| #!/bin/bash | |
| # Generate a Certificate Signing Request (CSR) for an asymmetric key stored in a YubiHSM 2 | |
| # Usage: | |
| # ./gencsr.sh <id> <cn> | |
| # | |
| # where <id> is the object ID of the asymmetric key, | |
| # and <cn> is the Common Name of the subject DN in the generated CSR. |
| #!/bin/bash | |
| # extend PATH with location of yubihsm-parse-attestation tool | |
| PATH=$PATH:~/go/bin | |
| # check for installed tools | |
| command -v curl >/dev/null 2>&1 \ | |
| || { echo >&2 "please install curl - see https://github.com/curl/curl"; exit 1; } | |
| command -v openssl >/dev/null 2>&1 \ | |
| || { echo >&2 "please install openssl - see https://github.com/openssl/openssl"; exit 1; } |
| FROM ubuntu:22.04 | |
| ARG user | |
| RUN apt-get update && apt-get install -y openssh-server | |
| RUN mkdir /var/run/sshd | |
| EXPOSE 22 | |
| RUN useradd -ms /bin/bash "$user" | |
| COPY id_userca.pub /etc/ssh/user_ca.pub | |
| RUN echo "TrustedUserCAKeys /etc/ssh/user_ca.pub" >> /etc/ssh/sshd_config | |
| CMD ["/usr/sbin/sshd", "-D"] |
| #include <assert.h> | |
| #include <dlfcn.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <pkcs11y.h> | |
| /* | |
| * Generate an RSA key in slot 9a of a YubiKey |
| # generate and wrap target key on YubiHSM (firmware 2.4), unwrap using OpenSSL 3.3.1. | |
| # Wrapping Algorithm = RSA_AES_KEY_WRAP_SHA256 (OAEP Padding - SHA256 digest + 256 bit AES-KWP) | |
| HSM=yhusb:// | |
| TARGET_KEYID=0x1234 | |
| WRAP_KEYID=0xabcd | |
| yubihsm="./yubihsm-shell -C $HSM -p password" | |
| # generate target key | |
| $yubihsm --action generate-asymmetric-key --object-id $TARGET_KEYID --domain 1 --capabilities exportable-under-wrap -A ecp256 |
OpenSSL v1.x uses the engine API to support HSMs. The OpenSC project provides a PKCS#11 engine, suitable for using HSMs that provide a PKCS#11 module. OpenSSL v1 is however deprecated, and in OpenSSL v3 the engine concept is replaced with that of a provider
Instead of using OpenSC's PKCS#11 engine, you can use pkcs11-provider with OpenSSL v3.x
| # recover RSA private key file using public key (n,e) and private exponent d | |
| # python recover.py | openssl asn1parse -genconf - -out key.der | |
| from math import gcd | |
| # example Private-Key (512 bit, 2 primes) | |
| modulus=0x00bacb716af4a701ea525c1fc45c7798598a966432a44a347d53054c691bd5a7c60fe717b5f55de46ea8afd1525a4b08b098b7eb0f51d58daf690ae85fcb9254b9 | |
| publicExponent=0x10001 | |
| privateExponent=0x217051f9679a8e09387d2d62a57af356f42c3ffba0d577d80788a74919a681c5f02b3e8422e79737fd9aff15046a91509788023aad60c39492ceddb301f0bcd1 |
| # DEMO for hmac-secret - generate a static secret based on a FIDO credential and a salt | |
| # Uses libfido2 tools: https://github.com/Yubico/libfido2 | |
| HID="$(shell fido2-token -L | head -1 | cut -d: -f1-2)" | |
| all: secret | |
| cred.in: | |
| # challenge: | |
| cat /dev/urandom | head -c32 | base64 > cred.in |
| # See https://gist.github.com/thelastlin/c45b96cf460919e39ab5807b6d20ac2a | |
| set -e | |
| # get source | |
| if [[ ! -d openssh-portable ]] ; then | |
| git clone https://github.com/openssh/openssh-portable.git | |
| fi | |
| cd openssh-portable |
| #!/usr/bin/env python | |
| # verify attestation information to cryptographically prove that a given key is hardware-backed. | |
| # For instance: | |
| # | |
| # ./ssh-sk-attest.py --key id.pub --attestation attestation.bin --challenge challenge.bin --mds mds.jwt | |
| # To generate an SSH pubkey, a challenge, and an attestation: | |
| # openssl rand 128 > challenge.bin | |
| # ssh-keygen -t ${KEYTYPE} -f ./id -N "" -O challenge=challenge.bin -O write-attestation=attestation.bin |