From bbbc6da375d6584c7b2bcc74e838fff943f489d4 Mon Sep 17 00:00:00 2001 From: Justus Winter Date: Thu, 28 Nov 2019 15:27:33 +0100 Subject: Call TPKs Certificates, update identifiers, documentation. - Fixes #387. --- tool/src/commands/decrypt.rs | 12 +++--- tool/src/commands/dump.rs | 6 +-- tool/src/commands/inspect.rs | 37 +++++++++-------- tool/src/commands/key.rs | 10 ++--- tool/src/commands/mod.rs | 62 ++++++++++++++-------------- tool/src/commands/sign.rs | 6 +-- tool/src/sq-usage.rs | 52 ++++++++++++----------- tool/src/sq.rs | 98 ++++++++++++++++++++++---------------------- tool/src/sq_cli.rs | 30 ++++++++------ 9 files changed, 161 insertions(+), 152 deletions(-) (limited to 'tool/src') diff --git a/tool/src/commands/decrypt.rs b/tool/src/commands/decrypt.rs index 33725290..a30d6d6f 100644 --- a/tool/src/commands/decrypt.rs +++ b/tool/src/commands/decrypt.rs @@ -9,7 +9,7 @@ use sequoia_core::Context; use crate::openpgp::types::SymmetricAlgorithm; use crate::openpgp::conversions::hex; use crate::openpgp::crypto::{self, SessionKey}; -use crate::openpgp::{Fingerprint, TPK, KeyID, Result}; +use crate::openpgp::{Fingerprint, Cert, KeyID, Result}; use crate::openpgp::packet::prelude::*; use crate::openpgp::parse::PacketParser; use crate::openpgp::parse::stream::{ @@ -32,7 +32,7 @@ struct Helper<'a> { impl<'a> Helper<'a> { fn new(ctx: &'a Context, mapping: &'a mut store::Mapping, - signatures: usize, tpks: Vec, secrets: Vec, + signatures: usize, certs: Vec, secrets: Vec, dump_session_key: bool, dump: bool, hex: bool) -> Self { let mut keys: HashMap @@ -77,7 +77,7 @@ impl<'a> Helper<'a> { } Helper { - vhelper: VHelper::new(ctx, mapping, signatures, tpks), + vhelper: VHelper::new(ctx, mapping, signatures, certs), secret_keys: keys, key_identities: identities, key_hints: hints, @@ -123,7 +123,7 @@ impl<'a> Helper<'a> { } impl<'a> VerificationHelper for Helper<'a> { - fn get_public_keys(&mut self, ids: &[openpgp::KeyHandle]) -> Result> { + fn get_public_keys(&mut self, ids: &[openpgp::KeyHandle]) -> Result> { self.vhelper.get_public_keys(ids) } fn check(&mut self, structure: &MessageStructure) -> Result<()> { @@ -294,11 +294,11 @@ impl<'a> DecryptionHelper for Helper<'a> { pub fn decrypt(ctx: &Context, mapping: &mut store::Mapping, input: &mut dyn io::Read, output: &mut dyn io::Write, - signatures: usize, tpks: Vec, secrets: Vec, + signatures: usize, certs: Vec, secrets: Vec, dump_session_key: bool, dump: bool, hex: bool) -> Result<()> { - let helper = Helper::new(ctx, mapping, signatures, tpks, secrets, + let helper = Helper::new(ctx, mapping, signatures, certs, secrets, dump_session_key, dump, hex); let mut decryptor = Decryptor::from_reader(input, helper, None) .context("Decryption failed")?; diff --git a/tool/src/commands/dump.rs b/tool/src/commands/dump.rs index 319c6e16..9ae129b1 100644 --- a/tool/src/commands/dump.rs +++ b/tool/src/commands/dump.rs @@ -18,7 +18,7 @@ pub enum Kind { encrypted: bool, }, Keyring, - TPK, + Cert, Unknown, } @@ -140,8 +140,8 @@ pub fn dump(input: &mut dyn io::Read, output: &mut dyn io::Write, Ok(Kind::Message { encrypted: message_encrypted, }) - } else if eof.is_tpk().is_ok() { - Ok(Kind::TPK) + } else if eof.is_cert().is_ok() { + Ok(Kind::Cert) } else if eof.is_keyring().is_ok() { Ok(Kind::Keyring) } else { diff --git a/tool/src/commands/inspect.rs b/tool/src/commands/inspect.rs index ef3692aa..87b2bc2d 100644 --- a/tool/src/commands/inspect.rs +++ b/tool/src/commands/inspect.rs @@ -30,7 +30,7 @@ pub fn inspect(m: &clap::ArgMatches, output: &mut dyn io::Write) while let PacketParserResult::Some(mut pp) = ppr { match pp.packet { Packet::PublicKey(_) | Packet::SecretKey(_) => { - if pp.possible_tpk().is_err() + if pp.possible_cert().is_err() && pp.possible_keyring().is_ok() { if ! type_called { @@ -40,8 +40,8 @@ pub fn inspect(m: &clap::ArgMatches, output: &mut dyn io::Write) } let pp = openpgp::PacketPile::from( ::std::mem::replace(&mut packets, Vec::new())); - let tpk = openpgp::TPK::from_packet_pile(pp)?; - inspect_tpk(output, &tpk, print_keygrips, + let cert = openpgp::Cert::from_packet_pile(pp)?; + inspect_cert(output, &cert, print_keygrips, print_certifications)?; } }, @@ -72,7 +72,7 @@ pub fn inspect(m: &clap::ArgMatches, output: &mut dyn io::Write) if let PacketParserResult::EOF(eof) = ppr { let is_message = eof.is_message(); - let is_tpk = eof.is_tpk(); + let is_cert = eof.is_cert(); let is_keyring = eof.is_keyring(); if is_message.is_ok() { @@ -97,10 +97,10 @@ pub fn inspect(m: &clap::ArgMatches, output: &mut dyn io::Write) if literal_prefix.len() == 40 { "..." } else { "" })?; } - } else if is_tpk.is_ok() || is_keyring.is_ok() { + } else if is_cert.is_ok() || is_keyring.is_ok() { let pp = openpgp::PacketPile::from(packets); - let tpk = openpgp::TPK::from_packet_pile(pp)?; - inspect_tpk(output, &tpk, print_keygrips, print_certifications)?; + let cert = openpgp::Cert::from_packet_pile(pp)?; + inspect_cert(output, &cert, print_keygrips, print_certifications)?; } else if packets.is_empty() && ! sigs.is_empty() { writeln!(output, "Detached signature{}.", if sigs.len() > 1 { "s" } else { "" })?; @@ -111,7 +111,7 @@ pub fn inspect(m: &clap::ArgMatches, output: &mut dyn io::Write) } else { writeln!(output, "Unknown sequence of OpenPGP packets.")?; writeln!(output, " Message: {}", is_message.unwrap_err())?; - writeln!(output, " TPK: {}", is_tpk.unwrap_err())?; + writeln!(output, " Cert: {}", is_cert.unwrap_err())?; writeln!(output, " Keyring: {}", is_keyring.unwrap_err())?; writeln!(output)?; writeln!(output, "Hint: Try 'sq packet dump {}'", input_name)?; @@ -123,19 +123,22 @@ pub fn inspect(m: &clap::ArgMatches, output: &mut dyn io::Write) Ok(()) } -fn inspect_tpk(output: &mut dyn io::Write, tpk: &openpgp::TPK, +fn inspect_cert(output: &mut dyn io::Write, cert: &openpgp::Cert, print_keygrips: bool, print_certifications: bool) -> Result<()> { - writeln!(output, "Transferable {} Key.", - if tpk.is_tsk() { "Secret" } else { "Public" })?; + if cert.is_tsk() { + writeln!(output, "Transferable Secret Key.")?; + } else { + writeln!(output, "OpenPGP Certificate.")?; + } writeln!(output)?; - writeln!(output, " Fingerprint: {}", tpk.fingerprint())?; - inspect_revocation(output, "", tpk.revoked(None))?; - inspect_key(output, "", tpk.primary(), tpk.primary_key_signature(None), - tpk.certifications(), + writeln!(output, " Fingerprint: {}", cert.fingerprint())?; + inspect_revocation(output, "", cert.revoked(None))?; + inspect_key(output, "", cert.primary(), cert.primary_key_signature(None), + cert.certifications(), print_keygrips, print_certifications)?; writeln!(output)?; - for skb in tpk.subkeys() { + for skb in cert.subkeys() { writeln!(output, " Subkey: {}", skb.key().fingerprint())?; inspect_revocation(output, "", skb.revoked(None))?; inspect_key(output, "", skb.key(), skb.binding_signature(None), @@ -144,7 +147,7 @@ fn inspect_tpk(output: &mut dyn io::Write, tpk: &openpgp::TPK, writeln!(output)?; } - for uidb in tpk.userids() { + for uidb in cert.userids() { writeln!(output, " UserID: {}", uidb.userid())?; inspect_revocation(output, "", uidb.revoked(None))?; if let Some(sig) = uidb.binding_signature(None) { diff --git a/tool/src/commands/key.rs b/tool/src/commands/key.rs index 1d825bf8..8617cc9f 100644 --- a/tool/src/commands/key.rs +++ b/tool/src/commands/key.rs @@ -4,7 +4,7 @@ use clap::ArgMatches; use itertools::Itertools; use crate::openpgp::Packet; -use crate::openpgp::tpk::{TPKBuilder, CipherSuite}; +use crate::openpgp::cert::{CertBuilder, CipherSuite}; use crate::openpgp::types::KeyFlags; use crate::openpgp::armor::{Writer, Kind}; use crate::openpgp::serialize::Serialize; @@ -12,7 +12,7 @@ use crate::openpgp::serialize::Serialize; use crate::create_or_stdout; pub fn generate(m: &ArgMatches, force: bool) -> failure::Fallible<()> { - let mut builder = TPKBuilder::new(); + let mut builder = CertBuilder::new(); // User ID match m.values_of("userid") { @@ -184,7 +184,7 @@ pub fn generate(m: &ArgMatches, force: bool) -> failure::Fallible<()> { } // Generate the key - let (tpk, rev) = builder.generate()?; + let (cert, rev) = builder.generate()?; // Export if m.is_present("export") { @@ -210,7 +210,7 @@ pub fn generate(m: &ArgMatches, force: bool) -> failure::Fallible<()> { --export")), }; - let headers = tpk.armor_headers(); + let headers = cert.armor_headers(); // write out key { @@ -220,7 +220,7 @@ pub fn generate(m: &ArgMatches, force: bool) -> failure::Fallible<()> { let w = create_or_stdout(Some(&key_path), force)?; let mut w = Writer::new(w, Kind::SecretKey, &headers)?; - tpk.as_tsk().serialize(&mut w)?; + cert.as_tsk().serialize(&mut w)?; } // write out rev cert diff --git a/tool/src/commands/mod.rs b/tool/src/commands/mod.rs index 03af9aa6..ce228b2d 100644 --- a/tool/src/commands/mod.rs +++ b/tool/src/commands/mod.rs @@ -11,7 +11,7 @@ use crate::openpgp::types::{ CompressionAlgorithm, }; use crate::openpgp::crypto; -use crate::openpgp::{TPK, KeyID, Result}; +use crate::openpgp::{Cert, KeyID, Result}; use crate::openpgp::packet::prelude::*; use crate::openpgp::parse::{ Parse, @@ -42,13 +42,13 @@ mod inspect; pub use self::inspect::inspect; pub mod key; -/// Returns suitable signing keys from a given list of TPKs. -fn get_signing_keys(tpks: &[openpgp::TPK]) +/// Returns suitable signing keys from a given list of Certs. +fn get_signing_keys(certs: &[openpgp::Cert]) -> Result>> { let mut keys = Vec::new(); - 'next_tpk: for tsk in tpks { + 'next_cert: for tsk in certs { for key in tsk.keys_valid() .signing_capable() .map(|k| k.2) @@ -67,7 +67,7 @@ fn get_signing_keys(tpks: &[openpgp::TPK]) keys.push(crypto::KeyPair::new(key.clone(), unencrypted) .unwrap()); - break 'next_tpk; + break 'next_cert; } } @@ -81,12 +81,12 @@ fn get_signing_keys(tpks: &[openpgp::TPK]) pub fn encrypt(mapping: &mut store::Mapping, input: &mut dyn io::Read, output: &mut dyn io::Write, npasswords: usize, recipients: Vec<&str>, - mut tpks: Vec, signers: Vec, + mut certs: Vec, signers: Vec, mode: openpgp::types::KeyFlags, compression: &str) -> Result<()> { for r in recipients { - tpks.push(mapping.lookup(r).context("No such key found")?.tpk()?); + certs.push(mapping.lookup(r).context("No such key found")?.cert()?); } let mut passwords: Vec = Vec::with_capacity(npasswords); for n in 0..npasswords { @@ -99,7 +99,7 @@ pub fn encrypt(mapping: &mut store::Mapping, }))?.into()); } - if tpks.len() + passwords.len() == 0 { + if certs.len() + passwords.len() == 0 { return Err(failure::format_err!( "Neither recipient nor password given")); } @@ -107,19 +107,19 @@ pub fn encrypt(mapping: &mut store::Mapping, let mut signers = get_signing_keys(&signers)?; // Build a vector of references to hand to Signer. - let recipients: Vec<&openpgp::TPK> = tpks.iter().collect(); + let recipients: Vec<&openpgp::Cert> = certs.iter().collect(); // Build a vector of recipients to hand to Encryptor. let mut recipient_subkeys: Vec = Vec::new(); - for tpk in tpks.iter() { + for cert in certs.iter() { let mut count = 0; - for (_, _, key) in tpk.keys_valid().key_flags(mode.clone()) { + for (_, _, key) in cert.keys_valid().key_flags(mode.clone()) { recipient_subkeys.push(key.into()); count += 1; } if count == 0 { return Err(failure::format_err!( - "Key {} has no suitable encryption key", tpk)); + "Key {} has no suitable encryption key", cert)); } } @@ -183,7 +183,7 @@ struct VHelper<'a> { ctx: &'a Context, mapping: &'a mut store::Mapping, signatures: usize, - tpks: Option>, + certs: Option>, labels: HashMap, trusted: HashSet, good_signatures: usize, @@ -195,13 +195,13 @@ struct VHelper<'a> { impl<'a> VHelper<'a> { fn new(ctx: &'a Context, mapping: &'a mut store::Mapping, signatures: usize, - tpks: Vec) + certs: Vec) -> Self { VHelper { ctx: ctx, mapping: mapping, signatures: signatures, - tpks: Some(tpks), + certs: Some(certs), labels: HashMap::new(), trusted: HashSet::new(), good_signatures: 0, @@ -301,19 +301,19 @@ impl<'a> VHelper<'a> { } impl<'a> VerificationHelper for VHelper<'a> { - fn get_public_keys(&mut self, ids: &[openpgp::KeyHandle]) -> Result> { - let mut tpks = self.tpks.take().unwrap(); - let seen: HashSet<_> = tpks.iter() - .flat_map(|tpk| { + fn get_public_keys(&mut self, ids: &[openpgp::KeyHandle]) -> Result> { + let mut certs = self.certs.take().unwrap(); + let seen: HashSet<_> = certs.iter() + .flat_map(|cert| { // Even if a key is revoked or expired, we can still // use it to verify a message. - tpk.keys_all().map(|(_, _, key)| key.fingerprint().into()) + cert.keys_all().map(|(_, _, key)| key.fingerprint().into()) }).collect(); // Explicitly provided keys are trusted. self.trusted = seen.clone(); - // Try to get missing TPKs from the mapping. + // Try to get missing Certs from the mapping. for id in ids.iter().map(|i| KeyID::from(i.clone())) .filter(|i| !seen.contains(i)) { @@ -325,10 +325,10 @@ impl<'a> VerificationHelper for VHelper<'a> { // Keys from our mapping are trusted. self.trusted.insert(id.clone()); - binding.tpk() + binding.cert() }) - .and_then(|tpk| { - tpks.push(tpk); + .and_then(|cert| { + certs.push(cert); Ok(()) }); } @@ -336,7 +336,7 @@ impl<'a> VerificationHelper for VHelper<'a> { // Update seen. let seen = self.trusted.clone(); - // Try to get missing TPKs from the pool. + // Try to get missing Certs from the pool. for id in ids.iter().map(|i| KeyID::from(i.clone())) .filter(|i| !seen.contains(i)) { @@ -344,14 +344,14 @@ impl<'a> VerificationHelper for VHelper<'a> { store::Store::lookup_by_subkeyid(self.ctx, &id) .and_then(|key| { // Keys from the pool are NOT trusted. - key.tpk() + key.cert() }) - .and_then(|tpk| { - tpks.push(tpk); + .and_then(|cert| { + certs.push(cert); Ok(()) }); } - Ok(tpks) + Ok(certs) } fn check(&mut self, structure: &MessageStructure) -> Result<()> { @@ -385,9 +385,9 @@ pub fn verify(ctx: &Context, mapping: &mut store::Mapping, input: &mut dyn io::Read, detached: Option<&mut dyn io::Read>, output: &mut dyn io::Write, - signatures: usize, tpks: Vec) + signatures: usize, certs: Vec) -> Result<()> { - let helper = VHelper::new(ctx, mapping, signatures, tpks); + let helper = VHelper::new(ctx, mapping, signatures, certs); let mut verifier = if let Some(dsig) = detached { DetachedVerifier::from_reader(dsig, input, helper, None)? } else { diff --git a/tool/src/commands/sign.rs b/tool/src/commands/sign.rs index 787a7889..a2303fba 100644 --- a/tool/src/commands/sign.rs +++ b/tool/src/commands/sign.rs @@ -19,7 +19,7 @@ use crate::openpgp::serialize::stream::{ use crate::create_or_stdout; pub fn sign(input: &mut dyn io::Read, output_path: Option<&str>, - secrets: Vec, detached: bool, binary: bool, + secrets: Vec, detached: bool, binary: bool, append: bool, notarize: bool, force: bool) -> Result<()> { match (detached, append|notarize) { @@ -32,7 +32,7 @@ pub fn sign(input: &mut dyn io::Read, output_path: Option<&str>, } fn sign_data(input: &mut dyn io::Read, output_path: Option<&str>, - secrets: Vec, detached: bool, binary: bool, + secrets: Vec, detached: bool, binary: bool, append: bool, force: bool) -> Result<()> { let (mut output, prepend_sigs, tmp_path): @@ -129,7 +129,7 @@ fn sign_data(input: &mut dyn io::Read, output_path: Option<&str>, } fn sign_message(input: &mut dyn io::Read, output_path: Option<&str>, - secrets: Vec, binary: bool, notarize: bool, + secrets: Vec, binary: bool, notarize: bool, force: bool) -> Result<()> { let mut output = create_or_stdout(output_path, force)?; diff --git a/tool/src/sq-usage.rs b/tool/src/sq-usage.rs index 24d5ecc5..397df53b 100644 --- a/tool/src/sq-usage.rs +++ b/tool/src/sq-usage.rs @@ -52,10 +52,11 @@ //! -V, --version Prints version information //! //! OPTIONS: -//! -o, --output Sets the output file to use -//! --public-key-file ... Public key to verify with, given as a file (can be given multiple times) -//! --secret-key-file ... Secret key to decrypt with, given as a file (can be given multiple times) -//! -n, --signatures The number of valid signatures required. Default: 0 +//! -o, --output Sets the output file to use +//! --secret-key-file ... Secret key to decrypt with, given as a file (can be given multiple times) +//! --sender-cert-file ... The sender's certificate verify signatures with, given as a file (can be +//! given multiple times) +//! -n, --signatures The number of valid signatures required. Default: 0 //! //! ARGS: //! Sets the input file to use @@ -76,16 +77,16 @@ //! -V, --version Prints version information //! //! OPTIONS: -//! --compression Selects compression scheme to use [default: pad] [possible values: none, -//! pad, zip, zlib, bzip2] -//! --mode Selects what kind of keys are considered for encryption. Transport select -//! subkeys marked as suitable for transport encryption, rest selects those -//! for encrypting data at rest, and all selects all encryption-capable -//! subkeys [default: all] [possible values: transport, rest, all] -//! -o, --output Sets the output file to use -//! -r, --recipient