Read eID with javascript

[Robin Tack]

Hello, for an upcoming project one of the requirements is to be able to read eID data from an eID reader using javascript. I would like to know if it's possible to read the data in javascript in an angular web app for example.

[Margus Pala]

If you want to use authentication then Client Certificate authentication is the way to go. This is done in the backend though and can be made available to Angular over some API.

If you want to create signatures then it is possible with hwcrypto js library and Chrome Token Signing browser integration. These are included in many countries middlewares but unfortunately for Belgium card the signer needs to install it separately.

Install this browser integration module https://github.com/open-eid/chrome-token-signing/releases/tag/v1.1.4 and https://chrome.google.com/webstore/detail/token-signing/ckjefchnfjhjfedoccjbhjpbncimppeg?hl=en . Try signing at https://hwcrypto.github.io/hwcrypto.js/sign.html 

Make sure that you are using latest Belgium eID Middleware 5.0.17. Earlier versions had issues in Windows.

You could also use eID Easy where all the complex parts are handled for you.

[Luc Saffre]

If you just want to read the public data on the card, then you might want to try https://eidreader.lino-framework.org
Some of our customers use it every day.
Disclaimer: I am the author.

Luc

--
You received this message because you are subscribed to the Google Groups "eID Middleware Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eid-middleware-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/eid-middleware-dev/ebc5a0b0-df10-4c12-861a-aa3411d51c76n%40googlegroups.com.

[Wouter Verhelst]

If you need to read the card from the browser side, you'll need a native-messaging extension to access the card.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging explains how that works for Firefox, Chrome, Edge, and modern Safari (the other two things that people pointed to in the thread probably do the same thing).

You'll need a native application to go with your extension which does the actual "hard work" to talk to the card.

This is all quite a bit of work to maintain though, so an alternative is to use one of the many identity providers out there that will read the card for you, and then provide the identity information back to you in an OAuth2 communication or so.

Regards,

Robin Tack schreef op do 08-04-2021 om 07:40 [-0700]:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and you expect to receive a link or attachment from them.

[Johan Seutens]

These identities providers are way to expensive for small businesses or little private projects

Kind regards

Johan

--
You received this message because you are subscribed to the Google Groups "eID Middleware Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eid-middleware-...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/eid-middleware-dev/63fe5f56dc80968bdf0b6289b71b2e1eb30f1fd9.camel%40zetes.com.

[Margus Pala]

For Johan

eideasy.com is totally free for Belgium eID card identification over OAuth 2.0

Disclaimer: I am the founder of eID Easy.

[Wouter Verhelst]

Hi Johan,

That's likely correct, yes. I didn't say it's the only solution; the option of writing your own native-messaging extension (or forking an existing one) is also still available.

Regardless of what option is chosen, the official middleware doesn't provide this, because a native-messaging extension that would provide support for doing this on third-party websites would require the "read data on all websites you visit everywhere", and that just raises too many big brother-style red flags.

Johan Seutens schreef op vr 09-04-2021 om 10:07 [+0200]:

[San Cien]

Hello everyone,

I need to use the ID service in an Angular Web Application.

I have read the different conversations and I understand that there are 2 solutions:

     

    - Use an existing provider like https://eideasy.com/, https://eidreader.lino-framework.org and https://www.e-contract.be/products/idp.

     - Implement a plugin that communicates with the card reader using "NativeMessaging". 

However, I can't afford to use a third party provider (professional reason). So I have some questions:

- Is it possible to use the official software (https://eid.belgium.be/en) with its own plugin? (As it is the case for https://eideasy.com/ if I understood well)

- Why only Firefox needs a plugin to communicate with it? (see https://eid.belgium.be/en)

- Is it based on Applet (which has been removed from Gecko 56, Chrome 47 and the removal is under consideration for WebKit and Edge. See https://developer.mozilla.org/fr/docs/Web/HTML/Element/applet) 

- If it is possible, what are the steps to set it up?

[Margus Pala]

Basic data (name, personal code) can be read using Client Certificate Authentication too. It must be implemented in server side and then you can provide API for Angular to get the user data. Sometimes you need user address but this is not available.

However this needs constant maintenance and its very easy to make critical errors. Here you can find some tips to make sure your TLS client certificate authentication is secure https://eideasy.com/smart-card-based-client-certificate-authentication-security/.

[Wouter Verhelst]

Hi San,

First, there are actually four options. Apart from the two that you point out, there is also:

• TLS mutual authentication. This will give you the client certificate, which contains the user's official first and last name, as well as their national registry number; the latter allows you to know their date of birth as well as their gender.
• There is a drag-and-drop functionality in the eid viewer, whereby you can drop an XML file on a webpage to automate filling out forms. Important to note here: the XML data is NOT signed, so this is trivially easy to forge; but if you're only worried about making people's lives a bit easier and a proof of identity is not required, then this may be sufficient. For more information on this, as well as a proof-of-concept implementation, see https://github.com/Fedict/eid-mw/tree/master/plugins_tools/eid-viewer/xml

As to your questions:

• The official software is a PKCS#11 module. It is definitely possible to write a native application that uses the PKCS#11 API to talk to the official software, and this may be the easiest way to get things going. There are probably some native messaging applications that do use that, and eideasy may be one of them (but I'm not too familiar with it, so can't say for sure).
• The firefox add-on actually doesn't communicate with the official software; all it does is configure firefox so that it knows where the official software can be found. This is because on the Windows and macOS platforms, Firefox is the only browser that uses the PKCS#11 platforms, and on these platforms it is not possible to register a PKCS#11 module system wide. As such, without the add-on, you would have to configure Firefox manually, but the procedure to do that is quite involved and not something you can expect a random user to understand (preferences -> Privacy & Security -> Security devices, then add the path to the PKCS#11 module and a name, and click "ok").
• The add-on is not based on a Java applet. There used to be an eID applet, but this is no longer supported because, as you rightly point out, there is no support for Java applets anymore in modern browsers.
• Your last question leaves quite some room for interpretation, so please clarify what you mean by "it", so I can give you more targeted instructions (if you want to, still)

Please also see the wiki page at https://github.com/Fedict/eid-mw/wiki/Development which contains an introduction on all the possible ways to develop with the eID as well as pointers to more information.

Kind regards,

San Cien schreef op vr 09-04-2021 om 07:52 [-0700]:

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and you expect to receive a link or attachment from them.

[San Cien]

Thanks a lot for your answers !

Sorry for the late reply.

I would like to retrieve the user data (including the address) using the official software, using a plugin I would develop, I am however a bit lost.

I discovered https://github.com/Fedict/fts-eidlink which was written to provide electronic signature and digital authentication, so I'm trying to build on it, but I have to admit that I'm a bit confused by the code.

I noticed that there was a C# and C client to communicate with the official state software if I understood correctly, so I don't need to compile one of them (I'm more comfortable with C#), and make the web plugin communicate with it, using a PKCS11 library, if I understood correctly ?

Can you help me in my approach please?

Kind regards,

[San Cien]

** so I need to compile one of them 

[Wouter Verhelst]

Hi San,

You can look at the eidlink (being renamed to beidconnect) to understand how the browser would communicate with your native component yes, but note that the native component of beidconnect doesn't actually use the PKCS#11 module to talk to the card (it uses direct PC/SC calls, which I wouldn't recommend for your purposes).

What your native code would need to do is:

• Communicate with the card using PKCS#11; the C and C# examples in the eid-mw repository show how to do that. If you're interested in writing C# code, then yes, you can ignore the C code examples.
• Communicate with the browser using a JSON protocol over stdout. The native component of beidconnect shows how that would work

On the browser side, you would then have an add-on that implements the Native Messaging API to talk to your native component, and that passes that on to the web page context.

Kind regards,

San Cien schreef op do 29-04-2021 om 00:08 [-0700]:

Thanks a lot for your answers !

Sorry for the late reply.

I would like to retrieve the user data (including the address) using the official software, using a plugin I would develop, I am however a bit lost.

I discovered https://github.com/Fedict/fts-eidlink which was written to provide electronic signature and digital authentication, so I'm trying to build on it, but I have to admit that I'm a bit confused by the code.

I noticed that there was a C# and C client to communicate with the official state software if I understood correctly, so I don't need to compile one of them (I'm more comfortable with C#), and make the web plugin communicate with it, using a PKCS11 library, if I understood correctly ?

Can you help me in my approach please?

Kind regards,

Le lundi 12 avril 2021 à 09:46:40 UTC+2, wouter....@zetes.com a écrit :

Hi San,

First, there are actually four options. Apart from the two that you point out, there is also:

• TLS mutual authentication. This will give you the client certificate, which contains the user's official first and last name, as well as their national registry number; the latter allows you to know their date of birth as well as their gender.

• There is a drag-and-drop functionality in the eid viewer, whereby you can drop an XML file on a webpage to automate filling out forms. Important to note here: the XML data isNOT signed, so this is trivially easy to forge; but if you're only worried about making people's lives a bit easier and a proof of identity is not required, then this may be sufficient. For more information on this, as well as a proof-of-concept implementation, see https://github.com/Fedict/eid-mw/tree/master/plugins_tools/eid-viewer/xml

As to your questions:

• The official software is a PKCS#11 module. It is definitely possible to write a native application that uses the PKCS#11 API to talk to the official software, and this may be the easiest way to get things going. There are probably some native messaging applications that do use that, and eideasy may be one of them (but I'm not too familiar with it, so can't say for sure).

• The firefox add-on actually doesn't communicate with the official software; all it does isconfigure firefox so that it knows where the official software can be found. This is because on the Windows and macOS platforms, Firefox is the only browser that uses the PKCS#11 platforms, and on these platforms it is not possible to register a PKCS#11 module system wide. As such, without the add-on, you would have to configure Firefox manually, but the procedure to do that is quite involved and not something you can expect a random user to understand (preferences -> Privacy & Security -> Security devices, then add the path to the PKCS#11 module and a name, and click "ok").

• The add-on is not based on a Java applet. There used to be an eID applet, but this is no longer supported because, as you rightly point out, there is no support for Java applets anymore in modern browsers.
• Your last question leaves quite some room for interpretation, so please clarify what you mean by "it", so I can give you more targeted instructions (if you want to, still)

Please also see the wiki page at https://github.com/Fedict/eid-mw/wiki/Development which contains an introduction on all the possible ways to develop with the eID as well as pointers to more information.

Kind regards,

San Cien schreef op vr 09-04-2021 om 07:52 [-0700]:

[San Cien]

Hello Wouter,

Thank you very much for all your clarifications, I will try to put it all together!

Kind regards,

Sandra

[Bram]

Hi Sandra,

Have you been able to read the information from the eID card using Angular?

Do you have a demo project? 

Best,

Bram

Op donderdag 29 april 2021 om 12:45:59 UTC+2 schreef sandra.cie...@gmail.com:

[Bert Vanpeteghem]

Hi all,

Piggy-backing on this thread, there are some options listed so far, mainly for authentication.

We're in need for a solution, for the use case, to get eID info onto a web page: eg INSZ number, first name, last name.
But, we only need identification, and so preventing that the user needs to enter an PIN.

What are the remaining options?

• Third party IDP + browser plugin (e-contract.be). I assume the browser plugin uses Native Messaging to the BOSA eid-mw or its own native app on the OS? 
  I tested the demo, this seems promising. Comes with a cost, except for eideasy.
• DIY browser plugin + native app
  Possibly high maintenance cost (keeping browser plugins compatible with browser updates)
• Client Certificate Authentication
  Is not an option because it needs the user to enter PIN
• Drag & Drop from the viewer, which we already use, but we're looking how to use a more user friendly option

Is this a correct summary of this thread?

Another question. e-contract IDP and the Swelio C# library (https://www.nuget.org/packages/Swelio/) seem to be able to read out the data without the eID middleware.

What is the added value of installing the middleware itself?

Kind regards, 

Bert

Op vrijdag 9 juli 2021 om 10:00:43 UTC+2 schreef bramgoe...@gmail.com: