Difference between revisions of "OpenID-eID"

From YobiWiki
Jump to navigation Jump to search
Line 28: Line 28:
 
pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
 
pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
 
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt
 
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt
  +
Then add client certificate requirements to /etc/apache2/sites-available/default-ssl
 
  +
SSLCACertificateFile /etc/apache2/ssl/ca/belgium.crt
Details on apache2 config...
 
  +
SSLVerifyClient require
* requires client certificate
 
  +
SSLVerifyDepth 2
   
 
===TODO: cf [http://www.belgium.be/zip/eid_authentication_proxy_fr.html apache SSL reverse proxy] proposed by the government===
 
===TODO: cf [http://www.belgium.be/zip/eid_authentication_proxy_fr.html apache SSL reverse proxy] proposed by the government===

Revision as of 21:55, 19 February 2008

Here are my attempts to create an OpenID provider based on the Belgian eID

Install packages

Let's get apache2, php5 and openssl stuff:

apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert

Setup apache server with SSL

Create self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g:

openssl req -days 1024 ...

Verify generated certificate

openssl x509 -text -in /etc/apache2/ssl/apache.pem

Start from ssl example config

zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  > /etc/apache2/sites-available/default-ssl

Activates ssl module

a2enmod ssl

Activates ssl virtualhost

a2ensite default-ssl

Edit /etc/apache2/sites-available/default-ssl

...

To activate only the secure ciphers, edit /etc/apache2/mods-available/ssl.conf and uncomment those lines:

SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1

Adding Belgian Government Root certificates

You can extract the Belgium Root CA and the Citizen CA from your eID:

pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt

Then add client certificate requirements to /etc/apache2/sites-available/default-ssl

SSLCACertificateFile /etc/apache2/ssl/ca/belgium.crt
SSLVerifyClient require
SSLVerifyDepth  2

TODO: cf apache SSL reverse proxy proposed by the government

Hacking phpMyID

Details on the patch

  • remove HTTP Digest for the authorization step
  • redirect authorization to HTTPS as we'll deal with SSL client certificates