Steps to set up the Croatian e-Građani app for identification (Chrome/Firefox) and document signing (LibreOffice) on Linux (Ubuntu 21.04)
- Install smart-card reader tooling

  ```bash
  # if on Ubuntu 22.04 LTS keep only `pcsc-tools` `opensc` packages and try without others
  # in case modutil is missing install `libnss3-tools` as well
  sudo apt-get install -y libccid ccid pcsc-tools opensc
  ```
- Start the service

  ```bash
  sudo systemctl start pcscd.service
  sudo systemctl enable pcscd.service
  ```

  To use your ID certificates, you must activate your eOI; check eid.hr for the steps. There you should find the latest Linux `.deb` package. For previous versions, check here.
- Download the `eidmiddleware` app, which contains all services, certificates, etc.

  ```bash
  sudo dpkg -i eidmiddleware_vX.Y.Z_amd64.deb
  ```
- Create a new local NSS db

  ```bash
  rm -rf "$HOME/.pki/nssdb"
  mkdir -p "$HOME/.pki/nssdb"
  # if on Ubuntu 22.04 LTS skip this command
  sudo chmod 777 /etc/pam_pkcs11/nssdb
  certutil -d "$HOME/.pki/nssdb" -N --empty-password
  # pkcs11.txt lists the PKCS #11 libraries NSS will load; 777 lets any local user edit it
  sudo chmod 777 "$HOME/.pki/nssdb/pkcs11.txt"
  ```
- Add the named module `HR eID` to the NSS module database with the PKCS #11 implementation libfile

  ```bash
  modutil \
    -dbdir "sql:$HOME/.pki/nssdb" \
    -add "HR eID" -libfile /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so \
    -mechanisms FRIENDLY \
    -force
  ```

  The flag `-mechanisms FRIENDLY` is required to work on Chromium/Chrome; check here for details.

  The alternative path for newer versions seems to be `/usr/lib/akd/certiliamiddleware/pkcs11/libEidPkcs11.so`, so try changing the path if this is not working for you.
- Check whether `HR eID` is added to the NSS db

  ```bash
  modutil -dbdir "sql:$HOME/.pki/nssdb/" -list
  ```
- Turn on the Client and Signer apps.
- Go to gov.hr and log in with the eOsobna option.
To sign documents using LibreOffice, go to `LibreOffice > Tools > Options > Security > Certificate... > Select NSS path`, navigate to the folder `$HOME/.pki/nssdb`, press OK and restart LibreOffice. Then go to `File > Digital Signatures > Digital Signatures... > Sign Document...` and the pop-ups for Signature/Identification will appear.
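
The steps above make `pkcs11.txt` world-writable and register a shared library that applications using this NSS database (Chrome, LibreOffice) load from the path stored in it. As an added example (not part of the original guide or the eID middleware), this POSIX shell script lists database files and module libraries that group or others can write to; the function names and the script name are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original guide or the AKD middleware.
# Audits an NSS database for PKCS #11 module entries that another local
# account could alter. Every library= path in pkcs11.txt is loaded as a
# shared object by applications that use this database.

# True when group or others may write to the file or directory.
loosely_writable() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints one finding per line; prints nothing for a clean database.
nss_findings() {
    db=$1
    conf=$db/pkcs11.txt
    if [ ! -f "$conf" ]; then
        echo "MISSING $conf"
        return 0
    fi
    for path in "$db" "$conf"; do
        if loosely_writable "$path"; then echo "WRITABLE $path"; fi
    done
    # The NSS internal module has an empty library= value, so this sed
    # pattern only yields modules backed by a file on disk.
    sed -n 's/^library=\(..*\)$/\1/p' "$conf" | while IFS= read -r lib; do
        if [ ! -f "$lib" ]; then
            echo "MISSING $lib"
        elif loosely_writable "$lib" || loosely_writable "$(dirname "$lib")"; then
            echo "WRITABLE $lib"
        fi
    done
    return 0
}

# Exit status 0 only when there are no findings.
audit_nssdb() {
    findings=$(nss_findings "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh audit_nssdb.sh "$HOME/.pki/nssdb"
if [ "$#" -gt 0 ]; then audit_nssdb "$1"; fi
```
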
Inspect the content of eidmiddleware:

```
$ tree /usr/lib/akd/eidmiddleware/
/usr/lib/akd/eidmiddleware/
├── certificates
│   ├── AKDCARoot.pem <---------------- ca root certificate
│   └── HRIDCA.pem <---------------- ca certificate
├── Client <---------------- identification app
├── lib
│   ├── libp11.so.2
│   ├── libpkcs11.so
│   ├── libQt5Core.so.5
│   ├── libQt5DBus.so.5
│   ├── libQt5Gui.so.5
│   ├── libQt5PrintSupport.so.5
│   ├── libQt5Widgets.so.5
│   └── libQt5XcbQpa.so.5
├── License.bin
├── pkcs11
│   ├── libEidPkcs11.so <---------------- pkcs11 driver
│   └── libEidPkcs11.so.lic
├── plugins
│   ├── imageformats
│   │   ├── libqjp2.so
│   │   └── libqjpeg.so
│   ├── platforms
│   │   └── libqxcb.so
│   └── printsupport
│       └── libcupsprintersupport.so
├── qt.conf
└── Signer <---------------- signer app
```
I use FER (university USB card reader) ACR38U-A1.

```
$ modutil -dbdir sql:$HOME/.pki/nssdb/ -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.49
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. HR eID
library name: /usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so
uri: pkcs11:library-manufacturer=AKD;library-description=AKD%20eID%20Middleware%20PKCS11;library-version=1.7
slots: 5 slots attached
status: loaded
slot: ACS ACR 38U-CCID 00 00 <---------------- my usb card reader (when you plug in your ID you should see here two tokens: `AKD eID Card (Identification)` and `AKD eID Card (Signature)`)
token:
uri: pkcs11:
slot: Virtual Slot 2
token:
uri: pkcs11:
slot: Virtual Slot 3
token:
uri: pkcs11:
slot: Virtual Slot 4
token:
uri: pkcs11:
slot: Virtual Slot 5
token:
uri: pkcs11:
-----------------------------------------------------------
```
Download and manually import certificates into Firefox:

- `/usr/lib/akd/eidmiddleware/certificates/*` (Firefox > View Certificates > Import)
- `/usr/lib/akd/eidmiddleware/pkcs11/libEidPkcs11.so` (Firefox > Security Devices > Load)