luks-list: add arg to show thumbprint

latchset · Jun 9, 2022 · 0a77b32 · 0a77b32
1 parent ebdc5e8
commit 0a77b32
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
@@ -163,6 +163,7 @@ clevis_luks_decode_jwe() {
 clevis_luks_print_pin_config() {
     local P="${1}"
     local decoded="${2}"
+    local THP="${3}"
 
     local content
     if ! content="$(jose fmt -j- -g clevis -g "${P}" -o- <<< "${decoded}")" \
@@ -175,9 +176,13 @@ clevis_luks_print_pin_config() {
     tang)
         local url adv thp
         url="$(jose fmt -j- -g url -u- <<< "${content}")"
-        adv="$(jose fmt -j- -g adv -o- <<< "${content}")"
-        thp="$(jose jwk thp -i- <<< "${adv}" | tail -n1)"
-        pin=$(printf '{"url":"%s","thp":"%s"}' "${url}" "${thp}")
+        if [ -z "${THP}" ]; then
+            pin=$(printf '{"url":"%s"}' "${url}")
+        else
+            adv="$(jose fmt -j- -g adv -o- <<< "${content}")"
+            thp="$(jose jwk thp -i- <<< "${adv}" | tail -n1)"
+            pin=$(printf '{"url":"%s","thp":"%s"}' "${url}" "${thp}")
+        fi
         printf "tang '%s'" "${pin}"
         ;;
     tpm2)
@@ -209,6 +214,7 @@ clevis_luks_print_pin_config() {
 # from it.
 clevis_luks_decode_pin_config() {
     local jwe="${1}"
+    local THP="${2}"
 
     local decoded
     if ! decoded=$(clevis_luks_decode_jwe "${jwe}"); then
@@ -220,7 +226,7 @@ clevis_luks_decode_pin_config() {
         return 1
     fi
 
-    clevis_luks_print_pin_config "${P}" "${decoded}"
+    clevis_luks_print_pin_config "${P}" "${decoded}" "${THP}"
 }
 
 # clevis_luks_join_sss_cfg() will receive a list of configurations for a given
@@ -288,14 +294,15 @@ clevis_luks_process_sss_pin() {
 clevis_luks_read_pins_from_slot() {
     local DEV="${1}"
     local SLOT="${2}"
+    local THP="${3}"
 
     local jwe
     if ! jwe=$(clevis_luks_read_slot "${DEV}" "${SLOT}" 2>/dev/null); then
         return 1
     fi
 
     local cfg
-    if ! cfg="$(clevis_luks_decode_pin_config "${jwe}")"; then
+    if ! cfg="$(clevis_luks_decode_pin_config "${jwe}" "${THP}")"; then
         return 1
     fi
     printf "%s: %s\n" "${SLOT}" "${cfg}"

diff --git a/src/luks/clevis-luks-list b/src/luks/clevis-luks-list
@@ -25,14 +25,16 @@ SUMMARY="Lists pins bound to a LUKSv1 or LUKSv2 device"
 
 function usage() {
     echo >&2
-    echo "Usage: clevis luks list -d DEV [-s SLT]" >&2
+    echo "Usage: clevis luks list -d DEV [-s SLT] [-t]" >&2
     echo >&2
     echo "$SUMMARY": >&2
     echo >&2
     echo "  -d DEV  The LUKS device to list bound pins" >&2
     echo >&2
     echo "  -s SLOT The slot number to list" >&2
     echo >&2
+    echo "  -t show thumbprints in the output" >&2
+    echo >&2
     exit 1
 }
 
@@ -45,6 +47,7 @@ while getopts ":d:s:" o; do
     case "$o" in
     d) DEV=${OPTARG};;
     s) SLT=${OPTARG};;
+    t) THP="true";;
     *) usage;;
     esac
 done
@@ -62,15 +65,15 @@ if cryptsetup isLuks --type luks1 "${DEV}"; then
 fi
 
 if [ -n "${SLT}" ]; then
-    clevis_luks_read_pins_from_slot "${DEV}" "${SLT}"
+    clevis_luks_read_pins_from_slot "${DEV}" "${SLT}" "${THP}"
 else
     if ! used_slots=$(clevis_luks_used_slots "${DEV}"); then
         echo "No used slots detected for device ${DEV}!" >&2
         exit 1
     fi
 
     for s in ${used_slots}; do
-        if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}"; then
+        if ! clevis_luks_read_pins_from_slot "${DEV}" "${s}" "${THP}"; then
             continue
         fi
     done