1 /**
  2  *  ---------
  3  * |.##> <##.|  SmartCard-HSM Support Scripts
  4  * |#       #|  
  5  * |#       #|  Copyright (c) 2011-2012 CardContact Software & System Consulting
  6  * |'##> <##'|  Andreas Schwier, 32429 Minden, Germany (www.cardcontact.de)
  7  *  --------- 
  8  *
  9  * Consult your license package for usage terms and conditions.
 10  * 
 11  * @fileoverview Script to issue X.509 certificates for keys generated on the SmartCard-HSM
 12  *
 13  * <p>This script uses a simple CA located in the ca/ directory.</p>
 14  * <p>You can change the issueCertificate() calls to create your own test setup.</p>
 15  *
 16  */
 17  
 18 load("../lib/smartcardhsm.js");
 19 
 20 load("tools/eccutils.js");
 21 
 22 load("../ca/ca.js");
 23 
 24 load("../lib/hsmkeystore.js");
 25 
 26 // Some default values
 27 var userPIN = new ByteString("648219", ASCII);
 28 var initializationCode = new ByteString("57621880", ASCII);
 29 
 30 
 31 
 32 // Some default value
 33 var name = "Joe Doe";
 34 var emailaddress = "joe.doe@openehic.org";
 35 
 36 
 37 
 38 function issueCertificate(ca, hsmks, cn, keysizeOrCurve, profile, emailaddress) {
 39 	var label = cn;
 40 	var subject = [ { C:"DE" }, { O:"CardContact" }, { OU:"CardContact Demo CA 1" }, { CN:cn } ];
 41 
 42 	print("Generating key pair for " + cn);
 43 	if (typeof(keysizeOrCurve) == "string") {
 44 		var req = hsmks.generateECCKeyPair(label, keysizeOrCurve);
 45 	} else {
 46 		var req = hsmks.generateRSAKeyPair(label, keysizeOrCurve);
 47 	}
 48 	// No request checking so far
 49 	var publicKey = req.getPublicKey();
 50 	
 51 	if (typeof(keysizeOrCurve) == "string") {
 52 		publicKey.setComponent(Key.ECC_CURVE_OID, new ByteString(keysizeOrCurve, OID));
 53 	}
 54 	
 55 	var extvalues = { email : emailaddress };
 56 	print("Issuing certificate for " + cn);
 57 	var cert = ca.issueCertificate(publicKey, subject, profile, extvalues);
 58 	print(cert);
 59 
 60 	hsmks.storeEndEntityCertificate(label, cert);
 61 }
 62 
 63 
 64 
 65 
 66 // Use default crypto provider
 67 var crypto = new Crypto();
 68 
 69 // Create card access object
 70 var card = new Card(_scsh3.reader);
 71 
 72 card.reset(Card.RESET_COLD);
 73 
 74 // Create SmartCard-HSM card service
 75 var sc = new SmartCardHSM(card);
 76 
 77 var doinit = true;
 78 // Check if device is yet un-initialized
 79 if (sc.queryUserPINStatus() == 0x6984) {
 80 	var page = "<html><p><b>Warning:</b></p><br/>" + 
 81 			   "<p>This is a new device that has never been initialized before.</p><br/>" + 
 82 			   "<p>If you choose to continue, then the device initialization code will be set to " + initializationCode.toString(ASCII) + "</p><br/>" + 
 83 			   "<p>Please be advised, that this code can not be changed once set. The same code must be used in subsequent re-initialization of the device.</p><br/>" + 
 84 			   "<p>Press OK to continue or Cancel to abort.</p>" + 
 85 			   "</html>";
 86 	var userAction = Dialog.prompt(page);
 87 	assert(userAction != null);
 88 } else {
 89 	doinit = (Dialog.prompt("OK to initialize device ?") != null);
 90 }
 91 
 92 if (doinit) {
 93 	sc.initDevice(new ByteString("0001", HEX), userPIN, initializationCode, 3);
 94 }
 95 
 96 // Verify user PIN
 97 assert(sc.verifyUserPIN(userPIN) == 0x9000, "PIN Verification failed");
 98 
 99 name = Dialog.prompt("User Name", name);
100 assert(name != null);
101 
102 emailaddress = Dialog.prompt("e-Mail address", emailaddress);
103 assert(emailaddress != null);
104 
105 
106 // Create and initialize simple CA
107 var ca = new X509CA(crypto);
108 
109 var fn = GPSystem.mapFilename("../ca/DEMO-CA.jks", GPSystem.CWD);
110 var ks = new KeyStore("SUN", "JKS", fn, "openscdp");
111 var key = new Key();
112 key.setID("DEMOCA");
113 
114 ks.getKey(key, "openscdp");
115 ca.setSignerKey(key);
116 
117 var cert = ks.getCertificate("DEMOCA");
118 ca.setSignerCertificate(cert);
119 
120 var hsmks = new HSMKeyStore(sc);
121 
122 issueCertificate(ca, hsmks, name + " (RSA2048)", 2048, "EmailAndTLSClient", emailaddress);
123 issueCertificate(ca, hsmks, name + " (ECC-SECP256)", "secp256r1", "TLSClient", emailaddress);
124 issueCertificate(ca, hsmks, name + " (ECC-SECP192)", "secp192r1", "TLSClient", emailaddress);
125 issueCertificate(ca, hsmks, name + " (ECC-BP224)", "brainpoolP224r1", "TLSClient", emailaddress);
126 issueCertificate(ca, hsmks, name + " (ECC-BP320)", "brainpoolP320r1", "TLSClient", emailaddress);
127 issueCertificate(ca, hsmks, name + " (RSA1536)", 1536, "EmailAndTLSClient", emailaddress);
128 issueCertificate(ca, hsmks, name + " (RSA1024)", 1024, "EmailAndTLSClient", emailaddress);
129