Bug 2209058
| Summary: | clevis should support SHA-256 thumbprints | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Sergio Correia <scorreia> |
| Component: | clevis | Assignee: | Sergio Arroutbi <sarroutb> |
| Status: | CLOSED ERRATA | QA Contact: | Martin Zelený <mzeleny> |
| Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | unspecified | | |
| Version: | 8.8 | CC: | dapospis, jafiala, mjahoda, mzeleny, sarroutb |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | --- | Flags: | sarroutb: needinfo-; pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | clevis-15-15.el8 | Doc Type: | Bug Fix |
| Doc Text: | Clevis now handles SHA-256 thumbprints. Before this update, the Clevis client did not recognize SHA-256 thumbprints specified through the `thp` configuration option. Consequently, clients did not bind to Tang servers that used SHA-256 thumbprints, and every corresponding `clevis encrypt tang` command reported an error. With this update, Clevis recognizes thumbprints using SHA-256 and handles them correctly. As a result, Clevis clients can bind not only to Tang servers using SHA-1 but also SHA-256 thumbprints. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-11-14 15:32:36 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (clevis bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:6971
Description of problem:
clevis (tang) in RHEL-8 does not recognize SHA-256 thumbprints when specified via the "thp" configuration option. Instead, it complains that the trusted JWK did not sign the advertisement.

Version-Release number of selected component (if applicable):
clevis-15-14.el8

How reproducible:
Always

Steps to Reproduce:
1. Get a SHA-256 thumbprint from a tang server, e.g.:
   curl TANG_SERVER/adv | jose fmt -j- -g payload -y -o- | jose jwk use -i- -r -u verify -o- | jose jwk thp -i- -a S256
2. Try to use this thumbprint with clevis and the tang pin:
   echo foo | clevis encrypt tang '{"url": "localhost", "thp": "uJzbiBZ6QYiYfTNiD9h6NZkNi5ZjvY2dgPuGvF0R2hA"}'

Actual results:
Trusted JWK 'uJzbiBZ6QYiYfTNiD9h6NZkNi5ZjvY2dgPuGvF0R2hA' did not sign the advertisement!

Expected results:
It works and the JWE is displayed.
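The failure mode in the report comes down to how the client selects the advertised key that the configured `thp` refers to. The following is an added Python illustration, not clevis's or tang's code: it computes RFC 7638 JWK thumbprints (the same thing `jose jwk thp -a S1|S256` produces), then models key selection once with SHA-1 only (the behaviour the bug describes) and once accepting both SHA-256 and SHA-1 (the behaviour the fix provides). The function names `jwk_thumbprint`, `select_trusted_key` and `verify_adv_signed_by`, the `algs` parameter, and the `SAMPLE_ADV_KEYS` advertisement (made-up EC coordinates, not real Tang keys) are all assumptions of this example.

```python
import base64
import hashlib
import json

# Members that RFC 7638 hashes for each key type; everything else in the JWK
# (alg, key_ops, kid, ...) is ignored when computing the thumbprint.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}

# Hash algorithms keyed by the short names `jose jwk thp -a` uses.
HASHES = {"S1": hashlib.sha1, "S256": hashlib.sha256}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding thumbprints use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict, alg: str = "S256") -> str:
    """RFC 7638 thumbprint: hash of the required members, sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(HASHES[alg](canonical.encode("utf-8")).digest())


def select_trusted_key(adv_keys, thp, algs=("S1",)):
    """Return the advertised key whose thumbprint equals `thp` under any of `algs`.

    Hypothetical helper, not clevis's implementation. With algs=("S1",) it
    mirrors the reported behaviour: only SHA-1 thumbprints are compared, so a
    SHA-256 `thp` never matches. With algs=("S256", "S1") it accepts both.
    """
    for jwk in adv_keys:
        for alg in algs:
            if jwk_thumbprint(jwk, alg) == thp:
                return jwk
    return None


def verify_adv_signed_by(adv_keys, thp, algs=("S1",)):
    """Model of the `clevis encrypt tang` check: raise the report's error when no
    advertised key carries the configured thumbprint (assumed structure)."""
    key = select_trusted_key(adv_keys, thp, algs)
    if key is None:
        raise ValueError(f"Trusted JWK '{thp}' did not sign the advertisement!")
    return key


# Constructed sample advertisement payload: two keys with made-up coordinates
# (not real Tang keys; only the thumbprint arithmetic matters here).
SAMPLE_ADV_KEYS = [
    {"kty": "EC", "crv": "P-521", "alg": "ES512", "key_ops": ["verify"],
     "x": "constructed-x-1", "y": "constructed-y-1"},
    {"kty": "EC", "crv": "P-521", "alg": "ECMR", "key_ops": ["deriveKey"],
     "x": "constructed-x-2", "y": "constructed-y-2"},
]


def demo():
    """Run the SHA-1 and SHA-256 thumbprint of the verify key through both
    selection policies and collect the outcome of each combination."""
    verify_key = SAMPLE_ADV_KEYS[0]
    outcomes = {}
    for policy, algs in (("before fix", ("S1",)), ("after fix", ("S256", "S1"))):
        for alg in ("S1", "S256"):
            thp = jwk_thumbprint(verify_key, alg)
            try:
                verify_adv_signed_by(SAMPLE_ADV_KEYS, thp, algs)
                outcomes[(policy, alg)] = "ok"
            except ValueError as exc:
                outcomes[(policy, alg)] = str(exc)
    return outcomes


if __name__ == "__main__":
    for (policy, alg), outcome in demo().items():
        print(f"{policy:10s} thp={alg:4s} -> {outcome}")
```

A quick way to tell which hash a `thp` value was produced with is its length: a padding-stripped base64url SHA-1 digest is 27 characters, a SHA-256 digest is 43 (the value in the report is 43). A client that only ever computes SHA-1 thumbprints of the advertised keys can therefore never match a SHA-256 `thp`, which is exactly why every `clevis encrypt tang` invocation with such a value failed before clevis-15-15.el8.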