
Comments (6)

aveenismail commented on July 29, 2024

Hi @mouse07410

I see few issues here:

1- It looks like you are trying to import an asymmetric key and use it as a wrap key. This is not supported by the YubiHSM2. Wrapkeys are separate objects with symmetric properties. Asymmetric keys can only be used for signing, decryption and derivation of ECDH keys.

2- The command has 2 issues that I can immediately see:
a. There is a delegated capabilities parameter, which put asymmetric is not expecting
b. It says in the ticket that k1.pem contains the public key of the RSA key. put asymmetric expects the private key as an input, not the public key.

I hope this helps

from yubihsm-shell.

aveenismail commented on July 29, 2024

1-
A wrap key can either be generated in the YubiHSM or imported into it. If you plan to import the wrapped objects into another YubiHSM, the same wrap key needs to be in both YubiHSMs. For that reason, I would suggest importing a wrap key. See https://developers.yubico.com/YubiHSM2/Commands/Put_Wrap_Key.html for a command example. This wrap key should have the export-wrapped and import-wrapped capabilities and as delegated capabilities, whatever capabilities the objects it's wrapping/unwrapping have. Also, the objects to wrap need to have the capability exportable-under-wrap otherwise the operation won't succeed.

Use the Export Wrapped command to export objects under wrap (https://developers.yubico.com/YubiHSM2/Commands/Export_Wrapped.html). Then use the Import Wrapped command to import the wrapped object into the other YubiHSM (https://developers.yubico.com/YubiHSM2/Commands/Import_Wrapped.html).

2-
That is correct. Public keys are not imported into the YubiHSM but they can be extracted from it. Only private key operations are performed inside the YubiHSM. Public key operations need to be performed using software outside the YubiHSM. Asymmetric wrap of objects inside the YubiHSM is not supported.

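The reply above states four preconditions for moving an object between two YubiHSMs under wrap: a wrap key (a separate symmetric object, not an asymmetric key) with export-wrapped and import-wrapped, delegated capabilities on that wrap key covering whatever capabilities the wrapped object has, exportable-under-wrap on the object itself, and the same wrap key imported into both devices. The following is an added example, not code from the yubihsm-shell project and not talking to a device: it models those rules offline so a planned transfer can be checked for the failing rule before Export Wrapped / Import Wrapped are run for real. The HsmObject fields, the object IDs and the key bytes are this example's own constructions; sign-pkcs and sign-pss appear only as sample capability names.

```python
"""Offline model of the wrap-key preconditions described in the reply above.

Constructed example: not part of the yubihsm-shell project, no device access,
no Yubico library.  It checks the stated rules (export-wrapped / import-wrapped
on the wrap key, delegated capabilities covering the wrapped object's own
capabilities, exportable-under-wrap on the object, the same wrap key in both
devices) and reports which rule a planned transfer breaks.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class HsmObject:
    """Stand-in for a YubiHSM object's metadata (field names are this example's own)."""
    object_id: int
    object_type: str                        # "wrap-key", "asymmetric-key", ...
    capabilities: FrozenSet[str]
    delegated_capabilities: FrozenSet[str] = frozenset()
    key_material: bytes = b""               # used only to compare wrap keys across devices


def caps(*names: str) -> FrozenSet[str]:
    return frozenset(names)


def _wrap_key_problems(wrap_key: HsmObject, needed_cap: str, target: HsmObject) -> List[str]:
    """Rules shared by export and import: the wrapping object must really be a
    wrap key, carry the required capability, and delegate every capability
    the target object has."""
    problems = []
    if wrap_key.object_type != "wrap-key":
        # e.g. an imported RSA key used as a wrap key (the first comment above)
        problems.append(f"object {wrap_key.object_id:#06x} is a {wrap_key.object_type}, not a wrap-key")
    if needed_cap not in wrap_key.capabilities:
        problems.append(f"wrap key lacks {needed_cap}")
    missing = target.capabilities - wrap_key.delegated_capabilities
    if missing:
        problems.append("wrap key does not delegate: " + ", ".join(sorted(missing)))
    return problems


def export_problems(wrap_key: HsmObject, target: HsmObject) -> List[str]:
    """Why `target` could not be exported under `wrap_key`; an empty list means OK."""
    problems = _wrap_key_problems(wrap_key, "export-wrapped", target)
    if "exportable-under-wrap" not in target.capabilities:
        problems.append(f"target {target.object_id:#06x} lacks exportable-under-wrap")
    return problems


def import_problems(wrap_key: HsmObject, target: HsmObject) -> List[str]:
    """Why the wrapped `target` could not be imported under `wrap_key`."""
    return _wrap_key_problems(wrap_key, "import-wrapped", target)


def transfer_problems(src_wrap: HsmObject, dst_wrap: HsmObject, target: HsmObject) -> List[str]:
    """Export from device A under src_wrap, then import into device B under dst_wrap."""
    problems = export_problems(src_wrap, target) + import_problems(dst_wrap, target)
    if src_wrap.key_material != dst_wrap.key_material:
        problems.append("wrap keys differ: the same wrap key must be present in both devices")
    return problems


# Constructed sample objects: IDs and key bytes are made up; sign-pkcs / sign-pss
# are used here only as sample capabilities of the object being wrapped.
SHARED_WRAP = bytes(range(32))
WRAP_A = HsmObject(0x0010, "wrap-key", caps("export-wrapped", "import-wrapped"),
                   caps("exportable-under-wrap", "sign-pkcs", "sign-pss"), SHARED_WRAP)
WRAP_B = HsmObject(0x0010, "wrap-key", caps("export-wrapped", "import-wrapped"),
                   caps("exportable-under-wrap", "sign-pkcs", "sign-pss"), SHARED_WRAP)
WRAP_B_OTHER = HsmObject(0x0011, "wrap-key", caps("export-wrapped", "import-wrapped"),
                         caps("exportable-under-wrap", "sign-pkcs", "sign-pss"), bytes(32))
RSA_KEY = HsmObject(0x0020, "asymmetric-key",
                    caps("sign-pkcs", "sign-pss", "exportable-under-wrap"))
RSA_LOCKED = HsmObject(0x0021, "asymmetric-key", caps("sign-pkcs"))


if __name__ == "__main__":
    for label, probs in [
        ("good transfer", transfer_problems(WRAP_A, WRAP_B, RSA_KEY)),
        ("RSA key used as wrap key", export_problems(RSA_KEY, RSA_KEY)),
        ("object not exportable", export_problems(WRAP_A, RSA_LOCKED)),
        ("different wrap keys", transfer_problems(WRAP_A, WRAP_B_OTHER, RSA_KEY)),
    ]:
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
```

The delegated-capability check is a superset test, following the reply's wording that the wrap key's delegated capabilities should be whatever capabilities the wrapped objects have; the key_material comparison stands in for the requirement that the same wrap key be imported into both devices, which is why the reply recommends importing rather than generating it.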

mouse07410 commented on July 29, 2024

@aveenismail thank you! Yes it helps, but here are some questions:

Wrapkeys are separate objects with symmetric properties. Asymmetric keys can only be used for signing, decryption and derivation of ECDH keys.

How can I get "wrapkey" functionality - securely export an object, such as symmetric key or asymmetric key-pair, from the HSM, and (securely) import it into a different device (another HSM, or TPM, or such)?

It says in the ticket that k1.pem contains the public key of the RSA key. put asymmetric expects the private key as an input, not the public key.

Does it mean there's no way to import a public key into HSM, and one would have to perform all the operations with it in software (on the host)? I'm trying to find a way to accomplish "wrapping" with asymmetric, as described above.


mouse07410 commented on July 29, 2024

If you plan to import the wrapped objects into another YubiHSM, the same wrap key needs to be in both YubiHSMs

I want to exchange wrapped objects between YubiHSM2 and a non-Yubico device(s) such as TPM. My preference is to keep the "unencrypted" objects only inside those hardware modules - which makes exporting an unencrypted key (even if HSM would allow it, which I doubt) and encrypting it on the host in software - undesirable. I guess, for that I'll need the exact format of the wrapped structure...

Re. asymmetric wrap - please pass it to the leadership as a feature request.


aveenismail commented on July 29, 2024

You are correct in that private keys cannot be exported from the YubiHSM unless they are wrapped. While Yubico does not provide software to unwrap wrapped objects outside a YubiHSM, the yubihsm-wrap tool (part of this repository) does provide a way to wrap objects outside of a YubiHSM so they can be unwrapped inside one. Maybe that can be a helpful reference.

Asymmetric wrap feature request has been forwarded to the product team.


mouse07410 commented on July 29, 2024

yubihsm-wrap tool (part of this repository) does provide a way to wrap objects outside of a YubiHSM so they can be unwrapped inside one

Thank you - but I also need the reverse: wrap within the YubiHSM, and unwrap inside a TPM or another hardware module (not YubiHSM).

Asymmetric wrap feature request has been forwarded to the product team.

Thank you!
