Type Definition sequoia_openpgp::cert::amalgamation::key::ValidErasedKeyAmalgamation

source · [−]

pub type ValidErasedKeyAmalgamation<'a, P> = ValidKeyAmalgamation<'a, P, UnspecifiedRole, bool>;

Expand description

A valid key whose role is not known at compile time.

A specialized version of ValidKeyAmalgamation.

Implementations

source

impl<'a, P> ValidErasedKeyAmalgamation<'a, P> where
P: KeyParts,

source

pub fn parts_into_public(self) -> ValidErasedKeyAmalgamation<'a, PublicParts>

Changes the key’s parts tag to PublicParts.

source

pub fn parts_as_public(
&'a self
) -> &'a ValidErasedKeyAmalgamation<'a, PublicParts>

Changes the key’s parts tag to PublicParts.

source

pub fn parts_into_secret(
self
) -> Result<ValidErasedKeyAmalgamation<'a, SecretParts>>

Changes the key’s parts tag to SecretParts.

source

pub fn parts_as_secret(
&'a self
) -> Result<&'a ValidErasedKeyAmalgamation<'a, SecretParts>>

Changes the key’s parts tag to SecretParts.

source

pub fn parts_into_unspecified(
self
) -> ValidErasedKeyAmalgamation<'a, UnspecifiedParts>

Changes the key’s parts tag to UnspecifiedParts.

source

pub fn parts_as_unspecified(
&'a self
) -> &ValidErasedKeyAmalgamation<'a, UnspecifiedParts>

Changes the key’s parts tag to UnspecifiedParts.

source

impl<'a, P> ValidErasedKeyAmalgamation<'a, P> where
P: 'a + KeyParts,

source

pub fn set_expiration_time(
    &self,
    primary_signer: &mut dyn Signer,
    subkey_signer: Option<&mut dyn Signer>,
    expiration: Option<SystemTime>
) -> Result<Vec<Signature>>

Creates signatures that cause the key to expire at the specified time.

This function creates new binding signatures that cause the key to expire at the specified time when integrated into the certificate. For subkeys, only a single Signature is returned. For the primary key, however, it is necessary to create a new self-signature for each non-revoked User ID, and to create a direct key signature. This is needed, because the primary User ID is first consulted when determining the primary key’s expiration time, and certificates can be distributed with a possibly empty subset of User IDs.

Setting a key’s expiry time means updating an existing binding signature—when looking up information, only one binding signature is normally considered, and we don’t want to drop the other information stored in the current binding signature. This function uses the binding signature determined by ValidKeyAmalgamation’s policy and reference time for this.

When updating the expiration time of signing-capable subkeys, we need to create a new primary key binding signature. Therefore, we need a signer for the subkey. If subkey_signer is None, and this is a signing-capable subkey, this function fails with Error::InvalidArgument. Likewise, this function fails if subkey_signer is not None when updating the expiration of the primary key, or an non signing-capable subkey.

Examples

use std::time;
use openpgp::policy::StandardPolicy;

let p = &StandardPolicy::new();

let vc = cert.with_policy(p, None)?;

// Assert that the keys are not expired.
for ka in vc.keys() {
    assert!(ka.alive().is_ok());
}

// Make the keys expire in a week.
let t = time::SystemTime::now()
    + time::Duration::from_secs(7 * 24 * 60 * 60);

// We assume that the secret key material is available, and not
// password protected.
let mut primary_signer = vc.primary_key()
    .key().clone().parts_into_secret()?.into_keypair()?;
let mut signing_subkey_signer = vc.keys().for_signing().nth(0).unwrap()
    .key().clone().parts_into_secret()?.into_keypair()?;

let mut sigs = Vec::new();
for ka in vc.keys() {
    if ! ka.for_signing() {
        // Non-signing-capable subkeys are easy to update.
        sigs.append(&mut ka.set_expiration_time(&mut primary_signer,
                                                None, Some(t))?);
    } else {
        // Signing-capable subkeys need to create a primary
        // key binding signature with the subkey:
        assert!(ka.set_expiration_time(&mut primary_signer,
                                       None, Some(t)).is_err());

        // Here, we need the subkey's signer:
        sigs.append(&mut ka.set_expiration_time(&mut primary_signer,
                                                Some(&mut signing_subkey_signer),
                                                Some(t))?);
    }
}
let cert = cert.insert_packets(sigs)?;

// They aren't expired yet.
let vc = cert.with_policy(p, None)?;
for ka in vc.keys() {
    assert!(ka.alive().is_ok());
}

// But in two weeks, they will be...
let t = time::SystemTime::now()
    + time::Duration::from_secs(2 * 7 * 24 * 60 * 60);
let vc = cert.with_policy(p, t)?;
for ka in vc.keys() {
    assert!(ka.alive().is_err());
}

Trait Implementations

source