git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
clevis
1
0
Fork 0
Files Pull Requests 0
Tree: ba74221dd9
Branches Tags
clevis
/
src
/
clevis-encrypt-tang

clevis-encrypt-tang 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 
  1. #!/bin/bash -e
    2. 

  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
    3. 

  3. #
    4. 

  4. # Copyright (c) 2017 Red Hat, Inc.
    5. 

  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
    6. 

  6. #
    7. 

  7. # This program is free software: you can redistribute it and/or modify
    8. 

  8. # it under the terms of the GNU General Public License as published by
    9. 

  9. # the Free Software Foundation, either version 3 of the License, or
    10. 

  10. # (at your option) any later version.
    11. 

  11. #
    12. 

  12. # This program is distributed in the hope that it will be useful,
    13. 

  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15. # GNU General Public License for more details.
    16. 

  16. #
    17. 

  17. # You should have received a copy of the GNU General Public License
    18. 

  18. # along with this program.  If not, see <http://www.gnu.org/licenses/>.
    19. 

  19. #
    20. 

  20. 

  21. SUMMARY="Encrypts using a Tang binding server policy"
    22. 

  22. 

  23. if [ "$1" == "--summary" ]; then
    24. 

  24.     echo "$SUMMARY"
    25. 

  25.     exit 0
    26. 

  26. fi
    27. 

  27. 

  28. if [ -t 0 ]; then
    29. 

  29.     echo >&2
    30. 

  30.     echo "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE" >&2
    31. 

  31.     echo >&2
    32. 

  32.     echo $SUMMARY >&2
    33. 

  33.     echo >&2
    34. 

  34.     echo "This command uses the following configuration properties:" >&2
    35. 

  35.     echo >&2
    36. 

  36.     echo "  url: <string>   The base URL of the Tang server (REQUIRED)" >&2
    37. 

  37.     echo >&2
    38. 

  38.     echo "  thp: <string>   The thumbprint of a trusted signing key" >&2
    39. 

  39.     echo >&2
    40. 

  40.     echo "  adv: <string>   A filename containing a trusted advertisement" >&2
    41. 

  41.     echo "  adv: <object>   A trusted advertisement (raw JSON)" >&2
    42. 

  42.     echo >&2
    43. 

  43.     echo "Obtaining the thumbprint of a trusted signing key is easy. If you" >&2
    44. 

  44.     echo "have access to the Tang server's database directory, simply do:" >&2
    45. 

  45.     echo >&2
    46. 

  46.     echo "    $ jose jwk thp -i \$DBDIR/\$SIG.jwk " >&2
    47. 

  47.     echo >&2
    48. 

  48.     echo "Alternatively, if you have certainty that your network connection" >&2
    49. 

  49.     echo "is not compromised (not likely), you can download the advertisement" >&2
    50. 

  50.     echo "yourself using:" >&2
    51. 

  51.     echo >&2
    52. 

  52.     echo "    $ curl -f \$URL/adv > adv.jws" >&2
    53. 

  53.     echo >&2
    54. 

  54.     exit 1
    55. 

  55. fi
    56. 

  56. 

  57. if ! cfg=`jose fmt -j- -Oo- <<< "$1" 2>/dev/null`; then
    58. 

  58.     echo "Configuration is malformed!" >&2
    59. 

  59.     exit 1
    60. 

  60. fi
    61. 

  61. 

  62. if ! url=`jose fmt -j- -Og url -u- <<< "$cfg"`; then
    63. 

  63.     echo "Missing the required 'url' property!" >&2
    64. 

  64.     exit 1
    65. 

  65. fi
    66. 

  66. 

  67. thp=`jose fmt -j- -Og thp -Su- <<< "$cfg"` || true
    68. 

  68. 

  69. ### Get the advertisement
    70. 

  70. if jws=`jose fmt -j- -g adv -Oo- <<< "$cfg"`; then
    71. 

  71.     thp=${thp:-any}
    72. 

  72. elif jws=`jose fmt -j- -g adv -Su- <<< "$cfg"`; then
    73. 

  73.     if ! [ -f "$jws" ]; then
    74. 

  74.         echo "Advertisement file '$jws' not found!" >&2
    75. 

  75.         exit 1
    76. 

  76.     fi
    77. 

  77. 

  78.     if ! jws=`jose fmt -j- -Oo- < "$jws"`; then
    79. 

  79.         echo "Advertisement file '$jws' is malformed!" >&2
    80. 

  80.         exit 1
    81. 

  81.     fi
    82. 

  82. 

  83.     thp=${thp:-any}
    84. 

  84. elif ! jws=`curl -sfg "$url/adv/$thp"`; then
    85. 

  85.     echo "Unable to fetch advertisement: '$url/adv/$thp'!" >&2
    86. 

  86.     exit 1
    87. 

  87. fi
    88. 

  88. 

  89. if ! jwks=`jose fmt -j- -Og payload -SyOg keys -AUo- <<< "$jws"`; then
    90. 

  90.     echo "Advertisement is malformed!" >&2
    91. 

  91.     exit 1
    92. 

  92. fi
    93. 

  93. 

  94. ### Check advertisement validity
    95. 

  95. ver=`jose jwk use -i- -r -u verify -o- <<< "$jwks"`
    96. 

  96. if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
    97. 

  97.     echo "Advertisement is missing signatures!" >&2
    98. 

  98.     exit 1
    99. 

  99. fi
    100. 

  100. 

  101. ### Check advertisement trust
    102. 

  102. if [ -z "$thp" ]; then
    103. 

  103.     echo "The advertisement contains the following signing keys:" >&2
    104. 

  104.     echo >&2
    105. 

  105.     jose jwk thp -i- <<< "$ver" >&2
    106. 

  106.     echo >&2
    107. 

  107.     read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
    108. 

  108.     [[ "$ans" =~ ^[yY]$ ]] || exit 1
    109. 

  109. 

  110. elif [ "$thp" != "any" ] && \
    111. 

  111.     ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
    112. 

  112.     echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
    113. 

  113.     exit 1
    114. 

  114. fi
    115. 

  115. 

  116. ### Perform encryption
    117. 

  117. enc=`jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"`
    118. 

  118. jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"
    119. 

  119. 

  120. for jwk in `jose fmt -j- -Og keys -Af- <<< "$enc"`; do
    121. 

  121.     jwk=`jose fmt -j- -Od key_ops -o- <<< "$jwk"`
    122. 

  122.     jwk=`jose fmt -j- -Od alg -o- <<< "$jwk"`
    123. 

  123.     kid=`jose jwk thp -i- <<< "$jwk"`
    124. 

  124.     jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
    125. 

  125.     jwe=`jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-`
    126. 

  126.     jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-`
    127. 

  127.     jwe=`jose fmt -j "$jwe" -g protected -g clevis -g tang -j- -s adv -UUUUo- <<< "$jwks"`
    128. 

  128.     exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; cat)
    129. 

  129. done
    130. 

  130. 

  131. echo "No exchange keys found!" >&2
    132. 

  132. exit 1
    133.