Create advertisements offline about tang HOT 3 CLOSED

Sorry, I don't understand what you mean by a "valid advertisement payload". The files that are generated by tang are done in the way you specified.

Apart from that, tang uses a SHA mechanism to get the file names used by tang. This is done by using "jose jwk thp"

But the content is generated similarly to the way you specified.

If you check the file ./src/tangd-rotate-keys.in, you can check how the keys are rotated (which in the end is a move + new key generation):

    DEFAULT_THP_HASH="S256"                                                     
    for alg in "ES512" "ECMR"; do                                               
        json="$(printf '{"alg": "%s"}' "${alg}")"                               
        jwe="$(jose jwk gen --input "${json}")"                                 
        thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \                  
                                           -a "${DEFAULT_THP_HASH}")"           
        echo "${jwe}" > "${thp}.jwk"                                            
        set_perms "${thp}.jwk"                                                  
        log "Created new key ${thp}.jwk" "${VERBOSE}"                           
    done  

As you can see, "jose jwk gen --input" is used (similar to what you posted), and the file name is calculated passing that output to "jose jwk thp --input=- -a S256"

Hope this helps

from tang.

@sarroutbi Thank you for your reply!

Sorry, I don't understand what you mean by a "valid advertisement payload".

Sorry, my explanation was probably not detailed enough. I am trying to generate the keys offline as well as what is returned by "http://<TANG_URL>/adv" with jose so that I would be able to use clevis with the tang pin even before the tang server was created.

If you check the file ./src/tangd-rotate-keys.in, you can check how the keys are rotated (which in the end is a move + new key generation):

Thanks for that pointer about the file names!

from tang.

I've figured it out. The advertisement seems to be a payload of the form { "keys": [<signing-public-key>, <exchange-public-key>] } that is signed with the signing private key. The public keys can be derived from the keys in /var/db/tang, e.g., cat <keyfile> | jose jwk pub -i - -o - and the payload can then be signed, e.g. echo "${payload}" | jose jws sig -k <priv-sig-keyfile> -I - -o -. The output should be valid to use with clevis with the "adv" field to make offline encryption work.

from tang.