- a tool to view the content of an eID card and which allows you to securely change your PIN on your smartcard reader (provided you are using a DP 850), or via a pseudo-secure pinpad.
- an ssh applet to establish a secure shell between your local computer and a (remote) ssh server. If the applet finds a DP 850 smartcard reader, you will be asked to enter your PIN on that reader; if not, you will be asked to enter your PIN through my very neat pseudo-secure PIN pad.
- an sftp applet to establish a secure file transfer application to securely transfer files between your local computer and a (remote) ssh server. You can enter your PIN through the cool pseudo-secure PIN pad, or on the PIN pad reader.
- an applet which allows you to read out your public (authentication) key. The (remote) ssh server requires this key in the ~/.ssh/authorized_keys file if you want to use the ssh and/or sftp applets...
begin ===================== Disclaimer ===================== begin
- The information on this page offers open source software (under the Gnu public license, cfr. http://www.gnu.org/copyleft/gpl.html) which works with the Belgian eID card
- If you read email using pine, you may want to use the Belgian eID-enabled pine client. Follow the installation procedure at Godot's pine configuration for Belgian eID cards section, and become happy. It currently validates signatures on incoming s/mime emails (e.g., if digitally signed with an eID card). Sending eID card-signed mails is under development.
- Unix users might use generation.one.v0007.tgz
- Windows users might use generation.one.v0007.zip
- If the secure pinpad reader VASCO DP850 is discovered, the reader's secure pinpad is used for all PIN entries.
- If a non-DP 850 smartcard reader is discovered, a very cool pseudo-secure pinpad is used for this purpose.
- The windows drivers for the Vasco reader DP850 can be downloaded from here. Make sure to install the drivers prior to connecting the reader to your computer...
- All source code provided on this page is provided as is. Although any comments (cfr. my contact details) are most welcome, one should not expect any support whatsoever when using/relying on this code. Note however, that I use it in various applications, and they are considered very stable.
- People interested in additional information on the deployment of the electronic identity card in Belgium may have a look at this page for external links on the Belgian electronic identity card.
A man of genius makes no mistakes. His errors are volitional and are the portals of discovery -- James Joyce, "Ulysses"
end ===================== Disclaimer ===================== end
Open source software to illustrate the eID card's basic functionality -- no guarantees -- undocumented -- use at your own risk ];->>
System requirements:
- a smartcard reader supported by your operating system and a properly configured pcsc service/daemon. The installation and configuration of your smartcard reader and corresponding system drivers is beyond this page's scope.
- a decent computer system with java (mandatory) and openssl (optional: only necessary if you wish to interpret or verify the eID card's certificates). I use the linux variant of j2sdk1.4.2 as can be found at http://java.sun.com and the openssl which comes with a plain debian installation. I use j2sdk1.4.2 and win32openssl-v0.9.7d on windows xp. The installation and configuration of this software is beyond this page's scope. Have a look at my knoppix installation instructions if you do not feel comfortable with your alien operating system ];-)
- a software bridge between the java application and the pcsc service/daemon. I use JPCSC, a JNI library that gives Java applications access to PCSC functions by mapping their requests onto an underlying native PCSC implementation. The software below therefore depends on JPCSC to communicate with real smart cards, and JPCSC in turn depends on a properly installed and configured PCSC environment. In particular, LD_LIBRARY_PATH must list the directories where the PCSC client libraries and the native JPCSC library libjpcsc.so are installed, and CLASSPATH must list the JPCSC jar file jpcsc.jar. The ``official'' PCSC package can be found here. If you follow the installation procedure below, all of these system/environment settings are set up automatically.
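The installation script below sets these three variables for you, but when a Java applet later fails with an UnsatisfiedLinkError or a ClassNotFoundException it is useful to be able to confirm quickly which prerequisite is missing. The following pre-flight check is an added example of mine, not part of the page's script or of JPCSC; it only reads JAVA_HOME, CLASSPATH and LD_LIBRARY_PATH, and the file names it looks for (javac, jpcsc.jar, libjpcsc.so, libpcsclite.so*) are the ones this page mentions.

```shell
#!/bin/sh
# Added example (not the page's own code): pre-flight check for the JPCSC
# bridge environment.  Reads JAVA_HOME, CLASSPATH and LD_LIBRARY_PATH only.

# _path_has PATTERN COLON-DIRS: return 0 if some listed directory holds a
# file matching PATTERN (a shell glob such as 'libpcsclite.so*').
_path_has() {
    pattern=$1
    oldifs=$IFS; IFS=:; set -- $2; IFS=$oldifs   # split the list on ':' only
    for d in "$@"; do
        for f in "$d"/$pattern; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# _classpath_has_jpcsc: return 0 if CLASSPATH names an existing jpcsc.jar.
_classpath_has_jpcsc() {
    oldifs=$IFS; IFS=:; set -- $CLASSPATH; IFS=$oldifs
    for e in "$@"; do
        case $e in
            *jpcsc.jar) [ -f "$e" ] && return 0 ;;
        esac
    done
    return 1
}

# check_eid_env: print one line per missing prerequisite and return the
# number of problems found (0 means the environment looks usable).
check_eid_env() {
    problems=0
    if [ ! -x "${JAVA_HOME:-/nonexistent}/bin/javac" ]; then
        echo "no java compiler at \$JAVA_HOME/bin/javac (JAVA_HOME='$JAVA_HOME')"
        problems=$((problems + 1))
    fi
    if ! _classpath_has_jpcsc; then
        echo "CLASSPATH does not list an existing jpcsc.jar"
        problems=$((problems + 1))
    fi
    if ! _path_has 'libjpcsc.so' "$LD_LIBRARY_PATH"; then
        echo "native JPCSC library libjpcsc.so not found on LD_LIBRARY_PATH"
        problems=$((problems + 1))
    fi
    if ! _path_has 'libpcsclite.so*' "$LD_LIBRARY_PATH"; then
        echo "PCSC client library libpcsclite.so not found on LD_LIBRARY_PATH"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Source the file (or paste the functions) after running the configuration step and call check_eid_env; a non-zero return value tells you how many of the four prerequisites are still missing.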
For windows users: unpack the zip file generation.one.v0007.zip in c:\ so that the unzip program can propagate its content into c:\eid. I use the script c:\eid\eid.script.bat to test the functionality described on this page (this batch file relies on the existence of a decent java virtual machine (i.e., the command ``java'') somewhere in the default path). This script creates a directory c:\eid.data to store its output.
Quick pointer to what you need if you are using a Unix variant:
- setting it up:
  - system configuration (may be a system-wide setting, or must be set before going any further)
  - unpack jpcsc (has to be done only once)
  - unpack eID code (has to be done only once)
  - compile eID code (has to be done only once)
- reading out citizen-related stuff
- generating signatures at the lowest level
- certificate-specific stuff:
  - read out the RootCA certificate
  - read out the CA certificate
  - read out the RRN certificate
  - read out the citizen's certificates
  - convert these certificates to make them more human-readable
  - convert these certificates to prepare (cryptographic) certificate validation
  - verify all these certificates
  - show all these certificates
# Unix users may paste the following instructions:
# propagating the eID configuration settings:
# location of the eID-specific code and jpcsc library:
export BELPIC=~/eid
mkdir -p $BELPIC/tarfiles $BELPIC/sources $BELPIC/pcsc
# specifying the java virtual machine which is used on this machine:
if test :$JAVA_HOME: = ::;then
export JAVA_HOME=/usr/lib/j2sdk1.4.2_05
fi
if test -e $JAVA_HOME/bin/javac
then echo -n
else echo SERIOUS PROBLEM: Could not find a java compiler...
fi
export PATH=$JAVA_HOME/bin:$PATH
# specification of the source code and jpcsc files:
export CLASSPATH=$BELPIC/sources:$BELPIC/jpcsc/bin/jpcsc.jar
# location of precompiled native jpcsc libary:
export LD_LIBRARY_PATH=$BELPIC/jpcsc/build/linux:$BELPIC/pcsc/lib
# determine where you will store the data read out from the eID card:
export BELPICDATA=$BELPIC/data
mkdir -p $BELPICDATA
# unpack and configure pcsc:
cd $BELPIC/pcsc
wget https://alioth.debian.org/download.php/419/pcsc-lite-1.2.0.tar.gz
tar -xzvf pcsc-lite-1.2.0.tar.gz
cd pcsc-lite-1.2.0
./configure --prefix=$BELPIC/pcsc --enable-usbdropdir=$BELPIC/pcsc/drivers --enable-muscledropdir=$BELPIC/pcsc/services
make install
cd $BELPIC/pcsc/lib
ln -s libpcsclite.so.0 libpcsclite.so.1
# extract the jpcsc archive into $BELPIC:
cd $BELPIC/tarfiles
if wget http://godot.studentenweb.org/eid/sources/jpcsc-0.8.0.zip
then echo successfully fetched the bridge software between the java source code and the smartcard reader
else echo problem fetching the bridge software between the java source code and the smartcard reader =========================================;fi
cd $BELPIC
if unzip $BELPIC/tarfiles/jpcsc-0.8.0.zip
then echo everything has successfully been untarred
else echo problem untarring the bridge software =========================================;fi
cd $BELPIC/jpcsc
sed s/'usr\/local\/pcsc'/'${BELPIC}\/pcsc'/ Config > Config.tmp
mv Config.tmp Config
make
# fetch and unpack the source code into $BELPIC/sources:
cd $BELPIC/tarfiles
if wget http://godot.studentenweb.org/eid/sources/generation.one.v0007.tgz
then echo successfully fetched the source code
else echo problem fetching the source code =========================================;fi
cd $BELPIC/sources
# All files are self-explanatory
if tar -xzvf $BELPIC/tarfiles/generation.one.v0007.tgz
then echo everything has successfully been untarred
else echo problem untarring the source code =========================================;fi
# compile the source code
# you can toggle the booleans showApdus and/or debugMode if you wish to see more communication details
if javac `find be -name \*java`
then echo all the code has successfully been compiled
else echo problem compiling the source code =========================================;fi
# read out the citizen's certificates:
if java be.godot.sc.apps.eid.be.ScReadNonRepudiationCertificate $BELPICDATA/citizen.identification.certificate.der
then if java be.godot.sc.apps.eid.be.ScReadAuthenticationCertificate $BELPICDATA/citizen.authentication.certificate.der
then echo successfully read out the authentication and non-repudiation certificates of the citizen
else echo problem reading out the authentication certificate =========================================;fi
else echo problem reading out the non-repudiation certificate =========================================;fi
# read out the citizen's main address:
if java be.godot.sc.apps.eid.be.ScReadCitizenAddressData $BELPICDATA/citizen.address.bin > $BELPICDATA/citizen.address.txt
then cat $BELPICDATA/citizen.address.txt
else echo problem reading out citizen address data =========================================;fi
# read out the citizen's personal data:
if java be.godot.sc.apps.eid.be.ScReadCitizenIdentityData $BELPICDATA/citizen.identity.file.bin > $BELPICDATA/citizen.identity.file.txt
then cat $BELPICDATA/citizen.identity.file.txt
else echo problem reading out the citizen data =========================================;fi
# read out the citizen's picture file:
if java be.godot.sc.apps.eid.be.ScReadCitizenPhoto $BELPICDATA/citizen.photo.jpg
then echo successfully read the citizen photo
else echo problem reading the citizen photo =========================================;fi
# read out the government's Root CA certificate:
if java be.godot.sc.apps.eid.be.ScReadRootCACertificate $BELPICDATA/citizen.rootca.der
then echo successfully read the root ca certificate
else echo problem reading the root ca certificate =========================================;fi
# read out the government's CA certificate:
if java be.godot.sc.apps.eid.be.ScReadCACertificate $BELPICDATA/citizen.ca.der
then echo successfully read the citizen ca certificate
else echo problem reading the citizen ca certificate =========================================;fi
# read out the RRN certificate:
if java be.godot.sc.apps.eid.be.ScReadRRNCertificate $BELPICDATA/rrn.certificate.der
then echo successfully read the RRN certificate
else echo problem reading the RRN certificate =========================================;fi
# convert the various certificates from DER format to PEM format, which is necessary to verify these certificates:
if openssl x509 -in $BELPICDATA/citizen.rootca.der -inform DER -outform PEM -out $BELPICDATA/citizen.rootca.pem
then if openssl x509 -in $BELPICDATA/rrn.certificate.der -inform DER -outform PEM -out $BELPICDATA/rrn.certificate.pem
then if openssl x509 -in $BELPICDATA/citizen.ca.der -inform DER -outform PEM -out $BELPICDATA/citizen.ca.pem
then if openssl x509 -in $BELPICDATA/citizen.identification.certificate.der -inform DER -outform PEM -out $BELPICDATA/citizen.identification.certificate.pem
then if openssl x509 -in $BELPICDATA/citizen.authentication.certificate.der -inform DER -outform PEM -out $BELPICDATA/citizen.authentication.certificate.pem;
then echo successfully converted all certificates from DER to PEM format
else echo problem converting the authentication certificate =========================================;fi
else echo problem converting the non-repudiation certificate =========================================;fi
else echo problem converting the citizen ca certificate =========================================;fi
else echo problem converting the root ca certificate =========================================;fi
else echo problem converting the RRN certificate =========================================;fi
# convert the various certificates from PEM format to TXT format, which makes them easier to read:
cd $BELPICDATA
for a in *pem;do
if openssl x509 -in $a -text > `basename $a .pem`.txt
then echo successfully converted $a
else echo problem converting $a =========================================;fi
done
# verify the cryptographic correctness of the various certificates:
if openssl verify -CAfile $BELPICDATA/citizen.rootca.pem $BELPICDATA/citizen.rootca.pem
then if openssl verify -CAfile $BELPICDATA/citizen.rootca.pem $BELPICDATA/citizen.ca.pem
then cat $BELPICDATA/citizen.rootca.pem $BELPICDATA/citizen.ca.pem > $BELPICDATA/trusted.certificates.txt
if openssl verify -CAfile $BELPICDATA/trusted.certificates.txt $BELPICDATA/citizen.identification.certificate.pem
then if openssl verify -CAfile $BELPICDATA/trusted.certificates.txt $BELPICDATA/citizen.authentication.certificate.pem
then echo successfully verified the non-repudiation and authentication certificates of the citizen and the certificates of the root ca and the citizen ca
else echo problem detected with the authentication certificate of the citizen =========================================;fi
else echo problem detected with the non-repudiation certificate of the citizen =========================================;fi
else echo problem detected with the citizen ca certificate =========================================;fi
else echo problem detected with the root ca certificate =========================================;fi
# show the various certificates using openssl:
if openssl x509 -in $BELPICDATA/citizen.rootca.der -inform DER -text -noout
then if openssl x509 -in $BELPICDATA/citizen.ca.der -inform DER -text -noout
then if openssl x509 -in $BELPICDATA/citizen.identification.certificate.der -inform DER -text -noout
then if openssl x509 -in $BELPICDATA/citizen.authentication.certificate.der -inform DER -text -noout
then echo successful dump of the authentication and non-repudiation certificates of the citizen and of the root ca and the citizen ca
else echo problem dumping the authentication certificate =========================================;fi
else echo problem dumping the non-repudiation certificate =========================================;fi
else echo problem dumping the citizen ca certificate =========================================;fi
else echo problem dumping the root ca certificate =========================================;fi
# generate and verify a non-repudiation/identification signature:
if java be.godot.sc.apps.eid.be.ScGenerateAndVerifyNonRepudiationSignature
then echo non-repudiation signature successfully generated
else echo problem generating the non-repudiation signature =========================================;fi
# generate and verify an authentication signature:
if java be.godot.sc.apps.eid.be.ScGenerateAndVerifyAuthenticationSignature
then echo authentication signature successfully generated
else echo problem generating the authentication signature =========================================;fi
# verify the digital signature produced by a Belgian eID card using, e.g., Mozilla Mail. Mozilla Mail creates s/mime messages that can be validated as follows (assume the email message is stored in smime.txt). Make sure the file smime.txt contains only one email message which starts with something like 'From whoever@wherever.com Tue Jul 10 18:07:25 2004'. If the sender's certificate was issued by a non-Belgian eID card CA, add that CA's root certificate in PEM format to the cafile:
wget http://certs.eid.belgium.be/belgiumrca.crt
openssl x509 -in belgiumrca.crt -inform der -outform pem -out cafile
echo starting signature verification...
if openssl smime -in smime.txt -CAfile cafile -verify -out email.content.txt -signer signer.certificate
then
echo the email signer used the following certificate:
openssl x509 -in signer.certificate -text -noout
echo
echo the email contains: ======= begin =======
cat email.content.txt
echo
echo email content: ======= end =======
echo signature was cryptographically correct
else
echo signature was ============ INVALID ============
fi
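The three openssl steps above (DER to PEM conversion, chain verification against the root and citizen CA, and S/MIME signature verification) are easier to reuse, and to test without a card in the reader, as shell functions. The block below is an added example of mine, not part of the page's script or of Godot's code. It assumes only the openssl command-line tool; the subject names, file names and the throwaway root/CA/citizen hierarchy that make_demo_pki builds are constructed for the example and stand in for the certificates the ScRead* applets would normally write to $BELPICDATA.

```shell
#!/bin/sh
# Added example (not the page's own code): reusable helpers for the
# certificate-chain and S/MIME verification steps, plus a constructed
# throwaway PKI so they can be exercised offline.  Needs only openssl.

# der_to_pem IN.der OUT.pem: convert a certificate as read from the card.
der_to_pem() {
    openssl x509 -in "$1" -inform DER -outform PEM -out "$2" 2>/dev/null
}

# verify_eid_chain ROOT.pem CA.pem LEAF.pem [LEAF.pem ...]
# Only the root is a trust anchor.  The citizen CA is passed as an UNTRUSTED
# intermediate, so it must itself chain to the root for a leaf to verify
# (the script above instead appends the CA to the trusted bundle after
# checking it against the root).  Returns 0 only if every leaf verifies.
verify_eid_chain() {
    root=$1; ca=$2; shift 2
    for leaf in "$@"; do
        openssl verify -CAfile "$root" -untrusted "$ca" "$leaf" >/dev/null 2>&1 || return 1
    done
    return 0
}

# verify_smime MESSAGE.txt ROOT.pem OUTDIR: check a signed S/MIME message
# against the root only; the intermediate has to travel inside the message.
# On success OUTDIR/content.txt and OUTDIR/signer.pem are written.
verify_smime() {
    mkdir -p "$3" || return 1
    openssl smime -verify -in "$1" -CAfile "$2" \
        -out "$3/content.txt" -signer "$3/signer.pem" >/dev/null 2>&1
}

# make_demo_pki DIR: build a constructed root -> citizen CA -> citizen chain,
# an unrelated root with a certificate under it, a DER copy of the citizen
# certificate (as the card would supply it) and a signed S/MIME message.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation
EOF
    _selfsigned() { # _selfsigned NAME SUBJECT
        openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
            -days 30 -keyout "$dir/$1.key" -out "$dir/$1.pem" -subj "$2" 2>/dev/null
    }
    _issue() { # _issue NAME SUBJECT ISSUER EXTENSION-SECTION
        openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$1.key" -out "$dir/$1.csr" -subj "$2" 2>/dev/null &&
        openssl x509 -req -in "$dir/$1.csr" -days 30 -CA "$dir/$3.pem" \
            -CAkey "$dir/$3.key" -CAcreateserial -extfile "$dir/demo.cnf" \
            -extensions "$4" -out "$dir/$1.pem" 2>/dev/null
    }
    _selfsigned root    "/C=BE/CN=Demo Root CA" &&
    _issue      ca      "/C=BE/CN=Demo Citizen CA" root ca &&
    _issue      citizen "/C=BE/CN=Demo Citizen (Authentication)" ca leaf &&
    _selfsigned other   "/C=XX/CN=Unrelated Root" &&
    _issue      rogue   "/C=XX/CN=Impostor" other leaf &&
    openssl x509 -in "$dir/citizen.pem" -outform DER -out "$dir/citizen.der" 2>/dev/null &&
    printf 'Subject: demo\n\nconstructed message body\n' > "$dir/body.txt" &&
    openssl smime -sign -in "$dir/body.txt" -signer "$dir/citizen.pem" \
        -inkey "$dir/citizen.key" -certfile "$dir/ca.pem" \
        -out "$dir/smime.txt" 2>/dev/null
}
```

With real card data you would call verify_eid_chain on $BELPICDATA/citizen.rootca.pem, $BELPICDATA/citizen.ca.pem and the two citizen certificates, and verify_smime on a saved message with the Belgian root as the only CAfile entry. Passing the citizen CA via -untrusted rather than putting it in the CAfile keeps the trust decision anchored on the root alone: a certificate from the unrelated hierarchy fails, and so does the genuine citizen certificate when the wrong root is supplied, even though the correct intermediate is present.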