Refine sq key userid revoke's user ID designators.

- Change the semantics of `sq key userid revoke --email` to use a user ID with just the specified email address, if the email address is part of a self-signed user ID. That is, use the `Exact` semantics instead of the `By` semantics. For example, if a certificate has the self-signed user ID "Alice <alice@example.org>", then `--email alice@example.org` would have selected "Alice <alice@example.org>" for revocation, but now it selects "<alice@example.org>". - Add `sq key userid revoke --userid-by-email`, which uses the self-signed user ID with the specified email address. For example, if a certificate has the self-signed user ID "Alice <alice@example.org>", then `--userid-by-email alice@example.org` selects "Alice <alice@example.org>" for revocation. - Fixes #212.
2024-12-15 01:28:43 +01:00 · 2024-12-15 01:28:43 +01:00 · 18800cbfcf
commit 18800cbfcf
parent d756753950
4 changed files with 40 additions and 11 deletions
--- a/12
+++ b/12
@ -51,6 +51,18 @@
     has the self-signed user ID "Alice <alice@example.org>", then
     `--userid-by-email alice@example.org` selects "Alice
     <alice@example.org>" for certification.
+   - Change `sq key userid revoke --email` to use a user ID with just
+     the specified email address, if the email address is part of a
+     self-signed user ID.  That is, if the certificate has the
+     self-signed user ID "Alice <alice@example.org>", then `--email
+     alice@example.org` would have selected "Alice
+     <alice@example.org>" for revocation, but now it selects
+     "<alice@example.org>".
+   - Add `sq key userid revoke --userid-by-email`, which uses the
+     self-signed user ID with the specified email address.  That is,
+     if the certificate has the self-signed user ID "Alice
+     <alice@example.org>", then `--userid-by-email alice@example.org`
+     selects "Alice <alice@example.org>" for revocation.

 * Changes in 0.41.0
 ** New functionality
--- a/src/cli/key/userid.rs
+++ b/src/cli/key/userid.rs
@ -219,7 +219,7 @@ pub struct RevokeCommand {

    #[command(flatten)]
    pub userids: UserIDDesignators<
-        userid_designator::PlainByAndAddArgs,
+        userid_designator::ExactByAndAddArgs,
        userid_designator::OneValue>,

    #[clap(
--- a/src/cli/types/userid_designator.rs
+++ b/src/cli/types/userid_designator.rs
@ -57,10 +57,6 @@ pub type PlainByArgs
 pub type PlainAddArgs
    = <AddArgs as std::ops::BitOr<PlainIsAdd>>::Output;

-pub type PlainByAndAddArgs
-    = <<PlainIsBy as std::ops::BitOr<ByArgs>>::Output
-       as std::ops::BitOr<AddArgs>>::Output;
-
 pub type ExactAndAddArgs
    = <ExactArgs as std::ops::BitOr<AddArgs>>::Output;

@ -1197,7 +1193,6 @@ mod test {
        check!(AddArgs,                  None, false, true);
        check!(PlainByArgs,                By, false, false);
        check!(PlainAddArgs,              Add, false, false);
-        check!(PlainByAndAddArgs,          By, false,  true);
        check!(ExactAndAddArgs,         Exact, false,  true);
        check!(ExactByAndAddArgs,       Exact,  true,  true);
        check!(AllExactByAndAddArgs,    Exact,  true,  true);
--- a/tests/integration/sq_key_userid_revoke.rs
+++ b/tests/integration/sq_key_userid_revoke.rs
@ -300,15 +300,15 @@ fn userid_designators() {
                   UserIDArg::AddUserID(other_userid)).is_ok());
    revocations(&sq, cert.key_handle(), other_userid, 1);

-    // 3. --email: use the self-signed user ID with the specified
-    // email address.
+    // 3. --userid-by-email: use the self-signed user ID with the
+    // specified email address.
    let (cert, fpr, sq) = setup();

    // Self-signed and authenticated.
    assert!(sq.pki_authenticate(
        &[], &fpr, UserIDArg::UserID(self_signed_userid)).is_ok());
    assert!(revoke(&sq, cert.key_handle(),
-                   UserIDArg::Email(self_signed_email)).is_ok());
+                   UserIDArg::ByEmail(self_signed_email)).is_ok());
    revocations(&sq, cert.key_handle(), self_signed_userid, 1);
    assert!(sq.pki_authenticate(
        &[], &fpr, UserIDArg::UserID(self_signed_userid)).is_err());
@ -317,10 +317,32 @@ fn userid_designators() {
    assert!(sq.pki_authenticate(
        &[], &fpr, UserIDArg::UserID(other_userid)).is_ok());
    assert!(revoke(&sq, cert.key_handle(),
-                   UserIDArg::Email(other_email)).is_err());
+                   UserIDArg::ByEmail(other_email)).is_err());
    revocations(&sq, cert.key_handle(), other_userid, 0);

-    // 4. --add-email: use a user ID with the email address.
+    // 4. --email: use a user ID with just the email address if there
+    // is a self-signed user ID with the specified email address.
+    let (cert, fpr, sq) = setup();
+
+    // Self-signed and authenticated.
+    assert!(sq.pki_authenticate(
+        &[], &fpr, UserIDArg::UserID(self_signed_userid)).is_ok());
+    assert!(revoke(&sq, cert.key_handle(),
+                   UserIDArg::Email(self_signed_email)).is_ok());
+    revocations(&sq, cert.key_handle(), self_signed_userid, 0);
+    revocations(&sq, cert.key_handle(), &format!("<{}>", self_signed_email), 1);
+    assert!(sq.pki_authenticate(
+        &[], &fpr, UserIDArg::UserID(self_signed_userid)).is_ok());
+
+    // Authenticated, but not self-signed.
+    assert!(sq.pki_authenticate(
+        &[], &fpr, UserIDArg::UserID(other_userid)).is_ok());
+    assert!(revoke(&sq, cert.key_handle(),
+                   UserIDArg::Email(other_email)).is_err());
+    revocations(&sq, cert.key_handle(), other_userid, 0);
+    revocations(&sq, cert.key_handle(), &format!("<{}>", other_email), 0);
+
+    // 5. --add-email: use a user ID with the email address.
    let (cert, fpr, sq) = setup();

    // Self-signed and authenticated.