Debian GNU/Linux and DNIe

This quick entry describes the steps I follow to be able to use the Spanish electronic ID card (aka DNIe) on my Debian box. I followed advice given by some bloggers, but mainly from this entry written for a friend of mine.

In this case I'm not using a fresh Debian system, so it is possible that additional packages will be needed to complete this process successfully on your computer.

1. Installing required packages:
# aptitude install libccid pcscd pcsc-tools pinentry-gtk2 libnss3-tools libpcsclite-dev libreadline-dev libssl-dev libssl-doc xsltproc pkg-config

It is also worth running the lsusb command with the smart card reader plugged in, to check that your system recognizes the device.
Depending on the chipset used by your reader you may need to install additional drivers, for example the package libacr38u if your reader is based on the ACR38 chipset.

2. Download the OpenSC source code. OpenSC is a project that provides software tools to communicate with smart cards that support cryptographic operations; it also implements a PKCS#11 API.
$ git clone https://github.com/OpenSC/OpenSC.git
$ cd OpenSC

3. Set up, compile and install the binaries:
$ ./bootstrap
...
autoreconf: running: /usr/bin/autoconf --force
autoreconf: running: /usr/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:43: installing './compile'
configure.ac:42: installing './config.guess'
configure.ac:42: installing './config.sub'
configure.ac:15: installing './install-sh'
configure.ac:15: installing './missing'
src/common/Makefile.am: installing './depcomp'
autoreconf: Leaving directory `.
$ ./configure --prefix=/opt/opensc --enable-dnie-ui --enable-sm
OpenSC has been configured with the following options:
...
$ make && make install

It can be useful at this point to stop the pcscd service and start it manually in the foreground, then insert your DNIe in the smart card reader, so you can read the information logged to the console and detect any problem with your settings.
# service pcscd stop
# /usr/sbin/pcscd -d -f
00000000 pcscdaemon.c:347:main() pcscd set to foreground with debug send to stdout
00000021 utils.c:82:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
00000045 configfile.l:285:DBGetReaderListDir() Parsing conf directory: /etc/reader.conf.d
00000011 configfile.l:361:DBGetReaderList() Parsing conf file: /etc/reader.conf.d/libccidtwin
00000022 configfile.l:322:DBGetReaderListDir() Skipping non regular file: .
00000003 configfile.l:322:DBGetReaderListDir() Skipping non regular file: ..
00000004 pcscdaemon.c:662:main() pcsc-lite 1.8.23 daemon ready...

In a new text console, other commands can be executed while the smart card is inserted in the reader:
$ /opt/opensc/bin/opensc-tool -D | grep DNI
dnie DNIe: Spanish eID card
$ /opt/opensc/bin/dnie-tool -d
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] 00 00
DNIe Number: XXXXXXXXX
SurName: ACEDO
Name: AITOR

It’s time to configure our browser (iceweasel in my case) so the PKCS#11 module from OpenSC can be used. You need to know the library location in order to register the new security module:
Location of the compiled OpenSC+DNIe package:
/opt/opensc/lib/opensc-pkcs11.so

Location of the default Debian package:
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Edit > Preferences > Advanced > Security Devices > Load
Module: DNIe PKCS#11 Module
Path: /opt/opensc/lib/opensc-pkcs11.so

Additional steps are required to set up the DNIe properly in the Chrome/Chromium browser.

Listing previously installed modules in our browser:
$ modutil -rawlist
library= name="NSS Internal PKCS #11 Module" parameters="configdir=/home/aitor/.netscape certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

1. Before adding the PKCS#11 module to our browser configuration, check whether the Chrome browser is still running (it must be closed before the NSS database is modified):
$ ps -ef|grep -i chrome|grep -v grep
Now we are ready to add the new module:
$ modutil -dbdir sql:$HOME/.pki/nssdb -add "OpenSC PKCS#11" -libfile /opt/opensc/lib/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "OpenSC PKCS#11" added to database.

This tool (modutil) provides commands to manage the installed modules, such as enable, disable and delete:
$ modutil -dbdir sql:$HOME/.pki/nssdb -delete "OpenSC PKCS#11"
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "OpenSC PKCS#11" deleted from database.

We can check our database using this command:
$ modutil -dbdir sql:$HOME/.pki/nssdb -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. Mozilla Root Certs
library name: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
slots: 1 slot attached
status: loaded

slot: NSS Builtin Objects
token: Builtin Object Token
3. OpenSC PKCS#11
library name: /opt/opensc/lib/opensc-pkcs11.so
slots: 1 slot attached
status: loaded

slot: Virtual hotplug slot
token:
-----------------------------------------------------------
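As an added example (not from the original post), here is a small POSIX shell helper that parses the "modutil -list" output shown above and reports whether the OpenSC module is registered, loaded, and whether a token is present in its slot; an empty "token:" line, as in the listing above, just means no card was in the reader when the listing was taken. The sample listing is constructed from that output, and the module name "OpenSC PKCS#11" and database path are the ones used on this page.

```shell
# SAMPLE_LISTING is constructed from the modutil output shown above,
# with the indentation modutil normally prints.
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
  3. OpenSC PKCS#11
        library name: /opt/opensc/lib/opensc-pkcs11.so
         slots: 1 slot attached
        status: loaded

         slot: Virtual hotplug slot
        token:
-----------------------------------------------------------'

# Reads "modutil -list" output on stdin and reports on one module ($1):
#   missing          module is not registered in the NSS database
#   not-loaded       registered, but NSS could not load the library
#   loaded-no-token  library loaded, but no card is present in its slot
#   loaded-token:X   library loaded and token X (e.g. the DNIe) is present
nss_module_status() {
    awk -v want="$1" '
        /^[[:space:]]*[0-9]+\. / { sub(/^[[:space:]]*[0-9]+\. /, ""); cur = $0; next }
        cur == want && /^[[:space:]]*status:/ { found = 1; status = $2 }
        cur == want && /^[[:space:]]*token:/ {
            t = $0; sub(/^[[:space:]]*token:[[:space:]]*/, "", t)
            if (t != "") token = t
        }
        END {
            if (!found)             { print "missing";    exit }
            if (status != "loaded") { print "not-loaded"; exit }
            if (token == "")        { print "loaded-no-token" }
            else                    { print "loaded-token:" token }
        }'
}

# Real use, once the module has been added with modutil -add as above:
check_dnie_module() {
    modutil -dbdir "sql:$HOME/.pki/nssdb" -list | nss_module_status "OpenSC PKCS#11"
}
```

Run check_dnie_module with the DNIe inserted: "loaded-no-token" means NSS sees the library but pcscd or the reader is not presenting the card.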

Now you can open Chrome, go to Settings > Show Advanced Settings > HTTPS/SSL with your DNIe inserted in the reader, and check whether your certificates are listed.

I almost forgot that the certification authority certificate (ac_raiz_dnie.crt) and the validation authority certificate (FNMTClase2CA.cer) also need to be imported:
$ openssl x509 -in ac_raiz_dnie.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d2:85:70:fd:ae:a7:d6:5f:11:84:15:c6:31:b5:cb
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ES, O=DIRECCION GENERAL DE LA POLICIA, OU=DNIE, CN=AC RAIZ DNIE
Validity
Not Before: Feb 16 10:37:25 2006 GMT
Not After : Feb 8 22:59:59 2036 GMT
Subject: C=ES, O=DIRECCION GENERAL DE LA POLICIA, OU=DNIE, CN=AC RAIZ DNIE
...

Just as a reminder (for myself), I include this little note, quoted from the openssl x509 documentation, on identifying the different formats:
The PEM format uses the header and footer lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

it will also handle files containing:
-----BEGIN X509 CERTIFICATE-----
-----END X509 CERTIFICATE-----

Trusted certificates have the lines
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----
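As an added example (not from the original post) for the format notes above: the header lines identify the PEM variants, but a file with no such header (common for .cer files) is usually DER, and openssl x509 then needs -inform DER. The helper below, written for this page, tells the formats apart from the header line or the leading ASN.1 SEQUENCE byte and prints the matching openssl command; the sample files in the test are constructed and contain no real certificate.

```shell
# Prints one of: pem, pem-x509, pem-trusted, der, unknown for the file in $1.
cert_format() {
    f=$1
    if grep -q '^-----BEGIN TRUSTED CERTIFICATE-----' "$f"; then
        echo pem-trusted
    elif grep -q '^-----BEGIN X509 CERTIFICATE-----' "$f"; then
        echo pem-x509
    elif grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo pem
    else
        # A DER-encoded X.509 certificate is binary and starts with the
        # ASN.1 SEQUENCE tag 0x30 (the outer Certificate structure).
        first=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
        case $first in
            30*) echo der ;;
            *)   echo unknown ;;
        esac
    fi
}

# Prints the openssl command that dumps the certificate whatever its format,
# so DER files such as FNMTClase2CA.cer are read with -inform DER.
cert_dump_cmd() {
    case $(cert_format "$1") in
        der)
            echo "openssl x509 -inform DER -in '$1' -noout -text" ;;
        pem|pem-x509|pem-trusted)
            echo "openssl x509 -in '$1' -noout -text" ;;
        *)
            echo "unknown certificate format: $1" >&2; return 1 ;;
    esac
}

# Usage: cert_dump_cmd ac_raiz_dnie.crt
```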


“And those who were seen dancing were thought to be insane by those who could not hear the music.”
–Friedrich Nietzsche

2 thoughts on “Debian GNU/Linux and DNIe”

  1. This really rocks and works, also in Ubuntu Trusty 14.04. Do not use opensc from the page of the ministry, use the git version as explained here. THANKS!!
