OpenID-eID

From YobiWiki
Jump to navigation Jump to search

Here are my attempts to create an OpenID provider based on the Belgian eID

Install packages

Let's get apache2, php5 and openssl stuff:

apt-get install apache2-utils apache2-mpm-prefork libapache2-mod-php5 php5 openssl ssl-cert

Setup apache server with SSL

Create self-signed certificate

make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Little problem: by default the certificate is valid only 30 days, you've to edit make-ssl-cert script and add "-days" options, e.g:

openssl req -days 1024 ...

Verify generated certificate

openssl x509 -text -in /etc/apache2/ssl/apache.pem

Start from ssl example config

zcat /usr/share/doc/apache2.2-common/examples/apache2/extra/httpd-ssl.conf.gz \
  > /etc/apache2/sites-available/default-ssl

Activates ssl module

a2enmod ssl

Activates ssl virtualhost

a2ensite default-ssl

Edit /etc/apache2/sites-available/default-ssl

SSLCertificateFile /etc/apache2/ssl/apache.pem
#SSLCertificateKeyFile not required as apache.pem contains also the key

And the usual stuff

DocumentRoot "/var/www"
ServerName ...
ServerAdmin ...
ErrorLog /var/log/apache2/error.log
TransferLog /var/log/apache2/access.log

To activate only the secure ciphers:

SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol -ALL +SSLv3 +TLSv1

Adding Belgian Government Root certificates

You can extract the Belgium Root CA and the Citizen CA from your eID:

pkcs15-tool --read-certificate 04 > /etc/apache2/ssl/ca/belgium.crt
pkcs15-tool --read-certificate 06 >> /etc/apache2/ssl/ca/belgium.crt

Then add client certificate requirements to /etc/apache2/sites-available/default-ssl

SSLCACertificateFile /etc/apache2/ssl/ca/belgium.crt
SSLOptions +StrictRequire
SSLVerifyClient require
SSLVerifyDepth  10
<Location />
 # accept only certificates emitted by Citizen CA:
 SSLRequire %{SSL_CLIENT_I_DN_C} eq "BE" \
   and %{SSL_CLIENT_I_DN_CN} in {"Citizen CA"}
</Location>

According to the doc, because of a bug in Internet Explorer, you also need to add GlobalSign Root certificate...

Retrieving citizens' certificate information

The user's distinguish name can be retrieved from php with

$_SERVER['SSL_CLIENT_S_DN']

And the user's name with

$_SERVER['SSL_CLIENT_S_DN_CN']

TODO: cf apache SSL reverse proxy proposed by the government

Add to /etc/apache2/sites-available/default-ssl:

SSLUseOCSP         on
SSLForceValidation on

Enable ssl_error_module:

LoadModule ssl_error_module modules/mod_ssl_error.so

And add to /etc/apache2/sites-available/default-ssl:

<IfModule mod_ssl_error.c>
SSL_Error_DefaultURL "/error/invalid.html"
SSL_Error_URL  23   "/error/revoked.html"
SSL_Error_URL  10   "/error/expired.html"
</IfModule>

cf doc...

Hacking phpMyID

Details on the patch

  • remove HTTP Digest for the authorization step
  • redirect authorization to HTTPS as we'll deal with SSL client certificates
  • TODO

Status:

http://id.yobi.be/?openid.mode=login&id=ae96fba0cd9515cd

This identifies me properly with my card as well as

http://id.yobi.be/?openid.mode=login&id=philippe.teuwen

Todo:

  • Comprehensive openid with only the name is not robust against collisions so I should at least add sth e.g. a much shorter part of the hash as well in e.g. 3 numerals:
http://id.yobi.be/?openid.mode=login&id=philippe.teuwen.123
  • Find a way to incorporate the id in the OpenID string and to extract it
  • Maybe we'll need to fix the links embedded in the openid server & delegate
  • Test it with http://www.openidenabled.com/resources/openid-test/checkup
  • CRL & cf TODO patches above
  • Security: given the name and hash can we guess the RNN?