1650246 – tang provides adv which makes clevis fail on unhandled jose failing call

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1650246 - tang provides adv which makes clevis fail on unhandled jose failing call

Summary: tang provides adv which makes clevis fail on unhandled jose failing call

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	clevis
Sub Component:
Version:	8.0
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Daniel Kopeček
QA Contact:	Martin Zelený
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-11-15 16:27 UTC by Martin Zelený
Modified:	2019-06-14 01:02 UTC (History)
CC List:	3 users (show)
Fixed In Version:	clevis-11-2.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-14 01:02:26 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
proposed enhancement patch for clevis (901 bytes, patch) 2018-12-05 12:33 UTC, Daniel Kopeček	no flags	Details \| Diff
proposed enhancement patch for clevis (991 bytes, patch) 2018-12-05 15:58 UTC, Daniel Kopeček	no flags	Details \| Diff
Show Obsolete (1) View All

Description Martin Zelený 2018-11-15 16:27:58 UTC

Description of problem:
When test is run on clean installation, clevis sometimes fail on line:
https://github.com/latchset/clevis/blob/master/src/pins/tang/clevis-encrypt-tang#L117
(jose fails on exit code 1, 'clevis encrypt tang' fails on exit code 1 with no error message)

Version-Release number of selected component (if applicable):
clevis-11-1.el8.x86_64
tang-7-1.el8.x86_64
jose-10-2.el8.x86_64

How reproducible:
Between 50-100 % cases of runs on clean installation (1minutetip or beaker)

Steps to Reproduce:
0. get clean fresh installation of rhel-8 (1minutetip, beaker machine)
1. dnf install tang jose
2. systemctl start tangd.socket
3. wget localhost/adv -O adv.json
4. cat adv.json
{"payload":"eyJrZXlzIjpbeyJhbGciOiJFUzUxMiIsImNydiI6IlAtNTIxIiwia2V5X29wcyI6WyJ2ZXJpZnkiXSwia3R5IjoiRUMiLCJ4IjoiQWFsamJfN2E4Smo1QjFOcmZOLWMzQUU2dGpfY2RRakF6bF9maDVNVG9GV3dqV3BkcVlyNlY3eUZITUREMDJuUXFISjRNT0xFZWQ1SHNJSklTZm9fN1R6TSIsInkiOiJBWXhvWEl4bVVGX2tiaGxTTmdCWjlicURhZlUzNGpud2R4c2cyQS01V1JLOWpPNWdZa0htZk9qTWU5cjRvZEZaa0JodVV1RkxRb0FNVkZEQVpwV0wzLXRYIn1dfQ","protected":"eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9","signature":"AHm2wJq7NeHmSLv_cj2ENRhx6BR-b37YlFeWjyPoKzkhlQoErWpxHpJaWAR-cPcQT0HrKCOyM_sv6hFdXSFJMVUmAe8dHhBKzu25ODIRJO4lf8PkmlqQmfpYa0qDiUkfY4ZAHM8z7Qe_Cmlosz5v_25hvJayPF-J_xzUH8Wr-_3iOvVm"}
5. jwks=`jose fmt -j- -Og payload -SyOg keys -AUo- < adv.json` #line 89 of clevis-encrypt-tang
6. echo $jwks
{"keys":[{"alg":"ES512","crv":"P-521","key_ops":["verify"],"kty":"EC","x":"Aaljb_7a8Jj5B1NrfN-c3AE6tj_cdQjAzl_fh5MToFWwjWpdqYr6V7yFHMDD02nQqHJ4MOLEed5HsIJISfo_7TzM","y":"AYxoXIxmUF_kbhlSNgBZ9bqDafU34jnwdxsg2A-5WRK9jO5gYkHmfOjMe9r4odFZkBhuUuFLQoAMVFDAZpWL3-tX"}]}
7. jose jwk use -i- -r -u deriveKey -o- <<< "$jwks" #line 117 of clevis-encrypt-tang

Actual results:
No output of running step 7. Unhandled empty variable in clevis code. Exit code 1 with no error message.

Expected results:
While restarting tang server, it works:
# jose jwk use -i- -r -u deriveKey -o- <<< "$jwks"
{"alg":"ECMR","crv":"P-521","key_ops":["deriveKey"],"kty":"EC","x":"AHpHNX88LDH8GPBB0nXu7RM1JIlPN7GdWV9muUh0zUCL7ZckW_DCH1cJNRp9Wnz0nXlTOADc3dP9Z4GYVmGUScsl","y":"AVioYGZzjiYdBkSyiTrlLoC4fLdhtlDb0sKpfJTNaQYQIdZnx-fLOjVqrVxBcvqr0z44cvnyxI_IKUJlhhK5kOGn"}

Comment 1 Martin Zelený 2018-11-16 10:46:13 UTC

Additional info: tang sever on first start does not provide advertisement with 'deriveKey'

# cat adv.json | jose fmt -j- -Og payload -SyOg keys -AUo- | jq
{
  "keys": [
    {
      "alg": "ES512",
      "crv": "P-521",
      "key_ops": [
        "verify"
      ],
      "kty": "EC",
      "x": "AcBew1hyXud_rdJUtgHglr31qizbxMpy6HBmoDOWR3vaGOEVgttZ1YDUojtJ-UGEE3U1Uvz7sYhZ71ft0Yo4g6X9",
      "y": "ASI0lSuvvaJ1Wyic3nRiF12Se76cZa9SgLkntqhqVuuqRN1bc6MvjYD4c7e5dsiLVyx01E8rssEX16euoCJX_T5U"
    }
  ]
}

After 'systemctl restart tangd.socket' and new advertisement download 'wget localhost/adv -O adv.json':
# cat adv.json | jose fmt -j- -Og payload -SyOg keys -AUo- | jq
{
  "keys": [
    {
      "alg": "ECMR",
      "crv": "P-521",
      "key_ops": [
        "deriveKey"
      ],
      "kty": "EC",
      "x": "Aa1FrvMEQ0iOUk5qwjls5ap4g3xs4Co0WkLph0kfczoN1spNRfhpdsraLMblEW_lKJ__NLugz1QPq-9CoEoQ6tgN",
      "y": "AQYmkSegphsAMapLwYdZ-_cgoypcr6ISA77uvAemR_V6k-0as7-Yg77ER5gEx91NBOS8J0Gk9qXQC9tFgXXmVLK5"
    },
    {
      "alg": "ES512",
      "crv": "P-521",
      "key_ops": [
        "verify"
      ],
      "kty": "EC",
      "x": "AcBew1hyXud_rdJUtgHglr31qizbxMpy6HBmoDOWR3vaGOEVgttZ1YDUojtJ-UGEE3U1Uvz7sYhZ71ft0Yo4g6X9",
      "y": "ASI0lSuvvaJ1Wyic3nRiF12Se76cZa9SgLkntqhqVuuqRN1bc6MvjYD4c7e5dsiLVyx01E8rssEX16euoCJX_T5U"
    }
  ]
}

Nathaniel, can you please provide some insight into this? Thanks.

Comment 2 Daniel Kopeček 2018-12-05 12:33:27 UTC

Created attachment 1511663 [details]
proposed enhancement patch for clevis

@mzeleny, I've created a clevis build with the proposed error checking. Wanna check it out? https://copr.devel.redhat.com/coprs/dkopecek/PolicyBasedDecryption/build/25119/

Comment 3 Daniel Kopeček 2018-12-05 12:34:33 UTC

Removing the needinfo flag, I think we got it on the last sync up meeting.

Comment 4 Daniel Kopeček 2018-12-05 15:58:56 UTC

Created attachment 1511774 [details]
proposed enhancement patch for clevis

https://copr.devel.redhat.com/coprs/dkopecek/PolicyBasedDecryption/build/25136/

Comment 8 Mark Thacker 2019-01-04 15:39:51 UTC

Exception approved and added pmapproved to internal whiteboard section.

Note You need to log in before you can comment on or make changes to this bug.