

/**
 *  ---------
 * |.##> <##.|  SmartCard-HSM Support Scripts
 * |#       #|
 * |#       #|  Copyright (c) 2011-2015 CardContact Software & System Consulting
 * |'##> <##'|  Andreas Schwier, 32429 Minden, Germany (www.cardcontact.de)
 *  ---------
 *
 * Consult your license package for usage terms and conditions.
 *
 * @fileoverview Key attestation example
 */

var CVC = require("scsh/eac/CVC").CVC;
var SmartCardHSM = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSM;
var SmartCardHSMKeySpecGenerator = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSMKeySpecGenerator;
var HSMKeyStore = require("scsh/sc-hsm/HSMKeyStore").HSMKeyStore;



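// Crypto provider used for chain validation, secure messaging and the signature checks below
var crypto = new Crypto();

// Connect to the card in the configured reader and start from a cold reset
var card = new Card(_scsh3.reader);
card.reset(Card.RESET_COLD);

// Obtain a SmartCardHSM instance bound to the card
var sc = new SmartCardHSM(card);

// Read the device authentication certificate (C_DevAut) and validate the chain
// up to the Scheme Root CA (SRCA). Everything that follows trusts this chain,
// so a missing result must abort the script instead of continuing with an
// unauthenticated device. Note: the check is on the local `chain` variable
// (the original tested `this.chain`, which is not the value assigned above).
var devAutCert = sc.readBinary(SmartCardHSM.C_DevAut);
var chain = SmartCardHSM.validateCertificateChain(crypto, devAutCert);
if (chain == null) {
	throw new GPError(module.id, GPError.DEVICE_ERROR, 0, "SmartCard-HSM authentication failed");
}

// Authenticate the device and open an AES secure messaging channel keyed
// against the public key from the validated chain
sc.openSecureChannel(crypto, chain.publicKey, Key.AES);

// Verify the user PIN. The value here is a hard-coded sample PIN for the
// example; a deployment should obtain the PIN from a secure prompt rather
// than embedding it in a script.
sc.verifyUserPIN(new ByteString("648219", ASCII));

// Obtain a key store for the SmartCard-HSM
var ks = new HSMKeyStore(sc);

// Create a key spec for generating the key pair: an EC key on brainpoolP256r1
var dp = new Key();
dp.setComponent(Key.ECC_CURVE_OID, new ByteString("brainpoolP256r1", OID));

var gen = new SmartCardHSMKeySpecGenerator(Crypto.EC, dp);

// Use for RSA
//var gen = new SmartCardHSMKeySpecGenerator(Crypto.RSA, 2048);

var label = "Key Attestation Example";

print("Generating " + label);

// Remove any previous key with the same label so the generated key is fresh
if (ks.hasKey(label)) {
	ks.deleteKey(label);
}

// Generate the key pair; the returned request is verified against the device
// certificate at the end of the script
var req = ks.generateKeyPair(label, gen);

print("Full certificate chain:");
print("SRCA    : " + chain.srca);
print("DICA    : " + chain.dica);
print("DevAut  : " + chain.devicecert);
print("Request : " + req);

// Dump the ASN.1 structure of the request after decorating it
req.decorate();
print(req.getASN1());

// Independently re-verify every link: SRCA signs DICA, DICA signs the device
// certificate, and the device certificate's key signs the attestation on the
// request. Any failed link means the key cannot be trusted to live in this HSM.
assert(chain.dica.verifyWithCVC(crypto, chain.srca), "Could not validate DICA");
assert(chain.devicecert.verifyWithCVC(crypto, chain.dica), "Could not validate Device");
assert(req.verifyATWithCVC(crypto, chain.devicecert), "Could not validate request");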




