[snap] smart card reader no longer works

Bug #1843392 reported by Andreas Pokorny on 2019-09-10
This bug affects 4 people
Affects: chromium-browser (Ubuntu)
Importance: High
Assigned to: Olivier Tilloy

Bug Description

Chromium uses the Netscape Cryptographic Module to access smartcards for authentication purposes. This stopped working when switching to the snap version. Chromium would normally access the setup in ~/.pki/nssdb/pkcs11.txt. That file would refer to a library used to access the smart card, i.e. /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

The problem can be bypassed by manually launching chromium via: /snap/chromium/current/usr/lib/chromium-browser/chrome
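
The following is an added diagnostic example, not part of the original report or of Chromium's or snapd's code. It parses the module stanzas in a pkcs11.txt body and reports whether each referenced library exists under a given filesystem root. The sample file content, the function names and the `root` parameter are assumptions made for illustration.

```python
import os

# Constructed sample of ~/.pki/nssdb/pkcs11.txt: blank-line-separated
# stanzas of key=value lines (not taken from the reporter's machine).
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.pki/nssdb' certPrefix='' keyPrefix=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
name=OpenSC
"""


def parse_modules(text):
    """Return one dict per module stanza in a pkcs11.txt body."""
    modules, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes last stanza
        line = line.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
        elif "=" in line:
            key, value = line.split("=", 1)  # values may contain '='
            current[key.strip()] = value.strip()
    return modules


def audit_modules(text, root="/"):
    """List (name, library, exists) for every external module.

    `root` (hypothetical parameter) stands in for the filesystem view of the
    process that will load the module, e.g. the host root or a confined root.
    """
    report = []
    for mod in parse_modules(text):
        lib = mod.get("library", "")
        if not lib:  # empty library= is the built-in NSS module
            continue
        seen = os.path.join(root, lib.lstrip("/"))
        report.append((mod.get("name", "?"), lib, os.path.isfile(seen)))
    return report


if __name__ == "__main__":
    for name, lib, ok in audit_modules(SAMPLE_PKCS11_TXT):
        print(f"{name}: {lib} -> {'found' if ok else 'missing in this view'}")
```

Running the same audit against the host root and against the root a confined process sees shows which configured modules are unreachable from inside the sandbox.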

Paul White (paulw2u) on 2019-09-10
tags: added: snap
description: updated
Olivier Tilloy (osomon) wrote :

This is similar to https://forum.snapcraft.io/t/cant-load-security-device-in-firefox-snap/12471.

You probably already know that, but just in case: running /snap/chromium/current/usr/lib/chromium-browser/chrome directly results in bypassing the snapd sandbox, so it's never a good idea (other than for testing/debugging purposes).

The proposed approach to solve this that was discussed with the security team is:
 - stage common PKCS modules in the snap
 - add a layout for /usr/lib/pkcs11 pointing to a writeable area of the snap (e.g. $SNAP_USER_DATA/.local/lib)
 - on first run, copy the common PKCS modules to that writeable area
 - document that custom modules (and their dependencies?) should be manually copied to that directory
 - create a new interface (not auto-connected, that's okay) for access to /var/run/pcscd/pcscd.comm

I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

summary: - [snap] smart card reader no longer works after switching to snap verison
+ [snap] smart card reader no longer works
Changed in chromium-browser (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → High
status: New → Confirmed

My impression was that smart card readers are pretty common and it is the smartcards that keep changing. So USB access to the smart card device class should be enough there.

Being able to add custom/newer pkcs smartcard support modules sounds like a good idea.

I wonder if that could be something shared across applications? I.e. Firefox, Opera or other Node.js desktop applications that reuse Chromium will need something similar.

https://github.com/glasen/snap-ausweisapp2-ce/blob/master/snap/snapcraft.yaml

This is another snap that supports smart card readers. It seems to package pcscd...

Olivier Tilloy (osomon) wrote :

Well spotted, thanks Andreas!
