YobiWiki - User contributions [en]

Belgian eID

2014-04-18T20:45:56Z

Dorian: /* Signing in Acrobat Reader */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==News==
Generally speaking there are regularly interesting posts [http://belsec.skynetblogs.be/tag/1/EID on Belsec blog], check it as I don't maintain actively this news section
* 2010-06-01 : [http://www.owasp.org/images/0/01/The_Belgian_e-ID_hacker_vs_developer.pdf The Belgian e-ID: hacker vs developer], a presentation by Erwin Geirnaert and Frank Cornelis at OWASP Belgian chapter meeting
* 2009-06-04 : SNCB/NMBS announced [http://www.rtbf.be/info/belgique/mobilite/voyager-en-train-sans-billet-mais-avec-la-carte-didentite-electronique-113949 on the news (FR here)] and on their site that [http://buy.b-rail.be/eTicketing/ETicketOrdering/InitStrutsActionToWelcome.do?change=lc&lang=3 "The tickets bought via Ticket on line ... can be loaded onto your electronic identity card"]. How could they do that?? Actually this is not true, as they explain [http://www.b-rail.be/nat/E/popup/private/eid/index.php here]: ''Your travel tickets are linked to the National Register Number (social security number) on your electronic identity card. Your tickets are not physically loaded onto your electronic identity card'' Ok now I understand better. And one more way (after [[MOBIB]]) for the gov to know who goes where...
* 2009-01-16 : [http://www.datanews.be/nl/90-53-21981/article.html?cid=rss PME et indépendants peuvent demander un lecteur eID gratuit] 16 janvier 2009 -- Rédaction Data News Pour promouvoir la déclaration TVA électronique, Fedict va distribuer des lecteurs de cartes eID gratuits aux PME et aux indépendants. Depuis le 1er janvier, la déclaration TVA électronique obligatoire s'applique à l'ensemble des PME et indépendants. Tel était déjà le cas pour les entreprises moyennes et grandes. Seule l'entreprise qui peut prouver qu'elle ne dispose pas de la possibilité technique requise, peut demander aux Finances de pouvoir encore utiliser une déclaration TVA papier. Fedict fournira un lecteur de cartes eID gratuit aux PME et aux indépendants qui n'en possèdent pas encore, peut-on lire dans un communiqué de presse émanant du ministre de l'entreprise et de la simplification, Vincent Van Quickenborne. Pour obtenir un lecteur de cartes gratuit, il suffit d'envoyer un mail à 'servicedesk@fedict.be', avec la mention "déclaration TVA électronique", le nom et le numéro d'enregistrement de l'entreprise et l'adresse d'envoi souhaitée.
* 2009-01-14 : [http://www.lachambre.be/kvvcr/showpage.cfm?section=/cricra&language=fr&cfm=dcricra.cfm?commID=0003&type=comm&cricra=cri&count=all&legislat=52 Question and answer about eID security at the "Commission de l'Intérieur, des Affaires Générales et de la Fonction Publique"]
* 2009-01 : [http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0049 Belgian eID: Vulnerability Summary for CVE-2009-0049] Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.
* Various blog posts
** [http://christophe.vandeplas.com/2008/06/26/eid-things eID things]
** [http://www.grep.be/blog/en/computer/play/ssh_with_beid SSH with Belgian electronic ID card]
** [http://www.paeps.cx/weblog/activism/why_you_should_distrust_beid.html Why you should distrust your Belgian eID card]
** [http://christophe.vandeplas.com/2008/09/30/belgian-eid-cards Belgian eID Cards]
** [http://www.paeps.cx/weblog/activism/the_eid_saga_continues.html The eID saga continues]
* 2008-06-13 : Interesting discussions [http://belsec.skynetblogs.be/post/5967702/what-does-the-study-about-eid-say- here] about the infamous [http://www.badongo.com/file/9863462 report]
* 2008-05-17 : Liège mairie de quartier du Thier-à-Liège this Saturday (Yes the office is open on Saturdays !) We received our new EID card, No more paper to sign (Annex 3 and 10) for revoking a certificate. (Maybe this is a bug in the administration ... The girl doesn't know the difference between the 2 certificates (auth. and sign). Worse: she doesn't know the signification ... and the top of the top ... Event on the paper you receive from the administration, it is clearly written '.. 2 certificates : 1 for signing and 1 for authentification' BUT on the screen of the administration computer for the revokation : 'révoquer le certificat de signature' et 'révoquer le certificat de non-répudiation' (sorry french) : Find the mistake ... --Dorian ''COMMENT'' Yes I know... Authentication and Signature refer to the technical PCKS#11 labeling of the 2 RSA certificates on the card. Both are actually used only for "signature" in the crypto sense. Legally, the "authentication" one is for signing anything like emails, login to websites etc and the other one is for the qualified signature (as by the European directive), if done in a "secure context" is legally equivalent to hand-written signature and is not repudiable. Anyway thanks for the feedback! --Phil
* 2008-04-23 [http://belsec.skynetblogs.be/post/5799349/belgian-eid-and-the-microsoft-question Belgian EID and the Microsoft question]
* 2008-04-03..04 European e-ID Card Conference: Current Perspective and Initiatives from around Europe in Government and Business, ''K.U.Leuven'', €450
* 2008-03-08 [http://belsec.skynetblogs.be/post/5631741/certipost-the-first-and-only-digital-signatur Certipost the first and only digital signature company approved by our Privacycommission]
* 2008-02-26 [http://www.levif.be/actualite/technologie/72-63-13441/la-carte-d-identite-electronique-pour-s-enregistrer-sur-ebay-.html The eID to register to eBay.be (fr)] [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html and here (fr)]
* 2008-02-24 [http://fosdem.org/2008/schedule/events/debian_belgian_eid Presentation of Wouter Verhelst at FOSDEM about ''The Belgian electronic ID card in Debian'']: [http://samba.grep.be/~wouter/beid-screencast.ogg screencast] and [http://meetings-archive.debian.net/pub/debian-meetings/2008/fosdem/ogg_theora/384x288/The_Belgian_electronic_ID_card_in_Debian___Wouter_Verhelst.ogg video]
* 2008-02-22 [http://www.datanews.be/fr/news/90-61-16807/belgacom-vend-sa-participation-dans-certipost.html Belgacom sells stake in Certipost (fr)] so now La Poste/De Post owns 100%
* News Resources:
** [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID

==Officials==

* Major sources of documentation: [http://eid.belgium.be Official eID portal] [http://repository.eid.belgium.be/FR/TechDoc.htm docs on the repository] [http://www.belgium.be/eportal/application?origin=relatedVertical.jsp&event=bea.portal.framework.internal.refresh&pageid=relatedIndexPage&navId=5933&content_category=doc_link_documentation docs on the ePortal] [http://www.ibz.rrn.fgov.be/index.php?id=122&L=0 Direction Générale Institutions & Population], with an interesting news channel
** Google -> [http://www.belgium.be/zip/fedictmovie/movie_fr.html promotional movie (37Mb)] and [http://www.belgium.be/zip/movieEID_fr/START.html flash presentation] (down, [http://web.archive.org/web/20070714110813/http://www.belgium.be/zip/fedictmovie/Fedict_FR_Large.wmv archived wmv file])
** Google -> In the context of the e-Government initiative of the Belgian Federal Government, a project has been defined to design and develop a messaging environment that allows smooth message- based communication information exchange between different governmental institutions. This messaging environment is called the [http://www.belgium.be/zip/ume-api_fr.html Universal Messaging Engine – Version 2 (UME2) (zip)]
** Google [http://www.google.com/search?q=site:eid.belgium.be+inurl:imported_content_eid deeply], [http://www.google.com/search?q=site:www.belgium.be+inurl:zip deeply], [http://www.google.com/search?q=site:www.ibz.rrn.fgov.be+inurl:eID deeply]...
* [http://repository.eid.belgium.be/FR/Index.htm Certificates], also "raw" [http://certs.eid.belgium.be/ here] and the [https://stage-pki.belgium.be/ Belgium Root CA] site
* [http://status.eid.belgium.be/ eID services], check online the status of a certificate and search the delta CRLs
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [https://readers.eid.belgium.be Help website] for the eID-kits for kids
* [http://www.ibz.rrn.fgov.be/index.php?id=2605&L=1%2F%25 Circulaires] & [http://www.ibz.rrn.fgov.be/index.php?id=2607&L=1%2F%25 Instructions] Among others: [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/instructions_generales.pdf Instructions générales de la carte d'identité électronique version du 14 novembre 2005] and its page 29 stating the possibility to revoke one or both certificates on card issuance [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/ig_annexe3_formulaire_%20renonciation_certifs_suite_v19.pdf Annexe 3 : formulaire de renonciation aux certificats de la carte d'identité électronique au moment de la demande de la carte] [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/ig_annexe10_attestation_activ_certifs_18-10_27_07%20suite_v19.pdf Annexe 10 : modèle d'attestation d'activation ou de révocation des certificats après activation de la carte] [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/ig_annexe10bis_generation_nouvelle_paire_certifs.pdf Annexe 10 bis : modèle d'attestation de génération et d'activation d'une nouvelle paire de certificats après activation de la carte] [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/instructions_generales_annexe_11-attestation_suspension_certificats_27-07.pdf Annexe 11 : modèle d'attestation de suspension et de reactivation des certificats] [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/kidscard/3%20Instructions/fr/nouveau0309/3_ci_belge.pdf Application Belpic - Version 20.03 - 3. Carte d'identité de belge]
* [http://map.eid.belgium.be/fr.html Map of eID applications]
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]
* [http://www.eid-shop.be/language_select/ eID shop], partners & implementations available
* [http://www.cardreaders.be cardreaders] officially supported
* [https://ecommunities.belgium.be eCommunities]
* [https://www.checkdoc.be/CheckDoc/ CheckDoc]
* [https://www.docstop.be/DocStop/ DocStop]
** [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/DockStop_CheckDoc/dossier_presse_05-12-08.pdf Presentation (pdf) FR]
* [http://welcome-to-e-belgium.be 2009 roadshow]
* [http://www.mypension.be MyPension]
* [https://www.socialsecurity.be SocialSecurity]
* [https://www.notaclick.be NotaClic], auctions! Want to buy a house à la "eBay"?
* [http://www.comptesdormants.be/ Comptes dormants], dormant accounts
* [http://www.db2p.be Assurances-groupe dormantes], dormant group insurances

==Misc links==
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi Danny de Cock's site]
** his latest comprehensive [http://www.esat.kuleuven.be/~decockd/slides/20090427.crypto.technicalities.pdf presentation (pdf)]
* [https://www.cosic.esat.kuleuven.be/adapid/index.html adapID project]
* [http://www.eidcompany.be/ The eID Company]
** [https://signbox.eidcompany.be/ signing documents online], same [http://www.signbox.eu here]
* [http://www.microsoft.com/belux/nl/eid Microsoft's Belgian eID card website]
* [https://ettevotjaportaal.rik.ee/index.py?chlang=eng Estonian Company Registration Portal]
* [http://www.digipassforeid.be/ VASCO: Use your eID as Digipass to create OTP]

==Specifications==
* Belgian Electronic Identity Card content
** [http://www.belgium.be/eportal/ShowDoc/fed_ict/imported_content/pdf/Belgian_Electronic_Identity_Card_content_v2.2_FR.pdf?contentHome=entapp.BEA_personalization.eGovWebCacheDocumentManager.fr v2.2 (pdf)] from [http://eid.belgium.be Official eID portal]
** [http://web.archive.org/web/*/http://www.rijksregister.fgov.be/cie/specifications_techniques/belgian_electronic_identity_card_content_v2.8.a.pdf v2.8a (pdf)] from [http://www.archive.org WaybackMachine], found ref in [http://csrc.nist.gov/publications/nistir/ir7284/nistir-7284.pdf this NIST document (pdf)] Ok the document actually [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belgian_electronic_identity_card_content_v2.8.a.pdf moved to the new website]
*** That version skips v2.2 in the Document Change History, very strange...
*** See also [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCardCertificates0037?t=2008-03-20T12:04:34Z this discussion]
* Description of the Belpic EID-version numbering
** [http://www.belgium.be/eportal/ShowDoc/fed_ict/imported_content/pdf/eID-version_numbering_v1_6_8_FR.pdf?contentHome=entapp.BEA_personalization.eGovWebCacheDocumentManager.fr v1.6.8] from [http://eid.belgium.be Official eID portal]
* Public User Specification BELPIC Application
** [http://www.belgium.be/zip/IdentityMiddlewareSpecs.zip V2.0 (pdf in zip)]
** I found [http://www.mkik.hu/download.php?id=726 this doc] on the [http://www.mkik.hu/index.php?id=634 Hungarian Chamber of Commerce & Industry], even in a [http://www.mkik.hu/download.php?id=727 version partly translated in hungarian] The end of that document is the Public User Specification BELPIC Application but badly formatted Apparently it ended up on this site as [http://www.mkik.hu/download.php?id=724 part of a publication for the European institutions]
* EID-Readers technical compatibility
** [http://www.belgium.be/eportal/ShowDoc/fed_ict/imported_content/pdf/Readers_technical_compatibility_v2.7.3_FR.pdf?contentHome=entapp.BEA_personalization.eGovWebCacheDocumentManager.fr v2.7.3 (pdf)] from [http://eid.belgium.be Official eID portal]
** [http://www.foo.be/eID/opensc-belgium/BEID-ReaderSpecs-v2.7.5.pdf v2.7.5 (pdf)]
* Belgian Electronic Identity Card Middleware Programmers Guide
** [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/programmers_guide_v1.1.pdf v1.1 (pdf)]
** [http://www.belgium.be/zip/IdentityMiddlewareSpecs.zip v1.4 (pdf in zip)]
* Belgian eID Toolkit Developer's guide
** [http://www.belgium.be/zip/IdentityMiddlewareSpecs.zip v1.0i (pdf in zip)]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID (nl)] ([http://www.microsoft.com/belux/fr/eid/ or (fr)]), just an old marketing buzz? (I wouldn't complain...)
* [http://homes.esat.kuleuven.be/~decockd/site/EidCards/belpic/mySlides/belgian.eid.card.technical.overview.pdf Belgian eID Card Technicalities (pdf)] by Danny de Cock, a MUST to read if you want to know all the gory details about the eID!
* New [http://code.google.com/p/eid-applet/ eid-applet] project on Google Code

==Revoking certificates==
===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] But [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/4%20Circulaires/fr/060125_III-38-0149-2006-Communication-Commentaires%20et%20clarifications-FR%20(PW).pdf officially (see "Puis-je utiliser le numéro de Registre national?")] this is normal... BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for women, uneven for men) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh... You can import Belgium Root CA signed by GlobalSign Root CA [http://certs.eid.belgium.be/ here (the belgiumrs*.crt)]
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.
* And what about [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/fr/8_documentation/communique_de_presse/presse_150208_2.pdf administrative errors]? ;-)

===2005: I revoked my certificates===
====Why?====
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID was not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
====How?====
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/ig_annexe3_formulaire_%20renonciation_certifs_suite_v19.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/ig_annexe10_attestation_activ_certifs_18-10_27_07%20suite_v19.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

[https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0014 According to Danny de Cock] you can revoke them by phone via the eID card stop service: call +32-2-518.21.16 or +32.2.518.21.17,in French or Dutch, respectively (there is a 7-day period prior to definitive revocation, I'm not sure how secure is the procedure...)

===2010: I revoked my signature certificate, but kept my authentication certificate===
====Why?====
* Since 2005 I learned...
* I accept the Authentication certificate to be able to play around with it (Tax-on-web, RRN website,...).
** We can change the 4-digit PIN to up to a 12-digit value.
** I could use it but only on trusted devices, that's another story...
* I revoke the Signature certificate unless they change their architecture:
** I don't want the same PIN as on the other certificate. Note that there were [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0015 some discussions here] Public user specification BELPIC application v2.0 mention 2 different PINs with their own ids (01 for auth, 04 for non-repud) and [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0067 according to Danny] the new cards will have 2 PINs but as of today (2010) this is not yet the case.
** Probably they limited themselves to one single PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
====How?====
It was again epic...
 The municipality employee claimed that I should have asked to not have the certificate while ordering the card and now it's too late, because rules have changed, blabla.
 She claimed that if she revokes now my certificates my cards will automatically expire 7 days later.
 So I took the risk and asked her to revoke my signature certificate, anyway, at my own risks.
 It was indeed quite risky as she was about to revoke the authentication certificate on the application screen rather than the signature certificate, so be very careful and double-check what they're doing!!

The reality:
* My card is still fully working and I can use it to log into federal websites.
* There were indeed [http://www.ibz.rrn.fgov.be/index.php?id=2607 new eID instructions] published on 1st of July 2010 (one month after I got my card)
** The new instructions suppressed annexes 10, 10bis & 11 amongst other things, leaving only annex 3.
** If you refuse your certificates while ordering your card you will not have any usage certificate while I wanted to have anyway the authentication certificate.
** To get the municipality understanding what you want, the best is probably to refer to the instructions of the latest [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/30062010/IG_POPEID_IST_010710.pdf instructions (pdf 01/06/2010)]
** '''UPDATE''' new version of the instructions is [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/3%20Instructions/fr/20120810/20120810-instructions-generales-eid.pdf here (pdf 10/08/2012)] but contains the same text in ''6.3 Activation de la carte - cas particuliers''
Instructions générales relatives aux cartes d’identité électroniques de Belges
Version du 1er juillet 2010
6. Délivrance de la carte au citoyen
6.3 Activation de la carte
Conformément à la loi du 25 mars 2003, le certificat qualifié de signature n’est pas validé sur la carte d’identité des
personnes reconnues incapables en vertu de la législation en vigueur (mineurs d’âge non émancipés, personnes sous
statut de minorité prolongée, les majeurs placés sous administration provisoire, les incapables légaux, les incapables
juridiques et les personnes placées sous conseil judiciaire). En effet, ces personnes ne peuvent signer valablement.

Pour les mineurs d’âge non émancipés, lors de l’activation de la carte, le certificat de signature est automatiquement
révoqué et le certificat d’authentification est quant à lui activé.

Pour les personnes reconnues incapables et mentionnées ci-dessus, après activation de la carte, il y a lieu de révoquer le
certificat de signature (Logiciel Belpic – Menu : « Gestion des certificats »)

A l'issue de la procédure d’activation de la carte d’une personne majeure ou d’un mineur émancipé, le préposé de la
commune s’informe du souhait du citoyen quant à l’utilisation ou non des fonctions électroniques (certificat de signature et
certificat d’authentification) de sa carte. Au cas où le citoyen décide de renoncer à l’utilisation de l’un ou /et l’autre
certificat de sa carte, le préposé de la commune procédera à la révocation immédiate de son/ses certificat(s) (cfr. Logiciel
Belpic, menu « Gestion des certificats »). Ensuite, la carte d'identité électronique peut être remise au citoyen.
The last paragraph is very clear. Of course don't expect them to ask you if you wish to use the certificates or not, they never do it and when you ask for revoking a certificate it's always mess & fuzz.

==PIN unlocking==
* Default PIN is 4-digit, can be changed up to 12 digits.
* PIN locked after 3 wrong attempts
* PUK can unlock PIN
* PUK is 12-digit long
* You get 6-digit half-PUK, and you need to go to the municipality to have your eID card unblocked... This unblocking consists of sending 12 PUK digits to your eID card: you provide 6 PUK digits, and the National Register provides the other 6... I.e., it is impossible for a citizen to unblock his/her eID card without presenting him/herself to the municipality... [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0067 Thanks for the info Danny]!

==Linux: Drivers==
If you want to try also [https://readers.eid.belgium.be/index.cfm?Content_ID=8515371 make sure you're using Linux] :-D

I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€
 So the card is accessed via the USB reader, handled by the libccid, used by the pcscd daemon.

<pre>
$ pcsc_scan
Reader 0: iDream ID-SMID01 00 00
Card state: Card inserted,
ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11

ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11
+ TS = 3B --> Direct Convention
+ T0 = 98, Y(1): 1001, K: 8 (historical bytes)
TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU (38400 bits/s at 3.57 MHz)
TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
-----
TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
+ Historical bytes: A5 03 01 01 01 AD 13 11
Category indicator byte: A5 (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 98 13 40 0A A5 03 01 01 01 AD 13 11
Belgium Electronic ID card
</pre>

==Linux: Government Middleware v2.1==
===Installation===
The Belgian government is providing a Linux middleware to access the eID.
 The sources are accessible [http://www.belgium.be/zip/eid_datacapture_fr.html here (fr)] or [http://www.belgium.be/zip/eid_datacapture_fr.html there (nl)]
 But thanks to Wouter Verhelst, there are also Debian packages (2.6.0-3 in Lenny as I'm writing):

apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
Some interesting documentation once it's installed: /usr/share/doc/libbeidlibopensc2/README.Debian

A short introduction to the middleware is available [http://www.belgium.be/zip/middleware_Linux_FR.pdf here (fr, pdf)] or [http://www.belgium.be/zip/middleware_Linux_NL.pdf here (nl, pdf)]
===Belpic version of OpenSC===
The middleware is a modified version of OpenSC, talking to pcscd.
 I recently saw that my ~/.xsession-errors logfile was full of ''Error: can't open /var/run/openct/status...'' It happens whenever icedove/iceweasel are open (so when the libbeidpkcs11.so is loaded) I found a [https://bugs.launchpad.net/ubuntu/+source/belpic/+bug/70442 bugreport on Ubuntu] and the proposed fix works so I opened a Debian bugreport: [http://bugs.debian.org/469485 #469485]:

OpenSC has support for three driver types : PCSC, OpenCT and CT-API. Belpic only needs PC/SC, and will produce errors/warnings if you leave support for OpenCT enabled.

Edit /etc/beidbase.conf, and insert a statement that limits the use of drivers to pcsc. Right before the reader_driver config feels like an OK place to do this :

## specify driver family pcsc.
# Others (openct, ..) are not needed for Belpic and
# may produce errors/warnings

reader_drivers = pcsc ;

reader_driver pcsc {
....
===GUI===
The GUI application (beidgui) works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
 You can easily change your PIN here, with a PIN between 4 and 12 digits!
 I don't remember of having read that PINs bigger than 4-digit were possible...

===beidcrld===
Part of beid-tools
 It's an optional daemon, supposed to download automatically the CRLs.
 '''TODO''': where are those CRLs stored locally? How to check the status? /usr/share/beid/crl

===beidpcscd===
Part of beid-tools
 It's an optional daemon.
 The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, Iceweasel & Icedove (through the PKCS#11 module we'll install later) are constantly speaking with it...
 And if it's not running, Iceweasel & Icedove will poll every second on that port 2500, no matter if you are really using the eID at that moment or not, erk!

===beid-pkcs11-tool===
Part of beid-tools
 For a little demo...
<pre>
$ beid-pkcs11-tool --list-slots
Available slots:
Slot 0 iDream ID-SMID01 00 00
manufacturer: Zetes
hardware ver: 1.0
firmware ver: 1.0
flags: token present, removable device, hardware slot
token label: BELPIC (Basic PIN)
token manuf: Axalto
token model: Belgium eID
token flags: rng, PIN initialized, token initialized
[...]
</pre>
<pre>
$ beid-pkcs11-tool --list-objects
Private Key Object; RSA 1024 bits
label: Authentication
ID: 02
Usage: sign
Certificate Object, type = X.509 cert
label: Authentication
ID: 02
Public Key Object; RSA 1024 bits
label: Authentication
ID: 02
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: CA
ID: 00
Public Key Object; RSA 2048 bits
label: CA
ID: 04
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: Root
ID: 00
Public Key Object; RSA 2048 bits
label: Root
ID: 06
Usage: encrypt, verify
Private Key Object; RSA 1024 bits
label: Signature
ID: 03
Usage: sign
Certificate Object, type = X.509 cert
label: Signature
ID: 03
Public Key Object; RSA 1024 bits
label: Signature
ID: 03
Usage: encrypt, verify
</pre>
<pre>
$ beid-pkcs11-tool --list-mechanisms
Supported mechanisms:
SHA-1, digest
MD5, digest
RIPEMD160, digest
RSA-PKCS, sign, verify, unwrap
SHA1-RSA-PKCS, sign, verify
MD5-RSA-PKCS, sign, verify
RIPEMD160-RSA-PKCS, sign, verify
</pre>
<pre>
$ beid-pkcs11-tool --test
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Authentication)
QSettings: failed to open file '/etc/qt3/qt_plugins_3.3rc'
all 4 signature functions seem to work
testing signature mechanisms:
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (Signature) with 1 signature mechanism
RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (Authentication)
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (Signature) with 1 mechanism
RSA-PKCS: OK
Key unwrap (RSA)
testing key 0 (Authentication) -- can't be used to unwrap, skipping
testing key 1 (Signature) -- can't be used to unwrap, skipping
[...]
</pre>

===libbeidpkcs11.so===
It's a PKCS#11 library which can be used by Firefox/Iceweasel, Thunderbird/Icedove, Iceape, OpenOffice,...
 See below for some tests with those applications.
====Firefox security module====
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service.
If installing the service through beid-pkcs11-register.html does not work, try to load /usr/lib/libbeidpkcs11.so manually through Edit -> Preferences -> Advanced -> Encryption -> Security devices -> Load.

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

====Thunderbird security module====
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.
 TODO: I still would like to understand what went wrong before, why only the "Authentication" certificate worked and not the "Signature" one.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.
====Chrome/Chromium security module====
See https://code.google.com/p/eid-mw/wiki/ChromeLinux
apt-get install libnss3-tools
cd # be in your homedir
modutil -dbdir sql:.pki/nssdb/ -add "Belgium eID" -libfile /usr/lib/libbeidpkcs11.so
Check if the library was successfully added
modutil -dbdir sql:.pki/nssdb/ -list

====Signing in OpenOffice====
It is using the same certificate set as firefox/iceweasel so signing in OpenOffice works out-of-the-box on my Debian.
 If not you can still check [http://www.linux.com/articles/57554 this article] to debug your situation.

File -> Digital Signatures... -> Add...

This works also with the legal "signature" certificate
====Signing in LibreOffice====
[http://test.eid.belgium.be/faq/faq_fr.htm#Comment_signer_un_document_dans_LibreOffice_.3F Official instructions (in French)]

====Signing in Acrobat Reader====
acroread can deals with PKCS#11 modules...
Document -> Security Settings -> Digital IDs -> PKCS#11 -> Attach module ->
/usr/lib/libbeidpkcs11.so (apparently worked only with v3.5)
do not work with acroread 9.5.1 but work with acroread 9.5.4

You can use https://signbox.eidcompany.be/ (no more service ...) to create a pdf to be signed.
 Seems to work but I still find strange it prompts me twice for the PIN, once in the Acrobat interface (password) and once with the virtual pad of the beid pkcs11 library.

you can use this one https://sign.belgium.be/ it sent you back a Zip file with the pdf and a signature file, not realy convenient :( ...)

Old stuff: see also https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0068?t=2008-04-04T18:04:26Z and try with http://itext.ugent.be/articles/eid-pdf/

==Linux: Government Middleware v3.5==
Why upgrading?

Among other things because with a recent eID you could face an error of beidgui about invalid root certificate, see [http://eid.belgium.be/fr/besoin_d_aide/QuickFix/QuickFix_standaard_antwoorden/situatie8.jsp here] and [there http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=385735]
===Installation===
Here are some note of a quick run around the new release 3.5
 The middleware was released among other for "Debian Etch", not bad...
 Well actually the middleware comes with an ugly install.sh script doing stuff like erasing old beidlib files, appending blindly stuff in /etc/ld.conf etc

As I'm not running etch I had to help it a bit:
 libxerces27 is only in etch, but can be installed smoothly on lenny if you apt-get install its own dependency to libicu36
 So now I could try their new toys...

About the GUI:
*The beidgui is now kind of applet in the taskbar popping up gently your picture when you insert your card.
*The detailed view provides also a parsing of the ATR, which is much nicer than having to dig into the (outdated) spec docs.

About the beidlib:
*privacy proxy": now every time an application wants to read the card there is a Qt popup asking for confirmation and showing the full path of that application. Nice but what for non X systems?
*PIN prompt: exists also with virtual keypad flavor.
*BUG?? On my system every time an application requests an operation with PIN it takes 2secs @ 100% CPU to popup :-(

About the SDK:
* I could try all C++ examples, didn't try Java (allergy to that caffeine probably)
Little quirk to be able to compile the legal signature example:
samples/sign_p11/C++/Makefile:
-CXXFLAGS = -O2 -g
+CXXFLAGS = -O2 -g -ldl
The read_eid and the get_exception are apparently featuring code to read also the SIS card.
 I tried but I got a BEID_Exception (code = e1d00300) which means from eidErrors.h:
/** Error communicating with the card */
#define EIDMW_ERR_CARD_COMM 0xe1d00300
You need a reader such as ACR38 which can read memory cards. Even the OmniKey5321 which supports 3-wire protocol seems to not be usable with the middleware to read a SIS card :-(
===Getting the old lib running too===
So the barbarian ./install.sh seemed to have deleted the following:
* beid-tools:
**/usr/bin/beidcrld
**/usr/bin/beidpcscd
*libbeidlibopensc2:
**/usr/lib/libbeidpkcs11.so.2.1.0
*libbeidlibopensc2-dev:
**/usr/include/beid/opensc/*
Some tools are still working (pcsc_scan, opensc-explorer, beidgui (v2.1), beid-tool
 But some fail: Firefox pkcs11 module, beid-pkcs11-tool

My solution: reinstalling libbeidlibopensc2_2.6.0-6_i386.deb
 It fixed the problem and Firefox is actually using pkcs11 lib of middleware3.5

==Linux: Government Middleware v3.5.x on 64-bit Debian==
===Installation (libs & Mozilla plugin, manually)===
I had problems when trying to get the middleware running on my new 64-bit laptop because the binary & libraries available at http://eid.belgium.be are only for 32-bit OS.

My solution was to compile it from code.google.com but it was not that easy because it required a libtool version newer than what was in Debian, so I did (not very clean I agree):
sudo apt-get install automake automake1.9-
wget ftp://ftp.gnu.org/gnu/libtool/libtool-2.2.10.tar.gz
./bootstrap
./configure
make
sudo apt-get remove libtool
sudo make install
sudo cp /usr/local/share/aclocal/* /usr/share/aclocal
sudo cp -a /usr/local/share/libtool/config /usr/share/libtool
Then the middleware code:
svn checkout http://eid-mw.googlecode.com/svn/trunk/ eid-mw-read-only
# Edit configure.ac -> openssl v0.9.8 ok otherwise it'll claim for openssl v1.0.0
./bootstrap.sh
./configure
make
sudo apt-get remove libbeid2 libbeidlibopensc2 beid-tools beidgui
sudo make install
Middleware works with e.g. Firefox but when prompted for a PIN the virtual keyboard was blank, no image of the numbers on the buttons.

===Installation (via Debian unstable)===
'''UPDATE''': At the time of writing, middleware v3.5.2 is available in Debian unstable
====beidgui====
sudo aptitude install -t unstable beidgui
Seems to work except that it doesn't load my certificates, the tab is just empty
====beid-mozilla-plugin====
sudo aptitude install -t unstable beid-mozilla-plugin
Edit > Preferences > Advanced > Encryption > Security Devices > Load > Browse > /usr/lib/libbeidpkcs11.so.3
Note that apparently the card must be inserted in the reader before you launch Firefox...

There is also a Firefox add-on: [https://addons.mozilla.org/fr/firefox/addon/51744/ eID Belgique 1.0.7], not sure what it's useful for, apparently it's meant to ease installation of the middleware & expects plugin to be in /usr/local/lib/libbeidpcks11.so so if you installed /usr/lib/libbeidpkcs11.so.3 in Firefox as stated above you don't need this plugin.

====beid-tools====
sudo aptitude install -t unstable beid-tools
At first I had an error about undefined symbol because I had still my manual install libraries in /usr/local -> rm /usr/local/bin/beid* /usr/local/lib/*beid* /usr/local/lib/libcard*

==Linux: Government Middleware v4.0.4==
Some certificate cleaning in Firefox first, cf [http://irisbox.irisnet.be/vip/portal/FireFox.html this page]:
* Edit / Preferences / Advanced / Encryption / View Certificates / Authorities
** Delete Global Sign nv-sa / Belgium Root CA2
** Mmm I did it but it went back, so not sure if it's needed... and Irisbox fails with eID while other sites work...
Installing middleware, see [http://eid.belgium.be/en/using_your_eid/installing_the_eid_software/linux/ this page]
sudo apt-get remove --purge beid*
wget http://eid.belgium.be/fr/binaries/eid-mw_4%2E0%2E4r1253_amd64_tcm226-178472.deb
sudo dpkg -i eid-mw_4.0.4r1253_amd64_tcm226-178472.deb
wget http://eid.belgium.be/fr/binaries/eid-viewer_4%2E0%2E4r146_amd64_tcm226-178482.deb
sudo dpkg -i eid-viewer_4.0.4r146_amd64_tcm226-178482.deb
For Chromium, see https://code.google.com/p/eid-mw/wiki/ChromeLinux
cd
modutil -dbdir sql:.pki/nssdb/ -add "Belgium eID" -libfile /usr/lib/libbeidpkcs11.so
# check if the library was successfully added
modutil -dbdir sql:.pki/nssdb/ -list
 Test it:
eid-viewer
Questions?
* http://eid.belgium.be/en/using_your_eid/
* http://test.eid.belgium.be/
* http://test.eid.belgium.be/faq/faq_fr.htm or http://test.eid.belgium.be/faq/faq_nl.htm
Untrusted certificate when visiting gov site? see [http://eid.belgium.be/en/using_your_eid/need_help/problemen_met_de_installatie/ this page]
* Edit / Preferences / Advanced / Encryption / View Certificates / Authorities
** Edit trust of Belgium Root CA2 / Belgium Root CA2 -> trust for all 3 purposes
Notes:
* pcsc needs to run when launching ff, but card doesn't need to be inserted in advance

==Linux: OpenSC Middleware==
===Installation===
belpic, the Belgian middleware, is a modified version of OpenSC, let's try the plain OpenSC:
apt-get install opensc
=> file:///usr/share/doc/opensc/BelgianEid.html
 ''OpenSC 0.10.* will include support for the Belgian eID card, except for legally binding signatures (with the so-called Signature key) as this requires a GUI, which is not yet available/implemented. Till that new release please use the "belpic" software available from the belgian state.''

Note that you've to stop the filter daemon (beidpcscd) first
===cardos-info===
Returns the ATR
$ cardos-info
3b:98:13:40:0a:a5:03:01:01:01:ad:13:11
Received (SW1=0x6D, SW2=0x00)

===opensc-tool===
<pre>
$ opensc-tool -a -v # with debug=1 in /etc/opensc/opensc.conf
[opensc-tool] ctx.c:705:sc_context_create: ===================================
[opensc-tool] ctx.c:706:sc_context_create: opensc version: 0.11.4
[opensc-tool] sc.c:196:sc_detect_card_presence: called
[opensc-tool] sc.c:201:sc_detect_card_presence: returning with: 1
Connecting to card in reader iDream ID-SMID01 00 00...
[opensc-tool] card.c:110:sc_connect_card: called
[opensc-tool] reader-pcsc.c:542:pcsc_connect: After connect protocol = 1
[opensc-tool] reader-pcsc.c:561:pcsc_connect: Requesting reader features ...
[opensc-tool] card-belpic.c:988:belpic_init: Belpic V1.4
[opensc-tool] card-belpic.c:995:belpic_init:
[opensc-tool] card.c:221:sc_connect_card: card info: Belpic cards, 12002, 0x0
[opensc-tool] card.c:222:sc_connect_card: returning with: 0
Using card driver Belpic cards.
Card ATR:
3B 98 13 40 0A A5 03 01 01 01 AD 13 11 ;..@.........
[opensc-tool] card.c:236:sc_disconnect_card: called
[opensc-tool] card.c:251:sc_disconnect_card: returning with: 0
[opensc-tool] ctx.c:738:sc_release_context: called
</pre>
From the ATR:
* Component code: A5
* OS number: 03
* OS version: 01
* Softmask number: 01
* Softmask version: 01
* Applet version: 1.1
<pre>
$ opensc-tool -n
Belpic cards
</pre>
<pre>
$ opensc-tool -f
3f00 type: DF, size: 65535
select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A] list[N/A]
[opensc-tool] card.c:343:sc_list_files: returning with: Not supported
sc_list_files() failed: Not supported
</pre>
Reading the address file:
<pre>
$ opensc-tool -s 00CADF3005
Sending: 00 CA DF 30 05
Received (SW1=0x6D, SW2=0x00)
$ opensc-tool -s 00A4080C023F00
Sending: 00 A4 08 0C 02 3F 00
Received (SW1=0x90, SW2=0x00)
$ opensc-tool -s 00A4080C043F00DF01
Sending: 00 A4 08 0C 04 3F 00 DF 01
Received (SW1=0x90, SW2=0x00)
$ opensc-tool -s 00A4080C063F00DF014033
Sending: 00 A4 08 0C 06 3F 00 DF 01 40 33
Received (SW1=0x90, SW2=0x00)
$ opensc-tool -s 00B0000080
Sending: 00 B0 00 00 80
Received (SW1=0x90, SW2=0x00):
01 1E 41 76 65 6E 75 65 20 64 65 20 6C 61 20 43 ..Avenue de la C
6F 75 72 6F 6E 6E 65 20 34 31 20 2F 62 30 32 37 ouronne 41 /b027
02 04 31 30 35 30 03 07 49 78 65 6C 6C 65 73 00 ..1050..Ixelles.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 .....

(that one is handled smartly because actually there is a first error 6C75 then a new request 00B0000075)
</pre>

===opensc-explorer===
<pre>
$ opensc-explorer

#PUK: (max trials: 3, length: 4-12)
OpenSC [3F00]> verify CHV1 31:31:31:31
[opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
Incorrect code, 2 tries left.

OpenSC [3F00]> verify CHV1 31:32:33:34
Code correct.

#PUK: (max trials: 12, length: 12)
OpenSC [3F00]> verify CHV3 31:32:33:34
[opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
Incorrect code, 11 tries left.

#PINreset (max trials: 10, length: 12)
OpenSC [3F00]> verify CHV2 31:32:33:34
[opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
Incorrect code, 9 tries left.

OpenSC [3F00]> random 100
00000000: 80 8E DD 53 92 0A FB 12 17 7E 77 49 11 D5 3E 93 ...S.....~wI..>.
00000010: E7 93 CD C1 D8 AB E2 0E 85 34 44 F0 B2 F4 52 8A .........4D...R.
00000020: FD 0A 34 8F A1 16 2C 91 85 18 77 83 F4 EC 2F DB ..4...,...w.../.
00000030: 5D 5A A6 F8 4C 61 21 74 B1 C0 E2 4C FF 7B CF BF ]Z..La!t...L.{..
00000040: 01 A2 06 CB 41 33 EB 75 2E 86 90 A7 E6 FD 0C 8C ....A3.u........
00000050: BF 12 CD CE 32 EB 40 89 D7 98 39 78 30 86 AF 52 ....2.@...9x0..R
00000060: 60 E0 F6 C3 `...

OpenSC [3F00]> cd df00

OpenSC [3F00/DF00]> get 5035
Total of 119 bytes read from 5035 and saved to 3F00_DF00_5035.
</pre>
You can also cat the files:
<pre>
OpenSC [3F00]> cd df01
OpenSC [3F00/DF01]> cd 4033
OpenSC [3F00/DF01/4033]> cat
00000000: 01 1E 41 76 65 6E 75 65 20 64 65 20 6C 61 20 43 ..Avenue de la C
00000010: 6F 75 72 6F 6E 6E 65 20 34 31 20 2F 62 30 32 37 ouronne 41 /b027
00000020: 02 04 31 30 35 30 03 07 49 78 65 6C 6C 65 73 00 ..1050..Ixelles.
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 .....

</pre>
The interpretation of the file contents we just extracted can be found in the [[#Specifications|Belgian Electronic Identity Card content]] document
 Here are all the files you can extract:
<pre>
3F00_2F00 MF/DIR
3F00_DF00_5031 MF/Belpic/ODF (Object Directory File)
3F00_DF00_5032 MF/Belpic/TokenInfo
3F00_DF00_5034 MF/Belpic/AODF (Authentication Object Directory File)
3F00_DF00_5035 MF/Belpic/PrKDF (Private Key Directory File)
3F00_DF00_5037 MF/Belpic/CDF (Certificate Directory File)
3F00_DF00_5038 MF/Belpic/Cert#2 (auth)
3F00_DF00_5039 MF/Belpic/Cert#3 (non-rep)
3F00_DF00_503A MF/Belpic/Cert#4 (CA)
3F00_DF00_503B MF/Belpic/Cert#6 (Root)
3F00_DF00_503C MF/Belpic/Cert#8 (RRN)
3F00_DF01_4031 MF/ID/ID#RN (contains also hash of ID#Photo)
3F00_DF01_4032 MF/ID/SGN#RN (signature of ID#RN by RRN)
3F00_DF01_4033 MF/ID/ID#Address
3F00_DF01_4034 MF/ID/SGN#Address (signature of ID#Address|SGN#RN by RRN)
3F00_DF01_4035 MF/ID/ID#Photo (140x200 JPEG grayscale)
3F00_DF01_4038 MF/ID/PuK#7 ID (CA role Hash SHA-1)
3F00_DF01_4039 MF/ID/Preferences
</pre>
Note that here we could extract the RRN Cert#8, which was not shown by the usual pkcs#15 tools...
 Note that the Preferences file is 100-byte zeroes, is customisable just with the cardholder PIN but the update_binary command is not supported, so [[#patch|I wrote a patch]]
<pre>
$ xview 3F00_DF01_4035
3F00_DF01_4035 is a 140x200 JPEG image, color space Grayscale, 1 comp, Huffman coding.
...
</pre>
So to extract the picture via a simple script:
echo -e "cd df01\nget 4035 mypic.jpg"|opensc-explorer

===pkcs11-tool===
Differences with beid-pkcs11-tool are highlighted between *stars*
<pre>
$ pkcs11-tool --list-slots
Available slots:
Slot 0 iDream ID-SMID01 00 00
token label: BELPIC (Basic PIN)
*token manuf: (unknown)*
token model: PKCS #15 SCard
token flags: rng, *login required*, PIN initialized, token initialized
*serial num : 6CFF252C5F190218*
</pre>
<pre>
$ pkcs11-tool --list-objects
</pre>
<pre>
$ pkcs11-tool --login --list-objects
Please enter User PIN:
Private Key Object; RSA
label: Authentication
ID: 02
Usage: sign
Certificate Object, type = X.509 cert
label: Authentication
ID: 02
Public Key Object; RSA 1024 bits
label: Authentication
ID: 02
Usage: encrypt, verify
Private Key Object; RSA
label: Signature
ID: 03
Usage: sign
Certificate Object, type = X.509 cert
label: Signature
ID: 03
Public Key Object; RSA 1024 bits
label: Signature
ID: 03
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: CA
ID: 00
Public Key Object; RSA 2048 bits
label: CA
ID: 04
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: Root
ID: 00
Public Key Object; RSA 2048 bits
label: Root
ID: 06
Usage: encrypt, verify
</pre>
Strange, I need to login to extract the objects
 Strange, pubkeys can encrypt but privkey cannot decrypt...
 Strange, both RootCA and CitizenCA certificates have the same id 0
 And what's the format of those certificates when dumped out? Not DER neither PEM
<pre>
$ pkcs11-tool --login --read-object --id 0 --type cert|xxd
[...]
$ pkcs11-tool --login --read-object --id 2 --type pubkey |xxd
[...]
</pre>
<pre>
$ pkcs11-tool --list-mechanisms
Supported mechanisms:
SHA-1, digest
*SHA256, digest*
*SHA384, digest*
*SHA512, digest*
MD5, digest
RIPEMD160, digest
RSA-PKCS, sign, verify, unwrap, *decrypt*
SHA1-RSA-PKCS, sign, verify
MD5-RSA-PKCS, sign, verify
RIPEMD160-RSA-PKCS, sign, verify
*RSA-PKCS-KEY-PAIR-GEN, keypairgen*
</pre>
Extra mechanisms available apparently...
 And they work:
<pre>
phil@mercure:~$ echo -n test|pkcs11-tool --hash --mechanism SHA512 |xxd
0000000: ee26 b0dd 4af7 e749 aa1a 8ee3 c10a e992 .&..J..I........
0000010: 3f61 8980 772e 473f 8819 a5d4 940e 0db2 ?a..w.G?........
0000020: 7ac1 85f8 a0e1 d5f8 4f88 bc88 7fd6 7b14 z.......O.....{.
0000030: 3732 c304 cc5f a9ad 8e6f 57f5 0028 a8ff 72..._...oW..(..
</pre>
<pre>
$ pkcs11-tool --login --test
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
not implemented
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Authentication)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (1024 bits, label=Signature) with 1 signature mechanism
[opensc-pkcs11] sec.c:67:sc_set_security_env: returning with: Not supported
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
</pre>

===pkcs15-tool===
<pre>
$ pkcs15-tool --dump
PKCS#15 Card [BELPIC]:
Version : 1
Serial number : 1234567890ABCDEF1234567890ABCDEF
Manufacturer ID: (unknown)
Flags : PRN generation, EID compliant

PIN [Basic PIN]
Com. Flags: 0x3
ID : 01
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:12, stored_len:8
Pad char : 0xFF
Reference : 1
Type : bcd
Path : 3f00

Private RSA Key [Authentication]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 130
Native : yes
Path : 3f00df00
Auth ID : 01
ID : 02

Private RSA Key [Signature]
Com. Flags : 3
Usage : [0x200], nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 131
Native : yes
Path : 3f00df00
Auth ID : 01
ID : 03

X.509 Certificate [Authentication]
Flags : 3
Authority: no
Path : 3f00df005038
ID : 02

X.509 Certificate [Signature]
Flags : 3
Authority: no
Path : 3f00df005039
ID : 03

X.509 Certificate [CA]
Flags : 3
Authority: yes
Path : 3f00df00503a
ID : 04

X.509 Certificate [Root]
Flags : 3
Authority: yes
Path : 3f00df00503b
ID : 06
</pre>

pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2

===pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.
===eidenv===
Very interesting one...
<pre>
$ eidenv | recode UTF8..
BELPIC_CARDNUMBER: 123456789012
BELPIC_CHIPNUMBER: 1234567890ABCDEF1234567890ABCDEF
BELPIC_VALIDFROM: 20.06.2005
BELPIC_VALIDTILL: 20.06.2010
BELPIC_DELIVERINGMUNICIPALITY: Liege
BELPIC_NATIONALNUMBER: 00310100123
BELPIC_NAME: Teuwen
BELPIC_FIRSTNAMES: Philippe Yvon
BELPIC_INITIAL: F
BELPIC_NATIONALITY: Belge
BELPIC_BIRTHLOCATION: Liège
BELPIC_BIRTHDATE: 31 JAN 1900 (or 2000? ;-)
BELPIC_SEX: M
BELPIC_NOBLECONDITION:
BELPIC_DOCUMENTTYPE: 1
BELPIC_SPECIALSTATUS: 0
BELPIC_STREETANDNUMBER: Rue de l'OpenSource 12 /b012
BELPIC_ZIPCODE: 1050
BELPIC_MUNICIPALITY: Ixelles
</pre>
<pre>
$ eidenv --exec /bin/bash
$ echo $BELPIC_NAME
Teuwen
$ exit
</pre>
But if the filter daemon beidpcscd is running:
<pre>
$ eidenv
[eidenv] reader-pcsc.c:534:pcsc_connect: SCardConnect failed: Sharing violation.
[eidenv] card.c:228:sc_connect_card: returning with: Generic reader error
Failed to connect to card: Generic reader error
</pre>
I expected to get prompted by the filter but nothing like that
===patch===
The middleware is missing the function update_binary() while the card supports it and provides a writable file EF(Preferences) for the cardholder (you need first to login with your PIN)
 So I added it and [http://bugs.debian.org/470637 submitted it in bugreport #470637]
 Demo: how to install Linux on the eID (hum, so to speak...)
<pre>
$ opensc-explorer
OpenSC Explorer version 0.11.4
OpenSC [3F00]> cd df01
OpenSC [3F00/DF01]> verify CHV1 31:32:33:34
Code correct.
OpenSC [3F00/DF01]> put 4039 tux.txt
Total of 100 bytes written.
</pre>
<pre>
$ opensc-explorer
OpenSC Explorer version 0.11.4
OpenSC [3F00]> cd df01
OpenSC [3F00/DF01]> cd 4039
OpenSC [3F00/DF01/4039]> cat
000000: 5B 47 65 6E 5D 0A 4C 47 3D 66 72 00 5F 20 20 20 [Gen].LG=fr._
000010: 00 00 00 00 00 00 00 00 20 20 20 2E 20 2E 20 20 ........ . .
000020: 00 00 00 00 00 00 00 00 20 20 20 2F 56 5C 20 20 ........ /V\
000030: 00 00 00 00 00 00 00 00 20 20 2F 2F 20 5C 5C 20 ........ // \\
000040: 00 00 00 00 00 00 00 00 20 2F 28 20 20 20 29 5C ........ /( )\
000050: 00 00 00 00 00 00 00 00 20 20 5E 60 7E 27 5E 20 ........ ^`~'^
000060: 00 00 00 00 ....
</pre>

==Linux: to be sorted...==
===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
cf [[OpenSSH#Patch_for_login_with_eID]]

===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

[https://openid.trustbearer.com TrustBearer OpenID] supports the Belgian eID as an authentication token. The service uses a browser add-on which contains a middleware stack that communicates directly with the reader & card. See a demonstration on [http://blog.rootshell.be/2008/04/28/openid-and-belgian-eid/ this blog].

===Cryptonit===
From [http://www.opentrust.com/content/view/135/142index.en.html News:] OPENTRUST has announced the availability of a new version of Cryptonit. This latest release is fully compatible with the Belgium electronic ID card which when used with Cryptonit enables documents to be digitally signed. [http://sourceforge.net/project/showfiles.php?group_id=110403 download]

Under Debian:
apt-get install cryptonit
Device->Load-> /usr/lib/libbeidpkcs11.so
It works, you can sign files with both certificates.
 Note that the first PIN prompt doesn't matter, you'll get prompted directly by the libbeidpkcs11 middleware.
 Note that for repetitive Authentication signings (even after close/reopen cryptonit) it doesn't prompt me anymore for the next signatures, but well if I want to use the non-repudiation one.
===Exploring with jcshell===
You can probably achieve the same with gpshell but I couldn't get gpshell working properly.

Trying GP211 AID:
 Note that it works on a card from 2010 but on older cards there is no card manager accessible with that AID.
<pre>
$ jcshell

Welcome to NXP JCShell!
(c) 2012 NXP Semiconductors Germany GmbH
------------------------------------------------------------------------------

setting scripts-folder to ./scripts ...
enabling modes echo and trace...
- /term pcsc
--Opening terminal
> /card -a a0000001510000
resetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B 98 13 40 0A A5 03 01 01 01 AD 13 11 ;..@.........
IOCTL().
ATR:
T = 0
=> 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF .........gA0..
(153838 usec)
<= 6A 86 j.
Status: Incorrect parameters (P1,P2)
=> 00 A4 04 00 07 A0 00 00 01 51 00 00 00 .........Q...
(87173 usec)
<= 6F 18 84 07 A0 00 00 01 51 00 00 A5 0D 9F 6E 06 o.......Q.....n.
20 41 61 31 02 02 9F 65 01 FF 90 00 Aa1...e....
Status: No Error
cm> get-cplc
=> 80 CA 9F 7F 00 .....
(80409 usec)
<= 9F 7F 2A 40 90 66 93 20 41 61 31 02 02 20 3B 18 ..*@.f. Aa1.. ;.
0E 05 2A 00 13 19 42 00 00 19 43 00 00 19 44 00 ..*...B...C...D.
00 00 00 BA 01 FF FF FF FF FF FF FF FF 90 00 ...............
Status: No Error
IC Fabricator : 4090
IC Type : 6693
Operating System ID : 2041
Operating System release date : 6131 (10.5.2006)
Operating System release level : 0202
IC Fabrication Date : 203B (10.2.20X2)
IC Serial Number : 180E052A
IC Batch Identifier : 0013
IC Module Fabricator : 1942
IC Module Packaging Date : 0000
ICC Manufacturer : 1943
IC Embedding Date : 0000
IC Pre-Personalizer : 1944
IC Pre-Perso. Equipment Date : 0000
IC Pre-Perso. Equipment ID : 0000BA01
IC Personalizer : FFFF
IC Personalization Date : FFFF
IC Perso. Equipment ID : FFFFFFFF
cm> get-data 9f7f
=> 80 CA 9F 7F 00 .....
(80339 usec)
<= 9F 7F 2A 40 90 66 93 20 41 61 31 02 02 20 3B 18 ..*@.f. Aa1.. ;.
0E 05 2A 00 13 19 42 00 00 19 43 00 00 19 44 00 ..*...B...C...D.
00 00 00 BA 01 FF FF FF FF FF FF FF FF 90 00 ...............
Status: No Error
cm> get-data 0066
=> 80 CA 00 66 00 ...f.
(103044 usec)
<= 66 3F 73 3D 06 07 2A 86 48 86 FC 6B 01 60 0C 06 f?s=..*.H..k.`..
0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A .*.H..k....c...*
86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B .H..k.d...*.H..k
04 01 05 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 ...f...+....*.n.
02 90 00 ...
Status: No Error
Global Platform version : 2.1.1
Global Platform Secure Channel Protocol: 01 option 05
Java Card version : 2.2
cm> get-data 0042
=> 80 CA 00 42 00 ...B.
(38576 usec)
<= 42 06 FF FF FF FF FF FF 90 00 B.........
Status: No Error
cm> get-data 0045
=> 80 CA 00 45 00 ...E.
(40849 usec)
<= 45 08 FF FF FF FF FF FF FF FF 90 00 E...........
Status: No Error
cm> get-data 00e0
=> 80 CA 00 E0 00 .....
(74442 usec)
<= E0 12 C0 04 01 01 80 10 C0 04 02 01 80 10 C0 04 ................
03 01 80 10 90 00 ......
Status: No Error
Key information:
Key ID : 1
Key version : 1
Key component 1 :
Type : DES
Length : 16 bytes
Key information:
Key ID : 2
Key version : 1
Key component 1 :
Type : DES
Length : 16 bytes
Key information:
Key ID : 3
Key version : 1
Key component 1 :
Type : DES
Length : 16 bytes
</pre>

==Linux: TODO==
===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 See also file:///usr/share/doc/opensc/PamModules.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

See also file:///usr/share/doc/opensc/QuickStart.html

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
 and https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCardReverseProxy0004

===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
 '''UPDATE''' openvpn 2.1~rc7-1 is available soon on Debian

===TODO: Misc===
* [http://opensignature.sourceforge.net/english.php OpenSignature] targeted for Italian eID
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* JAVA
** beidlib.jar: BEIDCard.html and Test.java
** http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/JavaEidSampleCodeTOC
* Novell version in C#...
** I could compile but still runtime errors
* http://www.law.kuleuven.be/icri/publications/954eIDPDFSignatures.pdf.pdf and [http://www.law.kuleuven.be/icri/all_pubs.php?action=pubs_topic&id=2&where= other papers]
* http://www.tonywhitmore.co.uk/cgi-local/wiki.pl?UsefulNotes/SmartCards
* WPA?? file:///usr/share/doc/opensc/WPA.html
* https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Eid/EidForum Danny opened some forums on eID, a lot to read probably ;-)
** [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0031 What about the preferences file?]
* http://javadoc.iaik.tugraz.at/iaik_jce/current/index.html
* http://www.uvcw.be/e-communes/eid & http://www.uvcw.be/articles/3,90,39,39,1398.htm
* http://www.disinstitute.be/
* http://www.eidating.be/
* <nowiki>http://www.belgium.be/eportal/application?pageid=contentPage&docId=30000 .. 45000?</nowiki>
* http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/AppletEidCardsUtilityTOC
** the applet loads but nothing happens when trying to see the content of the card :-(
* http://www.linux.com/feature/131527
* a [https://code.google.com/p/eid-javascript-lib/ JavaScript file] to be used with the applet from the eID middleware, making it easier to retrieve data out (and format the data) of eID- and SIS cards using the applet from the eID middleware.
* http://doc.ubuntu-fr.org/tutoriel/utiliser_carte_identite_electronique_belge

Arduino PDU

2011-02-11T15:30:29Z

Dorian: /* What do we need ? / cahier des charges */

PDU, APC or Server control unit or wathever you want ;-)

APC stand in the minds of IT engineer as system witch control the power supply of servers
-> if you want to remotely shut down or reboot a server, You'll sure use a APC or PDU...

The "problem" with this system, this is a very hard way to shut down a server.
it could be better to put on the power or reset button ?

Yes you get the idea, a system able to put on the power button (remotely off course)

=== What do we need ? / cahier des charges ===
* communication ethernet
** pour la config
** pour les ordres de commande
** simple telnet suffit (on sera obligatoirement sur reseaux prive)
* communication serie avec le system
** pour la config (IP) uniquement ?
** est-il vraiment utile de pouvoir commander via le port serie
(vu qu'il ne sera raccorder a priopri qu'a une seule machine ...)
* idealement capable de commander plusieur serveur (par commande on entend ''apuiller'' sur le BP power ou reset)
* pouvoir mettre une etiquette sur chaque serveur (evite de se tromper de serveur)
* sans alim ou si celui si est dans le choux, les serveurs ne doivent pas se couper/rebooter ...

==== Idee dingue ou pas ? ====
* 'lecture' des diodes power et HDD ou autre ?
* ssh
** bon ca on n'y pense meme pas ! :-p
* Extensionalisable sans trop de frais
** point de vue interface ethernet
*** maintenant vu le faible cout :/

Arduino PDU

2011-02-11T15:19:14Z

Dorian: /* What do we need ? / cahier des charges */

Arduino PDU

2011-02-11T15:16:16Z

Dorian: /* What do we need ? / cahier des charges */

Arduino PDU

2011-02-11T15:15:08Z

Dorian:

PDU, APC or Server control unit or wathever you want ;-)

APC stand in the minds of IT engineer as system witch control the power supply of servers
-> if you want to remotely shut down or reboot a server, You'll sure use a APC or PDU...

The "problem" with this system, this is a very hard way to shut down a server.
it could be better to put on the power or reset button ?

Yes you get the idea, a system able to put on the power button (remotely off course)

=== What do we need ? / cahier des charges ===
* communication ethernet
** pour la config
** pour les ordres de commande
* communication serie avec le system
** pour la config (IP) uniquement ?
** est-il vraiment utile de pouvoir commander via le port serie
(vu qu'il ne sera raccorder a priopri qu'a une seule machine ...)
* idealement capable de commander plusieur serveur (par commande on entend ''apuiller'' sur le BP power ou reset)
* pouvoir mettre une etiquette sur chaque serveur (evite de se tromper de serveur)
* sans alim ou si celui si est dans le choux, les serveurs ne doivent pas se couper/rebooter ...

Arduino PDU

2011-02-11T15:06:36Z

Dorian: Created page with "PDU, APC or Server control unit or wathever you want ;-) APC stand in the minds of IT engineer as system witch control the power supply of servers -> if you want to remotely shu…"

Arduino

2011-02-11T14:56:54Z

Dorian: /* Projects */

So after the [http://www.brucon.org/index.php/Workshops#Arduino:_how_we_made_the_beerduino Arduino workshop] at BruCON 2009 (pics [http://gallery.yobi.be/v/divers/evenements/brucon2009/IMG_9977.JPG.html here]), I was seduced by this little development board.

==Links==
[http://en.wikipedia.org/wiki/Arduino Arduino on Wikipedia]
===boards & clones===
====[http://arduino.cc/en/Main/ArduinoBoardDuemilanove Duemilanove] (SmartProjects)====
The Duemilanove automatically selects the appropriate power supply (USB or external power), eliminating the need for the power selection jumper found on previous boards. It also adds an easiest to cut trace for disabling the auto-reset, along with a solder jumper for re-enabling it.

based on the ATmega168, latest versions are based on ATmega328p

Clones:
* Roboduino
* [http://spiffie.org/kits/freeduino2009/ Freeduino 2009], an (almost) all through hole remake
* [http://www.ge-th.com/product.asp?id=118 Chinduino Duemilanove168-20PU] or [http://www.ge-th.com/product.asp?id=119 Duemilanove328-20PU]

"Make it better" clones:
* [http://www.freetronics.com/products/twentyten TwentyTen] by Freetronics. Nice small enhancements, but more expensive than the other clones...

====[http://arduino.cc/en/Main/ArduinoBoardDecimilia Decimilia] (SmartProjects)====
Version before Duemilanove, with a jumper to select the power supply (USB or external power)

based on the Atmega168, can be upgraded with a ATmega328

Clones:
* [http://www.nuelectronics.com/estore/index.php?main_page=product_info&cPath=1&products_id=1 Freeduino V1.16 Board]
* Freeduino MaxSerial
* HACEduino "2009"
* Fino168 USB Board
** with a DIP switch to disable auto-reset and D13 LED
* Duino168 Serial Board
** with a DIP switch to disable auto-reset and D13 LED
* Duino328 Serial Board
** with a DIP switch to disable auto-reset and D13 LED
* [http://www.makershed.com/ProductDetails.asp?ProductCode=MKSEEED2&ampClick=19209 Seeeduino]

====[http://arduino.cc/en/Main/ArduinoBoardLilypad Lilypad] (SparkFun)====
based on the ATmega168V on v03 (the low-power version of the ATmega168) or the ATmega328V on v04

====[http://arduino.cc/en/Main/ArduinoBoardPro Pro] (SparkFun)====
based on the ATmega168 or ATmega328. The Pro comes in both 3.3V / 8 MHz and 5V / 16 MHz versions. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 6 analog inputs, a battery power jack, a power switch, a reset button, and holes for mounting a power jack, an ICSP header, and pin headers. A six pin header can be connected to an FTDI cable or Sparkfun breakout board to provide USB power and communication to the board.

The Arduino Pro is intended for semi-permanent installation in objects or exhibitions. The board comes without pre-mounted headers, allowing the use of various types of connectors or direct soldering of wires. The pin layout is compatible with Arduino shields. The 3.3V versions of the Pro can be powered with a battery.

Take care that the embedded power regulator is smaller and outputs max 150mA

====[http://arduino.cc/en/Main/ArduinoBoardProMini Pro Mini] (SparkFun)====
based on the ATmega168. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 6 analog inputs, an on-board resonator, a reset button, and holes for mounting pin headers. A six pin header can be connected to an FTDI cable or Sparkfun breakout board to provide USB power and communication to the board.

The Arduino Pro Mini is intended for semi-permanent installation in objects or exhibitions. The board comes without pre-mounted headers, allowing the use of various types of connectors or direct soldering of wires. The pin layout is compatible with the Arduino Mini.

There are two version of the Pro Mini. One runs at 3.3V and 8 MHz, the other at 5V and 16 MHz.

====[http://www.arduino.cc/en/Main/ArduinoBoardNano Nano] (Gravitech)====
small, complete, and breadboard-friendly board based on the ATmega328 (Arduino Nano 3.0) or ATmega168 (Arduino Nano 2.x). It has more or less the same functionality of the Arduino Duemilanove, but in a different package. It lacks only a DC power jack, and works with a Mini-B USB cable instead of a standard one

Clones:
* DFRoduino Nano
* [http://littlegreenmartian.net/index.php?page=shop.product_details&category_id=1&flypage=flypage.tpl&product_id=5&option=com_virtuemart&Itemid=55&vmcchk=1&Itemid=55 HACEduino 2009 Nano]

====[http://www.arduino.cc/en/Main/ArduinoBoardMini Mini] (SmartProjects)====
based on the ATmega168

the smallest of the serie. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 8 analog inputs, and a 16 MHz crystal oscillator. It can be programmed with the Mini USB adapter or other USB or RS232 to TTL serial adapter.

====[http://arduino.cc/en/Main/ArduinoBoardMega Mega] (SmartProjects)====
based on the ATmega1280

54 Digital I/O Pins (of which 14 provide PWM) / 16 Analog Input Pins

====Other clones or derivatives====
* [http://spiffie.org/kits/iduino/ iDuino], a breadboardable version
* [http://www.adafruit.com/index.php?main_page=index&cPath=19 Boarduino], another breadboardable version, see also [http://www.ladyada.net/make/boarduino/ here]
* [http://spiffie.org/kits/stickduino/ Stickduino], USB Stick Sized Arduino Clone
* [http://spiffie.org/kits/duinostamp/ DuinoStamp]
* [http://moderndevice.com/RBBB_revB.shtml Really Bare Bones Board], minimalist, smallest one?
* [http://leaflabs.com/devices/maple/], compatible with Arduino but powered by a 72MHz ARM core!
* [http://timewitharduino.blogspot.com/2009/07/introducing-wiseduino.html Wiseduino], an Arduino-compatible microcontroller board, which includes a DS1307 real time clock (RTC) with backup battery, a 24LC256 EEPROM chip and a connector for XBee adapter for wireless communication.
* [http://lab.guilhermemartins.net/2009/05/06/paperduino-prints/ Paperduino]
* [http://www.liquidware.com/shop/show/ILL/Illuminato Illuminato], 42 I/O pins and 64K code space, powered with a ATmega645, see also [http://antipastohw.blogspot.com/2009/01/introducing-illuminato-100-gnu-gpld.html here]
* [http://www.pjrc.com/teensy/index.html Teensy], based on ATMEGA32U4 or AT90USB646 for Teensy++, small & cheap
* [http://www.hackinglab.org/pinguino/index_pinguino.html Pinguino], similar concept, based on a PIC
* [http://www.myamicus.co.uk/content.php?115-Amicus18-Board Amicus18] uses a Microchip PIC® micro microcontroller instead of an Atmel AVR type

===Officials===
* [http://www.arduino.cc/ Arduino] official website
===Documentation===
* [http://www.lulu.com/content/1108699 Arduino notebook v6]
* [http://www.ladyada.net/learn/arduino/index.html Tutorial], [http://ahmedriaz.com/mind/esketching4designers/ video tutorials] and [http://www.arduino.cc/en/Tutorial/HomePage other examples]
* [http://arduino.cc/en/Reference/Extended Extended Language Reference]
* [http://www.arduino.cc/en/Hacking/Programmer Burning sketches to the Arduino board with an external programmer]
* [http://www.amazon.com/gp/search/ref=sr_adv_b/?search-alias=stripbooks&field-title=arduino Several books] on Amazon...
* [http://shieldlist.org/ Arduino shield List] & pinouts...
* [http://makezine.com/arduino/] Arduino by Make

===Programmers===
* [http://code.google.com/p/mega-isp/ In System Programmers based on the AVR Mega8 chip, including Arduino(tm)]
* [http://www.mightyohm.com/blog/2008/09/arduino-based-avr-high-voltage-programmer/ Arduino-based AVR High Voltage Programmer]

===Hardware===
====Shopping====
* [http://www.sparkfun.com/commerce/categories.php?c=103 SparkFun]
* [http://www.adafruit.com/ Adafruit]
* [http://www.nuelectronics.com/estore/ nuelectronics]
* [https://www.watterott.com/Arduino-project Watterott]
* [http://store.fundamentallogic.com/ecom/ FundamentalLogic] & [http://spiffie.org/electronics/ Spiff's Electronics]
* [http://www.nkcelectronics.com/arduino.html NKC Electronics]
* [http://www.ge-th.com GE-TH], General Electronics Tech, located in ShenZhen, China
* [http://be01.rs-online.com/web/search/searchBrowseAction.html?method=searchProducts&searchTerm=arduino RS]
* [http://www.cooking-hacks.com/index.php/shop/arduino.html Cooking-hacks] by libelium, nice shields...

====Ethernet====
[http://www.adafruit.com/index.php?main_page=product_info&cPath=17&products_id=83 Ethernet shield]
* [http://www.ewiznet.com/ wiznet]
* [http://www.gridconnect.com/xportdirect.html xport], older but with DHCP
* See also [http://www.ladyada.net/make/eshield/ here]

====LCD====
* [http://arduino.cc/en/Tutorial/LiquidCrystal Tutorial] with LiquidCrystal library, for Hitachi HD44780 compatible LCDs

====Misc links to explore====
* http://www.freeduino.org/
* http://enerduino.blogspot.com/2009/12/enerduino-english.html
* SDcard http://www.arduino.cc/cgi-bin/yabb2/YaBB.pl?num=1206874649/8

===Software===
* [http://fritzing.org/ Fritzing] is an open-source initiative to support designers, artists, researchers and hobbyists to work creatively with interactive electronics.
* [http://nootropicdesign.com/toolduino/ Toolduino] lets you easily interact with your Arduino hardware so you can test the circuits you create. Toolduino is written in the Processing languange and is available for Windows, Mac OS X, and Linux.
** The Arduino must be running the [http://firmata.org/wiki/Main_Page Firmata firmware] that comes with the Arduino IDE
* [http://www.modk.it/ ModKit] is a HTML5 visual programming environment for Arduino
* [http://seaside.citilab.eu/scratch/arduino Scratch for Arduino]. Scratch is a learning environment developed by the Lifelong Kindergarten Group at MIT Media Lab

==Arduino and Linux==
===Installation===
Main instructions are [http://www.arduino.cc/playground/Learning/Linux here]

As I'm using a Debian AMD 64bit, here is what I did:

Installing java from Sun and making sure it will be called by the tools. It might be that other java suites are working but at least java-gcj is missing a GtkLookAndFeel component that Arduino GUI is using
 So if you don't have it yet:
aptitude install sun-java6-jre
 Then if it's not the one by default, change it: (maybe "java" is enough but let's be consistent)
update-alternatives --config java
update-alternatives --config jar
update-alternatives --config keytool
update-alternatives --config orbd
update-alternatives --config rmid
update-alternatives --config rmiregistry
update-alternatives --config serialver
Other dependencies:
aptitude install avr-libc gcc-avr
[http://code.google.com/p/arduino/ Arduino tools], here v0017:
wget http://arduino.googlecode.com/files/arduino-0017.tgz
tar xzf arduino-0017.tgz
Arduino tools are coming only for 32bit but it contains only a few executables so let's install the 64bit version of those executables
 Initially I did the following:
aptitude install librxtx-java
rm arduino-0017/lib/librxtxSerial.so
But at time of writing, Debian was only proposing v2.1.7 and if uploading sketches to the Arduino worked, launching the serial monitor provoked a big crash of Java. So better to follow [http://feelslikeburning.com/2009/08/21/how-to-get-arduino-0017-working-on-64-bit-linux-including-ubuntu-9-04/ this post]:
 ''Download [http://rxtx.qbang.org/wiki/index.php/Download rxtx-2.2pre2-bins] from the RXTX folks. Extract the files, and copy RXTXcomm.jar and x86_64-unknown-linux-gnu/librxtxSerial.so to the Arduino lib/ directory, basically replacing the two files that came shipped with Arduino 0017.''

There is also the avrdude binary in arduino-0017 which is compiled as 32bit executable.
 You can recompile it from the source or if you have the ia32-libs package, the 32bit binary provided will work out-of-the-box.
 But in any ways, '''DON'T USE AVRDUDE FROM YOUR DISTRO!''' because the one provided with the Arduino tools is a patched version.

Now let's try to launch the script arduino-0017/arduino
Tools/SerialPort/"/dev/ttyUSB0"
Tools/Board/"Arduino Diecimila, Duemilanove or Nanoe, w/ Atmega168"

Now trying the very first code:
 See [http://www.ladyada.net/learn/arduino/lesson1.html this tuto]

===Problem with the original avrdude===
As I told in the previous section, don't use the avrdude coming with your distro. Initially this is what I did and here are the problems I faced:
aptitude install avrdude avrdude-doc
cd arduino-0017/hardware/tools
mv avrdude avrdude.disabled
mv avrdude.conf avrdude.conf.disabled
ln -s /usr/bin/avrdude
ln -s /etc/avrdude.conf
'''DON'T USE AVRDUDE FROM YOUR DISTRO!'''
Then when trying to upload the bin to the board (menu -> Upload to I/O board), I got the following message:
Binary sketch size: 896 bytes (of a 14336 byte maximum)
avrdude: Yikes! Invalid device signature.
Double check connections and try again, or use -F to override this check.
Then I tried to inject the -F option to avrdude, it flashed the chip, gave me still errors:
Wrong microcontroller found. Did you select the right board in the Tools > Board menu?
avrdude: Yikes! Invalid device signature.
avrdude: Expected signature for ATMEGA168 is 1E 94 06
But the code was apparently correctly uploaded to the board as I got my blinking LED...

Avrdude which is part of the arduino-0017 release is a patched version as it says:
Version 5.4-arduino
While the version in Debian Squeeze is:
Version 5.8
So apparently we need absolutely to use the special arduino version.
===Using USBtinyISP===
USBtinyISP is not driven by a USB-to-serial converter or a driver but by libusb.
 Therefore you must have the right to use libusb.
 As running the IDE as root is not a very wise solution, here is another one using udev:
* Create /etc/udev/rules.d/usbtiny.rules
# udev rules file for USBtinyISP (for udev 0.98 version)

SUBSYSTEM!="usb|usb_device", GOTO="usbtiny_rules_end"
ACTION!="add", GOTO="usbtiny_rules_end"
ATTRS{idVendor}=="1781", ATTRS{idProduct}=="0c9f", ATTRS{product}=="USBtiny", MODE="0664", GROUP="plugdev"
LABEL="usbtiny_rules_end"
* Restart udev
/etc/init.d/udev restart
* Add yourself to the plugdev group if not yet done
adduser toto plugdev
* Unplug and plug back your USBtiny board
===Monitoring avrdude calls===
One annoyance of the GUI is that I don't know what the GUI is doing with avrdude so I wanted to intercept & log the calls to avrdude:
 In arduino-0017/hardware/tools move avrdude to avrdude.orig
 Then create a script called avrdude (make it executable!) with:
script -q -a $(dirname $0)/avrdude.log -c "echo \"$0 $*\" && $0.orig $*"
It will creates a logfile called avrdude.log in the same directory and as bonus you'll see also directly the calls to avrdude with all the arguments in the GUI console.

==Projects==
===[[Arduino Brucon|Brucon Blink blink]]===
===[[Arduino VFD brightness|VFD brightness control]]===
===[[Arduino EMF|Yet another EMF detector]]===
===[[Arduino Photoduino|Photoduino]]===
Personal notes about a wonderful spanish project
===[[Arduino PDU]]===

==TODO & ideas==
* Temperature alarm for tea preparation
* LED cube?
* POV sth? sphere?

==My stuff==
* [http://www.nuelectronics.com/estore/index.php?main_page=product_info&cPath=1&products_id=1 Freeduino V1.16 Board]
* [http://www.arduino.cc/en/Main/ArduinoEthernetShield EthShield SD]
* [http://arduino.cc/en/Main/ArduinoBoardPro Arduino Pro] 5V 16MHz w/ ATmega328
** [http://www.sparkfun.com/commerce/product_info.php?products_id=9115 FTDI Basic Breakout 5V]
* [http://www.ladyada.net/make/boarduino/ USB Boarduino] w/ ATmega328
* [http://www.ladyada.net/make/usbtinyisp/ USBtinyISP]
* [http://leaflabs.com/devices/maple/ Maple w/ ARM 72MHz]
* [http://www.ladyada.net/make/tvbgone/ TV-B-Gone Kit]

==TV-B-Gone==
* [http://www.tvbgone.com/cfe_tvbg_main.php As a product]
** [http://www.tvbgone-fr.com/blog/index.php?Accueil French site]
* [http://www.ladyada.net/make/tvbgone/index.html As a kit]
** [http://forums.adafruit.com/viewforum.php?f=23 Forum]
** Issue to use ISP? See [http://forums.adafruit.com/viewtopic.php?t=4438 here], in short it's easier to use a breadboard or [http://tinkerlog.com/howto/tiny25-header/ Tiny25 header]...
* [https://code.google.com/p/tv-b-gone/ Yet another clone]

Arduino

2010-07-16T09:54:28Z

Dorian: /* Misc links to explore */

So after the [http://www.brucon.org/index.php/Workshops#Arduino:_how_we_made_the_beerduino Arduino workshop] at BruCON 2009 (pics [http://gallery.yobi.be/v/divers/evenements/brucon2009/IMG_9977.JPG.html here]), I was seduced by this little development board.

==Links==
[http://en.wikipedia.org/wiki/Arduino Arduino on Wikipedia]
===boards & clones===
====[http://arduino.cc/en/Main/ArduinoBoardDuemilanove Duemilanove] (SmartProjects)====
The Duemilanove automatically selects the appropriate power supply (USB or external power), eliminating the need for the power selection jumper found on previous boards. It also adds an easiest to cut trace for disabling the auto-reset, along with a solder jumper for re-enabling it.

based on the ATmega168, latest versions are based on ATmega328p

Clones:
* Roboduino
* [http://spiffie.org/kits/freeduino2009/ Freeduino 2009], an (almost) all through hole remake
* [http://www.ge-th.com/product.asp?id=118 Chinduino Duemilanove168-20PU] or [http://www.ge-th.com/product.asp?id=119 Duemilanove328-20PU]

====[http://arduino.cc/en/Main/ArduinoBoardDecimilia Decimilia] (SmartProjects)====
Version before Duemilanove, with a jumper to select the power supply (USB or external power)

based on the Atmega168, can be upgraded with a ATmega328

Clones:
* [http://www.nuelectronics.com/estore/index.php?main_page=product_info&cPath=1&products_id=1 Freeduino V1.16 Board]
* Freeduino MaxSerial
* HACEduino "2009"
* Fino168 USB Board
** with a DIP switch to disable auto-reset and D13 LED
* Duino168 Serial Board
** with a DIP switch to disable auto-reset and D13 LED
* Duino328 Serial Board
** with a DIP switch to disable auto-reset and D13 LED
* [http://www.makershed.com/ProductDetails.asp?ProductCode=MKSEEED2&ampClick=19209 Seeeduino]

====[http://arduino.cc/en/Main/ArduinoBoardLilypad Lilypad] (SparkFun)====
based on the ATmega168V on v03 (the low-power version of the ATmega168) or the ATmega328V on v04

====[http://arduino.cc/en/Main/ArduinoBoardPro Pro] (SparkFun)====
based on the ATmega168 or ATmega328. The Pro comes in both 3.3V / 8 MHz and 5V / 16 MHz versions. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 6 analog inputs, a battery power jack, a power switch, a reset button, and holes for mounting a power jack, an ICSP header, and pin headers. A six pin header can be connected to an FTDI cable or Sparkfun breakout board to provide USB power and communication to the board.

The Arduino Pro is intended for semi-permanent installation in objects or exhibitions. The board comes without pre-mounted headers, allowing the use of various types of connectors or direct soldering of wires. The pin layout is compatible with Arduino shields. The 3.3V versions of the Pro can be powered with a battery.

Take care that the embedded power regulator is smaller and outputs max 150mA

====[http://arduino.cc/en/Main/ArduinoBoardProMini Pro Mini] (SparkFun)====
based on the ATmega168. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 6 analog inputs, an on-board resonator, a reset button, and holes for mounting pin headers. A six pin header can be connected to an FTDI cable or Sparkfun breakout board to provide USB power and communication to the board.

The Arduino Pro Mini is intended for semi-permanent installation in objects or exhibitions. The board comes without pre-mounted headers, allowing the use of various types of connectors or direct soldering of wires. The pin layout is compatible with the Arduino Mini.

There are two version of the Pro Mini. One runs at 3.3V and 8 MHz, the other at 5V and 16 MHz.

====[http://www.arduino.cc/en/Main/ArduinoBoardNano Nano] (Gravitech)====
small, complete, and breadboard-friendly board based on the ATmega328 (Arduino Nano 3.0) or ATmega168 (Arduino Nano 2.x). It has more or less the same functionality of the Arduino Duemilanove, but in a different package. It lacks only a DC power jack, and works with a Mini-B USB cable instead of a standard one

Clones:
* DFRoduino Nano
* [http://littlegreenmartian.net/index.php?page=shop.product_details&category_id=1&flypage=flypage.tpl&product_id=5&option=com_virtuemart&Itemid=55&vmcchk=1&Itemid=55 HACEduino 2009 Nano]

====[http://www.arduino.cc/en/Main/ArduinoBoardMini Mini] (SmartProjects)====
based on the ATmega168

the smallest of the serie. It has 14 digital input/output pins (of which 6 can be used as PWM outputs), 8 analog inputs, and a 16 MHz crystal oscillator. It can be programmed with the Mini USB adapter or other USB or RS232 to TTL serial adapter.

====[http://arduino.cc/en/Main/ArduinoBoardMega Mega] (SmartProjects)====
based on the ATmega1280

54 Digital I/O Pins (of which 14 provide PWM) / 16 Analog Input Pins

====Other clones or derivatives====
* [http://spiffie.org/kits/iduino/ iDuino], a breadboardable version
* [http://spiffie.org/kits/stickduino/ Stickduino], USB Stick Sized Arduino Clone
* [http://spiffie.org/kits/duinostamp/ DuinoStamp]
* [http://moderndevice.com/RBBB_revB.shtml Really Bare Bones Board], minimalist, smallest one?
* [http://leaflabs.com/tiki-index.php?page=Maple Maple], compatible with Arduino but powered by a 72MHz ARM core!
* [http://timewitharduino.blogspot.com/2009/07/introducing-wiseduino.html Wiseduino], an Arduino-compatible microcontroller board, which includes a DS1307 real time clock (RTC) with backup battery, a 24LC256 EEPROM chip and a connector for XBee adapter for wireless communication.
* [http://lab.guilhermemartins.net/2009/05/06/paperduino-prints/ Paperduino]
* [http://www.liquidware.com/shop/show/ILL/Illuminato Illuminato], 42 I/O pins and 64K code space, powered with a ATmega645, see also [http://antipastohw.blogspot.com/2009/01/introducing-illuminato-100-gnu-gpld.html here]
* [http://www.pjrc.com/teensy/index.html Teensy], based on ATMEGA32U4 or AT90USB646 for Teensy++, small & cheap
* [http://www.hackinglab.org/pinguino/index_pinguino.html Pinguino], similar concept, based on a PIC

===Officials===
* [http://www.arduino.cc/ Arduino] official website
===Documentation===
* [http://www.lulu.com/content/1108699 Arduino notebook v6]
* [http://www.ladyada.net/learn/arduino/index.html Tutorial], [http://ahmedriaz.com/mind/esketching4designers/ video tutorials] and [http://www.arduino.cc/en/Tutorial/HomePage other examples]
* [http://arduino.cc/en/Reference/Extended Extended Language Reference]
* [http://www.arduino.cc/en/Hacking/Programmer Burning sketches to the Arduino board with an external programmer]
===Programmers===
* [http://code.google.com/p/mega-isp/ In System Programmers based on the AVR Mega8 chip, including Arduino(tm)]
* [http://www.mightyohm.com/blog/2008/09/arduino-based-avr-high-voltage-programmer/ Arduino-based AVR High Voltage Programmer]

===Hardware===
====Shopping====
* [http://www.sparkfun.com/commerce/categories.php?c=103 SparkFun]
* [http://www.adafruit.com/ Adafruit]
* [http://www.nuelectronics.com/estore/ nuelectronics]
* [https://www.watterott.com/Arduino-project Watterott]
* [http://store.fundamentallogic.com/ecom/ FundamentalLogic] & [http://spiffie.org/electronics/ Spiff's Electronics]
* [http://www.nkcelectronics.com/arduino.html NKC Electronics]
* [http://www.ge-th.com GE-TH], General Electronics Tech, located in ShenZhen, China
* [http://be01.rs-online.com/web/search/searchBrowseAction.html?method=searchProducts&searchTerm=arduino RS]

====Ethernet====
[http://www.adafruit.com/index.php?main_page=product_info&cPath=17&products_id=83 Ethernet shield]
* [http://www.ewiznet.com/ wiznet]
* [http://www.gridconnect.com/xportdirect.html xport], older but with DHCP
* See also [http://www.ladyada.net/make/eshield/ here]

====LCD====
* [http://arduino.cc/en/Tutorial/LiquidCrystal Tutorial] with LiquidCrystal library, for Hitachi HD44780 compatible LCDs

====Misc links to explore====
* http://www.freeduino.org/
* http://enerduino.blogspot.com/2009/12/enerduino-english.html
* SDcard http://www.arduino.cc/cgi-bin/yabb2/YaBB.pl?num=1206874649/8

===Software===
* [http://fritzing.org/ Fritzing] is an open-source initiative to support designers, artists, researchers and hobbyists to work creatively with interactive electronics.
* [http://nootropicdesign.com/toolduino/ Toolduino] lets you easily interact with your Arduino hardware so you can test the circuits you create. Toolduino is written in the Processing languange and is available for Windows, Mac OS X, and Linux.
** The Arduino must be running the [http://firmata.org/wiki/Main_Page Firmata firmware] that comes with the Arduino IDE

==Arduino and Linux==
===Installation===
Main instructions are [http://www.arduino.cc/playground/Learning/Linux here]

As I'm using a Debian AMD 64bit, here is what I did:

Installing java from Sun and making sure it will be called by the tools. It might be that other java suites are working but at least java-gcj is missing a GtkLookAndFeel component that Arduino GUI is using
 So if you don't have it yet:
aptitude install sun-java6-jre
 Then if it's not the one by default, change it: (maybe "java" is enough but let's be consistent)
update-alternatives --config java
update-alternatives --config jar
update-alternatives --config keytool
update-alternatives --config orbd
update-alternatives --config rmid
update-alternatives --config rmiregistry
update-alternatives --config serialver
Other dependencies:
aptitude install avr-libc gcc-avr
[http://code.google.com/p/arduino/ Arduino tools], here v0017:
wget http://arduino.googlecode.com/files/arduino-0017.tgz
tar xzf arduino-0017.tgz
Arduino tools are coming only for 32bit but it contains only a few executables so let's install the 64bit version of those executables
 Initially I did the following:
aptitude install librxtx-java
rm arduino-0017/lib/librxtxSerial.so
But at time of writing, Debian was only proposing v2.1.7 and if uploading sketches to the Arduino worked, launching the serial monitor provoked a big crash of Java. So better to follow [http://feelslikeburning.com/2009/08/21/how-to-get-arduino-0017-working-on-64-bit-linux-including-ubuntu-9-04/ this post]:
 ''Download [http://rxtx.qbang.org/wiki/index.php/Download rxtx-2.2pre2-bins] from the RXTX folks. Extract the files, and copy RXTXcomm.jar and x86_64-unknown-linux-gnu/librxtxSerial.so to the Arduino lib/ directory, basically replacing the two files that came shipped with Arduino 0017.''

There is also the avrdude binary in arduino-0017 which is compiled as 32bit executable.
 You can recompile it from the source or if you have the ia32-libs package, the 32bit binary provided will work out-of-the-box.
 But in any ways, '''DON'T USE AVRDUDE FROM YOUR DISTRO!''' because the one provided with the Arduino tools is a patched version.

Now let's try to launch the script arduino-0017/arduino
Tools/SerialPort/"/dev/ttyUSB0"
Tools/Board/"Arduino Diecimila, Duemilanove or Nanoe, w/ Atmega168"

Now trying the very first code:
 See [http://www.ladyada.net/learn/arduino/lesson1.html this tuto]

===Problem with the original avrdude===
As I told in the previous section, don't use the avrdude coming with your distro. Initially this is what I did and here are the problems I faced:
aptitude install avrdude avrdude-doc
cd arduino-0017/hardware/tools
mv avrdude avrdude.disabled
mv avrdude.conf avrdude.conf.disabled
ln -s /usr/bin/avrdude
ln -s /etc/avrdude.conf
'''DON'T USE AVRDUDE FROM YOUR DISTRO!'''
Then when trying to upload the bin to the board (menu -> Upload to I/O board), I got the following message:
Binary sketch size: 896 bytes (of a 14336 byte maximum)
avrdude: Yikes! Invalid device signature.
Double check connections and try again, or use -F to override this check.
Then I tried to inject the -F option to avrdude, it flashed the chip, gave me still errors:
Wrong microcontroller found. Did you select the right board in the Tools > Board menu?
avrdude: Yikes! Invalid device signature.
avrdude: Expected signature for ATMEGA168 is 1E 94 06
But the code was apparently correctly uploaded to the board as I got my blinking LED...

Avrdude which is part of the arduino-0017 release is a patched version as it says:
Version 5.4-arduino
While the version in Debian Squeeze is:
Version 5.8
So apparently we need absolutely to use the special arduino version.
===Using USBtinyISP===
USBtinyISP is not driven by a USB-to-serial converter or a driver but by libusb.
 Therefore you must have the right to use libusb.
 As running the IDE as root is not a very wise solution, here is another one using udev:
* Create /etc/udev/rules.d/usbtiny.rules
# udev rules file for USBtinyISP (for udev 0.98 version)

SUBSYSTEM!="usb|usb_device", GOTO="usbtiny_rules_end"
ACTION!="add", GOTO="usbtiny_rules_end"
ATTRS{idVendor}=="1781", ATTRS{idProduct}=="0c9f", ATTRS{product}=="USBtiny", MODE="0664", GROUP="plugdev"
LABEL="usbtiny_rules_end"
* Restart udev
/etc/init.d/udev restart
* Add yourself to the plugdev group if not yet done
adduser toto plugdev
* Unplug and plug back your USBtiny board
===Monitoring avrdude calls===
One annoyance of the GUI is that I don't know what the GUI is doing with avrdude so I wanted to intercept & log the calls to avrdude:
 In arduino-0017/hardware/tools move avrdude to avrdude.orig
 Then create a script called avrdude (make it executable!) with:
script -q -a $(dirname $0)/avrdude.log -c "echo \"$0 $*\" && $0.orig $*"
It will creates a logfile called avrdude.log in the same directory and as bonus you'll see also directly the calls to avrdude with all the arguments in the GUI console.

==Projects==
===[[Arduino Brucon|Brucon Blink blink]]===
===[[Arduino VFD brightness|VFD brightness control]]===
===[[Arduino EMF|Yet another EMF detector]]===
==TODO & ideas==
* Intervalometer for my Canon EOS350D, see e.g. [http://etharooni.polorix.net/NikonRemote.html this one] for Nikon
* Temperature alarm for tea preparation
* LED cube?
* POV sth? sphere?

Fetchmail

2010-05-22T15:15:52Z

Dorian: /* Troubleshooting */

==Installation de Fetchmail==
apt-get install fetchmail
installer un fichier /etc/fetchmailrc comme celui-ci:

==fetchmailrc==
Exemple de /etc/fetchmailrc:

set postmaster "fetchmail"
set nobouncemail
set no spambounce
set properties ""
set daemon 120

# IMAP without SSL/TLS
poll courriel.latribu.com with proto IMAP
user 'xxxx.xxxx@latribu.com' there with password 'xxxx' is 'phil' here fetchall
# IMAP with SSL port 993
poll mail.hellea.be with proto IMAP and with interval 5
user 'xxxx' there with password 'xxxx' is 'phil' here fetchall ssl sslfingerprint "24:96:59:5C:A2:D0:60:14:FA:CD:66:32:40:CC:CA:1D"
# IMAP with TLS port 143
poll mail.hellea.be with proto IMAP and with interval 5
user 'xxxx' there with password 'xxxx' is 'phil' here fetchall sslfingerprint "24:96:59:5C:A2:D0:60:14:FA:CD:66:32:40:CC:CA:1D"

Pour avoir les sslfingerprints:
su fetchmail -c "fetchmail -f /etc/fetchmailrc -v -v -N"

C'est important de spécifier les fingerprints sinon on se retrouve avec des erreurs dans les logs system:
fetchmail[1234]: Server certificate verification error: self signed certificate

==Troubleshooting==
Lorsqu'on rencontre une erreur du style:
9 messages pour acount_name dans mail.teledisnet.be (47569 octets).
fetchmail: erreur protocole client/serveur durant la réception de mail.teledisnet.be
fetchmail: État de la requête=4 (PROTOCOLE)

Un fetchmail -v donne :
fetchmail: POP3> TOP 1 99999999
fetchmail: POP3< -ERR No more than 0 lines can be retrieved with TOP command
fetchmail: No more than 0 lines can be retrieved with TOP command

l'histoire c'est que le provider en question ici teledisnet n'accepte plus la commande TOP 1 999999 et il faut donc forcer fetchmail à utiliser la commande RETR

Il suffit simplement d'ajouter dans le fichier ~/.fetchmailrc le mot fetchall en fin de la dernière ligne

Exemple :

poll mail.teledisnet.be with proto POP3
user 'acount_name' there with password 'XXXXXXXX' is 'dorian' here fetchall

=== Specifique a pop.bgc.be ===
Fetchmail de la distro lenny parle "GSSAPI", malheureusement pour nous, le serveur exchange de BGC et mal configurer ou un brol dans le style toujours est-il que celui-ci nous renvoi comme message : 'Erreur durant l'échange des credentials'

pour contourner le probleme :
utilisation du serveur imap a la place, il merdouille aussi, mais ca passe ! [[User:Dorian|Dorian]] 15:15, 22 May 2010 (UTC)

==Installation de Fetchyahoo==
apt-get install fetchyahoo
andrea@olympe:~$ cp /usr/share/doc/fetchyahoo/examples/fetchyahoorc ~/.fetchyahoorc
andrea@olympe:~$ echo "0,15,30,45 6-23 * * * /usr/bin/fetchyahoo"|crontab -u andrea -

Édition d'une copie de /usr/share/doc/fetchyahoo/examples/fetchyahoorc dans ~/.fetchyahoorc

==fetchyahoorc==
Username et password évidemment
username = ''yahoo_user_name''
password = ''XXXXXXXX''
On choisit de délivrer dans un Maildir (veiller à finir la ligne par le "/" !!)
use-spool = 1
spool = /home/andrea/Maildir/.Yahoo/
spool-mode = append
Ou alors on délivre via procmail:
use-spool = 1
spool = procmail
spool-mode = pipe
Théoriquement on peut reprendre jusquà 100 messages mais on a déjà eu une erreur à 97 alors autant rester ''safe''
max-messages = 80
On le lancera depuis un cron donc on évite d'avoir un output en temps normal
quiet = 1
On vide le répertoire Bulk qui ne contient jamais rien d'intéressant...
empty-bulk = 1
Il semble plus sûr de se déconnecter après coup.
logout = 1

Debian Soft Raid

2010-01-07T14:37:38Z

Dorian: /* Fresh install debian */

==How to switch a Debian system on software RAID 1 (mirroring)==
===Intro===
Here are just some quick notes to update this page as now everything can be done relatively easily with just mdadm.
 A very interesting page: http://www200.pair.com/mecham/raid/raid1-degraded-etch.html
 It helps getting familiar with the concepts.
 Here it's not a step-by-step anymore as the first time I used the old method described later and I used the new mdadm-only way to replace a broken drive, build new raid1 arrays as the new drive was larger (and the old smaller than the surviving one) and a raid1 on the /boot and moving from lilo to grub.

===Creating degraded array===
Here we're missing /dev/hda3 so we start with only /dev/hdd3:
mdadm --create /dev/md0 --raid-devices=2 --level=raid1 missing /dev/hdd3
And to get it properly set after reboot, we can create mdadm.conf:
echo DEVICE partitions > /etc/mdadm/mdadm.conf
mdadm --examine --scan >> /etc/mdadm/mdadm.conf
Edit and check the file manually...
 Then prepare for reboot
===Preparing for reboot===
During the configuration, every time we want to reboot, we've to make sure to:
* have the intended partition layout (fdisk)
* have the intended partitions mounted on the intended mountpoints (mount)
* have /etc/fstab reflecting the current mounts
* have /etc/mdadm/mdadm.conf reflecting the current Raid arrays
* have an initrd reflecting the current situation:
dpkg-reconfigure linux-image-...
This is true also after having added the 2nd partition to a raid1 array
===Diagnostic===
Some useful commands to inspect the raid situation:
# From what's currently assembled:
cat /proc/mdstat
mdadm --detail --scan
mdadm --detail /dev/md1
# From what's available as raid partitions
mdadm --examine --scan
mdadm --examine /dev/hda5

===Repairing a degraded array===
Later when we'll be able to integrate /dev/hda3 we'll do:
mdadm /dev/md0 --add /dev/hda3
Then prepare for reboot
===/boot===
Here is one example:
 Initially /boot was not on raid1 but as now it's possible with grub I did so.
 I had /boot=/dev/hda1 and /boot-img=/dev/hdd1 and I did sth like:
umount /dev/hdd1
mdadm --create /dev/md1 --raid-devices=2 --level=raid1 missing /dev/hdd1
mount /dev/md1 /boot-img
cp -a /boot/* /boot-img
umount /boot
umount /boot-img
mdadm /dev/md1 --add /dev/hda1
vi /etc/fstab #/dev/md0 /boot ... and delete /boot-img entry
grub-install "(hd1)"
grub-install "(hd0)"
dpkg-reconfigure linux-image-...
mdadm --examine --scan |grep md1>> /etc/mdadm.conf
reboot
===Changing super-minor===
During the process I wanted to change the number associated to an array (/dev/mdX):
 Suppose /dev/md3 = /dev/hda5+/dev/hdd5
 And we want /dev/md2 = /dev/hda5+/dev/hdd5
mdadm --stop /dev/md3
mdadm --assemble /dev/md2 /dev/hda5 /dev/hdd5
Then prepare for reboot

===Yaird===
To rebuild the initrd there are several tools but finally I used yaird which allowed me to preload my IDE driver and get UDMA modes working, which was essential to get sth like 20x faster data transfers!
 I inserted just before the MOUNTDIR keyword which takes care of inserting the needed generic IDE drivers the amd74xx driver I needed for my nVidia chipset:
/etc/yaird/Default.cfg
MODULE amd74xx
MOUNTDIR "/" "/mnt"
I had also some difficulties when I broke my initrd and had to reboot on a 2.6.14 because apparently kernels pre-2.6.18 cannot generate properly initrd images.
 Hopefully I had a backup of the initrd otherwise try to reboot on a liveCD and chroot or build a new kernel from source without initrd then boot on that one to prepare the initrd.

You can always inspect the initrd by yourself to check things like modules, raid assembly etc, the file is a cpio archive gzip compressed.

===Grub===
I moved from lilo to grub and installed the first stage on both drives:
grub-install "(hd1)"
grub-install "(hd0)"
I edited /etc/kernel-img.conf to have the hooks for Debian kernel automatic installation:
postinst_hook = /usr/sbin/update-grub
postrm_hook = /usr/sbin/update-grub
do_bootloader = no
I edited /boot/grub/menu.lst and added a fallback directive:
default 0
fallback 1
When executing update-grub it creates the following entry:
title Debian GNU/Linux, kernel 2.6.21-2-vserver-k7
root (hd0,0)
kernel /vmlinuz-2.6.21-2-vserver-k7 root=/dev/md0 ro
initrd /initrd.img-2.6.21-2-vserver-k7
savedefault
And I added manually the following one:
title Debian GNU/Linux, kernel 2.6.21-2-vserver-k7 (hd1)
root (hd1,0)
kernel /vmlinuz-2.6.21-2-vserver-k7 root=/dev/md0 ro
initrd /initrd.img-2.6.21-2-vserver-k7
savedefault
But I don't know how to make it happening automatically via update-grub, anyway in case of a failure of the first harddrive I'll probably have to reboot manually and Grub is rich enough to allow reconfiguration on-the-fly.
 That's the major reason why I moved away from lilo.

==How to switch a Debian system on software RAID 1 (mirroring) (OLD)==

Here is how to switch your root (/) filesystem on RAID 1:

Have 2 same disks, let's say hda and hdc (yep, put them on different IDE controllers!)
 Create a specific small partition for /boot at the very beginning of the first disk (hda) because some (most?) bootloaders don't understand RAID.
 Mine is hda1->/boot hda2->swap hda3->/
 Install Debian as usual on hda
 Format hdc with a same partition as the / on hda, it'll be the RAID mirror of /
 My second disk (same vendor, same size) didn't have the same geometry (C/H/S) but after dd if=/dev/zero of=/dev/hdc bs=512 count=1 fdisk used the same geometry...
 Now it is the same as hda: hdc1->/boot-img hdc2->swap hdc3->/
apt-get install initrd-tools raidtools2 mdadm (decline offer to start RAID at boot time)
Create /etc/raidtab:
raiddev /dev/md0
raid-level 1
nr-raid-disks 2
nr-spare-disks 0
persistent-superblock 1
device /dev/hdc3
raid-disk 0
device /dev/hda3
failed-disk 1
So the actual / partition is declared as "broken" for the RAID
 Create the RAID:
mkraid /dev/md0 (it will say disk1: failed)
mkfs.ext3 /dev/md0
mount -v /dev/md0 /mnt/root
Copy the / content:
cd /
find . -xdev | cpio -pm /mnt/root
Prepare to reboot on the RAID:
 Edit /etc/mkinitrd/mkinitrd.conf:
ROOT=probe -> ROOT=/dev/md0

mkinitrd -o /boot/initrd.img-raid
Edit /mnt/root/etc/fstab:
/dev/md0 / ext3 defaults,errors=remount-ro 0 1
Edit /etc/lilo.conf:
image=/boot/vmlinuz...
label=LinuxRAID
root=/dev/md0
read-only
initrd=/boot/initrd.img-raid

umount /dev/md0
raidstop /dev/md0
lilo
reboot
Restore the "broken" RAID:
cat /proc/mdstat: we see only one disk
raidhotadd /dev/md0 /dev/hda3
Now the system is synchonizing the "new" RAID partition
watch cat /proc/mdstat
Prepare for next reboot:
 Edit /etc/fstab:
failed-disk -> raid-disk
mkinitrd -o /boot/initrd.img-raid
lilo
reboot
==Automatic watching==
dpkg-reconfigure mdadm -> accept mdadm survey daemon and give user who should get alert emails
Simulating RAID 0 (striping) for the swap:
 Simply give the same priority to both swap partitions:
/dev/hda2 swap swap defaults,pri=1 0 0
/dev/hdc2 swap swap defaults,pri=1 0 0

== Fresh install debian ==
[http://www200.pair.com/mecham/raid/raid1.html | A good starting point]

==Troubleshooting==
Don't simply dd the MBR from hda to hdc otherwise lilo will complain about a timestamp error, actually that's because now both disks got the same ID number.
 You can mount the initrd image to check if it contains well the RAID instructions:
mount /boot/initrd.img-raid /mnt/disk -o loop,ro
/mnt/disk/script should contain a last line with mdadm
 check the end of the line, first time only /dev/hdc3 is mentioned, second time /dev/hda3 should also be present (or the system will be mounted again in degraded mode)
 If reboot fails:
Boot on a Knoppix
modprobe raid1
mdadm --assemble /dev/md0 /dev/hdd3 /dev/hda3
mount /dev/md0 /mnt/xxx
chroot /mnt/xxx
mount also /proc /boot etc
mkinitrd -o /boot/initrd.img-raid <kernel version>

==Useful commands==

* Diagnostics
mdadm -D /dev/mdXX
mdadm -E /dev/hdXX
cat /proc/mdstat
* Add
mdadm /dev/mdXX -a /dev/hdXX

Debian Soft Raid

2010-01-07T14:37:21Z

Dorian: /* Fresh install debian */

==How to switch a Debian system on software RAID 1 (mirroring)==
===Intro===
Here are just some quick notes to update this page as now everything can be done relatively easily with just mdadm.
 A very interesting page: http://www200.pair.com/mecham/raid/raid1-degraded-etch.html
 It helps getting familiar with the concepts.
 Here it's not a step-by-step anymore as the first time I used the old method described later and I used the new mdadm-only way to replace a broken drive, build new raid1 arrays as the new drive was larger (and the old smaller than the surviving one) and a raid1 on the /boot and moving from lilo to grub.

===Creating degraded array===
Here we're missing /dev/hda3 so we start with only /dev/hdd3:
mdadm --create /dev/md0 --raid-devices=2 --level=raid1 missing /dev/hdd3
And to get it properly set after reboot, we can create mdadm.conf:
echo DEVICE partitions > /etc/mdadm/mdadm.conf
mdadm --examine --scan >> /etc/mdadm/mdadm.conf
Edit and check the file manually...
 Then prepare for reboot
===Preparing for reboot===
During the configuration, every time we want to reboot, we've to make sure to:
* have the intended partition layout (fdisk)
* have the intended partitions mounted on the intended mountpoints (mount)
* have /etc/fstab reflecting the current mounts
* have /etc/mdadm/mdadm.conf reflecting the current Raid arrays
* have an initrd reflecting the current situation:
dpkg-reconfigure linux-image-...
This is true also after having added the 2nd partition to a raid1 array
===Diagnostic===
Some useful commands to inspect the raid situation:
# From what's currently assembled:
cat /proc/mdstat
mdadm --detail --scan
mdadm --detail /dev/md1
# From what's available as raid partitions
mdadm --examine --scan
mdadm --examine /dev/hda5

===Repairing a degraded array===
Later when we'll be able to integrate /dev/hda3 we'll do:
mdadm /dev/md0 --add /dev/hda3
Then prepare for reboot
===/boot===
Here is one example:
 Initially /boot was not on raid1 but as now it's possible with grub I did so.
 I had /boot=/dev/hda1 and /boot-img=/dev/hdd1 and I did sth like:
umount /dev/hdd1
mdadm --create /dev/md1 --raid-devices=2 --level=raid1 missing /dev/hdd1
mount /dev/md1 /boot-img
cp -a /boot/* /boot-img
umount /boot
umount /boot-img
mdadm /dev/md1 --add /dev/hda1
vi /etc/fstab #/dev/md0 /boot ... and delete /boot-img entry
grub-install "(hd1)"
grub-install "(hd0)"
dpkg-reconfigure linux-image-...
mdadm --examine --scan |grep md1>> /etc/mdadm.conf
reboot
===Changing super-minor===
During the process I wanted to change the number associated to an array (/dev/mdX):
 Suppose /dev/md3 = /dev/hda5+/dev/hdd5
 And we want /dev/md2 = /dev/hda5+/dev/hdd5
mdadm --stop /dev/md3
mdadm --assemble /dev/md2 /dev/hda5 /dev/hdd5
Then prepare for reboot

===Yaird===
To rebuild the initrd there are several tools but finally I used yaird which allowed me to preload my IDE driver and get UDMA modes working, which was essential to get sth like 20x faster data transfers!
 I inserted just before the MOUNTDIR keyword which takes care of inserting the needed generic IDE drivers the amd74xx driver I needed for my nVidia chipset:
/etc/yaird/Default.cfg
MODULE amd74xx
MOUNTDIR "/" "/mnt"
I had also some difficulties when I broke my initrd and had to reboot on a 2.6.14 because apparently kernels pre-2.6.18 cannot generate properly initrd images.
 Hopefully I had a backup of the initrd otherwise try to reboot on a liveCD and chroot or build a new kernel from source without initrd then boot on that one to prepare the initrd.

You can always inspect the initrd by yourself to check things like modules, raid assembly etc, the file is a cpio archive gzip compressed.

===Grub===
I moved from lilo to grub and installed the first stage on both drives:
grub-install "(hd1)"
grub-install "(hd0)"
I edited /etc/kernel-img.conf to have the hooks for Debian kernel automatic installation:
postinst_hook = /usr/sbin/update-grub
postrm_hook = /usr/sbin/update-grub
do_bootloader = no
I edited /boot/grub/menu.lst and added a fallback directive:
default 0
fallback 1
When executing update-grub it creates the following entry:
title Debian GNU/Linux, kernel 2.6.21-2-vserver-k7
root (hd0,0)
kernel /vmlinuz-2.6.21-2-vserver-k7 root=/dev/md0 ro
initrd /initrd.img-2.6.21-2-vserver-k7
savedefault
And I added manually the following one:
title Debian GNU/Linux, kernel 2.6.21-2-vserver-k7 (hd1)
root (hd1,0)
kernel /vmlinuz-2.6.21-2-vserver-k7 root=/dev/md0 ro
initrd /initrd.img-2.6.21-2-vserver-k7
savedefault
But I don't know how to make it happening automatically via update-grub, anyway in case of a failure of the first harddrive I'll probably have to reboot manually and Grub is rich enough to allow reconfiguration on-the-fly.
 That's the major reason why I moved away from lilo.

==How to switch a Debian system on software RAID 1 (mirroring) (OLD)==

Here is how to switch your root (/) filesystem on RAID 1:

Have 2 same disks, let's say hda and hdc (yep, put them on different IDE controllers!)
 Create a specific small partition for /boot at the very beginning of the first disk (hda) because some (most?) bootloaders don't understand RAID.
 Mine is hda1->/boot hda2->swap hda3->/
 Install Debian as usual on hda
 Format hdc with a same partition as the / on hda, it'll be the RAID mirror of /
 My second disk (same vendor, same size) didn't have the same geometry (C/H/S) but after dd if=/dev/zero of=/dev/hdc bs=512 count=1 fdisk used the same geometry...
 Now it is the same as hda: hdc1->/boot-img hdc2->swap hdc3->/
apt-get install initrd-tools raidtools2 mdadm (decline offer to start RAID at boot time)
Create /etc/raidtab:
raiddev /dev/md0
raid-level 1
nr-raid-disks 2
nr-spare-disks 0
persistent-superblock 1
device /dev/hdc3
raid-disk 0
device /dev/hda3
failed-disk 1
So the actual / partition is declared as "broken" for the RAID
 Create the RAID:
mkraid /dev/md0 (it will say disk1: failed)
mkfs.ext3 /dev/md0
mount -v /dev/md0 /mnt/root
Copy the / content:
cd /
find . -xdev | cpio -pm /mnt/root
Prepare to reboot on the RAID:
 Edit /etc/mkinitrd/mkinitrd.conf:
ROOT=probe -> ROOT=/dev/md0

mkinitrd -o /boot/initrd.img-raid
Edit /mnt/root/etc/fstab:
/dev/md0 / ext3 defaults,errors=remount-ro 0 1
Edit /etc/lilo.conf:
image=/boot/vmlinuz...
label=LinuxRAID
root=/dev/md0
read-only
initrd=/boot/initrd.img-raid

umount /dev/md0
raidstop /dev/md0
lilo
reboot
Restore the "broken" RAID:
cat /proc/mdstat: we see only one disk
raidhotadd /dev/md0 /dev/hda3
Now the system is synchonizing the "new" RAID partition
watch cat /proc/mdstat
Prepare for next reboot:
 Edit /etc/fstab:
failed-disk -> raid-disk
mkinitrd -o /boot/initrd.img-raid
lilo
reboot
==Automatic watching==
dpkg-reconfigure mdadm -> accept mdadm survey daemon and give user who should get alert emails
Simulating RAID 0 (striping) for the swap:
 Simply give the same priority to both swap partitions:
/dev/hda2 swap swap defaults,pri=1 0 0
/dev/hdc2 swap swap defaults,pri=1 0 0

== Fresh install debian ==
[[http://www200.pair.com/mecham/raid/raid1.html | A good starting point ]]

==Troubleshooting==
Don't simply dd the MBR from hda to hdc otherwise lilo will complain about a timestamp error, actually that's because now both disks got the same ID number.
 You can mount the initrd image to check if it contains well the RAID instructions:
mount /boot/initrd.img-raid /mnt/disk -o loop,ro
/mnt/disk/script should contain a last line with mdadm
 check the end of the line, first time only /dev/hdc3 is mentioned, second time /dev/hda3 should also be present (or the system will be mounted again in degraded mode)
 If reboot fails:
Boot on a Knoppix
modprobe raid1
mdadm --assemble /dev/md0 /dev/hdd3 /dev/hda3
mount /dev/md0 /mnt/xxx
chroot /mnt/xxx
mount also /proc /boot etc
mkinitrd -o /boot/initrd.img-raid <kernel version>

==Useful commands==

* Diagnostics
mdadm -D /dev/mdXX
mdadm -E /dev/hdXX
cat /proc/mdstat
* Add
mdadm /dev/mdXX -a /dev/hdXX

Debian Soft Raid

2010-01-07T07:52:25Z

Dorian:

==How to switch a Debian system on software RAID 1 (mirroring)==
===Intro===
Here are just some quick notes to update this page as now everything can be done relatively easily with just mdadm.
 A very interesting page: http://www200.pair.com/mecham/raid/raid1-degraded-etch.html
 It helps getting familiar with the concepts.
 Here it's not a step-by-step anymore as the first time I used the old method described later and I used the new mdadm-only way to replace a broken drive, build new raid1 arrays as the new drive was larger (and the old smaller than the surviving one) and a raid1 on the /boot and moving from lilo to grub.

===Creating degraded array===
Here we're missing /dev/hda3 so we start with only /dev/hdd3:
mdadm --create /dev/md0 --raid-devices=2 --level=raid1 missing /dev/hdd3
And to get it properly set after reboot, we can create mdadm.conf:
echo DEVICE partitions > /etc/mdadm/mdadm.conf
mdadm --examine --scan >> /etc/mdadm/mdadm.conf
Edit and check the file manually...
 Then prepare for reboot
===Preparing for reboot===
During the configuration, every time we want to reboot, we've to make sure to:
* have the intended partition layout (fdisk)
* have the intended partitions mounted on the intended mountpoints (mount)
* have /etc/fstab reflecting the current mounts
* have /etc/mdadm/mdadm.conf reflecting the current Raid arrays
* have an initrd reflecting the current situation:
dpkg-reconfigure linux-image-...
This is true also after having added the 2nd partition to a raid1 array
===Diagnostic===
Some useful commands to inspect the raid situation:
# From what's currently assembled:
cat /proc/mdstat
mdadm --detail --scan
mdadm --detail /dev/md1
# From what's available as raid partitions
mdadm --examine --scan
mdadm --examine /dev/hda5

===Repairing a degraded array===
Later when we'll be able to integrate /dev/hda3 we'll do:
mdadm /dev/md0 --add /dev/hda3
Then prepare for reboot
===/boot===
Here is one example:
 Initially /boot was not on raid1 but as now it's possible with grub I did so.
 I had /boot=/dev/hda1 and /boot-img=/dev/hdd1 and I did sth like:
umount /dev/hdd1
mdadm --create /dev/md1 --raid-devices=2 --level=raid1 missing /dev/hdd1
mount /dev/md1 /boot-img
cp -a /boot/* /boot-img
umount /boot
umount /boot-img
mdadm /dev/md1 --add /dev/hda1
vi /etc/fstab #/dev/md0 /boot ... and delete /boot-img entry
grub-install "(hd1)"
grub-install "(hd0)"
dpkg-reconfigure linux-image-...
mdadm --examine --scan |grep md1>> /etc/mdadm.conf
reboot
===Changing super-minor===
During the process I wanted to change the number associated to an array (/dev/mdX):
 Suppose /dev/md3 = /dev/hda5+/dev/hdd5
 And we want /dev/md2 = /dev/hda5+/dev/hdd5
mdadm --stop /dev/md3
mdadm --assemble /dev/md2 /dev/hda5 /dev/hdd5
Then prepare for reboot

===Yaird===
To rebuild the initrd there are several tools but finally I used yaird which allowed me to preload my IDE driver and get UDMA modes working, which was essential to get sth like 20x faster data transfers!
 I inserted just before the MOUNTDIR keyword which takes care of inserting the needed generic IDE drivers the amd74xx driver I needed for my nVidia chipset:
/etc/yaird/Default.cfg
MODULE amd74xx
MOUNTDIR "/" "/mnt"
I had also some difficulties when I broke my initrd and had to reboot on a 2.6.14 because apparently kernels pre-2.6.18 cannot generate properly initrd images.
 Hopefully I had a backup of the initrd otherwise try to reboot on a liveCD and chroot or build a new kernel from source without initrd then boot on that one to prepare the initrd.

You can always inspect the initrd by yourself to check things like modules, raid assembly etc, the file is a cpio archive gzip compressed.

===Grub===
I moved from lilo to grub and installed the first stage on both drives:
grub-install "(hd1)"
grub-install "(hd0)"
I edited /etc/kernel-img.conf to have the hooks for Debian kernel automatic installation:
postinst_hook = /usr/sbin/update-grub
postrm_hook = /usr/sbin/update-grub
do_bootloader = no
I edited /boot/grub/menu.lst and added a fallback directive:
default 0
fallback 1
When executing update-grub it creates the following entry:
title Debian GNU/Linux, kernel 2.6.21-2-vserver-k7
root (hd0,0)
kernel /vmlinuz-2.6.21-2-vserver-k7 root=/dev/md0 ro
initrd /initrd.img-2.6.21-2-vserver-k7
savedefault
And I added manually the following one:
title Debian GNU/Linux, kernel 2.6.21-2-vserver-k7 (hd1)
root (hd1,0)
kernel /vmlinuz-2.6.21-2-vserver-k7 root=/dev/md0 ro
initrd /initrd.img-2.6.21-2-vserver-k7
savedefault
But I don't know how to make it happening automatically via update-grub, anyway in case of a failure of the first harddrive I'll probably have to reboot manually and Grub is rich enough to allow reconfiguration on-the-fly.
 That's the major reason why I moved away from lilo.

==How to switch a Debian system on software RAID 1 (mirroring) (OLD)==

Here is how to switch your root (/) filesystem on RAID 1:

Have 2 same disks, let's say hda and hdc (yep, put them on different IDE controllers!)
 Create a specific small partition for /boot at the very beginning of the first disk (hda) because some (most?) bootloaders don't understand RAID.
 Mine is hda1->/boot hda2->swap hda3->/
 Install Debian as usual on hda
 Format hdc with a same partition as the / on hda, it'll be the RAID mirror of /
 My second disk (same vendor, same size) didn't have the same geometry (C/H/S) but after dd if=/dev/zero of=/dev/hdc bs=512 count=1 fdisk used the same geometry...
 Now it is the same as hda: hdc1->/boot-img hdc2->swap hdc3->/
apt-get install initrd-tools raidtools2 mdadm (decline offer to start RAID at boot time)
Create /etc/raidtab:
raiddev /dev/md0
raid-level 1
nr-raid-disks 2
nr-spare-disks 0
persistent-superblock 1
device /dev/hdc3
raid-disk 0
device /dev/hda3
failed-disk 1
So the actual / partition is declared as "broken" for the RAID
 Create the RAID:
mkraid /dev/md0 (it will say disk1: failed)
mkfs.ext3 /dev/md0
mount -v /dev/md0 /mnt/root
Copy the / content:
cd /
find . -xdev | cpio -pm /mnt/root
Prepare to reboot on the RAID:
 Edit /etc/mkinitrd/mkinitrd.conf:
ROOT=probe -> ROOT=/dev/md0

mkinitrd -o /boot/initrd.img-raid
Edit /mnt/root/etc/fstab:
/dev/md0 / ext3 defaults,errors=remount-ro 0 1
Edit /etc/lilo.conf:
image=/boot/vmlinuz...
label=LinuxRAID
root=/dev/md0
read-only
initrd=/boot/initrd.img-raid

umount /dev/md0
raidstop /dev/md0
lilo
reboot
Restore the "broken" RAID:
cat /proc/mdstat: we see only one disk
raidhotadd /dev/md0 /dev/hda3
Now the system is synchonizing the "new" RAID partition
watch cat /proc/mdstat
Prepare for next reboot:
 Edit /etc/fstab:
failed-disk -> raid-disk
mkinitrd -o /boot/initrd.img-raid
lilo
reboot
==Automatic watching==
dpkg-reconfigure mdadm -> accept mdadm survey daemon and give user who should get alert emails
Simulating RAID 0 (striping) for the swap:
 Simply give the same priority to both swap partitions:
/dev/hda2 swap swap defaults,pri=1 0 0
/dev/hdc2 swap swap defaults,pri=1 0 0

== Fresh install debian ==
[[A good starting point | http://www200.pair.com/mecham/raid/raid1.html]]

==Troubleshooting==
Don't simply dd the MBR from hda to hdc otherwise lilo will complain about a timestamp error, actually that's because now both disks got the same ID number.
 You can mount the initrd image to check if it contains well the RAID instructions:
mount /boot/initrd.img-raid /mnt/disk -o loop,ro
/mnt/disk/script should contain a last line with mdadm
 check the end of the line, first time only /dev/hdc3 is mentioned, second time /dev/hda3 should also be present (or the system will be mounted again in degraded mode)
 If reboot fails:
Boot on a Knoppix
modprobe raid1
mdadm --assemble /dev/md0 /dev/hdd3 /dev/hda3
mount /dev/md0 /mnt/xxx
chroot /mnt/xxx
mount also /proc /boot etc
mkinitrd -o /boot/initrd.img-raid <kernel version>

==Useful commands==

* Diagnostics
mdadm -D /dev/mdXX
mdadm -E /dev/hdXX
cat /proc/mdstat
* Add
mdadm /dev/mdXX -a /dev/hdXX

Belgian eID

2008-05-17T11:01:39Z

Dorian: /* News */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==News==
* 2008-05-17 : Liège marie de quartier du Tier-à-liège this saturday (Yes the office is open on saturday !) We received our new EID card, No more paper to sign (Annex 3 and 10) for revoking a certificate. (Maybe this is a bug in the administration ... The girls does'nt know the difference between the 2 certificate (auth. and sign). Worse she does'nt know the signification ... and the top of the top ... Event on the paper you receive from the administration, it is clearly writen '.. 2 certificate : 1 for signing and 1 for authentification' BUT on the screen of the computer'administration for the revokation : 'révoquer le certificat de signature' et 'révoque le certificat de non-répudiation' (sorry french) : Find the mistake ...
* 2008-04-23 [http://belsec.skynetblogs.be/post/5799349/belgian-eid-and-the-microsoft-question Belgian EID and the Microsoft question]
* 2008-04-03..04 European e-ID Card Conference: Current Perspective and Initiatives from around Europe in Government and Business, ''K.U.Leuven'', €450
* 2008-03-08 [http://belsec.skynetblogs.be/post/5631741/certipost-the-first-and-only-digital-signatur Certipost the first and only digital signature company approved by our Privacycommission]
* 2008-02-26 [http://www.levif.be/actualite/technologie/72-63-13441/la-carte-d-identite-electronique-pour-s-enregistrer-sur-ebay-.html The eID to register to eBay.be (fr)] [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html and here (fr)]
* 2008-02-24 [http://fosdem.org/2008/schedule/events/debian_belgian_eid Presentation of Wouter Verhelst at FOSDEM about ''The Belgian electronic ID card in Debian'']: [http://samba.grep.be/~wouter/beid-screencast.ogg screencast] and [http://meetings-archive.debian.net/pub/debian-meetings/2008/fosdem/ogg_theora/384x288/The_Belgian_electronic_ID_card_in_Debian___Wouter_Verhelst.ogg video]
* 2008-02-22 [http://www.datanews.be/fr/news/90-61-16807/belgacom-vend-sa-participation-dans-certipost.html Belgacom sells stake in Certipost (fr)] so now La Poste/De Post owns 100%
* News Resources:
** [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID

==Officials==

* Major sources of documentation: [http://eid.belgium.be Official eID portal] [http://repository.eid.belgium.be/FR/TechDoc.htm docs on the repository] [http://www.belgium.be/eportal/application?origin=relatedVertical.jsp&event=bea.portal.framework.internal.refresh&pageid=relatedIndexPage&navId=5933&content_category=doc_link_documentation docs on the ePortal] [http://www.ibz.rrn.fgov.be/index.php?id=122&L=0 Direction Générale Institutions & Population], with an interesting news channel
** Google -> [http://www.belgium.be/zip/fedictmovie/movie_fr.html promotional movie (37Mb)] and [http://www.belgium.be/zip/movieEID_fr/START.html flash presentation]
** Google -> In the context of the e-Government initiative of the Belgian Federal Government, a project has been defined to design and develop a messaging environment that allows smooth message- based communication information exchange between different governmental institutions. This messaging environment is called the [http://www.belgium.be/zip/ume-api_fr.html Universal Messaging Engine – Version 2 (UME2) (zip)]
** Google [http://www.google.com/search?q=site:eid.belgium.be+inurl:imported_content_eid deeply], [http://www.google.com/search?q=site:www.belgium.be+inurl:zip deeply], [http://www.google.com/search?q=site:www.ibz.rrn.fgov.be+inurl:eID deeply]...
* [http://repository.eid.belgium.be/FR/Index.htm Certificates], also "raw" [http://certs.eid.belgium.be/ here] and the [https://stage-pki.belgium.be/ Belgium Root CA] site
* [http://status.eid.belgium.be/ eID services], check online the status of a certificate and search the delta CRLs
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [https://readers.eid.belgium.be Help website] for the eID-kits for kids
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://map.eid.belgium.be/fr.html Map of eID applications]
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]
* [http://www.eid-shop.be/language_select/ eID shop], partners & implementations available
* [http://www.cardreaders.be cardreaders] officially supported
* [https://ecommunities.belgium.be eCommunities]
* [http://www.eidcompany.be/ The eID Company], they apparently made most of the eID infrastructure (but I never heard about them since now)

==Specifications==
* Belgian Electronic Identity Card content
** [http://www.belgium.be/eportal/ShowDoc/fed_ict/imported_content/pdf/Belgian_Electronic_Identity_Card_content_v2.2_FR.pdf?contentHome=entapp.BEA_personalization.eGovWebCacheDocumentManager.fr v2.2 (pdf)] from [http://eid.belgium.be Official eID portal]
** [http://web.archive.org/web/*/http://www.rijksregister.fgov.be/cie/specifications_techniques/belgian_electronic_identity_card_content_v2.8.a.pdf v2.8a (pdf)] from [http://www.archive.org WaybackMachine], found ref in [http://csrc.nist.gov/publications/nistir/ir7284/nistir-7284.pdf this NIST document (pdf)] Ok the document actually [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belgian_electronic_identity_card_content_v2.8.a.pdf moved to the new website]
*** That version skips v2.2 in the Document Change History, very strange...
* Description of the Belpic EID-version numbering
** [http://www.belgium.be/eportal/ShowDoc/fed_ict/imported_content/pdf/eID-version_numbering_v1_6_8_FR.pdf?contentHome=entapp.BEA_personalization.eGovWebCacheDocumentManager.fr v1.6.8] from [http://eid.belgium.be Official eID portal]
* Public User Specification BELPIC Application
** [http://www.belgium.be/zip/IdentityMiddlewareSpecs.zip V2.0 (pdf in zip)]
** I found [http://www.mkik.hu/download.php?id=726 this doc] on the [http://www.mkik.hu/index.php?id=634 Hungarian Chamber of Commerce & Industry], even in a [http://www.mkik.hu/download.php?id=727 version partly translated in hungarian] The end of that document is the Public User Specification BELPIC Application but badly formatted Apparently it ended up on this site as [http://www.mkik.hu/download.php?id=724 part of a publication for the European institutions]
* EID-Readers technical compatibility
** [http://www.belgium.be/eportal/ShowDoc/fed_ict/imported_content/pdf/Readers_technical_compatibility_v2.7.3_FR.pdf?contentHome=entapp.BEA_personalization.eGovWebCacheDocumentManager.fr v2.7.3 (pdf)] from [http://eid.belgium.be Official eID portal]
** [http://www.foo.be/eID/opensc-belgium/BEID-ReaderSpecs-v2.7.5.pdf v2.7.5 (pdf)]
* Belgian Electronic Identity Card Middleware Programmers Guide
** [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/programmers_guide_v1.1.pdf v1.1 (pdf)]
** [http://www.belgium.be/zip/IdentityMiddlewareSpecs.zip v1.4 (pdf in zip)]
* Belgian eID Toolkit Developer's guide
** [http://www.belgium.be/zip/IdentityMiddlewareSpecs.zip v1.0i (pdf in zip)]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID (nl)] ([http://www.microsoft.com/belux/fr/eid/ or (fr)]), just an old marketing buzz? (I wouldn't complain...)
* [http://homes.esat.kuleuven.be/~decockd/site/EidCards/belpic/mySlides/belgian.eid.card.technical.overview.pdf Belgian eID Card Technicalities (pdf)] by Danny de Cock, a MUST to read if you want to know all the gory details about the eID!

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

[https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0014 According to Danny de Cock] you can revoke them by phone via the eID card stop service: call +32-2-518.21.16 or +32.2.518.21.17,in French or Dutch, respectively (there is a 7-day period prior to definitive revocation, I'm not sure how secure is the procedure...)

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate. ''UPDATE'': [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0015 some discussions here] ''UPDATE'': Public user specification BELPIC application v2.0 mention 2 different PINs with their own ids (01 for auth, 04 for non-repud) and [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0067 according to Danny] the new cards will have 2 PINs
** Better than 4 digits (& 3 attempts so 3 chances over 10000) ''UPDATE'' In fact we can change the PIN to up to a 12-digit value.
** Probably they limited themselves to one single PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can [http://scienceblogs.com/cognitivedaily/2007/02/is_17_the_most_random_number.php generate random] PINs? ;-) ''UPDATE'': Actually you get only half of the PUK, 6 digits, and you need to go to the municipality to have your eID card unblocked... This unblocking consists of sending 12 PUK digits to your eID card: you provide 6 PUK digits, and the National Register provides the other 6... I.e., it is impossible for a citizen to unblock his/her eID card without presenting him/herself to the municipality... [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0067 Thanks for the info Danny]!

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh... You can import Belgium Root CA signed by GlobalSign Root CA [http://certs.eid.belgium.be/ here (the belgiumrs*.crt)]
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.
* And what about [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/fr/8_documentation/communique_de_presse/presse_150208_2.pdf administrative errors]? ;-)

==Linux: Drivers==
If you want to try also [https://readers.eid.belgium.be/index.cfm?Content_ID=8515371 make sure you're using Linux] :-D

I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€
 So the card is accessed via the USB reader, handled by the libccid, used by the pcscd daemon.

<pre>
$ pcsc_scan
Reader 0: iDream ID-SMID01 00 00
Card state: Card inserted,
ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11

ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11
+ TS = 3B --> Direct Convention
+ T0 = 98, Y(1): 1001, K: 8 (historical bytes)
TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU (38400 bits/s at 3.57 MHz)
TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
-----
TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
+ Historical bytes: A5 03 01 01 01 AD 13 11
Category indicator byte: A5 (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 98 13 40 0A A5 03 01 01 01 AD 13 11
Belgium Electronic ID card
</pre>

==Linux: Government Middleware==
===Installation===
The Belgian government is providing a Linux middleware to access the eID.
 The sources are accessible [http://www.belgium.be/zip/eid_datacapture_fr.html here (fr)] or [http://www.belgium.be/zip/eid_datacapture_fr.html there (nl)]
 But thanks to Wouter Verhelst, there are also Debian packages (2.6.0-3 in Lenny as I'm writing):

apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
Some interesting documentation once it's installed: /usr/share/doc/libbeidlibopensc2/README.Debian

A short introduction to the middleware is available [http://www.belgium.be/zip/middleware_Linux_FR.pdf here (fr, pdf)] or [http://www.belgium.be/zip/middleware_Linux_NL.pdf here (nl, pdf)]
===Belpic version of OpenSC===
The middleware is a modified version of OpenSC, talking to pcscd.
 I recently saw that my ~/.xsession-errors logfile was full of ''Error: can't open /var/run/openct/status...'' It happens whenever icedove/iceweasel are open (so when the libbeidpkcs11.so is loaded) I found a [https://bugs.launchpad.net/ubuntu/+source/belpic/+bug/70442 bugreport on Ubuntu] and the proposed fix works so I opened a Debian bugreport: [http://bugs.debian.org/469485 #469485]:

OpenSC has support for three driver types : PCSC, OpenCT and CT-API. Belpic only needs PC/SC, and will produce errors/warnings if you leave support for OpenCT enabled.

Edit /etc/beidbase.conf, and insert a statement that limits the use of drivers to pcsc. Right before the reader_driver config feels like an OK place to do this :

## specify driver family pcsc.
# Others (openct, ..) are not needed for Belpic and
# may produce errors/warnings

reader_drivers = pcsc ;

reader_driver pcsc {
....
===GUI===
The GUI application (beidgui) works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
 You can easily change your PIN here, with a PIN between 4 and 12 digits!
 I don't remember of having read that PINs bigger than 4-digit were possible...

===beidcrld===
Part of beid-tools
 It's an optional daemon, supposed to download automatically the CRLs.
 '''TODO''': where are those CRLs stored locally? How to check the status? /usr/share/beid/crl

===beidpcscd===
Part of beid-tools
 It's an optional daemon.
 The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, Iceweasel & Icedove (through the PKCS#11 module we'll install later) are constantly speaking with it...
 And if it's not running, Iceweasel & Icedove will poll every second on that port 2500, no matter if you are really using the eID at that moment or not, erk!

===beid-pkcs11-tool===
Part of beid-tools
 For a little demo...
<pre>
$ beid-pkcs11-tool --list-slots
Available slots:
Slot 0 iDream ID-SMID01 00 00
manufacturer: Zetes
hardware ver: 1.0
firmware ver: 1.0
flags: token present, removable device, hardware slot
token label: BELPIC (Basic PIN)
token manuf: Axalto
token model: Belgium eID
token flags: rng, PIN initialized, token initialized
[...]
</pre>
<pre>
$ beid-pkcs11-tool --list-objects
Private Key Object; RSA 1024 bits
label: Authentication
ID: 02
Usage: sign
Certificate Object, type = X.509 cert
label: Authentication
ID: 02
Public Key Object; RSA 1024 bits
label: Authentication
ID: 02
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: CA
ID: 00
Public Key Object; RSA 2048 bits
label: CA
ID: 04
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: Root
ID: 00
Public Key Object; RSA 2048 bits
label: Root
ID: 06
Usage: encrypt, verify
Private Key Object; RSA 1024 bits
label: Signature
ID: 03
Usage: sign
Certificate Object, type = X.509 cert
label: Signature
ID: 03
Public Key Object; RSA 1024 bits
label: Signature
ID: 03
Usage: encrypt, verify
</pre>
<pre>
$ beid-pkcs11-tool --list-mechanisms
Supported mechanisms:
SHA-1, digest
MD5, digest
RIPEMD160, digest
RSA-PKCS, sign, verify, unwrap
SHA1-RSA-PKCS, sign, verify
MD5-RSA-PKCS, sign, verify
RIPEMD160-RSA-PKCS, sign, verify
</pre>
<pre>
$ beid-pkcs11-tool --test
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Authentication)
QSettings: failed to open file '/etc/qt3/qt_plugins_3.3rc'
all 4 signature functions seem to work
testing signature mechanisms:
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (Signature) with 1 signature mechanism
RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (Authentication)
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (Signature) with 1 mechanism
RSA-PKCS: OK
Key unwrap (RSA)
testing key 0 (Authentication) -- can't be used to unwrap, skipping
testing key 1 (Signature) -- can't be used to unwrap, skipping
[...]
</pre>

===libbeidpkcs11.so===
It's a PKCS#11 library which can be used by Firefox/Iceweasel, Thunderbird/Icedove, Iceape, OpenOffice,...
 See below for some tests with those applications.
====Firefox security module====
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

====Thunderbird security module====
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.
 TODO: I still would like to understand what went wrong before, why only the "Authentication" certificate worked and not the "Signature" one.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

====Signing in OpenOffice====
It is using the same certificate set as firefox/iceweasel so signing in OpenOffice works out-of-the-box on my Debian.
 If not you can still check [http://www.linux.com/articles/57554 this article] to debug your situation.

File -> Digital Signatures... -> Add...

This works also with the legal "signature" certificate

==Linux: OpenSC Middleware==
===Installation===
belpic, the Belgian middleware, is a modified version of OpenSC, let's try the plain OpenSC:
apt-get install opensc
=> file:///usr/share/doc/opensc/BelgianEid.html
 ''OpenSC 0.10.* will include support for the Belgian eID card, except for legally binding signatures (with the so-called Signature key) as this requires a GUI, which is not yet available/implemented. Till that new release please use the "belpic" software available from the belgian state.''

Note that you've to stop the filter daemon (beidpcscd) first
===cardos-info===
Returns the ATR
$ cardos-info
3b:98:13:40:0a:a5:03:01:01:01:ad:13:11
Received (SW1=0x6D, SW2=0x00)

===opensc-tool===
<pre>
$ opensc-tool -a -v # with debug=1 in /etc/opensc/opensc.conf
[opensc-tool] ctx.c:705:sc_context_create: ===================================
[opensc-tool] ctx.c:706:sc_context_create: opensc version: 0.11.4
[opensc-tool] sc.c:196:sc_detect_card_presence: called
[opensc-tool] sc.c:201:sc_detect_card_presence: returning with: 1
Connecting to card in reader iDream ID-SMID01 00 00...
[opensc-tool] card.c:110:sc_connect_card: called
[opensc-tool] reader-pcsc.c:542:pcsc_connect: After connect protocol = 1
[opensc-tool] reader-pcsc.c:561:pcsc_connect: Requesting reader features ...
[opensc-tool] card-belpic.c:988:belpic_init: Belpic V1.4
[opensc-tool] card-belpic.c:995:belpic_init:
[opensc-tool] card.c:221:sc_connect_card: card info: Belpic cards, 12002, 0x0
[opensc-tool] card.c:222:sc_connect_card: returning with: 0
Using card driver Belpic cards.
Card ATR:
3B 98 13 40 0A A5 03 01 01 01 AD 13 11 ;..@.........
[opensc-tool] card.c:236:sc_disconnect_card: called
[opensc-tool] card.c:251:sc_disconnect_card: returning with: 0
[opensc-tool] ctx.c:738:sc_release_context: called
</pre>
From the ATR:
* Component code: A5
* OS number: 03
* OS version: 01
* Softmask number: 01
* Softmask version: 01
* Applet version: 1.1
<pre>
$ opensc-tool -n
Belpic cards
</pre>
<pre>
$ opensc-tool -f
3f00 type: DF, size: 65535
select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A] list[N/A]
[opensc-tool] card.c:343:sc_list_files: returning with: Not supported
sc_list_files() failed: Not supported
</pre>

===opensc-explorer===
<pre>
$ opensc-explorer

#PUK: (max trials: 3, length: 4-12)
OpenSC [3F00]> verify CHV1 31:31:31:31
[opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
Incorrect code, 2 tries left.

OpenSC [3F00]> verify CHV1 31:32:33:34
Code correct.

#PUK: (max trials: 12, length: 12)
OpenSC [3F00]> verify CHV3 31:32:33:34
[opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
Incorrect code, 11 tries left.

#PINreset (max trials: 10, length: 12)
OpenSC [3F00]> verify CHV2 31:32:33:34
[opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
Incorrect code, 9 tries left.

OpenSC [3F00]> random 100
00000000: 80 8E DD 53 92 0A FB 12 17 7E 77 49 11 D5 3E 93 ...S.....~wI..>.
00000010: E7 93 CD C1 D8 AB E2 0E 85 34 44 F0 B2 F4 52 8A .........4D...R.
00000020: FD 0A 34 8F A1 16 2C 91 85 18 77 83 F4 EC 2F DB ..4...,...w.../.
00000030: 5D 5A A6 F8 4C 61 21 74 B1 C0 E2 4C FF 7B CF BF ]Z..La!t...L.{..
00000040: 01 A2 06 CB 41 33 EB 75 2E 86 90 A7 E6 FD 0C 8C ....A3.u........
00000050: BF 12 CD CE 32 EB 40 89 D7 98 39 78 30 86 AF 52 ....2.@...9x0..R
00000060: 60 E0 F6 C3 `...

OpenSC [3F00]> cd df00

OpenSC [3F00/DF00]> get 5035
Total of 119 bytes read from 5035 and saved to 3F00_DF00_5035.
</pre>
You can also cat the files:
<pre>
OpenSC [3F00]> cd df01
OpenSC [3F00/DF01]> cd 4033
OpenSC [3F00/DF01/4033]> cat
00000000: 01 1E 41 76 65 6E 75 65 20 64 65 20 6C 61 20 43 ..Avenue de la C
00000010: 6F 75 72 6F 6E 6E 65 20 34 31 20 2F 62 30 32 37 ouronne 41 /b027
00000020: 02 04 31 30 35 30 03 07 49 78 65 6C 6C 65 73 00 ..1050..Ixelles.
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 .....

</pre>
The interpretation of the file contents we just extracted can be found in the [[#Specifications|Belgian Electronic Identity Card content]] document
 Here are all the files you can extract:
<pre>
3F00_2F00 MF/DIR
3F00_DF00_5031 MF/Belpic/ODF (Object Directory File)
3F00_DF00_5032 MF/Belpic/TokenInfo
3F00_DF00_5034 MF/Belpic/AODF (Authentication Object Directory File)
3F00_DF00_5035 MF/Belpic/PrKDF (Private Key Directory File)
3F00_DF00_5037 MF/Belpic/CDF (Certificate Directory File)
3F00_DF00_5038 MF/Belpic/Cert#2 (auth)
3F00_DF00_5039 MF/Belpic/Cert#3 (non-rep)
3F00_DF00_503A MF/Belpic/Cert#4 (CA)
3F00_DF00_503B MF/Belpic/Cert#6 (Root)
3F00_DF00_503C MF/Belpic/Cert#8 (RRN)
3F00_DF01_4031 MF/ID/ID#RN (contains also hash of ID#Photo)
3F00_DF01_4032 MF/ID/SGN#RN (signature of ID#RN by RRN)
3F00_DF01_4033 MF/ID/ID#Address
3F00_DF01_4034 MF/ID/SGN#Address (signature of ID#Address|SGN#RN by RRN)
3F00_DF01_4035 MF/ID/ID#Photo (140x200 JPEG grayscale)
3F00_DF01_4038 MF/ID/PuK#7 ID (CA role Hash SHA-1)
3F00_DF01_4039 MF/ID/Preferences
</pre>
Note that here we could extract the RRN Cert#8, which was not shown by the usual pkcs#15 tools...
 Note that the Preferences file is 100-byte zeroes, is customisable just with the cardholder PIN but the update_binary command is not supported, so [[#patch|I wrote a patch]]
<pre>
$ xview 3F00_DF01_4035
3F00_DF01_4035 is a 140x200 JPEG image, color space Grayscale, 1 comp, Huffman coding.
...
</pre>
So to extract the picture via a simple script:
echo -e "cd df01\nget 4035 mypic.jpg"|opensc-explorer

===pkcs11-tool===
Differences with beid-pkcs11-tool are highlighted between *stars*
<pre>
$ pkcs11-tool --list-slots
Available slots:
Slot 0 iDream ID-SMID01 00 00
token label: BELPIC (Basic PIN)
*token manuf: (unknown)*
token model: PKCS #15 SCard
token flags: rng, *login required*, PIN initialized, token initialized
*serial num : 6CFF252C5F190218*
</pre>
<pre>
$ pkcs11-tool --list-objects
</pre>
<pre>
$ pkcs11-tool --login --list-objects
Please enter User PIN:
Private Key Object; RSA
label: Authentication
ID: 02
Usage: sign
Certificate Object, type = X.509 cert
label: Authentication
ID: 02
Public Key Object; RSA 1024 bits
label: Authentication
ID: 02
Usage: encrypt, verify
Private Key Object; RSA
label: Signature
ID: 03
Usage: sign
Certificate Object, type = X.509 cert
label: Signature
ID: 03
Public Key Object; RSA 1024 bits
label: Signature
ID: 03
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: CA
ID: 00
Public Key Object; RSA 2048 bits
label: CA
ID: 04
Usage: encrypt, verify
Certificate Object, type = X.509 cert
label: Root
ID: 00
Public Key Object; RSA 2048 bits
label: Root
ID: 06
Usage: encrypt, verify
</pre>
Strange, I need to login to extract the objects
 Strange, pubkeys can encrypt but privkey cannot decrypt...
 Strange, both RootCA and CitizenCA certificates have the same id 0
 And what's the format of those certificates when dumped out? Not DER neither PEM
<pre>
$ pkcs11-tool --login --read-object --id 0 --type cert|xxd
[...]
$ pkcs11-tool --login --read-object --id 2 --type pubkey |xxd
[...]
</pre>
<pre>
$ pkcs11-tool --list-mechanisms
Supported mechanisms:
SHA-1, digest
*SHA256, digest*
*SHA384, digest*
*SHA512, digest*
MD5, digest
RIPEMD160, digest
RSA-PKCS, sign, verify, unwrap, *decrypt*
SHA1-RSA-PKCS, sign, verify
MD5-RSA-PKCS, sign, verify
RIPEMD160-RSA-PKCS, sign, verify
*RSA-PKCS-KEY-PAIR-GEN, keypairgen*
</pre>
Extra mechanisms available apparently...
 And they work:
<pre>
phil@mercure:~$ echo -n test|pkcs11-tool --hash --mechanism SHA512 |xxd
0000000: ee26 b0dd 4af7 e749 aa1a 8ee3 c10a e992 .&..J..I........
0000010: 3f61 8980 772e 473f 8819 a5d4 940e 0db2 ?a..w.G?........
0000020: 7ac1 85f8 a0e1 d5f8 4f88 bc88 7fd6 7b14 z.......O.....{.
0000030: 3732 c304 cc5f a9ad 8e6f 57f5 0028 a8ff 72..._...oW..(..
</pre>
<pre>
$ pkcs11-tool --login --test
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
not implemented
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Authentication)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (1024 bits, label=Signature) with 1 signature mechanism
[opensc-pkcs11] sec.c:67:sc_set_security_env: returning with: Not supported
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
</pre>

===pkcs15-tool===
<pre>
$ pkcs15-tool --dump
PKCS#15 Card [BELPIC]:
Version : 1
Serial number : 1234567890ABCDEF1234567890ABCDEF
Manufacturer ID: (unknown)
Flags : PRN generation, EID compliant

PIN [Basic PIN]
Com. Flags: 0x3
ID : 01
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:12, stored_len:8
Pad char : 0xFF
Reference : 1
Type : bcd
Path : 3f00

Private RSA Key [Authentication]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 130
Native : yes
Path : 3f00df00
Auth ID : 01
ID : 02

Private RSA Key [Signature]
Com. Flags : 3
Usage : [0x200], nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 131
Native : yes
Path : 3f00df00
Auth ID : 01
ID : 03

X.509 Certificate [Authentication]
Flags : 3
Authority: no
Path : 3f00df005038
ID : 02

X.509 Certificate [Signature]
Flags : 3
Authority: no
Path : 3f00df005039
ID : 03

X.509 Certificate [CA]
Flags : 3
Authority: yes
Path : 3f00df00503a
ID : 04

X.509 Certificate [Root]
Flags : 3
Authority: yes
Path : 3f00df00503b
ID : 06
</pre>

pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2

===pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.
===eidenv===
Very interesting one...
<pre>
$ eidenv | recode UTF8..
BELPIC_CARDNUMBER: 123456789012
BELPIC_CHIPNUMBER: 1234567890ABCDEF1234567890ABCDEF
BELPIC_VALIDFROM: 20.06.2005
BELPIC_VALIDTILL: 20.06.2010
BELPIC_DELIVERINGMUNICIPALITY: Liege
BELPIC_NATIONALNUMBER: 00310100123
BELPIC_NAME: Teuwen
BELPIC_FIRSTNAMES: Philippe Yvon
BELPIC_INITIAL: F
BELPIC_NATIONALITY: Belge
BELPIC_BIRTHLOCATION: Liège
BELPIC_BIRTHDATE: 31 JAN 1900 (or 2000? ;-)
BELPIC_SEX: M
BELPIC_NOBLECONDITION:
BELPIC_DOCUMENTTYPE: 1
BELPIC_SPECIALSTATUS: 0
BELPIC_STREETANDNUMBER: Rue de l'OpenSource 12 /b012
BELPIC_ZIPCODE: 1050
BELPIC_MUNICIPALITY: Ixelles
</pre>
<pre>
$ eidenv --exec /bin/bash
$ echo $BELPIC_NAME
Teuwen
$ exit
</pre>
But if the filter daemon beidpcscd is running:
<pre>
$ eidenv
[eidenv] reader-pcsc.c:534:pcsc_connect: SCardConnect failed: Sharing violation.
[eidenv] card.c:228:sc_connect_card: returning with: Generic reader error
Failed to connect to card: Generic reader error
</pre>
I expected to get prompted by the filter but nothing like that
===patch===
The middleware is missing the function update_binary() while the card supports it and provides a writable file EF(Preferences) for the cardholder (you need first to login with your PIN)
 So I added it and [http://bugs.debian.org/470637 submitted it in bugreport #470637]
 Demo: how to install Linux on the eID (hum, so to speak...)
<pre>
$ opensc-explorer
OpenSC Explorer version 0.11.4
OpenSC [3F00]> cd df01
OpenSC [3F00/DF01]> verify CHV1 31:32:33:34
Code correct.
OpenSC [3F00/DF01]> put 4039 tux.txt
Total of 100 bytes written.
</pre>
<pre>
$ opensc-explorer
OpenSC Explorer version 0.11.4
OpenSC [3F00]> cd df01
OpenSC [3F00/DF01]> cd 4039
OpenSC [3F00/DF01/4039]> cat
000000: 5B 47 65 6E 5D 0A 4C 47 3D 66 72 00 5F 20 20 20 [Gen].LG=fr._
000010: 00 00 00 00 00 00 00 00 20 20 20 2E 20 2E 20 20 ........ . .
000020: 00 00 00 00 00 00 00 00 20 20 20 2F 56 5C 20 20 ........ /V\
000030: 00 00 00 00 00 00 00 00 20 20 2F 2F 20 5C 5C 20 ........ // \\
000040: 00 00 00 00 00 00 00 00 20 2F 28 20 20 20 29 5C ........ /( )\
000050: 00 00 00 00 00 00 00 00 20 20 5E 60 7E 27 5E 20 ........ ^`~'^
000060: 00 00 00 00 ....
</pre>

==Linux: to be sorted...==
===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
cf [[OpenSSH#Patch_for_login_with_eID]]

===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

[https://openid.trustbearer.com TrustBearer OpenID] supports the Belgian eID as an authentication token. The service uses a browser add-on which contains a middleware stack that communicates directly with the reader & card. See a demonstration on [http://blog.rootshell.be/2008/04/28/openid-and-belgian-eid/ this blog].

===Cryptonit===
From [http://www.opentrust.com/content/view/135/142index.en.html News:] OPENTRUST has announced the availability of a new version of Cryptonit. This latest release is fully compatible with the Belgium electronic ID card which when used with Cryptonit enables documents to be digitally signed. [http://sourceforge.net/project/showfiles.php?group_id=110403 download]

Under Debian:
apt-get install cryptonit
Device->Load-> /usr/lib/libbeidpkcs11.so
It works, you can sign files with both certificates.
 Note that the first PIN prompt doesn't matter, you'll get prompted directly by the libbeidpkcs11 middleware.
 Note that for repetitive Authentication signings (even after close/reopen cryptonit) it doesn't prompt me anymore for the next signatures, but well if I want to use the non-repudiation one.

==Linux: TODO==
===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 See also file:///usr/share/doc/opensc/PamModules.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

See also file:///usr/share/doc/opensc/QuickStart.html

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
 and https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCardReverseProxy0004

===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
 '''UPDATE''' openvpn 2.1~rc7-1 is available soon on Debian

===TODO: Acrobat Reader===
acroread can deals with PKCS#11 modules...
Document -> Security Settings -> Digital IDs -> PKCS#11 -> Attach module ->
I tried:
/usr/lib/libbeidpkcs11.so -> fails to load the module
/usr/lib/onepin-opensc-pkcs11.so -> ok
/usr/lib/opensc-pkcs11.so -> ok
But with those last 2 modules I don't know how to access the eID.

See also https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0068?t=2008-04-04T18:04:26Z and try with http://itext.ugent.be/articles/eid-pdf/

===TODO: Misc===
* [http://opensignature.sourceforge.net/english.php OpenSignature] targeted for Italian eID
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* JAVA
** beidlib.jar: BEIDCard.html and Test.java
** http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/JavaEidSampleCodeTOC
* Novell version in C#...
** I could compile but still runtime errors
* http://www.law.kuleuven.be/icri/publications/954eIDPDFSignatures.pdf.pdf and [http://www.law.kuleuven.be/icri/all_pubs.php?action=pubs_topic&id=2&where= other papers]
* http://www.tonywhitmore.co.uk/cgi-local/wiki.pl?UsefulNotes/SmartCards
* WPA?? file:///usr/share/doc/opensc/WPA.html
* https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Eid/EidForum Danny opened some forums on eID, a lot to read probably ;-)
** [https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0031 What about the preferences file?]
* http://javadoc.iaik.tugraz.at/iaik_jce/current/index.html
* http://www.uvcw.be/e-communes/eid & http://www.uvcw.be/articles/3,90,39,39,1398.htm
* http://www.disinstitute.be/
* http://www.eidating.be/
* <nowiki>http://www.belgium.be/eportal/application?pageid=contentPage&docId=30000 .. 45000?</nowiki>
* http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/AppletEidCardsUtilityTOC
** the applet loads but nothing happens when trying to see the content of the card :-(
* http://www.linux.com/feature/131527