forked from olastor/clevis-pin-fido2
-
Notifications
You must be signed in to change notification settings - Fork 0
/
clevis-decrypt-fido2
executable file
·104 lines (88 loc) · 3.28 KB
/
clevis-decrypt-fido2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/bin/bash
DEFAULT_TIMEOUT='120'
set -eu
[ $# -eq 1 ] && [ "$1" == "--summary" ] && exit 2
if [ -t 0 ]; then
exec >&2
echo
echo "Usage: clevis decrypt fido2 < JWE > PLAINTEXT"
echo
exit 2
fi
get_parm () {
elements="${1//\// --get }"
mandatory="$2"
#shellcheck disable=SC2086
if ! output="$(jose fmt --json="${hdr}" ${elements} --unquote=-)" && [[ ${mandatory} -eq 1 ]]; then
echo "${0##*/}: JWE missing '${elements##* }' header parameter!" >&2
exit 1
fi
echo "${output}"
}
read -r -d . hdr64
if ! hdr="$(jose fmt --quote="$hdr64" --string --b64load --object --output=-)" ; then
echo "${0##*/}: JWE header corrupt!" >&2
exit 1
fi
if [ "$(get_parm /clevis/pin 1)" != 'fido2' ] ; then
echo "${0##*/}: JWE pin mismatch!" >&2
exit 1
fi
hmac_salt="$(get_parm /clevis/fido2/hmac_salt 1)"
rp_id="$(get_parm /clevis/fido2/rp_id 1)"
cred_id="$(get_parm /clevis/fido2/cred_id 1)"
uv="$(get_parm /clevis/fido2/uv 1)"
up="$(get_parm /clevis/fido2/up 1)"
pin="$(get_parm /clevis/fido2/pin 1)"
timeout="$(get_parm /clevis/fido2/timeout 0)"
device="$(get_parm /clevis/fido2/device 0)"
fido2_token="${FIDO2_TOKEN:-$device}"
show_msg=1
user_timeout="${TIMEOUT:-$timeout}"
timeout1="${user_timeout:-$DEFAULT_TIMEOUT}"
while [[ ! -c "${fido2_token}" ]]; do
sleep 1
if [[ -z "${fido2_token}" ]]; then
fido2_tokens="$(fido2-token -L)"
if [[ -z "${fido2_tokens}" && show_msg -eq 1 ]]; then
echo "${0##*/}: Please insert your FIDO2 token" >&2
show_msg=0
fi
fido2_token="$(echo "${fido2_tokens}" | head -n1 | cut -d':' -f1)"
num_tokens="$(echo "${fido2_tokens}" | wc -l)"
if ((num_tokens > 1)); then
echo "${0##*/}: Warning: There are multiple tokens. Will use the first one (${fido2_token})." >&2
fi
else
if [[ show_msg -eq 1 ]]; then
echo "${0##*/}: Please insert your specified FIDO2 token ${fido2_token} (if available)" >&2
show_msg=0
fi
fi
# see 'sleep 1' above--we're keeping things simple here (cf. https://unix.stackexchange.com/a/156133/238272)
timeout1=$((timeout1-1))
if [[ ${timeout1} -lt 1 ]]; then
if [[ -z "${fido2_token}" ]]; then
echo "${0##*/}: Error: No FIDO2 token found within ${timeout} seconds." >&2
else
echo "${0##*/}: Error: specified FIDO2 token ${fido2_token} not found within ${timeout} seconds." >&2
fi
exit 1
fi
done
client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)"
f2a_uv="-t uv=${uv}"
if [ "${uv}" == "false" ] && ! fido2-token -I "${fido2_token}" | grep -qE "options:.* uv" ; then
# Yubikey 5 NFC w/ libfido2 v1.14.0 does _not_ allow to explicitly specify "-t uv=true|false" below
# (cf. https://github.com/Yubico/libfido2/issues/642#issuecomment-1303673367: "`uv` option [...] controls
# device-native UV such as biometrics or on-authenticator PIN pad")
f2a_uv=""
fi
#shellcheck disable=SC2086
hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \
fido2-assert -G -h ${f2a_uv} -t "up=${up}" -t "pin=${pin}" "${fido2_token}" | \
head -n5 | tail -n1 | base64 -d | jose b64 enc -I -)"
# use the secret in a key wrapping key
jwk='{"alg":"A256GCM", "kty":"oct"}'
jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)"
( printf '%s' "$jwk$hdr64." ; cat ) | exec jose jwe dec --key=- --input=-