[snap] smart card reader no longer works

This is similar to https://forum.snapcraft.io/t/cant-load-security-device-in-firefox-snap/12471.

You probably already know that, but just in case: running /snap/chromium/current/usr/lib/chromium-browser/chrome directly results in bypassing the snapd sandbox, so it's never a good idea (other than for testing/debugging purposes).

The proposed approach to solve this that was discussed with the security team is:
 - stage common PKCS modules in the snap
 - add a layout for /usr/lib/pkcs11 pointing to a writeable area of the snap (e.g. $SNAP_USER_DATA/.local/lib)
 - on first run, copy the common PKCS modules to that writeable area
 - document that custom modules (and their dependencies?) should be manually copied to that directory
 - create a new interface (not auto-connected, that's okay) for access to /var/run/pcscd/pcscd.comm

I'm not familiar with how smart card readers work though, so feedback and suggestions are welcome.

My impression was that smart card readers are pretty common and it is the smartcards that keep changing. So USB access to the smart card devices class should be enough there.

Being able to add custom/newer pkcs smartcard support modules sounds like a good idea.

I wonder if that could be something shared across applications? I.e. Firefox / Opera or other Nodejs Desktop applications that reuse chromium, will need something similar.

https://github.com/glasen/snap-ausweisapp2-ce/blob/master/snap/snapcraft.yaml

This is another snap that supports smart card readers. It seems to package pcscd...

Well spotted, thanks Andreas!

I recently had to switch my company card and it now uses a newer version so it get mis-identified by pcsc-lite from debian - but works fine in the latest release of pcsc-lite. As companies like Atos seem to frequently roll out new versions of their cards it would be nice if we could have opensc (I assume this is also in use - not sure whether it is client or server side) and pcsc-lite in a separate snap built from a more recent source

I switched to firefox (non snap version) to avoid this bug.

Firefox counterpart: https://bugzilla.mozilla.org/show_bug.cgi?id=1734371

Has there been progress on this matter?

Manjaro works fine as it's not using snap, firefox and chromium don't on LTS 2204.

Whoops, sorry, I didn't mean to do that :)

Basically though, this is causing issues for users in, e.g., Belgium, who want to do their tax declaration using Ubuntu and their electronic ID card. We are currently guiding users to use a non-snap browser (see https://eid.belgium.be/en/faq/why-it-not-possible-use-eid-software-snap-andor-flatpak#7636), and that's just sad.

Comment #1 mentions a proposal to possibly resolve this. Since it explicitly asks for feedback, here is some (belated) feedback:

First, PKCS#11 is about more than just smartcards. While allowing access to the pcscd socket from within the confined environment might allow some PKCS#11 modules to work, using this as a solution assumes all PKCS#11 modules use PC/SC as a backend API, and that's a wild assumption which is probably not true for everything. PKCS#11 is a generic cryptographic plug-in API, which allows hardware crypto modules of any kind (e.g., USB tokens, Networked HSMs, PCI(e) crypto accelerator boards, TPM modules, etc etc) to be plugged into anything. libnss uses it mostly for smartcards, and all browsers on Linux do so as well, but it can also be used by libreoffice and evolution to sign documents, it is extensively used by OpenDNSSEC for its crypto operations (going so far as providing a "SoftHSM" pkcs#11 module and not having native crypto), OpenSSH has had PKCS#11 code for a while to read and use certificates, and there are ways to hook PKCS#11 up to OpenSSL allowing for a large number of other applications to use HSMs.

PKCS#11 modules could possibly access the hardware that they're written for using PC/SC (which this proposal could possibly work for, as long as the libpcsclite.so inside the snap and the pcscd outside the snap are sufficiently in sync), but this would not help PKCS#11 modules for USB tokens, TPM modules, PCI crypto accelerators, or possibly networked systems (depending on how the host application is confined).

Apart from hardware, PKCS#11 modules may sometimes need to do other things as well. E.g., the Belgian eID middleware needs to occasionally show certain messages to the user, for which it uses the GnuPG pinentry framework to show a dialog box that integrates with the user's UI. Unless this is explicitly allowed by the snap, this won't work. There might be other similar issues with other PKCS#11 modules, which means that running them in a confined environment might just not work.

So while this may be a solution for some PKCS#11 modules, it will not be a solution for all.

Additionally, the PKCS#11 modules need to be installed and registered in host applications. For NSS-based applications, this means they need to be installed using "modutil". Chrome doesn't even *have* any UI to install PKCS#11 modules; Firefox does, but it's so basic and confusing to users that I developed a "browser.pkcs11" add-on API for Firefox to allow modules to be registered using an add-on. These work with native manifests (intentionally similar to native messaging manifests) and expect the PKCS#11 module to be in the location as specified by the manifest. Libreoffice just gave up and looks for a Firefox, Thunderbird, or Chromium configuration directory and reuses ...

I have been hit by this issue, in my case using firefox, but basically is the same thing. The possibility of loading a security device is fully eliminated. And there are also other functionalities that have been severely damaged by moving firefox to a snap with the inherent restrictions in accessing information in the hard disk. For example, I cannot load an html file located somewhere in the file system. When downloading something from the web, the program suggests me the obscure location /run/user/500/... (instead of, for example ~/Download) which is quite confusing (apparently there is some kind of mapping with regular user folders). Something that I have noticed, when starting from a terminal, is that the program complains about not finding libcanberra-gtk-module (it is installed in the system but apparently not present inside the snap, nothing can be done to avoid the warning but, fortunately, it does not seem to affect program performance).

I can circumvent these inconveniences by executing firefox outside the sandbox (as suggested above for chromium), the command is (I have defined an alias for avoiding keying it in full every time):
 /snap/firefox/current/usr/lib/firefox/firefox
This creates the old .mozilla folder with all the information, I can export certificates, bookmarks, ... from the firefox started within the sandbox and import them in firefox started out of the sandbox.
I guess it is probably not a good idea to execute the program in such an unorthodox way but, for the moment being, this workaround seems to work for me with firefox "out-of-the-sandbox" behaving the old way.
I do not know if all these problems may be qualified as a bug or perhaps they are just the consequences of the wrong (in my opinion) decision, of moving firefox and chromium to snap which implies a lot of restrictions in the use of the information in the disk and in the way of interacting with other libraries or programs of the system.
For the moment being, for anyone being affected by any of this issues, the recommendation could be, as told above, to uninstall snap firefox and install the program from firefox website instead of from ubuntu repo.

Hi,
Can I kindly ask you the status of the resolution of this issue?

Thanks.

PS:
I think I incidentally removed the 'duplicate' tag on this bug and I don't know how to undo that / reset the 'duplicate' tag'. Sorry about that :/

Hi, Pascal. The snap with the new pcscd interface is awaiting approval
from the Snapcraft team.

Once that is done I'll post here so that someone can attempt to verify
the fix.

> I think I incidentally removed the 'duplicate'

Don't worry, it remains logged in the full activity log page (link at
the end of comment section), so I just added it back, thanks for the
heads up.

Thanks for the update.
I'll be glad to test the fix.

Hi Pascal, not sure you receive notifications for the duplicate, but in LP:1967632 I have released a tentative fix with a test case.

Hi Nathan,

Sorry, I somehow lost track of this issue.

iED Viewer (https://eid.belgium.be/fr/eid-viewer )is working fine on my "Ubuntu 22.04.3 LTS" , but testing authentication using https://idp.iamfas.belgium.be/fasui/login/eidservice still fails (Firefox 121.0.1 (64-bit).

Maybe I should install another version of Firefox? (I would prefer to stick to Snap version of Firefox, on NOT using firefox-esr )

To ease and speed up our communication, feel free to reach out to me on linkedin : https://be.linkedin.com/in/pascaldalfarra (I prefer not to put my email address here)