We Keep Coding

Architectures to access Smart Card from a generic browser? Or: How to bridge the gap from browser to PC/SC stack? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 13 days ago.
The community reviewed whether to reopen this question 13 days ago and left it closed:
Original close reason(s) were not resolved
Improve this question
What are the existing client-side architectures to access a local Smart Card thru a PC/SC Smart Card reader (ISO 7816-3, ISO 14443) from a generic browser (connected to a server through http(s)), preferably from Javascript, with the minimum installation hassle for the end user? The server needs to be able to at least issue APDUs of its choice to the card (or perhaps delegate some of that to client-side code that it generates). I am assuming availability on the client side of a working PC/SC stack, complete with Smart Card reader. That's a reasonable assumption at least on Windows since XP, modern OS X and Unixes.
I have so far identified the following options:
Some custom ActiveX. That's what my existing application uses (we developed it in-house), deployment is quite easy for clients with IE once they get the clearance to install the ActiveX, but it does not match the "generic browser" requirement.
Update: ActiveX is supported mostly by the deprecated IE, including IE11; but not by Edge.
Some PC/SC browser extension using the Netscape Plugin API, which seems like a smooth extension of the above. The only ready-made one I located is SConnect (webarchive). It's no longer promoted (Update: thought still actively maintained and used late 2020 in at least one application), it's API documentation (webarchive) is no longer officially available, and it has strong ties to a particular Smart Card and reader vendor. The principle may be nice, but making such a plugin for every platform would be a lot of work.
Update: NPAPI support is dropped by many browsers, including Chrome and Firefox.
A Java Applet, running on top of Oracle's JVM (1.)6 or better, which comes with javax.smartcardio. That's fine from a functional point of view, well documented, I can live with the few known bugs, but I'm afraid of an irresistible downwards spiral regarding acceptance of Java-as-a-browser-extension.
[update, Feb 2021]: This answer considered the WebUSB API as a promising solution solution in 2015, then reported in 2019 that can't work or is abandoned. I made a question about it there.
Any other idea?
Also: is there some way to prevent abuse of whatever PC/SC interface the browser has by a rogue server (e.g. presenting 3 wrong PINs to block a card, just for the nastiness of it; or making some even more evil things).

The fact is that browsers can't talk to (cryptographic) smart cards for other purposes than establishing SSL.
You shall need additional code, executed by the browser, to access smart cards.
There are tens of custom and proprietary plugins (using all three options you mentioned) for various purposes (signing being the most popular, I guess) built because there is no standard or universally accepted way, at least in Europe and I 'm sure elsewhere as well.
Creating, distributing and maintaining your own shall be a blast, because browsers release every month or so and every new release changes sanboxing ir UI tricks, so you may need to adjust your code quite often.
And you probably would want to have GUI capabilities, at least for asking the permission of the user to access a card or some functionality on it.
For creating a multiple-platform, multiple browser plugin, something like firebreath could be used.
Personally, I don't believe that exposing PC/SC to the web is any good. PC/SC is by nature qute a low level protocol that when exposing this, you could as well expose block level access to your disk and hope that "applications on the web are mine only and they behave well" (this should answer your "Also"). At the same time a thin shim like SConnect is the easiest to create, for providing a javscript plugin.sendAPDU()-style code (or just wrap all the PC/SC API and let the javascript caller take care of the same level of details as in native PC/SC API use case).
Creating a plugin for this purpose is usually driven by acute current deficiencies.
Addressing the future (mobile etc) is another story, where things like W3C webcrypto and OpenMobile API will probably finally somehow create something that exposes client-side key containers to web applications. If your target with smart cards is cryptography, my suggestion is to avoid PC/SC and use platform services (CryptoAPI on Windows, Keychain on OSX, PKCS#11 on Linux)
Any kind of design has requirements. This all applies if you're thinking of using keys rather than arbitrary APDU-s. If your requirement is to send arbitrary APDU-s, do create a plugin and just go with it.

Update (8/2016): A new API for the Web called WebUSB API is being discussed. You can already use it with Chrome v54+.
This standard will be implemented in all major browsers and will replace the need for third-party applications or extensions for Smard Cards :-)
So the new answer is YES!
And the OSI-like architecture stack is:
PC/SC
CCID v1.1
WebUSB API
USB driver, i.e. libusb.
2019 Update: As #vlp commented, it seems that it doesn't work any in Chrome because they decided to block WebUSB for smartcards for some specious reasons :-(
Note: Google annonced that they will abandon Chrome Apps in 2017.
Previous anwser:
Now (2015) you can create a Google Chrome App, using the chrome.usb API.
Then you access the smartcard reader via its CCID-compliant interface.
It's not cross-browser but JavaScript programmable & cross-platform.
Anyway Netscape Plugin API (NPAPI) is not supported any more by modern browsers. And Java applets are being dismissed by browser vendors.

I have just released a beta plugin addressing this problem.
This beta code is available here:
https://github.com/ubinity/webpcsc-firebreath
This plugin is based on the firebreath framework and has been beta-tested with Fireofx and Chrome under Linux/WinXP/Win7. Source code and extension pack are provided.
The basic idea is to provide a PCSLite API access and then develop a more friendly JS-api on top of this.
This plugin is under active development, so feel free to send any report and request.

For your first question I have little hope: either you are satisied with a very small subset of smart card functionality (like signing e-Mail or PDFs), then you may use some ready-made software (like PKCS), ideally maintained by the smart card company, or you want broader functionality and need to invest considerable effort on your own. Surely PCSC is the starting point to choose.
At least for your "also:" there is some hope.
1) Note, that some specifications (e.g. ICAO/German BSI TR-3110) request a method, where a PIN is not blocked, but uses a substantial amount of time as soon as the error counter hits 1 before replying. The final attempt must be enabled using a different command, otherwise no further comparison and error counter adjustment is done.
2) Simply protect the Verify command by requiring secure messaging. Sensitive applications use secure messaging for everything, so first step a session key is negtiated, which is second applied to all succeeding commands and responses. The effect would be, that the command is rejected due to incorrect MACs long before a comparison or modification of error counter is done.

There is another browser plugin similar to the one proposed by #cslashm available at http://github.com/cardid/WebCard. Is also open source and can be installed with "minimum installation hassle" as required in the original question. You can see an example of use visiting http://plugin.cardid.org
WebCard has been tested in IE 8 through 11, Chrome and Firefox in Windows and in Chrome and Safari in Mac OS X. Since is just a wrapper for PC/SC it requires in Mac OS X the installation of SmartCard Services from http://smartcardservices.macosforge.com

As chrome and firefox going to stop the support of NPAPI Plugin, there is no secure solution available to maintain the session for the smart card reading instead your certificate of the card have support for mutual ssl ,I answered for the similar question source,It might help

Its dirty, but if its acceptable / viable to install a bridge daemon/service on the client machine, then you can write a local bridge service (e.g. in python / pyscard) that exposes the smartcard via a REST interface, then have javascript in the browser that mediates between that local service (facade) and the remote server API.

Web Serial API (draft) can be used to communicate with a serial smart card reader from some browsers.
Buyer beware: This API is a draft and may be changed/abandoned at any time.

Speaking about Chrome, you can now use the Smart Card Connector app provided by Google which bundles the PC/SC-Lite port and the generic CCID driver.
The app itself works through the chrome.usb API, that was mentioned by the previous commenters.
So, instead of rewriting the whole stack (starting from the lowest level - raw USB), it's now possible for developers to code only the part that works on top of PC/SC API - which is exposed by the Connector app.

Clients,clients,clients...plugins,..JSApis..
Well..
For certain we know this : All browsers, when communicating to an Apache or IIS servers, are actually signing "something" when a https/SSL handshake process is needed.
For instance, a typical Apache configuration like this:
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData +OptRenegotiate
Initiates a PIN pad pop up and the user must insert the smartcard pin to go on.
Well, my idea is : why not make the turn to the server, and tweak that behaviour, in order to upload a bytestream of stuff to sign something when a handshake is initiaded?

I have a setup where a smartcard reader is scanned to login a user. The PC/SC library work great on desktop. Somebody had mentioned to use
Emscripten (https://github.com/kripken/emscripten) compiler which compiles c++ into JavaScript code. But that didn't work well because some of the functions being used by PC/SC are only available server side.
After much research. I finally gave up on a client side solution, chrome web usb API also couldn't recognize the reader.
I then decided to give signalR a try and set up a hub on the PC connected to the smartcard reader and this approach worked out very well.

How does the Windows Phone 8 company app store work? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
The official windows phone website doesn't really describe in detail how exactly the company hub system works.
http://www.windowsphone.com/en-US/business/custom-hub
http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj206943(v=vs.105).aspx
I have a few questions, and I hope someone who has deployed an internal app store can answer them.
First of all, who provides the backend infrastructure? is the app store self hosted, or is it hosted my Microsoft? If it is self hosted, what kind of backend infrastructure is needed? If Microsoft handles the backend, what kind of fees are involved?
Do individual applications still have to be checked and verified for performance/content by Microsoft? Or is anything ok?
Thanks!

Company-Hub is not actually an AppStore, but a simple app that allows for the side-loading of internal enterprise apps. The workflow for this is as follows (in over simplified terms:
Generate a company code signing certificate as per the requirements on MSDN, and convert to an application enrolment token using the tools supplied.
Installed the enrolment token (AET) on the devices you wish to distribute on (you can e-mail/download this and simply open the file).
Create your company hub app, and sign it with the certificate you purchased.
Distribute the app's XAP file in a similar fashion (internet/email/MDM provider).
Now you have the capability of installing enterprise apps on to your phone, you need a mechanism to inform the end user they exist. You do this via any means you feel comfortable with, such as publishing an RSS/OData feed that you consume within your company hub. Once you have your lists of apps displayed you can use some of the new Windows Phone 8 APIs to detect if apps are already installed. You can install apps simply by downloading the XAP from your own server and allowing the OS to handle the XAP file natively.
The process has been designed with device management (MDM) providers in-mind, so that when you join your device to an MDM provider it will automatically install the AET and company hub XAP. However you don't need to rely on using an MDM so using e-mail or URLs to download the files work equally well.

Server side application for embedded devices [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I'd like some advice as to the best server-side code that can handle real time data from devices and make decisions based on inputs. A simple example: Suppose I have a web-enabled thermometer, running a light TCP/IP client stack. When the temperature gets to 30 degrees, I want the device to contact the server, and then I want the server to send me an email. I also want the server to be able to send a command to turn on a heater.
The issue at hand here is the ability to start a TCP message from the server, and get through an assortment of arbitrary firewalls and routers, all the way down to the client device. I know that there are 'workarounds' like polling the server for updates, or 'long polling' where I call up to the server, and keep a connection open in case it has something to send. The problem here is bandwidth. Messages are rare, but important, so the headers and handshaking make up 98% of the traffic.
I've been reading up on WebSockets, and it seems like they are exactly what I need, especially when paired with HTML5.
Does anyone know of a ready-to-go server software package that could run on a cloud server, and push data down to my devices using some standardized methods? I really don't want to reinvent the wheel here, and I can't believe I'm the first to try this. I see a few folks doing it with their own proprietary solutions, but I'm more interested in buying a one-stop package.

WebSocket is a valid choice for connecting embedded devices to backend infrastructure due to it's low overhead, low latency and compatibility with Web and general network infrastructure. There is a broad range of server implementations available, i.e. Jetty, node.js based etc.
As an example, here is a demo connecting an Arduino device to a WebSocket server and a browser client showing real-time data in a chart:
https://github.com/tavendo/AutobahnPython/tree/master/examples/wamp/serial2ws
http://www.youtube.com/watch?v=va7j86thW5M
The technology used there, AutobahnPython, is a Python/Twisted based WebSocket implementation that
provides server and client implementation
directly runs on embedded devices like RasperryPi
makes it easy to access sensors connected via serial or CANbus (since Twisted supports that very well)
provides RPC and PubSub messsaging patterns on top of WebSocket
The tech is open-source, so you can roll your own solution. If you look for help/services to get it done for you, contact me;) We also provide Tavendo WebMQ, a virtual appliance (VMware, EC2) which adds features, management UI etc and also includes a REST API to push data to WebSocket clients.
Disclaimer: I am author of Autobahn and work for Tavendo.

How can I sell my Google Chrome extension? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I have developed an extension for Google Chrome, but if I host the app on the Chrome Web Store there are no options to monetize the extension. This, to me, is a complete missed segment of the market, as I am sure developers would love to come up with creative applications and generate revenue for them!
I can't seem to find any alternative site/marketplace that would allow me to sell this extension though. I know that Firefox is building an app store to compete with Google and other HTML5 based app stores, but that doesn't help me too much either.
Is there any way I can.
Host my extension on either my own server or another app marketplace?
Provide some type of payment gateway with licensing that prevents users from downloading
a copy of the .crx and illegally distributing it?
I have a great little app that I don't want to give it away for free. Any Ideas?

Google says that the ability to sell extensions is "coming soon". Untill then, you can always self-host or turn your extension into a packaged app (see Google's notes for selling packaged apps, which are fundamentally identical to extesnions, but add an icon to the home screen.)
EDIT
"New" packaged apps (since the advent of manifest_version: 2) are quite different from extensions and have access to a completely separate set of APIs. Extensions are meant for browser interaction (manipulating tabs, cookies, history, etc.), whereas apps are meant to be closer to standalone programs.

As far as I know, there is no alternative marketplace for paid extensions.
Anyway, you can always host the extension on your own server:
http://code.google.com/chrome/extensions/hosting.html

I appreciate the help from everyone. I think there would be a market for paid extensions. Mozilla is making a market for HTML5 apps, Facebook is rolling out a Market for HTML5 apps, but nothing is up and running for Extensions or Add-Ons.
Most Extensions, like mine, provide a time saver and efficiency-play on the users experience with the web.
Efficiency is something that can always, and should always be monetized. Part of the reason there are so many minimalistic chrome and firefox extensions is because there is no incentive for developers to build comprehensive solutions that are free.
Is there any way that if I do Host my own Extension, which I am more than capable of doing so, that I could put something in place that would prevent users from openly sharing my extension? Maybe keep the extension "unpackaged" so people couldn't just email each other the crx file and openly share it?
Another option I was thinking about would include A log-on screen where a user would have to sign up with an account and then would be given access after they paid for the plugin online. Is there any wayto incorporate that Log-On information into the plugin?
Thoughts?

What kinds of web apps might I want to build with the HTML5 Web Messaging spec? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
The HTML5 family of specs has several new communication capabilities, including XmlHttpRequest Level 2, Web Sockets, and Server-Sent Events. I can easily think of examples of web apps that I might like to build with these specs.
Edit: Here's some examples:
XHR2: search client, web mail, file uploader
Web Sockets: FPS, online games, chat client, NRT traffic or weather reports
SSE: Stock ticker, news feed, FB wall
But when it comes to the HTML5 Web Messaging spec, I can't think of any. So what kinds of web apps might I want to build with it? TIA.
http://www.w3.org/TR/webmessaging/

I use it to communicate between tabs. For example, when capturing an electronic signature, we open the document to be signed in a new tab. When they submit the signature, I message the main tab to let it know that the signature has been submitted. This allows me to take further actions on the main tab without having to do some convoluted server-side check via polling.

It's intended for cross-domain messaging. One big example would be Facebook apps, which currently have to communicate with Facebook via a convoluted manner as they live on a separate domain in an iframe.

I think all these technologies enable a more responsive web design. It's just like the AJAX transition: Before the transition, users expect to see the whole page refresh; After the transition, users understand the page can be updated partially.
When the new transition is finished, users will realize that content on the page could be real-time data. That means a user is not only interacting with a website (and then wait for other users to interact with the same website). He or she could be interacting with other users because it's real-time interaction over the website.
Cross-domain support will make this more widely adopted. Because not everybody will set up their own responsive web server and real-time web application, cross-domain support will allow those not-so-dynamic websites to integrate new features from 3rd-parties.

I recently found a good use case for Web Messaging. Many web apps are starting to authenticate using Facebook, so they open another tab with a Facebook login and communicate with the its contents.
Got a better use case? If so, I'll unselect my answer.