authorJustus Winter <justus@sequoia-pgp.org>2020-12-11 13:10:51 +0100
committerJustus Winter <justus@sequoia-pgp.org>2020-12-11 15:19:48 +0100
commit3a52967289a79b707387319efc0019cca85076bf (patch)
treee43accaa9dbe6f7a22be7fde1e9cc4de5a4b5c29
parent35119b755db270ab43a8e1ec13577bc0f9846546 (diff)
sq: Allow cert-rings as recipients, reword key -> cert.
-rw-r--r--sq/src/sq-usage.rs28
-rw-r--r--sq/src/sq.rs37
-rw-r--r--sq/src/sq_cli.rs8
3 files changed, 50 insertions, 23 deletions
diff --git a/sq/src/sq-usage.rs b/sq/src/sq-usage.rs
index db5e559d..2729cafa 100644
--- a/sq/src/sq-usage.rs
+++ b/sq/src/sq-usage.rs
@@ -80,18 +80,22 @@
//! -V, --version Prints version information
//!
//! OPTIONS:
-//! --compression <KIND> Selects compression scheme to use [default: pad] [possible values: none,
-//! pad, zip, zlib, bzip2]
-//! --mode <MODE> Selects what kind of keys are considered for encryption. Transport
-//! select subkeys marked as suitable for transport encryption, rest selects
-//! those for encrypting data at rest, and all selects all encryption-capable
-//! subkeys [default: all] [possible values: transport, rest, all]
-//! -o, --output <FILE> Sets the output file to use
-//! -r, --recipient <LABEL>... Recipient to encrypt for (can be given multiple times)
-//! --recipient-key-file <CERT-FILE>... Recipient to encrypt for, given as a file (can be given multiple times)
-//! --signer-key-file <TSK-FILE>... Secret key to sign with, given as a file (can be given multiple times)
-//! -t, --time <TIME> Chooses keys valid at the specified time and sets the signature's
-//! creation time
+//! --compression <KIND>
+//! Selects compression scheme to use [default: pad] [possible values: none, pad, zip, zlib, bzip2]
+//!
+//! --mode <MODE>
+//! Selects what kind of keys are considered for encryption. Transport select subkeys marked as suitable for
+//! transport encryption, rest selects those for encrypting data at rest, and all selects all encryption-capable
+//! subkeys [default: all] [possible values: transport, rest, all]
+//! -o, --output <FILE> Sets the output file to use
+//! -r, --recipient <LABEL>... Recipient to encrypt for (can be given multiple times)
+//! --recipients-cert-file <CERTS-FILE>...
+//! Recipients to encrypt for, given as a file (can be given multiple times)
+//!
+//! --signer-key-file <TSK-FILE>... Secret key to sign with, given as a file (can be given multiple times)
+//! -t, --time <TIME>
+//! Chooses keys valid at the specified time and sets the signature's creation time
+//!
//!
//! ARGS:
//! <FILE> Sets the input file to use
diff --git a/sq/src/sq.rs b/sq/src/sq.rs
index 00477329..970e2ebe 100644
--- a/sq/src/sq.rs
+++ b/sq/src/sq.rs
@@ -82,13 +82,36 @@ fn create_or_stdout_pgp<'a>(f: Option<&str>, force: bool,
Ok(message)
}
+/// Loads one TSK from every given file.
+fn load_keys<'a, I>(files: I) -> openpgp::Result<Vec<Cert>>
+ where I: Iterator<Item=&'a str>
+{
+ let mut certs = vec![];
+ for f in files {
+ let cert = Cert::from_file(f)
+ .context(format!("Failed to load key from file {:?}", f))?;
+ if ! cert.is_tsk() {
+ Err(anyhow::anyhow!(
+ "Cert in file {:?} does not contain secret keys", f))?;
+ }
+ certs.push(cert);
+ }
+ Ok(certs)
+}
+
+/// Loads one or more certs from every given file.
fn load_certs<'a, I>(files: I) -> openpgp::Result<Vec<Cert>>
where I: Iterator<Item=&'a str>
{
let mut certs = vec![];
for f in files {
- certs.push(Cert::from_file(f)
- .context(format!("Failed to load key from file {:?}", f))?);
+ for maybe_cert in CertParser::from_file(f)
+ .context(format!("Failed to load certs from file {:?}", f))?
+ {
+ certs.push(maybe_cert.context(
+ format!("A cert from file {:?} is bad", f)
+ )?);
+ }
}
Ok(certs)
}
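Review bot: The new doc comment on `load_certs` promises "one or more certs from every given file", but the inner loop accepts a file whose `CertParser` yields nothing, so an empty or non-cert input named via `--recipients-cert-file` contributes no recipient and raises no error; either enforce the contract with `let before = certs.len();` before the inner loop and `if certs.len() == before { return Err(anyhow::anyhow!("No certs found in file {:?}", f)); }` after it, or reword the comment to `/// Loads zero or more certs from every given file.`. Whether the caller rejects an empty recipient set is outside this hunk, so the file-level check is the safer place for it. In `load_keys`, `Err(anyhow::anyhow!(...))?;` returns through `?` on a freshly built `Err`, which clippy flags as `try_err`; `return Err(anyhow::anyhow!("Cert in file {:?} does not contain secret keys", f));` says the same thing directly. Both helpers call `.context(format!(...))`, which formats the message on the success path too; `.with_context(|| format!(...))` defers it to the error path.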
@@ -204,7 +227,7 @@ fn main() -> Result<()> {
.map(load_certs)
.unwrap_or(Ok(vec![]))?;
let secrets = m.values_of("secret-key-file")
- .map(load_certs)
+ .map(load_keys)
.unwrap_or(Ok(vec![]))?;
let mut mapping = Mapping::open(&ctx, realm_name, mapping_name)
.context("Failed to open the mapping")?;
@@ -217,7 +240,7 @@ fn main() -> Result<()> {
("encrypt", Some(m)) => {
let mapping = Mapping::open(&ctx, realm_name, mapping_name)
.context("Failed to open the mapping")?;
- let mut recipients = m.values_of("recipient-key-file")
+ let mut recipients = m.values_of("recipients-cert-file")
.map(load_certs)
.unwrap_or(Ok(vec![]))?;
if let Some(r) = m.values_of("recipient") {
@@ -232,7 +255,7 @@ fn main() -> Result<()> {
m.is_present("binary"),
armor::Kind::Message)?;
let additional_secrets = m.values_of("signer-key-file")
- .map(load_certs)
+ .map(load_keys)
.unwrap_or(Ok(vec![]))?;
let mode = match m.value_of("mode").expect("has default") {
"rest" => KeyFlags::empty()
@@ -266,7 +289,7 @@ fn main() -> Result<()> {
let append = m.is_present("append");
let notarize = m.is_present("notarize");
let secrets = m.values_of("secret-key-file")
- .map(load_certs)
+ .map(load_keys)
.unwrap_or(Ok(vec![]))?;
let time = if let Some(time) = m.value_of("time") {
Some(parse_iso8601(time, chrono::NaiveTime::from_hms(0, 0, 0))
@@ -382,7 +405,7 @@ fn main() -> Result<()> {
m.is_present("binary"),
armor::Kind::Message)?;
let secrets = m.values_of("secret-key-file")
- .map(load_certs)
+ .map(load_keys)
.unwrap_or(Ok(vec![]))?;
let mut mapping = Mapping::open(&ctx, realm_name, mapping_name)
.context("Failed to open the mapping")?;
diff --git a/sq/src/sq_cli.rs b/sq/src/sq_cli.rs
index 9c56154b..464d78b4 100644
--- a/sq/src/sq_cli.rs
+++ b/sq/src/sq_cli.rs
@@ -101,13 +101,13 @@ pub fn build() -> App<'static, 'static> {
.number_of_values(1)
.help("Recipient to encrypt for \
(can be given multiple times)"))
- .arg(Arg::with_name("recipient-key-file")
- .long("recipient-key-file")
+ .arg(Arg::with_name("recipients-cert-file")
+ .long("recipients-cert-file")
.multiple(true)
.takes_value(true)
- .value_name("CERT-FILE")
+ .value_name("CERTS-FILE")
.number_of_values(1)
- .help("Recipient to encrypt for, given as a file \
+ .help("Recipients to encrypt for, given as a file \
(can be given multiple times)"))
.arg(Arg::with_name("signer-key-file")
.long("signer-key-file")
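Review bot: The rename from `recipient-key-file` to `recipients-cert-file` drops the old spelling entirely, so existing scripts that pass `--recipient-key-file` now fail with an unknown-argument error rather than keep working. If a transition period is wanted, `.alias("recipient-key-file")` on the new `Arg` keeps the old name accepted while only the new one is shown in help. The enclosing `build()` continues past the hunk.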