Common operations using Estonian eID (Linux)


Assumptions: Using Ubuntu with OpenSC

Installation Tip: Make sure you have installed OpenSC from source rather than from the Ubuntu repositories (in other words, follow the instructions here [1] rather than running apt-get install opensc). This is necessary to avoid the

“failed: Invalid arguments
Decrypt failed: Invalid arguments”

error as outlined in this OpenSC mailing list submission [2]. It took a while to figure out what the problem was. Hopefully outlining the troubleshooting process will help with similar problems. First, enable verbose output (in this instance we were using pkcs15-crypt) and have a look at the output. In this case, we noted the output highlighted in red here [3]. Searching for the error “Invalid Case 4 short APDU” leads us to this OpenSC pull request [4], which highlights the need to install a later version of OpenSC.

Common cryptographic operations using Estonian e-ID

File names used:

/tmp/toSign: the file whose signature you would like to generate.

/tmp/toSign.sig: the signature of the file

/tmp/toEncrypt: the file you would like to encrypt

/tmp/Encrypted.enc: the encrypted file

/tmp/publickey.pem: the public key assigned to you, stored on your e-ID card, which is safe to distribute (hence “public” 😉)

Extracting Public Key for distribution

pkcs15-tool --read-public-key 01 > /tmp/publickey.pem

Generating a signature of a document (signing operation)

openssl dgst -binary -sha512 /tmp/toSign | /usr/bin/pkcs15-crypt --sign --key 01 --sha-512 --pkcs1 --raw > /tmp/toSign.sig


Verifying a signature of a document (signature verification operation)

openssl dgst -sha512 -verify /tmp/publickey.pem -signature /tmp/toSign.sig /tmp/toSign
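To make clear what the two commands above actually exchange, here is an added example (not code from the original post or from OpenSC) in plain Python: it rebuilds the PKCS#1 v1.5 SHA-512 encoded message that `pkcs15-crypt --sign --sha-512 --pkcs1` wraps around the piped binary digest, and verifies the resulting `--raw` signature against the card's RSA public key the same way `openssl dgst -verify` does. It assumes you have the modulus n and exponent e as integers (for example read off the exported /tmp/publickey.pem with `openssl rsa -pubin -in /tmp/publickey.pem -noout -text`).

```python
import hashlib

# DER-encoded DigestInfo prefix for SHA-512 (RFC 8017, section 9.2, note 1).
SHA512_DIGEST_INFO_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")


def pkcs1_v15_encode_sha512(data: bytes, k: int) -> bytes:
    """Build EM = 0x00 || 0x01 || PS || 0x00 || DigestInfo(SHA-512(data)).

    This is the wrapping `pkcs15-crypt --sign --sha-512 --pkcs1` applies to
    the raw digest it reads from stdin before the card exponentiates with
    the private key. k is the RSA modulus length in bytes.
    """
    t = SHA512_DIGEST_INFO_PREFIX + hashlib.sha512(data).digest()
    if k < len(t) + 11:  # PKCS#1 v1.5 requires at least 8 bytes of 0xFF padding
        raise ValueError("modulus too short for a SHA-512 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_sha512_pkcs1(n: int, e: int, signature: bytes, data: bytes) -> bool:
    """Check a raw (--raw) PKCS#1 v1.5 SHA-512 signature against RSA key (n, e).

    Does the same job as `openssl dgst -sha512 -verify publickey.pem
    -signature ...`. The recovered encoded message is compared byte for byte
    with a freshly built one, so bad padding, a wrong hash algorithm or a
    modified file are all rejected without any lenient parsing.
    """
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:  # e.g. a 2048-bit key must give a 256-byte signature
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == pkcs1_v15_encode_sha512(data, k)


def verify_file(n: int, e: int, sig_path: str, data_path: str) -> bool:
    """Verify a /tmp/toSign.sig-style raw signature file against its document."""
    with open(sig_path, "rb") as sf, open(data_path, "rb") as df:
        return verify_sha512_pkcs1(n, e, sf.read(), df.read())
```

A signature whose length differs from the modulus length, or that fails the byte-for-byte comparison, is rejected outright; this is also the quickest sanity check when the card produces output but `openssl dgst -verify` reports a failure.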

Encrypting a file using a public key (e.g. someone needs to send data ONLY YOU can decrypt)

openssl rsautl -inkey /tmp/publickey.pem -pubin -encrypt -pkcs -in /tmp/toEncrypt -out /tmp/Encrypted.enc

Decrypting a file with your private key stored on your card

pkcs15-crypt --decipher --key 01 --input /tmp/Encrypted.enc --pkcs1 --raw


PS: The following sites have been invaluable during the investigation