manageSOPIN.js


Manage SO-PIN and switch from default to value managed by AES key and vice versa



/**
 *  ---------
 * |.##> <##.|  SmartCard-HSM Support Scripts
 * |#       #|
 * |#       #|  Copyright (c) 2020 CardContact Systems GmbH
 * |'##> <##'|  32429 Minden, Germany (www.cardcontact.de)
 *  ---------
 *
 * Consult your license package for usage terms and conditions.
 *
 * @fileoverview Manage SO-PIN and switch from default to value managed by AES key and vice versa
 */

var CVC = require("scsh/eac/CVC").CVC;
var SmartCardHSM = require("scsh/sc-hsm/SmartCardHSM").SmartCardHSM;
var HSMKeyStore = require("scsh/sc-hsm/HSMKeyStore").HSMKeyStore;



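/**
 * Helper object that switches the SO-PIN (initialization code) of a
 * SmartCard-HSM between its default value and a value derived from an AES
 * management key held on another SmartCard-HSM.
 *
 * All fields are populated by selectKey(); they are declared here so the
 * object's shape is visible in one place:
 *   crypto        - crypto provider used to validate device certificate chains;
 *                   selectKey() replaces this software provider with the one
 *                   of the management HSM
 *   managementKey - AES key object from the management HSM's key store
 *                   (only the key handle is held here, CMACs are computed by
 *                   that HSM)
 *   toManaged     - true: default SO-PIN -> managed SO-PIN,
 *                   false: managed SO-PIN -> default SO-PIN
 */
function ManageSOPIN() {
	this.crypto = new Crypto();
	this.managementKey = null;
	this.toManaged = false;
}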



/**
 * Interactive setup on the management SmartCard-HSM, i.e. the reader
 * currently selected in the shell (_scsh3.reader): choose the AES management
 * key, choose the direction of the switch and verify the User PIN.
 *
 * Side effects: sets this.crypto (the management HSM's crypto provider, later
 * used to validate device certificate chains), this.managementKey and
 * this.toManaged. Aborts via assert() when a dialog is cancelled or the
 * selected key is not an AES key.
 */
ManageSOPIN.prototype.selectKey = function() {
	var mgmtCard = new Card(_scsh3.reader);
	var mgmtHSM = new SmartCardHSM(mgmtCard);
	this.crypto = mgmtHSM.getCrypto();

	// Only the key label is chosen here; the key object stays a handle to
	// the key inside the management HSM.
	var keyStore = new HSMKeyStore(mgmtHSM);
	var chosenLabel = Dialog.prompt("Select management key", "", keyStore.enumerateKeys());
	assert(chosenLabel != null, "User abort");

	var chosenKey = keyStore.getKey(chosenLabel);
	assert(chosenKey.getType() == "AES", "Key must be an AES key");
	this.managementKey = chosenKey;

	var toManagedOpt = "Switch from Default SO-PIN to managed SO-PIN";
	var toDefaultOpt = "Switch from managed SO-PIN to Default SO-PIN";
	var chosenMode = Dialog.prompt("Select mode", toManagedOpt, [ toManagedOpt, toDefaultOpt ]);
	assert(chosenMode != null, "User abort");
	this.toManaged = (chosenMode === toManagedOpt);

	// Authenticate to the management HSM now; presumably required before the
	// AES key can be used for CMAC in cardInserted() - confirm against the
	// key's usage policy.
	mgmtHSM.verifyUserPIN();
}



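/**
 * Card event handler: derive the managed SO-PIN for the freshly inserted
 * SmartCard-HSM and switch it in the direction chosen in selectKey().
 *
 * The managed SO-PIN is the first 8 bytes of
 * AES-CMAC(managementKey, certchain.path), where certchain.path comes from
 * the validated device authentication certificate chain. The value is thus
 * bound to the device's authenticated identity and can only be recomputed by
 * a holder of the management key - that key is the root of trust for every
 * token managed this way. The default SO-PIN "57621880" is the value the
 * script treats as the unmanaged state.
 *
 * @param reader the reader a card was inserted into (passed to new Card())
 * @throws via assert()/the underlying API when selectKey() has not run, the
 *         certificate chain does not validate or the PIN change fails
 */
ManageSOPIN.prototype.cardInserted = function(reader) {
	assert(this.managementKey != null, "selectKey() must be called before cards are inserted");

	var card = new Card(reader);
	var sc = new SmartCardHSM(card);

	// Authenticate the device first: the SO-PIN is derived from the validated
	// chain path, so a device whose chain does not validate must never get a
	// SO-PIN computed for it (validateCertificateChain is expected to throw;
	// the assert covers a null/empty result as a fail-closed backstop).
	var devAutCert = sc.readBinary(SmartCardHSM.C_DevAut);
	var certchain = SmartCardHSM.validateCertificateChain(this.crypto, devAutCert);
	assert(certchain != null && certchain.path, "Device certificate chain could not be validated");

	// CMAC is computed inside the management HSM; the key never leaves it.
	var cmac = this.managementKey.sign(Crypto.AES_CMAC, new ByteString(certchain.path, ASCII));
	var managedSOPIN = cmac.bytes(0, 8);
	var defaultSOPIN = new ByteString("57621880", ASCII);

	var oldsopin = this.toManaged ? defaultSOPIN : managedSOPIN;
	var newsopin = this.toManaged ? managedSOPIN : defaultSOPIN;

	// NOTE(review): if the token is already in the target mode the current
	// SO-PIN is wrong and this call fails; presumably that consumes a SO-PIN
	// retry, so select the correct mode before inserting tokens.
	sc.changeInitializationCode(oldsopin, newsopin);

	print(this.toManaged ? "SO-PIN changed to managed mode" : "SO-PIN changed to default value");
}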



/**
 * Card event handler for removal. Nothing to do: no per-card state is kept,
 * the only persistent state lives on the management HSM chosen in selectKey().
 */
ManageSOPIN.prototype.cardRemoved = function() {
	// intentionally a no-op
};


// Entry point: print the banner, run the interactive setup on the management
// HSM and then hand control to the card event listener, which invokes
// cardInserted() once per inserted token.
(function printBanner() {
	var lines = [
		"This script will change the default SO-PIN on a SmartCard-HSM to a SO-PIN",
		"derived from an AES key on another SmartCard-HSM.",
		"The same key derivation mechanism is used in the PKI-as-a-Service Portal",
		"when SmartCard-HSMs (token) are managed by a trust center"
	];
	for (var i = 0; i < lines.length; i++) {
		print(lines[i]);
	}
})();

var dso = new ManageSOPIN();
dso.selectKey();

print("Insert SE to manage SO-PIN");
Card.setCardEventListener(dso);


