To use Buypass smartcard, one needs a local proxy to connect to the smartcard. This solution is called SCProxy or Javafri. The proxy is available for Windows and Mac OS, but not for Linux.

This program is a basic attempt to get it working on Linux. It's not very polished, and there are likely to be many corner-cases that aren't handled. But it allows one to log into websites with a Buypass smartcard, and to change the card's PIN.

1. Install the dependencies:

   • Python version 3.10 or later
   • pyscard, Python for smart cards
   • PC/SC-lite daemon, for accessing smart cards
   • OpenSSL, for generating certificates

   On Debian-based distributions (incl. Ubuntu), you can install them using:

   apt-get install python3 python3-pyscard pcscd openssl

2. Clone this repository

   git clone https://github.com/wvengen/scproxy
   cd scproxy

3. Generate SSL certificates

   sh gencerts.sh

4. Install root certificate (generated in the previous step)

   For Firefox, the steps are:

   • open the Preferences and activate the View Certificates button;
   • in the Authorities tab, select Import;
   • choose the file certs/root.crt and trust it to identify websites.

5. Add a user-agent switcher to your web browser, you'll need it later.

To let this work out of the box, you may try running

make && sudo make install

With a bit of luck, this installs the program on your system, and sets it up to work with systemd using socket activation.

1. Start SCProxy.

   Before logging in with Buypass, you need to make sure SCProxy is running. At this moment, you'll need to open a terminal and run

   python3 scproxy.py

   If you've run make install as described above, this is done automatically.

2. In the user-agent switcher, select the Windows platform.

3. Make sure you smartcard reader is connected and the Buypass card inserted.

4. Visit the website you want to login with using Buypass smartcard, and do so.

5. At the end, you can switch back to the terminal and press Ctrl-C to terminate SCProxy. (no need if you ran make install)

This program can also be used with systemd socket activation (based on this).

See system/ for the unit files. The Makefile should setup this all up.

To test socket activation, you can run

systemd-socket-activate -l 31505 python3 scproxy.py

• I'm not the only one
• Buypass still recommends the Java plugin on Linux (great they did support Linux some years ago)
• Technical intro of SCProxy, with Terminalserver notes (Norwegian)
• Troubleshooting SCProxy
• List of sw1 sw2 in smartcards
• ISO 7816-4
• Sniffing USB with Wireshark and decoding ISO 7816-4

The Buypass website makes POST requests to SCProxy, which listens on https://127.0.0.1:31505

1. On page load: POST /scard/version/ to check if SCProxy is running and its version is supported.
2. If SCProxy is detected: POST /scard/list/ to obtain a list of smartcard reader names.
3. If a reader is found: various POST /scard/apdu/(:reader_name) to interact with smartcard.
4. On success: POST /sdcard/getref/ to obtain a shared key to obfuscate the PIN with.
5. After PIN entry, several other POST /scard/apdu/(:reader_name) requests.
6. On success, redirect to service, now authenticated.

POST /scard/apdu/(:reader_name) handles communication with the smartcard. It has a JSON request body with APDU commands. Here is a SELECT MF (master file) command:

{
"timeout": 10,
"apducommands": [{ "apdu":"00A40000023F00" }],
"session": "0123456789abcdef"
}

The session is a random string to avoid concurrent requests to the smartcard interfering with each other.

When a suitable card is inserted, this would return an OK response:

{
"apduresponses": [{ "apdu":"9000" }],
"errorcode": 0,
"errordetail": 0
}

To play around with the API, you can use curl e.g. as follows:

curl --insecure -H 'Sec-Fetch-Mode: cors' -H 'Origin: https://secure.buypass.no' \
     --data-raw '' https://127.0.0.1:31505/scard/list/

This program is licensed under the GNU GPL v3 or later.