#encryption #hmac #security #hsm #signing

yubihsm

Pure Rust client for YubiHSM2 devices

28 releases (15 breaking)

0.16.0-alpha2 Sep 6, 2018
0.15.1 Aug 24, 2018
0.14.2 Jul 30, 2018
0.7.2 Mar 31, 2018

#60 in Cryptography

Download history 14/week @ 2018-06-14 21/week @ 2018-06-21 164/week @ 2018-06-28 97/week @ 2018-07-05 47/week @ 2018-07-12 111/week @ 2018-07-19 12/week @ 2018-07-26 121/week @ 2018-08-02 331/week @ 2018-08-09 79/week @ 2018-08-16 85/week @ 2018-08-23 21/week @ 2018-08-30 66/week @ 2018-09-06

389 downloads per month
Used in 2 crates (1 directly)

MIT/Apache

338KB
7.5K SLoC

yubihsm.rs

crate Docs MIT/Apache2 licensed Build Status

Pure Rust client for YubiHSM 2 devices from Yubico.

Documentation

About

This is a pure-Rust client library for YubiHSM 2 devices which implements most the functionality of the closed-source libyubihsm library from the Yubico SDK. It provides two backends for communicating with YubiHSMs:

Note that this is NOT an official Yubico project and is in no way supported or endorsed by Yubico (although whoever runs their Twitter account thinks it's awesome).

Prerequisites

This crate builds on Rust 1.27+ and by default uses SIMD features which require the following RUSTFLAGS:

RUSTFLAGS=-Ctarget-feature=+aes`

You can configure your ~/.cargo/config to always pass these flags:

[build]
rustflags = ["-Ctarget-feature=+aes"]

Supported Commands

NOTE: If there's a command on this list you'd like to use which isn't presently supported, contributing is easy (see below) or open an issue requesting support.

Command Impl'd MockHSM Description
Attest Asymmetric Create X.509 certificate for asymmetric key
Authenticate Session Authenticate to HSM with password or encryption key
Blink Blink the HSM's LEDs (to identify it)
Close Session Terminate an encrypted session with the HSM
Create Session Initiate a new encrypted session with the HSM
Decrypt ECDH Compute Elliptic Curve Diffie-Hellman using HSM-backed key
Decrypt OAEP Decrypt data encrypted with RSA-OAEP
Decrypt PKCS1 Decrypt data encrypted with RSA-PKCS#1v1.5
Device Info Get information about the HSM
Delete Object Delete an object of the given ID and type
Echo Echo a message sent to the HSM
Export Wrapped Export an object from the HSM in encrypted form
Generate Asymmetric Randomly generate new asymmetric key in the HSM
Generate HMAC Key Randomly generate HMAC key in the HSM
Generate OTP Key Randomly generate AES key for Yubico OTP authentication
Generate Wrap Key Randomly generate AES key for exporting/importing objects
Get Logs Obtain the audit log for the HSM
Get Object Info Get information about an object
Get Opaque Get an opaque bytestring from the HSM
Get Option Get HSM auditing settings
Get Pseudo Random Get random data generated by the HSM's internal PRNG
Get Pubkey Get public key for an HSM-backed asymmetric private key
HMAC Data Perform an HMAC operation using an HSM-backed key
Import Wrapped Import an encrypted key into the HSM
List Objects List objects visible from the current session
OTP AEAD Create Create a Yubico OTP AEAD
OTP AEAD Random Randomly generate a Yubico OTP AEAD
OTP AEAD Rewrap Re-wrap a Yubico OTP AEAD from one key to another
OTP Decrypt Decrypt a Yubico OTP, obtaining counters and timer info
Put Asymmetric Put an existing asymmetric key into the HSM
Put Auth Key Put AES-128x2 preshared authentication key into HSM
Put HMAC Key Put an HMAC key into the HSM
Put Opaque Put an opaque bytestring into the HSM
Put Option Change HSM auditing settings
Put OTP AEAD Key Put a Yubico OTP key into the HSM
Put Wrap Key Put an AES keywrapping key into the HSM
Reset Reset the HSM back to factory default settings
Session Message Send an encrypted message to the HSM
Set Log Index Mark log messages in the HSM as consumed
Sign Data ECDSA Compute an ECDSA signature using HSM-backed key
Sign Data EdDSA Compute an Ed25519 signature using HSM-backed key
Sign Data PKCS1 ⚠️ Compute an RSASSA-PKCS#1v1.5 signature using HSM-backed key
Sign Data PSS ⚠️ Compute an RSASSA-PSS signature using HSM-backed key
Storage Status Fetch information about currently free storage
Unwrap Data Decrypt data encrypted using a wrap key
Verify HMAC Verify that an HMAC tag for given data is valid
Wrap Data Encrypt data using a wrap key
Status
Supported
⚠️ Partial/Untested Support
Unsupported

Getting Started

The following documentation describes the most important parts of this crate's API:

  • Session: end-to-end encrypted connection with the YubiHSM. You'll need an active one to do anything.
  • commands: commands supported by the YubiHSM2 (i.e. main functionality)

Here is an example of how to create a Session by connecting to a yubihsm-connector process, and then performing an Ed25519 signature:

extern crate yubihsm;

// Default yubihsm-connector URI, auth key ID, and password for yubihsm-connector
// NOTE: DON'T USE THIS IN PRODUCTION!
let mut session = yubihsm::HttpSession::create(
    Default::default(), // `yubihsm-connector` configuration (`yubihsm::HttpConfig`)
    Default::default(), // auth key ID and key/password (`yubihsm::Credentials`)
    true // automatically reconnect if we get disconnected
).unwrap();

// Note: You'll need to create an Ed25519 key in slot #100 for this to work.
// Run this from yubihsm-shell (or use `yubihsm::generate_asymmetric_key`):
//
// `generate asymmetric 0 100 ed25519_test_key 1 asymmetric_sign_eddsa ed25519`
let signature = yubihsm::sign_ed25519(&session, 100, "Hello, world!").unwrap();
println!("Ed25519 signature: {:?}", signature);

Testing

This crate allows you to run the integration test suite in three different ways:

  • Live testing against a real YubiHSM2 device:
    • via HTTP
    • via USB
  • simulated testing using MockHSM which implements some YubiHSM2 functionality

cargo test: test YubiHSM2 live over HTTP via yubihsm-connector

This mode assumes you have a YubiHSM2 hardware device, have downloaded the YubiHSM2 SDK for your platform, and are running a yubihsm-connector process listening on localhost on the default port of 12345.

The YubiHSM2 device should be in the default factory state. To reset it to this state, either use the yubihsm-shell reset command or press on the YubiHSM2 for 10 seconds immediately after inserting it.

You can confirm the tests are running live against the YubiHSM2 by the LED blinking rapidly for 1 second.

NOTE THAT THESE TESTS ARE DESTRUCTIVE: DO NOT RUN THEM AGAINST A YUBIHSM2 WHICH CONTAINS KEYS YOU CARE ABOUT

cargo test --features=usb: test YubiHSM2 live via USB

Adding the usb cargo feature builds the UsbAdapter backend in addition to the HttpAdapter, and also runs the test suite live via USB rather than using the yubihsm-connector process.

ALSO NOTE THAT THESE TESTS ARE DESTRUCTIVE: DO NOT RUN THEM AGAINST A YUBIHSM2 WHICH CONTAINS KEYS YOU CARE ABOUT

cargo test --features=mockhsm: simulated tests against a mock HSM

This mode is useful for when you don't have access to physical YubiHSM2 hardware, such as CI environments.

License

yubihsm.rs is distributed under the terms of both the MIT license and the Apache License (Version 2.0).

See LICENSE-APACHE and LICENSE-MIT for details.

Dependencies

~4MB
~105K SLoC