clevis-encrypt-tang 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147
  1. #!/bin/bash -e
  2. # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
  3. #
  4. # Copyright (c) 2017 Red Hat, Inc.
  5. # Author: Nathaniel McCallum <npmccallum@redhat.com>
  6. #
  7. # This program is free software: you can redistribute it and/or modify
  8. # it under the terms of the GNU General Public License as published by
  9. # the Free Software Foundation, either version 3 of the License, or
  10. # (at your option) any later version.
  11. #
  12. # This program is distributed in the hope that it will be useful,
  13. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. # GNU General Public License for more details.
  16. #
  17. # You should have received a copy of the GNU General Public License
  18. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  19. #
  20. SUMMARY="Encrypts using a Tang binding server policy"
  21. if [ "$1" == "--summary" ]; then
  22. echo "$SUMMARY"
  23. exit 0
  24. fi
  25. if [ -t 0 ]; then
  26. exec >&2
  27. echo
  28. echo "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE"
  29. echo
  30. echo "$SUMMARY"
  31. echo
  32. echo " -y Use this option for skipping the advertisement"
  33. echo " trust check. This can be useful in automated"
  34. echo " deployments"
  35. echo
  36. echo "This command uses the following configuration properties:"
  37. echo
  38. echo " url: <string> The base URL of the Tang server (REQUIRED)"
  39. echo
  40. echo " thp: <string> The thumbprint of a trusted signing key"
  41. echo
  42. echo " adv: <string> A filename containing a trusted advertisement"
  43. echo " adv: <object> A trusted advertisement (raw JSON)"
  44. echo
  45. echo "Obtaining the thumbprint of a trusted signing key is easy. If you"
  46. echo "have access to the Tang server's database directory, simply do:"
  47. echo
  48. echo " $ jose jwk thp -i \$DBDIR/\$SIG.jwk "
  49. echo
  50. echo "Alternatively, if you have certainty that your network connection"
  51. echo "is not compromised (not likely), you can download the advertisement"
  52. echo "yourself using:"
  53. echo
  54. echo " $ curl -f \$URL/adv > adv.jws"
  55. echo
  56. exit 2
  57. fi
  58. if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then
  59. echo "Configuration is malformed!" >&2
  60. exit 1
  61. fi
  62. trust=
  63. [ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
  64. if ! url="$(jose fmt -j- -Og url -u- <<< "$cfg")"; then
  65. echo "Missing the required 'url' property!" >&2
  66. exit 1
  67. fi
  68. thp="$(jose fmt -j- -Og thp -Su- <<< "$cfg")" || true
  69. ### Get the advertisement
  70. if jws="$(jose fmt -j- -g adv -Oo- <<< "$cfg")"; then
  71. thp="${thp:-any}"
  72. elif jws="$(jose fmt -j- -g adv -Su- <<< "$cfg")"; then
  73. if ! [ -f "$jws" ]; then
  74. echo "Advertisement file '$jws' not found!" >&2
  75. exit 1
  76. fi
  77. if ! jws="$(jose fmt --json="${jws}" -Oo- 2>/dev/null)"; then
  78. echo "Advertisement file '$jws' is malformed!" >&2
  79. exit 1
  80. fi
  81. thp="${thp:-any}"
  82. elif ! jws="$(curl -sfg "$url/adv/$thp")"; then
  83. echo "Unable to fetch advertisement: '$url/adv/$thp'!" >&2
  84. exit 1
  85. fi
  86. if ! jwks="$(jose fmt --json="${jws}" -Og payload -SyOg keys \
  87. -AUo- 2>/dev/null)"; then
  88. echo "Advertisement is malformed!" >&2
  89. exit 1
  90. fi
  91. ### Check advertisement validity
  92. ver="$(jose jwk use -i- -r -u verify -o- <<< "$jwks")"
  93. if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
  94. echo "Advertisement is missing signatures!" >&2
  95. exit 1
  96. fi
  97. ### Check advertisement trust
  98. if [ -z "${trust}" ]; then
  99. if [ -z "$thp" ]; then
  100. echo "The advertisement contains the following signing keys:" >&2
  101. echo >&2
  102. jose jwk thp -i- <<< "$ver" >&2
  103. echo >&2
  104. read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
  105. [[ "$ans" =~ ^[yY]$ ]] || exit 1
  106. elif [ "$thp" != "any" ] && \
  107. ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
  108. echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
  109. exit 1
  110. fi
  111. fi
  112. ### Perform encryption
  113. if ! enc="$(jose jwk use -i- -r -u deriveKey -o- <<< "$jwks")"; then
  114. echo "Key derivation key not available!" >&2
  115. exit 1
  116. fi
  117. jose fmt -j "$enc" -Og keys -A || enc="{\"keys\":[$enc]}"
  118. if ! jwk="$(jose fmt -j- -Og keys -Af- <<< "$enc")"; then
  119. echo "No exchange keys found!" >&2
  120. exit 1
  121. fi
  122. jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
  123. jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
  124. kid="$(jose jwk thp -i- <<< "$jwk")"
  125. jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
  126. jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
  127. jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
  128. jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -j- -s adv -UUUUo- <<< "$jwks")"
  129. exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)