On 03/08/2011 09:32, helpcrypto helpcrypto wrote:

> Do you code in assembly for your web pages? PCSC should be used only
> if your smartcard doesn't have a higher level of abstraction possible
> (like opensc)
I'd even prefer higher APIs, since doing security really well is hard.

>> I usually do C, but this time I need a java applet for: 1) a
>> web-based password manager I have to write for the office
> If you explain more, I can tell you my opinion about what you could
> need/do
I need to implement a multiuser web password manager that allows users
to group-share passwords (so Linux sysadmins don't have access to
Windows passwords -- yes, I know AD, it's just an example).
The server NEVER knows plaintext passwords, so even if it gets hacked no
sensitive information is disclosed.
Passwords must not be displayed, they just get copied to the clipboard (so
I can access the firewall password even if I'm in a lab with a dozen users
looking over my shoulder).

>> 2) safely and strongly authenticate users to a plain HTTP page
>> (very shared-hosting friendly!) -- I can already authenticate users
>> w/ a smartcard (on https), but it needs Firefox to load its PKCS11,
>> which "locks" the card so that no other process can use it.
> Must be a problem with your code. Actually, our card is used by
> firefox+thunder+ie+local apps at the same time.
Known bug in FF, IIUC. When you insert the card (or load opensc-pkcs11)
it calls C_Login on every slot even if you're not accessing certs. So:
1) it asks for EVERY PIN (even signature ones)
2) while opensc-pkcs11 is loaded in FF, neither Thunderbird nor any other
PKCS11 'client' "sees" the card
Anyway, auth using the 'internal' method is possible only on https sites
(unavailable on shared-hosting plans, and it's now giving me headaches
since I need to use SNI, which is not supported by IE on XP).

> You can observe what others do:
Always useful.
> The Spanish tax ministry doesn't use applets (it uses native components),
> which doesn't require the user to have Java.
But, IIUC, that restricts use to only "supported" browsers/platforms -- I
have labs w/ Linux machines, workstations w/ Windows XP (some w/ only
IE, some w/ FF), quite a lot of Macs... The "minimum common denominator"
can be Java w/ a minimum of must-have native libs (like pcsc-lite and
ccid), though it would be even better if those weren't needed.

> https://www.agenciatributaria.gob.es/AEAT.sede/Inicio/Inicio.shtml
> Spanish ecofirma (also from gov) uses an applet that downloads a
> jnlp that installs everything needed on your computer
> http://oficinavirtual.mityc.es/javawebstart/soc_info/ecofirma/index.html
This assumes that the user:
- can install software
- usually uses only one machine

> In our company, we use smartcards for client/user authentication
> using certificates, and also mail signing and document signing. For
> web applications we use a signed applet. This applet is done using
> Oracle/Sun JCE (java 1.6). It seems that the Sun >= 1.6 JRE was the only
> one which had cryptography some time ago. Maybe this has changed and now
> OpenJDK includes it. You should ask on java lists (and update me with
> the news, PLEASE!).
I'm using the Sun JVM too, since the professors' digital signing applet
needs it as well.

> The applet side is made by another person, but I'm the developer of
> the pkcs11 library that runs on OSX, Win and Linux. It's not made
> using opensc because it's legacy code that was re-coded just a few
> months ago, and because our card isn't PKCS#15, nor really
> cryptographic (at least it's PCSC!).
Well, I'm using Aventra cards, so they're both PKCS15 and cryptographic :)
I thought you can't have a "legally strong" signature unless you're using a
crypto card (at least here in Italy).

> Anyhow, in a recent discussion on a mozilla bug
> (https://bugzilla.mozilla.org/show_bug.cgi?id=654939), I was sadly
> surprised to read things like: "If Java is trying to load Firefox's
> NSS libraries, it deserves to not work." "Having external apps
> digging through the Mozilla cert store is not recommended or
> supported in any case." "This is not something that we intend to
> support or fix. No, writing enterprise apps which poke into the
> Firefox certificate store is not a desired use-case, especially while
> the app is running." "I know that JSS is used for server applications
> written in Java. I was not even aware that it's possible to use JSS
> inside browser applets." ... (and many more)
Sometimes I can't understand them... Like the support for DNS
extensions (commonly used by VoIP, Jabber, Active Directory...) to tell
on which port https is listening... IIRC a patch has been available for
about 10 years but never got adopted!
> So, in other words... although Java has examples, docs and code to
> explain how to use JSS (Java to NSS) and it's working perfectly, this
> seems to be a bad thing for mozilla's people. I still have to discuss
> it at https://lists.mozilla.org/listinfo/dev-platform On IE, you should
> code a CSP/CNG to access the smartcard and on Safari, you could use
> opensc or a tokend. Chrome depends on the system.
That's why I was trying to use SunPKCS11 -- it should work on any
browser and requires very few dependencies.

> In your position I would:
> - Check smartcard features to see if it's
> opensc compatible
It is. And I already hit some of the limits in actual code, as you can
see looking at some old messages...
> - Implement your card in opensc or do your own
> pkcs#11/csp/tokend (watch out for Lion 10.7 smartcard services!) if
> needed. This involves PCSC.
As I said, I'm using Aventra cards, which are really well supported (Toni
reads this ML :) and is quite active).
> - Use SunPKCS11, or JSS if you want to
> rely on "dangerous and evil undocumented behaviour"
If only SunPKCS11 were more versatile... Maybe the simplest thing is
to get its source and hack it, so that it:
- supports plain on-card keypairs
- only asks for the PIN when needed
- handles multiple slots
- handles certs "outside a slot" (that is: ones that are not PIN protected)

> Anything you need, don't hesitate to contact me.
Thanks.

BYtE,
 Diego.
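An added example (not code from this thread) of the vault model Diego describes for the password manager: each group has an AES key, that key is wrapped with every member's RSA public key, and entries are encrypted on the client, so the server record holds only wrapped keys and ciphertext. The RSA keypairs below are generated in software for the demo; in the intended design the private halves would stay on the users' smartcards and the unwrap would run there via SunPKCS11.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Added example, not code from the thread: a group-shared vault where the
// server stores only wrapped group keys and encrypted entries.
public class GroupVault {

    // Everything the server keeps for one group: no private keys, no group
    // key in the clear, no plaintext passwords.
    static class GroupRecord {
        final Map<String, byte[]> wrappedKeyByUser = new HashMap<String, byte[]>();
        final Map<String, byte[]> sealedEntries = new HashMap<String, byte[]>();
    }

    static SecretKey newGroupKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // Wrap the group key with one member's RSA public key (RSA-OAEP).
    static byte[] wrapForUser(SecretKey groupKey, PublicKey userPub) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        c.init(Cipher.WRAP_MODE, userPub);
        return c.wrap(groupKey);
    }

    // Client side: recover the group key with the member's private key.
    // With SunPKCS11 this PrivateKey would be a card handle and the unwrap
    // would run on-card; here it is a software key for the demo.
    static SecretKey unwrapForUser(byte[] wrapped, PrivateKey userPriv) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
        c.init(Cipher.UNWRAP_MODE, userPriv);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    // Client side: encrypt one entry as iv || AES-CBC ciphertext before upload.
    static byte[] sealEntry(SecretKey groupKey, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, groupKey, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] openEntry(SecretKey groupKey, byte[] sealed) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, groupKey, new IvParameterSpec(sealed, 0, 16));
        return c.doFinal(sealed, 16, sealed.length - 16);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo identities; in the real design the private halves
        // stay on each user's smartcard.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair linuxAdmin = kpg.generateKeyPair();
        KeyPair windowsAdmin = kpg.generateKeyPair();

        // Group "linux" is created on a client; only wrapped keys and
        // ciphertext are uploaded to the server record.
        SecretKey linuxKey = newGroupKey();
        GroupRecord linux = new GroupRecord();
        linux.wrappedKeyByUser.put("linuxadmin", wrapForUser(linuxKey, linuxAdmin.getPublic()));
        linux.sealedEntries.put("firewall", sealEntry(linuxKey, "s3cret".getBytes("UTF-8")));

        // A member fetches the record and decrypts locally.
        SecretKey recovered = unwrapForUser(linux.wrappedKeyByUser.get("linuxadmin"), linuxAdmin.getPrivate());
        String pw = new String(openEntry(recovered, linux.sealedEntries.get("firewall")), "UTF-8");
        System.out.println("linuxadmin reads: " + pw);

        // The Windows admin (windowsAdmin keypair) has no wrapped copy, so the
        // server-side record gives them nothing to decrypt with.
        System.out.println("windowsadmin has key? " + linux.wrappedKeyByUser.containsKey("windowsadmin"));
    }
}
```

AES-CBC on its own is unauthenticated: a server that has been tampered with could alter ciphertext without detection, so a real implementation should add an HMAC over iv || ciphertext (encrypt-then-MAC, with a MAC key derived from the group key), since the Java 6 SunJCE discussed in the thread has no AES-GCM. Revoking a member means generating a fresh group key, re-wrapping it for the remaining members and re-encrypting the entries.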
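As an added example (not code from this thread or from OpenSC) for the SunPKCS11 limits Diego lists, in particular multiple slots and PIN prompts: SunPKCS11 binds one provider instance to one slot, so loading the opensc-pkcs11 module once per slot with `slotListIndex` gives one KeyStore per slot, and C_Login only happens when `KeyStore.load` is called with a PIN for that slot. The module path and the command-line arguments are assumptions for the demo; the applet would need to be signed to load a native module, and `sun.security.pkcs11.SunPKCS11` is the Java 6 internal class rather than a public API.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

// Added example, not code from the thread: one SunPKCS11 provider per slot of
// the opensc-pkcs11 module, so a slot's PIN is only entered when that slot is
// actually opened.
public class OpenScSlots {
    // Assumed module path; the library name differs on Windows and OSX.
    static final String MODULE = "/usr/lib/opensc-pkcs11.so";

    // slotListIndex picks the n-th slot in the module's slot list
    // ("slot = <id>" would pick by slot id instead). The provider name must
    // be unique per instance.
    static Provider providerForSlot(int slotListIndex) throws Exception {
        String config =
            "name = OpenSC" + slotListIndex + "\n" +
            "library = " + MODULE + "\n" +
            "slotListIndex = " + slotListIndex + "\n";
        return new sun.security.pkcs11.SunPKCS11(
            new ByteArrayInputStream(config.getBytes("UTF-8")));
    }

    // KeyStore.load with a PIN is where C_Login happens for this slot only;
    // other slots of the same module stay untouched.
    static KeyStore openSlot(int slotListIndex, char[] pin) throws Exception {
        Provider p = providerForSlot(slotListIndex);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    // Show what the slot exposes: alias, whether a private key is present,
    // and the certificate subject when there is one.
    static void dumpSlot(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            boolean hasKey = ks.isKeyEntry(alias);
            Certificate cert = ks.getCertificate(alias);
            String subject = (cert instanceof X509Certificate)
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : "(no cert)";
            System.out.println("  " + alias + " key=" + hasKey + " " + subject);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: <slotListIndex> <PIN>, e.g. "0 1234"
        int slot = Integer.parseInt(args[0]);
        char[] pin = args[1].toCharArray();
        try {
            KeyStore ks = openSlot(slot, pin);
            System.out.println("slot index " + slot + ":");
            dumpSlot(ks);
        } finally {
            // Don't leave the PIN lying around in the heap longer than needed.
            Arrays.fill(pin, '\0');
        }
    }
}
```

Running this for index 0 and then index 1 prompts for each PIN separately, which is the behaviour Diego wants instead of Firefox's login-to-every-slot. It does not address the other two items on his list (plain on-card keypairs without a certificate, and objects outside any PIN-protected slot), which need the source-level changes he mentions.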
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
