I was wondering if anyone has had any experience/recommendations introducing PC/SC smart card authentication to a ColdFusion 2016 application. (Support on generic/any browser)
I have seen the following two posts about general smart cards in the browser:
(Note: the following questions are from 2012 & 2013, so chances are things have changed.)
To summarize, the following article suggests that no crypto processing should be done by the JavaScript, but instead the handling of the smart card should be passed through to a PKCS#11 library and be handled there (opensc.so). It however doesn't really touch on the server side of the authentication scheme... Does the web server hosting CF (Apache) or the CF application itself do the authentication on the server side?
This thread introduces the concept of the WebUSB API, which basically is USB support for browsers. While very cool & useful, I can't find which browsers other than Chrome currently support this API. Also, from a security standpoint, because each browser has a different implementation/new feature, I feel like this will be a prime spot for vulnerabilities in the future.
My thoughts were to initially create a Java Applet, but due to Oracle's deprecation of them, I might try a Java Start Application (using the smartcardio library that handles all the APDU commands). The Java Start application would send the certificates over to the ColdFusion application (or some entity on the server, not sure what) and generate a secure cookie with a session ID for the unique user, then refresh the browser with that new cookie.
Does this seem like a reasonable approach? Or does ColdFusion 2016 have some other way to deal with smartcards/crypto?
Is there anything else I should explore?
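An added example, not part of the question above and not code from ColdFusion, Apache or the smartcardio library, showing the one check the proposed "send the certificates to the server, get a session cookie" flow needs before minting a session: the server must issue a fresh nonce, the card must sign it with its private key, and the server must verify both that the certificate chains to a trusted CA and that the signature matches the certificate's public key. Otherwise anyone who can obtain a user's (public) certificate can log in as them. The `Server`, `Card`, `NewCA` and `IssueCard` names are assumptions made for this example; the in-memory RSA key stands in for the card (on a real card the key never leaves the chip and only a sign command is exposed), and the CA/certificate generation is a test fixture standing in for the PKI that provisions real cards. Written in Go with the standard library so it runs stand-alone.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Server is what the ColdFusion side (or a helper on the server) needs to hold:
// the trusted CA pool, outstanding one-time nonces, and issued sessions.
type Server struct {
	roots    *x509.CertPool
	nonces   map[string]time.Time
	sessions map[string]string // session ID -> subject CN
}

func NewServer(roots *x509.CertPool) *Server {
	return &Server{roots: roots, nonces: map[string]time.Time{}, sessions: map[string]string{}}
}

// Challenge issues a fresh random nonce the client must have the card sign.
func (s *Server) Challenge() []byte {
	n := make([]byte, 32)
	rand.Read(n)
	s.nonces[hex.EncodeToString(n)] = time.Now()
	return n
}

// Login accepts the card's certificate (DER) and the card's signature over the nonce.
// It checks nonce freshness, the certificate chain, and proof of possession of the
// private key, and only then mints an opaque session ID for the cookie.
func (s *Server) Login(certDER, nonce, sig []byte) (string, error) {
	key := hex.EncodeToString(nonce)
	issued, ok := s.nonces[key]
	if !ok || time.Since(issued) > 2*time.Minute {
		return "", errors.New("unknown or expired nonce")
	}
	delete(s.nonces, key) // one-time use: replaying a captured signed nonce fails
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("unsupported key type")
	}
	h := sha256.Sum256(nonce)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", errors.New("nonce signature does not match certificate")
	}
	sid := make([]byte, 32)
	rand.Read(sid)
	id := hex.EncodeToString(sid)
	s.sessions[id] = cert.Subject.CommonName
	return id, nil
}

// Card simulates the smart card: only a sign operation is exposed (assumption;
// a real card does this inside the chip in response to APDUs).
type Card struct {
	priv    *rsa.PrivateKey
	CertDER []byte
}

func (c *Card) Sign(nonce []byte) []byte {
	h := sha256.Sum256(nonce)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, h[:])
	return sig
}

// NewCA creates a self-signed CA (test fixture for the card-issuing PKI).
func NewCA() (*rsa.PrivateKey, *x509.Certificate) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Card CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	cert, _ := x509.ParseCertificate(der)
	return priv, cert
}

// IssueCard creates a CA-signed client-auth certificate and its key (test fixture).
func IssueCard(cn string, caPriv *rsa.PrivateKey, caCert *x509.Certificate) *Card {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, caCert, &priv.PublicKey, caPriv)
	return &Card{priv: priv, CertDER: der}
}

func main() {
	caPriv, caCert := NewCA()
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	srv, card := NewServer(roots), IssueCard("alice", caPriv, caCert)
	nonce := srv.Challenge()
	sid, err := srv.Login(card.CertDER, nonce, card.Sign(nonce))
	fmt.Println("session:", sid, "err:", err)
	_, err = srv.Login(card.CertDER, nonce, card.Sign(nonce)) // replay
	fmt.Println("replay err:", err)
}
```

The session ID is random and opaque; the subject-to-session mapping stays server-side, so the cookie carries no certificate data. If Apache terminates TLS in front of ColdFusion, the same proof-of-possession and chain check is what TLS client authentication (`SSLVerifyClient require`) gives you for free, with the browser's PKCS#11 module talking to the card; the application then reads the verified subject from the connection instead of running an exchange like this one.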