yubico / yubihsm-shell Goto Github PK
View Code? Open in Web Editor NEWyubihsm-shell and libyubihsm
Home Page: https://developers.yubico.com/yubihsm-shell/
License: Apache License 2.0
yubihsm-shell's People
Contributors
Stargazers
Watchers
Forkers
jakuje mouse07410 panduit-chrc snaxfoundation bzm3yt kento-m jeamland juikim aiyee arisenio fioprotocol ajb042487 osterlad testitesti22 jimuezcybuss88 spoonincode loai-kanou paulh-adion classicvalues quinndiggity nevun hrio tomorrowsj naimulhq cherepakha matthewcroughan armoniax tarak-stratus isabella232 data-mall acc01ade joostd tessellated-io marcelmws cyberflamego greg-szabo paragonsean misodengaku zx2c4-forks oxidecomputer driseley gillsoftab baloo marcwillert jasoncolburne myksyr-tdy dantecmeloyubihsm-shell's Issues
Cant unwrap private Key
I got following code, the used authentication has capabilites and delegated capabilities the same:
"sign-eddsa|exportable-under-wrap|export-wrapped|import-wrapped|unwrap-data|wrap-data|generate-asymmetric-key|generate-wrap-key|get-log-entries"
#include <assert.h>
#include "yubihsm.h"
#include "internal.h"
const uint8_t password[] = "XXX";
/*
struct yh_connector {
void *backend;
struct backend_functions *bf;
yh_backend *connection;
char *status_url;
char *api_url;
bool has_device;
uint8_t version_major;
uint8_t version_minor;
uint8_t version_patch;
uint8_t address[32];
uint32_t port;
uint32_t pid;
};
*/
static yh_connector connector_arg;
void print_yhrc(yh_rc yrc);
void print_buffer(uint8_t *label, uint8_t *buffer, uint32_t len);
int main(int argc, char *argv[]) {
yh_connector *connector = &connector_arg;
yh_session *session = NULL;
yh_rc yrc = YHR_GENERIC_ERROR;
uint16_t authkey = 3754;
const char *connector_url;
//yhusb://serial=0007550878
connector_url = "yhusb://";
yrc = yh_init();
assert(yrc == YHR_SUCCESS);
yrc = yh_init_connector(connector_url, &connector);
assert(yrc == YHR_SUCCESS);
//yh_set_verbosity(connector, (uint8_t)YH_VERB_ALL);
//printf("Device %d\n", (uint32_t)(((struct yh_connector*)connector)->backend));
yrc = yh_connect(connector, 0);
if (yrc == YHR_SUCCESS) {
printf("Connected!\n");
//printf(yh_strerror(yrc));
} else {
printf("Connect error: %02d\n", (int)yrc);
}
yrc = yh_create_session_derived(connector, authkey, password,
sizeof(password), false, &session);
if (yrc != YHR_SUCCESS) {
printf(yh_strerror(yrc));
}
yrc = yh_authenticate_session(session);
assert(yrc == YHR_SUCCESS);
uint8_t session_id;
yrc = yh_get_session_id(session, &session_id);
assert(yrc == YHR_SUCCESS);
printf("Successfully established session %02d\n", session_id);
uint16_t domain_arg;
uint16_t *domain = &domain_arg;
yrc = yh_string_to_domains("1", domain);
print_yhrc(yrc);
uint16_t wrapkey_arg = 0; //let device generate id
uint16_t* wrapkey_p = &wrapkey_arg;
yh_capabilities wrapkey_cap_arg;
yh_capabilities *wrapkey_cap = &wrapkey_cap_arg;
yrc = yh_string_to_capabilities("export-wrapped|import-wrapped|unwrap-data|wrap-data|exportable-under-wrap", wrapkey_cap);
print_yhrc(yrc);
uint16_t key_arg = 0; //let device generate id
uint16_t* key_p = &key_arg;
yh_capabilities yh_cap_arg;
yh_capabilities *yh_cap = &yh_cap_arg;
yrc = yh_string_to_capabilities("sign-eddsa|exportable-under-wrap|unwrap-data|wrap-data", yh_cap);
print_yhrc(yrc);
/*yh_rc yh_util_generate_wrap_key(yh_session *session, uint16_t *key_id,
const char *label, uint16_t domains,
const yh_capabilities *capabilities,
yh_algorithm algorithm,
const yh_capabilities *delegated_capabilities);*/
printf("Generate WrapKey\n");
yrc = yh_util_generate_wrap_key(session,
wrapkey_p,
"TestLabel",
*domain,
wrapkey_cap,
YH_ALGO_AES256_CCM_WRAP,
yh_cap);
print_yhrc(yrc);
printf("GeneratedWrapKey ID: %02d\n", *wrapkey_p);
printf("Generate EDKey\n");
yrc = yh_util_generate_ed_key(session, key_p,
"TestLabel",
*domain,
yh_cap,
YH_ALGO_EC_ED25519);
print_yhrc(yrc);
printf("GeneratedKey ID: %02d\n", *key_p);
size_t wrapout_len=10000;
size_t *wrapout_len_p=&wrapout_len;
uint8_t wrapoutcome[10000] = {};
/*yh_rc yh_util_export_wrapped(yh_session *session, uint16_t wrapping_key_id,
yh_object_type target_type, uint16_t target_id,
uint8_t *out, size_t *out_len);*/
printf("Export WrapData\n");
yrc = yh_util_export_wrapped(session,
*wrapkey_p,
YH_ASYMMETRIC_KEY,
*key_p,
wrapoutcome, wrapout_len_p);
print_yhrc(yrc);
//print_buffer("WrapData", wrapoutcome, *wrapout_len_p);
size_t outwrapout_len=10000;
size_t *outwrapout_len_p=&outwrapout_len;
uint8_t outwrapoutcome[10000] = {};
printf("Unwrap Data\n");
/*yh_rc yh_util_unwrap_data(yh_session *session, uint16_t key_id,
const uint8_t *in, size_t in_len, uint8_t *out,
size_t *out_len);*/
yrc = yh_util_unwrap_data(session,
*wrapkey_p,
wrapoutcome,
*wrapout_len_p,
outwrapoutcome,
outwrapout_len_p);
print_yhrc(yrc);
print_buffer("PrivateKey", outwrapoutcome, *outwrapout_len_p);
const uint8_t* data = "WurstMitKaese";
uint8_t outcome[128] = {};
size_t out_len_arg = 128;
size_t *outcome_len = &out_len_arg;
printf("Signing Data\n");
yrc = yh_util_sign_eddsa(session, *key_p,
data,
(size_t)13,
outcome,
outcome_len);
print_yhrc(yrc);
print_buffer("Signature", outcome, *outcome_len);
printf("Get PublicKey\n");
uint8_t puboutcome[10000] = {};
size_t pubout_len_arg = 10000;
size_t* puboutcome_len = &pubout_len_arg;
yh_algorithm pubalgo;
yh_algorithm *pubalgo_p = &pubalgo;
yrc = yh_util_get_public_key(session, *key_p, puboutcome,
puboutcome_len, pubalgo_p);
printf("Algo: %02d\n", (uint8_t)pubalgo);
print_yhrc(yrc);
print_buffer("PublicKey1", puboutcome, *puboutcome_len);
yrc = yh_util_close_session(session);
print_yhrc(yrc);
yrc = yh_disconnect(connector);
print_yhrc(yrc);
yrc = yh_exit();
return 0;
}
void print_yhrc(yh_rc yrc) {
if (yrc == YHR_SUCCESS) {
} else {
printf("Error: %02d\n", (int)yrc);
}
}
void print_buffer(uint8_t *label, uint8_t *buffer, uint32_t len) {
printf(label);
printf("\nBuffer len: %02d\n", len);
for(uint32_t i = 0; i<len; i++) {
printf("0x%02x,", *buffer);
buffer++;
}
printf("\n");
}
But i get error -13 while unwrapping data.
Error for invalid data.
command "echo" doesn't work.
Hello,
I'm learning the quick_start_tutorial .
But, "echo" example in quick_start_tutorial doesn't work.
When I try to excute the example, I got this error :
yubihsm> echo MEUCIQDrBqS04LN5YdyWGiD4iaEjfl1dn+W4cl97uMMXDpoaiQIgEBe/G/FgP4cumnO3K2XWToAnPvnuVDOnqHPiuUS0q5g= >signature.b64
Invalid argument 1: MEUCIQDrBqS04LN5YdyWGiD4iaEjfl1dn+W4cl97uMMXDpoaiQIgEBe/G/FgP4cumnO3K2XWToAnPvnuVDOnqHPiuUS0q5g= (e:session)
How can I store a signature as it is in a temporary file ?
USB serial number parsing has problems with leading zeros
I recently noticed that leading zeros in the device serial number throw off the command line parsing when specifying -C "yhusb://serial= to connect to a particular local device.
Good behaviour:
./yubihsm-shell -C "yhusb://serial=4242424"
yubihsm> debug all
Debug messages enabled
yubihsm> connect
[LIB - INF ...] yubihsm.c:4069 (yh_init_connector): Loading usb backend
[LIB - INF ...] lib_util.c:166 (parse_usb_url): USB url parsed with serial 4242424.
Unexpected behaviour:
./yubihsm-shell -C "yhusb://serial=0004242424"
yubihsm> debug all
Debug messages enabled
yubihsm> connect
[LIB - INF ...] yubihsm.c:4069 (yh_init_connector): Loading usb backend
[LIB - INF ...] lib_util.c:166 (parse_usb_url): USB url parsed with serial 1131796.
1131796 is not a reasonable serial number in this context.
This is relevant for people that use the serial number as delivered by lsusb -v, example output:
lsusb -v
[...]
iManufacturer 1 Yubico
iProduct 2 YubiHSM
iSerial 3 0004242424
Support for RSA with public exponent e = 3
Hi,
we at TBTL are considering using your yubihsm 2 device, but we need support for RSA with e = 3. Do you plan to support that in the near future?
yh_is_ec does not check all ECC algorithms
yh_is_ec returns false for some of the new defines for ECC algorithms.
Instructions for noobs
hello,
one thing to note, after the "make" command, you need "make install", I was googling for hours and it was a super simple fix. Might be good to add it to the documentation for the other noobs out there.
This dependancy was also required(needed to specify the dev version)
sudo apt install libpcsclite-dev
also this one for the Rockpi
help2man
cheers and thanks for the build! got it working
Unable to read Asymmetric Key
I am trying to generate private public key pairs outside of the Yubihsm2 so I could import it to multiple different HSMs. I am running the following commands:
openssl genrsa -out private-key.pem 2048
openssl rsa -in private-key.pem -pubout -out public-key.pem
yubihsm-shell
Using default connector URL: http://127.0.0.1:12345
yubihsm> connect
Session keepalive set up to run every 15 seconds
yubihsm> session open 1 password
Created session 0
yubihsm> put asymmetric 0 0 test 1 none rsa-pkcs1-sha256 private-key.pem
Unable to read asymmetric key
I am not sure why the key is not being imported. Any advice?
The command "set outformat" displays incorrect help
When running the command "set outformat" in a command prompt running Yubihsm-shell, the command line help is "outformat Set: input format". This should be changed to "outformat Set: output format".
YubiHSM sessions are not handled/conveyed correctly in yubishell
It is documented on dev.yubico.com that all sessions have an expiration period of 30s.
However, when sessions are allowed to expire, "list sessions" does not appear to reflect any status changes.
To illustrate, here is a transcript of an interaction with the YubiHSM when testing this particular issue:
yubihsm> keepalive off
Session keepalive set up to run every 0 seconds
yubihsm> list sessions
yubihsm> session open 1 password
Created session 0
– Wait for 30+ seconds for the session to elapse –
yubihsm> list objects 0
Failed to list objects: Invalid session
yubihsm> list sessions
Session 0
Note that this does not happen if a session is explicitly closed:
yubihsm> session open 1 password
Created session 0
yubihsm> list sessions
Session 0
yubihsm> session close 0
yubihsm> list sessions
yubihsm>
How to force reset if the default auth key is deleted?
How to force reset if default auth key is deleted and there's no more auth keys have the right permission ?
Created session 0
yubihsm> reset 0
Failed to reset device: Wrong permissions for operation
Same program under ubuntu 18.04 and centOS7
Hi guys, can you help me?
I wrote a golang wrap for some functions from yubihsm2.h, and it works perfectly under Ubuntu 18.04, but does not on centOS7?
There are somehow inconsistencies in processing the capabilites?!
It's easy stuff like importing and generating wrapkeys.
Code compilation error on PureOS version 9.0 Amber
I had been trying to compile YubiHSM-Shell tool from the source – “https://github.com/Yubico/yubihsm-shell” for PureOS Amber version 9.0.
I downloaded the dependencies, compiled the code, and built the tool, however when I am trying to run “make test” command, 5/26 tests are failing. Below is the link for the test failure image.
Can someone please help me resolving the issue?
Building with GCC 10 fails
Building with GCC 10 (gcc-10.0.1-0.7.fc32.x86_64) fails with following errors:
In function 'memcpy',
inlined from 'register_subcommand' at /builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c:136:3,
inlined from 'create_command_list' at /builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c:245:3:
/usr/include/bits/string_fortified.h:34:10: error: writing 26 bytes into a region of size 24 [-Werror=stringop-overflow=]
34 | return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
| ^
/builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c: In function 'create_command_list':
/builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c:130:16: note: at offset 32 to an object with size 56 allocated by 'malloc' here
130 | Command *c = malloc(sizeof(Command));
| ^
In function 'memcpy',
inlined from 'register_subcommand' at /builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c:136:3,
inlined from 'create_command_list' at /builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c:248:3:
/usr/include/bits/string_fortified.h:34:10: error: writing 29 bytes into a region of size 24 [-Werror=stringop-overflow=]
34 | return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
| ^
/builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c: In function 'create_command_list':
/builddir/build/BUILD/yubihsm-shell-2.0.2/src/main.c:130:16: note: at offset 32 to an object with size 56 allocated by 'malloc' here
130 | Command *c = malloc(sizeof(Command));
| ^
and several other similar issues. I had hard time to make sense from this, but it looks like the new gcc does not handle well the commands created like this:
245 register_subcommand(*c, (Command){"all", yh_com_debug_all, NULL, fmt_nofmt,
246 fmt_nofmt, "Enable all debug messages",
247 NULL, NULL});
I did not investigate this too deeply, whether it is a bug in gcc or in your code, but it is certainly something that will deserve some attention.
Is it possible to stabilize the signature result?
Is it possible to stabilize the signature result using secp256k1?
Every time i execute client.sign_ecdsa(key_id, msg) with the same key_id and msg, will get different results. Sometimes it's even wrong.
Did I use the wrong api?
memory resource leaks in yubihsm-shell CLI tool
Part no. 1
During recent fuzzing of yubihsm-shell, I've noticed that the following memory allocated in the main() is not properly free'd in the cleanup phase:
Line 1791 in 130a1cf
Line 1798 in 130a1cf
The main_exit section doesn't touch it:
Lines 2718 to 2733 in 130a1cf
Part no. 2
While looking at the pcc_failure cleanup section of the related parse_configured_connectors() function, I've noticed the following line, which I think is flawed and also leads to some resource leakage:
Line 1713 in 130a1cf
It doesn't make sense to overwrite ctx->connector_list multiple times with NULL and then try to free() it.
The line should probably have been ctx->connector_list[i] = NULL;
Comment
Given the context, I do not consider either issue security related. The functional impact of the leaks is likely also low for regular CLI operation.
Wrapped ED25519 key import not working
Related to support #78302
We are trying to build a tool that will allow users to export their key to pkcs8 format keys in order to import them into their Yubi HSM2 device.
For this tool we are targetting 3 algorithm ecp256, eck256 and ed25519. The two first are working wonderfully. Our users are able to export their key, wrap them using yubihsm-wrap and then import them into the HSM with no problem
Our issue is with ed25519. We have tried several things in order to make it work, but we just realized that even if we generate a key with openssl we are not able to import it.
Detailed steps are below, the final error message is;
Failed to store wrapped object: Malformed command / invalid data
Unable to store wrapped object
If you could give me some directions regarding this is it would be very much appreciated.
Thanks in advance
- Operating System: Windows? macOS? or Linux? and any pertinent build numbers or distributions?
jev@baker ~ % uname -a
Linux baker 4.18.0-21-generic #22-Ubuntu SMP Wed May 15 13:13:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
jev@baker ~ % cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.10
DISTRIB_CODENAME=cosmic
DISTRIB_DESCRIPTION="Ubuntu 18.10"
- YubiHSM2 firmware version (launch yubishm-shell >> connect >> get deviceinfo)
yubihsm> get deviceinfo
Version number: 2.1.2
Serial number: 9680228
Log used: 62/62
Supported algorithms: rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384,
rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256,
rsa-pss-sha384, rsa-pss-sha512, rsa2048,
rsa3072, rsa4096, ecp256,
ecp384, ecp521, eck256,
ecbp256, ecbp384, ecbp512,
hmac-sha1, hmac-sha256, hmac-sha384,
hmac-sha512, ecdsa-sha1, ecdh,
rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384,
rsa-oaep-sha512, aes128-ccm-wrap, opaque-data,
opaque-x509-certificate, mgf1-sha1, mgf1-sha256,
mgf1-sha384, mgf1-sha512, template-ssh,
aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp,
aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap,
ecdsa-sha256, ecdsa-sha384, ecdsa-sha512,
ed25519, ecp224,
- Version of YubiHSM2 SDK (if you're not sure, you should be able to confirm with apt search yubihsm-shell on Ubuntu distributions or yum search yubihsm-shell on CentOS)
yubihsm-shell/now 2.0.1-1 amd64 [installed,local]
- Any steps you used to initially configure the YubiHSM2.
Nothing of note. We are using it with all defaults as far as we can tell.
- any other information that may provide assistance for us to replicate?
We have posted the steps here: https://stackoverflow.com/questions/57185517/how-to-import-a-ed25519-private-key-into-yubi-hsm-2
and I will repeat a summary here again; I have also attached the shell script that I used to make this output, for your convenience. Note that in our lab, we are running the yubi connector daemon on host http://10.60.58.15:12345, and that is reflected in the below logs.
jev@baker ~ % sudo sh ./test_yubi_ed_import.sh
+ echo -en \x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff
+ yubihsm-shell -p password -a put-wrap-key -i 20 -c all --delegated all --informat bin --in wrap.key
Using default connector URL: http://127.0.0.1:12345
Failed connecting 'http://127.0.0.1:12345'
Not connected
Failed to open session
+ yubihsm-shell -C http://10.60.58.15:12345 -p password -a put-wrap-key -i 31 -c all --delegated all --informat bin --in wrap.key
Session keepalive set up to run every 15 seconds
Created session 0
Key length not matching, should be 16, 24 or 32
Unable to put wrapkey
+ openssl genpkey -algorithm Ed25519 -out ed25519key.pem
+ yubihsm-wrap -a ed25519 -c sign-eddsa -d 1,2,5 --id 31 --label ED25519_Key --in ed25519key.pem --wrapkey wrap.key --out private.yhw
Unable to read wrapkey file
+ yubihsm-shell -C http://10.60.58.15:12345 -p password -a put-wrapped --wrap-id 30 --in private.yhw
Session keepalive set up to run every 15 seconds
Created session 0
Failed to store wrapped object: Malformed command / invalid data
Unable to store wrapped object
jev@baker ~ %
- any debug logs you may have?
This is the debug output from the connector (running with the -d flag) from when we run the command "yubihsm-shell -C http://10.60.58.15:12345 -p password -a put-wrapped --wrap-id 30 --in private.yhw"
DEBU[0491] reopening usb context Correlation-ID=5e7801ec-d77e-70da-e1c9-719350dc54da why="status request"
DEBU[0491] Returning a matched device Correlation-ID=5e7801ec-d77e-70da-e1c9-719350dc54da Device-Serial=0009680228 Wanted-Serial=
DEBU[0491] usb endpoint read Correlation-ID=5e7801ec-d77e-70da-e1c9-719350dc54da buf="[]" err="libusb: timeout [code -7]" len=0 n=0
INFO[0491] handled request Content-Length=0 Content-Type= Method=GET RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/status User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=5e7801ec-d77e-70da-e1c9-719350dc54da latency=288.937117ms
DEBU[0491] usb device already open Correlation-ID=12741265-8fab-3f7f-127d-b0220b2a0f73
DEBU[0491] usb endpoint write Correlation-ID=12741265-8fab-3f7f-127d-b0220b2a0f73 buf="[3 0
10 0 1 147 18 122 55 33 42 219 186]" err="<nil>" len=13 n=13
DEBU[0491] usb endpoint read Correlation-ID=12741265-8fab-3f7f-127d-b0220b2a0f73 buf="[131
0 17 0 190 0 74 153 169 227 82 80 143 17 23 103 78 86 232 127]" err="<nil>" len=20 n=20
INFO[0491] handled request Content-Length=13 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=12741265-8fab-3f7f-127d-b0220b2a0f73 latency=11.326757ms
DEBU[0491] usb device already open Correlation-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974
DEBU[0491] usb endpoint write Correlation-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974 buf="[4 0
17 0 132 254 103 185 248 190 148 33 159 86 86 84 49 7 15 113]" err="<nil>" len=20 n=20
DEBU[0491] usb endpoint read Correlation-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974 buf="[132
0 0]" err="<nil>" len=3 n=3
INFO[0491] handled request Content-Length=20 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974 latency=9.764995ms
DEBU[0491] usb device already open Correlation-ID=48156e3a-ca2c-e984-402d-b817a5157708
DEBU[0491] usb endpoint write Correlation-ID=48156e3a-ca2c-e984-402d-b817a5157708 buf="[5 0
137 0 214 95 17 65 127 28 29 103 154 57 229 160 49 4 194 188 88 104 254 153 167 187 245 18 12 78 211 33 29 191 227 59 125 197 52 178 9 104 241 34 74 7 171 88 49 60 195 92 238 229 160 82 164 104 209 125 94 76 37 171 193 75 150 229 177 204
206 105 31 247 60 171 240 7 116 126 125 77 82 229 76 38 134 45 218 215 79 128 194 32 231 176 231 217 105 21 6 118 140 146 140 54 133 157 68 189 170 205 159 237 223 202 255 113 180 238 41 118 7 252 158 214 16 221 98 175 88 2 195 146 102 93 246 80 138 4]" err="<nil>" len=140 n=140
DEBU[0491] usb endpoint read Correlation-ID=48156e3a-ca2c-e984-402d-b817a5157708 buf="[133
0 25 0 187 114 145 119 80 14 156 249 101 181 88 1 90 104 165 199 110 162 50 34 92 62 85 90]" err="<nil>" len=28 n=28
INFO[0491] handled request Content-Length=140 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=48156e3a-ca2c-e984-402d-b817a5157708 latency=15.084616ms
DEBU[0491] usb device already open Correlation-ID=816f6498-77cf-72c5-c00b-0d6219853e18
DEBU[0491] usb endpoint write Correlation-ID=816f6498-77cf-72c5-c00b-0d6219853e18 buf="[5 0
25 0 12 10 63 179 178 252 201 29 61 158 6 104 27 32 89 165 164 210 221 18 131 123 25 253]" err="<nil>" len=28 n=28
DEBU[0491] usb endpoint read Correlation-ID=816f6498-77cf-72c5-c00b-0d6219853e18 buf="[133
0 25 0 220 190 52 117 122 10 61 237 228 10 126 35 250 68 16 80 105 118 54 177 31 47 23 201]" err="<nil>" len=28 n=28
INFO[0491] handled request Content-Length=28 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=816f6498-77cf-72c5-c00b-0d6219853e18 latency=10.966123ms
Question: how to connect via HTTPS?
When I specify connector as https://localhost:12345 (and provide the key and the cert to the yubihsm-connector, of course), the shell fails to connect with the following debug messages:
yubihsm> connect https://127.0.0.1:12345
[LIB - INF 16:23:06.975870] yubihsm.c:4048 (yh_init_connector): Loading http backend
[LIB - INF 16:23:06.981988] yubihsm.c:4056 (yh_init_connector): Loaded a backend
[LIB - INF 16:23:06.982002] yubihsm.c:3901 (create_connector): Creating connector
[LIB - INF 16:23:06.982023] yubihsm.c:3953 (create_connector): Creating *connector->connection
[LIB - INF 16:23:06.982044] yubihsm.c:3963 (create_connector): Created connector
[LIB - INF 16:23:06.982054] yubihsm_curl.c:86 (backend_connect): Trying to connect to http://127.0.0.1:12345/connector/status
[LIB - ERR 16:23:06.982685] yubihsm_curl.c:113 (backend_connect): Amount of data received does not match scratch buffer. Expected 3, found 7
[LIB - ERR 16:23:06.982700] yubihsm.c:4088 (yh_connect): Failed when connecting: Generic error
yubihsm-connector displays the following:
2018/11/27 16:23:06 http: TLS handshake error from 127.0.0.1:51001: tls: first record does not look like a TLS handshake
Cannot connect yubihsm2 without touch
What's your problem?
I have bought three yubihsm2, the first key works fine. But the others yubihsm2 would not flash after plug in the computer.
Any other supplementary information?
Accidental discovery of keeping in touch with my finger after plugging into computer, it will be flash. Once my fingers are gone, re-touch will not work.
Perhaps double authentication needs to be turned off, but why not the first one?
Invalid argument 6: export-wrapped:import-wrapped (c:capabilities)
yubihsm-shell 1.0.4
yubihsm> put wrapkey 0 0 "Wrap Key" all export-wrapped,import-wrapped exportable-under-wrap,sign-pkcs,sign-pss,sign-ecdsa,sign-eddsa,decrypt-pkcs,decrypt-oaep,derive-ecdh,sign-hmac,verify-hmac,sign-ssh-certificate,decrypt-otp,create-otp-aead,randomize-otp-aead,rewrap-from-otp-aead-key,rewrap-to-otp-aead-key,sign-attestation-certificate XXXXXXX
Invalid argument 6: export-wrapped,import-wrapped (c:capabilities)
Even a copy/paste of the examples on the website fail.
release for ubuntu 20.04
I've attempted to build yubihsm-connector and yubihsm-shell on Ubuntu 20.04 and I seem to have gotten it to build successfully, but I'm unable to actually get it to connect okay. I can see the HSM is being recognized by the OS (in the output of dmesg), but when I try to actually open a session I see failed usb proxy with device not found in the debug output.
I'm sure I've missed something in the build/install process that's being handled by the packages you provide. I'd love to just have a supported 20.04 release. Is there any chance you could get a 20.04 build added at some point?
GCC9 build issues with [-Werror=vla-larger-than=]
The GCC9 introduced some checks that fail to build the testsuite:
/builddir/build/BUILD/yubihsm-shell-2.0.0/pkcs11/tests/ecdh_derive_test.c: In function 'main':
/builddir/build/BUILD/yubihsm-shell-2.0.0/pkcs11/tests/ecdh_derive_test.c:368:17: error: variable-length array bound is unknown [-Werror=vla-larger-than=]
368 | unsigned char ecdh1_bytes[ecdh1_len]; // public key in DER
| ^
/builddir/build/BUILD/yubihsm-shell-2.0.0/pkcs11/tests/ecdh_derive_test.c:419:41: error: variable-length array bound is unknown [-Werror=vla-larger-than=]
419 | unsigned char ecdh1_value[ecdh1_len], ecdh2_value[ecdh2_len];
| ^
lto1: all warnings being treated as errors
lto-wrapper: fatal error: /usr/bin/cc returned 1 exit status
I am not decided whether this is a bug in yubihsm-shell or in gcc since many other uses of VLA are fine for GCC (probably the lenght are bounded by some constants?), but I am attaching a patch that I used to make the things build using dynamic allocation (I can do a PR if you would be willing to accept this change):
https://src.fedoraproject.org/rpms/yubihsm-shell/blob/master/f/yubihsm-shell-2.0.0-gcc9.patch
Otherwise, it is mostly for reference for others who might hit build issues with the new GCC9.
Unable to export object wrap-key with ID 0xd74f
Hi
we are having trouble making a backup of our newly deployed YubiHSM2.
We are running the yubihsm-setup dump with this command line:
yubihsm-set.exe -k 0x6925 -c http://127.0.0.1:12345 dump
Enter our authentication password
Enter our wrapping key ID 0xd74f
With the output:
Found 4 object(s) Successfully exported object asymmetric-key with ID......... Unable to export object wrap-key ID 0xd74f: Wrong permissions for operationg. Skipping over....
The rest are successful.
We have verified that the authenticator-key 0x6925 has the capabilities: export-wrapped and import-wrapped and also delegated capabilities include exportable-under-wrap.
Can we have signed releases?
The current version of https://developers.yubico.com/yubihsm-shell/ does not list the releases nor any signatures of the releases. Can this be added as it already exists for other projects?
Thanks.
Cannot put wrap according to the documentation
I have tried to follow the guide and use the command yubihsm-shell (authentication options) -a put-wrap-key -i 20 -c all --delegated all --informat bin --in wrap.key. It has ended with the following error:
Session keepalive set up to run every 15 seconds
Created session 0
Failed to store wrapkey: Malformed command / invalid data
Unable to put wrapkey
I have also added --verbose=9:
[LIB - INF 09:17:39.648542] yubihsm.c:4052 (yh_init_connector): Loading http backend
[LIB - INF 09:17:39.654880] yubihsm_curl.c:88 (backend_connect): Trying to connect to http://XXX.YYY.ZZZ.AAA:12345/connector/status
[LIB - INF 09:17:39.700006] lib_util.c:129 (parse_status_data): response from connector
[LIB - INF 09:17:39.700035] lib_util.c:130 (parse_status_data): has device: yes
[LIB - INF 09:17:39.700041] lib_util.c:132 (parse_status_data): version: 2.0.0
[LIB - INF 09:17:39.700045] lib_util.c:133 (parse_status_data): pid: 17400
[LIB - INF 09:17:39.700050] lib_util.c:134 (parse_status_data): address: 0.0.0.0
[LIB - INF 09:17:39.700055] lib_util.c:135 (parse_status_data): port: 12345
[LIB - INF 09:17:39.700059] yubihsm_curl.c:129 (backend_connect): Found working connector
Session keepalive set up to run every 15 seconds
[LIB - INT 09:17:39.705290] yubihsm.c:666 (yh_create_session): Host challenge: 629c9dcf0a676bd5
[LIB - INF 09:17:39.727969] yubihsm.c:699 (yh_create_session): Received Session ID: 0
[LIB - INT 09:17:39.727992] yubihsm.c:702 (yh_create_session): Card challenge: 8bc2f4027b7cfee8
[LIB - INT 09:17:39.728005] yubihsm.c:703 (yh_create_session): Card cryptogram: 9fe021ad171e0daa
[LIB - INT 09:17:39.728021] yubihsm.c:721 (yh_create_session): S-ENC: 436ec1cc404503f9 4f984a0fcd6fab6f
[LIB - INT 09:17:39.728040] yubihsm.c:722 (yh_create_session): S-MAC: 11c796d63780a372 dc4a2c4fd4b3c1d1
[LIB - INT 09:17:39.728060] yubihsm.c:723 (yh_create_session): S-RMAC: eba33bcfc501def1 a553b6b75cba0c46
[LIB - INF 09:17:39.728080] yubihsm.c:732 (yh_create_session): Card cryptogram successfully verified
[LIB - INT 09:17:39.728088] yubihsm.c:2954 (yh_authenticate_session): Host cryptogram: 87fa25519ec59904
Created session 0
[LIB - INF 09:17:39.762697] yubihsm.c:4583 (yh_string_to_domains): Domains parsed as ffff
Failed to get input data
[LIB - INF 09:17:39.762743] yubihsm.c:304 (_send_secure_msg): Sending cmd 40 ( 3 Bytes): 400000
[LIB - INF 09:17:39.780365] yubihsm.c:365 (_send_secure_msg): Response MAC successfully verified
Possibly related issues
- #55 looks related, but the PR #56 looks like handling just elliptic curves.
- #13 looks related, but changing the capabilities does not help.
Software version
apt-cache policy yubihsm-shell | grep Installed
Installed: 2.0.1-1
yubihsm-shell refuses to ECDSA-sign
MacOS 10.14.2, current SDK
yubihsm> set informat binary
yubihsm> sign ecdsa 0 7 ecdsa-sha384 "t3b-out.txt" "t3b-out.txt.sig"
Invalid argument 5: t3b-out.txt (i:data=-)
yubihsm>
Files are OK, and PKCS#11 access works:
$ ll t3b-out*
-rw-r--r-- 1 ur20980 MITLL\Domain Users 328391 Aug 12 13:05 t3b-out.txt
$ openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:model=YubiHSM;manufacturer=Yubico%20%28www.yubico.com%29;serial=0755xxxx;token=YubiHSM;id=%00%07;type=private" -sha384 -out t3b-out.txt.osslsig t3b-out.txt
engine "pkcs11" set.
Enter PKCS#11 token PIN for YubiHSM:
$ openssl dgst -verify ~/yubihsm-7-pub.der -keyform DER -sha384 -signature t3b-out.txt.osslsig t3b-out.txt
Verified OK
$
PKCS11_get_private_key returned NULL
Hello!
I get the error "PKCS11_get_private_key returned NULL" when I try to create a self signed certificate.
With this script I can provoke the behavior reproducibly:
#!/bin/bash
export YUBIHSM_PKCS11_CONF=./yubihsm_pkcs11.conf
TEST_AUTH_KEY=0x0001
TEST_AUTH_PW=password
TEST_SIGN_KEY=0x0004
echo 'connector = http://127.0.0.1:12345' > ${YUBIHSM_PKCS11_CONF}
yubihsm-shell \
--action=list-objects \
--domains=0 \
--object-type=any \
--algorithm=any \
--authkey="${TEST_AUTH_KEY}" \
--password="${TEST_AUTH_PW}"
yubihsm-shell \
--action=generate-asymmetric-key \
--object-id=${TEST_SIGN_KEY} \
--label="root_ca_sign_key" \
--algorithm="rsa3072" \
--capabilities=sign-pkcs,sign-pss,sign-ecdsa,sign-eddsa,sign-ssh-certificate \
--authkey=${TEST_AUTH_KEY} \
--password="${TEST_AUTH_PW}"
openssl req \
-new \
-x509 \
-days 9125 \
-nodes \
-config ./openssl.cnf \
-extensions v3_ca \
-engine pkcs11 \
-key "0:${TEST_SIGN_KEY}" \
-keyform engine \
-out ./hsm-root-ca-01.dum.my.crt.pem
yubihsm-shell \
--action=list-objects \
--domains=0 \
--object-type=any \
--algorithm=any \
--authkey="${TEST_AUTH_KEY}" \
--password="${TEST_AUTH_PW}" As output I get:
[or@olafthink yubihsm2-tests]$ bash -x ./short_test.sh
+ export YUBIHSM_PKCS11_CONF=./yubihsm_pkcs11.conf
+ YUBIHSM_PKCS11_CONF=./yubihsm_pkcs11.conf
+ TEST_AUTH_KEY=0x0001
+ TEST_AUTH_PW=password
+ TEST_SIGN_KEY=0x0004
+ echo 'connector = http://127.0.0.1:12345'
+ yubihsm-shell --action=list-objects --domains=0 --object-type=any --algorithm=any --authkey=0x0001 --password=password
Using default connector URL: http://127.0.0.1:12345
Session keepalive set up to run every 15 seconds
Created session 0
Found 1 object(s)
id: 0x0001, type: authentication-key, sequence: 1
+ yubihsm-shell --action=generate-asymmetric-key --object-id=0x0004 --label=root_ca_sign_key --algorithm=rsa3072 --capabilities=sign-pkcs,sign-pss,sign-ecdsa,sign-eddsa,sign-ssh-certificate --authkey=0x0001 --password=password
Using default connector URL: http://127.0.0.1:12345
Session keepalive set up to run every 15 seconds
Created session 0
Generated Asymmetric key 0x0004
+ openssl req -new -x509 -days 9125 -nodes -config ./openssl.cnf -extensions v3_ca -engine pkcs11 -key 0:0x0004 -keyform engine -out ./hsm-root-ca-01.dum.my.crt.pem
engine "pkcs11" set.
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140430704670528:error:80067065:pkcs11 engine:ctx_load_privkey:object not found:eng_back.c:975:
140430704670528:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:crypto/engine/eng_pkey.c:77:
unable to load Private Key
+ yubihsm-shell --action=list-objects --domains=0 --object-type=any --algorithm=any --authkey=0x0001 --password=password
Using default connector URL: http://127.0.0.1:12345
Session keepalive set up to run every 15 seconds
Created session 0
Found 2 object(s)
id: 0x0001, type: authentication-key, sequence: 1
id: 0x0004, type: asymmetric-key, sequence: 0
yubihsm-connector writes in journal:
Nov 15 10:22:35 olafthink.localdomain yubihsm-connector[1719]: 2020/11/15 10:22:35 handle_events: error: libusb: interrupted [code -10]
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":0,"Content-Type":"","Method":"GET","RemoteAddr":"127.0.0.1:59028","StatusCode":200,"URI":"/connector/status","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"f2b25f56-0529-45eb-ba87-5f30ac1abf93","latency":258114239,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":13,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59028","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"59471638-60cc-441c-b9c1-ba4faf3c64f2","latency":10574447,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":20,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59028","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"440a8259-2481-4bb3-9a22-d02815a9e07f","latency":9332985,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":28,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59028","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"3f4ea55b-413f-4651-b1b5-f78d00a23b5b","latency":10717618,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":28,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59028","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"2fe38d66-9ee4-4519-b68e-52a3572a0a9b","latency":10013619,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":0,"Content-Type":"","Method":"GET","RemoteAddr":"127.0.0.1:59030","StatusCode":200,"URI":"/connector/status","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"6eb925a7-0186-4e42-9ca2-c3314d9ee1b4","latency":258374039,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":13,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59030","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"ff3106dd-b99d-4156-9dfb-234c3ba40955","latency":10527860,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:37 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":20,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59030","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"3d5de477-19fc-46c2-9c48-1fa40d0b73d3","latency":9338995,"level":"info","msg":"handled request","time":"2020-11-15T10:22:37+01:00"}
Nov 15 10:22:42 olafthink.localdomain yubihsm-connector[1719]: 2020/11/15 10:22:42 handle_events: error: libusb: interrupted [code -10]
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":76,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59030","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"4b1d9d73-45e6-4522-a9f6-773164d04b53","latency":36945737904,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":28,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59030","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"20bcc662-ceae-432d-a014-6c513ed35a2c","latency":10156689,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: 2020/11/15 10:23:14 handle_events: error: libusb: interrupted [code -10]
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":0,"Content-Type":"","Method":"GET","RemoteAddr":"127.0.0.1:59042","StatusCode":200,"URI":"/connector/status","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"8fcd0aae-6a49-429c-97c5-57139f031ee0","latency":256144883,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":13,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59042","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"11e4a679-51d9-4d59-b8e7-1ed0ab571cf4","latency":10599185,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":20,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59042","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"fb0fbdf3-0a25-4a88-a495-6b00a7e15243","latency":9389912,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":28,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59042","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"31cf68d1-94c4-49b2-ab4c-3d209e8431fe","latency":10784905,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
Nov 15 10:23:14 olafthink.localdomain yubihsm-connector[1719]: {"Content-Length":28,"Content-Type":"application/octet-stream","Method":"POST","RemoteAddr":"127.0.0.1:59042","StatusCode":200,"URI":"/connector/api","User-Agent":"YubiHSM curl/2.0.3","X-Real-IP":"127.0.0.1","X-Request-ID":"4459c5be-a9e3-4891-940a-3e7e59bb9ac4","latency":10089052,"level":"info","msg":"handled request","time":"2020-11-15T10:23:14+01:00"}
My openssl.cnf looks like this:
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib64/pkcs11/yubihsm_pkcs11.so
INIT_ARGS = connector=http://127.0.0.1:12345 debug
PIN = "password"
init = 0
I have no idea what else I could try.
Greetings
Olaf
New release with signature on official website
Related to #6, can we have the release on
https://developers.yubico.com/yubihsm-shell/Releases/
where all the previous releases were published, including the signatures? It looks like the last release was done by @aveenismail.
YubiHSM produces error -5 sometimes and sometimes not
Hi Guys,
Sometimes the yubihsm does not execute operation and returns -5. But sometimes he does?
Is there any timing i have to fullfill? I tried to stabilize with sleep command, but it does not help.
i have following c-program:
#include <string.h>
#include <stdlib.h>
#include <yubihsm.h>
#include "internal.h"
#include <assert.h>
#include <unistd.h>
static void print_yhrc(yh_rc yrc);
static void print_buffer(uint8_t *label, uint8_t *buffer, uint32_t len);
yh_rc yh_wrap_data( uint16_t authkey,
const char* password,
const char* label,
const char* domains,
uint16_t *wrapkey_id_p,
uint8_t *data,
size_t *data_len,
uint8_t *out,
size_t *out_len) {
sleep(1);
printf(password);printf("\n");
printf(label);printf("\n");
printf("%d",authkey);printf("\n");
static yh_connector connector_arg;
yh_connector *connector = &connector_arg;
yh_session *session = NULL;
yh_rc yrc = YHR_GENERIC_ERROR;
//serial=0007550878
const char *connector_url = "yhusb://";
yrc = yh_init();
assert(yrc == YHR_SUCCESS);
yrc = yh_init_connector(connector_url, &connector);
assert(yrc == YHR_SUCCESS);
yrc = yh_connect(connector, 0);
if (yrc == YHR_SUCCESS) {
printf("Connected!\n");
//printf(yh_strerror(yrc));
} else {
printf("Connect error: %02d\n", (int)yrc);
}
yrc = yh_create_session_derived(connector, authkey, password,
sizeof(password), false, &session);
print_yhrc(yrc);
yrc = yh_authenticate_session(session);
print_yhrc(yrc);
uint8_t session_id;
yrc = yh_get_session_id(session, &session_id);
print_yhrc(yrc);
if (yrc == YHR_SUCCESS) {
printf("Successfully established session %02d\n", session_id);
} else {
return yrc;
}
uint16_t domain_arg2;
uint16_t *domain = &domain_arg2;
printf("string_to_domains\n");
yrc = yh_string_to_domains(domains, domain);
print_yhrc(yrc);
yh_capabilities wrapkey_cap_arg;
yh_capabilities *wrapkey_cap = &wrapkey_cap_arg;
printf("WrapKey caps\n");
yrc = yh_string_to_capabilities("exportable-under-wrap|unwrap-data|wrap-data", wrapkey_cap);
print_yhrc(yrc);
uint16_t key_arg = 0; //let device generate id
uint16_t* key_p = &key_arg;
yh_capabilities yh_cap_arg;
yh_capabilities *yh_cap = &yh_cap_arg;
printf("Key caps\n");
yrc = yh_string_to_capabilities("exportable-under-wrap|unwrap-data|wrap-data", yh_cap);
print_yhrc(yrc);
/*yh_rc yh_util_generate_wrap_key(yh_session *session, uint16_t *key_id,
const char *label, uint16_t domains,
const yh_capabilities *capabilities,
yh_algorithm algorithm,
const yh_capabilities *delegated_capabilities);*/
sleep(1);
yrc = yh_util_generate_wrap_key(session, wrapkey_id_p,
label, *domain,
wrapkey_cap,
YH_ALGO_AES128_CCM_WRAP,
yh_cap);
printf("GeneratedWrapKey ID: %02d\n", *wrapkey_id_p);
print_yhrc(yrc);
/*yh_rc yh_util_wrap_data( yh_session *session,
uint16_t key_id,
const uint8_t *in,
size_t in_len,
uint8_t *out,
size_t *out_len);*/
size_t wrapout_len=10000;
size_t *wrapout_len_p=&wrapout_len;
uint8_t wrapoutcome[10000] = {};
printf("Wrap-Data\n");
print_buffer("Not Wrapped", data, *data_len);
sleep(1);
yrc = yh_util_wrap_data(session, *wrapkey_id_p,
data,
*data_len,
wrapoutcome,
wrapout_len_p);
print_yhrc(yrc);
if (yrc == YHR_SUCCESS) {
print_buffer("Wrapped", wrapoutcome, *wrapout_len_p);
}
size_t unwrapout_len=10000;
size_t *unwrapout_len_p=&wrapout_len;
uint8_t unwrapoutcome[10000] = {};
sleep(1);
/*yh_rc yh_util_unwrap_data(yh_session *session, uint16_t key_id,
const uint8_t *in, size_t in_len, uint8_t *out,
size_t *out_len);*/
yrc = yh_util_unwrap_data(session, *wrapkey_id_p,
wrapoutcome, *wrapout_len_p,
unwrapoutcome, unwrapout_len_p);
print_yhrc(yrc);
if (yrc == YHR_SUCCESS) {
print_buffer("Unwrapped", unwrapoutcome, *unwrapout_len_p);
}
out = (uint8_t*)memcpy(out,unwrapoutcome,*unwrapout_len_p);
*out_len = *unwrapout_len_p;
sleep(1);
yrc = yh_util_close_session(session);
print_yhrc(yrc);
yrc = yh_disconnect(connector);
print_yhrc(yrc);
yrc = yh_exit();
sleep(1);
return yrc;
}
static void print_yhrc(yh_rc yrc) {
if (yrc == YHR_SUCCESS) {
} else {
printf("Error: %02d\n", (int)yrc);
}
}
static void print_buffer(uint8_t *label, uint8_t *buffer, uint32_t len) {
printf(label);
printf("\nBuffer len: %02d\n", len);
for(uint32_t i = 0; i<len; i++) {
printf("0x%02x,", *buffer);
buffer++;
}
printf("\n");
}
2.0.2: test suite is failing
[tkloczko@barrel x86_64-redhat-linux-gnu]$ make test ARGS=--output-on-failure
Running tests...
/usr/bin/ctest --force-new-ctest-process --output-on-failure
Test project /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/x86_64-redhat-linux-gnu
Start 1: parsing
1/25 Test #1: parsing .......................... Passed 0.00 sec
Start 2: pbkdf2
2/25 Test #2: pbkdf2 ........................... Passed 0.02 sec
Start 3: attest
3/25 Test #3: attest ...........................Child aborted***Exception: 0.13 sec
attest: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/attest.c:128: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 4: generate_ec
4/25 Test #4: generate_ec ......................Child aborted***Exception: 0.13 sec
generate_ec: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/generate_ec.c:64: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 5: generate_hmac
5/25 Test #5: generate_hmac ....................Child aborted***Exception: 0.13 sec
generate_hmac: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/generate_hmac.c:58: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 6: import_authkey
6/25 Test #6: import_authkey ...................Child aborted***Exception: 0.15 sec
import_authkey: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/import_authkey.c:58: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 7: import_rsa
7/25 Test #7: import_rsa .......................Child aborted***Exception: 0.13 sec
import_rsa: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/import_rsa.c:64: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 8: info
8/25 Test #8: info .............................Child aborted***Exception: 0.12 sec
info: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/info.c:51: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 9: wrap
9/25 Test #9: wrap .............................Child aborted***Exception: 0.12 sec
wrap: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/wrap.c:56: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 10: wrap_data
10/25 Test #10: wrap_data ........................Child aborted***Exception: 0.13 sec
wrap_data: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/wrap_data.c:58: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 11: yubico_otp
11/25 Test #11: yubico_otp .......................Child aborted***Exception: 0.13 sec
yubico_otp: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/yubico_otp.c:109: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 12: echo
12/25 Test #12: echo .............................Child aborted***Exception: 0.12 sec
echo: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/echo.c:55: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 13: import_ec
13/25 Test #13: import_ec ........................Child aborted***Exception: 0.13 sec
import_ec: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/import_ec.c:65: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 14: generate_rsa
14/25 Test #14: generate_rsa .....................Child aborted***Exception: 0.13 sec
generate_rsa: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/generate_rsa.c:63: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 15: logs
15/25 Test #15: logs .............................Child aborted***Exception: 0.15 sec
logs: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/logs.c:62: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 16: ssh
16/25 Test #16: ssh ..............................Child aborted***Exception: 0.12 sec
ssh: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/ssh.c:181: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 17: decrypt_rsa
17/25 Test #17: decrypt_rsa ......................Child aborted***Exception: 0.11 sec
decrypt_rsa: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/decrypt_rsa.c:69: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 18: decrypt_ec
18/25 Test #18: decrypt_ec .......................Child aborted***Exception: 0.13 sec
decrypt_ec: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/decrypt_ec.c:62: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 19: import_ed
19/25 Test #19: import_ed ........................Child aborted***Exception: 0.12 sec
import_ed: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/import_ed.c:72: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 20: change_authkey
20/25 Test #20: change_authkey ...................Child aborted***Exception: 0.12 sec
change_authkey: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/examples/change_authkey.c:59: main: Assertion `yrc == YHR_SUCCESS' failed.
Start 21: engine_tests
21/25 Test #21: engine_tests ..................... Passed 0.01 sec
Start 22: pkcs11test
22/25 Test #22: pkcs11test .......................***Failed 0.01 sec
SHELL=/bin/bash
HISTCONTROL=ignoreboth
CTEST_INTERACTIVE_DEBUG_MODE=1
HISTSIZE=1000
HOSTNAME=barrel
MAKE_TERMOUT=/dev/pts/8
YUBIHSM_PKCS11_CONF=/tmp/yubihsmtest.9NPY5M/p11.conf
PWD=/home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/x86_64-redhat-linux-gnu/pkcs11/tests
LOGNAME=tkloczko
XDG_SESSION_TYPE=tty
MAKEOVERRIDES=${-*-command-variables-*-}
MC_TMPDIR=/var/tmp/mc-tkloczko
MOTD_SHOWN=pam
MC_SID=3505125
HOME=/home/tkloczko
ARGS=--output-on-failure
LANG=en_GB.UTF-8
LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
BINDIR=/home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/x86_64-redhat-linux-gnu
SKIPPED_TESTS=Slot.NoInit:PKCS11Test.EnumerateMechanisms:ReadOnlySessionTest.GenerateRandom:ReadOnlySessionTest.GenerateRandomNone:ReadOnlySessionTest.UserLoginWrongPIN:ReadOnlySessionTest.SOLoginFail:ReadOnlySessionTest.CreateKeyPairObjects:ReadOnlySessionTest.CreateSecretKeyAttributes:ReadOnlySessionTest.SecretKeyTestVectors:ReadOnlySessionTest.SignVerifyRecover:ReadOnlySessionTest.GenerateKeyInvalid:ReadOnlySessionTest.GenerateKeyPairInvalid:ReadOnlySessionTest.WrapUnwrap:ReadOnlySessionTest.WrapInvalid:ReadOnlySessionTest.UnwrapInvalid:ReadWriteSessionTest.CreateCopyDestroyObject:ReadWriteSessionTest.SetLatchingAttribute:ReadWriteSessionTest.FindObjectSubset:ReadWriteSessionTest.ReadOnlySessionSOLoginFail:ReadWriteSessionTest.SOLogin:ReadWriteSessionTest.TookanAttackA1:ReadWriteSessionTest.TookanAttackA3:ReadWriteSessionTest.TookanAttackA4:ReadWriteSessionTest.TookanAttackA5a:ReadWriteSessionTest.TookanAttackA5b:ReadWriteSessionTest.PublicExponent4Bytes:ReadWriteSessionTest.ExtractKeys:ReadWriteSessionTest.AsymmetricTokenKeyPair:RWUserSessionTest.SOLoginFail:DataObjectTest.CopyDestroyObjectInvalid:DataObjectTest.GetMultipleAttributes:DataObjectTest.GetSetAttributeInvalid:RWSOSessionTest.SOSessionFail:RWSOSessionTest.UserLoginFail:RWEitherSessionTest.TookanAttackA2:KeyPairTest.EncryptDecrypt:Ciphers/SecretKeyTest.EncryptDecrypt/0:Ciphers/SecretKeyTest.EncryptDecrypt/1:Ciphers/SecretKeyTest.EncryptDecrypt/2:Ciphers/SecretKeyTest.EncryptDecrypt/3:Ciphers/SecretKeyTest.EncryptDecrypt/4:Ciphers/SecretKeyTest.EncryptDecrypt/5:Ciphers/SecretKeyTest.EncryptFailDecrypt/0:Ciphers/SecretKeyTest.EncryptFailDecrypt/1:Ciphers/SecretKeyTest.EncryptFailDecrypt/2:Ciphers/SecretKeyTest.EncryptFailDecrypt/3:Ciphers/SecretKeyTest.EncryptFailDecrypt/4:Ciphers/SecretKeyTest.EncryptFailDecrypt/5:Ciphers/SecretKeyTest.EncryptDecryptGetSpace/0:Ciphers/SecretKeyTest.EncryptDecryptGetSpace/1:Ciphers/SecretKeyTest.EncryptDecryptGetSpace/2:Ciphers/SecretKeyTest.EncryptDecryptGetSpace/3:Ciphers/SecretKeyTest.EncryptDecryptGetSpace/4:Ciphers/SecretKeyTest.EncryptDecryptGetSpace/5:Ciphers/SecretKeyTest.EncryptDecryptParts/0:Ciphers/SecretKeyTest.EncryptDecryptParts/1:Ciphers/SecretKeyTest.EncryptDecryptParts/2:Ciphers/SecretKeyTest.EncryptDecryptParts/3:Ciphers/SecretKeyTest.EncryptDecryptParts/4:Ciphers/SecretKeyTest.EncryptDecryptParts/5:Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/0:Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/1:Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/2:Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/3:Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/4:Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/5:Ciphers/SecretKeyTest.EncryptErrors/0:Ciphers/SecretKeyTest.EncryptErrors/1:Ciphers/SecretKeyTest.EncryptErrors/2:Ciphers/SecretKeyTest.EncryptErrors/3:Ciphers/SecretKeyTest.EncryptErrors/4:Ciphers/SecretKeyTest.EncryptErrors/5:Ciphers/SecretKeyTest.DecryptErrors/0:Ciphers/SecretKeyTest.DecryptErrors/1:Ciphers/SecretKeyTest.DecryptErrors/2:Ciphers/SecretKeyTest.DecryptErrors/3:Ciphers/SecretKeyTest.DecryptErrors/4:Ciphers/SecretKeyTest.DecryptErrors/5:Ciphers/SecretKeyTest.EncryptUpdateErrors/0:Ciphers/SecretKeyTest.EncryptUpdateErrors/1:Ciphers/SecretKeyTest.EncryptUpdateErrors/2:Ciphers/SecretKeyTest.EncryptUpdateErrors/3:Ciphers/SecretKeyTest.EncryptUpdateErrors/4:Ciphers/SecretKeyTest.EncryptUpdateErrors/5:Ciphers/SecretKeyTest.EncryptModePolicing1/0:Ciphers/SecretKeyTest.EncryptModePolicing1/1:Ciphers/SecretKeyTest.EncryptModePolicing1/2:Ciphers/SecretKeyTest.EncryptModePolicing1/3:Ciphers/SecretKeyTest.EncryptModePolicing1/4:Ciphers/SecretKeyTest.EncryptModePolicing1/5:Ciphers/SecretKeyTest.EncryptModePolicing2/0:Ciphers/SecretKeyTest.EncryptModePolicing2/1:Ciphers/SecretKeyTest.EncryptModePolicing2/2:Ciphers/SecretKeyTest.EncryptModePolicing2/3:Ciphers/SecretKeyTest.EncryptModePolicing2/4:Ciphers/SecretKeyTest.EncryptModePolicing2/5:Ciphers/SecretKeyTest.EncryptInvalidIV/0:Ciphers/SecretKeyTest.EncryptInvalidIV/1:Ciphers/SecretKeyTest.EncryptInvalidIV/2:Ciphers/SecretKeyTest.EncryptInvalidIV/3:Ciphers/SecretKeyTest.EncryptInvalidIV/4:Ciphers/SecretKeyTest.EncryptInvalidIV/5:Ciphers/SecretKeyTest.DecryptInvalidIV/0:Ciphers/SecretKeyTest.DecryptInvalidIV/1:Ciphers/SecretKeyTest.DecryptInvalidIV/2:Ciphers/SecretKeyTest.DecryptInvalidIV/3:Ciphers/SecretKeyTest.DecryptInvalidIV/4:Ciphers/SecretKeyTest.DecryptInvalidIV/3:Ciphers/SecretKeyTest.DecryptInvalidIV/4:Ciphers/SecretKeyTest.DecryptInvalidIV/5:Ciphers/SecretKeyTest.DecryptUpdateErrors/0:Ciphers/SecretKeyTest.DecryptUpdateErrors/1:Ciphers/SecretKeyTest.DecryptUpdateErrors/2:Ciphers/SecretKeyTest.DecryptUpdateErrors/3:Ciphers/SecretKeyTest.DecryptUpdateErrors/4:Ciphers/SecretKeyTest.DecryptUpdateErrors/5:Ciphers/SecretKeyTest.EncryptFinalImmediate/0:Ciphers/SecretKeyTest.EncryptFinalImmediate/1:Ciphers/SecretKeyTest.EncryptFinalImmediate/2:Ciphers/SecretKeyTest.EncryptFinalImmediate/3:Ciphers/SecretKeyTest.EncryptFinalImmediate/4:Ciphers/SecretKeyTest.EncryptFinalImmediate/5:Ciphers/SecretKeyTest.EncryptFinalErrors1/0:Ciphers/SecretKeyTest.EncryptFinalErrors1/1:Ciphers/SecretKeyTest.EncryptFinalErrors1/2:Ciphers/SecretKeyTest.EncryptFinalErrors1/3:Ciphers/SecretKeyTest.EncryptFinalErrors1/4:Ciphers/SecretKeyTest.EncryptFinalErrors1/5:Ciphers/SecretKeyTest.EncryptFinalErrors2/0:Ciphers/SecretKeyTest.EncryptFinalErrors2/1:Ciphers/SecretKeyTest.EncryptFinalErrors2/2:Ciphers/SecretKeyTest.EncryptFinalErrors2/3:Ciphers/SecretKeyTest.EncryptFinalErrors2/4:Ciphers/SecretKeyTest.EncryptFinalErrors2/5:Ciphers/SecretKeyTest.DecryptFinalErrors1/0:Ciphers/SecretKeyTest.DecryptFinalErrors1/1:Ciphers/SecretKeyTest.DecryptFinalErrors1/2:Ciphers/SecretKeyTest.DecryptFinalErrors1/3:Ciphers/SecretKeyTest.DecryptFinalErrors1/4:Ciphers/SecretKeyTest.DecryptFinalErrors1/5:Ciphers/SecretKeyTest.DecryptFinalErrors2/0:Ciphers/SecretKeyTest.DecryptFinalErrors2/1:Ciphers/SecretKeyTest.DecryptFinalErrors2/2:Ciphers/SecretKeyTest.DecryptFinalErrors2/3:Ciphers/SecretKeyTest.DecryptFinalErrors2/4:Ciphers/SecretKeyTest.DecryptFinalErrors2/5:Digests/DigestTest.DigestKey/0:Digests/DigestTest.DigestKey/1:Digests/DigestTest.DigestKey/2:Digests/DigestTest.DigestKey/3:Digests/DigestTest.DigestKey/4:Digests/DigestTest.DigestKeyInvalid/0:Digests/DigestTest.DigestKeyInvalid/1:Digests/DigestTest.DigestKeyInvalid/2:Digests/DigestTest.DigestKeyInvalid/3:Digests/DigestTest.DigestKeyInvalid/4:Signatures/SignTest.SignVerify/0:Signatures/SignTest.SignFailVerifyWrong/0:Signatures/SignTest.SignFailVerifyShort/0:Duals/DualSecretKeyTest.DigestEncrypt/0:Duals/DualSecretKeyTest.DigestEncrypt/1:Duals/DualSecretKeyTest.DigestEncrypt/2:Duals/DualSecretKeyTest.DigestEncrypt/3:Duals/DualSecretKeyTest.DigestEncrypt/4:Duals/DualSecretKeyTest.DigestEncrypt/5:Init.InitArgsBadReserved
SSH_CONNECTION=192.168.1.153 52800 192.168.1.10 22
MFLAGS=
XDG_SESSION_CLASS=user
MAKEFLAGS= -- ARGS=--output-on-failure
SELINUX_ROLE_REQUESTED=
TERM=xterm-256color
LESSOPEN=||/usr/bin/lesspipe.sh %s
USER=tkloczko
MAKE_TERMERR=/dev/pts/8
SELINUX_USE_CURRENT_RANGE=
SHLVL=3
MAKELEVEL=1
LIBEXT=so
CVS_RSH=ssh
XDG_SESSION_ID=466
XDG_RUNTIME_DIR=/run/user/1000
S_COLORS=auto
SSH_CLIENT=192.168.1.153 52800 22
KDEDIRS=/usr
PATH=/usr/bin:/usr/sbin:/usr/local/sbin
SELINUX_LEVEL_REQUESTED=
MAIL=/var/spool/mail/tkloczko
SSH_TTY=/dev/pts/5
OLDPWD=/home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2
_=/usr/bin/env
/home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/pkcs11/tests/pkcs11test.sh: line 42: pkcs11test: command not found
Start 23: ecdh_derive_test
23/25 Test #23: ecdh_derive_test .................Child aborted***Exception: 0.12 sec
ecdh_derive_test: /home/tkloczko/rpmbuild/BUILD/yubihsm-shell-2.0.2/pkcs11/tests/ecdh_derive_test.c:81: open_session: Assertion `rv == CKR_OK' failed.
Start 24: bash_tests
24/25 Test #24: bash_tests .......................***Failed 0.02 sec
++ mktemp -d
+ TMPDIR=/tmp/tmp.ZQouyzhVcS
+ DATA=/tmp/tmp.ZQouyzhVcS/data
+ SIG=/tmp/tmp.ZQouyzhVcS/sig
+ BIN_SIG=/tmp/tmp.ZQouyzhVcS/bin_sig
+ PUBLIC_KEY=/tmp/tmp.ZQouyzhVcS/public
+ '[' -z ']'
+ DEFAULT_CONNECTOR_URL=http://127.0.0.1:12345
+ PROG='../yubihsm-shell --connector=http://127.0.0.1:12345'
++ uname
+ '[' xLinux = xFreeBSD ']'
+ DECODE='base64 --decode'
+ echo 'Hello World!'
++ ../yubihsm-shell --connector=http://127.0.0.1:12345 -a generate-asymmetric -A ecp256 -csign-ecdsa -p password
+ OUTPUT='Failed connecting '\''http://127.0.0.1:12345'\''
Not connected
Failed to open session'
Start 25: wrapped_tests
25/25 Test #25: wrapped_tests ....................***Failed 0.05 sec
>>> TMPDIR=/tmp/tmp.ugWpeTH0wF
Failed connecting 'http://127.0.0.1:12345'
Not connected
Failed to open session
put_yhwrapped_authkey: put-wrap-key
Failed connecting 'http://127.0.0.1:12345'
Not connected
Failed to open session
12% tests passed, 22 tests failed out of 25
Total Test time (real) = 2.55 sec
The following tests FAILED:
3 - attest (Child aborted)
4 - generate_ec (Child aborted)
5 - generate_hmac (Child aborted)
6 - import_authkey (Child aborted)
7 - import_rsa (Child aborted)
8 - info (Child aborted)
9 - wrap (Child aborted)
10 - wrap_data (Child aborted)
11 - yubico_otp (Child aborted)
12 - echo (Child aborted)
13 - import_ec (Child aborted)
14 - generate_rsa (Child aborted)
15 - logs (Child aborted)
16 - ssh (Child aborted)
17 - decrypt_rsa (Child aborted)
18 - decrypt_ec (Child aborted)
19 - import_ed (Child aborted)
20 - change_authkey (Child aborted)
22 - pkcs11test (Failed)
23 - ecdh_derive_test (Child aborted)
24 - bash_tests (Failed)
25 - wrapped_tests (Failed)
Errors while running CTest
Invalid argument 1: 0 (e:session)
I am trying to perform a hard reset on my yubikey (Edit: YubiHSM), following the instructions here - https://developers.yubico.com/YubiHSM2/Commands/Reset_Device.html
However I am getting an error with Invalid argument
I'm building and running with docker
docker run -it --rm --name yubihsm-shell -v /dev/bus/usb:/dev/bus/usb --privileged <internal_docker_image_url> /bin/sh
# which yubihsm-shell
/usr/local/bin/yubihsm-shell
# yubihsm-shell
Using default connector URL: http://127.0.0.1:12345
yubihsm> reset 0
Invalid argument 1: 0 (e:session)
yubihsm>
yubihsm> connect
Failed initializing connector http://127.0.0.1:12345: Generic error
HTTPS connection doesn't work with yubihsm-shell
$ yubihsm-shell --connector=https://localhost:12345
yubihsm> connect
Failed connecting 'https://localhost:12345'
yubihsm> debug all
Debug messages enabled
yubihsm> connect
[LIB - INF 10:58:33.546335] yubihsm.c:4048 (yh_init_connector): Loading http backend
[LIB - INF 10:58:33.549195] yubihsm.c:4056 (yh_init_connector): Loaded a backend
[LIB - INF 10:58:33.549209] yubihsm.c:3901 (create_connector): Creating connector
[LIB - INF 10:58:33.549216] yubihsm.c:3953 (create_connector): Creating *connector->connection
[LIB - INF 10:58:33.549251] yubihsm.c:3963 (create_connector): Created connector
[LIB - INF 10:58:33.549258] yubihsm_curl.c:86 (backend_connect): Trying to connect to https://localhost:12345/connector/status
[LIB - ERR 10:58:33.560844] yubihsm.c:4088 (yh_connect): Failed when connecting: Unable to find a suitable connector
Failed connecting 'https://localhost:12345'
yubihsm> quit
$ yubihsm-shell --connector=https://127.0.0.1:12345
yubihsm> debug all
Debug messages enabled
yubihsm> connect
[LIB - INF 10:58:54.345650] yubihsm.c:4048 (yh_init_connector): Loading http backend
[LIB - INF 10:58:54.351802] yubihsm.c:4056 (yh_init_connector): Loaded a backend
[LIB - INF 10:58:54.351817] yubihsm.c:3901 (create_connector): Creating connector
[LIB - INF 10:58:54.351837] yubihsm.c:3953 (create_connector): Creating *connector->connection
[LIB - INF 10:58:54.351857] yubihsm.c:3963 (create_connector): Created connector
[LIB - INF 10:58:54.351865] yubihsm_curl.c:86 (backend_connect): Trying to connect to https://127.0.0.1:12345/connector/status
[LIB - ERR 10:58:54.362705] yubihsm.c:4088 (yh_connect): Failed when connecting: Unable to find a suitable connector
Failed connecting 'https://127.0.0.1:12345'
yubihsm>
Corresponding connector window:
$ yubihsm-connector --config ~/yubihsm-connector-config.yaml
2018/11/28 10:58:16 http: TLS handshake error from 127.0.0.1:59686: remote error: tls: unknown certificate authority
2018/11/28 10:58:33 http: TLS handshake error from 127.0.0.1:59690: remote error: tls: unknown certificate authority
2018/11/28 10:58:54 http: TLS handshake error from 127.0.0.1:59695: remote error: tls: unknown certificate authority
Config file:
$ cat ~/yubihsm-connector-config.yaml
# Certificate (X.509)
cert: "/Users/ur20980/Certs/yubihsm2.pem"
# Certificate key
key: "/Users/ur20980/Certs/yubihsm2.key"
# Listening address. Defaults to "localhost:12345".
listen: localhost:12345
# Device serial in case of multiple devices
serial: ""
# Log to syslog/eventlog. Defaults to "false".
syslog: false
# Use to enable host header filtering. Default to "false".
# Use this if there is an absolute need to use a web browser on the host where the YubiHSM 2 is installed to connect to untrusted web sites on the Internet.
enable-host-whitelist: true
# Default list for the host header filter
host-whitelist: localhost,localhost.,127.0.0.1,[::1],ur20980-vpn.llan.ll.mit.edu,535792-mitll.llan.ll.mit.edu
Feature Request: BLS Signature Support
Would it be possible to do something like add a C interface to https://github.com/Chia-Network/bls-signatures and release the capability to create BLS signatures in a firmware update?
This would be a great addition to the product. If you're able to devote time to it, I would be greatly appreciative, as there are next to none HSMs which boast BLS signature support, and a mature operating platform.
Thanks!
Using a local HSM with the connector
I'm trying to use the yubihsm-shell and I managed to install the binaries onto the system. However I'm not sure how to connect the yubihsm-connector to the hsm2 without the connector daemon running. Right now I am running
yubihsm-shell --connector http://10.0.7.7:12345
however without the yubihsm-connector daemon, i'm not sure how to actually connect to the yubihsm.
Connector error -29
Hi Guys,
i have very simple c-code:
#include <assert.h>
#include "yubihsm.h"
#include "internal.h"
const uint8_t password[] = "password";
/*
struct yh_connector {
void *backend;
struct backend_functions *bf;
yh_backend *connection;
char *status_url;
char *api_url;
bool has_device;
uint8_t version_major;
uint8_t version_minor;
uint8_t version_patch;
uint8_t address[32];
uint32_t port;
uint32_t pid;
};
*/
static yh_connector connector_arg;
int main(int argc, char *argv[]) {
yh_connector *connector = &connector_arg;
yh_session *session = NULL;
yh_rc yrc = YHR_GENERIC_ERROR;
uint16_t authkey = 1;
const char *connector_url;
//yhusb://serial=0007550878
connector_url = "yhusb://serial=0007550878";
yrc = yh_init();
assert(yrc == YHR_SUCCESS);
yrc = yh_init_connector(connector_url, &connector);
assert(yrc == YHR_SUCCESS);
//yh_set_verbosity(connector, (uint8_t)YH_VERB_ALL);
//printf("Device %d\n", (uint32_t)(((struct yh_connector*)connector)->backend));
yrc = yh_connect(connector, 0);
if (yrc == YHR_SUCCESS) {
printf("Connected!\n");
//printf(yh_strerror(yrc));
} else {
printf("Connect error: %02d\n", (int)yrc);
}
yrc = yh_create_session_derived(connector, authkey, password,
sizeof(password), false, &session);
if (yrc != YHR_SUCCESS) {
printf(yh_strerror(yrc));
}
yrc = yh_authenticate_session(session);
assert(yrc == YHR_SUCCESS);
uint8_t session_id;
yrc = yh_get_session_id(session, &session_id);
assert(yrc == YHR_SUCCESS);
printf("Successfully established session %02d\n", session_id);
return 0;
}
But it gives me -29 connector error, while controlling the yubihsm via python is possible.
Unencrypting wrapped key
I have exported a wrapped asymmetric key, and now I need to decrypt the key to use in an a different application outside of the YubiHSM2. Is there any documentation for the process of decrypting a wrapped key?
Question: is connector needed for direct USB?
If I defined connector as yhusb://..., do I still need to run yubihsm-connector app?
Segfault during decrypt oaep
System information
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux bullseye/sid
Release: testing
Codename: bullseye
$ uname -a
Linux senid-home 5.8.0-1-amd64 #1 SMP Debian 5.8.7-1 (2020-09-05) x86_64 GNU/Linux
$ yubihsm-shell --version
yubihsm-shell 2.0.2
Encryption
yubihsm device have generated RSA 4096 with capabilities decrypt-pkcs, decrypt-oaep - id 0x7abe.
public key
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmita2ZjfsUqPmDpfCgp3
IevFHpCLjE04qJ5i4o9vh+f/7cVkExLF+BTakZJ+uJUXBBf5X5V2aZ0vMupBDFaW
aHm32QB+klYT/HNLxak/LASlL7KA80zgw6oPdY5z9LtM7OraecQvs5G4upiYGHVE
AgBLH23ZaVVVpgC6JbKJae/lTb3fY4MbMc2p92q4wQP7VkatsoNWtMim7euE9bnP
BxEEbFL4KgPTuEYL0ubNFB4ZIIKmXth2hnCl286hYSAFWhS8TbPHZYi+5nM0KAdM
/wFZHnli+ONo7oMjciw8qFCjt93ULBPyB8dN/A+NzOfDibwjAEU0GnuvucA/IdGk
FXoJNVZjg0s8KvkmuphSTV71GS5u9xhiLv3dYs+dy6Qp3DmzZ6ikroxwButRrzkn
IFqCSGq1hZ3RNuRKCYZ6Urg7ce8J35TIf+iclNppw8oruMDV33bn4tMGiS1Pnth1
wQxIjv8/qivKOgqvNRhM84x1ypmmo0h/Lz6FEOF6Gos3NTlqrB/fEC0hHoCsKcjL
b1KOFnofRP8/NtJY5EfpDg+FtipGVuZxaRUuR728rOEpQNYJUEeH1QAeyFifYEkO
wnC67Y23ux5RdNV1myLGDYEO+a1u67GAH6q5q2zL6sIhQ5zAv2n44Pi/bl1BRvqm
D49OS48GKNZg/G+u2Amwu58CAwEAAQ==
-----END PUBLIC KEY-----
txt_to_enc.txt is 256 byte file where character q repeated 256 times.
6161616161616161616161616161616161616161 is character a repeated 20 times in hex string.
data was encrypted using openssl pkeyutl
$ openssl pkeyutl -in txt_to_enc.txt -encrypt -inkey 0x7abe.pub -pubin \
-pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha256 \
-pkeyopt rsa_mgf1_md:sha256 \
-pkeyopt rsa_oaep_label:6161616161616161616161616161616161616161 \
-out encrypted.txt
I've used -pkeyopt rsa_oaep_md:sha1 option too but result same - segfault.
Decryption
$ yubihsm-shell -C http://127.0.0.1:12345
yubihsm> connect
Session keepalive set up to run every 15 seconds
yubihsm> session open 1 password
dCreated session 0
yubihsm> debug all
Debug messages enabled
yubihsm> decrypt oaep 0 0x7abe rsa-oaep-sha256 encrypted.txt aaaaaaaaaaaaaaaaaaaa
Segmentation fault
via gdb I see following backtrace after crash
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
142 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0 __memmove_avx_unaligned () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:142
#1 0x00007ffff7e9c09f in memcpy (__len=40, __src=0x0, __dest=0x5555555e9578) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2 SHA256_Update (len=40, data_=<optimized out>, c=0x5555555e9550) at ../include/crypto/md32_common.h:181
#3 SHA256_Update (c=0x5555555e9550, data_=<optimized out>, len=<optimized out>) at ../include/crypto/md32_common.h:128
#4 0x000055555555e079 in ?? ()
#5 0x00005555555605e9 in yh_com_decrypt_oaep ()
#6 0x000055555556609b in validate_and_call ()
#7 0x000055555555c23b in main ()
github issues does not provide ability to attach file - I can provide core file on demand
Command-line "--action=sign-eddsa" is unimplemented
The sign eddsa command is implemented in the interactive shell. The --action=sign-eddsa command-line parameter is documented but returns a "Command not implemented" error.
The implementation is identical to --action=sign-ecdsa with the letter "c" replaced with "d". It takes almost as much code to report it is unimplemented as it does to implement it.
main.c.zip
memory resource leaks in yubihsm-shell CLI tool
I have found more cases of memory resource leaks similar to the ones reported in #88. Given the context, I do not consider the issues as security-related. The functional impact of the leaks is very low during regular CLI operation.
Part no. 1
If parse_configured_connectors() is called with n_connectors = 0, some memory for the list is still assigned:
Line 1760 in ba7b105
However, the default handling in main() overwrites the ctx.connector_list with new heap memory:
Lines 1927 to 1943 in ba7b105
Consequently, the cleanup in the main_exit: section will not be able to release the originally allocated memory.
Part no. 2
If parse_usb_url() exits with errors, the memory assigned with char *copy = strdup(url); is not released:
Lines 161 to 166 in 55c3eee
Part no. 3
As far as I can see, the memory allocated in parse_configured_pubkeys() is never released (apart from error handling within the function itself):
Line 1783 in ba7b105
Line 1791 in ba7b105
Cannot generate authentication-key with full set of capabilities
I'm trying to create a new authentication key for all the domains, including all capabilities. The provided example shows:
yubihsm> put authkey 0 2 yubico 1,2,3 generate-asymmetric-key,export-wrapped,get-pseudo-random,put-wrap-key,import-wrapped,delete-asymmetric-key,sign-ecdsa sign-ecdsa,exportable-under-wrap,export-wrapped,import-wrapped password
I am trying to re-create a "master key", aka an auth key with all the possible capabilities, like the "DEFAULT AUTH KEY". However, when I type those, it is rejected with "Command to long" error message:
yubihsm> put authkey 0 0x02 "NEW MAIN AUTHKEY" 0xff change-authentication-key:create-otp-aead:decrypt-oaep:decrypt-otp:decrypt-pkcs:delete-asymmetric-key:delete-authentication-key:delete-hmac-key:delete-opaque:delete-otp-aead-key:delete-template:delete-wrap-key:derive-ecdh:export-wrapped:exportable-under-wrap:generate-asymmetric-key:generate-hmac-key:generate-otp-aead-key:generate-wrap-key:get-log-entries:get-opaque:get-option:get-pseudo-random:get-template:import-wrapped:put-asymmetric-key:put-authentication-key:put-mac-key:put-opaque:put-otp-aead-key:put-template:put-wrap-key:randomize-otp-aead:reset-device:rewrap-from-otp-aead-key:rewrap-to-otp-aead-key:set-option:sign-attestation-certificate:sign-ecdsa:sign-eddsa:sign-hmac:sign-pkcs:sign-pss:sign-ssh-certificate:unwrap-data:verify-hmac:wrap-data change-authentication-key:create-otp-aead:decrypt-oaep:decrypt-otp:decrypt-pkcs:delete-asymmetric-key:delete-authentication-key:delete-hmac-key:delete-opaque:delete-otp-aead-key:delete-template:delete-wrap-key:derive-ecdh:export-wrapped:exportable-under-wrap:generate-asymmetric-key:generate-hmac-key:generate-otp-aead-key:generate-wrap-key:get-log-entries:get-opaque:get-option:get-pseudo-random:get-template:import-wrapped:put-asymmetric-key:put-authentication-key:put-mac-key:put-opaque:put-otp-aead-key:put-template:put-wrap-key:randomize-otp-aead:reset-device:rewrap-from-otp-aead-key:rewrap-to-otp-aead-key:set-option:sign-attestation-certificate:sign-ecdsa:sign-eddsa:sign-hmac:sign-pkcs:sign-pss:sign-ssh-certificate:unwrap-data:verify-hmac:wrap-data
Command to long
yubihsm>
Please explain how I can generate one.
YH_MSG_BUF_SIZE too small to import a wrapped RSA:4096 key
I've created a RSA:4096 key and exported it as follows:
# create decrypt key
yubihsm-shell \
--authkey=1 --password=password \
--action=generate-asymmetric-key \
--object-id=0x10 \
--label=decrypt_key \
--capabilities=decrypt-oaep,sign-pkcs,exportable-under-wrap \
--algorithm=rsa4096
# create wrap key
echo 00000000000000000000000000000000 | yubihsm-shell \
--authkey=1 --password=password \
--action=put-wrap-key \
--object-id=0x30 \
--label=export_wrapkey \
--capabilities=export-wrapped,import-wrapped \
--delegated=decrypt-oaep,sign-pkcs,exportable-under-wrap
# export decrypt key under wrap
yubihsm-shell \
--authkey=1 --password=password \
--action=get-wrapped \
--wrap-id=0x30 \
--object-id=0x10 \
--object-type=asymmetric-key \
--out=/tmpfs/decrypt_key
# delete the decrypt key (making room for import)
yubihsm-shell \
--authkey=1 --password=password \
--action=delete-object \
--object-id=0x10 \
--object-type=asymmetric-key
# ls -l /tmpfs/decrypt_key
-rw-r--r-- 1 root root 5016 Nov 7 16:11 /tmpfs/decrypt_key
With #60 in place to allow this file to be loaded, I attempt to import:
# yubihsm-shell \
--authkey=1 --password=password \
--action=put-wrapped \
--wrap-id=0x30 \
--in=file:/tmpfs/decrypt_key
Using default connector URL: http://127.0.0.1:12345
Session keepalive set up to run every 15 seconds
Created session 0
Failed to store wrapped object: Invalid argument to a function
Unable to store wrapped object
Tracing the code, we see we land in this error condition in yh_util_import_wrapped:
if (in_len > YH_MSG_BUF_SIZE - 2) {
DBG_ERR("Too much data, must be < %d", YH_MSG_BUF_SIZE - 2);
return YHR_INVALID_PARAMETERS;
}Here in_len is 3761 bytes, but YH_MSG_BUF_SIZE is 2048.
Reading further, it looks like YH_MSG_BUF_SIZE is deeply wired into USB message sizes, so naively increasing it is probably not going to work. Is that right?
Any ideas for how to import this key?
what is the difference between yubihsm 2 and 2.1?
I tried to ask via support, but they're not very informative
Critical Parameters Missing in the YubiHSM Signed Certificate
Hi Team Yubico,
We are migrating from Yubikey to YubiHSM to configure multiple CA's inside YubiHSM. I have configured the YubiHSM to work as SubCA which signed the client CSR file. Client CSR signing is successful but after I compared YubiHSM signed certificate with Yubikey signed certificate & I can see some parameters missing & certificate version is different in the YubiHSM signed certificate. Please see below screen shots.
I am trying different configuration options but I am looking someone who can quickly guide me to resolve this missing parameters & certification version issue.
OpenSSL used on Linux:
- OpenSSL 1.1.1
OpenSSL command used to sign the CSR with YubiHSM SubCA:
OPENSSL_CONF=./engine.conf openssl x509 -req -days 7305 -CAkeyform engine -engine pkcs11 -CA yubihsm-crt.pem -in clientcsrfile -CAkey "0:0005" -CAcreateserial -sha256 -outform DER -out clientcsrfile.derBelow is the engine.conf file:
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
INIT_ARGS = connector=http://localhost:12345
init = 0
# Will keep the PIN common for all slots/domains inside YubiHSM
# TODO: Change this PIN as per final deployment
#PIN Format: "<auth key id><auth key password>"
PIN="0001password"ed25519 support in PKCS#11 module
Could you please add support for ed25519 keys into your pkcs11 module?
yubishell password in command line mode
Is there a way to specify password from a file instead of using -p in command line mode? -p can appear in history.
Alternative to the yubihsm-shell wrap/encrypt and unwrap/decrypt
Per the "Known Issues" page on developers.yubico.com, I'm aware that the encryption and decryption commands are "unimplemented". I'm currently looking for a solution to generate a object on the YubiHSM2, export it under wrap, and decrypt it locally on my machine. We have current need to generate an object (an HMAC, for example), export it, and send it to a manufacturer for production.
We have successfully accomplished generating a wrap key, importing a wrap key, and exporting an object under wrap with a stored wrap key.
We'd like to just use the wrap key (aes ccm key) that we generated in our linux environment to decrypt the exported wrapped object. We currently do not have a way to do this without the decrypt/unwrap data commands being unimplemented in the yubihsm-shell.
Please provide guidance. We appreciate your help in advance!
Operating system: Ubuntu 18.04
Using release 2021.08 (from a few days ago), have also used the 2021.04 in our efforts over the past few days.
"all" is not accepted as a synonym for "all capabilities"
Screen log speaks for itself: explicitly listing all the capabilities works. Trying to replace them with the keyword "all" doesn't:
yubihsm> put authkey 0 0x0003 "Test AuthKey" 0xffff change-authentication-key,create-otp-aead,decrypt-oaep,decrypt-otp,decrypt-pkcs,delete-asymmetric-key,delete-authentication-key,delete-hmac-key,delete-opaque,delete-otp-aead-key,delete-template,delete-wrap-key,derive-ecdh,export-wrapped,exportable-under-wrap,generate-asymmetric-key,generate-hmac-key,generate-otp-aead-key,generate-wrap-key,get-log-entries,get-opaque,get-option,get-pseudo-random,get-template,import-wrapped,put-asymmetric-key,put-authentication-key,put-mac-key,put-opaque,put-otp-aead-key,put-template,put-wrap-key,randomize-otp-aead,reset-device,rewrap-from-otp-aead-key,rewrap-to-otp-aead-key,set-option,sign-attestation-certificate,sign-ecdsa,sign-eddsa,sign-hmac,sign-pkcs,sign-pss,sign-ssh-certificate,unwrap-data,verify-hmac,wrap-data change-authentication-key,create-otp-aead,decrypt-oaep,decrypt-otp,decrypt-pkcs,delete-asymmetric-key,delete-authentication-key,delete-hmac-key,delete-opaque,delete-otp-aead-key,delete-template,delete-wrap-key,derive-ecdh,export-wrapped,exportable-under-wrap,generate-asymmetric-key,generate-hmac-key,generate-otp-aead-key,generate-wrap-key,get-log-entries,get-opaque,get-option,get-pseudo-random,get-template,import-wrapped,put-asymmetric-key,put-authentication-key,put-mac-key,put-opaque,put-otp-aead-key,put-template,put-wrap-key,randomize-otp-aead,reset-device,rewrap-from-otp-aead-key,rewrap-to-otp-aead-key,set-option,sign-attestation-certificate,sign-ecdsa,sign-eddsa,sign-hmac,sign-pkcs,sign-pss,sign-ssh-certificate,unwrap-data,verify-hmac,wrap-data
Enter password:
Stored Authentication key 0x0003
yubihsm> put authkey 0 0x0004 "Test AuthKey2" 0xffff all all
Enter password:
Failed to store authkey: Malformed command / invalid data
yubihsm>
Abort when opening an already existing file
It is somewhat surprising that open_file appends by default. Truncating sounds like a worse option, so the only viable solution seems to be to throw an error back at the user and let them deal with the issue. On the other hand, formats like PEM can typically handle multiple "objects" in a single file as those can be parsed independently. Still a consistent behavior is probably better here.
Optionally some kind of force flag could be added to signal whether or not to abort.
This is related to #61.
Please consider providing release build for openSUSE
Would be great if you added a release build for openSUSE LEAP 15.
(OpenBSD would be amazing too... but I guess that would be a lot harder work for you guys than just extending your build release scripts for a slightly different Linux flavour).
Missing dokumentation about setting session passwprd
Hello,
I'm sorry but I can't find the documentation, about how to setup the session password. Isn't possible to set a new session password with yubihsm-shell?
Thanks!
Olaf
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.