Tuesday, September 3. 2013
Today's entry is dedicated again to the Spanish electronic ID card (DNIe). This subject has been discussed several times on the blog, but this week the final act of the drama has been played: the code of OpenDNIe has finally been merged into OpenSC. I suppose that some of you do not understand why that integration is so important, and that is the reason for this entry.
The Spanish eID card project started several years ago and the first card was issued in March 2006. The needed software was ready very quickly and (to my surprise) the Spanish government did not only develop it for Windows: a DNIe module for OpenSC was ready within a few months. OpenSC is the project that provides access to smart cards and their cryptographic operations in the Linux / open source world; it also provides a PKCS#11 library for external applications. This code was initially not published, but after some months the source code could be downloaded from the DNIe page. The problem was that the module was released under the GPLv3 license while OpenSC uses the LGPL; this prevented a direct integration (see this bug for more information). Besides, the code of the module was never maintained, so it became outdated very quickly and soon could not be integrated with the new OpenSC versions in a straightforward way. My previous entry about the DNIe and the Java applet was from that time and talked about some of those issues.
After that messy situation a Spaniard (Juan Antonio Martinez) started a new implementation from scratch. He called the new module OpenDNIe and presented it on the OpenSC mailing lists at the beginning of 2011. For several months this second attempt was announced for inclusion in the main OpenSC project (initially for version 0.12.1, then for 0.12.2), but it was not merged until this week. During that time the new module lived on a Spanish site which provided packages for the OpenSC versions.
The new version 0.13.0 of OpenSC was released at the end of 2012. Again the integration of the OpenDNIe module was not there, and the situation was getting more and more complicated. Currently it seems that both OpenSC and OpenDNIe are undergoing important changes. The original developer of OpenDNIe seems not to be continuing with the project, and OpenSC is moving to GitHub, but I think that this is only the visible part of a complete change in the project's organization and management.
During the Christmas vacation I decided to check the status of OpenDNIe and its integration in the new OpenSC 0.13.0 version. I checked the differences and successfully compiled a working OpenDNIe/OpenSC 0.13.0. But I realized that someone else (Germán Blanco) was making the same effort, and he was being tidier and smarter than me: he was talking with people from the OpenSC project in order to finally merge the code. He did an incredible job, and this week there was a big commit that included the OpenDNIe changes in the OpenSC main branch.
So finally the Spanish DNIe is integrated in OpenSC. This milestone is incredibly important: as soon as the new version of the project is released, all the major Linux distributions will start to support the DNIe by default. Therefore any Spanish Linux user will be able to use his national eID card with minimal configuration (only the browser/application configuration will be needed). But the main question still stands: why did the Spanish government not follow this path from the beginning? In my humble opinion, because they did not understand how open source works. An effort to include the DNIe in Linux/UNIX was made (which is quite important, I must say), but it was done in absolutely the wrong way. If they had worked hand in hand with OpenSC from the beginning, all the following pain would not have been necessary.
At this moment the only way to get OpenSC/OpenDNIe working is compiling the sources directly from GitHub (let's see if we are lucky and the OpenSC people release the new version soon). I present a simple compilation on Debian testing which follows the project instructions step by step:
First, clone the project.
$ git clone https://github.com/OpenSC/OpenSC.git
Then check that your system (Debian in my case) has the needed packages.
# apt-get install pcscd libccid libpcsclite-dev libssl-dev libreadline-dev autoconf automake build-essential docbook-xsl xsltproc libtool
Compile the project with the needed OpenDNIe options (--enable-dnie-ui and --enable-sm are compulsory for OpenDNIe to work).
$ ./bootstrap
$ ./configure --prefix=/home/ricky/apps/opensc --enable-dnie-ui --enable-sm
$ make
$ make install
Now the pcscd daemon can be started. I started it in the foreground and with debugging, just for the first time.
# pcscd -f -d
This step is optional and obviously not necessary when OpenSC is used normally (pcscd will be started by the system by default). At this point, with no configuration at all, the OpenSC commands can be executed (the card should be inserted in your reader).
$ /home/ricky/apps/opensc/bin/opensc-tool -D | grep DNI
dnie DNIe: Spanish eID card
$ /home/ricky/apps/opensc/bin/dnie-tool -d
Using reader with a card: Broadcom Corp 5880 [Broadcom USH w/swipe sensor] (0123456789ABCD) 00 00
DNIe Number: *********
SurName: MARTIN
Name: RICARDO
The final part is configuring your browser to work with the PKCS#11 module that OpenSC provides. In Iceweasel (Firefox) go to Edit → Preferences → Advanced → Encryption.
Click the Security Devices button and add the compiled OpenSC PKCS#11 library (opensc-pkcs11.so, placed in the lib directory of the install prefix). Click the Load button and add the library.
The new OpenSC module appears and now you can log in to the DNI slot.
Now when the certificates are requested (clicking View Certificates in the same preferences window) Iceweasel shows the two certificates that our DNIe contains.
Besides, I tested the module with the DNIe testing page. The secure access to the page worked correctly, but the signing test did not work; my feeling is that the problem is in the Java/applet part (I am using OpenJDK with the IcedTea-Web plugin) and not in the OpenSC PKCS#11 module.
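As an added example (not code from the original post, nor from the OpenSC project), here is a POSIX shell script that runs the procedure above end to end and adds the check I would want before touching the browser: it confirms that the build was configured with both OpenDNIe flags (read back from config.log), that opensc-tool lists the dnie driver, and then signs a file through opensc-pkcs11.so with pkcs11-tool and verifies the signature with the certificate read from the card. If that last step passes, a failing signing test in the browser lies in the applet/plugin layer rather than in the PKCS#11 module. The paths, the key id and the SHA256-RSA-PKCS mechanism are assumptions; the mechanism in particular is a guess, since the page does not say which hashes the card supports (check with pkcs11-tool --list-mechanisms first).

```shell
#!/bin/sh
# Added example (not code from the original post or from the OpenSC project):
# build OpenSC from git with the OpenDNIe options, check that the dnie driver
# was compiled in, and exercise the PKCS#11 module with pkcs11-tool, i.e. the
# same library the browser loads, but without the browser or the Java applet.
# Assumptions: PREFIX/WORKDIR are placeholder paths, the key id comes from
# --list-objects, and MECH is a guess (older DNIe cards may only offer SHA1-RSA-PKCS).
set -eu

PREFIX="${PREFIX:-$HOME/apps/opensc}"
WORKDIR="${WORKDIR:-$HOME/src}"
MODULE="$PREFIX/lib/opensc-pkcs11.so"
MECH="${MECH:-SHA256-RSA-PKCS}"

# Both options are compulsory for OpenDNIe: --enable-sm builds the secure
# messaging channel the card requires, --enable-dnie-ui the signing dialog.
REQUIRED_FLAGS="--enable-dnie-ui --enable-sm"

# Return 0 when every required flag is present in the given configure line.
has_required_flags() {
    for flag in $REQUIRED_FLAGS; do
        case " $1 " in
            *" $flag "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Return 0 when the output of `opensc-tool -D` lists the dnie card driver.
dnie_driver_listed() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*dnie[[:space:]]'
}

# Extract the configure invocation that autoconf records in config.log, so an
# existing build can be checked for the OpenDNIe flags after the fact.
configured_with() {
    sed -n 's/^ *\$ \(\.\/configure.*\)$/\1/p' "$1" | head -n 1
}

# Map a PKCS#11 mechanism name such as SHA256-RSA-PKCS to the openssl digest name.
mech_digest() {
    printf '%s\n' "$1" | sed 's/-RSA-PKCS$//' | tr 'A-Z' 'a-z'
}

# Clone, configure and install OpenSC into $PREFIX (needs network access and
# the build dependencies from the apt-get line above).
build_opensc() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    [ -d OpenSC ] || git clone https://github.com/OpenSC/OpenSC.git
    cd OpenSC
    ./bootstrap
    ./configure --prefix="$PREFIX" $REQUIRED_FLAGS
    make
    make install
}

# Verify the build: configure flags recorded in config.log, driver listed,
# and the card readable through dnie-tool.
check_install() {
    has_required_flags "$(configured_with "$WORKDIR/OpenSC/config.log")" \
        || { echo "build was configured without the OpenDNIe flags" >&2; return 1; }
    dnie_driver_listed "$("$PREFIX/bin/opensc-tool" -D)" \
        || { echo "dnie driver is not compiled in" >&2; return 1; }
    "$PREFIX/bin/dnie-tool" -d
}

# Sign a file through the PKCS#11 module and verify the signature with the
# certificate read from the card. Success here means a failing browser test
# is in the applet/plugin layer, not in OpenSC.
pkcs11_sign_test() {
    key_id="$1"; infile="$2"
    "$PREFIX/bin/pkcs11-tool" --module "$MODULE" --list-slots
    "$PREFIX/bin/pkcs11-tool" --module "$MODULE" --login --list-objects
    "$PREFIX/bin/pkcs11-tool" --module "$MODULE" --login --read-object \
        --type cert --id "$key_id" --output-file cert.der
    "$PREFIX/bin/pkcs11-tool" --module "$MODULE" --login --sign \
        --mechanism "$MECH" --id "$key_id" \
        --input-file "$infile" --output-file "$infile.sig"
    openssl x509 -inform DER -in cert.der -pubkey -noout > pub.pem
    openssl dgst "-$(mech_digest "$MECH")" -verify pub.pem \
        -signature "$infile.sig" "$infile"
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        build) build_opensc ;;
        check) check_install ;;
        sign)  pkcs11_sign_test "$2" "$3" ;;
        *) echo "usage: $0 build|check|sign KEY_ID FILE" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh build-dnie.sh build`, then `check`, then `sign KEY_ID FILE`; the key id is the `ID:` that `--list-objects` prints for the signing key (the card holds an authentication certificate and a signing certificate, the two that Iceweasel shows). pkcs11-tool prompts for the PIN on `--login`, and with `--enable-dnie-ui` the signature additionally goes through the DNIe confirmation dialog, so run it from a session where that dialog can appear.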
The conclusion of this entry is quite important and a big lesson for anybody who wants to work in the open source world. Because the Spanish government decided to follow a crazy path with the Linux implementation of the DNIe (but please note that at least a Linux solution was thought of and done, which is much more than the usual Windows-only solution), the whole OpenDNIe module was developed by unselfish people in their spare time (mainly Juan Antonio). So please, when developing for Linux environments, remember that Linux is not Windows: the rules are different, and you have to work properly in order to be in all the major distributions. For me the DNIe is a clear example of the misunderstanding that exists around the FOSS world.
Special thanks to Juan Antonio and Germán for their work!
I have created a bug for its inclusion. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731235
Nice post, very helpful.
I was also wondering if you know how to configure Chrome to make it work with the DNIe.
Thanks in advance,
I have written a quick entry about installing opensc/opendnie in chrome/chromium:
Please check it if you are still interested.
Thanks for reading the blog!
If you take your card out of the reader and plug it in again (you will have to enter your PIN again) before clicking the signing test, you will get the page for the signature procedure.