89 #define YH_CONTEXT_LEN 16 90 #define YH_HOST_CHAL_LEN 8 92 #define YH_MSG_BUF_SIZE 2048 100 #define YH_CMD_RESP_FLAG 0x80 102 #define YH_MAX_ITEMS_COUNT 256 104 #define YH_MAX_SESSIONS 16 106 #define YH_DEFAULT_ENC_KEY \ 108 "\x09\x0b\x47\xdb\xed\x59\x56\x54\x90\x1d\xee\x1c\xc6\x55\xe4\x20" 109 #define YH_DEFAULT_MAC_KEY \ 111 "\x59\x2f\xd4\x83\xf7\x59\xe2\x99\x09\xa0\x4c\x45\x05\xd2\xce\x0a" 112 #define YH_DEFAULT_PASSWORD "password" 114 #define YH_DEFAULT_SALT "Yubico" 116 #define YH_DEFAULT_ITERS 10000 118 #define YH_CAPABILITIES_LEN 8 120 #define YH_MAX_LOG_ENTRIES 64 122 #define YH_OBJ_LABEL_LEN 40 124 #define YH_MAX_DOMAINS 16 126 #define YH_LOG_DIGEST_SIZE 16 128 #define YH_USB_URL_SCHEME "yhusb://" 133 #define YH_VERB_QUIET 0x00 134 #define YH_VERB_INTERMEDIATE 0x01 136 #define YH_VERB_CRYPTO 0x02 138 #define YH_VERB_RAW 0x04 140 #define YH_VERB_INFO 0x08 142 #define YH_VERB_ERR 0x10 144 #define YH_VERB_ALL 0xff 149 #define YH_CCM_WRAP_OVERHEAD (1 + 13 + 16) 238 #define ADD_COMMAND(c, v) c = v, c##_R = v | YH_CMD_RESP_FLAG 383 #define YH_MAX_ALGORITHM_COUNT 0xff 509 #pragma pack(push, 1) 564 static const struct {
567 } yh_capability[] = {
568 {
"change-authentication-key", 0x2e},
569 {
"create-otp-aead", 0x1e},
570 {
"decrypt-oaep", 0x0a},
571 {
"decrypt-otp", 0x1d},
572 {
"decrypt-pkcs", 0x09},
573 {
"delete-asymmetric-key", 0x29},
574 {
"delete-authentication-key", 0x28},
575 {
"delete-hmac-key", 0x2b},
576 {
"delete-opaque", 0x27},
577 {
"delete-otp-aead-key", 0x2d},
578 {
"delete-template", 0x2c},
579 {
"delete-wrap-key", 0x2a},
580 {
"derive-ecdh", 0x0b},
581 {
"export-wrapped", 0x0c},
582 {
"exportable-under-wrap", 0x10},
583 {
"generate-asymmetric-key", 0x04},
584 {
"generate-hmac-key", 0x15},
585 {
"generate-otp-aead-key", 0x24},
586 {
"generate-wrap-key", 0x0f},
587 {
"get-log-entries", 0x18},
588 {
"get-opaque", 0x00},
589 {
"get-option", 0x12},
590 {
"get-pseudo-random", 0x13},
591 {
"get-template", 0x1a},
592 {
"import-wrapped", 0x0d},
593 {
"put-asymmetric-key", 0x03},
594 {
"put-authentication-key", 0x02},
595 {
"put-mac-key", 0x14},
596 {
"put-opaque", 0x01},
597 {
"put-otp-aead-key", 0x23},
598 {
"put-template", 0x1b},
599 {
"put-wrap-key", 0x0e},
600 {
"randomize-otp-aead", 0x1f},
601 {
"reset-device", 0x1c},
602 {
"rewrap-from-otp-aead-key", 0x20},
603 {
"rewrap-to-otp-aead-key", 0x21},
604 {
"set-option", 0x11},
605 {
"sign-attestation-certificate", 0x22},
606 {
"sign-ecdsa", 0x07},
607 {
"sign-eddsa", 0x08},
611 {
"sign-ssh-certificate", 0x19},
612 {
"unwrap-data", 0x26},
613 {
"verify-hmac", 0x17},
617 static const struct {
620 } yh_algorithms[] = {
670 static const struct {
683 static const struct {
692 #define YH_ORIGIN_GENERATED 0x01 693 #define YH_ORIGIN_IMPORTED 0x02 695 #define YH_ORIGIN_IMPORTED_WRAPPED 0x10 834 const uint8_t *data,
size_t data_len,
835 yh_cmd *response_cmd, uint8_t *response,
836 size_t *response_len);
853 size_t data_len,
yh_cmd *response_cmd,
854 uint8_t *response,
size_t *response_len);
881 const uint8_t *password,
size_t password_len,
910 const uint8_t *key_enc,
size_t key_enc_len,
911 const uint8_t *key_mac,
size_t key_mac_len,
938 uint8_t **context, uint8_t *card_cryptogram,
939 size_t card_cryptogram_len,
971 const uint8_t *key_senc,
size_t key_senc_len,
972 const uint8_t *key_smac,
size_t key_smac_len,
973 const uint8_t *key_srmac,
974 size_t key_srmac_len,
975 uint8_t *card_cryptogram,
976 size_t card_cryptogram_len);
1031 uint8_t *minor, uint8_t *patch, uint32_t *serial,
1032 uint8_t *log_total, uint8_t *log_used,
1139 const uint8_t *in,
size_t in_len, uint8_t *out,
1164 size_t in_len, uint8_t *out,
size_t *out_len,
1186 const uint8_t *in,
size_t in_len, uint8_t *out,
1205 const uint8_t *in,
size_t in_len, uint8_t *out,
1224 size_t in_len, uint8_t *out,
size_t *out_len);
1263 const char *label, uint16_t domains,
1292 const char *label, uint16_t domains,
1314 const char *label, uint16_t domains,
1339 const char *label, uint16_t domains,
1363 const char *label, uint16_t domains,
1390 const char *label, uint16_t domains,
1413 const char *label, uint16_t domains,
1435 const uint8_t *signature,
size_t signature_len,
1436 const uint8_t *data,
size_t data_len,
bool *verified);
1458 const char *label, uint16_t domains,
1479 const uint8_t *in,
size_t in_len, uint8_t *out,
1503 const uint8_t *in,
size_t in_len, uint8_t *out,
1504 size_t *out_len,
const uint8_t *label,
1525 const uint8_t *in,
size_t in_len, uint8_t *out,
1559 uint8_t *out,
size_t *out_len);
1577 const uint8_t *in,
size_t in_len,
1607 const char *label, uint16_t domains,
1611 const uint8_t *in,
size_t in_len);
1636 const char *label, uint16_t domains,
1720 const char *label, uint16_t domains,
1745 const uint8_t *in,
size_t in_len,
1746 uint8_t *out,
size_t *out_len);
1774 yh_session *session, uint16_t *key_id,
const char *label, uint16_t domains,
1776 const yh_capabilities *delegated_capabilities,
const uint8_t *key_enc,
1777 size_t key_enc_len,
const uint8_t *key_mac,
size_t key_mac_len);
1802 yh_session *session, uint16_t *key_id,
const char *label, uint16_t domains,
1804 const yh_capabilities *delegated_capabilities,
const uint8_t *password,
1805 size_t password_len);
1828 const uint8_t *key_enc,
1830 const uint8_t *key_mac,
1831 size_t key_mac_len);
1853 const uint8_t *password,
1854 size_t password_len);
1869 uint8_t *out,
size_t *out_len);
1892 const char *label, uint16_t domains,
1912 const uint8_t *key,
const uint8_t *private_id,
1913 uint8_t *out,
size_t *out_len);
1928 uint8_t *out,
size_t *out_len);
1949 const uint8_t *aead,
size_t aead_len,
1950 const uint8_t *otp, uint16_t *useCtr,
1951 uint8_t *sessionCtr, uint8_t *tstph, uint16_t *tstpl);
1974 const char *label, uint16_t domains,
1976 uint32_t nonce_id,
const uint8_t *in,
2000 const char *label, uint16_t domains,
2019 uint16_t attest_id, uint8_t *out,
2069 uint16_t *free_records, uint16_t *total_pages,
2070 uint16_t *free_pages, uint16_t *page_size);
2088 size_t in_len, uint8_t *out,
size_t *out_len);
2106 const uint8_t *in,
size_t in_len, uint8_t *out,
2166 uint8_t *minor, uint8_t *patch);
2219 const char *result[],
size_t *n_result);
2243 const char *capability);
opaque-data
Definition: yubihsm.h:450
yh_rc yh_algo_to_string(yh_algorithm algo, char const **result)
Convert an algorithm to its string representation.
Verify a generated HMAC.
Definition: yubihsm.h:313
yh_rc yh_util_generate_otp_aead_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, uint32_t nonce_id)
Generate an YH_OTP_AEAD_KEY for Yubico OTP decryption in the device.
Generate an HMAC Key in the device.
Definition: yubihsm.h:309
mgf1-sha256
Definition: yubihsm.h:456
yh_rc yh_set_connector_option(yh_connector *connector, yh_connector_option opt, const void *val)
Set connector options.
Asymmetric Key is the private key of an asymmetric key-pair.
Definition: yubihsm.h:366
yh_rc yh_string_to_algo(const char *string, yh_algorithm *algo)
Convert a string to an algorithm's numeric value.
ecdh
Definition: yubihsm.h:438
uint8_t command
What command was executed.
Definition: yubihsm.h:520
Get a fixed number of pseudo-random bytes from the device.
Definition: yubihsm.h:291
Return value when encountering SSH CA constraint violation.
Definition: yubihsm.h:234
#define YH_LOG_DIGEST_SIZE
Size that the log digest is truncated to.
Definition: yubihsm.h:127
yh_rc yh_util_generate_ed_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Generate an ED key in the device.
void yh_set_debug_output(yh_connector *connector, FILE *output)
Set file for debug output.
mgf1-sha1
Definition: yubihsm.h:454
uint16_t length
Length of in-data.
Definition: yubihsm.h:522
yh_cmd
Command definitions.
Definition: yubihsm.h:243
Authenticate the session to the device.
Definition: yubihsm.h:249
Get all metadata about an Object.
Definition: yubihsm.h:285
aes128-yubico-otp
Definition: yubihsm.h:464
yh_rc yh_util_close_session(yh_session *session)
Close a session.
yh_rc yh_util_decrypt_pkcs1v1_5(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Decrypt data that was encrypted using RSA-PKCS#1v1.5.
Returned value when there is not enough space to store data.
Definition: yubihsm.h:187
#define YH_CAPABILITIES_LEN
Length of capabilities array.
Definition: yubihsm.h:119
HMAC Key is a secret key used when computing and verifying HMAC signatures.
Definition: yubihsm.h:371
aes128-yubico-authentication
Definition: yubihsm.h:466
rsa-pkcs1-sha384
Definition: yubihsm.h:396
Re-encrypt a Yubico OTP AEAD from one OTP AEAD Key to another OTP AEAD Key.
Definition: yubihsm.h:327
Returned value when unable to allocate memory.
Definition: yubihsm.h:174
ecp256
Definition: yubihsm.h:414
yh_rc yh_util_import_otp_aead_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, uint32_t nonce_id, const uint8_t *in, size_t in_len)
Import an YH_OTP_AEAD_KEY used for Yubico OTP Decryption.
rsa-oaep-sha384
Definition: yubihsm.h:444
yh_rc yh_begin_create_session_ext(yh_connector *connector, uint16_t authkey_id, uint8_t **context, uint8_t *card_cryptogram, size_t card_cryptogram_len, yh_session **session)
Begin creating an external session.
yh_rc yh_util_sign_hmac(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Sign data using HMAC.
Import an Asymmetric Key into the device.
Definition: yubihsm.h:267
hmac-sha256
Definition: yubihsm.h:430
yh_option
Global options.
Definition: yubihsm.h:490
hmac-sha1
Definition: yubihsm.h:428
Returned value when a connection error was encountered.
Definition: yubihsm.h:178
yh_rc yh_util_unwrap_data(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Decrypt (unwrap) data using a YH_WRAP_KEY.
template-ssh
Definition: yubihsm.h:462
Replace the Authentication Key used to establish the current Session.
Definition: yubihsm.h:345
yh_rc yh_destroy_session(yh_session **session)
Free data associated with the session.
rsa3072
Definition: yubihsm.h:410
yh_rc yh_util_sign_eddsa(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Sign data using EdDSA.
Enable/Disable Forced Audit mode.
Definition: yubihsm.h:492
yh_rc yh_util_sign_pss(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len, size_t salt_len, yh_algorithm mgf1Algo)
Sign data using RSA-PSS.
yh_rc yh_get_connector_version(yh_connector *connector, uint8_t *major, uint8_t *minor, uint8_t *patch)
Get the connector version.
yh_rc yh_util_import_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *s)
Import an Elliptic Curve key into the device.
Echo data back from the device.
Definition: yubihsm.h:245
Enable/Disable logging of specific commands.
Definition: yubihsm.h:494
Sign data using RSA-PKCS#1v1.5.
Definition: yubihsm.h:271
yh_rc yh_create_session(yh_connector *connector, uint16_t authkey_id, const uint8_t *key_enc, size_t key_enc_len, const uint8_t *key_mac, size_t key_mac_len, bool recreate_session, yh_session **session)
Create a session that uses the specified encryption key and MAC key to derive session-specific keys...
yh_rc yh_util_get_template(yh_session *session, uint16_t object_id, uint8_t *out, size_t *out_len)
Get a YH_TEMPLATE object from the device.
Delete object in the device.
Definition: yubihsm.h:305
Import an Opaque Object into the device.
Definition: yubihsm.h:261
ecdsa-sha384
Definition: yubihsm.h:478
yh_rc yh_filter_capabilities(const yh_capabilities *capabilities, const yh_capabilities *filter, yh_capabilities *result)
Filter one set of capabilities with another.
yh_object_type type
Object type.
Definition: yubihsm.h:550
Import an Authentication Key into the device.
Definition: yubihsm.h:265
yh_rc yh_util_import_ed_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *k)
Import an ED key into the device.
Logging struct as returned by device.
Definition: yubihsm.h:516
Get a device-global option.
Definition: yubihsm.h:289
yh_rc yh_util_import_template(yh_session *session, uint16_t *object_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *in, size_t in_len)
Import a YH_TEMPLATE object into the device.
Create a session with the device.
Definition: yubihsm.h:247
uint8_t result
Command result.
Definition: yubihsm.h:530
aes256-ccm-wrap
Definition: yubihsm.h:474
Perform an HMAC operation in the device.
Definition: yubihsm.h:295
ecdsa-sha512
Definition: yubihsm.h:480
uint8_t origin
Object origin.
Definition: yubihsm.h:556
yh_rc yh_util_change_authentication_key(yh_session *session, uint16_t *key_id, const uint8_t *key_enc, size_t key_enc_len, const uint8_t *key_mac, size_t key_mac_len)
Replace the long lived encryption key and MAC key associated with an YH_AUTHENTICATION_KEY in the dev...
Returned value when failing to initialize libyubihsm.
Definition: yubihsm.h:176
Opaque Object is an unchecked kind of Object, normally used to store raw data in the device...
Definition: yubihsm.h:362
bool yh_check_capability(const yh_capabilities *capabilities, const char *capability)
Check if a capability is set.
Generate an OTP AEAD Key in the device.
Definition: yubihsm.h:333
Get attestation of an Asymmetric Key.
Definition: yubihsm.h:329
yh_rc yh_util_export_wrapped(yh_session *session, uint16_t wrapping_key_id, yh_object_type target_type, uint16_t target_id, uint8_t *out, size_t *out_len)
Export an object under wrap from the device.
struct yh_session yh_session
Reference to a session.
Definition: yubihsm.h:159
ecdsa-sha1
Definition: yubihsm.h:436
ecp521
Definition: yubihsm.h:418
Return value when the device fails to encrypt or verify the message.
Definition: yubihsm.h:203
yh_rc yh_finish_create_session_ext(yh_connector *connector, yh_session *session, const uint8_t *key_senc, size_t key_senc_len, const uint8_t *key_smac, size_t key_smac_len, const uint8_t *key_srmac, size_t key_srmac_len, uint8_t *card_cryptogram, size_t card_cryptogram_len)
Finish creating external session.
rsa2048
Definition: yubihsm.h:408
yh_rc yh_get_key_bitlength(yh_algorithm algorithm, size_t *result)
Get the expected key length of a key generated by the given algorithm.
yh_rc yh_util_blink_device(yh_session *session, uint8_t seconds)
Blink the LED of the device to identify it.
#define ADD_COMMAND(c, v)
Macro to define command and response command.
Definition: yubihsm.h:238
yh_rc yh_util_decrypt_otp(yh_session *session, uint16_t key_id, const uint8_t *aead, size_t aead_len, const uint8_t *otp, uint16_t *useCtr, uint8_t *sessionCtr, uint8_t *tstph, uint16_t *tstpl)
Decrypt a Yubico OTP and return counters and time information.
Sign data using ECDSA.
Definition: yubihsm.h:301
uint8_t sequence
Object sequence.
Definition: yubihsm.h:554
yh_rc yh_util_import_authentication_key_derived(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, const yh_capabilities *delegated_capabilities, const uint8_t *password, size_t password_len)
Import an YH_AUTHENTICATION_KEY with long lived keys derived from a password.
hmac-sha384
Definition: yubihsm.h:432
rsa-pss-sha1
Definition: yubihsm.h:400
yh_rc yh_domains_to_string(uint16_t domains, char *string, size_t max_len)
Convert domains parameter to its String representation.
Get an Opaque Object from device.
Definition: yubihsm.h:263
yh_capabilities delegated_capabilities
Object delegated capabilities.
Definition: yubihsm.h:560
Return value when failing to create a device session.
Definition: yubihsm.h:207
yh_rc yh_disconnect(yh_connector *connector)
Disconnect from a connector.
List objects in the device.
Definition: yubihsm.h:273
Get a template from the device.
Definition: yubihsm.h:319
aes256-yubico-otp
Definition: yubihsm.h:470
rsa-pkcs1-sha1
Definition: yubihsm.h:392
Sign data using RSA-PSS.
Definition: yubihsm.h:299
Generate an OTP AEAD from random data.
Definition: yubihsm.h:325
hmac-sha512
Definition: yubihsm.h:434
Set the last extracted audit log entry.
Definition: yubihsm.h:335
yh_rc yh_util_get_option(yh_session *session, yh_option option, uint8_t *out, size_t *out_len)
Get a device-global option.
Return value when an invalid OTP is submitted.
Definition: yubihsm.h:222
Return value when the permissions to perform the operation are wrong.
Definition: yubihsm.h:214
yh_rc yh_util_change_authentication_key_derived(yh_session *session, uint16_t *key_id, const uint8_t *password, size_t password_len)
Replace the long lived encryption key and MAC key associated with an YH_AUTHENTICATION_KEY in the dev...
Return value when there is a mismatch between expected and received length of an argument to a functi...
Definition: yubihsm.h:212
yh_rc yh_util_decrypt_oaep(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len, const uint8_t *label, size_t label_len, yh_algorithm mgf1Algo)
Decrypt data using RSA-OAEP.
Generate an Asymmetric Key in the device.
Definition: yubihsm.h:269
Returned value when an argument to a function is invalid.
Definition: yubihsm.h:182
Import a Wrap Key into the device.
Definition: yubihsm.h:281
Returned value when failing to verify cryptogram.
Definition: yubihsm.h:189
yh_rc yh_util_sign_ssh_certificate(yh_session *session, uint16_t key_id, uint16_t template_id, yh_algorithm sig_algo, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Sign an SSH Certificate request.
yh_rc yh_util_generate_rsa_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Generate an RSA key in the device.
bool yh_is_rsa(yh_algorithm algorithm)
Check if an algorithm is a supported RSA algorithm.
yh_rc yh_set_verbosity(yh_connector *connector, uint8_t verbosity)
Set verbosity level when executing commands.
yh_rc yh_string_to_option(const char *string, yh_option *option)
Convert a string to an option's numeric value.
yh_rc yh_get_session_id(yh_session *session, uint8_t *sid)
Get the session ID.
mgf1-sha512
Definition: yubihsm.h:460
yh_rc yh_string_to_type(const char *string, yh_object_type *type)
Convert a string to a type's numeric value.
yh_rc yh_merge_capabilities(const yh_capabilities *a, const yh_capabilities *b, yh_capabilities *result)
Merge two sets of capabilities.
Returned value when function was successful.
Definition: yubihsm.h:172
yh_rc yh_authenticate_session(yh_session *session)
Authenticate session.
Template is a binary object used for example to validate SSH certificate requests.
Definition: yubihsm.h:374
yh_algorithm algorithm
Object algorithm.
Definition: yubihsm.h:552
bool yh_is_hmac(yh_algorithm algorithm)
Check if algorithm is a supported HMAC algorithm.
ed25519
Definition: yubihsm.h:482
Set a device-global options that affect general behavior.
Definition: yubihsm.h:287
yh_rc yh_util_wrap_data(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Encrypt (wrap) data using a YH_WRAP_KEY.
yh_rc yh_util_set_option(yh_session *session, yh_option option, size_t len, uint8_t *val)
Set a device-global option.
ecbp256
Definition: yubihsm.h:422
uint16_t session_key
ID of Authentication Key used.
Definition: yubihsm.h:524
Decrypt data using RSA-OAEP.
Definition: yubihsm.h:307
Returned value when the device receives and invalid command.
Definition: yubihsm.h:197
rsa-pss-sha512
Definition: yubihsm.h:406
yh_rc yh_util_delete_object(yh_session *session, uint16_t id, yh_object_type type)
Delete an object in the device.
yh_rc yh_create_session_derived(yh_connector *connector, uint16_t authkey_id, const uint8_t *password, size_t password_len, bool recreate_session, yh_session **session)
Create a session that uses an encryption key and a MAC key derived from a password.
yh_rc yh_string_to_domains(const char *domains, uint16_t *result)
Convert a string to a domain's numeric value.
uint16_t domains
Object domains.
Definition: yubihsm.h:548
bool yh_is_ed(yh_algorithm algorithm)
Check if an algorithm is a supported ED algorithm.
rsa-pkcs1-sha512
Definition: yubihsm.h:398
opaque-x509-certificate
Definition: yubihsm.h:452
yh_rc yh_util_generate_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities)
Generate a Wrap Key that can be used for export, import, wrap data and unwrap data in the device...
ecp384
Definition: yubihsm.h:416
yh_rc yh_init_connector(const char *url, yh_connector **connector)
Instantiate a new connector.
rsa-pkcs1-sha256
Definition: yubihsm.h:394
yh_rc yh_util_sign_attestation_certificate(yh_session *session, uint16_t key_id, uint16_t attest_id, uint8_t *out, size_t *out_len)
Get attestation of an Asymmetric Key in the form of an X.509 certificate.
Perform an ECDH key exchange operation with a private key in the device.
Definition: yubihsm.h:303
yh_rc yh_util_get_storage_info(yh_session *session, uint16_t *total_records, uint16_t *free_records, uint16_t *total_pages, uint16_t *free_pages, uint16_t *page_size)
Report currently free storage.
ecbp384
Definition: yubihsm.h:424
yh_rc yh_util_import_wrapped(yh_session *session, uint16_t wrapping_key_id, const uint8_t *in, size_t in_len, yh_object_type *target_type, uint16_t *target_id)
Import a wrapped object into the device.
rsa-oaep-sha256
Definition: yubihsm.h:442
Get storage information.
Definition: yubihsm.h:259
yh_rc yh_send_secure_msg(yh_session *session, yh_cmd cmd, const uint8_t *data, size_t data_len, yh_cmd *response_cmd, uint8_t *response, size_t *response_len)
Send an encrypted message to the device over a session.
yh_rc yh_util_get_pseudo_random(yh_session *session, size_t len, uint8_t *out, size_t *out_len)
Get a fixed number of pseudo-random bytes from the device.
yh_object_type
Object types.
Definition: yubihsm.h:359
Capabilities representation.
Definition: yubihsm.h:162
yh_rc yh_send_plain_msg(yh_connector *connector, yh_cmd cmd, const uint8_t *data, size_t data_len, yh_cmd *response_cmd, uint8_t *response, size_t *response_len)
Send a plain (unencrypted) message to the device through a connector.
rsa-pss-sha384
Definition: yubihsm.h:404
Import a template into the device.
Definition: yubihsm.h:317
yh_rc yh_util_get_device_info(yh_connector *connector, uint8_t *major, uint8_t *minor, uint8_t *patch, uint32_t *serial, uint8_t *log_total, uint8_t *log_used, yh_algorithm *algorithms, size_t *n_algorithms)
Get device version, device serial number, supported algorithms and available log entries.
Blink the LED of the device.
Definition: yubihsm.h:343
Get an Object under wrap from the device.
Definition: yubihsm.h:277
bool yh_is_ec(yh_algorithm algorithm)
Check if an algorithm is a supported Elliptic Curve algorithm.
Decrypt data that was encrypted using RSA-PKCS#1v1.5.
Definition: yubihsm.h:275
ecbp512
Definition: yubihsm.h:426
OTP AEAD Key is a secret key used to decrypt Yubico OTP values.
Definition: yubihsm.h:376
Authentication Key is used to establish Sessions with a device.
Definition: yubihsm.h:364
yh_rc yh_util_import_wrap_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const yh_capabilities *delegated_capabilities, const uint8_t *in, size_t in_len)
Import a Wrap Key into the device.
Returned value when there is a mismatch between expected and received length of an argument to a func...
Definition: yubihsm.h:185
yh_rc yh_util_import_hmac_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *key, size_t key_len)
Import an HMAC key into the device.
rsa-pss-sha256
Definition: yubihsm.h:402
Create a Yubico OTP AEAD.
Definition: yubihsm.h:323
ecp224
Definition: yubihsm.h:484
Public Key is the public key of an asymmetric key-pair.
Definition: yubihsm.h:379
yh_rc yh_util_sign_pkcs1v1_5(yh_session *session, uint16_t key_id, bool hashed, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Sign data using RSA-PKCS#1v1.5.
yh_rc yh_util_import_opaque(yh_session *session, uint16_t *object_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *in, size_t in_len)
Import an YH_OPAQUE object into the device.
bool yh_connector_has_device(yh_connector *connector)
Check if the connector has a device connected.
Returned value when the device session is invalid.
Definition: yubihsm.h:201
yh_rc yh_util_reset_device(yh_session *session)
Factory reset the device.
Import a HMAC key into the device.
Definition: yubihsm.h:293
yh_rc yh_util_get_log_entries(yh_session *session, uint16_t *unlogged_boot, uint16_t *unlogged_auth, yh_log_entry *out, size_t *n_items)
Get audit logs from the device.
Sign SSH certificate request.
Definition: yubihsm.h:315
yh_rc yh_type_to_string(yh_object_type type, char const **result)
Convert a yh_object_type to its string representation.
yh_rc
Return codes.
Definition: yubihsm.h:170
yh_rc yh_get_verbosity(uint8_t *verbosity)
Get verbosity level when executing commands.
Encrypt (wrap) data using a Wrap Key.
Definition: yubihsm.h:337
Returned value when the device returned no error.
Definition: yubihsm.h:195
struct yh_connector yh_connector
Reference to a connector.
Definition: yubihsm.h:156
Return value when the command execution has not terminated.
Definition: yubihsm.h:226
yh_rc yh_get_connector_address(yh_connector *connector, char **const address)
Get connector address.
Get the public key of an Asymmetric Key in the device.
Definition: yubihsm.h:297
yh_rc yh_util_generate_ec_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Generate an Elliptic Curve key in the device.
yh_rc yh_util_get_opaque(yh_session *session, uint16_t object_id, uint8_t *out, size_t *out_len)
Get an YH_OPAQUE object (like an X.509 certificate) from the device.
uint16_t len
Object length.
Definition: yubihsm.h:546
Returned value when failing to authenticate the session.
Definition: yubihsm.h:191
yh_algorithm
Algorithms.
Definition: yubihsm.h:390
uint16_t second_key
ID of second Object used.
Definition: yubihsm.h:528
uint32_t systick
Systick at time of execution.
Definition: yubihsm.h:532
yh_rc yh_util_derive_ecdh(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Derive an ECDH key from a private EC key on the device and a provided public EC key.
yh_rc yh_util_list_objects(yh_session *session, uint16_t id, yh_object_type type, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const char *label, yh_object_descriptor *objects, size_t *n_objects)
List objects accessible from the session.
The response byte returned from the device if the command resulted in an error.
Definition: yubihsm.h:348
Decrypt (unwrap) data using a Wrap Key.
Definition: yubihsm.h:339
Generate a Wrap Key in the device.
Definition: yubihsm.h:311
Return value when trying to add an object with an ID that already exists.
Definition: yubihsm.h:230
uint16_t target_key
ID of first Object used.
Definition: yubihsm.h:526
Import an OTP AEAD Key into the device.
Definition: yubihsm.h:331
aes192-ccm-wrap
Definition: yubihsm.h:472
yh_rc yh_util_import_authentication_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, const yh_capabilities *delegated_capabilities, const uint8_t *key_enc, size_t key_enc_len, const uint8_t *key_mac, size_t key_mac_len)
Import an YH_AUTHENTICATION_KEY into the device.
yh_rc yh_util_get_object_info(yh_session *session, uint16_t id, yh_object_type type, yh_object_descriptor *object)
Get metadata of the object with the specified Object ID and Type.
yh_rc yh_init(void)
Global library initialization.
yh_rc yh_string_to_capabilities(const char *capability, yh_capabilities *result)
Convert capability string to byte array.
uint16_t number
Monotonically increasing index.
Definition: yubihsm.h:518
Get all current audit log entries from the device Log Store.
Definition: yubihsm.h:283
Factory reset a device.
Definition: yubihsm.h:255
Return value when connector operation failed.
Definition: yubihsm.h:232
Sign data using EdDSA.
Definition: yubihsm.h:341
rsa-oaep-sha512
Definition: yubihsm.h:446
uint16_t id
Object ID.
Definition: yubihsm.h:544
Close session.
Definition: yubihsm.h:257
yh_rc yh_exit(void)
Global library clean up.
Decrypt a Yubico OTP.
Definition: yubihsm.h:321
yh_rc yh_capabilities_to_strings(const yh_capabilities *num, const char *result[], size_t *n_result)
Convert an array of yh_capabilities into strings separated by ','.
yh_rc yh_connect(yh_connector *connector, int timeout)
Connect to the device through the specified connector.
yh_rc yh_util_generate_hmac_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm)
Generate an HMAC key in the device.
mgf1-sha384
Definition: yubihsm.h:458
File with CA certificate to validate the connector with (const char *).
Definition: yubihsm.h:503
#define YH_OBJ_LABEL_LEN
Max length of object labels.
Definition: yubihsm.h:123
bool yh_verify_logs(yh_log_entry *logs, size_t n_items, yh_log_entry *last_previous_log)
Verify an array of log entries.
Return value when no more sessions can be opened on the device.
Definition: yubihsm.h:205
rsa-oaep-sha1
Definition: yubihsm.h:440
aes128-ccm-wrap
Definition: yubihsm.h:448
yh_capabilities capabilities
Object capabilities.
Definition: yubihsm.h:542
yh_rc yh_util_sign_ecdsa(yh_session *session, uint16_t key_id, const uint8_t *in, size_t in_len, uint8_t *out, size_t *out_len)
Sign data using ECDSA.
Object descriptor.
Definition: yubihsm.h:540
Proxy server to use for connecting to the connector (const char *).
Definition: yubihsm.h:506
yh_rc yh_util_randomize_otp_aead(yh_session *session, uint16_t key_id, uint8_t *out, size_t *out_len)
Create OTP AEAD from random data.
yh_connector_option
Options for the connector, set with yh_set_connector_option()
Definition: yubihsm.h:500
Return value when an invalid Object ID is used.
Definition: yubihsm.h:220
eck256
Definition: yubihsm.h:420
yh_rc yh_util_verify_hmac(yh_session *session, uint16_t key_id, const uint8_t *signature, size_t signature_len, const uint8_t *data, size_t data_len, bool *verified)
Verify a generated HMAC.
Return value when encountering a storage failure on the device.
Definition: yubihsm.h:209
ecdsa-sha256
Definition: yubihsm.h:476
Return value when the device is in demo mode and has to be power cycled.
Definition: yubihsm.h:224
Import a wrapped Object into the device.
Definition: yubihsm.h:279
Return value when encountering an unknown error.
Definition: yubihsm.h:228
Get device metadata.
Definition: yubihsm.h:253
Returned value when the device receives a malformed command invalid data.
Definition: yubihsm.h:199
aes192-yubico-otp
Definition: yubihsm.h:468
Return value when the log buffer is full and forced audit is set.
Definition: yubihsm.h:216
const char * yh_strerror(yh_rc err)
Return a string describing an error condition.
yh_rc yh_util_import_rsa_key(yh_session *session, uint16_t *key_id, const char *label, uint16_t domains, const yh_capabilities *capabilities, yh_algorithm algorithm, const uint8_t *p, const uint8_t *q)
Import an RSA key into the device.
Wrap Key is a secret key used to wrap and unwrap Objects during the export and import process...
Definition: yubihsm.h:369
yh_rc yh_util_get_public_key(yh_session *session, uint16_t id, uint8_t *data, size_t *data_len, yh_algorithm *algorithm)
Get the value of the public key with the specified Object ID.
Return value when the object not found on the device.
Definition: yubihsm.h:218
Returned value when failing to verify MAC.
Definition: yubihsm.h:193
yh_rc yh_util_set_log_index(yh_session *session, uint16_t index)
Set the index of the last extracted log entry.
Send a command over an established session.
Definition: yubihsm.h:251
yh_rc yh_util_create_otp_aead(yh_session *session, uint16_t key_id, const uint8_t *key, const uint8_t *private_id, uint8_t *out, size_t *out_len)
Create a Yubico OTP AEAD using the provided data.
Returned value when failing to find a suitable connector.
Definition: yubihsm.h:180
rsa4096
Definition: yubihsm.h:412
