[−][src]Struct sequoia_openpgp::cert::prelude::CertBuilder
Simplifies the generation of OpenPGP certificates.
A builder to generate complex certificate hierarchies with multiple
UserID
s, UserAttribute
s, and Key
s.
This builder does not aim to be as flexible as creating certificates manually, but it should be sufficiently powerful to cover most use cases.
Examples
Generate a general-purpose certificate with one User ID:
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; let (cert, rev) = CertBuilder::general_purpose(None, Some("alice@example.org")) .generate()?;
Implementations
impl CertBuilder
[src]
pub fn new() -> Self
[src]
Returns a new CertBuilder
.
The returned builder is configured to generate a minimal
OpenPGP certificate, a certificate with just a
certification-capable primary key. You'll typically want to
add at least one User ID (using
CertBuilder::add_userid
). and some subkeys (using
CertBuilder::add_signing_subkey
,
CertBuilder::add_transport_encryption_subkey
, etc.).
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; let (cert, rev) = CertBuilder::new() .add_userid("Alice Lovelace <alice@lovelace.name>") .add_signing_subkey() .add_transport_encryption_subkey() .add_storage_encryption_subkey() .generate()?;
pub fn general_purpose<C, U>(ciphersuite: C, userids: Option<U>) -> Self where
C: Into<Option<CipherSuite>>,
U: Into<UserID>,
[src]
C: Into<Option<CipherSuite>>,
U: Into<UserID>,
Generates a general-purpose certificate.
The returned builder is set to generate a certificate with a certification- and signature-capable primary key, and an encryption-capable subkey. The subkey is marked as being appropriate for both data in transit and data at rest.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; let (cert, rev) = CertBuilder::general_purpose(None, Some("Alice Lovelace <alice@example.org>")) .generate()?;
pub fn set_creation_time<T>(self, creation_time: T) -> Self where
T: Into<Option<SystemTime>>,
[src]
T: Into<Option<SystemTime>>,
Sets the creation time.
If creation_time
is None
, the default, this causes the
CertBuilder
to use that time when CertBuilder::generate
is called.
Warning: this function takes a SystemTime
. A SystemTime
has a higher resolution, and a larger range than an OpenPGP
Timestamp
. Assuming the creation_time
is in range, it
will automatically be truncated to the nearest time that is
representable by a Timestamp
. If it is not in range,
generate
will return an error.
Examples
Generate a backdated certificate:
use std::time::{SystemTime, Duration}; use std::convert::TryFrom; use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::types::Timestamp; let t = SystemTime::now() - Duration::from_secs(365 * 24 * 60 * 60); // Roundtrip the time so that the assert below works. let t = SystemTime::from(Timestamp::try_from(t)?); let (cert, rev) = CertBuilder::general_purpose(None, Some("Alice Lovelace <alice@example.org>")) .set_creation_time(t) .generate()?; assert_eq!(cert.primary_key().self_signatures()[0].signature_creation_time(), Some(t));
pub fn set_cipher_suite(self, cs: CipherSuite) -> Self
[src]
Sets the default asymmetric algorithms.
This method controls the set of algorithms that is used to generate the certificate's keys.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::types::PublicKeyAlgorithm; let (ecc, _) = CertBuilder::general_purpose(None, Some("alice@example.org")) .set_cipher_suite(CipherSuite::Cv25519) .generate()?; assert_eq!(ecc.primary_key().pk_algo(), PublicKeyAlgorithm::EdDSA); let (rsa, _) = CertBuilder::general_purpose(None, Some("alice@example.org")) .set_cipher_suite(CipherSuite::RSA4k) .generate()?; assert_eq!(rsa.primary_key().pk_algo(), PublicKeyAlgorithm::RSAEncryptSign);
pub fn add_userid<'a, U>(self, uid: U) -> Self where
U: Into<UserID>,
[src]
U: Into<UserID>,
Adds a User ID.
Adds a User ID to the certificate. The first User ID that is
added, whether via this interface or another interface, e.g.,
CertBuilder::general_purpose
, will have the primary User
ID flag set.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::packet::prelude::*; use openpgp::policy::StandardPolicy; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::general_purpose(None, Some("Alice Lovelace <alice@example.org>")) .add_userid("Alice Lovelace <alice@lovelace.name>") .generate()?; assert_eq!(cert.userids().count(), 2); let mut userids = cert.with_policy(p, None)?.userids().collect::<Vec<_>>(); // Sort lexicographically. userids.sort_by(|a, b| a.value().cmp(b.value())); assert_eq!(userids[0].userid(), &UserID::from("Alice Lovelace <alice@example.org>")); assert_eq!(userids[1].userid(), &UserID::from("Alice Lovelace <alice@lovelace.name>")); assert_eq!(userids[0].binding_signature().primary_userid().unwrap_or(false), true); assert_eq!(userids[1].binding_signature().primary_userid().unwrap_or(false), false);
pub fn add_user_attribute<'a, U>(self, ua: U) -> Self where
U: Into<UserAttribute>,
[src]
U: Into<UserAttribute>,
Adds a new User Attribute.
Adds a User Attribute to the certificate. If there are no User IDs, the first User attribute that is added, whether via this interface or another interface, will have the primary User ID flag set.
Examples
When there are no User IDs, the first User Attribute has the primary User ID flag set:
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::packet::prelude::*; use openpgp::policy::StandardPolicy; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_user_attribute(user_attribute) .generate()?; assert_eq!(cert.userids().count(), 0); assert_eq!(cert.user_attributes().count(), 1); let mut uas = cert.with_policy(p, None)?.user_attributes().collect::<Vec<_>>(); assert_eq!(uas[0].binding_signature().primary_userid().unwrap_or(false), true);
Where there are User IDs, then the primary User ID flag is not set:
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::packet::prelude::*; use openpgp::policy::StandardPolicy; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_userid("alice@example.org") .add_user_attribute(user_attribute) .generate()?; assert_eq!(cert.userids().count(), 1); assert_eq!(cert.user_attributes().count(), 1); let mut uas = cert.with_policy(p, None)?.user_attributes().collect::<Vec<_>>(); assert_eq!(uas[0].binding_signature().primary_userid().unwrap_or(false), false);
pub fn add_signing_subkey(self) -> Self
[src]
Adds a signing-capable subkey.
The key uses the default cipher suite (see
CertBuilder::set_cipher_suite
), and is not set to expire.
Use CertBuilder::add_subkey
if you need to change these
parameters.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_signing_subkey() .generate()?; assert_eq!(cert.keys().count(), 2); let ka = cert.with_policy(p, None)?.keys().nth(1).unwrap(); assert_eq!(ka.key_flags(), Some(KeyFlags::empty().set_signing()));
pub fn add_transport_encryption_subkey(self) -> Self
[src]
Adds a subkey suitable for transport encryption.
The key uses the default cipher suite (see
CertBuilder::set_cipher_suite
), and is not set to expire.
Use CertBuilder::add_subkey
if you need to change these
parameters.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_transport_encryption_subkey() .generate()?; assert_eq!(cert.keys().count(), 2); let ka = cert.with_policy(p, None)?.keys().nth(1).unwrap(); assert_eq!(ka.key_flags(), Some(KeyFlags::empty().set_transport_encryption()));
pub fn add_storage_encryption_subkey(self) -> Self
[src]
Adds a subkey suitable for storage encryption.
The key uses the default cipher suite (see
CertBuilder::set_cipher_suite
), and is not set to expire.
Use CertBuilder::add_subkey
if you need to change these
parameters.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_storage_encryption_subkey() .generate()?; assert_eq!(cert.keys().count(), 2); let ka = cert.with_policy(p, None)?.keys().nth(1).unwrap(); assert_eq!(ka.key_flags(), Some(KeyFlags::empty().set_storage_encryption()));
pub fn add_certification_subkey(self) -> Self
[src]
Adds an certification-capable subkey.
The key uses the default cipher suite (see
CertBuilder::set_cipher_suite
), and is not set to expire.
Use CertBuilder::add_subkey
if you need to change these
parameters.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_certification_subkey() .generate()?; assert_eq!(cert.keys().count(), 2); let ka = cert.with_policy(p, None)?.keys().nth(1).unwrap(); assert_eq!(ka.key_flags(), Some(KeyFlags::empty().set_certification()));
pub fn add_authentication_subkey(self) -> Self
[src]
Adds an authentication-capable subkey.
The key uses the default cipher suite (see
CertBuilder::set_cipher_suite
), and is not set to expire.
Use CertBuilder::add_subkey
if you need to change these
parameters.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::new() .add_authentication_subkey() .generate()?; assert_eq!(cert.keys().count(), 2); let ka = cert.with_policy(p, None)?.keys().nth(1).unwrap(); assert_eq!(ka.key_flags(), Some(KeyFlags::empty().set_authentication()));
pub fn add_subkey<T, C>(self, flags: KeyFlags, expiration: T, cs: C) -> Self where
T: Into<Option<SystemTime>>,
C: Into<Option<CipherSuite>>,
[src]
T: Into<Option<SystemTime>>,
C: Into<Option<CipherSuite>>,
Adds a custom subkey.
If expiration
is None
, the subkey uses the same expiration
time as the primary key.
Likewise, if cs
is None
, the same cipher suite is used as
for the primary key.
Examples
Generates a certificate with an encryption subkey that is for protecting both data in transit and data at rest, and expires at a different time from the primary key:
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let now = std::time::SystemTime::now(); let y = std::time::Duration::new(365 * 24 * 60 * 60, 0); // Make the certificate expire in 2 years, and the subkey // expire in a year. let (cert,_) = CertBuilder::new() .set_creation_time(now) .set_expiration_time(now + 2 * y) .add_subkey(KeyFlags::empty() .set_storage_encryption() .set_transport_encryption(), now + y, None) .generate()?; assert_eq!(cert.with_policy(p, now)?.keys().alive().count(), 2); assert_eq!(cert.with_policy(p, now + y)?.keys().alive().count(), 1); assert_eq!(cert.with_policy(p, now + 2 * y)?.keys().alive().count(), 0); let ka = cert.with_policy(p, None)?.keys().nth(1).unwrap(); assert_eq!(ka.key_flags(), Some(KeyFlags::empty() .set_storage_encryption() .set_transport_encryption()));
pub fn set_primary_key_flags(self, flags: KeyFlags) -> Self
[src]
Sets the primary key's key flags.
By default, the primary key is set to only be certification capable. This allows the caller to set additional flags.
Examples
Make the primary key certification and signing capable:
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::KeyFlags; let p = &StandardPolicy::new(); let (cert, rev) = CertBuilder::general_purpose(None, Some("Alice Lovelace <alice@example.org>")) .set_primary_key_flags(KeyFlags::empty().set_signing()) .generate()?; // Observe that the primary key's certification capability is // set implicitly. assert_eq!(cert.with_policy(p, None)?.primary_key().key_flags(), Some(KeyFlags::empty().set_signing().set_certification()));
pub fn set_password(self, password: Option<Password>) -> Self
[src]
Sets a password to encrypt the secret keys with.
The password is used to encrypt all secret key material.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; // Make the certificate expire in 10 minutes. let (cert, rev) = CertBuilder::general_purpose(None, Some("Alice Lovelace <alice@example.org>")) .set_password(Some("1234".into())) .generate()?; for ka in cert.keys() { assert!(ka.has_secret()); }
pub fn set_expiration_time<T>(self, expiration: T) -> Self where
T: Into<Option<SystemTime>>,
[src]
T: Into<Option<SystemTime>>,
Sets the certificate's expiration time.
A value of None means never.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::RevocationKey; let p = &StandardPolicy::new(); let now = std::time::SystemTime::now(); let s = std::time::Duration::new(1, 0); // Make the certificate expire in 10 minutes. let (cert,_) = CertBuilder::new() .set_creation_time(now) .set_expiration_time(now + 600 * s) .generate()?; assert!(cert.with_policy(p, now)?.primary_key().alive().is_ok()); assert!(cert.with_policy(p, now + 599 * s)?.primary_key().alive().is_ok()); assert!(cert.with_policy(p, now + 600 * s)?.primary_key().alive().is_err());
pub fn set_revocation_keys(self, revocation_keys: Vec<RevocationKey>) -> Self
[src]
Sets designated revokers.
Adds designated revokers to the primary key. This allows the designated revoker to issue revocation certificates on behalf of the primary key.
Examples
Make Alice a designated revoker for Bob:
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::RevocationKey; let p = &StandardPolicy::new(); let (alice, _) = CertBuilder::general_purpose(None, Some("alice@example.org")) .generate()?; let (bob, _) = CertBuilder::general_purpose(None, Some("bob@example.org")) .set_revocation_keys(vec![ (&alice).into() ]) .generate()?; // Make sure Alice is listed as a designated revoker for Bob. assert_eq!(bob.revocation_keys(p).collect::<Vec<&RevocationKey>>(), vec![ &(&alice).into() ]);
pub fn generate(self) -> Result<(Cert, Signature)>
[src]
Generates a certificate.
Examples
use sequoia_openpgp as openpgp; use openpgp::cert::prelude::*; use openpgp::policy::StandardPolicy; use openpgp::types::RevocationKey; let p = &StandardPolicy::new(); let (alice, _) = CertBuilder::general_purpose(None, Some("alice@example.org")) .generate()?;
Trait Implementations
impl Clone for CertBuilder
[src]
fn clone(&self) -> CertBuilder
[src]
fn clone_from(&mut self, source: &Self)
1.0.0[src]
impl Debug for CertBuilder
[src]
Auto Trait Implementations
impl RefUnwindSafe for CertBuilder
impl Send for CertBuilder
impl Sync for CertBuilder
impl Unpin for CertBuilder
impl UnwindSafe for CertBuilder
Blanket Implementations
impl<T> Any for T where
T: 'static + ?Sized,
[src]
T: 'static + ?Sized,
impl<T> Borrow<T> for T where
T: ?Sized,
[src]
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
[src]
T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
[src]
impl<T> DynClone for T where
T: Clone,
[src]
T: Clone,
impl<T> From<T> for T
[src]
impl<T, U> Into<U> for T where
U: From<T>,
[src]
U: From<T>,
impl<T> ToOwned for T where
T: Clone,
[src]
T: Clone,
type Owned = T
The resulting type after obtaining ownership.
fn to_owned(&self) -> T
[src]
fn clone_into(&self, target: &mut T)
[src]
impl<T, U> TryFrom<U> for T where
U: Into<T>,
[src]
U: Into<T>,
type Error = Infallible
The type returned in the event of a conversion error.
fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
[src]
impl<T, U> TryInto<U> for T where
U: TryFrom<T>,
[src]
U: TryFrom<T>,