Parsing information from an eid card from a web application


tom.r

Feb 11, 2021, 8:27:31 AM
to eID Middleware Dev
Hi, I'm a student, and I'm trying to implement the functionality of having a user insert an eid card into their card reader, being able to click a button to scan their eid card, and having it fill a form with information including.

I have this working locally, but from what I understand, this wouldn't work once the application is published online, seeing as how the PKCS11 wrapper seems to require direct access to the card reader in question.

Is there no way to implement this functionality without having to resort to the drag&drop solution of the eid viewer? And if so, could anyone point me in the right direction?

Thanks in advance.

Margus Pala

Feb 11, 2021, 8:51:26 AM
to eID Middleware Dev
TLS Client Certificate Authentication works very well with Belgium eID cards. Just be aware that some OS setups might not support SHA-1 signed cards anymore.

Wouter Verhelst

Feb 11, 2021, 9:11:34 AM
to eid-middl...@googlegroups.com
That's only an issue for the server certificate, not for the client certificate; browsers don't check the client certificate's validity, they only send it to the server.


Margus Pala

Feb 11, 2021, 9:59:58 AM
to eID Middleware Dev
Browser will read the eID card, sign TLS handshake and send to server. Server verifies signature and certificate and makes required info available to your application.

johan....@gmail.com

Feb 11, 2021, 10:09:37 AM
to eID Middleware Dev
Yes, that is theory; now we need the practical guidelines, but they are all hidden behind payable companies.
Belgian E-id is not very open source minded (not like the Estonian government).
Will post some links that helped me with some rudimentary checking to use an e-id.

johan....@gmail.com

Feb 11, 2021, 10:24:49 AM
to eID Middleware Dev
https://eid.eesti.ee/index.php/Authenticating_in_web_applications



They offer the links to the already made available root/CA in one pem file so all is in the correct order (see PDF)
https://installer.id.ee/media/id2019/Apache_2.4.38_EID_Demo.conf

If you ever find the same for the Belgian root/CA, please post it here; I got it from my own e-id but it doesn't cover all older cards or cards with a newer certificate.

kind regards

Johan

PS: my config and helpfiles; TLS 1.3 is not working yet so it needs to be disabled.

#wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt | openssl x509 -inform DER -outform PEM | tee -a ca-certs.pem > /dev/null
# adjust and run this command after the root expires in 2032
# see also this site, saved on a Windows PC
# http://wiki.yobi.be/wiki/OpenID-eID
SSLProtocol -all +TLSv1.2
SSLOptions +StdEnvVars
SSLVerifyClient optional
SSLVerifyDepth 10
SSLCACertificateFile /etc/ssl/certs/belgiumca4-chain.pem
<Location />
    # no special permissions needed in the root folder
</Location>
<Location /wp-admin>
    # a client certificate is mandatory here and its issuer must match the rule below
    SSLRenegBufferSize 10486000
    SSLVerifyClient require
    SSLRequire %{SSL_CLIENT_I_DN_C} eq "BE" \
        and ( %{SSL_CLIENT_I_DN_CN} in {"Citizen CA"} \
            or %{SSL_CLIENT_I_DN_CN} in {"Foreigner CA"} )
</Location>

Margus Pala

Feb 11, 2021, 10:28:49 AM
to eID Middleware Dev
Belgian Root CA certificates can be found from https://repository.eid.belgium.be/certificates.php?cert=Root&lang=nl
And here is another guide for configuring. https://eideasy.com/e-id-client-certificate-identification-in-apache2/ These days the CRL verification could also be replaced with OCSP check with SSLOCSPEnable and related Apache2 configuration parameters.

johan....@gmail.com

Feb 11, 2021, 10:34:29 AM
to eID Middleware Dev
thx Margus

For the Belgian root CAs, the Estonians offer a file that can be used immediately: correct order, correct format, all needed certs are included. The difficulty I have is to get the same for the Belgian E-id and not to make it myself.

johan....@gmail.com

Feb 11, 2021, 10:49:55 AM
to eID Middleware Dev
@Tom
When Clair's is open again we can have a beer together there to figure this out.

Wouter Verhelst

Feb 11, 2021, 11:58:12 AM
to eid-middl...@googlegroups.com
With "that", I was referring to SHA1. Browsers will reject SHA1 certificates, but for servers that's still configurable. Sorry for the confusion.

(a few years ago, I managed to still configure a webserver to accept client certificates that used MD5...)


Basic

Feb 12, 2021, 3:03:31 AM
to eID Middleware Dev
Hey, original poster here. Using a different account.

Thank you all for the information. As far as I understand it though, authenticating the user and parsing the certificate only grants me basic information like first and last name, and the national number, no? If this is the case, then the issue remains that I would like to retrieve the entire user identity through the browser, including things like address, their picture, ...

I don't know if this is beyond the scope of this group to be asking this question, but is there no way to somehow incorporate the eID viewer into the web application in such a way as to enable a user to insert their eID card, and have the eID viewer automatically relate the required information?

Once again, thank you all for your time.

Margus Pala

Feb 12, 2021, 3:31:58 AM
to eID Middleware Dev
Unfortunately or fortunately, address and picture are not part of the certificate, so TLS client certificate authentication does not provide them. For this a custom app is needed that the user needs to install on their computer and that you can access from JavaScript, and that can read all kinds of information from the card.
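
An added example, not code from any poster in this thread or from the eID middleware project: how an application behind an Apache configuration like the one posted above could consume the variables exported by `SSLOptions +StdEnvVars`, repeating the issuer check and extracting the few fields the certificate carries. The comma-separated DN layout, the subject attribute names `SN`, `GN` and `serialNumber`, the 11-digit check and every sample value are assumptions made for illustration.

```python
import re

# Issuer CNs accepted by the SSLRequire rule in the posted configuration.
ALLOWED_ISSUER_CNS = {"Citizen CA", "Foreigner CA"}


class ClientCertError(Exception):
    """The request carries no acceptable eID client certificate."""


def parse_dn(dn):
    """Split a DN such as "CN=..,serialNumber=..,C=BE" into a dict."""
    fields = {}
    for part in re.split(r"(?<!\\),", dn):  # commas that are not escaped
        key, sep, value = part.partition("=")
        if sep:  # keep the first occurrence and undo backslash escaping
            fields.setdefault(key.strip(), re.sub(r"\\(.)", r"\1", value.strip()))
    return fields


def identity_from_environ(environ):
    """Return name and national number from mod_ssl variables, or raise."""
    # "SSLVerifyClient optional" lets requests through without a certificate,
    # so the application checks the verification result itself.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise ClientCertError("no verified client certificate")
    if environ.get("SSL_CLIENT_I_DN_C") != "BE":
        raise ClientCertError("issuer country is not BE")
    if environ.get("SSL_CLIENT_I_DN_CN") not in ALLOWED_ISSUER_CNS:
        raise ClientCertError("issuer is not a Citizen CA or Foreigner CA")
    subject = parse_dn(environ.get("SSL_CLIENT_S_DN", ""))
    number = subject.get("serialNumber", "")
    if not re.fullmatch(r"\d{11}", number):  # assumption: 11-digit number
        raise ClientCertError("subject has no 11-digit serialNumber")
    return {"given_name": subject.get("GN", ""),
            "surname": subject.get("SN", ""),
            "national_number": number}


# Constructed sample of exported variables; not taken from a real card.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN_C": "BE",
    "SSL_CLIENT_I_DN_CN": "Citizen CA",
    "SSL_CLIENT_S_DN": "CN=Jan Voorbeeld (Authentication),SN=Voorbeeld,"
                       "GN=Jan,serialNumber=00000000097,C=BE",
}
```

Nothing in the returned dictionary goes beyond name and national number, which is why address and photo need a separate card-reading component on the user's machine.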

Basic

Feb 12, 2021, 4:17:13 AM
to eID Middleware Dev
That makes sense. Would it be possible to address the official eID viewer with JavaScript? Or do I truly need to build something from scratch to make this work?


Wouter Verhelst

Feb 12, 2021, 6:20:23 AM
to eid-middl...@googlegroups.com
You would need to build something yourself, although you wouldn't need to build it from absolute zero.

You can use the PKCS#11 module (which doubles as the eID card's official SDK) to access the card and read the data. Examples for how to do that can be found under https://github.com/Fedict/eid-mw/tree/master/doc/sdk/examples

Alternatively, you can also use the eid-viewer library (which is the common backend of the eID Viewer and which builds on top of the PKCS#11 module) for an event-driven approach. API docs for that library can be found at https://fedict.github.io/eid-mw/

Regards,
