Difference between revisions of "Belgian eID"

From YobiWiki

Diff between the previous revision and the revision of 23:56, 6 February 2008; the full text of the new revision follows the diff. The new revision trimmed the GpgSM section: the verbose gpgsm/scdaemon logs and the pinentry workaround of the previous revision, reproduced here, were replaced by "[...]" and a one-line summary.
Acquiring the certificates (previous revision, with the full log):

$ gpgsm --learn-card
gpgsm[9287]: can't connect to `/home/phil/.gnupg/S.gpg-agent': No such file or directory
scdaemon[9289]: pkcs#15 application label from EF(DIR) is `BELPIC'
scdaemon[9289]: pkcs#15 application directory is 0xDF00
scdaemon[9289]: DBG: Serialnumber from EF(TokenInfo) is: 53 4C 49 4E 33 66 00 29 6C FF 25 2C 5F 19 02 18
scdaemon[9289]: DBG: CDF 5037: id=02 path=3F00DF005038
scdaemon[9289]: DBG: CDF 5037: id=03 path=3F00DF005039
scdaemon[9289]: DBG: CDF 5037: id=04 path=3F00DF00503A
scdaemon[9289]: DBG: CDF 5037: id=06 path=3F00DF00503B
scdaemon[9289]: DBG: PrKDF 5035: id=02 path=3F00DF00 authid=01 keyref=0x82 usage=sign
scdaemon[9289]: DBG: PrKDF 5035: id=03 path=3F00DF00 authid=01 keyref=0x83 usage=non_repudiation
scdaemon[9289]: DBG: AODF 5034: id=01 flags=initialized,needs_padding type=bcd min=4 stored=8 pad=0xffffffff pinref=0x01 path=3F00
gpg-agent[9288]: card has S/N: 534C494E336600296CFF252C5F190218
scdaemon[9289]: updating status of slot 0 to 0x0007
scdaemon[9289]: client pid is 9288, sending signal 12
scdaemon[9289]: scdaemon (GnuPG) 2.0.8 stopped
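The CDF/PrKDF/AODF lines above are scdaemon's dump of the card's PKCS#15 directory files: certificates, private keys and the PIN object. The following is an added example (not code from this page or from GnuPG; the sample lines are copied from the log above, nothing is generated) that parses them into an inventory tying key 02 (keyref 0x82, usage sign) to certificate 02 and key 03 (keyref 0x83, usage non_repudiation) to certificate 03, the same id pairing used with pkcs15-crypt --key 2 / --key 3 further down. Certificates 04 and 06 have no matching key: they are the CA certificates.

```python
"""Parse scdaemon's PKCS#15 directory dump (CDF = certificates, PrKDF =
private keys, AODF = authentication objects) into an inventory.
Added example, not part of the wiki page or of GnuPG."""
import re

# Sample input: lines copied from the --learn-card log on this page.
SAMPLE_LOG = """\
scdaemon[9289]: pkcs#15 application label from EF(DIR) is `BELPIC'
scdaemon[9289]: pkcs#15 application directory is 0xDF00
scdaemon[9289]: DBG: Serialnumber from EF(TokenInfo) is: 53 4C 49 4E 33 66 00 29 6C FF 25 2C 5F 19 02 18
scdaemon[9289]: DBG: CDF 5037: id=02 path=3F00DF005038
scdaemon[9289]: DBG: CDF 5037: id=03 path=3F00DF005039
scdaemon[9289]: DBG: CDF 5037: id=04 path=3F00DF00503A
scdaemon[9289]: DBG: CDF 5037: id=06 path=3F00DF00503B
scdaemon[9289]: DBG: PrKDF 5035: id=02 path=3F00DF00 authid=01 keyref=0x82 usage=sign
scdaemon[9289]: DBG: PrKDF 5035: id=03 path=3F00DF00 authid=01 keyref=0x83 usage=non_repudiation
scdaemon[9289]: DBG: AODF 5034: id=01 flags=initialized,needs_padding type=bcd min=4 stored=8 pad=0xffffffff pinref=0x01 path=3F00
"""

# One directory-file entry: which DF, its EF id, then key=value attributes.
ENTRY_RE = re.compile(
    r"scdaemon\[\d+\]: DBG: (?P<df>CDF|PrKDF|AODF) (?P<efid>[0-9A-Fa-f]{4}): (?P<attrs>.*)$")
LABEL_RE = re.compile(r"application label from EF\(DIR\) is `([^']*)'")
DIR_RE = re.compile(r"application directory is (0x[0-9A-Fa-f]+)")
BUCKET = {"CDF": "certs", "PrKDF": "keys", "AODF": "pins"}


def parse_attrs(text):
    """'id=02 path=3F00 usage=sign' -> dict; the comma-separated flags become a set."""
    attrs = dict(kv.split("=", 1) for kv in text.split())
    if "flags" in attrs:
        attrs["flags"] = set(attrs["flags"].split(","))
    return attrs


def parse_pkcs15_log(log):
    inv = {"app_label": None, "app_dir": None, "certs": {}, "keys": {}, "pins": {}}
    for line in log.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            attrs = parse_attrs(m.group("attrs"))
            inv[BUCKET[m.group("df")]][attrs["id"]] = attrs
            continue
        m = LABEL_RE.search(line)
        if m:
            inv["app_label"] = m.group(1)
        m = DIR_RE.search(line)
        if m:
            inv["app_dir"] = m.group(1)
    return inv


def key_summary(inv):
    """One row per private key: the certificate sharing its id, the declared
    usage, and the minimum length of the PIN object (authid) protecting it."""
    rows = []
    for kid, k in sorted(inv["keys"].items()):
        cert = inv["certs"].get(kid)
        pin = inv["pins"].get(k.get("authid"))
        rows.append({
            "key_id": kid,
            "keyref": k["keyref"],
            "usage": k["usage"],
            "cert_path": cert["path"] if cert else None,
            "pin_min_len": int(pin["min"]) if pin else None,
        })
    return rows


def ca_certificate_ids(inv):
    """Certificate ids with no private key on the card (the CA certificates)."""
    return sorted(set(inv["certs"]) - set(inv["keys"]))


if __name__ == "__main__":
    inventory = parse_pkcs15_log(SAMPLE_LOG)
    print(inventory["app_label"], inventory["app_dir"])
    for row in key_summary(inventory):
        print(row)
    print("CA certificates:", ca_certificate_ids(inventory))
```

Run it against a real `--learn-card` log (scdaemon.conf needs `debug-level` raised for the DBG lines to appear) to see which key id carries which usage before choosing `--key` for pkcs15-crypt.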
 
 
 
Let's try again without the CRL check (previous revision, with the full log):

$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
gpgsm[6662]: can't connect to `/home/phil/.gnupg/S.gpg-agent': No such file or directory
gpgsm: note: non-critical certificate policy not allowed
gpg-agent[6663]: system trustlist `/etc/gnupg/trustlist.txt' not available
gpgsm: note: non-critical certificate policy not allowed
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: DBG: adding certificates at level 1
scdaemon[6664]: pkcs#15 application label from EF(DIR) is `BELPIC'
scdaemon[6664]: pkcs#15 application directory is 0xDF00
scdaemon[6664]: DBG: Serialnumber from EF(TokenInfo) is: 53 4C 49 4E 33 66 00 29 6C FF 25 2C 5F 19 02 18
scdaemon[6664]: DBG: CDF 5037: id=02 path=3F00DF005038
scdaemon[6664]: DBG: CDF 5037: id=03 path=3F00DF005039
scdaemon[6664]: DBG: CDF 5037: id=04 path=3F00DF00503A
scdaemon[6664]: DBG: CDF 5037: id=06 path=3F00DF00503B
scdaemon[6664]: DBG: PrKDF 5035: id=02 path=3F00DF00 authid=01 keyref=0x82 usage=sign
scdaemon[6664]: DBG: PrKDF 5035: id=03 path=3F00DF00 authid=01 keyref=0x83 usage=non_repudiation
scdaemon[6664]: DBG: AODF 5034: id=01 flags=initialized,needs_padding type=bcd min=4 stored=8 pad=0xffffffff pinref=0x01 path=3F00
gpg-agent[6663]: DBG: detected card with S/N 534C494E336600296CFF252C5F190218
scdaemon[6664]: DBG: asking for PIN 'PIN'
scdaemon[6664]: updating status of slot 0 to 0x0007
scdaemon[6664]: client pid is 6663, sending signal 12
scdaemon[6664]: PIN callback returned error: End of file
scdaemon[6664]: card_sign failed: End of file
gpgsm: error creating signature: End of file <GpgSM>
scdaemon[6664]: scdaemon (GnuPG) 2.0.8 stopped
pinentry-gtk: Assuan processing failed: write error

So even though gpg-agent launched the pinentry GUI properly, it only waited about one second and then somehow died (the gpg-agent logs stop after "starting a new PIN Entry\nDBG: connection to PIN entry established") and scdaemon got an early EOF.

Then, as a big hack, I created my own pinentry which immediately injects the right PIN.
Quite a hack, as gpg-agent calls pinentry with exec() and without any possibility to pass options: two reasons to first compile a little wrapper:

#include <unistd.h>

int main(void) {
    /* gpg-agent exec()s the pinentry program directly, so this wrapper
       is what gets configured as pinentry-program; it hands over to the script. */
    execl("/bin/bash", "bash", "-c", "/home/phil/pinentry", (char *) NULL);
    return 1; /* only reached if execl() fails */
}

Which calls a bash script pinentry (no, my PIN is not 1234 ;-) ):

#!/bin/bash
# Minimal Assuan responder: greet, answer every command with OK,
# hand out the PIN on GETPIN, and stop on BYE or on EOF.
echo "OK Your orders please"
while read -r; do
    case "$REPLY" in
        GETPIN)
            echo "D 1234"
            echo "OK"
            ;;
        BYE)
            echo "OK closing connection"
            break
            ;;
        *)
            echo "OK"
            ;;
    esac
done
 
Now trying with that:
 
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
 
gpgsm[8927]: can't connect to `/home/phil/.gnupg/S.gpg-agent': Aucun fichier ou répertoire de ce type
 
gpgsm: note: non-critical certificate policy not allowed
 
gpgsm: note: non-critical certificate policy not allowed
 
gpg-agent[8928]: system trustlist `/etc/gnupg/trustlist.txt' not available
 
gpgsm: note: non-critical certificate policy not allowed
 
gpgsm: CRLs not checked due to --disable-crl-checks option
 
gpgsm: DBG: adding certificates at level 1
 
scdaemon[8929]: listening on socket `/tmp/gpg-Q38pBu/S.scdaemon'
 
scdaemon[8929]: handler for fd -1 started
 
scdaemon[8929]: reader slot 0: active protocol:
 
scdaemon[8929]: slot 0: ATR=3B 98 13 40 0A A5 03 01 01 01 AD 13 11
 
scdaemon[8929.0] DBG: -> OK GNU Privacy Guard's Smartcard server ready
 
scdaemon[8929.0] DBG: <- GETINFO socket_name
 
scdaemon[8929.0] DBG: -> D /tmp/gpg-Q38pBu/S.scdaemon
 
scdaemon[8929.0] DBG: -> OK
 
scdaemon[8929.0] DBG: <- OPTION event-signal=12
 
scdaemon[8929.0] DBG: -> OK
 
scdaemon[8929.0] DBG: <- SERIALNO
 
scdaemon[8929]: pkcs#15 application label from EF(DIR) is `BELPIC'
 
scdaemon[8929]: pkcs#15 application directory is 0xDF00
 
scdaemon[8929]: DBG: Serialnumber from EF(TokenInfo) is: 53 4C 49 4E 33 66 00 29 6C FF 25 2C 5F 19 02 18
 
scdaemon[8929]: DBG: CDF 5037: id=02 path=3F00DF005038
 
scdaemon[8929]: DBG: CDF 5037: id=03 path=3F00DF005039
 
scdaemon[8929]: DBG: CDF 5037: id=04 path=3F00DF00503A
 
scdaemon[8929]: DBG: CDF 5037: id=06 path=3F00DF00503B
 
scdaemon[8929]: DBG: PrKDF 5035: id=02 path=3F00DF00 authid=01 keyref=0x82 usage=sign
 
scdaemon[8929]: DBG: PrKDF 5035: id=03 path=3F00DF00 authid=01 keyref=0x83 usage=non_repudiation
 
scdaemon[8929]: DBG: AODF 5034: id=01 flags=initialized,needs_padding type=bcd min=4 stored=8 pad=0xffffffff pinref=0x01 path=3F00
 
scdaemon[8929.0] DBG: -> S SERIALNO 534C494E336600296CFF252C5F190218 0
 
scdaemon[8929.0] DBG: -> OK
 
gpg-agent[8928]: DBG: detected card with S/N 534C494E336600296CFF252C5F190218
 
scdaemon[8929.0] DBG: <- SETDATA 3021300906052B0E03021A050004148EC70F4DEC497B5D1FB4A77223D03D18CA366C99
 
scdaemon[8929.0] DBG: -> OK
 
scdaemon[8929.0] DBG: <- PKSIGN P15-DF00.02
 
scdaemon[8929]: DBG: asking for PIN 'PIN'
 
scdaemon[8929.0] DBG: -> INQUIRE NEEDPIN PIN
 
/home/phil/pinentry: line 17: echo: write error: Relais brisé (pipe)
 
scdaemon[8929.0] DBG: <- [ 44 20 xx xx xx xx 00 00 00 00 00 00 ...(80 bytes skipped) ]
 
scdaemon[8929.0] DBG: <- END
 
scdaemon[8929]: DBG: PIN verification succeeded
 
scdaemon[8929]: operation sign result: Succès
 
scdaemon[8929.0] DBG: -> [ 44 20 32 cf b0 a9 77 c1 c3 97 72 db ...(120 bytes skipped) ]
 
scdaemon[8929.0] DBG: -> OK
 
 
gpgsm: signature created
 
gpgsm: signature created
  +
I was prompted for my PIN during the process.
scdaemon[8929.0] DBG: <- RESTART
 
scdaemon[8929.0] DBG: -> OK
 
scdaemon[8929.0] DBG: <- [EOF]
 
scdaemon[8929]: updating status of slot 0 to 0x0007
 
scdaemon[8929]: client pid is 8928, sending signal 12
 
scdaemon[8929]: handler for fd -1 terminated
 
scdaemon[8929]: scdaemon (GnuPG) 2.0.8 stopped
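The exchange gpg-agent has with a pinentry is a plain Assuan dialogue on stdin/stdout: greeting, a series of set-up commands each answered with OK, GETPIN answered with a data line and OK, and BYE. The following is an added example in Python (not the page's bash script and not GnuPG code) that implements the same responder but can also be driven from a list of command lines, so the exchange can be checked offline; it stops on EOF, which the page's original loop did not, hence the "echo: write error: Broken pipe" in the log above. The fixed PIN is a demonstration assumption: a stub like this hands the PIN to every process that can reach your gpg-agent, so it is a debugging aid only and must never stay configured.

```python
"""A minimal pinentry: the Assuan server gpg-agent exec()s to obtain a PIN.
Added example (not the wiki page's script, not GnuPG code). The fixed PIN is
a demonstration assumption; anything that can talk to your gpg-agent can then
sign as you, so use such a stub only while debugging."""
import sys

DEMO_PIN = "1234"  # constructed value for the demo, not a real PIN


def assuan_unescape(s):
    """Command arguments arrive percent-escaped (%25, %0A, %0D ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and i + 3 <= len(s):
            try:
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
                continue
            except ValueError:
                pass  # not a valid escape: keep the '%' literally
        out.append(s[i])
        i += 1
    return "".join(out)


class Pinentry:
    """Handles the command subset that appears in the logs on this page."""

    def __init__(self, pin):
        self.pin = pin
        self.desc = None
        self.prompt = None
        self.closed = False

    def handle(self, line):
        """Return the response lines for one command line.
        Data is returned as 'D ...' lines, followed by the status line 'OK'."""
        cmd, _, arg = line.rstrip("\r\n").partition(" ")
        if cmd == "GETPIN":
            return ["D " + self.pin, "OK"]
        if cmd == "SETDESC":
            self.desc = assuan_unescape(arg)
        elif cmd == "SETPROMPT":
            self.prompt = assuan_unescape(arg)
        elif cmd == "BYE":
            self.closed = True
            return ["OK closing connection"]
        # OPTION, SETTITLE, SETOK, SETCANCEL, SETERROR, RESET ... carry no data:
        # acknowledging them is all gpg-agent needs, exactly as the bash hack did.
        return ["OK"]


def serve(commands, pin=DEMO_PIN):
    """Drive the exchange from a list of command lines and return every line
    written back. Ends on BYE or when the commands run out (EOF)."""
    pe = Pinentry(pin)
    out = ["OK Your orders please"]  # greeting, same text as the bash version
    for line in commands:
        out.extend(pe.handle(line))
        if pe.closed:
            break
    return out


if __name__ == "__main__":
    # Real use: gpg-agent talks over our stdin/stdout. Flush after every
    # answer, or gpg-agent waits for a reply that sits in our buffer.
    pe = Pinentry(DEMO_PIN)
    sys.stdout.write("OK Your orders please\n")
    sys.stdout.flush()
    for line in sys.stdin:
        sys.stdout.write("\n".join(pe.handle(line)) + "\n")
        sys.stdout.flush()
        if pe.closed:
            break
```

To try it interactively, run the script and type `GETPIN` then `BYE`; to use it with gpg-agent point `pinentry-program` in gpg-agent.conf at it (the script must be executable), and remove that line again as soon as the debugging is done.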
 
   
 
And trying to verify, with CRLs:

$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
gpgsm[8993]: can't connect to `/home/phil/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[8995]: system trustlist `/etc/gnupg/trustlist.txt' not available
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]:     runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificate revoked
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificate revoked

And without CRLs:

$ gpgsm --disable-crl-checks --verify --output mails.txt mails.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
gpgsm[8987]: can't connect to `/home/phil/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[8988]: system trustlist `/etc/gnupg/trustlist.txt' not available
gpgsm: note: non-critical certificate policy not allowed
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...


Revision as of 23:56, 6 February 2008

Belgian eID is part of the Belgian government's eGov efforts.

Officials

Usage & Software

Articles

Misc

My attempts under Linux

I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€

Installing beidgui and dependencies:

apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd 
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable

apt-get install -t unstable beidgui beid-tools

Exploring

pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2

Firefox security module

To add the security module to Firefox:

apt-get install libbeid2-dev libbeidlibopensc2-dev

Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?

Error establishing an encrypted connection to... Error Code: -12222.

Thunderbird security module

To add the security module to Thunderbird:

apt-get install libbeid2-dev libbeidlibopensc2-dev

Menu preferences->advanced->certificates->security devices->load

Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certificate

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
According to the screenshots in the official eID guide for Outlook, that is expected: the Authentication certificate is the one to use.

Signing text with pkcs15-crypt

From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:

fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:

openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:

pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
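What pkcs15-crypt --pkcs1 --sha-1 produces, and what openssl dgst -sha1 -verify checks, is a PKCS#1 v1.5 signature over a DER DigestInfo; the SETDATA value gpgsm hands to the card in the scdaemon log above (3021300906052B0E03021A05000414 followed by 20 hash bytes) is exactly that DigestInfo for SHA-1. The following is an added example (not code from this page, from OpenSC or from OpenSSL) that builds and parses the DigestInfo, applies the EMSA-PKCS1-v1_5 padding, and signs and verifies the way the card and openssl do; it also covers SHA-256, which the page does not use. The RSA key is generated in-process from a fixed seed and is a toy 512-bit demonstration key, nothing more. Keep in mind that openssl dgst -verify checks only the mathematics: it says nothing about whether the signing certificate is valid or revoked, which is what gpgsm's CRL check in the next section adds.

```python
"""PKCS#1 v1.5 (RFC 8017) signing as done by `pkcs15-crypt --pkcs1 --sha-1`
and checked by `openssl dgst -sha1 -verify`. Added example, not code from the
wiki page, OpenSC or OpenSSL. The RSA key is generated in-process from a fixed
seed purely for demonstration (assumption: a 512-bit toy key)."""
import hashlib
import random

# DER DigestInfo prefixes (RFC 8017 section 9.2, note 1): the hash OID and
# the OCTET STRING header; the hash value is appended to them.
DIGESTINFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
DIGEST_LEN = {"sha1": 20, "sha256": 32}

# The value gpgsm sent to the card with SETDATA in the scdaemon log on this page.
SETDATA_FROM_LOG = bytes.fromhex(
    "3021300906052B0E03021A050004148EC70F4DEC497B5D1FB4A77223D03D18CA366C99")


def digest_info(alg, digest):
    return DIGESTINFO_PREFIX[alg] + digest


def parse_digest_info(blob):
    """Split a DigestInfo into (hash name, hash value)."""
    for alg, prefix in DIGESTINFO_PREFIX.items():
        if blob.startswith(prefix) and len(blob) == len(prefix) + DIGEST_LEN[alg]:
            return alg, blob[len(prefix):]
    raise ValueError("not a recognised DigestInfo")


def emsa_pkcs1_v15(t, k):
    """EM = 0x00 || 0x01 || PS (at least 8 bytes of 0xff) || 0x00 || T, k bytes long."""
    if k < len(t) + 11:
        raise ValueError("key too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin: fine for a demo key, not a substitute for a real generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def toy_rsa_keypair(bits=512, seed=2008):
    """Deterministic demo key: returns ((n, e), (n, d))."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return (n, e), (n, pow(e, -1, phi))


def sign(priv, alg, data):
    """What the card does after SETDATA/PKSIGN: pad the DigestInfo, then RSA."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(digest_info(alg, hashlib.new(alg, data).digest()), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def verify(pub, alg, data, sig):
    """What `openssl dgst -verify` does: recover EM and compare the whole padded
    block (parsing it leniently instead is the classic forgery mistake)."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(digest_info(alg, hashlib.new(alg, data).digest()), k)


if __name__ == "__main__":
    print(parse_digest_info(SETDATA_FROM_LOG))
    pub, priv = toy_rsa_keypair()
    msg = b"fortune output goes here\n"  # constructed stand-in for data.txt
    print(verify(pub, "sha1", msg, sign(priv, "sha1", msg)))
```

Feed it the SETDATA hex from your own scdaemon log to confirm which hash gpgsm chose; to check a real card signature, `openssl dgst -verify` on the certificate's public key remains the right tool, this block only shows what that check computes.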

GpgSM

GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt
~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted
~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
  GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
  export GPG_AGENT_INFO
else
  eval `gpg-agent --daemon`
  echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi
~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none
~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:

$ gpgsm --learn-card

Actually I had to run it several times: the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behaviour is not really reproducible, so you have to run it until you have the 4 certificates:

$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
     Subject: /CN=Belgium Root CA/C=BE
[...] 
     Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...] 
     Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...] 
     Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...

To sign something:

$ gpgsm --sign mail.txt

Then I get prompted to trust the Belgium CA and gpgsm fails with "error creating signature: Certificate revoked <GpgSM>", which is normal.
While trusting the Belgium CA, it automatically created a .gnupg/trustlist.txt with

# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:

$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created

I was prompted for my PIN during the process.

And trying to verify, with CRLs:

$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': No such file or directory
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]:     runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificate revoked
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificate revoked

And without CRLs:

$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

SSH

Inspired by http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1.
Some rejects were easy to solve from v4.2 to v4.7, plus one less obvious change in debian/control: fix the debconf dependencies (it was ${debconf:Depends}, I think):

Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...


I recompile ssh with smartcard support.

apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot

Sending my public key to the ssh server:

pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'

Then logging in, being prompted for my PIN:

ssh -I 0 user@host.com

TODO: SSL Auth

http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:

engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so

Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.

req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"

Adjust the days, out and subj parameters, at least. The key ID can be found using

pkcs15-tool -c

Use the ID of the Authentication X509 certificate.


TODO: OpenVPN Auth

http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_rc4 doesn't yet support --show-pkcs11-ids

TODO: Login

I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards but with the eID.

apt-get install libpam-p11

See file:///usr/share/doc/libpam-p11/QuickStart.html

openssh way:
Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
Edit /etc/pam.d/login and add, before "@include common-auth", something like:

auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so

/var/log/auth.log says: no certificates found, or with

auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so

/var/log/auth.log says: fatal: pkcs11_sign failed
before I was even prompted for my PIN.

opensc way: same results

auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so

preparing the account:

mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

TODO: Apache SSL Reverse Proxy

cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html