├── .ci ├── client-combined.pem.enc └── server-crt.pem ├── .clang-format ├── .github ├── codeql │ └── codeql-config.yml └── workflows │ ├── build_and_fuzz.yml │ ├── build_and_test.yml │ ├── build_and_test_windows.yml │ ├── codeql-analysis.yml │ ├── integration_test.yml │ ├── push_fuzzing_msan_container.yml │ └── release.yml ├── .gitignore ├── .pre-commit-config.yaml ├── CHANGELOG ├── CMakeLists.txt ├── LICENSE ├── README ├── README.adoc ├── aes_cmac ├── aes.c ├── aes.h ├── aes_cmac.c ├── aes_cmac.h └── tests │ └── aes_cmac_tests.c ├── cmake ├── FindGcov.cmake ├── FindLcov.cmake ├── Findcodecov.cmake ├── Fuzzing.cmake ├── SecurityFlags.cmake ├── cppcheck.cmake ├── gengetopt.cmake ├── getopt.cmake ├── help2man.cmake ├── mingw32.cmake ├── mingw64.cmake ├── openssl.cmake └── zlib.cmake ├── common ├── debug.h ├── ecdh.c ├── ecdh.h ├── hash.c ├── hash.h ├── insecure_memzero.h ├── openssl-compat.c ├── openssl-compat.h ├── parsing.c ├── parsing.h ├── pkcs5.c ├── pkcs5.h ├── platform-config.h.in ├── rand.c ├── rand.h ├── time_win.c ├── time_win.h ├── util.c └── util.h ├── debian ├── README.source ├── changelog ├── compat ├── control ├── copyright ├── gbp.conf ├── libykhsmauth-dev.install ├── libykhsmauth1.install ├── libyubihsm-dev.install ├── libyubihsm-http1.install ├── libyubihsm-usb1.install ├── libyubihsm1.install ├── rules ├── source │ └── format ├── watch ├── yubihsm-auth.install ├── yubihsm-pkcs11.install ├── yubihsm-shell.install └── yubihsm-wrap.install ├── doc └── API_Changes.adoc ├── examples ├── CMakeLists.txt ├── asym_auth.c ├── attest.c ├── attestation_template.pem ├── change_authkey.c ├── decrypt_ec.c ├── decrypt_rsa.c ├── echo.c ├── ed25519_pvtkey.pem ├── encrypt_aes.c ├── generate_ec.c ├── generate_hmac.c ├── generate_rsa.c ├── import_authkey.c ├── import_ec.c ├── import_ed.c ├── import_rsa.c ├── info.c ├── logs.c ├── p11_generate_rsa.c ├── p256_pvtkey.pem ├── rsa2048_pvtkey.pem ├── ssh.c ├── ssh_ca_pvtkey.pem ├── ssh_req.dat ├── wrap.c ├── wrap_data.c └── yubico_otp.c ├── lib ├── CMakeLists.txt ├── Doxyfile ├── README.adoc ├── data_compress.c ├── data_compress.h ├── debug_lib.h ├── error.c ├── fuzz │ ├── fuzz_send_plain_msg.cc │ ├── fuzz_send_secure_msg.cc │ ├── yubihsm_fuzz.cc │ └── yubihsm_fuzz.h ├── internal.h ├── lib_util.c ├── scp.h ├── tests │ ├── CMakeLists.txt │ ├── test_parsing.c │ ├── test_pbkdf2.c │ ├── test_usb_url.c │ └── test_util.c ├── version.rc.in ├── version_winhttp.rc.in ├── version_winusb.rc.in ├── yubihsm.c ├── yubihsm.h ├── yubihsm.pc.in ├── yubihsm_curl.c ├── yubihsm_libusb.c ├── yubihsm_usb.c ├── yubihsm_usb.h ├── yubihsm_winhttp.c └── yubihsm_winusb.c ├── pkcs11 ├── CMakeLists.txt ├── README.adoc ├── cmdline.ggo ├── debug_p11.c ├── debug_p11.h ├── fuzz │ └── fuzz_get_attribute_value.cc ├── list.c ├── list.h ├── pkcs11.h ├── pkcs11f.h ├── pkcs11t.h ├── pkcs11y.h ├── tests │ ├── CMakeLists.txt │ ├── aes_encrypt_test.c │ ├── asym_wrap_test.c │ ├── common.c │ ├── common.h │ ├── ecdh_derive_test.c │ ├── ecdh_sp800_test.c │ ├── engine_tests.sh │ ├── pkcs11_interfaces_test.c │ ├── pkcs11test.sh │ ├── pss_sign_test.c │ └── rsa_enc_test.c ├── util_pkcs11.c ├── util_pkcs11.h ├── version.rc.in ├── yubihsm_pkcs11.c └── yubihsm_pkcs11.h ├── resources ├── fuzzing │ └── Docker.fuzzing_msan ├── make_src_dist.sh ├── release │ ├── icons │ │ ├── yubico-msi-background.png │ │ └── yubico-msi-y-banner.png │ ├── linux │ │ ├── Vagrantfile │ │ ├── build-all.sh │ │ ├── build-pkg.sh │ │ ├── build-rpm.sh │ │ ├── install_redhat_dependencies.sh │ │ ├── licenses │ │ │ ├── libusb │ │ │ └── openssl │ │ └── yubihsm-shell.spec │ ├── macos │ │ ├── check_hardening.sh │ │ ├── distribution.xml │ │ ├── license.adoc │ │ ├── make_installer.sh │ │ └── make_release_binaries.sh │ └── win │ │ ├── license.rtf │ │ ├── make_release_binaries.ps1 │ │ ├── repack_installer.ps1 │ │ ├── sign_installer.bat │ │ ├── sign_release.bat │ │ ├── yubihsm-shell_x64.wxs │ │ └── yubihsm-shell_x86.wxs └── tests │ ├── bash │ ├── cmdline_test.sh │ ├── opensc_test.sh │ ├── test_eckey.sh │ ├── test_edkey.sh │ ├── test_hmackey.sh │ ├── test_otpaeadkey.sh │ ├── test_rsakey.sh │ ├── test_wrapkey.sh │ └── test_x509template.pem │ └── ps1 │ ├── cmdline_test.ps1 │ ├── opensc_test.ps1 │ ├── test_eckey.ps1 │ ├── test_edkey.ps1 │ ├── test_hmackey.ps1 │ ├── test_otpaeadkey.ps1 │ └── test_rsakey.ps1 ├── src ├── CMakeLists.txt ├── README.adoc ├── cmdline.ggo ├── commands.c ├── commands.h ├── main.c ├── tests │ ├── CMakeLists.txt │ ├── data.txt │ ├── sig.out │ ├── tests.sh │ ├── wrapped_tests.sh │ └── yubihsm_shell_tests.c ├── version.rc.in └── yubihsm-shell.h ├── yhwrap ├── CMakeLists.txt ├── README.adoc ├── cmdline.ggo ├── main.c └── version.rc.in ├── ykhsmauth ├── CMakeLists.txt ├── README.adoc ├── error.c ├── internal.h ├── version.rc.in ├── ykhsmauth.c ├── ykhsmauth.h └── ykhsmauth.pc.in └── yubihsm-auth ├── CMakeLists.txt ├── README.adoc ├── cmdline.ggo ├── main.c └── version.rc.in /.ci/client-combined.pem.enc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Yubico/yubihsm-shell/a85a9bd4c5f25cea1227ca60379419ca7a6a0a28/.ci/client-combined.pem.enc -------------------------------------------------------------------------------- /.ci/server-crt.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIID/TCCAuWgAwIBAgIUUn0rSVeM6MoylF6Ll6Jy5O95iMwwDQYJKoZIhvcNAQEL 3 | BQAwYzELMAkGA1UEBhMCU0UxEjAQBgNVBAcMCVN0b2NraG9sbTESMBAGA1UECgwJ 4 | WXViaWNvIEFCMSwwKgYDVQQDDCNoc20tY29ubmVjdG9yMDEuc3RobG0uaW4ueXVi 5 | aWNvLm9yZzAgFw0yNTAyMDMxNzQ5MjVaGA8yMTI1MDExMDE3NDkyNVowYzELMAkG 6 | A1UEBhMCU0UxEjAQBgNVBAcMCVN0b2NraG9sbTESMBAGA1UECgwJWXViaWNvIEFC 7 | MSwwKgYDVQQDDCNoc20tY29ubmVjdG9yMDEuc3RobG0uaW4ueXViaWNvLm9yZzCC 8 | ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJXDOCdEJTPn4x0CQbXg12xm 9 | z4yIOAoFhTo40cV+AQnHfaha0Wd7hKTi2r7Lc4ehlv+GBf3fafrNKdzvzIepZMzx 10 | GcVqVpqwdTwdwQS5u0iyPRNqbLQeFEqWD2myYnI6NciTF78GyCwvKc5zsBmue95l 11 | zRooTnr0I0UqBnqWpstmSRD+3uYytr3T0CWbtR2keNSIqKtYErIvc3ahvT6eAywH 12 | Gv7BXpp6Q1htb4eJVIwdB4iyQV4uf283l1rzzWnt4dE5e2IoKvF3eENt/D5YXEuV 13 | alVkr7j/j/56O0cwjGKXdubpn0YUexb7YaWWjmHBzEewk+WDMk7VzliQ2NGajQEC 14 | AwEAAaOBpjCBozAdBgNVHQ4EFgQUOCPzWstJLYd6aptH/QltOrxDzS8wHwYDVR0j 15 | BBgwFoAUOCPzWstJLYd6aptH/QltOrxDzS8wDwYDVR0TAQH/BAUwAwEB/zBQBgNV 16 | HREESTBHgiNoc20tY29ubmVjdG9yMDEuc3RobG0uaW4ueXViaWNvLm9yZ4IgaHNt 17 | LWNvbm5lY3RvcjAxLnN0aGxtLnl1Ymljby5vcmcwDQYJKoZIhvcNAQELBQADggEB 18 | AEydBYgUmKz1Gur9QxCCpPaGmbiMDWb+HpSRP5PsmKiaZc7lwlWEO8buYb/yJhhR 19 | CSBo5Qr9SV1Hdk8ciP0RV69hcIl5IKMShskjjXwcHJjoJ5+6uD+tDfDKOiyqAyeH 20 | 5ttPJEWiyhE+Di5shenxuT9WHMsSMGaeeM91wWAlM0TEwWxYbKb5aMK7v616zTax 21 | 4vKtRh5BkkMDBcpb609DJU3B7SIITXNZzkfPi1WzHRTWNtkP5uSvwuj8EYFDNApd 22 | BijeHm7PXfegboK52AlnN3KPcX1t+xid1DTArVRjOoh21RklQBkY/5Y8zf0fXCr1 23 | Sy+Mzw5uNrrWS6RUzkCEvXo= 24 | -----END CERTIFICATE----- 25 | -------------------------------------------------------------------------------- /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | Language: Cpp 3 | AccessModifierOffset: -2 4 | AlignAfterOpenBracket: Align 5 | AlignConsecutiveAssignments: false 6 | AlignConsecutiveDeclarations: false 7 | AlignEscapedNewlines: Right 8 | AlignOperands: true 9 | AlignTrailingComments: true 10 | AllowAllParametersOfDeclarationOnNextLine: true 11 | AllowShortBlocksOnASingleLine: false 12 | AllowShortCaseLabelsOnASingleLine: false 13 | AllowShortFunctionsOnASingleLine: All 14 | AllowShortIfStatementsOnASingleLine: false 15 | AllowShortLoopsOnASingleLine: false 16 | AlwaysBreakAfterDefinitionReturnType: None 17 | AlwaysBreakAfterReturnType: None 18 | AlwaysBreakBeforeMultilineStrings: false 19 | AlwaysBreakTemplateDeclarations: false 20 | BinPackArguments: true 21 | BinPackParameters: true 22 | BraceWrapping: 23 | AfterClass: false 24 | AfterControlStatement: false 25 | AfterEnum: false 26 | AfterFunction: false 27 | AfterNamespace: false 28 | AfterObjCDeclaration: false 29 | AfterStruct: false 30 | AfterUnion: false 31 | BeforeCatch: false 32 | BeforeElse: false 33 | IndentBraces: false 34 | SplitEmptyFunction: true 35 | SplitEmptyRecord: true 36 | SplitEmptyNamespace: true 37 | BreakBeforeBinaryOperators: None 38 | BreakBeforeBraces: Attach 39 | BreakBeforeInheritanceComma: false 40 | BreakBeforeTernaryOperators: true 41 | BreakConstructorInitializersBeforeComma: false 42 | BreakConstructorInitializers: BeforeColon 43 | BreakAfterJavaFieldAnnotations: false 44 | BreakStringLiterals: true 45 | ColumnLimit: 80 46 | CommentPragmas: '^ IWYU pragma:' 47 | CompactNamespaces: false 48 | ConstructorInitializerAllOnOneLineOrOnePerLine: false 49 | ConstructorInitializerIndentWidth: 2 50 | ContinuationIndentWidth: 2 51 | Cpp11BracedListStyle: true 52 | DerivePointerAlignment: false 53 | DisableFormat: false 54 | ExperimentalAutoDetectBinPacking: false 55 | FixNamespaceComments: true 56 | ForEachMacros: 57 | - foreach 58 | - Q_FOREACH 59 | - BOOST_FOREACH 60 | IncludeCategories: 61 | - Regex: '^"(llvm|llvm-c|clang|clang-c)/' 62 | Priority: 2 63 | - Regex: '^(<|"(gtest|isl|json)/)' 64 | Priority: 3 65 | - Regex: '.*' 66 | Priority: 1 67 | IncludeIsMainRegex: '(Test)?$' 68 | IndentCaseLabels: true 69 | IndentWidth: 2 70 | IndentWrappedFunctionNames: false 71 | JavaScriptQuotes: Leave 72 | JavaScriptWrapImports: true 73 | KeepEmptyLinesAtTheStartOfBlocks: true 74 | MacroBlockBegin: '' 75 | MacroBlockEnd: '' 76 | MaxEmptyLinesToKeep: 1 77 | NamespaceIndentation: None 78 | ObjCBlockIndentWidth: 2 79 | ObjCSpaceAfterProperty: false 80 | ObjCSpaceBeforeProtocolList: true 81 | PenaltyBreakAssignment: 2 82 | PenaltyBreakBeforeFirstCallParameter: 1000 83 | PenaltyBreakComment: 300 84 | PenaltyBreakFirstLessLess: 120 85 | PenaltyBreakString: 1000 86 | PenaltyExcessCharacter: 1000000 87 | PenaltyReturnTypeOnItsOwnLine: 60 88 | PointerAlignment: Right 89 | ReflowComments: true 90 | SortIncludes: false 91 | SortUsingDeclarations: true 92 | SpaceAfterCStyleCast: true 93 | SpaceAfterTemplateKeyword: true 94 | SpaceBeforeAssignmentOperators: true 95 | SpaceBeforeParens: ControlStatements 96 | SpaceInEmptyParentheses: false 97 | SpacesBeforeTrailingComments: 1 98 | SpacesInAngles: false 99 | SpacesInContainerLiterals: true 100 | SpacesInCStyleCastParentheses: false 101 | SpacesInParentheses: false 102 | SpacesInSquareBrackets: false 103 | Standard: Cpp11 104 | TabWidth: 8 105 | UseTab: Never 106 | ... 107 | 108 | -------------------------------------------------------------------------------- /.github/codeql/codeql-config.yml: -------------------------------------------------------------------------------- 1 | name: "yubihsm-shell codeql config" 2 | queries: 3 | - uses: security-and-quality 4 | paths: 5 | - aes_cmac 6 | - common 7 | - lib 8 | - pkcs11 9 | - src 10 | - yhwrap 11 | - ykhsmauth 12 | paths-ignore: 13 | # these cmdline.c files are autogenerated via gengetopt 14 | - '**/cmdline.c' 15 | -------------------------------------------------------------------------------- /.github/workflows/build_and_fuzz.yml: -------------------------------------------------------------------------------- 1 | name: Build and Fuzz 2 | 3 | on: 4 | schedule: 5 | # Run this every wednesday at 3:50. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule 6 | - cron: '50 3 * * 3' 7 | 8 | jobs: 9 | fuzz_msan: 10 | name: fuzz with MemorySanitizer 11 | runs-on: ubuntu-latest 12 | container: ghcr.io/yubico/yubihsm-shell/fuzzing-msan:latest 13 | 14 | steps: 15 | 16 | - name: clone the Yubico/yubihsm-shell repository 17 | uses: actions/checkout@v3 18 | with: 19 | path: yubihsm-shell 20 | 21 | - name: do build 22 | working-directory: yubihsm-shell 23 | run: | 24 | cmake \ 25 | -DENABLE_CERT_COMPRESS=OFF \ 26 | -DFUZZING=ON \ 27 | -DFUZZING_MSAN=ON \ 28 | -DWITHOUT_MANPAGES=ON \ 29 | -DDISABLE_LTO=ON \ 30 | -DENABLE_STATIC=ON \ 31 | -B build-msan 32 | cmake --build build-msan 33 | 34 | - name: run harness for fuzz_get_attribute_value 35 | working-directory: yubihsm-shell 36 | env: 37 | LD_LIBRARY_PATH: /llvm-msan/install-runtimes-msan/lib;/openssl-msan/install/lib 38 | run: ./build-msan/pkcs11/fuzz_get_attribute_value -max_total_time=1800 39 | 40 | fuzz_asan: 41 | name: fuzz with AddressSanitizer 42 | runs-on: ubuntu-latest 43 | container: ubuntu:24.04 44 | 45 | steps: 46 | 47 | - name: install dependencies from package management 48 | env: 49 | DEBIAN_FRONTEND: noninteractive 50 | run: | 51 | apt -q -y update 52 | apt -q -y install \ 53 | llvm-16 clang-16 lld-16 \ 54 | build-essential cmake ninja-build pkg-config \ 55 | libssl-dev libedit-dev libcurl4-openssl-dev libusb-1.0-0-dev libpcsclite-dev gengetopt zlib1g-dev 56 | 57 | - name: clone the Yubico/yubihsm-shell repository 58 | uses: actions/checkout@v3 59 | with: 60 | path: yubihsm-shell 61 | 62 | - name: do build 63 | env: 64 | CC: clang-16 65 | CXX: clang++-16 66 | working-directory: yubihsm-shell 67 | run: | 68 | cmake \ 69 | -DENABLE_CERT_COMPRESS=OFF \ 70 | -DFUZZING=ON \ 71 | -DWITHOUT_MANPAGES=ON \ 72 | -DDISABLE_LTO=ON \ 73 | -DENABLE_STATIC=ON \ 74 | -B build-asan 75 | cmake --build build-asan 76 | 77 | - name: run harness for fuzz_get_attribute_value 78 | working-directory: yubihsm-shell 79 | run: ./build-asan/pkcs11/fuzz_get_attribute_value -max_total_time=1800 80 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | name: "CodeQL" 2 | 3 | on: 4 | push: 5 | pull_request: 6 | schedule: 7 | - cron: '27 22 * * 0' 8 | 9 | jobs: 10 | analyze: 11 | name: Analyze 12 | runs-on: ubuntu-latest 13 | permissions: 14 | actions: read 15 | contents: read 16 | security-events: write 17 | 18 | steps: 19 | - name: Checkout repository 20 | uses: actions/checkout@v2 21 | 22 | # Initializes the CodeQL tools for scanning. 23 | - name: Initialize CodeQL 24 | uses: github/codeql-action/init@v2 25 | with: 26 | languages: cpp 27 | config-file: ./.github/codeql/codeql-config.yml 28 | 29 | - name: Install dependencies from package management 30 | env: 31 | DEBIAN_FRONTEND: noninteractive 32 | run: | 33 | sudo apt -q update 34 | sudo apt install -q -y 35 | sudo apt install -q -y libssl-dev libcurl4-openssl-dev libusb-1.0-0-dev libedit-dev libpcsclite-dev gengetopt help2man 36 | 37 | - name: Build project 38 | run: | 39 | mkdir build 40 | cd build 41 | cmake .. 42 | make 43 | 44 | - name: Perform CodeQL Analysis 45 | uses: github/codeql-action/analyze@v2 46 | -------------------------------------------------------------------------------- /.github/workflows/push_fuzzing_msan_container.yml: -------------------------------------------------------------------------------- 1 | name: Create MSAN fuzzing docker image 2 | 3 | on: 4 | push: 5 | paths: 6 | - "resources/fuzzing/Docker.fuzzing_msan" 7 | 8 | jobs: 9 | build_and_push: 10 | name: Build and Push 11 | 12 | runs-on: ubuntu-latest 13 | 14 | permissions: 15 | packages: write 16 | 17 | steps: 18 | - name: Check out repository 19 | uses: actions/checkout@v4 20 | 21 | - name: Login to GHCR 22 | uses: docker/login-action@v3 23 | with: 24 | registry: ghcr.io 25 | username: ${{ github.actor }} 26 | password: ${{ secrets.GITHUB_TOKEN }} 27 | 28 | - name: Build image 29 | uses: docker/build-push-action@v5 30 | with: 31 | pull: true 32 | push: true 33 | tags: ghcr.io/yubico/yubihsm-shell/fuzzing-msan:latest 34 | context: "{{defaultContext}}:resources/fuzzing" 35 | file: "Docker.fuzzing_msan" 36 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .deps/ 2 | Makefile 3 | aclocal.m4 4 | autom4te.cache/ 5 | config.log 6 | config.status 7 | configure 8 | libsrc 9 | libtool 10 | m4/libtool.m4 11 | m4/libsrc.m4 12 | m4/ltoptions.m4 13 | m4/ltsugar.m4 14 | m4/ltversion.m4 15 | m4/lt~obsolete.m4 16 | *.c~ 17 | *.h~ 18 | build-aux/ar-lib 19 | build-aux/compile 20 | build-aux/config.guess 21 | build-aux/config.sub 22 | build-aux/depcomp 23 | build-aux/install-sh 24 | build-aux/ltmain.sh 25 | build-aux/missing 26 | build-aux/test-driver 27 | tmp32/ 28 | tmp64/ 29 | yubihsm-shell-*-win32.zip 30 | yubihsm-shell-*-win32.zip.sig 31 | yubihsm-shell-*-win64.zip 32 | yubihsm-shell-*-win64.zip.sig 33 | yubihsm-shell-*.tar.gz 34 | yubihsm-shell-*.tar.gz.sig 35 | yubihsm-shell-*-mac.zip 36 | yubihsm-shell-*-mac.zip.sig 37 | **/.libs/* 38 | **/*.la 39 | **/*.lo 40 | **/*.log 41 | **/*.trs 42 | **/*.o 43 | **/*.pc 44 | **/*_tests 45 | \#*\# 46 | src/cmdline.c 47 | src/cmdline.h 48 | pkcs11/cmdline.c 49 | pkcs11/cmdline.h 50 | build*/ 51 | cscope.* 52 | yhauth/cmdline.c 53 | yhauth/cmdline.h 54 | yhwrap/cmdline.c 55 | yhwrap/cmdline.h 56 | yubihsm-auth/cmdline.c 57 | yubihsm-auth/cmdline.h 58 | common/platform-config.h 59 | lib/*doxygen* 60 | .ci/client-combined.pem 61 | .DS_Store 62 | .ccls-cache 63 | compile_commands.json 64 | cov 65 | cov.info 66 | coverage.dat 67 | .vscode/ 68 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: git://github.com/pre-commit/pre-commit-hooks 3 | sha: v1.4.0 4 | hooks: 5 | - id: check-added-large-files 6 | - id: check-case-conflict 7 | - id: check-merge-conflict 8 | - repo: local 9 | hooks: 10 | - id: indent 11 | name: Reticulating splines 12 | entry: clang-format 13 | args: 14 | - -i 15 | language: system 16 | files: \.(c|h)$ 17 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | README.adoc -------------------------------------------------------------------------------- /aes_cmac/aes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* aes.h 18 | ** 19 | ** Defines the AES crypto module for CMAC 20 | */ 21 | 22 | #ifndef _AESCMAC_AES_H_ 23 | #define _AESCMAC_AES_H_ 24 | 25 | #include 26 | #include "../common/platform-config.h" 27 | 28 | #ifdef _WIN32_BCRYPT 29 | #include 30 | #include 31 | #include 32 | #else 33 | #include 34 | #endif 35 | 36 | #ifndef AES_BLOCK_SIZE // Defined in openssl/aes.h 37 | #define AES_BLOCK_SIZE 16 38 | #endif 39 | 40 | #ifdef __cplusplus 41 | extern "C" { 42 | #endif 43 | 44 | typedef struct { 45 | #ifdef _WIN32_BCRYPT 46 | BCRYPT_ALG_HANDLE hAlgCBC; 47 | BCRYPT_ALG_HANDLE hAlgECB; 48 | BCRYPT_KEY_HANDLE hKeyCBC; 49 | BCRYPT_KEY_HANDLE hKeyECB; 50 | PBYTE pbKeyCBCObj; 51 | PBYTE pbKeyECBObj; 52 | size_t cbKeyObj; 53 | #else 54 | EVP_CIPHER_CTX *ctx; 55 | uint16_t key_len; 56 | uint8_t key[32]; 57 | #endif 58 | } aes_context; 59 | 60 | #ifndef __WIN32 61 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 62 | #else 63 | #define YH_INTERNAL 64 | #endif 65 | 66 | int YH_INTERNAL aes_load_key(const char *key, aes_context *ctx); 67 | int YH_INTERNAL aes_set_key(const uint8_t *key, uint16_t key_len, 68 | aes_context *ctx); 69 | 70 | int YH_INTERNAL aes_encrypt(const uint8_t *in, uint8_t *out, aes_context *ctx); 71 | int YH_INTERNAL aes_decrypt(const uint8_t *in, uint8_t *out, aes_context *ctx); 72 | 73 | int YH_INTERNAL aes_cbc_encrypt(const uint8_t *in, uint8_t *out, uint16_t len, 74 | const uint8_t *iv, aes_context *ctx); 75 | int YH_INTERNAL aes_cbc_decrypt(const uint8_t *in, uint8_t *out, uint16_t len, 76 | const uint8_t *iv, aes_context *ctx); 77 | 78 | int YH_INTERNAL aes_add_padding(uint8_t *in, uint16_t max_len, uint16_t *len); 79 | void YH_INTERNAL aes_remove_padding(uint8_t *in, uint16_t *len); 80 | 81 | void YH_INTERNAL aes_destroy(aes_context *ctx); 82 | 83 | #ifdef __cplusplus 84 | } 85 | #endif 86 | 87 | #endif /* _AESCMAC_AES_H_ */ 88 | -------------------------------------------------------------------------------- /aes_cmac/aes_cmac.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | // AES-CMAC implementation as defined in SP-800-38B 18 | // AES key length can be one of 128, 192, 256 19 | // Output length is one full block (16 bytes) 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | #include "aes_cmac.h" 26 | #include "../common/insecure_memzero.h" 27 | 28 | static const uint8_t zero[AES_BLOCK_SIZE] = {0}; 29 | 30 | static void do_pad(uint8_t *data, uint8_t len) { 31 | 32 | for (uint8_t i = len; i < AES_BLOCK_SIZE; i++) 33 | if (i == len) 34 | data[i] = 0x80; 35 | else 36 | data[i] = 0x00; 37 | } 38 | 39 | static void do_xor(const uint8_t *a, uint8_t *b) { 40 | 41 | for (uint8_t i = 0; i < AES_BLOCK_SIZE; i++) { 42 | b[i] ^= a[i]; 43 | } 44 | } 45 | 46 | static void do_shift_one_bit_left(const uint8_t *a, uint8_t *b, 47 | uint8_t *carry) { 48 | for (int8_t i = AES_BLOCK_SIZE - 1; i >= 0; i--) { 49 | b[i] = (a[i] << 1) | *carry; 50 | 51 | *carry = a[i] >> 7; 52 | } 53 | } 54 | 55 | static void cmac_generate_subkey(const uint8_t *key, uint8_t *subkey) { 56 | 57 | uint8_t carry = 0; 58 | 59 | do_shift_one_bit_left(key, subkey, &carry); 60 | 61 | subkey[AES_BLOCK_SIZE - 1] ^= 0x87 >> (8 - (carry * 8)); 62 | } 63 | 64 | int aes_cmac_encrypt(aes_cmac_context_t *ctx, const uint8_t *message, 65 | const uint16_t message_len, uint8_t *mac) { 66 | 67 | uint8_t M[AES_BLOCK_SIZE] = {0}; 68 | const uint8_t *ptr = message; 69 | 70 | memcpy(mac, zero, AES_BLOCK_SIZE); 71 | 72 | uint8_t n_blocks; 73 | if (message_len == 0) 74 | n_blocks = 0; 75 | else 76 | n_blocks = (message_len + (AES_BLOCK_SIZE - 1)) / AES_BLOCK_SIZE - 1; 77 | 78 | for (uint8_t i = 0; i < n_blocks; i++) { 79 | int rc = aes_cbc_encrypt(ptr, mac, AES_BLOCK_SIZE, mac, ctx->aes_ctx); 80 | if (rc) { 81 | return rc; 82 | } 83 | ptr += AES_BLOCK_SIZE; 84 | } 85 | 86 | uint8_t remaining_bytes = (message_len % AES_BLOCK_SIZE); 87 | 88 | if (remaining_bytes == 0) { 89 | if (message != NULL && message_len != 0) { 90 | memcpy(M, ptr, AES_BLOCK_SIZE); 91 | do_xor(ctx->k1, M); 92 | } else { 93 | do_pad(M, 0); 94 | do_xor(ctx->k2, M); 95 | } 96 | } else { 97 | memcpy(M, ptr, remaining_bytes); 98 | do_pad(M, remaining_bytes); 99 | do_xor(ctx->k2, M); 100 | } 101 | 102 | return aes_cbc_encrypt(M, mac, AES_BLOCK_SIZE, mac, ctx->aes_ctx); 103 | } 104 | 105 | int aes_cmac_init(aes_context *aes_ctx, aes_cmac_context_t *ctx) { 106 | 107 | uint8_t L[AES_BLOCK_SIZE] = {0}; 108 | 109 | ctx->aes_ctx = aes_ctx; 110 | 111 | int rc = aes_encrypt(zero, L, ctx->aes_ctx); 112 | if (rc) { 113 | return rc; 114 | } 115 | 116 | cmac_generate_subkey(L, ctx->k1); 117 | cmac_generate_subkey(ctx->k1, ctx->k2); 118 | 119 | return 0; 120 | } 121 | 122 | void aes_cmac_destroy(aes_cmac_context_t *ctx) { 123 | if (ctx) { 124 | insecure_memzero(ctx, sizeof(aes_cmac_context_t)); 125 | } 126 | } 127 | -------------------------------------------------------------------------------- /aes_cmac/aes_cmac.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include "aes.h" 18 | 19 | typedef struct { 20 | aes_context *aes_ctx; 21 | uint8_t k1[AES_BLOCK_SIZE]; 22 | uint8_t k2[AES_BLOCK_SIZE]; 23 | } aes_cmac_context_t; 24 | 25 | #ifndef __WIN32 26 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 27 | #else 28 | #define YH_INTERNAL 29 | #endif 30 | 31 | int YH_INTERNAL aes_cmac_init(aes_context *aes_ctx, aes_cmac_context_t *ctx); 32 | int YH_INTERNAL aes_cmac_encrypt(aes_cmac_context_t *ctx, 33 | const uint8_t *message, 34 | const uint16_t message_len, uint8_t *mac); 35 | void YH_INTERNAL aes_cmac_destroy(aes_cmac_context_t *ctx); 36 | -------------------------------------------------------------------------------- /cmake/Fuzzing.cmake: -------------------------------------------------------------------------------- 1 | option(FUZZING "Compile binaries with fuzzing instrumentation" OFF) 2 | option(LIBFUZZER_ASAN "Enable ASAN instrumentation with libfuzzer" OFF) 3 | option(FUZZING_MSAN "Compile binaries with MemorySanitizer instrumentation" OFF) 4 | 5 | if (FUZZING) 6 | message(STATUS "Building with fuzzing instrumentation.") 7 | 8 | string (APPEND CMAKE_C_FLAGS " -DFUZZING") 9 | string (APPEND CMAKE_C_FLAGS " -fno-omit-frame-pointer -O1 -g") 10 | 11 | string (APPEND CMAKE_CXX_FLAGS " -std=c++17") 12 | string (APPEND CMAKE_CXX_FLAGS " -DFUZZING") 13 | string (APPEND CMAKE_CXX_FLAGS " -fno-omit-frame-pointer -O1 -g") 14 | 15 | string (APPEND CMAKE_EXE_LINKER_FLAGS " -g") 16 | 17 | if (FUZZING_MSAN) 18 | string (APPEND CMAKE_C_FLAGS " -fsanitize=memory") 19 | string (APPEND CMAKE_CXX_FLAGS " -fsanitize=memory") 20 | string (APPEND CMAKE_EXE_LINKER_FLAGS " -fsanitize=memory") 21 | else (FUZZING_MSAN) 22 | string (APPEND CMAKE_C_FLAGS " -fsanitize=address -fsanitize=undefined") 23 | string (APPEND CMAKE_CXX_FLAGS " -fsanitize=address -fsanitize=undefined") 24 | string (APPEND CMAKE_EXE_LINKER_FLAGS " -fsanitize=address -fsanitize=undefined") 25 | endif (FUZZING_MSAN) 26 | 27 | endif () 28 | -------------------------------------------------------------------------------- /cmake/SecurityFlags.cmake: -------------------------------------------------------------------------------- 1 | include(CheckCCompilerFlag) 2 | 3 | if (CMAKE_C_COMPILER_ID STREQUAL "Clang" OR 4 | CMAKE_C_COMPILER_ID STREQUAL "AppleClang" OR 5 | CMAKE_C_COMPILER_ID STREQUAL "GNU") 6 | 7 | add_compile_options (-Wformat -Wformat-nonliteral -Wformat-security) 8 | add_compile_options (-Wshadow) 9 | #add_compile_options (-Wcast-qual) 10 | add_compile_options (-Wmissing-prototypes) 11 | add_compile_options (-Wbad-function-cast) 12 | add_compile_options (-pedantic -pedantic-errors) 13 | add_compile_options (-fpie -fpic) 14 | if (NOT FUZZING) 15 | add_compile_options (-Wall -Wextra -Werror) 16 | add_compile_options(-O2) 17 | add_definitions (-D_FORTIFY_SOURCE=2) 18 | endif () 19 | 20 | check_c_compiler_flag("-fstack-protector-all" HAVE_STACK_PROTECTOR_ALL) 21 | if (HAVE_STACK_PROTECTOR_ALL) 22 | message(STATUS "-fstack-protector-all support detected") 23 | add_compile_options(-fstack-protector-all) 24 | set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fstack-protector-all") 25 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fstack-protector-all") 26 | else () 27 | check_c_compiler_flag("-fstack-protector" HAVE_STACK_PROTECTOR) 28 | if(HAVE_STACK_PROTECTOR) 29 | message(STATUS "-fstack-protector support detected") 30 | add_compile_options(-fstack-protector) 31 | set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fstack-protector") 32 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fstack-protector") 33 | else () 34 | message(WARNING "No stack protection supported.") 35 | endif () 36 | endif () 37 | 38 | check_c_compiler_flag("-Wno-implicit-fallthrough" HAVE_NO_IMPLICIT_FALLTHROUGH) 39 | if (HAVE_NO_IMPLICIT_FALLTHROUGH) 40 | add_compile_options (-Wno-implicit-fallthrough) 41 | endif () 42 | 43 | if (NOT APPLE) 44 | set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -pie") 45 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie") 46 | set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,noexecstack -Wl,-z,relro,-z,now") 47 | set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,noexecstack -Wl,-z,relro,-z,now") 48 | endif() 49 | elseif (CMAKE_C_COMPILER_ID STREQUAL "MSVC") 50 | add_compile_options (/GS) 51 | add_compile_options (/Gs) 52 | add_link_options (/NXCOMPAT) 53 | add_link_options (/guard:cf) 54 | else () 55 | message(WARNING "Security related flags cannot be set for unknown C compiler.") 56 | endif () 57 | -------------------------------------------------------------------------------- /cmake/cppcheck.cmake: -------------------------------------------------------------------------------- 1 | macro (add_cppcheck_target _cc_target _cc_directories _cc_ignore) 2 | 3 | set(_cc_directories_var ${_cc_directories}) 4 | string (REPLACE " " " ${CMAKE_CURRENT_SOURCE_DIR}/" _cc_abs_directories ${_cc_directories_var}) 5 | set (_cc_abs_directories "${CMAKE_CURRENT_SOURCE_DIR}/${_cc_abs_directories}") 6 | separate_arguments (xxx UNIX_COMMAND "${_cc_abs_directories}") 7 | 8 | if (_cc_ignore STREQUAL "") 9 | string (REPLACE " " "${CMAKE_CURRENT_SOURCE_DIR}/" _cc_abs_ignore ${_cc_ignore}) 10 | set (_cc_abs_ignore ";${CMAKE_CURRENT_SOURCE_DIR}/${_cc_abs_ignore}") 11 | endif () 12 | 13 | set (_cc_extra_input "${ARGV3}") 14 | 15 | message ("Replaced ?${_cc_abs_directories}?") 16 | message ("Replaxxx ?${xxx}?") 17 | list (LENGTH _cc_abs_directories bla) 18 | message ("ignored ${_cc_abs_ignore} length is ${bla}") 19 | 20 | file(GLOB_RECURSE ALL_SOURCE_FILES *.c *.h) 21 | #message (${ALL_SOURCE_FILES}) 22 | 23 | # 24 | # set (_ignore_arg "--ignore ${_ignore}") 25 | #else () 26 | # set (_ignore_arg "set ${_ignore}") 27 | #endif () 28 | 29 | #list (APPEND _cpp_remove_list "") 30 | #list (APPEND _cpp_remove_list ) 31 | #set (_ggo_extra_input ${ARGV1}) 32 | 33 | add_custom_target ( 34 | ${_cc_target} 35 | COMMAND cppcheck 36 | --enable=all 37 | --template="[{severity}][{id}] {message} {callstack} \(On {file}:{line}\)" 38 | --suppress="unusedStructMember" 39 | -i="${_cc_abs_ignore}" 40 | --verbose 41 | --quiet 42 | ${_cc_extra_input} 43 | #"${_cc_abs_directories}" 44 | ${CMAKE_SOURCE_DIR} 45 | #"${xxx}" 46 | #VERBATIM 47 | ) 48 | endmacro(add_cppcheck_target) 49 | -------------------------------------------------------------------------------- /cmake/gengetopt.cmake: -------------------------------------------------------------------------------- 1 | macro (find_gengetopt) 2 | if (NOT GENGETOPT_EXECUTABLE) 3 | find_program (GENGETOPT_EXECUTABLE gengetopt) 4 | if (NOT GENGETOPT_EXECUTABLE) 5 | message (FATAL_ERROR "gengetopt not found. Aborting...") 6 | endif () 7 | endif () 8 | endmacro () 9 | 10 | macro (add_gengetopt_files _basename) 11 | find_gengetopt () 12 | 13 | set (_ggo_extra_input ${ARGV}) 14 | 15 | set (_ggo_c ${CMAKE_CURRENT_SOURCE_DIR}/${_basename}.c) 16 | set (_ggo_h ${CMAKE_CURRENT_SOURCE_DIR}/${_basename}.h) 17 | set (_ggo_g ${CMAKE_CURRENT_SOURCE_DIR}/${_basename}.ggo) 18 | 19 | add_custom_command ( 20 | OUTPUT ${_ggo_c} ${_ggo_h} 21 | COMMAND gengetopt ${_ggo_extra_input} -i ${_ggo_g} --output-dir ${CMAKE_CURRENT_SOURCE_DIR} 22 | DEPENDS ${_ggo_g} 23 | # BYPRODUCTS 24 | COMMENT "Generating getopt parser code (cmdline.{h,c}) ..." 25 | VERBATIM 26 | ) 27 | 28 | set (GGO_C ${_ggo_c}) 29 | set (GGO_H ${_ggo_h}) 30 | 31 | endmacro (add_gengetopt_files) 32 | -------------------------------------------------------------------------------- /cmake/getopt.cmake: -------------------------------------------------------------------------------- 1 | macro (find_getopt) 2 | if (MSVC) 3 | if(NOT GETOPT_LIB_DIR AND NOT GETOPT_INCLUDE_DIR) 4 | message (FATAL_ERROR "Missing 'GETOPT_LIB_DIR' and 'GETOPT_INCLUDE_DIR' options to CMake command. Aborting...") 5 | else(NOT GETOPT_LIB_DIR AND NOT GETOPT_INCLUDE_DIR) 6 | find_library(GETOPT getopt PATHS ${GETOPT_LIB_DIR}) 7 | set(GETOPT_LIBS ${GETOPT}) 8 | include_directories(${GETOPT_INCLUDE_DIR}) 9 | endif(NOT GETOPT_LIB_DIR AND NOT GETOPT_INCLUDE_DIR) 10 | endif (MSVC) 11 | endmacro () -------------------------------------------------------------------------------- /cmake/help2man.cmake: -------------------------------------------------------------------------------- 1 | find_program (HELP2MAN_LOCATION help2man) 2 | IF (NOT HELP2MAN_LOCATION) 3 | message (FATAL_ERROR "Cannot find help2man. Please install it.") 4 | ENDIF () 5 | 6 | MACRO (add_help2man_manpage file command) 7 | add_custom_command (OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${file} 8 | COMMAND ${HELP2MAN_LOCATION} ARGS -s1 -N -o ${CMAKE_CURRENT_BINARY_DIR}/${file} ./${command} 9 | DEPENDS ${command} 10 | COMMENT "Building manpage for ${command}") 11 | ENDMACRO () 12 | -------------------------------------------------------------------------------- /cmake/mingw32.cmake: -------------------------------------------------------------------------------- 1 | # the name of the target operating system 2 | SET(CMAKE_SYSTEM_NAME Windows) 3 | 4 | # which compilers to use for C and C++ 5 | SET(CMAKE_C_COMPILER i686-w64-mingw32-gcc) 6 | SET(CMAKE_CXX_COMPILER i686-w64-mingw32-g++) 7 | SET(CMAKE_RC_COMPILER i686-w64-mingw32-windres) 8 | 9 | # here is the target environment located 10 | SET(CMAKE_FIND_ROOT_PATH /usr/i686-w64-mingw32 ) 11 | 12 | # adjust the default behaviour of the FIND_XXX() commands: 13 | # search headers and libraries in the target environment, search 14 | # programs in the host environment 15 | set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) 16 | set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) 17 | set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) 18 | 19 | -------------------------------------------------------------------------------- /cmake/mingw64.cmake: -------------------------------------------------------------------------------- 1 | # the name of the target operating system 2 | SET(CMAKE_SYSTEM_NAME Windows) 3 | 4 | # which compilers to use for C and C++ 5 | SET(CMAKE_C_COMPILER x86_64-w64-mingw32-gcc) 6 | SET(CMAKE_CXX_COMPILER x86_64-w64-mingw32-g++) 7 | SET(CMAKE_RC_COMPILER x86_64-w64-mingw32-windres) 8 | 9 | # here is the target environment located 10 | SET(CMAKE_FIND_ROOT_PATH /usr/x86_64-w64-mingw32 ) 11 | 12 | # adjust the default behaviour of the FIND_XXX() commands: 13 | # search headers and libraries in the target environment, search 14 | # programs in the host environment 15 | set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) 16 | set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) 17 | set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) 18 | 19 | -------------------------------------------------------------------------------- /cmake/openssl.cmake: -------------------------------------------------------------------------------- 1 | macro (find_libcrypto) 2 | if(NOT LIBCRYPTO_LDFLAGS) 3 | if(WIN32) 4 | find_package(OpenSSL REQUIRED) 5 | set(LIBCRYPTO_LDFLAGS "OpenSSL::Crypto") 6 | set(LIBCRYPTO_VERSION ${OPENSSL_VERSION}) 7 | set(LIBCRYPTO_INCLUDEDIR ${OPENSSL_INCLUDE_DIR}) 8 | else(WIN32) 9 | pkg_search_module (LIBCRYPTO REQUIRED libcrypto) 10 | endif(WIN32) 11 | endif(NOT LIBCRYPTO_LDFLAGS) 12 | endmacro() -------------------------------------------------------------------------------- /cmake/zlib.cmake: -------------------------------------------------------------------------------- 1 | macro(find_zlib) 2 | if(MSVC) 3 | if (NOT ZLIB_LIB_DIR AND NOT ZLIB_INCLUDE_DIR) 4 | message(FATAL_ERROR "Missing 'ZLIB_LIB_DIR' and 'ZLIB_INCLUDE_DIR' options to CMake command. Aborting...") 5 | else (NOT ZLIB_LIB_DIR AND NOT ZLIB_INCLUDE_DIR) 6 | find_library(ZLIB zlib PATHS ${ZLIB_LIB_DIR}) 7 | set(ZLIB_LIBS ${ZLIB}) 8 | include_directories(${ZLIB_INCLUDE_DIR}) 9 | endif (NOT ZLIB_LIB_DIR AND NOT ZLIB_INCLUDE_DIR) 10 | else (MSVC) 11 | find_package(ZLIB REQUIRED) 12 | set(ZLIB_LIBS ${ZLIB_LIBRARIES}) 13 | include_directories(${ZLIB_INCLUDE_DIRS}) 14 | endif (MSVC) 15 | endmacro() -------------------------------------------------------------------------------- /common/debug.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef DEBUG_H 18 | #define DEBUG_H 19 | 20 | #include "../common/platform-config.h" 21 | #include "time_win.h" 22 | 23 | #ifdef _MSVC 24 | #include 25 | #endif 26 | 27 | #ifdef __linux__ 28 | #define ANSI_RED "\x1b[31m" 29 | #define ANSI_GREEN "\x1b[32m" 30 | #define ANSI_YELLOW "\x1b[33m" 31 | #define ANSI_BLUE "\x1b[34m" 32 | #define ANSI_MAGENTA "\x1b[35m" 33 | #define ANSI_CYAN "\x1b[36m" 34 | #define ANSI_RESET "\x1b[0m" 35 | #else 36 | #define ANSI_RED "" 37 | #define ANSI_GREEN "" 38 | #define ANSI_YELLOW "" 39 | #define ANSI_BLUE "" 40 | #define ANSI_MAGENTA "" 41 | #define ANSI_CYAN "" 42 | #define ANSI_RESET "" 43 | #endif 44 | 45 | #define __FILENAME__ \ 46 | (strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__) 47 | 48 | #ifdef _MSVC 49 | #define localtime_r(a, b) localtime_s(b, a) 50 | #endif 51 | 52 | #define D(var, file, col, who, lev, ...) \ 53 | if (var) { \ 54 | struct timeval _tv; \ 55 | struct tm _tm; \ 56 | char _tbuf[20]; \ 57 | time_t _tsecs; \ 58 | gettimeofday(&_tv, NULL); \ 59 | _tsecs = _tv.tv_sec; \ 60 | localtime_r(&_tsecs, &_tm); \ 61 | strftime(_tbuf, 20, "%H:%M:%S", &_tm); \ 62 | fprintf(file, "[" col who " - " lev ANSI_RESET " %s.%06ld] ", _tbuf, \ 63 | (long) _tv.tv_usec); \ 64 | fprintf(file, "%s:%d (%s): ", __FILENAME__, __LINE__, __func__); \ 65 | fprintf(file, __VA_ARGS__); \ 66 | } 67 | 68 | #define DLN(var, file, col, who, lev, ...) \ 69 | if (var) { \ 70 | D(var, file != NULL ? file : stderr, col, who, lev, __VA_ARGS__); \ 71 | fprintf(file != NULL ? file : stderr, "\n"); \ 72 | } 73 | 74 | #endif 75 | -------------------------------------------------------------------------------- /common/ecdh.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* ecdh.h 18 | ** 19 | ** Implements platform specific ECDH operations 20 | */ 21 | 22 | #ifndef _YUBICOM_ECDH_H_ 23 | #define _YUBICOM_ECDH_H_ 24 | 25 | #include 26 | #include 27 | 28 | #include "../common/platform-config.h" 29 | 30 | #ifdef __cplusplus 31 | extern "C" { 32 | #endif 33 | 34 | #ifndef __WIN32 35 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 36 | #else 37 | #define YH_INTERNAL 38 | #endif 39 | 40 | int YH_INTERNAL ecdh_curve_p256(void); 41 | int YH_INTERNAL ecdh_calculate_public_key(int curve, const uint8_t *privkey, 42 | size_t cb_privkey, uint8_t *pubkey, 43 | size_t cb_pubkey); 44 | int YH_INTERNAL ecdh_generate_keypair(int curve, uint8_t *privkey, 45 | size_t cb_privkey, uint8_t *pubkey, 46 | size_t cb_pubkey); 47 | int YH_INTERNAL ecdh_calculate_secret(int curve, const uint8_t *privkey, 48 | size_t cb_privkey, const uint8_t *pubkey, 49 | size_t cb_pubkey, uint8_t *secret, 50 | size_t cb_secret); 51 | 52 | #ifdef __cplusplus 53 | } 54 | #endif 55 | 56 | #endif /* _YUBICOM_ECDH_H_ */ 57 | -------------------------------------------------------------------------------- /common/hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* hash.h 18 | ** 19 | ** Implements platform specific hashing operations 20 | */ 21 | 22 | #ifndef _YUBICOM_HASH_H_ 23 | #define _YUBICOM_HASH_H_ 24 | 25 | #include 26 | #include 27 | #include 28 | #include "../common/platform-config.h" 29 | 30 | #ifdef __cplusplus 31 | extern "C" { 32 | #endif 33 | 34 | typedef enum { 35 | _NONE, 36 | _SHA1, 37 | _SHA256, 38 | _SHA384, 39 | _SHA512, 40 | } hash_t; 41 | 42 | #ifndef __WIN32 43 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 44 | #else 45 | #define YH_INTERNAL 46 | #endif 47 | 48 | bool YH_INTERNAL hash_bytes(const uint8_t *in, size_t len, hash_t hash, 49 | uint8_t *out, size_t *out_len); 50 | 51 | typedef struct _hash_ctx _hash_ctx, *hash_ctx; 52 | 53 | bool YH_INTERNAL hash_create(hash_ctx *ctx, hash_t hash); 54 | bool YH_INTERNAL hash_init(hash_ctx ctx); 55 | bool YH_INTERNAL hash_update(hash_ctx ctx, const uint8_t *in, size_t cb_in); 56 | bool YH_INTERNAL hash_final(hash_ctx ctx, uint8_t *out, size_t *pcb_out); 57 | bool YH_INTERNAL hash_destroy(hash_ctx ctx); 58 | 59 | #ifndef _WIN32_BCRYPT 60 | #include 61 | const YH_INTERNAL EVP_MD *get_hash(hash_t hash); 62 | #else 63 | #include 64 | #include 65 | LPCWSTR YH_INTERNAL get_hash(hash_t hash); 66 | #endif 67 | 68 | #ifdef __cplusplus 69 | } 70 | #endif 71 | 72 | #endif /* _YUBICOM_HASH_H_ */ 73 | -------------------------------------------------------------------------------- /common/insecure_memzero.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBICOM_MEMZERO_H 18 | #define YUBICOM_MEMZERO_H 19 | 20 | #ifdef _WIN32 21 | #include 22 | #define insecure_memzero(buf, len) SecureZeroMemory(buf, len) 23 | #elif HAVE_MEMSET_S 24 | #include 25 | #define insecure_memzero(buf, len) memset_s(buf, len, 0, len) 26 | #elif HAVE_EXPLICIT_BZERO 27 | #include 28 | #define insecure_memzero(buf, len) explicit_bzero(buf, len) 29 | #else 30 | #include 31 | #define insecure_memzero(buf, len) OPENSSL_cleanse(buf, len) 32 | #endif 33 | 34 | #endif 35 | -------------------------------------------------------------------------------- /common/openssl-compat.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 | * 4 | * Licensed under the OpenSSL license (the "License"). You may not use 5 | * this file except in compliance with the License. You can obtain a copy 6 | * in the file LICENSE in the source distribution or at 7 | * https://www.openssl.org/source/license.html 8 | */ 9 | 10 | #include "openssl-compat.h" 11 | 12 | extern int make_iso_compilers_happy; 13 | 14 | #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) 15 | #include 16 | 17 | #if (OPENSSL_VERSION_NUMBER < 0x10100000L) 18 | 19 | int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { 20 | /* If the fields n and e in r are NULL, the corresponding input 21 | * parameters MUST be non-NULL for n and e. d may be 22 | * left NULL (in case only the public key is used). 23 | */ 24 | if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) 25 | return 0; 26 | 27 | if (n != NULL) { 28 | BN_free(r->n); 29 | r->n = n; 30 | } 31 | if (e != NULL) { 32 | BN_free(r->e); 33 | r->e = e; 34 | } 35 | if (d != NULL) { 36 | BN_free(r->d); 37 | r->d = d; 38 | } 39 | 40 | return 1; 41 | } 42 | 43 | void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, 44 | const BIGNUM **d) { 45 | if (n != NULL) 46 | *n = r->n; 47 | if (e != NULL) 48 | *e = r->e; 49 | if (d != NULL) 50 | *d = r->d; 51 | } 52 | 53 | void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) { 54 | if (p != NULL) 55 | *p = r->p; 56 | if (q != NULL) 57 | *q = r->q; 58 | } 59 | 60 | void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, 61 | const BIGNUM **iqmp) { 62 | if (dmp1 != NULL) 63 | *dmp1 = r->dmp1; 64 | if (dmq1 != NULL) 65 | *dmq1 = r->dmq1; 66 | if (iqmp != NULL) 67 | *iqmp = r->iqmp; 68 | } 69 | 70 | int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { 71 | if ((sig->r == NULL && r == NULL) || (sig->s == NULL && s == NULL)) { 72 | return 0; 73 | } 74 | 75 | if (r != NULL) { 76 | BN_free(sig->r); 77 | sig->r = r; 78 | } 79 | if (s != NULL) { 80 | BN_free(sig->s); 81 | sig->s = s; 82 | } 83 | 84 | return 1; 85 | } 86 | void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, 87 | const BIGNUM **ps) { 88 | if (pr != NULL) { 89 | *pr = sig->r; 90 | } 91 | if (ps != NULL) { 92 | *ps = sig->s; 93 | } 94 | } 95 | 96 | const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509 *x) { 97 | return x->cert_info->extensions; 98 | } 99 | 100 | ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex) { 101 | return ex->object; 102 | } 103 | ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex) { 104 | return ex->value; 105 | } 106 | 107 | #endif /* OPENSSL_VERSION_NUMBER */ 108 | 109 | int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) { 110 | int n = BN_num_bytes(a); 111 | if (n < 0 || n > tolen) { 112 | return -1; 113 | } 114 | memset(to, 0, tolen - n); 115 | if (BN_bn2bin(a, to + tolen - n) < 0) { 116 | return -1; 117 | } 118 | return tolen; 119 | } 120 | 121 | #endif /* OPENSSL_VERSION_NUMBER */ 122 | -------------------------------------------------------------------------------- /common/openssl-compat.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. 3 | * 4 | * Licensed under the OpenSSL license (the "License"). You may not use 5 | * this file except in compliance with the License. You can obtain a copy 6 | * in the file LICENSE in the source distribution or at 7 | * https://www.openssl.org/source/license.html 8 | */ 9 | 10 | #ifndef LIBCRYPTO_COMPAT_H 11 | #define LIBCRYPTO_COMPAT_H 12 | 13 | #include 14 | #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | #ifndef __WIN32 21 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 22 | #else 23 | #define YH_INTERNAL 24 | #endif 25 | 26 | #if (OPENSSL_VERSION_NUMBER < 0x10100000L) 27 | 28 | int YH_INTERNAL RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); 29 | void YH_INTERNAL RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, 30 | const BIGNUM **d); 31 | void YH_INTERNAL RSA_get0_factors(const RSA *r, const BIGNUM **p, 32 | const BIGNUM **q); 33 | void YH_INTERNAL RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, 34 | const BIGNUM **dmq1, const BIGNUM **iqmp); 35 | 36 | void YH_INTERNAL ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, 37 | const BIGNUM **ps); 38 | int YH_INTERNAL ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); 39 | 40 | const YH_INTERNAL STACK_OF(X509_EXTENSION) * 41 | X509_get0_extensions(const X509 *x); 42 | 43 | ASN1_OBJECT YH_INTERNAL *X509_EXTENSION_get_object(X509_EXTENSION *ex); 44 | ASN1_OCTET_STRING YH_INTERNAL *X509_EXTENSION_get_data(X509_EXTENSION *ex); 45 | 46 | #endif /* OPENSSL_VERSION_NUMBER */ 47 | 48 | int YH_INTERNAL BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); 49 | 50 | #endif /* OPENSSL_VERSION_NUMBER */ 51 | #endif /* LIBCRYPTO_COMPAT_H */ 52 | -------------------------------------------------------------------------------- /common/parsing.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | #include "parsing.h" 25 | 26 | #define READ_STR_PROMPT_BASE "Enter %s: " 27 | 28 | bool read_string(const char *name, char *str_buf, size_t str_buf_len, 29 | enum input_visibility visibility) { 30 | 31 | char prompt[sizeof(READ_STR_PROMPT_BASE) + 64] = {0}; 32 | int ret; 33 | 34 | if (str_buf_len < 1) { 35 | fprintf(stderr, "Unable to read %s: buffer too small\n", name); 36 | return false; 37 | } 38 | 39 | ret = snprintf(prompt, sizeof(prompt), READ_STR_PROMPT_BASE, name); 40 | if (ret < 0 || ((unsigned int) ret) > (sizeof(prompt) - 1)) { 41 | fprintf(stderr, "Unable to read %s: snprintf failed\n", name); 42 | return false; 43 | } 44 | 45 | bool checked = false; 46 | switch (visibility) { 47 | case VISIBLE: 48 | fprintf(stdout, "%s", prompt); 49 | str_buf = fgets(str_buf, str_buf_len, stdin); 50 | if (str_buf == NULL) { 51 | return false; 52 | } 53 | str_buf[strlen(str_buf) - 1] = '\0'; 54 | 55 | break; 56 | 57 | case HIDDEN_CHECKED: 58 | checked = true; 59 | case HIDDEN_UNCHECKED: 60 | ret = EVP_read_pw_string(str_buf, str_buf_len - 1, prompt, checked); 61 | if (ret != 0) { 62 | fprintf(stderr, "Retrieving %s failed (%d)\n", name, ret); 63 | return false; 64 | } 65 | 66 | break; 67 | } 68 | 69 | return true; 70 | } 71 | 72 | bool hex_decode(const char *in, uint8_t *out, size_t *len) { 73 | int pos = 0; 74 | if (in == NULL || out == NULL || len == NULL) { 75 | return false; 76 | } 77 | size_t in_len = strlen(in); 78 | if (in_len > 0 && in[in_len - 1] == '\n') { 79 | in_len--; 80 | } 81 | if (in_len > 0 && in[in_len - 1] == '\r') { 82 | in_len--; 83 | } 84 | if (in_len % 2 != 0) { 85 | return false; 86 | } else if (in_len / 2 > *len) { 87 | return false; 88 | } 89 | 90 | for (size_t i = 0; i < in_len / 2; i++) { 91 | char *endptr = NULL; 92 | char buf[3] = {0}; 93 | long num; 94 | errno = 0; 95 | 96 | buf[0] = in[pos]; 97 | buf[1] = in[pos + 1]; 98 | num = strtol(buf, &endptr, 16); 99 | if (errno != 0 || num < 0 || num > UCHAR_MAX || *endptr != '\0') { 100 | return false; 101 | } 102 | out[i] = (uint8_t) num; 103 | pos += 2; 104 | } 105 | *len = in_len / 2; 106 | return true; 107 | } 108 | -------------------------------------------------------------------------------- /common/parsing.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBICOM_PARSING_H 18 | #define YUBICOM_PARSING_H 19 | 20 | #include 21 | #include 22 | #include 23 | #include "../common/platform-config.h" 24 | 25 | // NOTE(adma): those utility functions do not link against libyubihsm 26 | 27 | #define READ_STR_PROMPT_BASE "Enter %s: " 28 | #ifndef __WIN32 29 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 30 | #else 31 | #define YH_INTERNAL 32 | #endif 33 | 34 | enum input_visibility { VISIBLE, HIDDEN_CHECKED, HIDDEN_UNCHECKED }; 35 | 36 | bool YH_INTERNAL read_string(const char *name, char *str_buf, 37 | size_t str_buf_len, 38 | enum input_visibility visibility); 39 | bool YH_INTERNAL hex_decode(const char *in, uint8_t *out, size_t *len); 40 | 41 | #endif 42 | -------------------------------------------------------------------------------- /common/pkcs5.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include "pkcs5.h" 18 | 19 | #ifdef _WIN32_BCRYPT 20 | #include 21 | #include 22 | #else 23 | #include 24 | #endif 25 | 26 | bool pkcs5_pbkdf2_hmac(const uint8_t *password, size_t cb_password, 27 | const uint8_t *salt, size_t cb_salt, uint64_t iterations, 28 | hash_t hash, uint8_t *key, size_t cb_key) { 29 | bool res = false; 30 | 31 | #ifdef _WIN32_BCRYPT 32 | NTSTATUS status = 0; 33 | LPCWSTR alg = NULL; 34 | BCRYPT_ALG_HANDLE hAlg = 0; 35 | 36 | if (!(alg = get_hash(hash))) { 37 | goto cleanup; 38 | } 39 | 40 | if (!BCRYPT_SUCCESS( 41 | status = BCryptOpenAlgorithmProvider(&hAlg, alg, NULL, 42 | BCRYPT_ALG_HANDLE_HMAC_FLAG))) { 43 | goto cleanup; 44 | } 45 | 46 | if (!BCRYPT_SUCCESS( 47 | status = 48 | BCryptDeriveKeyPBKDF2(hAlg, (PUCHAR) password, (ULONG) cb_password, 49 | (PUCHAR) salt, (ULONG) cb_salt, iterations, key, 50 | (ULONG) cb_key, 0))) { 51 | goto cleanup; 52 | } 53 | 54 | res = true; 55 | 56 | cleanup: 57 | 58 | if (hAlg) { 59 | BCryptCloseAlgorithmProvider(hAlg, 0); 60 | } 61 | 62 | #else 63 | const EVP_MD *md = NULL; 64 | 65 | if (!(md = get_hash(hash))) { 66 | return false; 67 | } 68 | 69 | /* for some reason openssl always returns 1 for PBKDF2 */ 70 | if (1 != PKCS5_PBKDF2_HMAC((const char *) password, cb_password, salt, 71 | cb_salt, iterations, md, cb_key, key)) { 72 | return false; 73 | } 74 | 75 | res = true; 76 | 77 | #endif 78 | return res; 79 | } 80 | -------------------------------------------------------------------------------- /common/pkcs5.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* pkcs5.h 18 | ** 19 | ** Implements platform specific PKCS5 operations 20 | */ 21 | 22 | #ifndef _YUBICOM_PKCS5_H_ 23 | #define _YUBICOM_PKCS5_H_ 24 | 25 | #include 26 | #include 27 | #include 28 | 29 | #include "hash.h" 30 | 31 | #ifdef __cplusplus 32 | extern "C" { 33 | #endif 34 | 35 | #ifndef __WIN32 36 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 37 | #else 38 | #define YH_INTERNAL 39 | #endif 40 | 41 | bool YH_INTERNAL pkcs5_pbkdf2_hmac(const uint8_t *password, size_t cb_password, 42 | const uint8_t *salt, size_t cb_salt, 43 | uint64_t iterations, hash_t hash, 44 | uint8_t *key, size_t cb_key); 45 | 46 | #ifdef __cplusplus 47 | } 48 | #endif 49 | 50 | #endif /* _YUBICOM_PKCS5_H_ */ 51 | -------------------------------------------------------------------------------- /common/platform-config.h.in: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 2020 Yubico AB 3 | * All rights reserved. 4 | * 5 | * Redistribution and use in source and binary forms, with or without 6 | * modification, are permitted provided that the following conditions are 7 | * met: 8 | * 9 | * * Redistributions of source code must retain the above copyright 10 | * notice, this list of conditions and the following disclaimer. 11 | * 12 | * * Redistributions in binary form must reproduce the above 13 | * copyright notice, this list of conditions and the following 14 | * disclaimer in the documentation and/or other materials provided 15 | * with the distribution. 16 | * 17 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 18 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 19 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 20 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 21 | * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 22 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 23 | * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 27 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 | * 29 | */ 30 | 31 | #ifndef YUBIHSM_CONFIG_H 32 | #define YUBIHSM_CONFIG_H 33 | 34 | #ifdef __cplusplus 35 | extern "C" 36 | { 37 | #endif 38 | 39 | #cmakedefine _WIN32_BCRYPT @WIN32_BCRYPT@ 40 | #cmakedefine __WIN32 @__WIN32@ 41 | #cmakedefine _WIN32 @_WIN32@ 42 | #cmakedefine _MSVC @_MSVC@ 43 | 44 | #ifdef __cplusplus 45 | } 46 | #endif 47 | 48 | #endif 49 | -------------------------------------------------------------------------------- /common/rand.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include "rand.h" 18 | 19 | #ifdef _WIN32_BCRYPT 20 | #include 21 | #include 22 | #include 23 | #else 24 | #include 25 | #endif 26 | 27 | bool rand_generate(uint8_t *buf, size_t cb_buf) { 28 | 29 | #ifdef _WIN32_BCRYPT 30 | NTSTATUS status = STATUS_SUCCESS; 31 | 32 | BCRYPT_ALG_HANDLE hAlg = 0; 33 | 34 | if (!BCRYPT_SUCCESS( 35 | status = 36 | BCryptOpenAlgorithmProvider(&hAlg, BCRYPT_RNG_ALGORITHM, NULL, 0))) { 37 | return false; 38 | } 39 | 40 | status = BCryptGenRandom(hAlg, buf, (ULONG) cb_buf, 0); 41 | BCryptCloseAlgorithmProvider(hAlg, 0); 42 | 43 | return BCRYPT_SUCCESS(status); 44 | 45 | #else 46 | return (1 == RAND_bytes(buf, cb_buf)); 47 | 48 | #endif 49 | } 50 | -------------------------------------------------------------------------------- /common/rand.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* rand.h 18 | ** 19 | ** Implements platform specific random generation operations 20 | */ 21 | 22 | #ifndef _YUBICOM_RAND_H_ 23 | #define _YUBICOM_RAND_H_ 24 | 25 | #include 26 | #include 27 | #include 28 | #include "../common/platform-config.h" 29 | 30 | #ifdef __cplusplus 31 | extern "C" { 32 | #endif 33 | 34 | #ifndef __WIN32 35 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 36 | #else 37 | #define YH_INTERNAL 38 | #endif 39 | 40 | bool YH_INTERNAL rand_generate(uint8_t *buf, size_t cb_buf); 41 | 42 | #ifdef __cplusplus 43 | } 44 | #endif 45 | 46 | #endif /* _YUBICOM_RAND_H_ */ 47 | -------------------------------------------------------------------------------- /common/time_win.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2020 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | #include "time_win.h" 19 | 20 | int gettimeofday(struct timeval *tv, void *tzp) { 21 | // There's no equivalent implementation of gettimeofday() on Window 22 | struct timespec ts = {0}; 23 | if (timespec_get(&ts, TIME_UTC)) { 24 | tv->tv_sec = (long) ts.tv_sec; 25 | tv->tv_usec = ts.tv_nsec / 1000; 26 | return 0; 27 | } 28 | return -1; 29 | } 30 | -------------------------------------------------------------------------------- /common/time_win.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2020 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBIHSM_SHELL_TIME_WIN_H 18 | #define YUBIHSM_SHELL_TIME_WIN_H 19 | 20 | #include 21 | 22 | #ifdef _MSVC 23 | 24 | struct timeval; 25 | 26 | int gettimeofday(struct timeval *tv, void *tzp); 27 | 28 | #endif 29 | 30 | #endif // YUBIHSM_SHELL_TIME_WIN_H 31 | -------------------------------------------------------------------------------- /common/util.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBICOM_UTIL_H 18 | #define YUBICOM_UTIL_H 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include 26 | #include "../common/platform-config.h" 27 | 28 | typedef enum { 29 | _base64, 30 | _binary, 31 | _hex, 32 | _PEM, 33 | } format_t; 34 | 35 | #ifndef __WIN32 36 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 37 | #else 38 | #define YH_INTERNAL 39 | #endif 40 | 41 | bool YH_INTERNAL set_component(uint8_t *in_ptr, const BIGNUM *bn, 42 | int32_t element_len); 43 | bool YH_INTERNAL read_private_key(uint8_t *buf, size_t len, yh_algorithm *algo, 44 | uint8_t *bytes, size_t *bytes_len, 45 | bool internal_repr); 46 | bool YH_INTERNAL read_public_key(uint8_t *buf, size_t len, yh_algorithm *algo, 47 | uint8_t *bytes, size_t *bytes_len); 48 | void YH_INTERNAL format_digest(uint8_t *digest, char *str, uint16_t len); 49 | int YH_INTERNAL algo2nid(yh_algorithm algo); 50 | bool YH_INTERNAL algo2type(yh_algorithm algorithm, yh_object_type *type); 51 | int YH_INTERNAL parse_NID(uint8_t *data, uint16_t data_len, 52 | const EVP_MD **md_type); 53 | bool YH_INTERNAL read_file(FILE *fp, uint8_t *buf, size_t *buf_len); 54 | bool YH_INTERNAL write_file(const uint8_t *buf, size_t buf_len, FILE *fp, 55 | format_t format); 56 | bool YH_INTERNAL read_ed25519_key(uint8_t *in, size_t in_len, uint8_t *out, 57 | size_t *out_len); 58 | bool YH_INTERNAL write_ed25519_key(uint8_t *buf, size_t buf_len, FILE *fp, 59 | format_t format); 60 | 61 | bool YH_INTERNAL base64_decode(const char *in, uint8_t *out, size_t *len); 62 | 63 | bool YH_INTERNAL split_hmac_key(yh_algorithm algorithm, uint8_t *in, 64 | size_t in_len, uint8_t *out, size_t *out_len); 65 | 66 | #endif 67 | -------------------------------------------------------------------------------- /debian/README.source: -------------------------------------------------------------------------------- 1 | We describe here one way to work with the package sources. 2 | 3 | Initialize cowbuilder: 4 | 5 | $ git-pbuilder create 6 | 7 | Optionally update cowbuilder: 8 | 9 | $ git-pbuilder update 10 | 11 | Clone the project from repository: 12 | 13 | $ git clone 14 | 15 | Build the package: 16 | 17 | $ gbp buildpackage --git-pbuilder --git-pbuilder-options=--twice 18 | 19 | If all goes well, you should have newly built packages in ../. 20 | 21 | Update the package to a new upstream release (don't forget debian/changelog): 22 | 23 | $ gbp import-orig /path/to/new-release.tar.gz 24 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 9 2 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ 2 | Upstream-Name: yubihsm-shell 3 | Source: https://developers.yubico.com/YubiHSM2 4 | 5 | Files: * 6 | Copyright: Copyright (c) 2017 Yubico AB 7 | License: BSD-2-clause 8 | Redistribution and use in source and binary forms, with or without 9 | modification, are permitted provided that the following conditions are 10 | met: 11 | . 12 | * Redistributions of source code must retain the above copyright 13 | notice, this list of conditions and the following disclaimer. 14 | . 15 | * Redistributions in binary form must reproduce the above 16 | copyright notice, this list of conditions and the following 17 | disclaimer in the documentation and/or other materials provided 18 | with the distribution. 19 | . 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 23 | A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 24 | OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 25 | SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 26 | LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 27 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 28 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 29 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | -------------------------------------------------------------------------------- /debian/gbp.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | pristine-tar = True 3 | sign-tags = True 4 | -------------------------------------------------------------------------------- /debian/libykhsmauth-dev.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | usr/lib/libykhsmauth*.so /usr/lib/ 3 | usr/share/pkgconfig/ykhsmauth.pc /usr/lib/ 4 | 5 | usr/include/ykhsmauth.h 6 | -------------------------------------------------------------------------------- /debian/libykhsmauth1.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | 3 | usr/lib/libykhsmauth.so.* /usr/lib/ 4 | -------------------------------------------------------------------------------- /debian/libyubihsm-dev.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | usr/lib/lib*.so /usr/lib/${DEB_HOST_MULTIARCH} 3 | usr/share/pkgconfig/ /usr/lib/${DEB_HOST_MULTIARCH} 4 | 5 | usr/include/ 6 | -------------------------------------------------------------------------------- /debian/libyubihsm-http1.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | 3 | usr/lib/libyubihsm_http.so.* /usr/lib/${DEB_HOST_MULTIARCH} 4 | -------------------------------------------------------------------------------- /debian/libyubihsm-usb1.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | 3 | usr/lib/libyubihsm_usb.so.* /usr/lib/${DEB_HOST_MULTIARCH} 4 | -------------------------------------------------------------------------------- /debian/libyubihsm1.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | 3 | usr/lib/libyubihsm.so.* /usr/lib/${DEB_HOST_MULTIARCH} 4 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | DH_VERBOSE = 1 4 | DEB_BUILD_OPTIONS=noddebs 5 | 6 | %: 7 | dh $@ --parallel 8 | 9 | override_dh_install: 10 | chrpath -d $(CURDIR)/debian/tmp/usr/bin/* 11 | chrpath -d $(CURDIR)/debian/tmp/usr/lib/*.so* 12 | chrpath -d $(CURDIR)/debian/tmp/usr/lib/pkcs11/*.so* 13 | dh_install --fail-missing 14 | 15 | override_dh_auto_configure: 16 | dh_auto_configure -- -DWITHOUT_YKYH=1 -DRELEASE_BUILD=1 17 | 18 | override_dh_auto_test: 19 | true 20 | 21 | #override_dh_installdocs: 22 | # find debian 23 | -------------------------------------------------------------------------------- /debian/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (native) 2 | -------------------------------------------------------------------------------- /debian/watch: -------------------------------------------------------------------------------- 1 | version=3 2 | opts=pgpsigurlmangle=s/$/.sig/ \ 3 | https://developers.yubico.com/YubiHSM2/Releases/ yubihsm2-sdk-(.*)\.tar\.gz 4 | -------------------------------------------------------------------------------- /debian/yubihsm-auth.install: -------------------------------------------------------------------------------- 1 | usr/bin/yubihsm-auth 2 | usr/share/man/man1/yubihsm-auth.1 3 | -------------------------------------------------------------------------------- /debian/yubihsm-pkcs11.install: -------------------------------------------------------------------------------- 1 | #! /usr/bin/dh-exec 2 | 3 | usr/lib/pkcs11/*.so /usr/lib/${DEB_HOST_MULTIARCH}/pkcs11 4 | -------------------------------------------------------------------------------- /debian/yubihsm-shell.install: -------------------------------------------------------------------------------- 1 | usr/bin/yubihsm-shell 2 | usr/share/man/man1/yubihsm-shell.1 3 | -------------------------------------------------------------------------------- /debian/yubihsm-wrap.install: -------------------------------------------------------------------------------- 1 | usr/bin/yubihsm-wrap 2 | usr/share/man/man1/yubihsm-wrap.1 3 | -------------------------------------------------------------------------------- /examples/attestation_template.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIC8TCCAdmgAwIBAgIJAI4siOgx84SNMA0GCSqGSIb3DQEBCwUAMA8xDTALBgNV 3 | BAMMBHRlc3QwHhcNMTcwMzE3MTMwODAyWhcNMjcwMzE1MTMwODAyWjAPMQ0wCwYD 4 | VQQDDAR0ZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0J9YugQ 5 | 3po8PtkrhQsq4aUbU0y2MtruYvZjRG0tMMtTrE92FXqrBltL+LXjhC6nOcgkjb4U 6 | JFdJzK+QsQ3jpJNOpGWSWHCrEk8CVJnl2klq6vhlcSTlojHu912WYdiCudA0KhQ+ 7 | ffFhfGpAItctLMvaD7aS01l/OKzXAUkCv+8f2p+/+2I7mEnv88gOsisf78kqRPrQ 8 | b1xuRvHdNsehtxo+VN5bbKICkNskd18EloX46LjYi9oQ0zihmm24yGYPWUmDv1zm 9 | CBlM2AT2kHxHtHMl+DyewZERYtHKUN3irzyEq/9H2TxsfsYk2wR8QtAADU+mMe9M 10 | ne9lXrkgusx4RQIDAQABo1AwTjAdBgNVHQ4EFgQUGzIsrm1ZNd37V7vCLXolfTtM 11 | xEEwHwYDVR0jBBgwFoAUGzIsrm1ZNd37V7vCLXolfTtMxEEwDAYDVR0TBAUwAwEB 12 | /zANBgkqhkiG9w0BAQsFAAOCAQEAh7S+9c8Mcg/aK6qhQ/m0WJUSW5W4QL0p3fwG 13 | ettK+4tntI6ufgaJgxgvG8ucrcOJ/j/s7ZDqJ7MjRsZm391616oZixkPzCrBhWgr 14 | 3Vv6gFtnxXrwQMdgvzpKhtSrxjoDyUnFLs14H/e/L0+qGAlAN2adHHha7zouaWwY 15 | +KyyK5sX2m/yQg/uQm4KeVqz3wsA6zJXIg0EEH/ISj7JBCCyux3ouS3x/z+43Hl4 16 | DzFJtJotn34HKe02gcCd4qxginQJJ84j2G4JZ42deVFPPp6dbHIuLFHunCH8HTkA 17 | jpI5R8+6LS+5+gci9J5OaVMAgvy6cYqx85lbaoyXdXB8aGLkNw== 18 | -----END CERTIFICATE----- 19 | -------------------------------------------------------------------------------- /examples/echo.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifdef NDEBUG 18 | #undef NDEBUG 19 | #endif 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include 26 | 27 | const uint8_t password[] = "password"; 28 | const uint8_t data[] = "sudo make me a sandwich"; 29 | 30 | int main(void) { 31 | yh_connector *connector = NULL; 32 | yh_rc yrc = YHR_GENERIC_ERROR; 33 | 34 | const char *connector_url; 35 | 36 | connector_url = getenv("DEFAULT_CONNECTOR_URL"); 37 | if (connector_url == NULL) { 38 | connector_url = DEFAULT_CONNECTOR_URL; 39 | } 40 | 41 | yrc = yh_init(); 42 | if (yrc != YHR_SUCCESS) { 43 | fprintf(stderr, "unable to initialize yubihsm: %s\n", yh_strerror(yrc)); 44 | exit(EXIT_FAILURE); 45 | } 46 | 47 | yrc = yh_init_connector(connector_url, &connector); 48 | assert(yrc == YHR_SUCCESS); 49 | 50 | yrc = yh_connect(connector, 0); 51 | assert(yrc == YHR_SUCCESS); 52 | 53 | char *received_url; 54 | yrc = yh_get_connector_address(connector, &received_url); 55 | assert(yrc == YHR_SUCCESS); 56 | 57 | yh_set_verbosity(connector, YH_VERB_ALL); 58 | 59 | printf("Send a plain (unencrypted, unauthenticated) echo command\n"); 60 | 61 | uint16_t data_len = sizeof(data) - 1; 62 | uint8_t response[sizeof(data)] = {0}; 63 | size_t response_len = sizeof(response); 64 | yh_cmd response_cmd; 65 | yrc = yh_send_plain_msg(connector, YHC_ECHO, data, data_len, &response_cmd, 66 | response, &response_len); 67 | if (yrc != YHR_SUCCESS) { 68 | fprintf(stderr, "Failed to send ECHO command: %s\n", yh_strerror(yrc)); 69 | exit(EXIT_FAILURE); 70 | } 71 | 72 | printf("Response (%zu bytes): \"%s\"\n", response_len, response); 73 | 74 | yh_session *session = NULL; 75 | uint16_t authkey = 1; 76 | yrc = yh_create_session_derived(connector, authkey, password, 77 | sizeof(password) - 1, false, &session); 78 | assert(yrc == YHR_SUCCESS); 79 | 80 | uint8_t session_id; 81 | yrc = yh_get_session_id(session, &session_id); 82 | assert(yrc == YHR_SUCCESS); 83 | 84 | printf("Successfully established session %02d\n", session_id); 85 | 86 | printf("Send a secure echo command\n"); 87 | 88 | uint8_t response2[sizeof(data)] = {0}; 89 | size_t response2_len = sizeof(response); 90 | yh_cmd response2_cmd; 91 | yrc = yh_send_secure_msg(session, YHC_ECHO, data, data_len, &response2_cmd, 92 | response2, &response2_len); 93 | if (yrc != YHR_SUCCESS) { 94 | fprintf(stderr, "Failed to send ECHO command: %s\n", yh_strerror(yrc)); 95 | exit(EXIT_FAILURE); 96 | } 97 | 98 | printf("Response (%zu bytes): \"%s\"\n", response_len, response); 99 | 100 | assert(response_len == response2_len); 101 | assert(memcmp(response, response2, response_len) == 0); 102 | 103 | yrc = yh_util_close_session(session); 104 | assert(yrc == YHR_SUCCESS); 105 | 106 | yrc = yh_destroy_session(&session); 107 | assert(yrc == YHR_SUCCESS); 108 | 109 | yh_disconnect(connector); 110 | assert(yrc == YHR_SUCCESS); 111 | 112 | yrc = yh_exit(); 113 | assert(yrc == YHR_SUCCESS); 114 | 115 | return 0; 116 | } 117 | -------------------------------------------------------------------------------- /examples/ed25519_pvtkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MC4CAQAwBQYDK2VwBCIEIEzNCJso/5banbbDRuwRTg9bijGfNaumJNqM9u1PuKb7 3 | -----END PRIVATE KEY----- 4 | -------------------------------------------------------------------------------- /examples/info.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifdef NDEBUG 18 | #undef NDEBUG 19 | #endif 20 | #include 21 | #include 22 | #include 23 | 24 | #include 25 | 26 | int main(void) { 27 | yh_connector *connector = NULL; 28 | yh_rc yrc = YHR_GENERIC_ERROR; 29 | 30 | const char *connector_url; 31 | 32 | connector_url = getenv("DEFAULT_CONNECTOR_URL"); 33 | if (connector_url == NULL) { 34 | connector_url = DEFAULT_CONNECTOR_URL; 35 | } 36 | 37 | yrc = yh_init(); 38 | if (yrc != YHR_SUCCESS) { 39 | fprintf(stderr, "unable to initialize yubihsm: %s\n", yh_strerror(yrc)); 40 | exit(EXIT_FAILURE); 41 | } 42 | 43 | yrc = yh_init_connector(connector_url, &connector); 44 | assert(yrc == YHR_SUCCESS); 45 | 46 | yrc = yh_connect(connector, 0); 47 | assert(yrc == YHR_SUCCESS); 48 | 49 | char *received_url; 50 | yrc = yh_get_connector_address(connector, &received_url); 51 | assert(yrc == YHR_SUCCESS); 52 | 53 | printf("Successfully connected to %s, device is ", received_url); 54 | if (yh_connector_has_device(connector) == false) { 55 | printf("not present\n"); 56 | exit(EXIT_FAILURE); // This won't happen since we manged to connect 57 | } 58 | printf("present\n"); 59 | 60 | uint8_t c_major, c_minor, c_patch; 61 | yrc = yh_get_connector_version(connector, &c_major, &c_minor, &c_patch); 62 | assert(yrc == YHR_SUCCESS); 63 | printf("Connector Version: %hhu.%hhu.%hhu\n", c_major, c_minor, c_patch); 64 | 65 | uint8_t d_major, d_minor, d_patch; 66 | uint32_t serial; 67 | uint8_t log_total, log_used; 68 | yh_algorithm algorithms[YH_MAX_ALGORITHM_COUNT]; 69 | size_t n_algorithms = sizeof(algorithms); 70 | yrc = 71 | yh_util_get_device_info(connector, &d_major, &d_minor, &d_patch, &serial, 72 | &log_total, &log_used, algorithms, &n_algorithms); 73 | assert(yrc == YHR_SUCCESS); 74 | 75 | printf("Device Version: %hhu.%hhu.%hhu\n", d_major, d_minor, d_patch); 76 | printf("Serial: %d\n", serial); 77 | printf("Log: %d/%d (used/total)\n", log_used, log_total); 78 | printf("Supported algorithms:\n"); 79 | for (size_t i = 0; i < n_algorithms; i++) { 80 | const char *str; 81 | yh_algo_to_string(algorithms[i], &str); 82 | printf("%s\n", str); 83 | } 84 | 85 | yrc = yh_disconnect(connector); 86 | assert(yrc == YHR_SUCCESS); 87 | 88 | yrc = yh_exit(); 89 | assert(yrc == YHR_SUCCESS); 90 | 91 | return 0; 92 | } 93 | -------------------------------------------------------------------------------- /examples/p256_pvtkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN EC PARAMETERS----- 2 | BggqhkjOPQMBBw== 3 | -----END EC PARAMETERS----- 4 | -----BEGIN EC PRIVATE KEY----- 5 | MHcCAQEEIHj8HDHmb3sE2LbjB4iOkfh2wngiUJX340mzn9viEm/ZoAoGCCqGSM49 6 | AwEHoUQDQgAESfiuLv9xV/VNf2wLgrMba2jLcjY/DmstGEs2sC9nbR+OhUUia3n1 7 | f/TdJE466eFZ9MIaZNmRsrkwxWbZ1w7yWQ== 8 | -----END EC PRIVATE KEY----- 9 | -------------------------------------------------------------------------------- /examples/rsa2048_pvtkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEA1LILtPHUKTGvzNKpNHCSmRfE54NoabtPtV/SqAI/6VFT1PIf 3 | dLBUsBL19g4yAfnyOSTo5o8CYl6LzfdPgkyESXKzOYCKuBDEn14yQ/F1vzzydl5G 4 | a65dESVCFKUELu9IJwX1hjXpHLkwb9Wj8Z4h/Uikn6Xh3C6GvVOIJZGb9Kjcz+Mo 5 | Kx9IFAFAIWDV88DKUG9EontXYq4p2Vk6/XvAW63eQPWjUWeOSUiQp8UWtWA3SMZ9 6 | GwxUh9ZRyd4gw1kqcrqMzwbJyEtmjBbYNnIGPYDCkr4YQJIoGPwNq6hh2HGa1J+M 7 | EYYZWVbl2GOW1FVMn75q45tnaCaWOlT0H7Om/wIDAQABAoIBAByVHJuhT9iFU9Gb 8 | kZ95bUnjdtOBxjtHL6v5B48KVlpdUn2wV+fPdmH++kyplbDMTO++9QleuHxNpk30 9 | aRvieniAUHNuwbWAk1uzRd/5h9A+OXsMqjv4P4t5TUsG7ev8vd54n4j8n6n7fPXa 10 | aOCkVn76Dx1hJlv3aKXynr4ltiaHeABXz2ph5f7wHsC9cEqXjr4Tt+sXu9tURKMq 11 | hGNNYFgJPIsa0q07dqClJtNxS0hCkCp4gEFjsCVLFPzxEP+TU8OND7eNgXqQ9TYG 12 | zQGNEVN2Dmk/HFatTRnKY2wqlYjfFXhUsubVSPm0krIU04JeBgqo/B7u20G3wwW/ 13 | EWhA8skCgYEA73gkpHxKnykzJBx3jbPNgcegBJA2cqv7IonOO+KG1nqccnOzzYZX 14 | DFrEqemVuESPUSz1dzvilKkb2Fz+t8PFg9Qq4nV2Oa7h5TYp05T6dyuwrcmoPiIM 15 | 9kT7YGohaucf9EqRIYkjMbefWn9reiXKOztemD8Nq40GqT96zWdll+0CgYEA42DC 16 | vHnNS3ChPN6ueiiGrSYNiu0o35/+Zv0/YAXF69gC118qtBof8lVr74/vSE3SqNyh 17 | /8y8WhM/TlErZSSKoUZCIkQE3LhIsbR0Nh95RwY0It/jbnVTwb11/PkILfvaQlwQ 18 | 8DM2WXYg39QdPlYw1GNTvKuAYtzeROUqOoF5BRsCgYEA3qDTcBgdR9sFsIzGmPaQ 19 | GBd+rL9l3zYERBfZo9L1iHB1AfKPNoOuac35B/4hMy6KDu29Rxxlic+uE3hhVnar 20 | KeQV+nM5dmcfm/i+6fWW5TO5DdhskVcWtd1r1jbU2o4FJxgr1QGpto7/lyLeyLBZ 21 | UrffOatlChgSGUbq5As8aAECgYAogmivY5PryNkxGwtCwE2eM5VeFvqdPMf6WUwd 22 | M2obppR7An19MNpYNlfQing7DYJmi0hhZnx4H827ikKM9oGsUfQeXrfvCvYIkvnR 23 | WrIksTpArFq8pzKQ5cxLkaKfbqtn/zcVVEpujdk1h3jeTkTM0hVtG7D37Bm9dIad 24 | fcut2QKBgGwhl9lil+kDVkmWajQGHzxrct1hWlcn8hsXcO6bu8TGSYTjeT0XQUog 25 | OjdB5pTbPXncE/3ExaMttiBV8eLkhW+HRXq+IxyWPG3ROu5N1tTxBtV7X5tkzY9m 26 | V5rUvEN+bLOUGLGA4qd66j5DC0QwP1gaAHlpnMoipNvgXmEcriSu 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /examples/ssh_ca_pvtkey.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEpQIBAAKCAQEA0zWtGoriTQmqtCmLHr3JQSK+EdMOqyXtvF4vqvJIFFsU7uMD 3 | m/FShw1hCVFgyZu7P77+RUaIMAUEbtYKF4vYvPPxUFDL1YyHF6VsNvwkMNDSmRZy 4 | D6lH5D/QFcGGZtn6Rz1SfJuynrT+/ZltM/NroddaITA23NSmJrIi/lwm5vruvFQJ 5 | 7JD4+tiR8iLOqWsGXlUtIXDt09sQs+/HCbziHUeoWP8TSphKfc6LjNtSx6pmynC2 6 | wRF7LYd0Cm7Nq0HQ+xPxuaBBWeqdKUJ7/0Rqt7smrGGcqWu3P9yxcxiYVlFgZSBA 7 | UVjHMYaCRiWZKPs6wDTYnJOBE9vFqHHjT+7mnwIDAQABAoIBAQCL375WF6grML22 8 | NtUFdNa1plaN42KRgbrhxtZ2taF6qZ9BXWJkgfsPqZKb4yLgIZxuaQRnyIAknQ4E 9 | gQeJ9HmDGWK0t+1l7X0B8fGqsG0fTwxJig3bxVXxGTmrTtC9iJoxV7ErCMnQRTmh 10 | pVwmzYx4T/BGjnGm6cVnVw3JuimhSVWQnMLUNcwTBQjcwbKI3o/Y4FhoDe0GYof8 11 | 6gJq+cj7jFn+x89e1uuXev562CidbOzfGYEc45X+I+DLEN9+xjRPZM0bfnyBS/bM 12 | /SCmvcgprITomY+d7H4iJ08BTEEo1z0fWcT8yfM2UgzOrUsjGCOBoZsOnr5zpnlC 13 | hfmBc+1BAoGBAOvIt1YN8YpOa/6+y2s8+c95S9yPmdTuO3QanybQMrb1W7iWlOb5 14 | bi3aEuU7cUY+cHbzAYf2WC93pT3cKDPbuvG09EUTXExWw1hOGQ3ot3pgkbshmcBK 15 | 8TeQn3kp4d7YM92hnzDLPoEpkWuPdN+If3x2+CQ0Bs8IZjCRJGn5yMAPAoGBAOVR 16 | kiLV2qltk5xnOEvlzNXJoaxYeJBiQhXZOrwzYXJXUxz1Kk4QROlSVRboFvHImdGS 17 | MoLaUJ5WDE77z77v2f8+zaAeoSakbFaIofJ4qTvXrsc7L4djg9prveQvDZY50mbH 18 | SR5la5aQxJkA+TeE1hEowRhNK69aUJIfyfnga+BxAoGBAJG3946IiYm3k8jZs7Av 19 | /Be8WCUU3raZEUddGJUNQPqPwsLe1WG2L+DIkLr5NLV761eoMX8MwU18vTPw9yut 20 | lejBs+Fo6LcJPCs8AQH2nEZWnlovlu0fo9p6WASy3LQznEJSG6c1RQjgXs5B17I6 21 | kseiYxNE0BxtjXJgkUeppucDAoGAZd5Tlaf8Z9Fmhk8QIh8mXD4i1MXEYRdVFhGW 22 | 1u3YNwv1vuJl9aGiiydo5zEYqDWdpwxT5e8Hax78fsW75qzz4UBL5fpVSi42dkZh 23 | 8q2JOC061gRDu9gIRaohA9GnLnnnLoMOxzL0lUEgJHvbOb+HvL2m8Z2ub0omipMW 24 | jSsVoPECgYEAodn6s+oG9zpq9Gl4Q8jsPiQAgsjwc4CGzz/oBvWooGf8pei0N2gj 25 | MIByXmIhpexBlJ4o/MgEMj7g299usGKq06Dg4dMn1DtunkSF/Vd1OcjlZVJpRmrJ 26 | m2HWLeo2pjD9W9KaMzZWQ5jxpGliC2TtpWuP44/ihZODFrQZc8DytPo= 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /examples/ssh_req.dat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Yubico/yubihsm-shell/a85a9bd4c5f25cea1227ca60379419ca7a6a0a28/examples/ssh_req.dat -------------------------------------------------------------------------------- /lib/README.adoc: -------------------------------------------------------------------------------- 1 | == YubiHSM Library 2 | 3 | The YubiHSM C Library `libyubihsm` is a native library to interact 4 | with a YubiHSM 2 device. 5 | 6 | Two main sets of functions are exposed. Functions prefixed with only 7 | `yh_` are low-level functions (e.g., send byte array to the device) 8 | that perform a simple single action and can be used to build more 9 | advanced functionalities. Functions prefixed with `yh_util_` are 10 | higher-level function that perform multiple actions together (e.g. 11 | sign the content of a buffer with a specific padding scheme). 12 | 13 | === Documentation 14 | 15 | The library is annotated with Doxygen comments and a `Doxyfile` is 16 | provided. To build the library simply run 17 | 18 | [source, bash] 19 | ---- 20 | $ cd lib 21 | $ doxygen 22 | ---- 23 | 24 | and open the `doxygen/html/index.html` file with 25 | your preferred browser. 26 | 27 | A pre-built version of the documentation is available 28 | link:https://developers.yubico.com/YubiHSM2/Releases/libyubihsm-doxygen-1.0.0.tar.gz[here]. 29 | 30 | === Examples 31 | 32 | Code examples of how to use the library are available in the examples directory. 33 | -------------------------------------------------------------------------------- /lib/data_compress.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2024 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | #include "data_compress.h" 22 | #include "debug_lib.h" 23 | 24 | int compress_data(const uint8_t *data, size_t data_len, 25 | uint8_t *compressed_data, size_t *compressed_data_len) { 26 | 27 | z_stream zs = {0}; 28 | zs.zalloc = Z_NULL; 29 | zs.zfree = Z_NULL; 30 | zs.opaque = Z_NULL; 31 | zs.avail_in = (uInt) data_len; 32 | zs.next_in = (Bytef *) data; 33 | zs.avail_out = (uInt) *compressed_data_len; 34 | zs.next_out = (Bytef *) compressed_data; 35 | 36 | int res = deflateInit2(&zs, Z_DEFAULT_COMPRESSION, Z_DEFLATED, MAX_WBITS | 16, 37 | 8, Z_DEFAULT_STRATEGY); 38 | if (res != Z_OK) { 39 | DBG_ERR("Failed to initialize data compression. ZLIB error code: %d (%s)", 40 | res, zError(res)); 41 | return -1; 42 | } 43 | 44 | res = deflate(&zs, Z_FINISH); 45 | if (res != Z_STREAM_END) { 46 | DBG_ERR("Failed to compress data. ZLIB error code: %d (%s)", res, 47 | zError(res)); 48 | return -1; 49 | } 50 | 51 | res = deflateEnd(&zs); 52 | if (res != Z_OK) { 53 | DBG_ERR("Failed to finish data compression. ZLIB error code: %d (%s)", res, 54 | zError(res)); 55 | return -1; 56 | } 57 | 58 | *compressed_data_len = zs.total_out; 59 | return 0; 60 | } 61 | 62 | int decompress_data(uint8_t *compressed_data, size_t compressed_data_len, 63 | uint8_t *data, size_t *data_len) { 64 | uint8_t *dataptr = compressed_data; 65 | 66 | z_stream zs = {0}; 67 | zs.zalloc = Z_NULL; 68 | zs.zfree = Z_NULL; 69 | zs.opaque = Z_NULL; 70 | zs.avail_in = (uInt) compressed_data_len; 71 | zs.next_in = (Bytef *) dataptr; 72 | zs.avail_out = (uInt) *data_len; 73 | zs.next_out = (Bytef *) data; 74 | 75 | int res = inflateInit2(&zs, MAX_WBITS | 16); 76 | if (res != Z_OK) { 77 | DBG_ERR("Failed to initialize data decompression. ZLIB error code: %d (%s)", 78 | res, zError(res)); 79 | return -1; 80 | } 81 | 82 | res = inflate(&zs, Z_FINISH); 83 | if (res != Z_STREAM_END) { 84 | DBG_ERR("Failed to decompress data. ZLIB error code: %d (%s)", res, 85 | zError(res)); 86 | return -1; 87 | } 88 | 89 | res = inflateEnd(&zs); 90 | if (res != Z_OK) { 91 | DBG_ERR("Failed to finish data decompression. ZLIB error code: %d (%s)", 92 | res, zError(res)); 93 | return -1; 94 | } 95 | *data_len = zs.total_out; 96 | return 0; 97 | } 98 | -------------------------------------------------------------------------------- /lib/data_compress.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2024 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | /* 18 | ** Implements platform specific operations to compress and uncompress X509Cert 19 | */ 20 | 21 | #ifndef YUBIHSM_SHELL_DATA_COMPRESS_H 22 | #define YUBIHSM_SHELL_DATA_COMPRESS_H 23 | 24 | #include "../common/platform-config.h" 25 | #include 26 | #include 27 | 28 | #ifdef __cplusplus 29 | extern "C" { 30 | #endif 31 | 32 | #ifndef __WIN32 33 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 34 | #else 35 | #define YH_INTERNAL 36 | #endif 37 | 38 | int YH_INTERNAL compress_data(const uint8_t *data, size_t data_len, 39 | uint8_t *compressed_data, 40 | size_t *compressed_data_len); 41 | int YH_INTERNAL decompress_data(uint8_t *compressed_data, 42 | size_t compressed_data_len, uint8_t *data, 43 | size_t *data_len); 44 | 45 | #endif // YUBIHSM_SHELL_DATA_COMPRESS_H 46 | -------------------------------------------------------------------------------- /lib/error.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | 19 | #include 20 | 21 | #define ERR(name, desc) \ 22 | { name, desc } 23 | 24 | typedef struct { 25 | yh_rc rc; 26 | const char *description; 27 | } err_t; 28 | 29 | static const err_t errors[] = { 30 | ERR(YHR_SUCCESS, "Success"), 31 | ERR(YHR_MEMORY_ERROR, "Unable to allocate memory"), 32 | ERR(YHR_INIT_ERROR, "Unable to initialize libyubihsm"), 33 | ERR(YHR_CONNECTION_ERROR, "Connection error"), 34 | ERR(YHR_CONNECTOR_NOT_FOUND, "Unable to find a suitable connector"), 35 | ERR(YHR_INVALID_PARAMETERS, "Invalid argument to a function"), 36 | ERR(YHR_WRONG_LENGTH, "Mismatch between expected and received length"), 37 | ERR(YHR_BUFFER_TOO_SMALL, "Not enough space to store data"), 38 | ERR(YHR_CRYPTOGRAM_MISMATCH, "Unable to verify cryptogram"), 39 | ERR(YHR_SESSION_AUTHENTICATION_FAILED, "Unable to authenticate session"), 40 | ERR(YHR_MAC_MISMATCH, "Unable to verify MAC"), 41 | ERR(YHR_DEVICE_OK, "No error"), 42 | ERR(YHR_DEVICE_INVALID_COMMAND, "Unrecognized command"), 43 | ERR(YHR_DEVICE_INVALID_DATA, "Malformed command / invalid data"), 44 | ERR(YHR_DEVICE_INVALID_SESSION, "Invalid session"), 45 | ERR(YHR_DEVICE_AUTHENTICATION_FAILED, 46 | "Message encryption / verification failed"), 47 | ERR(YHR_DEVICE_SESSIONS_FULL, "All sessions are allocated"), 48 | ERR(YHR_DEVICE_SESSION_FAILED, "Session creation failed"), 49 | ERR(YHR_DEVICE_STORAGE_FAILED, "Storage failure"), 50 | ERR(YHR_DEVICE_WRONG_LENGTH, "Wrong length"), 51 | ERR(YHR_DEVICE_INSUFFICIENT_PERMISSIONS, "Wrong permissions for operation"), 52 | ERR(YHR_DEVICE_LOG_FULL, "Log buffer is full and forced audit is set"), 53 | ERR(YHR_DEVICE_OBJECT_NOT_FOUND, "Object not found"), 54 | ERR(YHR_DEVICE_INVALID_ID, "Invalid ID used"), 55 | ERR(YHR_DEVICE_INVALID_OTP, "Invalid OTP"), 56 | ERR(YHR_DEVICE_DEMO_MODE, "Demo mode, power cycle device"), 57 | ERR(YHR_DEVICE_COMMAND_UNEXECUTED, 58 | "The command execution has not terminated"), 59 | ERR(YHR_GENERIC_ERROR, "Generic error"), 60 | ERR(YHR_DEVICE_OBJECT_EXISTS, "An Object with that ID already exists"), 61 | ERR(YHR_CONNECTOR_ERROR, "Connector operation failed"), 62 | ERR(YHR_DEVICE_SSH_CA_CONSTRAINT_VIOLATION, "SSH CA constraint violation"), 63 | ERR(YHR_DEVICE_ALGORITHM_DISABLED, "Algorithm disabled"), 64 | }; 65 | 66 | const char *yh_strerror(yh_rc err) { 67 | static const char *unknown = "Unknown yubihsm error"; 68 | const char *p; 69 | 70 | if (-err < 0 || -err >= (int) (sizeof(errors) / sizeof(errors[0]))) { 71 | return unknown; 72 | } 73 | 74 | p = errors[-err].description; 75 | if (!p) { 76 | p = unknown; 77 | } 78 | 79 | return p; 80 | } 81 | -------------------------------------------------------------------------------- /lib/fuzz/fuzz_send_plain_msg.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include "debug_lib.h" 3 | 4 | extern "C" { 5 | #include "yubihsm.h" 6 | 7 | uint8_t *backend_data; 8 | size_t backend_data_len; 9 | } 10 | 11 | #include "yubihsm_fuzz.h" 12 | 13 | yh_connector *connector; 14 | 15 | static bool initialize() { 16 | yh_rc rc = yh_init_connector("yhfuzz://yubihsm_fuzz", &connector); 17 | assert(rc == YHR_SUCCESS); 18 | rc = yh_connect(connector, 0); 19 | assert(rc == YHR_SUCCESS); 20 | return true; 21 | } 22 | 23 | extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) { 24 | static bool is_initialized = initialize(); 25 | 26 | if (size < 2) { 27 | return 0; 28 | } 29 | size_t data_len = data[0]; 30 | size_t response_len = data[1]; 31 | 32 | backend_data = data + 2; 33 | backend_data_len = size - 2; 34 | 35 | uint8_t *hsm_data = new uint8_t[data_len]; 36 | uint8_t *response = new uint8_t[response_len]; 37 | yh_cmd response_cmd; 38 | 39 | yh_send_plain_msg(connector, YHC_ECHO, hsm_data, data_len, &response_cmd, 40 | response, &response_len); 41 | 42 | delete[] hsm_data; 43 | delete[] response; 44 | 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /lib/fuzz/fuzz_send_secure_msg.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include "debug_lib.h" 4 | 5 | extern "C" { 6 | #include "yubihsm.h" 7 | 8 | uint8_t *backend_data; 9 | size_t backend_data_len; 10 | yh_session *fuzz_session; 11 | } 12 | 13 | #include "yubihsm_fuzz.h" 14 | 15 | yh_connector *connector; 16 | 17 | static bool initialize() { 18 | yh_rc rc = yh_init_connector("yhfuzz://yubihsm_fuzz", &connector); 19 | assert(rc == YHR_SUCCESS); 20 | rc = yh_connect(connector, 0); 21 | assert(rc == YHR_SUCCESS); 22 | return true; 23 | } 24 | 25 | extern "C" int LLVMFuzzerTestOneInput(uint8_t *data, size_t size) { 26 | static bool is_initialized = initialize(); 27 | yh_rc yrc = YHR_GENERIC_ERROR; 28 | 29 | if (size < 2) { 30 | return 0; 31 | } 32 | 33 | yrc = yh_create_session_derived(connector, 1, 34 | (const uint8_t *) FUZZ_BACKEND_PASSWORD, 35 | strlen(FUZZ_BACKEND_PASSWORD), false, 36 | &fuzz_session); 37 | assert(yrc == YHR_SUCCESS); 38 | 39 | size_t data_len = data[0]; 40 | size_t response_len = data[1]; 41 | 42 | backend_data = data + 2; 43 | backend_data_len = size - 2; 44 | 45 | uint8_t *hsm_data = new uint8_t[data_len]; 46 | uint8_t *response = new uint8_t[response_len]; 47 | yh_cmd response_cmd; 48 | 49 | yh_send_secure_msg(fuzz_session, YHC_ECHO, hsm_data, data_len, &response_cmd, 50 | response, &response_len); 51 | 52 | yrc = yh_util_close_session(fuzz_session); 53 | assert(yrc == YHR_SUCCESS); 54 | 55 | yrc = yh_destroy_session(&fuzz_session); 56 | assert(yrc == YHR_SUCCESS); 57 | 58 | delete[] hsm_data; 59 | delete[] response; 60 | 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /lib/fuzz/yubihsm_fuzz.h: -------------------------------------------------------------------------------- 1 | #ifndef _FUZZER_H 2 | #define _FUZZER_H 3 | 4 | #ifdef __cplusplus 5 | extern "C" { 6 | #endif 7 | 8 | #include 9 | #include 10 | 11 | extern yh_session *fuzz_session; 12 | #define FUZZ_BACKEND_PASSWORD "fuzzfuzz" 13 | 14 | extern uint8_t *backend_data; 15 | extern size_t backend_data_len; 16 | 17 | #ifdef __cplusplus 18 | } 19 | #endif 20 | 21 | #endif 22 | -------------------------------------------------------------------------------- /lib/internal.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBIHSM_INTERNAL_H 18 | #define YUBIHSM_INTERNAL_H 19 | 20 | #include "../common/platform-config.h" 21 | #include "scp.h" 22 | 23 | #include 24 | #include 25 | 26 | struct yh_session { 27 | uint16_t authkey_id; 28 | uint8_t key_enc[SCP_KEY_LEN]; 29 | uint8_t key_mac[SCP_KEY_LEN]; 30 | Scp_ctx s; 31 | uint8_t context[2 * YH_EC_P256_PUBKEY_LEN]; 32 | }; 33 | 34 | typedef struct state yh_backend; 35 | 36 | struct yh_connector { 37 | void *backend; 38 | struct backend_functions *bf; 39 | yh_backend *connection; 40 | char status_url[256]; 41 | char api_url[256]; 42 | bool has_device; 43 | uint8_t version_major; 44 | uint8_t version_minor; 45 | uint8_t version_patch; 46 | char address[32]; 47 | uint32_t port; 48 | uint32_t pid; 49 | yh_device_info device_info; 50 | }; 51 | 52 | #ifndef __WIN32 53 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 54 | #else 55 | #define YH_INTERNAL 56 | #endif 57 | 58 | void YH_INTERNAL dump_hex(FILE *file, const uint8_t *ptr, uint16_t len); 59 | void YH_INTERNAL dump_msg(FILE *file, const Msg *msg); 60 | void YH_INTERNAL dump_response(FILE *file, const Msg *msg); 61 | 62 | void YH_INTERNAL parse_status_data(char *data, yh_connector *connector); 63 | bool YH_INTERNAL parse_usb_url(const char *url, unsigned long *serial); 64 | 65 | struct backend_functions { 66 | yh_rc (*backend_init)(uint8_t verbosity, FILE *output); 67 | yh_backend *(*backend_create)(void); 68 | yh_rc (*backend_connect)(yh_connector *connector, int timeout); 69 | void (*backend_disconnect)(yh_backend *connection); 70 | yh_rc (*backend_send_msg)(yh_backend *connection, Msg *msg, Msg *response, 71 | const char *identifier); 72 | void (*backend_cleanup)(void); 73 | yh_rc (*backend_option)(yh_backend *connection, yh_connector_option opt, 74 | const void *val); 75 | void (*backend_set_verbosity)(uint8_t verbosity, FILE *output); 76 | }; 77 | 78 | #ifdef STATIC 79 | struct backend_functions YH_INTERNAL *usb_backend_functions(void); 80 | struct backend_functions YH_INTERNAL *http_backend_functions(void); 81 | #ifdef FUZZING 82 | struct backend_functions YH_INTERNAL *fuzz_backend_functions(void); 83 | #endif 84 | #else 85 | struct backend_functions *backend_functions(void); 86 | #endif 87 | 88 | #endif 89 | -------------------------------------------------------------------------------- /lib/scp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef SCP_H 18 | #define SCP_H 19 | 20 | #include 21 | #include 22 | 23 | // Data derivation constants 24 | #define SCP_CARD_CRYPTOGRAM 0x00 25 | #define SCP_HOST_CRYPTOGRAM 0x01 26 | 27 | #define SCP_CARD_CHALLENGE 0x02 28 | 29 | #define SCP_S_ENC_DERIVATION 0x04 30 | #define SCP_S_MAC_DERIVATION 0x06 31 | #define SCP_S_RMAC_DERIVATION 0x07 32 | 33 | // Lengths 34 | #define AES_128_KEY_LEN 16 35 | #define AES_192_KEY_LEN 24 36 | #define AES_256_KEY_LEN 32 37 | #define SCP_KEY_LEN (AES_128_KEY_LEN) 38 | #define SCP_PRF_LEN 16 // One AES block 39 | 40 | #define SCP_CARD_CHAL_LEN 8 41 | #define SCP_HOST_CHAL_LEN 8 42 | 43 | #define SCP_CARD_CRYPTO_LEN 8 44 | #define SCP_HOST_CRYPTO_LEN 8 45 | 46 | #define SCP_MAC_LEN 8 47 | 48 | #define SCP_CONTEXT_LEN 16 49 | 50 | #define SCP_AUTHKEY_ID_LEN 2 51 | 52 | #ifndef FUZZING 53 | #define SCP_MSG_BUF_SIZE 3136 54 | #else 55 | // in fuzzing builds make the data buffers smaller 56 | #define SCP_MSG_BUF_SIZE 100 57 | #endif 58 | 59 | // Message 60 | #pragma pack(push, 1) 61 | union _Msg { 62 | struct { 63 | uint8_t cmd; 64 | uint16_t len; 65 | uint8_t data[SCP_MSG_BUF_SIZE]; 66 | } st; 67 | uint8_t raw[SCP_MSG_BUF_SIZE + 3]; 68 | }; 69 | #pragma pack(pop) 70 | 71 | typedef union _Msg Msg; 72 | struct yh_connector; 73 | 74 | typedef struct { 75 | uint8_t sid; 76 | uint8_t s_enc[SCP_KEY_LEN]; 77 | uint8_t s_mac[SCP_KEY_LEN]; 78 | uint8_t s_rmac[SCP_KEY_LEN]; 79 | uint8_t mac_chaining_value[SCP_PRF_LEN]; 80 | uint8_t ctr[SCP_PRF_LEN]; 81 | char identifier[17]; 82 | struct yh_connector *parent; 83 | } Scp_ctx; 84 | 85 | #endif 86 | -------------------------------------------------------------------------------- /lib/tests/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | if(MSVC) 18 | set(ADDITIONAL_LIBRARY ws2_32) 19 | endif(MSVC) 20 | 21 | set ( 22 | SOURCE_PARSING 23 | test_parsing.c 24 | ) 25 | 26 | set ( 27 | SOURCE_PBKDF2 28 | test_pbkdf2.c 29 | ../../common/pkcs5.c 30 | ../../common/hash.c 31 | ) 32 | 33 | set ( 34 | SOURCE_USB_URL 35 | test_usb_url.c 36 | ../lib_util.c 37 | ) 38 | if(MSVC) 39 | set(SOURCE_USB_URL ${SOURCE_USB_URL} ../../common/time_win.c) 40 | endif(MSVC) 41 | set ( 42 | SOURCE_UTIL 43 | test_util.c 44 | ../lib_util.c 45 | ) 46 | if(MSVC) 47 | set(SOURCE_UTIL ${SOURCE_UTIL} ../../common/time_win.c) 48 | endif(MSVC) 49 | include_directories ( 50 | ${CMAKE_CURRENT_SOURCE_DIR}/../lib 51 | ) 52 | 53 | add_executable (test_parsing ${SOURCE_PARSING}) 54 | 55 | add_executable (test_pbkdf2 ${SOURCE_PBKDF2}) 56 | 57 | add_executable (test_usb_url ${SOURCE_USB_URL}) 58 | 59 | add_executable (test_util ${SOURCE_UTIL}) 60 | 61 | target_link_libraries ( 62 | test_parsing 63 | yubihsm 64 | ) 65 | 66 | target_link_libraries ( 67 | test_pbkdf2 68 | # this doesn't really need libyubihsm, needs openssl/windows whatever 69 | yubihsm 70 | ) 71 | 72 | target_link_libraries (test_usb_url ${ADDITIONAL_LIBRARY}) 73 | 74 | target_link_libraries (test_util ${ADDITIONAL_LIBRARY}) 75 | -------------------------------------------------------------------------------- /lib/tests/test_pbkdf2.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | #ifdef NDEBUG 19 | #undef NDEBUG 20 | #endif 21 | #include 22 | #include 23 | 24 | #include "../../common/pkcs5.h" 25 | 26 | static void test_pbkdf2_vectors(void) { 27 | struct vector { 28 | const uint8_t *password; 29 | size_t password_len; 30 | const uint8_t *salt; 31 | size_t salt_len; 32 | uint64_t iterations; 33 | hash_t hash; 34 | const uint8_t *output; 35 | size_t size; 36 | } vectors[] = { 37 | {(const uint8_t *) "password", 8, (const uint8_t *) "salt", 4, 1, _SHA1, 38 | (const uint8_t *) "\x0c\x60\xc8\x0f\x96\x1f\x0e\x71\xf3\xa9\xb5\x24\xaf" 39 | "\x60\x12\x06\x2f\xe0\x37\xa6", 40 | 20}, 41 | {(const uint8_t *) "password", 8, (const uint8_t *) "salt", 4, 2, _SHA1, 42 | (const uint8_t *) "\xea\x6c\x01\x4d\xc7\x2d\x6f\x8c\xcd\x1e\xd9\x2a\xce" 43 | "\x1d\x41\xf0\xd8\xde\x89\x57", 44 | 20}, 45 | {(const uint8_t *) "password", 8, (const uint8_t *) "salt", 4, 4096, _SHA1, 46 | (const uint8_t *) "\x4b\x00\x79\x01\xb7\x65\x48\x9a\xbe\xad\x49\xd9\x26" 47 | "\xf7\x21\xd0\x65\xa4\x29\xc1", 48 | 20}, 49 | //{(const uint8_t*)"password", 8, (const uint8_t*)"salt", 4, 16777216, 50 | //_SHA1, (const 51 | // uint8_t*)"\xee\xfe\x3d\x61\xcd\x4d\xa4\xe4\xe9\x94\x5b\x3d\x6b\xa2\x15\x8c\x26\x34\xe9\x84", 52 | // 20}, 53 | {(const uint8_t *) "passwordPASSWORDpassword", 24, 54 | (const uint8_t *) "saltSALTsaltSALTsaltSALTsaltSALTsalt", 36, 4096, _SHA1, 55 | (const uint8_t *) "\x3d\x2e\xec\x4f\xe4\x1c\x84\x9b\x80\xc8\xd8\x36\x62" 56 | "\xc0\xe4\x4a\x8b\x29\x1a\x96\x4c\xf2\xf0\x70\x38", 57 | 25}, 58 | {(const uint8_t *) "pass\0word", 9, (const uint8_t *) "sa\0lt", 5, 4096, 59 | _SHA1, 60 | (const uint8_t 61 | *) "\x56\xfa\x6a\xa7\x55\x48\x09\x9d\xcc\x37\xd7\xf0\x34\x25\xe0\xc3", 62 | 16}, 63 | }; 64 | 65 | for (size_t i = 0; i < sizeof(vectors) / sizeof(vectors[0]); i++) { 66 | uint8_t key[256]; 67 | bool res = pkcs5_pbkdf2_hmac(vectors[i].password, vectors[i].password_len, 68 | vectors[i].salt, vectors[i].salt_len, 69 | vectors[i].iterations, vectors[i].hash, key, 70 | vectors[i].size); 71 | assert(res == true); 72 | assert(memcmp(key, vectors[i].output, vectors[i].size) == 0); 73 | } 74 | } 75 | 76 | int main(void) { 77 | test_pbkdf2_vectors(); 78 | return 0; 79 | } 80 | -------------------------------------------------------------------------------- /lib/tests/test_usb_url.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifdef NDEBUG 18 | #undef NDEBUG 19 | #endif 20 | #include 21 | #include 22 | #include 23 | 24 | #include "yubihsm.h" 25 | #include "internal.h" 26 | 27 | uint8_t _yh_verbosity = YH_VERB_ALL; 28 | FILE *_yh_output; 29 | 30 | static void test_urls(void) { 31 | struct { 32 | const char *string; 33 | unsigned long serial; 34 | bool ret; 35 | } tests[] = { 36 | {"yhusb://serial=12345", 12345, true}, 37 | {"", 0, false}, 38 | {"yhusb://", 0, true}, 39 | {"yhusb://foo=bar&serial=1000000", 1000000, true}, 40 | {"yhusb://serial=0001234", 1234, true}, 41 | {"yhusb://serial=0x1234", 0, false}, 42 | {"yhusb://serial=FF", 0, false}, 43 | {"yhusb://serial=1234foo", 0, false}, 44 | {"yhusb://serial=", 0, false}, 45 | }; 46 | 47 | for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { 48 | unsigned long serial = 0; 49 | assert(parse_usb_url(tests[i].string, &serial) == tests[i].ret); 50 | if (tests[i].ret) { 51 | assert(serial == tests[i].serial); 52 | } 53 | } 54 | } 55 | 56 | int main(void) { 57 | _yh_output = stderr; 58 | test_urls(); 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /lib/tests/test_util.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifdef NDEBUG 18 | #undef NDEBUG 19 | #endif 20 | 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "yubihsm.h" 27 | #include "internal.h" 28 | 29 | uint8_t _yh_verbosity; 30 | FILE *_yh_output; 31 | 32 | static void test_status(void) { 33 | struct { 34 | const char *data; 35 | yh_connector c; 36 | } tests[] = { 37 | {"status=OK\nversion=1.2.3\n", 38 | {NULL, NULL, NULL, {0}, {0}, true, 1, 2, 3, "", 0, 0, {0}}}, 39 | {"", {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0, {0}}}, 40 | {"foobar", {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0, {0}}}, 41 | {"\n\n\n\n\n\n", {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0, {0}}}, 42 | {"status=NO_DEVICE\nserial=*\nversion=1.0.2\npid=412\naddress=\nport=12345", 43 | {NULL, NULL, NULL, {0}, {0}, false, 1, 0, 2, "", 12345, 412, {0}}}, 44 | {"version=1.2", {NULL, NULL, NULL, {0}, {0}, false, 1, 2, 0, "", 0, 0, {0}}}, 45 | {"version=foobar", 46 | {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0, {0}}}, 47 | {"version=2..\nstatus=OK", 48 | {NULL, NULL, NULL, {0}, {0}, true, 2, 0, 0, "", 0, 0, {0}}}, 49 | }; 50 | 51 | for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) { 52 | yh_connector c = {NULL, NULL, NULL, {0}, {0}, false, 0, 0, 0, "", 0, 0, {0}}; 53 | char *data = strdup(tests[i].data); 54 | 55 | parse_status_data(data, &c); 56 | free(data); 57 | assert(memcmp(&c, &tests[i].c, sizeof(c)) == 0); 58 | } 59 | } 60 | 61 | int main(void) { 62 | _yh_output = stderr; 63 | _yh_verbosity = 0; 64 | 65 | test_status(); 66 | return 0; 67 | } 68 | -------------------------------------------------------------------------------- /lib/version.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM Interface Library" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "libyubihsm.dll" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "libyubihsm.dll" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /lib/version_winhttp.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM HTTP backend Library" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "libyubihsm_http.dll" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "libyubihsm_http.dll" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /lib/version_winusb.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM USB backend Library" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "libyubihsm_usb.dll" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "libyubihsm_usb.dll" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /lib/yubihsm.pc.in: -------------------------------------------------------------------------------- 1 | libdir=-L@YUBIHSM_INSTALL_LIB_DIR@ 2 | includedir=-I@YUBIHSM_INSTALL_INC_DIR@ 3 | 4 | Name: yubihsm 5 | Description: Yubico YubiHSM C Library 6 | URL: https://www.yubico.com/ 7 | Version: @VERSION@ 8 | Requires.private: libcrypto libcurl 9 | Libs: ${libdir} -lyubihsm 10 | Cflags: ${includedir} 11 | -------------------------------------------------------------------------------- /lib/yubihsm_usb.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBIHSM_USB_H 18 | #define YUBIHSM_USB_H 19 | 20 | #ifndef __WIN32 21 | #define YH_INTERNAL __attribute__((visibility("hidden"))) 22 | #else 23 | #define YH_INTERNAL 24 | #endif 25 | 26 | void YH_INTERNAL usb_close(yh_backend *state); 27 | void YH_INTERNAL usb_destroy(yh_backend **state); 28 | yh_backend YH_INTERNAL *backend_create(void); 29 | bool YH_INTERNAL usb_open_device(yh_backend *backend); 30 | int YH_INTERNAL usb_write(yh_backend *state, unsigned char *buf, 31 | long unsigned len); 32 | int YH_INTERNAL usb_read(yh_backend *state, unsigned char *buf, 33 | long unsigned *len); 34 | void YH_INTERNAL usb_set_serial(yh_backend *state, unsigned long serial); 35 | 36 | #endif 37 | -------------------------------------------------------------------------------- /pkcs11/cmdline.ggo: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | option "config-file" - "Configuration file to read" string optional default="./yubihsm_pkcs11.conf" 18 | option "connector" - "List of connectors to use" string optional multiple 19 | option "debug" - "Enable pkcs11 debugging" flag off 20 | option "dinout" - "Enable pkcs11 function tracing" flag off 21 | option "libdebug" - "Enable libyubihsm debugging" flag off 22 | option "debug-file" - "Output file for debugging" string optional default="stderr" 23 | option "cacert" - "Cacert to use for HTTPS validation" string optional 24 | option "cert" - "HTTPS client certificate to authenticate with" string optional 25 | option "key" - "HTTPS client certificate key" string optional 26 | option "proxy" - "Proxy server to use for connector" string optional 27 | option "noproxy" - "Comma separated list of hosts ignore proxy for" string optional 28 | option "timeout" - "Timeout to use for initial connection to connector" int optional default="5" 29 | option "device-pubkey" - "List of device public keys allowed for asymmetric authentication" string optional multiple 30 | 31 | -------------------------------------------------------------------------------- /pkcs11/debug_p11.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include 18 | #include 19 | 20 | #include "debug_p11.h" 21 | #include "yubihsm.h" 22 | 23 | int _YHP11_DBG = 0; 24 | int _YHP11_DINOUT = 0; 25 | FILE *_YHP11_OUTPUT = NULL; 26 | 27 | void yh_dbg_init(int dbg, int dinout, int libdbg, const char *debug_file) { 28 | if (_YHP11_OUTPUT != stderr && _YHP11_OUTPUT != stdout && 29 | _YHP11_OUTPUT != NULL) { 30 | fclose(_YHP11_OUTPUT); 31 | _YHP11_OUTPUT = stderr; 32 | } 33 | if (strcmp(debug_file, "stderr") == 0) { 34 | _YHP11_OUTPUT = stderr; 35 | } else if (strcmp(debug_file, "stdout") == 0) { 36 | _YHP11_OUTPUT = stdout; 37 | } else { 38 | FILE *file = fopen(debug_file, "ab"); 39 | if (file) { 40 | _YHP11_OUTPUT = file; 41 | } else { 42 | _YHP11_OUTPUT = stderr; 43 | } 44 | } 45 | yh_set_debug_output(NULL, _YHP11_OUTPUT); 46 | if (dbg || getenv("YUBIHSM_PKCS11_DBG")) { 47 | _YHP11_DBG = 1; 48 | } 49 | if (dinout || getenv("YUBIHSM_PKCS11_DINOUT")) { 50 | _YHP11_DINOUT = 1; 51 | } 52 | if (libdbg || getenv("YUBIHSM_LIB_DBG")) { 53 | yh_set_verbosity(NULL, YH_VERB_ALL); 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /pkcs11/debug_p11.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef DEBUG_P11_H 18 | #define DEBUG_P11_H 19 | 20 | #include 21 | #include 22 | 23 | #include "../common/debug.h" 24 | 25 | extern int _YHP11_DBG; 26 | extern int _YHP11_DINOUT; 27 | extern FILE *_YHP11_OUTPUT; 28 | 29 | void yh_dbg_init(int dbg, int dinout, int libdbg, const char *debug_file); 30 | 31 | #define DBG_INFO(...) \ 32 | do { \ 33 | DLN(_YHP11_DBG, _YHP11_OUTPUT, ANSI_BLUE, "P11", "INF", __VA_ARGS__); \ 34 | } while (0) 35 | 36 | #define DBG_WARN(...) \ 37 | do { \ 38 | DLN(_YHP11_DBG, _YHP11_OUTPUT, ANSI_YELLOW, "P11", "WRN", __VA_ARGS__); \ 39 | } while (0) 40 | 41 | #define DBG_ERR(...) \ 42 | do { \ 43 | DLN(_YHP11_DBG, _YHP11_OUTPUT, ANSI_RED, "P11", "ERR", __VA_ARGS__); \ 44 | } while (0) 45 | 46 | #define DIN \ 47 | do { \ 48 | DLN(_YHP11_DINOUT, _YHP11_OUTPUT, ANSI_BLUE, "P11", "INF", ("In")); \ 49 | } while (0) 50 | 51 | #define DOUT \ 52 | do { \ 53 | DLN(_YHP11_DINOUT, _YHP11_OUTPUT, ANSI_BLUE, "P11", "INF", ("Out")); \ 54 | } while (0) 55 | 56 | #endif 57 | -------------------------------------------------------------------------------- /pkcs11/list.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef LIST_H 18 | #define LIST_H 19 | 20 | #include 21 | 22 | typedef void (*FreeItemFn)(void *); 23 | 24 | typedef bool (*CompareItemFn)(void *, void *); 25 | 26 | typedef void (*IteratorFn)(void *); 27 | 28 | typedef struct ListItem ListItem; 29 | 30 | struct ListItem { 31 | void *data; 32 | ListItem *next; 33 | }; 34 | 35 | typedef struct { 36 | int length; 37 | int item_size; 38 | ListItem *head; 39 | ListItem *tail; 40 | FreeItemFn free_item_fn; 41 | } List; 42 | 43 | void list_create(List *list, int item_size, FreeItemFn free_item_fn); 44 | void list_destroy(List *list); 45 | 46 | bool list_prepend(List *list, void *item); 47 | bool list_append(List *list, void *item); 48 | 49 | ListItem *list_get(List *list, void *data, CompareItemFn compare_item_fn); 50 | void list_delete(List *list, ListItem *item); 51 | 52 | void list_iterate(List *list, IteratorFn iterator_fn); 53 | 54 | #endif 55 | -------------------------------------------------------------------------------- /pkcs11/pkcs11y.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef PKCS11Y_H 18 | #define PKCS11Y_H 19 | 20 | #include 21 | 22 | #ifdef CRYPTOKI_EXPORTS 23 | #ifdef _WIN32 24 | #define CK_SPEC __declspec(dllexport) 25 | #else 26 | #define CK_SPEC __attribute__((visibility("default"))) 27 | #endif 28 | #else 29 | #define CK_SPEC 30 | #endif 31 | 32 | #ifndef NULL_PTR 33 | #define NULL_PTR 0 34 | #endif 35 | 36 | #define CRYPTOKI_LEGACY_VERSION_MAJOR 2 37 | #define CRYPTOKI_LEGACY_VERSION_MINOR 40 38 | 39 | #define CK_PTR * 40 | #define CK_BOOL bool 41 | #define CK_HANDLE void * 42 | #define CK_DECLARE_FUNCTION(returnType, name) returnType CK_SPEC name 43 | #define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType(*name) 44 | #define CK_CALLBACK_FUNCTION(returnType, name) returnType(*name) 45 | 46 | #define CK_DEFINE_FUNCTION(returnType, name) returnType CK_SPEC name 47 | 48 | #ifdef _WIN32 49 | #pragma pack(push, cryptoki, 1) 50 | #endif 51 | 52 | #ifdef __cplusplus 53 | extern "C" { 54 | #endif 55 | 56 | #include "pkcs11.h" 57 | 58 | #ifdef __cplusplus 59 | } 60 | #endif 61 | 62 | #ifdef _WIN32 63 | #pragma pack(pop, cryptoki) 64 | #endif 65 | 66 | /* This is an offset for the vendor definitions to avoid clashes */ 67 | #define YUBICO_BASE_VENDOR 0x59554200 68 | 69 | #define CKK_YUBICO_AES128_CCM_WRAP \ 70 | (CKK_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_ALGO_AES128_CCM_WRAP) 71 | #define CKK_YUBICO_AES192_CCM_WRAP \ 72 | (CKK_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_ALGO_AES192_CCM_WRAP) 73 | #define CKK_YUBICO_AES256_CCM_WRAP \ 74 | (CKK_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_ALGO_AES256_CCM_WRAP) 75 | 76 | #define CKM_YUBICO_AES_CCM_WRAP \ 77 | (CKM_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_WRAP_KEY) 78 | 79 | /* CKM_YUBICO_AES_CCM_WRAP_PARAMS provides the parameters to the 80 | * CKM_YUBICO_AES_CCM_WRAP mechanism. 81 | */ 82 | typedef struct CKM_YUBICO_AES_CCM_WRAP_PARAMS { 83 | CK_ULONG format; // 0 = legacy, 1 = ED keys with seed 84 | } CKM_YUBICO_AES_CCM_WRAP_PARAMS; 85 | 86 | typedef CKM_YUBICO_AES_CCM_WRAP_PARAMS CK_PTR CKM_YUBICO_AES_CCM_WRAP_PARAMS_PTR; 87 | 88 | #define CKM_YUBICO_RSA_WRAP \ 89 | (CKM_VENDOR_DEFINED | YUBICO_BASE_VENDOR | YH_PUBLIC_WRAP_KEY) 90 | #endif 91 | -------------------------------------------------------------------------------- /pkcs11/tests/common.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2021 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBIHSM_PKCS11_TESTS_COMMON_H 18 | #define YUBIHSM_PKCS11_TESTS_COMMON_H 19 | 20 | #include 21 | #include "../pkcs11y.h" 22 | 23 | void *open_module(const char *path); 24 | void close_module(void *handle); 25 | CK_FUNCTION_LIST_3_0_PTR get_function_list(void *handle); 26 | CK_SESSION_HANDLE open_session(CK_FUNCTION_LIST_3_0_PTR p11); 27 | void close_session(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session); 28 | void print_session_state(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session); 29 | bool destroy_object(CK_FUNCTION_LIST_3_0_PTR p11, CK_SESSION_HANDLE session, 30 | CK_OBJECT_HANDLE key); 31 | 32 | #endif 33 | -------------------------------------------------------------------------------- /pkcs11/tests/pkcs11test.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | 3 | # 4 | # Copyright 2015-2018 Yubico AB 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | set -e 20 | 21 | if [ -z $PKCS11TEST_PATH ]; then 22 | bin="pkcs11test" 23 | else 24 | bin="${PKCS11TEST_PATH}/pkcs11test" 25 | fi 26 | 27 | dir=`mktemp -d /tmp/yubihsmtest.XXXXXX` 28 | trap 'rm -rf "$dir"' INT TERM EXIT 29 | 30 | if [ -z ${DEFAULT_CONNECTOR_URL} ]; then 31 | DEFAULT_CONNECTOR_URL="http://localhost:12345" 32 | fi 33 | 34 | cat > $dir/p11.conf <<-EOF 35 | connector = ${DEFAULT_CONNECTOR_URL} 36 | EOF 37 | 38 | export YUBIHSM_PKCS11_CONF=$dir/p11.conf 39 | 40 | env 41 | 42 | $bin -myubihsm_pkcs11.${LIBEXT} -l${BINDIR}/pkcs11 -u0001password --gtest_filter=-${SKIPPED_TESTS} 43 | -------------------------------------------------------------------------------- /pkcs11/version.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM PKCS11 Module" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "yubihsm_pkcs11.dll" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "yubihsm_pkcs11.dll" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /resources/make_src_dist.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script to produce the source distribution package 3 | 4 | VERSION=$1 # Full yubihsm-shell version, tex 2.1.0 5 | 6 | mkdir dist_build; cd dist_build 7 | cmake .. 8 | make 9 | cd .. 10 | rm -r dist_build 11 | 12 | set +e 13 | set -x 14 | 15 | tar --exclude README \ 16 | --exclude .git \ 17 | --exclude .github \ 18 | --exclude .gitignore \ 19 | --exclude .ci \ 20 | --exclude .clang-format \ 21 | --exclude .pre-commit-config.yaml \ 22 | --exclude .travis.yml \ 23 | --transform="s/^\./yubihsm-shell-$VERSION/" -czf yubihsm-shell-$VERSION.tar.gz . 24 | exitcode=$? 25 | if [ "$exitcode" != "1" ] && [ "$exitcode" != "0" ]; then 26 | exit $exitcode 27 | fi 28 | 29 | set -e -------------------------------------------------------------------------------- /resources/release/icons/yubico-msi-background.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Yubico/yubihsm-shell/a85a9bd4c5f25cea1227ca60379419ca7a6a0a28/resources/release/icons/yubico-msi-background.png -------------------------------------------------------------------------------- /resources/release/icons/yubico-msi-y-banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Yubico/yubihsm-shell/a85a9bd4c5f25cea1227ca60379419ca7a6a0a28/resources/release/icons/yubico-msi-y-banner.png -------------------------------------------------------------------------------- /resources/release/linux/Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | Vagrant.configure("2") do |config| 5 | config.vm.synced_folder ".", "/vagrant", disabled: true 6 | config.vm.provider "virtualbox" do |v| 7 | v.memory = 2048 8 | v.cpus = 2 9 | end 10 | 11 | config.vm.define "fedora36" do |fedora36| 12 | fedora36.vm.box = "generic/fedora36" 13 | fedora36.vm.synced_folder "../../..", "/shared", type: "rsync", 14 | rsync__args: ["--verbose", "--archive", "-z", "--delete"] 15 | fedora36.vm.provision "shell", :path => "build-rpm.sh", :args => "fedora36", :privileged => false 16 | end 17 | 18 | config.vm.define "fedora37" do |fedora37| 19 | fedora37.vm.box = "generic/fedora37" 20 | fedora37.vm.synced_folder "../../..", "/shared", type: "rsync", 21 | rsync__args: ["--verbose", "--archive", "-z", "--delete"] 22 | fedora37.vm.provision "shell", :path => "build-rpm.sh", :args => "fedora37", :privileged => false 23 | end 24 | 25 | config.vm.define "centos7" do |centos7| 26 | centos7.vm.box = "centos/7" 27 | centos7.vm.synced_folder "../../..", "/shared", type: "rsync", 28 | rsync__args: ["--verbose", "--archive", "-z", "--copy-links"] 29 | centos7.vm.provision "shell", :path => "build-rpm.sh", :args => "centos7", :privileged => false 30 | end 31 | 32 | config.vm.define "debian10" do |debian10| 33 | debian10.vm.box = "roboxes/debian10" 34 | debian10.vm.synced_folder "../../..", "/shared", type: "rsync", 35 | rsync__args: ["--verbose", "--archive", "-z", "--delete"] 36 | debian10.vm.provision "shell", :path => "build-pkg.sh", :args => "debian10", :privileged => false 37 | end 38 | 39 | config.vm.define "debian11" do |debian11| 40 | debian11.vm.box = "generic/debian11" 41 | debian11.vm.synced_folder "../../..", "/shared", type: "rsync", 42 | rsync__args: ["--verbose", "--archive", "-z", "--delete"] 43 | debian11.vm.provision "shell", :path => "build-pkg.sh", :args => "debian11", :privileged => false 44 | end 45 | 46 | config.vm.define "trusty" do |trusty| 47 | trusty.vm.box = "ubuntu/trusty64" 48 | trusty.vm.synced_folder "../../..", "/shared" 49 | trusty.vm.provision "shell", :path => "build-pkg.sh", :args => "ubuntu1404", :privileged => false 50 | end 51 | 52 | config.vm.define "xenial" do |xenial| 53 | xenial.vm.box = "ubuntu/xenial64" 54 | xenial.vm.synced_folder "../../..", "/shared" 55 | xenial.vm.provision "shell", :path => "build-pkg.sh", :args => "ubuntu1604", :privileged => false 56 | end 57 | 58 | config.vm.define "bionic" do |bionic| 59 | bionic.vm.box = "ubuntu/bionic64" 60 | bionic.vm.synced_folder "../../..", "/shared" 61 | bionic.vm.provision "shell", :path => "build-pkg.sh", :args => "ubuntu1804", :privileged => false 62 | end 63 | 64 | config.vm.define "focal" do |focal| 65 | focal.vm.box = "generic/ubuntu2004" 66 | focal.vm.synced_folder "../../..", "/shared", type: "rsync", 67 | rsync__args: ["--verbose", "--archive", "-z", "--copy-links"] 68 | focal.vm.provision "shell", :path => "build-pkg.sh", :args => "ubuntu2004", :privileged => false 69 | end 70 | 71 | config.vm.define "jammy" do |jammy| 72 | jammy.vm.box = "alvistack/ubuntu-22.04" 73 | jammy.vm.synced_folder "../../..", "/shared", type: "rsync", 74 | rsync__args: ["--verbose", "--archive", "-z", "--copy-links"] 75 | jammy.vm.provision "shell", :path => "build-pkg.sh", :args => "ubuntu2204", :privileged => false 76 | end 77 | 78 | config.vm.define "kinetic" do |kinetic| 79 | kinetic.vm.box = "ubuntu/kinetic64" 80 | kinetic.vm.synced_folder "../../..", "/shared", type: "rsync", 81 | rsync__args: ["--verbose", "--archive", "-z", "--copy-links"] 82 | kinetic.vm.provision "shell", :path => "build-pkg.sh", :args => "ubuntu2210", :privileged => false 83 | end 84 | 85 | end 86 | -------------------------------------------------------------------------------- /resources/release/linux/build-all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e -o pipefail -x 4 | 5 | for machine in focal jammy kinetic debian10 debian11 fedora36 fedora37 centos7; do 6 | vagrant box update $machine 7 | time vagrant up $machine 8 | vagrant rsync-back $machine 9 | set +e 10 | vagrant destroy -f $machine 11 | set -e 12 | done 13 | 14 | for machine in trusty xenial bionic; do 15 | vagrant box update $machine 16 | time vagrant up $machine 17 | set +e 18 | vagrant destroy -f $machine 19 | set -e 20 | done 21 | -------------------------------------------------------------------------------- /resources/release/linux/build-pkg.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e -o pipefail 3 | set -x 4 | 5 | PLATFORM=$1 6 | 7 | export DEBIAN_FRONTEND=noninteractive 8 | 9 | sudo apt-get update && sudo apt-get dist-upgrade -y 10 | sudo apt-get install -y build-essential \ 11 | chrpath \ 12 | git \ 13 | cmake \ 14 | pkg-config \ 15 | gengetopt \ 16 | help2man \ 17 | libedit-dev \ 18 | libcurl4-openssl-dev \ 19 | liblzma-dev \ 20 | libssl-dev \ 21 | libseccomp-dev \ 22 | libusb-1.0.0-dev \ 23 | dh-exec \ 24 | git-buildpackage \ 25 | curl \ 26 | libpcsclite-dev 27 | 28 | 29 | 30 | 31 | export INPUT=/shared/ 32 | export OUTPUT=/shared/resources/release/linux/build/$PLATFORM/yubihsm-shell 33 | rm -rf $OUTPUT 34 | mkdir -p $OUTPUT 35 | 36 | pushd "/tmp" &>/dev/null 37 | rm -rf yubihsm-shell 38 | git clone "$INPUT" yubihsm-shell 39 | pushd "yubihsm-shell" &>/dev/null 40 | if [ "${PLATFORM:0:6}" == "debian" ] || [ "$PLATFORM" == "ubuntu1804" ]; then 41 | dpkg-buildpackage -b --no-sign 42 | else 43 | dpkg-buildpackage 44 | fi 45 | 46 | popd &>/dev/null 47 | cp *.deb $OUTPUT 48 | popd &>/dev/null 49 | 50 | LICENSE_DIR="$OUTPUT/share/yubihsm-shell" 51 | mkdir -p $LICENSE_DIR 52 | pushd "/shared" &>/dev/null 53 | cp -r resources/release/linux/licenses $LICENSE_DIR/ 54 | for lf in $LICENSE_DIR/licenses/*; do 55 | chmod 644 $lf 56 | done 57 | 58 | pushd "$OUTPUT" &>/dev/null 59 | rm -f yubihsm-shell-$PLATFORM-amd64.tar.gz 60 | tar -C .. -zcvf ../yubihsm-shell-$PLATFORM-amd64.tar.gz yubihsm-shell 61 | rm -f *.deb 62 | rm -rf licenses 63 | rm -rf ../yubihsm-shell 64 | popd &>/dev/null 65 | popd &>/dev/null -------------------------------------------------------------------------------- /resources/release/linux/build-rpm.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e -o pipefail 3 | set -x 4 | 5 | PLATFORM=$1 6 | 7 | if [ "$PLATFORM" == "centos7" ]; then 8 | sudo yum -y install centos-release-scl 9 | sudo yum -y update && sudo yum -y upgrade 10 | sudo yum -y install devtoolset-7-gcc \ 11 | devtoolset-7-gcc-c++ \ 12 | devtoolset-7-make \ 13 | chrpath \ 14 | git \ 15 | cmake \ 16 | openssl-devel \ 17 | libedit-devel \ 18 | libcurl-devel \ 19 | libusbx-devel \ 20 | rpm-build \ 21 | redhat-rpm-config \ 22 | pcsc-lite-devel 23 | 24 | . /opt/rh/devtoolset-7/enable 25 | 26 | GENGETOPT_VER=2.23 27 | curl -o gengetopt-${GENGETOPT_VER}.rpm https://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/g/gengetopt-2.23-1.el7.x86_64.rpm 28 | sudo yum -y install ./gengetopt-${GENGETOPT_VER}.rpm 29 | 30 | export CMAKE="cmake" 31 | 32 | elif [ "$PLATFORM" == "centos8" ]; then 33 | sudo yum -y install epel-release 34 | sudo yum -y update && sudo yum -y upgrade 35 | 36 | sudo dnf group -y install "Development Tools" 37 | sudo dnf config-manager -y --set-enabled powertools 38 | 39 | sudo yum -y install chrpath \ 40 | git \ 41 | cmake3 \ 42 | gengetopt \ 43 | libedit-devel \ 44 | libcurl-devel \ 45 | libusbx-devel \ 46 | openssl-devel \ 47 | pcsc-lite-devel 48 | 49 | export CMAKE="cmake3" 50 | 51 | elif [ "${PLATFORM:0:6}" == "fedora" ]; then 52 | sudo dnf -y update 53 | sudo dnf -y install binutils \ 54 | git \ 55 | chrpath \ 56 | cmake \ 57 | gengetopt \ 58 | openssl-devel \ 59 | libusb-devel \ 60 | libedit-devel \ 61 | libcurl-devel \ 62 | rpmdevtools \ 63 | pcsc-lite-devel 64 | 65 | export CMAKE="cmake" 66 | fi 67 | 68 | 69 | export INPUT=/shared 70 | export OUTPUT=/shared/resources/release/linux/build/$PLATFORM/yubihsm-shell 71 | rm -rf $OUTPUT 72 | mkdir -p $OUTPUT 73 | 74 | # These 2 lines can be replaced by the command "rpmdev-setuptree", but this command seems to add macros that force check paths that do not exist 75 | mkdir -p ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS} 76 | echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros 77 | 78 | export RPM_DIR=~/rpmbuild 79 | cp /shared/resources/release/linux/yubihsm-shell.spec $RPM_DIR/SPECS/ 80 | 81 | QA_SKIP_BUILD_ROOT=1 rpmbuild -bb $RPM_DIR/SPECS/yubihsm-shell.spec 82 | cp $RPM_DIR/RPMS/x86_64/*.rpm $OUTPUT 83 | 84 | LICENSE_DIR="$OUTPUT/share/yubihsm-shell" 85 | mkdir -p $LICENSE_DIR 86 | pushd "/shared" &>/dev/null 87 | cp -r resources/release/linux/licenses $LICENSE_DIR/ 88 | for lf in $LICENSE_DIR/licenses/*; do 89 | chmod 644 $lf 90 | done 91 | 92 | pushd "$OUTPUT" &>/dev/null 93 | rm -f "yubihsm-shell-$PLATFORM-amd64.tar.gz" 94 | tar -C ".." -zcvf "../yubihsm-shell-$PLATFORM-amd64.tar.gz" "yubihsm-shell" 95 | rm -f *.rpm 96 | rm -rf licenses 97 | rm -rf ../yubihsm-shell 98 | popd &>/dev/null 99 | popd &>/dev/null 100 | -------------------------------------------------------------------------------- /resources/release/linux/install_redhat_dependencies.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e -o pipefail 3 | set -x 4 | 5 | PLATFORM=$1 6 | 7 | if [ "$PLATFORM" == "centos7" ]; then 8 | yum -y install centos-release-scl 9 | yum -y update && yum -y upgrade 10 | 11 | # yum -y install devtoolset-7-gcc \ 12 | # devtoolset-7-gcc-c++ \ 13 | # devtoolset-7-make \ 14 | # chrpath \ 15 | # git \ 16 | # cmake \ 17 | # openssl-devel \ 18 | # libedit-devel \ 19 | # libcurl-devel \ 20 | # libusbx-devel \ 21 | # rpm-build \ 22 | # redhat-rpm-config \ 23 | # pcsc-lite-devel 24 | 25 | yum -y install gcc gcc-c++ \ 26 | cmake \ 27 | gengetopt \ 28 | openssl \ 29 | openssl-devel \ 30 | libedit-devel \ 31 | libcurl-devel \ 32 | libusbx-devel \ 33 | pcsc-lite-devel \ 34 | help2man \ 35 | chrpath \ 36 | rpm-build \ 37 | redhat-rpm-config 38 | 39 | # . /opt/rh/devtoolset-7/enable 40 | 41 | GENGETOPT_VER=2.23 42 | #curl -o gengetopt-${GENGETOPT_VER}.rpm https://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/g/gengetopt-2.23-1.el7.x86_64.rpm 43 | curl -o gengetopt-${GENGETOPT_VER}.rpm https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/g/gengetopt-2.23-1.el7.x86_64.rpm 44 | yum -y install ./gengetopt-${GENGETOPT_VER}.rpm 45 | 46 | export CMAKE="cmake" 47 | 48 | elif [ "$PLATFORM" == "centos8" ]; then 49 | yum -y install epel-release 50 | yum -y update && yum -y upgrade 51 | 52 | dnf group -y install "Development Tools" 53 | dnf config-manager -y --set-enabled powertools 54 | 55 | yum -y install chrpath \ 56 | git \ 57 | cmake3 \ 58 | gengetopt \ 59 | libedit-devel \ 60 | libcurl-devel \ 61 | libusbx-devel \ 62 | openssl-devel \ 63 | pcsc-lite-devel \ 64 | zlib-devel 65 | 66 | export CMAKE="cmake3" 67 | 68 | elif [ "${PLATFORM:0:6}" == "fedora" ]; then 69 | dnf -y update 70 | dnf -y install binutils \ 71 | gcc \ 72 | gcc-c++ \ 73 | chrpath \ 74 | cmake \ 75 | gengetopt \ 76 | openssl-devel \ 77 | libedit-devel \ 78 | libcurl-devel \ 79 | rpmdevtools \ 80 | pcsc-lite-devel \ 81 | libusb1-devel \ 82 | help2man \ 83 | zlib-devel 84 | 85 | export CMAKE="cmake" 86 | fi 87 | -------------------------------------------------------------------------------- /resources/release/linux/yubihsm-shell.spec: -------------------------------------------------------------------------------- 1 | %global _yubihsm yubihsm 2 | 3 | Name: yubihsm-shell 4 | Version: 2.6.0 5 | Release: 1%{?dist} 6 | Summary: Tools to interact with YubiHSM 2 7 | 8 | License: Apache 2.0 9 | URL: https://github.com/Yubico/yubihsm-shell 10 | 11 | %description 12 | This package contains most of the components used to interact with the YubiHSM 2 at both a user-facing and 13 | programmatic level. It contains the libyubihsm, yubihsm-shell, yubihsm-pkcs11, yubihsm-wrap and yubihsm-auth 14 | 15 | %package -n %{_yubihsm}-devel 16 | Summary: Development tools for interacting with YubiHSM 2 17 | 18 | %description -n %{_yubihsm}-devel 19 | Development libraries for working with yubihsm 2. 20 | 21 | %prep 22 | cd %{_builddir} 23 | rm -rf * 24 | cp -r $INPUT/* . 25 | 26 | 27 | %build 28 | rm -rf build 29 | mkdir build && cd build 30 | $CMAKE -DRELEASE_BUILD=1 -DWITHOUT_YKYH=1 -DWITHOUT_MANPAGES=1 -DYUBIHSM_INSTALL_LIB_DIR="%{buildroot}/%{_prefix}/lib64/" -DYUBIHSM_INSTALL_INC_DIR="%{buildroot}/%{_prefix}/include/" -DYUBIHSM_INSTALL_BIN_DIR="%{buildroot}/%{_prefix}/bin/" -DYUBIHSM_INSTALL_MAN_DIR="%{buildroot}/%{_prefix}/man/" -DYUBIHSM_INSTALL_PKGCONFIG_DIR="%{buildroot}/%{_prefix}/lib64/pkgconfig/" .. 31 | make 32 | 33 | #Would be nice to use %license, but that macro does not seem to work on Centos, so the license needs to be installed manually 34 | 35 | %install 36 | rm -rf %{buildroot} 37 | mkdir -p %{buildroot} 38 | cd build 39 | make install 40 | chrpath -r %{_libdir} %{buildroot}/%{_bindir}/yubihsm-shell 41 | chrpath -r %{_libdir} %{buildroot}/%{_bindir}/yubihsm-wrap 42 | chrpath -r %{_libdir} %{buildroot}/%{_bindir}/yubihsm-auth 43 | chrpath -r %{_libdir} %{buildroot}/%{_libdir}/libykhsmauth.so 44 | chrpath -r %{_libdir} %{buildroot}/%{_libdir}/pkcs11/yubihsm_pkcs11.so 45 | mkdir -p %{buildroot}/%{_prefix}/share/licenses/%{name} 46 | install -m 0644 ../LICENSE %{buildroot}/%{_prefix}/share/licenses/%{name} 47 | 48 | 49 | %files 50 | %{_prefix}/share/licenses/%{name}/LICENSE 51 | %{_bindir}/yubihsm-shell 52 | %{_bindir}/yubihsm-wrap 53 | %{_bindir}/yubihsm-auth 54 | %{_libdir}/libyubihsm.so.2 55 | %{_libdir}/libyubihsm.so.2.* 56 | %{_libdir}/libyubihsm_http.so.2 57 | %{_libdir}/libyubihsm_http.so.2.* 58 | %{_libdir}/libyubihsm_usb.so.2 59 | %{_libdir}/libyubihsm_usb.so.2.* 60 | %{_libdir}/libykhsmauth.so.2 61 | %{_libdir}/libykhsmauth.so.2.* 62 | %dir %{_libdir}/pkcs11 63 | %{_libdir}/pkcs11/yubihsm_pkcs11.so 64 | %files -n %{_yubihsm}-devel 65 | %{_libdir}/libyubihsm.so 66 | %{_libdir}/libyubihsm_http.so 67 | %{_libdir}/libyubihsm_usb.so 68 | %{_libdir}/libykhsmauth.so 69 | %{_includedir}/yubihsm.h 70 | %{_includedir}/ykhsmauth.h 71 | %dir %{_includedir}/pkcs11 72 | %{_includedir}/pkcs11/pkcs11.h 73 | %{_includedir}/pkcs11/pkcs11f.h 74 | %{_includedir}/pkcs11/pkcs11t.h 75 | %{_includedir}/pkcs11/pkcs11y.h 76 | %{_libdir}/pkgconfig/yubihsm.pc 77 | %{_libdir}/pkgconfig/ykhsmauth.pc 78 | 79 | 80 | %changelog 81 | * Wed Mar 27 2024 Aveen Ismail - 2.6.0 82 | - Releasing version 2.6.0 83 | -------------------------------------------------------------------------------- /resources/release/macos/check_hardening.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e -o pipefail -x 4 | 5 | YUBIHSM_SHELL_EXECUTABLE=$1 6 | 7 | otool -hv $YUBIHSM_SHELL_EXECUTABLE 8 | # awk only looks at the fourth (last) output line of otool 9 | # the first line is the path to the file 10 | # the second line is simply 'Mach header' 11 | # the third line contains the column names 12 | otool -hv $YUBIHSM_SHELL_EXECUTABLE | awk 'NR == 4 { 13 | split($0, stdin_split, " "); 14 | 15 | flag_pie = 0; 16 | flag_allow_stack_execution = 0; 17 | flag_no_heap_execution = 0; 18 | 19 | # first 7 tokens are unrelated to the header flags 20 | # so we start looking tokens from the 8th position 21 | for (i = 8; i <= length(stdin_split); i++) { 22 | flag = stdin_split[i] 23 | if (flag == "PIE") { 24 | flag_pie = 1; 25 | } 26 | if (flag == "ALLOW_STACK_EXECUTION") { 27 | flag_allow_stack_execution = 1; 28 | } 29 | if (flag == "NO_HEAP_EXECUTION") { 30 | flag_no_heap_execution = 1; 31 | } 32 | } 33 | 34 | fail = 0; 35 | if (flag_pie == 0) { 36 | print "BINARY DOES NOT HAVE THE PIE FLAG"; 37 | fail = 1; 38 | } 39 | if (flag_allow_stack_execution == 1) { 40 | print "BINARY ALLOWS EXECUTION FROM THE STACK"; 41 | fail = 1; 42 | } 43 | if (flag_no_heap_execution == 0) { 44 | print "BINARY ALLOWS EXECUTION FROM THE HEAP"; 45 | # currently we do not treat this as an error 46 | } 47 | if (fail == 1) { 48 | exit 1; 49 | } 50 | }' 51 | if [ $? = 1 ]; then 52 | exit 1 53 | fi 54 | 55 | check_import() { 56 | nm -u $YUBIHSM_SHELL_EXECUTABLE | grep $1 >/dev/null 57 | # return code of grep is 0 when it finds something 58 | if [ $? == 0 ]; then 59 | echo 1 60 | else 61 | echo 0 62 | fi 63 | } 64 | chk_fail=$(check_import '___stack_chk_fail') 65 | chk_guard=$(check_import '___stack_chk_guard') 66 | if [ $chk_fail = 0 ] | [ $chk_guard = 0 ]; then 67 | echo "BINARY DOES NOT HAVE STACK CANARIES" 68 | exit 1 69 | fi 70 | -------------------------------------------------------------------------------- /resources/release/macos/distribution.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | yubihsm2-sdk 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | yubihsm2-sdk.pkg 18 | -------------------------------------------------------------------------------- /resources/release/macos/license.adoc: -------------------------------------------------------------------------------- 1 | By clicking Continue you agree to the Yubico Toolset Software License Agreement located at 2 | https://www.yubico.com/support/terms-conditions/yubico-toolset-software-license-agreement/ -------------------------------------------------------------------------------- /resources/release/macos/make_installer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script to produce an OS X installer .pkg 3 | # This script has to be run from the source directory 4 | set -x 5 | 6 | ARCH=$1 7 | SRC_PATH=$2 8 | 9 | MAC_DIR=$PWD 10 | PKG_DIR=$MAC_DIR/pkg 11 | PKG_COMP=$PKG_DIR/comp 12 | PKG_RESOURCES=$PKG_DIR/resources/English.lproj 13 | mkdir -p $PKG_COMP $PKG_RESOURCES 14 | 15 | asciidoctor -o $PKG_RESOURCES/license.html $MAC_DIR/license.adoc 16 | 17 | pkgbuild --root="$SRC_PATH" --identifier "com.yubico.yubihsm2-sdk" "$PKG_COMP/yubihsm2-sdk.pkg" 18 | productbuild --package-path "$PKG_COMP" --distribution "$MAC_DIR/distribution.xml" --resources $PKG_RESOURCES "$MAC_DIR/yubihsm2-sdk-darwin-$ARCH.pkg" 19 | 20 | #clean up 21 | rm -rf $PKG_DIR 22 | -------------------------------------------------------------------------------- /resources/release/macos/make_release_binaries.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e -o pipefail 3 | set -x 4 | 5 | ARCH=$1 # amd or arm 6 | VERSION=$2 # Full yubico-piv-tool version, tex 2.1.0 7 | SO_VERSION=$3 8 | 9 | if [ "$ARCH" == "amd" ]; then 10 | BREW_LIB="/usr/local/opt" 11 | #BREW_CELLAR="/usr/local/Cellar" 12 | elif [ "$ARCH" == "arm" ]; then 13 | BREW_LIB="/opt/homebrew/opt" 14 | #BREW_CELLAR="/opt/homebrew/Cellar" 15 | else 16 | echo "Unknown architecture" 17 | exit 18 | fi 19 | 20 | echo "BREW_LIB: $BREW_LIB" 21 | ls $BREW_LIB 22 | 23 | export PKG_CONFIG_PATH=$BREW_LIB/openssl/lib/pkgconfig 24 | 25 | SOURCE_DIR=$PWD 26 | MAC_DIR=$SOURCE_DIR/resources/release/macos 27 | OUTPUT=$MAC_DIR/yubihsm-shell-darwin-$ARCH-$VERSION/usr/local 28 | LICENSE_DIR=$OUTPUT/licenses 29 | 30 | cd $SOURCE_DIR 31 | mkdir build; cd build 32 | cmake -DRELEASE_BUILD=1 -DWITHOUT_YKYH=1 -DWITHOUT_MANPAGES=1 -DCMAKE_INSTALL_PREFIX="$OUTPUT/" .. 33 | make install 34 | cd $OUTPUT/lib 35 | ln -s "libcrypto.3.dylib" "libcrypto.dylib" 36 | cp "$BREW_LIB/openssl/lib/libcrypto.3.dylib" "$OUTPUT/lib" 37 | chmod +w "$OUTPUT/lib/libcrypto.3.dylib" 38 | cp -r $BREW_LIB/openssl/include/openssl "$OUTPUT/include" 39 | 40 | install_name_tool -id "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/lib/libcrypto.3.dylib" 41 | 42 | install_name_tool -change "$BREW_LIB/openssl@3/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/lib/libyubihsm.dylib" 43 | install_name_tool -change "$BREW_LIB/openssl@3/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/lib/libyubihsm.$VERSION.dylib" 44 | install_name_tool -change "$BREW_LIB/openssl/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/lib/libyubihsm.$SO_VERSION.dylib" 45 | 46 | install_name_tool -change "$BREW_LIB/libusb/lib/libusb-1.0.0.dylib" "@loader_path/../lib/libusb-1.0.0.dylib" "$OUTPUT/lib/libyubihsm_usb.dylib" 47 | install_name_tool -change "$BREW_LIB/libusb/lib/libusb-1.0.0.dylib" "@loader_path/../lib/libusb-1.0.0.dylib" "$OUTPUT/lib/libyubihsm_usb.$VERSION.dylib" 48 | install_name_tool -change "$BREW_LIB/libusb/lib/libusb-1.0.0.dylib" "@loader_path/../lib/libusb-1.0.0.dylib" "$OUTPUT/lib/libyubihsm_usb.$SO_VERSION.dylib" 49 | 50 | install_name_tool -change "$BREW_LIB/openssl/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/lib/pkcs11/yubihsm_pkcs11.dylib" 51 | 52 | install_name_tool -change "$BREW_LIB/openssl/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/bin/yubihsm-shell" 53 | install_name_tool -change "$BREW_LIB/openssl/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/bin/yubihsm-wrap" 54 | install_name_tool -change "$BREW_LIB/openssl/lib/libcrypto.3.dylib" "@loader_path/../lib/libcrypto.3.dylib" "$OUTPUT/bin/yubihsm-auth" 55 | 56 | for file in `find $OUTPUT/lib $OUTPUT/bin -type f`; do 57 | if otool -L $file | grep -q '$OUTPUT'; then 58 | echo "ERROR: $file is incorrectly linked, paths contain $OUTPUT" 59 | exit 1 60 | fi 61 | done -------------------------------------------------------------------------------- /resources/release/win/license.rtf: -------------------------------------------------------------------------------- 1 | {\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}} 2 | {\colortbl ;\red0\green0\blue255;} 3 | {\*\generator Riched20 10.0.18362}\viewkind4\uc1 4 | \pard\sa200\sl276\slmult1\f0\fs22\lang9 By clicking Next you agree to the Yubico Toolset Software License Agreement located at {{\field{\*\fldinst{HYPERLINK https://www.yubico.com/support/terms-conditions/yubico-toolset-software-license-agreement/ }}{\fldrslt{https://www.yubico.com/support/terms-conditions/yubico-toolset-software-license-agreement/\ul0\cf0}}}}\f0\fs22\par 5 | \par 6 | \par 7 | \par 8 | } 9 | -------------------------------------------------------------------------------- /resources/release/win/make_release_binaries.ps1: -------------------------------------------------------------------------------- 1 | if($args.length -lt 2) 2 | { 3 | echo "Usage: ./make_release_binaries.ps1 " 4 | echo "" 5 | echo "This is a script to build an MSI installer for yubihsm" 6 | echo "" 7 | echo " Win32 builds using X86 architecture by adding '-A Win32' argument to the cmake command" 8 | echo " x64 builds using X64 architecture by adding '-A x64' argument to the cmake command" 9 | echo "" 10 | echo " VCPKG_PATH Absolute path to the directory where vcpkg.exe is located" 11 | exit 12 | } 13 | 14 | $CMAKE_ARCH=$args[0] 15 | $VCPKG_PATH=$args[1] 16 | 17 | if($CMAKE_ARCH -eq "Win32") { 18 | $ARCH="x86" 19 | } else { 20 | $ARCH="x64" 21 | } 22 | 23 | $WIN_DIR = "$PSScriptRoot" 24 | $SOURCE_DIR="$PSScriptRoot/../../.." 25 | $BUILD_DIR="$WIN_DIR/build_release" 26 | $RELEASE_DIR="$WIN_DIR/yubihsm-shell-$ARCH" 27 | $LICENSES_DIR="$RELEASE_DIR/licenses" 28 | 29 | Set-PSDebug -Trace 1 30 | 31 | # Install prerequisites 32 | cd $VCPKG_PATH 33 | .\vcpkg.exe update 34 | .\vcpkg.exe install openssl:$ARCH-windows 35 | .\vcpkg.exe install getopt:$ARCH-windows 36 | .\vcpkg.exe install zlib:$env:ARCH-windows 37 | 38 | $env:OPENSSL_ROOT_DIR ="$VCPKG_PATH/packages/openssl_$ARCH-windows" 39 | 40 | # Build binaries 41 | mkdir $BUILD_DIR; cd $BUILD_DIR 42 | cmake -S $SOURCE_DIR -A "$CMAKE_ARCH" -DCMAKE_INSTALL_PREFIX="$RELEASE_DIR" ` 43 | -DGETOPT_LIB_DIR="$VCPKG_PATH\packages\getopt-win32_$ARCH-windows\lib" ` 44 | -DGETOPT_INCLUDE_DIR="$VCPKG_PATH\packages\getopt-win32_$ARCH-windows\include" ` 45 | -DZLIB_LIB_DIR="$VCPKG_PATH/packages/zlib_$ARCH-windows/lib" ` 46 | -DZLIB_INCLUDE_DIR="$VCPKG_PATH/packages/zlib_$ARCH-windows/include" 47 | 48 | cmake --build . --config Release --target install 49 | 50 | # Copy openssl and getopt libraries 51 | cd $RELEASE_DIR/bin 52 | if($ARCH -eq "x86") 53 | { 54 | cp $VCPKG_PATH/packages/openssl_x86-windows/bin/libcrypto-3.dll . 55 | cp $VCPKG_PATH/packages/getopt-win32_x86-windows/bin/getopt.dll . 56 | } 57 | else 58 | { 59 | cp $VCPKG_PATH/packages/openssl_x64-windows/bin/libcrypto-3-x64.dll . 60 | cp $VCPKG_PATH/packages/getopt-win32_x64-windows/bin/getopt.dll . 61 | } 62 | cp $VCPKG_PATH/packages/zlib_$ARCH-windows/bin/zlib1.dll . 63 | 64 | # Create missing directories 65 | Remove-Item -Path $LICENSES_DIR -Force -Recurse -ErrorAction SilentlyContinue 66 | mkdir -p $LICENSES_DIR 67 | 68 | # Copy licenses 69 | $license=(Get-ChildItem -Path $SOURCE_DIR -Filter LICENSE -Recurse -ErrorAction SilentlyContinue -Force | %{$_.FullName}) 70 | cp $license $LICENSES_DIR/yubihsm-shell.txt 71 | 72 | $license=(Get-ChildItem -Path $VCPKG_PATH\buildtrees\openssl\src\ -Filter LICENSE -Recurse -ErrorAction SilentlyContinue -Force | %{$_.FullName}) 73 | cp $license $LICENSES_DIR\openssl.txt 74 | 75 | $license=(Get-ChildItem -Path $VCPKG_PATH\buildtrees\getopt-win32\src\ -Filter LICENSE -Recurse -ErrorAction SilentlyContinue -Force | %{$_.FullName}) 76 | cp $license $LICENSES_DIR\getopt.txt 77 | 78 | $license=(Get-ChildItem -Path $VCPKG_PATH\buildtrees\zlib\src\ -Filter LICENSE -Recurse -ErrorAction SilentlyContinue -Force | %{$_.FullName}) 79 | cp $license $LICENSES_DIR\zlib.txt 80 | 81 | # Copy header files 82 | cp -r $VCPKG_PATH\packages\openssl_$ARCH-windows\include\openssl $RELEASE_DIR/include/ 83 | cp -r $VCPKG_PATH\packages\zlib_$ARCH-windows\include\zlib.h $RELEASE_DIR/include/ 84 | 85 | 86 | #cd $WIN_DIR 87 | #Compress-Archive -LiteralPath "$WIN_DIR/yubihsm-shell-$ARCH" -DestinationPath "$WIN_DIR/yubihsm-shell-$ARCH.zip" 88 | rm -r $BUILD_DIR 89 | 90 | Set-PSDebug -Trace 0 91 | -------------------------------------------------------------------------------- /resources/release/win/repack_installer.ps1: -------------------------------------------------------------------------------- 1 | if($args.length -lt 3) 2 | { 3 | echo "Usage: ./repack_installer.ps1 []" 4 | echo "" 5 | echo "This is a script to build an MSI installer for yubihsm" 6 | echo "" 7 | echo " x86 builds the installer for X86 architecture" 8 | echo " x64 builds the installer for X64 architecture" 9 | echo "" 10 | echo " WIX_PATH Absolute path to the directory where WIX Tools binaries (heat.exe, candle.exe and light.exe) are located" 11 | echo " MERGE_MODULE_PATH Absolute path to the redistribution module (tex Microsoft_VC142_CRT_x86.msm or Microsoft_VC142_CRT_x64.msm)" 12 | echo " SIGNED_BINARIES_PATH (Optional) Absolute path to signed binaries. If not spacified, YUBIHSM-SHELL/resources/release/win/yubihsm-shell-[x86|x64] is assumed" 13 | exit 14 | } 15 | 16 | $ARCH=$args[0] 17 | $WIX_PATH=$args[1] # Absolute path to the WixTools binaries 18 | $MERGE_MODULE=$args[2] # Absolute path containing Microsoft_VC142_CRT_x86.msm or Microsoft_VC142_CRT_x64.msm 19 | 20 | $WIN_DIR = "$PSScriptRoot" 21 | $SOURCE_DIR="$PSScriptRoot/../../.." 22 | 23 | if($args.length -eq 4) 24 | { 25 | $RELEASE_DIR=$args[3] 26 | } 27 | else 28 | { 29 | $RELEASE_DIR="$WIN_DIR/yubihsm-shell-$ARCH" 30 | } 31 | 32 | Set-PSDebug -Trace 1 33 | 34 | # Build MSI 35 | cd $WIN_DIR 36 | $env:PATH += ";$WIX_PATH" 37 | $env:SRCDIR = $RELEASE_DIR 38 | $env:MERGEDPATH = $MERGE_MODULE 39 | 40 | heat.exe dir $RELEASE_DIR -out fragment.wxs -gg -scom -srd -sfrag -sreg -dr INSTALLDIR -cg ApplicationFiles -var env.SRCDIR 41 | candle.exe fragment.wxs "yubihsm-shell_$ARCH.wxs" -ext WixUtilExtension -arch $ARCH 42 | light.exe fragment.wixobj "yubihsm-shell_$ARCH.wixobj" -ext WixUIExtension -ext WixUtilExtension -o "yubihsm-shell-$ARCH.msi" 43 | 44 | #cleanup 45 | rm fragment.wxs 46 | rm fragment.wixobj 47 | rm "yubihsm-shell_$ARCH.wixobj" 48 | rm "yubihsm-shell-$ARCH.wixpdb" 49 | 50 | Set-PSDebug -Trace 0 51 | -------------------------------------------------------------------------------- /resources/release/win/sign_installer.bat: -------------------------------------------------------------------------------- 1 | SETLOCAL 2 | 3 | set CERTHASH="107533FA07911D8BB375459B804DABA89CC61E77" 4 | set SIGNCMD=signtool sign /ph /fd "SHA256" /sha1 %CERTHASH% /t "http://timestamp.digicert.com" 5 | 6 | %SIGNCMD% /d "YubiHSM Shell Installer (x64)" yubihsm-shell-x64.msi 7 | %SIGNCMD% /d "YubiHSM Shell Installer (x86)" yubihsm-shell-x86.msi -------------------------------------------------------------------------------- /resources/release/win/sign_release.bat: -------------------------------------------------------------------------------- 1 | SETLOCAL 2 | 3 | set CERTHASH="107533FA07911D8BB375459B804DABA89CC61E77" 4 | set CERTHASHSTD="DD86A2E1383B0E4E1C823B606DDBBCC26E1FF82D" 5 | 6 | set SIGNCMD=signtool sign /ph /fd "SHA256" /sha1 %CERTHASH% /t "http://timestamp.digicert.com" 7 | set SIGNCMDSTD=signtool sign /ph /fd "SHA256" /sha1 %CERTHASHSTD% /t "http://timestamp.digicert.com" 8 | 9 | rem Sign x64 components 10 | %SIGNCMD% yubihsm-shell-x64\bin\libyubihsm.dll 11 | %SIGNCMD% yubihsm-shell-x64\bin\libyubihsm_http.dll 12 | %SIGNCMD% yubihsm-shell-x64\bin\libyubihsm_usb.dll 13 | %SIGNCMD% yubihsm-shell-x64\bin\pkcs11\yubihsm_pkcs11.dll 14 | %SIGNCMD% yubihsm-shell-x64\bin\ykhsmauth.dll 15 | %SIGNCMD% /d "YubiHSM Authenication" yubihsm-shell-x64\bin\yubihsm-auth.exe 16 | %SIGNCMD% /d "YubiHSM Shell" yubihsm-shell-x64\bin\yubihsm-shell.exe 17 | %SIGNCMD% /d "YubiHSM Wrap" yubihsm-shell-x64\bin\yubihsm-wrap.exe 18 | 19 | rem Sign x86 components 20 | %SIGNCMD% yubihsm-shell-x86\bin\libyubihsm.dll 21 | %SIGNCMD% yubihsm-shell-x86\bin\libyubihsm_http.dll 22 | %SIGNCMD% yubihsm-shell-x86\bin\libyubihsm_usb.dll 23 | %SIGNCMD% yubihsm-shell-x86\bin\pkcs11\yubihsm_pkcs11.dll 24 | %SIGNCMD% yubihsm-shell-x86\bin\ykhsmauth.dll 25 | %SIGNCMD% /d "YubiHSM Authenication" yubihsm-shell-x86\bin\yubihsm-auth.exe 26 | %SIGNCMD% /d "YubiHSM Shell" yubihsm-shell-x86\bin\yubihsm-shell.exe 27 | %SIGNCMD% /d "YubiHSM Wrap" yubihsm-shell-x86\bin\yubihsm-wrap.exe 28 | 29 | rem Sign "standard open source" components (not from Yubico Source) 30 | %SIGNCMDSTD% yubihsm-shell-x64\bin\getopt.dll 31 | %SIGNCMDSTD% yubihsm-shell-x64\bin\libcrypto-3-x64.dll 32 | %SIGNCMDSTD% yubihsm-shell-x86\bin\getopt.dll 33 | %SIGNCMDSTD% yubihsm-shell-x86\bin\libcrypto-3.dll 34 | -------------------------------------------------------------------------------- /resources/release/win/yubihsm-shell_x64.wxs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 1 35 | 1 40 | 2 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /resources/release/win/yubihsm-shell_x86.wxs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 1 35 | 1 40 | 2 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | -------------------------------------------------------------------------------- /resources/tests/bash/test_edkey.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -u 3 | 4 | if [ "$#" -ne 1 ]; then 5 | BIN="yubihsm-shell" 6 | else 7 | BIN=$1 # path to the yubico-piv-tool command line tool 8 | fi 9 | 10 | if [ -e yubihsm-shell_test_dir ]; then 11 | rm -rf yubihsm-shell_test_dir 12 | fi 13 | mkdir yubihsm-shell_test_dir; cd yubihsm-shell_test_dir 14 | echo test signing data > data.txt 15 | 16 | test () { 17 | set +e 18 | $1 > output.txt 2>&1 19 | ret=$? 20 | if [ $ret -ne 0 ]; then 21 | echo $1 22 | cat output.txt 23 | rm output.txt 24 | exit 1 25 | else 26 | echo "$2 ... OK!" 27 | rm output.txt 28 | fi 29 | set -e 30 | } 31 | 32 | set -e 33 | 34 | echo "====================== ED keys ===================== " 35 | # Generate 36 | echo "Generate key:" 37 | test "$BIN -p password -a generate-asymmetric-key -i 100 -l \"edKey\" -d 1,2,3 -c sign-eddsa -A ed25519" " Generate key" 38 | test "$BIN -p password -a get-object-info -i 100 -t asymmetric-key" " get-object-info" 39 | info=$($BIN -p password -a get-object-info -i 100 -t asymmetric-key 2>&1) 40 | test "echo $info | grep \"id: 0x0064\"" " Object info contains correct ID" 41 | test "echo $info | grep \"type: asymmetric-key\"" " Object info contains correct type" 42 | test "echo $info | grep \"algorithm: ed25519\"" " Object info contains correct algorithm" 43 | test "echo $info | grep 'label: \"edKey\"'" " Object info contains correct label" 44 | test "echo $info | grep \"domains: 1:2:3\"" " Object info contains correct domains" 45 | test "echo $info | grep \"origin: generated\"" " Object info contains correct origin" 46 | test "echo $info | grep \"capabilities: sign-eddsa\"" " Object info contains correct capabilities" 47 | 48 | # Import 49 | #ssh-keygen -t ed25519 -C "test@yubihsm.se" -f edkey -N foo123 50 | #$BIN --verbose=5 -p password -a put-asymmetric-key -i 200 -l "edKey_imported" -d "5" -c "sign-eddsa" --in=edkey 51 | 52 | # Get public key 53 | echo "Get public key:" 54 | test "$BIN -p password -a get-public-key -i 100" " Get public key to stdout" 55 | $BIN -p password -a get-public-key -i 100 > edkey1.pub 2>/dev/null 56 | test "$BIN -p password -a get-public-key -i 100 --out edkey2.pub" " Get public key to file" 57 | test "cmp edkey1.pub edkey2.pub" " Match public key in stdout and file" 58 | 59 | # Signing 60 | echo "Signing:" 61 | test "$BIN -p password -a sign-eddsa -i 100 -A ed25519 --in data.txt" " Sign to stdout" 62 | $BIN -p password -a sign-eddsa -i 100 -A ed25519 --in data.txt > data.ed1.sig 2>/dev/null 63 | test "$BIN -p password -a sign-eddsa -i 100 -A ed25519 --in data.txt --out data.ed2.sig" " Sign to file" 64 | if [[ $(cat data.ed1.sig) != $(cat data.ed2.sig) ]]; then 65 | echo "Signature in stdout and file are different" 66 | exit 2 67 | fi 68 | echo " Matching signature in stdout and file ... OK" 69 | 70 | # Delete 71 | echo "Clean up:" 72 | test "$BIN -p password -a delete-object -i 100 -t asymmetric-key" " Delete key" 73 | 74 | cd .. 75 | rm -rf yubihsm-shell_test_dir 76 | 77 | set +e 78 | -------------------------------------------------------------------------------- /resources/tests/bash/test_otpaeadkey.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -u 3 | 4 | if [ "$#" -ne 1 ]; then 5 | BIN="yubihsm-shell" 6 | else 7 | BIN=$1 # path to the yubico-piv-tool command line tool 8 | fi 9 | 10 | if [ -e yubihsm-shell_test_dir ]; then 11 | rm -rf yubihsm-shell_test_dir 12 | fi 13 | mkdir yubihsm-shell_test_dir; cd yubihsm-shell_test_dir 14 | echo test signing data > data.txt 15 | 16 | test () { 17 | set +e 18 | $1 > output.txt 2>&1 19 | ret=$? 20 | if [ $ret -ne 0 ]; then 21 | echo $1 22 | cat output.txt 23 | rm output.txt 24 | exit 1 25 | else 26 | echo "$2 ... OK!" 27 | rm output.txt 28 | fi 29 | set -e 30 | } 31 | 32 | test_with_resp () { 33 | set +e 34 | $1 > resp.txt 2>&1 35 | ret=$? 36 | if [ $ret -ne 0 ]; then 37 | echo $1 38 | cat resp.txt 39 | rm resp.txt 40 | exit 1 41 | else 42 | echo "$2 ... OK!" 43 | fi 44 | set -e 45 | } 46 | 47 | set -e 48 | 49 | 50 | echo "====================== AEAD keys ===================== " 51 | echo "------------- AEAD Key 128" 52 | test_with_resp "$BIN -p password -a generate-otp-aead-key -i 0 -l aeadkey -d 1,2,3 -c randomize-otp-aead -A aes128-yubico-otp --nonce 0x01020304" " Generate key" 53 | keyid=$(tail -1 resp.txt | awk '{print $5}') 54 | test "$BIN -p password -a get-object-info -i $keyid -t otp-aead-key" " Get object info" 55 | info=$($BIN -p password -a get-object-info -i $keyid -t otp-aead-key 2> /dev/null) 56 | test "echo $info | grep \"id: $keyid\"" " Object info contains correct ID" 57 | test "echo $info | grep \"type: otp-aead-key\"" " Object info contains correct type" 58 | test "echo $info | grep \"algorithm: aes128-yubico-otp\"" " Object info contains correct algorithm" 59 | test "echo $info | grep 'label: \"aeadkey\"'" " Object info contains correct label" 60 | test "echo $info | grep \"domains: 1:2:3\"" " Object info contains correct domains" 61 | test "echo $info | grep \"origin: generated\"" " Object info contains correct origin" 62 | test "echo $info | grep \"capabilities: randomize-otp-aead\"" " Object info contains correct capabilities" 63 | test "$BIN -p password -a randomize-otp-aead -i $keyid" " Randomize OTP AEAD" 64 | test "$BIN -p password -a delete-object -i $keyid -t otp-aead-key" " Delete key" 65 | 66 | echo "------------- AEAD Key 128" 67 | test_with_resp "$BIN -p password -a generate-otp-aead-key -i 0 -l aeadkey -d 1,2,3 -c randomize-otp-aead -A aes192-yubico-otp --nonce 0x01020304" " Generate key" 68 | keyid=$(tail -1 resp.txt | awk '{print $5}') 69 | test "$BIN -p password -a get-object-info -i $keyid -t otp-aead-key" " Get object info" 70 | info=$($BIN -p password -a get-object-info -i $keyid -t otp-aead-key 2> /dev/null) 71 | test "echo $info | grep \"algorithm: aes192-yubico-otp\"" " Object info contains correct algorithm" 72 | test "$BIN -p password -a randomize-otp-aead -i $keyid" " Randomize OTP AEAD" 73 | test "$BIN -p password -a delete-object -i $keyid -t otp-aead-key" " Delete key" 74 | 75 | echo "------------- AEAD Key 256" 76 | test_with_resp "$BIN -p password -a generate-otp-aead-key -i 0 -l aeadkey -d 1,2,3 -c randomize-otp-aead -A aes256-yubico-otp --nonce 0x01020304" " Generate key" 77 | keyid=$(tail -1 resp.txt | awk '{print $5}') 78 | test "$BIN -p password -a get-object-info -i $keyid -t otp-aead-key" " Get object info" 79 | info=$($BIN -p password -a get-object-info -i $keyid -t otp-aead-key 2> /dev/null) 80 | test "echo $info | grep \"algorithm: aes256-yubico-otp\"" " Object info contains correct algorithm" 81 | test "$BIN -p password -a randomize-otp-aead -i $keyid" " Randomize OTP AEAD" 82 | test "$BIN -p password -a delete-object -i $keyid -t otp-aead-key" " Delete key" 83 | 84 | cd .. 85 | rm -rf yubihsm-shell_test_dir 86 | 87 | set +e 88 | -------------------------------------------------------------------------------- /resources/tests/bash/test_x509template.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIICpzCCAY+gAwIBAgIRALnaMgizd13cmPh34E4HNz0wDQYJKoZIhvcNAQELBQAw 3 | KjEoMCYGA1UEAwwfWXViaUhTTTIgQXR0ZXN0YXRpb24gKDEzMjAwNTAxKTAgFw0x 4 | NzAxMDEwMDAwMDBaGA8yMDcxMTAwNTAwMDAwMFowKDEmMCQGA1UEAwwdWXViaUhT 5 | TSBBdHRlc3RhdGlvbiBpZDoweDU2MGQwTjAQBgcqhkjOPQIBBgUrgQQAIQM6AATn 6 | 8QLCgsBZlpkoqdMOTbWS/tOiXfI1aOMrUQC+w6rWw8WwEbJ7LjqoPwdWg0DKrXeA 7 | 7sAEMUKX4aOBnTCBmjATBgorBgEEAYLECgQBBAUEAwIBAzAUBgorBgEEAYLECgQC 8 | BAYCBADJbHUwEgYKKwYBBAGCxAoEAwQEAwIAATATBgorBgEEAYLECgQEBAUDAwAQ 9 | kDAZBgorBgEEAYLECgQFBAsDCQAAAAAEAAAIgDASBgorBgEEAYLECgQGBAQCAlYN 10 | MBUGCisGAQQBgsQKBAkEBwwFZWNLZXkwDQYJKoZIhvcNAQELBQADggEBAEV/0jl7 11 | ulAmLLiYGV8ELoavjtJ3wmMLyJpSURC8WPO8MucAopIsh0URXKpjLjHQHqscdAbP 12 | DyT+/l1VfFS7Fvsz/OXeMP1dYzpoYzw4iyHFkvf5G8k0hxY+BEqBa89MXKGrcDo0 13 | iu0lSusaEJF2zq3PH3hnPIXm9SJDfWcZ7iueA0xGu6miUz3rHklnbPUqaM/omGyV 14 | MgAtLOolX7rnW7E3MEkAOII1kbwv8C/NlseKXyECRvAn2reAMH11c/t2BvGMbD81 15 | OGTPZ2OvfNJcPnzy1olxE0Ajew5CrOB2XrOaqhVrNPA4aqpCT3ukMv60m6TXsHnU 16 | RdEhPSf0SomH7MQ= 17 | -----END CERTIFICATE----- 18 | -------------------------------------------------------------------------------- /resources/tests/ps1/opensc_test.ps1: -------------------------------------------------------------------------------- 1 | # This script runs on Powershell. If running tests on the current Powershell terminal is not permitted, run the 2 | # following command to allow it only on the current terminal: 3 | # >> Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process 4 | 5 | if($args.length -eq 0) { 6 | echo "Usage: ./opensc_tests.ps1 " 7 | echo "" 8 | echo "This script expects that libyubihsm.dll and the libcrypto.dll are on PATH and YUBIHSM_PKCS11_CONF environment variable is defined" 9 | exit 10 | } 11 | 12 | if ((Get-Command "pkcs11-tool.exe" -ErrorAction SilentlyContinue) -eq $null) 13 | { 14 | $env:Path +=";C:\Program Files\OpenSC Project\OpenSC\tools" 15 | } 16 | 17 | $MODULE=$args[0] 18 | #$YHPKCS11CFG=$args[2] 19 | 20 | #$env:YUBIHSM_PKCS11_CONF=$YHPKCS11CFG 21 | 22 | Set-PSDebug -Trace 1 23 | 24 | echo "******************* Generation Tests ********************* " 25 | pkcs11-tool.exe --module $MODULE --login --pin 0001password --keypairgen --id 100 --key-type EC:secp384r1 26 | pkcs11-tool.exe --module $MODULE --login --pin 0001password --keypairgen --id 2 --key-type EC:prime256v1 27 | pkcs11-tool.exe --module $MODULE --login --pin 0001password --keypairgen --id 4 --key-type rsa:2048 28 | pkcs11-tool.exe --module $MODULE --login --pin 0001password --keypairgen --id 5 --key-type rsa:3072 29 | #Set-PSDebug -Trace 0 30 | #exit 31 | echo "******************* Signing Tests ********************* " 32 | echo "this is test data" > Z:/data.txt 33 | pkcs11-tool.exe --module $MODULE --sign --pin 0001password --id 100 -m ECDSA-SHA1 --signature-format openssl -i Z:/data.txt -o Z:/data.sig 34 | pkcs11-tool.exe --module $MODULE --sign --pin 0001password --id 2 -m ECDSA-SHA1 --signature-format openssl -i Z:/data.txt -o Z:/data.sig 35 | pkcs11-tool.exe --module $MODULE --sign --pin 0001password --id 4 -m SHA512-RSA-PKCS -i Z:/data.txt -o Z:/data.sig 36 | pkcs11-tool.exe --module $MODULE --sign --pin 0001password --id 5 -m SHA512-RSA-PKCS -i Z:/data.txt -o Z:/data.sig 37 | rm Z:/data.txt 38 | rm Z:/data.sig 39 | 40 | echo "******************* Testing RSA Tests ********************* " 41 | pkcs11-tool.exe --module $MODULE --login --pin 0001password --test 42 | 43 | #echo "******************* Testing EC Tests ********************* " 44 | #pkcs11-tool.exe --module $MODULE --login --login-type so --so-pin 0001password --test-ec --id 200 --key-type EC:secp256r1 45 | 46 | Set-PSDebug -Trace 0 -------------------------------------------------------------------------------- /resources/tests/ps1/test_edkey.ps1: -------------------------------------------------------------------------------- 1 | $ARCH=$args[0] 2 | if($ARCH -eq "x86") 3 | { 4 | if ((Get-Command "yubihsm-shell.exe" -ErrorAction SilentlyContinue) -eq $null) 5 | { 6 | $env:Path += ";C:/Program Files (x86)/Yubico/YubiHSM Shell/bin" 7 | } 8 | } 9 | elseif ($ARCH -eq "x64") 10 | { 11 | if ((Get-Command "yubihsm-shell.exe" -ErrorAction SilentlyContinue) -eq $null) 12 | { 13 | $env:Path += ";C:/Program Files/Yubico/YubiHSM Shell/bin" 14 | } 15 | } 16 | else { 17 | echo "Usage: ./cmdline_test.ps1 " 18 | echo "" 19 | echo "This is a test script that uses the yubihsm-shell command line tool to reset the conncted YubiHSM and then 20 | different commands." 21 | echo "" 22 | echo " x86 expects that yubihsm-shell.exe is installed in 'C:/Program Files (x86)/Yubico/Yubico PIV Tool/bin'" 23 | echo " x64 expects that yubhsm-shell.exe is installed in 'C:/Program Files/Yubico/Yubico PIV Tool/bin'" 24 | exit 25 | } 26 | 27 | echo "Running commands on $ARCH architecture" 28 | 29 | $TEST_DIR = "yubihsm-shell_test_dir" 30 | Remove-Item -Path "$TEST_DIR" -Recurse -ErrorAction SilentlyContinue 31 | New-Item $TEST_DIR -type Directory -Force 32 | cd $TEST_DIR 33 | echo "test signing data" > data.txt 34 | Set-PSDebug -Trace 1 35 | $ErrorActionPreference = "Stop" 36 | 37 | function CheckExitStatus { 38 | param ( 39 | $ECode 40 | ) 41 | if(!$ECode) { 42 | echo "Fail!" 43 | exit 44 | } 45 | } 46 | 47 | echo "---------------------- ED keys --------------------- " 48 | # Generate 49 | yubihsm-shell.exe -p password -a generate-asymmetric-key -i 100 -l "edKey" -d "1,2,3" -c "sign-eddsa" -A "ed25519"; CheckExitStatus -ECode $? 50 | yubihsm-shell.exe -p password -a get-object-info -i 100 -t asymmetric-key; CheckExitStatus -ECode $? 51 | 52 | 53 | # Get public key 54 | yubihsm-shell.exe -p password -a get-public-key -i 100 > edkey1.pub; CheckExitStatus -ECode $? 55 | yubihsm-shell.exe -p password -a get-public-key -i 100 --out edkey2.pub; CheckExitStatus -ECode $? 56 | 57 | # Signing 58 | yubihsm-shell.exe -p password -a sign-eddsa -i 100 -A ed25519 --in data.txt > data.ed1.sig; CheckExitStatus -ECode $? 59 | yubihsm-shell.exe -p password -a sign-eddsa -i 100 -A ed25519 --in data.txt --out data.ed2.sig; CheckExitStatus -ECode $? 60 | 61 | # Delete 62 | yubihsm-shell.exe -p password -a delete-object -i 100 -t asymmetric-key; CheckExitStatus -ECode $? 63 | 64 | cd .. 65 | Remove-Item -Path "$TEST_DIR" -Recurse -ErrorAction SilentlyContinue 66 | 67 | Set-PSDebug -Trace 0 -------------------------------------------------------------------------------- /src/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | include(${CMAKE_SOURCE_DIR}/cmake/openssl.cmake) 18 | find_libcrypto() 19 | 20 | set ( 21 | SOURCE 22 | commands.c 23 | main.c 24 | ../common/util.c 25 | ../common/hash.c 26 | ../common/parsing.c 27 | ../common/openssl-compat.c 28 | ) 29 | 30 | if(WIN32) 31 | set(SOURCE ${SOURCE} cmdline.c) 32 | include(${CMAKE_SOURCE_DIR}/cmake/getopt.cmake) 33 | find_getopt() 34 | else(WIN32) 35 | include(gengetopt) 36 | find_gengetopt () 37 | add_gengetopt_files (cmdline "--conf-parser") 38 | set(SOURCE ${SOURCE} ${GGO_C}) 39 | endif(WIN32) 40 | 41 | include_directories ( 42 | ${LIBCRYPTO_INCLUDEDIR} 43 | ${LIBEDIT_INCLUDEDIR} 44 | ${CMAKE_CURRENT_SOURCE_DIR}/../lib 45 | ${CMAKE_CURRENT_SOURCE_DIR} 46 | ${CMAKE_CURRENT_SOURCE_DIR}/../common 47 | ) 48 | 49 | include_directories(${CMAKE_CURRENT_SOURCE_DIR}/../ykhsmauth) 50 | set(YKHSMAUTH_LIB ykhsmauth) 51 | set(YKHSMAUTH_LIB_STATIC ykhsmauth_static) 52 | 53 | if(WIN32) 54 | list(APPEND SOURCE ${CMAKE_CURRENT_BINARY_DIR}/version.rc) 55 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/version.rc.in ${CMAKE_CURRENT_BINARY_DIR}/version.rc @ONLY) 56 | endif(WIN32) 57 | 58 | # NOTE(adma): required by gengetopt 59 | add_definitions (-DPACKAGE="yubihsm-shell") 60 | add_definitions (-DVERSION="${yubihsm_shell_VERSION_MAJOR}.${yubihsm_shell_VERSION_MINOR}.${yubihsm_shell_VERSION_PATCH}") 61 | 62 | list(APPEND LCOV_REMOVE_PATTERNS "'${PROJECT_SOURCE_DIR}/src/cmdline.c'") 63 | 64 | add_executable (yubihsm-shell ${SOURCE}) 65 | if (ENABLE_STATIC AND NOT FUZZING) 66 | add_executable (yubihsm-shell_static ${SOURCE}) 67 | set_target_properties (yubihsm-shell_static PROPERTIES COMPILE_FLAGS "-DSTATIC") 68 | target_link_libraries(yubihsm-shell_static 69 | ${LIBCRYPTO_LDFLAGS} 70 | ${LIBEDIT_LDFLAGS} 71 | ${GETOPT_LIBS} 72 | yubihsm_static 73 | ${YKHSMAUTH_LIB_STATIC}) 74 | add_coverage (yubihsm-shell_static) 75 | endif () 76 | 77 | target_link_libraries ( 78 | yubihsm-shell 79 | ${LIBCRYPTO_LDFLAGS} 80 | ${LIBEDIT_LDFLAGS} 81 | ${GETOPT_LIBS} 82 | yubihsm 83 | ${YKHSMAUTH_LIB}) 84 | 85 | # Set install RPATH 86 | set_target_properties(yubihsm-shell PROPERTIES INSTALL_RPATH "${YUBIHSM_INSTALL_LIB_DIR}") 87 | 88 | add_coverage (yubihsm-shell) 89 | 90 | install( 91 | TARGETS yubihsm-shell 92 | ARCHIVE DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 93 | LIBRARY DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 94 | RUNTIME DESTINATION "${YUBIHSM_INSTALL_BIN_DIR}") 95 | 96 | if (NOT WITHOUT_MANPAGES) 97 | include (help2man) 98 | add_help2man_manpage (yubihsm-shell.1 yubihsm-shell) 99 | 100 | add_custom_target (yubihsm-shell-man ALL 101 | DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/yubihsm-shell.1 102 | ) 103 | 104 | install(FILES "${CMAKE_CURRENT_BINARY_DIR}/yubihsm-shell.1" DESTINATION "${YUBIHSM_INSTALL_MAN_DIR}/man1") 105 | endif() 106 | 107 | add_subdirectory (tests) 108 | -------------------------------------------------------------------------------- /src/tests/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | find_program (BASH_PROGRAM bash) 18 | 19 | configure_file ( 20 | ${CMAKE_CURRENT_SOURCE_DIR}/data.txt 21 | ${CMAKE_CURRENT_BINARY_DIR}/data.txt 22 | COPYONLY) 23 | 24 | configure_file ( 25 | ${CMAKE_CURRENT_SOURCE_DIR}/sig.out 26 | ${CMAKE_CURRENT_BINARY_DIR}/sig.out 27 | COPYONLY) 28 | 29 | add_test( 30 | NAME bash_tests 31 | COMMAND ${BASH_PROGRAM} ${CMAKE_CURRENT_SOURCE_DIR}/tests.sh 32 | ) 33 | 34 | add_test( 35 | NAME wrapped_tests 36 | COMMAND ${BASH_PROGRAM} ${CMAKE_CURRENT_SOURCE_DIR}/wrapped_tests.sh 37 | ) 38 | -------------------------------------------------------------------------------- /src/tests/data.txt: -------------------------------------------------------------------------------- 1 | Hello World! 2 | -------------------------------------------------------------------------------- /src/tests/sig.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Yubico/yubihsm-shell/a85a9bd4c5f25cea1227ca60379419ca7a6a0a28/src/tests/sig.out -------------------------------------------------------------------------------- /src/tests/tests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # 4 | # Copyright 2015-2018 Yubico AB 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # See the License for the specific language governing permissions and 16 | # limitations under the License. 17 | # 18 | 19 | set -e 20 | set -x 21 | TMPDIR=$(mktemp -d) 22 | #trap 'rm -rf "$TMPDIR"' INT TERM EXIT 23 | DATA="$TMPDIR/data" 24 | SIG="$TMPDIR/sig" 25 | BIN_SIG="$TMPDIR/bin_sig" 26 | PUBLIC_KEY="$TMPDIR/public" 27 | 28 | if [ -z ${DEFAULT_CONNECTOR_URL} ]; then 29 | DEFAULT_CONNECTOR_URL="http://localhost:12345" 30 | fi 31 | PROG="../yubihsm-shell --connector=${DEFAULT_CONNECTOR_URL}" 32 | if [ "x$(uname)" = "xFreeBSD" ]; then 33 | DECODE="b64decode -pr" 34 | else 35 | DECODE="base64 --decode -i" 36 | fi 37 | 38 | echo "Hello World!" >"$DATA" 39 | OUTPUT=$($PROG -a generate-asymmetric -A ecp256 -csign-ecdsa -p password 2>&1) 40 | OBJ_ID=$(echo "$OUTPUT" | grep -o -E '0x[a-f0-9]{4}$') 41 | 42 | $PROG -a sign-ecdsa -i $OBJ_ID -A ecdsa-sha256 --in "$DATA" --out "$SIG" -p password 43 | $DECODE "$SIG" >"$BIN_SIG" 44 | $PROG -a get-public-key -i $OBJ_ID --out "$PUBLIC_KEY" -p password 45 | openssl dgst -sha256 -verify "$PUBLIC_KEY" -signature "$BIN_SIG" "$DATA" 46 | 47 | truncate -s 0 "$SIG" 48 | truncate -s 0 "$PUBLIC_KEY" 49 | #$PROG -a generate-asymmetric -i 0x1234 -A ecp256 -csign_ecdsa 50 | $PROG -a sign-ecdsa -i $OBJ_ID -A ecdsa-sha1 --in "$DATA" --out "$SIG" -p password 51 | $DECODE "$SIG" >"$BIN_SIG" 52 | $PROG -a get-public-key -i $OBJ_ID --out "$PUBLIC_KEY" -p password 53 | openssl dgst -sha1 -verify "$PUBLIC_KEY" -signature "$BIN_SIG" "$DATA" 54 | 55 | truncate -s 0 "$SIG" 56 | truncate -s 0 "$PUBLIC_KEY" 57 | OUTPUT=$($PROG -a generate-asymmetric -A ecp384 -csign-ecdsa -p password 2>&1) 58 | OBJ_ID=$(echo "$OUTPUT" | grep -o -E '0x[a-f0-9]{4}$') 59 | $PROG -a sign-ecdsa -i $OBJ_ID -A ecdsa-sha384 --in "$DATA" --out "$SIG" -p password 60 | $DECODE "$SIG" >"$BIN_SIG" 61 | $PROG -a get-public-key -i $OBJ_ID --out "$PUBLIC_KEY" -p password 62 | openssl dgst -sha384 -verify "$PUBLIC_KEY" -signature "$BIN_SIG" "$DATA" 63 | 64 | truncate -s 0 "$SIG" 65 | truncate -s 0 "$PUBLIC_KEY" 66 | OUTPUT=$($PROG -a generate-asymmetric -A ecp521 -csign-ecdsa -p password 2>&1) 67 | OBJ_ID=$(echo "$OUTPUT" | grep -o -E '0x[a-f0-9]{4}$') 68 | $PROG -a sign-ecdsa -i $OBJ_ID -A ecdsa-sha512 --in "$DATA" --out "$SIG" -p password 69 | $DECODE "$SIG" >"$BIN_SIG" 70 | $PROG -a get-public-key -i $OBJ_ID --out "$PUBLIC_KEY" -p password 71 | openssl dgst -sha512 -verify "$PUBLIC_KEY" -signature "$BIN_SIG" "$DATA" 72 | 73 | $PROG -a blink-device -p password 74 | 75 | $PROG -a get-device-info 76 | 77 | $PROG -a get-storage-info -p password 78 | 79 | $PROG -a get-option -p password --opt-name command-audit 80 | $PROG -a put-option -p password --opt-name command-audit --opt-value 0101 81 | $PROG -a get-option -p password --opt-name force-audit 82 | $PROG -a put-option -p password --opt-name force-audit --opt-value 00 83 | $PROG -a get-option -p password --opt-name algorithm-toggle 84 | # no test for putting algorithm-toggle as that requires and empty device 85 | -------------------------------------------------------------------------------- /src/version.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM Shell" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "yubihsm-shell.exe" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "yubihsm-shell.exe" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /src/yubihsm-shell.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YUBIHSM_SHELL_H 18 | #define YUBIHSM_SHELL_H 19 | 20 | #include 21 | 22 | #include 23 | #include 24 | #include 25 | 26 | #define UNUSED(x) (void) (x) 27 | 28 | typedef enum { 29 | fmt_nofmt, 30 | fmt_base64, 31 | fmt_binary, 32 | fmt_hex, 33 | fmt_PEM, 34 | fmt_password, 35 | fmt_ASCII 36 | } cmd_format; 37 | 38 | static const struct { 39 | const char *name; 40 | cmd_format format; 41 | } formats[] = { 42 | {"default", fmt_nofmt}, {"base64", fmt_base64}, {"binary", fmt_binary}, 43 | {"hex", fmt_hex}, {"PEM", fmt_PEM}, {"password", fmt_password}, 44 | {"ASCII", fmt_ASCII}, 45 | }; 46 | 47 | typedef struct { 48 | uint8_t **device_pubkey_list; 49 | char **connector_list; 50 | yh_connector *connector; 51 | yh_session *sessions[256]; 52 | ykhsmauth_state *state; 53 | FILE *out; 54 | char *cacert; 55 | char *cert; 56 | char *key; 57 | char *proxy; 58 | char *noproxy; 59 | } yubihsm_context; 60 | 61 | int actions_run(struct gengetopt_args_info *args_info); 62 | int do_put_key(uint8_t *enc_key, uint8_t *mac_key, uint16_t key_id, 63 | uint16_t domains, uint32_t capabilities, yh_session *ses); 64 | 65 | #ifdef _MSC_VER 66 | #pragma strict_gs_check(on) 67 | #endif 68 | 69 | #endif 70 | -------------------------------------------------------------------------------- /yhwrap/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | include(${CMAKE_SOURCE_DIR}/cmake/openssl.cmake) 18 | find_libcrypto() 19 | 20 | set ( 21 | SOURCE 22 | ../common/hash.c 23 | ../common/parsing.c 24 | ../common/pkcs5.c 25 | ../common/util.c 26 | ../common/openssl-compat.c 27 | main.c 28 | ) 29 | 30 | if(WIN32) 31 | set(SOURCE ${SOURCE} cmdline.c) 32 | include(${CMAKE_SOURCE_DIR}/cmake/getopt.cmake) 33 | find_getopt() 34 | else(WIN32) 35 | include(gengetopt) 36 | add_gengetopt_files (cmdline) 37 | set(SOURCE ${SOURCE} ${GGO_C}) 38 | message("${GGO_C}") 39 | endif(WIN32) 40 | 41 | include_directories ( 42 | ${LIBCRYPTO_INCLUDEDIR} 43 | ${CMAKE_CURRENT_SOURCE_DIR}/../lib 44 | ${CMAKE_CURRENT_SOURCE_DIR}/../common 45 | ) 46 | 47 | if(${WIN32}) 48 | list(APPEND SOURCE ${CMAKE_CURRENT_BINARY_DIR}/version.rc) 49 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/version.rc.in ${CMAKE_CURRENT_BINARY_DIR}/version.rc @ONLY) 50 | endif(${WIN32}) 51 | 52 | # NOTE(adma): required by gengetopt 53 | add_definitions (-DPACKAGE="yubihsm-wrap") 54 | add_definitions (-DVERSION="${yubihsm_shell_VERSION_MAJOR}.${yubihsm_shell_VERSION_MINOR}.${yubihsm_shell_VERSION_PATCH}") 55 | 56 | list(APPEND LCOV_REMOVE_PATTERNS "'${PROJECT_SOURCE_DIR}/yhwrap/cmdline.c'") 57 | 58 | if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") 59 | set_property(SOURCE ${GGO_C} APPEND_STRING PROPERTY COMPILE_FLAGS " -Wno-unused-but-set-variable ") 60 | endif() 61 | 62 | add_executable (yubihsm-wrap ${SOURCE}) 63 | 64 | target_link_libraries ( 65 | yubihsm-wrap 66 | ${LIBCRYPTO_LDFLAGS} 67 | ${GETOPT_LIBS} 68 | yubihsm 69 | ) 70 | 71 | set_target_properties(yubihsm-wrap PROPERTIES INSTALL_RPATH "${YUBIHSM_INSTALL_LIB_DIR}") 72 | 73 | add_coverage(yubihsm-wrap) 74 | 75 | install( 76 | TARGETS yubihsm-wrap 77 | ARCHIVE DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 78 | LIBRARY DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 79 | RUNTIME DESTINATION "${YUBIHSM_INSTALL_BIN_DIR}") 80 | 81 | if (NOT WITHOUT_MANPAGES) 82 | include (help2man) 83 | add_help2man_manpage (yubihsm-wrap.1 yubihsm-wrap) 84 | 85 | add_custom_target (yubihsm-wrap-man ALL 86 | DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/yubihsm-wrap.1 87 | ) 88 | install(FILES "${CMAKE_CURRENT_BINARY_DIR}/yubihsm-wrap.1" DESTINATION "${YUBIHSM_INSTALL_MAN_DIR}/man1") 89 | endif () 90 | -------------------------------------------------------------------------------- /yhwrap/README.adoc: -------------------------------------------------------------------------------- 1 | == YubiHSM Wrap 2 | 3 | YubiHSM Wrap is a command-line tool to create "offline wraps" for a 4 | YubiHSM 2 device. 5 | 6 | One of the functionalities supported by the YubiHSM is to import 7 | objects under wrap. The typical use is to generate an object on one 8 | device, export it under wrap using a Wrap Key and import it to a 9 | different device which has the same Wrap Key. 10 | 11 | At times it is also useful to be able to create those wrapped objects 12 | from a computer, so that they can be encrypted at rest and also easily 13 | sent to devices for use. 14 | 15 | === Example 16 | 17 | This example shows how to generate a private key using OpenSSL, wrap 18 | it to a pre-shared Wrap Key and import it on a device. 19 | 20 | The first thing we need is a Wrap Key that we will use to wrap the 21 | object. For this example we are going to use 22 | `00112233445566778899aabbccddeeff` 23 | 24 | We first save it to a file called `wrap.key` by running 25 | 26 | [source, bash] 27 | ---- 28 | $ echo -en '\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff' >wrap.key 29 | ---- 30 | 31 | The Wrap Key has to also exist on the YubiHSM. We can import it in the 32 | device and give it Object ID `20` by running 33 | 34 | [source, bash] 35 | ---- 36 | $ yubihsm-shell -p password -a put-wrap-key -i 20 -c all --delegated all --informat bin --in wrap.key 37 | ---- 38 | 39 | At this point we can use OpenSSL to generate the RSA key that we would 40 | like to wrap and import 41 | 42 | [source, bash] 43 | ---- 44 | $ openssl genrsa -out private.pem 45 | ---- 46 | 47 | We can now use `yubihsm-wrap` to produce the wrapped version of the 48 | private key. Specifically, we will be asking for the key to have, once 49 | imported, Object ID `30`, label `RSA_Key` and belong to Domains `1`, 50 | `2` and `5`. 51 | 52 | [source, bash] 53 | ---- 54 | $ yubihsm-wrap -a rsa2048 -c sign-pkcs -d 1,2,5 --id 30 --label RSA_Key --in private.pem --wrapkey wrap.key --out private.yhw 55 | ---- 56 | 57 | The output file `private.yhw` is the wrapped version of the key and it 58 | is ready to be imported in the device using the Wrap Key that we 59 | stored before. The command to do that is 60 | 61 | [source, bash] 62 | ---- 63 | $ yubihsm-shell -p password -a put-wrapped --wrap-id 20 --in private.yhw 64 | ---- 65 | 66 | We should now be able to retrieve information about the Asymmetric Key 67 | with Object ID `30` by running 68 | 69 | [source, bash] 70 | ---- 71 | $ yubihsm-shell -p password -a get-object-info -i 30 -t asymmetric-key 72 | Using default connector URL: http://localhost:12345 73 | Session keepalive set up to run every 15 seconds 74 | Created session 0 75 | id: 0x001e, type: asymmetric-key, algorithm: rsa2048, label: "RSA_Key", length: 896, domains: 1:2:5, sequence: 0, origin: imported:imported_wrapped, capabilities: sign-pkcs 76 | ---- 77 | -------------------------------------------------------------------------------- /yhwrap/cmdline.ggo: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | option "algorithm" a "Object algorithm" string 18 | option "capabilities" c "Object capabilities" string 19 | option "delegated" e "Object delegates capabilities" string optional 20 | option "domains" d "Object domains" string 21 | option "id" i "Object ID" short optional default="0" 22 | option "in" - "Input data (filename)" string 23 | option "out" - "Output data (filename)" string 24 | option "label" l "Object label" string 25 | option "wrapkey" k "Key to wrap data with (filename)" string 26 | -------------------------------------------------------------------------------- /yhwrap/version.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM Wrap" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "yubihsm-wrap.exe" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "yubihsm-wrap.exe" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /ykhsmauth/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | set ( 18 | SOURCE 19 | error.c 20 | ykhsmauth.c 21 | ) 22 | 23 | if(WIN32) 24 | set(SOURCE ${SOURCE} ${CMAKE_CURRENT_BINARY_DIR}/version.rc) 25 | endif(WIN32) 26 | 27 | include_directories ( 28 | ${LIBPCSC_INCLUDEDIR} 29 | ) 30 | 31 | # Uncomment this for Ubuntu 24.10 and higher and Fedora 41 and higher 32 | #SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${LIBPCSC_CFLAGS}") 33 | 34 | add_library (ykhsmauth SHARED ${SOURCE}) 35 | 36 | #add_definitions (-DVERSION="${yubihsm_shell_VERSION_MAJOR}.${yubihsm_shell_VERSION_MINOR}.${yubihsm_shell_VERSION_PATCH}") 37 | 38 | target_link_libraries (ykhsmauth ${LIBPCSC_LDFLAGS}) 39 | 40 | set_target_properties (ykhsmauth PROPERTIES VERSION "${yubihsm_shell_VERSION_MAJOR}.${yubihsm_shell_VERSION_MINOR}.${yubihsm_shell_VERSION_PATCH}" SOVERSION ${yubihsm_shell_VERSION_MAJOR}) 41 | 42 | # Set install RPATH 43 | set_target_properties(ykhsmauth PROPERTIES INSTALL_RPATH "${YUBIHSM_INSTALL_LIB_DIR}") 44 | 45 | add_library (ykhsmauth_static STATIC ${SOURCE}) 46 | set_target_properties (ykhsmauth_static PROPERTIES POSITION_INDEPENDENT_CODE on OUTPUT_NAME ykhsmauth) 47 | set_target_properties (ykhsmauth_static PROPERTIES COMPILE_FLAGS "-DSTATIC") 48 | target_link_libraries (ykhsmauth_static ${LIBPCSC_LDFLAGS}) 49 | 50 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/ykhsmauth.pc.in ${CMAKE_CURRENT_BINARY_DIR}/ykhsmauth.pc @ONLY) 51 | if(WIN32) 52 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/version.rc.in ${CMAKE_CURRENT_BINARY_DIR}/version.rc @ONLY) 53 | endif(WIN32) 54 | 55 | install( 56 | TARGETS ykhsmauth 57 | ARCHIVE DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 58 | LIBRARY DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 59 | RUNTIME DESTINATION "${YUBIHSM_INSTALL_BIN_DIR}") 60 | install(FILES ykhsmauth.h DESTINATION ${YUBIHSM_INSTALL_INC_DIR}) 61 | install(FILES ${CMAKE_CURRENT_BINARY_DIR}/ykhsmauth.pc DESTINATION ${YUBIHSM_INSTALL_PKGCONFIG_DIR}) 62 | -------------------------------------------------------------------------------- /ykhsmauth/README.adoc: -------------------------------------------------------------------------------- 1 | == YkHSMAuth Library 2 | 3 | The YkHSMAuth C Library `libykhsmauth` is a native library to interact 4 | with the HSM auth application on a YubiKey. This application is meant 5 | to be used for having the HSM authentication keys on a YubiKey. 6 | 7 | The library exposes functions in the `ykhsmauth_` namespace. These all 8 | interact with the HSM auth application over PCSC and are meant for 9 | management and usage for the application. 10 | -------------------------------------------------------------------------------- /ykhsmauth/error.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #include "ykhsmauth.h" 18 | 19 | #include 20 | 21 | #define ERR(name, desc) \ 22 | { name, #name, desc } 23 | 24 | typedef struct { 25 | ykhsmauth_rc rc; 26 | const char *name; 27 | const char *description; 28 | } err_t; 29 | 30 | static const err_t errors[] = { 31 | ERR(YKHSMAUTHR_SUCCESS, "Successful return"), 32 | ERR(YKHSMAUTHR_MEMORY_ERROR, "Device memory error"), 33 | ERR(YKHSMAUTHR_PCSC_ERROR, "Error in PCSC call"), 34 | ERR(YKHSMAUTHR_GENERIC_ERROR, "General device error"), 35 | ERR(YKHSMAUTHR_WRONG_PW, "Wrong Password/Authentication key"), 36 | ERR(YKHSMAUTHR_INVALID_PARAMS, "Invalid argument to a device command"), 37 | ERR(YKHSMAUTHR_ENTRY_NOT_FOUND, "Entry not found"), 38 | ERR(YKHSMAUTHR_STORAGE_FULL, "Device storage full"), 39 | ERR(YKHSMAUTHR_TOUCH_ERROR, "Device not touched"), 40 | ERR(YKHSMAUTHR_ENTRY_INVALID, "Entry invalid"), 41 | ERR(YKHSMAUTHR_DATA_INVALID, "Invalid authentication data"), 42 | ERR(YKHSMAUTHR_NOT_SUPPORTED, "Device command not supported"), 43 | }; 44 | 45 | const char *ykhsmauth_strerror(ykhsmauth_rc err) { 46 | static const char *unknown = "Unknown ykhsmauth error"; 47 | const char *p; 48 | 49 | if (-err < 0 || -err >= (int) (sizeof(errors) / sizeof(errors[0]))) { 50 | return unknown; 51 | } 52 | 53 | p = errors[-err].description; 54 | if (!p) { 55 | p = unknown; 56 | } 57 | 58 | return p; 59 | } 60 | 61 | const char *ykhsmauth_strerror_name(ykhsmauth_rc err) { 62 | if (-err < 0 || -err >= (int) (sizeof(errors) / sizeof(errors[0]))) { 63 | return NULL; 64 | } 65 | 66 | return errors[-err].name; 67 | } 68 | -------------------------------------------------------------------------------- /ykhsmauth/internal.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright 2015-2018 Yubico AB 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"); 5 | * you may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | #ifndef YKHSMAUTH_INTERNAL_H 18 | #define YKHSMAUTH_INTERNAL_H 19 | 20 | #include 21 | 22 | #if defined(_WIN32) 23 | #include 24 | #else 25 | #include 26 | #include 27 | #endif 28 | 29 | #define READER_LEN 32 30 | #define MAX_READERS 16 31 | 32 | struct ykhsmauth_state { 33 | SCARDCONTEXT context; 34 | SCARDHANDLE card; 35 | int verbose; 36 | }; 37 | 38 | union u_APDU { 39 | struct { 40 | unsigned char cla; 41 | unsigned char ins; 42 | unsigned char p1; 43 | unsigned char p2; 44 | unsigned char lc; 45 | unsigned char data[0xff]; 46 | } st; 47 | unsigned char raw[0xff + 5]; 48 | }; 49 | 50 | typedef union u_APDU APDU; 51 | 52 | #endif 53 | -------------------------------------------------------------------------------- /ykhsmauth/version.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiAuth Interface Library" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "ykhsmauth.dll" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "ykhsmauth.dll" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | -------------------------------------------------------------------------------- /ykhsmauth/ykhsmauth.pc.in: -------------------------------------------------------------------------------- 1 | libdir=-L@YUBIHSM_INSTALL_LIB_DIR@ 2 | includedir=@YUBIHSM_INSTALL_INC_DIR@ 3 | 4 | Name: ykhsmauth 5 | Description: Yubico YubiHSM application for YubiKey C Library 6 | URL: https://www.yubico.com/ 7 | Version: @VERSION@ 8 | Requires.private: libcrypto libpcsclite 9 | Libs: ${libdir} -lykhsmauth 10 | -------------------------------------------------------------------------------- /yubihsm-auth/CMakeLists.txt: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | include(${CMAKE_SOURCE_DIR}/cmake/openssl.cmake) 18 | find_libcrypto() 19 | 20 | set ( 21 | SOURCE 22 | main.c 23 | ../common/parsing.c 24 | ../common/pkcs5.c 25 | ../common/hash.c 26 | ) 27 | 28 | if(WIN32) 29 | set(SOURCE ${SOURCE} cmdline.c) 30 | include(${CMAKE_SOURCE_DIR}/cmake/getopt.cmake) 31 | find_getopt() 32 | else(WIN32) 33 | include(gengetopt) 34 | add_gengetopt_files (cmdline) 35 | set(SOURCE ${SOURCE} ${GGO_C}) 36 | message("${GGO_C}") 37 | endif(WIN32) 38 | 39 | include_directories ( 40 | ${LIBCRYPTO_INCLUDEDIR} 41 | ${CMAKE_CURRENT_SOURCE_DIR}/../ykhsmauth 42 | ${CMAKE_CURRENT_SOURCE_DIR}/../common 43 | ) 44 | 45 | if(WIN32) 46 | list(APPEND SOURCE ${CMAKE_CURRENT_BINARY_DIR}/version.rc) 47 | configure_file(${CMAKE_CURRENT_SOURCE_DIR}/version.rc.in ${CMAKE_CURRENT_BINARY_DIR}/version.rc @ONLY) 48 | set (BCRYPT_LIBRARY bcrypt) 49 | endif(WIN32) 50 | 51 | # NOTE(adma): required by gengetopt 52 | add_definitions (-DPACKAGE="yubihsm-auth") 53 | add_definitions (-DVERSION="${yubihsm_shell_VERSION_MAJOR}.${yubihsm_shell_VERSION_MINOR}.${yubihsm_shell_VERSION_PATCH}") 54 | 55 | list(APPEND LCOV_REMOVE_PATTERNS "'${PROJECT_SOURCE_DIR}/yubihsm-auth/cmdline.c'") 56 | 57 | if ("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") 58 | set_property(SOURCE ${GGO_C} APPEND_STRING PROPERTY COMPILE_FLAGS " -Wno-unused-but-set-variable ") 59 | endif() 60 | 61 | add_executable (yubihsm-auth ${SOURCE}) 62 | 63 | target_link_libraries ( 64 | yubihsm-auth 65 | ${LIBCRYPTO_LDFLAGS} 66 | ${GETOPT_LIBS} 67 | ykhsmauth 68 | ${BCRYPT_LIBRARY} 69 | ) 70 | 71 | # Set install RPATH 72 | set_target_properties(yubihsm-auth PROPERTIES INSTALL_RPATH "${YUBIHSM_INSTALL_LIB_DIR}") 73 | 74 | install( 75 | TARGETS yubihsm-auth 76 | ARCHIVE DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 77 | LIBRARY DESTINATION "${YUBIHSM_INSTALL_LIB_DIR}" 78 | RUNTIME DESTINATION "${YUBIHSM_INSTALL_BIN_DIR}") 79 | 80 | if (NOT WITHOUT_MANPAGES) 81 | include (help2man) 82 | add_help2man_manpage (yubihsm-auth.1 yubihsm-auth) 83 | 84 | add_custom_target (yubihsm-auth-man ALL 85 | DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/yubihsm-auth.1 86 | ) 87 | 88 | install(FILES "${CMAKE_CURRENT_BINARY_DIR}/yubihsm-auth.1" DESTINATION "${YUBIHSM_INSTALL_MAN_DIR}/man1") 89 | endif () 90 | -------------------------------------------------------------------------------- /yubihsm-auth/README.adoc: -------------------------------------------------------------------------------- 1 | == YubiHSM Auth 2 | 3 | YubiHSM Auth is a command-line tool for the YubiKey HSM Auth 4 | application. This is used for storing the authentication keys of a 5 | YubiHSM in a YubiKey. 6 | 7 | === Examples 8 | 9 | This example shows how to store a new authentication key in the application, 10 | then using it with the YubiHSM. 11 | 12 | First we store the key in a YubiKey, if options are omitted they will be 13 | asked for: 14 | 15 | [source, bash] 16 | ---- 17 | $ yubihsm-auth -a put --label="default key" --derivation-password="password" --credpwd="my secret" 18 | Credential successfully stored 19 | ---- 20 | 21 | Then we authenticate with a YubiHSM (in interactive mode) using the YubiKey: 22 | [source, bash] 23 | ---- 24 | yubihsm> session ykopen 1 "default key" "my secret" 25 | trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00' 26 | Created session 0 27 | ---- 28 | 29 | Alternatively using the command line: 30 | [source, bash] 31 | ---- 32 | $ yubihsm-shell -a get-pseudo-random --ykhsmauth-label="default key" --password="my secret" 33 | Session keepalive set up to run every 15 seconds 34 | trying to connect to reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00' 35 | Created session 0 36 | 06a4d93be9bbcf97891f09979d4297eee335c4ea9526bfb8565baa9239b6359d68d9c636364052bee91a5b1801d6844b88dd3aa1e47f34f2389d841a21398f60ba67507d7f282e8fdc3b7090a2465b3b0358df660f74dd8e9aa5af2c73aadd9d82101c762e558e129703fe44ecb8433537db4d04350141c73ba9d36143afe5264125ec2bfc202d18f73155c34f0e16d45a4ade4a92f17433a6426d4cda6d4b36e831c641be71c561cbeb537e412341b6318810b581b006c29acef3b5bdae157d536d05f4275b86510d6a22c37b352dc148a3400a513dad2a91162795964212b9f361328e5f98fb47ae7ad9e4c4d66ff912d90cb028e15f89d3b8e5d8c3664ed3 37 | ---- 38 | -------------------------------------------------------------------------------- /yubihsm-auth/cmdline.ggo: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015-2018 Yubico AB 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | 17 | option "action" a "Action to perform" values="calculate", "change-mgmkey", "delete", "list", "put", "reset", "retries", "version", "get-challenge", "get-pubkey" enum optional 18 | option "mgmkey" k "Management key is required to put and delete credentials. Sometimes, this key is also referenced as 'Admin Access Code'" string optional default="00000000000000000000000000000000" 19 | option "new-mgmkey" K "New management key" string optional default="" 20 | option "credpwd" p "Credential password is used to access the credential when logging into the YubiHSM2. Sometimes, this password is also referenced as 'User Access Code'" string optional default="" 21 | option "label" l "Credential label" string optional default="" 22 | option "reader" r "Only use a matching reader" string optional default="" 23 | option "touch" t "Touch required" values="off","on" enum optional default="off" 24 | option "context" c "Session keys calculation context" string optional default="" 25 | option "verbose" v "Print more information" int optional default="0" argoptional 26 | 27 | defmode "derivation" modedesc="Derive keys from a password using PBKDF2" 28 | modeoption "derivation-password" d "Derivation password for encryption and MAC keys" string mode="derivation" optional default="" 29 | 30 | defmode "explicit" modedesc="Explicit encryption and MAC keys" 31 | modeoption "enckey" e "Encryption key" string optional default="" mode="explicit" 32 | modeoption "mackey" m "MAC key" string optional default="" mode="explicit" 33 | 34 | defmode "asymmetric" modedesc="Explicit ec-p256 private key" 35 | modeoption "privkey" s "Private key" string optional default="" mode="asymmetric" 36 | -------------------------------------------------------------------------------- /yubihsm-auth/version.rc.in: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | 4 | #define VER_FILEVERSION @yubihsm_shell_VERSION_MAJOR@,@yubihsm_shell_VERSION_MINOR@,@yubihsm_shell_VERSION_PATCH@,0 5 | #define VER_FILEVERSION_STR "@yubihsm_shell_VERSION_MAJOR@.@yubihsm_shell_VERSION_MINOR@.@yubihsm_shell_VERSION_PATCH@.0" 6 | 7 | VS_VERSION_INFO VERSIONINFO 8 | FILEVERSION VER_FILEVERSION 9 | PRODUCTVERSION VER_FILEVERSION 10 | FILEFLAGSMASK 0x3fL 11 | #ifdef _DEBUG 12 | FILEFLAGS 0x1L 13 | #else 14 | FILEFLAGS 0x0L 15 | #endif 16 | FILEOS 0x40004L 17 | FILETYPE 0x2L 18 | FILESUBTYPE 0x0L 19 | BEGIN 20 | BLOCK "StringFileInfo" 21 | BEGIN 22 | BLOCK "040904b0" 23 | BEGIN 24 | VALUE "CompanyName", "Yubico AB" 25 | VALUE "FileDescription", "YubiHSM Auth" 26 | VALUE "FileVersion", VER_FILEVERSION_STR 27 | VALUE "InternalName", "yubihsm-auth.exe" 28 | VALUE "LegalCopyright", "\xa9 Yubico AB" 29 | VALUE "OriginalFilename", "yubihsm-auth.exe" 30 | VALUE "ProductName", "YubiHSM" 31 | VALUE "ProductVersion", VER_FILEVERSION_STR 32 | END 33 | END 34 | BLOCK "VarFileInfo" 35 | BEGIN 36 | VALUE "Translation", 0x409, 1200 37 | END 38 | END 39 | --------------------------------------------------------------------------------