authorWiktor Kwapisiewicz <wiktor@metacode.biz>2022-07-12 13:34:18 +0200
committerWiktor Kwapisiewicz <wiktor@metacode.biz>2022-09-15 09:45:41 +0200
commit9b377ffd74a61f6e508b8e3063942b21ddc0b8d2 (patch)
tree4caf724b9a9c45187158948858fd4339e5f9069e
parent9cee22c8dbcd55f1b7e41668e9feb35bd1a250c3 (diff)
sq: Expose `dane get` command.
- Similar to "wkd get" this command will fetch OpenPGP certificates and display them in armored form with comments. - Fixes #865.
-rw-r--r--sq/sq-usage.md51
-rw-r--r--sq/src/commands/net.rs31
-rw-r--r--sq/src/sq.rs4
-rw-r--r--sq/src/sq_cli/dane.rs56
-rw-r--r--sq/src/sq_cli/mod.rs2
5 files changed, 144 insertions, 0 deletions
diff --git a/sq/sq-usage.md b/sq/sq-usage.md
index 927c66a3..41751068 100644
--- a/sq/sq-usage.md
+++ b/sq/sq-usage.md
@@ -71,6 +71,8 @@ SUBCOMMANDS:
Interacts with keyservers
wkd
Interacts with Web Key Directories
+ dane
+ Interacts with DANE
armor
Converts binary to ASCII
dearmor
@@ -1498,6 +1500,55 @@ OPTIONS:
Print help information
```
+## Subcommand sq dane
+
+```text
+DNS-Based Authentication of Named Entities (DANE) is a method for publishing
+public keys in DNS as specified in RFC 7929.
+
+USAGE:
+ sq dane [OPTIONS] <SUBCOMMAND>
+
+OPTIONS:
+ -n, --network-policy <NETWORK-POLICY>
+ Sets the network policy to use
+
+ [default: encrypted]
+ [possible values: offline, anonymized, encrypted, insecure]
+
+ -h, --help
+ Print help information
+
+SUBCOMMANDS:
+ get
+ Queries for certs using DANE
+ help
+ Print this message or the help of the given subcommand(s)
+```
+
+### Subcommand sq dane get
+
+```text
+Queries for certs using DANE
+
+USAGE:
+ sq dane get [OPTIONS] <ADDRESS>
+
+ARGS:
+ <ADDRESS>
+ Queries a cert for ADDRESS
+
+OPTIONS:
+ -B, --binary
+ Emits binary data
+
+ -h, --help
+ Print help information
+
+ -o, --output <FILE>
+ Writes to FILE or stdout if omitted
+```
+
## Subcommand sq armor
```text
diff --git a/sq/src/commands/net.rs b/sq/src/commands/net.rs
index 4b5e6b2e..46d23a24 100644
--- a/sq/src/commands/net.rs
+++ b/sq/src/commands/net.rs
@@ -20,6 +20,7 @@ use sequoia_net as net;
use net::{
KeyServer,
wkd,
+ dane,
};
use crate::{
@@ -173,3 +174,33 @@ pub fn dispatch_wkd(config: Config, c: sq_cli::wkd::Command) -> Result<()> {
Ok(())
}
+
+pub fn dispatch_dane(config: Config, c: sq_cli::dane::Command) -> Result<()> {
+ let network_policy: net::Policy = c.network_policy.into();
+
+ let rt = tokio::runtime::Builder::new_current_thread()
+ .enable_io()
+ .enable_time()
+ .build()?;
+
+ use crate::sq_cli::dane::Subcommands::*;
+ match c.subcommand {
+ Get(c) => {
+ // Check that the policy allows https.
+ network_policy.assert(net::Policy::Encrypted)?;
+
+ let email_address = c.email_address;
+ // XXX: EmailAddress could be created here to
+ // check it's a valid email address, print the error to
+ // stderr and exit.
+ // Because it might be created a WkdServer struct, not
+ // doing it for now.
+ let certs = rt.block_on(dane::get(&email_address))?;
+ let mut output =
+ config.create_or_stdout_safe(c.output.as_deref())?;
+ serialize_keyring(&mut output, &certs, c.binary)?;
+ },
+ }
+
+ Ok(())
+}
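Review bot: The comment `// Check that the policy allows https.` above the `network_policy.assert(net::Policy::Encrypted)?` call in dispatch_dane was carried over from the WKD path and does not describe this command: DANE certificates are published as DNS records (RFC 7929, as the CLI's long_about states), not fetched over HTTPS, so a reader may assume a transport guarantee the code does not establish. The assert itself is consistent with the CLI default, but I would reword it to `// DANE answers come from DNS, not HTTPS; require at least Encrypted so that offline and anonymized policies refuse the lookup. Whether dane::get validates DNSSEC is decided inside sequoia_net, not here.` so the actual guarantee (and what is delegated) is visible at the call site. The XXX block below it refers to "a WkdServer struct", which has no counterpart in this command; either drop it or rewrite it in terms of dane (the address is passed to dane::get unvalidated, which is the point the note makes). dispatch_dane is fully contained in this hunk; the preceding context lines close dispatch_wkd.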
diff --git a/sq/src/sq.rs b/sq/src/sq.rs
index 9fef712d..e759c142 100644
--- a/sq/src/sq.rs
+++ b/sq/src/sq.rs
@@ -691,6 +691,10 @@ fn main() -> Result<()> {
commands::net::dispatch_wkd(config, command)?
}
+ SqSubcommands::Dane(command) => {
+ commands::net::dispatch_dane(config, command)?
+ }
+
SqSubcommands::Certify(command) => {
commands::certify::certify(config, command)?
}
diff --git a/sq/src/sq_cli/dane.rs b/sq/src/sq_cli/dane.rs
new file mode 100644
index 00000000..069f9598
--- /dev/null
+++ b/sq/src/sq_cli/dane.rs
@@ -0,0 +1,56 @@
+use clap::{Args, Parser, Subcommand};
+
+use crate::sq_cli::types::NetworkPolicy;
+
+#[derive(Parser, Debug)]
+#[clap(
+ name = "dane",
+ about = "Interacts with DANE",
+ long_about = "DNS-Based Authentication of Named Entities (DANE) is a method for publishing public keys in DNS as specified in RFC 7929.",
+ subcommand_required = true,
+ arg_required_else_help = true,
+ setting(clap::AppSettings::DeriveDisplayOrder),
+)]
+pub struct Command {
+ #[clap(
+ short,
+ long,
+ value_name = "NETWORK-POLICY",
+ default_value_t = NetworkPolicy::Encrypted,
+ arg_enum,
+ help = "Sets the network policy to use",
+ )]
+ pub network_policy: NetworkPolicy,
+ #[clap(subcommand)]
+ pub subcommand: Subcommands,
+}
+
+#[derive(Debug, Subcommand)]
+pub enum Subcommands {
+ Get(GetCommand),
+}
+
+#[derive(Debug, Args)]
+#[clap(
+ about = "Queries for certs using DANE",
+)]
+pub struct GetCommand {
+ #[clap(
+ value_name = "ADDRESS",
+ help = "Queries a cert for ADDRESS",
+ )]
+ pub email_address: String,
+ #[clap(
+ short = 'B',
+ long,
+ help = "Emits binary data",
+ )]
+ pub binary: bool,
+ #[clap(
+ short,
+ long,
+ value_name = "FILE",
+ help = "Writes to FILE or stdout if omitted"
+ )]
+ pub output: Option<String>,
+}
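Review bot: The three public items in this new file (Command, Subcommands, GetCommand) have clap `about`/`help` strings for users but no `///` doc comments for rustdoc, unlike what a reader browsing sq_cli would expect; a one-liner each is enough, e.g. `/// Options for the `sq dane` command: a network policy plus the subcommand to run.` on Command and `/// Looks up OpenPGP certificates for an address via DANE and writes them to FILE or stdout.` on GetCommand. The `--network-policy` option advertises all four values, yet the dispatcher in net.rs asserts `net::Policy::Encrypted` before running `get`, so `offline` and `anonymized` can only fail at runtime; stating that in the option's help text (`help = "Sets the network policy to use (get requires at least encrypted)"`) would make the constraint visible from `--help` rather than from an error. The `email_address` field is documented as ADDRESS and forwarded without validation; if that is intentional for now, a short comment on the field saying so would match the XXX note in net.rs.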
diff --git a/sq/src/sq_cli/mod.rs b/sq/src/sq_cli/mod.rs
index 91748a1f..5221a2ec 100644
--- a/sq/src/sq_cli/mod.rs
+++ b/sq/src/sq_cli/mod.rs
@@ -6,6 +6,7 @@ pub mod autocrypt;
pub mod armor;
pub mod certify;
+pub mod dane;
mod dearmor;
mod decrypt;
pub mod encrypt;
@@ -129,6 +130,7 @@ pub enum SqSubcommands {
Autocrypt(autocrypt::Command),
Keyserver(keyserver::Command),
Wkd(wkd::Command),
+ Dane(dane::Command),
Armor(armor::Command),
Dearmor(dearmor::Command),