PIDXML.pm

About

This Perl module provides a way to validate users with Danish Government OCES certificates. The module uses the XML interface defined in DS-843-2 and supports both the "oracle model" and the "lookup model". Please send modifications, comments and bug reports to thelmer@ruc.dk

Download

Download version 001

Documentation

Features
Missing features

Apache configuration

The simple way is to let Apache or some other web server handle the certificate exchange. We have chosen to use the "SSLVerifyClient optional" directive and then handle a missing client certificate in the login script. This way we can give the user feedback instead of a bare TLS handshake failure.

A cron job should be configured to fetch the revocation list, e.g. hourly. The "TDC OCES CA" certificate revocation list is located at http://crl.oces.certifikat.dk/oces.crl. The revocation list for test certificates issued by "TDC OCES Systemtest CA I" is located at http://rimfakse.certifikat.dk/ocestest.crl. The CRL location is also included in the certificate itself.

Apache requires the CRL to be encoded in PEM format, but TDC distributes the CRL in DER format. Before restarting Apache with the new CRL it must be converted:

"openssl crl -inform DER -in ocestest.crl -out ocesca.crl".

NOTE: In our current running system we have moved the CRL check to the script calling PIDCPR. If you'd like a version of this script, send me a note.

  <VirtualHost signon.xxx.xx:443>
    DocumentRoot "/var/www"
    ServerName signon.xxx.xx
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile    /cert/server.crt
    SSLCertificateKeyFile /cert/server.key
    SSLCACertificateFile  /cert/ocesca.crt
    SSLCARevocationFile   /cert/ocesca.crl
    <Directory "/var/www/oces">
       SSLVerifyClient optional
       SSLOptions +ExportCertData
    </Directory>
  </VirtualHost>
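The hourly CRL job described above, as an added example in Perl that is not part of PIDXML/PIDCPR: it fetches the CRL, converts it to PEM, and goes one step beyond the page by refusing to install a CRL whose signature does not verify against the CA certificate or whose nextUpdate has already passed. The CRL URL and the /cert paths are taken from the page; LWP::Simple, the temporary-file handling and the apachectl reload are assumptions.

```perl
#!/usr/bin/perl -w
# Hypothetical cron job (added example, not code from PIDXML/PIDCPR):
# fetch the OCES CRL, convert DER -> PEM, and only install it if the
# signature verifies against the CA certificate and it is not stale.
use strict;
use LWP::Simple qw(getstore is_success);
use File::Temp qw(tempfile);
use File::Copy qw(copy);
use Time::Local qw(timegm);

my $crl_url = 'http://crl.oces.certifikat.dk/oces.crl';  # CRL URL from the page
my $ca_file = '/cert/ocesca.crt';   # SSLCACertificateFile in the Apache config
my $crl_out = '/cert/ocesca.crl';   # SSLCARevocationFile in the Apache config

my (undef, $der) = tempfile(SUFFIX => '.der', UNLINK => 1);
my (undef, $pem) = tempfile(SUFFIX => '.pem', UNLINK => 1);

is_success(getstore($crl_url, $der)) or die "fetch of $crl_url failed\n";

# TDC ships DER, Apache wants PEM: same conversion as the openssl line above.
system('openssl', 'crl', '-inform', 'DER', '-in', $der,
       '-outform', 'PEM', '-out', $pem) == 0
    or die "DER to PEM conversion failed\n";

# Signature check: openssl crl exits non-zero on "verify failure", so a CRL
# fetched over plain HTTP cannot be replaced by one the CA did not sign.
system('openssl', 'crl', '-in', $pem, '-CAfile', $ca_file, '-noout') == 0
    or die "CRL signature does not verify against $ca_file\n";

# Freshness check: parse "nextUpdate=Jun  5 12:00:00 2024 GMT" into epoch time.
my $line = `openssl crl -in $pem -noout -nextupdate`;
my %mon; @mon{qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec)} = 0 .. 11;
$line =~ /nextUpdate=(\w{3})\s+(\d+)\s+(\d+):(\d+):(\d+)\s+(\d{4})\s+GMT/
    or die "cannot parse nextUpdate: $line";
my $next_update = timegm($5, $4, $3, $2, $mon{$1}, $6);
die "CRL is already past its nextUpdate ($line)" if $next_update <= time;

# Install atomically, then reload Apache so the new CRL takes effect.
copy($pem, "$crl_out.new") or die "cannot write $crl_out.new: $!\n";
rename "$crl_out.new", $crl_out or die "cannot replace $crl_out: $!\n";
system('apachectl', 'graceful') == 0 or warn "apachectl graceful failed\n";
```

If any check fails the script dies before touching /cert/ocesca.crl, so Apache keeps serving with the last good CRL rather than an unsigned or expired one.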

Example

#!/usr/bin/perl -w

use strict;
use CGI qw/:standard/;
use PIDCPR;

my $q = CGI->new;
print $q->header, $q->start_html('Cert login');

# With "SSLOptions +ExportCertData" Apache exports the client's PEM certificate
# in SSL_CLIENT_CERT; with "SSLVerifyClient optional" the variable is absent
# when no certificate was presented, so tell the user instead of failing.
if ( $ENV{'SSL_CLIENT_CERT'} ) { validate() }
   else { print $q->p('No certificate') }
print $q->end_html;

sub validate {
   # Credentials for the PID/CPR service; the URL shown is the test environment.
   my $pidcpr = PIDCPR->new(
	 clientcert => '/cert/logon_to_tdc.pkcs12',
	 clientcertpassword => 'Test1234',
	 serviceid => 'your service number',
	 xmlpidurl => 'https://test.pid.certifikat.dk/pidxml/pid'
	);

   # Look up the PID in the client certificate; status 0 means success.
   my $status = $pidcpr->request( cert => $ENV{'SSL_CLIENT_CERT'} );

   print $q->pre("STATUS    : $status\n");
   print $q->pre("StatusText: ", $pidcpr->getStatusTextDK, "\n");

   # Only a successful lookup yields a CPR number.
   if ($status == 0) {
	print $q->pre("CPR   : ", $pidcpr->getCPR, "\n");
   }
}

Disclaimer

The programs are provided 'as is' without any guarantees or warranty. Although the author has attempted to find and correct any bugs in the software, the author is not responsible for any damage or losses of any kind caused by the use or misuse of the program. The author is under no obligation to provide support, service, corrections, or upgrades to the software.