3

I'm developing a PHP/MySQL application that stores and elaborates some data. For the next step, I need to interface a smartcard reader with a browser (Chrome, Firefox, IE) to extract the data and save it into a MySQL database.

I can't find anything useful to do it, so I'm here to get some info/help. How is it possible to do this?

Alga85

2 Answers

3

The only way that is reasonably sure is to create an Applet in Java, break out of the sandbox and try to use javax.smartcardio library. As it is in javax, it is not certain that it is present, and you might trip some additional access rules.

The Applet should be signed and the user should indicate that the Applet is trusted. Of course, a relatively new Java runtime should be installed on the computer. javax.smartcardio can by default only use PCSC smart card readers, so you must make sure that one is present. Furthermore, PCSC and javax.smartcardio do assume ISO 7816 compliant processor cards.

Earlier you could sometimes use a Java applet to install a native library to communicate with the smart card, but with the current operating systems, I would definitely not trust that this is going to work.

Prepare for a lot of work and a lot of testing.

UPDATE 2016-12-24

Applets are on their way out - the plugins that they rely on are deprecated, but not yet removed, in Java 9. Not a direct answer, but using Java Web Start could be a solution to this.


There is a lot of thinking going on with regards to cryptography in a browser, e.g. the Web Crypto API. With regards to direct smart card access it certainly seems to remain thinking rather than acting. At the time of writing access to secure tokens doesn't seem included.


A common but somewhat tricky road to take is to provide smart card plugins to browsers. This however requires browser support (for each separate browser) and admin privileges. Many browsers try to migrate away from plugin structures such as these, so this kind of solution may not be future proof.


Finally, you could use a (signed) native app and refer to it from the browser. The app could be made available in the app stores of the various operating systems.

Maarten Bodewes
  • Dear Maarten, after 3 years, is there any other solution and update for this answer? (My Target is IE9!) – Ebrahim Ghasemi Dec 23 '16 at 05:10
  • 1
    For IE9??? It's indeed 3 years after, and you're still looking for an answer for IE9? The answer is: don't perform security related operations on a browser that is unsupported. Applets aren't supported anymore either, that has changed. – Maarten Bodewes Dec 24 '16 at 13:31
  • The company I work for currently, has developed a product in-house that does not rely on browsers directly. Instead it's more similar to the last piece of Maarten Bodewes. It works on Mac, Linux and Windows all the way from Windows XP to Windows 10 Anniversary. If you are still looking for a solution I am sure they would be keen to discuss with you. Send me a private message if you are interested. – Thibaut Rey Feb 01 '17 at 08:32
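
The javax.smartcardio route named in the answer above, as an added example that is not part of the original answer: a desktop Java program (not an applet) that lists PC/SC readers, prints the card's ATR and sends an ISO 7816-4 SELECT. `SAMPLE_AID` is a constructed placeholder, and the class name `SmartCardProbe` is hypothetical.

```java
import javax.smartcardio.*;
import java.util.List;

public class SmartCardProbe {
    // Constructed placeholder AID (assumption); use your card application's real AID.
    static final byte[] SAMPLE_AID = {(byte) 0xA0, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01};

    // ISO 7816-4 SELECT by DF name: CLA=00 INS=A4 P1=04 P2=00, data=AID, Ne=256.
    static CommandAPDU selectByAid(byte[] aid) {
        return new CommandAPDU(0x00, 0xA4, 0x04, 0x00, aid, 256);
    }

    // Map the status word (SW1SW2) of a response to a readable result.
    static String describe(int sw) {
        if (sw == 0x9000) return "OK";
        if (sw == 0x6A82) return "file or application not found";
        return String.format("status %04X", sw);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) {
        List<CardTerminal> terminals;
        try {
            // The default factory talks to the platform's PC/SC stack.
            terminals = TerminalFactory.getDefault().terminals().list();
        } catch (CardException e) {
            // Seen when the PC/SC service is not running or no reader is attached.
            System.err.println("PC/SC not usable: " + e.getMessage());
            return;
        }
        if (terminals.isEmpty()) System.err.println("No PC/SC readers found");
        for (CardTerminal terminal : terminals) {
            try {
                if (!terminal.isCardPresent()) continue;
                Card card = terminal.connect("*"); // accept T=0 or T=1
                try {
                    System.out.println(terminal.getName() + " ATR " + hex(card.getATR().getBytes()));
                    ResponseAPDU r = card.getBasicChannel().transmit(selectByAid(SAMPLE_AID));
                    System.out.println("SELECT -> " + describe(r.getSW()));
                } finally {
                    card.disconnect(false); // leave the card powered, no reset
                }
            } catch (CardException e) {
                System.err.println(terminal.getName() + ": " + e.getMessage());
            }
        }
    }
}
```

Forwarding the result to the PHP/MySQL backend would be a separate step for such a helper and is not shown here.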
0

Most likely you will have to develop a native application that would be installed on demand to the browser and execute in full trust to access computer devices such as readers, or at least certificate storages or system APIs.

You will then have to provide a scripting interface to the browser, such as NPAPI or ActiveX/COM for IE, or other proprietary scripting techniques.

aiodintsov