index.html

<!DOCTYPE html>
<html lang="en" data-bs-theme="light">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <meta name="description" content="None">
        
        
        <link rel="shortcut icon" href="img/favicon.ico">
        <title>Architecture of ID-software</title>
        <link href="css/bootstrap.min.css" rel="stylesheet">
        <link href="css/fontawesome.min.css" rel="stylesheet">
        <link href="css/brands.min.css" rel="stylesheet">
        <link href="css/solid.min.css" rel="stylesheet">
        <link href="css/v4-font-face.min.css" rel="stylesheet">
        <link href="css/base.css" rel="stylesheet">
        <link id="hljs-light" rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github.min.css" >
        <link id="hljs-dark" rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/styles/github-dark.min.css" disabled>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.8.0/highlight.min.js"></script>
        <script>hljs.highlightAll();</script> 
    </head>

    <body class="homepage">
        <div class="navbar fixed-top navbar-expand-lg navbar-dark bg-primary">
            <div class="container">
                <a class="navbar-brand" href=".">Architecture of ID-software</a>

                <!-- Expanded navigation -->
                <div id="navbar-collapse" class="navbar-collapse collapse">

                    <ul class="nav navbar-nav ms-md-auto">
                        <li class="nav-item">
                            <a href="#" class="nav-link" data-bs-toggle="modal" data-bs-target="#mkdocs_search_modal">
                                <i class="fa fa-search"></i> Search
                            </a>
                        </li>
                    </ul>
                </div>
            </div>
        </div>

        <div class="container">
            <div class="row">
                    <div class="col-md-3"><div class="navbar-expand-md bs-sidebar hidden-print affix" role="complementary">
    <div class="navbar-header">
        <button type="button" class="navbar-toggler collapsed" data-bs-toggle="collapse" data-bs-target="#toc-collapse" title="Table of Contents">
            <span class="fa fa-angle-down"></span>
        </button>
    </div>

    
    <div id="toc-collapse" class="navbar-collapse collapse card bg-body-tertiary">
        <ul class="nav flex-column">
            
            <li class="nav-item" data-bs-level="1"><a href="#architecture-of-id-software" class="nav-link">ARCHITECTURE OF ID-SOFTWARE</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            
            <li class="nav-item" data-bs-level="1"><a href="#introduction" class="nav-link">Introduction</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            
            <li class="nav-item" data-bs-level="1"><a href="#background" class="nav-link">Background</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            
            <li class="nav-item" data-bs-level="1"><a href="#component-model" class="nav-link">Component model</a>
              <ul class="nav flex-column">
            <li class="nav-item" data-bs-level="2"><a href="#desktop-applications" class="nav-link">Desktop applications</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#mobile-applications" class="nav-link">Mobile applications</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#software-libraries" class="nav-link">Software libraries</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#web-components" class="nav-link">Web components</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#drivers" class="nav-link">Drivers</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#updating-mechanisms" class="nav-link">Updating mechanisms</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#central-configuration-service" class="nav-link">Central configuration service</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#interfaces-with-external-services" class="nav-link">Interfaces with external services</a>
              <ul class="nav flex-column">
              </ul>
            </li>
              </ul>
            </li>
            
            <li class="nav-item" data-bs-level="1"><a href="#deployment-model" class="nav-link">Deployment model</a>
              <ul class="nav flex-column">
            <li class="nav-item" data-bs-level="2"><a href="#signing-in-web-browser" class="nav-link">Signing in web browser</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#signing-with-digidoc4" class="nav-link">Signing with DigiDoc4</a>
              <ul class="nav flex-column">
              </ul>
            </li>
            <li class="nav-item" data-bs-level="2"><a href="#signing-with-ria-digidoc" class="nav-link">Signing with RIA DigiDoc</a>
              <ul class="nav flex-column">
              </ul>
            </li>
              </ul>
            </li>
        </ul>
    </div>
</div></div>
                    <div class="col-md-9" role="main">

<h1 id="architecture-of-id-software">ARCHITECTURE OF ID-SOFTWARE</h1>
<p>Document version: 2.8<br />
Software version: 24.09<br />
Last updated: 23.9.2024  </p>
<h1 id="introduction">Introduction</h1>
<p>The purpose of this document is to describe the architecture of ID-software.</p>
<p><strong>ID-software</strong> is a collection of software components offering support for PKI-based functionality, i.e. operations with different cryptographic tokens (e.g. eID cards), handling digitally signed documents, file encryption/decryption and signing and authentication in web environment. The ID-software comprises end-user applications, software libraries, web components, drivers for communicating with the cryptographic tokens and other complementary components.</p>
<p>Main sources for information about ID-software are <a href="https://www.id.ee/en/">www.id.ee</a>, <a href="https://github.com/open-eid">Open-EID GitHub repository</a> and <a href="https://github.com/web-eid">Web-eID GitHub repository</a>.</p>
<p>This document covers description of ID-software and its components, their deployment in different environments, provided and required interfaces. The document does not include components that have reached the end of their support nor the components that have not yet been released.</p>
<p>The document is based on the latest released state of the ID-software components. At the time of writing, the latest released version of ID-software is <strong>version 24.09</strong>. Latest version numbers of the various ID-software components are provided at <a href="https://www.id.ee/en/article/information-on-the-latest-software-versions/">https://www.id.ee/en/article/information-on-the-latest-software-versions/</a>.</p>
<p>The document is targeted for:</p>
<ul>
<li>Owners/managers of the software;</li>
<li>Contractors;</li>
<li>Contributors interested in developing ad-hoc solutions;</li>
<li>Integrators/software developers interested in integrating the software with third-party information systems;</li>
<li>International audience – contributors/integrators from countries other than Estonia who wish to use the software internationally and/or contribute in its development.</li>
</ul>
<h1 id="background">Background</h1>
<p><strong>Estonian Information System Authority</strong> (RIA, <a href="https://www.ria.ee/en.html">https://www.ria.ee/en.html</a>) is the main owner/manager of the ID-software.  </p>
<p>The software is being developed and tested by:  </p>
<ul>
<li><strong>RaulWalter</strong> (RW, <a href="https://www.raulwalter.com">https://www.raulwalter.com</a>) as the main contractor during 2019-2024;  </li>
<li><strong>Nortal</strong> (<a href="https://nortal.com">https://nortal.com</a>) during 2019-2024;  </li>
<li><strong>TTT</strong> (<a href="https://www.testijad.ee">https://www.testijad.ee</a>) during 2019-2024;  </li>
<li>SK ID Solutions (SK, <a href="https://www.skidsolutions.eu/en">https://www.skidsolutions.eu/en</a>);  </li>
<li>Aktors (<a href="http://www.aktors.ee/wp/">http://www.aktors.ee/wp/</a>);  </li>
<li>CGI Estonia (<a href="https://www.cgi.ee/et">https://www.cgi.ee/et</a>).</li>
</ul>
<p>Development of ID-software has been mainly done in Estonia, however, the ID-software is released for international usage.
The software is distributed open-source (mainly under LGPL/BSD/MIT licence) and is accessible from the following locations:</p>
<ul>
<li>GitHub repository for the source code, wiki documentation, beta and (optionally) production versions of binary packages: <a href="https://github.com/open-eid">https://github.com/open-eid</a> and <a href="https://github.com/web-eid">https://github.com/web-eid</a>.</li>
<li>Release repository for production versions of binaries: <a href="https://www.id.ee/en/article/install-id-software/">https://www.id.ee/en/article/install-id-software/</a></li>
</ul>
<p>ID-software components can be logically divided in the following groups:</p>
<ul>
<li><strong>Desktop applications</strong> for end-users;</li>
<li><strong>Mobile applications</strong> for end-users;</li>
<li><strong>Software libraries</strong> for integrators/software developers to integrate the libraries’ functionality with third-party information systems/applications;</li>
<li><strong>Web components</strong> for integrators/software developers to add the signature creation and authentication functionality in web environment to third-party web applications;</li>
<li><strong>Drivers</strong> for communication with the cryptographic tokens that conduct the PKI operations;</li>
<li><strong>Other (supportive) components</strong> for packaging, installation, updating and centrally managing changes of the configuration settings in software (with the central configuration service).</li>
</ul>
<p>The following table maps the main ID-software components, their owner/developer (i.e. the main contractor) and the functionality they offer.</p>
<table border="1" cellspacing="0" cellpadding="0">
<thead>
<tr>
<th rowspan="2" colspan="2">Component</td>
<th colspan="6">Function</td>
<th rowspan="2">Owner</td>
<th rowspan="2">Licence</td>
</tr>
<tr>
<th>Handling ASiC/BDOC/PADES documents</td>
<th>Handling DDOC documents</td>
<th>Handling CDOC documents</td>
<th>Calculating RSA/ECDSA signature</td>
<th>Card management operations</td>
<th>Authentication</td>
</tr>
</thead>
<tbody>
<tr>
<th><a href="#desktop-applications">Desktop applications</a></td>
<th>DigiDoc4</th>
<td>yes (1)</td>
<td>yes - validation only (1)</td>
<td>yes</td>
<td>yes (1)</td>
<td>yes</td>
<td>-</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
<tr>
<th rowspan="2"><a href="#mobile-applications">Mobile applications</a></td>
<th>RIA DigiDoc (iOS)</th>
<td>yes (1)</td>
<td>yes - validation only (1)</td>
<td>yes (1)</td>
<td>yes</td>
<td>yes</td>
<td>-</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
<tr>
<th>RIA DigiDoc (Android)</th>
<td>yes (1)</td>
<td>yes - validation only (1)</td>
<td>yes (1)</td>
<td>yes</td>
<td>yes</td>
<td>-</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
<tr>
<th rowspan="3"><a href="#software-libraries">Software libraries</a></td>
<th>DigiDoc4j (Java)</th>
<td>yes (2)</td>
<td>yes (1)</td>
<td>-</td>
<td>yes (1)</td>
<td>-</td>
<td>-</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
<tr>
<th>CDoc4j (java)</th>
<td>-</td>
<td>-</td>
<td>yes</td>
<td>-</td>
<td>-</td>
<td>-</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
<tr>
<th>Libdigidocpp (C++, .NET)</th>
<td>yes (2)</td>
<td>yes - validation only (1)</td>
<td>-</td>
<td>yes (1)</td>
<td>-</td>
<td>-</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
<tr>
<th rowspan="2"><a href="#web-components">Web components</a></td>
<th>Browser signing modules</th>
<td>-</td>
<td>-</td>
<td>-</td>
<td>yes</td>
<td>-</td>
<td>-</td>
<td>RIA</td>
<td>MIT</td>
</tr>
<tr>
<th>web-eid.js (JavaScript)</th>
<td>-</td>
<td>-</td>
<td>-</td>
<td>yes (1)</td>
<td>-</td>
<td>-</td>
<td>RIA</td>
<td>MIT</td>
</tr>
<tr>
<th rowspan="3"><a href="#drivers">Driver components</a></td>
<th>Minidriver</th>
<td>-</td>
<td>-</td>
<td>-</td>
<td>yes</td>
<td>-</td>
<td>yes</td>
<td>IDEMIA</td>
<td>IDEMIA</td>
</tr>
<tr>
<th>OpenSC-pkcs11</th>
<td>-</td>
<td>-</td>
<td>-</td>
<td>yes</td>
<td>-</td>
<td>yes</td>
<td>OpenSC</td>
<td>LGPL</td>
</tr>
<tr>
<th>EstEID-CTK-tokend</th>
<td>-</td>
<td>-</td>
<td>-</td>
<td>yes</td>
<td>-</td>
<td>yes</td>
<td>RIA</td>
<td>LGPL</td>
</tr>
</tbody>
</table>
<p><strong>Table: Mapping of ID-software components and functions</strong></p>
<p>Remarks:</p>
<p>(1) - The functionality is provided via base components.<br />
(2) - PADES handling is not supported.  </p>
<p>The main functions offered by ID-software are described in the following table:</p>
<table>
<thead>
<tr>
<th>Function</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>Handling ASiC/BDOC/PADES documents</td>
<td>Handling documents in <a href="https://www.id.ee/wp-content/uploads/2020/06/bdoc-spec212-eng.pdf">BDOC 2.1</a> digital signature format that is a profile of <a href="http://www.etsi.org/deliver/etsi_ts/101900_101999/101903/01.04.02_60/ts_101903v010402p.pdf">ETSI XAdES</a> (XML Advanced Electronic Signature) and <a href="http://www.etsi.org/deliver/etsi_ts/102900_102999/102918/01.02.01_60/ts_102918v010201p.pdf">ETSI ASiC</a> formats. Validating timestamp and signatures of enclosed DDOC document in the Time Stamp Token (TST) based <a href="http://www.etsi.org/deliver/etsi_ts/102900_102999/102918/01.02.01_60/ts_102918v010201p.pdf">ETSI ASIC-S</a> containers. Validating the signatures of PDF documents in <a href="http://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf">PAdES</a> digital signature format that is a profile of <a href="http://www.etsi.org/deliver/etsi_en/319100_319199/31914201/01.01.01_60/en_31914201v010101p.pdf">ETSI PAdES</a>. More information on the formats’ life cycle can be found from <a href="https://www.id.ee/en/article/digidoc-container-format-life-cycle-2/">https://www.id.ee/en/article/digidoc-container-format-life-cycle-2/</a>. See <a href="http://open-eid.github.io/libdigidocpp/manual.html#format">Libdigidocpp</a> and <a href="https://github.com/open-eid/digidoc4j#features">Digidoc4j</a> documentation for supported formats.</td>
</tr>
<tr>
<td>Handling DDOC documents</td>
<td>Handling documents in <a href="https://www.id.ee/wp-content/uploads/2020/08/digidoc_format_1.3.pdf">DIGIDOC-XML 1.3 (DDOC)</a> digital signature format that is a profile of <a href="http://www.etsi.org/deliver/etsi_ts/101900_101999/101903/01.04.02_60/ts_101903v010402p.pdf">ETSI XAdES</a> (XML Advanced Electronic Signature) format. More information on the formats’ life cycle can be found from <a href="https://www.id.ee/en/article/digidoc-container-format-life-cycle-2/">https://www.id.ee/en/article/digidoc-container-format-life-cycle-2/</a>.</td>
</tr>
<tr>
<td>Handling CDOC documents</td>
<td>Encrypting and decrypting documents in <a href="https://www.id.ee/wp-content/uploads/2020/02/SK-CDOC-1.0-20120625_EN.pdf">ENCDOC-XML 1.0 (CDOC)</a> also <a href="https://www.ria.ee/sites/default/files/content-editors/EID/cdoc.pdf">CDOC 1.1</a> format.</td>
</tr>
<tr>
<td>Calculating RSA/ECDSA signature</td>
<td>Calculating the RSA or ECDSA signature value in browser or desktop/server environment. The operation involves connecting with the signature token’s driver, sending the data to be signed and receiving digital signature value calculated with the token owner’s RSA or ECDSA private key. The following cryptographic tokens are supported: hardware-based tokens (e.g. PKCS#11-based eID cards, USB cryptostick, Mobile-ID and Smart-ID); software-based tokens (e.g. PKCS#12 software token).</td>
</tr>
<tr>
<td>Card management operations</td>
<td>PIN/PUK management, reading personal data file.</td>
</tr>
<tr>
<td>Authentication</td>
<td>Authentication with ID-card. The operation is generally done via native operating system/browser components. In case of Estonian ID-cards and Firefox browser, a PKCS#11 module pkcs11-register is used for setting the proper parameters for authentication in Firefox browser on Linux.</td>
</tr>
</tbody>
</table>
<p><strong>Table: Functions offered by ID-software</strong></p>
<h1 id="component-model">Component model</h1>
<p>The following chapter depicts ID-software component diagrams, including variations of the components used in different supported environments.<br />
In the context of the component diagrams in this document, the ID-software components have been divided to two different packages to show the component’s owner:</p>
<ul>
<li>Components of ID-software that are owned and operated by RIA: <u>placed in "RIA" package</u>.</li>
<li>Components of ID-software that are owned and operated by SK: <u>placed in "SK" package</u>.</li>
</ul>
<p>Other components are regarded as external to ID-software.<br />
Note that not all of the external base libraries are included in the component model to avoid duplicity with other documentation – the base libraries are listed and described in the documentation of the respective ID-software components and can be accessed via the references provided.</p>
<p><a name="_comp_desktop"></a></p>
<h2 id="desktop-applications">Desktop applications</h2>
<p><a name="_DigiDoc4"></a></p>
<h3 id="digidoc4">DigiDoc4</h3>
<p><img alt="cmp DigiDoc4 signing components" src="index_files/comp_digidoc4_signing.png" title="cmp DigiDoc4 signing components" /><br />
<strong>Figure: DigiDoc4 signing and crypto-components</strong></p>
<p><img alt="cmp DigiDoc4 management components" src="index_files/comp_digidoc4_eid.png" title="cmp DigiDoc4 management components" /><br />
<strong>Figure: DigiDoc4 ID-card management components</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>DigiDoc4</td>
<td>DigiDoc4 enables handling digitally signed documents, encryption/decryption for managing ID-card’s PIN/PUK codes replacement and other services.<br/>Code repository: <a href="https://github.com/open-eid/DigiDoc4-Client">https://github.com/open-eid/DigiDoc4-Client</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>DigiDoc4 base libraries</td>
<td>Libdigidocpp (and its base libraries), etc. See <a href="#_DigiDoc4_interfaces">DigiDoc4 interfaces</a>.</td>
<td>-</td>
</tr>
<tr>
<td>Mobile-ID (MID) REST service</td>
<td>REST service that is used by DigiDoc4 for signature creation with Mobile-ID. See also <a href="https://github.com/sk-eid/mid">https://github.com/sk-eid/mid</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>Smart-ID (SID) REST service</td>
<td>REST service that is used by DigiDoc4 for signature creation with Smart-ID. See also <a href="https://github.com/SK-EID/smart-id-documentation">https://github.com/SK-EID/smart-id-documentation</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>LDAP directory</td>
<td>Directory of active certificates issued by SK (as the CA in Estonia). The directory is used by DigiDoc4 for finding authentication certificate (and the respective public key) of the recipient of the encrypted document. See also <a href="https://www.skidsolutions.eu/en/repository/ldap/">https://www.skidsolutions.eu/en/repository/ldap/</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>Central configuration repository</td>
<td>Described in chap. <a href="#_comp_central_conf">Central configuration service</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Central configuration client</td>
<td>Described in chap. <a href="#_comp_central_conf">Central configuration service</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Libdigidocpp</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>SiVa</td>
<td>Described in chap. <a href="#_DigiDoc4">Software libraries</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>TSL repository</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>EU/RIA</td>
</tr>
<tr>
<td>Time-stamping proxy service interface</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>OCSP service</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>Minidriver</td>
<td>Used via CNG interface in Windows environment only. Described in chap. <a href="#_comp_drivers">Drivers</a>.</td>
<td>IDEMIA</td>
</tr>
<tr>
<td>ID-Updater</td>
<td>Used in Windows and macOS only, described in chap. <a href="#_comp_update">Updating mechanisms</a>. In case of Windows platform, the ID-Updater can be executed from DigiDoc4 program.</td>
<td>RIA</td>
</tr>
</tbody>
</table>
<p><strong>Table: DigiDoc4</strong></p>
<p><a name="_DigiDoc4_interfaces"></a></p>
<h4 id="digidoc4-interfaces">DigiDoc4 interfaces</h4>
<p>Provided:</p>
<ul>
<li>Graphical user interface - interface for handling ASiC, BDOC, DDOC, CDOC documents, setting configuration parameters.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>PIN dialog – for inserting PIN value during signature creation or decryption operations in all operating systems except of Windows.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>Graphical user interface – interface for handling card management operations and using the external services (listed under “Required interfaces”).<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>PIN dialog – for inserting PIN/PUK value in all supported operating systems.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li><a href="#windows-updating-mechanism">ID-updater interface</a> (Windows only)</li>
<li><a href="#_comp_central_conf_client_interfaces">Central configuration client interface</a></li>
<li><a href="#_MID_REST_service">Mobile-ID (MID) REST service</a></li>
<li><a href="#_SID_REST_service">Smart-ID (MID) REST service</a></li>
<li><a href="#_LDAP_directory_interface">LDAP directory interface</a></li>
<li>Interfaces with base libraries:<ul>
<li><a href="#_Libdigidocpp_library’s_interfaces">Libdigidocpp library’s API</a> – for handling documents in supported digital signature formats (ASiC, BDOC, DDOC and PDF)</li>
<li>External base libraries: Qt6, libldap, openssl</li>
</ul>
</li>
<li>Interfaces with cryptographic token’s drivers (described in chap. <a href="#_comp_drivers">Drivers</a>)<ul>
<li>PKCS#11 interface</li>
<li>CNG interface</li>
</ul>
</li>
</ul>
<p><a name="_comp_mobile"></a></p>
<h2 id="mobile-applications">Mobile applications</h2>
<p><a name="_RIA_DigiDoc"></a></p>
<h3 id="ria-digidoc">RIA DigiDoc</h3>
<p><img alt="cmp RIA DigiDoc components" src="index_files/comp_mopp_signing.png" title="cmp RIA DigiDoc components" /><br />
<strong>Figure: RIA DigiDoc management, signing and crypto-components</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>RIA DigiDoc</td>
<td>RIA DigiDoc enables handling digitally signed documents, encryption/decryption for managing ID-card’s PIN/PUK codes replacement and other services.<br/>Code repository: <a href="https://github.com/open-eid/MOPP-Android">https://github.com/open-eid/MOPP-Android</a> and <a href="https://github.com/open-eid/MOPP-iOS">https://github.com/open-eid/MOPP-iOS</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>RIA DigiDoc base libraries</td>
<td>Libdigidocpp (and its base libraries), etc. See <a href="#_RIA_DigiDoc_interfaces">RIA DigiDoc interfaces</a>.</td>
<td>-</td>
</tr>
<tr>
<td>Mobile-ID (MID) REST service</td>
<td>REST service that is used by RIA DigiDoc for signature creation with Mobile-ID. See also <a href="https://github.com/sk-eid/mid">https://github.com/sk-eid/mid</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>Smart-ID (SID) REST service</td>
<td>REST service that is used by RIA DigiDoc for signature creation with Smart-ID. See also <a href="https://github.com/SK-EID/smart-id-documentation">https://github.com/SK-EID/smart-id-documentation</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>LDAP directory</td>
<td>Described in chap. <a href="#_DigiDoc4">DigiDoc4</a>.</td>
<td>SK</td>
</tr>
<tr>
<td>Central configuration repository</td>
<td>Described in chap. <a href="#_comp_central_conf">Central configuration service</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Libdigidocpp</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>SiVa</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>TSL repository</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>EU/RIA</td>
</tr>
<tr>
<td>Time-stamping proxy service interface</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>OCSP service</td>
<td>Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>SK</td>
</tr>
</tbody>
</table>
<p><strong>Table: RIA DigiDoc</strong></p>
<p><a name="_RIA_DigiDoc_interfaces"></a></p>
<h4 id="ria-digidoc-interfaces">RIA DigiDoc interfaces</h4>
<p>Provided:</p>
<ul>
<li>Graphical user interface - interface for handling ASiC, BDOC, DDOC, CDOC documents, setting configuration parameters.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>PIN dialog – for inserting PIN value during signature creation or decryption operations in all operating systems except of Windows.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>Graphical user interface – interface for handling card management operations.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>PIN dialog – for inserting PIN/PUK value in all supported operating systems.<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li><a href="#_comp_central_conf_server_interfaces">Central configuration server interface</a></li>
<li><a href="#_MID_REST_service">Mobile-ID (MID) REST service</a></li>
<li><a href="#_SID_REST_service">Smart-ID (MID) REST service</a></li>
<li><a href="#_LDAP_directory_interface">LDAP directory interface</a></li>
<li>Interfaces with base libraries:<ul>
<li><a href="#_Libdigidocpp_library’s_interfaces">Libdigidocpp library’s API</a> – for handling documents in supported digital signature formats (ASiC, BDOC, DDOC and PDF)</li>
<li>External base libraries: libldap, openssl</li>
</ul>
</li>
</ul>
<p><a name="_comp_libraries"></a></p>
<h2 id="software-libraries">Software libraries</h2>
<p><img alt="cmp Software libraries (Java)" src="index_files/sw_java.png" title="cmp Software libraries (Java)" /><br />
<strong>Figure: Java software libraries and their components</strong></p>
<p><img alt="cmp Software libraries (C++/.NET)" src="index_files/sw_cnet.png" title="cmp Software libraries (C++/.NET)" /><br />
<strong>Figure: C++/.NET software libraries and their components</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>DigiDoc4j</td>
<td>Java software library that enables handling documents in BDOC 2.1 (XAdES/ASiC-E) and DIGIDOC-XML 1.3 formats. Documentation: <a href="http://open-eid.github.io/digidoc4j">http://open-eid.github.io/digidoc4j</a> . Code repository: <a href="https://github.com/open-eid/digidoc4j">https://github.com/open-eid/digidoc4j</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>DigiDoc4j-util program</td>
<td>Small command line application that implements the main functionality of DigiDoc4j library. Used for testing purposes. Can also be used as a source for sample client code for using DigiDoc4j. See also <a href="http://open-eid.github.io/digidoc4j">http://open-eid.github.io/digidoc4j</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>CDoc4j</td>
<td>Java software library that enables handling documents in CDoc 1.1 format. Documentation: <a href="https://github.com/open-eid/cdoc4j/wiki/Examples-of-how-to-use-it">https://github.com/open-eid/cdoc4j/wiki/Examples-of-how-to-use-it</a> . Code repository: <a href="https://github.com/open-eid/cdoc4j">https://github.com/open-eid/cdoc4j</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>CDoc4j-util program</td>
<td>Small command line application that implements the main functionality of CDoc4j library. Used for testing purposes. Can also be used as a source for sample client code for using CDoc4j. See also <a href="https://github.com/open-eid/cdoc4j/tree/master/util">https://github.com/open-eid/cdoc4j/tree/master/util</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Libdigidocpp</td>
<td>C++ software library that enables handling documents in BDOC 2.1, ASiC and DIGIDOC-XML 1.3 formats (via SiVa service). Wiki: <a href="https://github.com/open-eid/libdigidocpp/wiki">https://github.com/open-eid/libdigidocpp/wiki</a> Code repository: <a href="https://github.com/open-eid/libdigidocpp">https://github.com/open-eid/libdigidocpp</a> Documentation: <a href="http://open-eid.github.io/libdigidocpp">http://open-eid.github.io/libdigidocpp</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>digidoc-tool program</td>
<td>Small command line application (digidoc-tool.exe) that implements the main functionality of Libdigidocpp library. Used for testing purposes. Can also be used as a source for sample client code for using Libdigidocpp. See also <a href="http://open-eid.github.io/libdigidocpp">http://open-eid.github.io/libdigidocpp</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>DigiDocCSharp</td>
<td>.NET C# wrapper classes for using Libidigidocpp library’s functionality in .NET environment. Created with Swig tool. See also <a href="https://github.com/open-eid/libdigidocpp/blob/master/examples/DigiDocCSharp/README.md">https://github.com/open-eid/libdigidocpp/blob/master/examples/DigiDocCSharp/README.md</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>SiVa</td>
<td><em>Si</em>gnature <em>Ve</em>rification Service is an online web service for validating digitally signed documents.<br/>SiVa is used by the DigiDoc4 and RIA DigiDoc (by libdigidocpp base library) to validate documents in formats that are not natively supported; currently the service is used to validate ASiC (CAdES), PDF (ETSI PAdES) and DDOC documents.<br/>See also <a href="#_SiVa_verification_service">Signature Verification Service interface</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>TSL repository</td>
<td>Repository for accessing the TSL (<a href="http://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.02.01_60/ts_119612v020201p.pdf">Trust Service status List</a>) lists that can be used as a central source of trust anchor information during digital signature creation and validation processes. The European Commission’s TSL list (<a href="https://ec.europa.eu/tools/lotl/eu-lotl.xml">https://ec.europa.eu/tools/lotl/eu-lotl.xml</a>) is used as the central TSL list (with references to national lists).</td>
<td>EU/ RIA</td>
</tr>
<tr>
<td>Time-stamping proxy service interface</td>
<td><a href="https://tools.ietf.org/html/rfc3161">RFC3161</a> based time-stamping service.</td>
<td>RIA</td>
</tr>
<tr>
<td>OCSP service</td>
<td><a href="https://tools.ietf.org/html/rfc6960">RFC6960</a> based OCSP service. Also offered by SK for Estonian and a number of foreign certificates (see <a href="http://www.skidsolutions.eu/en/">www.skidsolutions.eu/en</a>).</td>
<td>SK</td>
</tr>
</tbody>
</table>
<p><strong>Table: Software libraries and their components</strong></p>
<p><a name="_DigiDoc4j_library’s_interfaces"></a></p>
<h3 id="digidoc4j-librarys-interfaces">DigiDoc4j library’s interfaces</h3>
<p>Provided:</p>
<ul>
<li><a href="http://open-eid.github.io/digidoc4j">DigiDoc4j API</a><ul>
<li>User: DigiDoc4j utility program</li>
<li>Accessible with: Java</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li><a href="#_TSL_repositories’_interfaces">TSL repositories’ interfaces</a></li>
<li><a href="#_Time_stamping_proxy">Time-stamping proxy service interface</a></li>
<li><a href="#_OCSP_service_interface">OCSP service interface</a></li>
<li>Interfaces with base libraries:<ul>
<li>Other base libraries: see <a href="http://open-eid.github.io/digidoc4j">http://open-eid.github.io/digidoc4j</a></li>
</ul>
</li>
<li>Interfaces with cryptographic token’s drivers (described in chap. <a href="#_comp_drivers">Drivers</a>)<ul>
<li>PKCS#11 interface</li>
<li>PKCS#12 interface</li>
</ul>
</li>
</ul>
<h3 id="digidoc4j-utility-programs-interfaces">DigiDoc4j utility program’s interfaces</h3>
<p>Provided:</p>
<ul>
<li><a href="http://open-eid.github.io/digidoc4j">DigiDoc4j utility program’s interface</a><ul>
<li>User: server application, end-user application, end-user</li>
<li>Accessible with: command line</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>DigiDoc4j API: see chap. <a href="#_DigiDoc4j_library’s_interfaces">DigiDoc4j library’s interfaces</a></li>
</ul>
<p><a name="_CDoc4j_library’s_interfaces"></a></p>
<h3 id="cdoc4j-librarys-interfaces">CDoc4j library’s interfaces</h3>
<p>Provided:</p>
<ul>
<li><a href="https://github.com/open-eid/cdoc4j/wiki/Examples-of-how-to-use-it">CDoc4j API</a><ul>
<li>User: CDoc4j utility program</li>
<li>Accessible with: Java</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>Interfaces with base libraries:<ul>
<li>Other base libraries: BouncyCastle</li>
</ul>
</li>
<li>Interfaces with cryptographic token’s drivers (described in chap. <a href="#_comp_drivers">Drivers</a>)<ul>
<li>PKCS#11 interface</li>
<li>PKCS#12 interface</li>
</ul>
</li>
</ul>
<h3 id="cdoc4j-utility-programs-interfaces">CDoc4j utility program’s interfaces</h3>
<p>Provided:</p>
<ul>
<li><a href="https://github.com/open-eid/cdoc4j/tree/master/util">CDoc4j utility program’s interface</a><ul>
<li>User: server application, end-user application, end-user</li>
<li>Accessible with: command line</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>CDoc4j API: see chap. <a href="#_CDoc4j_library’s_interfaces">CDoc4j library’s interfaces</a></li>
</ul>
<p><a name="_Libdigidocpp_library’s_interfaces"></a></p>
<h3 id="libdigidocpp-librarys-interfaces">Libdigidocpp library’s interfaces</h3>
<p>Provided:</p>
<ul>
<li><a href="http://open-eid.github.io/libdigidocpp">Libdigidocpp API</a><ul>
<li>User: DigiDoc4, RIA DigiDoc, Libdigidocpp utility program, DigiDocCSharp .NET wrapper classes</li>
<li>Accessible with: C++</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li><a href="#_TSL_repositories’_interfaces">TSL repositories’ interfaces</a></li>
<li><a href="#_Time_stamping_proxy">Time-stamping proxy service interface</a></li>
<li><a href="#_OCSP_service_interface">OCSP service interface</a></li>
<li><a href="#_SiVa_verification_service">Signature Verification Service interface</a></li>
<li>Interfaces with base libraries:<ul>
<li>OpenSSL, libxml2, xmlsec1. See also <a href="http://open-eid.github.io/libdigidocpp">http://open-eid.github.io/libdigidocpp</a></li>
</ul>
</li>
<li>Interfaces with cryptographic token’s drivers (described in chap. <a href="#_comp_drivers">Drivers</a>)<ul>
<li>CNG interface</li>
<li>CSP interface</li>
<li>PKCS#11 interface</li>
<li>PKCS#12 interface</li>
</ul>
</li>
</ul>
<h3 id="libdigidocpp-utility-programs-interfaces">Libdigidocpp utility program’s interfaces</h3>
<p>Provided:</p>
<ul>
<li><a href="http://open-eid.github.io/libdigidocpp">Libdigidocpp utility program’s interface</a><ul>
<li>User: server application, end-user application, end-user</li>
<li>Accessible with: command line</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>Libdigidocpp API: see chap. <a href="#_Libdigidocpp_library’s_interfaces">Libdigidocpp library’s interfaces</a></li>
</ul>
<p><a name="_comp_web"></a></p>
<h2 id="web-components">Web components</h2>
<h3 id="web-signing-components">Web signing components</h3>
<p>The web signing component diagrams describe components that are needed for signature creation in web applications with eID cards.</p>
<p><img alt="cmp Web components for signature creation" src="index_files/web_sign.png" title="cmp Web components for signature creation" />  </p>
<p><strong>Figure: Components for signature creation in web environment</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>web-eid.js</td>
<td>JavaScript library that enables communication with the browser signing extension of the different web browsers. Code and documentation repository: <a href="https://github.com/web-eid/web-eid.js">https://github.com/web-eid/web-eid.js</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Web application</td>
<td>A web application that implements signature creation with an eID-token in browser environment.</td>
<td>-</td>
</tr>
<tr>
<td>Web-eID</td>
<td>Used in Chrome, Edge and Firefox. Comprises two subcomponents: browser extension component and native macOS/Linux/Windows component that implements Native Messaging API (JSON). The browser extension enables data exchange with the native component that in turn interacts with the cryptographic token’s driver for authentication and signing. Code repository: <a href="https://github.com/web-eid/web-eid-app">https://github.com/web-eid/web-eid-app</a>. Documentation: <a href="https://web-eid.eu">https://web-eid.eu</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Web-eID safari</td>
<td>Used in Safari. Comprises two subcomponents: browser extension component and native macOS component that implements Native Messaging API (JSON). The browser extension enables data exchange with the native component that in turn interacts with the cryptographic token’s driver for signing. Code repository: <a href="https://github.com/web-eid/web-eid-app">https://github.com/web-eid/web-eid-app</a>.</td>
<td>RIA</td>
</tr>
</tbody>
</table>
<p><strong>Table: Components for signing in web environment</strong></p>
<h4 id="web-eidjs-librarys-interfaces">Web-eID.js library’s interfaces</h4>
<p>Provided:</p>
<ul>
<li><a href="https://github.com/web-eid/web-eid.js#quickstart">Web-eID.js library’s API</a><ul>
<li>User: a web application in browser environment</li>
<li>Accessible with: JavaScript</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>Interfaces with browser signing modules:<ul>
<li><a href="#_web-eid_extension’s_in">Web-eID extension’s interfaces</a></li>
<li><a href="#_web-eid-safari_extension’s_in">Web-eID Safari extension’s interfaces</a></li>
</ul>
</li>
</ul>
<p><a name="_web-eid_extension’s_in"></a></p>
<h4 id="web-eid-interfaces">Web-eID interfaces</h4>
<p>Provided:</p>
<ul>
<li><a href="https://github.com/web-eid/web-eid-webextension">Web-eID extension’s API</a><ul>
<li>User: a web application in browser environment, web-eid.js and hwcrypto.js library</li>
<li>Accessible with: C++</li>
</ul>
</li>
<li>PIN dialog – for inserting PIN1 or PIN2 value during authentication and signature creation<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>Certificate selection dialog<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>Interfaces with cryptographic token’s drivers (described in chap. <a href="#_comp_drivers">Drivers</a>)<ul>
<li>PKCS#11 interface</li>
</ul>
</li>
</ul>
<p><a name="_web-eid-safari_extension’s_in"></a></p>
<h4 id="web-eid-safari-extensions-interfaces">Web-eID Safari extension’s interfaces</h4>
<p>Provided:</p>
<ul>
<li><a href="https://github.com/web-eid/web-eid-webextension">Web-eID Safari extension’s API</a><ul>
<li>User: a web application in browser environment, web-eid.js and hwcrypto.js library</li>
<li>Accessible with: C++</li>
</ul>
</li>
<li>PIN dialog – for inserting PIN1 or PIN2 value during authentication and signature creation<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
<li>Certificate selection dialog<ul>
<li>User: end-user</li>
<li>Accessible with: GUI elements</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>Interfaces with cryptographic token’s drivers (described in chap. <a href="#_comp_drivers">Drivers</a>)<ul>
<li>PKCS#11 interface</li>
</ul>
</li>
</ul>
<h3 id="web-authentication-components">Web authentication components</h3>
<p>Authentication in web browsers is done with the browsers’ and operating systems’ native components. In case of authenticating in Firefox browser then pkcs11-register is used to load the OpenSC PKCS#11 driver by the browser on Linux.</p>
<p><img alt="cmp Web components for authentication" src="index_files/web_auth.png" title="cmp Web components for authentication" />  </p>
<p><strong>Figure: Web authentication components</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>CTK Tokend</td>
<td>Described in chap. <a href="#_comp_drivers">Drivers</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Minidriver</td>
<td>Described in chap. <a href="#_comp_drivers">Drivers</a>.</td>
<td>IDEMIA</td>
</tr>
</tbody>
</table>
<p><strong>Table: Web authentication components</strong></p>
<p><a name="_comp_drivers"></a></p>
<h2 id="drivers">Drivers</h2>
<p><img alt="cmp Drivers" src="index_files/drivers.png" title="cmp Drivers" /><br />
<strong>Figure: Cryptographic tokens’ drivers</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>OpenSC PKCS#11 driver</td>
<td>A driver for accessing eID-cards. Connects with the card via the operating system’s native PC/SC interface. Used as a default driver for signature creation in web browser environment and DigiDoc4 in case of Linux and macOS platform. Wiki: <a href="https://github.com/OpenSC/OpenSC/wiki">https://github.com/OpenSC/OpenSC/wiki</a>.</td>
<td>OpenSC</td>
</tr>
<tr>
<td>One-pin OpenSC PKCS#11 driver</td>
<td>Version of OpenSC PKCS#11 driver that only enables authentication functionality. Used as a default driver for authentication with eID card in Firefox browser environment in case of Linux platform. Wiki: <a href="https://github.com/OpenSC/OpenSC/wiki">https://github.com/OpenSC/OpenSC/wiki</a>.</td>
<td>OpenSC</td>
</tr>
<tr>
<td>Minidriver</td>
<td>Used as a default driver for accessing Estonian eID-cards via CNG interface for signature creation in web browser environment in case of Windows platform. Used as a default driver for authentication with eID card in browser environment in case of Windows platform.</td>
<td>IDEMIA</td>
</tr>
<tr>
<td>EstEID CTK Tokend</td>
<td>A driver for accessing eID-cards. Connects with the card via the operating system’s native PC/SC interface. Used as a default driver for authentication with eID card in browser environment in case macOS platform. Code repository: <a href="https://github.com/open-eid/esteid-ctk-tokend">https://github.com/open-eid/esteid-ctk-tokend</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>PKCS#12 implementation via base library</td>
<td>An implementation of PKCS#12 interface by the component’s base libraries.</td>
<td>-</td>
</tr>
</tbody>
</table>
<p><strong>Table: Cryptographic token driver components</strong></p>
<p><a name="_Cryptographic_tokens_drivers’"></a><a name="_PKCS#11_drivers"></a></p>
<h3 id="pkcs11-driver-interfaces">PKCS#11 driver interfaces</h3>
<p>Components:</p>
<ul>
<li>OpenSC PKCS#11 driver</li>
<li>One-pin OpenSC PKCS#11 driver</li>
</ul>
<p>Provided:</p>
<ul>
<li>PKCS#11 API<ul>
<li>User: a browser signing module, software library</li>
<li>Accessible with: C/C++</li>
<li>Documentation: <ul>
<li>PKCS#11 API: <a href="http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html">http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html</a></li>
<li>source code for the list of implemented functions</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>PC/SC: see chap. <a href="#_PC/SC_driver">PC/SC driver</a></li>
</ul>
<p><a name="_Minidriver"></a></p>
<h3 id="minidriver-interfaces">Minidriver interfaces</h3>
<p>Provided:</p>
<ul>
<li>
<p>CNG/Minidriver API</p>
<ul>
<li>User: a browser signing module, software library</li>
<li>Accessible with: C/C++</li>
<li>Documentation:<ul>
<li>CNG: <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa376210(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/windows/desktop/aa376210(v=vs.85).aspx</a></li>
<li>Minidriver API: <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/dn631754(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/windows/hardware/dn631754(v=vs.85).aspx</a></li>
<li>source code for the list of implemented functions</li>
</ul>
</li>
</ul>
</li>
<li>
<p>CAPI/Minidriver API</p>
<ul>
<li>User: a browser signing module, software library</li>
<li>Accessible with: C/C++</li>
<li>Documentation:<ul>
<li>CAPI: <a href="http://msdn.microsoft.com/en-us/library/aa380256.aspx">http://msdn.microsoft.com/en-us/library/aa380256.aspx</a></li>
<li>Minidriver API: <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/dn631754(v=vs.85).aspx">http://msdn.microsoft.com/en-us/library/windows/hardware/dn631754(v=vs.85).aspx</a></li>
<li>source code for the list of implemented functions</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>PC/SC: see chap. <a href="#_PC/SC_driver">PC/SC driver</a></li>
</ul>
<p><a name="_PKCS#12_implementation_via"></a></p>
<h3 id="pkcs12-implementation-via-base-library">PKCS#12 implementation via base library</h3>
<p>Provided:</p>
<ul>
<li>PKCS#12 interface<ul>
<li>User: a software library</li>
<li>Accessible with: PKCS#12 API</li>
<li>Documentation: see documentation of the respective component’s appropriate base library</li>
</ul>
</li>
</ul>
<h3 id="tokend-driver-interfaces">Tokend driver interfaces</h3>
<p>Components implementing the interface:</p>
<ul>
<li>EstEID CTK Tokend driver</li>
</ul>
<p>Provided:</p>
<ul>
<li>CryptoTokenKit<ul>
<li>User: software library</li>
<li>Accessible with: C/C++</li>
<li>Documentation: see <a href="https://developer.apple.com/documentation/cryptotokenkit?language=objc">https://developer.apple.com/documentation/cryptotokenkit?language=objc</a></li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>PC/SC: see chap. <a href="#_PC/SC_driver">PC/SC driver</a></li>
</ul>
<p><a name="_PC/SC_driver"></a></p>
<h3 id="pcsc-driver-interfaces">PC/SC driver interfaces</h3>
<p>Provided:</p>
<ul>
<li>PC/SC interface<ul>
<li>User: eID-card’s driver</li>
<li>Accessible with: PC/SC API</li>
<li>Documentation: see <a href="http://www.pcscworkgroup.com/specifications/overview.php">http://www.pcscworkgroup.com/specifications/overview.php</a></li>
</ul>
</li>
</ul>
<p>Required: not in the scope of this document.</p>
<p><a name="_comp_update"></a></p>
<h2 id="updating-mechanisms">Updating mechanisms</h2>
<p>The following chapter describes automatic updating mechanisms of different ID-software desktop applications. Several combinations of central software update checking and distribution environments are used depending on the end-user’s operating system.</p>
<p><a name="_Windows_updating_mechanism"></a></p>
<h3 id="windows-updating-mechanism">Windows updating mechanism</h3>
<p><img alt="cmp Updating (Windows)" src="index_files/up_win.png" title="cmp Updating (Windows)" /><br />
<strong>Figure: Updating mechanisms in Windows</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>ID-updater</td>
<td>Service that is periodically checks if newer versions of related ID-software components are available for download, initiates the download and installation if necessary. Uses <a href="#_comp_central_conf">Central configuration service</a> for determining the latest available software versions.</td>
<td>RIA</td>
</tr>
<tr>
<td>MS Update</td>
<td>Microsoft Update – see Microsoft’s documentation for more information.</td>
<td>Microsoft</td>
</tr>
<tr>
<td>Windows Store</td>
<td>See <a href="https://microsoftedge.microsoft.com/addons/detail/gnmckgbandlkacikdndelhfghdejfido">https://microsoftedge.microsoft.com/addons/detail/gnmckgbandlkacikdndelhfghdejfido</a>.</td>
<td>Microsoft</td>
</tr>
<tr>
<td>Chrome Web Store</td>
<td>See <a href="https://chrome.google.com/webstore/detail/web-eid/ncibgoaomkmdpilpocfeponihegamlic">https://chrome.google.com/webstore/detail/web-eid/ncibgoaomkmdpilpocfeponihegamlic</a>.</td>
<td>Google</td>
</tr>
<tr>
<td>Firefox Web Store</td>
<td>See <a href="https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/">https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/</a>.</td>
<td>Firefox</td>
</tr>
</tbody>
</table>
<p><strong>Table: Updating mechanisms in Windows</strong></p>
<h3 id="macos-updating-mechanism">macOS updating mechanism</h3>
<p><img alt="cmp Updating (macOS)" src="index_files/up_macos.png" title="cmp Updating (macOS)" /><br />
<strong>Figure: Updating mechanisms in macOS</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>ID-updater</td>
<td>Described in chap. <a href="#_Windows_updating_mechanism">Windows updating mechanism</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Apple App Store</td>
<td>See Apple App Store documentation.</td>
<td>Apple</td>
</tr>
<tr>
<td>Chrome Web Store**</td>
<td>See <a href="https://chrome.google.com/webstore/detail/web-eid/ncibgoaomkmdpilpocfeponihegamlic">https://chrome.google.com/webstore/detail/web-eid/ncibgoaomkmdpilpocfeponihegamlic</a>.</td>
<td>Google</td>
</tr>
<tr>
<td>Firefox Web Store</td>
<td>See <a href="https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/">https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/</a>.</td>
<td>Firefox</td>
</tr>
</tbody>
</table>
<p><strong>Table: Updating mechanisms in macOS</strong></p>
<h3 id="linux-updating-mechanism">Linux updating mechanism</h3>
<p><img alt="cmp Updating (Linux)" src="index_files/up_linux.png" title="cmp Updating (Linux)" /><br />
<strong>Figure: Updating mechanism in Linux</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>Ubuntu package updates</td>
<td>Managed and maintained by RIA. The binary packages are released for installation and updating to <a href="https://installer.id.ee/media/ubuntu/">https://installer.id.ee/media/ubuntu/</a> repository.</td>
<td>RIA</td>
</tr>
<tr>
<td>Packages updates for other distros</td>
<td>Managed by the open-source community. Packages are built, added and updated in Estobuntu and Fedora distributions by the package maintainers.</td>
<td>-</td>
</tr>
<tr>
<td>Chrome Web Store</td>
<td>See <a href="https://chrome.google.com/webstore/detail/web-eid/ncibgoaomkmdpilpocfeponihegamlic">https://chrome.google.com/webstore/detail/web-eid/ncibgoaomkmdpilpocfeponihegamlic</a>.</td>
<td>Google</td>
</tr>
<tr>
<td>Firefox Web Store</td>
<td>See <a href="https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/">https://addons.mozilla.org/en-US/firefox/addon/web-eid-webextension/</a>.</td>
<td>Firefox</td>
</tr>
</tbody>
</table>
<p><strong>Table: Updating mechanisms in Linux</strong></p>
<h3 id="mobile-updating-mechanism">Mobile updating mechanism</h3>
<p><img alt="cmp Updating (Mobile)" src="index_files/up_mopp.png" title="cmp Updating (Mobile)" /><br />
<strong>Figure: Updating mechanism in Mobile</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>Google Play</td>
<td>See Google Play documentation.</td>
<td>Google</td>
</tr>
<tr>
<td>Apple App Store</td>
<td>See Apple App Store documentation.</td>
<td>Apple</td>
</tr>
</tbody>
</table>
<p><strong>Table: Updating mechanisms in Mobile</strong></p>
<p><a name="_comp_central_conf"></a></p>
<h2 id="central-configuration-service">Central configuration service</h2>
<p>The central configuration service's purpose is to enable on-line and central management of ID-software components configuration settings.</p>
<p><img alt="cmp Central configuration service" src="index_files/comp_central_configuration.png" title="cmp Central configuration service" /> </p>
<p><strong>Figure: Central configuration service's client and server components</strong></p>
<table>
<thead>
<tr>
<th>Component</th>
<th>Description</th>
<th>Owner</th>
</tr>
</thead>
<tbody>
<tr>
<td>ID-Updater</td>
<td>ID-Updater component (only in Windows and macOS) requests data from the central configuration client component, the latest available ID-software versions are read from the configuration file. See also <a href="#_comp_update">Updating mechanisms</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>DigiDoc4</td>
<td>DigiDoc4 requests configuration data from the central configuration client component. Described in chap. <a href="#_DigiDoc4">DigiDoc4</a>.</td>
<td>RIA</td>
</tr>
<tr>
<td>Central configuration client</td>
<td>Central Configuration Client component manages the configuration file validation and updating processes, returns the validated configuration data to the Requesting Application (DigiDoc4) and if necessary, updates the data from Central Configuration Server.</td>
<td>RIA</td>
</tr>
<tr>
<td>Central configuration service</td>
<td>Central Configuration Server component provides configuration data on-line to the Central Configuration Client component.</td>
<td>RIA</td>
</tr>
<tr>
<td>config.json</td>
<td>The central configuration file is named config.json, the file is in JSON format. The configuration file is signed.</td>
<td>RIA</td>
</tr>
<tr>
<td>config.rsa</td>
<td>Stores the central configuration file's signature value.</td>
<td>RIA</td>
</tr>
<tr>
<td>config.pub</td>
<td>Public key used for validating the central configuration file's signature value.</td>
<td>RIA</td>
</tr>
<tr>
<td>Libdigidocpp</td>
<td>DigiDoc4's base library, also uses the central configuration file's settings. Described in chap. <a href="#_comp_libraries">Software libraries</a>.</td>
<td>RIA</td>
</tr>
</tbody>
</table>
<p><strong>Table: Central configuration service's components</strong></p>
<p><a name="_comp_central_conf_client_interfaces"></a></p>
<h3 id="central-configuration-clients-interfaces">Central configuration client's interfaces</h3>
<p>Provided:</p>
<ul>
<li>Central Configuration Client API<ul>
<li>User: DigiDoc4, ID-Updater</li>
<li>Accessible with: C++</li>
</ul>
</li>
</ul>
<p>Required:</p>
<ul>
<li>Central configuration file config.json from the <a href="#_comp_central_conf_server_interfaces">central configuration repository</a></li>
<li>Central configuration file config.json from the local file system (or the local installation package)</li>
<li>Central configuration file's signature config.rsa from the <a href="#_comp_central_conf_server_interfaces">central configuration repository</a></li>
<li>Central configuration file's signature config.rsa from the local file system (or the local installation package)</li>
<li>Client operating system's registry/environment variables<ul>
<li>LastCheck entry</li>
</ul>
</li>
<li>Base libraries:<ul>
<li>QT framework</li>
<li>OpenSSL</li>
</ul>
</li>
</ul>
<p><a name="_comp_central_conf_repo_interfaces"></a></p>
<h3 id="central-configuration-repositorys-interfaces">Central configuration repository's interfaces</h3>
<p>See <a href="#_comp_central_conf_server_interfaces">Central configuration repository's interfaces</a>.</p>
<p><a name="_comp_external"></a></p>
<h2 id="interfaces-with-external-services">Interfaces with external services</h2>
<p>The following chapter describes interfaces that different ID-software components may have with external services. Relatsionships with the external services are depicted in different ID-software component models above.</p>
<p><a name="_comp_central_conf_server_interfaces"></a></p>
<h4 id="central-configuration-repositorys-interfaces_1">Central configuration repository's interfaces</h4>
<ul>
<li>Central configuration file config.json<ul>
<li>User: central configuration client component</li>
<li>Accessible from: <a href="https://id.eesti.ee/config.json">https://id.eesti.ee/config.json</a></li>
<li>Accessible with: HTTPS protocol</li>
</ul>
</li>
<li>Central configuration file's signature file config.rsa<ul>
<li>User: central configuration client component</li>
<li>Accessible from: <a href="https://id.eesti.ee/config.rsa">https://id.eesti.ee/config.rsa</a></li>
<li>Accessible with: HTTPS protocol</li>
</ul>
</li>
<li>Central configuration file's public key file config.pub<ul>
<li>User: central configuration client component</li>
<li>Accessible from: <a hreef="https://id.eesti.ee/config.pub">https://id.eesti.ee/config.pub</a> </li>
<li>Accessible with: HTTPS protocol</li>
</ul>
</li>
</ul>
<p><a name="_MID_REST_service"></a></p>
<h4 id="mobile-id-rest-service">Mobile-ID REST service</h4>
<ul>
<li>User: DigiDoc4, RIA DigiDoc</li>
<li>Accessible with: REST over HTTPS</li>
<li>Accessible from: <a href="https://eid-dd.ria.ee/mid">https://eid-dd.ria.ee/mid</a>, <a href="https://mid.sk.ee/mid-api">https://mid.sk.ee/mid-api</a></li>
<li>Documentation: <a href="https://github.com/sk-eid/mid">https://github.com/sk-eid/mid</a></li>
</ul>
<p><a name="_SID_REST_service"></a></p>
<h4 id="smart-id-rest-service">Smart-ID REST service</h4>
<ul>
<li>User: DigiDoc4, RIA DigiDoc</li>
<li>Accessible with: REST over HTTPS</li>
<li>Accessible from: <a href="https://eid-dd.ria.ee/sid/v2">https://eid-dd.ria.ee/sid/v2</a>, <a href="https://rp-api.smart-id.com/v2">https://rp-api.smart-id.com/v2</a></li>
<li>Documentation: <a href="https://github.com/SK-EID/smart-id-documentation">https://github.com/SK-EID/smart-id-documentation</a></li>
</ul>
<p><a name="_LDAP_directory_interface"></a></p>
<h4 id="ldap-directory-interface">LDAP directory interface</h4>
<ul>
<li>User: DigiDoc4, RIA DigiDoc</li>
<li>Accessible with: LDAP protocol</li>
<li>Accessible from: ldaps://esteid.ldap.sk.ee, ldaps://k3.ldap.sk.ee</li>
<li>Documentation: <a href="https://www.skidsolutions.eu/en/repository/ldap/">https://www.skidsolutions.eu/en/repository/ldap/</a></li>
</ul>
<p><a name="_TSL_repositories’_interfaces"></a></p>
<h4 id="tsl-repositories-interfaces">TSL repositories’ interfaces</h4>
<ul>
<li>User: Libdigidocpp, DigiDoc4j</li>
<li>Accessible with: HTTPS protocol</li>
<li>Accessible from:<ul>
<li>European Commission’s master list: <a href="https://ec.europa.eu/tools/lotl/eu-lotl.xml">https://ec.europa.eu/tools/lotl/eu-lotl.xml</a></li>
<li>National TSL URLs in the European Commission’s TSL, e,g, Estonian TSL: <a href="http://sr.riik.ee/tsl/estonian-tsl.xml">http://sr.riik.ee/tsl/estonian-tsl.xml</a></li>
</ul>
</li>
<li>Documentation: <a href="http://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.02.01_60/ts_119612v020201p.pdf">http://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.02.01_60/ts_119612v020201p.pdf</a></li>
</ul>
<p><a name="_Time_stamping_proxy"></a></p>
<h4 id="time-stamping-proxy-service-interface">Time-stamping proxy service interface</h4>
<ul>
<li>User: DigiDoc4j, Libdigidocpp (DigiDoc4, RIA DigiDoc)</li>
<li>Accessible with: HTTPS protocol</li>
<li>Accessible from: <a href="https://eid-dd.ria.ee/ts">https://eid-dd.ria.ee/ts</a></li>
<li>Documentation: <a href="https://tools.ietf.org/html/rfc3161">RFC3161</a></li>
</ul>
<p><a name="_OCSP_service_interface"></a></p>
<h4 id="ocsp-service-interface">OCSP service interface</h4>
<ul>
<li>User: DigiDoc4j or Libdigidocpp software libraries</li>
<li>Accessible with: HTTP protocol</li>
<li>Accessible from:<ul>
<li>OCSP URL from signer certificate Authority Information Access extension.</li>
<li>SK’s OCSP service for SK issued certificates: <a href="http://ocsp.sk.ee/">http://ocsp.sk.ee/</a></li>
<li>SK’s test OCSP service: <a href="http://demo.sk.ee/ocsp">http://demo.sk.ee/ocsp</a></li>
</ul>
</li>
<li>Documentation: <a href="https://tools.ietf.org/html/rfc6960">RFC6960</a></li>
</ul>
<p><a name="_SiVa_verification_service"></a></p>
<h4 id="signature-verification-service-interface">Signature Verification Service interface</h4>
<ul>
<li>User: Libdigidocpp (DigiDoc4, RIA DigiDoc)</li>
<li>Accessible with: HTTPS protocol</li>
<li>Accessible from: <a href="https://siva.eesti.ee/V3/validate">https://siva.eesti.ee/V3/validate</a></li>
<li>Documentation: <a href="http://open-eid.github.io/SiVa/">http://open-eid.github.io/SiVa/</a></li>
</ul>
<h1 id="deployment-model">Deployment model</h1>
<p>The following subchapters describe physical deployment of ID-software components in collaboration with external components that were depicted in chap. <a href="#component-model">Component model</a> in case of the most common use cases.</p>
<h2 id="signing-in-web-browser">Signing in web browser</h2>
<p><img alt="cmp Signing in web browser" src="index_files/depl_web.png" title="cmp Signing in web browser" /> </p>
<p><strong>Figure: Signing in web browser via a web application</strong></p>
<p>Additional notes:</p>
<ul>
<li>A digital signing software library (i.e. DigiDoc4j or Libdigidocpp) can be used for creating a ASiC container and adding the created signature value to the container.</li>
<li>Long term validation data is added to the ASiC signature by obtaining OCSP confirmation and a time-stamp.</li>
<li>Mobile-ID REST services is required in order to sign with Mobile-ID.</li>
<li>Smart-ID REST services is required in order to sign with Smart-ID.</li>
<li>Signature value is calculated either in the Mobile-ID SIM card, Smart-ID mobile application or eID-card’s chip.</li>
<li>When signing with eID smartcard then the browser signing module is necessary for enabling communication with the smart card connected to the user’s system. Hwcrypto.js library offers a single API for supporting signing modules of all the supported browsers.</li>
<li>Optionally, trust anchor data is retrieved from TSL lists – the European Commission’s central TSL and national TSL’s of the EU member states.</li>
</ul>
<h2 id="signing-with-digidoc4">Signing with DigiDoc4</h2>
<p><img alt="cmp Signing with DigiDoc4" src="index_files/depl_client.png" title="cmp Signing with DigiDoc4" /><br />
<strong>Figure: Deployment of components during signature creation with DigiDoc4</strong></p>
<p>Additional notes:</p>
<ul>
<li>DigiDoc4 is used for creating the ASiC container and adding the signature value to the container.</li>
<li>Long term validation data is added to the ASiC signature by obtaining OCSP confirmation and a time-stamp.</li>
<li>Mobile-ID REST services is required in order to sign with Mobile-ID.</li>
<li>Smart-ID REST services is required in order to sign with Smart-ID.</li>
<li>Signature value is calculated either in the Mobile-ID SIM card, Smart-ID mobile application or ID-card’s chip.</li>
<li>Trust anchor data is retrieved from TSL lists – the European Commission’s central TSL and national TSL’s of the EU member states.</li>
</ul>
<h2 id="signing-with-ria-digidoc">Signing with RIA DigiDoc</h2>
<p><img alt="cmp Signing with RIA DigiDoc" src="index_files/depl_mopp.png" title="cmp Signing with RIA DigiDoc" /><br />
<strong>Figure: Deployment of components during signature creation with RIA DigiDoc</strong></p>
<p>Additional notes:</p>
<ul>
<li>RIA DigiDoc is used for creating the ASiC container and adding the signature value to the container.</li>
<li>Long term validation data is added to the ASiC signature by obtaining OCSP confirmation and a time-stamp.</li>
<li>Mobile-ID REST services is required in order to sign with Mobile-ID.</li>
<li>Smart-ID REST services is required in order to sign with Smart-ID.</li>
<li>Signature value is calculated either in the Mobile-ID SIM card or ID-card’s chip.</li>
<li>Trust anchor data is retrieved from TSL lists – the European Commission’s central TSL and national TSL’s of the EU member states.</li>
</ul></div>
            </div>
        </div>

        <footer class="col-md-12">
            <hr>
            <p>Documentation built with <a href="https://www.mkdocs.org/">MkDocs</a>.</p>
        </footer>
        <script src="js/bootstrap.bundle.min.js"></script>
        <script>
            var base_url = ".",
                shortcuts = {"help": 191, "next": 78, "previous": 80, "search": 83};
        </script>
        <script src="js/base.js"></script>
        <script src="search/main.js"></script>

        <div class="modal" id="mkdocs_search_modal" tabindex="-1" role="dialog" aria-labelledby="searchModalLabel" aria-hidden="true">
    <div class="modal-dialog modal-lg">
        <div class="modal-content">
            <div class="modal-header">
                <h4 class="modal-title" id="searchModalLabel">Search</h4>
                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
            </div>
            <div class="modal-body">
                <p>From here you can search these documents. Enter your search terms below.</p>
                <form>
                    <div class="form-group">
                        <input type="search" class="form-control" placeholder="Search..." id="mkdocs-search-query" title="Type search term here">
                    </div>
                </form>
                <div id="mkdocs-search-results" data-no-results-text="No results found"></div>
            </div>
            <div class="modal-footer">
            </div>
        </div>
    </div>
</div><div class="modal" id="mkdocs_keyboard_modal" tabindex="-1" role="dialog" aria-labelledby="keyboardModalLabel" aria-hidden="true">
    <div class="modal-dialog">
        <div class="modal-content">
            <div class="modal-header">
                <h4 class="modal-title" id="keyboardModalLabel">Keyboard Shortcuts</h4>
                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
            </div>
            <div class="modal-body">
              <table class="table">
                <thead>
                  <tr>
                    <th style="width: 20%;">Keys</th>
                    <th>Action</th>
                  </tr>
                </thead>
                <tbody>
                  <tr>
                    <td class="help shortcut"><kbd>?</kbd></td>
                    <td>Open this help</td>
                  </tr>
                  <tr>
                    <td class="next shortcut"><kbd>n</kbd></td>
                    <td>Next page</td>
                  </tr>
                  <tr>
                    <td class="prev shortcut"><kbd>p</kbd></td>
                    <td>Previous page</td>
                  </tr>
                  <tr>
                    <td class="search shortcut"><kbd>s</kbd></td>
                    <td>Search</td>
                  </tr>
                </tbody>
              </table>
            </div>
            <div class="modal-footer">
            </div>
        </div>
    </div>
</div>

    </body>
</html>

<!--
MkDocs version : 1.6.1
Build Date UTC : 2024-10-08 04:23:03.826864+00:00
-->