smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0

Not working with YubiHSM ? #152

Closed udf2457 closed 4 months ago

udf2457 commented 4 months ago

I am really struggling to make the instructions work on OS X.

I have put the concatenation of ID + password into a file, e.g. echo '0001pppp' > foo

I have tried calling step as follows:

step kms create --json --kty RSA --size 4096 --kms "pkcs11:module-path=/usr/local/lib/libyubihsm_usb.dylib;token=YubiHSM?pin-source=/path/to/foo" "pkcs11:id=7534;object=my-root-ca;export-under-wrap"

But that returns error:

Error: failed to load key manager: error initializing PKCS#11: could not open PKCS#11

The same with /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib.

So I thought, OK, let's try the HTTP connector.

So I fired up yubihsm-connector -d

and then tweaked the step call:

step kms create --json --kty RSA --size 4096 --kms "pkcs11:module-path=/usr/local/lib/libyubihsm_http.dylib;token=YubiHSM?pin-source=/path/to/foo" "pkcs11:id=7534;object=my-root-ca;export-under-wrap"

But the same error:

Error: failed to load key manager: error initializing PKCS#11: could not open PKCS#11

And yubihsm-connector shows nothing in its debug output. So step doesn't even try to connect.

STEPDEBUG=1 has zero effect, it produces no extra information.

Setting YUBIHSM_PKCS11_CONF per the yubico docs also has zero effect.

Meanwhile I have no problems using the YubiHSM with the Yubico tools, e.g.

yubihsm-connector
yubihsm-shell:
  - connect
  - session open 1 <PASSWORD>

That all works fine.

maraino commented 4 months ago

Hi @udf2457, the right module is /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib. We don't support the attribute export-under-wrap, but you can do the same with the --extractable flag.

In any case, your command, with the proper module, works as expected on my YubiHSM2. I've reproduced the error you mentioned if I use a non-PKCS#11 library like libyubihsm_usb.dylib or I try to use a file that does not exist.

Here is a working configuration:

$ echo $YUBIHSM_PKCS11_CONF
/Users/mariano/yubihsm_pkcs11.conf
$ cat /Users/mariano/yubihsm_pkcs11.conf
connector = http://127.0.0.1:12345
$ yubihsm-connector
...

And then in another terminal:

$ echo 0001password > /tmp/pin.txt
$ step kms create --json --kty RSA --size 4096 --extractable --kms "pkcs11:module-path=/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib;token=YubiHSM?pin-source=/tmp/pin.txt" "pkcs11:id=7534;object=my-root-ca"
{
  "name": "pkcs11:id=7534;object=my-root-ca",
  "publicKey": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt0Z8VQXJqbSg/QtlhDP+\nniQ4pcY2V/ieWdtyFDRX5u4vq8ZxtxOWlOYWTKHZ+yx73+b7AvUmAlFsH70IE9Me\nzqKnSwwqTj8KvVIA4f1VYpbnVC6P9a37+5uh+TPj4P+6n7un+LPHwyKMywmx7Rfk\nxIDYkXkuLGRIUHW8PgnPnxwqujDADh8DRQDLaZ3gYTm6svOTs0FP9v3wU7Waktka\nK+pMQtpogP/kNWBQM/D2kxYjzMmN5EVXppDQIwACDbIoqldNaezCdwoar+u1H+CL\n8QTE1/700QHiamaM6rxl3rZwWIqbNjioH10tlbGGyQjVsUkdnSbywMf4RE4Kv3y2\nlFb434mRx7jOqqjcpYx7Bbd49PrsYR8GX9BMJr1UIbzUBuXRt0xUoOJTZA6xSe9c\nL0JGK7BZ5AQyuBiyZYsumVqxUyL8UI8KJo+bhTrbcXJU/f3oTABNci6Q2eRPsXaX\nTAw7znIjWxS0OEN4hYR/QT3W71ow074qxszEw5qPsw78iwDpm/nE1njI8lmJadm8\nsFqimqrFAmCKkAoWeWARcNfOwrBVGbqPHv06qJuUTHVp5H38zDAcSkZ3HI1a5Uvt\ndgqj7xI7Clu1uVlaV2elhZFTY3CtLLGleMzj70s/LsfRAfXdEm8wj5V4Vpd4Umau\nUz7UtMhhoosEXqgFaWbxE5UCAwEAAQ==\n-----END PUBLIC KEY-----\n"
}

udf2457 commented 4 months ago

@maraino

Subsequent to my earlier post, I actually did discover /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib but that did not work either.

Can you confirm what OS X version you are on? I am on Sonoma 14.4.1.

maraino commented 4 months ago

You can also combine all the URIs in one, or use p11-kit to simplify things:

$ cat ~/.config/pkcs11/modules/yubihsm
module: /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
managed: true
$ export DYLD_FALLBACK_LIBRARY_PATH=/usr/local/lib
$ step kms create "pkcs11:token=YubiHSM;id=7534;object=my-root-ca?pin-source=/tmp/pin.txt"
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2uZnKCl1txbD7TmsYtq3jfvHAx36
culZcLP8jsPmcrj/6qsAKPCKNLW+vkaRS939i5ypT7EjwbT7U0EpvqGadw==
-----END PUBLIC KEY-----

With the latest version of macOS, we cannot load by default libraries in /usr/local/lib/... so you need to set the environment variable DYLD_FALLBACK_LIBRARY_PATH (or DYLD_LIBRARY_PATH).
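The three failure modes in this thread (a non-PKCS#11 library passed as module-path, a pin-source file that does not exist, and a provider under /usr/local/lib with no DYLD_FALLBACK_LIBRARY_PATH) all surface as the same opaque "could not open PKCS#11" error. The preflight check below is an added example, not code from step-kms-plugin or from anyone in this thread: it parses the `pkcs11:` URI (RFC 7512 style) and reports those problems, plus the pin file's permissions, before `step kms` is run. The "pkcs11 in the filename" heuristic, the `env`/`platform` parameters and the `file://` handling are my assumptions; p11-kit module files are not inspected.

```python
import os, stat, sys
from urllib.parse import unquote

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 pkcs11: URI into (path attributes, query attributes)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    def pairs(part, sep):
        out = {}
        for item in filter(None, part.split(sep)):
            key, _, value = item.partition("=")
            out[unquote(key)] = unquote(value)
        return out
    return pairs(path, ";"), pairs(query, "&")

def preflight(uri, env=None, platform=sys.platform):
    """Return the problems that would make step fail before it ever talks to the HSM."""
    env = os.environ if env is None else env
    attrs, query = parse_pkcs11_uri(uri)
    problems = []
    module = attrs.get("module-path")
    if not module:
        problems.append("module-path missing (put it in the URI or a p11-kit module file)")
    elif not os.path.isfile(module):
        problems.append(f"module-path does not exist: {module}")
    elif "pkcs11" not in os.path.basename(module).lower():
        # Heuristic (assumption): the provider is yubihsm_pkcs11.*, not the libyubihsm_usb/http backends.
        problems.append(f"{module} does not look like a PKCS#11 provider")
    if module and platform == "darwin" and module.startswith("/usr/local/lib"):
        # Newer macOS does not search /usr/local/lib, so the provider's dependencies fail to load.
        search = env.get("DYLD_FALLBACK_LIBRARY_PATH", "") + ":" + env.get("DYLD_LIBRARY_PATH", "")
        if "/usr/local/lib" not in search.split(":"):
            problems.append("DYLD_FALLBACK_LIBRARY_PATH (or DYLD_LIBRARY_PATH) must include /usr/local/lib")
    pin = query.get("pin-source")
    if pin:
        pin_path = pin[len("file://"):] if pin.startswith("file://") else pin
        if not os.path.isfile(pin_path):
            problems.append(f"pin-source does not exist: {pin_path}")
        else:
            mode = stat.S_IMODE(os.stat(pin_path).st_mode)
            if mode & 0o077:
                # The file holds the YubiHSM authentication key password; keep it owner-only.
                problems.append(f"pin-source is readable by group/others (mode {mode:o}); chmod 600 it")
            secret = open(pin_path).read().strip()
            if len(secret) < 5 or any(c not in "0123456789abcdefABCDEF" for c in secret[:4]):
                problems.append("pin-source should be <4 hex digit auth key id><password>, e.g. 0001password")
    return problems
```

Run `preflight(uri)` on the exact URI you pass to `--kms`; an empty list means the module and pin file are at least loadable and the remaining errors really come from the HSM or connector.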

maraino commented 4 months ago

Same version as you. Can you try with p11-kit or pkcs11-tool?

This is from the last key I created in my previous command.

$ pkcs11-tool --module /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib -O --token-label YubiHSM -p 0001password --id 7534
Private Key Object; EC
  label:      my-root-ca
  ID:         7534
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104dae667282975b716c3ed39ac62dab78dfbc7031dfa72e95970b3fc8ec3e672b8ffeaab0028f08a34b5bebe46914bddfd8b9ca94fb123c1b4fb534129bea19a77
  EC_PARAMS:  06082a8648ce3d030107 (OID 1.2.840.10045.3.1.7)
  label:      my-root-ca
  ID:         7534
warning: PKCS11 function C_GetAttributeValue(VERIFY_RECOVER) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  Usage:      verify
  Access:     local

maraino commented 4 months ago

I'm not sure which version I am using but here is some info:

$ yubihsm-shell --version
yubihsm-shell 2.2.0
$ sha256sum /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
5ec42644ac33d6106883cb7413e1b9b615e7d4a9761697c1a323eeed003f731e  /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib

maraino commented 4 months ago

I've installed the latest one and it works too:

$ yubihsm-shell --version
yubihsm-shell 2.4.2
$ sha256sum /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
b27217253584750bf1f07e0ab9e6991f178a2b333932c1f517e08b4d88303d37  /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib

I'm on an Intel mac, and this one was https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2023-11-darwin-amd64.pkg

udf2457 commented 4 months ago

DYLD_FALLBACK_LIBRARY_PATH was the secret sauce!

Thanks!

Maybe some kind soul needs to make a note of that in the docs. :wink: