### Device Setup with Profiles Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Initialize YubiHSM devices using declarative JSON profiles for consistent deployments. The `erase_device_and_init_with_profile` function takes a `setup::Profile` and returns generated passwords for new authentication keys. ```rust use yubihsm::{setup, Connector, Credentials}; // Load a setup profile from JSON let profile_json = r#"{ \"reset_device_timeout_secs\": 10, \"setup_auth_key_id\": 2, \"delete_setup_auth_key\": true, \"roles\": [ { \"authentication_key_id\": 3, \"authentication_key_label\": \"operator\", \"capabilities\": [\"sign-ecdsa\", \"sign-eddsa\"], \"delegated_capabilities\": [], \"domains\": [\"1\"], \"generate_password\": true } ] }"#; let profile: setup::Profile = serde_json::from_str(profile_json).unwrap(); // Erase device and initialize with profile let connector = Connector::usb(&Default::default()); let credentials = Credentials::default(); let report = setup::erase_device_and_init_with_profile( connector, credentials, profile ).unwrap(); // Report contains generated passwords for new roles for auth in &report.authentication_keys { println!("Key ID {}: password = {:?}", auth.authentication_key_id, auth.authentication_key_password ); } ``` -------------------------------- ### Access and Configure Audit Logs Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Provides examples for retrieving audit log entries, setting audit options for specific commands, enabling forced auditing, and marking log entries as consumed. ```rust use yubihsm::{audit::AuditOption, command, Client}; let client: Client = /* ... */; // Get audit log entries let log_entries = client.get_log_entries().unwrap(); println!("Unlogged boot events: {}", log_entries.unlogged_boot_events); println!("Unlogged auth events: {}", log_entries.unlogged_authentication_events); println!("Number of entries: {}", log_entries.entries.len()); for entry in &log_entries.entries { println!("Entry {}: command={:?}, result={:?}", entry.item, entry.command, entry.result ); } // Set audit option for a specific command client.set_command_audit_option( command::Code::SignEcdsa, AuditOption::On ).unwrap(); // Get audit option for a command let option = client.get_command_audit_option(command::Code::SignEcdsa).unwrap(); println!("SignEcdsa audit: {:?}", option); // Set forced auditing (device refuses operations if log is full) client.set_force_audit_option(AuditOption::On).unwrap(); // Mark log entries as consumed client.set_log_index(log_entries.entries.last().unwrap().item).unwrap(); ``` -------------------------------- ### HTTP Server for yubihsm-connector Compatibility Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Run an HTTP server compatible with `yubihsm-connector` to allow `yubihsm-shell` and `libyubihsm` to connect. Configure the server address, port, and timeout, then start it using `server.run()`. ```rust use yubihsm::{connector::{http::Server, HttpConfig}, Connector}; // Open USB connection to YubiHSM let connector = Connector::usb(&Default::default()); // Configure HTTP server (compatible with yubihsm-connector) let http_config = HttpConfig { addr: "127.0.0.1".to_owned(), port: 12345, timeout_ms: 5000, }; // Start the server let server = Server::new(&http_config, connector).unwrap(); println!("Server running at http://{}:{}", http_config.addr, http_config.port); println!("Connect with: yubihsm-shell > connect > session open 1 password"); // Run server (blocking) server.run().unwrap(); ``` -------------------------------- ### Open YubiHSM Client Session Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Shows how to open a client session with the YubiHSM using different connectors and credentials. It includes examples for default and custom credentials, and enables auto-reconnect. Always change default credentials in production. ```rust use yubihsm::{Client, Connector, Credentials}; // Create connector (USB example) let connector = Connector::usb(&Default::default()); // Default credentials (key ID 1, default password "password") // WARNING: Change these in production! let credentials = Credentials::default(); // Open client with auto-reconnect enabled let client = Client::open(connector, credentials, true).unwrap(); // Alternatively, create with custom credentials let custom_credentials = Credentials::from_password( 1, // authentication key ID b"my-secure-password" ); let client = Client::open( Connector::http(&Default::default()), custom_credentials, true // enable reconnection ).unwrap(); // Ping to verify connection and measure latency let latency = client.ping().unwrap(); println!("HSM latency: {:?}", latency); ``` -------------------------------- ### Generate and Use RSA Keys for Signing Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Shows how to generate RSA keys for signing and then perform both RSA-PKCS#1v1.5 and RSA-PSS signatures using SHA-256. The key generation requires specific signing capabilities. ```rust use yubihsm::{asymmetric, object, Client, Capability, Domain}; let client: Client = /* ... */; // Generate RSA key for signing client.generate_asymmetric_key( 300, "rsa-signing-key".into(), Domain::DOM1, Capability::SIGN_PKCS | Capability::SIGN_PSS, asymmetric::Algorithm::Rsa2048 ).unwrap(); let data = b"Data to sign with RSA"; // RSA-PKCS#1v1.5 signature with SHA-256 let pkcs1_signature = client.sign_rsa_pkcs1v15_sha256(300, data).unwrap(); println!("PKCS#1v1.5 signature length: {}", pkcs1_signature.as_ref().len()); // RSA-PSS signature with SHA-256 let pss_signature = client.sign_rsa_pss_sha256(300, data).unwrap(); println!("PSS signature length: {}", pss_signature.as_ref().len()); ``` -------------------------------- ### Key Wrapping and Data Encryption/Decryption Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Demonstrates generating a wrap key, exporting an existing key in a wrapped format, and importing a wrapped key. It also shows how to wrap arbitrary data for encryption and then unwrap it. ```rust use yubihsm::{wrap, object, Client, Capability, Domain}; let client: Client = /* ... */; // Generate a wrap key for key export/import let wrap_key_id = client.generate_wrap_key( 500, "backup-wrap-key".into(), Domain::DOM1, Capability::EXPORT_WRAPPED | Capability::IMPORT_WRAPPED, Capability::all(), // delegated capabilities wrap::Algorithm::Aes256Ccm ).unwrap(); // Export a key (key must have EXPORTABLE_UNDER_WRAP capability) let exported = client.export_wrapped( wrap_key_id, object::Type::AsymmetricKey, 100 // key ID to export ).unwrap(); println!("Exported nonce: {:?}", exported.nonce); println!("Exported ciphertext length: {}", exported.ciphertext.len()); // Import a wrapped key let imported_handle = client.import_wrapped(wrap_key_id, exported).unwrap(); println!("Imported object: ID={}, Type={{:?}}", imported_handle.object_id(), imported_handle.object_type() ); // Wrap arbitrary data let plaintext = b"Sensitive data to encrypt"; let wrapped = client.wrap_data(wrap_key_id, plaintext.to_vec()).unwrap(); // Unwrap data let decrypted = client.unwrap_data(wrap_key_id, wrapped).unwrap(); assert_eq!(plaintext.as_slice(), decrypted.as_slice()); ``` -------------------------------- ### Create YubiHSM Connectors Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Demonstrates creating different types of connectors for YubiHSM devices: HTTP, USB, and a mock HSM for testing. Ensure the `yubihsm-connector` process is running for the HTTP connector. ```rust use yubihsm::{Connector, HttpConfig, UsbConfig}; // HTTP connector (requires yubihsm-connector process running) let http_config = HttpConfig { addr: "127.0.0.1".to_owned(), port: 12345, timeout_ms: 5000, }; let http_connector = Connector::http(&http_config); // USB connector (direct connection) let usb_config = UsbConfig { serial: None, // Connect to first detected device timeout_ms: 30_000, }; let usb_connector = Connector::usb(&usb_config); // MockHSM connector (for testing without hardware) #[cfg(feature = "mockhsm")] let mock_connector = Connector::mockhsm(); ``` -------------------------------- ### Import Existing Cryptographic Keys Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Shows how to import existing private keys (Ed25519, ECDSA P-256) and authentication keys into the HSM. ```rust use yubihsm::{asymmetric, authentication, object, Client, Capability, Domain}; let client: Client = /* ... */; // Put an existing Ed25519 private key (32 bytes) let ed25519_private_key = [0u8; 32]; // Your private key bytes client.put_asymmetric_key( 600, "imported-ed25519".into(), Domain::DOM1, Capability::SIGN_EDDSA, asymmetric::Algorithm::Ed25519, ed25519_private_key ).unwrap(); // Put an existing ECDSA P-256 private key (32 bytes) let p256_private_key = [0u8; 32]; // Your private key bytes client.put_asymmetric_key( 601, "imported-p256".into(), Domain::DOM1, Capability::SIGN_ECDSA, asymmetric::Algorithm::EcP256, p256_private_key ).unwrap(); // Put an authentication key let auth_key = authentication::Key::derive_from_password(b"secure-password"); client.put_authentication_key( 2, "admin-key".into(), Domain::DOM1 | Domain::DOM2, Capability::all(), Capability::all(), // delegated capabilities authentication::Algorithm::YubicoAes, auth_key ).unwrap(); ``` -------------------------------- ### List and Manage HSM Objects Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Demonstrates how to list all objects, filter objects by type, retrieve detailed object information, and delete objects from the HSM. ```rust use yubihsm::{object, Client}; let client: Client = /* ... */; // List all objects let objects = client.list_objects(&[]).unwrap(); for entry in &objects { println!("Object ID: {}, Type: {:?}", entry.object_id, entry.object_type); } // List with filters let asymmetric_keys = client.list_objects(&[ object::Filter::Type(object::Type::AsymmetricKey), ]).unwrap(); // Get detailed object information let info = client.get_object_info(100, object::Type::AsymmetricKey).unwrap(); println!("Label: {}", info.label); println!("Algorithm: {:?}", info.algorithm); println!("Capabilities: {:?}", info.capabilities); println!("Domains: {:?}", info.domains); println!("Origin: {:?}", info.origin); // Delete an object client.delete_object(100, object::Type::AsymmetricKey).unwrap(); ``` -------------------------------- ### Generate and Use HMAC Keys Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Illustrates generating an HMAC-SHA256 key, computing an HMAC tag for a message, and verifying an HMAC tag. It also shows how to import an existing HMAC key into the HSM. ```rust use yubihsm::{hmac, object, Client, Capability, Domain}; let client: Client = /* ... */; // Generate HMAC-SHA256 key let key_id = client.generate_hmac_key( 400, "hmac-key".into(), Domain::DOM1, Capability::SIGN_HMAC | Capability::VERIFY_HMAC, hmac::Algorithm::Sha256 ).unwrap(); // Compute HMAC tag let message = b"Message to authenticate"; let tag = client.sign_hmac(key_id, message).unwrap(); println!("HMAC tag: {:?}", tag.as_ref()); // Verify HMAC tag (returns Ok(()) on success, Err on failure) client.verify_hmac(key_id, message, tag).unwrap(); // Put an existing HMAC key into the HSM let existing_key = [0u8; 32]; // Your 32-byte key client.put_hmac_key( 401, "imported-hmac-key".into(), Domain::DOM1, Capability::SIGN_HMAC | Capability::VERIFY_HMAC, hmac::Algorithm::Sha256, existing_key ).unwrap(); ``` -------------------------------- ### Generate Attestation Certificates Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Demonstrates generating X.509 attestation certificates for a given key ID, optionally using a custom attestation key. ```rust use yubihsm::{attestation, object, Client}; let client: Client = /* ... */; let key_id: object::Id = 100; // Generate attestation certificate using the default attestation key let cert = client.sign_attestation_certificate( key_id, None // Use default attestation key ).unwrap(); println!("Attestation certificate (DER): {} bytes", cert.as_ref().len()); // Use a custom attestation key let custom_attestation_key_id: object::Id = 50; let cert = client.sign_attestation_certificate( key_id, Some(custom_attestation_key_id) ).unwrap(); ``` -------------------------------- ### Retrieve HSM Device Information Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Shows how to fetch general device information, including firmware version and serial number, and query storage status. ```rust use yubihsm::Client; let client: Client = /* ... */; // Get device information let info = client.device_info().unwrap(); println!("Firmware version: {}.{}.{}", info.major_version, info.minor_version, info.build_version ); println!("Serial number: {}", info.serial_number); println!("Supported algorithms: {:?}", info.algorithms); // Get storage information let storage = client.get_storage_info().unwrap(); println!("Total records: {}", storage.total_records); println!("Free records: {}", storage.free_records); println!("Total pages: {}", storage.total_pages); println!("Free pages: {}", storage.free_pages); // Generate random bytes from HSM's PRNG let random_bytes = client.get_pseudo_random(32).unwrap(); println!("Random bytes: {:?}", random_bytes); // Blink device LEDs (useful for physical identification) client.blink_device(5).unwrap(); // Blink for 5 seconds ``` -------------------------------- ### Generate and Use ECDSA Keys Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Demonstrates generating NIST P-256 and secp256k1 ECDSA keys, signing messages (both directly and prehashed), and retrieving the public key. Requires the 'secp256k1' feature for secp256k1 keys. ```rust use yubihsm::{ecdsa, object, Client, Capability, Domain, asymmetric}; use signature::{Signer, DigestSigner}; use ecdsa::signature::hazmat::PrehashSigner; let client: Client = /* ... */; // Generate NIST P-256 key client.generate_asymmetric_key( 200, "ecdsa-p256-key".into(), Domain::DOM1, Capability::SIGN_ECDSA, asymmetric::Algorithm::EcP256 ).unwrap(); // Create ECDSA signer for NIST P-256 let signer = ecdsa::Signer::::create(client.clone(), 200).unwrap(); // Sign a message (automatically hashed with SHA-256) let message = b"ECDSA test message"; let signature: ecdsa::Signature = signer.try_sign(message).unwrap(); // Get the public key let public_key = signer.public_key(); // Sign a prehashed digest directly let prehash = sha2::Sha256::digest(b"prehashed message"); let sig: ecdsa::Signature = signer.sign_prehash(&prehash).unwrap(); // For secp256k1 (requires "secp256k1" feature) #[cfg(feature = "secp256k1")] { let k256_signer = ecdsa::Signer::::create(client.clone(), key_id).unwrap(); let sig: ecdsa::Signature = k256_signer.try_sign(message).unwrap(); } ``` -------------------------------- ### Generate Asymmetric Keys in YubiHSM Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Illustrates generating various types of asymmetric keys (Ed25519, ECDSA, RSA) directly within the YubiHSM. It specifies key IDs, labels, domains, capabilities, and algorithms. Also shows how to retrieve the public key of a generated key. ```rust use yubihsm::{asymmetric, object, Capability, Client, Domain}; let client: Client = /* ... */; // Generate an Ed25519 signing key let key_id = client.generate_asymmetric_key( 100, // key ID "my-ed25519-key".into(), // label Domain::DOM1, // domain Capability::SIGN_EDDSA, // capabilities asymmetric::Algorithm::Ed25519 // algorithm ).unwrap(); println!("Generated Ed25519 key with ID: {}", key_id); // Generate an ECDSA P-256 key let ecdsa_key_id = client.generate_asymmetric_key( 101, "my-ecdsa-key".into(), Domain::DOM1 | Domain::DOM2, Capability::SIGN_ECDSA | Capability::EXPORTABLE_UNDER_WRAP, asymmetric::Algorithm::EcP256 ).unwrap(); // Generate RSA 2048-bit key let rsa_key_id = client.generate_asymmetric_key( 102, "my-rsa-key".into(), Domain::DOM1, Capability::SIGN_PKCS | Capability::SIGN_PSS | Capability::DECRYPT_OAEP, asymmetric::Algorithm::Rsa2048 ).unwrap(); // Get the public key for a generated key let public_key = client.get_public_key(key_id).unwrap(); ``` -------------------------------- ### Device Management and Utilities Source: https://github.com/iqlusioninc/yubihsm.rs/blob/main/README.md APIs for managing the YubiHSM device, including listing objects, resetting the device, and setting options. ```APIDOC ## List Objects ### Description Lists all objects stored on the YubiHSM. ### Method GET ### Endpoint /list_objects ### Parameters #### Query Parameters - **domain** (u16) - Optional - Filter by domain. ### Response #### Success Response (200) - **objects** (array) - A list of objects, each with properties like `id`, `type`, `domain`, and `label`. ### Response Example ```json { "objects": [ { "id": 1, "type": "AsymmetricKey", "domain": 0, "label": "MyKey" } ] } ``` ``` ```APIDOC ## Randomize OTP AEAD ### Description Randomizes an OTP AEAD key on the YubiHSM. ### Method POST ### Endpoint /randomize_otp_aead ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the OTP AEAD key to randomize. ### Response #### Success Response (200) - **Success** (boolean) - Indicates if the operation was successful. ### Response Example ```json { "success": true } ``` ``` ```APIDOC ## Reset Device ### Description Resets the YubiHSM device to its factory settings. ### Method POST ### Endpoint /reset_device ### Parameters None ### Response #### Success Response (200) - **Success** (boolean) - Indicates if the reset was successful. ### Response Example ```json { "success": true } ``` ``` ```APIDOC ## Rewrap OTP AEAD ### Description Rewraps an OTP AEAD key on the YubiHSM. ### Method POST ### Endpoint /rewrap_otp_aead ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the OTP AEAD key to rewrap. ### Response #### Success Response (200) - **Success** (boolean) - Indicates if the operation was successful. ### Response Example ```json { "success": true } ``` ``` ```APIDOC ## Session Message ### Description Sends a session message to the YubiHSM. This is a low-level command for establishing and managing sessions. ### Method POST ### Endpoint /session_message ### Parameters #### Request Body - **message** (bytes) - Required - The session message payload. ### Response #### Success Response (200) - **response** (bytes) - The response from the YubiHSM. ### Response Example ```json { "response": "..." } ``` ``` ```APIDOC ## Set Log Index ### Description Sets the log index on the YubiHSM. ### Method POST ### Endpoint /set_log_index ### Parameters #### Request Body - **log_index** (u32) - Required - The log index to set. ### Response #### Success Response (200) - **Success** (boolean) - Indicates if the operation was successful. ### Response Example ```json { "success": true } ``` ``` ```APIDOC ## Set Audit Option ### Description Sets an audit option on the YubiHSM. ### Method POST ### Endpoint /set_audit_option ### Parameters #### Request Body - **option** (AuditOption) - Required - The audit option to set. - **enabled** (boolean) - Required - Whether to enable or disable the option. ### Response #### Success Response (200) - **Success** (boolean) - Indicates if the operation was successful. ### Response Example ```json { "success": true } ``` ``` -------------------------------- ### Ed25519 Signing with YubiHSM Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Demonstrates signing messages using Ed25519 keys stored in the YubiHSM. It covers both direct signing via the `Client` and using the high-level `Signer` API, which implements the `signature::Signer` trait. Includes retrieving the public key. ```rust use yubihsm::{ed25519, object, Client}; use signature::Signer; let client: Client = /* ... */; let key_id: object::Id = 100; // Direct signing via Client let message = b"Hello, YubiHSM!"; let signature = client.sign_ed25519(key_id, message).unwrap(); println!("Signature: {:?}", signature); // Using the high-level Signer API (implements signature::Signer trait) let signer = ed25519::Signer::create(client.clone(), key_id).unwrap(); // Get the public key let public_key = signer.public_key(); println!("Public key: {:?}", public_key); // Sign using the Signer trait let signature: ed25519::Signature = signer.try_sign(b"message to sign").unwrap(); ``` -------------------------------- ### Store and Retrieve Opaque Objects Source: https://context7.com/iqlusioninc/yubihsm.rs/llms.txt Use `put_opaque` to store arbitrary binary data like certificates or configuration. Retrieve data using `get_opaque` by its ID. Ensure correct domain, capabilities, and algorithm are specified. ```rust use yubihsm::{opaque, object, Client, Capability, Domain}; let client: Client = /* ... */; // Store an X.509 certificate let certificate_der = vec![/* DER-encoded certificate */]; client.put_opaque( 700, "root-ca-cert".into(), Domain::DOM1, Capability::GET_OPAQUE, opaque::Algorithm::X509Certificate, certificate_der ).unwrap(); // Store arbitrary opaque data let custom_data = b"Application-specific configuration data"; client.put_opaque( 701, "app-config".into(), Domain::DOM1, Capability::GET_OPAQUE, opaque::Algorithm::Data, custom_data ).unwrap(); // Retrieve opaque data let retrieved = client.get_opaque(701).unwrap(); println!("Retrieved data: {:?}", retrieved); ``` -------------------------------- ### Key Management Operations Source: https://github.com/iqlusioninc/yubihsm.rs/blob/main/README.md APIs for importing, creating, and managing various types of keys on the YubiHSM device. ```APIDOC ## Import Wrapped Key ### Description Imports a wrapped key into the YubiHSM. ### Method POST ### Endpoint /import_wrapped ### Parameters #### Request Body - **wrapped_key** (bytes) - Required - The wrapped key data. - **key_type** (KeyType) - Required - The type of the key being imported. - **storage_id** (u16) - Optional - The storage ID for the key. ### Response #### Success Response (200) - **key_handle** (u16) - The handle of the imported key. ### Response Example ```json { "key_handle": 123 } ``` ``` ```APIDOC ## Put Asymmetric Key ### Description Stores an asymmetric key on the YubiHSM. ### Method POST ### Endpoint /put_asymmetric_key ### Parameters #### Request Body - **key_type** (AsymmetricKeyType) - Required - The type of the asymmetric key. - **key_data** (bytes) - Required - The private key data. - **domain** (u16) - Optional - The domain for the key. - **key_label** (string) - Optional - A label for the key. - **capabilities** (u16) - Optional - Key capabilities. - **algorithm** (Algorithm) - Optional - The algorithm used by the key. ### Response #### Success Response (200) - **key_handle** (u16) - The handle of the stored key. ### Response Example ```json { "key_handle": 456 } ``` ``` ```APIDOC ## Put Authentication Key ### Description Stores an authentication key on the YubiHSM. ### Method POST ### Endpoint /put_auth_key ### Parameters #### Request Body - **key_id** (u8) - Required - The ID of the authentication key. - **key_data** (bytes) - Required - The authentication key data. - **key_type** (AuthKeyType) - Required - The type of the authentication key. ### Response #### Success Response (200) - **Success** (boolean) - Indicates if the operation was successful. ### Response Example ```json { "success": true } ``` ``` ```APIDOC ## Put HMAC Key ### Description Stores an HMAC key on the YubiHSM. ### Method POST ### Endpoint /put_hmac_key ### Parameters #### Request Body - **key_type** (HmacKeyType) - Required - The type of the HMAC key. - **key_data** (bytes) - Required - The HMAC key data. - **domain** (u16) - Optional - The domain for the key. - **key_label** (string) - Optional - A label for the key. - **capabilities** (u16) - Optional - Key capabilities. ### Response #### Success Response (200) - **key_handle** (u16) - The handle of the stored key. ### Response Example ```json { "key_handle": 789 } ``` ``` ```APIDOC ## Put Opaque ### Description Stores opaque data on the YubiHSM. ### Method POST ### Endpoint /put_opaque ### Parameters #### Request Body - **object_id** (u16) - Required - The ID for the opaque object. - **data** (bytes) - Required - The opaque data. - **domain** (u16) - Optional - The domain for the object. - **key_label** (string) - Optional - A label for the object. - **capabilities** (u16) - Optional - Object capabilities. ### Response #### Success Response (200) - **object_handle** (u16) - The handle of the stored opaque object. ### Response Example ```json { "object_handle": 101 } ``` ``` ```APIDOC ## Put OTP AEAD Key ### Description Stores an OTP AEAD key on the YubiHSM. ### Method POST ### Endpoint /put_otp_aead_key ### Parameters #### Request Body - **key_type** (OtpAeadKeyType) - Required - The type of the OTP AEAD key. - **key_data** (bytes) - Required - The OTP AEAD key data. - **domain** (u16) - Optional - The domain for the key. - **key_label** (string) - Optional - A label for the key. - **capabilities** (u16) - Optional - Key capabilities. ### Response #### Success Response (200) - **key_handle** (u16) - The handle of the stored key. ### Response Example ```json { "key_handle": 112 } ``` ``` ```APIDOC ## Put SSH Template ### Description Stores an SSH template on the YubiHSM. ### Method POST ### Endpoint /put_template ### Parameters #### Request Body - **template_id** (u16) - Required - The ID for the SSH template. - **template_data** (bytes) - Required - The template data. - **key_label** (string) - Optional - A label for the template. ### Response #### Success Response (200) - **template_handle** (u16) - The handle of the stored SSH template. ### Response Example ```json { "template_handle": 131 } ``` ``` ```APIDOC ## Put Wrap Key ### Description Stores a wrap key on the YubiHSM. ### Method POST ### Endpoint /put_wrap_key ### Parameters #### Request Body - **key_type** (WrapKeyType) - Required - The type of the wrap key. - **key_data** (bytes) - Required - The wrap key data. - **domain** (u16) - Optional - The domain for the key. - **key_label** (string) - Optional - A label for the key. - **capabilities** (u16) - Optional - Key capabilities. ### Response #### Success Response (200) - **key_handle** (u16) - The handle of the stored key. ### Response Example ```json { "key_handle": 141 } ``` ``` -------------------------------- ### Cryptographic Operations Source: https://github.com/iqlusioninc/yubihsm.rs/blob/main/README.md APIs for performing cryptographic operations such as signing, verification, and data encryption/decryption. ```APIDOC ## Sign Attestation Certificate ### Description Signs an attestation certificate using a key on the YubiHSM. ### Method POST ### Endpoint /sign_attestation_certificate ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the key to use for signing. - **certificate_data** (bytes) - Required - The data for the certificate to be signed. ### Response #### Success Response (200) - **signature** (bytes) - The signature of the certificate. ### Response Example ```json { "signature": "..." } ``` ``` ```APIDOC ## Sign ECDSA ### Description Signs data using an ECDSA key on the YubiHSM. ### Method POST ### Endpoint /sign_ecdsa ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the ECDSA key. - **digest** (bytes) - Required - The digest to sign. ### Response #### Success Response (200) - **signature** (bytes) - The ECDSA signature. ### Response Example ```json { "signature": "..." } ``` ``` ```APIDOC ## Sign EdDSA ### Description Signs data using an EdDSA key on the YubiHSM. ### Method POST ### Endpoint /sign_eddsa ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the EdDSA key. - **digest** (bytes) - Required - The digest to sign. ### Response #### Success Response (200) - **signature** (bytes) - The EdDSA signature. ### Response Example ```json { "signature": "..." } ``` ``` ```APIDOC ## Sign HMAC ### Description Signs data using an HMAC key on the YubiHSM. ### Method POST ### Endpoint /sign_hmac ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the HMAC key. - **data** (bytes) - Required - The data to sign. ### Response #### Success Response (200) - **hmac** (bytes) - The HMAC signature. ### Response Example ```json { "hmac": "..." } ``` ``` ```APIDOC ## Sign PKCS1v15 SHA256 ### Description Signs data using RSA PKCS1v15 with SHA256 on the YubiHSM. ### Method POST ### Endpoint /sign_rsa_pkcs1v15_sha256 ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the RSA key. - **digest** (bytes) - Required - The SHA256 digest to sign. ### Response #### Success Response (200) - **signature** (bytes) - The RSA PKCS1v15 signature. ### Response Example ```json { "signature": "..." } ``` ``` ```APIDOC ## Sign RSA PSS SHA256 ### Description Signs data using RSA PSS with SHA256 on the YubiHSM. ### Method POST ### Endpoint /sign_rsa_pss_sha256 ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the RSA key. - **digest** (bytes) - Required - The SHA256 digest to sign. ### Response #### Success Response (200) - **signature** (bytes) - The RSA PSS signature. ### Response Example ```json { "signature": "..." } ``` ``` ```APIDOC ## Sign SSH Certificate ### Description Signs an SSH certificate using a key on the YubiHSM. ### Method POST ### Endpoint /sign_ssh_certificate ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the key to use for signing. - **certificate_data** (bytes) - Required - The data for the certificate to be signed. ### Response #### Success Response (200) - **signature** (bytes) - The signature of the certificate. ### Response Example ```json { "signature": "..." } ``` ``` ```APIDOC ## Unwrap Data ### Description Unwraps data using a wrap key on the YubiHSM. ### Method POST ### Endpoint /unwrap_data ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the wrap key. - **wrapped_data** (bytes) - Required - The data to unwrap. ### Response #### Success Response (200) - **unwrapped_data** (bytes) - The unwrapped data. ### Response Example ```json { "unwrapped_data": "..." } ``` ``` ```APIDOC ## Verify HMAC ### Description Verifies an HMAC signature using an HMAC key on the YubiHSM. ### Method POST ### Endpoint /verify_hmac ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the HMAC key. - **data** (bytes) - Required - The data that was signed. - **hmac** (bytes) - Required - The HMAC signature to verify. ### Response #### Success Response (200) - **valid** (boolean) - True if the HMAC is valid, false otherwise. ### Response Example ```json { "valid": true } ``` ``` ```APIDOC ## Wrap Data ### Description Wraps data using a wrap key on the YubiHSM. ### Method POST ### Endpoint /wrap_data ### Parameters #### Request Body - **key_handle** (u16) - Required - The handle of the wrap key. - **data** (bytes) - Required - The data to wrap. ### Response #### Success Response (200) - **wrapped_data** (bytes) - The wrapped data. ### Response Example ```json { "wrapped_data": "..." } ``` ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.