Architectures to access Smart Card from a generic browser? Or: How to bridge the gap from browser to PC/SC stack?

前端 未结 10 2182
梦谈多话
梦谈多话 2020-11-28 02:54

What are the possible client-side architectures to access a local Smart Card from a generic browser (connected to a server through http(s)), preferably from Javascript, with

相关标签:
10条回答
  • 2020-11-28 03:27

    The fact is that browsers can't talk to (cryptographic) smart cards for other purposes than establishing SSL.

    You shall need additional code, executed by the browser, to access smart cards.

    There are tens of custom and proprietary plugins (using all three options you mentioned) for various purposes (signing being the most popular, I guess) built because there is no standard or universally accepted way, at least in Europe and I 'm sure elsewhere as well.

    Creating, distributing and maintaining your own shall be a blast, because browsers release every month or so and every new release changes sanboxing ir UI tricks, so you may need to adjust your code quite often.

    And you probably would want to have GUI capabilities, at least for asking the permission of the user to access a card or some functionality on it.

    For creating a multiple-platform, multiple browser plugin, something like firebreath could be used.

    Personally, I don't believe that exposing PC/SC to the web is any good. PC/SC is by nature qute a low level protocol that when exposing this, you could as well expose block level access to your disk and hope that "applications on the web are mine only and they behave well" (this should answer your "Also"). At the same time a thin shim like SConnect is the easiest to create, for providing a javscript plugin.sendAPDU()-style code (or just wrap all the PC/SC API and let the javascript caller take care of the same level of details as in native PC/SC API use case).

    Creating a plugin for this purpose is usually driven by acute current deficiencies.

    Addressing the future (mobile etc) is another story, where things like W3C webcrypto and OpenMobile API will probably finally somehow create something that exposes client-side key containers to web applications. If your target with smart cards is cryptography, my suggestion is to avoid PC/SC and use platform services (CryptoAPI on Windows, Keychain on OSX, PKCS#11 on Linux)

    Any kind of design has requirements. This all applies if you're thinking of using keys rather than arbitrary APDU-s. If your requirement is to send arbitrary APDU-s, do create a plugin and just go with it.

    0 讨论(0)
  • 2020-11-28 03:27

    There is another browser plugin similar to the one proposed by @cslashm available at http://github.com/cardid/WebCard. Is also open source and can be installed with "minimum installation hassle" as required in the original question. You can see an example of use visiting http://plugin.cardid.org

    WebCard has been tested in IE 8 through 11, Chrome and Firefox in Windows and in Chrome and Safari in Mac OS X. Since is just a wrapper for PC/SC it requires in Mac OS X the installation of SmartCard Services from http://smartcardservices.macosforge.com

    0 讨论(0)
  • 2020-11-28 03:28

    Its dirty, but if its acceptable / viable to install a bridge daemon/service on the client machine, then you can write a local bridge service (e.g. in python / pyscard) that exposes the smartcard via a REST interface, then have javascript in the browser that mediates between that local service (facade) and the remote server API.

    0 讨论(0)
  • 2020-11-28 03:30

    For your first question I have little hope: either you are satisied with a very small subset of smart card functionality (like signing e-Mail or PDFs), then you may use some ready-made software (like PKCS), ideally maintained by the smart card company, or you want broader functionality and need to invest considerable effort on your own. Surely PCSC is the starting point to choose.

    At least for your "also:" there is some hope.

    1) Note, that some specifications (e.g. ICAO/German BSI TR-3110) request a method, where a PIN is not blocked, but uses a substantial amount of time as soon as the error counter hits 1 before replying. The final attempt must be enabled using a different command, otherwise no further comparison and error counter adjustment is done.

    2) Simply protect the Verify command by requiring secure messaging. Sensitive applications use secure messaging for everything, so first step a session key is negtiated, which is second applied to all succeeding commands and responses. The effect would be, that the command is rejected due to incorrect MACs long before a comparison or modification of error counter is done.

    0 讨论(0)
  • As chrome and firefox going to stop the support of NPAPI Plugin, there is no secure solution available to maintain the session for the smart card reading instead your certificate of the card have support for mutual ssl ,I answered for the similar question source,It might help

    0 讨论(0)
  • 2020-11-28 03:35

    Clients,clients,clients...plugins,..JSApis.. Well.. For certain we know this : All browsers, when communicating to an Apache or IIS servers, are actually signing "something" when a https/SSL handshake process is needed.

    For instance, a typical Apache configuration like this:

    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData +OptRenegotiate
    

    Initiates a PIN pad pop up and the user must insert the smartcard pin to go on.

    Well, my idea is : why not make the turn to the server, and tweak that behaviour, in order to upload a bytestream of stuff to sign something when a handshake is initiaded?

    0 讨论(0)
提交回复
热议问题