Difference between revisions of "OpenID-eID"
Revision as of 01:02, 21 February 2008
Here are my attempts to create an OpenID provider based on the Belgian eID
Install packages
Let's get apache2, php5 and openssl stuff:
apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert
Setup apache server with SSL
Create self-signed certificate
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Little problem: by default the certificate is valid for only 30 days; you have to edit the make-ssl-cert script and add the "-days" option, e.g.:
openssl req -days 1024 ...
Verify generated certificate
openssl x509 -text -in /etc/apache2/ssl/apache.pem
Start from ssl example config
zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  > /etc/apache2/sites-available/default-ssl
Activate the ssl module:
a2enmod ssl
Activate the ssl virtualhost:
a2ensite default-ssl
Edit /etc/apache2/sites-available/default-ssl
SSLCertificateFile /etc/apache2/ssl/apache.pem
# SSLCertificateKeyFile not required as apache.pem also contains the key
And the usual stuff:
DocumentRoot "/var/www"
ServerName ...
ServerAdmin ...
ErrorLog /var/log/apache2/error.log
TransferLog /var/log/apache2/access.log
To activate only the secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1
Adding Belgian Government Root certificates
You can extract the Belgium Root CA and the Citizen CA from your eID:
pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt
Then add the client certificate requirements to /etc/apache2/sites-available/default-ssl:
SSLCACertificateFile /etc/apache2/ssl/ca/belgium.crt
SSLOptions +StrictRequire
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
    # accept only certificates emitted by Citizen CA:
    SSLRequire %{SSL_CLIENT_I_DN_C} eq "BE" \
           and %{SSL_CLIENT_I_DN_CN} in {"Citizen CA"}
</Location>
According to the doc, because of a bug in Internet Explorer, you also need to add the GlobalSign Root certificate...
Retrieving citizens' certificate information
The user's distinguished name can be retrieved from PHP with
$_SERVER['SSL_CLIENT_S_DN']
And the user's name with
$_SERVER['SSL_CLIENT_S_DN_CN']
TODO: cf apache SSL reverse proxy proposed by the government
Add to /etc/apache2/sites-available/default-ssl:
SSLUseOCSP on
SSLForceValidation on
Enable ssl_error_module:
LoadModule ssl_error_module modules/mod_ssl_error.so
And add to /etc/apache2/sites-available/default-ssl:
<IfModule mod_ssl_error.c>
    SSL_Error_DefaultURL "/error/invalid.html"
    SSL_Error_URL 23 "/error/revoked.html"
    SSL_Error_URL 10 "/error/expired.html"
</IfModule>
cf doc...
Hacking phpMyID
Details on the patch
- remove HTTP Digest for the authorization step
- redirect authorization to HTTPS as we'll deal with SSL client certificates
- TODO
Status:
- I could validate the client certificate against the root CA and I could extract the data of the certificate
- I could create various OpenIDs based on the certificate data
Everything is extracted only from the names and RRN, not from the serial number of the certificate or any part prone to change if you have to renew your ID card! (unless they change the way they write your name on the certificate...)
- I added a discover mode which tells you what your OpenIDs are given your own eID, you can try it here:
http://id.yobi.be/index.php?openid.mode=discover
Note that the proposed OpenIDs are not yet working but you can try them manually, e.g. for mine:
http://id.yobi.be/?openid.mode=login&id=ae96fba0cd9515cd
http://id.yobi.be/?openid.mode=login&id=philippe.teuwen.159
http://id.yobi.be/?openid.mode=login&id=philippe.yvon.teuwen
The Estonian counterpart (https://openid.ee/about/english) plans to provide simply firstname.lastname and to build an index in case of clashes.
But this requires a stateful server and I don't want that: I want anybody to be able to build his own service, and the generated OpenIDs will always be the same, depending only on the certificate data, not on "who came first".
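As an added example (not code from this page or from phpMyID), here is the derivation sketched above, written in Python as a stand-in for the PHP logic: it takes the mod_ssl variables Apache exports to $_SERVER, re-checks the Citizen CA issuer in application code, and derives identifiers from the names and RRN only, so a renewed card gives the same result. The subject DN layout (SN, GN, serialNumber), the exact identifier forms and all sample values are assumptions, not the author's actual scheme.

```python
import hashlib
import re
import unicodedata

# Constructed mod_ssl variables shaped like the $_SERVER entries Apache 2.2
# exports for an eID authentication certificate; the DN layout (SN=surname,
# GN=given names, serialNumber=RRN) and all values are assumptions.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_M_SERIAL": "1000000000000001",  # changes on card renewal
    "SSL_CLIENT_I_DN_C": "BE",
    "SSL_CLIENT_I_DN_CN": "Citizen CA",
    "SSL_CLIENT_S_DN": "/C=BE/CN=Jan Peeters (Authentication)"
                       "/SN=Peeters/GN=Jan Pieter/serialNumber=71020100123",
}

def parse_dn(dn):
    """Split Apache 2.2's slash-separated DN string into a dict of RDNs."""
    rdns = {}
    for part in dn.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if sep:
            rdns[key] = value
    return rdns

def issuer_ok(env):
    """Re-check in application code what the SSLRequire rule enforces."""
    return (env.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and env.get("SSL_CLIENT_I_DN_C") == "BE"
            and env.get("SSL_CLIENT_I_DN_CN") == "Citizen CA")

def slug(text):
    """Lower-case ASCII words joined by dots: 'Jan Pieter' -> 'jan.pieter'."""
    plain = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return ".".join(w for w in re.split(r"[^a-z0-9]+", plain.lower()) if w)

def openids(env):
    """Stateless identifiers from names and RRN only, never from the
    certificate serial, so a renewed card yields the same OpenIDs."""
    if not issuer_ok(env):
        raise ValueError("client certificate not issued by Citizen CA")
    subj = parse_dn(env["SSL_CLIENT_S_DN"])
    rrn = subj["serialNumber"]
    # A bare digest of the RRN is deterministic but low-entropy (the page's
    # open question), so it hides the RRN only from casual lookup.
    digest = hashlib.sha256(rrn.encode()).hexdigest()[:16]
    return {"short": f"{slug(subj['GN'].split()[0])}.{slug(subj['SN'])}",
            "full": f"{slug(subj['GN'])}.{slug(subj['SN'])}",
            "digest": digest}
```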
Todo:
- Find a way to incorporate the id in the OpenID string and to extract it
- Maybe we'll need to fix the links embedded in the openid server & delegate
- Test it with http://www.openidenabled.com/resources/openid-test/checkup
- CRL & cf TODO patches above
- Security: given the name and hash can we guess the RRN?