Commit Graph

63 Commits

Author SHA1 Message Date
Levente Polyak
92f07f0d4b
feature(keyringctl): use sq to split a keyring into individual certificates
Lets use sequoia as well to split an input into individual certificates
instead of creating a custom made function for this job.

Pass down the name of the original input file to `convert_certificate`
in case no override has been defined.
2021-11-30 22:54:06 +01:00
David Runge
5170319717
keyringctl: Add documentation to all functions
keyringctl:
Add documentation to all functions.
Change the inlined functions `convert()` and `alphanum_key()` in
`natural_sort_path()` to rely on type Union[int, str] instead of type
Any.
Change `convert_certificate()` to derive the username using the stem of
the provided certificate.
2021-11-30 22:54:06 +01:00
David Runge
5320f2491e
keyringctl: Implement export of ownertrust/ revoker status
keyringctl:
Add `temp_join_keys()` to generically join PGP packets in a directory
below a temporary directory.
Add `get_all_and_revoked_certs()` to retrieve a tuple containing a list
of all public key fingerprints and a list of all self-revoked public key
fingerprints in a list of paths.
Add `export_ownertrust()` to export a list of fingerprints of
non-revoked public keys to a file that can be imported using `gpg
--import-ownertrust`.
Add `export_revoked()` to export the fingerprints of all self-revoked
public keys and the fingerprints of public keys that have been revoked
by third party signing keys (the latter is still fairly naive).
Change `export_keyring()` to make use of `temp_join_keys()` for
preparing main signing keys and general keys for the export to file. Add
integration for exporting ownertrust and revoker status (using
`export_ownertrust()` and `export_revoked()`, respectively).
Change `__main__` by extending the export_parser by a `-m`/ `--main`
argument to provide one or multiple files or directories, that serve as
the signing authority for key material located below `-s`/ `--source`.
Add a `-p`/ `--pacman-integration` to provide the means to export
ownertrust and revoker status on demand.
2021-11-30 22:54:06 +01:00
David Runge
3c31230eb2
keyringctl: Write User IDs to separate files
keyringctl:
Add `persist_uids()` to write User ID related packets: User-ID and
PositiveCertifications (UID binding signatures).
Rename `persist_basic_key()` to `persist_public_key()` and change it to
only persist the PublicKey packet.
Change `persist_{certifications,revocations}()` to persist the
certificates to a key-specific 'uids' subdirectory per PublicKey.
Change `convert_certificate()` to rename `uid_binding_sig` to
`uid_bind_sigs`. Simplify the logic for signature related data
assignments.
2021-11-30 22:54:06 +01:00
David Runge
7e04c50a16
keyringctl: Split out subkeys to separate structure
keyringctl:
Add `persist_subkeys()` and `persist_subkey_revocations()` to persist
the Public-Subkeys and the SubkeyRevocations of a root key out into a
dedicated directory structure below the respective Public-Key.
Change `persist_basic_key()` to not persist the Public-Subkeys and
SubkeyRevocations of a root key anymore and to output debug information
before writing to file.
Change `convert_certificate()` to refer to Public-Subkeys and
PublicSubkeyBinding as `subkeys` and `subkey_binding_sigs`
(respectively) and to explicitly refer to the main certificate
fingerprint when aggregating the data about them. Add
`subkey_revocations` to track any SubkeyRevocations of a given
Public-Subkey, so that it can be persisted to file.
2021-11-30 22:54:06 +01:00
David Runge
c4fbd95041
keyringctl: Add writing to keyring output file
keyringctl:
Change `packet_join()` to add documentation and a `force` parameter with
which sq's force parameter may be toggled (defaults to False).
Add `export_keyring()` to allow writing all provided PGP packet files to
a single output file using `sq keyring merge`.
Change `__main__` to add an `export` subcommand to allow for providing
multiple input sources and one output file. Add an optional `-f/--force`
parameter that can be used to force subcommands that support it. Remove
the unused `start_dir` variable. Move the creation of `target_dir` below
the context that creates the working directory and only create it when
using the `convert` or `import` subcommands (as it is not used
otherwise).
Call `export_keyring()` when using the `export` subcommand.
2021-11-30 22:54:05 +01:00
David Runge
7f7c2f13f0
keyringctl: Deal with multi-certificate per user files
keyringctl:
Add `sanitize_certificate_file()` to potentially split per-user input
files that contain more than one certificate.
Change `packet_split()` to add documentation and rename the key
parameter to certificate, as it is more generic.
Change `convert_certificate()` to use named parameters when calling
`packet_split()`.
Change `convert()` to call `convert_certificate()` on a list of
sanitized certificates (generated using `sanitized_certificate_file()`)
to be able to deal with multi-certificate files per user.
2021-11-30 22:54:05 +01:00
David Runge
cb8e827112
keyringctl: Copy files instead of moving them
keyringctl:
Change `__main__` to create the `target_dir` before calling any further
function that relies on it.
Change `convert()` to require the `target_dir` to be not None and to
create all username based target directories before using
`shutil.copytree()` to copy all sources to their respective target
directories when iterating over the paths to persist. This has the
upside, that updates to a target directory structure can be done on the
fly (overwriting existing data), which is not possible with
`shutil.move()`.
2021-11-30 22:54:05 +01:00
David Runge
a5be572136
keyringctl: Derive output dir from file and allow override
keyringctl:
Change `convert_certificates()` to use a more descriptive
`name_override` parameter in its signature to allow the overriding of
the username directory name into which key material is persisted.
Distinguish between the per-username directory and the eventual key
material directory. Instead of the key directory return the username
directory.
Change the `persist*` functions to use the `key_dir` instead of the
`root_dir` terminology as well.

Change `convert()` to optionally allow a `name_override` as well and use
that in the calls to `convert_certificate()`. Make the moving of files
more robust, by at least allowing to move the per-key directories for a
username, if the username target directory exists already. NOTE: This
needs expansion for the use-case where existing files should be
updated/extended by new files.

Add an additional argument to the 'convert' argparse parser to allow
users to override the target username directory name.
2021-11-30 22:54:05 +01:00
David Runge
40761f44a7
keyringctl: Add handling of KeyRevocations
keyringctl:
Change `persist_direct_sigs()` to track a sig_type parameter in its
signature so that the output directory of the direct signatures can be
altered.
Change `convert_certificate()` to set a `direct_revocations` variable,
that is used to track KeyRevocations for root keys. Extend the logic to
make use of `add_packet_to_direct_sigs()` to set a list of
KeyRevocations for a given root key. Eventually call
`persist_direct_sigs()` with `direct_revocations` and a custom
`sig_type` to persist the revocation certificates.
2021-11-30 22:54:05 +01:00
David Runge
a77b334859
keyringctl: Persist direct signatures generically
keyringctl:
Rename `persist_direct_keys()` to `persist_direct_sigs()` as it is now
not only handling the persistence of DirectKeys but also *Certifications
directly on a root key (those without an explicit User ID).
Add inline function `add_packet_to_direct_sigs()` to
`convert_certificate()` to generically add direct signatures on a root
key, grouped by issuer.
Change `convert_certificate()` to add Certifications on a root key
(without a specified User ID) to the list of direct_sigs, so that they
are persisted alongside any existing DirectKeys.
Remove breakpoints from `persist_certifications()` as they are no longer
reached. The function is now solely used for Certifications on User IDs.
2021-11-30 22:54:05 +01:00
David Runge
0d32d2f00a
keyringctl: Dedicated functions for writing to file
keyringctl:
Add `persist_basic_key()`, `persist_direct_keys()`,
`persist_certifications()` and `persist_revocations()` to allow for
dedicated writing of basic key material, direct key signatures,
per UID certificates and per UID revocations (respectively).
Change `convert_certificate()` to call the new dedicated write functions
instead of implementing the functionality.
Change `convert_certificate()` to raise on missing current_packet_key
when trying to work on signature files (this is unlikely to occur,
unless the input data is somehow broken, but it keeps the linter happy).
Change `convert_certificate()` to handle direct_keys by issuer on a
given root key (DirectKey signatures by the same issuer are combined).
Change the argparse subparser for the 'convert' command to include a
help text.
2021-11-30 22:54:05 +01:00
Levente Polyak
f626e40b84
feature(keyringctl): add tool to work with key data 2021-11-30 22:54:05 +01:00