keyfork-shard: create metadata version 1

Ryan Heywood 2023-12-20 13:14:24 -05:00
parent 5cf8e9bb0c
commit 869860a903
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 21 additions and 3 deletions


@ -34,6 +34,13 @@ use keyring::Keyring;
mod smartcard; mod smartcard;
use smartcard::SmartcardManager; use smartcard::SmartcardManager;
/// Shard metadata verson 1:
/// 1 byte: Version
/// 1 byte: Threshold
/// OpenPGP Packet Pile of Certs
const SHARD_METADATA_VERSION: u8 = 1;
const SHARD_METADATA_OFFSET: usize = 2;
#[derive(Debug, thiserror::Error)] #[derive(Debug, thiserror::Error)]
pub enum Error { pub enum Error {
#[error("Error with creating Share: {0}")] #[error("Error with creating Share: {0}")]
@ -221,7 +228,18 @@ pub fn combine(
metadata.decrypt_with(&policy, &mut keyring)? metadata.decrypt_with(&policy, &mut keyring)?
}; };
let mut cert_parser = CertParser::from_bytes(&content).map_err(Error::Sequoia)?; assert_eq!(
SHARD_METADATA_VERSION, content[0],
"incompatible metadata version"
);
// TODO: this should be removed along with the `threshold` option.
assert_eq!(
threshold, content[1],
"threshold does not match stored threshold"
);
let mut cert_parser =
CertParser::from_bytes(&content[SHARD_METADATA_OFFSET..]).map_err(Error::Sequoia)?;
let root_cert = match cert_parser.next() { let root_cert = match cert_parser.next() {
Some(Ok(c)) => c, Some(Ok(c)) => c,
Some(Err(e)) => panic!("Could not find root (first) certificate: {e}"), Some(Err(e)) => panic!("Could not find root (first) certificate: {e}"),
@ -402,7 +420,7 @@ pub fn split(threshold: u8, certs: Vec<Cert>, secret: &[u8], output: impl Write)
messages.push(message_output); messages.push(message_output);
} }
let mut pp = vec![]; let mut pp = vec![SHARD_METADATA_VERSION, threshold];
// store derived cert to verify provided shares // store derived cert to verify provided shares
derived_cert.serialize(&mut pp).map_err(Error::Sequoia)?; derived_cert.serialize(&mut pp).map_err(Error::Sequoia)?;
for recipient in &total_recipients { for recipient in &total_recipients {
@ -410,7 +428,7 @@ pub fn split(threshold: u8, certs: Vec<Cert>, secret: &[u8], output: impl Write)
} }
// verify packet pile // verify packet pile
for (packet_cert, cert) in openpgp::cert::CertParser::from_bytes(&pp) for (packet_cert, cert) in openpgp::cert::CertParser::from_bytes(&pp[2..])
.map_err(Error::Sequoia)? .map_err(Error::Sequoia)?
.skip(1) .skip(1)
.zip(total_recipients.iter()) .zip(total_recipients.iter())
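Review bot: In the `combine` hunk, `content[0]`, `content[1]` and `content[SHARD_METADATA_OFFSET..]` index the decrypted metadata with no length check, and both `assert_eq!` calls panic on a mismatch. A truncated, corrupted or pre-version-1 shard file therefore aborts the process instead of returning an error the caller can handle. The surrounding code already propagates failures with `?` and `Error::Sequoia`, so these cases fit better as returned errors. The fence sketches that with placeholder variant names, because the `Error` enum body and `combine`'s signature are outside the visible lines, and it assumes `content` is a byte vector. In `split`, `&pp[2..]` should be `&pp[SHARD_METADATA_OFFSET..]` so the writer and reader cannot drift apart, and the new doc comment has a typo (`verson`).

```rust
// … unchanged: metadata.decrypt_with(&policy, &mut keyring)? producing `content` …

// Split the header off in one step so a short buffer is rejected, not indexed.
let [version, stored_threshold, cert_bytes @ ..] = &content[..] else {
    return Err(Error::MetadataTooShort); // placeholder variant name
};
if *version != SHARD_METADATA_VERSION {
    return Err(Error::MetadataVersion(*version)); // placeholder variant name
}
// TODO: this should be removed along with the `threshold` option.
if *stored_threshold != threshold {
    return Err(Error::ThresholdMismatch); // placeholder variant name
}
let mut cert_parser = CertParser::from_bytes(cert_bytes).map_err(Error::Sequoia)?;

// … unchanged: root_cert match on cert_parser.next() …
```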