With the current Covid-19 lockdown, more and more transactions are getting handled remote. In Belgium we have the possibility to legally sign documents with a certificate stored on our eID (smartcard). However... when I started looking for information on how to do that on Linux, I could only find partial info. Mainly on how to use LibreOffice to sign a document, but not on how to use your Belgian eID there. Or information on how to sign a PDF with eID on Windows or Mac with Adobe reader, but not on Linux. It took me a while to figure out how to get it working, so I'll try to glue all parts together in this blog post. :)
I suppose you already have the eID middleware installed, a working smartcard reader and opensc installed.
Your eID should be in the smartcard reader while configuring and you should know your PIN.
LibreOffice is using the Thunderbird Security Modules and Devices manager. To use your Belgian eID in Thunderbird, you have to add some configuration.
Import the Belgium root CA into Thunderbird
You have to trust the root CA from Belgium to be able to sign and check signatures. I tried to google for a download, but couldn't find a correct and up to date version. The most secure way to get it, is probably to export it from your eID.
List the objects on your smartcard to find the CA object (you'll be prompted for the eID pin for every pkcs11-tool command here):
$ pkcs11-tool --login --list-objects Using slot 0 with a present token (0x0) Logging in to "BELPIC (Basic PIN)". Please enter User PIN: Private Key Object; RSA label: Authentication ID: 02 Usage: sign Access: sensitive, always sensitive, never extractable, local Certificate Object; type = X.509 cert label: Authentication subject: DN: C=BE, CN=Luc Stroobant (Authentication), SN=Stroobant, GN=Luc/serialNumber=XXXXXXXXXXXX ID: 02 Public Key Object; RSA 2048 bits label: Authentication ID: 02 Usage: encrypt, verify Access: local Private Key Object; RSA label: Signature ID: 03 Usage: sign, non-repudiation Access: always authenticate, sensitive, always sensitive, never extractable, local Certificate Object; type = X.509 cert label: Signature subject: DN: C=BE, CN=Luc Stroobant (Signature), SN=Stroobant, GN=Luc/serialNumber=XXXXXXXXXXXX ID: 03 Public Key Object; RSA 2048 bits label: Signature ID: 03 Usage: encrypt, verify Access: local Certificate Object; type = X.509 cert label: CA subject: DN: C=BE, CN=Citizen CA/serialNumber=201510 ID: 04 Public Key Object; RSA 4096 bits label: CA ID: 04 Usage: encrypt, verify Access: local Certificate Object; type = X.509 cert label: Root subject: DN: C=BE, CN=Belgium Root CA3 ID: 06 Public Key Object; RSA 4096 bits label: Root ID: 06 Usage: encrypt, verify Access: local
The CA is ID 06 in my case (and I suppose this will be the case on all cards, but didn't check :)).
Export the root CA from your card and convert it to a pem:
$ pkcs11-tool --login --read-object --id 06 --type cert --output-file ca.der $ openssl x509 -inform DER -in ca.der > ca.pem
In Thunderbird, go to Preferences > Account Settings and select Security for an account.
To import the certificate, select Manage Certificates.
There select Import to import the CA we just exported (use the pem file).
A window should appear where you can select to trust the CA to idenitfy websites and e-mail users. Select both options and hit OK.
Also close the Certificate Manager by hitting OK once more. (keep the account settings window open)
Configure Security Device
In the account security settings, click on the last button Security Devices.
There you have to add a new security device for your E-ID. Click Load to configure our security device:
Add a free description and for Module filename the path to beidpkcs11.so on your system. On my Ubuntu laptop with eid-mw 4.4, this is /usr/lib/x86_64-linux-gnu/pkcs11/beidpkcs11.so .
Confirm with OK and also click OK to close the device manager. (and again: keep the account settings open)
Select the certificate for signing
Now for each account where you want to sign with your EID, in the Security settings go to the field Digital Signing and click Select. You should get a pop-up where you select the Signature certificate in the dropdown on the top. (make sure to check, the default is probably the authentication certificate).
You'll probably be prompted to select an encryption certificate too. Select No there, since the EID certificates can't be used for encryption.
Finally close the account settings window by clicking OK.
Test with a signed e-mail
Create a new mail to yourself and in the Security dropdown, select Digitally Sign This Message. Now Send the message. You'll get a pop-up that prompts for your eID pincode.
Enter the pin and click OK.
The message you receive should have a sealed letter with a question mark on it on the right. That's because your e-mail address is not included in the eID certificate, so Thunderbird is not able to verify the security on it's own.
Use LibreOffice to sign PDF documents
Now the e-mail signing is nice and fine, but probably not all that useful. You should be aware that your social security number ("rijksregister nummer"), is included in all signed messages and documents. So I personally don't really recommend to spread that info with all your e-mails since you never know where it ends after a few forward of virusses on the receiving end. :)
But as I already mentioned before, you have to configure Thunderbird to be able to sign documents in LibreOffice and that should work now. I'm not gone include all steps there, digital signatures in LibreOffice is properly documented here. When you try to sign a document now, you should have the option to select the signature certificate from your eID:
If you select the signature certificate and sign, you'll get the pop-up that prompts for your pin again. Afterwards the signature will be listed on the document:
Wouter Verhelst sent some useful remarks on Twitter:
- The CA can be found on https://certs.eid.belgium.be/ (however, it's a long list there :)).
- Some versions of LibreOffice on Linux use p11-kit or the chrome configuration rather than the thunderbird one. We already register the Middleware work those two upon installation, so it might just work! I tried that that on a Fedora 32 system to compare and can confirm: it worked there without this manual configuration.
Wouter Verhelst fixed the configuration script upstream to include Thunderbird configuration. So in future versions this howto should be no longer required.