author | Neal H. Walfield <neal@pep.foundation> | 2022-01-14 13:01:51 +0100 |
committer | Neal H. Walfield <neal@pep.foundation> | 2022-01-14 14:17:12 +0100 |
commit | d9c482b441e0b6f9becd09791061a3a54b1c7aba (patch) | |
tree | 0a5d73c758146bcc86c3e63c72e66003e5fe00ae | |
parent | 42a3accc76560f0ea470137592e8fbad10dc98b9 (diff) |
sq: Make sq certify work with password-protected keys.
- Use `get_certification_keys` to get the certification key. This
also unlocks the key, if needed.
Fixes #776.
- Add `--private-key-store` as an option to also work with keys
stored on a PKS.
-rw-r--r-- | sq/src/commands/certify.rs | 10 | ||||
-rw-r--r-- | sq/src/sq-usage.rs | 5 | ||||
-rw-r--r-- | sq/src/sq_cli.rs | 6 |
3 files changed, 17 insertions, 4 deletions
diff --git a/sq/src/commands/certify.rs b/sq/src/commands/certify.rs
index 98c28402..c497d301 100644
--- a/sq/src/commands/certify.rs
+++ b/sq/src/commands/certify.rs
@@ -12,6 +12,7 @@ use openpgp::types::SignatureType;
use crate::Config;
use crate::parse_duration;
use crate::SECONDS_IN_YEAR;
+use crate::commands::get_certification_keys;
pub fn certify(config: Config, m: &clap::ArgMatches)
-> Result<()>
@@ -21,6 +22,7 @@ pub fn certify(config: Config, m: &clap::ArgMatches)
let userid = m.value_of("userid").unwrap();
let certifier = Cert::from_file(certifier)?;
+ let private_key_store = m.value_of("private-key-store");
let cert = Cert::from_file(cert)?;
let vc = cert.with_policy(&config.policy, None)?;
@@ -141,8 +143,12 @@ pub fn certify(config: Config, m: &clap::ArgMatches)
// Sign it.
- let mut signer = certifier.primary_key().key().clone()
- .parts_into_secret()?.into_keypair()?;
+ let signers = get_certification_keys(
+ &[certifier], &config.policy,
+ private_key_store,
+ None)?;
+ assert_eq!(signers.len(), 1);
+ let mut signer = signers.into_iter().next().unwrap();
let certification = builder
.sign_userid_binding(
diff --git a/sq/src/sq-usage.rs b/sq/src/sq-usage.rs
index f3ac305b..0951f6f5 100644
--- a/sq/src/sq-usage.rs
+++ b/sq/src/sq-usage.rs
@@ -981,6 +981,9 @@
//! -o, --output <FILE>
//! Writes to FILE or stdout if omitted
//!
+//! --private-key-store <KEY_STORE>
//! Provides parameters for private key store
//!
+//! -r, --regex <REGEX>...
//! Adds a regular expression to constrain what a trusted introducer can
//! certify. The regular expression must match the certified User ID in
@@ -990,7 +993,7 @@
//!
//! ARGS:
//! <CERTIFIER-KEY>
-//! Creates the certificate using CERTIFIER-KEY.
+//! Creates the certification using CERTIFIER-KEY.
//!
//! <CERTIFICATE>
//! Certifies CERTIFICATE.
diff --git a/sq/src/sq_cli.rs b/sq/src/sq_cli.rs
index 64c35de1..600bef3a 100644
--- a/sq/src/sq_cli.rs
+++ b/sq/src/sq_cli.rs
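Review bot: `assert_eq!(signers.len(), 1)` and the `.unwrap()` on the line after it make the number of keys returned for the user-supplied certifier certificate a panic condition rather than an error; `get_certification_keys` is not visible in this hunk, so whether it can return zero or several keys for one certificate is unverified, but the certifier file is untrusted input and a panic is the wrong failure mode for it. A `?`-propagated error keeps the same happy path, e.g. `let mut signer = signers.into_iter().next().ok_or_else(|| anyhow::anyhow!("No certification-capable key found in the certifier certificate"))?;` (assuming `Result` here is `anyhow::Result`), with a second explicit error when more than one key comes back, since silently taking the first would certify with a key the user did not choose. The enclosing `certify` starts and ends outside this hunk.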
@@ -1116,7 +1116,11 @@ $ sq certify juliet.pgp romeo.pgp \"<romeo@example.org>\"
.value_name("CERTIFIER-KEY")
.required(true)
.index(1)
- .help("Creates the certificate using CERTIFIER-KEY."))
+ .help("Creates the certification using CERTIFIER-KEY."))
+ .arg(Arg::with_name("private-key-store")
+ .long("private-key-store").value_name("KEY_STORE")
+ .help("Provides parameters for private key store"))
+ .arg(Arg::with_name("certificate")
.value_name("CERTIFICATE")
.required(true) |