Belgian eID
Belgian eID is part of the efforts of the government for Belgian eGov
Officials
Usage & Software
- Middleware & developer's kit
- eID configuration toolkit by Novell
- Danny De Cock's page on eID (same as http://www.godot.be)
- short intro
- how to use the eID card within your .NET apps
Articles
Misc
My attempts under Linux
I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€
Installing beidgui and dependencies:
apt-get install beidgui => libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd less /usr/share/doc/libbeidlibopensc2/README.Debian
The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
Exploring
pkcs15-tool --dump pkcs15-tool --read-certificate 02 > my_auth.crt pkcs15-tool --read-certificate 03 > my_sign.crt pkcs15-tool --read-certificate 04 > belgium.crt pkcs15-tool --read-certificate 06 >> belgium.crt openssl x509 -in my_auth.crt -text pkcs15-tool --read-ssh-key 2
Firefox security module
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service
Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"
If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?
Thunderbird security module
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11 Module filename: /usr/lib/libbeidpkcs11.so
Try to sign a first mail:
Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC sign certif
I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate...
SSH
Inspired from http://simi.be/?page_id=9
Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc Architecture: any Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
I recompile ssh with smartcard support.
apt-get source openssh-client cd openssh-4.7p1 patch -p1 < ../mypatch dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
TODO: SSL Auth
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic
apt-get install libengine-pkcs11-openssl
To generate a request, open a console and launch openssh. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.
TODO: OpenVPN Auth
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
TODO: Login
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
openssh way:
Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
before I was even prompted for my PIN
opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid chmod 0755 ~/.eid pkcs15-tool -r 2 > ~/.eid/authorized_certificates chmod 0644 ~/.eid/authorized_certificates
So I still couldn't find a way.
Signing text
Signing text and extracting the public certificate:
fortune > data.txt openssl sha1 -binary data.txt > data.sha1 pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig pkcs15-tool --read-certificate 02 > my_auth.crt
Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt
I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig [pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported [pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported Compute signature failed: Not supported