Belgian eID

From YobiWiki

Belgian eID is part of the efforts of the government for Belgian eGov

Officials

Usage & Software

Articles

Misc

My attempts under Linux

I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€

Installing beidgui and dependencies:

apt-get install beidgui
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd 
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

Exploring

pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2

Firefox security module

To add the security module to Firefox:

apt-get install libbeid2-dev libbeidlibopensc2-dev

Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates, and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users".

If I try to connect to federal sites like Tax-on-web, identifying myself with my card, I get error -12222 even before I'm prompted for my PIN; is it because my certificates are revoked?

Thunderbird security module

To add the security module to Thunderbird:

apt-get install libbeid2-dev libbeidlibopensc2-dev

Menu preferences->advanced->certificates->security devices->load

Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

Try to sign a first mail:
Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC sign certificate

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate...

SSH

Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1.
Some .rej files were easy to solve from v4.2 to v4.7, plus one less obvious change in debian/control: fix the debconf dependencies (it was ${debconf:Depends}, I think):

Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...

I recompile ssh with smartcard support.

apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot

Sending my public key to the ssh server:

pkcs15-tool --read-ssh-key 2 | tail -n1 | ssh user@host 'cat - >> ~/.ssh/authorized_keys'

Then logging in, being prompted for my PIN:

ssh -I 0 user@host.com

TODO: SSL Auth

http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these two commands:

engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.

req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"

Adjust the days, out and subj parameters, at least. The key ID can be found using

pkcs15-tool -c

Use the ID of the Authentication X509 certificate.


TODO: OpenVPN Auth

http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't yet support --show-pkcs11-ids

TODO: Login

I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards but with the eID.

apt-get install libpam-p11

See file:///usr/share/doc/libpam-p11/QuickStart.html

openssh way:
Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
Edit /etc/pam.d/login and add, before "@include common-auth", something like:

auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so

/var/log/auth.log reports "no certificates found"; or, with

auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so

/var/log/auth.log reports "fatal: pkcs11_sign failed"
before I was even prompted for my PIN.

opensc way: same results

auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so

Preparing the account:

mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

Signing text

From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:

fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:

openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt
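The same hash-then-sign-then-verify flow as an added example (not from the original page), with a throwaway software RSA key standing in for the card's key id 2 and my_auth.crt, so the verify step can be exercised without a reader. It assumes the openssl binary is in PATH, and uses SHA-256 where the page uses SHA-1 so that it runs on current OpenSSL builds.

```shell
# Added example, not from the original page: reproduces the hash-then-sign flow
# with a software RSA key in place of the eID authentication key (card key id 2),
# so the verification step can be exercised without a reader.
# Assumption: the openssl binary (1.1 or 3.x) is in PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The page signs SHA-1 digests (pkcs15-crypt --sha-1); SHA-256 is used here
# because some current OpenSSL builds refuse SHA-1 signatures by policy.
DIGEST=sha256

# Throwaway key pair standing in for the card key and my_auth.crt / my_auth.pem
openssl genrsa -out "$WORK/auth_key.pem" 2048 >/dev/null 2>&1
openssl rsa -in "$WORK/auth_key.pem" -pubout -out "$WORK/auth_pub.pem" >/dev/null 2>&1

# Hash the file, then sign only the digest with PKCS#1 v1.5 padding and the
# matching DigestInfo: the same thing `pkcs15-crypt --sign --pkcs1` asks the
# card to do with the pre-computed data.sha1.
sign_file() {   # $1 = input file, $2 = signature output path
    openssl "$DIGEST" -binary "$1" > "$WORK/digest.bin"
    openssl pkeyutl -sign -inkey "$WORK/auth_key.pem" -pkeyopt "digest:$DIGEST" \
        -in "$WORK/digest.bin" -out "$2"
}

# Verify as the page does: over the original file, with the bare public key.
# The exit status is the verdict (0 = signature matches the file).
verify_file() { # $1 = input file, $2 = signature path
    openssl dgst "-$DIGEST" -verify "$WORK/auth_pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

# Constructed sample data standing in for `fortune > data.txt`
printf 'constructed sample text\n' > "$WORK/data.txt"
sign_file "$WORK/data.txt" "$WORK/data.auth.sig"

# An altered file must fail against the same signature
printf 'constructed sample text, altered\n' > "$WORK/tampered.txt"
```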

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:

pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported