.. | ||
pyllyukko-fineid.md@1ad938eae9 | ||
README.md |
Finnish Electronic Identity
Finnish identity cards have been electronic for ages and as I tend to forget how to use it on Linux again, here are my notes.
- Official application: https://dvv.fi/en/card-reader-software
- Fedora/rpm is hidden under “All versions”, “Linux versions”
- DVV certificate newsletter: https://uutiskirjeet.dvv.fi/uutiset/varmennepalvelut.html
Requirements for everything
PCSDd must be running, it’s found in package pcscd
on
Debian and likely pcsc-lite
on Fedora.
sudo systemctl enable pcscd --now
As in my shell-things repo, /etc/pkcs11/modules/libcryptoki.module should be created;
module: /usr/lib64/libcryptoki.so
managed: no
Chromium
Should work as long as the DigiSignApplication
from
above was running before the browser was started.
Firefox and Thunderbird
This doesn’t apply if the above libcryptoki.so is created
and preferably libcryptoki.so
would be loaded
anyway
In Settings, Advanced, Security devices load the module from (DVV
app) /usr/lib64/libcryptoki.so
or (OpenSC):
- Debian:
/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
- Package:
opensc-pkcs11
- Package:
- Fedora:
/usr/lib64/onepin-opensc-pkcs11.so
- Package:
opensc
- Package:
onepin
is a workaround to not ask for PIN2 which is only
used for legal agreements, email signing also uses PIN1.
Firefox policy
Firefox organizational policy can also be used for this, Thunderbird likely has one too. It will affect all users and instances of the application on the computer.
In the file /etc/firefox/policies/policies.json
which
must be created if it doesn’t exist:
{
"policies": {
"SecurityDevices": {
"Add": {
"Fujitsu mPollux DigiSignApplication": "/usr/lib64/libcryptoki.so"
}
}
}
}
Okular
Okular is the KDE document viewer and supports signing PDF files using FINEID!
There are three ways to go, they all begin with Settings menu, Configure backends and PDF.
Set the certificate database to one of the three:
/etc/nssdb
with password that I don’t know.~/.pki/nssdb
which password theoretically reads in~/.digisign/Seed.txt
assuming the official DigiSignApplication is used.~/.mozilla/firefox/<randomString>.<ProfileName>
- when Firefox is used (may require the configuration above), didn’t ask me for a password, which may be the main password and directly offers the certificates from FINEID.- This seems the most functional, refer to
about:profiles
within Firefox/LibreWolf.
- This seems the most functional, refer to
Next Apply or OK and restart Okular, open Tools menu and select Digitally sign…, draw an area for the signature (which FINEID wants to be big), select where to save the signed .pdf and enter the signing PIN a few times.
Validation
DVV provides a validator in three languages:
✔️ PDF document validated. The following signatures were found:
1 valid signatures with EU qualified certificate issuers and signature keys stored in a qualified signature creation device.
Signature 1/1: [...]
✔️ The electronic signature is valid and has not been modified or forged after signature. Signature level is PKCS7_B (basic).
✔️ The signature is made by a party trusted by DVV.
✔️ The signature is made with an EU qualified certificate.
✔️ The signature key is stored in an EU qualified signature creation device (QSCD).
Signed by: ...
Issuer of certificate and root certificate: VRK Gov. CA for Citizen Certificates - G3 | VRK Gov. Root CA - G2 (Trusted) Time of signature: ... (Time stamp not validated by a time stamp authority (TSA))
Although other EIDAS/European signing verification capable services or applications should work too.
Root certificates
While I don’t think the user necessarily needs them, my notes mention
DVV Gov. Root CA
.
Testing
FINEID as SSH key
- I would start by
ssh-add -D
to remove other keys from the ssh-agent. - Add the key to the agent
- Debian:
ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
- Fedora:
ssh-add -s /usr/lib64/opensc-pkcs11.so
- Export the public key by
ssh-add -L|head -n1
(the comment should be “todentamis- ja salausavain” (“authentication and encryption key”)) - Naturally put it into
~/.ssh/authorized_keys
, but SSH should detect it automatically. The file could also be mentioned inssh_config
The public key should also be stored somewhere that can be passed to gitconfig or SSH signing commands if SSH signing is to be used.