php how to sign a document with eid on a website


Koenraad Vanhoutte

Sep 2, 2020, 9:02:02 AM
to eID Middleware Dev
Hi, I'm working on a project where I need to present a document to the user, who needs to sign it using his/her eID. The site is running on CentOS 8.2 with an nginx reverse proxy and an Apache web server running PHP 7.4. I need a solution using PHP. Is there anyone who has done a similar thing and could give me some clues on how to realize this? I'm unfortunately not an expert PHP developer, so any help or some direction towards possible existing solutions would be very helpful.
Thank you,
Koenraad.

Wouter Verhelst

Sep 2, 2020, 9:13:20 AM
to eid-middl...@googlegroups.com
Hi Koenraad,

This is not all that easy. In order to sign a document with the eID, you need to present a secure hash of the document to the eID card which then needs to be signed by the card, and then you need to incorporate that signature into the document you are trying to sign. All this needs to be done in a way which understands the format of the file and the security properties of the signature. If you're not familiar with the intricacies of cryptography, it is fairly easy to accidentally create a document which would appear to be properly signed, but which actually can be forged by a determined attacker.

I would recommend that you look at some of the service companies that provide functionality like this, and that you ask them for an embeddable solution. This is going to be much safer than trying to do it yourself, if you're not that familiar with cryptography.

If you do have a relevant background, then there are certain options out there; e.g., the European government has written a DSS ("Digital Signing Service") code base that should help you to sign and validate certain documents, and with which you can get started. However, that one is written in Java, not in PHP, and is not a complete solution (more like a library) on which you would need to spend some significant amount of time to get to a working product.

Regards,

Koenraad Vanhoutte wrote on Tue 25-08-2020 at 16:12 [-0700]:

Margus Pala

Sep 8, 2020, 4:18:10 AM
to eID Middleware Dev
Hello

I am following up on the same topic. What is the recommended and de facto standard tech stack for Belgian eID card signing on the web? For some reason there seems not to be any browser signing integration in the downloadable package at https://eid.belgium.be/

I have built integrations for several other countries using the setup below. Do you have any better suggestions for the Belgian eID card? I can ask people to install these components, but it is much better if there is no extra software needed after installing the government-provided package.
  1. hwcrypto.js to get certificates and create signatures in the browser.
  2. Chrome token signing native components and browser extension from https://github.com/open-eid/chrome-token-signing. This has been integrated with Belgium Middleware as well.
  3. Java and DSS to create containers and signatures

Margus Pala
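The server-side half of the flow Wouter describes above (hash the document, let the card sign the hash, then embed the signature) combined with the browser stack Margus lists (hwcrypto.js plus a native token-signing component returning the certificate and signature to the page), as an added PHP example that is not code from this thread, from the eID middleware or from DSS. It assumes the browser posts the signing certificate and the signature as hex strings, that the card produced a PKCS#1 v1.5 RSA-SHA256 signature (the form openssl_verify() checks), and the CA bundle path, function names and session layout are invented for illustration. Embedding the result into a PAdES/XAdES/CAdES container is the format-specific step Wouter warns about and is left to a library such as DSS.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread, the eID middleware or DSS.
// Server side of a browser "hash -> sign on card -> verify" flow.
// Assumptions: the browser (e.g. hwcrypto.js + a native token-signing
// component) returns the signing certificate and the signature as hex;
// the card produced a PKCS#1 v1.5 RSA-SHA256 signature; CA_BUNDLE is an
// assumed path to the trusted eID CA chain.

const CA_BUNDLE = '/etc/ssl/eid/belgium-eid-ca-bundle.pem'; // assumed path

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Step 1: the server decides what gets signed. Keep the exact bytes
 * server-side and hand the browser only the digest and a one-time token.
 */
function startSigningSession(string $documentBytes): array
{
    $token  = bin2hex(random_bytes(16));
    $digest = hash('sha256', $documentBytes);   // hex digest for the browser
    $_SESSION['sign'][$token] = [
        'doc'     => $documentBytes,            // in practice a path to the stored file
        'expires' => time() + 300,
    ];
    return ['token' => $token, 'hashType' => 'SHA-256', 'hash' => $digest];
}

/**
 * Step 2: verify what came back. Returns the certificate subject on
 * success and throws on any failure. A client-sent hash is never used:
 * verification runs over the bytes stored in step 1.
 */
function finishSigningSession(string $token, string $certHex, string $sigHex): array
{
    $state = $_SESSION['sign'][$token] ?? null;
    unset($_SESSION['sign'][$token]);           // one-shot token, no replay
    if ($state === null || $state['expires'] < time()) {
        throw new RuntimeException('unknown or expired signing session');
    }

    $certDer = @hex2bin($certHex);
    $sig     = @hex2bin($sigHex);
    if ($certDer === false || $sig === false) {
        throw new RuntimeException('certificate or signature is not valid hex');
    }
    $certPem = "-----BEGIN CERTIFICATE-----\n"
             . chunk_split(base64_encode($certDer), 64, "\n")
             . "-----END CERTIFICATE-----\n";

    $cert = openssl_x509_read($certPem);
    if ($cert === false) {
        throw new RuntimeException('certificate does not parse');
    }

    // Chain and validity-period check against the trusted eID CAs only.
    if (openssl_x509_checkpurpose($cert, X509_PURPOSE_ANY, [CA_BUNDLE]) !== true) {
        throw new RuntimeException('certificate does not chain to a trusted eID CA');
    }

    // The card also carries an authentication certificate; only the
    // non-repudiation (signature) certificate may be accepted here.
    $info     = openssl_x509_parse($cert);
    $keyUsage = $info['extensions']['keyUsage'] ?? '';
    if (stripos($keyUsage, 'Non Repudiation') === false) {
        throw new RuntimeException('not a non-repudiation certificate: ' . $keyUsage);
    }

    // openssl_verify hashes the data itself, so pass the stored document
    // bytes: this binds the signature to our document, not to whatever
    // digest the browser claims it signed.
    $pub = openssl_pkey_get_public($cert);
    if (openssl_verify($state['doc'], $sig, $pub, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature does not verify over the stored document');
    }

    // $sig plus $certPem are what a PAdES/XAdES/CAdES library (e.g. DSS)
    // embeds into the document; that step is format-specific and not shown.
    return $info['subject'];
}
```

The two checks that matter are that the digest the browser signs is computed from bytes the server kept, and that verification runs over those same bytes, so a hash substituted on the client side cannot bind the user's signature to a different document. The keyUsage test rejects the card's authentication certificate, which the browser can offer just as easily, and which is not meant for signing documents.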

Wouter Verhelst

Sep 8, 2020, 5:03:07 AM
to eid-middl...@googlegroups.com
Hi Margus,

What is "recommended" isn't really obvious... there are various ways of doing authentication with the Belgian eID. The official middleware installs a PKCS#11 module, a crypto minidriver (on Windows), and a CryptoTokenKit driver (on macOS; previously also a TokenD there, which we now only do for older versions of macOS that require it; soon those will probably not be supported anymore). These components allow authenticating at the TLS layer using the certificates on the card as client certificates, using the mutual SSL protocol, to any website that wants to.

You are right that it is possible to do authentication with native messaging in most browsers these days (and on those browsers that don't support that, you can do other things like ActiveX (IE) or app addons (Safari) to do pretty much the same thing), but the official middleware does not ship anything like that; and even if it did, it wouldn't help you because such an addon needs to be able to communicate with the webpage, which if you're going to do it for "all websites" would tell the user it "wants to read your data on all websites everywhere", which is going to raise some red flags.

For signing data or reading detailed information you obviously can only use the second method, not the mutual TLS one, because the latter only gives you the data that's in the certificate, i.e., name, surname, national registry number, and (embedded in the latter) date of birth and sex. Anyone who does not either have access to the national registry or can communicate with the Belgian federal authentication service CSAM (which pretty much requires you to be a government) would have to use the second of the above two methods, too.

So while I understand your desire for a generic solution, there isn't really a possibility to do that in a way that would help anyone.

Margus Pala wrote on Sun 06-09-2020 at 01:26 [-0700]:

Margus Pala

Sep 8, 2020, 5:57:17 AM
to Wouter Verhelst, eid-middl...@googlegroups.com
Hello

User identification with Client Certificate Authentication is working well. This is also what CSAM is using and Belgium eID Middleware takes good care of it.

Regarding the signatures on the web I think I got my answer as well. There is no "official" browser integration similar to "Chrome Token Signing" in the installable package provided by the Belgian government, nor anywhere else, that all web-based integrations are using. This means that every vendor and integrator must ask all the users to install their own custom browser integration software for signing.

So I will keep on using the well-maintained and open-source Estonian Chrome Token Signing plugin from https://github.com/open-eid/chrome-token-signing/wiki/Token-Support and ask all the Belgians to install that, since it works with many countries' cards.

For example Latvia, Estonia and some others include browser signing integration in their middleware package. It's unfortunate that Belgium does not.

--
eID and eSignature developer tools
Margus Pala
CEO
+372 555 29 332

