Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
use assert_cmd ::Command ;
2024-05-28 16:04:48 +03:00
use tempfile ::TempDir ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
use chrono ::Duration ;
use openpgp ::parse ::Parse ;
use openpgp ::types ::ReasonForRevocation ;
use openpgp ::types ::RevocationStatus ;
use openpgp ::types ::SignatureType ;
use openpgp ::Cert ;
use openpgp ::Result ;
use sequoia_openpgp as openpgp ;
mod common ;
use common ::compare_notations ;
use common ::sq_key_generate ;
use common ::STANDARD_POLICY ;
#[ test ]
fn sq_key_revoke ( ) -> Result < ( ) > {
2024-05-28 16:04:48 +03:00
let ( tmpdir , cert_path , time ) = sq_key_generate ( None ) ? ;
let cert_path = cert_path . display ( ) . to_string ( ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
2024-05-28 16:04:48 +03:00
let cert = Cert ::from_file ( & cert_path ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let valid_cert = cert . with_policy ( STANDARD_POLICY , Some ( time . into ( ) ) ) ? ;
let fingerprint = & valid_cert . clone ( ) . fingerprint ( ) ;
let message = " message " ;
// revoke for various reasons, with or without notations added, or with
// a revocation whose reference time is one hour after the creation of the
// certificate
for ( reason , reason_str , notations , revocation_time ) in [
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
None ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeyRetired , " retired " , None , None ) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeySuperseded , " superseded " , None , None ) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::Unspecified , " unspecified " , None , None ) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
None ,
Some ( time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
] {
2024-05-28 16:04:48 +03:00
eprintln! ( " ========================== " ) ;
eprintln! ( " reason: {} , message: {} , notations: {:?} , time: {:?} " ,
reason , reason_str , notations , revocation_time ) ;
for keystore in [ false , true ] . into_iter ( ) {
eprintln! ( " -------------------------- " ) ;
eprintln! ( " keystore: {} " , keystore ) ;
let home = TempDir ::new ( ) . unwrap ( ) ;
let home = home . path ( ) . display ( ) . to_string ( ) ;
let revocation = & tmpdir . path ( ) . join ( format! (
" revocation_{}_{}_{}.rev " ,
reason_str ,
if notations . is_some ( ) {
" notations "
} else {
" no_notations "
} ,
if revocation_time . is_some ( ) {
" time "
} else {
" no_time "
}
) ) ;
if keystore {
// When using the keystore, we need to import the key.
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --home " , & home ,
" key " ,
" import " ,
& cert_path ,
] ) ;
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
}
2024-05-28 16:04:48 +03:00
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
cmd . args ( [
2024-05-28 16:04:48 +03:00
" --home " , & home ,
" key " ,
" revoke " ,
reason_str ,
message ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
] ) ;
2024-05-28 16:04:48 +03:00
if keystore {
cmd . args ( [
" --cert " , & cert . fingerprint ( ) . to_string ( ) ,
] ) ;
} else {
cmd . args ( [
" --output " ,
& revocation . to_string_lossy ( ) ,
" --cert-file " ,
& cert_path ,
] ) ;
}
if let Some ( notations ) = notations {
for ( k , v ) in notations {
cmd . args ( [ " --notation " , k , v ] ) ;
}
}
if let Some ( time ) = revocation_time {
cmd . args ( [
" --time " ,
& time . format ( " %Y-%m-%dT%H:%M:%SZ " ) . to_string ( ) ,
] ) ;
}
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
if keystore {
// When using the keystore, we need to export the
// revoked certificate.
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --home " , & home ,
" cert " ,
" export " ,
" --cert " , & cert . fingerprint ( ) . to_string ( ) ,
] ) ;
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
std ::fs ::write ( & revocation , & output . stdout )
. expect ( & format! ( " Writing {} " , & revocation . display ( ) ) ) ;
}
let updated = Cert ::from_file ( & revocation ) . expect ( " valid cert " ) ;
if let RevocationStatus ::Revoked ( sigs )
= updated . revocation_status ( STANDARD_POLICY , None )
{
assert_eq! ( sigs . len ( ) , 1 ) ;
let sig = sigs . into_iter ( ) . next ( ) . unwrap ( ) ;
// the issuer is the certificate owner
assert_eq! (
sig . get_issuers ( ) . into_iter ( ) . next ( ) ,
Some ( fingerprint . into ( ) )
) ;
let revoked_cert = cert . clone ( ) . insert_packets ( sig . clone ( ) ) . unwrap ( ) ;
let status = revoked_cert
. with_policy ( STANDARD_POLICY , revocation_time . map ( Into ::into ) )
. unwrap ( )
. revocation_status ( ) ;
println! ( " {:?} " , sig ) ;
println! ( " {:?} " , status ) ;
// Verify the revocation.
assert! ( matches! ( status , RevocationStatus ::Revoked ( _ ) ) ) ;
// it is a key revocation
assert_eq! ( sig . typ ( ) , SignatureType ::KeyRevocation ) ;
// our reason for revocation and message matches
assert_eq! (
sig . reason_for_revocation ( ) ,
Some ( ( reason , message . as_bytes ( ) ) )
) ;
// the notations of the revocation match the ones
// we passed in
compare_notations ( sig , notations ) ? ;
} else {
panic! ( " Not revoked " ) ;
}
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
}
}
tmpdir . close ( ) ? ;
Ok ( ( ) )
}
#[ test ]
fn sq_key_revoke_thirdparty ( ) -> Result < ( ) > {
2024-05-28 16:04:48 +03:00
let ( tmpdir , cert_path , _ ) = sq_key_generate ( None ) ? ;
let cert_path = cert_path . display ( ) . to_string ( ) ;
let cert = Cert ::from_file ( & cert_path ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let ( thirdparty_tmpdir , thirdparty_path , thirdparty_time ) =
2024-04-09 13:05:34 +03:00
sq_key_generate ( Some ( & [ " bob <bob@example.org> " ] ) ) ? ;
2024-05-28 16:04:48 +03:00
let thirdparty_path = thirdparty_path . display ( ) . to_string ( ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
let thirdparty_cert = Cert ::from_file ( & thirdparty_path ) ? ;
let thirdparty_valid_cert = thirdparty_cert
. with_policy ( STANDARD_POLICY , Some ( thirdparty_time . into ( ) ) ) ? ;
let thirdparty_fingerprint = & thirdparty_valid_cert . clone ( ) . fingerprint ( ) ;
let message = " message " ;
// revoke for various reasons, with or without notations added, or with
// a revocation whose reference time is one hour after the creation of the
// certificate
for ( reason , reason_str , notations , revocation_time ) in [
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
None ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyCompromised ,
" compromised " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeyRetired , " retired " , None , None ) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeyRetired ,
" retired " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::KeySuperseded , " superseded " , None , None ) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::KeySuperseded ,
" superseded " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
( ReasonForRevocation ::Unspecified , " unspecified " , None , None ) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
None ,
Some ( thirdparty_time + Duration ::hours ( 1 ) ) ,
) ,
(
ReasonForRevocation ::Unspecified ,
" unspecified " ,
Some ( & [ ( " foo " , " bar " ) , ( " hallo@sequoia-pgp.org " , " VALUE " ) ] ) ,
None ,
) ,
] {
2024-05-28 16:04:48 +03:00
for keystore in [ false , true ] . into_iter ( ) {
let home = TempDir ::new ( ) . unwrap ( ) ;
let home = home . path ( ) . display ( ) . to_string ( ) ;
let revocation = & tmpdir . path ( ) . join ( format! (
" revocation_{}_{}_{}.rev " ,
reason_str ,
if notations . is_some ( ) {
" notations "
} else {
" no_notations "
} ,
if revocation_time . is_some ( ) {
" time "
} else {
" no_time "
}
) ) ;
if keystore {
// When using the keystore, we need to import the key.
for path in & [ & cert_path , & thirdparty_path ] {
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --home " , & home ,
" key " ,
" import " ,
& path ,
] ) ;
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
}
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
}
2024-05-28 16:04:48 +03:00
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
cmd . args ( [
2024-05-28 16:04:48 +03:00
" --home " , & home ,
" key " ,
" revoke " ,
reason_str ,
message ,
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
] ) ;
2024-05-28 16:04:48 +03:00
if keystore {
cmd . args ( [
" --cert " , & cert . fingerprint ( ) . to_string ( ) ,
" --revoker " , & thirdparty_cert . fingerprint ( ) . to_string ( ) ,
] ) ;
} else {
cmd . args ( [
" --output " ,
& revocation . to_string_lossy ( ) ,
" --cert-file " ,
& cert_path ,
" --revoker-file " ,
& thirdparty_path ,
] ) ;
}
if let Some ( notations ) = notations {
for ( k , v ) in notations {
cmd . args ( [ " --notation " , k , v ] ) ;
}
}
if let Some ( time ) = revocation_time {
cmd . args ( [
" --time " ,
& time . format ( " %Y-%m-%dT%H:%M:%SZ " ) . to_string ( ) ,
] ) ;
}
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
if keystore {
// When using the keystore, we need to export the
// revoked certificate.
let mut cmd = Command ::cargo_bin ( " sq " ) ? ;
cmd . args ( [
" --home " , & home ,
" cert " ,
" export " ,
" --cert " , & cert . fingerprint ( ) . to_string ( ) ,
] ) ;
let output = cmd . output ( ) ? ;
if ! output . status . success ( ) {
panic! (
" sq exited with non-zero status code: {} " ,
String ::from_utf8 ( output . stderr ) ?
) ;
}
std ::fs ::write ( & revocation , & output . stdout )
. expect ( & format! ( " Writing {} " , & revocation . display ( ) ) ) ;
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
}
2024-05-28 16:04:48 +03:00
// read revocation cert
let revocation_cert = Cert ::from_file ( & revocation ) ? ;
assert! ( ! revocation_cert . is_tsk ( ) ) ;
// evaluate revocation status
let status = revocation_cert . revocation_status (
STANDARD_POLICY , revocation_time . map ( Into ::into ) ) ;
if let RevocationStatus ::CouldBe ( sigs ) = status {
// there is only one signature packet
assert_eq! ( sigs . len ( ) , 1 ) ;
let sig = sigs . into_iter ( ) . next ( ) . unwrap ( ) ;
// it is a key revocation
assert_eq! ( sig . typ ( ) , SignatureType ::KeyRevocation ) ;
// the issuer is a thirdparty revoker
assert_eq! (
sig . get_issuers ( ) . into_iter ( ) . next ( ) . as_ref ( ) ,
Some ( & thirdparty_fingerprint . clone ( ) . into ( ) )
) ;
// the revocation can be verified
if sig
. clone ( )
. verify_primary_key_revocation (
& thirdparty_cert . primary_key ( ) ,
& cert . primary_key ( ) ,
)
. is_err ( )
{
panic! ( " revocation is not valid " )
}
// our reason for revocation and message matches
assert_eq! (
sig . reason_for_revocation ( ) ,
Some ( ( reason , message . as_bytes ( ) ) )
) ;
// the notations of the revocation match the ones
// we passed in
compare_notations ( sig , notations ) ? ;
} else {
panic! ( " there are no signatures in {:?} " , status ) ;
}
Consolidate `sq revoke` commands as `sq key` subcommands
- Move the `sq revoke certificate`, `sq revoke subkey` and `sq revoke
userid` subcommands below the `sq key` namespace as `sq key revoke`,
`sq key subkey revoke` and `sq key userid revoke` (respectively). This
consolidates commands relevant to key management below `sq key`, which
is in line with already existing subcommands (e.g. `sq key generate`,
`sq key subkey add` or `sq key userid add`).
- Replace the use of a common `revoke()` with `CertificateRevocation`,
`SubkeyRevocation` and `UserIDRevocation` to reduce complexity and
allow for easier per target (i.e., certificate, subkey or userid)
command modification.
- Allow specifying an output file using `--output`/ `-o` for all
revocation subcommands (i.e., `sq key revoke`, `sq key subkey revoke`,
`sq key userid revoke`). If unspecified, output goes to stdout as
before.
- Add common test facilities to create a default certificate in a
temporary directory.
- Add common test function to compare a set of notations with those in
a `Signature`.
- Replace the integration tests which used to test a combined `sq
revoke` subcommand with integration tests for `sq key subkey revoke`,
`sq key userid revoke` and `sq key revoke` using direct and third
party revocation.
Fixes #93
2023-06-20 15:44:11 +03:00
}
}
tmpdir . close ( ) ? ;
thirdparty_tmpdir . close ( ) ? ;
Ok ( ( ) )
}