author | Heiko <heiko@schaefer.name> | 2021-05-04 12:58:10 +0200 |
---|---|---|
committer | Heiko <heiko@schaefer.name> | 2021-05-04 12:58:10 +0200 |
commit | 95451d49eba1222b8e5ed9fc17d28f7b322244ea (patch) | |
tree | 169d19911e50d70058c60e793b8eff8d8a858032 | |
parent | fe76661324136a8fd15d81b48c69c12ab6ec251d (diff) | |
download | openpgp-ca-95451d49eba1222b8e5ed9fc17d28f7b322244ea.tar.gz |
Move signing helper fn from ca_secret to cert.
-rw-r--r-- | src/ca_secret.rs | 50 | ||||
-rw-r--r-- | src/cert.rs | 58 |
2 files changed, 50 insertions, 58 deletions
diff --git a/src/ca_secret.rs b/src/ca_secret.rs
index 85b045b..03180be 100644
--- a/src/ca_secret.rs
+++ b/src/ca_secret.rs
@@ -11,7 +11,6 @@ use crate::db::models;
 use crate::pgp::Pgp;
 use sequoia_openpgp::cert;
-use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
 use sequoia_openpgp::cert::CertRevocationBuilder;
 use sequoia_openpgp::packet::{signature, Signature, UserID};
 use sequoia_openpgp::serialize::stream::Armorer;
@@ -64,13 +63,6 @@ pub trait CaSec {
 /// Generate a detached signature with the CA key, for 'text'
 fn sign_detached(&self, text: &str) -> Result<String>;
- fn sign_cert_emails(
- &self,
- user_cert: &Cert,
- emails_filter: Option<&[&str]>,
- duration_days: Option<u64>,
- ) -> Result<Cert>;
- fn sign_user_ids( - &self, - user_cert: &Cert,
@@ -306,48 +298,6 @@ adversaries."#;
 Ok(std::str::from_utf8(&sink)?.to_string())
 }
- /// CA certifies either all or a subset of User IDs of cert.
- ///
- /// 'emails_filter' (if not None) specifies the subset of User IDs to
- /// certify.
- fn sign_cert_emails(
- &self,
- cert: &Cert,
- emails_filter: Option<&[&str]>,
- duration_days: Option<u64>,
- ) -> Result<Cert> {
- let fp_ca = self.ca_get_priv_key()?.fingerprint();
-
- let mut uids = Vec::new();
-
- for uid in cert.userids() {
- // check if this uid already has a valid signature by ca_cert.
- // if yes, don't add another one.
- if !uid
- .clone()
- .with_policy(Pgp::SP, None)?
- .certifications()
- .any(|s| s.issuer_fingerprints().any(|fp| fp == &fp_ca))
- {
- let userid = uid.userid();
- let uid_addr = userid
- .email_normalized()?
- .expect("email normalization failed");
-
- // Certify this User ID if we
- // a) have no filter-list, or
- // b) if the User ID is specified in the filter-list.
- if emails_filter.is_none()
- || emails_filter.unwrap().contains(&uid_addr.as_str())
- {
- uids.push(userid);
- }
- }
- }
-
- self.sign_user_ids(cert, &uids, duration_days)
- }
-
 /// CA certifies a specified list of User IDs of a cert.
 ///
 /// This fn does not perform any checks as a precondition for adding new
diff --git a/src/cert.rs b/src/cert.rs
index b45f7e5..63c7891 100644
--- a/src/cert.rs
+++ b/src/cert.rs
@@ -10,7 +10,9 @@ use crate::ca::OpenpgpCa;
 use crate::db::models;
 use crate::pgp::Pgp;
+use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
 use sequoia_openpgp::packet::{Signature, UserID};
+use sequoia_openpgp::Cert;
 use anyhow::{Context, Result};
@@ -31,10 +33,9 @@ pub fn user_new(
 .context("make_user_cert failed")?;
 // CA certifies user cert
- let user_certified = oca
- .secret()
- .sign_cert_emails(&user_key, Some(emails), duration_days)
- .context("sign_user_emails failed")?;
+ let user_certified =
+ sign_cert_emails(&oca, &user_key, Some(emails), duration_days)
+ .context("sign_user_emails failed")?;
 // User tsigns CA cert
 let ca_cert = oca.ca_get_cert_pub()?;
@@ -105,10 +106,9 @@ pub fn cert_import_new(
 }
 // Sign user cert with CA key (only the User IDs that have been specified)
- let certified = oca
- .secret()
- .sign_cert_emails(&user_cert, Some(emails), duration_days)
- .context("sign_cert_emails() failed")?;
+ let certified =
+ sign_cert_emails(&oca, &user_cert, Some(emails), duration_days)
+ .context("sign_cert_emails() failed")?;
 // use name from User IDs, if no name was passed
 let name = match name {
@@ -298,3 +298,45 @@ pub fn cert_check_tsig_on_ca(
 .any(|fp| fp == &user_cert.fingerprint())
 }))
 }
+
+/// CA certifies either all or a subset of User IDs of cert.
+///
+/// 'emails_filter' (if not None) specifies the subset of User IDs to
+/// certify.
+fn sign_cert_emails(
+ oca: &OpenpgpCa,
+ cert: &Cert,
+ emails_filter: Option<&[&str]>,
+ duration_days: Option<u64>,
+) -> Result<Cert> {
+ let fp_ca = oca.ca_get_cert_pub()?.fingerprint();
+
+ let mut uids = Vec::new();
+
+ for uid in cert.userids() {
+ // check if this uid already has a valid signature by ca_cert.
+ // if yes, don't add another one.
+ if !uid
+ .clone()
+ .with_policy(Pgp::SP, None)?
+ .certifications()
+ .any(|s| s.issuer_fingerprints().any(|fp| fp == &fp_ca))
+ {
+ let userid = uid.userid();
+ let uid_addr = userid
+ .email_normalized()?
+ .expect("email normalization failed");
+
+ // Certify this User ID if we
+ // a) have no filter-list, or
+ // b) if the User ID is specified in the filter-list.
+ if emails_filter.is_none()
+ || emails_filter.unwrap().contains(&uid_addr.as_str())
+ {
+ uids.push(userid);
+ }
+ }
+ }
+
+ oca.secret().sign_user_ids(cert, &uids, duration_days)
+}
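Review bot: The `.expect("email normalization failed")` after `.email_normalized()?` panics on a User ID that carries no email address, because `email_normalized()` reports that case as `Ok(None)` rather than as an error; the call site in `cert_import_new` (earlier hunk in this file) hands externally supplied certificates to this function, so a single name-only User ID aborts the whole import instead of being handled. The function was moved unchanged, so this is inherited rather than introduced here, but the move is a good moment to make the missing-address case explicit: with a filter such a User ID can never match and should be skipped, and without a filter the doc comment's "all User IDs" suggests it should be certified like the rest. The `emails_filter.is_none() || emails_filter.unwrap()` pair can be folded into the same match. A rewrite of the filter block follows; the already-certified check above it is unchanged.
```rust
            let userid = uid.userid();
            // email_normalized() yields None for a User ID without an email
            // address: it can never match a filter, and is certified only when
            // no filter was given.
            let certify = match (emails_filter, userid.email_normalized()?) {
                (None, _) => true,
                (Some(filter), Some(addr)) => filter.contains(&addr.as_str()),
                (Some(_), None) => false,
            };
            if certify {
                uids.push(userid);
            }
```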