authorJustus Winter <justus@sequoia-pgp.org>2021-04-21 12:49:13 +0200
committerJustus Winter <justus@sequoia-pgp.org>2021-04-26 13:14:15 +0200
commit710f2c60a9a00a5a4c3199f25d387fe82aa21aa0 (patch)
tree3a6694d7890161b9e85d2fdba04e3309249e485f
parent522e5811c2aa0dc741807cc42d5a3eac2bf63413 (diff)
openpgp: Expose low-level functions for attestation key signatures.
- See #335.
-rw-r--r--openpgp/NEWS3
-rw-r--r--openpgp/src/cert.rs4
-rw-r--r--openpgp/src/packet/signature.rs28
-rw-r--r--openpgp/src/types/mod.rs18
-rw-r--r--sq/src/commands/key.rs9
5 files changed, 41 insertions, 21 deletions
diff --git a/openpgp/NEWS b/openpgp/NEWS
index 63b7b4f1..a505818e 100644
--- a/openpgp/NEWS
+++ b/openpgp/NEWS
@@ -4,7 +4,10 @@
* Changes in 1.2.0
** New functionality
+ - Signature::verify_user_attribute_attestation
+ - Signature::verify_userid_attestation
- SignatureBuilder::set_attested_certifications
+ - SignatureType::AttestationKey
- SubpacketAreas::attested_certifications
- SubpacketTag::AttestedCertifications
- SubpacketValue::AttestedCertifications
diff --git a/openpgp/src/cert.rs b/openpgp/src/cert.rs
index 6339f311..12348ecf 100644
--- a/openpgp/src/cert.rs
+++ b/openpgp/src/cert.rs
@@ -1806,7 +1806,7 @@ impl Cert {
}
},
- crate::types::SignatureType__AttestedKey => {
+ crate::types::SignatureType::AttestationKey => {
for binding in self.userids.iter_mut() {
check_one!(format!("userid \"{}\"",
String::from_utf8_lossy(
@@ -6051,7 +6051,7 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g=
bob.primary_key().key().hash(&mut h);
bob.userids().next().unwrap().userid().hash(&mut h);
- let attestation = SignatureBuilder::new(SignatureType__AttestedKey)
+ let attestation = SignatureBuilder::new(SignatureType::AttestationKey)
.set_attested_certifications(vec![digest])?
.sign_hash(&mut bob_signer, h)?;
diff --git a/openpgp/src/packet/signature.rs b/openpgp/src/packet/signature.rs
index 36b308a2..60434378 100644
--- a/openpgp/src/packet/signature.rs
+++ b/openpgp/src/packet/signature.rs
@@ -2787,6 +2787,12 @@ impl Signature {
/// Verifies an attested key signature on a user id.
///
+ /// This feature is [experimental](crate#experimental-features).
+ ///
+ /// Allows the certificate owner to attest to third party
+ /// certifications. See [Section 5.2.3.30 of RFC 4880bis] for
+ /// details.
+ ///
/// `self` is the attested key signature, `signer` is the key that
/// allegedly made the signature, `pk` is the primary key, and
/// `userid` is the user id.
@@ -2802,7 +2808,9 @@ impl Signature {
/// key is not revoked, not expired, has a valid self-signature,
/// has a subkey binding signature (if appropriate), has the
/// signing capability, etc.
- pub(crate) fn verify_userid_attestation<P, Q, R>(
+ ///
+ /// [Section 5.2.3.30 of RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10.html#section-5.2.3.30
+ pub fn verify_userid_attestation<P, Q, R>(
&mut self,
signer: &Key<P, R>,
pk: &Key<Q, key::PrimaryRole>,
@@ -2812,9 +2820,7 @@ impl Signature {
Q: key::KeyParts,
R: key::KeyRole,
{
- use crate::types::SignatureType__AttestedKey;
-
- if self.typ() != SignatureType__AttestedKey {
+ if self.typ() != SignatureType::AttestationKey {
return Err(Error::UnsupportedSignatureType(self.typ()).into());
}
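Review bot: The early return of `Error::UnsupportedSignatureType` on the type check is part of the public contract now that the function is `pub`, but the doc comment shown in the earlier hunks has no `# Errors` section. I would add `/// # Errors` followed by ``/// Returns [`Error::UnsupportedSignatureType`] if `self` is not of type [`SignatureType::AttestationKey`].`` so callers can tell a wrong-type signature from a failed cryptographic check. The same applies to `verify_user_attribute_attestation` in the later hunk. The function body continues outside the hunk, so other error paths are not visible here.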
@@ -2912,6 +2918,12 @@ impl Signature {
/// Verifies an attested key signature on a user attribute.
///
+ /// This feature is [experimental](crate#experimental-features).
+ ///
+ /// Allows the certificate owner to attest to third party
+ /// certifications. See [Section 5.2.3.30 of RFC 4880bis] for
+ /// details.
+ ///
/// `self` is the attested key signature, `signer` is the key that
/// allegedly made the signature, `pk` is the primary key, and
/// `ua` is the user attribute.
@@ -2927,7 +2939,9 @@ impl Signature {
/// key is not revoked, not expired, has a valid self-signature,
/// has a subkey binding signature (if appropriate), has the
/// signing capability, etc.
- pub(crate) fn verify_user_attribute_attestation<P, Q, R>(
+ ///
+ /// [Section 5.2.3.30 of RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10.html#section-5.2.3.30
+ pub fn verify_user_attribute_attestation<P, Q, R>(
&mut self,
signer: &Key<P, R>,
pk: &Key<Q, key::PrimaryRole>,
@@ -2937,9 +2951,7 @@ impl Signature {
Q: key::KeyParts,
R: key::KeyRole,
{
- use crate::types::SignatureType__AttestedKey;
-
- if self.typ() != SignatureType__AttestedKey {
+ if self.typ() != SignatureType::AttestationKey {
return Err(Error::UnsupportedSignatureType(self.typ()).into());
}
diff --git a/openpgp/src/types/mod.rs b/openpgp/src/types/mod.rs
index 9c33f47a..b3a9822e 100644
--- a/openpgp/src/types/mod.rs
+++ b/openpgp/src/types/mod.rs
@@ -1142,6 +1142,15 @@ pub enum SignatureType {
/// Positive certification of a User ID and Public-Key packet.
PositiveCertification,
+ /// Attestation Key Signature (proposed).
+ ///
+ /// Allows the certificate owner to attest to third party
+ /// certifications. See [Section 5.2.3.30 of RFC 4880bis] for
+ /// details.
+ ///
+ /// [Section 5.2.3.30 of RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10.html#section-5.2.3.30
+ AttestationKey,
+
/// Subkey Binding Signature
SubkeyBinding,
/// Primary Key Binding Signature
@@ -1166,11 +1175,6 @@ pub enum SignatureType {
}
assert_send_and_sync!(SignatureType);
-/// An attested key signature.
-#[allow(non_upper_case_globals)]
-pub(crate) const SignatureType__AttestedKey: SignatureType =
- SignatureType::Unknown(0x16);
-
impl From<u8> for SignatureType {
fn from(u: u8) -> Self {
@@ -1182,6 +1186,7 @@ impl From<u8> for SignatureType {
0x11 => SignatureType::PersonaCertification,
0x12 => SignatureType::CasualCertification,
0x13 => SignatureType::PositiveCertification,
+ 0x16 => SignatureType::AttestationKey,
0x18 => SignatureType::SubkeyBinding,
0x19 => SignatureType::PrimaryKeyBinding,
0x1f => SignatureType::DirectKey,
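Review bot: Mapping `0x16` to `SignatureType::AttestationKey` changes what `SignatureType::from(0x16)` returns for existing callers, which until now got `SignatureType::Unknown(0x16)`. Downstream code that copied the workaround removed from sq in this commit (`SignatureType::Unknown(0x16)` as a local constant) will, assuming equality on the enum is derived, silently stop matching parsed signatures; a filter like the one in `attest_certifications` would then leave old attestation signatures in place. The NEWS entry lists the new variant but not this behaviour change, so I would add a line such as `- SignatureType::from(0x16) now yields AttestationKey instead of Unknown(0x16)`. The `From<u8>` impl starts and ends outside the hunk.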
@@ -1205,6 +1210,7 @@ impl From<SignatureType> for u8 {
SignatureType::PersonaCertification => 0x11,
SignatureType::CasualCertification => 0x12,
SignatureType::PositiveCertification => 0x13,
+ SignatureType::AttestationKey => 0x16,
SignatureType::SubkeyBinding => 0x18,
SignatureType::PrimaryKeyBinding => 0x19,
SignatureType::DirectKey => 0x1f,
@@ -1235,6 +1241,8 @@ impl fmt::Display for SignatureType {
f.write_str("CasualCertification"),
SignatureType::PositiveCertification =>
f.write_str("PositiveCertification"),
+ SignatureType::AttestationKey =>
+ f.write_str("AttestationKey"),
SignatureType::SubkeyBinding =>
f.write_str("SubkeyBinding"),
SignatureType::PrimaryKeyBinding =>
diff --git a/sq/src/commands/key.rs b/sq/src/commands/key.rs
index 6073e886..41077cd6 100644
--- a/sq/src/commands/key.rs
+++ b/sq/src/commands/key.rs
@@ -431,9 +431,6 @@ fn attest_certifications(config: Config, m: &ArgMatches)
crypto::hash::{Hash, Digest},
types::HashAlgorithm,
};
- #[allow(non_upper_case_globals)]
- const SignatureType__AttestedKey: SignatureType =
- SignatureType::Unknown(0x16);
// Attest to all certifications?
let all = ! m.is_present("none"); // All is the default.
@@ -452,7 +449,7 @@ fn attest_certifications(config: Config, m: &ArgMatches)
let key = Cert::from_packets(key.into_packets().filter(|p| {
!matches!(
p,
- Packet::Signature(s) if s.typ() == SignatureType__AttestedKey
+ Packet::Signature(s) if s.typ() == SignatureType::AttestationKey
)
}))?;
@@ -492,7 +489,7 @@ fn attest_certifications(config: Config, m: &ArgMatches)
for digests in attestations.chunks(digests_per_sig) {
attestation_signatures.push(
- SignatureBuilder::new(SignatureType__AttestedKey)
+ SignatureBuilder::new(SignatureType::AttestationKey)
.set_signature_creation_time(t)?
.set_attested_certifications(digests)?
.sign_hash(&mut pk_signer, hash.clone())?);
@@ -524,7 +521,7 @@ fn attest_certifications(config: Config, m: &ArgMatches)
for digests in attestations.chunks(digests_per_sig) {
attestation_signatures.push(
- SignatureBuilder::new(SignatureType__AttestedKey)
+ SignatureBuilder::new(SignatureType::AttestationKey)
.set_signature_creation_time(t)?
.set_attested_certifications(digests)?
.sign_hash(&mut pk_signer, hash.clone())?);