Belgian eID
Belgian eID is part of the efforts of the government for Belgian eGov
News
Generally speaking there are regularly interesting posts on Belsec blog, check it as I don't maintain actively this news section
- 2010-06-01 : The Belgian e-ID: hacker vs developer, a presentation by Erwin Geirnaert and Frank Cornelis at OWASP Belgian chapter meeting
- 2009-06-04 : SNCB/NMBS announced on the news (FR here) and on their site that "The tickets bought via Ticket on line ... can be loaded onto your electronic identity card". How could they do that??
Actually this is not true, as they explain here:
Your travel tickets are linked to the National Register Number (social security number) on your electronic identity card. Your tickets are not physically loaded onto your electronic identity card
Ok now I understand better. And one more way (after MOBIB) for the gov to know who goes where... - 2009-01-16 : PME et indépendants peuvent demander un lecteur eID gratuit
16 janvier 2009 -- Rédaction Data News
Pour promouvoir la déclaration TVA électronique, Fedict va distribuer des lecteurs de cartes eID gratuits aux PME et aux indépendants.
Depuis le 1er janvier, la déclaration TVA électronique obligatoire s'applique à l'ensemble des PME et indépendants. Tel était déjà le cas pour les entreprises moyennes et grandes. Seule l'entreprise qui peut prouver qu'elle ne dispose pas de la possibilité technique requise, peut demander aux Finances de pouvoir encore utiliser une déclaration TVA papier.
Fedict fournira un lecteur de cartes eID gratuit aux PME et aux indépendants qui n'en possèdent pas encore, peut-on lire dans un communiqué de presse émanant du ministre de l'entreprise et de la simplification, Vincent Van Quickenborne. Pour obtenir un lecteur de cartes gratuit, il suffit d'envoyer un mail à 'servicedesk@fedict.be', avec la mention "déclaration TVA électronique", le nom et le numéro d'enregistrement de l'entreprise et l'adresse d'envoi souhaitée. - 2009-01-14 : Question and answer about eID security at the "Commission de l'Intérieur, des Affaires Générales et de la Fonction Publique"
- 2009-01 : Belgian eID: Vulnerability Summary for CVE-2009-0049
Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. - Various blog posts
- 2008-06-13 : Interesting discussions here about the infamous report
- 2008-05-17 : Liège mairie de quartier du Thier-à-Liège this Saturday (Yes the office is open on Saturdays !) We received our new EID card, No more paper to sign (Annex 3 and 10) for revoking a certificate. (Maybe this is a bug in the administration ... The girl doesn't know the difference between the 2 certificates (auth. and sign). Worse: she doesn't know the signification ... and the top of the top ... Event on the paper you receive from the administration, it is clearly written '.. 2 certificates : 1 for signing and 1 for authentification' BUT on the screen of the administration computer for the revokation : 'révoquer le certificat de signature' et 'révoquer le certificat de non-répudiation' (sorry french) : Find the mistake ... --Dorian
COMMENT Yes I know... Authentication and Signature refer to the technical PCKS#11 labeling of the 2 RSA certificates on the card. Both are actually used only for "signature" in the crypto sense. Legally, the "authentication" one is for signing anything like emails, login to websites etc and the other one is for the qualified signature (as by the European directive), if done in a "secure context" is legally equivalent to hand-written signature and is not repudiable. Anyway thanks for the feedback! --Phil - 2008-04-23 Belgian EID and the Microsoft question
- 2008-04-03..04 European e-ID Card Conference: Current Perspective and Initiatives from around Europe in Government and Business, K.U.Leuven, €450
- 2008-03-08 Certipost the first and only digital signature company approved by our Privacycommission
- 2008-02-26 The eID to register to eBay.be (fr) and here (fr)
- 2008-02-24 Presentation of Wouter Verhelst at FOSDEM about The Belgian electronic ID card in Debian: screencast and video
- 2008-02-22 Belgacom sells stake in Certipost (fr) so now La Poste/De Post owns 100%
- News Resources:
- Belsec blog entries about the eID
Officials
- Major sources of documentation:
Official eID portal
docs on the repository
docs on the ePortal
Direction Générale Institutions & Population, with an interesting news channel- Google -> promotional movie (37Mb) and flash presentation (down, archived wmv file)
- Google -> In the context of the e-Government initiative of the Belgian Federal Government, a project has been defined to design and develop a messaging environment that allows smooth message- based communication information exchange between different governmental institutions. This messaging environment is called the Universal Messaging Engine – Version 2 (UME2) (zip)
- Google deeply, deeply, deeply...
- Certificates, also "raw" here and the Belgium Root CA site
- eID services, check online the status of a certificate and search the delta CRLs
- Revocation lists and OCSP server
- Help website for the eID-kits for kids
- Circulaires & Instructions
Among others:
Instructions générales de la carte d'identité électronique version du 14 novembre 2005 and its page 29 stating the possibility to revoke one or both certificates on card issuance
Annexe 3 : formulaire de renonciation aux certificats de la carte d'identité électronique au moment de la demande de la carte
Annexe 10 : modèle d'attestation d'activation ou de révocation des certificats après activation de la carte
Annexe 10 bis : modèle d'attestation de génération et d'activation d'une nouvelle paire de certificats après activation de la carte
Annexe 11 : modèle d'attestation de suspension et de reactivation des certificats
Application Belpic - Version 20.03 - 3. Carte d'identité de belge - Map of eID applications
- CertiPost, by Belgacom & La Poste/De Post
- eID shop, partners & implementations available
- cardreaders officially supported
- eCommunities
- CheckDoc
- DocStop
- 2009 roadshow
- MyPension
- SocialSecurity
- NotaClic, auctions! Want to buy a house à la "eBay"?
Misc links
- Danny de Cock's site
- his latest comprehensive presentation (pdf)
- adapID project
- The eID Company
- signing documents online, same here
- Microsoft's Belgian eID card website
- Estonian Company Registration Portal
- VASCO: Use your eID as Digipass to create OTP
Specifications
- Belgian Electronic Identity Card content
- v2.2 (pdf) from Official eID portal
- v2.8a (pdf) from WaybackMachine, found ref in this NIST document (pdf)
Ok the document actually moved to the new website- That version skips v2.2 in the Document Change History, very strange...
- See also this discussion
- Description of the Belpic EID-version numbering
- Public User Specification BELPIC Application
- V2.0 (pdf in zip)
- I found this doc on the Hungarian Chamber of Commerce & Industry, even in a version partly translated in hungarian
The end of that document is the Public User Specification BELPIC Application but badly formatted
Apparently it ended up on this site as part of a publication for the European institutions
- EID-Readers technical compatibility
- Belgian Electronic Identity Card Middleware Programmers Guide
- Belgian eID Toolkit Developer's guide
Usage & Software
- Middleware & developer's kit
- There are also Debian packages, cf below my tests under Linux
- eID configuration toolkit by Novell
- Danny De Cock's page on eID (same as http://www.godot.be)
- short intro
- how to use the eID card within your .NET apps
- Belgian E-ID runtime guide windows/linux pdf
- Open source interoperability and E-ID pdf
- The road to European E-ID interoperability pdf
- Microsoft and the eID (nl) (or (fr)), just an old marketing buzz? (I wouldn't complain...)
- Belgian eID Card Technicalities (pdf) by Danny de Cock, a MUST to read if you want to know all the gory details about the eID!
- New eid-applet project on Google Code
Revoking certificates
Some details about those certificates
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
- One labeled "Authentication" is for daily use
- To log in on SSL websites such as Tax-on-web or SaferChat or even your bank e.g. Keytrade has implemented it (pdf) with CRL check
- For signing mails with S/MIME
- For your own purpose, to log on your SSH server, SSL server, VPN etc
- One labeled "Signature" is for special cases
- It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
- According to CertiPost applicability guidelines (pdf), the electronic signature still cannot replace a hand-written signature in a number of cases
- It's automatically revoked for minors under 18 years as they cannot sign legally yet.
- From Certipost FAQ:
Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him.
In other words, non-repudiation means that information cannot be disclaimed, similar to a witnessed handwritten signature on a paper document.
to be checked in the law - Normal pkcs software doesn't seem to be able to use it (?)
- Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
- CertiPost e-Registered mails is using the non-repudiation signature
- CertiPost e-Signing is using the non-repudiation signature
- Both are protected by the same PIN which is typed on your (unsafe) PC
What says the law
Sorry, here are french version abstracts.
9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification, date de publication au Moniteur: 29 septembre 2001
Morceaux choisis:
- Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
- § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
- § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
- que la signature se présente sous forme électronique, ou
- qu'elle ne repose pas sur un certificat qualifié, ou
- qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
- qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
- Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof???
Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4
Catastrophe scenario
- Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
- you know, the kind of stuff that never happens, anyway it's now your problem even if the official middleware is not signed
- And apparently even some readers with integrated keypads are not safer :-(
- And apparently even commercial standalone smatcard terminals are not safer :-( (pdf)
- And, oh, I did a small test with lkl, a userland keylogger and of course the PIN typed into the beid graphical prompt could be easily captured.
- He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
- Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
- The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.
Privacy and other security considerations
- Another consideration I didn't talk about yet: PRIVACY
- Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or if you simply send a signed email) sees your RRN ("rijksregistratienummer")
But officially (see "Puis-je utiliser le numéro de Registre national?") this is normal...
BTW here is how it's constructed: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for women, uneven for men) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically... - Tax-on-web announce it but what about the others and your mail correspondants?
Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national.
Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances.
La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles. - Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
You can import Belgium Root CA signed by GlobalSign Root CA here (the belgiumrs*.crt) - And even "better": for Firefox, CertiPost e-Signing requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
- ADAPID project is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
- Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
- Ethical-ID is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.
- And what about administrative errors? ;-)
2005: I revoked my certificates
Why?
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring.
I knew they were talking about two certificates without understanding their difference, so let's revoke both.
Note that it doesn't mean my eID was not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf FAQ)
How?
It was quite epic.
I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
- [Me] Good morning, I come for my eID and... I want to get rid of the certificates
- [Her] You what? Is it possible? Never heard about that
- [Me] Yes, yes, see (and I show her what's in her User Manual)
- ... (takes a while to digest the info)
- [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
- [Josette] ANNEX WHAT??
- [Me] No prob, look (and I pull out my own copy of Annex 3 (pdf))
- ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
- [Me] No prob, look (and I pull out my own copy of Annex 10 (pdf))
- [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D
Who knows, maybe I crafted the form... ;-)
It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.
According to Danny de Cock you can revoke them by phone via the eID card stop service: call +32-2-518.21.16 or +32.2.518.21.17,in French or Dutch, respectively (there is a 7-day period prior to definitive revocation, I'm not sure how secure is the procedure...)
2010: I revoked my signature certificate, but kept my authentication certificate
Why?
- Since 2005 I learned...
- I accept the Authentication certificate to be able to play around with it (Tax-on-web, RRN website,...).
- We can change the 4-digit PIN to up to a 12-digit value.
- I could use it but only on trusted devices, that's another story...
- I revoke the Signature certificate unless they change their architecture:
- I don't want the same PIN as on the other certificate.
Note that there were some discussions here
Public user specification BELPIC application v2.0 mention 2 different PINs with their own ids (01 for auth, 04 for non-repud) and according to Danny the new cards will have 2 PINs but as of today (2010) this is not yet the case. - Probably they limited themselves to one single PIN in order to pass the Kafka test ;-)
- I don't want the same PIN as on the other certificate.
How?
It was again epic...
The municipality employee claimed that I should have asked to not have the certificate while ordering the card and now it's too late, because rules have changed, blabla.
She claimed that if she revokes now my certificates my cards will automatically expire 7 days later.
So I took the risk and asked her to revoke my signature certificate, anyway, at my own risks.
It was indeed quite risky as she was about to revoke the authentication certificate on the application screen rather than the signature certificate, so be very careful and double-check what they're doing!!
The reality:
- My card is still fully working and I can use it to log into federal websites.
- There were indeed new eID instructions published on 1st of July 2010 (one month after I got my card)
- The new instructions suppressed annexes 10, 10bis & 11 amongst other things, leaving only annex 3.
- If you refuse your certificates while ordering your card you will not have any usage certificate while I wanted to have anyway the authentication certificate.
- To get the municipality understanding what you want, the best is probably to refer to the instructions of the latest instructions (pdf 01/06/2010)
- UPDATE new version of the instructions is here (pdf 10/08/2012) but contains the same text in 6.3 Activation de la carte - cas particuliers
Instructions générales relatives aux cartes d’identité électroniques de Belges Version du 1er juillet 2010 6. Délivrance de la carte au citoyen 6.3 Activation de la carte Conformément à la loi du 25 mars 2003, le certificat qualifié de signature n’est pas validé sur la carte d’identité des personnes reconnues incapables en vertu de la législation en vigueur (mineurs d’âge non émancipés, personnes sous statut de minorité prolongée, les majeurs placés sous administration provisoire, les incapables légaux, les incapables juridiques et les personnes placées sous conseil judiciaire). En effet, ces personnes ne peuvent signer valablement.
Pour les mineurs d’âge non émancipés, lors de l’activation de la carte, le certificat de signature est automatiquement révoqué et le certificat d’authentification est quant à lui activé.
Pour les personnes reconnues incapables et mentionnées ci-dessus, après activation de la carte, il y a lieu de révoquer le certificat de signature (Logiciel Belpic – Menu : « Gestion des certificats »)
A l'issue de la procédure d’activation de la carte d’une personne majeure ou d’un mineur émancipé, le préposé de la commune s’informe du souhait du citoyen quant à l’utilisation ou non des fonctions électroniques (certificat de signature et certificat d’authentification) de sa carte. Au cas où le citoyen décide de renoncer à l’utilisation de l’un ou /et l’autre certificat de sa carte, le préposé de la commune procédera à la révocation immédiate de son/ses certificat(s) (cfr. Logiciel Belpic, menu « Gestion des certificats »). Ensuite, la carte d'identité électronique peut être remise au citoyen.
The last paragraph is very clear. Of course don't expect them to ask you if you wish to use the certificates or not, they never do it and when you ask for revoking a certificate it's always mess & fuzz.
PIN unlocking
- Default PIN is 4-digit, can be changed up to 12 digits.
- PIN locked after 3 wrong attempts
- PUK can unlock PIN
- PUK is 12-digit long
- You get 6-digit half-PUK, and you need to go to the municipality to have your eID card unblocked... This unblocking consists of sending 12 PUK digits to your eID card: you provide 6 PUK digits, and the National Register provides the other 6... I.e., it is impossible for a citizen to unblock his/her eID card without presenting him/herself to the municipality... Thanks for the info Danny!
Linux: Drivers
If you want to try also make sure you're using Linux :-D
I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€
So the card is accessed via the USB reader, handled by the libccid, used by the pcscd daemon.
$ pcsc_scan Reader 0: iDream ID-SMID01 00 00 Card state: Card inserted, ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11 ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11 + TS = 3B --> Direct Convention + T0 = 98, Y(1): 1001, K: 8 (historical bytes) TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU (38400 bits/s at 3.57 MHz) TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0 ----- TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F) + Historical bytes: A5 03 01 01 01 AD 13 11 Category indicator byte: A5 (proprietary format) Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): 3B 98 13 40 0A A5 03 01 01 01 AD 13 11 Belgium Electronic ID card
Linux: Government Middleware v2.1
Installation
The Belgian government is providing a Linux middleware to access the eID.
The sources are accessible here (fr) or there (nl)
But thanks to Wouter Verhelst, there are also Debian packages (2.6.0-3 in Lenny as I'm writing):
apt-get install beidgui beid-tools => libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
Some interesting documentation once it's installed: /usr/share/doc/libbeidlibopensc2/README.Debian
A short introduction to the middleware is available here (fr, pdf) or here (nl, pdf)
Belpic version of OpenSC
The middleware is a modified version of OpenSC, talking to pcscd.
I recently saw that my ~/.xsession-errors logfile was full of Error: can't open /var/run/openct/status...
It happens whenever icedove/iceweasel are open (so when the libbeidpkcs11.so is loaded) I found a bugreport on Ubuntu and the proposed fix works so I opened a Debian bugreport: #469485:
OpenSC has support for three driver types : PCSC, OpenCT and CT-API. Belpic only needs PC/SC, and will produce errors/warnings if you leave support for OpenCT enabled.
Edit /etc/beidbase.conf, and insert a statement that limits the use of drivers to pcsc. Right before the reader_driver config feels like an OK place to do this :
## specify driver family pcsc. # Others (openct, ..) are not needed for Belpic and # may produce errors/warnings reader_drivers = pcsc ; reader_driver pcsc { ....
GUI
The GUI application (beidgui) works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!
You can easily change your PIN here, with a PIN between 4 and 12 digits!
I don't remember of having read that PINs bigger than 4-digit were possible...
beidcrld
Part of beid-tools
It's an optional daemon, supposed to download automatically the CRLs.
TODO: where are those CRLs stored locally? How to check the status? /usr/share/beid/crl
beidpcscd
Part of beid-tools
It's an optional daemon.
The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent
it's listening on port tcp 2500 and beidcrld, Iceweasel & Icedove (through the PKCS#11 module we'll install later) are constantly speaking with it...
And if it's not running, Iceweasel & Icedove will poll every second on that port 2500, no matter if you are really using the eID at that moment or not, erk!
beid-pkcs11-tool
Part of beid-tools
For a little demo...
$ beid-pkcs11-tool --list-slots Available slots: Slot 0 iDream ID-SMID01 00 00 manufacturer: Zetes hardware ver: 1.0 firmware ver: 1.0 flags: token present, removable device, hardware slot token label: BELPIC (Basic PIN) token manuf: Axalto token model: Belgium eID token flags: rng, PIN initialized, token initialized [...]
$ beid-pkcs11-tool --list-objects Private Key Object; RSA 1024 bits label: Authentication ID: 02 Usage: sign Certificate Object, type = X.509 cert label: Authentication ID: 02 Public Key Object; RSA 1024 bits label: Authentication ID: 02 Usage: encrypt, verify Certificate Object, type = X.509 cert label: CA ID: 00 Public Key Object; RSA 2048 bits label: CA ID: 04 Usage: encrypt, verify Certificate Object, type = X.509 cert label: Root ID: 00 Public Key Object; RSA 2048 bits label: Root ID: 06 Usage: encrypt, verify Private Key Object; RSA 1024 bits label: Signature ID: 03 Usage: sign Certificate Object, type = X.509 cert label: Signature ID: 03 Public Key Object; RSA 1024 bits label: Signature ID: 03 Usage: encrypt, verify
$ beid-pkcs11-tool --list-mechanisms Supported mechanisms: SHA-1, digest MD5, digest RIPEMD160, digest RSA-PKCS, sign, verify, unwrap SHA1-RSA-PKCS, sign, verify MD5-RSA-PKCS, sign, verify RIPEMD160-RSA-PKCS, sign, verify
$ beid-pkcs11-tool --test C_SeedRandom() and C_GenerateRandom(): seems to be OK Digests: all 4 digest functions seem to work MD5: OK SHA-1: OK RIPEMD160: OK Signatures (currently only RSA signatures) testing key 0 (Authentication) QSettings: failed to open file '/etc/qt3/qt_plugins_3.3rc' all 4 signature functions seem to work testing signature mechanisms: RSA-PKCS: OK SHA1-RSA-PKCS: OK MD5-RSA-PKCS: OK RIPEMD160-RSA-PKCS: OK testing key 1 (Signature) with 1 signature mechanism RSA-PKCS: OK Verify (currently only for RSA): testing key 0 (Authentication) RSA-PKCS: OK SHA1-RSA-PKCS: OK MD5-RSA-PKCS: OK RIPEMD160-RSA-PKCS: OK testing key 1 (Signature) with 1 mechanism RSA-PKCS: OK Key unwrap (RSA) testing key 0 (Authentication) -- can't be used to unwrap, skipping testing key 1 (Signature) -- can't be used to unwrap, skipping [...]
libbeidpkcs11.so
It's a PKCS#11 library which can be used by Firefox/Iceweasel, Thunderbird/Icedove, Iceape, OpenOffice,...
See below for some tests with those applications.
Firefox security module
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service. If installing the service through beid-pkcs11-register.html does not work, try to load /usr/lib/libbeidpkcs11.so manually through Edit -> Preferences -> Advanced -> Encryption -> Security devices -> Load.
Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"
You can then connect to federal sites like Tax-on-web or the RRN, being identified by your card & PIN.
Note that it works only if I start Firefox after having the eID in place in the reader.
Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html
Thunderbird security module
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11 Module filename: /usr/lib/libbeidpkcs11.so
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"
Try to sign a first mail:
Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif
I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.
TODO: I still would like to understand what went wrong before, why only the "Authentication" certificate worked and not the "Signature" one.
One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.
Signing in OpenOffice
It is using the same certificate set as firefox/iceweasel so signing in OpenOffice works out-of-the-box on my Debian.
If not you can still check this article to debug your situation.
File -> Digital Signatures... -> Add...
This works also with the legal "signature" certificate
Signing in LibreOffice
Official instructions (in French)
Signing in Acrobat Reader
acroread can deals with PKCS#11 modules...
Document -> Security Settings -> Digital IDs -> PKCS#11 -> Attach module -> /usr/lib/libbeidpkcs11.so (apparently worked only with v3.5)
You can use https://signbox.eidcompany.be/ to create a pdf to be signed.
Seems to work but I still find strange it prompts me twice for the PIN, once in the Acrobat interface (password) and once with the virtual pad of the beid pkcs11 library.
Old stuff: see also https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCards0068?t=2008-04-04T18:04:26Z and try with http://itext.ugent.be/articles/eid-pdf/
Linux: Government Middleware v3.5
Why upgrading?
Among other things because with a recent eID you could face an error of beidgui about invalid root certificate, see here and [there http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=385735]
Installation
Here are some note of a quick run around the new release 3.5
The middleware was released among other for "Debian Etch", not bad...
Well actually the middleware comes with an ugly install.sh script doing stuff like erasing old beidlib files, appending blindly stuff in /etc/ld.conf etc
As I'm not running etch I had to help it a bit:
libxerces27 is only in etch, but can be installed smoothly on lenny if you apt-get install its own dependency to libicu36
So now I could try their new toys...
About the GUI:
- The beidgui is now kind of applet in the taskbar popping up gently your picture when you insert your card.
- The detailed view provides also a parsing of the ATR, which is much nicer than having to dig into the (outdated) spec docs.
About the beidlib:
- privacy proxy": now every time an application wants to read the card there is a Qt popup asking for confirmation and showing the full path of that application. Nice but what for non X systems?
- PIN prompt: exists also with virtual keypad flavor.
- BUG?? On my system every time an application requests an operation with PIN it takes 2secs @ 100% CPU to popup :-(
About the SDK:
- I could try all C++ examples, didn't try Java (allergy to that caffeine probably)
Little quirk to be able to compile the legal signature example:
samples/sign_p11/C++/Makefile: -CXXFLAGS = -O2 -g +CXXFLAGS = -O2 -g -ldl
The read_eid and the get_exception are apparently featuring code to read also the SIS card.
I tried but I got a BEID_Exception (code = e1d00300) which means from eidErrors.h:
/** Error communicating with the card */ #define EIDMW_ERR_CARD_COMM 0xe1d00300
You need a reader such as ACR38 which can read memory cards. Even the OmniKey5321 which supports 3-wire protocol seems to not be usable with the middleware to read a SIS card :-(
Getting the old lib running too
So the barbarian ./install.sh seemed to have deleted the following:
- beid-tools:
- /usr/bin/beidcrld
- /usr/bin/beidpcscd
- libbeidlibopensc2:
- /usr/lib/libbeidpkcs11.so.2.1.0
- libbeidlibopensc2-dev:
- /usr/include/beid/opensc/*
Some tools are still working (pcsc_scan, opensc-explorer, beidgui (v2.1), beid-tool
But some fail: Firefox pkcs11 module, beid-pkcs11-tool
My solution: reinstalling libbeidlibopensc2_2.6.0-6_i386.deb
It fixed the problem and Firefox is actually using pkcs11 lib of middleware3.5
Linux: Government Middleware v3.5.x on 64-bit Debian
Installation (libs & Mozilla plugin, manually)
I had problems when trying to get the middleware running on my new 64-bit laptop because the binary & libraries available at http://eid.belgium.be are only for 32-bit OS.
My solution was to compile it from code.google.com but it was not that easy because it required a libtool version newer than what was in Debian, so I did (not very clean I agree):
sudo apt-get install automake automake1.9- wget ftp://ftp.gnu.org/gnu/libtool/libtool-2.2.10.tar.gz ./bootstrap ./configure make sudo apt-get remove libtool sudo make install sudo cp /usr/local/share/aclocal/* /usr/share/aclocal sudo cp -a /usr/local/share/libtool/config /usr/share/libtool
Then the middleware code:
svn checkout http://eid-mw.googlecode.com/svn/trunk/ eid-mw-read-only # Edit configure.ac -> openssl v0.9.8 ok otherwise it'll claim for openssl v1.0.0 ./bootstrap.sh ./configure make sudo apt-get remove libbeid2 libbeidlibopensc2 beid-tools beidgui sudo make install
Middleware works with e.g. Firefox but when prompted for a PIN the virtual keyboard was blank, no image of the numbers on the buttons.
Installation (via Debian unstable)
UPDATE: At the time of writing, middleware v3.5.2 is available in Debian unstable
beidgui
sudo aptitude install -t unstable beidgui
Seems to work except that it doesn't load my certificates, the tab is just empty
beid-mozilla-plugin
sudo aptitude install -t unstable beid-mozilla-plugin Edit > Preferences > Advanced > Encryption > Security Devices > Load > Browse > /usr/lib/libbeidpkcs11.so.3
Note that apparently the card must be inserted in the reader before you launch Firefox...
There is also a Firefox add-on: eID Belgique 1.0.7, not sure what it's useful for, apparently it's meant to ease installation of the middleware & expects plugin to be in /usr/local/lib/libbeidpcks11.so so if you installed /usr/lib/libbeidpkcs11.so.3 in Firefox as stated above you don't need this plugin.
beid-tools
sudo aptitude install -t unstable beid-tools
At first I had an error about undefined symbol because I had still my manual install libraries in /usr/local -> rm /usr/local/bin/beid* /usr/local/lib/*beid* /usr/local/lib/libcard*
Linux: Government Middleware v4.0.4
Some certificate cleaning in Firefox first, cf this page:
- Edit / Preferences / Advanced / Encryption / View Certificates / Authorities
- Delete Global Sign nv-sa / Belgium Root CA2
- Mmm I did it but it went back, so not sure if it's needed... and Irisbox fails with eID while other sites work...
Installing middleware, see this page
sudo apt-get remove --purge beid* wget http://eid.belgium.be/fr/binaries/eid-mw_4%2E0%2E4r1253_amd64_tcm226-178472.deb sudo dpkg -i eid-mw_4.0.4r1253_amd64_tcm226-178472.deb wget http://eid.belgium.be/fr/binaries/eid-viewer_4%2E0%2E4r146_amd64_tcm226-178482.deb sudo dpkg -i eid-viewer_4.0.4r146_amd64_tcm226-178482.deb
Test it:
eid-viewer
Questions?
- http://eid.belgium.be/en/using_your_eid/
- http://test.eid.belgium.be/
- http://test.eid.belgium.be/faq/faq_fr.htm or http://test.eid.belgium.be/faq/faq_nl.htm
Untrusted certificate when visiting gov site? see this page
- Edit / Preferences / Advanced / Encryption / View Certificates / Authorities
- Edit trust of Belgium Root CA2 / Belgium Root CA2 -> trust for all 3 purposes
Notes:
- pcsc needs to run when launching ff, but card doesn't need to be inserted in advance
Linux: OpenSC Middleware
Installation
belpic, the Belgian middleware, is a modified version of OpenSC, let's try the plain OpenSC:
apt-get install opensc
=> file:///usr/share/doc/opensc/BelgianEid.html
OpenSC 0.10.* will include support for the Belgian eID card, except for legally binding signatures (with the so-called Signature key) as this requires a GUI, which is not yet available/implemented. Till that new release please use the "belpic" software available from the belgian state.
Note that you've to stop the filter daemon (beidpcscd) first
cardos-info
Returns the ATR
$ cardos-info 3b:98:13:40:0a:a5:03:01:01:01:ad:13:11 Received (SW1=0x6D, SW2=0x00)
opensc-tool
$ opensc-tool -a -v # with debug=1 in /etc/opensc/opensc.conf [opensc-tool] ctx.c:705:sc_context_create: =================================== [opensc-tool] ctx.c:706:sc_context_create: opensc version: 0.11.4 [opensc-tool] sc.c:196:sc_detect_card_presence: called [opensc-tool] sc.c:201:sc_detect_card_presence: returning with: 1 Connecting to card in reader iDream ID-SMID01 00 00... [opensc-tool] card.c:110:sc_connect_card: called [opensc-tool] reader-pcsc.c:542:pcsc_connect: After connect protocol = 1 [opensc-tool] reader-pcsc.c:561:pcsc_connect: Requesting reader features ... [opensc-tool] card-belpic.c:988:belpic_init: Belpic V1.4 [opensc-tool] card-belpic.c:995:belpic_init: [opensc-tool] card.c:221:sc_connect_card: card info: Belpic cards, 12002, 0x0 [opensc-tool] card.c:222:sc_connect_card: returning with: 0 Using card driver Belpic cards. Card ATR: 3B 98 13 40 0A A5 03 01 01 01 AD 13 11 ;..@......... [opensc-tool] card.c:236:sc_disconnect_card: called [opensc-tool] card.c:251:sc_disconnect_card: returning with: 0 [opensc-tool] ctx.c:738:sc_release_context: called
From the ATR:
- Component code: A5
- OS number: 03
- OS version: 01
- Softmask number: 01
- Softmask version: 01
- Applet version: 1.1
$ opensc-tool -n Belpic cards
$ opensc-tool -f 3f00 type: DF, size: 65535 select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A] list[N/A] [opensc-tool] card.c:343:sc_list_files: returning with: Not supported sc_list_files() failed: Not supported
Reading the address file:
$ opensc-tool -s 00CADF3005 Sending: 00 CA DF 30 05 Received (SW1=0x6D, SW2=0x00) $ opensc-tool -s 00A4080C023F00 Sending: 00 A4 08 0C 02 3F 00 Received (SW1=0x90, SW2=0x00) $ opensc-tool -s 00A4080C043F00DF01 Sending: 00 A4 08 0C 04 3F 00 DF 01 Received (SW1=0x90, SW2=0x00) $ opensc-tool -s 00A4080C063F00DF014033 Sending: 00 A4 08 0C 06 3F 00 DF 01 40 33 Received (SW1=0x90, SW2=0x00) $ opensc-tool -s 00B0000080 Sending: 00 B0 00 00 80 Received (SW1=0x90, SW2=0x00): 01 1E 41 76 65 6E 75 65 20 64 65 20 6C 61 20 43 ..Avenue de la C 6F 75 72 6F 6E 6E 65 20 34 31 20 2F 62 30 32 37 ouronne 41 /b027 02 04 31 30 35 30 03 07 49 78 65 6C 6C 65 73 00 ..1050..Ixelles. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 ..... (that one is handled smartly because actually there is a first error 6C75 then a new request 00B0000075)
opensc-explorer
$ opensc-explorer #PUK: (max trials: 3, length: 4-12) OpenSC [3F00]> verify CHV1 31:31:31:31 [opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect Incorrect code, 2 tries left. OpenSC [3F00]> verify CHV1 31:32:33:34 Code correct. #PUK: (max trials: 12, length: 12) OpenSC [3F00]> verify CHV3 31:32:33:34 [opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect Incorrect code, 11 tries left. #PINreset (max trials: 10, length: 12) OpenSC [3F00]> verify CHV2 31:32:33:34 [opensc-explorer] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect Incorrect code, 9 tries left. OpenSC [3F00]> random 100 00000000: 80 8E DD 53 92 0A FB 12 17 7E 77 49 11 D5 3E 93 ...S.....~wI..>. 00000010: E7 93 CD C1 D8 AB E2 0E 85 34 44 F0 B2 F4 52 8A .........4D...R. 00000020: FD 0A 34 8F A1 16 2C 91 85 18 77 83 F4 EC 2F DB ..4...,...w.../. 00000030: 5D 5A A6 F8 4C 61 21 74 B1 C0 E2 4C FF 7B CF BF ]Z..La!t...L.{.. 00000040: 01 A2 06 CB 41 33 EB 75 2E 86 90 A7 E6 FD 0C 8C ....A3.u........ 00000050: BF 12 CD CE 32 EB 40 89 D7 98 39 78 30 86 AF 52 ....2.@...9x0..R 00000060: 60 E0 F6 C3 `... OpenSC [3F00]> cd df00 OpenSC [3F00/DF00]> get 5035 Total of 119 bytes read from 5035 and saved to 3F00_DF00_5035.
You can also cat the files:
OpenSC [3F00]> cd df01 OpenSC [3F00/DF01]> cd 4033 OpenSC [3F00/DF01/4033]> cat 00000000: 01 1E 41 76 65 6E 75 65 20 64 65 20 6C 61 20 43 ..Avenue de la C 00000010: 6F 75 72 6F 6E 6E 65 20 34 31 20 2F 62 30 32 37 ouronne 41 /b027 00000020: 02 04 31 30 35 30 03 07 49 78 65 6C 6C 65 73 00 ..1050..Ixelles. 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000070: 00 00 00 00 00 .....
The interpretation of the file contents we just extracted can be found in the Belgian Electronic Identity Card content document
Here are all the files you can extract:
3F00_2F00 MF/DIR 3F00_DF00_5031 MF/Belpic/ODF (Object Directory File) 3F00_DF00_5032 MF/Belpic/TokenInfo 3F00_DF00_5034 MF/Belpic/AODF (Authentication Object Directory File) 3F00_DF00_5035 MF/Belpic/PrKDF (Private Key Directory File) 3F00_DF00_5037 MF/Belpic/CDF (Certificate Directory File) 3F00_DF00_5038 MF/Belpic/Cert#2 (auth) 3F00_DF00_5039 MF/Belpic/Cert#3 (non-rep) 3F00_DF00_503A MF/Belpic/Cert#4 (CA) 3F00_DF00_503B MF/Belpic/Cert#6 (Root) 3F00_DF00_503C MF/Belpic/Cert#8 (RRN) 3F00_DF01_4031 MF/ID/ID#RN (contains also hash of ID#Photo) 3F00_DF01_4032 MF/ID/SGN#RN (signature of ID#RN by RRN) 3F00_DF01_4033 MF/ID/ID#Address 3F00_DF01_4034 MF/ID/SGN#Address (signature of ID#Address|SGN#RN by RRN) 3F00_DF01_4035 MF/ID/ID#Photo (140x200 JPEG grayscale) 3F00_DF01_4038 MF/ID/PuK#7 ID (CA role Hash SHA-1) 3F00_DF01_4039 MF/ID/Preferences
Note that here we could extract the RRN Cert#8, which was not shown by the usual pkcs#15 tools...
Note that the Preferences file is 100-byte zeroes, is customisable just with the cardholder PIN but the update_binary command is not supported, so I wrote a patch
$ xview 3F00_DF01_4035 3F00_DF01_4035 is a 140x200 JPEG image, color space Grayscale, 1 comp, Huffman coding. ...
So to extract the picture via a simple script:
echo -e "cd df01\nget 4035 mypic.jpg"|opensc-explorer
pkcs11-tool
Differences with beid-pkcs11-tool are highlighted between *stars*
$ pkcs11-tool --list-slots Available slots: Slot 0 iDream ID-SMID01 00 00 token label: BELPIC (Basic PIN) *token manuf: (unknown)* token model: PKCS #15 SCard token flags: rng, *login required*, PIN initialized, token initialized *serial num : 6CFF252C5F190218*
$ pkcs11-tool --list-objects
$ pkcs11-tool --login --list-objects Please enter User PIN: Private Key Object; RSA label: Authentication ID: 02 Usage: sign Certificate Object, type = X.509 cert label: Authentication ID: 02 Public Key Object; RSA 1024 bits label: Authentication ID: 02 Usage: encrypt, verify Private Key Object; RSA label: Signature ID: 03 Usage: sign Certificate Object, type = X.509 cert label: Signature ID: 03 Public Key Object; RSA 1024 bits label: Signature ID: 03 Usage: encrypt, verify Certificate Object, type = X.509 cert label: CA ID: 00 Public Key Object; RSA 2048 bits label: CA ID: 04 Usage: encrypt, verify Certificate Object, type = X.509 cert label: Root ID: 00 Public Key Object; RSA 2048 bits label: Root ID: 06 Usage: encrypt, verify
Strange, I need to login to extract the objects
Strange, pubkeys can encrypt but privkey cannot decrypt...
Strange, both RootCA and CitizenCA certificates have the same id 0
And what's the format of those certificates when dumped out? Not DER neither PEM
$ pkcs11-tool --login --read-object --id 0 --type cert|xxd [...] $ pkcs11-tool --login --read-object --id 2 --type pubkey |xxd [...]
$ pkcs11-tool --list-mechanisms Supported mechanisms: SHA-1, digest *SHA256, digest* *SHA384, digest* *SHA512, digest* MD5, digest RIPEMD160, digest RSA-PKCS, sign, verify, unwrap, *decrypt* SHA1-RSA-PKCS, sign, verify MD5-RSA-PKCS, sign, verify RIPEMD160-RSA-PKCS, sign, verify *RSA-PKCS-KEY-PAIR-GEN, keypairgen*
Extra mechanisms available apparently...
And they work:
phil@mercure:~$ echo -n test|pkcs11-tool --hash --mechanism SHA512 |xxd 0000000: ee26 b0dd 4af7 e749 aa1a 8ee3 c10a e992 .&..J..I........ 0000010: 3f61 8980 772e 473f 8819 a5d4 940e 0db2 ?a..w.G?........ 0000020: 7ac1 85f8 a0e1 d5f8 4f88 bc88 7fd6 7b14 z.......O.....{. 0000030: 3732 c304 cc5f a9ad 8e6f 57f5 0028 a8ff 72..._...oW..(..
$ pkcs11-tool --login --test Please enter User PIN: C_SeedRandom() and C_GenerateRandom(): not implemented Digests: all 4 digest functions seem to work MD5: OK SHA-1: OK RIPEMD160: OK Signatures (currently only RSA signatures) testing key 0 (Authentication) all 4 signature functions seem to work testing signature mechanisms: RSA-PKCS: OK SHA1-RSA-PKCS: OK MD5-RSA-PKCS: OK RIPEMD160-RSA-PKCS: OK testing key 1 (1024 bits, label=Signature) with 1 signature mechanism [opensc-pkcs11] sec.c:67:sc_set_security_env: returning with: Not supported error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
pkcs15-tool
$ pkcs15-tool --dump PKCS#15 Card [BELPIC]: Version : 1 Serial number : 1234567890ABCDEF1234567890ABCDEF Manufacturer ID: (unknown) Flags : PRN generation, EID compliant PIN [Basic PIN] Com. Flags: 0x3 ID : 01 Flags : [0x30], initialized, needs-padding Length : min_len:4, max_len:12, stored_len:8 Pad char : 0xFF Reference : 1 Type : bcd Path : 3f00 Private RSA Key [Authentication] Com. Flags : 3 Usage : [0x4], sign Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 130 Native : yes Path : 3f00df00 Auth ID : 01 ID : 02 Private RSA Key [Signature] Com. Flags : 3 Usage : [0x200], nonRepudiation Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 1024 Key ref : 131 Native : yes Path : 3f00df00 Auth ID : 01 ID : 03 X.509 Certificate [Authentication] Flags : 3 Authority: no Path : 3f00df005038 ID : 02 X.509 Certificate [Signature] Flags : 3 Authority: no Path : 3f00df005039 ID : 03 X.509 Certificate [CA] Flags : 3 Authority: yes Path : 3f00df00503a ID : 04 X.509 Certificate [Root] Flags : 3 Authority: yes Path : 3f00df00503b ID : 06
pkcs15-tool --read-certificate 02 > my_auth.crt pkcs15-tool --read-certificate 03 > my_sign.crt pkcs15-tool --read-certificate 04 > belgium.crt pkcs15-tool --read-certificate 06 >> belgium.crt openssl x509 -in my_auth.crt -text pkcs15-tool --read-ssh-key 2
pkcs15-crypt
Signing text and extracting the public certificate:
fortune > data.txt openssl sha1 -binary data.txt > data.sha1 pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig pkcs15-tool --read-certificate 02 > my_auth.crt
Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt
I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig [pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported [pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.
eidenv
Very interesting one...
$ eidenv | recode UTF8.. BELPIC_CARDNUMBER: 123456789012 BELPIC_CHIPNUMBER: 1234567890ABCDEF1234567890ABCDEF BELPIC_VALIDFROM: 20.06.2005 BELPIC_VALIDTILL: 20.06.2010 BELPIC_DELIVERINGMUNICIPALITY: Liege BELPIC_NATIONALNUMBER: 00310100123 BELPIC_NAME: Teuwen BELPIC_FIRSTNAMES: Philippe Yvon BELPIC_INITIAL: F BELPIC_NATIONALITY: Belge BELPIC_BIRTHLOCATION: Liège BELPIC_BIRTHDATE: 31 JAN 1900 (or 2000? ;-) BELPIC_SEX: M BELPIC_NOBLECONDITION: BELPIC_DOCUMENTTYPE: 1 BELPIC_SPECIALSTATUS: 0 BELPIC_STREETANDNUMBER: Rue de l'OpenSource 12 /b012 BELPIC_ZIPCODE: 1050 BELPIC_MUNICIPALITY: Ixelles
$ eidenv --exec /bin/bash $ echo $BELPIC_NAME Teuwen $ exit
But if the filter daemon beidpcscd is running:
$ eidenv [eidenv] reader-pcsc.c:534:pcsc_connect: SCardConnect failed: Sharing violation. [eidenv] card.c:228:sc_connect_card: returning with: Generic reader error Failed to connect to card: Generic reader error
I expected to get prompted by the filter but nothing like that
patch
The middleware is missing the function update_binary() while the card supports it and provides a writable file EF(Preferences) for the cardholder (you need first to login with your PIN)
So I added it and submitted it in bugreport #470637
Demo: how to install Linux on the eID (hum, so to speak...)
$ opensc-explorer OpenSC Explorer version 0.11.4 OpenSC [3F00]> cd df01 OpenSC [3F00/DF01]> verify CHV1 31:32:33:34 Code correct. OpenSC [3F00/DF01]> put 4039 tux.txt Total of 100 bytes written.
$ opensc-explorer OpenSC Explorer version 0.11.4 OpenSC [3F00]> cd df01 OpenSC [3F00/DF01]> cd 4039 OpenSC [3F00/DF01/4039]> cat 000000: 5B 47 65 6E 5D 0A 4C 47 3D 66 72 00 5F 20 20 20 [Gen].LG=fr._ 000010: 00 00 00 00 00 00 00 00 20 20 20 2E 20 2E 20 20 ........ . . 000020: 00 00 00 00 00 00 00 00 20 20 20 2F 56 5C 20 20 ........ /V\ 000030: 00 00 00 00 00 00 00 00 20 20 2F 2F 20 5C 5C 20 ........ // \\ 000040: 00 00 00 00 00 00 00 00 20 2F 28 20 20 20 29 5C ........ /( )\ 000050: 00 00 00 00 00 00 00 00 20 20 5E 60 7E 27 5E 20 ........ ^`~'^ 000060: 00 00 00 00 ....
Linux: to be sorted...
Signing with GpgSM
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html
apt-get install gpgsm dirmngr gnupg-agent pinentry-qt
~/.gnupg/gpg-agent.conf: no-grab default-cache-ttl 1800 ignore-cache-for-signing allow-mark-trusted
~/.bash_profile: (appending this stuff) # preparing gpg-agent: if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info` export GPG_AGENT_INFO else eval `gpg-agent --daemon` echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info fi
~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader) disable-ccid debug-level none
~/.gnupg/gpgsm.conf: debug-level none
Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys /home/phil/.gnupg/pubring.kbx ----------------------------- Subject: /CN=Belgium Root CA/C=BE [...] Subject: /CN=Citizen CA/C=BE/SerialNumber=200507 [...] Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=... [...] Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S
Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt [...] gpgsm: signature created
I was prompted for my PIN during the process.
And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056 gpgsm: note: non-critical certificate policy not allowed dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type dirmngr[8994]: permanently loaded certificates: 0 dirmngr[8994]: runtime cached certificates: 0 dirmngr[8994]: command ISVALID failed: Certificat révoqué gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE gpgsm: certificate has been revoked gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056 gpgsm: CRLs not checked due to --disable-crl-checks option gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
e-Signing plugin for Firefox
- pure curiosity...
- cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
- the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it.
The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is a copy of the pem version in Google cache(!)
but that was good enough to be able to install the plugin. - Moreover the form to sign wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
- You've to pay to be able to sign with your eID non-repudiation signature to have a valid Qualified Electronic Signature with long term value
- There are some explanations of the additional services provided by CertiPost:
The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since.
Moreover CertiPost keeps a copy of the signed information. - Timestamps & storage look like additional features, not mandated by the law, so can I create a Qualified Electronic Signature with long term value out of the CertiPost context, so just a plain x509 signature?
SSH
cf OpenSSH#Patch_for_login_with_eID
OpenID
cf OpenID and OpenID-eID where I'm hacking phpMyID to make my own
TrustBearer OpenID supports the Belgian eID as an authentication token. The service uses a browser add-on which contains a middleware stack that communicates directly with the reader & card. See a demonstration on this blog.
Cryptonit
From News: OPENTRUST has announced the availability of a new version of Cryptonit. This latest release is fully compatible with the Belgium electronic ID card which when used with Cryptonit enables documents to be digitally signed.
download
Under Debian:
apt-get install cryptonit Device->Load-> /usr/lib/libbeidpkcs11.so
It works, you can sign files with both certificates.
Note that the first PIN prompt doesn't matter, you'll get prompted directly by the libbeidpkcs11 middleware.
Note that for repetitive Authentication signings (even after close/reopen cryptonit) it doesn't prompt me anymore for the next signatures, but well if I want to use the non-repudiation one.
Exploring with jcshell
You can probably achieve the same with gpshell but I couldn't get gpshell working properly.
Trying GP211 AID:
Note that it works on a card from 2010 but on older cards there is no card manager accessible with that AID.
$ jcshell Welcome to NXP JCShell! (c) 2012 NXP Semiconductors Germany GmbH ------------------------------------------------------------------------------ setting scripts-folder to ./scripts ... enabling modes echo and trace... - /term pcsc --Opening terminal > /card -a a0000001510000 resetCard with timeout: 0 (ms) --Waiting for card... ATR=3B 98 13 40 0A A5 03 01 01 01 AD 13 11 ;..@......... IOCTL(). ATR: T = 0 => 00 A4 04 00 09 A0 00 00 01 67 41 30 00 FF .........gA0.. (153838 usec) <= 6A 86 j. Status: Incorrect parameters (P1,P2) => 00 A4 04 00 07 A0 00 00 01 51 00 00 00 .........Q... (87173 usec) <= 6F 18 84 07 A0 00 00 01 51 00 00 A5 0D 9F 6E 06 o.......Q.....n. 20 41 61 31 02 02 9F 65 01 FF 90 00 Aa1...e.... Status: No Error cm> get-cplc => 80 CA 9F 7F 00 ..... (80409 usec) <= 9F 7F 2A 40 90 66 93 20 41 61 31 02 02 20 3B 18 ..*@.f. Aa1.. ;. 0E 05 2A 00 13 19 42 00 00 19 43 00 00 19 44 00 ..*...B...C...D. 00 00 00 BA 01 FF FF FF FF FF FF FF FF 90 00 ............... Status: No Error IC Fabricator : 4090 IC Type : 6693 Operating System ID : 2041 Operating System release date : 6131 (10.5.2006) Operating System release level : 0202 IC Fabrication Date : 203B (10.2.20X2) IC Serial Number : 180E052A IC Batch Identifier : 0013 IC Module Fabricator : 1942 IC Module Packaging Date : 0000 ICC Manufacturer : 1943 IC Embedding Date : 0000 IC Pre-Personalizer : 1944 IC Pre-Perso. Equipment Date : 0000 IC Pre-Perso. Equipment ID : 0000BA01 IC Personalizer : FFFF IC Personalization Date : FFFF IC Perso. Equipment ID : FFFFFFFF cm> get-data 9f7f => 80 CA 9F 7F 00 ..... (80339 usec) <= 9F 7F 2A 40 90 66 93 20 41 61 31 02 02 20 3B 18 ..*@.f. Aa1.. ;. 0E 05 2A 00 13 19 42 00 00 19 43 00 00 19 44 00 ..*...B...C...D. 00 00 00 BA 01 FF FF FF FF FF FF FF FF 90 00 ............... Status: No Error cm> get-data 0066 => 80 CA 00 66 00 ...f. (103044 usec) <= 66 3F 73 3D 06 07 2A 86 48 86 FC 6B 01 60 0C 06 f?s=..*.H..k.`.. 0A 2A 86 48 86 FC 6B 02 02 01 01 63 09 06 07 2A .*.H..k....c...* 86 48 86 FC 6B 03 64 0B 06 09 2A 86 48 86 FC 6B .H..k.d...*.H..k 04 01 05 66 0C 06 0A 2B 06 01 04 01 2A 02 6E 01 ...f...+....*.n. 02 90 00 ... Status: No Error Global Platform version : 2.1.1 Global Platform Secure Channel Protocol: 01 option 05 Java Card version : 2.2 cm> get-data 0042 => 80 CA 00 42 00 ...B. (38576 usec) <= 42 06 FF FF FF FF FF FF 90 00 B......... Status: No Error cm> get-data 0045 => 80 CA 00 45 00 ...E. (40849 usec) <= 45 08 FF FF FF FF FF FF FF FF 90 00 E........... Status: No Error cm> get-data 00e0 => 80 CA 00 E0 00 ..... (74442 usec) <= E0 12 C0 04 01 01 80 10 C0 04 02 01 80 10 C0 04 ................ 03 01 80 10 90 00 ...... Status: No Error Key information: Key ID : 1 Key version : 1 Key component 1 : Type : DES Length : 16 bytes Key information: Key ID : 2 Key version : 1 Key component 1 : Type : DES Length : 16 bytes Key information: Key ID : 3 Key version : 1 Key component 1 : Type : DES Length : 16 bytes
Linux: TODO
TODO: Login
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
See also file:///usr/share/doc/opensc/PamModules.html
Bad side: it conflicts with xlockmore :-(
openssh way:
Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
before I was even prompted for my PIN
opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid chmod 0755 ~/.eid pkcs15-tool -r 2 > ~/.eid/authorized_certificates chmod 0644 ~/.eid/authorized_certificates
So I still couldn't find a way.
TODO: SSL Auth
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic
apt-get install libengine-pkcs11-openssl
To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.
See also file:///usr/share/doc/opensc/QuickStart.html
TODO: Apache SSL Reverse Proxy
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
and https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/EidForums/ForumEidCardReverseProxy0004
TODO: OpenGPG & x509
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
Sth to check: OpenPGP Signatures Incorporating X.509 Certificates
The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
Apparently PGP supports it already?
TODO: OpenVPN Auth
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
UPDATE openvpn 2.1~rc7-1 is available soon on Debian
TODO: Misc
- OpenSignature targeted for Italian eID
- Open Portal Guard for e.g. public administrations
- beidcrld: where are CRLs downloaded to?
- beidpcscd: how to test it?
- JAVA
- beidlib.jar: BEIDCard.html and Test.java
- http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/JavaEidSampleCodeTOC
- Novell version in C#...
- I could compile but still runtime errors
- http://www.law.kuleuven.be/icri/publications/954eIDPDFSignatures.pdf.pdf and other papers
- http://www.tonywhitmore.co.uk/cgi-local/wiki.pl?UsefulNotes/SmartCards
- WPA?? file:///usr/share/doc/opensc/WPA.html
- https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Eid/EidForum Danny opened some forums on eID, a lot to read probably ;-)
- http://javadoc.iaik.tugraz.at/iaik_jce/current/index.html
- http://www.uvcw.be/e-communes/eid & http://www.uvcw.be/articles/3,90,39,39,1398.htm
- http://www.disinstitute.be/
- http://www.eidating.be/
- http://www.belgium.be/eportal/application?pageid=contentPage&docId=30000 .. 45000?
- http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/AppletEidCardsUtilityTOC
- the applet loads but nothing happens when trying to see the content of the card :-(
- http://www.linux.com/feature/131527
- a JavaScript file to be used with the applet from the eID middleware, making it easier to retrieve data out (and format the data) of eID- and SIS cards using the applet from the eID middleware.