Spanish DNIe

About Spanish DNIe

Documento Nacional de Identidad electrónico is the Spanish eID. It is in line with the EU directive on electronic ID, and it is a “smart” identity card with a chip containing certificates for authentication and digital signature, similar to Estonian ID-kaart, Belgian .beid and many others. The cards are issued to Spanish citizens and can of course be used for regular “real world” authentication, but in order to use it electronically the subject must physically go to a passport issuing police station where he/she can activate the chip on the card using a self service kiosk, “Punto de actualicaćion del DNIe” (“activation point for the DNIe”, see image).

The end user portal for information on DNIe is located at http://usatudni.es/dnie/ (“Usa tu DNIe” means “Use your DNIe”). The site contains information regarding what DNIe is, how to use it and where you can use it. There is no central support organization where you can ask for help with your DNIe. When assisting end users with their DNIe problems, please refer to http://zonatic.usatudni.es/aplicaciones/asistente-dnie.html which provides software downloads and also a client executable which can be downloaded and used to verify the certificates of a DNIe card.

Authentication

DNIe authentication is implemented using bilateral SSL, meaning that the user requests a protected resource with Signicat which can only be accessed if a DNIe client certificate is attached to the request. This will trigger built-in browser functionality to search the computer for a smartcard/certificate, and the user enters a PIN or password to unlock the certificate. DNIe authentication requires that smartcard drivers for the reader and DNIe card are present on the computer.

Signature

The flow through the signature module is visualized in the following figure:

Signed document format

The result of the signing process is an XMLDSig:

<?xml version="1.0" encoding="UTF-8"?>
<DniSignedDocument xmlns="https://id.signicat.com/definitions/xsd/DniSignedDocument-1.0">
    <SignersDocument>
        <Description>Important contract</Description>
        <MimeType>application/pdf</MimeType>
        <SignatureInitializationTime>2013-12-13T21:15:31.642+01:00</SignatureInitializationTime>
        <DocumentData>SmlwcGksIHlvdSBkZWNvZGVkIHRoZSBkb2N1bWVudCBkYXRh....</DocumentData>
    </SignersDocument>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>SGVyZSdzIHRoZSBEaWdlc3RWYWx1ZQ==....</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Tm90IGJhZCwgeW91IGRlY29kZWQgdGhlIFNpZ25hdHVyZVZhbHVl....</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>WWV5LCB5b3UgZGVjb2RlZCB0aGUgY2xpZW50IGNlcnRpZmljYXRl....</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
</DniSignedDocument>

Monitoring

You may ask support@signicat.com to set up a “Health” module for you. You may use the health module to inspect the state of the service at any time, or you may choose to set up automatic monitoring. For the user interface, please visit http://demo.signicat.com and choose the “Health” option. If you remove the format=html parameter then you will receive a JSON representation of the same data, suitable for consumption by your own monitoring service.

Certificates

Production

The entry point for technical information regarding DNIe is http://www.dnielectronico.es. The material is available in Spanish only. This is also where the certificates belonging to the DNIe certificate hierarchy are downloaded, and where specifications etc. are found. See also politicas_de_certificacion (in spanish).

The following illustrates the certificate hierarchy for DNIe:

AC stands for Autoridad de Certificación which obviously means Certificate Authority. “Raiz” is Spanish for “root”.

The figure illustrates that AC RAIZ has issued three intermediate CA certificates numbered accordingly. All of the intermediate certificates are used to issue client certificates to subjects. In addition, the 001 intermediate certificate is the issuer of the OCSP responder certificate. The OCSP certificate is issued to FNMT (Fábrica Nacional de Moneda y Timbre, “National producer of money and stamps”).

Graphical customization

You may refer to graphical adjustments and customization to get a basic understanding of graphical profiles in the Signicat pipeline. The following is the minimum required for a graphical profile that is to be used with DNIe:

Minimal graphical profile

<!DOCTYPE HTML>
<html>
    <head>
        #HEADER LINKS GOES HERE#
    </head>
    <body>
        #DYNAMIC CONTENT GOES HERE#
    </body>
</html>

If you would like to customize your graphical profile, then there are a few special considerations to note when it comes to DNIe:

Authentication profile

You may choose to run the authentication process in an iframe in order to seamlessly integrate it with your website. You may also create a simple graphical profile to wrap the DNIe authentication. You are required to use an HTML5 doctype declaration, and you may use HTML and CSS but no javascript. An example of a customization can be seen in the following figure:

This is the HTML graphical profile which was used to create that look:

Profile suitable for authentication

<!DOCTYPE HTML>
<html>
    <head>
    #HEADER LINKS GOES HERE#
    <style>
        body { background: url('https://dev01.signicat.com/std/resource/nbidmobile/maskros.jpg') no-repeat center center fixed; background-size: cover; }
        h1 { color: white; font-size: 36px; font-family: sans-serif; }
        .box { width: 500px; margin: 0 auto; }
        .customer-logo { margin-top: 30px; margin-bottom: 10px; }
        .customer { margin-top: 20px auto; box-shadow: 2px 2px 8px 2px #333; }
    </style>
    </head>
    <body>
        <div class="box customer-logo">
            <h1>My company</h1>
        </div>
        <div class="box customer">
            #DYNAMIC CONTENT GOES HERE#
        </div>
    </body>
</html>

Signature profile

You may not wrap the PDF document viewer itself in your graphical profile. If you wish to achieve such an effect, you need to run the Signicat process in an iframe. If you would like, you may add custom graphics to the dialog box which contains the signature process, illustrated in the following figure:

To include your own branding or graphics in the graphical profile for DNIe signature, you may request to have the dialog box size set to any size you would like, and you may then add customizations to the graphical profile for DNIe signatures. In the figure above, the iframe has been extended to be 542×432 pixels, and the following HTML is used for the content in the dialog box:

Profile suitable for signatures

<!DOCTYPE HTML>
<html>
    <head>
    #HEADER LINKS GOES HERE#
        <style>
            body { background: white; }
            h1 { font-family: sans-serif; font-style: italic; }
            .box { width: 500px; margin: 0 auto; }
            .customer-logo { margin-top: 10px; text-align: right; }
            .customer-logo > img { height: 30px; }
            .customer { margin-top: 20px; }
        </style>
    </head>
    <body>
      <div class="box customer">
        #DYNAMIC CONTENT GOES HERE#
      </div>
      <div class="box customer-logo">
        <h1>My company</h1>
      </div>
    </body>
</html>

Graphical profiles will need to be maintained and tested by yourself. You may request changes and asset uploads and deployment at any time by contacting support@signicat.com.

Production

Testing your production certificates

When you have your own configuration on Id.Signicat, you may test your merchant certificate for production. The test must be carried out by authenticating real users, or signing documents on your configuration for production.

Screenshots

Authentication

Upon entering the method, the end user will see the following screen:

The heading translates to “Please insert your DNIe in the card reader”. The links say “Help” and “Cancel”, and the green button says “Continue”. The end user clicks the continue button, upon which an attempt is made to try and load the protected resource from Signicat servers. This will trigger built-in functionality in the browser to prompt the user for a certificate and a PIN-code, during which time the following screen is shown in the background:

“Please wait, establishing communication with your DNIe.”

If the process is unsuccessful for any reason, then the user is presented with a final screen:

“Authentication error. You need to restart your browser if you would like to try again. Sorry about the inconvenience.” (This is one of the downsides of 2-way SSL…) When the user now hits the continue button (or the cancel link), the end user is sent to target with the following SAML response:

If the process is successful and the certificate is determined to be valid, the end user obviously won’t see the “authentication failed”-screen, but will instead be sent to target along with the SAML response.

Signing

When the signature process is started, the user is presented with information on how to proceed. The PDF-document is visible in the background throughout the whole signature process:

Clicking continue brings the PDF-document to the foreground:

The user can read, zoom in/out and download the document before continuing the signature process. Clicking the sign button brings up a view instructing the user to insert the DNIe card into the card reader:

Detection of Java starts when the user clicks the continue button. The user is free to click the cancel link to bring the PDF-document to the foreground again.

If Java cannot be found the user is presented with a link to download the latest version:

If the Java version is too low (compared to what’s configured by us), the user is notified:

If Java is found and the version is found to be OK, the applet is loaded. The applet will not be visible to the end user, but is needed for communication with the smart card.

After loading the applet, the applet will try to communicate with the smart card to get hold of the certificates:

If the user did not install the drivers needed for Linux/OS X (see separate section), the signature process will fail.

If the drivers are found, but not reachable by the applet due to browser sandboxing, the following view is displayed:

This is a known issue in Safari on OS X, which by default prevents plugins (in this case applets) from gaining access to system resources, such as files.

If the drivers are found, but the card cannot be found, the user is notified and given a chance to try again (e.g. if the card was not inserted correctly the first time):

If the card can be read, a view with all non-repudiation certificates is displayed. By default no certificate is selected:

The user has to actively select one to be able to continue. Selecting a certificate from the drop-down menu brings up the following information about the certificate: subjectissuer,validity periodkey usage and serial number:

A test card from ESTEID was used in the example above. Unfortunately there’s no such thing as DNIe test cards.

Selecting a certificate and clicking the continue button brings up the confirmation view. This view comes in two variations, based on the operating system of the user.

Users running Linux/OS X are asked to provide the password/PIN before continuing:

By clicking the sign button, the user confirm that he/she has read and understood the document.

If the password/PIN is incorrect, the user is notified:

Users running Windows will not need to input the password/PIN prior to clicking the sign button:

This is because Windows takes care of the password/PIN input. The PIN popup is displayed after the user clicks the sign button:

This popup also takes care of notifying the user if the password/PIN was incorrect:

If everything goes well, the document gets signed and sent to the server. The user is then presented with a final view with the option to complete the signature process by pressing the continue button:

If something goes wrong during any of the steps in the signature process, the error is reported back to the server (if it was client-side) and a generic failure view is displayed:

Upon clicking the continue button, the process will be aborted.

Test information

Please note that there is no test infrastructure for DNIe. There are no test certificates, no test OCSP responders and no PKI infrastructure for testing at all. Still, Signicat may have DNIe set up for you in the test environment at preprod.signicat.com, but it will have to be configured to use production certificates. Obviously, this means that production DNIe certificates must be used for testing the service.

If you don’t have access to production DNIe certificates, then the service may be set up to use smartcards belonging to another CA infrastructure (such as the Estonian) that provide test cards. Please contact support@signicat.com for more information regarding the possibilities for custom test infrastructures.

Help > ayuda > ajuda

Más información | Més informació | More information

http://usatudni.es/dnie/

http://www.dnielectronico.es/

Requerimientos | Requeriments | Requirements

Windows

Java : Version 1.6.0 or above

Browsers: Chrome, Firefox, Internet Explorer 9 or newer

Linux

Java: Version 1.6.0 or above

Browsers: Chrome, Firefox

Other: OpenSC 0.13 or above

More information:

Mac OS X

Java: Version 1.6.0 or above

Browsers: Firefox, Safari

Other: OpenSC 0.13 or above

More information:

 

Java settings in Safari:

If you are a Mac OS X user, please prefer the Firefox browser to access this service. You may also choose to use the Safari browser, but in order to do so you are required to allow the applet to run in “unsafe mode”, which means that the service has access to your local machine. This is required in order to communicate with the smartcard. See the following screenshots for information regarding how to enable Safari to use this service.

Castellano

Catalan

English

Spanish DNIe support

Bank Support tel. Support Support e-mail Website homepage
oficinatecnica@dnielectronico.es http://www.dnielectronico.es/

Requirements

General requirements:

  • Java – version 1.6.0 or higher
  • Browser – Chrome, Firefox, Safari, IE9+. Internet Explorer 8 and below is unsupported.

Smart card software:

The signature applet uses different mechanisms to communicate with the smart card depending on the end user’s operating system

Operating system Software Description
Windows Nothing needs to be installed by the user. Microsoft Crypto API (MSCAPI) is used, which installs DNIe drivers automatically. Documentation can be found at http://www.dnielectronico.es/descargas/windows.html.
Linux / Mac OS X OpenDNIe Installation packages and instructions can be found at http://www.dnielectronico.es/descargas/PKCS11_para_Sistemas_Unix/index.html. Some Linux distros have packages for OpenDNIe in their package repository. An example is some Ubuntu versions, where installation can be done by executing “sudo apt-get install opensc-dnie”.
OpenSC version 0.13+ Alternative to OpenDNIe. Support for DNIe is available in version 0.13 and above.

It’s important that OpenDNIe/OpenSC is installed with the same architecture (32bit/64bit) as the Java browser plugin. If not, the signature process will fail.

Language support

DNIe supports Spanish (Castellano), Catalan and English. The transactions can be started in any language and additionally it is possible for the end user to switch between different languages at runtime.

If you would like to change the texts in the authentication or signature processes, you may ask support@signicat.com to set up a localization module for you which can be used to translate the texts.