Giter Club home page Giter Club logo

puzi-python's Introduction

pUZI logo

pUZI python

Python application

Proficient UZI pass reader in python, based on work by Anne Jan: https://github.com/minvws/pUZI-php

The UZI card is part of an authentication mechanism for medical staff and doctors working in the Netherlands. The cards are distributed by the CIBG. More information and the relevant client software can be found at www.uziregister.nl (in Dutch).

pUZI is a simple and functional module which allows you to use the UZI cards as authentication mechanism. It consists of:

  1. a reader that reads the data on the card and gives an UziUser object in return (this repository).

pUZI is available under the EU PL licence. It was created early 2021 during the COVID19 campaign as part of the vaccination registration project BRBA for the ‘Ministerie van Volksgezondheid, Welzijn & Sport, programma Realisatie Digitale Ondersteuning.’

Questions and contributions are welcome via GitHub.

See www.Uziregister.nl for the documentation, software and application form for the UZI card.

Requirements

  • python >= 3.6

Apache config (or NginX equivalent):

SSLEngine on
SSLProtocol -all +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLVerifyClient require
SSLVerifyDepth 3
SSLCACertificateFile /path/to/uziCA.crt
SSLOptions +StdEnvVars +ExportCertData

Installation

pip install pUzi

Usage

from uzireader.uzipassuser import UziPassUser
uzipas = UziPassUser(env['SSL_CLIENT_VERIFY'], env['SSL_CLIENT_CERT'])
print(uzipas)
{"givenName": "john", "surName": "doe-11111111", "OidCa": "2.16.528.1.1003.1.3.5.5.2", "UziVersion": "1", "UziNumber": "11111111", "CardType": "N", "SubscriberNumber": "90000111", "Role": "01.015", "AgbCode": "00000000"}

Uses

Python cryptography Library

Contributing

  1. Fork the Project

  2. Ensure you have the requirements and Black installed

    pip3 install -r requirements.txt
pip3 install black

  3. Create a Feature Branch

  4. Run tests

    cd tests/certs 
./generate_mock_certs.sh
cd -
python3 -m unittest

  5. (Recommended) Check whether your code conforms to our Coding Standards by running black on your changed files

    black .

  6. Send us a Pull Request

pUZI

puzi-python's People

Contributors

annejan avatar nicktencate avatar rafaeltheraven avatar sigio avatar underdarknl avatar

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

annejan rafaeltheraven

puzi-python's Issues

Working Nginx configuration for Safari?

With nginx/1.21.6 running with OpenSSL 1.1.1n (Linux) I am unable to get a working configuration that supports Safari (v15.4 on macOS v12.3.1).

A default Nginx configuration that requires TEST Zorg CSP Root CA G3 as client certificate with ssl_verify_client on and ssl_verify_depth 3 works properly with Chrome and Firefox, but Safari fails to establish a secure connection to the server.

Nginx reports the error: SSL_do_handshake() failed (SSL: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback) while SSL handshaking.

This can be reproduced in isolation from Nginx with openssl s_server:

openssl s_server -key key.pem -cert cert.pem \
                 -accept 3000 -www -Verify 3 \
                 -CAfile test_zorg_csp_root_ca_g3.pem \
                 -tls1_2 -debug

Firefox and Chrome will ask for the certificate and PIN and show a proper response when connecting to https://localhost:3000, but Safari shows an error after asking for the client certificate. The error log from openssl s_server shows:

140184936240448:error:14209102:SSLroutines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1685:

Using openssl s_server with LibreSSL instead of OpenSSL works, but only for LibreSSL 2.8.3 and LibreSSL 2.9.0. LibreSSL is currently the default on macOS, so it was a bit of a coincidence to notice this working. This version of LibreSSL also works on Ubuntu but the latest release LibreSSL 3.5.1 shows the same problem as OpenSSL with Safari.

Although this is not directly related to this particular repository, it would be helpful to have an example of a working Nginx configuration that support all major browsers to get started with UZI card authentication.

Windows certificate selection dialog

When a Windows computer is used by multiple people, the operating system remembers previously used certificates. Browsers (Chrome, Edge and Firefox) ask the user to select a certificate to verify their identity.

image

Of course, only one certificate corresponds to the UZI card that is currently in the smart card reader, and users need to enter their PIN to prove it is theirs, but from a usability perspective this is rather inconvenient.

Are their ways to circumvent this dialog? On macOS the user is only asked to confirm the UZI card that is actually in the reader, which is much more user friendly.

This is not specific to the implementation in this repository, but applies to all websites accepting UZI cards via client certificate authentication.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.