Pc Sc Smart Card Reader


Gaetan Horton

Aug 3, 2024, 5:09:55 PM
to dismidemi

There was a need to make a multi-slot Smart Card Reader (specifically - there will be 3 slots for smart card). In the process, I would like to be able to dynamically switch between them. And that's the main thing.

In the file "usbd_ccid_core.c" there is a set of bytes with the general information of the reader, USBD_CCID_CfgDesc[SMARTCARD_SIZ_CONFIG_DESC] (line 82). It has the property "bMaxSlotIndex: highest available slot on this device", which I set to two (bMaxSlotIndex = 0x02). Also, in the file usbd_ccid_cmd.c (line 939) is the RDR_to_PC_NotifySlotChange method. The description of the CCID protocol specifies that the response to the "RDR_to_PC_NotifySlotChange" command that this method sends a response to should be the number of slot states (www.usb.org/sites/default/files/DWG_Smart-Card_CCID_Rev110.pdf, page 56). I forcibly send a response claiming that the card reader has 3 slots and a card is inserted in each (I send the number 63 in the response).

I cannot understand how to implement this; I have been banging my head against the wall for three days with no progress. I work with the smart card directly through the controller. Everything works fine. I only need to display multiple slots in the system.
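An added example, not part of the original post and not the poster's or the vendor's firmware: in CCID Rev 1.10 the RDR_to_PC_NotifySlotChange interrupt message is bMessageType 0x50 followed by bmSlotICCState, which carries two bits per slot (present, changed), so three occupied, just-changed slots encode as 0x3F, the 63 mentioned above. The function names are hypothetical, and the sample slot states are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CCID_NOTIFY_SLOT_CHANGE 0x50u /* bMessageType of RDR_to_PC_NotifySlotChange */

/* Build the interrupt-IN message for a reader with bMaxSlotIndex + 1 slots.
 * bmSlotICCState uses 2 bits per slot, slot 0 in the lowest bits:
 * even bit = ICC present, odd bit = state changed since the last report.
 * Returns the message length, or 0 if buf is too small. */
size_t ccid_build_slot_change(uint8_t *buf, size_t buf_len, uint8_t max_slot_index,
                              const uint8_t *present, const uint8_t *changed)
{
    unsigned slots = (unsigned)max_slot_index + 1u;
    size_t state_len = (2u * slots + 7u) / 8u; /* rounded up to whole bytes */
    if (buf_len < 1u + state_len)
        return 0;
    buf[0] = CCID_NOTIFY_SLOT_CHANGE;
    memset(buf + 1, 0, state_len);
    for (unsigned s = 0; s < slots; s++) {
        unsigned pair = (present[s] ? 1u : 0u) | (changed[s] ? 2u : 0u);
        buf[1 + s / 4] |= (uint8_t)(pair << (2u * (s % 4)));
    }
    return 1u + state_len;
}

/* Host-side view: extract one slot's bits. Returns 0 on success, -1 if the
 * message is malformed or the slot is beyond bMaxSlotIndex. */
int ccid_slot_state(const uint8_t *msg, size_t len, uint8_t max_slot_index,
                    unsigned slot, int *present, int *changed)
{
    if (len < 2 || msg[0] != CCID_NOTIFY_SLOT_CHANGE ||
        slot > max_slot_index || 1u + slot / 4 >= len)
        return -1;
    unsigned pair = (msg[1 + slot / 4] >> (2u * (slot % 4))) & 3u;
    *present = (int)(pair & 1u);
    *changed = (int)(pair >> 1);
    return 0;
}

int main(void)
{
    /* Constructed sample: the 3-slot reader from the post, a card in every slot. */
    const uint8_t present[3] = {1, 1, 1}, changed[3] = {1, 1, 1};
    uint8_t msg[8];
    size_t n = ccid_build_slot_change(msg, sizeof msg, 0x02, present, changed);
    printf("len=%zu type=0x%02X bmSlotICCState=%u\n", n, msg[0], msg[1]);
}
```
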

Did you succeed in building such a multiport (multi-slot) smart card reader? I'm currently looking for a company which could offer such a device, which shall be connected by USB-CCID and shall have a local PinPad.
This reader should be mounted in a 19inch Rack inside our DataCenter.

Thanks a lot for your feedback.

Kind regards,

Berny

What are the currently existing and supported client-side architectures to access a local Smart Card thru a PC/SC Smart Card reader (ISO 7816-3, ISO 14443) from a generic browser (connected to a server through http(s)), preferably from Javascript, with the minimum installation hassle for the end user? The server needs to be able to at least issue APDUs of its choice to the Smart Card (or perhaps delegate some of that to client-side Javascript code). I am assuming availability on the client side of a working PC/SC stack, complete with Smart Card reader. That's a reasonable assumption at least on Windows since XP, modern OS X and Unixes.

Also: is there some way to prevent abuse of whatever PC/SC interface the browser has by a rogue server (e.g. presenting 3 wrong PINs to block a card, just for the nastiness of it; or making some even more evil things).

There are tens of custom and proprietary plugins (using all three options you mentioned) for various purposes (signing being the most popular, I guess) built because there is no standard or universally accepted way, at least in Europe and I'm sure elsewhere as well.

Creating, distributing and maintaining your own shall be a blast, because browsers release every month or so and every new release changes sandboxing or UI tricks, so you may need to adjust your code quite often.

Personally, I don't believe that exposing PC/SC to the web is any good. PC/SC is by nature quite a low-level protocol; when exposing it, you could as well expose block-level access to your disk and hope that "applications on the web are mine only and they behave well" (this should answer your "Also"). At the same time, a thin shim like SConnect is the easiest to create, for providing JavaScript plugin.sendAPDU()-style code (or just wrap all the PC/SC API and let the JavaScript caller take care of the same level of details as in the native PC/SC API use case).

Addressing the future (mobile etc) is another story, where things like W3C webcrypto and OpenMobile API will probably finally somehow create something that exposes client-side key containers to web applications. If your target with smart cards is cryptography, my suggestion is to avoid PC/SC and use platform services (CryptoAPI on Windows, Keychain on OSX, PKCS#11 on Linux)

Any kind of design has requirements. This all applies if you're thinking of using keys rather than arbitrary APDU-s. If your requirement is to send arbitrary APDU-s, do create a plugin and just go with it.

For your first question I have little hope: either you are satisfied with a very small subset of smart card functionality (like signing e-mail or PDFs), then you may use some ready-made software (like PKCS), ideally maintained by the smart card company, or you want broader functionality and need to invest considerable effort on your own. Surely PC/SC is the starting point to choose.

1) Note, that some specifications (e.g. ICAO/German BSI TR-3110) request a method, where a PIN is not blocked, but uses a substantial amount of time as soon as the error counter hits 1 before replying. The final attempt must be enabled using a different command, otherwise no further comparison and error counter adjustment is done.

2) Simply protect the Verify command by requiring secure messaging. Sensitive applications use secure messaging for everything, so as a first step a session key is negotiated, which is then applied to all succeeding commands and responses. The effect would be that the command is rejected due to incorrect MACs long before a comparison or modification of the error counter is done.

There is another browser plugin similar to the one proposed by @cslashm available at Is also open source and can be installed with "minimum installation hassle" as required in the original question. You can see an example of use visiting

WebCard has been tested in IE 8 through 11, Chrome and Firefox in Windows and in Chrome and Safari in Mac OS X. Since is just a wrapper for PC/SC it requires in Mac OS X the installation of SmartCard Services from

As Chrome and Firefox are going to stop the support of NPAPI plugins, there is no secure solution available to maintain the session for the smart card reading instead your certificate of the card have support for mutual SSL. I answered for the similar question source; it might help.

It's dirty, but if it's acceptable / viable to install a bridge daemon/service on the client machine, then you can write a local bridge service (e.g. in Python / pyscard) that exposes the smartcard via a REST interface, then have JavaScript in the browser that mediates between that local service (facade) and the remote server API.

So, instead of rewriting the whole stack (starting from the lowest level - raw USB), it's now possible for developers to code only the part that works on top of PC/SC API - which is exposed by the Connector app.

Clients, clients, clients... plugins... JS APIs... Well... For certain we know this: all browsers, when communicating with an Apache or IIS server, are actually signing "something" when an https/SSL handshake process is needed.

I have a setup where a smartcard reader is scanned to log in a user. The PC/SC library works great on desktop. Somebody had mentioned using the Emscripten compiler, which compiles C++ into JavaScript code. But that didn't work well because some of the functions being used by PC/SC are only available server side. After much research, I finally gave up on a client-side solution; the Chrome WebUSB API also couldn't recognize the reader.
I then decided to give SignalR a try and set up a hub on the PC connected to the smartcard reader, and this approach worked out very well.

Is it within the scope of the WebUSB API (drafted there) to be able to use PC/SC devices such as Smart Card readers, perhaps under the assumption they are CCID-compliant (many are close to that and do work with a generic driver)?

Connecting to smart card readers is outside the scope of the WebUSB API. The reason for this is that the security properties of smart cards make it inappropriate to allow arbitrary code to access them. There is too great a risk of phishing attacks.

Faster transactions. More affordable operations. More efficient collection. Our transport solution, TapToPay, makes these possible through intelligent transportation systems (ITS) with emphasis on automatic fare collection (AFC). Our systems can cover bus, rail, ferry, road toll, parking, fast-food establishments, and convenience stores.

ACS offers product customization and product development services to meet specific customer requirements. With the help of our competent and experienced engineering team, we have the capability to design and develop new products that will give you a competitive advantage.

ACS smart cards are available for custom branding and promotional purposes. We welcome OEM enquiries for design printing and personalization at a reasonable cost. Furthermore, customers can buy white ACS cards, which they can design on their own.

ACS offers consultancy services. Occasionally, we invite customers to our offices to let them participate in consultancy sessions. Likewise, we are willing to conduct the sessions for other interested parties.

The ACS Android Library was built to support the use of various ACS readers with Android devices. The ACS Android Library is a collection of methods and functions allowing application developers to build smartcard based application in the Android platform.

Find web applications that enable users to experience the functionalities of ACS smart cards and smart card readers. These demo applications are offered free of charge. Applications require that a user have the smart card or smart card reader being demonstrated.

Find programs to help navigate or maximize the use of supported smart cards and smart card readers. These utility tools are offered free of charge. Tools can be used only with the supported operating systems, indicated respectively.

Our products and solutions have been recognized the world over for their performance and innovativeness. ACS is committed to exceeding this world-class level of performance across all of its products and services.

ACS takes steps to ensure that its operations are sustainable. To this end, the company complies with international regulations governing production and other aspects of operation. ACS also institutes programs to give back to the communities that enable the business to flourish.
