Architectures to access Smart Card from a generic browser? Or: How to bridge the gap from browser to PC/SC stack?

Question

What are the possible client-side architectures to access a local Smart Card from a generic browser (connected to a server through http(s)), preferably from Javascript, with the minimum installation hassle for the end user? The server needs to be able to at least issue APDUs of its choice to the card (or perhaps delegate some of that to client-side code that it generates). I am assuming availability on the client side of a working PC/SC stack, complete with Smart Card reader. That's a reasonable assumption at least on Windows since XP, modern OS X and Unixes.

I have so far identified the following options:

1. Some custom ActiveX. That's what my existing application uses (we developed it in-house), deployment is quite easy for clients with IE once they get the clearance to install the ActiveX, but it does not match the "generic browser" requirement.
   Update: ActiveX is supported mostly by the deprecated IE, including IE11; but not by Edge.
2. Some PC/SC browser extension using the Netscape Plugin API, which seems like a smooth extension of the above. The only ready-made one I located is SConnect (webarchive). It's no longer promoted (Update: thought still actively maintained and used late 2020 in at least one application), it's API documentation (webarchive) is no longer officially available, and it has strong ties to a particular Smart Card and reader vendor. The principle may be nice, but making such a plugin for every platform would be a lot of work.
   Update: NPAPI support is dropped by many browsers, including Chrome and Firefox.
3. A Java Applet, running on top of Oracle's JVM (1.)6 or better, which comes with javax.smartcardio. That's fine from a functional point of view, well documented, I can live with the few known bugs, but I'm afraid of an irresistible downwards spiral regarding acceptance of Java-as-a-browser-extension.
4. [update, Feb 2021]: This answer considered the WebUSB API as a promising solution solution in 2015, then reported in 2019 that can't work or is abandoned. I made a question about it there.

Any other idea?

Also: is there some way to prevent abuse of whatever PC/SC interface the browser has by a rogue server (e.g. presenting 3 wrong PINs to block a card, just for the nastiness of it; or making some even more evil things).

Answer 1

The fact is that browsers can't talk to (cryptographic) smart cards for other purposes than establishing SSL.

You shall need additional code, executed by the browser, to access smart cards.

There are tens of custom and proprietary plugins (using all three options you mentioned) for various purposes (signing being the most popular, I guess) built because there is no standard or universally accepted way, at least in Europe and I 'm sure elsewhere as well.

Creating, distributing and maintaining your own shall be a blast, because browsers release every month or so and every new release changes sanboxing ir UI tricks, so you may need to adjust your code quite often.

And you probably would want to have GUI capabilities, at least for asking the permission of the user to access a card or some functionality on it.

For creating a multiple-platform, multiple browser plugin, something like firebreath could be used.

Personally, I don't believe that exposing PC/SC to the web is any good. PC/SC is by nature qute a low level protocol that when exposing this, you could as well expose block level access to your disk and hope that "applications on the web are mine only and they behave well" (this should answer your "Also"). At the same time a thin shim like SConnect is the easiest to create, for providing a javscript plugin.sendAPDU()-style code (or just wrap all the PC/SC API and let the javascript caller take care of the same level of details as in native PC/SC API use case).

Creating a plugin for this purpose is usually driven by acute current deficiencies.

Addressing the future (mobile etc) is another story, where things like W3C webcrypto and OpenMobile API will probably finally somehow create something that exposes client-side key containers to web applications. If your target with smart cards is cryptography, my suggestion is to avoid PC/SC and use platform services (CryptoAPI on Windows, Keychain on OSX, PKCS#11 on Linux)

Any kind of design has requirements. This all applies if you're thinking of using keys rather than arbitrary APDU-s. If your requirement is to send arbitrary APDU-s, do create a plugin and just go with it.

Answer 2

Update (8/2016): A new API for the Web called WebUSB API is being discussed. You can already use it with Chrome v54+.

This standard will be implemented in all major browsers and will replace the need for third-party applications or extensions for Smard Cards :-)

So the new answer is YES!

And the OSI-like architecture stack is:

• PC/SC
• CCID v1.1
• WebUSB API
• USB driver, i.e. libusb.

2019 Update: As @vlp commented, it seems that it doesn't work any in Chrome because they decided to block WebUSB for smartcards for some specious reasons :-(

---

Note: Google annonced that they will abandon Chrome Apps in 2017.

Previous anwser:

Now (2015) you can create a Google Chrome App, using the chrome.usb API.

Then you access the smartcard reader via its CCID-compliant interface.

It's not cross-browser but JavaScript programmable & cross-platform.

Anyway Netscape Plugin API (NPAPI) is not supported any more by modern browsers. And Java applets are being dismissed by browser vendors.