Confined browser snaps can't use system libraries (PKCS11) and native host messaging. What do we do?

sam_vde · June 14, 2019, 7:36am

We develop and provide a PKCS11 library to enable usage of our national identity card on software that plays nice with standards. So we have had very good system-wide linux support for many years now.

As this shared PKCS11 library location is no longer accessible from within a confined snap, the library itself can’t be registered, and the browser will not have access to the smartcard (e.g. to log on to government applications using the snap version of FireFox).

Furthermore, if you look at a typical addon+native messaging solution (where the native application provides local access to the card) this also breaks. This can easily be seen when trying to manage Gnome extensions using the snap version of Firefox which will not work because the native host connector is unavailable. We use this architecture as well e.g. for signing services.

I read today Chromium will be (confined?) snap only in the future, and I am slightly worried.

Has this problem been considered and if so, what are the recommendations?

chipaca · June 14, 2019, 10:36am

Paging @oSoMoN

oSoMoN · August 7, 2019, 2:49pm

I have investigated the PKCS11 situation in that other thread: Can't Load Security Device in Firefox Snap. @sam_vde: I would appreciate if you could test and confirm my findings.

Native host messaging is being tracked by bug #1741074.

There are no obvious solutions to either as yet.

sam_vde · August 7, 2019, 8:32pm

Will do, thanks for reaching out!

techblue · August 10, 2019, 3:03pm

Thanks for the background information. I’ve installed the no-snap firefox along side just for the purpose of logging in for work. I’ll be watching the bug tracker to see when I can go all in on the snap.

oSoMoN · October 1, 2021, 2:45pm

Discussion to figure out a solution is continuing at Native messaging support in strictly-confined browser snaps. Please refrain from “me too” or “+1”-like comments (but valid use cases that weren’t mentioned yet or suggestions are welcome).

sam_vde · October 1, 2021, 4:14pm

That thread leaves out the PKCS11 security module, which is equally important.

oSoMoN · October 6, 2021, 11:57am

You’re right. I filed upstream bug 1734371 to track the issue and work on a solution. As I don’t have specific knowledge on PKCS#11 modules, I’d appreciate if you could share details on your use case (in the bug) to help test. Thanks!

sam_vde · October 7, 2021, 11:48am

I will create an account for that, but for the time being here is a reference to the basic functionality we rely on: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/PKCS11/Module_Installation

oSoMoN · October 7, 2021, 2:32pm

Thanks Sam, I have added that link to the bug report.

bedfojo · October 27, 2021, 9:33am

Just to add that it is not only Belgium that uses PKCS#11 modules for e-government. Whilst I am indeed Belgian, my partner is Spanish and Spain’s e-id implementation also uses them.

This really needs to be a release-critical issue for firefox snaps.

iav · October 25, 2023, 2:48pm

Same for Latvia(LV) eID.

bedfojo · December 12, 2023, 11:40am

Is there any intention to ever tackle this issue or do we just give up on Ubuntu in a fair few countries?

iXvBgS6OIh · April 7, 2024, 10:35am

Sweden, Finland and Estonia as well.

Do I understand correctly that this is about implementing pcscd interface access in Firefox snap?

ogra · April 7, 2024, 10:50am

No, this is about the bug mentioned above:

Smart card access through pcscd is long working but Firefox needs to be able to do something with it for which it needs native messaging support which does not yet support all use cases

sam_vde · December 15, 2024, 7:11pm

Hard to believe this situation is ongoing for more than 5 years now. So much for “push snaps mainstream to iron out the bugs”. This train is long gone.