Smartcard reader access from a web browser? - javascript

Is it possible to access a smartcard reader connected to a computer from a web browser running on the same machine, i.e. from an ActionScript, JavaScript or whatsoever script running therein?
For example, I read something about the flash.external.ExternalInterface class in ActionScript. Can it be used for accessing a smartcard reader or is the Sandbox impenetrable?

Q: is it possible to access smartcard reader connected to a computer from a web browser running on the same machine?
A: Yes, it is possible. I was able to do that by using a signed JAVA applet. The java applet needs to be signed since it will require user to grant permission to access system files/hardware(same as letting an applet write/edit/delete a text file for you).
Why java? the smart card reader I used already has a JAVA API, it also have examples on accessing it using java. But the examples are coded in swing. (like a standalone desktop application) What I did is simply porting the java swing code to applet on a browser. I successfully used this applet to make a login and log out on a website/webapp by requiring smart cards, username and password. Pretty secure I would say.
The source code? As much as I would like to share it, but I'm bound on a company contract to not share the code. Just find a sample smart card access using java and just port it to applet(for web)
I hope this helps

You can also have a look at this beta native plugin:
https://github.com/ubinity/webpcsc-firebreath
It is cross-browser/cross-pltaform plugin based on firebreath framework, exposing a subset of the PCSC API.

When this proposal "Smart cards in browsers" gets implemented, we will also be able to use JavaScript for this.

I worked on doing the same circa 2012, back then, I worked on top of a previous work that provided a Java Applet.
Nowadays [December 2015], It makes even less sense to use a Java Applet due to 'recent' security problems, and following dismissal of support for Java Applets, and the native plugin technologies are also being discontinued as well.
Regardless of the current usefulness of a Java Applet, picking up on #Glen Allen's answer, I'm not bound by contract, and here is the open source code of an example Applet:
https://github.com/ist-dsi/signature
It was built upon a thesis work and it produces documents in this format: http://www.w3.org/TR/xmldsig-core/ more info on the why's can be found in the abstract of that MsC thesis https://fenix.tecnico.ulisboa.pt/downloadFile/395139415358/resumo.pdf (the author is a better engineer than thesis writer though, but it might be a good point to start if you want to know the state of the art of the thing, although is old)
There are more requirements that on hindsight and without knowing made some odd choices of technologies on the code that I give you here, just disregard that part :)
One of the answers here hinted on PKCS_11 and open standards. Maybe the trick resides in a smart card reader driver that automatically sets up the certificate infrastructure on the client side, I remember having to go through lots of hoops though to setup my ID card's smart card with a reader on Mac OS X with Chrome [AFAIK it wasn't easy to set up the smart card reader with Apple's keystore, and perhaps also not that easy back then to have Chrome configured so that it would use client authentication and requested access to Apple's keystore].
Or maybe the NFC + SmartCard and a mobile app will be the way to go.
It just is such a waste to have whole countries with IDs with SmartCards, lots of government services already with webapps, and no easy way to connect the two.
Cheers.

You can use a signed Java applet to access the reader. Signed applets are allowed to access hardware peripherials, the smartcard reader can be accessed via the Java Crypto API.
Hope this helps.

If you can access the smartcard on your file system, like when a USB drive is connected and appears as a separate disk, then you can simply use flash.net.FileReference.

You can't achieve this with ActionScript/Flash if you've to stick to the browser.
Adobe AIR could do this, but then you'd have to build an application which the user has to install prior to using it.
Something like this (AIR):
http://cookbooks.adobe.com/post_Mass_Storage_Device_Detection_AIR_2_0-16747.html

Related

How does DBSign use smart card certificates for signatures in a browser-only solution?

Recently I've encountered a product (DBSign) that claims to do smartcard signing entirely in the browser without any plugins or java.
As far as I knew this wasn't supported by major browsers / web crypto, but apparently this is working somehow (having used the app it apparently does what it says it does).
Is this now possible in 2019 with webcrypto and I'm just not aware of it? The file is heavily obfuscated and I couldn't make sense out of it.
Yablargo, I have watched video on DBSign several times. As you are saying "claims to use smartchard" but the solution does not use SmartCard. Video clearly says "this opens door to use global devices and move beyond smartcards..."
This uses Browser SSL/TLS Authentication and NIST Derived PIV Credentials
Thus the Digital Signatures issued by Certifying Authorities (CA) on smart card is not being used here, but some other mechanism.
Hope this resolves your query of "is there any mechanism to access smartcard without Browser Extension or plugin in 2019?" - To me answer seems "No".

Protecting Apps with Apache Cordova MS VS Extension on App Stores

Just have a question about apps that are uploaded on the Windows Store, Andriod Store, and Apple Store. I have never built an App before for any of the three stores, but the Multi Hybrid Extension for Visual Studio seems to be a great start to cover all three Platforms.
How do I protect my code for apps that are uploaded to the three stores? The core development for the Apache Cordova extension is done in HTML5 and Javascript. On a regular HTML / Javascript website, the end user can simply right click and View Source of the page and see all the code I've written.
My question is, how is this protected for apps that are uploaded to the app store? Will someone be able to reverse engineer my application and get the code and simply re-sell it?
Thank you all for your time
You want to, develop once, deploy many. Then, you’ll want to use HTML5 to do it.
You can use Apache Cordova directly, but you’ll want to use a service like Telerik AppBuilder, Adobe Phonegap or Intel XDK.
Regarding your question, your best bet is to use a good JavaScript source code obfuscation service to protect your sources before publishing. There is no such thing as a 100% full proof solution when it comes to JavaScript obfuscation, but professional tools such as JScrambler can take you a long way. At least JScrambler I know that it supports Mobile and HTML5, which is good because they make sure the resulting code is compliant.
There are other tools, even free ones. But be careful though, there are tons of other tools that do obfuscation, encoding/packing or minfication that seem to provide protection, but are reversed in a few minutes. So, unless you really know how to tell the difference, I recommend that you rely on a professional service.

Serial communication from JavaScript?

Is it possible to communicate over a machine's serial port through JavaScript?
I have to write a short program that sends data to a microcontroller over the serial port that has a GUI and is cross-platform compatible, and I really don't want to use Java's Swing.
JavaScript itself doesn't have any built in functionality to allow you to access the serial port. However, various JavaScript engines (v8, rhino, etc) allow you to write your own custom native objects.
You might want to check out node.js, which is a JavaScript library for v8 that's focused on writing server-side code (rather than web browser client code). It seems that someone's already written a serialport package for that:
https://github.com/voodootikigod/node-serialport
This is an old question, but in case this helps anyone else, Chrome Apps have access to a serial API - http://developer.chrome.com/apps/serial.html - which might help.
It's Chrome specific (obviously..), but Chrome is available cross-platform so might answer the question.
There's a cross platform plugin for serial port communication called jUART.
Yes, it's possible using an ActiveX(I did it). You can make an activeX and use JavaScript to invoke it.
If you prefer, you can make a .net dll and register it using regasm. Take a look at this link
You also can write an activeX using VB6 and register it. Both works fine.
Ps.: if you are using ActiveX, the JavaScript code will run just on IE.
If you have a DLL library (this includes e.g. most Windows APIs) that allows you to communicate over serial port you can invoke it from Firefox chrome code (or content code with universalxpconnect privileges) by using ctypes.
What you could do is to use a Java applet that connects to the local computer's Java application that reads the serial port. The applet would then transfer the data to a JavaScript class or something that can hold the information. Then additional JavaScript code can be used to access the data. It's a complicated solution but should work.
Another way is to create a POJO service.

Developing Windows apps with JavaScript

I'm currently in the need of developing a Windows application. I want to keep things simple (in the spirit of uTorrent) and I would like the result program to be a single .exe file containing all that it needs.
The program is simple. It just needs some UI. It needs to run for a long period of time (lay there as a tray icon). It needs to do some routine tasks like simple I/O. It also needs to access the internet, specifically some web server.
Apart from these small requirements I would like to write all of it in JavaScript, as I feel more comfortable with it than any other language.
I know there's things like Windows Script Host that let you run JavaScript programs and interact with some Win32 API, but will I be able to do everything I need with Windows Script Host? Can I pack all of the Windows Script Host in a single .exe?
If not, what alternatives do I have for JavaScript?
I found that there's actually a JavaScript compiler that comes with the .NET framework called jsc.exe.
For more information:
http://www.phpied.com/make-your-javascript-a-windows-exe/
http://msdn.microsoft.com/en-us/library/7435xtz6(VS.80).aspx
I guess it's not really JavaScript since it introduces extra things like import and even some class syntax which is weird for me. But this works perfectly for me as I will just doing things as I am used to on the web.
Aside from Windows Script Host, there are
Windows Desktop Gadgets (Vista and Windows 7 only)
HTML Applications (HTAs)
Both are written with standard web technologies, HTML, JavaScript, Flash, etc. They can also be extended with COM objects/ActiveX controls such as FileSystemObject, WMI, WScript or even ones that you write yourself. Windows Desktop Gadgets have access to a separate API/namespace with various Win32-esque properties and methods.
It seems that nobody mentioned JSDB.
JSDB offers a command line environment which you can execute arbitrary javascript code. You can easily compile to a .exe file by using the command copy /b jsdb.exe+program.zip program.exe
It's important to know that you've got to call your main js file main.js within a standard zip file. Not sure if the name program.zip is required.
I haven't actually tried making GUI applications with this yet - although it seems to support various APIs like ActiveX.
It's possible that by using the copy /b command mentioned above, you could compile a script from the wscript.exe file - but I tried and couldn't get it working. Let me know if anybody tries and has success somehow.
I think you're looking for Adobe AIR
The Adobe® AIR® 2 runtime enables developers to use HTML, JavaScript, Adobe Flash® software, and ActionScript® to build web applications that run as standalone client applications without the constraints of a browser. ~ The AIR website
Internet Explorer introduced the concept of Hypertext Applications in IE 5. It never made a big breakthrough, so resources and documentation are scarce.
Mozilla-backed competitor Prism seems to be alive and well, though, and is definitely worth a look.
Prism is an application that lets users split web applications
out of their browser and run them directly on their desktop
I believe the best way to go is V8 JavaScript Engine provided by Google.
"V8 can run standalone, or can be embedded into any C++ application." - which I believe is perfect for your needs, because you can do most of the stuff in JavaScript and use provided interfaces to communicate with the system.
I'm not 100% but I believe WSH uses JScript or WScript, not JavaScript.
Color me crazy, but its only a short step form Javascript to Java or C#. I'd suggest C# as, on a windows machine, the libraries are already there. You can just copypaste your .exe and let 'er rip.
If you want a single .EXE, what runtimes are you okay if they are required pre-requisites?
If you're okay with requiring .NET runtime to be preinstalled, then you do all your work in JScript.NET
Chromium Embedded Framework (CEF) may give you some help. i have not clearly know how, but i realy found many Apps using this framework.
http://code.google.com/p/chromiumembedded/
Introduce for CEF are:
The Chromium Embedded Framework (CEF) is an open source project founded by Marshall Greenblatt in 2008 to develop a Web browser control based on the Google Chromium project. CEF currently supports a range of programming languages and operating systems and can be easily integrated into both new and existing applications. It was designed from the ground up with both performance and ease of use in mind. The base framework includes C and C++ programming interfaces exposed via native libraries that insulate the host application from Chromium and WebKit implementation details. It provides close integration between the browser control and the host application including support for custom plugins, protocols, JavaScript objects and JavaScript extensions. The host application can optionally control resource loading, navigation, context menus, printing and more, while taking advantage of the same performance and HTML5 technologies available in the Google Chrome Web browser.
Numerous individuals and organizations contribute time and resources to support CEF development, but more involvement from the community is always welcome. This includes support for both the core CEF project and external projects that integrate CEF with additional programming languages and frameworks (see the "External Projects" section below).
Why not use Rhino -- JavaScript on the JVM? You can even compile your scripts to .class files and package them into a JAR along with Rhino for easy distribution...

Launching an application from a browser (platform and browser independent), best approach?

Please forgive a question that has been addressed in some form or fashion previously. I have numerous test applications that run on various platforms from Windows 95, Windows XP, SUSE, RedHat, and other forms of *NIX. Currently, the mechanism has a native application that queries a database for some information then launches the test application to perform the test. This said program is a "launcher application" which I am trying to convert to a "HTML/Javascript Launcher Application". In addition, this "launcher application" needs to known when the test application is completed, then collect the test result then store the results in a database.
I have read that launching an application (executable) from HTML is not permitted, but this is entirely true in the sense (if I understand correctly). From what I have read here on SO and other sites, I have the following possible solutions:
Registering a unique protocol to an test application (SO Link)
Using Java to launch the application
Adobe AIR or its opensource counter part, Titanium by Appcelerator
Using WSH, though this will only work on Windows platforms
What would be a good (or best ) approach to solution this problem? Ideally, I would like to just use HTML and Javascript, but this may not be possible? Thanks for any advice and any example/sample code would be greatly appreciated.
Mark
Hopefully many people will think, as I do, that this is a 'bad idea'™, simply because in order for it to work you must allow your browser to launch software, which would be a huge hole in security, allowing access for all sorts of nasties.
Given you are cross platform I'd suggest you stick with a dedicated laucher application, but code it in java. This is the most common solution used in the java applications world which regularly crosses os's.
You could give JNLP (java network launch protocol) a try... Really easy to distribute and deploy full fledged applications in a platform independent manner. More or less through the browser if you like...

Categories

Resources