Belgian eID
Belgian eID is part of the efforts of the government for Belgian eGov
Officials
Usage & Software
- Middleware & developer's kit
- eID configuration toolkit by Novell
- Danny De Cock's page on eID (same as http://www.godot.be)
- short intro
- how to use the eID card within your .NET apps
Articles
Misc
My attempts under Linux
I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€
Installing beidgui and dependencies:
apt-get install beidgui => libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd less /usr/share/doc/libbeidlibopensc2/README.Debian
The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
Exploring
pkcs15-tool --dump pkcs15-tool --read-certificate 02 > my_auth.crt pkcs15-tool --read-certificate 03 > my_sign.crt pkcs15-tool --read-certificate 04 > belgium.crt pkcs15-tool --read-certificate 06 >> belgium.crt openssl x509 -in my_auth.crt -text pkcs15-tool --read-ssh-key 2
Firefox security module
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service
Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"
If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?
SSH
Inspired from http://simi.be/?page_id=9
Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc Architecture: any Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
I recompile ssh with smartcard support.
apt-get source openssh-client cd openssh-4.7p1 patch -p1 < ../mypatch dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
TODO: SSL Auth
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic
apt-get install libengine-pkcs11-openssl
To generate a request, open a console and launch openssh. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.
TODO: OpenVPN Auth
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
TODO: Login
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards but with the eID.
apt-get install libpam-p11 th.*required.*pam_env.so/auth sufficient pam_opensc.so\nauth required pam_env.so/' /etc/pam.d/login