Difference between revisions of "Belgian eID"

From YobiWiki
Jump to navigation Jump to search
m
Line 31: Line 31:
   
 
The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
 
The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
  +
 
===Exploring===
 
pkcs15-tool --dump
 
pkcs15-tool --read-certificate 02 > my_auth.crt
 
pkcs15-tool --read-certificate 03 > my_sign.crt
 
pkcs15-tool --read-certificate 04 > belgium.crt
 
pkcs15-tool --read-certificate 06 >> belgium.crt
 
openssl x509 -in my_auth.crt -text
 
pkcs15-tool --read-ssh-key 2
  +
 
===Firefox security module===
 
===Firefox security module===
 
To add the security module to Firefox:
 
To add the security module to Firefox:
Line 42: Line 52:
 
If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?
 
If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?
   
===Exploring===
 
pkcs15-tool --dump
 
pkcs15-tool --read-certificate 02 > my_auth.crt
 
pkcs15-tool --read-certificate 03 > my_sign.crt
 
pkcs15-tool --read-certificate 04 > belgium.crt
 
pkcs15-tool --read-certificate 06 >> belgium.crt
 
openssl x509 -in my_auth.crt -text
 
pkcs15-tool --read-ssh-key 2
 
 
===SSH===
 
===SSH===
 
Inspired from http://simi.be/?page_id=9
 
Inspired from http://simi.be/?page_id=9

Revision as of 00:37, 6 February 2008

Belgian eID is part of the efforts of the government for Belgian eGov

Officials

Usage & Software

Articles

Misc

My attempts under Linux

I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€

Installing beidgui and dependencies:

apt-get install beidgui
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd 
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

Exploring

pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2

Firefox security module

To add the security module to Firefox:

apt-get install libbeid2-dev libbeidlibopensc2-dev

Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?

SSH

Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):

Package: openssh-client-sc                                                          
Architecture: any                                                                   
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...


I recompile ssh with smartcard support.

apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot

Sending my public key to the ssh server:

pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'

Then logging, being prompted for my PIN:

ssh -I 0 user@host.com

TODO

http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids