Difference between revisions of "OpenID-eID"

From YobiWiki
Line 74:
 
* remove HTTP Digest for the authorization step
* redirect authorization to HTTPS as we'll deal with SSL client certificates
+ * TODO
+ 
+ Status:
+ http://id.yobi.be/?openid.mode=login&id=ae96fba0cd9515cd
+ This identifies me properly with my card as well as
+ http://id.yobi.be/?openid.mode=login&id=philippe.teuwen
+ 
+ Todo:
+ * Find a way to incorporate the id in the OpenID string and to extract it
+ * Maybe we'll need to fix the links embedded in the openid server & delegate
+ * Test it with http://www.openidenabled.com/resources/openid-test/checkup
+ * CRL & cf TODO patches above

Revision as of 01:44, 20 February 2008

Here are my attempts to create an OpenID provider based on the Belgian eID.

Install packages

Let's get apache2, php5 and openssl stuff:

apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert

Setup apache server with SSL

Create self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Small problem: by default the certificate is valid for only 30 days; you have to edit the make-ssl-cert script and add the "-days" option, e.g.:

openssl req -days 1024 ...

Verify generated certificate

openssl x509 -text -in /etc/apache2/ssl/apache.pem

Start from ssl example config

zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  > /etc/apache2/sites-available/default-ssl

Activate the ssl module

a2enmod ssl

Activate the ssl virtualhost

a2ensite default-ssl

Edit /etc/apache2/sites-available/default-ssl

SSLCertificateFile /etc/apache2/ssl/apache.pem
#SSLCertificateKeyFile not required as apache.pem contains also the key

And the usual stuff

DocumentRoot "/var/www"
ServerName ...
ServerAdmin ...
ErrorLog /var/log/apache2/error.log
TransferLog /var/log/apache2/access.log

To activate only the secure ciphers:

SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1

Adding Belgian Government Root certificates

You can extract the Belgium Root CA and the Citizen CA from your eID:

pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt

Then add client certificate requirements to /etc/apache2/sites-available/default-ssl

SSLCACertificateFile /etc/apache2/ssl/ca/belgium.crt
SSLOptions +StrictRequire
SSLVerifyClient require
SSLVerifyDepth  10
<Location />
 # accept only certificates issued by the Citizen CA:
 SSLRequire %{SSL_CLIENT_I_DN_C} eq "BE" \
   and %{SSL_CLIENT_I_DN_CN} in {"Citizen CA"}
</Location>

According to the doc, because of a bug in Internet Explorer, you also need to add GlobalSign Root certificate...

Retrieving citizens' certificate information

The user's distinguished name can be retrieved from PHP with

$_SERVER['SSL_CLIENT_S_DN']

And the user's name with

$_SERVER['SSL_CLIENT_S_DN_CN']
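As an added example (not code from this page or from phpMyID), here is a PHP function that does not rely on the SSLRequire in the vhost alone: it checks mod_ssl's SSL_CLIENT_VERIFY verdict, repeats the issuer policy, refuses the eID signature certificate (which is issued by the same Citizen CA, so an issuer check on its own accepts it), and derives a local OpenID identifier from the subject DN. The DN layout of the constructed samples and the id derivation (sha1 of the subject DN cut to 16 hex characters) are assumptions; the page does not say how its own id values are built.

```php
<?php
// Added example, not code from the page or from phpMyID. It re-checks in PHP
// what the vhost (SSLVerifyClient require + SSLRequire on the issuer) is
// supposed to have enforced, rejects the eID signature certificate, and
// derives an OpenID local identifier from the subject DN. The DN layout used
// below and the id derivation (sha1 of the subject DN, cut to 16 hex chars)
// are assumptions; the page does not say how its own id values are built.

/**
 * Parse a mod_ssl DN string such as "/C=BE/CN=Jane Doe (Authentication)/SN=Doe"
 * into an attribute => value array. A repeated attribute keeps its last value.
 */
function eid_parse_dn($dn) {
    $attrs = array();
    foreach (explode('/', $dn) as $part) {
        $kv = explode('=', $part, 2);
        if (count($kv) === 2 && $kv[0] !== '') {
            $attrs[$kv[0]] = $kv[1];
        }
    }
    return $attrs;
}

/**
 * Return array('cn' => ..., 'id' => ...) for an acceptable eID login, or null.
 * $server is normally $_SERVER; taking it as a parameter keeps this testable.
 */
function eid_identity(array $server) {
    // mod_ssl's own verdict on the chain: anything but SUCCESS (NONE when no
    // certificate was sent, FAILED:... when it did not verify) is refused.
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return null;
    }

    // Same issuer policy as the SSLRequire in the vhost, repeated here so that a
    // misconfigured <Location> does not silently widen who may log in.
    $issuer = eid_parse_dn(isset($server['SSL_CLIENT_I_DN']) ? $server['SSL_CLIENT_I_DN'] : '');
    if (!isset($issuer['C'], $issuer['CN']) || $issuer['C'] !== 'BE' || $issuer['CN'] !== 'Citizen CA') {
        return null;
    }

    // The card holds two Citizen CA certificates. Only the one whose CN ends in
    // "(Authentication)" is meant for logging in; the "(Signature)" one passes
    // the issuer check above just as well and is refused here.
    $subject = eid_parse_dn(isset($server['SSL_CLIENT_S_DN']) ? $server['SSL_CLIENT_S_DN'] : '');
    if (!isset($subject['CN']) || !preg_match('/ \(Authentication\)$/', $subject['CN'])) {
        return null;
    }

    // Stable local identifier for the OpenID URL (assumed scheme, see above).
    $id = substr(sha1($server['SSL_CLIENT_S_DN']), 0, 16);
    return array('cn' => $subject['CN'], 'id' => $id);
}

// Constructed samples of what Apache exports for an accepted login and for a
// login attempted with the signature certificate of the same card.
$ok = array(
    'SSL_CLIENT_VERIFY' => 'SUCCESS',
    'SSL_CLIENT_I_DN'   => '/C=BE/CN=Citizen CA',
    'SSL_CLIENT_S_DN'   => '/C=BE/CN=Jane Doe (Authentication)/SN=Doe/GN=Jane',
);
$sig = $ok;
$sig['SSL_CLIENT_S_DN'] = '/C=BE/CN=Jane Doe (Signature)/SN=Doe/GN=Jane';

// The first call yields the cn and a 16-hex-char id, the second yields null.
var_dump(eid_identity($ok));
var_dump(eid_identity($sig));
```

In the real page the result of eid_identity($_SERVER) is what gets handed to the OpenID layer; a null return should end in a 403 rather than a fallback to any other login method.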

TODO: cf apache SSL reverse proxy proposed by the government

Add to /etc/apache2/sites-available/default-ssl:

SSLUseOCSP         on
SSLForceValidation on

Enable ssl_error_module:

LoadModule ssl_error_module modules/mod_ssl_error.so

And add to /etc/apache2/sites-available/default-ssl:

<IfModule mod_ssl_error.c>
SSL_Error_DefaultURL "/error/invalid.html"
SSL_Error_URL  23   "/error/revoked.html"
SSL_Error_URL  10   "/error/expired.html"
</IfModule>

cf doc...

Hacking phpMyID

Details on the patch

  • remove HTTP Digest for the authorization step
  • redirect authorization to HTTPS as we'll deal with SSL client certificates
  • TODO

Status:

http://id.yobi.be/?openid.mode=login&id=ae96fba0cd9515cd

This identifies me properly with my card as well as

http://id.yobi.be/?openid.mode=login&id=philippe.teuwen

Todo: