Sunday, September 5. 2010
DNIe and the Signature Applet
Previously I talked about how to deal with web security and certificates in a two-part series of entries. In the first post I talked generally about security concerns and presented a small solution based on Java applets. The second one extended the PoC using the same certificate stores that some browsers use (IE and Firefox). I already said that a real security device (crypto card, crypto USB token, ...) was the missing piece, and I told you all that the time would come with the renewal of my Spanish electronic identity (eID) card. The time is here!
DNIe (this is how the new Spanish eID card is known) holds two certificates (each valid for two years), one for digital signature and the other for authentication, plus two fingerprints (right and left index finger), the handwritten signature and a photo. First of all I want to say that integrating the DNIe in Linux is quite a hell. The Linux implementation is based on the OpenSC project. This project is an old friend in the Linux world: it implements a PKCS#15 backend (PKCS#15 is the RSA standard that defines how data is organized on a card) and provides a PKCS#11 library (the RSA standard API for talking to crypto devices) that can be loaded into Firefox and many other applications. DNIe distributes an extra library not included in the common OpenSC bits (the library is called libopensc-dnie.so and ships in the opensc-dnie package), which is configured in the OpenSC configuration file as an external shared library. At first sight I thought these bits were only distributed as a closed blob, but then I realized that there is also a source zip file. So I am going to explain both installation methods (following exactly the same steps I performed).
To make the DNIe blob work on my Debian testing box I needed to download Debian_Lenny_opensc-dnie_1.4.6-2_i386.deb.tar from the official DNIe page. The problem is that the blob only works with the bundled 0.11.7 version of OpenSC (the current version is 0.11.13), so you must install exactly these packages:
# dpkg -i libltdl3_1.5.26-4+lenny1_i386.deb libopensc2_0.11.7-7_i386.deb opensc_0.11.7-7_i386.deb opensc-dnie_1.4.6-2_i386.deb
The first one, libltdl3, is a Lenny (stable) package that has disappeared from testing, but it is required by opensc/DNIe and is not included in the distribution tar file. Of course you also need to put the Debian opensc packages on hold (otherwise any upgrade will break your DNIe again):
# echo "opensc hold" | dpkg --set-selections
# echo "libopensc2 hold" | dpkg --set-selections
This integration is so crappy that I had decided not to use the DNIe in Debian (I would rather have used a Windows virtual machine or similar than dirty my system this way). But then, as I mentioned, I found a source distribution on the same download page. The source is not complete (it seems some certificate and key variables have been deleted from the source, and one file does not compile), but this thread on Kriptopolis (a Spanish security web site) explains how to make it work. The thread is quite long, but it was worth the time. After some nm and objdump commands I finally compiled the sources. Now I have my own libopensc-dnie.so, which links perfectly against OpenSC 0.11.13, the Debian testing version, and it works without a problem using the same opensc.conf configuration file that the blob DNIe packages provide. The new library was tested inside Firefox, Thunderbird and my Java Signature Applet. I also want to mention that DNIe has a test page which has been incredibly useful to check all this stuff.
So finally it can be said that the DNIe binary packages only work with the bundled 0.11.7 version, but by compiling the sources you can make the custom DNIe library work linked against the current OpenSC version. This is not a perfect solution (any new change in OpenSC can break the DNIe again), but I have to admit that publishing the sources is an awesome step towards open source integration. The source zip from DNIe claims to be GPLv3 licensed, and I only hope OpenSC can integrate this code in a future release (avoiding all this pain). The OpenSC guys already have an open ticket about this issue. I submitted some information on it a few days ago, and waiting is the only thing we can do right now.
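As an added example (not from the original post and not the file shipped by the DNIe packages), this is the shape of an opensc.conf that registers the DNIe library as an external card driver, so that OpenSC tries it before its built-in drivers. The driver name and the module path are assumptions for the example; take the real ones from the opensc.conf in the opensc-dnie package:

```text
app default {
    # Try the external DNIe driver first, then the drivers built into OpenSC.
    # "dnie" is the driver name used here; the module path is an assumption.
    card_drivers = dnie, internal;

    card_driver dnie {
        module = /usr/lib/libopensc-dnie.so;
    }
}
```

After editing the file, opensc-tool -D lists the card drivers OpenSC managed to load and opensc-tool -n prints the name of the card in the reader. If the external module does not load (for instance because it was linked against a different OpenSC version than the one installed), the driver is missing from the first list and the card shows up as unrecognized in the second, which is the quickest way to tell the 0.11.7 blob from a library built against the current OpenSC.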
With the DNIe fully functional on my box we can extend our Signature Java Applet PoC to integrate the DNIe as a valid device. If you have read the two previous entries you already know that the only thing to do is to find a proper JCE provider for the Spanish eID card. It is quite clear that DNIe/OpenSC gives us a PKCS#11 library, so the PKCS#11 provider is obviously the correct bet on Linux. If you remember, I developed a multi-purpose PKCS11Signer.java (used in the second entry for NSS) which is perfect for OpenSC. Now the applet is instantiated this way:
<applet id="signApplet" codebase="resources/applet/" code="sample.applet.SignApplet" archive="SSignApplet.jar,Sbcmail-jdk16-145.jar,Sbcprov-jdk16-145.jar,Smail-1.4.3.jar" width="350" height="200">
<param name="clazz" value="sample.applet.PKCS11Signer"/>
<param name="param0" value="sample.applet.pkcs11Name###DNIe"/>
<param name="param1" value="sample.applet.keyAcessNeeded###false"/>
<param name="param2" value="library###/usr/lib/opensc-pkcs11.so"/>
<param name="param3" value="slot###0"/>
</applet>
With the DNIe (and any common PKCS#11 library other than Mozilla NSS) only the shared library (/usr/lib/opensc-pkcs11.so in the Debian distribution) and the slot (0 in my configuration) are specified. As in the previous examples, the DNIe only has a master PIN, so the password prompt for individual keys is disabled (sample.applet.keyAcessNeeded is set to false). That PIN is presented to the card through the PKCS#11 login; the private key itself never leaves the card, only the signature comes back. Further information about the JCE PKCS#11 provider can be found in the J2SE documentation.
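The same JCE route outside the applet, as an added example that is not the PKCS11Signer from the original post: it builds a SunPKCS11 provider from the library/slot pair, logs in with the master PIN, picks the signature certificate rather than the authentication one, signs with it and verifies the result against the card's own public key. The module path and slot are the ones mentioned above but are assumptions for any other box, and the rule used to tell the two DNIe certificates apart (the signature certificate carries the X.509 KeyUsage nonRepudiation bit, the authentication one does not) is an assumption of this example, not something the post states:

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Added example: sign a byte array with the DNIe signature key through
 * the SunPKCS11 JCE provider (Java 6-8 constructor, see note below).
 */
public class DnieSign {

    // SunPKCS11 configuration; library path and slot are assumptions for this box.
    static final String PKCS11_CONFIG =
        "name = DNIe\n" +
        "library = /usr/lib/opensc-pkcs11.so\n" +
        "slot = 0\n";

    /** Build and register the SunPKCS11 provider from the in-memory configuration. */
    static Provider loadProvider() throws Exception {
        InputStream cfg = new ByteArrayInputStream(PKCS11_CONFIG.getBytes(StandardCharsets.UTF_8));
        Provider p = new sun.security.pkcs11.SunPKCS11(cfg);
        Security.addProvider(p);
        return p;
    }

    /**
     * Choose the signature certificate. Assumption: KeyUsage bit 1 (nonRepudiation)
     * is set on the DNIe signature certificate and clear on the authentication one.
     */
    static String findSignatureAlias(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            boolean[] ku = cert.getKeyUsage();
            if (ku != null && ku.length > 1 && ku[1]) return alias;
        }
        throw new IllegalStateException("no nonRepudiation certificate found on the card");
    }

    /** Sign data on the card and check the signature with the matching certificate. */
    static byte[] sign(byte[] data, char[] pin) throws Exception {
        Provider p = loadProvider();
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                 // master PIN: this is the PKCS#11 login
        String alias = findSignatureAlias(ks);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // handle only; key stays on the card

        Signature sig = Signature.getInstance("SHA256withRSA", p);
        sig.initSign(key);
        sig.update(data);
        byte[] s = sig.sign();

        // Verify in software with the certificate's public key before trusting the result.
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Signature ver = Signature.getInstance("SHA256withRSA");
        ver.initVerify(cert.getPublicKey());
        ver.update(data);
        if (!ver.verify(s)) throw new IllegalStateException("card signature did not verify");
        return s;
    }

    public static void main(String[] args) throws Exception {
        if (System.console() == null) throw new IllegalStateException("run from a terminal");
        char[] pin = System.console().readPassword("DNIe PIN: ");
        try {
            byte[] s = sign("hello".getBytes(StandardCharsets.UTF_8), pin);
            System.out.println("signature length: " + s.length + " bytes");
        } finally {
            Arrays.fill(pin, '\0');         // do not leave the PIN lying around in memory
        }
    }
}
```

The sun.security.pkcs11.SunPKCS11(InputStream) constructor is the one available in the JDK of the time (Java 6); on Java 9 and later the same configuration goes into a file and the provider is obtained with Security.getProvider("SunPKCS11").configure(path). Picking the certificate by KeyUsage rather than by position matters because the PKCS#11 keystore does not guarantee which of the two DNIe entries is listed first, and signing an email with the authentication certificate is exactly the kind of mix-up a user will not notice.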
Finally I present a video where the mail signer application is used again. Using Chromium, the email form is filled in and the applet is started. There the two certificates inside the DNIe are displayed and, using the signature one, the email is signed and sent. Then the Icedove/Thunderbird application is started (startup is quite slow because the ID card is plugged in and OpenSC initialization is not very fast). In this case, when the email arrives, it shows a question mark; this is because the Spanish eID certificates do not carry any email address, so Thunderbird cannot tie the signing certificate to the sender's address. At the end the DNIe certificates are shown again, but using Thunderbird itself, so the DNIe is successfully working in both the applet and the email application.
As a conclusion it can be said that right now the status of the DNIe in the open source world is a bit confusing. The distribution of the source code under the GPLv3 license can clarify the situation, and it would be wonderful if the code were integrated somehow into the OpenSC project. Talking about the signature applet PoC, the DNIe is the perfect example of how a new crypto device is smoothly integrated just by using the JCE and the PKCS#11 standard.
It is really great when you make things work! Never give up!