556 lines
18 KiB
Diff
556 lines
18 KiB
Diff
From 7b1639b2194a8bfbb0daedf1cbdfc4ebef5f6b31 Mon Sep 17 00:00:00 2001
|
|
From: Sergio Correia <scorreia@redhat.com>
|
|
Date: Mon, 18 May 2020 08:36:17 -0300
|
|
Subject: [PATCH] Introduce -y (assume yes) argument to clevis luks bind
|
|
|
|
In order to simplify automated operations with e.g. ansible,
|
|
it would be helpful to have a way to automate the creation of
|
|
bindings with clevis.
|
|
|
|
In simple scenarios, it's possible to download the advertisement
|
|
from a tang server and pass it in the binding configuration, to
|
|
do the binding offline, in the following way:
|
|
|
|
curl -sfg http://tang.server/adv -o adv.jws
|
|
|
|
clevis luks bind -d /dev/sda2 tang '{"url":"http://tang.server", "adv":"adv.jws}'
|
|
|
|
However, for more complex scenarios using multiple servers with
|
|
the sss pin, it becomes a lot more complicated to do the same
|
|
thing and do the binding in an automated fashion. An alternative
|
|
would be to use expect (tcl), but it can also be complicated.
|
|
|
|
In this commit we introduce -y as a parameter to clevis luks bind,
|
|
meanining _assume yes_. Essentially, this would make it so that
|
|
the user would not have to manually trust tang key(s) by typing
|
|
y/yes.
|
|
|
|
Security-wise, it would be similar to downloading the advertisement
|
|
manually and passing it to tang as the "adv" configuration option,
|
|
something already supported.
|
|
|
|
We already have a -f parameter, so we picked something different,
|
|
not to change existing behavior and possibly break existing scripts.
|
|
---
|
|
src/luks/clevis-luks-bind.1.adoc | 7 +-
|
|
src/luks/clevis-luks-bind.in | 11 +++-
|
|
src/luks/clevis-luks-regen | 4 +-
|
|
src/luks/tests/assume-yes-luks1 | 81 ++++++++++++++++++++++++
|
|
src/luks/tests/assume-yes-luks2 | 81 ++++++++++++++++++++++++
|
|
src/luks/tests/meson.build | 2 +
|
|
src/pins/sss/clevis-encrypt-sss.1.adoc | 14 +++-
|
|
src/pins/sss/clevis-encrypt-sss.c | 30 ++++++---
|
|
src/pins/tang/clevis-encrypt-tang | 35 ++++++----
|
|
src/pins/tang/clevis-encrypt-tang.1.adoc | 11 +++-
|
|
10 files changed, 246 insertions(+), 30 deletions(-)
|
|
create mode 100755 src/luks/tests/assume-yes-luks1
|
|
create mode 100755 src/luks/tests/assume-yes-luks2
|
|
|
|
diff --git a/src/luks/clevis-luks-bind.1.adoc b/src/luks/clevis-luks-bind.1.adoc
|
|
index 336c0f4..438e517 100644
|
|
--- a/src/luks/clevis-luks-bind.1.adoc
|
|
+++ b/src/luks/clevis-luks-bind.1.adoc
|
|
@@ -9,7 +9,7 @@ clevis-luks-bind - Bind a LUKS device using the specified policy
|
|
|
|
== SYNOPSIS
|
|
|
|
-*clevis luks bind* [-f] -d DEV [-s SLT] [-k KEY] PIN CFG
|
|
+*clevis luks bind* [-f] [-y] -d DEV [-s SLT] [-k KEY] PIN CFG
|
|
|
|
== OVERVIEW
|
|
|
|
@@ -34,6 +34,11 @@ Clevis LUKS unlockers. See link:clevis-luks-unlockers.7.adoc[*clevis-luks-unlock
|
|
* *-f* :
|
|
Do not prompt for LUKSMeta initialization
|
|
|
|
+* *-y* :
|
|
+ Automatically answer yes for all questions. When using _tang_, it
|
|
+ causes the advertisement trust check to be skipped, which can be
|
|
+ useful in automated deployments
|
|
+
|
|
* *-d* _DEV_ :
|
|
The LUKS device on which to perform binding
|
|
|
|
diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
|
|
index 89a5e22..8b8b5ee 100755
|
|
--- a/src/luks/clevis-luks-bind.in
|
|
+++ b/src/luks/clevis-luks-bind.in
|
|
@@ -33,12 +33,14 @@ function luks2_supported() {
|
|
function usage() {
|
|
exec >&2
|
|
echo
|
|
- echo "Usage: clevis luks bind [-f] [-s SLT] [-k KEY] -d DEV PIN CFG"
|
|
+ echo "Usage: clevis luks bind [-f] [-y] [-s SLT] [-k KEY] -d DEV PIN CFG"
|
|
echo
|
|
echo "$SUMMARY":
|
|
echo
|
|
echo " -f Do not prompt for LUKSMeta initialization"
|
|
echo
|
|
+ echo " -y Automatically answer yes for all questions"
|
|
+ echo
|
|
echo " -d DEV The LUKS device on which to perform binding"
|
|
echo
|
|
echo " -s SLT The LUKS slot to use"
|
|
@@ -55,12 +57,15 @@ if [ $# -eq 1 ] && [ "$1" == "--summary" ]; then
|
|
fi
|
|
|
|
FRC=()
|
|
-while getopts ":hfd:s:k:" o; do
|
|
+YES=()
|
|
+while getopts ":fyd:s:k:" o; do
|
|
case "$o" in
|
|
f) FRC+=(-f);;
|
|
d) DEV="$OPTARG";;
|
|
s) SLT="$OPTARG";;
|
|
k) KEY="$OPTARG";;
|
|
+ y) FRC+=(-f)
|
|
+ YES+=(-y);;
|
|
*) usage;;
|
|
esac
|
|
done
|
|
@@ -139,7 +144,7 @@ cryptsetup luksDump "$DEV" \
|
|
)")"
|
|
|
|
# Encrypt the new key
|
|
-jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG")"
|
|
+jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"
|
|
|
|
# If necessary, initialize the LUKS volume
|
|
if [ "$luks_type" == "luks1" ] && ! luksmeta test -d "$DEV"; then
|
|
diff --git a/src/luks/clevis-luks-regen b/src/luks/clevis-luks-regen
|
|
index 44fd673..6071d85 100755
|
|
--- a/src/luks/clevis-luks-regen
|
|
+++ b/src/luks/clevis-luks-regen
|
|
@@ -110,7 +110,7 @@ if ! new_passphrase=$(generate_key "${DEV}"); then
|
|
fi
|
|
|
|
# Reencrypt the new password.
|
|
-if ! jwe=$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}"); then
|
|
+if ! jwe="$(clevis encrypt "${PIN}" "${CFG}" <<< "${new_passphrase}")"; then
|
|
echo "Error using pin '${PIN}' with config '${CFG}'" >&2
|
|
exit 1
|
|
fi
|
|
@@ -176,7 +176,7 @@ fi
|
|
# Now make sure that we can unlock this device after the change.
|
|
# If we can't, undo the changes.
|
|
if ! cryptsetup open --test-passphrase --key-slot "${SLT}" "${DEV}" 2>/dev/null \
|
|
- <<< $(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null); then
|
|
+ <<< "$(clevis luks pass -d "${DEV}" -s "${SLT}" 2>/dev/null)"; then
|
|
echo "Invalid configuration detected after rebinding. Reverting changes."
|
|
restore_device "${DEV}" "${TMP}"
|
|
exit 1
|
|
diff --git a/src/luks/tests/assume-yes-luks1 b/src/luks/tests/assume-yes-luks1
|
|
new file mode 100755
|
|
index 0000000..ad9dea4
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/assume-yes-luks1
|
|
@@ -0,0 +1,81 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2020 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+. clevis-luks-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ local d
|
|
+ for d in "${TMP}" "${TMP2}"; do
|
|
+ [ ! -d "${d}" ] && continue
|
|
+ tang_stop "${d}"
|
|
+ rm -rf "${d}"
|
|
+ done
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'on_exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+port=$(get_random_port)
|
|
+tang_run "${TMP}" "${port}" &
|
|
+tang_wait_until_ready "${port}"
|
|
+
|
|
+url="http://${TANG_HOST}:${port}"
|
|
+
|
|
+cfg=$(printf '{"url":"%s"}' "$url")
|
|
+
|
|
+# LUKS1.
|
|
+DEV="${TMP}/luks1-device"
|
|
+new_device "luks1" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Bind should have succeeded."
|
|
+fi
|
|
+
|
|
+if ! clevis_luks_unlock_device "${DEV}"; then
|
|
+ error "${TEST}: we were unable to unlock ${DEV}."
|
|
+fi
|
|
+
|
|
+# Let's use a second tang server to test the sss pin.
|
|
+TMP2="$(mktemp -d)"
|
|
+
|
|
+port2=$(get_random_port)
|
|
+tang_run "${TMP2}" "${port2}" &
|
|
+tang_wait_until_ready "${port2}"
|
|
+
|
|
+url2="http://${TANG_HOST}:${port2}"
|
|
+
|
|
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
|
|
+ "${url1}" "${url2}")
|
|
+
|
|
+# LUKS1.
|
|
+new_device "luks1" "${DEV}"
|
|
+# Now let's test the sss pin with the two test tang servers we deployed.
|
|
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Bind should have succeeded."
|
|
+fi
|
|
+
|
|
+# Unlock should still work now.
|
|
+if ! clevis_luks_unlock_device "${DEV}"; then
|
|
+ error "${TEST}: we should still be able to unlock ${DEV}"
|
|
+fi
|
|
diff --git a/src/luks/tests/assume-yes-luks2 b/src/luks/tests/assume-yes-luks2
|
|
new file mode 100755
|
|
index 0000000..5c0edc3
|
|
--- /dev/null
|
|
+++ b/src/luks/tests/assume-yes-luks2
|
|
@@ -0,0 +1,81 @@
|
|
+#!/bin/bash -ex
|
|
+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
|
|
+#
|
|
+# Copyright (c) 2020 Red Hat, Inc.
|
|
+# Author: Sergio Correia <scorreia@redhat.com>
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+
|
|
+TEST=$(basename "${0}")
|
|
+. tests-common-functions
|
|
+
|
|
+. clevis-luks-common-functions
|
|
+
|
|
+on_exit() {
|
|
+ local d
|
|
+ for d in "${TMP}" "${TMP2}"; do
|
|
+ [ ! -d "${d}" ] && continue
|
|
+ tang_stop "${d}"
|
|
+ rm -rf "${d}"
|
|
+ done
|
|
+}
|
|
+
|
|
+trap 'on_exit' EXIT
|
|
+trap 'on_exit' ERR
|
|
+
|
|
+TMP="$(mktemp -d)"
|
|
+
|
|
+port=$(get_random_port)
|
|
+tang_run "${TMP}" "${port}" &
|
|
+tang_wait_until_ready "${port}"
|
|
+
|
|
+url="http://${TANG_HOST}:${port}"
|
|
+
|
|
+cfg=$(printf '{"url":"%s"}' "$url")
|
|
+
|
|
+# LUKS2.
|
|
+DEV="${TMP}/luks2-device"
|
|
+new_device "luks2" "${DEV}"
|
|
+
|
|
+if ! clevis luks bind -y -d "${DEV}" tang "${cfg}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Bind should have succeeded."
|
|
+fi
|
|
+
|
|
+if ! clevis_luks_unlock_device "${DEV}"; then
|
|
+ error "${TEST}: we were unable to unlock ${DEV}."
|
|
+fi
|
|
+
|
|
+# Let's use a second tang server to test the sss pin.
|
|
+TMP2="$(mktemp -d)"
|
|
+
|
|
+port2=$(get_random_port)
|
|
+tang_run "${TMP2}" "${port2}" &
|
|
+tang_wait_until_ready "${port2}"
|
|
+
|
|
+url2="http://${TANG_HOST}:${port2}"
|
|
+
|
|
+cfg2=$(printf '{"t":1,"pins":{"tang":[{"url":"%s"},{"url":"%s"}]}}' \
|
|
+ "${url1}" "${url2}")
|
|
+
|
|
+# LUKS2.
|
|
+new_device "luks2" "${DEV}"
|
|
+# Now let's test the sss pin with the two test tang servers we deployed.
|
|
+if ! clevis luks bind -y -d "${DEV}" sss "${cfg2}" <<< "${DEFAULT_PASS}"; then
|
|
+ error "${TEST}: Bind should have succeeded."
|
|
+fi
|
|
+
|
|
+# Unlock should still work now.
|
|
+if ! clevis_luks_unlock_device "${DEV}"; then
|
|
+ error "${TEST}: we should still be able to unlock ${DEV}"
|
|
+fi
|
|
diff --git a/src/luks/tests/meson.build b/src/luks/tests/meson.build
|
|
index dbef9bf..4795488 100644
|
|
--- a/src/luks/tests/meson.build
|
|
+++ b/src/luks/tests/meson.build
|
|
@@ -85,6 +85,7 @@ endif
|
|
|
|
if has_tang
|
|
test('unlock-tang-luks1', find_program('unlock-tang-luks1'), env: env, timeout: 90)
|
|
+ test('assume-yes-luks1', find_program('assume-yes-luks1'), env: env)
|
|
endif
|
|
test('pass-tang-luks1', find_program('pass-tang-luks1'), env: env)
|
|
test('backup-restore-luks1', find_program('backup-restore-luks1'), env: env)
|
|
@@ -108,6 +109,7 @@ if luksmeta_data.get('OLD_CRYPTSETUP') == '0'
|
|
|
|
if has_tang
|
|
test('unlock-tang-luks2', find_program('unlock-tang-luks2'), env: env, timeout: 120)
|
|
+ test('assume-yes-luks2', find_program('assume-yes-luks2'), env: env, timeout: 60)
|
|
endif
|
|
test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
|
|
test('backup-restore-luks2', find_program('backup-restore-luks2'), env:env, timeout: 90)
|
|
diff --git a/src/pins/sss/clevis-encrypt-sss.1.adoc b/src/pins/sss/clevis-encrypt-sss.1.adoc
|
|
index 7144e7e..7152144 100644
|
|
--- a/src/pins/sss/clevis-encrypt-sss.1.adoc
|
|
+++ b/src/pins/sss/clevis-encrypt-sss.1.adoc
|
|
@@ -5,11 +5,11 @@ CLEVIS-ENCRYPT-SSS(1)
|
|
|
|
== NAME
|
|
|
|
-clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
|
|
+clevis-encrypt-sss - Encrypts using a Shamir's Secret Sharing policy
|
|
|
|
== SYNOPSIS
|
|
|
|
-*clevis encrypt sss* CONFIG < PT > JWE
|
|
+*clevis encrypt sss* CONFIG [-y] < PT > JWE
|
|
|
|
== OVERVIEW
|
|
|
|
@@ -52,6 +52,16 @@ The format of the *pins* property is as follows:
|
|
When the list version of the format is used, multiple pins of that type will
|
|
receive key fragments.
|
|
|
|
+== OPTIONS
|
|
+
|
|
+* *-y* :
|
|
+ Automatically answer yes for all questions. For the _tang_ pin, it will
|
|
+ skip the advertisement trust check, which can be useful in automated
|
|
+ deployments:
|
|
+
|
|
+ $ cfg='{"t":1,"pins":{"tang":[{"url":...},{"url":...}]}}'
|
|
+ $ clevis encrypt sss "$cfg" -y < PT > JWE
|
|
+
|
|
== SEE ALSO
|
|
|
|
link:clevis-encrypt-tang.1.adoc[*clevis-encrypt-tang*(1)],
|
|
diff --git a/src/pins/sss/clevis-encrypt-sss.c b/src/pins/sss/clevis-encrypt-sss.c
|
|
index d6f2c2c..531e918 100644
|
|
--- a/src/pins/sss/clevis-encrypt-sss.c
|
|
+++ b/src/pins/sss/clevis-encrypt-sss.c
|
|
@@ -86,9 +86,9 @@ npins(json_t *pins)
|
|
}
|
|
|
|
static json_t *
|
|
-encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
|
|
+encrypt_frag(json_t *sss, const char *pin, const json_t *cfg, int assume_yes)
|
|
{
|
|
- char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL };
|
|
+ char *args[] = { "clevis", "encrypt", (char *) pin, NULL, NULL, NULL };
|
|
json_auto_t *jwe = json_string("");
|
|
str_auto_t *str = NULL;
|
|
uint8_t *pnt = NULL;
|
|
@@ -100,6 +100,10 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
|
|
if (!str)
|
|
return NULL;
|
|
|
|
+ if (assume_yes) {
|
|
+ args[4] = "-y";
|
|
+ }
|
|
+
|
|
pnt = sss_point(sss, &pntl);
|
|
if (!pnt)
|
|
return NULL;
|
|
@@ -137,7 +141,7 @@ encrypt_frag(json_t *sss, const char *pin, const json_t *cfg)
|
|
}
|
|
|
|
static json_t *
|
|
-encrypt_frags(json_int_t t, json_t *pins)
|
|
+encrypt_frags(json_int_t t, json_t *pins, int assume_yes)
|
|
{
|
|
const char *pname = NULL;
|
|
json_auto_t *sss = NULL;
|
|
@@ -172,7 +176,7 @@ encrypt_frags(json_int_t t, json_t *pins)
|
|
json_array_foreach(pcfgs, i, pcfg) {
|
|
json_auto_t *jwe = NULL;
|
|
|
|
- jwe = encrypt_frag(sss, pname, pcfg);
|
|
+ jwe = encrypt_frag(sss, pname, pcfg, assume_yes);
|
|
if (!jwe)
|
|
return NULL;
|
|
|
|
@@ -201,14 +205,24 @@ main(int argc, char *argv[])
|
|
const char *iv = NULL;
|
|
json_t *pins = NULL;
|
|
json_int_t t = 1;
|
|
+ int assume_yes = 0;
|
|
|
|
if (argc == 2 && strcmp(argv[1], "--summary") == 0) {
|
|
fprintf(stdout, "%s\n", SUMMARY);
|
|
return EXIT_SUCCESS;
|
|
}
|
|
|
|
- if (isatty(STDIN_FILENO) || argc != 2)
|
|
- goto usage;
|
|
+ if (isatty(STDIN_FILENO) || argc != 2) {
|
|
+ if (argc != 3) {
|
|
+ goto usage;
|
|
+ }
|
|
+
|
|
+ if (strcmp(argv[2], "-y") == 0) {
|
|
+ assume_yes = 1;
|
|
+ } else if (strlen(argv[2]) > 0) {
|
|
+ goto usage;
|
|
+ }
|
|
+ }
|
|
|
|
/* Parse configuration. */
|
|
cfg = json_loads(argv[1], 0, NULL);
|
|
@@ -228,7 +242,7 @@ main(int argc, char *argv[])
|
|
return EXIT_FAILURE;
|
|
}
|
|
|
|
- sss = encrypt_frags(t, pins);
|
|
+ sss = encrypt_frags(t, pins, assume_yes);
|
|
if (!sss)
|
|
return EXIT_FAILURE;
|
|
|
|
@@ -287,7 +301,7 @@ main(int argc, char *argv[])
|
|
|
|
usage:
|
|
fprintf(stderr, "\n");
|
|
- fprintf(stderr, "Usage: clevis encrypt sss CONFIG < PLAINTEXT > JWE\n");
|
|
+ fprintf(stderr, "Usage: clevis encrypt sss CONFIG [-y] < PLAINTEXT > JWE\n");
|
|
fprintf(stderr, "\n");
|
|
fprintf(stderr, "%s\n", SUMMARY);
|
|
fprintf(stderr, "\n");
|
|
diff --git a/src/pins/tang/clevis-encrypt-tang b/src/pins/tang/clevis-encrypt-tang
|
|
index 378b25d..4a43f1f 100755
|
|
--- a/src/pins/tang/clevis-encrypt-tang
|
|
+++ b/src/pins/tang/clevis-encrypt-tang
|
|
@@ -28,10 +28,14 @@ fi
|
|
if [ -t 0 ]; then
|
|
exec >&2
|
|
echo
|
|
- echo "Usage: clevis encrypt tang CONFIG < PLAINTEXT > JWE"
|
|
+ echo "Usage: clevis encrypt tang CONFIG [-y] < PLAINTEXT > JWE"
|
|
echo
|
|
echo "$SUMMARY"
|
|
echo
|
|
+ echo " -y Use this option for skipping the advertisement"
|
|
+ echo " trust check. This can be useful in automated"
|
|
+ echo " deployments"
|
|
+ echo
|
|
echo "This command uses the following configuration properties:"
|
|
echo
|
|
echo " url: <string> The base URL of the Tang server (REQUIRED)"
|
|
@@ -60,6 +64,9 @@ if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then
|
|
exit 1
|
|
fi
|
|
|
|
+trust=
|
|
+[ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
|
|
+
|
|
if ! url="$(jose fmt -j- -Og url -u- <<< "$cfg")"; then
|
|
echo "Missing the required 'url' property!" >&2
|
|
exit 1
|
|
@@ -100,18 +107,20 @@ if ! jose jws ver -i "$jws" -k- -a <<< "$ver"; then
|
|
fi
|
|
|
|
### Check advertisement trust
|
|
-if [ -z "$thp" ]; then
|
|
- echo "The advertisement contains the following signing keys:" >&2
|
|
- echo >&2
|
|
- jose jwk thp -i- <<< "$ver" >&2
|
|
- echo >&2
|
|
- read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
|
|
- [[ "$ans" =~ ^[yY]$ ]] || exit 1
|
|
-
|
|
-elif [ "$thp" != "any" ] && \
|
|
- ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
|
|
- echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
|
|
- exit 1
|
|
+if [ -z "${trust}" ]; then
|
|
+ if [ -z "$thp" ]; then
|
|
+ echo "The advertisement contains the following signing keys:" >&2
|
|
+ echo >&2
|
|
+ jose jwk thp -i- <<< "$ver" >&2
|
|
+ echo >&2
|
|
+ read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
|
|
+ [[ "$ans" =~ ^[yY]$ ]] || exit 1
|
|
+
|
|
+ elif [ "$thp" != "any" ] && \
|
|
+ ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
|
|
+ echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
|
|
+ exit 1
|
|
+ fi
|
|
fi
|
|
|
|
### Perform encryption
|
|
diff --git a/src/pins/tang/clevis-encrypt-tang.1.adoc b/src/pins/tang/clevis-encrypt-tang.1.adoc
|
|
index 276575f..c34d109 100644
|
|
--- a/src/pins/tang/clevis-encrypt-tang.1.adoc
|
|
+++ b/src/pins/tang/clevis-encrypt-tang.1.adoc
|
|
@@ -9,7 +9,7 @@ clevis-encrypt-tang - Encrypts using a Tang binding server policy
|
|
|
|
== SYNOPSIS
|
|
|
|
-*clevis encrypt tang* CONFIG < PT > JWE
|
|
+*clevis encrypt tang* CONFIG [-y] < PT > JWE
|
|
|
|
== OVERVIEW
|
|
|
|
@@ -76,6 +76,15 @@ This command uses the following configuration properties:
|
|
* *adv* (object) :
|
|
A trusted advertisement (raw JSON)
|
|
|
|
+== OPTIONS
|
|
+
|
|
+* *-y* :
|
|
+ Automatically answer yes for all questions. Use this option for skipping
|
|
+ the advertisement trust check. This can be useful in automated deployments:
|
|
+
|
|
+ $ clevis encrypt tang '{"url":...}' -y < PT > JWE
|
|
+
|
|
+
|
|
== SEE ALSO
|
|
|
|
link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)]
|
|
--
|
|
2.18.4
|
|
|