Smartcard authentication in Chromium
Mon 06 July 2015
My university's website for exam enrollment requires smartcard authentication, but only provides instructions for using it with Mozilla Firefox. If you prefer Chrome/Chromium over Firefox and don't want to keep a Firefox installation around, you can do so - here are the instructions.
OT: The Ruhr-University of Bochum (RUB) uses two different systems for exam enrollment, VSPL and FlexNow. The reason for using two different, incompatible systems surpasses my understanding. I was very happy that my faculty uses FlexNow, which is browser-based, rather than VSPL, which only works via a proprietary, Windows-only client (even though the download page for that application used to show a hip student with a MacBook... oh, the irony). Anyway, VSPL recently got a web-interface, too, so if you have to use VSPL, you can also use Firefox or Chromium now.
Since I'm using Arch Linux, I'll base my instructions on that, but any other distro should also work fine if you adapt the package names and file paths.
You'll need a CCID-compliant smartcard reader (this is the one I am using, but the "official" reader that the university sells works too).
First, we need the software - apart from Chrome, that is the CCID driver, the OpenSC library and Mozilla's Network Security Services:
# pacman -Sy ccid opensc nss
Next, we need to add the PKCS#11 module from OpenSC to the NSS database that Chromium uses. Quit Chromium if necessary and run:
$ modutil -dbdir "sql:$HOME/.pki/nssdb" -add "opensc" -libfile /usr/lib/pkcs11/opensc-pkcs11.so
You can verify that everything worked by running:
$ modutil -dbdir "sql:$HOME/.pki/nssdb" -list
It should print a listing of PKCS#11 modules. If your smartcard reader is attached, one of the slots of the opensc module shows the name of your smartcard reader. If you have also inserted your smartcard, the corresponding token tells you which smartcard has been detected.
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. opensc
library name: /usr/lib/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
slot: Virtual hotplug slot
token:
slot: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
token: Student Card (User Pin)
-----------------------------------------------------------
That's it.
If you now start Chromium and click the "Manage certificates" button in the HTTPS/SSL section of Chromium's settings (Settings -> Show advanced settings...), you should see your smartcard certificate in the "Your certificates" tab.
You can now log into FlexNow (or VSPL), de-register all your exams and chill.
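To script the `modutil -list` check described above, the following added example (not part of the original post) parses the listing and reports whether the opensc module is registered and whether a card is detected. The function name, output format and exit codes are choices made for this example, and the sample input is constructed from the listing shown in the post.

```sh
#!/bin/sh
# Added example, not from the original post. The function name, output format
# and exit codes are choices made here.

# Reads a `modutil -list` listing on stdin and looks at the module named "opensc".
# Prints "reader=<slot>|token=<token>" for every slot that holds a card.
# Exit status: 0 = card detected, 1 = module registered but no card,
#              2 = no module named "opensc" in the database.
opensc_token_status() {
    awk '
        { sub(/^[ \t]+/, "") }          # modutil indents its output
        /^[0-9]+\. / {                  # "N. <module name>" starts a module
            in_mod = ($0 ~ /^[0-9]+\. opensc$/)
            if (in_mod) found = 1
            next
        }
        in_mod && /^slot: / { slot = substr($0, 7); next }
        in_mod && /^token:/ {
            tok = $0
            sub(/^token:[ \t]*/, "", tok)
            if (tok != "") { printf "reader=%s|token=%s\n", slot, tok; have = 1 }
        }
        END { if (!found) exit 2; if (!have) exit 1 }
    '
}

# Sample input, constructed from the listing shown in the post.
SAMPLE_LISTING='Listing of PKCS #11 Modules
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. opensc
library name: /usr/lib/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
slot: Virtual hotplug slot
token:
slot: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
token: Student Card (User Pin)'

printf '%s\n' "$SAMPLE_LISTING" | opensc_token_status

# Against the real database:
#   modutil -dbdir "sql:$HOME/.pki/nssdb" -list | opensc_token_status
```

An exit status of 2 means the `-add` step did not take effect in this database; a status of 1 means the module is loaded but no card is seen in any reader.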