Wire Sysio Wire Sysion 1.0.0
Loading...
Searching...
No Matches
commands.c
Go to the documentation of this file.
1/*
2 * Copyright 2015-2018 Yubico AB
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <ctype.h>
18#include <stdio.h>
19#include <stdlib.h>
20#include <string.h>
21
22#include "commands.h"
23#include "yubihsm-shell.h"
24#include "../common/insecure_memzero.h"
25
26#include "hash.h"
27#include "util.h"
28#include "openssl-compat.h"
29
30#ifdef __WIN32
31#include <winsock.h>
32#else
33#include <arpa/inet.h>
34#include <unistd.h>
35#include <sys/ioctl.h>
36#endif
37
38#include <openssl/rand.h>
39#include <openssl/pem.h>
40#include <openssl/x509.h>
41#include <sys/time.h>
42
43static format_t fmt_to_fmt(cmd_format fmt) {
44 switch (fmt) {
45 case fmt_base64:
46 return _base64;
47 case fmt_binary:
48 return _binary;
49 case fmt_hex:
50 return _hex;
51 default:
52 return 0;
53 }
54}
55
56// NOTE(adma): Extract log entries
57// argc = 1
58// arg 0: e:session
59int yh_com_audit(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
60
61 UNUSED(ctx);
62 UNUSED(fmt);
63
64 yh_rc yrc;
65
66 uint16_t unlogged_boot = 0;
67 uint16_t unlogged_auth = 0;
68 yh_log_entry logs[YH_MAX_LOG_ENTRIES];
69 size_t n_items = sizeof(logs);
70
71 switch (fmt) {
72 case fmt_binary:
73 case fmt_PEM:
74 case fmt_base64:
75 case fmt_password:
76 fprintf(stderr,
77 "The selected output format is not supported for this operation. "
78 "Supported format are \"ASCII\", \"hex\" and \"default\"\n");
79 return -1;
80
81 default:
82 break;
83 }
84
85 yrc = yh_util_get_log_entries(argv[0].e, &unlogged_boot, &unlogged_auth, logs,
86 &n_items);
87 if (yrc != YHR_SUCCESS) {
88 fprintf(stderr, "Failed to get logs: %s\n", yh_strerror(yrc));
89 return -1;
90 }
91
92 char digest_buf[(2 * YH_LOG_DIGEST_SIZE) + 1];
93
94 switch (ctx->out_fmt) {
95 case fmt_hex:
96 fprintf(ctx->out, "%04x%04x", unlogged_boot, unlogged_auth);
97 for (uint16_t i = 0; i < n_items; i++) {
98 format_digest(logs[i].digest, digest_buf, YH_LOG_DIGEST_SIZE);
99 fprintf(ctx->out, "%04x%02x%04x%04x%04x%04x%02x%08lx%s", logs[i].number,
100 logs[i].command, logs[i].length, logs[i].session_key,
101 logs[i].target_key, logs[i].second_key, logs[i].result,
102 (unsigned long) logs[i].systick, digest_buf);
103 }
104 fprintf(ctx->out, "\n");
105 break;
106
107 case fmt_ASCII:
108 default:
109 fprintf(ctx->out, "%d unlogged boots found\n", unlogged_boot);
110 fprintf(ctx->out, "%d unlogged authentications found\n", unlogged_auth);
111
112 if (n_items == 0) {
113 fprintf(ctx->out, "No logs to extract\n");
114 return 0;
115 } else if (n_items == 1) {
116 fprintf(ctx->out, "Found 1 item\n");
117 } else {
118 fprintf(ctx->out, "Found %zu items\n", n_items);
119 }
120
121 for (uint16_t i = 0; i < n_items; i++) {
122 format_digest(logs[i].digest, digest_buf, YH_LOG_DIGEST_SIZE);
123 fprintf(ctx->out,
124 "item: %5u -- cmd: 0x%02x -- length: %4u -- session key: "
125 "0x%04x -- target key: 0x%04x -- second key: 0x%04x -- "
126 "result: 0x%02x -- tick: %lu -- hash: %s\n",
127 logs[i].number, logs[i].command, logs[i].length,
128 logs[i].session_key, logs[i].target_key, logs[i].second_key,
129 logs[i].result, (unsigned long) logs[i].systick, digest_buf);
130 }
131 break;
132 }
133
134 return 0;
135}
136
137// NOTE: Set the log index
138// argc = 2
139// arg 0: e:session
140// arg 1: w:index
141int yh_com_set_log_index(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
142
143 UNUSED(ctx);
144 UNUSED(fmt);
145
146 yh_rc yrc = yh_util_set_log_index(argv[0].e, argv[1].w);
147 if (yrc != YHR_SUCCESS) {
148 fprintf(stderr, "Failed to set log index: %s\n", yh_strerror(yrc));
149 return -1;
150 }
151
152 return 0;
153}
154
155// NOTE: Blink the device
156// argc = 2
157// arg 0: e:session
158// arg 1: b:seconds
159int yh_com_blink(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
160
161 UNUSED(fmt);
162 UNUSED(ctx);
163
164 yh_rc yrc = yh_util_blink_device(argv[0].e, argv[1].b);
165 if (yrc != YHR_SUCCESS) {
166 fprintf(stderr, "Failed to blink the device: %s\n", yh_strerror(yrc));
167 return -1;
168 }
169
170 return 0;
171}
172
173// NOTE(adma): Close a session with a connector
174// argc = 1
175// arg 0: e:session
176int yh_com_close_session(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
177
178 UNUSED(fmt);
179 uint8_t session_id = 0;
180
181 yh_rc yrc = yh_get_session_id(argv[0].e, &session_id);
182 if (yrc != YHR_SUCCESS) {
183 fprintf(stderr, "Failed to get session id: %s\n", yh_strerror(yrc));
184 return -1;
185 }
186
187 yrc = yh_util_close_session(argv[0].e);
188 if (yrc != YHR_SUCCESS) {
189 fprintf(stderr, "Failed to close session: %s\n", yh_strerror(yrc));
190 return -1;
191 }
192
193 yrc = yh_destroy_session(&argv[0].e);
194 if (yrc != YHR_SUCCESS) {
195 fprintf(stderr, "Failed to destroy session: %s\n", yh_strerror(yrc));
196 return -1;
197 }
198
199 ctx->sessions[session_id] = NULL;
200
201 return 0;
202}
203
204// NOTE(adma): Connect to a connector
205// argc = 0
206int yh_com_connect(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
207
208 UNUSED(argv);
209 UNUSED(fmt);
210 int ret = -1;
211
212 yh_rc yrc;
213 yh_connector **connectors = calloc(ctx->n_connectors, sizeof(yh_connector *));
214 if (connectors == NULL) {
215 fprintf(stderr, "Failed allocating memory\n");
216 return -1;
217 }
218
219 int idx = -1;
220 for (int i = 0; i < ctx->n_connectors; i++) {
221 yrc = yh_init_connector(ctx->connector_list[i], &connectors[i]);
222 if (yrc != YHR_SUCCESS) {
223 fprintf(stderr, "Failed initializing connector\n");
224 goto cleanup;
225 }
226 if (ctx->cacert) {
227 if (yh_set_connector_option(connectors[i], YH_CONNECTOR_HTTPS_CA,
228 ctx->cacert) != YHR_SUCCESS) {
229 fprintf(stderr, "Failed setting HTTPS CA\n");
230 goto cleanup;
231 }
232 }
233 if (ctx->proxy) {
234 if (yh_set_connector_option(connectors[i], YH_CONNECTOR_PROXY_SERVER,
235 ctx->proxy) != YHR_SUCCESS) {
236 fprintf(stderr, "Failed setting proxy server\n");
237 goto cleanup;
238 }
239 }
240 if (yh_connect(connectors[i], 0) != YHR_SUCCESS) {
241 fprintf(stderr, "Failed connecting '%s'\n", ctx->connector_list[i]);
242 continue;
243 }
244 idx = i;
245 break;
246 }
247
248 for (int i = 0; i < ctx->n_connectors; i++) {
249 if (i == idx) {
250 ctx->connector = connectors[i];
251 } else {
252 yh_disconnect(connectors[i]);
253 }
254 }
255
256 if (idx >= 0) {
257 ret = 0;
258
259 (void) yh_com_keepalive_on(NULL, NULL, fmt_nofmt);
260 }
261
262cleanup:
263 free(connectors);
264
265 return ret;
266}
267
268// NOTE(adma): Enable all debug messages
269// argc = 0
270int yh_com_debug_all(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
271
272 UNUSED(ctx);
273 UNUSED(argv);
274 UNUSED(fmt);
275
276 yh_set_verbosity(ctx->connector, YH_VERB_ALL);
277 fprintf(stderr, "Debug messages enabled\n");
278
279 return 0;
280}
281
282// NOTE(adma): Toggle debug messages
283// argc = 0
284int yh_com_debug_error(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
285
286 UNUSED(ctx);
287 UNUSED(argv);
288 UNUSED(fmt);
289
290 uint8_t yh_verbosity;
291
292 yh_get_verbosity(&yh_verbosity);
293 yh_verbosity ^= YH_VERB_ERR;
294
295 if (yh_verbosity & YH_VERB_ERR)
296 fprintf(stderr, "Error messages on\n");
297 else
298 fprintf(stderr, "Error messages off\n");
299
300 yh_set_verbosity(ctx->connector, yh_verbosity);
301
302 return 0;
303}
304
305// NOTE(adma): Toggle debug messages
306// argc = 0
307int yh_com_debug_info(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
308
309 UNUSED(ctx);
310 UNUSED(argv);
311 UNUSED(fmt);
312
313 uint8_t yh_verbosity;
314
315 yh_get_verbosity(&yh_verbosity);
316 yh_verbosity ^= YH_VERB_INFO;
317
318 if (yh_verbosity & YH_VERB_INFO)
319 fprintf(stderr, "Info messages on\n");
320 else
321 fprintf(stderr, "Info messages off\n");
322
323 yh_set_verbosity(ctx->connector, yh_verbosity);
324
325 return 0;
326}
327
328// NOTE(adma): Toggle debug messages
329// argc = 0
330int yh_com_debug_intermediate(yubihsm_context *ctx, Argument *argv,
331 cmd_format fmt) {
332
333 UNUSED(ctx);
334 UNUSED(argv);
335 UNUSED(fmt);
336
337 uint8_t yh_verbosity;
338
339 yh_get_verbosity(&yh_verbosity);
340 yh_verbosity ^= YH_VERB_INTERMEDIATE;
341
342 if (yh_verbosity & YH_VERB_INTERMEDIATE)
343 fprintf(stderr, "Intermediate messages on\n");
344 else
345 fprintf(stderr, "Intermediate messages off\n");
346
347 yh_set_verbosity(ctx->connector, yh_verbosity);
348
349 return 0;
350}
351
352// NOTE(adma): Toggle debug messages
353// argc = 0
354int yh_com_debug_none(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
355
356 UNUSED(ctx);
357 UNUSED(argv);
358 UNUSED(fmt);
359
360 yh_set_verbosity(ctx->connector, YH_VERB_QUIET);
361 fprintf(stderr, "Debug messages disabled\n");
362
363 return 0;
364}
365
366// NOTE(adma): Toggle debug messages
367// argc = 0
368int yh_com_debug_raw(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
369
370 UNUSED(ctx);
371 UNUSED(argv);
372 UNUSED(fmt);
373
374 uint8_t yh_verbosity;
375
376 yh_get_verbosity(&yh_verbosity);
377 yh_verbosity ^= YH_VERB_RAW;
378
379 if (yh_verbosity & YH_VERB_RAW)
380 fprintf(stderr, "Raw messages on\n");
381 else
382 fprintf(stderr, "Raw messages off\n");
383
384 yh_set_verbosity(ctx->connector, yh_verbosity);
385
386 return 0;
387}
388
389// NOTE(adma): Toggle debug messages
390// argc = 0
391int yh_com_debug_crypto(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
392
393 UNUSED(ctx);
394 UNUSED(argv);
395 UNUSED(fmt);
396
397 uint8_t yh_verbosity;
398
399 yh_get_verbosity(&yh_verbosity);
400 yh_verbosity ^= YH_VERB_CRYPTO;
401
402 if (yh_verbosity & YH_VERB_CRYPTO)
403 fprintf(stderr, "Crypto messages on\n");
404 else
405 fprintf(stderr, "Crypto messages off\n");
406
407 yh_set_verbosity(ctx->connector, yh_verbosity);
408
409 return 0;
410}
411
412// NOTE(adma): Decrypt data
413// argc = 3
414// arg 0: e:session
415// arg 1: w:key_id
416// arg 2: i:data
417int yh_com_decrypt_pkcs1v1_5(yubihsm_context *ctx, Argument *argv,
418 cmd_format fmt) {
419
420 yh_rc yrc;
421
422 UNUSED(ctx);
423
424 uint8_t response[YH_MSG_BUF_SIZE];
425 size_t response_len = sizeof(response);
426
427 yrc = yh_util_decrypt_pkcs1v1_5(argv[0].e, argv[1].w, argv[2].x, argv[2].len,
428 response, &response_len);
429 if (yrc != YHR_SUCCESS) {
430 fprintf(stderr, "Failed to decrypt data: %s\n", yh_strerror(yrc));
431 return -1;
432 }
433
434 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
435
436 return 0;
437}
438
439// NOTE: Do a ECDH key exchange
440// argc = 3
441// arg 0: e:session
442// arg 1: w:key_id
443// arg 2: i:pubkey
444int yh_com_derive_ecdh(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
445
446 UNUSED(ctx);
447
448 BIO *bio = BIO_new(BIO_s_mem());
449 if (bio == NULL) {
450 return false;
451 }
452
453 (void) BIO_write(bio, argv[2].x, argv[2].len);
454
455 EVP_PKEY *pubkey = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
456 BIO_free_all(bio);
457 if (pubkey == NULL) {
458 fprintf(stderr, "Failed to load public key\n");
459 return -1;
460 }
461 if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
462 EVP_PKEY_free(pubkey);
463 fprintf(stderr, "Key is not an EC key.\n");
464 return -1;
465 }
466
467 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pubkey);
468 EVP_PKEY_free(pubkey);
469 if (ec == NULL) {
470 fprintf(stderr, "Failed to retrive key.\n");
471 return -1;
472 }
473
474 uint8_t data[YH_MSG_BUF_SIZE];
475 uint8_t *ptr = data;
476 size_t data_len = i2o_ECPublicKey(ec, &ptr);
477
478 EC_KEY_free(ec);
479
480 yh_rc yrc;
481 uint8_t response[YH_MSG_BUF_SIZE];
482 size_t response_len = sizeof(response);
483
484 yrc = yh_util_derive_ecdh(argv[0].e, argv[1].w, data, data_len, response,
485 &response_len);
486 if (yrc != YHR_SUCCESS) {
487 fprintf(stderr, "Failed to do key exchange: %s\n", yh_strerror(yrc));
488 return -1;
489 }
490
491 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
492
493 return 0;
494}
495
496// NOTE: Decrypt data
497// argc = 3
498// arg 0: e:session
499// arg 1: w:key_id
500// arg 2: i:data
501int yh_com_decrypt_aesccm(yubihsm_context *ctx, Argument *argv,
502 cmd_format fmt) {
503 yh_rc yrc;
504
505 UNUSED(ctx);
506
507 uint8_t response[YH_MSG_BUF_SIZE];
508 size_t response_len = sizeof(response);
509
510 yrc = yh_util_unwrap_data(argv[0].e, argv[1].w, argv[2].x, argv[2].len,
511 response, &response_len);
512 if (yrc != YHR_SUCCESS) {
513 fprintf(stderr, "Failed to decrypt data: %s\n", yh_strerror(yrc));
514 return -1;
515 }
516
517 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
518
519 return 0;
520}
521
522// NOTE: Encrypt data
523// argc = 3
524// arg 0: e:session
525// arg 1: w:key_id
526// arg 2: i:data
527int yh_com_encrypt_aesccm(yubihsm_context *ctx, Argument *argv,
528 cmd_format fmt) {
529 yh_rc yrc;
530
531 UNUSED(ctx);
532
533 uint8_t response[YH_MSG_BUF_SIZE];
534 size_t response_len = sizeof(response);
535
536 yrc = yh_util_wrap_data(argv[0].e, argv[1].w, argv[2].x, argv[2].len,
537 response, &response_len);
538 if (yrc != YHR_SUCCESS) {
539 fprintf(stderr, "Failed to encrypt data: %s\n", yh_strerror(yrc));
540 return -1;
541 }
542
543 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
544
545 return 0;
546}
547
548// NOTE(adma): Disconnect from a connector
549// argc = 0
550int yh_com_disconnect(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
551
552 UNUSED(argv);
553 UNUSED(fmt);
554
555 yh_rc yrc;
556
557 for (int i = 0; i < YH_MAX_SESSIONS; i++) {
558 if (ctx->sessions[i]) {
559 yrc = yh_destroy_session(&ctx->sessions[i]);
560 if (yrc != YHR_SUCCESS) {
561 fprintf(stderr, "Failed to destroy session: %s\n", yh_strerror(yrc));
562 }
563 ctx->sessions[i] = NULL;
564 }
565 }
566
567 yrc = yh_disconnect(ctx->connector);
568 if (yrc != YHR_SUCCESS) {
569 fprintf(stderr, "Unable to disconnect: %s\n", yh_strerror(yrc));
570 return -1;
571 }
572 ctx->connector = NULL;
573
574 return 0;
575}
576
577// NOTE(adma): Send authenticated echo
578// argc = 3
579// arg 0: e:session
580// arg 1: b:byte
581// arg 2: w:count
582int yh_com_echo(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
583
584 UNUSED(ctx);
585 UNUSED(fmt);
586
587 yh_rc yrc;
588
589 uint8_t data[YH_MSG_BUF_SIZE];
590 uint16_t data_len;
591
592 uint8_t response[YH_MSG_BUF_SIZE];
593 size_t response_len;
594 yh_cmd response_cmd;
595
596 uint8_t byte = argv[1].b;
597
598 uint16_t count = argv[2].w;
599 if (count > YH_MSG_BUF_SIZE) {
600 fprintf(stderr, "Count must be in [0, %d]\n", YH_MSG_BUF_SIZE);
601 return -1;
602 }
603
604 memset(data, byte, count);
605
606 data_len = count;
607 response_len = sizeof(response);
608
609 yrc = yh_send_secure_msg(argv[0].e, YHC_ECHO, data, data_len, &response_cmd,
610 response, &response_len);
611 if (yrc != YHR_SUCCESS) {
612 fprintf(stderr, "Failed to send ECHO command: %s\n", yh_strerror(yrc));
613 return -1;
614 }
615
616 if (response_cmd == YHC_ERROR) {
617 fprintf(stderr, "Unable to get echo data: %s (%x)\n",
618 yh_strerror(response[0]), response[0]);
619 return -1;
620 }
621
622 fprintf(ctx->out, "Response (%zu bytes):\n", response_len);
623 for (uint32_t i = 0; i < response_len; i++) {
624 if (i && !(i % 64))
625 fprintf(ctx->out, "\n");
626 else if (i && !(i % 8))
627 fprintf(ctx->out, " ");
628 fprintf(ctx->out, "%02x", response[i]);
629 }
630
631 fprintf(ctx->out, "\n");
632
633 return 0;
634}
635
636// NOTE(adma): Generate an Asymmetric Key
637// argc = 6
638// arg 0: e:session
639// arg 1: w:key_id
640// arg 2: s:label
641// arg 3: w:domains
642// arg 4: c:capabilities
643// arg 5: a:algorithm
644int yh_com_generate_asymmetric(yubihsm_context *ctx, Argument *argv,
645 cmd_format fmt) {
646
647 UNUSED(ctx);
648 UNUSED(fmt);
649
650 yh_rc yrc;
651
652 if (yh_is_rsa(argv[5].a)) {
653 yrc = yh_util_generate_rsa_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
654 &argv[4].c, argv[5].a);
655 } else if (yh_is_ec(argv[5].a)) {
656 yrc = yh_util_generate_ec_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
657 &argv[4].c, argv[5].a);
658 } else if (yh_is_ed(argv[5].a)) {
659 yrc = yh_util_generate_ed_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
660 &argv[4].c, argv[5].a);
661 } else {
662 fprintf(stderr, "Invalid algorithm %d\n", argv[5].a);
663 return -1;
664 }
665
666 if (yrc != YHR_SUCCESS) {
667 fprintf(stderr, "Failed to generate asymmetric key: %s\n",
668 yh_strerror(yrc));
669 return -1;
670 }
671
672 fprintf(stderr, "Generated Asymmetric key 0x%04x\n", argv[1].w);
673
674 return 0;
675}
676
677// NOTE: Generate HMAC key
678// argc = 6
679// arg 0: e:session
680// arg 1: w:key_id
681// arg 2: s:label
682// arg 3: w:domains
683// arg 4: c:capabilities
684// arg 5: a:algorithm
685int yh_com_generate_hmac(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
686
687 UNUSED(ctx);
688 UNUSED(fmt);
689
690 yh_rc yrc;
691
692 if (!yh_is_hmac(argv[5].a)) {
693 fprintf(stderr, "Invalid algorithm: %d\n", argv[5].a);
694 return -1;
695 }
696
697 yrc = yh_util_generate_hmac_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
698 &argv[4].c, argv[5].a);
699
700 if (yrc != YHR_SUCCESS) {
701 fprintf(stderr, "Failed to generate HMAC key: %s\n", yh_strerror(yrc));
702 return -1;
703 }
704
705 fprintf(stderr, "Generated HMAC key 0x%04x\n", argv[1].w);
706
707 return 0;
708}
709
710// NOTE: Generate wrap key
711// argc = 6
712// arg 0: e:session
713// arg 1: w:key_id
714// arg 2: s:label
715// arg 3: w:domains
716// arg 4: c:capabilities
717// arg 5: c:delegated_capabilities
718// arg 6: a:algorithm
719int yh_com_generate_wrap(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
720
721 UNUSED(ctx);
722 UNUSED(fmt);
723
724 yh_rc yrc;
725
726 yrc = yh_util_generate_wrap_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
727 &argv[4].c, argv[6].a, &argv[5].c);
728 if (yrc != YHR_SUCCESS) {
729 fprintf(stderr, "Failed to generate wrapping key: %s\n", yh_strerror(yrc));
730 return -1;
731 }
732
733 fprintf(stderr, "Generated Wrap key 0x%04x\n", argv[1].w);
734
735 return 0;
736}
737
738// NOTE(adma): Get an opaque object
739// argc = 2
740// arg 0: e:session,
741// arg 1: w:object_id
742// arg 2: F:file
743int yh_com_get_opaque(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
744
745 UNUSED(ctx);
746
747 uint8_t response[YH_MSG_BUF_SIZE];
748 size_t response_len = sizeof(response);
749
750 yh_rc yrc = yh_util_get_opaque(argv[0].e, argv[1].w, response, &response_len);
751 if (yrc != YHR_SUCCESS) {
752 fprintf(stderr, "Failed to get opaque object: %s\n", yh_strerror(yrc));
753 return -1;
754 }
755
756 if (write_file(response, response_len, ctx->out, fmt_to_fmt(fmt))) {
757 return 0;
758 }
759
760 return -1;
761}
762
763// NOTE(adma): Get a global option value
764// argc = 2
765// arg 0: o:session
766// arg 1: s:option
767int yh_com_get_option(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
768
769 UNUSED(ctx);
770 UNUSED(fmt);
771
772 yh_rc yrc;
773
774 uint8_t response[YH_MSG_BUF_SIZE];
775 size_t response_len = sizeof(response);
776
777 yrc = yh_util_get_option(argv[0].e, argv[1].o, response, &response_len);
778
779 if (yrc != YHR_SUCCESS) {
780 fprintf(stderr, "Failed to get option: %s\n", yh_strerror(yrc));
781 return -1;
782 }
783
784 fprintf(ctx->out, "Option value is: ");
785 for (uint16_t i = 0; i < response_len; i++) {
786 fprintf(ctx->out, "%02x", response[i]);
787 }
788 fprintf(ctx->out, "\n");
789
790 return 0;
791}
792
793// NOTE(adma): Get pseudo-random bytes
794// argc = 2
795// arg 0: e:session
796// arg 1: w:count
797int yh_com_get_random(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
798
799 uint8_t response[YH_MSG_BUF_SIZE];
800 size_t response_len = sizeof(response);
801
802 yh_rc yrc =
803 yh_util_get_pseudo_random(argv[0].e, argv[1].w, response, &response_len);
804 if (yrc != YHR_SUCCESS) {
805 fprintf(stderr, "Failed to get pseudo random bytes: %s\n",
806 yh_strerror(yrc));
807 return -1;
808 }
809
810 if (response_len != argv[1].w) {
811 fprintf(stderr, "Wrong response length\n");
812 return -1;
813 }
814
815 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
816
817 return 0;
818}
819
820// NOTE(adma): Obtain storage information
821// argc = 1
822// arg 0: e:session
823int yh_com_get_storage(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
824
825 UNUSED(ctx);
826 UNUSED(fmt);
827
828 yh_rc yrc;
829 uint16_t total_records, free_records, free_pages, total_pages, page_size;
830 total_records = free_records = free_pages = total_pages = page_size = 0;
831
832 yrc = yh_util_get_storage_info(argv[0].e, &total_records, &free_records,
833 &total_pages, &free_pages, &page_size);
834
835 if (yrc != YHR_SUCCESS) {
836 fprintf(stderr, "Failed to get storage stats: %s\n", yh_strerror(yrc));
837 return -1;
838 }
839 fprintf(stderr,
840 "free records: %d/%d, free pages: %d/%d page size: %d bytes\n",
841 free_records, total_records, free_pages, total_pages, page_size);
842 return 0;
843}
844
845// NOTE: Get public key
846// argc = 3
847// arg 0: e:session
848// arg 1: w:key_id
849// arg 2: f:filename
850int yh_com_get_pubkey(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
851
852 yh_rc yrc;
853
854 uint8_t response[YH_MSG_BUF_SIZE];
855 size_t response_len = sizeof(response);
856
857 yh_algorithm algo;
858 EVP_PKEY *public_key = NULL;
859
860 yrc = yh_util_get_public_key(argv[0].e, argv[1].w, response, &response_len,
861 &algo);
862 if (yrc != YHR_SUCCESS) {
863 fprintf(stderr, "Failed to get public key: %s\n", yh_strerror(yrc));
864 return -1;
865 }
866
867 public_key = EVP_PKEY_new();
868
869 if (yh_is_rsa(algo)) {
870 RSA *rsa = RSA_new();
871 BIGNUM *e = BN_new();
872 BIGNUM *n = BN_bin2bn(response, response_len, NULL);
873 BN_hex2bn(&e, "10001");
874 RSA_set0_key(rsa, n, e, NULL);
875 EVP_PKEY_set1_RSA(public_key, rsa);
876 RSA_free(rsa);
877 } else if (yh_is_ec(algo)) {
878 EC_KEY *eckey = EC_KEY_new();
879 int nid = algo2nid(algo);
880 EC_POINT *point;
881 EC_GROUP *group = EC_GROUP_new_by_curve_name(nid);
882
883 EC_GROUP_set_asn1_flag(group, nid);
884 EC_KEY_set_group(eckey, group);
885 point = EC_POINT_new(group);
886
887 memmove(response + 1, response, response_len);
888 response[0] = 0x04; // hack to make it a valid ec pubkey..
889 response_len++;
890
891 EC_POINT_oct2point(group, point, response, response_len, NULL);
892
893 EC_KEY_set_public_key(eckey, point);
894
895 EVP_PKEY_set1_EC_KEY(public_key, eckey);
896
897 EC_POINT_free(point);
898 EC_KEY_free(eckey);
899 EC_GROUP_free(group);
900 } else {
901 // NOTE(adma): ED25519, there is no support for thi in OpenSSL, so
902 // we manually export them
903 EVP_PKEY_free(public_key);
904 write_ed25519_key(response, response_len, ctx->out,
905 ctx->out_fmt == fmt_PEM); // FIXME: do something
906 return 0;
907 }
908
909 if (fmt == fmt_PEM) {
910 PEM_write_PUBKEY(ctx->out, public_key);
911 } else if (fmt == fmt_binary) {
912 i2d_PUBKEY_fp(ctx->out, public_key);
913 } // FIXME: other formats or error.
914 EVP_PKEY_free(public_key);
915
916 return 0;
917}
918
919// NOTE: Get object information
920// argc = 3
921// arg 0: e:session
922// arg 1: w:id
923// arg 2: t:type
924int yh_com_get_object_info(yubihsm_context *ctx, Argument *argv,
925 cmd_format fmt) {
926 yh_rc yrc;
927 yh_object_descriptor object;
928
929 UNUSED(ctx);
930 UNUSED(fmt);
931
932 yrc = yh_util_get_object_info(argv[0].e, argv[1].w, argv[2].b, &object);
933 if (yrc != YHR_SUCCESS) {
934 fprintf(stderr, "Failed to get object info: %s\n", yh_strerror(yrc));
935 return -1;
936 }
937
938 char domains[256] = {0};
939 const char *cap[sizeof(yh_capability) / sizeof(yh_capability[0])];
940 size_t n_cap = sizeof(yh_capability) / sizeof(yh_capability[0]);
941 const char *type;
942 const char *algorithm = "";
943 const char *extra_algo = "";
944 yh_type_to_string(object.type, &type);
945 if (object.algorithm) {
946 yh_algo_to_string(object.algorithm, &algorithm);
947 extra_algo = ", algorithm: ";
948 }
949 yh_domains_to_string(object.domains, domains, 255);
950
951 fprintf(ctx->out,
952 "id: 0x%04x, type: %s%s%s, label: \"%s\", length: %d, "
953 "domains: %s, sequence: %hhu, origin: ",
954 object.id, type, extra_algo, algorithm, object.label, object.len,
955 domains, object.sequence);
956
957 if (object.origin & YH_ORIGIN_GENERATED) {
958 fprintf(ctx->out, "generated");
959 }
960 if (object.origin & YH_ORIGIN_IMPORTED) {
961 fprintf(ctx->out, "imported");
962 }
963 if (object.origin & YH_ORIGIN_IMPORTED_WRAPPED) {
964 fprintf(ctx->out, ":imported_wrapped");
965 }
966
967 fprintf(ctx->out, ", capabilities: ");
968 if (yh_capabilities_to_strings(&object.capabilities, cap, &n_cap) !=
969 YHR_SUCCESS) {
970 for (size_t i = 0; i < YH_CAPABILITIES_LEN; i++) {
971 fprintf(ctx->out, "0x%02x%s", object.capabilities.capabilities[i],
972 i < YH_CAPABILITIES_LEN - 1 ? " " : "");
973 }
974 } else {
975 for (size_t i = 0; i < n_cap; i++) {
976 fprintf(ctx->out, "%s%s", cap[i], i < n_cap - 1 ? ":" : "");
977 }
978 }
979 if (object.type == YH_WRAP_KEY || object.type == YH_AUTHENTICATION_KEY) {
980 fprintf(ctx->out, ", delegated_capabilities: ");
981 n_cap = sizeof(yh_capability) / sizeof(yh_capability[0]);
982 if (yh_capabilities_to_strings(&object.delegated_capabilities, cap,
983 &n_cap) != YHR_SUCCESS) {
984 for (size_t i = 0; i < YH_CAPABILITIES_LEN; i++) {
985 fprintf(ctx->out, "0x%02x%s",
986 object.delegated_capabilities.capabilities[i],
987 i < YH_CAPABILITIES_LEN - 1 ? " " : "");
988 }
989 } else {
990 for (size_t i = 0; i < n_cap; i++) {
991 fprintf(ctx->out, "%s%s", cap[i], i < n_cap - 1 ? ":" : "");
992 }
993 }
994 }
995 fprintf(ctx->out, "\n");
996
997 return 0;
998}
999
1000// NOTE: Get an object under wrap
1001// argc = 5
1002// arg 0: e:session
1003// arg 1: w:keyid
1004// arg 2: t:type
1005// arg 3: w:id
1006// arg 4: f:file
1007int yh_com_get_wrapped(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1008 uint8_t response[YH_MSG_BUF_SIZE];
1009 size_t response_len = sizeof(response);
1010 yh_rc yrc;
1011
1012 yrc = yh_util_export_wrapped(argv[0].e, argv[1].w, argv[2].b, argv[3].w,
1013 response, &response_len);
1014
1015 if (yrc != YHR_SUCCESS) {
1016 fprintf(stderr, "Failed to get wrapped object: %s\n", yh_strerror(yrc));
1017 return -1;
1018 }
1019
1020 if (write_file(response, response_len, ctx->out, fmt_to_fmt(fmt))) {
1021 return 0;
1022 }
1023
1024 return -1;
1025}
1026
1027// NOTE(adma): Get a template object
1028// argc = 2
1029// arg 0: e:session,
1030// arg 1: w:object_id
1031int yh_com_get_template(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1032
1033 uint8_t response[YH_MSG_BUF_SIZE];
1034 size_t response_len = sizeof(response);
1035
1036 yh_rc yrc =
1037 yh_util_get_template(argv[0].e, argv[1].w, response, &response_len);
1038 if (yrc != YHR_SUCCESS) {
1039 fprintf(stderr, "Failed to get template object: %s\n", yh_strerror(yrc));
1040 return -1;
1041 }
1042
1043 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
1044
1045 return 0;
1046}
1047
1048// NOTE(adma): No operation command
1049// argc = 0
1050int yh_com_noop(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1051
1052 UNUSED(ctx);
1053 UNUSED(argv);
1054 UNUSED(fmt);
1055
1056 return 0;
1057}
1058
1059// NOTE(adma): List capabilities
1060// argc = 0
1061int yh_com_list_capabilities(yubihsm_context *ctx, Argument *argv,
1062 cmd_format fmt) {
1063
1064 UNUSED(ctx);
1065 UNUSED(argv);
1066 UNUSED(fmt);
1067
1068 for (uint16_t i = 0; i < sizeof(yh_capability) / sizeof(yh_capability[0]);
1069 i++) {
1070 fprintf(ctx->out, "%-30s (%016llx)\n", yh_capability[i].name,
1071 1ULL << yh_capability[i].bit);
1072 }
1073
1074 return 0;
1075}
1076
1077// NOTE: List algorithms
1078// argc = 0
1079int yh_com_list_algorithms(yubihsm_context *ctx, Argument *argv,
1080 cmd_format fmt) {
1081
1082 UNUSED(ctx);
1083 UNUSED(argv);
1084 UNUSED(fmt);
1085
1086 for (uint16_t i = 0; i < sizeof(yh_algorithms) / sizeof(yh_algorithms[0]);
1087 i++) {
1088 fprintf(ctx->out, "%s\n", yh_algorithms[i].name);
1089 }
1090
1091 return 0;
1092}
1093
1094// NOTE: List types
1095// argc = 0
1096int yh_com_list_types(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1097
1098 UNUSED(ctx);
1099 UNUSED(argv);
1100 UNUSED(fmt);
1101
1102 for (uint16_t i = 0; i < sizeof(yh_types) / sizeof(yh_types[0]); i++) {
1103 fprintf(ctx->out, "%s\n", yh_types[i].name);
1104 }
1105
1106 return 0;
1107}
1108
1109// NOTE(adma): List sessions
1110// argc = 0
1111int yh_com_list_sessions(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1112
1113 UNUSED(argv);
1114 UNUSED(fmt);
1115
1116 if (ctx->connector == NULL) {
1117 fprintf(stderr, "Not connected\n");
1118 return -1;
1119 }
1120
1121 for (uint16_t i = 0; i < YH_MAX_SESSIONS; i++) {
1122 if (ctx->sessions[i] != NULL) {
1123 fprintf(stderr, "Session %d\n", i);
1124 }
1125 }
1126
1127 return 0;
1128}
1129
1130static int compare_objects(const void *p1, const void *p2) {
1131 const yh_object_descriptor *a = p1;
1132 const yh_object_descriptor *b = p2;
1133
1134 return a->id - b->id;
1135}
1136
1137// NOTE: List object according to a filter
1138// argc = 7
1139// arg 0: e:session
1140// arg 1: w:id
1141// arg 2: t:type
1142// arg 3: w:domains
1143// arg 4: u:capabilities
1144// arg 5: a:algorithm
1145// arg 6: s:label
1146int yh_com_list_objects(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1147 yh_rc yrc;
1148 yh_object_descriptor objects[YH_MAX_ITEMS_COUNT];
1149 size_t num_objects = YH_MAX_ITEMS_COUNT;
1150 const char *label_arg;
1151
1152 UNUSED(ctx);
1153 UNUSED(fmt);
1154
1155 if (argv[6].len == 0) {
1156 label_arg = NULL;
1157 } else {
1158 label_arg = argv[6].s;
1159 }
1160
1161 yrc =
1162 yh_util_list_objects(argv[0].e, argv[1].w, argv[2].b, argv[3].w, &argv[4].c,
1163 argv[5].a, label_arg, objects, &num_objects);
1164 if (yrc != YHR_SUCCESS) {
1165 fprintf(stderr, "Failed to list objects: %s\n", yh_strerror(yrc));
1166 return -1;
1167 }
1168
1169 qsort(objects, num_objects, sizeof(yh_object_descriptor), compare_objects);
1170
1171 fprintf(ctx->out, "Found %zu object(s)\n", num_objects);
1172 for (size_t i = 0; i < num_objects; i++) {
1173 const char *type = "";
1174 yh_type_to_string(objects[i].type, &type);
1175 fprintf(ctx->out, "id: 0x%04x, type: %s, sequence: %hhu\n", objects[i].id,
1176 type, objects[i].sequence);
1177 }
1178 return 0;
1179}
1180
1181#ifdef USE_YKYH
1182static int parse_yk_password(char *line, char **name, char **pw) {
1183
1184 int len = strlen(line);
1185
1186 *name = line;
1187 for (int i = 0; i < len; i++) {
1188 if (line[i] == ':') {
1189 if (len - i - 1 != YKYH_PW_LEN) {
1190 return -1;
1191 }
1192
1193 line[i] = '\0';
1194 *pw = line + i + 1;
1195
1196 return 0;
1197 }
1198 }
1199
1200 return -1;
1201}
1202#endif
1203
1204// NOTE(adma): Open a session with a connector using an Authentication Key
1205// argc = 2
1206// arg 0: w:authkey
1207// arg 1: i:password
1208int yh_com_open_session(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1209
1210 UNUSED(fmt);
1211
1212 yh_session *ses = NULL;
1213 uint8_t session_id = 0;
1214
1215 if (ctx->connector == NULL) {
1216 fprintf(stderr, "Not connected\n");
1217 return -1;
1218 }
1219
1220 yh_rc yrc;
1221
1222 uint16_t authkey = argv[0].w;
1223
1224#ifdef USE_YKYH
1225 uint8_t *yh_context;
1226 if (strncmp("yk:", (char *) argv[1].x, 3) == 0) {
1227 ykyh_rc ykyhrc;
1228 uint8_t card_cryptogram[YH_CONTEXT_LEN / 2];
1229 uint8_t key_s_enc[YH_KEY_LEN];
1230 uint8_t key_s_mac[YH_KEY_LEN];
1231 uint8_t key_s_rmac[YH_KEY_LEN];
1232 size_t key_s_enc_len = sizeof(key_s_enc);
1233 size_t key_s_mac_len = sizeof(key_s_mac);
1234 size_t key_s_rmac_len = sizeof(key_s_rmac);
1235 uint8_t retries;
1236
1237 ykyhrc = ykyh_connect(ctx->state, NULL);
1238 if (ykyhrc != YKYHR_SUCCESS) {
1239 fprintf(stderr, "Failed to connect to the YubiKey: %s\n",
1240 ykyh_strerror(ykyhrc));
1241 return -1;
1242 }
1243
1244 yrc = yh_begin_create_session_ext(ctx->connector, argv[0].w, &yh_context,
1245 card_cryptogram, sizeof(card_cryptogram),
1246 &ses);
1247 if (yrc != YHR_SUCCESS) {
1248 fprintf(stderr, "Failed to create session: %s\n", yh_strerror(yrc));
1249 return -1;
1250 }
1251
1252 char *name;
1253 char *pw;
1254 if (parse_yk_password((char *) (argv[1].x + 3), &name, &pw) == -1) {
1255 fprintf(stderr,
1256 "Failed to decode password, format must be "
1257 "yk:NAME[%d-%d]:PASSWORD[%d]\n",
1258 YKYH_MIN_NAME_LEN, YKYH_MAX_NAME_LEN, YKYH_PW_LEN);
1259 return -1;
1260 }
1261
1262 ykyhrc =
1263 ykyh_calculate(ctx->state, name, yh_context, YH_CONTEXT_LEN, pw,
1264 key_s_enc, sizeof(key_s_enc), key_s_mac, sizeof(key_s_mac),
1265 key_s_rmac, sizeof(key_s_rmac), &retries);
1266 if (ykyhrc != YKYHR_SUCCESS) {
1267 fprintf(stderr, "Failed to get session keys from the YubiKey: %s",
1268 ykyh_strerror(ykyhrc));
1269 if (ykyhrc == YKYHR_WRONG_PW) {
1270 fprintf(stderr, ", %d attempts remaining", retries);
1271 }
1272 fprintf(stderr, "\n");
1273
1274 return -1;
1275 }
1276
1277 yrc =
1278 yh_finish_create_session_ext(ctx->connector, ses, key_s_enc,
1279 key_s_enc_len, key_s_mac, key_s_mac_len,
1280 key_s_rmac, key_s_rmac_len, card_cryptogram,
1281 sizeof(card_cryptogram));
1282 if (yrc != YHR_SUCCESS) {
1283 fprintf(stderr, "Failed to create session: %s\n", yh_strerror(yrc));
1284 return -1;
1285 }
1286 } else {
1287#endif
1288 yrc = yh_create_session_derived(ctx->connector, authkey, argv[1].x,
1289 argv[1].len, false, &ses);
1290 insecure_memzero(argv[1].x, argv[1].len);
1291 if (yrc != YHR_SUCCESS) {
1292 fprintf(stderr, "Failed to create session: %s\n", yh_strerror(yrc));
1293 return -1;
1294 }
1295#ifdef USE_YKYH
1296 }
1297#endif
1298
1299 yrc = yh_authenticate_session(ses);
1300 if (yrc != YHR_SUCCESS) {
1301 fprintf(stderr, "Failed to authenticate session: %s\n", yh_strerror(yrc));
1302 return -1;
1303 }
1304
1305 yrc = yh_get_session_id(ses, &session_id);
1306 if (yrc != YHR_SUCCESS) {
1307 fprintf(stderr, "Failed to create session: %s\n", yh_strerror(yrc));
1308 return -1;
1309 }
1310
1311 if (ctx->sessions[session_id] != NULL) {
1312 yrc = yh_destroy_session(&ctx->sessions[session_id]);
1313 if (yrc != YHR_SUCCESS) {
1314 fprintf(stderr, "Failed to destroy old session with same id (%d): %s\n",
1315 session_id, yh_strerror(yrc));
1316 return -1;
1317 }
1318 }
1319 ctx->sessions[session_id] = ses;
1320
1321 fprintf(stderr, "Created session %d\n", session_id);
1322
1323 return 0;
1324}
1325
1326// NOTE(adma): Send unauthenticated echo
1327// argc = 2
1328// arg 0: b:byte
1329// arg 1: w:count
1330int yh_com_pecho(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1331
1332 UNUSED(fmt);
1333
1334 yh_rc yrc;
1335
1336 uint8_t data[YH_MSG_BUF_SIZE];
1337 uint16_t data_len;
1338
1339 uint8_t response[YH_MSG_BUF_SIZE];
1340 size_t response_len;
1341 yh_cmd response_cmd;
1342
1343 if (ctx->connector == NULL) {
1344 fprintf(stderr, "Not connected\n");
1345 return -1;
1346 }
1347
1348 uint8_t byte = argv[0].b;
1349
1350 uint16_t count = argv[1].w;
1351 if (count > YH_MSG_BUF_SIZE) {
1352 fprintf(stderr, "Count must be in [0, %d]\n", YH_MSG_BUF_SIZE);
1353 return -1;
1354 }
1355
1356 memset(data, byte, count);
1357
1358 data_len = count;
1359 response_len = sizeof(response);
1360
1361 yrc = yh_send_plain_msg(ctx->connector, YHC_ECHO, data, data_len,
1362 &response_cmd, response, &response_len);
1363 if (yrc != YHR_SUCCESS) {
1364 fprintf(stderr, "Failed to send ECHO command): %s\n", yh_strerror(yrc));
1365 return -1;
1366 }
1367
1368 if (response_cmd == YHC_ERROR) {
1369 fprintf(stderr, "Unable to get echo data: %s (%x)\n",
1370 yh_strerror(response[0]), response[0]);
1371 return -1;
1372 }
1373
1374 fprintf(ctx->out, "Response (%zu bytes):\n", response_len);
1375 for (uint32_t i = 0; i < response_len; i++) {
1376 if (i && !(i % 64))
1377 fprintf(ctx->out, "\n");
1378 else if (i && !(i % 8))
1379 fprintf(ctx->out, " ");
1380 fprintf(ctx->out, "%02x", response[i]);
1381 }
1382
1383 fprintf(ctx->out, "\n");
1384
1385 return 0;
1386}
1387
1388// NOTE(adma): Store an asymmetric key
1389// argc = 6
1390// arg 0: e:session
1391// arg 1: w:key_id
1392// arg 2: s:label
1393// arg 3: w:domains
1394// arg 4: c:capabilities
1395// arg 5: i:key
1396int yh_com_put_asymmetric(yubihsm_context *ctx, Argument *argv,
1397 cmd_format fmt) {
1398
1399 UNUSED(ctx);
1400 UNUSED(fmt);
1401
1402 uint8_t key[512];
1403 size_t key_material_len = sizeof(key);
1404 yh_algorithm algorithm;
1405
1406 yh_rc yrc;
1407
1408 bool ret = read_private_key(argv[5].x, argv[5].len, &algorithm, key,
1409 &key_material_len, false);
1410 if (ret == false) {
1411 fprintf(stderr, "Unable to read asymmetric key\n");
1412 return -1;
1413 }
1414
1415 switch (algorithm) {
1416 case YH_ALGO_RSA_2048:
1417 case YH_ALGO_RSA_3072:
1418 case YH_ALGO_RSA_4096:
1419 yrc = yh_util_import_rsa_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1420 &argv[4].c, algorithm, key,
1421 key + key_material_len / 2);
1422 break;
1423 case YH_ALGO_EC_P224:
1424 case YH_ALGO_EC_P256:
1425 case YH_ALGO_EC_P384:
1426 case YH_ALGO_EC_P521:
1427 case YH_ALGO_EC_K256:
1428 case YH_ALGO_EC_BP256:
1429 case YH_ALGO_EC_BP384:
1430 case YH_ALGO_EC_BP512:
1431 yrc = yh_util_import_ec_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1432 &argv[4].c, algorithm, key);
1433 break;
1434
1435 case YH_ALGO_EC_ED25519:
1436 yrc = yh_util_import_ed_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1437 &argv[4].c, algorithm, key);
1438 break;
1439 default:
1440 fprintf(stderr, "Unsupported algorithm\n");
1441 return -1;
1442 }
1443
1444 if (yrc != YHR_SUCCESS) {
1445 fprintf(stderr, "Failed to store asymmetric key: %s\n", yh_strerror(yrc));
1446 return -1;
1447 }
1448
1449 fprintf(stderr, "Stored Asymmetric key 0x%04x\n", argv[1].w);
1450
1451 return 0;
1452}
1453
1454// NOTE(adma): Store an authentication key
1455// argc = 7
1456// arg 0: e:session
1457// arg 1: w:key_id
1458// arg 2: s:label
1459// arg 3: w:domains
1460// arg 4: c:capabilities
1461// arg 5: c:delegated_capabilities
1462// arg 6: x:password
1463int yh_com_put_authentication(yubihsm_context *ctx, Argument *argv,
1464 cmd_format fmt) {
1465
1466 UNUSED(ctx);
1467 UNUSED(fmt);
1468
1469 yh_rc yrc;
1470
1471 yrc =
1472 yh_util_import_authentication_key_derived(argv[0].e, &argv[1].w, argv[2].s,
1473 argv[3].w, &argv[4].c, &argv[5].c,
1474 argv[6].x, argv[6].len);
1475 insecure_memzero(argv[6].x, argv[6].len);
1476 if (yrc != YHR_SUCCESS) {
1477 fprintf(stderr, "Failed to store authkey: %s\n", yh_strerror(yrc));
1478 return -1;
1479 }
1480
1481 fprintf(stderr, "Stored Authentication key 0x%04x\n", argv[1].w);
1482
1483 return 0;
1484}
1485
1486// NOTE(adma): Store an opaque object
1487// argc = 6
1488// arg 0: e:session
1489// arg 1: w:object_id
1490// arg 2: s:label
1491// arg 3: w:domains
1492// arg 4: c:capabilities
1493// arg 5: a:algorithm
1494// arg 6: i:datafile
1495int yh_com_put_opaque(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1496
1497 yh_rc yrc;
1498
1499 UNUSED(ctx);
1500 UNUSED(fmt);
1501
1502 yrc = yh_util_import_opaque(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1503 &argv[4].c, argv[5].a, argv[6].x, argv[6].len);
1504 if (yrc != YHR_SUCCESS) {
1505 fprintf(stderr, "Failed to store opaque object: %s\n", yh_strerror(yrc));
1506 return -1;
1507 }
1508
1509 fprintf(stderr, "Stored Opaque object 0x%04x\n", argv[1].w);
1510
1511 return 0;
1512}
1513
1514// NOTE(adma): Set a global option value
1515// argc = 3
1516// arg 0: e:session
1517// arg 1: o:option
1518// arg 2: x:value
1519int yh_com_put_option(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1520
1521 UNUSED(ctx);
1522 UNUSED(fmt);
1523
1524 yh_rc yrc;
1525
1526 yrc = yh_util_set_option(argv[0].e, argv[1].o, argv[2].len, argv[2].x);
1527 if (yrc != YHR_SUCCESS) {
1528 fprintf(stderr, "Failed to store option: %s\n", yh_strerror(yrc));
1529 return -1;
1530 }
1531
1532 return 0;
1533}
1534
1535// NOTE: Put a HMAC key
1536// argc = 7
1537// arg 0: e:session
1538// arg 1: w:key_id
1539// arg 2: s:label
1540// arg 3: w:domains
1541// arg 4: c:capabilities
1542// arg 5: a:algorithm
1543// arg 6: x:key
1544int yh_com_put_hmac(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1545
1546 UNUSED(ctx);
1547 UNUSED(fmt);
1548
1549 yh_rc yrc;
1550
1551 if (argv[6].len > 128) {
1552 fprintf(stderr, "Too long key supplied, max 128 bytes allowed\n");
1553 return -1;
1554 }
1555
1556 yrc = yh_util_import_hmac_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1557 &argv[4].c, argv[5].a, argv[6].x, argv[6].len);
1558 if (yrc != YHR_SUCCESS) {
1559 fprintf(stderr, "Failed to store HMAC key: %s\n", yh_strerror(yrc));
1560 return -1;
1561 }
1562
1563 fprintf(stderr, "Stored HMAC key 0x%04x\n", argv[1].w);
1564
1565 return 0;
1566}
1567
1568// NOTE: Store a wrapping key
1569// argc = 6
1570// arg 0: e:session
1571// arg 1: w:key_id
1572// arg 2: s:label
1573// arg 3: w:domains
1574// arg 4: c:capabilities
1575// arg 5: c:delegated_capabilities
1576// arg 6: x:key
1577int yh_com_put_wrapkey(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1578 yh_rc yrc;
1579
1580 UNUSED(ctx);
1581 UNUSED(fmt);
1582 yh_algorithm algo;
1583
1584 if (argv[6].len == 16) {
1585 algo = YH_ALGO_AES128_CCM_WRAP;
1586 } else if (argv[6].len == 24) {
1587 algo = YH_ALGO_AES192_CCM_WRAP;
1588 } else if (argv[6].len == 32) {
1589 algo = YH_ALGO_AES256_CCM_WRAP;
1590 } else {
1591 fprintf(stderr, "Key length not matching, should be 16, 24 or 32\n");
1592 return -1;
1593 }
1594
1595 yrc = yh_util_import_wrap_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1596 &argv[4].c, algo, &argv[5].c, argv[6].x,
1597 argv[6].len);
1598 if (yrc != YHR_SUCCESS) {
1599 fprintf(stderr, "Failed to store wrapkey: %s\n", yh_strerror(yrc));
1600 return -1;
1601 }
1602
1603 fprintf(stderr, "Stored Wrap key 0x%04x\n", argv[1].w);
1604
1605 return 0;
1606}
1607
1608// NOTE: Store a wrapped object
1609// argc = 3
1610// arg 0: e:session
1611// arg 1: w:key_id
1612// arg 2: i:data
1613int yh_com_put_wrapped(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1614 yh_rc yrc;
1615 yh_object_type object_type;
1616 uint16_t object_id;
1617 const char *type = "";
1618
1619 UNUSED(ctx);
1620 UNUSED(fmt);
1621
1622 yrc = yh_util_import_wrapped(argv[0].e, argv[1].w, argv[2].x, argv[2].len,
1623 &object_type, &object_id);
1624 if (yrc != YHR_SUCCESS) {
1625 fprintf(stderr, "Failed to store wrapped object: %s\n", yh_strerror(yrc));
1626 return -1;
1627 }
1628
1629 yh_type_to_string(object_type, &type);
1630
1631 fprintf(stderr, "Object imported as 0x%04x of type %s\n", object_id, type);
1632
1633 return 0;
1634}
1635
1636// NOTE(adma): Store a template object
1637// argc = 7
1638// arg 0: e:session
1639// arg 1: w:object_id
1640// arg 2: s:label
1641// arg 3: w:domains
1642// arg 4: c:capabilities
1643// arg 5: a:algorithm
1644// arg 6: i:datafile
1645int yh_com_put_template(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1646
1647 yh_rc yrc;
1648
1649 UNUSED(ctx);
1650 UNUSED(fmt);
1651
1652 yrc = yh_util_import_template(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
1653 &argv[4].c, argv[5].a, argv[6].x, argv[6].len);
1654 if (yrc != YHR_SUCCESS) {
1655 fprintf(stderr, "Failed to store template object: %s\n", yh_strerror(yrc));
1656 return -1;
1657 }
1658
1659 fprintf(stderr, "Stored Template object 0x%04x\n", argv[1].w);
1660
1661 return 0;
1662}
1663
1664// NOTE(adma): Sign data using ECDSA
1665// argc = 4
1666// arg 0: e:session
1667// arg 1: w:key_id
1668// arg 2: a:algorithm
1669// arg 3: i:datafile
1670int yh_com_sign_ecdsa(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1671
1672 yh_rc yrc;
1673
1674 uint8_t data[YH_MSG_BUF_SIZE];
1675 size_t data_len;
1676
1677 uint8_t response[YH_MSG_BUF_SIZE];
1678 size_t response_len = sizeof(response);
1679
1680 int hash;
1681
1682 switch (argv[2].a) {
1683 case YH_ALGO_EC_ECDSA_SHA1:
1684 hash = _SHA1;
1685 break;
1686
1687 case YH_ALGO_EC_ECDSA_SHA256:
1688 hash = _SHA256;
1689 break;
1690
1691 case YH_ALGO_EC_ECDSA_SHA384:
1692 hash = _SHA384;
1693 break;
1694
1695 case YH_ALGO_EC_ECDSA_SHA512:
1696 hash = _SHA512;
1697 break;
1698
1699 default:
1700 fprintf(stderr, "Invalid hash algorithm\n");
1701 return -1;
1702 }
1703
1704 if (hash_bytes(argv[3].x, argv[3].len, hash, data, &data_len) == false) {
1705 fprintf(stderr, "Unable to hash file\n");
1706 return -1;
1707 }
1708
1709 yrc = yh_util_sign_ecdsa(argv[0].e, argv[1].w, data, data_len, response,
1710 &response_len);
1711 if (yrc != YHR_SUCCESS) {
1712 fprintf(stderr, "Failed to sign data with ecdsa: %s\n", yh_strerror(yrc));
1713 return -1;
1714 }
1715
1716 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
1717
1718 return 0;
1719}
1720
1721// NOTE(adma): Sign data using EDDSA
1722// argc = 4
1723// arg 0: e:session
1724// arg 1: w:key_id
1725// arg 2: a:algorithm
1726// arg 3: i:datafile
1727int yh_com_sign_eddsa(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1728
1729 yh_rc yrc;
1730
1731 uint8_t response[YH_MSG_BUF_SIZE];
1732 size_t response_len = sizeof(response);
1733
1734 if (argv[2].a != YH_ALGO_EC_ED25519) {
1735 fprintf(stderr, "Invalid algorithm\n");
1736 return -1;
1737 }
1738
1739 yrc = yh_util_sign_eddsa(argv[0].e, argv[1].w, argv[3].x, argv[3].len,
1740 response, &response_len);
1741 if (yrc != YHR_SUCCESS) {
1742 fprintf(stderr, "Failed to sign data with eddsa: %s\n", yh_strerror(yrc));
1743 return -1;
1744 }
1745
1746 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
1747
1748 return 0;
1749}
1750
1751// NOTE(adma): Sign data using RSASSA-PKCS#1v1.5
1752// argc = 4
1753// arg 0: e:session
1754// arg 1: w:key_id
1755// arg 2: a:algorithm
1756// arg 3: f:datafile
1757int yh_com_sign_pkcs1v1_5(yubihsm_context *ctx, Argument *argv,
1758 cmd_format fmt) {
1759
1760 yh_rc yrc;
1761
1762 uint8_t data[YH_MSG_BUF_SIZE];
1763 size_t data_len;
1764
1765 uint8_t response[YH_MSG_BUF_SIZE];
1766 size_t response_len = sizeof(response);
1767
1768 int hash;
1769
1770 switch (argv[2].a) {
1771 case YH_ALGO_RSA_PKCS1_SHA1:
1772 hash = _SHA1;
1773 break;
1774
1775 case YH_ALGO_RSA_PKCS1_SHA256:
1776 hash = _SHA256;
1777 break;
1778
1779 case YH_ALGO_RSA_PKCS1_SHA384:
1780 hash = _SHA384;
1781 break;
1782
1783 case YH_ALGO_RSA_PKCS1_SHA512:
1784 hash = _SHA512;
1785 break;
1786
1787 default:
1788 fprintf(stderr, "Invalid hash algorithm\n");
1789 return -1;
1790 }
1791
1792 if (hash_bytes(argv[3].x, argv[3].len, hash, data, &data_len) == false) {
1793 fprintf(stderr, "Unable to hash file\n");
1794 return -1;
1795 }
1796
1797 yrc = yh_util_sign_pkcs1v1_5(argv[0].e, argv[1].w, true, data, data_len,
1798 response, &response_len);
1799 if (yrc != YHR_SUCCESS) {
1800 fprintf(stderr, "Failed to sign data with PKCS#1v1.5: %s\n",
1801 yh_strerror(yrc));
1802 return -1;
1803 }
1804
1805 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
1806
1807 return 0;
1808}
1809
1810// NOTE(adma): Sign data using RSASSA-PSS
1811// argc = 4
1812// arg 0: e:session
1813// arg 1: w:key_id
1814// arg 2: a:algorithm
1815// arg 3: f:datafile
1816int yh_com_sign_pss(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1817
1818 yh_rc yrc;
1819
1820 uint8_t data[YH_MSG_BUF_SIZE];
1821 size_t data_len;
1822
1823 uint8_t response[YH_MSG_BUF_SIZE];
1824 size_t response_len = sizeof(response);
1825
1826 int hash;
1827 yh_algorithm mgf;
1828
1829 switch (argv[2].a) {
1830 case YH_ALGO_RSA_PSS_SHA1:
1831 hash = _SHA1;
1832 mgf = YH_ALGO_MGF1_SHA1;
1833 break;
1834
1835 case YH_ALGO_RSA_PSS_SHA256:
1836 hash = _SHA256;
1837 mgf = YH_ALGO_MGF1_SHA256;
1838 break;
1839
1840 case YH_ALGO_RSA_PSS_SHA384:
1841 hash = _SHA384;
1842 mgf = YH_ALGO_MGF1_SHA384;
1843 break;
1844
1845 case YH_ALGO_RSA_PSS_SHA512:
1846 hash = _SHA512;
1847 mgf = YH_ALGO_MGF1_SHA512;
1848 break;
1849
1850 default:
1851 fprintf(stderr, "Invalid hash algorithm\n");
1852 return -1;
1853 }
1854
1855 if (hash_bytes(argv[3].x, argv[3].len, hash, data, &data_len) == false) {
1856 fprintf(stderr, "Unable to hash file\n");
1857 return -1;
1858 }
1859
1860 // NOTE(adma): Salt length always matches the length of the hash
1861 yrc = yh_util_sign_pss(argv[0].e, argv[1].w, data, data_len, response,
1862 &response_len, data_len, mgf);
1863 if (yrc != YHR_SUCCESS) {
1864 fprintf(stderr, "Failed to sign data with PSS: %s\n", yh_strerror(yrc));
1865 return -1;
1866 }
1867
1868 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
1869
1870 return 0;
1871}
1872
1873// NOTE(adma): Extract the version number, serial number and supported
1874// algorithms
1875// argc = 0
1876int yh_com_get_device_info(yubihsm_context *ctx, Argument *argv,
1877 cmd_format fmt) {
1878
1879 UNUSED(argv);
1880 UNUSED(fmt);
1881
1882 if (ctx->connector == NULL) {
1883 fprintf(stderr, "Not connected\n");
1884 return -1;
1885 }
1886
1887 yh_rc yrc;
1888
1889 uint8_t major;
1890 uint8_t minor;
1891 uint8_t patch;
1892 uint32_t serial;
1893 uint8_t log_total;
1894 uint8_t log_used;
1895 yh_algorithm algorithms[YH_MAX_ALGORITHM_COUNT];
1896 size_t n_algorithms = sizeof(algorithms);
1897
1898 yrc =
1899 yh_util_get_device_info(ctx->connector, &major, &minor, &patch, &serial,
1900 &log_total, &log_used, algorithms, &n_algorithms);
1901 if (yrc != YHR_SUCCESS) {
1902 fprintf(stderr, "Failed to get device info: %s\n", yh_strerror(yrc));
1903 return -1;
1904 }
1905
1906 fprintf(ctx->out, "Version number:\t\t%hhu.%hhu.%hhu\n", major, minor, patch);
1907 fprintf(ctx->out, "Serial number:\t\t%u\n", serial);
1908 fprintf(ctx->out, "Log used:\t\t%d/%d\n", log_used, log_total);
1909
1910 fprintf(ctx->out, "Supported algorithms:\t");
1911 for (size_t i = 0; i < n_algorithms; i++) {
1912 const char *algo_str;
1913 yh_algo_to_string(algorithms[i], &algo_str);
1914 fprintf(ctx->out, "%s, ", algo_str);
1915 if ((i + 1) % 3 == 0 && i != 0) {
1916 fprintf(ctx->out, "\n\t\t\t");
1917 }
1918 }
1919 fprintf(ctx->out, "\n");
1920
1921 return 0;
1922}
1923
1924// NOTE: HMAC data
1925// argc = 3
1926// arg 0: e:session
1927// arg 1: w:key_id
1928// arg 2: x:data
1929int yh_com_hmac(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1930
1931 UNUSED(ctx);
1932
1933 yh_rc yrc;
1934
1935 uint8_t response[YH_MSG_BUF_SIZE];
1936 size_t response_len = sizeof(response);
1937
1938 yrc = yh_util_sign_hmac(argv[0].e, argv[1].w, argv[2].x, argv[2].len,
1939 response, &response_len);
1940 if (yrc != YHR_SUCCESS) {
1941 fprintf(stderr, "Failed to HMAC data: %s\n", yh_strerror(yrc));
1942 return -1;
1943 }
1944
1945 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
1946
1947 return 0;
1948}
1949
1950// NOTE: Reset device
1951// argc = 1
1952// arg 0: e:session
1953int yh_com_reset(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1954 UNUSED(ctx);
1955 UNUSED(fmt);
1956
1957 yh_rc yrc;
1958
1959 yrc = yh_util_reset_device(argv[0].e);
1960 if (yrc != YHR_CONNECTION_ERROR && yrc != YHR_SUCCESS) {
1961 fprintf(stderr, "Failed to reset device: %s\n", yh_strerror(yrc));
1962 return -1;
1963 }
1964
1965 fprintf(ctx->out, "Device successfully reset\n");
1966
1967 return 0;
1968}
1969
1970// NOTE: Delete an object
1971// argc = 3
1972// arg 0: e:session
1973// arg 1: w:id
1974// arg 2: t:type
1975int yh_com_delete(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
1976 UNUSED(ctx);
1977 UNUSED(fmt);
1978
1979 yh_rc yrc = yh_util_delete_object(argv[0].e, argv[1].w, argv[2].t);
1980 if (yrc != YHR_SUCCESS) {
1981 fprintf(stderr, "Failed to delete object: %s\n", yh_strerror(yrc));
1982 return -1;
1983 } // TODO(adma): the order of the arguments should be changed to id and type
1984
1985 return 0;
1986}
1987
1988// NOTE(adma): Sign an SSH public key
1989// argc = 4
1990// arg 0: e:session
1991// arg 1: w:key_id
1992// arg 2: w:template_id
1993// arg 3: a:algorithm
1994// arg 4: i:datafile
1995int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv,
1996 cmd_format fmt) {
1997
1998 UNUSED(fmt); // TODO: respect output format
1999
2000 yh_rc yrc;
2001
2002 uint8_t data[YH_MSG_BUF_SIZE + 1024];
2003 size_t response_len = sizeof(data);
2004
2005 memcpy(data, argv[4].x, argv[4].len);
2006 response_len -= argv[4].len;
2007
2008 yrc = yh_util_sign_ssh_certificate(argv[0].e, argv[1].w, argv[2].w, argv[3].a,
2009 data, argv[4].len, data + argv[4].len,
2010 &response_len);
2011 if (yrc != YHR_SUCCESS) {
2012 fprintf(stderr, "Failed to get certificate signature: %s\n",
2013 yh_strerror(yrc));
2014 return -1;
2015 }
2016
2017 BIO *bio;
2018 BIO *b64;
2019 BUF_MEM *bufferPtr;
2020
2021 b64 = BIO_new(BIO_f_base64());
2022 bio = BIO_new(BIO_s_mem());
2023 bio = BIO_push(b64, bio);
2024
2025 (void) BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL);
2026 (void) BIO_write(bio, data + 4 + 256,
2027 argv[4].len + response_len - 4 -
2028 256); // TODO(adma): FIXME, unmagify
2029 (void) BIO_flush(bio);
2030 (void) BIO_get_mem_ptr(bio, &bufferPtr);
2031
2032 const char *ssh_cert_str =
2033 "ssh-rsa-cert-v01@openssh.com "; // TODO(adma): ECDSA
2034
2035 if (fwrite(ssh_cert_str, 1, strlen(ssh_cert_str), ctx->out) !=
2036 strlen(ssh_cert_str) ||
2037 ferror(ctx->out)) {
2038 fprintf(stderr, "Unable to write data to file\n");
2039 return -1;
2040 }
2041
2042 if (fwrite(bufferPtr->data, 1, bufferPtr->length, ctx->out) !=
2043 bufferPtr->length ||
2044 ferror(ctx->out)) {
2045 fprintf(stderr, "Unable to write data to file\n");
2046 return -1;
2047 }
2048
2049 if (fwrite("\n", 1, 1, ctx->out) != 1 || ferror(ctx->out)) {
2050 fprintf(stderr, "Unable to write data to file\n");
2051 return -1;
2052 }
2053
2054 (void) BIO_free_all(bio); // TODO: fix this leak.
2055
2056 return 0;
2057}
2058
2059static void time_elapsed(struct timeval *after, struct timeval *before,
2060 struct timeval *result) {
2061 result->tv_sec = after->tv_sec - before->tv_sec;
2062 result->tv_usec = after->tv_usec - before->tv_usec;
2063 if (result->tv_usec < 0) {
2064 result->tv_sec--;
2065 result->tv_usec += 1000000;
2066 }
2067}
2068
2069static void time_add(struct timeval *a, struct timeval *b,
2070 struct timeval *result) {
2071 result->tv_sec = a->tv_sec + b->tv_sec;
2072 result->tv_usec = a->tv_usec + b->tv_usec;
2073 if (result->tv_usec >= 1000000) {
2074 result->tv_sec++;
2075 result->tv_usec -= 1000000;
2076 }
2077}
2078
2079static void time_average(struct timeval *in, size_t num,
2080 struct timeval *result) {
2081 time_t remains = in->tv_sec % num;
2082 result->tv_sec = in->tv_sec / num;
2083 result->tv_usec = in->tv_usec / num;
2084 if (remains) {
2085 remains *= 1000000;
2086 result->tv_usec += remains / num;
2087 }
2088}
2089
2090static double time_tps(struct timeval *in, size_t num) {
2091 double time = in->tv_sec + (double) in->tv_usec / 1000000;
2092 return num / time;
2093}
2094
2095static bool time_less(struct timeval *a, struct timeval *b) {
2096 if (a->tv_sec < b->tv_sec) {
2097 return true;
2098 } else if (a->tv_sec == b->tv_sec && a->tv_usec < b->tv_usec) {
2099 return true;
2100 } else {
2101 return false;
2102 }
2103}
2104
2105// NOTE: Run a set of benchmarks
2106// argc = 3
2107// arg 0: e:session
2108// arg 1: d:count
2109// arg 2: w:key_id
2110// arg 3: a:algorithm
2111int yh_com_benchmark(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
2112
2113 UNUSED(ctx);
2114 UNUSED(fmt);
2115
2116 struct {
2117 yh_algorithm algo;
2118 yh_algorithm algo2;
2119 uint16_t bytes;
2120 const char *special;
2121 } benchmarks[] = {
2122 {YH_ALGO_RSA_2048, YH_ALGO_RSA_PKCS1_SHA256, 32, ""},
2123 {YH_ALGO_RSA_3072, YH_ALGO_RSA_PKCS1_SHA384, 48, ""},
2124 {YH_ALGO_RSA_4096, YH_ALGO_RSA_PKCS1_SHA512, 64, ""},
2125 {YH_ALGO_RSA_2048, YH_ALGO_RSA_PSS_SHA256, 32, ""},
2126 {YH_ALGO_RSA_3072, YH_ALGO_RSA_PSS_SHA384, 48, ""},
2127 {YH_ALGO_RSA_4096, YH_ALGO_RSA_PSS_SHA512, 64, ""},
2128 {YH_ALGO_EC_P224, YH_ALGO_EC_ECDSA_SHA1, 20, ""},
2129 {YH_ALGO_EC_P256, YH_ALGO_EC_ECDSA_SHA256, 32, ""},
2130 {YH_ALGO_EC_P384, YH_ALGO_EC_ECDSA_SHA384, 48, ""},
2131 {YH_ALGO_EC_P521, YH_ALGO_EC_ECDSA_SHA512, 66, ""},
2132 {YH_ALGO_EC_K256, YH_ALGO_EC_ECDSA_SHA256, 32, ""},
2133 {YH_ALGO_EC_BP256, YH_ALGO_EC_ECDSA_SHA256, 32, ""},
2134 {YH_ALGO_EC_BP384, YH_ALGO_EC_ECDSA_SHA384, 48, ""},
2135 {YH_ALGO_EC_BP512, YH_ALGO_EC_ECDSA_SHA512, 64, ""},
2136 {YH_ALGO_EC_P224, YH_ALGO_EC_ECDH, 56, ""},
2137 {YH_ALGO_EC_P256, YH_ALGO_EC_ECDH, 64, ""},
2138 {YH_ALGO_EC_P384, YH_ALGO_EC_ECDH, 96, ""},
2139 {YH_ALGO_EC_P521, YH_ALGO_EC_ECDH, 132, ""},
2140 {YH_ALGO_EC_K256, YH_ALGO_EC_ECDH, 64, ""},
2141 {YH_ALGO_EC_BP256, YH_ALGO_EC_ECDH, 64, ""},
2142 {YH_ALGO_EC_BP384, YH_ALGO_EC_ECDH, 96, ""},
2143 {YH_ALGO_EC_BP512, YH_ALGO_EC_ECDH, 128, ""},
2144 {YH_ALGO_EC_ED25519, 0, 32, "32 bytes data"},
2145 {YH_ALGO_EC_ED25519, 0, 64, "64 bytes data"},
2146 {YH_ALGO_EC_ED25519, 0, 128, "128 bytes data"},
2147 {YH_ALGO_EC_ED25519, 0, 256, "256 bytes data"},
2148 {YH_ALGO_EC_ED25519, 0, 512, "512 bytes data"},
2149 {YH_ALGO_EC_ED25519, 0, 1024, "1024 bytes data"},
2150 {YH_ALGO_HMAC_SHA1, 0, 64, ""},
2151 {YH_ALGO_HMAC_SHA256, 0, 64, ""},
2152 {YH_ALGO_HMAC_SHA384, 0, 128, ""},
2153 {YH_ALGO_HMAC_SHA512, 0, 128, ""},
2154 {YH_ALGO_AES128_CCM_WRAP, 0, 0, ""},
2155 {YH_ALGO_AES192_CCM_WRAP, 0, 0, ""},
2156 {YH_ALGO_AES256_CCM_WRAP, 0, 0, ""},
2157 {YH_ALGO_AES128_YUBICO_OTP, 0, 0, ""},
2158 {YH_ALGO_AES192_YUBICO_OTP, 0, 0, ""},
2159 {YH_ALGO_AES256_YUBICO_OTP, 0, 0, ""},
2160 {0, 0, 8, "Random 8 bytes"},
2161 {0, 0, 16, "Random 16 bytes"},
2162 {0, 0, 32, "Random 32 bytes"},
2163 {0, 0, 64, "Random 64 bytes"},
2164 {0, 0, 128, "Random 128 bytes"},
2165 {0, 0, 256, "Random 256 bytes"},
2166 {0, 0, 512, "Random 512 bytes"},
2167 {0, 0, 1024, "Random 1024 bytes"},
2168 {YH_ALGO_AES128_YUBICO_AUTHENTICATION, 0, 0, ""},
2169 };
2170
2171 // this is some data for the OTP benchmark
2172 const uint8_t otp_key[] =
2173 "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f";
2174 const uint8_t otp_id[] = "\x01\x02\x03\x04\x05\x06";
2175 const uint8_t otp[] =
2176 "\x2f\x5d\x71\xa4\x91\x5d\xec\x30\x4a\xa1\x3c\xcf\x97\xbb\x0d\xbb";
2177 const uint8_t password[] = "benchmark";
2178
2179 if (argv[1].d == 0) {
2180 fprintf(stderr, "Benchmark with 0 rounds seems pointless\n");
2181 return -1;
2182 }
2183
2184 for (size_t i = 0; i < sizeof(benchmarks) / sizeof(benchmarks[0]); i++) {
2185 struct timeval total = {0, 0};
2186 struct timeval avg = {0, 0};
2187 struct timeval max = {0, 0};
2188 struct timeval min;
2189 yh_capabilities capabilities = {{0}};
2190 yh_rc yrc = YHR_SUCCESS;
2191 uint8_t algo_data[1024];
2192 size_t algo_len = sizeof(algo_data);
2193 const char *str1 = NULL, *str2 = "", *str3 = "";
2194 uint16_t id = argv[2].w;
2195 char label[YH_OBJ_LABEL_LEN + 1] = {0};
2196 yh_object_type type = 0;
2197#ifndef _WIN32
2198 size_t chars = 0;
2199#endif
2200
2201 if (argv[3].a != 0) {
2202 if (argv[3].a != benchmarks[i].algo && argv[3].a != benchmarks[i].algo2) {
2203 continue;
2204 }
2205 }
2206 if (benchmarks[i].algo) {
2207 yh_algo_to_string(benchmarks[i].algo, &str1);
2208 }
2209 if (benchmarks[i].algo2) {
2210 str2 = " ";
2211 yh_algo_to_string(benchmarks[i].algo2, &str3);
2212 }
2213 if (str1) {
2214 snprintf(label, YH_OBJ_LABEL_LEN, "Benchmark: %s%s%s", str1, str2, str3);
2215 }
2216
2217 if (str1) {
2218#ifndef _WIN32
2219 chars =
2220#endif
2221 fprintf(stderr, "Doing benchmark setup for %s%s%s...", str1, str2,
2222 str3);
2223 }
2224
2225 if (yh_is_rsa(benchmarks[i].algo)) {
2226 if (benchmarks[i].algo2 == YH_ALGO_RSA_PKCS1_SHA256 ||
2227 benchmarks[i].algo2 == YH_ALGO_RSA_PKCS1_SHA384 ||
2228 benchmarks[i].algo2 == YH_ALGO_RSA_PKCS1_SHA512) {
2229 yh_string_to_capabilities("sign-pkcs", &capabilities);
2230 } else if (benchmarks[i].algo2 == YH_ALGO_RSA_PSS_SHA256 ||
2231 benchmarks[i].algo2 == YH_ALGO_RSA_PSS_SHA384 ||
2232 benchmarks[i].algo2 == YH_ALGO_RSA_PSS_SHA512) {
2233 yh_string_to_capabilities("sign-pss", &capabilities);
2234 } else {
2235 fprintf(stderr, "Unknown benchmark algorithms\n");
2236 return -1;
2237 }
2238 type = YH_ASYMMETRIC_KEY;
2239 yrc = yh_util_generate_rsa_key(argv[0].e, &id, label, 0xffff,
2240 &capabilities, benchmarks[i].algo);
2241 } else if (yh_is_ec(benchmarks[i].algo)) {
2242 if (benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA1 ||
2243 benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA256 ||
2244 benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA384 ||
2245 benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA512) {
2246 yh_string_to_capabilities("sign-ecdsa", &capabilities);
2247 } else if (benchmarks[i].algo2 == YH_ALGO_EC_ECDH) {
2248 yh_string_to_capabilities("derive-ecdh", &capabilities);
2249 yrc = yh_util_generate_ec_key(argv[0].e, &id, label, 0xffff,
2250 &capabilities, benchmarks[i].algo);
2251
2252 if (yrc != YHR_SUCCESS) {
2253 fprintf(stderr, "Failed ECDH setup\n");
2254 return -1;
2255 }
2256 algo_len--;
2257 yrc =
2258 yh_util_get_public_key(argv[0].e, id, algo_data + 1, &algo_len, NULL);
2259 if (yrc != YHR_SUCCESS || algo_len != benchmarks[i].bytes) {
2260 fprintf(stderr, "Failed to get ECDH pubkey (%zu)\n", algo_len);
2261 return -1;
2262 }
2263 algo_data[0] = 0x04; // this is a hack to make it look correct..
2264 algo_len++;
2265 yrc = yh_util_delete_object(argv[0].e, id, YH_ASYMMETRIC_KEY);
2266 if (yrc != YHR_SUCCESS) {
2267 fprintf(stderr, "Failed deleting temporary ec key\n");
2268 return -1;
2269 }
2270 } else {
2271 fprintf(stderr, "Unknown benchmark algorithms\n");
2272 return -1;
2273 }
2274 type = YH_ASYMMETRIC_KEY;
2275 yrc = yh_util_generate_ec_key(argv[0].e, &id, label, 0xffff,
2276 &capabilities, benchmarks[i].algo);
2277 } else if (benchmarks[i].algo == YH_ALGO_EC_ED25519) {
2278 yh_string_to_capabilities("sign-eddsa", &capabilities);
2279 type = YH_ASYMMETRIC_KEY;
2280 yrc = yh_util_generate_ed_key(argv[0].e, &id, label, 0xffff,
2281 &capabilities, benchmarks[i].algo);
2282 str2 = " ";
2283 str3 = benchmarks[i].special;
2284 } else if (yh_is_hmac(benchmarks[i].algo)) {
2285 type = YH_HMAC_KEY;
2286 yh_string_to_capabilities("sign-hmac", &capabilities);
2287 yrc = yh_util_generate_hmac_key(argv[0].e, &id, label, 0xffff,
2288 &capabilities, benchmarks[i].algo);
2289 } else if (benchmarks[i].algo == YH_ALGO_AES128_CCM_WRAP ||
2290 benchmarks[i].algo == YH_ALGO_AES192_CCM_WRAP ||
2291 benchmarks[i].algo == YH_ALGO_AES256_CCM_WRAP) {
2292 type = YH_WRAP_KEY;
2293 yh_string_to_capabilities("export-wrapped,exportable-under-wrap",
2294 &capabilities);
2295 yrc =
2296 yh_util_generate_wrap_key(argv[0].e, &id, label, 0xffff, &capabilities,
2297 benchmarks[i].algo, &capabilities);
2298 } else if (benchmarks[i].algo == YH_ALGO_AES128_YUBICO_OTP ||
2299 benchmarks[i].algo == YH_ALGO_AES192_YUBICO_OTP ||
2300 benchmarks[i].algo == YH_ALGO_AES256_YUBICO_OTP) {
2301 type = YH_OTP_AEAD_KEY;
2302 yh_string_to_capabilities("decrypt-otp,create-otp-aead", &capabilities);
2303 yrc = yh_util_generate_otp_aead_key(argv[0].e, &id, label, 0xffff,
2304 &capabilities, benchmarks[i].algo,
2305 0x12345678);
2306 if (yrc == YHR_SUCCESS) {
2307 yrc = yh_util_create_otp_aead(argv[0].e, id, otp_key, otp_id, algo_data,
2308 &algo_len);
2309 }
2310 } else if (strncmp(benchmarks[i].special, "Random ", 7) == 0) {
2311 str1 = benchmarks[i].special;
2312 } else if (benchmarks[i].algo == YH_ALGO_AES128_YUBICO_AUTHENTICATION) {
2313 type = YH_AUTHENTICATION_KEY;
2314 yh_string_to_capabilities("", &capabilities);
2315 yrc =
2316 yh_util_import_authentication_key_derived(argv[0].e, &id, label, 0xffff,
2317 &capabilities, &capabilities,
2318 password, sizeof(password));
2319 } else {
2320 fprintf(stderr, "Unknown benchmark algorithms\n");
2321 return -1;
2322 }
2323
2324 if (yrc != YHR_SUCCESS) {
2325 fprintf(stderr, "Failed benchmark setup for %s%s%s\n", str1, str2, str3);
2326 return -1;
2327 }
2328
2329 memset(&min, 0x7f, sizeof(min));
2330 for (uint32_t j = 0; j < argv[1].d; j++) {
2331 uint8_t data[1024];
2332 uint8_t out[1024];
2333 size_t out_len = sizeof(out);
2334 struct timeval before, after, result;
2335
2336 memset(data, j, sizeof(data));
2337 gettimeofday(&before, NULL);
2338 if (yh_is_rsa(benchmarks[i].algo) &&
2339 (benchmarks[i].algo2 == YH_ALGO_RSA_PKCS1_SHA256 ||
2340 benchmarks[i].algo2 == YH_ALGO_RSA_PKCS1_SHA384 ||
2341 benchmarks[i].algo2 == YH_ALGO_RSA_PKCS1_SHA512)) {
2342 yrc = yh_util_sign_pkcs1v1_5(argv[0].e, id, true, data,
2343 benchmarks[i].bytes, out, &out_len);
2344 } else if (yh_is_rsa(benchmarks[i].algo) &&
2345 (benchmarks[i].algo2 == YH_ALGO_RSA_PSS_SHA256 ||
2346 benchmarks[i].algo2 == YH_ALGO_RSA_PSS_SHA384 ||
2347 benchmarks[i].algo2 == YH_ALGO_RSA_PSS_SHA512)) {
2348 yrc =
2349 yh_util_sign_pss(argv[0].e, id, data, benchmarks[i].bytes, out,
2350 &out_len, benchmarks[i].bytes, YH_ALGO_MGF1_SHA1);
2351 } else if (yh_is_ec(benchmarks[i].algo) &&
2352 (benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA1 ||
2353 benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA256 ||
2354 benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA384 ||
2355 benchmarks[i].algo2 == YH_ALGO_EC_ECDSA_SHA512)) {
2356 yrc = yh_util_sign_ecdsa(argv[0].e, id, data, benchmarks[i].bytes, out,
2357 &out_len);
2358 } else if (yh_is_ec(benchmarks[i].algo) &&
2359 benchmarks[i].algo2 == YH_ALGO_EC_ECDH) {
2360 yrc = yh_util_derive_ecdh(argv[0].e, id, algo_data, algo_len, out,
2361 &out_len);
2362 } else if (benchmarks[i].algo == YH_ALGO_EC_ED25519) {
2363 yrc = yh_util_sign_eddsa(argv[0].e, id, data, benchmarks[i].bytes, out,
2364 &out_len);
2365 } else if (yh_is_hmac(benchmarks[i].algo)) {
2366 yrc = yh_util_sign_hmac(argv[0].e, id, data, benchmarks[i].bytes, out,
2367 &out_len);
2368 } else if (benchmarks[i].algo == YH_ALGO_AES128_CCM_WRAP ||
2369 benchmarks[i].algo == YH_ALGO_AES192_CCM_WRAP ||
2370 benchmarks[i].algo == YH_ALGO_AES256_CCM_WRAP) {
2371 yrc =
2372 yh_util_export_wrapped(argv[0].e, id, YH_WRAP_KEY, id, out, &out_len);
2373 } else if (benchmarks[i].algo == YH_ALGO_AES128_YUBICO_OTP ||
2374 benchmarks[i].algo == YH_ALGO_AES192_YUBICO_OTP ||
2375 benchmarks[i].algo == YH_ALGO_AES256_YUBICO_OTP) {
2376 yrc = yh_util_decrypt_otp(argv[0].e, id, algo_data, algo_len, otp, NULL,
2377 NULL, NULL, NULL);
2378 } else if (strncmp(benchmarks[i].special, "Random ", 7) == 0) {
2379 yrc = yh_util_get_pseudo_random(argv[0].e, benchmarks[i].bytes, out,
2380 &out_len);
2381 } else if (benchmarks[i].algo == YH_ALGO_AES128_YUBICO_AUTHENTICATION) {
2382 yh_session *ses = NULL;
2383 yrc = yh_create_session_derived(ctx->connector, id, password,
2384 sizeof(password), false, &ses);
2385 if (yrc == YHR_SUCCESS) {
2386 yrc = yh_authenticate_session(ses);
2387 }
2388 if (yrc == YHR_SUCCESS) {
2389 yrc = yh_util_close_session(ses);
2390 }
2391 } else {
2392 fprintf(stderr, "Unknown benchmark algorithm\n");
2393 return -1;
2394 }
2395
2396 gettimeofday(&after, NULL);
2397
2398 if (yrc != YHR_SUCCESS) {
2399 fprintf(stderr, "Failed running benchmark %u for %s%s%s\n", j, str1,
2400 str2, str3);
2401 return -1;
2402 }
2403
2404 time_elapsed(&after, &before, &result);
2405 if (time_less(&result, &min)) {
2406 min = result;
2407 }
2408 if (time_less(&max, &result)) {
2409 max = result;
2410 }
2411 time_add(&result, &total, &total);
2412 time_average(&total, j + 1, &avg);
2413#ifndef _WIN32
2414 struct winsize w;
2415 ioctl(fileno(stderr), TIOCGWINSZ, &w);
2416
2417 if (chars > w.ws_col) {
2418 // move the cursor up and to column 1
2419 fprintf(stderr, "\33[%zuF", chars / w.ws_col);
2420 } else {
2421 // if we're still on same line, just move to column 1
2422 fprintf(stderr, "\33[1G");
2423 }
2424 // clear display from cursor
2425 fprintf(stderr, "\33[J");
2426 chars = fprintf(stderr,
2427 "%s%s%s (%u/%d times) total: %ld.%06ld avg: %ld.%06ld "
2428 "min: %ld.%06ld max: %ld.%06ld tps: %.06f",
2429 str1, str2, str3, j + 1, argv[1].w, total.tv_sec,
2430 (long) total.tv_usec, avg.tv_sec, (long) avg.tv_usec,
2431 min.tv_sec, (long) min.tv_usec, max.tv_sec,
2432 (long) max.tv_usec, time_tps(&total, j + 1));
2433 fflush(stderr);
2434#endif
2435 }
2436#ifdef _WIN32
2437 fprintf(stderr,
2438 "%s%s%s (%d times) total: %ld.%06ld avg: %ld.%06ld "
2439 "min: %ld.%06ld max: %ld.%06ld tps: %.06f",
2440 str1, str2, str3, argv[1].w, total.tv_sec, (long) total.tv_usec,
2441 avg.tv_sec, (long) avg.tv_usec, min.tv_sec, (long) min.tv_usec,
2442 max.tv_sec, (long) max.tv_usec, time_tps(&total, argv[1].w));
2443
2444#endif
2445 fprintf(stderr, "\n");
2446 if (type != 0) {
2447 yh_util_delete_object(argv[0].e, id, type);
2448 }
2449 }
2450
2451 return 0;
2452}
2453
2454// NOTE: create aead from OTP parameters
2455// argc = 5
2456// arg 0: e:session
2457// arg 1: w:key_id
2458// arg 2: x:key
2459// arg 3: x:private_id
2460// arg 4: f:aead
2461int yh_com_otp_aead_create(yubihsm_context *ctx, Argument *argv,
2462 cmd_format fmt) {
2463
2464 uint8_t response[YH_MSG_BUF_SIZE];
2465 size_t response_len = sizeof(response);
2466 yh_rc yrc;
2467
2468 if (argv[2].len != 16) {
2469 fprintf(stderr, "Wrong length key supplied, has to be 16 bytes\n");
2470 return -1;
2471 }
2472
2473 if (argv[3].len != 6) {
2474 fprintf(stderr, "Wrong length id supplied, has to be 6 bytes\n");
2475 return -1;
2476 }
2477
2478 yrc = yh_util_create_otp_aead(argv[0].e, argv[1].w, argv[2].x, argv[3].x,
2479 response, &response_len);
2480
2481 if (yrc != YHR_SUCCESS) {
2482 fprintf(stderr, "Failed to create OTP AEAD: %s\n", yh_strerror(yrc));
2483 return -1;
2484 }
2485
2486 if (write_file(response, response_len, ctx->out, fmt_to_fmt(fmt))) {
2487 return 0;
2488 }
2489
2490 return -1;
2491}
2492
2493// NOTE: create aead from OTP parameters
2494// argc = 3
2495// arg 0: e:session
2496// arg 1: w:key_id
2497// arg 2: f:aead
2498int yh_com_otp_aead_random(yubihsm_context *ctx, Argument *argv,
2499 cmd_format fmt) {
2500
2501 uint8_t response[YH_MSG_BUF_SIZE];
2502 size_t response_len = sizeof(response);
2503 yh_rc yrc;
2504
2505 yrc =
2506 yh_util_randomize_otp_aead(argv[0].e, argv[1].w, response, &response_len);
2507
2508 if (yrc != YHR_SUCCESS) {
2509 fprintf(stderr, "Failed to create OTP AEAD: %s\n", yh_strerror(yrc));
2510 return -1;
2511 }
2512
2513 if (write_file(response, response_len, ctx->out, fmt_to_fmt(fmt))) {
2514 return 0;
2515 }
2516
2517 return -1;
2518}
2519
2520// NOTE: decrypt OTP with AEAD
2521// argc = 4
2522// arg 0: e:session
2523// arg 1: w:key_id
2524// arg 2: s:otp
2525// arg 3: i:aead
2526int yh_com_otp_decrypt(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
2527 uint16_t useCtr;
2528 uint8_t sessionCtr;
2529 uint8_t tstph;
2530 uint16_t tstpl;
2531 yh_rc yrc;
2532 uint8_t otp[16];
2533 size_t otp_len = sizeof(otp);
2534
2535 UNUSED(ctx);
2536 UNUSED(fmt);
2537
2538 if (argv[2].len != 32) {
2539 fprintf(stderr, "Wrong length OTP supplied, has to be 16 bytes in hex\n");
2540 return -1;
2541 }
2542
2543 if (hex_decode(argv[2].s, otp, &otp_len) == false) {
2544 fprintf(stderr, "Failed to decode OTP\n");
2545 return -1;
2546 }
2547
2548 yrc = yh_util_decrypt_otp(argv[0].e, argv[1].w, argv[3].x, argv[3].len, otp,
2549 &useCtr, &sessionCtr, &tstph, &tstpl);
2550
2551 if (yrc != YHR_SUCCESS) {
2552 fprintf(stderr, "Failed to decrypt OTP: %s\n", yh_strerror(yrc));
2553 return -1;
2554 }
2555
2556 fprintf(stderr, "OTP decoded, useCtr:%d, sessionCtr:%d, tstph:%d, tstpl:%d\n",
2557 useCtr, sessionCtr, tstph, tstpl);
2558
2559 return 0;
2560}
2561
2562// NOTE: decrypt OTP with AEAD
2563// argc = 3
2564// arg 0: e:session
2565// arg 1: w:key_id
2566// arg 2: 2:attest_id
2567int yh_com_sign_attestation_certificate(yubihsm_context *ctx, Argument *argv,
2568 cmd_format fmt) {
2569 uint8_t data[2048];
2570 size_t data_len = sizeof(data);
2571 yh_rc yrc;
2572 int ret = -1;
2573
2574 yrc = yh_util_sign_attestation_certificate(argv[0].e, argv[1].w, argv[2].w,
2575 data, &data_len);
2576 if (yrc != YHR_SUCCESS) {
2577 fprintf(stderr, "Failed to attest asymmetric key: %s\n", yh_strerror(yrc));
2578 return -1;
2579 }
2580
2581 X509 *x509 = X509_new();
2582 const unsigned char *ptr = data;
2583 if (!x509) {
2584 fprintf(stderr, "Failed allocating x509 structure\n");
2585 return -1;
2586 }
2587 x509 = d2i_X509(NULL, &ptr, data_len);
2588 if (!x509) {
2589 fprintf(stderr, "Failed parsing x509 information\n");
2590 } else {
2591 if (fmt == fmt_base64 || fmt == fmt_PEM) {
2592 PEM_write_X509(ctx->out, x509);
2593 } else if (fmt == fmt_binary) {
2594 i2d_X509_fp(ctx->out, x509);
2595 }
2596 ret = 0;
2597 }
2598
2599 X509_free(x509);
2600 return ret;
2601}
2602
2603// NOTE: put OTP AEAD key
2604// argc = 7
2605// arg 0: e:session
2606// arg 1: w:key_id
2607// arg 2: s:label
2608// arg 3: w:domains
2609// arg 4: c:capabilities
2610// arg 5: d:nonce_id
2611// arg 6: x:key
2612int yh_com_put_otp_aead_key(yubihsm_context *ctx, Argument *argv,
2613 cmd_format fmt) {
2614
2615 UNUSED(ctx);
2616 UNUSED(fmt);
2617
2618 yh_rc yrc;
2619
2620 if (argv[6].len != 16 && argv[6].len != 24 && argv[6].len != 32) {
2621 fprintf(stderr, "Key length (%zu) not matching, should be 16, 24 or 32\n",
2622 argv[6].len);
2623 return -1;
2624 }
2625
2626 yrc =
2627 yh_util_import_otp_aead_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
2628 &argv[4].c, argv[5].d, argv[6].x, argv[6].len);
2629 if (yrc != YHR_SUCCESS) {
2630 fprintf(stderr, "Failed to store OTP AEAD key: %s\n", yh_strerror(yrc));
2631 return -1;
2632 }
2633
2634 fprintf(stderr, "Stored OTP AEAD key 0x%04x\n", argv[1].w);
2635
2636 return 0;
2637}
2638
2639// NOTE: generate OTP AEAD key
2640// argc = 7
2641// arg 0: e:session
2642// arg 1: w:key_id
2643// arg 2: s:label
2644// arg 3: w:domains
2645// arg 4: c:capabilities
2646// arg 5: a:algorithm
2647// arg 6: d:nonce_id
2648int yh_com_generate_otp_aead_key(yubihsm_context *ctx, Argument *argv,
2649 cmd_format fmt) {
2650
2651 UNUSED(ctx);
2652 UNUSED(fmt);
2653
2654 yh_rc yrc;
2655
2656 yrc =
2657 yh_util_generate_otp_aead_key(argv[0].e, &argv[1].w, argv[2].s, argv[3].w,
2658 &argv[4].c, argv[5].a, argv[6].d);
2659 if (yrc != YHR_SUCCESS) {
2660 fprintf(stderr, "Failed to generate OTP AEAD key: %s\n", yh_strerror(yrc));
2661 return -1;
2662 }
2663
2664 fprintf(stderr, "Generated OTP AEAD key 0x%04x\n", argv[1].w);
2665
2666 return 0;
2667}
2668
2669// NOTE(adma): Decrypt data using RSAES-OAEP
2670// argc = 5
2671// arg 0: e:session
2672// arg 1: w:key_id
2673// arg 2: a:algorithm
2674// arg 3: s:label
2675// arg 4: f:datafile
2676int yh_com_decrypt_oaep(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
2677
2678 yh_rc yrc;
2679
2680 uint8_t response[YH_MSG_BUF_SIZE];
2681 size_t response_len = sizeof(response);
2682
2683 uint8_t label[64];
2684 size_t label_len = sizeof(label);
2685
2686 int hash;
2687 yh_algorithm mgf;
2688
2689 switch (argv[2].a) {
2690 case YH_ALGO_RSA_OAEP_SHA1:
2691 hash = _SHA1;
2692 mgf = YH_ALGO_MGF1_SHA1;
2693 break;
2694
2695 case YH_ALGO_RSA_OAEP_SHA256:
2696 hash = _SHA256;
2697 mgf = YH_ALGO_MGF1_SHA256;
2698 break;
2699
2700 case YH_ALGO_RSA_OAEP_SHA384:
2701 hash = _SHA384;
2702 mgf = YH_ALGO_MGF1_SHA384;
2703 break;
2704
2705 case YH_ALGO_RSA_OAEP_SHA512:
2706 hash = _SHA512;
2707 mgf = YH_ALGO_MGF1_SHA512;
2708 break;
2709
2710 default:
2711 fprintf(stderr, "Invalid hash algorithm\n");
2712 return -1;
2713 }
2714
2715 if (hash_bytes(argv[4].x, argv[4].len, hash, label, &label_len) == false) {
2716 fprintf(stderr, "Unable to hash data\n");
2717 return -1;
2718 }
2719
2720 yrc = yh_util_decrypt_oaep(argv[0].e, argv[1].w, argv[3].x, argv[3].len,
2721 response, &response_len, label, label_len, mgf);
2722 if (yrc != YHR_SUCCESS) {
2723 fprintf(stderr, "Failed to decrypt data with OAEP: %s\n", yh_strerror(yrc));
2724 return -1;
2725 }
2726
2727 write_file(response, response_len, ctx->out, fmt_to_fmt(fmt));
2728
2729 return 0;
2730}
2731
2732// NOTE: Set ca cert for https validation
2733// argc = 1
2734// arg 0: s:filename
2735int yh_com_set_cacert(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
2736
2737 UNUSED(fmt);
2738
2739 if (ctx->cacert) {
2740 free(ctx->cacert);
2741 }
2742 ctx->cacert = strdup(argv[0].s);
2743
2744 return 0;
2745}
2746
2747// NOTE: Set proxy server to use for connector
2748// argc = 1
2749// arg 0: s:proxy
2750int yh_com_set_proxy(yubihsm_context *ctx, Argument *argv, cmd_format fmt) {
2751
2752 UNUSED(fmt);
2753
2754 ctx->proxy = strdup(argv[0].s);
2755 if (ctx->proxy) {
2756 free(ctx->proxy);
2757 }
2758
2759 return 0;
2760}
2761
2762// NOTE: Change authentication key
2763// argc = 3
2764// arg 0: e:session
2765// arg 1: w:key_id
2766// arg 2: i:password
2767int yh_com_change_authentication_key(yubihsm_context *ctx, Argument *argv,
2768 cmd_format fmt) {
2769
2770 UNUSED(fmt);
2771 UNUSED(ctx);
2772
2773 yh_rc yrc = yh_util_change_authentication_key_derived(argv[0].e, &argv[1].w,
2774 argv[2].x, argv[2].len);
2775 insecure_memzero(argv[2].x, argv[2].len);
2776
2777 if (yrc != YHR_SUCCESS) {
2778 fprintf(stderr, "Failed to change authentication key: %s\n",
2779 yh_strerror(yrc));
2780 return -1;
2781 }
2782
2783 fprintf(stderr, "Changed Authentication key 0x%04x\n", argv[1].w);
2784
2785 return 0;
2786}
name
std::string name
Definition catch_reporter_console.cpp:186
yh_com_sign_ssh_certificate
int yh_com_sign_ssh_certificate(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1995
yh_com_change_authentication_key
int yh_com_change_authentication_key(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2767
yh_com_put_asymmetric
int yh_com_put_asymmetric(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1396
yh_com_derive_ecdh
int yh_com_derive_ecdh(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:444
yh_com_encrypt_aesccm
int yh_com_encrypt_aesccm(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:527
yh_com_generate_otp_aead_key
int yh_com_generate_otp_aead_key(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2648
yh_com_blink
int yh_com_blink(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:159
yh_com_sign_pss
int yh_com_sign_pss(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1816
yh_com_open_session
int yh_com_open_session(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1208
yh_com_set_proxy
int yh_com_set_proxy(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2750
yh_com_list_objects
int yh_com_list_objects(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1146
yh_com_generate_hmac
int yh_com_generate_hmac(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:685
yh_com_put_opaque
int yh_com_put_opaque(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1495
yh_com_decrypt_oaep
int yh_com_decrypt_oaep(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2676
yh_com_noop
int yh_com_noop(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1050
yh_com_put_authentication
int yh_com_put_authentication(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1463
yh_com_audit
int yh_com_audit(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:59
yh_com_get_storage
int yh_com_get_storage(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:823
yh_com_generate_wrap
int yh_com_generate_wrap(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:719
yh_com_decrypt_aesccm
int yh_com_decrypt_aesccm(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:501
yh_com_otp_aead_random
int yh_com_otp_aead_random(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2498
yh_com_reset
int yh_com_reset(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1953
yh_com_list_types
int yh_com_list_types(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1096
yh_com_put_wrapped
int yh_com_put_wrapped(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1613
yh_com_debug_info
int yh_com_debug_info(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:307
yh_com_put_otp_aead_key
int yh_com_put_otp_aead_key(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2612
yh_com_hmac
int yh_com_hmac(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1929
yh_com_connect
int yh_com_connect(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:206
yh_com_pecho
int yh_com_pecho(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1330
yh_com_sign_ecdsa
int yh_com_sign_ecdsa(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1670
yh_com_sign_pkcs1v1_5
int yh_com_sign_pkcs1v1_5(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1757
yh_com_generate_asymmetric
int yh_com_generate_asymmetric(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:644
yh_com_get_pubkey
int yh_com_get_pubkey(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:850
yh_com_get_option
int yh_com_get_option(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:767
yh_com_close_session
int yh_com_close_session(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:176
yh_com_put_wrapkey
int yh_com_put_wrapkey(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1577
yh_com_list_capabilities
int yh_com_list_capabilities(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1061
yh_com_list_sessions
int yh_com_list_sessions(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1111
yh_com_get_wrapped
int yh_com_get_wrapped(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1007
yh_com_disconnect
int yh_com_disconnect(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:550
yh_com_debug_raw
int yh_com_debug_raw(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:368
yh_com_debug_none
int yh_com_debug_none(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:354
yh_com_sign_eddsa
int yh_com_sign_eddsa(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1727
yh_com_get_template
int yh_com_get_template(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1031
yh_com_list_algorithms
int yh_com_list_algorithms(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1079
yh_com_get_device_info
int yh_com_get_device_info(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1876
yh_com_put_template
int yh_com_put_template(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1645
yh_com_delete
int yh_com_delete(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1975
yh_com_debug_intermediate
int yh_com_debug_intermediate(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:330
yh_com_otp_decrypt
int yh_com_otp_decrypt(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2526
yh_com_get_opaque
int yh_com_get_opaque(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:743
yh_com_debug_all
int yh_com_debug_all(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:270
yh_com_set_cacert
int yh_com_set_cacert(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2735
yh_com_benchmark
int yh_com_benchmark(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2111
yh_com_put_option
int yh_com_put_option(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1519
yh_com_otp_aead_create
int yh_com_otp_aead_create(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2461
yh_com_decrypt_pkcs1v1_5
int yh_com_decrypt_pkcs1v1_5(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:417
yh_com_set_log_index
int yh_com_set_log_index(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:141
yh_com_put_hmac
int yh_com_put_hmac(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:1544
yh_com_debug_error
int yh_com_debug_error(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:284
yh_com_sign_attestation_certificate
int yh_com_sign_attestation_certificate(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:2567
yh_com_get_random
int yh_com_get_random(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:797
yh_com_debug_crypto
int yh_com_debug_crypto(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:391
yh_com_echo
int yh_com_echo(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:582
yh_com_get_object_info
int yh_com_get_object_info(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition commands.c:924
yh_com_keepalive_on
int yh_com_keepalive_on(yubihsm_context *ctx, Argument *argv, cmd_format fmt)
Definition main.c:763
count
int * count
Definition gmock_stress_test.cc:177
hash_bytes
bool hash_bytes(const uint8_t *in, size_t len, hash_t hash, uint8_t *out, size_t *out_len)
Definition hash.c:90
argv
char ** argv
Definition hello_driver.cpp:52
BIGNUM
bignum_st BIGNUM
Definition bigint.hpp:7
insecure_memzero.h
insecure_memzero
#define insecure_memzero(buf, len)
Definition insecure_memzero.h:31
yh_strerror
const char * yh_strerror(yh_rc err)
Definition error.c:65
RSA_set0_key
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
Definition openssl-compat.c:13
a
const GenericPointer< typename T::ValueType > T2 T::AllocatorType & a
Definition pointer.h:1181
uint16_t
unsigned short uint16_t
Definition stdint.h:125
uint32_t
unsigned int uint32_t
Definition stdint.h:126
uint8_t
unsigned char uint8_t
Definition stdint.h:124
yh_capabilities
Capabilities representation.
Definition yubihsm.h:162
yh_connector
Definition internal.h:37
yh_log_entry
Definition yubihsm.h:516
yh_log_entry::second_key
uint16_t second_key
ID of second Object used.
Definition yubihsm.h:528
yh_log_entry::result
uint8_t result
Command result.
Definition yubihsm.h:530
yh_log_entry::systick
uint32_t systick
Systick at time of execution.
Definition yubihsm.h:532
yh_log_entry::session_key
uint16_t session_key
ID of Authentication Key used.
Definition yubihsm.h:524
yh_log_entry::target_key
uint16_t target_key
ID of first Object used.
Definition yubihsm.h:526
yh_log_entry::length
uint16_t length
Length of in-data.
Definition yubihsm.h:522
yh_log_entry::command
uint8_t command
What command was executed.
Definition yubihsm.h:520
yh_log_entry::number
uint16_t number
Monotonically increasing index.
Definition yubihsm.h:518
yh_object_descriptor
Definition yubihsm.h:540
yh_object_descriptor::sequence
uint8_t sequence
Object sequence.
Definition yubihsm.h:554
yh_object_descriptor::id
uint16_t id
Object ID.
Definition yubihsm.h:544
yh_session
Definition internal.h:25
yubihsm_context
Definition yubihsm-shell.h:46
yubihsm_context::state
ykyh_state * state
Definition yubihsm-shell.h:51
yubihsm_context::n_connectors
int n_connectors
Definition yubihsm-shell.h:49
yubihsm_context::out
FILE * out
Definition yubihsm-shell.h:52
yubihsm_context::sessions
yh_session * sessions[YH_MAX_SESSIONS]
Definition yubihsm-shell.h:50
yubihsm_context::connector
yh_connector * connector
Definition yubihsm-shell.h:48
yubihsm_context::cacert
char * cacert
Definition yubihsm-shell.h:55
yubihsm_context::proxy
char * proxy
Definition yubihsm-shell.h:56
yubihsm_context::out_fmt
cmd_format out_fmt
Definition yubihsm-shell.h:54
yubihsm_context::connector_list
char ** connector_list
Definition yubihsm-shell.h:47
algo2nid
int algo2nid(yh_algorithm algo)
Definition util.c:335
write_ed25519_key
bool write_ed25519_key(uint8_t *buf, size_t buf_len, FILE *fp, bool b64_encode)
Definition util.c:622
format_digest
void format_digest(uint8_t *digest, char *str, uint16_t len)
Definition util.c:326
write_file
bool write_file(const uint8_t *buf, size_t buf_len, FILE *fp, format_t format)
Definition util.c:559
read_private_key
bool read_private_key(uint8_t *buf, size_t len, yh_algorithm *algo, uint8_t *bytes, size_t *bytes_len, bool internal_repr)
Definition util.c:116
hex_decode
bool hex_decode(const char *in, uint8_t *out, size_t *len)
Definition util.c:524
ykyh_strerror
const char * ykyh_strerror(ykyh_rc err)
Definition error.c:40
ykyh_connect
ykyh_rc ykyh_connect(ykyh_state *state, const char *wanted)
Definition ykyh.c:92
ykyh_calculate
ykyh_rc ykyh_calculate(ykyh_state *state, const char *name, uint8_t *context, size_t context_len, const char *pw, uint8_t *key_s_enc, size_t key_s_enc_len, uint8_t *key_s_mac, size_t key_s_mac_len, uint8_t *key_s_rmac, size_t key_s_rmac_len, uint8_t *retries)
Definition ykyh.c:403
YKYH_PW_LEN
#define YKYH_PW_LEN
Definition ykyh.h:67
ykyh_rc
ykyh_rc
Definition ykyh.h:76
YKYHR_SUCCESS
@ YKYHR_SUCCESS
Definition ykyh.h:77
YKYHR_WRONG_PW
@ YKYHR_WRONG_PW
Definition ykyh.h:81
YKYH_MAX_NAME_LEN
#define YKYH_MAX_NAME_LEN
Definition ykyh.h:65
YKYH_MIN_NAME_LEN
#define YKYH_MIN_NAME_LEN
Definition ykyh.h:64
otp_key
const uint8_t otp_key[]
Definition yubico_otp.c:37
key
uint8_t key[16]
Definition yubico_otp.c:41
otp
uint8_t otp[32]
Definition yubico_otp.c:49
cmd_format
cmd_format
Definition yubihsm-shell.h:28
fmt_nofmt
@ fmt_nofmt
Definition yubihsm-shell.h:29
fmt_ASCII
@ fmt_ASCII
Definition yubihsm-shell.h:35
fmt_binary
@ fmt_binary
Definition yubihsm-shell.h:31
fmt_PEM
@ fmt_PEM
Definition yubihsm-shell.h:33
fmt_hex
@ fmt_hex
Definition yubihsm-shell.h:32
fmt_password
@ fmt_password
Definition yubihsm-shell.h:34
fmt_base64
@ fmt_base64
Definition yubihsm-shell.h:30
_SHA512
@ _SHA512
Definition hash.h:38
_SHA384
@ _SHA384
Definition hash.h:37
_SHA1
@ _SHA1
Definition hash.h:35
_SHA256
@ _SHA256
Definition hash.h:36
format_t
format_t
Definition util.h:27
_base64
@ _base64
Definition util.h:28
_binary
@ _binary
Definition util.h:29
_hex
@ _hex
Definition util.h:30
yh_domains_to_string
yh_rc yh_domains_to_string(uint16_t domains, char *string, size_t max_len)
Definition yubihsm.c:4587
yh_is_rsa
bool yh_is_rsa(yh_algorithm algorithm)
Definition yubihsm.c:4245
yh_util_get_option
yh_rc yh_util_get_option(yh_session *session, yh_option option, uint8_t *out, size_t *out_len)
Definition yubihsm.c:3584
yh_util_import_opaque
yh_rc yh_util_import_opaque(yh_session *session, uint16_t *object_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *in, size_t in_len)
Definition yubihsm.c:2666
yh_is_ed
bool yh_is_ed(yh_algorithm algorithm)
Definition yubihsm.c:4280
yh_get_verbosity
yh_rc yh_get_verbosity(uint8_t *verbosity)
Definition yubihsm.c:3837
yh_util_import_hmac_key
yh_rc yh_util_import_hmac_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *key, size_t key_len)
Definition yubihsm.c:1750
yh_destroy_session
yh_rc yh_destroy_session(yh_session **session)
Definition yubihsm.c:890
yh_util_generate_hmac_key
yh_rc yh_util_generate_hmac_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1992
yh_util_generate_wrap_key
yh_rc yh_util_generate_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities)
Definition yubihsm.c:2458
yh_set_verbosity
yh_rc yh_set_verbosity(yh_connector *connector, uint8_t verbosity)
Definition yubihsm.c:3825
yh_util_derive_ecdh
yh_rc yh_util_derive_ecdh(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2174
yh_begin_create_session_ext
yh_rc yh_begin_create_session_ext(yh_connector *connector, uint16_t authkey_id, uint8_t **context, uint8_t *card_cryptogram, size_t card_cryptogram_len, yh_session **session)
Definition yubihsm.c:751
yh_algo_to_string
yh_rc yh_algo_to_string(yh_algorithm algo, char const **result)
Definition yubihsm.c:4384
yh_util_generate_ec_key
yh_rc yh_util_generate_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1913
yh_is_ec
bool yh_is_ec(yh_algorithm algorithm)
Definition yubihsm.c:4260
yh_util_decrypt_otp
yh_rc yh_util_decrypt_otp(yh_session *session, uint16_t key_id, const uint8_t *aead, size_t aead_len, const uint8_t *otp, uint16_t *useCtr, uint8_t *sessionCtr, uint8_t *tstph, uint16_t *tstpl)
Definition yubihsm.c:3261
yh_util_import_wrap_key
yh_rc yh_util_import_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities, const uint8_t *in, size_t in_len)
Definition yubihsm.c:2363
yh_create_session_derived
yh_rc yh_create_session_derived(yh_connector *connector, uint16_t authkey_id, const uint8_t *password, size_t password_len, bool recreate, yh_session **session)
Definition yubihsm.c:593
yh_util_generate_ed_key
yh_rc yh_util_generate_ed_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1926
yh_util_sign_ssh_certificate
yh_rc yh_util_sign_ssh_certificate(yh_session *session, uint16_t key_id, uint16_t template_id, yh_algorithm sig_algo, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2745
yh_util_get_template
yh_rc yh_util_get_template(yh_session *session, uint16_t object_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2805
yh_util_randomize_otp_aead
yh_rc yh_util_randomize_otp_aead(yh_session *session, uint16_t key_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:3223
yh_send_secure_msg
yh_rc yh_send_secure_msg(yh_session *session, yh_cmd cmd, const uint8_t *data, size_t data_len, yh_cmd *response_cmd, uint8_t *response, size_t *response_len)
Definition yubihsm.c:416
yh_util_sign_ecdsa
yh_rc yh_util_sign_ecdsa(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:1411
yh_util_unwrap_data
yh_rc yh_util_unwrap_data(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:3716
yh_util_get_opaque
yh_rc yh_util_get_opaque(yh_session *session, uint16_t object_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2636
yh_util_sign_attestation_certificate
yh_rc yh_util_sign_attestation_certificate(yh_session *session, uint16_t key_id, uint16_t attest_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:3495
yh_util_get_log_entries
yh_rc yh_util_get_log_entries(yh_session *session, uint16_t *unlogged_boot, uint16_t *unlogged_auth, yh_log_entry *out, size_t *n_items)
Definition yubihsm.c:2531
yh_util_reset_device
yh_rc yh_util_reset_device(yh_session *session)
Definition yubihsm.c:3796
yh_util_decrypt_pkcs1v1_5
yh_rc yh_util_decrypt_pkcs1v1_5(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2059
yh_util_close_session
yh_rc yh_util_close_session(yh_session *session)
Definition yubihsm.c:1257
yh_util_sign_eddsa
yh_rc yh_util_sign_eddsa(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:1470
yh_util_get_device_info
yh_rc yh_util_get_device_info(yh_connector *connector, uint8_t *major, uint8_t *minor, uint8_t *patch, uint32_t *serial, uint8_t *log_total, uint8_t *log_used, yh_algorithm *algorithms, size_t *n_algorithms)
Definition yubihsm.c:938
yh_authenticate_session
yh_rc yh_authenticate_session(yh_session *session)
Definition yubihsm.c:2927
yh_send_plain_msg
yh_rc yh_send_plain_msg(yh_connector *connector, yh_cmd cmd, const uint8_t *data, size_t data_len, yh_cmd *response_cmd, uint8_t *response, size_t *response_len)
Definition yubihsm.c:126
yh_util_import_ed_key
yh_rc yh_util_import_ed_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *k)
Definition yubihsm.c:1727
yh_util_get_object_info
yh_rc yh_util_get_object_info(yh_session *session, uint16_t id, yh_object_type type, yh_object_descriptor *object)
Definition yubihsm.c:1128
yh_util_wrap_data
yh_rc yh_util_wrap_data(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:3667
yh_util_list_objects
yh_rc yh_util_list_objects(yh_session *session, uint16_t id, yh_object_type type, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const char *label, yh_object_descriptor *objects, size_t *n_objects)
Definition yubihsm.c:1030
yh_util_import_authentication_key_derived
yh_rc yh_util_import_authentication_key_derived(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, const yh_capabilities *delegated_capabilities, const uint8_t *password, size_t password_len)
Definition yubihsm.c:3064
yh_util_create_otp_aead
yh_rc yh_util_create_otp_aead(yh_session *session, uint16_t key_id, const uint8_t *key, const uint8_t *private_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:3179
yh_util_set_option
yh_rc yh_util_set_option(yh_session *session, yh_option option, size_t len, uint8_t *val)
Definition yubihsm.c:3537
yh_util_change_authentication_key_derived
yh_rc yh_util_change_authentication_key_derived(yh_session *session, uint16_t *key_id, const uint8_t *password, size_t password_len)
Definition yubihsm.c:3155
yh_util_sign_hmac
yh_rc yh_util_sign_hmac(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:1520
yh_util_sign_pss
yh_rc yh_util_sign_pss(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len, size_t salt_len, yh_algorithm mgf1Algo)
Definition yubihsm.c:1346
yh_set_connector_option
yh_rc yh_set_connector_option(yh_connector *connector, yh_connector_option opt, const void *val)
Definition yubihsm.c:4063
yh_init_connector
yh_rc yh_init_connector(const char *url, yh_connector **connector)
Definition yubihsm.c:4024
yh_util_set_log_index
yh_rc yh_util_set_log_index(yh_session *session, uint16_t index)
Definition yubihsm.c:2606
yh_util_generate_otp_aead_key
yh_rc yh_util_generate_otp_aead_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, uint32_t nonce_id)
Definition yubihsm.c:3422
yh_util_sign_pkcs1v1_5
yh_rc yh_util_sign_pkcs1v1_5(yh_session *session, uint16_t key_id, bool hashed, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:1287
yh_connect
yh_rc yh_connect(yh_connector *connector, int timeout)
Definition yubihsm.c:4079
yh_util_export_wrapped
yh_rc yh_util_export_wrapped(yh_session *session, uint16_t wrapping_key_id, yh_object_type target_type, uint16_t target_id, uint8_t *out, size_t *out_len)
Definition yubihsm.c:2265
yh_util_get_public_key
yh_rc yh_util_get_public_key(yh_session *session, uint16_t id, uint8_t *data, size_t *data_len, yh_algorithm *algorithm)
Definition yubihsm.c:1216
yh_util_decrypt_oaep
yh_rc yh_util_decrypt_oaep(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len, const uint8_t *label, size_t label_len, yh_algorithm mgf1Algo)
Definition yubihsm.c:2107
yh_string_to_capabilities
yh_rc yh_string_to_capabilities(const char *capability, yh_capabilities *result)
Definition yubihsm.c:4115
yh_util_import_rsa_key
yh_rc yh_util_import_rsa_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *p, const uint8_t *q)
Definition yubihsm.c:1655
yh_disconnect
yh_rc yh_disconnect(yh_connector *connector)
Definition yubihsm.c:4097
yh_util_generate_rsa_key
yh_rc yh_util_generate_rsa_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Definition yubihsm.c:1900
yh_capabilities_to_strings
yh_rc yh_capabilities_to_strings(const yh_capabilities *num, const char *result[], size_t *n_result)
Definition yubihsm.c:4168
yh_is_hmac
bool yh_is_hmac(yh_algorithm algorithm)
Definition yubihsm.c:4293
yh_util_blink_device
yh_rc yh_util_blink_device(yh_session *session, uint8_t seconds)
Definition yubihsm.c:3766
yh_util_import_ec_key
yh_rc yh_util_import_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *s)
Definition yubihsm.c:1689
yh_util_import_otp_aead_key
yh_rc yh_util_import_otp_aead_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, uint32_t nonce_id, const uint8_t *in, size_t in_len)
Definition yubihsm.c:3337
yh_util_import_template
yh_rc yh_util_import_template(yh_session *session, uint16_t *object_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *in, size_t in_len)
Definition yubihsm.c:2835
yh_util_import_wrapped
yh_rc yh_util_import_wrapped(yh_session *session, uint16_t wrapping_key_id, const uint8_t *in, size_t in_len, yh_object_type *target_type, uint16_t *target_id)
Definition yubihsm.c:2309
yh_util_delete_object
yh_rc yh_util_delete_object(yh_session *session, uint16_t id, yh_object_type type)
Definition yubihsm.c:2222
yh_util_get_storage_info
yh_rc yh_util_get_storage_info(yh_session *session, uint16_t *total_records, uint16_t *free_records, uint16_t *total_pages, uint16_t *free_pages, uint16_t *page_size)
Definition yubihsm.c:3610
yh_get_session_id
yh_rc yh_get_session_id(yh_session *session, uint8_t *sid)
Definition yubihsm.c:2915
yh_util_get_pseudo_random
yh_rc yh_util_get_pseudo_random(yh_session *session, size_t len, uint8_t *out, size_t *out_len)
Definition yubihsm.c:1560
yh_finish_create_session_ext
yh_rc yh_finish_create_session_ext(yh_connector *connector, yh_session *session, const uint8_t *key_senc, size_t key_senc_len, const uint8_t *key_smac, size_t key_smac_len, const uint8_t *key_srmac, size_t key_srmac_len, uint8_t *card_cryptogram, size_t card_cryptogram_len)
Definition yubihsm.c:847
yh_type_to_string
yh_rc yh_type_to_string(yh_object_type type, char const **result)
Definition yubihsm.c:4424
YH_ORIGIN_IMPORTED_WRAPPED
#define YH_ORIGIN_IMPORTED_WRAPPED
Definition yubihsm.h:697
YH_VERB_ALL
#define YH_VERB_ALL
Debug level all. All previous options enabled.
Definition yubihsm.h:145
YH_ORIGIN_GENERATED
#define YH_ORIGIN_GENERATED
The object was generated on the device.
Definition yubihsm.h:692
YH_ORIGIN_IMPORTED
#define YH_ORIGIN_IMPORTED
The object was imported into the device.
Definition yubihsm.h:694
type
yh_object_type type
Definition yubihsm.h:672
YH_LOG_DIGEST_SIZE
#define YH_LOG_DIGEST_SIZE
Size that the log digest is truncated to.
Definition yubihsm.h:127
YH_VERB_INFO
#define YH_VERB_INFO
Debug level info. General information messages printed out.
Definition yubihsm.h:141
yh_object_type
yh_object_type
Definition yubihsm.h:359
YH_OTP_AEAD_KEY
@ YH_OTP_AEAD_KEY
OTP AEAD Key is a secret key used to decrypt Yubico OTP values.
Definition yubihsm.h:376
YH_WRAP_KEY
@ YH_WRAP_KEY
Definition yubihsm.h:369
YH_HMAC_KEY
@ YH_HMAC_KEY
HMAC Key is a secret key used when computing and verifying HMAC signatures.
Definition yubihsm.h:371
YH_ASYMMETRIC_KEY
@ YH_ASYMMETRIC_KEY
Asymmetric Key is the private key of an asymmetric key-pair.
Definition yubihsm.h:366
YH_AUTHENTICATION_KEY
@ YH_AUTHENTICATION_KEY
Authentication Key is used to establish Sessions with a device.
Definition yubihsm.h:364
YH_MAX_ITEMS_COUNT
#define YH_MAX_ITEMS_COUNT
Max items the device may hold.
Definition yubihsm.h:103
YH_OBJ_LABEL_LEN
#define YH_OBJ_LABEL_LEN
Max length of object labels.
Definition yubihsm.h:123
yh_algorithm
yh_algorithm
Definition yubihsm.h:390
YH_ALGO_EC_P521
@ YH_ALGO_EC_P521
ecp521
Definition yubihsm.h:418
YH_ALGO_MGF1_SHA512
@ YH_ALGO_MGF1_SHA512
mgf1-sha512
Definition yubihsm.h:460
YH_ALGO_RSA_PSS_SHA384
@ YH_ALGO_RSA_PSS_SHA384
rsa-pss-sha384
Definition yubihsm.h:404
YH_ALGO_EC_ECDH
@ YH_ALGO_EC_ECDH
ecdh
Definition yubihsm.h:438
YH_ALGO_RSA_PKCS1_SHA256
@ YH_ALGO_RSA_PKCS1_SHA256
rsa-pkcs1-sha256
Definition yubihsm.h:394
YH_ALGO_RSA_PKCS1_SHA1
@ YH_ALGO_RSA_PKCS1_SHA1
rsa-pkcs1-sha1
Definition yubihsm.h:392
YH_ALGO_RSA_PSS_SHA512
@ YH_ALGO_RSA_PSS_SHA512
rsa-pss-sha512
Definition yubihsm.h:406
YH_ALGO_EC_BP384
@ YH_ALGO_EC_BP384
ecbp384
Definition yubihsm.h:424
YH_ALGO_RSA_PSS_SHA1
@ YH_ALGO_RSA_PSS_SHA1
rsa-pss-sha1
Definition yubihsm.h:400
YH_ALGO_EC_ECDSA_SHA256
@ YH_ALGO_EC_ECDSA_SHA256
ecdsa-sha256
Definition yubihsm.h:476
YH_ALGO_EC_P384
@ YH_ALGO_EC_P384
ecp384
Definition yubihsm.h:416
YH_ALGO_EC_ECDSA_SHA512
@ YH_ALGO_EC_ECDSA_SHA512
ecdsa-sha512
Definition yubihsm.h:480
YH_ALGO_AES128_YUBICO_AUTHENTICATION
@ YH_ALGO_AES128_YUBICO_AUTHENTICATION
aes128-yubico-authentication
Definition yubihsm.h:466
YH_ALGO_RSA_OAEP_SHA256
@ YH_ALGO_RSA_OAEP_SHA256
rsa-oaep-sha256
Definition yubihsm.h:442
YH_ALGO_AES192_YUBICO_OTP
@ YH_ALGO_AES192_YUBICO_OTP
aes192-yubico-otp
Definition yubihsm.h:468
YH_ALGO_AES128_YUBICO_OTP
@ YH_ALGO_AES128_YUBICO_OTP
aes128-yubico-otp
Definition yubihsm.h:464
YH_ALGO_EC_ECDSA_SHA384
@ YH_ALGO_EC_ECDSA_SHA384
ecdsa-sha384
Definition yubihsm.h:478
YH_ALGO_EC_ED25519
@ YH_ALGO_EC_ED25519
ed25519
Definition yubihsm.h:482
YH_ALGO_HMAC_SHA512
@ YH_ALGO_HMAC_SHA512
hmac-sha512
Definition yubihsm.h:434
YH_ALGO_HMAC_SHA384
@ YH_ALGO_HMAC_SHA384
hmac-sha384
Definition yubihsm.h:432
YH_ALGO_MGF1_SHA384
@ YH_ALGO_MGF1_SHA384
mgf1-sha384
Definition yubihsm.h:458
YH_ALGO_RSA_PKCS1_SHA512
@ YH_ALGO_RSA_PKCS1_SHA512
rsa-pkcs1-sha512
Definition yubihsm.h:398
YH_ALGO_AES256_CCM_WRAP
@ YH_ALGO_AES256_CCM_WRAP
aes256-ccm-wrap
Definition yubihsm.h:474
YH_ALGO_HMAC_SHA1
@ YH_ALGO_HMAC_SHA1
hmac-sha1
Definition yubihsm.h:428
YH_ALGO_RSA_OAEP_SHA512
@ YH_ALGO_RSA_OAEP_SHA512
rsa-oaep-sha512
Definition yubihsm.h:446
YH_ALGO_RSA_2048
@ YH_ALGO_RSA_2048
rsa2048
Definition yubihsm.h:408
YH_ALGO_HMAC_SHA256
@ YH_ALGO_HMAC_SHA256
hmac-sha256
Definition yubihsm.h:430
YH_ALGO_RSA_OAEP_SHA384
@ YH_ALGO_RSA_OAEP_SHA384
rsa-oaep-sha384
Definition yubihsm.h:444
YH_ALGO_AES192_CCM_WRAP
@ YH_ALGO_AES192_CCM_WRAP
aes192-ccm-wrap
Definition yubihsm.h:472
YH_ALGO_EC_BP512
@ YH_ALGO_EC_BP512
ecbp512
Definition yubihsm.h:426
YH_ALGO_EC_BP256
@ YH_ALGO_EC_BP256
ecbp256
Definition yubihsm.h:422
YH_ALGO_RSA_PSS_SHA256
@ YH_ALGO_RSA_PSS_SHA256
rsa-pss-sha256
Definition yubihsm.h:402
YH_ALGO_AES256_YUBICO_OTP
@ YH_ALGO_AES256_YUBICO_OTP
aes256-yubico-otp
Definition yubihsm.h:470
YH_ALGO_EC_K256
@ YH_ALGO_EC_K256
eck256
Definition yubihsm.h:420
YH_ALGO_MGF1_SHA1
@ YH_ALGO_MGF1_SHA1
mgf1-sha1
Definition yubihsm.h:454
YH_ALGO_AES128_CCM_WRAP
@ YH_ALGO_AES128_CCM_WRAP
aes128-ccm-wrap
Definition yubihsm.h:448
YH_ALGO_MGF1_SHA256
@ YH_ALGO_MGF1_SHA256
mgf1-sha256
Definition yubihsm.h:456
YH_ALGO_EC_P256
@ YH_ALGO_EC_P256
ecp256
Definition yubihsm.h:414
YH_ALGO_RSA_4096
@ YH_ALGO_RSA_4096
rsa4096
Definition yubihsm.h:412
YH_ALGO_EC_ECDSA_SHA1
@ YH_ALGO_EC_ECDSA_SHA1
ecdsa-sha1
Definition yubihsm.h:436
YH_ALGO_RSA_OAEP_SHA1
@ YH_ALGO_RSA_OAEP_SHA1
rsa-oaep-sha1
Definition yubihsm.h:440
YH_ALGO_EC_P224
@ YH_ALGO_EC_P224
ecp224
Definition yubihsm.h:484
YH_ALGO_RSA_PKCS1_SHA384
@ YH_ALGO_RSA_PKCS1_SHA384
rsa-pkcs1-sha384
Definition yubihsm.h:396
YH_ALGO_RSA_3072
@ YH_ALGO_RSA_3072
rsa3072
Definition yubihsm.h:410
YH_VERB_RAW
#define YH_VERB_RAW
Debug level raw. Raw messages printed out.
Definition yubihsm.h:139
YH_CONNECTOR_PROXY_SERVER
@ YH_CONNECTOR_PROXY_SERVER
Definition yubihsm.h:506
YH_CONNECTOR_HTTPS_CA
@ YH_CONNECTOR_HTTPS_CA
Definition yubihsm.h:503
algorithm
yh_algorithm algorithm
Definition yubihsm.h:619
YH_MAX_ALGORITHM_COUNT
#define YH_MAX_ALGORITHM_COUNT
Max number of algorithms defined here.
Definition yubihsm.h:383
YH_MSG_BUF_SIZE
#define YH_MSG_BUF_SIZE
Maximum length of message buffer.
Definition yubihsm.h:93
YH_VERB_CRYPTO
#define YH_VERB_CRYPTO
Debug level crypto. Crypto results printed out.
Definition yubihsm.h:137
YH_VERB_ERR
#define YH_VERB_ERR
Debug level error. Error messages printed out.
Definition yubihsm.h:143
YH_VERB_QUIET
#define YH_VERB_QUIET
Debug level quiet. No messages printed out.
Definition yubihsm.h:133
yh_cmd
yh_cmd
Definition yubihsm.h:243
YHC_ERROR
@ YHC_ERROR
Definition yubihsm.h:348
YH_KEY_LEN
#define YH_KEY_LEN
Length of authentication keys.
Definition yubihsm.h:95
YH_CAPABILITIES_LEN
#define YH_CAPABILITIES_LEN
Length of capabilities array.
Definition yubihsm.h:119
YH_MAX_SESSIONS
#define YH_MAX_SESSIONS
Max sessions the device may hold.
Definition yubihsm.h:105
YH_MAX_LOG_ENTRIES
#define YH_MAX_LOG_ENTRIES
Max log entries the device may hold.
Definition yubihsm.h:121
yh_rc
yh_rc
Definition yubihsm.h:170
YHR_SUCCESS
@ YHR_SUCCESS
Returned value when function was successful.
Definition yubihsm.h:172
YHR_CONNECTION_ERROR
@ YHR_CONNECTION_ERROR
Returned value when a connection error was encountered.
Definition yubihsm.h:178
YH_VERB_INTERMEDIATE
#define YH_VERB_INTERMEDIATE
Debug level intermediate. Intermediate results printed out.
Definition yubihsm.h:135
YH_CONTEXT_LEN
#define YH_CONTEXT_LEN
Length of context array for authentication.
Definition yubihsm.h:89
patch
uint8_t patch
Definition yubihsm_pkcs11.c:548
capabilities
yh_capabilities capabilities
Definition yubihsm_pkcs11.c:1305
d
CK_ULONG d
Definition yubihsm_pkcs11.c:1238
serial
uint32_t serial
Definition yubihsm_pkcs11.c:611
label
char * label
Definition yubihsm_pkcs11.c:1883
ret
CK_RV ret
Definition yubihsm_pkcs11.c:973
s
char * s
Definition yubihsm_pkcs11.c:524
j
uint16_t j
Definition yubihsm_pkcs11.c:465
domains
uint16_t domains
Definition yubihsm_pkcs11.c:1926
out_len
size_t out_len
Definition yubihsm_pkcs11.c:5000
major
uint8_t major
Definition yubihsm_pkcs11.c:546
len
size_t len
Definition yubihsm_pkcs11.c:4771
object
yh_object_descriptor object
Definition yubihsm_pkcs11.c:1544
UNUSED
#define UNUSED(x)
Definition yubihsm_pkcs11.c:46
pubkey
CK_BYTE_PTR pubkey
Definition yubihsm_pkcs11.c:4984
yrc
yh_rc yrc
Definition yubihsm_pkcs11.c:606
memset
memset(pInfo->slotDescription, ' ', 64)
minor
uint8_t minor
Definition yubihsm_pkcs11.c:547
label_len
size_t label_len
Definition yubihsm_pkcs11.c:4938
memcpy
memcpy((char *) pInfo->slotDescription, s, l)
delegated_capabilities
yh_capabilities delegated_capabilities
Definition yubihsm_pkcs11.c:1306
ses
yh_session * ses
Definition yubihsm_shell_tests.c:28