keyfork-shard: extract threshold from encrypted metadata
parent
869860a903
commit
e42e362aea
|
@ -3,7 +3,6 @@ use std::{
|
||||||
io::{stdin, stdout},
|
io::{stdin, stdout},
|
||||||
path::PathBuf,
|
path::PathBuf,
|
||||||
process::ExitCode,
|
process::ExitCode,
|
||||||
str::FromStr,
|
|
||||||
};
|
};
|
||||||
|
|
||||||
use keyfork_shard::openpgp::{combine, discover_certs, openpgp::Cert, parse_messages};
|
use keyfork_shard::openpgp::{combine, discover_certs, openpgp::Cert, parse_messages};
|
||||||
|
@ -11,10 +10,8 @@ use keyfork_shard::openpgp::{combine, discover_certs, openpgp::Cert, parse_messa
|
||||||
type Result<T, E = Box<dyn std::error::Error>> = std::result::Result<T, E>;
|
type Result<T, E = Box<dyn std::error::Error>> = std::result::Result<T, E>;
|
||||||
|
|
||||||
fn validate<'a>(
|
fn validate<'a>(
|
||||||
threshold: &str,
|
|
||||||
key_discovery: impl Into<Option<&'a str>>,
|
key_discovery: impl Into<Option<&'a str>>,
|
||||||
) -> Result<(u8, Vec<Cert>)> {
|
) -> Result<Vec<Cert>> {
|
||||||
let threshold = u8::from_str(threshold)?;
|
|
||||||
let key_discovery = key_discovery.into().map(PathBuf::from);
|
let key_discovery = key_discovery.into().map(PathBuf::from);
|
||||||
key_discovery.as_ref().map(std::fs::metadata).transpose()?;
|
key_discovery.as_ref().map(std::fs::metadata).transpose()?;
|
||||||
|
|
||||||
|
@ -24,16 +21,16 @@ fn validate<'a>(
|
||||||
.transpose()?
|
.transpose()?
|
||||||
.unwrap_or(vec![]);
|
.unwrap_or(vec![]);
|
||||||
|
|
||||||
Ok((threshold, certs))
|
Ok(certs)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn run() -> Result<()> {
|
fn run() -> Result<()> {
|
||||||
let mut args = env::args();
|
let mut args = env::args();
|
||||||
let program_name = args.next().expect("program name");
|
let program_name = args.next().expect("program name");
|
||||||
let args = args.collect::<Vec<_>>();
|
let args = args.collect::<Vec<_>>();
|
||||||
let (threshold, cert_list) = match args.as_slice() {
|
let cert_list = match args.as_slice() {
|
||||||
[threshold, key_discovery] => validate(threshold, key_discovery.as_str())?,
|
[key_discovery] => validate(key_discovery.as_str())?,
|
||||||
[threshold] => validate(threshold, None)?,
|
[] => validate(None)?,
|
||||||
_ => panic!("Usage: {program_name} threshold [key_discovery]"),
|
_ => panic!("Usage: {program_name} threshold [key_discovery]"),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -44,7 +41,6 @@ fn run() -> Result<()> {
|
||||||
.expect("any pgp encrypted message");
|
.expect("any pgp encrypted message");
|
||||||
|
|
||||||
combine(
|
combine(
|
||||||
threshold,
|
|
||||||
cert_list,
|
cert_list,
|
||||||
encrypted_metadata,
|
encrypted_metadata,
|
||||||
encrypted_messages.into(),
|
encrypted_messages.into(),
|
||||||
|
|
|
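Review bot: The usage string in the fall-through arm of `run()` still reads `threshold [key_discovery]` although the positional threshold is gone, so a caller who follows it passes a number that the new `[key_discovery]` arm hands to `validate` as a filesystem path. Change it to `_ => panic!("Usage: {program_name} [key_discovery]"),`. A short comment above the match would also help, for example `// threshold is read from the shard metadata by combine(); only the key discovery path is accepted here`. The body of `run()` continues past the visible hunks.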
@ -206,7 +206,6 @@ fn get_decryption_keys<'a>(
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn combine(
|
pub fn combine(
|
||||||
threshold: u8,
|
|
||||||
certs: Vec<Cert>,
|
certs: Vec<Cert>,
|
||||||
metadata: EncryptedMessage,
|
metadata: EncryptedMessage,
|
||||||
messages: Vec<EncryptedMessage>,
|
messages: Vec<EncryptedMessage>,
|
||||||
|
@ -232,11 +231,7 @@ pub fn combine(
|
||||||
SHARD_METADATA_VERSION, content[0],
|
SHARD_METADATA_VERSION, content[0],
|
||||||
"incompatible metadata version"
|
"incompatible metadata version"
|
||||||
);
|
);
|
||||||
// TODO: this should be removed along with the `threshold` option.
|
let threshold = content[1];
|
||||||
assert_eq!(
|
|
||||||
threshold, content[1],
|
|
||||||
"threshold does not match stored threshold"
|
|
||||||
);
|
|
||||||
|
|
||||||
let mut cert_parser =
|
let mut cert_parser =
|
||||||
CertParser::from_bytes(&content[SHARD_METADATA_OFFSET..]).map_err(Error::Sequoia)?;
|
CertParser::from_bytes(&content[SHARD_METADATA_OFFSET..]).map_err(Error::Sequoia)?;
|
||||||
|
|
|
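Review bot: `let threshold = content[1];` takes the share threshold straight from the decrypted metadata with no range check, and the caller-supplied value that the removed `assert_eq!` compared it against is gone, so the metadata is now the only source for it. Before the value is used, reject `threshold == 0` and a threshold larger than the number of shares actually available with an error rather than letting it flow into recombination. The indexing `content[0]` / `content[1]` and the slice `&content[SHARD_METADATA_OFFSET..]` will panic on a truncated payload unless a length check exists above this hunk, which is not visible here; `content.get(1)` with an error return would avoid that. Whether the metadata message is authenticated (signed and verified) as well as encrypted cannot be seen from this hunk and is worth confirming, since encryption alone does not establish who wrote the threshold byte. `combine` begins and ends outside the hunk.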
@ -36,7 +36,6 @@ trait ShardExec {
|
||||||
|
|
||||||
fn combine<T>(
|
fn combine<T>(
|
||||||
&self,
|
&self,
|
||||||
threshold: u8,
|
|
||||||
key_discovery: Option<T>,
|
key_discovery: Option<T>,
|
||||||
input: impl Read + Send + Sync,
|
input: impl Read + Send + Sync,
|
||||||
output: &mut impl Write,
|
output: &mut impl Write,
|
||||||
|
@ -70,7 +69,6 @@ impl ShardExec for OpenPGP {
|
||||||
|
|
||||||
fn combine<T>(
|
fn combine<T>(
|
||||||
&self,
|
&self,
|
||||||
threshold: u8,
|
|
||||||
key_discovery: Option<T>,
|
key_discovery: Option<T>,
|
||||||
input: impl Read + Send + Sync,
|
input: impl Read + Send + Sync,
|
||||||
output: &mut impl Write,
|
output: &mut impl Write,
|
||||||
|
@ -89,7 +87,6 @@ impl ShardExec for OpenPGP {
|
||||||
.expect("any pgp encrypted message");
|
.expect("any pgp encrypted message");
|
||||||
|
|
||||||
keyfork_shard::openpgp::combine(
|
keyfork_shard::openpgp::combine(
|
||||||
threshold,
|
|
||||||
certs,
|
certs,
|
||||||
encrypted_metadata,
|
encrypted_metadata,
|
||||||
encrypted_messages.into(),
|
encrypted_messages.into(),
|
||||||
|
@ -131,10 +128,6 @@ pub enum ShardSubcommands {
|
||||||
/// hardware metadata discovery, any hardware key used to split may be used to decrypt metadata
|
/// hardware metadata discovery, any hardware key used to split may be used to decrypt metadata
|
||||||
/// used to combine.
|
/// used to combine.
|
||||||
Combine {
|
Combine {
|
||||||
/// The amount of sharesr equired to recombine a secret.
|
|
||||||
#[arg(long)]
|
|
||||||
threshold: u8,
|
|
||||||
|
|
||||||
/// The path to discover private keys from.
|
/// The path to discover private keys from.
|
||||||
key_discovery: Option<PathBuf>,
|
key_discovery: Option<PathBuf>,
|
||||||
},
|
},
|
||||||
|
@ -170,11 +163,10 @@ impl ShardSubcommands {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ShardSubcommands::Combine {
|
ShardSubcommands::Combine {
|
||||||
threshold,
|
|
||||||
key_discovery,
|
key_discovery,
|
||||||
} => match &shard.format {
|
} => match &shard.format {
|
||||||
Some(Format::OpenPGP(o)) => {
|
Some(Format::OpenPGP(o)) => {
|
||||||
o.combine(*threshold, key_discovery.as_ref(), stdin, &mut stdout)
|
o.combine(key_discovery.as_ref(), stdin, &mut stdout)
|
||||||
}
|
}
|
||||||
Some(Format::P256(_p)) => {
|
Some(Format::P256(_p)) => {
|
||||||
todo!()
|
todo!()
|
||||||
|
|
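Review bot: The doc comment on the `Combine` variant no longer tells the user where the threshold comes from now that the `threshold` argument has been removed. Add a line such as `/// The threshold is read from the encrypted shard metadata and cannot be set on the command line.` so operators with existing scripts understand why `--threshold` is presumably rejected at argument parsing. The trait method `ShardExec::combine` has no doc comment in the visible hunks and could carry the same statement. The `match` in `ShardSubcommands` continues outside the last hunk.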