diff options
author | Heiko <heiko@schaefer.name> | 2021-04-29 17:16:43 +0200 |
---|---|---|
committer | Heiko <heiko@schaefer.name> | 2021-04-29 17:16:43 +0200 |
commit | e0b6191821d7508b029bd0f4219e0ffe89b9e317 (patch) | |
tree | 97dfb6334844e6c41c5a2b60dd3b15b643fa3727 | |
parent | 457309d7909757aaef5d16160604137f016be676 (diff) | |
download | openpgp-ca-e0b6191821d7508b029bd0f4219e0ffe89b9e317.tar.gz |
Use a central Pgp::SP StandardPolicy instance everywhere.
-rw-r--r-- | src/ca_secret.rs | 7 | ||||
-rw-r--r-- | src/cert.rs | 7 | ||||
-rw-r--r-- | src/pgp.rs | 17 |
3 files changed, 12 insertions, 19 deletions
diff --git a/src/ca_secret.rs b/src/ca_secret.rs index feacbe0..8648c2c 100644 --- a/src/ca_secret.rs +++ b/src/ca_secret.rs @@ -14,7 +14,6 @@ use sequoia_openpgp::cert; use sequoia_openpgp::cert::amalgamation::ValidateAmalgamation; use sequoia_openpgp::cert::CertRevocationBuilder; use sequoia_openpgp::packet::{signature, Signature, UserID}; -use sequoia_openpgp::policy::StandardPolicy; use sequoia_openpgp::serialize::stream::Armorer; use sequoia_openpgp::serialize::stream::{Message, Signer}; use sequoia_openpgp::types::{ReasonForRevocation, SignatureType}; @@ -28,8 +27,6 @@ use std::io::Write; use std::path::PathBuf; use std::time::{Duration, SystemTime}; -const POLICY: &StandardPolicy = &StandardPolicy::new(); - /// Abstraction of operations that need private key material pub trait CaSec { /// Initialize OpenPGP CA Admin database entry. @@ -285,7 +282,7 @@ adversaries."#; let signing_keypair = ca_cert .keys() .secret() - .with_policy(&StandardPolicy::new(), None) + .with_policy(Pgp::SP, None) .supported() .alive() .revoked(false) @@ -331,7 +328,7 @@ adversaries."#; // if yes, don't add another one. if !uid .clone() - .with_policy(POLICY, None)? + .with_policy(Pgp::SP, None)? .certifications() .any(|s| s.issuer_fingerprints().any(|fp| fp == &fp_ca)) { diff --git a/src/cert.rs b/src/cert.rs index a2aecef..19f2fab 100644 --- a/src/cert.rs +++ b/src/cert.rs @@ -11,7 +11,6 @@ use crate::db::models; use crate::pgp::Pgp; use sequoia_openpgp::packet::{Signature, UserID}; -use sequoia_openpgp::policy::StandardPolicy; use anyhow::{Context, Result}; @@ -246,12 +245,10 @@ pub fn certs_expired( for db_cert in certs { let c = Pgp::armored_to_cert(&db_cert.pub_cert)?; - let p = StandardPolicy::new(); - // Notify only certs that are alive now, but not alive at // 'expiry_test'. - if c.with_policy(&p, None)?.alive().is_ok() - && c.with_policy(&p, expiry_test)?.alive().is_err() + if c.with_policy(Pgp::SP, None)?.alive().is_ok() + && c.with_policy(Pgp::SP, expiry_test)?.alive().is_err() { res.insert(db_cert, Pgp::get_expiry(&c)?); } @@ -30,13 +30,13 @@ use sha2::Digest; const CA_KEY_NOTATION: &str = "openpgp-ca@notations.sequoia-pgp.org"; -const POLICY: &StandardPolicy = &StandardPolicy::new(); - pub struct Pgp {} impl Pgp { pub const SECONDS_IN_DAY: u64 = 60 * 60 * 24; + pub const SP: &'static StandardPolicy<'static> = &StandardPolicy::new(); + fn diceware() -> String { // FIXME: configurable dictionaries, ... ? use chbs::passphrase; @@ -80,7 +80,7 @@ impl Pgp { let direct_key_sig = cert .primary_key() - .with_policy(POLICY, None)? + .with_policy(Self::SP, None)? .binding_signature(); let builder = signature::SignatureBuilder::from(direct_key_sig.clone()) @@ -240,14 +240,14 @@ impl Pgp { /// get expiration of cert as SystemTime pub fn get_expiry(cert: &Cert) -> Result<Option<SystemTime>> { - let primary = cert.primary_key().with_policy(POLICY, None)?; + let primary = cert.primary_key().with_policy(Self::SP, None)?; Ok(primary.key_expiration_time()) } /// Is cert (possibly) revoked? pub fn is_possibly_revoked(cert: &Cert) -> bool { RevocationStatus::NotAsFarAsWeKnow - != cert.revocation_status(POLICY, None) + != cert.revocation_status(Self::SP, None) } /// Normalize pretty-printed fingerprint strings (with spaces etc) @@ -347,7 +347,7 @@ impl Pgp { ) -> Vec<KeyPair> { let keys = cert .keys() - .with_policy(POLICY, None) + .with_policy(Self::SP, None) .alive() .revoked(false) .for_certification() @@ -412,11 +412,10 @@ impl Pgp { /// Get all third party sigs on User IDs in this Cert fn get_third_party_sigs(c: &Cert) -> Result<Vec<Signature>> { let mut res = Vec::new(); - let policy = StandardPolicy::new(); for uid in c.userids() { let sigs = - uid.with_policy(&policy, None)?.bundle().certifications(); + uid.with_policy(Self::SP, None)?.bundle().certifications(); sigs.iter().for_each(|s| res.push(s.clone())); } @@ -432,7 +431,7 @@ impl Pgp { ) -> Vec<Signature> { let certifier_keys: Vec<_> = certifier .keys() - .with_policy(POLICY, None) + .with_policy(Self::SP, None) .alive() .revoked(false) .for_certification() |