Conflict with the OpenSC PKCS#11 module
The OpenSC module claims it supports the Belgian eID card, but it only
supports applet 1.7, not 1.8. The result is that users who have OpenSC
installed may or may not successfully authenticate, depending on whether
their browser prefers OpenSC over the eID software (or not).

To avoid this situation, we can conflict with OpenSC. Users who need
OpenSC for other things will hate us for that, but that can't be helped.
yoe committed Apr 4, 2024
1 parent aa9f7dc commit 11daff9
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions debian/control
Expand Up @@ -24,6 +24,7 @@ Section: libs
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Replaces: eid-mw (<< 4.0.6r1508)
Conflicts: opensc-pkcs11
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}, libbeidpkcs11-bin, pinentry-x11
Description: PKCS#11 library for Belgian Electronic Identity Card
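Review bot: The added `Conflicts: opensc-pkcs11` has no version bound, so it excludes every OpenSC release, including any later one that handles applet 1.8. Leave a comment next to the field saying it should be narrowed to `opensc-pkcs11 (<< fixed-version)` once such a release exists, and consider whether `Breaks:` would do instead, since Debian Policy normally prefers it over `Conflicts` as the weaker constraint on installation ordering.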
1 change: 1 addition & 0 deletions rpm/eid-mw.spec.in
Expand Up @@ -70,6 +70,7 @@ programs needed by the eID Middleware.

%package libs
Summary: Belgium electronic identity card PKCS#11 module - libraries
Conflicts: %{_libdir}/pkcs11/opensc-pkcs11.so

%description libs
The eID Middleware provides the libraries, a PKCS#11 module and a Firefox
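Review bot: `Conflicts: %{_libdir}/pkcs11/opensc-pkcs11.so` keys the conflict to a file path rather than a package name, so it only triggers where OpenSC installs its module at exactly that path under the same `%{_libdir}`. An OpenSC build for another architecture, or one that places the module elsewhere, would still install alongside this package and the authentication problem described in the commit message would remain. A short spec comment stating which distributions this path was checked against, and why a path was chosen over the package name used in debian/control, would help; like the Debian field, it is unversioned and should be narrowed once a fixed OpenSC version is known.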

5 comments on commit 11daff9

@thecommandingheights

Ouch... I understand your point here, I also read your explanation on grep.be, but simply conflicting with opensc is harsh. Lots of broken systems.

I guess adding a priority to the beid.module file in the p11-kit configuration is not a solution?

@metsma metsma commented on 11daff9 May 9, 2024

OpenSC registers opensc-pkcs11.so directly to the nss module database, and p11-kit is not involved here.

Member Author

@yoe yoe commented on 11daff9 May 9, 2024

Now that OpenSC/OpenSC#3109 is merged into OpenSC upstream, we're just waiting for that to have a proper version number. At that point, we'll reduce the conflict to the versions that are problematic.

Yeah, it sucks, but having to tell people that it's really OpenSC that's breaking your tax declaration a million times over sucks too -- especially since there are "guides" out there that claim that OpenSC is required for authenticating with eID (which is totally wrong).

@MarkRijckenberg

How are you planning on solving the conflict between the "eid-nssdb add" command (part of eid-mw) and steam (game client) on NixOS unstable?

The only way to solve this conflict right now is replacing libbeidpkcs11.so with the opensc-pkcs11.so library...

Please see
ValveSoftware/steam-runtime#667 (comment)
NixOS/nixpkgs#298662
NixOS/nixpkgs#309085

Member Author

@yoe yoe commented on 11daff9 May 13, 2024

We have no such plans, because NixOS is not supported by the eID software that is distributed on eid.belgium.be.

If there is a problem that can be resolved with a sensible patch which doesn't impact functionality on any of the distributions that we do support, we'll happily merge it. But we won't work on it ourselves.
