
Digital signatures and PKI in Lithuania

This is a draft / notebook of sorts, in which I try to document how well the Lithuanian "qualified" PKI (certificates, tokens and the web sites that use them) works on Linux.

Providers

ADIC (identity card)

The ADIC, formerly NSC, issues national ID cards with two certificates preloaded: one for TLS client authentication (NQC-Authentication, a non-qualified certificate) and one for non-repudiable digital signatures (QC-DigitalSignature, a qualified certificate), both 2048-bit RSA. They are valid for 3 years; issuance and renewal are free.

As of 2012-07-04, ADIC issues CryptoTech cards, while older ones are Gemalto (GemXpresso R4). All official drivers and PKI roots are available at http://www.nsc.vrm.lt/downloads.htm.

Skaitmeninio sertifikavimo centras (SSC)

TODO

Registrų centras (RCSC) aka elektroninis.lt

TODO

Hardware (tokens)

CryptoTech smartcards

Issued by ADIC as national ID cards. Drivers for Windows and Linux are provided; a Mac OS X version is listed as "available on request".

I have not tested the Linux driver; however, it appears to be very minimal (just a single PKCS#11 library), which is a good sign.

Gemalto smartcards

These were issued by ADIC as national ID cards until mid-2012. Officially, ADIC supports only Windows and provides a slightly outdated (but working) Gemalto Classic Client.

Linux drivers can be found in various places, e.g. from LuxTrust (who distribute rebranded Gemalto tokens), and the provided libclassicclient seems to work. (On Arch Linux it is repackaged in AUR as libclassicclient.) With it, the card can be managed via OpenSC's pkcs11-tool --module libgclib.so, and various other features seem to work. Unfortunately I can't seem to get TLS client authentication working with it; both 7.0.0 and 6.1.0 keep giving me "CKR_FUNCTION_FAILED".

Oddly, the smartcards also seem to work (or show identical problems) with the CryptoTech PKCS#11 module.

Web authentication

To my knowledge, certificates from all issuers carry the "TLS Client Authentication" extended key usage, which means they can be used with any program that speaks PKCS#11, including web browsers. However, some websites use their own custom plugins.
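For a browser to use a card over PKCS#11, the module has to be listed in the NSS database that Firefox (profile directory) or Chromium (~/.pki/nssdb) reads, in a plain-text file called pkcs11.txt. The following is an added example, not code from the page or from any of the vendors named on it: it parses that file, registers a module idempotently, and refuses paths or names that could inject extra lines. The constructed sample file and the /usr/lib location of libgclib.so are assumptions.

```python
"""Register a PKCS#11 module in an NSS database's pkcs11.txt (added example)."""
import os

# Constructed, abbreviated sample of an existing pkcs11.txt. Modules are
# blank-line-separated blocks of key=value lines; the first block is NSS's own
# built-in softoken, which has an empty library= line.
SAMPLE_PKCS11_TXT = """library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100
"""


def parse_modules(text):
    """Split pkcs11.txt into one dict per module block (first '=' separates key and value)."""
    modules, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                modules.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value
    if current:
        modules.append(current)
    return modules


def registered_libraries(text):
    """Paths of the external modules already listed (the softoken has none)."""
    return [m["library"] for m in parse_modules(text) if m.get("library")]


def is_valid_library_path(path):
    """Only absolute paths, and nothing that could start a new line in the file."""
    return os.path.isabs(path) and "\n" not in path and "\r" not in path


def add_module(text, name, library):
    """Return pkcs11.txt contents with `library` registered under `name`.

    Idempotent: if the same library is already listed the text is returned
    unchanged, so running this twice does not make the browser load it twice.
    A PKCS#11 module is native code loaded into the browser process, so only
    register libraries installed from a package you trust.
    """
    if not is_valid_library_path(library):
        raise ValueError("library must be an absolute path without newlines")
    if not name.strip() or "\n" in name or "\r" in name:
        raise ValueError("name must be a single non-empty line")
    if library in registered_libraries(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    # A blank line terminates the previous block; NSS needs at least library= and name=.
    separator = "\n" if text else ""
    return text + f"{separator}library={library}\nname={name}\n"


def register_in_nssdb(db_dir, name, library):
    """Edit <db_dir>/pkcs11.txt in place; close the browser first. Returns True if changed."""
    path = os.path.join(db_dir, "pkcs11.txt")
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            existing = f.read()
    updated = add_module(existing, name, library)
    if updated != existing:
        with open(path, "w", encoding="utf-8") as f:
            f.write(updated)
    return updated != existing


if __name__ == "__main__":
    # The Gemalto library named in the text; its /usr/lib location is an assumption.
    print(add_module(SAMPLE_PKCS11_TXT, "Gemalto Classic Client", "/usr/lib/libgclib.so"))
```

The same registration can be done with NSS's own tool, e.g. modutil -dbdir sql:$HOME/.pki/nssdb -add "Gemalto Classic Client" -libfile /usr/lib/libgclib.so for Chromium (use the Firefox profile directory instead for Firefox); the script is mainly useful when scripting a setup across machines.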

Signa (SoDra, VMI)

A few government websites initially used a Java applet made by MitSoft, but because web browsers dropped Java plugin support they have switched to a standalone implementation. The new "Signa Browser Extension" is invoked as a URL handler for signa:auth/<uuid> and performs everything out-of-band, while the corresponding webpage polls the server for status.
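Because any web page can navigate to a signa: URL, whatever the browser hands the handler on its command line is untrusted input, and a handler should accept only the one documented shape before doing anything with it. The following is an added example and not the Signa software's own code: it validates a signa:auth/<uuid> argument strictly, and generates the .desktop entry that registers a program as the handler for the scheme on a Linux desktop. The binary path /usr/bin/signa-browser-ext is an assumption; the page does not document the real one.

```python
"""Validate the signa:auth/<uuid> URL handed to a URL-scheme handler (added example)."""
import re
import sys
import uuid

# Exactly `signa:auth/` followed by a canonically formatted UUID: no query string,
# no other path, no shell-significant characters. Anything else is rejected.
_AUTH_RE = re.compile(
    r"signa:auth/([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"
)


def parse_signa_auth_url(url):
    """Return the request UUID in canonical lowercase form, or raise ValueError."""
    m = _AUTH_RE.fullmatch(url)
    if m is None:
        raise ValueError(f"not a signa:auth URL: {url!r}")
    return str(uuid.UUID(m.group(1)))


def is_signa_auth_url(url):
    """Boolean form of parse_signa_auth_url, for callers that only need yes/no."""
    try:
        parse_signa_auth_url(url)
        return True
    except ValueError:
        return False


def desktop_entry(exec_path="/usr/bin/signa-browser-ext"):
    """Text of a .desktop file registering exec_path for x-scheme-handler/signa.

    exec_path is an assumption. Install the text as
    ~/.local/share/applications/signa.desktop, run
    `update-desktop-database ~/.local/share/applications`, then
    `xdg-mime default signa.desktop x-scheme-handler/signa` to make it the
    default; the browser then launches it with the URL substituted for %u.
    """
    if any(c.isspace() for c in exec_path):
        raise ValueError("exec_path with whitespace would need Exec= quoting")
    return (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=Signa Browser Extension\n"
        f"Exec={exec_path} %u\n"
        "NoDisplay=true\n"
        "MimeType=x-scheme-handler/signa;\n"
    )


if __name__ == "__main__":
    # A handler receives the URL as argv[1]; the default is a constructed sample.
    url = sys.argv[1] if len(sys.argv) > 1 else "signa:auth/550e8400-e29b-41d4-a716-446655440000"
    try:
        print("authentication request", parse_signa_auth_url(url))
    except ValueError as exc:
        print(exc, file=sys.stderr)
        sys.exit(2)
```

The validated UUID is the only piece of the URL a handler should pass on to whatever it does next (the out-of-band exchange with the Signa server, whose protocol the page does not describe).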

The "extension" software is reasonably cross-platform, with Linux .deb and .rpm packages provided in addition to the Windows .msi (repackaged for Arch as signa-browser-ext; a macOS version is supposed to be available as well). I'm not sure which architectures it works on, but the smart-card interface seems to be a bundled copy of the generic javax.smartcardio and detects installed PKCS#11 libraries as it should.

ISIGN.io

The "E-Government Gateway" website uses an extension developed by ISIGN, which uses Native Messaging to communicate with the backend.

The extension works with Chrome as well as Firefox 50 (as of version 1.2.0), although this particular website still offers only Java for Firefox.

The backend is available on Linux as a .deb package (repackaged for Arch as isign-chrome-signing) and is based on Qt5. It seems to have a hardcoded list of PKCS#11 modules to try, and does not support selecting between multiple connected tokens, but otherwise works well.
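Native Messaging is a well-defined protocol: the browser starts the host as a child process and exchanges JSON messages over its stdin/stdout, each prefixed with a 32-bit length in native byte order, and a manifest file tells the browser where the host lives and which extension IDs are allowed to talk to it. The following is an added example of such a host, not ISIGN's code: it implements the framing with size caps, a small made-up command dispatcher, and the manifest. The host name com.example.signing_host, the binary path and the extension IDs are placeholders.

```python
"""Native-messaging host framing and manifest for browser extensions (added example)."""
import io
import json
import struct
import sys

# Documented limits: a host may send at most 1 MB per message to the browser,
# and the browser up to 4 GB to the host. We cap what we will buffer at 1 MB too,
# since a signing request is small and a huge length prefix is a bug or an attack.
MAX_TO_BROWSER = 1024 * 1024
MAX_FROM_BROWSER = 1024 * 1024


def encode_message(obj):
    """Frame one JSON message: 4-byte native-order length, then UTF-8 JSON."""
    payload = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(payload) > MAX_TO_BROWSER:
        raise ValueError("message exceeds the 1 MB the browser will accept")
    return struct.pack("=I", len(payload)) + payload


def read_message(stream, limit=MAX_FROM_BROWSER):
    """Read one framed message; return None at clean EOF (browser closed the pipe)."""
    header = stream.read(4)
    if not header:
        return None
    if len(header) != 4:
        raise EOFError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > limit:
        raise ValueError(f"refusing {length}-byte message (cap {limit})")
    payload = stream.read(length)
    if len(payload) != length:
        raise EOFError("truncated message body")
    return json.loads(payload.decode("utf-8"))


def handle(request):
    """Dispatch one request. The command set is invented for illustration."""
    cmd = request.get("command") if isinstance(request, dict) else None
    if cmd == "ping":
        return {"ok": True, "reply": "pong"}
    return {"ok": False, "error": f"unknown command {cmd!r}"}


def serve(stdin, stdout):
    """Process messages until the browser closes stdin."""
    while True:
        request = read_message(stdin)
        if request is None:
            break
        stdout.write(encode_message(handle(request)))
        stdout.flush()


def roundtrip_in_memory(request):
    """Run serve() over in-memory pipes and return the host's decoded reply."""
    out = io.BytesIO()
    serve(io.BytesIO(encode_message(request)), out)
    return read_message(io.BytesIO(out.getvalue()))


def host_manifest(host_name, binary_path, extension_ids, browser="chrome"):
    """Manifest the browser reads to locate the host and decide who may use it.

    allowed_origins (Chrome) / allowed_extensions (Firefox) is the only access
    control in front of the host: every extension listed can drive the token,
    so keep the list to the one signing extension. All values are placeholders.
    """
    manifest = {"name": host_name, "description": "signing backend",
                "path": binary_path, "type": "stdio"}
    if browser == "chrome":
        manifest["allowed_origins"] = [f"chrome-extension://{i}/" for i in extension_ids]
    elif browser == "firefox":
        manifest["allowed_extensions"] = list(extension_ids)
    else:
        raise ValueError(f"unsupported browser {browser!r}")
    return manifest


if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

The manifest is written as <host_name>.json to ~/.config/google-chrome/NativeMessagingHosts/ (Chromium: ~/.config/chromium/NativeMessagingHosts/, system-wide /etc/opt/chrome/native-messaging-hosts/ or /etc/chromium/native-messaging-hosts/) and, for Firefox, to ~/.mozilla/native-messaging-hosts/; the extension then opens the host by that name.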

SSC

Selecting "Token (SSC)" on websites which offer this option (e.g. the E-Government Gateway) redirects to the SSC IdP website, which uses native (TLS) client authentication. (A Java-applet option is still available for Firefox, but is probably going to disappear soon.) Fortunately, at least the Linux "SafeNet eToken" PKCS#11 module from sac-core works with both Chromium and Firefox.

Registrų centras – ipasas.lt

Websites managed by "Registrų centras" use an SSO website, ipasas.lt, which supports native (TLS) authentication for both RCSC-issued tokens and national ID cards. (SSC token users used to get redirected to SSC's own website; now their certificates are merely rejected.) Unfortunately I couldn't test it due to problems with the Gemalto PKCS#11 module.

Mobile signatures

Nearly all websites accepting digital signatures also offer a "mobile signature" option, which uses keys and certificates held on one's mobile SIM card. The exact protocol is unknown, but the entire process works like this:

Overall, this is the most convenient and compatible option, although it has the major downside of being usable only with a select few services. (Even viewing one's own public certificate requires a certain amount of trickery.) Another downside is that all currently issued certificates are 1024-bit RSA, well below the 2048 bits used on the ID cards, presumably due to SIM Toolkit limits.

Signed document formats

To do. The format is ADOC-1.0 (more documentation is also available); the online tool is Signa Web.