Skip to content

Commit b3567f9

Browse files
author
Ronan Pigott
committed
luks-list: add arg to show tang key thumbprints
1 parent 47b01ab commit b3567f9

2 files changed

Lines changed: 22 additions & 9 deletions

File tree

src/luks/clevis-luks-common-functions.in

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -163,6 +163,7 @@ clevis_luks_decode_jwe() {
163163
clevis_luks_print_pin_config() {
164164
local P="${1}"
165165
local decoded="${2}"
166+
local THP="${3}"
166167

167168
local content
168169
if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \
@@ -173,9 +174,15 @@ clevis_luks_print_pin_config() {
173174
local pin=
174175
case "${P}" in
175176
tang)
176-
local url
177+
local url adv thp
177178
url="$(jose fmt -j- -g url -u- <<< "${content}")"
178-
pin=$(printf '{"url":"%s"}' "${url}")
179+
if [ -z "${THP}" ]; then
180+
pin=$(printf '{"url":"%s"}' "${url}")
181+
else
182+
adv="$(jose fmt -j- -g adv -o- <<< "${content}")"
183+
thp="$(jose jwk thp -i- <<< "${adv}" | tail -n1)"
184+
pin=$(printf '{"url":"%s","thp":"%s"}' "${url}" "${thp}")
185+
fi
179186
printf "tang '%s'" "${pin}"
180187
;;
181188
tpm2)
@@ -195,7 +202,7 @@ clevis_luks_print_pin_config() {
195202
sss)
196203
local threshold
197204
threshold=$(jose fmt -j- -Og t -o- <<< "${content}")
198-
clevis_luks_process_sss_pin "${content}" "${threshold}"
205+
clevis_luks_process_sss_pin "${content}" "${threshold}" "${THP}"
199206
;;
200207
*)
201208
printf "unknown pin '%s'" "${P}"
@@ -207,6 +214,7 @@ clevis_luks_print_pin_config() {
207214
# from it.
208215
clevis_luks_decode_pin_config() {
209216
local jwe="${1}"
217+
local THP="${2}"
210218

211219
local decoded
212220
if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then
@@ -218,7 +226,7 @@ clevis_luks_decode_pin_config() {
218226
return 1
219227
fi
220228

221-
clevis_luks_print_pin_config "${P}" "${decoded}"
229+
clevis_luks_print_pin_config "${P}" "${decoded}" "${THP}"
222230
}
223231

224232
# clevis_luks_join_sss_cfg() will receive a list of configurations for a given
@@ -235,6 +243,7 @@ clevis_luks_join_sss_cfg() {
235243
clevis_luks_process_sss_pin() {
236244
local jwe="${1}"
237245
local threshold="${2}"
246+
local THP="${3}"
238247

239248
local sss_tang
240249
local sss_tpm2
@@ -245,7 +254,7 @@ clevis_luks_process_sss_pin() {
245254

246255
local coded
247256
for coded in $(jose fmt -j- -Og jwe -Af- <<< "${jwe}"| tr -d '"'); do
248-
if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}")"; then
257+
if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}" "${THP}")"; then
249258
continue
250259
fi
251260
read -r pin cfg <<< "${pin_cfg}"
@@ -286,14 +295,15 @@ clevis_luks_process_sss_pin() {
286295
clevis_luks_read_pins_from_slot() {
287296
local DEV="${1}"
288297
local SLOT="${2}"
298+
local THP="${3}"
289299

290300
local jwe
291301
if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then
292302
return 1
293303
fi
294304

295305
local cfg
296-
if ! cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
306+
if ! cfg="$(clevis_luks_decode_pin_config "${jwe}" "${THP}")"; then
297307
return 1
298308
fi
299309
printf "%s: %s\n" "${SLOT}" "${cfg}"

src/luks/clevis-luks-list

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -25,14 +25,16 @@ SUMMARY="Lists pins bound to a LUKSv1 or LUKSv2 device"
2525

2626
function usage() {
2727
echo >&2
28-
echo "Usage: clevis luks list -d DEV [-s SLT]" >&2
28+
echo "Usage: clevis luks list -d DEV [-s SLT] [-t]" >&2
2929
echo >&2
3030
echo "$SUMMARY": >&2
3131
echo >&2
3232
echo " -d DEV The LUKS device to list bound pins" >&2
3333
echo >&2
3434
echo " -s SLOT The slot number to list" >&2
3535
echo >&2
36+
echo " -t show thumbprints in the output" >&2
37+
echo >&2
3638
exit 1
3739
}
3840

@@ -45,6 +47,7 @@ while getopts ":d:s:" o; do
4547
case "$o" in
4648
d) DEV=${OPTARG};;
4749
s) SLT=${OPTARG};;
50+
t) THP="true";;
4851
*) usage;;
4952
esac
5053
done
@@ -62,15 +65,15 @@ if cryptsetup isLuks --type luks1 "${DEV}"; then
6265
fi
6366

6467
if [ -n "${SLT}" ]; then
65-
clevis_luks_read_pins_from_slot "${DEV}" "${SLT}"
68+
clevis_luks_read_pins_from_slot "${DEV}" "${SLT}" "${THP}"
6669
else
6770
if ! used_slots=$(clevis_luks_used_slots "${DEV}"); then
6871
echo "No used slots detected for device ${DEV}!" >&2
6972
exit 1
7073
fi
7174

7275
for s in ${used_slots}; do
73-
if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then
76+
if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}" "${THP}"; then
7477
continue
7578
fi
7679
done

0 commit comments

Comments
 (0)