author | Justus Winter <justus@sequoia-pgp.org> | 2020-12-11 13:10:51 +0100 |
---|---|---|
committer | Justus Winter <justus@sequoia-pgp.org> | 2020-12-11 15:19:48 +0100 |
commit | 3a52967289a79b707387319efc0019cca85076bf (patch) | |
tree | e43accaa9dbe6f7a22be7fde1e9cc4de5a4b5c29 | |
parent | 35119b755db270ab43a8e1ec13577bc0f9846546 (diff) |
sq: Allow cert-rings as recipients, reword key -> cert.
-rw-r--r-- | sq/src/sq-usage.rs | 28 | ||||
-rw-r--r-- | sq/src/sq.rs | 37 | ||||
-rw-r--r-- | sq/src/sq_cli.rs | 8 |
3 files changed, 50 insertions, 23 deletions
diff --git a/sq/src/sq-usage.rs b/sq/src/sq-usage.rs
index db5e559d..2729cafa 100644
--- a/sq/src/sq-usage.rs
+++ b/sq/src/sq-usage.rs
@@ -80,18 +80,22 @@
 //! -V, --version Prints version information
 //!
 //! OPTIONS:
-//! --compression <KIND> Selects compression scheme to use [default: pad] [possible values: none,
-//! pad, zip, zlib, bzip2]
-//! --mode <MODE> Selects what kind of keys are considered for encryption. Transport
-//! select subkeys marked as suitable for transport encryption, rest selects
-//! those for encrypting data at rest, and all selects all encryption-capable
-//! subkeys [default: all] [possible values: transport, rest, all]
-//! -o, --output <FILE> Sets the output file to use
-//! -r, --recipient <LABEL>... Recipient to encrypt for (can be given multiple times)
-//! --recipient-key-file <CERT-FILE>... Recipient to encrypt for, given as a file (can be given multiple times)
-//! --signer-key-file <TSK-FILE>... Secret key to sign with, given as a file (can be given multiple times)
-//! -t, --time <TIME> Chooses keys valid at the specified time and sets the signature's
-//! creation time
+//! --compression <KIND>
+//! Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2]
+//!
+//! --mode <MODE>
+//! Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for
+//! transport encryption, rest selects those for encrypting data at rest, and all selects all encryption-capable
+//! subkeys [default: all] [possible values: transport, rest, all]
+//! -o, --output <FILE> Sets the output file to use
+//! -r, --recipient <LABEL>... Recipient to encrypt for (can be given multiple times)
+//! --recipients-cert-file <CERTS-FILE>...
+//! Recipients to encrypt for, given as a file (can be given multiple times)
+//!
+//! --signer-key-file <TSK-FILE>... Secret key to sign with, given as a file (can be given multiple times)
+//! -t, --time <TIME>
+//! Chooses keys valid at the specified time and sets the signature's creation time
+//!
 //!
 //! ARGS:
 //! <FILE> Sets the input file to use
diff --git a/sq/src/sq.rs b/sq/src/sq.rs
index 00477329..970e2ebe 100644
--- a/sq/src/sq.rs
+++ b/sq/src/sq.rs
@@ -82,13 +82,36 @@ fn create_or_stdout_pgp<'a>(f: Option<&str>, force: bool,
 Ok(message)
 }
 
+/// Loads one TSK from every given file.
+fn load_keys<'a, I>(files: I) -> openpgp::Result<Vec<Cert>>
+ where I: Iterator<Item=&'a str>
+{
+ let mut certs = vec![];
+ for f in files {
+ let cert = Cert::from_file(f)
+ .context(format!("Failed to load key from file {:?}", f))?;
+ if ! cert.is_tsk() {
+ Err(anyhow::anyhow!(
+ "Cert in file {:?} does not contain secret keys", f))?;
+ }
+ certs.push(cert);
+ }
+ Ok(certs)
+}
+
+/// Loads one or more certs from every given file.
 fn load_certs<'a, I>(files: I) -> openpgp::Result<Vec<Cert>>
 where I: Iterator<Item=&'a str>
 {
 let mut certs = vec![];
 for f in files {
- certs.push(Cert::from_file(f)
- .context(format!("Failed to load key from file {:?}", f))?);
+ for maybe_cert in CertParser::from_file(f)
+ .context(format!("Failed to load certs from file {:?}", f))?
+ {
+ certs.push(maybe_cert.context(
+ format!("A cert from file {:?} is bad", f)
+ )?);
+ }
 }
 Ok(certs)
 }
@@ -204,7 +227,7 @@ fn main() -> Result<()> {
 .map(load_certs)
 .unwrap_or(Ok(vec![]))?;
 let secrets = m.values_of("secret-key-file")
- .map(load_certs)
+ .map(load_keys)
 .unwrap_or(Ok(vec![]))?;
 let mut mapping = Mapping::open(&ctx, realm_name, mapping_name)
 .context("Failed to open the mapping")?;
@@ -217,7 +240,7 @@ fn main() -> Result<()> {
 ("encrypt", Some(m)) => {
 let mapping = Mapping::open(&ctx, realm_name, mapping_name)
 .context("Failed to open the mapping")?;
- let mut recipients = m.values_of("recipient-key-file")
+ let mut recipients = m.values_of("recipients-cert-file")
 .map(load_certs)
 .unwrap_or(Ok(vec![]))?;
 if let Some(r) = m.values_of("recipient") {
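Review bot: In `load_certs`, every certificate `CertParser::from_file` yields is pushed into the result, and the `encrypt` arm in the `@@ -217` hunk feeds that vector straight in as `recipients`, so a keyring passed as `--recipients-cert-file` encrypts to every certificate it holds; neither the new docstring nor the `--recipients-cert-file` help in sq_cli.rs says that a file with several certs expands to several recipients, which is the one thing a user needs to know before pointing this at a keyring. I would make the docstring `/// Loads one or more certs from every given file.  A keyring file yields every cert it contains.` and say the same in the sq_cli.rs help string. In `load_keys`, `Err(anyhow::anyhow!(...))?;` reads more directly as `return Err(anyhow::anyhow!(...));`, and the `.context(format!(...))` calls in both functions build the message on every iteration even on success, where `.with_context(|| format!(...))` defers it. `load_keys` still goes through `Cert::from_file`, so what happens when a keyring is given as `--signer-key-file` or `--secret-key-file` depends on how that constructor treats additional certs in the input; the docstring `Loads one TSK from every given file` should state whether extra certs are an error or silently ignored. The `main` arms that switch to `load_keys` belong to a function whose body lies outside these hunks.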
@@ -232,7 +255,7 @@ fn main() -> Result<()> {
 m.is_present("binary"),
 armor::Kind::Message)?;
 let additional_secrets = m.values_of("signer-key-file")
- .map(load_certs)
+ .map(load_keys)
 .unwrap_or(Ok(vec![]))?;
 let mode = match m.value_of("mode").expect("has default") {
 "rest" => KeyFlags::empty()
@@ -266,7 +289,7 @@ fn main() -> Result<()> {
 let append = m.is_present("append");
 let notarize = m.is_present("notarize");
 let secrets = m.values_of("secret-key-file")
- .map(load_certs)
+ .map(load_keys)
 .unwrap_or(Ok(vec![]))?;
 let time = if let Some(time) = m.value_of("time") {
 Some(parse_iso8601(time, chrono::NaiveTime::from_hms(0, 0, 0))
@@ -382,7 +405,7 @@ fn main() -> Result<()> {
 m.is_present("binary"),
 armor::Kind::Message)?;
 let secrets = m.values_of("secret-key-file")
- .map(load_certs)
+ .map(load_keys)
 .unwrap_or(Ok(vec![]))?;
 let mut mapping = Mapping::open(&ctx, realm_name, mapping_name)
 .context("Failed to open the mapping")?;
diff --git a/sq/src/sq_cli.rs b/sq/src/sq_cli.rs
index 9c56154b..464d78b4 100644
--- a/sq/src/sq_cli.rs
+++ b/sq/src/sq_cli.rs
@@ -101,13 +101,13 @@ pub fn build() -> App<'static, 'static> {
 .number_of_values(1)
 .help("Recipient to encrypt for \
 (can be given multiple times)"))
- .arg(Arg::with_name("recipient-key-file")
- .long("recipient-key-file")
+ .arg(Arg::with_name("recipients-cert-file")
+ .long("recipients-cert-file")
 .multiple(true)
 .takes_value(true)
- .value_name("CERT-FILE")
+ .value_name("CERTS-FILE")
 .number_of_values(1)
- .help("Recipient to encrypt for, given as a file \
+ .help("Recipients to encrypt for, given as a file \
 (can be given multiple times)"))
 .arg(Arg::with_name("signer-key-file")
 .long("signer-key-file")