fineid/README.md: document using Okular for pdf signing with FINEID (2022-10-13 17:46:25 +03:00)

# Finnish Electronic Identity

Finnish identity cards have been electronic for ages and as I tend to forget how to use it on Linux again, here are my notes.

## Requirements for everything

pcscd must be running; it's found in the package pcscd on Debian and likely pcsc-lite on Fedora.

```sh
sudo systemctl enable pcscd --now
```

As in my shell-things repo, /etc/pkcs11/modules/libcryptoki.module should be created:

```text
module: /usr/lib64/libcryptoki.so
managed: no
```
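As an added check (not part of the original notes), the following shell snippet verifies the two requirements above: that pcscd is active and that the module file names a library that actually exists on disk, which is the usual reason the card is silently not offered. The p11-kit file path and its module:/managed: keys are the ones from the notes; the function names and the FINEID_CHECK variable are this example's own.

```sh
#!/bin/sh
# Added example, not from the original notes: sanity-check the FINEID
# prerequisites (pcscd service + p11-kit module file) before using the card.
set -eu

# Print the library path named by the "module:" key of a p11-kit .module file.
p11_module_lib() {
  sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$1" 2>/dev/null | head -n1
}

# Succeed only if the .module file names a library that exists on disk.
p11_module_ok() {
  lib=$(p11_module_lib "$1")
  [ -n "$lib" ] && [ -e "$lib" ]
}

# Full check as described in the notes: pcscd running, module file usable.
check_fineid_setup() {
  modfile=/etc/pkcs11/modules/libcryptoki.module
  if ! systemctl is-active --quiet pcscd; then
    echo "pcscd is not running: sudo systemctl enable pcscd --now" >&2
    return 1
  fi
  if ! p11_module_ok "$modfile"; then
    echo "$modfile is missing or its module: path does not exist" >&2
    return 1
  fi
  echo "pcscd running, PKCS#11 module $(p11_module_lib "$modfile") present"
}

# Only run the live check when explicitly asked (FINEID_CHECK is this example's knob).
if [ "${FINEID_CHECK:-0}" = 1 ]; then check_fineid_setup; fi
```

Run it with FINEID_CHECK=1 sh check.sh; a non-zero exit with the printed hint points at which of the two requirements is unmet.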

## Chromium

Should work as long as the DigiSignApplication from above was running before the browser was started.

## Firefox and Thunderbird

This doesn't apply if the libcryptoki.module file above has been created; preferably libcryptoki.so would be loaded that way anyway.

In Settings, Advanced, Security devices, load the module from (DVV app) /usr/lib64/libcryptoki.so or (OpenSC):

- Debian: /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
  - Package: opensc-pkcs11
- Fedora: /usr/lib64/onepin-opensc-pkcs11.so
  - Package: opensc

The onepin variant is a workaround so that the browser does not ask for PIN2, which is only used for legal agreements; email signing also uses PIN1.

## Okular

Okular is the KDE document viewer and supports signing PDF files using FINEID!

There are three ways to go; they all begin in the Settings menu, Configure backends, PDF.

Set the certificate database to one of the three:

- /etc/nssdb, with a password that I don't know.
- ~/.pki/nssdb, whose password can theoretically be read from ~/.digisign/Seed.txt, assuming the official DigiSignApplication is used.
- ~/.mozilla/firefox/<randomString>.<ProfileName> when Firefox is used (may require the configuration above); this didn't ask me for a password (which would presumably be the Firefox main password) and directly offers the certificates from FINEID.

Next, Apply or OK, then restart Okular; open the Tools menu and select Digitally sign…, draw an area for the signature (which FINEID wants to be big), select where to save the signed .pdf and enter the signing PIN a few times.

## Root certificates

While I don't think the user necessarily needs them, my notes mention DVV Gov. Root CA.

## Testing

### FINEID as SSH key

1. I would start by ssh-add -D to remove other keys from the ssh-agent.
2. Add the key to the agent:
   - Debian: ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
   - Fedora: ssh-add -s /usr/lib64/opensc-pkcs11.so
3. Export the public key by ssh-add -L | head -n1 (the comment should be “todentamis- ja salausavain” (“authentication and encryption key”)).
4. Naturally put it into ~/.ssh/authorized_keys; SSH should offer the key from the agent automatically. The public key file could also be mentioned in ssh_config.

The public key should also be stored somewhere it can be passed to gitconfig or to the SSH signing commands, if SSH signing is to be used.
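The SSH steps above as one script, an added example that is not from the original notes or the linux.fi wiki: it picks whichever OpenSC module path exists, loads the card into the agent, keeps only the agent key carrying the FINEID comment, saves it to a file that can later be handed to gitconfig, and appends it idempotently to an authorized_keys-style file. The function names, the FINEID_RUN variable and the ~/.ssh/fineid.pub output path are assumptions of this example; the module paths and the key comment are the ones from the notes.

```sh
#!/bin/sh
# Added example, not from the original notes: load the FINEID card into
# ssh-agent via OpenSC and export its public key.
set -eu

# Print the first of the given paths that exists; fail if none does.
# Used to pick the Debian or Fedora OpenSC module path from the notes.
first_existing() {
  for p in "$@"; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# From `ssh-add -L` output on stdin, print only the line whose comment is the
# FINEID authentication key ("todentamis- ja salausavain"); fail if absent.
fineid_pubkey() {
  grep -F 'todentamis- ja salausavain' | head -n1 | grep .
}

# Append one public key line to an authorized_keys-style file exactly once.
add_authorized_key() {
  key=$1
  file=$2
  mkdir -p "$(dirname "$file")"
  touch "$file"
  chmod 600 "$file"
  grep -qxF "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# The procedure from the notes, end to end. Requires a running ssh-agent and
# the card in the reader; ssh-add -s prompts for PIN1.
load_fineid_key() {
  mod=$(first_existing /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so /usr/lib64/opensc-pkcs11.so)
  ssh-add -D                      # drop other keys so the card key is offered first
  ssh-add -s "$mod"               # step 2: load the PKCS#11 module (asks for PIN1)
  out="$HOME/.ssh/fineid.pub"     # assumed output path (this example's choice)
  ssh-add -L | fineid_pubkey > "$out"   # step 3: keep only the FINEID key line
  add_authorized_key "$(cat "$out")" "$HOME/.ssh/authorized_keys"   # step 4
  echo "FINEID key saved to $out"
}

# Only perform the live steps when explicitly asked (FINEID_RUN is this example's knob).
if [ "${FINEID_RUN:-0}" = 1 ]; then load_fineid_key; fi
```

Run it with FINEID_RUN=1 sh fineid-ssh.sh. The saved fineid.pub line is the one to copy into a remote host's authorized_keys or to point git's user.signingkey at when gpg.format is set to ssh.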

Via: https://www.linux.fi/wiki/HST#Ssh_2