The following issues are known to affect the current release.
VM USB redirection may function inconsistently, particularly in Windows environments.
The yubihsm-shell
utility is limited to reading 4096 bytes in a single command.
Yubihsm-shell when invoked in Command-Line mode (CLI) does not implement the following commands (actions):
put-option
put-hmac
put-otp-aead-key
sign-hmac
benchmark
otp-aead-create
otp-decrypt
version
decrypt-oaep
sign-eddsa
encrypt-aesccm
decrypt-aesccm
Restore for non-shared Wrap Keys is currently not supported in yubihsm-setup
.
Attestation currently does not support ed25519 keys.
Currently yubihsm-wrap
correctly wraps the following Object Types:
Authentication Key
Wrap Key
Asymmetric Key
HMAC Key
The tool uses a catch-all for the rest which may not be correct.
The PKCS#11 module only supports symmetric encryption with CKM_YUBICO_AES_CCM_WRAP
, no CKK_AES
or CKM_AES_CBC
CKA_ID
can only be two bytes long on the device and is therefore truncated to that length
CKA_LABEL
is maximum 40 bytes
C_InitPIN()
, C_SetPIN()
and C_InitToken()
are not supported. Equivalent operations have to be done through other interfaces (e.g., yubihsm-shell
).
C_CopyObject()
is not supported. Objects are never modifiable after creation
C_SetAttributeValue()
can only be used to set the same CKA_ID
or CKA_LABEL
on an object, not to change it. No other use of C_SetAttributeValue()
is supported.
EdDSA signing, including Ed22519, is limited to the size of one message to the YubiHSM: 2019 bytes.