latchset / tang

Tang binding daemon
GNU General Public License v3.0

Key rotation resulted in HTTP 404 return error #28

Closed (hddmet closed this issue 6 years ago)

hddmet commented 6 years ago

Causes

system:

case 1:

    DB=/var/db/tang
    jose jwk gen -i '{"alg":"ES512"}' -o $DB/new_sig.jwk
    jose jwk gen -i '{"alg":"ECMR"}' -o $DB/new_exc.jwk

Hide old keys by renaming them.

case 2:

    tangd-keygen /var/db/tang

In both cases, the service returns 404.

Partial Fixes:

    tangd-update /var/db/tang /var/db/cache

The service now returns 200 (at least most of the time), and executing tangd-update again will most certainly do it.

CRITICAL PROBLEM

system: ubuntu 18.04

setup BEFORE key rotation

    clevis luks bind -d /dev/sda tang '{"url":...}'
    systemctl enable clevis-luks-askpass.path

Decryption at boot works properly before key rotation.

FAILED: after key rotation
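As an added example (not from this issue and not code from the tang project), a rotation helper for the tangd-keygen/tangd-update layout used above: it hides the currently advertised keys using Tang's dot-prefix convention for unadvertised keys (a hidden key still unlocks clients that bound against it), generates new signing and exchange keys, rebuilds the cache with tangd-update, which is the step whose omission produced the 404s, and optionally checks that /adv answers 200. The TANG_DB, TANG_CACHE, TANG_ROTATE and TANG_URL variables and the timestamped file names are assumptions of this example.

```shell
#!/bin/sh
# Added example for tang key rotation; assumes jose, tangd-update and curl
# are installed and that the key directory and cache use the issue's paths.
set -u

DB="${TANG_DB:-/var/db/tang}"        # assumed variable names
CACHE="${TANG_CACHE:-/var/db/cache}"

# Rename every advertised key (no leading ".") to a hidden one (leading ".").
# The sh glob skips dot-files, so already-hidden keys are left alone.
# Prints each new path so the operator has a record of what was hidden.
hide_active_keys() {
    dir="$1"
    for key in "$dir"/*.jwk; do
        [ -e "$key" ] || continue           # glob matched nothing
        name=$(basename "$key")
        mv "$key" "$dir/.$name"
        printf '%s\n' "$dir/.$name"
    done
}

# Number of keys tangd will advertise (non-hidden .jwk files).
count_advertised() {
    n=0
    for key in "$1"/*.jwk; do
        [ -e "$key" ] && n=$((n + 1))
    done
    echo "$n"
}

# Full rotation: hide the old keys, create a fresh signing (ES512) and
# exchange (ECMR) key, then rebuild the cache that tangd serves from.
rotate_tang_keys() {
    db="$1"; cache="$2"
    stamp=$(date +%Y%m%d%H%M%S)          # constructed file-name suffix
    hide_active_keys "$db"
    jose jwk gen -i '{"alg":"ES512"}' -o "$db/sig-$stamp.jwk"
    jose jwk gen -i '{"alg":"ECMR"}'  -o "$db/exc-$stamp.jwk"
    tangd-update "$db" "$cache"
}

# Post-rotation check: fails on the 404 symptom described in this issue.
check_adv() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/adv")
    [ "$code" = 200 ]
}

if [ "${TANG_ROTATE:-0}" = 1 ]; then     # only act when explicitly asked
    rotate_tang_keys "$DB" "$CACHE"
    [ -n "${TANG_URL:-}" ] && check_adv "$TANG_URL"
fi
```

Run with TANG_ROTATE=1 to perform the rotation; set TANG_URL to the server's base URL to also verify the advertisement endpoint afterwards.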

hddmet commented 6 years ago

I just verified that tang + clevis works properly, but on Ubuntu the systemd-ask-password socket refuses to connect when the password is piped into it.