This document contains information about the different tools that are either known to work or known not to work with the current version of the YubiHSM 2.
This is the tool produced by OpenSC.
Running with HEAD on master (currently
dfd18389346296f8e4617832e0d5f4171835620d) the command used is
pkcs11-tool --module yubihsm_pkcs11.so -l -p 0001password -t
All relevant tests are passing with the following notable exceptions:
- RSA-PKCS-OAEP decryption: the test appears to be broken. It calls into OpenSSL’s EVP_PKEY_encrypt/EVP_PKEY_encrypt_old which uses PKCS1v1.5 padding
- mechtype-0xD9554204 decryption: this a Yubico custom mechanism (AES-CCM wrapping) and can’t be handled by the tool
This is a PKCS#11 tester tool by Google. It is built as a test target in the source code. We maintain an internal version to accommodate for some differences at https://github.com/Yubico/pkcs11test.
The command used
pkcs11test -myubihsm_pkcs11.so -l. -u0001password --gtest_filter=-${SKIPPED_TESTS_STR}
where SKIPPED_TESTS_STR is the list below.
All relevant tests pass. The following tests have been explicitly skipped:
Slot.NoInit PKCS11Test.EnumerateMechanisms ReadOnlySessionTest.GenerateRandom ReadOnlySessionTest.GenerateRandomNone ReadOnlySessionTest.UserLoginWrongPIN ReadOnlySessionTest.SOLoginFail ReadOnlySessionTest.CreateKeyPairObjects ReadOnlySessionTest.CreateSecretKeyAttributes ReadOnlySessionTest.SecretKeyTestVectors ReadOnlySessionTest.SignVerifyRecover ReadOnlySessionTest.GenerateKeyInvalid ReadOnlySessionTest.GenerateKeyPairInvalid ReadOnlySessionTest.WrapUnwrap ReadOnlySessionTest.WrapInvalid ReadOnlySessionTest.UnwrapInvalid ReadWriteSessionTest.CreateCopyDestroyObject ReadWriteSessionTest.SetLatchingAttribute ReadWriteSessionTest.FindObjectSubset ReadWriteSessionTest.ReadOnlySessionSOLoginFail ReadWriteSessionTest.SOLogin ReadWriteSessionTest.TookanAttackA1 ReadWriteSessionTest.TookanAttackA3 ReadWriteSessionTest.TookanAttackA4 ReadWriteSessionTest.TookanAttackA5a ReadWriteSessionTest.TookanAttackA5b ReadWriteSessionTest.PublicExponent4Bytes ReadWriteSessionTest.ExtractKeys ReadWriteSessionTest.AsymmetricTokenKeyPair RWUserSessionTest.SOLoginFail DataObjectTest.CopyDestroyObjectInvalid DataObjectTest.GetMultipleAttributes DataObjectTest.GetSetAttributeInvalid RWSOSessionTest.SOSessionFail RWSOSessionTest.UserLoginFail RWEitherSessionTest.TookanAttackA2 KeyPairTest.EncryptDecrypt Ciphers/SecretKeyTest.EncryptDecrypt/0 Ciphers/SecretKeyTest.EncryptDecrypt/1 Ciphers/SecretKeyTest.EncryptDecrypt/2 Ciphers/SecretKeyTest.EncryptDecrypt/3 Ciphers/SecretKeyTest.EncryptDecrypt/4 Ciphers/SecretKeyTest.EncryptDecrypt/5 Ciphers/SecretKeyTest.EncryptFailDecrypt/0 Ciphers/SecretKeyTest.EncryptFailDecrypt/1 Ciphers/SecretKeyTest.EncryptFailDecrypt/2 Ciphers/SecretKeyTest.EncryptFailDecrypt/3 Ciphers/SecretKeyTest.EncryptFailDecrypt/4 Ciphers/SecretKeyTest.EncryptFailDecrypt/5 Ciphers/SecretKeyTest.EncryptDecryptGetSpace/0 Ciphers/SecretKeyTest.EncryptDecryptGetSpace/1 Ciphers/SecretKeyTest.EncryptDecryptGetSpace/2 Ciphers/SecretKeyTest.EncryptDecryptGetSpace/3 Ciphers/SecretKeyTest.EncryptDecryptGetSpace/4 Ciphers/SecretKeyTest.EncryptDecryptGetSpace/5 Ciphers/SecretKeyTest.EncryptDecryptParts/0 Ciphers/SecretKeyTest.EncryptDecryptParts/1 Ciphers/SecretKeyTest.EncryptDecryptParts/2 Ciphers/SecretKeyTest.EncryptDecryptParts/3 Ciphers/SecretKeyTest.EncryptDecryptParts/4 Ciphers/SecretKeyTest.EncryptDecryptParts/5 Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/0 Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/1 Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/2 Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/3 Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/4 Ciphers/SecretKeyTest.EncryptDecryptInitInvalid/5 Ciphers/SecretKeyTest.EncryptErrors/0 Ciphers/SecretKeyTest.EncryptErrors/1 Ciphers/SecretKeyTest.EncryptErrors/2 Ciphers/SecretKeyTest.EncryptErrors/3 Ciphers/SecretKeyTest.EncryptErrors/4 Ciphers/SecretKeyTest.EncryptErrors/5 Ciphers/SecretKeyTest.DecryptErrors/0 Ciphers/SecretKeyTest.DecryptErrors/1 Ciphers/SecretKeyTest.DecryptErrors/2 Ciphers/SecretKeyTest.DecryptErrors/3 Ciphers/SecretKeyTest.DecryptErrors/4 Ciphers/SecretKeyTest.DecryptErrors/5 Ciphers/SecretKeyTest.EncryptUpdateErrors/0 Ciphers/SecretKeyTest.EncryptUpdateErrors/1 Ciphers/SecretKeyTest.EncryptUpdateErrors/2 Ciphers/SecretKeyTest.EncryptUpdateErrors/3 Ciphers/SecretKeyTest.EncryptUpdateErrors/4 Ciphers/SecretKeyTest.EncryptUpdateErrors/5 Ciphers/SecretKeyTest.EncryptModePolicing1/0 Ciphers/SecretKeyTest.EncryptModePolicing1/1 Ciphers/SecretKeyTest.EncryptModePolicing1/2 Ciphers/SecretKeyTest.EncryptModePolicing1/3 Ciphers/SecretKeyTest.EncryptModePolicing1/4 Ciphers/SecretKeyTest.EncryptModePolicing1/5 Ciphers/SecretKeyTest.EncryptModePolicing2/0 Ciphers/SecretKeyTest.EncryptModePolicing2/1 Ciphers/SecretKeyTest.EncryptModePolicing2/2 Ciphers/SecretKeyTest.EncryptModePolicing2/3 Ciphers/SecretKeyTest.EncryptModePolicing2/4 Ciphers/SecretKeyTest.EncryptModePolicing2/5 Ciphers/SecretKeyTest.EncryptInvalidIV/0 Ciphers/SecretKeyTest.EncryptInvalidIV/1 Ciphers/SecretKeyTest.EncryptInvalidIV/2 Ciphers/SecretKeyTest.EncryptInvalidIV/3 Ciphers/SecretKeyTest.EncryptInvalidIV/4 Ciphers/SecretKeyTest.EncryptInvalidIV/5 Ciphers/SecretKeyTest.DecryptInvalidIV/0 Ciphers/SecretKeyTest.DecryptInvalidIV/1 Ciphers/SecretKeyTest.DecryptInvalidIV/2 Ciphers/SecretKeyTest.DecryptInvalidIV/3 Ciphers/SecretKeyTest.DecryptInvalidIV/4 Ciphers/SecretKeyTest.DecryptInvalidIV/3 Ciphers/SecretKeyTest.DecryptInvalidIV/4 Ciphers/SecretKeyTest.DecryptInvalidIV/5 Ciphers/SecretKeyTest.DecryptUpdateErrors/0 Ciphers/SecretKeyTest.DecryptUpdateErrors/1 Ciphers/SecretKeyTest.DecryptUpdateErrors/2 Ciphers/SecretKeyTest.DecryptUpdateErrors/3 Ciphers/SecretKeyTest.DecryptUpdateErrors/4 Ciphers/SecretKeyTest.DecryptUpdateErrors/5 Ciphers/SecretKeyTest.EncryptFinalImmediate/0 Ciphers/SecretKeyTest.EncryptFinalImmediate/1 Ciphers/SecretKeyTest.EncryptFinalImmediate/2 Ciphers/SecretKeyTest.EncryptFinalImmediate/3 Ciphers/SecretKeyTest.EncryptFinalImmediate/4 Ciphers/SecretKeyTest.EncryptFinalImmediate/5 Ciphers/SecretKeyTest.EncryptFinalErrors1/0 Ciphers/SecretKeyTest.EncryptFinalErrors1/1 Ciphers/SecretKeyTest.EncryptFinalErrors1/2 Ciphers/SecretKeyTest.EncryptFinalErrors1/3 Ciphers/SecretKeyTest.EncryptFinalErrors1/4 Ciphers/SecretKeyTest.EncryptFinalErrors1/5 Ciphers/SecretKeyTest.EncryptFinalErrors2/0 Ciphers/SecretKeyTest.EncryptFinalErrors2/1 Ciphers/SecretKeyTest.EncryptFinalErrors2/2 Ciphers/SecretKeyTest.EncryptFinalErrors2/3 Ciphers/SecretKeyTest.EncryptFinalErrors2/4 Ciphers/SecretKeyTest.EncryptFinalErrors2/5 Ciphers/SecretKeyTest.DecryptFinalErrors1/0 Ciphers/SecretKeyTest.DecryptFinalErrors1/1 Ciphers/SecretKeyTest.DecryptFinalErrors1/2 Ciphers/SecretKeyTest.DecryptFinalErrors1/3 Ciphers/SecretKeyTest.DecryptFinalErrors1/4 Ciphers/SecretKeyTest.DecryptFinalErrors1/5 Ciphers/SecretKeyTest.DecryptFinalErrors2/0 Ciphers/SecretKeyTest.DecryptFinalErrors2/1 Ciphers/SecretKeyTest.DecryptFinalErrors2/2 Ciphers/SecretKeyTest.DecryptFinalErrors2/3 Ciphers/SecretKeyTest.DecryptFinalErrors2/4 Ciphers/SecretKeyTest.DecryptFinalErrors2/5 Digests/DigestTest.DigestKey/0 Digests/DigestTest.DigestKey/1 Digests/DigestTest.DigestKey/2 Digests/DigestTest.DigestKey/3 Digests/DigestTest.DigestKey/4 Digests/DigestTest.DigestKeyInvalid/0 Digests/DigestTest.DigestKeyInvalid/1 Digests/DigestTest.DigestKeyInvalid/2 Digests/DigestTest.DigestKeyInvalid/3 Digests/DigestTest.DigestKeyInvalid/4 Signatures/SignTest.SignVerify/0 Signatures/SignTest.SignFailVerifyWrong/0 Signatures/SignTest.SignFailVerifyShort/0 Duals/DualSecretKeyTest.DigestEncrypt/0 Duals/DualSecretKeyTest.DigestEncrypt/1 Duals/DualSecretKeyTest.DigestEncrypt/2 Duals/DualSecretKeyTest.DigestEncrypt/3 Duals/DualSecretKeyTest.DigestEncrypt/4 Duals/DualSecretKeyTest.DigestEncrypt/5
This is a Yubico tool, developed to run additional tests
The command used is
python setup.py test
All relevant tests pass.
This is a tool shipped with GnuTLS. From version 3.5.2 it can work with the YubiHSM 2. Keys can be generated like
p11tool --provider=yubihsm_pkcs11.so "pkcs11:pin-value=0001password" --login --generate-rsa --label="rsa test key" --bits=2048
and signatures tested and verified with the command
p11tool --provider=yubihsm_pkcs11.so "pkcs11:pin-value=0001password;object=rsakey" --login --test-sign
OpenDNSSEC contains a libhsm and two tools, ods-hsmutil and ods-hsmspeed, both of these work with the YubiHSM 2 with a small configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
<RepositoryList>
<Repository name="default">
<Module>yubihsm_pkcs11.so</Module>
<TokenLabel>YubiHSM</TokenLabel>
<PIN>0001password</PIN>
</Repository>
</RepositoryList>
</Configuration>
Using this it is possible to run through tests with the command
ods-hsmutil -c conf-yubihsm.xml test default
This passes all tests using algorithms supported by the YubiHSM 2 (rsa2048, rsa4096, ecp256, ecp384 & randomness)