Smart card PIV/PKCS#11 devices not accessible on Fedora #209

Open
jmpolom opened this issue May 19, 2023 · 7 comments

Comments

jmpolom commented May 19, 2023

Chrome does not pick up attached smart card/PIV devices that are working via the host. Tested on Fedora 38 with a functioning p11-kit, opensc and pcsc daemon. Flatpak might be missing pcsc? Since the pcsc socket is passed into the flatpak sandbox, what's missing is likely a PKCS#11 library such as opensc or p11-kit.

refi64 (Collaborator) commented May 19, 2023

jmpolom (Author) commented May 19, 2023

Yes, I noticed. Apparently that is not sufficient on Fedora. I noticed the flatpak is being built from the deb archive. Does the Debian build of Chrome work with pcsc or p11-kit? I would suspect this aspect or some missing libraries in the flatpak.

Erick555 commented May 19, 2023

Firefox at least needs the pcsc-lite library to be present.

BTW: the chromium flatpak has neither the pcsc permission nor the library.

jmpolom (Author) commented May 20, 2023

The flathub flatpak of Firefox also does not seem able to pick up attached smart cards. pcsc-lite is likely unnecessary in the flatpak if the host runs pcscd and the socket is available to the flatpak app.

Generally you need more than just pcsc to make smart cards work in an application on Linux. If the host's pcscd socket is available to the flatpak app, what is needed is probably opensc and/or p11-kit.

Erick555 commented May 20, 2023

Here's an article about how to connect to the pcsc daemon from inside a flatpak, from the pcsc creator.

opensc can be added in flatpak like this, but I couldn't find anyone wanting to test it.

jmpolom (Author) commented May 20, 2023

> Here's an article about how to connect to the pcsc daemon from inside a flatpak, from the pcsc creator.
>
> opensc can be added in flatpak like flathub/org.mozilla.Thunderbird#162, but I couldn't find anyone wanting to test it.

I found and read the referenced article before I posted this issue. Having been using PKCS#11 token smart cards for years on Linux, I am acutely aware of the supporting pieces needed to get them working. You need more than pcsc-lite.

opensc is very likely to be the critical missing piece here. I am unclear whether pcsc-lite is needed in the flatpak or not. If the host pcscd socket is available inside the flatpak, the flatpak certainly does not need to run pcscd (the host should be relied on to provide low-level access to the card/reader). On Fedora, I do not see opensc linking to any pcsc libs:

$ ldd /usr/lib64/libpcsclite.so.1
	linux-vdso.so.1 (0x00007ffc2a7a3000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f353693e000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3536b3a000)
$ ldd /usr/lib64/libopensc.so.8.1.0
	linux-vdso.so.1 (0x00007ffe9c7fd000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f101febe000)
	libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f101fa00000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f101f822000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f10200d1000)
$ ldd /usr/lib64/opensc-pkcs11.so
	linux-vdso.so.1 (0x00007ffd79385000)
	libopensc.so.8 => /lib64/libopensc.so.8 (0x00007f0c76e22000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f0c76e08000)
	libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f0c76800000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f0c76c2a000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0c77059000)

In the above, the opensc-pkcs11.so lib is the one that applications like Thunderbird, Firefox or Chrome will need to load to access PKCS#11 tokens. Fedora ships with p11-kit configured to aggregate and proxy PKCS#11 to applications like Firefox. This obviously does not work inside of flatpaks, though, which are separated from the rest of the system.

Per the opensc Linux build docs, pcsc-lite is called out as a build dependency. I am unclear whether it is only a build dependency or also a runtime dependency. I have never built opensc from source.

To clarify, pcsc-lite and the pcscd daemon are "lower level" in the stack. They communicate with the card reader. They do not provide any higher-level PKCS#11 APIs, which is the issue here. PIV uses PKCS#11.
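As an added illustration of the stack described above (this is not code from the issue, Chromium, OpenSC or the Flatpak), the probe below does what an application does to reach a PIV token: dlopen() a PKCS#11 module and call C_GetFunctionList, C_Initialize and C_GetSlotList. Run on the host and then inside the sandbox (for example with `flatpak run --command=python3 <app-id>`, if the runtime ships python3), it separates a module that is simply absent from one that loads but cannot reach a reader; the socket path, the module paths and the status names are assumptions, not values from the issue.

```python
"""Constructed diagnostic (not Chromium, OpenSC or Flatpak code): load a
PKCS#11 module the way a browser does and ask it for token slots."""
import ctypes
import os

CKR_OK, CK_RV, FN = 0, ctypes.c_ulong, ctypes.CFUNCTYPE

class CK_FUNCTION_LIST_PREFIX(ctypes.Structure):
    # Leading entries of the standard CK_FUNCTION_LIST; PKCS#11 fixes their
    # order, so a pointer to the real (longer) struct is valid for this prefix.
    _fields_ = [
        ("version", ctypes.c_ubyte * 2),                 # CK_VERSION major, minor
        ("C_Initialize", FN(CK_RV, ctypes.c_void_p)),
        ("C_Finalize", FN(CK_RV, ctypes.c_void_p)),
        ("C_GetInfo", FN(CK_RV, ctypes.c_void_p)),
        ("C_GetFunctionList", FN(CK_RV, ctypes.c_void_p)),
        ("C_GetSlotList", FN(CK_RV, ctypes.c_ubyte, ctypes.c_void_p,
                             ctypes.POINTER(ctypes.c_ulong))),
    ]

def probe_pkcs11_module(path):
    """Return (status, number_of_slots_with_a_token_present)."""
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return ("module_not_found", 0)     # library absent from this sandbox
    if not hasattr(lib, "C_GetFunctionList"):
        return ("no_function_list", 0)     # a library, but not a PKCS#11 module
    lib.C_GetFunctionList.restype = CK_RV
    lib.C_GetFunctionList.argtypes = [
        ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST_PREFIX))]
    fl = ctypes.POINTER(CK_FUNCTION_LIST_PREFIX)()
    if lib.C_GetFunctionList(ctypes.byref(fl)) != CKR_OK:
        return ("no_function_list", 0)
    f = fl.contents
    if f.C_Initialize(None) != CKR_OK:
        return ("init_failed", 0)          # module loaded but could not start
    try:
        count = ctypes.c_ulong(0)
        if f.C_GetSlotList(1, None, ctypes.byref(count)) != CKR_OK:
            return ("slotlist_failed", 0)  # e.g. pcscd or reader unreachable
        return ("ok", count.value)         # 0 here: module fine, no token seen
    finally:
        f.C_Finalize(None)

def check_stack(module_paths, socket_path="/run/pcscd/pcscd.comm"):
    """Report both pieces an app needs: the pcscd socket (default path is an
    assumption about what --socket=pcsc exposes) and a loadable module."""
    return {"pcscd_socket": os.path.exists(socket_path),
            "modules": {p: probe_pkcs11_module(p) for p in module_paths}}
```

A typical call is `check_stack(["/usr/lib64/opensc-pkcs11.so", "/usr/lib64/p11-kit-proxy.so"])`; comparing the host result with the in-sandbox result shows whether the socket, the module, or both are what the flatpak lacks.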

jmpolom changed the title from "Smart card PIV devices not accessible on Fedora" to "Smart card PIV/PKCS #11devices not accessible on Fedora" on May 20, 2023
jmpolom changed the title from "Smart card PIV/PKCS #11devices not accessible on Fedora" to "Smart card PIV/PKCS#11 devices not accessible on Fedora" on May 20, 2023
Erick555 commented

> If the host pcscd socket is available inside the flatpak, the flatpak certainly does not need to run pcscd

That's for sure, but who from the sandbox does the talking to the socket? From the linked article I got the impression it's the client pcsc library.
