Assumptions: Using Ubuntu with OpenSC
Installation tip: build OpenSC from the upstream source, following the OpenSC project's own build instructions, rather than installing it with apt-get install opensc. At the time of writing this was necessary to avoid the error
“failed: Invalid arguments
Decrypt failed: Invalid arguments”
described in an OpenSC mailing list thread. It took a while to figure out what the problem was, so here is the troubleshooting process in case it helps with similar problems. First, enable verbose output (we were using pkcs15-crypt; add -v, repeated for more detail) and read through it. In this case the relevant line was the error “Invalid Case 4 short APDU”. Searching for that error leads to the OpenSC pull request that addresses it; the fix is only present in OpenSC releases later than the one packaged for Ubuntu at the time, hence the need to build a current version. opensc-tool --info prints the version actually installed, which is worth checking before anything else.
Common Cryptographic operations using Estonian E-ID.
File names used:
/tmp/toSign: the file whose signature you would like to generate.
/tmp/toSign.sig: the signature of the file
/tmp/toEncrypt: the file you would like to encrypt
/tmp/Encrypted.enc: the encrypted file
/tmp/publickey.pem: the public key assigned to you, stored on your e-ID card, which is safe to distribute (hence “public” 😉)
Extracting the public key for distribution (the ID 01 here must be the same key that is used for signing and decryption below; pkcs15-tool --list-keys shows the key IDs present on the card, and note that the Estonian card carries separate authentication and signature keys protected by different PINs)
pkcs15-tool --read-public-key 01 > /tmp/publickey.pem
Generating a signature of a document (signing operation)
openssl dgst -binary -sha512 /tmp/toSign | /usr/bin/pkcs15-crypt --sign --key 01 --sha-512 --pkcs1 --raw > /tmp/toSign.sig
Verifying a signature of a document (signature verification operation; only the public key file is needed, so anyone you gave /tmp/publickey.pem to can do this)
openssl dgst -sha512 -verify /tmp/publickey.pem -signature /tmp/toSign.sig /tmp/toSign
Encrypting a file using a public key (e.g. someone needs to send data ONLY YOU can decrypt). Note that RSA with PKCS#1 v1.5 padding can only encrypt an input shorter than the key size minus 11 bytes (245 bytes for a 2048-bit key), so this suits a short secret such as a symmetric key, not arbitrary files. On OpenSSL 3 rsautl is deprecated in favour of pkeyutl, whose -encrypt mode takes the same key and file arguments and applies the same PKCS#1 v1.5 padding by default.
openssl rsautl -inkey /tmp/publickey.pem -pubin -encrypt -pkcs -in /tmp/toEncrypt -out /tmp/Encrypted.enc
Decrypting a file with your private key stored on your card (without --output the decrypted bytes go to standard output; --raw keeps them as raw bytes rather than escaped text, so either redirect the output or add --output /tmp/Decrypted to write a file)
pkcs15-crypt --decipher --key 01 --input /tmp/Encrypted.enc --pkcs1 --raw
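The signing, verification, encryption and decryption commands above, as an added example that is not part of the original post, wrapped in shell functions together with an offline self-check: a throwaway software RSA key stands in for the card, so the plumbing around the card (hashing, signature encoding, verification, key wrapping) can be tested before a real card and PIN are involved. The card-side functions call pkcs15-crypt exactly as above and are not exercised by the self-check. The block also shows the practical fix for the RSA size limit of the encryption step: the file is encrypted with a fresh AES key and only that key is RSA-wrapped for the card to unwrap. Key ID 01 is the page's; the function names, the temporary directory and the numbered sample input are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Two points it demonstrates:
#  1. "pkcs15-crypt --sign --sha-512 --pkcs1" applied to a raw SHA-512 hash yields a
#     PKCS#1 v1.5 signature with the SHA-512 DigestInfo prefix. OpenSSL's
#     "pkeyutl -sign -pkeyopt digest:sha512" builds the same encoding from the same
#     hash, which is why "openssl dgst -sha512 -verify" accepts either.
#  2. RSA PKCS#1 v1.5 encryption carries at most (modulus bytes - 11) bytes, 245 for
#     a 2048-bit key, so the file is encrypted with a random AES key and only that
#     key is RSA-wrapped; the card unwraps the key, never the bulk data.
# Assumed (hypothetical) names: PUBKEY is the PEM exported with
# "pkcs15-tool --read-public-key 01"; key id 01 is the matching private key.
set -eu

# --- signing ---------------------------------------------------------------
sha512_binary() { openssl dgst -binary -sha512 "$1"; }      # raw 64-byte hash

sign_hash_with_card() {          # HASHFILE SIGFILE      (needs the card)
    pkcs15-crypt --sign --key 01 --sha-512 --pkcs1 --raw --input "$1" --output "$2"
}
sign_hash_with_software_key() {  # KEY HASHFILE SIGFILE  (offline stand-in)
    openssl pkeyutl -sign -inkey "$1" -in "$2" -out "$3" -pkeyopt digest:sha512
}
verify_sig() {                   # PUBKEY FILE SIGFILE -> exit 0 only if valid
    openssl dgst -sha512 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# --- hybrid encryption -----------------------------------------------------
hybrid_encrypt() {               # PUBKEY INFILE OUT -> OUT.enc and OUT.key
    pubkey=$1; infile=$2; out=$3
    openssl rand -hex 48 > "$out.secret"   # 64 hex chars AES-256 key + 32 hex chars IV
    secret=$(cat "$out.secret")
    openssl enc -aes-256-cbc -K "$(printf %s "$secret" | cut -c1-64)" \
        -iv "$(printf %s "$secret" | cut -c65-96)" -in "$infile" -out "$out.enc"
    # pkeyutl's default RSA padding is PKCS#1 v1.5, matching --pkcs1 on the card side
    openssl pkeyutl -encrypt -pubin -inkey "$pubkey" -in "$out.secret" -out "$out.key"
    rm -f "$out.secret"                    # the sender keeps no copy of the session key
}
unwrap_with_card() {             # OUT.key SECRETFILE    (needs the card)
    pkcs15-crypt --decipher --key 01 --pkcs1 --raw --input "$1" --output "$2"
}
hybrid_decrypt() {               # SECRETFILE OUT.enc PLAINFILE
    secret=$(cat "$1")
    openssl enc -d -aes-256-cbc -K "$(printf %s "$secret" | cut -c1-64)" \
        -iv "$(printf %s "$secret" | cut -c65-96)" -in "$2" -out "$3"
}

# --- offline self-check: prints "ok" when both flows round-trip ---------------
selftest_with_software_key() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/sw.pem" 2>/dev/null
    openssl pkey -in "$d/sw.pem" -pubout -out "$d/pub.pem"
    seq 1 2000 > "$d/plain"                # constructed input, ~9 KB, far beyond 245 bytes
    sha512_binary "$d/plain" > "$d/hash"
    sign_hash_with_software_key "$d/sw.pem" "$d/hash" "$d/plain.sig"
    cp "$d/plain" "$d/changed"; printf 'x' >> "$d/changed"
    verify_sig "$d/pub.pem" "$d/plain" "$d/plain.sig" || { echo FAIL-verify; rm -rf "$d"; return 0; }
    if verify_sig "$d/pub.pem" "$d/changed" "$d/plain.sig"; then echo FAIL-tamper; rm -rf "$d"; return 0; fi
    hybrid_encrypt "$d/pub.pem" "$d/plain" "$d/out"
    # software stand-in for unwrap_with_card:
    openssl pkeyutl -decrypt -inkey "$d/sw.pem" -in "$d/out.key" -out "$d/secret"
    hybrid_decrypt "$d/secret" "$d/out.enc" "$d/recovered"
    if cmp -s "$d/plain" "$d/recovered"; then echo ok; else echo FAIL-decrypt; fi
    rm -rf "$d"
}

case "${1:-}" in selftest) selftest_with_software_key ;; esac
```

Run the file with the argument selftest to execute the self-check; it prints ok. With a real card, the two software stand-ins are replaced by sign_hash_with_card and unwrap_with_card. Two caveats: AES-CBC on its own gives no integrity protection, so if tampering matters sign the ciphertext (or its hash) with the signing step; and the wrapped key uses PKCS#1 v1.5 because that is the padding pkcs15-crypt --decipher --pkcs1 removes, so the wrapping side must not switch to OAEP unless the card-side command is changed to match.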
PS: The following sites have been invaluable during the investigation
Assumptions and pre-requisites.
This article assumes the Linux user has the following installed:
- An Ubuntu derived distribution such as Ubuntu itself, Linux Mint, and so on
- The email client used is Evolution, installed via the following packages and their dependencies (Exchange Web Services support comes from the evolution-ews package):
- Open the system menu and search for ‘online accounts’. Note: you may see multiple entries for this. The correct entry is the one which allows you to select an account of type ‘Microsoft Exchange’ (see below)
- Open online accounts and click on the “+” sign on the lower left to add an account. Make sure to select the type “Microsoft Exchange”
- Type in your email and password
- Expand the “custom” settings and enter:
- Username: your full e-mail address (the form your-domain\your-username has also been reported to work)
- Server: webmail.example.com (this is the host name of your Outlook Web Access URL. For example, if your webmail URL is webmail.something.com/owa, then the server is webmail.something.com, without the /owa path)
- Click on connect, and verify that the account is being used for mail, calendar and contacts as shown below
- close the online accounts settings box
- Open evolution (close and re-open if evolution was previously open)
- Verify that the account has been successfully added in evolution by:
- Edit > Preferences
- Under Mail Accounts, make sure a corresponding entry to the above is visible in the window. In the below example, you see two such accounts of type ‘EWS’ (also distinguishable by their icon, which looks like a plug, whereas other accounts have no icon and have a tickbox)
- Your mail should now be visible under the evolution ‘mail’ tab, and an equivalent calendar should have been automatically added under the ‘calendar’ tab
If you do not use GNOME Online Accounts, it is still possible to set this up in Evolution directly (though without the calendar): add an account of type ‘EWS’, and the one extra piece of information needed is the host URL, which should be https://webmail.example.com/EWS/Exchange.asmx. During troubleshooting it is also useful to check whether that URL is reachable at all: a working EWS endpoint answers an unauthenticated request with HTTP 401 and a WWW-Authenticate challenge (Negotiate/NTLM), whereas a 404 usually means the host name or path is wrong.
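Two small helpers for the steps above, added here as an example and not part of the original article: one derives the Server field and the EWS endpoint from an Outlook Web Access URL (the step where a typo such as webmail.something.owa creeps in), the other interprets the result of an unauthenticated probe of that endpoint with curl. webmail.something.com is the article's placeholder host; the function names are this example's own, and nothing contacts a server unless ews_probe is called explicitly.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the EWS set-up:
# derive the host and endpoint from an OWA URL, and interpret an unauthenticated probe.
set -eu

# exchange_host_from_owa URL -> bare host name for the "Server" field
#   accepts https://webmail.something.com/owa, webmail.something.com/owa/, ...
exchange_host_from_owa() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z]*://##' -e 's#/.*$##'
}

# ews_url_from_owa URL -> the endpoint the EWS account type talks to
ews_url_from_owa() {
    printf 'https://%s/EWS/Exchange.asmx\n' "$(exchange_host_from_owa "$1")"
}

# classify_ews_response STATUS WWW_AUTHENTICATE -> one-word verdict
#   A working EWS endpoint answers an unauthenticated request with 401 and a
#   WWW-Authenticate challenge (Negotiate/NTLM, sometimes Basic). 404 means the
#   host or path is wrong (e.g. the "webmail.something.owa" typo); 000 is what
#   curl reports for http_code when no HTTP response was received at all.
classify_ews_response() {
    status=$1; auth=${2:-}
    case "$status" in
        401) case "$auth" in
                 *Negotiate*|*NTLM*|*Basic*) echo reachable ;;
                 *) echo reachable-unknown-auth ;;
             esac ;;
        404) echo wrong-path ;;
        000) echo unreachable ;;
        *)   echo "unexpected-$status" ;;
    esac
}

# ews_probe URL -> verdict (network needed; the classifier alone works offline)
ews_probe() {
    hdrs=$(mktemp)
    status=$(curl -s -o /dev/null -D "$hdrs" -w '%{http_code}' --max-time 15 "$1" 2>/dev/null) \
        || status=000
    auth=$(grep -i '^WWW-Authenticate:' "$hdrs" | tr '\n' ' ' || true)
    rm -f "$hdrs"
    classify_ews_response "$status" "$auth"
}
```

Typical use is ews_probe "$(ews_url_from_owa https://webmail.something.com/owa)"; a verdict of reachable means the endpoint exists and wants credentials, which is the state Evolution expects, and anything else points at the host name, the path or the network rather than at the account configuration.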