author | Justus Winter <justus@sequoia-pgp.org> | 2021-04-21 12:49:13 +0200 |
---|---|---|
committer | Justus Winter <justus@sequoia-pgp.org> | 2021-04-26 13:14:15 +0200 |
commit | 710f2c60a9a00a5a4c3199f25d387fe82aa21aa0 (patch) | |
tree | 3a6694d7890161b9e85d2fdba04e3309249e485f | |
parent | 522e5811c2aa0dc741807cc42d5a3eac2bf63413 (diff) |
openpgp: Expose low-level functions for attestation key signatures.
- See #335.
-rw-r--r-- | openpgp/NEWS | 3 | ||||
-rw-r--r-- | openpgp/src/cert.rs | 4 | ||||
-rw-r--r-- | openpgp/src/packet/signature.rs | 28 | ||||
-rw-r--r-- | openpgp/src/types/mod.rs | 18 | ||||
-rw-r--r-- | sq/src/commands/key.rs | 9 |
5 files changed, 41 insertions, 21 deletions
diff --git a/openpgp/NEWS b/openpgp/NEWS
index 63b7b4f1..a505818e 100644
--- a/openpgp/NEWS
+++ b/openpgp/NEWS
@@ -4,7 +4,10 @@
 * Changes in 1.2.0
 ** New functionality
+ - Signature::verify_user_attribute_attestation
+ - Signature::verify_userid_attestation
 - SignatureBuilder::set_attested_certifications
+ - SignatureType::AttestationKey
 - SubpacketAreas::attested_certifications
 - SubpacketTag::AttestedCertifications
 - SubpacketValue::AttestedCertifications
diff --git a/openpgp/src/cert.rs b/openpgp/src/cert.rs
index 6339f311..12348ecf 100644
--- a/openpgp/src/cert.rs
+++ b/openpgp/src/cert.rs
@@ -1806,7 +1806,7 @@ impl Cert {
 }
 },
- crate::types::SignatureType__AttestedKey => {
+ crate::types::SignatureType::AttestationKey => {
 for binding in self.userids.iter_mut() {
 check_one!(format!("userid \"{}\"",
 String::from_utf8_lossy(
@@ -6051,7 +6051,7 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g=
 bob.primary_key().key().hash(&mut h);
 bob.userids().next().unwrap().userid().hash(&mut h);
- let attestation = SignatureBuilder::new(SignatureType__AttestedKey)
+ let attestation = SignatureBuilder::new(SignatureType::AttestationKey)
 .set_attested_certifications(vec![digest])?
 .sign_hash(&mut bob_signer, h)?;
diff --git a/openpgp/src/packet/signature.rs b/openpgp/src/packet/signature.rs
index 36b308a2..60434378 100644
--- a/openpgp/src/packet/signature.rs
+++ b/openpgp/src/packet/signature.rs
@@ -2787,6 +2787,12 @@ impl Signature {
 /// Verifies an attested key signature on a user id.
 ///
+ /// This feature is [experimental](crate#experimental-features).
+ ///
+ /// Allows the certificate owner to attest to third party
+ /// certifications. See [Section 5.2.3.30 of RFC 4880bis] for
+ /// details.
+ ///
 /// `self` is the attested key signature, `signer` is the key that
 /// allegedly made the signature, `pk` is the primary key, and
 /// `userid` is the user id.
@@ -2802,7 +2808,9 @@ impl Signature {
 /// key is not revoked, not expired, has a valid self-signature,
 /// has a subkey binding signature (if appropriate), has the
 /// signing capability, etc.
- pub(crate) fn verify_userid_attestation<P, Q, R>(
+ ///
+ /// [Section 5.2.3.30 of RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10.html#section-5.2.3.30
+ pub fn verify_userid_attestation<P, Q, R>(
 &mut self,
 signer: &Key<P, R>,
 pk: &Key<Q, key::PrimaryRole>,
@@ -2812,9 +2820,7 @@ impl Signature {
 Q: key::KeyParts,
 R: key::KeyRole,
 {
- use crate::types::SignatureType__AttestedKey;
-
- if self.typ() != SignatureType__AttestedKey {
+ if self.typ() != SignatureType::AttestationKey {
 return Err(Error::UnsupportedSignatureType(self.typ()).into());
 }
@@ -2912,6 +2918,12 @@ impl Signature {
 /// Verifies an attested key signature on a user attribute.
 ///
+ /// This feature is [experimental](crate#experimental-features).
+ ///
+ /// Allows the certificate owner to attest to third party
+ /// certifications. See [Section 5.2.3.30 of RFC 4880bis] for
+ /// details.
+ ///
 /// `self` is the attested key signature, `signer` is the key that
 /// allegedly made the signature, `pk` is the primary key, and
 /// `ua` is the user attribute.
@@ -2927,7 +2939,9 @@ impl Signature {
 /// key is not revoked, not expired, has a valid self-signature,
 /// has a subkey binding signature (if appropriate), has the
 /// signing capability, etc.
- pub(crate) fn verify_user_attribute_attestation<P, Q, R>(
+ ///
+ /// [Section 5.2.3.30 of RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10.html#section-5.2.3.30
+ pub fn verify_user_attribute_attestation<P, Q, R>(
 &mut self,
 signer: &Key<P, R>,
 pk: &Key<Q, key::PrimaryRole>,
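Review bot: The doc comment that `pub fn verify_userid_attestation` now publishes (hunk `@@ -2802`, and likewise `verify_user_attribute_attestation` at `@@ -2927`) leaves validation of `signer` to the caller but never says how `signer` must relate to `pk`. The text added in the `@@ -2787` hunk describes the attestation as made by the certificate owner, so an external caller needs to know whether a signer that is not the certificate's primary key is rejected; the function bodies lie mostly outside these hunks, so that is not visible here. I would state the expected relation in the parameter paragraph and add an errors section, `/// # Errors` followed by `/// Returns Error::UnsupportedSignatureType if self is not an attestation key signature.`, which is the behaviour the `@@ -2812` hunk shows.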
@@ -2937,9 +2951,7 @@ impl Signature {
 Q: key::KeyParts,
 R: key::KeyRole,
 {
- use crate::types::SignatureType__AttestedKey;
-
- if self.typ() != SignatureType__AttestedKey {
+ if self.typ() != SignatureType::AttestationKey {
 return Err(Error::UnsupportedSignatureType(self.typ()).into());
 }
diff --git a/openpgp/src/types/mod.rs b/openpgp/src/types/mod.rs
index 9c33f47a..b3a9822e 100644
--- a/openpgp/src/types/mod.rs
+++ b/openpgp/src/types/mod.rs
@@ -1142,6 +1142,15 @@ pub enum SignatureType {
 /// Positive certification of a User ID and Public-Key packet.
 PositiveCertification,
+ /// Attestation Key Signature (proposed).
+ ///
+ /// Allows the certificate owner to attest to third party
+ /// certifications. See [Section 5.2.3.30 of RFC 4880bis] for
+ /// details.
+ ///
+ /// [Section 5.2.3.30 of RFC 4880bis]: https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-10.html#section-5.2.3.30
+ AttestationKey,
+
 /// Subkey Binding Signature
 SubkeyBinding,
 /// Primary Key Binding Signature
@@ -1166,11 +1175,6 @@ pub enum SignatureType {
 }
 assert_send_and_sync!(SignatureType);
-/// An attested key signature.
-#[allow(non_upper_case_globals)]
-pub(crate) const SignatureType__AttestedKey: SignatureType =
- SignatureType::Unknown(0x16);
-
 impl From<u8> for SignatureType {
 fn from(u: u8) -> Self {
@@ -1182,6 +1186,7 @@ impl From<u8> for SignatureType {
 0x11 => SignatureType::PersonaCertification,
 0x12 => SignatureType::CasualCertification,
 0x13 => SignatureType::PositiveCertification,
+ 0x16 => SignatureType::AttestationKey,
 0x18 => SignatureType::SubkeyBinding,
 0x19 => SignatureType::PrimaryKeyBinding,
 0x1f => SignatureType::DirectKey,
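Review bot: With the new `0x16 => SignatureType::AttestationKey` arm in `From<u8>` (hunk `@@ -1182`), a parsed attestation signature presumably no longer compares equal to `SignatureType::Unknown(0x16)`; that holds if equality on `SignatureType` is derived, which these hunks do not show. External code that copied the `Unknown(0x16)` workaround this commit removes from sq/src/commands/key.rs would then stop matching without any compile error, so a filter meant to drop old attestation signatures would keep them. I would mention the changed mapping in the NEWS entry and pin it with a test, `assert_eq!(SignatureType::from(0x16), SignatureType::AttestationKey);` and `assert_eq!(u8::from(SignatureType::AttestationKey), 0x16);`.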
@@ -1205,6 +1210,7 @@ impl From<SignatureType> for u8 {
 SignatureType::PersonaCertification => 0x11,
 SignatureType::CasualCertification => 0x12,
 SignatureType::PositiveCertification => 0x13,
+ SignatureType::AttestationKey => 0x16,
 SignatureType::SubkeyBinding => 0x18,
 SignatureType::PrimaryKeyBinding => 0x19,
 SignatureType::DirectKey => 0x1f,
@@ -1235,6 +1241,8 @@ impl fmt::Display for SignatureType {
 f.write_str("CasualCertification"),
 SignatureType::PositiveCertification =>
 f.write_str("PositiveCertification"),
+ SignatureType::AttestationKey =>
+ f.write_str("AttestationKey"),
 SignatureType::SubkeyBinding =>
 f.write_str("SubkeyBinding"),
 SignatureType::PrimaryKeyBinding =>
diff --git a/sq/src/commands/key.rs b/sq/src/commands/key.rs
index 6073e886..41077cd6 100644
--- a/sq/src/commands/key.rs
+++ b/sq/src/commands/key.rs
@@ -431,9 +431,6 @@ fn attest_certifications(config: Config, m: &ArgMatches)
 crypto::hash::{Hash, Digest},
 types::HashAlgorithm,
 };
- #[allow(non_upper_case_globals)]
- const SignatureType__AttestedKey: SignatureType =
- SignatureType::Unknown(0x16);
 // Attest to all certifications?
 let all = ! m.is_present("none"); // All is the default.
@@ -452,7 +449,7 @@ fn attest_certifications(config: Config, m: &ArgMatches)
 let key = Cert::from_packets(key.into_packets().filter(|p| {
 !matches!(
 p,
- Packet::Signature(s) if s.typ() == SignatureType__AttestedKey
+ Packet::Signature(s) if s.typ() == SignatureType::AttestationKey
 )
 }))?;
@@ -492,7 +489,7 @@ fn attest_certifications(config: Config, m: &ArgMatches)
 for digests in attestations.chunks(digests_per_sig) {
 attestation_signatures.push(
- SignatureBuilder::new(SignatureType__AttestedKey)
+ SignatureBuilder::new(SignatureType::AttestationKey)
 .set_signature_creation_time(t)?
 .set_attested_certifications(digests)?
 .sign_hash(&mut pk_signer, hash.clone())?);
@@ -524,7 +521,7 @@ fn attest_certifications(config: Config, m: &ArgMatches)
 for digests in attestations.chunks(digests_per_sig) {
 attestation_signatures.push(
- SignatureBuilder::new(SignatureType__AttestedKey)
+ SignatureBuilder::new(SignatureType::AttestationKey)
 .set_signature_creation_time(t)?
 .set_attested_certifications(digests)?
 .sign_hash(&mut pk_signer, hash.clone())?);
|