diff --git a/src/zlevis-decrypt b/src/zlevis-decrypt
index 17672bc..c218fbd 100755
--- a/src/zlevis-decrypt
+++ b/src/zlevis-decrypt
@@ -64,36 +64,36 @@ fi
 echo "$jhd" > "$tmp"/jhd
 # Validate the JWE pin type
-if [ "$(jose fmt -j- -Og clevis -g pin -u- < "$tmp"/jhd)" != "tpm2" ]; then
+if [ "$(jose fmt -j- -Og zlevis -g pin -u- < "$tmp"/jhd)" != "tpm2" ]; then
 echo "JWE pin mismatch" >&2
 exit 1
 fi
 # Extract required parameters from the JWE header
-if ! hash="$(jose fmt -j- -Og clevis -g tpm2 -g hash -Su- < "$tmp"/jhd)"; then
+if ! hash="$(jose fmt -j- -Og zlevis -g tpm2 -g hash -Su- < "$tmp"/jhd)"; then
 echo "JWE missing required 'hash' header parameter!" >&2
 exit 1
 fi
-if ! key="$(jose fmt -j- -Og clevis -g tpm2 -g key -Su- < "$tmp"/jhd)"; then
+if ! key="$(jose fmt -j- -Og zlevis -g tpm2 -g key -Su- < "$tmp"/jhd)"; then
 echo "JWE missing required 'key' header parameter!" >&2
 exit 1
 fi
-if ! jwk_pub="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_pub -Su- < "$tmp"/jhd)"; then
+if ! jwk_pub="$(jose fmt -j- -Og zlevis -g tpm2 -g jwk_pub -Su- < "$tmp"/jhd)"; then
 echo "JWE missing required 'jwk_pub' header parameter!" >&2
 exit 1
 fi
 echo "$jwk_pub" > "$tmp"/jwk_pub
-if ! jwk_priv="$(jose fmt -j- -Og clevis -g tpm2 -g jwk_priv -Su- < "$tmp"/jhd)"; then
+if ! jwk_priv="$(jose fmt -j- -Og zlevis -g tpm2 -g jwk_priv -Su- < "$tmp"/jhd)"; then
 echo "JWE missing required 'jwk_priv' header parameter!" >&2
 exit 1
 fi
 echo "$jwk_priv" > "$tmp"/jwk_priv
 # Handle optional PCR parameters
-pcr_ids="$(jose fmt -j- -Og clevis -g tpm2 -g pcr_ids -Su- < "$tmp"/jhd)" || true
+pcr_ids="$(jose fmt -j- -Og zlevis -g tpm2 -g pcr_ids -Su- < "$tmp"/jhd)" || true
 pcr_spec=""
 if [ -n "$pcr_ids" ]; then
- pcr_bank="$(jose fmt -j- -Og clevis -g tpm2 -g pcr_bank -Su- < "$tmp"/jhd)"
+ pcr_bank="$(jose fmt -j- -Og zlevis -g tpm2 -g pcr_bank -Su- < "$tmp"/jhd)"
 pcr_spec="$pcr_bank:$pcr_ids"
 fi
diff --git a/src/zlevis-encrypt b/src/zlevis-encrypt
index 1e3b049..f604242 100755
--- a/src/zlevis-encrypt
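Review bot: Switching every lookup to `-Og zlevis` makes zlevis-decrypt reject any JWE produced before this change, whose protected header carries the metadata under `clevis` (as the removed lines of the zlevis-encrypt hunk show); such a JWE now fails at the first check with the misleading message "JWE pin mismatch" rather than a namespace error. If encrypted secrets already exist in the field, the decrypt side should keep reading the legacy name, for example by probing once which namespace the header uses and passing it to each `jose fmt` call. The same break applies on the producer side in the zlevis-encrypt hunk, where older decryptors will not find the renamed key; a version note in the README-level documentation would help regardless. The enclosing script continues outside the hunk.

```sh
# Prefer the new namespace, but still accept headers written under "clevis"
hdr_ns=zlevis
if ! jose fmt -j- -Og zlevis < "$tmp"/jhd >/dev/null 2>&1; then
    hdr_ns=clevis
fi

# Validate the JWE pin type
if [ "$(jose fmt -j- -Og "$hdr_ns" -g pin -u- < "$tmp"/jhd)" != "tpm2" ]; then
# … unchanged: remaining lookups, each with -Og "$hdr_ns" in place of -Og zlevis …
```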
+++ b/src/zlevis-encrypt
@@ -216,22 +216,22 @@ if ! jwk_priv="$(jose b64 enc -I "$tmp"/jwk.priv)"; then
 fi
 # Construct the JWE (JSON Web Encryption) structure
-jwe='{"protected":{"clevis":{"pin":"tpm2","tpm2":{}}}}'
-jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$hash" -s hash -UUUUo-)"
-jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$key" -s key -UUUUo-)"
+jwe='{"protected":{"zlevis":{"pin":"tpm2","tpm2":{}}}}'
+jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$hash" -s hash -UUUUo-)"
+jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$key" -s key -UUUUo-)"
 # Include PCR bank and IDs in the JWE if they are provided
 if [ -n "$pcr_ids" ]; then
- jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)"
- jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$pcr_bank" -s pcr_bank -UUUUo-)"
+ jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$pcr_ids" -s pcr_ids -UUUUo-)"
 fi
 # Add the Base64 encoded JWK public and private keys to the JWE
-jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
-jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
+jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_pub" -s jwk_pub -UUUUo-)"
+jwe="$(jose fmt -j "$jwe" -g protected -g zlevis -g tpm2 -q "$jwk_priv" -s jwk_priv -UUUUo-)"
 # Output the final JWE
-(echo "$jwe$jwk"; /bin/cat) | jose jwe enc -i- -k- -I- -c
+(echo "$jwe$jwk$(/bin/cat)") | jose jwe enc -i- -k- -I- -c
 # Exit with the status of the last command
 exit $?
\ No newline at end of file
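Review bot: The new `$(/bin/cat)` on the output line no longer passes the plaintext through unchanged: a command substitution strips every trailing newline and bash discards NUL bytes from the captured value, so newline-terminated or binary input meant for `-I-` is silently altered before `jose jwe enc` sees it, whereas the removed `(echo "$jwe$jwk"; /bin/cat)` streamed stdin byte-for-byte. If the plaintext is key material, as the tpm2 pin layout suggests but the hunk does not show, the JWE will later decrypt to something different from what the caller supplied. Holding the whole plaintext in a shell variable also exposes it to `set -x` tracing, which the streaming form avoided. Restore the original line: `(echo "$jwe$jwk"; /bin/cat) | jose jwe enc -i- -k- -I- -c`.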