authorHeiko <heiko@schaefer.name>2021-05-04 12:58:10 +0200
committerHeiko <heiko@schaefer.name>2021-05-04 12:58:10 +0200
commit95451d49eba1222b8e5ed9fc17d28f7b322244ea (patch)
tree169d19911e50d70058c60e793b8eff8d8a858032
parentfe76661324136a8fd15d81b48c69c12ab6ec251d (diff)
Move signing helper fn from ca_secret to cert.
-rw-r--r--src/ca_secret.rs50
-rw-r--r--src/cert.rs58
2 files changed, 50 insertions, 58 deletions
diff --git a/src/ca_secret.rs b/src/ca_secret.rs
index 85b045b..03180be 100644
--- a/src/ca_secret.rs
+++ b/src/ca_secret.rs
@@ -11,7 +11,6 @@ use crate::db::models;
use crate::pgp::Pgp;
use sequoia_openpgp::cert;
-use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
use sequoia_openpgp::cert::CertRevocationBuilder;
use sequoia_openpgp::packet::{signature, Signature, UserID};
use sequoia_openpgp::serialize::stream::Armorer;
@@ -64,13 +63,6 @@ pub trait CaSec {
/// Generate a detached signature with the CA key, for 'text'
fn sign_detached(&self, text: &str) -> Result<String>;
- fn sign_cert_emails(
- &self,
- user_cert: &Cert,
- emails_filter: Option<&[&str]>,
- duration_days: Option<u64>,
- ) -> Result<Cert>;
-
fn sign_user_ids(
&self,
user_cert: &Cert,
@@ -306,48 +298,6 @@ adversaries."#;
Ok(std::str::from_utf8(&sink)?.to_string())
}
- /// CA certifies either all or a subset of User IDs of cert.
- ///
- /// 'emails_filter' (if not None) specifies the subset of User IDs to
- /// certify.
- fn sign_cert_emails(
- &self,
- cert: &Cert,
- emails_filter: Option<&[&str]>,
- duration_days: Option<u64>,
- ) -> Result<Cert> {
- let fp_ca = self.ca_get_priv_key()?.fingerprint();
-
- let mut uids = Vec::new();
-
- for uid in cert.userids() {
- // check if this uid already has a valid signature by ca_cert.
- // if yes, don't add another one.
- if !uid
- .clone()
- .with_policy(Pgp::SP, None)?
- .certifications()
- .any(|s| s.issuer_fingerprints().any(|fp| fp == &fp_ca))
- {
- let userid = uid.userid();
- let uid_addr = userid
- .email_normalized()?
- .expect("email normalization failed");
-
- // Certify this User ID if we
- // a) have no filter-list, or
- // b) if the User ID is specified in the filter-list.
- if emails_filter.is_none()
- || emails_filter.unwrap().contains(&uid_addr.as_str())
- {
- uids.push(userid);
- }
- }
- }
-
- self.sign_user_ids(cert, &uids, duration_days)
- }
-
/// CA certifies a specified list of User IDs of a cert.
///
/// This fn does not perform any checks as a precondition for adding new
diff --git a/src/cert.rs b/src/cert.rs
index b45f7e5..63c7891 100644
--- a/src/cert.rs
+++ b/src/cert.rs
@@ -10,7 +10,9 @@ use crate::ca::OpenpgpCa;
use crate::db::models;
use crate::pgp::Pgp;
+use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
use sequoia_openpgp::packet::{Signature, UserID};
+use sequoia_openpgp::Cert;
use anyhow::{Context, Result};
@@ -31,10 +33,9 @@ pub fn user_new(
.context("make_user_cert failed")?;
// CA certifies user cert
- let user_certified = oca
- .secret()
- .sign_cert_emails(&user_key, Some(emails), duration_days)
- .context("sign_user_emails failed")?;
+ let user_certified =
+ sign_cert_emails(&oca, &user_key, Some(emails), duration_days)
+ .context("sign_user_emails failed")?;
// User tsigns CA cert
let ca_cert = oca.ca_get_cert_pub()?;
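Review bot: The context string on the added line, `.context("sign_user_emails failed")?`, names a function that does not exist in this file; the call is to `sign_cert_emails`, and the parallel call site in `cert_import_new` already reports `sign_cert_emails() failed`. A misnamed error path sends whoever is triaging a failed certification to the wrong place, so I'd change it to `.context("sign_cert_emails() failed")?` to match the other caller. `user_new` starts before this hunk and continues after it.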
@@ -105,10 +106,9 @@ pub fn cert_import_new(
}
// Sign user cert with CA key (only the User IDs that have been specified)
- let certified = oca
- .secret()
- .sign_cert_emails(&user_cert, Some(emails), duration_days)
- .context("sign_cert_emails() failed")?;
+ let certified =
+ sign_cert_emails(&oca, &user_cert, Some(emails), duration_days)
+ .context("sign_cert_emails() failed")?;
// use name from User IDs, if no name was passed
let name = match name {
@@ -298,3 +298,45 @@ pub fn cert_check_tsig_on_ca(
.any(|fp| fp == &user_cert.fingerprint())
}))
}
+
+/// CA certifies either all or a subset of User IDs of cert.
+///
+/// 'emails_filter' (if not None) specifies the subset of User IDs to
+/// certify.
+fn sign_cert_emails(
+ oca: &OpenpgpCa,
+ cert: &Cert,
+ emails_filter: Option<&[&str]>,
+ duration_days: Option<u64>,
+) -> Result<Cert> {
+ let fp_ca = oca.ca_get_cert_pub()?.fingerprint();
+
+ let mut uids = Vec::new();
+
+ for uid in cert.userids() {
+ // check if this uid already has a valid signature by ca_cert.
+ // if yes, don't add another one.
+ if !uid
+ .clone()
+ .with_policy(Pgp::SP, None)?
+ .certifications()
+ .any(|s| s.issuer_fingerprints().any(|fp| fp == &fp_ca))
+ {
+ let userid = uid.userid();
+ let uid_addr = userid
+ .email_normalized()?
+ .expect("email normalization failed");
+
+ // Certify this User ID if we
+ // a) have no filter-list, or
+ // b) if the User ID is specified in the filter-list.
+ if emails_filter.is_none()
+ || emails_filter.unwrap().contains(&uid_addr.as_str())
+ {
+ uids.push(userid);
+ }
+ }
+ }
+
+ oca.secret().sign_user_ids(cert, &uids, duration_days)
+}
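Review bot: `.expect("email normalization failed")` on the `uid_addr` binding panics whenever a User ID carries no email address: `email_normalized()?` has already propagated the error case, so the remaining `None` means "no address in this User ID" (a bare name), not a failure. Certificates reaching this function through `cert_import_new` originate outside the CA, so one name-only User ID would abort the process instead of being reported; I'd skip such IDs, `let uid_addr = match userid.email_normalized()? { Some(addr) => addr, None => continue };`, or, if address-less IDs are meant to be certified in the unfiltered case, fold the `None` into the filter check instead of unwrapping. The "already certified by the CA" test above it deserves a caveat too: as far as I can tell `certifications()` yields the stored third-party certifications without verifying them or checking expiry, so a certification that merely claims the CA's fingerprint as issuer, or one whose validity period has lapsed, suppresses a fresh certification; a comment such as `// NOTE: issuer match only — the existing certification is not verified here, and an expired one still counts` would make that visible to the next maintainer. Finally, `emails_filter.is_none() || emails_filter.unwrap().contains(...)` reads more naturally as `emails_filter.map_or(true, |f| f.contains(&uid_addr.as_str()))`.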