parsec-cloud icon indicating copy to clipboard operation
parsec-cloud copied to clipboard
verified publisher icon Scille

Implement pki primitive for web platform

Open FirelightFlagboy opened this issue 1 month ago • 4 comments

By web we mean firefox with OpenSC PKCS#11 module

  • [ ] Setup firefox to use opensc
  • [ ] Able to list certificates
  • [ ] Able to list root certificates
  • [ ] Able to list intermediate certificates
  • [ ] Able to sign a random message
  • [ ] Able to verify a random message
  • [ ] Able to encrypt a random message
  • [ ] Able to decrypt a random message

FirelightFlagboy avatar Nov 21 '25 14:11 FirelightFlagboy

Install OpenSC

Ubuntu 24.04

sudo apt install opensc

Configure opensc on firefox

Based on: https://github.com/OpenSC/OpenSC/wiki/Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step

  1. Open about:preferences#privacy

    Image

  2. Scroll to Security > Certificates and click on Security devices...

    Image

  3. Click on load and fill in the path to opensc driver

    Image

On Ubuntu-24.04, the path to opensc driver is: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

  1. A new device should have been added

    Image

Fake smartcard

  • Simulate Smartcard on linux with opensc: https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Simulation#simulation-on-linux
WIP 
sudo apt install {,auto}make autoconf pkg-config git openssl libtool lib{pcsclite,ssl}-dev pcsc{d,-tools} help2man

Used https://github.com/OpenSC/OpenSC/blob/0116667174060aaf609ff07daa99deeae1497e0e/.github/setup-linux.sh to list dependencies

cd
if [ ! -f "vsmartcard/virtualsmartcard/Makefile" ]; then
	git clone https://github.com/frankmorgner/vsmartcard.git
	pushd vsmartcard/virtualsmartcard
	autoreconf -vis && ./configure && make -j2
	popd
fi
pushd vsmartcard/virtualsmartcard
sudo make install
popd

Inspired by https://github.com/OpenSC/OpenSC/blob/0116667174060aaf609ff07daa99deeae1497e0e/.github/setup-vsmartcard.sh

sudo systemctl restart pcscd.service

FirelightFlagboy avatar Nov 24 '25 14:11 FirelightFlagboy

while doing some outgoing research, I found a draft that exactly what we want: https://wicg.github.io/web-smart-card/ but since it's a draft, it not implemented for now

FirelightFlagboy avatar Nov 26 '25 07:11 FirelightFlagboy

After doing some research, it seems not possible today to use a PKI in the same way as Windows (and in the future Linux & MacOS).

To interact with a smartcard we have the following possibilities:

  • Use an extension that would provide a bridge to the OS API to interact with a smartcard

  • Use webauthn public key system, but that only support signature and we only get a public key so we cannot verify the identity

    It's mean to be use as an authentication method after all against a relying party (a server)

  • In the future we could have an API integrated in browser to interact with smart card (https://wicg.github.io/web-smart-card/)

Sources

FirelightFlagboy avatar Nov 26 '25 08:11 FirelightFlagboy

Set status back to Ready and reset priority since this is no longer an urgent priority (at least for the moment).

mmmarcos avatar Dec 05 '25 14:12 mmmarcos