2023-03-16 18:53:28 +01:00
<!-- START doctoc generated TOC please keep comment here to allow auto update -->
<!-- DON'T EDIT THIS SECTION, INSTEAD RE - RUN doctoc TO UPDATE -->
- [Finnish Electronic Identity ](#finnish-electronic-identity )
- [Requirements for everything ](#requirements-for-everything )
- [Chromium ](#chromium )
- [Firefox and Thunderbird ](#firefox-and-thunderbird )
- [Okular ](#okular )
- [Root certificates ](#root-certificates )
- [Testing ](#testing )
- [FINEID as SSH key ](#fineid-as-ssh-key )
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
2021-12-02 19:15:49 +01:00
# Finnish Electronic Identity
Finnish identity cards have been electronic for ages and as I tend to forget
how to use it on Linux again, here are my notes.
2023-02-26 18:01:13 +01:00
- Official application: https://dvv.fi/en/card-reader-software
- Fedora/rpm is hidden under "All versions", "Linux versions"
- DVV certificate newsletter: https://uutiskirjeet.dvv.fi/uutiset/varmennepalvelut.html
2021-12-02 19:15:49 +01:00
## Requirements for everything
PCSDd must be running, it's found in package `pcscd` on Debian and likely
`pcsc-lite` on Fedora.
```bash
sudo systemctl enable pcscd --now
```
2022-02-10 16:45:58 +01:00
[As in my shell-things repo, /etc/pkcs11/modules/libcryptoki.module should be created; ](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/pkcs11/modules )
```
module: /usr/lib64/libcryptoki.so
managed: no
```
2021-12-02 19:15:49 +01:00
## Chromium
Should work as long as the `DigiSignApplication` from above was running before
the browser was started.
## Firefox and Thunderbird
2023-02-26 18:01:13 +01:00
**_This doesn't apply if the above libcryptoki.so is created
and preferably `libcryptoki.so` would be loaded anyway_**
2022-02-10 16:45:58 +01:00
2021-12-02 19:15:49 +01:00
In Settings, Advanced, Security devices load the module from (DVV app) `/usr/lib64/libcryptoki.so` or (OpenSC):
2023-02-26 18:01:13 +01:00
- Debian: `/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so`
- Package: `opensc-pkcs11`
- Fedora: `/usr/lib64/onepin-opensc-pkcs11.so`
- Package: `opensc`
2021-12-02 19:15:49 +01:00
`onepin` is a workaround to not ask for PIN2 which is only used for legal agreements,
email signing also uses PIN1.
2022-10-13 16:46:25 +02:00
## Okular
Okular is the KDE document viewer and supports signing PDF files using FINEID!
2023-02-26 18:01:13 +01:00
There are three ways to go, they all begin with _Settings_ menu, _Configure backends_
and _PDF_ .
2022-10-13 16:46:25 +02:00
Set the certificate database to one of the three:
2023-02-26 18:01:13 +01:00
- `/etc/nssdb` with password that I don't know.
- `~/.pki/nssdb` which password theoretically reads in `~/.digisign/Seed.txt` assuming the official DigiSignApplication is used.
- `~/.mozilla/firefox/<randomString>.<ProfileName>` - when Firefox is used (may require the configuration above), didn't ask me for a password, which may be the main password and directly offers the certificates from FINEID.
2022-10-13 16:46:25 +02:00
2023-02-26 18:01:13 +01:00
Next Apply or OK and restart Okular, open _Tools_ menu and select
_Digitally sign..._, draw an area for the signature (which FINEID wants to be big),
2022-10-13 16:46:25 +02:00
select where to save the signed .pdf and enter the signing PIN a few times.
2022-10-13 17:00:55 +02:00
These signed documents can then be verified at [English ](https://dvv.fi/en/validate-pdf-document ),
[Finnish ](https://dvv.fi/tarkasta-pdf-asiakirja ) or [Swedish ](https://dvv.fi/sv/granska-pdf-dokument )
or other EIDAS/European signing verification capable services or applications.
```txt
✔️ PDF document validated. The following signatures were found:
1 valid signatures with EU qualified certificate issuers and signature keys stored in a qualified signature creation device.
Signature 1/1: [...]
✔️ The electronic signature is valid and has not been modified or forged after signature. Signature level is PKCS7_B (basic).
✔️ The signature is made by a party trusted by DVV.
✔️ The signature is made with an EU qualified certificate.
✔️ The signature key is stored in an EU qualified signature creation device (QSCD).
Signed by: ...
Issuer of certificate and root certificate: VRK Gov. CA for Citizen Certificates - G3 | VRK Gov. Root CA - G2 (Trusted)
Time of signature: ... (Time stamp not validated by a time stamp authority (TSA))
```
2021-12-02 19:15:49 +01:00
## Root certificates
While I don't think the user necessarily needs them, my notes mention `DVV Gov. Root CA` .
2023-02-26 18:01:13 +01:00
- https://dvv.fi/en/ca-certificates
2021-12-02 19:15:49 +01:00
## Testing
2023-02-26 18:01:13 +01:00
- https://dvv.fineid.fi/en/authentication
2021-12-02 19:15:49 +01:00
## FINEID as SSH key
0. I would start by `ssh-add -D` to remove other keys from the ssh-agent.
1. Add the key to the agent
2023-02-26 18:01:13 +01:00
- Debian: `ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so`
- Fedora: `ssh-add -s /usr/lib64/opensc-pkcs11.so`
2022-02-10 16:45:58 +01:00
2. Export the public key by `ssh-add -L|head -n1` (the comment should be "todentamis- ja salausavain" ("authentication and encryption key"))
3. Naturally put it into `~/.ssh/authorized_keys` , but SSH should detect
it automatically. The file could also be mentioned in `ssh_config`
The public key should also be stored somewhere that can be passed to gitconfig
or SSH signing commands if SSH signing is to be used.
2021-12-02 19:15:49 +01:00
Via: https://www.linux.fi/wiki/HST#Ssh_2