25
votes

Is it possible to access a smartcard reader connected to a computer from a web browser running on the same machine, i.e. from ActionScript, JavaScript or whatever other script is running therein?

For example, I read something about the flash.external.ExternalInterface class in ActionScript. Can it be used for accessing a smartcard reader or is the Sandbox impenetrable?

7 Answers

9
votes

Q: Is it possible to access a smartcard reader connected to a computer from a web browser running on the same machine?

A: Yes, it is possible. I was able to do that by using a signed Java applet. The Java applet needs to be signed since it will require the user to grant permission to access system files/hardware (same as letting an applet write/edit/delete a text file for you).

Why Java? The smart card reader I used already has a Java API, and it also has examples of accessing it using Java. But the examples are coded in Swing (like a standalone desktop application). What I did was simply port the Java Swing code to an applet in a browser. I successfully used this applet to log in and log out on a website/webapp by requiring smart cards, username and password. Pretty secure, I would say.

The source code? As much as I would like to share it, I'm bound by a company contract not to share the code. Just find a sample of smart card access using Java and port it to an applet (for web).

I hope this helps

5
votes

You can also have a look at this beta native plugin:

https://github.com/ubinity/webpcsc-firebreath

It is a cross-browser/cross-platform plugin based on the FireBreath framework, exposing a subset of the PCSC API.

4
votes

When this proposal "Smart cards in browsers" gets implemented, we will also be able to use JavaScript for this.

4
votes

I worked on doing the same circa 2012; back then, I worked on top of previous work that provided a Java Applet.

Nowadays [December 2015], it makes even less sense to use a Java Applet due to 'recent' security problems and the following dismissal of support for Java Applets, and the native plugin technologies are being discontinued as well.

Regardless of the current usefulness of a Java Applet, picking up on @Glen Allen's answer, I'm not bound by contract, and here is the open source code of an example Applet: https://github.com/ist-dsi/signature

It was built upon a thesis work and it produces documents in this format: http://www.w3.org/TR/xmldsig-core/. More info on the whys can be found in the abstract of that MSc thesis: https://fenix.tecnico.ulisboa.pt/downloadFile/395139415358/resumo.pdf (the author is a better engineer than thesis writer though, but it might be a good point to start if you want to know the state of the art of the thing, although it is old).

There were more requirements that, in hindsight and without knowing, made for some odd choices of technologies in the code that I give you here; just disregard that part :)

One of the answers here hinted at PKCS #11 and open standards. Maybe the trick resides in a smart card reader driver that automatically sets up the certificate infrastructure on the client side. I remember having to go through lots of hoops though to set up my ID card's smart card with a reader on Mac OS X with Chrome [AFAIK it wasn't easy to set up the smart card reader with Apple's keystore, and perhaps also not that easy back then to have Chrome configured so that it would use client authentication and request access to Apple's keystore].

Or maybe the NFC + SmartCard and a mobile app will be the way to go.

It just is such a waste to have whole countries with IDs with SmartCards, lots of government services already with webapps, and no easy way to connect the two.

Cheers.

2
votes

You can use a signed Java applet to access the reader. Signed applets are allowed to access hardware peripherals; the smartcard reader can be accessed via the Java Crypto API.

Hope this helps.
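Added example, not part of any answer on this page and not any poster's code: a minimal reader probe written against the standard javax.smartcardio package (an assumption; the answers do not name the exact API they used). A signed applet granted permission by the user would make the same calls; the class name ReaderProbe and the SELECT 3F00 command are illustrative choices.

```java
import java.util.List;
import javax.smartcardio.Card;
import javax.smartcardio.CardChannel;
import javax.smartcardio.CardException;
import javax.smartcardio.CardTerminal;
import javax.smartcardio.CommandAPDU;
import javax.smartcardio.ResponseAPDU;
import javax.smartcardio.TerminalFactory;

// Hypothetical class name; enumerates PC/SC readers and probes any inserted card.
public class ReaderProbe {
    public static void main(String[] args) {
        try {
            // Throws CardException on some platforms when no reader or PC/SC service exists.
            List<CardTerminal> terminals = TerminalFactory.getDefault().terminals().list();
            for (CardTerminal terminal : terminals) {
                System.out.println("Reader: " + terminal.getName());
                if (!terminal.isCardPresent()) {
                    System.out.println("  no card inserted");
                    continue;
                }
                Card card = terminal.connect("*"); // "*" = any protocol (T=0 or T=1)
                try {
                    System.out.println("  ATR: " + hex(card.getATR().getBytes()));
                    CardChannel channel = card.getBasicChannel();
                    // ISO 7816-4 SELECT of the master file 3F00; cards without an MF
                    // answer with an error status word, which is still a valid reply.
                    ResponseAPDU resp = channel.transmit(
                            new CommandAPDU(0x00, 0xA4, 0x00, 0x00, new byte[] {0x3F, 0x00}));
                    System.out.printf("  SELECT MF status word: %04X%n", resp.getSW());
                } finally {
                    card.disconnect(false); // release the card without resetting it
                }
            }
        } catch (CardException e) {
            System.err.println("Smart card access failed: " + e.getMessage());
        }
    }

    // Render bytes as upper-case hex for display.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X", b & 0xFF));
        }
        return sb.toString();
    }
}
```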

0
votes

If you can access the smartcard on your file system, like when a USB drive is connected and appears as a separate disk, then you can simply use flash.net.FileReference.

0
votes

You can't achieve this with ActionScript/Flash if you have to stick to the browser.

Adobe AIR could do this, but then you'd have to build an application which the user has to install prior to using it.

Something like this (AIR): http://cookbooks.adobe.com/post_Mass_Storage_Device_Detection_AIR_2_0-16747.html