New Belgian eID cards issued from May 2021


Chanthralekha Balakrishnan

Jun 24, 2021, 3:19:04 AM
to eID Middleware Dev
Dears

We have received reports from our application users that they get an error when trying to read customers' new Belgian eID cards, issued after 6 May 2021. I do not have test cards for the new cards yet.
Can someone tell me what has really changed in the new eID cards?

Many thanks in advance for your feedback.

Thanks and Regards
Chanthralekha

Frederik Vernelen

Jun 24, 2021, 3:19:57 AM
to eID Middleware Dev
Hello Chanthralekha,

You can find the mailing list announcement about the applet 1.8 cards here:
https://groups.google.com/g/eid-middleware-dev/c/ja5yHZOB_JM

It contains a link to our wiki where all the changes are listed:
https://github.com/Fedict/eid-mw/wiki/Applet-1.8

Wkr,
 Frederik


Chanthralekha Balakrishnan

Jul 24, 2021, 6:02:23 PM
to eID Middleware Dev
Dear Frederik

Thank you for your feedback. 
I have the following questions.

1. I see from the documentation that the CA root certificates might not be present at times. I could find the CA root certificates in (all 5 of) the test cards that we ordered and received. Will there be a case where this certificate is missing?

2. We use the OpenSSL functions EVP_VerifyInit(), EVP_VerifyUpdate() and EVP_VerifyFinal() for signature verification. EVP_VerifyFinal() returns success for the ID signature verification, but fails (with return code -1) for the address signature verification. The address signature length is 104 and I use the ECDSA with SHA384 algorithm. Do you have any clue about this address signature verification failure?

Many thanks in advance. 

Thanks and Regards
Chanthralekha

Machiel Sleeuwaert

Jul 26, 2021, 4:08:20 AM
to eID Middleware Dev
Hi Chanthralekha,

For your second question you can look at this thread: https://groups.google.com/g/eid-middleware-dev/c/BTsPgB-VCqI.
It describes how the address signature should be verified on the 1.8 cards.

Regards,
Machiel

Frederik Vernelen

Jul 26, 2021, 4:31:31 AM
to eID Middleware Dev
Hello Chanthralekha

Regarding your other point:
I cannot recall a current situation where the root CA is not present on the eID card.

Though this situation might change in the future; as the documentation mentions, this is a possibility:

If you want to be sure, it might be best to verify with rrn.

Wkr,
 Frederik



Wouter Verhelst

Jul 26, 2021, 5:02:11 AM
to eid-middl...@googlegroups.com
Hi,

For your first question: The eID viewers for Windows and macOS ship with the BRCA6, and they should be able to verify your eID card out of the box (the Linux one does not, currently, due to an oversight on our part; an update should be available soonishly). It does not ship with the test root CA (which is not the same CA as the one for production cards), and even if you add it to the trust store (which is possible) the card may still fail verification because a few other properties of the certificate do not match the ones of production cards (the OCSP and CRL URLs).

For your second question, you can look at the link which Machiel posted. For some more background, ECDSA signatures in ASN.1 format are variable length (in case of the P384 curve that is used for the eID card, they can be 102, 103, or 104 bytes long), and as the address may be updated (if the card's holder ever changes address), the signature may need to be updated as well, which means that the address signature file is always made to be 104 bytes long, even if the contents of the file is not.

Unfortunately, we also discovered that OpenSSL will bail out if the size of the signature that's passed to the library does not match the size of the signature that the ASN.1 encoding claims, so you need to use the correct size. If you want some inspiration, you can look at how the Linux and macOS viewers do verification (we use OpenSSL for those implementations, too). The relevant part that checks the address signature file size is here:


Regards,

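Added example, not code from the eID middleware or the viewers Wouter mentions: the size check his message describes, written against the C/OpenSSL style the thread uses. der_ecdsa_sig_len() parses the DER SEQUENCE header of the padded 104-byte address signature file to recover the real signature length (102, 103 or 104 for P-384) that must be passed as siglen to EVP_VerifyFinal(); build_sample_addr_sig_file() and its dummy r/s byte patterns are constructed here purely to exercise that check and are not real signatures.

```c
#include <string.h>

#define EID_ADDR_SIG_FILE_LEN 104  /* fixed size of the address signature file */

/* Length of the DER ECDSA signature SEQUENCE { r INTEGER, s INTEGER } at the start of buf,
 * header included, or 0 if no well-formed signature fits in buflen. Pass this value, not the
 * 104-byte file size, to EVP_VerifyFinal(); only short-form lengths occur for P-384. */
size_t der_ecdsa_sig_len(const unsigned char *buf, size_t buflen)
{
    size_t len, off; int i;
    if (buflen < 2 || buf[0] != 0x30 || buf[1] >= 0x80)
        return 0;
    len = 2 + buf[1];
    if (len > buflen)
        return 0;
    for (off = 2, i = 0; i < 2; i++) {  /* r and s must exactly fill the SEQUENCE */
        if (off + 2 > len || buf[off] != 0x02 || buf[off + 1] >= 0x80)
            return 0;
        off += 2 + buf[off + 1];
    }
    return off == len ? len : 0;
}

/* Constructed file image, NOT a real signature: r and s are dummy 48-byte patterns. DER
 * prefixes 0x00 when an integer's high bit is set, which is why real signatures come out
 * at 102, 103 or 104 bytes. Writes 104 bytes (zero padded), returns the DER length. */
size_t build_sample_addr_sig_file(unsigned char *out, int r_high_bit, int s_high_bit)
{
    int hb[2] = { r_high_bit, s_high_bit }, i;
    size_t pos = 2;
    memset(out, 0, EID_ADDR_SIG_FILE_LEN);
    for (i = 0; i < 2; i++) {
        out[pos++] = 0x02;
        out[pos++] = (unsigned char)(48 + (hb[i] ? 1 : 0));
        if (hb[i]) { out[pos++] = 0x00; out[pos] = 0x80; } else { out[pos] = 0x7f; }
        memset(out + pos + 1, 0xAB, 47);   /* remaining 47 dummy bytes of the integer */
        pos += 48;
    }
    out[0] = 0x30;
    out[1] = (unsigned char)(pos - 2);
    return pos;
}

/* Builds a sample file and measures the signature as seen through buflen bytes. */
size_t sample_sig_len(int r_high_bit, int s_high_bit, size_t buflen)
{
    unsigned char file[EID_ADDR_SIG_FILE_LEN];
    build_sample_addr_sig_file(file, r_high_bit, s_high_bit);
    return der_ecdsa_sig_len(file, buflen);
}
```

A return of 0 means the file should be rejected rather than handed to OpenSSL, which covers both a truncated read and a file that is all padding.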

Chanthralekha Balakrishnan

Jul 28, 2021, 10:22:55 AM
to eID Middleware Dev
Hi
Thank you for your explanation.
Address signature verification is fixed.

I was trying to understand the CA root certificate validation as per your explanation.
We normally store the CA root certificate as a .pem file in our application source. I have added the new .pem file to the source as well.
The certificate verification is done by the X509_verify_cert() function with "verify -CAfile file". With this, the CA root certificate verification succeeds on the test cards that we ordered. Do you think this will fail on the production cards?

Many thanks in advance. 

Regards
Chanthralekha

Wouter Verhelst

Jul 29, 2021, 4:16:33 AM
to eid-middl...@googlegroups.com
Hi,

If your code works with the test cards, and you wrote it so that it supports the production root certificate that you can download from https://repository.eidpki.belgium.be/#/download, then yes, it should work.
