Signing e-mails and PDFs with Belgian EID on Linux

With the current Covid-19 lockdown, more and more transactions are getting handled remote. In Belgium we have the possibility to legally sign documents with a certificate stored on our eID (smartcard). However... when I started looking for information on how to do that on Linux, I could only find partial info. Mainly on how to use LibreOffice to sign a document, but not on how to use your Belgian eID there. Or information on how to sign a PDF with eID on Windows or Mac with Adobe reader, but not on Linux. It took me a while to figure out how to get it working, so I'll try to glue all parts together in this blog post. :)

Prerequisites

I suppose you already have the eID middleware installed, a working smartcard reader and opensc installed.

Your eID should be in the smartcard reader while configuring and you should know your PIN.

 

Configure Thunderbird

LibreOffice is using the Thunderbird Security Modules and Devices manager. To use your Belgian eID in Thunderbird, you have to add some configuration.

Import the Belgium root CA into Thunderbird

You have to trust the root CA from Belgium to be able to sign and check signatures. I tried to google for a download, but couldn't find a correct and up to date version. The most secure way to get it, is probably to export it from your eID.
List the objects on your smartcard to find the CA object (you'll be prompted for the eID pin for every pkcs11-tool command here):

$ pkcs11-tool --login --list-objects
Using slot 0 with a present token (0x0)
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Authentication
  ID:         02
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Authentication
  subject:    DN: C=BE, CN=Luc Stroobant (Authentication), SN=Stroobant, GN=Luc/serialNumber=XXXXXXXXXXXX
  ID:         02
Public Key Object; RSA 2048 bits
  label:      Authentication
  ID:         02
  Usage:      encrypt, verify
  Access:     local
Private Key Object; RSA
  label:      Signature
  ID:         03
  Usage:      sign, non-repudiation
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Signature
  subject:    DN: C=BE, CN=Luc Stroobant (Signature), SN=Stroobant, GN=Luc/serialNumber=XXXXXXXXXXXX
  ID:         03
Public Key Object; RSA 2048 bits
  label:      Signature
  ID:         03
  Usage:      encrypt, verify
  Access:     local
Certificate Object; type = X.509 cert
  label:      CA
  subject:    DN: C=BE, CN=Citizen CA/serialNumber=201510
  ID:         04
Public Key Object; RSA 4096 bits
  label:      CA
  ID:         04
  Usage:      encrypt, verify
  Access:     local
Certificate Object; type = X.509 cert
  label:      Root
  subject:    DN: C=BE, CN=Belgium Root CA3
  ID:         06
Public Key Object; RSA 4096 bits
  label:      Root
  ID:         06
  Usage:      encrypt, verify
  Access:     local

 

The CA is ID 06 in my case (and I suppose this will be the case on all cards, but didn't check :)).
Export the root CA from your card and convert it to a pem:

$ pkcs11-tool --login --read-object --id 06 --type cert --output-file ca.der
$ openssl x509 -inform DER -in ca.der > ca.pem

In Thunderbird, go to Preferences > Account Settings and select Security for an account.

Thunderbird: account settings > security

To import the certificate, select Manage Certificates.

Thunderbird certificates window

There select Import to import the CA we just exported (use the pem file).

A window should appear where you can select to trust the CA to idenitfy websites and e-mail users. Select both options and hit OK.

Trust Belgium's root CA

Also close the Certificate Manager by hitting OK once more. (keep the account settings window open)

 

Configure Security Device

In the account security settings, click on the last button Security Devices.

Thunderbird security devices screen

There you have to add a new security device for your E-ID. Click Load to configure our security device:

Configure security device for Belgian EID

Add a free description and for Module filename the path to beidpkcs11.so on your system. On my Ubuntu laptop with eid-mw 4.4, this is /usr/lib/x86_64-linux-gnu/pkcs11/beidpkcs11.so .

Confirm with OK and also click OK to close the device manager. (and again: keep the account settings open)

 

Select the certificate for signing

Now for each account where you want to sign with your EID, in the Security settings go to the field Digital Signing and click Select. You should get a pop-up where you select the Signature certificate in the dropdown on the top. (make sure to check, the default is probably the authentication certificate).

Selection of the EID certificate

Click OK.

You'll probably be prompted to select an encryption certificate too. Select No there, since the EID certificates can't be used for encryption.

Finally close the account settings window by clicking OK.

 

Test with a signed e-mail

Create a new mail to yourself and in the Security dropdown, select Digitally Sign This Message. Now Send the message. You'll get a pop-up that prompts for your eID pincode.

Enter eID pin code

Enter the pin and click OK.

The message you receive should have a sealed letter with a question mark on it on the right. That's because your e-mail address is not included in the eID certificate, so Thunderbird is not able to verify the security on it's own.

eID signed message

Check certificate.

Check eID certificate

 

Use LibreOffice to sign PDF documents

Now the e-mail signing is nice and fine, but probably not all that useful. You should be aware that your social security number ("rijksregister nummer"), is included in all signed messages and documents. So I personally don't really recommend to spread that info with all your e-mails since you never know where it ends after a few forward of virusses on the receiving end. :)

But as I already mentioned before, you have to configure Thunderbird to be able to sign documents in LibreOffice and that should work now. I'm not gone include all steps there, digital signatures in LibreOffice is properly documented here. When you try to sign a document now, you should have the option to select the signature certificate from your eID:

LibreOffice select eID certificate to sign

If you select the signature certificate and sign, you'll get the pop-up that prompts for your pin again. Afterwards the signature will be listed on the document:

LibreOffice: eID signed document

 

Update 1

Wouter Verhelst sent some useful remarks on Twitter:

  • The CA can be found on https://certs.eid.belgium.be/ (however, it's a long list there :)).
  • Some versions of LibreOffice on Linux use p11-kit or the chrome configuration rather than the thunderbird one. We already register the Middleware work those two upon installation, so it might just work! I tried that that on a Fedora 32 system to compare and can confirm: it worked there without this manual configuration.

Update 2

Wouter Verhelst fixed the configuration script upstream to include Thunderbird configuration. So in future versions this howto should be no longer required.

 

Dat was interessant, Luc. Bedankt! Dat komt nog van pas...

Goeie dag Luc,
Met heel veel aandacht heb ik je handleiding gelezen over het digitaal ondertekenen met de eID kaart van mails en documenten in libreoffice.
Ik ben medewerker op het pchelpforum en iemand vroeg mij om hulp voor het digitaal ondertekenen van mails en pdf documenten.
Dus ik dacht je handleiding daarin te gebruiken maar kwam op een probleem.
Namelijk dat thunderbird nu aan versie 78 is en dat het anders is.
Die smartcard lezer wordt niet meer ondersteund.
Zou je het zien zitten om mij hierin te helpen dit op te lossen?
Met vriendelijke groeten,
Hendrik

Dag Luc,

Ik heb deze documentatie zorgvuldig gelezen en toegepast.
In thunderbird kan ik emails tekenen, dat lukt.
Maar in LibreOffice wordt mijn certificaat niet getoond in de lijst van certificaten. Deze blijft leeg.

Enige idee wat hier aan de hand zou kunnen zijn ?

In LibreOffice staat het certificate path naar thunderbird.

Mijn configuratie :
beid
Linux Mint Linux Mint 19 Cinnamon
LibreOffice Version: 6.0.7.3

Met vriendelijke groeten,

Bruno

I tried these steps on NixOS and they worked, thanks :)

On NixOS, you need to have this in config:

services.pcscd.enable = true;

and add pkgs.eid-mw to the environment.systemPackages list. Then the module for loading in Thunderbird is at

/run/current-system/sw/lib/pkcs11/beidpkcs11.so

After configuring, I had to restart libreoffice and the certificates were available.

The pkcs11-tool can be used from nix-shell -p opensc

One more thing: you're proposing to trust the beid root for both websites and signatures, but it should only be for signatures. Otherwise, the Belgian government can do man-in-the-middle attacks on your facebook :)

Add new comment

The content of this field is kept private and will not be shown publicly.

Filtered HTML

  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.