yhsm-keystore-unlock(1) [debian man page]

yhsm-keystore-unlock(1) 				      General Commands Manual					   yhsm-keystore-unlock(1)

NAME
yhsm-keystore-unlock - Unlock the keystore in a YubiHSM

SYNOPSIS
yhsm-keystore-unlock [options]

DESCRIPTION
In versions of the YubiHSM before 1.0, the YubiHSM could be protected using a 'HSM password'. The YubiHSM would unlock its cryptographic functions if the correct password was given, but it was a simple comparison test.

In YubiHSM 1.0, the password was changed into an actual key that was used to decrypt the contents of the YubiHSM internal key store, which was then AES-256 encrypted using the new 'Master key' when stored in the device.

YubiHSM 1.0 also added the option to require a YubiKey OTP to unlock the keystore. One or more 'Admin YubiKeys' can be configured in the YubiHSM, and an OTP from one of these must also be provided before the YubiHSM will enable its cryptographic functions. The OTP is only validated against the non-encrypted internal database (not the key store) in the YubiHSM, but together with a 'Master key' that is not stored on the server with the YubiHSM, it provides enhanced security by being a second factor that an attacker can't simply intercept even if the server is compromised.

OPTIONS
-D, --device
    device file name (default: /dev/ttyACM0).

-v, --verbose
    enable verbose operation.

--debug
    enable debug printout, including all data sent to/from YubiHSM.

--no-otp
    skip the prompt for an OTP. For use by scripts where no OTP is required and the Master Key is stored on the server with the YubiHSM.

--stdin
    read password and/or OTP from stdin rather than prompting for them. Python's prompts do not accept piped input, so this option has to be used to unlock the YubiHSM from a script, for example.

EXIT STATUS
0   YubiHSM keystore successfully unlocked.
1   Failed to unlock keystore.

BUGS
Report python-pyhsm/yhsm-keystore-unlock bugs in the issue tracker <https://github.com/Yubico/python-pyhsm/issues/>

SEE ALSO
The python-pyhsm home page <https://github.com/Yubico/python-pyhsm/>

YubiHSMs can be obtained from Yubico <http://www.yubico.com/>.

python-pyhsm                                 December 2011                                 yhsm-keystore-unlock(1)
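
EXAMPLE (added here, not part of the python-pyhsm documentation)
A wrapper for the scripted --no-otp case described under OPTIONS: it refuses a key file that group or other can access, feeds the key on stdin, and passes the documented exit status through. The key file argument and the YHSM_UNLOCK_CMD override are hypothetical names, and the key is assumed to be read as a single line from stdin.

```sh
#!/bin/sh
# Added example, not from python-pyhsm. Unattended unlock for the --no-otp
# case, where the master key is kept on the same server as the YubiHSM.
# Assumptions: YHSM_UNLOCK_CMD (override of the command name) and the key
# file location are hypothetical; the key is assumed to be one line on stdin.

unlock_keystore() {
    keyfile=$1
    device=${2:-/dev/ttyACM0}      # default device from the man page
    cmd=${YHSM_UNLOCK_CMD:-yhsm-keystore-unlock}

    if [ ! -f "$keyfile" ] || [ -L "$keyfile" ]; then
        echo "unlock: $keyfile is not a regular file" >&2
        return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # refuse a key file that anyone but its owner can read or write.
    perms=$(ls -ld -- "$keyfile" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "unlock: $keyfile is accessible to group/other, refusing" >&2
        return 2
    fi

    # Feed the key on stdin so it never appears in argv (visible via ps)
    # or in the environment. --stdin is required because the interactive
    # prompt does not accept piped input.
    "$cmd" -D "$device" --no-otp --stdin < "$keyfile"
    rc=$?
    # Exit status per the man page: 0 = unlocked, 1 = failed to unlock.
    if [ "$rc" -ne 0 ]; then
        echo "unlock: keystore on $device NOT unlocked (status $rc)" >&2
    fi
    return "$rc"
}

# Run only when called with arguments: unlock.sh KEYFILE [DEVICE]
if [ "$#" -gt 0 ]; then
    unlock_keystore "$@"
    exit $?
fi
```

Status 2 is the wrapper's own code for a rejected key file, so callers can tell it apart from the tool's documented 0 and 1.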

GJARSIGNER(1)                                                           GNU                                                          GJARSIGNER(1)

NAME
gjarsigner - Java ARchive (JAR) file signing and verification tool

SYNOPSIS
jarsigner [OPTION]... FILE ALIAS
jarsigner -verify [OPTION]... FILE

DESCRIPTION
When the first form is used, the tool signs the designated JAR file. The second form, on the other hand, is used to verify a previously signed JAR file.

FILE is the .JAR file to process; i.e., to sign if the first syntax form is used, or to verify if the second syntax form is used instead.

ALIAS must be a known Alias of a Key Entry in the designated Key Store. The private key material associated with this Alias is then used for signing the designated .JAR file.

OPTIONS
Common options

The following options may be used when the tool is used for either signing, or verifying, a .JAR file.

-verbose
    Use this option to force the tool to generate more verbose messages, during its processing.

-internalsf
    When present, the tool will include --which otherwise it does not-- the ".SF" file in the ".DSA" generated file.

-sectionsonly
    When present, the tool will include in the ".SF" generated file --which otherwise it does not-- a header containing a hash of the whole manifest file. When that header is included, the tool can quickly check, during verification, if the hash (in the header) matches or not the manifest file.

-provider PROVIDER_CLASS_NAME
    A fully qualified class name of a Security Provider to add to the current list of Security Providers already installed in the JVM in use. If a provider class is specified with this option, and was successfully added to the runtime --i.e. it was not already installed-- then the tool will attempt to remove this Security Provider before exiting.

-help
    Prints a help text similar to this one.

Signing options

The following options may be specified when using the tool for signing purposes.

-keystore URL
    Use this option to specify the location of the key store to use. The default value is a file URL referencing the file named .keystore located in the path returned by the call to "java.lang.System#getProperty(String)" using "user.home" as argument.

    If a URL was specified, but was found to be malformed --e.g. missing protocol element-- the tool will attempt to use the URL value as a file-name (with absolute or relative path-name) of a key store --as if the protocol was "file:".

-storetype STORE_TYPE
    Use this option to specify the type of the key store to use. The default value, if this option is omitted, is that of the property "keystore.type" in the security properties file, which is obtained by invoking the static method call "getDefaultType()" in "java.security.KeyStore".

-storepass PASSWORD
    Use this option to specify the password which will be used to unlock the key store. If this option is missing, the User will be prompted to provide a password.

-keypass PASSWORD
    Use this option to specify the password which the tool will use to unlock the Key Entry associated with the designated Alias.

    If this option is omitted, the tool will first attempt to unlock the Key Entry using the same password protecting the key store. If this fails, you will then be prompted to provide a password.

-sigfile NAME
    Use this option to designate a literal that will be used to construct file names for both the ".SF" and ".DSA" signature files. These files will be generated, by the tool, and placed in the META-INF directory of the signed JAR. Permissible characters for NAME must be in the range "a-zA-Z0-9_-". All characters will be converted to upper-case ones.

    If this option is missing, the first eight characters of the ALIAS argument will be used. When this is the case, any character in ALIAS that is outside the permissible range of characters will be replaced by an underscore.

-signedjar FILE
    Use this option to specify the file name of the signed JAR. If this option is omitted, then the signed JAR will be named the same as FILE; i.e., the input JAR file will be replaced with the signed copy.

Verification options

The following options may be specified when using the tool for verification purposes.

-verify
    Use this option to indicate that the tool is to be used for verification purposes.

-certs
    This option is used in conjunction with the -verbose option. When present, along with the -verbose option, the tool will print more detailed information about the certificates of the signer(s) being processed.

BUGS
SEE ALSO
AUTHOR
0.98 2010-07-05 GJARSIGNER(1)