#ecdsa #ed25519 #hmac #hsm #yubikey

yubihsm

Pure Rust client for YubiHSM2 devices with support for HTTP and USB-based access to the device. Supports most HSM functionality including ECDSA, Ed25519, HMAC, and RSA.

61 releases (29 breaking)

✓ Uses Rust 2018 edition

new 0.30.0 Dec 11, 2019
0.29.0 Oct 30, 2019
0.28.0 Oct 12, 2019
0.26.4 Jun 24, 2019
0.7.2 Mar 31, 2018

#51 in Cryptography

Download history 194/week @ 2019-08-27 93/week @ 2019-09-03 180/week @ 2019-09-10 353/week @ 2019-09-17 96/week @ 2019-09-24 178/week @ 2019-10-01 96/week @ 2019-10-08 217/week @ 2019-10-15 257/week @ 2019-10-22 97/week @ 2019-10-29 79/week @ 2019-11-05 79/week @ 2019-11-12 123/week @ 2019-11-19 142/week @ 2019-11-26 264/week @ 2019-12-03

683 downloads per month
Used in 2 crates (1 directly)

Apache-2.0 OR MIT

425KB
10K SLoC

yubihsm.rs

crate Docs Apache2/MIT licensed MSRV Build Status

Pure Rust client for YubiHSM 2 devices from Yubico.

Documentation

About

This is a pure-Rust client library for YubiHSM 2 devices which implements most the functionality of the libyubihsm C library from Yubico's YubiHSM SDK. It provides two backends for communicating with YubiHSMs:

  • HTTP: communicate with YubiHSM via the yubihsm-connector process from the Yubico SDK.
  • USB: communicate directly with the YubiHSM over USB using the rusb crate.

The yubihsm::Client type provides access to HSM commands.

This is NOT an official Yubico project and is in no way supported or endorsed by Yubico (although whoever runs their Twitter account thinks it's awesome).

NOTE: Looking for a YubiKey library instead of YubiHSM? Check out yubikey-piv.rs instead.

Prerequisites

This crate builds on Rust 1.36+.

On x86(-64) targets, add the following RUSTFLAGS to enable AES-NI to better secure communication with the YubiHSM:

RUSTFLAGS=-Ctarget-feature=+aes,+ssse3

You can configure your ~/.cargo/config to always pass these flags:

[build]
rustflags = ["-Ctarget-feature=+aes,+ssse3"]

Supported Commands

NOTE: If there's a command on this list you'd like to use which isn't presently supported, please open an issue requesting support.

Command Impl'd MockHSM Description
Authenticate Session Authenticate to HSM with password or encryption key
Blink Device Blink the HSM's LEDs (to identify it)
Change Authentication Key Replace the authentication key used to create current session
Close Session Terminate an encrypted session with the HSM
Create OTP AEAD Create a Yubico OTP AEAD
Create Session Initiate a new encrypted session with the HSM
Decrypt OAEP Decrypt data encrypted with RSA-OAEP
Decrypt OTP Decrypt a Yubico OTP, obtaining counters and timer info
Decrypt PKCS1 Decrypt data encrypted with RSA-PKCS#1v1.5
Delete Object Delete an object of the given ID and type
Derive ECDH ⚠️ Compute Elliptic Curve Diffie-Hellman using HSM-backed key
Device Info Get information about the HSM
Echo Echo a message sent to the HSM
Export Wrapped Export an object from the HSM in encrypted form
Generate Asymmetric Key Randomly generate new asymmetric key in the HSM
Generate HMAC Key Randomly generate HMAC key in the HSM
Generate OTP AEAD Key Randomly generate AES key for Yubico OTP authentication
Generate Wrap Key Randomly generate AES key for exporting/importing objects
Get Log Entries Obtain the audit log for the HSM
Get Object Info Get information about an object
Get Opaque Get an opaque bytestring from the HSM
Get Option Get HSM auditing settings
Get Pseudo Random Get random data generated by the HSM's internal PRNG
Get Public key Get public key for an HSM-backed asymmetric private key
Get Storage Info Fetch information about currently free storage
Get SSH Template Fetch SSH certificate template object from the HSM
Import Wrapped Import an encrypted key into the HSM
List Objects List objects visible from the current session
Put Asymmetric Key Put an existing asymmetric key into the HSM
Put Authentication Key Put YubiHSM authentication key into the HSM
Put HMAC Key Put an HMAC key into the HSM
Put Opaque Put an opaque bytestring into the HSM
Put OTP AEAD Key Put a Yubico OTP key into the HSM
Put SSH Template Put SSH certificate template object into the HSM
Put Wrap Key Put an AES keywrapping key into the HSM
Randomize OTP AEAD Randomly generate a Yubico OTP AEAD
Reset Device Reset the HSM back to factory default settings
Rewrap OTP AEAD Re-wrap a Yubico OTP AEAD from one key to another
Session Message Send an encrypted message to the HSM
Set Log Index Mark log messages in the HSM as consumed
Set Option Change HSM auditing settings
Sign Attestation Certificate Create X.509 certificate for asymmetric key
Sign ECDSA Compute an ECDSA signature using HSM-backed key
Sign EdDSA Compute an Ed25519 signature using HSM-backed key
Sign HMAC Perform an HMAC operation using an HSM-backed key
Sign PKCS1 ⚠️ Compute an RSASSA-PKCS#1v1.5 signature using HSM-backed key
Sign PSS ⚠️ Compute an RSASSA-PSS signature using HSM-backed key
Sign SSH Certificate ⚠️ Sign an SSH certificate request
Unwrap Data Decrypt data encrypted using a wrap key
Verify HMAC Verify that an HMAC tag for given data is valid
Wrap Data Encrypt data using a wrap key
Status
Supported
⚠️ Partial/Untested Support
Unsupported

NOTE: Commands marked ⚠️ have not been properly tested and may contain bugs or not work at all. They are disabled by default: to use them you must enable the yolocrypto cargo feature. If you do get them to work, please open an issue (or PR) reporting success so we can promote them to ✅.

Testing

This crate allows you to run the integration test suite in three different ways:

  • Live testing against a real YubiHSM2 device:
    • via HTTP
    • via USB
  • simulated testing using MockHSM which implements some YubiHSM2 functionality

cargo test: test YubiHSM2 live over HTTP via yubihsm-connector

This mode assumes you have a YubiHSM2 hardware device, have downloaded the YubiHSM2 SDK for your platform, and are running a yubihsm-connector process listening on localhost on the default port of 12345.

The YubiHSM2 device should be in the default factory state. To reset it to this state, either use the yubihsm-shell reset command or press on the YubiHSM2 for 10 seconds immediately after inserting it.

You can confirm the tests are running live against the YubiHSM2 by the LED blinking rapidly for 1 second.

NOTE THAT THESE TESTS ARE DESTRUCTIVE: DO NOT RUN THEM AGAINST A YUBIHSM2 WHICH CONTAINS KEYS YOU CARE ABOUT

cargo test --features=usb: test YubiHSM2 live via USB

Adding the usb cargo feature builds in USB connector support in addition to HTTP connector, and also runs the test suite live via USB rather than using the yubihsm-connector process.

ALSO NOTE THAT THESE TESTS ARE DESTRUCTIVE: DO NOT RUN THEM AGAINST A YUBIHSM2 WHICH CONTAINS KEYS YOU CARE ABOUT

cargo test --features=mockhsm: simulated tests against a mock HSM

This mode is useful for when you don't have access to physical YubiHSM2 hardware, such as CI environments.

License

yubihsm.rs is distributed under the terms of both the MIT license and the Apache License (Version 2.0).

See LICENSE-APACHE and LICENSE-MIT for details.

Dependencies

~1.8–4.5MB
~102K SLoC