YubiHSM Shell is a tool to directly interface with a YubiHSM 2 device.
For the most part it is a thin wrapper around libyubihsm exposing
most of its functions directly to the user.
YubiHSM Shell can be invoked in interactive mode and from the command
line. Special (national) characters are supported on MacOS and Linux
platforms. On Windows, they are supported in interactive mode and the
same support can be activated through the OpenSSL environment variable
OPENSSL_WIN32_UTF8 for interactive password entry in non-interactive
mode (i.e if password is not given on the command line). Such characters
will be encoded according to current locale settings on MacOS/Linux
(typically utf-8), and always as utf-8 on Windows.
To invoke YubiHSM Shell in interactive mode simply run yubihsm-shell
with no parameters. This mode supports tab-completion (not on Windows)
and "classic" terminal shortcuts (C-p, C-n, C-a, C-e, etc.)
In this mode, the default Connector URL is http://127.0.01:12345. If
a different URL is needed, it can be specified with the
--connector option. For example, to select direct USB run
yubihsm-shell --connector yhusb://Help can be obtained by running
yubihsm> helpto get a list of available commands and their syntax, or by running
yubihsm> help COMMANDto get help on a specific command.
Debug messages can be turned on by running
yubihsm> debug allother levels of verbosity are available as well.
Each command has its own default input and output format. Possible
choices are PEM, base64, binary, hex, password and
default. Those can be changed by running
yubihsm> set informat base64or
yubihsm> set outformat hexInput and Output formats are a generic modifier and some values may not
make sense in some cases. The default setting can be restored by using
the default format.
It is possible to run yubihsm-shell as a non-interactive command-line
utility. To do so add the --action option with the desired command
to execute.
For example, to generate an RSA 2048 key with Label Signature_Key,
Object ID 10 and Capabilities sign-pss, run
$ yubihsm-shell -p password -a generate-asymmetric -A rsa2048 -i 10 -c sign-pss -l Signature_Keyto sign a file called message.dat using the previously generated
key, PSS with SHA256 as padding scheme and save the result to a file
called signature.dat run
$ yubihsm-shell -p password -a sign-pss -i 10 -A rsa-pss-sha256 --in message.dat --out signature.dat --outformat binaryit is then possible to extract the public key by using
yubihsm-shell -p password -a get-public-key -i 10 --out key.pem --outformat PEMand verify the signature with OpenSSL by running
$ openssl dgst -sha256 -binary message.dat > digest.dat
$ openssl pkutil -verify -in message.dat -sigfile signature.dat -pkeyopt rsa_padding_mode:pss -pubin -inkey key.pem -pkeyopt rsa_pss_saltlen:-1 -pkeyopt digest:sha256A detailed list of possible actions and parameters is available in the
manpage or by running yubihsm-shell --help.