Class SmartCardHSM

Object
   |
   +--SmartCardHSM

class SmartCardHSM

Class implementing support for SmartCard-HSM access
Defined in smartcardhsm.js

Field Detail

card

Object card

idmap

Object idmap

maxAPDU

Object maxAPDU

namemap

Object namemap

C_DevAut

<static> Object C_DevAut

CACERTIFICATEPREFIX

<static> Object CACERTIFICATEPREFIX

CONFIDENTIALDATAPREFIX

<static> Object CONFIDENTIALDATAPREFIX

devAutPuk

<static> Object devAutPuk

EECERTIFICATEPREFIX

<static> Object EECERTIFICATEPREFIX

KEYMETAPREFIX

<static> Object KEYMETAPREFIX

KEYPREFIX

<static> Object KEYPREFIX

PIN_User

<static> Object PIN_User

PrK_DevAut

<static> Object PrK_DevAut

PRKDPREFIX

<static> Object PRKDPREFIX

rootCerts

<static> Object rootCerts

SmartCardHSM

SmartCardHSM(<Card> card)

Create a SmartCard-HSM access object

Parameters:
card - the card object

addKeyToMap

void addKeyToMap(<HSMKey> key)

Add a new key to the map of keys

Parameters:
key - the HSM key

changeUserPIN

void changeUserPIN(<ByteString> currentPIN, <ByteString> newPIN)

Change User PIN

Parameters:
currentPIN - current user PIN value
newPIN - new user PIN value

decipher

Object decipher(<Number> keyid, <Number> algo, <ByteString> data)

Decipher cryptogram or agree shared secret using Diffie-Hellman

Parameters:
keyid - the key identifier
algo - the algorithm identifier
data - the the cryptogram or concatenation of x || y of ECC public key

Returns:
the plain output

deleteFile

Object deleteFile(<ByteString> fid)

Delete file system object (EF or key)

Parameters:
fid - the two byte file object identifier

determineFreeKeyId

Number determineFreeKeyId()

Determine an unused key identifier

Returns:
a free key identifier or -1 if all key identifier in use

enumerateKeys

String[] enumerateKeys()

Enumerate key objects in the SmartCard-HSM and build the map of keys

Returns:
the list of key labels

enumerateObjects

Object enumerateObjects()

Enumerate Objects

Returns:
the enumeration

generateAsymmetricKeyPair

ByteString generateAsymmetricKeyPair(<Number> newkid, <Number> signkid, <ByteString> keydata)

Generate an asymmetric key pair

Parameters:
newkid - key identifier for new key
signkid - key identifier for signing the new public key
keydata - the key data template

Returns:
the certificate signing request containing the new public key

generateRandom

Object generateRandom(<Number> length)

Generate random data

Parameters:
length - number of bytes

Returns:
the random bytes

getCrypto

HSMCrypto getCrypto()

Get crypto object

Returns:
the HSMCrypto object

getKey

Key getKey(label)

Get a key reference object

Parameters:
path - the relative path of the PKI element (e.g. "/UTCVCA1/UTDVCA1/UTTERM")

Returns:
the key or null if not found

importKeyShare

Object importKeyShare(<ByteString> keyshare)

Import DKEK share or query status

Parameters:
keyshare - 32 byte key share

Returns:
object with properties sw{Number}, shares{Number}, outstanding{Number} and kcv{ByteString}

initDevice

void initDevice(<ByteString> options, <ByteString> initialPIN, <ByteString> initializationCode, <Number> retryCounterInitial, <Number> keyshares)

Initialize device and clear all keys and files

Parameters:
options - two byte option mask
initialPIN - initial user PIN value
initializationCode - secret code for device initialization (set during first use)
retryCounterInitial - retry counter for user PIN
keyshares - number of device key encryption key shares (optional)

logout

void logout()

Logout

openSecureChannel

ISOSecureChannel openSecureChannel(<Crypto> crypto, <Key> devAuthPK)

Open a secure channel using device authentication

Parameters:
crypto - the crypto provider to use
devAuthPK - the device authentication public key

Returns:
the initialized secure channel

queryUserPINStatus

Number queryUserPINStatus()

Request PIN Status Information

Returns:
the status word SW1/SW2 returned by the device

readBinary

ByteString readBinary(<ByteString> fid, <Number> offset, <Number> length)

Read transparent EF referenced by file identifier

Parameters:
fid - the two byte file identifier
offset - the offset into the EF (optional)
length - the number of byte to read (optional)

Returns:
the data read from the EF

sign

Object sign(<Number> keyid, <algo> algo, <ByteString> data)

Sign data using referenced key

Parameters:
keyid - the key identifier for signing
algo - the algorithm identifier
data - the data to be signed

Returns:
the signature value

unwrapKey

void unwrapKey(<Number> id, <ByteString> keyblob)

Unwrap key with DKEK

Parameters:
id - key id
keyblob - the wrapped key

updateBinary

void updateBinary(<ByteString> fid, <Number> offset, <ByteString> data)

Update transparent EF referenced by file identifier

Parameters:
fid - the two byte file identifier
offset - the offset into the EF
data - the data to write

verifyUserPIN

Object verifyUserPIN(<ByteString> userPIN)

Verify User PIN

Parameters:
userPIN - user PIN value

Returns:
the status word SW1/SW2 returned by the device

wrapKey

ByteString wrapKey(<Number> id)

Wrap key under DKEK

Parameters:
id - key id

Returns:
key blob with encrypted key value

buildGAKPwithECC

<static> ByteString buildGAKPwithECC(<PublicKeyReference> innerCAR, <ByteString> algo, <PublicKeyReference> chr, <Key> dp, <PublicKeyReference> outerCAR, priKey)

Build input for Generate Asymmetric Key Pair command for generating an ECC key pair

Parameters:
innerCAR - the CA the request shall be directed to
algo - the public key algorithm
chr - the certificate holder reference associated with this key
dp - the domain parameter for the key
outerCAR - the certificate holder reference of the public key for verifying the outer signature
privateKey - optional parameter to supply a private key value for import. This only works with the development version of the SmartCard-HSM.

Returns:
the encoded C-Data for GENERATE ASYMMETRIC KEY PAIR

buildGAKPwithRSA

<static> ByteString buildGAKPwithRSA(<PublicKeyReference> innerCAR, <ByteString> algo, <PublicKeyReference> chr, <Number> keysize, <PublicKeyReference> outerCAR)

Build input for Generate Asymmetric Key Pair command for generating a RSA key pair

Parameters:
innerCAR - the CA the request shall be directed to
algo - the public key algorithm
chr - the certificate holder reference associated with this key
keysize - the module size in bits (1024, 1536 or 2048)
outerCAR - the certificate holder reference of the public key for verifying the outer signature

Returns:
the encoded C-Data for GENERATE ASYMMETRIC KEY PAIR

buildPrkDforECC

<static> ASN1 buildPrkDforECC(<Number> keyid, <String> label, keysize)

Create a PKCS#15 PrivateECCKey description

Parameters:
keyid - the key identifier
label - the key label

Returns:
the PrivateECCKey description

buildPrkDforRSA

<static> ASN1 buildPrkDforRSA(<Number> keyid, <String> label, <Number> modulussize)

Create a PKCS#15 PrivateRSAKey description

Parameters:
keyid - the key identifier
label - the key label
modulussize -

Returns:
the PrivateECCKey description

dumpKeyData

<static> void dumpKeyData(<ByteString> keydata)

Dump C-Data of Generate Asymmetric Key Pair command

Parameters:
keydata - the content of C-Data

stripLeadingZeros

<static> ByteString stripLeadingZeros(<ByteString> value)

Strips leading zeros of a ByteString

Parameters:
value - the ByteString value

Returns:
the stripped ByteString object, may be an empty ByteString

test

<static> void test()

validateCertificateChain

<static> Key validateCertificateChain(<Crypto> crypto, <ByteString> devAutCert)

Validate device certificate chain

Parameters:
crypto - the crypto provider to use
devAutCert - the device certificate chain read from EF.C_DevAut

Returns:
the device authentication public key