author | Lars Wirzenius <liw@sequoia-pgp.org> | 2022-01-19 17:25:18 +0200 |
---|---|---|
committer | Lars Wirzenius <liw@sequoia-pgp.org> | 2022-01-19 19:35:06 +0200 |
commit | 2a9178673622c146afb15558e54f867a9c3094f1 (patch) | |
tree | ff9da3b82b9a9578913e713339163e9af5890e5b | |
parent | 927140c6faed033bb1f8550332491b30ea77fba2 (diff) |
sq: add verification scenarios for encryption and decryption
Sponsored-by: NLnet Foundation; NGI Assure; European Commission
-rw-r--r-- | sq/sq-subplot.md | 81 |
1 files changed, 75 insertions, 6 deletions
diff --git a/sq/sq-subplot.md b/sq/sq-subplot.md index 28cd92a8..854d8cb7 100644 --- a/sq/sq-subplot.md +++ b/sq/sq-subplot.md @@ -747,7 +747,52 @@ when I run sq keyring split ring.pgp then the resulting files match alice,pgp and bob.pgp ~~~ -# Encrypt and decrypt a file using public keys +# Encryption and decryption: `sq encrypt` and `sq decrypt` + +This chapter has scenarios for verifying that encryption and +decryption work. The overall approach is to do round trips: we +encrypt, then decrypt, and is the result is identical to the input, +all good. + +## Encrypt to stdout as ASCII armored + +_Requirement: We must be able to encrypt a file using a certificate, +with output going to stdout. + +We also verify that the encrypted output doesn't contain the message +in cleartext, just in case. + +~~~scenario +given an installed sq +given file hello.txt +when I run sq key generate --export key.pgp +when I run sq key extract-cert -o cert.pgp key.pgp +when I run sq encrypt --recipient-cert cert.pgp hello.txt +then stdout contains "-----BEGIN PGP MESSAGE-----" +then stdout doesn't contain "hello, world" +~~~ + + +## Encrypt to stdout as binary + +_Requirement: We must be able to encrypt a file using a certificate, +with output going to stdout. + +We also verify that the encrypted output doesn't contain the message +in cleartext, just in case. + +~~~scenario +given an installed sq +given file hello.txt +when I run sq key generate --export key.pgp +when I run sq key extract-cert -o cert.pgp key.pgp +when I run sq encrypt --binary --recipient-cert cert.pgp hello.txt +then stdout doesn't contain "-----BEGIN PGP MESSAGE-----" +then stdout doesn't contain "hello, world" +~~~ + + +## Encrypt and decrypt using asymmetric encryption _Requirement: We must be able to encrypt a file using a certificate, and then decrypt it using the corresponding key._ 
@@ -761,13 +806,37 @@ files, etc). ~~~scenario given an installed sq given file hello.txt -when I run sq key generate --userid Tomjon --export tomjon.pgp -when I run sq key extract-cert -o cert.pgp tomjon.pgp -when I run sq encrypt -o e.pgp --recipient-cert cert.pgp hello.txt -when I run sq decrypt -o output.txt --recipient-key tomjon.pgp e.pgp +when I run sq key generate --export key.pgp +when I run sq key extract-cert -o cert.pgp key.pgp +when I run sq encrypt -o x.pgp --recipient-cert cert.pgp hello.txt +when I run sq decrypt -o output.txt --recipient-key key.pgp x.pgp then files hello.txt and output.txt match ~~~ + +## Encrypt for multiple recipients + +_Requirement: We must be able to encrypt a message for multiple +recipients at a time._ + +~~~scenario +given an installed sq +given file hello.txt +when I run sq key generate --export alice.pgp +when I run sq key extract-cert -o alice-cert.pgp alice.pgp +when I run sq key generate --export bob.pgp +when I run sq key extract-cert -o bob-cert.pgp bob.pgp + +when I run sq encrypt --recipient-cert alice-cert.pgp --recipient-cert bob-cert.pgp hello.txt -o x.pgp + +when I run sq decrypt --recipient-key alice.pgp -o alice.txt x.pgp +then files hello.txt and alice.txt match + +when I run sq decrypt --recipient-key bob.pgp -o bob.txt x.pgp +then files hello.txt and bob.txt match +~~~ + + # Sign a document and verify the signature _Requirement: We must be able to sign a document, to prove it comes @@ -861,7 +930,7 @@ then stdout doesn't contain "hello, world" then stdout doesn't contain "HELLO, WORLD" ~~~ -# ASCII Armor data representation: `sq armor` +# ASCII Armor data representation: `sq armor` and `sq dearmor` The scenarios in this chapter verify that `sq` can convert data into the "ASCII Armor" representation and back. |
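Review bot: In the `@@ -747` hunk, the "Encrypt to stdout as binary" scenario has only negative assertions (two `then stdout doesn't contain ...` lines), so those checks would also hold if `sq encrypt --binary` wrote nothing useful to stdout. Consider adding a positive check, such as writing the output to a file and round-tripping it through `sq decrypt` as the asymmetric scenario does. Smaller points in the same hunk: the chapter intro reads "and is the result is identical" where "if the result" is meant; both new `_Requirement:` paragraphs lack the closing underscore that the existing "Encrypt and decrypt using asymmetric encryption" requirement has; and the requirement text under the binary heading is a verbatim copy of the ASCII armored one and never mentions binary output.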
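Review bot: In the `@@ -761` hunk, the "Encrypt for multiple recipients" scenario verifies that both `alice.pgp` and `bob.pgp` can decrypt `x.pgp`, but nothing verifies the complementary property that a key which was not a recipient cannot. Generating a third key and adding a step that expects `sq decrypt` with it to fail would cover that. Minor style point: the encrypt step here places `-o x.pgp` after `hello.txt`, while the other scenarios in this patch put options before the input file; keeping one order makes the scenarios easier to compare.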