sequoia-cert-store-0.5.0/.cargo/config.toml000064400000000000000000000002141046102023000166710ustar 00000000000000[target.'cfg(all())'] # Note: if the RUSTFLAGS environment variable is set, this will be # ignored. rustflags = [ # "-Dwarnings", ]sequoia-cert-store-0.5.0/.cargo_vcs_info.json0000644000000001360000000000100145710ustar { "git": { "sha1": "0b8f90b8d933cb2904c4a1524e8977ef0d4b1fee" }, "path_in_vcs": "" }sequoia-cert-store-0.5.0/.ci/all_commits.sh000075500000000000000000000022711046102023000166760ustar 00000000000000#!/usr/bin/env bash # Test all commits on this branch but the last one. # # Used in the all_commits ci job to ensure all commits build # and tests pass at least for the sequoia-openpgp crate. # NOTE: under gitlab's Settings, "CI/CD", General Pipelines ensure # that the "git shallow clone" setting is set to 0. Otherwise other # branch are not fetched. set -e set -x # Use dummy identity to make git rebase happy. git config user.name "C.I. McTestface" git config user.email "ci.mctestface@example.com" # Make sure the gitlab project is configured. if ! git describe --all origin/main then echo "origin/main is not present. Configure the gitlab project (see .ci/all_commits.sh)." exit 1 fi # If the previous commit already is on main we're done. git merge-base --is-ancestor HEAD~ origin/main && echo "All commits tested already" && exit 0 # Leave out the last commit - it has already been checked. git checkout HEAD~ git status git rebase origin/main \ --exec 'echo ===; echo ===; echo ===; git log -n 1;' \ --exec 'cargo test --all' && echo "All commits passed tests" && exit 0 # The rebase failed - probably because a test failed. git rebase --abort; exit 1 sequoia-cert-store-0.5.0/.codespellrc000064400000000000000000000004111046102023000156550ustar 00000000000000[codespell] skip = Cargo.lock,*.bin,*.gpg,*.pgp,./.git,data,highlight.js,*/target,Makefile,*.html,*/cargo,*.xml,*.xmlv2, ignore-words-list = crate,ede,iff,mut,nd,te,uint,KeyServer,keyserver,Keyserver,keyservers,Keyservers,keypair,keypairs,KeyPair,fpr,dedup,ba,ned, sequoia-cert-store-0.5.0/.gitignore000064400000000000000000000000141046102023000153440ustar 00000000000000/target/ *~ sequoia-cert-store-0.5.0/.gitlab-ci.yml000064400000000000000000000067571046102023000160340ustar 00000000000000# Only ever create pipelines for tags or branches. # Avoid creation of detached pipelines for merge requests. workflow: rules: - if: $CI_COMMIT_TAG - if: $CI_COMMIT_BRANCH stages: - lint - test - deploy # These stanzas do some common management tasks before and after the # job-specific before_script and after_script stanzas are run. # before_script_start configures any default global state. The # job-specific before_script can override this state, if required. # before_script_end prints out information about the environment to # improve debugging; it does not modify the environment. # after_script_end does some common management tasks after the # job-specific after_script is run. It prints information about the # environment, and does some clean up. # # Add this to your stanza as follows: # # before_script: # - *before_script_start # - *** YOUR CODE HERE *** # - *before_script_end # after_script: # - *** YOUR CODE HERE *** # - *after_script_end .before_script_start: &before_script_start - 'if test "x${RUSTFLAGS+SET}" = xSET; then echo "\$RUSTFLAGS is set ($RUSTFLAGS)"; exit 1; fi' # The test rely on gpg. Make sure it is available. - apt update -y -qq && apt install -y gpg .before_script_end: &before_script_end - 'if test "x${RUSTFLAGS+SET}" = xSET; then echo "WARNING: before_script set \$RUSTFLAGS ($RUSTFLAGS)"; fi' - rustc --version --verbose - cargo --version - clang -v - if [ -d $CARGO_TARGET_DIR ]; then find $CARGO_TARGET_DIR | wc --lines; du -sh $CARGO_TARGET_DIR; fi - if [ -d $CARGO_HOME ]; then find $CARGO_HOME | wc --lines; du -sh $CARGO_HOME; fi .after_script_end: &after_script_end - if [ -d $CARGO_TARGET_DIR ]; then du -sh $CARGO_TARGET_DIR; fi - if [ -d $CARGO_HOME ]; then du -sh $CARGO_HOME; fi before_script: - *before_script_start - *before_script_end after_script: - *after_script_end cache: &general_cache_config # default key is default # default policy is pull-push paths: - $CARGO_TARGET_DIR - $CARGO_HOME .rust-stable: image: 192.168.122.1:5000/sequoia-pgp/build-docker-image/rust-stable:latest before_script: - *before_script_start - *before_script_end after_script: - *after_script_end cache: # inherit all general cache settings <<: *general_cache_config # override the key key: "rust-stable" .trixie: image: 192.168.122.1:5000/sequoia-pgp/build-docker-image/trixie:latest before_script: - *before_script_start - *before_script_end after_script: - *after_script_end cache: # inherit all general cache settings <<: *general_cache_config # override the key key: "trixie" codespell: stage: lint interruptible: true extends: .trixie before_script: - *before_script_start - codespell --version - *before_script_end script: - codespell --config .codespellrc --summary after_script: [] test-trixie: stage: test interruptible: true extends: .trixie script: - cargo test --all test-rust-stable: stage: test interruptible: true extends: .rust-stable script: - cargo test --all deny: stage: lint interruptible: true extends: .rust-stable script: - cargo deny check cache: [] all_commits: # Test each commit up to main, to facilitate bisecting. stage: test interruptible: true extends: .trixie script: - .ci/all_commits.sh variables: GIT_STRATEGY: clone variables: CARGO_HOME: cargo/ CARGO_FLAGS: --color always CARGO_INCREMENTAL: 0 CARGO_TARGET_DIR: target/ sequoia-cert-store-0.5.0/CONTRIBUTING.md000064400000000000000000000033071046102023000156150ustar 00000000000000Sequoia PGP is owned by the [p≡p foundation] and licensed under the terms of the LGPLv2+. [p≡p foundation]: https://pep.foundation/ To finance its mission, privacy by default, the [p≡p foundation] allows third parties (currently only [p≡p security]) to relicense its software. Consistent with the rules of a foundation, the money collected by the foundation in this manner is fully reinvested in the foundation's mission, which includes further development of Sequoia PGP. [p≡p security]: https://www.pep.security/ To do this, the [p≡p foundation] needs permission from all contributors to relicense their changes. In return, the [p≡p foundation] guarantees that *all* releases of Sequoia PGP (and any other software it owns) will also be released under a GNU-approved license. That is, even if Foo Corp is granted a license to use Sequoia PGP in a proprietary product, the exact code that Foo Corp uses will also be licensed under a GNU-approved license. If you want to contribute to Sequoia PGP, and you agree to the above, please sign the [p≡p foundation]'s [CLA]. This is an electronic assignment; no paper work is required. You'll need to provide a valid email address. After clicking on a link to verify your email address, you'll receive a second email, which contains the contract between you and the [p≡p foundation]. Be sure to keep it for future reference. The maintainers of Sequoia PGP will also receive a notification. At that point, we can merge patches from you into Sequoia PGP. [CLA]: https://contribution.pep.foundation/contribute/ Please direct questions regarding the CLA to [contribution@pep.foundation]. [contribution@pep.foundation]: mailto:contribution@pep.foundation sequoia-cert-store-0.5.0/Cargo.toml0000644000000044570000000000100126010ustar # THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g., crates.io) dependencies. # # If you are reading this file be aware that the original Cargo.toml # will likely look very different (and much more reasonable). # See Cargo.toml.orig for the original contents. [package] edition = "2021" rust-version = "1.70" name = "sequoia-cert-store" version = "0.5.0" authors = [ "Neal H. Walfield ", "Justus Winter ", ] description = "A certificate database interface." homepage = "https://sequoia-pgp.org/" readme = "README.md" keywords = [ "cryptography", "openpgp", "keyring", "database", ] categories = [ "cryptography", "authentication", "email", "command-line-utilities", ] license = "LGPL-2.0-or-later" repository = "https://gitlab.com/sequoia-pgp/sequoia-cert-store" [package.metadata.docs.rs] features = ["sequoia-openpgp/default"] [lib] name = "sequoia_cert_store" path = "src/lib.rs" [dependencies.anyhow] version = "1.0.18" [dependencies.crossbeam] version = "0.8.1" [dependencies.dirs] version = "5" [dependencies.num_cpus] version = "1" [dependencies.openpgp-cert-d] version = "0.3.1" [dependencies.rayon] version = "1" [dependencies.rusqlite] version = ">=0.29, <0.32" features = [ "collation", "blob", ] [dependencies.sequoia-net] version = "0.28" default-features = false [dependencies.sequoia-openpgp] version = "1.19.0" default-features = false [dependencies.smallvec] version = "1.1" [dependencies.thiserror] version = "1.0.2" [dependencies.tokio] version = "1.13" features = ["rt"] [dev-dependencies.tempfile] version = "3" [target."cfg(not(windows))".dev-dependencies.sequoia-openpgp] version = "1" features = [ "crypto-nettle", "__implicit-crypto-backend-for-tests", ] default-features = false [target."cfg(windows)".dependencies.rusqlite] version = ">=0.29, <0.32" features = ["bundled"] [target."cfg(windows)".dev-dependencies.sequoia-openpgp] version = "1" features = [ "crypto-cng", "__implicit-crypto-backend-for-tests", ] default-features = false [badges.maintenance] status = "actively-developed" sequoia-cert-store-0.5.0/Cargo.toml.orig000064400000000000000000000034321046102023000162520ustar 00000000000000[package] name = "sequoia-cert-store" description = "A certificate database interface." version = "0.5.0" authors = ["Neal H. Walfield ", "Justus Winter "] homepage = "https://sequoia-pgp.org/" repository = "https://gitlab.com/sequoia-pgp/sequoia-cert-store" readme = "README.md" keywords = ["cryptography", "openpgp", "keyring", "database"] categories = ["cryptography", "authentication", "email", "command-line-utilities"] license = "LGPL-2.0-or-later" edition = "2021" rust-version = "1.70" [badges] maintenance = { status = "actively-developed" } [dependencies] anyhow = "1.0.18" crossbeam = "0.8.1" dirs = "5" num_cpus = "1" openpgp-cert-d = "0.3.1" rayon = "1" sequoia-openpgp = { version = "1.19.0", default-features = false } sequoia-net = { version = "0.28", default-features = false } smallvec = "1.1" thiserror = "1.0.2" tokio = { version = "1.13", features = [ "rt" ] } [dependencies.rusqlite] version = ">=0.29, <0.32" features = ["collation", "blob"] # Use the bundled sqlite on Windows. [target.'cfg(windows)'.dependencies] rusqlite = { version = ">=0.29, <0.32", features = ["bundled"] } [dev-dependencies] tempfile = "3" [lib] name = "sequoia_cert_store" path = "src/lib.rs" [target.'cfg(not(windows))'.dev-dependencies] # Enables a crypto backend for the tests: sequoia-openpgp = { version = "1", default-features = false, features = ["crypto-nettle", "__implicit-crypto-backend-for-tests"] } [target.'cfg(windows)'.dev-dependencies] # Enables a crypto backend for the tests: sequoia-openpgp = { version = "1", default-features = false, features = ["crypto-cng", "__implicit-crypto-backend-for-tests"] } [package.metadata.docs.rs] # Enables a crypto backend for the docs.rs generation: features = ["sequoia-openpgp/default"] sequoia-cert-store-0.5.0/LICENSE.txt000064400000000000000000000627341046102023000152200ustar 00000000000000Sequoia PGP is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Sequoia PGP is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --- GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. GNU LIBRARY GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! sequoia-cert-store-0.5.0/README.md000064400000000000000000000047641046102023000146530ustar 00000000000000An OpenPGP certificate store abstraction and implementation. This crates provides a unified, high-level API for different certificate stores via the `Store` and `StoreUpdate` traits. It also provides a number of helper functions and data structures, like `UserIDIndex` to help implement this functionality. Finally, the `CertStore` data structure combines multiple certificate backends in a transparent way to users. This crate supports multiple backends: `CertD` uses an [OpenPGP Certificate Directory]. `Certs` manages a bunch of certificates in-memory. It can be loaded with certificates from a keyring, a keybox, a database, etc. It can also be used as the basis for a new backend, which actually writes changes back to the underlying store. `Pep` provides access to a [pEp] certificate store. Finally, there is a key server backend, which can fetch certificates via HKPS and WKD. [OpenPGP Certificate Directory]: https://crates.io/crates/openpgp-cert-d [pEp]: https://gitea.pep.foundation/pEp.foundation/pEpEngine ## Usage To use `sequoia-cert-store` from your project, you should add the following to your crate's `Cargo.toml`: ```toml [dependencies] sequoia-cert-store = "0.3" sequoia-openpgp = { version = "1.0.0", default-features = false } ``` To compile your crate you would then run: ``` $ cargo build --release --features sequoia-openpgp/crypto-default $ cargo test --features sequoia-openpgp/crypto-default $ cargo doc --no-deps --features sequoia-openpgp/crypto-default ``` If you do not disable the use of `sequoia-openpgp`'s default features, then `sequoia-openpgp` will select the default cryptographic backend, and your users won't be able to easily compile your crate with a different cryptographic backend. `sequoia-openpgp` currently uses Nettle as its default cryptographic backend. `sequoia-openpgp` also supports OpenSSL (`sequoia-openpgp/crypto-openssl`), Botan (`sequoia-openpgp/crypto-botan`), Windows CNG (`sequoia-openpgp/crypto-cng`), Rust Crypto (`sequoia-openpgp/crypto-rust`). For more information about building `sequoia-openpgp`, please refer to [`sequoia-openpgp`'s README]. This also includes information about the different backends' [build requirements]. [`sequoia-openpgp`'s README]: https://gitlab.com/sequoia-pgp/sequoia#features [build requirements]: https://gitlab.com/sequoia-pgp/sequoia#building-sequoia # License sequoia-cert-store is distributed under the terms of LGPL 2.0 or later. See [LICENSE.txt](LICENSE.txt) and [CONTRIBUTING.md](CONTRIBUTING.md) for details. sequoia-cert-store-0.5.0/deny.toml000064400000000000000000000013441046102023000152170ustar 00000000000000[advisories] ignore = [ "RUSTSEC-2020-0071", # chrono not affected by time 0.1 issue # fehler is unmaintained. # # fehler is used by subplot and thus an indirect dependency. Remove # when a new version subplot is released without fehler. See # https://gitlab.com/subplot/subplot/-/issues/340. "RUSTSEC-2023-0067", ] unmaintained = "deny" yanked = "deny" [bans] multiple-versions = "allow" deny = [ # does not have responsible disclosure policy: # https://github.com/briansmith/ring#bug-reporting {name = "ring"}, ] [licenses] allow = [ "Apache-2.0", "BSD-3-Clause", "BSL-1.0", "CC0-1.0", "GPL-2.0", "GPL-3.0", "ISC", "LGPL-2.0", "LGPL-3.0", "MIT", "MIT-0", "MPL-2.0", "Unicode-DFS-2016", ] sequoia-cert-store-0.5.0/src/cert_store.rs000064400000000000000000000520631046102023000166750ustar 00000000000000use std::path::Path; use std::sync::Arc; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::cert::raw::RawCertParser; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::packet::UserID; use openpgp::parse::Parse; use openpgp::Result; use crate::LazyCert; use crate::store; use store::Certs; use store::MergeCerts; use store::Store; use store::StoreError; use store::StoreUpdate; use store::UserIDQueryParams; use crate::TRACE; #[derive(Debug, Clone, PartialEq, Eq)] #[non_exhaustive] pub enum AccessMode { Always, OnMiss, } /// A unified interface to multiple certificate stores. /// /// When a certificate is looked up, the certificate is looked up in /// the primary cert-d, if any, and all the backends whose access mode /// is `AccessMode::Always`. The results are merged and returned. If /// no certificate is found, then the look up is also tried on the /// backends whose access mode is `AccessMode::OnMiss`. Finally, if a /// key server is configured, the key server is tried. /// /// In general, results are preferred to errors. That is, if a /// backend returns a positive result, and another backend returns an /// error, the error is ignored, even if it is something other than /// [`StoreError::NotFound`]. /// /// Results from the key server are either cached when /// [`CertStore::flush`] is called (or the [`CertStore`] is dropped) /// if there is a writable primary cert-d, or simply dropped /// otherwise. pub struct CertStore<'a> { certd: std::result::Result, store::Certs<'a>>, // Read-only backends. backends: Vec<(Box + Send + Sync + 'a>, AccessMode)>, keyserver: Option>>, } assert_send_and_sync!(CertStore<'_>); impl<'a> CertStore<'a> { /// Returns a CertStore, which does not have any configured backends. pub fn empty() -> Self { CertStore { certd: Err(store::Certs::empty()), backends: Vec::new(), keyserver: None, } } /// Returns a CertStore, which uses the default certificate /// directory. /// /// When a certificate is added or updated, it will be added to or /// updated in this certificate store. pub fn new() -> Result { Ok(CertStore { certd: Ok(store::CertD::open_default()?), backends: Vec::new(), keyserver: None, }) } /// Returns a CertStore, which uses the default certificate /// directory in read-only mode. pub fn readonly() -> Result { let mut cert_store = CertStore { certd: Err(store::Certs::empty()), backends: Vec::new(), keyserver: None, }; cert_store.add_default_certd()?; Ok(cert_store) } /// Returns a CertStore, which uses the specified certificate /// directory. /// /// When a certificate is added or updated, it will be added to or /// updated in this certificate store. pub fn open

(path: P) -> Result where P: AsRef { let path = path.as_ref(); Ok(CertStore { certd: Ok(store::CertD::open(path)?), backends: Vec::new(), keyserver: None, }) } /// Returns a CertStore, which uses the specified certificate /// directory in read-only mode. pub fn open_readonly

(path: P) -> Result where P: AsRef { let path = path.as_ref(); let mut cert_store = CertStore { certd: Err(store::Certs::empty()), backends: Vec::new(), keyserver: None, }; cert_store.add_certd(path)?; Ok(cert_store) } /// Add the specified backend to the CertStore. /// /// The backend is added to the collection of read-only backends. pub fn add_backend(&mut self, backend: Box + Send + Sync + 'a>, mode: AccessMode) -> &mut Self { self.backends.push((backend, mode)); self } /// Adds the specified cert-d to the CertStore. /// /// The cert-d is added in read-only mode, and its access mode is /// set to `AccessMode::Always`. pub fn add_certd

(&mut self, path: P) -> Result<&mut Self> where P: AsRef { let path = path.as_ref(); self.add_backend(Box::new(store::CertD::open(path)?), AccessMode::Always); Ok(self) } /// Adds the default cert-d to the CertStore. /// /// The cert-d is added in read-only mode, and its access mode is /// set to `AccessMode::Always`. pub fn add_default_certd(&mut self) -> Result<&mut Self> { self.add_backend(Box::new(store::CertD::open_default()?), AccessMode::Always); Ok(self) } /// Adds the specified keyring to the CertStore. /// /// The keyring is added in read-only mode, and its access mode is /// set to `AccessMode::Always`. pub fn add_keyring

(&mut self, path: P) -> Result<&mut Self> where P: AsRef { self.add_keyrings(std::iter::once(path))?; Ok(self) } /// Adds the specified keyrings to the CertStore. /// /// The keyrings are added in read-only mode, and their access /// mode is set to `AccessMode::Always`. pub fn add_keyrings(&mut self, filenames: I) -> Result<&mut Self> where P: AsRef, I: IntoIterator, { let keyring = Certs::empty(); let mut error = None; for filename in filenames { let filename = filename.as_ref(); let f = std::fs::File::open(filename) .with_context(|| format!("Open {:?}", filename))?; let parser = RawCertParser::from_reader(f) .with_context(|| format!("Parsing {:?}", filename))?; for cert in parser { match cert { Ok(cert) => { keyring.update(Arc::new(cert.into())) .expect("implementation doesn't fail"); } Err(err) => { eprint!("Parsing certificate in {:?}: {}", filename, err); error = Some(err); } } } } if let Some(err) = error { return Err(err).context("Parsing keyrings"); } self.add_backend( Box::new(keyring), AccessMode::Always); Ok(self) } /// Adds the specified keyserver to the CertStore. /// /// The keyserver is added in read-only mode, and its access mode /// is set to `AccessMode::OnMiss`. pub fn add_keyserver(&mut self, url: &str) -> Result<&mut Self> { self.keyserver = Some(Box::new(store::KeyServer::new(url)?)); Ok(self) } /// Adds the specified keyserver to the CertStore. /// /// The keyserver is added in read-only mode, and its access mode /// is set to `AccessMode::OnMiss`. /// /// A key server is treated specially from other backends: any /// results that it returns are written to the cert store (if it /// is open in read-write mode). pub fn add_keyserver_backend(&mut self, ks: store::KeyServer<'a>) -> Result<&mut Self> { self.keyserver = Some(Box::new(ks)); Ok(self) } /// Returns a reference to the certd store, if there is one. pub fn certd(&self) -> Option<&store::CertD<'a>> { self.certd.as_ref().ok() } /// Returns a mutable reference to the certd store, if there /// is one. pub fn certd_mut(&mut self) -> Option<&mut store::CertD<'a>> { self.certd.as_mut().ok() } } macro_rules! forward { ( $method:ident, append:$to_vec:expr, $self:expr, $term:expr, $($args:ident),* ) => {{ tracer!(TRACE, format!("{}({})", stringify!($method), $term)); let mut certs = Vec::new(); let mut err = None; match &$self.certd { Ok(certd) => { match certd.$method($($args),*) { Err(err2) => { if let Some(StoreError::NotFound(_)) = err2.downcast_ref::() { // Ignore NotFound. t!("certd returned nothing"); } else { t!("certd returned: {}", err2); err = Some(err2) } } Ok(c) => { let mut c = $to_vec(c); t!("certd returned {}", c.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); certs.append(&mut c) } } } Err(in_memory) => { match in_memory.$method($($args),*) { Err(err2) => { if let Some(StoreError::NotFound(_)) = err2.downcast_ref::() { // Ignore NotFound. t!("in-memory returned nothing"); } else { t!("in-memory returned: {}", err2); err = Some(err2) } } Ok(c) => { let mut c = $to_vec(c); t!("in-memory returned {}", c.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); certs.append(&mut c) } } } } for mode in [AccessMode::Always, AccessMode::OnMiss] { for (backend, _) in $self.backends.iter() .filter(|(_, m)| &mode == m) { match backend.$method($($args),*) { Err(err2) => { if let Some(StoreError::NotFound(_)) = err2.downcast_ref::() { // Ignore NotFound. t!("backend returned nothing"); } else { t!("backend returned: {}", err2); err = Some(err2) } } Ok(c) => { let mut c = $to_vec(c); t!("backend returned {}", c.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); certs.append(&mut c) } } } // If we found a cert after the AccessMode::Always round, // don't consult the AccessMode::OnMiss backends. if mode == AccessMode::Always && ! certs.is_empty() { break; } } if certs.is_empty() { if let Some(ks) = $self.keyserver.as_ref() { if let Ok(c) = ks.$method($($args),*) { certs = $to_vec(c); t!("keyserver returned {}", certs.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); } } } if certs.is_empty() { if let Some(err) = err { t!("query failed: {}", err); Err(err) } else { t!("query returned nothing"); Ok(certs) } } else { t!("query returned {}", certs.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); Ok(certs) } }}; ( $method:ident, $self:expr, $($args:ident),* ) => {{ forward!($method, append:|c| c, $self, $($args),*) }} } fn merge<'a, 'b>(mut certs: Vec>>) -> Vec>> { certs.sort_by_key(|cert| cert.fingerprint()); certs.dedup_by(|a, b| { // If this returns true, a is dropped. So merge into b. if a.fingerprint() == b.fingerprint() { if let Ok(a2) = a.to_cert() { if let Ok(b2) = b.to_cert() { *b = Arc::new(LazyCert::from( b2.clone() .merge_public(a2.clone()) .expect("Same certificate"))); } else { // b is invalid, but a is valid. Just keep a. *b = Arc::new(LazyCert::from(a2.clone())); } } else { // a is invalid. By returning true, we drop a. // That's what we want. } true } else { false } }); certs } impl<'a> store::Store<'a> for CertStore<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { let certs = forward!(lookup_by_cert, self, kh, kh)?; if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(merge(certs)) } } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { let certs = forward!(lookup_by_cert_fpr, append:|c| vec![c], self, fingerprint, fingerprint)?; // There may be multiple variants. Merge them. let certs = merge(certs); assert!(certs.len() <= 1); if let Some(cert) = certs.into_iter().next() { Ok(cert) } else { Err(StoreError::NotFound( KeyHandle::from(fingerprint.clone())).into()) } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { let certs = forward!(lookup_by_cert_or_subkey, self, kh, kh)?; if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(merge(certs)) } } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { let certs = forward!(select_userid, self, pattern, query, pattern)?; if certs.is_empty() { Err(StoreError::NoMatches(pattern.to_string()).into()) } else { Ok(merge(certs)) } } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { let certs = forward!(lookup_by_userid, self, userid, userid)?; if certs.is_empty() { Err(StoreError::NoMatches( String::from_utf8_lossy(userid.value()).to_string()).into()) } else { Ok(merge(certs)) } } fn grep_userid(&self, pattern: &str) -> Result>>> { let certs = forward!(grep_userid, self, pattern, pattern)?; if certs.is_empty() { Err(StoreError::NoMatches(pattern.to_string()).into()) } else { Ok(merge(certs)) } } fn lookup_by_email(&self, email: &str) -> Result>>> { let certs = forward!(lookup_by_email, self, email, email)?; if certs.is_empty() { Err(StoreError::NoMatches(email.to_string()).into()) } else { Ok(merge(certs)) } } fn grep_email(&self, pattern: &str) -> Result>>> { let certs = forward!(grep_email, self, pattern, pattern)?; if certs.is_empty() { Err(StoreError::NoMatches(pattern.to_string()).into()) } else { Ok(merge(certs)) } } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { let certs = forward!(lookup_by_email_domain, self, domain, domain)?; if certs.is_empty() { Err(StoreError::NoMatches(domain.to_string()).into()) } else { Ok(merge(certs)) } } fn fingerprints(&self) -> Box + 'a> { let mut certs = Vec::new(); match self.certd.as_ref() { Ok(certd) => certs.extend(certd.fingerprints()), Err(in_memory) => certs.extend(in_memory.fingerprints()), }; for (backend, mode) in self.backends.iter() { if mode != &AccessMode::Always { continue; } certs.extend(backend.fingerprints()); } certs.sort(); certs.dedup(); Box::new(certs.into_iter()) } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { let mut certs = Vec::new(); match self.certd { Ok(ref certd) => certs.extend(certd.certs()), Err(ref in_memory) => certs.extend(in_memory.certs()), }; for (backend, mode) in self.backends.iter() { if mode != &AccessMode::Always { continue; } certs.extend(backend.certs()); } let certs = merge(certs); Box::new(certs.into_iter()) } fn prefetch_all(&self) { match self.certd.as_ref() { Ok(certd) => certd.prefetch_all(), Err(in_memory) => in_memory.prefetch_all(), }; for (backend, _mode) in self.backends.iter() { backend.prefetch_all(); } } fn prefetch_some(&self, certs: &[KeyHandle]) { match self.certd.as_ref() { Ok(certd) => certd.prefetch_some(certs), Err(in_memory) => in_memory.prefetch_some(certs), }; for (backend, _mode) in self.backends.iter() { backend.prefetch_some(certs); } } } impl<'a> store::StoreUpdate<'a> for CertStore<'a> { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "CertStore::update_by"); match self.certd.as_ref() { Ok(certd) => { t!("Forwarding to underlying certd"); certd.update_by(cert, merge_strategy) } Err(in_memory) => { t!("Forwarding to underlying in-memory DB"); in_memory.update_by(cert, merge_strategy) } } } } impl<'a> CertStore<'a> { /// Flushes any modified certificates to the backing store. /// /// Currently, this flushes the key server cache to the underlying /// cert-d, if any. All other backends are currently expected to /// work in a write-through manner. /// /// Note: this is called automatically when the `CertStore` is /// dropped, but calling it explicitly allows for reporting of /// errors. pub fn flush(&mut self) -> Result<()> { // Sync the key server's cache to the backing store. tracer!(TRACE, "CertStore::flush"); t!("flushing"); let certd = if let Ok(certd) = self.certd.as_mut() { certd } else { // We don't have a writable backing store so we can't sync // anything to it. We're done. t!("no certd, can't sync"); return Ok(()); }; let ks = if let Some(ks) = self.keyserver.as_mut() { ks } else { // We don't have a key server. There is clearly nothing // to sync. t!("no keyserver, can't sync"); return Ok(()); }; let mut flushed_certs = Vec::new(); let mut result = Ok(()); for c in ks.certs() { let keyid = c.keyid(); if let Err(err) = certd.update(c.clone()) { t!("syncing {} to the cert-d: {}", keyid, err); if result.is_ok() { result = Err(err) .with_context(|| { format!("Flushing changes to {} to disk", keyid) }) } } else { flushed_certs.push(c); } } // Now purge the successfully flushed certs from the keyserver // cache, so that we will not try to flush them again next // time we're called. ks.delete_from_cache(flushed_certs.iter().map(Arc::clone)); t!("Flushed {} certificates", flushed_certs.len()); result } } impl<'a> Drop for CertStore<'a> { fn drop(&mut self) { let _ = self.flush(); } } sequoia-cert-store-0.5.0/src/lazy_cert.rs000064400000000000000000000210051046102023000165100ustar 00000000000000use std::borrow::Cow; use std::time::SystemTime; use std::sync::OnceLock; use sequoia_openpgp as openpgp; use openpgp::Cert; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Result; use openpgp::cert::raw::RawCert; use openpgp::cert::ValidCert; use openpgp::packet::Key; use openpgp::packet::UserID; use openpgp::packet::key; use openpgp::policy::Policy; use openpgp::serialize::SerializeInto; use super::TRACE; /// Stores either a `RawCert` or a parsed `Cert`. /// /// This allows the implementation to defer fully parsing and /// validating the certificate until it is actually needed. #[derive(Clone)] pub struct LazyCert<'a> { // At least one of raw and cert are ever alive. Ideally, we'd put // them in an enum. To do that, the enum would have to be behind // a `RefCell`, but then we couldn't return bare references to the // `Cert`. raw: OnceLock>, cert: OnceLock>, } assert_send_and_sync!(LazyCert<'_>); impl<'a> std::fmt::Debug for LazyCert<'a> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { f.debug_struct("LazyCert") .field("fingerprint", &self.fingerprint()) .field("subkeys", &self.subkeys().map(|k| k.fingerprint()) .collect::>()) .field("userids", &self.userids().collect::>()) .finish() } } impl<'a> LazyCert<'a> { /// Returns whether the cert has been parsed. pub(crate) fn is_parsed(&self) -> bool { self.cert.get().is_some() } /// Creates a `LazyCert` from a `Cert`. pub fn from_cert(cert: Cert) -> Self { tracer!(TRACE, "LazyCert::from_cert"); t!("Adding a parsed cert: {}", cert.fingerprint()); Self { raw: OnceLock::new(), cert: OnceLock::from(Cow::Owned(cert)), } } /// Creates a `LazyCert` from a `&Cert`. pub fn from_cert_ref(cert: &'a Cert) -> Self { tracer!(TRACE, "LazyCert::from_cert_ref"); t!("Adding a parsed cert: {}", cert.fingerprint()); Self { raw: OnceLock::new(), cert: OnceLock::from(Cow::Borrowed(cert)), } } /// Creates a `LazyCert` from a `RawCert`. pub fn from_raw_cert(raw: RawCert<'a>) -> Self { Self { raw: OnceLock::from(raw), cert: OnceLock::new(), } } /// Returns a reference to the raw cert, if any. /// /// If the cert only exists in parsed form, returns `None`. pub fn raw_cert(&self) -> Option<&RawCert<'a>> { self.raw.get() } /// Returns the RawCert, if any. /// /// If the cert exists only in parsed form, returns `Err(self)`. pub fn into_raw_cert(mut self) -> std::result::Result, Self> { match self.raw.take() { Some(raw) => Ok(raw), None => Err(self), } } /// Returns the certificate's fingerprint. pub fn fingerprint(&self) -> Fingerprint { if let Some(cert) = self.cert.get() { cert.fingerprint() } else if let Some(raw) = self.raw.get() { raw.fingerprint() } else { unreachable!("cert or raw must be set") } } /// Returns the certificate's Key ID. pub fn keyid(&self) -> KeyID { KeyID::from(self.fingerprint()) } /// Returns the certificate's Key Handle. pub fn key_handle(&self) -> KeyHandle { KeyHandle::from(self.fingerprint()) } /// Returns the user ids. pub fn userids(&self) -> impl Iterator + '_ { if let Some(cert) = self.cert.get() { Box::new(cert.userids().map(|ua| ua.userid().clone())) as Box + '_> } else if let Some(raw) = self.raw.get() { Box::new(raw.userids()) as Box + '_> } else { unreachable!("cert or raw must be set") } } /// Returns the keys. pub fn keys(&self) -> impl Iterator> + '_ { if let Some(cert) = self.cert.get() { Box::new(cert.keys().map(|ka| ka.key().clone())) as Box> + '_> } else if let Some(raw) = self.raw.get() { Box::new( raw .keys() // This is rather unsatisfying, but due to // lifetimes... .collect::>>() .into_iter()) as Box> + '_> } else { unreachable!("cert or raw must be set") } } /// Returns the primary key. pub fn primary_key(&self) -> Key { self.keys().next().expect("have a primary key").role_into_primary() } /// Returns the subkeys. pub fn subkeys<'b>(&'b self) -> impl Iterator> + 'b { self.keys().skip(1) } /// Returns a reference to the parsed certificate. /// /// If the `LazyCert` is not yet parsed, parses now. pub fn to_cert(&self) -> Result<&Cert> { tracer!(TRACE, "LazyCert::to_cert"); if let Some(cert) = self.cert.get() { return Ok(cert); } if let Some(raw) = self.raw.get() { t!("Resolving {}", raw.fingerprint()); match Cert::try_from(raw) { Ok(cert) => { // The following will fail, if we lost a race to // parse the raw certificate. That's okay, // because parsing is deterministic. let _ = self.cert.set(Cow::Owned(cert)); } Err(err) => { return Err(err); } } } if let Some(cert) = self.cert.get() { return Ok(cert); } else { unreachable!("cert or raw must be set") } } /// Returns the parsed certificate. /// /// If the `LazyCert` is not yet parsed, parses now. pub fn into_cert(self) -> Result { let _ = self.to_cert()?; Ok(self.cert.into_inner().expect("valid").into_owned()) } /// Associates a policy and a reference time with the certificate. /// /// See [`Cert::with_policy`]. pub fn with_policy<'b, T>(&'b self, policy: &'b dyn Policy, time: T) -> Result> where T: Into>, { let cert = self.to_cert()?; cert.with_policy(policy, time) } /// Returns whether the certificate contains any secret key /// material. pub fn is_tsk(&self) -> bool { if let Some(cert) = self.cert.get() { cert.is_tsk() } else if let Some(raw) = self.raw.get() { raw.keys().any(|key| key.has_secret()) } else { unreachable!("cert or raw must be set") } } } impl<'a> From for LazyCert<'a> { fn from(cert: Cert) -> Self { LazyCert::from_cert(cert) } } impl<'a> From<&'a Cert> for LazyCert<'a> { fn from(cert: &'a Cert) -> Self { LazyCert::from_cert_ref(cert) } } impl<'a> From> for LazyCert<'a> { fn from(cert: RawCert<'a>) -> Self { LazyCert::from_raw_cert(cert) } } // We can't implement openpgp::serialize::Marshal, because it is // sealed. So we fake what is used :/. impl<'a> LazyCert<'a> { /// Serializes the cert to a vector. pub fn to_vec(&self) -> Result> { if let Some(raw) = self.raw.get() { Ok(raw.as_bytes().to_vec()) } else if let Some(cert) = self.cert.get() { Ok(cert.to_vec()?) } else { unreachable!("raw or cert must be set"); } } /// Exports a serialized version of the cert to `o`. /// /// Non-exportable signatures are not exported, and any component /// bound merely by non-exportable signatures is not exported. pub fn export(&self, o: &mut dyn std::io::Write) -> Result<()> { use openpgp::serialize::Marshal; // We need to strip any local signatures. If we have a // RawCert, we could try to figure out if there are any local // signatures to avoid parsing and reserializing, but that is // error prone. let cert = self.to_cert()?; Ok(cert.export(o)?) } } sequoia-cert-store-0.5.0/src/lib.rs000064400000000000000000001342501046102023000152710ustar 00000000000000//! A certificate store abstraction. //! //! This crates provides a unified interface for different certificate //! stores via the [`Store`] and [`StoreUpdate`] traits. It also //! provides a number of helper functions and data structures, like //! [`UserIDIndex`] to help implement this functionality. //! //! [`UserIDIndex`]: store::UserIDIndex //! //! The [`CertStore`] data structure combines multiple certificate //! backends in a transparent way to users. //! //! # Examples //! //! We can store certificates in an in-memory store, and query the store: //! //! ```rust //! use std::sync::Arc; //! use sequoia_openpgp::cert::{Cert, CertBuilder}; //! use sequoia_cert_store::{CertStore, LazyCert, Store, StoreUpdate}; //! //! # fn main() -> anyhow::Result<()> { //! // Create an in-memory certificate store. To use the default //! // on-disk certificate store, use `CertStore::new`. //! let mut certs = CertStore::empty(); //! //! let (cert, _rev) = CertBuilder::new().generate()?; //! let fpr = cert.fingerprint(); //! //! // It's not in the cert store yet: //! assert!(certs.lookup_by_cert_fpr(&fpr).is_err()); //! //! // Insert a certificate. If using a backing store, it would //! // also be written to disk. //! certs.update(Arc::new(LazyCert::from(cert)))?; //! //! // Make sure it is there. //! let cert = certs.lookup_by_cert_fpr(&fpr).expect("present"); //! assert_eq!(cert.fingerprint(), fpr); //! //! // Resolve the `LazyCert` to a `Cert`. Certificates are stored //! // using `LazyCert` so that it is possible to work with `RawCert`s //! // and `Cert`s. This allows the implementation to defer fully parsing //! // and validating the certificate until it is actually needed. //! let cert: &Cert = cert.to_cert()?; //! # Ok(()) } //! ``` //! //! We can use the same API on a persistent certificate store, kept on the //! filesystem: //! //! ```rust //! use std::fs; //! # use tempfile; //! # //! # use std::sync::Arc; //! # //! # use sequoia_openpgp as openpgp; //! # use openpgp::Result; //! # use openpgp::cert::{Cert, CertBuilder}; //! # //! # use sequoia_cert_store::{CertStore, LazyCert, Store, StoreUpdate}; //! //! # fn main() -> Result<()> { //! // Make a certificate store on the file system, in a fresh empty directory. //! let directory = "/tmp/test-sequoia-certificate-directory"; //! # let directory_object = tempfile::tempdir()?; let directory = directory_object.path(); //! fs::create_dir_all(directory)?; //! let mut store = CertStore::open(directory)?; //! //! // Make a new certificate. //! let (cert, _rev) = CertBuilder::new().generate()?; //! let fpr = cert.fingerprint(); //! //! // The certificate of course will not be in the store yet. //! assert!(store.lookup_by_cert_fpr(&fpr).is_err()); //! //! // Add it. //! store.update(Arc::new(LazyCert::from(cert)))?; //! //! // Now the certificate can be found. //! let found = store.lookup_by_cert_fpr(&fpr).expect("present"); //! assert_eq!(found.fingerprint(), fpr); //! //! // Again, we can resolve the `LazyCert` to a `Cert`. //! let cert: &Cert = found.to_cert()?; //! # Ok(()) } //! ``` use std::str; use sequoia_openpgp as openpgp; use openpgp::Result; use openpgp::packet::UserID; #[macro_use] mod log; #[macro_use] mod macros; pub mod store; pub use store::Store; pub use store::StoreUpdate; mod cert_store; pub use cert_store::CertStore; pub use cert_store::AccessMode; mod lazy_cert; pub use lazy_cert::LazyCert; const TRACE: bool = false; /// Converts an email address to a User ID. /// /// If the email address is not valid, returns an error. /// /// The email address must be a bare email address. That is it must /// have the form `localpart@example.org`, and not be surrounded by /// angle brackets like ``. /// /// The email address is checked for validity. Specifically, it is /// checked to conform with [`RFC 2822`]'s [`addr-spec`] grammar. /// /// Returns a UserID containing the normalized User ID in angle /// brackets. /// /// [`RFC 2822`]: https://www.rfc-editor.org/rfc/rfc2822 /// [`addr-spec`]: https://www.rfc-editor.org/rfc/rfc2822#section-3.4.1 pub fn email_to_userid(email: &str) -> Result { let email_check = UserID::from(format!("<{}>", email)); match email_check.email2() { Ok(Some(email_check)) => { if email != email_check { return Err(anyhow::anyhow!( "{:?} does not appear to be an email address", email)); } } Ok(None) => { return Err(anyhow::anyhow!( "{:?} does not appear to be an email address", email)); } Err(err) => { return Err(err.context(format!( "{:?} does not appear to be an email address", email))); } } let userid = UserID::from(&email[..]); match userid.email_normalized() { Err(err) => { Err(err.context(format!( "'{}' is not a valid email address", email))) } Ok(None) => { Err(anyhow::anyhow!("'{}' is not a valid email address", email)) } Ok(Some(_email)) => { Ok(userid) } } } #[cfg(test)] mod tests { use super::*; use std::path::PathBuf; use std::str; use std::sync::Arc; use anyhow::Context; /// Prints the error and causes, if any. pub fn print_error_chain(err: &anyhow::Error) { let _ = write_error_chain_into(&mut std::io::stderr(), err); } /// Prints the error and causes, if any. fn write_error_chain_into(sink: &mut dyn std::io::Write, err: &anyhow::Error) -> Result<()> { writeln!(sink, " {}", err)?; for cause in err.chain().skip(1) { writeln!(sink, " because: {}", cause)?; } Ok(()) } use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Cert; use openpgp::parse::Parse; use openpgp::policy::StandardPolicy; use openpgp::serialize::Serialize; use openpgp_cert_d as cert_d; use store::Certs; use store::Pep; use store::StoreError; use store::UserIDQueryParams; fn certd_merge<'a>(new: &'a [u8], disk: Option<&[u8]>) -> cert_d::Result> { if let Some(disk) = disk { let new = Cert::from_bytes(&new).expect("valid"); let disk = Cert::from_bytes(&disk).expect("valid"); let merged = new.merge_public(disk).expect("valid"); let mut bytes = Vec::new(); merged.serialize(&mut bytes).expect("valid"); Ok(bytes.into()) } else { Ok(cert_d::MergeResult::DataRef(new)) } } include!("../tests/keyring.rs"); fn test_backend<'a, B>(backend: &B) where B: Store<'a> { // Check Store::list. { let mut got: Vec = backend.fingerprints().collect(); got.sort(); let mut expected: Vec = keyring::certs.iter() .map(|c| c.fingerprint.parse::().expect("valid")) .collect(); expected.sort(); expected.dedup(); assert_eq!(got.len(), expected.len()); assert_eq!(got, expected); } std::thread::yield_now(); // Check Store::iter. { let mut got: Vec = backend.certs().map(|c| c.fingerprint()).collect(); got.sort(); let mut expected: Vec = keyring::certs.iter() .map(|c| c.fingerprint.parse::().expect("valid")) .collect(); expected.sort(); expected.dedup(); assert_eq!(got.len(), expected.len()); assert_eq!(got, expected); } std::thread::yield_now(); // Iterate over the certificates in the keyring and check that // can look up the certificate by fingerprint, by key, by User // ID, and by email in various ways. for handle in keyring::certs.iter() { let fpr: Fingerprint = handle.fingerprint.parse().expect("valid"); let cert = handle.to_cert().expect("valid"); assert_eq!(fpr, cert.fingerprint(), "{}", handle.base); let keyid = KeyID::from(fpr.clone()); // Check by_cert_fpr. let got = backend.lookup_by_cert_fpr(&fpr).expect("present"); assert_eq!(got.fingerprint(), fpr, "{}, by_cert_fpr, primary", handle.base); // Look up by subkey and make sure we don't get cert. // Note: if a subkey is also a primary key (as is the case // for the ed certificate), then we'll get a certificate // back. for sk in cert.keys().subkeys() { match backend.lookup_by_cert_fpr(&sk.fingerprint()) { Ok(got) => { // The subkey could be a primary key for a // different certificate. So, make sure it is // not assert!( keyring::certs.iter().any(|c| { c.fingerprint.parse::().unwrap() == got.fingerprint() }), "{}, lookup_by_cert_fpr, subkey, unexpectedly got {}", handle.base, got.fingerprint()); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("Expected StoreError::NotFound, \ got: {}", err), } }, } std::thread::yield_now(); } // Check lookup_by_cert using key ids. let got = backend.lookup_by_cert(&KeyHandle::from(&keyid)) .expect("present"); assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert, keyid, primary", handle.base); // Look up by subkey. This will only return something if // the subkey also happens to be a primary key. for sk in cert.keys().subkeys() { match backend.lookup_by_cert(&KeyHandle::from(sk.keyid())) { Ok(got) => { // Make sure subkey is also a primary key. for got in got.into_iter() { assert!( keyring::certs.iter().any(|c| { c.fingerprint.parse::() .unwrap() == got.fingerprint() }), "{}, lookup_by_cert_fpr, subkey, \ unexpectedly got {}", handle.base, got.fingerprint()); } } Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("Unexpected failure: {}", err), } }, } std::thread::yield_now(); } // Check lookup_by_cert_or_subkey using fingerprints. let got = backend.lookup_by_cert_or_subkey(&KeyHandle::from(fpr.clone())) .expect("present"); assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey, with fingerprint, primary", handle.base); // Look up by subkey and make sure we get cert. for sk in cert.keys().subkeys() { let got = backend.lookup_by_cert_or_subkey( &KeyHandle::from(sk.fingerprint())) .expect("present"); assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey({}), with fingerprint, subkey", handle.base, sk.fingerprint()); std::thread::yield_now(); } // Check lookup_by_cert_or_subkey using keyids. let got = backend.lookup_by_cert_or_subkey(&KeyHandle::from(keyid.clone())) .expect("present"); assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey, with keyid, primary", handle.base); // Look up by subkey and make sure we get cert. for sk in cert.keys().subkeys() { let got = backend.lookup_by_cert_or_subkey(&KeyHandle::from(sk.keyid())) .expect("present"); assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey, with keyid, subkey", handle.base); std::thread::yield_now(); } // Check look up by User ID address by querying for each // User ID, email, domain, etc. for ua in cert.userids() { let userid = ua.userid(); // Search by exact user id. let got = backend.lookup_by_userid(userid) .expect(&format!("{}, lookup_by_userid({:?})", handle.base, userid)); assert!( got.into_iter().any(|c| { c.userids().any(|u| &u == userid) }), "{}, lookup_by_userid({:?})", handle.base, userid); // Extract an interior substring (nor anchored at the // start or the end), and uppercase it. let pattern = str::from_utf8(userid.value()).expect("utf-8"); let pattern = &pattern[1..pattern.len() - 1]; let pattern = pattern.to_uppercase(); // grep removes all constraints so we should still // find it. let got = backend.grep_userid(&pattern) .expect(&format!("{}, grep_userid({:?})", handle.base, pattern)); assert!( got.into_iter().any(|c| { c.userids().any(|u| &u == userid) }), "{}, grep_userid({:?})", handle.base, pattern); // Now use an anchor at the start, or the end, ignore // case, or not. The only one combination that should // return any results is no constraints, which we // tested above. for (start, end, ignore_case) in [(false, false, false), //(false, false, true), (false, true, false), (false, true, true), ( true, false, false), ( true, false, true), ( true, true, false), ( true, true, true)] { let result = backend.select_userid( UserIDQueryParams::new() .set_email(false) .set_anchor_start(start) .set_anchor_end(end) .set_ignore_case(ignore_case), &pattern); match result { Ok(got) => { panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, got.into_iter() .map(|c| c.fingerprint().to_string()) .collect::>() .join(", ")); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NoMatches(_)) => (), _ => panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, err), } } } } // Search by exact email. let email = if let Ok(Some(email)) = userid.email2() { email } else { // No email address. continue; }; // Search with the User ID using lookup_by_email. This will // fail: a User ID that contains an email address is // never a valid email address. assert!( backend.lookup_by_email( str::from_utf8(userid.value()).expect("valid utf-8")) .is_err(), "{}, lookup_by_email({:?})", handle.base, userid); // Search by email. let got = backend.lookup_by_email(&email) .expect(&format!("{}, lookup_by_email({:?})", handle.base, email)); assert!( got.into_iter().any(|c| { c.userids().any(|u| &u == userid) }), "{}, lookup_by_email({:?})", handle.base, userid); // Extract an interior substring (nor anchored at the // start or the end), and uppercase it. let pattern = &email[1..email.len() - 1]; let pattern = pattern.to_uppercase(); // grep removes all constraints so we should still // find it. let got = backend.grep_email(&pattern) .expect(&format!("{}, grep_email({:?})", handle.base, pattern)); assert!( got.into_iter().any(|c| { c.userids().any(|u| &u == userid) }), "{}, grep_email({:?})", handle.base, pattern); // Now use an anchor at the start, or the end, ignore // case, or not. This should not return any results; // the only one that should return any results is no // constraints, which we tested above. for (start, end, ignore_case) in [(false, false, false), //(false, false, true), (false, true, false), (false, true, true), ( true, false, false), ( true, false, true), ( true, true, false), ( true, true, true)] { let result = backend.select_userid( UserIDQueryParams::new() .set_email(true) .set_anchor_start(start) .set_anchor_end(end) .set_ignore_case(ignore_case), &pattern); match result { Ok(got) => { panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, got.into_iter() .map(|c| c.fingerprint().to_string()) .collect::>() .join(", ")); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NoMatches(_)) => (), _ => panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, err), } } } } // Search by domain. let domain = email.rsplit('@').next().expect("have an @"); // Search with the User ID using lookup_by_email_domain. // This will fail: a User ID that contains an email // address is never a valid email address. assert!( backend.lookup_by_email_domain( str::from_utf8(userid.value()).expect("valid utf-8")) .is_err(), "{}, lookup_by_email_domain({:?})", handle.base, userid); // Likewise with the email address. assert!( backend.lookup_by_email_domain(&email).is_err(), "{}, lookup_by_email_domain({:?})", handle.base, email); // Search by domain. We should find it. let got = backend.lookup_by_email_domain(&domain) .expect(&format!("{}, lookup_by_email_domain({:?})", handle.base, domain)); assert!( got.into_iter().any(|c| { c.userids().any(|u| &u == userid) }), "{}, lookup_by_email_domain({:?})", handle.base, userid); // Uppercase it. We should still find it. let pattern = domain.to_uppercase(); let got = backend.lookup_by_email_domain(&pattern) .expect(&format!("{}, lookup_by_email_domain({:?})", handle.base, pattern)); assert!( got.into_iter().any(|c| { c.userids().any(|u| &u == userid) }), "{}, lookup_by_email_domain({:?})", handle.base, pattern); // Extract an substring. That we shouldn't find. let pattern = &domain[1..pattern.len() - 1]; let result = backend.lookup_by_email_domain(pattern); match result { Ok(got) => { assert!( got.into_iter().all(|c| { c.fingerprint() != fpr }), "{}, lookup_by_email_domain({:?}, unexpectedly got {}", handle.base, pattern, fpr); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NoMatches(_)) => (), _ => panic!("{}, lookup_by_email_domain({:?}) -> {}", handle.base, pattern, err), } } } std::thread::yield_now(); } } // So far, the tests have been generic in the sense that we // look up what is there. We now do some data set-specific // tests. let sort_vec = |mut v: Vec<_>| -> Vec<_> { v.sort(); v }; // alice and alice2 share a subkey. assert_eq!( sort_vec(backend.lookup_by_cert_or_subkey( &"5989D7BE9908AE24799DF6CFBE678043781349F1" .parse::().expect("valid")) .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::alice.fingerprint .parse::().expect("valid"), keyring::alice2_adopted_alice.fingerprint .parse::().expect("valid"), ])); std::thread::yield_now(); // ed's primary is also a subkey on the same certificate. { let ed_fpr = "0C346B2B6241263F64E9C7CF1EA300797258A74E" .parse::().expect("valid"); let ed_kh = KeyHandle::from(&ed_fpr); assert_eq!( sort_vec(backend.lookup_by_cert_or_subkey(&ed_kh) .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::ed.fingerprint .parse::().expect("valid"), ])); // Also test that the CertStore implementation is not // impacted. let cert = backend.lookup_by_cert_fpr(&ed_fpr) .expect("found cert"); assert_eq!(cert.fingerprint(), ed_fpr); // Make sure the implementation doesn't return the certificate // twice, once when matching on the primary key, and once when // matching on the subkey. let certs = backend.lookup_by_cert(&ed_kh) .expect("found cert"); assert_eq!(certs.len(), 1); assert_eq!(certs[0].fingerprint(), ed_fpr); let certs = backend.lookup_by_cert_or_subkey(&ed_kh) .expect("found cert"); assert_eq!(certs.len(), 1); assert_eq!(certs[0].fingerprint(), ed_fpr); let certs = backend.certs(); assert_eq!(certs.filter(|c| c.fingerprint() == ed_fpr).count(), 1); let fprs = backend.fingerprints(); assert_eq!(fprs.filter(|fpr| fpr == &ed_fpr).count(), 1); } // david has a subkey that doesn't have a binding signature, // but the backend is not supposed to check that. (That // subkey is bound to carol.) assert_eq!( sort_vec(backend.lookup_by_cert_or_subkey( &"CD22D4BD99FF10FDA11A83D4213DCB92C95346CE" .parse::().expect("valid")) .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::carol.fingerprint .parse::().expect("valid"), keyring::david.fingerprint .parse::().expect("valid"), ])); // Try a key that is not present. match backend.lookup_by_cert_fpr( &"0123 4567 89AB CDEF 0123 4567 89AB CDEF" .parse::().expect("valid")) { Ok(cert) => panic!("lookup_by_cert_fpr(not present) -> {}", cert.fingerprint()), Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("lookup_by_cert(not present) -> {}", err), } } } match backend.lookup_by_cert_or_subkey( &"0123 4567 89AB CDEF 0123 4567 89AB CDEF" .parse::().expect("valid")) { Ok(certs) => panic!("lookup_by_cert_or_subkey(not present) -> {}", certs .into_iter() .map(|c| c.fingerprint().to_string()) .collect::>() .join(", ")), Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("lookup_by_cert(not present) -> {}", err), } } } std::thread::yield_now(); assert!( backend.lookup_by_cert_or_subkey( &"0123 4567 89AB CDEF 0123 4567 89AB CDEF" .parse::().expect("valid")) .is_err()); // Check puny code handling. // Look up the User ID using puny code. assert_eq!( backend.lookup_by_email("hans@xn--bcher-kva.tld") .expect("present") .len(), 1); // And without puny code. assert_eq!( backend.lookup_by_email("hans@bücher.tld") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::hans_puny_code.fingerprint .parse::().expect("valid") ]); // A substring shouldn't match. assert_eq!( backend.lookup_by_email("hans@bücher.tl") .unwrap_or(Vec::new()) .len(), 0); // The same, but just look up by domain. assert_eq!( backend.lookup_by_email_domain("xn--bcher-kva.tld") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::hans_puny_code.fingerprint .parse::().expect("valid") ]); // And without puny code. assert_eq!( backend.lookup_by_email_domain("bücher.tld") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::hans_puny_code.fingerprint .parse::().expect("valid") ]); std::thread::yield_now(); // Check that when looking up a subdomain, we don't get back // User IDs in a subdomain. assert_eq!( backend.lookup_by_email_domain("company.com") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::una.fingerprint .parse::().expect("valid") ]); assert_eq!( backend.lookup_by_email_domain("sub.company.com") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::steve.fingerprint .parse::().expect("valid") ]); // Check searching by domain. assert_eq!( sort_vec(backend.lookup_by_email_domain("verein.de") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::alice2_adopted_alice.fingerprint .parse::().expect("valid"), keyring::carol.fingerprint .parse::().expect("valid"), ])); // It should be case insenitive. assert_eq!( sort_vec(backend.lookup_by_email_domain("VEREIN.DE") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::alice2_adopted_alice.fingerprint .parse::().expect("valid"), keyring::carol.fingerprint .parse::().expect("valid"), ])); } #[test] fn certd() -> Result<()> { use std::io::Read; let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; for cert in keyring::certs.iter() { let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); } drop (certd); let certd = store::certd::CertD::open(&path).expect("exists"); test_backend(&certd); Ok(()) } #[test] fn cert_store() -> Result<()> { use std::io::Read; let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; for cert in keyring::certs.iter() { let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); } drop(certd); let cert_store = CertStore::open(&path).expect("exists"); test_backend(&cert_store); Ok(()) } #[test] fn cert_store_layered() -> Result<()> { use std::io::Read; // A certd for each certificate. let mut paths: Vec = Vec::new(); let mut cert_store = CertStore::empty(); for cert in keyring::certs.iter() { let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); drop(certd); let certd = store::CertD::open(&path).expect("valid"); cert_store.add_backend(Box::new(certd), AccessMode::Always); paths.push(path); } test_backend(&cert_store); Ok(()) } #[test] fn certs() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = store::Certs::from_bytes(&bytes) .expect("valid"); test_backend(&backend); Ok(()) } #[test] fn certd_with_prefetch() -> Result<()> { use std::io::Read; let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; for cert in keyring::certs.iter() { let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); } drop (certd); let certd = store::CertD::open(&path).expect("exists"); certd.prefetch_all(); test_backend(&certd); Ok(()) } #[test] fn certs_with_prefetch() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = store::Certs::from_bytes(&bytes) .expect("valid"); backend.prefetch_all(); test_backend(&backend); Ok(()) } #[test] fn keyrings() -> Result<()> { let mut cert_store = CertStore::empty(); let mut base = PathBuf::from(env!("CARGO_MANIFEST_DIR")); base.push("tests"); cert_store.add_keyrings( keyring::certs.iter().map(|c| { PathBuf::from(&base).join(c.filename) }))?; test_backend(&cert_store); Ok(()) } #[test] fn certs_multithreaded() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = store::Certs::from_bytes(&bytes) .expect("valid"); std::thread::scope(|s| { let threads = (0..4usize) .map(|_| { s.spawn(|| { // Really make sure all threads start by sleeping // for 10ms. std::thread::sleep(std::time::Duration::new(0, 10)); test_backend(&backend); }) }) .collect::>(); threads.into_iter().for_each(|h| { h.join().expect("joined"); }); }); Ok(()) } #[test] fn pep() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = Pep::from_bytes(&bytes).expect("valid"); backend.prefetch_all(); test_backend(&backend); Ok(()) } // Make sure that when we update a certificate, we are able to // find any new components and we are still able to find the old // components. fn test_store_update<'a, B>(backend: B) -> Result<()> where B: store::StoreUpdate<'a> { let p = &StandardPolicy::new(); let signing_cert = Cert::from_bytes(&keyring::halfling_signing.bytes()) .expect("valid"); let fpr = signing_cert.fingerprint(); // We expect a primary and two subkeys. assert_eq!(signing_cert.keys().count(), 3); let signing_vc = signing_cert.with_policy(p, None).expect("ok"); let signing_fpr = signing_vc.keys().subkeys() .for_signing() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(signing_fpr.len(), 1); let signing_fpr = KeyHandle::from( signing_fpr.into_iter().next().expect("have one")); let auth_fpr = signing_vc.keys().subkeys() .for_authentication() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(auth_fpr.len(), 1); let auth_fpr = KeyHandle::from( auth_fpr.into_iter().next().expect("have one")); let encryption_cert = Cert::from_bytes(&keyring::halfling_encryption.bytes()) .expect("valid"); assert_eq!(fpr, encryption_cert.fingerprint()); // We expect a primary and two subkeys. assert_eq!(encryption_cert.keys().count(), 3); let encryption_vc = encryption_cert.with_policy(p, None).expect("ok"); let encryption_fpr = encryption_vc.keys().subkeys() .for_transport_encryption() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(encryption_fpr.len(), 1); let encryption_fpr = KeyHandle::from( encryption_fpr.into_iter().next().expect("have one")); assert_ne!(signing_fpr, encryption_fpr); let auth2_fpr = encryption_vc.keys().subkeys() .for_authentication() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(auth2_fpr.len(), 1); let auth2_fpr = KeyHandle::from( auth2_fpr.into_iter().next().expect("have one")); assert_eq!(auth_fpr, auth2_fpr); let merged_cert = signing_cert.clone() .merge_public(encryption_cert.clone()).expect("ok"); let check = |backend: &B, have_enc: bool, cert: &Cert| { let r = backend.lookup_by_cert(&KeyHandle::from(fpr.clone())).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); let r = backend.lookup_by_cert_or_subkey(&signing_fpr).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); let r = backend.lookup_by_cert_or_subkey(&auth_fpr).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); if have_enc { let r = backend.lookup_by_cert_or_subkey(&encryption_fpr).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); } else { assert!(backend.lookup_by_cert_or_subkey(&encryption_fpr).is_err()); } let r = backend.lookup_by_userid( &UserID::from("")).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); let r = backend.lookup_by_userid( &UserID::from("Halfling ")).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); if have_enc { let r = backend.lookup_by_userid( &UserID::from("Halfling ")) .unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); } else { assert!(backend.lookup_by_cert_or_subkey(&encryption_fpr).is_err()); } }; // Insert the signing certificate. backend.update(Arc::new(LazyCert::from(signing_cert.clone()))) .expect("ok"); check(&backend, false, &signing_cert); backend.update(Arc::new(LazyCert::from(encryption_cert.clone()))) .expect("ok"); check(&backend, true, &merged_cert); backend.update(Arc::new(LazyCert::from(signing_cert.clone()))) .expect("ok"); check(&backend, true, &merged_cert); Ok(()) } // Test StoreUpdate::update for CertStore. #[test] fn test_store_update_cert_store() -> Result<()> { let path = tempfile::tempdir()?; let cert_store = CertStore::open(&path).expect("exists"); test_store_update(cert_store) } // Test StoreUpdate::update for Certs. #[test] fn test_store_update_certs() -> Result<()> { let certs = Certs::empty(); test_store_update(certs) } // Test StoreUpdate::update for Pep. #[test] fn test_store_update_pep() -> Result<()> { let certs = Pep::empty()?; test_store_update(certs) } #[test] fn certs_multithreaded_update() -> Result<()> { let mut certs = Vec::new(); for cert in keyring::certs.iter() { let cert = Cert::from_bytes(&cert.bytes()).expect("valid"); certs.push(cert); } let mut fprs: Vec = certs.iter().map(|cert| cert.fingerprint()).collect(); fprs.sort(); fprs.dedup(); let backend = store::Certs::empty(); std::thread::scope(|s| { let backend = &backend; let threads = certs.into_iter() .map(|cert| { s.spawn(move || { // Really make sure all threads start by sleeping // for 10ms. std::thread::sleep(std::time::Duration::new(0, 10)); backend.update(Arc::new(LazyCert::from(cert))) .expect("ok"); }) }) .collect::>(); threads.into_iter().for_each(|h| { h.join().expect("joined"); }); }); assert_eq!(backend.certs().count(), fprs.len()); Ok(()) } } sequoia-cert-store-0.5.0/src/log.rs000064400000000000000000000073671046102023000153140ustar 00000000000000use std::cell::RefCell; // Like eprintln! macro_rules! log { ($dst:expr $(,)?) => ( eprintln!("{}", $dst) ); ($dst:expr, $($arg:tt)*) => ( eprintln!("{}", std::format!($dst, $($arg)*)) ); } // The indent level. It is increased with each call to tracer and // decremented when the tracer goes out of scope. thread_local! { pub static INDENT_LEVEL: RefCell = RefCell::new(0); } // Like eprintln!, but the first argument is a boolean, which // indicates if the string should actually be printed. macro_rules! trace { ( $TRACE:expr, $fmt:expr, $($pargs:expr),* ) => { if $TRACE { let indent_level = crate::log::INDENT_LEVEL.with(|i| { *i.borrow() }); let ws = " "; log!("{}{}", &ws[0..std::cmp::min(ws.len(), std::cmp::max(1, indent_level) - 1)], format!($fmt, $($pargs),*)); } }; ( $TRACE:expr, $fmt:expr ) => { trace!($TRACE, $fmt, ); }; } macro_rules! tracer { ( $TRACE:expr, $func:expr ) => { // Currently, Rust doesn't support $( ... ) in a nested // macro's definition. See: // https://users.rust-lang.org/t/nested-macros-issue/8348/2 #[allow(unused)] macro_rules! t { ( $fmt:expr ) => { trace!($TRACE, "{}: {}", $func, $fmt) }; ( $fmt:expr, $a:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a)) }; ( $fmt:expr, $a:expr, $b:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr, $i:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h, $i)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr, $i:expr, $j:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h, $i, $j)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr, $i:expr, $j:expr, $k:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h, $i, $j, $k)) }; } struct Indent {} impl Indent { fn init() -> Self { crate::log::INDENT_LEVEL.with(|i| { i.replace_with(|i| *i + 1); }); Indent {} } } impl Drop for Indent { fn drop(&mut self) { crate::log::INDENT_LEVEL.with(|i| { i.replace_with(|i| *i - 1); }); } } let _indent = Indent::init(); } } sequoia-cert-store-0.5.0/src/macros.rs000064400000000000000000000100221046102023000157750ustar 00000000000000/// A very simple profiling tool. /// /// Note: don't ever profile code that has not been compiled in /// release mode. There can be orders of magnitude difference in /// execution time between it and debug mode! /// /// This macro measures the wall time it takes to execute the block. /// If the time is at least $ms_threshold (in milli-seconds), then it /// displays the output on stderr. The output is prefixed with label, /// if it is provided. /// /// ```nocompile /// let result = time_it!("Some code", 10, { /// // Some code. /// 5 /// }); /// assert_eq!(result, 5); /// ``` #[allow(unused_macros)] macro_rules! time_it { ( $label:expr, $ms_threshold:expr, $body:expr ) => {{ use std::time::{SystemTime, Duration}; // We use drop so that code that uses non-local exits (e.g., // using break 'label) still works. struct Timer { start: SystemTime, } impl Drop for Timer { fn drop(&mut self) { let elapsed = self.start.elapsed(); if elapsed.clone().unwrap_or(Duration::from_millis($ms_threshold)) >= Duration::from_millis($ms_threshold) { if $label.len() > 0 { eprint!("{}:", $label); } eprintln!("{}:{}: {:?}", file!(), line!(), elapsed); } } } let _start = Timer { start: SystemTime::now() }; $body }}; ( $label:expr, $body:expr ) => { time_it!($label, 0, $body) }; ( $body:expr ) => { time_it!("", $body) }; } pub(crate) trait Sendable : Send {} pub(crate) trait Syncable : Sync {} /// A simple shortcut for ensuring a type is send and sync. /// /// For most types just call it after defining the type: /// /// ```ignore /// pub struct MyStruct {} /// assert_send_and_sync!(MyStruct); /// ``` /// /// For types with lifetimes, use the anonymous lifetime: /// /// ```ignore /// pub struct WithLifetime<'a> { _p: std::marker::PhantomData<&'a ()> } /// assert_send_and_sync!(WithLifetime<'_>); /// ``` /// /// For a type generic over another type `W`, /// pass the type `W` as a where clause /// including a trait bound when needed: /// /// ```ignore /// pub struct MyWriter { _p: std::marker::PhantomData } /// assert_send_and_sync!(MyWriter where W: std::io::Write); /// ``` /// /// This will assert that `MyWriterStruct` is `Send` and `Sync` /// if `W` is `Send` and `Sync`. /// /// You can also combine the two and be generic over multiple types. /// Just make sure to list all the types - even those without additional /// trait bounds: /// /// ```ignore /// pub struct MyWriterWithLifetime<'a, C, W: std::io::Write> { /// _p: std::marker::PhantomData<&'a (C, W)>, /// } /// assert_send_and_sync!(MyWriterWithLifetime<'_, C, W> where C, W: std::io::Write); /// ``` /// /// If you need multiple additional trait bounds on a single type /// you can add them separated by `+` like in normal where clauses. /// However you have to make sure they are `Identifiers` like `Write`. /// In macro patterns `Paths` (like `std::io::Write`) may not be followed /// by `+` characters. // This is copied from sequoia-openpgp/src/macros.rs. macro_rules! assert_send_and_sync { ( $x:ty where $( $g:ident$( : $a:path )? $(,)?)*) => { impl<$( $g ),*> crate::macros::Sendable for $x where $( $g: Send + Sync $( + $a )? ),* {} impl<$( $g ),*> crate::macros::Syncable for $x where $( $g: Send + Sync $( + $a )? ),* {} }; ( $x:ty where $( $g:ident$( : $a:ident $( + $b:ident )* )? $(,)?)*) => { impl<$( $g ),*> crate::macros::Sendable for $x where $( $g: Send + Sync $( + $a $( + $b )* )? ),* {} impl<$( $g ),*> crate::macros::Syncable for $x where $( $g: Send + Sync $( + $a $( + $b )* )? ),* {} }; ( $x:ty ) => { impl crate::macros::Sendable for $x {} impl crate::macros::Syncable for $x {} }; } sequoia-cert-store-0.5.0/src/store/certd.rs000064400000000000000000001716161046102023000167670ustar 00000000000000use std::borrow::Cow; use std::collections::BTreeMap; use std::collections::btree_map; use std::iter; use std::path::Path; use std::path::PathBuf; use std::str; use std::sync::Arc; use std::sync::Mutex; use std::time::Duration; use std::time::SystemTime; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::Result; use openpgp::cert::prelude::*; use openpgp::cert::raw::RawCertParser; use openpgp::packet::Packet; use openpgp::packet::UserID; use openpgp::packet::signature::SignatureBuilder; use openpgp::parse::Parse; use openpgp::serialize::SerializeInto; use openpgp::types::KeyFlags; use openpgp::types::SignatureType; use openpgp_cert_d as cert_d; use crate::LazyCert; use crate::store::Certs; use crate::store::MergeCerts; use crate::store::Store; use crate::store::StoreUpdate; use crate::store::UserIDQueryParams; use crate::TRACE; /// The creation time for the trust root and intermediate CAs. /// /// We use a creation time in the past (Feb 2002) so that it is still /// possible to use the CA when the reference time is in the past. fn ca_creation_time() -> SystemTime { SystemTime::UNIX_EPOCH + Duration::new(1014235320, 0) } struct CA<'a> { cert: Arc>, // The tag of the file stored under the special name. special_tag: cert_d::Tag, // The tag of the file stored under the fingerprint. public_tag: cert_d::Tag, } assert_send_and_sync!(CA<'_>); pub struct CertD<'a> { certd: cert_d::CertD, certs: Certs<'a>, /// A cache of the trust root, and shadow CAs keyed by the cert-d /// special name. cas: Mutex>>, } assert_send_and_sync!(CertD<'_>); impl<'a> CertD<'a> { /// Returns the canonicalized path. /// /// If path is `None`, then returns the default location. fn path(path: Option<&Path>) -> Result { if let Some(path) = path { Ok(path.to_owned()) } else { Ok(cert_d::CertD::user_configured_store_path()?) } } /// Opens the default cert-d for reading and writing. pub fn open_default() -> Result { let path = Self::path(None)?; Self::open(path) } /// Opens a cert-d for reading and writing. pub fn open

(path: P) -> Result where P: AsRef, { tracer!(TRACE, "CertD::open"); let path = path.as_ref(); t!("loading cert-d {:?}", path); let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { t!("While opening the certd {:?}: {}", path, err); let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); err })?; let mut certd = Self { certd, certs: Certs::empty(), cas: Default::default(), }; certd.initialize(true)?; Ok(certd) } /// Returns a reference to the low-level `CertD`. pub fn certd(&self) -> &cert_d::CertD { &self.certd } /// Returns a mutable reference to the low-level `CertD`. pub fn certd_mut(&mut self) -> &mut cert_d::CertD { &mut self.certd } // Initialize a certd by reading the entries and populating the // index. fn initialize(&mut self, lazy: bool) -> Result<()> { use rayon::prelude::*; tracer!(TRACE, "CertD::initialize"); let open = |fpr: &str| -> Option<( _, _)> { match self.certd.get_file(&fpr) { Ok(Some(file)) => { match cert_d::Tag::try_from(&file) { Ok(tag) => Some((tag, file)), Err(err) => { t!("Reading tag for {}: {}", fpr, err); None } } } Ok(None) => { t!("{} disappeared", fpr); None } Err(err) => { t!("Failed to read {}: {}", fpr, err); None } } }; let items = self.certd.fingerprints() .filter_map(|fpr| fpr.ok()); let result: Vec<(String, cert_d::Tag, LazyCert)> = if lazy { items.collect::>().into_par_iter() .filter_map(|fp| { // XXX: Once we have a cached tag, avoid the // work if tags match. t!("loading {} from overlay", fp); let (tag, file) = open(&fp)?; let mut parser = match RawCertParser::from_reader(file) { Ok(parser) => parser, Err(err) => { t!("While reading {:?} from the certd {:?}: {}", fp, self.certd.base_dir(), err); return None; } }; match parser.next() { Some(Ok(cert)) => Some((fp, tag, LazyCert::from(cert))), Some(Err(err)) => { t!("While parsing {:?} from the certd {:?}: {}", fp, self.certd.base_dir(), err); None } None => { t!("While parsing {:?} from the certd {:?}: empty file", fp, self.certd.base_dir()); None } } }) .collect() } else { // For performance reasons, we read, parse, and // canonicalize certs in parallel. items.collect::>().into_par_iter() .filter_map(|fp| { let (tag, file) = open(&fp)?; // XXX: Once we have a cached tag and // presumably a Sync index, avoid the work if // tags match. t!("loading {} from overlay", fp); match Cert::from_reader(file) { Ok(cert) => Some((fp, tag, LazyCert::from(cert))), Err(err) => { t!("While parsing {:?} from the certd {:?}: {}", fp, self.certd.base_dir(), err); None } } }) .collect() }; for (fp, _tag, cert) in result { if let Err(err) = self.certs.update(Arc::new(cert)) { // This is an in-memory index and updates doesn't // fail. Nevertheless, we don't panic. t!("Error inserting {} into the in-memory index: {}", fp, err); } } Ok(()) } /// Returns the certificate directory's local trust root, and /// whether it was just created. /// /// If the local trust root does not yet exist, it is created. pub fn trust_root(&self) -> Result<(Arc>, bool)> { self.get_ca(cert_d::TRUST_ROOT, true, &UserID::from_static_bytes(b"Local Trust Root"), None) } /// Converts a shadow CA's name to a certificate directory's /// special name. /// /// For instance, this converts "keys.openpgp.org" to its special /// name. fn shadow_ca_special(name: &str) -> Cow { if name == cert_d::TRUST_ROOT { Cow::Borrowed(name) } else { Cow::Owned(format!("_sequoia_ca_{}.pgp", name)) } } // '/', '\\', ':', and whitespace are invalid. fn valid_name(name: &str) -> bool { name.chars().all(Self::valid_char) } /// Returns whether `c` may be used in names. fn valid_char(c: char) -> bool { ! (c.is_whitespace() || c == '/' || c == '\\' || c == ':') } /// Returns a shadow CA's key, and whether it was just created. /// /// # Introduction /// /// Shadow CAs are used to encode evidence of a binding's veracity /// in standard web of trust data structures so that the /// information can be automatically incorportated into web of /// trust calculations. /// /// Consider [`keys.openpgp.org`], which is a verifying keyserver. /// `keys.openpgp.org` checks whether a user ID should be /// associated with a certificate using a challenge-response /// authentication scheme. When someone uploads a certificate, /// `keys.openpgp.org` iterates over the user IDs, and if a user /// ID contains an email address, sends an email to it containing /// a secret link. The owner of the email address can visit the /// link to confirm to `keys.openpgp.org` that the email address /// should be associated with the certificate. /// /// Although `keys.openpgp.org` verifies User IDs, it does not /// issue third-party certifications attesting to that fact. But, /// clients can infer this from `keys.openpgp.org` behavior: when /// `keys.openpgp.org` returns a certificate, it only returns user /// IDs that it has verified as belonging to the certificate. /// /// An OpenPGP client could record the fact that /// `keys.openpgp.org` returned a user ID in a database. The main /// question is then how to combine that information with other /// information in a coherent manner. Alternatively, we can /// encode the assertion as a certification using a so-called /// shadow CA. By encoding this information as a normal OpenPGP /// artifact, it can be directly integrated into web of trust /// calculations; another, parallel system to combine evidence is /// not needed. /// /// [keys.openpgp.org]: https://keys.openpgp.org /// /// # Usage /// /// `name` is the shadow CA's name. This is converted to the /// special name `_sequoia_ca_ + name + .pgp`. Names must not /// contain white space (` ` or `\n`), path separators (`\` or /// `/`), or colons (`:`). /// /// If the shadow CA doesn't exist and `create` is true, it is /// created. In this case, the user ID is set to `userid`, and if /// `trust_amount` is greater than 0, it is designed a trusted /// introducer by the last `CA` listed in `intermediaries`, or the /// local trust root, if the list is empty. The certification's /// trust amount is set to `trust_amount`. /// /// `intermediaries` is a list of tuples consisting of a name, a /// user ID, and a trust amount. Each tuple corresponds to an /// intermediary shadow CA. It may be empty; the local trust root /// is always the trust anchor and shouldn't be listed explicitly. /// /// This function works from the trust root towards the shadow CA. /// If an intermediate shadow CA does not exist and `create` is /// true, it is created, and certified by its parent CA. /// /// On success, the shadow CA is returned, and whether the shadow /// CA was just created. /// /// # Examples /// /// The following code looks up the shadow CA for /// `keys.openpgp.org`. It is not directly certified by the trust /// root, but by a partially trusted intermediary named /// `public_directories`, which acts as a type of resistor for all /// public directories. Note: if you are actually looking up the /// shadow CA for `keys.openpgp.org`, you should use /// [`CertD::shadow_ca_keys_openpgp_org`] instead. /// /// The local key for `keys.openpgp.org` is then used to certify /// the user IDs on a certificate, which was presumably returned /// by `keys.openpgp.org`. /// /// ```rust /// use std::sync::Arc; /// /// use anyhow::Context; /// /// use sequoia_openpgp as openpgp; /// use openpgp::cert::CertBuilder; /// use openpgp::Cert; /// use openpgp::packet::Packet; /// use openpgp::packet::UserID; /// use openpgp::packet::signature::SignatureBuilder; /// use openpgp::types::SignatureType; /// /// use sequoia_cert_store as cert_store; /// use cert_store::LazyCert; /// use cert_store::store::certd::CertD; /// use cert_store::store::StoreUpdate; /// /// # fn main() -> openpgp::Result<()> { /// # let certd_path = tempfile::tempdir()?; /// let mut certd = CertD::open(&certd_path)?; /// /// let (koo, _created) = certd.shadow_ca( /// "keys.openpgp.org", /// true, /// "Downloaded from keys.openpgp.org", /// 1, /// &[ /// ( "public_directories", UserID::from("Public Directories"), 40), /// ])?; /// /// // Pretend the following certificate was fetched from keys.openpgp.org. /// let alice_userid = ""; /// let (alice, _rev) = CertBuilder::general_purpose(None, Some(alice_userid)) /// .generate()?; /// /// // Certify the binding using the shadow CA. /// let mut koo_signer = koo.to_cert()?.primary_key().key().parts_as_secret() /// .context("CA is not certification capable.")? /// .clone().into_keypair() /// .context("CA is not certification capable.")?; /// /// let sig = SignatureBuilder::new(SignatureType::GenericCertification) /// .set_exportable_certification(false)? /// .sign_userid_binding( /// &mut koo_signer, /// alice.primary_key().key(), /// &UserID::from(alice_userid)) /// .context("Signing binding")?; /// /// let alice = alice.insert_packets([ /// Packet::from(UserID::from(alice_userid)), /// Packet::from(sig), /// ])?; /// /// certd.update(Arc::new(LazyCert::from(alice))); /// # Ok(()) } /// ``` pub fn shadow_ca(&self, name: &str, create: bool, userid: U, trust_amount: u8, intermediaries: &[(&str, UserID, u8)], ) -> Result<(Arc>, bool)> where U: Into, { let userid = userid.into(); tracer!(TRACE, "CertD::shadow_ca"); t!("{}, create: {}, userid: {:?}, {}, {} intermediaries", name, create, String::from_utf8_lossy(userid.value()), trust_amount, intermediaries.len()); let name = CertD::shadow_ca_special(name); // If the CA is cached in memory, short-circuit everything. if let Ok(result) = self.get_ca(&name, false, &userid, None) { t!("Returning cached certificate {} for {}", result.0.fingerprint(), name); return Ok(result); } // Iterate from the trust root towards the shadow CA. let mut ca: (Arc, bool) = self.get_ca( cert_d::TRUST_ROOT, create, &UserID::from_static_bytes(b"Local Trust Root"), None)?; for (name, userid, trust_amount) in intermediaries .into_iter() .map(|(name, userid, amount)| { (CertD::shadow_ca_special(name), userid, *amount) }) .chain(iter::once((name, &userid, trust_amount))) { if ! Self::valid_name(&name) { return Err(cert_d::Error::BadName.into()); } t!("Getting {} (create: {}, userid: {:?}, {})", name, create, String::from_utf8_lossy(userid.value()), trust_amount); ca = self.get_ca(&name, create, &userid, Some((ca.0, trust_amount)))?; t!("{} -> {}", name, ca.0.fingerprint()); } Ok(ca) } /// Returns the specified CA, optionally creating and certifying /// it if it doesn't exist. /// /// See [`CertD::shadow_ca`] for details about shadow CAs. /// /// This function first checks if the specified CA is in the /// in-memory cache. If so, it checks that the cached version is /// up to date, and then returns the result. /// /// If the CA is not in the in-memory cache, it is loaded from /// disk. If it doesn't exist on disk an `create` is `true`, it /// the shadow CA is created. See [`CertD::load_ca`] for details /// of what is exactly done. fn get_ca(&self, special_name: &str, create: bool, userid: &UserID, parent: Option<(Arc>, u8)>) -> Result<(Arc>, bool)> { tracer!(TRACE, "CertD::get_ca"); let mut cas = self.cas.lock().unwrap(); let get_if_changed = |tag, name| -> Result> { match self.certd.get_if_changed(tag, name) { Ok(None) => { // The certificate on disk did not change. return Ok(None); }, Ok(Some((new_tag, bytes))) => { // The certificate on disk changed. Reparse it. t!("{} changed on disk, reloading.", name); match Cert::from_bytes(&bytes) { Ok(cert) => { return Ok(Some((cert, new_tag))); } Err(err) => { // An error occurred while parsing the // data. That's not great. We just keep // using what we have. t!("While reparsing {}: {}", name, err); return Ok(None); } } } // An error occurred while reading the file. That's // not great. We just keep using what we have. Err(err) => { t!("While rereading {}: {}", name, err); return Ok(None); } } }; if let Some(CA { cert: ca, special_tag, public_tag }) = cas.get_mut(special_name) { // The certificate is cached it memory. Make sure the // in-memory version is up to date. t!("{} -> {} is cached in memory", special_name, ca.fingerprint()); if let Some((cert, tag)) = get_if_changed(*special_tag, special_name)? { *ca = Arc::new(LazyCert::from( ca.to_cert()? .clone() .merge_public_and_secret(cert)?)); *special_tag = tag; } if let Some((cert, tag)) = get_if_changed(*public_tag, &ca.fingerprint().to_string())? { *ca = Arc::new(LazyCert::from( ca.to_cert()? .clone() .merge_public_and_secret(cert)?)); *public_tag = tag; } Ok((Arc::clone(ca), false)) } else { // The certificate is not cached in memory; we need to // read it from disk, or generate it. let (ca, created) = self.load_ca(special_name, create, userid, parent)?; let cert = Arc::clone(&ca.cert); t!("Loaded {} ({}) from disk, caching in memory", special_name, cert.fingerprint()); match cas.entry(special_name.to_string()) { btree_map::Entry::Occupied(mut oe) => { oe.insert(ca); } btree_map::Entry::Vacant(ve) => { ve.insert(ca); } } Ok((cert, created)) } } /// Loads a CA's certificate from the certificate directory, or /// optionally generates one if it does not exist. /// /// Loads the certificate stored under the specified special name /// from the certificate directory. If the special name exists, /// this also reads and merges in the certificate data stored /// under the fingerprint. /// /// If `create` is `false` and the certificate does not exist, /// returns `std::io::ErrorKind::NotFound`. /// /// If `create` is `true`, and we need to generate a certificate, /// we are careful to so while we hold the certificate directory's /// lock to avoid races. /// /// If we create a certificate, and `parent` is not `None`, then /// we certify the certificate using `parent` as a trusted /// introducer for the specified trust amount. Note: if the CA is /// not created, this function does **not** check that the parent /// has certified the CA. /// /// If we create a certificate, we write it to disk under both its /// special name, and its fingerprint. fn load_ca(&self, name: &str, create: bool, userid: &UserID, parent: Option<(Arc>, u8)>) -> Result<(CA<'a>, bool)> { tracer!(TRACE, "CertD::load_ca"); let certd = self.certd(); // Exclusively lock the certificate directory by inserting the // trust root. We may discover that the trust already exists. // In that case, we won't generate a new one, but just load // the existing one. let mut ca = Err(anyhow::anyhow!("merge callback not invoked")); let mut created = false; let (special_tag, _) = certd.insert_special( name, (), false, |(), disk| { if let Some(disk) = disk { // We have one. ca = Cert::from_bytes(&disk); Ok(cert_d::MergeResult::Keep) } else if create { // We don't have one, and we should create one. let key = Self::generate_ca_key(userid)?; t!("Created {} for {}", key.fingerprint(), name); let bytes = key.as_tsk().to_vec()?; ca = Ok(key); created = true; Ok(cert_d::MergeResult::Data(bytes)) } else { // We don't have one, and we shouldn't create one. Err(cert_d::Error::Other( std::io::Error::new( std::io::ErrorKind::NotFound, format!("{} not found", name)).into())) } })?; let mut ca = ca?; let ca_fpr = format!("{:x}", ca.fingerprint()); let mut certify = |parent_cert: Arc, trust_amount| -> Result<()> { t!("Using {} to make {} a trusted introducer", parent_cert.fingerprint(), ca.fingerprint()); let mut signer = parent_cert .to_cert()? .primary_key() .key() .parts_as_secret() .context("Trust root can't be used for signing.")? .clone() .into_keypair() .context("Trust root can't be used for signing.")?; let sig = SignatureBuilder::new(SignatureType::GenericCertification) .set_exportable_certification(false)? .set_trust_signature(255, trust_amount)? .set_signature_creation_time(ca_creation_time())? .sign_userid_binding( &mut signer, ca.primary_key().key(), &userid) .with_context(|| { format!("Creating certification for {} {:?}", ca.fingerprint(), String::from_utf8_lossy(userid.value())) })?; ca = ca.clone().insert_packets([ Packet::from(userid.clone()), Packet::from(sig), ])?; Ok(()) }; let public_tag = if created { // Make the CA a trusted introducer. if let Some((parent_cert, trust_amount)) = parent { if let Err(err) = certify(parent_cert, trust_amount) { // XXX: What should we do with the error? t!("Failed to authorize CA, {:?}: {}", userid, err); } } // Insert the public bits under the fingerprint. let (public_tag, _) = certd.insert( &ca_fpr, &ca, false, |new, _old| { Ok(cert_d::MergeResult::Data(new.to_vec()?)) })?; public_tag } else { // We didn't create it. Read in the public version and // merge it. match certd.get(&ca_fpr) { Ok(Some((public_tag, bytes))) => { let cert = Cert::from_bytes(&bytes) .with_context(|| { format!("Parsing {}'s public certificate ({})", name, ca.fingerprint()) })?; ca = ca.clone().merge_public(cert) .with_context(|| { format!("Merging {}'s public certificate ({})", name, ca.fingerprint()) })?; public_tag } Ok(None) => { // The certificate is saved under the special // name, but not its fingerprint. Something went // wrong in the past, but we can fix it. let (public_tag, _) = certd.insert( &ca_fpr, &ca, false, |new, _old| { Ok(cert_d::MergeResult::Data(new.to_vec()?)) })?; public_tag } Err(err) => { t!("Reading {}'s public certificate: {}", name, err); return Err(err.into()); } } }; let ca = CA { cert: Arc::new(LazyCert::from(ca)), special_tag, public_tag, }; Ok((ca, created)) } /// Returns a new key, which is appropriate for a CA. /// /// That is, it has just a certification capable primary and no /// subkeys. fn generate_ca_key(userid: &UserID) -> Result { let (root, _) = CertBuilder::new() .set_primary_key_flags(KeyFlags::empty().set_certification()) .set_exportable(false) .set_creation_time(ca_creation_time()) // CAs should *not* expire. .set_validity_period(None) .add_userid(userid.clone()) .generate()?; Ok(root) } const PUBLIC_DIRECTORY_NAME: &'static str = "public_directories"; const PUBLIC_DIRECTORY_USERID: UserID = UserID::from_static_bytes(b"Public Directories"); const PUBLIC_DIRECTORY_TRUST_AMOUNT: u8 = 40; /// A local, intermediate CA used to authorize the shadow CAs for /// public directories. /// /// Shadow CAs for public directories like /// `hkps://keys.openpgp.org` and WKD are not directly certified /// by the local trust root, but by a local, intermediate CA. /// This CA acts as a resistor, which limits the combined trust /// amount of public directories. pub fn public_directory_ca(&self) -> Result<(Arc>, bool)> { self.shadow_ca( Self::PUBLIC_DIRECTORY_NAME, true, Self::PUBLIC_DIRECTORY_USERID, Self::PUBLIC_DIRECTORY_TRUST_AMOUNT, &[]) } fn via_public_directory_ca(&self, name: &str, userid: &str) -> Result<(Arc>, bool)> { self.shadow_ca( name, true, userid, // A public directory has the smallest, positive trust // amount: 1 out of 120. 1, &[ // The public directory CA acts as a resistor and // limits the combined trust amount of public // directories. (Self::PUBLIC_DIRECTORY_NAME, Self::PUBLIC_DIRECTORY_USERID, Self::PUBLIC_DIRECTORY_TRUST_AMOUNT), ]) } /// Returns the shadow CA for keys.openpgp.org. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_keys_openpgp_org(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "keys.openpgp.org", "Downloaded from keys.openpgp.org") } /// Returns the shadow CA for Proton. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_proton_me(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "proton.me", "Downloaded from Proton Mail") } /// Returns the shadow CA for keys.mailvelope.com. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_keys_mailvelope_com(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "keys.mailvelope.com", "Downloaded from keys.mailvelope.com") } /// Returns the shadow CA for WKDs. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_wkd(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "wkd", "Downloaded from a Web Key Directory (WKD)") } /// Returns the shadow CA for DANE. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_dane(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "dane", "Downloaded from DANE") } const WEB_NAME: &'static str = "web"; const WEB_USERID_STR: &'static str = "Downloaded from the Web"; const WEB_USERID: UserID = UserID::from_static_bytes(b"Downloaded from the Web"); const WEB_TRUST_AMOUNT: u8 = 1; /// Returns the shadow CA for the Web. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_web(&self) -> Result<(Arc>, bool)> { debug_assert_eq!(Self::WEB_USERID_STR.as_bytes(), Self::WEB_USERID.value()); self.via_public_directory_ca( Self::WEB_NAME, Self::WEB_USERID_STR) } /// Returns the shadow CA for the give URL. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_for_url(&self, url: &str) -> Result>, bool)>> { debug_assert_eq!(Self::WEB_USERID_STR.as_bytes(), Self::WEB_USERID.value()); // First, parse and sanitize the URL. let mut url = sequoia_net::reqwest::Url::parse(url)?; // We only certify the certificate if the transport was // encrypted and authenticated. if url.scheme() != "https" { return Ok(None); } // Drop sensitive and irrelevant information. url.set_username("").expect("https? supports authentication"); url.set_password(None).expect("https? supports authentication"); url.set_fragment(None); // Percent-encode characters not valid in names. let mut name = String::from("shadow_of_url_"); for c in url.as_str().chars() { if Self::valid_char(c) && c != '%' { name.push(c); } else { // Note: all invalid chars are ASCII characters, so // u8::try_from will succeed. debug_assert_eq!(c.len_utf8(), 1); name.push_str( &format!("%{:02X}", u8::try_from(c).unwrap_or(0))); } } self.shadow_ca( &name, true, format!("Downloaded from {}", url.as_str()), 1, &[ (Self::PUBLIC_DIRECTORY_NAME, Self::PUBLIC_DIRECTORY_USERID, Self::PUBLIC_DIRECTORY_TRUST_AMOUNT), (Self::WEB_NAME, Self::WEB_USERID, Self::WEB_TRUST_AMOUNT), ]) .map(Some) } /// Returns a shadow CA for the specified keyserver. /// /// If a keyserver is not known to be a verifying keyserver, then /// this returns `Ok(None)`. /// /// The URI should be of the form `hkps://server.example.com`. /// Other protocols are not supported. The server name is matched /// case insensitively. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_keyserver(&self, uri: &str) -> Result>, bool)>> { let uri = uri.to_ascii_lowercase(); // We only certify the certificate if the transport was // encrypted and authenticated. let server = if let Some(server) = uri.strip_prefix("hkps://") { server } else { return Ok(None); }; let server = server.strip_suffix("/").unwrap_or(server); // A basic sanity check on the name, which we are about to use // as a filename: it can't start with a dot, and no // whitespace, no slashes, and no colons are allowed. if server.chars().next() == Some('.') || ! Self::valid_name(server) { return Ok(None); } // The known verifying key servers. match &server[..] { "keys.openpgp.org" | "keys.openpgp.io" => self.shadow_ca_keys_openpgp_org().map(Some), "keys.mailvelope.com" => self.shadow_ca_keys_mailvelope_com().map(Some), "mail-api.proton.me" | "api.protonmail.ch" => self.shadow_ca_proton_me().map(Some), _ => Ok(None), } } const AUTOCRYPT_NAME: &'static str = "autocrypt"; const AUTOCRYPT_USERID: UserID = UserID::from_static_bytes(b"Imported from Autocrypt"); const AUTOCRYPT_TRUST_AMOUNT: u8 = 40; /// Returns the shadow CA for Autocrypt. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_autocrypt(&self) -> Result<(Arc>, bool)> { self.shadow_ca( Self::AUTOCRYPT_NAME, true, Self::AUTOCRYPT_USERID, Self::AUTOCRYPT_TRUST_AMOUNT, &[]) } const AUTOCRYPT_GOSSIP_NAME: &'static str = "autocrypt-gossip"; const AUTOCRYPT_GOSSIP_USERID: UserID = UserID::from_static_bytes(b"Imported from Autocrypt Gossip"); const AUTOCRYPT_GOSSIP_TRUST_AMOUNT: u8 = 40; /// Returns the shadow CA for Autocrypt Gossip. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_autocrypt_gossip(&self) -> Result<(Arc>, bool)> { self.shadow_ca( Self::AUTOCRYPT_GOSSIP_NAME, true, Self::AUTOCRYPT_GOSSIP_USERID, Self::AUTOCRYPT_GOSSIP_TRUST_AMOUNT, &[ (Self::AUTOCRYPT_NAME, Self::AUTOCRYPT_USERID, Self::AUTOCRYPT_TRUST_AMOUNT), ]) } /// Returns the shadow CA for recording Autocrypt Gossip in the /// name of the given cert and sender address. /// /// If you observe an Autocrypt mail from `addr` signed by `cert`, /// and the message contains Autocrypt Gossip headers in the /// encrypted payload, use this function to get a shadow CA to /// turn the Autocrypt Gossip into OpenPGP certifications. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_autocrypt_gossip_for(&self, cert: &Cert, addr: &str) -> Result<(Arc>, bool)> { // Sanity-check the address. let u = UserID::from_address( "Autocrypt Gossip from".into(), None, addr)?; self.shadow_ca( &format!("shadow_of_{:x}", cert.fingerprint()), true, u, 1, &[ (Self::AUTOCRYPT_NAME, Self::AUTOCRYPT_USERID, Self::AUTOCRYPT_TRUST_AMOUNT), (Self::AUTOCRYPT_GOSSIP_NAME, Self::AUTOCRYPT_GOSSIP_USERID, Self::AUTOCRYPT_GOSSIP_TRUST_AMOUNT), ]) } } impl<'a> Store<'a> for CertD<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { self.certs.lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { self.certs.lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { self.certs.lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { self.certs.select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { self.certs.lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { self.certs.grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { self.certs.lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { self.certs.grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { self.certs.lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { self.certs.fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { self.certs.certs() } fn prefetch_all(&self) { self.certs.prefetch_all() } fn prefetch_some(&self, certs: &[KeyHandle]) { self.certs.prefetch_some(certs) } } impl<'a> StoreUpdate<'a> for CertD<'a> { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "CertD::update_by"); t!("Inserting {}", cert.fingerprint()); // This is slightly annoying: cert-d expects bytes. But // serializing cert is a complete waste if we have to merge // the certificate with another one. cert-d actually only // needs the primary key, which it uses to derive the // fingerprint, so, we only serialize that. let fpr = cert.fingerprint(); let fpr_str = format!("{:x}", fpr); let mut merged = None; self.certd.insert(&fpr_str, (), false, |(), disk_bytes| { let disk: Option> = if let Some(disk_bytes) = disk_bytes { let mut parser = RawCertParser::from_bytes(disk_bytes) .with_context(|| { format!("Parsing {} as returned from the cert directory", fpr) }) .map_err(|err| { t!("Reading disk version: {}", err); err })?; let disk = parser.next().transpose() .with_context(|| { format!("Parsing {} as returned from the cert directory", fpr) }) .map_err(|err| { t!("Parsing disk version: {}", err); err })?; disk.map(|disk| Arc::new(LazyCert::from(disk))) } else { t!("No disk version"); None }; let merged_ = merge_strategy.merge_public(cert, disk) .with_context(|| { format!("Merging versions of {}", fpr) }) .map_err(|err| { t!("Merging: {}", err); err })?; let bytes = merged_.to_vec()?; merged = Some(merged_); Ok(cert_d::MergeResult::Data(bytes)) })?; let merged = merged.expect("set"); // Inserting into the in-memory index is infallible. if let Err(err) = self.certs.update(merged) { t!("Inserting {} into in-memory index: {}", fpr, err); } // Annoyingly, there is no easy way to get index to return a // reference to what it just inserted. Ok(self.certs.lookup_by_cert_fpr(&fpr).expect("just set")) } } #[cfg(test)] mod tests { use super::*; use anyhow::Context; use openpgp::packet::UserID; use openpgp::policy::StandardPolicy; use openpgp::serialize::Serialize; use crate::store::StoreError; use crate::tests::print_error_chain; // Make sure that we can read a huge cert-d. Specifically, the // typical file descriptor limit is 1024. Make sure we can // initialize and iterate over a cert-d with a few more entries // than that. #[test] fn huge_cert_d() -> Result<()> { let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; // Generate some certificates and write them to a cert-d using // the low-level interface. const N: usize = 1050; let mut certs = Vec::new(); let mut certs_fpr = Vec::new(); let mut subkeys_fpr = Vec::new(); let mut userids = Vec::new(); for i in 0..N { let userid = format!("<{}@example.org>", i); let (cert, _rev) = CertBuilder::new() .set_cipher_suite(CipherSuite::Cv25519) .add_userid(UserID::from(&userid[..])) .add_storage_encryption_subkey() .generate() .expect("ok"); certs_fpr.push(cert.fingerprint()); subkeys_fpr.extend(cert.keys().subkeys().map(|ka| ka.fingerprint())); userids.push(userid); let mut bytes = Vec::new(); cert.serialize(&mut bytes).expect("can serialize to a vec"); certd .insert_data(&bytes, false, |new, disk| { assert!(disk.is_none()); Ok(cert_d::MergeResult::DataRef(new)) }) .with_context(|| { format!("{:?} ({})", path, cert.fingerprint()) }) .expect("can insert"); certs.push(cert); } // One subkey per certificate. assert_eq!(certs_fpr.len(), subkeys_fpr.len()); certs_fpr.sort(); // Open the cert-d and make sure we can read what we wrote via // the low-level interface. let certd = CertD::open(&path).expect("exists"); // Test Store::iter. In particular, make sure we get // everything back. let mut certs_read = certd.certs().collect::>(); assert_eq!( certs_read.len(), certs.len(), "Looks like you're exhausting the available file descriptors"); certs_read.sort_by_key(|c| c.fingerprint()); let certs_read_fpr = certs_read.iter().map(|c| c.fingerprint()).collect::>(); assert_eq!(certs_fpr, certs_read_fpr); // Test Store::by_cert. for cert in certs.iter() { let certs_read = certd.lookup_by_cert(&cert.key_handle()).expect("present"); // We expect exactly one cert. assert_eq!(certs_read.len(), 1); let cert_read = certs_read.iter().next().expect("have one") .to_cert().expect("valid"); assert_eq!(cert_read, cert); } for subkey in subkeys_fpr.iter() { let kh = KeyHandle::from(subkey.clone()); match certd.lookup_by_cert(&kh) { Ok(certs) => panic!("Expected nothing, got {} certs", certs.len()), Err(err) => { if let Some(&StoreError::NotFound(ref got)) = err.downcast_ref::() { assert_eq!(&kh, got); } else { panic!("Expected NotFound, got: {}", err); } } } } // Test Store::lookup_by_cert_or_subkey. for fpr in certs.iter().map(|cert| cert.fingerprint()) .chain(subkeys_fpr.iter().cloned()) { let certs_read = certd.lookup_by_cert_or_subkey(&KeyHandle::from(fpr.clone())).expect("present"); // We expect exactly one cert. assert_eq!(certs_read.len(), 1); let cert_read = certs_read.iter().next().expect("have one") .to_cert().expect("valid"); assert!(cert_read.keys().any(|k| k.fingerprint() == fpr)); } // Test Store::lookup_by_userid. for userid in userids.iter() { let userid = UserID::from(&userid[..]); let certs_read = certd.lookup_by_userid(&userid).expect("present"); // We expect exactly one cert. assert_eq!(certs_read.len(), 1); let cert_read = certs_read.iter().next().expect("have one") .to_cert().expect("valid"); assert!(cert_read.userids().any(|u| u.userid() == &userid)); } Ok(()) } #[test] fn shadow_ca() -> Result<()> { tracer!(true, "shadow_ca"); let path = tempfile::tempdir()?; let certd = CertD::open(&path)?; // Check that the special exists, and includes secret key // material, and that there is a corresponding entry under its // fingerprint, which doesn't include any secret key material. let check = |name: &str| { t!("check({})", name); assert!(cert_d::CertD::is_special(name).is_ok()); let (_tag, ca) = certd.certd() .get(name) .unwrap() .expect("exists"); let ca = Cert::from_bytes(&ca).expect("valid"); assert!(ca.is_tsk()); let (_tag, cert) = certd.certd() .get(&ca.fingerprint().to_string()) .unwrap() .expect("exists"); let cert = Cert::from_bytes(&cert).expect("valid"); assert!(! cert.is_tsk()); assert_eq!(ca.fingerprint(), cert.fingerprint()); ca }; let (koo, _tag) = certd.shadow_ca( "keys.openpgp.org", true, UserID::from_static_bytes(b"Downloaded from keys.openpgp.org"), 1, &[ ( "public_directories", UserID::from_static_bytes(b"Public Directories"), 10, ), ])?; let cert = check(&CertD::shadow_ca_special("keys.openpgp.org")); assert_eq!(cert.fingerprint(), koo.fingerprint()); let public_directories = check(&CertD::shadow_ca_special("public_directories")); let trust_root = check(&CertD::shadow_ca_special(cert_d::TRUST_ROOT)); let (dane, _tag) = certd.shadow_ca( "dane", true, UserID::from_static_bytes(b"Downloaded from DANE"), 1, &[ ( "public_directories", UserID::from_static_bytes(b"Public Directories"), 10), ])?; let cert = check(&CertD::shadow_ca_special("dane")); assert_eq!(cert.fingerprint(), dane.fingerprint()); let cert = check(&CertD::shadow_ca_special("keys.openpgp.org")); assert_eq!(cert.fingerprint(), koo.fingerprint()); let cert = check(&CertD::shadow_ca_special("public_directories")); assert_eq!(cert, public_directories); let cert = check(&CertD::shadow_ca_special(cert_d::TRUST_ROOT)); assert_eq!(cert, trust_root); let (tofu, _tag) = certd.shadow_ca( "tofu", true, UserID::from_static_bytes(b"Trust on First Use (TOFU)"), 120, &[])?; let cert = check(&CertD::shadow_ca_special("tofu")); assert_eq!(cert.fingerprint(), tofu.fingerprint()); let cert = check(&CertD::shadow_ca_special("dane")); assert_eq!(cert.fingerprint(), dane.fingerprint()); let cert = check(&CertD::shadow_ca_special("keys.openpgp.org")); assert_eq!(cert.fingerprint(), koo.fingerprint()); let cert = check(&CertD::shadow_ca_special("public_directories")); assert_eq!(cert, public_directories); let cert = check(&CertD::shadow_ca_special(cert_d::TRUST_ROOT)); assert_eq!(cert, trust_root); Ok(()) } #[test] fn shadow_ca_keyserver() -> Result<()> { tracer!(true, "keyserver_shadow_ca"); let path = tempfile::tempdir()?; let test = |certd: &CertD, may_create: bool| { let (koo, created) = certd.shadow_ca_keys_openpgp_org().unwrap(); if ! may_create { assert!(! created); } let koo = koo.fingerprint(); let (mailvelope, created) = certd.shadow_ca_keys_mailvelope_com().unwrap(); if ! may_create { assert!(! created); } let mailvelope = mailvelope.fingerprint(); let lookup = |uri, expected: Option<&Fingerprint>| { let result = certd.shadow_ca_keyserver(uri).unwrap(); if let Some(fingerprint) = expected { let (ca, created) = result.expect("valid URI"); if ! may_create { assert!(! created); } assert_eq!(fingerprint, &ca.fingerprint()); } else { assert!(result.is_none()); } }; lookup("hkps://keys.openpgp.org", Some(&koo)); lookup("HKPS://KEYS.OPENPGP.ORG", Some(&koo)); lookup("HKPS://KEYS.OPENPGP.io", Some(&koo)); // hkp is not considered secure. lookup("hkp://keys.openpgp.org", None); // https is not the right protocol. lookup("https://keys.openpgp.org", None); // Not a verifying keyserver. lookup("hkps://keyserver.ubuntu.com", None); lookup("hkps://keys.mailvelope.com", Some(&mailvelope)); }; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; test(&certd, true); // The second time through we load them from disk. t!("Loading CAs"); let certd2 = CertD::open(&path)?; test(&certd2, false); Ok(()) } fn check_certifiation(certd: &CertD, certifier: &Cert, cert: Fingerprint, count: usize) { const P: &StandardPolicy = &StandardPolicy::new(); let cert: Arc = certd.lookup_by_cert_fpr(&cert).expect("exists"); let cert: &Cert = cert.to_cert().expect("valid cert"); let userids: Vec = cert.userids().collect(); assert_eq!(userids.len(), 1); let certifications = userids[0].valid_certifications_by_key( P, None, certifier.primary_key().key()); assert_eq!(certifications.count(), count); } #[test] fn shadow_ca_cerified() -> Result<()> { // Check that the shadow CA and intermediate CA are actually // certified. tracer!(true, "keyserver_shadow_certified"); let path = tempfile::tempdir()?; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; let (koo, created) = certd.shadow_ca_keys_openpgp_org().unwrap(); assert!(created); let koo = koo.to_cert().expect("valid cert"); let (pd, created) = certd.public_directory_ca().unwrap(); // This should have been created in the last step. assert!(! created); let pd = pd.to_cert().expect("valid cert"); let (tr, created) = certd.trust_root().unwrap(); // This should have been created in the last step. assert!(! created); let tr = tr.to_cert().expect("valid cert"); let (kmc, created) = certd.shadow_ca_keys_mailvelope_com().unwrap(); assert!(created); let kmc = kmc.to_cert().expect("valid cert"); // Avoid the in-memory cache. let certd = CertD::open(&path)?; t!("Checking that the PD CA certified the KOO shadow CA."); check_certifiation(&certd, &pd, koo.fingerprint(), 1); t!("Checking that the PD CA certified the KMC shadow CA."); check_certifiation(&certd, &pd, kmc.fingerprint(), 1); t!("Checking that the trust root certified the PD CA."); check_certifiation(&certd, &tr, pd.fingerprint(), 1); t!("Checking that the trust root didn't the KOO shadow CA."); check_certifiation(&certd, &tr, koo.fingerprint(), 0); t!("Checking that the trust root didn't the KMC shadow CA."); check_certifiation(&certd, &tr, kmc.fingerprint(), 0); Ok(()) } #[test] fn shadow_ca_for_url() -> Result<()> { tracer!(true, "shadow_ca_for_url"); let path = tempfile::tempdir()?; let test = |certd: &CertD, may_create: bool| { let (alice, created) = certd .shadow_ca_for_url("https://example.org/alice.pgp") .unwrap().unwrap(); if ! may_create { assert!(! created); } let alice = alice.fingerprint(); #[derive(Debug)] enum Expectation { Alice, Other, NoCA } use Expectation::*; let lookup = |uri, expectation| { t!("looking up {} expecting {:?}", uri, expectation); let result = certd.shadow_ca_for_url(uri).unwrap(); match expectation { Alice => { let (ca, created) = result.expect("valid URI"); if ! may_create { assert!(! created); } assert_eq!(alice, ca.fingerprint()); }, Other => { let (_ca, created) = result.expect("valid URI"); if ! may_create { assert!(! created); } }, NoCA => { assert!(result.is_none()); }, } }; lookup("https://example.org/alice.pgp", Alice); lookup("HTTPS://EXAMPLE.ORG/alice.pgp", Alice); lookup("https://foo@example.org/alice.pgp", Alice); lookup("https://foo:bar@example.org/alice.pgp", Alice); lookup("https://foo:bar@example.org/alice.pgp#fragment", Alice); // http is not considered secure. lookup("http://example.org/alice.pgp", NoCA); // hkps is not the right protocol. lookup("hkps://example.org/alice.pgp", NoCA); // Different URLs. lookup("https://example.org/bob.pgp", Other); lookup("https://example.net/alice.pgp", Other); lookup("https://example.org/alice.pgp?some=query", Other); lookup("https://example.org/alice.pgp/other/path", Other); }; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; test(&certd, true); // The second time through we load them from disk. t!("Loading CAs"); let certd2 = CertD::open(&path)?; test(&certd2, false); Ok(()) } #[test] fn shadow_ca_for_web_cerified() -> Result<()> { // Check that the shadow CA and intermediate CA are actually // certified. tracer!(true, "shadow_ca_for_web_cerified"); let path = tempfile::tempdir()?; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; let (alice, created) = certd .shadow_ca_for_url("https://example.org/alice.pgp") .unwrap().unwrap(); assert!(created); let alice = alice.to_cert().expect("valid cert"); let (tr, created) = certd.trust_root().unwrap(); // This should have been created in the first step. assert!(! created); let tr = tr.to_cert().expect("valid cert"); let (pd, created) = certd.public_directory_ca().unwrap(); // This should have been created in the first step. assert!(! created); let pd = pd.to_cert().expect("valid cert"); let (web, created) = certd.shadow_ca_web().unwrap(); // This should have been created in the first step. assert!(! created); let web = web.to_cert().expect("valid cert"); // Avoid the in-memory cache. let certd = CertD::open(&path)?; t!("Checking that the trust root certified the PD CA."); check_certifiation(&certd, &tr, pd.fingerprint(), 1); t!("Checking that the PD CA certified the web CA."); check_certifiation(&certd, &pd, web.fingerprint(), 1); t!("Checking that the web CA certified the ALICE shadow CA."); check_certifiation(&certd, &web, alice.fingerprint(), 1); t!("Checking that the trust root didn't the web CA."); check_certifiation(&certd, &tr, web.fingerprint(), 0); t!("Checking that the trust root didn't the ALICE shadow CA."); check_certifiation(&certd, &tr, alice.fingerprint(), 0); t!("Checking that the PD CA didn't the ALICE shadow CA."); check_certifiation(&certd, &pd, alice.fingerprint(), 0); Ok(()) } /// Test that we can create and sanitize, or reject CAs for funny /// URLs. #[test] fn shadow_ca_for_url_escapes() -> Result<()> { tracer!(true, "shadow_ca_for_url_escapes"); let path = tempfile::tempdir()?; let test = |certd: &CertD, url, stripped| { t!("trying {:?}", url); let (alice, _created) = certd.shadow_ca_for_url(url).unwrap().unwrap(); if let Some(c) = stripped { // Make sure the character is stripped. assert!(alice.userids().all( |uid| ! str::from_utf8(uid.value()).unwrap().contains(c))); } else { // Make sure the odd character is percent-encoded. assert!(alice.userids().all( |uid| str::from_utf8(uid.value()).unwrap().contains("%"))); } }; let test_fail = |certd: &CertD, url| { t!("trying {:?}", url); certd.shadow_ca_for_url(url).unwrap_err(); }; let certd = CertD::open(&path)?; // In the path: test(&certd, "https://example.org/alice\u{0a}bob.pgp", Some("\u{0a}")); test(&certd, "https://example.org/alice\u{0d}bob.pgp", Some("\u{0d}")); test(&certd, "https://example.org/alice\u{09}bob.pgp", Some("\u{09}")); test(&certd, "https://example.org/alice\u{0c}bob.pgp", Some("\u{0c}")); test(&certd, "https://example.org/alice\u{08}\u{08}\u{08}\u{08}\u{08}bob.pgp", None); test(&certd, "https://example.org/alice\u{200f}bob.pgp", None); // RTL mark // In the query: test(&certd, "https://example.org/alice.pgp?q=\u{0a}bob.pgp", Some("\u{0a}")); test(&certd, "https://example.org/alice.pgp?q=\u{0d}bob.pgp", Some("\u{0d}")); test(&certd, "https://example.org/alice.pgp?q=\u{09}bob.pgp", Some("\u{09}")); test(&certd, "https://example.org/alice.pgp?q=\u{0c}bob.pgp", Some("\u{0c}")); test(&certd, "https://example.org/alice.pgp?q=\u{08}\u{08}\u{08}\u{08}\u{08}bob.pgp", None); test(&certd, "https://example.org/alice.pgp?q=\u{200f}bob.pgp", None); // RTL mark // In the host: test(&certd, "https://example.\u{0a}bob.pgp.org/alice.pgp", Some("\u{0a}")); test(&certd, "https://example.\u{0d}bob.pgp.org/alice.pgp", Some("\u{0d}")); test(&certd, "https://example.\u{09}bob.pgp.org/alice.pgp", Some("\u{09}")); test_fail(&certd, "https://example.\u{0c}bob.pgp.org/alice.pgp"); test_fail(&certd, "https://example.\u{08}\u{08}\u{08}\u{08}\u{08}bob.pgp.org/alice.pgp"); test_fail(&certd, "https://example.\u{200f}bob.pgp.org/alice.pgp"); // RTL mark Ok(()) } } sequoia-cert-store-0.5.0/src/store/certs.rs000064400000000000000000000363151046102023000170020ustar 00000000000000use std::collections::BTreeMap; use std::collections::btree_map::Entry; use std::sync::Arc; use std::sync::RwLock; use smallvec::SmallVec; use smallvec::smallvec; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::cert::Cert; use openpgp::cert::raw::RawCert; use openpgp::cert::raw::RawCertParser; use openpgp::Fingerprint; use openpgp::KeyID; use openpgp::KeyHandle; use openpgp::packet::UserID; use openpgp::parse::Parse; use openpgp::Result; use crate::LazyCert; use crate::store::MergeCerts; use crate::store::Store; use crate::store::StoreError; use crate::store::StoreUpdate; use crate::store::UserIDIndex; use crate::store::UserIDQueryParams; const TRACE: bool = false; /// Manages a slice of bytes, `RawCert`s, `Cert`s, or `LazyCert`s. /// /// `Cert`s implements `StoreUpdate`, but it does not write the /// updates to disk; they are only updated in memory. pub struct Certs<'a> { inner: RwLock>, } assert_send_and_sync!(Certs<'_>); struct CertsInner<'a> { // Indexed by primary key fingerprint. certs: BTreeMap>>, // Indexed by a key's KeyID (primary key or subkey) and maps to // the primary key. keys: BTreeMap>, userid_index: UserIDIndex, } impl<'a> Certs<'a> { /// Returns an empty `Certs` store. /// /// This is useful as a placeholder. But, certificates can also /// be added to it using the [`StoreUpdate`] interface. pub fn empty() -> Self { Certs { inner: RwLock::new(CertsInner { certs: Default::default(), keys: Default::default(), userid_index: UserIDIndex::new(), }), } } /// Returns a new `Certs`. pub fn from_bytes(bytes: &'a [u8]) -> Result { tracer!(TRACE, "Certs::from_bytes"); let raw_certs = RawCertParser::from_bytes(bytes)? .filter_map(|c| { match c { Ok(c) => Some(c), Err(err) => { t!("Parsing raw certificate: {}", err); None } } }); Self::from_certs(raw_certs) } /// Returns a new `Certs`. pub fn from_certs(certs: impl IntoIterator) -> Result where I: Into> { let r = Self::empty(); for cert in certs { r.update(Arc::new(cert.into())).expect("implementation doesn't fail") } Ok(r) } } impl<'a> Store<'a> for CertsInner<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Certs::lookup_by_cert"); match kh { KeyHandle::Fingerprint(fpr) => { self.lookup_by_cert_fpr(fpr).map(|c| vec![ c ]) } KeyHandle::KeyID(keyid) => { let certs: Vec> = self.keys.get(keyid) .ok_or_else(|| { anyhow::Error::from( StoreError::NotFound(kh.clone())) })? .iter() .filter_map(|fpr| self.certs.get(fpr).cloned()) // Check the constraints before we convert the // rawcert to a cert. .filter(|cert| cert.key_handle().aliases(kh)) .collect(); if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(certs) } } } } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { tracer!(TRACE, "Certs::lookup_by_cert_fpr"); if let Some(cert) = self.certs.get(fingerprint).cloned() { Ok(cert) } else { Err(StoreError::NotFound( KeyHandle::from(fingerprint.clone())).into()) } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Certs::lookup_by_cert_or_subkey"); let keyid = KeyID::from(kh); let certs: Vec>> = self.keys.get(&keyid) .ok_or_else(|| { anyhow::Error::from( StoreError::NotFound(kh.clone())) })? .iter() .filter_map(|fpr| self.certs.get(fpr)) // Check the constraints before we convert the rawcert to a // cert. .filter(|cert| { cert.keys().any(|k| k.key_handle().aliases(kh)) }) .cloned() .collect(); if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(certs) } } fn select_userid(&self, params: &UserIDQueryParams, pattern: &str) -> Result>>> { tracer!(TRACE, "RawCert::select_userid"); t!("params: {:?}, pattern: {:?}", params, pattern); let matches = self.userid_index.select_userid(params, pattern)?; let matches = matches .into_iter() .map(|fpr| { self.lookup_by_cert_fpr(&fpr).expect("indexed") }) .collect(); Ok(matches) } fn fingerprints<'b>(&'b self) -> Box + 'b> { Box::new(self.certs.keys().cloned()) } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { Box::new(self.certs.values().cloned()) } fn prefetch_all(&self) { // Because the interior mutability is implemented via Certs, // not CertInner, and we need a mutable reference here, but we // only have a normal, non-mutable reference, the prefetch // implementation is dispatched via `Certs`. } fn prefetch_some(&self, _certs: &[KeyHandle]) { // Because the interior mutability is implemented via Certs, // not CertInner, and we need a mutable reference here, but we // only have a normal, non-mutable reference, the prefetch // implementation is dispatched via `Certs`. } } impl<'a> Store<'a> for Certs<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { let inner = self.inner.read().unwrap(); inner.lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { // We aren't lazy to avoid holding the lock. let inner = self.inner.read().unwrap(); let fprs: Vec<_> = inner.fingerprints().collect(); Box::new(fprs.into_iter()) } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { // We aren't lazy to avoid holding the lock. let inner = self.inner.read().unwrap(); let certs: Vec<_> = inner.certs().collect(); Box::new(certs.into_iter()) } fn prefetch_all(&self) { let mut inner = self.inner.write().unwrap(); inner.prefetch(true, &[]) } fn prefetch_some(&self, certs: &[KeyHandle]) { let mut inner = self.inner.write().unwrap(); inner.prefetch(false, certs) } } impl CertsInner<'_> { /// Prefetches the certs identified by `khs`, or `all`. fn prefetch(&mut self, all: bool, khs: &[KeyHandle]) { // LazyCert is Sync and Send, but keeping a reference to the // RawCerts in self.certs prevents us from later updating // self.certs. This requires a bit of acrobatics to get // right. tracer!(TRACE, "Certs::prefetch_some"); t!("Prefetch: {} certificates", khs.len()); use crossbeam::thread; use crossbeam::channel::unbounded as channel; // Avoid an extra level of indentation. let result = thread::scope(|thread_scope| { let mut certs: Vec = self.certs.iter().filter_map(|(fpr, cert)| { if ! cert.is_parsed() { if all || khs.iter() .any(|kh| { kh.aliases(&KeyHandle::from(fpr.clone())) }) { // Unfortunately we have to clone the bytes, // because we cannot keep self.certs borrowed. t!("Queuing {} to be prefetched", fpr); use std::ops::Deref; cert.deref().clone().into_raw_cert().ok() } else { None } } else { None } }).collect(); let cert_count = certs.len(); // The threads. We start them on demand. let threads = if cert_count < 16 { // The keyring is small, limit the number of threads. 2 } else { // Sort the certificates so they are ordered from most // packets to least. More packets implies more work, and // this will hopefully result in a more equal distribution // of load. certs.sort_unstable_by_key(|c| { usize::MAX - c.count() }); // Use at least one and not more than we have cores. num_cpus::get().max(1) }; t!("Using {} threads", threads); // A communication channel for sending work to the workers. let (work_tx, work_rx) = channel(); // A communication channel for returning returns to the main // thread. let (results_tx, results_rx) = channel(); let mut threads_extant = Vec::new(); for cert in certs.into_iter() { if threads_extant.len() < threads { let tid = threads_extant.len(); t!("Starting thread {} of {}", tid, threads); let mut work = Some(Ok(cert)); // The thread's state. let work_rx = work_rx.clone(); let results_tx = results_tx.clone(); threads_extant.push(thread_scope.spawn(move |_| { loop { match work.take().unwrap_or_else(|| work_rx.recv()) { Err(_) => break, Ok(raw) => { t!("Thread {} dequeuing {}!", tid, raw.keyid()); // Silently ignore errors. This will // be caught later when the caller // looks this one up. match Cert::try_from(&raw) { Ok(cert) => { let _ = results_tx.send(cert); } Err(err) => { t!("Parsing raw cert {}: {}", raw.keyid(), err); } } } } } t!("Thread {} exiting", tid); })); } else { work_tx.send(cert).unwrap(); } } // When the threads see this drop, they will exit. drop(work_tx); // Drop our reference to results_tx. When the last thread // exits, the last reference will be dropped and the loop // below will exit. drop(results_tx); let mut count = 0; while let Ok(cert) = results_rx.recv() { let fpr = cert.fingerprint(); t!("Caching {}", fpr); self.certs.insert(fpr, Arc::new(cert.into())); count += 1; } t!("Prefetched {} certificates, ({} RawCerts had errors)", count, cert_count - count); }); // thread scope. // We're just caching results so we can ignore errors. if let Err(err) = result { t!("{:?}", err); } } } impl<'a> StoreUpdate<'a> for Certs<'a> { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "Certs::update_by"); let mut inner = self.inner.write().unwrap(); let fpr = cert.fingerprint(); // Add the cert fingerprint -> cert entry. let merged: Arc; match inner.certs.entry(fpr.clone()) { Entry::Occupied(mut oe) => { t!("Updating {}", fpr); let old = oe.get().clone(); merged = merge_strategy.merge_public(cert, Some(old)) .with_context(|| { format!("Merging two version of {}", fpr) })?; *oe.get_mut() = merged.clone(); } Entry::Vacant(ve) => { t!("Inserting {}", fpr); merged = merge_strategy.merge_public(cert, None)?; ve.insert(merged.clone()); } } // Populate the key map. This is a merge so we are not // removing anything. for k in merged.keys() { match inner.keys.entry(k.keyid()) { Entry::Occupied(mut oe) => { let fprs = oe.get_mut(); if ! fprs.contains(&fpr) { fprs.push(fpr.clone()); } } Entry::Vacant(ve) => { ve.insert(smallvec![ fpr.clone() ]); } } } inner.userid_index.insert(&fpr, merged.userids()); Ok(merged) } } sequoia-cert-store-0.5.0/src/store/keyserver.rs000064400000000000000000000364051046102023000177010ustar 00000000000000use std::collections::BTreeMap; use std::collections::BTreeSet; use std::sync::Arc; use std::sync::Mutex; use sequoia_openpgp as openpgp; use openpgp::Cert; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Result; use openpgp::policy::NullPolicy; use sequoia_net as net; use net::reqwest; use crate::email_to_userid; use crate::LazyCert; use crate::Store; use crate::store::StatusListener; use crate::store::StatusUpdate; use crate::store::StoreError; use crate::store::UserIDQueryParams; use super::TRACE; const NP: &NullPolicy = &NullPolicy::new(); // Reliable keyservers. /// keys.openpgp.org. pub const KEYS_OPENPGP_ORG_URL: &str = "hkps://keys.openpgp.org"; /// A reliable SKS keyserver. pub const SKS_URL: &str = "hkps://keyserver.ubuntu.com"; /// mailvelope's keyserver. pub const MAILVELOPE_URL: &str = "hkps://keys.mailvelope.com"; /// proton's keyserver. pub const PROTON_URL: &str = "hkps://api.protonmail.ch"; /// A keyserver backend. pub struct KeyServer<'a> { inner: Mutex>, } assert_send_and_sync!(KeyServer<'_>); struct KeyServerInner<'a> { keyserver: net::KeyServer, id: String, tx: usize, listeners: Vec>, // A cache. We only cache certificates; we don't cache User ID // searches. // Primary keys and subkeys. hits_fpr: BTreeMap>>, hits_keyid: BTreeMap, // What we failed to look up. misses_fpr: BTreeSet, misses_keyid: BTreeSet, } impl KeyServer<'_> { /// Returns a new key server instance. pub fn new(url: &str) -> Result { Ok(Self { inner: Mutex::new(KeyServerInner { keyserver: net::KeyServer::new(url)?, id: if url.len() <= 10 { // Only prefix "key server" if the URL is short. format!("key server {}", url) } else { url.to_string() }, tx: 0, listeners: Vec::new(), hits_fpr: Default::default(), hits_keyid: Default::default(), misses_fpr: Default::default(), misses_keyid: Default::default(), }), }) } /// Returns a key server instance that uses `keys.openpgp.org`. pub fn keys_openpgp_org() -> Result { Self::new(KEYS_OPENPGP_ORG_URL) } /// Returns a key server instance that uses a reliable SKS /// keyserver. pub fn sks() -> Result { Self::new(SKS_URL) } /// Returns a key server instance that uses mailvelope's /// keyserver. pub fn mailvelope() -> Result { Self::new(MAILVELOPE_URL) } /// Returns a key server instance that uses proton's keyserver. pub fn proton() -> Result { Self::new(PROTON_URL) } /// Sends status updates to the listener. pub fn add_listener(&mut self, listener: Box) { self.inner.lock().unwrap().listeners.push(listener); } } impl<'a> KeyServerInner<'a> { // Looks for a certificate in the cache. fn check_cache(&self, kh: &KeyHandle) -> Option>>>> { let kh_; let kh = if let KeyHandle::KeyID(keyid) = kh { if let Some(fpr) = self.hits_keyid.get(keyid) { kh_ = KeyHandle::Fingerprint(fpr.clone()); &kh_ } else if self.misses_keyid.get(keyid).is_some() { return Some(Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into())); } else { kh } } else { kh }; if let KeyHandle::Fingerprint(fpr) = kh { if let Some(cert) = self.hits_fpr.get(fpr) { return Some(Ok(vec![ cert.clone() ])); } if self.misses_fpr.get(fpr).is_some() { return Some(Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into())); } } None } // Adds the cert to the in-memory cache. fn cache(&mut self, cert: &Arc>) { for k in cert.keys() { self.hits_fpr.insert(k.fingerprint(), cert.clone()); self.hits_keyid.insert(k.keyid(), k.fingerprint()); } } /// Deletes the key with the given fingerprint from the cache. fn delete_from_cache(&mut self, cert: &LazyCert<'_>) { for key in cert.keys() { let fp = key.fingerprint(); self.hits_fpr.remove(&fp); let keyid = KeyID::from(fp); // XXX: Technically, a key ID could map to multiple // fingerprints, so we may be removing the wrong entry here. // But, by using a BTreeMap we do accept // this kind of loss in the first place, as later cache // insertions will overwrite any existing mappings. self.hits_keyid.remove(&keyid); } } } impl<'a> KeyServer<'a> { /// Deletes the key with the given fingerprint from the cache. pub(crate) fn delete_from_cache(&self, certs: I) where I: Iterator>>, { let mut inner = self.inner.lock().unwrap(); for cert in certs { inner.delete_from_cache(&cert); } } } /// Sends a status update. macro_rules! update { ( $self:expr, $update:ident, $($args:expr),* ) => {{ if ! $self.listeners.is_empty() { let update = StatusUpdate::$update( $self.tx, &$self.id, $($args),*); for sub in $self.listeners.iter() { sub.update(&update); } } }} } impl<'a> Store<'a> for KeyServer<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { let mut certs = self.lookup_by_cert_or_subkey(kh)?; // The match may be on a subkey. Only return the certificates // whose primary key aliases kh. certs.retain(|cert| { kh.aliases(KeyHandle::from(cert.fingerprint())) }); if certs.is_empty() { Err(StoreError::NotFound(KeyHandle::from(kh.clone())).into()) } else { Ok(certs) } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "KeyServer::lookup_by_cert_or_subkey"); // Check the cache. t!("Looking up {} on keyserver...", kh); let mut inner = self.inner.lock().unwrap(); if ! inner.listeners.is_empty() { inner.tx += 1; update!(inner, LookupStarted, kh, None); }; if let Some(r) = inner.check_cache(kh) { t!("Found in in-memory cache"); match r.as_ref() { Ok(certs) => { update!(inner, LookupFinished, kh, &certs[..], Some("Found in in-memory cache")); } Err(err) => { update!(inner, LookupFailed, kh, Some(&err)); } } return r; } // It's not in the cache, look it up on the key server. let rt = tokio::runtime::Runtime::new().unwrap(); // The keyserver interface currently only returns a single // result. let r = rt.block_on(async { inner.keyserver.get(kh.clone()).await }); match r { Ok(certs) => { let certs: Vec<_> = certs.into_iter() .filter_map(Result::ok) .map(|c| Arc::new(LazyCert::from(c))).collect(); for cert in &certs { t!("keyserver returned {}", cert.fingerprint()); // Add the result to the cache. inner.cache(cert); } // Make sure the key server gave us the right // certificate. let requested: Vec<_> = certs.iter().filter( |cert| cert.keys().any(|k| k.key_handle().aliases(kh))) .cloned() .collect(); if ! requested.is_empty() { update!(inner, LookupFinished, kh, &requested[..], None); Ok(requested) } else { let err = KeyServerError::UnexpectedResults( kh.clone(), certs.iter().map(|c| c.fingerprint()).collect()) .into(); t!("{}", err); update!(inner, LookupFailed, kh, Some(&err)); Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into()) } } Err(err) => { t!("keyserver returned an error: {}", err); if let Some(net::Error::NotFound) = err.downcast_ref::() { update!(inner, LookupFailed, kh, None); Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into()) } else { update!(inner, LookupFailed, kh, Some(&err)); Err(err) } } } } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { tracer!(TRACE, "KeyServer::select_userid"); t!("{}", pattern); t!("Looking {:?} up on the keyserver... ", pattern); let mut inner = self.inner.lock().unwrap(); if ! inner.listeners.is_empty() { inner.tx += 1; update!(inner, SearchStarted, pattern, None); } let email = if query.email && query.anchor_start && query.anchor_end { match email_to_userid(pattern) { Ok(email) => { if let Ok(email) = std::str::from_utf8(email.value()) { Some(email.to_string()) } else { None } }, Err(err) => { t!("{:?}: invalid email address: {}", pattern, err); None } } } else { None }; let rt = tokio::runtime::Runtime::new().unwrap(); let (ks, wkd) = rt.block_on(async { // Query the keyserver. let ks = inner.keyserver.search(pattern); // And the WKD (if it appears to be an email address). let wkd = async { if let Some(email) = email.as_ref() { net::wkd::get(&reqwest::Client::new(), email).await } else { // If it is not an email, it's not an error. Ok(Vec::new()) } }; tokio::join!(ks, wkd) }); let mut certs: Vec> = Vec::new(); match ks { Ok(c) => { t!("Key server returned {} results", c.len()); if ! inner.listeners.is_empty() { let msg = format!("Key server returned {} results", c.len()); update!(inner, SearchStatus, pattern, &msg); } certs.extend(c); }, Err(err) => t!("Key server response: {}", err), } match wkd { Ok(c) => { t!("WKD server returned {} results", c.len()); if ! inner.listeners.is_empty() { let msg = format!("WKD server returned {} results", c.len()); update!(inner, SearchStatus, pattern, &msg); } certs.extend(c); }, Err(err) => t!("WKD server response: {}", err), } // Sort, merge, and cache. let mut certs = certs.into_iter().flatten().collect::>(); certs.sort_by_key(|c| c.fingerprint()); certs.dedup_by(|a, b| { if a.fingerprint() != b.fingerprint() { return false; } // b is kept. So merge into b. match b.clone().merge_public(a.clone()) { Ok(combined) => *b = combined, Err(err) => { t!("Merging copies of {}: {}", a.keyid(), err); } } true }); let mut certs: Vec<_> = certs.into_iter().map(|c| Arc::new(LazyCert::from(c))).collect(); // Add the results to the cache. certs.iter().for_each(|cert| inner.cache(cert)); // Only keep the certificates that actually satisfy the // constraints. certs.retain(|cert| { let cert = cert.to_cert() .expect("LazyCert should already be canonicalized"); query.check_cert(cert, pattern) }); if certs.is_empty() { update!(inner, SearchFailed, pattern, None); Err(StoreError::NoMatches(pattern.to_string()).into()) } else { if TRACE || ! inner.listeners.is_empty() { let msg = format!( "Got {} results:\n {}", certs.len(), certs.iter() .map(|cert: &Arc| { format!( "{} ({})", cert.keyid().to_hex(), cert.with_policy(NP, None) .and_then(|vc| vc.primary_userid()) .map(|ua| { String::from_utf8_lossy(ua.userid().value()) .into_owned() }) .unwrap_or_else(|_| { cert.userids().next() .map(|userid| { String::from_utf8_lossy(userid.value()) .into_owned() }) .unwrap_or("".into()) })) }) .collect::>() .join("\n ")); t!("{}", msg); update!(inner, SearchFinished, pattern, &certs[..], Some(&msg)); } Ok(certs) } } fn fingerprints<'b>(&'b self) -> Box + 'b> { // Return the entries in our cache. Box::new(self .inner.lock().unwrap() .hits_fpr .keys() .cloned() .collect::>() .into_iter()) } } /// [`KeyServer`] specific error codes. #[non_exhaustive] #[derive(thiserror::Error, Debug)] pub enum KeyServerError { /// Keyserver returned the wrong certs. #[error("Keyserver returned the wrong certs: {1:?} (wanted: {0})")] UnexpectedResults(KeyHandle, Vec), } sequoia-cert-store-0.5.0/src/store/pep.rs000064400000000000000000001505021046102023000164410ustar 00000000000000use std::path::Path; use std::path::PathBuf; use std::sync::Arc; use std::sync::Mutex; use anyhow::Context; use rusqlite::{ CachedStatement, Connection, OpenFlags, OptionalExtension, params, Row, }; use sequoia_openpgp as openpgp; use openpgp::{ Cert, cert::raw::RawCertParser, Fingerprint, KeyHandle, KeyID, packet::UserID, parse::Parse, serialize::Serialize, }; use crate::LazyCert; use crate::Result; use crate::Store; use crate::StoreUpdate; use crate::store::MergeCerts; use crate::store::StoreError; use crate::store::UserIDQueryParams; // Maximum busy wait time. pub const BUSY_WAIT_TIME: std::time::Duration = std::time::Duration::from_secs(5); // The location of the keys DB relative to the user's home directory. pub const KEYS_DB: &[ &str ] = &[ "keys.db" ]; use crate::TRACE; #[non_exhaustive] #[derive(thiserror::Error, Debug)] pub enum Error { #[error("Opening the database failed: {1}")] InitCannotOpenDB(#[source] anyhow::Error, String), #[error("Unknown error: {1}")] UnknownError(#[source] anyhow::Error, String), #[error("Database error: {1}")] UnknownDbError(#[source] anyhow::Error, String), #[error("Cannot delete key: {0}")] CannotDeleteKey(#[source] anyhow::Error, String), } // Transforms an error from some error type to the pep::Error. macro_rules! wrap_err { ($e:expr, $err:ident, $msg:expr) => { $e.map_err(|err| { eprintln!("Error: {}: {}", err, $msg); anyhow::Error::from(Error::$err( anyhow::Error::from(err).into(), String::from($msg))) }) } } /// A pEp certificate store backend. /// /// A backend, which provides access to a [pEp] certificate store. /// /// [pEp]: https://gitea.pep.foundation/pEp.foundation/pEpEngine pub struct Pep { conn: Mutex, } assert_send_and_sync!(Pep); // Generates a convenience method that returns a prepared statement // for the specified sql. If preparing the statement results in an // error, the error is converted to out native error type. macro_rules! sql_stmt { ($name:ident, $sql:expr) => { fn $name(conn: &Connection) -> Result> { let mut name: &str = stringify!($name); if name.ends_with("_stmt") { name = &name[..name.len() - "_stmt".len()]; } wrap_err!( conn.prepare_cached( $sql), UnknownDbError, format!("preparing {} query", name)) } } } // Execute a query to load certificates, and actually load the // certificates. macro_rules! cert_query { ($stmt:expr, $args:expr, $err:expr) => {{ let rows = wrap_err!( $stmt.query_map($args, Self::key_load), UnknownDbError, "executing query")?; let mut results: Vec<_> = Vec::new(); for row in rows { let (keydata, _private) = wrap_err!(row, UnknownError, "parsing result")?; match Cert::from_bytes(&keydata) { Ok(cert) => results.push(Arc::new(LazyCert::from(cert))), Err(err) => { t!("Warning: unable to parse a certificate: {}\n{:?}", err, String::from_utf8(keydata)); } } } if results.is_empty() { Err(anyhow::Error::from($err)) } else { Ok(results) } }} } impl Pep { /// Opens a `Pep` certificate store. /// /// If `path` is `None`, then this uses the default location, which /// is `$HOME/.pEp/keys.db`. /// /// This initializes the database, if necessary. pub fn open

(path: Option

) -> Result where P: AsRef { match path { Some(p) => Self::init_(Some(p.as_ref())), None => { let mut set = false; let mut keys_db = PathBuf::new(); #[cfg(not(windows))] if cfg!(debug_assertions) { if let Ok(pep_home) = std::env::var("PEP_HOME") { set = true; keys_db = PathBuf::from(pep_home); } } if ! set { if let Some(home) = dirs::home_dir() { keys_db = home } else { return Err(anyhow::anyhow!( "Failed to find home directory")); } } for n in KEYS_DB { keys_db.push(n); } Self::init_(Some(&keys_db)) } } } /// Returns a new `Pep`. /// /// This uses an in-memory sqlite database. pub fn empty() -> Result { Self::init_in_memory() } /// Returns a new `Pep`. /// /// This uses an in-memory sqlite database, and loads it with the /// keyring. pub fn from_bytes<'a>(bytes: &'a [u8]) -> Result { tracer!(TRACE, "Pep::from_bytes"); let raw_certs = RawCertParser::from_bytes(bytes)? .filter_map(|c| { match c { Ok(c) => Some(c), Err(err) => { t!("Parsing raw certificate: {}", err); None } } }); Self::from_certs(raw_certs) } /// Returns a new `Pep`. /// /// This uses an in-memory sqlite database, and loads it with the /// specified certificates. pub fn from_certs<'a, I>(certs: impl IntoIterator) -> Result where I: Into> { let r = Self::init_in_memory()?; for cert in certs { r.update(Arc::new(cert.into())).expect("implementation doesn't fail") } Ok(r) } /// Initializes an in-memory key store. /// /// This is used for the unit tests. //#[cfg(test)] pub(crate) fn init_in_memory() -> Result { Self::init_(None) } fn init_(home: Option<&Path>) -> Result { let mut keys_db = PathBuf::new(); let conn = if let Some(home) = home { keys_db.push(home); if home.is_dir() { for n in KEYS_DB { keys_db.push(n); } } wrap_err!( Connection::open_with_flags( &keys_db, OpenFlags::SQLITE_OPEN_READ_WRITE | OpenFlags::SQLITE_OPEN_CREATE | OpenFlags::SQLITE_OPEN_FULL_MUTEX | OpenFlags::SQLITE_OPEN_PRIVATE_CACHE), InitCannotOpenDB, format!("Opening keys DB ('{}')", keys_db.display()))? } else { // Create an in-memory DB. wrap_err!( Connection::open_in_memory(), InitCannotOpenDB, "Creating in-memory keys DB")? }; wrap_err!( conn.execute_batch("PRAGMA secure_delete=true; PRAGMA foreign_keys=true; PRAGMA locking_mode=NORMAL; PRAGMA journal_mode=WAL;"), InitCannotOpenDB, format!("Setting pragmas on keys DB ('{}')", keys_db.display()))?; wrap_err!( conn.busy_timeout(BUSY_WAIT_TIME), InitCannotOpenDB, format!("Setting busy time ('{}')", keys_db.display()))?; wrap_err!( conn.create_collation("EMAIL", Self::email_cmp), InitCannotOpenDB, format!("Registering EMAIL collation function"))?; wrap_err!( conn.execute_batch( "CREATE TABLE IF NOT EXISTS keys ( primary_key TEXT UNIQUE PRIMARY KEY, secret BOOLEAN, tpk BLOB ); CREATE INDEX IF NOT EXISTS keys_index ON keys (primary_key, secret)"), InitCannotOpenDB, format!("Creating keys table ('{}')", keys_db.display()))?; wrap_err!( conn.execute_batch( "CREATE TABLE IF NOT EXISTS subkeys ( subkey TEXT NOT NULL /* KeyID */, primary_key TEXT NOT NULL /* Fingerprint */, UNIQUE(subkey, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE ); CREATE INDEX IF NOT EXISTS subkeys_index ON subkeys (subkey, primary_key)"), InitCannotOpenDB, format!("Creating subkeys table ('{}')", keys_db.display()))?; wrap_err!( conn.execute_batch( "CREATE TABLE IF NOT EXISTS userids ( userid TEXT NOT NULL COLLATE EMAIL, primary_key TEXT NOT NULL, UNIQUE(userid, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE ); CREATE INDEX IF NOT EXISTS userids_index ON userids (userid COLLATE EMAIL, primary_key)"), InitCannotOpenDB, format!("Creating userids table ('{}')", keys_db.display()))?; Ok(Pep { conn: Mutex::new(conn), }) } // Returns a prepared statement for finding a certificate by // primary key fingerprint. sql_stmt!(cert_find_stmt, "SELECT tpk, secret FROM keys WHERE primary_key == ?"); // This only works for v4 certificates! For v6 certificates the // keyid is the start of the fingerprint, not the end. sql_stmt!(cert_find_by_keyid_stmt, "SELECT tpk, secret FROM keys WHERE primary_key like '%' || ?"); // Returns a prepared statement for finding a key by primary key // fingerprint. sql_stmt!(tsk_find_stmt, "SELECT tpk, secret FROM keys WHERE primary_key == ? and secret == 1"); // Returns a prepared statement for finding a certificate that // contains a key with the specified key id. That is, this // matches on the primary key's key ID as well as any subkeys' key // ID. sql_stmt!(cert_find_with_key_stmt, "SELECT tpk, secret FROM subkeys LEFT JOIN keys ON subkeys.primary_key == keys.primary_key WHERE subkey == ?"); // Returns a prepared statement for finding a certificate with // secret key material that contains a key (with or without secret // key material) with the specified key id. That is, this matches // on the primary key's key ID as well as any subkeys' key ID. sql_stmt!(tsk_find_with_key_stmt, "SELECT tpk, secret FROM subkeys LEFT JOIN keys ON subkeys.primary_key == keys.primary_key WHERE subkey == ? and keys.secret == 1"); // Returns a prepared statement for finding a certificate with the // specified email address. sql_stmt!(cert_find_by_email_stmt, "SELECT tpk, secret FROM userids LEFT JOIN keys ON userids.primary_key == keys.primary_key WHERE userid == ?"); // Returns a prepared statement for returning all the fingerprints // of all certificates in the database. sql_stmt!(cert_list_stmt, "select primary_key from keys"); // Returns a prepared statement for returning all certificates in // the database. sql_stmt!(cert_all_stmt, "select tpk, secret from keys"); // Returns a prepared statement for returning all certificates in // the database, which contain secret key material. sql_stmt!(tsk_all_stmt, "select tpk, secret from keys where secret = 1"); // Returns a prepared statement for updating the keys table. sql_stmt!(cert_save_insert_primary_stmt, "INSERT OR REPLACE INTO keys (primary_key, secret, tpk) VALUES (?, ?, ?)"); // Returns a prepared statement for updating the subkeys table. sql_stmt!(cert_save_insert_subkeys_stmt, "INSERT OR REPLACE INTO subkeys (subkey, primary_key) VALUES (?, ?)"); // Returns a prepared statement for updating the userids table. sql_stmt!(cert_save_insert_userids_stmt, "INSERT OR REPLACE INTO userids (userid, primary_key) VALUES (?, ?)"); // Returns a prepared statement for deleting a certificate. // // Note: due to the use of foreign keys, when a key is removed // from the keys table, the subkeys and userids tables are also // automatically update. sql_stmt!(cert_delete_stmt, "DELETE FROM keys WHERE primary_key = ?"); // Compares two User IDs. // // Extracts the email address or URI stored in each User ID and // compares them. A User ID that does not contain an email // address or URI is sorted earlier than one that does. // // This is used as the collation function. pub fn email_cmp(a: &str, b: &str) -> std::cmp::Ordering { let a_userid = UserID::from(a); let b_userid = UserID::from(b); let a_email = a_userid .email_normalized() .or_else(|_| a_userid.uri2().map(|o| o.map(Into::into))) .ok(); let b_email = b_userid .email_normalized() .or_else(|_| b_userid.uri2().map(|o| o.map(Into::into))) .ok(); match (a_email, b_email) { (None, None) => std::cmp::Ordering::Equal, (None, Some(_)) => std::cmp::Ordering::Less, (Some(_), None) => std::cmp::Ordering::Greater, (Some(a), Some(b)) => a.cmp(&b) } } // The callback used by functions returning a certificate and // whether the certificate contains any secret key material. fn key_load(row: &Row) -> rusqlite::Result<(Vec, bool)> { let cert = row.get(0)?; let secret_key_material = row.get(1)?; Ok((cert, secret_key_material)) } /// Returns the matching TSK. /// /// Like [`Store::lookup_by_cert_fpr`], but only returns /// certificates with private key material. pub fn tsk_lookup_by_cert_fpr(&self, fpr: &Fingerprint) -> Result> { tracer!(TRACE, "Pep::tsk_lookup_by_cert_fpr"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::tsk_find_stmt(&conn)?; let r = cert_query!(stmt, [ fpr.to_hex() ], StoreError::NotFound(KeyHandle::from(fpr)))?; let r = r.into_iter() .next() .ok_or_else(|| StoreError::NotFound(KeyHandle::from(fpr)))?; Ok(r) } /// Returns the matching TSK. /// /// Like [`Store::lookup_by_cert_or_subkey`], but only returns certificates /// with private key material. pub fn tsk_lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>> { tracer!(TRACE, "Pep::tsk_lookup_by_cert_or_subkey"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::tsk_find_with_key_stmt(&conn)?; let keyid = KeyID::from(kh).to_hex(); t!("({})", keyid); cert_query!(stmt, [ keyid ], StoreError::NotFound(kh.clone())) } /// Returns all of the TSKs. /// /// Like [`Store::certs`], but only returns certificates with /// private key material. pub fn tsks<'b>(&'b self) -> Box> + 'b> { tracer!(TRACE, "Pep::tsks"); let inner = || -> Result> { let conn = self.conn.lock().unwrap(); let mut stmt = Self::tsk_all_stmt(&conn)?; cert_query!(stmt, [ ], StoreError::NoMatches("EOF".into())) }; match inner() { Ok(results) => Box::new(results.into_iter()), Err(err) => { t!("Listing TSKs: {}", err); Box::new(std::iter::empty()) } } } /// Deletes the specified certificate from the database. /// /// If the certificate contains any private key material, this is /// also deleted. /// /// Returns an error if the specified certificate is not found. pub fn cert_delete(&mut self, fpr: Fingerprint) -> Result<()> { let conn = self.conn.lock().unwrap(); let changes = wrap_err!( Self::cert_delete_stmt(&conn)? .execute(params![ fpr.to_hex() ]), CannotDeleteKey, format!("Deleting {}", fpr))?; if changes == 0 { Err(StoreError::NotFound(KeyHandle::from(fpr.clone())).into()) } else { Ok(()) } } } impl<'a> Store<'a> for Pep { /// Returns the certificates whose fingerprint matches the handle. /// /// Returns [`StoreError::NotFound`] if no certificate is found. /// /// The caller may assume that looking up a fingerprint returns at /// most one certificate. fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Pep::lookup_by_cert"); let conn = self.conn.lock().unwrap(); let mut stmt = match kh { KeyHandle::Fingerprint(_) => { Self::cert_find_stmt(&conn)? } KeyHandle::KeyID(_) => { Self::cert_find_by_keyid_stmt(&conn)? } }; cert_query!(stmt, [ kh.to_hex() ], StoreError::NotFound(kh.clone())) } /// Returns certificates that have a key with the specified /// handle, if any. /// /// Returns [`StoreError::NotFound`] if no certificate is not found. /// /// Note: even if you pass a fingerprint, this may return multiple /// certificates as the same subkey may be attached to multiple /// certificates. fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Pep::lookup_by_cert_or_subkey"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_find_with_key_stmt(&conn)?; let keyid = KeyID::from(kh).to_hex(); t!("({})", keyid); let mut certs: Vec>> = cert_query!(stmt, [ keyid ], StoreError::NotFound(kh.clone()))?; if let KeyHandle::Fingerprint(fpr) = kh { // Self::cert_find_with_key_stmt works with key ids. Make // sure the fingerprint appears. certs = certs .into_iter() .filter(|cert: &Arc>| -> bool { cert.keys().any(|ka| &ka.fingerprint() == fpr) }) .collect::>>>(); } Ok(certs) } /// Returns certificates that have a User ID matching the /// specified pattern according to the query parameters. fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { tracer!(TRACE, "Pep::select_userid"); let results: Vec>; match (query.email(), query.ignore_case(), query.anchor_start(), query.anchor_end()) { // Email. (true, _, true, true) => { match UserIDQueryParams::is_email(pattern) { Ok(email) => return self.lookup_by_email(&email), Err(err) => { t!("{:?} is not a valid email address: {}", pattern, err); return Ok(vec![ ]); } } } _ => { // Iterate over all the certificates, and return those // that match. // // This is potentially very expensive. Where possible // we should use the the indices to reduce false // positives. results = self.certs() .filter(|cert| { query.check_lazy_cert(&cert, pattern) }) .collect(); } } if results.is_empty() { Err(StoreError::NoMatches(pattern.into()).into()) } else { Ok(results) } } /// Returns certificates that have a User ID with the specified /// email address. /// /// The pattern is interpreted as an email address. It is first /// normalized, and then matched against the normalized email /// address, it is anchored, and the match is case sensitive. fn lookup_by_email(&self, email: &str) -> Result>>> { tracer!(TRACE, "Pep::lookup_by_email"); let userid = crate::email_to_userid(&email)?; let email = userid.email_normalized()?.expect("have one"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_find_by_email_stmt(&conn)?; cert_query!(stmt, [ &email ], StoreError::NoMatches(email.into())) } /// Lists all of the certificates. /// /// If a backend is not able to enumerate all the certificates, /// then it should return those that it knows about. For /// instance, some keyservers allow certificates to be looked up /// by fingerprint, but not to enumerate all of the certificates. /// Thus, a user must not assume that if a certificate is not /// returned by this function, it cannot be found by name. fn fingerprints<'b>(&'b self) -> Box + 'b> { tracer!(TRACE, "Pep::fingerprints"); let inner = || -> Result> { let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_list_stmt(&conn)?; let rows = wrap_err!( stmt.query_map([ ], |row: &Row| { let fpr: String = row.get(0)?; Ok(fpr) }), UnknownDbError, "executing query")?; let mut results: Vec<_> = Vec::new(); for row in rows { let fpr = wrap_err!(row, UnknownError, "parsing result")?; match fpr.parse::() { Ok(fpr) => results.push(fpr), Err(err) => { t!("Warning: unable to parse {:?} as a fingerprint: {}", fpr, err); } } }; Ok(results) }; match inner() { Ok(results) => Box::new(results.into_iter()), Err(err) => { t!("Listing fingerprints: {}", err); Box::new(std::iter::empty()) } } } /// Returns all of the certificates. /// /// The default implementation is implemented in terms of /// [`Store::fingerprints`] and [`Store::lookup_by_cert_fpr`]. Many backends /// will be able to do this more efficiently. fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { tracer!(TRACE, "Pep::certs"); let inner = || -> Result> { let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_all_stmt(&conn)?; cert_query!(stmt, [ ], StoreError::NoMatches("EOF".into())) }; match inner() { Ok(results) => Box::new(results.into_iter()), Err(err) => { t!("Error: {}", err); Box::new(std::iter::empty()) } } } } impl<'a> StoreUpdate<'a> for Pep { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "Pep::update_by"); let fpr = cert.fingerprint(); t!("Updating {}", fpr); let mut conn = self.conn.lock().unwrap(); let tx = wrap_err!( conn.transaction(), UnknownDbError, "starting transaction" )?; // If the certificate already exists, we merge the existing // variant with the new variant. let r = wrap_err!( Self::cert_find_stmt(&tx)? .query_row(&[ &fpr.to_hex() ], Self::key_load).optional(), UnknownDbError, "executing query")?; let existing = if let Some((existing_keydata, _)) = r { t!("Got {} bytes of existing certificate data", existing_keydata.len()); match Cert::from_bytes(&existing_keydata) { Ok(existing) => Some((existing_keydata, LazyCert::from(existing))), Err(err) => { t!("Failed to parse existing data for {} (overwriting): {}", fpr, err); None } } } else { t!("New certificate"); None }; let merged = if let Some((_, existing_cert)) = &existing { t!("Updating {}", fpr); merge_strategy.merge_public(cert, Some(Arc::new(existing_cert.clone()))) .with_context(|| { format!("Merging two versions of {}", fpr) })? } else { t!("Inserting {}", fpr); merge_strategy.merge_public(cert, None)? }; let merged = merged.to_cert() .context("Resolving merged certificate")? .clone(); let mut merged_keydata = Vec::new(); wrap_err!( merged.as_tsk().serialize(&mut merged_keydata), UnknownDbError, "Serializing certificate")?; let new_or_changed = if let Some((existing_keydata, _)) = &existing { &merged_keydata != existing_keydata } else { true }; if ! new_or_changed { t!("Data unchanged."); return Ok(Arc::new(LazyCert::from(merged))); } t!("Serializing {} bytes ({:X})", merged_keydata.len(), { use std::collections::hash_map::DefaultHasher; use std::hash::Hasher; let mut hasher = DefaultHasher::new(); hasher.write(&merged_keydata); hasher.finish() }); // Save the certificate. { let mut stmt = Self::cert_save_insert_primary_stmt(&tx)?; wrap_err!( stmt.execute( params![fpr.to_hex(), merged.is_tsk(), &merged_keydata]), UnknownDbError, "Executing cert_save_insert_primary")?; } // Update the subkey table. { let mut stmt = Self::cert_save_insert_subkeys_stmt(&tx)?; for (i, ka) in merged.keys().enumerate() { t!(" {}key: {} ({} secret key material)", if i == 0 { "primary " } else { "sub" }, ka.keyid(), if ka.has_secret() { "has" } else { "no" }); wrap_err!( stmt.execute( params![ka.keyid().to_hex(), fpr.to_hex()]), UnknownDbError, "Executing cert save insert subkeys")?; } } // Update the userid table. { let mut stmt = Self::cert_save_insert_userids_stmt(&tx)?; for ua in merged.userids() { let uid = if let Ok(Some(email)) = ua.email_normalized() { email } else if let Ok(Some(uri)) = ua.uri2() { uri.to_string() } else { continue; }; t!(" User ID: {}", uid); wrap_err!( stmt.execute(params![uid, fpr.to_hex()]), UnknownDbError, "Executing cert save insert userids")?; } } wrap_err!( tx.commit(), UnknownDbError, "committing transaction" )?; t!("saved"); Ok(Arc::new(LazyCert::from(merged))) } } #[cfg(test)] mod tests { use super::*; #[test] fn keys_db() -> Result<()> { tracer!(TRACE, "keys_db"); struct Record { fingerprint: &'static str, subkeys: &'static [&'static str], userids: &'static [&'static str], } impl Record { fn fingerprint(&self) -> Fingerprint { self.fingerprint.parse::().expect("valid") } fn keys(&self) -> impl Iterator { std::iter::once(self.fingerprint()) .chain(self.subkeys.iter().map(|sk| { sk.parse::().expect("valid") })) } } let records = &[ Record { fingerprint: "04880CB55875B6548C25C729A00E4CD660454746", subkeys: &[ "F9CBBC92F2C34E518722CA77CADEEF67FAADD951", "05793483F1826E44A2B866E0A7CB62B3422503EE", "2C0E08F26EE06409C4712149DAC435B561D44E7B", ], userids: &[ "francis@fake.pep.foundation", ] }, Record { fingerprint: "08C6A9408241E6ED99A0A2767A6B35253722954D", subkeys: &[ "2F7B12FD253CF4ECC9255D7053D8C1B7F801D54D", "DB806800E939D5F0611BCD0DD9D4C006F09088D1", "9F62CE8B0786820B933427A50AC73BFE55E17D22", ], userids: &[ "Luca Saiu (free software hacker at pEp foundation) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu ", "Luca Saiu on mobile (do not use: only for myself) ", ] }, Record { fingerprint: "10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F", subkeys: &[ "E111DA754DD6839738F83CDC4A869829AAB70CBE", "E3AB3FFE39F7B12880B1A7035A826CAA7026DB6F", ], userids: &[ "pEpUserThree ", ] }, Record { fingerprint: "1CF1202EC58B5514EADC477AAA9CAC9C7B935A45", subkeys: &[ "423D41EF768D8D1C56CAB1FD994931632B55CF76", "D9947827069496C55E92D514DA2E401BDCC26140", "0706AEDD2CA382D2F3B0EF5C34450D8FA47BE578", ], userids: &[ "john@fake.pep.foundation", ] }, Record { fingerprint: "22A589136F68CC46076FFA6071B2EDA40DC29CC7", subkeys: &[ "C5D71768F5D7CC5C94659384ADF2379966C74972", "528A548BD73B7035AF469F3147D04DC2B74725E1", "65444DDC1BB08DE9AAB7A6BA38E7A3645666C769", ], userids: &[ "david@fake.pep.foundation", ] }, Record { fingerprint: "2349DF0D7DBD60C6C20453350553D1E9E9AE5C54", subkeys: &[ "1B8185A37003F109AE7D56921908736247B42C7C", "1815AFE0BEB4EE7195B8A8402F8A666BE91A400F", "C55EE7CACBBCEB75228CDCFBCDFBE06BBC5F6D29", ], userids: &[ "sabrina@fake.pep.foundation", ] }, Record { fingerprint: "2533E4E13EC84A784DE6F2962C3E64162620C978", subkeys: &[ "5B71667A87F2006D8C874F448134877075548DB7", "1DB026D73D7B6BB8B17646B17AB77AECC3703ED5", "434E3BB9D702FF0E4B4033454D2476E6EDCA3BE2", ], userids: &[ "zachary@fake.pep.foundation", ] }, Record { fingerprint: "2F8EB6F51987B06706ED6E45064ABE0B9108844E", subkeys: &[ "3872E86087B7C38EE469BD962DD7EC6B89966D7D", "AC677AC99D84F60E71BB1A533BDE948165BE1800", "39C6CDBC2D0DF90960BD7FBF3AD07BB3F42BD08E", ], userids: &[ "gilbert@fake.pep.foundation", ] }, Record { fingerprint: "43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3", subkeys: &[ "86801702F48ED113958C70FD28967B47191899F8", "932B684FB0672F374626F8889F5599183124F72D", "DD8B64AEE46E8DE72DBFBC03185B7A6512A48391", ], userids: &[ "ernest@fake.pep.foundation", ] }, Record { fingerprint: "4925E278E468D55BA68B3AC49E1F03BA787E31EA", subkeys: &[ "6C4B1AE1D50683DBF1224F0338CBCE44873FE1A7", "E350B80A80C6C77E4D8D0C62C96ADEF6A2CCFA98", "9578E63C4EBCB861521BE6F71949FBA7A090B71D", ], userids: &[ "yoko@fake.pep.foundation", ] }, Record { fingerprint: "4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B", subkeys: &[ "BEED00902BCD166C0F2B10C51981CA07B08A2AA3", "1EDB7F72E67CA292FE1F3428650BEEAE8BE0BA78", "4658FDA3D8FB8E9154D2EAAFE8F03F5A4682799E", ], userids: &[ "bob@fake.pep.foundation", ] }, Record { fingerprint: "507212E4796EFBF4FF8E4B1BF411A72A5C89092C", subkeys: &[ "282E7BE3396051799239B462A9173FFEBD40DA28", "DFBC57AAC0D7C9D5E5B974ADE6F0D74501D65927", ], userids: &[ "pEpUserTwo ", ] }, Record { fingerprint: "5C55764028BE2DD718F9DAAAD8D14CE515A32801", subkeys: &[ "71BB66F7E592075A11F97E2BB058180EE35C8BE0", "D87E291B879F72682D7FA06804EEFDB17B04F78B", "155A466B86DDC61DDF25E85D50B9CB75C2151872", ], userids: &[ "ophelia@fake.pep.foundation", ] }, Record { fingerprint: "68A4E57878501CF89B9844039B3560C27904221F", subkeys: &[ "C3770108DC6DC449323718F101076D890F515D6F", "B99A6A6BAB7CE86DE08AFC770509657A6BAC730C", "689D45E46A723E234DDC7AFAB4E5A2B2EF97E405", ], userids: &[ "nkls@fake.pep.foundation", ] }, Record { fingerprint: "6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07", subkeys: &[ "FFF6F17D7807A8E40F08253B1B23CEF521884A3F", "0430CE889630E018D824177C1DB2D0B226A87A27", "82C2CD0877B7DA063BD09ECE69AF5A6299EC8A60", ], userids: &[ "ziggy@fake.pep.foundation", ] }, Record { fingerprint: "7A757276DFF48471EA032D2B98611755153523E6", subkeys: &[ "B6F72694DFE3ED77F6E3EE6DEEE9E2E4D0403BA2", "36469B4676CEE3B28710D6441C23477C835E5CEB", "EE98545F41E1AFDB67C4498D42916177BEAA8874", ], userids: &[ "yves@fake.pep.foundation", ] }, Record { fingerprint: "7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76", subkeys: &[ "C8016468CCDF2C33997019647F6B5258C086DC6B", "19529BB44C4AE0FB5F7976194B8313F3BF069E6A", "9DF6E3803A0F57579C5399962C7C1FA3369E4A4D", ], userids: &[ "paul@fake.pep.foundation", ] }, Record { fingerprint: "8049F106768CD5D6374645F3B0C0ABEFB3892D73", subkeys: &[ "69FE5FFBF2EC257B452E880066CC46F715A66DBC", "C21839A49A47E534731137549079AA6B02A61A8B", "D2DC92A6E0DC69F80B355308FD289E27C690EE4E", ], userids: &[ "mary@fake.pep.foundation", ] }, Record { fingerprint: "8A0293871D97E954B8397DFD072889CB0E82D77B", subkeys: &[ "614F9A11152D7D2373A4F505D49FD2CB8EEF9103", "8E7242E2C05D1FB2B49CC19A6C9FF639C2D20ED2", "CC68938EB2949794B5D34061132E928709CB1956", ], userids: &[ "randy@fake.pep.foundation", ] }, Record { fingerprint: "912E63F55388D9886151101CDA4FE8ECD8365D6E", subkeys: &[ "AB22733035AA5F96C357D0D3773082B0012A791A", "673D7C2892CB4D38CDB1DD41AF26C6724E7E40F3", "E5772DCDB9CBD8631A2A03A93F0586841937BDFE", ], userids: &[ "ned@fake.pep.foundation", ] }, Record { fingerprint: "9BC60CF498E584E5620014340C099ECDA62431FE", subkeys: &[ "6675F0E49F87BBB75D0EE762884DFEDE8DF8A5B1", "C4669EDC5091DE34BEDD65331743133E219C1EB1", "6F2087132F126BCFB19B8B0F94D1A2CC4A978727", ], userids: &[ "victor@fake.pep.foundation", ] }, Record { fingerprint: "9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1", subkeys: &[ "32FF5498B9FF8E14D8575139DE99B5AACE801044", "568042CD692658C0FCD8B983AC9255C490B72219", "634B9C334069B2A083D1C9E66286EF138550E5C0", ], userids: &[ "irene@fake.pep.foundation", ] }, Record { fingerprint: "A20EF4E353FF61FF6B8B401AC48BF850A5E9C611", subkeys: &[ "436A273DC129DD70B4C8233B33DB91F8AAECA2FD", "BA455203A9BDEC6B168EEDE851074EA7D24AA490", "F1657C4DC11A61C47DF1CD628451B62D9873AE16", ], userids: &[ "henry@fake.pep.foundation", ] }, Record { fingerprint: "A2439F4C712EA9FA6B65BC17DECD473509E96847", subkeys: &[ "F691FDB3FE8683AC485CABEDAA761009D6D131A0", "36ECEAE6F6A2ED1264001B98B974664B34752AFC", "A762875E701B76729547C5C55609A4F9A4344957", ], userids: &[ "ulysses@fake.pep.foundation", ] }, Record { fingerprint: "AAB978A882B9A6E793960B071ADFC82AC3586C14", subkeys: &[ "F2A0CBDC287931D3D69988E5EDF969810BA5194C", ], userids: &[ "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", ] }, Record { fingerprint: "B5AAD4575B2988D99E3FB3EE973EE71028459E9A", subkeys: &[ "CA0BD82382BC588F51FDDE5083C69AF0F851437A", "826E96AD20F30B027CD6DDD70D6DF17AFEF1FFBA", "D798ABEE594EE900CDA2B0DECEFC4DCD7DD09BF9", ], userids: &[ "xenia@fake.pep.foundation", ] }, Record { fingerprint: "B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79", subkeys: &[ "823A732A9518DC79F687FFBC3D4778FC2C38084F", "9B585A80E1C81CC7A2B9B7DDDF5F5C00DA897592", "5FD13A0E30F49F9F50AD131ACDD45401DD0E759F", ], userids: &[ "alice@fake.pep.foundation", ] }, Record { fingerprint: "C11BCCBB3F843593B8975AFB958E85734EF0ADE0", subkeys: &[ "01389D318C1B7146464F7E0DDD26BFF997B128D0", "13830079F9A096D9333683EAE572969A4BF0EAA1", "FFA2C2B2685B4D258BDE8CCFC0D868F1963180D8", ], userids: &[ "ken@fake.pep.foundation", ] }, Record { fingerprint: "CB4287D637F9BC0CB38F978AEB64F54F552F0AB7", subkeys: &[ "CA30E474FBB1021F3CD7DB74C25C74A408C599D8", "A8B3E97A82D39C6DE4890C4854E2200EE3627373", "D533C66AE6DE8DC54C9D695564BF7EACFA7E07D3", ], userids: &[ "valeria@fake.pep.foundation", ] }, Record { fingerprint: "CDAE31CA330249BC5284C1F96033761A09D517DF", subkeys: &[ "8A8B91F58F4B20C3D79F3710054118196B963B7D", "F9B079BE2882793F7C7EF867EA301A7C9A893815", "6F2B8C671245EFF407259CE82C45488C98085D61", ], userids: &[ "wyatt@fake.pep.foundation", ] }, Record { fingerprint: "D27B4F82C717A04DFF3A986489929D075908994E", subkeys: &[ "C8F9A3AC57C402EACACCA0925DFAD7D10C678DBE", "F405EE2559711EAC16F4B0E37903174192105E48", "0878C54CDFC955756A002259A685E0D6F5530952", ], userids: &[ "xavier@fake.pep.foundation", ] }, Record { fingerprint: "E1C12525BFAF4F092D109F2152B7186506DCC483", subkeys: &[ "F03D87EDA63C5BFAB30182CC2B45B386DCB3A0CF", "8AF21DCC9537E2644C844383DB24D05A4CFF4204", "84FE32BC7C903DE726A36E18BDE25B8E80237EE2", ], userids: &[ "tamara@fake.pep.foundation", ] }, Record { fingerprint: "E4C1FB98268170769154C21BBD1637EEB34E933B", subkeys: &[ "60EF08693793CBC2A0452C59E7D3FED35EAF68B9", "ECA3B609C1661937540C50871D7FA83415FD0C9C", "DB2234A696DBAF7CDF04264FB929651D1EDAD644", ], userids: &[ "zenobia@fake.pep.foundation", ] }, Record { fingerprint: "EB4750A0B0A0F558ED5F768F8B893A26133B3F66", subkeys: &[ "6D600191F05865CFE5F4B93214180E23218FFEDA", "C101BCA52FBC77A2F00241B58F07A6D986845B5A", "A35FC3F687EDE1749A677486F300560992B840A8", ], userids: &[ "owen@fake.pep.foundation", ] }, Record { fingerprint: "F29B751A3123A1502E5C0665745FB6564FC5F7DC", subkeys: &[ "A1CEFF2AD2055D84311A34DD19BAAA837AA0EDE3", "B3358A65A142E96D742006A189E01368B3CFEA66", "ADE383408E6A66E64934114FDF466C19D1E09129", ], userids: &[ "carol@fake.pep.foundation", ] }, Record { fingerprint: "F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3", subkeys: &[ "59901649426B2C70871133CB0DCD1F051766107F", "4560CBD01CD2BE321EC50DF9C1B27AC998ABABB8", "83E8BC30EE962BF2D160A3F59C4396FA8EE7BB36", ], userids: &[ "quasimodo@fake.pep.foundation", ] }, Record { fingerprint: "FBD19974E304C95589F976BD71059020F2CC257C", subkeys: &[ "90FE526A624C3F4503B8E77E94E766EE6359246D", "32294836077FF576868D4958848F73B0CCB468D9", "104807CB7B51CD3CD2FF7366780F3DCE8BA84184", ], userids: &[ "louis@fake.pep.foundation", ] } ]; let tmp = tempfile::tempdir()?; let filename = tmp.path().join("keys.db"); { let mut orig = PathBuf::from(env!("CARGO_MANIFEST_DIR")); orig.push("tests/pep/keys.db"); let data = std::fs::read(orig)?; std::fs::write(&filename, data)?; } let pep = Pep::open(Some(filename)).expect("can open"); // Certs. assert_eq!(records.len(), pep.certs().count()); // Fingerprints. { let mut pep_fprs = pep.fingerprints().collect::>(); pep_fprs.sort(); let mut expected_fprs = records.iter() .map(|r| r.fingerprint()) .collect::>(); expected_fprs.sort(); assert_eq!(pep_fprs.len(), expected_fprs.len()); assert_eq!(pep_fprs, expected_fprs); } for record in records.iter() { // Lookup by certs fingerprint. for (i, key) in record.keys().enumerate() { let r = pep.lookup_by_cert_fpr(&key); if i == 0 { assert!(r.is_ok()); } else { // Looking up by subkey won't work. assert!(r.is_err()); } // By fingerprint. let kh = KeyHandle::from(key); let r = pep.lookup_by_cert(&kh).ok().map(|c| c.len()); if i == 0 { assert_eq!(r, Some(1)); } else { assert_eq!(r, None); } // By Key ID. let kh = KeyHandle::from(KeyID::from(kh)); let r = pep.lookup_by_cert(&kh).ok().map(|c| c.len()); if i == 0 { assert_eq!(r, Some(1)); } else { assert_eq!(r, None); } } // Lookup by keys. for key in record.keys() { // By fingerprint. let kh = KeyHandle::from(key); assert_eq!(pep.lookup_by_cert_or_subkey(&kh).ok().map(|c| c.len()), Some(1)); // By Key ID. let kh = KeyHandle::from(KeyID::from(kh)); assert_eq!(pep.lookup_by_cert_or_subkey(&kh).ok().map(|c| c.len()), Some(1)); } // Look up User IDs. for &userid in record.userids.into_iter() { t!("Checking that {} has User ID {:?}", record.fingerprint(), userid); let matches = pep.lookup_by_userid(&UserID::from(userid)) .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ record.fingerprint() ]); if let Ok(email) = UserIDQueryParams::is_email(userid) { t!("Checking that {} has email {:?}", record.fingerprint(), email); let matches = pep.lookup_by_email(&email) .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ record.fingerprint() ]); } } } // Look up by domain. t!("email domain"); let matches = pep.lookup_by_email_domain("fake.pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 33); let matches = pep.lookup_by_email_domain("@fake.pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 0); let matches = pep.lookup_by_email_domain("e.pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 0); let matches = pep.lookup_by_email_domain("pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 2); let matches = pep.lookup_by_email_domain("ageinghacker.net") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 3); // grep t!("Grepping"); let matches = pep.grep_email("pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 35); t!("TSKs"); let tsk_fpr = "EB4750A0B0A0F558ED5F768F8B893A26133B3F66" .parse::() .expect("valid"); let tsks = records.iter() .filter(|c| c.fingerprint() == tsk_fpr) .collect::>(); assert_eq!(tsks.len(), 1); let tsk_record = tsks.into_iter().next().expect("have one"); assert_eq!(tsk_record.fingerprint(), tsk_fpr); let tsks = pep.tsks() .map(|c| c.to_cert().expect("valid").clone()) .collect::>(); let matches = tsks .iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ tsk_record.fingerprint() ]); let tsk = tsks.into_iter().next().expect("have one"); t!("Updating the tsk"); let tsk_as_cert = tsk.clone().strip_secret_key_material(); pep.update(Arc::new(LazyCert::from(tsk_as_cert))) .expect("can update"); t!("Checking that the TSK is still a TSK"); let tsks = pep.tsks() .map(|c| c.to_cert().expect("valid").clone()) .collect::>(); let matches = tsks .iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ tsk_record.fingerprint() ]); let tsk_updated = tsks.into_iter().next().expect("have one"); assert_eq!(tsk, tsk_updated); Ok(()) } } sequoia-cert-store-0.5.0/src/store/userid_index.rs000064400000000000000000000226101046102023000203350ustar 00000000000000use std::collections::BTreeMap; use std::collections::BTreeSet; use std::collections::VecDeque; use std::str; use std::sync::RwLock; use std::sync::RwLockReadGuard; use sequoia_openpgp as openpgp; use openpgp::Fingerprint; use openpgp::Result; use openpgp::packet::UserID; use crate::store::StoreError; use crate::store::UserIDQueryParams; use super::TRACE; /// A helper data structure for implementations of [`Store`]. /// /// This data structure maintains an in-memory index of User IDs and /// email addresses, and maps them to fingerprints. It is a /// convenient helper for a [`Store`] implementing /// [`Store::select_userid`]. /// /// [`Store`]: crate::Store /// [`Store::select_userid`]: crate::Store::select_userid /// /// This data structure returns certificates with a given User ID or /// email address in `O(log n)` time. Substring and case insensitive /// matching, however, currently requires `O(n)` time. pub struct UserIDIndex { inner: RwLock, } assert_send_and_sync!(UserIDIndex); struct UserIDIndexInner { by_userid: BTreeMap>, // The *normalized* email. // // XXX: As we also want to search by domain, it would be better to // use a different representation / different data structure to // avoid having to do a full scan. One possibility would be to // use a `BTreeMap::range`. That requires a bit of gymnastics. // Alternatively we could use a trie, which is keyed on (domain, // localpart). by_email: BTreeMap>, // Because extracting the email address is expensive, we wait // until a caller actually needs `by_email`. In particular, when // used in a one-shot context, `by_email` is not access at all. by_email_pending: VecDeque<(UserID, Fingerprint)>, } impl Default for UserIDIndex { fn default() -> Self { UserIDIndex { inner: RwLock::new(UserIDIndexInner { by_userid: Default::default(), by_email: Default::default(), by_email_pending: VecDeque::new(), }), } } } impl UserIDIndex { /// Returns a new, empty UserIDIndex. pub fn new() -> Self { Self::default() } /// Adds an entry to UserIDIndex. /// /// This does *not* support removing mappings from the index. /// That is, if this function is called with the same fingerprint, /// but a User ID is removed, then the User ID is not removed from /// the index. Normally, this doesn't matter as User IDs are not /// removed (certificates are append only data structures). pub fn insert(&mut self, fpr: &Fingerprint, userids: I) where I: Iterator { let mut inner = self.inner.write().unwrap(); for userid in userids { inner.by_userid .entry(userid.clone()) .or_default() .insert(fpr.clone()); inner.by_email_pending .push_back((userid, fpr.clone())); } } /// Executes any pending insertions. /// /// This needs to be called before accessing by_email. fn execute_pending_insertions(&self) -> RwLockReadGuard { loop { // First, check if we have anything to do. let inner = self.inner.read().unwrap(); if inner.by_email_pending.is_empty() { return inner; } drop(inner); // Looks like we do. Get the writer lock. let mut inner = self.inner.write().unwrap(); let mut pending = std::mem::take(&mut inner.by_email_pending); for (userid, fpr) in pending.drain(..) { if let Ok(Some(email)) = userid.email_normalized() { inner.by_email .entry(email) .or_default() .insert(fpr.clone()); } } // std::sync::RwLock doesn't implement downgrading a // writer lock to a reader lock, so we loop. drop(inner); } } /// An implementation of [`Store::select_userid`]. /// /// [`Store::select_userid`]: crate::Store::select_userid pub fn select_userid(&self, params: &UserIDQueryParams, pattern: &str) -> Result> { tracer!(TRACE, "UserIDIndex::select_userid"); t!("params: {:?}, pattern: {:?}", params, pattern); // XXX: If you change this function, // UserIDQueryParams::select_userid contains similar code. // Update that too. let mut matches = match params { UserIDQueryParams { anchor_start: true, anchor_end: true, email: false, ignore_case: false, } => { // Exact User ID match. let userid = UserID::from(pattern); let inner = self.inner.read().unwrap(); inner.by_userid.get(&userid) .ok_or_else(|| { StoreError::NoMatches(pattern.into()) })? .iter() .cloned() .collect() } UserIDQueryParams { anchor_start: true, anchor_end: true, email: true, ignore_case: false, } => { // Exact email match. let inner = self.execute_pending_insertions(); inner.by_email .get(pattern) .ok_or_else(|| { StoreError::NoMatches(pattern.into()) })? .iter() .cloned() .collect() } UserIDQueryParams { anchor_start, anchor_end, email, ignore_case, } => { // Substring search. let mut pattern = pattern; let _pattern; if *ignore_case { // Convert to lowercase without tailoring, // i.e. without taking any locale into account. // See: // // - https://www.w3.org/International/wiki/Case_folding // - https://doc.rust-lang.org/std/primitive.str.html#method.to_lowercase // - http://www.unicode.org/versions/Unicode7.0.0/ch03.pdf#G33992 _pattern = pattern.to_lowercase(); pattern = &_pattern[..]; } // Checks if user id a match. let check = |userid: &str| -> bool { let mut userid = userid; let _userid: String; if *ignore_case { _userid = userid.to_lowercase(); userid = &_userid[..]; } t!("Considering if {:?} matches {:?} \ (anchors: {}, {}, ignore case: {})", pattern, userid, anchor_start, anchor_end, ignore_case); // XXX: Consider using // https://crates.io/crates/memchr instead. if match (*anchor_start, *anchor_end) { (true, true) => userid == pattern, (true, false) => userid.starts_with(pattern), (false, true) => userid.ends_with(pattern), (false, false) => userid.contains(pattern), } { t!("*** {:?} matches {:?} (anchors: {}, {})", pattern, userid, *anchor_start, anchor_end); true } else { false } }; if *email { let inner = self.execute_pending_insertions(); inner.by_email .iter() .filter_map(|(email, matches)| { if check(email) { Some(matches.iter()) } else { None } }) .flatten() .cloned() .collect::>() } else { let inner = self.inner.read().unwrap(); inner.by_userid .iter() .filter_map(|(userid, matches)| { // If it is not UTF-8 encoded. Ignore it. let userid = str::from_utf8(userid.value()).ok()?; if check(userid) { Some(matches.iter()) } else { None } }) .flatten() .cloned() .collect::>() } } }; if matches.is_empty() { return Err(StoreError::NoMatches(pattern.into()).into()); } matches.sort(); matches.dedup(); Ok(matches) } } sequoia-cert-store-0.5.0/src/store.rs000064400000000000000000001321501046102023000156540ustar 00000000000000use std::str; use std::sync::Arc; use std::sync::atomic::AtomicUsize; use std::sync::atomic::Ordering; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::Result; use openpgp::cert::Cert; use openpgp::cert::ValidCert; use openpgp::packet::UserID; pub use openpgp_cert_d; mod userid_index; pub use userid_index::UserIDIndex; pub mod certd; pub use certd::CertD; pub mod certs; pub use certs::Certs; pub mod keyserver; pub use keyserver::KeyServer; pub mod pep; pub use pep::Pep; use super::TRACE; use crate::LazyCert; #[derive(Debug, Clone)] pub struct UserIDQueryParams { anchor_start: bool, anchor_end: bool, email: bool, ignore_case: bool, } assert_send_and_sync!(UserIDQueryParams); impl UserIDQueryParams { /// Returns a new `UserIDQueryParams`. /// /// By default, the query is configured to perform an exact match /// on the User ID. That is, the pattern must match the start and /// end of the User ID, and case is considered significant. pub fn new() -> Self { Self { anchor_start: true, anchor_end: true, email: false, ignore_case: false, } } /// Sets whether the pattern must match the start of the User ID /// or email address. pub fn set_anchor_start(&mut self, anchor_start: bool) -> &mut Self { self.anchor_start = anchor_start; self } /// Returns whether the pattern must match the start of the User /// ID or email address. pub fn anchor_start(&self) -> bool { self.anchor_start } /// Sets whether the pattern must match the end of the User /// ID or email address. pub fn set_anchor_end(&mut self, anchor_end: bool) -> &mut Self { self.anchor_end = anchor_end; self } /// Returns whether the pattern must match the end of the User /// ID or email address. pub fn anchor_end(&self) -> bool { self.anchor_end } /// Sets whether the pattern must match the User ID or the /// normalized email address. /// /// The email address to check the pattern against is extracted /// from the User ID using [`UserID::email_normalized`]. /// /// Note: the pattern is *not* normalized, even if the anchors are /// set. If you want to search by email address you need to /// normalize it your yourself. /// /// [`UserID::email_normalized`]: https://docs.rs/sequoia-openpgp/latest/sequoia_openpgp/packet/prelude/struct.UserID.html#method.email_normalized pub fn set_email(&mut self, email: bool) -> &mut Self { self.email = email; self } /// Returns whether the pattern must match the User ID or the /// normalized email address. /// /// See [`UserIDQueryParams::set_email`] for more details. pub fn email(&self) -> bool { self.email } /// Sets whether to ignore the case when matching the User ID or /// email address. /// /// Uses the empty local. /// /// When matching an email address, the domain is always matched /// in a case insensitive manner. The localpart, however, is /// matched in a case sensitive manner by default. pub fn set_ignore_case(&mut self, ignore_case: bool) -> &mut Self { self.ignore_case = ignore_case; self } /// Returns whether to ignore the case when matching the User ID /// or email address. /// /// See [`UserIDQueryParams::set_ignore_case`] for more details. pub fn ignore_case(&self) -> bool { self.ignore_case } /// Checks that the User ID satisfies the constraints. pub fn check(&self, userid: &UserID, pattern: &str) -> bool { tracer!(TRACE, "UserIDQueryParams::check"); // XXX: If you change this function, // UserIDIndex::select_userid contains similar code. Update // that too. match self { UserIDQueryParams { anchor_start: true, anchor_end: true, email: false, ignore_case: false, } => { // Exact User ID match. userid.value() == pattern.as_bytes() } UserIDQueryParams { anchor_start: true, anchor_end: true, email: true, ignore_case: false, } => { // Exact email match. if let Ok(Some(email)) = userid.email_normalized() { email == pattern } else { false } } UserIDQueryParams { anchor_start, anchor_end, email, ignore_case, } => { t!("Considering if {:?} matches {:?} \ (anchors: {}, {}, ignore case: {})", pattern, userid, anchor_start, anchor_end, ignore_case); // Substring search. let mut userid = if *email { if let Ok(Some(email)) = userid.email_normalized() { email } else { t!("User ID does not contain a valid email address"); return false; } } else { if let Ok(userid) = String::from_utf8(userid.value().to_vec()) { userid } else { t!("User ID is not UTF-8 encoded"); return false; } }; if *ignore_case { userid = userid.to_lowercase(); } let mut pattern = pattern; let _pattern; if *ignore_case { // Convert to lowercase without tailoring, // i.e. without taking any locale into account. // See: // // - https://www.w3.org/International/wiki/Case_folding // - https://doc.rust-lang.org/std/primitive.str.html#method.to_lowercase // - http://www.unicode.org/versions/Unicode7.0.0/ch03.pdf#G33992 _pattern = pattern.to_lowercase(); pattern = &_pattern[..]; } if match (*anchor_start, *anchor_end) { (true, true) => userid == pattern, (true, false) => userid.starts_with(pattern), (false, true) => userid.ends_with(pattern), (false, false) => userid.contains(pattern), } { t!("*** {:?} matches {:?} (anchors: {}, {})", pattern, userid, *anchor_start, anchor_end); true } else { false } } } } /// Checks that at least one User ID satisfies the constraints. pub fn check_lazy_cert(&self, cert: &LazyCert, pattern: &str) -> bool { cert.userids().any(|userid| self.check(&userid, pattern)) } /// Checks that at least one User ID satisfies the constraints. pub fn check_cert(&self, cert: &Cert, pattern: &str) -> bool { cert.userids().any(|ua| self.check(ua.userid(), pattern)) } /// Checks that at least one User ID satisfies the constraints. pub fn check_valid_cert(&self, vc: &ValidCert, pattern: &str) -> bool { vc.userids().any(|ua| self.check(ua.userid(), pattern)) } /// Returns whether the supplied email address is actually a valid /// email address. /// /// If it is valid, returns the normalized email address. pub fn is_email(email: &str) -> Result { let email_check = UserID::from(format!("<{}>", email)); match email_check.email2() { Ok(Some(email_check)) => { if email != email_check { return Err(StoreError::InvalidEmail( email.to_string(), None).into()); } } Ok(None) => { return Err(StoreError::InvalidEmail( email.to_string(), None).into()); } Err(err) => { return Err(StoreError::InvalidEmail( email.to_string(), Some(err)).into()); } } match UserID::from(&email[..]).email_normalized() { Err(err) => { Err(StoreError::InvalidEmail( email.to_string(), Some(err)).into()) } Ok(None) => { Err(StoreError::InvalidEmail( email.to_string(), None).into()) } Ok(Some(email)) => { Ok(email) } } } /// Returns whether the supplied domain address is actually a /// valid domain for an email address. /// /// Returns the normalized domain. pub fn is_domain(domain: &str) -> Result { let localpart = "user@"; let email = format!("{}{}", localpart, domain); let email = Self::is_email(&email)?; // We get the normalized email address back. Chop off the // username and the @. assert!(email.starts_with(localpart)); Ok(email[localpart.len()..].to_string()) } } /// [`Store`] specific error codes. #[non_exhaustive] #[derive(thiserror::Error, Debug)] pub enum StoreError { /// No certificate was found. #[error("{0} was not found")] NotFound(KeyHandle), /// No certificate matches the search criteria. #[error("No certificates matched {0}")] NoMatches(String), /// The email address does not appear to be a valid email address. #[error("{0:?} does not appear to be a valid email address")] InvalidEmail(String, #[source] Option), } /// Status messages. /// /// Status messages sent by [`StatusListener::update`]. /// /// The transaction id allows messages to be grouped together. For /// instance, `LookupStarted` will return a new transaction id and /// further messages related to that lookup including `LookupFinished` /// and `LookupFailed` will use the same transaction id. #[non_exhaustive] #[derive(Debug)] pub enum StatusUpdate<'a, 'c> { /// Sent when a lookup is starting. /// /// usize is the transaction id. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what is being looked up. /// /// The last `&str` is a short human-readable message describing /// the look up. LookupStarted(usize, &'a str, &'a KeyHandle, Option<&'a str>), /// Sent while a lookup is on-going. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what was being looked up. /// /// The last `&str` is a short human-readable message describing /// something that happened, e.g., "WKD returned FPR", etc. LookupStatus(usize, &'a str, &'a KeyHandle, &'a str), /// Sent when a lookup has been successful. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what was being looked up. /// /// The certificates are the returned results. /// /// The last `&str` is a short human-readable message describing /// what happened, e.g., "found in cache", etc. LookupFinished(usize, &'a str, &'a KeyHandle, &'a [Arc>], Option<&'a str>), /// Sent when a lookup has failed. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what was being looked up. /// /// The error is the reason that the lookup failed. A backend /// should set this to `None` if no certificate was present. LookupFailed(usize, &'a str, &'a KeyHandle, Option<&'a anyhow::Error>), /// Sent when a search is started. /// /// usize is the transaction id. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The last `&str` is a short human-readable message describing /// what is being looked up. SearchStarted(usize, &'a str, &'a str, Option<&'a str>), /// Sent while a search is on-going. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The last `&str` is a short human-readable message describing /// something that happened, e.g., "WKD returned FPR", etc. SearchStatus(usize, &'a str, &'a str, &'a str), /// Sent when a search is successful. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The certificates are the returned results. /// /// The last `&str` is a short human-readable message describing /// what happened, e.g., "found in cache", "found 5 matching /// certificates", etc. SearchFinished(usize, &'a str, &'a str, &'a [Arc>], Option<&'a str>), /// Sent whenever something has been lookup successfully. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The error is the reason that the search failed. A backend /// should set this to `None` if no matching certificate was /// found. SearchFailed(usize, &'a str, &'a str, Option<&'a anyhow::Error>), } impl<'a, 'c> std::fmt::Display for StatusUpdate<'a, 'c> { fn fmt(&self, fmt: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> { use StatusUpdate::*; match self { LookupStarted(_tx, backend, kh, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Looking up {}: {}...", backend, kh, msg) } else { write!(fmt, "{}: Looking up {}...", backend, kh) } } LookupStatus(_tx, backend, kh, msg) => { write!(fmt, "{}: Looking up {}: {}", backend, kh, msg) } LookupFinished(_tx, backend, kh, results, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Looking up {}, returned {} results: {}", backend, kh, results.len(), msg) } else { write!(fmt, "{}: Looking up {}, returned {} results", backend, kh, results.len()) } } LookupFailed(_tx, backend, kh, err) => { if let Some(err) = err { write!(fmt, "{}: Looking up {}, failed: {}", backend, kh, err) } else { write!(fmt, "{}: Looking up {}, returned no results", backend, kh) } } SearchStarted(_tx, backend, pattern, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Searching for {:?}: {}...", backend, pattern, msg) } else { write!(fmt, "{}: Searching for {:?}...", backend, pattern) } } SearchStatus(_tx, backend, pattern, msg) => { write!(fmt, "{}: Searching for {:?}: {}", backend, pattern, msg) } SearchFinished(_tx, backend, pattern, results, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Searching for {:?}, returned {} results: {}", backend, pattern, results.len(), msg) } else { write!(fmt, "{}: Searching for {:?}, returned {} results", backend, pattern, results.len()) } } SearchFailed(_tx, backend, pattern, err) => { if let Some(err) = err { write!(fmt, "{}: Searching for {:?} failed: {}", backend, pattern, err) } else { write!(fmt, "{}: Searching for {:?}, returned no results", backend, pattern) } } } } } /// A callback mechanism to indicate what a backend is doing. /// /// We use an enum instead of a separate function for each message so /// that a naive listener can just print each message to stdout. /// /// This is primarily interesting for backends like a keyserver. /// /// Currently, backends are not required to implement this trait. In /// fact [`KeyServer`] is the only backend that implements it. A /// caller can add a listener to a `KeyServer` using /// [`KeyServer::add_listener`]. pub trait StatusListener { /// A status update. fn update(&self, status: &StatusUpdate); } /// Returns certificates from a backing store. pub trait Store<'a> { /// Returns the certificates whose fingerprint matches the handle. /// /// Returns [`StoreError::NotFound`] if no certificate is found. /// /// The caller may assume that looking up a fingerprint returns at /// most one certificate. fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>>; /// Returns the certificate with the specified fingerprint, if any. /// /// Returns [`StoreError::NotFound`] if the certificate is not found. /// /// The default implementation is implemented in terms of /// [`Store::lookup_by_cert`]. fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { let kh = KeyHandle::from(fingerprint.clone()); self.lookup_by_cert(&kh) .and_then(|v| { assert!(v.len() <= 1, "Looking up {} returned multiple certificates: {}", fingerprint, v.iter() .map(|c| { c.fingerprint().to_string() }) .collect::>() .join(", ")); v.into_iter().next() .ok_or(StoreError::NotFound(kh).into()) }) } /// Returns certificates that have a key with the specified /// handle, if any. /// /// Returns [`StoreError::NotFound`] if no certificate is not found. /// /// Note: even if you pass a fingerprint, this may return multiple /// certificates as the same subkey may be attached to multiple /// certificates. fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>>; /// Returns certificates that have a User ID matching the /// specified pattern according to the query parameters. fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>>; /// Performs an exact match on the User ID. /// /// The pattern is anchored, and the match is case sensitive. fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { self.select_userid( &UserIDQueryParams::new() .set_email(false) .set_anchor_start(true) .set_anchor_end(true) .set_ignore_case(false), &String::from_utf8(userid.value().to_vec())?) } /// Performs a case insenitive, substring match on the User ID. /// /// The pattern is not anchored, and it is matched case /// insensitively. fn grep_userid(&self, pattern: &str) -> Result>>> { self.select_userid( &UserIDQueryParams::new() .set_email(false) .set_anchor_start(false) .set_anchor_end(false) .set_ignore_case(true), pattern) } /// Returns certificates that have a User ID with the specified /// email address. /// /// The pattern is interpreted as an email address. It is first /// normalized, and then matched against the normalized email /// address, it is anchored, and the match is case sensitive. fn lookup_by_email(&self, email: &str) -> Result>>> { let userid = crate::email_to_userid(&email)?; let email = userid.email_normalized()?.expect("have one"); self.select_userid( &UserIDQueryParams::new() .set_email(true) .set_anchor_start(true) .set_anchor_end(true) .set_ignore_case(false), &email) } /// Performs a case insenitive, substring match on the normalized /// email address. /// /// The pattern is matched against the normalized email address, /// it is not anchored, and it is matched case insensitively. The /// pattern itself is *not* normalized. fn grep_email(&self, pattern: &str) -> Result>>> { self.select_userid( &UserIDQueryParams::new() .set_email(true) .set_anchor_start(false) .set_anchor_end(false) .set_ignore_case(true), pattern) } /// Returns certificates that have User ID with an email address /// from the specified domain. /// /// The pattern is interpreted as a domain address. It is first /// normalized, and then matched against the normalized email /// address, it is anchored, and the match is case sensitive. /// /// `domain` must be a bare domain, like `example.org`; it should /// not start with an `@`. This does not match subdomains. That /// is, it will match `alice@foo.bar.com` when searching for /// `bar.com`. fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { let localpart = "localpart"; let email = format!("{}@{}", localpart, domain); let userid = crate::email_to_userid(&email)?; let email = userid.email_normalized()?.expect("have one"); let domain = &email[email.rfind('@').expect("have an @")..]; self.select_userid( &UserIDQueryParams::new() .set_email(true) .set_anchor_start(false) .set_anchor_end(true) .set_ignore_case(false), domain) } /// Lists all of the certificates. /// /// If a backend is not able to enumerate all the certificates, /// then it should return those that it knows about. For /// instance, some keyservers allow certificates to be looked up /// by fingerprint, but not to enumerate all of the certificates. /// Thus, a user must not assume that if a certificate is not /// returned by this function, it cannot be found by name. fn fingerprints<'b>(&'b self) -> Box + 'b>; /// Returns all of the certificates. /// /// The default implementation is implemented in terms of /// [`Store::fingerprints`] and [`Store::lookup_by_cert_fpr`]. Many backends /// will be able to do this more efficiently. fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { Box::new(self.fingerprints() .filter_map(|fpr| { self.lookup_by_cert_fpr(&fpr).ok() })) } /// Prefills the cache. /// /// Prefilling the cache makes sense when you plan to examine most /// certificates. It doesn't make sense if you are just /// authenticating a single or a few bindings. /// /// This function may be multi-threaded. /// /// Errors should be silently ignored and propagated when the /// operation in question is executed directly. fn prefetch_all(&self) { } /// Prefetches some certificates. /// /// Prefilling the cache makes sense when you plan to examine some /// certificates in the near future. /// /// This interface is useful as it allows batching, which may be /// more efficient, especially when the certificates are accessed /// over the network. And, the function may be multi-threaded. /// /// Errors should be silently ignored and propagated when the /// operation in question is executed directly. fn prefetch_some(&self, certs: &[KeyHandle]) { let _ = certs; } } // The references in Store need a different lifetime from the contents // of the Box. Otherwise, a `Backend` that is a `&Box` would // create a self referential data structure. impl<'a: 't, 't, T> Store<'a> for Box where T: Store<'a> + ?Sized + 't { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { self.as_ref().lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { self.as_ref().lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { self.as_ref().lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { self.as_ref().select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { self.as_ref().lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { self.as_ref().grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { self.as_ref().lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { self.as_ref().grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { self.as_ref().lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { self.as_ref().fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { self.as_ref().certs() } fn prefetch_all(&self) { self.as_ref().prefetch_all() } fn prefetch_some(&self, certs: &[KeyHandle]) { self.as_ref().prefetch_some(certs) } } impl<'a: 't, 't, T> Store<'a> for &'t T where T: Store<'a> + ?Sized { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { (*self).lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { (*self).lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { (*self).lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { (*self).select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { (*self).lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { (*self).grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { (*self).lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { (*self).grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { (*self).lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { (*self).fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { (*self).certs() } } impl<'a: 't, 't, T> Store<'a> for &'t mut T where T: Store<'a> + ?Sized { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { (**self).lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { (**self).lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { (**self).lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { (**self).select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { (**self).lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { (**self).grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { (**self).lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { (**self).grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { (**self).lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { (**self).fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { (**self).certs() } fn prefetch_all(&self) { (**self).prefetch_all() } fn prefetch_some(&self, certs: &[KeyHandle]) { (**self).prefetch_some(certs) } } /// Merges two certificates. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. pub trait MergeCerts<'a> { /// Merges two certificates. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. /// /// The default implementation merges the two certificates using /// [`Cert::merge_public`]. This means that any secret key /// material in `disk` is preserved, any secret key material in /// `new` is ignored, and unhashed subpacket areas are merged. /// /// Note: `self` is a normal reference, not a mutable reference. /// This means that the underlying implementation has to use /// interior mutability. The advantage is that multiple threads /// can have a reference to the store, and update it in parallel. fn merge_public<'b>(&self, new: Arc>, disk: Option>>) -> Result>> { if let Some(disk) = disk { let merged = disk.to_cert()?.clone() .merge_public(new.to_cert()?.clone())?; Ok(Arc::new(LazyCert::from(merged))) } else { if new.is_tsk() { Ok(Arc::new(LazyCert::from(new.to_cert()?.clone() .strip_secret_key_material()))) } else { Ok(new) } } } } impl<'a> MergeCerts<'a> for () { } /// Provides an interface to update a backing store. pub trait StoreUpdate<'a>: Store<'a> { /// Insert a certificate. /// /// This uses the default implementation of [`MergeCerts`] to /// merge the certificate with any existing certificate. /// /// Note: `self` is a normal reference, not a mutable reference. /// This means that the underlying implementation has to use /// interior mutability. The advantage is that multiple threads /// can have a reference to the store, and update it in parallel. fn update(&self, cert: Arc>) -> Result<()> { self.update_by(cert, &mut ())?; Ok(()) } /// Inserts a certificate into the store. /// /// Inserts a certificate into the store and uses `merge_strategy` /// to merge it with the existing certificate, if any. /// /// Unless there is an error, you must call `merge_strategy`. /// This is the case even if the certificate is not on the /// backend. In that case, you must pass `None` for the on-disk /// version. This allows `merge_strategy` to generate statistics, /// and to modify the certificate before it is saved, e.g., by /// stripping third-party certifications. /// /// To use the default merge strategy, either call /// [`StoreUpdate::update`] directly, or pass `&mut ()`. /// /// Note: `self` and `merge_strategy` are normal references, not a /// mutable reference. This means that the underlying /// implementation has to use interior mutability. The advantage /// is that multiple threads can have a reference to the store, /// and update it in parallel. fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>>; } impl<'a: 't, 't, T> StoreUpdate<'a> for Box where T: StoreUpdate<'a> + ?Sized + 't { fn update(&self, cert: Arc>) -> Result<()> { self.as_ref().update(cert) } fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { self.as_ref().update_by(cert, merge_strategy) } } impl<'a: 't, 't, T> StoreUpdate<'a> for &'t T where T: StoreUpdate<'a> + ?Sized { fn update(&self, cert: Arc>) -> Result<()> { (*self).update(cert) } fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { (*self).update_by(cert, merge_strategy) } } /// Merges two certificates and collects statistics. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. #[derive(Debug)] #[non_exhaustive] pub struct MergePublicCollectStats { /// Number of new certificates. new_certs: AtomicUsize, /// Number of unchanged certificates. /// /// Note: there may be false negative. That is some certificates /// may be unchanged, but the heuristic thinks that they have been /// updated. unchanged_certs: AtomicUsize, /// Number of update certificates. updated_certs: AtomicUsize, /// Number of errors. errors: AtomicUsize, } assert_send_and_sync!(MergePublicCollectStats); impl MergePublicCollectStats { /// Returns a new `MergePublicCollectStats` with all stats set to 0. pub fn new() -> Self { Self { new_certs: AtomicUsize::new(0), unchanged_certs: AtomicUsize::new(0), updated_certs: AtomicUsize::new(0), errors: AtomicUsize::new(0), } } /// Returns the number of new certificates. pub fn new_certs(&self) -> usize { self.new_certs.load(Ordering::Relaxed) } /// Returns the number of unchanged certificates. pub fn unchanged_certs(&self) -> usize { self.unchanged_certs.load(Ordering::Relaxed) } /// Returns the number of updated certificates. pub fn updated_certs(&self) -> usize { self.updated_certs.load(Ordering::Relaxed) } /// Returns the number of errors. pub fn errors(&self) -> usize { self.errors.load(Ordering::Relaxed) } /// Increments the number of new certificates by 1. pub fn inc_new_certs(&self) { self.new_certs.fetch_add(1, Ordering::Relaxed); } /// Increments the number of unchanged certificates by 1. pub fn inc_unchanged_certs(&self) { self.unchanged_certs.fetch_add(1, Ordering::Relaxed); } /// Increments the number of updated certificates by 1. pub fn inc_updated_certs(&self) { self.updated_certs.fetch_add(1, Ordering::Relaxed); } /// Increments the number of errors by 1. pub fn inc_errors(&self) { self.errors.fetch_add(1, Ordering::Relaxed); } } impl<'a> MergeCerts<'a> for MergePublicCollectStats { /// Merges two certificates. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. /// /// This implementation has the same merge semantics as the /// default implementation, but it also updates the statistics in /// `self`. /// /// # Examples /// /// ```rust /// use std::any::Any; /// use std::sync::Arc; /// /// use sequoia_openpgp as openpgp; /// # use openpgp::Result; /// use openpgp::cert::prelude::*; /// use openpgp::parse::Parse; /// /// use sequoia_cert_store as cert_store; /// use cert_store::CertStore; /// use cert_store::LazyCert; /// use cert_store::store::MergePublicCollectStats; /// use cert_store::store::StoreUpdate; /// /// # fn main() -> Result<()> { /// let (cert, _rev) = CertBuilder::new().generate()?; /// /// let mut certs = CertStore::empty(); /// /// let mut stats = MergePublicCollectStats::new(); /// /// certs.update_by(Arc::new(LazyCert::from(cert)), &mut stats) /// .expect("valid"); /// /// assert_eq!(stats.new_certs(), 1); /// # Ok(()) } /// ``` fn merge_public<'b, 'rb>(&self, new: Arc>, disk: Option>>) -> Result>> { let disk = if let Some(disk) = disk { disk } else { self.inc_new_certs(); if new.is_tsk() { return Ok(Arc::new(LazyCert::from( new.to_cert()?.clone().strip_secret_key_material()))) } else { return Ok(new); } }; let fpr = new.fingerprint(); let disk = disk.to_cert() .with_context(|| { format!("Parsing {} as returned from the cert directory", fpr) })? .clone(); let new = new.to_cert() .with_context(|| { format!("Parsing {} as being inserted into \ the cert directory", fpr) })? .clone(); if disk == new { self.inc_unchanged_certs(); Ok(Arc::new(LazyCert::from(new))) } else { // If the on-disk version has secrets, we preserve them. // If new has secrets, we ignore them. match disk.clone().merge_public(new) { Ok(merged) => { if merged == disk { self.inc_unchanged_certs(); } else { self.inc_updated_certs(); } Ok(Arc::new(LazyCert::from(merged))) } Err(err) => { self.inc_errors(); Err(err.into()) } } } } } #[cfg(test)] mod tests { use super::*; use crate::store; // Make sure we can pass a &Box where a generic type // needs to implement Store. #[test] fn store_boxed() -> Result<()> { struct Foo<'a, B> where B: Store<'a> { backend: B, _a: std::marker::PhantomData<&'a ()>, } impl<'a, B> Foo<'a, B> where B: Store<'a> { fn new(backend: B) -> Self { Foo { backend, _a: std::marker::PhantomData, } } fn count(&self) -> usize { self.backend.certs().count() } } let backend = store::Certs::empty(); let backend: Box = Box::new(backend); let foo = Foo::new(&backend); // Do something (anything) with the backend. assert_eq!(foo.count(), 0); Ok(()) } // Make sure we can pass a &Box where a generic type // needs to implement Store. #[test] fn store_update_boxed() -> Result<()> { struct Foo<'a, B> where B: StoreUpdate<'a> { backend: B, _a: std::marker::PhantomData<&'a ()>, } impl<'a, B> Foo<'a, B> where B: StoreUpdate<'a> { fn new(backend: B) -> Self { Foo { backend, _a: std::marker::PhantomData, } } fn count(&self) -> usize { self.backend.certs().count() } } let backend = store::Certs::empty(); let backend: Box = Box::new(backend); let foo = Foo::new(&backend); // Do something (anything) with the backend. assert_eq!(foo.count(), 0); Ok(()) } #[test] fn is_email() { assert!(UserIDQueryParams::is_email("foo@domain.com").is_ok()); // Need a local part. assert!(UserIDQueryParams::is_email("@domain.com").is_err()); // Need a domain. assert!(UserIDQueryParams::is_email("foo@").is_err()); // One @ assert!(UserIDQueryParams::is_email("foo").is_err()); assert!(UserIDQueryParams::is_email("foo@@domain.com").is_err()); assert!(UserIDQueryParams::is_email("foo@a@domain.com").is_err()); // Bare email address, not wrapped in angle brackets. assert!(UserIDQueryParams::is_email("").is_err()); // Whitespace is not allowed. assert!(UserIDQueryParams::is_email(" foo@domain.com").is_err()); assert!(UserIDQueryParams::is_email("foo o@domain.com").is_err()); assert!(UserIDQueryParams::is_email("foo@do main.com").is_err()); assert!(UserIDQueryParams::is_email("foo@domain.com ").is_err()); } #[test] fn is_domain() { assert!(UserIDQueryParams::is_domain("domain.com").is_ok()); // No at. assert!(UserIDQueryParams::is_domain("foo").is_ok()); assert!(UserIDQueryParams::is_domain("@domain.com").is_err()); assert!(UserIDQueryParams::is_domain("foo@").is_err()); assert!(UserIDQueryParams::is_domain("foo@@domain.com").is_err()); assert!(UserIDQueryParams::is_domain("foo@a@domain.com").is_err()); assert!(UserIDQueryParams::is_domain("").is_err()); } include!("../tests/keyring.rs"); // Check that MergePublicCollectStats works as advertised. #[test] fn store_update_merge_public_collect_stats() { use std::collections::HashSet; use openpgp::Cert; use openpgp::parse::Parse; use crate::CertStore; use crate::store::MergePublicCollectStats; let certs = CertStore::empty(); let mut stats = MergePublicCollectStats::new(); let mut seen = HashSet::new(); for (i, cert) in keyring::certs.iter().enumerate() { let cert = Cert::from_bytes(&cert.bytes()).expect("valid"); let fpr = cert.fingerprint(); seen.insert(fpr.clone()); certs.update_by(Arc::new(LazyCert::from(cert)), &mut stats) .expect("valid"); eprintln!("After inserting {} ({}), stats: {:?}", i, fpr, stats); assert_eq!(stats.new_certs(), seen.len()); assert_eq!(stats.new_certs() + stats.updated_certs() + stats.unchanged_certs(), i + 1); } let new = stats.new_certs(); let updated = stats.updated_certs(); let unchanged = stats.unchanged_certs(); // Insert again. This time nothing should change. for (i, cert) in keyring::certs.iter().enumerate() { let cert = Cert::from_bytes(&cert.bytes()).expect("valid"); let fpr = cert.fingerprint(); certs.update_by(Arc::new(LazyCert::from(cert)), &mut stats) .expect("valid"); eprintln!("After reinserting {} ({}), stats: {:?}", i, fpr, stats); // These should not change: assert_eq!(stats.new_certs(), new); // Update should also not change, but there may be false // positives. assert_eq!(stats.unchanged_certs() + stats.updated_certs(), updated + unchanged + i + 1); } } } sequoia-cert-store-0.5.0/tests/Makefile000064400000000000000000000006171046102023000161670ustar 00000000000000certs = data/alice.pgp \ data/alice2.pgp \ data/alice2-adopted-alice.pgp \ data/bob.pgp \ data/carol.pgp \ data/david.pgp \ data/ed.pgp \ data/halfling-signing.pgp \ data/halfling-encryption.pgp \ data/hans-puny-code.pgp \ data/steve.pgp \ data/una.pgp keyring.rs keyring.pgp: $(certs) cert2rust.sh ./cert2rust.sh $(certs) > keyring.rs sq toolbox keyring merge $(certs) > keyring.pgp sequoia-cert-store-0.5.0/tests/cert2rust.sh000075500000000000000000000046601046102023000170250ustar 00000000000000#! /bin/bash set -e echo "#[allow(non_upper_case_globals, dead_code)] mod keyring { use std::path::Path; use anyhow::Result; use sequoia_openpgp as openpgp; use openpgp::parse::Parse; pub struct Cert { pub filename: &'static str, pub base: &'static str, pub fingerprint: &'static str, pub subkeys: &'static [&'static str], pub userids: &'static [&'static str], } impl Cert { pub fn bytes(&self) -> Vec { let filename = Path::new(env!(\"CARGO_MANIFEST_DIR\")) .join(\"tests\") .join(self.filename); std::fs::read(filename).expect(\"exists\") } pub fn to_cert(&self) -> Result { openpgp::Cert::from_bytes(&self.bytes()) } } " for file in "$@" "EOF!" do base=${file%-priv.pgp} base=${base%.pgp} base=${base#*/} base=$(echo $base | sed 's/-/_/g') echo "FILE:$file:$base" if test "x$file" != "xEOF!" then sq toolbox packet dump "$file" fi done | awk -F '[ \t]*:[ \t]*' ' BEGIN { # Initialize the arrays. delete certs[0]; delete fprs[0]; delete userids[0]; print " pub const certs: &[Cert] = &[" } END { print " ];" for (i = 0; i < length(certs) - 1; i ++) { print " pub const "certs[i]": &Cert = &certs["i"];"; } } $1 ~ /^FILE$/ { # Print the pending record. if (length(fprs) > 0) { print " // "base print " Cert {" print " filename: \""file"\"," print " base: \""base"\"," print " fingerprint: \""fprs[0]"\"," print " subkeys: &["; for(i = 1; i < length(fprs); i ++) { print " \""fprs[i]"\"," } print " ],"; print " userids: &["; for(i = 0; i < length(userids); i ++) { print " \""userids[i]"\"," } print " ]," print " }," } # Reinitialize the state. delete fprs; delete userids; # Make sure the arrays are interrupted as arrays and not scalars # (need for length(fprs). delete fprs[0]; delete userids[0]; file=$2; base=$3; certs[length(certs)] = base; } $1 ~ /^ *Fingerprint$/ { fprs[length(fprs)] = $2; } $1 ~ /^ *Value$/ { userids[length(userids)] = $2; } ' echo "} // mod keyring" sequoia-cert-store-0.5.0/tests/data/README.md000064400000000000000000000113411046102023000167130ustar 00000000000000The certificates: ``` $ for i in $(ls -1 *.pgp | grep -v -- -priv.pgp | sort); do echo; echo "- $i:"; sq inspect $i; done | grep -E '^- |Fingerprint|Key flags|Subkey|UserID' - alice2-adopted-alice.pgp: Fingerprint: 23CFE49D4BB7A0AA83619C147E716FFE77DF170A Key flags: certification Subkey: 662F03FC47C05D070B53A93AD5A5048A71CD012A Key flags: signing Subkey: 5989D7BE9908AE24799DF6CFBE678043781349F1 Key flags: transport encryption, data-at-rest encryption UserID: UserID: - alice2.pgp: Fingerprint: 23CFE49D4BB7A0AA83619C147E716FFE77DF170A Key flags: certification UserID: UserID: - alice.pgp: Fingerprint: 30505BCEB7403A1BBFA9DBF0BFBE63567B4BA57A Key flags: certification Subkey: 662F03FC47C05D070B53A93AD5A5048A71CD012A Key flags: signing Subkey: A6D92948A7ADEB809F04202F1CF1943DFE153D1E Key flags: authentication Subkey: 5989D7BE9908AE24799DF6CFBE678043781349F1 Key flags: transport encryption, data-at-rest encryption UserID: UserID: - bob.pgp: Fingerprint: 9994DBF9D34E88E2A21D0CE8E79C9395A1004BB0 Key flags: certification Subkey: 7E01441CBF6FAB5C4AB457E2FBD6F5322354B331 Key flags: authentication UserID: - carol.pgp: Fingerprint: E9C6EFC0E39CE6F9DF5274E7E362D45C7FF7B654 Key flags: certification Subkey: CD22D4BD99FF10FDA11A83D4213DCB92C95346CE Key flags: authentication UserID: UserID: - david.pgp: Fingerprint: A82BC944220BD5EBECC4D42883F74A0EAC207446 Key flags: certification Subkey: DF674FBAC52E00F0E6E48436481D2E18158FB594 Key flags: authentication UserID: - ed.pgp: Fingerprint: 0C346B2B6241263F64E9C7CF1EA300797258A74E Key flags: certification Subkey: 0C346B2B6241263F64E9C7CF1EA300797258A74E Key flags: certification UserID: - halfling-encryption.pgp: Fingerprint: D58E047C05D115EA4F3D1A98A67A733127BBE804 Key flags: certification Subkey: 9DCDA2A95A17B728D6A5115EFF5C6582E4D14B68 Key flags: signing Subkey: CC4EFA3BFAB8E92A54CDEA3F3DC7543293DD4E53 Key flags: transport encryption, data-at-rest encryption UserID: UserID: Halfling - halfling-signing.pgp: Fingerprint: D58E047C05D115EA4F3D1A98A67A733127BBE804 Key flags: certification Subkey: 69669E91C8D5C546D442FB246FE6D4751AC09E15 Key flags: authentication Subkey: 9DCDA2A95A17B728D6A5115EFF5C6582E4D14B68 Key flags: signing UserID: UserID: Halfling - hans-puny-code.pgp: Fingerprint: F6675D0E4DA40823715C4811B89491F07D08E4F8 Key flags: certification Subkey: 3F60EA0AEBC13E290939A080DB1F5F11C17CB2D4 Key flags: signing UserID: Hans - steve.pgp: Fingerprint: 217E256E176719A5452EDFF935AADEC66B56585B Key flags: certification Subkey: 32C5820540308752B7092EE5B596B656FD8F700B Key flags: signing UserID: Steve - una.pgp: Fingerprint: 119B01460659D8EF3732BEC271424ADE3EC61BBC Key flags: certification Subkey: EE58C32E3D2336F223BD89CED0BE447BF39B439F Key flags: signing UserID: Una ``` alice: A normal certificate with two User IDs. Shares one with alice. alice2: A normal certificate with two User IDs. Shares one with alice. alice2-adopted-alice: alice2, but adopts the signing and encryption subkeys from alice. (Note: does *not* adopt the authentication subkey.) bob: A normal certificate with two User IDs. carol: A normal certificate with two User IDs. david: A normal certificate, but with a copy of one of carol's subkeys (CD22D4BD99FF10FDA11A83D4213DCB92C95346CE). That is, the subkey is appended to david's certificate, but there is no binding signature. ed: An unusual certificate: his primary key is also a subkey on his certificate! halfling: Two versions of the same certificate. Both have the same authentication subkey, one has a signing subkey, the other an encryption subkey. Likewise, both have one User ID in common (regis@pup.com) and a second User ID ('Halfling ' and 'Halfling ', respectively). hans: A certificate with an email address that uses puny code. una: A certificate with an email address for the domain `company.com`. steve: A certificate with an email address for a subdomain of `sub.company.com`. sequoia-cert-store-0.5.0/tests/data/alice-priv.pgp000064400000000000000000000051251046102023000202020ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 3050 5BCE B740 3A1B BFA9 DBF0 BFBE 6356 7B4B A57A Comment: Comment: xVgEY+UZ6hYJKwYBBAHaRw8BAQdApx8xAVNjcUkGW31wZ6Q9vu3nyxJWtXmHZv3s fNltYBAAAQDsK+BQsRsLPvAIHJu3C+BKXcHM8mT1IjaM8DWG+nzGUxBLwsALBB8W CgB9BYJj5RnqAwsJBwkQv75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jnva4FJbJxx7sK7X3dhFq2wNvcZsFejb7GQ3lC8VLAYgoD FQoIApsBAh4BFiEEMFBbzrdAOhu/qdvwv75jVntLpXoAAP5cAQD061B+gQ3jEOpw 6Q/wjnDozuYsGzLHBFWEFVi/IbItLwD/TWIPqi8u+rg6izg5FyWKUKmOM4aQJ1Vf 197wsnS4owbNEzxhbGljZUBiZWlzcGllbC5kZT7CwAsEExYKAH0FgmPlGeoDCwkH CRC/vmNWe0ulekcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdH+TPK9LgWpgPdmdKdauHGsYnmmqULgjFaoKg1gCusNwMVCggCmwECHgEWIQQw UFvOt0A6G7+p2/C/vmNWe0ulegAAeYEBALQonPFqr7aboFpg0XJYDP87Yj/p2pdQ r/Esmfq6B+3rAP0VuZjSj3jGQdhANQEajzgt+jPiBdHiXYyg1EL3bYJ8Cc0TPGFs aWNlQGV4YW1wbGUub3JnPsLADgQTFgoAgAWCY+UZ6gMLCQcJEL++Y1Z7S6V6RxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6VXkc72cU7i9Ybj ZAE/9tKUTWlrkjezQ4RNMjCAFjW5AxUKCAKZAQKbAQIeARYhBDBQW863QDobv6nb 8L++Y1Z7S6V6AAC0swEAjcl5uncoHJJq3TDFd9djxobft/sG1fRfDZkCbnSDSaEA /Rjc4Q1eMgz1cM8W2wqvbdgdlFVr7kzTkdrsKUaN9ZoIx1gEY+UZ6hYJKwYBBAHa Rw8BAQdA7Xh768P0ELWKVha7jvlrf96N6bK8+ISBFSWBwQeTLakAAQCtqQCQsy1s v2FYdJMNdYhSWii805Yl5cC3A0IYgnrnpw8dwsC/BBgWCgExBYJj5RnqCRC/vmNW e0ulekcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdtYYQ1 1XlNWLv9gxhoTYet69Lh8X77HOWBpzAdtJBmXwKbAr6gBBkWCgBvBYJj5RnqCRDV pQSKcc0BKkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdQ lNFzuInCVzUbKl51HCYaZFdTs2LNrQh8L9q/1owAWhYhBGYvA/xHwF0HC1OpOtWl BIpxzQEqAADLjAD/QUyfRGsEP2hWDBpFpCtUdGfP6A1jeKQn+9Xw9DtxbKQA/3R4 DWT92tQVKhxACYZ0fwonKES3O/LoXUNlAiopk3oHFiEEMFBbzrdAOhu/qdvwv75j VntLpXoAAApDAP0aJdpJydTAcca0k3PXSbkesKGt6FzRX2FfaVYsF344PgEA53Wg I0BP1JaXYVluRw/e810Cs6WU1mfx8+es89IjMg/HWARj5RnqFgkrBgEEAdpHDwEB B0D5ukYoevx2XvwlWHTFXAwCOan5xlwnfSGOMQ1zfxvZNwAA/iWeus2V/ORnJWtL uI/494HqbfeN0iqt8No362LvB4bvFPPCwAAEGBYKAHIFgmPlGeoJEL++Y1Z7S6V6 RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+lcv7W/p/Na pcQEogXqYyBZMz8ravDhJf05LAAF5taFApsgFiEEMFBbzrdAOhu/qdvwv75jVntL pXoAABJ9AQCWbnMz/xaOEjnPVOGDL+zL24fn0p0hsaeoqg3vi5fWxwD8CLVImAhu tMIo5RVprJMPtvB/HYohbEzKhGfPnjDGjALHXQRj5RnqEgorBgEEAZdVAQUBAQdA Znn93nJMi4jDuZCRv4apwCIdKrm/NZbCy0wnDX7MEwgDAQgHAAD/WLQhnzGd2f++ ac/vRlm+/e4+FNeEjUhR0szxsnYg3CgTTMLAAAQYFgoAcgWCY+UZ6gkQv75jVntL pXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jny+Hpckkt MWCWN9rhA2ojDCEHFohdcAL/OqZVDI4A7dQCmwwWIQQwUFvOt0A6G7+p2/C/vmNW e0ulegAAAfwBAI57hRdq6yb6HQLiH1zd4VuKvqCwpHPvNgtniyN8iWKwAQCSHyAV X0P3g8IpYr9kGrcaOJlZBL7lGacyWnqO5X8rAA== =fTyc -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/alice.pgp000064400000000000000000000046101046102023000172220ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 3050 5BCE B740 3A1B BFA9 DBF0 BFBE 6356 7B4B A57A Comment: Comment: xjMEY+UZ6hYJKwYBBAHaRw8BAQdApx8xAVNjcUkGW31wZ6Q9vu3nyxJWtXmHZv3s fNltYBDCwAsEHxYKAH0FgmPlGeoDCwkHCRC/vmNWe0ulekcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcme9rgUlsnHHuwrtfd2EWrbA29xmwV6N vsZDeULxUsBiCgMVCggCmwECHgEWIQQwUFvOt0A6G7+p2/C/vmNWe0ulegAA/lwB APTrUH6BDeMQ6nDpD/COcOjO5iwbMscEVYQVWL8hsi0vAP9NYg+qLy76uDqLODkX JYpQqY4zhpAnVV/X3vCydLijBs0TPGFsaWNlQGJlaXNwaWVsLmRlPsLACwQTFgoA fQWCY+UZ6gMLCQcJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ0f5M8r0uBamA92Z0p1q4caxieaapQuCMVqgqDWAK6w3AxUK CAKbAQIeARYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAB5gQEAtCic8WqvtpugWmDR clgM/ztiP+nal1Cv8SyZ+roH7esA/RW5mNKPeMZB2EA1ARqPOC36M+IF0eJdjKDU QvdtgnwJzRM8YWxpY2VAZXhhbXBsZS5vcmc+wsAOBBMWCgCABYJj5RnqAwsJBwkQ v75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn pVeRzvZxTuL1huNkAT/20pRNaWuSN7NDhE0yMIAWNbkDFQoIApkBApsBAh4BFiEE MFBbzrdAOhu/qdvwv75jVntLpXoAALSzAQCNyXm6dygckmrdMMV312PGht+3+wbV 9F8NmQJudINJoQD9GNzhDV4yDPVwzxbbCq9t2B2UVWvuTNOR2uwpRo31mgjOMwRj 5RnqFgkrBgEEAdpHDwEBB0DteHvrw/QQtYpWFruO+Wt/3o3psrz4hIEVJYHBB5Mt qcLAvwQYFgoBMQWCY+UZ6gkQv75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlv bnMuc2VxdW9pYS1wZ3Aub3JnbWGENdV5TVi7/YMYaE2HrevS4fF++xzlgacwHbSQ Zl8CmwK+oAQZFgoAbwWCY+UZ6gkQ1aUEinHNASpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnUJTRc7iJwlc1GypedRwmGmRXU7Niza0IfC/a v9aMAFoWIQRmLwP8R8BdBwtTqTrVpQSKcc0BKgAAy4wA/0FMn0RrBD9oVgwaRaQr VHRnz+gNY3ikJ/vV8PQ7cWykAP90eA1k/drUFSocQAmGdH8KJyhEtzvy6F1DZQIq KZN6BxYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAAKQwD9GiXaScnUwHHGtJNz10m5 HrChrehc0V9hX2lWLBd+OD4BAOd1oCNAT9SWl2FZbkcP3vNdArOllNZn8fPnrPPS IzIPzjMEY+UZ6hYJKwYBBAHaRw8BAQdA+bpGKHr8dl78JVh0xVwMAjmp+cZcJ30h jjENc38b2TfCwAAEGBYKAHIFgmPlGeoJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+lcv7W/p/NapcQEogXqYyBZMz8ravDh Jf05LAAF5taFApsgFiEEMFBbzrdAOhu/qdvwv75jVntLpXoAABJ9AQCWbnMz/xaO EjnPVOGDL+zL24fn0p0hsaeoqg3vi5fWxwD8CLVImAhutMIo5RVprJMPtvB/HYoh bEzKhGfPnjDGjALOOARj5RnqEgorBgEEAZdVAQUBAQdAZnn93nJMi4jDuZCRv4ap wCIdKrm/NZbCy0wnDX7MEwgDAQgHwsAABBgWCgByBYJj5RnqCRC/vmNWe0ulekcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfL4elySS0xYJY3 2uEDaiMMIQcWiF1wAv86plUMjgDt1AKbDBYhBDBQW863QDobv6nb8L++Y1Z7S6V6 AAAB/AEAjnuFF2rrJvodAuIfXN3hW4q+oLCkc+82C2eLI3yJYrABAJIfIBVfQ/eD wiliv2Qatxo4mVkEvuUZpzJaeo7lfysA =BY+x -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/alice2-adopted-alice-priv.pgp000064400000000000000000000043151046102023000227550ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xVgEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vMAAP9zhzAUmgRsXfq0k+HAauIoMJZolK3EM2kI5CsiIsAniw+WwsALBB8W CgB9BYJj5RobAwsJBwkQfnFv/nffFwpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JncVBBE88Gk0KMiijn6+D2YEwnUHeM/zg0vALIwDl2RrQD FQoIApsBAh4BFiEEI8/knUu3oKqDYZwUfnFv/nffFwoAAOMlAP9D/ZD6KFO8d1TB Ki2nvKSmm/RwX6aVPDEVS0uPu9iMtwD/QhVzSsD6wzcd80Ula9IDT+C7yEZ2CMpc IeiIA2WGQwjNEzxhbGljZUBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGhsDCwkH CRB+cW/+d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdoocXr9PuRzwDItT2MITA36GIBcBfqXedZAbR7P5nqLgMVCggCmQECmwECHgEW IQQjz+SdS7egqoNhnBR+cW/+d98XCgAAqY0BALITDqYhnN3dLZlK3ybrImivQ83D b17zs/FaDBU8rM7MAPsEPi8BtIDh3sgcsjn600t0hlEszveHHFQgoMnuYc3jBM0R PGFsaWNlQHZlcmVpbi5kZT7CwAsEExYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmckJt7Ocdb1SmQu A6weRYznf4bioouOY5+r/FSgtpPc+wMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+ cW/+d98XCgAA9hUBAPQK/vysGLQwjN0dZD2WILPlzbt7qn6VGc9hDCHNPsUDAP4k CdMGyA0acViE1AIc5Twwn3sEPIXJihzjfsUyuk2FDcdYBGPlGeoWCSsGAQQB2kcP AQEHQO14e+vD9BC1ilYWu475a3/ejemyvPiEgRUlgcEHky2pAAEArakAkLMtbL9h WHSTDXWIUloovNOWJeXAtwNCGIJ656cPHcLAvwQYFgoBMQWCY+UagAkQfnFv/nff FwpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnqMoVP0Pd Oi25d/qc8ueT5jt9aF33lxjSugNbcEQ4a4wCmwK+oAQZFgoAbwWCY+UavAkQ1aUE inHNASpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnRoBN k8e87zbsqsgeb64KBZIzl9XnTskLml6gFmtRn6wWIQRmLwP8R8BdBwtTqTrVpQSK cc0BKgAAu0oA/0JDvSmuSOijhvPXMy8g0hX0MjiamfiVNTrk5P1PcnLfAPwNzR12 KvEokeqJ+kbZsl9T1qVqMMfR2/dFEjMPc6atChYhBCPP5J1Lt6Cqg2GcFH5xb/53 3xcKAAAdJQD+OZbuEBjzGBetUP8CPeqyckDWZQCe0dCNw6BBp9JUcAsBAKyVZINQ Q4xRXEaSr/j3yEXXeLAktweByQ9rq75bMTECx10EY+UZ6hIKKwYBBAGXVQEFAQEH QGZ5/d5yTIuIw7mQkb+GqcAiHSq5vzWWwstMJw1+zBMIAwEIBwAA/1i0IZ8xndn/ vmnP70ZZvv3uPhTXhI1IUdLM8bJ2INwoE0zCwAAEGBYKAHIFgmPlGoAJEH5xb/53 3xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZzKM37Ew uBHlB0dJ4Ljo9MIUDIEaVEFyJ+l+659sYwQsApsMFiEEI8/knUu3oKqDYZwUfnFv /nffFwoAANJrAP0aUjgxFCD789m2w0nAry0SA5JlLjuxWOJ42ziWEYAYUgEAzJwW RDgabsLC7VZ+v+TZ7wEh0JhGk6dX2lbH0v1apwE= =Qflk -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/alice2-adopted-alice.pgp000064400000000000000000000040651046102023000220010ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vPCwAsEHxYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdxUEETzwaTQoyKKOfr4PZgTCdQd4z/ ODS8AsjAOXZGtAMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAA4yUA /0P9kPooU7x3VMEqLae8pKab9HBfppU8MRVLS4+72Iy3AP9CFXNKwPrDNx3zRSVr 0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFsaWNlQGV4YW1wbGUub3JnPsLADgQTFgoA gAWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1PYwhMDfoYgFwF+pd51kBtHs/meouAxUK CAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAACpjQEAshMOpiGc3d0t mUrfJusiaK9DzcNvXvOz8VoMFTyszswA+wQ+LwG0gOHeyByyOfrTS3SGUSzO94cc VCCgye5hzeMEzRE8YWxpY2VAdmVyZWluLmRlPsLACwQTFgoAfQWCY+UaGwMLCQcJ EH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y ZyQm3s5x1vVKZC4DrB5FjOd/huKii45jn6v8VKC2k9z7AxUKCAKbAQIeARYhBCPP 5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA9Ar+/KwYtDCM3R1kPZYgs+XNu3uqfpUZ z2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzlPDCfewQ8hcmKHON+xTK6TYUNzjMEY+UZ 6hYJKwYBBAHaRw8BAQdA7Xh768P0ELWKVha7jvlrf96N6bK8+ISBFSWBwQeTLanC wL8EGBYKATEFgmPlGoAJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ6jKFT9D3TotuXf6nPLnk+Y7fWhd95cY0roDW3BEOGuM ApsCvqAEGRYKAG8FgmPlGrwJENWlBIpxzQEqRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZ0aATZPHvO827KrIHm+uCgWSM5fV507JC5peoBZr UZ+sFiEEZi8D/EfAXQcLU6k61aUEinHNASoAALtKAP9CQ70prkjoo4bz1zMvINIV 9DI4mpn4lTU65OT9T3Jy3wD8Dc0ddirxKJHqifpG2bJfU9alajDH0dv3RRIzD3Om rQoWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAAHSUA/jmW7hAY8xgXrVD/Aj3qsnJA 1mUAntHQjcOgQafSVHALAQCslWSDUEOMUVxGkq/498hF13iwJLcHgckPa6u+WzEx As44BGPlGeoSCisGAQQBl1UBBQEBB0Bmef3eckyLiMO5kJG/hqnAIh0qub81lsLL TCcNfswTCAMBCAfCwAAEGBYKAHIFgmPlGoAJEH5xb/533xcKRxQAAAAAAB4AIHNh bHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZzKM37EwuBHlB0dJ4Ljo9MIUDIEa VEFyJ+l+659sYwQsApsMFiEEI8/knUu3oKqDYZwUfnFv/nffFwoAANJrAP0aUjgx FCD789m2w0nAry0SA5JlLjuxWOJ42ziWEYAYUgEAzJwWRDgabsLC7VZ+v+TZ7wEh 0JhGk6dX2lbH0v1apwE= =teyh -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/alice2-priv.pgp000064400000000000000000000023011046102023000202550ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xVgEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vMAAP9zhzAUmgRsXfq0k+HAauIoMJZolK3EM2kI5CsiIsAniw+WwsALBB8W CgB9BYJj5RobAwsJBwkQfnFv/nffFwpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JncVBBE88Gk0KMiijn6+D2YEwnUHeM/zg0vALIwDl2RrQD FQoIApsBAh4BFiEEI8/knUu3oKqDYZwUfnFv/nffFwoAAOMlAP9D/ZD6KFO8d1TB Ki2nvKSmm/RwX6aVPDEVS0uPu9iMtwD/QhVzSsD6wzcd80Ula9IDT+C7yEZ2CMpc IeiIA2WGQwjNEzxhbGljZUBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGhsDCwkH CRB+cW/+d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdoocXr9PuRzwDItT2MITA36GIBcBfqXedZAbR7P5nqLgMVCggCmQECmwECHgEW IQQjz+SdS7egqoNhnBR+cW/+d98XCgAAqY0BALITDqYhnN3dLZlK3ybrImivQ83D b17zs/FaDBU8rM7MAPsEPi8BtIDh3sgcsjn600t0hlEszveHHFQgoMnuYc3jBM0R PGFsaWNlQHZlcmVpbi5kZT7CwAsEExYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmckJt7Ocdb1SmQu A6weRYznf4bioouOY5+r/FSgtpPc+wMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+ cW/+d98XCgAA9hUBAPQK/vysGLQwjN0dZD2WILPlzbt7qn6VGc9hDCHNPsUDAP4k CdMGyA0acViE1AIc5Twwn3sEPIXJihzjfsUyuk2FDQ== =gFrK -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/alice2.pgp000064400000000000000000000022121046102023000173000ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vPCwAsEHxYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdxUEETzwaTQoyKKOfr4PZgTCdQd4z/ ODS8AsjAOXZGtAMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAA4yUA /0P9kPooU7x3VMEqLae8pKab9HBfppU8MRVLS4+72Iy3AP9CFXNKwPrDNx3zRSVr 0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFsaWNlQGV4YW1wbGUub3JnPsLADgQTFgoA gAWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1PYwhMDfoYgFwF+pd51kBtHs/meouAxUK CAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAACpjQEAshMOpiGc3d0t mUrfJusiaK9DzcNvXvOz8VoMFTyszswA+wQ+LwG0gOHeyByyOfrTS3SGUSzO94cc VCCgye5hzeMEzRE8YWxpY2VAdmVyZWluLmRlPsLACwQTFgoAfQWCY+UaGwMLCQcJ EH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y ZyQm3s5x1vVKZC4DrB5FjOd/huKii45jn6v8VKC2k9z7AxUKCAKbAQIeARYhBCPP 5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA9Ar+/KwYtDCM3R1kPZYgs+XNu3uqfpUZ z2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzlPDCfewQ8hcmKHON+xTK6TYUN =YlOd -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/bob-priv.pgp000064400000000000000000000023611046102023000176660ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 9994 DBF9 D34E 88E2 A21D 0CE8 E79C 9395 A100 4BB0 Comment: xVgEY+UatRYJKwYBBAHaRw8BAQdAQIdC7Mtji2y/IXhu8JCxu1G0qqYTgr49Bdj8 snAIEM8AAQCfCfQG/hHyGgmqdj4+UgZp+vloXbyCYj8D42Gex98QCA5ewsALBB8W CgB9BYJj5Rq1AwsJBwkQ55yTlaEAS7BHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jn7D3pLAHwD1YR/1SDpvqqikIW/jpemK0r8zWs/l/3DdUD FQoIApsBAh4BFiEEmZTb+dNOiOKiHQzo55yTlaEAS7AAAPV6AQDhSfx5nt+3MJyo 7B52cukyqIOnoqCYGWo+4t828i9XaAEAx2jWVjseyux9vdanQYlrLdgHsAx0B4tJ ogMFSR6XRwjNETxib2JAZXhhbXBsZS5vcmc+wsAOBBMWCgCABYJj5Rq1AwsJBwkQ 55yTlaEAS7BHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn bfF/2XNAdjk1Z4tNpf8fjcymgy+YqdjnN0x32eHY/k0DFQoIApkBApsBAh4BFiEE mZTb+dNOiOKiHQzo55yTlaEAS7AAAI8xAQCUN00BU9dDjLwlBK4IyF/UBjOXxAR+ +/vMa/HG7n3HHAD5Aa3gipNh3e/ebxKxU6nUel0/UWWc9c4/gTm+uQEQFAvHWARj 5Rq1FgkrBgEEAdpHDwEBB0CCpHHKZeveaGq/F/p022nymMdI3AuvaxqA0AR8avec TwAA/16FbccP13iBXOXTbvnujSBR2XdVR/24wXn/jX85yzEMEoPCwAAEGBYKAHIF gmPlGrUJEOeck5WhAEuwRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt cGdwLm9yZ5os3w7f5+o4HuUxBV2h63k5B43y/CMMuZ273JSDTn7ZApsgFiEEmZTb +dNOiOKiHQzo55yTlaEAS7AAACSnAQDdhmWSrUA+k1fugEjo5Z6qZ2CRHAdMs0ou 70ih530UIgD+IphnO+r+t4vmL38Q5axtrveDaT5/CaObmyWdGpPnJgA= =t/bH -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/bob.pgp000064400000000000000000000022121046102023000167030ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 9994 DBF9 D34E 88E2 A21D 0CE8 E79C 9395 A100 4BB0 Comment: xjMEY+UatRYJKwYBBAHaRw8BAQdAQIdC7Mtji2y/IXhu8JCxu1G0qqYTgr49Bdj8 snAIEM/CwAsEHxYKAH0FgmPlGrUDCwkHCRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfsPeksAfAPVhH/VIOm+qqKQhb+Ol6Y rSvzNaz+X/cN1QMVCggCmwECHgEWIQSZlNv5006I4qIdDOjnnJOVoQBLsAAA9XoB AOFJ/Hme37cwnKjsHnZy6TKog6eioJgZaj7i3zbyL1doAQDHaNZWOx7K7H291qdB iWst2AewDHQHi0miAwVJHpdHCM0RPGJvYkBleGFtcGxlLm9yZz7CwA4EExYKAIAF gmPlGrUDCwkHCRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmdt8X/Zc0B2OTVni02l/x+NzKaDL5ip2Oc3THfZ4dj+TQMVCggC mQECmwECHgEWIQSZlNv5006I4qIdDOjnnJOVoQBLsAAAjzEBAJQ3TQFT10OMvCUE rgjIX9QGM5fEBH77+8xr8cbufcccAPkBreCKk2Hd795vErFTqdR6XT9RZZz1zj+B Ob65ARAUC84zBGPlGrUWCSsGAQQB2kcPAQEHQIKkccpl695oar8X+nTbafKYx0jc C69rGoDQBHxq95xPwsAABBgWCgByBYJj5Rq1CRDnnJOVoQBLsEcUAAAAAAAeACBz YWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeaLN8O3+fqOB7lMQVdoet5OQeN 8vwjDLmdu9yUg05+2QKbIBYhBJmU2/nTTojioh0M6Oeck5WhAEuwAAAkpwEA3YZl kq1APpNX7oBI6OWeqmdgkRwHTLNKLu9Ioed9FCIA/iKYZzvq/reL5i9/EOWsba73 g2k+fwmjm5slnRqT5yYA =Td4n -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/carol-priv.pgp000064400000000000000000000030741046102023000202260ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: E9C6 EFC0 E39C E6F9 DF52 74E7 E362 D45C 7FF7 B654 Comment: Comment: xVgEY+Ua1hYJKwYBBAHaRw8BAQdAY65xupenq6zarpL8+IP4ET8SMHNc2uB5lyRk SkP9o7MAAP96LHgnISslAvTOZmzOKS0ht2NaL6mTXhcJrbZPk/QM+A4qwsALBB8W CgB9BYJj5RrWAwsJBwkQ42LUXH/3tlRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JntxsJyG6tZauXoqu4wDrfT47CuTSEhcZGU50batT3ybUD FQoIApsBAh4BFiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAAPElAP41eTwyyOfcsuHT rFbj3HiWH0KlVONvhUHQMJwKYwzGzgD7BHMzoL1/nVJyaLvUe/REk7bBEloWyWMb HYB+CqT+Zw7NEDxjYXJvbEBjbHViLm9yZz7CwA4EExYKAIAFgmPlGtYDCwkHCRDj YtRcf/e2VEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcB Mlo76iLhVDgLJ277jEun5W2LaQAUV8oTStIxVQ22QAMVCggCmQECmwECHgEWIQTp xu/A45zm+d9SdOfjYtRcf/e2VAAAODUBAOVX3lR6yBsA17Io99wqBExrThnBZP+u hYplpK64E+JwAQDTid1PU54Go8KtN23T39ucl996t3VsIMRVFFqdqhC/Cc0RPGNh cm9sQHZlcmVpbi5kZT7CwAsEExYKAH0FgmPlGtYDCwkHCRDjYtRcf/e2VEcUAAAA AAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfPf6EmtFTrqcqACSnG Zh0/hfvNau9XtWDwMALA524ExAMVCggCmwECHgEWIQTpxu/A45zm+d9SdOfjYtRc f/e2VAAAUXwBAK/EgWyclBzKPzfBtfwphRtLzAEiHDsKXzNyLsreeotbAQDxc4Oq PIG0N71AIBdaQC/l8PRD6WpkyUWPHOhcU9ONAMdYBGPlGtYWCSsGAQQB2kcPAQEH QIO0pe9j/3u853twGgG1CVK3g9SytDdw/i94umEExMbcAAD+OqsXOsky+0KUALOK d0X6bXElePGMHjYUySwNNt4fkZ8OuMLAAAQYFgoAcgWCY+Ua1gkQ42LUXH/3tlRH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnlKNI5wDCnCTp jVDFKO5eSYqxhk0fCNg8Jk2dqnvukt8CmyAWIQTpxu/A45zm+d9SdOfjYtRcf/e2 VAAA1QUA/2EUWkTsVcQsFOs2jqnH5TYYk8dS8ytGEGT4CDnh3h7VAQDXfTW3rRDI MA0aKgKzAtabfE1TIfmq++9ok2NVY6VmCA== =9u3W -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/carol.pgp000064400000000000000000000027241046102023000172510ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: E9C6 EFC0 E39C E6F9 DF52 74E7 E362 D45C 7FF7 B654 Comment: Comment: xjMEY+Ua1hYJKwYBBAHaRw8BAQdAY65xupenq6zarpL8+IP4ET8SMHNc2uB5lyRk SkP9o7PCwAsEHxYKAH0FgmPlGtYDCwkHCRDjYtRcf/e2VEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcme3GwnIbq1lq5eiq7jAOt9PjsK5NISF xkZTnRtq1PfJtQMVCggCmwECHgEWIQTpxu/A45zm+d9SdOfjYtRcf/e2VAAA8SUA /jV5PDLI59yy4dOsVuPceJYfQqVU42+FQdAwnApjDMbOAPsEczOgvX+dUnJou9R7 9ESTtsESWhbJYxsdgH4KpP5nDs0QPGNhcm9sQGNsdWIub3JnPsLADgQTFgoAgAWC Y+Ua1gMLCQcJEONi1Fx/97ZURxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVv aWEtcGdwLm9yZwEyWjvqIuFUOAsnbvuMS6flbYtpABRXyhNK0jFVDbZAAxUKCAKZ AQKbAQIeARYhBOnG78DjnOb531J05+Ni1Fx/97ZUAAA4NQEA5VfeVHrIGwDXsij3 3CoETGtOGcFk/66FimWkrrgT4nABANOJ3U9Tngajwq03bdPf25yX33q3dWwgxFUU Wp2qEL8JzRE8Y2Fyb2xAdmVyZWluLmRlPsLACwQTFgoAfQWCY+Ua1gMLCQcJEONi 1Fx/97ZURxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ89/ oSa0VOupyoAJKcZmHT+F+81q71e1YPAwAsDnbgTEAxUKCAKbAQIeARYhBOnG78Dj nOb531J05+Ni1Fx/97ZUAABRfAEAr8SBbJyUHMo/N8G1/CmFG0vMASIcOwpfM3Iu yt56i1sBAPFzg6o8gbQ3vUAgF1pAL+Xw9EPpamTJRY8c6FxT040AzjMEY+Ua1hYJ KwYBBAHaRw8BAQdAg7Sl72P/e7zne3AaAbUJUreD1LK0N3D+L3i6YQTExtzCwAAE GBYKAHIFgmPlGtYJEONi1Fx/97ZURxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ5SjSOcAwpwk6Y1QxSjuXkmKsYZNHwjYPCZNnap77pLfApsg FiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAANUFAP9hFFpE7FXELBTrNo6px+U2GJPH UvMrRhBk+Ag54d4e1QEA1301t60QyDANGioCswLWm3xNUyH5qvvvaJNjVWOlZgg= =EKJk -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/david-priv.pgp000064400000000000000000000023671046102023000202210ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: A82B C944 220B D5EB ECC4 D428 83F7 4A0E AC20 7446 Comment: xVgEY+Ua5hYJKwYBBAHaRw8BAQdAXAh2K8fjAUO0OgzlDev4uNbX5BGK3Esw4/0J XI1JyzoAAQDkIRWTuiPoOD7sBdGWVpou8lTmj8QQ4a9Szkr2QgacrxBxwsALBB8W CgB9BYJj5RrmAwsJBwkQg/dKDqwgdEZHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnaQnCtjdzUum2zN5rDlJ5oAubbIlB22DQi9u3RCozk2ID FQoIApsBAh4BFiEEqCvJRCIL1evsxNQog/dKDqwgdEYAADcHAQC+pct6ehrApldr muFXouCHhgNJY/kluxb1Sm86nbOMBgD/WB1z2zyClo/ih/C4W2lID9/DyiES0Qxx HyTtnVKkBQjNEzxkYXZpZEBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGuYDCwkH CRCD90oOrCB0RkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmcpieSeQNbpWGyU3MABKsAQsYerarlIivPGeZEeWiaitQMVCggCmQECmwECHgEW IQSoK8lEIgvV6+zE1CiD90oOrCB0RgAAfyEBAJPHJI7fgqwKbNRNxQkX9MiB3cRF 3E/PUPzG5j5s9OPuAQClPa4DMSU+eq6R2eKhqRnvVXu0xhjq9X5YSCZNItgkD8dY BGPlGuYWCSsGAQQB2kcPAQEHQEcWx/3XYvqCV2gZckVmuswudsq9SJLCGxqOC39Q UpGlAAEA7hA6/QxuHZ+v0wWaXqoAiMJEGVjQbteS3HyfrOJgFFgPjMLAAAQYFgoA cgWCY+Ua5gkQg/dKDqwgdEZHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnXiZfmH9Jd4GM1HP00xfTTv6MYOlIEdNjDvq8wAM1GDkCmyAWIQSo K8lEIgvV6+zE1CiD90oOrCB0RgAAO8YA/1ZbLxcWywe3Jusa1qlXMOlg45BpYKwS wwDXOL2luG8SAPwK69yqLy9ScYsAEL4OhmDL7yM1Uilj6dqj5wf5J2c2Dw== =jWEy -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/david.pgp000064400000000000000000000022001046102023000172250ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY+Ua5hYJKwYBBAHaRw8BAQdAXAh2K8fjAUO0OgzlDev4uNbX5BGK3Esw4/0J XI1JyzrCwAsEHxYKAH0FgmPlGuYDCwkHCRCD90oOrCB0RkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdpCcK2N3NS6bbM3msOUnmgC5tsiUHb YNCL27dEKjOTYgMVCggCmwECHgEWIQSoK8lEIgvV6+zE1CiD90oOrCB0RgAANwcB AL6ly3p6GsCmV2ua4Vei4IeGA0lj+SW7FvVKbzqds4wGAP9YHXPbPIKWj+KH8Lhb aUgP38PKIRLRDHEfJO2dUqQFCM0TPGRhdmlkQGV4YW1wbGUub3JnPsLADgQTFgoA gAWCY+Ua5gMLCQcJEIP3Sg6sIHRGRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZymJ5J5A1ulYbJTcwAEqwBCxh6tquUiK88Z5kR5aJqK1AxUK CAKZAQKbAQIeARYhBKgryUQiC9Xr7MTUKIP3Sg6sIHRGAAB/IQEAk8ckjt+CrAps 1E3FCRf0yIHdxEXcT89Q/MbmPmz04+4BAKU9rgMxJT56rpHZ4qGpGe9Ve7TGGOr1 flhIJk0i2CQPzjMEY+Ua5hYJKwYBBAHaRw8BAQdARxbH/ddi+oJXaBlyRWa6zC52 yr1IksIbGo4Lf1BSkaXCwAAEGBYKAHIFgmPlGuYJEIP3Sg6sIHRGRxQAAAAAAB4A IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ14mX5h/SXeBjNRz9NMX007+ jGDpSBHTYw76vMADNRg5ApsgFiEEqCvJRCIL1evsxNQog/dKDqwgdEYAADvGAP9W Wy8XFssHtybrGtapVzDpYOOQaWCsEsMA1zi9pbhvEgD8Cuvcqi8vUnGLABC+DoZg y+8jNVIpY+nao+cH+SdnNg/OMwRj5RrWFgkrBgEEAdpHDwEBB0CDtKXvY/97vOd7 cBoBtQlSt4PUsrQ3cP4veLphBMTG3A== =qvwl -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/ed-priv.pgp000064400000000000000000000015771046102023000175240ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 0C34 6B2B 6241 263F 64E9 C7CF 1EA3 0079 7258 A74E Comment: xVgEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9GlRVnuTclWR3NJHksXjREY3cH JDyH1voAAQDORtejD38d+8iWdYv3M63QpoyPL/L3+TvN3SbXnUJphBK6wsARBB8W CgCDBYJj6KT0BYkFpI+9AwsJBwkQHqMAeXJYp05HFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3Jnh7+35183eD+a3pvIXkdz7DCCR2ISYaxyaHOD 3WtribIDFQoIApsBAh4BFiEEDDRrK2JBJj9k6cfPHqMAeXJYp04AAJ26AP4ovN3U DSrlm7jGTB+tf8JMdwgcQcUKgnoDBuMJvkLccwEAoRtHRXNH+sYHURU/jahToikJ Zfgzh8sf+uCiL5szGQrNEDxlZEBleGFtcGxlLm9yZz7CwBQEExYKAIYFgmPopPQF iQWkj70DCwkHCRAeowB5clinTkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmfyK5UQkGketo/v4NZTwsJ0zVJ3ELy8grkWl8XLxGytqAMVCggC mQECmwECHgEWIQQMNGsrYkEmP2Tpx88eowB5clinTgAAfqYA/R9/VwnlCaLf3t5I /xVwdg1Ts0YfyV03/A4o2hPFGcOtAP4j0mlIKP819VEtQOR0bGQJoefzbjRRpXPB muVIbumoDA== =rB7Y -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/ed.pgp000064400000000000000000000026351046102023000165420ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 0C34 6B2B 6241 263F 64E9 C7CF 1EA3 0079 7258 A74E Comment: xjMEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9GlRVnuTclWR3NJHksXjREY3cH JDyH1vrCwBEEHxYKAIMFgmPopPQFiQWkj70DCwkHCRAeowB5clinTkcUAAAAAAAe ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeHv7fnXzd4P5rem8heR3Ps MIJHYhJhrHJoc4Pda2uJsgMVCggCmwECHgEWIQQMNGsrYkEmP2Tpx88eowB5clin TgAAnboA/ii83dQNKuWbuMZMH61/wkx3CBxBxQqCegMG4wm+QtxzAQChG0dFc0f6 xgdRFT+NqFOiKQll+DOHyx/64KIvmzMZCs0QPGVkQGV4YW1wbGUub3JnPsLAFAQT FgoAhgWCY+ik9AWJBaSPvQMLCQcJEB6jAHlyWKdORxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZ/IrlRCQaR62j+/g1lPCwnTNUncQvLyCuRaX xcvEbK2oAxUKCAKZAQKbAQIeARYhBAw0aytiQSY/ZOnHzx6jAHlyWKdOAAB+pgD9 H39XCeUJot/e3kj/FXB2DVOzRh/JXTf8DijaE8UZw60A/iPSaUgo/zX1US1A5HRs ZAmh5/NuNFGlc8Ga5Uhu6agMzjMEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9G lRVnuTclWR3NJHksXjREY3cHJDyH1vrCwL8EGBYKATEFgmPopZYJEB6jAHlyWKdO RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2DwGaTs9JDD fiZEnYLt1gnn9Y1BPath3jMWJVieWnMiApsBvqAEGRYKAG8FgmPopZYJEB6jAHly WKdORxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZykmDJ78 rKWJ5keAV7xA/cXU/fILUT42Pl4hKER8n+dpFiEEDDRrK2JBJj9k6cfPHqMAeXJY p04AAFWuAQCgRxcn47GVYgjnCTtM2nR65cDP2tD8Asi17yTK9B4hQQD+NeIuSbjw nJZ20Lc775PN966+4yvmw0yIcqy78W6/qgYWIQQMNGsrYkEmP2Tpx88eowB5clin TgAAHtcA/1Z6hgFz6HduwMGO8pU1UdZOHN9tyof10as2/77QvadlAQCx5HBD+d5P NkOu/RHHPp5w26LRENwzmeWxF7/WwAulAw== =h26d -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/halfling-encryption.pgp000064400000000000000000000033151046102023000221220ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC 3W7Si6vCwAsEHxYKAH0FgmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdPYAQhUEP91O1VnH3HoKmNbyxdQj3b 9oC2B/UsIp4yAQMVCggCmwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAA/tEA /ArkGemMlBvohv/fimDmlg2zkt/Nw5oM2okjWJHphji4AP94j9uSMI3GAEoOLaxI kus5vG90Ud7/qVLpWj+9ychXCM0PPHJlZ2lzQHB1cC5jb20+wsALBBMWCgB9BYJj /y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnGsjX3qd44eMJYm2mbl8MwYPkxEXNI19YCMKg2sveytoDFQoIApsB Ah4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAEtPAQC/ah2Y+9ZEASbXJi+qU/+o vdDlZlLe6ebEhXSC+IbQBwEA9yls7wgOdo/Hd2ObuBZ4yVsYl3mWWiyaHEiBUWaj dAvNIkhhbGZsaW5nIDxlbmNyeXB0aW9uQGhhbGZsaW5nLm9yZz7CwAsEExYKAH0F gmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmcSil+Zw+IntviqsJbeZxDhvtQYNpnCz9ZFvRN21TFxdAMVCggC mwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAh0EA/0ByKwDxhH+/vv1M5RbO og3XIVwZHNcvMAgeP3xc8cv8AQCj8NuNWA69IqmIL6wA3fk2sA8+vsaPeiv5V663 p0FWDM4zBGP/LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4 VqDnXdVfPw6zwsAABBgWCgByBYJj/y4jCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmf9Zi+LJShZF85Q891p2IEzeanqA2l4 3XJl5/Rb/qRaIgKbIBYhBNWOBHwF0RXqTz0amKZ6czEnu+gEAAAgeQEA7Q8yHq28 RY3PAcSTDua7ggtz3G9DFcsE6fUQNWu47vYBAI+IYKsqLqQM6HKyNhQOAAxQy9mK eL+hrmAeQPam+e0MzjgEY/8uIxIKKwYBBAGXVQEFAQEHQCVvNNnL1FUU6TCMyUPF e1jUiulQT/zau/KV4KPofFYnAwEIB8LAAAQYFgoAcgWCY/8uIwkQpnpzMSe76ARH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnYZaiMhnJCms6 gTancmz+JeZeLV2cZ3S13gA1nOQMckICmwwWIQTVjgR8BdEV6k89GpimenMxJ7vo BAAAJsAA/AnJSCYRCloktWNPvfOUszKy4+R7CZ/IAIiCniCk/hIGAP9uf6mJIpnb /bIcfuDmUm5aWgAVUE+FpvNIjY9+mjoNAQ== =98QG -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/halfling-priv.pgp000064400000000000000000000057321046102023000207150ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: D58E 047C 05D1 15EA 4F3D 1A98 A67A 7331 27BB E804 Comment: Comment: Halfling Comment: Halfling xVgEY/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC 3W7Si6sAAQDpLGjeWahSE6psgYSmz7OTAisgRPTCas0HZDlHJrVZQw54wsALBB8W CgB9BYJj/y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnT2AEIVBD/dTtVZx9x6CpjW8sXUI92/aAtgf1LCKeMgED FQoIApsBAh4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAP7RAPwK5BnpjJQb6Ib/ 34pg5pYNs5LfzcOaDNqJI1iR6YY4uAD/eI/bkjCNxgBKDi2sSJLrObxvdFHe/6lS 6Vo/vcnIVwjNDzxyZWdpc0BwdXAuY29tPsLACwQTFgoAfQWCY/8uIwMLCQcJEKZ6 czEnu+gERxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZxrI 196neOHjCWJtpm5fDMGD5MRFzSNfWAjCoNrL3sraAxUKCAKbAQIeARYhBNWOBHwF 0RXqTz0amKZ6czEnu+gEAABLTwEAv2odmPvWRAEm1yYvqlP/qL3Q5WZS3unmxIV0 gviG0AcBAPcpbO8IDnaPx3djm7gWeMlbGJd5llosmhxIgVFmo3QLzSJIYWxmbGlu ZyA8ZW5jcnlwdGlvbkBoYWxmbGluZy5vcmc+wsALBBMWCgB9BYJj/y4jAwsJBwkQ pnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn EopfmcPiJ7b4qrCW3mcQ4b7UGDaZws/WRb0TdtUxcXQDFQoIApsBAh4BFiEE1Y4E fAXRFepPPRqYpnpzMSe76AQAAIdBAP9AcisA8YR/v779TOUWzqIN1yFcGRzXLzAI Hj98XPHL/AEAo/DbjVgOvSKpiC+sAN35NrAPPr7Gj3or+Veut6dBVgzNH0hhbGZs aW5nIDxzaWduaW5nQGhhbGZsaW5nLm9yZz7CwA4EExYKAIAFgmP/LiMDCwkHCRCm enMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmef WyvuawQMSACunre9VWwnwXCShhv05eNmAIx4hDt6CAMVCggCmQECmwECHgEWIQTV jgR8BdEV6k89GpimenMxJ7voBAAAUWIA/jFrXrOw4h6iOJovCvGD9zoJfyZWhCEt t7x/+6amswwgAP0fYkSVoKfBFYKaBjTYRKF3THLsNBeF5YiRQFqG4MknCMdYBGP/ LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4VqDnXdVfPw6z AAEA5teNruqH9A7+PSQEK3dXgr6Fr4ghOKYoNye4GEfhIuoPTcLAAAQYFgoAcgWC Y/8uIwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3Jn/WYviyUoWRfOUPPdadiBM3mp6gNpeN1yZef0W/6kWiICmyAWIQTVjgR8 BdEV6k89GpimenMxJ7voBAAAIHkBAO0PMh6tvEWNzwHEkw7mu4ILc9xvQxXLBOn1 EDVruO72AQCPiGCrKi6kDOhysjYUDgAMUMvZini/oa5gHkD2pvntDMdYBGP/LiMW CSsGAQQB2kcPAQEHQLwKdrFqa5xqwwWWc/XcOJ1lHWcafCeupBQYG9cKzh5MAAEA ro5+ebXHuOPjY/pujqygi0th6+Fol06kvQ7S6SVFW/0TD8LAvwQYFgoBMQWCY/8u IwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Au b3JnzfCsG7qn234cMZF4CFsc4ONjr3AJlHydRYL8Qy1bIs0CmwK+oAQZFgoAbwWC Y/8uIwkQ/1xlguTRS2hHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3JnQoH/CrlAhnFSborWNoHT9TYvuRiBNEDQEYxnNfAWUekWIQSdzaKpWhe3 KNalEV7/XGWC5NFLaAAAQbABAJWxv0yuD0OoNgdD1yJBjGdP+VbNkBppuH8kmFzs KQu2AP49z+hhBHCj6fw9IcFZUPoMH29Sn8ZQJ8uiPUK718fmCBYhBNWOBHwF0RXq Tz0amKZ6czEnu+gEAACFcAEA9/VC7suSJyisJ64qeBryGm9sX2KOm8F3BQlD1ck7 h2IA/i330B58jaJ8JOhaoLqIfNx5OaNx3CNlpkXakPoG+RoLx10EY/8uIxIKKwYB BAGXVQEFAQEHQCVvNNnL1FUU6TCMyUPFe1jUiulQT/zau/KV4KPofFYnAwEIBwAA /1rxV+ZmdBzBr1NKc5q54iqv5/XNCosvy3KIZ7hYswNYEcLCwAAEGBYKAHIFgmP/ LiMJEKZ6czEnu+gERxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdw Lm9yZ2GWojIZyQprOoE2p3Js/iXmXi1dnGd0td4ANZzkDHJCApsMFiEE1Y4EfAXR FepPPRqYpnpzMSe76AQAACbAAPwJyUgmEQpaJLVjT73zlLMysuPkewmfyACIgp4g pP4SBgD/bn+piSKZ2/2yHH7g5lJuWloAFVBPhabzSI2Pfpo6DQE= =GU9G -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/halfling-signing.pgp000064400000000000000000000037111046102023000213660ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC 3W7Si6vCwAsEHxYKAH0FgmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdPYAQhUEP91O1VnH3HoKmNbyxdQj3b 9oC2B/UsIp4yAQMVCggCmwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAA/tEA /ArkGemMlBvohv/fimDmlg2zkt/Nw5oM2okjWJHphji4AP94j9uSMI3GAEoOLaxI kus5vG90Ud7/qVLpWj+9ychXCM0PPHJlZ2lzQHB1cC5jb20+wsALBBMWCgB9BYJj /y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnGsjX3qd44eMJYm2mbl8MwYPkxEXNI19YCMKg2sveytoDFQoIApsB Ah4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAEtPAQC/ah2Y+9ZEASbXJi+qU/+o vdDlZlLe6ebEhXSC+IbQBwEA9yls7wgOdo/Hd2ObuBZ4yVsYl3mWWiyaHEiBUWaj dAvNH0hhbGZsaW5nIDxzaWduaW5nQGhhbGZsaW5nLm9yZz7CwA4EExYKAIAFgmP/ LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lh LXBncC5vcmefWyvuawQMSACunre9VWwnwXCShhv05eNmAIx4hDt6CAMVCggCmQEC mwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAUWIA/jFrXrOw4h6iOJovCvGD 9zoJfyZWhCEtt7x/+6amswwgAP0fYkSVoKfBFYKaBjTYRKF3THLsNBeF5YiRQFqG 4MknCM4zBGP/LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4 VqDnXdVfPw6zwsAABBgWCgByBYJj/y4jCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmf9Zi+LJShZF85Q891p2IEzeanqA2l4 3XJl5/Rb/qRaIgKbIBYhBNWOBHwF0RXqTz0amKZ6czEnu+gEAAAgeQEA7Q8yHq28 RY3PAcSTDua7ggtz3G9DFcsE6fUQNWu47vYBAI+IYKsqLqQM6HKyNhQOAAxQy9mK eL+hrmAeQPam+e0MzjMEY/8uIxYJKwYBBAHaRw8BAQdAvAp2sWprnGrDBZZz9dw4 nWUdZxp8J66kFBgb1wrOHkzCwL8EGBYKATEFgmP/LiMJEKZ6czEnu+gERxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ83wrBu6p9t+HDGReAhb HODjY69wCZR8nUWC/EMtWyLNApsCvqAEGRYKAG8FgmP/LiMJEP9cZYLk0UtoRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ0KB/wq5QIZxUm6K 1jaB0/U2L7kYgTRA0BGMZzXwFlHpFiEEnc2iqVoXtyjWpRFe/1xlguTRS2gAAEGw AQCVsb9Mrg9DqDYHQ9ciQYxnT/lWzZAaabh/JJhc7CkLtgD+Pc/oYQRwo+n8PSHB WVD6DB9vUp/GUCfLoj1Cu9fH5ggWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAhXAB APf1Qu7LkicorCeuKnga8hpvbF9ijpvBdwUJQ9XJO4diAP4t99AefI2ifCToWqC6 iHzceTmjcdwjZaZF2pD6BvkaCw== =RcKT -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/hans-puny-code-priv.pgp000064400000000000000000000030221046102023000217510ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: F667 5D0E 4DA4 0823 715C 4811 B894 91F0 7D08 E4F8 Comment: Hans xVgEY+oqshYJKwYBBAHaRw8BAQdAT3RaMo+Mm0kzj5kQhqNQWwHzsxsXFC10ZWBf tdIAKWMAAP9//c94gjDUS6nzSSxBTkqH7CQPZS5Lfh1x01ZYWkGmXg8twsALBB8W CgB9BYJj6iqyAwsJBwkQuJSR8H0I5PhHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnTonT+wh1nQ6+SGZM/3caxq3V5hflG/hX3IrX/Q/NR3YD FQoIApsBAh4BFiEE9mddDk2kCCNxXEgRuJSR8H0I5PgAAJ4xAP9y4me1jRRfxrnW 3jnV+jB7n6m3xxpn/Y0Tmh/EhZsrGwEAvrMBIyXycmSLB1giDnmeLi8U+z3cx5+x kRJGHi/cvAnNHUhhbnMgPGhhbnNAeG4tLWJjaGVyLWt2YS50bGQ+wsAOBBMWCgCA BYJj6iqyAwsJBwkQuJSR8H0I5PhHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3Jn6ABJrqKC61PG6PamtZM1YuRmoxFWwuBcEadTWjH6VYYDFQoI ApkBApsBAh4BFiEE9mddDk2kCCNxXEgRuJSR8H0I5PgAANV2AP47sc59UcqS0woi p3aqR9rhgQ0PlGR1dlKCved1ScfU4AD7BOlXuMdm9rkPHsMWUVv2zBWHsfOzU9Tr Vt6OsaTrpAjHWARj6iqyFgkrBgEEAdpHDwEBB0AZMvj3dmsZZS+1bL+WX6HDv+gN 8i+QyhyBjB0s8wUjkwAA/RFddhggq/2q9zpOfb0C/mhdZgBCPcZMNz/UbxVzzZuB DwrCwL8EGBYKATEFgmPqKrIJELiUkfB9COT4RxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZyuXD0xCb8liVrUy7F6WOBJOxfEELZY6ysI1tpUL Tb3YApsCvqAEGRYKAG8FgmPqKrIJENsfXxHBfLLURxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZw9UPiixBgUO/0gAwW41/f5qoJTwNSRxtQ3N 2gZw/PPMFiEEP2DqCuvBPikJOaCA2x9fEcF8stQAALtoAP9N9fc0d+mq59zflgdM QSljALYqug0xOECe15Z01FHuPAEAy2VMaBiv140AkT+AoUgFjT5UGbttbAGR5PaT z0f9ZQAWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAAOB0BAOE6N1BWh63R0bozConx 708Xahe/6434g1ypTKLKrPiaAP9qK8oK38FKpoSjL2tLRzDhqUvBsRYPvYZ070tV sKPqCw== =Patr -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/hans-puny-code.pgp000064400000000000000000000026521046102023000210030ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: F667 5D0E 4DA4 0823 715C 4811 B894 91F0 7D08 E4F8 Comment: Hans xjMEY+oqshYJKwYBBAHaRw8BAQdAT3RaMo+Mm0kzj5kQhqNQWwHzsxsXFC10ZWBf tdIAKWPCwAsEHxYKAH0FgmPqKrIDCwkHCRC4lJHwfQjk+EcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdOidP7CHWdDr5IZkz/dxrGrdXmF+Ub +Ffcitf9D81HdgMVCggCmwECHgEWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAAnjEA /3LiZ7WNFF/GudbeOdX6MHufqbfHGmf9jROaH8SFmysbAQC+swEjJfJyZIsHWCIO eZ4uLxT7PdzHn7GREkYeL9y8Cc0dSGFucyA8aGFuc0B4bi0tYmNoZXIta3ZhLnRs ZD7CwA4EExYKAIAFgmPqKrIDCwkHCRC4lJHwfQjk+EcUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmfoAEmuooLrU8bo9qa1kzVi5GajEVbC4FwR p1NaMfpVhgMVCggCmQECmwECHgEWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAA1XYA /juxzn1RypLTCiKndqpH2uGBDQ+UZHV2UoK953VJx9TgAPsE6Ve4x2b2uQ8ewxZR W/bMFYex87NT1OtW3o6xpOukCM4zBGPqKrIWCSsGAQQB2kcPAQEHQBky+Pd2axll L7Vsv5ZfocO/6A3yL5DKHIGMHSzzBSOTwsC/BBgWCgExBYJj6iqyCRC4lJHwfQjk +EcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcrlw9MQm/J Yla1MuxeljgSTsXxBC2WOsrCNbaVC0292AKbAr6gBBkWCgBvBYJj6iqyCRDbH18R wXyy1EcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcPVD4o sQYFDv9IAMFuNf3+aqCU8DUkcbUNzdoGcPzzzBYhBD9g6grrwT4pCTmggNsfXxHB fLLUAAC7aAD/TfX3NHfpqufc35YHTEEpYwC2KroNMThAnteWdNRR7jwBAMtlTGgY r9eNAJE/gKFIBY0+VBm7bWwBkeT2k89H/WUAFiEE9mddDk2kCCNxXEgRuJSR8H0I 5PgAADgdAQDhOjdQVoet0dG6MwqJ8e9PF2oXv+uN+INcqUyiyqz4mgD/aivKCt/B SqaEoy9rS0cw4alLwbEWD72GdO9LVbCj6gs= =zJtz -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/steve-priv.pgp000064400000000000000000000030221046102023000202450ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 217E 256E 1767 19A5 452E DFF9 35AA DEC6 6B56 585B Comment: Steve xVgEY+oyohYJKwYBBAHaRw8BAQdAvt5KOKjBeor71rpom6N/6+TbHhXDIa7qQ0Ht zQneFeQAAQDAzUbk5663nYv1gGFw2L4lix8PKG/VAlTJ60U+WuOSPhDswsALBB8W CgB9BYJj6jKiAwsJBwkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnB5GN1ytb4OBEuWTGbe6YLQERrMyH25xx+ROabT1IlpMD FQoIApsBAh4BFiEEIX4lbhdnGaVFLt/5NarexmtWWFsAAD1FAQC3lqYfMNO+16bQ kczC9nFpKXR0w31T0Y5gcTTUFEPf5wEAsE3qZgUSk5jbAKdApQjae/L7Fg/n3rBT oxcJobSEIQDNHVN0ZXZlIDxzdGV2ZUBzdWIuY29tcGFueS5jb20+wsAOBBMWCgCA BYJj6jKiAwsJBwkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3JnpHmJbxKKXD9L7rb6Nm4QO7MAwEL9tAij4pRJ5nLW3RoDFQoI ApkBApsBAh4BFiEEIX4lbhdnGaVFLt/5NarexmtWWFsAACRKAQComL8m5O1VFzkQ ppd3FiNZ55JFriChzKE4l/PDJtFWKwD+K1v/rPt8xoluiXkcCzCwy5bVTcxhAGD3 yG/kFty8Gw7HWARj6jKiFgkrBgEEAdpHDwEBB0CUDl/MXB9n4zhULNYtn4AvcLYJ p7VEwrrO4SEWTg3SQwABAMUq0/p6feCGZGQBviCqhhOCIn6HIs9NjnDev5dwBn8r Dz3CwL8EGBYKATEFgmPqMqIJEDWq3sZrVlhbRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZyBzXATYY9Bisl9qX3bybDnuHdvr2i0LuDdkCyeH WAjlApsCvqAEGRYKAG8FgmPqMqIJELWWtlb9j3ALRxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZ3ctrGVdHZWTXgkQgDuARO7gqTuwb/rNDolL avWFIE3cFiEEMsWCBUAwh1K3CS7ltZa2Vv2PcAsAAL/oAQDdllWylqthNy+e5OYl 4mr1GWUSOCfDlFaH146drBGyPAEArRTopl2w0KiDbo92kfrx+y3L4cLSK85byPOL swX4eAsWIQQhfiVuF2cZpUUu3/k1qt7Ga1ZYWwAAw3oBAMVzhKa/ZmUQmNX8zk6v GK0vbOw47hPaVRCG1RRrSGrwAQC5Tteh+McKoFQzKea/CreuPbaqDaMfEUarKO1b E0wPCA== =M99G -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/steve.pgp000064400000000000000000000026521046102023000172770ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 217E 256E 1767 19A5 452E DFF9 35AA DEC6 6B56 585B Comment: Steve xjMEY+oyohYJKwYBBAHaRw8BAQdAvt5KOKjBeor71rpom6N/6+TbHhXDIa7qQ0Ht zQneFeTCwAsEHxYKAH0FgmPqMqIDCwkHCRA1qt7Ga1ZYW0cUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcHkY3XK1vg4ES5ZMZt7pgtARGszIfb nHH5E5ptPUiWkwMVCggCmwECHgEWIQQhfiVuF2cZpUUu3/k1qt7Ga1ZYWwAAPUUB ALeWph8w077XptCRzML2cWkpdHTDfVPRjmBxNNQUQ9/nAQCwTepmBRKTmNsAp0Cl CNp78vsWD+fesFOjFwmhtIQhAM0dU3RldmUgPHN0ZXZlQHN1Yi5jb21wYW55LmNv bT7CwA4EExYKAIAFgmPqMqIDCwkHCRA1qt7Ga1ZYW0cUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmekeYlvEopcP0vutvo2bhA7swDAQv20CKPi lEnmctbdGgMVCggCmQECmwECHgEWIQQhfiVuF2cZpUUu3/k1qt7Ga1ZYWwAAJEoB AKiYvybk7VUXORCml3cWI1nnkkWuIKHMoTiX88Mm0VYrAP4rW/+s+3zGiW6JeRwL MLDLltVNzGEAYPfIb+QW3LwbDs4zBGPqMqIWCSsGAQQB2kcPAQEHQJQOX8xcH2fj OFQs1i2fgC9wtgmntUTCus7hIRZODdJDwsC/BBgWCgExBYJj6jKiCRA1qt7Ga1ZY W0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcgc1wE2GPQ YrJfal928mw57h3b69otC7g3ZAsnh1gI5QKbAr6gBBkWCgBvBYJj6jKiCRC1lrZW /Y9wC0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmd3Laxl XR2Vk14JEIA7gETu4Kk7sG/6zQ6JS2r1hSBN3BYhBDLFggVAMIdStwku5bWWtlb9 j3ALAAC/6AEA3ZZVsparYTcvnuTmJeJq9RllEjgnw5RWh9eOnawRsjwBAK0U6KZd sNCog26PdpH68fsty+HC0ivOW8jzi7MF+HgLFiEEIX4lbhdnGaVFLt/5NarexmtW WFsAAMN6AQDFc4Smv2ZlEJjV/M5OrxitL2zsOO4T2lUQhtUUa0hq8AEAuU7XofjH CqBUMynmvwq3rj22qg2jHxFGqyjtWxNMDwg= =ueVE -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/una-priv.pgp000064400000000000000000000027751046102023000177200ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 119B 0146 0659 D8EF 3732 BEC2 7142 4ADE 3EC6 1BBC Comment: Una xVgEY+oykhYJKwYBBAHaRw8BAQdAkHZelZnKgyDf93+x3dEjxFGvfNZ2mzWxh4MM mp+V4YAAAP9c7yFPEUEo8s17G0UvwGdnR5dP7cARfMk9oOXvNpTv4REGwsALBB8W CgB9BYJj6jKSAwsJBwkQcUJK3j7GG7xHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnNkxF9jqWQFtCThu+2My8F4VNsMqIowBzbnMTtzLVFJUD FQoIApsBAh4BFiEEEZsBRgZZ2O83Mr7CcUJK3j7GG7wAAAiYAP0c90sDWGs5jsBv 03H5UkLZvw2uvMrKJd47pT3aloXpOQD8C1vt7PTgkzdr79G8h6nRhpg/FNrW/+pX Cq7qjUZ+/gnNFVVuYSA8dW5hQGNvbXBhbnkuY29tPsLADgQTFgoAgAWCY+oykgML CQcJEHFCSt4+xhu8RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdw Lm9yZ/PoQvY1cIKPZjLqb3HWViJXtrONf9GXxSMIr3z8o4kCAxUKCAKZAQKbAQIe ARYhBBGbAUYGWdjvNzK+wnFCSt4+xhu8AACMJQD+IkXutGYCxJMqwrbD18polWLx IhojofUTcwg9Qlmz3UUBAIP8bKENVhOCwA0hT/3GmOvMRSjosyNhiAMtPd09OIAC x1gEY+oykhYJKwYBBAHaRw8BAQdAINC4y2VLb5XeTxBjK7Pf/53xUXl0OJe/87tE ixluoMoAAQDhNvenwXoaY+Fw2iw1taVy5cZZ2ke/0crBn6RXMSUAnBGSwsC/BBgW CgExBYJj6jKSCRBxQkrePsYbvEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmcMvtVQROXLGIVC8DAhtcW6jbmlokmR9MMngd58P2KuVgKbAr6g BBkWCgBvBYJj6jKSCRDQvkR785tDn0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5z ZXF1b2lhLXBncC5vcmdCjEo62Cqb/N5XxGb1Tdnu225hTSuRiwXz3ss1+N7YwhYh BO5Ywy49IzbyI72JztC+RHvzm0OfAACnMwEAmPaEWKPd3hpJqdAph8KAdRYeVwhm rCwAi8NaE917S4sA/AzyJubT/4Sp/vK+SPa+d/VTNEApS1TRf9SQbkAjp40HFiEE EZsBRgZZ2O83Mr7CcUJK3j7GG7wAADLCAQC2h/atUVO/QhD6sg8uGFMj68/+QBy1 Qg/7f9TezlE2KgD+K6YyFlIZVuScF9xKkKGiQpxBiekcDoVdGev0jxE86QY= =UR1a -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.5.0/tests/data/una.pgp000064400000000000000000000026261046102023000167350ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 119B 0146 0659 D8EF 3732 BEC2 7142 4ADE 3EC6 1BBC Comment: Una xjMEY+oykhYJKwYBBAHaRw8BAQdAkHZelZnKgyDf93+x3dEjxFGvfNZ2mzWxh4MM mp+V4YDCwAsEHxYKAH0FgmPqMpIDCwkHCRBxQkrePsYbvEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmc2TEX2OpZAW0JOG77YzLwXhU2wyoij AHNucxO3MtUUlQMVCggCmwECHgEWIQQRmwFGBlnY7zcyvsJxQkrePsYbvAAACJgA /Rz3SwNYazmOwG/TcflSQtm/Da68ysol3julPdqWhek5APwLW+3s9OCTN2vv0byH qdGGmD8U2tb/6lcKruqNRn7+Cc0VVW5hIDx1bmFAY29tcGFueS5jb20+wsAOBBMW CgCABYJj6jKSAwsJBwkQcUJK3j7GG7xHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jn8+hC9jVwgo9mMupvcdZWIle2s41/0ZfFIwivfPyjiQID FQoIApkBApsBAh4BFiEEEZsBRgZZ2O83Mr7CcUJK3j7GG7wAAIwlAP4iRe60ZgLE kyrCtsPXymiVYvEiGiOh9RNzCD1CWbPdRQEAg/xsoQ1WE4LADSFP/caY68xFKOiz I2GIAy093T04gALOMwRj6jKSFgkrBgEEAdpHDwEBB0Ag0LjLZUtvld5PEGMrs9// nfFReXQ4l7/zu0SLGW6gysLAvwQYFgoBMQWCY+oykgkQcUJK3j7GG7xHFAAAAAAA HgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnDL7VUETlyxiFQvAwIbXF uo25paJJkfTDJ4HefD9irlYCmwK+oAQZFgoAbwWCY+oykgkQ0L5Ee/ObQ59HFAAA AAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnQoxKOtgqm/zeV8Rm 9U3Z7ttuYU0rkYsF897LNfje2MIWIQTuWMMuPSM28iO9ic7QvkR785tDnwAApzMB AJj2hFij3d4aSanQKYfCgHUWHlcIZqwsAIvDWhPde0uLAPwM8ibm0/+Eqf7yvkj2 vnf1UzRAKUtU0X/UkG5AI6eNBxYhBBGbAUYGWdjvNzK+wnFCSt4+xhu8AAAywgEA tof2rVFTv0IQ+rIPLhhTI+vP/kActUIP+3/U3s5RNioA/iumMhZSGVbknBfcSpCh okKcQYnpHA6FXRnr9I8RPOkG =TWWI -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/keyring.pgp000064400000000000000000000414531046102023000167120ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY+UZ6hYJKwYBBAHaRw8BAQdApx8xAVNjcUkGW31wZ6Q9vu3nyxJWtXmHZv3s fNltYBDCwAsEHxYKAH0FgmPlGeoDCwkHCRC/vmNWe0ulekcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcme9rgUlsnHHuwrtfd2EWrbA29xmwV6N vsZDeULxUsBiCgMVCggCmwECHgEWIQQwUFvOt0A6G7+p2/C/vmNWe0ulegAA/lwB APTrUH6BDeMQ6nDpD/COcOjO5iwbMscEVYQVWL8hsi0vAP9NYg+qLy76uDqLODkX JYpQqY4zhpAnVV/X3vCydLijBs0TPGFsaWNlQGJlaXNwaWVsLmRlPsLACwQTFgoA fQWCY+UZ6gMLCQcJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ0f5M8r0uBamA92Z0p1q4caxieaapQuCMVqgqDWAK6w3AxUK CAKbAQIeARYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAB5gQEAtCic8WqvtpugWmDR clgM/ztiP+nal1Cv8SyZ+roH7esA/RW5mNKPeMZB2EA1ARqPOC36M+IF0eJdjKDU QvdtgnwJzRM8YWxpY2VAZXhhbXBsZS5vcmc+wsAOBBMWCgCABYJj5RnqAwsJBwkQ v75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn pVeRzvZxTuL1huNkAT/20pRNaWuSN7NDhE0yMIAWNbkDFQoIApkBApsBAh4BFiEE MFBbzrdAOhu/qdvwv75jVntLpXoAALSzAQCNyXm6dygckmrdMMV312PGht+3+wbV 9F8NmQJudINJoQD9GNzhDV4yDPVwzxbbCq9t2B2UVWvuTNOR2uwpRo31mgjOMwRj 5RnqFgkrBgEEAdpHDwEBB0DteHvrw/QQtYpWFruO+Wt/3o3psrz4hIEVJYHBB5Mt qcLAvwQYFgoBMQWCY+UZ6gkQv75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlv bnMuc2VxdW9pYS1wZ3Aub3JnbWGENdV5TVi7/YMYaE2HrevS4fF++xzlgacwHbSQ Zl8CmwK+oAQZFgoAbwWCY+UZ6gkQ1aUEinHNASpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnUJTRc7iJwlc1GypedRwmGmRXU7Niza0IfC/a v9aMAFoWIQRmLwP8R8BdBwtTqTrVpQSKcc0BKgAAy4wA/0FMn0RrBD9oVgwaRaQr VHRnz+gNY3ikJ/vV8PQ7cWykAP90eA1k/drUFSocQAmGdH8KJyhEtzvy6F1DZQIq KZN6BxYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAAKQwD9GiXaScnUwHHGtJNz10m5 HrChrehc0V9hX2lWLBd+OD4BAOd1oCNAT9SWl2FZbkcP3vNdArOllNZn8fPnrPPS IzIPzjMEY+UZ6hYJKwYBBAHaRw8BAQdA+bpGKHr8dl78JVh0xVwMAjmp+cZcJ30h jjENc38b2TfCwAAEGBYKAHIFgmPlGeoJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+lcv7W/p/NapcQEogXqYyBZMz8ravDh Jf05LAAF5taFApsgFiEEMFBbzrdAOhu/qdvwv75jVntLpXoAABJ9AQCWbnMz/xaO EjnPVOGDL+zL24fn0p0hsaeoqg3vi5fWxwD8CLVImAhutMIo5RVprJMPtvB/HYoh bEzKhGfPnjDGjALOOARj5RnqEgorBgEEAZdVAQUBAQdAZnn93nJMi4jDuZCRv4ap wCIdKrm/NZbCy0wnDX7MEwgDAQgHwsAABBgWCgByBYJj5RnqCRC/vmNWe0ulekcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfL4elySS0xYJY3 2uEDaiMMIQcWiF1wAv86plUMjgDt1AKbDBYhBDBQW863QDobv6nb8L++Y1Z7S6V6 AAAB/AEAjnuFF2rrJvodAuIfXN3hW4q+oLCkc+82C2eLI3yJYrABAJIfIBVfQ/eD wiliv2Qatxo4mVkEvuUZpzJaeo7lfysAxjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlp ai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6pram3vPCwAsEHxYKAH0FgmPlGhsDCwkH CRB+cW/+d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdxUEETzwaTQoyKKOfr4PZgTCdQd4z/ODS8AsjAOXZGtAMVCggCmwECHgEWIQQj z+SdS7egqoNhnBR+cW/+d98XCgAA4yUA/0P9kPooU7x3VMEqLae8pKab9HBfppU8 MRVLS4+72Iy3AP9CFXNKwPrDNx3zRSVr0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFs aWNlQGV4YW1wbGUub3JnPsLADgQTFgoAgAWCY+UaGwMLCQcJEH5xb/533xcKRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1 PYwhMDfoYgFwF+pd51kBtHs/meouAxUKCAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2Gc FH5xb/533xcKAACpjQEAshMOpiGc3d0tmUrfJusiaK9DzcNvXvOz8VoMFTyszswA +wQ+LwG0gOHeyByyOfrTS3SGUSzO94ccVCCgye5hzeMEzRE8YWxpY2VAdmVyZWlu LmRlPsLACwQTFgoAfQWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZyQm3s5x1vVKZC4DrB5FjOd/huKii45j n6v8VKC2k9z7AxUKCAKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA 9Ar+/KwYtDCM3R1kPZYgs+XNu3uqfpUZz2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzl PDCfewQ8hcmKHON+xTK6TYUNxjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN 9Sewy6RIwvaHi2OEIDB7fQr6pram3vPCwAsEHxYKAH0FgmPlGhsDCwkHCRB+cW/+ d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdxUEET zwaTQoyKKOfr4PZgTCdQd4z/ODS8AsjAOXZGtAMVCggCmwECHgEWIQQjz+SdS7eg qoNhnBR+cW/+d98XCgAA4yUA/0P9kPooU7x3VMEqLae8pKab9HBfppU8MRVLS4+7 2Iy3AP9CFXNKwPrDNx3zRSVr0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFsaWNlQGV4 YW1wbGUub3JnPsLADgQTFgoAgAWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4A IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1PYwhMDfo YgFwF+pd51kBtHs/meouAxUKCAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/53 3xcKAACpjQEAshMOpiGc3d0tmUrfJusiaK9DzcNvXvOz8VoMFTyszswA+wQ+LwG0 gOHeyByyOfrTS3SGUSzO94ccVCCgye5hzeMEzRE8YWxpY2VAdmVyZWluLmRlPsLA CwQTFgoAfQWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZyQm3s5x1vVKZC4DrB5FjOd/huKii45jn6v8VKC2 k9z7AxUKCAKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA9Ar+/KwY tDCM3R1kPZYgs+XNu3uqfpUZz2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzlPDCfewQ8 hcmKHON+xTK6TYUNzjMEY+UZ6hYJKwYBBAHaRw8BAQdA7Xh768P0ELWKVha7jvlr f96N6bK8+ISBFSWBwQeTLanCwL8EGBYKATEFgmPlGoAJEH5xb/533xcKRxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6jKFT9D3TotuXf6nPLn k+Y7fWhd95cY0roDW3BEOGuMApsCvqAEGRYKAG8FgmPlGrwJENWlBIpxzQEqRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ0aATZPHvO827KrI Hm+uCgWSM5fV507JC5peoBZrUZ+sFiEEZi8D/EfAXQcLU6k61aUEinHNASoAALtK AP9CQ70prkjoo4bz1zMvINIV9DI4mpn4lTU65OT9T3Jy3wD8Dc0ddirxKJHqifpG 2bJfU9alajDH0dv3RRIzD3OmrQoWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAAHSUA /jmW7hAY8xgXrVD/Aj3qsnJA1mUAntHQjcOgQafSVHALAQCslWSDUEOMUVxGkq/4 98hF13iwJLcHgckPa6u+WzExAs44BGPlGeoSCisGAQQBl1UBBQEBB0Bmef3eckyL iMO5kJG/hqnAIh0qub81lsLLTCcNfswTCAMBCAfCwAAEGBYKAHIFgmPlGoAJEH5x b/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZzKM 37EwuBHlB0dJ4Ljo9MIUDIEaVEFyJ+l+659sYwQsApsMFiEEI8/knUu3oKqDYZwU fnFv/nffFwoAANJrAP0aUjgxFCD789m2w0nAry0SA5JlLjuxWOJ42ziWEYAYUgEA zJwWRDgabsLC7VZ+v+TZ7wEh0JhGk6dX2lbH0v1apwHGMwRj5Rq1FgkrBgEEAdpH DwEBB0BAh0Lsy2OLbL8heG7wkLG7UbSqphOCvj0F2PyycAgQz8LACwQfFgoAfQWC Y+UatQMLCQcJEOeck5WhAEuwRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVv aWEtcGdwLm9yZ+w96SwB8A9WEf9Ug6b6qopCFv46XpitK/M1rP5f9w3VAxUKCAKb AQIeARYhBJmU2/nTTojioh0M6Oeck5WhAEuwAAD1egEA4Un8eZ7ftzCcqOwednLp MqiDp6KgmBlqPuLfNvIvV2gBAMdo1lY7Hsrsfb3Wp0GJay3YB7AMdAeLSaIDBUke l0cIzRE8Ym9iQGV4YW1wbGUub3JnPsLADgQTFgoAgAWCY+UatQMLCQcJEOeck5Wh AEuwRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ23xf9lz QHY5NWeLTaX/H43MpoMvmKnY5zdMd9nh2P5NAxUKCAKZAQKbAQIeARYhBJmU2/nT Tojioh0M6Oeck5WhAEuwAACPMQEAlDdNAVPXQ4y8JQSuCMhf1AYzl8QEfvv7zGvx xu59xxwA+QGt4IqTYd3v3m8SsVOp1HpdP1FlnPXOP4E5vrkBEBQLzjMEY+UatRYJ KwYBBAHaRw8BAQdAgqRxymXr3mhqvxf6dNtp8pjHSNwLr2sagNAEfGr3nE/CwAAE GBYKAHIFgmPlGrUJEOeck5WhAEuwRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ5os3w7f5+o4HuUxBV2h63k5B43y/CMMuZ273JSDTn7ZApsg FiEEmZTb+dNOiOKiHQzo55yTlaEAS7AAACSnAQDdhmWSrUA+k1fugEjo5Z6qZ2CR HAdMs0ou70ih530UIgD+IphnO+r+t4vmL38Q5axtrveDaT5/CaObmyWdGpPnJgDG MwRj5RrWFgkrBgEEAdpHDwEBB0BjrnG6l6errNqukvz4g/gRPxIwc1za4HmXJGRK Q/2js8LACwQfFgoAfQWCY+Ua1gMLCQcJEONi1Fx/97ZURxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ7cbCchurWWrl6KruMA630+Owrk0hIXG RlOdG2rU98m1AxUKCAKbAQIeARYhBOnG78DjnOb531J05+Ni1Fx/97ZUAADxJQD+ NXk8Msjn3LLh06xW49x4lh9CpVTjb4VB0DCcCmMMxs4A+wRzM6C9f51Scmi71Hv0 RJO2wRJaFsljGx2Afgqk/mcOzRA8Y2Fyb2xAY2x1Yi5vcmc+wsAOBBMWCgCABYJj 5RrWAwsJBwkQ42LUXH/3tlRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnATJaO+oi4VQ4Cydu+4xLp+Vti2kAFFfKE0rSMVUNtkADFQoIApkB ApsBAh4BFiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAADg1AQDlV95UesgbANeyKPfc KgRMa04ZwWT/roWKZaSuuBPicAEA04ndT1OeBqPCrTdt09/bnJfferd1bCDEVRRa naoQvwnNETxjYXJvbEB2ZXJlaW4uZGU+wsALBBMWCgB9BYJj5RrWAwsJBwkQ42LU XH/3tlRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnz3+h JrRU66nKgAkpxmYdP4X7zWrvV7Vg8DACwOduBMQDFQoIApsBAh4BFiEE6cbvwOOc 5vnfUnTn42LUXH/3tlQAAFF8AQCvxIFsnJQcyj83wbX8KYUbS8wBIhw7Cl8zci7K 3nqLWwEA8XODqjyBtDe9QCAXWkAv5fD0Q+lqZMlFjxzoXFPTjQDOMwRj5RrWFgkr BgEEAdpHDwEBB0CDtKXvY/97vOd7cBoBtQlSt4PUsrQ3cP4veLphBMTG3MLAAAQY FgoAcgWCY+Ua1gkQ42LUXH/3tlRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3JnlKNI5wDCnCTpjVDFKO5eSYqxhk0fCNg8Jk2dqnvukt8CmyAW IQTpxu/A45zm+d9SdOfjYtRcf/e2VAAA1QUA/2EUWkTsVcQsFOs2jqnH5TYYk8dS 8ytGEGT4CDnh3h7VAQDXfTW3rRDIMA0aKgKzAtabfE1TIfmq++9ok2NVY6VmCMYz BGPlGuYWCSsGAQQB2kcPAQEHQFwIdivH4wFDtDoM5Q3r+LjW1+QRitxLMOP9CVyN Scs6wsALBB8WCgB9BYJj5RrmAwsJBwkQg/dKDqwgdEZHFAAAAAAAHgAgc2FsdEBu b3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaQnCtjdzUum2zN5rDlJ5oAubbIlB22DQ i9u3RCozk2IDFQoIApsBAh4BFiEEqCvJRCIL1evsxNQog/dKDqwgdEYAADcHAQC+ pct6ehrApldrmuFXouCHhgNJY/kluxb1Sm86nbOMBgD/WB1z2zyClo/ih/C4W2lI D9/DyiES0QxxHyTtnVKkBQjNEzxkYXZpZEBleGFtcGxlLm9yZz7CwA4EExYKAIAF gmPlGuYDCwkHCRCD90oOrCB0RkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmcpieSeQNbpWGyU3MABKsAQsYerarlIivPGeZEeWiaitQMVCggC mQECmwECHgEWIQSoK8lEIgvV6+zE1CiD90oOrCB0RgAAfyEBAJPHJI7fgqwKbNRN xQkX9MiB3cRF3E/PUPzG5j5s9OPuAQClPa4DMSU+eq6R2eKhqRnvVXu0xhjq9X5Y SCZNItgkD84zBGPlGuYWCSsGAQQB2kcPAQEHQEcWx/3XYvqCV2gZckVmuswudsq9 SJLCGxqOC39QUpGlwsAABBgWCgByBYJj5RrmCRCD90oOrCB0RkcUAAAAAAAeACBz YWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdeJl+Yf0l3gYzUc/TTF9NO/oxg 6UgR02MO+rzAAzUYOQKbIBYhBKgryUQiC9Xr7MTUKIP3Sg6sIHRGAAA7xgD/Vlsv FxbLB7cm6xrWqVcw6WDjkGlgrBLDANc4vaW4bxIA/Arr3KovL1JxiwAQvg6GYMvv IzVSKWPp2qPnB/knZzYPzjMEY+Ua1hYJKwYBBAHaRw8BAQdAg7Sl72P/e7zne3Aa AbUJUreD1LK0N3D+L3i6YQTExtzGMwRj6KT0FgkrBgEEAdpHDwEBB0A5st9xFSZG L0aVFWe5NyVZHc0keSxeNERjdwckPIfW+sLAEQQfFgoAgwWCY+ik9AWJBaSPvQML CQcJEB6jAHlyWKdORxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdw Lm9yZ4e/t+dfN3g/mt6byF5Hc+wwgkdiEmGscmhzg91ra4myAxUKCAKbAQIeARYh BAw0aytiQSY/ZOnHzx6jAHlyWKdOAACdugD+KLzd1A0q5Zu4xkwfrX/CTHcIHEHF CoJ6AwbjCb5C3HMBAKEbR0VzR/rGB1EVP42oU6IpCWX4M4fLH/rgoi+bMxkKzRA8 ZWRAZXhhbXBsZS5vcmc+wsAUBBMWCgCGBYJj6KT0BYkFpI+9AwsJBwkQHqMAeXJY p05HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn8iuVEJBp HraP7+DWU8LCdM1SdxC8vIK5FpfFy8RsragDFQoIApkBApsBAh4BFiEEDDRrK2JB Jj9k6cfPHqMAeXJYp04AAH6mAP0ff1cJ5Qmi397eSP8VcHYNU7NGH8ldN/wOKNoT xRnDrQD+I9JpSCj/NfVRLUDkdGxkCaHn8240UaVzwZrlSG7pqAzOMwRj6KT0Fgkr BgEEAdpHDwEBB0A5st9xFSZGL0aVFWe5NyVZHc0keSxeNERjdwckPIfW+sLAvwQY FgoBMQWCY+illgkQHqMAeXJYp05HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3JnYPAZpOz0kMN+JkSdgu3WCef1jUE9q2HeMxYlWJ5acyICmwG+ oAQZFgoAbwWCY+illgkQHqMAeXJYp05HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnKSYMnvyspYnmR4BXvED9xdT98gtRPjY+XiEoRHyf52kW IQQMNGsrYkEmP2Tpx88eowB5clinTgAAVa4BAKBHFyfjsZViCOcJO0zadHrlwM/a 0PwCyLXvJMr0HiFBAP414i5JuPCclnbQtzvvk833rr7jK+bDTIhyrLvxbr+qBhYh BAw0aytiQSY/ZOnHzx6jAHlyWKdOAAAe1wD/VnqGAXPod27AwY7ylTVR1k4c323K h/XRqzb/vtC9p2UBALHkcEP53k82Q679Ecc+nnDbotEQ3DOZ5bEXv9bAC6UDxjME Y/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC3W7S i6vCwAsEHxYKAH0FgmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmdPYAQhUEP91O1VnH3HoKmNbyxdQj3b9oC2 B/UsIp4yAQMVCggCmwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAA/tEA/Ark GemMlBvohv/fimDmlg2zkt/Nw5oM2okjWJHphji4AP94j9uSMI3GAEoOLaxIkus5 vG90Ud7/qVLpWj+9ychXCM0PPHJlZ2lzQHB1cC5jb20+wsALBBMWCgB9BYJj/y4j AwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3JnGsjX3qd44eMJYm2mbl8MwYPkxEXNI19YCMKg2sveytoDFQoIApsBAh4B FiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAEtPAQC/ah2Y+9ZEASbXJi+qU/+ovdDl ZlLe6ebEhXSC+IbQBwEA9yls7wgOdo/Hd2ObuBZ4yVsYl3mWWiyaHEiBUWajdAvN H0hhbGZsaW5nIDxzaWduaW5nQGhhbGZsaW5nLm9yZz7CwA4EExYKAIAFgmP/LiMD CwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBn cC5vcmefWyvuawQMSACunre9VWwnwXCShhv05eNmAIx4hDt6CAMVCggCmQECmwEC HgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAUWIA/jFrXrOw4h6iOJovCvGD9zoJ fyZWhCEtt7x/+6amswwgAP0fYkSVoKfBFYKaBjTYRKF3THLsNBeF5YiRQFqG4Mkn CM4zBGP/LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4VqDn XdVfPw6zwsAABBgWCgByBYJj/y4jCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmf9Zi+LJShZF85Q891p2IEzeanqA2l43XJl 5/Rb/qRaIgKbIBYhBNWOBHwF0RXqTz0amKZ6czEnu+gEAAAgeQEA7Q8yHq28RY3P AcSTDua7ggtz3G9DFcsE6fUQNWu47vYBAI+IYKsqLqQM6HKyNhQOAAxQy9mKeL+h rmAeQPam+e0MzjMEY/8uIxYJKwYBBAHaRw8BAQdAvAp2sWprnGrDBZZz9dw4nWUd Zxp8J66kFBgb1wrOHkzCwL8EGBYKATEFgmP/LiMJEKZ6czEnu+gERxQAAAAAAB4A IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ83wrBu6p9t+HDGReAhbHODj Y69wCZR8nUWC/EMtWyLNApsCvqAEGRYKAG8FgmP/LiMJEP9cZYLk0UtoRxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ0KB/wq5QIZxUm6K1jaB 0/U2L7kYgTRA0BGMZzXwFlHpFiEEnc2iqVoXtyjWpRFe/1xlguTRS2gAAEGwAQCV sb9Mrg9DqDYHQ9ciQYxnT/lWzZAaabh/JJhc7CkLtgD+Pc/oYQRwo+n8PSHBWVD6 DB9vUp/GUCfLoj1Cu9fH5ggWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAhXABAPf1 Qu7LkicorCeuKnga8hpvbF9ijpvBdwUJQ9XJO4diAP4t99AefI2ifCToWqC6iHzc eTmjcdwjZaZF2pD6BvkaC8YzBGP/LiMWCSsGAQQB2kcPAQEHQAPWluAdcU0ZKe4g WIxhYLr0uEEgbQxAms+SAt1u0ourwsALBB8WCgB9BYJj/y4jAwsJBwkQpnpzMSe7 6ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnT2AEIVBD /dTtVZx9x6CpjW8sXUI92/aAtgf1LCKeMgEDFQoIApsBAh4BFiEE1Y4EfAXRFepP PRqYpnpzMSe76AQAAP7RAPwK5BnpjJQb6Ib/34pg5pYNs5LfzcOaDNqJI1iR6YY4 uAD/eI/bkjCNxgBKDi2sSJLrObxvdFHe/6lS6Vo/vcnIVwjNDzxyZWdpc0BwdXAu Y29tPsLACwQTFgoAfQWCY/8uIwMLCQcJEKZ6czEnu+gERxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZxrI196neOHjCWJtpm5fDMGD5MRFzSNf WAjCoNrL3sraAxUKCAKbAQIeARYhBNWOBHwF0RXqTz0amKZ6czEnu+gEAABLTwEA v2odmPvWRAEm1yYvqlP/qL3Q5WZS3unmxIV0gviG0AcBAPcpbO8IDnaPx3djm7gW eMlbGJd5llosmhxIgVFmo3QLzSJIYWxmbGluZyA8ZW5jcnlwdGlvbkBoYWxmbGlu Zy5vcmc+wsALBBMWCgB9BYJj/y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2Fs dEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEopfmcPiJ7b4qrCW3mcQ4b7UGDaZ ws/WRb0TdtUxcXQDFQoIApsBAh4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAIdB AP9AcisA8YR/v779TOUWzqIN1yFcGRzXLzAIHj98XPHL/AEAo/DbjVgOvSKpiC+s AN35NrAPPr7Gj3or+Veut6dBVgzOMwRj/y4jFgkrBgEEAdpHDwEBB0BCoAE761Un 3XLt8/HUVZkmDb0WOFoiOFag513VXz8Os8LAAAQYFgoAcgWCY/8uIwkQpnpzMSe7 6ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn/WYviyUo WRfOUPPdadiBM3mp6gNpeN1yZef0W/6kWiICmyAWIQTVjgR8BdEV6k89GpimenMx J7voBAAAIHkBAO0PMh6tvEWNzwHEkw7mu4ILc9xvQxXLBOn1EDVruO72AQCPiGCr Ki6kDOhysjYUDgAMUMvZini/oa5gHkD2pvntDM44BGP/LiMSCisGAQQBl1UBBQEB B0AlbzTZy9RVFOkwjMlDxXtY1IrpUE/82rvyleCj6HxWJwMBCAfCwAAEGBYKAHIF gmP/LiMJEKZ6czEnu+gERxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt cGdwLm9yZ2GWojIZyQprOoE2p3Js/iXmXi1dnGd0td4ANZzkDHJCApsMFiEE1Y4E fAXRFepPPRqYpnpzMSe76AQAACbAAPwJyUgmEQpaJLVjT73zlLMysuPkewmfyACI gp4gpP4SBgD/bn+piSKZ2/2yHH7g5lJuWloAFVBPhabzSI2Pfpo6DQHGMwRj6iqy FgkrBgEEAdpHDwEBB0BPdFoyj4ybSTOPmRCGo1BbAfOzGxcULXRlYF+10gApY8LA CwQfFgoAfQWCY+oqsgMLCQcJELiUkfB9COT4RxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZ06J0/sIdZ0OvkhmTP93Gsat1eYX5Rv4V9yK1/0P zUd2AxUKCAKbAQIeARYhBPZnXQ5NpAgjcVxIEbiUkfB9COT4AACeMQD/cuJntY0U X8a51t451fowe5+pt8caZ/2NE5ofxIWbKxsBAL6zASMl8nJkiwdYIg55ni4vFPs9 3MefsZESRh4v3LwJzR1IYW5zIDxoYW5zQHhuLS1iY2hlci1rdmEudGxkPsLADgQT FgoAgAWCY+oqsgMLCQcJELiUkfB9COT4RxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ+gASa6igutTxuj2prWTNWLkZqMRVsLgXBGnU1ox+lWG AxUKCAKZAQKbAQIeARYhBPZnXQ5NpAgjcVxIEbiUkfB9COT4AADVdgD+O7HOfVHK ktMKIqd2qkfa4YEND5RkdXZSgr3ndUnH1OAA+wTpV7jHZva5Dx7DFlFb9swVh7Hz s1PU61bejrGk66QIzjMEY+oqshYJKwYBBAHaRw8BAQdAGTL493ZrGWUvtWy/ll+h w7/oDfIvkMocgYwdLPMFI5PCwL8EGBYKATEFgmPqKrIJELiUkfB9COT4RxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZyuXD0xCb8liVrUy7F6W OBJOxfEELZY6ysI1tpULTb3YApsCvqAEGRYKAG8FgmPqKrIJENsfXxHBfLLURxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZw9UPiixBgUO/0gA wW41/f5qoJTwNSRxtQ3N2gZw/PPMFiEEP2DqCuvBPikJOaCA2x9fEcF8stQAALto AP9N9fc0d+mq59zflgdMQSljALYqug0xOECe15Z01FHuPAEAy2VMaBiv140AkT+A oUgFjT5UGbttbAGR5PaTz0f9ZQAWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAAOB0B AOE6N1BWh63R0bozConx708Xahe/6434g1ypTKLKrPiaAP9qK8oK38FKpoSjL2tL RzDhqUvBsRYPvYZ070tVsKPqC8YzBGPqMqIWCSsGAQQB2kcPAQEHQL7eSjiowXqK +9a6aJujf+vk2x4VwyGu6kNB7c0J3hXkwsALBB8WCgB9BYJj6jKiAwsJBwkQNare xmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnB5GN 1ytb4OBEuWTGbe6YLQERrMyH25xx+ROabT1IlpMDFQoIApsBAh4BFiEEIX4lbhdn GaVFLt/5NarexmtWWFsAAD1FAQC3lqYfMNO+16bQkczC9nFpKXR0w31T0Y5gcTTU FEPf5wEAsE3qZgUSk5jbAKdApQjae/L7Fg/n3rBToxcJobSEIQDNHVN0ZXZlIDxz dGV2ZUBzdWIuY29tcGFueS5jb20+wsAOBBMWCgCABYJj6jKiAwsJBwkQNarexmtW WFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnpHmJbxKK XD9L7rb6Nm4QO7MAwEL9tAij4pRJ5nLW3RoDFQoIApkBApsBAh4BFiEEIX4lbhdn GaVFLt/5NarexmtWWFsAACRKAQComL8m5O1VFzkQppd3FiNZ55JFriChzKE4l/PD JtFWKwD+K1v/rPt8xoluiXkcCzCwy5bVTcxhAGD3yG/kFty8Gw7OMwRj6jKiFgkr BgEEAdpHDwEBB0CUDl/MXB9n4zhULNYtn4AvcLYJp7VEwrrO4SEWTg3SQ8LAvwQY FgoBMQWCY+oyogkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3JnIHNcBNhj0GKyX2pfdvJsOe4d2+vaLQu4N2QLJ4dYCOUCmwK+ oAQZFgoAbwWCY+oyogkQtZa2Vv2PcAtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jndy2sZV0dlZNeCRCAO4BE7uCpO7Bv+s0OiUtq9YUgTdwW IQQyxYIFQDCHUrcJLuW1lrZW/Y9wCwAAv+gBAN2WVbKWq2E3L57k5iXiavUZZRI4 J8OUVofXjp2sEbI8AQCtFOimXbDQqINuj3aR+vH7LcvhwtIrzlvI84uzBfh4CxYh BCF+JW4XZxmlRS7f+TWq3sZrVlhbAADDegEAxXOEpr9mZRCY1fzOTq8YrS9s7Dju E9pVEIbVFGtIavABALlO16H4xwqgVDMp5r8Kt649tqoNox8RRqso7VsTTA8IxjME Y+oykhYJKwYBBAHaRw8BAQdAkHZelZnKgyDf93+x3dEjxFGvfNZ2mzWxh4MMmp+V 4YDCwAsEHxYKAH0FgmPqMpIDCwkHCRBxQkrePsYbvEcUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmc2TEX2OpZAW0JOG77YzLwXhU2wyoijAHNu cxO3MtUUlQMVCggCmwECHgEWIQQRmwFGBlnY7zcyvsJxQkrePsYbvAAACJgA/Rz3 SwNYazmOwG/TcflSQtm/Da68ysol3julPdqWhek5APwLW+3s9OCTN2vv0byHqdGG mD8U2tb/6lcKruqNRn7+Cc0VVW5hIDx1bmFAY29tcGFueS5jb20+wsAOBBMWCgCA BYJj6jKSAwsJBwkQcUJK3j7GG7xHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3Jn8+hC9jVwgo9mMupvcdZWIle2s41/0ZfFIwivfPyjiQIDFQoI ApkBApsBAh4BFiEEEZsBRgZZ2O83Mr7CcUJK3j7GG7wAAIwlAP4iRe60ZgLEkyrC tsPXymiVYvEiGiOh9RNzCD1CWbPdRQEAg/xsoQ1WE4LADSFP/caY68xFKOizI2GI Ay093T04gALOMwRj6jKSFgkrBgEEAdpHDwEBB0Ag0LjLZUtvld5PEGMrs9//nfFR eXQ4l7/zu0SLGW6gysLAvwQYFgoBMQWCY+oykgkQcUJK3j7GG7xHFAAAAAAAHgAg c2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnDL7VUETlyxiFQvAwIbXFuo25 paJJkfTDJ4HefD9irlYCmwK+oAQZFgoAbwWCY+oykgkQ0L5Ee/ObQ59HFAAAAAAA HgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnQoxKOtgqm/zeV8Rm9U3Z 7ttuYU0rkYsF897LNfje2MIWIQTuWMMuPSM28iO9ic7QvkR785tDnwAApzMBAJj2 hFij3d4aSanQKYfCgHUWHlcIZqwsAIvDWhPde0uLAPwM8ibm0/+Eqf7yvkj2vnf1 UzRAKUtU0X/UkG5AI6eNBxYhBBGbAUYGWdjvNzK+wnFCSt4+xhu8AAAywgEAtof2 rVFTv0IQ+rIPLhhTI+vP/kActUIP+3/U3s5RNioA/iumMhZSGVbknBfcSpChokKc QYnpHA6FXRnr9I8RPOkG =D5P8 -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.5.0/tests/keyring.rs000064400000000000000000000142701046102023000165450ustar 00000000000000#[allow(non_upper_case_globals, dead_code)] mod keyring { use std::path::Path; use anyhow::Result; use sequoia_openpgp as openpgp; use openpgp::parse::Parse; pub struct Cert { pub filename: &'static str, pub base: &'static str, pub fingerprint: &'static str, pub subkeys: &'static [&'static str], pub userids: &'static [&'static str], } impl Cert { pub fn bytes(&self) -> Vec { let filename = Path::new(env!("CARGO_MANIFEST_DIR")) .join("tests") .join(self.filename); std::fs::read(filename).expect("exists") } pub fn to_cert(&self) -> Result { openpgp::Cert::from_bytes(&self.bytes()) } } pub const certs: &[Cert] = &[ // alice Cert { filename: "data/alice.pgp", base: "alice", fingerprint: "30505BCEB7403A1BBFA9DBF0BFBE63567B4BA57A", subkeys: &[ "662F03FC47C05D070B53A93AD5A5048A71CD012A", "A6D92948A7ADEB809F04202F1CF1943DFE153D1E", "5989D7BE9908AE24799DF6CFBE678043781349F1", ], userids: &[ "", "", ], }, // alice2 Cert { filename: "data/alice2.pgp", base: "alice2", fingerprint: "23CFE49D4BB7A0AA83619C147E716FFE77DF170A", subkeys: &[ ], userids: &[ "", "", ], }, // alice2_adopted_alice Cert { filename: "data/alice2-adopted-alice.pgp", base: "alice2_adopted_alice", fingerprint: "23CFE49D4BB7A0AA83619C147E716FFE77DF170A", subkeys: &[ "662F03FC47C05D070B53A93AD5A5048A71CD012A", "5989D7BE9908AE24799DF6CFBE678043781349F1", ], userids: &[ "", "", ], }, // bob Cert { filename: "data/bob.pgp", base: "bob", fingerprint: "9994DBF9D34E88E2A21D0CE8E79C9395A1004BB0", subkeys: &[ "7E01441CBF6FAB5C4AB457E2FBD6F5322354B331", ], userids: &[ "", ], }, // carol Cert { filename: "data/carol.pgp", base: "carol", fingerprint: "E9C6EFC0E39CE6F9DF5274E7E362D45C7FF7B654", subkeys: &[ "CD22D4BD99FF10FDA11A83D4213DCB92C95346CE", ], userids: &[ "", "", ], }, // david Cert { filename: "data/david.pgp", base: "david", fingerprint: "A82BC944220BD5EBECC4D42883F74A0EAC207446", subkeys: &[ "DF674FBAC52E00F0E6E48436481D2E18158FB594", "CD22D4BD99FF10FDA11A83D4213DCB92C95346CE", ], userids: &[ "", ], }, // ed Cert { filename: "data/ed.pgp", base: "ed", fingerprint: "0C346B2B6241263F64E9C7CF1EA300797258A74E", subkeys: &[ "0C346B2B6241263F64E9C7CF1EA300797258A74E", ], userids: &[ "", ], }, // halfling_signing Cert { filename: "data/halfling-signing.pgp", base: "halfling_signing", fingerprint: "D58E047C05D115EA4F3D1A98A67A733127BBE804", subkeys: &[ "69669E91C8D5C546D442FB246FE6D4751AC09E15", "9DCDA2A95A17B728D6A5115EFF5C6582E4D14B68", ], userids: &[ "", "Halfling ", ], }, // halfling_encryption Cert { filename: "data/halfling-encryption.pgp", base: "halfling_encryption", fingerprint: "D58E047C05D115EA4F3D1A98A67A733127BBE804", subkeys: &[ "69669E91C8D5C546D442FB246FE6D4751AC09E15", "CC4EFA3BFAB8E92A54CDEA3F3DC7543293DD4E53", ], userids: &[ "", "Halfling ", ], }, // hans_puny_code Cert { filename: "data/hans-puny-code.pgp", base: "hans_puny_code", fingerprint: "F6675D0E4DA40823715C4811B89491F07D08E4F8", subkeys: &[ "3F60EA0AEBC13E290939A080DB1F5F11C17CB2D4", ], userids: &[ "Hans ", ], }, // steve Cert { filename: "data/steve.pgp", base: "steve", fingerprint: "217E256E176719A5452EDFF935AADEC66B56585B", subkeys: &[ "32C5820540308752B7092EE5B596B656FD8F700B", ], userids: &[ "Steve ", ], }, // una Cert { filename: "data/una.pgp", base: "una", fingerprint: "119B01460659D8EF3732BEC271424ADE3EC61BBC", subkeys: &[ "EE58C32E3D2336F223BD89CED0BE447BF39B439F", ], userids: &[ "Una ", ], }, ]; pub const alice: &Cert = &certs[0]; pub const alice2: &Cert = &certs[1]; pub const alice2_adopted_alice: &Cert = &certs[2]; pub const bob: &Cert = &certs[3]; pub const carol: &Cert = &certs[4]; pub const david: &Cert = &certs[5]; pub const ed: &Cert = &certs[6]; pub const halfling_signing: &Cert = &certs[7]; pub const halfling_encryption: &Cert = &certs[8]; pub const hans_puny_code: &Cert = &certs[9]; pub const steve: &Cert = &certs[10]; pub const una: &Cert = &certs[11]; } // mod keyring sequoia-cert-store-0.5.0/tests/pep/keys.db000064400000000000000000005400001046102023000165700ustar 00000000000000SQLite format 3@ ,.O|   - # } 'Eindexuserids_indexuserids CREATE INDEX userids_index ON userids (userid COLLATE EMAIL, primary_key)g%tableuseridsuseridsCREATE TABLE userids ( userid TEXT NOT NULL COLLATE EMAIL, primary_key TEXT NOT NULL, UNIQUE(userid, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE )-Aindexsqlite_autoindex_userids_1userids o')indexsubkeys_indexsubkeysCREATE INDEX subkeys_index ON subkeys (subkey, primary_key)S}tablesubkeyssubkeysCREATE TABLE subkeys ( subkey TEXT NOT NULL, primary_key TEXT NOT NULL, UNIQUE(subkey, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE )-Aindexsqlite_autoindex_subkeys_1subkeysc!indexkeys_indexkeysCREATE INDEX keys_index ON keys (primary_key, secret)5MtablekeyskeysCREATE TABLE keys ( primary_key TEXT UNIQUE PRIMARY KEY, secret BOOLEAN, tpk BLOB )';indexsqlite_autoindex_keys_1keys,*$)##"       %   ?M P   1 ^ 4 } l  o B # a z ,]AAB978A882B9A6E793960B071ADFC82AC3586C14%,]10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F$,]507212E4796EFBF4FF8E4B1BF411A72A5C89092C#,]08C6A9408241E6ED99A0A2767A6B35253722954D",]6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!,]E4C1FB98268170769154C21BBD1637EEB34E933B ,]2533E4E13EC84A784DE6F2962C3E64162620C978,]7A757276DFF48471EA032D2B98611755153523E6,]4925E278E468D55BA68B3AC49E1F03BA787E31EA,]B5AAD4575B2988D99E3FB3EE973EE71028459E9A,]D27B4F82C717A04DFF3A986489929D075908994E,]CDAE31CA330249BC5284C1F96033761A09D517DF,]9BC60CF498E584E5620014340C099ECDA62431FE,]CB4287D637F9BC0CB38F978AEB64F54F552F0AB7,]A2439F4C712EA9FA6B65BC17DECD473509E96847,]E1C12525BFAF4F092D109F2152B7186506DCC483,]2349DF0D7DBD60C6C20453350553D1E9E9AE5C54,]8A0293871D97E954B8397DFD072889CB0E82D77B,]F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3,]7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76,]EB4750A0B0A0F558ED5F768F8B893A26133B3F66,]5C55764028BE2DD718F9DAAAD8D14CE515A32801,]68A4E57878501CF89B9844039B3560C27904221F,]912E63F55388D9886151101CDA4FE8ECD8365D6E,]8049F106768CD5D6374645F3B0C0ABEFB3892D73 ,]FBD19974E304C95589F976BD71059020F2CC257C ,]C11BCCBB3F843593B8975AFB958E85734EF0ADE0 ,]1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 ,]9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 ,]A20EF4E353FF61FF6B8B401AC48BF850A5E9C611,]2F8EB6F51987B06706ED6E45064ABE0B9108844E,]04880CB55875B6548C25C729A00E4CD660454746,]43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3,]22A589136F68CC46076FFA6071B2EDA40DC29CC7,]F29B751A3123A1502E5C0665745FB6564FC5F7DC,]4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B+] B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 % [ 5I ; o  ! O  i } c [  U ' A w -]AAB978A882B9A6E793960B071ADFC82AC3586C14%-]10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F$-]507212E4796EFBF4FF8E4B1BF411A72A5C89092C#-]08C6A9408241E6ED99A0A2767A6B35253722954D"-]6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!-]E4C1FB98268170769154C21BBD1637EEB34E933B -]2533E4E13EC84A784DE6F2962C3E64162620C978-]7A757276DFF48471EA032D2B98611755153523E6-]4925E278E468D55BA68B3AC49E1F03BA787E31EA-]B5AAD4575B2988D99E3FB3EE973EE71028459E9A-]D27B4F82C717A04DFF3A986489929D075908994E-]CDAE31CA330249BC5284C1F96033761A09D517DF-]9BC60CF498E584E5620014340C099ECDA62431FE-]CB4287D637F9BC0CB38F978AEB64F54F552F0AB7-]A2439F4C712EA9FA6B65BC17DECD473509E96847-]E1C12525BFAF4F092D109F2152B7186506DCC483-]2349DF0D7DBD60C6C20453350553D1E9E9AE5C54-]8A0293871D97E954B8397DFD072889CB0E82D77B-]F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3-]7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76-] EB4750A0B0A0F558ED5F768F8B893A26133B3F66-]5C55764028BE2DD718F9DAAAD8D14CE515A32801-]68A4E57878501CF89B9844039B3560C27904221F-]912E63F55388D9886151101CDA4FE8ECD8365D6E-]8049F106768CD5D6374645F3B0C0ABEFB3892D73 -]FBD19974E304C95589F976BD71059020F2CC257C -]C11BCCBB3F843593B8975AFB958E85734EF0ADE0 -]1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 -]9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 -]A20EF4E353FF61FF6B8B401AC48BF850A5E9C611-]2F8EB6F51987B06706ED6E45064ABE0B9108844E-]04880CB55875B6548C25C729A00E4CD660454746-]43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3-]22A589136F68CC46076FFA6071B2EDA40DC29CC7-]F29B751A3123A1502E5C0665745FB6564FC5F7DC-]4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B,] B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79$@|"|=-]BD1637EEB34E933BE4C1FB98268170769154C21BBD1637EEB34E933B}=-]6033761A09D517DFCDAE31CA330249BC5284C1F96033761A09D517DFe|!|=-]BD1637EEB34E933BE4C1FB98268170769154C21BBD1637EEB34E933B}=-]6033761A09D517DFCDAE31CA330249BC5284C1F96033761A09D517DFe 3av0[ B s / ]  @ i "O }5j$d+^f(aE3A]volker.birk@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C14F2C]volker.birk@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C1461#]vb@pibit.chAAB978A882B9A6E793960B071ADFC82AC3586C14<0/]vb@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C14=/1]vb@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C149.)]vb@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14=-1]dingens@bumens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14=,1]bumens@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14@+7]pep3@ageinghacker.net10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F@*7]pep2@ageinghacker.net507212E4796EFBF4FF8E4B1BF411A72A5C89092CG)E]luca-mobile@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D7(%]luca@saiu.ch08C6A9408241E6ED99A0A2767A6B35253722954D?'5]saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D;&-]positron@gnu.org08C6A9408241E6ED99A0A2767A6B35253722954D@%7]luca@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954DD$?]luca.saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D?#5]iut@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954DB";]positron@pep.foundation08C6A9408241E6ED99A0A2767A6B35253722954DD!?]ziggy@fake.pep.foundation6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07F C]zenobia@fake.pep.foundationE4C1FB98268170769154C21BBD1637EEB34E933BFC]zachary@fake.pep.foundation2533E4E13EC84A784DE6F2962C3E64162620C978C=]yves@fake.pep.foundation7A757276DFF48471EA032D2B98611755153523E6C=]yoko@fake.pep.foundation4925E278E468D55BA68B3AC49E1F03BA787E31EAD?]xenia@fake.pep.foundationB5AAD4575B2988D99E3FB3EE973EE71028459E9AEA]xavier@fake.pep.foundationD27B4F82C717A04DFF3A986489929D075908994ED?]wyatt@fake.pep.foundationCDAE31CA330249BC5284C1F96033761A09D517DFEA]victor@fake.pep.foundation9BC60CF498E584E5620014340C099ECDA62431FEFC]valeria@fake.pep.foundationCB4287D637F9BC0CB38F978AEB64F54F552F0AB7FC]ulysses@fake.pep.foundationA2439F4C712EA9FA6B65BC17DECD473509E96847EA]tamara@fake.pep.foundationE1C12525BFAF4F092D109F2152B7186506DCC483FC]sabrina@fake.pep.foundation2349DF0D7DBD60C6C20453350553D1E9E9AE5C54D?]randy@fake.pep.foundation8A0293871D97E954B8397DFD072889CB0E82D77BHG]quasimodo@fake.pep.foundationF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3C=]paul@fake.pep.foundation7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76C=]owen@fake.pep.foundationEB4750A0B0A0F558ED5F768F8B893A26133B3F66FC]ophelia@fake.pep.foundation5C55764028BE2DD718F9DAAAD8D14CE515A32801C=]nkls@fake.pep.foundation68A4E57878501CF89B9844039B3560C27904221FB;]ned@fake.pep.foundation912E63F55388D9886151101CDA4FE8ECD8365D6EC =]mary@fake.pep.foundation8049F106768CD5D6374645F3B0C0ABEFB3892D73D ?]louis@fake.pep.foundationFBD19974E304C95589F976BD71059020F2CC257CB ;]ken@fake.pep.foundationC11BCCBB3F843593B8975AFB958E85734EF0ADE0C =]john@fake.pep.foundation1CF1202EC58B5514EADC477AAA9CAC9C7B935A45D ?]irene@fake.pep.foundation9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1D?]henry@fake.pep.foundationA20EF4E353FF61FF6B8B401AC48BF850A5E9C611FC]gilbert@fake.pep.foundation2F8EB6F51987B06706ED6E45064ABE0B9108844EFC]francis@fake.pep.foundation04880CB55875B6548C25C729A00E4CD660454746EA]ernest@fake.pep.foundation43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3D?]david@fake.pep.foundation22A589136F68CC46076FFA6071B2EDA40DC29CC7D?]carol@fake.pep.foundationF29B751A3123A1502E5C0665745FB6564FC5F7DCB;]bob@fake.pep.foundation4FDC731D26FAB6E8EAE6993C637DE61020C5DD1BD?]alice@fake.pep.foundationB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 3/u.V H 9  g " M w4 u ,> Rx8 w/{4_GA]volker.birk@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C143HC]volker.birk@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C1428#]vb@pibit.chAAB978A882B9A6E793960B071ADFC82AC3586C141>/]vb@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C140?1]vb@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C14/;)]vb@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14.?1]dingens@bumens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14-?1]bumens@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14,B7]pep3@ageinghacker.net10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F+B7]pep2@ageinghacker.net507212E4796EFBF4FF8E4B1BF411A72A5C89092C*IE]luca-mobile@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D)9%]luca@saiu.ch08C6A9408241E6ED99A0A2767A6B35253722954D(A5]saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D'=-]positron@gnu.org08C6A9408241E6ED99A0A2767A6B35253722954D&B7]luca@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D%F?]luca.saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D$A5]iut@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D#D;]positron@pep.foundation08C6A9408241E6ED99A0A2767A6B35253722954D"F?]ziggy@fake.pep.foundation6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!HC]zenobia@fake.pep.foundationE4C1FB98268170769154C21BBD1637EEB34E933B HC]zachary@fake.pep.foundation2533E4E13EC84A784DE6F2962C3E64162620C978E=]yves@fake.pep.foundation7A757276DFF48471EA032D2B98611755153523E6E=]yoko@fake.pep.foundation4925E278E468D55BA68B3AC49E1F03BA787E31EAF?]xenia@fake.pep.foundationB5AAD4575B2988D99E3FB3EE973EE71028459E9AGA]xavier@fake.pep.foundationD27B4F82C717A04DFF3A986489929D075908994EF?]wyatt@fake.pep.foundationCDAE31CA330249BC5284C1F96033761A09D517DFGA]victor@fake.pep.foundation9BC60CF498E584E5620014340C099ECDA62431FEHC]valeria@fake.pep.foundationCB4287D637F9BC0CB38F978AEB64F54F552F0AB7HC]ulysses@fake.pep.foundationA2439F4C712EA9FA6B65BC17DECD473509E96847GA]tamara@fake.pep.foundationE1C12525BFAF4F092D109F2152B7186506DCC483HC]sabrina@fake.pep.foundation2349DF0D7DBD60C6C20453350553D1E9E9AE5C54F?]randy@fake.pep.foundation8A0293871D97E954B8397DFD072889CB0E82D77BJG]quasimodo@fake.pep.foundationF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3E=]paul@fake.pep.foundation7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=]owen@fake.pep.foundationEB4750A0B0A0F558ED5F768F8B893A26133B3F66HC]ophelia@fake.pep.foundation5C55764028BE2DD718F9DAAAD8D14CE515A32801E=]nkls@fake.pep.foundation68A4E57878501CF89B9844039B3560C27904221FD;]ned@fake.pep.foundation912E63F55388D9886151101CDA4FE8ECD8365D6EE=]mary@fake.pep.foundation8049F106768CD5D6374645F3B0C0ABEFB3892D73 F?]louis@fake.pep.foundationFBD19974E304C95589F976BD71059020F2CC257C D;]ken@fake.pep.foundationC11BCCBB3F843593B8975AFB958E85734EF0ADE0 E=]john@fake.pep.foundation1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 F?]irene@fake.pep.foundation9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 F?]henry@fake.pep.foundationA20EF4E353FF61FF6B8B401AC48BF850A5E9C611HC]gilbert@fake.pep.foundation2F8EB6F51987B06706ED6E45064ABE0B9108844EHC]francis@fake.pep.foundation04880CB55875B6548C25C729A00E4CD660454746GA]ernest@fake.pep.foundation43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3F?]david@fake.pep.foundation22A589136F68CC46076FFA6071B2EDA40DC29CC7F?]carol@fake.pep.foundationF29B751A3123A1502E5C0665745FB6564FC5F7DCD;]bob@fake.pep.foundation4FDC731D26FAB6E8EAE6993C637DE61020C5DD1BE?] alice@fake.pep.foundationB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 3/u.V H 9  g " M w4 u ,> Rx8 w/{4_GA]volker.birk@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C143HC]volker.birk@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C1428#]vb@pibit.chAAB978A882B9A6E793960B071ADFC82AC3586C141>/]vb@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C140?1]vb@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C14/;)]vb@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14.?1]dingens@bumens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14-?1]bumens@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14,B7]pep3@ageinghacker.net10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F+B7]pep2@ageinghacker.net507212E4796EFBF4FF8E4B1BF411A72A5C89092C*IE]luca-mobile@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D)9%]luca@saiu.ch08C6A9408241E6ED99A0A2767A6B35253722954D(A5]saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D'=-]positron@gnu.org08C6A9408241E6ED99A0A2767A6B35253722954D&B7]luca@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D%F?]luca.saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D$A5]iut@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D#D;]positron@pep.foundation08C6A9408241E6ED99A0A2767A6B35253722954D"F?]ziggy@fake.pep.foundation6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!HC]zenobia@fake.pep.foundationE4C1FB98268170769154C21BBD1637EEB34E933B HC]zachary@fake.pep.foundation2533E4E13EC84A784DE6F2962C3E64162620C978E=]yves@fake.pep.foundation7A757276DFF48471EA032D2B98611755153523E6E=]yoko@fake.pep.foundation4925E278E468D55BA68B3AC49E1F03BA787E31EAF?]xenia@fake.pep.foundationB5AAD4575B2988D99E3FB3EE973EE71028459E9AGA]xavier@fake.pep.foundationD27B4F82C717A04DFF3A986489929D075908994EF?]wyatt@fake.pep.foundationCDAE31CA330249BC5284C1F96033761A09D517DFGA]victor@fake.pep.foundation9BC60CF498E584E5620014340C099ECDA62431FEHC]valeria@fake.pep.foundationCB4287D637F9BC0CB38F978AEB64F54F552F0AB7HC]ulysses@fake.pep.foundationA2439F4C712EA9FA6B65BC17DECD473509E96847GA]tamara@fake.pep.foundationE1C12525BFAF4F092D109F2152B7186506DCC483HC]sabrina@fake.pep.foundation2349DF0D7DBD60C6C20453350553D1E9E9AE5C54F?]randy@fake.pep.foundation8A0293871D97E954B8397DFD072889CB0E82D77BJG]quasimodo@fake.pep.foundationF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3E=]paul@fake.pep.foundation7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=]owen@fake.pep.foundationEB4750A0B0A0F558ED5F768F8B893A26133B3F66HC]ophelia@fake.pep.foundation5C55764028BE2DD718F9DAAAD8D14CE515A32801E=]nkls@fake.pep.foundation68A4E57878501CF89B9844039B3560C27904221FD;]ned@fake.pep.foundation912E63F55388D9886151101CDA4FE8ECD8365D6EE=]mary@fake.pep.foundation8049F106768CD5D6374645F3B0C0ABEFB3892D73 F?]louis@fake.pep.foundationFBD19974E304C95589F976BD71059020F2CC257C D;]ken@fake.pep.foundationC11BCCBB3F843593B8975AFB958E85734EF0ADE0 E=]john@fake.pep.foundation1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 F?]irene@fake.pep.foundation9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 F?]henry@fake.pep.foundationA20EF4E353FF61FF6B8B401AC48BF850A5E9C611HC]gilbert@fake.pep.foundation2F8EB6F51987B06706ED6E45064ABE0B9108844EHC]francis@fake.pep.foundation04880CB55875B6548C25C729A00E4CD660454746GA]ernest@fake.pep.foundation43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3F?]david@fake.pep.foundation22A589136F68CC46076FFA6071B2EDA40DC29CC7F?]carol@fake.pep.foundationF29B751A3123A1502E5C0665745FB6564FC5F7DCD;]bob@fake.pep.foundation4FDC731D26FAB6E8EAE6993C637DE61020C5DD1BE?] alice@fake.pep.foundationB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 l 5lF]>4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B3d- +G@ T8s*ng2wLˮTlAރ  }d-  c} G salt@notations.sequoia-pgp.orgD^n!-pPggw)# !Os&p-I5zuT /: g#?>SN !Os&@2y%u­T/*/=H]BB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D793d- +G@$Ji(;+ꞘCzj  }d-  ѫmyG salt@notations.sequoia-pgp.orgO J Y6^#ЅiP( !( 6Eޜ7ѫmyTiym?}NcX@L8 XAncQ#G ҴEXǸ&W(b alice@fake.pep.foundation d-  ѫmyG salt@notations.sequoia-pgp.orgRwpN'e[K'fjwPH !( 6Eޜ7ѫmy\ҹ;OI7   tIϹneoeKvKȽO&8d/u8t!+9 3d- +G@67_"6*kڬH?n| 1d- ѫmyG salt@notations.sequoia-pgp.org&KSGT0Œ r+4Xo< od- =Gx,8OG salt@notations.sequoia-pgp.orgmO{%}`.w+y!:s*y=Gx,8Oh?wyTk~mJm X"O8 3֐pvbycPdNOkc;X 8d- +U@/иxy8Uzq)a^]7a rd- ѫmyG salt@notations.sequoia-pgp.orguW dj/}dL)ֹ- !( 6Eޜ7ѫmy56sjhome<V=]ɱ@HSh:IZT@ j 5jH]B22A589136F68CC46076FFA6071B2EDA40DC29CC73d- +G@$m@=,ʻMCObwC  }d-  q œG salt@notations.sequoia-pgp.orgdٴqc0O+SjE4& !"ohFo`q œmnylYd)ygy<( }e@B3J_̿Eu :_͘[k.4HS!fdavid@fake.pep.foundation d-  q œG salt@notations.sequoia-pgp.org'9sZN"ho7csGt !"ohFo`q œT5zihN2 *.;xwl|jFi<ɍ (x"7։q13d- +G@sd0D٪Q,öT>k rd- q œG salt@notations.sequoia-pgp.org02w?0=ADZޤk !"ohFo`q œNgN _GzXsԖ#B>X &4Ww=\A$E#uGJTg3d- +G@廉! / {,}s̕'Q "L2Jd{ 1d- q œG salt@notations.sequoia-pgp.org8^VE ZÊ6n$,/(tBĩ od- GM·G%G salt@notations.sequoia-pgp.orgֳxS䊪24%1w^|ߌ!RT;p5F1GM·G% Kx,˶.DzH2UsLZD02x6_f }M'.J$ !"ohFo`q œH=Qm!oZAMq8BޢԈyi: sw⚭"MPNy$H]BF29B751A3123A1502E5C0665745FB6564FC5F7DC3d- +G@xލu{Ek6*vKt  }d-  t_VOG salt@notations.sequoia-pgp.org#O/`/͡NjH)_Bå !u1#P.\et_VO+pKEZ2to$ V?FR Eg${3O ݑd^pP1carol@fake.pep.foundation d-  t_VOG salt@notations.sequoia-pgp.orgy ABs ^86_:Mls !u1#P.\et_VO ~ :;=m>/J#i#nKmT2Q#wgaw3d- +G@jhQ~7Xrh gc#1FWj rd- t_VOG salt@notations.sequoia-pgp.org>W fi? ?ziA|G X !u1#P.\et_VO4k]fQɋ/nl@yoe*}AaL&H}8T$3d- +G@jK+!d*Va_ D+︿d 8tr 1d- t_VOG salt@notations.sequoia-pgp.orgjCzD05eqzS 4u\{_7 od- hfG salt@notations.sequoia-pgp.orgtQ[ o,Y~ zV!5eBmt hf /6!h#b_m(fd$D''="E Qcբ!u1#P.\et_VO%Pj{Wٞ8C$X+\B}1m:0gdt)#&ۏE>\\38d- +U@z][cq`e5RDi{Tm rd- t_VOG salt@notations.sequoia-pgp.orgװ:&PMlVt`WJҳ H_̣` !u1#P.\et_VO~TOLOQ-1A VP JLR}/QN\PGK$X i&g\a_̈́ g 4gJ]F04880CB55875B6548C25C729A00E4CD6604547463d- +G@Q< ;lR KQ7francis@fake.pep.foundation d-  L`EGFG salt@notations.sequoia-pgp.org:"W0떘Stb([.ڷ ! XuT%)L`EGFf`H# ķ&iVEqs?G^~Cvk)TLvE(džQe3d- +G@IAp]~G=_Ax;+o2 1d- L`EGFG salt@notations.sequoia-pgp.orgxccQ~8)FڍM+uR^ݪ od- gQG salt@notations.sequoia-pgp.orgf%^>ZW?x7aq!˼NQ"wgQH qv&策Ƥ:׊HT9'(HhǤaLTD92P ! XuT%)L`EGF_ۮ,mgO/qw> '~Kv/ł/?eګD[Zr ! XuT%)L`EGFa!7jyȑ,Q`0N)Afq7M&!,MAtXڗ7xyc I]D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F33d- +G@dh)` {8 ׅ=lÌƺl  }d-  IiEG salt@notations.sequoia-pgp.orghN$lܰ{? ûi Jv !C!}7/IiE_Հ/i>iz0-7@X]ۏ4& 8.RQ"E4ernest@fake.pep.foundation d-  IiEG salt@notations.sequoia-pgp.org!2A2/^H{5ߠ$Ye !C!}7/IiE]V^xwir\4ԍs}[3vV-U9[9.?FPx)s3d- +G@fTIAIs.;;Ɏ֥x 1d- IiEG salt@notations.sequoia-pgp.org]B[9Li jХf+ od- ({GG salt@notations.sequoia-pgp.orgLGVL$*M"cН%!p({GKL3z]x"T7<JXBkq={>08^о!C!}7/IiE 22IJaѵPȠ:38zhXF eB0Zwϙ;\-3d- +G@7.*|@! W͋!;P< rd- IiEG salt@notations.sequoia-pgp.orgU{3z8rMWr ?v1Cy !C!}7/IiE)v~ ~?8-*ǘH4G[* >_0K%DD+8d- +U@4RXw(@щN d3p rd- IiEG salt@notations.sequoia-pgp.orgV)چR4tȪnd<%m)Mo7P':Q !C!}7/IiE!%׽rG-BFuQ6pLsF!sVO5^ ͽKM|> h 3hH]BA20EF4E353FF61FF6B8B401AC48BF850A5E9C6113d- +G@@Sl^tlk(b{_'4)>  }d-  ċPG salt@notations.sequoia-pgp.orgrѼ5:D0dd9Z(e$b\ !Sak@ċPjH1ە4yx\/8Zj| P9ǯ0[L@.ɯF henry@fake.pep.foundation d-  ċPG salt@notations.sequoia-pgp.org_eSW JRUZ􊚬/ !Sak@ċP1pX@B91C@d% ㊀CH> "|{4@ =ͭطd F*3d- +G@} =Qr%⣳bt rd- ċPG salt@notations.sequoia-pgp.org5X1_Z4]E\!JЃ !Sak@ċPJΟqFmSbn[GN-bo7_uaM<[ w]"J 3d- +G@/]0phzdS{f$.! 1d- ċPG salt@notations.sequoia-pgp.org:6+W(7DaGo~ od- QNJG salt@notations.sequoia-pgp.orgdhuImKs[uIr⦜؀!ERkQNJHC5>Q).j 24czy>q(F _yMqCjK->WfU !Sak@ċP1Mv>ŀp2Ͽ.LvZ?ب⤂w`. QG1kX2 8d- +U@}Xz6v> S,HOd~ rd- ċPG salt@notations.sequoia-pgp.org*= Ǔ3OacG죵.&͉ !Sak@ċPG<n|~m дjKq7ah'B9;*~uFGL#bXJ]F2F8EB6F51987B06706ED6E45064ABE0B9108844E3d- +G@}{X.M Ӌ6k]{!٭  }d-  J NG salt@notations.sequoia-pgp.orgaâ)$0Njs* W_  !/gnEJ N:{Y2Zc]Vu! tjSQm 5=,aEgilbert@fake.pep.foundation d-  J NG salt@notations.sequoia-pgp.orgVj,a d0XF   !/gnEJ NјI疁L>F2 #D^SPYw&KPzu$'džy.q8g7 3d- +G@*+Az처qr"M||hkFف 1d- J NG salt@notations.sequoia-pgp.org>kR8{jCJH )`aIC od- -km}G salt@notations.sequoia-pgp.org"AJrd6}L s!8r`Îi-km}RÊs,b 2'.Y_fJBF\iTi^p@4uȬ@6Pl2J0!/gnEJ NGh>I1Wđ_cƏa4;bb *ڋB6xfSԭгᰖ3d- +G@zT =χguҁ\ )nA%|t rd- J NG salt@notations.sequoia-pgp.org0a9x%ɏ*ø:7 [mȑ !/gnEJ NyvGMi,bQ~˜ C«빽 ^#HX:ƾqMW5!Kc_azQf8d- +U@Պo$PP k 5kG ]@1CF1202EC58B5514EADC477AAA9CAC9C7B935A453d- +G@D4Q5Ho+3iNߔLP  }d-  {ZEG salt@notations.sequoia-pgp.orgGo- >0{C_[ ! .ŋUGz{ZE~6Aq(2`B@+.V{\n̛ rLY|􅮍#X=)U/dmfjohn@fake.pep.foundation d-  {ZEG salt@notations.sequoia-pgp.orgCӢO!TdDV聥% ! .ŋUGz{ZEyU7e5+ltlaer;1ڦn@;,5I"S]eW 3d- +G@&!a;M5biblXLL 1d- {ZEG salt@notations.sequoia-pgp.orgAT1fRh]L>rUX0b od- I1c+UvG salt@notations.sequoia-pgp.org}JmuN$Tդ؎ãşa!B=AvVʱI1c+Uv9ajQj8 E_ةAȚN>(~8/@»("tF;B (A! .ŋUGz{ZEX7xӰ"dJ/ĭ IwMj_K7 !$O[:{Mo~bUF:3d- +G@/mGXٸk+QM)):rAė rd- {ZEG salt@notations.sequoia-pgp.org"NA2xuKy) G6U/[?b! ! .ŋUGz{ZEHo2Pdoj{$ڨtm`pZpQɓlRK[h@m_6q9^0{Úgn ڶ 8d- +U@WhKtҘ`n6P@VX rd- {ZEG salt@notations.sequoia-pgp.orgjЬi)C7C-FTKܹ̳ Z( ! .ŋUGz{ZE]WeՃ1sؚlq(SB턱{^]yis9q 1H ]B9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C13d- +G@YnF_nɌ/~a:i'3m  }d-  [2[G salt@notations.sequoia-pgp.org?)mWΛ` ږ/d !H'[2[]i疨C3HլAdb#p.^#l}O3d- +G@UZizZ20ERhv rd- [2[G salt@notations.sequoia-pgp.orgǖ姁GWE%6V] 1ߛze !H'[2[_B@ݔA^#6KoUr κB̵|0Z?6WQ 7B _> P|r-Rn~48d- +U@Q\̕xu*@+MeN-U-ce rd- [2[G salt@notations.sequoia-pgp.org#l͜nEF92إ{MANRUO+ !H'[2[z撬)2ဴzS+Ȗ$B<AWiP{N`0~$R0 l 7lH ]BFBD19974E304C95589F976BD71059020F2CC257C3d- +G@ >[Xy8n81+^F{  }d-  q %|G salt@notations.sequoia-pgp.orgNmX W*T>cٓ !љtUvq %|/Ȯ2-!6E1e8R}V3j=Slouis@fake.pep.foundation d-  q %|G salt@notations.sequoia-pgp.orgdm) }jy4GH@s LmϜ !љtUvq %|)K=wH{4h.B+֏[/LfgmZC_9/B.683d- +G@xFw5svYmm  rd- q %|G salt@notations.sequoia-pgp.org\EMcvaث'Nk'K͕J !љtUvq %|"JNjOM:t!E _1-XEPFHAwxVar6LM+tr Jw3d- +G@^|Xa45`B5 1d- q %|G salt@notations.sequoia-pgp.org'3myOڍAb<**- od- s̴hG salt@notations.sequoia-pgp.orgfXCC".fur'*GT!2)H6vIXs̴h6igIa촉N^~ǘ*S$xnrԣ4&LVn_'(} ΩE2!љtUvq %|5eEKJQnV6j(-.KYY` OJAA@+ GE88d- +U@pY1ՔH~muc`]| rd- q %|G salt@notations.sequoia-pgp.orgC&܄T D[Df{㠢K !љtUvq %|35R J!_"JJЁd6CT=4F6Gˉ?R]?,!P8mGXr F ]>C11BCCBB3F843593B8975AFB958E85734EF0ADE03d- +G@1 %mr&;HX'%lCw  }d-  sNG salt@notations.sequoia-pgp.orgW3ܐZ:@HB/%Ѧ=@ !̻?5ZsNGYo_tyck^r.5 2UtU7Ėt)fRiP}-+$ken@fake.pep.foundation d-  sNG salt@notations.sequoia-pgp.org/.+ˬ70 w}/胞A=Z  !̻?5ZsNo}UHlLH 낶tfVjָTIjgpl>Ңa%INNW ^s3d- +G@^S+o7bAz$ I-0_? 1d- sNG salt@notations.sequoia-pgp.orgrm<pL4Ȭ"|Mcis od- &(G salt@notations.sequoia-pgp.org 2ïH&㕙 )(ؼc鼖M!81qFFO~ &(JRX-Q=&31yq,ZM*BkX[.?q* Vc3 !̻?5ZsNf'*Й3\EB7 0@N(ͲY\Bw@*\S(0APU!"qۿšI 3d- +G@.u߫%-ϚTp+Q|  rd- sNG salt@notations.sequoia-pgp.orgpK|jZ^#81v3 !̻?5ZsNXO܏&&O(;5Jcr4yEqn6/jҍMtlؓP 8d- +U@rokXvj%=ƶxK rd- sNG salt@notations.sequoia-pgp.org?̼WYz갓+;hʫe> !̻?5ZsN0wPj0dg<@\&=A8I*veINPA$1KI R2^{ m 6mF]>912E63F55388D9886151101CDA4FE8ECD8365D6E3d- +G@ҙ-a=q&q`^|C2{J`  }d-  O6]nG salt@notations.sequoia-pgp.org}`|EVe_:x/%  !.cSوaQO6]nHYMs*qfɅ6Rm2f\vɫ)Hs GQhywaXt#j ned@fake.pep.foundation d-  O6]nG salt@notations.sequoia-pgp.org)s _c.\Laq !.cSوaQO6]n>kUU8iXd'Rbbu͉%.cu75޿TsI3oL V)1F{[q=3d- +G@W"a="X] +Σ ;ڟ 1d- O6]nG salt@notations.sequoia-pgp.orgM`wO3i&% t{y od- w0*yG salt@notations.sequoia-pgp.org፻*'m4UּLݚt}9`8 _W!"s05_Ww0*yO??qcL \x*(ߟֺZgi'rҕ(XjZf V6(!.cSوaQO6]n`L_E 6Q*Nx>0p Qw:#SPF&HԲEjM7bس 3d- +G@P*!M"R͋ZHO_`H rd- O6]nG salt@notations.sequoia-pgp.org-KDQ/m~%DT_ !.cSوaQO6]n_z4jzR\:_7ʱ(#IO !Yqz. 18d- +U@B︄ң,O"ws5Q rd- O6]nG salt@notations.sequoia-pgp.orgםb~"PeyazWWq4Mp !.cSوaQO6]nĠfs \ "V<A7 _ ^is \BUFZrX$I*^=w G ]@8049F106768CD5D6374645F3B0C0ABEFB3892D733d- +G@cVFw]uPtv2gn""@Hq  }d-  ﳉ-sG salt@notations.sequoia-pgp.orgooeu(~z`zb !Iv7FEﳉ-s+#kAgAg߻k|%O;*e5 zD²q}G&Gmary@fake.pep.foundation d-  ﳉ-sG salt@notations.sequoia-pgp.orgwb(M,Lu=DBDyQކ*vh !Iv7FEﳉ-s y”w\SWPRk(R!w; v8n0KbH߷WL}}Asʳyq3d- +G@@-㘂jDv&S| 1d- ﳉ-sG salt@notations.sequoia-pgp.org H>>?kz}N ,X-ry od- fFmG salt@notations.sequoia-pgp.org7n)!.=?+Mw_!i_%{E.fFmfL:Z>ͽbTG9  U7;EqkW7 !Iv7FEﳉ-s65IZh^򊊕d֞ @yTEKl3/e4jsV""E1)E O3d- +G@9$ YFJt ^pms rd- ﳉ-sG salt@notations.sequoia-pgp.orgY*lMVogKO  !Iv7FEﳉ-sihY}dREo tXǾM"=½Ht@ʾ +ATx.2Xۑ 8d- +U@Rׇėoi=/ £`oRoJ} rd- ﳉ-sG salt@notations.sequoia-pgp.org} / =HJ7҆K !Iv7FEﳉ-sD-ȁWJͺp\sx:DX;2|C@+4F0aV@D i 6iJ]F5C55764028BE2DD718F9DAAAD8D14CE515A328013d- +G@2O_7S5/E IOQ  }d-  L(G salt@notations.sequoia-pgp.orgAG;ۇdqyt/iz %=cophelia@fake.pep.foundation d-  L(G salt@notations.sequoia-pgp.org&@W,wel5={COi!@t !\Uv@(-ڪL(GCbas- |Wg47~1Յ.azx]Cԙ~ Ld<(Q_:b\ 3d- +G@Rׄ&- ǫ'](&Jb*B 1d- L(G salt@notations.sequoia-pgp.org;WX 1d- 5`y"G salt@notations.sequoia-pgp.orgX5sЄ-rf Va?( ~$ od- mQ]oG salt@notations.sequoia-pgp.org޽_fZ)ČZ7GV63!wmI27mQ]o !R?c7hB\hdlߨOUS?{C,#&3Cn9!hxxPD5`y"}G;7*>8X 9 K+NuXorhiz' q?|t",3d- +G@8£a<= PXЯ;?9M rd- 5`y"G salt@notations.sequoia-pgp.orgXx6я\Ƃ j  U1 !hxxPD5`y"$7 SU291`eߎD&yn~xl5Th긵SZ鿟Ȼp8d- +U@qؐ$ iFUA$ rd- 5`y"G salt@notations.sequoia-pgp.orgTJ L!WgW)gtp !hxxPD5`y"7 U{/[ch~O-dU4 h[4#H]}Aj㻐F 8hFN% V  ^ h e ' l . t 6|>FNVd^ >-]1ADFC82AC3586C14AAB978A882B9A6E793960B071ADFC82AC3586C14>-]5A826CAA7026DB6F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]4A869829AAB70CBE10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]0AC73BFE55E17D2208C6A9408241E6ED99A0A2767A6B35253722954D>-]53D8C1B7F801D54D08C6A9408241E6ED99A0A2767A6B35253722954D=-]5DFAD7D10C678DBED27B4F82C717A04DFF3A986489929D075908994Ej>-]5D5025F89BBA7A076C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]5609A4F9A4344957A2439F4C712EA9FA6B65BC17DECD473509E96847\=-]54E2200EE3627373CB4287D637F9BC0CB38F978AEB64F54F552F0AB7_=-]52B7186506DCC483E1C12525BFAF4F092D109F2152B7186506DCC483U=-]51074EA7D24AA490A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]50B9CB75C21518725C55764028BE2DD718F9DAAAD8D14CE515A32801@=-]4D2476E6EDCA3BE22533E4E13EC84A784DE6F2962C3E64162620C978|=-]4C34BA7BC16F86B3F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3I=-]4B8313F3BF069E6A7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76G=-]4A4DF6C29EDD1F767D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=-]49B0B5F169F745F343C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]47D04DC2B74725E122A589136F68CC46076FFA6071B2EDA40DC29CC7=-]42916177BEAA88747A757276DFF48471EA032D2B98611755153523E6x=-]3F0586841937BDFE912E63F55388D9886151101CDA4FE8ECD8365D6E8=-]3D4778FC2C38084FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]3BDE948165BE18002F8EB6F51987B06706ED6E45064ABE0B9108844E=-]3AD07BB3F42BD08E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]38E7A3645666C76922A589136F68CC46076FFA6071B2EDA40DC29CC7=-]38CBCE44873FE1A74925E278E468D55BA68B3AC49E1F03BA787E31EAr=-]34450D8FA47BE5781CF1202EC58B5514EADC477AAA9CAC9C7B935A45(=-]33DB91F8AAECA2FDA20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]2F8A666BE91A400F2349DF0D7DBD60C6C20453350553D1E9E9AE5C54S=-]2DD7EC6B89966D7D2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]2C7C1FA3369E4A4D7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76H=-]2C45488C98085D61CDAE31CA330249BC5284C1F96033761A09D517DFh=-]2C3E64162620C9782533E4E13EC84A784DE6F2962C3E64162620C978y=-]2B45B386DCB3A0CFE1C12525BFAF4F092D109F2152B7186506DCC483V=-]28967B47191899F843C5C721DCFF1D7D8FD1372F49B0B5F169F745F3>-]1DB2D0B226A87A276C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]1D7FA83415FD0C9CE4C1FB98268170769154C21BBD1637EEB34E933B=-]1C23477C835E5CEB7A757276DFF48471EA032D2B98611755153523E6w>-]1B23CEF521884A3F6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]19BAAA837AA0EDE3F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]1981CA07B08A2AA34FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]1949FBA7A090B71D4925E278E468D55BA68B3AC49E1F03BA787E31EAt=-]1908736247B42C7C2349DF0D7DBD60C6C20453350553D1E9E9AE5C54R=-]185B7A6512A4839143C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]1743133E219C1EB19BC60CF498E584E5620014340C099ECDA62431FEc=-]14180E23218FFEDAEB4750A0B0A0F558ED5F768F8B893A26133B3F66B=-]132E928709CB19568A0293871D97E954B8397DFD072889CB0E82D77BP=-]0DCD1F051766107FF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3J=-]0D6DF17AFEF1FFBAB5AAD4575B2988D99E3FB3EE973EE71028459E9Ao=-]0C099ECDA62431FE9BC60CF498E584E5620014340C099ECDA62431FEa=-]072889CB0E82D77B8A0293871D97E954B8397DFD072889CB0E82D77BM=-]064ABE0B9108844E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]0553D1E9E9AE5C542349DF0D7DBD60C6C20453350553D1E9E9AE5C54Q=-]054118196B963B7DCDAE31CA330249BC5284C1F96033761A09D517DFf=-]0509657A6BAC730C68A4E57878501CF89B9844039B3560C27904221F;=-]04EEFDB17B04F78B5C55764028BE2DD718F9DAAAD8D14CE515A32801?=-]01076D890F515D6F68A4E57878501CF89B9844039B3560C27904221F: 3;3a &I  ^ y;i+ iqYF#N Q V  e  w 9A3|=-]8451B62D9873AE16A20EF4E353FF61FF6B8B401AC48BF850A5E9C611 =-]83C69AF0F851437AB5AAD4575B2988D99E3FB3EE973EE71028459E9An=-]6286EF138550E5C09C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1$=-]98611755153523E67A757276DFF48471EA032D2B98611755153523E6u=-]637DE61020C5DD1B4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]9079AA6B02A61A8B8049F106768CD5D6374645F3B0C0ABEFB3892D733=-]8F07A6D986845B5AEB4750A0B0A0F558ED5F768F8B893A26133B3F66C=-]8B893A26133B3F66EB4750A0B0A0F558ED5F768F8B893A26133B3F66A=-]89E01368B3CFEA66F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]89929D075908994ED27B4F82C717A04DFF3A986489929D075908994Ei=-]884DFEDE8DF8A5B19BC60CF498E584E5620014340C099ECDA62431FEb=-]848F73B0CCB468D9FBD19974E304C95589F976BD71059020F2CC257C/=-]9E1F03BA787E31EA4925E278E468D55BA68B3AC49E1F03BA787E31EAq=-]64BF7EACFA7E07D3CB4287D637F9BC0CB38F978AEB64F54F552F0AB7`=-]973EE71028459E9AB5AAD4575B2988D99E3FB3EE973EE71028459E9Am=-]A685E0D6F5530952D27B4F82C717A04DFF3A986489929D075908994El=-]650BEEAE8BE0BA784FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]94D1A2CC4A9787279BC60CF498E584E5620014340C099ECDA62431FEd=-]6C9FF639C2D20ED28A0293871D97E954B8397DFD072889CB0E82D77BO=-]66CC46F715A66DBC8049F106768CD5D6374645F3B0C0ABEFB3892D732=-]B974664B34752AFCA2439F4C712EA9FA6B65BC17DECD473509E96847[=-]AA761009D6D131A0A2439F4C712EA9FA6B65BC17DECD473509E96847Z=-]780F3DCE8BA84184FBD19974E304C95589F976BD71059020F2CC257C0=-]773082B0012A791A912E63F55388D9886151101CDA4FE8ECD8365D6E6=-]745FB6564FC5F7DCF29B751A3123A1502E5C0665745FB6564FC5F7DC =-]71B2EDA40DC29CC722A589136F68CC46076FFA6071B2EDA40DC29CC7 =-]71059020F2CC257CFBD19974E304C95589F976BD71059020F2CC257C-=-]9C4396FA8EE7BB36F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3Lf>-]8EF85F1B1E37396F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]A9173FFEBD40DA28507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]7A6B35253722954D08C6A9408241E6ED99A0A2767A6B35253722954D>-]69AF5A6299EC8A606C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07>-]B929651D1EDAD644E4C1FB98268170769154C21BBD1637EEB34E933B=-]8134877075548DB72533E4E13EC84A784DE6F2962C3E64162620C978z=-]7F6B5258C086DC6B7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76F=-]7AB77AECC3703ED52533E4E13EC84A784DE6F2962C3E64162620C978{=-]7903174192105E48D27B4F82C717A04DFF3A986489929D075908994Ek=-]B4E5A2B2EF97E40568A4E57878501CF89B9844039B3560C27904221F<=-]B0C0ABEFB3892D738049F106768CD5D6374645F3B0C0ABEFB3892D731=-]B058180EE35C8BE05C55764028BE2DD718F9DAAAD8D14CE515A32801>=-]AF26C6724E7E40F3912E63F55388D9886151101CDA4FE8ECD8365D6E7=-]ADF2379966C7497222A589136F68CC46076FFA6071B2EDA40DC29CC7=-]AC9255C490B722199C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1#=-]AA9CAC9C7B935A451CF1202EC58B5514EADC477AAA9CAC9C7B935A45%=-]A7CB62B3422503EE04880CB55875B6548C25C729A00E4CD660454746=-]A00E4CD66045474604880CB55875B6548C25C729A00E4CD660454746=-]9F5599183124F72D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]9B3560C27904221F68A4E57878501CF89B9844039B3560C27904221F9=-]994931632B55CF761CF1202EC58B5514EADC477AAA9CAC9C7B935A45&=-]958E85734EF0ADE0C11BCCBB3F843593B8975AFB958E85734EF0ADE0)=-]94E766EE6359246DFBD19974E304C95589F976BD71059020F2CC257C. 8hFN% V  ^ h e ' l . t 6|>FNVd^ >-]1ADFC82AC3586C14AAB978A882B9A6E793960B071ADFC82AC3586C14>-]5A826CAA7026DB6F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]4A869829AAB70CBE10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]0AC73BFE55E17D2208C6A9408241E6ED99A0A2767A6B35253722954D>-]53D8C1B7F801D54D08C6A9408241E6ED99A0A2767A6B35253722954D=-]5DFAD7D10C678DBED27B4F82C717A04DFF3A986489929D075908994Ej>-]5D5025F89BBA7A076C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]5609A4F9A4344957A2439F4C712EA9FA6B65BC17DECD473509E96847\=-]54E2200EE3627373CB4287D637F9BC0CB38F978AEB64F54F552F0AB7_=-]52B7186506DCC483E1C12525BFAF4F092D109F2152B7186506DCC483U=-]51074EA7D24AA490A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]50B9CB75C21518725C55764028BE2DD718F9DAAAD8D14CE515A32801@=-]4D2476E6EDCA3BE22533E4E13EC84A784DE6F2962C3E64162620C978|=-]4C34BA7BC16F86B3F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3I=-]4B8313F3BF069E6A7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76G=-]4A4DF6C29EDD1F767D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=-]49B0B5F169F745F343C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]47D04DC2B74725E122A589136F68CC46076FFA6071B2EDA40DC29CC7=-]42916177BEAA88747A757276DFF48471EA032D2B98611755153523E6x=-]3F0586841937BDFE912E63F55388D9886151101CDA4FE8ECD8365D6E8=-]3D4778FC2C38084FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]3BDE948165BE18002F8EB6F51987B06706ED6E45064ABE0B9108844E=-]3AD07BB3F42BD08E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]38E7A3645666C76922A589136F68CC46076FFA6071B2EDA40DC29CC7=-]38CBCE44873FE1A74925E278E468D55BA68B3AC49E1F03BA787E31EAr=-]34450D8FA47BE5781CF1202EC58B5514EADC477AAA9CAC9C7B935A45(=-]33DB91F8AAECA2FDA20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]2F8A666BE91A400F2349DF0D7DBD60C6C20453350553D1E9E9AE5C54S=-]2DD7EC6B89966D7D2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]2C7C1FA3369E4A4D7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76H=-]2C45488C98085D61CDAE31CA330249BC5284C1F96033761A09D517DFh=-]2C3E64162620C9782533E4E13EC84A784DE6F2962C3E64162620C978y=-]2B45B386DCB3A0CFE1C12525BFAF4F092D109F2152B7186506DCC483V=-]28967B47191899F843C5C721DCFF1D7D8FD1372F49B0B5F169F745F3>-]1DB2D0B226A87A276C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]1D7FA83415FD0C9CE4C1FB98268170769154C21BBD1637EEB34E933B=-]1C23477C835E5CEB7A757276DFF48471EA032D2B98611755153523E6w>-]1B23CEF521884A3F6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]19BAAA837AA0EDE3F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]1981CA07B08A2AA34FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]1949FBA7A090B71D4925E278E468D55BA68B3AC49E1F03BA787E31EAt=-]1908736247B42C7C2349DF0D7DBD60C6C20453350553D1E9E9AE5C54R=-]185B7A6512A4839143C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]1743133E219C1EB19BC60CF498E584E5620014340C099ECDA62431FEc=-]14180E23218FFEDAEB4750A0B0A0F558ED5F768F8B893A26133B3F66B=-]132E928709CB19568A0293871D97E954B8397DFD072889CB0E82D77BP=-]0DCD1F051766107FF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3J=-]0D6DF17AFEF1FFBAB5AAD4575B2988D99E3FB3EE973EE71028459E9Ao=-]0C099ECDA62431FE9BC60CF498E584E5620014340C099ECDA62431FEa=-]072889CB0E82D77B8A0293871D97E954B8397DFD072889CB0E82D77BM=-]064ABE0B9108844E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]0553D1E9E9AE5C542349DF0D7DBD60C6C20453350553D1E9E9AE5C54Q=-]054118196B963B7DCDAE31CA330249BC5284C1F96033761A09D517DFf=-]0509657A6BAC730C68A4E57878501CF89B9844039B3560C27904221F;=-]04EEFDB17B04F78B5C55764028BE2DD718F9DAAAD8D14CE515A32801?=-]01076D890F515D6F68A4E57878501CF89B9844039B3560C27904221F: 3;3a &I  ^ y;i+ iqYF#N Q V  e  w 9A3|=-]8451B62D9873AE16A20EF4E353FF61FF6B8B401AC48BF850A5E9C611 =-]83C69AF0F851437AB5AAD4575B2988D99E3FB3EE973EE71028459E9An=-]6286EF138550E5C09C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1$=-]98611755153523E67A757276DFF48471EA032D2B98611755153523E6u=-]637DE61020C5DD1B4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]9079AA6B02A61A8B8049F106768CD5D6374645F3B0C0ABEFB3892D733=-]8F07A6D986845B5AEB4750A0B0A0F558ED5F768F8B893A26133B3F66C=-]8B893A26133B3F66EB4750A0B0A0F558ED5F768F8B893A26133B3F66A=-]89E01368B3CFEA66F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]89929D075908994ED27B4F82C717A04DFF3A986489929D075908994Ei=-]884DFEDE8DF8A5B19BC60CF498E584E5620014340C099ECDA62431FEb=-]848F73B0CCB468D9FBD19974E304C95589F976BD71059020F2CC257C/=-]9E1F03BA787E31EA4925E278E468D55BA68B3AC49E1F03BA787E31EAq=-]64BF7EACFA7E07D3CB4287D637F9BC0CB38F978AEB64F54F552F0AB7`=-]973EE71028459E9AB5AAD4575B2988D99E3FB3EE973EE71028459E9Am=-]A685E0D6F5530952D27B4F82C717A04DFF3A986489929D075908994El=-]650BEEAE8BE0BA784FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]94D1A2CC4A9787279BC60CF498E584E5620014340C099ECDA62431FEd=-]6C9FF639C2D20ED28A0293871D97E954B8397DFD072889CB0E82D77BO=-]66CC46F715A66DBC8049F106768CD5D6374645F3B0C0ABEFB3892D732=-]B974664B34752AFCA2439F4C712EA9FA6B65BC17DECD473509E96847[=-]AA761009D6D131A0A2439F4C712EA9FA6B65BC17DECD473509E96847Z=-]780F3DCE8BA84184FBD19974E304C95589F976BD71059020F2CC257C0=-]773082B0012A791A912E63F55388D9886151101CDA4FE8ECD8365D6E6=-]745FB6564FC5F7DCF29B751A3123A1502E5C0665745FB6564FC5F7DC =-]71B2EDA40DC29CC722A589136F68CC46076FFA6071B2EDA40DC29CC7 =-]71059020F2CC257CFBD19974E304C95589F976BD71059020F2CC257C-=-]9C4396FA8EE7BB36F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3Lf>-]8EF85F1B1E37396F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]A9173FFEBD40DA28507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]7A6B35253722954D08C6A9408241E6ED99A0A2767A6B35253722954D>-]69AF5A6299EC8A606C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07>-]B929651D1EDAD644E4C1FB98268170769154C21BBD1637EEB34E933B=-]8134877075548DB72533E4E13EC84A784DE6F2962C3E64162620C978z=-]7F6B5258C086DC6B7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76F=-]7AB77AECC3703ED52533E4E13EC84A784DE6F2962C3E64162620C978{=-]7903174192105E48D27B4F82C717A04DFF3A986489929D075908994Ek=-]B4E5A2B2EF97E40568A4E57878501CF89B9844039B3560C27904221F<=-]B0C0ABEFB3892D738049F106768CD5D6374645F3B0C0ABEFB3892D731=-]B058180EE35C8BE05C55764028BE2DD718F9DAAAD8D14CE515A32801>=-]AF26C6724E7E40F3912E63F55388D9886151101CDA4FE8ECD8365D6E7=-]ADF2379966C7497222A589136F68CC46076FFA6071B2EDA40DC29CC7=-]AC9255C490B722199C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1#=-]AA9CAC9C7B935A451CF1202EC58B5514EADC477AAA9CAC9C7B935A45%=-]A7CB62B3422503EE04880CB55875B6548C25C729A00E4CD660454746=-]A00E4CD66045474604880CB55875B6548C25C729A00E4CD660454746=-]9F5599183124F72D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]9B3560C27904221F68A4E57878501CF89B9844039B3560C27904221F9=-]994931632B55CF761CF1202EC58B5514EADC477AAA9CAC9C7B935A45&=-]958E85734EF0ADE0C11BCCBB3F843593B8975AFB958E85734EF0ADE0)=-]94E766EE6359246DFBD19974E304C95589F976BD71059020F2CC257C.  G]@7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F763d- +G@`aj6`s zesOS  }d-  JMžvG salt@notations.sequoia-pgp.orgUqnW7q;|2`b7nN !}mNXaJMžv+Yfd_/vuE'9r3wet-/ZsWIbo8(='^paul@fake.pep.foundation d-  JMžvG salt@notations.sequoia-pgp.orghu"iPueVa !}mNXaJMžv^Z>6,:C$ r©ڲTN0h A`* [|}4hwY43d- +G@$T.XaV#HnQaZz^1 rd- JMžvG salt@notations.sequoia-pgp.org,'yĔd7:k7h/GI`3! !}mNXaJMžv |mH J\>s]m`_|ﵺQ@g.YX3d- +G@>ډswrW^'DqWpS¶&: 1d- JMžvG salt@notations.sequoia-pgp.orgLfQ#E6 ٵa`~Wds od- KjG salt@notations.sequoia-pgp.org\;*a,bD=s3;eS460 !MAI ~$L͑U>\3v< dɆg!}mNXaJMžvDS+PM=/`  }d-  :&;?fG salt@notations.sequoia-pgp.org ~:&jԳ,(.l  !GPX_v:&;?f~غ^[ZB4Ko&K4]z^nN6ǐ] l4pxowen@fake.pep.foundation d-  :&;?fG salt@notations.sequoia-pgp.org 0{yoZNJUp !GPX_v:&;?fIlaϊ+5ud\s$}9e\k 2={!$FFx >Knw傣Xd- +G@!r(zCF|{8[x;ݤIIu0_,7¼9ȗ-K 1d- :&;?fG salt@notations.sequoia-pgp.org^*"uĚ6 \s=il /?d od- #!G salt@notations.sequoia-pgp.org}M7?0};f-V!m`Xe2#!|Hk/i W$pnKL tyR㱙k4z~uDDrFmb!GPX_v:&;?ffRh!Á1 Ĩ4a]HOlS1bRu.@r F˶3=Xd- +G@|p')u5O"-5&]}>aBAI':ںJTX&=-&~ rd- :&;?fG salt@notations.sequoia-pgp.org|W75ϘYi||6iZz !GPX_v:&;?fE͕CA1zqjPRSmj]n(rޕPupqpI]d- +U@F@鰘RӆA)EkS}?A.<BB~\k,Ihgߞ rd- :&;?fG salt@notations.sequoia-pgp.orgHiePdq*]W X%t%P, !GPX_v:&;?fPL,gїň~O3-_ݣ,mBYK$W'ʝϝģlQ! @I U a $ m 0 y < H T `#l/x;G S_"k.w:;@-]50B9CB75C21518725C55764028BE2DD718F9DAAAD8D14CE515A32801;?-]04EEFDB17B04F78B5C55764028BE2DD718F9DAAAD8D14CE515A32801;>-]B058180EE35C8BE05C55764028BE2DD718F9DAAAD8D14CE515A32801;=-]D8D14CE515A328015C55764028BE2DD718F9DAAAD8D14CE515A32801;<-]B4E5A2B2EF97E40568A4E57878501CF89B9844039B3560C27904221F;;-]0509657A6BAC730C68A4E57878501CF89B9844039B3560C27904221F;:-]01076D890F515D6F68A4E57878501CF89B9844039B3560C27904221F;9-]9B3560C27904221F68A4E57878501CF89B9844039B3560C27904221F;8-]3F0586841937BDFE912E63F55388D9886151101CDA4FE8ECD8365D6E;7-]AF26C6724E7E40F3912E63F55388D9886151101CDA4FE8ECD8365D6E;6-]773082B0012A791A912E63F55388D9886151101CDA4FE8ECD8365D6E;5-]DA4FE8ECD8365D6E912E63F55388D9886151101CDA4FE8ECD8365D6E;4-]FD289E27C690EE4E8049F106768CD5D6374645F3B0C0ABEFB3892D73;3-]9079AA6B02A61A8B8049F106768CD5D6374645F3B0C0ABEFB3892D73;2-]66CC46F715A66DBC8049F106768CD5D6374645F3B0C0ABEFB3892D73;1-]B0C0ABEFB3892D738049F106768CD5D6374645F3B0C0ABEFB3892D73;0-]780F3DCE8BA84184FBD19974E304C95589F976BD71059020F2CC257C;/-]848F73B0CCB468D9FBD19974E304C95589F976BD71059020F2CC257C;.-]94E766EE6359246DFBD19974E304C95589F976BD71059020F2CC257C;--]71059020F2CC257CFBD19974E304C95589F976BD71059020F2CC257C;,-]C0D868F1963180D8C11BCCBB3F843593B8975AFB958E85734EF0ADE0;+-]E572969A4BF0EAA1C11BCCBB3F843593B8975AFB958E85734EF0ADE0;*-]DD26BFF997B128D0C11BCCBB3F843593B8975AFB958E85734EF0ADE0;)-]958E85734EF0ADE0C11BCCBB3F843593B8975AFB958E85734EF0ADE0;(-]34450D8FA47BE5781CF1202EC58B5514EADC477AAA9CAC9C7B935A45;'-]DA2E401BDCC261401CF1202EC58B5514EADC477AAA9CAC9C7B935A45;&-]994931632B55CF761CF1202EC58B5514EADC477AAA9CAC9C7B935A45;%-]AA9CAC9C7B935A451CF1202EC58B5514EADC477AAA9CAC9C7B935A45;$-]6286EF138550E5C09C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1;#-]AC9255C490B722199C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1;"-]DE99B5AACE8010449C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1;!-]DC5BFE32065BD8C19C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1; -]8451B62D9873AE16A20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]51074EA7D24AA490A20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]33DB91F8AAECA2FDA20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]C48BF850A5E9C611A20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]3AD07BB3F42BD08E2F8EB6F51987B06706ED6E45064ABE0B9108844E;-]3BDE948165BE18002F8EB6F51987B06706ED6E45064ABE0B9108844E;-]2DD7EC6B89966D7D2F8EB6F51987B06706ED6E45064ABE0B9108844E;-]064ABE0B9108844E2F8EB6F51987B06706ED6E45064ABE0B9108844E;-]DAC435B561D44E7B04880CB55875B6548C25C729A00E4CD660454746;-]A7CB62B3422503EE04880CB55875B6548C25C729A00E4CD660454746;-]CADEEF67FAADD95104880CB55875B6548C25C729A00E4CD660454746;-]A00E4CD66045474604880CB55875B6548C25C729A00E4CD660454746;-]185B7A6512A4839143C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]9F5599183124F72D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]28967B47191899F843C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]49B0B5F169F745F343C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]38E7A3645666C76922A589136F68CC46076FFA6071B2EDA40DC29CC7;-]47D04DC2B74725E122A589136F68CC46076FFA6071B2EDA40DC29CC7;-]ADF2379966C7497222A589136F68CC46076FFA6071B2EDA40DC29CC7; -]71B2EDA40DC29CC722A589136F68CC46076FFA6071B2EDA40DC29CC7; -]DF466C19D1E09129F29B751A3123A1502E5C0665745FB6564FC5F7DC; -]89E01368B3CFEA66F29B751A3123A1502E5C0665745FB6564FC5F7DC; -]19BAAA837AA0EDE3F29B751A3123A1502E5C0665745FB6564FC5F7DC; -]745FB6564FC5F7DCF29B751A3123A1502E5C0665745FB6564FC5F7DC;-]E8F03F5A4682799E4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]650BEEAE8BE0BA784FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]1981CA07B08A2AA34FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]637DE61020C5DD1B4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]CDD45401DD0E759FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79;-]DF5F5C00DA897592B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79;-]3D4778FC2C38084FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79;-]D0D1AB8DA16D8D79B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 @I U a $ m 0 y < H T `#l/x;G S_"k.w:;-]B929651D1EDAD644E4C1FB98268170769154C21BBD1637EEB34E933B;-]1D7FA83415FD0C9CE4C1FB98268170769154C21BBD1637EEB34E933B;~-]E7D3FED35EAF68B9E4C1FB98268170769154C21BBD1637EEB34E933B;}-]BD1637EEB34E933BE4C1FB98268170769154C21BBD1637EEB34E933B;|-]4D2476E6EDCA3BE22533E4E13EC84A784DE6F2962C3E64162620C978;{-]7AB77AECC3703ED52533E4E13EC84A784DE6F2962C3E64162620C978;z-]8134877075548DB72533E4E13EC84A784DE6F2962C3E64162620C978;y-]2C3E64162620C9782533E4E13EC84A784DE6F2962C3E64162620C978;x-]42916177BEAA88747A757276DFF48471EA032D2B98611755153523E6;w-]1C23477C835E5CEB7A757276DFF48471EA032D2B98611755153523E6;v-]EEE9E2E4D0403BA27A757276DFF48471EA032D2B98611755153523E6;u-]98611755153523E67A757276DFF48471EA032D2B98611755153523E6;t-]1949FBA7A090B71D4925E278E468D55BA68B3AC49E1F03BA787E31EA;s-]C96ADEF6A2CCFA984925E278E468D55BA68B3AC49E1F03BA787E31EA;r-]38CBCE44873FE1A74925E278E468D55BA68B3AC49E1F03BA787E31EA;q-]9E1F03BA787E31EA4925E278E468D55BA68B3AC49E1F03BA787E31EA;p-]CEFC4DCD7DD09BF9B5AAD4575B2988D99E3FB3EE973EE71028459E9A;o-]0D6DF17AFEF1FFBAB5AAD4575B2988D99E3FB3EE973EE71028459E9A;n-]83C69AF0F851437AB5AAD4575B2988D99E3FB3EE973EE71028459E9A;m-]973EE71028459E9AB5AAD4575B2988D99E3FB3EE973EE71028459E9A;l-]A685E0D6F5530952D27B4F82C717A04DFF3A986489929D075908994E;k-]7903174192105E48D27B4F82C717A04DFF3A986489929D075908994E;j-]5DFAD7D10C678DBED27B4F82C717A04DFF3A986489929D075908994E;i-]89929D075908994ED27B4F82C717A04DFF3A986489929D075908994E;h-]2C45488C98085D61CDAE31CA330249BC5284C1F96033761A09D517DF;g-]EA301A7C9A893815CDAE31CA330249BC5284C1F96033761A09D517DF;f-]054118196B963B7DCDAE31CA330249BC5284C1F96033761A09D517DF;e-]6033761A09D517DFCDAE31CA330249BC5284C1F96033761A09D517DF;d-]94D1A2CC4A9787279BC60CF498E584E5620014340C099ECDA62431FE;c-]1743133E219C1EB19BC60CF498E584E5620014340C099ECDA62431FE;b-]884DFEDE8DF8A5B19BC60CF498E584E5620014340C099ECDA62431FE;a-]0C099ECDA62431FE9BC60CF498E584E5620014340C099ECDA62431FE;`-]64BF7EACFA7E07D3CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;_-]54E2200EE3627373CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;^-]C25C74A408C599D8CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;]-]EB64F54F552F0AB7CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;\-]5609A4F9A4344957A2439F4C712EA9FA6B65BC17DECD473509E96847;[-]B974664B34752AFCA2439F4C712EA9FA6B65BC17DECD473509E96847;Z-]AA761009D6D131A0A2439F4C712EA9FA6B65BC17DECD473509E96847;Y-]DECD473509E96847A2439F4C712EA9FA6B65BC17DECD473509E96847;X-]BDE25B8E80237EE2E1C12525BFAF4F092D109F2152B7186506DCC483;W-]DB24D05A4CFF4204E1C12525BFAF4F092D109F2152B7186506DCC483;V-]2B45B386DCB3A0CFE1C12525BFAF4F092D109F2152B7186506DCC483;U-]52B7186506DCC483E1C12525BFAF4F092D109F2152B7186506DCC483;T-]CDFBE06BBC5F6D292349DF0D7DBD60C6C20453350553D1E9E9AE5C54;S-]2F8A666BE91A400F2349DF0D7DBD60C6C20453350553D1E9E9AE5C54;R-]1908736247B42C7C2349DF0D7DBD60C6C20453350553D1E9E9AE5C54;Q-]0553D1E9E9AE5C542349DF0D7DBD60C6C20453350553D1E9E9AE5C54;P-]132E928709CB19568A0293871D97E954B8397DFD072889CB0E82D77B;O-]6C9FF639C2D20ED28A0293871D97E954B8397DFD072889CB0E82D77B;N-]D49FD2CB8EEF91038A0293871D97E954B8397DFD072889CB0E82D77B;M-]072889CB0E82D77B8A0293871D97E954B8397DFD072889CB0E82D77B;L-]9C4396FA8EE7BB36F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;K-]C1B27AC998ABABB8F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;J-]0DCD1F051766107FF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;I-]4C34BA7BC16F86B3F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;H-]2C7C1FA3369E4A4D7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;G-]4B8313F3BF069E6A7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;F-]7F6B5258C086DC6B7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;E-]4A4DF6C29EDD1F767D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;D-]F300560992B840A8EB4750A0B0A0F558ED5F768F8B893A26133B3F66;C-]8F07A6D986845B5AEB4750A0B0A0F558ED5F768F8B893A26133B3F66;B-]14180E23218FFEDAEB4750A0B0A0F558ED5F768F8B893A26133B3F66;A-]8B893A26133B3F66EB4750A0B0A0F558ED5F768F8B893A26133B3F66 f 1fH]B8A0293871D97E954B8397DFD072889CB0E82D77B3d- +G@dQi\nj @ dnAwU*  }d-  ({G salt@notations.sequoia-pgp.org&79k_o)&,-) !T9}({؃OO `oȯʉ5DD- 0'2<To1<٢dkү:C%vg).&randy@fake.pep.foundation d-  ({G salt@notations.sequoia-pgp.orgDCk2Y?? xh{%f !T9}({$^g,Sě1'/"aQٺҢEWcL0l7"Q0Ozso 3d- +G@ɻ.gU>8.T`̴!D8Bo 1d- ({G salt@notations.sequoia-pgp.org% t1!߾p%͛n 6 od- ԟˎG salt@notations.sequoia-pgp.orgO;`{ @srC5sK|!aO-}#sԟˎ#Z4(*H jCm#[ɿ;CrlH _ف^ٖ `o tA{`LOoP !T9}({NJT:GphY4ļo[VTO^V/#1_+ho 3d- +G@Lxf4+>,:Y (EmJ rd- ({G salt@notations.sequoia-pgp.orgP7d `GcJKIperKzt !T9}({ibEIXWJ= QZ+]@MN7tgJչfHag)8d- +U@4"ԍʤXl%#IXt rd- ({G salt@notations.sequoia-pgp.orgCM#ނ]TpnC\4EFcAayv !T9}({'>D.{5'qnX|`̀b2GG]id*3\2uJn8Q L]JF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B33d- +G@Jΰ%'(^oW5_<6]  }d-  L4{oG salt@notations.sequoia-pgp.orgLQ"H}0 e") !IFzcKΊL4{oL(t@NJI|'#\B?iX!E`Ҿ2 zɘ-q_i^, ªu[hp9Q\l8x4|4"@,@[6M !IFzcKΊL4{ojL} F*NPq8 Q#PʒZ'$W[;R2y ؋"f8d- +U@]吂edjlB[kl(pM rd- L4{oG salt@notations.sequoia-pgp.org g7bPYdx^3&yn!wG !IFzcKΊL4{om*. ; ۏՂ5%l_\IyJ(Gw<3f |R g 3gI]DE1C12525BFAF4F092D109F2152B7186506DCC4833d- +G@bÐk&0N)~ZKpv2  }d-  ReăG salt@notations.sequoia-pgp.org -mQ6FcنF$< !%%O -!Reă[6Χ<] צm 'DRen9"F yqg 3 tamara@fake.pep.foundation d-  ReăG salt@notations.sequoia-pgp.org#:̟CxxGA c"1u~Pu !%%O -!Reă`͍37/OY8=ygҜ.m]ךлNg&RF3d- +G@Wn#ϗk&gӅ%/ _ϋT rd- ReăG salt@notations.sequoia-pgp.org&_gƌ3nk`^OkOx@t _ !%%O -!Reă%k@?6l̬x"1{Ҙcsޮ].b,*LV94DUS'̄WHmQ !%%O -!ReăѡVOT#jdKԓT,R7}y^۽;A z Cwdk> 8d- +U@J:<,l**I~F+5[nF$p^  rd- ReăG salt@notations.sequoia-pgp.orgPT+hTD7?$o7} !%%O -!Reăn;@AMh/3;b;>1$LߊE4蘈?I4>3\:&|J]F2349DF0D7DBD60C6C20453350553D1E9E9AE5C543d- +G@8(0 w&KZ\ mR  }d-  S\TG salt@notations.sequoia-pgp.orgB"ioI`P%Iw,+$ !#I }`S5S\Tϟ*w6ɣ/)G+.$Be` jE,iW?sabrina@fake.pep.foundation d-  S\TG salt@notations.sequoia-pgp.orgaj7bOm.GbWݾ%;c|9W !#I }`S5S\TSSU B/%e8xU҈ahjj H[O(E3d- +G@>սEC`Hc2 rd- S\TG salt@notations.sequoia-pgp.orgG f]PrqJ+Z^ 9OsV).S !#I }`S5S\TQ?^03@d ʐ:3c\U)a*3S6|WI3d- +G@`,b;<%3J|KP*"eKuN 1d- S\TG salt@notations.sequoia-pgp.orgz/9ȤkT{Z͘wō5:6;%s od- /fk@G salt@notations.sequoia-pgp.org6FXN0o|qhG`.RMR!ྴq@/fk@yCɺfat}[$*{nuOh0@ IjJ>`y !#I }`S5S\T^$#b J)հ՘Y&9 V9~";Y]8d- +U@. ׻S7$amզ*͖g/V>5= rd- S\TG salt@notations.sequoia-pgp.orgF()AjyJUC;8 G3  !#I }`S5S\TPG?5zB12٦ T 3̆r K^c^UU.ΘQ' f 3fJ]FCB4287D637F9BC0CB38F978AEB64F54F552F0AB73d- +G@6 R!tŲub0 x  }d-  dOU/ G salt@notations.sequoia-pgp.orgeb>COyОR"dׂ !B7 dOU/ =4w5ݕ Z|:_f (LSHvԫ?d새q= \G{펡rmul17l !CLq.keG5 hG}DvA()1s =ڞUu,x |mc]<|]p_6QP!4TI>, ulysses@fake.pep.foundation d-  G5 hGG salt@notations.sequoia-pgp.orgÏJ/lcǻZP#-} !CLq.keG5 hG&ˮoΠz%bT;/2=`(#b3PN2X4Gl4>#mycat'TkA3d- +G@du#T`}ZoșI"U_NB rd- G5 hGG salt@notations.sequoia-pgp.org%0R+d/۵wk(uߔߍ !CLq.keG5 hG!ȓod7V:ـA& f E;ӧX{3d- +G@/rP?Yoz=.i$ 1d- `3v G salt@notations.sequoia-pgp.orgcݮϻV& `+K od- Ak;}G salt@notations.sequoia-pgp.orgV ݥOe4#l(^4=|,!K ן7Ak;}JH.$ˆr9՘Պy5_Ō dض: }.!ͮ13IR`3v K8PK %%Rr{4m!_M2ͤq/šrus$E3d- +G@ ~jxIH K3 !ͮ13IR`3v {d*I3}2}(o@7]>16+ šrA`y||a9 8d- +U@#BCf^[uYѰ[`|3gxF- rd- `3v G salt@notations.sequoia-pgp.org[4YQ/#wCE70`^< !ͮ13IR`3v -y6'Wj$KwZ\dzg1G+kPJDzn/t)I]D9BC60CF498E584E5620014340C099ECDA62431FE3d- +G@;'!PRH) \S13  }d-   ͦ$1G salt@notations.sequoia-pgp.org0@iDž"xG3d- +G@3] 2bQt&$iicP 1d-  ͦ$1G salt@notations.sequoia-pgp.orgyl3k̽VY k J^E| od- C>!G salt@notations.sequoia-pgp.orgm*9CL(]G4N͓؄Yz3!fP4e3C>!5 ~ X@QD]h Ƞ?Ǯ}w3;\FEE!_e\EXo ! b4 ͦ$1cgnA}&J0O'9coG6o*aDB4cYT]8d- +U@4E :q j9l[iTD޿ZG rd-  ͦ$1G salt@notations.sequoia-pgp.org$ 쪟2a'O&_4a< ! b4 ͦ$1W)IYaI{ sIX{ 3AC r v OhXN%ob? i 4iH]BB5AAD4575B2988D99E3FB3EE973EE71028459E9A3d- +G@˜lng>hjN]ٿ;g}mTwo:^  }d-  >(EG salt@notations.sequoia-pgp.org+6 ##h1uUOz !W[)ٞ?>(EW+.owL 'u/B"5 Hc73OR0,(Kjxenia@fake.pep.foundation d-  >(EG salt@notations.sequoia-pgp.orgu,|Eɢ0CO:~*2w!Z !W[)ٞ?>(EX\̝] u Mpf&X6ưNi5% I-넦 3d- +G@ef|m2[Ӌx\2/žQ rd- >(EG salt@notations.sequoia-pgp.orgb@|q>dj,8_buW_T !W[)ٞ?>(E._ VѩOLZsmB%+|F{1-Ԗ\,~'|:3-]մ 3d- +G@]lcbJ2cHK!3+vRͶ 1d- >(EG salt@notations.sequoia-pgp.org;f]4Z"AvI od-  mzG salt@notations.sequoia-pgp.orgzcZ b*:"P'Cp`J{ [!n | mz`k0gਬf  n=,mH(x_A2! 0T> !W[)ٞ?>(Eoum"gvM4{D"stUP2(~ñ6]!=PP;{rX v8d- +U@;KPZ|g1Un<WDON rd- >(EG salt@notations.sequoia-pgp.org:Ĩ7 h;3-مap !W[)ٞ?>(Ep\Z`αO1/`1@b .VRfALը$e}J7K1CDI]DD27B4F82C717A04DFF3A986489929D075908994E3d- +G@{R8&`cʼnny>oU? !{OM:dYN o\1vң32` uwa]́sfp:BV/gZ dp E.2+鑣pxavier@fake.pep.foundation d-  YNG salt@notations.sequoia-pgp.org֠(nYiR~Y-6^Z*ECEm !{OM:dYNKuZLyOXF%;lY=x\2ܫ ear p 3d- +G@S%gK:a#ޖCL*1# rd- YNG salt@notations.sequoia-pgp.orgIoF~",'ՐD !{OM:dYNehh@Ny|ʋ|¦f*ma st0^D(0$Zy0 3d- +G@܈N?]lyAp5ܓNB$[Or^ 1d- YNG salt@notations.sequoia-pgp.org<ġXyS}7  od- yA^HG salt@notations.sequoia-pgp.org=|3 ..` izZ"@~ !%YqyA^H/!#tE?d1ƨ=yȷ@&zZ'-يZ_]m/⺉z!{OM:dYNA^Z#Z~bS#><Y4㘏CH!nHHھ7߅8d- +U@-]q8ncqYnZ']]7 rd- YNG salt@notations.sequoia-pgp.orgVȓm2~)DY6tQ}*00 !{OM:dYNDWKǑo7\`"UMTjޡZ;&Mլ@E$3d- +G@Û;,IΚsfވ}oUӓO 1d- aU5#G salt@notations.sequoia-pgp.orgI,q$uWIL|{#qU] od- #G|^\G salt@notations.sequoia-pgp.org7X]c*9w(ڌqBDO+XU !6FFv㲇D#G|^\QQ=T?iVokUI B̭e^9]1chCK v !zurvq-+aU5#qfWS2|KO}X!"b%>I*bWmdw  Bnch*2!eS 8d- +U@j1t2ɾvY s5 AL߄# rd- aU5#G salt@notations.sequoia-pgp.orgb8xDYYX{g"nxM0X t}&WO !zurvq-+aU5#LJ5T{` ;yDT=)# "|jUMK"$T@'4 G]@4925E278E468D55BA68B3AC49E1F03BA787E31EA3d- +G@\r@OT[3]^PQ}  }d-  x~1G salt@notations.sequoia-pgp.orgAƔRs u 4"o-kߩ~8 !I%xh[:Ğx~1`,5:巚ЎqLo<>;IU)P jݷwn LN0Pyoko@fake.pep.foundation d-  x~1G salt@notations.sequoia-pgp.org+nq}h[1M'_H}Bwz0J2 !I%xh[:Ğx~15ڊiУp4w!ǩg6sف ('iF+WlvE34V: Fab.3d- +G@*eK&YZ){SDWi -Cm rd- x~1G salt@notations.sequoia-pgp.orgf`\=# ʘ>ai4}dUA !I%xh[:Ğx~1 z7MaRŢUpPuzȲz n@Pt}A>lց~zR 3d- +G@7u[eτdyA\Ɛ  1d- x~1G salt@notations.sequoia-pgp.orgP#pfPϴw{鉿+* g od- jG salt@notations.sequoia-pgp.org͜GBX)VO`ym!P ~M bjTI!FD঱ψw5t̍?~; v b]J .5 N߳!I%xh[:Ğx~1x?7Śޙ.--:(wbP,k&Ģ [TR)=' mʝC8d- +U@:֢]G{ΘTw"y˾T*O rd- x~1G salt@notations.sequoia-pgp.orgRaSK{QV$M3Qz|  !I%xh[:Ğx~1.a<ɔ7;P.1rvW/;J_hsaD+i}H-1ĉIڕ( f 3fJ ]FE4C1FB98268170769154C21BBD1637EEB34E933B3d- +G@ +1iM*B.NbtCKya  }d-  7N;G salt@notations.sequoia-pgp.org[&ȬIJƷ9dgl !&pvT7N;" *1ùiv,a^ j[L1ߟ}e" _~dF L~y9+zenobia@fake.pep.foundation d-  7N;G salt@notations.sequoia-pgp.org$wia!/Qcݐ?n搇(QwR !&pvT7N;Qe+ O2+NNᗯ! 9/u{c¾ ԸCSHS喵Y3d- +G@*[:2b\-@>"r0  1d- 7N;G salt@notations.sequoia-pgp.orgvG6 =feAO/o"M?䧳Ʊm od- ^hG salt@notations.sequoia-pgp.orgB%&`F~]~r͞r/*!`i7 E,Y^hn=Fo~oqV7;PY n7(3\?ϯ`S ZOfi!&pvT7N;6@39o My]Bl#k`%'xok5a~;jW0V@I_dIb3d- +G@aX_`h3$m J rd- 7N;G salt@notations.sequoia-pgp.orgԢ Z.DM^MM#o Eۏ⿊ !&pvT7N;Eb \Mߏ( KZ sKY[2Zߵ"$5  JI@8d- +U@u6e܀ Nwu rd- 7N;G salt@notations.sequoia-pgp.orgNl'Wd>޽FxW;^&ܠP]O !&pvT7N;{rۜ}]#AСr^ K $2ΓW,bKinth="J]F2533E4E13EC84A784DE6F2962C3E64162620C9783d- +G@M+u VK%:Đ `:=Gqԓ  }d-  ,>d& xG salt@notations.sequoia-pgp.org?qCDH w@O;Do !%3>JxM,>d& xhv2+L~sh>7 R`1Wb(^ksjh~gHzachary@fake.pep.foundation d-  ,>d& xG salt@notations.sequoia-pgp.org|857i;B3B} LF !%3>JxM,>d& xV1_SůE]>;{¤Ɏ2'6H,Tc1,F 3d- +G@ϛ={ID K'uc rd- ,>d& xG salt@notations.sequoia-pgp.orgo=JozƈhtM#.F4+$p.{ !%3>JxM,>d& x|6r\&ҍn.)XtT#Ea9n{SGuko@jؠ9\3d- +G@P;=PƏ;  1d- ,>d& xG salt@notations.sequoia-pgp.orgwm~]> UR{B 印V od- zzp>G salt@notations.sequoia-pgp.orgǝRj]6[գ֧0?!>%!&={kvFzzp>&J0eudz*yW urO7!90LAԮM`x.c_9Y !%3>JxM,>d& x\Ҿ^g4tz7 `@ [H'îb/WlGyO.7,8d- +U@]t<&L'e  }n rd- ,>d& xG salt@notations.sequoia-pgp.org҆|glIٖ.l !%3>JxM,>d& xt%hGo19V汖0!__)U E\WC\bd^F,Y5˞j| #FN W  @ _ ! g ) o 1 w 9>-]EDF969810BA5194CAAB978A882B9A6E793960B071ADFC82AC3586C14>-]E6F0D74501D65927507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]F411A72A5C89092C507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]D9D4C006F09088D108C6A9408241E6ED99A0A2767A6B35253722954D=-]FD289E27C690EE4E8049F106768CD5D6374645F3B0C0ABEFB3892D734=-]F300560992B840A8EB4750A0B0A0F558ED5F768F8B893A26133B3F66D=-]EEE9E2E4D0403BA27A757276DFF48471EA032D2B98611755153523E6v=-]EB64F54F552F0AB7CB4287D637F9BC0CB38F978AEB64F54F552F0AB7]=-]EA301A7C9A893815CDAE31CA330249BC5284C1F96033761A09D517DFg=-]E8F03F5A4682799E4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]E7D3FED35EAF68B9E4C1FB98268170769154C21BBD1637EEB34E933B~=-]E572969A4BF0EAA1C11BCCBB3F843593B8975AFB958E85734EF0ADE0+=-]DF5F5C00DA897592B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]DF466C19D1E09129F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]DECD473509E96847A2439F4C712EA9FA6B65BC17DECD473509E96847Y=-]DE99B5AACE8010449C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1"=-]DD26BFF997B128D0C11BCCBB3F843593B8975AFB958E85734EF0ADE0*=-]DC5BFE32065BD8C19C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1!=-]DB24D05A4CFF4204E1C12525BFAF4F092D109F2152B7186506DCC483W=-]DAC435B561D44E7B04880CB55875B6548C25C729A00E4CD660454746=-]DA4FE8ECD8365D6E912E63F55388D9886151101CDA4FE8ECD8365D6E5=-]DA2E401BDCC261401CF1202EC58B5514EADC477AAA9CAC9C7B935A45'=-]D8D14CE515A328015C55764028BE2DD718F9DAAAD8D14CE515A32801==-]D49FD2CB8EEF91038A0293871D97E954B8397DFD072889CB0E82D77BN<-] D0D1AB8DA16D8D79B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CEFC4DCD7DD09BF9B5AAD4575B2988D99E3FB3EE973EE71028459E9Ap=-]CDFBE06BBC5F6D292349DF0D7DBD60C6C20453350553D1E9E9AE5C54T=-]CDD45401DD0E759FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CADEEF67FAADD95104880CB55875B6548C25C729A00E4CD660454746=-]C96ADEF6A2CCFA984925E278E468D55BA68B3AC49E1F03BA787E31EAs=-]C48BF850A5E9C611A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]C25C74A408C599D8CB4287D637F9BC0CB38F978AEB64F54F552F0AB7^=-]C1B27AC998ABABB8F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3K=-]C0D868F1963180D8C11BCCBB3F843593B8975AFB958E85734EF0ADE0,=-]BDE25B8E80237EE2E1C12525BFAF4F092D109F2152B7186506DCC483X #FN W  @ _ ! g ) o 1 w 9>-]EDF969810BA5194CAAB978A882B9A6E793960B071ADFC82AC3586C14>-]E6F0D74501D65927507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]F411A72A5C89092C507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]D9D4C006F09088D108C6A9408241E6ED99A0A2767A6B35253722954D=-]FD289E27C690EE4E8049F106768CD5D6374645F3B0C0ABEFB3892D734=-]F300560992B840A8EB4750A0B0A0F558ED5F768F8B893A26133B3F66D=-]EEE9E2E4D0403BA27A757276DFF48471EA032D2B98611755153523E6v=-]EB64F54F552F0AB7CB4287D637F9BC0CB38F978AEB64F54F552F0AB7]=-]EA301A7C9A893815CDAE31CA330249BC5284C1F96033761A09D517DFg=-]E8F03F5A4682799E4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]E7D3FED35EAF68B9E4C1FB98268170769154C21BBD1637EEB34E933B~=-]E572969A4BF0EAA1C11BCCBB3F843593B8975AFB958E85734EF0ADE0+=-]DF5F5C00DA897592B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]DF466C19D1E09129F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]DECD473509E96847A2439F4C712EA9FA6B65BC17DECD473509E96847Y=-]DE99B5AACE8010449C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1"=-]DD26BFF997B128D0C11BCCBB3F843593B8975AFB958E85734EF0ADE0*=-]DC5BFE32065BD8C19C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1!=-]DB24D05A4CFF4204E1C12525BFAF4F092D109F2152B7186506DCC483W=-]DAC435B561D44E7B04880CB55875B6548C25C729A00E4CD660454746=-]DA4FE8ECD8365D6E912E63F55388D9886151101CDA4FE8ECD8365D6E5=-]DA2E401BDCC261401CF1202EC58B5514EADC477AAA9CAC9C7B935A45'=-]D8D14CE515A328015C55764028BE2DD718F9DAAAD8D14CE515A32801==-]D49FD2CB8EEF91038A0293871D97E954B8397DFD072889CB0E82D77BN<-] D0D1AB8DA16D8D79B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CEFC4DCD7DD09BF9B5AAD4575B2988D99E3FB3EE973EE71028459E9Ap=-]CDFBE06BBC5F6D292349DF0D7DBD60C6C20453350553D1E9E9AE5C54T=-]CDD45401DD0E759FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CADEEF67FAADD95104880CB55875B6548C25C729A00E4CD660454746=-]C96ADEF6A2CCFA984925E278E468D55BA68B3AC49E1F03BA787E31EAs=-]C48BF850A5E9C611A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]C25C74A408C599D8CB4287D637F9BC0CB38F978AEB64F54F552F0AB7^=-]C1B27AC998ABABB8F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3K=-]C0D868F1963180D8C11BCCBB3F843593B8975AFB958E85734EF0ADE0,=-]BDE25B8E80237EE2E1C12525BFAF4F092D109F2152B7186506DCC483X  5S"]V08C6A9408241E6ED99A0A2767A6B35253722954DM]Mɥə*T7CSCo^kX^vBCX *iʿxY@lW͞/ܜ?_ݥ4Au90^&Ieةʚ>@RZo4bf%EwDյ Yta{SQhgVII{^D r74їtxC-z\uHX}}Mk_fq˜n韷tA,'l2Jg>)P-V(J0!_JNKf{H2 *]v dfL~}$-S 0cyX4]h2 i.UdJ`%8G07Щ.u/El'seݩ&i[W#q[Y~R~aq"7AB= 0h,VWkJ2w\ep1Y3W!C2So.@`Ox2uU?Ԙ-},bM{o*LLuca Saiu (free software hacker at pEp foundation)  8!Ʃ@A홠vzk5%7"Mah    zk5%7"MA'>j:.̌VXsaY=p%?(Jب;R*$p^B9Y8[g7#;A;A5pymb ni\oy\~A U`dg '{`Y製Et6[l+9-] e4Ѽ׶8dyo'*-Le}H9CCH[#Sw;뱸5`=m+(gu@lVa/!R=қ<7,w3 *6Y"@̔Wd'SM .28:j=CoAn!-GeujZa,91>ls.6S ]TMZ@zN,N(Oŝ`[5Gг/ƷIPFSJͫ<[Luca Saiu (free software hacker, GNU maintainer, computer scientist)  8!Ʃ@A홠vzk5%7"M]XS%H!]B6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A073d- +G@BvL"#Ji.%.7^oO1q0eG<uziggy@fake.pep.foundation d-  ]P%zG salt@notations.sequoia-pgp.orgU( ,mEr Q|kSqܱ !l6+K]P%zXt:Z"\Z>PzNbwegf,W , 1d- ]P%zG salt@notations.sequoia-pgp.org`ۇCé\C2Gu od- #!J?G salt@notations.sequoia-pgp.org4?Nr$ޱ0G?af4_!}x%;#!J?ʭ^jzݽ_K1Q[RDԨ;D@_fOay9Ojxڶ̃q,[!l6+K]P%z.wdxI:j0Z̻lM1$4$Zd-ai! FC?23d- +G@Q}'ͤ/*#l~t rd- ]P%zG salt@notations.sequoia-pgp.orgi ڑzYcJ !l6+K]P%z@l@BҳZh퓱$z5{^OEAA_@bm_JS;5YM܁8d- +U@IqYi}"G rd- ]P%zG salt@notations.sequoia-pgp.orgZ,vہoJV ,/҉{pƦXA)#u{r (&q2MF^~z%vhUoHFA'IT(i:ҖWz|hjz2f5dPۖ8r{lu%0~$y8Mk{^x$soRԖ:q̌?ham2[rom"cg8W"4V.n6`"7oK _hK8kԈ[i,7ITsbjs|$%r`Y*?laMPLA^[7nG/!~Ӓ#J os6]}+Ȑn ?yIjU?Ԍr@uTq6a4p2#넱fלB&"8_V+lYq,MBH06\rx3uģi& Gϸ >) }1 fSkFYxsXm#D)uq&duȹJCmɆ떻݋)#*Te#.%xЗnig6ٴRs!W\,82>#] >#O -~' p ٜxlf`8R#U75c}>]9Q' ֏Ln$/B}=BEp XD]ZnvWHF|S% R^D:;{z1~]_ 7lt=m]~01&TM(ցsTQa.,xASpxהW/qWI, qj$T8? 8!Ʃ@A홠vzk5%7"M]U    zk5%7"M%HJ @n44wdw-V-=ITTH&.H43[Go-W2{@TU 3mjHC}[_eʈOĊ/8]Ծ4,ꢽ ?ڐYt (PteRXlw`tظDbqR-Vy>2CGzb^^9̆ hD7rFA1 +q #irP2)f!z seoJ`c樫60yHM:KD 5-cДjަɟ7ceFF,S o Sf[ٿ#oӄ =[B4OnGhk\NkX\ЄgO= < 'M'+-߂79 l>֚6m(fI. q%F' Z1 -PXԉ2H_/Пb!s !xE +*C5] *C5O몓oZ0BE5Vr"?y8K^2"pľCi@ &֡-QjI s 5iP$qVyh/a {B/G~7#j"5H G}!JmN1vx5Ay>r-e26:=qhүh /IA. } y{=x`8*KKvj'xG۷tqu}4en l;l׋^ a$ yJBL2c.lW246?AY7e(;!½ՌuRp-w'|"SQ۹Ѹ )SSs ~Egh xa!"֊$qSMUG=VzJVN0hp[`^.ЉLx aWbݔe'*bg+nFkv[JzP7Y:s!W\,82>#] >#Y7R[fH# .̲HAK+s'I>.c!]̠<)Cf4a;q_[/S5怱acYяK1gz/M l Ee`.7=xq W<{Zr5\eNv}(-<%3D6YngGPJF&˽ěXg v^J׻'P,/d+ ugMп-&p/rk-|ml S,!gߢ㏵TX>X85D7ݡm:<@;aǮy9ZQcӑڕ"s rUiiPɂ׭1Y2!v1tqqwqvf:=A5Ẅp!. 6RasDKupbNPFyjy(nˑ|Y?ezR6?svD)Wkj]!r.<3&҆]X 3&҆DGr&lj]/y5/!!eUFZ!"x༏_n\Luca Saiu (free software hacker, GNU maintainer, computer scientist)  8   !Ʃ@A홠vzk5%7"M] zk5%7"M)U H*ҽ#I1LM)|oMG֊%3X?e䜫(G7һaR`mXު)iF@v0cXU G _!GɈZK!տx$)R,еkjkK\TpPxg)sxkW9^qFԬz L/U6YFԴ-HFQ?'ILQPmtOSAOUT*`*ת <> 6z2#jHai!>sBGr,GK"P,XJp;$FƋlYПk*wEZ(糎{֝@JS TKۜ'y/DW;L{^=BJ)&kyf6O R +miJN*F1;RD̫>:q0?R,I8fdt.[P2~/GQ k5(o3OM"*B[W~ 8!Ʃ@A홠vzk5%7"M]M    zk5%7"MWڌmC^q9Gz#tIȴQ$M±\ J-(mPHXӈZXcY:F}lbeŝp8;sTP[юC-pdrւ/< U7ۣ1?3gG5K ," TX'0Rz%yNh>r }8{Pr$u#6d5c)3-wQ{j]W 'n*Yŀ?FPEEx͝}" \,qTI'$w;@6hxr)%(@忙$ioֺ?R>& Z4F%zD95Ր}cBgBg)=CM8@9wV6qoߠ>jϙNnkW |(.]ŀ/m?<_>ϻybI 7½ ^a6Ռ[s !xE +*C5] *C5l fn֠3qz}u`E ]:f~`*vtc)nw =㝅Q=IY0E܉Z7yDo[  ݾױZz4t|M pw es T9`zD:Sǀ-uV/W$p"  6ak+4qTMo[V ,sfM{܈ݽ˅ -xCgo76q&f9y(#_?q_+3 =oʲ@2ʺtqU7nUEi׈"Z4*=BmScO/K:/Ax>KHg2k ({=Ymހn ==$0M}Nd+z5-=蕾#ᒡV_=ף+{RèOt"Km]d2I|p%ٮ!]M#] >#0DJ]vҎ8s)ik#ޕW`~77 ;WF/(-DUJl_<5u/2wg^U@ &W2`]1D,3>Ḧ́@-SLa2!4"5CwBQO l,ڹ/շ,mYXӗŴ6ya;bRm X_ qjW\\}wW 2|0e(5Vc^M(]1X8ß:Vd?Y`w<׼=Zt}*\{'U^Kn)f85\FIN4 !R~l7F/h A>Biu$zgWFۓ7Tzx ϼ)Q9,n,[ȲyUZEBhÐm:LvszBkufmE*ܥ_W3pMp '=)Z˪ *DUJ {O s WLuca Saiu (free software hacker, GNU maintainer, computer scientist)  ;   !Ʃ@A홠vzk5%7"M] zk5%7"MĀ'DLt]ބ4,j mbn?kZcIPc>YV >/@J!cQ =?cRI PKG=["zFvd J`-+%Yi٘Rx^ߟ~&6LK臥QzF<߹=H%Cwg'1>e<%L(oЁxb>$ٵO6S|P'.3EF!&gW\1픽6^P)q2 Z;@1㨷p9H!MS#Ͽ }76#qHrP=]E74=} N\62DF/ySe9Rbqt -9C<*oicIx`nHp7,? 4 < }>~nIhrL;L!F|/۪]}QCxān=Kϵl1w4\kªۥv\6|CC[ ;   !Ʃ@A홠vzk5%7"M] zk5%7"MoPk&P[ w:׈^OPDə@N"NCI: $3 jpm!Ym C]!(]hҠ%j: Bzᙈ컑*-uA>3 ͩB!H`DQ :D!eYjqZt;^8S#RbTE&<,8":.=\yY>ˡN^8Py maC|iGɁ߀U@%=M[UܛfXq;eM)(Rn'7{?+8fj~+"&PUֈ4 RN-<˝˂c*q[nڊ?acÍb}](_E̯ w* YJ˙ZrfTij r'{at;lqb8I;i{[\ֱ̲CRzwC'=%UE lWξFL%|' Kl iVssƺowuJx$!CQ4ss !xE +*C5] *C5Khɗ{L[*8A$=O'.ar;R ծӎH̕=z_Ƞ(^p@흞e'[V"A*Fyv5|߭]vA/%}7wsO&; 0- Ggs!W\,82>#] >#u$ !傯-~%;&}PW0QXL*P uhT͒l$8scןbyt &M !Y$ٓi$xK#O!0ë(();gucFs@V9<%zy6~hʾA.;5Q3 8!Ʃ@A홠vzk5%7"M]U    zk5%7"M@sv&(EI?h`C֜ZL/.m4:Su-wT$4* ?LT(.1i #DeaHm 7Su^Q8c]J~չi#Qug-n"(p*}}(opGAve*MNݸz%y{`9|-/^¢<,%!ۘ)F:j yd\J J|*9Ieu\1ZqL"i(r:)MPEfܶ>H”%+5$9҃ӜcjLVȜWyaQgכ+e2^/1DF+s !xE +*C5] *C5F\1$lltH5 NAǗ=hΎLAR ~ut2H%=%|944]a@l",kH3 P)7 7\hb9 ?f4je{!wklzqWlR\t7=O tlK/Rhg%.J;/1lXW[$QlM]agX"y0ǫzdJ-\ m<BiϷ*炏@۠6?v0K kbmF`XO(JӉ|憌[U:0ըUnh65(]Z4([o->vDtB?r;-IsӒ Hx觍+`!+~_IơǗ ,9 f,/C}鼟(ww,mgw>V{P6Ғ䚘Eo7t2)MsI" s!W\,82>#] >#T2U)lǗT !m\]ڶg iE!heoptj׻itt @#b)YMv Kiv.MX1N{髙L8kSWgO a-L`9{]$yuTUQ!%4֟E3 )o VY ק?іZ!X\FS^7z$)Ԟ lLhVM<ɺ|s{u벓IIcz:f&ay [LU #5ͰE +l_ ^]LRɚѰߏ噲t q!֊4E|@h1AΞ _[FLxy@ JMÐsflTQ s66&ؘ|`UekOͺ ~֊g)*(\*H _,HSܣA+l>>:.\]!r.<3&҆]X 3&҆-xC.ߎs΋ARi0Bs\P^eIе Luca Saiu  8!Ʃ@A홠vzk5%7"Mb_    zk5%7"M5#am\ZLҶ|TZc[x'n@o6? oue:w6Sm ~׶`Qӌ[i[ZDP?A{nt4h3Q83In[ed.H C pwF0y8EWņO!T֣cտ[ r$80I.&bo zyM;FK'RY$ALK/瓛tC^G ٔ8({/47 IȉHS)@:og]!K)Ep hN W C2{&ͯшV Z}gy7ãț'7$cJ=^Z w~Nk6wr_\T Fvh;ilG;+d6_Փߟ9d׎[_+PughKq^~έ7rI!ؿ0挒 Ubw5O,PLuca Saiu on mobile (do not use: only for myself)  8!Ʃ@A홠vzk5%7"Mb    zk5%7"MAؒK,?l#%fߑ+,V{zzQ۝OZL 6p$Yۏ'ra􍖇qfYky;pVw0k(pm90ERhxEqGIZz2O ]r|ZV<\n^BV'F M{d>Q}sKb* lU5 繆&"V m_WB@lIK9mZl1I򥞙 8xwc9tWBȊ 9M]VkP4c^趎e2({=+Ѷwwqz.p50o⊘E# M)\oa > Ikj-&DS,ͤѹ̢7F'a̫Fذ@>AuC1VT#h3:i3Ց;g53^7AE*h)>`C:})'3WBG!) [PEc',VfC`v\ MH»9yZa=HRZӟ^H`yHNL^P|R޽q(.^\{ǍiL XE҉;}؆)S,QcÀʆn81PV~|P :%+499n7Ry譳ie_oQÎ}~7Y]U ]I|ވpn3YU)v4K}\m`g KxM73MxH=v !Ʃ@A홠vzk5%7"M]V zk5%7"M=(B|הt2mdD3scؕh#GU-4w_ÃU&Z%CCBz58"B1&x#~YXړF/'Į澄cuvS|).SvOgTU N}̗An="O;YМ[-H#"HNOe22ykSս04hۆ8Cq؜JҘNZ ڃboXn~m{ʉ?"X?/ O.J_ O+9I,<:z/?"13NBx!jkU(:: 6MRi$Q᪆|̪Bj}F` LQ1o^Ep&/߾ۑ!SI>vmt@[Z#OYU;Xh/bo &LY%'H:p){l5D&+-S*\n}6y^6r+5+ J`WAG;EPM]VǔكnK7І%(z\bvBmTy1 N@+}IJK:P}T,q^-5ӡm O,Tşʑ&x6#G d(hŽ@#,ql8;0x [$}RN9$AŊqr À͉q0C0q#o>X5Sì !Ʃ@A홠vzk5%7"M]V@ zk5%7"Mt  !ۀh9a ]V /SF(facH;Fb*![wfzM/ya(WspxX}MЬ=9l<'Q֙?.B xʉ ʓYºfǞEѨ<&'hIG"p x P5&7H4Ԍ; Bj Ӝ.)j"R=>*PS|n}@Q¹"h9 Tr-^MNC wq;Hľ0k O!*s<42:RGeM@ $VlK{ږho{4bPrM,A:}u(fAʤPf$5rKtnoɛE<7XSd_WrG&uO[NJgϯ*d+%+-J~4f4`dƙF(1o3E;h&jup&ۏ@Uf2臖50 miBQb}lq\Őv υLG]>|KU{'Vxtޅ S(4_a*x1Qxol74noC4cftt5,s k)xq}0+~ Epr`l^*q`duLRb" 歠8D]lFDr[)cHșf" c<ozm8ʮЬs٘}[M7~ V)"T* z(!~jXGr7l:Ov(^sX7ýOƸ)5A&N!n+[Y5D0uр t%WZ"q RDg/&IHcDXz|K㑚b(7PLh>_&1 j&B{]=  hfTRʵ'TzZl\{91"_qI*T_+ u6gXlF8M]Me1[A[ɭI\#LҴES\܇n{m]xdV: zw@ +IeQM~ߑZkNa֛$*VR1Oc$ P&Hu r\#ѴעCQ< ` !eJ#y![B&J!/GvXh>ߦ"?\,y_Wڒ5JnUzZ9TEs Wa}J+d9$&~+j&h7[oH$+n1egc>%uAkڋP5߀5v:A4{@9M(R%2n quiݕML=U_~/IP!("-BFa83z?V$h? 3=NIZ_mOyjFU~By3?$Ó/\&ى`4Si%)fiQRUmxv !Ʃ@A홠vzk5%7"M]M zk5%7"MpjUXkb|sWl${"aE^Sw]@ Sz"Z~@*ժiXOlۿ"ߠ1Q-5F(}:]4e΃om46eekp8d,']>7|i4v|,J~ S b^ynBą*>Nb)Mv.\=נ_vT`钂J1X [q@Eq"` zp h+USq{__MjН >"in  -o 4#]507212E4796EFBF4FF8E4B1BF411A72A5C89092CMb59ɀXRJ]j_%t=\3LSgx R\wAy.GXGe--P_벙="`v p<74L82&Y<`K,԰{Nc$Ƌ|FD쏥v$KݮvA3yK,՘BX?FaώO I7.ecm MMkLsI* &Ϻj3EsGf^sΩ| b59  *\ ,G salt@notations.sequoia-pgp.orgEktB'$@Z?oҜΞʃo’WTƸl֘ے)v({)ဏS$WobEVLHW2,Y["b$fJ06nG& ^!@L*un0"pEpUserTwo  b59  *\ ,G salt@notations.sequoia-pgp.orgn8 Qrwį$9K_L=C !PrynK*\ ,6$bȺ,ɼ|xh(]j߿M|L6zhF;蝬Ai=^se$ ;JD#)^#iIfg|-*B4 }bU{:7ܚ(aںLPŽgCɽ> b#K`C€,$u3mO"pArtrgtR !HBgnD= egjp`v FTҽ(Mb59X۩ +Lч @_-x,ŐՇY~%h>[g^pPFrU٨S)@8u|'n /$ɉ'"0Ξ|e}~/[ZdLO~1BbsvIVB[f2~qXi# fXe1b|z*l ̽SxshwX/Bi[!M(Jy;ވXnçȋES~{?t!B b59 *\ ,G salt@notations.sequoia-pgp.org)#b_}u\A@{Q Um膢 ob59 ?@(G salt@notations.sequoia-pgp.org>Pdf;} "=pX؝zE!(.{9`Qy9b?@(h#@ ?NqGALcl-Qt=A `$ 7|7'.̽Cyφ9 %!PrynK*\ ,LC`Gd:UG01*sfJX7T)l:iFEt* l'$Nr.LXX\D",d~jْBD+bIVr3'ͥ_ɮoҤ"D[D=#6:^nyqa}: F{QI7qG31L ޒd)+4o;zg e!s c^$*(bF Mb59&Q;؜H# ,CSYR>X&Հ9:^lEMs ՛f&߀O>>otvCCcG_@xyugEHO4W`փrC3ia4V:|sG U-cOT2拂›0ˋ;£ F嶷tW +ߙSxC/P/3p?PMBlqUoJ(0 &S|!|POm>1Ak xb59 *\ ,G salt@notations.sequoia-pgp.org#c}TڗFj't>pJ !PrynK*\ ,J @x:wWP8m^iy\oӻfG]j8I"۔j)KfZ޷y爀=O)Ԟ/Kv/6^LSU# z"xĦ㰄lx`(l7*+OKF.Fc˷VpH&AhyP#r͙?BU1Owvwn`[#Bd:NM 6$]10E37AA3BBFD3348CF9AE3698EF85F1B1E37396FMb5:E"zKZ M N]֨S8fBPh6$@$Vx+]d5LN1nB-x\N¹G]礛=!$- Z0-65$7^>߇gd~RZbJ( m^F f3|ʔ1ZLMgdaCez|n8,6cwhL`#*=,ׄx`#3Eth b5:  _79oG salt@notations.sequoia-pgp.org>Cg7G zz| oKw !z3HϚi_79o#aHqXޒ26vilVd\W(p1fSHwt3=?u:bgB{xСl(ЈC>G椰 5Kò*FF\ F7/4ǞшZN9* >#ݪGgeca^L$pEpUserThree  b5:  _79oG salt@notations.sequoia-pgp.orgjW 8moD1\a–L pL+n !z3HϚi_79oяQUz;C/c !(yMty<+(+v^Mq,XeH=^n> ۽Pݚs;sɆam F(p{O!9d,U7PNt/5^3NٮlՇ;bzs7ʪ$^Q![KK* r^usޭ;Q 4)Ԟ޵<]Ts.[H @+âr SӸ؊{XD\Sߤ@A'Mb5:b9G7uV!.'T˳1%aQfWw \nqa$32}tj'9$" ˑB%6n - QխQk-֞sNC?9 䄸Z.L4$1ϻm{Wcm9F^a̵Q~z(m2_0} N&7-WQ xb5: _79oG salt@notations.sequoia-pgp.org)P攌@lBv$x; zP, !z3HϚi_79ob3mVaYЋ,xXk&'.C> %;r{t( ŋ )s`CkSR$BEI*s:(ўy7 J3D$9dKOum͛/cNRklWX?,E Hy~#A%o .dV19;|BӪOm=3/a%SI>v+rB#֓0SE+Ub  PMb5:Vv {҇QgY8OBċ;~* g -h"aDB |ɝs ΋]-՝h ,5Gpޖx뺦;둔B mi qz,D߭gr{>yFcJ(MM/ʅY! KU GK_/byjm.N]r.5f p?m*Q:rךv=3z.6>{ wiB.,B b5: _79oG salt@notations.sequoia-pgp.orgE0BtP>Lδ:*!h_ ob5: Zlp&oG salt@notations.sequoia-pgp.orgyf`A[3 P:!?9(Zlp&ozmM\4b&eQFZ[!εW::HL O_}⃋DCB2 %wu<~f\@ڻg>[,tD'efKB$}Uh}J[ ¶IZKQv،Su78\y> l>85aly^`sHb[}a%p*c ^B]W~1RCdAҙZ9rzgt^,;RUJmA4;"OI8t Js("CXK ;:m6m:rNvzx6k)^~Q&dy'jFDk4*Xl<{ LW//?hRQ+6/M\ESvb;/--,NVf]'L 5s ̃ڈF=mLC? M %~؟SBo=J(ֿ!_ZMvJpFN!x瓖 *Xl]D g    *Xl[ڢy)<ӁM 0>   !x瓖 *XlcA( M *Xln'Cäd^J78'Dݧ,JW^H,V/<?9;14F%|ǶB7Tڄ~+{NZ.28 ZqmF S!=Q(rDgךI& {+CkݼG!O'ud nn95rCW,H@oVBY .Xv8nX#qp;|R#ЎZVECv¢Pu#BR%2>!x瓖 *Xl] g    *XlxE!j+JEqeKES̝E2q[/uN>6x *|t ~zȒVl0$Ew_gO_lٻA(pԄZ^'Ǽ&5O.$՝qhuԔNݲ$`qxڬua A2mdIm|-zq.\7 qҬ!P ubicfRP^\u$ >4;"Volker Birk >   !x瓖 *XlcA( M *Xl)N 3l|G>3*% imO#'v%x5G{%߭w.㵘ѨN[Y ~#(X f,{QGGʮ!p\I~)ֶ=%*fF/b3 &+%Ry hsS~V9]^b`o>!E.裑56gf"x`RR?Qsi/g*/uǎGZ~>!x瓖 *Xl]: g    *XlX s;f,K!DtE[z*-"K\NskԢtC*d #ZSPU 26,Ik%}‰¶aGaK؋d2,R=w&AٰpqM] b*Â|8`aPmq%N *nalE gIbI{zy ;5W?9?8D<U&O)cSE,5=̎h*NMx)Volker Birk >   !x瓖 *XlcA( M *XlպYt X!%lhswF#:\=j~oF5(ԃX쪐B#ݥfdKh3>!x瓖 *Xl] g    *Xl(1Sl3 {xc1zIqBŊe[l$?SGX~OBH[Sҩry 4-7HH¦;(^xG$ٌia{_\ wL܅jٔϬr%fg&831]OK}]q^ߌi8MOɴgAx4o\حHb胵/A:X@:=\1%1(Volker Birk >   !x瓖 *XlcA( M *Xlěa}Cy= N U9F#y-f#>AX@w⦡ʙX/$. &cݿݑ7uGqƀptYuŸQ*zAcnL;_8= "Y>5w&`]K) =7B!5r=k?'KJosKYaJd养xMx!L T==a-\f>g^oODj`Q`|[->!x瓖 *Xl] g    *Xlp(xISq-hq&OD5 d\J5 8:Zt62xobO&IV }R2C)}cjtr8l" D]0?$B'Gbǒ=j N!$Wߊ-!pC?IYnKČ~`M]Dfa͹ ;(YiڞAa=x̼Xp޵wQ-XY1cOy̗;qgsMxMw{R-%? +2Q=@cN\yYAk>   !x瓖 *XlcA( M *Xl#tOLa曾t L}^`0jV rpln @"XM޳69K·}$_VV̦]qFj_Aq u "4'o<3"5?+_b9tNe =-(uY F*,ŸgRY:mLv.ewKp.~*\& tunEdhg|ׇ [iIpѽ*Iua1 X3>!x瓖 *Xl] g    *XlU8;&:3ԝM`7k"MrQ=_?gW*bIb4;u $ ?^cƞ#dPaޏ2l7t%i43ϗ)8cbMDVb"ea S%40\hqGecްnn>ײDOB: j='R<,Bιy'JT?覦Lz~ olhO:0 Volker Birk >   !x瓖 *XlcA( M *Xl5٪&?Y|z`RN˂[w%OQs*?;M15i6Rt܀7i1 ´=J~X؜Җa]F (+?81] ]r"`NZ[^oC_{!jJ?"ѕ;w䬓n oߏ TtcL, /v}ƅթ]PS_6D!&Hq=3L uD>!x瓖 *Xl]' g    *XlE0e_)ʑ#ť1p)OYmgVǢpcRzx2nΝs6#搣kdцzJʮT!(XbDQWn <$ jC tOU3&.48=@r̈́&+i-ר(ߕWH]7R #JNYjO VPqmqXN dR%)/mxkuKrA]C1I[0NTŭQs~.ةxVolker Birk >   !x瓖 *XlcA( M *Xll\Z隒_p}䇈.`J#Rԕ$oA􌪶xUi=&<_kk6qƻTph:4LP2IAYd{8O5ynBPP5o oܾ6goz/_2{l fH+3wG!˥!\뼋F1l߀zw\SuI=|_TlPDyv Yp6: I(re5& qs;I>!x瓖 *Xl] g    *Xl#Qf!<񼍏EnLKbk$||́xNr,]3Xw}cCM; ;4Vs8yp*WK[ |/"tz}Kɖt^wd]ZZa1凐7̍~աzvU=ۏ^AWV]mXaCʞQMX[50K?g\6(?ZaA$'y2n&SRf5) wjtg1R+aeȊ Volker Birk >   !x瓖 *XlcA( M +