Use jose, not pwmake, for password generation (#418)

This change removes password generation with pwmake
and uses jose to do so. It has been checked that
generation is similar, as jose uses OpenSSL.
Apart from that, we will introduce --force-password
so that pwquality configuration does not bother on
LUKS operations

Resolves: #199

Signed-off-by: Sergio Arroutbi <[email protected]>

src/luks/clevis-luks-common-functions.in

@@ -20,6 +20,11 @@
 
 CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
 
+# Length, in bytes, used for password generated for LUKS key
+# This value corresponds to an entropy of 256 bits if the password
+# was generated by pwmake or similar tool
+JOSE_PASSWORD_LENGTH=40
+
 enable_debugging() {
     # Automatically enable debugging if in initramfs phase and rd.debug
     if [ -e /usr/lib/dracut-lib.sh ]; then
@@ -788,7 +793,7 @@ clevis_luks_add_key() {
     fi
     local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
 
-    printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+    printf '%s' "${input}" | cryptsetup luksAddKey --force-password --batch-mode \
                                          --key-slot "${SLT}" \
                                          "${DEV}" \
                                          ${pbkdf_args} \
@@ -818,11 +823,11 @@ clevis_luks_update_key() {
     local input extra_args=
     input="$(printf '%s\n%s' "${KEY}" "${NEWKEY}")"
     if [ -n "${KEYFILE}" ]; then
-        extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+        extra_args="$(printf -- '--key-file %s --force-password' "${KEYFILE}")"
         input="$(printf '%s' "${NEWKEY}")"
     fi
     if [ -n "${EXISTING_TOKEN_ID}" ]; then
-        extra_args="$(printf -- '--token-id %s' "${EXISTING_TOKEN_ID}")"
+        extra_args="$(printf -- '--token-id %s --force-password' "${EXISTING_TOKEN_ID}")"
         input="$(printf '%s' "${NEWKEY}")"
     fi
 
@@ -884,26 +889,10 @@ clevis_luks_save_key_to_slot() {
 
 # clevis_luks_generate_key() generates a new key for use with clevis.
 clevis_luks_generate_key() {
-    local DEV="${1}"
-    [ -z "${DEV}" ] && return 1
-
-    local dump filter bits
-    local MAX_ENTROPY_BITS=256  # Maximum allowed by pwmake.
-    dump=$(cryptsetup luksDump "${DEV}")
-    if cryptsetup isLuks --type luks1 "${DEV}"; then
-        filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
-    elif cryptsetup isLuks --type luks2 "${DEV}"; then
-        filter="$(echo -n "${dump}" | \
-                  sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p')"
-    else
-        return 1
-    fi
-
-    bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
-    if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
-        bits="${MAX_ENTROPY_BITS}"
-    fi
-    pwmake "${bits}"
+    local input
+    input=$(printf '{"kty":"oct","bytes":%s}' "${JOSE_PASSWORD_LENGTH}")
+    jose jwk gen --input="${input}" --output=- | \
+        jose fmt --json=- --object --get k --unquote=-
 }
 
 # clevis_luks_token_id_by_slot() returns the token ID linked to a
@@ -993,8 +982,7 @@ clevis_luks_do_bind() {
     fi
 
     local newkey jwe
-    if ! newkey="$(clevis_luks_generate_key "${DEV}")" \
-                   || [ -z "${newkey}" ]; then
+    if ! newkey="$(clevis_luks_generate_key)" || [ -z "${newkey}" ]; then
         echo "Unable to generate a new key" >&2
         return 1
     fi

src/luks/meson.build

@@ -1,7 +1,6 @@
 
 luksmeta_data = configuration_data()
 luksmeta = dependency('luksmeta', version: '>=8', required: false)
-pwmake = find_program('pwmake', required: false)
 
 libcryptsetup = dependency('libcryptsetup', version: '>=2.0.4', required: false)
 if libcryptsetup.found()
@@ -33,7 +32,7 @@ clevis_luks_unbind = configure_file(input: 'clevis-luks-unbind.in',
                output: 'clevis-luks-unbind',
                configuration: luksmeta_data)
 
-if libcryptsetup.found() and luksmeta.found() and pwmake.found()
+if libcryptsetup.found() and luksmeta.found()
   subdir('systemd')
   subdir('udisks2')