hwcrypto is an umbrella name for a set of specifications, software and APIs that enable the use of X.509 PKI-based eID cards on the web for signing and authentication. It is designed to be vendor-neutral and horizontally reusable, to compete with the proliferation of proprietary, sector-specific vertical implementation silos and to spare end users and integrators alike the resulting "NASCAR problem".
(Note on naming: the techie name "hwcrypto" is only visible to developers, not end users)
It consists of three major parts:
- hwcrypto.js (MIT) is a JavaScript library for web developers who work with hardware-backed eID cards, providing a high-level API that allows the developer to focus on building things that have value to users instead of dealing with the underlying technological plumbing. The library follows semantic versioning and a simple demo site is available. The JavaScript library is the only component web developers should interact with.
- hwcrypto-extension (LGPL) is a reference implementation of a modern browser extension that provides access to the cryptographic smart card services of the host computer via Native Messaging. The extension is available for Chrome/Chromium, Firefox and Opera.
- hwcrypto-native (LGPL, formerly chrome-token-signing) is the Native Messaging counterpart of the browser extension, with installers available for Windows, macOS and Linux. It is intended to be extended, branded, repackaged and redistributed by vendors and service providers as needed. The installer is the only component end users should interact with.
Being a collaboration platform for real-life integrators is another goal of this open source effort.
A bunch of other efforts are underway to define an API, to be implemented by browser vendors, to facilitate access to cryptography, including hardware devices.
- WebCryptoAPI
- Hardware Based Secure Services
  - :| similar API level, intended to be implemented by user agent vendors
  - :( no working sample code
  - :( no interest from browser vendors
- Web API For Accessing Secure Element
  - :( low level, ISO 7816-4 based APDU interface, not unlike PC/SC
  - :( no working sample code
  - :( no known intention from browser vendors to implement (more likely to happen on mobiles)
- FIDO U2F / WebAuthn
  - :) being implemented
  - :( only authentication, and scoped credentials
Some other initiatives with working code and standardisation efforts exist that bridge the gap between a website and a hardware token by exposing a common "transport mechanism" to JavaScript:
- WebUSB
  - :| low-level USB access; a JavaScript library would have to implement something like CCID to talk APDUs to a smart card token. Possible, but not very viable. Desktop-oriented.
- Web Bluetooth
  - :| low-level Bluetooth access; a JavaScript library would have to implement Bluetooth connectivity to a smart card reader/token to transfer APDUs to smart cards. Possible, but not very viable. Mobile-oriented.
  - :( no standardisation of Bluetooth smart card readers