2023-04-25 22:12:07 +03:00
use assert_cmd ::Command ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
use chrono ::Duration ;
use openpgp ::packet ::Key ;
2023-04-25 22:12:07 +03:00
use openpgp ::parse ::Parse ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
use openpgp ::types ::ReasonForRevocation ;
use openpgp ::types ::RevocationStatus ;
use openpgp ::types ::SignatureType ;
2023-04-25 22:12:07 +03:00
use openpgp ::Cert ;
use openpgp ::Result ;
use sequoia_openpgp as openpgp ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
mod common ;
use common ::compare_notations ;
use common ::sq_key_generate ;
use common ::STANDARD_POLICY ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
#[ test ]
fn sq_key_subkey_generate_authentication_subkey ( ) -> Result < ( ) > {
let ( tmpdir , path , _ ) = sq_key_generate ( None ) . unwrap ( ) ;
let output = path . parent ( ) . unwrap ( ) . join ( " new_key.pgp " ) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" key " ,
" subkey " ,
" add " ,
" --output " ,
& output . to_string_lossy ( ) ,
" --can-authenticate " ,
& path . to_string_lossy ( ) ,
] ) ;
cmd . assert ( ) . success ( ) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let cert = Cert ::from_file ( & output ) ? ;
let valid_cert = cert . with_policy ( STANDARD_POLICY , None ) ? ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
assert_eq! (
valid_cert . keys ( ) . filter ( | x | x . for_authentication ( ) ) . count ( ) ,
2
) ;
tmpdir . close ( ) ? ;
Ok ( ( ) )
}
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
#[ test ]
fn sq_key_subkey_generate_encryption_subkey ( ) -> Result < ( ) > {
let ( tmpdir , path , _ ) = sq_key_generate ( None ) . unwrap ( ) ;
let output = path . parent ( ) . unwrap ( ) . join ( " new_key.pgp " ) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" key " ,
" subkey " ,
" add " ,
" --output " ,
& output . to_string_lossy ( ) ,
" --can-encrypt=universal " ,
& path . to_string_lossy ( ) ,
] ) ;
cmd . assert ( ) . success ( ) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let cert = Cert ::from_file ( & output ) ? ;
let valid_cert = cert . with_policy ( STANDARD_POLICY , None ) ? ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
assert_eq! (
valid_cert
. keys ( )
. filter ( | x | x . for_storage_encryption ( ) )
. count ( ) ,
2
) ;
assert_eq! (
valid_cert
. keys ( )
. filter ( | x | x . for_transport_encryption ( ) )
. count ( ) ,
2
) ;
tmpdir . close ( ) ? ;
Ok ( ( ) )
}
#[ test ]
fn sq_key_subkey_generate_signing_subkey ( ) -> Result < ( ) > {
let ( tmpdir , path , _ ) = sq_key_generate ( None ) . unwrap ( ) ;
let output = path . parent ( ) . unwrap ( ) . join ( " new_key.pgp " ) ;
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" key " ,
" subkey " ,
" add " ,
" --output " ,
& output . to_string_lossy ( ) ,
" --can-sign " ,
& path . to_string_lossy ( ) ,
] ) ;
cmd . assert ( ) . success ( ) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let cert = Cert ::from_file ( & output ) ? ;
let valid_cert = cert . with_policy ( STANDARD_POLICY , None ) ? ;
assert_eq! ( valid_cert . keys ( ) . filter ( | x | x . for_signing ( ) ) . count ( ) , 2 ) ;
tmpdir . close ( ) ? ;
Ok ( ( ) )
}
#[ test ]
fn sq_key_subkey_revoke ( ) -> Result < ( ) > {
let ( tmpdir , path , time ) = sq_key_generate ( None ) ? ;
let cert = Cert ::from_file ( & path ) ? ;
let valid_cert = cert . with_policy ( STANDARD_POLICY , Some ( time . into ( ) ) ) ? ;
let fingerprint = valid_cert . clone ( ) . fingerprint ( ) ;
let subkey : Key < _ , _ > = valid_cert
. with_policy ( STANDARD_POLICY , Some ( time . into ( ) ) )
. unwrap ( )
. keys ( )
. subkeys ( )
. nth ( 0 )
. unwrap ( )
. key ( )
. clone ( ) ;
let subkey_fingerprint = subkey . fingerprint ( ) ;
let message = " message " ;
// revoke for various reasons, with or without notations added, or with
// a revocation whose reference time is one hour after the creation of the
// certificate
for ( reason , reason_str , notations , revocation_time ) in [
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
None ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeyRetired , " retired " , None , None ) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeySuperseded , " superseded " , None , None ) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::Unspecified , " unspecified " , None , None ) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
] {
let revocation = & path . parent ( ) . unwrap ( ) . join ( format! (
" revocation_{}_{}_{}.rev " ,
reason_str ,
if notations . is_some ( ) {
" notations "
} else {
" no_notations "
} ,
if revocation_time . is_some ( ) {
" time "
} else {
" no_time "
}
) ) ;
2023-04-25 22:12:07 +03:00
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
2023-04-25 22:12:07 +03:00
" key " ,
" subkey " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" revoke " ,
2023-04-25 22:12:07 +03:00
" --output " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
& revocation . to_string_lossy ( ) ,
" --certificate-file " ,
2023-04-25 22:12:07 +03:00
& path . to_string_lossy ( ) ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
& subkey_fingerprint . to_string ( ) ,
reason_str ,
message ,
2023-04-25 22:12:07 +03:00
] ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
if let Some ( notations ) = notations {
for ( k , v ) in notations {
cmd . args ( [ " --notation " , k , v ] ) ;
}
}
if let Some ( time ) = revocation_time {
cmd . args ( [
" --time " ,
& time . format ( " %Y-%m-%dT%H:%M:%SZ " ) . to_string ( ) ,
] ) ;
}
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! ( " sq exited with non-zero status code: {:?} " , output . stderr ) ;
}
// whether we found a revocation signature
let mut found_revoked = false ;
// read revocation cert
Emit partial TPKs as revocation certificates.
- When emitting revocation certificates, emit the revocation
signature with enough context so that it is a well-formed TPK,
i.e. include the primary key, the component to be revoked (if
revoking a user ID or subkey), and the revocation signature.
- Having a partial TPK instead of a bare revocation makes handling
it much easier, as it can be stored and transported like any
cert. It also gives the recipient of the certificate more
context, and simplifies merging it into a database of certs.
- Previously, there was a bug in sq where we would emit secret key
material when emitting revocation certificates. The reason for
that was that the certificate was first converted to a packet
stream, and then each packet serialized. In contrast, if a
Cert is serialized, no secrets are emitted unless the
programmer opts in. In a way, this is the more comprehensive fix
for the problem, as it leverages sequoia-openpgp's mechanisms to
protect secret key material.
- See #160.
2023-12-08 18:25:26 +03:00
let rev = Cert ::from_file ( & revocation ) ? ;
assert! ( ! rev . is_tsk ( ) ) ;
// and merge it into the certificate.
let cert = cert . clone ( ) . merge_public ( rev ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let valid_cert =
cert . with_policy ( STANDARD_POLICY , revocation_time . map ( Into ::into ) ) ? ;
valid_cert
. with_policy ( STANDARD_POLICY , revocation_time . map ( Into ::into ) )
. unwrap ( )
. keys ( )
. subkeys ( )
. for_each ( | x | {
if x . fingerprint ( ) = = subkey_fingerprint {
let status = x . revocation_status (
STANDARD_POLICY ,
revocation_time . map ( Into ::into ) ,
) ;
// the subkey is revoked
assert! ( matches! ( status , RevocationStatus ::Revoked ( _ ) ) ) ;
if let RevocationStatus ::Revoked ( sigs ) = status {
// there is only one signature packet
assert_eq! ( sigs . len ( ) , 1 ) ;
let sig = sigs . into_iter ( ) . next ( ) . unwrap ( ) ;
// it is a subkey revocation
assert_eq! ( sig . typ ( ) , SignatureType ::SubkeyRevocation ) ;
// the issuer is the certificate owner
assert_eq! (
sig . get_issuers ( ) . into_iter ( ) . next ( ) . as_ref ( ) ,
Some ( & fingerprint . clone ( ) . into ( ) )
) ;
// our reason for revocation and message matches
assert_eq! (
sig . reason_for_revocation ( ) ,
Some ( ( reason , message . as_bytes ( ) ) )
) ;
// the notations of the revocation match the ones
// we passed in
assert! ( compare_notations ( sig , notations ) . is_ok ( ) ) ;
found_revoked = true ;
}
}
} ) ;
if ! found_revoked {
panic! ( " the revoked subkey is not found in the revocation cert " ) ;
}
2023-04-25 22:12:07 +03:00
}
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
tmpdir . close ( ) ? ;
Ok ( ( ) )
}
#[ test ]
fn sq_key_subkey_revoke_thirdparty ( ) -> Result < ( ) > {
let ( tmpdir , path , time ) = sq_key_generate ( None ) ? ;
let ( thirdparty_tmpdir , thirdparty_path , thirdparty_time ) =
2024-04-09 13:05:34 +03:00
sq_key_generate ( Some ( & [ " bob <bob@example.org> " ] ) ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let cert = Cert ::from_file ( & path ) ? ;
let valid_cert = cert . with_policy ( STANDARD_POLICY , Some ( time . into ( ) ) ) ? ;
let subkey : Key < _ , _ > = valid_cert
. with_policy ( STANDARD_POLICY , Some ( time . into ( ) ) )
. unwrap ( )
. keys ( )
. subkeys ( )
. nth ( 0 )
. unwrap ( )
. key ( )
. clone ( ) ;
let subkey_fingerprint = subkey . fingerprint ( ) ;
let thirdparty_cert = Cert ::from_file ( & thirdparty_path ) ? ;
let thirdparty_valid_cert = thirdparty_cert
. with_policy ( STANDARD_POLICY , Some ( thirdparty_time . into ( ) ) ) ? ;
let thirdparty_fingerprint = thirdparty_valid_cert . clone ( ) . fingerprint ( ) ;
let message = " message " ;
// revoke for various reasons, with or without notations added, or with
// a revocation whose reference time is one hour after the creation of the
// certificate
for ( reason , reason_str , notations , revocation_time ) in [
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
None ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeyRetired , " retired " , None , None ) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeySuperseded , " superseded " , None , None ) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::Unspecified , " unspecified " , None , None ) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
] {
let revocation = & path . parent ( ) . unwrap ( ) . join ( format! (
" revocation_{}_{}_{}.rev " ,
reason_str ,
if notations . is_some ( ) {
" notations "
} else {
" no_notations "
} ,
if revocation_time . is_some ( ) {
" time "
} else {
" no_time "
}
) ) ;
2023-04-25 22:12:07 +03:00
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
2023-04-25 22:12:07 +03:00
" key " ,
" subkey " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" revoke " ,
2023-04-25 22:12:07 +03:00
" --output " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
& revocation . to_string_lossy ( ) ,
" --certificate-file " ,
2023-04-25 22:12:07 +03:00
& path . to_string_lossy ( ) ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" --revocation-file " ,
& thirdparty_path . to_string_lossy ( ) ,
& subkey_fingerprint . to_string ( ) ,
reason_str ,
message ,
2023-04-25 22:12:07 +03:00
] ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
if let Some ( notations ) = notations {
for ( k , v ) in notations {
cmd . args ( [ " --notation " , k , v ] ) ;
}
}
if let Some ( time ) = revocation_time {
cmd . args ( [
" --time " ,
& time . format ( " %Y-%m-%dT%H:%M:%SZ " ) . to_string ( ) ,
] ) ;
}
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! ( " sq exited with non-zero status code: {:?} " , output . stderr ) ;
}
// whether we found a revocation signature
let mut found_revoked = false ;
// read revocation cert
Emit partial TPKs as revocation certificates.
- When emitting revocation certificates, emit the revocation
signature with enough context so that it is a well-formed TPK,
i.e. include the primary key, the component to be revoked (if
revoking a user ID or subkey), and the revocation signature.
- Having a partial TPK instead of a bare revocation makes handling
it much easier, as it can be stored and transported like any
cert. It also gives the recipient of the certificate more
context, and simplifies merging it into a database of certs.
- Previously, there was a bug in sq where we would emit secret key
material when emitting revocation certificates. The reason for
that was that the certificate was first converted to a packet
stream, and then each packet serialized. In contrast, if a
Cert is serialized, no secrets are emitted unless the
programmer opts in. In a way, this is the more comprehensive fix
for the problem, as it leverages sequoia-openpgp's mechanisms to
protect secret key material.
- See #160.
2023-12-08 18:25:26 +03:00
let rev = Cert ::from_file ( & revocation ) ? ;
assert! ( ! rev . is_tsk ( ) ) ;
// and merge it into the certificate.
let cert = cert . clone ( ) . merge_public ( rev ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let valid_cert =
cert . with_policy ( STANDARD_POLICY , revocation_time . map ( Into ::into ) ) ? ;
assert_eq! ( valid_cert . userids ( ) . count ( ) , 1 ) ;
valid_cert
. with_policy ( STANDARD_POLICY , revocation_time . map ( Into ::into ) )
. unwrap ( )
. keys ( )
. subkeys ( )
. for_each ( | x | {
if x . fingerprint ( ) = = subkey_fingerprint {
if let RevocationStatus ::CouldBe ( sigs ) = x
. revocation_status (
STANDARD_POLICY ,
revocation_time . map ( Into ::into ) ,
)
{
// there is only one signature packet
assert_eq! ( sigs . len ( ) , 1 ) ;
let sig = sigs . into_iter ( ) . next ( ) . unwrap ( ) ;
// it is a subkey revocation
assert_eq! ( sig . typ ( ) , SignatureType ::SubkeyRevocation ) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
// the issuer is a thirdparty revoker
assert_eq! (
sig . get_issuers ( ) . into_iter ( ) . next ( ) . as_ref ( ) ,
Some ( & thirdparty_fingerprint . clone ( ) . into ( ) )
) ;
2023-04-25 22:12:07 +03:00
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
// the revocation can be verified
if sig
. clone ( )
. verify_subkey_revocation (
& thirdparty_cert . primary_key ( ) ,
& cert . primary_key ( ) ,
& subkey ,
)
. is_err ( )
{
panic! ( " revocation is not valid " )
}
// our reason for revocation and message matches
assert_eq! (
sig . reason_for_revocation ( ) ,
Some ( ( reason , message . as_bytes ( ) ) )
) ;
// the notations of the revocation match the ones
// we passed in
assert! ( compare_notations ( sig , notations ) . is_ok ( ) ) ;
found_revoked = true ;
} else {
panic! ( " there are no signatures in {:?} " , x ) ;
}
}
} ) ;
if ! found_revoked {
panic! ( " the revoked subkey is not found in the revocation cert " ) ;
}
2023-04-25 22:12:07 +03:00
}
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
tmpdir . close ( ) ? ;
thirdparty_tmpdir . close ( ) ? ;
Ok ( ( ) )
2023-04-25 22:12:07 +03:00
}
