Loading...
Searching...
No Matches
#include <yubihsm.h>#include "internal.h"#include <arpa/inet.h>#include <dlfcn.h>#include <errno.h>#include <stdlib.h>#include <string.h>#include <strings.h>#include <stdio.h>#include <limits.h>#include "../common/rand.h"#include "../common/pkcs5.h"#include "../common/hash.h"#include "../aes_cmac/aes_cmac.h"#include "debug_lib.h"#include "../common/insecure_memzero.h"
Include dependency graph for yubihsm.c:
Go to the source code of this file.
Macros | |
| #define | STATIC_USB_BACKEND "usb" |
| #define | STATIC_HTTP_BACKEND "http" |
| #define | LIST_SEPARATORS ":,;|" |
| #define | LIST_ID 1 |
| #define | LIST_TYPE 2 |
| #define | LIST_DOMAINS 3 |
| #define | LIST_CAPABILITIES 4 |
| #define | LIST_ALGORITHM 5 |
| #define | LIST_LABEL 6 |
| #define | STATUS_ENDPOINT "/connector/status" |
| #define | API_ENDPOINT "/connector/api" |
| #define | USB_LIB "libyubihsm_usb.so." SOVERSION |
| #define | HTTP_LIB "libyubihsm_http.so." SOVERSION |
| #define | htonll(x) |
Variables | |
| uint8_t _yh_verbosity | YH_INTERNAL = 0 |
Macro Definition Documentation
◆ API_ENDPOINT
◆ htonll
| #define htonll | ( | x | ) |
◆ HTTP_LIB
| #define HTTP_LIB "libyubihsm_http.so." SOVERSION |
◆ LIST_ALGORITHM
◆ LIST_CAPABILITIES
◆ LIST_DOMAINS
◆ LIST_ID
◆ LIST_LABEL
◆ LIST_SEPARATORS
◆ LIST_TYPE
◆ STATIC_HTTP_BACKEND
◆ STATIC_USB_BACKEND
◆ STATUS_ENDPOINT
◆ USB_LIB
| #define USB_LIB "libyubihsm_usb.so." SOVERSION |
Function Documentation
◆ yh_algo_to_string()
| yh_rc yh_algo_to_string | ( | yh_algorithm | algo, |
| char const ** | result ) |
Convert an algorithm to its string representation.
- Parameters
-
algo Algorithm to convert. See yh_algorithm result The algorithm as a String. "Unknown" if the algorithm is not supported by YubiHSM 2.
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if
resultis NULL.
- See also
- Algorithms
Definition at line 4384 of file yubihsm.c.
4384 {
4385
4386 if (result == NULL) {
4389 }
4390
4391 for (size_t i = 0; i < sizeof(yh_algorithms) / sizeof(yh_algorithms[0]);
4392 i++) {
4394 *result = yh_algorithms[i].name;
4396 }
4397 }
4398
4399 *result = "Unknown";
4401}
@ YHR_INVALID_PARAMETERS
Returned value when an argument to a function is invalid.
Definition yubihsm.h:182
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_authenticate_session()
| yh_rc yh_authenticate_session | ( | yh_session * | session | ) |
Authenticate session
- Parameters
-
session Session to authenticate
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. YHR_SESSION_AUTHENTICATION_FAILED if the session fails to authenticate. See yh_rc for other possible errors
- See also
- Session
Definition at line 2927 of file yubihsm.c.
2927 {
2928
2929 Msg msg;
2930 Msg response_msg;
2932
2933 uint8_t mac_buf[64];
2934 uint16_t mac_buf_len;
2935
2939 }
2940
2941 // Send AUTHENTICATE SESSION command
2942 msg.st.cmd = YHC_AUTHENTICATE_SESSION;
2944
2946
2947 // Compute host cryptogram
2952 }
2953
2955
2961
2963 session->s.mac_chaining_value);
2965 SCP_MAC_LEN);
2966
2967 // Reset counter to 1
2970
2975 }
2976
2980 }
2981
2983}
struct _Msg::@103 st
@ YHR_SESSION_AUTHENTICATION_FAILED
Returned value when failing to authenticate the session.
Definition yubihsm.h:191
memset(pInfo->slotDescription, ' ', 64)
memcpy((char *) pInfo->slotDescription, s, l)
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_begin_create_session_ext()
| yh_rc yh_begin_create_session_ext | ( | yh_connector * | connector, |
| uint16_t | authkey_id, | ||
| uint8_t ** | context, | ||
| uint8_t * | card_cryptogram, | ||
| size_t | card_cryptogram_len, | ||
| yh_session ** | session ) |
Begin creating an external session. The session's encryption key and MAC key are not stored in the device.
This function must be followed by yh_finish_create_session_ext() to set the session keys.
- Parameters
-
connector Connector to the device authkey_id Object ID of the Authentication Key used to authenticate the session context pointer to where context data is saved card_cryptogram Card cryptogram card_cryptogram_len Length of card cryptogram session created session
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_MEMORY_ERROR if failed to allocate memory for the session. See yh_rc for other possible errors
- See also
- Session
Definition at line 751 of file yubihsm.c.
754 {
755
756 Msg msg;
757 Msg response_msg;
759 uint8_t *ptr;
760 yh_session *new_session;
762
767 }
768
771 } // TODO(adma): take this as an input so that it can be generated from the
772 // YubiKey
773
774 /**********/
775 // TODO(adma): replace with func
777 if (new_session == NULL) {
780 }
781
782 // Send CREATE SESSION command
783 msg.st.cmd = YHC_CREATE_SESSION;
785
786 uint16_t authkey_id_n = htons(authkey_id);
790
792
793 yrc = send_msg(connector, &msg, &response_msg);
795 goto bcse_failure;
796 }
797
798 // Parse response
802 response_msg.st.data[0]);
803 yrc = translated;
804 goto bcse_failure;
805 }
806
809 goto bcse_failure;
810 }
811
812 ptr = response_msg.st.data;
813
814 // Save sid
816
817 // Save card challenge
819 ptr += SCP_CARD_CHAL_LEN;
820
822 ptr += SCP_CARD_CRYPTO_LEN;
823
825
827 "Card challenge: ");
829
830 // Save link back to connector
831 new_session->parent = connector;
832
833 *session = new_session;
835
837
838bcse_failure:
839 free(new_session);
840 (new_session) = NULL;
841
843
845}
Definition yubihsm_winhttp.c:52
Definition internal.h:25
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_capabilities_to_strings()
| yh_rc yh_capabilities_to_strings | ( | const yh_capabilities * | num, |
| const char * | result[], | ||
| size_t * | n_result ) |
Convert an array of yh_capabilities into strings separated by ','
- Parameters
-
num Array of yh_capabilities result Array of the capabilies as strings n_result Number of elements in result
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_BUFFER_TOO_SMALL if
n_resultis too small
- See also
- Capability
Definition at line 4168 of file yubihsm.c.
4169 {
4170
4171 if (num == 0 || result == NULL || n_result == NULL) {
4174 }
4175
4176 size_t matching = 0;
4177
4178 for (size_t i = 0; i < sizeof(yh_capability) / sizeof(yh_capability[0]);
4179 i++) {
4182 (yh_capability[i].bit / 8)]) != 0) {
4183 if (++matching > *n_result) {
4184 memset(result, 0, *n_result);
4185
4187 }
4188
4189 result[matching - 1] = yh_capability[i].name;
4190 }
4191 }
4192
4193 *n_result = matching;
4194
4196}
@ num
@ YHR_BUFFER_TOO_SMALL
Returned value when there is not enough space to store data.
Definition yubihsm.h:187
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_check_capability()
| bool yh_check_capability | ( | const yh_capabilities * | capabilities, |
| const char * | capability ) |
Check if a capability is set
- Parameters
-
capabilities Array of yh_capabilities capability Capability to check as a string.
- Returns
- True if the
capabilityis incapabilities. False otherwise
- Code sample
char *capabilities_str = "sign-pkcs,decrypt-pkcs,set-option"; yh_capabilities capabilities = {{0}}; yh_string_to_capabilities(capabilities_str, &capabilities); //yh_check_capability(&capabilities, "something") => false //yh_check_capability(&capabilities, "sign-pss") => false //yh_check_capability(&capabilities, "decrypt-pkcs") => true
- See also
- Capability
Definition at line 4198 of file yubihsm.c.
4199 {
4200
4201 yh_capabilities check_capabilities = {{0}};
4202
4204 YHR_SUCCESS) {
4205 return false;
4206 }
4207
4211 0) {
4212 return true;
4213 }
4214 }
4215
4216 return false;
4217}
uint8_t capabilities[YH_CAPABILITIES_LEN]
Capabilities is represented as an 8 byte uint8_t array.
Definition yubihsm.h:164
yh_rc yh_string_to_capabilities(const char *capability, yh_capabilities *result)
Definition yubihsm.c:4115
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_connect()
| yh_rc yh_connect | ( | yh_connector * | connector, |
| int | timeout ) |
Connect to the device through the specified connector
- Parameters
-
connector Connector to the device timeout Connection timeout in seconds
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the connector does not exist. See yh_rc for other possible errors
Definition at line 4079 of file yubihsm.c.
4079 {
4080
4084 }
4085
4087
4089
4092 }
4093
4095}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_connector_has_device()
| bool yh_connector_has_device | ( | yh_connector * | connector | ) |
◆ yh_create_session()
| yh_rc yh_create_session | ( | yh_connector * | connector, |
| uint16_t | authkey_id, | ||
| const uint8_t * | key_enc, | ||
| size_t | key_enc_len, | ||
| const uint8_t * | key_mac, | ||
| size_t | key_mac_len, | ||
| bool | recreate_session, | ||
| yh_session ** | session ) |
Create a session that uses the specified encryption key and MAC key to derive session-specific keys
- Parameters
-
connector Connector to the device authkey_id Object ID of the Authentication Key used to authenticate the session key_enc Encryption key used to derive the session encryption key key_enc_len Length of the encryption key. key_mac MAC key used to derive the session MAC key key_mac_len Length of the MAC key. recreate_session If true, the session will be recreated if expired. This caches the password in memory session created session
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or incorrect. See yh_rc for other possible errors
- See also
- Session, Authentication Key
Definition at line 616 of file yubihsm.c.
619 {
620
621 Msg msg;
622 Msg response_msg;
624 uint8_t *ptr;
626 yh_session *new_session;
628
633 }
634
637 }
638
641 if (new_session == NULL) {
644 }
645 } else {
646 new_session = *session;
647 }
648
649 new_session->authkey_id = authkey_id;
650
651 if (recreate) {
655 }
656
657 // Send CREATE SESSION command
658 msg.st.cmd = YHC_CREATE_SESSION;
660
661 uint16_t authkey_id_n = htons(authkey_id);
665
667
668 yrc = send_msg(connector, &msg, &response_msg);
670 goto cs_failure;
671 }
672
673 // Parse response
677 response_msg.st.data[0]);
678 yrc = translated;
679 goto cs_failure;
680 }
681
684 goto cs_failure;
685 }
686
687 ptr = response_msg.st.data;
688
689 // Save sid
691
692 // Save card challenge
694 ptr += SCP_CARD_CHAL_LEN;
695
697 ptr += SCP_CARD_CRYPTO_LEN;
698
700
702 "Card challenge: ");
704
705 // Derive session keys
706 yrc =
709 goto cs_failure;
710
711 yrc =
714 goto cs_failure;
715
716 yrc =
719 goto cs_failure;
720
724 // Verify card cryptogram
726 card_cryptogram);
729 goto cs_failure;
730 }
731
733
734 // Save link back to connector
735 new_session->parent = connector;
736
737 *session = new_session;
738
740
741cs_failure:
743 free(new_session);
744 (new_session) = NULL;
745
747
749}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_create_session_derived()
| yh_rc yh_create_session_derived | ( | yh_connector * | connector, |
| uint16_t | authkey_id, | ||
| const uint8_t * | password, | ||
| size_t | password_len, | ||
| bool | recreate_session, | ||
| yh_session ** | session ) |
Create a session that uses an encryption key and a MAC key derived from a password
- Parameters
-
connector Connector to the device authkey_id Object ID of the Authentication Key used to authenticate the session password Password used to derive the session encryption key and MAC key password_len Length of the password in bytes recreate_session If true, the session will be recreated if expired. This caches the password in memory session The created session
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the connector, the password or the session are NULL. YHR_GENERIC_ERROR if failed to derive the session encryption key and/or the MAC key or if PRNG related errors occur. YHR_MEMORY_ERROR if failed to allocate memory for the session. See yh_rc for other possible errors
- See also
- Session
Definition at line 593 of file yubihsm.c.
595 {
596
600 }
601
604
606
612 }
614}
yh_rc yh_create_session(yh_connector *connector, uint16_t authkey_id, const uint8_t *key_enc, size_t key_enc_len, const uint8_t *key_mac, size_t key_mac_len, bool recreate, yh_session **session)
Definition yubihsm.c:616
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_destroy_session()
| yh_rc yh_destroy_session | ( | yh_session ** | session | ) |
Free data associated with the session
- Parameters
-
session Pointer to the session to destroy
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL.
- See also
- Session
Definition at line 890 of file yubihsm.c.
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_disconnect()
| yh_rc yh_disconnect | ( | yh_connector * | connector | ) |
Disconnect from a connector
- Parameters
-
connector Connector from which to disconnect
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the connector is NULL
Definition at line 4097 of file yubihsm.c.
4097 {
4098
4099 if (connector == NULL) {
4102 }
4103
4104 destroy_connector(connector);
4105
4107}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_domains_to_string()
Convert domains parameter to its String representation
- Parameters
-
domains Encoded domains string Domains as a string max_len Maximum length of the string
- Returns
- YHR_SUCCESS if successful. YHR_BUFFER_TOO_SMALL if
max_lenis too small
- Examples
- 1 => "1"
- 0x8001 => "1:16"
- 0, ""
- 0xffff => "1:2:3:4:5:6:7:8:9:10:11:12:13:14:15:16"
- See also
- Domains
Definition at line 4587 of file yubihsm.c.
4587 {
4588 char *ptr = string;
4589 *ptr = '\0';
4592 size_t wrote = snprintf(ptr, max_len, "%d:", i + 1);
4593 if (wrote >= max_len) {
4595 }
4596 ptr += wrote;
4597 max_len -= wrote;
4598 }
4599 }
4600 if (ptr != string) {
4601 *(ptr - 1) = '\0';
4602 }
4604}
Here is the caller graph for this function:
◆ yh_exit()
| yh_rc yh_exit | ( | void | ) |
Global library clean up
- Returns
- YHR_SUCCESS
Definition at line 3910 of file yubihsm.c.
Here is the caller graph for this function:
◆ yh_filter_capabilities()
| yh_rc yh_filter_capabilities | ( | const yh_capabilities * | capabilities, |
| const yh_capabilities * | filter, | ||
| yh_capabilities * | result ) |
Filter one set of capabilities with another. The resulting set of capabilities contains only the capabilities that exist in both sets of input capabilities
- Parameters
-
capabilities Array of yh_capabilities filter Array of yh_capabilities result Resulting array of yh_capabilities
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL.
- See also
- Capability
Definition at line 4231 of file yubihsm.c.
4233 {
4236 }
4237
4239 result->capabilities[i] =
4241 }
4243}
◆ yh_finish_create_session_ext()
| yh_rc yh_finish_create_session_ext | ( | yh_connector * | connector, |
| yh_session * | session, | ||
| const uint8_t * | key_senc, | ||
| size_t | key_senc_len, | ||
| const uint8_t * | key_smac, | ||
| size_t | key_smac_len, | ||
| const uint8_t * | key_srmac, | ||
| size_t | key_srmac_len, | ||
| uint8_t * | card_cryptogram, | ||
| size_t | card_cryptogram_len ) |
Finish creating external session. The session's encryption key and MAC key are not stored in the device.
This function must be called after yh_begin_create_session_ext().
- Parameters
-
connector Connector to the device session The session created with yh_begin_create_session_ext() key_senc Session encryption key used to encrypt the messages exchanged with the device key_senc_len Lenght of the encryption key. Must be YH_KEY_LEN key_smac Session MAC key used for creating the authentication tag for each message key_smac_len Length of the MAC key. Must be YH_KEY_LEN key_srmac Session return MAC key used for creating the authentication tag for each response message key_srmac_len Length of the return MAC key. Must be YH_KEY_LEN card_cryptogram Card cryptogram card_cryptogram_len Length of card cryptogram
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or any of the key lengths are not YH_KEY_LEN. See yh_rc for other possible errors
- See also
- Session
Definition at line 847 of file yubihsm.c.
851 { // TODO(adma): remove all these
852
854 key_senc_len != YH_KEY_LEN || key_smac == NULL ||
855 key_smac_len != YH_KEY_LEN || key_srmac == NULL ||
856 key_srmac_len != YH_KEY_LEN || card_cryptogram == NULL ||
857 card_cryptogram_len != SCP_CARD_CRYPTO_LEN) {
860 }
861
863
867
871
872 // Verify card cryptogram
876
877 free(session);
878 session = NULL;
879
881
883 }
884
886
888}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_get_connector_address()
| yh_rc yh_get_connector_address | ( | yh_connector * | connector, |
| char **const | address ) |
Get connector address
- Parameters
-
connector Connector currently in use address Pointer to the connector address as string
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL.
Definition at line 926 of file yubihsm.c.
926 {
927
928 if (connector == NULL || address == NULL) {
931 }
932
934
936}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_get_connector_version()
| yh_rc yh_get_connector_version | ( | yh_connector * | connector, |
| uint8_t * | major, | ||
| uint8_t * | minor, | ||
| uint8_t * | patch ) |
Get the connector version
- Parameters
-
connector Connector currently in use major Connector major version minor Connector minor version patch Connector patch version
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL.
Definition at line 911 of file yubihsm.c.
912 {
913
917 }
918
922
924}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_get_key_bitlength()
| yh_rc yh_get_key_bitlength | ( | yh_algorithm | algorithm, |
| size_t * | result ) |
Get the expected key length of a key generated by the given algorithm
- Parameters
-
algorithm Algorithm to check. See yh_algorithm result Expected bitlength of a key generated by the algorithm
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if
resultis NULL or if the algorithm is no supported by YubiHSM 2. For a list of supported algorithms, see yh_algorithm
Definition at line 4309 of file yubihsm.c.
4309 {
4310
4311 if (result == NULL) {
4313 }
4314
4317 *result = 2048;
4318 break;
4319
4321 *result = 3072;
4322 break;
4323
4325 *result = 4096;
4326 break;
4327
4329 *result = 256;
4330 break;
4331
4333 *result = 384;
4334 break;
4335
4337 *result = 521;
4338 break;
4339
4341 *result = 224;
4342 break;
4343
4345 *result = 256;
4346 break;
4347
4349 *result = 256;
4350 break;
4351
4353 *result = 394;
4354 break;
4355
4357 *result = 512;
4358 break;
4359
4361 *result = 160;
4362 break;
4363
4365 *result = 256;
4366 break;
4367
4369 *result = 384;
4370 break;
4371
4373 *result = 512;
4374 break;
4375
4376 default:
4377 *result = 0;
4379 }
4380
4382}
Here is the caller graph for this function:
◆ yh_get_session_id()
| yh_rc yh_get_session_id | ( | yh_session * | session, |
| uint8_t * | sid ) |
Get the session ID
- Parameters
-
session Authenticated session to use sid Session ID
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL.
Definition at line 2915 of file yubihsm.c.
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_get_verbosity()
Get verbosity level when executing commands
- Parameters
-
verbosity The verbosity level
- Returns
- YHR_SUCCESS if seccessful. YHR_INVALID_PARAMETERS if verbosity is NULL
- See also
- YH_VERB_QUIET, YH_VERB_INTERMEDIATE, YH_VERB_CRYPTO, YH_VERB_RAW, YH_VERB_INFO, YH_VERB_ERR, YH_VERB_ALL
Definition at line 3837 of file yubihsm.c.
Here is the caller graph for this function:
◆ yh_init()
| yh_rc yh_init | ( | void | ) |
Global library initialization
- Returns
- YHR_SUCCESS
Definition at line 3857 of file yubihsm.c.
Here is the caller graph for this function:
◆ yh_init_connector()
| yh_rc yh_init_connector | ( | const char * | url, |
| yh_connector ** | connector ) |
Instantiate a new connector
- Parameters
-
url URL associated with this connector connector Connector to the device
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if either the URL or the connector are NULL. YHR_GENERIC_ERROR if failed to load the backend. YHR_MEMORY_ERROR if failed to allocate memory for the connector. YHR_CONNECTION_ERROR if failed to create the connector
Definition at line 4024 of file yubihsm.c.
4024 {
4028 }
4029
4030#ifdef STATIC
4031#define USB_LIB STATIC_USB_BACKEND
4032#define HTTP_LIB STATIC_HTTP_BACKEND
4033#elif defined WIN32
4034#define USB_LIB "libyubihsm_usb.dll"
4035#define HTTP_LIB "libyubihsm_http.dll"
4036#elif defined __APPLE__
4037#define USB_LIB "libyubihsm_usb." SOVERSION ".dylib"
4038#define HTTP_LIB "libyubihsm_http." SOVERSION ".dylib"
4039#else
4040#define USB_LIB "libyubihsm_usb.so." SOVERSION
4041#define HTTP_LIB "libyubihsm_http.so." SOVERSION
4042#endif
4043
4044 void *backend = NULL;
4046
4049 load_backend(USB_LIB, &backend, &bf);
4053 load_backend(HTTP_LIB, &backend, &bf);
4054 }
4055 if (bf == NULL) {
4058 }
4059
4061}
Definition internal.h:65
#define USB_LIB
#define HTTP_LIB
Here is the caller graph for this function:
◆ yh_is_ec()
| bool yh_is_ec | ( | yh_algorithm | algorithm | ) |
Check if an algorithm is a supported Elliptic Curve algorithm.
Supported EC algorithms: YH_ALGO_EC_P224, YH_ALGO_EC_P256, YH_ALGO_EC_P384, YH_ALGO_EC_P521, YH_ALGO_EC_K256, YH_ALGO_EC_BP256, YH_ALGO_EC_BP384 and YH_ALGO_EC_BP512
- Parameters
-
algorithm Algorithm to check. See yh_algorithm
- Returns
- True if the algorithm is one of the supported EC algorithms. False otherwise
Definition at line 4260 of file yubihsm.c.
4260 {
4261
4271 return true;
4272
4273 default:
4274 break;
4275 }
4276
4277 return false;
4278}
Here is the caller graph for this function:
◆ yh_is_ed()
| bool yh_is_ed | ( | yh_algorithm | algorithm | ) |
Check if an algorithm is a supported ED algorithm.
Supported ED algorithms: YH_ALGO_EC_ED25519
- Parameters
-
algorithm algorithm. See yh_algorithm
- Returns
- True if the algorithm is YH_ALGO_EC_ED25519. False otherwise
Definition at line 4280 of file yubihsm.c.
4280 {
4281
4284 return true;
4285
4286 default:
4287 break;
4288 }
4289
4290 return false;
4291}
Here is the caller graph for this function:
◆ yh_is_hmac()
| bool yh_is_hmac | ( | yh_algorithm | algorithm | ) |
Check if algorithm is a supported HMAC algorithm.
Supported HMAC algorithms: YH_ALGO_HMAC_SHA1, YH_ALGO_HMAC_SHA256, YH_ALGO_HMAC_SHA384 and YH_ALGO_HMAC_SHA512
- Parameters
-
algorithm Algorithm to check. See yh_algorithm
- Returns
- True if the algorithm is one of the supported HMAC algorithms. False otherwise
Definition at line 4293 of file yubihsm.c.
4293 {
4294
4300 return true;
4301
4302 default:
4303 break;
4304 }
4305
4306 return false;
4307}
Here is the caller graph for this function:
◆ yh_is_rsa()
| bool yh_is_rsa | ( | yh_algorithm | algorithm | ) |
Check if an algorithm is a supported RSA algorithm.
Supported RSA algorithms: YH_ALGO_RSA_2048, YH_ALGO_RSA_3072 and YH_ALGO_RSA_4096
- Parameters
-
algorithm Algorithm to check. See yh_algorithm
- Returns
- True if the algorithm is one of the supported RSA algorithms . False otherwise
Definition at line 4245 of file yubihsm.c.
4245 {
4246
4251 return true;
4252
4253 default:
4254 break;
4255 }
4256
4257 return false;
4258}
Here is the caller graph for this function:
◆ yh_merge_capabilities()
| yh_rc yh_merge_capabilities | ( | const yh_capabilities * | a, |
| const yh_capabilities * | b, | ||
| yh_capabilities * | result ) |
Merge two sets of capabilities. The resulting set of capabilities contain all capabilities from both arrays
- Parameters
-
a Array of yh_capabilities b Array of yh_capabilities result Resulting array of yh_capabilities
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL.
- See also
- Capability
Definition at line 4219 of file yubihsm.c.
4220 {
4223 }
4224
4227 }
4229}
◆ yh_send_plain_msg()
| yh_rc yh_send_plain_msg | ( | yh_connector * | connector, |
| yh_cmd | cmd, | ||
| const uint8_t * | data, | ||
| size_t | data_len, | ||
| yh_cmd * | response_cmd, | ||
| uint8_t * | response, | ||
| size_t * | response_len ) |
Send a plain (unencrypted) message to the device through a connector
- Parameters
-
connector Connector to the device cmd Command to send. See yh_cmd data Data to send data_len length of data to send response_cmd Response command response Response data response_len Length of response data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_BUFFER_TOO_SMALL if the actual response was longer than response_len. See yh_rc for other possible errors
Definition at line 126 of file yubihsm.c.
129 {
130
131 Msg msg;
132 Msg response_msg;
133
135
136 if (connector == NULL || (data_len != 0 && data == NULL) ||
137 response_cmd == NULL || response == NULL || response_len == NULL) {
140 }
141
146 }
147
148 msg.st.cmd = cmd;
149 msg.st.len = data_len;
150 if (data_len > 0) {
152 }
153
155 data_len + 3);
156
157 yrc = send_msg(connector, &msg, &response_msg);
161 }
162
165 "%s (received %3d Bytes, can fit %3zu Bytes) ",
167 *response_len);
169 }
170
171 *response_cmd = response_msg.st.cmd;
172
174 *response_len = response_msg.st.len;
175
177}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_send_secure_msg()
| yh_rc yh_send_secure_msg | ( | yh_session * | session, |
| yh_cmd | cmd, | ||
| const uint8_t * | data, | ||
| size_t | data_len, | ||
| yh_cmd * | response_cmd, | ||
| uint8_t * | response, | ||
| size_t * | response_len ) |
Send an encrypted message to the device over a session. The session has to be authenticated
- Parameters
-
session Session to send the message over cmd Command to send data Data to send data_len Length of data to send response_cmd Response command response Response data response_len Length of response data
- Returns
- YHR_SUCCESS if successful. See yh_rc for possible errors
Definition at line 416 of file yubihsm.c.
418 {
419
420 size_t saved_len = *response_len;
421
423 response, response_len);
426 session->recreate) {
433 }
437 }
438 *response_len = saved_len;
440 response_len);
441 }
443}
@ YHR_DEVICE_INVALID_SESSION
Returned value when the device session is invalid.
Definition yubihsm.h:201
@ YHR_DEVICE_AUTHENTICATION_FAILED
Return value when the device fails to encrypt or verify the message.
Definition yubihsm.h:203
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_set_connector_option()
| yh_rc yh_set_connector_option | ( | yh_connector * | connector, |
| yh_connector_option | opt, | ||
| const void * | val ) |
Set connector options.
Note that backend options are not supported with winhttp or USB connectors
- Parameters
-
connector Connector to set an option on opt Option to set. See yh_connector_option val Value of the option. Type of value is specific to the given option
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the connector or the value are NULL or if the option is unknown. YHR_CONNECTOR_ERROR if failed to set the option
Definition at line 4063 of file yubihsm.c.
4064 {
4065
4066 if (connector == NULL || val == NULL) {
4069 }
4070
4074 }
4075
4077}
Here is the caller graph for this function:
◆ yh_set_debug_output()
| void yh_set_debug_output | ( | yh_connector * | connector, |
| FILE * | output ) |
Set file for debug output
- Parameters
-
connector If not NULL, the debug messages will be written to the specified output file output The destination of the debug messages
- Returns
- void
Definition at line 3848 of file yubihsm.c.
Here is the caller graph for this function:
◆ yh_set_verbosity()
| yh_rc yh_set_verbosity | ( | yh_connector * | connector, |
| uint8_t | verbosity ) |
Set verbosity level when executing commands. Default verbosity is YH_VERB_QUIET
This function may be called prior to global library initialization to set the debug level
- Parameters
-
connector If not NULL, the verbosity of the specific connector will be set verbosity The desired level of debug output
- Returns
- YHR_SUCCESS
- See also
- YH_VERB_QUIET, YH_VERB_INTERMEDIATE, YH_VERB_CRYPTO, YH_VERB_RAW, YH_VERB_INFO, YH_VERB_ERR, YH_VERB_ALL
Definition at line 3825 of file yubihsm.c.
3825 {
3826
3827 _yh_verbosity = verbosity;
3828
3830 // TODO(adma): should we error out if NULL?
3832 }
3833
3835}
Here is the caller graph for this function:
◆ yh_string_to_algo()
| yh_rc yh_string_to_algo | ( | const char * | string, |
| yh_algorithm * | algo ) |
Convert a string to an algorithm's numeric value
- Parameters
-
string Algorithm as string. See yh_algorithm algo Algorithm numeric value
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if the algorithm is not supported by YubiHSM 2.
- Code sample
yh_algorithm algorithm; //yh_string_to_algo(NULL, &algorithm) => YHR_INVALID_PARAMETERS //yh_string_to_algo("something", NULL) => YHR_INVALID_PARAMETERS //yh_string_to_algo("something", &algorithm) => YHR_INVALID_PARAMETERS //yh_string_to_algo("rsa-pkcs1-sha1", &algorithm) =>YH_ALGO_RSA_PKCS1_SHA1 //yh_string_to_algo("rsa2048", &algorithm) => YH_ALGO_RSA_2048
- See also
- Algorithms
Definition at line 4403 of file yubihsm.c.
4403 {
4404
4405 if (string == NULL || algo == NULL) {
4408 }
4409 if (strcasecmp(string, "any") == 0) {
4410 *algo = 0;
4412 }
4413 for (size_t i = 0; i < sizeof(yh_algorithms) / sizeof(yh_algorithms[0]);
4414 i++) {
4416 *algo = yh_algorithms[i].algorithm;
4418 }
4419 }
4420
4422}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_string_to_capabilities()
| yh_rc yh_string_to_capabilities | ( | const char * | capability, |
| yh_capabilities * | result ) |
Convert capability string to byte array
- Parameters
-
capability String of capabilities separated by ',', ':' or '|' result Array of yh_capabilities
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_BUFFER_TOO_SMALL if
capabilityis too big
- Examples:
- "get-opaque" => {"\x00\x00\x00\x00\x00\x00\x00\x01"}
- "sign-hmac:verify-hmac|exportable-under-wrap," => {"\x00\x00\x00\x00\x00\xc1\x00\x00"}
- ",,unwrap-data|:wrap-data,,," => {"\x00\x00\x00\x60\x00\x00\x00\x00"}
- "0x7fffffffffffffff" => {"\x7f\xff\xff\xff\xff\xff\xff\xff"}
- "0xffffffffffffffff" => {"\xff\xff\xff\xff\xff\xff\xff\xff"}
- See also
- Capability
Definition at line 4115 of file yubihsm.c.
4116 {
4117
4118 char *endptr;
4119 char *saveptr = NULL;
4121 char tmp[2048] = {0};
4123
4124 if (capability == NULL || result == NULL) {
4127 }
4128
4129 errno = 0;
4130 value = strtoull(capability, &endptr, 0);
4131
4132 if (capability != endptr && errno != ERANGE) {
4134 memcpy(result, &actual, 8);
4136 }
4137
4138 if (strcasecmp(capability, "all") == 0) {
4141 } else if (strcasecmp(capability, "none") == 0) {
4144 }
4145
4146 if (strlen(capability) > sizeof(tmp)) {
4148 }
4149 strncpy(tmp, capability, sizeof(tmp) - 1);
4150
4152 for (size_t i = 0; i < sizeof(yh_capability) / sizeof(yh_capability[0]);
4153 i++) {
4155 result
4156 ->capabilities[YH_CAPABILITIES_LEN - 1 - yh_capability[i].bit / 8] |=
4157 1ULL << (yh_capability[i].bit % 8);
4158 break;
4159 } else if (i + 1 == sizeof(yh_capability) / sizeof(yh_capability[0])) {
4161 }
4162 }
4163 }
4164
4166}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_string_to_domains()
Convert a string to a domain's numeric value.
The domains string can contain one or several domains separated by ',', ':' or '|'. Each domain can be written in decimal or hex format
- Parameters
-
domains String of domains result Resulting parsed domains as an unsigned int
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL, if the domains string is does not contains the expected values
- Examples
- "1" => 1
- "1,2:3,4|5,6;7,8,9,10,11,12,13,14,15,16" => 0xffff
- "1,16" => 0x8001
- "16" => 0x8000
- "16,15" => 0xc000
- "1,0xf" => 0x4001
- "0x1,0x2" => 3
- "0x8888" => 0x8888
- "0" => 0
- "all" => 0xffff
- "2" => 2
- "2:4" => 10
- See also
- Domains
Definition at line 4535 of file yubihsm.c.
4535 {
4536 char *endptr;
4537 char *saveptr = NULL;
4539 char tmp[64] = {0};
4541
4545 }
4546 *result = 0;
4547
4549 *result = 0xffff;
4550 goto out;
4552 goto out;
4553 }
4554
4555 errno = 0;
4557
4559 value != ULONG_MAX) {
4563 }
4564 *result = value;
4565 } else {
4568 }
4570
4572 endptr = NULL;
4573 value = strtoul(str, &endptr, 0);
4577 }
4578 *result |= 1 << (value - 1);
4579 }
4580 }
4581
4582out:
4585}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_string_to_option()
Convert a string to an option's numeric value
- Parameters
-
string Option as string. See yh_option option Option numeric value
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if the option was not recognized.
- Code sample
yh_option option; //yh_string_to_option(NULL, &option) => YHR_INVALID_PARAMETERS //yh_string_to_option("something", NULL) => YHR_INVALID_PARAMETERS //yh_string_to_option("something", &option) => YHR_INVALID_PARAMETERS //yh_string_to_option("force-audit", &option) =>option=YH_OPTION_FORCE_AUDIT
- See also
- Options
Definition at line 4463 of file yubihsm.c.
4463 {
4464
4468 }
4469
4470 for (size_t i = 0; i < sizeof(yh_options) / sizeof(yh_options[0]); i++) {
4472 *option = yh_options[i].option;
4474 }
4475 }
4476
4478}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_string_to_type()
| yh_rc yh_string_to_type | ( | const char * | string, |
| yh_object_type * | type ) |
Convert a string to a type's numeric value
- Parameters
-
string Type as a String. See yh_object_type type Type numeric value
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if the type was not recognized.
- Code sample
yh_object_type type; //yh_string_to_type(NULL, &type) => YHR_INVALID_PARAMETERS //yh_string_to_type("something", NULL) => YHR_INVALID_PARAMETERS //yh_string_to_type("something", &type) => YHR_INVALID_PARAMETERS //yh_string_to_type("opaque", &type) => type=YH_OPAQUE //yh_string_to_type("authentication-key", &type) =>type=YH_AUTHENTICATION_KEY
- See also
- Object
Definition at line 4442 of file yubihsm.c.
4442 {
4443
4444 if (string == NULL || type == NULL) {
4447 }
4448
4449 if (strcasecmp(string, "any") == 0) {
4450 *type = 0;
4452 }
4453 for (size_t i = 0; i < sizeof(yh_types) / sizeof(yh_types[0]); i++) {
4455 *type = yh_types[i].type;
4457 }
4458 }
4459
4461}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_type_to_string()
| yh_rc yh_type_to_string | ( | yh_object_type | type, |
| char const ** | result ) |
Convert a yh_object_type to its string representation
- Parameters
-
type Type to convert. See yh_object_type result The type as a String. "Unknown" if the type was not recognized
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if
resultis NULL.
- Code sample
const char *string; //yh_type_to_string(0, NULL) => YHR_INVALID_PARAMETERS //yh_type_to_string(99, &string) => string="Unknown" //yh_type_to_string(YH_OPAQUE, &string) => string="opaque" //yh_type_to_string(YH_AUTHENTICATION_KEY, &string) =>
string="authentication-key"
- See also
- Object
Definition at line 4424 of file yubihsm.c.
4424 {
4425
4426 if (result == NULL) {
4429 }
4430
4431 for (size_t i = 0; i < sizeof(yh_types) / sizeof(yh_types[0]); i++) {
4432 if (type == yh_types[i].type) {
4433 *result = yh_types[i].name;
4435 }
4436 }
4437
4438 *result = "Unknown";
4440}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_blink_device()
| yh_rc yh_util_blink_device | ( | yh_session * | session, |
| uint8_t | seconds ) |
Blink the LED of the device to identify it
- Parameters
-
session Authenticated session to use seconds Number of seconds to blink
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. See yh_rc for other possible errors
Definition at line 3766 of file yubihsm.c.
3766 {
3767
3771 }
3772
3774
3775 uint8_t response[5];
3776 size_t response_len = sizeof(response);
3777 yh_cmd response_cmd;
3778
3780 &response_cmd, response, &response_len);
3784 }
3785
3787 yh_rc translated = translate_device_error(response[0]);
3789 response[0]);
3790 return translated;
3791 }
3792
3794}
yh_rc yh_send_secure_msg(yh_session *session, yh_cmd cmd, const uint8_t *data, size_t data_len, yh_cmd *response_cmd, uint8_t *response, size_t *response_len)
Definition yubihsm.c:416
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_change_authentication_key()
| yh_rc yh_util_change_authentication_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const uint8_t * | key_enc, | ||
| size_t | key_enc_len, | ||
| const uint8_t * | key_mac, | ||
| size_t | key_mac_len ) |
Replace the long lived encryption key and MAC key associated with an YH_AUTHENTICATION_KEY in the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key to replace key_enc New long lived encryption key key_enc_len Length of the new encryption key. Must be YH_KEY_LEN key_mac New long lived MAC key key_mac_len Length of the new MAC key. Must be YH_KEY_LEN
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if
key_enc_lenorkey_mac_lenare not the expected values. See yh_rc for other possible errors
- See also
- Authentication Key
Definition at line 3094 of file yubihsm.c.
3098 {
3099
3101 key_enc_len != YH_KEY_LEN || key_mac == NULL ||
3102 key_mac_len != YH_KEY_LEN) {
3105 }
3106
3107#pragma pack(push, 1)
3108 union {
3109 struct {
3114 };
3116 } data;
3117 union {
3118 struct {
3120 };
3122 } response;
3123#pragma pack(pop)
3124 size_t response_len = sizeof(response);
3125 yh_cmd response_cmd;
3126
3127 data.key_id = htons(*key_id);
3128 data.algorithm = YH_ALGO_AES128_YUBICO_AUTHENTICATION;
3129 memcpy(data.key_enc, key_enc, key_enc_len);
3130 memcpy(data.key_mac, key_mac, key_mac_len);
3131
3133 data.buf, sizeof(data), &response_cmd,
3134 response.buf, &response_len);
3140 }
3141
3143 yh_rc translated = translate_device_error(response.buf[0]);
3145 yh_strerror(translated), response.buf[0]);
3146 return translated;
3147 }
3148
3149 *key_id = ntohs(response.key_id);
3151
3153}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_change_authentication_key_derived()
| yh_rc yh_util_change_authentication_key_derived | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const uint8_t * | password, | ||
| size_t | password_len ) |
Replace the long lived encryption key and MAC key associated with an YH_AUTHENTICATION_KEY in the device with keys derived from a password
- Parameters
-
session Authenticated session to use key_id Object ID of the key to replace password Password to derive the new encryption key and MAC key password_len Length of password
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
- See also
- Authentication Key
Definition at line 3155 of file yubihsm.c.
3158 {
3162 }
3163
3166
3168
3171 sizeof(key_enc), key_mac,
3172 sizeof(key_mac));
3175 }
3177}
yh_rc yh_util_change_authentication_key(yh_session *session, uint16_t *key_id, const uint8_t *key_enc, size_t key_enc_len, const uint8_t *key_mac, size_t key_mac_len)
Definition yubihsm.c:3094
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_close_session()
| yh_rc yh_util_close_session | ( | yh_session * | session | ) |
Close a session
- Parameters
-
session Session to close
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. See yh_rc for other possible errors
Definition at line 1257 of file yubihsm.c.
1257 {
1258
1262 }
1263
1265
1266 uint8_t response[5];
1267 size_t response_len = sizeof(response);
1268 yh_cmd response_cmd;
1269
1271 response, &response_len);
1275 }
1276
1278 yh_rc translated = translate_device_error(response[0]);
1280 response[0]);
1281 return translated;
1282 }
1283
1285}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_create_otp_aead()
| yh_rc yh_util_create_otp_aead | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | key, | ||
| const uint8_t * | private_id, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Create a Yubico OTP AEAD using the provided data
- Parameters
-
session Authenticated session to use key_id Object ID of the Otp-aead Key to use key OTP key private_id OTP private id out The created AEAD out_len Length of the created AEAD
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 3179 of file yubihsm.c.
3181 {
3182
3184 out_len == NULL) {
3187 }
3188#pragma pack(push, 1)
3189 union {
3190 struct {
3192 uint8_t key[16];
3193 uint8_t private_id[6];
3194 };
3196 } data;
3197#pragma pack(pop)
3198
3199 yh_cmd response_cmd;
3200
3201 data.key_id = htons(key_id);
3204
3211 }
3212
3214 yh_rc translated = translate_device_error(out[0]);
3216 out[0]);
3217 return translated;
3218 }
3219
3221}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_decrypt_oaep()
| yh_rc yh_util_decrypt_oaep | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len, | ||
| const uint8_t * | label, | ||
| size_t | label_len, | ||
| yh_algorithm | mgf1Algo ) |
Decrypt data using RSA-OAEP
- Parameters
-
session Authenticated session to use key_id Object ID of the RSA key to use for decryption in Encrypted data in_len Length of encrypted data. Must be 256, 384 or 512 out Decrypted data out_len Length of decrypted data label OAEP label label_len Length of OAEP label. Must be 20, 32, 48 or 64 mgf1Algo MGF1 algorithm
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL. YHR_WRONG_LENGTH if
in_lenorlabel_lenare not what expected. See yh_rc for other possible errors
Definition at line 2107 of file yubihsm.c.
2110 {
2111
2113 label == NULL) {
2116 }
2117
2118#pragma pack(push, 1)
2119 union {
2120 struct {
2122 uint8_t mgf1Algo;
2124 };
2126 } data;
2127#pragma pack(pop)
2128
2129 yh_cmd response_cmd;
2132
2133 data.key_id = htons(key_id);
2135
2136 data.mgf1Algo = mgf1Algo;
2138
2139 // in_len has to match the rsa key size
2143 }
2144
2145 // label_len is hashed and specified the mgf hash
2147 label_len != 64) {
2150 }
2151
2156
2158 &response_cmd, out, out_len);
2162 }
2163
2165 yh_rc translated = translate_device_error(out[0]);
2167 out[0]);
2168 return translated;
2169 }
2170
2172}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_decrypt_otp()
| yh_rc yh_util_decrypt_otp | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | aead, | ||
| size_t | aead_len, | ||
| const uint8_t * | otp, | ||
| uint16_t * | useCtr, | ||
| uint8_t * | sessionCtr, | ||
| uint8_t * | tstph, | ||
| uint16_t * | tstpl ) |
Decrypt a Yubico OTP and return counters and time information.
- Parameters
-
session Authenticated session to use key_id Object ID of the key used for decryption aead AEAD as created by yh_util_create_otp_aead() or yh_util_randomize_otp_aead() aead_len Length of AEAD otp OTP useCtr OTP use counter sessionCtr OTP session counter tstph OTP timestamp high tstpl OTP timestamp low
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 3261 of file yubihsm.c.
3265 {
3266
3267#pragma pack(push, 1)
3268 union {
3269 struct {
3273 };
3275 } data;
3276 union {
3277 struct {
3278 uint16_t useCtr;
3279 uint8_t sessionCtr;
3280 uint8_t tstph;
3281 uint16_t tstpl;
3282 };
3284 } response;
3285#pragma pack(pop)
3286
3288 aead_len != sizeof(data.aead)) {
3291 }
3292
3293 yh_cmd response_cmd;
3294 size_t response_len = sizeof(response);
3295
3296 data.key_id = htons(key_id);
3299
3302 &response_cmd, response.buf, &response_len);
3307 }
3308
3310 yh_rc translated = translate_device_error(response.buf[0]);
3312 response.buf[0]);
3313 return translated;
3314 }
3315
3316 if (response_len != sizeof(response)) {
3319 }
3320
3321 if (useCtr) {
3322 *useCtr = response.useCtr;
3323 }
3324 if (sessionCtr) {
3325 *sessionCtr = response.sessionCtr;
3326 }
3327 if (tstph) {
3328 *tstph = response.tstph;
3329 }
3330 if (tstpl) {
3331 *tstpl = response.tstpl;
3332 }
3333
3335}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_decrypt_pkcs1v1_5()
| yh_rc yh_util_decrypt_pkcs1v1_5 | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Decrypt data that was encrypted using RSA-PKCS#1v1.5
- Parameters
-
session Authenticated session to use key_id Object ID of the RSA key to use for decryption in Encrypted data in_len Length of encrypted data out Decrypted data out_len Length of decrypted data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis bigger than YH_MSG_BUF_SIZE-2. See yh_rc for other possible errors
Definition at line 2059 of file yubihsm.c.
2061 {
2062
2066 }
2067
2071 }
2072
2073#pragma pack(push, 1)
2074 union {
2075 struct {
2078 };
2080 } data;
2081#pragma pack(pop)
2082
2083 yh_cmd response_cmd;
2085
2086 data.key_id = htons(key_id);
2087
2089
2091 &response_cmd, out, out_len);
2095 }
2096
2098 yh_rc translated = translate_device_error(out[0]);
2100 out[0]);
2101 return translated;
2102 }
2103
2105}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_delete_object()
| yh_rc yh_util_delete_object | ( | yh_session * | session, |
| uint16_t | id, | ||
| yh_object_type | type ) |
Delete an object in the device
- Parameters
-
session Authenticated session to use id Object ID of the object to delete type Type of object to delete. See yh_object_type
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if session is NULL. See yh_rc for other possible errors
Definition at line 2222 of file yubihsm.c.
2223 {
2224
2228 }
2229
2230#pragma pack(push, 1)
2231 union {
2232 struct {
2235 };
2237 } data;
2238#pragma pack(pop)
2239
2241 yh_cmd response_cmd;
2243 size_t response_len = sizeof(response);
2244
2245 data.type = type;
2246 data.id = htons(id);
2247
2249 &response_cmd, response, &response_len);
2253 }
2254
2256 yh_rc translated = translate_device_error(response[0]);
2258 response[0]);
2259 return translated;
2260 }
2261
2263}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_derive_ecdh()
| yh_rc yh_util_derive_ecdh | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Derive an ECDH key from a private EC key on the device and a provided public EC key
- Parameters
-
session Authenticated session to use key_id Object ID of the EC private key to use for ECDH derivation in Public key of another EC key-pair in_len Length of public key out Shared secret ECDH key out_len Length of the shared ECDH key
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis bigger than YH_MSG_BUF_SIZE-2. See yh_rc for other possible errors
Definition at line 2174 of file yubihsm.c.
2176 {
2177
2181 }
2182
2186 }
2187
2188#pragma pack(push, 1)
2189 union {
2190 struct {
2193 };
2195 } data;
2196#pragma pack(pop)
2197
2198 yh_cmd response_cmd;
2200
2201 data.key_id = htons(key_id);
2202
2204
2206 &response_cmd, out, out_len);
2210 }
2211
2213 yh_rc translated = translate_device_error(out[0]);
2215 out[0]);
2216 return translated;
2217 }
2218
2220}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_export_wrapped()
| yh_rc yh_util_export_wrapped | ( | yh_session * | session, |
| uint16_t | wrapping_key_id, | ||
| yh_object_type | target_type, | ||
| uint16_t | target_id, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Export an object under wrap from the device
- Parameters
-
session Authenticated session to use wrapping_key_id Object ID of the Wrap Key to use to wrap the object target_type Type of the object to be exported. See yh_object_type target_id Object ID of the object to be exported out Wrapped data out_len Length of wrapped data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 2265 of file yubihsm.c.
2267 {
2268
2272 }
2273
2274#pragma pack(push, 1)
2275 union {
2276 struct {
2279 uint16_t tgt_id;
2280 };
2282 } data;
2283#pragma pack(pop)
2284
2285 yh_cmd response_cmd;
2287
2288 data.key_id = htons(wrapping_key_id);
2290 data.tgt_id = htons(target_id);
2291
2293 &response_cmd, out, out_len);
2297 }
2298
2300 yh_rc translated = translate_device_error(out[0]);
2302 out[0]);
2303 return translated;
2304 }
2305
2307}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_generate_ec_key()
| yh_rc yh_util_generate_ec_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm ) |
Generate an Elliptic Curve key in the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm to use to generate the EC key. Supported algorithm: YH_ALGO_EC_P224, YH_ALGO_EC_P256, YH_ALGO_EC_K256, YH_ALGO_EC_BP256, YH_ALGO_EC_P384, YH_ALGO_EC_BP384, YH_ALGO_EC_BP512 and YH_ALGO_EC_P521.
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or the algorithm is not one of YH_ALGO_EC_P224, YH_ALGO_EC_P256, YH_ALGO_EC_K256, YH_ALGO_EC_BP256, YH_ALGO_EC_P384, YH_ALGO_EC_BP384, YH_ALGO_EC_BP512 or YH_ALGO_EC_P521. See yh_rc for other possible errors
Definition at line 1913 of file yubihsm.c.
1916 {
1917
1921 }
1922
1924}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_generate_ed_key()
| yh_rc yh_util_generate_ed_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm ) |
Generate an ED key in the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label for the key. Maximum length YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the ED key. See yh_string_to_capabilities() algorithm Algorithm to use to generate the ED key. Supported algorithm: YH_ALGO_EC_ED25519
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or the algorithm is not YH_ALGO_EC_ED25519. See yh_rc for other possible errors
Definition at line 1926 of file yubihsm.c.
1929 {
1930
1934 }
1935
1937}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_generate_hmac_key()
| yh_rc yh_util_generate_hmac_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm ) |
Generate an HMAC key in the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label of the key. Maximum length YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm to use to generate the HMAC key. Supported algorithims: YH_ALGO_HMAC_SHA1, YH_ALGO_HMAC_SHA256, YH_ALGO_HMAC_SHA384 and YH_ALGO_HMAC_SHA512
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL. See yh_rc for other possible errors
Definition at line 1992 of file yubihsm.c.
1995 {
1996
1998 key_id == NULL) {
2001 }
2002
2004
2005#pragma pack(push, 1)
2006 union {
2007 struct {
2013 };
2015 } data;
2016 union {
2017 struct {
2019 };
2021 } response;
2022#pragma pack(pop)
2023
2024 size_t response_len = sizeof(response);
2025 yh_cmd response_cmd;
2026
2027 data.key_id = htons(*key_id);
2028
2031
2032 data.domains = htons(domains);
2033
2035
2036 data.algorithm = algorithm;
2037
2038 yrc =
2040 &response_cmd, response.buf, &response_len);
2044 }
2045
2047 yh_rc translated = translate_device_error(response.buf[0]);
2049 response.buf[0]);
2050 return translated;
2051 }
2052
2053 *key_id = ntohs(response.key_id);
2055
2057}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_generate_otp_aead_key()
| yh_rc yh_util_generate_otp_aead_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| uint32_t | nonce_id ) |
Generate an YH_OTP_AEAD_KEY for Yubico OTP decryption in the device.
- Parameters
-
session Authenticated session to use key_id Object ID of the AEAD Key. 0 if the Object ID should be generated by the device label Label of the AEAD Key. Maximum length is YH_OBJ_LABEL_LEN domains Domains the AEAD Key will be operating within. See yh_string_to_domains() capabilities Capabilities of the AEAD Key. See yh_string_to_capabilities() algorithm Algorithm used to generate the AEAD Key. Supported algorithms: YH_ALGO_AES128_YUBICO_OTP, YH_ALGO_AES192_YUBICO_OTP and YH_ALGO_AES256_YUBICO_OTP nonce_id Nonce ID
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 3422 of file yubihsm.c.
3425 {
3426
3431 }
3432
3434
3435#pragma pack(push, 1)
3436 union {
3437 struct {
3443 uint32_t nonce_id;
3444 };
3446 } data;
3448 union {
3449 struct {
3451 };
3453 } response;
3454#pragma pack(pop)
3455
3456 size_t response_len = sizeof(response);
3457 yh_cmd response_cmd;
3458
3459 data.key_id = htons(*key_id);
3460
3463
3464 data.domains = htons(domains);
3465
3467
3468 data.algorithm = algorithm;
3469
3470 data.nonce_id = nonce_id;
3471
3472 yrc =
3474 &response_cmd, response.buf, &response_len);
3475 insecure_memzero(data.buf, data_len);
3480 }
3481
3483 yh_rc translated = translate_device_error(response.buf[0]);
3485 response.buf[0]);
3486 return translated;
3487 }
3488
3489 *key_id = ntohs(response.key_id);
3491
3493}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_generate_rsa_key()
| yh_rc yh_util_generate_rsa_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm ) |
Generate an RSA key in the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm to use to generate the RSA key. Supported algorithms: YH_ALGO_RSA_2048, YH_ALGO_RSA_3072 and YH_ALGO_RSA_4096
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or the algorithm is not one of YH_ALGO_RSA_2048, YH_ALGO_RSA_3072 or YH_ALGO_RSA_4096. See yh_rc for other possible errors
Definition at line 1900 of file yubihsm.c.
1903 {
1904
1908 }
1909
1911}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_generate_wrap_key()
| yh_rc yh_util_generate_wrap_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const yh_capabilities * | delegated_capabilities ) |
Generate a Wrap Key that can be used for export, import, wrap data and unwrap data in the device.
- Parameters
-
session Authenticated session to use key_id Object ID of the Wrap Key. 0 if the Object ID should be generated by the device label Label of the Wrap Key. Maximum length YH_OBJ_LABEL_LEN domains Domains where the Wrap Key will be operating within. See yh_string_to_domains() capabilities Capabilities of the Wrap Key. See yh_string_to_capabilities() algorithm Algorithm used to generate the Wrap Key delegated_capabilities Delegated capabilitites of the Wrap Key. See yh_string_to_capabilities()
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
- See also
- yh_object_type
Definition at line 2458 of file yubihsm.c.
2462 {
2463
2466 delegated_capabilities == NULL) {
2469 }
2470
2472
2473#pragma pack(push, 1)
2474 union {
2475 struct {
2482 };
2484 } data;
2486 union {
2487 struct {
2489 };
2491 } response;
2492#pragma pack(pop)
2493
2494 size_t response_len = sizeof(response);
2495 yh_cmd response_cmd;
2496
2497 data.key_id = htons(*key_id);
2498
2501
2502 data.domains = htons(domains);
2503
2505
2506 data.algorithm = algorithm;
2507
2509 YH_CAPABILITIES_LEN);
2510
2512 &response_cmd, response.buf, &response_len);
2516 }
2517
2519 yh_rc translated = translate_device_error(response.buf[0]);
2521 response.buf[0]);
2522 return translated;
2523 }
2524
2525 *key_id = ntohs(response.key_id);
2527
2529}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_device_info()
| yh_rc yh_util_get_device_info | ( | yh_connector * | connector, |
| uint8_t * | major, | ||
| uint8_t * | minor, | ||
| uint8_t * | patch, | ||
| uint32_t * | serial, | ||
| uint8_t * | log_total, | ||
| uint8_t * | log_used, | ||
| yh_algorithm * | algorithms, | ||
| size_t * | n_algorithms ) |
Get device version, device serial number, supported algorithms and available log entries.
- Parameters
-
connector Connector to the device major Device major version number minor Device minor version number patch Device build version number serial Device serial number log_total Total number of log entries log_used Number of written log entries algorithms List of supported algorithms n_algorithms Number of supported algorithms
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the connector is NULL. YHR_BUFFER_TOO_SMALL if n_algorithms is smaller than the number of actually supported algorithms. See yh_rc for other possible errors.
- See also
- Algorithms
Definition at line 938 of file yubihsm.c.
941 {
942
943 if (connector == NULL) {
946 }
947
949
950#pragma pack(push, 1)
951 union {
952 struct {
957 uint8_t log_total;
958 uint8_t log_used;
960 };
962 } response;
963#pragma pack(pop)
964 size_t response_len = sizeof(response);
965 yh_cmd response_cmd;
966
968 &response_cmd, response.buf, &response_len);
972 }
973
975 yh_rc translated = translate_device_error(response.buf[0]);
977 response.buf[0]);
978 return translated;
979 }
980
982 *major = response.major;
983 }
984
986 *minor = response.minor;
987 }
988
990 *patch = response.patch;
991 }
992
994 *serial = ntohl(response.serial);
995 }
996
997 if (log_total != NULL) {
998 *log_total = response.log_total;
999 }
1000
1001 if (log_used != NULL) {
1002 *log_used = response.log_used;
1003 }
1004
1005 if (algorithms != NULL && n_algorithms) {
1006 size_t items = response_len - sizeof(response.major) -
1007 sizeof(response.minor) - sizeof(response.patch) -
1008 sizeof(response.serial) - sizeof(response.log_total) -
1009 sizeof(response.log_used);
1010 if (*n_algorithms < items) {
1013 }
1014 for (size_t i = 0; i < items; i++) {
1015 algorithms[i] = response.algorithms[i];
1016 }
1017 *n_algorithms = items;
1018 }
1019
1021}
yh_rc yh_send_plain_msg(yh_connector *connector, yh_cmd cmd, const uint8_t *data, size_t data_len, yh_cmd *response_cmd, uint8_t *response, size_t *response_len)
Definition yubihsm.c:126
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_log_entries()
| yh_rc yh_util_get_log_entries | ( | yh_session * | session, |
| uint16_t * | unlogged_boot, | ||
| uint16_t * | unlogged_auth, | ||
| yh_log_entry * | out, | ||
| size_t * | n_items ) |
Get audit logs from the device.
When audit enforce is set, if the log buffer is full, no new operations (other than authentication operations) can be performed unless the log entries are read by this command and then the log index is set by calling yh_util_set_log_index().
- Parameters
-
session Authenticated session to use unlogged_boot Number of unlogged boot events. Used if the log buffer is full and audit enforce is set unlogged_auth Number of unlogged authentication events. Used if the log buffer is full and audit enforce is set out Log entries on the device n_items Number of log entries
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_BUFFER_TOO_SMALL if
n_itemsis smaller than the actual number of retrieved log entries. See yh_rc for other possible errors
Definition at line 2531 of file yubihsm.c.
2533 {
2534
2538 }
2539
2541
2542 union {
2543 struct {
2544 uint16_t log_overflow_boot;
2545 uint16_t log_overflow_auth;
2546 uint8_t items;
2547 uint8_t data[1];
2548 };
2550 } response;
2551 size_t response_len = sizeof(response);
2552 yh_cmd response_cmd;
2553
2555 response.buf, &response_len);
2559 }
2560
2562 yh_rc translated = translate_device_error(response.buf[0]);
2564 response.buf[0]);
2565 return translated;
2566 }
2567
2568 if (unlogged_boot) {
2569 *unlogged_boot = ntohs(response.log_overflow_boot);
2570 }
2571
2572 if (unlogged_auth) {
2573 *unlogged_auth = ntohs(response.log_overflow_auth);
2574 }
2575
2577 DBG_ERR(
2578 "Response contain more items than the maximum number of log entries");
2580 }
2581
2582 if (response.items > *n_items) {
2584 *n_items);
2586 }
2587
2588 *n_items = response.items;
2589
2592 out[i].number = ntohs(ptr[i].number);
2593 out[i].command = ptr[i].command;
2594 out[i].length = ntohs(ptr[i].length);
2595 out[i].session_key = ntohs(ptr[i].session_key);
2596 out[i].target_key = ntohs(ptr[i].target_key);
2597 out[i].second_key = ntohs(ptr[i].second_key);
2598 out[i].result = ptr[i].result;
2599 out[i].systick = ntohl(ptr[i].systick);
2601 }
2602
2604}
Definition yubihsm.h:516
@ YHR_DEVICE_INVALID_DATA
Returned value when the device receives a malformed command invalid data.
Definition yubihsm.h:199
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_object_info()
| yh_rc yh_util_get_object_info | ( | yh_session * | session, |
| uint16_t | id, | ||
| yh_object_type | type, | ||
| yh_object_descriptor * | object ) |
Get metadata of the object with the specified Object ID and Type
- Parameters
-
session Authenticated session to use id Object ID of the object to get type Object type. See yh_object_type object Object information
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. See yh_rc for other possible errors.
- See also
- Objects
Definition at line 1128 of file yubihsm.c.
1130 {
1131
1135 }
1136
1137 uint8_t data[3];
1138 uint8_t *dataptr = data;
1139
1140#pragma pack(push, 1)
1141 union {
1142 struct {
1149 uint8_t sequence;
1150 uint8_t origin;
1153 };
1155 } response;
1156 size_t response_len = sizeof(response);
1157#pragma pack(pop)
1158
1160 yh_cmd response_cmd;
1161
1162 *dataptr++ = id >> 8 & 0xff;
1163 *dataptr++ = id & 0xff;
1164
1165 *dataptr++ = (uint16_t) type;
1166
1168 &response_cmd, response.buf, &response_len);
1172 }
1173
1175 yh_rc translated = translate_device_error(response.buf[0]);
1177 response.buf[0]);
1178 return translated;
1179 }
1180
1181 if (response_len == sizeof(response)) {
1182 if (object) {
1184 YH_CAPABILITIES_LEN);
1185
1186 object->id = htons(response.id);
1187
1188 object->len = htons(response.len);
1189
1190 object->domains = htons(response.domains);
1191
1192 object->type = response.type;
1193
1194 object->algorithm = response.algorithm;
1195
1196 object->sequence = response.sequence;
1197
1198 object->origin = response.origin;
1199
1202
1204 response.delegated_capabilities, YH_CAPABILITIES_LEN);
1205 }
1206 } else {
1209 (unsigned long) response_len);
1211 }
1212
1214}
Definition yubihsm.h:540
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_opaque()
| yh_rc yh_util_get_opaque | ( | yh_session * | session, |
| uint16_t | object_id, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Get an YH_OPAQUE object (like an X.509 certificate) from the device
- Parameters
-
session Authenticated session to use object_id Object ID of the Opaque object out the retrieved Opaque object out_len Length of the retrieved Opaque object
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 2636 of file yubihsm.c.
2637 {
2638
2642 }
2643
2644 uint8_t data[2];
2645 yh_cmd response_cmd;
2647
2648 uint16_t object_id_h = htons(object_id);
2651 &response_cmd, out, out_len);
2655 }
2656
2658 yh_rc translated = translate_device_error(out[0]);
2660 return translated;
2661 }
2662
2664}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_option()
| yh_rc yh_util_get_option | ( | yh_session * | session, |
| yh_option | option, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Get a device-global option
- Parameters
-
session Authenticated session to use option Option to get. See yh_option out Option value out_len Length of option value
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 3584 of file yubihsm.c.
3585 {
3586
3590 }
3592 yh_cmd response_cmd;
3593
3595 &response_cmd, out, out_len);
3599 }
3600
3602 yh_rc translated = translate_device_error(out[0]);
3604 return translated;
3605 }
3606
3608}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_pseudo_random()
| yh_rc yh_util_get_pseudo_random | ( | yh_session * | session, |
| size_t | len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Get a fixed number of pseudo-random bytes from the device
- Parameters
-
session Authenticated session to use len Length of pseudo-random data to get out Pseudo-random data out out_len Length of pseudo-random data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL. See yh_rc for other possible errors
Definition at line 1560 of file yubihsm.c.
1561 {
1563 yh_cmd response_cmd;
1564
1568 }
1569
1570 union {
1573 } data;
1574 data.len = htons(len);
1575
1581 }
1582
1584 yh_rc translated = translate_device_error(out[0]);
1586 return translated;
1587 }
1588
1590}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_public_key()
| yh_rc yh_util_get_public_key | ( | yh_session * | session, |
| uint16_t | id, | ||
| uint8_t * | data, | ||
| size_t * | data_len, | ||
| yh_algorithm * | algorithm ) |
Get the value of the public key with the specified Object ID
- Parameters
-
session Authenticated session to use id Object ID of the public key data Value of the public key data_len Length of the public key in bytes algorithm Algorithm of the key
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_BUFFER_TOO_SMALL if the actual key length was bigger than data_len. See yh_rc for other possible errors
Definition at line 1216 of file yubihsm.c.
1217 {
1218
1222 }
1223
1225 yh_cmd response_cmd;
1227 size_t response_len = sizeof(response);
1228
1230 &response_cmd, response, &response_len);
1231
1235 }
1236
1238 yh_rc translated = translate_device_error(response[0]);
1240 response[0]);
1241 return translated;
1242 }
1243
1244 if (response_len > *data_len) {
1246 }
1247
1249 *algorithm = *response;
1250 }
1251 *data_len = response_len - 1;
1252 memcpy(data, response + 1, *data_len);
1253
1255}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_storage_info()
| yh_rc yh_util_get_storage_info | ( | yh_session * | session, |
| uint16_t * | total_records, | ||
| uint16_t * | free_records, | ||
| uint16_t * | total_pages, | ||
| uint16_t * | free_pages, | ||
| uint16_t * | page_size ) |
Report currently free storage. This is reported as free records, free pages and page size.
- Parameters
-
session Authenticated session to use total_records Total number of records free_records Number of free records total_pages Total number of pages free_pages Number of free pages page_size Page size in bytes
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. See yh_rc for other possible errors
Definition at line 3610 of file yubihsm.c.
3612 {
3613
3617 }
3618
3619 yh_cmd response_cmd;
3620#pragma pack(push, 1)
3621 union {
3622 struct {
3623 uint16_t total_records;
3624 uint16_t free_records;
3625 uint16_t total_pages;
3626 uint16_t free_pages;
3628 };
3630 } response;
3631#pragma pack(pop)
3632 size_t response_len = sizeof(response);
3633
3635 &response_cmd, response.buf, &response_len);
3639 }
3640
3642 yh_rc translated = translate_device_error(response.buf[0]);
3644 response.buf[0]);
3645 return translated;
3646 }
3647
3648 if (total_records) {
3649 *total_records = ntohs(response.total_records);
3650 }
3651 if (free_records) {
3652 *free_records = ntohs(response.free_records);
3653 }
3654 if (total_pages) {
3655 *total_pages = ntohs(response.total_pages);
3656 }
3657 if (free_pages) {
3658 *free_pages = ntohs(response.free_pages);
3659 }
3660 if (page_size) {
3661 *page_size = ntohs(response.page_size);
3662 }
3663
3665}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_get_template()
| yh_rc yh_util_get_template | ( | yh_session * | session, |
| uint16_t | object_id, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Get a YH_TEMPLATE object from the device
- Parameters
-
session Authenticated session to use object_id Object ID of the Template to get out The retrieved Template out_len Length of the retrieved Template
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 2805 of file yubihsm.c.
2806 {
2810 }
2811
2812 uint8_t data[2];
2813 yh_cmd response_cmd;
2815
2816 uint16_t object_id_h = htons(object_id);
2819 &response_cmd, out, out_len);
2823 }
2824
2826 yh_rc translated = translate_device_error(out[0]);
2828 out[0]);
2829 return translated;
2830 }
2831
2833}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_authentication_key()
| yh_rc yh_util_import_authentication_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| const yh_capabilities * | delegated_capabilities, | ||
| const uint8_t * | key_enc, | ||
| size_t | key_enc_len, | ||
| const uint8_t * | key_mac, | ||
| size_t | key_mac_len ) |
Import an YH_AUTHENTICATION_KEY into the device
- Parameters
-
session Authenticated session to use key_id Object ID of the imported key. 0 if the Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() delegated_capabilities Delegated capabilities of the key. See yh_string_to_capabilities() key_enc Long lived encryption key of the Authentication Key to import key_enc_len Length of the encryption key. Must be YH_KEY_LEN key_mac Long lived MAC key of the Authentication Key to import key_mac_len Length of the MAC key. Must be YH_KEY_LEN
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if
key_enc_lenorkey_mac_lenare not the expected values. See yh_rc for other possible errors
- See also
- Authentication Key
Definition at line 2985 of file yubihsm.c.
2989 {
2990
2993 delegated_capabilities == NULL || key_enc == NULL ||
2994 key_enc_len != YH_KEY_LEN || key_mac == NULL ||
2995 key_mac_len != YH_KEY_LEN) {
2998 }
2999
3000#pragma pack(push, 1)
3001 union {
3002 struct {
3011 };
3013 } data;
3014 union {
3015 struct {
3017 };
3019 } response;
3020#pragma pack(pop)
3021 size_t response_len = sizeof(response);
3022 yh_cmd response_cmd;
3023
3026
3027 data.key_id = htons(*key_id);
3028
3031
3032 data.domains = htons(domains);
3033
3035
3036 data.algorithm = YH_ALGO_AES128_YUBICO_AUTHENTICATION;
3037
3039 YH_CAPABILITIES_LEN);
3040
3042 sizeof(data), &response_cmd, response.buf,
3043 &response_len);
3049 }
3050
3052 yh_rc translated = translate_device_error(response.buf[0]);
3054 yh_strerror(translated), response.buf[0]);
3055 return translated;
3056 }
3057
3058 *key_id = ntohs(response.key_id);
3060
3062}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_authentication_key_derived()
| yh_rc yh_util_import_authentication_key_derived | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| const yh_capabilities * | delegated_capabilities, | ||
| const uint8_t * | password, | ||
| size_t | password_len ) |
Import an YH_AUTHENTICATION_KEY with long lived keys derived from a password
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() delegated_capabilities Delegated capabilities of the key. See yh_string_to_capabilities() password Password used to derive the long lived encryption key and MAC key of the Athentication Key password_len Length of password
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
- See also
- Authentication Key
Definition at line 3064 of file yubihsm.c.
3068 {
3069
3072 delegated_capabilities == NULL || password == NULL) {
3075 }
3076
3079
3081
3083 yrc =
3086 key_enc, sizeof(key_enc), key_mac,
3087 sizeof(key_mac));
3090 }
3092}
yh_rc yh_util_import_authentication_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, const yh_capabilities *delegated_capabilities, const uint8_t *key_enc, size_t key_enc_len, const uint8_t *key_mac, size_t key_mac_len)
Definition yubihsm.c:2985
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_ec_key()
| yh_rc yh_util_import_ec_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const uint8_t * | s ) |
Import an Elliptic Curve key into the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs specified as an unsigned int. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm of the key to import. Must be one of: YH_ALGO_EC_P224, YH_ALGO_EC_P256, YH_ALGO_EC_K256, YH_ALGO_EC_BP256, YH_ALGO_EC_P384, YH_ALGO_EC_BP384, YH_ALGO_EC_BP512 or YH_ALGO_EC_P521 s the EC key to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or the algorithm is not one of YH_ALGO_EC_P224, YH_ALGO_EC_P256, YH_ALGO_EC_K256, YH_ALGO_EC_BP256, YH_ALGO_EC_P384, YH_ALGO_EC_BP384, YH_ALGO_EC_BP512 or YH_ALGO_EC_P521. See yh_rc for other possible errors
Definition at line 1689 of file yubihsm.c.
1692 {
1693
1698 }
1699
1700 uint16_t component_len;
1703 component_len = 28;
1704 break;
1708 component_len = 32;
1709 break;
1712 component_len = 48;
1713 break;
1715 component_len = 64;
1716 break;
1718 component_len = 66;
1719 break;
1720 default:
1722 }
1725}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_ed_key()
| yh_rc yh_util_import_ed_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const uint8_t * | k ) |
Import an ED key into the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key will have. 0 if the Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm of the key to import. Must be YH_ALGO_EC_ED25519 k the ED key to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or the algorithm is not YH_ALGO_EC_ED25519. See yh_rc for other possible errors
Definition at line 1727 of file yubihsm.c.
1730 {
1731
1736 }
1737
1738 uint16_t component_len;
1741 component_len = 32;
1742 break;
1743 default:
1745 }
1747 algorithm, k, component_len);
1748}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_hmac_key()
| yh_rc yh_util_import_hmac_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const uint8_t * | key, | ||
| size_t | key_len ) |
Import an HMAC key into the device
- Parameters
-
session Authenticated session to use key_id Object ID of the key. 0 if the Object ID should be generated by the device label Label of the key. Maxium length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm of the key to import. Must be one of: YH_ALGO_HMAC_SHA1, YH_ALGO_HMAC_SHA256, YH_ALGO_HMAC_SHA384 or YH_ALGO_HMAC_SHA512 key The HMAC key to import key_len Length of the HMAC key to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL. See yh_rc for other possible errors
Definition at line 1750 of file yubihsm.c.
1754 {
1755
1760 }
1761
1762#pragma pack(push, 1)
1763 union {
1764 struct {
1770 uint8_t key[128];
1771 };
1773 } k;
1774 union {
1775 struct {
1777 };
1779 } response;
1780#pragma pack(pop)
1782 size_t response_len = sizeof(response);
1783 yh_cmd response_cmd;
1784 size_t max_len = 64;
1786
1787 k.key_id = htons(*key_id);
1788
1791
1792 k.domains = htons(domains);
1793
1794 k.algorithm = algorithm;
1795
1797
1799 max_len = 128;
1800 }
1801
1804 (unsigned long) max_len);
1806 }
1807
1810
1812 response.buf, &response_len);
1817 }
1818
1820 yh_rc translated = translate_device_error(response.buf[0]);
1822 response.buf[0]);
1823 return translated;
1824 }
1825
1826 *key_id = ntohs(response.key_id);
1828
1830}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_opaque()
| yh_rc yh_util_import_opaque | ( | yh_session * | session, |
| uint16_t * | object_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const uint8_t * | in, | ||
| size_t | in_len ) |
Import an YH_OPAQUE object into the device
- Parameters
-
session Authenticated session to use object_id Object ID of the Opaque object. 0 if the Object ID should be generated by the device label Label of the Opaque object. Maximum length is YH_OBJ_LABEL_LEN domains Domains the Opaque object will be operating within. See yh_string_to_domains() capabilities Capabilities of the Opaque object. See yh_string_to_capabilities() algorithm Algorithm of the Opaque object in the Opaque object to import in_len Length of the Opaque object to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or
in_lenis too big. See yh_rc for other possible errors
Definition at line 2666 of file yubihsm.c.
2670 {
2671
2676 }
2677
2679
2680#pragma pack(push, 1)
2681 union {
2682 struct {
2683 uint16_t object_id;
2689 YH_CAPABILITIES_LEN - 2];
2690 };
2692 } data;
2693 uint16_t data_len;
2694 union {
2695 struct {
2696 uint16_t object_id;
2697 };
2699 } response;
2700#pragma pack(pop)
2701 size_t response_len = sizeof(response);
2702 yh_cmd response_cmd;
2703
2704 data.object_id = htons(*object_id);
2705
2708
2709 data.domains = htons(domains);
2710
2712
2713 data.algorithm = algorithm;
2714
2717 (unsigned long) sizeof(data.bytes));
2719 }
2720
2723
2725 &response_cmd, response.buf, &response_len);
2726 insecure_memzero(data.buf, data_len);
2730 }
2731
2733 yh_rc translated = translate_device_error(response.buf[0]);
2735 response.buf[0]);
2736 return translated;
2737 }
2738
2739 *object_id = ntohs(response.object_id);
2741
2743}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_otp_aead_key()
| yh_rc yh_util_import_otp_aead_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| uint32_t | nonce_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len ) |
Import an YH_OTP_AEAD_KEY used for Yubico OTP Decryption
- Parameters
-
session Authenticated session to use key_id Object ID of the AEAD Key. 0 if the Object ID should be generated by the device label Label of the AEAD Key. Maximum length is YH_OBJ_LABEL_LEN domains Domains the AEAD Key will be operating within. See yh_string_to_domains() capabilities Capabilities of the AEAD Key. See yh_string_to_capabilities() nonce_id Nonce ID in AEAD Key to import in_len Length of AEAD Key to import. Must be 16, 24 or 32
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if
in_lenis not one of 16, 24 or 32. See yh_rc for other possible errors
Definition at line 3337 of file yubihsm.c.
3341 {
3342
3347 }
3348#pragma pack(push, 1)
3349 union {
3350 struct {
3356 uint32_t nonce_id;
3357 uint8_t key[32];
3358 };
3360 } data;
3361 union {
3362 struct {
3364 };
3366 } response;
3367#pragma pack(pop)
3368
3370 size_t response_len = sizeof(response);
3371 yh_cmd response_cmd;
3372
3374
3376 data.algorithm = YH_ALGO_AES128_YUBICO_OTP;
3377 data_len -= 16;
3379 data.algorithm = YH_ALGO_AES192_YUBICO_OTP;
3380 data_len -= 8;
3382 data.algorithm = YH_ALGO_AES256_YUBICO_OTP;
3383 } else {
3386 }
3387
3388 data.key_id = htons(*key_id);
3389
3392
3393 data.domains = htons(domains);
3394
3396
3397 data.nonce_id = nonce_id;
3398
3400
3402 &response_cmd, response.buf, &response_len);
3403 insecure_memzero(data.buf, data_len);
3407 }
3408
3410 yh_rc translated = translate_device_error(response.buf[0]);
3412 response.buf[0]);
3413 return translated;
3414 }
3415
3416 *key_id = ntohs(response.key_id);
3418
3420}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_rsa_key()
| yh_rc yh_util_import_rsa_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const uint8_t * | p, | ||
| const uint8_t * | q ) |
Import an RSA key into the device
- Parameters
-
session Authenticated session to use key_id Object ID the key. 0 if Object ID should be generated by the device label Label of the key. Maximum length is YH_OBJ_LABEL_LEN domains Domains to which the key belongs specified as an unsigned int. See yh_string_to_domains() capabilities Capabilities of the key. See yh_string_to_capabilities() algorithm Algorithm of the key to import. Must be one of: YH_ALGO_RSA_2048, YH_ALGO_RSA_3072 or YH_ALGO_RSA_4096 p P component of the RSA key to import q Q component of the RSA key to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or the algorithm is not one of YH_ALGO_RSA_2048, YH_ALGO_RSA_3072 or YH_ALGO_RSA_4096. See yh_rc for other possible errors
Definition at line 1655 of file yubihsm.c.
1659 {
1660
1665 }
1666
1667 uint8_t keybuf[256 * 2];
1668 uint16_t component_len;
1669
1671 component_len = 128;
1673 component_len = 192;
1675 component_len = 256;
1676 } else {
1678 }
1680 memcpy(keybuf + component_len, q, component_len);
1681
1683 algorithm, keybuf, component_len * 2);
1685
1687}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_template()
| yh_rc yh_util_import_template | ( | yh_session * | session, |
| uint16_t * | object_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const uint8_t * | in, | ||
| size_t | in_len ) |
Import a YH_TEMPLATE object into the device
- Parameters
-
session Authenticated session to use object_id Object ID of the Template. 0 if the Object ID should be generated by the device label Label of the Template. Maximum length is YH_OBJ_LABEL_LEN domains Domains the Template will be operating within. See yh_string_to_domains() capabilities Capabilities of the Template. See yh_string_to_capabilities algorithm Algorithm of the Template in Template to import in_len Length of the Template to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if
in_lenis too big. See yh_rc for other possible errors
Definition at line 2835 of file yubihsm.c.
2839 {
2840
2845 }
2846
2848
2849#pragma pack(push, 1)
2850 union {
2851 struct {
2852 uint16_t object_id;
2859 };
2861 } data;
2862 uint16_t data_len;
2863 union {
2864 struct {
2865 uint16_t object_id;
2866 };
2868 } response;
2869#pragma pack(pop)
2870
2871 size_t response_len = sizeof(response);
2872 yh_cmd response_cmd;
2873
2874 data.object_id = htons(*object_id);
2875
2878
2879 data.domains = htons(domains);
2880
2882
2883 data.algorithm = algorithm;
2884
2887 (unsigned long) sizeof(data.bytes));
2889 }
2890
2894
2896 &response_cmd, response.buf, &response_len);
2900 }
2901
2903 yh_rc translated = translate_device_error(response.buf[0]);
2905 response.buf[0]);
2906 return translated;
2907 }
2908
2909 *object_id = ntohs(response.object_id);
2911
2913}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_wrap_key()
| yh_rc yh_util_import_wrap_key | ( | yh_session * | session, |
| uint16_t * | key_id, | ||
| const char * | label, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const yh_capabilities * | delegated_capabilities, | ||
| const uint8_t * | in, | ||
| size_t | in_len ) |
Import a Wrap Key into the device
- Parameters
-
session Authenticated session to use key_id Object ID the Wrap Key. 0 if the Object ID should be generated by the device label Label of the Wrap Key. Maximum length is YH_OBJ_LABEL_LEN domains Domains where the Wrap Key will be operating within. See yh_string_to_domains() capabilities Capabilities of the Wrap Key. See yh_string_to_capabilities() algorithm Algorithm of the Wrap Key. Supported algorithms: YH_ALGO_AES128_CCM_WRAP, YH_ALGO_AES192_CCM_WRAP and YH_ALGO_AES256_CCM_WRAP delegated_capabilities Delegated capabilities of the Wrap Key. See yh_string_to_capabilities() in the Wrap Key to import in_len Length of the Wrap Key to import
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL,
in_lenis not what expected based on the algorithm and if the algorithms is not one of YH_ALGO_AES128_CCM_WRAP, YH_ALGO_AES192_CCM_WRAP or YH_ALGO_AES256_CCM_WRAP. See yh_rc for other possible errors
Definition at line 2363 of file yubihsm.c.
2368 {
2369
2372 delegated_capabilities == NULL || in == NULL) {
2375 }
2376
2377#pragma pack(push, 1)
2378 union {
2379 struct {
2386 uint8_t key[32];
2387 };
2389 } data;
2391 union {
2392 struct {
2394 };
2396 } response;
2397#pragma pack(pop)
2398
2399 size_t response_len = sizeof(response);
2400 yh_cmd response_cmd;
2402
2404
2407 key_len = 16;
2408 data_len -= 16;
2409 break;
2411 key_len = 24;
2412 data_len -= 8;
2413 break;
2415 key_len = 32;
2416 break;
2417 default:
2420 }
2421
2425 }
2426
2427 data.key_id = htons(*key_id);
2430 data.domains = htons(domains);
2432 data.algorithm = algorithm;
2434 YH_CAPABILITIES_LEN);
2436
2438 &response_cmd, response.buf, &response_len);
2439 insecure_memzero(data.buf, data_len);
2443 }
2444
2446 yh_rc translated = translate_device_error(response.buf[0]);
2448 response.buf[0]);
2449 return translated;
2450 }
2451
2452 *key_id = ntohs(response.key_id);
2454
2456}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_import_wrapped()
| yh_rc yh_util_import_wrapped | ( | yh_session * | session, |
| uint16_t | wrapping_key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| yh_object_type * | target_type, | ||
| uint16_t * | target_id ) |
Import a wrapped object into the device. The object should have been previously exported by yh_util_export_wrapped()
- Parameters
-
session Authenticated session to use wrapping_key_id Object ID of the Wrap Key to use to unwrap the object in Wrapped data in_len Length of wrapped data target_type Type of the imported object target_id Object ID of the imported object
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 2309 of file yubihsm.c.
2311 {
2312
2314 target_id == NULL) {
2317 }
2318
2322 }
2323
2324#pragma pack(push, 1)
2325 union {
2326 struct {
2329 };
2331 } data;
2332#pragma pack(pop)
2334
2336 size_t response_len = sizeof(response);
2337 yh_cmd response_cmd;
2339
2340 data.key_id = htons(wrapping_key_id);
2342
2344 &response_cmd, response, &response_len);
2348 }
2349
2351 yh_rc translated = translate_device_error(response[0]);
2353 response[0]);
2354 return translated;
2355 }
2356
2357 *target_type = response[0];
2359
2361}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_list_objects()
| yh_rc yh_util_list_objects | ( | yh_session * | session, |
| uint16_t | id, | ||
| yh_object_type | type, | ||
| uint16_t | domains, | ||
| const yh_capabilities * | capabilities, | ||
| yh_algorithm | algorithm, | ||
| const char * | label, | ||
| yh_object_descriptor * | objects, | ||
| size_t * | n_objects ) |
List objects accessible from the session
- Parameters
-
session Authenticated session to use id Object ID to filter by (0 to not filter by ID) type Object type to filter by (0 to not filter by type). See yh_object_type domains Domains to filter by (0 to not filter by domain) capabilities Capabilities to filter by (0 to not filter by capabilities). See yh_capabilities algorithm Algorithm to filter by (0 to not filter by algorithm) label Label to filter by objects Array of objects returned n_objects Max number of objects (will be set to number found on return)
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. YHR_BUFFER_TOO_SMALL if n_objects is smaller than the number of objects found. See yh_rc for other possible errors.
- See also
- Objects, Domains, Capabilities, Algorithms, Labels
Definition at line 1030 of file yubihsm.c.
1034 {
1035
1040 }
1041
1043 uint8_t *dataptr = data;
1044
1046 size_t response_len = sizeof(response);
1047
1049 yh_cmd response_cmd;
1050
1051 if (id) {
1052 *dataptr++ = LIST_ID;
1053 *dataptr++ = id >> 8 & 0xff;
1054 *dataptr++ = id & 0xff;
1055 }
1056
1057 if (type) {
1058 *dataptr++ = LIST_TYPE;
1059 *dataptr++ = type;
1060 }
1061
1063 *dataptr++ = LIST_DOMAINS;
1064 *dataptr++ = domains >> 8 & 0xff;
1065 *dataptr++ = domains & 0xff;
1066 }
1067
1069 *dataptr++ = LIST_ALGORITHM;
1070 *dataptr++ = algorithm;
1071 }
1072
1074 *dataptr++ = LIST_LABEL;
1077 dataptr += YH_OBJ_LABEL_LEN;
1078 }
1079
1080 bool send_capabilities = false;
1083 send_capabilities = true;
1084 break;
1085 }
1086 }
1087
1088 if (send_capabilities == true) {
1089 *dataptr++ = LIST_CAPABILITIES;
1092 }
1093 }
1094
1096 &response_cmd, response, &response_len);
1100 }
1101
1103 yh_rc translated = translate_device_error(response[0]);
1105 response[0]);
1106 return translated;
1107 }
1108
1112 }
1113
1114 *n_objects = response_len / 4;
1116 // NOTE: clear the fields that we didn't set
1119 objects[i / 4].type = response[i + 2];
1120 objects[i / 4].sequence = response[i + 3];
1121 }
1122
1124
1126}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_randomize_otp_aead()
| yh_rc yh_util_randomize_otp_aead | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Create OTP AEAD from random data
- Parameters
-
session Authenticated session to use key_id Object ID of the Otp-aead Key to use out The created AEAD out_len Length of the created AEAD
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 3223 of file yubihsm.c.
3224 {
3225
3229 }
3230#pragma pack(push, 1)
3231 union {
3232 struct {
3234 };
3236 } data;
3237#pragma pack(pop)
3238
3239 yh_cmd response_cmd;
3240
3241 data.key_id = htons(key_id);
3242
3249 }
3250
3252 yh_rc translated = translate_device_error(out[0]);
3254 out[0]);
3255 return translated;
3256 }
3257
3259}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_reset_device()
| yh_rc yh_util_reset_device | ( | yh_session * | session | ) |
Factory reset the device. Resets and reboots the device, deletes all Objects and restores the default YH_AUTHENTICATION_KEY.
- Parameters
-
session Authenticated session to use
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. See yh_rc for other possible errors
Definition at line 3796 of file yubihsm.c.
3796 {
3797
3801 }
3802
3804
3805 yh_cmd response_cmd;
3806 uint8_t response[1];
3807 size_t response_len = sizeof(response);
3808
3810 response, &response_len);
3814 }
3815
3817 yh_rc translated = translate_device_error(response[0]);
3819 return translated;
3820 }
3821
3823}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_set_log_index()
| yh_rc yh_util_set_log_index | ( | yh_session * | session, |
| uint16_t | index ) |
Set the index of the last extracted log entry.
This function should be called after yh_util_get_log_entries() to inform the device what the last extracted log entry is so new logs can be written. This is used when forced auditing is enabled.
- Parameters
-
session Authenticated session to use index index to set. Should be the same index as the last entry extracted using yh_util_get_log_entries()
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if the session is NULL. See yh_rc for other possible errors
Definition at line 2606 of file yubihsm.c.
2606 {
2610 }
2611 uint8_t data[2];
2612 yh_cmd response_cmd;
2615 size_t response_len = sizeof(response);
2616
2617 uint16_t index_h = htons(index);
2620 &response_cmd, response, &response_len);
2624 }
2625
2627 yh_rc translated = translate_device_error(response[0]);
2629 response[0]);
2630 return translated;
2631 }
2632
2634}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_set_option()
| yh_rc yh_util_set_option | ( | yh_session * | session, |
| yh_option | option, | ||
| size_t | len, | ||
| uint8_t * | val ) |
Set a device-global option
- Parameters
-
session Authenticated session to use option Option to set. See yh_option len Length of option value val Option value
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if
sessionorvalare NULL or iflenis too long. See yh_rc for other possible errors
Definition at line 3537 of file yubihsm.c.
3538 {
3539
3543 }
3544
3548 }
3549
3550#pragma pack(push, 1)
3551 union {
3552 struct {
3556 };
3558 } data;
3559#pragma pack(pop)
3561 size_t outlen = sizeof(out);
3562 yh_cmd response_cmd;
3563
3564 data.option = option;
3565 data.len = htons(len);
3567
3569 &response_cmd, out, &outlen);
3573 }
3574
3576 yh_rc translated = translate_device_error(out[0]);
3578 return translated;
3579 }
3580
3582}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_attestation_certificate()
| yh_rc yh_util_sign_attestation_certificate | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| uint16_t | attest_id, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Get attestation of an Asymmetric Key in the form of an X.509 certificate
- Parameters
-
session Authenticated session to use key_id Object ID of the Asymmetric Key to attest attest_id Object ID for the key used to sign the attestation certificate out The attestation certificate out_len Length of the attestation certificate
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL. See yh_rc for other possible errors
Definition at line 3495 of file yubihsm.c.
3497 {
3498
3502 }
3503#pragma pack(push, 1)
3504 union {
3505 struct {
3507 uint16_t attest_id;
3508 };
3510 } data;
3511#pragma pack(pop)
3512
3513 yh_cmd response_cmd;
3514
3515 data.key_id = htons(key_id);
3516 data.attest_id = htons(attest_id);
3517
3525 }
3526
3528 yh_rc translated = translate_device_error(out[0]);
3530 out[0]);
3531 return translated;
3532 }
3533
3535}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_ecdsa()
| yh_rc yh_util_sign_ecdsa | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Sign data using ECDSA
in is a raw hashed message, a truncated hash to the curve length or a padded hash to the curve length
- Parameters
-
session Authenticated session to use key_id Object ID of the signing key in Data to sign in_len Length of data to sign out Signed data out_len Length of signed data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis not 20, 28, 34, 48, 64 or 66. See yh_rc for other possible errors
Definition at line 1411 of file yubihsm.c.
1413 {
1414
1418 }
1419
1421 case 20:
1422 case 28: // p224..
1423 case 32:
1424 case 48:
1425 case 64:
1426 case 66: // p521 needs 66 bytes input
1427 break;
1428
1429 default:
1432 }
1433
1435
1436#pragma pack(push, 1)
1437 union {
1438 struct {
1441 };
1443 } data;
1444#pragma pack(pop)
1446
1447 yh_cmd response_cmd;
1448
1449 data.key_id = htons(key_id);
1450
1452
1454 &response_cmd, out, out_len);
1458 }
1459
1461 yh_rc translated = translate_device_error(out[0]);
1463 out[0]);
1464 return translated;
1465 }
1466
1468}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_eddsa()
| yh_rc yh_util_sign_eddsa | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Sign data using EdDSA
- Parameters
-
session Authenticated session to use key_id Object ID of the signing key in Data to sign in_len Length of data to sign out Signed data out_len Length of signed data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis bigger than YH_MSG_BUF_SIZE-2. See yh_rc for other possible errors
Definition at line 1470 of file yubihsm.c.
1472 {
1473
1477 }
1478
1482 }
1483
1485
1486#pragma pack(push, 1)
1487 union {
1488 struct {
1491 };
1493 } data;
1494#pragma pack(pop)
1496
1497 yh_cmd response_cmd;
1498
1499 data.key_id = htons(key_id);
1500
1502
1504 &response_cmd, out, out_len);
1508 }
1509
1511 yh_rc translated = translate_device_error(out[0]);
1513 out[0]);
1514 return translated;
1515 }
1516
1518}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_hmac()
| yh_rc yh_util_sign_hmac | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Sign data using HMAC
- Parameters
-
session Authenticated session to use key_id Object ID of the signing key in Data to HMAC in_len Length of data to hmac out HMAC out_len Length of HMAC
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis bigger than YH_MSG_BUF_SIZE-2. See yh_rc for other possible errors
Definition at line 1520 of file yubihsm.c.
1521 {
1522
1526 }
1527
1531 }
1532
1534 uint16_t data_len = 2;
1535
1536 yh_cmd response_cmd;
1537
1538 data[0] = htons(key_id) & 0xff;
1539 data[1] = htons(key_id) >> 8;
1540
1542 data_len += in_len;
1543
1545 &response_cmd, out, out_len);
1549 }
1550
1552 yh_rc translated = translate_device_error(out[0]);
1554 return translated;
1555 }
1556
1558}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_pkcs1v1_5()
| yh_rc yh_util_sign_pkcs1v1_5 | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| bool | hashed, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Sign data using RSA-PKCS#1v1.5
in is either a raw hashed message (sha1, sha256, sha384 or sha512) or that with correct digestinfo pre-pended
- Parameters
-
session Authenticated session to use key_id Object ID of the signing key hashed true if data is only hashed in data to sign in_len length of data to sign out signed data out_len length of signed data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis not 20, 34, 48 or 64. See yh_rc for other possible errors
Definition at line 1287 of file yubihsm.c.
1289 {
1290
1294 }
1295
1296 if (hashed)
1298 case 20:
1299 case 32:
1300 case 48:
1301 case 64:
1302 break;
1303
1304 default:
1307 }
1308
1310
1311#pragma pack(push, 1)
1312 union {
1313 struct {
1316 };
1318 } data;
1319#pragma pack(pop)
1320 uint16_t data_len;
1321
1322 yh_cmd response_cmd;
1323
1324 data.key_id = htons(key_id);
1325
1327 data_len = in_len;
1328
1330 &response_cmd, out, out_len);
1334 }
1335
1337 yh_rc translated = translate_device_error(out[0]);
1339 out[0]);
1340 return translated;
1341 }
1342
1344}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_pss()
| yh_rc yh_util_sign_pss | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len, | ||
| size_t | salt_len, | ||
| yh_algorithm | mgf1Algo ) |
Sign data using RSA-PSS
in is a raw hashed message (sha1, sha256, sha384 or sha512)
- Parameters
-
session Authenticated session to use key_id Object ID of the signing key in Data to sign in_len Length of data to sign out Signed data out_len Length of signed data salt_len Length of salt mgf1Algo Algorithm for mgf1 (mask generation function for PSS)
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
in_lenis not 20, 34, 48 or 64. See yh_rc for other possible errors
- See also
- PSS specifications
Definition at line 1346 of file yubihsm.c.
1348 {
1349
1353 }
1354
1356 case 20:
1357 case 32:
1358 case 48:
1359 case 64:
1360 break;
1361
1362 default:
1365 }
1366
1368
1369#pragma pack(push, 1)
1370 union {
1371 struct {
1373 uint8_t mgf1Algo;
1374 uint16_t salt_len;
1376 };
1378 } data;
1379#pragma pack(pop)
1381
1382 yh_cmd response_cmd;
1383
1384 data.key_id = htons(key_id);
1385
1386 data.mgf1Algo = mgf1Algo;
1387
1388 // NOTE(adma): 'in' is already a hash of the data, which type is inferred from
1389 // the length
1390 data.salt_len = htons(salt_len);
1391
1393
1395 &response_cmd, out, out_len);
1399 }
1400
1402 yh_rc translated = translate_device_error(out[0]);
1404 out[0]);
1405 return translated;
1406 }
1407
1409}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_sign_ssh_certificate()
| yh_rc yh_util_sign_ssh_certificate | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| uint16_t | template_id, | ||
| yh_algorithm | sig_algo, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Sign an SSH Certificate request. The function produces a signature that can then be used to produce the SSH Certificate
- Parameters
-
session Authenticated session to use key_id Object ID of the key used to sign the request template_id Object ID of the template to use as a certificate template sig_algo Signature algorithm to use to sign the certificate request in Certificate request in_len Length of the certificate request out Signature out_len Length of the signature
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or
in_lenis too big. See yh_rc for other possible errors
Definition at line 2745 of file yubihsm.c.
2748 {
2750 in_len == 0) {
2753 }
2754
2756
2757#pragma pack(push, 1)
2758 union {
2759 struct {
2761 uint16_t template_id;
2762 uint8_t algo;
2764 };
2766 } data;
2767 uint16_t data_len;
2768#pragma pack(pop)
2769
2770 yh_cmd response_cmd;
2771
2772 data.key_id = htons(key_id);
2773
2774 data.template_id = htons(template_id);
2775
2776 data.algo = sig_algo;
2777
2780 (unsigned long) sizeof(data.bytes));
2782 }
2783
2784 data_len = in_len + 5;
2786
2788 data_len, &response_cmd, out, out_len);
2793 }
2794
2796 yh_rc translated = translate_device_error(out[0]);
2798 out[0]);
2799 return translated;
2800 }
2801
2803}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_unwrap_data()
| yh_rc yh_util_unwrap_data | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Decrypt (unwrap) data using a YH_WRAP_KEY.
- Parameters
-
session Authenticated session to use key_id Object ID of the Wrap Key to use in Wrapped data in_len Length of wrapped data out Unwrapped data out_len Length of unwrapped data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if
in_lenis too big. See yh_rc for other possible errors
Definition at line 3716 of file yubihsm.c.
3718 {
3719
3723 }
3724
3728 }
3729
3731
3732#pragma pack(push, 1)
3733 union {
3734 struct {
3737 };
3739 } data;
3740#pragma pack(pop)
3742
3743 yh_cmd response_cmd;
3744
3745 data.key_id = htons(key_id);
3747
3749 &response_cmd, out, out_len);
3750 insecure_memzero(data.buf, data_len);
3754 }
3755
3757 yh_rc translated = translate_device_error(out[0]);
3759 out[0]);
3760 return translated;
3761 }
3762
3764}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_verify_hmac()
| yh_rc yh_util_verify_hmac | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | signature, | ||
| size_t | signature_len, | ||
| const uint8_t * | data, | ||
| size_t | data_len, | ||
| bool * | verified ) |
Verify a generated HMAC
- Parameters
-
session Authenticated session to use key_id Object ID of the HMAC key signature HMAC signature (20, 32, 48 or 64 bytes) signature_len length of HMAC signature data data to verify data_len length of data to verify verified true if verification succeeded
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS input parameters are NULL or if
signature_len+data_lenis too long. See yh_rc for other possible errors
Definition at line 1939 of file yubihsm.c.
1942 {
1943
1945 verified == NULL) {
1948 }
1949
1953 }
1954
1956
1958 int cmd_data_len;
1959
1960 uint8_t response[3];
1961 size_t response_len = sizeof(response);
1962 yh_cmd response_cmd;
1963
1965
1967 cmd_data_len = 2;
1968 memcpy(cmd_data + cmd_data_len, signature, signature_len);
1969 cmd_data_len += signature_len;
1970 memcpy(cmd_data + cmd_data_len, data, data_len);
1971 cmd_data_len += data_len;
1972
1974 &response_cmd, response, &response_len);
1978 }
1979
1981 yh_rc translated = translate_device_error(response[0]);
1983 response[0]);
1984 return translated;
1985 }
1986
1987 *verified = response[0];
1988
1990}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_util_wrap_data()
| yh_rc yh_util_wrap_data | ( | yh_session * | session, |
| uint16_t | key_id, | ||
| const uint8_t * | in, | ||
| size_t | in_len, | ||
| uint8_t * | out, | ||
| size_t * | out_len ) |
Encrypt (wrap) data using a YH_WRAP_KEY.
- Parameters
-
session Authenticated session to use key_id Object ID of the Wrap Key to use in Data to wrap in_len Length of data to wrap out Wrapped data out_len Length of the wrapped data
- Returns
- YHR_SUCCESS if successful. YHR_INVALID_PARAMETERS if input parameters are NULL or if
in_lenis too big. See yh_rc for other possible errors
Definition at line 3667 of file yubihsm.c.
3668 {
3669
3673 }
3674
3678 }
3679
3681
3682#pragma pack(push, 1)
3683 union {
3684 struct {
3687 };
3689 } data;
3690#pragma pack(pop)
3692
3693 yh_cmd response_cmd;
3694
3695 data.key_id = htons(key_id);
3697
3699 &response_cmd, out, out_len);
3700 insecure_memzero(data.buf, data_len);
3704 }
3705
3707 yh_rc translated = translate_device_error(out[0]);
3709 out[0]);
3710 return translated;
3711 }
3712
3714}
Here is the call graph for this function:
Here is the caller graph for this function:
◆ yh_verify_logs()
| bool yh_verify_logs | ( | yh_log_entry * | logs, |
| size_t | n_items, | ||
| yh_log_entry * | last_previous_log ) |
Verify an array of log entries
- Parameters
-
logs Array of log entries n_items number of log entries last_previous_log Optional pointer to the entry before the first entry in logs
- Returns
- True if verification succeeds. False otherwise
- See also
- Logs
Definition at line 4480 of file yubihsm.c.
4481 {
4482 if (logs == NULL || n_items == 0) {
4483 return false;
4484 }
4485
4486 hash_ctx hashctx = NULL;
4487 uint8_t previous_hash[32];
4488 size_t previous_hash_len = 32;
4491
4493 return false;
4494 }
4495
4496 if (last_previous_log != NULL) {
4498 start = 0;
4499 } else {
4501 start = 1;
4502 }
4503
4505 yh_log_entry inverted;
4506 inverted.number = htons(logs[i].number);
4508 inverted.length = htons(logs[i].length);
4509 inverted.session_key = htons(logs[i].session_key);
4510 inverted.target_key = htons(logs[i].target_key);
4511 inverted.second_key = htons(logs[i].second_key);
4513 inverted.systick = htonl(logs[i].systick);
4514
4515 hash_init(hashctx);
4519 hash_final(hashctx, previous_hash, &previous_hash_len);
4520
4522 goto out;
4523 }
4524 }
4525
4527
4528out:
4529 hash_destroy(hashctx);
4530 hashctx = NULL;
4531
4533}
@ start
uint8_t digest[YH_LOG_DIGEST_SIZE]
Truncated sha256 digest of this last digest + this entry.
Definition yubihsm.h:534
Here is the call graph for this function:
Here is the caller graph for this function:
Variable Documentation
◆ YH_INTERNAL
| FILE* _yh_output YH_INTERNAL = 0 |
