[snap] smart card reader no longer works

Bug #1843392 reported by Andreas Pokorny on 2019-09-10
This bug affects 11 people
Affects: chromium-browser (Ubuntu)
Importance: High
Assigned to: Olivier Tilloy

Bug Description

Chromium uses the Netscape Cryptographic Module to access smartcards for authentication purposes. This stopped working when switching to the snap version. Chromium would normally access the setup in ~/.pki/nssdb/pkcs11.txt. That file would refer to a library used to access the smart card, i.e. /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

The problem can be bypassed by manually launching chromium via: /snap/chromium/current/usr/lib/chromium-browser/chrome
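
An added example, not part of the bug report or of Chromium's code: a small Python parser for the pkcs11.txt module list mentioned in the description, reporting each external PKCS#11 library and whether it exists in the filesystem view of the process that runs it. The stanza layout (blank-line-separated key=value lines) and the sample content are assumptions constructed for illustration.

```python
from pathlib import Path

# Constructed sample of an NSS module list (pkcs11.txt); not taken from the bug report.
SAMPLE = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.pki/nssdb' certPrefix='' keyPrefix=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
name=OpenSC smartcard framework
"""


def parse_modules(text):
    """Split the file into one dict per module; stanzas are separated by blank lines."""
    modules, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last stanza
        line = line.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
            continue
        # Split on the first "=" only, so values such as "Flags=internal" stay intact.
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return modules


def external_modules(text, exists=lambda p: Path(p).is_file()):
    """Return (name, library, present) for each module that loads a library from disk."""
    report = []
    for mod in parse_modules(text):
        lib = mod.get("library", "")
        if lib:  # an empty library= entry is the built-in NSS module
            report.append((mod.get("name", "?"), lib, exists(lib)))
    return report


if __name__ == "__main__":
    db = Path.home() / ".pki/nssdb/pkcs11.txt"
    text = db.read_text() if db.is_file() else SAMPLE
    for name, lib, present in external_modules(text):
        state = "found" if present else "MISSING"
        print(f"{name}: {lib} ({state} in this filesystem view)")
```

The "present" result depends on where the script runs: a library path that exists on the host can still be missing from the view of a confined snap process.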

Paul White (paulw2u) on 2019-09-10
tags: added: snap
description: updated
Olivier Tilloy (osomon) wrote :

This is similar to https://forum.snapcraft.io/t/cant-load-security-device-in-firefox-snap/12471.

You probably already know that, but just in case: running /snap/chromium/current/usr/lib/chromium-browser/chrome directly results in bypassing the snapd sandbox, so it's never a good idea (other than for testing/debugging purposes).

The proposed approach to solve this that was discussed with the security team is:
 - stage common PKCS modules in the snap
 - add a layout for /usr/lib/pkcs11 pointing to a writeable area of the snap (e.g. $SNAP_USER_DATA/.local/lib)
 - on first run, copy the common PKCS modules to that writeable area
 - document that custom modules (and their dependencies?) should be manually copied to that directory
 - create a new interface (not auto-connected, that's okay) for access to /var/run/pcscd/pcscd.comm

I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

summary: - [snap] smart card reader no longer works after switching to snap verison
+ [snap] smart card reader no longer works
Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → High
status: New → Confirmed

My impression was that smart card readers are pretty common and it is the smartcards that keep changing. So USB access to the smart card devices class should be enough there.

Being able to add custom/newer pkcs smartcard support modules sounds like a good idea.

I wonder if that could be something shared across applications? I.e. Firefox / Opera or other Nodejs Desktop applications that reuse chromium, will need something similar.

https://github.com/glasen/snap-ausweisapp2-ce/blob/master/snap/snapcraft.yaml

This is another snap that supports smart card readers. It seems to package pcscd...

Olivier Tilloy (osomon) wrote :

Well spotted, thanks Andreas!

I recently had to switch my company card and it now uses a newer version so it gets misidentified by pcsc-lite from Debian - but works fine in the latest release of pcsc-lite. As companies like Atos seem to frequently roll out new versions of their cards, it would be nice if we could have opensc (I assume this is also in use - not sure whether it is client or server side) and pcsc-lite in a separate snap built from a more recent source.

Changed in chromium-browser (Ubuntu):
assignee: Olivier Tilloy (osomon) → anneputarunbharadwaj (anneputarunbharadwaj-123)
Olivier Tilloy (osomon) on 2020-09-29
Changed in chromium-browser (Ubuntu):
assignee: anneputarunbharadwaj (anneputarunbharadwaj-123) → Olivier Tilloy (osomon)
Seifeddine Gamoudi (gamoudis) wrote :

I switched to Firefox (non-snap version) to avoid this bug.
