Overview ¶
Package yubihsm implements a cgo wrapper around yubihsm.h provided by the YubiHSM2 SDK.
Index ¶
- Constants
- func Domains(domains ...int) int
- func GetVerbosity() (int, error)
- func SetDebugOutput(file *os.File) error
- func SetVerbosity(verbosity int) error
- type Algorithm
- type Capabilities
- type Capability
- type Command
- type Connector
- func (c *Connector) Connect() error
- func (c *Connector) DeviceInfo() (*DeviceInfo, error)
- func (c *Connector) Disconnect() error
- func (c *Connector) NewDerivedSession(id int, password []byte, recreate bool, ctx *Context) (*Session, error)
- func (c *Connector) NewSession(id int, key, mac []byte, recreate bool, ctx *Context) (*Session, error)
- func (c *Connector) Send(msg, res *Message) error
- func (c *Connector) SetHTTPSCA(path string) error
- func (c *Connector) SetProxyServer(url string) error
- type Context
- type DeviceInfo
- type Digest
- type Filter
- type LogEntry
- type Message
- type Object
- type ObjectType
- type Option
- type ReturnCode
- type Session
- func (s *Session) Authenticate(ctx *Context) error
- func (s *Session) Destroy() error
- func (s *Session) GenerateECKey(label string, domains int, caps *Capabilities, algo Algorithm) (id int, err error)
- func (s *Session) GetObject(id int, typ ObjectType) (*Object, error)
- func (s *Session) GetPublicKey(id int) ([]byte, error)
- func (s *Session) ListObjects(f *Filter) ([]*Object, error)
- func (s *Session) SignECDSA(id int, data []byte) (R, S *big.Int, err error)
Constants ¶
// Return codes surfaced by this package. Each value is the corresponding
// YHR_* constant from yubihsm.h converted to ReturnCode.
//
// ErrCryptogramMismatch, ErrAuthSessionError, ErrMACMismatch and ErrAuthFail
// describe failed authentication or integrity checks (see their trailing
// comments).
// NOTE(review): callers should presumably treat these four as hard failures
// and record them, rather than folding them into a silent retry path.
const (
	CodeSuccess           = ReturnCode(C.YHR_SUCCESS)               // Success
	ErrMemory             = ReturnCode(C.YHR_MEMORY)                // Memory error
	ErrInitError          = ReturnCode(C.YHR_INIT_ERROR)            // Init error
	ErrNetError           = ReturnCode(C.YHR_NET_ERROR)             // Network error
	ErrConnectorNotFound  = ReturnCode(C.YHR_CONNECTOR_NOT_FOUND)   // Connector not found
	ErrInvalidParams      = ReturnCode(C.YHR_INVALID_PARAMS)        // Invalid parameters
	ErrWrongLength        = ReturnCode(C.YHR_WRONG_LENGTH)          // Wrong length
	ErrBufferTooSmall     = ReturnCode(C.YHR_BUFFER_TOO_SMALL)      // Buffer too small
	ErrCryptogramMismatch = ReturnCode(C.YHR_CRYPTOGRAM_MISMATCH)   // Cryptogram error
	ErrAuthSessionError   = ReturnCode(C.YHR_AUTH_SESSION_ERROR)    // Authenticate session error
	ErrMACMismatch        = ReturnCode(C.YHR_MAC_MISMATCH)          // MAC not matching
	CodeDeviceOK          = ReturnCode(C.YHR_DEVICE_OK)             // Device success
	ErrInvalidCommand     = ReturnCode(C.YHR_DEVICE_INV_COMMAND)    // Invalid command
	ErrInvalidData        = ReturnCode(C.YHR_DEVICE_INV_DATA)       // Malformed command/data
	ErrInvalidSession     = ReturnCode(C.YHR_DEVICE_INV_SESSION)    // Invalid session
	ErrAuthFail           = ReturnCode(C.YHR_DEVICE_AUTH_FAIL)      // Encryption/verification failed
	ErrSessionsFull       = ReturnCode(C.YHR_DEVICE_SESSIONS_FULL)  // All sessions are allocated
	ErrSessionFailed      = ReturnCode(C.YHR_DEVICE_SESSION_FAILED) // Session creation failed
	ErrStorageFailed      = ReturnCode(C.YHR_DEVICE_STORAGE_FAILED) // Storage failure
	ErrDeviceWrongLength  = ReturnCode(C.YHR_DEVICE_WRONG_LENGTH)   // Wrong length
	ErrInvalidPermissions = ReturnCode(C.YHR_DEVICE_INV_PERMISSION) // Wrong permissions
	ErrLogFull            = ReturnCode(C.YHR_DEVICE_LOG_FULL)       // Log buffer is full
	ErrObjectNotFound     = ReturnCode(C.YHR_DEVICE_OBJ_NOT_FOUND)  // Object not found
	ErrIDIllegal          = ReturnCode(C.YHR_DEVICE_ID_ILLEGAL)     // ID use is illegal
	ErrInvalidOTP         = ReturnCode(C.YHR_DEVICE_INVALID_OTP)    // OTP submitted is invalid
	ErrDemoMode           = ReturnCode(C.YHR_DEVICE_DEMO_MODE)      // Device is in demo mode
	ErrUnexecuted         = ReturnCode(C.YHR_DEVICE_CMD_UNEXECUTED) // Command has not terminated
	ErrGeneric            = ReturnCode(C.YHR_GENERIC_ERROR)         // Unknown error
	ErrDeviceObjectExists = ReturnCode(C.YHR_DEVICE_OBJECT_EXISTS)  // Object with that ID already exists
	ErrConnector          = ReturnCode(C.YHR_CONNECTOR_ERROR)       // Connector operation failed
)
Return codes.
// Command identifiers. Each value is the corresponding YHC_* constant from
// yubihsm.h converted to Command; the same type is recorded in
// LogEntry.Command for audit log entries.
//
// NOTE(review): several of these change device state or the audit trail
// (CmdReset, CmdDeleteObject, CmdPutOption, CmdSetLogIndex) or move key
// material across the device boundary in wrapped form (CmdExportWrapped,
// CmdImportWrapped). Which commands a session may issue is presumably limited
// by the capabilities of its authentication key; confirm against the SDK
// documentation before granting them.
// NOTE(review): CmdDecryptPKCS1 is RSA PKCS#1 v1.5 decryption, which is hard
// to expose without creating a padding oracle; prefer CmdDecryptOAEP where the
// protocol allows it.
const (
	CmdEcho               = Command(C.YHC_ECHO)                  // Echo
	CmdCreateSession      = Command(C.YHC_CREATE_SES)            // Create session
	CmdAuthSession        = Command(C.YHC_AUTH_SES)              // Authenticate session
	CmdSessionMessage     = Command(C.YHC_SES_MSG)               // Session message
	CmdGetDeviceInfo      = Command(C.YHC_GET_DEVICE_INFO)       // Get device info
	CmdBSL                = Command(C.YHC_BSL)                   // BSL
	CmdReset              = Command(C.YHC_RESET)                 // Reset
	CmdCloseSession       = Command(C.YHC_CLOSE_SES)             // Close session
	CmdStats              = Command(C.YHC_STATS)                 // Storage statistics
	CmdPutOpaque          = Command(C.YHC_PUT_OPAQUE)            // Put opaque
	CmdGetOpaque          = Command(C.YHC_GET_OPAQUE)            // Get opaque
	CmdPutAuthkey         = Command(C.YHC_PUT_AUTHKEY)           // Put authentication key
	CmdPutAsymmetricKey   = Command(C.YHC_PUT_ASYMMETRIC_KEY)    // Put asymmetric key
	CmdGenAsymmetricKey   = Command(C.YHC_GEN_ASYMMETRIC_KEY)    // Generate asymmetric key
	CmdSignDataPKCS1      = Command(C.YHC_SIGN_DATA_PKCS1)       // Sign data with PKCS1
	CmdList               = Command(C.YHC_LIST)                  // List objects
	CmdDecryptPKCS1       = Command(C.YHC_DECRYPT_PKCS1)         // Decrypt data with PKCS1
	CmdExportWrapped      = Command(C.YHC_EXPORT_WRAPPED)        // Export an object wrapped
	CmdImportWrapped      = Command(C.YHC_IMPORT_WRAPPED)        // Import a wrapped object
	CmdPutWrapKey         = Command(C.YHC_PUT_WRAP_KEY)          // Put wrap key
	CmdGetLogs            = Command(C.YHC_GET_LOGS)              // Get audit logs
	CmdGetObjectInfo      = Command(C.YHC_GET_OBJECT_INFO)       // Get object information
	CmdPutOption          = Command(C.YHC_PUT_OPTION)            // Put a global option
	CmdGetOption          = Command(C.YHC_GET_OPTION)            // Get a global option
	CmdGetPseudoRandom    = Command(C.YHC_GET_PSEUDO_RANDOM)     // Get pseudo random data
	CmdPutHMACKey         = Command(C.YHC_PUT_HMAC_KEY)          // Put HMAC key
	CmdHMACData           = Command(C.YHC_HMAC_DATA)             // HMAC data
	CmdGetPubkey          = Command(C.YHC_GET_PUBKEY)            // Get a public key
	CmdSignDataPSS        = Command(C.YHC_SIGN_DATA_PSS)         // Sign data with PSS
	CmdSignDataECDSA      = Command(C.YHC_SIGN_DATA_ECDSA)       // Sign data with ECDSA
	CmdDecryptECDH        = Command(C.YHC_DECRYPT_ECDH)          // Perform an ECDH exchange
	CmdDeleteObject       = Command(C.YHC_DELETE_OBJECT)         // Delete an object
	CmdDecryptOAEP        = Command(C.YHC_DECRYPT_OAEP)          // Decrypt data with OAEP
	CmdGenerateHMACKey    = Command(C.YHC_GENERATE_HMAC_KEY)     // Generate HMAC key
	CmdGenerateWrapKey    = Command(C.YHC_GENERATE_WRAP_KEY)     // Generate wrap key
	CmdVerifyHMAC         = Command(C.YHC_VERIFY_HMAC)           // Verify HMAC data
	CmdSSHCertify         = Command(C.YHC_SSH_CERTIFY)           // SSH Certify
	CmdPutTemplate        = Command(C.YHC_PUT_TEMPLATE)          // Put template
	CmdGetTemplate        = Command(C.YHC_GET_TEMPLATE)          // Get template
	CmdOTPDecrypt         = Command(C.YHC_OTP_DECRYPT)           // Decrypt OTP
	CmdOTPAEADCreate      = Command(C.YHC_OTP_AEAD_CREATE)       // Create OTP AEAD
	CmdOTPAEADRandom      = Command(C.YHC_OTP_AEAD_RANDOM)       // Create OTP AEAD from random
	CmdOTPAEADRewrap      = Command(C.YHC_OTP_AEAD_REWRAP)       // Rewrap OTP AEAD
	CmdAttestAsymmetric   = Command(C.YHC_ATTEST_ASYMMETRIC)     // Attest an asymmetric key
	CmdPutOTPAEADKey      = Command(C.YHC_PUT_OTP_AEAD_KEY)      // Put OTP AEAD key
	CmdGenerateOTPAEADKey = Command(C.YHC_GENERATE_OTP_AEAD_KEY) // Generate OTP AEAD key
	CmdSetLogIndex        = Command(C.YHC_SET_LOG_INDEX)         // Set log index
	CmdWrapData           = Command(C.YHC_WRAP_DATA)             // Wrap data
	CmdUnwrapData         = Command(C.YHC_UNWRAP_DATA)           // Unwrap data
	CmdSignDataEDDSA      = Command(C.YHC_SIGN_DATA_EDDSA)       // Sign data with EDDSA
	CmdBlink              = Command(C.YHC_BLINK)                 // Blink the device
	CmdError              = Command(C.YHC_ERROR)                 // Error
)
Command identifiers.
// Object types. Each value is the corresponding YH_* constant from yubihsm.h
// converted to ObjectType; these are the values accepted by
// Session.GetObject and Filter.Type.
const (
	TypeOpaque     = ObjectType(C.YH_OPAQUE)       // Opaque object
	TypeAuthKey    = ObjectType(C.YH_AUTHKEY)      // Authentication key
	TypeAsymmetric = ObjectType(C.YH_ASYMMETRIC)   // Asymmetric key
	TypeWrapKey    = ObjectType(C.YH_WRAPKEY)      // Wrap key
	TypeHMACKey    = ObjectType(C.YH_HMACKEY)      // HMAC key
	TypeTemplate   = ObjectType(C.YH_TEMPLATE)     // Template
	TypeOTPAEADKey = ObjectType(C.YH_OTP_AEAD_KEY) // OTP AEAD key
	TypePublic     = ObjectType(C.YH_PUBLIC)       // Public key (virtual)
)
Object types
// Algorithms understood by the device. Each value is the corresponding
// YH_ALGO_* constant from yubihsm.h converted to Algorithm.
//
// The list mixes key types (AlgoRSA2048, AlgoECP256, ...), signature and
// encryption schemes, wrap algorithms and object formats, as the names show.
//
// NOTE(review): the *SHA1 signature variants (AlgoRSAPKCS1SHA1,
// AlgoRSAPSSSHA1, AlgoECDSASHA1) rely on SHA-1, which is no longer
// collision-resistant; new deployments should select a SHA-256 or stronger
// variant and keep the SHA-1 ones only for verified legacy interoperability.
// DeviceInfo.Algorithms reports what a given device actually supports.
const (
	AlgoRSAPKCS1SHA1    = Algorithm(C.YH_ALGO_RSA_PKCS1_SHA1)
	AlgoRSAPKCS1SHA256  = Algorithm(C.YH_ALGO_RSA_PKCS1_SHA256)
	AlgoRSAPKCS1SHA384  = Algorithm(C.YH_ALGO_RSA_PKCS1_SHA384)
	AlgoRSAPKCS1SHA512  = Algorithm(C.YH_ALGO_RSA_PKCS1_SHA512)
	AlgoRSAPSSSHA1      = Algorithm(C.YH_ALGO_RSA_PSS_SHA1)
	AlgoRSAPSSSHA256    = Algorithm(C.YH_ALGO_RSA_PSS_SHA256)
	AlgoRSAPSSSHA384    = Algorithm(C.YH_ALGO_RSA_PSS_SHA384)
	AlgoRSAPSSSHA512    = Algorithm(C.YH_ALGO_RSA_PSS_SHA512)
	AlgoRSA2048         = Algorithm(C.YH_ALGO_RSA_2048)
	AlgoRSA3072         = Algorithm(C.YH_ALGO_RSA_3072)
	AlgoRSA4096         = Algorithm(C.YH_ALGO_RSA_4096)
	AlgoECP256          = Algorithm(C.YH_ALGO_EC_P256)  // secp256r1
	AlgoECP384          = Algorithm(C.YH_ALGO_EC_P384)  // secp384r1
	AlgoECP521          = Algorithm(C.YH_ALGO_EC_P521)  // secp521r1
	AlgoECK256          = Algorithm(C.YH_ALGO_EC_K256)  // secp256k1
	AlgoECBP256         = Algorithm(C.YH_ALGO_EC_BP256) // brainpool256r1
	AlgoECBP384         = Algorithm(C.YH_ALGO_EC_BP384) // brainpool384r1
	AlgoECBP512         = Algorithm(C.YH_ALGO_EC_BP512) // brainpool512r1
	AlgoHMACSHA1        = Algorithm(C.YH_ALGO_HMAC_SHA1)
	AlgoHMACSHA256      = Algorithm(C.YH_ALGO_HMAC_SHA256)
	AlgoHMACSHA384      = Algorithm(C.YH_ALGO_HMAC_SHA384)
	AlgoHMACSHA512      = Algorithm(C.YH_ALGO_HMAC_SHA512)
	AlgoECDSASHA1       = Algorithm(C.YH_ALGO_EC_ECDSA_SHA1)
	AlgoECECDH          = Algorithm(C.YH_ALGO_EC_ECDH)
	AlgoRSAOAEPSHA1     = Algorithm(C.YH_ALGO_RSA_OAEP_SHA1)
	AlgoRSAOAEPSHA256   = Algorithm(C.YH_ALGO_RSA_OAEP_SHA256)
	AlgoRSAOAEPSHA384   = Algorithm(C.YH_ALGO_RSA_OAEP_SHA384)
	AlgoRSAOAEPSHA512   = Algorithm(C.YH_ALGO_RSA_OAEP_SHA512)
	AlgoAES128CCMWrap   = Algorithm(C.YH_ALGO_AES128_CCM_WRAP)
	AlgoOpaqueData      = Algorithm(C.YH_ALGO_OPAQUE_DATA)
	AlgoOpaqueX509Cert  = Algorithm(C.YH_ALGO_OPAQUE_X509_CERT)
	AlgoMGF1SHA1        = Algorithm(C.YH_ALGO_MGF1_SHA1)
	AlgoMGF1SHA256      = Algorithm(C.YH_ALGO_MGF1_SHA256)
	AlgoMGF1SHA384      = Algorithm(C.YH_ALGO_MGF1_SHA384)
	AlgoMGF1SHA512      = Algorithm(C.YH_ALGO_MGF1_SHA512)
	AlgoSSHTemplate     = Algorithm(C.YH_ALGO_TEMPL_SSH)
	AlgoYubicoOTPAES128 = Algorithm(C.YH_ALGO_YUBICO_OTP_AES128)
	AlgoYubicoAESAuth   = Algorithm(C.YH_ALGO_YUBICO_AES_AUTH)
	AlgoYubicoOTPAES192 = Algorithm(C.YH_ALGO_YUBICO_OTP_AES192)
	AlgoYubicoOTPAES256 = Algorithm(C.YH_ALGO_YUBICO_OTP_AES256)
	AlgoAES192CCMWrap   = Algorithm(C.YH_ALGO_AES192_CCM_WRAP)
	AlgoAES256CCMWrap   = Algorithm(C.YH_ALGO_AES256_CCM_WRAP)
	AlgoECDSASHA256     = Algorithm(C.YH_ALGO_EC_ECDSA_SHA256)
	AlgoECDSASHA384     = Algorithm(C.YH_ALGO_EC_ECDSA_SHA384)
	AlgoECDSASHA512     = Algorithm(C.YH_ALGO_EC_ECDSA_SHA512)
	AlgoED25519         = Algorithm(C.YH_ALGO_EC_ED25519)
	AlgoECP224          = Algorithm(C.YH_ALGO_EC_P224)
)
Algorithms understood by the device.
// Global options, converted from the YH_OPTION_* constants in yubihsm.h.
//
// NOTE(review): both options concern the device audit log (the entries
// described by LogEntry). Changing them alters what evidence is recorded, so
// the ability to issue CmdPutOption should presumably be restricted to
// administrative authentication keys; confirm against the SDK documentation.
const (
	// OptionForceAudit is the forced audit mode option.
	OptionForceAudit = Option(C.YH_OPTION_FORCE_AUDIT)
	// OptionCommandAudit is the option for audit logging per command.
	OptionCommandAudit = Option(C.YH_OPTION_COMMAND_AUDIT)
)
Global options
// Origin values, taken from the YH_ORIGIN_* constants in yubihsm.h.
//
// Unlike the other constant groups in this package these are not converted to
// a named Go type; Object.Origin, which carries them, is declared as byte.
// An object's origin distinguishes key material generated on the device from
// material that was imported.
const (
	// OriginGenerated means the origin is generated.
	OriginGenerated = C.YH_ORIGIN_GENERATED
	// OriginImported means the origin is imported.
	OriginImported = C.YH_ORIGIN_IMPORTED
	// OriginImportedWrapper means the origin is wrapped (note: this is used in
	// combination with objects' original origin).
	// NOTE(review): the Go name ends in "Wrapper" while the C constant ends in
	// "WRAPPED"; this looks like a typo, but the name is exported and so is
	// left as is.
	OriginImportedWrapper = C.YH_ORIGIN_IMPORTED_WRAPPED
)
Origin values
Variables ¶
This section is empty.
Functions ¶
func GetVerbosity ¶
GetVerbosity gets the logging verbosity of the library.
func SetDebugOutput ¶
SetDebugOutput sets the file for debug output.
func SetVerbosity ¶
SetVerbosity sets the logging verbosity of the library.
Types ¶
type Algorithm ¶
type Algorithm C.yh_algorithm
An Algorithm represents an algorithm understood by the device.
func AlgorithmByName ¶
AlgorithmByName returns the algorithm with the given name, or 0 if there is no algorithm with that name.
type Capabilities ¶
type Capabilities C.yh_capabilities
Capabilities represents a set of capabilities supported by an object.
func CapabilitiesByName ¶
func CapabilitiesByName(names ...string) (*Capabilities, error)
CapabilitiesByName parses a list of strings into a capability set.
func (*Capabilities) Parse ¶
func (c *Capabilities) Parse(names ...string) error
Parse a list of strings into a capability set.
func (Capabilities) String ¶
func (c Capabilities) String() string
String returns a string representation of the capabilities.
type Capability ¶
type Capability uint8
A Capability supported by an object.
func CapabilityByName ¶
func CapabilityByName(name string) Capability
CapabilityByName returns the capability with the given name, or 0 if there is no capability with that name.
func (Capability) String ¶
func (c Capability) String() string
String returns the name of a capability.
type Connector ¶
type Connector C.yh_connector
A Connector represents a connector for communicating with a device.
func NewConnector ¶
NewConnector instantiates a new connector with the given URL.
func (*Connector) DeviceInfo ¶
func (c *Connector) DeviceInfo() (*DeviceInfo, error)
DeviceInfo gets device info from the connector.
func (*Connector) Disconnect ¶
Disconnect a connected connector.
func (*Connector) NewDerivedSession ¶
func (c *Connector) NewDerivedSession(id int, password []byte, recreate bool, ctx *Context) (*Session, error)
NewDerivedSession creates a new session encrypted with a key derived from the password.
func (*Connector) NewSession ¶
func (c *Connector) NewSession(id int, key, mac []byte, recreate bool, ctx *Context) (*Session, error)
NewSession creates a new session encrypted with the given key.
func (*Connector) Send ¶
Send a plain message, receiving the response into res. Up to cap(res.Data) will be used to receive data, though after the call len(res.Data) will reflect the length of the data actually received.
func (*Connector) SetHTTPSCA ¶
SetHTTPSCA sets the path to a file with a CA certificate to validate the connector with.
func (*Connector) SetProxyServer ¶
SetProxyServer sets the proxy server to use for connecting to the connector.
type DeviceInfo ¶
// DeviceInfo is information about a device, as returned by
// Connector.DeviceInfo.
//
// LogUsed against LogTotal shows how full the device log is.
// NOTE(review): Connector.DeviceInfo takes no Session, so these values are
// presumably obtained without an authenticated session; treat them as
// unauthenticated hints unless the connector link itself is verified (see
// Connector.SetHTTPSCA).
type DeviceInfo struct {
	Major      uint8       // Major version.
	Minor      uint8       // Minor version.
	Patch      uint8       // Patch version.
	Serial     uint32      // Serial number.
	LogTotal   uint8       // Total number of log entries.
	LogUsed    uint8       // Log entries used.
	Algorithms []Algorithm // Algorithms supported by device.
}
DeviceInfo is information about a device.
type Digest ¶
type Digest [C.YH_LOG_DIGEST_SIZE]C.uint8_t
A Digest is a truncated SHA256 digest used in log entries.
type Filter ¶
// A Filter narrows the list of objects returned by Session.ListObjects.
//
// NOTE(review): this page does not say how zero-valued fields are treated;
// presumably a zero field means "do not filter on this" — confirm before
// relying on a partially filled Filter to scope an inventory or audit.
type Filter struct {
	ID           int          // ID to filter by.
	Type         ObjectType   // Type to filter by.
	Domains      int          // Domains to filter by.
	Capabilities Capabilities // Capabilities to filter by.
	Algorithm    Algorithm    // Algorithm to filter by.
	Label        string       // Label to filter by.
}
A Filter for filtering lists of objects.
type LogEntry ¶
// A LogEntry is a log entry returned by the device.
//
// Each entry records which command ran, which authentication key's session
// issued it, the objects involved and the result. Digest covers the previous
// entry's digest plus this entry, so consecutive entries are chained.
// NOTE(review): a consumer that recomputes the chain and checks that Number
// increases without gaps can presumably detect altered or missing entries;
// confirm the exact digest input against the SDK documentation.
type LogEntry struct {
	Number     int        // Number is a monotonically increasing index.
	Command    Command    // Command that was executed.
	Length     int        // Length of in-data.
	SessionKey int        // SessionKey is the ID of the authentication key used.
	TargetKey  int        // TargetKey is the ID of object used.
	SecondKey  int        // SecondKey is the ID of object used.
	Result     ReturnCode // Result of command.
	Systick    uint       // Systick at time of execution.
	Digest     Digest     // Digest of last digest + this entry.
}
A LogEntry is a log entry returned by the device.
type Object ¶
// An Object is an object descriptor, as returned by Session.GetObject and
// Session.ListObjects. It describes an object; no field here holds key
// material.
type Object struct {
	Capabilities Capabilities // Capabilities of the object.
	ID           int          // ID of the object.
	Length       int          // Length of the object.
	Domains      int          // Domains of the object.
	Type         ObjectType   // Type of the object.
	Algorithm    Algorithm    // Algorithm associated with the object.
	Sequence     byte         // Sequence number of object.
	Origin       byte         // Origin of object (see the Origin* constants).
	Label        string       // Label of object.
	// DelegatedCapabilities are the object's delegated capabilities.
	DelegatedCapabilities Capabilities
}
An Object is an object descriptor.
type ObjectType ¶
type ObjectType C.yh_object_type
An ObjectType represents the type of an object on a device.
func TypeByName ¶
func TypeByName(name string) ObjectType
TypeByName returns the object type with the given name, or 0 if there is no object type with that name.
func (ObjectType) String ¶
func (t ObjectType) String() string
String returns a string representation of the object type.
type Option ¶
An Option is a global option.
func OptionByName ¶
OptionByName returns the option with the given name, or 0 if there is no option with that name.
type ReturnCode ¶
A ReturnCode returned by an operation to indicate its completion status.
type Session ¶
type Session struct {
// contains filtered or unexported fields
}
A Session is a session with a device.
func (*Session) Authenticate ¶
Authenticate a session.
func (*Session) Destroy ¶
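Destroy a session, freeing data associated with the session. This will be called automatically by a finalizer, and it is safe to call multiple times. Go does not guarantee that finalizers run promptly, or at all before the program exits, so call Destroy explicitly once a session is no longer needed rather than relying on the finalizer.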
func (*Session) GenerateECKey ¶
func (s *Session) GenerateECKey(label string, domains int, caps *Capabilities, algo Algorithm) (id int, err error)
GenerateECKey generates a new EC key on the device, returning the object ID.
func (*Session) GetObject ¶
func (s *Session) GetObject(id int, typ ObjectType) (*Object, error)
GetObject gets info about an object.
func (*Session) GetPublicKey ¶
GetPublicKey gets a public key from a key object.
func (*Session) ListObjects ¶
ListObjects lists objects on the device, taking an optional filter.