If any of you don't agree with any of the following, just let me know.
>>> - should I avoid SunPKCS11 and base my program on "simple" PC/SC?

Absolutely not. Do you code in assembly for your web pages? PC/SC should be used only if your smartcard doesn't have a higher level of abstraction possible (like OpenSC).

>> If you need to stick to Java, maybe JNI is the answer. I don't like it very much, but we have some legacy tools which use this technology.

> I usually do C, but this time I need a Java applet for:
> 1) a web-based password manager I have to write for the office

If you explain more, I can tell you my opinion about what you could need/do.

> 2) safely and strongly authenticate users to a plain HTTP page (very
> shared-hosting friendly!) -- I already can authenticate users w/ a
> smartcard (on https), but it needs Firefox to load its PKCS11 that
> "locks" the card and no other process can use it.

Must be a problem with your code. Actually, our card is used by Firefox + Thunderbird + IE + local apps at the same time.

> I don't really like JNI since it usually needs uncommon client-side
> libraries, that's why I thought about pcsc (even if, after all, it's JNI
> anyway), since I already studied it and deps-wise it doesn't need
> anything more than the minimum.

You can observe what others do: the Spanish tax ministry doesn't use applets (it uses native components), which doesn't require the user to have Java.
https://www.agenciatributaria.gob.es/AEAT.sede/Inicio/Inicio.shtml

Spanish eCoFirma (also from the government) uses an applet that downloads a JNLP that installs everything needed on your computer.
http://oficinavirtual.mityc.es/javawebstart/soc_info/ecofirma/index.html

In our company, we use smartcards for client/user authentication using certificates, and also for mail signing and document signing. For web applications we use a signed applet. This applet is done using the Oracle/Sun JCE (Java 1.6). It seems that the Sun JRE >= 1.6 is the only one which had cryptography some time ago. Maybe this has changed and now OpenJDK includes it.
You should ask on the Java lists (and update me with the news, PLEASE!).

The applet side is made by another person, but I'm the developer of the PKCS#11 library that runs on OS X, Windows and Linux. It's not made using OpenSC because it's legacy code that was re-coded just a few months ago, and because our card is not PKCS#15, nor really cryptographic. (At least it's PC/SC!)

Anyhow, in a recent discussion on a Mozilla bug (https://bugzilla.mozilla.org/show_bug.cgi?id=654939), I was sadly surprised to read things like:

"If Java is trying to load Firefox's NSS libraries, it deserves to not work."

"Having external apps digging through the Mozilla cert store is not recommended or supported in any case."

"This is not something that we intend to support or fix. No, writing enterprise apps which poke into the Firefox certificate store is not a desired use-case, especially while the app is running."

"I know that JSS is used for server applications written in Java. I was not even aware that it's possible to use JSS inside browser applets."

... (and many more)

So, in other words... although Java has examples, docs and code to explain how to use JSS (Java to NSS) and it's working perfectly, this seems to be a bad thing for Mozilla's people. I still have to discuss it at https://lists.mozilla.org/listinfo/dev-platform

On IE, you should code a CSP/CNG to access the smartcard, and on Safari you could use OpenSC or a tokend. Chrome depends on the system.

In your position I would:
- Check the smartcard features to see if it's OpenSC compatible.
- Implement your card in OpenSC, or do your own PKCS#11/CSP/tokend (watch out for Lion 10.7 smartcard services!) if needed. This involves PC/SC.
- Use SunPKCS11, or JSS if you want to rely on "dangerous and evil undocumented behaviour".

Anything you need, don't hesitate to contact me.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
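The recommendation above (use SunPKCS11 on top of OpenSC's PKCS#11 module rather than raw PC/SC) in working form, as an added example that is not part of the list post and not code from OpenSC or the poster's library. It performs the challenge-response authentication the original question asks about: the client signs a server-supplied nonce with the private key on the card, and the server verifies the signature with the public key from the card's certificate. Assumptions: OpenSC is installed and its module is at the path in `PKCS11_CONFIG` (adjust per platform), the card holds an RSA key with a matching certificate, and the JDK is Java 9 or newer (the Java 6-8 equivalent is noted in a comment). The challenge bytes are constructed for the demo; a real server generates a fresh random nonce per login attempt.

```java
import java.nio.charset.StandardCharsets;
import java.security.AuthProvider;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Smartcard challenge-response login via SunPKCS11 + OpenSC (added example). */
public class SunPkcs11Auth {

    // SunPKCS11 configuration text. The leading "--" tells configure() that the
    // string is the configuration itself rather than a file name.
    // ASSUMPTION: module path; on Windows it is typically opensc-pkcs11.dll,
    // on OS X /Library/OpenSC/lib/opensc-pkcs11.so.
    static final String PKCS11_CONFIG =
        "--name=OpenSC\n" +
        "library=/usr/lib/opensc-pkcs11.so\n" +
        "slotListIndex=0\n";

    /** Java 9+: configure the JDK's bundled SunPKCS11 provider with OpenSC's module.
     *  Java 6-8 equivalent: new sun.security.pkcs11.SunPKCS11(configFilePath). */
    static Provider loadProvider() {
        Provider p = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.addProvider(p);
        return p;
    }

    /** Open the card as a KeyStore; the PIN logs the PKCS#11 session in. */
    static KeyStore openCard(Provider p, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // null stream: the token itself is the store
        return ks;
    }

    /** First alias that has both a private key on the card and an X.509 certificate. */
    static String firstSigningAlias(KeyStore ks) throws Exception {
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String a = aliases.nextElement();
            if (ks.isKeyEntry(a) && ks.getCertificate(a) instanceof X509Certificate) {
                return a;
            }
        }
        throw new IllegalStateException("no key+certificate pair on the card");
    }

    /** Client side: sign the server's nonce. The private key never leaves the card;
     *  the PKCS11 PrivateKey object is a handle and the signature is computed on-token. */
    static byte[] signChallenge(KeyStore ks, String alias, char[] pin, byte[] challenge)
            throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
        Signature sig = Signature.getInstance("SHA256withRSA", ks.getProvider());
        sig.initSign(key);
        sig.update(challenge);
        return sig.sign();
    }

    /** Server side: verify with the public key of the presented certificate.
     *  Uses the default software provider, no card involved. */
    static boolean verifyChallenge(X509Certificate cert, byte[] challenge, byte[] signature)
            throws Exception {
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(cert.getPublicKey());
        sig.update(challenge);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        char[] pin = System.console().readPassword("Card PIN: ");
        Provider p = loadProvider();
        KeyStore ks = openCard(p, pin);
        String alias = firstSigningAlias(ks);
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("Using certificate: " + cert.getSubjectX500Principal());

        // CONSTRUCTED nonce standing in for a per-login random value from the server.
        byte[] challenge = "nonce-from-server-1234".getBytes(StandardCharsets.UTF_8);
        byte[] signature = signChallenge(ks, alias, pin, challenge);
        System.out.println("Signature verifies: " + verifyChallenge(cert, challenge, signature));

        // Log the PKCS#11 session out so the PIN state is not left open, then drop
        // the provider; other applications sharing the card are unaffected either way.
        ((AuthProvider) p).logout();
        Security.removeProvider(p.getName());
        java.util.Arrays.fill(pin, '\0');
    }
}
```

Only the certificate and the signed nonce travel to the server, so this works over plain HTTP as far as proving key possession goes; the server must still check the certificate chain and revocation status before trusting the subject, and must never reuse a nonce, since the signature proves only that the card signed that particular value.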