Bug 1650246

Summary: tang provides adv which makes clevis fail on unhandled jose failing call
Product: Red Hat Enterprise Linux 8
Reporter: Martin Zelený <mzeleny>
Component: clevis
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Zelený <mzeleny>
Severity: high
Docs Contact:
Priority: high
Version: 8.0
CC: dapospis, mthacker, npmccallum
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: clevis-11-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-14 01:02:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments (Description / Flags):
proposed enhancement patch for clevis / none
proposed enhancement patch for clevis / none

Description Martin Zelený 2018-11-15 16:27:58 UTC
Description of problem:
When the test is run on a clean installation, clevis sometimes fails on this line:
https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang#L117
(jose fails on exit code 1, 'clevis encrypt tang' fails on exit code 1 with no error message)

Version-Release number of selected component (if applicable):
clevis-11-1.el8.x86_64
tang-7-1.el8.x86_64
jose-10-2.el8.x86_64

How reproducible:
In 50-100 % of runs on a clean installation (1minutetip or beaker)

Steps to Reproduce:
0. Get a clean, fresh installation of rhel-8 (1minutetip, beaker machine)
1. dnf install tang jose
2. systemctl start tangd.socket
3. wget localhost/adv -O adv.json
4. cat adv.json
{"payload":"eyJrZXlzIjpbeyJhbGciOiJFUzUxMiIsImNydiI6IlAtNTIxIiwia2V5X29wcyI6WyJ2ZXJpZnkiXSwia3R5IjoiRUMiLCJ4IjoiQWFsamJfN2E4Smo1QjFOcmZOLWMzQUU2dGpfY2RRakF6bF9maDVNVG9GV3dqV3BkcVlyNlY3eUZITUREMDJuUXFISjRNT0xFZWQ1SHNJSklTZm9fN1R6TSIsInkiOiJBWXhvWEl4bVVGX2tiaGxTTmdCWjlicURhZlUzNGpud2R4c2cyQS01V1JLOWpPNWdZa0htZk9qTWU5cjRvZEZaa0JodVV1RkxRb0FNVkZEQVpwV0wzLXRYIn1dfQ","protected":"eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9","signature":"AHm2wJq7NeHmSLv_cj2ENRhx6BR-b37YlFeWjyPoKzkhlQoErWpxHpJaWAR-cPcQT0HrKCOyM_sv6hFdXSFJMVUmAe8dHhBKzu25ODIRJO4lf8PkmlqQmfpYa0qDiUkfY4ZAHM8z7Qe_Cmlosz5v_25hvJayPF-J_xzUH8Wr-_3iOvVm"}
5. jwks=`jose fmt -j- -Og payload -SyOg keys -AUo- < adv.json` #line 89 of clevis-encrypt-tang
6. echo $jwks
{"keys":[{"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"Aaljb_7a8Jj5B1NrfN-c3AE6tj_cdQjAzl_fh5MToFWwjWpdqYr6V7yFHMDD02nQqHJ4MOLEed5HsIJISfo_7TzM","y":"AYxoXIxmUF_kbhlSNgBZ9bqDafU34jnwdxsg2A-5WRK9jO5gYkHmfOjMe9r4odFZkBhuUuFLQoAMVFDAZpWL3-tX"}]}
7. jose jwk use -i- -r -u deriveKey -o- <<< "$jwks" #line 117 of clevis-encrypt-tang

Actual results:
Step 7 produces no output. The resulting empty variable is unhandled in the clevis code. Exit code 1 with no error message.

Expected results:
After restarting the tang server, it works:
# jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"
{"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AHpHNX88LDH8GPBB0nXu7RM1JIlPN7GdWV9muUh0zUCL7ZckW_DCH1cJNRp9Wnz0nXlTOADc3dP9Z4GYVmGUScsl","y":"AVioYGZzjiYdBkSyiTrlLoC4fLdhtlDb0sKpfJTNaQYQIdZnx-fLOjVqrVxBcvqr0z44cvnyxI_IKUJlhhK5kOGn"}

Comment 1 Martin Zelený 2018-11-16 10:46:13 UTC
Additional info: the tang server on first start does not provide an advertisement with 'deriveKey'

# cat adv.json | jose fmt -j- -Og payload -SyOg keys -AUo- | jq
{
  "keys": [
    {
      "alg": "ES512",
      "crv": "P-521",
      "key_ops": [
        "verify"
      ],
      "kty": "EC",
      "x": "AcBew1hyXud_rdJUtgHglr31qizbxMpy6HBmoDOWR3vaGOEVgttZ1YDUojtJ-UGEE3U1Uvz7sYhZ71ft0Yo4g6X9",
      "y": "ASI0lSuvvaJ1Wyic3nRiF12Se76cZa9SgLkntqhqVuuqRN1bc6MvjYD4c7e5dsiLVyx01E8rssEX16euoCJX_T5U"
    }
  ]
}

After 'systemctl restart tangd.socket' and a new advertisement download ('wget localhost/adv -O adv.json'):
# cat adv.json | jose fmt -j- -Og payload -SyOg keys -AUo- | jq
{
  "keys": [
    {
      "alg": "ECMR",
      "crv": "P-521",
      "key_ops": [
        "deriveKey"
      ],
      "kty": "EC",
      "x": "Aa1FrvMEQ0iOUk5qwjls5ap4g3xs4Co0WkLph0kfczoN1spNRfhpdsraLMblEW_lKJ__NLugz1QPq-9CoEoQ6tgN",
      "y": "AQYmkSegphsAMapLwYdZ-_cgoypcr6ISA77uvAemR_V6k-0as7-Yg77ER5gEx91NBOS8J0Gk9qXQC9tFgXXmVLK5"
    },
    {
      "alg": "ES512",
      "crv": "P-521",
      "key_ops": [
        "verify"
      ],
      "kty": "EC",
      "x": "AcBew1hyXud_rdJUtgHglr31qizbxMpy6HBmoDOWR3vaGOEVgttZ1YDUojtJ-UGEE3U1Uvz7sYhZ71ft0Yo4g6X9",
      "y": "ASI0lSuvvaJ1Wyic3nRiF12Se76cZa9SgLkntqhqVuuqRN1bc6MvjYD4c7e5dsiLVyx01E8rssEX16euoCJX_T5U"
    }
  ]
}

Nathaniel, can you please provide some insight into this? Thanks.
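The failure mode from the description and the root cause from comment 1, as an added Python example that is not part of the bug report or of clevis itself: it builds a tang-style advertisement (a JWS carrying a JWK set), extracts the keys the way the `jose fmt ... | jose jwk use -r -u deriveKey` pipeline does, and fails with an explicit reason when no deriveKey key is present instead of leaving an empty variable behind. The advertisements, their placeholder signatures and the key x/y values are constructed, and JWS signature verification is deliberately not modelled here.

```python
import base64
import json

def b64url_decode(data: str) -> bytes:
    # JOSE base64url carries no padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_adv(keys):
    # Tang advertisement shape: a JWS (payload/protected/signature) whose
    # payload is a JWK set. Constructed here; the signature is a placeholder,
    # not a real ES512 signature, so nothing below verifies it.
    protected = {"alg": "ES512", "cty": "jwk-set+json"}
    return {"payload": b64url_encode(json.dumps({"keys": keys}).encode()),
            "protected": b64url_encode(json.dumps(protected).encode()),
            "signature": "PLACEHOLDER-NOT-A-SIGNATURE"}

# Constructed sample keys; x/y are placeholders, not real P-521 points.
VERIFY_KEY = {"alg": "ES512", "crv": "P-521", "key_ops": ["verify"],
              "kty": "EC", "x": "<constructed>", "y": "<constructed>"}
EXCHANGE_KEY = {"alg": "ECMR", "crv": "P-521", "key_ops": ["deriveKey"],
                "kty": "EC", "x": "<constructed>", "y": "<constructed>"}

ADV_FIRST_START = make_adv([VERIFY_KEY])                  # tangd fresh start
ADV_AFTER_RESTART = make_adv([EXCHANGE_KEY, VERIFY_KEY])  # after restart

def exchange_keys(adv):
    # Mirrors 'jose fmt -Og payload ... | jose jwk use -r -u deriveKey', but
    # raises with a reason instead of yielding an empty variable.
    keys = json.loads(b64url_decode(adv["payload"])).get("keys", [])
    if not keys:
        raise ValueError("advertisement contains no keys")
    derive = [k for k in keys if "deriveKey" in k.get("key_ops", [])]
    if not derive:
        ops = sorted({op for k in keys for op in k.get("key_ops", [])})
        raise ValueError("no key with key_ops deriveKey in advertisement "
                         f"(found only {ops}); tang may not have generated "
                         "its exchange key yet")
    return derive

def run(adv):
    # Shell-style result: (exit status, message) so a caller always sees why.
    try:
        return 0, json.dumps({"keys": exchange_keys(adv)})
    except ValueError as err:
        return 1, f"clevis-encrypt-tang: {err}"
```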

Comment 2 Daniel Kopeček 2018-12-05 12:33:27 UTC
Created attachment 1511663 [details]
proposed enhancement patch for clevis

@mzeleny, I've created a clevis build with the proposed error checking. Wanna check it out? https://copr.devel.redhat.com/coprs/dkopecek/PolicyBasedDecryption/build/25119/

Comment 3 Daniel Kopeček 2018-12-05 12:34:33 UTC
Removing the needinfo flag; I think we got it at the last sync-up meeting.

Comment 4 Daniel Kopeček 2018-12-05 15:58:56 UTC
Created attachment 1511774 [details]
proposed enhancement patch for clevis

https://copr.devel.redhat.com/coprs/dkopecek/PolicyBasedDecryption/build/25136/

Comment 8 Mark Thacker 2019-01-04 15:39:51 UTC
Exception approved and added pmapproved to internal whiteboard section.