asymmetric: implement the restrictions allowed with the keytype

mathstuf · mathstuf · commit 2aea40c31675 · 2020-05-13T19:55:40.000-04:00
diff --git a/src/api.rs b/src/api.rs
@@ -101,7 +101,6 @@ impl Keyring {
         }
     }
 
-    #[cfg(test)]
     pub(crate) fn serial(&self) -> KeyringSerial {
         self.id
     }
@@ -530,7 +529,6 @@ impl Key {
         }
     }
 
-    #[cfg(test)]
     pub(crate) fn serial(&self) -> KeyringSerial {
         self.id
     }
diff --git a/src/keytypes/asymmetric.rs b/src/keytypes/asymmetric.rs
@@ -26,7 +26,10 @@
 
 //! Asymmetric keys
 
+use std::borrow::Cow;
+
 use crate::keytype::*;
+use crate::{Key, Keyring, KeyringSerial};
 
 /// Asymmetric keys support encrypting, decrypting, signing, and verifying data.
 ///
@@ -54,3 +57,62 @@ impl KeyType for Asymmetric {
         "asymmetric"
     }
 }
+
+/// A restriction that may be placed onto a keyring using an asymmetric key.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum AsymmetricRestriction {
+    /// Only allow keys which have been signed by a key on the builtin trusted keyring.
+    BuiltinTrusted,
+    /// Only allow keys which have been signed by a key on the builtin or secondary trusted
+    /// keyrings.
+    BuiltinAndSecondaryTrusted,
+    /// Only allow keys which have been signed by the given key.
+    Key {
+        /// The signing key.
+        key: Key,
+        /// Whether or not chaining should be used (see `Chained`).
+        chained: bool,
+    },
+    /// Only allow keys which have been signed by a key on the given keyring.
+    Keyring {
+        /// The keyring with permitted signing keys.
+        keyring: Keyring,
+        /// Whether or not chaining should be used (see `Chained`).
+        chained: bool,
+    },
+    /// When chaining the destination keyring is also searched for signing keys.
+    ///
+    /// This allows building up a chain of trust in the destination keyring.
+    Chained,
+}
+
+impl AsymmetricRestriction {
+    fn restriction_str(id: KeyringSerial, chained: bool) -> String {
+        let chain_suffix = if chained { ":chain" } else { "" };
+        format!("key_or_keyring:{}{}", id, chain_suffix)
+    }
+}
+
+impl KeyRestriction for AsymmetricRestriction {
+    fn restriction(&self) -> Cow<str> {
+        match self {
+            AsymmetricRestriction::BuiltinTrusted => "builtin_trusted".into(),
+            AsymmetricRestriction::BuiltinAndSecondaryTrusted => {
+                "builtin_and_secondary_trusted".into()
+            },
+            AsymmetricRestriction::Key {
+                key,
+                chained,
+            } => Self::restriction_str(key.serial(), *chained).into(),
+            AsymmetricRestriction::Keyring {
+                keyring,
+                chained,
+            } => Self::restriction_str(keyring.serial(), *chained).into(),
+            AsymmetricRestriction::Chained => "key_or_keyring:0:chain".into(),
+        }
+    }
+}
+
+impl RestrictableKeyType for Asymmetric {
+    type Restriction = AsymmetricRestriction;
+}

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,6 @@ impl Keyring {`
`101`	`101`	`}`
`102`	`102`	`}`
`103`	`103`
`104`		`- #[cfg(test)]`
`105`	`104`	`pub(crate) fn serial(&self) -> KeyringSerial {`
`106`	`105`	`self.id`
`107`	`106`	`}`
`@@ -530,7 +529,6 @@ impl Key {`
`530`	`529`	`}`
`531`	`530`	`}`
`532`	`531`
`533`		`- #[cfg(test)]`
`534`	`532`	`pub(crate) fn serial(&self) -> KeyringSerial {`
`535`	`533`	`self.id`
`536`	`534`	`}`