To use a Buypass smartcard, one needs a local proxy to connect to the smartcard. This solution is called SCProxy or Javafri. The proxy is available for Windows and Mac OS, but not for Linux.
This program is a basic attempt to get it working on Linux. It's not very polished, and there are likely to be many corner-cases that aren't handled. But it allows one to log into websites with a Buypass smartcard, and to change the card's PIN.
- Install the dependencies:
  - Python version 3.10 or later
  - pyscard, Python for smart cards
  - PC/SC-lite daemon, for accessing smart cards
  - OpenSSL, for generating certificates
  On Debian-based distributions (incl. Ubuntu), you can install them using:
      apt-get install python3 python3-pyscard pcscd openssl
- Clone this repository
      git clone https://github.com/wvengen/scproxy
      cd scproxy
- Generate SSL certificates
      sh gencerts.sh
- Install root certificate (generated in the previous step)
  For Firefox, the steps are:
  - open the Preferences and activate the View Certificates button;
  - in the Authorities tab, select Import;
  - choose the file certs/root.crt and trust it to identify websites.
- Add a user-agent switcher to your web browser; you'll need it later.
To let this work out of the box, you may try running
make && sudo make install
With a bit of luck, this installs the program on your system, and sets it up to work with systemd using socket activation.
- Start SCProxy.
  Before logging in with Buypass, you need to make sure SCProxy is running. At this moment, you'll need to open a terminal and run
      python3 scproxy.py
  If you've run make install as described above, this is done automatically.
- In the user-agent switcher, select the Windows platform.
- Make sure your smartcard reader is connected and the Buypass card inserted.
- Visit the website you want to log in to using the Buypass smartcard, and do so.
- At the end, you can switch back to the terminal and press Ctrl-C to terminate SCProxy (no need if you ran make install).
This program can also be used with systemd socket activation (based on this).
See system/ for the unit files. The Makefile should set this all up.
To test socket activation, you can run
systemd-socket-activate -l 31505 python3 scproxy.py
- I'm not the only one
- Buypass still recommends the Java plugin on Linux (great they did support Linux some years ago)
- Technical intro of SCProxy, with Terminalserver notes (Norwegian)
- Troubleshooting SCProxy
- List of sw1 sw2 in smartcards
- ISO 7816-4
- Sniffing USB with Wireshark and decoding ISO 7816-4
The Buypass website makes POST requests to SCProxy, which listens on https://127.0.0.1:31505
- On page load: POST /scard/version/ to check if SCProxy is running and its version is supported.
- If SCProxy is detected: POST /scard/list/ to obtain a list of smartcard reader names.
- If a reader is found: various POST /scard/apdu/(:reader_name) to interact with the smartcard.
- On success: POST /sdcard/getref/ to obtain a shared key to obfuscate the PIN with.
- After PIN entry, several other POST /scard/apdu/(:reader_name) requests.
- On success, redirect to service, now authenticated.
POST /scard/apdu/(:reader_name) handles communication with the smartcard. It has a JSON request body with APDU commands. Here is a SELECT MF (master file) command:
{
"timeout": 10,
"apducommands": [{ "apdu":"00A40000023F00" }],
"session": "0123456789abcdef"
}
The session is a random string to avoid concurrent requests to the smartcard interfering with each other.
When a suitable card is inserted, this would return an OK response:
{
"apduresponses": [{ "apdu":"9000" }],
"errorcode": 0,
"errordetail": 0
}
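The following is an added example, not part of scproxy's own code: it decodes the request and response bodies shown above into ISO 7816-4 fields, which is useful when logging or reviewing what a website asks the card to do through the proxy. The function names are hypothetical, and only short-length APDUs are handled (an assumption).

```python
import json

# Bodies copied from the request/response examples above.
REQUEST = ('{"timeout": 10, "apducommands": [{"apdu": "00A40000023F00"}],'
           ' "session": "0123456789abcdef"}')
RESPONSE = '{"apduresponses": [{"apdu": "9000"}], "errorcode": 0, "errordetail": 0}'

def parse_command_apdu(hex_apdu):
    """Split a short-length ISO 7816-4 command APDU into its fields."""
    raw = bytes.fromhex(hex_apdu)        # ValueError on non-hex input
    if len(raw) < 4:
        raise ValueError("APDU shorter than the 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    body, data, le = raw[4:], b"", None
    if len(body) == 1:                   # case 2: header + Le
        le = body[0]
    elif len(body) > 1:                  # case 3/4: header + Lc + data [+ Le]
        lc, rest = body[0], body[1:]
        if lc == 0:
            raise ValueError("extended-length APDUs are not handled here")
        if len(rest) == lc:
            data = rest
        elif len(rest) == lc + 1:
            data, le = rest[:lc], rest[lc]
        else:
            raise ValueError("Lc does not match the data length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def decode_request(body):
    """Decode every command APDU in a /scard/apdu/ request body."""
    return [parse_command_apdu(c["apdu"]) for c in json.loads(body)["apducommands"]]

def decode_response(body):
    """Return (data, status word) for each response APDU; 0x9000 means OK."""
    out = []
    for r in json.loads(body)["apduresponses"]:
        raw = bytes.fromhex(r["apdu"])
        if len(raw) < 2:
            raise ValueError("response APDU lacks a status word")
        out.append((raw[:-2], int.from_bytes(raw[-2:], "big")))
    return out

if __name__ == "__main__":
    for cmd in decode_request(REQUEST):
        print("INS=%02X P1=%02X P2=%02X data=%s" % (
            cmd["ins"], cmd["p1"], cmd["p2"], cmd["data"].hex().upper()))
    for data, sw in decode_response(RESPONSE):
        print("SW=%04X data=%s" % (sw, data.hex().upper()))
```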
To play around with the API, you can use curl e.g. as follows:
curl --insecure -H 'Sec-Fetch-Mode: cors' -H 'Origin: https://secure.buypass.no' \
--data-raw '' https://127.0.0.1:31505/scard/list/
This program is licensed under the GNU GPL v3 or later.