4. Go to https://web-eid.eu/ and click on [Authenticate].

      Type pin1, and you should see:

      Digital signing
      Welcome, XXX XXX!
      

      Press the button [Sign document], then type pin2; you should see:

        Digital signing
        Welcome, XXX XXX!
        Signature added: example-for-signing.asice
      

getreu closed this as completed Apr 1, 2024
@getreu
Author

getreu commented Apr 2, 2024

Edit: this workaround is not necessary any more according to NixOS/nixpkgs#281710 (comment)

Addendum

The lines

mkdir -p ~/.mozilla/native-messaging-hosts/
cd ~/.mozilla/native-messaging-hosts/
ln -s "$(dirname $(dirname $(realpath $(which web-eid))))/lib/mozilla/native-messaging-hosts/eu.webeid.json" .

are a workaround until #281710 is fixed.

@getreu
Author

getreu commented Apr 3, 2024

Jens Getreu's blog - Sign with your Estonian ID card under NixOS
