Page 2

From Govcamp


What is an eID?

If we consult Wikipedia, we find out that: The electronic identity card (eID) is an official electronic proof of one's identity. It also enables the possibility to sign electronic documents with a legal signature. The identity card has the format of a regular bankcard, with basic identity information in visual format, such as personal details and a photograph.

Figure 2.1 shows you what such an eID looks like in Belgium (note that this is not a genuine eID of an existing person).


figure 2.1: an eID that can be used for testing

On the official website of the Belgian eID we can read that: The implementation of the electronic identity card (eID) is part of an e-Government project in order to simplify the administration and to modernize the public services. The electronic identity card allows the citizen to identify himself electronically from a distance and to dispose of a legally valuable electronic signature. The result is a quick and customer-oriented service which guarantees the security of the private data of the owner. The appearance of those applications combined with the legal recognition of the electronic signature will rapidly and safely replace a part of the paper documents by their electronic equivalent.

At Ghent University the eID is used in the enrollment process of the students. Another speaker at GovCamp, my colleague Jurgen Lust, will tell you more about it, but in case you miss his talk, this is what happens:

Students have to present themselves at the desk of the student administration in person. In the past, they had to fill in a form with their name, address, date of birth, and so forth. This information was then entered into the central database by an administrator. If the handwriting of the student was hard to read, the administrator had to double check. There was also the risk of typos.

Nowadays the personal data, including the student's photograph, are read from the eID. There are also plans to use the eID so that the student can identify himself on the University's portal site in order to get access to his personal data (his curriculum, his grades, and so forth).

But let's return to PDF and PDF forms, and try to find out how we could fill in the form we made on the previous page using the eID.

Fill in a form with data retrieved from an eID

First we'll create a form that looks a little bit more complex: we'll use EIDForm.java to create EIDForm.pdf (see figure 2.2).


figure 2.2: a two-page form that will be used as a template

As I already told you, I am not an eID expert; that's why I contacted Danny De Cock from the University of Leuven for advice. He has written the 'GoDot' library that is used in a tool that allows you to retrieve data from the Belgian eID. We are going to use this tool to fill in our EIDForm.pdf.

In EIDFormAutoFill1.java, I create an instance of Danny's be.godot.sc.engine.BelpicCard class:

    BelpicCard scd = new BelpicCard("");

I use this instance to create a CitizenIdentityData and a CitizenAddressData object. These objects are derived from the code in Danny's tool. They parse the identity and address data of the card owner and give us a programmer-friendly way to access this data:

    // Identity data read from the card, parsed into named fields
    CitizenIdentityData identity = new CitizenIdentityData(scd.readCitizenIdentityDataBytes());
    form.setField(EIDForm.BIRTH_DATE, identity.getBirthDate());
    form.setField(EIDForm.BIRTH_LOCATION, identity.getBirthLocation());
    form.setField(EIDForm.CARD_NUMBER, identity.getCardNumber());
    form.setField(EIDForm.CARD_VALIDITY_BEGIN, identity.getCardValidityBegin());
    form.setField(EIDForm.CARD_VALIDITY_END, identity.getCardValidityEnd());
    form.setField(EIDForm.CHIP_NUMBER, identity.getChipNumber());
    form.setField(EIDForm.DOCUMENT_TYPE, identity.getDocumentType());
    form.setField(EIDForm.NAME, identity.getName());
    form.setField(EIDForm.NATIONAL_NUMBER, identity.getNationalNumber());
    form.setField(EIDForm.NATIONALITY, identity.getNationality());
    form.setField(EIDForm.SEX, identity.getSex());
    form.setField(EIDForm.TWO_FIRST_FIRST_NAMES,
        identity.getTwoFirstFirstNames() + " " + identity.getFirstLetterThirdFirstName());

    // Address data read from the card
    CitizenAddressData address = new CitizenAddressData(scd.readCitizenAddressBytes());
    form.setField(EIDForm.ADDRESS, address.getAddress());
    form.setField(EIDForm.MUNICIPALITY, address.getMunicipality());
    form.setField(EIDForm.ZIP, address.getZip());

We can also retrieve different certificates from the card:

    // The certificate bytes are turned into Strings only to display them in text fields
    form.setField(EIDForm.CERT_AUTHENTICATION, new String(scd.getAuthCertificateBytes()));
    form.setField(EIDForm.CERT_NON_REPUDIATION, new String(scd.getNonRepCertificateBytes()));
    form.setField(EIDForm.CERT_CITIZEN_CA, new String(scd.readCACertificateBytes()));
    form.setField(EIDForm.CERT_ROOT_CA, new String(scd.readRootCACertificateBytes()));
    form.setField(EIDForm.CERT_RNN_CA, new String(scd.readRRNCertificateBytes()));

This results in a new PDF document, EIDFormAutoFilled1.pdf, that is still a form; see figure 2.3.


figure 2.3: a form filled in with data from an eID

The data that was filled in is still inside a form. The fields can still be altered manually. We could set the field flags to make the field read only (as described in chapter 16), but another option is to 'flatten' the form. The source code of EIDFormAutoFill2.java is identical to the source code of EIDFormAutoFill1.java, except for one line:

    stamper.setFormFlattening(true);

The end result, EIDFormAutoFilled2.pdf, looks very similar to figure 2.3, but there is a difference: the form has disappeared. The resulting PDF is a 'traditional PDF' file; there is no AcroForm inside (see figure 2.4).


figure 2.4: a flattened PDF file with data from an eID

We won't go into the details of the data that was filled into the PDF form, but before we can move on to the page about digital signatures, I should tell you a word or two about the certificates that are present on the eID.

eID Certificates

The Belgian eID holds three different private keys (1024-bit RSA):

- one to authenticate the citizen
- one for non-repudiation signatures
- one to identify the card towards the Belgian government for mutual authentication

It is evident that these keys never leave the smart card: they are private.

The first key is accompanied by a certificate that can be used for authentication (the authentication certificate [#1]); you'll need it for instance when you fill in your tax forms online. The second one is accompanied by a certificate that can be used to produce an electronic signature that is equivalent to a handwritten signature (the qualified certificate [#2]). On the next page, we will use this 'non-repudiation certificate' to add a digital signature to a PDF document. The third private key is used when the card communicates with the National Register (RRN). There is no corresponding certificate on the card; the National Registry keeps the public key in its databases.

The authentication and digital signature certificate are signed by the Citizen CA [#3], which itself is signed by the Belgium Root CA [#4] (these are self-signed certificates). You can read more about these certificates in The Belgian Identity Card (Overview), a short introduction to the eID written by Danny De Cock, Christopher Wolf, and Bart Preneel. For a more complete overview, you can read this study on id documents. You'll find a general explanation about Certificate Authorities (CA) and Self-Signed Certificates in chapter 16. Finally there is also the National Registry (RRN) Certificate [#5] (corresponding with a private key used by the National Registry).

We have entered these five certificates into five multiline PDF form fields for demonstration purposes only. On the next page, we will use the non-repudiation certificate to add a digital signature to a PDF document.
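The chain described above (authentication or non-repudiation certificate, signed by the Citizen CA, signed by the self-signed Belgium Root CA) can be checked with the standard java.security.cert API before a certificate from the card is relied on. This is an added example, not code from the original page or from the GoDot library; the class name EidChainCheck, the file names, and the assumption that the card returns DER-encoded X.509 bytes are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

public class EidChainCheck {
    // Indexes into X509Certificate.getKeyUsage(), as defined in RFC 5280.
    static final int DIGITAL_SIGNATURE = 0, NON_REPUDIATION = 1;

    // Assumption: each certificate read from the card is DER-encoded X.509.
    static X509Certificate parse(byte[] der) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // Verifies leaf -> Citizen CA -> Belgium Root CA and the leaf's key usage bit.
    static void checkChain(X509Certificate leaf, X509Certificate citizenCa,
                           X509Certificate rootCa, int requiredUsage) throws Exception {
        for (X509Certificate c : new X509Certificate[] {leaf, citizenCa, rootCa}) {
            c.checkValidity();                    // throws if expired or not yet valid
        }
        leaf.verify(citizenCa.getPublicKey());    // leaf is signed by the Citizen CA
        citizenCa.verify(rootCa.getPublicKey());  // Citizen CA is signed by the root
        rootCa.verify(rootCa.getPublicKey());     // root is self-signed
        if (citizenCa.getBasicConstraints() < 0) {
            throw new SecurityException("issuer is not a CA certificate");
        }
        boolean[] usage = leaf.getKeyUsage();
        if (usage == null || !usage[requiredUsage]) {
            throw new SecurityException("leaf lacks the required key usage bit");
        }
    }

    // Reports the RSA modulus size of the certified public key.
    static int rsaBits(X509Certificate c) {
        return ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength();
    }

    // Usage (hypothetical file names): java EidChainCheck nonrep.der citizen-ca.der root-ca.der
    public static void main(String[] args) throws Exception {
        X509Certificate leaf = parse(Files.readAllBytes(Paths.get(args[0])));
        X509Certificate ca = parse(Files.readAllBytes(Paths.get(args[1])));
        X509Certificate root = parse(Files.readAllBytes(Paths.get(args[2])));
        checkChain(leaf, ca, root, NON_REPUDIATION);
        System.out.println("chain OK, subject=" + leaf.getSubjectX500Principal()
                + ", RSA bits=" + rsaBits(leaf));
    }
}
```

A root certificate read from the card is not a trust anchor by itself: compare it with a copy of the Belgium Root CA obtained from a trusted source before accepting the chain. The check above does not cover revocation.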

Author: Bruno Lowagie, August 2006