x509-ca-test.js

Summary

Script to create a database and SmartCard-HSM backed two layer PKI.


/**
 *  ---------
 * |.##> <##.|  SmartCard-HSM Support Scripts
 * |#       #|
 * |#       #|  Copyright (c) 2011-2015 CardContact Software & System Consulting
 * |'##> <##'|  Andreas Schwier, 32429 Minden, Germany (www.cardcontact.de)
 *  ---------
 *
 * Consult your license package for usage terms and conditions.
 *
 * @fileoverview Script to create a database and SmartCard-HSM backed two layer PKI.
 */

var DAOFactoryDatabase = require('scsh/pki-db/DAOFactoryDatabase').DAOFactoryDatabase;
var X509CertificateStore = require('scsh/x509/X509CertificateStore').X509CertificateStore;
var X509CertificateIssuer = require('scsh/x509/X509CertificateIssuer').X509CertificateIssuer;
var X509Signer = require('scsh/x509/X509Signer').X509Signer;
var SmartCardHSM = require('scsh/sc-hsm/SmartCardHSM').SmartCardHSM;
var SmartCardHSMInitializer = require('scsh/sc-hsm/SmartCardHSM').SmartCardHSMInitializer;
var CryptoProvider = require('scsh/sc-hsm/CryptoProvider').CryptoProvider;
var PKIXCommon = require("scsh/x509/PKIXCommon").PKIXCommon;


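// You need to add a mariadb-java-client to the lib directory of your SmartCard-HSM installation
// to allow accessing a MySQL database. You can copy the file from the scriptingserver installation.
//
// Database connection parameters for the local test database "x509" (the database name is
// appended to url below). The user name and password here are placeholder test values;
// do not keep real database credentials in a script file.
var type = "MySQL";
var url = "jdbc:mysql://localhost/";
var user = "testing";
var password = "password";


// The SmartCard-HSM is re-initialized further down, so stop here unless the operator confirms.
assert(Dialog.prompt("Warning: This script will initialize the SmartCard-HSM attached"));

// Create a simple Crypto Provider Factory
var card = new Card(_scsh3.reader);
var sc = new SmartCardHSM(card);
// sc.verifyUserPIN(new ByteString("648219", ASCII));
// The initializer gets its own name so that the holder loop counter below cannot clobber it.
var initializer = new SmartCardHSMInitializer(card);
initializer.initialize();

// NOTE(review): the meaning of the 0 / -1 arguments is not documented here - see CryptoProvider
var cp = new CryptoProvider(sc, 0, -1);

// Every issuer and signer created below shares the single provider; id and requireLogin are ignored.
var cpf = { getCryptoProvider: function(id, requireLogin) { return cp }};


// Access the database
var daof = new DAOFactoryDatabase(type, url + "x509", user, password);

// Destructive: all existing tables of the PKI database are dropped before the schema is recreated.
daof.dropTables();
daof.createTables();


var starttime = new Date();

print("Started at " + starttime);

// Define policy for self-signed root certificate
var keyspec = new Key();
// Alternative RSA key specification (not used):
// keyspec.setSize(1024);
// var sigalg = Crypto.RSA_SHA256;
keyspec.setComponent(Key.ECC_CURVE_OID, new ByteString("brainpoolP256r1", OID));
var sigalg = Crypto.ECDSA_SHA256;

var rootCApolicy = {
	distinguishedName: [ { C:"UT" }, { O:"OpenSCDP" }, { CN:"OpenSCDP Demo Root CA 1" } ],
	keySpecification: keyspec,
	signatureAlgorithm: sigalg,
	reqSignatureAlgorithm: sigalg,
	validityDaysSelfSigned: 3650,
	validityDaysCertificates: 730,
	validityDaysCRL: 10
};

// Create a basic X509CertificateIssuer in the database (no parent holder - this is the root)
var name = PKIXCommon.makeName(rootCApolicy.distinguishedName);
print("Name : " + name);
var holderId = X509CertificateIssuer.createCertificateIssuer(daof, undefined, undefined, { name: name } );

var holderdao = daof.getHolderDAO();
var holder = holderdao.getHolderById(holderId);

// Create a certificate issuer instance from database
var rootCA = new X509CertificateIssuer(daof, cpf, holder);

rootCA.setPolicy(rootCApolicy);

// Create a signer (aka key pair)
var t = {
	keyDomain: 1
};

var keyId = rootCA.newSigner("Root Signer 1", t);

// The request must carry a valid signature made with the key it contains
var request = rootCA.getRequest(keyId);
assert(request.verify());

rootCA.issueSelfSignedCertificate(keyId);
var crl = rootCA.issueCRL();

print(crl);

var cert = rootCA.getSignerCertificate();

print(cert);


// Now create a sub-ca policy

var subCApolicy = {
	distinguishedName: [ { C:"UT" }, { O:"OpenSCDP" }, { OU: "OpenSCDP" }, { CN: "OpenSCDP Demo Sub CA 1" } ],
	keySpecification: keyspec,
	signatureAlgorithm: sigalg,
	reqSignatureAlgorithm: sigalg,
	validityDaysCertificates: 730,
	validityDaysCRL: 10
};


// Create a basic X509CertificateIssuer for the sub-ca, chained to the root CA holder
var name = PKIXCommon.makeName(subCApolicy.distinguishedName);
print("Name : " + name);
var holderId = X509CertificateIssuer.createCertificateIssuer(daof, rootCA.getHolderId(), undefined, { name: name });
var holder = holderdao.getHolderById(holderId);

// Create a certificate issuer instance from database
var subCA = new X509CertificateIssuer(daof, cpf, holder);

subCA.setPolicy(subCApolicy);
var keyId = subCA.newSigner("Sub-CA Signer 2", t);

// Verify the request signature before the root CA certifies the sub-CA key, as done for the root above
var request = subCA.getRequest(keyId);
assert(request.verify());

var cert = rootCA.issueCertificate(subCA.getHolder(), request.getPublicKey(), request.getSubject(), undefined);
print(cert.cert);

// Create 5 holder with 5 signers each
for (var i = 1; i <= 5; i++) {
	var name = "Test" + i;

	var holderId = X509Signer.createSigner(daof, subCA.getHolderId(), undefined, { name: name });
	var holder = holderdao.getHolderById(holderId);
	var s = new X509Signer(daof, cpf, holder);

	var dn = [ { C:"UT" }, { O:"OpenSCDP" }, { OU: "OpenSCDP" }, { OU: "OpenSCDP Samples" }, { CN: name } ];
	var policy = {
		distinguishedName: dn,
		keySpecification: keyspec,
		signatureAlgorithm: sigalg,
		reqSignatureAlgorithm: sigalg
	};
	s.setPolicy(policy);

	for (var j = 1; j <= 5; j++) {
		var keyId = s.newSigner(undefined, t);
//		s.setPolicy({ reqSignatureAlgorithm: sigalg });

		// Verify the request signature before the sub-CA issues a certificate for the key
		var request = s.getRequest(keyId);
		assert(request.verify());

		var cert = subCA.issueCertificate(s.getHolder(), request.getPublicKey(), request.getSubject(), undefined);
		print(cert.cert);
//		var extvalues = { dNSName: "www.openscdp.org" };
//		var cert = subCA.issueCertificateForRequest(s.getHolder(), request, "TLSServer", extvalues);
//		print(cert);
	}
}

var stoptime = new Date();
print("Ended at " + stoptime);
var duration = stoptime.valueOf() - starttime.valueOf();
print("Duration " + duration + " ms");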

