refactor: use AES256GCM as jwk alg + change default rp_id to 'fido2.c…

…levis'
latchset · Oct 2, 2023 · 4899702 · 4899702
1 parent 2130cbe
commit 4899702
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 15 deletions.
diff --git a/src/pins/fido2/clevis-decrypt-fido2 b/src/pins/fido2/clevis-decrypt-fido2
@@ -71,10 +71,10 @@ client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)"
 
 hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \
   fido2-assert -G -t "uv=${uv}" -t "up=${up}" -t "pin=${pin}" -h "${fido2_token}" | \
-  head -n5 | tail -n1 | jose b64 enc -I -)"
+  head -n5 | tail -n1 | base64 -d | jose b64 enc -I -)"
 
 # use the secret in a key wrapping key
-jwk='{"alg":"PBES2-HS512+A256KW", "kty":"oct"}'
+jwk='{"alg":"A256GCM", "kty":"oct"}'
 jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)"
 
 ( printf '%s' "$jwk$hdr64." ; cat ) | exec jose jwe dec --key=- --input=-
diff --git a/src/pins/fido2/clevis-encrypt-fido2 b/src/pins/fido2/clevis-encrypt-fido2
@@ -47,7 +47,7 @@ function generate_hmac () {
   client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)"
   hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \
     fido2-assert -G -h -t "uv=${uv}" -t "up=${up}" -t "pin=${pin}" "${device}" | \
-    head -n5 | tail -n1 | jose b64 enc -I -)" >&2
+    head -n5 | tail -n1 | base64 -d | jose b64 enc -I -)" >&2
 
   echo -n "${hmac}"
 }
@@ -63,7 +63,7 @@ type="$(jose fmt -j- -Og type -Bo- <<< "$cfg")" || type='es256'
 uv="$(jose fmt -j- -Og uv -Bo- <<< "$cfg")" || uv='true'
 up="$(jose fmt -j- -Og up -Bo- <<< "$cfg")" || up='true'
 pin="$(jose fmt -j- -Og pin -Bo- <<< "$cfg")" || pin='false'
-rp_id="$(jose fmt -j- -Og rp_id -Su- <<< "$cfg")" || rp_id='clevis'
+rp_id="$(jose fmt -j- -Og rp_id -Su- <<< "$cfg")" || rp_id='fido2.clevis'
 
 if ! fido2_token="$(jose fmt -j- -Og device -u- <<< "$cfg")"; then
   fido2_tokens="$(fido2-token -L)"
@@ -93,8 +93,7 @@ if [ -z "${hmac}" ]; then
   exit 1
 fi
 
-# use the secret in a key wrapping key
-jwk='{"kty":"oct", "alg":"PBES2-HS512+A256KW"}'
+jwk='{"kty":"oct", "alg":"A256GCM"}'
 jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)"
 
 jwe='{"protected":{"enc":"A256GCM","clevis":{"pin":"fido2","fido2":{}}}}'

diff --git a/src/pins/fido2/clevis-encrypt-fido2.1.adoc b/src/pins/fido2/clevis-encrypt-fido2.1.adoc
@@ -38,18 +38,18 @@ every decryption. For example:
     Enter PIN for /dev/hidraw0:
     Enter PIN for /dev/hidraw0:
 
-The options "up" and "uv" can be used to set the desired behaviour for user presence and user 
-verification when decrypting the ciphertext (see below). In a "headless" setup, e.g., when 
+The options "up" and "uv" can be used to set the desired behaviour for user presence and user
+verification when decrypting the ciphertext (see below). In a "headless" setup, e.g., when
 encrypting a LUKS partition, those could be set to "false" in order to automatically decrypt
 without any user actions. Note that there are currently no prompts when you need to tap on
-the device, but the token might signal that by blinking. 
+the device, but the token might signal that by blinking.
 
 == CONFIG
 
 This command uses the following configuration properties:
 
 * *type* (string) :
-  The type of the credential, as supported by libfido2, i.e., "es256", "rs256" or "eddsa". 
+  The type of the credential, as supported by libfido2, i.e., "es256", "rs256" or "eddsa".
   Default: "es256".
 
 * *cred_id* (string) :
@@ -59,19 +59,19 @@ This command uses the following configuration properties:
 
 * *rp_id* (string) :
   The reyling party id of the credential (that will be created or is provided via
-  the "cred_id" field). 
-  Default: 'clevis'.
+  the "cred_id" field).
+  Default: 'fido2.clevis'.
 
 * *up* (boolean) :
-  Whether or not to ask the authenticator to require user presence. 
+  Whether or not to ask the authenticator to require user presence.
   Default: true.
 
 * *uv* (string) :
-  Whether or not to ask the authenticator to require user verification. 
+  Whether or not to ask the authenticator to require user verification.
   Default: true.
 
 * *pin* (string) :
-  Whether or not to ask the authenticator to require the PIN and user verification. 
+  Whether or not to ask the authenticator to require the PIN and user verification.
   Default: false.
 
 * *device* (string) :