Signing e-mails and PDFs with Belgian EID on Linux

With the current Covid-19 lockdown, more and more transactions are being handled remotely. In Belgium we can legally sign documents with a certificate stored on our eID (smartcard). However, when I started looking for information on how to do that on Linux, I could only find partial info: mainly on how to use LibreOffice to sign a document, but not on how to use your Belgian eID there, or on how to sign a PDF with the eID on Windows or Mac with Adobe Reader, but not on Linux. It took me a while to figure out how to get it working, so I'll try to glue all the parts together in this blog post. :)

Prerequisites

I assume you already have the eID middleware (eid-mw) installed, a working smartcard reader, and opensc installed.

Your eID should be in the smartcard reader while configuring and you should know your PIN.


Configure Thunderbird

LibreOffice reuses Thunderbird's Security Modules and Devices configuration. To use your Belgian eID in Thunderbird (and therefore in LibreOffice), you have to add some configuration.

Import the Belgium root CA into Thunderbird

You have to trust Belgium's root CA to be able to sign and check signatures. I tried to google for a download, but couldn't find a correct and up-to-date version. The most secure way to get it is probably to export it from your eID.
List the objects on your smartcard to find the CA object (you'll be prompted for the eID PIN for every pkcs11-tool command here):

$ pkcs11-tool --login --list-objects
Using slot 0 with a present token (0x0)
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Authentication
  ID:         02
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Authentication
  subject:    DN: C=BE, CN=Luc Stroobant (Authentication), SN=Stroobant, GN=Luc/serialNumber=XXXXXXXXXXXX
  ID:         02
Public Key Object; RSA 2048 bits
  label:      Authentication
  ID:         02
  Usage:      encrypt, verify
  Access:     local
Private Key Object; RSA
  label:      Signature
  ID:         03
  Usage:      sign, non-repudiation
  Access:     always authenticate, sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Signature
  subject:    DN: C=BE, CN=Luc Stroobant (Signature), SN=Stroobant, GN=Luc/serialNumber=XXXXXXXXXXXX
  ID:         03
Public Key Object; RSA 2048 bits
  label:      Signature
  ID:         03
  Usage:      encrypt, verify
  Access:     local
Certificate Object; type = X.509 cert
  label:      CA
  subject:    DN: C=BE, CN=Citizen CA/serialNumber=201510
  ID:         04
Public Key Object; RSA 4096 bits
  label:      CA
  ID:         04
  Usage:      encrypt, verify
  Access:     local
Certificate Object; type = X.509 cert
  label:      Root
  subject:    DN: C=BE, CN=Belgium Root CA3
  ID:         06
Public Key Object; RSA 4096 bits
  label:      Root
  ID:         06
  Usage:      encrypt, verify
  Access:     local


The root CA is ID 06 in my case (I suppose this will be the case on all cards, but I didn't check :)).
Export the root CA from your card and convert it to PEM:

$ pkcs11-tool --login --read-object --id 06 --type cert --output-file ca.der
$ openssl x509 -inform DER -in ca.der > ca.pem
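The script below is an added example and is not part of Luc's post. Instead of assuming the root CA is always ID 06, it parses the pkcs11-tool listing to find the certificate objects by label (Root, CA, Signature), exports all three, and runs openssl verify so you can confirm the Signature certificate actually chains up to the root you are about to trust in Thunderbird. It assumes pkcs11-tool (opensc) and openssl are installed, that the card is in the reader, and that pkcs11-tool prompts for the PIN on every call as in the post; the file names root.pem, citizen-ca.pem and signature.pem and the EID_EXPORT variable are my own choices. The SAMPLE_LISTING is a constructed, trimmed copy of the listing above so the parser can be exercised without a card.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes pkcs11-tool (opensc) and
# openssl are installed and the eID is in the reader.

# Parse the output of `pkcs11-tool --login --list-objects` (read from stdin)
# and print the ID of the X.509 certificate object carrying the given label.
# Key objects share the same labels and IDs, so only "Certificate Object"
# sections are considered.
find_cert_id() {
  awk -v want="$1" '
    /^Certificate Object/                    { in_cert = 1; label = ""; next }
    /^(Private Key|Public Key) Object/       { in_cert = 0; next }
    in_cert && $1 == "label:"                { label = $2; next }
    in_cert && $1 == "ID:" && label == want  { print $2; exit }
  '
}

# Export one certificate from the card by ID and convert it to PEM.
# (pkcs11-tool prompts for the PIN, as in the post.)
export_cert_pem() {
  id="$1"; out="$2"
  pkcs11-tool --login --read-object --id "$id" --type cert --output-file "$out.der"
  openssl x509 -inform DER -in "$out.der" -out "$out"
}

# Export Root, Citizen CA and Signature certificates and verify the chain
# before the root is imported into Thunderbird.
export_and_verify_chain() {
  listing=$(pkcs11-tool --login --list-objects)
  root_id=$(printf '%s\n' "$listing" | find_cert_id Root)
  ca_id=$(printf '%s\n' "$listing" | find_cert_id CA)
  sig_id=$(printf '%s\n' "$listing" | find_cert_id Signature)
  if [ -z "$root_id" ] || [ -z "$ca_id" ] || [ -z "$sig_id" ]; then
    echo "could not find Root/CA/Signature certificate objects on the card" >&2
    return 1
  fi
  export_cert_pem "$root_id" root.pem
  export_cert_pem "$ca_id" citizen-ca.pem
  export_cert_pem "$sig_id" signature.pem
  # The Citizen CA is an intermediate: pass it as untrusted and trust only the root.
  openssl verify -CAfile root.pem -untrusted citizen-ca.pem signature.pem
  # Show the subject and key usage: the Signature certificate is the one with
  # nonRepudiation, which is why it (not Authentication) is picked for signing.
  openssl x509 -in signature.pem -noout -subject -text | grep -A1 "Key Usage"
}

# Constructed sample listing (trimmed from the post's output) for an offline check.
SAMPLE_LISTING='Private Key Object; RSA
  label:      Signature
  ID:         03
Certificate Object; type = X.509 cert
  label:      Signature
  subject:    DN: C=BE, CN=Example Citizen (Signature)
  ID:         03
Public Key Object; RSA 2048 bits
  label:      Signature
  ID:         03
Certificate Object; type = X.509 cert
  label:      CA
  subject:    DN: C=BE, CN=Citizen CA/serialNumber=201510
  ID:         04
Certificate Object; type = X.509 cert
  label:      Root
  subject:    DN: C=BE, CN=Belgium Root CA3
  ID:         06
Public Key Object; RSA 4096 bits
  label:      Root
  ID:         06'

# Only touch the card when explicitly asked (EID_EXPORT=1 ./eid-chain.sh),
# so the parser part can be run and checked offline.
if [ "${EID_EXPORT:-0}" = "1" ]; then
  export_and_verify_chain
fi
```

Run it as EID_EXPORT=1 sh eid-chain.sh with the card inserted; the verify step must print "signature.pem: OK" before you import root.pem into Thunderbird. If it does not, the exported root and the card's certificates do not belong together and the root should not be trusted.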

In Thunderbird, go to Preferences > Account Settings and select Security for an account.

Thunderbird: account settings > security

To import the certificate, select Manage Certificates.

Thunderbird certificates window

There select Import to import the CA we just exported (use the pem file).

A window should appear where you can choose to trust the CA to identify websites and e-mail users. Select both options and hit OK.

Trust Belgium's root CA

Also close the Certificate Manager by hitting OK once more (keep the account settings window open).


Configure Security Device

In the account security settings, click on the last button Security Devices.

Thunderbird security devices screen

There you have to add a new security device for your eID. Click Load to configure your security device:

Configure security device for Belgian EID

Add a free description and, for Module filename, the path to beidpkcs11.so on your system. On my Ubuntu laptop with eid-mw 4.4, this is /usr/lib/x86_64-linux-gnu/pkcs11/beidpkcs11.so.

Confirm with OK and also click OK to close the device manager (and again: keep the account settings open).


Select the certificate for signing

Now, for each account where you want to sign with your eID, go to the field Digital Signing in the Security settings and click Select. You should get a pop-up where you select the Signature certificate in the dropdown at the top (make sure to check: the default is probably the Authentication certificate).

Selection of the EID certificate

Click OK.

You'll probably be prompted to select an encryption certificate too. Select No there, since the eID certificates can't be used for encryption.

Finally close the account settings window by clicking OK.


Test with a signed e-mail

Create a new mail to yourself and, in the Security dropdown, select Digitally Sign This Message. Now send the message. You'll get a pop-up that prompts for your eID PIN code.

Enter eID pin code

Enter the PIN and click OK.

The message you receive should have a sealed-letter icon with a question mark on it on the right. That's because your e-mail address is not included in the eID certificate, so Thunderbird is not able to verify the signature on its own.

eID signed message

You can check the certificate details:

Check eID certificate


Use LibreOffice to sign PDF documents

Now e-mail signing is nice and fine, but probably not all that useful. You should be aware that your social security number ("rijksregisternummer") is included in all signed messages and documents, so I personally don't recommend spreading that info with all your e-mails, since you never know where it ends up after a few forwards or viruses on the receiving end. :)

But as I already mentioned, you have to configure Thunderbird to be able to sign documents in LibreOffice, and that should work now. I'm not going to include all the steps here; digital signatures in LibreOffice are properly documented here. When you try to sign a document now, you should have the option to select the signature certificate from your eID:

LibreOffice select eID certificate to sign

If you select the signature certificate and sign, you'll get the pop-up that prompts for your PIN again. Afterwards the signature will be listed on the document:

LibreOffice: eID signed document


That was interesting, Luc. Thanks! That will come in handy...
