issue-test-certs.js
Summary
Script to issue X.509 certificates for keys generated on the SmartCard-HSM
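// Smart Card Shell (scsh) library modules. Declared with `var` so that the
// bindings are explicit script-level globals instead of implicit ones created
// by undeclared assignment.
var SmartCardHSM = require('scsh/sc-hsm/SmartCardHSM').SmartCardHSM;
var SmartCardHSMKeySpecGenerator = require('scsh/sc-hsm/SmartCardHSM').SmartCardHSMKeySpecGenerator;
var HSMKeyStore = require('scsh/sc-hsm/HSMKeyStore').HSMKeyStore;
var X509CA = require('scsh/x509/X509CA').X509CA;

// Hard-coded demo credentials for the test device: the user PIN and the
// device initialization code. initDevice() writes the initialization code
// into the device and, as the warning dialog in this script states, it can
// not be changed once set -- a device initialized with this script keeps it.
var userPIN = new ByteString("648219", ASCII);
var initializationCode = new ByteString("57621880", ASCII);

// Defaults offered in the subject-data dialogs; replaced by the user's input.
var name = "Joe Doe";
var emailaddress = "joe.doe@openehic.org";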
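/**
 * Generate a key pair on the SmartCard-HSM and issue an X.509 certificate for it.
 *
 * The key is generated under the label cn, the certificate is signed by ca and
 * the resulting certificate is stored on the device under the same label.
 *
 * @param {X509CA} ca - CA used to sign the certificate
 * @param {HSMKeyStore} hsmks - key store backed by the SmartCard-HSM
 * @param {String} cn - common name of the subject; also used as the key label
 * @param {Number|String} keysizeOrCurve - RSA modulus length in bits, or the
 *        name of an EC curve (converted to an OID) for an EC key pair
 * @param {String} profile - name of the certificate profile handed to the CA
 * @param {String} emailaddress - value placed into the e-mail extension
 */
function issueCertificate(ca, hsmks, cn, keysizeOrCurve, profile, emailaddress) {
    var label = cn;

    // Subject DN: the C/O/OU attributes are fixed to the demo CA, only CN varies.
    var subject = [ { C:"DE" }, { O:"CardContact" }, { OU:"CardContact Demo CA 1" }, { CN:cn } ];

    print("Generating key pair for " + cn);

    // A string argument selects an EC curve by name, any other value is taken
    // as an RSA key size.
    var spec;
    if (typeof keysizeOrCurve === "string") {
        var dp = new Key();
        dp.setComponent(Key.ECC_CURVE_OID, new ByteString(keysizeOrCurve, OID));
        spec = new SmartCardHSMKeySpecGenerator(Crypto.EC, dp);
    } else {
        spec = new SmartCardHSMKeySpecGenerator(Crypto.RSA, keysizeOrCurve);
    }

    // The device returns a request object from which the public key is taken.
    var req = hsmks.generateKeyPair(label, spec);
    var publicKey = req.getPublicKey();

    var extvalues = { email : emailaddress };

    print("Issuing certificate for " + cn);
    var cert = ca.issueCertificate(publicKey, subject, profile, extvalues);
    print(cert);

    hsmks.storeEndEntityCertificate(label, cert);
}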
// --- Connect to the SmartCard-HSM -------------------------------------------
var crypto = new Crypto();
var card = new Card(_scsh3.reader);
card.reset(Card.RESET_COLD);
var sc = new SmartCardHSM(card);

// --- Device initialization --------------------------------------------------
// An already initialized device is only re-initialized on request. A device
// that was never initialized gets a warning that the initialization code is
// set permanently; cancelling that dialog aborts the script.
var doinit = true;
if (sc.isInitialized()) {
    doinit = (Dialog.prompt("OK to initialize device ?") != null);
} else {
    var page = [
        "<html><p><b>Warning:</b></p><br/>",
        "<p>This is a new device that has never been initialized before.</p><br/>",
        "<p>If you choose to continue, then the device initialization code will be set to " + initializationCode.toString(ASCII) + "</p><br/>",
        "<p>Please be advised, that this code can not be changed once set. The same code must be used in subsequent re-initialization of the device.</p><br/>",
        "<p>Press OK to continue or Cancel to abort.</p>",
        "</html>"
    ].join("");
    var userAction = Dialog.prompt(page);
    assert(userAction != null);
}

if (doinit) {
    // Initializes the device with the hard-coded demo user PIN and
    // initialization code. The trailing 3 is presumably the PIN retry
    // counter -- confirm against SmartCardHSM.initDevice().
    sc.initDevice(new ByteString("0001", HEX), userPIN, initializationCode, 3);
}

// Everything below runs under the user PIN; 0x9000 is the success status word.
assert(sc.verifyUserPIN(userPIN) == 0x9000, "PIN Verification failed");

// --- Subject data -----------------------------------------------------------
name = Dialog.prompt("User Name", name);
assert(name != null);
emailaddress = Dialog.prompt("e-Mail address", emailaddress);
assert(emailaddress != null);

// --- Demo CA ----------------------------------------------------------------
// Signer key and certificate are loaded from the demo CA's PKCS#12 file with
// a hard-coded keystore password; this is test material, not a production CA.
var ca = new X509CA(crypto);
var ks = new KeyStore("SUN", "PKCS12", X509CA.dir + "/DEMO-CA.p12", "openscdp");
var cakey = Dialog.prompt("Select CA", "democa", ks.getAliases());

var key = new Key();
key.setID(cakey);
ks.getKey(key, "openscdp");
ca.setSignerKey(key);

var cert = ks.getCertificate(cakey);
ca.setSignerCertificate(cert);

// --- Certificate issuance ---------------------------------------------------
var hsmks = new HSMKeyStore(sc);

// One entry per key: [ label suffix, RSA key size or EC curve name, profile ].
// RSA1024 and secp192r1 are kept for device coverage; they are below current
// key-length recommendations and only suitable as test material.
var baseKeys = [
    [ "RSA2048", 2048, "EmailAndTLSClient" ],
    [ "RSA1536", 1536, "EmailAndTLSClient" ],
    [ "RSA1024", 1024, "EmailAndTLSClient" ],
    [ "ECC-SECP256", "secp256r1", "TLSClient" ],
    [ "ECC-SECP192", "secp192r1", "TLSClient" ],
    [ "ECC-BP224", "brainpoolP224r1", "TLSClient" ],
    [ "ECC-BP320", "brainpoolP320r1", "TLSClient" ]
];

// Larger keys and curves are only requested from firmware that passes the
// version gate below (major >= 3, or 0.53 and later). 1.x and 2.x firmware
// never passes this test -- presumably intentional, worth confirming.
var extendedKeys = [
    [ "RSA3072", 3072, "EmailAndTLSClient" ],
    [ "RSA4096", 4096, "EmailAndTLSClient" ],
    [ "ECC-BP384", "brainpoolP384r1", "TLSClient" ],
    [ "ECC-BP512", "brainpoolP512r1", "TLSClient" ],
    [ "ECC-SECP384", "secp384r1", "TLSClient" ],
    [ "ECC-SECP521", "secp521r1", "TLSClient" ]
];

for (var i = 0; i < baseKeys.length; i++) {
    var entry = baseKeys[i];
    issueCertificate(ca, hsmks, name + " (" + entry[0] + ")", entry[1], entry[2], emailaddress);
}

if ((sc.major >= 3) || ((sc.major == 0) && (sc.minor > 52))) {
    for (var j = 0; j < extendedKeys.length; j++) {
        var extra = extendedKeys[j];
        issueCertificate(ca, hsmks, name + " (" + extra[0] + ")", extra[1], extra[2], emailaddress);
    }
}

// Store the issuing CA's certificate on the device under the CA's alias.
hsmks.storeCACertificate(cakey, cert);