openpgp: Add high-level interface for attested certifications.

- Fixes #335.
author: Justus Winter <justus@sequoia-pgp.org> 2021-04-21 15:29:48 +0200
committer: Justus Winter <justus@sequoia-pgp.org> 2021-04-26 13:16:57 +0200
commit: 815bb18f7dbbfb8074a34707a254415b8184280d (patch)
tree: 3345277ff77dbb6289a8e6e6cbd47469760bf72e /sq
parent: 65624f499b30589a40c6f4fa87f34f0c0f407394 (diff)
1 files changed, 16 insertions, 77 deletions
diff --git a/sq/src/commands/key.rs b/sq/src/commands/key.rs
index 41077cd6..d6f646e7 100644
--- a/sq/src/commands/key.rs
+++ b/sq/src/commands/key.rs
@@ -424,35 +424,12 @@ fn adopt(config: Config, m: &ArgMatches) -> Result<()> {
 
 fn attest_certifications(config: Config, m: &ArgMatches)
                          -> Result<()> {
-    // XXX: This function has to do some steps manually, because
-    // Sequoia does not expose this functionality because it has not
-    // been standardized yet.
-    use sequoia_openpgp::{
-        crypto::hash::{Hash, Digest},
-        types::HashAlgorithm,
-    };
-
     // Attest to all certifications?
     let all = ! m.is_present("none"); // All is the default.
 
-    // Some configuration.
-    let hash_algo = HashAlgorithm::default();
-    let digest_size = hash_algo.context()?.digest_size();
-    let reserve_area_space = 256; // For the other subpackets.
-    let digests_per_sig = ((1usize << 16) - reserve_area_space) / digest_size;
-
     let input = open_or_stdin(m.value_of("key"))?;
     let key = Cert::from_reader(input)?;
 
-
-    // First, remove all attestations.
-    let key = Cert::from_packets(key.into_packets().filter(|p| {
-        !matches!(
-                p,
-                Packet::Signature(s) if s.typ() == SignatureType::AttestationKey
-        )
-    }))?;
-
     // Get a signer.
     let mut passwords = Vec::new();
     let pk = key.primary_key().key();
@@ -465,66 +442,28 @@ fn attest_certifications(config: Config, m: &ArgMatches)
     // Now, create new attestation signatures.
     let mut attestation_signatures = Vec::new();
     for uid in key.userids() {
-        let mut attestations = Vec::new();
-
         if all {
-            for certification in uid.certifications() {
-                let mut h = hash_algo.context()?;
-                certification.hash_for_confirmation(&mut h);
-                attestations.push(h.into_digest()?);
-            }
-        }
-
-        // Hashes SHOULD be sorted.
-        attestations.sort();
-
-        // All attestation signatures we generate for this component
-        // should have the same creation time.  Fix it now.
-        let t = std::time::SystemTime::now();
-
-        // Hash the components like in a binding signature.
-        let mut hash = hash_algo.context()?;
-        key.primary_key().hash(&mut hash);
-        uid.hash(&mut hash);
-
-        for digests in attestations.chunks(digests_per_sig) {
-            attestation_signatures.push(
-                SignatureBuilder::new(SignatureType::AttestationKey)
-                    .set_signature_creation_time(t)?
-                    .set_attested_certifications(digests)?
-                    .sign_hash(&mut pk_signer, hash.clone())?);
+            attestation_signatures.append(
+                &mut uid.attest_certifications(&config.policy,
+                                               &mut pk_signer,
+                                               uid.certifications())?);
+        } else {
+            attestation_signatures.append(
+                &mut uid.attest_certifications(&config.policy,
+                                               &mut pk_signer, &[])?);
         }
     }
 
     for ua in key.user_attributes() {
-        let mut attestations = Vec::new();
-
         if all {
-            for certification in ua.certifications() {
-                let mut h = hash_algo.context()?;
-                certification.hash_for_confirmation(&mut h);
-                attestations.push(h.into_digest()?);
-            }
-        }
-
-        // Hashes SHOULD be sorted.
-        attestations.sort();
-
-        // All attestation signatures we generate for this component
-        // should have the same creation time.  Fix it now.
-        let t = std::time::SystemTime::now();
-
-        // Hash the components like in a binding signature.
-        let mut hash = hash_algo.context()?;
-        key.primary_key().hash(&mut hash);
-        ua.hash(&mut hash);
-
-        for digests in attestations.chunks(digests_per_sig) {
-            attestation_signatures.push(
-                SignatureBuilder::new(SignatureType::AttestationKey)
-                    .set_signature_creation_time(t)?
-                    .set_attested_certifications(digests)?
-                    .sign_hash(&mut pk_signer, hash.clone())?);
+            attestation_signatures.append(
+                &mut ua.attest_certifications(&config.policy,
+                                              &mut pk_signer,
+                                              ua.certifications())?);
+        } else {
+            attestation_signatures.append(
+                &mut ua.attest_certifications(&config.policy,
+                                              &mut pk_signer, &[])?);
         }
     }
author	Justus Winter <justus@sequoia-pgp.org>	2021-04-21 15:29:48 +0200
committer	Justus Winter <justus@sequoia-pgp.org>	2021-04-26 13:16:57 +0200
commit	815bb18f7dbbfb8074a34707a254415b8184280d (patch)
tree	3345277ff77dbb6289a8e6e6cbd47469760bf72e /sq
parent	65624f499b30589a40c6f4fa87f34f0c0f407394 (diff)