TLS-CCA not working

[hillar]

TLDR;

We recommend using the TLS-CCA solution in e-services with strict security requirements #ref

Description: The current version of the "osx-installer" repository does not include support for TLS-CCA (TLS client certificate authentication).

What is TLS-CCA? TLS-CCA is a certificate-based authentication method that is useful for services with strict security requirements, such as e-services where state secrets are stored. This method is an alternative to Web eID, which is recommended for general personal identification with an ID-card in e-services.

Why is this important? For high-security environments, TLS-CCA is still a preferred solution. According to the security analysis by Cybernetica AS, while Web eID offers a user-friendly option, TLS-CCA is recommended for e-services with stricter security needs. The current installer package only seems to support the Web eID solution but is missing the important option for TLS-CCA.

Expected Behavior: The installer should include support for TLS-CCA, along with Web eID, to offer users the option to use TLS-CCA for personal identification with ID-cards in high-security e-services.

[metsma]

The current version of the "osx-installer" repository does not include support for TLS-CCA (TLS client certificate authentication).

Where did you get this conclusion?
CTK driver is still installed to computers for this purpose:
https://github.com/open-eid/osx-installer/blob/master/distribution.xml#L71-L73

[hillar]

I came to this conclusion based on my experience while using the installer on macOS Sonoma (version 14). Here's what happened:

I installed the package from id.ee

I tested it with both Safari and Chrome browsers, but neither browser prompted me for a client certificate when trying to authenticate.

The server returned an error during the authentication process.

I then installed OpenSC, and after that, both Safari and Chrome started prompting for a client certificate, and authentication worked correctly.

Based on this behavior, it seems that the package might be missing something that OpenSC provides, which enables TLS-CCA to work properly.

I hope this helps clarify my concern. Please let me know if you need more information or if there's something else I should try.

[metsma]

Seems like the esteid-ctk-tokend extension is not loaded or misbehaves.
There are some debugging hints in readme https://github.com/open-eid/esteid-ctk-tokend.
And /Applications/Utilities/EstEIDTokenApp provides some diagnostic info.
OpenSC provides alternative CTK driver

[hillar]

Additionally, I tried to find more information on TLS-CCA, particularly a public testing page, but I couldn’t locate anything specific. I found some details on the ID.ee website, but it only mentions Web eID and doesn’t provide any guidance on testing TLS-CCA.

[hillar]

I initially looked into this because I’ve been hearing more and more complaints from Mac users saying that the ID-card simply doesn't work, and that the software from RIA is often described as "not working for me TM".

Unfortunately, I don’t have the capacity right now to fully debug the issue or to compare why OpenSC works right out of the box while the EsteID solution does not. However, I did notice that OpenSC was last updated in 2024, whereas EsteID was updated in 2022. This difference in release dates might (or might not) be a factor.