Commit Graph

1246 Commits

Author SHA1 Message Date
Justus Winter
9f5c5ce930
Mark sq keyring filter experimental.
- Invoking it now requires the `--experimental` flag.  This is a
    template that we may use to introduce features into sq with a bit
    of a chance to stabilize it over time.

  - Fixes #455.
2024-11-27 17:27:04 +01:00
Justus Winter
1d23ae8a5b
Update MSRV to 1.79, which is subplot's current MSRV.
- Fixes #460.
2024-11-27 16:39:13 +01:00
Justus Winter
4b3f2c97ad
Add a configuration file and associated management commands.
- Add a configuration file for sq, and sq config get to
    programmatically query configuration values, and sq config template
    to create a template as a starting point for a custom configuration
    file.

  - As a first step, the following things have been made configurable:

    - The cipher suite for key generation.
    - The set of keyservers.
    - The cryptographic policy, which can be sourced from an external
      file as well as modified inline.

  - If there is no configuration file, sq config template can be used to
    create a template for the user to modify.

  - If a default has been overridden using the configuration file,
    sq's --help output is augmented with the configured value.
2024-11-27 15:26:36 +01:00
Justus Winter
3b1bd79195
Align user ID designators in sq pki {link,vouch} {add,authorize}.
- Align user ID designators across these four commands.  Previously,
    `--all` was implied for the authorize commands if no user ID
    designator was given.

  - However, this is problematic for the following reasons:

    - First, it is inconsistent across the commands.

    - Second, while CAs can add any name to their cert because they
      are CAs, those certifications are subject to constraints, such
      as domain constraints, or the amount.  But, the link we add
      fully authenticates the current user IDs, which may not be what
      the user wants, so it should require explicit consent.

    - Third, making this implicit again is easier than going from
      implicit to explicit, which breaks existing users.

  - Fixes #442.
2024-11-27 13:33:30 +01:00
Justus Winter
1c6bf5d6fd
Require self-signed user IDs when publishing certs in a WKD.
- Fixes #449.
2024-11-27 11:36:32 +01:00
Justus Winter
7b2be4d93c
Update sequoia-keystore to 0.6.2.
- Fixes #458.
2024-11-26 20:50:52 +01:00
Justus Winter
f55015ab77
Remove argument sq key subkey export --cert-file.
- This doesn't work, and it is of questionable use.  Also, `sq key
    export` doesn't have `--cert-file` either.

  - Fixes #464.
2024-11-26 19:49:16 +01:00
Neal H. Walfield
8072a9f8e6
Fix message. 2024-11-26 13:59:23 +01:00
Justus Winter
a47da3ac33
Remove argument sq cert lint --export-secret-keys.
- If a secret key is provided as file input, it will be emitted.
    This makes it consistent with what other commands do.

  - Fixes #448.
2024-11-25 15:30:58 +01:00
Neal H. Walfield
be5b1f7103
Change sq pki link retract to use the NULL policy.
- Change `sq pki link retract` to use the NULL policy when resolving
    user IDs.  It's safer to retract a link for a user ID than to
    refuse.
2024-11-24 22:01:06 +01:00
Neal H. Walfield
4763cfef48
Improve hint. 2024-11-23 20:38:34 +01:00
Neal H. Walfield
bfc843bc52
To revoke a user ID, require the cert be valid under the current policy.
- Change `sq key userid revoke` to require the certificate be valid
    under the current policy.  If the certificate is not valid under
    the current policy, the user should revoke the whole certificate,
    or fix it using `sq cert lint` after verifying the certificate's
    integrity.  If the certificate is valid under the current policy,
    but the user ID to revoke isn't, it can still be revoked using
    `--userid-or-add`.

  - See #375.
2024-11-23 20:38:21 +01:00
Neal H. Walfield
99ad920c43
Improve message when a certificate can't be used for encryption.
- Improve the error message that `sq encrypt` emits when it can't
    use a certificate for encryption.
2024-11-23 14:51:10 +01:00
Neal H. Walfield
c51e657fcc
tests: Add more tests for sq encrypt. 2024-11-23 12:15:17 +01:00
Neal H. Walfield
258394678f
Don't use revoked certificates for encryption.
- Change `sq encrypt` to not use revoked certificates.
2024-11-23 12:14:56 +01:00
Neal H. Walfield
9835714dbd
Improve sq key password's output.
- When prompting to unlock a key, show the key's fingerprint, the
    key's creation time, and its key flags.  Don't show the
    certificate's fingerprint.  That's constant.

  - When we actually change a password, show a message, which can be
    silenced with `--quiet`.
2024-11-22 18:19:05 +01:00
Neal H. Walfield
d5c4c50326
Make sq key password change the password of weakly bound keys.
- Change `sq key password` to also change the password of keys that
    are weakly bound.  Users are likely to be more surprised when a
    password is not changed.
2024-11-22 17:47:41 +01:00
Neal H. Walfield
493ab3ab31
tests: Add tests for sq key password. 2024-11-22 17:20:17 +01:00
Neal H. Walfield
0c5e0c9487
Improve how sq key delete handles ambiguous associations.
- Change `sq key delete` to fail if a key is associated with
    multiple certificates.

  - Fixes #457.
2024-11-22 16:03:20 +01:00
Neal H. Walfield
569a5fa5f9
Change sq key {delete,password} to work with more certificates.
- `sq key delete` and `sq key password` fail if any of the keys are
    missing secret key material.

  - Change them to work with the available secret key material.  (But
    if there is none, still fail.)
2024-11-22 16:01:38 +01:00
Neal H. Walfield
faa350b694
Change sq key delete to refuse to work with weakly bound subkeys.
- `sq key delete` deletes all secret key material associated with a
    certificate.  Of course, we don't want to delete secret key
    material that we are not confident belongs to the certificate.

  - Imagine Alice creates a new certificate.  Mallory see this, and
    anticipates that she is going to delete the old certificate.  He
    attaches her new encryption-capable subkey to the old certificate
    using some weak cryptography, publishes it, and then Alice gets
    the update to her old certificate via parcimonie.  When she
    deletes the secret key material associated with the old
    certificate, she would also delete her new secret key material.
    Ouch!  Admittedly, this attack is a bit contrived.

  - Alternatively, we could skip subkeys whose bindings rely on
    weak cryptography.  This behavior would probably surprise most
    users.  It could have serious consequences as well, since the
    user thought they deleted the secret key material, but didn't.

  - Instead, we are conservative: if a subkey's binding signature
    relies on weak cryptography AND we have secret key material for
    it, we abort, and suggest using `sq key subkey delete` instead.

  - See #375 and #457.
2024-11-22 16:01:02 +01:00
Justus Winter
df23d2bb25
Update to subplot 0.11.0.
- Fixes #158.
2024-11-21 17:28:01 +01:00
Justus Winter
574edf61bb
Fix hint. 2024-11-21 16:58:02 +01:00
Justus Winter
7eac986d5f
Improve documentation. 2024-11-21 16:56:50 +01:00
Justus Winter
fea18da98d
New mandatory switches sq key generate <--own-key|--shared-key>.
- When generating keys, either `--own-key` or `--shared-key` has to
    be given.  The former marks the key's user IDs as authenticated
    and makes it a trusted introducer.  The latter marks the key's
    user IDs as authenticated, and marks the key as a group key.

  - Fixes #452.
2024-11-21 16:36:39 +01:00
Justus Winter
6e0e4fb502
Improve status messages when publishing a WKD. 2024-11-21 15:57:40 +01:00
Justus Winter
a77389a51c
Fix copying the policy file if no updates happened. 2024-11-21 15:57:40 +01:00
Justus Winter
15c687af00
Make sq network wkd publish work without a cert store.
- Fixes #453.
2024-11-21 15:57:40 +01:00
Neal H. Walfield
4a5ce6603c
Change sq key subkey {password,delete} to work with weak bindings.
- Currently, it is not possible to delete secret key material that
    is only associated with a certificate that is not valid under the
    current policy.  The same goes for changing the password protecting
    the secret key material.

  - Users shouldn't have to first update a key's binding signature to
    delete it, or change its password.

  - Change `sq key subkey delete` and `sq key subkey password` to use
    the null policy.  This is not a security concern, because even if
    the binding signature is weak, both the certificate and the key
    are explicitly named.

  - See #375
2024-11-21 12:14:24 +01:00
Justus Winter
c37bfe5e7b
Rename --notation to --signature-notation.
- This aligns with `sq encrypt --signature-notation` and makes it
    clearer that notations are being put on signatures.

  - Fixes #454.
2024-11-21 11:38:59 +01:00
Justus Winter
7753d92f13
Add sq encrypt --signature-notation.
- This adds any relevant flags to `sq encrypt` that are present in
    `sq sign`.

  - Fixes #450.
2024-11-20 17:47:18 +01:00
Justus Winter
add58a88ac
Fix examples.
- Fixes 1989acaf7a.
2024-11-20 17:32:38 +01:00
Justus Winter
1989acaf7a
Add missing examples for the network commands.
- Except for `sq version`, and the intermediate subcommands (like
    `sq cert`), all commands now have examples.

  - Fixes #196.
2024-11-20 16:53:09 +01:00
Justus Winter
356781e535
Add a builder-style interface to the example framework.
- Also, port the examples for `sq cert export` over, and thin them
    out a little (see #451).
2024-11-20 16:42:43 +01:00
Justus Winter
797ab7a003
Certify newly created keys with a per-host shadow CA.
- This tracks the origin, like we do when we download certificates
    over the network.

  - This also has the benefit that newly created keys also show up in
    the cert listing.

  - Fixes #377.
2024-11-20 14:13:52 +01:00
Justus Winter
23f4e9150e
Differentiate the help texts for --notation slightly. 2024-11-20 13:54:37 +01:00
Neal H. Walfield
e9155823e7
Fix sq cert lint.
- If there are no certificate designators, we add one for stdin.

  - Do this before we inspect the certificate designators.
2024-11-20 13:34:29 +01:00
Neal H. Walfield
5cc0115b9c
Check for the cert / key store before doing work.
- Some commands only access the cert or key store after they do a
    lot of work.  If the cert or key store is disabled, this is
    annoying.

  - Change `sq key generate`, `sq cert import`, `sq network search`,
    `sq network keyserver search`, `sq network wkd search`, and `sq
    network dane search` to error out early if they will save
    something to the key store or the certificate, and it is disabled.

  - Fixes #264.
2024-11-20 13:32:34 +01:00
Neal H. Walfield
b89041d9d6
Improve no cert store / no key store error messages.
- When there is no certificate or key store, but the command
    requires it, return use a `clap::Error` instead of an
    `anyhow::Error` so that the error is formatted better.
2024-11-20 13:26:15 +01:00
Neal H. Walfield
ecfc6711c2
Catch clap errors, and display them better.
- If a command returns a `clap:Error`, format it using clap's
    formatter.
2024-11-20 13:22:51 +01:00
Justus Winter
6688e0a6d7
Rename sq pki vouch certify to sq pki vouch add.
- This makes it consistent with `sq pki link add` and all the other
    commands that add components to certs.

  - Fixes #433.
2024-11-20 12:00:23 +01:00
Justus Winter
c4bfad0d15
Make sq key import read from stdin if no files are given.
- This aligns the behavior with `sq cert import`.

  - Fixes #445.
2024-11-20 10:34:41 +01:00
Justus Winter
5ed656b789
Move the CLI parser for sq key import to its own module. 2024-11-20 10:22:51 +01:00
Devan Carpenter
da9afcb242
update container examples in readme 2024-11-20 02:12:26 +00:00
Devan Carpenter
f499cc1ddf
make container a single-user environment
this simplifies permissions wrangling when bind mounting to host.
rootless podman is a preferred OCI runtime to docker, wherein superuser
within a container is simulated and not a security concern.
2024-11-20 02:07:59 +00:00
Devan Carpenter
8b49656c74
add dockerignore file
this helps prevent cache poisoning, reducing uncessesary rebuilds
2024-11-20 02:07:59 +00:00
Devan Carpenter
c08c5653cc
add bash completion and manpages to container 2024-11-20 02:07:59 +00:00
Devan Carpenter
864e37ac6c
improve OCI compatibility of Containerfile 2024-11-20 01:37:41 +00:00
Devan Carpenter
84314d4bfa
rename Dockerfile to vendor-neutral Containerfile
Aiming for OCI compatibility, not vendor-lockin

https://lists.podman.io/archives/list/podman@lists.podman.io/thread/DXJBNFCQETRX5M2HQR7IQ4TIMZAK7FG7/
2024-11-20 01:37:40 +00:00
Neal H. Walfield
ebea842729
Change sq network wkd generate to avoid unnecessary churn.
- When updating a WKD in `sq network wkd generate`, if a certificate
    is not changed, don't insert it.

  - If no certificates changed, and none were inserted, then don't
    bother copying the WKD back.
2024-11-19 17:56:16 +01:00