Common operations using Estonian eID (Linux)


Assumptions: Using Ubuntu with OpenSC

Installation Tip: Make sure to have installed OpenSC from source, rather than using the Ubuntu repositories (in other words, follow the instructions here [1] rather than using apt-get install opensc). This is necessary to avoid the

“failed: Invalid arguments
Decrypt failed: Invalid arguments”

error as outlined in this OpenSC mailing list submission [2]. It took a while to figure out what the problem was, so hopefully outlining the troubleshooting process will help with similar problems. First, enable verbose output (in this instance we were using pkcs15-crypt) and have a look at what it prints. In this case, we noted the output highlighted in red here [3]. Searching for the error “Invalid Case 4 short APDU” leads us to this OpenSC pull request [4], which highlights the need to install a later version of OpenSC.

Common Cryptographic operations using Estonian E-ID.

File names used:

/tmp/toSign: the file whose signature you would like to generate.

/tmp/toSign.sig: the signature of the file

/tmp/toEncrypt: the file you would like to encrypt

/tmp/Encrypted.enc: the encrypted file

/tmp/publickey.pem: the public key assigned to you, stored on your e-ID card, which is safe to distribute (hence “public” 😉)

Extracting Public Key for distribution

pkcs15-tool --read-public-key 01 > /tmp/publickey.pem

Generating a signature of a document (signing operation)

openssl dgst -binary -sha512 /tmp/toSign | /usr/bin/pkcs15-crypt --sign --key 01 --sha-512 --pkcs1 --raw > /tmp/toSign.sig


Verifying a signature of a document (signature verification operation)

openssl dgst -sha512 -verify /tmp/publickey.pem -signature /tmp/toSign.sig /tmp/toSign

Encrypting a file using a public key (e.g. someone needs to send data ONLY YOU can decrypt)

openssl rsautl -inkey /tmp/publickey.pem -pubin -encrypt -pkcs -in /tmp/toEncrypt -out /tmp/Encrypted.enc

Decrypting a file with your private key stored on your card

pkcs15-crypt --decipher --key 01 --input /tmp/Encrypted.enc --pkcs1 --raw
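The four commands above (sign, verify, encrypt, decrypt) are easy to get subtly wrong before a card is even in the reader, so here is an added example, not part of the original post, that rehearses the OpenSSL side of each one offline. A throwaway OpenSSL key pair is a hypothetical stand-in for key 01 on the card (the card never exports its private key; `card.key` exists only so the pipeline can be exercised without a reader), and the only assumption is that `openssl` is on PATH. Besides the happy path it shows the two failure modes worth knowing: a signature no longer verifies once the file changes, and a signature made over the raw hash without the SHA-512 DigestInfo wrapper (what you get if `--sha-512 --pkcs1` is left off the card command) is rejected by `openssl dgst -verify`.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the eID sign/verify and
# encrypt/decrypt pipeline offline. card.key is a HYPOTHETICAL stand-in for the
# private key that stays on the card; publickey.pem plays the role of the file
# exported with "pkcs15-tool --read-public-key 01". Assumes only that openssl
# is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in key pair (constructed for this example).
make_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/card.key" 2>/dev/null
    openssl pkey -in "$WORK/card.key" -pubout -out "$WORK/publickey.pem"
}

# Mirror of: openssl dgst -binary -sha512 FILE | pkcs15-crypt --sign --sha-512 --pkcs1 --raw
# The digest is computed off-card; the signer prepends the SHA-512 DigestInfo
# and applies PKCS#1 v1.5 padding, which is what --sha-512 --pkcs1 asks the
# card to do and what "openssl dgst -verify" expects to find.
sign_file() {  # $1 input file, $2 signature output
    openssl dgst -binary -sha512 "$1" \
        | openssl pkeyutl -sign -inkey "$WORK/card.key" -pkeyopt digest:sha512 -out "$2"
}

# The same hash signed WITHOUT the DigestInfo wrapper (plain PKCS#1 v1.5 over
# the raw 64 bytes), i.e. what omitting --sha-512 on the card side amounts to.
sign_file_raw() {  # $1 input file, $2 signature output
    openssl dgst -binary -sha512 "$1" \
        | openssl pkeyutl -sign -inkey "$WORK/card.key" -out "$2"
}

# Exactly the verification command from the post; prints "ok" or "fail".
verify_file() {  # $1 input file, $2 signature
    if openssl dgst -sha512 -verify "$WORK/publickey.pem" -signature "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Equivalent of "openssl rsautl -encrypt -pkcs" using the non-deprecated tool;
# PKCS#1 v1.5 is pkeyutl's default RSA padding, so the two interoperate.
encrypt_file() {  # $1 plaintext, $2 ciphertext output
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/publickey.pem" -in "$1" -out "$2"
}

# Stand-in for "pkcs15-crypt --decipher --key 01 --pkcs1 --raw"; prints plaintext.
decrypt_file() {  # $1 ciphertext
    openssl pkeyutl -decrypt -inkey "$WORK/card.key" -in "$1"
}

# Constructed sample inputs.
printf 'contract text, version 3\n' > "$WORK/toSign"
printf 'contract text, version 4\n' > "$WORK/tampered"
printf 'secret for the card holder' > "$WORK/toEncrypt"

make_keys
sign_file     "$WORK/toSign"    "$WORK/toSign.sig"
sign_file_raw "$WORK/toSign"    "$WORK/raw.sig"
encrypt_file  "$WORK/toEncrypt" "$WORK/Encrypted.enc"

echo "genuine signature:            $(verify_file "$WORK/toSign"   "$WORK/toSign.sig")"  # ok
echo "same signature, altered file: $(verify_file "$WORK/tampered" "$WORK/toSign.sig")"  # fail
echo "signature without DigestInfo: $(verify_file "$WORK/toSign"   "$WORK/raw.sig")"     # fail
echo "decrypted: $(decrypt_file "$WORK/Encrypted.enc")"
```

Two practical notes. Key 01 is assumed throughout the post; `pkcs15-tool --list-keys` shows which key IDs your card actually exposes, so check it before blaming the card for a failed operation. And `rsautl -encrypt -pkcs`, like the `pkeyutl` equivalent here, can only encrypt a message shorter than the RSA modulus minus padding (245 bytes for a 2048-bit key), which is why real deployments encrypt a random symmetric key this way and the file itself with that key.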


PS: The following sites have been invaluable during the investigation

https://blog.g3rt.nl/luks-smartcard-or-token.html

http://blog.fkraiem.org/2013/03/13/linux-smart-card-authentication-howto/


References

[1] https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-OpenSC-on-Unix-flavors

[2] http://opensc.1086184.n5.nabble.com/EstEID-decipher-problem-td12208.html

[3] https://docs.google.com/document/d/1NFtwAOL3EzU_qCZpmVctV8pdmW6jQMhkMVblevGC2LA/edit?usp=sharing

[4] https://sourceforge.net/p/vsmartcard/git/ci/8743b5030b3154df694fd25cfd38db1517109701/tree/ccid/README.dox?barediff=c80c209a98122e602c0439bef48e48903d5ff93f