Comments (6)
Hi @mouse07410
I see few issues here:
1- It looks like you are trying to import an asymmetric key and use it as a wrap key. This is not supported by the YubiHSM2. Wrapkeys are separate objects with symmetric properties. Asymmetric keys can only be used for signing, decryption and derivation of ECDH keys.
2- The command have 2 issues that I can immediately see:
a. There is a delegated capabilities parameters, which put asymmetric
is not expecting
b. It says in the ticket that k1.pem
contains the public key of the RSA key. put asymmetric
expects the private key as an input, not the public key.
I hope this helps
from yubihsm-shell.
1-
A wrap key can either be generated in the YubiHSM or imported into it. If you plan to import the wrapped objects into another YubiHSM, the same wrap key needs to be in both YubiHSMs. For that reason, I would suggest importing a wrap key. See https://developers.yubico.com/YubiHSM2/Commands/Put_Wrap_Key.html for a command example. This wrap key should have the export-wrapped
and import-wrapped
capabilities and as delegated capabilities, whatever capabilities the objects it's wrapping/unwrapping have. Also, the objects to wrap need to have the capability exportable-under-wrap
otherwise the operation won't succeed.
Use the Export Wrapped command to export objects under wrap (https://developers.yubico.com/YubiHSM2/Commands/Export_Wrapped.html). Then use the Import Wrapped command to import the wrapped object into the other YubiHSM (https://developers.yubico.com/YubiHSM2/Commands/Import_Wrapped.html)
2-
That is correct. Public keys are not imported into the YubiHSM but they can be extracted from it. Only private key operations are performed inside the YubiHSM. Public key operations need to be preformed using software outside the YubiHSM. Asymmetric wrap of objects inside the YubiHSM is not supported
from yubihsm-shell.
@aveenismail thank you! Yes it helps, but here are some questions:
Wrapkeys are separate objects with symmetric properties. Asymmetric keys can only be used for signing, decryption and derivation of ECDH keys.
How can I get "wrapkey" functionality - securely export an object, such as symmetric key or asymmetric key-pair, from the HSM, and (securely) import it into a different device (another HSM, or TPM, or such)?
It says in the ticket that
k1.pem
contains the public key of the RSA key.put asymmetric
expects the private key as an input, not the public key.
Does it mean there's no way to import a public key into HSM, and one would have to perform all the operations with it in software (on the host)? I'm trying to find a way to accomplish "wrapping" with asymmetric, as described above.
from yubihsm-shell.
If you plan to import the wrapped objects into another YubiHSM, the same wrap key needs to be in both YubiHSMs
I want to exchange wrapped objects between YubiHSM2 and a non-Yubico device(s) such as TPM. My preference is to keep the "unencrypted" objects only inside those hardware modules - which makes exporting an unencrypted key (even if HSM would allow it, which I doubt) and encrypting it on the host in software - undesirable. I guess, for that I'll need the exact format of the wrapped structure...
Re. asummetric wrap - please pass it to the leadership as a feature request.
from yubihsm-shell.
You are correct in that private keys cannot be exported from the YubiHSM unless they are wrapped. While Yubico does not provide a softwrare to unwrap a wrapped objects outside a YubiHSM, the yubihsm-wrap tool (part of this repository) does provide a way to wrap objects outside of a YubiHSM so they can be unwraped inside one. Maybe that can be a helpful reference.
Asymmetric wrap feature request has been forwarded to the product team.
from yubihsm-shell.
yubihsm-wrap
tool (part of this repository) does provide a way to wrap objects outside of a YubiHSM so they can be unwraped inside one
Thank you - but I also need the reverse: wrap within the YubiHSM, and unwrap inside a TMP or another hardware module (not YubiHSM).
Asymmetric wrap feature request has been forwarded to the product team.
Thank you!
from yubihsm-shell.
Related Issues (20)
- Signing keys need updating on website HOT 2
- Unwrapping an exported wrapped key without device involvement HOT 4
- Remote problem HOT 1
- the last changelog entry references wrong version HOT 1
- RFE: is it possible to start making github releases?🤔
- Changelog typo HOT 1
- Cannot generate RSA-OAEP key pair? HOT 3
- Error running keytool on windows with YubiHSM HOT 11
- AES CTR Encryption HOT 3
- Failed to store symmetric key: Invalid command HOT 4
- yubihsm-shell ignores env var YUBIHSM_PKCS11_CONF HOT 2
- "debug" option in config file explodes the shell HOT 5
- Yubihsm ran out of session after a while when using with pkcs11 module HOT 10
- Malformed data error when signing SHA3-384 with yh_util_sign_pkcs1v1_5 HOT 1
- 2.4.2: test suite fails in 12% units HOT 7
- Docker container cannot connect to yubihsm connector running on host on Ubuntu 22.04.3 LTS HOT 1
- Inquiry about YubiHSM 2 Authentication & Access control HOT 1
- Support for SHA3-* HOT 1
- [P11 - ERR 21:10:53.246143] util_pkcs11.c:4593 (parse_rsa_generate_template): Boolean truth check failed for attribute 0x1 [P11 - ERR 21:10:53.246154] yubihsm_pkcs11.c:5248 (C_GenerateKeyPair): Unable to parse generation template HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from yubihsm-shell.