1 /** 2 * --------- 3 * |.##> <##.| SmartCard-HSM Support Scripts 4 * |# #| 5 * |# #| Copyright (c) 2011-2012 CardContact Software & System Consulting 6 * |'##> <##'| Andreas Schwier, 32429 Minden, Germany (www.cardcontact.de) 7 * --------- 8 * 9 * Consult your license package for usage terms and conditions. 10 * 11 * @fileoverview Script to issue X.509 certificates for keys generated on the SmartCard-HSM 12 * 13 * <p>This script uses a simple CA located in the ca/ directory.</p> 14 * <p>You can change the issueCertificate() calls to create your own test setup.</p> 15 * 16 */ 17 18 load("../lib/smartcardhsm.js"); 19 20 load("tools/eccutils.js"); 21 22 load("../ca/ca.js"); 23 24 load("../lib/hsmkeystore.js"); 25 26 // Some default values 27 var userPIN = new ByteString("648219", ASCII); 28 var initializationCode = new ByteString("57621880", ASCII); 29 30 31 32 // Some default value 33 var name = "Joe Doe"; 34 var emailaddress = "joe.doe@openehic.org"; 35 36 37 38 function issueCertificate(ca, hsmks, cn, keysizeOrCurve, profile, emailaddress) { 39 var label = cn; 40 var subject = [ { C:"DE" }, { O:"CardContact" }, { OU:"CardContact Demo CA 1" }, { CN:cn } ]; 41 42 print("Generating key pair for " + cn); 43 if (typeof(keysizeOrCurve) == "string") { 44 var req = hsmks.generateECCKeyPair(label, keysizeOrCurve); 45 } else { 46 var req = hsmks.generateRSAKeyPair(label, keysizeOrCurve); 47 } 48 // No request checking so far 49 var publicKey = req.getPublicKey(); 50 51 if (typeof(keysizeOrCurve) == "string") { 52 publicKey.setComponent(Key.ECC_CURVE_OID, new ByteString(keysizeOrCurve, OID)); 53 } 54 55 var extvalues = { email : emailaddress }; 56 print("Issuing certificate for " + cn); 57 var cert = ca.issueCertificate(publicKey, subject, profile, extvalues); 58 print(cert); 59 60 hsmks.storeEndEntityCertificate(label, cert); 61 } 62 63 64 65 66 // Use default crypto provider 67 var crypto = new Crypto(); 68 69 // Create card access object 70 var card = new Card(_scsh3.reader); 71 72 card.reset(Card.RESET_COLD); 73 74 // Create SmartCard-HSM card service 75 var sc = new SmartCardHSM(card); 76 77 var doinit = true; 78 // Check if device is yet un-initialized 79 if (sc.queryUserPINStatus() == 0x6984) { 80 var page = "<html><p><b>Warning:</b></p><br/>" + 81 "<p>This is a new device that has never been initialized before.</p><br/>" + 82 "<p>If you choose to continue, then the device initialization code will be set to " + initializationCode.toString(ASCII) + "</p><br/>" + 83 "<p>Please be advised, that this code can not be changed once set. The same code must be used in subsequent re-initialization of the device.</p><br/>" + 84 "<p>Press OK to continue or Cancel to abort.</p>" + 85 "</html>"; 86 var userAction = Dialog.prompt(page); 87 assert(userAction != null); 88 } else { 89 doinit = (Dialog.prompt("OK to initialize device ?") != null); 90 } 91 92 if (doinit) { 93 sc.initDevice(new ByteString("0001", HEX), userPIN, initializationCode, 3); 94 } 95 96 // Verify user PIN 97 assert(sc.verifyUserPIN(userPIN) == 0x9000, "PIN Verification failed"); 98 99 name = Dialog.prompt("User Name", name); 100 assert(name != null); 101 102 emailaddress = Dialog.prompt("e-Mail address", emailaddress); 103 assert(emailaddress != null); 104 105 106 // Create and initialize simple CA 107 var ca = new X509CA(crypto); 108 109 var fn = GPSystem.mapFilename("../ca/DEMO-CA.jks", GPSystem.CWD); 110 var ks = new KeyStore("SUN", "JKS", fn, "openscdp"); 111 var key = new Key(); 112 key.setID("DEMOCA"); 113 114 ks.getKey(key, "openscdp"); 115 ca.setSignerKey(key); 116 117 var cert = ks.getCertificate("DEMOCA"); 118 ca.setSignerCertificate(cert); 119 120 var hsmks = new HSMKeyStore(sc); 121 122 issueCertificate(ca, hsmks, name + " (RSA2048)", 2048, "EmailAndTLSClient", emailaddress); 123 issueCertificate(ca, hsmks, name + " (ECC-SECP256)", "secp256r1", "TLSClient", emailaddress); 124 issueCertificate(ca, hsmks, name + " (ECC-SECP192)", "secp192r1", "TLSClient", emailaddress); 125 issueCertificate(ca, hsmks, name + " (ECC-BP224)", "brainpoolP224r1", "TLSClient", emailaddress); 126 issueCertificate(ca, hsmks, name + " (ECC-BP320)", "brainpoolP320r1", "TLSClient", emailaddress); 127 issueCertificate(ca, hsmks, name + " (RSA1536)", 1536, "EmailAndTLSClient", emailaddress); 128 issueCertificate(ca, hsmks, name + " (RSA1024)", 1024, "EmailAndTLSClient", emailaddress); 129