Belgian eID
Belgian eID is part of the efforts of the government for Belgian eGov
Officials
- Official eID portal
- Certificates
- eID services
- Revocation lists and OCSP server
- Circulaires (fr), found under eID Home / Villes et communes / Quoi / Circulaires
e.g.
3) FORM FOR RENOUNCING THE CERTIFICATES OF THE ELECTRONIC IDENTITY CARD AT THE TIME OF THE CARD APPLICATION
10) MODEL ATTESTATION OF ACTIVATION OR REVOCATION OF THE CERTIFICATES AFTER ACTIVATION OF THE CARD
11) MODEL ATTESTATION OF SUSPENSION AND REACTIVATION OF THE CERTIFICATES
Usage & Software
- Middleware & developer's kit
- eID configuration toolkit by Novell
- Danny De Cock's page on eID (same as http://www.godot.be)
- short intro
- how to use the eID card within your .NET apps
Articles
Misc
- http://www.foo.be/eID/ : official data, spec sheets, etc.
Why I revoked my certificates
Short answer:
Because at that time I knew too little about the details of the eID architecture and too much about how a new security architecture can have flaws, so it was better to stay away for a while, especially given the legal implications that the eID can bring.
How I did it
It was quite epic.
I was still a bit prepared, hopefully, so I had printed Annexes 3 & 10, the legal forms to ask either to renounce the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil officers :-)
I printed both as for me it was not clear from the User Manual how to renounce the certificates.
to be continued
What I think today? to be continued
My attempts under Linux
I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€
Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> pulls in libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian
The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools
Exploring
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
Firefox security module
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service
Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"
If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN; is it because my certificates are revoked?
Error establishing an encrypted connection to... Error Code: -12222.
Thunderbird security module
To add the security module to Thunderbird:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"
Try to sign a first mail:
Menu S/MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC authentication certificate
I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
According to the screenshots of the official eID guide for Outlook, that's fine: the Authentication certificate must be used.
Signing text with pkcs15-crypt
Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt
Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt
I tried to do the same with the signature certificate instead of the authentication certificate, but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
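What the signing and verification commands above actually compute, as an added stand-alone example (not code from the original page, and not how the card itself is driven): the SHA-1 digest is wrapped in a PKCS#1 v1.5 DigestInfo block, the card applies raw RSA to it, and `openssl dgst -verify` only undoes that with the public key. The key pair here is a constructed throwaway one generated at runtime, since the eID private key never leaves the card; the point to notice is that this verification path never looks at the certificate's validity or revocation status.

```python
import hashlib
import random

# DER DigestInfo prefix for SHA-1 (RFC 3447 section 9.2): the framing that
# "pkcs15-crypt --pkcs1 --sha-1" adds before the card performs raw RSA.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v15(digest, k):
    # 00 01 FF..FF 00 DigestInfo, padded out to the modulus length k
    t = SHA1_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too short for PKCS#1 v1.5 padding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def is_probable_prime(n, rounds=40):
    # Miller-Rabin, sufficient for a throwaway demo key
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def gen_rsa(bits=512, e=65537):
    # Constructed throwaway key pair (n, e, d); the real eID key never leaves the card
    while True:
        p, q = (random.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1 for _ in "pq")
        if p != q and is_probable_prime(p) and is_probable_prime(q) and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign_sha1_pkcs1(data, n, d):
    # Equivalent of: openssl sha1 -binary, then pkcs15-crypt --sign --pkcs1 --sha-1
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(hashlib.sha1(data).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify_sha1_pkcs1(data, sig, n, e):
    # Equivalent of: openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig
    # Only the public key is used: the certificate's revocation status is never consulted
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(hashlib.sha1(data).digest(), k)
```

Checking revocation, as gpgsm does below with CRLs enabled, is a separate step on top of this raw check.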
GpgSM
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html
apt-get install gpgsm dirmngr gnupg-agent pinentry-qt
~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted
~/.bash_profile (appending this):
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
    GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
    export GPG_AGENT_INFO
else
    eval `gpg-agent --daemon`
    echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi
~/.gnupg/scdaemon.conf (we disable internal CCID support as only libccid more or less supports my crappy reader):
disable-ccid
debug-level none
~/.gnupg/gpgsm.conf:
debug-level none
Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times: the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproducible, so you have to run it until you have the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign something:
$ gpgsm --sign mail.txt
Then I get prompted to trust the Belgium CA and gpgsm fails with "error creating signature: Certificat révoqué <GpgSM>", normal.
While trusting the Belgium CA, it automatically created a .gnupg/trustlist.txt with:
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S
Ok, let's try again without the CRL check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.
And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
SSH
Inspired by http://simi.be/?page_id=9
Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
Some rejects were easy to solve going from v4.2 to v4.7, plus one less obvious change in debian/control: fix the debconf dependencies (it was ${debconf:Depends}, I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
Then I recompile ssh with smartcard support:
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging in, being prompted for my PIN:
ssh -I 0 user@host.com
TODO: SSL Auth
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic
apt-get install libengine-pkcs11-openssl
To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.
TODO: OpenVPN Auth
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't yet support --show-pkcs11-ids
TODO: Login
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
Bad side: it conflicts with xlockmore :-(
openssh way:
Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
Edit /etc/pam.d/login and add, before "@include common-auth", something like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log says: no certificates found, or with
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log says: fatal: pkcs11_sign failed
before I was even prompted for my PIN
opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates
So I still couldn't find a way.
TODO: Apache SSL Reverse Proxy
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
TODO: OpenPGP & X.509
An old dream is to sign an OpenPGP key with the eID, but even if it is technically possible, it probably breaks the validation chain, as what the Citizen CA signed was the entire certificate, not just the key/uid.
Something to check: OpenPGP Signatures Incorporating X.509 Certificates