sequoia-sq/tests/integration/sq_key_expire.rs

use std::time::Duration;

use sequoia_openpgp as openpgp;
use openpgp::parse::Parse;
use openpgp::Cert;
use openpgp::cert::amalgamation::ValidAmalgamation;
use openpgp::Result;
use openpgp::types::RevocationStatus;

use super::common::STANDARD_POLICY;
use super::common::Sq;
use super::common::time_as_string;
use super::common::UserIDArg;

#[test]
fn sq_key_expire() -> Result<()> {
    for keystore in [false, true] {
        let mut sq = Sq::new();

        let (cert, cert_path, _rev_path)
            = sq.key_generate(&[], &["alice <alice@example.org>"]);
        let fpr = cert.fingerprint().to_string();

        // Two days go by.
        sq.tick(2 * 24 * 60 * 60);

        let updated_path = sq.scratch_file("updated.pgp");
        let updated2_path = sq.scratch_file("updated2.pgp");

        if keystore {
            sq.key_import(&cert_path);
        }

        // Change the key to expire in one day.
        let mut cmd = sq.command();
        cmd.args(["key", "expire", "--expiration", "1d"]);
        if keystore {
            cmd.args(["--cert", &fpr ]);
        } else {
            cmd
                .arg("--overwrite")
                .arg("--cert-file").arg(&cert_path)
                .arg("--output").arg(&updated_path);
        }
        sq.run(cmd, true);

        let updated = if keystore {
            eprintln!("Updated certificate to expire in one day:\n{}",
                      sq.inspect(cert.key_handle()));

            sq.cert_export(cert.key_handle())
        } else {
            eprintln!("Updated certificate to expire in one day:\n{}",
                      sq.inspect(&updated_path));

            Cert::from_file(&updated_path).expect("valid cert")
        };

        // It should be alive now.
        let vc = updated.with_policy(STANDARD_POLICY, sq.now()).expect("valid");
        assert!(matches!(vc.alive(), Ok(())));

        // It should be alive in 1 day minus 1 second.
        let t = sq.now() + Duration::new(24 * 60 * 60 - 1, 0);
        eprintln!("Checking expiration status at {}", time_as_string(t.into()));
        let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");
        assert!(matches!(vc.alive(), Ok(())));

        // But in exactly one day, it should be expired.
        let t = sq.now() + Duration::new(24 * 60 * 60, 0);
        eprintln!("Checking expiration status at {}", time_as_string(t.into()));
        let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");
        assert!(matches!(vc.alive(), Err(_)));

        // 12 hours go by.  Clear the expiration time.
        sq.tick(12 * 60 * 60);

        let mut cmd = sq.command();
        cmd.args([ "key", "expire", "--expiration", "never" ]);
        if keystore {
            cmd.args([ "--cert", &fpr ]);
        } else {
            cmd.args([
                "--cert-file", &updated_path.to_string_lossy(),
                "--output", &updated2_path.to_string_lossy(),
            ]);
        }
        sq.run(cmd, true);

        let updated = if keystore {
            eprintln!("Updated certificate to expire in one day:\n{}",
                      sq.inspect(cert.key_handle()));

            sq.cert_export(cert.key_handle())
        } else {
            eprintln!("Updated certificate to expire in one day:\n{}",
                      sq.inspect(&updated2_path));

            Cert::from_file(&updated2_path).expect("valid cert")
        };

        // It should be alive now.
        let vc = updated.with_policy(STANDARD_POLICY, None)
            .expect("valid");
        assert!(matches!(vc.alive(), Ok(())));

        // It should be alive in 1 day minus 1 second.
        let vc = updated.with_policy(
            STANDARD_POLICY,
            sq.now() + Duration::new(24 * 60 * 60 - 1, 0))
            .expect("valid");
        assert!(matches!(vc.alive(), Ok(())));

        // And in exactly one day...
        let vc = updated.with_policy(
            STANDARD_POLICY,
            sq.now() + Duration::new(24 * 60 * 60, 0))
            .expect("valid");
        assert!(matches!(vc.alive(), Ok(())));
    }

    Ok(())
}

/// Tests changing the expiration time of a key without direct key
/// signature.
///
/// These kind of keys are generated by GnuPG.
#[test]
fn sq_key_expire_no_direct_key_sig() -> Result<()> {
    use openpgp::{
        packet::{Any, Signature},
        serialize::Serialize,
        types::SignatureType,
    };

    let mut sq = Sq::new();
    let (cert, _cert_path, _rev_path)
        = sq.key_generate(&[], &[UserIDArg::Email("alice@example.org")]);
    let fipr = cert.fingerprint().to_string();


    // Strip the direct key signature.
    let mut p = cert.as_tsk().into_packets().collect::<Vec<_>>();
    p.retain(|p| Any::<Signature>::downcast_ref(p)
             .map(|sig| sig.typ() != SignatureType::DirectKey)
             .unwrap_or(true));
    let cert = Cert::from_packets(p.into_iter())?;

    // Two days go by.
    sq.tick(2 * 24 * 60 * 60);

    let cert_path = sq.scratch_file("updated.pgp");
    cert.as_tsk().serialize(&mut std::fs::File::create(&cert_path)?)?;
    sq.key_import(&cert_path);

    // Change the key to expire in one day.
    let mut cmd = sq.command();
    cmd.args(["key", "expire", "--expiration", "1d", "--cert", &fipr]);
    sq.run(cmd, true);

    eprintln!("Updated certificate to expire in one day:\n{}",
              sq.inspect(cert.key_handle()));
    let updated = sq.cert_export(cert.key_handle());

    // It should be alive now.
    let vc = updated.with_policy(STANDARD_POLICY, sq.now()).expect("valid");
    assert!(matches!(vc.alive(), Ok(())));

    // It should be alive in 1 day minus 1 second.
    let t = sq.now() + Duration::new(24 * 60 * 60 - 1, 0);
    eprintln!("Checking expiration status at {}", time_as_string(t.into()));
    let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");
    assert!(matches!(vc.alive(), Ok(())));

    // But in exactly one day, it should be expired.
    let t = sq.now() + Duration::new(24 * 60 * 60, 0);
    eprintln!("Checking expiration status at {}", time_as_string(t.into()));
    let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");
    assert!(matches!(vc.alive(), Err(_)));

    // 12 hours go by.  Clear the expiration time.
    sq.tick(12 * 60 * 60);

    let mut cmd = sq.command();
    cmd.args(["key", "expire", "--expiration", "never", "--cert", &fipr]);
    sq.run(cmd, true);

    eprintln!("Updated certificate to expire in one day:\n{}",
              sq.inspect(cert.key_handle()));
    let updated = sq.cert_export(cert.key_handle());

    // It should be alive now.
    let vc = updated.with_policy(STANDARD_POLICY, None)
        .expect("valid");
    assert!(matches!(vc.alive(), Ok(())));

    // It should be alive in 1 day minus 1 second.
    let vc = updated.with_policy(
        STANDARD_POLICY,
        sq.now() + Duration::new(24 * 60 * 60 - 1, 0))
        .expect("valid");
    assert!(matches!(vc.alive(), Ok(())));

    // And in exactly one day...
    let vc = updated.with_policy(
        STANDARD_POLICY,
        sq.now() + Duration::new(24 * 60 * 60, 0))
        .expect("valid");
    assert!(matches!(vc.alive(), Ok(())));

    Ok(())
}

#[test]
fn unbound_userid() {
    // Make sure we can extend the expiration time of a certificate
    // that includes an unbound user ID (i.e., a user ID without a
    // self signature).

    let sq = Sq::new();

    let cert_path = sq.test_data()
        .join("keys")
        .join("unbound-userid.pgp");

    let cert = Cert::from_file(&cert_path).expect("can read");
    let vc = cert.with_policy(STANDARD_POLICY, sq.now())
        .expect("valid cert");
    // It shouldn't be expired yet.
    assert!(vc.primary_key().key_expiration_time().is_none());

    // Set it to expire in a day.
    let updated_path = sq.scratch_file("updated");
    let updated = sq.key_expire(cert_path,
                                "1d",
                                None,
                                updated_path.as_path(),
                                true)
        .expect("sq key expire should succeed");

    let vc = updated.with_policy(STANDARD_POLICY, sq.now())
        .expect("valid cert");
    let expiration = vc.primary_key().key_expiration_time();
    assert_eq!(expiration,
               Some(sq.now() + std::time::Duration::new(24 * 60 * 60, 0)));
}


#[test]
fn revoked_userid() {
    // Make sure we can extend the expiration time of a certificate
    // that includes a revoked user ID (i.e., a user ID without a self
    // signature), and make sure we DON'T make the user ID valid.

    let sq = Sq::new();

    let cert_path = sq.test_data()
        .join("keys")
        .join("retired-userid.pgp");

    let cert = Cert::from_file(&cert_path).expect("can read");
    let vc = cert.with_policy(STANDARD_POLICY, sq.now())
        .expect("valid cert");
    // It shouldn't be expired yet.
    assert!(vc.primary_key().key_expiration_time().is_none());

    let ua = vc.userids().next().expect("have a user ID");
    if let RevocationStatus::Revoked(_) = ua.revocation_status() {
    } else {
        panic!("User ID should be revoked, but isn't.");
    };

    // Set it to expire in a day.
    let updated_path = sq.scratch_file("updated");
    let updated = sq.key_expire(cert_path,
                                "1d",
                                None,
                                updated_path.as_path(),
                                true)
        .expect("sq key expire should succeed");

    let vc = updated.with_policy(STANDARD_POLICY, sq.now())
        .expect("valid cert");
    let expiration = vc.primary_key().key_expiration_time();
    assert_eq!(expiration,
               Some(sq.now() + std::time::Duration::new(24 * 60 * 60, 0)));

    let ua = vc.userids().next().expect("have a user ID");
    if let RevocationStatus::Revoked(_) = ua.revocation_status() {
    } else {
        panic!("User ID should be revoked, but isn't.");
    };
}
Add a test for sq key expire. 2024-05-30 21:47:52 +03:00			`use std::time::Duration;`

Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update each user ID's self signature. If a user ID is revoked, creating a new self signature will "unrevoke it." - Skip user IDs that are revoked. 2024-10-07 14:27:16 +03:00			`use sequoia_openpgp as openpgp;`
Add a test for sq key expire. 2024-05-30 21:47:52 +03:00			`use openpgp::parse::Parse;`
			`use openpgp::Cert;`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update each user ID's self signature. If a user ID is revoked, creating a new self signature will "unrevoke it." - Skip user IDs that are revoked. 2024-10-07 14:27:16 +03:00			`use openpgp::cert::amalgamation::ValidAmalgamation;`
Add a test for sq key expire. 2024-05-30 21:47:52 +03:00			`use openpgp::Result;`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update each user ID's self signature. If a user ID is revoked, creating a new self signature will "unrevoke it." - Skip user IDs that are revoked. 2024-10-07 14:27:16 +03:00			`use openpgp::types::RevocationStatus;`
Add a test for sq key expire. 2024-05-30 21:47:52 +03:00
Consolidate all integration tests. - This way they only have to be compiled once, and can all be run concurrently. 2024-08-15 14:38:43 +03:00			`use super::common::STANDARD_POLICY;`
			`use super::common::Sq;`
			`use super::common::time_as_string;`
tests: Abstract user ID argument passing. - Add a new type, `UserIDArg`, which represents a user ID argument. - Change functions that take user IDs like `Sq::key_generate` to use it. 2024-11-13 11:20:18 +03:00			`use super::common::UserIDArg;`
Add a test for sq key expire. 2024-05-30 21:47:52 +03:00
			`#[test]`
			`fn sq_key_expire() -> Result<()> {`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00			`for keystore in [false, true] {`
tests: Dry out the test framework. - Replace uses of `sq_key_generate` with `Sq::key_generate`, and remove `sq_key_generate`. 2024-07-20 23:05:03 +03:00			`let mut sq = Sq::new();`

			`let (cert, cert_path, _rev_path)`
			`= sq.key_generate(&[], &["alice <alice@example.org>"]);`
			`let fpr = cert.fingerprint().to_string();`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00
			`// Two days go by.`
			`sq.tick(2 * 24 * 60 * 60);`

tests: Dry out the test framework. - Replace uses of `sq_key_generate` with `Sq::key_generate`, and remove `sq_key_generate`. 2024-07-20 23:05:03 +03:00			`let updated_path = sq.scratch_file("updated.pgp");`
			`let updated2_path = sq.scratch_file("updated2.pgp");`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00
			`if keystore {`
			`sq.key_import(&cert_path);`
			`}`

			`// Change the key to expire in one day.`
			`let mut cmd = sq.command();`
Make sq key expire's expiration argument a named argument. - `sq key expire`'s expiration argument is a positional argument. Change it to a named argument. - See #318. 2024-10-29 10:57:18 +03:00			`cmd.args(["key", "expire", "--expiration", "1d"]);`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00			`if keystore {`
			`cmd.args(["--cert", &fpr ]);`
			`} else {`
tests: Dry out the test framework. - Replace uses of `sq_key_generate` with `Sq::key_generate`, and remove `sq_key_generate`. 2024-07-20 23:05:03 +03:00			`cmd`
Rename the global `--force` flag to `--overwrite`. - This flag now only controls whether existing files are overwritten. - Fixes #31. 2024-10-02 19:42:31 +03:00			`.arg("--overwrite")`
Use `--cert-` prefix for all cert designators. - Resolves a conflict with the user ID designators, and makes the interface more consistent. - Fixes #385. 2024-11-18 16:57:09 +03:00			`.arg("--cert-file").arg(&cert_path)`
tests: Dry out the test framework. - Replace uses of `sq_key_generate` with `Sq::key_generate`, and remove `sq_key_generate`. 2024-07-20 23:05:03 +03:00			`.arg("--output").arg(&updated_path);`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00			`}`
			`sq.run(cmd, true);`

			`let updated = if keystore {`
			`eprintln!("Updated certificate to expire in one day:\n{}",`
			`sq.inspect(cert.key_handle()));`

			`sq.cert_export(cert.key_handle())`
			`} else {`
			`eprintln!("Updated certificate to expire in one day:\n{}",`
tests: Dry out the test framework. - Replace uses of `sq_key_generate` with `Sq::key_generate`, and remove `sq_key_generate`. 2024-07-20 23:05:03 +03:00			`sq.inspect(&updated_path));`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00
			`Cert::from_file(&updated_path).expect("valid cert")`
			`};`

			`// It should be alive now.`
			`let vc = updated.with_policy(STANDARD_POLICY, sq.now()).expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// It should be alive in 1 day minus 1 second.`
			`let t = sq.now() + Duration::new(24 * 60 * 60 - 1, 0);`
			`eprintln!("Checking expiration status at {}", time_as_string(t.into()));`
			`let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// But in exactly one day, it should be expired.`
			`let t = sq.now() + Duration::new(24 * 60 * 60, 0);`
			`eprintln!("Checking expiration status at {}", time_as_string(t.into()));`
			`let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");`
			`assert!(matches!(vc.alive(), Err(_)));`

			`// 12 hours go by. Clear the expiration time.`
			`sq.tick(12 * 60 * 60);`

			`let mut cmd = sq.command();`
Make sq key expire's expiration argument a named argument. - `sq key expire`'s expiration argument is a positional argument. Change it to a named argument. - See #318. 2024-10-29 10:57:18 +03:00			`cmd.args([ "key", "expire", "--expiration", "never" ]);`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00			`if keystore {`
			`cmd.args([ "--cert", &fpr ]);`
			`} else {`
			`cmd.args([`
Use `--cert-` prefix for all cert designators. - Resolves a conflict with the user ID designators, and makes the interface more consistent. - Fixes #385. 2024-11-18 16:57:09 +03:00			`"--cert-file", &updated_path.to_string_lossy(),`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00			`"--output", &updated2_path.to_string_lossy(),`
			`]);`
			`}`
			`sq.run(cmd, true);`

			`let updated = if keystore {`
			`eprintln!("Updated certificate to expire in one day:\n{}",`
			`sq.inspect(cert.key_handle()));`

			`sq.cert_export(cert.key_handle())`
			`} else {`
			`eprintln!("Updated certificate to expire in one day:\n{}",`
tests: Dry out the test framework. - Replace uses of `sq_key_generate` with `Sq::key_generate`, and remove `sq_key_generate`. 2024-07-20 23:05:03 +03:00			`sq.inspect(&updated2_path));`
Change sq key expire etc. to support the cert store and key store. - Change `sq key expire` and `sq key subkey expire` to support the cert store and key store. - See #205. 2024-05-31 14:22:27 +03:00
			`Cert::from_file(&updated2_path).expect("valid cert")`
			`};`

			`// It should be alive now.`
			`let vc = updated.with_policy(STANDARD_POLICY, None)`
			`.expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// It should be alive in 1 day minus 1 second.`
			`let vc = updated.with_policy(`
			`STANDARD_POLICY,`
			`sq.now() + Duration::new(24 * 60 * 60 - 1, 0))`
			`.expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// And in exactly one day...`
			`let vc = updated.with_policy(`
			`STANDARD_POLICY,`
			`sq.now() + Duration::new(24 * 60 * 60, 0))`
			`.expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`
			`}`
Add a test for sq key expire. 2024-05-30 21:47:52 +03:00
			`Ok(())`
			`}`
Fix changing the expiration time on keys without direct key sig. - Fixes #230. 2024-10-02 17:34:17 +03:00
			`/// Tests changing the expiration time of a key without direct key`
			`/// signature.`
			`///`
			`/// These kind of keys are generated by GnuPG.`
			`#[test]`
			`fn sq_key_expire_no_direct_key_sig() -> Result<()> {`
			`use openpgp::{`
			`packet::{Any, Signature},`
			`serialize::Serialize,`
			`types::SignatureType,`
			`};`

			`let mut sq = Sq::new();`
			`let (cert, _cert_path, _rev_path)`
tests: Abstract user ID argument passing. - Add a new type, `UserIDArg`, which represents a user ID argument. - Change functions that take user IDs like `Sq::key_generate` to use it. 2024-11-13 11:20:18 +03:00			`= sq.key_generate(&[], &[UserIDArg::Email("alice@example.org")]);`
Fix changing the expiration time on keys without direct key sig. - Fixes #230. 2024-10-02 17:34:17 +03:00			`let fipr = cert.fingerprint().to_string();`


			`// Strip the direct key signature.`
			`let mut p = cert.as_tsk().into_packets().collect::<Vec<_>>();`
			`p.retain(\|p\| Any::<Signature>::downcast_ref(p)`
			`.map(\|sig\| sig.typ() != SignatureType::DirectKey)`
			`.unwrap_or(true));`
			`let cert = Cert::from_packets(p.into_iter())?;`

			`// Two days go by.`
			`sq.tick(2 * 24 * 60 * 60);`

			`let cert_path = sq.scratch_file("updated.pgp");`
			`cert.as_tsk().serialize(&mut std::fs::File::create(&cert_path)?)?;`
			`sq.key_import(&cert_path);`

			`// Change the key to expire in one day.`
			`let mut cmd = sq.command();`
Make sq key expire's expiration argument a named argument. - `sq key expire`'s expiration argument is a positional argument. Change it to a named argument. - See #318. 2024-10-29 10:57:18 +03:00			`cmd.args(["key", "expire", "--expiration", "1d", "--cert", &fipr]);`
Fix changing the expiration time on keys without direct key sig. - Fixes #230. 2024-10-02 17:34:17 +03:00			`sq.run(cmd, true);`

			`eprintln!("Updated certificate to expire in one day:\n{}",`
			`sq.inspect(cert.key_handle()));`
			`let updated = sq.cert_export(cert.key_handle());`

			`// It should be alive now.`
			`let vc = updated.with_policy(STANDARD_POLICY, sq.now()).expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// It should be alive in 1 day minus 1 second.`
			`let t = sq.now() + Duration::new(24 * 60 * 60 - 1, 0);`
			`eprintln!("Checking expiration status at {}", time_as_string(t.into()));`
			`let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// But in exactly one day, it should be expired.`
			`let t = sq.now() + Duration::new(24 * 60 * 60, 0);`
			`eprintln!("Checking expiration status at {}", time_as_string(t.into()));`
			`let vc = updated.with_policy(STANDARD_POLICY, t).expect("valid");`
			`assert!(matches!(vc.alive(), Err(_)));`

			`// 12 hours go by. Clear the expiration time.`
			`sq.tick(12 * 60 * 60);`

			`let mut cmd = sq.command();`
Make sq key expire's expiration argument a named argument. - `sq key expire`'s expiration argument is a positional argument. Change it to a named argument. - See #318. 2024-10-29 10:57:18 +03:00			`cmd.args(["key", "expire", "--expiration", "never", "--cert", &fipr]);`
Fix changing the expiration time on keys without direct key sig. - Fixes #230. 2024-10-02 17:34:17 +03:00			`sq.run(cmd, true);`

			`eprintln!("Updated certificate to expire in one day:\n{}",`
			`sq.inspect(cert.key_handle()));`
			`let updated = sq.cert_export(cert.key_handle());`

			`// It should be alive now.`
			`let vc = updated.with_policy(STANDARD_POLICY, None)`
			`.expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// It should be alive in 1 day minus 1 second.`
			`let vc = updated.with_policy(`
			`STANDARD_POLICY,`
			`sq.now() + Duration::new(24 * 60 * 60 - 1, 0))`
			`.expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`// And in exactly one day...`
			`let vc = updated.with_policy(`
			`STANDARD_POLICY,`
			`sq.now() + Duration::new(24 * 60 * 60, 0))`
			`.expect("valid");`
			`assert!(matches!(vc.alive(), Ok(())));`

			`Ok(())`
			`}`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update the direct key signature, and each user ID's self signature. This fails if a user ID doesn't have a valid self signature. - User IDs, however, don't need to be self signed! For instance, a user ID may only have a third-party certification. - Relax `sq key expire` to only add a self signature for a user ID, if the user ID already has a self signature. 2024-10-07 12:50:36 +03:00
			`#[test]`
			`fn unbound_userid() {`
			`// Make sure we can extend the expiration time of a certificate`
			`// that includes an unbound user ID (i.e., a user ID without a`
			`// self signature).`

			`let sq = Sq::new();`

			`let cert_path = sq.test_data()`
			`.join("keys")`
			`.join("unbound-userid.pgp");`

			`let cert = Cert::from_file(&cert_path).expect("can read");`
			`let vc = cert.with_policy(STANDARD_POLICY, sq.now())`
			`.expect("valid cert");`
			`// It shouldn't be expired yet.`
			`assert!(vc.primary_key().key_expiration_time().is_none());`

			`// Set it to expire in a day.`
			`let updated_path = sq.scratch_file("updated");`
			`let updated = sq.key_expire(cert_path,`
			`"1d",`
			`None,`
			`updated_path.as_path(),`
			`true)`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update each user ID's self signature. If a user ID is revoked, creating a new self signature will "unrevoke it." - Skip user IDs that are revoked. 2024-10-07 14:27:16 +03:00			`.expect("sq key expire should succeed");`

			`let vc = updated.with_policy(STANDARD_POLICY, sq.now())`
			`.expect("valid cert");`
			`let expiration = vc.primary_key().key_expiration_time();`
			`assert_eq!(expiration,`
			`Some(sq.now() + std::time::Duration::new(24 * 60 * 60, 0)));`
			`}`


			`#[test]`
			`fn revoked_userid() {`
			`// Make sure we can extend the expiration time of a certificate`
			`// that includes a revoked user ID (i.e., a user ID without a self`
			`// signature), and make sure we DON'T make the user ID valid.`

			`let sq = Sq::new();`

			`let cert_path = sq.test_data()`
			`.join("keys")`
			`.join("retired-userid.pgp");`

			`let cert = Cert::from_file(&cert_path).expect("can read");`
			`let vc = cert.with_policy(STANDARD_POLICY, sq.now())`
			`.expect("valid cert");`
			`// It shouldn't be expired yet.`
			`assert!(vc.primary_key().key_expiration_time().is_none());`

			`let ua = vc.userids().next().expect("have a user ID");`
			`if let RevocationStatus::Revoked(_) = ua.revocation_status() {`
			`} else {`
			`panic!("User ID should be revoked, but isn't.");`
			`};`

			`// Set it to expire in a day.`
			`let updated_path = sq.scratch_file("updated");`
			`let updated = sq.key_expire(cert_path,`
			`"1d",`
			`None,`
			`updated_path.as_path(),`
			`true)`
			`.expect("sq key expire should succeed");`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update the direct key signature, and each user ID's self signature. This fails if a user ID doesn't have a valid self signature. - User IDs, however, don't need to be self signed! For instance, a user ID may only have a third-party certification. - Relax `sq key expire` to only add a self signature for a user ID, if the user ID already has a self signature. 2024-10-07 12:50:36 +03:00
			`let vc = updated.with_policy(STANDARD_POLICY, sq.now())`
			`.expect("valid cert");`
			`let expiration = vc.primary_key().key_expiration_time();`
			`assert_eq!(expiration,`
			`Some(sq.now() + std::time::Duration::new(24 * 60 * 60, 0)));`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update each user ID's self signature. If a user ID is revoked, creating a new self signature will "unrevoke it." - Skip user IDs that are revoked. 2024-10-07 14:27:16 +03:00
			`let ua = vc.userids().next().expect("have a user ID");`
			`if let RevocationStatus::Revoked(_) = ua.revocation_status() {`
			`} else {`
			`panic!("User ID should be revoked, but isn't.");`
			`};`
Fix setting a certificate's expiration time. - When setting a certificate's expiration time, we update the direct key signature, and each user ID's self signature. This fails if a user ID doesn't have a valid self signature. - User IDs, however, don't need to be self signed! For instance, a user ID may only have a third-party certification. - Relax `sq key expire` to only add a self signature for a user ID, if the user ID already has a self signature. 2024-10-07 12:50:36 +03:00			`}`