From 815bb18f7dbbfb8074a34707a254415b8184280d Mon Sep 17 00:00:00 2001 From: Justus Winter Date: Wed, 21 Apr 2021 15:29:48 +0200 Subject: openpgp: Add high-level interface for attested certifications. - Fixes #335. --- openpgp/src/cert.rs | 72 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 55 insertions(+), 17 deletions(-) (limited to 'openpgp/src/cert.rs') diff --git a/openpgp/src/cert.rs b/openpgp/src/cert.rs index f7f962ef..162b63e0 100644 --- a/openpgp/src/cert.rs +++ b/openpgp/src/cert.rs @@ -6013,10 +6013,10 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= #[test] fn attested_key_signatures() -> Result<()> { use crate::{ - crypto::hash::Hash, packet::signature::SignatureBuilder, types::*, }; + let p = &crate::policy::StandardPolicy::new(); let (alice, _) = CertBuilder::new() .add_userid("alice@foo.com") 
@@ -6039,26 +6039,25 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= = bob.userids().next().unwrap().userid().bind( &mut alice_signer, &bob, SignatureBuilder::new(SignatureType::GenericCertification))?; + let bob = bob.insert_packets(vec![ + alice_certifies_bob.clone(), + ])?; - // Have Bob attest that certification. - let hash_algo = HashAlgorithm::default(); - - // First, hash the certification. - let mut h = hash_algo.context()?; - alice_certifies_bob.hash_for_confirmation(&mut h); - let digest = h.into_digest()?; - - // Then, prepare an attested key signature. - let mut h = hash_algo.context()?; - bob.primary_key().key().hash(&mut h); - bob.userids().next().unwrap().userid().hash(&mut h); + assert_eq!(bob.with_policy(p, None)?.userids().next().unwrap() + .certifications().count(), 1); + assert_eq!(bob.with_policy(p, None)?.userids().next().unwrap() + .attested_certifications().count(), 0); - let attestation = SignatureBuilder::new(SignatureType::AttestationKey) - .set_attested_certifications(vec![digest])? - .sign_hash(&mut bob_signer, h)?; + // Have Bob attest that certification. + let attestations = + bob.userids().next().unwrap().attest_certifications( + p, + &mut bob_signer, + vec![&alice_certifies_bob])?; + assert_eq!(attestations.len(), 1); + let attestation = attestations[0].clone(); let bob = bob.insert_packets(vec![ - alice_certifies_bob.clone(), attestation.clone(), ])?; @@ -6067,6 +6066,10 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= Some(&alice_certifies_bob)); assert_eq!(&bob.userids().next().unwrap().bundle().attestations[0], &attestation); + assert_eq!(bob.with_policy(p, None)?.userids().next().unwrap() + .certifications().count(), 1); + assert_eq!(bob.with_policy(p, None)?.userids().next().unwrap() + .attested_certifications().count(), 1); // Check that attested key signatures are kept over merges. let bob_ = bob.clone().merge_public(bob_pristine.clone())?; 
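Review bot: The new `attest_certifications` call in the "Have Bob attest that certification" block is only ever given a certification that Alice really made over Bob's user ID, so nothing pins what happens when the caller passes one that does not belong to this user ID. An attestation is Bob's signed approval of specific third-party certifications, so a case using a certification over another certificate should show that it never surfaces in `attested_certifications()`. Whether the method rejects such input or returns an attestation that matches nothing cannot be told from this diff, so the sketch below accepts either outcome. The test function starts before this hunk and continues after it.

```rust
// … unchanged: alice_certifies_bob inserted into bob, pre-attestation counts …

// Constructed example: "carol" and "alice_certifies_carol" are not in the patch.
let (carol, _) = CertBuilder::new()
    .add_userid("carol@foo.com")
    .generate()?;
let alice_certifies_carol =
    carol.userids().next().unwrap().userid().bind(
        &mut alice_signer, &carol,
        SignatureBuilder::new(SignatureType::GenericCertification))?;

// A certification that is not on Bob's user ID must never count as attested.
if let Ok(sigs) = bob.userids().next().unwrap().attest_certifications(
    p, &mut bob_signer, vec![&alice_certifies_carol])
{
    let bob_ = bob.clone().insert_packets(sigs)?;
    assert_eq!(bob_.with_policy(p, None)?.userids().next().unwrap()
               .attested_certifications().count(), 0);
}

// … unchanged: "Have Bob attest that certification." …
```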
@@ -6075,6 +6078,8 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= Some(&alice_certifies_bob)); assert_eq!(&bob_.userids().next().unwrap().bundle().attestations[0], &attestation); + assert_eq!(bob_.with_policy(p, None)?.userids().next().unwrap() + .attested_certifications().count(), 1); // And the other way around. let bob_ = bob_pristine.clone().merge_public(bob.clone())?; @@ -6083,6 +6088,33 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= Some(&alice_certifies_bob)); assert_eq!(&bob_.userids().next().unwrap().bundle().attestations[0], &attestation); + assert_eq!(bob_.with_policy(p, None)?.userids().next().unwrap() + .attested_certifications().count(), 1); + + // Have Bob withdraw any prior attestations. + + let attestations = + bob.userids().next().unwrap().attest_certifications( + p, + &mut bob_signer, + &[])?; + assert_eq!(attestations.len(), 1); + let attestation = attestations[0].clone(); + + let bob = bob.insert_packets(vec![ + attestation.clone(), + ])?; + + assert_eq!(bob.bad_signatures().count(), 0); + assert_eq!(bob.userids().next().unwrap().certifications().next(), + Some(&alice_certifies_bob)); + assert_eq!(&bob.userids().next().unwrap().bundle().attestations[0], + &attestation); + assert_eq!(bob.with_policy(p, None)?.userids().next().unwrap() + .certifications().count(), 1); + assert_eq!(bob.with_policy(p, None)?.userids().next().unwrap() + .attested_certifications().count(), 0); + Ok(()) } @@ -6094,6 +6126,7 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= use crate::{ crypto::hash::Digest, }; + let p = &crate::policy::StandardPolicy::new(); let test = Cert::from_bytes(crate::tests::key("1pa3pc-dkgpg.pgp"))?; assert_eq!(test.bad_signatures().count(), 0); 
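Review bot: The withdrawal block at the end of `attested_key_signatures` never merges the withdrawn certificate with a copy that carries only the earlier attestation, although the two preceding blocks check merges in both directions. Withdrawal is where merge behaviour matters most, because an older copy of the certificate must not bring the approval back; after the final asserts I would add `let bob_ = bob.clone().merge_public(bob_)?;` and `assert_eq!(bob_.with_policy(p, None)?.userids().next().unwrap().attested_certifications().count(), 0);`. Both attestations are also created back to back, so if the newest one is selected by signature creation time (one-second resolution in OpenPGP) the `count(), 0` asserts depend on how ties are resolved, and a comment stating that guarantee would help. The function starts before this hunk.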
@@ -6131,6 +6164,11 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= assert!(digests.contains(&digest[..])); } + assert_eq!(test.with_policy(p, None)?.userids().next().unwrap() + .certifications().count(), 1); + assert_eq!(test.with_policy(p, None)?.userids().next().unwrap() + .attested_certifications().count(), 1); + Ok(()) } -- cgit v1.2.3
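Review bot: The two asserts added at the end of this test evaluate a fixed fixture (`1pa3pc-dkgpg.pgp`) with `with_policy(p, None)`, i.e. at the current time, so their result can change as the clock moves even though the fixture does not. If a key, a certification or an algorithm used in that file ages out under `StandardPolicy`, the counts drop and the test fails for reasons unrelated to attestation handling. I would either pass a fixed reference time taken from the fixture instead of `None`, or add a comment such as `// Evaluated at the current time; revisit if the fixture expires or its algorithms are retired by StandardPolicy.` The contents of the fixture are not visible here, so this is a precaution rather than a known failure. The test body begins before this hunk.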