/**
 *  ---------
 * |.##> <##.|  Open Smart Card Development Platform (www.openscdp.org)
 * |#       #|
 * |#       #|  Copyright (c) 1999-2009 CardContact Software & System Consulting
 * |'##> <##'|  Andreas Schwier, 32429 Minden, Germany (www.cardcontact.de)
 *  ---------
 *
 * This file is part of OpenSCDP.
 *
 * OpenSCDP is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * OpenSCDP is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with OpenSCDP; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 *
 * @fileoverview Script to generate a full reference EAC PKI
 */

load("../icao/cvcca.js");
load("../icao/pace.js");



/**
 * Generate a complete CVC PKI setup for testing purposes.
 *
 * <p>Every CA and terminal produced by this generator uses the same key
 * specification (curve brainpoolP256r1) and the same terminal authentication
 * algorithm (id-TA-ECDSA-SHA-256). Keys and certificates of all entities end
 * up in the one certificate store handed in here, so the output is test
 * fixture material.</p>
 *
 * @param {Crypto} crypto the crypto provider to use
 * @param {CVCertificateStore} certstore place to store keys and certificates
 */
function CVCCAGenerator(crypto, certstore) {
	var spec = new Key();
	spec.setComponent(Key.ECC_CURVE_OID, new ByteString("brainpoolP256r1", OID));

	this.crypto = crypto;
	this.certstore = certstore;
	this.keyspec = spec;
	this.taAlgorithmIdentifier = new ByteString("id-TA-ECDSA-SHA-256", OID);
	// Flip to true to have requests and certificates dumped via GPSystem.trace()
	this.verbose = false;
}



/**
 * Log a message, but only if verbose output has been enabled on this generator.
 *
 * @param {String} msg the message
 */
CVCCAGenerator.prototype.log = function(msg) {
	if (!this.verbose) {
		return;
	}
	GPSystem.trace(msg);
};
/**
 * Create a CVCA at the given path and with the defined policy.
 *
 * <p>Calling this method a second time will create a link certificate.</p>
 *
 * @param {String} path a path of certificate holder names
 * @param {Object} policy the certificate policy
 */
CVCCAGenerator.prototype.createCVCA = function(path, policy) {
	var authority = new CVCCA(this.crypto, this.certstore, null, null, path);
	authority.setKeySpec(this.keyspec, this.taAlgorithmIdentifier);

	// Create a new request
	var request = authority.generateRequest(null, false);
	this.log("Request: " + request);
	this.log(request.getASN1());

	// Proof of possession: the request must verify under the public key it
	// carries before that key is certified
	assert(request.verifyWith(this.crypto, request.getPublicKey()));

	// The CVCA signs its own request (self-signed root or link certificate)
	var certificate = authority.generateCertificate(request, policy);
	this.log("Certificate: " + certificate);
	this.log(certificate.getASN1());

	// Import certificate into store, making it the most current certificate
	authority.importCertificate(certificate);
};



/**
 * Create a DVCA at the given path and with the defined policy.
 *
 * <p>The request is certified by the CVCA found at the parent path of the
 * DVCA, which is expected to have been created with createCVCA() before.</p>
 *
 * @param {String} path a path of certificate holder names
 * @param {Object} policy the certificate policy
 */
CVCCAGenerator.prototype.createDVCA = function(path, policy) {
	var issuerPath = CVCertificateStore.parentPathOf(path);

	var issuer = new CVCCA(this.crypto, this.certstore, null, null, issuerPath);
	issuer.setKeySpec(this.keyspec, this.taAlgorithmIdentifier);

	var subject = new CVCCA(this.crypto, this.certstore, null, null, path);
	subject.setKeySpec(this.keyspec, this.taAlgorithmIdentifier);

	// Create a new request
	var request = subject.generateRequest(null, false);
	this.log("Request: " + request);
	this.log(request.getASN1());

	// Proof of possession: the request must verify under the public key it
	// carries before the CVCA certifies that key
	assert(request.verifyWith(this.crypto, request.getPublicKey()));

	var certificate = issuer.generateCertificate(request, policy);
	this.log("Certificate: " + certificate);
	this.log(certificate.getASN1());

	// Import certificate into store, making it the most current certificate
	subject.importCertificate(certificate);
};
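/**
 * Create a terminal at the given path and with the defined policy.
 *
 * <p>The request is certified by the DVCA found at the parent path of the
 * terminal, which is expected to have been created with createDVCA() before.</p>
 *
 * @param {String} path a path of certificate holder names
 * @param {Object} policy the certificate policy
 */
CVCCAGenerator.prototype.createTerminal = function(path, policy) {
	var dvca = new CVCCA(this.crypto, this.certstore, null, null, CVCertificateStore.parentPathOf(path));
	dvca.setKeySpec(this.keyspec, this.taAlgorithmIdentifier);

	var term = new CVCCA(this.crypto, this.certstore, null, null, path);
	term.setKeySpec(this.keyspec, this.taAlgorithmIdentifier);

	// Create a new request
	var req = term.generateRequest(null, false);
	this.log("Request: " + req);
	this.log(req.getASN1());

	// Proof of possession: the request must verify under the public key it
	// carries before the DVCA certifies that key
	assert(req.verifyWith(this.crypto, req.getPublicKey()));

	var cert = dvca.generateCertificate(req, policy);
	this.log("Certificate: " + cert);
	this.log(cert.getASN1());

	// Import certificate into store, making it the most current certificate
	term.importCertificate(cert);
};



/** Directory of this script; the certificate store and the sector key files are addressed relative to it */
CVCCAGenerator.CWD = GPSystem.mapFilename("", GPSystem.CWD);



/** Validity period in days applied to every certificate of the reference PKI */
CVCCAGenerator.CERTIFICATE_VALIDITY_DAYS = 3650;



/**
 * Build the certificate policy object consumed by createCVCA(), createDVCA()
 * and createTerminal().
 *
 * @param {String} roleOID name of the CHAT role OID ("id-IS", "id-AT" or "id-ST")
 * @param {String} rights the CHAT access rights as hex string; per TR-03110 the two
 *        most significant bits of the first byte carry the holder's role
 *        (CVCA / DV / terminal), the remaining bits the access rights
 * @param {Boolean} includeDomainParameter true to include the domain parameter in the certificate
 * @param {ASN1[]} extensions optional list of certificate extensions
 * @returns {Object} the policy object
 */
CVCCAGenerator.makePolicy = function(roleOID, rights, includeDomainParameter, extensions) {
	var policy = {
		certificateValidityDays: CVCCAGenerator.CERTIFICATE_VALIDITY_DAYS,
		chatRoleOID: new ByteString(roleOID, OID),
		chatRights: new ByteString(rights, HEX),
		includeDomainParameter: includeDomainParameter
	};
	// Only add the property when extensions are requested, so that a policy
	// without extensions carries no extensions property at all
	if (extensions) {
		policy.extensions = extensions;
	}
	return policy;
};



/**
 * Load a sector public key from an XML key file and return the SHA-256 hash of
 * its encoded form, as placed into the id-sector extension of a terminal certificate.
 *
 * @param {Crypto} crypto the crypto provider used for hashing
 * @param {String} filename the XML key file to load
 * @returns {ByteString} the SHA-256 hash of the encoded public key
 */
CVCCAGenerator.sectorKeyHash = function(crypto, filename) {
	var key = new Key(filename);
	// NOTE(review): re-assigning the curve OID to its own value looks like a no-op;
	// presumably it makes the curve's domain parameters available for the
	// encoding below - confirm before removing
	key.setComponent(Key.ECC_CURVE_OID, key.getComponent(Key.ECC_CURVE_OID));
	var encoded = PACE.encodePublicKey("id-RI-ECDH-SHA-256", key, true).getBytes();
	return crypto.digest(Crypto.SHA_256, encoded);
};



/**
 * Setup EAC PKI
 *
 * <p>Creates one CVCA each for inspection systems (id-IS), authentication
 * terminals (id-AT) and signature terminals (id-ST), two DVCAs below each
 * CVCA and one terminal below each DVCA. Keys and certificates of all
 * entities are written to the "cvc" directory next to this script; the
 * private keys generated here are test fixtures.</p>
 */
CVCCAGenerator.setup = function() {
	var crypto = new Crypto();
	var ss = new CVCertificateStore(CVCCAGenerator.CWD + "/cvc");
	var g = new CVCCAGenerator(crypto, ss);
	// Set g.verbose = true to trace every request and certificate
	// g.verbose = true;

	var makePolicy = CVCCAGenerator.makePolicy;

	// Create CVCAs; only the root certificates carry the domain parameter
	g.createCVCA("/UTISCVCA", makePolicy("id-IS", "C3", true));
	g.createCVCA("/UTATCVCA", makePolicy("id-AT", "FFFFFFFFFF", true));
	g.createCVCA("/UTSTCVCA", makePolicy("id-ST", "C3", true));

	// Create DVCAs. Their chatRights differ from the respective CVCA's only in
	// the role bits; the holder name suffixes (OD, OF, NO, AB, CP) presumably
	// denote the DV type - confirm against the policy documentation
	g.createDVCA("/UTISCVCA/UTISDVCAOD", makePolicy("id-IS", "83", false));
	g.createDVCA("/UTISCVCA/UTISDVCAOF", makePolicy("id-IS", "43", false));
	g.createDVCA("/UTATCVCA/UTATDVCAOD", makePolicy("id-AT", "BFFFFFFFFF", false));
	g.createDVCA("/UTATCVCA/UTATDVCANO", makePolicy("id-AT", "7FFFFFFFFF", false));
	g.createDVCA("/UTSTCVCA/UTSTDVCAAB", makePolicy("id-ST", "83", false));
	g.createDVCA("/UTSTCVCA/UTSTDVCACP", makePolicy("id-ST", "43", false));

	// Create terminals
	g.createTerminal("/UTISCVCA/UTISDVCAOD/UTTERM", makePolicy("id-IS", "03", false));
	g.createTerminal("/UTISCVCA/UTISDVCAOF/UTTERM", makePolicy("id-IS", "03", false));
	g.createTerminal("/UTATCVCA/UTATDVCAOD/UTTERM", makePolicy("id-AT", "3FFFFFFFFF", false));

	// The terminal below the non-official AT DVCA additionally carries an
	// id-sector extension holding the hashes of two sector public keys
	// (restricted identification)
	var sectorKeyHash1 = CVCCAGenerator.sectorKeyHash(crypto, CVCCAGenerator.CWD + "/kp_puk_SectorKey1.xml");
	var sectorKeyHash2 = CVCCAGenerator.sectorKeyHash(crypto, CVCCAGenerator.CWD + "/kp_puk_SectorKey2.xml");

	var sectorId = new ASN1(0x73,
		new ASN1(ASN1.OBJECT_IDENTIFIER, new ByteString("id-sector", OID)),
		new ASN1(0x80, sectorKeyHash1),
		new ASN1(0x81, sectorKeyHash2)
	);

	g.createTerminal("/UTATCVCA/UTATDVCANO/UTTERM", makePolicy("id-AT", "3FFFFFFFFF", false, [ sectorId ]));

	g.createTerminal("/UTSTCVCA/UTSTDVCAAB/UTTERM", makePolicy("id-ST", "03", false));
	g.createTerminal("/UTSTCVCA/UTSTDVCACP/UTTERM", makePolicy("id-ST", "03", false));
};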