keyfork-shard: homogenize function signatures, start work on decrypt_one()
This commit is contained in:
parent
726670fe96
commit
2670cf63a3
|
@ -232,8 +232,8 @@ fn decode_metadata_v1(buf: &[u8]) -> Result<(u8, Cert, Vec<Cert>)> {
|
||||||
// single message.
|
// single message.
|
||||||
fn decrypt_with_manager(
|
fn decrypt_with_manager(
|
||||||
threshold: u8,
|
threshold: u8,
|
||||||
certs: &[Cert],
|
|
||||||
messages: &mut HashMap<KeyID, EncryptedMessage>,
|
messages: &mut HashMap<KeyID, EncryptedMessage>,
|
||||||
|
certs: &[Cert],
|
||||||
policy: NullPolicy,
|
policy: NullPolicy,
|
||||||
manager: &mut SmartcardManager,
|
manager: &mut SmartcardManager,
|
||||||
) -> Result<HashMap<KeyID, Vec<u8>>> {
|
) -> Result<HashMap<KeyID, Vec<u8>>> {
|
||||||
|
@ -276,10 +276,10 @@ fn decrypt_with_manager(
|
||||||
// NOTE: When using single-decryptor mechanism, only a single key should be provided in Keyring to
|
// NOTE: When using single-decryptor mechanism, only a single key should be provided in Keyring to
|
||||||
// decrypt messages with.
|
// decrypt messages with.
|
||||||
fn decrypt_with_keyring(
|
fn decrypt_with_keyring(
|
||||||
|
messages: &mut HashMap<KeyID, EncryptedMessage>,
|
||||||
certs: &[Cert],
|
certs: &[Cert],
|
||||||
policy: &NullPolicy,
|
policy: &NullPolicy,
|
||||||
keyring: &mut Keyring,
|
keyring: &mut Keyring,
|
||||||
messages: &mut HashMap<KeyID, EncryptedMessage>,
|
|
||||||
) -> Result<HashMap<KeyID, Vec<u8>>, Error> {
|
) -> Result<HashMap<KeyID, Vec<u8>>, Error> {
|
||||||
let mut decrypted_messages = HashMap::new();
|
let mut decrypted_messages = HashMap::new();
|
||||||
|
|
||||||
|
@ -309,6 +309,53 @@ fn decrypt_with_keyring(
|
||||||
Ok(decrypted_messages)
|
Ok(decrypted_messages)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn decrypt_metadata(
|
||||||
|
message: &EncryptedMessage,
|
||||||
|
policy: &NullPolicy,
|
||||||
|
keyring: &mut Keyring,
|
||||||
|
manager: &mut SmartcardManager,
|
||||||
|
) -> Result<Vec<u8>> {
|
||||||
|
Ok(if keyring.is_empty() {
|
||||||
|
manager.load_any_card()?;
|
||||||
|
message.decrypt_with(policy, manager)?
|
||||||
|
} else {
|
||||||
|
message.decrypt_with(policy, keyring)?
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
|
fn decrypt_one(
|
||||||
|
messages: Vec<EncryptedMessage>,
|
||||||
|
keyring: &mut Keyring,
|
||||||
|
manager: &mut SmartcardManager,
|
||||||
|
metadata: EncryptedMessage,
|
||||||
|
) -> Result<Vec<u8>> {
|
||||||
|
let policy = NullPolicy::new();
|
||||||
|
|
||||||
|
let content = decrypt_metadata(&metadata, &policy, &mut *keyring, &mut *manager)?;
|
||||||
|
|
||||||
|
let (_threshold, root_cert, certs) = decode_metadata_v1(&content)?;
|
||||||
|
|
||||||
|
keyring.set_root_cert(root_cert.clone());
|
||||||
|
manager.set_root_cert(root_cert);
|
||||||
|
|
||||||
|
let mut messages: HashMap<KeyID, EncryptedMessage> =
|
||||||
|
HashMap::from_iter(certs.iter().map(|c| c.keyid()).zip(messages));
|
||||||
|
|
||||||
|
let decrypted_messages = decrypt_with_keyring(&mut messages, &certs, &policy, keyring)?;
|
||||||
|
|
||||||
|
if let Some(message) = decrypted_messages.into_values().next() {
|
||||||
|
return Ok(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
let decrypted_messages = decrypt_with_manager(1, &mut messages, &certs, policy, manager)?;
|
||||||
|
|
||||||
|
if let Some(message) = decrypted_messages.into_values().next() {
|
||||||
|
return Ok(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
unreachable!("smartcard manager should always decrypt")
|
||||||
|
}
|
||||||
|
|
||||||
pub fn combine(
|
pub fn combine(
|
||||||
certs: Vec<Cert>,
|
certs: Vec<Cert>,
|
||||||
metadata: EncryptedMessage,
|
metadata: EncryptedMessage,
|
||||||
|
@ -321,16 +368,7 @@ pub fn combine(
|
||||||
|
|
||||||
let mut keyring = Keyring::new(certs)?;
|
let mut keyring = Keyring::new(certs)?;
|
||||||
let mut manager = SmartcardManager::new()?;
|
let mut manager = SmartcardManager::new()?;
|
||||||
let content = if keyring.is_empty() {
|
let content = decrypt_metadata(&metadata, &policy, &mut keyring, &mut manager)?;
|
||||||
// NOTE: Any card plugged in that can't decrypt, will raise issues.
|
|
||||||
// This should not be used on a system where OpenPGP cards are available that shouldn't be
|
|
||||||
// used. The manager will try every wildcard packet for the card on the system, and once no
|
|
||||||
// matching PKESK packet has been found, will return an error.
|
|
||||||
manager.load_any_card()?;
|
|
||||||
metadata.decrypt_with(&policy, &mut manager)?
|
|
||||||
} else {
|
|
||||||
metadata.decrypt_with(&policy, &mut keyring)?
|
|
||||||
};
|
|
||||||
|
|
||||||
let (threshold, root_cert, certs) = decode_metadata_v1(&content)?;
|
let (threshold, root_cert, certs) = decode_metadata_v1(&content)?;
|
||||||
|
|
||||||
|
@ -344,7 +382,7 @@ pub fn combine(
|
||||||
HashMap::from_iter(certs.iter().map(|c| c.keyid()).zip(messages));
|
HashMap::from_iter(certs.iter().map(|c| c.keyid()).zip(messages));
|
||||||
|
|
||||||
let mut decrypted_messages =
|
let mut decrypted_messages =
|
||||||
decrypt_with_keyring(&certs, &policy, &mut keyring, &mut messages)?;
|
decrypt_with_keyring(&mut messages, &certs, &policy, &mut keyring)?;
|
||||||
|
|
||||||
// clean decrypted messages from encrypted messages
|
// clean decrypted messages from encrypted messages
|
||||||
messages.retain(|k, _v| !decrypted_messages.contains_key(k));
|
messages.retain(|k, _v| !decrypted_messages.contains_key(k));
|
||||||
|
@ -353,8 +391,8 @@ pub fn combine(
|
||||||
if left_from_threshold > 0 {
|
if left_from_threshold > 0 {
|
||||||
let new_messages = decrypt_with_manager(
|
let new_messages = decrypt_with_manager(
|
||||||
left_from_threshold as u8,
|
left_from_threshold as u8,
|
||||||
&certs,
|
|
||||||
&mut messages,
|
&mut messages,
|
||||||
|
&certs,
|
||||||
policy,
|
policy,
|
||||||
&mut manager,
|
&mut manager,
|
||||||
)?;
|
)?;
|
||||||
|
|
Loading…
Reference in New Issue