@usmansaleem
Last active December 12, 2023 00:58
YubiHSM setup for Web3Signer

YubiHSM
  • Create authentication key 3 (password password3) in domains 1,2,3 with the capabilities needed to store, read and wrap opaque objects, using the default auth key 1
yubihsm-shell --connector=yhusb:// --authkey=1 --password=password \
--action=put-authentication-key --new-password=password3 --object-id=3 --domains=1,2,3 \
--capabilities=get-opaque,put-opaque,delete-opaque,export-wrapped,get-pseudo-random,put-wrap-key,import-wrapped \
--delegated=exportable-under-wrap,export-wrapped,import-wrapped

The output would look like:

Created session 0
Stored Authentication key 0x0003
  • Put the opaque data (the 32-byte BLS private key) using auth key 3, with opaque object id 15
yubihsm-shell --connector=yhusb:// --authkey=3 --password=password3 \
--action=put-opaque \
--object-id=15 --label="bls_key_1" --domains=1,2,3 \
--algorithm=opaque-data --capabilities=none \
--informat=hex --in=5e8d5667ce78982a07242739ab03dc63c91e830c80a5b6adca777e3f216a405d

The output should look like:

Session keepalive set up to run every 15 seconds
Created session 0
Stored 32 bytes to Opaque object 0x000f
  • Use auth key 1 to read back the stored data
yubihsm-shell --connector=yhusb:// --authkey=1 --password=password --action=get-opaque --object-id=15 --outformat=hex

The output would look like:

Session keepalive set up to run every 15 seconds
Created session 0
5e8d5667ce78982a07242739ab03dc63c91e830c80a5b6adca777e3f216a405d
  • Identify the location of the yubihsm_pkcs11 dynamic library. For example, on macOS it is installed at /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib with the latest YubiHSM release. Due to a bug in how the yubihsm libraries are built, this file needs to be copied into its parent folder, i.e. /usr/local/lib:
sudo cp /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib /usr/local/lib/
  • In addition, a symbolic link to libyubihsm_usb.2.dylib needs to be created in the current directory (the one web3signer is run from):
ln -s /usr/local/lib/libyubihsm_usb.2.dylib ./libyubihsm_usb.2.dylib

The above changes may not be required on Linux.

  • Web3Signer key config file ./keys/yubihsm_key1.yaml
mkdir ./keys

cat <<EOF > ./keys/yubihsm_key1.yaml
type: yubihsm
connectorUrl: yhusb://
authId: 3
password: password3
opaqueDataId: 15
pkcs11ModulePath: /usr/local/lib/yubihsm_pkcs11.dylib
additionalInitConfig: debug libdebug timeout=5
EOF
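The key config above must agree with what the HSM actually stores, and a mismatch only shows up when web3signer fails to load the key. The following is an added example (not from the gist or from Web3Signer) that cross-checks the key config against the `put-opaque` output shown earlier; the sample config and shell output are constructed copies of the values in this page.

```python
"""Consistency check for a Web3Signer YubiHSM key config (added example)."""
import re

# Constructed samples: the key config and the put-opaque output from this page.
SAMPLE_CONFIG = """type: yubihsm
connectorUrl: yhusb://
authId: 3
password: password3
opaqueDataId: 15
pkcs11ModulePath: /usr/local/lib/yubihsm_pkcs11.dylib
additionalInitConfig: debug libdebug timeout=5
"""
SAMPLE_SHELL_OUTPUT = """Session keepalive set up to run every 15 seconds
Created session 0
Stored 32 bytes to Opaque object 0x000f
"""
BLS_KEY_LEN = 32  # a BLS12-381 secret key is 32 bytes

def parse_key_config(text):
    """Parse the flat 'key: value' lines of the config (no nesting is used)."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition(":")  # split on the first ':' only
        cfg[key.strip()] = value.strip()
    return cfg

def parse_stored_opaque(output):
    """Return (byte length, object id) from the 'Stored N bytes to Opaque object 0x....' line."""
    m = re.search(r"Stored (\d+) bytes to Opaque object 0x([0-9a-fA-F]+)", output)
    if not m:
        raise ValueError("no 'Stored ... Opaque object' line in yubihsm-shell output")
    return int(m.group(1)), int(m.group(2), 16)

def check_setup(config_text, shell_output):
    """Return a list of findings; an empty list means the config matches the HSM state."""
    cfg = parse_key_config(config_text)
    stored_len, stored_id = parse_stored_opaque(shell_output)
    findings = []
    if cfg.get("type") != "yubihsm":
        findings.append("type must be 'yubihsm'")
    if int(cfg.get("opaqueDataId", -1)) != stored_id:
        findings.append(f"opaqueDataId {cfg.get('opaqueDataId')} != stored object 0x{stored_id:04x}")
    if stored_len != BLS_KEY_LEN:
        findings.append(f"stored object is {stored_len} bytes, expected {BLS_KEY_LEN}")
    if cfg.get("authId") == "1":
        findings.append("authId 1 is the factory default auth key; use a dedicated key as in the gist")
    if cfg.get("password") in ("", "password"):
        findings.append("password is empty or the factory default")
    if not cfg.get("pkcs11ModulePath", "").startswith("/"):
        findings.append("pkcs11ModulePath should be an absolute path")
    return findings
```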
  • Web3Signer config file config.yaml
cat <<EOF > ./config.yaml
http-listen-host: "0.0.0.0"
http-listen-port: 9000
http-host-allowlist: "*"

metrics-enabled: true
metrics-host: "0.0.0.0"
metrics-port: 9001
metrics-host-allowlist: "*"

key-store-path: "./keys/"

# eth2 subcommand options
eth2.network: "minimal"

eth2.slashing-protection-enabled: false
EOF
  • Run web3signer with the eth2 subcommand
./web3signer --config-file config.yaml eth2

The output should look like:

2023-10-04 15:30:27.761+10:00 | pool-2-thread-1 | INFO  | SignerLoader | Converting signing metadata to Artifact Signer using parallel streams ...
[P11 - INF 15:30:27.769485] yubihsm_pkcs11.c:266 (C_Initialize): Found 1 configured connector(s)
[LIB - INF 15:30:27.769505] yubihsm.c:4426 (yh_init_connector): Loading usb backend
[LIB - INF 15:30:27.770065] yubihsm_libusb.c:61 (backend_create): backend_create
[LIB - INF 15:30:27.772352] yubihsm_usb.c:48 (backend_connect): backend_connect
[LIB - INF 15:30:27.772364] lib_util.c:178 (parse_usb_url): USB url parsed with serial decimal 0.
...
2023-10-04 15:30:28.176+10:00 | pool-2-thread-1 | INFO  | DefaultArtifactSignerProvider | Total signers (keys) currently loaded in memory: 1