Jan Holthuis

Personal Blog of Jan Holthuis

Smartcard authentification in Chromium

Mon 06 July 2015

My university's website for exam enrollment needs smardcard authentification, but only contains instructions how to use it with Mozilla Firefox. If you prefer Chrome/Chromium over Firefox and don't want to keep a Firefox installation around, you can do so - here are the instructions.

OT: The Ruhr-University of Bochum (RUB) uses two different systems for exam enrollment, VSPL and FlexNow. The reason for using two different, incompatible systems surpasses my understanding. I was very happy that my faculty uses FlexNow, which is browser-based, rather than VSPL, which only works via a proprietary, Windows-only client (even though the download page for that application used to show a hip student with a MacBook... oh, the irony). Anyway, VSPL recently got a web-interface, too, so if you have to use VSPL, you can also use Firefox or Chromium now.

Since I'm using ArchLinux, I'll base my instruction on that, but any other distro also should work fine if you accomodate package names and file paths.

You'll need a CCID-conformant smardcard reader (this is the one I am using, but the "official" reader that the university sells works too).

First, we need the software - apart from chrome that is the CCID-driver, the OpenSC-library and Mozilla's Network Security Services:

# pacman -Sy ccid opensc nss

Next, we need to add the PKCS#11 module from OpenSC to the Chromium NSS module. Quit Chromium if necessary and run:

$ modutil -dbdir sql:.pki/nssdb/ -add "opensc" -libfile  /usr/lib/pkcs11/opensc-pkcs11.so

You can verify that everything worked by running:

$ modutil -dbdir sql:.pki/nssdb/ -list

It should print a listing of PKCS#11 modules. If your smardcard driver is attached, one of the slots of the opensc module shows the name of your smardcard reader. If you also plugged in your smardcard, the according token tells you what smardcard has been detected.

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
   slots: 2 slots attached
  status: loaded

   slot: NSS Internal Cryptographic Services
  token: NSS Generic Crypto Services

   slot: NSS User Private Key and Certificate Services
  token: NSS Certificate DB

  2. opensc
  library name: /usr/lib/opensc-pkcs11.so
   slots: 2 slots attached
  status: loaded

   slot: Virtual hotplug slot
  token: 

   slot: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
  token: Student Card (User Pin)
-----------------------------------------------------------

That's it.

If you now start Chromium and click "Manage certificates" button in the HTTPS/SSL section of Chromiums settings (Settings -> Show advanced settings...), you should see your smartcard certificate in the "Your certificates" tab.

You can now log into FlexNow (or VSPL), de-register all you exams and chill.

Tags: