GoogleChromeLabs / chromeos_smart_card_connector

Smart Card Connector App for Chrome OS
https://chrome.google.com/webstore/detail/smart-card-connector/khpfeaanjngmcnplbdlpegiifgpfgdco
Apache License 2.0

custom middleware (device manager) not only in chrome OS #80

Closed artemMartynenko closed 5 years ago

artemMartynenko commented 5 years ago

Hello, I'm interested in the possibility of adding a custom smart card device manager (middleware). I know that you provide a set of middleware for Chrome OS. But what if a user wants to use a custom device with PKCS11 support? The same issue applies to users of other platforms (Ubuntu, OS X). Is it possible to provide pkcs11 functionality just like Mozilla https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/pkcs11 ?

emaxx-google commented 5 years ago

P.S. Chrome OS doesn't use PKCS#11 APIs - at least when talking to third-party modules. Only the much smaller chrome.certificateProvider is used in this area in Chrome OS.

emaxx-google commented 5 years ago

Regarding non-Chrome OS platforms - AFAIK, there's no plan right now to add support for running custom PKCS#11 modules as Chrome extensions (plugins, etc.). Chrome uses the platform capabilities (e.g., the NSS library) for working with the certificates and keys on these platforms.

artemMartynenko commented 5 years ago

Is it possible to write a chrome.certificateProvider implementation for another platform (not Chrome OS)?

emaxx-google commented 5 years ago

Nope, chrome.certificateProvider is Chrome OS only. As I said above, only the platform capabilities are used on other platforms, like NSS.

artemMartynenko commented 5 years ago

Do you plan to provide something like chrome.certificateProvider for other platforms, to allow the use of custom middleware in Chrome for smart card support?

emaxx-google commented 5 years ago

There are no such plans currently.

artemMartynenko commented 5 years ago

Unfortunately, it is a big issue that there is no possibility to use Chrome with a custom smart card device manager, because a lot of governmental organisations should use smart cards with an approved (non-standard) internal implementation (just like the US Department of Defense Common Access Card) on different platforms. Smart card developers provide platform-dependent libraries with an implementation of the PKCS11 interface. So as a result, users in governmental organizations should use Mozilla Firefox. But it would be great to allow them to use their beloved browser, Chrome, for work without any restrictions.

emaxx-google commented 5 years ago

Sorry, I'm not following what is the specific problem with the PKCS#11 modules in Chrome.

There's no official documentation that I could find right now, but see, for example, this third-party description: https://homepage.ruhr-uni-bochum.de/jan.holthuis/posts/smartcard-authentification-in-chrome

artemMartynenko commented 5 years ago

Thank you for your answers. I have already tested this third-party example and it works fine, but only for Linux systems. Making something like that for Windows is another issue. And also it may be a good solution for a developer but not for an end user. So it would be cool to add some other way to work with smart cards in Chrome on any platform. Thank you very much!

artemMartynenko commented 5 years ago

The smallest thing that can help is something like chrome.certificateProvider for other platforms, to allow developers to write their implementations to communicate with CCID-compatible smart cards and custom providers.

emaxx-google commented 5 years ago

I'm not super familiar with the process of smart card setup on Windows, but AFAIK Windows is already pre-bundled with some middleware; one can also install custom middleware into Windows when needed. For example - see this third-party page for the process of Windows setup for using CAC cards: http://militarycac.com/activclient.htm (please beware that this is a third-party page, use it at your own risk).

The extension+certificateProvider based approach won't work on Windows, since two drivers cannot access the same USB device at the same time (one driver is a driver installed into Windows, and another would be the Chrome that hosts the extension). We don't want to build a solution that only works when the user has to disable standard Windows drivers and to prevent other desktop applications from using the smart card.