Difference between revisions of "OpenID-eID"

Here are my attempts to create an OpenID provider based on the Belgian eID

Install packages

Let's get apache2, php5 and openssl stuff:

apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert

Setup apache server with SSL

Create self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g:

openssl req -days 1024 ...

Verify generated certificate

openssl x509 -text -in /etc/apache2/ssl/apache.pem

Start from ssl example config

zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  > /etc/apache2/sites-available/default-ssl

Activates ssl module

a2enmod ssl

Activates ssl virtualhost

a2ensite default-ssl

Edit /etc/apache2/sites-available/default-ssl

...

To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:

SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1

Adding Belgian Government Root certificates

You can extract the Belgium Root CA and the Citizen CA from your eID:

pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt

Details on apache2 config...

• requires client certificate

TODO: cf apache SSL reverse proxy proposed by the government

• OCSP support for mod_ssl
• Certificate validation problems trapping

Hacking phpMyID

Details on the patch

• remove HTTP Digest for the authorization step
• redirect authorization to HTTPS as we'll deal with SSL client certificates