This project is an example ASP.NET web application that shows how to implement strong authentication and digital signing with electronic ID smart cards using Web eID.
More information about the Web eID project is available on the project website.
The ASP.NET web application makes use of the following technologies:
Note that for including the Web eID authentication token validation library as a nuget package you need to have added a Package Source with the following address to the NuGet Package Manager: https://gitlab.com/api/v4/projects/35362906/packages/nuget/index.json
Complete the steps below to run the example application in order to test authentication and digital signing with Web eID.
One crucial step of the Web eID authentication token validation algorithm is verifying the token signature. The value that is signed contains the site origin URL (the URL serving the web application) to protect against man-in-the-middle attacks. Hence the site origin URL must be configured in application settings.
To configure the origin URL, add OriginUrl
field in the application settings file appsettings.json
as follows:
{
"OriginUrl": "https://example.org"
}
Note that the URL must not end with a slash /
.
The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded from .cer
files in the profile-specific subdirectory of the Certificates
resource directory. By default, Estonian eID test CA certificates are included in the Development
profile and production CA certificates in the Production
profile.
In case you need to provide your own CA certificates, add the .cer
files to the src/WebEid.AspNetCore.Example/Certificates/{Dev,Prod}
profile-specific directory.
libdigidocpp
library for signinglibdigidocpp
is a library for creating, signing and verifying digitally signed documents according to XAdES and XML-DSIG standards. It is a C++ library that has SWIG bindings for C#.
Set up the libdigidocpp
library as follows:
libdigidocpp
installation folder include\digidocpp_csharp
to the src\WebEid.AspNetCore.Example\DigiDoc
folder.x64
subfolder of the libdigidocpp
installation folder to the example application build output folder bin\...\net8.0
(after building, see next step). When building custom applications, choose x64
if your application is 64-bit and x86
if it is 32-bit.Development
profile, create an empty file named EE_T.xml
for TSL cache as described in the Using test TSL lists section of the libdigidocpp
wiki.wget https://github.com/web-eid/web-eid-asp-dotnet-example/raw/main/src/ria_public_key.gpg
cp ria_public_key.gpg /usr/share/keyrings/ria-repository.gpg
echo "deb [signed-by=/usr/share/keyrings/ria-repository.gpg] https://installer.id.ee/media/ubuntu/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/ria-repository.list
apt update
apt install -y --no-install-recommends libdigidocpp-csharp
Navigate to the src
directory:
cd src
Copy the necessary DigiDoc C# library files into your project:
cp /usr/include/digidocpp_csharp/* WebEid.AspNetCore.Example/DigiDoc/
/Library/libdigidocpp/include/digidocpp_csharp
directory to src/WebEid.AspNetCore.Example/DigiDoc
directory.src/WebEid.AspNetCore.Example/bin/.../net8.0
directory and create symbolic link to /Library/libdigidocpp/lib/libdigidoc_csharp.dylib
library:
ln -s /Library/libdigidocpp/lib/libdigidoc_csharp.dylib
Further information is available in the libdigidocpp example C# application source code and in the libdigidocpp
Wiki.
You need to have the .NET 6.0 SDK installed for building the application package.
Build the application by running the following command in a terminal window under the src
directory:
dotnet build
Development
or Production
profileIf you have a test eID card, use the Development
profile. In this case access to paid services is not required, but you need to upload the authentication and signing certificates of the test card to the test OCSP responder database as described in section Using DigiDoc4j in test mode with the dev
profile of the Web eID Java example application documentation. TheDevelopment
profile is activated by default.
If you only have a production eID card, i.e. an eID card issued to a real person or organization, use the Production
profile. You can still test authentication without further configuration; however, for digital signing to work, you need access to a paid timestamping service as described in section Using DigiDoc4j in production mode with the prod
profile of the Web eID Java example documentation.
You can specify the profile as an environment variable ASPNETCORE_ENVIRONMENT
when running the application. To set the profile for the current session before starting the app using dotnet run
, use the following command:
set ASPNETCORE_ENVIRONMENT=Production
Run the application with the following command in a terminal window under the src
directory:
dotnet run --project WebEid.AspNetCore.Example
This will activate the default Development
profile and launch the built-in kestrel
web server on HTTPS port 5001.
When the application has started, open https://localhost:5001 in your preferred web browser and follow instructions on the front page.
The src\WebEid.AspNetCore.Example
directory contains the ASP.NET application source code and resources. The subdirectories therein have the following purpose:
wwwroot
: web server static content, including CSS and JavaScript files,Certificates
: CA certificates in profile-specific subdirectories,Controllers
: ASP.NET MVC controller for the welcome page and Web API controllers that provide endpoints for
DigiDoc
: contains the C# binding files of the libdigidocpp
library; these files must be copied from the libdigidocpp
installation directory \include\digidocpp_csharp
,Pages
: Razor pages,Services
: Web eID signing service implementation that uses libdigidocpp
.See the Web eID Java example application documentation for more information, including answers to questions not answered below.
System.ApplicationException: Failed to verify OCSP Responder certificate
error during signing?You are running in the Development
profile, but you have not created an empty file named EE_T.xml
for TSL cache. Creating the file is mandatory and is described in more detail in the Using test TSL lists section of the libdigidocpp
wiki.
System.BadImageFormatException: An attempt was made to load a program with an incorrect format
error during signing?You are using libdigidocpp
DLLs for the wrong architecture. Copy files from the x64
subfolder of the libdigidocpp
installation folder to right place as described in the section 3. Setup the libdigidocpp
library for signing above. In case you get this error while developing a custom 32-bit application, copy files from the x86
subfolder instead.
This section covers the steps required to build the application on an Ubuntu Linux environment and run it using Docker.
Before you begin, ensure you have the following installed on your system:
You can install them using the following command:
sudo apt install dotnet-sdk-7.0 libdigidocpp-csharp
Note: Before installing libdigidocpp-csharp
you have to have added the RIA repository as a package source. See For Ubuntu Linux section for information.
To build the application, follow these steps:
Navigate to the src
directory:
cd src
Copy the necessary DigiDoc C# library files into your project:
cp /usr/include/digidocpp_csharp/* WebEid.AspNetCore.Example/DigiDoc/
Publish the application with the Release configuration:
dotnet publish --configuration Release WebEid.AspNetCore.Example.sln
Update the OriginUrl
in the appsettings.json
to match your production environment:
sed -i 's#"OriginUrl": "https://localhost:44391"#"OriginUrl": "https://example.com"#' WebEid.AspNetCore.Example/bin/Release/net6.0/publish/appsettings.json
After successfully building the application, you can create a Docker image:
docker build -t web-eid-asp-dotnet-example .
This command builds a Docker image named web-eid-asp-dotnet-example
using the Dockerfile
in the current directory.
To enable HTTPS support for the .NET application, you have two primary options:
Directly configure Kestrel to use HTTPS by setting up the necessary certificate information in the app's configuration files. This method is detailed in the ASP.NET Core documentation.
Employ a reverse proxy that manages TLS termination and forwards requests to the application over HTTP. This is a common pattern in production environments due to its flexibility.
In this project, we assume the application is running behind a reverse proxy.
First, the proxy server must pass the Host:
line from the incoming request to the proxied application and set the X-Forwarded-*
headers to inform the application that it runs behind a reverse proxy. Here is example configuration for the Apache web server:
<Location />
ProxyPreserveHost On
ProxyPass http://localhost:8480/
ProxyPassReverse http://localhost:8480/
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
</Location>
Next, the .NET application must be configured to recognize and honor the X-Forwarded-*
headers. This can be done by configuring the Forwarded Headers middleware in Startup.cs
:
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
});
By default, this middleware is already enabled in the application.
A Docker Compose configuration file docker-compose.yml
is available in the src
directory for running the Docker image web-eid-asp-dotnet-example
on port 8480 behind a reverse proxy.