Use a central Pgp::SP StandardPolicy instance everywhere.

author: Heiko <heiko@schaefer.name> 2021-04-29 17:16:43 +0200
committer: Heiko <heiko@schaefer.name> 2021-04-29 17:16:43 +0200
commit: e0b6191821d7508b029bd0f4219e0ffe89b9e317 (patch)
tree: 97dfb6334844e6c41c5a2b60dd3b15b643fa3727
parent: 457309d7909757aaef5d16160604137f016be676 (diff)
download: openpgp-ca-e0b6191821d7508b029bd0f4219e0ffe89b9e317.tar.gz
3 files changed, 12 insertions, 19 deletions
diff --git a/src/ca_secret.rs b/src/ca_secret.rs
index feacbe0..8648c2c 100644
--- a/src/ca_secret.rs
+++ b/src/ca_secret.rs
@@ -14,7 +14,6 @@ use sequoia_openpgp::cert;
 use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation;
 use sequoia_openpgp::cert::CertRevocationBuilder;
 use sequoia_openpgp::packet::{signature, Signature, UserID};
-use sequoia_openpgp::policy::StandardPolicy;
 use sequoia_openpgp::serialize::stream::Armorer;
 use sequoia_openpgp::serialize::stream::{Message, Signer};
 use sequoia_openpgp::types::{ReasonForRevocation, SignatureType};
@@ -28,8 +27,6 @@ use std::io::Write;
 use std::path::PathBuf;
 use std::time::{Duration, SystemTime};
 
-const POLICY: &StandardPolicy = &StandardPolicy::new();
-
 /// Abstraction of operations that need private key material
 pub trait CaSec {
     /// Initialize OpenPGP CA Admin database entry.
@@ -285,7 +282,7 @@ adversaries."#;
         let signing_keypair = ca_cert
             .keys()
             .secret()
-            .with_policy(&StandardPolicy::new(), None)
+            .with_policy(Pgp::SP, None)
             .supported()
             .alive()
             .revoked(false)
@@ -331,7 +328,7 @@ adversaries."#;
             // if yes, don't add another one.
             if !uid
                 .clone()
-                .with_policy(POLICY, None)?
+                .with_policy(Pgp::SP, None)?
                 .certifications()
                 .any(|s| s.issuer_fingerprints().any(|fp| fp == &fp_ca))
             {
diff --git a/src/cert.rs b/src/cert.rs
index a2aecef..19f2fab 100644
--- a/src/cert.rs
+++ b/src/cert.rs
@@ -11,7 +11,6 @@ use crate::db::models;
 use crate::pgp::Pgp;
 
 use sequoia_openpgp::packet::{Signature, UserID};
-use sequoia_openpgp::policy::StandardPolicy;
 
 use anyhow::{Context, Result};
 
@@ -246,12 +245,10 @@ pub fn certs_expired(
     for db_cert in certs {
         let c = Pgp::armored_to_cert(&db_cert.pub_cert)?;
 
-        let p = StandardPolicy::new();
-
         // Notify only certs that are alive now, but not alive at
         // 'expiry_test'.
-        if c.with_policy(&p, None)?.alive().is_ok()
-            && c.with_policy(&p, expiry_test)?.alive().is_err()
+        if c.with_policy(Pgp::SP, None)?.alive().is_ok()
+            && c.with_policy(Pgp::SP, expiry_test)?.alive().is_err()
         {
             res.insert(db_cert, Pgp::get_expiry(&c)?);
         }
diff --git a/src/pgp.rs b/src/pgp.rs
index d1a30d8..517ffb7 100644
--- a/src/pgp.rs
+++ b/src/pgp.rs
@@ -30,13 +30,13 @@ use sha2::Digest;
 
 const CA_KEY_NOTATION: &str = "openpgp-ca@notations.sequoia-pgp.org";
 
-const POLICY: &StandardPolicy = &StandardPolicy::new();
-
 pub struct Pgp {}
 
 impl Pgp {
     pub const SECONDS_IN_DAY: u64 = 60 * 60 * 24;
 
+    pub const SP: &'static StandardPolicy<'static> = &StandardPolicy::new();
+
     fn diceware() -> String {
         // FIXME: configurable dictionaries, ... ?
         use chbs::passphrase;
@@ -80,7 +80,7 @@ impl Pgp {
 
         let direct_key_sig = cert
             .primary_key()
-            .with_policy(POLICY, None)?
+            .with_policy(Self::SP, None)?
             .binding_signature();
         let builder =
             signature::SignatureBuilder::from(direct_key_sig.clone())
@@ -240,14 +240,14 @@ impl Pgp {
 
     /// get expiration of cert as SystemTime
     pub fn get_expiry(cert: &Cert) -> Result<Option<SystemTime>> {
-        let primary = cert.primary_key().with_policy(POLICY, None)?;
+        let primary = cert.primary_key().with_policy(Self::SP, None)?;
         Ok(primary.key_expiration_time())
     }
 
     /// Is cert (possibly) revoked?
     pub fn is_possibly_revoked(cert: &Cert) -> bool {
         RevocationStatus::NotAsFarAsWeKnow
-            != cert.revocation_status(POLICY, None)
+            != cert.revocation_status(Self::SP, None)
     }
 
     /// Normalize pretty-printed fingerprint strings (with spaces etc)
@@ -347,7 +347,7 @@ impl Pgp {
     ) -> Vec<KeyPair> {
         let keys = cert
             .keys()
-            .with_policy(POLICY, None)
+            .with_policy(Self::SP, None)
             .alive()
             .revoked(false)
             .for_certification()
@@ -412,11 +412,10 @@ impl Pgp {
     /// Get all third party sigs on User IDs in this Cert
     fn get_third_party_sigs(c: &Cert) -> Result<Vec<Signature>> {
         let mut res = Vec::new();
-        let policy = StandardPolicy::new();
 
         for uid in c.userids() {
             let sigs =
-                uid.with_policy(&policy, None)?.bundle().certifications();
+                uid.with_policy(Self::SP, None)?.bundle().certifications();
             sigs.iter().for_each(|s| res.push(s.clone()));
         }
 
@@ -432,7 +431,7 @@ impl Pgp {
     ) -> Vec<Signature> {
         let certifier_keys: Vec<_> = certifier
             .keys()
-            .with_policy(POLICY, None)
+            .with_policy(Self::SP, None)
             .alive()
             .revoked(false)
             .for_certification()
author	Heiko <heiko@schaefer.name>	2021-04-29 17:16:43 +0200
committer	Heiko <heiko@schaefer.name>	2021-04-29 17:16:43 +0200
commit	e0b6191821d7508b029bd0f4219e0ffe89b9e317 (patch)
tree	97dfb6334844e6c41c5a2b60dd3b15b643fa3727
parent	457309d7909757aaef5d16160604137f016be676 (diff)
download	openpgp-ca-e0b6191821d7508b029bd0f4219e0ffe89b9e317.tar.gz