Arch Linux

kunev

Member

From: Sofia, Bulgaria

Registered: 2012-12-12

Posts: 5

Issues getting Chrome/Firefox to work with bit4id miniLector S EVO

Hi,

I have a bit4id miniLector S EVO and have some issues getting it to work with my browser. I usually use Chrome and would like to have it working in there, but Firefox is just as fine. I've had this kind of setup(bot Chrome and FF working with it properly) on LMDE and Mint13, so it's doable.

My first attempt was the simplest possible: installed bit4id-ipki, pcsc-tools, nns and ccid, since that's what I needed in the previous distros I've managed to get it working on. I followed the instructions for adding the needed certificates for my identity provider to my local NSS database. I've done a `systemctl enable pcscd` and pcscd is running.
Here's what I have now:

> lsusb
Bus 001 Device 016: ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader
...

> pcsc_scan
PC/SC device scanner
V 1.4.20 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.3
Using reader plug'n play mechanism
Scanning present readers...
0: ACS AET65 00 00

Thu Dec 13 01:23:10 2012
Reader 0: ACS AET65 00 00
  Card state: Card inserted, 
  ATR: 3B FF 18 00 FF 81 31 FE 55 00 6B 02 09 03 03 01 11 01 43 4E 53 11 31 80 8C
...

And the nss database

> modutil -dbdir sql:$HOME/.pki/nssdb -list                                         ⏎

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. Bit4id
	library name: /usr/lib/libbit4ipki.so
	 slots: 1 slot attached
	status: loaded

	 slot: ACS AET65 00 00
	token: InfoNotary
-----------------------------------------------------------

So it seems the drivers are ok. My identity provider(InfoNotary) has a card manager software that someone made a package on AUR for. That card manager works fine and recognizes my device, I can see the information on it, login with my PIN and generally have no issues with it.

When I try using Chrome or Firefox to login to sited that require my digital signature I have no success.
I can see all the relevant certificates in Chrome's settings(chrome://settings/certificates) as well as my own personal certificate from the device. When I login to a website that tries to use it however Chrome asks me for my PIN and when I enter it and press OK it closes the PIN dialog and starts doing something, just hanging there, not stuck, but working. It can stay like that for up to 10 minutes(I haven't left it for longer) and have no useful result.
I tried starting Chrome with verbose logging and the only thing I found in the logs that seems like it might be related is the following:

...
[19460:19460:1213/012550:VERBOSE1:ssl_client_auth_handler.cc(63)] 0x7f4f4404e120 CertificateSelected 0x7f4f43f8c480
[19460:19489:1213/012550:VERBOSE1:ssl_client_auth_handler.cc(72)] 0x7f4f4404e120 DoCertificateSelected 0x7f4f43f8c480
[19460:19489:1213/012550:VERBOSE1:ssl_client_auth_handler.cc(72)] 0x7f4f4404e120 DoCertificateSelected 0
...

I wouldn't mind if Chrome couldn't work with it fine, since I have no problem using Firefox for just that. However the effect in Firefox is pretty much the same. I'm asked for my PIN and after entering it it just starts doing something for an indefinite period of time.

I tried different ccid drivers, some didn't work at all(`pcsc_scan` and `modutil -l` didn't recognize my device) some produced the same effect.

I found a libminilector38u-bit4id on AUR, which seems to be exactly the driver for my device. It has a broken URL in the PKGBUILD so I downloaded the tarball, extracted it, put the Linux.zip file in the directory I extracted the tar to and edited the PKGBUILD to work with that local Linux.zip file. It installed just fine with pacman, but didn't have any different effect. In fact pcsc_scan couldn't recognize the device with it.

It's been two days since I started fighting with this. I had something I really needed to do so I gave up today and just did the easy thing, I sat at a widnows box and did what I needed, so the device is ok, it's my Arch setup that has an issue. It would be great if anyone has some ideas to share on this.

bobi1024

Member

Registered: 2013-05-29

Posts: 2

Re: Issues getting Chrome/Firefox to work with bit4id miniLector S EVO

I was wondering, did you find the solution for your problem, because the same problem is bugging me for months. When I say the same, I mean exactly the same.

I have the same smart card reader and smart card form Infonotary, the smart card is actually "SIMLector 38T"/Universita' Degli Studi di Torino (Infocert), but it is using libbit4ipki.so anyway.

I have the digital signature (DS) from 1,5 years and it was working fine under debian testing + firefox (FF). Recently (by recently I mean may be several months ago) the same problem that you've described occurred under FF. It wasn't a big problem, because I was still able to use the DS trough Seamonkey/Iceape, but after a while the same problem occurred under Seamonkey. Then I found the following workaround:

- Start FF after the DS is inserted, then remove/add the libbit4ipki.so module form the "Security Devices", then access a site which is using personal certificate like epay.bg e.g. and you will be able to login in to site successfully but the PIN popup for the DS just keeps coming up. It is very annoying but I use my DS rarely so no biggie .

The annoying part started bothering me a lot this week  so I've tried to debug the problem. But it seems that the problem is very tricky or I don't have the sufficient knowledge to locate it. I was able to reproduce the problem under Fedora 18 x86_64 using Firefox 17. On my debian testing I use the beta versions of FF which is 22.

There is a definitely problem. I will call Infonotary tomorrow and try to get some assistance, but I highly doubt that the problem could be debugged trough the phone.
As I see it there are two solutions:
1. The bug gets fixed by the developers soon. - (the not so possible one )
2. Get my smart card and/or smart card reader replaced with different one, which I assume will result in reissuing the DS . - (the possible one)

bobi1024

Member

Registered: 2013-05-29

Posts: 2

Re: Issues getting Chrome/Firefox to work with bit4id miniLector S EVO

OK, so I got in touch with Infonotary and solution №2 is in progress