From 93f34a0f0018904966096f8676fe180f790a5bf1 Mon Sep 17 00:00:00 2001
From: Ronan Pigott <rpigott@berkeley.edu>
Date: Wed, 8 Jun 2022 14:52:56 -0700
Subject: [PATCH] luks-list: add arg to show tang key thumbprints

---
 src/luks/clevis-luks-common-functions.in | 22 ++++++++++++++++------
 src/luks/clevis-luks-list                | 11 +++++++----
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
index 743d638b..453273b7 100644
--- a/src/luks/clevis-luks-common-functions.in
+++ b/src/luks/clevis-luks-common-functions.in
@@ -163,6 +163,7 @@ clevis_luks_decode_jwe() {
 clevis_luks_print_pin_config() {
     local P="${1}"
     local decoded="${2}"
+    local THP="${3}"
 
     local content
     if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \
@@ -173,9 +174,15 @@ clevis_luks_print_pin_config() {
     local pin=
     case "${P}" in
     tang)
-        local url
+        local url adv thp
         url="$(jose fmt -j- -g url -u- <<< "${content}")"
-        pin=$(printf '{"url":"%s"}' "${url}")
+        if [ -z "${THP}" ]; then
+            pin=$(printf '{"url":"%s"}' "${url}")
+        else
+            adv="$(jose fmt -j- -g adv -o- <<< "${content}")"
+            thp="$(jose jwk thp -i- <<< "${adv}" | tail -n1)"
+            pin=$(printf '{"url":"%s","thp":"%s"}' "${url}" "${thp}")
+        fi
         printf "tang '%s'" "${pin}"
         ;;
     tpm2)
@@ -195,7 +202,7 @@ clevis_luks_print_pin_config() {
     sss)
         local threshold
         threshold=$(jose fmt -j- -Og t -o- <<< "${content}")
-        clevis_luks_process_sss_pin "${content}" "${threshold}"
+        clevis_luks_process_sss_pin "${content}" "${threshold}" "${THP}"
         ;;
     *)
         printf "unknown pin '%s'" "${P}"
@@ -207,6 +214,7 @@ clevis_luks_print_pin_config() {
 # from it.
 clevis_luks_decode_pin_config() {
     local jwe="${1}"
+    local THP="${2}"
 
     local decoded
     if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then
@@ -218,7 +226,7 @@ clevis_luks_decode_pin_config() {
         return 1
     fi
 
-    clevis_luks_print_pin_config "${P}" "${decoded}"
+    clevis_luks_print_pin_config "${P}" "${decoded}" "${THP}"
 }
 
 # clevis_luks_join_sss_cfg() will receive a list of configurations for a given
@@ -235,6 +243,7 @@ clevis_luks_join_sss_cfg() {
 clevis_luks_process_sss_pin() {
     local jwe="${1}"
     local threshold="${2}"
+    local THP="${3}"
 
     local sss_tang
     local sss_tpm2
@@ -245,7 +254,7 @@ clevis_luks_process_sss_pin() {
 
     local coded
     for coded in $(jose fmt -j- -Og jwe -Af- <<< "${jwe}"| tr -d '"'); do
-        if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}")"; then
+        if ! pin_cfg="$(clevis_luks_decode_pin_config "${coded}" "${THP}")"; then
             continue
         fi
         read -r pin cfg <<< "${pin_cfg}"
@@ -286,6 +295,7 @@ clevis_luks_process_sss_pin() {
 clevis_luks_read_pins_from_slot() {
     local DEV="${1}"
     local SLOT="${2}"
+    local THP="${3}"
 
     local jwe
     if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then
@@ -293,7 +303,7 @@ clevis_luks_read_pins_from_slot() {
     fi
 
     local cfg
-    if ! cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
+    if ! cfg="$(clevis_luks_decode_pin_config "${jwe}" "${THP}")"; then
         return 1
     fi
     printf "%s: %s\n" "${SLOT}" "${cfg}"
diff --git a/src/luks/clevis-luks-list b/src/luks/clevis-luks-list
index 40b68b84..9520379a 100755
--- a/src/luks/clevis-luks-list
+++ b/src/luks/clevis-luks-list
@@ -25,7 +25,7 @@ SUMMARY="Lists pins bound to a LUKSv1 or LUKSv2 device"
 
 function usage() {
     echo >&2
-    echo "Usage: clevis luks list -d DEV [-s SLT]" >&2
+    echo "Usage: clevis luks list -d DEV [-s SLT] [-t]" >&2
     echo >&2
     echo "$SUMMARY": >&2
     echo >&2
@@ -33,6 +33,8 @@ function usage() {
     echo >&2
     echo "  -s SLOT The slot number to list" >&2
     echo >&2
+    echo "  -t show thumbprints in the output" >&2
+    echo >&2
     exit 1
 }
 
@@ -41,10 +43,11 @@ if [ ${#} -eq 1 ] && [ "${1}" = "--summary" ]; then
     exit 0
 fi
 
-while getopts ":d:s:" o; do
+while getopts ":d:s:t" o; do
     case "$o" in
     d) DEV=${OPTARG};;
     s) SLT=${OPTARG};;
+    t) THP="true";;
     *) usage;;
     esac
 done
@@ -62,7 +65,7 @@ if cryptsetup isLuks --type luks1 "${DEV}"; then
 fi
 
 if [ -n "${SLT}" ]; then
-    clevis_luks_read_pins_from_slot "${DEV}" "${SLT}"
+    clevis_luks_read_pins_from_slot "${DEV}" "${SLT}" "${THP}"
 else
     if ! used_slots=$(clevis_luks_used_slots "${DEV}"); then
         echo "No used slots detected for device ${DEV}!" >&2
@@ -70,7 +73,7 @@ else
     fi
 
     for s in ${used_slots}; do
-        if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then
+        if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}" "${THP}"; then
             continue
         fi
     done