import_P12.js
Summary
Import RSA Key and certificate from PKCS#12 file into SmartCard-HSM
SmartCardHSM = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSM;
HSMKeyStore = require("scsh/sc-hsm/HSMKeyStore").HSMKeyStore;
DKEK = require("scsh/sc-hsm/DKEK").DKEK;
var crypto = new Crypto();
var dkekshare = crypto.generateRandom(32);
var doinit = true;
var page = "<html>" +
"<p>The DKEK is used to encrypt the private key for import into the SmartCard-HSM.</p>" +
"<p>If you already have initialized your SmartCard-HSM and know the DKEK from a previous key import,<br>" +
"then you can replace the random DKEK below with the known DKEK from the previous import</p>" +
"</html>";
var str = Dialog.prompt(page, dkekshare.toString(HEX));
if ((str != null) && (str.length > 0)) {
newdkekshare = new ByteString(str, HEX);
assert(newdkekshare.length == 32, "DKEK share must be 32 bytes long");
if (!newdkekshare.equals(dkekshare)) {
doinit = false;
dkekshare = newdkekshare;
}
}
var card = new Card(_scsh3.reader);
card.reset(Card.RESET_COLD);
var sc = new SmartCardHSM(card);
if (doinit) {
if (sc.queryUserPINStatus() == 0x6984) {
assert(Dialog.prompt("WARNING: If you continue, then your SmartCard-HSM will be initialized to the initialization code selected in the next step"));
} else {
assert(Dialog.prompt("WARNING: If you continue, then your SmartCard-HSM will be initialized and all key contained will be lost"));
}
var initializationCode = Dialog.prompt("Enter initialization code for SmartCard-HSM", "3537363231383830");
assert(initializationCode != null);
initializationCode = new ByteString(initializationCode, HEX);
var pin = Dialog.prompt("Enter PIN for newly initialized SmartCard-HSM", "648219");
assert(pin != null);
pin = new ByteString(pin, ASCII);
sc.initDevice(new ByteString("0001", HEX), pin, initializationCode, 3, 1);
var status = sc.importKeyShare(dkekshare);
print("Device initialized:");
print("-------------------");
print("SW : " + status.sw.toString(HEX));
print("Shares : " + status.shares);
print("Outstanding : " + status.outstanding);
print("KVC : " + status.kcv.toString(HEX));
print("");
} else {
assert(sc.queryUserPINStatus() != 0x6984, "SmartCard-HSM is not initialized");
var pin = Dialog.prompt("Enter PIN for SmartCard-HSM", "648219");
assert(pin != null);
pin = new ByteString(pin, ASCII);
}
sc.verifyUserPIN(pin);
var file = "";
var pwd = "";
do {
var file = Dialog.prompt("Select PKCS#12 container", file, null, "*.p12");
assert(file != null);
var pwd = Dialog.prompt("Enter PKCS#12 password", pwd);
assert(pwd != null);
var ks = new KeyStore("BC", "PKCS12", file, pwd);
var aliases = ks.getAliases();
var alias = Dialog.prompt("Select key", "", aliases);
assert(alias != null);
var key = new Key();
key.setType(Key.PRIVATE);
key.setID(alias);
ks.getKey(key);
var cert = ks.getCertificate(alias);
print(cert);
var alias = Dialog.prompt("Enter key name for import", alias);
assert(alias != null);
var ks = new HSMKeyStore(sc);
var dkek = new DKEK(crypto);
dkek.importDKEKShare(dkekshare);
var pubkey = cert.getPublicKey();
var blob = dkek.encodeKey(key, pubkey);
dkek.dumpKeyBLOB(blob);
if (pubkey.getComponent(Key.MODULUS)) {
hkey = ks.importRSAKey(alias, blob, cert.getPublicKey().getSize());
var signalgo = Crypto.RSA_PSS_SHA256;
} else {
hkey = ks.importECCKey(alias, blob, cert.getPublicKey().getSize());
var signalgo = Crypto.ECDSA_SHA256;
}
ks.storeEndEntityCertificate(alias, cert);
var msg = new ByteString("Hello World", ASCII);
var signature = hkey.sign(signalgo, msg);
assert(crypto.verify(cert.getPublicKey(), signalgo, msg, signature));
} while (Dialog.prompt("Import more keys ?"));
Documentation generated by
JSDoc on Sat Feb 24 15:17:19 2024