
Jose unable to parse setting containing an array #68

Closed
dnoliver opened this issue Jun 5, 2019 · 2 comments

Comments


dnoliver commented Jun 5, 2019

Discovered in latchset/clevis#102

Clevis is failing to create a TPM PCR Policy to enforce platform integrity state through Jose when the number of selected pcr_ids is more than one, and an array is passed to the configuration.

From @martinezjavier comment:

$ jose fmt -j- -Og pcr_ids -u- <<< '{"pcr_bank":"sha1","pcr_ids":"16"}'
16
$ echo $?
0

$ jose fmt -j- -Og pcr_ids -u- <<< '{"pcr_bank":"sha1","pcr_ids":["16"]}'
$ echo $?
4

Apparently, Jose is not happy with the array notation in pcr_ids.
Due to this, on Clevis, when using more than one PCR to declare the policy, it silently fails to parse the config and creates the LUKS key slot without any PCR policy.

Jose Version: jose-10-3.fc29.x86_64

dnoliver changed the title from "Jose unable to parse {"pcr_bank":"sha1","pcr_ids":["16"]} setting" to "Jose unable to parse setting containing an array" on Jun 5, 2019

sergio-correia (Collaborator) commented:

I am not sure this is an actual bug in jose. jose-fmt man page for -u option is as follows: Write TOP (str.) to STDOUT without quotes.

However we are now trying to use this option against an array. jose does parse it correctly, as we can see if you just change the -u- option to -o-:

$ jose fmt -j- -Og pcr_ids -o- <<< '{"pcr_bank":"sha1","pcr_ids":["16"]}'
["16"]
$ echo $?
0

We can also use -A to check whether jose thinks it is an actual array:

$ jose fmt -j- -Og pcr_ids -A <<< '{"pcr_bank":"sha1","pcr_ids":["16"]}'
$ echo $?
0


dnoliver commented Dec 4, 2019

Agreed, I now think that clevis-encrypt-tpm should be validating that the configuration passed to "pcr_ids" is a string configuration instead of blindly accepting what jose returns in stdout.

As you said, -u expects a string, and it will not magically convert an array of things into a comma-separated string.

Thanks! Closing.
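The validation the thread concludes clevis-encrypt-tpm should do, as an added example that is not clevis or jose code: accept "pcr_ids" as either a comma-separated string or a JSON array, normalise it to the string form, and refuse anything else instead of silently producing a key slot with no PCR policy. The PCR range check (0 to 23, the PCR count on PC Client TPMs) is an assumption layered on top of what the issue discusses.

```python
import json


def parse_pcr_ids(config_json):
    """Return the pcr_ids of a clevis tpm2 config as a comma-separated string.

    Accepts the string form ("16", "7,16") and the array form (["16"], [7,16])
    that `jose fmt -u` refuses, returns None when no pcr_ids is given, and
    raises ValueError for any other shape or for non-PCR values.
    """
    cfg = json.loads(config_json)
    if not isinstance(cfg, dict):
        raise ValueError("config must be a JSON object")
    raw = cfg.get("pcr_ids")
    if raw is None:
        return None  # no PCR policy requested; caller decides what that means
    if isinstance(raw, str):
        items = [s.strip() for s in raw.split(",")]
    elif isinstance(raw, list):
        # bool is a subclass of int, so str(True) == "True" fails the digit check below
        items = [str(x).strip() for x in raw]
    else:
        raise ValueError("pcr_ids must be a string or an array, got %s" % type(raw).__name__)
    for item in items:
        # Assumption: PC Client TPMs expose PCR 0-23; reject anything outside that.
        if not item.isdigit() or not 0 <= int(item) <= 23:
            raise ValueError("invalid PCR id %r in pcr_ids" % item)
    return ",".join(items)


def is_valid_pcr_ids_config(config_json):
    """True if parse_pcr_ids accepts the config, False if it would reject it."""
    try:
        parse_pcr_ids(config_json)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the two forms from the issue.
    for cfg in ('{"pcr_bank":"sha1","pcr_ids":"16"}',
                '{"pcr_bank":"sha1","pcr_ids":["16"]}',
                '{"pcr_bank":"sha1","pcr_ids":[7,16]}'):
        print(cfg, "->", parse_pcr_ids(cfg))
```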
