decrypt_keyblob.js

Summary

No overview generated for 'decrypt_keyblob.js'


/*
 * Decrypt Key Blob from SmartCard-HSM
 *
 * (c) 2014 CardContact Software & System Consulting, Andreas Schwier, Minden, Germany
 *
 * Information contained in this script is confidential and released under NDA
 *
 * This script initializes a SmartCard-HSM with two DKEK shares, generates and exports a RSA key
 * From the DKEK share it generates the Kenc/Mmac for key wrap and decodes the exported key blob
 *
 * Please note, that the sc-hsm-tool will further wrap the key blob generated by the SmartCard-HSM
 * with the private key description and the certificate read from an EF in the device. Please see
 * the sc-hsm-tool.c source for details.
 *
 * Warning: The device will be re-initialized by this script.
 */

PublicKeyReference = require('scsh/eac/PublicKeyReference').PublicKeyReference;
SmartCardHSM = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSM;
SmartCardHSMKeySpecGenerator = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSMKeySpecGenerator;
DKEK = require("scsh/sc-hsm/DKEK").DKEK;

var pin = new ByteString("648219", ASCII);
var initializationCode = new ByteString("57621880", ASCII);

var dkekshare1 = new ByteString("A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5", HEX);
var dkekshare2 = new ByteString("E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1E1", HEX);


// Attach to SmartCard-HSM

var card = new Card(_scsh3.reader);
var sc = new SmartCardHSM(card);

if (sc.queryUserPINStatus() == 0x6984) {
	var page = "<html><p><b>Warning:</b></p><br/>" +
		   "<p>This is a new device that has never been initialized before.</p><br/>" +
		   "<p>If you choose to continue this test, then the device initialization code will be set to " + initializationCode.toString(ASCII) + " </p><br/>" +
		   "<p>Please be advised, that this code can be changed later, however the same code must be used in subsequent re-initialization of the device.</p><br/>" +
		   "<p>Press OK to continue or Cancel to abort.</p>" +
		   "</html>";
	var userAction = Dialog.prompt(page);
	assert(userAction != null);
}


// Initialize Device with a double DKEK share

sc.initDevice(new ByteString("0001", HEX), pin, initializationCode, 3, 2);

sc.importKeyShare(dkekshare1);
var status = sc.importKeyShare(dkekshare2);

print("Device initialized:");
print("-------------------");
print("SW          : " + status.sw.toString(HEX));
print("Shares      : " + status.shares);
print("Outstanding : " + status.outstanding);
print("KVC         : " + status.kcv.toString(HEX));
print("");


// Determine keys for wrap/unwrap

var crypto = new Crypto();

var dkek = new DKEK(crypto);
dkek.importDKEKShare(dkekshare1);
dkek.importDKEKShare(dkekshare2);
var kenc = dkek.getKENC();
var kmac = dkek.getKMAC();

print("Values derived from DKEK shared:");
print("--------------------------------");
print("DKEK        : " + dkek.dkek.toString(HEX));
print("KVC         : " + dkek.getKCV().toString(HEX));
print("Kenc        : " + kenc.getComponent(Key.AES).toString(HEX));
print("Kmac        : " + kmac.getComponent(Key.AES).toString(HEX));
print("");


// Generate a Test RSA Key with 1024 Bit

sc.verifyUserPIN(pin);

var spec = new SmartCardHSMKeySpecGenerator(Crypto.RSA, 1024);

var rsp = this.sc.generateAsymmetricKeyPair(1, 0, spec.encode());
// print("Card generated certificate signing request");
// print(new ASN1(rsp));


// Wrap key

var keyblob = sc.wrapKey(1);

print("Key blob");
print("--------");
print(keyblob);

dkek.dumpKeyBLOB(keyblob);



var keyspec = new Key();
keyspec.setComponent(Key.ECC_CURVE_OID, new ByteString("brainpoolP256r1", OID));

var spec = new SmartCardHSMKeySpecGenerator(Crypto.EC, keyspec);

var rsp = this.sc.generateAsymmetricKeyPair(2, 0, spec.encode());
// print("Card generated certificate signing request");
// print(new ASN1(rsp));


// Wrap key

var keyblob = sc.wrapKey(2);

print("Key blob");
print("--------");
print(keyblob);

dkek.dumpKeyBLOB(keyblob);


Documentation generated by JSDoc on Sat Feb 24 15:17:19 2024