Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
use assert_cmd ::Command ;
use chrono ::Duration ;
use openpgp ::parse ::Parse ;
use openpgp ::types ::ReasonForRevocation ;
use openpgp ::types ::RevocationStatus ;
use openpgp ::types ::SignatureType ;
use openpgp ::Cert ;
use openpgp ::Packet ;
use openpgp ::PacketPile ;
use openpgp ::Result ;
use sequoia_openpgp as openpgp ;
mod common ;
use common ::compare_notations ;
use common ::sq_key_generate ;
use common ::STANDARD_POLICY ;
#[ test ]
fn sq_key_revoke ( ) -> Result < ( ) > {
let ( tmpdir , path , time ) = sq_key_generate ( None ) ? ;
let cert = Cert ::from_file ( & path ) ? ;
let valid_cert = cert . with_policy ( STANDARD_POLICY , Some ( time . into ( ) ) ) ? ;
let fingerprint = & valid_cert . clone ( ) . fingerprint ( ) ;
let message = " message " ;
// revoke for various reasons, with or without notations added, or with
// a revocation whose reference time is one hour after the creation of the
// certificate
for ( reason , reason_str , notations , revocation_time ) in [
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
None ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeyRetired , " retired " , None , None ) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeySuperseded , " superseded " , None , None ) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::Unspecified , " unspecified " , None , None ) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
] {
let revocation = & path . parent ( ) . unwrap ( ) . join ( format! (
" revocation_{}_{}_{}.rev " ,
reason_str ,
if notations . is_some ( ) {
" notations "
} else {
" no_notations "
} ,
if revocation_time . is_some ( ) {
" time "
} else {
" no_time "
}
) ) ;
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" key " ,
" revoke " ,
" --output " ,
& revocation . to_string_lossy ( ) ,
" --certificate-file " ,
& path . to_string_lossy ( ) ,
reason_str ,
message ,
] ) ;
if let Some ( notations ) = notations {
for ( k , v ) in notations {
cmd . args ( [ " --notation " , k , v ] ) ;
}
}
if let Some ( time ) = revocation_time {
cmd . args ( [
" --time " ,
& time . format ( " %Y-%m-%dT%H:%M:%SZ " ) . to_string ( ) ,
] ) ;
}
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
Emit partial TPKs as revocation certificates.
- When emitting revocation certificates, emit the revocation
signature with enough context so that it is a well-formed TPK,
i.e. include the primary key, the component to be revoked (if
revoking a user ID or subkey), and the revocation signature.
- Having a partial TPK instead of a bare revocation makes handling
it much easier, as it can be stored and transported like any
cert. It also gives the recipient of the certificate more
context, and simplifies merging it into a database of certs.
- Previously, there was a bug in sq where we would emit secret key
material when emitting revocation certificates. The reason for
that was that the certificate was first converted to a packet
stream, and then each packet serialized. In contrast, if a
Cert is serialized, no secrets are emitted unless the
programmer opts in. In a way, this is the more comprehensive fix
for the problem, as it leverages sequoia-openpgp's mechanisms to
protect secret key material.
- See #160.
2023-12-08 18:25:26 +03:00
// We should get the primary key and the revocation signature.
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let packet_pile = PacketPile ::from_file ( & revocation ) ? ;
assert_eq! (
packet_pile . children ( ) . count ( ) ,
Emit partial TPKs as revocation certificates.
- When emitting revocation certificates, emit the revocation
signature with enough context so that it is a well-formed TPK,
i.e. include the primary key, the component to be revoked (if
revoking a user ID or subkey), and the revocation signature.
- Having a partial TPK instead of a bare revocation makes handling
it much easier, as it can be stored and transported like any
cert. It also gives the recipient of the certificate more
context, and simplifies merging it into a database of certs.
- Previously, there was a bug in sq where we would emit secret key
material when emitting revocation certificates. The reason for
that was that the certificate was first converted to a packet
stream, and then each packet serialized. In contrast, if a
Cert is serialized, no secrets are emitted unless the
programmer opts in. In a way, this is the more comprehensive fix
for the problem, as it leverages sequoia-openpgp's mechanisms to
protect secret key material.
- See #160.
2023-12-08 18:25:26 +03:00
2 ,
" expected the primary key and the revocation signature "
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
) ;
Emit partial TPKs as revocation certificates.
- When emitting revocation certificates, emit the revocation
signature with enough context so that it is a well-formed TPK,
i.e. include the primary key, the component to be revoked (if
revoking a user ID or subkey), and the revocation signature.
- Having a partial TPK instead of a bare revocation makes handling
it much easier, as it can be stored and transported like any
cert. It also gives the recipient of the certificate more
context, and simplifies merging it into a database of certs.
- Previously, there was a bug in sq where we would emit secret key
material when emitting revocation certificates. The reason for
that was that the certificate was first converted to a packet
stream, and then each packet serialized. In contrast, if a
Cert is serialized, no secrets are emitted unless the
programmer opts in. In a way, this is the more comprehensive fix
for the problem, as it leverages sequoia-openpgp's mechanisms to
protect secret key material.
- See #160.
2023-12-08 18:25:26 +03:00
if let Some ( Packet ::Signature ( sig ) ) = packet_pile . path_ref ( & [ 1 ] ) {
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
// the issuer is the certificate owner
assert_eq! (
sig . get_issuers ( ) . into_iter ( ) . next ( ) ,
Some ( fingerprint . into ( ) )
) ;
let cert = Cert ::from_file ( & path ) ? ;
let revoked_cert = cert . insert_packets ( sig . clone ( ) ) . unwrap ( ) ;
let status = revoked_cert
. with_policy ( STANDARD_POLICY , revocation_time . map ( Into ::into ) )
. unwrap ( )
. revocation_status ( ) ;
println! ( " {:?} " , sig ) ;
println! ( " {:?} " , status ) ;
// Verify the revocation.
assert! ( matches! ( status , RevocationStatus ::Revoked ( _ ) ) ) ;
// it is a key revocation
assert_eq! ( sig . typ ( ) , SignatureType ::KeyRevocation ) ;
// our reason for revocation and message matches
assert_eq! (
sig . reason_for_revocation ( ) ,
Some ( ( reason , message . as_bytes ( ) ) )
) ;
// the notations of the revocation match the ones
// we passed in
compare_notations ( sig , notations ) ? ;
} else {
panic! ( " Expected a signature, got: {:?} " , packet_pile ) ;
}
}
tmpdir . close ( ) ? ;
Ok ( ( ) )
}
#[ test ]
fn sq_key_revoke_thirdparty ( ) -> Result < ( ) > {
let ( tmpdir , path , _ ) = sq_key_generate ( None ) ? ;
let cert = Cert ::from_file ( & path ) ? ;
let ( thirdparty_tmpdir , thirdparty_path , thirdparty_time ) =
sq_key_generate ( Some ( & [ " bob <bob@example.org " ] ) ) ? ;
let thirdparty_cert = Cert ::from_file ( & thirdparty_path ) ? ;
let thirdparty_valid_cert = thirdparty_cert
. with_policy ( STANDARD_POLICY , Some ( thirdparty_time . into ( ) ) ) ? ;
let thirdparty_fingerprint = & thirdparty_valid_cert . clone ( ) . fingerprint ( ) ;
let message = " message " ;
// revoke for various reasons, with or without notations added, or with
// a revocation whose reference time is one hour after the creation of the
// certificate
for ( reason , reason_str , notations , revocation_time ) in [
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
None ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeyRetired , " retired " , None , None ) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeySuperseded , " superseded " , None , None ) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::Unspecified , " unspecified " , None , None ) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
] {
let revocation = & path . parent ( ) . unwrap ( ) . join ( format! (
" revocation_{}_{}_{}.rev " ,
reason_str ,
if notations . is_some ( ) {
" notations "
} else {
" no_notations "
} ,
if revocation_time . is_some ( ) {
" time "
} else {
" no_time "
}
) ) ;
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --no-cert-store " ,
2024-01-18 20:09:59 +03:00
" --no-key-store " ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
" key " ,
" revoke " ,
" --output " ,
& revocation . to_string_lossy ( ) ,
" --certificate-file " ,
& path . to_string_lossy ( ) ,
" --revocation-file " ,
& thirdparty_path . to_string_lossy ( ) ,
reason_str ,
message ,
] ) ;
if let Some ( notations ) = notations {
for ( k , v ) in notations {
cmd . args ( [ " --notation " , k , v ] ) ;
}
}
if let Some ( time ) = revocation_time {
cmd . args ( [
" --time " ,
& time . format ( " %Y-%m-%dT%H:%M:%SZ " ) . to_string ( ) ,
] ) ;
}
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
// read revocation cert
let revocation_cert = Cert ::from_file ( & revocation ) ? ;
2023-12-11 13:10:18 +03:00
assert! ( ! revocation_cert . is_tsk ( ) ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
// evaluate revocation status
Emit partial TPKs as revocation certificates.
- When emitting revocation certificates, emit the revocation
signature with enough context so that it is a well-formed TPK,
i.e. include the primary key, the component to be revoked (if
revoking a user ID or subkey), and the revocation signature.
- Having a partial TPK instead of a bare revocation makes handling
it much easier, as it can be stored and transported like any
cert. It also gives the recipient of the certificate more
context, and simplifies merging it into a database of certs.
- Previously, there was a bug in sq where we would emit secret key
material when emitting revocation certificates. The reason for
that was that the certificate was first converted to a packet
stream, and then each packet serialized. In contrast, if a
Cert is serialized, no secrets are emitted unless the
programmer opts in. In a way, this is the more comprehensive fix
for the problem, as it leverages sequoia-openpgp's mechanisms to
protect secret key material.
- See #160.
2023-12-08 18:25:26 +03:00
let status = revocation_cert . revocation_status (
STANDARD_POLICY , revocation_time . map ( Into ::into ) ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
if let RevocationStatus ::CouldBe ( sigs ) = status {
// there is only one signature packet
assert_eq! ( sigs . len ( ) , 1 ) ;
let sig = sigs . into_iter ( ) . next ( ) . unwrap ( ) ;
// it is a key revocation
assert_eq! ( sig . typ ( ) , SignatureType ::KeyRevocation ) ;
// the issuer is a thirdparty revoker
assert_eq! (
sig . get_issuers ( ) . into_iter ( ) . next ( ) . as_ref ( ) ,
Some ( & thirdparty_fingerprint . clone ( ) . into ( ) )
) ;
// the revocation can be verified
if sig
. clone ( )
. verify_primary_key_revocation (
& thirdparty_cert . primary_key ( ) ,
& cert . primary_key ( ) ,
)
. is_err ( )
{
panic! ( " revocation is not valid " )
}
// our reason for revocation and message matches
assert_eq! (
sig . reason_for_revocation ( ) ,
Some ( ( reason , message . as_bytes ( ) ) )
) ;
// the notations of the revocation match the ones
// we passed in
compare_notations ( sig , notations ) ? ;
} else {
panic! ( " there are no signatures in {:?} " , status ) ;
}
}
tmpdir . close ( ) ? ;
thirdparty_tmpdir . close ( ) ? ;
Ok ( ( ) )
}