
"debug" option in config file explodes the shell #378

Open
mouse07410 opened this issue Jan 4, 2024 · 5 comments

Comments

@mouse07410
Contributor

On both MacOS and Linux, none of the three debug flags in the config file are accepted. Instead, debug, dinout, and libdebug all result in a yubihsm-shell: unrecognized option '--debug' error message.

This happens with v2.4.1, 2.4.2, and master (built from source).

$ cat ~/yubihsm_pkcs11.conf
# URL of the connector to use. This can be a comma-separated list
connector = https://hostname:12345

# Enables general debug output in the module
#
debug

# Enables function tracing (ingress/egress) debug output in the module
#
dinout

# Enables libyubihsm debug output in the module
#
libdebug
cacert = /opt/local/share/curl/curl-ca-bundle.crt
$ yubihsm-shell -f ~/yubihsm_pkcs11.conf
yubihsm-shell: unrecognized option `--debug'
@qpernil
Contributor

qpernil commented Jan 4, 2024

That config file is for the pkcs#11 module, the shell uses a different format. The config file for the shell simply allows you to specify the same options you would from the command line. It uses the gengetopt function cmdline_parser_config_file to implement this. Note that only command line options can be used, the interactive commands are not supported.

@mouse07410
Contributor Author

Well, the config file for yubihsm-shell clearly understands the connector and cacert statements. From the old days, I seem to recall that it used to understand debug - because I used it...

What's the format of the yubihsm-shell configuration file, and what commands (and in what format) can I place there? I think this is a must for the docs.

@qpernil
Contributor

qpernil commented Jan 5, 2024

The supported options are the same as the command line 'long options', i.e. the ones with a double dash. You can see them in the source file src/cmdline.ggo or from the help given by yubihsm-shell -h. In the file they should be given without the double dashes. The 'connector' and 'cacert' options (but not 'debug'; use 'verbose' instead) are indeed supported by yubihsm-shell, but that's just because the options overlap. I agree it should be documented, will forward this.
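As an added example (not code from the YubiHSM project), the following pre-flight check applies the rule just described: a yubihsm-shell config file holds the shell's long options, one per line, written without the leading dashes, either bare (a flag) or as `name = value`. The set of accepted option names below is an assumption built only from the names that appear in this thread; in practice it would be derived from `yubihsm-shell -h` or src/cmdline.ggo. The two sample files are constructed for the example.

```python
"""Pre-flight linter for a yubihsm-shell style config file (added example)."""
import re
from typing import Dict, List, Tuple

# ASSUMED subset of yubihsm-shell long options, for illustration only.
# The authoritative list comes from `yubihsm-shell -h` or src/cmdline.ggo.
SHELL_LONG_OPTIONS = frozenset({"connector", "cacert", "verbose", "cert", "key"})

# Names that belong to the PKCS#11 module's config file, not the shell's
# (the three that produced the error in this issue).
PKCS11_ONLY = frozenset({"debug", "dinout", "libdebug"})

# gengetopt-style line: 'name' alone (a flag) or 'name = value'.
LINE_RE = re.compile(r"^([A-Za-z][\w-]*)\s*(?:=\s*(.*?))?$")

# Constructed sample: the PKCS#11-module file from the issue, fed to the shell.
PKCS11_STYLE_CONF = """\
# URL of the connector to use
connector = https://hostname:12345
debug
dinout
libdebug
cacert = /opt/local/share/curl/curl-ca-bundle.crt
"""

# Constructed sample: the same intent written for yubihsm-shell.
SHELL_CONF = """\
connector = https://hostname:12345
cacert = /opt/local/share/curl/curl-ca-bundle.crt
# bit mask of YH_VERB_* flags from yubihsm.h; value chosen for the example
verbose = 1
"""


def parse_config(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'name' / 'name = value' lines, skipping blanks and '#' comments.

    Returns (options, errors). Option names are stored without dashes; a bare
    flag maps to the empty string.
    """
    options: Dict[str, str] = {}
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            errors.append(f"line {lineno}: write options without leading dashes: {line!r}")
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: cannot parse {line!r}")
            continue
        name, value = m.group(1), m.group(2)
        options[name] = "" if value is None else value.strip().strip('"')
    return options, errors


def check_config(text: str, allowed=SHELL_LONG_OPTIONS) -> Tuple[Dict[str, str], List[str]]:
    """Parse the file and flag every option the shell would reject."""
    options, errors = parse_config(text)
    for name in options:
        if name in allowed:
            continue
        msg = f"unrecognized option '--{name}'"
        if name in PKCS11_ONLY:
            msg += " (PKCS#11 module setting; the shell uses 'verbose' instead)"
        errors.append(msg)
    return options, errors


if __name__ == "__main__":
    for label, conf in (("pkcs11-style", PKCS11_STYLE_CONF), ("shell", SHELL_CONF)):
        opts, errs = check_config(conf)
        print(f"[{label}] options: {sorted(opts)}")
        for e in errs:
            print(f"[{label}] {e}")
```

Running it on the first sample reproduces the three rejections the issue reports (with a hint that these are PKCS#11 module settings), while the second sample passes cleanly; keeping such a check in a deployment script catches a mixed-up config before the shell is ever invoked against the HSM.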

@mouse07410
Contributor Author

mouse07410 commented Jan 8, 2024

@qpernil thanks.

  1. What are the allowed values for verbose=INT, and what would they mean (i.e., what info would I get for each of those values)?
  2. cert=STRING and key=STRING - do these options allow the client to authenticate to the connector via certificate? Prior to authenticating to the HSM2 via opening a session? If so - how do I force the connector to accept only mutually-authenticated connections?

@qpernil
Contributor

qpernil commented Jan 10, 2024

The verbosity is a set of bit flags, where YH_VERB_QUIET sets none and YH_VERB_ALL sets all flags. See their definitions in yubihsm.h around line 130.

Regarding cert and key: yes, the curl backend now supports a client certificate and key, if requested / required by the server. yubihsm-connector doesn't support this directly yet, so something like a reverse proxy would be needed on that side. Also, the winhttp backend (on Windows) doesn't support it yet. This authentication is strictly on the https level, so it has nothing to do with the yubihsm. It is more of a way to disallow unauthorized access to the connector.
