Lithuanian Electronic Identity Card
Lithuanian identity cards are also smart cards equipped with digital signature capabilities. There’s software provided for Windows, macOS and Linux systems. I mostly care about its usability with Linux - so this whole doc is dedicated to this topic.
Linux Software
Available here, produced by Softemia LT, UAB. The Linux version is
packaged as .deb. Presumably it primarily targets Ubuntu Linux due to its
popularity. My personal preference is Fedora Linux, so some things here may
be Fedora-specific.
Package contents:
- /bin/mcard-toolbox - desktop application to do initial PACE auth, view card details, download authentication and signature certificates.
- /lib/mcard-pkcs11.so - PKCS #11 module.
Not listed here: miscellaneous stuff like icons, shortcuts, license information.
Since I’m on Fedora Linux - I had to manually extract and copy files into my system.
Desktop application starts minimized in the tray.
When a card is present and after entering the CAN (Card Access Number – a 6-digit number printed on the right bottom corner of the front side of the document) you should see something like this:

For reasons which I’ll describe later it can be unreliable, and you might need to pull the card or reader multiple times. It may freeze / become unresponsive (screenshot).
Linux app logs and other storage
App keeps logs and some settings in ~/.mcard folder. The files are:
- log-toolbox.txt - desktop app logs.
- log-pkcs11.txt - logs of card use via PKCS #11 module.
- mcard_history.txt - INI file that keeps a list of seen cards and their CANs in some encrypted or obfuscated form.
Making Firefox aware of mcard PKCS #11 module for signing in
Let’s first start with a little bit of confusing information. Signing in with “identity card and card reader” may refer to two slightly different mechanisms:
- Using Dokobit browser extension - I’m yet to fully explore this. Example site: https://www.epaslaugos.lt/ (screenshot of login page).
- Straight SSL client certificate connection. Example site: https://www.registrucentras.lt/ via www.ipasas.lt (screenshot of login page).
Out of the box, if we try to sign in to https://www.registrucentras.lt/ we get an error:

Reason being: Firefox is not aware of the new /lib/mcard-pkcs11.so module. If we go to Settings » Privacy & Security » Security Devices… we will see:

We can click Load and manually add it by populating name with anything descriptive and module filename with /usr/lib/mcard-pkcs11.so.

This is where trouble starts. Firefox becomes unresponsive:

If we wait a little:

The module is added, but when switching back and forth between details of different modules Firefox becomes unresponsive. And regardless of whether the card is inserted or not, the status is always Not Present. The log file ~/.mcard/log-pkcs11.txt is full of messages about card connection failures.
As far as I understand there’s some issue with the PKCS #11 module implementation. I’ve seen these in action with older revision made by PWPW S.A. card and software. I’ve also played with OpenPGP card.
Currently my best guess why it doesn’t work - /usr/lib/mcard-pkcs11.so tries to read card directly, while desktop application is also accessing the card at the same time.
Alternative way to load mcard PKCS #11 module
To make PKCS #11 modules discoverable Fedora and other distros are now using p11-kit. Here’s a guideline page: https://docs.fedoraproject.org/en-US/packaging-guidelines/Pkcs11Support/.
Let’s start with inspecting available tokens:

For p11-kit to be aware of mcard-pkcs11.so we’ll have to create module config file:
mkdir -p ~/.config/pkcs11/modules
echo "module: /usr/lib/mcard-pkcs11.so" > ~/.config/pkcs11/modules/mcard.module
p11-tool now kinda chokes/gets stuck depending on card reader/card status. After some attempts of inserting/removing card, disconnecting reader, quitting mcard desktop app I eventually get:

Firefox starts listing (and choking on) the module again, but under p11-kit-proxy:

And I’m still unable to make Firefox see the inserted card. And what’s even worse - the mcard pkcs module is now available system wide. So all the software enumerating PKCS tokens gets blocked by it. It’s usually fine while the card is not inserted. As soon as the card is inserted - all kinds of hell break loose, e.g. I can’t even reliably open the weather widget.
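One way to contain the side effect described above, as an added example (not from the original notes or from the vendor): p11-kit module configs accept an `enable-in:` list of process names, so the module can be limited to Firefox instead of every program that enumerates tokens. The function names, the script name `scope-mcard.sh` and the process name `firefox` are assumptions; the module path is the one used on this page.

```shell
#!/bin/sh
# Added example: restrict the mcard PKCS #11 module to named programs.

# Write a p11-kit module config that only the listed programs will load.
#   $1 = directory holding *.module files (per-user: ~/.config/pkcs11/modules)
#   $2 = absolute module path (on this page: /usr/lib/mcard-pkcs11.so)
#   $3 = comma-separated process names (assumption: Firefox runs as "firefox")
write_scoped_module() {
    dir=$1 module=$2 programs=$3
    case $module in
        /*) ;;
        *) echo "module path must be absolute: $module" >&2; return 2 ;;
    esac
    # Refuse an empty list: the point is to name the programs explicitly.
    [ -n "$programs" ] || { echo "no programs given, refusing" >&2; return 2; }
    mkdir -p "$dir" || return 1
    printf 'module: %s\nenable-in: %s\n' "$module" "$programs" \
        > "$dir/mcard.module"
}

# List modules as p11-kit sees them, giving up after $1 seconds (default 10)
# so a stuck module cannot hang the shell. Returns 124 on timeout and 127
# when p11-kit is not installed.
probe_modules() {
    command -v p11-kit >/dev/null 2>&1 || return 127
    timeout "${1:-10}" p11-kit list-modules
}

# Run as "sh scope-mcard.sh apply" (hypothetical file name) to write the
# config and check the result. The probe runs as process "p11-kit", which is
# not in the enable-in list, so the mcard module is expected to be absent
# from its output.
if [ "${1:-}" = apply ]; then
    write_scoped_module "$HOME/.config/pkcs11/modules" \
        /usr/lib/mcard-pkcs11.so firefox || exit 1
    probe_modules 10
fi
```

This only narrows which programs load the module; it does not change how the module itself behaves inside Firefox.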
Conclusion
For now it looks to be unusable. Note that I’ve tried the same thing inside a virtual machine on Ubuntu 24.04 - same poor experience.
Links
- https://nullroute.lt/~grawity/pki-in-lithuania.html - similar notes collection by someone else.