1. Home
  2. YubiHSM2
  3. Releases
  4. Known issues

    Known Issues and Limitations

    The following issues are known to affect the current release.

    USB Redirection in Virtual Machines

    VM USB redirection may function inconsistently, particularly in Windows environments.

    YubiHSM Shell

    The yubihsm-shell utility is limited to reading 4096 bytes in a single command.

    Unimplemented Commands When Invoked in Command-Line Mode

    Yubihsm-shell when invoked in Command-Line mode (CLI) does not implement the following commands (actions):

    • put-option

    • put-hmac

    • put-otp-aead-key

    • sign-hmac

    • benchmark

    • otp-aead-create

    • otp-decrypt

    • version

    • decrypt-oaep

    • sign-eddsa

    • encrypt-aesccm

    • decrypt-aesccm

    YubiHSM Setup

    Restore for non-shared Wrap Keys is currently not supported in yubihsm-setup.

    Attestation

    Attestation currently does not support ed25519 keys.

    YubiHSM Wrap Limitations

    Currently yubihsm-wrap correctly wraps the following Object Types:

    • Authentication Key

    • Wrap Key

    • Asymmetric Key

    • HMAC Key

    The tool uses a catch-all for the rest which may not be correct.

    PKCS#11 Module Limitations

    • The PKCS#11 module only supports symmetric encryption with CKM_YUBICO_AES_CCM_WRAP, no CKK_AES or CKM_AES_CBC

    • CKA_ID can only be two bytes long on the device and is therefore truncated to that length

    • CKA_LABEL is maximum 40 bytes

    • C_InitPIN(), C_SetPIN() and C_InitToken() are not supported. Equivalent operations have to be done through other interfaces (e.g., yubihsm-shell).

    • C_CopyObject() is not supported. Objects are never modifiable after creation

    • C_SetAttributeValue() can only be used to set the same CKA_ID or CKA_LABEL on an object, not to change it. No other use of C_SetAttributeValue() is supported.

    EdDSA Limitations

    EdDSA signing, including Ed22519, is limited to the size of one message to the YubiHSM: 2019 bytes.