search

Yubico / yubihsm-shell

yubihsm-shell and libyubihsm
https://developers.yubico.com/yubihsm-shell/
Apache License 2.0
90 stars 54 forks source link

Wrapped ED25519 key import not working #55

Closed jevonearth closed 5 years ago

jevonearth commented 5 years ago

Related to support #78302

We are trying to build a tool that will allow users to export their key to pkcs8 format keys in order to import them into their Yubi HSM2 device.

For this tool we are targetting 3 algorithm ecp256, eck256 and ed25519. The two first are working wonderfully. Our users are able to export their key, wrap them using yubihsm-wrap and then import them into the HSM with no problem

Our issue is with ed25519. We have tried several things in order to make it work, but we just realized that even if we generate a key with openssl we are not able to import it.

Detailed steps are below, the final error message is;

Failed to store wrapped object: Malformed command / invalid data
Unable to store wrapped object

If you could give me some directions regarding this is it would be very much appreciated. Thanks in advance

  1. Operating System: Windows? macOS? or Linux? and any pertinent build numbers or distributions?
jev@baker ~ % uname -a
Linux baker 4.18.0-21-generic #22-Ubuntu SMP Wed May 15 13:13:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
jev@baker ~ % cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.10
DISTRIB_CODENAME=cosmic
DISTRIB_DESCRIPTION="Ubuntu 18.10"
  1. YubiHSM2 firmware version (launch yubishm-shell >> connect >> get deviceinfo)
yubihsm> get deviceinfo
Version number:         2.1.2
Serial number:          9680228
Log used:               62/62
Supported algorithms:   rsa-pkcs1-sha1, rsa-pkcs1-sha256, rsa-pkcs1-sha384,
                        rsa-pkcs1-sha512, rsa-pss-sha1, rsa-pss-sha256,
                        rsa-pss-sha384, rsa-pss-sha512, rsa2048,
                        rsa3072, rsa4096, ecp256,
                        ecp384, ecp521, eck256,
                        ecbp256, ecbp384, ecbp512,
                        hmac-sha1, hmac-sha256, hmac-sha384,
                        hmac-sha512, ecdsa-sha1, ecdh,
                        rsa-oaep-sha1, rsa-oaep-sha256, rsa-oaep-sha384,
                        rsa-oaep-sha512, aes128-ccm-wrap, opaque-data,
                        opaque-x509-certificate, mgf1-sha1, mgf1-sha256,
                        mgf1-sha384, mgf1-sha512, template-ssh,
                        aes128-yubico-otp, aes128-yubico-authentication, aes192-yubico-otp,
                        aes256-yubico-otp, aes192-ccm-wrap, aes256-ccm-wrap,
                        ecdsa-sha256, ecdsa-sha384, ecdsa-sha512,
                        ed25519, ecp224,
  1. Version of YubiHSM2 SDK (if you're not sure, you should be able to confirm with apt search yubihsm-shell on Ubuntu distributions or yum search yubihsm-shell on CentOS)
yubihsm-shell/now 2.0.1-1 amd64 [installed,local]
  1. Any steps you used to initially configure the YubiHSM2.

Nothing of note. We are using it with all defaults as far as we can tell.

  1. any other information that may provide assistance for us to replicate?

We have posted the steps here: https://stackoverflow.com/questions/57185517/how-to-import-a-ed25519-private-key-into-yubi-hsm-2

and I will repeat a summary here again; I have also attached the shell script that I used to make this output, for your convenience. Note that in our lab, we are running the yubi connector daemon on host http://10.60.58.15:12345, and that is reflected in the below logs.

jev@baker ~ % sudo sh ./test_yubi_ed_import.sh
+ echo -en \x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\xcc\xdd\xee\xff
+ yubihsm-shell -p password -a put-wrap-key -i 20 -c all --delegated all --informat bin --in wrap.key
Using default connector URL: http://127.0.0.1:12345
Failed connecting 'http://127.0.0.1:12345'
Not connected
Failed to open session
+ yubihsm-shell -C http://10.60.58.15:12345 -p password -a put-wrap-key -i 31 -c all --delegated all --informat bin --in wrap.key
Session keepalive set up to run every 15 seconds
Created session 0
Key length not matching, should be 16, 24 or 32
Unable to put wrapkey
+ openssl genpkey -algorithm Ed25519 -out ed25519key.pem
+ yubihsm-wrap -a ed25519 -c sign-eddsa -d 1,2,5 --id 31 --label ED25519_Key --in ed25519key.pem --wrapkey wrap.key --out private.yhw
Unable to read wrapkey file
+ yubihsm-shell -C http://10.60.58.15:12345 -p password -a put-wrapped --wrap-id 30 --in private.yhw
Session keepalive set up to run every 15 seconds
Created session 0
Failed to store wrapped object: Malformed command / invalid data
Unable to store wrapped object
jev@baker ~ %
  1. any debug logs you may have?

This is the debug output from the connector (running with the -d flag) from when we run the command "yubihsm-shell -C http://10.60.58.15:12345 -p password -a put-wrapped --wrap-id 30 --in private.yhw"

DEBU[0491] reopening usb context                         Correlation-ID=5e7801ec-d77e-70da-e1c9-719350dc54da why="status request"
DEBU[0491] Returning a matched device                    Correlation-ID=5e7801ec-d77e-70da-e1c9-719350dc54da Device-Serial=0009680228 Wanted-Serial=
DEBU[0491] usb endpoint read                             Correlation-ID=5e7801ec-d77e-70da-e1c9-719350dc54da buf="[]" err="libusb: timeout [code -7]" len=0 n=0
INFO[0491] handled request                               Content-Length=0 Content-Type= Method=GET RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/status User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=5e7801ec-d77e-70da-e1c9-719350dc54da latency=288.937117ms
DEBU[0491] usb device already open                       Correlation-ID=12741265-8fab-3f7f-127d-b0220b2a0f73
DEBU[0491] usb endpoint write                            Correlation-ID=12741265-8fab-3f7f-127d-b0220b2a0f73 buf="[3 0
10 0 1 147 18 122 55 33 42 219 186]" err="<nil>" len=13 n=13
DEBU[0491] usb endpoint read                             Correlation-ID=12741265-8fab-3f7f-127d-b0220b2a0f73 buf="[131
0 17 0 190 0 74 153 169 227 82 80 143 17 23 103 78 86 232 127]" err="<nil>" len=20 n=20
INFO[0491] handled request                               Content-Length=13 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=12741265-8fab-3f7f-127d-b0220b2a0f73 latency=11.326757ms
DEBU[0491] usb device already open                       Correlation-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974
DEBU[0491] usb endpoint write                            Correlation-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974 buf="[4 0
17 0 132 254 103 185 248 190 148 33 159 86 86 84 49 7 15 113]" err="<nil>" len=20 n=20
DEBU[0491] usb endpoint read                             Correlation-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974 buf="[132
0 0]" err="<nil>" len=3 n=3
INFO[0491] handled request                               Content-Length=20 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=61ecd7e0-784f-92b0-81e3-b60f1ede7974 latency=9.764995ms
DEBU[0491] usb device already open                       Correlation-ID=48156e3a-ca2c-e984-402d-b817a5157708
DEBU[0491] usb endpoint write                            Correlation-ID=48156e3a-ca2c-e984-402d-b817a5157708 buf="[5 0
137 0 214 95 17 65 127 28 29 103 154 57 229 160 49 4 194 188 88 104 254 153 167 187 245 18 12 78 211 33 29 191 227 59 125 197 52 178 9 104 241 34 74 7 171 88 49 60 195 92 238 229 160 82 164 104 209 125 94 76 37 171 193 75 150 229 177 204
206 105 31 247 60 171 240 7 116 126 125 77 82 229 76 38 134 45 218 215 79 128 194 32 231 176 231 217 105 21 6 118 140 146 140 54 133 157 68 189 170 205 159 237 223 202 255 113 180 238 41 118 7 252 158 214 16 221 98 175 88 2 195 146 102 93 246 80 138 4]" err="<nil>" len=140 n=140
DEBU[0491] usb endpoint read                             Correlation-ID=48156e3a-ca2c-e984-402d-b817a5157708 buf="[133
0 25 0 187 114 145 119 80 14 156 249 101 181 88 1 90 104 165 199 110 162 50 34 92 62 85 90]" err="<nil>" len=28 n=28
INFO[0491] handled request                               Content-Length=140 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=48156e3a-ca2c-e984-402d-b817a5157708 latency=15.084616ms
DEBU[0491] usb device already open                       Correlation-ID=816f6498-77cf-72c5-c00b-0d6219853e18
DEBU[0491] usb endpoint write                            Correlation-ID=816f6498-77cf-72c5-c00b-0d6219853e18 buf="[5 0
25 0 12 10 63 179 178 252 201 29 61 158 6 104 27 32 89 165 164 210 221 18 131 123 25 253]" err="<nil>" len=28 n=28
DEBU[0491] usb endpoint read                             Correlation-ID=816f6498-77cf-72c5-c00b-0d6219853e18 buf="[133
0 25 0 220 190 52 117 122 10 61 237 228 10 126 35 250 68 16 80 105 118 54 177 31 47 23 201]" err="<nil>" len=28 n=28
INFO[0491] handled request                               Content-Length=28 Content-Type=application/octet-stream Method=POST RemoteAddr="10.60.58.15:43686" StatusCode=200 URI=/connector/api User-Agent="YubiHSM curl/2.0.1" X-Real-IP=10.60.58.15 X-Request-ID=816f6498-77cf-72c5-c00b-0d6219853e18 latency=10.966123ms
a-dma commented 5 years ago

There is an issue in yubihsm-wrap with how Ed25519 keys are wrapped. I've pushed new code to the wrap_ed25519 branch. Are you able to build and test that?

jevonearth commented 5 years ago

Thank you for your patience @a-dma

I see that the yubihsm-wrap branch was merged, so I tested with a guild from master at 7e458323323a1cb9601a69558cf236d48532a4eb

My import tests work now, so I think you can close this issue.

Will you be able to cut a new release of yubihsm2-sdk?

a-dma commented 5 years ago

Glad to hear that your issue is solved.

We're planning a new release of the SDK relatively soon. No promise on a date just yet though.