Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:08 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Mon Sep 12, 2011 3:11 pm 
Offline

Joined: Mon Sep 12, 2011 2:53 pm
Posts: 1
Hello,

I have just gotten my Yubihsm, and starting to get my mind around it so that I can start implementing it into my applications.

I have two problems that I can't determine aren't related, the hsm reporting keystore sealed, and being unable to load yubikeys via dbload. I'll describe what I did with both issues, in the event that they are related, but I suspect the former issue is caused by the latter.

During the setup (finial prompts after entering the "hsm" command from the NO_CFG> prompt), the yubihsm prompts for an "Admin public ID". I presume this is the public id of the yubikey that I plan to use to unseal it, so I entered the public id of the customized key that I had made. I then told it to generate a random string when I was prompted for an "Admin master key".

Once at the "HSM>" prompt, I generated five secrets with the keygen command, and then tried to load in my yubikey data using the dbload command. Any input I provided it was met with "too short" or "invalid format" errors. The manual indicates it wants the output of a yubico configuration tool, so I was trying with variations of the ykcustomize output:
fixed: m:iecrfviecrfv
uid: h:000000000000
key: h:db2eaa9150919f236d5bc789459e227c
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:
extended_flags:

I also tried a few other formats, attempting to brute-force the desired format, but got nowhere. The manual doesn't seem to provide an example format, so I don't have anything to base my pasts off of (I am using minicom with the Linux generic usb serial driver to talk to the hsm).

I don't have a Windows box to see if the Windows version of the tool provides better output, but the manual for that didn't seem to point to any such output.

After giving up and running the exit command to play with plain encryption, every attempt to use the pyhsm examples that require access to the keystore leads to a YSM_KEYSTORE_SEALED (typing this off the top of my head, but somthing similar to that) error. Attempting to run the unseal example with the master key I provided and --no-otp, an otp from the token (though it wouldn't be able to validate it without the db loaded) and master key, and a few other combinations all had no useful results. In both cases I was able to use the Yubihsm to load random numbers into /dev/random.

I have also tried leaving both the admin public id and admin master key fields blank during yubihsm setup, but that results in the same sealed errors, and being unable to unseal it using blank details to the unseal util.

I am guessing that my woes are related to my inability to use the "dbload" command to tell it the secret of the yubikey I am using for administration. So I am wondering if someone can confirm that is indeed the reason that the hsm is telling me everything it is sealed, and then give me an example format for the HSM dbload command so that I can try that.

Thanks,
- Chad


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Jan 14, 2014 11:20 am 
Offline

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
Quote:
Once at the "HSM>" prompt, I generated five secrets with the keygen command, and then tried to load in my yubikey data using the dbload command. Any input I provided it was met with "too short" or "invalid format" errors. The manual indicates it wants the output of a yubico configuration tool, so I was trying with variations of the ykcustomize output:
fixed: m:iecrfviecrfv
uid: h:000000000000
key: h:db2eaa9150919f236d5bc789459e227c
acc_code: h:000000000000
ticket_flags: APPEND_CR
config_flags:
extended_flags:


The above is the wrong format. The input should be in a CSV like format, like this: -
Code:
00001,ftftftfteeee,f0f1f2f3f4f5,4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d,,,


If you are using an Admin YubiKey, then you will need to have it in the saved in the YubiHSM on-device database with the dbload command. You can test that it is in the DB correctly by using the otpverify command, you should see it print " - ok" after entering the OTP.

If you didn't set a master key nor a Admin YubiKey, you shouldn't need to unseal/unlock the YubiHSM, attempting to do some might fail, I'm not sure. Perhaps attempting to unlock using an all-zeros key will work, I haven't tested it. In general if you attempt to unlock/unseal it with an invalid key it will actually lock it.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group