Fix generation of user ID-less keys.

- Fixes #491.
2024-12-11 13:29:32 +01:00 · 2024-12-11 13:29:32 +01:00 · 02f0dc44fa
commit 02f0dc44fa
parent 44d97fc920
2 changed files with 26 additions and 5 deletions
--- a/src/commands/key/generate.rs
+++ b/src/commands/key/generate.rs
@ -182,7 +182,7 @@ pub fn generate(
        builder.generate()
    };

-    let (cert, rev);
+    let (mut cert, rev);

    let rev_path = if let Some(rev_cert) = command.rev_cert {
        (cert, rev) = gen()?;
@ -250,8 +250,12 @@ pub fn generate(
            None => {
                // write the key to the key store

-                // Certify the key with a per-host shadow CA.
-                let cert = certify_generated(&mut sq, &cert)?;
+                // Certify the key with a per-host shadow CA if there
+                // are any user IDs to certify.
+                let have_userids = cert.userids().next().is_some();
+                if have_userids {
+                    cert = certify_generated(&mut sq, &cert)?;
+                }

                match sq.import_key(cert.clone(), &mut Default::default())
                    .map(|(key_status, _cert_status)| key_status)
@ -278,7 +282,7 @@ pub fn generate(
                let trust_root = sq.local_trust_root()?;
                let trust_root = trust_root.to_cert()?;

-                if command.own_key {
+                if command.own_key && have_userids {
                    // Mark all user IDs as authenticated, and mark
                    // the key as a trusted introducer.
                    crate::common::pki::certify::certify(
@ -301,7 +305,7 @@ pub fn generate(
                        None, // Output.
                        false, // Binary.
                    )?;
-                } else if command.shared_key {
+                } else if command.shared_key && have_userids {
                    // Mark all user IDs as authenticated.
                    crate::common::pki::certify::certify(
                        &mut std::io::stderr(),
--- a/tests/integration/sq_key_generate.rs
+++ b/tests/integration/sq_key_generate.rs
@ -7,6 +7,23 @@ use super::common;
 use super::common::UserIDArg;
 use super::common::NO_USERIDS;

+#[test]
+fn sq_key_generate_no_userid() -> Result<()> {
+    let sq = common::Sq::new();
+
+    // Stateless key generation.
+    let (cert, _, _) = sq.key_generate::<&str>(&[], &[]);
+    assert_eq!(cert.userids().count(), 0);
+
+    // Stateful key generation.
+    let mut cmd = sq.command();
+    cmd.args(["key", "generate", "--own-key", "--no-userids",
+              "--without-password"]);
+    sq.run(cmd, true);
+
+    Ok(())
+}
+
 #[test]
 fn sq_key_generate_creation_time() -> Result<()>
 {