Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/fpopic/linux-egradjani
Steps on how to set up the Croatian e-Građani app for identification (Chrome/Firefox) and signing documents (LibreOffice) on Linux (Ubuntu 21.04.)
https://github.com/fpopic/linux-egradjani
certificates chrome e-gov e-gradani e-gradjani egradjani eoi firefox identification libreoffice linux nss-db sign-documents signature
Last synced: about 1 month ago
JSON representation
Steps on how to set up the Croatian e-Građani app for identification (Chrome/Firefox) and signing documents (LibreOffice) on Linux (Ubuntu 21.04.)
- Host: GitHub
- URL: https://github.com/fpopic/linux-egradjani
- Owner: fpopic
- Created: 2021-05-13T10:37:54.000Z (over 3 years ago)
- Default Branch: master
- Last Pushed: 2024-05-09T13:33:01.000Z (8 months ago)
- Last Synced: 2024-05-09T15:01:37.663Z (8 months ago)
- Topics: certificates, chrome, e-gov, e-gradani, e-gradjani, egradjani, eoi, firefox, identification, libreoffice, linux, nss-db, sign-documents, signature
- Homepage:
- Size: 22.8 MB
- Stars: 16
- Watchers: 3
- Forks: 1
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# linux-egradjani
Steps on how to set up the Croatian e-Građani app for identification (Chrome/Firefox) and signing documents (LibreOffice) on Linux (Ubuntu 21.04.)
## Linux requirements
1. Install smart-card reader tooling
```bash
# if on Ubunt 22.04 LTS keep only `pcsc-tools` `opensc` packages and try without others
# in case modutil is missing install `libnss3-tools` as well
sudo apt-get install -y libccid ccid pcsc-tools opensc
```2. Start the service
```bash
sudo systemctl start pcscd.service
sudo systemctl enable pcscd.service
```## e-egradjani requirements
To use your ID certificates, you must activate your eOI, and check [eid.hr](https://eid.hr/hr/eosobna/clanci/aktiviraj-eoi) for steps.
There you should find the latest linux `.deb` package. For the previous versions check [here](https://eid.hr/hr/eosobna/clanci/ranije-verzije-middlewara).
## Step-by-step
1. Download `eidmiddleware` app that contains all services, certificates, etc.
```bash
sudo dpkg -i eidmiddleware_vX.Y.Z_amd64.deb
```2. Create a new local NSS db
```bash
rm -rf $HOME/.pki/nssdb
mkdir -p $HOME/.pki/nssdb
# if on Ubunt 22.04 LTS skip this command
sudo chmod 777 /etc/pam_pkcs11/nssdb
certutil -d $HOME/.pki/nssdb -N --empty-password
sudo chmod 777 $HOME/.pki/nssdb/pkcs11.txt
```2. Add the named module `HR eID` to NSS module database with `PKCS #11` implementation libfile
```bash
modutil \
-dbdir sql:$HOME/.pki/nssdb \
-add "HR eID" -libfile /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so \
-mechanisms FRIENDLY \
-force
```
Flag `-mechanisms FRIENDLY` is required to work on Chromium/Chrome,
check [here](https://bugs.chromium.org/p/chromium/issues/detail?id=42073#c76) for details.Alternative path for newer versions seems to be ``/usr/lib/akd/certiliamiddleware/pkcs11/libEidPkcs11.so`` so try changing path if this is not working for you.
3. Check whether `HR eID` is added to NSS db
```bash
modutil -dbdir sql:$HOME/.pki/nssdb/ -list
```4. Turn on Client and Signer apps.
## Identification
1. Go to [gov.hr](https://gov.hr) and login with eOsobna option
- Chrome:
- Firefox:
## Signing documents
To sign documents using `LibreOffice` go to
```
LibreOffice > Tools > Options > Security > Certificate... > Select NSS path
```and navigate to folder `$HOME/.pki/nssdb` and press OK and restart LibreOffice. Go to
```
File > Digital Signatures > Digital Signatures... > Sign Document...
```and pop-ups for Signature/Identification will appear.
## Debugging
Inspect the content of eidmiddleware:
```bash
$ tree /usr/lib/akd/eidmiddleware//usr/lib/akd/eidmiddleware/
├── certificates
│ ├── AKDCARoot.pem <---------------- ca root certificate
│ └── HRIDCA.pem <---------------- ca certificate
├── Client <---------------- identification app
├── lib
│ ├── libp11.so.2
│ ├── libpkcs11.so
│ ├── libQt5Core.so.5
│ ├── libQt5DBus.so.5
│ ├── libQt5Gui.so.5
│ ├── libQt5PrintSupport.so.5
│ ├── libQt5Widgets.so.5
│ └── libQt5XcbQpa.so.5
├── License.bin
├── pkcs11
│ ├── libEidPkcs11.so <---------------- pkcs11 driver
│ └── libEidPkcs11.so.lic
├── plugins
│ ├── imageformats
│ │ ├── libqjp2.so
│ │ └── libqjpeg.so
│ ├── platforms
│ │ └── libqxcb.so
│ └── printsupport
│ └── libcupsprintersupport.so
├── qt.conf
└── Signer <---------------- signer app
```I use FER (university usb card reader) ACR38U-A1.
```bash
$ modutil -dbdir sql:$HOME/.pki/nssdb/ -listListing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.49
slots: 2 slots attached
status: loadedslot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%2032. HR eID
library name: /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so
uri: pkcs11:library-manufacturer=AKD;library-description=AKD%20eID%20Middleware%20PKCS11;library-version=1.7
slots: 5 slots attached
status: loadedslot: ACS ACR 38U-CCID 00 00 <---------------- my usb card reader (when you plug in your ID you should see here two tokens: `AKD eID Card (Identification)` and `AKD eID Card (Signature)`)
token:
uri: pkcs11:slot: Virtual Slot 2
token:
uri: pkcs11:slot: Virtual Slot 3
token:
uri: pkcs11:slot: Virtual Slot 4
token:
uri: pkcs11:slot: Virtual Slot 5
token:
uri: pkcs11:
-----------------------------------------------------------
```## Firefox supports UI to add certificates and secured devices
Download and import manually certificates to Firefox
- `/usr/lib/akd/eidmiddleware/certificates/*` (Firefox > View Certificates > Import)
- `/usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so` (Firefox > Security Devices > Load)![firefox-device-manager](./img/firefox-device-manager.png)
## References
- https://www.eid.hr/hr
- https://hr.comp.os.linux.narkive.com/7ObBGSco/eoi-na-ubuntu (Thanks!)
- https://bugs.chromium.org/p/chromium/issues/detail?id=42073
- https://www.suse.com/c/configuring-smart-card-authentication-suse-linux-enterprise/