Commit Graph

270 Commits

Author SHA1 Message Date
Justus Winter
012e762d38
Align user ID designators in sq pki link retract.
- User IDs have to be explicitly given, or `--all` has to be used to
    select them all (this was previously the default).

  - This aligns the retract subcommand with the other link and vouch
    management commands.

  - Fixes #442.
2024-11-28 18:07:30 +01:00
Neal H. Walfield
c9bde7fe47
Add support for addressing shadow CAs by symbolic names.
- Add a new paramter to `sq pki link add`, `sq pki link authorize`,
    and `sq pki link retract`, `--cert-special`, which allows addressing
    shadow CAs by symbolic names.

  - If the shadow CA doesn't exist yet, we create it.

  - This means `sq pki link authorize --cert-special keys.openpgp.org
    --all --unconstrained` can be used to fully trust the
    `keys.openpgp.org` key server, for instance.  This is more
    convenient, and especially useful for documentation.

  - Fixes #337.
2024-11-28 15:38:34 +01:00
Justus Winter
9f5c5ce930
Mark sq keyring filter experimental.
- Invoking it now requires the `--experimental` flag.  This is a
    template that we may use to introduce features into sq with a bit
    of a chance to stabilize it over time.

  - Fixes #455.
2024-11-27 17:27:04 +01:00
Justus Winter
3b1bd79195
Align user ID designators in sq pki {link,vouch} {add,authorize}.
- Align user ID designators across these four commands.  Previously,
    `--all` was implied for the authorize commands if no user ID
    designator was given.

  - However, this is problematic for the following reasons:

    - First, it is inconsistent across the commands.

    - Second, while CAs can add any name to their cert because they
      are CAs, those certifications are subject to constraints, such
      as domain constraints, or the amount.  But, the link we add
      fully authenticates the current user IDs, which may not be what
      the user wants, so it should require explicit consent.

    - Third, making this implicit again is easier than going from
      implicit to explicit, which breaks existing users.

  - Fixes #442.
2024-11-27 13:33:30 +01:00
Neal H. Walfield
be5b1f7103
Change sq pki link retract to use the NULL policy.
- Change `sq pki link retract` to use the NULL policy when resolving
    user IDs.  It's safer to retract a link for a user ID than to
    refuse.
2024-11-24 22:01:06 +01:00
Neal H. Walfield
bfc843bc52
To revoke a user ID, require the cert be valid under the current policy.
- Change `sq key userid revoke` to require the certificate be valid
    under the current policy.  If the certificate is not valid under
    the current policy, the user should revoke the whole certificate,
    or fix it using `sq cert lint` after verifying the certificate's
    integrity.  If the certificate is valid under the current policy,
    but the user ID to revoke isn't, it can still be revoked using
    `--userid-or-add`.

  - See #375.
2024-11-23 20:38:21 +01:00
Neal H. Walfield
c51e657fcc
tests: Add more tests for sq encrypt. 2024-11-23 12:15:17 +01:00
Neal H. Walfield
258394678f
Don't use revoked certificates for encryption.
- Change `sq encrypt` to not use revoked certificates.
2024-11-23 12:14:56 +01:00
Neal H. Walfield
d5c4c50326
Make sq key password change the password of weakly bound keys.
- Change `sq key password` to also change the password of keys that
    are weakly bound.  Users are likely to be more surprised when a
    password is not changed.
2024-11-22 17:47:41 +01:00
Neal H. Walfield
493ab3ab31
tests: Add tests for sq key password. 2024-11-22 17:20:17 +01:00
Neal H. Walfield
0c5e0c9487
Improve how sq key delete handles ambiguous associations.
- Change `sq key delete` to fail if a key is associated with
    multiple certificates.

  - Fixes #457.
2024-11-22 16:03:20 +01:00
Neal H. Walfield
569a5fa5f9
Change sq key {delete,password} to work with more certificates.
- `sq key delete` and `sq key password` fail if any of the keys are
    missing secret key material.

  - Change them to work with the available secret key material.  (But
    if there is none, still fail.)
2024-11-22 16:01:38 +01:00
Neal H. Walfield
faa350b694
Change sq key delete to refuse to work with weakly bound subkeys.
- `sq key delete` deletes all secret key material associated with a
    certificate.  Of course, we don't want to delete secret key
    material that we are not confident belongs to the certificate.

  - Imagine Alice creates a new certificate.  Mallory see this, and
    anticipates that she is going to delete the old certificate.  He
    attaches her new encryption-capable subkey to the old certificate
    using some weak cryptography, publishes it, and then Alice gets
    the update to her old certificate via parcimonie.  When she
    deletes the secret key material associated with the old
    certificate, she would also delete her new secret key material.
    Ouch!  Admittedly, this attack is a bit contrived.

  - Alternatively, we could skip subkeys whose bindings rely on
    weak cryptography.  This behavior would probably surprise most
    users.  It could have serious consequences as well, since the
    user thought they deleted the secret key material, but didn't.

  - Instead, we are conservative: if a subkey's binding signature
    relies on weak cryptography AND we have secret key material for
    it, we abort, and suggest using `sq key subkey delete` instead.

  - See #375 and #457.
2024-11-22 16:01:02 +01:00
Justus Winter
fea18da98d
New mandatory switches sq key generate <--own-key|--shared-key>.
- When generating keys, either `--own-key` or `--shared-key` has to
    be given.  The former marks the key's user IDs as authenticated
    and makes it a trusted introducer.  The latter marks the key's
    user IDs as authenticated, and marks the key as a group key.

  - Fixes #452.
2024-11-21 16:36:39 +01:00
Neal H. Walfield
4a5ce6603c
Change sq key subkey {password,delete} to work with weak bindings.
- Currently, it is not possible to delete secret key material that
    is only associated with a certificate that is not valid under the
    current policy.  The same goes for changing the password protecting
    the secret key material.

  - Users shouldn't have to first update a key's binding signature to
    delete it, or change its password.

  - Change `sq key subkey delete` and `sq key subkey password` to use
    the null policy.  This is not a security concern, because even if
    the binding signature is weak, both the certificate and the key
    are explicitly named.

  - See #375
2024-11-21 12:14:24 +01:00
Justus Winter
c37bfe5e7b
Rename --notation to --signature-notation.
- This aligns with `sq encrypt --signature-notation` and makes it
    clearer that notations are being put on signatures.

  - Fixes #454.
2024-11-21 11:38:59 +01:00
Justus Winter
6688e0a6d7
Rename sq pki vouch certify to sq pki vouch add.
- This makes it consistent with `sq pki link add` and all the other
    commands that add components to certs.

  - Fixes #433.
2024-11-20 12:00:23 +01:00
Justus Winter
19401ef551
Remove sq toolbox extract-cert.
- Fixes #389.
2024-11-19 13:39:46 +01:00
Justus Winter
784e011922
Remove test framework for toolbox strip-userid.
- Fixes e61a03f863.
2024-11-19 13:39:46 +01:00
Neal H. Walfield
2fb5cc4abf
Don't add approvals for non-exportable certifications or certs.
- Change `sq key approvals list` and `sq key approvals update` to
    ignore certifications that are not exportable, and certificates
    that are not exportable, or are a shadow CA.

  - Fixes #402.
2024-11-18 16:40:48 +01:00
Justus Winter
91f4400c26
Use --cert- prefix for all cert designators.
- Resolves a conflict with the user ID designators, and makes the
    interface more consistent.

  - Fixes #385.
2024-11-18 14:57:09 +01:00
Justus Winter
e61a03f863
Remove sq toolbox strip-userid.
- Fixes #439.
2024-11-18 14:15:37 +01:00
Neal H. Walfield
cef1542ee4
Rename --add-userid to --userid-or-add, etc.
- Rename `--add-userid` to `--userid-or-add`, `--add-email` to
    `--email-or-add`, and `--add-name` to `--name-or-add`.  The new
    names better reflect the semantics: we first try to select a user
    ID based on the designator, and then fall back to adding it as it.
2024-11-18 10:40:18 +01:00
Neal H. Walfield
84b1bf99c6
Fix sq cert list for fingerprints and key IDs.
- The implementation of `sq cert list` tried to parse the
    pattern.  To do so, it relied on type inference to determine how
    to parse it.  The type was inferred from the type of the `cert`
    parameter to `authenticate`.  In
    2e17dec9ad, the type of the `cert`
    parameter changed from `KeyHandle` to `Cert`.  `Cert` has a
    `Parse` implementation so the type system didn't detect anything
    wrong.  However, we were now trying to parse the pattern as a
    `Cert` instead of a `KeyHandle`, which would fail for key handles.

  - Fix it, and add some tests for `sq cert list`.
2024-11-16 21:19:28 +01:00
Neal H. Walfield
f95db6fc9e
Lint user IDs that would be added and are not self signed.
- When a user ID designator designates a user ID that is not
    self-signed, and the command would add it to the certificate, check
    that it is in canonical form.

  - The relevant commands are: `sq key userid revoke`, `sq pki link
    add`, `sq pki link authorize`, `sq pki vouch certify`, and `sq pki
    vouch authorize`

  - Allow the user to disable the check with a new flag,
    `--allow-non-canonical-userids`.

  - Fixes #437.
2024-11-16 17:31:33 +01:00
Neal H. Walfield
d46844ca35
Move sq toolbox packet to sq packet.
- Make `sq packet` a top-level subcommand.

  - See #326.
2024-11-16 10:07:07 +01:00
Neal H. Walfield
e1a4fa656c
Move sq toolbox keyring to sq keyring.
- Make `sq keyring` a top-level subcommand.

  - See #326.
2024-11-16 10:06:59 +01:00
Neal H. Walfield
8e41fb7cd4
tests: Fix check.
- When checking if there are any user ID arguments, also check for
    `--userid`.
2024-11-16 07:12:13 +01:00
Neal H. Walfield
b76cec64b6
Port sq toolbox userid-strip to the user ID designator framework.
- Fixes #434.
2024-11-15 20:43:50 +01:00
Neal H. Walfield
4dbeebc045
Port sq cert list and two more to the user ID designator framework.
- Port `sq cert list`, `sq pki authenticate` and `sq pki lookup` to
    the user ID designator framework.  See #434.

  - This changes the user ID parameter from a positional parameter
    to a named parameter, and drops the `--email` flag.  See #318.
2024-11-15 17:47:05 +01:00
Neal H. Walfield
2e17dec9ad
Port sq pki {authenticate,identify} to the cert designator framework.
- Port `sq pki authenticate` and `sq pki identify` to the cert
    designator framework.  See #207.

  - This changes the certificate parameter from a positional parameter
    to a named parameter.  See #318.
2024-11-15 11:04:38 +01:00
Neal H. Walfield
0e36a20d97
Make sq pki path's user ID argument a named argument.
- See #318.
2024-11-14 16:48:49 +01:00
Neal H. Walfield
435b127e5f
Port sq key userid revoke to the user ID designator framework.
- Port `sq key userid revoke` to the user ID designator framework.
    See #434.

  - This replaces the `--add-userid` flag with the `--add-userid`,
    `--add-email` and `--add-name` arguments.  See #318.

  - This change also makes a user ID mandatory, which fixes #428.
2024-11-14 11:30:29 +01:00
Neal H. Walfield
6645fdee6c
Change --email and --add-email to only match user IDs unambiguously.
- Commands like `sq pki vouch certify` allow designating a user ID
    by email address.  Currently, if multiple self-signed user IDs
    include the specified email address, all are used.  Change the
    semantics of `--email` and --add-email` to only match
    unambiguously.

  - Fixes #309.
2024-11-13 14:29:32 +01:00
Justus Winter
78d8538707
Add sq sign --mode to create binary or text signatures.
- Fixes #390.
2024-11-13 14:08:57 +01:00
Neal H. Walfield
9eb0f0754e
Change --add-userid from a flag to two arguments.
- `sq pki link add`, `sq pki link authorize`, `sq pki vouch
    certify`, and `sq pki vouch authorize` have a `--add-userid` flag.

  - Replace the `--add-userid` flag with an `--add-userid` argument,
    and an `--add-email` argument.

  - This change means that a flag does not change how an argument is
    interpreted.  It also makes it more explicit whether a user ID
    should be added, because `--userid` and `--email` could be given
    multiple times.

  - See #309 and #318.
2024-11-13 13:51:35 +01:00
Neal H. Walfield
267a3d3481
tests: When calling sq pki authenticate include --show-paths.
- When `sq pki authenticate` fails, it is helpful to see as much
    details as possible.  As such, include `--show-paths` when calling
    `sq pki authenticate`.  `--show-paths` shows more information, but
    doesn't change the command's behavior.
2024-11-13 13:19:41 +01:00
Neal H. Walfield
fbd7f260e7
tests: Abstract user ID argument passing.
- Add a new type, `UserIDArg`, which represents a user ID argument.

  - Change functions that take user IDs like `Sq::key_generate` to use
    it.
2024-11-13 13:19:40 +01:00
Justus Winter
82a5f13a96
Drop debugging remnant. 2024-11-13 12:38:05 +01:00
Justus Winter
ee737472da
Require explicit mode, and align sq sign and sq verify.
- The flag `sq sign --detached` is now called `sq sign
     --signature-file`.

   - The flag `sq sign --clearsign` is now called `sq sign
     --cleartext`.

   - Both `sq sign` and `sq verify` now require an explicit mode,
     one of `--signature-file`, `--message`, or `--cleartext`.

   - Fixes #430.
2024-11-13 11:18:25 +01:00
Justus Winter
3e3a9e5096
Make tests less expensive.
- Only write out 30 megabytes, not 100.
2024-11-13 11:18:12 +01:00
Justus Winter
0b562c476e
Remove sq cert lint --list-keys.
- Fixes #316.
2024-11-11 18:30:03 +01:00
Justus Winter
16941dea66
Use only designated signers to verify signatures.
- Previously, the signers cert designators added to the set of certs
    in the store, and marked them as trusted.

  - Change this so that only the designated certs are used to verify
    the signatures, and they are marked as trusted.  This allows
    useful semantics like requiring a signature from a set of
    explicitly provided signers.

  - If no signers are designated, the cert store is consulted.

  - Fixes #248.
2024-11-11 18:27:25 +01:00
Neal H. Walfield
7ecc843dee
Add new command sq download.
- Add a new command, `sq download`, which downloads a file and a
    signature file, and then authenticates the file.

  - Fixes #84.
2024-11-09 13:28:17 +01:00
Neal H. Walfield
ee1c6f3fcf
Add new argument, --cli-version, to require a CLI version.
- Add a new argument, `--cli-version`, which the user can use to
    request a particular semver-compatible version of the CLI.

  - This enables breaking changes to the CLI, and enables `sq` to
    support multiple CLI versions.

  - Fixes #75.
2024-11-08 11:42:18 +01:00
Neal H. Walfield
2ae1885971
Finish renaming attestation to approval.
- See 49b7f25cc4.

  - Fixes #417.
2024-11-07 08:41:44 +01:00
Neal H. Walfield
f139b50f24
Change sq key subkey export to require the certificate to export.
- `sq key subkey export` currently takes a list of keys to export.
    This is ambiguous if a key is associated with multiple certificates.

  - Add a new required parameter, `--cert`, which specifies what
    certificate to export.  The specified keys must be attached to that
    certificate under the NULL policy.

  - This change means that `sq key subkey export` can only export a
    single certificate at a time.

  - As the implementations of `sq key export` and `sq key subkey
    export` have diverged, don't try to consolidate them any more.

  - Fixes #386.
2024-11-06 16:08:02 +01:00
Neal H. Walfield
26c70cad32
Don't extend the expiration of invalid components.
- If a component is not valid according to the policy, don't extend
    the expiration time.  Suggest using `sq cert lint`, and then error
    out.

  - Fixes #363.
2024-11-04 11:26:02 +01:00
Neal H. Walfield
70e4935e8d
Extend Time to support relative timestamps.
- Move the duration parsing code from `Expiration` to `Time`, which
    `Expiration` already uses for absolute timestamps.

  - Support negative durations, and to be more precise rename the
    `Duration` variant to `Offset`.

  - Fixes #268.
2024-11-03 09:09:21 +01:00
Jens Reimann
4f73627020
Add a global option, --policy-as-of, to select a crypto policy.
- When working with older messages, it may be necessary to use a
    different cryptographic policy.  Add an option, `--policy-as-of`, to
    select the cryptographic policy that was in effect at the specified
    time.

  - Fixes #123.

Co-authored-by: Neal H. Walfield <neal@sequoia-pgp.org>
2024-10-31 15:08:55 +01:00