It is customary in Rust to implement the Default trait for types that
can have a new method that takes no arguments. However, that's not
always wanted.
I've marked all the structures that have a new without arguments but
don't implement Default, so that if we get more of them, clippy will
warn.
Found by clippy lint new_without_default:
https://rust-lang.github.io/rust-clippy/master/index.html#new_without_default
Instead of this:

    if foo {
        if bar {
            ...
        }
    }

do this:

    if foo && bar {
        ...
    }

Nesting statements implies a more complicated code structure than it
really is. Thus it's arguably simpler to write a combined condition by
joining the two conditions with a logical and operation.
Found by clippy lint collapsible_if:
https://rust-lang.github.io/rust-clippy/master/index.html#collapsible_if
- openpgp: Make broken relative links absolute:
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+packet),\1crate::packet,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+cert),\1crate::cert,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+parse),\1crate::parse,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+policy),\1crate::policy,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+serialize),\1crate::serialize,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+armor),\1crate::armor,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+types),\1crate::types,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!] *(\[`PacketPile`\]):).*$,\1 crate::PacketPile,' {} +
- openpgp: Link to PacketParser and Policy structs, not the modules.
- ffi: Make links to sequoia_openpgp and sequoia_net absolute
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+sequoia_openpgp),\1sequoia_openpgp,' {} +
  - find -name "*.rs" -exec sed -i -E 's,^( *//[/!](.*): )((super::)+sequoia_net),\1sequoia_net,' {} +
- Apply cargo intraconv.
- The documentation refers to this function, however, until now it
was missing. Adding it is simple enough, but technically breaks
the API, because it breaks callers invoking
ValidCert::revocation_keys, which would previously deref to
Cert::revocation_keys.
- Avoid the breakage by adding an optional argument, which should be
None but can be Some(_) in order to appease existing users. See
#725.
- Adds an interface to add userids, user attributes, and subkeys
with explicit binding signature templates. This makes it possible
to customize the signatures, while still hiding most of the
complexity of creating a binding signature.
- Fixes #421.
- Move common logic to methods. Do not reuse the direct key
signature as template for user handle binding signatures, instead,
use the new functions.
- The feature subpacket is only honored on direct key signatures and
user id and attribute binding signatures.
- https://rust-lang.github.io/rust-clippy/master/index.html#redundant_clone
- https://rust-lang.github.io/rust-clippy/master/index.html#iter_nth_zero
- https://rust-lang.github.io/rust-clippy/master/index.html#len_zero
- https://rust-lang.github.io/rust-clippy/master/index.html#comparison_to_empty
- https://rust-lang.github.io/rust-clippy/master/index.html#useless_conversion
- https://rust-lang.github.io/rust-clippy/master/index.html#or_fun_call
- Adjust `self_signatures`, `certifications`, `self_revocations` and
`other_revocations` to return `impl Iterator` over the signatures.
- Adjust all call-sites including doc tests.
- Adjust downstream projects (sq, autocrypt).
- Certificates with a primary key that is not signing capable, and a
subkey that is, are strictly more secure than ones that combine
signing and certification capabilities in the primary key.
- If the owner of a certificate with a signing-capable primary key
can be tricked into creating a binary signature over carefully
chosen attacker-controlled data, this signature can be repurposed
to bind arbitrary attacker-controlled components to the
certificate using a chosen-prefix collision attack on the hash
function (see e.g. "SHA-1 is a Shambles" for a similar attack).
- Having a separate signing-subkey mitigates the attack, because
signatures by the signing subkey cannot bind components to the
certificate.
- Remove the function.
- Remove associated tests.
- Cert::revocation_keys does examine all live self-signatures.
- Fixes #629.
- Use generics and the anonymous lifetime in `assert_send_and_sync!`.
- See #627.
- See #627.
- Since `set_features` requires ownership of `Features`, it should take
ownership rather than borrowing and cloning them.
See https://rust-lang.github.io/api-guidelines/flexibility.html#caller-decides-where-to-copy-and-place-data-c-caller-control .
- See #616.
- Make `generate_key` polymorphic over `AsRef<KeyFlags>`.
- Since `set_key_flags` requires ownership of the key flags, it should
take ownership rather than borrowing and cloning them.
See https://rust-lang.github.io/api-guidelines/flexibility.html#caller-decides-where-to-copy-and-place-data-c-caller-control .
- See #616.
`key` parameter.
- Make sign_direct_key take Key of key::PublicParts.
- Simplify calling sign_direct_key by using Into.
- Allow passing None to sign_subkey_binding.
- Allow passing None to sign_userid_binding.
- Allow using None as key parameter.
- Improve docs mentioning new default for `pk`.
- `pk` set to `Option::None` will now default to signer's public key.
- Fixes #565.
- This will allow us to use the CertBuilder to change certificates
with detached secret keys in the future.
- Fixes #608.
- This is closer to collection types such as HashMap, and
distinguishes the function from Cert::merge that merges two
certificates.
- See #572.
- Fixes #523.
- If not given an explicit creation time, backdate created
certificates by a minute. This has the advantage that the
certificate can immediately be customized:
In order to reliably override a binding signature, the overriding
binding signature must be newer than the existing signature. If,
however, the existing signature is created `now`, any newer
signature must have a future creation time, and is considered
invalid by Sequoia. To avoid this, we backdate certificate
creation times (and hence binding signature creation times), so
that there is "space" between the creation time and now for
signature updates.
- See #488.
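The timing problem this commit works around, as an added illustration that is not Sequoia's code: the types below are a constructed model, the one-minute backdating and the "future signatures are invalid" rule are taken from the commit message, and the one-second granularity follows from OpenPGP's seconds-since-epoch timestamps.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// A binding signature reduced to what this illustration needs
/// (constructed model, not Sequoia's Signature type).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct BindingSig {
    pub created: SystemTime,
    pub label: &'static str,
}

/// The binding signature in force at `now`: the newest one that is not
/// dated in the future.  Future-dated signatures count as invalid.
pub fn active_binding(sigs: &[BindingSig], now: SystemTime) -> Option<&BindingSig> {
    sigs.iter().filter(|s| s.created <= now).max_by_key(|s| s.created)
}

/// Creation time the builder assigns: the explicit time if one was given,
/// otherwise `now` backdated by one minute.
pub fn builder_creation_time(explicit: Option<SystemTime>, now: SystemTime) -> SystemTime {
    explicit.unwrap_or(now - Duration::from_secs(60))
}

/// Earliest timestamp an overriding signature can carry so that it is both
/// strictly newer than `existing` and not in the future at `now`.  OpenPGP
/// timestamps have one-second resolution, so "newer" means at least +1s.
/// None means no such second exists: the gap backdating is meant to open.
pub fn earliest_override(existing: SystemTime, now: SystemTime) -> Option<SystemTime> {
    let candidate = existing + Duration::from_secs(1);
    if candidate <= now { Some(candidate) } else { None }
}

/// Generate a certificate and immediately try to replace its binding
/// signature, both at the same `now`.  Returns the label of the signature
/// that ends up in force.
pub fn customize_immediately(backdate: bool, now: SystemTime) -> &'static str {
    let explicit = if backdate { None } else { Some(now) };
    let mut sigs = vec![BindingSig { created: builder_creation_time(explicit, now), label: "original" }];
    if let Some(t) = earliest_override(sigs[0].created, now) {
        sigs.push(BindingSig { created: t, label: "override" });
    }
    active_binding(&sigs, now).map(|s| s.label).unwrap_or("none")
}

fn main() {
    // Constructed, fixed "now" so the run is reproducible.
    let now = UNIX_EPOCH + Duration::from_secs(1_600_000_000);
    println!("without backdating: {}", customize_immediately(false, now)); // original
    println!("with backdating:    {}", customize_immediately(true, now));  // override
}
```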
- Make `SubpacketArea::lookup`'s name more consistent with
`SubpacketArea::subpackets`, `SubpacketAreas::subpacket`, and
`SubpacketAreas::subpackets`.
- Align our examples with how the code in the examples of the Rust
standard library is formatted. We are writing examples in the
hope that downstream users will copy fragments of them, therefore
using idiomatic formatting in these snippets is important.
- See #525.
- `CertBuilder::set_expiration_time` takes an absolute time.
- Most callers use a relative time.
- Internally, we need a relative time (that's what the Key
Expiration Time packet takes).
- Converting the absolute time to a relative time is error prone:
should it be relative to the creation time when called or when
`CertBuilder` is finalized?
- KISS: Change it to just take a relative time.
- To better reflect the new semantics, also change the name to
`CertBuilder::set_validity_period`.
- Add a getter to `CertBuilder` to return the configured creation
time.
- This is useful when gradually building up a `CertBuilder` and you
want to set an absolute expiration time.
- This also drops the implementation of PartialOrd since we did not
use it in the key selection after all.
- Fixes #525.
- `CertBuilder` places the `Preferred Hash Algorithm` and `Preferred
Symmetric Algorithm` subpackets only on subkeys. But, GnuPG only
recognizes them on User ID binding signatures, and direct key
signatures.
- This means that when GnuPG encrypts a message to a certificate
generated by Sequoia, it falls back to 3DES (4880's only MUST
algorithm).
- Change `CertBuilder` to match GnuPG's expectations: when creating
a certificate, add the `Preferred Hash Algorithm` and `Preferred
Symmetric Algorithm` subpackets to the User ID binding signatures,
User Attribute binding signatures, and direct key signature, and
don't bother adding them to the subkey binding signatures.
- See #522.
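Why the subpacket placement decides the cipher, as an added illustration that is not Sequoia's or GnuPG's code: a constructed model in which the recipient only reads preferences from User ID binding and direct key signatures, as the commit describes, and falls back to TripleDES when it finds none. The type names, the two example certificate layouts and the precedence between the two signature kinds are assumptions of this model.

```rust
/// Symmetric algorithms relevant to this illustration.  TripleDES is the only
/// algorithm RFC 4880 requires of every implementation, hence the fallback.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SymAlgo { TripleDES, AES128, AES256 }

/// Which self-signature a preference subpacket sits on.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SigKind { DirectKey, UserIdBinding, UserAttributeBinding, SubkeyBinding }

/// A self-signature reduced to its kind and its optional Preferred Symmetric
/// Algorithms subpacket (constructed model, not Sequoia's types).
#[derive(Debug, Clone)]
pub struct SelfSig { pub kind: SigKind, pub preferred_symmetric: Option<Vec<SymAlgo>> }

/// Preferences a recipient consults, following the behaviour the commit
/// attributes to GnuPG: only User ID binding and direct key signatures count;
/// subkey binding signatures are never looked at.  First match in `sigs` wins.
pub fn recipient_preferences(sigs: &[SelfSig]) -> Option<&[SymAlgo]> {
    sigs.iter()
        .filter(|s| matches!(s.kind, SigKind::UserIdBinding | SigKind::DirectKey))
        .find_map(|s| s.preferred_symmetric.as_deref())
}

/// Algorithm an encrypting party picks: the first preferred algorithm it
/// supports, otherwise the mandatory TripleDES.
pub fn negotiate(sigs: &[SelfSig], supported: &[SymAlgo]) -> SymAlgo {
    recipient_preferences(sigs)
        .and_then(|prefs| prefs.iter().copied().find(|a| supported.contains(a)))
        .unwrap_or(SymAlgo::TripleDES)
}

fn sig(kind: SigKind, prefs: Option<&[SymAlgo]>) -> SelfSig {
    SelfSig { kind, preferred_symmetric: prefs.map(|p| p.to_vec()) }
}

/// Old CertBuilder placement: preferences only on the subkey binding signature.
pub fn old_layout() -> Vec<SelfSig> {
    let prefs = [SymAlgo::AES256, SymAlgo::AES128];
    vec![sig(SigKind::DirectKey, None), sig(SigKind::UserIdBinding, None),
         sig(SigKind::SubkeyBinding, Some(&prefs))]
}

/// New placement: preferences on the User ID binding and direct key signatures.
pub fn new_layout() -> Vec<SelfSig> {
    let prefs = [SymAlgo::AES256, SymAlgo::AES128];
    vec![sig(SigKind::DirectKey, Some(&prefs)), sig(SigKind::UserIdBinding, Some(&prefs)),
         sig(SigKind::SubkeyBinding, None)]
}
```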
- To support third-party direct key signatures (e.g., revocations),
change `SignatureBuilder::sign_direct_key` to take the key that is
being signed, and not assume that it is `signer::public`.
- When using the `SignatureBuilder`, the signature creation time and
issuer subpackets will be correctly set by default.
- Don't do it explicitly.
- Currently, `SignatureBuilder` sets the `Signature Creation Time`
subpacket when it is instantiated, or uses any existing `Signature
Creation Time` when it is converted using `From`.
- This can be problematic: usually, we want the current time.
- Change the behavior to emit a `Signature Creation Time` subpacket
when the signature is generated, unless this behavior is
explicitly overridden.
- Make quickcheck dependency optional.
- Make quickcheck a dev-dependency for tests.
- Fix doctests for
  - cert::ValidCert::user_attributes,
  - cert::builder::CertBuilder::add_user_attribute,
  - cert::revoke::UserAttributeRevocationBuilder,
  - cert::revoke::UserAttributeRevocationBuilder::build.
  Doctests do not use cfg(test), so we cannot use quickcheck in there.
- Fixes #475.
- Improve documentation for public data structures and public
methods in `cert::builder`.
- See #466.
- When using `CertBuilder` to generate a certificate, if there are
no User IDs, set the primary User ID flag on the first User
Attribute.