#!/bin/bash -e # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80: # # Copyright (c) 2017 Red Hat, Inc. # Author: Nathaniel McCallum # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # [ $# -eq 1 ] && [ "$1" == "--summary" ] && exit 2 if [ -t 0 ]; then exec >&2 echo echo "Usage: clevis decrypt tang < JWE > PLAINTEXT" echo exit 2 fi read -r -d . hdr if ! jhd="$(jose b64 dec -i- <<< "$hdr")"; then echo "Error decoding JWE protected header!" >&2 exit 1 fi if [ "$(jose fmt -j- -Og clevis -g pin -u- <<< "$jhd")" != "tang" ]; then echo "JWE pin mismatch!" >&2 exit 1 fi if ! clt="$(jose fmt -j- -Og epk -Oo- <<< "$jhd")"; then echo "JWE missing required 'epk' header parameter!" >&2 exit 1 fi if ! kid="$(jose fmt -j- -Og kid -Su- <<< "$jhd")"; then echo "JWE missing required 'kid' header parameter!" >&2 exit 1 fi if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \ | jose jwk thp -i- -f "$kid")"; then echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2 exit 1 fi if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then echo "JWE missing required 'clevis.tang.url' header parameter!" >&2 exit 1 fi if ! crv="$(jose fmt -j- -Og crv -Su- <<< "$clt")"; then echo "Unable to determine EPK's curve!" >&2 exit 1 fi if ! eph="$(jose jwk gen -i "{\"alg\":\"ECMR\",\"crv\":\"$crv\"}")"; then echo "Error generating ephemeral key!" >&2 exit 1 fi xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")" url="$url/rec/$kid" ct="Content-Type: application/jwk+json" if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then echo "Error communicating with the server!" >&2 exit 1 fi if ! rep="$(jose fmt -j- -Og kty -q EC -EUUg crv -q "$crv" -EUUo- <<< "$rep")"; then echo "Received invalid server reply!" >&2 exit 1 fi tmp="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$eph$srv")" rep="$(jose jwk pub -i- <<< "$rep")" jwk="$(jose jwk exc -l- -r- <<< "$rep$tmp")" (echo -n "$jwk$hdr."; /bin/cat) | jose jwe dec -k- -i- exit $?