So I’ve got to fill in my taxes, and to do this in Belgium, we need to use our ID card. Well we can use a phone app too, but to use this app we have to register… using our ID card… ¯\_(ツ)_/¯
Last time I tested, this didn’t work well on FreeBSD, but I didn’t look too much into it and perhaps things changed since then. Also, like always, I refuse to do this on another OS where I know it works, that would be far too easy!
So we should install the PC/SC-Lite architecture to be able to read the cards and the beid middleware so we can use the card. Fortunately, beid is in the ports so we can just install it:
pkg install beid
This will also install pcsc-lite. The package messages tell us that we must:
- Install drivers for the card reader
- Hack around devd to let the PC/SC Smart Card daemon recognize it
- Mount procfs
- Install the eID Belgium extension if you use Firefox (I’ll also explain how to install it in Chromium)
- Don’t trust your government
Let’s do just all of that!
Install drivers for the card reader
My card reader is a DunnoWhat-Random-USB-Card-Reader, perhaps devel/libccid should do? For some reason, this is not available in the packages but only via ports:
cd /usr/ports/devel/libccid make install clean
Does the card reader read cards?
Does it work tho? Let’s find out!
$ usbconfig ... ugen0.6: <SCM Microsystems Inc. SCR35xx v2.0 USB SC Reader> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (100mA) ...
So our card reader is on the USB port ugen0.6. We run pcscd to see if it’s detected properly:
$ pcscd --info --color --foreground ... 00000155 [34366794240] ccid_usb.c:660:OpenUSBByName() Found Vendor/Product: 04E6/5410 (SCM Microsystems Inc. SCR 355) ...
Sweet, so it appears to be detected and working with CCID. However if I run eid-viewer, it doesn’t work. Looking at pcscd info, it looks like the power up of the card failed:
... 00000011 [34375102464] ifdhandler.c:1221:IFDHPowerICC() PowerUp failed ...
Searching a bit over the internet, I’ve found this bug report and it seems that we have to tweak the CCID driver a little.
Edit /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist and search for <key>ifdDriverOptions</key>. By default it is set to 0x0000 which, if you read the description belows, means that it tries to power on the card at 5V, then 1.8V then 3V. But apparently this doesn’t work with my particular card reader. Instead I let the card reader decide, change the value to 0x0030:
<key>ifdDriverOptions</key> <string>0x0030</string>
Restart pcscd (pcscd --info --color --foreground
) and try the card again (eid-viewer
). In my case, I can see my card details, so I believe this means that the card reader is working well.
Hack around devd
First, let’s enable pcscd at boot in /etc/rc.conf with pcscd_enable="YES"
.
Now we need to configure devd as described by the pcsc-lite package message (pkg info -D pcsc-lite
). Add this to /etc/devd.conf:
attach 100 { device-name "ugen[0-9]+"; action "/usr/local/sbin/pcscd -H"; }; detach 100 { device-name "ugen[0-9]+"; action "/usr/local/sbin/pcscd -H"; };
The -H option is to re-read some configuration files in case of a non-USB reader. You can probably remove them.
Now let’s restart everything we need and check that it still works:
$ service devd restart $ service pcscd restart
Check that it works with the eid-viewer.
Mount procfs
It’s probable that you already have procfs mounted because it’s needed by a lot of other ports. But if you didn’t, just add this line to /etc/fstab
proc /proc procfs rw,late 0 0
and then just mount procfs
.
Install the eID Belgium extension (for Firefox)
If you use Firefox, you are looking for this extension. It should work after you have restarted Firefox.
Get it to work in Chromium
On Chromium there is no extension, instead we work directly with NSS. For beid, the process is straightforward since they provide a script to install the necessary module in NSS. Go in your home directory and start the command beid-update-nssdb. Then restart chromium completely and it should work.
Alternatively you can adapt this post which explains how to manually update nssdb on Ubuntu. You would have to adapt this to FreeBSD and also use this library /usr/local/lib/libbeidpkcs11.so.0 instead of libcac.
Don’t trust your government
You do this.