27093c1709
- Support using keys managed by `sequoia-keystore`. - When decrypting a message, have `sq` automatically ask the key store to decrypt the PKESKs. - Extend `sq sign` and `sq encrypt` with the `--signer-key` parameter to use a key managed by the keystore. - Add two top-level options: `--no-key-store`, which disables the use of the key store, and `--key-store`, which uses an alternate key store instance. - Add `sq key list` to list keys on the key store.
422 lines
15 KiB
Rust
422 lines
15 KiB
Rust
use assert_cmd::Command;
|
|
use tempfile::TempDir;
|
|
|
|
use sequoia_openpgp as openpgp;
|
|
use openpgp::KeyHandle;
|
|
use openpgp::Result;
|
|
use openpgp::cert::prelude::*;
|
|
use openpgp::parse::Parse;
|
|
|
|
mod integration {
|
|
use super::*;
|
|
|
|
#[test]
|
|
fn sq_encrypt_using_cert_store() -> Result<()>
|
|
{
|
|
let dir = TempDir::new()?;
|
|
|
|
let certd = dir.path().join("cert.d").display().to_string();
|
|
std::fs::create_dir(&certd).expect("mkdir works");
|
|
let key_pgp = dir.path().join("key.pgp").display().to_string();
|
|
|
|
// Generate a key.
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"key", "generate",
|
|
"--expiry", "never",
|
|
"--userid", "<alice@example.org>",
|
|
"--output", &key_pgp]);
|
|
cmd.assert().success();
|
|
|
|
let cert = Cert::from_file(&key_pgp)?;
|
|
|
|
// Try to encrypt a message. This should fail, because we
|
|
// haven't imported the key.
|
|
for kh in cert.keys().map(|ka| KeyHandle::from(ka.fingerprint()))
|
|
.chain(cert.keys().map(|ka| KeyHandle::from(ka.keyid())))
|
|
{
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"encrypt",
|
|
"--recipient-cert",
|
|
&kh.to_string()])
|
|
.write_stdin("a secret message")
|
|
.assert().failure();
|
|
}
|
|
|
|
// Import the key.
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"cert", "import", &key_pgp]);
|
|
cmd.assert().success();
|
|
|
|
const MESSAGE: &str = "\na secret message\n\nor two\n";
|
|
|
|
// Now we should be able to encrypt a message to it, and
|
|
// decrypt it.
|
|
for kh in cert.keys().map(|ka| KeyHandle::from(ka.fingerprint()))
|
|
.chain(cert.keys().map(|ka| KeyHandle::from(ka.keyid())))
|
|
{
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"encrypt",
|
|
"--recipient-cert",
|
|
&kh.to_string()])
|
|
.write_stdin(MESSAGE);
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
assert!(output.status.success(),
|
|
"encryption succeeds for {}\nstdout:\n{}\nstderr:\n{}",
|
|
kh, stdout, stderr);
|
|
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["decrypt",
|
|
"--recipient-file",
|
|
&key_pgp])
|
|
.write_stdin(stdout.as_bytes());
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
assert!(output.status.success(),
|
|
"decryption succeeds for {}\nstdout:\n{}\nstderr:\n{}",
|
|
kh, stdout, stderr);
|
|
}
|
|
|
|
Ok(())
|
|
}
|
|
|
|
#[test]
|
|
fn sq_encrypt_recipient_userid() -> Result<()>
|
|
{
|
|
let dir = TempDir::new()?;
|
|
|
|
let certd = dir.path().join("cert.d").display().to_string();
|
|
std::fs::create_dir(&certd).expect("mkdir works");
|
|
|
|
let alice_pgp = dir.path().join("alice.pgp").display().to_string();
|
|
let bob_pgp = dir.path().join("bob.pgp").display().to_string();
|
|
|
|
// Generate the keys.
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"key", "generate",
|
|
"--expiry", "never",
|
|
"--userid", "<alice@example.org>",
|
|
"--output", &alice_pgp]);
|
|
cmd.assert().success();
|
|
let alice = Cert::from_file(&alice_pgp)?;
|
|
|
|
let bob_userids = &[
|
|
"<bob@some.org>",
|
|
"Bob <bob@other.org>",
|
|
"<bob@other.org>",
|
|
];
|
|
let bob_emails = &[
|
|
"bob@some.org",
|
|
"bob@other.org",
|
|
];
|
|
|
|
let bob_certified_userids = &[
|
|
"Bob <bob@other.org>",
|
|
];
|
|
let bob_certified_emails = &[
|
|
"bob@other.org",
|
|
];
|
|
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"key", "generate",
|
|
"--expiry", "never",
|
|
"--output", &bob_pgp]);
|
|
for userid in bob_userids.iter() {
|
|
cmd.args(["--userid", userid]);
|
|
}
|
|
cmd.assert().success();
|
|
let bob = Cert::from_file(&bob_pgp)?;
|
|
|
|
// Import the certificates.
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"cert", "import", &alice_pgp]);
|
|
cmd.assert().success();
|
|
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"cert", "import", &bob_pgp]);
|
|
cmd.assert().success();
|
|
|
|
const MESSAGE: &[u8] = &[0x42; 24 * 1024 + 23];
|
|
let encrypt = |trust_roots: &[&str],
|
|
recipients: &[(&str, &str)],
|
|
decryption_keys: &[&str]|
|
|
{
|
|
let mut cmd = Command::cargo_bin("sq").unwrap();
|
|
cmd.args(["--cert-store", &certd]);
|
|
for trust_root in trust_roots {
|
|
cmd.args(["--trust-root", trust_root]);
|
|
}
|
|
cmd.arg("encrypt");
|
|
|
|
// Make a string for debugging.
|
|
let mut cmd_display = "sq encrypt".to_string();
|
|
|
|
for (option, recipient) in recipients.iter() {
|
|
cmd.args([option, recipient]);
|
|
|
|
cmd_display.push_str(" ");
|
|
cmd_display.push_str(option);
|
|
cmd_display.push_str(" ");
|
|
cmd_display.push_str(recipient);
|
|
}
|
|
cmd.write_stdin(MESSAGE);
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
|
|
if decryption_keys.is_empty() {
|
|
assert!(! output.status.success(),
|
|
"'{}' should have failed\nstdout:\n{}\nstderr:\n{}",
|
|
cmd_display, stdout, stderr);
|
|
} else {
|
|
assert!(output.status.success(),
|
|
"'{}' should have succeeded\nstdout:\n{}\nstderr:\n{}",
|
|
cmd_display, stdout, stderr);
|
|
|
|
for key in decryption_keys.iter() {
|
|
let mut cmd = Command::cargo_bin("sq").unwrap();
|
|
cmd.args(["--no-cert-store",
|
|
"--no-key-store",
|
|
"decrypt",
|
|
"--recipient-file",
|
|
&key])
|
|
.write_stdin(stdout.as_bytes());
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
assert!(output.status.success(),
|
|
"'{}' decryption should succeed\nstdout:\n{}\nstderr:\n{}",
|
|
cmd_display, stdout, stderr);
|
|
}
|
|
}
|
|
};
|
|
|
|
// Encryption by fingerprint should work.
|
|
encrypt(&[],
|
|
&[("--recipient-cert", &bob.fingerprint().to_string())],
|
|
&[&bob_pgp]);
|
|
|
|
// Encryption by email address and user id should fail if the
|
|
// binding can't be authenticated.
|
|
for email in bob_emails.iter() {
|
|
encrypt(&[],
|
|
&[("--recipient-email", email)],
|
|
&[]);
|
|
}
|
|
for userid in bob_userids.iter() {
|
|
encrypt(&[],
|
|
&[("--recipient-userid", userid)],
|
|
&[]);
|
|
}
|
|
|
|
// Alice certifies Bob's certificate.
|
|
for userid in bob_certified_userids {
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"pki", "certify", &alice_pgp, &bob_pgp, userid]);
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
|
|
assert!(output.status.success(),
|
|
"'sq pki certify {} ...' should have succeeded\
|
|
\nstdout:\n{}\nstderr:\n{}",
|
|
userid, stdout, stderr);
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"cert", "import"])
|
|
.write_stdin(stdout.as_bytes());
|
|
cmd.assert().success();
|
|
}
|
|
|
|
// Still don't use a trust root. This should still fail.
|
|
for email in bob_emails.iter() {
|
|
encrypt(&[],
|
|
&[("--recipient-email", email)],
|
|
&[]);
|
|
}
|
|
for userid in bob_userids.iter() {
|
|
encrypt(&[],
|
|
&[("--recipient-userid", userid)],
|
|
&[]);
|
|
}
|
|
|
|
// Make Alice the trust root. This should succeed.
|
|
for email in bob_emails.iter() {
|
|
if bob_certified_emails.contains(email) {
|
|
encrypt(&[&alice.fingerprint().to_string()],
|
|
&[("--recipient-email", email)],
|
|
&[ &bob_pgp ]);
|
|
} else {
|
|
encrypt(&[&alice.fingerprint().to_string()],
|
|
&[("--recipient-email", email)],
|
|
&[]);
|
|
}
|
|
}
|
|
for userid in bob_userids.iter() {
|
|
if bob_certified_userids.contains(userid) {
|
|
encrypt(&[&alice.fingerprint().to_string()],
|
|
&[("--recipient-userid", userid)],
|
|
&[ &bob_pgp ]);
|
|
} else {
|
|
encrypt(&[&alice.fingerprint().to_string()],
|
|
&[("--recipient-userid", userid)],
|
|
&[]);
|
|
}
|
|
}
|
|
|
|
// Make Bob a trust root. This should succeed for all
|
|
// self-signed user ids.
|
|
for email in bob_emails.iter() {
|
|
encrypt(&[&bob.fingerprint().to_string()],
|
|
&[("--recipient-email", email)],
|
|
&[&bob_pgp]);
|
|
}
|
|
for userid in bob_userids.iter() {
|
|
encrypt(&[&bob.fingerprint().to_string()],
|
|
&[("--recipient-userid", userid)],
|
|
&[&bob_pgp]);
|
|
}
|
|
|
|
Ok(())
|
|
}
|
|
|
|
// Encrypt a message to two recipients: one whose certificate is
|
|
// in the certificate store, and one whose certificated is in a
|
|
// keyring.
|
|
#[test]
|
|
fn sq_encrypt_keyring() -> Result<()>
|
|
{
|
|
let dir = TempDir::new()?;
|
|
|
|
let certd = dir.path().join("cert.d").display().to_string();
|
|
std::fs::create_dir(&certd).expect("mkdir works");
|
|
|
|
let alice_pgp = dir.path().join("alice.pgp").display().to_string();
|
|
let bob_pgp = dir.path().join("bob.pgp").display().to_string();
|
|
|
|
// Generate the keys.
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"key", "generate",
|
|
"--expiry", "never",
|
|
"--userid", "<alice@example.org>",
|
|
"--output", &alice_pgp]);
|
|
cmd.assert().success();
|
|
let alice = Cert::from_file(&alice_pgp)?;
|
|
let alice_fpr = alice.fingerprint().to_string();
|
|
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"key", "generate",
|
|
"--expiry", "never",
|
|
"--userid", "<bob@example.org>",
|
|
"--output", &bob_pgp]);
|
|
cmd.assert().success();
|
|
let bob = Cert::from_file(&bob_pgp)?;
|
|
let bob_fpr = bob.keyid().to_string();
|
|
|
|
const MESSAGE: &[u8] = &[0x42; 24 * 1024 + 23];
|
|
let encrypt = |keyrings: &[&str],
|
|
recipients: &[&str],
|
|
decryption_keys: &[&str]|
|
|
{
|
|
let mut cmd = Command::cargo_bin("sq").unwrap();
|
|
cmd.args(["--cert-store", &certd]);
|
|
|
|
// Make a string for debugging.
|
|
let mut cmd_display = "sq".to_string();
|
|
|
|
for keyring in keyrings.iter() {
|
|
cmd.args(["--keyring", keyring]);
|
|
|
|
cmd_display.push_str(" --keyring ");
|
|
cmd_display.push_str(keyring);
|
|
}
|
|
|
|
cmd_display.push_str(" encrypt");
|
|
cmd.arg("encrypt");
|
|
|
|
for recipient in recipients.iter() {
|
|
cmd.args(["--recipient-cert", recipient]);
|
|
|
|
cmd_display.push_str(" --recipient-cert ");
|
|
cmd_display.push_str(recipient);
|
|
}
|
|
cmd.write_stdin(MESSAGE);
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
|
|
if decryption_keys.is_empty() {
|
|
assert!(! output.status.success(),
|
|
"'{}' should have failed\nstdout:\n{}\nstderr:\n{}",
|
|
cmd_display, stdout, stderr);
|
|
} else {
|
|
assert!(output.status.success(),
|
|
"'{}' should have succeeded\nstdout:\n{}\nstderr:\n{}",
|
|
cmd_display, stdout, stderr);
|
|
|
|
for key in decryption_keys.iter() {
|
|
let mut cmd = Command::cargo_bin("sq").unwrap();
|
|
cmd.args(["--no-cert-store",
|
|
"--no-key-store",
|
|
"decrypt",
|
|
"--recipient-file",
|
|
&key])
|
|
.write_stdin(stdout.as_bytes());
|
|
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
assert!(output.status.success(),
|
|
"'{}' decryption should succeed\nstdout:\n{}\nstderr:\n{}",
|
|
cmd_display, stdout, stderr);
|
|
}
|
|
}
|
|
};
|
|
|
|
encrypt(&[&alice_pgp, &bob_pgp],
|
|
&[&alice_fpr, &bob_fpr],
|
|
&[&alice_pgp, &bob_pgp]);
|
|
|
|
// Import Alice's certificate.
|
|
let mut cmd = Command::cargo_bin("sq")?;
|
|
cmd.args(["--cert-store", &certd,
|
|
"cert", "import", &alice_pgp]);
|
|
let output = cmd.output().expect("success");
|
|
let stdout = String::from_utf8_lossy(&output.stdout);
|
|
let stderr = String::from_utf8_lossy(&output.stderr);
|
|
assert!(output.status.success(),
|
|
"sq import should succeed\nstdout:\n{}\nstderr:\n{}",
|
|
stdout, stderr);
|
|
|
|
encrypt(&[&alice_pgp, &bob_pgp],
|
|
&[&alice_fpr, &bob_fpr],
|
|
&[&alice_pgp, &bob_pgp]);
|
|
|
|
encrypt(&[&bob_pgp],
|
|
&[&alice_fpr, &bob_fpr],
|
|
&[&alice_pgp, &bob_pgp]);
|
|
|
|
|
|
Ok(())
|
|
}
|
|
}
|