Specification - open-eid/chrome-token-signing GitHub Wiki

Specification of the native components

• GUI
  • Linux/Qt
  • Windows/MFC
  • OSX/Cocoa
• Backends
  • PKCS#11 (OSX, Linux, Windows)
  • CNG (Windows) - Possible to use SHA224, only Minidriver's and CNG Key Storage Provider's
  • CAPI (Windows) - Most foreign drivers are CAPI modules and can also use Minidriver's
• 32bit, 64bit support
• pinpad support
• No personal information is sent to 3rd party sites without user consent
• Always shows user the certificate selection before sending a certificate to a 3rd party web site
• Maintains certificate selection binding (only user-confirmed certificate can be used for signing)
• Shows only the certificates in cert selection dialog that belong to the token(s) that is/are inserted and usable (private key exists)
• Shows only the certificates in the cert selection dialog that are valid (not expired)
• Has an extension options page to adjust the behaviour of the backend
• HTTPS access is enforced for sensitive data
• Logging (see Developer tips). PIN codes are never logged.
• Supports GUI languages as ISO 639-1 code and supports at least et, en and ru. This is available only on OSX and Linux as Windows uses CAPI/CNG with language selected by the operating system.
• Technical
  • PKCS1 padding is added by Hardware Token
  • DigestMethod OID is added by Hardware Driver (Some cases maybe by Token)
  • Windows CAPI drivers produce little endian signatures, they are converted to big endian "reverse"
• Technical (maintainability)
  • Supported by Coverity builds
  • native components are built separately from the extension
  • packaging is separate from building (signing of extension)