manageSOPIN.js
Summary
Manage the SO-PIN: switch from the default value to a value derived from an AES key, and vice versa
var CVC = require("scsh/eac/CVC").CVC;
var SmartCardHSM = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSM;
var HSMKeyStore = require("scsh/sc-hsm/HSMKeyStore").HSMKeyStore;
/**
 * Holder for the state shared between selectKey() and the card event callbacks
 * (crypto provider, management key, switch direction).
 * Starts with a plain Crypto provider; selectKey() replaces it with the
 * provider of the SmartCard-HSM that holds the management key.
 */
function ManageSOPIN() {
	var initialProvider = new Crypto();
	this.crypto = initialProvider;
}
/**
 * Let the user pick the AES management key on the currently selected reader
 * and the direction of the SO-PIN switch, then verify the User PIN.
 *
 * Side effects: replaces this.crypto with the crypto provider of the card,
 * sets this.managementKey (the chosen AES key from the HSMKeyStore) and
 * this.toManaged (true = default -> managed, false = managed -> default).
 *
 * Fails via assert() when the user cancels a dialog or the chosen key is not
 * an AES key.
 */
ManageSOPIN.prototype.selectKey = function() {
	var keyCard = new Card(_scsh3.reader);
	var hsm = new SmartCardHSM(keyCard);
	this.crypto = hsm.getCrypto();

	var keyStore = new HSMKeyStore(hsm);
	var keyLabels = keyStore.enumerateKeys();

	var chosenLabel = Dialog.prompt("Select management key", "", keyLabels);
	assert(chosenLabel != null, "User abort");

	// Only an AES key can produce the CMAC used in cardInserted().
	var chosenKey = keyStore.getKey(chosenLabel);
	assert(chosenKey.getType() == "AES", "Key must be an AES key");
	this.managementKey = chosenKey;

	var modes = [
		"Switch from Default SO-PIN to managed SO-PIN",
		"Switch from managed SO-PIN to Default SO-PIN"
	];
	var chosenMode = Dialog.prompt("Select mode", modes[0], modes);
	assert(chosenMode != null, "User abort");
	this.toManaged = (chosenMode == modes[0]);

	// User PIN verification happens last, presumably so that the management
	// key is usable for sign() once the token to manage is inserted.
	hsm.verifyUserPIN();
}
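/**
 * Card event handler: switch the SO-PIN (initialization code) of the inserted
 * SmartCard-HSM between the well-known default value and the value derived
 * from the management key.
 *
 * The managed SO-PIN is the first 8 bytes of an AES-CMAC, computed with the
 * management key selected in selectKey(), over the ASCII path of the validated
 * device certificate chain. The direction of the switch is this.toManaged.
 *
 * @param {Object} reader - reader the card was inserted into, as passed by the
 *                          card event listener mechanism
 */
ManageSOPIN.prototype.cardInserted = function(reader) {
	var card = new Card(reader);
	var sc = new SmartCardHSM(card);

	// Validate the device certificate chain before deriving anything from it;
	// the derived SO-PIN is bound to the chain path of this particular device.
	var devAutCert = sc.readBinary(SmartCardHSM.C_DevAut);
	var certchain = SmartCardHSM.validateCertificateChain(this.crypto, devAutCert);

	var cmac = this.managementKey.sign(Crypto.AES_CMAC, new ByteString(certchain.path, ASCII));

	// Both candidate values are built once; the original declared oldsopin/newsopin
	// in each branch and repeated the default literal.
	var defaultSOPIN = new ByteString("57621880", ASCII);
	var managedSOPIN = cmac.bytes(0, 8);

	var oldsopin = this.toManaged ? defaultSOPIN : managedSOPIN;
	var newsopin = this.toManaged ? managedSOPIN : defaultSOPIN;

	// NOTE(review): if the presented old SO-PIN does not match (e.g. a different
	// management key than the one used when the token was first managed), this
	// call fails and presumably consumes an SO-PIN retry on the device -- confirm.
	sc.changeInitializationCode(oldsopin, newsopin);

	if (this.toManaged) {
		print("SO-PIN changed to managed mode");
	} else {
		print("SO-PIN changed to default value");
	}
}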
/**
 * Card event handler for removal; intentionally a no-op, all work is done in
 * cardInserted().
 */
ManageSOPIN.prototype.cardRemoved = function() {
}
// Explain what is about to happen before the first dialog opens.
print("This script will change the default SO-PIN on a SmartCard-HSM to a SO-PIN");
print("derived from an AES key on another SmartCard-HSM.");
print("The same key derivation mechanism is used in the PKI-as-a-Service Portal");
print("when SmartCard-HSMs (token) are managed by a trust center");

// Pick the management key and the switch direction on the current reader,
// then wait for the token whose SO-PIN is to be changed; cardInserted()
// performs the actual change.
var manager = new ManageSOPIN();
manager.selectKey();
print("Insert SE to manage SO-PIN");
Card.setCardEventListener(manager);