So everything is running fine i can see status with curl and the connector claims to see the device:

^CXXXXX@Husten:~/go/yubihsm-connector/bin$ sudo ./yubihsm-conntor -d [sudo] Hohl: DEBU[0000] preflight complete cert= config= key= pid=14393 seccomp=false serial= syslog=false timeout=0s version=2.1.0 DEBU[0000] takeoff TLS=false listen="localhost:12345" pid=14393 DEBU[0168] reopening usb context Correlation-ID=ab256601-a7b3-4697-9179-981f83dd6246 why="status request" DEBU[0168] usb context not yet open Correlation-ID=ab256601-a7b3-4697-9179-981f83dd6246 DEBU[0168] Returning a matched device Correlation-ID=ab256601-a7b3-4697-9179-981f83dd6246 Device-Serial=0007550878 Wanted-Serial= DEBU[0168] usb endpoint read Correlation-ID=ab256601-a7b3-4697-9179-981f83dd6246 buf="[]" err="transfer was cancelled" len=0 n=0 INFO[0168] handled request Content-Length=0 Content-Type= Method=GET RemoteAddr="127.0.0.1:57608" StatusCode=200 URI=/connector/status User-Agent=curl/7.58.0 X-Real-IP=127.0.0.1 X-Request-ID=ab256601-a7b3-4697-9179-981f83dd6246 latency=280.515203ms ERRO[0177] error in handling request Content-Length=0 Content-Type= Method=GET RemoteAddr="127.0.0.1:57612" StatusCode=405 URI=/connector/api User-Agent=curl/7.58.0 X-Real-IP=127.0.0.1 X-Request-ID=d6b7b21b-211e-4f11-856f-e97aeafe1724 latency="26.92µs" DEBU[0181] reopening usb context Correlation-ID=cb69976f-262d-4dd6-a3ec-c82bb3ec2e19 why="status request" DEBU[0181] Returning a matched device Correlation-ID=cb69976f-262d-4dd6-a3ec-c82bb3ec2e19 Device-Serial=0007550878 Wanted-Serial= DEBU[0181] usb endpoint read Correlation-ID=cb69976f-262d-4dd6-a3ec-c82bb3ec2e19 buf="[]" err="transfer was cancelled" len=0 n=0 INFO[0181] handled request Content-Length=0 Content-Type= Method=GET RemoteAddr="127.0.0.1:57616" StatusCode=200 URI=/connector/status User-Agent=curl/7.58.0 X-Real-IP=127.0.0.1 X-Request-ID=cb69976f-262d-4dd6-a3ec-c82bb3ec2e19 latency=281.189278ms

But when i want to connect with python, I'm using the example Code: https://developers.yubico.com/YubiHSM2/Component_Reference/python-yubihsm/

I get http timeout, I have attached strace-log.
st_log_sign.txt

The client that willl use the yubihsm sits in the same LAN as the VM that is connected to the yubihsm. In addition to firewalling at the KMS VM, I'd like to enable host-header-whitelist

I tried

a) yubihsm-connector -d --host-header-whitelist localhost,localhost.,127.0.0.1,10.10.10.xxx -l 0.0.0.0:12345
and
b) yubihsm-connector -d --enable-host-header-whitelist --host-header-whitelist localhost,localhost.,127.0.0.1,10.10.10.xxx -l 0.0.0.0:12345

(where xxx is the LAN IP where the yubihsm is)

B didn't work. Is --enable-host-header-whitelist necessary when --host-header-whitelist is set? Does the former simply enable the default host headers list and should not be used in conjunction with the latter?

Is the release going to be published also on

https://developers.yubico.com/yubihsm-connector/Releases/

Now that #34 is closed, we need to make a new release, otherwise people can't build 3.0.2 reproducibly from source when using a modern version of Go. A version bump to 3.0.3 based on the latest master should be good.

Hi,
when I disconnect and reconnect the USB device, I get this in the logs for the next request:

time="2020-12-26T10:37:21Z" level=debug msg="usb device already open" Correlation-ID=502ce9d6-660b-40c9-9680-c7a2c45e27b8
time="2020-12-26T10:37:21Z" level=debug msg="usb endpoint write" Correlation-ID=502ce9d6-660b-40c9-9680-c7a2c45e27b8 buf="[1 0 12 72 69 65 76 84 72 95 67 72 69 67 75]" err="libusb: no device [code -4]" len=15 n=0
time="2020-12-26T10:37:21Z" level=debug msg="reopening usb context" Correlation-ID=502ce9d6-660b-40c9-9680-c7a2c45e27b8 why="libusb: no device [code -4]"
time="2020-12-26T10:37:21Z" level=error msg="failed usb proxy" X-Request-ID=502ce9d6-660b-40c9-9680-c7a2c45e27b8 error="device not found"
time="2020-12-26T10:37:21Z" level=error msg="error in handling request" Content-Length=15 Content-Type=application/x-www-form-urlencoded Method=POST RemoteAddr="172.17.0.1:51964" StatusCode=500 URI=/connector/api User-Agent=curl/7.72.0 X-Real-IP=172.17.0.1 X-Request-ID=502ce9d6-660b-40c9-9680-c7a2c45e27b8 latency="437.273µs"

And on subsequent requests:

time="2020-12-26T10:37:29Z" level=error msg="failed usb proxy" X-Request-ID=c6a9606e-c938-4d2a-bb7e-2147fbc464e9 error="device not found"
time="2020-12-26T10:37:29Z" level=error msg="error in handling request" Content-Length=15 Content-Type=application/x-www-form-urlencoded Method=POST RemoteAddr="172.17.0.1:51966" StatusCode=500 URI=/connector/api User-Agent=curl/7.72.0 X-Real-IP=172.17.0.1 X-Request-ID=c6a9606e-c938-4d2a-bb7e-2147fbc464e9 latency="211.029µs"

To make things work again, I need to restart the connector process.

Expected behaviour would be to either terminate the process (so it will be restarted by docker) or to open the USB device again.

1. Running yubihsm-connector on host:

sudo yubihsm-connector -d --enable-host-header-allowlist  --host-header-allowlist localhost,localhost.,127.0.0.1,[::1]],host.docker.internal,host.docker.internal.,172.17.0.1,172.17.0.2,host.docker.internal:12345 -l localhost:12345

2. Test on host shows success

curl localhost:12345/connector/status

3. Start Docker container

docker pull ubuntu
docker run -it --add-host=host.docker.internal:host-gateway ubuntu bash

4. [container] Install curl and check /etc/hosts in container to ensure that we can contact services running on the host

apt-get update && apt-get install curl
cat /etc/hosts
    172.17.0.1	host.docker.internal

5. [container] Run a test (Tried with IP 172.17.0.1 as well)

root@c29483c2f844:/# curl -i host.docker.internal:12345/connector/status
curl: (7) Failed to connect to host.docker.internal port 12345 after 0 ms: Connection refused

6. Check docker container's host headers look ok by quitting yubihsm-connector on the host, starting an http listener on the host and running curl from container again.

GET / HTTP/1.1
Host: host.docker.internal:12345
User-Agent: curl/7.81.0
Accept: */*

HTTP/1.1 200 OK

Docker container can definitely contact the host, but it seems that the yubihsm-connector host header allowlist is not accepting host.docker.internal if the request comes from a container?

The last release 2.2.2 [1] is signed using key unknown to [2]. Trying to verify the source does not give any more hints where should I look for the appropriate public key or who is the one who signed the tarball:

gpg: Signature made Mon 17 Feb 2020 01:19:41 PM CET
gpg:                using RSA key E08BDEC634FEB60BBEC8C33F7360A84DD7CE1455

[1] https://developers.yubico.com/yubihsm-connector/Releases/
[2] https://developers.yubico.com/Software_Projects/Software_Signing.html

The current build process is unable to locate libusb.h:

$ ll /opt/local/include/libusb-1.0
total 40
drwxr-xr-x    3 root  admin     96 Aug 14 21:56 ./
drwxr-xr-x  591 root  admin  18912 Nov 26 10:45 ../
-rw-r--r--    1 root  wheel  72802 Mar 24  2018 libusb.h
$ make
/Users/ur20980/src/yubihsm-connector/vendor/src/github.com/thorduri/go-libusb/usb/config.go:17:11: fatal error: 'libusb-1.0/libusb.h' file not found
 #include <libusb-1.0/libusb.h>
          ^~~~~~~~~~~~~~~~~~~~~
1 error generated.
# github.com/thorduri/go-libusb/usb
FATAL: command "build" failed: exit status 2
make: *** [build] Error 1
$

/assign @klali

Hi,

Are there are good references/guides for connecting to the connector via https from a remote device?

Thanks!

I did find #15 - which did not resolve my issue.

canderson@60-signing-01:~$ gpg --verify yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz.sig
gpg: assuming signed data in 'yubihsm-connector-3.0.4-ubuntu2204-amd64.tar.gz'
gpg: Signature made Tue 24 Jan 2023 01:35:50 PM UTC
gpg:                using RSA key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: Can't check signature: No public key

canderson@60-signing-01:~$ gpg --recv-key A8CE167914EEE232B9237B5410CAC4962E03C7CC
gpg: keyserver receive failed: Server indicated a failure

canderson@60-signing-01:~$ cat ~/.gnupg/gpg.conf
keyserver hkps://keys.openpgp.org

Also, looking at the list of yubico developers, here - the signing key A8CE167914EEE232B9237B5410CAC4962E03C7CC is not listed on that page.

Hello, when attempting to start and use the YubiKey connector, any other operations (like yubikey-setup dump or yubikey-shell connect) will fail saying "Unable to find a suitable connector".

The connector than says this:

Here is the connector config:

YubiKey Shell usage (this invokes the error in the connector):

What could be the issue? I have found that CreateFile failed with 0x5 means the application have no access to create file. However, I'm running all commands in administrator PS instance. WinUsb_Initialize failed with 0x8 means ERROR_NOT_ENOUGH_MEMORY in winusb.h Windows library.

Yubico issued update of yubihsm-connector 3.0.1 as part of yubihsm2-sdk-2021-04, but there is no release of the source code here. Is it something planned to do or only prebuild SDK is going to be provided in the future?

https://www.yubico.com/support/security-advisories/ysa-2021-02/

Hello, we are a research team working on Golang. During our investigation, we found CVE-2021-28484 was addressed in commit 82bdf20. However, we noticed that the patch version (v3.0.1) was released after long time (30 days). We are curious about the reasons behind the delayed release of the patch version, as it may hinder the efficient distribution of patches to downstream users. Could the reason be

1.Issues with testing and CI checking.

2.Other commits have to be incorporated into one release.

3.By convention, versions are not frequently released.

4.Other reasons.

Thank you for your attention, and we look forward to receiving your reply.

I am within a team that creates an Appliance VM that needs a Yubikey HSM for Security.

During the setup, we had some struggles with stabilizing the operation of the yubihsm-connector within this VM.

It might just be an issue with the underlying libusb version or the Linux Kernel itself, but nevertheless I would like to pointout the issue and mentioning the workaround, we did implement to have this issue fixed for the moment

Environment

Some Details about the environment:

The Host System is VMWare ESXI 6.7.0 Update 1 (Build 11675023).
The HW is a NUC NUC7i5BNH, we will switch to real server gear later this month, so it might also be a misbehaviour of the underlying HW :-).

The Guest VM is a CentOS Linux release 7.6.1810 (Core) - Kernel Version 3.10.0-957.12.1.el7.x86_64.

The Yubikey HSM is setup as a passtrough device to the Linux VM:

$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 004: ID 1050:0030 Yubico.com
Bus 002 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

What is the error?

In 50% of our tests, the setup just works as expected.
The rest of the tests fail with the Yubikey Connetor stating:

$ curl localhost:12345/connector/status                                                                                                                                                                                                                                                                                            
status=NO_DEVICE
serial=*
version=2.0.0
pid=6677
address=localhost
port=12345

The Debug Log of the Connector shows then:

DEBU[0000] preflight complete                            cert= config= key= pid=6658 seccomp=false serial= syslog=false version=2.0.0
DEBU[0000] takeoff                                       TLS=false listen="localhost:12345" pid=6658
DEBU[0003] reopening usb context                         Correlation-ID=d3a27afe-67b7-69ad-4b43-852b71978459 why="status request"
DEBU[0003] usb context not yet open                      Correlation-ID=d3a27afe-67b7-69ad-4b43-852b71978459
WARN[0005] status failed to open usb device              X-Request-ID=d3a27afe-67b7-69ad-4b43-852b71978459 error="device not found"
INFO[0005] handled request                               Content-Length=0 Content-Type= Method=GET RemoteAddr="127.0.0.1:45628" StatusCode=200 URI=/connector/status User-Agent=curl/7.29.0 X-Real-IP=127.0.0.1 X-Request-ID=d3a27afe-67b7-69ad-4b43-852b71978459 latency=1.629251502s
DEBU[0007] reopening usb context                         Correlation-ID=acaa699f-bd22-25ae-4cfe-6d1030559047 why="status request"

Workaround

Our first attempt was to disable the USB autosuspend via Kernel Parameters that did not work as expected, although the error description was similar to ours.

A working solution was finally to have a cron script running, that checks the connector status and resets all USB Devices if the status is not equals "OK"

#!/bin/bash

 STATUS=$(curl -s localhost:12345/connector/status | grep status=)

 if [ $STATUS != "status=OK" ]; then
     for i in /sys/bus/pci/drivers/[uoex]hci_hcd/*:*; do
 	    [ -e "$i" ] || continue
     	echo "${i##*/}" > "${i%/*}/unbind"
     	echo "${i##*/}" > "${i%/*}/bind"
     done
 fi

Maybe an update of go-libusb (as mentioned in #3) will solve the issue, but otherwise it might be nice to have the connector itself deal with these kind of issues (although resetting USB Device need root access rights :-/)

The yubihsm-connector is ideally suited for providing a counter on requests made to the HSM and automatically pulling logs from the HSM as needed to allow full audit logging of the HSM actions.

I'm working on my own version of this by attempting to modify the connector to be able to count the requests and call another connection that can connect and pull the logs, but I lack the expertise neccessary to do a more directly integrated solution without having to call out to an external program using libyubihsm and then connecting on a newly created API that can bypass the logging counter check for downloading the log.

The go-libusb library [1] used in yubihsm-connector is deprecated (and archived fork of [2]).

From packaging and security point of view, it is not a good idea to package archived fork of deprecated library.

Would it be possible to use the original version or "migrate" to the new gousb [3] that is alive and kicking?

I am not a go developer so I do not know what would it take to do so.

[1] https://github.com/thorduri/go-libusb
[2] https://github.com/kylelemons/gousb
[3] https://github.com/google/gousb

MacOS Mojave 10.14.3, Xcode-10.1, Macports-installed Go go version go1.12 darwin/amd64

$ make
github.com/hashicorp/hcl/hcl/strconv
github.com/kardianos/service
github.com/magiconair/properties
github.com/mitchellh/mapstructure
github.com/spf13/afero/mem
golang.org/x/text/transform
github.com/spf13/jwalterweatherman
github.com/spf13/cast
github.com/spf13/pflag
github.com/hashicorp/hcl/hcl/token
github.com/pelletier/go-toml
golang.org/x/sys/unix
github.com/spf13/cobra
github.com/hashicorp/hcl/hcl/ast
golang.org/x/text/unicode/norm
github.com/hashicorp/hcl/json/token
github.com/hashicorp/hcl/hcl/scanner
github.com/fsnotify/fsnotify
golang.org/x/crypto/ssh/terminal
github.com/hashicorp/hcl/json/scanner
github.com/hashicorp/hcl/hcl/parser
gopkg.in/yaml.v2
github.com/hashicorp/hcl/json/parser
github.com/sirupsen/logrus
github.com/hashicorp/hcl/hcl/printer
github.com/sirupsen/logrus/hooks/syslog
github.com/hashicorp/hcl
github.com/spf13/afero
github.com/spf13/viper
cgo-gcc-prolog:194:2: warning: 'libusb_set_debug' is deprecated [-Wdeprecated-declarations]
/opt/local/include/libusb-1.0/libusb.h:1299:1: note: 'libusb_set_debug' has been explicitly marked deprecated here
/opt/local/include/libusb-1.0/libusb.h:89:49: note: expanded from macro 'LIBUSB_DEPRECATED_FOR'
github.com/thorduri/go-libusb/usb
golang.org/x/sys/unix.kevent: relocation target golang.org/x/sys/unix.Syscall6 not defined for ABIInternal (but is defined for ABI0)
golang.org/x/sys/unix.ioctl: relocation target golang.org/x/sys/unix.Syscall not defined for ABIInternal (but is defined for ABI0)
golang.org/x/sys/unix.Close: relocation target golang.org/x/sys/unix.Syscall not defined for ABIInternal (but is defined for ABI0)
golang.org/x/sys/unix.Kqueue: relocation target golang.org/x/sys/unix.Syscall not defined for ABIInternal (but is defined for ABI0)
golang.org/x/sys/unix.Open: relocation target golang.org/x/sys/unix.Syscall not defined for ABIInternal (but is defined for ABI0)
golang.org/x/sys/unix.mmap: relocation target golang.org/x/sys/unix.Syscall6 not defined for ABIInternal (but is defined for ABI0)
golang.org/x/sys/unix.munmap: relocation target golang.org/x/sys/unix.Syscall not defined for ABIInternal (but is defined for ABI0)
# yubihsm-connector
yubihsm-connector
FATAL: command "build" failed: exit status 2
make: *** [build] Error 1
$

Provided yubihsm-connector-2.0.0.tar.gz also fails to build in exactly the same way.

This pretty much makes YubiHSM2 useless, because it cannot be accessed without yubihsm-connector. Please address this problem ASAP.

We've two yubihsm-2 devices connected to a remote server. We'd like to remove the unused one.
How can we find out which among the two is used by the yubihsm-connector, and which is not, via common linux shell commands?
We'd like to avoid plugging and unplugging both yubihsm-2 devices to try to find out, because this is a live system.
The server is running Ubuntu 20.04.
In yubihsm-connector-config.yaml, the serial is not set, i.e. below

serial: ""

Is it possible both are being used by yubihsm-connector, e.g. in some sort of round-robin or etc manner?