Create advertisements offline #96

Closed
olastor opened this issue Sep 12, 2022 · 3 comments
olastor commented Sep 12, 2022

Hi, is there a way to create the keys (under /var/db/tang) and advertisements offline without having tang installed by just using the jose cli?

The key generation is mentioned in the docs:

$ sudo jose jwk gen -i '{"alg":"ES512"}' -o /var/db/tang/newsig.jwk
$ sudo jose jwk gen -i '{"alg":"ECMR"}' -o /var/db/tang/newexc.jwk

but I'm not sure which command will output a valid advertisement payload.

@olastor olastor changed the title Create advertisement offline Create keys and advertisements offline Sep 12, 2022
@olastor olastor changed the title Create keys and advertisements offline Create advertisements offline Sep 12, 2022
sarroutbi (Collaborator) commented Sep 12, 2022

Sorry, I don't understand what you mean by a "valid advertisement payload". The files that are generated by tang are done in the way you specified.

Apart from that, tang uses a SHA mechanism to get the file names used by tang. This is done by using "jose jwk thp".

But the content is generated similarly to the way you specified.

If you check the file ./src/tangd-rotate-keys.in, you can check how the keys are rotated (which in the end is a move + new key generation):

    DEFAULT_THP_HASH="S256"
    for alg in "ES512" "ECMR"; do
        json="$(printf '{"alg": "%s"}' "${alg}")"
        jwe="$(jose jwk gen --input "${json}")"
        thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
                                           -a "${DEFAULT_THP_HASH}")"
        echo "${jwe}" > "${thp}.jwk"
        set_perms "${thp}.jwk"
        log "Created new key ${thp}.jwk" "${VERBOSE}"
    done

As you can see, "jose jwk gen --input" is used (similar to what you posted), and the file name is calculated by passing that output to "jose jwk thp --input=- -a S256".

Hope this helps.

olastor (Author) commented Sep 12, 2022

@sarroutbi Thank you for your reply!

> Sorry, I don't understand what you mean by a "valid advertisement payload".

Sorry, my explanation was probably not detailed enough. I am trying to generate the keys offline as well as what is returned by "http://<TANG_URL>/adv" with jose so that I would be able to use clevis with the tang pin even before the tang server was created.

> If you check the file ./src/tangd-rotate-keys.in, you can check how the keys are rotated (which in the end is a move + new key generation):

Thanks for that pointer about the file names!

olastor (Author) commented Sep 22, 2022

I've figured it out. The advertisement seems to be a payload of the form `{ "keys": [<signing-public-key>, <exchange-public-key>] }` that is signed with the signing private key. The public keys can be derived from the keys in /var/db/tang, e.g., `cat <keyfile> | jose jwk pub -i - -o -`, and the payload can then be signed, e.g. `echo "${payload}" | jose jws sig -k <priv-sig-keyfile> -I - -o -`. The output should be valid to use with clevis with the "adv" field to make offline encryption work.
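The procedure from the last comment, carried end to end as an added example (not code from the thread, from tang or from clevis): generate the two keys with thumbprint file names as tangd-rotate-keys does, strip them to their public halves, wrap those in the `{"keys":[...]}` payload, sign it with the private signing key, and verify the result the way a client would before trusting it. It assumes `jose` is on PATH, a writable key directory (a temp dir stands in for /var/db/tang), and adds a `"cty":"jwk-set+json"` protected header, which is an assumption about what tangd itself emits rather than something the thread states.

```shell
#!/bin/sh
# Added example, not code from the issue, from tang or from clevis.
# Assumptions: `jose` is installed; the directory given to gen_tang_keys is
# writable; the "cty":"jwk-set+json" protected header mirrors tangd's own
# advertisements (assumption, clevis does not require it).
set -eu

# Pure-shell step: wrap the two public JWKs in the {"keys":[...]} payload.
# $1 = signing public JWK (JSON text), $2 = exchange public JWK (JSON text).
build_adv_payload() {
    printf '{"keys":[%s,%s]}' "$1" "$2"
}

# Generate one ES512 (signing) and one ECMR (exchange) key in $1, naming each
# file by its S256 thumbprint like tangd-rotate-keys. Prints the two paths,
# signing key first.
gen_tang_keys() {
    db_dir="$1"
    for alg in ES512 ECMR; do
        jwk="$(jose jwk gen -i "$(printf '{"alg":"%s"}' "$alg")")"
        thp="$(printf '%s' "$jwk" | jose jwk thp -i - -a S256)"
        # private key material: owner-only permissions, no umask leak to caller
        ( umask 077; printf '%s\n' "$jwk" > "$db_dir/$thp.jwk" )
        echo "$db_dir/$thp.jwk"
    done
}

# Build and sign the advertisement. Only the public halves enter the payload;
# the private signing key produces the signature. $1 = signing key file,
# $2 = exchange key file, $3 = output path for the JWS.
make_adv() {
    sig_pub="$(jose jwk pub -i "$1" -o -)"
    exc_pub="$(jose jwk pub -i "$2" -o -)"
    build_adv_payload "$sig_pub" "$exc_pub" \
        | jose jws sig -I - -k "$1" \
              -s '{"protected":{"cty":"jwk-set+json"}}' -o "$3"
}

# Verify the advertisement against the public signing key only (the private
# part must never be needed on the client side). $1 = JWS file, $2 = signing
# key file. Exit status 0 means the signature checks out.
verify_adv() {
    jose jwk pub -i "$2" -o - | jose jws ver -i "$1" -k -
}

# Demo run, only when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    db="$(mktemp -d)"
    # shellcheck disable=SC2046  # paths from mktemp contain no whitespace
    set -- $(gen_tang_keys "$db")      # $1 = signing key, $2 = exchange key
    make_adv "$1" "$2" "$db/adv.jws"
    verify_adv "$db/adv.jws" "$1" && echo "advertisement verifies: $db/adv.jws"
    # $db/adv.jws is the JWS you would hand to clevis in the tang pin's "adv" field.
fi
```

Keep the generated `.jwk` files (they hold the private keys) out of any artifact you ship alongside the advertisement; the advertisement itself carries only public material and a signature over it, which is why a client can check it with `jose jws ver` using nothing but the embedded signing public key.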

@olastor olastor closed this as completed Sep 22, 2022