26 February 2012

79. Bankid/nexus personal and iceweasel on Debian Testing

Update 19 Feb. 2013:
Here's an updated post: http://verahill.blogspot.com.au/2013/02/341-upgradinginstalling-bankid-on-64.html -- see that one instead, in particularly if you're upgrading.

Note that you may have to compile your own nspluginwrapper:
http://verahill.blogspot.com.au/2013/03/366-nspluginwrapper-on-debian.html

and you will need to enable multiarch to install ia32-libs:
sudo dpkg --add-architecture i386
sudo apt-get update

Original post:
Swedish banks and government institutions use bankid/nexus personal for electronic id verification. Sadly, it's a horrible solution -- it seems to be closed source, the bankid website is a POS which prevents me from downloading the 64 bit version claiming that it's not supported (I've used it for a few years now, so it's clearly bunkum).

Note that there's a FOSS alternative in Fribid (http://verahill.blogspot.se/2012/02/debian-testing-wheezy-64-fribid-as.html) which seems to be working perfectly -- and if you can use it, use it. The main limitation is that in practice you'll have to collect your certificate/ID with it, since newer versions of BankID saves the ID in an incompatible format. Like many foreigners, I don't have the opportunity to visit Sweden for the sole sake of picking up a new ID, so I'm stuck with BankID. But you may not be.

* A Swedish how-to is available here: http://ubuntu-se.org/wiki/NexusPersonal#Installation_p.C3.A5_64-bitarssystem

* Another, more recent how-to is here: http://popqvarnstrom.blogspot.com.au/2011/06/bankid-nexus-personal-on-ubuntu-1104-64.html

Note: I have never 'exported' my ID, but have always copied the ~/.personal directory between computers. The problem with exporting is that you are only allowed to do it once. The problem with Nexus allowing your to copy the file itself is that anyone with physical access to your computer can copy the key.

--START HERE --
 Here's a summary of how to get it working on debian testing wheezy:

In theory you should install nexus personal from here:
https://install.bankid.com/

I've got v 4.17.0.11 installed on a 64 bit system. The message on this page is a load of bollocks:


Whatever -- the good guys over at Arch supply a link:
wget http://install.bankid.com/Repository/BISP-4.19.0.11351.tar.gz

EDIT: you can use this generic url instead  https://install.bankid.com/Download?defaultFileId=Linux

tar -xvf  BISP-4.19.0.11351.tar.gz
cd  BISP-4.19.0.11351
 sudo sh install.4.19.0.11351.sh i
 Installing BankID Security Application
ln: failed to create symbolic link `/usr/lib/firefox-addons/plugins': No such file or directory
WARNING: Failed installing plugin for Firefox 3. Manually add symlink to libplugins.so in your Firefox 3 plugin directory if this browser is to be used.
Installation complete.

Since the plugin is 32 bit, you need to link it with nspluginwrapper, and you need 32 bit libs, so

sudo apt-get install nspluginwrapper ia32-libs




Also, as far as I can tell, you need iceweasel/firefox. Chrome/ium won't work.

sudo nspluginwrapper -i /usr/local/lib/personal/libplugins.so  

Check to see if it's installed:
nspluginwrapper -l
 /usr/lib/mozilla/plugins/npwrapper.libplugins.so 
 Original plugin: /usr/local/lib/personal/libplugins.so 
Plugin viewer: /usr/lib/nspluginwrapper/i386/linux/npviewer
Wrapper version string: 1.3.0  
And visit  the following page to make sure
 https://test.bankid.com/
Or your bank.


Your  key -- on a computer where you've used bankid before -- will be in ~/.personal -- don't bother trying to import or export it using the bankid/nexus personal programme (http://popqvarnstrom.blogspot.com.au/2011/06/bankid-nexus-personal-on-ubuntu-1104-64.html) since you're apparently only allowed to do that a certain number of times.

If you just plain copy the files, however, you can do it as many times as you want. I told you the programme is a POS. Anyway,

tree .personal
.personal
|-- backup
|   |-- config
|   |   `-- Personal.cfg
|   `-- store
|-- config
|   `-- Personal.cfg
`-- store
    |-- 1.ngp
    `-- 2.ngp


Nexus Personal/BankID is installed in /usr/local/lib/personal/

Links to this page:
http://popqvarnstrom.blogspot.se/2011/06/bankid-nexus-personal-on-ubuntu-1104-64.html

25 comments:

  1. Slightly more generic link to linux bankid software: https://install.bankid.com/Download?defaultFileId=Linux (should provide latest version).

    /popq

    ReplyDelete
  2. Sjysst beskrivning. Det funkar fint utom på min ubuntu 64-bit. Installationen går bra men när jag går till https://test.bankid.com/ så får jag till svar att "BankID Security Application can not be installed."

    nspluginwrapper är installerat också,.... någon idé om fortsättning?

    ReplyDelete
    Replies
    1. Looking into it. Why the government hasn't stepped in and mandated that any solution which is to be accepted by skatteverket must be 1. open source and 2. supported for a reasonable range of platforms is beyond me. And error messages like "BankID Säkerhetsprogrammet som finns installerat på din dator är för gammalt." without specifying which version it actually thinks it has detected. Anyway, will post an update once I've made more progress.

      Delete
    2. Got it to work again.
      1. If you're upgrading, make sure that you purge all the old versions of libplugins.so -- nspluginwrapper seems to be installing the new version of $HOME/.mozilla/plugins/npwrapper.libplugins.so, while it left the old /usr/lib/mozilla/plugins/npwrapper.libplugins.so behind -- and this is what bankid.com kept on detecting as an outdated version (even though the correct, updated version of bankid was launched each time).

      BankID people: a dialogue saying that your version is 'too old' is not enough. Specifying what version is detected and what version is needed is a must.

      Delete
    3. 2. the best test is to try e.g. your bank. However,test.bankid.com will now fail due to it checking the user agent string, detecting that you're on 64 bit and it refusing to even run the test.
      To fix:
      in iceweasel(or firefox) type
      about:config

      Right-click and add a new string. Call it
      general.useragent.override
      and give it the value
      Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20100101 Firefox/10.0.12 Iceweasel/10.0.12

      It'll work now (the key is the i686 instead of x86_64)

      Delete
  3. Till dig som googlat dig hit och inte hört talas om Fribid, här är ett annat blogginlägg på denna blogg som är värt att läsa:
    http://verahill.blogspot.se/2012/02/debian-testing-wheezy-64-fribid-as.html

    Fribid funkar perfekt för mig med Debian Squeeze och Bank-ID, Länsförsäkringar bank, Försäkringskassan, Skatteverket etc.

    ReplyDelete
    Replies
    1. Good point -- I've added the link to the post. However, fribid can't read the current format the bankid saves the certificates in, so you'll have to collect the certificate using fribid. For someone living abroad that's unfortunately not possible, so we're stuck with bankid (for now):
      http://fribid.se/
      "Går det att importera BankID-legitimationer till FriBID?
      Bara e-legitimationer som hämtats med version 4.10 av Nexus Personal eller äldre versioner. De har filändelsen .p12."

      Delete
  4. Allt går bra tills man kommer till : sudo apt-get install nspluginwrapper ia32-libs

    Då står: E: Kunde inte hitta paketet nspluginwrapper

    Försöker man med bara sudo apt-get install ia32-libs
    Står det:
    Några paket kunde inte installeras. Det kan betyda att du har begärt
    en omöjlig situation eller, om du använder den instabila utgåvan
    att några nödvändiga paket ännu inte har skapats eller flyttats
    ut från "Incoming".
    Följande information kan vara till hjälp för att lösa situationen:

    Följande paket har beroenden som inte kan tillfredsställas:
    ia32-libs : Beroende av: ia32-libs-i386 men det kan inte installeras


    Har sökt runt på nätet, men hittar inget. Hur löser vi detta?

    ReplyDelete
    Replies
    1. What debian release? Squeeze, Wheezy, Jessie or Sid?

      See here for nspluginwrapper: http://verahill.blogspot.com.au/2013/03/366-nspluginwrapper-on-debian.html

      To install ia32-libs you need to enable 32 bit multiarch:
      sudo dpkg --add-architecture i386
      sudo apt-get update
      sudo apt-get install ia32-libs

      Delete
    2. Tackar! Nu har jag installerat nsplugin enligt guiden samt ia32-libs enligt ovanstående kommentar.

      Detta kommer nu fram vid sudo nspluginwrapper -i /usr/local/lib/personal/libplugins.so :

      sudo: nspluginwrapper: kommandot hittades inte


      Jag använder Debian 7.0 Wheezy XFCE.

      Delete
    3. Two options:
      1. add squeeze to your sources.list
      you should be able to install nspluginwrapper that way
      2. alternatively, if you followed my post on how to build nspluginwrapper something must have one wrong.
      First do
      'aptitude search nspluginwrapper'
      and see if anything is returned.
      If not, go through the build steps carefully and look for signs of something going wrong.

      The binary should be in /usr/bin/nspluginwrapper

      Delete
  5. Thank you very much! It now works like a charm! I had forgot to do apt-get update before ;)

    Ive been searching for the solution on this for almost a year now! :D

    ReplyDelete
    Replies
    1. Happy it worked out. Now don't forget to write angry letters to your bank complaining about how unacceptably crappy bankid is...not that I think it'll change anything though.

      Delete
  6. Det fungerar ända tills man kommer till att använda själva e-legitimationen.
    Nu står det att det är ett SLL-fel (Nordea, Ge-Moneybank mfl)

    Jag ser också att denna path inte existerar på datorn: /usr/local/lib/personal

    Något måste blivit fel. Det är väl där inne säkerhetsmodulen ska sitta för att få det hela att fungera?

    I övrigt finns Nexus Personal installerat på "Plugins" i Ice och BankId programmet start även på test.bankid.com. Dock så finns som sagt ingen e-legitimation att välja på väl inne på test-sidan på bankid.com.

    ReplyDelete
  7. Ursäkta, måste korrigera.

    /usr/local/lib/personal existerar. Men, "personal" är bara ett script inne i /usr/local/lib/. Det är alltså ingen mapp med massa filer i.

    ReplyDelete
  8. I think ive found the problem.

    The "libp11.so"-plugin is not installed correctly in Iceweasel. And i cant add it to Pref - Adv - Encryption - Security Devices.

    The problem to this seem to be that im running a 64-bit Iceweasel, and for the libp11.so-plugin to work i need a 32-bit Iceweasel.

    So now the question is, how to install 32-bit Iceweasel? :D

    ReplyDelete
    Replies
    1. Answer is Don't.

      I've got the following p11 packages installed:
      libp11-kit-dev
      libp11-kit0
      libp11-kit0:i386

      Delete
    2. You need to collect a new key from your bank using your current set up. Have you done that? Did it work?

      The certs will THEN be found in ~/.personal (~/personal/config and ~/personal/store).

      I think the libp11 is a red herring. Everything's working fine for me and I'm using 64 bit for both browser and OS.

      Delete
  9. Okej.

    Så jag måste alltså ladda ner e-legitimationen på mitt VISA-kort igen, och denna gång från Debian Wheezy 7.0 64-bit XFCE med IceWeasel?

    ReplyDelete
  10. Replies
    1. Yes, I would presume so.

      Once you have that ~/.personal folder you should be able to move it between computers (and linux distros).

      Delete
  11. Det går inte. Det står att jag redan har e-legitimation på mitt VISA-kort och att det är giltligt till och med 2015.

    Är det så att man måste ha e-legitimation på fil för att få det att fungera?

    ReplyDelete
    Replies
    1. I think it should work with hardware based authentication, but I honestly don't know. I've only used it with software-based authentication myself.

      What's your bank?

      Delete