How to get the eid electronic card reader ACR38U working in Ubuntu 16.04 64-bit

Posted: 2014/01/04 in Ubuntu

Prerequisites: Ubuntu 16.04.2 LTS 64-bit or newer, newest version of Mozilla Firefox OR newest version of 64-bit Google Chrome browser, pcscd, default-jre, opensc, libacr38u, libacr38ucontrol0, libacsccid1, libccid

Supported CCID readers: http://pcsclite.alioth.debian.org/ccid/section.html

Copy-paste all the commands below into a temporary file. Then execute the file as a bash script. The Terminal command to execute this script is similar to “bash name-of-temporary-file”

# add repository for eid-mw and eid-viewer software packages
sudo rm -f /etc/apt/sources.list.d/eid.list
sudo touch /etc/apt/sources.list.d/eid.list
sudo sh -c 'echo "deb http://files.eid.belgium.be/debian xenial main" >> /etc/apt/sources.list.d/eid.list'
sudo sh -c 'echo "deb http://files2.eid.belgium.be/debian xenial main" >> /etc/apt/sources.list.d/eid.list'
cd $HOME
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 63F7D4AFF6D61D45 A35743EA6773D225 F9FDA6BED73CDC22 3B4FE6ACC0B21F32 4E940D7FDD7FB8CC A040830F7FAC5991 16126D3A3E5C1192
sudo DEBIAN_FRONTEND=noninteractive add-apt-repository --yes ppa:gertvdijk/opensc-backports
sudo DEBIAN_FRONTEND=noninteractive apt --yes --force-yes remove --purge 'beid*'
sudo DEBIAN_FRONTEND=noninteractive apt update
sudo DEBIAN_FRONTEND=noninteractive apt --yes install aptitude
# html-xml-utils provides hxnormalize, which is used further down to find the newest citizen and foreigner certificates
sudo aptitude install usbutils pciutils eid-mw eid-viewer apt firefox pcscd default-jre opensc libacr38u libacr38ucontrol0 libacsccid1 libccid libudev-dev libusb-1.0-0 libpcsclite1 libpcsclite-dev pcsc-tools libnss3-tools ca-certificates html-xml-utils
sudo update-pciids
sudo update-usbids
cd $HOME/.mozilla/firefox/*.default
rm extensions*
rm -rf extensions/*
rm addons*
sudo rm -rf /usr/lib/firefox/browser/extensions*
sudo chattr -i prefs.js
# LogDay is not set anywhere in this script; a date stamp is assumed here
LogDay=$(date +%Y%m%d)
cp prefs.js prefs.js.$LogDay.backup
grep -v security.ssl prefs.js > prefs.js.nossl.1
grep -v security.tls.version.min prefs.js.nossl.1 > prefs.js.nossl.2
grep -v extensions.enabled prefs.js.nossl.2 > prefs.js.nossl 
# the renegotiation prefs below relax a Firefox TLS protection; the first one applies to every host, not only to *.be
echo 'user_pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);' >> prefs.js.nossl
echo 'user_pref("security.ssl.enable_false_start", true);' >> prefs.js.nossl
echo 'user_pref("security.ssl.renego_unrestricted_hosts", "*.be");' >> prefs.js.nossl
# protect Mozilla Firefox v33 or lower against POODLE SSLv3 vulnerability (integer pref: 1 = TLS 1.0 as minimum):
echo 'user_pref("security.tls.version.min", 1);' >> prefs.js.nossl
cp prefs.js.nossl prefs.js
# Change on ISO date 2017/05/25:
# Ensure Mozilla Firefox cannot change new prefs.js contents when closing Mozilla Firefox browser window:
sudo chattr +i prefs.js
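# install certificates in Mozilla Firefox:
cd ~/.mozilla/firefox/*.default
# the next two commands delete every certificate file and the profile's existing NSS certificate/key databases
rm -f *.crt
rm -f *.db
# --no-check-certificate only applies to HTTPS; the URLs below are plain http, so the downloads are unauthenticated.
# compare each certificate's fingerprint with the value published by the issuer before it is marked trusted
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrs.crt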
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrs2.crt
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrs3.crt
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrs4.crt
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrca.crt
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrca2.crt
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrca3.crt
wget --no-check-certificate  http://certs.eid.belgium.be/belgiumrca4.crt
# download newest citizen eid certificate:
citizenVERSION=`echo "http://certs.eid.belgium.be/" | wget -O- -i- --no-check-certificate |  hxnormalize -x  |grep citizen|tail -n 1|cut -d"\"" -f2 `
wget --no-check-certificate  http://certs.eid.belgium.be/$citizenVERSION
# download newest foreigner eid certificate:
FOREIGNERVERSION=`echo "http://certs.eid.belgium.be/" | wget -O- -i- --no-check-certificate |  hxnormalize -x  |grep foreigner|tail -n 1|cut -d"\"" -f2 `
wget --no-check-certificate  http://certs.eid.belgium.be/$FOREIGNERVERSION
cd ~/.mozilla/firefox/*.default
certutil -N -d .
certutil -L -d .
# certutil -D -n belgiumrs -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrs -i belgiumrs.crt
certutil -A -n "belgiumrs" -t "TCPuw,TCPuw,TCPuw" -i belgiumrs.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrs2 -i belgiumrs2.crt
certutil -A -n "belgiumrs2" -t "TCPuw,TCPuw,TCPuw" -i belgiumrs2.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrs3 -i belgiumrs3.crt
certutil -A -n "belgiumrs3" -t "TCPuw,TCPuw,TCPuw" -i belgiumrs3.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrs4 -i belgiumrs4.crt
certutil -A -n "belgiumrs4" -t "TCPuw,TCPuw,TCPuw" -i belgiumrs4.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrca -i belgiumrca.crt
certutil -A -n "belgiumrca" -t "TCPuw,TCPuw,TCPuw" -i belgiumrca.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrca2 -i belgiumrca2.crt
certutil -A -n "belgiumrca2" -t "TCPuw,TCPuw,TCPuw" -i belgiumrca2.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "TCPc,TCPc,TCPc" -n belgiumrca3 -i belgiumrca3.crt
certutil -A -n "belgiumrca3" -t "TCPuw,TCPuw,TCPuw" -i belgiumrca3.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n belgiumrca4 -i belgiumrca4.crt
certutil -A -n "belgiumrca4" -t "TCPuw,TCPuw,TCPuw" -i belgiumrca4.crt -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n $citizenVERSION -i $citizenVERSION
certutil -A -n $citizenVERSION -t "TCPuw,TCPuw,TCPuw" -i $citizenVERSION -d .
certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n $FOREIGNERVERSION -i $FOREIGNERVERSION
certutil -A -n $FOREIGNERVERSION -t "TCPuw,TCPuw,TCPuw" -i $FOREIGNERVERSION -d .
sudo mkdir -p /usr/share/ca-certificates/extra
sudo cp *.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates
sudo certutil -d sql:$HOME/.pki/nssdb -A -t "c,T,C" -n ca-certificates.crt  -i /etc/ssl/certs/ca-certificates.crt
certutil -A -n ca-certificates.crt -t "TCPuw,TCPuw,TCPuw" -i /etc/ssl/certs/ca-certificates.crt -d .
certutil -L -d .
cd
# add support for Google Chrome browser (64-bit):
modutil -dbdir sql:.pki/nssdb -add "Belgium eID" -libfile /usr/lib/x86_64-linux-gnu/libbeidpkcs11.so.0
modutil -dbdir sql:.pki/nssdb/ -list
# no eid extensions/addons should be installed in Mozilla Firefox or Google Chrome.

If you want to authenticate on a DIFFERENT site than www.cm.be or test.eid.belgium.be, manually replace the value *.be of the security.ssl.renego_unrestricted_hosts preference in about:config.
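To see afterwards what the script left behind in a profile, the following added example (not part of the original post) reports the TLS-related prefs it writes. The finding labels, the sample file and the "minimum of 3 (TLS 1.2)" threshold are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: report the TLS-related prefs
# that the script above writes, for a given Firefox prefs.js.

# Print the raw value of the last user_pref("NAME", VALUE); line, or nothing.
pref_value() {
    { grep -F "user_pref(\"$2\"," "$1" || true; } | tail -n 1 |
        sed -e 's/^[^,]*,[[:space:]]*//' -e 's/);[[:space:]]*$//'
}

# Print one finding per line; print nothing if none of the prefs is set.
audit_prefs() {
    local f=$1 v
    v=$(pref_value "$f" security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref)
    if [ "$v" = "true" ]; then
        echo "RENEGO_EVERYWHERE unrestricted renegotiation allowed for all hosts"
    fi
    v=$(pref_value "$f" security.ssl.renego_unrestricted_hosts)
    v=${v#\"}; v=${v%\"}
    case $v in
        "")   ;;
        *\**) echo "RENEGO_WILDCARD exemption list uses a wildcard: $v" ;;
        *)    echo "RENEGO_HOSTS exemption list: $v" ;;
    esac
    v=$(pref_value "$f" security.tls.version.min)
    case $v in
        "")       ;;   # not set in this file, Firefox default applies
        \"*)      echo "TLSMIN_TYPE integer pref written as a string: $v" ;;
        *[!0-9]*) echo "TLSMIN_TYPE not an integer: $v" ;;
        *)        # Assumed policy: 3 (TLS 1.2) is the lowest acceptable minimum.
                  if [ "$v" -lt 3 ]; then
                      echo "TLSMIN_LOW minimum is $v (1 = TLS 1.0, 3 = TLS 1.2)"
                  fi ;;
    esac
    return 0
}

# Constructed sample prefs.js, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
user_pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
user_pref("security.ssl.enable_false_start", true);
user_pref("security.ssl.renego_unrestricted_hosts", "*.be");
user_pref("security.tls.version.min", 1);
EOF
audit_prefs "$sample"
```

Point audit_prefs at the prefs.js of the real profile to check it; an empty result means none of the audited prefs is set in that file.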

Download Belgium Root CA, CA2, CA3 and CA4 certificates here:

http://repository.eid.belgium.be/certificates.php?cert=Root&lang=en

Import Belgium Root CA, CA2, CA3 and CA4 certificates into Firefox.

The Belgium Root certificates are required if you want to use the applications of the FSP Finance (Belcotax, Intervat, Finprof, etc.).
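The script above imports whatever certs.eid.belgium.be returns over plain HTTP, including file names scraped from its index page, and the manual download uses an http link as well. An added example (not part of the original post) that gates the import on SHA-256 pins; the pin file name, the demo file contents and citizen-new.crt are assumptions, and real pins have to come from a source other than that server.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: check downloaded certificate
# files against SHA-256 pins before any of them is passed to certutil -A.

# verify_pinned PINFILE CERT...
# PINFILE is in sha256sum format ("<hex digest>  <file name>") and must be
# obtained out of band, not from the same HTTP server as the certificates.
# Prints one status line per file; returns 0 only if every file is pinned and matches.
verify_pinned() {
    local pins=$1 cert want got rc=0
    shift
    for cert in "$@"; do
        want=$(awk -v n="$(basename "$cert")" '$2 == n { print $1; exit }' "$pins")
        if [ -z "$want" ]; then
            # e.g. a file name scraped from the index page that nobody has reviewed
            echo "UNPINNED $cert"; rc=1; continue
        fi
        got=$(sha256sum "$cert" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK $cert"
        else
            echo "MISMATCH $cert"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo with stand-in files; citizen-new.crt is a hypothetical name.
# The pin is computed from the stand-in itself only to keep the demo offline.
demo=$(mktemp -d)
printf 'constructed stand-in, not a real certificate\n' > "$demo/belgiumrca4.crt"
printf 'constructed stand-in for an unreviewed file\n'  > "$demo/citizen-new.crt"
(cd "$demo" && sha256sum belgiumrca4.crt > pins.sha256)
if verify_pinned "$demo/pins.sha256" "$demo"/*.crt; then
    echo "all files pinned and matching: proceed to certutil -A"
else
    echo "refusing to import: at least one file is unpinned or altered"
fi
```

Unlike a plain sha256sum -c run, a file that has no pin at all counts as a failure here.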

Before you begin, make sure your electronic identity card is in the card reader. Then go to following location in Mozilla Firefox browser:

Viewing certificates
For Linux: Go to Edit > Preferences > Advanced > Encryption and click ‘View certificates’.
Check-marking certificates

Find the Belgium Root CA certificate and click the line below the arrow.
Click ‘Edit…’.
Check ALL three boxes.
Click ‘OK’.

Perform the same steps for the CA2, CA3 and CA4 certificates as well.

Ensure that there are absolutely NO add-on EXTENSIONS installed in the Mozilla Firefox and 64-bit Google Chrome web browsers.

The add-on PLUGINS like the Citrix Receiver for Linux, OpenH264 and Shockwave Flash plugins can remain active in Mozilla Firefox, as they do not seem to interfere with the eid card reader.

Test the eid card reader here using the Mozilla Firefox web browser:

http://test.eid.belgium.be/


Comments
  1. mark911 says:

    Automated the configuration of the about:config settings in Mozilla Firefox by adding more bash commands.

  2. mark911 says:

    Added ppa:gertvdijk/opensc-backports to bash script to enable installation of opensc version 0.14.

    More details are here:

    https://launchpad.net/~gertvdijk/+archive/ubuntu/opensc-backports?field.series_filter=trusty

  3. wistef says:

    Thank you very much 🙂

  4. mark911 says:

    Rewrote the procedure for Ubuntu 16.04 LTS 64-bit and added some improvements.

  5. mark911 says:

    Added support for 64-bit Google Chrome browser in Ubuntu 16.04.2 64-bit in last couple of lines in bash shell script.
