sequoia-cert-store-0.6.0/.cargo/config.toml000064400000000000000000000002141046102023000166720ustar 00000000000000[target.'cfg(all())'] # Note: if the RUSTFLAGS environment variable is set, this will be # ignored. rustflags = [ # "-Dwarnings", ]sequoia-cert-store-0.6.0/.cargo_vcs_info.json0000644000000001360000000000100145720ustar { "git": { "sha1": "2f3c14539220b88fba9ca8f75dd38677919473e4" }, "path_in_vcs": "" }sequoia-cert-store-0.6.0/.ci/all_commits.sh000075500000000000000000000022711046102023000166770ustar 00000000000000#!/usr/bin/env bash # Test all commits on this branch but the last one. # # Used in the all_commits ci job to ensure all commits build # and tests pass at least for the sequoia-openpgp crate. # NOTE: under gitlab's Settings, "CI/CD", General Pipelines ensure # that the "git shallow clone" setting is set to 0. Otherwise other # branch are not fetched. set -e set -x # Use dummy identity to make git rebase happy. git config user.name "C.I. McTestface" git config user.email "ci.mctestface@example.com" # Make sure the gitlab project is configured. if ! git describe --all origin/main then echo "origin/main is not present. Configure the gitlab project (see .ci/all_commits.sh)." exit 1 fi # If the previous commit already is on main we're done. git merge-base --is-ancestor HEAD~ origin/main && echo "All commits tested already" && exit 0 # Leave out the last commit - it has already been checked. git checkout HEAD~ git status git rebase origin/main \ --exec 'echo ===; echo ===; echo ===; git log -n 1;' \ --exec 'cargo test --all' && echo "All commits passed tests" && exit 0 # The rebase failed - probably because a test failed. git rebase --abort; exit 1 sequoia-cert-store-0.6.0/.codespellrc000064400000000000000000000004111046102023000156560ustar 00000000000000[codespell] skip = Cargo.lock,*.bin,*.gpg,*.pgp,./.git,data,highlight.js,*/target,Makefile,*.html,*/cargo,*.xml,*.xmlv2, ignore-words-list = crate,ede,iff,mut,nd,te,uint,KeyServer,keyserver,Keyserver,keyservers,Keyservers,keypair,keypairs,KeyPair,fpr,dedup,ba,ned, sequoia-cert-store-0.6.0/.gitignore000064400000000000000000000000141046102023000153450ustar 00000000000000/target/ *~ sequoia-cert-store-0.6.0/.gitlab-ci.yml000064400000000000000000000071701046102023000160230ustar 00000000000000# Only ever create pipelines for tags or branches. # Avoid creation of detached pipelines for merge requests. workflow: rules: - if: $CI_COMMIT_TAG - if: $CI_COMMIT_BRANCH stages: - lint - test - deploy # These stanzas do some common management tasks before and after the # job-specific before_script and after_script stanzas are run. # before_script_start configures any default global state. The # job-specific before_script can override this state, if required. # before_script_end prints out information about the environment to # improve debugging; it does not modify the environment. # after_script_end does some common management tasks after the # job-specific after_script is run. It prints information about the # environment, and does some clean up. # # Add this to your stanza as follows: # # before_script: # - *before_script_start # - *** YOUR CODE HERE *** # - *before_script_end # after_script: # - *** YOUR CODE HERE *** # - *after_script_end .before_script_start: &before_script_start - 'if test "x${RUSTFLAGS+SET}" = xSET; then echo "\$RUSTFLAGS is set ($RUSTFLAGS)"; exit 1; fi' # The test rely on gpg. Make sure it is available. - apt update -y -qq && apt install -y gpg .before_script_end: &before_script_end - 'if test "x${RUSTFLAGS+SET}" = xSET; then echo "WARNING: before_script set \$RUSTFLAGS ($RUSTFLAGS)"; fi' - rustc --version --verbose - cargo --version - clang -v - if [ -d $CARGO_TARGET_DIR ]; then find $CARGO_TARGET_DIR | wc --lines; du -sh $CARGO_TARGET_DIR; fi - if [ -d $CARGO_HOME ]; then find $CARGO_HOME | wc --lines; du -sh $CARGO_HOME; fi .after_script_end: &after_script_end - if [ -d $CARGO_TARGET_DIR ]; then du -sh $CARGO_TARGET_DIR; fi - if [ -d $CARGO_HOME ]; then du -sh $CARGO_HOME; fi before_script: - *before_script_start - *before_script_end after_script: - *after_script_end cache: &general_cache_config # default key is default # default policy is pull-push paths: - $CARGO_TARGET_DIR - $CARGO_HOME .rust-stable: image: 192.168.122.1:5000/sequoia-pgp/build-docker-image/rust-stable:latest before_script: - *before_script_start - *before_script_end after_script: - *after_script_end cache: # inherit all general cache settings <<: *general_cache_config # override the key key: "rust-stable" .trixie: image: 192.168.122.1:5000/sequoia-pgp/build-docker-image/trixie:latest before_script: - *before_script_start - *before_script_end after_script: - *after_script_end cache: # inherit all general cache settings <<: *general_cache_config # override the key key: "trixie" codespell: stage: lint interruptible: true extends: .trixie before_script: - *before_script_start - codespell --version - *before_script_end script: - codespell --config .codespellrc --summary after_script: [] test-trixie: stage: test interruptible: true extends: .trixie script: - cargo test --all test-no-default-features: stage: test interruptible: true extends: .trixie script: - cargo test --all --no-default-features test-rust-stable: stage: test interruptible: true extends: .rust-stable script: - cargo test --all deny: stage: lint interruptible: true extends: .rust-stable script: - cargo deny check cache: [] all_commits: # Test each commit up to main, to facilitate bisecting. stage: test interruptible: true extends: .trixie script: - .ci/all_commits.sh variables: GIT_STRATEGY: clone variables: CARGO_HOME: cargo/ CARGO_FLAGS: --color always CARGO_INCREMENTAL: 0 CARGO_TARGET_DIR: target/ sequoia-cert-store-0.6.0/CONTRIBUTING.md000064400000000000000000000033071046102023000156160ustar 00000000000000Sequoia PGP is owned by the [p≡p foundation] and licensed under the terms of the LGPLv2+. [p≡p foundation]: https://pep.foundation/ To finance its mission, privacy by default, the [p≡p foundation] allows third parties (currently only [p≡p security]) to relicense its software. Consistent with the rules of a foundation, the money collected by the foundation in this manner is fully reinvested in the foundation's mission, which includes further development of Sequoia PGP. [p≡p security]: https://www.pep.security/ To do this, the [p≡p foundation] needs permission from all contributors to relicense their changes. In return, the [p≡p foundation] guarantees that *all* releases of Sequoia PGP (and any other software it owns) will also be released under a GNU-approved license. That is, even if Foo Corp is granted a license to use Sequoia PGP in a proprietary product, the exact code that Foo Corp uses will also be licensed under a GNU-approved license. If you want to contribute to Sequoia PGP, and you agree to the above, please sign the [p≡p foundation]'s [CLA]. This is an electronic assignment; no paper work is required. You'll need to provide a valid email address. After clicking on a link to verify your email address, you'll receive a second email, which contains the contract between you and the [p≡p foundation]. Be sure to keep it for future reference. The maintainers of Sequoia PGP will also receive a notification. At that point, we can merge patches from you into Sequoia PGP. [CLA]: https://contribution.pep.foundation/contribute/ Please direct questions regarding the CLA to [contribution@pep.foundation]. [contribution@pep.foundation]: mailto:contribution@pep.foundation sequoia-cert-store-0.6.0/Cargo.toml0000644000000050610000000000100125720ustar # THIS FILE IS AUTOMATICALLY GENERATED BY CARGO # # When uploading crates to the registry Cargo will automatically # "normalize" Cargo.toml files for maximal compatibility # with all versions of Cargo and also rewrite `path` dependencies # to registry (e.g., crates.io) dependencies. # # If you are reading this file be aware that the original Cargo.toml # will likely look very different (and much more reasonable). # See Cargo.toml.orig for the original contents. [package] edition = "2021" rust-version = "1.70" name = "sequoia-cert-store" version = "0.6.0" authors = [ "Neal H. Walfield ", "Justus Winter ", ] description = "A certificate database interface." homepage = "https://sequoia-pgp.org/" readme = "README.md" keywords = [ "cryptography", "openpgp", "keyring", "database", ] categories = [ "cryptography", "authentication", "email", "command-line-utilities", ] license = "LGPL-2.0-or-later" repository = "https://gitlab.com/sequoia-pgp/sequoia-cert-store" [package.metadata.docs.rs] features = ["sequoia-openpgp/default"] [lib] name = "sequoia_cert_store" path = "src/lib.rs" [dependencies.anyhow] version = "1.0.18" [dependencies.crossbeam] version = "0.8.1" [dependencies.dirs] version = "5" [dependencies.gethostname] version = "0.4" [dependencies.num_cpus] version = "1" [dependencies.openpgp-cert-d] version = "0.3.2" [dependencies.rayon] version = "1" [dependencies.rusqlite] version = ">=0.29, <0.32" features = [ "collation", "blob", "trace", ] [dependencies.sequoia-net] version = "0.28" optional = true default-features = false [dependencies.sequoia-openpgp] version = "1.19.0" default-features = false [dependencies.smallvec] version = "1.1" [dependencies.thiserror] version = "1.0.2" [dependencies.tokio] version = "1.13" features = ["rt"] optional = true [dependencies.url] version = "2.5" [dev-dependencies.rand] version = "0.8" [dev-dependencies.tempfile] version = "3" [features] default = ["keyserver"] keyserver = [ "dep:sequoia-net", "dep:tokio", ] [target."cfg(not(windows))".dev-dependencies.sequoia-openpgp] version = "1" features = [ "crypto-nettle", "__implicit-crypto-backend-for-tests", ] default-features = false [target."cfg(windows)".dependencies.rusqlite] version = ">=0.29, <0.32" features = ["bundled"] [target."cfg(windows)".dev-dependencies.sequoia-openpgp] version = "1" features = [ "crypto-cng", "__implicit-crypto-backend-for-tests", ] default-features = false [badges.maintenance] status = "actively-developed" sequoia-cert-store-0.6.0/Cargo.toml.orig000064400000000000000000000037031046102023000162540ustar 00000000000000[package] name = "sequoia-cert-store" description = "A certificate database interface." version = "0.6.0" authors = ["Neal H. Walfield ", "Justus Winter "] homepage = "https://sequoia-pgp.org/" repository = "https://gitlab.com/sequoia-pgp/sequoia-cert-store" readme = "README.md" keywords = ["cryptography", "openpgp", "keyring", "database"] categories = ["cryptography", "authentication", "email", "command-line-utilities"] license = "LGPL-2.0-or-later" edition = "2021" rust-version = "1.70" [badges] maintenance = { status = "actively-developed" } [dependencies] anyhow = "1.0.18" crossbeam = "0.8.1" dirs = "5" gethostname = "0.4" num_cpus = "1" openpgp-cert-d = "0.3.2" rayon = "1" sequoia-openpgp = { version = "1.19.0", default-features = false } sequoia-net = { version = "0.28", default-features = false, optional = true } smallvec = "1.1" thiserror = "1.0.2" tokio = { version = "1.13", features = [ "rt" ], optional = true } url = "2.5" [dependencies.rusqlite] version = ">=0.29, <0.32" features = ["collation", "blob", "trace"] # Use the bundled sqlite on Windows. [target.'cfg(windows)'.dependencies] rusqlite = { version = ">=0.29, <0.32", features = ["bundled"] } [dev-dependencies] rand = "0.8" tempfile = "3" [lib] name = "sequoia_cert_store" path = "src/lib.rs" [features] default = ["keyserver"] keyserver = ["dep:sequoia-net", "dep:tokio"] [target.'cfg(not(windows))'.dev-dependencies] # Enables a crypto backend for the tests: sequoia-openpgp = { version = "1", default-features = false, features = ["crypto-nettle", "__implicit-crypto-backend-for-tests"] } [target.'cfg(windows)'.dev-dependencies] # Enables a crypto backend for the tests: sequoia-openpgp = { version = "1", default-features = false, features = ["crypto-cng", "__implicit-crypto-backend-for-tests"] } [package.metadata.docs.rs] # Enables a crypto backend for the docs.rs generation: features = ["sequoia-openpgp/default"] sequoia-cert-store-0.6.0/LICENSE.txt000064400000000000000000000627341046102023000152210ustar 00000000000000Sequoia PGP is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Sequoia PGP is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --- GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. GNU LIBRARY GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! sequoia-cert-store-0.6.0/README.md000064400000000000000000000047641046102023000146540ustar 00000000000000An OpenPGP certificate store abstraction and implementation. This crates provides a unified, high-level API for different certificate stores via the `Store` and `StoreUpdate` traits. It also provides a number of helper functions and data structures, like `UserIDIndex` to help implement this functionality. Finally, the `CertStore` data structure combines multiple certificate backends in a transparent way to users. This crate supports multiple backends: `CertD` uses an [OpenPGP Certificate Directory]. `Certs` manages a bunch of certificates in-memory. It can be loaded with certificates from a keyring, a keybox, a database, etc. It can also be used as the basis for a new backend, which actually writes changes back to the underlying store. `Pep` provides access to a [pEp] certificate store. Finally, there is a key server backend, which can fetch certificates via HKPS and WKD. [OpenPGP Certificate Directory]: https://crates.io/crates/openpgp-cert-d [pEp]: https://gitea.pep.foundation/pEp.foundation/pEpEngine ## Usage To use `sequoia-cert-store` from your project, you should add the following to your crate's `Cargo.toml`: ```toml [dependencies] sequoia-cert-store = "0.3" sequoia-openpgp = { version = "1.0.0", default-features = false } ``` To compile your crate you would then run: ``` $ cargo build --release --features sequoia-openpgp/crypto-default $ cargo test --features sequoia-openpgp/crypto-default $ cargo doc --no-deps --features sequoia-openpgp/crypto-default ``` If you do not disable the use of `sequoia-openpgp`'s default features, then `sequoia-openpgp` will select the default cryptographic backend, and your users won't be able to easily compile your crate with a different cryptographic backend. `sequoia-openpgp` currently uses Nettle as its default cryptographic backend. `sequoia-openpgp` also supports OpenSSL (`sequoia-openpgp/crypto-openssl`), Botan (`sequoia-openpgp/crypto-botan`), Windows CNG (`sequoia-openpgp/crypto-cng`), Rust Crypto (`sequoia-openpgp/crypto-rust`). For more information about building `sequoia-openpgp`, please refer to [`sequoia-openpgp`'s README]. This also includes information about the different backends' [build requirements]. [`sequoia-openpgp`'s README]: https://gitlab.com/sequoia-pgp/sequoia#features [build requirements]: https://gitlab.com/sequoia-pgp/sequoia#building-sequoia # License sequoia-cert-store is distributed under the terms of LGPL 2.0 or later. See [LICENSE.txt](LICENSE.txt) and [CONTRIBUTING.md](CONTRIBUTING.md) for details. sequoia-cert-store-0.6.0/deny.toml000064400000000000000000000013651046102023000152230ustar 00000000000000[advisories] ignore = [ "RUSTSEC-2020-0071", # chrono not affected by time 0.1 issue # fehler is unmaintained. # # fehler is used by subplot and thus an indirect dependency. Remove # when a new version subplot is released without fehler. See # https://gitlab.com/subplot/subplot/-/issues/340. "RUSTSEC-2023-0067", ] unmaintained = "deny" yanked = "deny" [bans] multiple-versions = "allow" deny = [ # does not have responsible disclosure policy: # https://github.com/briansmith/ring#bug-reporting {name = "ring"}, ] [licenses] allow = [ "Apache-2.0", "BSD-3-Clause", "BSL-1.0", "CC0-1.0", "GPL-2.0", "GPL-3.0", "ISC", "LGPL-2.0", "LGPL-3.0", "MIT", "MIT-0", "MPL-2.0", "Unicode-DFS-2016", "Unicode-3.0", ] sequoia-cert-store-0.6.0/src/cert_store.rs000064400000000000000000000521671046102023000167030ustar 00000000000000use std::path::Path; use std::sync::Arc; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::cert::raw::RawCertParser; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::packet::UserID; use openpgp::parse::Parse; use openpgp::Result; use crate::LazyCert; use crate::store; use store::Certs; use store::MergeCerts; use store::Store; use store::StoreError; use store::StoreUpdate; use store::UserIDQueryParams; use crate::TRACE; #[derive(Debug, Clone, PartialEq, Eq)] #[non_exhaustive] pub enum AccessMode { Always, OnMiss, } /// A unified interface to multiple certificate stores. /// /// When a certificate is looked up, the certificate is looked up in /// the primary cert-d, if any, and all the backends whose access mode /// is `AccessMode::Always`. The results are merged and returned. If /// no certificate is found, then the look up is also tried on the /// backends whose access mode is `AccessMode::OnMiss`. Finally, if a /// key server is configured, the key server is tried. /// /// In general, results are preferred to errors. That is, if a /// backend returns a positive result, and another backend returns an /// error, the error is ignored, even if it is something other than /// [`StoreError::NotFound`]. /// /// Results from the key server are either cached when /// [`CertStore::flush`] is called (or the [`CertStore`] is dropped) /// if there is a writable primary cert-d, or simply dropped /// otherwise. pub struct CertStore<'a> { certd: std::result::Result, store::Certs<'a>>, // Read-only backends. backends: Vec<(Box + Send + Sync + 'a>, AccessMode)>, keyserver: Option>>, } assert_send_and_sync!(CertStore<'_>); impl<'a> CertStore<'a> { /// Returns a CertStore, which does not have any configured backends. pub fn empty() -> Self { CertStore { certd: Err(store::Certs::empty()), backends: Vec::new(), keyserver: None, } } /// Returns a CertStore, which uses the default certificate /// directory. /// /// When a certificate is added or updated, it will be added to or /// updated in this certificate store. pub fn new() -> Result { Ok(CertStore { certd: Ok(store::CertD::open_default()?), backends: Vec::new(), keyserver: None, }) } /// Returns a CertStore, which uses the default certificate /// directory in read-only mode. pub fn readonly() -> Result { let mut cert_store = CertStore { certd: Err(store::Certs::empty()), backends: Vec::new(), keyserver: None, }; cert_store.add_default_certd()?; Ok(cert_store) } /// Returns a CertStore, which uses the specified certificate /// directory. /// /// When a certificate is added or updated, it will be added to or /// updated in this certificate store. pub fn open

(path: P) -> Result where P: AsRef { let path = path.as_ref(); Ok(CertStore { certd: Ok(store::CertD::open(path)?), backends: Vec::new(), keyserver: None, }) } /// Returns a CertStore, which uses the specified certificate /// directory in read-only mode. pub fn open_readonly

(path: P) -> Result where P: AsRef { let path = path.as_ref(); let mut cert_store = CertStore { certd: Err(store::Certs::empty()), backends: Vec::new(), keyserver: None, }; cert_store.add_certd(path)?; Ok(cert_store) } /// Add the specified backend to the CertStore. /// /// The backend is added to the collection of read-only backends. pub fn add_backend(&mut self, backend: Box + Send + Sync + 'a>, mode: AccessMode) -> &mut Self { self.backends.push((backend, mode)); self } /// Adds the specified cert-d to the CertStore. /// /// The cert-d is added in read-only mode, and its access mode is /// set to `AccessMode::Always`. pub fn add_certd

(&mut self, path: P) -> Result<&mut Self> where P: AsRef { let path = path.as_ref(); self.add_backend(Box::new(store::CertD::open(path)?), AccessMode::Always); Ok(self) } /// Adds the default cert-d to the CertStore. /// /// The cert-d is added in read-only mode, and its access mode is /// set to `AccessMode::Always`. pub fn add_default_certd(&mut self) -> Result<&mut Self> { self.add_backend(Box::new(store::CertD::open_default()?), AccessMode::Always); Ok(self) } /// Adds the specified keyring to the CertStore. /// /// The keyring is added in read-only mode, and its access mode is /// set to `AccessMode::Always`. pub fn add_keyring

(&mut self, path: P) -> Result<&mut Self> where P: AsRef { self.add_keyrings(std::iter::once(path))?; Ok(self) } /// Adds the specified keyrings to the CertStore. /// /// The keyrings are added in read-only mode, and their access /// mode is set to `AccessMode::Always`. pub fn add_keyrings(&mut self, filenames: I) -> Result<&mut Self> where P: AsRef, I: IntoIterator, { let keyring = Certs::empty(); let mut error = None; for filename in filenames { let filename = filename.as_ref(); let f = std::fs::File::open(filename) .with_context(|| format!("Open {:?}", filename))?; let parser = RawCertParser::from_reader(f) .with_context(|| format!("Parsing {:?}", filename))?; for cert in parser { match cert { Ok(cert) => { keyring.update(Arc::new(cert.into())) .expect("implementation doesn't fail"); } Err(err) => { eprint!("Parsing certificate in {:?}: {}", filename, err); error = Some(err); } } } } if let Some(err) = error { return Err(err).context("Parsing keyrings"); } self.add_backend( Box::new(keyring), AccessMode::Always); Ok(self) } /// Adds the specified keyserver to the CertStore. /// /// The keyserver is added in read-only mode, and its access mode /// is set to `AccessMode::OnMiss`. #[cfg(feature = "keyserver")] pub fn add_keyserver(&mut self, url: &str) -> Result<&mut Self> { self.keyserver = Some(Box::new(store::KeyServer::new(url)?)); Ok(self) } /// Adds the specified keyserver to the CertStore. /// /// The keyserver is added in read-only mode, and its access mode /// is set to `AccessMode::OnMiss`. /// /// A key server is treated specially from other backends: any /// results that it returns are written to the cert store (if it /// is open in read-write mode). #[cfg(feature = "keyserver")] pub fn add_keyserver_backend(&mut self, ks: store::KeyServer<'a>) -> Result<&mut Self> { self.keyserver = Some(Box::new(ks)); Ok(self) } /// Returns a reference to the certd store, if there is one. pub fn certd(&self) -> Option<&store::CertD<'a>> { self.certd.as_ref().ok() } /// Returns a mutable reference to the certd store, if there /// is one. pub fn certd_mut(&mut self) -> Option<&mut store::CertD<'a>> { self.certd.as_mut().ok() } } macro_rules! forward { ( $method:ident, append:$to_vec:expr, $self:expr, $term:expr, $($args:ident),* ) => {{ tracer!(TRACE, format!("{}({})", stringify!($method), $term)); let mut certs = Vec::new(); let mut err = None; match &$self.certd { Ok(certd) => { match certd.$method($($args),*) { Err(err2) => { if let Some(StoreError::NotFound(_)) = err2.downcast_ref::() { // Ignore NotFound. t!("certd returned nothing"); } else { t!("certd returned: {}", err2); err = Some(err2) } } Ok(c) => { let mut c = $to_vec(c); t!("certd returned {}", c.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); certs.append(&mut c) } } } Err(in_memory) => { match in_memory.$method($($args),*) { Err(err2) => { if let Some(StoreError::NotFound(_)) = err2.downcast_ref::() { // Ignore NotFound. t!("in-memory returned nothing"); } else { t!("in-memory returned: {}", err2); err = Some(err2) } } Ok(c) => { let mut c = $to_vec(c); t!("in-memory returned {}", c.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); certs.append(&mut c) } } } } for mode in [AccessMode::Always, AccessMode::OnMiss] { for (backend, _) in $self.backends.iter() .filter(|(_, m)| &mode == m) { match backend.$method($($args),*) { Err(err2) => { if let Some(StoreError::NotFound(_)) = err2.downcast_ref::() { // Ignore NotFound. t!("backend returned nothing"); } else { t!("backend returned: {}", err2); err = Some(err2) } } Ok(c) => { let mut c = $to_vec(c); t!("backend returned {}", c.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); certs.append(&mut c) } } } // If we found a cert after the AccessMode::Always round, // don't consult the AccessMode::OnMiss backends. if mode == AccessMode::Always && ! certs.is_empty() { break; } } if certs.is_empty() { if let Some(ks) = $self.keyserver.as_ref() { if let Ok(c) = ks.$method($($args),*) { certs = $to_vec(c); t!("keyserver returned {}", certs.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); } } } if certs.is_empty() { if let Some(err) = err { t!("query failed: {}", err); Err(err) } else { t!("query returned nothing"); Ok(certs) } } else { t!("query returned {}", certs.iter() .map(|cert| cert.fingerprint().to_string()) .collect::>() .join(", ")); Ok(certs) } }}; ( $method:ident, $self:expr, $($args:ident),* ) => {{ forward!($method, append:|c| c, $self, $($args),*) }} } fn merge<'a, 'b>(mut certs: Vec>>) -> Vec>> { certs.sort_by_key(|cert| cert.fingerprint()); certs.dedup_by(|a, b| { // If this returns true, a is dropped. So merge into b. if a.fingerprint() == b.fingerprint() { if let Ok(a2) = a.to_cert() { if let Ok(b2) = b.to_cert() { *b = Arc::new(LazyCert::from( b2.clone() .merge_public(a2.clone()) .expect("Same certificate"))); } else { // b is invalid, but a is valid. Just keep a. *b = Arc::new(LazyCert::from(a2.clone())); } } else { // a is invalid. By returning true, we drop a. // That's what we want. } true } else { false } }); certs } impl<'a> store::Store<'a> for CertStore<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { let certs = forward!(lookup_by_cert, self, kh, kh)?; if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(merge(certs)) } } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { let certs = forward!(lookup_by_cert_fpr, append:|c| vec![c], self, fingerprint, fingerprint)?; // There may be multiple variants. Merge them. let certs = merge(certs); assert!(certs.len() <= 1); if let Some(cert) = certs.into_iter().next() { Ok(cert) } else { Err(StoreError::NotFound( KeyHandle::from(fingerprint.clone())).into()) } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { let certs = forward!(lookup_by_cert_or_subkey, self, kh, kh)?; if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(merge(certs)) } } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { let certs = forward!(select_userid, self, pattern, query, pattern)?; if certs.is_empty() { Err(StoreError::NoMatches(pattern.to_string()).into()) } else { Ok(merge(certs)) } } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { let certs = forward!(lookup_by_userid, self, userid, userid)?; if certs.is_empty() { Err(StoreError::NoMatches( String::from_utf8_lossy(userid.value()).to_string()).into()) } else { Ok(merge(certs)) } } fn grep_userid(&self, pattern: &str) -> Result>>> { let certs = forward!(grep_userid, self, pattern, pattern)?; if certs.is_empty() { Err(StoreError::NoMatches(pattern.to_string()).into()) } else { Ok(merge(certs)) } } fn lookup_by_email(&self, email: &str) -> Result>>> { let certs = forward!(lookup_by_email, self, email, email)?; if certs.is_empty() { Err(StoreError::NoMatches(email.to_string()).into()) } else { Ok(merge(certs)) } } fn grep_email(&self, pattern: &str) -> Result>>> { let certs = forward!(grep_email, self, pattern, pattern)?; if certs.is_empty() { Err(StoreError::NoMatches(pattern.to_string()).into()) } else { Ok(merge(certs)) } } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { let certs = forward!(lookup_by_email_domain, self, domain, domain)?; if certs.is_empty() { Err(StoreError::NoMatches(domain.to_string()).into()) } else { Ok(merge(certs)) } } fn fingerprints(&self) -> Box + 'a> { let mut certs = Vec::new(); match self.certd.as_ref() { Ok(certd) => certs.extend(certd.fingerprints()), Err(in_memory) => certs.extend(in_memory.fingerprints()), }; for (backend, mode) in self.backends.iter() { if mode != &AccessMode::Always { continue; } certs.extend(backend.fingerprints()); } certs.sort(); certs.dedup(); Box::new(certs.into_iter()) } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { let mut certs = Vec::new(); match self.certd { Ok(ref certd) => certs.extend(certd.certs()), Err(ref in_memory) => certs.extend(in_memory.certs()), }; for (backend, mode) in self.backends.iter() { if mode != &AccessMode::Always { continue; } certs.extend(backend.certs()); } let certs = merge(certs); Box::new(certs.into_iter()) } fn prefetch_all(&self) { match self.certd.as_ref() { Ok(certd) => certd.prefetch_all(), Err(in_memory) => in_memory.prefetch_all(), }; for (backend, _mode) in self.backends.iter() { backend.prefetch_all(); } } fn prefetch_some(&self, certs: &[KeyHandle]) { match self.certd.as_ref() { Ok(certd) => certd.prefetch_some(certs), Err(in_memory) => in_memory.prefetch_some(certs), }; for (backend, _mode) in self.backends.iter() { backend.prefetch_some(certs); } } } impl<'a> store::StoreUpdate<'a> for CertStore<'a> { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "CertStore::update_by"); match self.certd.as_ref() { Ok(certd) => { t!("Forwarding to underlying certd"); certd.update_by(cert, merge_strategy) } Err(in_memory) => { t!("Forwarding to underlying in-memory DB"); in_memory.update_by(cert, merge_strategy) } } } } impl<'a> CertStore<'a> { /// Flushes any modified certificates to the backing store. /// /// Currently, this flushes the key server cache to the underlying /// cert-d, if any. All other backends are currently expected to /// work in a write-through manner. /// /// Note: this is called automatically when the `CertStore` is /// dropped, but calling it explicitly allows for reporting of /// errors. pub fn flush(&mut self) -> Result<()> { // Sync the key server's cache to the backing store. tracer!(TRACE, "CertStore::flush"); t!("flushing"); let certd = if let Ok(certd) = self.certd.as_mut() { certd } else { // We don't have a writable backing store so we can't sync // anything to it. We're done. t!("no certd, can't sync"); return Ok(()); }; let ks = if let Some(ks) = self.keyserver.as_mut() { ks } else { // We don't have a key server. There is clearly nothing // to sync. t!("no keyserver, can't sync"); return Ok(()); }; let mut flushed_certs = Vec::new(); let mut result = Ok(()); for c in ks.certs() { let keyid = c.keyid(); if let Err(err) = certd.update(c.clone()) { t!("syncing {} to the cert-d: {}", keyid, err); if result.is_ok() { result = Err(err) .with_context(|| { format!("Flushing changes to {} to disk", keyid) }) } } else { flushed_certs.push(c); } } // Now purge the successfully flushed certs from the keyserver // cache, so that we will not try to flush them again next // time we're called. ks.delete_from_cache(flushed_certs.iter().map(Arc::clone)); t!("Flushed {} certificates", flushed_certs.len()); result } } impl<'a> Drop for CertStore<'a> { fn drop(&mut self) { let _ = self.flush(); } } sequoia-cert-store-0.6.0/src/lazy_cert.rs000064400000000000000000000243011046102023000165130ustar 00000000000000use std::borrow::Cow; use std::time::SystemTime; use std::sync::OnceLock; use sequoia_openpgp as openpgp; use openpgp::Cert; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Result; use openpgp::cert::raw::RawCert; use openpgp::cert::ValidCert; use openpgp::packet::Key; use openpgp::packet::UserID; use openpgp::packet::key; use openpgp::policy::Policy; use openpgp::serialize::SerializeInto; use super::TRACE; // Needed for the doc comments. #[allow(unused_imports)] use crate::store::Store; /// Stores either a `RawCert` or a parsed `Cert`. /// /// This allows the implementation to defer fully parsing and /// validating the certificate until it is actually needed. /// /// # Examples /// /// Functions like [`Store::lookup_by_cert`] return an /// `Arc`. Due to the [orphan rule], it is not possible for /// this library to provide an implementation of /// `TryFrom> for Cert`. So instead of using `TryFrom`, /// you have to do the conversion manually as follows: /// /// [orphan rule]: https://doc.rust-lang.org/book/ch10-02-traits.html#implementing-a-trait-on-a-type /// /// ``` /// # use std::sync::Arc; /// # /// # use sequoia_openpgp as openpgp; /// # use openpgp::cert::prelude::*; /// # use openpgp::Result; /// # /// # use sequoia_cert_store as cert_store; /// # use cert_store::LazyCert; /// # /// # fn main() -> Result<()> { /// # /// # let (cert, _) = /// # CertBuilder::general_purpose(None, Some("alice@example.org")) /// # .generate()?; /// // A LazyCert as returned by, e.g., `Store::lookup_by_cert`: /// let lc: Arc = Arc::new(LazyCert::from(cert)); /// /// // If you only need a reference: /// let cert: &Cert = lc.to_cert()?; /// /// // If you need an owned value: /// let cert: Cert = lc.to_cert()?.clone(); /// # Ok(()) } /// ``` #[derive(Clone)] pub struct LazyCert<'a> { // At least one of raw and cert are ever alive. Ideally, we'd put // them in an enum. To do that, the enum would have to be behind // a `RefCell`, but then we couldn't return bare references to the // `Cert`. raw: OnceLock>, cert: OnceLock>, } assert_send_and_sync!(LazyCert<'_>); impl<'a> std::fmt::Debug for LazyCert<'a> { fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { f.debug_struct("LazyCert") .field("fingerprint", &self.fingerprint()) .field("subkeys", &self.subkeys().map(|k| k.fingerprint()) .collect::>()) .field("userids", &self.userids().collect::>()) .finish() } } impl<'a> LazyCert<'a> { /// Returns whether the cert has been parsed. pub(crate) fn is_parsed(&self) -> bool { self.cert.get().is_some() } /// Creates a `LazyCert` from a `Cert`. pub fn from_cert(cert: Cert) -> Self { tracer!(TRACE, "LazyCert::from_cert"); t!("Adding a parsed cert: {}", cert.fingerprint()); Self { raw: OnceLock::new(), cert: OnceLock::from(Cow::Owned(cert)), } } /// Creates a `LazyCert` from a `&Cert`. pub fn from_cert_ref(cert: &'a Cert) -> Self { tracer!(TRACE, "LazyCert::from_cert_ref"); t!("Adding a parsed cert: {}", cert.fingerprint()); Self { raw: OnceLock::new(), cert: OnceLock::from(Cow::Borrowed(cert)), } } /// Creates a `LazyCert` from a `RawCert`. pub fn from_raw_cert(raw: RawCert<'a>) -> Self { Self { raw: OnceLock::from(raw), cert: OnceLock::new(), } } /// Returns a reference to the raw cert, if any. /// /// If the cert only exists in parsed form, returns `None`. pub fn raw_cert(&self) -> Option<&RawCert<'a>> { self.raw.get() } /// Returns the RawCert, if any. /// /// If the cert exists only in parsed form, returns `Err(self)`. pub fn into_raw_cert(mut self) -> std::result::Result, Self> { match self.raw.take() { Some(raw) => Ok(raw), None => Err(self), } } /// Returns the certificate's fingerprint. pub fn fingerprint(&self) -> Fingerprint { if let Some(cert) = self.cert.get() { cert.fingerprint() } else if let Some(raw) = self.raw.get() { raw.fingerprint() } else { unreachable!("cert or raw must be set") } } /// Returns the certificate's Key ID. pub fn keyid(&self) -> KeyID { KeyID::from(self.fingerprint()) } /// Returns the certificate's Key Handle. pub fn key_handle(&self) -> KeyHandle { KeyHandle::from(self.fingerprint()) } /// Returns the user ids. pub fn userids(&self) -> impl Iterator + '_ { if let Some(cert) = self.cert.get() { Box::new(cert.userids().map(|ua| ua.userid().clone())) as Box + '_> } else if let Some(raw) = self.raw.get() { Box::new(raw.userids()) as Box + '_> } else { unreachable!("cert or raw must be set") } } /// Returns the keys. pub fn keys(&self) -> impl Iterator> + '_ { if let Some(cert) = self.cert.get() { Box::new(cert.keys().map(|ka| ka.key().clone())) as Box> + '_> } else if let Some(raw) = self.raw.get() { Box::new( raw .keys() // This is rather unsatisfying, but due to // lifetimes... .collect::>>() .into_iter()) as Box> + '_> } else { unreachable!("cert or raw must be set") } } /// Returns the primary key. pub fn primary_key(&self) -> Key { if let Some(cert) = self.cert.get() { cert.primary_key().key().clone() } else if let Some(raw) = self.raw.get() { raw.primary_key() } else { unreachable!("cert or raw must be set") } } /// Returns the subkeys. pub fn subkeys<'b>(&'b self) -> impl Iterator> + 'b { self.keys().skip(1) } /// Returns a reference to the parsed certificate. /// /// If the `LazyCert` is not yet parsed, parses now. pub fn to_cert(&self) -> Result<&Cert> { tracer!(TRACE, "LazyCert::to_cert"); if let Some(cert) = self.cert.get() { return Ok(cert); } if let Some(raw) = self.raw.get() { t!("Resolving {}", raw.fingerprint()); match Cert::try_from(raw) { Ok(cert) => { // The following will fail, if we lost a race to // parse the raw certificate. That's okay, // because parsing is deterministic. let _ = self.cert.set(Cow::Owned(cert)); } Err(err) => { return Err(err); } } } if let Some(cert) = self.cert.get() { return Ok(cert); } else { unreachable!("cert or raw must be set") } } /// Returns the parsed certificate. /// /// If the `LazyCert` is not yet parsed, parses now. pub fn into_cert(self) -> Result { let _ = self.to_cert()?; Ok(self.cert.into_inner().expect("valid").into_owned()) } /// Associates a policy and a reference time with the certificate. /// /// See [`Cert::with_policy`]. pub fn with_policy<'b, T>(&'b self, policy: &'b dyn Policy, time: T) -> Result> where T: Into>, { let cert = self.to_cert()?; cert.with_policy(policy, time) } /// Returns whether the certificate contains any secret key /// material. pub fn is_tsk(&self) -> bool { if let Some(cert) = self.cert.get() { cert.is_tsk() } else if let Some(raw) = self.raw.get() { raw.keys().any(|key| key.has_secret()) } else { unreachable!("cert or raw must be set") } } } impl<'a> From for LazyCert<'a> { fn from(cert: Cert) -> Self { LazyCert::from_cert(cert) } } impl<'a> From<&'a Cert> for LazyCert<'a> { fn from(cert: &'a Cert) -> Self { LazyCert::from_cert_ref(cert) } } impl<'a> From> for LazyCert<'a> { fn from(cert: RawCert<'a>) -> Self { LazyCert::from_raw_cert(cert) } } impl<'a> TryFrom> for Cert { type Error = anyhow::Error; fn try_from(lc: LazyCert<'a>) -> Result { lc.into_cert() } } impl<'a, 'b> TryFrom<&'b LazyCert<'a>> for &'b Cert { type Error = anyhow::Error; fn try_from(lc: &'b LazyCert<'a>) -> Result { lc.to_cert() } } // We can't implement openpgp::serialize::Marshal, because it is // sealed. So we fake what is used :/. impl<'a> LazyCert<'a> { /// Serializes the cert to a vector. pub fn to_vec(&self) -> Result> { if let Some(raw) = self.raw.get() { Ok(raw.as_bytes().to_vec()) } else if let Some(cert) = self.cert.get() { Ok(cert.to_vec()?) } else { unreachable!("raw or cert must be set"); } } /// Exports a serialized version of the cert to `o`. /// /// Non-exportable signatures are not exported, and any component /// bound merely by non-exportable signatures is not exported. pub fn export(&self, o: &mut dyn std::io::Write) -> Result<()> { use openpgp::serialize::Marshal; // We need to strip any local signatures. If we have a // RawCert, we could try to figure out if there are any local // signatures to avoid parsing and reserializing, but that is // error prone. let cert = self.to_cert()?; Ok(cert.export(o)?) } } sequoia-cert-store-0.6.0/src/lib.rs000064400000000000000000001561751046102023000153040ustar 00000000000000//! A certificate store abstraction. //! //! This crates provides a unified interface for different certificate //! stores via the [`Store`] and [`StoreUpdate`] traits. It also //! provides a number of helper functions and data structures, like //! [`UserIDIndex`] to help implement this functionality. //! //! [`UserIDIndex`]: store::UserIDIndex //! //! The [`CertStore`] data structure combines multiple certificate //! backends in a transparent way to users. //! //! # Examples //! //! We can store certificates in an in-memory store, and query the store: //! //! ```rust //! use std::sync::Arc; //! use sequoia_openpgp::cert::{Cert, CertBuilder}; //! use sequoia_cert_store::{CertStore, LazyCert, Store, StoreUpdate}; //! //! # fn main() -> anyhow::Result<()> { //! // Create an in-memory certificate store. To use the default //! // on-disk certificate store, use `CertStore::new`. //! let mut certs = CertStore::empty(); //! //! let (cert, _rev) = CertBuilder::new().generate()?; //! let fpr = cert.fingerprint(); //! //! // It's not in the cert store yet: //! assert!(certs.lookup_by_cert_fpr(&fpr).is_err()); //! //! // Insert a certificate. If using a backing store, it would //! // also be written to disk. //! certs.update(Arc::new(LazyCert::from(cert)))?; //! //! // Make sure it is there. //! let cert = certs.lookup_by_cert_fpr(&fpr).expect("present"); //! assert_eq!(cert.fingerprint(), fpr); //! //! // Resolve the `LazyCert` to a `Cert`. Certificates are stored //! // using `LazyCert` so that it is possible to work with `RawCert`s //! // and `Cert`s. This allows the implementation to defer fully parsing //! // and validating the certificate until it is actually needed. //! let cert: &Cert = cert.to_cert()?; //! # Ok(()) } //! ``` //! //! We can use the same API on a persistent certificate store, kept on the //! filesystem: //! //! ```rust //! use std::fs; //! # use tempfile; //! # //! # use std::sync::Arc; //! # //! # use sequoia_openpgp as openpgp; //! # use openpgp::Result; //! # use openpgp::cert::{Cert, CertBuilder}; //! # //! # use sequoia_cert_store::{CertStore, LazyCert, Store, StoreUpdate}; //! //! # fn main() -> Result<()> { //! // Make a certificate store on the file system, in a fresh empty directory. //! let directory = "/tmp/test-sequoia-certificate-directory"; //! # let directory_object = tempfile::tempdir()?; let directory = directory_object.path(); //! fs::create_dir_all(directory)?; //! let mut store = CertStore::open(directory)?; //! //! // Make a new certificate. //! let (cert, _rev) = CertBuilder::new().generate()?; //! let fpr = cert.fingerprint(); //! //! // The certificate of course will not be in the store yet. //! assert!(store.lookup_by_cert_fpr(&fpr).is_err()); //! //! // Add it. //! store.update(Arc::new(LazyCert::from(cert)))?; //! //! // Now the certificate can be found. //! let found = store.lookup_by_cert_fpr(&fpr).expect("present"); //! assert_eq!(found.fingerprint(), fpr); //! //! // Again, we can resolve the `LazyCert` to a `Cert`. //! let cert: &Cert = found.to_cert()?; //! # Ok(()) } //! ``` use std::str; use sequoia_openpgp as openpgp; use openpgp::Result; use openpgp::packet::UserID; #[macro_use] mod log; #[macro_use] mod macros; pub mod store; pub use store::Store; pub use store::StoreUpdate; mod cert_store; pub use cert_store::CertStore; pub use cert_store::AccessMode; mod lazy_cert; pub use lazy_cert::LazyCert; const TRACE: bool = false; /// Converts an email address to a User ID. /// /// If the email address is not valid, returns an error. /// /// The email address must be a bare email address. That is it must /// have the form `localpart@example.org`, and not be surrounded by /// angle brackets like ``. /// /// The email address is checked for validity. Specifically, it is /// checked to conform with [`RFC 2822`]'s [`addr-spec`] grammar. /// /// Returns a UserID containing the normalized User ID in angle /// brackets. /// /// [`RFC 2822`]: https://www.rfc-editor.org/rfc/rfc2822 /// [`addr-spec`]: https://www.rfc-editor.org/rfc/rfc2822#section-3.4.1 pub fn email_to_userid(email: &str) -> Result { let email_check = UserID::from(format!("<{}>", email)); match email_check.email2() { Ok(Some(email_check)) => { if email != email_check { return Err(anyhow::anyhow!( "{:?} does not appear to be an email address", email)); } } Ok(None) => { return Err(anyhow::anyhow!( "{:?} does not appear to be an email address", email)); } Err(err) => { return Err(err.context(format!( "{:?} does not appear to be an email address", email))); } } let userid = UserID::from(&email[..]); match userid.email_normalized() { Err(err) => { Err(err.context(format!( "'{}' is not a valid email address", email))) } Ok(None) => { Err(anyhow::anyhow!("'{}' is not a valid email address", email)) } Ok(Some(_email)) => { Ok(userid) } } } #[cfg(test)] mod tests { use super::*; use std::path::PathBuf; use std::str; use std::sync::Arc; use anyhow::Context; /// Prints the error and causes, if any. pub fn print_error_chain(err: &anyhow::Error) { let _ = write_error_chain_into(&mut std::io::stderr(), err); } /// Prints the error and causes, if any. fn write_error_chain_into(sink: &mut dyn std::io::Write, err: &anyhow::Error) -> Result<()> { writeln!(sink, " {}", err)?; for cause in err.chain().skip(1) { writeln!(sink, " because: {}", cause)?; } Ok(()) } use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Cert; use openpgp::parse::Parse; use openpgp::policy::StandardPolicy; use openpgp::serialize::Serialize; use openpgp_cert_d as cert_d; use store::Certs; use store::Pep; use store::StoreError; use store::UserIDQueryParams; fn certd_merge<'a>(new: &'a [u8], disk: Option<&[u8]>) -> cert_d::Result> { if let Some(disk) = disk { let new = Cert::from_bytes(&new).expect("valid"); let disk = Cert::from_bytes(&disk).expect("valid"); let merged = new.merge_public(disk).expect("valid"); let mut bytes = Vec::new(); merged.serialize(&mut bytes).expect("valid"); Ok(bytes.into()) } else { Ok(cert_d::MergeResult::DataRef(new)) } } include!("../tests/keyring.rs"); fn test_backend<'a, B>(backend: &B) where B: Store<'a> { // Check Store::list. { let mut got: Vec = backend.fingerprints().collect(); got.sort(); let mut expected: Vec = keyring::certs.iter() .map(|c| c.fingerprint.parse::().expect("valid")) .collect(); expected.sort(); expected.dedup(); assert_eq!(got.len(), expected.len()); assert_eq!(got, expected); } std::thread::yield_now(); // Check Store::iter. { let mut got: Vec = backend.certs().map(|c| c.fingerprint()).collect(); got.sort(); let mut expected: Vec = keyring::certs.iter() .map(|c| c.fingerprint.parse::().expect("valid")) .collect(); expected.sort(); expected.dedup(); assert_eq!(got.len(), expected.len()); assert_eq!(got, expected); } std::thread::yield_now(); // Iterate over the certificates in the keyring and check that // can look up the certificate by fingerprint, by key, by User // ID, and by email in various ways. for handle in keyring::certs.iter() { let fpr: Fingerprint = handle.fingerprint.parse().expect("valid"); let cert = handle.to_cert().expect("valid"); assert_eq!(fpr, cert.fingerprint(), "{}", handle.base); let keyid = KeyID::from(fpr.clone()); // Check by_cert_fpr. let got = backend.lookup_by_cert_fpr(&fpr).expect("present"); assert_eq!(got.fingerprint(), fpr, "{}, by_cert_fpr, primary", handle.base); // Look up by subkey and make sure we don't get cert. // Note: if a subkey is also a primary key (as is the case // for the ed certificate), then we'll get a certificate // back. for sk in cert.keys().subkeys() { match backend.lookup_by_cert_fpr(&sk.fingerprint()) { Ok(got) => { // Make sure what we got is what we looked up. assert_eq!(got.fingerprint(), sk.fingerprint()); // Make sure subkey is also a primary key. assert!( keyring::certs.iter().any(|c| { c.fingerprint.parse::().unwrap() == got.fingerprint() }), "{}, lookup_by_cert_fpr, subkey, unexpectedly got {}", handle.base, got.fingerprint()); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("Expected StoreError::NotFound, \ got: {}", err), } }, } std::thread::yield_now(); } // Check lookup_by_cert using key ids. let got = backend.lookup_by_cert(&KeyHandle::from(&keyid)) .expect("present"); // Make sure all the returned certificates match. assert!(got.iter() .all(|c| { c.keys().any(|k| k.keyid() == keyid) }), "{}, lookup_by_cert, keyid, primary", handle.base); // Make sure one of the returned certs is the cert we're // looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert, keyid, primary", handle.base); // Look up by subkey. This will only return something if // the subkey also happens to be a primary key. for sk in cert.keys().subkeys() { match backend.lookup_by_cert(&KeyHandle::from(sk.keyid())) { Ok(got) => { // We should never see an empty result. // Instead, the backend should return // StoreError::NotFound. assert!(! got.is_empty()); // Make sure we got what we looked up. for got in got.iter() { assert_eq!(got.keyid(), sk.keyid()); } // Make sure subkey is also a primary key. for got in got.into_iter() { assert!( keyring::certs.iter().any(|c| { c.fingerprint.parse::() .unwrap() == got.fingerprint() }), "{}, lookup_by_cert_fpr, subkey, \ unexpectedly got {}", handle.base, got.fingerprint()); } } Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("Expected StoreError::NotFound, \ got: {}", err), } }, } std::thread::yield_now(); } // Check lookup_by_cert_or_subkey using fingerprints. let got = backend.lookup_by_cert_or_subkey(&KeyHandle::from(fpr.clone())) .expect("present"); // Make sure all the returned certificates match. assert!(got.iter() .all(|c| { c.keys().any(|k| k.fingerprint() == fpr) }), "{}, lookup_by_cert_or_subkey, with fingerprint, primary", handle.base); // Make sure one of the returned certs is the cert we're // looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey, with fingerprint, primary", handle.base); // Look up by subkey and make sure we get cert. for sk in cert.keys().subkeys() { let got = backend.lookup_by_cert_or_subkey( &KeyHandle::from(sk.fingerprint())) .expect("present"); // Make sure all the returned certificates match. for got in got.iter() { assert!( got.keys().any(|k| k.fingerprint() == sk.fingerprint()), "{}, lookup_by_cert_or_subkey({}), with fingerprint, subkey", handle.base, sk.fingerprint()); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey({}), with fingerprint, subkey", handle.base, sk.fingerprint()); std::thread::yield_now(); } // Check lookup_by_cert_or_subkey using keyids. let got = backend.lookup_by_cert_or_subkey(&KeyHandle::from(keyid.clone())) .expect("present"); // Make sure all the returned certificates match. for got in got.iter() { assert!( got.keys().any(|k| k.keyid() == keyid), "{}, lookup_by_cert_or_subkey({}), with keyid, primary", handle.base, keyid); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey({}), with keyid, primary", handle.base, keyid); // Look up by subkey and make sure we get cert. for sk in cert.keys().subkeys() { let got = backend.lookup_by_cert_or_subkey(&KeyHandle::from(sk.keyid())) .expect("present"); // Make sure all the returned certificates match. for got in got.iter() { assert!( got.keys().any(|k| k.keyid() == sk.keyid()), "{}, lookup_by_cert_or_subkey({}), with keyid, subkey", handle.base, sk.keyid()); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_cert_or_subkey({}), with keyid, subkey", handle.base, sk.keyid()); std::thread::yield_now(); } // Check look up by User ID address by querying for each // User ID, email, domain, etc. for ua in cert.userids() { let userid = ua.userid(); // Search by exact user id. let got = backend.lookup_by_userid(userid) .expect(&format!("{}, lookup_by_userid({:?})", handle.base, userid)); // Make sure all the returned certificates match. for got in got.iter() { assert!( got.userids().any(|u| &u == userid), "{}, lookup_by_userid({:?})", handle.base, userid); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_userid({:?})", handle.base, userid); // Extract an interior substring (nor anchored at the // start or the end), and uppercase it. let pattern = str::from_utf8(userid.value()).expect("utf-8"); let pattern = &pattern[1..pattern.len() - 1]; let pattern = pattern.to_uppercase(); // grep removes all constraints so we should still // find it. let got = backend.grep_userid(&pattern) .expect(&format!("{}, grep_userid({:?})", handle.base, pattern)); // Make sure all the returned certificates match. let mut query = UserIDQueryParams::new(); query.set_email(false); query.set_anchor_start(false); query.set_anchor_end(false); query.set_ignore_case(true); for got in got.iter() { assert!( got.userids().any(|u| query.check(&u, &pattern)), "{}, grep_userid({:?})", handle.base, pattern); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, grep_userid({:?})", handle.base, pattern); // Now use an anchor at the start, or the end, ignore // case, or not. The only one combination that should // return any results is no constraints, which we // tested above. for (start, end, ignore_case) in [(false, false, false), //(false, false, true), (false, true, false), (false, true, true), ( true, false, false), ( true, false, true), ( true, true, false), ( true, true, true)] { let result = backend.select_userid( UserIDQueryParams::new() .set_email(false) .set_anchor_start(start) .set_anchor_end(end) .set_ignore_case(ignore_case), &pattern); match result { Ok(got) => { panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, got.into_iter() .map(|c| c.fingerprint().to_string()) .collect::>() .join(", ")); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NoMatches(_)) => (), _ => panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, err), } } } } // Search by exact email. let email = if let Ok(Some(email)) = userid.email2() { email } else { // No email address. continue; }; // Search with the User ID using lookup_by_email. This will // fail: a User ID that contains an email address is // never a valid email address. assert!( backend.lookup_by_email( str::from_utf8(userid.value()).expect("valid utf-8")) .is_err(), "{}, lookup_by_email({:?})", handle.base, userid); // Search by email. let got = backend.lookup_by_email(&email) .expect(&format!("{}, lookup_by_email({:?})", handle.base, email)); // Make sure all the returned certificates match. let mut query = UserIDQueryParams::new(); query.set_email(true); query.set_anchor_start(true); query.set_anchor_end(true); query.set_ignore_case(false); for got in got.iter() { assert!( got.userids().any(|u| query.check(&u, &email)), "{}, lookup_by_email({:?})", handle.base, email); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_email({:?})", handle.base, userid); // Extract an interior substring (nor anchored at the // start or the end), and uppercase it. let pattern = &email[1..email.len() - 1]; let pattern = pattern.to_uppercase(); // grep removes all constraints so we should still // find it. let got = backend.grep_email(&pattern) .expect(&format!("{}, grep_email({:?})", handle.base, pattern)); // Make sure all the returned certificates match. let mut query = UserIDQueryParams::new(); query.set_email(true); query.set_anchor_start(false); query.set_anchor_end(false); query.set_ignore_case(true); for got in got.iter() { assert!( got.userids().any(|u| query.check(&u, &pattern)), "{}, grep_email({:?})", handle.base, pattern); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, grep_email({:?})", handle.base, pattern); // Now use an anchor at the start, or the end, ignore // case, or not. This should not return any results; // the only one that should return any results is no // constraints, which we tested above. for (start, end, ignore_case) in [(false, false, false), //(false, false, true), (false, true, false), (false, true, true), ( true, false, false), ( true, false, true), ( true, true, false), ( true, true, true)] { let result = backend.select_userid( UserIDQueryParams::new() .set_email(true) .set_anchor_start(start) .set_anchor_end(end) .set_ignore_case(ignore_case), &pattern); match result { Ok(got) => { panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, got.into_iter() .map(|c| c.fingerprint().to_string()) .collect::>() .join(", ")); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NoMatches(_)) => (), _ => panic!("{}, select_userid({:?}) -> {}", handle.base, pattern, err), } } } } // Search by domain. let domain = email.rsplit('@').next().expect("have an @"); // Search with the User ID using lookup_by_email_domain. // This will fail: a User ID that contains an email // address is never a valid email address. assert!( backend.lookup_by_email_domain( str::from_utf8(userid.value()).expect("valid utf-8")) .is_err(), "{}, lookup_by_email_domain({:?})", handle.base, userid); // Likewise with the email address. assert!( backend.lookup_by_email_domain(&email).is_err(), "{}, lookup_by_email_domain({:?})", handle.base, email); // Search by domain. We should find it. let got = backend.lookup_by_email_domain(&domain) .expect(&format!("{}, lookup_by_email_domain({:?})", handle.base, domain)); // Make sure all the returned certificates match. let mut query = UserIDQueryParams::new(); query.set_email(true); query.set_anchor_start(false); query.set_anchor_end(true); query.set_ignore_case(true); let at_domain = format!("@{}", domain); for got in got.iter() { assert!( got.userids().any(|u| query.check(&u, &at_domain)), "{}, lookup_by_email_domain({:?})", handle.base, domain); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_email_domain({:?})", handle.base, userid); // Uppercase it. We should still find it. let pattern = domain.to_uppercase(); let got = backend.lookup_by_email_domain(&pattern) .expect(&format!("{}, lookup_by_email_domain({:?})", handle.base, pattern)); // Make sure all the returned certificates match. let mut query = UserIDQueryParams::new(); query.set_email(true); query.set_anchor_start(false); query.set_anchor_end(true); query.set_ignore_case(true); let at_domain = format!("@{}", pattern); for got in got.iter() { assert!( got.userids().any(|u| query.check(&u, &at_domain)), "{}, lookup_by_email_domain({:?})", handle.base, domain); } // Make sure one of the returned certs is the cert // we're looking for. assert!(got.into_iter().any(|c| c.fingerprint() == fpr), "{}, lookup_by_email_domain({:?})", handle.base, pattern); // Extract a substring that we shouldn't find. let pattern = &domain[1..pattern.len() - 1]; let result = backend.lookup_by_email_domain(pattern); match result { Ok(got) => { // We should never see an empty result. // Instead, the backend should return // StoreError::NotFound. assert!(! got.is_empty()); assert!( got.into_iter().all(|c| { c.fingerprint() != fpr }), "{}, lookup_by_email_domain({:?}, unexpectedly got {}", handle.base, pattern, fpr); } Err(err) => { match err.downcast_ref::() { Some(StoreError::NoMatches(_)) => (), _ => panic!("{}, lookup_by_email_domain({:?}) -> {}", handle.base, pattern, err), } } } std::thread::yield_now(); } } // So far, the tests have been generic in the sense that we // look up what is there. We now do some data set-specific // tests. let sort_vec = |mut v: Vec<_>| -> Vec<_> { v.sort(); v }; // alice and alice2 share a subkey. assert_eq!( sort_vec(backend.lookup_by_cert_or_subkey( &"5989D7BE9908AE24799DF6CFBE678043781349F1" .parse::().expect("valid")) .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::alice.fingerprint .parse::().expect("valid"), keyring::alice2_adopted_alice.fingerprint .parse::().expect("valid"), ])); std::thread::yield_now(); // ed's primary is also a subkey on the same certificate. { let ed_fpr = "0C346B2B6241263F64E9C7CF1EA300797258A74E" .parse::().expect("valid"); let ed_kh = KeyHandle::from(&ed_fpr); assert_eq!( sort_vec(backend.lookup_by_cert_or_subkey(&ed_kh) .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::ed.fingerprint .parse::().expect("valid"), ])); // Also test that the CertStore implementation is not // impacted. let cert = backend.lookup_by_cert_fpr(&ed_fpr) .expect("found cert"); assert_eq!(cert.fingerprint(), ed_fpr); // Make sure the implementation doesn't return the certificate // twice, once when matching on the primary key, and once when // matching on the subkey. let certs = backend.lookup_by_cert(&ed_kh) .expect("found cert"); assert_eq!(certs.len(), 1); assert_eq!(certs[0].fingerprint(), ed_fpr); let certs = backend.lookup_by_cert_or_subkey(&ed_kh) .expect("found cert"); assert_eq!(certs.len(), 1); assert_eq!(certs[0].fingerprint(), ed_fpr); let certs = backend.certs(); assert_eq!(certs.filter(|c| c.fingerprint() == ed_fpr).count(), 1); let fprs = backend.fingerprints(); assert_eq!(fprs.filter(|fpr| fpr == &ed_fpr).count(), 1); } // david has a subkey that doesn't have a binding signature, // but the backend is not supposed to check that. (That // subkey is bound to carol.) assert_eq!( sort_vec(backend.lookup_by_cert_or_subkey( &"CD22D4BD99FF10FDA11A83D4213DCB92C95346CE" .parse::().expect("valid")) .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::carol.fingerprint .parse::().expect("valid"), keyring::david.fingerprint .parse::().expect("valid"), ])); // Try a key that is not present. match backend.lookup_by_cert_fpr( &"0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" .parse::().expect("valid")) { Ok(cert) => panic!("lookup_by_cert_fpr(not present) -> {}", cert.fingerprint()), Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("lookup_by_cert(not present) -> {}", err), } } } match backend.lookup_by_cert_or_subkey( &"0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" .parse::().expect("valid")) { Ok(certs) => panic!("lookup_by_cert_or_subkey(not present) -> {}", certs .into_iter() .map(|c| c.fingerprint().to_string()) .collect::>() .join(", ")), Err(err) => { match err.downcast_ref::() { Some(StoreError::NotFound(_)) => (), _ => panic!("lookup_by_cert(not present) -> {}", err), } } } std::thread::yield_now(); assert!( backend.lookup_by_cert_or_subkey( &"0123 4567 89AB CDEF 0123 4567 89AB CDEF" .parse::().expect("valid")) .is_err()); // Check puny code handling. // Look up the User ID using puny code. assert_eq!( backend.lookup_by_email("hans@xn--bcher-kva.tld") .expect("present") .len(), 1); // And without puny code. assert_eq!( backend.lookup_by_email("hans@bücher.tld") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::hans_puny_code.fingerprint .parse::().expect("valid") ]); // A substring shouldn't match. assert_eq!( backend.lookup_by_email("hans@bücher.tl") .unwrap_or(Vec::new()) .len(), 0); // The same, but just look up by domain. assert_eq!( backend.lookup_by_email_domain("xn--bcher-kva.tld") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::hans_puny_code.fingerprint .parse::().expect("valid") ]); // And without puny code. assert_eq!( backend.lookup_by_email_domain("bücher.tld") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::hans_puny_code.fingerprint .parse::().expect("valid") ]); std::thread::yield_now(); // Check that when looking up a subdomain, we don't get back // User IDs in a subdomain. assert_eq!( backend.lookup_by_email_domain("company.com") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::una.fingerprint .parse::().expect("valid") ]); assert_eq!( backend.lookup_by_email_domain("sub.company.com") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>(), vec![ keyring::steve.fingerprint .parse::().expect("valid") ]); // Check searching by domain. assert_eq!( sort_vec(backend.lookup_by_email_domain("verein.de") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::alice2_adopted_alice.fingerprint .parse::().expect("valid"), keyring::carol.fingerprint .parse::().expect("valid"), ])); // It should be case insenitive. assert_eq!( sort_vec(backend.lookup_by_email_domain("VEREIN.DE") .expect("present") .into_iter() .map(|c| c.fingerprint()) .collect::>()), sort_vec( vec![ keyring::alice2_adopted_alice.fingerprint .parse::().expect("valid"), keyring::carol.fingerprint .parse::().expect("valid"), ])); // Make sure the backend returns user IDs that are not self // signed. // // Peter's self-signed user ID is: 'Peter // '. Usa certificated a non-self signed // user ID: 'Dad ' assert_eq!( backend.lookup_by_userid( &UserID::from("Dad ")) .expect("present") .len(), 1); assert_eq!( backend.grep_userid("Dad") .expect("present") .len(), 1); assert_eq!( backend.lookup_by_email("peter@example.family") .expect("present") .len(), 1); assert_eq!( backend.grep_email("eter@example.family") .expect("present") .len(), 1); assert_eq!( backend.lookup_by_email_domain("example.family") .expect("present") .len(), 1); } #[test] fn certd() -> Result<()> { use std::io::Read; let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; for cert in keyring::certs.iter() { let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); } drop (certd); let certd = store::certd::CertD::open(&path).expect("exists"); test_backend(&certd); Ok(()) } #[test] fn cert_store() -> Result<()> { use std::io::Read; let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; for cert in keyring::certs.iter() { let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); } drop(certd); let cert_store = CertStore::open(&path).expect("exists"); test_backend(&cert_store); Ok(()) } #[test] fn cert_store_layered() -> Result<()> { use std::io::Read; // A certd for each certificate. let mut paths: Vec = Vec::new(); let mut cert_store = CertStore::empty(); for cert in keyring::certs.iter() { let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); drop(certd); let certd = store::CertD::open(&path).expect("valid"); cert_store.add_backend(Box::new(certd), AccessMode::Always); paths.push(path); } test_backend(&cert_store); Ok(()) } #[test] fn certs() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = store::Certs::from_bytes(&bytes) .expect("valid"); test_backend(&backend); Ok(()) } #[test] fn certd_with_prefetch() -> Result<()> { use std::io::Read; let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; for cert in keyring::certs.iter() { let bytes = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &bytes, openpgp::armor::ReaderMode::VeryTolerant); let mut bytes = Vec::new(); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); certd .insert_data(&bytes, false, certd_merge) .with_context(|| { format!("{} ({})", cert.base, cert.fingerprint) }) .expect("can insert"); } drop (certd); let certd = store::CertD::open(&path).expect("exists"); certd.prefetch_all(); test_backend(&certd); Ok(()) } #[test] fn certs_with_prefetch() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = store::Certs::from_bytes(&bytes) .expect("valid"); backend.prefetch_all(); test_backend(&backend); Ok(()) } #[test] fn keyrings() -> Result<()> { let mut cert_store = CertStore::empty(); let mut base = PathBuf::from(env!("CARGO_MANIFEST_DIR")); base.push("tests"); cert_store.add_keyrings( keyring::certs.iter().map(|c| { PathBuf::from(&base).join(c.filename) }))?; test_backend(&cert_store); Ok(()) } #[test] fn certs_multithreaded() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = store::Certs::from_bytes(&bytes) .expect("valid"); std::thread::scope(|s| { let threads = (0..4usize) .map(|_| { s.spawn(|| { // Really make sure all threads start by sleeping // for 10ms. std::thread::sleep(std::time::Duration::new(0, 10)); test_backend(&backend); }) }) .collect::>(); threads.into_iter().for_each(|h| { h.join().expect("joined"); }); }); Ok(()) } #[test] fn pep() -> Result<()> { use std::io::Read; let mut bytes = Vec::new(); for cert in keyring::certs.iter() { let binary = cert.bytes(); let mut reader = openpgp::armor::Reader::from_bytes( &binary, openpgp::armor::ReaderMode::VeryTolerant); reader.read_to_end(&mut bytes) .expect(&format!("{}", cert.base)); } let backend = Pep::from_bytes(&bytes).expect("valid"); backend.prefetch_all(); test_backend(&backend); Ok(()) } // Make sure that when we update a certificate, we are able to // find any new components and we are still able to find the old // components. fn test_store_update<'a, B>(backend: B) -> Result<()> where B: store::StoreUpdate<'a> { let p = &StandardPolicy::new(); let signing_cert = Cert::from_bytes(&keyring::halfling_signing.bytes()) .expect("valid"); let fpr = signing_cert.fingerprint(); // We expect a primary and two subkeys. assert_eq!(signing_cert.keys().count(), 3); let signing_vc = signing_cert.with_policy(p, None).expect("ok"); let signing_fpr = signing_vc.keys().subkeys() .for_signing() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(signing_fpr.len(), 1); let signing_fpr = KeyHandle::from( signing_fpr.into_iter().next().expect("have one")); let auth_fpr = signing_vc.keys().subkeys() .for_authentication() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(auth_fpr.len(), 1); let auth_fpr = KeyHandle::from( auth_fpr.into_iter().next().expect("have one")); let encryption_cert = Cert::from_bytes(&keyring::halfling_encryption.bytes()) .expect("valid"); assert_eq!(fpr, encryption_cert.fingerprint()); // We expect a primary and two subkeys. assert_eq!(encryption_cert.keys().count(), 3); let encryption_vc = encryption_cert.with_policy(p, None).expect("ok"); let encryption_fpr = encryption_vc.keys().subkeys() .for_transport_encryption() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(encryption_fpr.len(), 1); let encryption_fpr = KeyHandle::from( encryption_fpr.into_iter().next().expect("have one")); assert_ne!(signing_fpr, encryption_fpr); let auth2_fpr = encryption_vc.keys().subkeys() .for_authentication() .map(|ka| ka.fingerprint()) .collect::>(); assert_eq!(auth2_fpr.len(), 1); let auth2_fpr = KeyHandle::from( auth2_fpr.into_iter().next().expect("have one")); assert_eq!(auth_fpr, auth2_fpr); let merged_cert = signing_cert.clone() .merge_public(encryption_cert.clone()).expect("ok"); let check = |backend: &B, have_enc: bool, cert: &Cert| { let r = backend.lookup_by_cert(&KeyHandle::from(fpr.clone())).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); let r = backend.lookup_by_cert_or_subkey(&signing_fpr).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); let r = backend.lookup_by_cert_or_subkey(&auth_fpr).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); if have_enc { let r = backend.lookup_by_cert_or_subkey(&encryption_fpr).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); } else { assert!(backend.lookup_by_cert_or_subkey(&encryption_fpr).is_err()); } let r = backend.lookup_by_userid( &UserID::from("")).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); let r = backend.lookup_by_userid( &UserID::from("Halfling ")).unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); if have_enc { let r = backend.lookup_by_userid( &UserID::from("Halfling ")) .unwrap(); assert_eq!(r.len(), 1); assert_eq!(r[0].to_cert().expect("ok"), cert); } else { assert!(backend.lookup_by_cert_or_subkey(&encryption_fpr).is_err()); } }; // Insert the signing certificate. backend.update(Arc::new(LazyCert::from(signing_cert.clone()))) .expect("ok"); check(&backend, false, &signing_cert); backend.update(Arc::new(LazyCert::from(encryption_cert.clone()))) .expect("ok"); check(&backend, true, &merged_cert); backend.update(Arc::new(LazyCert::from(signing_cert.clone()))) .expect("ok"); check(&backend, true, &merged_cert); Ok(()) } // Test StoreUpdate::update for CertStore. #[test] fn test_store_update_cert_store() -> Result<()> { let path = tempfile::tempdir()?; let cert_store = CertStore::open(&path).expect("exists"); test_store_update(cert_store) } /// Test StoreUpdate::update for CertD. #[test] fn test_store_update_certd() -> Result<()> { let path = tempfile::tempdir()?; let certs = store::CertD::open(&path)?; test_store_update(&certs)?; // We're the only user of the cert-d. Therefore, we should be // able to keep the persistent index and the in-memory index // in sync with the cert-d without having to do any hard // reloads. assert_eq!( certs.load_stats.in_memory_loads(), 0); assert_eq!( certs.load_stats.persistent_index_scans(), 1); Ok(()) } // Test StoreUpdate::update for Certs. #[test] fn test_store_update_certs() -> Result<()> { let certs = Certs::empty(); test_store_update(certs) } // Test StoreUpdate::update for Pep. #[test] fn test_store_update_pep() -> Result<()> { let certs = Pep::empty()?; test_store_update(certs) } #[test] fn test_store_multithreaded_update_cert_store() -> Result<()> { let path = tempfile::tempdir()?; let backend = CertStore::open(&path)?; test_store_multithreaded_update(backend) } #[test] fn test_store_multithreaded_update_certd() -> Result<()> { let path = tempfile::tempdir()?; let backend = store::CertD::open(&path)?; test_store_multithreaded_update(backend) } #[test] fn test_store_multithreaded_update_certs() -> Result<()> { let backend = store::Certs::empty(); test_store_multithreaded_update(backend) } #[test] fn test_store_multithreaded_update_pep() -> Result<()> { let backend = Pep::empty()?; test_store_multithreaded_update(backend) } fn test_store_multithreaded_update<'a, B>(backend: B) -> Result<()> where B: store::StoreUpdate<'a> + Sync { let mut certs = Vec::new(); for cert in keyring::certs.iter() { let cert = Cert::from_bytes(&cert.bytes()).expect("valid"); certs.push(cert); } let mut fprs: Vec = certs.iter().map(|cert| cert.fingerprint()).collect(); fprs.sort(); fprs.dedup(); std::thread::scope(|s| { let backend = &backend; let threads = certs.into_iter() .map(|cert| { s.spawn(move || { // Really make sure all threads start by sleeping // for 10ms. std::thread::sleep(std::time::Duration::new(0, 10)); let kh = cert.key_handle(); backend.update(Arc::new(LazyCert::from(cert))) .expect("ok"); assert!(backend.lookup_by_cert(&kh).is_ok()); assert!(backend.lookup_by_cert_or_subkey(&kh).is_ok()); }) }) .collect::>(); threads.into_iter().for_each(|h| { h.join().expect("joined"); }); }); assert_eq!(backend.certs().count(), fprs.len()); Ok(()) } } sequoia-cert-store-0.6.0/src/log.rs000064400000000000000000000073671046102023000153150ustar 00000000000000use std::cell::RefCell; // Like eprintln! macro_rules! log { ($dst:expr $(,)?) => ( eprintln!("{}", $dst) ); ($dst:expr, $($arg:tt)*) => ( eprintln!("{}", std::format!($dst, $($arg)*)) ); } // The indent level. It is increased with each call to tracer and // decremented when the tracer goes out of scope. thread_local! { pub static INDENT_LEVEL: RefCell = RefCell::new(0); } // Like eprintln!, but the first argument is a boolean, which // indicates if the string should actually be printed. macro_rules! trace { ( $TRACE:expr, $fmt:expr, $($pargs:expr),* ) => { if $TRACE { let indent_level = crate::log::INDENT_LEVEL.with(|i| { *i.borrow() }); let ws = " "; log!("{}{}", &ws[0..std::cmp::min(ws.len(), std::cmp::max(1, indent_level) - 1)], format!($fmt, $($pargs),*)); } }; ( $TRACE:expr, $fmt:expr ) => { trace!($TRACE, $fmt, ); }; } macro_rules! tracer { ( $TRACE:expr, $func:expr ) => { // Currently, Rust doesn't support $( ... ) in a nested // macro's definition. See: // https://users.rust-lang.org/t/nested-macros-issue/8348/2 #[allow(unused)] macro_rules! t { ( $fmt:expr ) => { trace!($TRACE, "{}: {}", $func, $fmt) }; ( $fmt:expr, $a:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a)) }; ( $fmt:expr, $a:expr, $b:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr, $i:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h, $i)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr, $i:expr, $j:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h, $i, $j)) }; ( $fmt:expr, $a:expr, $b:expr, $c:expr, $d:expr, $e:expr, $f:expr, $g:expr, $h:expr, $i:expr, $j:expr, $k:expr ) => { trace!($TRACE, "{}: {}", $func, format!($fmt, $a, $b, $c, $d, $e, $f, $g, $h, $i, $j, $k)) }; } struct Indent {} impl Indent { fn init() -> Self { crate::log::INDENT_LEVEL.with(|i| { i.replace_with(|i| *i + 1); }); Indent {} } } impl Drop for Indent { fn drop(&mut self) { crate::log::INDENT_LEVEL.with(|i| { i.replace_with(|i| *i - 1); }); } } let _indent = Indent::init(); } } sequoia-cert-store-0.6.0/src/macros.rs000064400000000000000000000100221046102023000157760ustar 00000000000000/// A very simple profiling tool. /// /// Note: don't ever profile code that has not been compiled in /// release mode. There can be orders of magnitude difference in /// execution time between it and debug mode! /// /// This macro measures the wall time it takes to execute the block. /// If the time is at least $ms_threshold (in milli-seconds), then it /// displays the output on stderr. The output is prefixed with label, /// if it is provided. /// /// ```nocompile /// let result = time_it!("Some code", 10, { /// // Some code. /// 5 /// }); /// assert_eq!(result, 5); /// ``` #[allow(unused_macros)] macro_rules! time_it { ( $label:expr, $ms_threshold:expr, $body:expr ) => {{ use std::time::{SystemTime, Duration}; // We use drop so that code that uses non-local exits (e.g., // using break 'label) still works. struct Timer { start: SystemTime, } impl Drop for Timer { fn drop(&mut self) { let elapsed = self.start.elapsed(); if elapsed.clone().unwrap_or(Duration::from_millis($ms_threshold)) >= Duration::from_millis($ms_threshold) { if $label.len() > 0 { eprint!("{}:", $label); } eprintln!("{}:{}: {:?}", file!(), line!(), elapsed); } } } let _start = Timer { start: SystemTime::now() }; $body }}; ( $label:expr, $body:expr ) => { time_it!($label, 0, $body) }; ( $body:expr ) => { time_it!("", $body) }; } pub(crate) trait Sendable : Send {} pub(crate) trait Syncable : Sync {} /// A simple shortcut for ensuring a type is send and sync. /// /// For most types just call it after defining the type: /// /// ```ignore /// pub struct MyStruct {} /// assert_send_and_sync!(MyStruct); /// ``` /// /// For types with lifetimes, use the anonymous lifetime: /// /// ```ignore /// pub struct WithLifetime<'a> { _p: std::marker::PhantomData<&'a ()> } /// assert_send_and_sync!(WithLifetime<'_>); /// ``` /// /// For a type generic over another type `W`, /// pass the type `W` as a where clause /// including a trait bound when needed: /// /// ```ignore /// pub struct MyWriter { _p: std::marker::PhantomData } /// assert_send_and_sync!(MyWriter where W: std::io::Write); /// ``` /// /// This will assert that `MyWriterStruct` is `Send` and `Sync` /// if `W` is `Send` and `Sync`. /// /// You can also combine the two and be generic over multiple types. /// Just make sure to list all the types - even those without additional /// trait bounds: /// /// ```ignore /// pub struct MyWriterWithLifetime<'a, C, W: std::io::Write> { /// _p: std::marker::PhantomData<&'a (C, W)>, /// } /// assert_send_and_sync!(MyWriterWithLifetime<'_, C, W> where C, W: std::io::Write); /// ``` /// /// If you need multiple additional trait bounds on a single type /// you can add them separated by `+` like in normal where clauses. /// However you have to make sure they are `Identifiers` like `Write`. /// In macro patterns `Paths` (like `std::io::Write`) may not be followed /// by `+` characters. // This is copied from sequoia-openpgp/src/macros.rs. macro_rules! assert_send_and_sync { ( $x:ty where $( $g:ident$( : $a:path )? $(,)?)*) => { impl<$( $g ),*> crate::macros::Sendable for $x where $( $g: Send + Sync $( + $a )? ),* {} impl<$( $g ),*> crate::macros::Syncable for $x where $( $g: Send + Sync $( + $a )? ),* {} }; ( $x:ty where $( $g:ident$( : $a:ident $( + $b:ident )* )? $(,)?)*) => { impl<$( $g ),*> crate::macros::Sendable for $x where $( $g: Send + Sync $( + $a $( + $b )* )? ),* {} impl<$( $g ),*> crate::macros::Syncable for $x where $( $g: Send + Sync $( + $a $( + $b )* )? ),* {} }; ( $x:ty ) => { impl crate::macros::Sendable for $x {} impl crate::macros::Syncable for $x {} }; } sequoia-cert-store-0.6.0/src/store/certd.rs000064400000000000000000003655311046102023000167710ustar 00000000000000use std::borrow::Cow; use std::collections::BTreeSet; use std::collections::btree_map::{BTreeMap, Entry}; use std::collections::btree_map; use std::ffi::OsString; use std::iter; use std::path::Path; use std::path::PathBuf; use std::str; use std::sync::Arc; use std::sync::Mutex; use std::sync::RwLock; use std::time::{Duration, Instant, SystemTime}; use std::str::FromStr; use anyhow::Context; use rusqlite::{ Connection, Error as RError, ErrorCode, OpenFlags, Result as RResult, Transaction, TransactionBehavior, params, }; use smallvec::{SmallVec, smallvec}; use sequoia_openpgp as openpgp; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Packet; use openpgp::Result; use openpgp::cert::prelude::*; use openpgp::cert::raw::{RawCert, RawCertParser}; use openpgp::packet::UserID; use openpgp::packet::signature::SignatureBuilder; use openpgp::parse::Parse; use openpgp::parse::buffered_reader as br; use openpgp::serialize::SerializeInto; use openpgp::types::KeyFlags; use openpgp::types::SignatureType; use openpgp_cert_d as cert_d; use crate::LazyCert; use crate::store::MergeCerts; use crate::store::{Store, StoreError}; use crate::store::StoreUpdate; use crate::store::UserIDIndex; use crate::store::UserIDQueryParams; use crate::TRACE; /// Do not scan more often than every SCAN_LIMIT. #[cfg(not(test))] const SCAN_LIMIT: Duration = Duration::from_millis(50); /// No SCAN_LIMIT for tests. We want to make race conditions and lock /// contention more likely. #[cfg(test)] const SCAN_LIMIT: Duration = Duration::from_millis(0); /// The creation time for the trust root and intermediate CAs. /// /// We use a creation time in the past (Feb 2002) so that it is still /// possible to use the CA when the reference time is in the past. fn ca_creation_time() -> SystemTime { SystemTime::UNIX_EPOCH + Duration::new(1014235320, 0) } struct CA<'a> { cert: Arc>, // The tag of the file stored under the special name. special_tag: cert_d::Tag, // The tag of the file stored under the fingerprint. public_tag: cert_d::Tag, } assert_send_and_sync!(CA<'_>); /// The tag is the tag of the in-memory index. /// /// We need to keep both the persistent index (the DB) in sync /// with the disk, and the in-memory index in sync with the disk. /// To detect if the persistent index is out of sync, we compare /// the tag stored in the persistent index with the cert's Tag. /// /// This is not enough to keep the in-memory index in sync. /// Consider: an external process changes the cert-d, and updates /// the persistent index. The cert-d and persistent index are /// consistent, but our in-memory index is out of sync! /// /// Thus, we track the tag that the in-memory index corresponds /// to. This tag is associated with the connection to avoid /// taking additional locks. struct DB { in_memory_tag: Option, conn: Connection, } /// Statistics about the number of times the in-memory index, and the /// persistent index were loaded. pub(crate) struct LoadStats { /// The number of times the in-memory index was loaded from the /// database. #[cfg(test)] in_memory_loads: std::sync::atomic::AtomicUsize, /// The number of times the persistent index was loaded from the /// cert-d. #[cfg(test)] persistent_index_scans: std::sync::atomic::AtomicUsize, } impl LoadStats { /// Gets the in-memory-load counter. /// /// The number of times the in-memory index was loaded from the /// database. /// /// This counter is incremented when we load the persistent index /// into memory. Note: when the memory index is initialized as a /// side effect of creating the persistent index, this is not /// incremented. #[allow(dead_code)] pub(crate) fn in_memory_loads(&self) -> usize { #[allow(unused_mut, unused_assignments)] let mut counter = 0; #[cfg(test)] { counter = self.in_memory_loads.load( std::sync::atomic::Ordering::Relaxed); } counter } /// Increments the in-memory-load counter. fn in_memory_loads_inc(&self) { #[cfg(test)] self.in_memory_loads.fetch_add( 1, std::sync::atomic::Ordering::Relaxed); } /// Gets the persistent-index-scans counter. /// /// The number of times the persistent index was loaded from the /// cert-d. /// /// This counter is incremented when we scan the cert-d in order /// to build or update the persistent index. #[allow(dead_code)] pub(crate) fn persistent_index_scans(&self) -> usize { #[allow(unused_mut, unused_assignments)] let mut counter = 0; #[cfg(test)] { counter = self.persistent_index_scans.load( std::sync::atomic::Ordering::Relaxed); } counter } /// Increments the persistent-index-scans counter. fn persistent_index_scans_inc(&self) { #[cfg(test)] self.persistent_index_scans.fetch_add( 1, std::sync::atomic::Ordering::Relaxed); } } impl Default for LoadStats { fn default() -> Self { Self { #[cfg(test)] in_memory_loads: 0.into(), #[cfg(test)] persistent_index_scans: 0.into(), } } } /// A cert-d backed store with persistent indices. /// /// We use the cert-d as the source of truth, and maintain in-core /// indices mapping from key handles, subkey handles, and user IDs to /// cert fingerprints. We serve all requests from the in-core caches. /// /// We persist the indices in SQLite to cache them, but this is a /// best-effort mechanism: concurrent database mutators may have /// exclusive write rights to the database and our update may fail. /// If that happens, we stop trying to update the database, but still /// update the in-core indices. We abort the transaction. And, since /// we didn't update the cert-d tag in the database, we (or another /// process) will recognize the db as stale next time it is accessed, /// and update it. /// /// # Lock order /// /// This struct uses a series of locks, which must be taken in the /// following order to avoid deadlocks: /// /// - CertD::cas /// - CertD::conn /// - CertD::last_scan /// - CertD::certs_cache /// - CertD::index_cache pub struct CertD<'a> { certd: cert_d::CertD, /// A cache of the trust root, and shadow CAs keyed by the cert-d /// special name. cas: Mutex>>, path: PathBuf, conn: Mutex, /// Cache indexed by primary key fingerprint. certs_cache: RwLock>, cert_d::Tag)>>, /// We rate limit scans for changes. This is the last time a scan /// was done (if ever). last_scan: Mutex>, /// Indices mapping from (sub)key fingerprint, (sub)key key ID, /// and user ID to certificate fingerprint. index_cache: RwLock, pub(crate) load_stats: LoadStats, } assert_send_and_sync!(CertD<'_>); /// Indices mapping from (sub)key fingerprint, (sub)key key ID, and /// user ID to certificate fingerprint. #[derive(Default)] struct Index { /// Maps cert and subkey fingerprints to cert fingerprints. /// /// The values are a sorted, de-duplicated list of certificate /// fingerprints. Use `insert_unique` to maintain order and /// uniqueness. by_key_fingerprint: BTreeMap>, /// Maps cert and subkey key IDs to cert fingerprints. /// /// The values are a sorted, de-duplicated list of certificate /// fingerprints. Use `insert_unique` to maintain order and /// uniqueness. by_key_id: BTreeMap>, /// Maps user IDs to cert fingerprints. /// /// XXX: UserIDIndex has an internal RwLock. We could avoid that /// by using UserIDIndexInner, but the query interface is on /// UserIDIndex. by_userid: UserIDIndex, } /// Inserts `fp` into `bucket` if it is not present. fn insert_unique(bucket: &mut SmallVec<[Fingerprint; 1]>, fp: Cow) { if let Err(i) = bucket.binary_search(&fp) { bucket.insert(i, fp.into_owned()); } } impl<'a> CertD<'a> { /// Returns the canonicalized path. /// /// If path is `None`, then returns the default location. fn path(path: Option<&Path>) -> Result { if let Some(path) = path { Ok(path.to_owned()) } else { Ok(cert_d::CertD::user_configured_store_path()?) } } /// Opens the default cert-d for reading and writing. pub fn open_default() -> Result { let path = Self::path(None)?; Self::open(path) } /// Opens a cert-d for reading and writing. pub fn open

(path: P) -> Result where P: AsRef, { tracer!(TRACE, "CertD::open"); let path = path.as_ref(); t!("loading cert-d {:?}", path); let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { t!("While opening the certd {:?}: {}", path, err); let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); err })?; // We include the hostname in the file name to prevent having // to share databases and their locks across network file // systems. let mut database_name = OsString::from("_sequoia_cert_store_index_v1_on_"); database_name.push(&gethostname::gethostname()); database_name.push(".sqlite"); let index_path = path.join(database_name); let mut conn = Connection::open_with_flags( &index_path, OpenFlags::SQLITE_OPEN_READ_WRITE | OpenFlags::SQLITE_OPEN_CREATE | OpenFlags::SQLITE_OPEN_PRIVATE_CACHE)?; if TRACE { fn trace(m: &str) { eprintln!("SQLite: {}", m); } conn.trace(Some(trace)); } conn.execute_batch("PRAGMA secure_delete=true; \ PRAGMA foreign_keys=true; \ PRAGMA journal_mode=WAL; \ ")?; let certd = Self { certd, cas: Default::default(), path: path.into(), conn: Mutex::new(DB { in_memory_tag: None, conn, }), certs_cache: Default::default(), last_scan: Mutex::new(None), index_cache: RwLock::new(Index { by_key_fingerprint: Default::default(), by_key_id: Default::default(), by_userid: Default::default(), }), load_stats: Default::default(), }; certd.initialize()?; Ok(certd) } /// Returns a reference to the low-level `CertD`. pub fn certd(&self) -> &cert_d::CertD { &self.certd } /// Returns a mutable reference to the low-level `CertD`. pub fn certd_mut(&mut self) -> &mut cert_d::CertD { &mut self.certd } /// Initializes a certd by creating the persistent index, reading /// the entries and populating the index. fn initialize(&self) -> Result<()> { tracer!(TRACE, "CertD::initialize"); let mut db = self.conn.lock().unwrap(); let tx = Transaction::new_unchecked( &db.conn, TransactionBehavior::Deferred)?; // First, see which database version we're dealing with. match self.db_version(&tx) { Ok(1) => { drop(tx); self.scan(&mut db)?; Ok(()) }, Ok(n) => { t!("Expected version 1, got version {}. Re-initializing.", n); Self::initialize_v1(&tx)?; tx.commit()?; self.initial_scan(&mut db)?; Ok(()) }, Err(RError::SqliteFailure(e, _)) if e.code == ErrorCode::Unknown => { t!("Initial indexing."); Self::initialize_v1(&tx)?; tx.commit()?; self.initial_scan(&mut db)?; Ok(()) }, Err(e) => Err(e.into()), } } /// Creates the disk index, doing the initial scan in parallel. fn initial_scan(&self, db: &mut DB) -> Result<()> { tracer!(false, "CertD::initial_scan"); let tx = Transaction::new_unchecked( &db.conn, TransactionBehavior::Deferred)?; let mut commit = true; let mut last_scan = self.last_scan.lock().unwrap(); let certd_tag = self.certd.tag(); t!("Initial certd tag is {:?}", certd_tag); // Load all certs without canonicalizing them. self.prefetch_internal(true, &[], false); for (fp, (cert, tag)) in self.certs_cache.read().unwrap().iter() { self.db_insert( &tx, &mut commit, tag.clone(), fp, Box::new(cert.keys().map(|sk| sk.fingerprint())), Box::new(cert.userids()))?; } // Save some cycles next time. self.db_set_certd_tag(&tx, certd_tag)?; t!("Setting DB tag to {:?}", certd_tag); if commit { tx.commit()?; } else { tx.rollback()?; } *last_scan = Some(Instant::now()); self.load_stats.persistent_index_scans_inc(); // As a side effect of updating the persistent index, we build // the in-memory index. db.in_memory_tag = Some(certd_tag); Ok(()) } /// Initializes the in-memory index from the database. /// /// This does a hard reinitialization. It's up to the caller to /// decide whether this is necessary. fn initialize_in_memory_index(&self, tx: &Transaction) -> Result<()> { tracer!(TRACE, "CertD::initialize_in_memory_index"); let mut index_cache = self.index_cache.write().unwrap(); let mut by_key_fingerprint = || -> Result<_> { let mut stmt = tx.prepare("SELECT fingerprint, cert_fingerprint \ FROM keys")?; let r = stmt.query_map( [], |row| { Ok((Fingerprint::from_str(&row.get::<_, String>(0)?), Fingerprint::from_str(&row.get::<_, String>(1)?))) })? .filter_map(|row| { if let Ok((subkey, cert)) = row { if let (Ok(subkey), Ok(cert)) = (subkey, cert) { Some((subkey, smallvec![cert])) } else { None } } else { None } }) .collect::)>>(); Ok(r) }().unwrap_or_else(|_| Default::default()); // Sort by subkey fingerprint, then collate adjacent lists // into the first. by_key_fingerprint.sort_unstable_by(|a, b| a.0.cmp(&b.0)); // We maintain a pointer to the first item within a run of the // same fingerprint. We'll collate all other fingerprints // into the bucket of the first item. let mut current: Option<&mut (Fingerprint, SmallVec<[Fingerprint; 1]>)> = None; for item in by_key_fingerprint.iter_mut() { if let Some(c) = current.as_mut() { if c.0 == item.0 { insert_unique(&mut c.1, Cow::Owned(item.1.pop().unwrap())); } else { // The current run of fingerprints has ended and // it is time to update the pointer. current = Some(item); } } else { // Current was None. We found our first current. current = Some(item); } } // Only retain the entries with non-empty buckets. by_key_fingerprint.retain(|(_, cert_bucket)| ! cert_bucket.is_empty()); let by_key_id = by_key_fingerprint.iter() .map(|(subkey, cert_bucket)| { (KeyID::from(subkey), cert_bucket.clone()) }) .collect(); let by_userid = || -> Result<_> { let mut stmt = tx.prepare( "SELECT cert_fingerprint, userid, email \ FROM userids")?; let r = stmt.query_map( [], |row| { Ok((Fingerprint::from_str(&row.get::<_, String>(0)?), UserID::from(row.get::<_, String>(1)?), row.get::<_, Option>(2)?)) })? .filter_map(|row| { if let Ok((Ok(fp), userid, email)) = row { Some((fp, userid, email.filter(|e| ! e.is_empty()))) } else { None } }) .collect::(); Ok(r) }().unwrap_or_else(|_| Default::default()); *index_cache = Index { by_key_fingerprint: by_key_fingerprint.into_iter().collect(), by_key_id, by_userid, }; self.load_stats.in_memory_loads_inc(); Ok(()) } /// Makes sure that the on-disk index and the in-memory index are /// up-to-date. fn scan(&self, db: &mut DB) -> Result<()> { tracer!(false, "CertD::scan"); // Rate-limit scanning. Don't rescan if we did a scan (very) // recently. let mut last_scan = self.last_scan.lock().unwrap(); let now = Instant::now(); if let Some(last_scan) = last_scan.as_ref() { if now < *last_scan { // Time travel? t!("Maybe rescanning (time travel)"); } else if now.duration_since(*last_scan) > SCAN_LIMIT { // It's been too long since the last scan. t!("Maybe rescanning"); } else { return Ok(()) }; } else { t!("Never scanned"); } // We hold last_scan. This blocks other threads from doing a // scan, which is exactly what we want as when they wake up, // they'll see that a scan was just done. *last_scan = Some(now); // See if the database is up-to-date. let disk_certd_tag = self.certd.tag(); // Start a transaction in deferred mode. We may still // discover that then database is current, so we don't need an // immediate write lock on the database. let tx = Transaction::new_unchecked( &db.conn, TransactionBehavior::Deferred)?; let mut commit = true; let db_tag = self.db_certd_tag(&tx)?; if db_tag == Some(disk_certd_tag) { // It is. We're done. t!("Persistent index is up to date, exiting."); if db.in_memory_tag != Some(disk_certd_tag) { t!("In-memory index's tag does not match disk tag, reloading"); self.initialize_in_memory_index(&tx)?; db.in_memory_tag = db_tag; } else { t!("In-memory index's tag matches disk tag, exiting"); } return Ok(()); } t!("Persistent index's tag does not match disk tag, rescanning"); // Read all tags indexed by fingerprint into the core. This // has two benefits. First, we have a quick way to compare // tags later. Second, we can detect corrupted fingerprints // and key IDs and remove them from the index. let mut stmt = tx.prepare_cached( "SELECT rowid, fingerprint, keyid, tag FROM certs")?; let mut bad = Vec::new(); let tags: BTreeMap<_, _> = stmt.query([])? .mapped(|r| Ok((r.get(0)?, r.get(1)?, r.get(2)?, r.get(3)?))) .filter_map(|row| { let (rowid, fp_str, keyid_str, tag): (i64, String, String, i64) = row.ok()?; match (fp_str.parse::(), keyid_str.parse::()) { (Ok(fp), Ok(_)) => Some((fp, db2tag(tag))), _ => { bad.push(rowid); None }, } }) .collect(); drop(stmt); for bad_rowid in bad { commit = commit && { let mut stmt = tx.prepare_cached( "DELETE FROM certs WHERE rowid = ?0")?; ignore_sqlite_busy(stmt.execute(params![bad_rowid]))? }; } // Scan the subkey index for corrupted fingerprints and key // IDs and remove them from the index. let mut stmt = tx.prepare_cached( "SELECT cert_fingerprint, fingerprint, keyid FROM keys")?; let mut bad = BTreeSet::new(); for row in stmt.query([])? .mapped(|r| Ok((r.get(0)?, r.get(1)?, r.get(2)?))) { let (cert_fp, fp_str, keyid_str): (String, String, String) = row?; match (fp_str.parse::(), keyid_str.parse::()) { (Ok(_), Ok(_)) => (), _ => { bad.insert(cert_fp); }, } } drop(stmt); for bad_cert_fp in bad { commit = commit && { let mut stmt = tx.prepare_cached( "DELETE FROM keys WHERE cert_fingerprint = ?0")?; ignore_sqlite_busy(stmt.execute(params![bad_cert_fp]))? }; } // Scan the subkey index for corrupted fingerprints and key // IDs and remove them from the index. let mut stmt = tx.prepare_cached( "SELECT cert_fingerprint FROM userids")?; let mut bad = BTreeSet::new(); for row in stmt.query([])? .mapped(|r| Ok(r.get::<_, String>(0)?)) { if let Ok(fp) = row { if fp.parse::().is_err() { bad.insert(fp); } } } drop(stmt); for bad_cert_fp in bad { commit = commit && { let mut stmt = tx.prepare_cached( "DELETE FROM userids WHERE cert_fingerprint = ?0")?; ignore_sqlite_busy(stmt.execute(params![bad_cert_fp]))? }; } let transaction = |commit: &mut bool, fp_str: &str, file| -> Result<()> { t!("Considering {}", fp_str); let fp: Fingerprint = fp_str.parse()?; let tag = cert_d::Tag::try_from(&file)?; if tags.get(&fp) == Some(&tag) { t!("{} is up to date!", fp_str); return Ok(()); } let mut parser = br::File::new_with_cookie( file, self.certd.get_path(fp_str)?, Default::default()) .map_err(Into::into) .and_then(RawCertParser::from_buffered_reader) .map_err(|err| { t!("While reading {:?} from the certd {:?}: {}", fp, self.path, err); err })?; match parser.next() { Some(Ok(cert)) => { t!("inserting"); self.insert_rawcert(&tx, commit, cert, tag)?; Ok(()) }, Some(Err(err)) => { t!("While parsing {:?} from the certd {:?}: {}", fp, self.path, err); Err(err) }, None => { t!("While parsing {:?} from the certd {:?}: empty file", fp, self.path); Err(anyhow::anyhow!("empty file")) }, } }; for (fp, file) in self.certd.iter_files().filter_map(cert_d::Result::ok) { if let Err(e) = transaction(&mut commit, &fp, file) { t!("{}: {}", fp, e); let mut stmt = tx.prepare_cached( "DELETE FROM certs WHERE fingerprint = ?1")?; commit = commit && ignore_sqlite_busy(stmt.execute(params![fp]))?; } } // Save some cycles next time. self.db_set_certd_tag(&tx, disk_certd_tag)?; // Make sure the in-memory index is up to date. if db_tag == db.in_memory_tag { // The in-memory index was consistent with the persistent // index. As we updated the persistent index, we also // updated the in-memory index so the in-memory index is // not also consistent with the cert-d. db.in_memory_tag = Some(disk_certd_tag); } else if db.in_memory_tag != Some(disk_certd_tag) { // The in-memory index was not consistent with the cert-d. // Rebuild it. t!("In-memory index out of date relative to db, reloading"); self.initialize_in_memory_index(&tx)?; db.in_memory_tag = db_tag; } *last_scan = Some(Instant::now()); if commit { tx.commit()?; } else { tx.rollback()?; } self.load_stats.persistent_index_scans_inc(); Ok(()) } /// Returns the certificate directory's local trust root, and /// whether it was just created. /// /// If the local trust root does not yet exist, it is created. pub fn trust_root(&self) -> Result<(Arc>, bool)> { self.get_ca(cert_d::TRUST_ROOT, true, &UserID::from_static_bytes(b"Local Trust Root"), None) } /// Converts a shadow CA's name to a certificate directory's /// special name. /// /// For instance, this converts "keys.openpgp.org" to its special /// name. fn shadow_ca_special(name: &str) -> Cow { if name == cert_d::TRUST_ROOT { Cow::Borrowed(name) } else { Cow::Owned(format!("_sequoia_ca_{}.pgp", name)) } } // '/', '\\', ':', and whitespace are invalid. fn valid_name(name: &str) -> bool { name.chars().all(Self::valid_char) } /// Returns whether `c` may be used in names. fn valid_char(c: char) -> bool { // The list of reserved characters on Windows are documented // here: // // https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file ! (c.is_whitespace() || c == '<' || c == '>' || c == ':' || c == '"' || c == '/' || c == '\\' || c == '|' || c == '?' || c == '*') } /// Returns a shadow CA's key, and whether it was just created. /// /// # Introduction /// /// Shadow CAs are used to encode evidence of a binding's veracity /// in standard web of trust data structures so that the /// information can be automatically incorportated into web of /// trust calculations. /// /// Consider [`keys.openpgp.org`], which is a verifying keyserver. /// `keys.openpgp.org` checks whether a user ID should be /// associated with a certificate using a challenge-response /// authentication scheme. When someone uploads a certificate, /// `keys.openpgp.org` iterates over the user IDs, and if a user /// ID contains an email address, sends an email to it containing /// a secret link. The owner of the email address can visit the /// link to confirm to `keys.openpgp.org` that the email address /// should be associated with the certificate. /// /// Although `keys.openpgp.org` verifies User IDs, it does not /// issue third-party certifications attesting to that fact. But, /// clients can infer this from `keys.openpgp.org` behavior: when /// `keys.openpgp.org` returns a certificate, it only returns user /// IDs that it has verified as belonging to the certificate. /// /// An OpenPGP client could record the fact that /// `keys.openpgp.org` returned a user ID in a database. The main /// question is then how to combine that information with other /// information in a coherent manner. Alternatively, we can /// encode the assertion as a certification using a so-called /// shadow CA. By encoding this information as a normal OpenPGP /// artifact, it can be directly integrated into web of trust /// calculations; another, parallel system to combine evidence is /// not needed. /// /// [keys.openpgp.org]: https://keys.openpgp.org /// /// # Usage /// /// `name` is the shadow CA's name. This is converted to the /// special name `_sequoia_ca_ + name + .pgp`. Names must not /// contain white space (` ` or `\n`), path separators (`\` or /// `/`), or colons (`:`). /// /// If the shadow CA doesn't exist and `create` is true, it is /// created. In this case, the user ID is set to `userid`, and if /// `trust_amount` is greater than 0, it is designed a trusted /// introducer by the last `CA` listed in `intermediaries`, or the /// local trust root, if the list is empty. The certification's /// trust amount is set to `trust_amount`. /// /// `intermediaries` is a list of tuples consisting of a name, a /// user ID, and a trust amount. Each tuple corresponds to an /// intermediary shadow CA. It may be empty; the local trust root /// is always the trust anchor and shouldn't be listed explicitly. /// /// This function works from the trust root towards the shadow CA. /// If an intermediate shadow CA does not exist and `create` is /// true, it is created, and certified by its parent CA. /// /// On success, the shadow CA is returned, and whether the shadow /// CA was just created. /// /// # Examples /// /// The following code looks up the shadow CA for /// `keys.openpgp.org`. It is not directly certified by the trust /// root, but by a partially trusted intermediary named /// `public_directories`, which acts as a type of resistor for all /// public directories. Note: if you are actually looking up the /// shadow CA for `keys.openpgp.org`, you should use /// [`CertD::shadow_ca_keys_openpgp_org`] instead. /// /// The local key for `keys.openpgp.org` is then used to certify /// the user IDs on a certificate, which was presumably returned /// by `keys.openpgp.org`. /// /// ```rust /// use std::sync::Arc; /// /// use anyhow::Context; /// /// use sequoia_openpgp as openpgp; /// use openpgp::cert::CertBuilder; /// use openpgp::Cert; /// use openpgp::packet::Packet; /// use openpgp::packet::UserID; /// use openpgp::packet::signature::SignatureBuilder; /// use openpgp::types::SignatureType; /// /// use sequoia_cert_store as cert_store; /// use cert_store::LazyCert; /// use cert_store::store::certd::CertD; /// use cert_store::store::StoreUpdate; /// /// # fn main() -> openpgp::Result<()> { /// # let certd_path = tempfile::tempdir()?; /// let mut certd = CertD::open(&certd_path)?; /// /// let (koo, _created) = certd.shadow_ca( /// "keys.openpgp.org", /// true, /// "Downloaded from keys.openpgp.org", /// 1, /// &[ /// ( "public_directories", UserID::from("Public Directories"), 40), /// ])?; /// /// // Pretend the following certificate was fetched from keys.openpgp.org. /// let alice_userid = ""; /// let (alice, _rev) = CertBuilder::general_purpose(None, Some(alice_userid)) /// .generate()?; /// /// // Certify the binding using the shadow CA. /// let mut koo_signer = koo.to_cert()?.primary_key().key().parts_as_secret() /// .context("CA is not certification capable.")? /// .clone().into_keypair() /// .context("CA is not certification capable.")?; /// /// let sig = SignatureBuilder::new(SignatureType::GenericCertification) /// .set_exportable_certification(false)? /// .sign_userid_binding( /// &mut koo_signer, /// alice.primary_key().key(), /// &UserID::from(alice_userid)) /// .context("Signing binding")?; /// /// let alice = alice.insert_packets([ /// Packet::from(UserID::from(alice_userid)), /// Packet::from(sig), /// ])?; /// /// certd.update(Arc::new(LazyCert::from(alice))); /// # Ok(()) } /// ``` pub fn shadow_ca(&self, name: &str, create: bool, userid: U, trust_amount: u8, intermediaries: &[(&str, UserID, u8)], ) -> Result<(Arc>, bool)> where U: Into, { let userid = userid.into(); tracer!(TRACE, "CertD::shadow_ca"); t!("{}, create: {}, userid: {:?}, {}, {} intermediaries", name, create, String::from_utf8_lossy(userid.value()), trust_amount, intermediaries.len()); let name = CertD::shadow_ca_special(name); // If the CA is cached in memory, short-circuit everything. if let Ok(result) = self.get_ca(&name, false, &userid, None) { t!("Returning cached certificate {} for {}", result.0.fingerprint(), name); return Ok(result); } // Iterate from the trust root towards the shadow CA. let mut ca: (Arc, bool) = self.get_ca( cert_d::TRUST_ROOT, create, &UserID::from_static_bytes(b"Local Trust Root"), None)?; for (name, userid, trust_amount) in intermediaries .into_iter() .map(|(name, userid, amount)| { (CertD::shadow_ca_special(name), userid, *amount) }) .chain(iter::once((name, &userid, trust_amount))) { if ! Self::valid_name(&name) { return Err(cert_d::Error::BadName.into()); } t!("Getting {} (create: {}, userid: {:?}, {})", name, create, String::from_utf8_lossy(userid.value()), trust_amount); ca = self.get_ca(&name, create, &userid, Some((ca.0, trust_amount)))?; t!("{} -> {}", name, ca.0.fingerprint()); } Ok(ca) } /// Returns the specified CA, optionally creating and certifying /// it if it doesn't exist. /// /// See [`CertD::shadow_ca`] for details about shadow CAs. /// /// This function first checks if the specified CA is in the /// in-memory cache. If so, it checks that the cached version is /// up to date, and then returns the result. /// /// If the CA is not in the in-memory cache, it is loaded from /// disk. If it doesn't exist on disk an `create` is `true`, it /// the shadow CA is created. See [`CertD::load_ca`] for details /// of what is exactly done. fn get_ca(&self, special_name: &str, create: bool, userid: &UserID, parent: Option<(Arc>, u8)>) -> Result<(Arc>, bool)> { tracer!(TRACE, "CertD::get_ca"); let mut cas = self.cas.lock().unwrap(); let get_if_changed = |tag, name| -> Result> { match self.certd.get_if_changed(tag, name) { Ok(None) => { // The certificate on disk did not change. return Ok(None); }, Ok(Some((new_tag, bytes))) => { // The certificate on disk changed. Reparse it. t!("{} changed on disk, reloading.", name); match Cert::from_bytes(&bytes) { Ok(cert) => { return Ok(Some((cert, new_tag))); } Err(err) => { // An error occurred while parsing the // data. That's not great. We just keep // using what we have. t!("While reparsing {}: {}", name, err); return Ok(None); } } } // An error occurred while reading the file. That's // not great. We just keep using what we have. Err(err) => { t!("While rereading {}: {}", name, err); return Ok(None); } } }; if let Some(CA { cert: ca, special_tag, public_tag }) = cas.get_mut(special_name) { // The certificate is cached it memory. Make sure the // in-memory version is up to date. t!("{} -> {} is cached in memory", special_name, ca.fingerprint()); if let Some((cert, tag)) = get_if_changed(*special_tag, special_name)? { *ca = Arc::new(LazyCert::from( ca.to_cert()? .clone() .merge_public_and_secret(cert)?)); *special_tag = tag; } if let Some((cert, tag)) = get_if_changed(*public_tag, &ca.fingerprint().to_string())? { *ca = Arc::new(LazyCert::from( ca.to_cert()? .clone() .merge_public_and_secret(cert)?)); *public_tag = tag; } Ok((Arc::clone(ca), false)) } else { // The certificate is not cached in memory; we need to // read it from disk, or generate it. let (ca, created) = self.load_ca(special_name, create, userid, parent)?; let cert = Arc::clone(&ca.cert); t!("Loaded {} ({}) from disk, caching in memory", special_name, cert.fingerprint()); match cas.entry(special_name.to_string()) { btree_map::Entry::Occupied(mut oe) => { oe.insert(ca); } btree_map::Entry::Vacant(ve) => { ve.insert(ca); } } Ok((cert, created)) } } /// Loads a CA's certificate from the certificate directory, or /// optionally generates one if it does not exist. /// /// Loads the certificate stored under the specified special name /// from the certificate directory. If the special name exists, /// this also reads and merges in the certificate data stored /// under the fingerprint. /// /// If `create` is `false` and the certificate does not exist, /// returns `std::io::ErrorKind::NotFound`. /// /// If `create` is `true`, and we need to generate a certificate, /// we are careful to so while we hold the certificate directory's /// lock to avoid races. /// /// If we create a certificate, and `parent` is not `None`, then /// we certify the certificate using `parent` as a trusted /// introducer for the specified trust amount. Note: if the CA is /// not created, this function does **not** check that the parent /// has certified the CA. /// /// If we create a certificate, we write it to disk under both its /// special name, and its fingerprint. fn load_ca(&self, name: &str, create: bool, userid: &UserID, parent: Option<(Arc>, u8)>) -> Result<(CA<'a>, bool)> { tracer!(TRACE, "CertD::load_ca"); let certd = self.certd(); // Exclusively lock the certificate directory by inserting the // trust root. We may discover that the trust already exists. // In that case, we won't generate a new one, but just load // the existing one. let mut ca = Err(anyhow::anyhow!("merge callback not invoked")); let mut created = false; let (special_tag, _) = certd.insert_special( name, (), false, |(), disk| { if let Some(disk) = disk { // We have one. ca = Cert::from_bytes(&disk); Ok(cert_d::MergeResult::Keep) } else if create { // We don't have one, and we should create one. let key = Self::generate_ca_key(userid)?; t!("Created {} for {}", key.fingerprint(), name); let bytes = key.as_tsk().to_vec()?; ca = Ok(key); created = true; Ok(cert_d::MergeResult::Data(bytes)) } else { // We don't have one, and we shouldn't create one. Err(cert_d::Error::Other( std::io::Error::new( std::io::ErrorKind::NotFound, format!("{} not found", name)).into())) } })?; let mut ca = ca?; let ca_fpr = format!("{:x}", ca.fingerprint()); let mut certify = |parent_cert: Arc, trust_amount| -> Result<()> { t!("Using {} to make {} a trusted introducer", parent_cert.fingerprint(), ca.fingerprint()); let mut signer = parent_cert .to_cert()? .primary_key() .key() .parts_as_secret() .context("Trust root can't be used for signing.")? .clone() .into_keypair() .context("Trust root can't be used for signing.")?; let sig = SignatureBuilder::new(SignatureType::GenericCertification) .set_exportable_certification(false)? .set_trust_signature(255, trust_amount)? .set_signature_creation_time(ca_creation_time())? .sign_userid_binding( &mut signer, ca.primary_key().key(), &userid) .with_context(|| { format!("Creating certification for {} {:?}", ca.fingerprint(), String::from_utf8_lossy(userid.value())) })?; ca = ca.clone().insert_packets([ Packet::from(userid.clone()), Packet::from(sig), ])?; Ok(()) }; let public_tag = if created { // Make the CA a trusted introducer. if let Some((parent_cert, trust_amount)) = parent { if let Err(err) = certify(parent_cert, trust_amount) { // XXX: What should we do with the error? t!("Failed to authorize CA, {:?}: {}", userid, err); } } // Insert the public bits under the fingerprint. let (public_tag, _) = certd.insert( &ca_fpr, &ca, false, |new, _old| { Ok(cert_d::MergeResult::Data(new.to_vec()?)) })?; public_tag } else { // We didn't create it. Read in the public version and // merge it. match certd.get(&ca_fpr) { Ok(Some((public_tag, bytes))) => { let cert = Cert::from_bytes(&bytes) .with_context(|| { format!("Parsing {}'s public certificate ({})", name, ca.fingerprint()) })?; ca = ca.clone().merge_public(cert) .with_context(|| { format!("Merging {}'s public certificate ({})", name, ca.fingerprint()) })?; public_tag } Ok(None) => { // The certificate is saved under the special // name, but not its fingerprint. Something went // wrong in the past, but we can fix it. let (public_tag, _) = certd.insert( &ca_fpr, &ca, false, |new, _old| { Ok(cert_d::MergeResult::Data(new.to_vec()?)) })?; public_tag } Err(err) => { t!("Reading {}'s public certificate: {}", name, err); return Err(err.into()); } } }; let ca = CA { cert: Arc::new(LazyCert::from(ca)), special_tag, public_tag, }; Ok((ca, created)) } /// Returns a new key, which is appropriate for a CA. /// /// That is, it has just a certification capable primary and no /// subkeys. fn generate_ca_key(userid: &UserID) -> Result { let (root, _) = CertBuilder::new() .set_primary_key_flags(KeyFlags::empty().set_certification()) .set_exportable(false) .set_creation_time(ca_creation_time()) // CAs should *not* expire. .set_validity_period(None) .add_userid(userid.clone()) .generate()?; Ok(root) } const PUBLIC_DIRECTORY_NAME: &'static str = "public_directories"; const PUBLIC_DIRECTORY_USERID: UserID = UserID::from_static_bytes(b"Public Directories"); const PUBLIC_DIRECTORY_TRUST_AMOUNT: u8 = 40; /// A local, intermediate CA used to authorize the shadow CAs for /// public directories. /// /// Shadow CAs for public directories like /// `hkps://keys.openpgp.org` and WKD are not directly certified /// by the local trust root, but by a local, intermediate CA. /// This CA acts as a resistor, which limits the combined trust /// amount of public directories. pub fn public_directory_ca(&self) -> Result<(Arc>, bool)> { self.shadow_ca( Self::PUBLIC_DIRECTORY_NAME, true, Self::PUBLIC_DIRECTORY_USERID, Self::PUBLIC_DIRECTORY_TRUST_AMOUNT, &[]) } fn via_public_directory_ca(&self, name: &str, userid: &str) -> Result<(Arc>, bool)> { self.shadow_ca( name, true, userid, // A public directory has the smallest, positive trust // amount: 1 out of 120. 1, &[ // The public directory CA acts as a resistor and // limits the combined trust amount of public // directories. (Self::PUBLIC_DIRECTORY_NAME, Self::PUBLIC_DIRECTORY_USERID, Self::PUBLIC_DIRECTORY_TRUST_AMOUNT), ]) } /// Returns the shadow CA for keys.openpgp.org. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_keys_openpgp_org(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "keys.openpgp.org", "Downloaded from keys.openpgp.org") } /// Returns the shadow CA for Proton. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_proton_me(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "proton.me", "Downloaded from Proton Mail") } /// Returns the shadow CA for keys.mailvelope.com. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_keys_mailvelope_com(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "keys.mailvelope.com", "Downloaded from keys.mailvelope.com") } /// Returns the shadow CA for WKDs. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_wkd(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "wkd", "Downloaded from a Web Key Directory (WKD)") } /// Returns the shadow CA for DANE. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_dane(&self) -> Result<(Arc>, bool)> { self.via_public_directory_ca( "dane", "Downloaded from DANE") } const WEB_NAME: &'static str = "web"; const WEB_USERID_STR: &'static str = "Downloaded from the Web"; const WEB_USERID: UserID = UserID::from_static_bytes(b"Downloaded from the Web"); const WEB_TRUST_AMOUNT: u8 = 1; /// Returns the shadow CA for the Web. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_web(&self) -> Result<(Arc>, bool)> { debug_assert_eq!(Self::WEB_USERID_STR.as_bytes(), Self::WEB_USERID.value()); self.via_public_directory_ca( Self::WEB_NAME, Self::WEB_USERID_STR) } /// Returns the shadow CA for the give URL. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_for_url(&self, url: &str) -> Result>, bool)>> { debug_assert_eq!(Self::WEB_USERID_STR.as_bytes(), Self::WEB_USERID.value()); // First, parse and sanitize the URL. let mut url = url::Url::parse(url)?; // We only certify the certificate if the transport was // encrypted and authenticated. if url.scheme() != "https" { return Ok(None); } // Drop sensitive and irrelevant information. url.set_username("").expect("https? supports authentication"); url.set_password(None).expect("https? supports authentication"); url.set_fragment(None); // Percent-encode characters not valid in names. let mut name = String::from("shadow_of_url_"); for c in url.as_str().chars() { if Self::valid_char(c) && c != '%' { name.push(c); } else { // Note: all invalid chars are ASCII characters, so // u8::try_from will succeed. debug_assert_eq!(c.len_utf8(), 1); name.push_str( &format!("%{:02X}", u8::try_from(c).unwrap_or(0))); } } self.shadow_ca( &name, true, format!("Downloaded from {}", url.as_str()), 1, &[ (Self::PUBLIC_DIRECTORY_NAME, Self::PUBLIC_DIRECTORY_USERID, Self::PUBLIC_DIRECTORY_TRUST_AMOUNT), (Self::WEB_NAME, Self::WEB_USERID, Self::WEB_TRUST_AMOUNT), ]) .map(Some) } /// Returns a shadow CA for the specified keyserver. /// /// If a keyserver is not known to be a verifying keyserver, then /// this returns `Ok(None)`. /// /// The URI should be of the form `hkps://server.example.com`. /// Other protocols are not supported. The server name is matched /// case insensitively. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_keyserver(&self, uri: &str) -> Result>, bool)>> { let uri = uri.to_ascii_lowercase(); // We only certify the certificate if the transport was // encrypted and authenticated. let server = if let Some(server) = uri.strip_prefix("hkps://") { server } else { return Ok(None); }; let server = server.strip_suffix("/").unwrap_or(server); // A basic sanity check on the name, which we are about to use // as a filename: it can't start with a dot, and no // whitespace, no slashes, and no colons are allowed. if server.chars().next() == Some('.') || ! Self::valid_name(server) { return Ok(None); } // The known verifying key servers. match &server[..] { "keys.openpgp.org" | "keys.openpgp.io" => self.shadow_ca_keys_openpgp_org().map(Some), "keys.mailvelope.com" => self.shadow_ca_keys_mailvelope_com().map(Some), "mail-api.proton.me" | "api.protonmail.ch" => self.shadow_ca_proton_me().map(Some), _ => Ok(None), } } const AUTOCRYPT_NAME: &'static str = "autocrypt"; const AUTOCRYPT_USERID: UserID = UserID::from_static_bytes(b"Imported from Autocrypt"); const AUTOCRYPT_TRUST_AMOUNT: u8 = 40; /// Returns the shadow CA for Autocrypt. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_autocrypt(&self) -> Result<(Arc>, bool)> { self.shadow_ca( Self::AUTOCRYPT_NAME, true, Self::AUTOCRYPT_USERID, Self::AUTOCRYPT_TRUST_AMOUNT, &[]) } const AUTOCRYPT_GOSSIP_NAME: &'static str = "autocrypt-gossip"; const AUTOCRYPT_GOSSIP_USERID: UserID = UserID::from_static_bytes(b"Imported from Autocrypt Gossip"); const AUTOCRYPT_GOSSIP_TRUST_AMOUNT: u8 = 40; /// Returns the shadow CA for Autocrypt Gossip. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_autocrypt_gossip(&self) -> Result<(Arc>, bool)> { self.shadow_ca( Self::AUTOCRYPT_GOSSIP_NAME, true, Self::AUTOCRYPT_GOSSIP_USERID, Self::AUTOCRYPT_GOSSIP_TRUST_AMOUNT, &[ (Self::AUTOCRYPT_NAME, Self::AUTOCRYPT_USERID, Self::AUTOCRYPT_TRUST_AMOUNT), ]) } /// Returns the shadow CA for recording Autocrypt Gossip in the /// name of the given cert and sender address. /// /// If you observe an Autocrypt mail from `addr` signed by `cert`, /// and the message contains Autocrypt Gossip headers in the /// encrypted payload, use this function to get a shadow CA to /// turn the Autocrypt Gossip into OpenPGP certifications. /// /// See [`CertD::shadow_ca`] for more information about shadow /// CAs. pub fn shadow_ca_autocrypt_gossip_for(&self, cert: &Cert, addr: &str) -> Result<(Arc>, bool)> { // Sanity-check the address. let u = UserID::from_address( "Autocrypt Gossip from".into(), None, addr)?; self.shadow_ca( &format!("shadow_of_{:x}", cert.fingerprint()), true, u, 1, &[ (Self::AUTOCRYPT_NAME, Self::AUTOCRYPT_USERID, Self::AUTOCRYPT_TRUST_AMOUNT), (Self::AUTOCRYPT_GOSSIP_NAME, Self::AUTOCRYPT_GOSSIP_USERID, Self::AUTOCRYPT_GOSSIP_TRUST_AMOUNT), ]) } /// Returns the database version. fn db_version(&self, tx: &Transaction) -> RResult { let mut stmt = tx.prepare_cached( "SELECT version FROM version WHERE id == 0")?; let r = stmt.query([])?.mapped(|r| r.get(0)).next().unwrap_or(Ok(0))?; Ok(r) } /// Returns the certd tag recorded in the database. fn db_certd_tag(&self, tx: &Transaction) -> Result> { let mut stmt = tx.prepare_cached( "SELECT tag FROM certd_tag WHERE id == 0")?; let r = stmt.query([])?.mapped(|r| Ok(db2tag(r.get(0)?))) .next().transpose()?; Ok(r) } /// Sets the certd tag recorded in the database. fn db_set_certd_tag(&self, tx: &Transaction, t: cert_d::Tag) -> Result<()> { if let Ok(mut stmt) = tx.prepare_cached( "INSERT OR REPLACE INTO certd_tag (id, tag) \ VALUES (0, ?1)") { ignore_sqlite_busy(stmt.execute(params![tag2db(t)]))?; } Ok(()) } /// Inserts the raw cert into the database and in-core cache. /// /// Only updates the database as long as `*commit` is true, and /// will clear the flag if writing to the database fails because /// the database is locked for writing. fn insert_rawcert(&self, tx: &Transaction, commit: &mut bool, cert: RawCert<'a>, tag: cert_d::Tag) -> Result<()> { let fp = cert.fingerprint(); self.db_insert( tx, commit, tag, &fp, Box::new(cert.keys().map(|sk| sk.fingerprint())), Box::new(cert.userids()))?; // Now insert it into the cache. self.certs_cache.write().unwrap() .insert(fp, (Arc::new(LazyCert::from(cert)), tag)); Ok(()) } /// Inserts the cert into the database and in-core cache. /// /// `cert_tag` is the certificate's tag. /// /// `certd_tag` is a tuple of the certd's tag prior to the /// insertion, and after the insertion, if known. fn insert_cert(&self, cert: Arc>, cert_tag: cert_d::Tag, certd_tags: Option<(cert_d::Tag, cert_d::Tag)>) -> Result<()> { tracer!(TRACE, "CertD::insert_cert"); let fp = cert.fingerprint(); let mut db = self.conn.lock().unwrap(); let mut set_in_memory_tag = None; if let Ok(tx) = Transaction::new_unchecked( &db.conn, TransactionBehavior::Immediate) { let mut commit = true; self.db_insert( &tx, &mut commit, cert_tag, &fp, Box::new(cert.keys().map(|skb| skb.fingerprint())), Box::new(cert.userids().map(|uidb| uidb.clone())))?; if let Some((pre, post)) = certd_tags { if let Ok(Some(db_certd_tag)) = self.db_certd_tag(&tx) { if pre == db_certd_tag { // If we fail to update the certd tag, nothing // bad will happen: the next time we check the // tag, we'll notice that it's out of date. let _ = self.db_set_certd_tag(&tx, post); t!("DB tag matched cert-d tag, rolling forward"); if Some(pre) == db.in_memory_tag { set_in_memory_tag = Some(post); t!("In-memory tag matched db's cert-d tag, \ rolling forward"); } else { t!("In-memory tag ({:?}) did NOT match db's \ cert-d tag ({:?}), NOT rolling forward \ (to {:?})", db.in_memory_tag, pre, post); } } else { t!("DB tag ({:?}) did NOT match cert-d tag ({:?}), \ NOT rolling forward (to {:?})", db_certd_tag, pre, post); } } } // Commit so that we release the exclusive lock on the // database before acquiring the exclusive lock on the cache. if commit { tx.commit()?; } else { tx.rollback()?; } } if let Some(set_in_memory_tag) = set_in_memory_tag { db.in_memory_tag = Some(set_in_memory_tag); } drop(db); // Now insert it into the cache. self.certs_cache.write().unwrap().insert(fp, (cert, cert_tag)); Ok(()) } /// Inserts information about a cert (subkey fingerprints and user /// IDs) into the database. /// /// Only updates the database as long as `*commit` is true, and /// will clear the flag if writing to the database fails because /// the database is locked for writing. fn db_insert<'i>(&self, tx: &Transaction, commit: &mut bool, tag: cert_d::Tag, cert_fp: &Fingerprint, keys: Box + 'i>, userids: Box + 'i>) -> Result<()> { let keyid = openpgp::KeyID::from(cert_fp); let cert_fp_db = fingerprint2db(cert_fp); // First, insert the cert and get its row id. *commit = *commit && { let mut stmt = tx.prepare_cached( "INSERT OR REPLACE INTO certs (tag, keyid, fingerprint) \ VALUES (?1, ?2, ?3)")?; ignore_sqlite_busy(stmt.execute(params![ tag2db(tag), keyid2db(&keyid), &cert_fp_db]))? }; // Now insert the keys. Note that this doesn't remove // entries for subkeys that have been stripped from the // certificate. let mut stmt = tx.prepare_cached( "INSERT OR IGNORE INTO keys \ (cert_fingerprint, keyid, fingerprint) \ VALUES (?1, ?2, ?3)")?; // And, also update the in-memory index. let mut index = self.index_cache.write().unwrap(); for subkey_fp in keys { let keyid = openpgp::KeyID::from(&subkey_fp); *commit = *commit && ignore_sqlite_busy(stmt.execute(params![ &cert_fp_db, keyid2db(&keyid), fingerprint2db(&subkey_fp)]))?; insert_unique(index.by_key_fingerprint.entry(subkey_fp).or_default(), Cow::Borrowed(cert_fp)); insert_unique(index.by_key_id.entry(keyid).or_default(), Cow::Borrowed(cert_fp)); } // Now insert the user IDs. Note that this doesn't remove // entries for user IDs that have been stripped from the // certificate. let mut by_userid = index.by_userid.inner_mut(); for uid in userids { let uidstr = String::from_utf8_lossy(uid.value()).to_string(); let email = uid.email_normalized().ok().flatten(); by_userid.insert(cert_fp.clone(), uid, email.clone()); *commit = *commit && { let domain = email.as_ref().and_then(|e| e.rfind("@").map(|i| &e[i + 1..])); let mut stmt = tx.prepare_cached( "INSERT OR IGNORE INTO userids \ (cert_fingerprint, userid, email, domain) \ VALUES (?1, ?2, ?3, ?4)")?; ignore_sqlite_busy(stmt.execute(params![ &cert_fp_db, uidstr, email, domain]))? }; } drop(by_userid); drop(index); Ok(()) } /// Initializes the version 1 persistent indices. /// /// Any existing content is lost. fn initialize_v1(tx: &Transaction) -> Result<()> { tx.execute_batch(" -- A table identifying the version and a human-readable magic. DROP TABLE IF EXISTS version; CREATE TABLE version ( id INTEGER PRIMARY KEY, version INTEGER NOT NULL, comment TEXT NOT NULL ); -- Record the schema version. INSERT OR IGNORE INTO version VALUES (0, 1, \"sequoia cert cache v1\"); -- Tag of the certd directory to quickly detect whether the db is stale. DROP TABLE IF EXISTS certd_tag; CREATE TABLE certd_tag ( id INTEGER PRIMARY KEY, tag INTEGER NOT NULL ); -- A table for all the certificates. DROP TABLE IF EXISTS certs; CREATE TABLE certs ( tag INTEGER NOT NULL, keyid TEXT NOT NULL, fingerprint TEXT PRIMARY KEY NOT NULL ); CREATE INDEX IF NOT EXISTS certs_keyid ON certs (keyid); -- A mapping from subkey key IDs and fingerprints to certs. DROP TABLE IF EXISTS keys; CREATE TABLE keys ( cert_fingerprint TEXT NOT NULL, keyid TEXT NOT NULL, fingerprint TEXT NOT NULL, FOREIGN KEY(cert_fingerprint) REFERENCES certs(fingerprint) ON DELETE CASCADE, UNIQUE(cert_fingerprint, fingerprint) ); CREATE INDEX IF NOT EXISTS keys_fingerprint ON keys (fingerprint); CREATE INDEX IF NOT EXISTS keys_keyid ON keys (keyid); -- A mapping from user IDs to certs. DROP TABLE IF EXISTS userids; CREATE TABLE userids ( cert_fingerprint TEXT NOT NULL, userid TEXT NOT NULL, email TEXT, domain TEXT, FOREIGN KEY(cert_fingerprint) REFERENCES certs(fingerprint) ON DELETE CASCADE, UNIQUE(cert_fingerprint, userid) ); CREATE INDEX IF NOT EXISTS userids_userid ON userids (userid); CREATE INDEX IF NOT EXISTS userids_email ON userids (email); CREATE INDEX IF NOT EXISTS userids_domain ON userids (domain); ")?; Ok(()) } /// Loads the cert identified by `fp` either from the cache or the /// disk. /// /// This takes the `CertD::certs_cache` and `CertD::index_cache` /// locks. The caller must be careful to not hold them. fn load(&self, fp: &Fingerprint) -> Result>> { tracer!(TRACE, "CertD::load"); let fp_name = format!("{:x}", fp); // We want to retry once. See below for the explanation. let mut tries = 1; 'retry: loop { let transaction = || { let fh = self.certd.get_file(&fp_name)? .ok_or_else(|| StoreError::NotFound(fp.into()))?; let disk_tag = cert_d::Tag::try_from(&fh)?; Ok((fh, disk_tag)) }; let (fh, disk_tag) = transaction().map_err(|e: anyhow::Error| { // Evict the entry from the cache. self.certs_cache.write().unwrap().remove(fp); e })?; // Happy path: look into the cache without acquiring a write // lock and see if the tag is current. let mut initial_cached_tag = None; if let Some((cached_cert, cached_tag)) = self.certs_cache.read().unwrap().get(fp) { if cached_tag == &disk_tag { t!("{} loaded from cache on happy path", fp); return Ok(cached_cert.clone()); } initial_cached_tag = Some(cached_tag.clone()); } // Slow path: either the cert was not present or outdated. // Load it from disk, and update the cache after the I/O is // done. t!("{} outdated in cache, loaded from disk", fp); let raw = br::File::new_with_cookie( fh, self.certd.get_path(&fp_name)?, Default::default()) .map_err(Into::into) .and_then(RawCert::from_buffered_reader) .map_err(|e| { t!("Failed to load cert: {}", e); e })?; let update_index = |raw: &RawCert| { let mut index = self.index_cache.write().unwrap(); for subkey in raw.keys() { let subkey_fp = subkey.fingerprint(); let keyid = openpgp::KeyID::from(&subkey_fp); insert_unique( index.by_key_fingerprint.entry(subkey_fp).or_default(), Cow::Borrowed(fp)); insert_unique( index.by_key_id.entry(keyid).or_default(), Cow::Borrowed(fp)); } index.by_userid.insert(fp, raw.userids()); drop(index); }; // After we acquire the `CertD::certs_cache` lock, we need // to resolve a potential race. // // Let's say we have two threads, A and B. Both threads // want to load the same certificate. At some point, an // external task, E, may modify the on-disk certificate // changing it from C to C'. At the end, C' should be // stored in the cache; C must not overwrite C'. // // - Scenario #0: No mutation, no conflict. This is fine. // // 1. A: Read C // 2. B: Read C // 3. A: Insert C // 4. B: Insert C // // (Steps 1 & 2, and/or steps 3 & 4 can be reversed // without changing the analysis.) // // - Scenario #1: Mutation after A and B read C. This is // fine: the next time some thread reads C, they will // update the cache. // // 1. A: Read C // 2. B: Read C // 3. E: Modifies C -> C' // 4. A: Insert C <- Safe. // 5. B: Insert C <- Safe. // // (Steps 1 & 2, and/or steps 4 & 5 can be reversed // without changing the analysis.) // // - Scenario #2.A: A reads C. C is mutated. B reads C'. // A inserts C into the cache. Then B inserts C' into // the cache. This is fine: the latest version is // stored in the cache. // // 1. A: Read C // 2. E: Modifies C -> C' // 3. B: Read C' // 4. A: Insert C <- Safe. // 5. B: Insert C' <- Safe. // // - Scenario #2.B: B reads C. C is mutated. A reads C'. // B inserts C into the cache. Then A inserts C' into the // cache. This is fine: the latest version is stored in // the cache. // // 1. B: Read C // 2. E: Modifies C -> C' // 3. A: Read C' // 4. B: Insert C <- Safe. // 5. A: Insert C' <- Safe. // // - Scenario #3.A: A reads C. C is mutated. B reads C', // and inserts it into the cache. A inserts C into the // cache overwriting C'. STEP 5 IS A DISASTER. // // 1. A: Read C // 2. E: Modifies C -> C' // 3. B: Read C' // 4. B: Insert C' <- Safe. // 5. A: Insert C <- DOOM. // // - Scenario #3.B: B reads C. C is mutated. A reads C', // and inserts it into the cache. B inserts C into the // cache overwriting C'. STEP 5 IS A DISASTER. // // 1. B: Read C // 2. E: Modifies C -> C' // 3. A: Read C' // 4. A: Insert C' <- Safe. // 5. B: Insert C <- DOOM. // // To prevent scenario #3, we can do the following: after // reacquiring the lock, but before inserting the // certificate into the cache, the thread checks that: // // - The tag in the cache (`new_cached_tag`) matches // what it originally saw in the cache // (`initial_cached_tag`) // // If this is the case, then no one else updated the // in-memory cache, so it is safe to update it. // // - OR, the tag in the cache (`new_cached_tag`) matches // what it originally saw on disk (`disk_tag`) // // If this is the case, then someone else updated the // in-memory cache with the same update the thread // wants to make, so it is safe to return what's in // the in-memory cache. // // If neither hold, then the in-memory cache was updated // to a different value, and the current thread doesn't // know if it has C or C'. // // Unfortunately, this also means that these conditions // hold for step 2.A.5 and step 2.B.5. // // As such we can use the following mitigation to check // that the current thread is NOT at step 3.A.5 or step // 3.B.5: // // ```text // let safe = new_cached_tag == initial_cached_tag // || new_cached_tag == disk_tag; // ``` // // If this condition holds, we simply retry. If we race // again, then we we prefer to avoid live lock. match self.certs_cache.write().unwrap().entry(fp.clone()) { Entry::Occupied(mut e) => { let (cached_cert, new_cached_tag) = e.get(); if &disk_tag == new_cached_tag { // Another thread updated the in-memory cache // with what we expect. Use the in-memory // cache. t!("{} lost race: loading from cache", fp); return Ok(cached_cert.clone()); } else if initial_cached_tag.as_ref() == Some(new_cached_tag) { // The in-memory cache was not updated. // Insert what we read. t!("{}: won race: updating index", fp); update_index(&raw); let cert = Arc::new(LazyCert::from(raw)); e.insert((cert.clone(), disk_tag)); return Ok(cert); } else if tries > 0 { // The tag changed. We don't know which tag // is newer, so we redo the lookup (there // could have been two quick updates, we got // the old tag and cert, the other thread that // won the race got the new tag and cert). In // the likely case that the cached_tag is the // current version, the next iteration will // take the happy path. t!("{} tag mismatch, retrying lookup once", fp); tries -= 1; continue 'retry; } else { // There's high contention. // // To break possible live lock, take one. t!("{} tag mismatch, avoiding live lock", fp); update_index(&raw); let cert = Arc::new(LazyCert::from(raw)); e.insert((cert.clone(), disk_tag)); return Ok(cert); } }, Entry::Vacant(e) => { t!("{} not in cache, loaded from disk", fp); update_index(&raw); let cert = Arc::new(LazyCert::from(raw)); e.insert((cert.clone(), disk_tag)); return Ok(cert); }, } } } } /// Serializes a Fingerprint for storage in the database. fn fingerprint2db(fp: &Fingerprint) -> String { format!("{:x}", fp) } /// Serializes a Key ID for storage in the database. fn keyid2db(id: &KeyID) -> String { format!("{:x}", id) } /// Converts a `Tag` into something representable by SQLite. fn tag2db(t: cert_d::Tag) -> i64 { u64::from(t) as i64 } /// Converts a `Tag` from something representable by SQLite. fn db2tag(t: i64) -> cert_d::Tag { (t as u64).into() } /// Ignores SQLITE_BUSY. /// /// Returns `Ok(true)` if the update was successful, `Ok(false)` if /// the database was locked for writing, and any other error as-is. /// /// This can be used to implement stricter transaction semantics than /// SQLite offers. If you have a SQLite transaction in deferred /// (i.e. read) mode, and try to update a table, the update fails with /// SQLITE_BUSY, but that doesn't invalidate the transaction. Hence, /// a second update in the same transaction may succeed. But that is /// not what we want, we want either all updates to succeed, or none. /// /// # Examples /// /// ```rust /// # use rusqlite::*; /// # fn ignore_sqlite_busy(r: Result) -> Result { todo!() } /// # fn f() -> anyhow::Result<()> { /// let conn = Connection::open_in_memory()?; /// let tx = Transaction::new_unchecked( /// &conn, TransactionBehavior::Deferred)?; /// let mut commit = true; /// /// commit = commit && { /// let mut stmt = tx.prepare_cached( /// "CREATE TABLE foo")?; /// ignore_sqlite_busy(stmt.execute(params![]))? /// }; /// /// if commit { /// tx.commit()?; /// } else { /// tx.rollback()?; /// } /// # Ok(()) } /// ``` fn ignore_sqlite_busy(r: rusqlite::Result) -> Result { match r { Ok(_) => Ok(true), Err(e) => if is_sqlite_busy(&e) { Ok(false) } else { Err(e.into()) }, } } /// Tests if the error is SQLITE_BUSY. fn is_sqlite_busy(e: &rusqlite::Error) -> bool { Some(rusqlite::ErrorCode::DatabaseBusy) == e.sqlite_error_code() } /// Asserts that the given vector contains at least one cert, or /// returns the appropriate error. fn ok_or_not_found<'a, K>(handle: K, c: Vec>>) -> Result>>> where K: Into, { if c.is_empty() { Err(crate::store::StoreError::NotFound(handle.into()).into()) } else { Ok(c) } } impl<'a> Store<'a> for CertD<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { match kh { KeyHandle::Fingerprint(fp) => Ok(vec![self.load(fp)?]), KeyHandle::KeyID(id) => { let mut db = self.conn.lock().unwrap(); self.scan(&mut db)?; drop(db); let primaries = self.index_cache.read().unwrap().by_key_id.get(id).cloned(); // Note: it is of the utmost importance to compute // `primaries`, then drop the `CertD::index_cache` // lock, then map over self.load, because we must not // hold the lock over calls to self.load. If this is // done on the right hand side of the `if let` // statement, the lock will be held across the call to // self.load. let mut matches = Vec::new(); if let Some(primaries) = primaries { matches = primaries.iter().filter_map(|fp| { if &KeyID::from(fp) == id { Some(self.load(fp)) } else { None } }).collect::>>()?; } // We didn't find a certificate. ok_or_not_found(id, matches) }, } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "lookup_by_cert_or_subkey"); t!("{}", kh); let mut db = self.conn.lock().unwrap(); self.scan(&mut db)?; drop(db); match kh { KeyHandle::Fingerprint(fp) => { let primaries = self.index_cache.read().unwrap() .by_key_fingerprint.get(fp).cloned(); // Note: it is of the utmost importance to compute // `primaries`, then drop the `CertD::index_cache` // lock, then map over self.load, because we must not // hold the lock over calls to self.load. If this is // done on the right hand side of the `if let` // statement, the lock will be held across the call to // self.load. if let Some(primaries) = primaries { t!("In-memory cache hit!"); return primaries.iter().map(|fp| self.load(fp)).collect(); } } KeyHandle::KeyID(keyid) => { let primaries = self.index_cache.read().unwrap() .by_key_id.get(keyid).cloned(); // Note: it is of the utmost importance to compute // `primaries`, then drop the `CertD::index_cache` // lock, then map over self.load, because we must not // hold the lock over calls to self.load. If this is // done on the right hand side of the `if let` // statement, the lock will be held across the call to // self.load. if let Some(primaries) = primaries { t!("In-memory cache hit!"); return primaries.iter().map(|fp| self.load(fp)).collect(); } } } t!("In-memory cache miss!"); // We didn't find a certificate. ok_or_not_found(kh.clone(), Vec::new()) } fn select_userid(&self, params: &UserIDQueryParams, pattern: &str) -> Result>>> { let mut db = self.conn.lock().unwrap(); self.scan(&mut db)?; drop(db); tracer!(TRACE, "CertD::select_userid"); t!("params: {:?}, pattern: {:?}", params, pattern); let matches = self.index_cache.read().unwrap() .by_userid.select_userid(params, pattern)?; // Note: it is of the utmost importance to compute `matches`, // then drop the `CertD::index_cache` lock, then map over // self.load, because we must not hold the lock over calls to // self.load. let matches = matches .into_iter() .map(|fp| self.load(&fp)) .collect::>>()?; Ok(matches) } fn fingerprints<'b>(&'b self) -> Box + 'b> { let transaction = || -> Result + 'b>> { let mut db = self.conn.lock().unwrap(); self.scan(&mut db)?; drop(db); let mut fps = self.index_cache.read().unwrap() .by_key_fingerprint.iter() .filter(|(sk_fp, cert_fps)| cert_fps.binary_search(sk_fp).is_ok()) .map(|(fp, _)| fp.clone()) .collect::>(); fps.sort_unstable(); fps.dedup(); Ok(Box::new(fps.into_iter())) }; match transaction() { Ok(v) => v, Err(_) => { // We cannot return errors here, fall back to // accessing the certd. Box::new(self.certd.fingerprints() .filter_map(|fp| fp.ok().and_then(|s| s.parse().ok()))) }, } } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { self.prefetch_internal(true, &[], false); Box::new( self.certs_cache.read().unwrap().values() .map(|(cert, _)| cert.clone()) .collect::>() .into_iter()) } fn prefetch_all(&self) { self.prefetch_internal(true, &[], true); } fn prefetch_some(&self, certs: &[KeyHandle]) { self.prefetch_internal(false, certs, true); } } impl<'a> CertD<'a> { /// Canonicalize the certs identified by `khs`, or `all`. fn prefetch_internal(&self, all: bool, khs: &[KeyHandle], canonicalize: bool) { // LazyCert is Sync and Send, but keeping a reference to the // RawCerts in certs prevents us from later updating // certs. This requires a bit of acrobatics to get // right. tracer!(TRACE, "CertD::prefetch_internal"); if all { t!("Prefetch all certificates"); } else { t!("Prefetch {} certificates", khs.len()); } /// Work items. enum Work<'a> { /// Load the certificate from disk, canonicalize if /// `canonicalize` is given. Load(Fingerprint), /// Canonicalize a raw cert that is already in our cache. Canonicalize(RawCert<'a>, cert_d::Tag), } use crossbeam::thread; use crossbeam::channel::unbounded as channel; // Avoid an extra level of indentation. let result = thread::scope(|thread_scope| { let mut work: Vec = Default::default(); let certs_cache = self.certs_cache.read().unwrap(); // First, schedule all raw certs in our cache that we // should canonicalize. if canonicalize { for w in certs_cache.iter() .filter_map(|(fpr, (cert, tag))| { if ! cert.is_parsed() { if all || khs.iter() .any(|kh| { kh.aliases(&KeyHandle::from(fpr.clone())) }) { // Unfortunately we have to clone the bytes, // because we cannot keep certs borrowed. t!("Queuing {} to be prefetched", fpr); use std::ops::Deref; cert.deref().clone().into_raw_cert().ok() .map(|raw_cert| Work::Canonicalize(raw_cert, tag.clone())) } else { None } } else { None } }) { work.push(w); } } // Second, we consider all certs not in the cache. if all { // Either all of them. for fp in self.certd.fingerprints() .into_iter().flatten() .filter_map(|f| f.parse::().ok()) .filter(|f| ! certs_cache.contains_key(f)) { work.push(Work::Load(fp)); } } else { // Or just those in `khs`. Here, for simplicity, we // only consider the fingerprints. for fp in khs.iter() .filter_map(|kh| Fingerprint::try_from(kh).ok()) .filter(|f| ! certs_cache.contains_key(f)) { work.push(Work::Load(fp)); } } // Release our read lock. drop(certs_cache); let cert_count = work.len(); // The threads. We start them on demand. let threads = if cert_count < 16 { // The keyring is small, limit the number of threads. 2 } else { // Sort the certificates so they are ordered from most // packets to least. More packets implies more work, and // this will hopefully result in a more equal distribution // of load. work.sort_unstable_by_key(|w| match w { Work::Load(_) => 0, Work::Canonicalize(raw_cert, _tag) => usize::MAX - raw_cert.count(), }); // Use at least one and not more than we have cores. num_cpus::get().max(1) }; t!("Using {} threads", threads); // A communication channel for sending work to the workers. let (work_tx, work_rx) = channel(); // A communication channel for returning returns to the main // thread. let (results_tx, results_rx) = channel(); let mut threads_extant = Vec::new(); for cert in work.into_iter() { if threads_extant.len() < threads { let tid = threads_extant.len(); t!("Starting thread {} of {}", tid, threads); let mut work = Some(Ok(cert)); // The thread's state. let work_rx = work_rx.clone(); let results_tx = results_tx.clone(); threads_extant.push(thread_scope.spawn(move |_| { loop { match work.take().unwrap_or_else(|| work_rx.recv()) { Err(_) => break, Ok(Work::Load(fp)) => { t!("Thread {}: load{} {}", tid, if canonicalize { "+ canonicalize" } else { "" }, fp); // Silently ignore errors. This will // be caught later when the caller // looks this one up. self.certd.get_file(&fp.to_string()) .ok().flatten() .and_then(|file| { let tag = cert_d::Tag::try_from(&file) .ok()?; match br::File::new_with_cookie( file, self.certd.get_path(&fp.to_string()).ok()?, Default::default()) .map_err(Into::::into) .and_then(|c| { if canonicalize { Ok(LazyCert::from( Cert::from_buffered_reader(c)?)) } else { Ok(LazyCert::from( RawCert::from_buffered_reader(c)?)) } }) { Ok(cert) => { let _ = results_tx.send( (cert, tag)); }, Err(err) => { t!("Error loading {}: {}", fp, err); }, } Some(()) }); }, Ok(Work::Canonicalize(raw, tag)) => { t!("Thread {} dequeuing {}!", tid, raw.keyid()); // Silently ignore errors. This will // be caught later when the caller // looks this one up. match Cert::try_from(&raw) { Ok(cert) => { let _ = results_tx.send( (LazyCert::from(cert), tag)); } Err(err) => { t!("Parsing raw cert {}: {}", raw.keyid(), err); } } }, } } t!("Thread {} exiting", tid); })); } else { work_tx.send(cert).unwrap(); } } // When the threads see this drop, they will exit. drop(work_tx); // Drop our reference to results_tx. When the last thread // exits, the last reference will be dropped and the loop // below will exit. drop(results_tx); let mut count = 0; let mut certs = self.certs_cache.write().unwrap(); while let Ok((cert, tag)) = results_rx.recv() { let fpr = cert.fingerprint(); t!("Caching {}", fpr); certs.insert(fpr, (Arc::new(cert), tag)); count += 1; } t!("Prefetched {} certificates, ({} had errors)", count, cert_count - count); }); // thread scope. // We're just caching results so we can ignore errors. if let Err(err) = result { t!("{:?}", err); } } } impl<'a> StoreUpdate<'a> for CertD<'a> { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "CertD::update_by"); t!("Inserting {}", cert.fingerprint()); // This is slightly annoying: cert-d expects bytes. But // serializing cert is a complete waste if we have to merge // the certificate with another one. cert-d actually only // needs the primary key, which it uses to derive the // fingerprint, so, we only serialize that. let fpr = cert.fingerprint(); let fpr_str = format!("{:x}", fpr); let mut merged = None; let mut pre_certd_tag = None; let mut post_certd_tag = None; let (cert_tag, _) = self.certd.insert_extended( &fpr_str, (), false, |_| { // Compute the tag with the cert-d lock held. pre_certd_tag = Some(self.certd.tag()); Ok(()) }, |(), disk_bytes| { let disk: Option> = if let Some(disk_bytes) = disk_bytes { let mut parser = RawCertParser::from_bytes(disk_bytes) .with_context(|| { format!("Parsing {} as returned from the cert directory", fpr) }) .map_err(|err| { t!("Reading disk version: {}", err); err })?; let disk = parser.next().transpose() .with_context(|| { format!("Parsing {} as returned from the cert directory", fpr) }) .map_err(|err| { t!("Parsing disk version: {}", err); err })?; disk.map(|disk| Arc::new(LazyCert::from(disk))) } else { t!("No disk version"); None }; let merged_ = merge_strategy.merge_public(cert, disk) .with_context(|| { format!("Merging versions of {}", fpr) }) .map_err(|err| { t!("Merging: {}", err); err })?; let bytes = merged_.to_vec()?; merged = Some(merged_); Ok(cert_d::MergeResult::Data(bytes)) }, |r| { // Compute the tag with the cert-d lock held. post_certd_tag = Some(self.certd.tag()); Ok(r) }, )?; let certd_tags = if let (Some(pre), Some(post)) = (pre_certd_tag, post_certd_tag) { Some((pre, post)) } else { None }; let merged = merged.expect("set"); self.insert_cert(merged.clone(), cert_tag, certd_tags)?; Ok(merged) } } #[cfg(test)] mod tests { use super::*; use std::sync::OnceLock; use anyhow::Context; use openpgp::packet::UserID; use openpgp::policy::StandardPolicy; use openpgp::serialize::Serialize; use crate::store::StoreError; use crate::tests::print_error_chain; const N: usize = 1050; fn roughly_a_thousand_certs() -> &'static [Cert] { static CERTS: OnceLock> = OnceLock::new(); CERTS.get_or_init( || (0..N).into_iter().map(|i| { let userid = format!("<{}@example.org>", i); let (cert, _rev) = CertBuilder::new() .set_cipher_suite(CipherSuite::Cv25519) .add_userid(UserID::from(&userid[..])) .add_storage_encryption_subkey() .generate() .expect("ok"); cert }).collect()).as_slice() } /// Checks that the CertD at `path` fn check_certd(certd: &CertD, certs: &[&Cert], certs_fpr: Option<&[Fingerprint]>, subkeys_fpr: &[Fingerprint], userids: &[&UserID]) -> Result<()> { // Test Store::iter. In particular, make sure we get // everything back. if let Some(certs_fpr) = certs_fpr { let mut certs_read = certd.certs().collect::>(); assert_eq!( certs_read.len(), certs.len(), "Looks like you're exhausting the available file descriptors"); certs_read.sort_by_key(|c| c.fingerprint()); let certs_read_fpr = certs_read.iter().map(|c| c.fingerprint()).collect::>(); assert_eq!(certs_fpr, certs_read_fpr); } // Test Store::by_cert. for cert in certs.iter() { let certs_read = certd.lookup_by_cert(&cert.key_handle()).expect("present"); // We expect exactly one cert. assert_eq!(certs_read.len(), 1); let cert_read = certs_read.iter().next().expect("have one") .to_cert().expect("valid"); assert_eq!(&cert_read, cert); } for subkey in subkeys_fpr.iter() { let kh = KeyHandle::from(subkey.clone()); match certd.lookup_by_cert(&kh) { Ok(certs) => panic!("Expected nothing, got {} certs", certs.len()), Err(err) => { if let Some(&StoreError::NotFound(ref got)) = err.downcast_ref::() { assert_eq!(&kh, got); } else { panic!("Expected NotFound, got: {}", err); } } } } // Test Store::lookup_by_cert_or_subkey. for fpr in certs.iter().map(|cert| cert.fingerprint()) .chain(subkeys_fpr.iter().cloned()) { let certs_read = certd.lookup_by_cert_or_subkey(&KeyHandle::from(fpr.clone())).expect("present"); // We expect exactly one cert. assert_eq!(certs_read.len(), 1); let cert_read = certs_read.iter().next().expect("have one") .to_cert().expect("valid"); assert!(cert_read.keys().any(|k| k.fingerprint() == fpr)); } // Test Store::lookup_by_userid. for userid in userids.iter() { let certs_read = certd.lookup_by_userid(&userid).expect("present"); // We expect exactly one cert. assert_eq!(certs_read.len(), 1); let cert_read = certs_read.iter().next().expect("have one") .to_cert().expect("valid"); assert!(cert_read.userids().any(|u| &u.userid() == userid)); } Ok(()) } // Make sure that we can read a huge cert-d. Specifically, the // typical file descriptor limit is 1024. Make sure we can // initialize and iterate over a cert-d with a few more entries // than that. #[test] fn huge_cert_d() -> Result<()> { let path = tempfile::tempdir()?; let certd = cert_d::CertD::with_base_dir(&path) .map_err(|err| { let err = anyhow::Error::from(err) .context(format!("While opening the certd {:?}", path)); print_error_chain(&err); err })?; // Generate some certificates and write them to a cert-d using // the low-level interface. let mut certs = Vec::new(); let mut certs_fpr = Vec::new(); let mut subkeys_fpr = Vec::new(); let mut userids = Vec::new(); for cert in roughly_a_thousand_certs() { certs_fpr.push(cert.fingerprint()); subkeys_fpr.extend(cert.keys().subkeys().map(|ka| ka.fingerprint())); userids.push(cert.userids().next().unwrap().userid()); let mut bytes = Vec::new(); cert.serialize(&mut bytes).expect("can serialize to a vec"); certd .insert_data(&bytes, false, |new, disk| { assert!(disk.is_none()); Ok(cert_d::MergeResult::DataRef(new)) }) .with_context(|| { format!("{:?} ({})", path, cert.fingerprint()) }) .expect("can insert"); certs.push(cert); } // One subkey per certificate. assert_eq!(certs_fpr.len(), subkeys_fpr.len()); certs_fpr.sort(); // Open the cert-d and make sure we can read what we wrote via // the low-level interface. let certd = CertD::open(&path).expect("exists"); check_certd( &certd, &certs[..], Some(&certs_fpr), &subkeys_fpr, &userids) } /// Tests four concurrent mutators on the same CertD. #[test] fn concurrent_mutators() -> Result<()> { use rand::prelude::*; let tmpdir = tempfile::tempdir()?; let path = tmpdir.path(); let certd_shared = CertD::open(path)?; let roughly_a_hundred_certs = &roughly_a_thousand_certs()[..101]; std::thread::scope(|s| { for tid in 0..3 { let certd_shared = &certd_shared; s.spawn(move || { // Thread 0 has its own CertD, thread 1 and 2 get // to share one. let certd_owned; let certd = if tid % 3 == 0 { certd_owned = CertD::open(path).unwrap(); &certd_owned } else { certd_shared }; let mut rng = rand::thread_rng(); let mut source_certs = roughly_a_hundred_certs.to_vec(); source_certs.shuffle(&mut rng); let mut certs = Vec::new(); let mut certs_fpr = Vec::new(); let mut subkeys_fpr = Vec::new(); let mut userids = Vec::new(); for cert in source_certs.iter() { eprint!("{}", tid); certs_fpr.push(cert.fingerprint()); subkeys_fpr.extend(cert.keys().subkeys().map(|ka| ka.fingerprint())); userids.push(cert.userids().next().unwrap().userid()); certd.update(Arc::new(cert.clone().into())) .expect("can insert"); certs.push(cert); check_certd( &certd, &certs[..], None, &subkeys_fpr, &userids) .expect("consistency and robustness"); } }); } // Finally, add a fourth mutator that doesn't update the // database. s.spawn(move || { let certd = cert_d::CertD::with_base_dir(path).unwrap(); for cert in roughly_a_hundred_certs { std::thread::sleep(Duration::from_millis(10)); eprint!("."); certd.insert_data( &cert.to_vec().unwrap(), false, |new, _disk| Ok(cert_d::MergeResult::DataRef(new))) .with_context(|| { format!("{:?} ({})", path, cert.fingerprint()) }) .expect("can insert"); } }); }); Ok(()) } /// Tests that the database index preserves all the information. #[test] fn database_index() -> Result<()> { let tmpdir = tempfile::tempdir()?; let p = tmpdir.path(); let c = CertBuilder::new() .add_userid("Alice Lovelace") .add_userid("") .add_userid("Alice Lovelace ") .add_signing_subkey() .generate()?.0; // Insert the cert using the low-level cert-d. { let certd = cert_d::CertD::with_base_dir(p)?; certd.insert_data( &c.to_vec()?, false, |new, _disk| Ok(cert_d::MergeResult::DataRef(new)))?; } // Construct the database index. let _ = CertD::open(p)?; // Do the queries. Construct a new CertD for each query so // that we don't get the benefit of updating the in-core index // when loading a cert from disk. for (i, k) in c.keys().enumerate() { let primary = i == 0; if primary { let d = CertD::open(p)?.lookup_by_cert(&k.fingerprint().into())?; assert_eq!(&c, d[0].to_cert()?); let d = CertD::open(p)?.lookup_by_cert(&k.keyid().into())?; assert_eq!(&c, d[0].to_cert()?); } let d = CertD::open(p)?.lookup_by_cert_or_subkey(&k.fingerprint().into())?; assert_eq!(&c, d[0].to_cert()?); let d = CertD::open(p)?.lookup_by_cert_or_subkey(&k.keyid().into())?; assert_eq!(&c, d[0].to_cert()?); } for u in c.userids() { let d = CertD::open(p)?.select_userid( UserIDQueryParams::new() .set_anchor_start(true) .set_anchor_end(true) .set_email(false) .set_ignore_case(false), &String::from_utf8(u.value().to_vec())?)?; assert_eq!(&c, d[0].to_cert()?); if let Ok(Some(e)) = u.email2() { let d = CertD::open(p)?.select_userid( UserIDQueryParams::new() .set_anchor_start(true) .set_anchor_end(true) .set_email(true) .set_ignore_case(false), e)?; assert_eq!(&c, d[0].to_cert()?); } if let Ok(Some(n)) = u.name2() { let d = CertD::open(p)?.select_userid( UserIDQueryParams::new() .set_anchor_start(true) .set_anchor_end(false) .set_email(false) .set_ignore_case(false), n)?; assert_eq!(&c, d[0].to_cert()?); } } Ok(()) } #[test] fn shadow_ca() -> Result<()> { tracer!(true, "shadow_ca"); let path = tempfile::tempdir()?; let certd = CertD::open(&path)?; // Check that the special exists, and includes secret key // material, and that there is a corresponding entry under its // fingerprint, which doesn't include any secret key material. let check = |name: &str| { t!("check({})", name); assert!(cert_d::CertD::is_special(name).is_ok()); let (_tag, ca) = certd.certd() .get(name) .unwrap() .expect("exists"); let ca = Cert::from_bytes(&ca).expect("valid"); assert!(ca.is_tsk()); let (_tag, cert) = certd.certd() .get(&ca.fingerprint().to_string()) .unwrap() .expect("exists"); let cert = Cert::from_bytes(&cert).expect("valid"); assert!(! cert.is_tsk()); assert_eq!(ca.fingerprint(), cert.fingerprint()); ca }; let (koo, _tag) = certd.shadow_ca( "keys.openpgp.org", true, UserID::from_static_bytes(b"Downloaded from keys.openpgp.org"), 1, &[ ( "public_directories", UserID::from_static_bytes(b"Public Directories"), 10, ), ])?; let cert = check(&CertD::shadow_ca_special("keys.openpgp.org")); assert_eq!(cert.fingerprint(), koo.fingerprint()); let public_directories = check(&CertD::shadow_ca_special("public_directories")); let trust_root = check(&CertD::shadow_ca_special(cert_d::TRUST_ROOT)); let (dane, _tag) = certd.shadow_ca( "dane", true, UserID::from_static_bytes(b"Downloaded from DANE"), 1, &[ ( "public_directories", UserID::from_static_bytes(b"Public Directories"), 10), ])?; let cert = check(&CertD::shadow_ca_special("dane")); assert_eq!(cert.fingerprint(), dane.fingerprint()); let cert = check(&CertD::shadow_ca_special("keys.openpgp.org")); assert_eq!(cert.fingerprint(), koo.fingerprint()); let cert = check(&CertD::shadow_ca_special("public_directories")); assert_eq!(cert, public_directories); let cert = check(&CertD::shadow_ca_special(cert_d::TRUST_ROOT)); assert_eq!(cert, trust_root); let (tofu, _tag) = certd.shadow_ca( "tofu", true, UserID::from_static_bytes(b"Trust on First Use (TOFU)"), 120, &[])?; let cert = check(&CertD::shadow_ca_special("tofu")); assert_eq!(cert.fingerprint(), tofu.fingerprint()); let cert = check(&CertD::shadow_ca_special("dane")); assert_eq!(cert.fingerprint(), dane.fingerprint()); let cert = check(&CertD::shadow_ca_special("keys.openpgp.org")); assert_eq!(cert.fingerprint(), koo.fingerprint()); let cert = check(&CertD::shadow_ca_special("public_directories")); assert_eq!(cert, public_directories); let cert = check(&CertD::shadow_ca_special(cert_d::TRUST_ROOT)); assert_eq!(cert, trust_root); Ok(()) } #[test] fn shadow_ca_keyserver() -> Result<()> { tracer!(true, "keyserver_shadow_ca"); let path = tempfile::tempdir()?; let test = |certd: &CertD, may_create: bool| { let (koo, created) = certd.shadow_ca_keys_openpgp_org().unwrap(); if ! may_create { assert!(! created); } let koo = koo.fingerprint(); let (mailvelope, created) = certd.shadow_ca_keys_mailvelope_com().unwrap(); if ! may_create { assert!(! created); } let mailvelope = mailvelope.fingerprint(); let lookup = |uri, expected: Option<&Fingerprint>| { let result = certd.shadow_ca_keyserver(uri).unwrap(); if let Some(fingerprint) = expected { let (ca, created) = result.expect("valid URI"); if ! may_create { assert!(! created); } assert_eq!(fingerprint, &ca.fingerprint()); } else { assert!(result.is_none()); } }; lookup("hkps://keys.openpgp.org", Some(&koo)); lookup("HKPS://KEYS.OPENPGP.ORG", Some(&koo)); lookup("HKPS://KEYS.OPENPGP.io", Some(&koo)); // hkp is not considered secure. lookup("hkp://keys.openpgp.org", None); // https is not the right protocol. lookup("https://keys.openpgp.org", None); // Not a verifying keyserver. lookup("hkps://keyserver.ubuntu.com", None); lookup("hkps://keys.mailvelope.com", Some(&mailvelope)); }; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; test(&certd, true); // The second time through we load them from disk. t!("Loading CAs"); let certd2 = CertD::open(&path)?; test(&certd2, false); Ok(()) } fn check_certifiation(certd: &CertD, certifier: &Cert, cert: Fingerprint, count: usize) { const P: &StandardPolicy = &StandardPolicy::new(); let cert: Arc = certd.lookup_by_cert_fpr(&cert).expect("exists"); let cert: &Cert = cert.to_cert().expect("valid cert"); let userids: Vec = cert.userids().collect(); assert_eq!(userids.len(), 1); let certifications = userids[0].valid_certifications_by_key( P, None, certifier.primary_key().key()); assert_eq!(certifications.count(), count); } #[test] fn shadow_ca_cerified() -> Result<()> { // Check that the shadow CA and intermediate CA are actually // certified. tracer!(true, "keyserver_shadow_certified"); let path = tempfile::tempdir()?; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; let (koo, created) = certd.shadow_ca_keys_openpgp_org().unwrap(); assert!(created); let koo = koo.to_cert().expect("valid cert"); let (pd, created) = certd.public_directory_ca().unwrap(); // This should have been created in the last step. assert!(! created); let pd = pd.to_cert().expect("valid cert"); let (tr, created) = certd.trust_root().unwrap(); // This should have been created in the last step. assert!(! created); let tr = tr.to_cert().expect("valid cert"); let (kmc, created) = certd.shadow_ca_keys_mailvelope_com().unwrap(); assert!(created); let kmc = kmc.to_cert().expect("valid cert"); // Avoid the in-memory cache. let certd = CertD::open(&path)?; t!("Checking that the PD CA certified the KOO shadow CA."); check_certifiation(&certd, &pd, koo.fingerprint(), 1); t!("Checking that the PD CA certified the KMC shadow CA."); check_certifiation(&certd, &pd, kmc.fingerprint(), 1); t!("Checking that the trust root certified the PD CA."); check_certifiation(&certd, &tr, pd.fingerprint(), 1); t!("Checking that the trust root didn't the KOO shadow CA."); check_certifiation(&certd, &tr, koo.fingerprint(), 0); t!("Checking that the trust root didn't the KMC shadow CA."); check_certifiation(&certd, &tr, kmc.fingerprint(), 0); Ok(()) } #[test] fn shadow_ca_for_url() -> Result<()> { tracer!(true, "shadow_ca_for_url"); let path = tempfile::tempdir()?; let test = |certd: &CertD, may_create: bool| { let (alice, created) = certd .shadow_ca_for_url("https://example.org/alice.pgp") .unwrap().unwrap(); if ! may_create { assert!(! created); } let alice = alice.fingerprint(); #[derive(Debug)] enum Expectation { Alice, Other, NoCA } use Expectation::*; let lookup = |uri, expectation| { t!("looking up {} expecting {:?}", uri, expectation); let result = certd.shadow_ca_for_url(uri).unwrap(); match expectation { Alice => { let (ca, created) = result.expect("valid URI"); if ! may_create { assert!(! created); } assert_eq!(alice, ca.fingerprint()); }, Other => { let (_ca, created) = result.expect("valid URI"); if ! may_create { assert!(! created); } }, NoCA => { assert!(result.is_none()); }, } }; lookup("https://example.org/alice.pgp", Alice); lookup("HTTPS://EXAMPLE.ORG/alice.pgp", Alice); lookup("https://foo@example.org/alice.pgp", Alice); lookup("https://foo:bar@example.org/alice.pgp", Alice); lookup("https://foo:bar@example.org/alice.pgp#fragment", Alice); // http is not considered secure. lookup("http://example.org/alice.pgp", NoCA); // hkps is not the right protocol. lookup("hkps://example.org/alice.pgp", NoCA); // Different URLs. lookup("https://example.org/bob.pgp", Other); lookup("https://example.net/alice.pgp", Other); lookup("https://example.org/alice.pgp?some=query", Other); lookup("https://example.org/alice.pgp/other/path", Other); }; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; test(&certd, true); // The second time through we load them from disk. t!("Loading CAs"); let certd2 = CertD::open(&path)?; test(&certd2, false); Ok(()) } #[test] fn shadow_ca_for_web_cerified() -> Result<()> { // Check that the shadow CA and intermediate CA are actually // certified. tracer!(true, "shadow_ca_for_web_cerified"); let path = tempfile::tempdir()?; // The first time through we create the trust root and CAs. t!("Creating CAs"); let certd = CertD::open(&path)?; let (alice, created) = certd .shadow_ca_for_url("https://example.org/alice.pgp") .unwrap().unwrap(); assert!(created); let alice = alice.to_cert().expect("valid cert"); let (tr, created) = certd.trust_root().unwrap(); // This should have been created in the first step. assert!(! created); let tr = tr.to_cert().expect("valid cert"); let (pd, created) = certd.public_directory_ca().unwrap(); // This should have been created in the first step. assert!(! created); let pd = pd.to_cert().expect("valid cert"); let (web, created) = certd.shadow_ca_web().unwrap(); // This should have been created in the first step. assert!(! created); let web = web.to_cert().expect("valid cert"); // Avoid the in-memory cache. let certd = CertD::open(&path)?; t!("Checking that the trust root certified the PD CA."); check_certifiation(&certd, &tr, pd.fingerprint(), 1); t!("Checking that the PD CA certified the web CA."); check_certifiation(&certd, &pd, web.fingerprint(), 1); t!("Checking that the web CA certified the ALICE shadow CA."); check_certifiation(&certd, &web, alice.fingerprint(), 1); t!("Checking that the trust root didn't the web CA."); check_certifiation(&certd, &tr, web.fingerprint(), 0); t!("Checking that the trust root didn't the ALICE shadow CA."); check_certifiation(&certd, &tr, alice.fingerprint(), 0); t!("Checking that the PD CA didn't the ALICE shadow CA."); check_certifiation(&certd, &pd, alice.fingerprint(), 0); Ok(()) } /// Test that we can create and sanitize, or reject CAs for funny /// URLs. #[test] fn shadow_ca_for_url_escapes() -> Result<()> { tracer!(true, "shadow_ca_for_url_escapes"); let path = tempfile::tempdir()?; let test = |certd: &CertD, url, stripped| { t!("trying {:?}", url); let (alice, _created) = certd.shadow_ca_for_url(url).unwrap().unwrap(); if let Some(c) = stripped { // Make sure the character is stripped. assert!(alice.userids().all( |uid| ! str::from_utf8(uid.value()).unwrap().contains(c))); } else { // Make sure the odd character is percent-encoded. assert!(alice.userids().all( |uid| str::from_utf8(uid.value()).unwrap().contains("%"))); } }; let test_fail = |certd: &CertD, url| { t!("trying {:?}", url); certd.shadow_ca_for_url(url).unwrap_err(); }; let certd = CertD::open(&path)?; // In the path: test(&certd, "https://example.org/alice\u{0a}bob.pgp", Some("\u{0a}")); test(&certd, "https://example.org/alice\u{0d}bob.pgp", Some("\u{0d}")); test(&certd, "https://example.org/alice\u{09}bob.pgp", Some("\u{09}")); test(&certd, "https://example.org/alice\u{0c}bob.pgp", Some("\u{0c}")); test(&certd, "https://example.org/alice\u{08}\u{08}\u{08}\u{08}\u{08}bob.pgp", None); test(&certd, "https://example.org/alice\u{200f}bob.pgp", None); // RTL mark // In the query: test(&certd, "https://example.org/alice.pgp?q=\u{0a}bob.pgp", Some("\u{0a}")); test(&certd, "https://example.org/alice.pgp?q=\u{0d}bob.pgp", Some("\u{0d}")); test(&certd, "https://example.org/alice.pgp?q=\u{09}bob.pgp", Some("\u{09}")); test(&certd, "https://example.org/alice.pgp?q=\u{0c}bob.pgp", Some("\u{0c}")); test(&certd, "https://example.org/alice.pgp?q=\u{08}\u{08}\u{08}\u{08}\u{08}bob.pgp", None); test(&certd, "https://example.org/alice.pgp?q=\u{200f}bob.pgp", None); // RTL mark // In the host: test(&certd, "https://example.\u{0a}bob.pgp.org/alice.pgp", Some("\u{0a}")); test(&certd, "https://example.\u{0d}bob.pgp.org/alice.pgp", Some("\u{0d}")); test(&certd, "https://example.\u{09}bob.pgp.org/alice.pgp", Some("\u{09}")); test_fail(&certd, "https://example.\u{0c}bob.pgp.org/alice.pgp"); test_fail(&certd, "https://example.\u{08}\u{08}\u{08}\u{08}\u{08}bob.pgp.org/alice.pgp"); test_fail(&certd, "https://example.\u{200f}bob.pgp.org/alice.pgp"); // RTL mark Ok(()) } } sequoia-cert-store-0.6.0/src/store/certs.rs000064400000000000000000000363131046102023000170010ustar 00000000000000use std::collections::BTreeMap; use std::collections::btree_map::Entry; use std::sync::Arc; use std::sync::RwLock; use smallvec::SmallVec; use smallvec::smallvec; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::cert::Cert; use openpgp::cert::raw::RawCert; use openpgp::cert::raw::RawCertParser; use openpgp::Fingerprint; use openpgp::KeyID; use openpgp::KeyHandle; use openpgp::packet::UserID; use openpgp::parse::Parse; use openpgp::Result; use crate::LazyCert; use crate::store::MergeCerts; use crate::store::Store; use crate::store::StoreError; use crate::store::StoreUpdate; use crate::store::UserIDIndex; use crate::store::UserIDQueryParams; const TRACE: bool = false; /// Manages a slice of bytes, `RawCert`s, `Cert`s, or `LazyCert`s. /// /// `Cert`s implements `StoreUpdate`, but it does not write the /// updates to disk; they are only updated in memory. pub struct Certs<'a> { inner: RwLock>, } assert_send_and_sync!(Certs<'_>); struct CertsInner<'a> { // Indexed by primary key fingerprint. certs: BTreeMap>>, // Indexed by a key's KeyID (primary key or subkey) and maps to // the primary key. keys: BTreeMap>, userid_index: UserIDIndex, } impl<'a> Certs<'a> { /// Returns an empty `Certs` store. /// /// This is useful as a placeholder. But, certificates can also /// be added to it using the [`StoreUpdate`] interface. pub fn empty() -> Self { Certs { inner: RwLock::new(CertsInner { certs: Default::default(), keys: Default::default(), userid_index: UserIDIndex::new(), }), } } /// Returns a new `Certs`. pub fn from_bytes(bytes: &'a [u8]) -> Result { tracer!(TRACE, "Certs::from_bytes"); let raw_certs = RawCertParser::from_bytes(bytes)? .filter_map(|c| { match c { Ok(c) => Some(c), Err(err) => { t!("Parsing raw certificate: {}", err); None } } }); Self::from_certs(raw_certs) } /// Returns a new `Certs`. pub fn from_certs(certs: impl IntoIterator) -> Result where I: Into> { let r = Self::empty(); for cert in certs { r.update(Arc::new(cert.into())).expect("implementation doesn't fail") } Ok(r) } } impl<'a> Store<'a> for CertsInner<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Certs::lookup_by_cert"); match kh { KeyHandle::Fingerprint(fpr) => { self.lookup_by_cert_fpr(fpr).map(|c| vec![ c ]) } KeyHandle::KeyID(keyid) => { let certs: Vec> = self.keys.get(keyid) .ok_or_else(|| { anyhow::Error::from( StoreError::NotFound(kh.clone())) })? .iter() .filter_map(|fpr| self.certs.get(fpr).cloned()) // Check the constraints before we convert the // rawcert to a cert. .filter(|cert| cert.key_handle().aliases(kh)) .collect(); if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(certs) } } } } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { tracer!(TRACE, "Certs::lookup_by_cert_fpr"); if let Some(cert) = self.certs.get(fingerprint).cloned() { Ok(cert) } else { Err(StoreError::NotFound( KeyHandle::from(fingerprint.clone())).into()) } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Certs::lookup_by_cert_or_subkey"); let keyid = KeyID::from(kh); let certs: Vec>> = self.keys.get(&keyid) .ok_or_else(|| { anyhow::Error::from( StoreError::NotFound(kh.clone())) })? .iter() .filter_map(|fpr| self.certs.get(fpr)) // Check the constraints before we convert the rawcert to a // cert. .filter(|cert| { cert.keys().any(|k| k.key_handle().aliases(kh)) }) .cloned() .collect(); if certs.is_empty() { Err(StoreError::NotFound(kh.clone()).into()) } else { Ok(certs) } } fn select_userid(&self, params: &UserIDQueryParams, pattern: &str) -> Result>>> { tracer!(TRACE, "Certs::select_userid"); t!("params: {:?}, pattern: {:?}", params, pattern); let matches = self.userid_index.select_userid(params, pattern)?; let matches = matches .into_iter() .map(|fpr| { self.lookup_by_cert_fpr(&fpr).expect("indexed") }) .collect(); Ok(matches) } fn fingerprints<'b>(&'b self) -> Box + 'b> { Box::new(self.certs.keys().cloned()) } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { Box::new(self.certs.values().cloned()) } fn prefetch_all(&self) { // Because the interior mutability is implemented via Certs, // not CertInner, and we need a mutable reference here, but we // only have a normal, non-mutable reference, the prefetch // implementation is dispatched via `Certs`. } fn prefetch_some(&self, _certs: &[KeyHandle]) { // Because the interior mutability is implemented via Certs, // not CertInner, and we need a mutable reference here, but we // only have a normal, non-mutable reference, the prefetch // implementation is dispatched via `Certs`. } } impl<'a> Store<'a> for Certs<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { let inner = self.inner.read().unwrap(); inner.lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { let inner = self.inner.read().unwrap(); inner.lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { // We aren't lazy to avoid holding the lock. let inner = self.inner.read().unwrap(); let fprs: Vec<_> = inner.fingerprints().collect(); Box::new(fprs.into_iter()) } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { // We aren't lazy to avoid holding the lock. let inner = self.inner.read().unwrap(); let certs: Vec<_> = inner.certs().collect(); Box::new(certs.into_iter()) } fn prefetch_all(&self) { let mut inner = self.inner.write().unwrap(); inner.prefetch(true, &[]) } fn prefetch_some(&self, certs: &[KeyHandle]) { let mut inner = self.inner.write().unwrap(); inner.prefetch(false, certs) } } impl CertsInner<'_> { /// Prefetches the certs identified by `khs`, or `all`. fn prefetch(&mut self, all: bool, khs: &[KeyHandle]) { // LazyCert is Sync and Send, but keeping a reference to the // RawCerts in self.certs prevents us from later updating // self.certs. This requires a bit of acrobatics to get // right. tracer!(TRACE, "Certs::prefetch_some"); t!("Prefetch: {} certificates", khs.len()); use crossbeam::thread; use crossbeam::channel::unbounded as channel; // Avoid an extra level of indentation. let result = thread::scope(|thread_scope| { let mut certs: Vec = self.certs.iter().filter_map(|(fpr, cert)| { if ! cert.is_parsed() { if all || khs.iter() .any(|kh| { kh.aliases(&KeyHandle::from(fpr.clone())) }) { // Unfortunately we have to clone the bytes, // because we cannot keep self.certs borrowed. t!("Queuing {} to be prefetched", fpr); use std::ops::Deref; cert.deref().clone().into_raw_cert().ok() } else { None } } else { None } }).collect(); let cert_count = certs.len(); // The threads. We start them on demand. let threads = if cert_count < 16 { // The keyring is small, limit the number of threads. 2 } else { // Sort the certificates so they are ordered from most // packets to least. More packets implies more work, and // this will hopefully result in a more equal distribution // of load. certs.sort_unstable_by_key(|c| { usize::MAX - c.count() }); // Use at least one and not more than we have cores. num_cpus::get().max(1) }; t!("Using {} threads", threads); // A communication channel for sending work to the workers. let (work_tx, work_rx) = channel(); // A communication channel for returning returns to the main // thread. let (results_tx, results_rx) = channel(); let mut threads_extant = Vec::new(); for cert in certs.into_iter() { if threads_extant.len() < threads { let tid = threads_extant.len(); t!("Starting thread {} of {}", tid, threads); let mut work = Some(Ok(cert)); // The thread's state. let work_rx = work_rx.clone(); let results_tx = results_tx.clone(); threads_extant.push(thread_scope.spawn(move |_| { loop { match work.take().unwrap_or_else(|| work_rx.recv()) { Err(_) => break, Ok(raw) => { t!("Thread {} dequeuing {}!", tid, raw.keyid()); // Silently ignore errors. This will // be caught later when the caller // looks this one up. match Cert::try_from(&raw) { Ok(cert) => { let _ = results_tx.send(cert); } Err(err) => { t!("Parsing raw cert {}: {}", raw.keyid(), err); } } } } } t!("Thread {} exiting", tid); })); } else { work_tx.send(cert).unwrap(); } } // When the threads see this drop, they will exit. drop(work_tx); // Drop our reference to results_tx. When the last thread // exits, the last reference will be dropped and the loop // below will exit. drop(results_tx); let mut count = 0; while let Ok(cert) = results_rx.recv() { let fpr = cert.fingerprint(); t!("Caching {}", fpr); self.certs.insert(fpr, Arc::new(cert.into())); count += 1; } t!("Prefetched {} certificates, ({} RawCerts had errors)", count, cert_count - count); }); // thread scope. // We're just caching results so we can ignore errors. if let Err(err) = result { t!("{:?}", err); } } } impl<'a> StoreUpdate<'a> for Certs<'a> { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "Certs::update_by"); let mut inner = self.inner.write().unwrap(); let fpr = cert.fingerprint(); // Add the cert fingerprint -> cert entry. let merged: Arc; match inner.certs.entry(fpr.clone()) { Entry::Occupied(mut oe) => { t!("Updating {}", fpr); let old = oe.get().clone(); merged = merge_strategy.merge_public(cert, Some(old)) .with_context(|| { format!("Merging two version of {}", fpr) })?; *oe.get_mut() = merged.clone(); } Entry::Vacant(ve) => { t!("Inserting {}", fpr); merged = merge_strategy.merge_public(cert, None)?; ve.insert(merged.clone()); } } // Populate the key map. This is a merge so we are not // removing anything. for k in merged.keys() { match inner.keys.entry(k.keyid()) { Entry::Occupied(mut oe) => { let fprs = oe.get_mut(); if ! fprs.contains(&fpr) { fprs.push(fpr.clone()); } } Entry::Vacant(ve) => { ve.insert(smallvec![ fpr.clone() ]); } } } inner.userid_index.insert(&fpr, merged.userids()); Ok(merged) } } sequoia-cert-store-0.6.0/src/store/keyserver.rs000064400000000000000000000362751046102023000177070ustar 00000000000000use std::collections::BTreeMap; use std::collections::BTreeSet; use std::sync::Arc; use std::sync::Mutex; use sequoia_openpgp as openpgp; use openpgp::Cert; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::KeyID; use openpgp::Result; use openpgp::policy::NullPolicy; use sequoia_net as net; use net::reqwest; use crate::email_to_userid; use crate::LazyCert; use crate::Store; use crate::store::StatusListener; use crate::store::StatusUpdate; use crate::store::StoreError; use crate::store::UserIDQueryParams; use super::TRACE; const NP: &NullPolicy = &NullPolicy::new(); // Reliable keyservers. /// keys.openpgp.org. pub const KEYS_OPENPGP_ORG_URL: &str = "hkps://keys.openpgp.org"; /// A reliable SKS keyserver. pub const SKS_URL: &str = "hkps://keyserver.ubuntu.com"; /// mailvelope's keyserver. pub const MAILVELOPE_URL: &str = "hkps://keys.mailvelope.com"; /// proton's keyserver. pub const PROTON_URL: &str = "hkps://api.protonmail.ch"; /// A keyserver backend. pub struct KeyServer<'a> { inner: Mutex>, } assert_send_and_sync!(KeyServer<'_>); struct KeyServerInner<'a> { keyserver: net::KeyServer, id: String, tx: usize, listeners: Vec>, // A cache. We only cache certificates; we don't cache User ID // searches. // Primary keys and subkeys. hits_fpr: BTreeMap>>, hits_keyid: BTreeMap, // What we failed to look up. misses_fpr: BTreeSet, misses_keyid: BTreeSet, } impl KeyServer<'_> { /// Returns a new key server instance. pub fn new(url: &str) -> Result { Ok(Self { inner: Mutex::new(KeyServerInner { keyserver: net::KeyServer::new(url)?, id: if url.len() <= 10 { // Only prefix "key server" if the URL is short. format!("key server {}", url) } else { url.to_string() }, tx: 0, listeners: Vec::new(), hits_fpr: Default::default(), hits_keyid: Default::default(), misses_fpr: Default::default(), misses_keyid: Default::default(), }), }) } /// Returns a key server instance that uses `keys.openpgp.org`. pub fn keys_openpgp_org() -> Result { Self::new(KEYS_OPENPGP_ORG_URL) } /// Returns a key server instance that uses a reliable SKS /// keyserver. pub fn sks() -> Result { Self::new(SKS_URL) } /// Returns a key server instance that uses mailvelope's /// keyserver. pub fn mailvelope() -> Result { Self::new(MAILVELOPE_URL) } /// Returns a key server instance that uses proton's keyserver. pub fn proton() -> Result { Self::new(PROTON_URL) } /// Sends status updates to the listener. pub fn add_listener(&mut self, listener: Box) { self.inner.lock().unwrap().listeners.push(listener); } } impl<'a> KeyServerInner<'a> { // Looks for a certificate in the cache. fn check_cache(&self, kh: &KeyHandle) -> Option>>>> { let kh_; let kh = if let KeyHandle::KeyID(keyid) = kh { if let Some(fpr) = self.hits_keyid.get(keyid) { kh_ = KeyHandle::Fingerprint(fpr.clone()); &kh_ } else if self.misses_keyid.get(keyid).is_some() { return Some(Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into())); } else { kh } } else { kh }; if let KeyHandle::Fingerprint(fpr) = kh { if let Some(cert) = self.hits_fpr.get(fpr) { return Some(Ok(vec![ cert.clone() ])); } if self.misses_fpr.get(fpr).is_some() { return Some(Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into())); } } None } // Adds the cert to the in-memory cache. fn cache(&mut self, cert: &Arc>) { for k in cert.keys() { self.hits_fpr.insert(k.fingerprint(), cert.clone()); self.hits_keyid.insert(k.keyid(), k.fingerprint()); } } /// Deletes the key with the given fingerprint from the cache. fn delete_from_cache(&mut self, cert: &LazyCert<'_>) { for key in cert.keys() { let fp = key.fingerprint(); self.hits_fpr.remove(&fp); let keyid = KeyID::from(fp); // XXX: Technically, a key ID could map to multiple // fingerprints, so we may be removing the wrong entry here. // But, by using a BTreeMap we do accept // this kind of loss in the first place, as later cache // insertions will overwrite any existing mappings. self.hits_keyid.remove(&keyid); } } } impl<'a> KeyServer<'a> { /// Deletes the key with the given fingerprint from the cache. pub(crate) fn delete_from_cache(&self, certs: I) where I: Iterator>>, { let mut inner = self.inner.lock().unwrap(); for cert in certs { inner.delete_from_cache(&cert); } } } /// Sends a status update. macro_rules! update { ( $self:expr, $update:ident, $($args:expr),* ) => {{ if ! $self.listeners.is_empty() { let update = StatusUpdate::$update( $self.tx, &$self.id, $($args),*); for sub in $self.listeners.iter() { sub.update(&update); } } }} } impl<'a> Store<'a> for KeyServer<'a> { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { let mut certs = self.lookup_by_cert_or_subkey(kh)?; // The match may be on a subkey. Only return the certificates // whose primary key aliases kh. certs.retain(|cert| { kh.aliases(KeyHandle::from(cert.fingerprint())) }); if certs.is_empty() { Err(StoreError::NotFound(KeyHandle::from(kh.clone())).into()) } else { Ok(certs) } } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "KeyServer::lookup_by_cert_or_subkey"); // Check the cache. t!("Looking up {} on keyserver...", kh); let mut inner = self.inner.lock().unwrap(); if ! inner.listeners.is_empty() { inner.tx += 1; update!(inner, LookupStarted, kh, None); }; if let Some(r) = inner.check_cache(kh) { t!("Found in in-memory cache"); match r.as_ref() { Ok(certs) => { update!(inner, LookupFinished, kh, &certs[..], Some("Found in in-memory cache")); } Err(err) => { update!(inner, LookupFailed, kh, Some(&err)); } } return r; } // It's not in the cache, look it up on the key server. let rt = tokio::runtime::Runtime::new().unwrap(); // The keyserver interface currently only returns a single // result. let r = rt.block_on(async { inner.keyserver.get(kh.clone()).await }); match r { Ok(certs) => { let certs: Vec<_> = certs.into_iter() .filter_map(Result::ok) .map(|c| Arc::new(LazyCert::from(c))).collect(); for cert in &certs { t!("keyserver returned {}", cert.fingerprint()); // Add the result to the cache. inner.cache(cert); } // Make sure the key server gave us the right // certificate. let requested: Vec<_> = certs.iter().filter( |cert| cert.keys().any(|k| k.key_handle().aliases(kh))) .cloned() .collect(); if ! requested.is_empty() { update!(inner, LookupFinished, kh, &requested[..], None); Ok(requested) } else { let err = KeyServerError::UnexpectedResults( kh.clone(), certs.iter().map(|c| c.fingerprint()).collect()) .into(); t!("{}", err); update!(inner, LookupFailed, kh, Some(&err)); Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into()) } } Err(err) => { t!("keyserver returned an error: {}", err); if let Some(net::Error::NotFound) = err.downcast_ref::() { update!(inner, LookupFailed, kh, None); Err(StoreError::NotFound( KeyHandle::from(kh.clone())).into()) } else { update!(inner, LookupFailed, kh, Some(&err)); Err(err) } } } } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { tracer!(TRACE, "KeyServer::select_userid"); t!("{}", pattern); t!("Looking {:?} up on the keyserver... ", pattern); let mut inner = self.inner.lock().unwrap(); if ! inner.listeners.is_empty() { inner.tx += 1; update!(inner, SearchStarted, pattern, None); } let email_; let email = if query.email && query.anchor_start && query.anchor_end { match email_to_userid(pattern) { Ok(email) => { email_ = email.value().to_vec(); Some(String::from_utf8_lossy(&email_)) }, Err(err) => { t!("{:?}: invalid email address: {}", pattern, err); None } } } else { None }; let rt = tokio::runtime::Runtime::new().unwrap(); let (ks, wkd) = rt.block_on(async { // Query the keyserver. let ks = inner.keyserver.search(pattern); // And the WKD (if it appears to be an email address). let wkd = async { if let Some(email) = email.as_ref() { net::wkd::get(&reqwest::Client::new(), email).await } else { // If it is not an email, it's not an error. Ok(Vec::new()) } }; tokio::join!(ks, wkd) }); let mut certs: Vec> = Vec::new(); match ks { Ok(c) => { t!("Key server returned {} results", c.len()); if ! inner.listeners.is_empty() { let msg = format!("Key server returned {} results", c.len()); update!(inner, SearchStatus, pattern, &msg); } certs.extend(c); }, Err(err) => t!("Key server response: {}", err), } match wkd { Ok(c) => { t!("WKD server returned {} results", c.len()); if ! inner.listeners.is_empty() { let msg = format!("WKD server returned {} results", c.len()); update!(inner, SearchStatus, pattern, &msg); } certs.extend(c); }, Err(err) => t!("WKD server response: {}", err), } // Sort, merge, and cache. let mut certs = certs.into_iter().flatten().collect::>(); certs.sort_by_key(|c| c.fingerprint()); certs.dedup_by(|a, b| { if a.fingerprint() != b.fingerprint() { return false; } // b is kept. So merge into b. match b.clone().merge_public(a.clone()) { Ok(combined) => *b = combined, Err(err) => { t!("Merging copies of {}: {}", a.keyid(), err); } } true }); let mut certs: Vec<_> = certs.into_iter().map(|c| Arc::new(LazyCert::from(c))).collect(); // Add the results to the cache. certs.iter().for_each(|cert| inner.cache(cert)); // Only keep the certificates that actually satisfy the // constraints. certs.retain(|cert| { let cert = cert.to_cert() .expect("LazyCert should already be canonicalized"); query.check_cert(cert, pattern) }); if certs.is_empty() { update!(inner, SearchFailed, pattern, None); Err(StoreError::NoMatches(pattern.to_string()).into()) } else { if TRACE || ! inner.listeners.is_empty() { let msg = format!( "Got {} results:\n {}", certs.len(), certs.iter() .map(|cert: &Arc| { format!( "{} ({})", cert.keyid().to_hex(), cert.with_policy(NP, None) .and_then(|vc| vc.primary_userid()) .map(|ua| { String::from_utf8_lossy(ua.userid().value()) .into_owned() }) .unwrap_or_else(|_| { cert.userids().next() .map(|userid| { String::from_utf8_lossy(userid.value()) .into_owned() }) .unwrap_or("".into()) })) }) .collect::>() .join("\n ")); t!("{}", msg); update!(inner, SearchFinished, pattern, &certs[..], Some(&msg)); } Ok(certs) } } fn fingerprints<'b>(&'b self) -> Box + 'b> { // Return the entries in our cache. Box::new(self .inner.lock().unwrap() .hits_fpr .keys() .cloned() .collect::>() .into_iter()) } } /// [`KeyServer`] specific error codes. #[non_exhaustive] #[derive(thiserror::Error, Debug)] pub enum KeyServerError { /// Keyserver returned the wrong certs. #[error("Keyserver returned the wrong certs: {1:?} (wanted: {0})")] UnexpectedResults(KeyHandle, Vec), } sequoia-cert-store-0.6.0/src/store/no_keyserver.rs000064400000000000000000000025121046102023000203660ustar 00000000000000//! Dummy replacement for the keyserver store. use std::sync::Arc; use sequoia_openpgp::{Fingerprint, KeyHandle}; use crate::{ LazyCert, Result, Store, store::UserIDQueryParams, }; /// Replacement for the keyserver store if feature `keyserver` is /// disabled. /// /// This type cannot be constructed. Hence, its methods cannot be /// invoked. pub struct KeyServer<'a> { spooky: std::marker::PhantomData<&'a ()>, } impl<'a> KeyServer<'a> { /// Deletes the key with the given fingerprint from the cache. #[allow(dead_code)] pub(crate) fn delete_from_cache(&self, _: I) where I: Iterator>>, { unreachable!("no instance can be created") } } impl<'a> Store<'a> for KeyServer<'a> { fn lookup_by_cert(&self, _: &KeyHandle) -> Result>>> { unreachable!("no instance can be created") } fn lookup_by_cert_or_subkey(&self, _: &KeyHandle) -> Result>>> { unreachable!("no instance can be created") } fn select_userid(&self, _: &UserIDQueryParams, _: &str) -> Result>>> { unreachable!("no instance can be created") } fn fingerprints<'b>(&'b self) -> Box + 'b> { unreachable!("no instance can be created") } } sequoia-cert-store-0.6.0/src/store/pep.rs000064400000000000000000001504061046102023000164450ustar 00000000000000use std::path::Path; use std::path::PathBuf; use std::sync::Arc; use std::sync::Mutex; use anyhow::Context; use rusqlite::{ CachedStatement, Connection, OpenFlags, OptionalExtension, params, Row, }; use sequoia_openpgp as openpgp; use openpgp::{ Cert, cert::raw::RawCertParser, Fingerprint, KeyHandle, KeyID, packet::UserID, parse::Parse, serialize::Serialize, }; use crate::LazyCert; use crate::Result; use crate::Store; use crate::StoreUpdate; use crate::store::MergeCerts; use crate::store::StoreError; use crate::store::UserIDQueryParams; // Maximum busy wait time. pub const BUSY_WAIT_TIME: std::time::Duration = std::time::Duration::from_secs(5); // The location of the keys DB relative to the user's home directory. pub const KEYS_DB: &[ &str ] = &[ "keys.db" ]; use crate::TRACE; #[non_exhaustive] #[derive(thiserror::Error, Debug)] pub enum Error { #[error("Opening the database failed: {1}")] InitCannotOpenDB(#[source] anyhow::Error, String), #[error("Unknown error: {1}")] UnknownError(#[source] anyhow::Error, String), #[error("Database error: {1}")] UnknownDbError(#[source] anyhow::Error, String), #[error("Cannot delete key: {0}")] CannotDeleteKey(#[source] anyhow::Error, String), } // Transforms an error from some error type to the pep::Error. macro_rules! wrap_err { ($e:expr, $err:ident, $msg:expr) => { $e.map_err(|err| { eprintln!("Error: {}: {}", err, $msg); anyhow::Error::from(Error::$err( anyhow::Error::from(err).into(), String::from($msg))) }) } } /// A pEp certificate store backend. /// /// A backend, which provides access to a [pEp] certificate store. /// /// [pEp]: https://gitea.pep.foundation/pEp.foundation/pEpEngine pub struct Pep { conn: Mutex, } assert_send_and_sync!(Pep); // Generates a convenience method that returns a prepared statement // for the specified sql. If preparing the statement results in an // error, the error is converted to out native error type. macro_rules! sql_stmt { ($name:ident, $sql:expr) => { fn $name(conn: &Connection) -> Result> { let mut name: &str = stringify!($name); if name.ends_with("_stmt") { name = &name[..name.len() - "_stmt".len()]; } wrap_err!( conn.prepare_cached( $sql), UnknownDbError, format!("preparing {} query", name)) } } } // Execute a query to load certificates, and actually load the // certificates. macro_rules! cert_query { ($stmt:expr, $args:expr, $err:expr) => {{ let rows = wrap_err!( $stmt.query_map($args, Self::key_load), UnknownDbError, "executing query")?; let mut results: Vec<_> = Vec::new(); for row in rows { let (keydata, _private) = wrap_err!(row, UnknownError, "parsing result")?; match Cert::from_bytes(&keydata) { Ok(cert) => results.push(Arc::new(LazyCert::from(cert))), Err(err) => { t!("Warning: unable to parse a certificate: {}\n{:?}", err, String::from_utf8(keydata)); } } } if results.is_empty() { Err(anyhow::Error::from($err)) } else { Ok(results) } }} } impl Pep { /// Opens a `Pep` certificate store. /// /// If `path` is `None`, then this uses the default location, which /// is `$HOME/.pEp/keys.db`. /// /// This initializes the database, if necessary. pub fn open

(path: Option

) -> Result where P: AsRef { match path { Some(p) => Self::init_(Some(p.as_ref())), None => { let mut set = false; let mut keys_db = PathBuf::new(); #[cfg(not(windows))] if cfg!(debug_assertions) { if let Ok(pep_home) = std::env::var("PEP_HOME") { set = true; keys_db = PathBuf::from(pep_home); } } if ! set { if let Some(home) = dirs::home_dir() { keys_db = home } else { return Err(anyhow::anyhow!( "Failed to find home directory")); } } for n in KEYS_DB { keys_db.push(n); } Self::init_(Some(&keys_db)) } } } /// Returns a new `Pep`. /// /// This uses an in-memory sqlite database. pub fn empty() -> Result { Self::init_in_memory() } /// Returns a new `Pep`. /// /// This uses an in-memory sqlite database, and loads it with the /// keyring. pub fn from_bytes<'a>(bytes: &'a [u8]) -> Result { tracer!(TRACE, "Pep::from_bytes"); let raw_certs = RawCertParser::from_bytes(bytes)? .filter_map(|c| { match c { Ok(c) => Some(c), Err(err) => { t!("Parsing raw certificate: {}", err); None } } }); Self::from_certs(raw_certs) } /// Returns a new `Pep`. /// /// This uses an in-memory sqlite database, and loads it with the /// specified certificates. pub fn from_certs<'a, I>(certs: impl IntoIterator) -> Result where I: Into> { let r = Self::init_in_memory()?; for cert in certs { r.update(Arc::new(cert.into())).expect("implementation doesn't fail") } Ok(r) } /// Initializes an in-memory key store. /// /// This is used for the unit tests. //#[cfg(test)] pub(crate) fn init_in_memory() -> Result { Self::init_(None) } fn init_(home: Option<&Path>) -> Result { let mut keys_db = PathBuf::new(); let conn = if let Some(home) = home { keys_db.push(home); if home.is_dir() { for n in KEYS_DB { keys_db.push(n); } } wrap_err!( Connection::open_with_flags( &keys_db, OpenFlags::SQLITE_OPEN_READ_WRITE | OpenFlags::SQLITE_OPEN_CREATE | OpenFlags::SQLITE_OPEN_PRIVATE_CACHE), InitCannotOpenDB, format!("Opening keys DB ('{}')", keys_db.display()))? } else { // Create an in-memory DB. wrap_err!( Connection::open_in_memory(), InitCannotOpenDB, "Creating in-memory keys DB")? }; wrap_err!( conn.execute_batch("PRAGMA secure_delete=true; PRAGMA foreign_keys=true; PRAGMA locking_mode=NORMAL; PRAGMA journal_mode=WAL;"), InitCannotOpenDB, format!("Setting pragmas on keys DB ('{}')", keys_db.display()))?; wrap_err!( conn.busy_timeout(BUSY_WAIT_TIME), InitCannotOpenDB, format!("Setting busy time ('{}')", keys_db.display()))?; wrap_err!( conn.create_collation("EMAIL", Self::email_cmp), InitCannotOpenDB, format!("Registering EMAIL collation function"))?; wrap_err!( conn.execute_batch( "CREATE TABLE IF NOT EXISTS keys ( primary_key TEXT UNIQUE PRIMARY KEY, secret BOOLEAN, tpk BLOB ); CREATE INDEX IF NOT EXISTS keys_index ON keys (primary_key, secret)"), InitCannotOpenDB, format!("Creating keys table ('{}')", keys_db.display()))?; wrap_err!( conn.execute_batch( "CREATE TABLE IF NOT EXISTS subkeys ( subkey TEXT NOT NULL /* KeyID */, primary_key TEXT NOT NULL /* Fingerprint */, UNIQUE(subkey, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE ); CREATE INDEX IF NOT EXISTS subkeys_index ON subkeys (subkey, primary_key)"), InitCannotOpenDB, format!("Creating subkeys table ('{}')", keys_db.display()))?; wrap_err!( conn.execute_batch( "CREATE TABLE IF NOT EXISTS userids ( userid TEXT NOT NULL COLLATE EMAIL, primary_key TEXT NOT NULL, UNIQUE(userid, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE ); CREATE INDEX IF NOT EXISTS userids_index ON userids (userid COLLATE EMAIL, primary_key)"), InitCannotOpenDB, format!("Creating userids table ('{}')", keys_db.display()))?; Ok(Pep { conn: Mutex::new(conn), }) } // Returns a prepared statement for finding a certificate by // primary key fingerprint. sql_stmt!(cert_find_stmt, "SELECT tpk, secret FROM keys WHERE primary_key == ?"); // This only works for v4 certificates! For v6 certificates the // keyid is the start of the fingerprint, not the end. sql_stmt!(cert_find_by_keyid_stmt, "SELECT tpk, secret FROM keys WHERE primary_key like '%' || ?"); // Returns a prepared statement for finding a key by primary key // fingerprint. sql_stmt!(tsk_find_stmt, "SELECT tpk, secret FROM keys WHERE primary_key == ? and secret == 1"); // Returns a prepared statement for finding a certificate that // contains a key with the specified key id. That is, this // matches on the primary key's key ID as well as any subkeys' key // ID. sql_stmt!(cert_find_with_key_stmt, "SELECT tpk, secret FROM subkeys LEFT JOIN keys ON subkeys.primary_key == keys.primary_key WHERE subkey == ?"); // Returns a prepared statement for finding a certificate with // secret key material that contains a key (with or without secret // key material) with the specified key id. That is, this matches // on the primary key's key ID as well as any subkeys' key ID. sql_stmt!(tsk_find_with_key_stmt, "SELECT tpk, secret FROM subkeys LEFT JOIN keys ON subkeys.primary_key == keys.primary_key WHERE subkey == ? and keys.secret == 1"); // Returns a prepared statement for finding a certificate with the // specified email address. sql_stmt!(cert_find_by_email_stmt, "SELECT tpk, secret FROM userids LEFT JOIN keys ON userids.primary_key == keys.primary_key WHERE userid == ?"); // Returns a prepared statement for returning all the fingerprints // of all certificates in the database. sql_stmt!(cert_list_stmt, "select primary_key from keys"); // Returns a prepared statement for returning all certificates in // the database. sql_stmt!(cert_all_stmt, "select tpk, secret from keys"); // Returns a prepared statement for returning all certificates in // the database, which contain secret key material. sql_stmt!(tsk_all_stmt, "select tpk, secret from keys where secret = 1"); // Returns a prepared statement for updating the keys table. sql_stmt!(cert_save_insert_primary_stmt, "INSERT OR REPLACE INTO keys (primary_key, secret, tpk) VALUES (?, ?, ?)"); // Returns a prepared statement for updating the subkeys table. sql_stmt!(cert_save_insert_subkeys_stmt, "INSERT OR REPLACE INTO subkeys (subkey, primary_key) VALUES (?, ?)"); // Returns a prepared statement for updating the userids table. sql_stmt!(cert_save_insert_userids_stmt, "INSERT OR REPLACE INTO userids (userid, primary_key) VALUES (?, ?)"); // Returns a prepared statement for deleting a certificate. // // Note: due to the use of foreign keys, when a key is removed // from the keys table, the subkeys and userids tables are also // automatically update. sql_stmt!(cert_delete_stmt, "DELETE FROM keys WHERE primary_key = ?"); // Compares two User IDs. // // Extracts the email address or URI stored in each User ID and // compares them. A User ID that does not contain an email // address or URI is sorted earlier than one that does. // // This is used as the collation function. pub fn email_cmp(a: &str, b: &str) -> std::cmp::Ordering { let a_userid = UserID::from(a); let b_userid = UserID::from(b); let a_email = a_userid .email_normalized() .or_else(|_| a_userid.uri2().map(|o| o.map(Into::into))) .ok(); let b_email = b_userid .email_normalized() .or_else(|_| b_userid.uri2().map(|o| o.map(Into::into))) .ok(); match (a_email, b_email) { (None, None) => std::cmp::Ordering::Equal, (None, Some(_)) => std::cmp::Ordering::Less, (Some(_), None) => std::cmp::Ordering::Greater, (Some(a), Some(b)) => a.cmp(&b) } } // The callback used by functions returning a certificate and // whether the certificate contains any secret key material. fn key_load(row: &Row) -> rusqlite::Result<(Vec, bool)> { let cert = row.get(0)?; let secret_key_material = row.get(1)?; Ok((cert, secret_key_material)) } /// Returns the matching TSK. /// /// Like [`Store::lookup_by_cert_fpr`], but only returns /// certificates with private key material. pub fn tsk_lookup_by_cert_fpr(&self, fpr: &Fingerprint) -> Result> { tracer!(TRACE, "Pep::tsk_lookup_by_cert_fpr"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::tsk_find_stmt(&conn)?; let r = cert_query!(stmt, [ fpr.to_hex() ], StoreError::NotFound(KeyHandle::from(fpr)))?; let r = r.into_iter() .next() .ok_or_else(|| StoreError::NotFound(KeyHandle::from(fpr)))?; Ok(r) } /// Returns the matching TSK. /// /// Like [`Store::lookup_by_cert_or_subkey`], but only returns certificates /// with private key material. pub fn tsk_lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>> { tracer!(TRACE, "Pep::tsk_lookup_by_cert_or_subkey"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::tsk_find_with_key_stmt(&conn)?; let keyid = KeyID::from(kh).to_hex(); t!("({})", keyid); cert_query!(stmt, [ keyid ], StoreError::NotFound(kh.clone())) } /// Returns all of the TSKs. /// /// Like [`Store::certs`], but only returns certificates with /// private key material. pub fn tsks<'b>(&'b self) -> Box> + 'b> { tracer!(TRACE, "Pep::tsks"); let inner = || -> Result> { let conn = self.conn.lock().unwrap(); let mut stmt = Self::tsk_all_stmt(&conn)?; cert_query!(stmt, [ ], StoreError::NoMatches("EOF".into())) }; match inner() { Ok(results) => Box::new(results.into_iter()), Err(err) => { t!("Listing TSKs: {}", err); Box::new(std::iter::empty()) } } } /// Deletes the specified certificate from the database. /// /// If the certificate contains any private key material, this is /// also deleted. /// /// Returns an error if the specified certificate is not found. pub fn cert_delete(&mut self, fpr: Fingerprint) -> Result<()> { let conn = self.conn.lock().unwrap(); let changes = wrap_err!( Self::cert_delete_stmt(&conn)? .execute(params![ fpr.to_hex() ]), CannotDeleteKey, format!("Deleting {}", fpr))?; if changes == 0 { Err(StoreError::NotFound(KeyHandle::from(fpr.clone())).into()) } else { Ok(()) } } } impl<'a> Store<'a> for Pep { /// Returns the certificates whose fingerprint matches the handle. /// /// Returns [`StoreError::NotFound`] if no certificate is found. /// /// The caller may assume that looking up a fingerprint returns at /// most one certificate. fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Pep::lookup_by_cert"); let conn = self.conn.lock().unwrap(); let mut stmt = match kh { KeyHandle::Fingerprint(_) => { Self::cert_find_stmt(&conn)? } KeyHandle::KeyID(_) => { Self::cert_find_by_keyid_stmt(&conn)? } }; cert_query!(stmt, [ kh.to_hex() ], StoreError::NotFound(kh.clone())) } /// Returns certificates that have a key with the specified /// handle, if any. /// /// Returns [`StoreError::NotFound`] if no certificate is not found. /// /// Note: even if you pass a fingerprint, this may return multiple /// certificates as the same subkey may be attached to multiple /// certificates. fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { tracer!(TRACE, "Pep::lookup_by_cert_or_subkey"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_find_with_key_stmt(&conn)?; let keyid = KeyID::from(kh).to_hex(); t!("({})", keyid); let mut certs: Vec>> = cert_query!(stmt, [ keyid ], StoreError::NotFound(kh.clone()))?; if let KeyHandle::Fingerprint(fpr) = kh { // Self::cert_find_with_key_stmt works with key ids. Make // sure the fingerprint appears. certs = certs .into_iter() .filter(|cert: &Arc>| -> bool { cert.keys().any(|ka| &ka.fingerprint() == fpr) }) .collect::>>>(); } Ok(certs) } /// Returns certificates that have a User ID matching the /// specified pattern according to the query parameters. fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { tracer!(TRACE, "Pep::select_userid"); let results: Vec>; match (query.email(), query.ignore_case(), query.anchor_start(), query.anchor_end()) { // Email. (true, _, true, true) => { match UserIDQueryParams::is_email(pattern) { Ok(email) => return self.lookup_by_email(&email), Err(err) => { t!("{:?} is not a valid email address: {}", pattern, err); return Ok(vec![ ]); } } } _ => { // Iterate over all the certificates, and return those // that match. // // This is potentially very expensive. Where possible // we should use the the indices to reduce false // positives. results = self.certs() .filter(|cert| { query.check_lazy_cert(&cert, pattern) }) .collect(); } } if results.is_empty() { Err(StoreError::NoMatches(pattern.into()).into()) } else { Ok(results) } } /// Returns certificates that have a User ID with the specified /// email address. /// /// The pattern is interpreted as an email address. It is first /// normalized, and then matched against the normalized email /// address, it is anchored, and the match is case sensitive. fn lookup_by_email(&self, email: &str) -> Result>>> { tracer!(TRACE, "Pep::lookup_by_email"); let userid = crate::email_to_userid(&email)?; let email = userid.email_normalized()?.expect("have one"); let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_find_by_email_stmt(&conn)?; cert_query!(stmt, [ &email ], StoreError::NoMatches(email.into())) } /// Lists all of the certificates. /// /// If a backend is not able to enumerate all the certificates, /// then it should return those that it knows about. For /// instance, some keyservers allow certificates to be looked up /// by fingerprint, but not to enumerate all of the certificates. /// Thus, a user must not assume that if a certificate is not /// returned by this function, it cannot be found by name. fn fingerprints<'b>(&'b self) -> Box + 'b> { tracer!(TRACE, "Pep::fingerprints"); let inner = || -> Result> { let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_list_stmt(&conn)?; let rows = wrap_err!( stmt.query_map([ ], |row: &Row| { let fpr: String = row.get(0)?; Ok(fpr) }), UnknownDbError, "executing query")?; let mut results: Vec<_> = Vec::new(); for row in rows { let fpr = wrap_err!(row, UnknownError, "parsing result")?; match fpr.parse::() { Ok(fpr) => results.push(fpr), Err(err) => { t!("Warning: unable to parse {:?} as a fingerprint: {}", fpr, err); } } }; Ok(results) }; match inner() { Ok(results) => Box::new(results.into_iter()), Err(err) => { t!("Listing fingerprints: {}", err); Box::new(std::iter::empty()) } } } /// Returns all of the certificates. /// /// The default implementation is implemented in terms of /// [`Store::fingerprints`] and [`Store::lookup_by_cert_fpr`]. Many backends /// will be able to do this more efficiently. fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { tracer!(TRACE, "Pep::certs"); let inner = || -> Result> { let conn = self.conn.lock().unwrap(); let mut stmt = Self::cert_all_stmt(&conn)?; cert_query!(stmt, [ ], StoreError::NoMatches("EOF".into())) }; match inner() { Ok(results) => Box::new(results.into_iter()), Err(err) => { t!("Error: {}", err); Box::new(std::iter::empty()) } } } } impl<'a> StoreUpdate<'a> for Pep { fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { tracer!(TRACE, "Pep::update_by"); let fpr = cert.fingerprint(); t!("Updating {}", fpr); let mut conn = self.conn.lock().unwrap(); let tx = wrap_err!( conn.transaction(), UnknownDbError, "starting transaction" )?; // If the certificate already exists, we merge the existing // variant with the new variant. let r = wrap_err!( Self::cert_find_stmt(&tx)? .query_row(&[ &fpr.to_hex() ], Self::key_load).optional(), UnknownDbError, "executing query")?; let existing = if let Some((existing_keydata, _)) = r { t!("Got {} bytes of existing certificate data", existing_keydata.len()); match Cert::from_bytes(&existing_keydata) { Ok(existing) => Some((existing_keydata, LazyCert::from(existing))), Err(err) => { t!("Failed to parse existing data for {} (overwriting): {}", fpr, err); None } } } else { t!("New certificate"); None }; let merged = if let Some((_, existing_cert)) = &existing { t!("Updating {}", fpr); merge_strategy.merge_public(cert, Some(Arc::new(existing_cert.clone()))) .with_context(|| { format!("Merging two versions of {}", fpr) })? } else { t!("Inserting {}", fpr); merge_strategy.merge_public(cert, None)? }; let merged = merged.to_cert() .context("Resolving merged certificate")? .clone(); let mut merged_keydata = Vec::new(); wrap_err!( merged.as_tsk().serialize(&mut merged_keydata), UnknownDbError, "Serializing certificate")?; let new_or_changed = if let Some((existing_keydata, _)) = &existing { &merged_keydata != existing_keydata } else { true }; if ! new_or_changed { t!("Data unchanged."); return Ok(Arc::new(LazyCert::from(merged))); } t!("Serializing {} bytes ({:X})", merged_keydata.len(), { use std::collections::hash_map::DefaultHasher; use std::hash::Hasher; let mut hasher = DefaultHasher::new(); hasher.write(&merged_keydata); hasher.finish() }); // Save the certificate. { let mut stmt = Self::cert_save_insert_primary_stmt(&tx)?; wrap_err!( stmt.execute( params![fpr.to_hex(), merged.is_tsk(), &merged_keydata]), UnknownDbError, "Executing cert_save_insert_primary")?; } // Update the subkey table. { let mut stmt = Self::cert_save_insert_subkeys_stmt(&tx)?; for (i, ka) in merged.keys().enumerate() { t!(" {}key: {} ({} secret key material)", if i == 0 { "primary " } else { "sub" }, ka.keyid(), if ka.has_secret() { "has" } else { "no" }); wrap_err!( stmt.execute( params![ka.keyid().to_hex(), fpr.to_hex()]), UnknownDbError, "Executing cert save insert subkeys")?; } } // Update the userid table. { let mut stmt = Self::cert_save_insert_userids_stmt(&tx)?; for ua in merged.userids() { let uid = if let Ok(Some(email)) = ua.email_normalized() { email } else if let Ok(Some(uri)) = ua.uri2() { uri.to_string() } else { continue; }; t!(" User ID: {}", uid); wrap_err!( stmt.execute(params![uid, fpr.to_hex()]), UnknownDbError, "Executing cert save insert userids")?; } } wrap_err!( tx.commit(), UnknownDbError, "committing transaction" )?; t!("saved"); Ok(Arc::new(LazyCert::from(merged))) } } #[cfg(test)] mod tests { use super::*; #[test] fn keys_db() -> Result<()> { tracer!(TRACE, "keys_db"); struct Record { fingerprint: &'static str, subkeys: &'static [&'static str], userids: &'static [&'static str], } impl Record { fn fingerprint(&self) -> Fingerprint { self.fingerprint.parse::().expect("valid") } fn keys(&self) -> impl Iterator { std::iter::once(self.fingerprint()) .chain(self.subkeys.iter().map(|sk| { sk.parse::().expect("valid") })) } } let records = &[ Record { fingerprint: "04880CB55875B6548C25C729A00E4CD660454746", subkeys: &[ "F9CBBC92F2C34E518722CA77CADEEF67FAADD951", "05793483F1826E44A2B866E0A7CB62B3422503EE", "2C0E08F26EE06409C4712149DAC435B561D44E7B", ], userids: &[ "francis@fake.pep.foundation", ] }, Record { fingerprint: "08C6A9408241E6ED99A0A2767A6B35253722954D", subkeys: &[ "2F7B12FD253CF4ECC9255D7053D8C1B7F801D54D", "DB806800E939D5F0611BCD0DD9D4C006F09088D1", "9F62CE8B0786820B933427A50AC73BFE55E17D22", ], userids: &[ "Luca Saiu (free software hacker at pEp foundation) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu (free software hacker, GNU maintainer, computer scientist) ", "Luca Saiu ", "Luca Saiu on mobile (do not use: only for myself) ", ] }, Record { fingerprint: "10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F", subkeys: &[ "E111DA754DD6839738F83CDC4A869829AAB70CBE", "E3AB3FFE39F7B12880B1A7035A826CAA7026DB6F", ], userids: &[ "pEpUserThree ", ] }, Record { fingerprint: "1CF1202EC58B5514EADC477AAA9CAC9C7B935A45", subkeys: &[ "423D41EF768D8D1C56CAB1FD994931632B55CF76", "D9947827069496C55E92D514DA2E401BDCC26140", "0706AEDD2CA382D2F3B0EF5C34450D8FA47BE578", ], userids: &[ "john@fake.pep.foundation", ] }, Record { fingerprint: "22A589136F68CC46076FFA6071B2EDA40DC29CC7", subkeys: &[ "C5D71768F5D7CC5C94659384ADF2379966C74972", "528A548BD73B7035AF469F3147D04DC2B74725E1", "65444DDC1BB08DE9AAB7A6BA38E7A3645666C769", ], userids: &[ "david@fake.pep.foundation", ] }, Record { fingerprint: "2349DF0D7DBD60C6C20453350553D1E9E9AE5C54", subkeys: &[ "1B8185A37003F109AE7D56921908736247B42C7C", "1815AFE0BEB4EE7195B8A8402F8A666BE91A400F", "C55EE7CACBBCEB75228CDCFBCDFBE06BBC5F6D29", ], userids: &[ "sabrina@fake.pep.foundation", ] }, Record { fingerprint: "2533E4E13EC84A784DE6F2962C3E64162620C978", subkeys: &[ "5B71667A87F2006D8C874F448134877075548DB7", "1DB026D73D7B6BB8B17646B17AB77AECC3703ED5", "434E3BB9D702FF0E4B4033454D2476E6EDCA3BE2", ], userids: &[ "zachary@fake.pep.foundation", ] }, Record { fingerprint: "2F8EB6F51987B06706ED6E45064ABE0B9108844E", subkeys: &[ "3872E86087B7C38EE469BD962DD7EC6B89966D7D", "AC677AC99D84F60E71BB1A533BDE948165BE1800", "39C6CDBC2D0DF90960BD7FBF3AD07BB3F42BD08E", ], userids: &[ "gilbert@fake.pep.foundation", ] }, Record { fingerprint: "43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3", subkeys: &[ "86801702F48ED113958C70FD28967B47191899F8", "932B684FB0672F374626F8889F5599183124F72D", "DD8B64AEE46E8DE72DBFBC03185B7A6512A48391", ], userids: &[ "ernest@fake.pep.foundation", ] }, Record { fingerprint: "4925E278E468D55BA68B3AC49E1F03BA787E31EA", subkeys: &[ "6C4B1AE1D50683DBF1224F0338CBCE44873FE1A7", "E350B80A80C6C77E4D8D0C62C96ADEF6A2CCFA98", "9578E63C4EBCB861521BE6F71949FBA7A090B71D", ], userids: &[ "yoko@fake.pep.foundation", ] }, Record { fingerprint: "4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B", subkeys: &[ "BEED00902BCD166C0F2B10C51981CA07B08A2AA3", "1EDB7F72E67CA292FE1F3428650BEEAE8BE0BA78", "4658FDA3D8FB8E9154D2EAAFE8F03F5A4682799E", ], userids: &[ "bob@fake.pep.foundation", ] }, Record { fingerprint: "507212E4796EFBF4FF8E4B1BF411A72A5C89092C", subkeys: &[ "282E7BE3396051799239B462A9173FFEBD40DA28", "DFBC57AAC0D7C9D5E5B974ADE6F0D74501D65927", ], userids: &[ "pEpUserTwo ", ] }, Record { fingerprint: "5C55764028BE2DD718F9DAAAD8D14CE515A32801", subkeys: &[ "71BB66F7E592075A11F97E2BB058180EE35C8BE0", "D87E291B879F72682D7FA06804EEFDB17B04F78B", "155A466B86DDC61DDF25E85D50B9CB75C2151872", ], userids: &[ "ophelia@fake.pep.foundation", ] }, Record { fingerprint: "68A4E57878501CF89B9844039B3560C27904221F", subkeys: &[ "C3770108DC6DC449323718F101076D890F515D6F", "B99A6A6BAB7CE86DE08AFC770509657A6BAC730C", "689D45E46A723E234DDC7AFAB4E5A2B2EF97E405", ], userids: &[ "nkls@fake.pep.foundation", ] }, Record { fingerprint: "6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07", subkeys: &[ "FFF6F17D7807A8E40F08253B1B23CEF521884A3F", "0430CE889630E018D824177C1DB2D0B226A87A27", "82C2CD0877B7DA063BD09ECE69AF5A6299EC8A60", ], userids: &[ "ziggy@fake.pep.foundation", ] }, Record { fingerprint: "7A757276DFF48471EA032D2B98611755153523E6", subkeys: &[ "B6F72694DFE3ED77F6E3EE6DEEE9E2E4D0403BA2", "36469B4676CEE3B28710D6441C23477C835E5CEB", "EE98545F41E1AFDB67C4498D42916177BEAA8874", ], userids: &[ "yves@fake.pep.foundation", ] }, Record { fingerprint: "7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76", subkeys: &[ "C8016468CCDF2C33997019647F6B5258C086DC6B", "19529BB44C4AE0FB5F7976194B8313F3BF069E6A", "9DF6E3803A0F57579C5399962C7C1FA3369E4A4D", ], userids: &[ "paul@fake.pep.foundation", ] }, Record { fingerprint: "8049F106768CD5D6374645F3B0C0ABEFB3892D73", subkeys: &[ "69FE5FFBF2EC257B452E880066CC46F715A66DBC", "C21839A49A47E534731137549079AA6B02A61A8B", "D2DC92A6E0DC69F80B355308FD289E27C690EE4E", ], userids: &[ "mary@fake.pep.foundation", ] }, Record { fingerprint: "8A0293871D97E954B8397DFD072889CB0E82D77B", subkeys: &[ "614F9A11152D7D2373A4F505D49FD2CB8EEF9103", "8E7242E2C05D1FB2B49CC19A6C9FF639C2D20ED2", "CC68938EB2949794B5D34061132E928709CB1956", ], userids: &[ "randy@fake.pep.foundation", ] }, Record { fingerprint: "912E63F55388D9886151101CDA4FE8ECD8365D6E", subkeys: &[ "AB22733035AA5F96C357D0D3773082B0012A791A", "673D7C2892CB4D38CDB1DD41AF26C6724E7E40F3", "E5772DCDB9CBD8631A2A03A93F0586841937BDFE", ], userids: &[ "ned@fake.pep.foundation", ] }, Record { fingerprint: "9BC60CF498E584E5620014340C099ECDA62431FE", subkeys: &[ "6675F0E49F87BBB75D0EE762884DFEDE8DF8A5B1", "C4669EDC5091DE34BEDD65331743133E219C1EB1", "6F2087132F126BCFB19B8B0F94D1A2CC4A978727", ], userids: &[ "victor@fake.pep.foundation", ] }, Record { fingerprint: "9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1", subkeys: &[ "32FF5498B9FF8E14D8575139DE99B5AACE801044", "568042CD692658C0FCD8B983AC9255C490B72219", "634B9C334069B2A083D1C9E66286EF138550E5C0", ], userids: &[ "irene@fake.pep.foundation", ] }, Record { fingerprint: "A20EF4E353FF61FF6B8B401AC48BF850A5E9C611", subkeys: &[ "436A273DC129DD70B4C8233B33DB91F8AAECA2FD", "BA455203A9BDEC6B168EEDE851074EA7D24AA490", "F1657C4DC11A61C47DF1CD628451B62D9873AE16", ], userids: &[ "henry@fake.pep.foundation", ] }, Record { fingerprint: "A2439F4C712EA9FA6B65BC17DECD473509E96847", subkeys: &[ "F691FDB3FE8683AC485CABEDAA761009D6D131A0", "36ECEAE6F6A2ED1264001B98B974664B34752AFC", "A762875E701B76729547C5C55609A4F9A4344957", ], userids: &[ "ulysses@fake.pep.foundation", ] }, Record { fingerprint: "AAB978A882B9A6E793960B071ADFC82AC3586C14", subkeys: &[ "F2A0CBDC287931D3D69988E5EDF969810BA5194C", ], userids: &[ "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", "Volker Birk ", ] }, Record { fingerprint: "B5AAD4575B2988D99E3FB3EE973EE71028459E9A", subkeys: &[ "CA0BD82382BC588F51FDDE5083C69AF0F851437A", "826E96AD20F30B027CD6DDD70D6DF17AFEF1FFBA", "D798ABEE594EE900CDA2B0DECEFC4DCD7DD09BF9", ], userids: &[ "xenia@fake.pep.foundation", ] }, Record { fingerprint: "B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79", subkeys: &[ "823A732A9518DC79F687FFBC3D4778FC2C38084F", "9B585A80E1C81CC7A2B9B7DDDF5F5C00DA897592", "5FD13A0E30F49F9F50AD131ACDD45401DD0E759F", ], userids: &[ "alice@fake.pep.foundation", ] }, Record { fingerprint: "C11BCCBB3F843593B8975AFB958E85734EF0ADE0", subkeys: &[ "01389D318C1B7146464F7E0DDD26BFF997B128D0", "13830079F9A096D9333683EAE572969A4BF0EAA1", "FFA2C2B2685B4D258BDE8CCFC0D868F1963180D8", ], userids: &[ "ken@fake.pep.foundation", ] }, Record { fingerprint: "CB4287D637F9BC0CB38F978AEB64F54F552F0AB7", subkeys: &[ "CA30E474FBB1021F3CD7DB74C25C74A408C599D8", "A8B3E97A82D39C6DE4890C4854E2200EE3627373", "D533C66AE6DE8DC54C9D695564BF7EACFA7E07D3", ], userids: &[ "valeria@fake.pep.foundation", ] }, Record { fingerprint: "CDAE31CA330249BC5284C1F96033761A09D517DF", subkeys: &[ "8A8B91F58F4B20C3D79F3710054118196B963B7D", "F9B079BE2882793F7C7EF867EA301A7C9A893815", "6F2B8C671245EFF407259CE82C45488C98085D61", ], userids: &[ "wyatt@fake.pep.foundation", ] }, Record { fingerprint: "D27B4F82C717A04DFF3A986489929D075908994E", subkeys: &[ "C8F9A3AC57C402EACACCA0925DFAD7D10C678DBE", "F405EE2559711EAC16F4B0E37903174192105E48", "0878C54CDFC955756A002259A685E0D6F5530952", ], userids: &[ "xavier@fake.pep.foundation", ] }, Record { fingerprint: "E1C12525BFAF4F092D109F2152B7186506DCC483", subkeys: &[ "F03D87EDA63C5BFAB30182CC2B45B386DCB3A0CF", "8AF21DCC9537E2644C844383DB24D05A4CFF4204", "84FE32BC7C903DE726A36E18BDE25B8E80237EE2", ], userids: &[ "tamara@fake.pep.foundation", ] }, Record { fingerprint: "E4C1FB98268170769154C21BBD1637EEB34E933B", subkeys: &[ "60EF08693793CBC2A0452C59E7D3FED35EAF68B9", "ECA3B609C1661937540C50871D7FA83415FD0C9C", "DB2234A696DBAF7CDF04264FB929651D1EDAD644", ], userids: &[ "zenobia@fake.pep.foundation", ] }, Record { fingerprint: "EB4750A0B0A0F558ED5F768F8B893A26133B3F66", subkeys: &[ "6D600191F05865CFE5F4B93214180E23218FFEDA", "C101BCA52FBC77A2F00241B58F07A6D986845B5A", "A35FC3F687EDE1749A677486F300560992B840A8", ], userids: &[ "owen@fake.pep.foundation", ] }, Record { fingerprint: "F29B751A3123A1502E5C0665745FB6564FC5F7DC", subkeys: &[ "A1CEFF2AD2055D84311A34DD19BAAA837AA0EDE3", "B3358A65A142E96D742006A189E01368B3CFEA66", "ADE383408E6A66E64934114FDF466C19D1E09129", ], userids: &[ "carol@fake.pep.foundation", ] }, Record { fingerprint: "F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3", subkeys: &[ "59901649426B2C70871133CB0DCD1F051766107F", "4560CBD01CD2BE321EC50DF9C1B27AC998ABABB8", "83E8BC30EE962BF2D160A3F59C4396FA8EE7BB36", ], userids: &[ "quasimodo@fake.pep.foundation", ] }, Record { fingerprint: "FBD19974E304C95589F976BD71059020F2CC257C", subkeys: &[ "90FE526A624C3F4503B8E77E94E766EE6359246D", "32294836077FF576868D4958848F73B0CCB468D9", "104807CB7B51CD3CD2FF7366780F3DCE8BA84184", ], userids: &[ "louis@fake.pep.foundation", ] } ]; let tmp = tempfile::tempdir()?; let filename = tmp.path().join("keys.db"); { let mut orig = PathBuf::from(env!("CARGO_MANIFEST_DIR")); orig.push("tests/pep/keys.db"); let data = std::fs::read(orig)?; std::fs::write(&filename, data)?; } let pep = Pep::open(Some(filename)).expect("can open"); // Certs. assert_eq!(records.len(), pep.certs().count()); // Fingerprints. { let mut pep_fprs = pep.fingerprints().collect::>(); pep_fprs.sort(); let mut expected_fprs = records.iter() .map(|r| r.fingerprint()) .collect::>(); expected_fprs.sort(); assert_eq!(pep_fprs.len(), expected_fprs.len()); assert_eq!(pep_fprs, expected_fprs); } for record in records.iter() { // Lookup by certs fingerprint. for (i, key) in record.keys().enumerate() { let r = pep.lookup_by_cert_fpr(&key); if i == 0 { assert!(r.is_ok()); } else { // Looking up by subkey won't work. assert!(r.is_err()); } // By fingerprint. let kh = KeyHandle::from(key); let r = pep.lookup_by_cert(&kh).ok().map(|c| c.len()); if i == 0 { assert_eq!(r, Some(1)); } else { assert_eq!(r, None); } // By Key ID. let kh = KeyHandle::from(KeyID::from(kh)); let r = pep.lookup_by_cert(&kh).ok().map(|c| c.len()); if i == 0 { assert_eq!(r, Some(1)); } else { assert_eq!(r, None); } } // Lookup by keys. for key in record.keys() { // By fingerprint. let kh = KeyHandle::from(key); assert_eq!(pep.lookup_by_cert_or_subkey(&kh).ok().map(|c| c.len()), Some(1)); // By Key ID. let kh = KeyHandle::from(KeyID::from(kh)); assert_eq!(pep.lookup_by_cert_or_subkey(&kh).ok().map(|c| c.len()), Some(1)); } // Look up User IDs. for &userid in record.userids.into_iter() { t!("Checking that {} has User ID {:?}", record.fingerprint(), userid); let matches = pep.lookup_by_userid(&UserID::from(userid)) .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ record.fingerprint() ]); if let Ok(email) = UserIDQueryParams::is_email(userid) { t!("Checking that {} has email {:?}", record.fingerprint(), email); let matches = pep.lookup_by_email(&email) .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ record.fingerprint() ]); } } } // Look up by domain. t!("email domain"); let matches = pep.lookup_by_email_domain("fake.pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 33); let matches = pep.lookup_by_email_domain("@fake.pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 0); let matches = pep.lookup_by_email_domain("e.pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 0); let matches = pep.lookup_by_email_domain("pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 2); let matches = pep.lookup_by_email_domain("ageinghacker.net") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 3); // grep t!("Grepping"); let matches = pep.grep_email("pep.foundation") .unwrap_or(Vec::new()) .into_iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches.len(), 35); t!("TSKs"); let tsk_fpr = "EB4750A0B0A0F558ED5F768F8B893A26133B3F66" .parse::() .expect("valid"); let tsks = records.iter() .filter(|c| c.fingerprint() == tsk_fpr) .collect::>(); assert_eq!(tsks.len(), 1); let tsk_record = tsks.into_iter().next().expect("have one"); assert_eq!(tsk_record.fingerprint(), tsk_fpr); let tsks = pep.tsks() .map(|c| c.to_cert().expect("valid").clone()) .collect::>(); let matches = tsks .iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ tsk_record.fingerprint() ]); let tsk = tsks.into_iter().next().expect("have one"); t!("Updating the tsk"); let tsk_as_cert = tsk.clone().strip_secret_key_material(); pep.update(Arc::new(LazyCert::from(tsk_as_cert))) .expect("can update"); t!("Checking that the TSK is still a TSK"); let tsks = pep.tsks() .map(|c| c.to_cert().expect("valid").clone()) .collect::>(); let matches = tsks .iter() .map(|c| c.fingerprint()) .collect::>(); assert_eq!(matches, vec![ tsk_record.fingerprint() ]); let tsk_updated = tsks.into_iter().next().expect("have one"); assert_eq!(tsk, tsk_updated); Ok(()) } } sequoia-cert-store-0.6.0/src/store/userid_index.rs000064400000000000000000000253511046102023000203430ustar 00000000000000use std::collections::BTreeMap; use std::collections::BTreeSet; use std::collections::VecDeque; use std::str; use std::sync::RwLock; use std::sync::{RwLockReadGuard, RwLockWriteGuard}; use sequoia_openpgp as openpgp; use openpgp::Fingerprint; use openpgp::Result; use openpgp::packet::UserID; use crate::store::StoreError; use crate::store::UserIDQueryParams; use super::TRACE; /// A helper data structure for implementations of [`Store`]. /// /// This data structure maintains an in-memory index of User IDs and /// email addresses, and maps them to fingerprints. It is a /// convenient helper for a [`Store`] implementing /// [`Store::select_userid`]. /// /// [`Store`]: crate::Store /// [`Store::select_userid`]: crate::Store::select_userid /// /// This data structure returns certificates with a given User ID or /// email address in `O(log n)` time. Substring and case insensitive /// matching, however, currently requires `O(n)` time. pub struct UserIDIndex { inner: RwLock, } assert_send_and_sync!(UserIDIndex); pub(crate) struct UserIDIndexInner { by_userid: BTreeMap>, // The *normalized* email. // // XXX: As we also want to search by domain, it would be better to // use a different representation / different data structure to // avoid having to do a full scan. One possibility would be to // use a `BTreeMap::range`. That requires a bit of gymnastics. // Alternatively we could use a trie, which is keyed on (domain, // localpart). by_email: BTreeMap>, // Because extracting the email address is expensive, we wait // until a caller actually needs `by_email`. In particular, when // used in a one-shot context, `by_email` is not access at all. by_email_pending: VecDeque<(UserID, Fingerprint)>, } impl UserIDIndexInner { /// Inserts the given mapping. /// /// `email` is the canonicalized email address. If that hasn't /// been computed, hand in `None`, and it will be computed on /// demand. pub(crate) fn insert(&mut self, fp: Fingerprint, userid: UserID, email: Option) { if let Some(email) = email { self.by_email .entry(email) .or_default() .insert(fp.clone()); } else { self.by_email_pending .push_back((userid.clone(), fp.clone())); } self.by_userid .entry(userid) .or_default() .insert(fp); } } impl Default for UserIDIndex { fn default() -> Self { UserIDIndex { inner: RwLock::new(UserIDIndexInner { by_userid: Default::default(), by_email: Default::default(), by_email_pending: VecDeque::new(), }), } } } impl FromIterator<(Fingerprint, UserID, Option)> for UserIDIndex { fn from_iter)>>(iter: I) -> Self { let index = UserIDIndex::default(); let mut inner = index.inner.write().unwrap(); for (fp, userid, email) in iter { inner.insert(fp, userid, email); } drop(inner); index } } impl UserIDIndex { /// Returns a new, empty UserIDIndex. pub fn new() -> Self { Self::default() } /// Adds an entry to UserIDIndex. /// /// This does *not* support removing mappings from the index. /// That is, if this function is called with the same fingerprint, /// but a User ID is removed, then the User ID is not removed from /// the index. Normally, this doesn't matter as User IDs are not /// removed (certificates are append only data structures). pub fn insert(&mut self, fpr: &Fingerprint, userids: I) where I: Iterator { let mut inner = self.inner.write().unwrap(); for userid in userids { inner.by_userid .entry(userid.clone()) .or_default() .insert(fpr.clone()); inner.by_email_pending .push_back((userid, fpr.clone())); } } /// Executes any pending insertions. /// /// This needs to be called before accessing by_email. fn execute_pending_insertions(&self) -> RwLockReadGuard { loop { // First, check if we have anything to do. let inner = self.inner.read().unwrap(); if inner.by_email_pending.is_empty() { return inner; } drop(inner); // Looks like we do. Get the writer lock. let mut inner = self.inner.write().unwrap(); let mut pending = std::mem::take(&mut inner.by_email_pending); for (userid, fpr) in pending.drain(..) { if let Ok(Some(email)) = userid.email_normalized() { inner.by_email .entry(email) .or_default() .insert(fpr.clone()); } } // std::sync::RwLock doesn't implement downgrading a // writer lock to a reader lock, so we loop. drop(inner); } } /// An implementation of [`Store::select_userid`]. /// /// [`Store::select_userid`]: crate::Store::select_userid pub fn select_userid(&self, params: &UserIDQueryParams, pattern: &str) -> Result> { tracer!(TRACE, "UserIDIndex::select_userid"); t!("params: {:?}, pattern: {:?}", params, pattern); // XXX: If you change this function, // UserIDQueryParams::select_userid contains similar code. // Update that too. let mut matches = match params { UserIDQueryParams { anchor_start: true, anchor_end: true, email: false, ignore_case: false, } => { // Exact User ID match. let userid = UserID::from(pattern); let inner = self.inner.read().unwrap(); inner.by_userid.get(&userid) .ok_or_else(|| { StoreError::NoMatches(pattern.into()) })? .iter() .cloned() .collect() } UserIDQueryParams { anchor_start: true, anchor_end: true, email: true, ignore_case: false, } => { // Exact email match. let inner = self.execute_pending_insertions(); inner.by_email .get(pattern) .ok_or_else(|| { StoreError::NoMatches(pattern.into()) })? .iter() .cloned() .collect() } UserIDQueryParams { anchor_start, anchor_end, email, ignore_case, } => { // Substring search. let mut pattern = pattern; let _pattern; if *ignore_case { // Convert to lowercase without tailoring, // i.e. without taking any locale into account. // See: // // - https://www.w3.org/International/wiki/Case_folding // - https://doc.rust-lang.org/std/primitive.str.html#method.to_lowercase // - http://www.unicode.org/versions/Unicode7.0.0/ch03.pdf#G33992 _pattern = pattern.to_lowercase(); pattern = &_pattern[..]; } // Checks if user id a match. let check = |userid: &str| -> bool { let mut userid = userid; let _userid: String; if *ignore_case { _userid = userid.to_lowercase(); userid = &_userid[..]; } t!("Considering if {:?} matches {:?} \ (anchors: {}, {}, ignore case: {})", pattern, userid, anchor_start, anchor_end, ignore_case); // XXX: Consider using // https://crates.io/crates/memchr instead. if match (*anchor_start, *anchor_end) { (true, true) => userid == pattern, (true, false) => userid.starts_with(pattern), (false, true) => userid.ends_with(pattern), (false, false) => userid.contains(pattern), } { t!("*** {:?} matches {:?} (anchors: {}, {})", pattern, userid, *anchor_start, anchor_end); true } else { false } }; if *email { let inner = self.execute_pending_insertions(); inner.by_email .iter() .filter_map(|(email, matches)| { if check(email) { Some(matches.iter()) } else { None } }) .flatten() .cloned() .collect::>() } else { let inner = self.inner.read().unwrap(); inner.by_userid .iter() .filter_map(|(userid, matches)| { let userid = String::from_utf8_lossy(userid.value()); if check(&userid) { Some(matches.iter()) } else { None } }) .flatten() .cloned() .collect::>() } } }; if matches.is_empty() { return Err(StoreError::NoMatches(pattern.into()).into()); } matches.sort(); matches.dedup(); Ok(matches) } /// Returns a write-locked reference to the inner. /// /// Can be used to insert in bulk. pub(crate) fn inner_mut(&self) -> RwLockWriteGuard { self.inner.write().unwrap() } } sequoia-cert-store-0.6.0/src/store.rs000064400000000000000000001371521046102023000156640ustar 00000000000000use std::borrow::Cow; use std::str; use std::sync::Arc; use std::sync::atomic::AtomicUsize; use std::sync::atomic::Ordering; use anyhow::Context; use sequoia_openpgp as openpgp; use openpgp::Fingerprint; use openpgp::KeyHandle; use openpgp::Result; use openpgp::cert::Cert; use openpgp::cert::ValidCert; use openpgp::packet::UserID; pub use openpgp_cert_d; mod userid_index; pub use userid_index::UserIDIndex; pub mod certd; pub use certd::CertD; pub mod certs; pub use certs::Certs; // The keyserver backend is optional. #[cfg(feature = "keyserver")] pub mod keyserver; #[cfg(feature = "keyserver")] pub use keyserver::KeyServer; // If it is disabled, we swap in a dummy to reduce changes to the rest // of the code. pub mod no_keyserver; #[cfg(not(feature = "keyserver"))] use no_keyserver as keyserver; #[cfg(not(feature = "keyserver"))] pub(crate) use keyserver::KeyServer; pub mod pep; pub use pep::Pep; use super::TRACE; use crate::LazyCert; #[derive(Debug, Clone)] pub struct UserIDQueryParams { anchor_start: bool, anchor_end: bool, email: bool, ignore_case: bool, } assert_send_and_sync!(UserIDQueryParams); impl UserIDQueryParams { /// Returns a new `UserIDQueryParams`. /// /// By default, the query is configured to perform an exact match /// on the User ID. That is, the pattern must match the start and /// end of the User ID, and case is considered significant. pub fn new() -> Self { Self { anchor_start: true, anchor_end: true, email: false, ignore_case: false, } } /// Sets whether the pattern must match the start of the User ID /// or email address. pub fn set_anchor_start(&mut self, anchor_start: bool) -> &mut Self { self.anchor_start = anchor_start; self } /// Returns whether the pattern must match the start of the User /// ID or email address. pub fn anchor_start(&self) -> bool { self.anchor_start } /// Sets whether the pattern must match the end of the User /// ID or email address. pub fn set_anchor_end(&mut self, anchor_end: bool) -> &mut Self { self.anchor_end = anchor_end; self } /// Returns whether the pattern must match the end of the User /// ID or email address. pub fn anchor_end(&self) -> bool { self.anchor_end } /// Sets whether the pattern must match the User ID or the /// normalized email address. /// /// The email address to check the pattern against is extracted /// from the User ID using [`UserID::email_normalized`]. /// /// Note: the pattern is *not* normalized, even if the anchors are /// set. If you want to search by email address you need to /// normalize it your yourself. /// /// [`UserID::email_normalized`]: https://docs.rs/sequoia-openpgp/latest/sequoia_openpgp/packet/prelude/struct.UserID.html#method.email_normalized pub fn set_email(&mut self, email: bool) -> &mut Self { self.email = email; self } /// Returns whether the pattern must match the User ID or the /// normalized email address. /// /// See [`UserIDQueryParams::set_email`] for more details. pub fn email(&self) -> bool { self.email } /// Sets whether to ignore the case when matching the User ID or /// email address. /// /// Uses the empty local. /// /// When matching an email address, the domain is always matched /// in a case insensitive manner. The localpart, however, is /// matched in a case sensitive manner by default. pub fn set_ignore_case(&mut self, ignore_case: bool) -> &mut Self { self.ignore_case = ignore_case; self } /// Returns whether to ignore the case when matching the User ID /// or email address. /// /// See [`UserIDQueryParams::set_ignore_case`] for more details. pub fn ignore_case(&self) -> bool { self.ignore_case } /// Checks that the User ID satisfies the constraints. pub fn check(&self, userid: &UserID, pattern: &str) -> bool { tracer!(TRACE, "UserIDQueryParams::check"); // XXX: If you change this function, // UserIDIndex::select_userid contains similar code. Update // that too. match self { UserIDQueryParams { anchor_start: true, anchor_end: true, email: false, ignore_case: false, } => { // Exact User ID match. userid.value() == pattern.as_bytes() } UserIDQueryParams { anchor_start: true, anchor_end: true, email: true, ignore_case: false, } => { // Exact email match. if let Ok(Some(email)) = userid.email_normalized() { email == pattern } else { false } } UserIDQueryParams { anchor_start, anchor_end, email, ignore_case, } => { t!("Considering if {:?} matches {:?} \ (anchors: {}, {}, ignore case: {})", pattern, userid, anchor_start, anchor_end, ignore_case); // Substring search. let mut userid = if *email { if let Ok(Some(email)) = userid.email_normalized() { Cow::Owned(email) } else { t!("User ID does not contain a valid email address"); return false; } } else { String::from_utf8_lossy(userid.value()) }; if *ignore_case { userid = Cow::Owned(userid.to_lowercase()); } let mut pattern = pattern; let _pattern; if *ignore_case { // Convert to lowercase without tailoring, // i.e. without taking any locale into account. // See: // // - https://www.w3.org/International/wiki/Case_folding // - https://doc.rust-lang.org/std/primitive.str.html#method.to_lowercase // - http://www.unicode.org/versions/Unicode7.0.0/ch03.pdf#G33992 _pattern = pattern.to_lowercase(); pattern = &_pattern[..]; } if match (*anchor_start, *anchor_end) { (true, true) => userid == pattern, (true, false) => userid.starts_with(pattern), (false, true) => userid.ends_with(pattern), (false, false) => userid.contains(pattern), } { t!("*** {:?} matches {:?} (anchors: {}, {})", pattern, userid, *anchor_start, anchor_end); true } else { false } } } } /// Checks that at least one User ID satisfies the constraints. pub fn check_lazy_cert(&self, cert: &LazyCert, pattern: &str) -> bool { cert.userids().any(|userid| self.check(&userid, pattern)) } /// Checks that at least one User ID satisfies the constraints. pub fn check_cert(&self, cert: &Cert, pattern: &str) -> bool { cert.userids().any(|ua| self.check(ua.userid(), pattern)) } /// Checks that at least one User ID satisfies the constraints. pub fn check_valid_cert(&self, vc: &ValidCert, pattern: &str) -> bool { vc.userids().any(|ua| self.check(ua.userid(), pattern)) } /// Returns whether the supplied email address is actually a valid /// email address. /// /// If it is valid, returns the normalized email address. pub fn is_email(email: &str) -> Result { let email_check = UserID::from(format!("<{}>", email)); match email_check.email2() { Ok(Some(email_check)) => { if email != email_check { return Err(StoreError::InvalidEmail( email.to_string(), None).into()); } } Ok(None) => { return Err(StoreError::InvalidEmail( email.to_string(), None).into()); } Err(err) => { return Err(StoreError::InvalidEmail( email.to_string(), Some(err)).into()); } } match UserID::from(&email[..]).email_normalized() { Err(err) => { Err(StoreError::InvalidEmail( email.to_string(), Some(err)).into()) } Ok(None) => { Err(StoreError::InvalidEmail( email.to_string(), None).into()) } Ok(Some(email)) => { Ok(email) } } } /// Returns whether the supplied domain address is actually a /// valid domain for an email address. /// /// Returns the normalized domain. pub fn is_domain(domain: &str) -> Result { let localpart = "user@"; let email = format!("{}{}", localpart, domain); let email = Self::is_email(&email)?; // We get the normalized email address back. Chop off the // username and the @. assert!(email.starts_with(localpart)); Ok(email[localpart.len()..].to_string()) } } /// [`Store`] specific error codes. #[non_exhaustive] #[derive(thiserror::Error, Debug)] pub enum StoreError { /// No certificate was found. #[error("{0} was not found")] NotFound(KeyHandle), /// No certificate matches the search criteria. #[error("No certificates matched {0}")] NoMatches(String), /// The email address does not appear to be a valid email address. #[error("{0:?} does not appear to be a valid email address")] InvalidEmail(String, #[source] Option), } /// Status messages. /// /// Status messages sent by [`StatusListener::update`]. /// /// The transaction id allows messages to be grouped together. For /// instance, `LookupStarted` will return a new transaction id and /// further messages related to that lookup including `LookupFinished` /// and `LookupFailed` will use the same transaction id. #[non_exhaustive] #[derive(Debug)] pub enum StatusUpdate<'a, 'c> { /// Sent when a lookup is starting. /// /// usize is the transaction id. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what is being looked up. /// /// The last `&str` is a short human-readable message describing /// the look up. LookupStarted(usize, &'a str, &'a KeyHandle, Option<&'a str>), /// Sent while a lookup is on-going. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what was being looked up. /// /// The last `&str` is a short human-readable message describing /// something that happened, e.g., "WKD returned FPR", etc. LookupStatus(usize, &'a str, &'a KeyHandle, &'a str), /// Sent when a lookup has been successful. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what was being looked up. /// /// The certificates are the returned results. /// /// The last `&str` is a short human-readable message describing /// what happened, e.g., "found in cache", etc. LookupFinished(usize, &'a str, &'a KeyHandle, &'a [Arc>], Option<&'a str>), /// Sent when a lookup has failed. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// `KeyHandle` is what was being looked up. /// /// The error is the reason that the lookup failed. A backend /// should set this to `None` if no certificate was present. LookupFailed(usize, &'a str, &'a KeyHandle, Option<&'a anyhow::Error>), /// Sent when a search is started. /// /// usize is the transaction id. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The last `&str` is a short human-readable message describing /// what is being looked up. SearchStarted(usize, &'a str, &'a str, Option<&'a str>), /// Sent while a search is on-going. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The last `&str` is a short human-readable message describing /// something that happened, e.g., "WKD returned FPR", etc. SearchStatus(usize, &'a str, &'a str, &'a str), /// Sent when a search is successful. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The certificates are the returned results. /// /// The last `&str` is a short human-readable message describing /// what happened, e.g., "found in cache", "found 5 matching /// certificates", etc. SearchFinished(usize, &'a str, &'a str, &'a [Arc>], Option<&'a str>), /// Sent whenever something has been lookup successfully. /// /// usize is the transaction id. It will match the transaction id /// sent in the `LookupStart` message. /// /// The first `&str` is a short human-readable description of the /// backend. /// /// The second `&str` is the pattern being searched for. /// /// The error is the reason that the search failed. A backend /// should set this to `None` if no matching certificate was /// found. SearchFailed(usize, &'a str, &'a str, Option<&'a anyhow::Error>), } impl<'a, 'c> std::fmt::Display for StatusUpdate<'a, 'c> { fn fmt(&self, fmt: &mut std::fmt::Formatter<'_>) -> std::result::Result<(), std::fmt::Error> { use StatusUpdate::*; match self { LookupStarted(_tx, backend, kh, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Looking up {}: {}...", backend, kh, msg) } else { write!(fmt, "{}: Looking up {}...", backend, kh) } } LookupStatus(_tx, backend, kh, msg) => { write!(fmt, "{}: Looking up {}: {}", backend, kh, msg) } LookupFinished(_tx, backend, kh, results, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Looking up {}, returned {} results: {}", backend, kh, results.len(), msg) } else { write!(fmt, "{}: Looking up {}, returned {} results", backend, kh, results.len()) } } LookupFailed(_tx, backend, kh, err) => { if let Some(err) = err { write!(fmt, "{}: Looking up {}, failed: {}", backend, kh, err) } else { write!(fmt, "{}: Looking up {}, returned no results", backend, kh) } } SearchStarted(_tx, backend, pattern, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Searching for {:?}: {}...", backend, pattern, msg) } else { write!(fmt, "{}: Searching for {:?}...", backend, pattern) } } SearchStatus(_tx, backend, pattern, msg) => { write!(fmt, "{}: Searching for {:?}: {}", backend, pattern, msg) } SearchFinished(_tx, backend, pattern, results, msg) => { if let Some(msg) = msg { write!(fmt, "{}: Searching for {:?}, returned {} results: {}", backend, pattern, results.len(), msg) } else { write!(fmt, "{}: Searching for {:?}, returned {} results", backend, pattern, results.len()) } } SearchFailed(_tx, backend, pattern, err) => { if let Some(err) = err { write!(fmt, "{}: Searching for {:?} failed: {}", backend, pattern, err) } else { write!(fmt, "{}: Searching for {:?}, returned no results", backend, pattern) } } } } } /// A callback mechanism to indicate what a backend is doing. /// /// We use an enum instead of a separate function for each message so /// that a naive listener can just print each message to stdout. /// /// This is primarily interesting for backends like a keyserver. /// /// Currently, backends are not required to implement this trait. In /// fact [`KeyServer`] is the only backend that implements it. A /// caller can add a listener to a `KeyServer` using /// [`KeyServer::add_listener`]. pub trait StatusListener { /// A status update. fn update(&self, status: &StatusUpdate); } /// Returns certificates from a backing store. pub trait Store<'a> { /// Returns the certificates whose fingerprint matches the handle. /// /// Returns [`StoreError::NotFound`] if no certificate is found. /// /// The caller may assume that looking up a fingerprint returns at /// most one certificate. fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>>; /// Returns the certificate with the specified fingerprint, if any. /// /// Returns [`StoreError::NotFound`] if the certificate is not found. /// /// The default implementation is implemented in terms of /// [`Store::lookup_by_cert`]. fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { let kh = KeyHandle::from(fingerprint.clone()); self.lookup_by_cert(&kh) .and_then(|v| { assert!(v.len() <= 1, "Looking up {} returned multiple certificates: {}", fingerprint, v.iter() .map(|c| { c.fingerprint().to_string() }) .collect::>() .join(", ")); v.into_iter().next() .ok_or(StoreError::NotFound(kh).into()) }) } /// Returns certificates that have a key with the specified /// handle, if any. /// /// Returns [`StoreError::NotFound`] if no certificate is not found. /// /// Note: even if you pass a fingerprint, this may return multiple /// certificates as the same subkey may be attached to multiple /// certificates. fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>>; /// Returns certificates that have a User ID matching the /// specified pattern according to the query parameters. /// /// User IDs are interpreted as UTF-8 strings. If a user ID is /// not valid UTF-8, then it will be converted to UTF-8 in a lossy /// manner using the same semantics as /// [`String::from_utf8_lossy`]. /// /// This function returns all matching user IDs, even those that /// are not self signed. It's up to the caller to authenticate /// the returned user IDs. fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>>; /// Performs an exact match on the User ID. /// /// The pattern is anchored, and the match is case sensitive. /// /// The user ID is interpreted as a UTF-8 string. If the user ID /// is not valid UTF-8, then it will be converted to UTF-8 in a /// lossy manner using the same semantics as /// [`String::from_utf8_lossy`]. /// /// This function returns all matching user IDs, even those that /// are not self signed. It's up to the caller to authenticate /// the returned user IDs. fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { self.select_userid( &UserIDQueryParams::new() .set_email(false) .set_anchor_start(true) .set_anchor_end(true) .set_ignore_case(false), &String::from_utf8_lossy(userid.value())) } /// Performs a case insenitive, substring match on the User ID. /// /// The pattern is not anchored, and it is matched case /// insensitively. /// /// User IDs are interpreted as UTF-8 strings. If a user ID is /// not valid UTF-8, then it will be converted to UTF-8 in a lossy /// manner using the same semantics as /// [`String::from_utf8_lossy`]. /// /// This function returns all matching user IDs, even those that /// are not self signed. It's up to the caller to authenticate /// the returned user IDs. fn grep_userid(&self, pattern: &str) -> Result>>> { self.select_userid( &UserIDQueryParams::new() .set_email(false) .set_anchor_start(false) .set_anchor_end(false) .set_ignore_case(true), pattern) } /// Returns certificates that have a User ID with the specified /// email address. /// /// The pattern is interpreted as an email address. It is first /// normalized, and then matched against the normalized email /// address, it is anchored, and the match is case sensitive. /// /// User IDs are interpreted as UTF-8 strings. If a user ID is /// not valid UTF-8, then it will be converted to UTF-8 in a lossy /// manner using the same semantics as /// [`String::from_utf8_lossy`]. /// /// This function returns all matching user IDs, even those that /// are not self signed. It's up to the caller to authenticate /// the returned user IDs. fn lookup_by_email(&self, email: &str) -> Result>>> { let userid = crate::email_to_userid(&email)?; let email = userid.email_normalized()?.expect("have one"); self.select_userid( &UserIDQueryParams::new() .set_email(true) .set_anchor_start(true) .set_anchor_end(true) .set_ignore_case(false), &email) } /// Performs a case insenitive, substring match on the normalized /// email address. /// /// The pattern is matched against the normalized email address, /// it is not anchored, and it is matched case insensitively. The /// pattern itself is *not* normalized. /// /// User IDs are interpreted as UTF-8 strings. If a user ID is /// not valid UTF-8, then it will be converted to UTF-8 in a lossy /// manner using the same semantics as /// [`String::from_utf8_lossy`]. /// /// This function returns all matching user IDs, even those that /// are not self signed. It's up to the caller to authenticate /// the returned user IDs. fn grep_email(&self, pattern: &str) -> Result>>> { self.select_userid( &UserIDQueryParams::new() .set_email(true) .set_anchor_start(false) .set_anchor_end(false) .set_ignore_case(true), pattern) } /// Returns certificates that have User ID with an email address /// from the specified domain. /// /// The pattern is interpreted as a domain address. It is first /// normalized, and then matched against the normalized email /// address, it is anchored, and the match is case sensitive. /// /// `domain` must be a bare domain, like `example.org`; it should /// not start with an `@`. This does not match subdomains. That /// is, it will match `alice@foo.bar.com` when searching for /// `bar.com`. /// /// User IDs are interpreted as UTF-8 strings. If a user ID is /// not valid UTF-8, then it will be converted to UTF-8 in a lossy /// manner using the same semantics as /// [`String::from_utf8_lossy`]. /// /// This function returns all matching user IDs, even those that /// are not self signed. It's up to the caller to authenticate /// the returned user IDs. fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { let localpart = "localpart"; let email = format!("{}@{}", localpart, domain); let userid = crate::email_to_userid(&email)?; let email = userid.email_normalized()?.expect("have one"); let domain = &email[email.rfind('@').expect("have an @")..]; self.select_userid( &UserIDQueryParams::new() .set_email(true) .set_anchor_start(false) .set_anchor_end(true) .set_ignore_case(false), domain) } /// Lists all of the certificates. /// /// If a backend is not able to enumerate all the certificates, /// then it should return those that it knows about. For /// instance, some keyservers allow certificates to be looked up /// by fingerprint, but not to enumerate all of the certificates. /// Thus, a user must not assume that if a certificate is not /// returned by this function, it cannot be found by name. fn fingerprints<'b>(&'b self) -> Box + 'b>; /// Returns all of the certificates. /// /// The default implementation is implemented in terms of /// [`Store::fingerprints`] and [`Store::lookup_by_cert_fpr`]. Many backends /// will be able to do this more efficiently. fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { Box::new(self.fingerprints() .filter_map(|fpr| { self.lookup_by_cert_fpr(&fpr).ok() })) } /// Prefills the cache. /// /// Prefilling the cache makes sense when you plan to examine most /// certificates. It doesn't make sense if you are just /// authenticating a single or a few bindings. /// /// This function may be multi-threaded. /// /// Errors should be silently ignored and propagated when the /// operation in question is executed directly. fn prefetch_all(&self) { } /// Prefetches some certificates. /// /// Prefilling the cache makes sense when you plan to examine some /// certificates in the near future. /// /// This interface is useful as it allows batching, which may be /// more efficient, especially when the certificates are accessed /// over the network. And, the function may be multi-threaded. /// /// Errors should be silently ignored and propagated when the /// operation in question is executed directly. fn prefetch_some(&self, certs: &[KeyHandle]) { let _ = certs; } } // The references in Store need a different lifetime from the contents // of the Box. Otherwise, a `Backend` that is a `&Box` would // create a self referential data structure. impl<'a: 't, 't, T> Store<'a> for Box where T: Store<'a> + ?Sized + 't { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { self.as_ref().lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { self.as_ref().lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { self.as_ref().lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { self.as_ref().select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { self.as_ref().lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { self.as_ref().grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { self.as_ref().lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { self.as_ref().grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { self.as_ref().lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { self.as_ref().fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { self.as_ref().certs() } fn prefetch_all(&self) { self.as_ref().prefetch_all() } fn prefetch_some(&self, certs: &[KeyHandle]) { self.as_ref().prefetch_some(certs) } } impl<'a: 't, 't, T> Store<'a> for &'t T where T: Store<'a> + ?Sized { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { (*self).lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { (*self).lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { (*self).lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { (*self).select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { (*self).lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { (*self).grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { (*self).lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { (*self).grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { (*self).lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { (*self).fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { (*self).certs() } } impl<'a: 't, 't, T> Store<'a> for &'t mut T where T: Store<'a> + ?Sized { fn lookup_by_cert(&self, kh: &KeyHandle) -> Result>>> { (**self).lookup_by_cert(kh) } fn lookup_by_cert_fpr(&self, fingerprint: &Fingerprint) -> Result>> { (**self).lookup_by_cert_fpr(fingerprint) } fn lookup_by_cert_or_subkey(&self, kh: &KeyHandle) -> Result>>> { (**self).lookup_by_cert_or_subkey(kh) } fn select_userid(&self, query: &UserIDQueryParams, pattern: &str) -> Result>>> { (**self).select_userid(query, pattern) } fn lookup_by_userid(&self, userid: &UserID) -> Result>>> { (**self).lookup_by_userid(userid) } fn grep_userid(&self, pattern: &str) -> Result>>> { (**self).grep_userid(pattern) } fn lookup_by_email(&self, email: &str) -> Result>>> { (**self).lookup_by_email(email) } fn grep_email(&self, pattern: &str) -> Result>>> { (**self).grep_email(pattern) } fn lookup_by_email_domain(&self, domain: &str) -> Result>>> { (**self).lookup_by_email_domain(domain) } fn fingerprints<'b>(&'b self) -> Box + 'b> { (**self).fingerprints() } fn certs<'b>(&'b self) -> Box>> + 'b> where 'a: 'b { (**self).certs() } fn prefetch_all(&self) { (**self).prefetch_all() } fn prefetch_some(&self, certs: &[KeyHandle]) { (**self).prefetch_some(certs) } } /// Merges two certificates. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. pub trait MergeCerts<'a> { /// Merges two certificates. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. /// /// The default implementation merges the two certificates using /// [`Cert::merge_public`]. This means that any secret key /// material in `disk` is preserved, any secret key material in /// `new` is ignored, and unhashed subpacket areas are merged. /// /// Note: `self` is a normal reference, not a mutable reference. /// This means that the underlying implementation has to use /// interior mutability. The advantage is that multiple threads /// can have a reference to the store, and update it in parallel. fn merge_public<'b>(&self, new: Arc>, disk: Option>>) -> Result>> { if let Some(disk) = disk { let merged = disk.to_cert()?.clone() .merge_public(new.to_cert()?.clone())?; Ok(Arc::new(LazyCert::from(merged))) } else { if new.is_tsk() { Ok(Arc::new(LazyCert::from(new.to_cert()?.clone() .strip_secret_key_material()))) } else { Ok(new) } } } } impl<'a> MergeCerts<'a> for () { } /// Provides an interface to update a backing store. pub trait StoreUpdate<'a>: Store<'a> { /// Insert a certificate. /// /// This uses the default implementation of [`MergeCerts`] to /// merge the certificate with any existing certificate. /// /// Note: `self` is a normal reference, not a mutable reference. /// This means that the underlying implementation has to use /// interior mutability. The advantage is that multiple threads /// can have a reference to the store, and update it in parallel. fn update(&self, cert: Arc>) -> Result<()> { self.update_by(cert, &mut ())?; Ok(()) } /// Inserts a certificate into the store. /// /// Inserts a certificate into the store and uses `merge_strategy` /// to merge it with the existing certificate, if any. /// /// Unless there is an error, you must call `merge_strategy`. /// This is the case even if the certificate is not on the /// backend. In that case, you must pass `None` for the on-disk /// version. This allows `merge_strategy` to generate statistics, /// and to modify the certificate before it is saved, e.g., by /// stripping third-party certifications. /// /// To use the default merge strategy, either call /// [`StoreUpdate::update`] directly, or pass `&mut ()`. /// /// Note: `self` and `merge_strategy` are normal references, not a /// mutable reference. This means that the underlying /// implementation has to use interior mutability. The advantage /// is that multiple threads can have a reference to the store, /// and update it in parallel. fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>>; } impl<'a: 't, 't, T> StoreUpdate<'a> for Box where T: StoreUpdate<'a> + ?Sized + 't { fn update(&self, cert: Arc>) -> Result<()> { self.as_ref().update(cert) } fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { self.as_ref().update_by(cert, merge_strategy) } } impl<'a: 't, 't, T> StoreUpdate<'a> for &'t T where T: StoreUpdate<'a> + ?Sized { fn update(&self, cert: Arc>) -> Result<()> { (*self).update(cert) } fn update_by(&self, cert: Arc>, merge_strategy: &dyn MergeCerts<'a>) -> Result>> { (*self).update_by(cert, merge_strategy) } } /// Merges two certificates and collects statistics. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. #[derive(Debug)] #[non_exhaustive] pub struct MergePublicCollectStats { /// Number of new certificates. new_certs: AtomicUsize, /// Number of unchanged certificates. /// /// Note: there may be false negative. That is some certificates /// may be unchanged, but the heuristic thinks that they have been /// updated. unchanged_certs: AtomicUsize, /// Number of update certificates. updated_certs: AtomicUsize, /// Number of errors. errors: AtomicUsize, } assert_send_and_sync!(MergePublicCollectStats); impl MergePublicCollectStats { /// Returns a new `MergePublicCollectStats` with all stats set to 0. pub fn new() -> Self { Self { new_certs: AtomicUsize::new(0), unchanged_certs: AtomicUsize::new(0), updated_certs: AtomicUsize::new(0), errors: AtomicUsize::new(0), } } /// Returns the number of new certificates. pub fn new_certs(&self) -> usize { self.new_certs.load(Ordering::Relaxed) } /// Returns the number of unchanged certificates. pub fn unchanged_certs(&self) -> usize { self.unchanged_certs.load(Ordering::Relaxed) } /// Returns the number of updated certificates. pub fn updated_certs(&self) -> usize { self.updated_certs.load(Ordering::Relaxed) } /// Returns the number of errors. pub fn errors(&self) -> usize { self.errors.load(Ordering::Relaxed) } /// Increments the number of new certificates by 1. pub fn inc_new_certs(&self) { self.new_certs.fetch_add(1, Ordering::Relaxed); } /// Increments the number of unchanged certificates by 1. pub fn inc_unchanged_certs(&self) { self.unchanged_certs.fetch_add(1, Ordering::Relaxed); } /// Increments the number of updated certificates by 1. pub fn inc_updated_certs(&self) { self.updated_certs.fetch_add(1, Ordering::Relaxed); } /// Increments the number of errors by 1. pub fn inc_errors(&self) { self.errors.fetch_add(1, Ordering::Relaxed); } } impl<'a> MergeCerts<'a> for MergePublicCollectStats { /// Merges two certificates. /// /// This is primarily useful as the `merge_strategy` callback to /// [`StoreUpdate::update_by`]. /// /// This implementation has the same merge semantics as the /// default implementation, but it also updates the statistics in /// `self`. /// /// # Examples /// /// ```rust /// use std::any::Any; /// use std::sync::Arc; /// /// use sequoia_openpgp as openpgp; /// # use openpgp::Result; /// use openpgp::cert::prelude::*; /// use openpgp::parse::Parse; /// /// use sequoia_cert_store as cert_store; /// use cert_store::CertStore; /// use cert_store::LazyCert; /// use cert_store::store::MergePublicCollectStats; /// use cert_store::store::StoreUpdate; /// /// # fn main() -> Result<()> { /// let (cert, _rev) = CertBuilder::new().generate()?; /// /// let mut certs = CertStore::empty(); /// /// let mut stats = MergePublicCollectStats::new(); /// /// certs.update_by(Arc::new(LazyCert::from(cert)), &mut stats) /// .expect("valid"); /// /// assert_eq!(stats.new_certs(), 1); /// # Ok(()) } /// ``` fn merge_public<'b, 'rb>(&self, new: Arc>, disk: Option>>) -> Result>> { let disk = if let Some(disk) = disk { disk } else { self.inc_new_certs(); if new.is_tsk() { return Ok(Arc::new(LazyCert::from( new.to_cert()?.clone().strip_secret_key_material()))) } else { return Ok(new); } }; let fpr = new.fingerprint(); let disk = disk.to_cert() .with_context(|| { format!("Parsing {} as returned from the cert directory", fpr) })? .clone(); let new = new.to_cert() .with_context(|| { format!("Parsing {} as being inserted into \ the cert directory", fpr) })? .clone(); if disk == new { self.inc_unchanged_certs(); Ok(Arc::new(LazyCert::from(new))) } else { // If the on-disk version has secrets, we preserve them. // If new has secrets, we ignore them. match disk.clone().merge_public(new) { Ok(merged) => { if merged == disk { self.inc_unchanged_certs(); } else { self.inc_updated_certs(); } Ok(Arc::new(LazyCert::from(merged))) } Err(err) => { self.inc_errors(); Err(err.into()) } } } } } #[cfg(test)] mod tests { use super::*; use crate::store; // Make sure we can pass a &Box where a generic type // needs to implement Store. #[test] fn store_boxed() -> Result<()> { struct Foo<'a, B> where B: Store<'a> { backend: B, _a: std::marker::PhantomData<&'a ()>, } impl<'a, B> Foo<'a, B> where B: Store<'a> { fn new(backend: B) -> Self { Foo { backend, _a: std::marker::PhantomData, } } fn count(&self) -> usize { self.backend.certs().count() } } let backend = store::Certs::empty(); let backend: Box = Box::new(backend); let foo = Foo::new(&backend); // Do something (anything) with the backend. assert_eq!(foo.count(), 0); Ok(()) } // Make sure we can pass a &Box where a generic type // needs to implement Store. #[test] fn store_update_boxed() -> Result<()> { struct Foo<'a, B> where B: StoreUpdate<'a> { backend: B, _a: std::marker::PhantomData<&'a ()>, } impl<'a, B> Foo<'a, B> where B: StoreUpdate<'a> { fn new(backend: B) -> Self { Foo { backend, _a: std::marker::PhantomData, } } fn count(&self) -> usize { self.backend.certs().count() } } let backend = store::Certs::empty(); let backend: Box = Box::new(backend); let foo = Foo::new(&backend); // Do something (anything) with the backend. assert_eq!(foo.count(), 0); Ok(()) } #[test] fn is_email() { assert!(UserIDQueryParams::is_email("foo@domain.com").is_ok()); // Need a local part. assert!(UserIDQueryParams::is_email("@domain.com").is_err()); // Need a domain. assert!(UserIDQueryParams::is_email("foo@").is_err()); // One @ assert!(UserIDQueryParams::is_email("foo").is_err()); assert!(UserIDQueryParams::is_email("foo@@domain.com").is_err()); assert!(UserIDQueryParams::is_email("foo@a@domain.com").is_err()); // Bare email address, not wrapped in angle brackets. assert!(UserIDQueryParams::is_email("").is_err()); // Whitespace is not allowed. assert!(UserIDQueryParams::is_email(" foo@domain.com").is_err()); assert!(UserIDQueryParams::is_email("foo o@domain.com").is_err()); assert!(UserIDQueryParams::is_email("foo@do main.com").is_err()); assert!(UserIDQueryParams::is_email("foo@domain.com ").is_err()); } #[test] fn is_domain() { assert!(UserIDQueryParams::is_domain("domain.com").is_ok()); // No at. assert!(UserIDQueryParams::is_domain("foo").is_ok()); assert!(UserIDQueryParams::is_domain("@domain.com").is_err()); assert!(UserIDQueryParams::is_domain("foo@").is_err()); assert!(UserIDQueryParams::is_domain("foo@@domain.com").is_err()); assert!(UserIDQueryParams::is_domain("foo@a@domain.com").is_err()); assert!(UserIDQueryParams::is_domain("").is_err()); } include!("../tests/keyring.rs"); // Check that MergePublicCollectStats works as advertised. #[test] fn store_update_merge_public_collect_stats() { use std::collections::HashSet; use openpgp::Cert; use openpgp::parse::Parse; use crate::CertStore; use crate::store::MergePublicCollectStats; let certs = CertStore::empty(); let mut stats = MergePublicCollectStats::new(); let mut seen = HashSet::new(); for (i, cert) in keyring::certs.iter().enumerate() { let cert = Cert::from_bytes(&cert.bytes()).expect("valid"); let fpr = cert.fingerprint(); seen.insert(fpr.clone()); certs.update_by(Arc::new(LazyCert::from(cert)), &mut stats) .expect("valid"); eprintln!("After inserting {} ({}), stats: {:?}", i, fpr, stats); assert_eq!(stats.new_certs(), seen.len()); assert_eq!(stats.new_certs() + stats.updated_certs() + stats.unchanged_certs(), i + 1); } let new = stats.new_certs(); let updated = stats.updated_certs(); let unchanged = stats.unchanged_certs(); // Insert again. This time nothing should change. for (i, cert) in keyring::certs.iter().enumerate() { let cert = Cert::from_bytes(&cert.bytes()).expect("valid"); let fpr = cert.fingerprint(); certs.update_by(Arc::new(LazyCert::from(cert)), &mut stats) .expect("valid"); eprintln!("After reinserting {} ({}), stats: {:?}", i, fpr, stats); // These should not change: assert_eq!(stats.new_certs(), new); // Update should also not change, but there may be false // positives. assert_eq!(stats.unchanged_certs() + stats.updated_certs(), updated + unchanged + i + 1); } } } sequoia-cert-store-0.6.0/tests/Makefile000064400000000000000000000006411046102023000161650ustar 00000000000000certs = data/alice.pgp \ data/alice2.pgp \ data/alice2-adopted-alice.pgp \ data/bob.pgp \ data/carol.pgp \ data/david.pgp \ data/ed.pgp \ data/halfling-signing.pgp \ data/halfling-encryption.pgp \ data/hans-puny-code.pgp \ data/una.pgp \ data/peter.pgp \ data/steve.pgp keyring.rs keyring.pgp: $(certs) cert2rust.sh ./cert2rust.sh $(certs) > keyring.rs sq toolbox keyring merge $(certs) > keyring.pgp sequoia-cert-store-0.6.0/tests/cert2rust.sh000075500000000000000000000046601046102023000170260ustar 00000000000000#! /bin/bash set -e echo "#[allow(non_upper_case_globals, dead_code)] mod keyring { use std::path::Path; use anyhow::Result; use sequoia_openpgp as openpgp; use openpgp::parse::Parse; pub struct Cert { pub filename: &'static str, pub base: &'static str, pub fingerprint: &'static str, pub subkeys: &'static [&'static str], pub userids: &'static [&'static str], } impl Cert { pub fn bytes(&self) -> Vec { let filename = Path::new(env!(\"CARGO_MANIFEST_DIR\")) .join(\"tests\") .join(self.filename); std::fs::read(filename).expect(\"exists\") } pub fn to_cert(&self) -> Result { openpgp::Cert::from_bytes(&self.bytes()) } } " for file in "$@" "EOF!" do base=${file%-priv.pgp} base=${base%.pgp} base=${base#*/} base=$(echo $base | sed 's/-/_/g') echo "FILE:$file:$base" if test "x$file" != "xEOF!" then sq toolbox packet dump "$file" fi done | awk -F '[ \t]*:[ \t]*' ' BEGIN { # Initialize the arrays. delete certs[0]; delete fprs[0]; delete userids[0]; print " pub const certs: &[Cert] = &[" } END { print " ];" for (i = 0; i < length(certs) - 1; i ++) { print " pub const "certs[i]": &Cert = &certs["i"];"; } } $1 ~ /^FILE$/ { # Print the pending record. if (length(fprs) > 0) { print " // "base print " Cert {" print " filename: \""file"\"," print " base: \""base"\"," print " fingerprint: \""fprs[0]"\"," print " subkeys: &["; for(i = 1; i < length(fprs); i ++) { print " \""fprs[i]"\"," } print " ],"; print " userids: &["; for(i = 0; i < length(userids); i ++) { print " \""userids[i]"\"," } print " ]," print " }," } # Reinitialize the state. delete fprs; delete userids; # Make sure the arrays are interrupted as arrays and not scalars # (need for length(fprs). delete fprs[0]; delete userids[0]; file=$2; base=$3; certs[length(certs)] = base; } $1 ~ /^ *Fingerprint$/ { fprs[length(fprs)] = $2; } $1 ~ /^ *Value$/ { userids[length(userids)] = $2; } ' echo "} // mod keyring" sequoia-cert-store-0.6.0/tests/data/README.md000064400000000000000000000126021046102023000167150ustar 00000000000000The certificates: ``` $ { for i in $(ls -1 *.pgp | grep -v -- -priv.pgp | sort); do echo; echo "- $i:"; sq inspect $i; done | grep -E '^- |Fingerprint|Key flags|Subkey|UserID'; } 2>/dev/null - alice2-adopted-alice.pgp: Fingerprint: 23CFE49D4BB7A0AA83619C147E716FFE77DF170A Key flags: certification Subkey: 662F03FC47C05D070B53A93AD5A5048A71CD012A Key flags: signing Subkey: 5989D7BE9908AE24799DF6CFBE678043781349F1 Key flags: transport encryption, data-at-rest encryption UserID: UserID: - alice2.pgp: Fingerprint: 23CFE49D4BB7A0AA83619C147E716FFE77DF170A Key flags: certification UserID: UserID: - alice.pgp: Fingerprint: 30505BCEB7403A1BBFA9DBF0BFBE63567B4BA57A Key flags: certification Subkey: 662F03FC47C05D070B53A93AD5A5048A71CD012A Key flags: signing Subkey: A6D92948A7ADEB809F04202F1CF1943DFE153D1E Key flags: authentication Subkey: 5989D7BE9908AE24799DF6CFBE678043781349F1 Key flags: transport encryption, data-at-rest encryption UserID: UserID: - bob.pgp: Fingerprint: 9994DBF9D34E88E2A21D0CE8E79C9395A1004BB0 Key flags: certification Subkey: 7E01441CBF6FAB5C4AB457E2FBD6F5322354B331 Key flags: authentication UserID: - carol.pgp: Fingerprint: E9C6EFC0E39CE6F9DF5274E7E362D45C7FF7B654 Key flags: certification Subkey: CD22D4BD99FF10FDA11A83D4213DCB92C95346CE Key flags: authentication UserID: UserID: - david.pgp: Fingerprint: A82BC944220BD5EBECC4D42883F74A0EAC207446 Key flags: certification Subkey: DF674FBAC52E00F0E6E48436481D2E18158FB594 Key flags: authentication Subkey: CD22D4BD99FF10FDA11A83D4213DCB92C95346CE UserID: - ed.pgp: Fingerprint: 0C346B2B6241263F64E9C7CF1EA300797258A74E Key flags: certification Subkey: 0C346B2B6241263F64E9C7CF1EA300797258A74E Key flags: certification UserID: - halfling-encryption.pgp: Fingerprint: D58E047C05D115EA4F3D1A98A67A733127BBE804 Key flags: certification Subkey: 69669E91C8D5C546D442FB246FE6D4751AC09E15 Key flags: authentication Subkey: CC4EFA3BFAB8E92A54CDEA3F3DC7543293DD4E53 Key flags: transport encryption, data-at-rest encryption UserID: UserID: Halfling - halfling-signing.pgp: Fingerprint: D58E047C05D115EA4F3D1A98A67A733127BBE804 Key flags: certification Subkey: 69669E91C8D5C546D442FB246FE6D4751AC09E15 Key flags: authentication Subkey: 9DCDA2A95A17B728D6A5115EFF5C6582E4D14B68 Key flags: signing UserID: UserID: Halfling - hans-puny-code.pgp: Fingerprint: F6675D0E4DA40823715C4811B89491F07D08E4F8 Key flags: certification Subkey: 3F60EA0AEBC13E290939A080DB1F5F11C17CB2D4 Key flags: signing UserID: Hans - peter.pgp: Fingerprint: 692E359EFB0BE115373F6CEAD5D8BA16C805A81F Key flags: certification Subkey: 69D325E20DA4D404279A6534A6DE34867DE8927E Key flags: authentication Subkey: 62D2D97F00DF96D2DFED85F98CE4FE6BD01282DE Key flags: signing Subkey: DBEF1760AA2631194301E60F485BDDEF4BD2AD9A Key flags: transport encryption, data-at-rest encryption UserID: Dad UserID: Peter - steve.pgp: Fingerprint: 217E256E176719A5452EDFF935AADEC66B56585B Key flags: certification Subkey: 32C5820540308752B7092EE5B596B656FD8F700B Key flags: signing UserID: Steve - una.pgp: Fingerprint: 119B01460659D8EF3732BEC271424ADE3EC61BBC Key flags: certification Subkey: EE58C32E3D2336F223BD89CED0BE447BF39B439F Key flags: signing UserID: Una ``` alice: A normal certificate with two User IDs. Shares one with alice. alice2: A normal certificate with two User IDs. Shares one with alice. alice2-adopted-alice: alice2, but adopts the signing and encryption subkeys from alice. (Note: does *not* adopt the authentication subkey.) bob: A normal certificate with two User IDs. carol: A normal certificate with two User IDs. david: A normal certificate, but with a copy of one of carol's subkeys (CD22D4BD99FF10FDA11A83D4213DCB92C95346CE). That is, the subkey is appended to david's certificate, but there is no binding signature. ed: An unusual certificate: his primary key is also a subkey on his certificate! halfling: Two versions of the same certificate. Both have the same authentication subkey, one has a signing subkey, the other an encryption subkey. Likewise, both have one User ID in common (regis@pup.com) and a second User ID ('Halfling ' and 'Halfling ', respectively). hans: A certificate with an email address that uses puny code. peter: A certificate with a user ID that has a third-party certification from Una, but is not self signed. steve: A certificate with an email address for a subdomain of `sub.company.com`. una: A certificate with an email address for the domain `company.com`. sequoia-cert-store-0.6.0/tests/data/alice-priv.pgp000064400000000000000000000051251046102023000202030ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 3050 5BCE B740 3A1B BFA9 DBF0 BFBE 6356 7B4B A57A Comment: Comment: xVgEY+UZ6hYJKwYBBAHaRw8BAQdApx8xAVNjcUkGW31wZ6Q9vu3nyxJWtXmHZv3s fNltYBAAAQDsK+BQsRsLPvAIHJu3C+BKXcHM8mT1IjaM8DWG+nzGUxBLwsALBB8W CgB9BYJj5RnqAwsJBwkQv75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jnva4FJbJxx7sK7X3dhFq2wNvcZsFejb7GQ3lC8VLAYgoD FQoIApsBAh4BFiEEMFBbzrdAOhu/qdvwv75jVntLpXoAAP5cAQD061B+gQ3jEOpw 6Q/wjnDozuYsGzLHBFWEFVi/IbItLwD/TWIPqi8u+rg6izg5FyWKUKmOM4aQJ1Vf 197wsnS4owbNEzxhbGljZUBiZWlzcGllbC5kZT7CwAsEExYKAH0FgmPlGeoDCwkH CRC/vmNWe0ulekcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdH+TPK9LgWpgPdmdKdauHGsYnmmqULgjFaoKg1gCusNwMVCggCmwECHgEWIQQw UFvOt0A6G7+p2/C/vmNWe0ulegAAeYEBALQonPFqr7aboFpg0XJYDP87Yj/p2pdQ r/Esmfq6B+3rAP0VuZjSj3jGQdhANQEajzgt+jPiBdHiXYyg1EL3bYJ8Cc0TPGFs aWNlQGV4YW1wbGUub3JnPsLADgQTFgoAgAWCY+UZ6gMLCQcJEL++Y1Z7S6V6RxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6VXkc72cU7i9Ybj ZAE/9tKUTWlrkjezQ4RNMjCAFjW5AxUKCAKZAQKbAQIeARYhBDBQW863QDobv6nb 8L++Y1Z7S6V6AAC0swEAjcl5uncoHJJq3TDFd9djxobft/sG1fRfDZkCbnSDSaEA /Rjc4Q1eMgz1cM8W2wqvbdgdlFVr7kzTkdrsKUaN9ZoIx1gEY+UZ6hYJKwYBBAHa Rw8BAQdA7Xh768P0ELWKVha7jvlrf96N6bK8+ISBFSWBwQeTLakAAQCtqQCQsy1s v2FYdJMNdYhSWii805Yl5cC3A0IYgnrnpw8dwsC/BBgWCgExBYJj5RnqCRC/vmNW e0ulekcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdtYYQ1 1XlNWLv9gxhoTYet69Lh8X77HOWBpzAdtJBmXwKbAr6gBBkWCgBvBYJj5RnqCRDV pQSKcc0BKkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdQ lNFzuInCVzUbKl51HCYaZFdTs2LNrQh8L9q/1owAWhYhBGYvA/xHwF0HC1OpOtWl BIpxzQEqAADLjAD/QUyfRGsEP2hWDBpFpCtUdGfP6A1jeKQn+9Xw9DtxbKQA/3R4 DWT92tQVKhxACYZ0fwonKES3O/LoXUNlAiopk3oHFiEEMFBbzrdAOhu/qdvwv75j VntLpXoAAApDAP0aJdpJydTAcca0k3PXSbkesKGt6FzRX2FfaVYsF344PgEA53Wg I0BP1JaXYVluRw/e810Cs6WU1mfx8+es89IjMg/HWARj5RnqFgkrBgEEAdpHDwEB B0D5ukYoevx2XvwlWHTFXAwCOan5xlwnfSGOMQ1zfxvZNwAA/iWeus2V/ORnJWtL uI/494HqbfeN0iqt8No362LvB4bvFPPCwAAEGBYKAHIFgmPlGeoJEL++Y1Z7S6V6 RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+lcv7W/p/Na pcQEogXqYyBZMz8ravDhJf05LAAF5taFApsgFiEEMFBbzrdAOhu/qdvwv75jVntL pXoAABJ9AQCWbnMz/xaOEjnPVOGDL+zL24fn0p0hsaeoqg3vi5fWxwD8CLVImAhu tMIo5RVprJMPtvB/HYohbEzKhGfPnjDGjALHXQRj5RnqEgorBgEEAZdVAQUBAQdA Znn93nJMi4jDuZCRv4apwCIdKrm/NZbCy0wnDX7MEwgDAQgHAAD/WLQhnzGd2f++ ac/vRlm+/e4+FNeEjUhR0szxsnYg3CgTTMLAAAQYFgoAcgWCY+UZ6gkQv75jVntL pXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jny+Hpckkt MWCWN9rhA2ojDCEHFohdcAL/OqZVDI4A7dQCmwwWIQQwUFvOt0A6G7+p2/C/vmNW e0ulegAAAfwBAI57hRdq6yb6HQLiH1zd4VuKvqCwpHPvNgtniyN8iWKwAQCSHyAV X0P3g8IpYr9kGrcaOJlZBL7lGacyWnqO5X8rAA== =fTyc -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/alice.pgp000064400000000000000000000046101046102023000172230ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 3050 5BCE B740 3A1B BFA9 DBF0 BFBE 6356 7B4B A57A Comment: Comment: xjMEY+UZ6hYJKwYBBAHaRw8BAQdApx8xAVNjcUkGW31wZ6Q9vu3nyxJWtXmHZv3s fNltYBDCwAsEHxYKAH0FgmPlGeoDCwkHCRC/vmNWe0ulekcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcme9rgUlsnHHuwrtfd2EWrbA29xmwV6N vsZDeULxUsBiCgMVCggCmwECHgEWIQQwUFvOt0A6G7+p2/C/vmNWe0ulegAA/lwB APTrUH6BDeMQ6nDpD/COcOjO5iwbMscEVYQVWL8hsi0vAP9NYg+qLy76uDqLODkX JYpQqY4zhpAnVV/X3vCydLijBs0TPGFsaWNlQGJlaXNwaWVsLmRlPsLACwQTFgoA fQWCY+UZ6gMLCQcJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ0f5M8r0uBamA92Z0p1q4caxieaapQuCMVqgqDWAK6w3AxUK CAKbAQIeARYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAB5gQEAtCic8WqvtpugWmDR clgM/ztiP+nal1Cv8SyZ+roH7esA/RW5mNKPeMZB2EA1ARqPOC36M+IF0eJdjKDU QvdtgnwJzRM8YWxpY2VAZXhhbXBsZS5vcmc+wsAOBBMWCgCABYJj5RnqAwsJBwkQ v75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn pVeRzvZxTuL1huNkAT/20pRNaWuSN7NDhE0yMIAWNbkDFQoIApkBApsBAh4BFiEE MFBbzrdAOhu/qdvwv75jVntLpXoAALSzAQCNyXm6dygckmrdMMV312PGht+3+wbV 9F8NmQJudINJoQD9GNzhDV4yDPVwzxbbCq9t2B2UVWvuTNOR2uwpRo31mgjOMwRj 5RnqFgkrBgEEAdpHDwEBB0DteHvrw/QQtYpWFruO+Wt/3o3psrz4hIEVJYHBB5Mt qcLAvwQYFgoBMQWCY+UZ6gkQv75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlv bnMuc2VxdW9pYS1wZ3Aub3JnbWGENdV5TVi7/YMYaE2HrevS4fF++xzlgacwHbSQ Zl8CmwK+oAQZFgoAbwWCY+UZ6gkQ1aUEinHNASpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnUJTRc7iJwlc1GypedRwmGmRXU7Niza0IfC/a v9aMAFoWIQRmLwP8R8BdBwtTqTrVpQSKcc0BKgAAy4wA/0FMn0RrBD9oVgwaRaQr VHRnz+gNY3ikJ/vV8PQ7cWykAP90eA1k/drUFSocQAmGdH8KJyhEtzvy6F1DZQIq KZN6BxYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAAKQwD9GiXaScnUwHHGtJNz10m5 HrChrehc0V9hX2lWLBd+OD4BAOd1oCNAT9SWl2FZbkcP3vNdArOllNZn8fPnrPPS IzIPzjMEY+UZ6hYJKwYBBAHaRw8BAQdA+bpGKHr8dl78JVh0xVwMAjmp+cZcJ30h jjENc38b2TfCwAAEGBYKAHIFgmPlGeoJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+lcv7W/p/NapcQEogXqYyBZMz8ravDh Jf05LAAF5taFApsgFiEEMFBbzrdAOhu/qdvwv75jVntLpXoAABJ9AQCWbnMz/xaO EjnPVOGDL+zL24fn0p0hsaeoqg3vi5fWxwD8CLVImAhutMIo5RVprJMPtvB/HYoh bEzKhGfPnjDGjALOOARj5RnqEgorBgEEAZdVAQUBAQdAZnn93nJMi4jDuZCRv4ap wCIdKrm/NZbCy0wnDX7MEwgDAQgHwsAABBgWCgByBYJj5RnqCRC/vmNWe0ulekcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfL4elySS0xYJY3 2uEDaiMMIQcWiF1wAv86plUMjgDt1AKbDBYhBDBQW863QDobv6nb8L++Y1Z7S6V6 AAAB/AEAjnuFF2rrJvodAuIfXN3hW4q+oLCkc+82C2eLI3yJYrABAJIfIBVfQ/eD wiliv2Qatxo4mVkEvuUZpzJaeo7lfysA =BY+x -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/alice2-adopted-alice-priv.pgp000064400000000000000000000043151046102023000227560ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xVgEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vMAAP9zhzAUmgRsXfq0k+HAauIoMJZolK3EM2kI5CsiIsAniw+WwsALBB8W CgB9BYJj5RobAwsJBwkQfnFv/nffFwpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JncVBBE88Gk0KMiijn6+D2YEwnUHeM/zg0vALIwDl2RrQD FQoIApsBAh4BFiEEI8/knUu3oKqDYZwUfnFv/nffFwoAAOMlAP9D/ZD6KFO8d1TB Ki2nvKSmm/RwX6aVPDEVS0uPu9iMtwD/QhVzSsD6wzcd80Ula9IDT+C7yEZ2CMpc IeiIA2WGQwjNEzxhbGljZUBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGhsDCwkH CRB+cW/+d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdoocXr9PuRzwDItT2MITA36GIBcBfqXedZAbR7P5nqLgMVCggCmQECmwECHgEW IQQjz+SdS7egqoNhnBR+cW/+d98XCgAAqY0BALITDqYhnN3dLZlK3ybrImivQ83D b17zs/FaDBU8rM7MAPsEPi8BtIDh3sgcsjn600t0hlEszveHHFQgoMnuYc3jBM0R PGFsaWNlQHZlcmVpbi5kZT7CwAsEExYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmckJt7Ocdb1SmQu A6weRYznf4bioouOY5+r/FSgtpPc+wMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+ cW/+d98XCgAA9hUBAPQK/vysGLQwjN0dZD2WILPlzbt7qn6VGc9hDCHNPsUDAP4k CdMGyA0acViE1AIc5Twwn3sEPIXJihzjfsUyuk2FDcdYBGPlGeoWCSsGAQQB2kcP AQEHQO14e+vD9BC1ilYWu475a3/ejemyvPiEgRUlgcEHky2pAAEArakAkLMtbL9h WHSTDXWIUloovNOWJeXAtwNCGIJ656cPHcLAvwQYFgoBMQWCY+UagAkQfnFv/nff FwpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnqMoVP0Pd Oi25d/qc8ueT5jt9aF33lxjSugNbcEQ4a4wCmwK+oAQZFgoAbwWCY+UavAkQ1aUE inHNASpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnRoBN k8e87zbsqsgeb64KBZIzl9XnTskLml6gFmtRn6wWIQRmLwP8R8BdBwtTqTrVpQSK cc0BKgAAu0oA/0JDvSmuSOijhvPXMy8g0hX0MjiamfiVNTrk5P1PcnLfAPwNzR12 KvEokeqJ+kbZsl9T1qVqMMfR2/dFEjMPc6atChYhBCPP5J1Lt6Cqg2GcFH5xb/53 3xcKAAAdJQD+OZbuEBjzGBetUP8CPeqyckDWZQCe0dCNw6BBp9JUcAsBAKyVZINQ Q4xRXEaSr/j3yEXXeLAktweByQ9rq75bMTECx10EY+UZ6hIKKwYBBAGXVQEFAQEH QGZ5/d5yTIuIw7mQkb+GqcAiHSq5vzWWwstMJw1+zBMIAwEIBwAA/1i0IZ8xndn/ vmnP70ZZvv3uPhTXhI1IUdLM8bJ2INwoE0zCwAAEGBYKAHIFgmPlGoAJEH5xb/53 3xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZzKM37Ew uBHlB0dJ4Ljo9MIUDIEaVEFyJ+l+659sYwQsApsMFiEEI8/knUu3oKqDYZwUfnFv /nffFwoAANJrAP0aUjgxFCD789m2w0nAry0SA5JlLjuxWOJ42ziWEYAYUgEAzJwW RDgabsLC7VZ+v+TZ7wEh0JhGk6dX2lbH0v1apwE= =Qflk -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/alice2-adopted-alice.pgp000064400000000000000000000040651046102023000220020ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vPCwAsEHxYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdxUEETzwaTQoyKKOfr4PZgTCdQd4z/ ODS8AsjAOXZGtAMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAA4yUA /0P9kPooU7x3VMEqLae8pKab9HBfppU8MRVLS4+72Iy3AP9CFXNKwPrDNx3zRSVr 0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFsaWNlQGV4YW1wbGUub3JnPsLADgQTFgoA gAWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1PYwhMDfoYgFwF+pd51kBtHs/meouAxUK CAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAACpjQEAshMOpiGc3d0t mUrfJusiaK9DzcNvXvOz8VoMFTyszswA+wQ+LwG0gOHeyByyOfrTS3SGUSzO94cc VCCgye5hzeMEzRE8YWxpY2VAdmVyZWluLmRlPsLACwQTFgoAfQWCY+UaGwMLCQcJ EH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y ZyQm3s5x1vVKZC4DrB5FjOd/huKii45jn6v8VKC2k9z7AxUKCAKbAQIeARYhBCPP 5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA9Ar+/KwYtDCM3R1kPZYgs+XNu3uqfpUZ z2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzlPDCfewQ8hcmKHON+xTK6TYUNzjMEY+UZ 6hYJKwYBBAHaRw8BAQdA7Xh768P0ELWKVha7jvlrf96N6bK8+ISBFSWBwQeTLanC wL8EGBYKATEFgmPlGoAJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ6jKFT9D3TotuXf6nPLnk+Y7fWhd95cY0roDW3BEOGuM ApsCvqAEGRYKAG8FgmPlGrwJENWlBIpxzQEqRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZ0aATZPHvO827KrIHm+uCgWSM5fV507JC5peoBZr UZ+sFiEEZi8D/EfAXQcLU6k61aUEinHNASoAALtKAP9CQ70prkjoo4bz1zMvINIV 9DI4mpn4lTU65OT9T3Jy3wD8Dc0ddirxKJHqifpG2bJfU9alajDH0dv3RRIzD3Om rQoWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAAHSUA/jmW7hAY8xgXrVD/Aj3qsnJA 1mUAntHQjcOgQafSVHALAQCslWSDUEOMUVxGkq/498hF13iwJLcHgckPa6u+WzEx As44BGPlGeoSCisGAQQBl1UBBQEBB0Bmef3eckyLiMO5kJG/hqnAIh0qub81lsLL TCcNfswTCAMBCAfCwAAEGBYKAHIFgmPlGoAJEH5xb/533xcKRxQAAAAAAB4AIHNh bHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZzKM37EwuBHlB0dJ4Ljo9MIUDIEa VEFyJ+l+659sYwQsApsMFiEEI8/knUu3oKqDYZwUfnFv/nffFwoAANJrAP0aUjgx FCD789m2w0nAry0SA5JlLjuxWOJ42ziWEYAYUgEAzJwWRDgabsLC7VZ+v+TZ7wEh 0JhGk6dX2lbH0v1apwE= =teyh -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/alice2-priv.pgp000064400000000000000000000023011046102023000202560ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xVgEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vMAAP9zhzAUmgRsXfq0k+HAauIoMJZolK3EM2kI5CsiIsAniw+WwsALBB8W CgB9BYJj5RobAwsJBwkQfnFv/nffFwpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JncVBBE88Gk0KMiijn6+D2YEwnUHeM/zg0vALIwDl2RrQD FQoIApsBAh4BFiEEI8/knUu3oKqDYZwUfnFv/nffFwoAAOMlAP9D/ZD6KFO8d1TB Ki2nvKSmm/RwX6aVPDEVS0uPu9iMtwD/QhVzSsD6wzcd80Ula9IDT+C7yEZ2CMpc IeiIA2WGQwjNEzxhbGljZUBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGhsDCwkH CRB+cW/+d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdoocXr9PuRzwDItT2MITA36GIBcBfqXedZAbR7P5nqLgMVCggCmQECmwECHgEW IQQjz+SdS7egqoNhnBR+cW/+d98XCgAAqY0BALITDqYhnN3dLZlK3ybrImivQ83D b17zs/FaDBU8rM7MAPsEPi8BtIDh3sgcsjn600t0hlEszveHHFQgoMnuYc3jBM0R PGFsaWNlQHZlcmVpbi5kZT7CwAsEExYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmckJt7Ocdb1SmQu A6weRYznf4bioouOY5+r/FSgtpPc+wMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+ cW/+d98XCgAA9hUBAPQK/vysGLQwjN0dZD2WILPlzbt7qn6VGc9hDCHNPsUDAP4k CdMGyA0acViE1AIc5Twwn3sEPIXJihzjfsUyuk2FDQ== =gFrK -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/alice2.pgp000064400000000000000000000022121046102023000173010ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 23CF E49D 4BB7 A0AA 8361 9C14 7E71 6FFE 77DF 170A Comment: Comment: xjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+gE3eN9Sewy6RIwvaHi2OEIDB7fQr6 pram3vPCwAsEHxYKAH0FgmPlGhsDCwkHCRB+cW/+d98XCkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdxUEETzwaTQoyKKOfr4PZgTCdQd4z/ ODS8AsjAOXZGtAMVCggCmwECHgEWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAA4yUA /0P9kPooU7x3VMEqLae8pKab9HBfppU8MRVLS4+72Iy3AP9CFXNKwPrDNx3zRSVr 0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFsaWNlQGV4YW1wbGUub3JnPsLADgQTFgoA gAWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1PYwhMDfoYgFwF+pd51kBtHs/meouAxUK CAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAACpjQEAshMOpiGc3d0t mUrfJusiaK9DzcNvXvOz8VoMFTyszswA+wQ+LwG0gOHeyByyOfrTS3SGUSzO94cc VCCgye5hzeMEzRE8YWxpY2VAdmVyZWluLmRlPsLACwQTFgoAfQWCY+UaGwMLCQcJ EH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y ZyQm3s5x1vVKZC4DrB5FjOd/huKii45jn6v8VKC2k9z7AxUKCAKbAQIeARYhBCPP 5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA9Ar+/KwYtDCM3R1kPZYgs+XNu3uqfpUZ z2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzlPDCfewQ8hcmKHON+xTK6TYUN =YlOd -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/bob-priv.pgp000064400000000000000000000023611046102023000176670ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 9994 DBF9 D34E 88E2 A21D 0CE8 E79C 9395 A100 4BB0 Comment: xVgEY+UatRYJKwYBBAHaRw8BAQdAQIdC7Mtji2y/IXhu8JCxu1G0qqYTgr49Bdj8 snAIEM8AAQCfCfQG/hHyGgmqdj4+UgZp+vloXbyCYj8D42Gex98QCA5ewsALBB8W CgB9BYJj5Rq1AwsJBwkQ55yTlaEAS7BHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jn7D3pLAHwD1YR/1SDpvqqikIW/jpemK0r8zWs/l/3DdUD FQoIApsBAh4BFiEEmZTb+dNOiOKiHQzo55yTlaEAS7AAAPV6AQDhSfx5nt+3MJyo 7B52cukyqIOnoqCYGWo+4t828i9XaAEAx2jWVjseyux9vdanQYlrLdgHsAx0B4tJ ogMFSR6XRwjNETxib2JAZXhhbXBsZS5vcmc+wsAOBBMWCgCABYJj5Rq1AwsJBwkQ 55yTlaEAS7BHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn bfF/2XNAdjk1Z4tNpf8fjcymgy+YqdjnN0x32eHY/k0DFQoIApkBApsBAh4BFiEE mZTb+dNOiOKiHQzo55yTlaEAS7AAAI8xAQCUN00BU9dDjLwlBK4IyF/UBjOXxAR+ +/vMa/HG7n3HHAD5Aa3gipNh3e/ebxKxU6nUel0/UWWc9c4/gTm+uQEQFAvHWARj 5Rq1FgkrBgEEAdpHDwEBB0CCpHHKZeveaGq/F/p022nymMdI3AuvaxqA0AR8avec TwAA/16FbccP13iBXOXTbvnujSBR2XdVR/24wXn/jX85yzEMEoPCwAAEGBYKAHIF gmPlGrUJEOeck5WhAEuwRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEt cGdwLm9yZ5os3w7f5+o4HuUxBV2h63k5B43y/CMMuZ273JSDTn7ZApsgFiEEmZTb +dNOiOKiHQzo55yTlaEAS7AAACSnAQDdhmWSrUA+k1fugEjo5Z6qZ2CRHAdMs0ou 70ih530UIgD+IphnO+r+t4vmL38Q5axtrveDaT5/CaObmyWdGpPnJgA= =t/bH -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/bob.pgp000064400000000000000000000022121046102023000167040ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 9994 DBF9 D34E 88E2 A21D 0CE8 E79C 9395 A100 4BB0 Comment: xjMEY+UatRYJKwYBBAHaRw8BAQdAQIdC7Mtji2y/IXhu8JCxu1G0qqYTgr49Bdj8 snAIEM/CwAsEHxYKAH0FgmPlGrUDCwkHCRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfsPeksAfAPVhH/VIOm+qqKQhb+Ol6Y rSvzNaz+X/cN1QMVCggCmwECHgEWIQSZlNv5006I4qIdDOjnnJOVoQBLsAAA9XoB AOFJ/Hme37cwnKjsHnZy6TKog6eioJgZaj7i3zbyL1doAQDHaNZWOx7K7H291qdB iWst2AewDHQHi0miAwVJHpdHCM0RPGJvYkBleGFtcGxlLm9yZz7CwA4EExYKAIAF gmPlGrUDCwkHCRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmdt8X/Zc0B2OTVni02l/x+NzKaDL5ip2Oc3THfZ4dj+TQMVCggC mQECmwECHgEWIQSZlNv5006I4qIdDOjnnJOVoQBLsAAAjzEBAJQ3TQFT10OMvCUE rgjIX9QGM5fEBH77+8xr8cbufcccAPkBreCKk2Hd795vErFTqdR6XT9RZZz1zj+B Ob65ARAUC84zBGPlGrUWCSsGAQQB2kcPAQEHQIKkccpl695oar8X+nTbafKYx0jc C69rGoDQBHxq95xPwsAABBgWCgByBYJj5Rq1CRDnnJOVoQBLsEcUAAAAAAAeACBz YWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeaLN8O3+fqOB7lMQVdoet5OQeN 8vwjDLmdu9yUg05+2QKbIBYhBJmU2/nTTojioh0M6Oeck5WhAEuwAAAkpwEA3YZl kq1APpNX7oBI6OWeqmdgkRwHTLNKLu9Ioed9FCIA/iKYZzvq/reL5i9/EOWsba73 g2k+fwmjm5slnRqT5yYA =Td4n -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/carol-priv.pgp000064400000000000000000000030741046102023000202270ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: E9C6 EFC0 E39C E6F9 DF52 74E7 E362 D45C 7FF7 B654 Comment: Comment: xVgEY+Ua1hYJKwYBBAHaRw8BAQdAY65xupenq6zarpL8+IP4ET8SMHNc2uB5lyRk SkP9o7MAAP96LHgnISslAvTOZmzOKS0ht2NaL6mTXhcJrbZPk/QM+A4qwsALBB8W CgB9BYJj5RrWAwsJBwkQ42LUXH/3tlRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JntxsJyG6tZauXoqu4wDrfT47CuTSEhcZGU50batT3ybUD FQoIApsBAh4BFiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAAPElAP41eTwyyOfcsuHT rFbj3HiWH0KlVONvhUHQMJwKYwzGzgD7BHMzoL1/nVJyaLvUe/REk7bBEloWyWMb HYB+CqT+Zw7NEDxjYXJvbEBjbHViLm9yZz7CwA4EExYKAIAFgmPlGtYDCwkHCRDj YtRcf/e2VEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcB Mlo76iLhVDgLJ277jEun5W2LaQAUV8oTStIxVQ22QAMVCggCmQECmwECHgEWIQTp xu/A45zm+d9SdOfjYtRcf/e2VAAAODUBAOVX3lR6yBsA17Io99wqBExrThnBZP+u hYplpK64E+JwAQDTid1PU54Go8KtN23T39ucl996t3VsIMRVFFqdqhC/Cc0RPGNh cm9sQHZlcmVpbi5kZT7CwAsEExYKAH0FgmPlGtYDCwkHCRDjYtRcf/e2VEcUAAAA AAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfPf6EmtFTrqcqACSnG Zh0/hfvNau9XtWDwMALA524ExAMVCggCmwECHgEWIQTpxu/A45zm+d9SdOfjYtRc f/e2VAAAUXwBAK/EgWyclBzKPzfBtfwphRtLzAEiHDsKXzNyLsreeotbAQDxc4Oq PIG0N71AIBdaQC/l8PRD6WpkyUWPHOhcU9ONAMdYBGPlGtYWCSsGAQQB2kcPAQEH QIO0pe9j/3u853twGgG1CVK3g9SytDdw/i94umEExMbcAAD+OqsXOsky+0KUALOK d0X6bXElePGMHjYUySwNNt4fkZ8OuMLAAAQYFgoAcgWCY+Ua1gkQ42LUXH/3tlRH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnlKNI5wDCnCTp jVDFKO5eSYqxhk0fCNg8Jk2dqnvukt8CmyAWIQTpxu/A45zm+d9SdOfjYtRcf/e2 VAAA1QUA/2EUWkTsVcQsFOs2jqnH5TYYk8dS8ytGEGT4CDnh3h7VAQDXfTW3rRDI MA0aKgKzAtabfE1TIfmq++9ok2NVY6VmCA== =9u3W -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/carol.pgp000064400000000000000000000027241046102023000172520ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: E9C6 EFC0 E39C E6F9 DF52 74E7 E362 D45C 7FF7 B654 Comment: Comment: xjMEY+Ua1hYJKwYBBAHaRw8BAQdAY65xupenq6zarpL8+IP4ET8SMHNc2uB5lyRk SkP9o7PCwAsEHxYKAH0FgmPlGtYDCwkHCRDjYtRcf/e2VEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcme3GwnIbq1lq5eiq7jAOt9PjsK5NISF xkZTnRtq1PfJtQMVCggCmwECHgEWIQTpxu/A45zm+d9SdOfjYtRcf/e2VAAA8SUA /jV5PDLI59yy4dOsVuPceJYfQqVU42+FQdAwnApjDMbOAPsEczOgvX+dUnJou9R7 9ESTtsESWhbJYxsdgH4KpP5nDs0QPGNhcm9sQGNsdWIub3JnPsLADgQTFgoAgAWC Y+Ua1gMLCQcJEONi1Fx/97ZURxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVv aWEtcGdwLm9yZwEyWjvqIuFUOAsnbvuMS6flbYtpABRXyhNK0jFVDbZAAxUKCAKZ AQKbAQIeARYhBOnG78DjnOb531J05+Ni1Fx/97ZUAAA4NQEA5VfeVHrIGwDXsij3 3CoETGtOGcFk/66FimWkrrgT4nABANOJ3U9Tngajwq03bdPf25yX33q3dWwgxFUU Wp2qEL8JzRE8Y2Fyb2xAdmVyZWluLmRlPsLACwQTFgoAfQWCY+Ua1gMLCQcJEONi 1Fx/97ZURxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ89/ oSa0VOupyoAJKcZmHT+F+81q71e1YPAwAsDnbgTEAxUKCAKbAQIeARYhBOnG78Dj nOb531J05+Ni1Fx/97ZUAABRfAEAr8SBbJyUHMo/N8G1/CmFG0vMASIcOwpfM3Iu yt56i1sBAPFzg6o8gbQ3vUAgF1pAL+Xw9EPpamTJRY8c6FxT040AzjMEY+Ua1hYJ KwYBBAHaRw8BAQdAg7Sl72P/e7zne3AaAbUJUreD1LK0N3D+L3i6YQTExtzCwAAE GBYKAHIFgmPlGtYJEONi1Fx/97ZURxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ5SjSOcAwpwk6Y1QxSjuXkmKsYZNHwjYPCZNnap77pLfApsg FiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAANUFAP9hFFpE7FXELBTrNo6px+U2GJPH UvMrRhBk+Ag54d4e1QEA1301t60QyDANGioCswLWm3xNUyH5qvvvaJNjVWOlZgg= =EKJk -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/david-priv.pgp000064400000000000000000000023671046102023000202220ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: A82B C944 220B D5EB ECC4 D428 83F7 4A0E AC20 7446 Comment: xVgEY+Ua5hYJKwYBBAHaRw8BAQdAXAh2K8fjAUO0OgzlDev4uNbX5BGK3Esw4/0J XI1JyzoAAQDkIRWTuiPoOD7sBdGWVpou8lTmj8QQ4a9Szkr2QgacrxBxwsALBB8W CgB9BYJj5RrmAwsJBwkQg/dKDqwgdEZHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnaQnCtjdzUum2zN5rDlJ5oAubbIlB22DQi9u3RCozk2ID FQoIApsBAh4BFiEEqCvJRCIL1evsxNQog/dKDqwgdEYAADcHAQC+pct6ehrApldr muFXouCHhgNJY/kluxb1Sm86nbOMBgD/WB1z2zyClo/ih/C4W2lID9/DyiES0Qxx HyTtnVKkBQjNEzxkYXZpZEBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGuYDCwkH CRCD90oOrCB0RkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmcpieSeQNbpWGyU3MABKsAQsYerarlIivPGeZEeWiaitQMVCggCmQECmwECHgEW IQSoK8lEIgvV6+zE1CiD90oOrCB0RgAAfyEBAJPHJI7fgqwKbNRNxQkX9MiB3cRF 3E/PUPzG5j5s9OPuAQClPa4DMSU+eq6R2eKhqRnvVXu0xhjq9X5YSCZNItgkD8dY BGPlGuYWCSsGAQQB2kcPAQEHQEcWx/3XYvqCV2gZckVmuswudsq9SJLCGxqOC39Q UpGlAAEA7hA6/QxuHZ+v0wWaXqoAiMJEGVjQbteS3HyfrOJgFFgPjMLAAAQYFgoA cgWCY+Ua5gkQg/dKDqwgdEZHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnXiZfmH9Jd4GM1HP00xfTTv6MYOlIEdNjDvq8wAM1GDkCmyAWIQSo K8lEIgvV6+zE1CiD90oOrCB0RgAAO8YA/1ZbLxcWywe3Jusa1qlXMOlg45BpYKwS wwDXOL2luG8SAPwK69yqLy9ScYsAEL4OhmDL7yM1Uilj6dqj5wf5J2c2Dw== =jWEy -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/david.pgp000064400000000000000000000022001046102023000172260ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY+Ua5hYJKwYBBAHaRw8BAQdAXAh2K8fjAUO0OgzlDev4uNbX5BGK3Esw4/0J XI1JyzrCwAsEHxYKAH0FgmPlGuYDCwkHCRCD90oOrCB0RkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdpCcK2N3NS6bbM3msOUnmgC5tsiUHb YNCL27dEKjOTYgMVCggCmwECHgEWIQSoK8lEIgvV6+zE1CiD90oOrCB0RgAANwcB AL6ly3p6GsCmV2ua4Vei4IeGA0lj+SW7FvVKbzqds4wGAP9YHXPbPIKWj+KH8Lhb aUgP38PKIRLRDHEfJO2dUqQFCM0TPGRhdmlkQGV4YW1wbGUub3JnPsLADgQTFgoA gAWCY+Ua5gMLCQcJEIP3Sg6sIHRGRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZymJ5J5A1ulYbJTcwAEqwBCxh6tquUiK88Z5kR5aJqK1AxUK CAKZAQKbAQIeARYhBKgryUQiC9Xr7MTUKIP3Sg6sIHRGAAB/IQEAk8ckjt+CrAps 1E3FCRf0yIHdxEXcT89Q/MbmPmz04+4BAKU9rgMxJT56rpHZ4qGpGe9Ve7TGGOr1 flhIJk0i2CQPzjMEY+Ua5hYJKwYBBAHaRw8BAQdARxbH/ddi+oJXaBlyRWa6zC52 yr1IksIbGo4Lf1BSkaXCwAAEGBYKAHIFgmPlGuYJEIP3Sg6sIHRGRxQAAAAAAB4A IHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ14mX5h/SXeBjNRz9NMX007+ jGDpSBHTYw76vMADNRg5ApsgFiEEqCvJRCIL1evsxNQog/dKDqwgdEYAADvGAP9W Wy8XFssHtybrGtapVzDpYOOQaWCsEsMA1zi9pbhvEgD8Cuvcqi8vUnGLABC+DoZg y+8jNVIpY+nao+cH+SdnNg/OMwRj5RrWFgkrBgEEAdpHDwEBB0CDtKXvY/97vOd7 cBoBtQlSt4PUsrQ3cP4veLphBMTG3A== =qvwl -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/ed-priv.pgp000064400000000000000000000015771046102023000175250ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 0C34 6B2B 6241 263F 64E9 C7CF 1EA3 0079 7258 A74E Comment: xVgEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9GlRVnuTclWR3NJHksXjREY3cH JDyH1voAAQDORtejD38d+8iWdYv3M63QpoyPL/L3+TvN3SbXnUJphBK6wsARBB8W CgCDBYJj6KT0BYkFpI+9AwsJBwkQHqMAeXJYp05HFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3Jnh7+35183eD+a3pvIXkdz7DCCR2ISYaxyaHOD 3WtribIDFQoIApsBAh4BFiEEDDRrK2JBJj9k6cfPHqMAeXJYp04AAJ26AP4ovN3U DSrlm7jGTB+tf8JMdwgcQcUKgnoDBuMJvkLccwEAoRtHRXNH+sYHURU/jahToikJ Zfgzh8sf+uCiL5szGQrNEDxlZEBleGFtcGxlLm9yZz7CwBQEExYKAIYFgmPopPQF iQWkj70DCwkHCRAeowB5clinTkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmfyK5UQkGketo/v4NZTwsJ0zVJ3ELy8grkWl8XLxGytqAMVCggC mQECmwECHgEWIQQMNGsrYkEmP2Tpx88eowB5clinTgAAfqYA/R9/VwnlCaLf3t5I /xVwdg1Ts0YfyV03/A4o2hPFGcOtAP4j0mlIKP819VEtQOR0bGQJoefzbjRRpXPB muVIbumoDA== =rB7Y -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/ed.pgp000064400000000000000000000026351046102023000165430ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 0C34 6B2B 6241 263F 64E9 C7CF 1EA3 0079 7258 A74E Comment: xjMEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9GlRVnuTclWR3NJHksXjREY3cH JDyH1vrCwBEEHxYKAIMFgmPopPQFiQWkj70DCwkHCRAeowB5clinTkcUAAAAAAAe ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeHv7fnXzd4P5rem8heR3Ps MIJHYhJhrHJoc4Pda2uJsgMVCggCmwECHgEWIQQMNGsrYkEmP2Tpx88eowB5clin TgAAnboA/ii83dQNKuWbuMZMH61/wkx3CBxBxQqCegMG4wm+QtxzAQChG0dFc0f6 xgdRFT+NqFOiKQll+DOHyx/64KIvmzMZCs0QPGVkQGV4YW1wbGUub3JnPsLAFAQT FgoAhgWCY+ik9AWJBaSPvQMLCQcJEB6jAHlyWKdORxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZ/IrlRCQaR62j+/g1lPCwnTNUncQvLyCuRaX xcvEbK2oAxUKCAKZAQKbAQIeARYhBAw0aytiQSY/ZOnHzx6jAHlyWKdOAAB+pgD9 H39XCeUJot/e3kj/FXB2DVOzRh/JXTf8DijaE8UZw60A/iPSaUgo/zX1US1A5HRs ZAmh5/NuNFGlc8Ga5Uhu6agMzjMEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9G lRVnuTclWR3NJHksXjREY3cHJDyH1vrCwL8EGBYKATEFgmPopZYJEB6jAHlyWKdO RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2DwGaTs9JDD fiZEnYLt1gnn9Y1BPath3jMWJVieWnMiApsBvqAEGRYKAG8FgmPopZYJEB6jAHly WKdORxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZykmDJ78 rKWJ5keAV7xA/cXU/fILUT42Pl4hKER8n+dpFiEEDDRrK2JBJj9k6cfPHqMAeXJY p04AAFWuAQCgRxcn47GVYgjnCTtM2nR65cDP2tD8Asi17yTK9B4hQQD+NeIuSbjw nJZ20Lc775PN966+4yvmw0yIcqy78W6/qgYWIQQMNGsrYkEmP2Tpx88eowB5clin TgAAHtcA/1Z6hgFz6HduwMGO8pU1UdZOHN9tyof10as2/77QvadlAQCx5HBD+d5P NkOu/RHHPp5w26LRENwzmeWxF7/WwAulAw== =h26d -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/halfling-encryption.pgp000064400000000000000000000033151046102023000221230ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC 3W7Si6vCwAsEHxYKAH0FgmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdPYAQhUEP91O1VnH3HoKmNbyxdQj3b 9oC2B/UsIp4yAQMVCggCmwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAA/tEA /ArkGemMlBvohv/fimDmlg2zkt/Nw5oM2okjWJHphji4AP94j9uSMI3GAEoOLaxI kus5vG90Ud7/qVLpWj+9ychXCM0PPHJlZ2lzQHB1cC5jb20+wsALBBMWCgB9BYJj /y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnGsjX3qd44eMJYm2mbl8MwYPkxEXNI19YCMKg2sveytoDFQoIApsB Ah4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAEtPAQC/ah2Y+9ZEASbXJi+qU/+o vdDlZlLe6ebEhXSC+IbQBwEA9yls7wgOdo/Hd2ObuBZ4yVsYl3mWWiyaHEiBUWaj dAvNIkhhbGZsaW5nIDxlbmNyeXB0aW9uQGhhbGZsaW5nLm9yZz7CwAsEExYKAH0F gmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmcSil+Zw+IntviqsJbeZxDhvtQYNpnCz9ZFvRN21TFxdAMVCggC mwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAh0EA/0ByKwDxhH+/vv1M5RbO og3XIVwZHNcvMAgeP3xc8cv8AQCj8NuNWA69IqmIL6wA3fk2sA8+vsaPeiv5V663 p0FWDM4zBGP/LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4 VqDnXdVfPw6zwsAABBgWCgByBYJj/y4jCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmf9Zi+LJShZF85Q891p2IEzeanqA2l4 3XJl5/Rb/qRaIgKbIBYhBNWOBHwF0RXqTz0amKZ6czEnu+gEAAAgeQEA7Q8yHq28 RY3PAcSTDua7ggtz3G9DFcsE6fUQNWu47vYBAI+IYKsqLqQM6HKyNhQOAAxQy9mK eL+hrmAeQPam+e0MzjgEY/8uIxIKKwYBBAGXVQEFAQEHQCVvNNnL1FUU6TCMyUPF e1jUiulQT/zau/KV4KPofFYnAwEIB8LAAAQYFgoAcgWCY/8uIwkQpnpzMSe76ARH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnYZaiMhnJCms6 gTancmz+JeZeLV2cZ3S13gA1nOQMckICmwwWIQTVjgR8BdEV6k89GpimenMxJ7vo BAAAJsAA/AnJSCYRCloktWNPvfOUszKy4+R7CZ/IAIiCniCk/hIGAP9uf6mJIpnb /bIcfuDmUm5aWgAVUE+FpvNIjY9+mjoNAQ== =98QG -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/halfling-priv.pgp000064400000000000000000000057321046102023000207160ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: D58E 047C 05D1 15EA 4F3D 1A98 A67A 7331 27BB E804 Comment: Comment: Halfling Comment: Halfling xVgEY/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC 3W7Si6sAAQDpLGjeWahSE6psgYSmz7OTAisgRPTCas0HZDlHJrVZQw54wsALBB8W CgB9BYJj/y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnT2AEIVBD/dTtVZx9x6CpjW8sXUI92/aAtgf1LCKeMgED FQoIApsBAh4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAP7RAPwK5BnpjJQb6Ib/ 34pg5pYNs5LfzcOaDNqJI1iR6YY4uAD/eI/bkjCNxgBKDi2sSJLrObxvdFHe/6lS 6Vo/vcnIVwjNDzxyZWdpc0BwdXAuY29tPsLACwQTFgoAfQWCY/8uIwMLCQcJEKZ6 czEnu+gERxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZxrI 196neOHjCWJtpm5fDMGD5MRFzSNfWAjCoNrL3sraAxUKCAKbAQIeARYhBNWOBHwF 0RXqTz0amKZ6czEnu+gEAABLTwEAv2odmPvWRAEm1yYvqlP/qL3Q5WZS3unmxIV0 gviG0AcBAPcpbO8IDnaPx3djm7gWeMlbGJd5llosmhxIgVFmo3QLzSJIYWxmbGlu ZyA8ZW5jcnlwdGlvbkBoYWxmbGluZy5vcmc+wsALBBMWCgB9BYJj/y4jAwsJBwkQ pnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn EopfmcPiJ7b4qrCW3mcQ4b7UGDaZws/WRb0TdtUxcXQDFQoIApsBAh4BFiEE1Y4E fAXRFepPPRqYpnpzMSe76AQAAIdBAP9AcisA8YR/v779TOUWzqIN1yFcGRzXLzAI Hj98XPHL/AEAo/DbjVgOvSKpiC+sAN35NrAPPr7Gj3or+Veut6dBVgzNH0hhbGZs aW5nIDxzaWduaW5nQGhhbGZsaW5nLm9yZz7CwA4EExYKAIAFgmP/LiMDCwkHCRCm enMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmef WyvuawQMSACunre9VWwnwXCShhv05eNmAIx4hDt6CAMVCggCmQECmwECHgEWIQTV jgR8BdEV6k89GpimenMxJ7voBAAAUWIA/jFrXrOw4h6iOJovCvGD9zoJfyZWhCEt t7x/+6amswwgAP0fYkSVoKfBFYKaBjTYRKF3THLsNBeF5YiRQFqG4MknCMdYBGP/ LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4VqDnXdVfPw6z AAEA5teNruqH9A7+PSQEK3dXgr6Fr4ghOKYoNye4GEfhIuoPTcLAAAQYFgoAcgWC Y/8uIwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3Jn/WYviyUoWRfOUPPdadiBM3mp6gNpeN1yZef0W/6kWiICmyAWIQTVjgR8 BdEV6k89GpimenMxJ7voBAAAIHkBAO0PMh6tvEWNzwHEkw7mu4ILc9xvQxXLBOn1 EDVruO72AQCPiGCrKi6kDOhysjYUDgAMUMvZini/oa5gHkD2pvntDMdYBGP/LiMW CSsGAQQB2kcPAQEHQLwKdrFqa5xqwwWWc/XcOJ1lHWcafCeupBQYG9cKzh5MAAEA ro5+ebXHuOPjY/pujqygi0th6+Fol06kvQ7S6SVFW/0TD8LAvwQYFgoBMQWCY/8u IwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Au b3JnzfCsG7qn234cMZF4CFsc4ONjr3AJlHydRYL8Qy1bIs0CmwK+oAQZFgoAbwWC Y/8uIwkQ/1xlguTRS2hHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3JnQoH/CrlAhnFSborWNoHT9TYvuRiBNEDQEYxnNfAWUekWIQSdzaKpWhe3 KNalEV7/XGWC5NFLaAAAQbABAJWxv0yuD0OoNgdD1yJBjGdP+VbNkBppuH8kmFzs KQu2AP49z+hhBHCj6fw9IcFZUPoMH29Sn8ZQJ8uiPUK718fmCBYhBNWOBHwF0RXq Tz0amKZ6czEnu+gEAACFcAEA9/VC7suSJyisJ64qeBryGm9sX2KOm8F3BQlD1ck7 h2IA/i330B58jaJ8JOhaoLqIfNx5OaNx3CNlpkXakPoG+RoLx10EY/8uIxIKKwYB BAGXVQEFAQEHQCVvNNnL1FUU6TCMyUPFe1jUiulQT/zau/KV4KPofFYnAwEIBwAA /1rxV+ZmdBzBr1NKc5q54iqv5/XNCosvy3KIZ7hYswNYEcLCwAAEGBYKAHIFgmP/ LiMJEKZ6czEnu+gERxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdw Lm9yZ2GWojIZyQprOoE2p3Js/iXmXi1dnGd0td4ANZzkDHJCApsMFiEE1Y4EfAXR FepPPRqYpnpzMSe76AQAACbAAPwJyUgmEQpaJLVjT73zlLMysuPkewmfyACIgp4g pP4SBgD/bn+piSKZ2/2yHH7g5lJuWloAFVBPhabzSI2Pfpo6DQE= =GU9G -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/halfling-signing.pgp000064400000000000000000000037111046102023000213670ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY/8uIxYJKwYBBAHaRw8BAQdAA9aW4B1xTRkp7iBYjGFguvS4QSBtDECaz5IC 3W7Si6vCwAsEHxYKAH0FgmP/LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdPYAQhUEP91O1VnH3HoKmNbyxdQj3b 9oC2B/UsIp4yAQMVCggCmwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAA/tEA /ArkGemMlBvohv/fimDmlg2zkt/Nw5oM2okjWJHphji4AP94j9uSMI3GAEoOLaxI kus5vG90Ud7/qVLpWj+9ychXCM0PPHJlZ2lzQHB1cC5jb20+wsALBBMWCgB9BYJj /y4jAwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnGsjX3qd44eMJYm2mbl8MwYPkxEXNI19YCMKg2sveytoDFQoIApsB Ah4BFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAEtPAQC/ah2Y+9ZEASbXJi+qU/+o vdDlZlLe6ebEhXSC+IbQBwEA9yls7wgOdo/Hd2ObuBZ4yVsYl3mWWiyaHEiBUWaj dAvNH0hhbGZsaW5nIDxzaWduaW5nQGhhbGZsaW5nLm9yZz7CwA4EExYKAIAFgmP/ LiMDCwkHCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lh LXBncC5vcmefWyvuawQMSACunre9VWwnwXCShhv05eNmAIx4hDt6CAMVCggCmQEC mwECHgEWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAUWIA/jFrXrOw4h6iOJovCvGD 9zoJfyZWhCEtt7x/+6amswwgAP0fYkSVoKfBFYKaBjTYRKF3THLsNBeF5YiRQFqG 4MknCM4zBGP/LiMWCSsGAQQB2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4 VqDnXdVfPw6zwsAABBgWCgByBYJj/y4jCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmf9Zi+LJShZF85Q891p2IEzeanqA2l4 3XJl5/Rb/qRaIgKbIBYhBNWOBHwF0RXqTz0amKZ6czEnu+gEAAAgeQEA7Q8yHq28 RY3PAcSTDua7ggtz3G9DFcsE6fUQNWu47vYBAI+IYKsqLqQM6HKyNhQOAAxQy9mK eL+hrmAeQPam+e0MzjMEY/8uIxYJKwYBBAHaRw8BAQdAvAp2sWprnGrDBZZz9dw4 nWUdZxp8J66kFBgb1wrOHkzCwL8EGBYKATEFgmP/LiMJEKZ6czEnu+gERxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ83wrBu6p9t+HDGReAhb HODjY69wCZR8nUWC/EMtWyLNApsCvqAEGRYKAG8FgmP/LiMJEP9cZYLk0UtoRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ0KB/wq5QIZxUm6K 1jaB0/U2L7kYgTRA0BGMZzXwFlHpFiEEnc2iqVoXtyjWpRFe/1xlguTRS2gAAEGw AQCVsb9Mrg9DqDYHQ9ciQYxnT/lWzZAaabh/JJhc7CkLtgD+Pc/oYQRwo+n8PSHB WVD6DB9vUp/GUCfLoj1Cu9fH5ggWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAhXAB APf1Qu7LkicorCeuKnga8hpvbF9ijpvBdwUJQ9XJO4diAP4t99AefI2ifCToWqC6 iHzceTmjcdwjZaZF2pD6BvkaCw== =RcKT -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/hans-puny-code-priv.pgp000064400000000000000000000030221046102023000217520ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: F667 5D0E 4DA4 0823 715C 4811 B894 91F0 7D08 E4F8 Comment: Hans xVgEY+oqshYJKwYBBAHaRw8BAQdAT3RaMo+Mm0kzj5kQhqNQWwHzsxsXFC10ZWBf tdIAKWMAAP9//c94gjDUS6nzSSxBTkqH7CQPZS5Lfh1x01ZYWkGmXg8twsALBB8W CgB9BYJj6iqyAwsJBwkQuJSR8H0I5PhHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnTonT+wh1nQ6+SGZM/3caxq3V5hflG/hX3IrX/Q/NR3YD FQoIApsBAh4BFiEE9mddDk2kCCNxXEgRuJSR8H0I5PgAAJ4xAP9y4me1jRRfxrnW 3jnV+jB7n6m3xxpn/Y0Tmh/EhZsrGwEAvrMBIyXycmSLB1giDnmeLi8U+z3cx5+x kRJGHi/cvAnNHUhhbnMgPGhhbnNAeG4tLWJjaGVyLWt2YS50bGQ+wsAOBBMWCgCA BYJj6iqyAwsJBwkQuJSR8H0I5PhHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3Jn6ABJrqKC61PG6PamtZM1YuRmoxFWwuBcEadTWjH6VYYDFQoI ApkBApsBAh4BFiEE9mddDk2kCCNxXEgRuJSR8H0I5PgAANV2AP47sc59UcqS0woi p3aqR9rhgQ0PlGR1dlKCved1ScfU4AD7BOlXuMdm9rkPHsMWUVv2zBWHsfOzU9Tr Vt6OsaTrpAjHWARj6iqyFgkrBgEEAdpHDwEBB0AZMvj3dmsZZS+1bL+WX6HDv+gN 8i+QyhyBjB0s8wUjkwAA/RFddhggq/2q9zpOfb0C/mhdZgBCPcZMNz/UbxVzzZuB DwrCwL8EGBYKATEFgmPqKrIJELiUkfB9COT4RxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZyuXD0xCb8liVrUy7F6WOBJOxfEELZY6ysI1tpUL Tb3YApsCvqAEGRYKAG8FgmPqKrIJENsfXxHBfLLURxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZw9UPiixBgUO/0gAwW41/f5qoJTwNSRxtQ3N 2gZw/PPMFiEEP2DqCuvBPikJOaCA2x9fEcF8stQAALtoAP9N9fc0d+mq59zflgdM QSljALYqug0xOECe15Z01FHuPAEAy2VMaBiv140AkT+AoUgFjT5UGbttbAGR5PaT z0f9ZQAWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAAOB0BAOE6N1BWh63R0bozConx 708Xahe/6434g1ypTKLKrPiaAP9qK8oK38FKpoSjL2tLRzDhqUvBsRYPvYZ070tV sKPqCw== =Patr -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/hans-puny-code.pgp000064400000000000000000000026521046102023000210040ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: F667 5D0E 4DA4 0823 715C 4811 B894 91F0 7D08 E4F8 Comment: Hans xjMEY+oqshYJKwYBBAHaRw8BAQdAT3RaMo+Mm0kzj5kQhqNQWwHzsxsXFC10ZWBf tdIAKWPCwAsEHxYKAH0FgmPqKrIDCwkHCRC4lJHwfQjk+EcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdOidP7CHWdDr5IZkz/dxrGrdXmF+Ub +Ffcitf9D81HdgMVCggCmwECHgEWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAAnjEA /3LiZ7WNFF/GudbeOdX6MHufqbfHGmf9jROaH8SFmysbAQC+swEjJfJyZIsHWCIO eZ4uLxT7PdzHn7GREkYeL9y8Cc0dSGFucyA8aGFuc0B4bi0tYmNoZXIta3ZhLnRs ZD7CwA4EExYKAIAFgmPqKrIDCwkHCRC4lJHwfQjk+EcUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmfoAEmuooLrU8bo9qa1kzVi5GajEVbC4FwR p1NaMfpVhgMVCggCmQECmwECHgEWIQT2Z10OTaQII3FcSBG4lJHwfQjk+AAA1XYA /juxzn1RypLTCiKndqpH2uGBDQ+UZHV2UoK953VJx9TgAPsE6Ve4x2b2uQ8ewxZR W/bMFYex87NT1OtW3o6xpOukCM4zBGPqKrIWCSsGAQQB2kcPAQEHQBky+Pd2axll L7Vsv5ZfocO/6A3yL5DKHIGMHSzzBSOTwsC/BBgWCgExBYJj6iqyCRC4lJHwfQjk +EcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcrlw9MQm/J Yla1MuxeljgSTsXxBC2WOsrCNbaVC0292AKbAr6gBBkWCgBvBYJj6iqyCRDbH18R wXyy1EcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcPVD4o sQYFDv9IAMFuNf3+aqCU8DUkcbUNzdoGcPzzzBYhBD9g6grrwT4pCTmggNsfXxHB fLLUAAC7aAD/TfX3NHfpqufc35YHTEEpYwC2KroNMThAnteWdNRR7jwBAMtlTGgY r9eNAJE/gKFIBY0+VBm7bWwBkeT2k89H/WUAFiEE9mddDk2kCCNxXEgRuJSR8H0I 5PgAADgdAQDhOjdQVoet0dG6MwqJ8e9PF2oXv+uN+INcqUyiyqz4mgD/aivKCt/B SqaEoy9rS0cw4alLwbEWD72GdO9LVbCj6gs= =zJtz -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/peter-priv.pgp000064400000000000000000000050251046102023000202440ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 692E 359E FB0B E115 373F 6CEA D5D8 BA16 C805 A81F Comment: Peter xVgEZitRShYJKwYBBAHaRw8BAQdAfch6qYuSZjyAxB0kd4uERbpxItJdvUmi0ZHy rPBbB8IAAQCrkLH4DTl/2z/bfp+dmAxxlqQ4ro4wxUkiiPe79sdqkBFtwsALBB8W CgB9BYJmK1FKAwsJBwkQ1di6FsgFqB9HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jn7HF77MOi515FrejwVmfLUFfIcrxa+oic9Jk0PlrCInUD FQoIApsBAh4BFiEEaS41nvsL4RU3P2zq1di6FsgFqB8AAM1wAQDH1gsixgOpJyca 2Sv0Ef1lJkm+Y5znZHRrHZV1opPoOQD/akLLUJ9DxNnYlyuw3LVtmQv1IwH6Nb6O G0z98PsSFQ/NGVBldGVyIDxwZXRlckBleGFtcGxlLmNvbT7CwA4EExYKAIAFgmYr UUoDCwkHCRDV2LoWyAWoH0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lh LXBncC5vcmftDrRqfDLoEu3qCLDVc/aKgQmt69pfOE30XqXhkPmu4wMVCggCmQEC mwECHgEWIQRpLjWe+wvhFTc/bOrV2LoWyAWoHwAAfTMA/0To1wdestrfd1WexWXc psro96XQeMROYniDnfhCWHXUAQD54C4NTDccWIcZrblnPWkse1rYLTJqH2kKrJYo qlyiAsdYBGYrUUoWCSsGAQQB2kcPAQEHQB3h014ilCSIgHF3TQeC6lr1a3L7s2zR A5T1FaWsD7AyAAD/bd9utKrTNcEJ/oTtq2QbEn8ySe7w2dcWldRK9bEUA+ASgsLA vwQYFgoBMQWCZitRSgkQ1di6FsgFqB9HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnK2icAwzi+Ymx3DYOr86UO74QH5glWksQwYyR/gSK5R0C myC+oAQZFgoAbwWCZitRSgkQpt40hn3okn5HFAAAAAAAHgAgc2FsdEBub3RhdGlv bnMuc2VxdW9pYS1wZ3Aub3JnGYy4/+hFO+daveB8l3Slgb554LrkFgBEoaah7LCI UMIWIQRp0yXiDaTUBCeaZTSm3jSGfeiSfgAAiw8A/32xpxX40LOA3nSfH2hp3J+V fIMHhXSf/TiKhbWKmS0DAQDX3d8R7r5jGVwEcZUxlpoD5x3SPl61f1A+UbJeDtHt DxYhBGkuNZ77C+EVNz9s6tXYuhbIBagfAACLdAD8DAMQE+rY0WuXcV03uCT/FaMb Lw6p3vOCZl6LbYeRxygA/3Gq3paT6/jjOfrUNx0xdzk1hpkFwBxA0ixijoKAbCMB x1gEZitRShYJKwYBBAHaRw8BAQdAzEvkt/byIxI1nI272QhZqVO1FVydSiHIjLiL wpG1Pt4AAP9O8L7nYMTCGUEI+ZZQ8gFeCeFxs78PPrIAukF6CtsQkhAiwsC/BBgW CgExBYJmK1FKCRDV2LoWyAWoH0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmcWkH3FxecXafa5wHXDRwGMStIsDRvR3DB1lkSkdnNqhQKbAr6g BBkWCgBvBYJmK1FKCRCM5P5r0BKC3kcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5z ZXF1b2lhLXBncC5vcmd2QAurF8c4wnx0g3LZ9HelAuYMTO3giXGC6Gnz+venfRYh BGLS2X8A35bS3+2F+Yzk/mvQEoLeAAA0ZAD/bBk9lA0m8cz6525UqP3AwWfDFjCa L8IxWnwVeDJ2AuQBAPoh87u0YBoYXJRGVdI5/PNspoAm9JQhb2zACyeamicAFiEE aS41nvsL4RU3P2zq1di6FsgFqB8AAFbOAP9yf9XQJT/14/n6Nfwa8mXlWPJTevxN 8sRQ1n3fedoJmwEA7TMrjTbPpBiHV3YpgFe6hgB+/ldbK3tFrHyvLDf1vgjHXQRm K1FKEgorBgEEAZdVAQUBAQdAHg2H8RYYi6/HEjLud/qWg4GDl32E95OfbtFITo20 /lgDAQgHAAD/bDrNGNquCLldUOBVDDR1EocRCZzjAUIlx/KsLECz/0gOz8LAAAQY FgoAcgWCZitRSgkQ1di6FsgFqB9HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3JnzI1VKKf0spgFecKS1tW0Plt98+QdFU97L3BepZEKpNwCmwwW IQRpLjWe+wvhFTc/bOrV2LoWyAWoHwAAAkgA/A67IJvzCsvzXvlLttfzdYTv/+Rh INF4vhbiSz/GmkyqAQCWBW6rQx0bgIeIkAz25ShuOOjDu9eRWLXJYoo7l7NIAw== =2/un -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/peter.pgp000064400000000000000000000050361046102023000172700ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZitRShYJKwYBBAHaRw8BAQdAfch6qYuSZjyAxB0kd4uERbpxItJdvUmi0ZHy rPBbB8LCwAsEHxYKAH0FgmYrUUoDCwkHCRDV2LoWyAWoH0cUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmfscXvsw6LnXkWt6PBWZ8tQV8hyvFr6 iJz0mTQ+WsIidQMVCggCmwECHgEWIQRpLjWe+wvhFTc/bOrV2LoWyAWoHwAAzXAB AMfWCyLGA6knJxrZK/QR/WUmSb5jnOdkdGsdlXWik+g5AP9qQstQn0PE2diXK7Dc tW2ZC/UjAfo1vo4bTP3w+xIVD80aRGFkIDxwZXRlckBleGFtcGxlLmZhbWlseT7C wAMEEBYKAHUFgmYrUV0FgwlnmjsJEHFCSt4+xhu8RxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZ/zclAkuPM9+PHfXBpkWIhWpTb2yPER1yjMP 41e1eU+KFiEEEZsBRgZZ2O83Mr7CcUJK3j7GG7wAAMrdAQCHabjPugiOSNJeIfkV jGU5/MxmAwHN1pCZ4c+xT/ddIwEAm03iqwhnaionr5yU3m1+4dzlIZ0CVr2Sp6bR jCGJxwvNGVBldGVyIDxwZXRlckBleGFtcGxlLmNvbT7CwA4EExYKAIAFgmYrUUoD CwkHCRDV2LoWyAWoH0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBn cC5vcmftDrRqfDLoEu3qCLDVc/aKgQmt69pfOE30XqXhkPmu4wMVCggCmQECmwEC HgEWIQRpLjWe+wvhFTc/bOrV2LoWyAWoHwAAfTMA/0To1wdestrfd1WexWXcpsro 96XQeMROYniDnfhCWHXUAQD54C4NTDccWIcZrblnPWkse1rYLTJqH2kKrJYoqlyi As4zBGYrUUoWCSsGAQQB2kcPAQEHQB3h014ilCSIgHF3TQeC6lr1a3L7s2zRA5T1 FaWsD7AywsC/BBgWCgExBYJmK1FKCRDV2LoWyAWoH0cUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmcraJwDDOL5ibHcNg6vzpQ7vhAfmCVaSxDB jJH+BIrlHQKbIL6gBBkWCgBvBYJmK1FKCRCm3jSGfeiSfkcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcZjLj/6EU751q94HyXdKWBvnnguuQW AEShpqHssIhQwhYhBGnTJeINpNQEJ5plNKbeNIZ96JJ+AACLDwD/fbGnFfjQs4De dJ8faGncn5V8gweFdJ/9OIqFtYqZLQMBANfd3xHuvmMZXARxlTGWmgPnHdI+XrV/ UD5Rsl4O0e0PFiEEaS41nvsL4RU3P2zq1di6FsgFqB8AAIt0APwMAxAT6tjRa5dx XTe4JP8VoxsvDqne84JmXotth5HHKAD/carelpPr+OM5+tQ3HTF3OTWGmQXAHEDS LGKOgoBsIwHOMwRmK1FKFgkrBgEEAdpHDwEBB0DMS+S39vIjEjWcjbvZCFmpU7UV XJ1KIciMuIvCkbU+3sLAvwQYFgoBMQWCZitRSgkQ1di6FsgFqB9HFAAAAAAAHgAg c2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnFpB9xcXnF2n2ucB1w0cBjErS LA0b0dwwdZZEpHZzaoUCmwK+oAQZFgoAbwWCZitRSgkQjOT+a9ASgt5HFAAAAAAA HgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JndkALqxfHOMJ8dINy2fR3 pQLmDEzt4Ilxguhp8/r3p30WIQRi0tl/AN+W0t/thfmM5P5r0BKC3gAANGQA/2wZ PZQNJvHM+uduVKj9wMFnwxYwmi/CMVp8FXgydgLkAQD6IfO7tGAaGFyURlXSOfzz bKaAJvSUIW9swAsnmponABYhBGkuNZ77C+EVNz9s6tXYuhbIBagfAABWzgD/cn/V 0CU/9eP5+jX8GvJl5VjyU3r8TfLEUNZ933naCZsBAO0zK402z6QYh1d2KYBXuoYA fv5XWyt7Rax8ryw39b4IzjgEZitRShIKKwYBBAGXVQEFAQEHQB4Nh/EWGIuvxxIy 7nf6loOBg5d9hPeTn27RSE6NtP5YAwEIB8LAAAQYFgoAcgWCZitRSgkQ1di6FsgF qB9HFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnzI1VKKf0 spgFecKS1tW0Plt98+QdFU97L3BepZEKpNwCmwwWIQRpLjWe+wvhFTc/bOrV2LoW yAWoHwAAAkgA/A67IJvzCsvzXvlLttfzdYTv/+RhINF4vhbiSz/GmkyqAQCWBW6r Qx0bgIeIkAz25ShuOOjDu9eRWLXJYoo7l7NIAw== =z2JX -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/steve-priv.pgp000064400000000000000000000030221046102023000202460ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 217E 256E 1767 19A5 452E DFF9 35AA DEC6 6B56 585B Comment: Steve xVgEY+oyohYJKwYBBAHaRw8BAQdAvt5KOKjBeor71rpom6N/6+TbHhXDIa7qQ0Ht zQneFeQAAQDAzUbk5663nYv1gGFw2L4lix8PKG/VAlTJ60U+WuOSPhDswsALBB8W CgB9BYJj6jKiAwsJBwkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnB5GN1ytb4OBEuWTGbe6YLQERrMyH25xx+ROabT1IlpMD FQoIApsBAh4BFiEEIX4lbhdnGaVFLt/5NarexmtWWFsAAD1FAQC3lqYfMNO+16bQ kczC9nFpKXR0w31T0Y5gcTTUFEPf5wEAsE3qZgUSk5jbAKdApQjae/L7Fg/n3rBT oxcJobSEIQDNHVN0ZXZlIDxzdGV2ZUBzdWIuY29tcGFueS5jb20+wsAOBBMWCgCA BYJj6jKiAwsJBwkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3JnpHmJbxKKXD9L7rb6Nm4QO7MAwEL9tAij4pRJ5nLW3RoDFQoI ApkBApsBAh4BFiEEIX4lbhdnGaVFLt/5NarexmtWWFsAACRKAQComL8m5O1VFzkQ ppd3FiNZ55JFriChzKE4l/PDJtFWKwD+K1v/rPt8xoluiXkcCzCwy5bVTcxhAGD3 yG/kFty8Gw7HWARj6jKiFgkrBgEEAdpHDwEBB0CUDl/MXB9n4zhULNYtn4AvcLYJ p7VEwrrO4SEWTg3SQwABAMUq0/p6feCGZGQBviCqhhOCIn6HIs9NjnDev5dwBn8r Dz3CwL8EGBYKATEFgmPqMqIJEDWq3sZrVlhbRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZyBzXATYY9Bisl9qX3bybDnuHdvr2i0LuDdkCyeH WAjlApsCvqAEGRYKAG8FgmPqMqIJELWWtlb9j3ALRxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZ3ctrGVdHZWTXgkQgDuARO7gqTuwb/rNDolL avWFIE3cFiEEMsWCBUAwh1K3CS7ltZa2Vv2PcAsAAL/oAQDdllWylqthNy+e5OYl 4mr1GWUSOCfDlFaH146drBGyPAEArRTopl2w0KiDbo92kfrx+y3L4cLSK85byPOL swX4eAsWIQQhfiVuF2cZpUUu3/k1qt7Ga1ZYWwAAw3oBAMVzhKa/ZmUQmNX8zk6v GK0vbOw47hPaVRCG1RRrSGrwAQC5Tteh+McKoFQzKea/CreuPbaqDaMfEUarKO1b E0wPCA== =M99G -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/steve.pgp000064400000000000000000000026521046102023000173000ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 217E 256E 1767 19A5 452E DFF9 35AA DEC6 6B56 585B Comment: Steve xjMEY+oyohYJKwYBBAHaRw8BAQdAvt5KOKjBeor71rpom6N/6+TbHhXDIa7qQ0Ht zQneFeTCwAsEHxYKAH0FgmPqMqIDCwkHCRA1qt7Ga1ZYW0cUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcHkY3XK1vg4ES5ZMZt7pgtARGszIfb nHH5E5ptPUiWkwMVCggCmwECHgEWIQQhfiVuF2cZpUUu3/k1qt7Ga1ZYWwAAPUUB ALeWph8w077XptCRzML2cWkpdHTDfVPRjmBxNNQUQ9/nAQCwTepmBRKTmNsAp0Cl CNp78vsWD+fesFOjFwmhtIQhAM0dU3RldmUgPHN0ZXZlQHN1Yi5jb21wYW55LmNv bT7CwA4EExYKAIAFgmPqMqIDCwkHCRA1qt7Ga1ZYW0cUAAAAAAAeACBzYWx0QG5v dGF0aW9ucy5zZXF1b2lhLXBncC5vcmekeYlvEopcP0vutvo2bhA7swDAQv20CKPi lEnmctbdGgMVCggCmQECmwECHgEWIQQhfiVuF2cZpUUu3/k1qt7Ga1ZYWwAAJEoB AKiYvybk7VUXORCml3cWI1nnkkWuIKHMoTiX88Mm0VYrAP4rW/+s+3zGiW6JeRwL MLDLltVNzGEAYPfIb+QW3LwbDs4zBGPqMqIWCSsGAQQB2kcPAQEHQJQOX8xcH2fj OFQs1i2fgC9wtgmntUTCus7hIRZODdJDwsC/BBgWCgExBYJj6jKiCRA1qt7Ga1ZY W0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcgc1wE2GPQ YrJfal928mw57h3b69otC7g3ZAsnh1gI5QKbAr6gBBkWCgBvBYJj6jKiCRC1lrZW /Y9wC0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmd3Laxl XR2Vk14JEIA7gETu4Kk7sG/6zQ6JS2r1hSBN3BYhBDLFggVAMIdStwku5bWWtlb9 j3ALAAC/6AEA3ZZVsparYTcvnuTmJeJq9RllEjgnw5RWh9eOnawRsjwBAK0U6KZd sNCog26PdpH68fsty+HC0ivOW8jzi7MF+HgLFiEEIX4lbhdnGaVFLt/5NarexmtW WFsAAMN6AQDFc4Smv2ZlEJjV/M5OrxitL2zsOO4T2lUQhtUUa0hq8AEAuU7XofjH CqBUMynmvwq3rj22qg2jHxFGqyjtWxNMDwg= =ueVE -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/una-priv.pgp000064400000000000000000000027751046102023000177210ustar 00000000000000-----BEGIN PGP PRIVATE KEY BLOCK----- Comment: 119B 0146 0659 D8EF 3732 BEC2 7142 4ADE 3EC6 1BBC Comment: Una xVgEY+oykhYJKwYBBAHaRw8BAQdAkHZelZnKgyDf93+x3dEjxFGvfNZ2mzWxh4MM mp+V4YAAAP9c7yFPEUEo8s17G0UvwGdnR5dP7cARfMk9oOXvNpTv4REGwsALBB8W CgB9BYJj6jKSAwsJBwkQcUJK3j7GG7xHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3JnNkxF9jqWQFtCThu+2My8F4VNsMqIowBzbnMTtzLVFJUD FQoIApsBAh4BFiEEEZsBRgZZ2O83Mr7CcUJK3j7GG7wAAAiYAP0c90sDWGs5jsBv 03H5UkLZvw2uvMrKJd47pT3aloXpOQD8C1vt7PTgkzdr79G8h6nRhpg/FNrW/+pX Cq7qjUZ+/gnNFVVuYSA8dW5hQGNvbXBhbnkuY29tPsLADgQTFgoAgAWCY+oykgML CQcJEHFCSt4+xhu8RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdw Lm9yZ/PoQvY1cIKPZjLqb3HWViJXtrONf9GXxSMIr3z8o4kCAxUKCAKZAQKbAQIe ARYhBBGbAUYGWdjvNzK+wnFCSt4+xhu8AACMJQD+IkXutGYCxJMqwrbD18polWLx IhojofUTcwg9Qlmz3UUBAIP8bKENVhOCwA0hT/3GmOvMRSjosyNhiAMtPd09OIAC x1gEY+oykhYJKwYBBAHaRw8BAQdAINC4y2VLb5XeTxBjK7Pf/53xUXl0OJe/87tE ixluoMoAAQDhNvenwXoaY+Fw2iw1taVy5cZZ2ke/0crBn6RXMSUAnBGSwsC/BBgW CgExBYJj6jKSCRBxQkrePsYbvEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1 b2lhLXBncC5vcmcMvtVQROXLGIVC8DAhtcW6jbmlokmR9MMngd58P2KuVgKbAr6g BBkWCgBvBYJj6jKSCRDQvkR785tDn0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5z ZXF1b2lhLXBncC5vcmdCjEo62Cqb/N5XxGb1Tdnu225hTSuRiwXz3ss1+N7YwhYh BO5Ywy49IzbyI72JztC+RHvzm0OfAACnMwEAmPaEWKPd3hpJqdAph8KAdRYeVwhm rCwAi8NaE917S4sA/AzyJubT/4Sp/vK+SPa+d/VTNEApS1TRf9SQbkAjp40HFiEE EZsBRgZZ2O83Mr7CcUJK3j7GG7wAADLCAQC2h/atUVO/QhD6sg8uGFMj68/+QBy1 Qg/7f9TezlE2KgD+K6YyFlIZVuScF9xKkKGiQpxBiekcDoVdGev0jxE86QY= =UR1a -----END PGP PRIVATE KEY BLOCK----- sequoia-cert-store-0.6.0/tests/data/una.pgp000064400000000000000000000026261046102023000167360ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: 119B 0146 0659 D8EF 3732 BEC2 7142 4ADE 3EC6 1BBC Comment: Una xjMEY+oykhYJKwYBBAHaRw8BAQdAkHZelZnKgyDf93+x3dEjxFGvfNZ2mzWxh4MM mp+V4YDCwAsEHxYKAH0FgmPqMpIDCwkHCRBxQkrePsYbvEcUAAAAAAAeACBzYWx0 QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmc2TEX2OpZAW0JOG77YzLwXhU2wyoij AHNucxO3MtUUlQMVCggCmwECHgEWIQQRmwFGBlnY7zcyvsJxQkrePsYbvAAACJgA /Rz3SwNYazmOwG/TcflSQtm/Da68ysol3julPdqWhek5APwLW+3s9OCTN2vv0byH qdGGmD8U2tb/6lcKruqNRn7+Cc0VVW5hIDx1bmFAY29tcGFueS5jb20+wsAOBBMW CgCABYJj6jKSAwsJBwkQcUJK3j7GG7xHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMu c2VxdW9pYS1wZ3Aub3Jn8+hC9jVwgo9mMupvcdZWIle2s41/0ZfFIwivfPyjiQID FQoIApkBApsBAh4BFiEEEZsBRgZZ2O83Mr7CcUJK3j7GG7wAAIwlAP4iRe60ZgLE kyrCtsPXymiVYvEiGiOh9RNzCD1CWbPdRQEAg/xsoQ1WE4LADSFP/caY68xFKOiz I2GIAy093T04gALOMwRj6jKSFgkrBgEEAdpHDwEBB0Ag0LjLZUtvld5PEGMrs9// nfFReXQ4l7/zu0SLGW6gysLAvwQYFgoBMQWCY+oykgkQcUJK3j7GG7xHFAAAAAAA HgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnDL7VUETlyxiFQvAwIbXF uo25paJJkfTDJ4HefD9irlYCmwK+oAQZFgoAbwWCY+oykgkQ0L5Ee/ObQ59HFAAA AAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnQoxKOtgqm/zeV8Rm 9U3Z7ttuYU0rkYsF897LNfje2MIWIQTuWMMuPSM28iO9ic7QvkR785tDnwAApzMB AJj2hFij3d4aSanQKYfCgHUWHlcIZqwsAIvDWhPde0uLAPwM8ibm0/+Eqf7yvkj2 vnf1UzRAKUtU0X/UkG5AI6eNBxYhBBGbAUYGWdjvNzK+wnFCSt4+xhu8AAAywgEA tof2rVFTv0IQ+rIPLhhTI+vP/kActUIP+3/U3s5RNioA/iumMhZSGVbknBfcSpCh okKcQYnpHA6FXRnr9I8RPOkG =TWWI -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/keyring.pgp000064400000000000000000000425231046102023000167120ustar 00000000000000-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9GlRVnuTclWR3NJHksXjREY3cH JDyH1vrCwBEEHxYKAIMFgmPopPQFiQWkj70DCwkHCRAeowB5clinTkcUAAAAAAAe ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmeHv7fnXzd4P5rem8heR3Ps MIJHYhJhrHJoc4Pda2uJsgMVCggCmwECHgEWIQQMNGsrYkEmP2Tpx88eowB5clin TgAAnboA/ii83dQNKuWbuMZMH61/wkx3CBxBxQqCegMG4wm+QtxzAQChG0dFc0f6 xgdRFT+NqFOiKQll+DOHyx/64KIvmzMZCs0QPGVkQGV4YW1wbGUub3JnPsLAFAQT FgoAhgWCY+ik9AWJBaSPvQMLCQcJEB6jAHlyWKdORxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZ/IrlRCQaR62j+/g1lPCwnTNUncQvLyCuRaX xcvEbK2oAxUKCAKZAQKbAQIeARYhBAw0aytiQSY/ZOnHzx6jAHlyWKdOAAB+pgD9 H39XCeUJot/e3kj/FXB2DVOzRh/JXTf8DijaE8UZw60A/iPSaUgo/zX1US1A5HRs ZAmh5/NuNFGlc8Ga5Uhu6agMzjMEY+ik9BYJKwYBBAHaRw8BAQdAObLfcRUmRi9G lRVnuTclWR3NJHksXjREY3cHJDyH1vrCwL8EGBYKATEFgmPopZYJEB6jAHlyWKdO RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2DwGaTs9JDD fiZEnYLt1gnn9Y1BPath3jMWJVieWnMiApsBvqAEGRYKAG8FgmPopZYJEB6jAHly WKdORxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZykmDJ78 rKWJ5keAV7xA/cXU/fILUT42Pl4hKER8n+dpFiEEDDRrK2JBJj9k6cfPHqMAeXJY p04AAFWuAQCgRxcn47GVYgjnCTtM2nR65cDP2tD8Asi17yTK9B4hQQD+NeIuSbjw nJZ20Lc775PN966+4yvmw0yIcqy78W6/qgYWIQQMNGsrYkEmP2Tpx88eowB5clin TgAAHtcA/1Z6hgFz6HduwMGO8pU1UdZOHN9tyof10as2/77QvadlAQCx5HBD+d5P NkOu/RHHPp5w26LRENwzmeWxF7/WwAulA8YzBGPqMpIWCSsGAQQB2kcPAQEHQJB2 XpWZyoMg3/d/sd3RI8RRr3zWdps1sYeDDJqfleGAwsALBB8WCgB9BYJj6jKSAwsJ BwkQcUJK3j7GG7xHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Au b3JnNkxF9jqWQFtCThu+2My8F4VNsMqIowBzbnMTtzLVFJUDFQoIApsBAh4BFiEE EZsBRgZZ2O83Mr7CcUJK3j7GG7wAAAiYAP0c90sDWGs5jsBv03H5UkLZvw2uvMrK Jd47pT3aloXpOQD8C1vt7PTgkzdr79G8h6nRhpg/FNrW/+pXCq7qjUZ+/gnNFVVu YSA8dW5hQGNvbXBhbnkuY29tPsLADgQTFgoAgAWCY+oykgMLCQcJEHFCSt4+xhu8 RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ/PoQvY1cIKP ZjLqb3HWViJXtrONf9GXxSMIr3z8o4kCAxUKCAKZAQKbAQIeARYhBBGbAUYGWdjv NzK+wnFCSt4+xhu8AACMJQD+IkXutGYCxJMqwrbD18polWLxIhojofUTcwg9Qlmz 3UUBAIP8bKENVhOCwA0hT/3GmOvMRSjosyNhiAMtPd09OIACzjMEY+oykhYJKwYB BAHaRw8BAQdAINC4y2VLb5XeTxBjK7Pf/53xUXl0OJe/87tEixluoMrCwL8EGBYK ATEFgmPqMpIJEHFCSt4+xhu8RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVv aWEtcGdwLm9yZwy+1VBE5csYhULwMCG1xbqNuaWiSZH0wyeB3nw/Yq5WApsCvqAE GRYKAG8FgmPqMpIJENC+RHvzm0OfRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ0KMSjrYKpv83lfEZvVN2e7bbmFNK5GLBfPeyzX43tjCFiEE 7ljDLj0jNvIjvYnO0L5Ee/ObQ58AAKczAQCY9oRYo93eGkmp0CmHwoB1Fh5XCGas LACLw1oT3XtLiwD8DPIm5tP/hKn+8r5I9r539VM0QClLVNF/1JBuQCOnjQcWIQQR mwFGBlnY7zcyvsJxQkrePsYbvAAAMsIBALaH9q1RU79CEPqyDy4YUyPrz/5AHLVC D/t/1N7OUTYqAP4rpjIWUhlW5JwX3EqQoaJCnEGJ6RwOhV0Z6/SPETzpBsYzBGPq MqIWCSsGAQQB2kcPAQEHQL7eSjiowXqK+9a6aJujf+vk2x4VwyGu6kNB7c0J3hXk wsALBB8WCgB9BYJj6jKiAwsJBwkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnB5GN1ytb4OBEuWTGbe6YLQERrMyH25xx+ROa bT1IlpMDFQoIApsBAh4BFiEEIX4lbhdnGaVFLt/5NarexmtWWFsAAD1FAQC3lqYf MNO+16bQkczC9nFpKXR0w31T0Y5gcTTUFEPf5wEAsE3qZgUSk5jbAKdApQjae/L7 Fg/n3rBToxcJobSEIQDNHVN0ZXZlIDxzdGV2ZUBzdWIuY29tcGFueS5jb20+wsAO BBMWCgCABYJj6jKiAwsJBwkQNarexmtWWFtHFAAAAAAAHgAgc2FsdEBub3RhdGlv bnMuc2VxdW9pYS1wZ3Aub3JnpHmJbxKKXD9L7rb6Nm4QO7MAwEL9tAij4pRJ5nLW 3RoDFQoIApkBApsBAh4BFiEEIX4lbhdnGaVFLt/5NarexmtWWFsAACRKAQComL8m 5O1VFzkQppd3FiNZ55JFriChzKE4l/PDJtFWKwD+K1v/rPt8xoluiXkcCzCwy5bV TcxhAGD3yG/kFty8Gw7OMwRj6jKiFgkrBgEEAdpHDwEBB0CUDl/MXB9n4zhULNYt n4AvcLYJp7VEwrrO4SEWTg3SQ8LAvwQYFgoBMQWCY+oyogkQNarexmtWWFtHFAAA AAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnIHNcBNhj0GKyX2pf dvJsOe4d2+vaLQu4N2QLJ4dYCOUCmwK+oAQZFgoAbwWCY+oyogkQtZa2Vv2PcAtH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jndy2sZV0dlZNe CRCAO4BE7uCpO7Bv+s0OiUtq9YUgTdwWIQQyxYIFQDCHUrcJLuW1lrZW/Y9wCwAA v+gBAN2WVbKWq2E3L57k5iXiavUZZRI4J8OUVofXjp2sEbI8AQCtFOimXbDQqINu j3aR+vH7LcvhwtIrzlvI84uzBfh4CxYhBCF+JW4XZxmlRS7f+TWq3sZrVlhbAADD egEAxXOEpr9mZRCY1fzOTq8YrS9s7DjuE9pVEIbVFGtIavABALlO16H4xwqgVDMp 5r8Kt649tqoNox8RRqso7VsTTA8IxjMEY+UaGxYJKwYBBAHaRw8BAQdAEHlpai+g E3eN9Sewy6RIwvaHi2OEIDB7fQr6pram3vPCwAsEHxYKAH0FgmPlGhsDCwkHCRB+ cW/+d98XCkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdx UEETzwaTQoyKKOfr4PZgTCdQd4z/ODS8AsjAOXZGtAMVCggCmwECHgEWIQQjz+Sd S7egqoNhnBR+cW/+d98XCgAA4yUA/0P9kPooU7x3VMEqLae8pKab9HBfppU8MRVL S4+72Iy3AP9CFXNKwPrDNx3zRSVr0gNP4LvIRnYIylwh6IgDZYZDCM0TPGFsaWNl QGV4YW1wbGUub3JnPsLADgQTFgoAgAWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2ihxev0+5HPAMi1PYwh MDfoYgFwF+pd51kBtHs/meouAxUKCAKZAQKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5x b/533xcKAACpjQEAshMOpiGc3d0tmUrfJusiaK9DzcNvXvOz8VoMFTyszswA+wQ+ LwG0gOHeyByyOfrTS3SGUSzO94ccVCCgye5hzeMEzRE8YWxpY2VAdmVyZWluLmRl PsLACwQTFgoAfQWCY+UaGwMLCQcJEH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90 YXRpb25zLnNlcXVvaWEtcGdwLm9yZyQm3s5x1vVKZC4DrB5FjOd/huKii45jn6v8 VKC2k9z7AxUKCAKbAQIeARYhBCPP5J1Lt6Cqg2GcFH5xb/533xcKAAD2FQEA9Ar+ /KwYtDCM3R1kPZYgs+XNu3uqfpUZz2EMIc0+xQMA/iQJ0wbIDRpxWITUAhzlPDCf ewQ8hcmKHON+xTK6TYUNzjMEY+UZ6hYJKwYBBAHaRw8BAQdA7Xh768P0ELWKVha7 jvlrf96N6bK8+ISBFSWBwQeTLanCwL8EGBYKATEFgmPlGoAJEH5xb/533xcKRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ6jKFT9D3TotuXf6 nPLnk+Y7fWhd95cY0roDW3BEOGuMApsCvqAEGRYKAG8FgmPlGrwJENWlBIpxzQEq RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ0aATZPHvO82 7KrIHm+uCgWSM5fV507JC5peoBZrUZ+sFiEEZi8D/EfAXQcLU6k61aUEinHNASoA ALtKAP9CQ70prkjoo4bz1zMvINIV9DI4mpn4lTU65OT9T3Jy3wD8Dc0ddirxKJHq ifpG2bJfU9alajDH0dv3RRIzD3OmrQoWIQQjz+SdS7egqoNhnBR+cW/+d98XCgAA HSUA/jmW7hAY8xgXrVD/Aj3qsnJA1mUAntHQjcOgQafSVHALAQCslWSDUEOMUVxG kq/498hF13iwJLcHgckPa6u+WzExAs44BGPlGeoSCisGAQQBl1UBBQEBB0Bmef3e ckyLiMO5kJG/hqnAIh0qub81lsLLTCcNfswTCAMBCAfCwAAEGBYKAHIFgmPlGoAJ EH5xb/533xcKRxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9y ZzKM37EwuBHlB0dJ4Ljo9MIUDIEaVEFyJ+l+659sYwQsApsMFiEEI8/knUu3oKqD YZwUfnFv/nffFwoAANJrAP0aUjgxFCD789m2w0nAry0SA5JlLjuxWOJ42ziWEYAY UgEAzJwWRDgabsLC7VZ+v+TZ7wEh0JhGk6dX2lbH0v1apwHGMwRj5RnqFgkrBgEE AdpHDwEBB0CnHzEBU2NxSQZbfXBnpD2+7efLEla1eYdm/ex82W1gEMLACwQfFgoA fQWCY+UZ6gMLCQcJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ72uBSWycce7Cu193YRatsDb3GbBXo2+xkN5QvFSwGIKAxUK CAKbAQIeARYhBDBQW863QDobv6nb8L++Y1Z7S6V6AAD+XAEA9OtQfoEN4xDqcOkP 8I5w6M7mLBsyxwRVhBVYvyGyLS8A/01iD6ovLvq4Oos4ORclilCpjjOGkCdVX9fe 8LJ0uKMGzRM8YWxpY2VAYmVpc3BpZWwuZGU+wsALBBMWCgB9BYJj5RnqAwsJBwkQ v75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn R/kzyvS4FqYD3ZnSnWrhxrGJ5pqlC4IxWqCoNYArrDcDFQoIApsBAh4BFiEEMFBb zrdAOhu/qdvwv75jVntLpXoAAHmBAQC0KJzxaq+2m6BaYNFyWAz/O2I/6dqXUK/x LJn6ugft6wD9FbmY0o94xkHYQDUBGo84Lfoz4gXR4l2MoNRC922CfAnNEzxhbGlj ZUBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGeoDCwkHCRC/vmNWe0ulekcUAAAA AAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmelV5HO9nFO4vWG42QB P/bSlE1pa5I3s0OETTIwgBY1uQMVCggCmQECmwECHgEWIQQwUFvOt0A6G7+p2/C/ vmNWe0ulegAAtLMBAI3Jebp3KBySat0wxXfXY8aG37f7BtX0Xw2ZAm50g0mhAP0Y 3OENXjIM9XDPFtsKr23YHZRVa+5M05Ha7ClGjfWaCM4zBGPlGeoWCSsGAQQB2kcP AQEHQO14e+vD9BC1ilYWu475a3/ejemyvPiEgRUlgcEHky2pwsC/BBgWCgExBYJj 5RnqCRC/vmNWe0ulekcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBn cC5vcmdtYYQ11XlNWLv9gxhoTYet69Lh8X77HOWBpzAdtJBmXwKbAr6gBBkWCgBv BYJj5RnqCRDVpQSKcc0BKkcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lh LXBncC5vcmdQlNFzuInCVzUbKl51HCYaZFdTs2LNrQh8L9q/1owAWhYhBGYvA/xH wF0HC1OpOtWlBIpxzQEqAADLjAD/QUyfRGsEP2hWDBpFpCtUdGfP6A1jeKQn+9Xw 9DtxbKQA/3R4DWT92tQVKhxACYZ0fwonKES3O/LoXUNlAiopk3oHFiEEMFBbzrdA Ohu/qdvwv75jVntLpXoAAApDAP0aJdpJydTAcca0k3PXSbkesKGt6FzRX2FfaVYs F344PgEA53WgI0BP1JaXYVluRw/e810Cs6WU1mfx8+es89IjMg/OMwRj5RnqFgkr BgEEAdpHDwEBB0D5ukYoevx2XvwlWHTFXAwCOan5xlwnfSGOMQ1zfxvZN8LAAAQY FgoAcgWCY+UZ6gkQv75jVntLpXpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3Jn6Vy/tb+n81qlxASiBepjIFkzPytq8OEl/TksAAXm1oUCmyAW IQQwUFvOt0A6G7+p2/C/vmNWe0ulegAAEn0BAJZuczP/Fo4SOc9U4YMv7Mvbh+fS nSGxp6iqDe+Ll9bHAPwItUiYCG60wijlFWmskw+28H8diiFsTMqEZ8+eMMaMAs44 BGPlGeoSCisGAQQBl1UBBQEBB0Bmef3eckyLiMO5kJG/hqnAIh0qub81lsLLTCcN fswTCAMBCAfCwAAEGBYKAHIFgmPlGeoJEL++Y1Z7S6V6RxQAAAAAAB4AIHNhbHRA bm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ8vh6XJJLTFgljfa4QNqIwwhBxaIXXAC /zqmVQyOAO3UApsMFiEEMFBbzrdAOhu/qdvwv75jVntLpXoAAAH8AQCOe4UXausm +h0C4h9c3eFbir6gsKRz7zYLZ4sjfIlisAEAkh8gFV9D94PCKWK/ZBq3GjiZWQS+ 5RmnMlp6juV/KwDGMwRmK1FKFgkrBgEEAdpHDwEBB0B9yHqpi5JmPIDEHSR3i4RF unEi0l29SaLRkfKs8FsHwsLACwQfFgoAfQWCZitRSgMLCQcJENXYuhbIBagfRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ+xxe+zDoudeRa3o 8FZny1BXyHK8WvqInPSZND5awiJ1AxUKCAKbAQIeARYhBGkuNZ77C+EVNz9s6tXY uhbIBagfAADNcAEAx9YLIsYDqScnGtkr9BH9ZSZJvmOc52R0ax2VdaKT6DkA/2pC y1CfQ8TZ2JcrsNy1bZkL9SMB+jW+jhtM/fD7EhUPzRpEYWQgPHBldGVyQGV4YW1w bGUuZmFtaWx5PsLAAwQQFgoAdQWCZitRXQWDCWeaOwkQcUJK3j7GG7xHFAAAAAAA HgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn/NyUCS48z348d9cGmRYi FalNvbI8RHXKMw/jV7V5T4oWIQQRmwFGBlnY7zcyvsJxQkrePsYbvAAAyt0BAIdp uM+6CI5I0l4h+RWMZTn8zGYDAc3WkJnhz7FP910jAQCbTeKrCGdqKievnJTebX7h 3OUhnQJWvZKnptGMIYnHC80ZUGV0ZXIgPHBldGVyQGV4YW1wbGUuY29tPsLADgQT FgoAgAWCZitRSgMLCQcJENXYuhbIBagfRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ+0OtGp8MugS7eoIsNVz9oqBCa3r2l84TfRepeGQ+a7j AxUKCAKZAQKbAQIeARYhBGkuNZ77C+EVNz9s6tXYuhbIBagfAAB9MwD/ROjXB16y 2t93VZ7FZdymyuj3pdB4xE5ieIOd+EJYddQBAPngLg1MNxxYhxmtuWc9aSx7Wtgt MmofaQqsliiqXKICzjMEZitRShYJKwYBBAHaRw8BAQdAHeHTXiKUJIiAcXdNB4Lq WvVrcvuzbNEDlPUVpawPsDLCwL8EGBYKATEFgmYrUUoJENXYuhbIBagfRxQAAAAA AB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZytonAMM4vmJsdw2Dq/O lDu+EB+YJVpLEMGMkf4EiuUdApsgvqAEGRYKAG8FgmYrUUoJEKbeNIZ96JJ+RxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZxmMuP/oRTvnWr3g fJd0pYG+eeC65BYARKGmoeywiFDCFiEEadMl4g2k1AQnmmU0pt40hn3okn4AAIsP AP99sacV+NCzgN50nx9oadyflXyDB4V0n/04ioW1ipktAwEA193fEe6+YxlcBHGV MZaaA+cd0j5etX9QPlGyXg7R7Q8WIQRpLjWe+wvhFTc/bOrV2LoWyAWoHwAAi3QA /AwDEBPq2NFrl3FdN7gk/xWjGy8Oqd7zgmZei22HkccoAP9xqt6Wk+v44zn61Dcd MXc5NYaZBcAcQNIsYo6CgGwjAc4zBGYrUUoWCSsGAQQB2kcPAQEHQMxL5Lf28iMS NZyNu9kIWalTtRVcnUohyIy4i8KRtT7ewsC/BBgWCgExBYJmK1FKCRDV2LoWyAWo H0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcWkH3FxecX afa5wHXDRwGMStIsDRvR3DB1lkSkdnNqhQKbAr6gBBkWCgBvBYJmK1FKCRCM5P5r 0BKC3kcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmd2QAur F8c4wnx0g3LZ9HelAuYMTO3giXGC6Gnz+venfRYhBGLS2X8A35bS3+2F+Yzk/mvQ EoLeAAA0ZAD/bBk9lA0m8cz6525UqP3AwWfDFjCaL8IxWnwVeDJ2AuQBAPoh87u0 YBoYXJRGVdI5/PNspoAm9JQhb2zACyeamicAFiEEaS41nvsL4RU3P2zq1di6FsgF qB8AAFbOAP9yf9XQJT/14/n6Nfwa8mXlWPJTevxN8sRQ1n3fedoJmwEA7TMrjTbP pBiHV3YpgFe6hgB+/ldbK3tFrHyvLDf1vgjOOARmK1FKEgorBgEEAZdVAQUBAQdA Hg2H8RYYi6/HEjLud/qWg4GDl32E95OfbtFITo20/lgDAQgHwsAABBgWCgByBYJm K1FKCRDV2LoWyAWoH0cUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBn cC5vcmfMjVUop/SymAV5wpLW1bQ+W33z5B0VT3svcF6lkQqk3AKbDBYhBGkuNZ77 C+EVNz9s6tXYuhbIBagfAAACSAD8Drsgm/MKy/Ne+Uu21/N1hO//5GEg0Xi+FuJL P8aaTKoBAJYFbqtDHRuAh4iQDPblKG446MO715FYtcliijuXs0gDxjMEY+UatRYJ KwYBBAHaRw8BAQdAQIdC7Mtji2y/IXhu8JCxu1G0qqYTgr49Bdj8snAIEM/CwAsE HxYKAH0FgmPlGrUDCwkHCRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0QG5vdGF0aW9u cy5zZXF1b2lhLXBncC5vcmfsPeksAfAPVhH/VIOm+qqKQhb+Ol6YrSvzNaz+X/cN 1QMVCggCmwECHgEWIQSZlNv5006I4qIdDOjnnJOVoQBLsAAA9XoBAOFJ/Hme37cw nKjsHnZy6TKog6eioJgZaj7i3zbyL1doAQDHaNZWOx7K7H291qdBiWst2AewDHQH i0miAwVJHpdHCM0RPGJvYkBleGFtcGxlLm9yZz7CwA4EExYKAIAFgmPlGrUDCwkH CRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5v cmdt8X/Zc0B2OTVni02l/x+NzKaDL5ip2Oc3THfZ4dj+TQMVCggCmQECmwECHgEW IQSZlNv5006I4qIdDOjnnJOVoQBLsAAAjzEBAJQ3TQFT10OMvCUErgjIX9QGM5fE BH77+8xr8cbufcccAPkBreCKk2Hd795vErFTqdR6XT9RZZz1zj+BOb65ARAUC84z BGPlGrUWCSsGAQQB2kcPAQEHQIKkccpl695oar8X+nTbafKYx0jcC69rGoDQBHxq 95xPwsAABBgWCgByBYJj5Rq1CRDnnJOVoQBLsEcUAAAAAAAeACBzYWx0QG5vdGF0 aW9ucy5zZXF1b2lhLXBncC5vcmeaLN8O3+fqOB7lMQVdoet5OQeN8vwjDLmdu9yU g05+2QKbIBYhBJmU2/nTTojioh0M6Oeck5WhAEuwAAAkpwEA3YZlkq1APpNX7oBI 6OWeqmdgkRwHTLNKLu9Ioed9FCIA/iKYZzvq/reL5i9/EOWsba73g2k+fwmjm5sl nRqT5yYAxjMEY+Ua5hYJKwYBBAHaRw8BAQdAXAh2K8fjAUO0OgzlDev4uNbX5BGK 3Esw4/0JXI1JyzrCwAsEHxYKAH0FgmPlGuYDCwkHCRCD90oOrCB0RkcUAAAAAAAe ACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmdpCcK2N3NS6bbM3msOUnmg C5tsiUHbYNCL27dEKjOTYgMVCggCmwECHgEWIQSoK8lEIgvV6+zE1CiD90oOrCB0 RgAANwcBAL6ly3p6GsCmV2ua4Vei4IeGA0lj+SW7FvVKbzqds4wGAP9YHXPbPIKW j+KH8LhbaUgP38PKIRLRDHEfJO2dUqQFCM0TPGRhdmlkQGV4YW1wbGUub3JnPsLA DgQTFgoAgAWCY+Ua5gMLCQcJEIP3Sg6sIHRGRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZymJ5J5A1ulYbJTcwAEqwBCxh6tquUiK88Z5kR5a JqK1AxUKCAKZAQKbAQIeARYhBKgryUQiC9Xr7MTUKIP3Sg6sIHRGAAB/IQEAk8ck jt+CrAps1E3FCRf0yIHdxEXcT89Q/MbmPmz04+4BAKU9rgMxJT56rpHZ4qGpGe9V e7TGGOr1flhIJk0i2CQPzjMEY+Ua5hYJKwYBBAHaRw8BAQdARxbH/ddi+oJXaBly RWa6zC52yr1IksIbGo4Lf1BSkaXCwAAEGBYKAHIFgmPlGuYJEIP3Sg6sIHRGRxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ14mX5h/SXeBjNRz 9NMX007+jGDpSBHTYw76vMADNRg5ApsgFiEEqCvJRCIL1evsxNQog/dKDqwgdEYA ADvGAP9WWy8XFssHtybrGtapVzDpYOOQaWCsEsMA1zi9pbhvEgD8Cuvcqi8vUnGL ABC+DoZgy+8jNVIpY+nao+cH+SdnNg/OMwRj5RrWFgkrBgEEAdpHDwEBB0CDtKXv Y/97vOd7cBoBtQlSt4PUsrQ3cP4veLphBMTG3MYzBGP/LiMWCSsGAQQB2kcPAQEH QAPWluAdcU0ZKe4gWIxhYLr0uEEgbQxAms+SAt1u0ourwsALBB8WCgB9BYJj/y4j AwsJBwkQpnpzMSe76ARHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3JnT2AEIVBD/dTtVZx9x6CpjW8sXUI92/aAtgf1LCKeMgEDFQoIApsBAh4B FiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAAP7RAPwK5BnpjJQb6Ib/34pg5pYNs5Lf zcOaDNqJI1iR6YY4uAD/eI/bkjCNxgBKDi2sSJLrObxvdFHe/6lS6Vo/vcnIVwjN DzxyZWdpc0BwdXAuY29tPsLACwQTFgoAfQWCY/8uIwMLCQcJEKZ6czEnu+gERxQA AAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZxrI196neOHjCWJt pm5fDMGD5MRFzSNfWAjCoNrL3sraAxUKCAKbAQIeARYhBNWOBHwF0RXqTz0amKZ6 czEnu+gEAABLTwEAv2odmPvWRAEm1yYvqlP/qL3Q5WZS3unmxIV0gviG0AcBAPcp bO8IDnaPx3djm7gWeMlbGJd5llosmhxIgVFmo3QLzSJIYWxmbGluZyA8ZW5jcnlw dGlvbkBoYWxmbGluZy5vcmc+wsALBBMWCgB9BYJj/y4jAwsJBwkQpnpzMSe76ARH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnEopfmcPiJ7b4 qrCW3mcQ4b7UGDaZws/WRb0TdtUxcXQDFQoIApsBAh4BFiEE1Y4EfAXRFepPPRqY pnpzMSe76AQAAIdBAP9AcisA8YR/v779TOUWzqIN1yFcGRzXLzAIHj98XPHL/AEA o/DbjVgOvSKpiC+sAN35NrAPPr7Gj3or+Veut6dBVgzNH0hhbGZsaW5nIDxzaWdu aW5nQGhhbGZsaW5nLm9yZz7CwA4EExYKAIAFgmP/LiMDCwkHCRCmenMxJ7voBEcU AAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmefWyvuawQMSACu nre9VWwnwXCShhv05eNmAIx4hDt6CAMVCggCmQECmwECHgEWIQTVjgR8BdEV6k89 GpimenMxJ7voBAAAUWIA/jFrXrOw4h6iOJovCvGD9zoJfyZWhCEtt7x/+6amswwg AP0fYkSVoKfBFYKaBjTYRKF3THLsNBeF5YiRQFqG4MknCM4zBGP/LiMWCSsGAQQB 2kcPAQEHQEKgATvrVSfdcu3z8dRVmSYNvRY4WiI4VqDnXdVfPw6zwsAABBgWCgBy BYJj/y4jCRCmenMxJ7voBEcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lh LXBncC5vcmf9Zi+LJShZF85Q891p2IEzeanqA2l43XJl5/Rb/qRaIgKbIBYhBNWO BHwF0RXqTz0amKZ6czEnu+gEAAAgeQEA7Q8yHq28RY3PAcSTDua7ggtz3G9DFcsE 6fUQNWu47vYBAI+IYKsqLqQM6HKyNhQOAAxQy9mKeL+hrmAeQPam+e0MzjMEY/8u IxYJKwYBBAHaRw8BAQdAvAp2sWprnGrDBZZz9dw4nWUdZxp8J66kFBgb1wrOHkzC wL8EGBYKATEFgmP/LiMJEKZ6czEnu+gERxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ83wrBu6p9t+HDGReAhbHODjY69wCZR8nUWC/EMtWyLN ApsCvqAEGRYKAG8FgmP/LiMJEP9cZYLk0UtoRxQAAAAAAB4AIHNhbHRAbm90YXRp b25zLnNlcXVvaWEtcGdwLm9yZ0KB/wq5QIZxUm6K1jaB0/U2L7kYgTRA0BGMZzXw FlHpFiEEnc2iqVoXtyjWpRFe/1xlguTRS2gAAEGwAQCVsb9Mrg9DqDYHQ9ciQYxn T/lWzZAaabh/JJhc7CkLtgD+Pc/oYQRwo+n8PSHBWVD6DB9vUp/GUCfLoj1Cu9fH 5ggWIQTVjgR8BdEV6k89GpimenMxJ7voBAAAhXABAPf1Qu7LkicorCeuKnga8hpv bF9ijpvBdwUJQ9XJO4diAP4t99AefI2ifCToWqC6iHzceTmjcdwjZaZF2pD6Bvka C844BGP/LiMSCisGAQQBl1UBBQEBB0AlbzTZy9RVFOkwjMlDxXtY1IrpUE/82rvy leCj6HxWJwMBCAfCwAAEGBYKAHIFgmP/LiMJEKZ6czEnu+gERxQAAAAAAB4AIHNh bHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ2GWojIZyQprOoE2p3Js/iXmXi1d nGd0td4ANZzkDHJCApsMFiEE1Y4EfAXRFepPPRqYpnpzMSe76AQAACbAAPwJyUgm EQpaJLVjT73zlLMysuPkewmfyACIgp4gpP4SBgD/bn+piSKZ2/2yHH7g5lJuWloA FVBPhabzSI2Pfpo6DQHGMwRj5RrWFgkrBgEEAdpHDwEBB0BjrnG6l6errNqukvz4 g/gRPxIwc1za4HmXJGRKQ/2js8LACwQfFgoAfQWCY+Ua1gMLCQcJEONi1Fx/97ZU RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNlcXVvaWEtcGdwLm9yZ7cbCchurWWr l6KruMA630+Owrk0hIXGRlOdG2rU98m1AxUKCAKbAQIeARYhBOnG78DjnOb531J0 5+Ni1Fx/97ZUAADxJQD+NXk8Msjn3LLh06xW49x4lh9CpVTjb4VB0DCcCmMMxs4A +wRzM6C9f51Scmi71Hv0RJO2wRJaFsljGx2Afgqk/mcOzRA8Y2Fyb2xAY2x1Yi5v cmc+wsAOBBMWCgCABYJj5RrWAwsJBwkQ42LUXH/3tlRHFAAAAAAAHgAgc2FsdEBu b3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnATJaO+oi4VQ4Cydu+4xLp+Vti2kAFFfK E0rSMVUNtkADFQoIApkBApsBAh4BFiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAADg1 AQDlV95UesgbANeyKPfcKgRMa04ZwWT/roWKZaSuuBPicAEA04ndT1OeBqPCrTdt 09/bnJfferd1bCDEVRRanaoQvwnNETxjYXJvbEB2ZXJlaW4uZGU+wsALBBMWCgB9 BYJj5RrWAwsJBwkQ42LUXH/3tlRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2Vx dW9pYS1wZ3Aub3Jnz3+hJrRU66nKgAkpxmYdP4X7zWrvV7Vg8DACwOduBMQDFQoI ApsBAh4BFiEE6cbvwOOc5vnfUnTn42LUXH/3tlQAAFF8AQCvxIFsnJQcyj83wbX8 KYUbS8wBIhw7Cl8zci7K3nqLWwEA8XODqjyBtDe9QCAXWkAv5fD0Q+lqZMlFjxzo XFPTjQDOMwRj5RrWFgkrBgEEAdpHDwEBB0CDtKXvY/97vOd7cBoBtQlSt4PUsrQ3 cP4veLphBMTG3MLAAAQYFgoAcgWCY+Ua1gkQ42LUXH/3tlRHFAAAAAAAHgAgc2Fs dEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnlKNI5wDCnCTpjVDFKO5eSYqxhk0f CNg8Jk2dqnvukt8CmyAWIQTpxu/A45zm+d9SdOfjYtRcf/e2VAAA1QUA/2EUWkTs VcQsFOs2jqnH5TYYk8dS8ytGEGT4CDnh3h7VAQDXfTW3rRDIMA0aKgKzAtabfE1T Ifmq++9ok2NVY6VmCMYzBGPqKrIWCSsGAQQB2kcPAQEHQE90WjKPjJtJM4+ZEIaj UFsB87MbFxQtdGVgX7XSACljwsALBB8WCgB9BYJj6iqyAwsJBwkQuJSR8H0I5PhH FAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnTonT+wh1nQ6+ SGZM/3caxq3V5hflG/hX3IrX/Q/NR3YDFQoIApsBAh4BFiEE9mddDk2kCCNxXEgR uJSR8H0I5PgAAJ4xAP9y4me1jRRfxrnW3jnV+jB7n6m3xxpn/Y0Tmh/EhZsrGwEA vrMBIyXycmSLB1giDnmeLi8U+z3cx5+xkRJGHi/cvAnNHUhhbnMgPGhhbnNAeG4t LWJjaGVyLWt2YS50bGQ+wsAOBBMWCgCABYJj6iqyAwsJBwkQuJSR8H0I5PhHFAAA AAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jn6ABJrqKC61PG6Pam tZM1YuRmoxFWwuBcEadTWjH6VYYDFQoIApkBApsBAh4BFiEE9mddDk2kCCNxXEgR uJSR8H0I5PgAANV2AP47sc59UcqS0woip3aqR9rhgQ0PlGR1dlKCved1ScfU4AD7 BOlXuMdm9rkPHsMWUVv2zBWHsfOzU9TrVt6OsaTrpAjOMwRj6iqyFgkrBgEEAdpH DwEBB0AZMvj3dmsZZS+1bL+WX6HDv+gN8i+QyhyBjB0s8wUjk8LAvwQYFgoBMQWC Y+oqsgkQuJSR8H0I5PhHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1w Z3Aub3JnK5cPTEJvyWJWtTLsXpY4Ek7F8QQtljrKwjW2lQtNvdgCmwK+oAQZFgoA bwWCY+oqsgkQ2x9fEcF8stRHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9p YS1wZ3Aub3JnD1Q+KLEGBQ7/SADBbjX9/mqglPA1JHG1Dc3aBnD888wWIQQ/YOoK 68E+KQk5oIDbH18RwXyy1AAAu2gA/0319zR36arn3N+WB0xBKWMAtiq6DTE4QJ7X lnTUUe48AQDLZUxoGK/XjQCRP4ChSAWNPlQZu21sAZHk9pPPR/1lABYhBPZnXQ5N pAgjcVxIEbiUkfB9COT4AAA4HQEA4To3UFaHrdHRujMKifHvTxdqF7/rjfiDXKlM osqs+JoA/2orygrfwUqmhKMva0tHMOGpS8GxFg+9hnTvS1Wwo+oL =YwIU -----END PGP PUBLIC KEY BLOCK----- sequoia-cert-store-0.6.0/tests/keyring.rs000064400000000000000000000153611046102023000165500ustar 00000000000000#[allow(non_upper_case_globals, dead_code)] mod keyring { use std::path::Path; use anyhow::Result; use sequoia_openpgp as openpgp; use openpgp::parse::Parse; pub struct Cert { pub filename: &'static str, pub base: &'static str, pub fingerprint: &'static str, pub subkeys: &'static [&'static str], pub userids: &'static [&'static str], } impl Cert { pub fn bytes(&self) -> Vec { let filename = Path::new(env!("CARGO_MANIFEST_DIR")) .join("tests") .join(self.filename); std::fs::read(filename).expect("exists") } pub fn to_cert(&self) -> Result { openpgp::Cert::from_bytes(&self.bytes()) } } pub const certs: &[Cert] = &[ // alice Cert { filename: "data/alice.pgp", base: "alice", fingerprint: "30505BCEB7403A1BBFA9DBF0BFBE63567B4BA57A", subkeys: &[ "662F03FC47C05D070B53A93AD5A5048A71CD012A", "A6D92948A7ADEB809F04202F1CF1943DFE153D1E", "5989D7BE9908AE24799DF6CFBE678043781349F1", ], userids: &[ "", "", ], }, // alice2 Cert { filename: "data/alice2.pgp", base: "alice2", fingerprint: "23CFE49D4BB7A0AA83619C147E716FFE77DF170A", subkeys: &[ ], userids: &[ "", "", ], }, // alice2_adopted_alice Cert { filename: "data/alice2-adopted-alice.pgp", base: "alice2_adopted_alice", fingerprint: "23CFE49D4BB7A0AA83619C147E716FFE77DF170A", subkeys: &[ "662F03FC47C05D070B53A93AD5A5048A71CD012A", "5989D7BE9908AE24799DF6CFBE678043781349F1", ], userids: &[ "", "", ], }, // bob Cert { filename: "data/bob.pgp", base: "bob", fingerprint: "9994DBF9D34E88E2A21D0CE8E79C9395A1004BB0", subkeys: &[ "7E01441CBF6FAB5C4AB457E2FBD6F5322354B331", ], userids: &[ "", ], }, // carol Cert { filename: "data/carol.pgp", base: "carol", fingerprint: "E9C6EFC0E39CE6F9DF5274E7E362D45C7FF7B654", subkeys: &[ "CD22D4BD99FF10FDA11A83D4213DCB92C95346CE", ], userids: &[ "", "", ], }, // david Cert { filename: "data/david.pgp", base: "david", fingerprint: "A82BC944220BD5EBECC4D42883F74A0EAC207446", subkeys: &[ "DF674FBAC52E00F0E6E48436481D2E18158FB594", "CD22D4BD99FF10FDA11A83D4213DCB92C95346CE", ], userids: &[ "", ], }, // ed Cert { filename: "data/ed.pgp", base: "ed", fingerprint: "0C346B2B6241263F64E9C7CF1EA300797258A74E", subkeys: &[ "0C346B2B6241263F64E9C7CF1EA300797258A74E", ], userids: &[ "", ], }, // halfling_signing Cert { filename: "data/halfling-signing.pgp", base: "halfling_signing", fingerprint: "D58E047C05D115EA4F3D1A98A67A733127BBE804", subkeys: &[ "69669E91C8D5C546D442FB246FE6D4751AC09E15", "9DCDA2A95A17B728D6A5115EFF5C6582E4D14B68", ], userids: &[ "", "Halfling ", ], }, // halfling_encryption Cert { filename: "data/halfling-encryption.pgp", base: "halfling_encryption", fingerprint: "D58E047C05D115EA4F3D1A98A67A733127BBE804", subkeys: &[ "69669E91C8D5C546D442FB246FE6D4751AC09E15", "CC4EFA3BFAB8E92A54CDEA3F3DC7543293DD4E53", ], userids: &[ "", "Halfling ", ], }, // hans_puny_code Cert { filename: "data/hans-puny-code.pgp", base: "hans_puny_code", fingerprint: "F6675D0E4DA40823715C4811B89491F07D08E4F8", subkeys: &[ "3F60EA0AEBC13E290939A080DB1F5F11C17CB2D4", ], userids: &[ "Hans ", ], }, // una Cert { filename: "data/una.pgp", base: "una", fingerprint: "119B01460659D8EF3732BEC271424ADE3EC61BBC", subkeys: &[ "EE58C32E3D2336F223BD89CED0BE447BF39B439F", ], userids: &[ "Una ", ], }, // peter Cert { filename: "data/peter.pgp", base: "peter", fingerprint: "692E359EFB0BE115373F6CEAD5D8BA16C805A81F", subkeys: &[ "69D325E20DA4D404279A6534A6DE34867DE8927E", "62D2D97F00DF96D2DFED85F98CE4FE6BD01282DE", "DBEF1760AA2631194301E60F485BDDEF4BD2AD9A", ], userids: &[ "Dad ", "Peter ", ], }, // steve Cert { filename: "data/steve.pgp", base: "steve", fingerprint: "217E256E176719A5452EDFF935AADEC66B56585B", subkeys: &[ "32C5820540308752B7092EE5B596B656FD8F700B", ], userids: &[ "Steve ", ], }, ]; pub const alice: &Cert = &certs[0]; pub const alice2: &Cert = &certs[1]; pub const alice2_adopted_alice: &Cert = &certs[2]; pub const bob: &Cert = &certs[3]; pub const carol: &Cert = &certs[4]; pub const david: &Cert = &certs[5]; pub const ed: &Cert = &certs[6]; pub const halfling_signing: &Cert = &certs[7]; pub const halfling_encryption: &Cert = &certs[8]; pub const hans_puny_code: &Cert = &certs[9]; pub const una: &Cert = &certs[10]; pub const peter: &Cert = &certs[11]; pub const steve: &Cert = &certs[12]; } // mod keyring sequoia-cert-store-0.6.0/tests/pep/keys.db000064400000000000000000005400001046102023000165710ustar 00000000000000SQLite format 3@ ,.O|   - # } 'Eindexuserids_indexuserids CREATE INDEX userids_index ON userids (userid COLLATE EMAIL, primary_key)g%tableuseridsuseridsCREATE TABLE userids ( userid TEXT NOT NULL COLLATE EMAIL, primary_key TEXT NOT NULL, UNIQUE(userid, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE )-Aindexsqlite_autoindex_userids_1userids o')indexsubkeys_indexsubkeysCREATE INDEX subkeys_index ON subkeys (subkey, primary_key)S}tablesubkeyssubkeysCREATE TABLE subkeys ( subkey TEXT NOT NULL, primary_key TEXT NOT NULL, UNIQUE(subkey, primary_key), FOREIGN KEY (primary_key) REFERENCES keys(primary_key) ON DELETE CASCADE )-Aindexsqlite_autoindex_subkeys_1subkeysc!indexkeys_indexkeysCREATE INDEX keys_index ON keys (primary_key, secret)5MtablekeyskeysCREATE TABLE keys ( primary_key TEXT UNIQUE PRIMARY KEY, secret BOOLEAN, tpk BLOB )';indexsqlite_autoindex_keys_1keys,*$)##"       %   ?M P   1 ^ 4 } l  o B # a z ,]AAB978A882B9A6E793960B071ADFC82AC3586C14%,]10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F$,]507212E4796EFBF4FF8E4B1BF411A72A5C89092C#,]08C6A9408241E6ED99A0A2767A6B35253722954D",]6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!,]E4C1FB98268170769154C21BBD1637EEB34E933B ,]2533E4E13EC84A784DE6F2962C3E64162620C978,]7A757276DFF48471EA032D2B98611755153523E6,]4925E278E468D55BA68B3AC49E1F03BA787E31EA,]B5AAD4575B2988D99E3FB3EE973EE71028459E9A,]D27B4F82C717A04DFF3A986489929D075908994E,]CDAE31CA330249BC5284C1F96033761A09D517DF,]9BC60CF498E584E5620014340C099ECDA62431FE,]CB4287D637F9BC0CB38F978AEB64F54F552F0AB7,]A2439F4C712EA9FA6B65BC17DECD473509E96847,]E1C12525BFAF4F092D109F2152B7186506DCC483,]2349DF0D7DBD60C6C20453350553D1E9E9AE5C54,]8A0293871D97E954B8397DFD072889CB0E82D77B,]F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3,]7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76,]EB4750A0B0A0F558ED5F768F8B893A26133B3F66,]5C55764028BE2DD718F9DAAAD8D14CE515A32801,]68A4E57878501CF89B9844039B3560C27904221F,]912E63F55388D9886151101CDA4FE8ECD8365D6E,]8049F106768CD5D6374645F3B0C0ABEFB3892D73 ,]FBD19974E304C95589F976BD71059020F2CC257C ,]C11BCCBB3F843593B8975AFB958E85734EF0ADE0 ,]1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 ,]9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 ,]A20EF4E353FF61FF6B8B401AC48BF850A5E9C611,]2F8EB6F51987B06706ED6E45064ABE0B9108844E,]04880CB55875B6548C25C729A00E4CD660454746,]43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3,]22A589136F68CC46076FFA6071B2EDA40DC29CC7,]F29B751A3123A1502E5C0665745FB6564FC5F7DC,]4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B+] B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 % [ 5I ; o  ! O  i } c [  U ' A w -]AAB978A882B9A6E793960B071ADFC82AC3586C14%-]10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F$-]507212E4796EFBF4FF8E4B1BF411A72A5C89092C#-]08C6A9408241E6ED99A0A2767A6B35253722954D"-]6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!-]E4C1FB98268170769154C21BBD1637EEB34E933B -]2533E4E13EC84A784DE6F2962C3E64162620C978-]7A757276DFF48471EA032D2B98611755153523E6-]4925E278E468D55BA68B3AC49E1F03BA787E31EA-]B5AAD4575B2988D99E3FB3EE973EE71028459E9A-]D27B4F82C717A04DFF3A986489929D075908994E-]CDAE31CA330249BC5284C1F96033761A09D517DF-]9BC60CF498E584E5620014340C099ECDA62431FE-]CB4287D637F9BC0CB38F978AEB64F54F552F0AB7-]A2439F4C712EA9FA6B65BC17DECD473509E96847-]E1C12525BFAF4F092D109F2152B7186506DCC483-]2349DF0D7DBD60C6C20453350553D1E9E9AE5C54-]8A0293871D97E954B8397DFD072889CB0E82D77B-]F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3-]7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76-] EB4750A0B0A0F558ED5F768F8B893A26133B3F66-]5C55764028BE2DD718F9DAAAD8D14CE515A32801-]68A4E57878501CF89B9844039B3560C27904221F-]912E63F55388D9886151101CDA4FE8ECD8365D6E-]8049F106768CD5D6374645F3B0C0ABEFB3892D73 -]FBD19974E304C95589F976BD71059020F2CC257C -]C11BCCBB3F843593B8975AFB958E85734EF0ADE0 -]1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 -]9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 -]A20EF4E353FF61FF6B8B401AC48BF850A5E9C611-]2F8EB6F51987B06706ED6E45064ABE0B9108844E-]04880CB55875B6548C25C729A00E4CD660454746-]43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3-]22A589136F68CC46076FFA6071B2EDA40DC29CC7-]F29B751A3123A1502E5C0665745FB6564FC5F7DC-]4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B,] B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79$@|"|=-]BD1637EEB34E933BE4C1FB98268170769154C21BBD1637EEB34E933B}=-]6033761A09D517DFCDAE31CA330249BC5284C1F96033761A09D517DFe|!|=-]BD1637EEB34E933BE4C1FB98268170769154C21BBD1637EEB34E933B}=-]6033761A09D517DFCDAE31CA330249BC5284C1F96033761A09D517DFe 3av0[ B s / ]  @ i "O }5j$d+^f(aE3A]volker.birk@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C14F2C]volker.birk@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C1461#]vb@pibit.chAAB978A882B9A6E793960B071ADFC82AC3586C14<0/]vb@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C14=/1]vb@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C149.)]vb@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14=-1]dingens@bumens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14=,1]bumens@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14@+7]pep3@ageinghacker.net10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F@*7]pep2@ageinghacker.net507212E4796EFBF4FF8E4B1BF411A72A5C89092CG)E]luca-mobile@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D7(%]luca@saiu.ch08C6A9408241E6ED99A0A2767A6B35253722954D?'5]saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D;&-]positron@gnu.org08C6A9408241E6ED99A0A2767A6B35253722954D@%7]luca@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954DD$?]luca.saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D?#5]iut@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954DB";]positron@pep.foundation08C6A9408241E6ED99A0A2767A6B35253722954DD!?]ziggy@fake.pep.foundation6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07F C]zenobia@fake.pep.foundationE4C1FB98268170769154C21BBD1637EEB34E933BFC]zachary@fake.pep.foundation2533E4E13EC84A784DE6F2962C3E64162620C978C=]yves@fake.pep.foundation7A757276DFF48471EA032D2B98611755153523E6C=]yoko@fake.pep.foundation4925E278E468D55BA68B3AC49E1F03BA787E31EAD?]xenia@fake.pep.foundationB5AAD4575B2988D99E3FB3EE973EE71028459E9AEA]xavier@fake.pep.foundationD27B4F82C717A04DFF3A986489929D075908994ED?]wyatt@fake.pep.foundationCDAE31CA330249BC5284C1F96033761A09D517DFEA]victor@fake.pep.foundation9BC60CF498E584E5620014340C099ECDA62431FEFC]valeria@fake.pep.foundationCB4287D637F9BC0CB38F978AEB64F54F552F0AB7FC]ulysses@fake.pep.foundationA2439F4C712EA9FA6B65BC17DECD473509E96847EA]tamara@fake.pep.foundationE1C12525BFAF4F092D109F2152B7186506DCC483FC]sabrina@fake.pep.foundation2349DF0D7DBD60C6C20453350553D1E9E9AE5C54D?]randy@fake.pep.foundation8A0293871D97E954B8397DFD072889CB0E82D77BHG]quasimodo@fake.pep.foundationF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3C=]paul@fake.pep.foundation7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76C=]owen@fake.pep.foundationEB4750A0B0A0F558ED5F768F8B893A26133B3F66FC]ophelia@fake.pep.foundation5C55764028BE2DD718F9DAAAD8D14CE515A32801C=]nkls@fake.pep.foundation68A4E57878501CF89B9844039B3560C27904221FB;]ned@fake.pep.foundation912E63F55388D9886151101CDA4FE8ECD8365D6EC =]mary@fake.pep.foundation8049F106768CD5D6374645F3B0C0ABEFB3892D73D ?]louis@fake.pep.foundationFBD19974E304C95589F976BD71059020F2CC257CB ;]ken@fake.pep.foundationC11BCCBB3F843593B8975AFB958E85734EF0ADE0C =]john@fake.pep.foundation1CF1202EC58B5514EADC477AAA9CAC9C7B935A45D ?]irene@fake.pep.foundation9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1D?]henry@fake.pep.foundationA20EF4E353FF61FF6B8B401AC48BF850A5E9C611FC]gilbert@fake.pep.foundation2F8EB6F51987B06706ED6E45064ABE0B9108844EFC]francis@fake.pep.foundation04880CB55875B6548C25C729A00E4CD660454746EA]ernest@fake.pep.foundation43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3D?]david@fake.pep.foundation22A589136F68CC46076FFA6071B2EDA40DC29CC7D?]carol@fake.pep.foundationF29B751A3123A1502E5C0665745FB6564FC5F7DCB;]bob@fake.pep.foundation4FDC731D26FAB6E8EAE6993C637DE61020C5DD1BD?]alice@fake.pep.foundationB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 3/u.V H 9  g " M w4 u ,> Rx8 w/{4_GA]volker.birk@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C143HC]volker.birk@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C1428#]vb@pibit.chAAB978A882B9A6E793960B071ADFC82AC3586C141>/]vb@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C140?1]vb@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C14/;)]vb@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14.?1]dingens@bumens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14-?1]bumens@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14,B7]pep3@ageinghacker.net10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F+B7]pep2@ageinghacker.net507212E4796EFBF4FF8E4B1BF411A72A5C89092C*IE]luca-mobile@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D)9%]luca@saiu.ch08C6A9408241E6ED99A0A2767A6B35253722954D(A5]saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D'=-]positron@gnu.org08C6A9408241E6ED99A0A2767A6B35253722954D&B7]luca@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D%F?]luca.saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D$A5]iut@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D#D;]positron@pep.foundation08C6A9408241E6ED99A0A2767A6B35253722954D"F?]ziggy@fake.pep.foundation6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!HC]zenobia@fake.pep.foundationE4C1FB98268170769154C21BBD1637EEB34E933B HC]zachary@fake.pep.foundation2533E4E13EC84A784DE6F2962C3E64162620C978E=]yves@fake.pep.foundation7A757276DFF48471EA032D2B98611755153523E6E=]yoko@fake.pep.foundation4925E278E468D55BA68B3AC49E1F03BA787E31EAF?]xenia@fake.pep.foundationB5AAD4575B2988D99E3FB3EE973EE71028459E9AGA]xavier@fake.pep.foundationD27B4F82C717A04DFF3A986489929D075908994EF?]wyatt@fake.pep.foundationCDAE31CA330249BC5284C1F96033761A09D517DFGA]victor@fake.pep.foundation9BC60CF498E584E5620014340C099ECDA62431FEHC]valeria@fake.pep.foundationCB4287D637F9BC0CB38F978AEB64F54F552F0AB7HC]ulysses@fake.pep.foundationA2439F4C712EA9FA6B65BC17DECD473509E96847GA]tamara@fake.pep.foundationE1C12525BFAF4F092D109F2152B7186506DCC483HC]sabrina@fake.pep.foundation2349DF0D7DBD60C6C20453350553D1E9E9AE5C54F?]randy@fake.pep.foundation8A0293871D97E954B8397DFD072889CB0E82D77BJG]quasimodo@fake.pep.foundationF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3E=]paul@fake.pep.foundation7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=]owen@fake.pep.foundationEB4750A0B0A0F558ED5F768F8B893A26133B3F66HC]ophelia@fake.pep.foundation5C55764028BE2DD718F9DAAAD8D14CE515A32801E=]nkls@fake.pep.foundation68A4E57878501CF89B9844039B3560C27904221FD;]ned@fake.pep.foundation912E63F55388D9886151101CDA4FE8ECD8365D6EE=]mary@fake.pep.foundation8049F106768CD5D6374645F3B0C0ABEFB3892D73 F?]louis@fake.pep.foundationFBD19974E304C95589F976BD71059020F2CC257C D;]ken@fake.pep.foundationC11BCCBB3F843593B8975AFB958E85734EF0ADE0 E=]john@fake.pep.foundation1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 F?]irene@fake.pep.foundation9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 F?]henry@fake.pep.foundationA20EF4E353FF61FF6B8B401AC48BF850A5E9C611HC]gilbert@fake.pep.foundation2F8EB6F51987B06706ED6E45064ABE0B9108844EHC]francis@fake.pep.foundation04880CB55875B6548C25C729A00E4CD660454746GA]ernest@fake.pep.foundation43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3F?]david@fake.pep.foundation22A589136F68CC46076FFA6071B2EDA40DC29CC7F?]carol@fake.pep.foundationF29B751A3123A1502E5C0665745FB6564FC5F7DCD;]bob@fake.pep.foundation4FDC731D26FAB6E8EAE6993C637DE61020C5DD1BE?] alice@fake.pep.foundationB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 3/u.V H 9  g " M w4 u ,> Rx8 w/{4_GA]volker.birk@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C143HC]volker.birk@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C1428#]vb@pibit.chAAB978A882B9A6E793960B071ADFC82AC3586C141>/]vb@pep.foundationAAB978A882B9A6E793960B071ADFC82AC3586C140?1]vb@pep-project.orgAAB978A882B9A6E793960B071ADFC82AC3586C14/;)]vb@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14.?1]dingens@bumens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14-?1]bumens@dingens.orgAAB978A882B9A6E793960B071ADFC82AC3586C14,B7]pep3@ageinghacker.net10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F+B7]pep2@ageinghacker.net507212E4796EFBF4FF8E4B1BF411A72A5C89092C*IE]luca-mobile@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D)9%]luca@saiu.ch08C6A9408241E6ED99A0A2767A6B35253722954D(A5]saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D'=-]positron@gnu.org08C6A9408241E6ED99A0A2767A6B35253722954D&B7]luca@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D%F?]luca.saiu@univ-paris13.fr08C6A9408241E6ED99A0A2767A6B35253722954D$A5]iut@ageinghacker.net08C6A9408241E6ED99A0A2767A6B35253722954D#D;]positron@pep.foundation08C6A9408241E6ED99A0A2767A6B35253722954D"F?]ziggy@fake.pep.foundation6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07!HC]zenobia@fake.pep.foundationE4C1FB98268170769154C21BBD1637EEB34E933B HC]zachary@fake.pep.foundation2533E4E13EC84A784DE6F2962C3E64162620C978E=]yves@fake.pep.foundation7A757276DFF48471EA032D2B98611755153523E6E=]yoko@fake.pep.foundation4925E278E468D55BA68B3AC49E1F03BA787E31EAF?]xenia@fake.pep.foundationB5AAD4575B2988D99E3FB3EE973EE71028459E9AGA]xavier@fake.pep.foundationD27B4F82C717A04DFF3A986489929D075908994EF?]wyatt@fake.pep.foundationCDAE31CA330249BC5284C1F96033761A09D517DFGA]victor@fake.pep.foundation9BC60CF498E584E5620014340C099ECDA62431FEHC]valeria@fake.pep.foundationCB4287D637F9BC0CB38F978AEB64F54F552F0AB7HC]ulysses@fake.pep.foundationA2439F4C712EA9FA6B65BC17DECD473509E96847GA]tamara@fake.pep.foundationE1C12525BFAF4F092D109F2152B7186506DCC483HC]sabrina@fake.pep.foundation2349DF0D7DBD60C6C20453350553D1E9E9AE5C54F?]randy@fake.pep.foundation8A0293871D97E954B8397DFD072889CB0E82D77BJG]quasimodo@fake.pep.foundationF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3E=]paul@fake.pep.foundation7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=]owen@fake.pep.foundationEB4750A0B0A0F558ED5F768F8B893A26133B3F66HC]ophelia@fake.pep.foundation5C55764028BE2DD718F9DAAAD8D14CE515A32801E=]nkls@fake.pep.foundation68A4E57878501CF89B9844039B3560C27904221FD;]ned@fake.pep.foundation912E63F55388D9886151101CDA4FE8ECD8365D6EE=]mary@fake.pep.foundation8049F106768CD5D6374645F3B0C0ABEFB3892D73 F?]louis@fake.pep.foundationFBD19974E304C95589F976BD71059020F2CC257C D;]ken@fake.pep.foundationC11BCCBB3F843593B8975AFB958E85734EF0ADE0 E=]john@fake.pep.foundation1CF1202EC58B5514EADC477AAA9CAC9C7B935A45 F?]irene@fake.pep.foundation9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1 F?]henry@fake.pep.foundationA20EF4E353FF61FF6B8B401AC48BF850A5E9C611HC]gilbert@fake.pep.foundation2F8EB6F51987B06706ED6E45064ABE0B9108844EHC]francis@fake.pep.foundation04880CB55875B6548C25C729A00E4CD660454746GA]ernest@fake.pep.foundation43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3F?]david@fake.pep.foundation22A589136F68CC46076FFA6071B2EDA40DC29CC7F?]carol@fake.pep.foundationF29B751A3123A1502E5C0665745FB6564FC5F7DCD;]bob@fake.pep.foundation4FDC731D26FAB6E8EAE6993C637DE61020C5DD1BE?] alice@fake.pep.foundationB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 l 5lF]>4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B3d- +G@ T8s*ng2wLˮTlAރ  }d-  c} G salt@notations.sequoia-pgp.orgD^n!-pPggw)# !Os&p-I5zuT /: g#?>SN !Os&@2y%u­T/*/=H]BB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D793d- +G@$Ji(;+ꞘCzj  }d-  ѫmyG salt@notations.sequoia-pgp.orgO J Y6^#ЅiP( !( 6Eޜ7ѫmyTiym?}NcX@L8 XAncQ#G ҴEXǸ&W(b alice@fake.pep.foundation d-  ѫmyG salt@notations.sequoia-pgp.orgRwpN'e[K'fjwPH !( 6Eޜ7ѫmy\ҹ;OI7   tIϹneoeKvKȽO&8d/u8t!+9 3d- +G@67_"6*kڬH?n| 1d- ѫmyG salt@notations.sequoia-pgp.org&KSGT0Œ r+4Xo< od- =Gx,8OG salt@notations.sequoia-pgp.orgmO{%}`.w+y!:s*y=Gx,8Oh?wyTk~mJm X"O8 3֐pvbycPdNOkc;X 8d- +U@/иxy8Uzq)a^]7a rd- ѫmyG salt@notations.sequoia-pgp.orguW dj/}dL)ֹ- !( 6Eޜ7ѫmy56sjhome<V=]ɱ@HSh:IZT@ j 5jH]B22A589136F68CC46076FFA6071B2EDA40DC29CC73d- +G@$m@=,ʻMCObwC  }d-  q œG salt@notations.sequoia-pgp.orgdٴqc0O+SjE4& !"ohFo`q œmnylYd)ygy<( }e@B3J_̿Eu :_͘[k.4HS!fdavid@fake.pep.foundation d-  q œG salt@notations.sequoia-pgp.org'9sZN"ho7csGt !"ohFo`q œT5zihN2 *.;xwl|jFi<ɍ (x"7։q13d- +G@sd0D٪Q,öT>k rd- q œG salt@notations.sequoia-pgp.org02w?0=ADZޤk !"ohFo`q œNgN _GzXsԖ#B>X &4Ww=\A$E#uGJTg3d- +G@廉! / {,}s̕'Q "L2Jd{ 1d- q œG salt@notations.sequoia-pgp.org8^VE ZÊ6n$,/(tBĩ od- GM·G%G salt@notations.sequoia-pgp.orgֳxS䊪24%1w^|ߌ!RT;p5F1GM·G% Kx,˶.DzH2UsLZD02x6_f }M'.J$ !"ohFo`q œH=Qm!oZAMq8BޢԈyi: sw⚭"MPNy$H]BF29B751A3123A1502E5C0665745FB6564FC5F7DC3d- +G@xލu{Ek6*vKt  }d-  t_VOG salt@notations.sequoia-pgp.org#O/`/͡NjH)_Bå !u1#P.\et_VO+pKEZ2to$ V?FR Eg${3O ݑd^pP1carol@fake.pep.foundation d-  t_VOG salt@notations.sequoia-pgp.orgy ABs ^86_:Mls !u1#P.\et_VO ~ :;=m>/J#i#nKmT2Q#wgaw3d- +G@jhQ~7Xrh gc#1FWj rd- t_VOG salt@notations.sequoia-pgp.org>W fi? ?ziA|G X !u1#P.\et_VO4k]fQɋ/nl@yoe*}AaL&H}8T$3d- +G@jK+!d*Va_ D+︿d 8tr 1d- t_VOG salt@notations.sequoia-pgp.orgjCzD05eqzS 4u\{_7 od- hfG salt@notations.sequoia-pgp.orgtQ[ o,Y~ zV!5eBmt hf /6!h#b_m(fd$D''="E Qcբ!u1#P.\et_VO%Pj{Wٞ8C$X+\B}1m:0gdt)#&ۏE>\\38d- +U@z][cq`e5RDi{Tm rd- t_VOG salt@notations.sequoia-pgp.orgװ:&PMlVt`WJҳ H_̣` !u1#P.\et_VO~TOLOQ-1A VP JLR}/QN\PGK$X i&g\a_̈́ g 4gJ]F04880CB55875B6548C25C729A00E4CD6604547463d- +G@Q< ;lR KQ7francis@fake.pep.foundation d-  L`EGFG salt@notations.sequoia-pgp.org:"W0떘Stb([.ڷ ! XuT%)L`EGFf`H# ķ&iVEqs?G^~Cvk)TLvE(džQe3d- +G@IAp]~G=_Ax;+o2 1d- L`EGFG salt@notations.sequoia-pgp.orgxccQ~8)FڍM+uR^ݪ od- gQG salt@notations.sequoia-pgp.orgf%^>ZW?x7aq!˼NQ"wgQH qv&策Ƥ:׊HT9'(HhǤaLTD92P ! XuT%)L`EGF_ۮ,mgO/qw> '~Kv/ł/?eګD[Zr ! XuT%)L`EGFa!7jyȑ,Q`0N)Afq7M&!,MAtXڗ7xyc I]D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F33d- +G@dh)` {8 ׅ=lÌƺl  }d-  IiEG salt@notations.sequoia-pgp.orghN$lܰ{? ûi Jv !C!}7/IiE_Հ/i>iz0-7@X]ۏ4& 8.RQ"E4ernest@fake.pep.foundation d-  IiEG salt@notations.sequoia-pgp.org!2A2/^H{5ߠ$Ye !C!}7/IiE]V^xwir\4ԍs}[3vV-U9[9.?FPx)s3d- +G@fTIAIs.;;Ɏ֥x 1d- IiEG salt@notations.sequoia-pgp.org]B[9Li jХf+ od- ({GG salt@notations.sequoia-pgp.orgLGVL$*M"cН%!p({GKL3z]x"T7<JXBkq={>08^о!C!}7/IiE 22IJaѵPȠ:38zhXF eB0Zwϙ;\-3d- +G@7.*|@! W͋!;P< rd- IiEG salt@notations.sequoia-pgp.orgU{3z8rMWr ?v1Cy !C!}7/IiE)v~ ~?8-*ǘH4G[* >_0K%DD+8d- +U@4RXw(@щN d3p rd- IiEG salt@notations.sequoia-pgp.orgV)چR4tȪnd<%m)Mo7P':Q !C!}7/IiE!%׽rG-BFuQ6pLsF!sVO5^ ͽKM|> h 3hH]BA20EF4E353FF61FF6B8B401AC48BF850A5E9C6113d- +G@@Sl^tlk(b{_'4)>  }d-  ċPG salt@notations.sequoia-pgp.orgrѼ5:D0dd9Z(e$b\ !Sak@ċPjH1ە4yx\/8Zj| P9ǯ0[L@.ɯF henry@fake.pep.foundation d-  ċPG salt@notations.sequoia-pgp.org_eSW JRUZ􊚬/ !Sak@ċP1pX@B91C@d% ㊀CH> "|{4@ =ͭطd F*3d- +G@} =Qr%⣳bt rd- ċPG salt@notations.sequoia-pgp.org5X1_Z4]E\!JЃ !Sak@ċPJΟqFmSbn[GN-bo7_uaM<[ w]"J 3d- +G@/]0phzdS{f$.! 1d- ċPG salt@notations.sequoia-pgp.org:6+W(7DaGo~ od- QNJG salt@notations.sequoia-pgp.orgdhuImKs[uIr⦜؀!ERkQNJHC5>Q).j 24czy>q(F _yMqCjK->WfU !Sak@ċP1Mv>ŀp2Ͽ.LvZ?ب⤂w`. QG1kX2 8d- +U@}Xz6v> S,HOd~ rd- ċPG salt@notations.sequoia-pgp.org*= Ǔ3OacG죵.&͉ !Sak@ċPG<n|~m дjKq7ah'B9;*~uFGL#bXJ]F2F8EB6F51987B06706ED6E45064ABE0B9108844E3d- +G@}{X.M Ӌ6k]{!٭  }d-  J NG salt@notations.sequoia-pgp.orgaâ)$0Njs* W_  !/gnEJ N:{Y2Zc]Vu! tjSQm 5=,aEgilbert@fake.pep.foundation d-  J NG salt@notations.sequoia-pgp.orgVj,a d0XF   !/gnEJ NјI疁L>F2 #D^SPYw&KPzu$'džy.q8g7 3d- +G@*+Az처qr"M||hkFف 1d- J NG salt@notations.sequoia-pgp.org>kR8{jCJH )`aIC od- -km}G salt@notations.sequoia-pgp.org"AJrd6}L s!8r`Îi-km}RÊs,b 2'.Y_fJBF\iTi^p@4uȬ@6Pl2J0!/gnEJ NGh>I1Wđ_cƏa4;bb *ڋB6xfSԭгᰖ3d- +G@zT =χguҁ\ )nA%|t rd- J NG salt@notations.sequoia-pgp.org0a9x%ɏ*ø:7 [mȑ !/gnEJ NyvGMi,bQ~˜ C«빽 ^#HX:ƾqMW5!Kc_azQf8d- +U@Պo$PP k 5kG ]@1CF1202EC58B5514EADC477AAA9CAC9C7B935A453d- +G@D4Q5Ho+3iNߔLP  }d-  {ZEG salt@notations.sequoia-pgp.orgGo- >0{C_[ ! .ŋUGz{ZE~6Aq(2`B@+.V{\n̛ rLY|􅮍#X=)U/dmfjohn@fake.pep.foundation d-  {ZEG salt@notations.sequoia-pgp.orgCӢO!TdDV聥% ! .ŋUGz{ZEyU7e5+ltlaer;1ڦn@;,5I"S]eW 3d- +G@&!a;M5biblXLL 1d- {ZEG salt@notations.sequoia-pgp.orgAT1fRh]L>rUX0b od- I1c+UvG salt@notations.sequoia-pgp.org}JmuN$Tդ؎ãşa!B=AvVʱI1c+Uv9ajQj8 E_ةAȚN>(~8/@»("tF;B (A! .ŋUGz{ZEX7xӰ"dJ/ĭ IwMj_K7 !$O[:{Mo~bUF:3d- +G@/mGXٸk+QM)):rAė rd- {ZEG salt@notations.sequoia-pgp.org"NA2xuKy) G6U/[?b! ! .ŋUGz{ZEHo2Pdoj{$ڨtm`pZpQɓlRK[h@m_6q9^0{Úgn ڶ 8d- +U@WhKtҘ`n6P@VX rd- {ZEG salt@notations.sequoia-pgp.orgjЬi)C7C-FTKܹ̳ Z( ! .ŋUGz{ZE]WeՃ1sؚlq(SB턱{^]yis9q 1H ]B9C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C13d- +G@YnF_nɌ/~a:i'3m  }d-  [2[G salt@notations.sequoia-pgp.org?)mWΛ` ږ/d !H'[2[]i疨C3HլAdb#p.^#l}O3d- +G@UZizZ20ERhv rd- [2[G salt@notations.sequoia-pgp.orgǖ姁GWE%6V] 1ߛze !H'[2[_B@ݔA^#6KoUr κB̵|0Z?6WQ 7B _> P|r-Rn~48d- +U@Q\̕xu*@+MeN-U-ce rd- [2[G salt@notations.sequoia-pgp.org#l͜nEF92إ{MANRUO+ !H'[2[z撬)2ဴzS+Ȗ$B<AWiP{N`0~$R0 l 7lH ]BFBD19974E304C95589F976BD71059020F2CC257C3d- +G@ >[Xy8n81+^F{  }d-  q %|G salt@notations.sequoia-pgp.orgNmX W*T>cٓ !љtUvq %|/Ȯ2-!6E1e8R}V3j=Slouis@fake.pep.foundation d-  q %|G salt@notations.sequoia-pgp.orgdm) }jy4GH@s LmϜ !љtUvq %|)K=wH{4h.B+֏[/LfgmZC_9/B.683d- +G@xFw5svYmm  rd- q %|G salt@notations.sequoia-pgp.org\EMcvaث'Nk'K͕J !љtUvq %|"JNjOM:t!E _1-XEPFHAwxVar6LM+tr Jw3d- +G@^|Xa45`B5 1d- q %|G salt@notations.sequoia-pgp.org'3myOڍAb<**- od- s̴hG salt@notations.sequoia-pgp.orgfXCC".fur'*GT!2)H6vIXs̴h6igIa촉N^~ǘ*S$xnrԣ4&LVn_'(} ΩE2!љtUvq %|5eEKJQnV6j(-.KYY` OJAA@+ GE88d- +U@pY1ՔH~muc`]| rd- q %|G salt@notations.sequoia-pgp.orgC&܄T D[Df{㠢K !љtUvq %|35R J!_"JJЁd6CT=4F6Gˉ?R]?,!P8mGXr F ]>C11BCCBB3F843593B8975AFB958E85734EF0ADE03d- +G@1 %mr&;HX'%lCw  }d-  sNG salt@notations.sequoia-pgp.orgW3ܐZ:@HB/%Ѧ=@ !̻?5ZsNGYo_tyck^r.5 2UtU7Ėt)fRiP}-+$ken@fake.pep.foundation d-  sNG salt@notations.sequoia-pgp.org/.+ˬ70 w}/胞A=Z  !̻?5ZsNo}UHlLH 낶tfVjָTIjgpl>Ңa%INNW ^s3d- +G@^S+o7bAz$ I-0_? 1d- sNG salt@notations.sequoia-pgp.orgrm<pL4Ȭ"|Mcis od- &(G salt@notations.sequoia-pgp.org 2ïH&㕙 )(ؼc鼖M!81qFFO~ &(JRX-Q=&31yq,ZM*BkX[.?q* Vc3 !̻?5ZsNf'*Й3\EB7 0@N(ͲY\Bw@*\S(0APU!"qۿšI 3d- +G@.u߫%-ϚTp+Q|  rd- sNG salt@notations.sequoia-pgp.orgpK|jZ^#81v3 !̻?5ZsNXO܏&&O(;5Jcr4yEqn6/jҍMtlؓP 8d- +U@rokXvj%=ƶxK rd- sNG salt@notations.sequoia-pgp.org?̼WYz갓+;hʫe> !̻?5ZsN0wPj0dg<@\&=A8I*veINPA$1KI R2^{ m 6mF]>912E63F55388D9886151101CDA4FE8ECD8365D6E3d- +G@ҙ-a=q&q`^|C2{J`  }d-  O6]nG salt@notations.sequoia-pgp.org}`|EVe_:x/%  !.cSوaQO6]nHYMs*qfɅ6Rm2f\vɫ)Hs GQhywaXt#j ned@fake.pep.foundation d-  O6]nG salt@notations.sequoia-pgp.org)s _c.\Laq !.cSوaQO6]n>kUU8iXd'Rbbu͉%.cu75޿TsI3oL V)1F{[q=3d- +G@W"a="X] +Σ ;ڟ 1d- O6]nG salt@notations.sequoia-pgp.orgM`wO3i&% t{y od- w0*yG salt@notations.sequoia-pgp.org፻*'m4UּLݚt}9`8 _W!"s05_Ww0*yO??qcL \x*(ߟֺZgi'rҕ(XjZf V6(!.cSوaQO6]n`L_E 6Q*Nx>0p Qw:#SPF&HԲEjM7bس 3d- +G@P*!M"R͋ZHO_`H rd- O6]nG salt@notations.sequoia-pgp.org-KDQ/m~%DT_ !.cSوaQO6]n_z4jzR\:_7ʱ(#IO !Yqz. 18d- +U@B︄ң,O"ws5Q rd- O6]nG salt@notations.sequoia-pgp.orgםb~"PeyazWWq4Mp !.cSوaQO6]nĠfs \ "V<A7 _ ^is \BUFZrX$I*^=w G ]@8049F106768CD5D6374645F3B0C0ABEFB3892D733d- +G@cVFw]uPtv2gn""@Hq  }d-  ﳉ-sG salt@notations.sequoia-pgp.orgooeu(~z`zb !Iv7FEﳉ-s+#kAgAg߻k|%O;*e5 zD²q}G&Gmary@fake.pep.foundation d-  ﳉ-sG salt@notations.sequoia-pgp.orgwb(M,Lu=DBDyQކ*vh !Iv7FEﳉ-s y”w\SWPRk(R!w; v8n0KbH߷WL}}Asʳyq3d- +G@@-㘂jDv&S| 1d- ﳉ-sG salt@notations.sequoia-pgp.org H>>?kz}N ,X-ry od- fFmG salt@notations.sequoia-pgp.org7n)!.=?+Mw_!i_%{E.fFmfL:Z>ͽbTG9  U7;EqkW7 !Iv7FEﳉ-s65IZh^򊊕d֞ @yTEKl3/e4jsV""E1)E O3d- +G@9$ YFJt ^pms rd- ﳉ-sG salt@notations.sequoia-pgp.orgY*lMVogKO  !Iv7FEﳉ-sihY}dREo tXǾM"=½Ht@ʾ +ATx.2Xۑ 8d- +U@Rׇėoi=/ £`oRoJ} rd- ﳉ-sG salt@notations.sequoia-pgp.org} / =HJ7҆K !Iv7FEﳉ-sD-ȁWJͺp\sx:DX;2|C@+4F0aV@D i 6iJ]F5C55764028BE2DD718F9DAAAD8D14CE515A328013d- +G@2O_7S5/E IOQ  }d-  L(G salt@notations.sequoia-pgp.orgAG;ۇdqyt/iz %=cophelia@fake.pep.foundation d-  L(G salt@notations.sequoia-pgp.org&@W,wel5={COi!@t !\Uv@(-ڪL(GCbas- |Wg47~1Յ.azx]Cԙ~ Ld<(Q_:b\ 3d- +G@Rׄ&- ǫ'](&Jb*B 1d- L(G salt@notations.sequoia-pgp.org;WX 1d- 5`y"G salt@notations.sequoia-pgp.orgX5sЄ-rf Va?( ~$ od- mQ]oG salt@notations.sequoia-pgp.org޽_fZ)ČZ7GV63!wmI27mQ]o !R?c7hB\hdlߨOUS?{C,#&3Cn9!hxxPD5`y"}G;7*>8X 9 K+NuXorhiz' q?|t",3d- +G@8£a<= PXЯ;?9M rd- 5`y"G salt@notations.sequoia-pgp.orgXx6я\Ƃ j  U1 !hxxPD5`y"$7 SU291`eߎD&yn~xl5Th긵SZ鿟Ȼp8d- +U@qؐ$ iFUA$ rd- 5`y"G salt@notations.sequoia-pgp.orgTJ L!WgW)gtp !hxxPD5`y"7 U{/[ch~O-dU4 h[4#H]}Aj㻐F 8hFN% V  ^ h e ' l . t 6|>FNVd^ >-]1ADFC82AC3586C14AAB978A882B9A6E793960B071ADFC82AC3586C14>-]5A826CAA7026DB6F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]4A869829AAB70CBE10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]0AC73BFE55E17D2208C6A9408241E6ED99A0A2767A6B35253722954D>-]53D8C1B7F801D54D08C6A9408241E6ED99A0A2767A6B35253722954D=-]5DFAD7D10C678DBED27B4F82C717A04DFF3A986489929D075908994Ej>-]5D5025F89BBA7A076C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]5609A4F9A4344957A2439F4C712EA9FA6B65BC17DECD473509E96847\=-]54E2200EE3627373CB4287D637F9BC0CB38F978AEB64F54F552F0AB7_=-]52B7186506DCC483E1C12525BFAF4F092D109F2152B7186506DCC483U=-]51074EA7D24AA490A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]50B9CB75C21518725C55764028BE2DD718F9DAAAD8D14CE515A32801@=-]4D2476E6EDCA3BE22533E4E13EC84A784DE6F2962C3E64162620C978|=-]4C34BA7BC16F86B3F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3I=-]4B8313F3BF069E6A7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76G=-]4A4DF6C29EDD1F767D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=-]49B0B5F169F745F343C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]47D04DC2B74725E122A589136F68CC46076FFA6071B2EDA40DC29CC7=-]42916177BEAA88747A757276DFF48471EA032D2B98611755153523E6x=-]3F0586841937BDFE912E63F55388D9886151101CDA4FE8ECD8365D6E8=-]3D4778FC2C38084FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]3BDE948165BE18002F8EB6F51987B06706ED6E45064ABE0B9108844E=-]3AD07BB3F42BD08E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]38E7A3645666C76922A589136F68CC46076FFA6071B2EDA40DC29CC7=-]38CBCE44873FE1A74925E278E468D55BA68B3AC49E1F03BA787E31EAr=-]34450D8FA47BE5781CF1202EC58B5514EADC477AAA9CAC9C7B935A45(=-]33DB91F8AAECA2FDA20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]2F8A666BE91A400F2349DF0D7DBD60C6C20453350553D1E9E9AE5C54S=-]2DD7EC6B89966D7D2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]2C7C1FA3369E4A4D7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76H=-]2C45488C98085D61CDAE31CA330249BC5284C1F96033761A09D517DFh=-]2C3E64162620C9782533E4E13EC84A784DE6F2962C3E64162620C978y=-]2B45B386DCB3A0CFE1C12525BFAF4F092D109F2152B7186506DCC483V=-]28967B47191899F843C5C721DCFF1D7D8FD1372F49B0B5F169F745F3>-]1DB2D0B226A87A276C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]1D7FA83415FD0C9CE4C1FB98268170769154C21BBD1637EEB34E933B=-]1C23477C835E5CEB7A757276DFF48471EA032D2B98611755153523E6w>-]1B23CEF521884A3F6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]19BAAA837AA0EDE3F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]1981CA07B08A2AA34FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]1949FBA7A090B71D4925E278E468D55BA68B3AC49E1F03BA787E31EAt=-]1908736247B42C7C2349DF0D7DBD60C6C20453350553D1E9E9AE5C54R=-]185B7A6512A4839143C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]1743133E219C1EB19BC60CF498E584E5620014340C099ECDA62431FEc=-]14180E23218FFEDAEB4750A0B0A0F558ED5F768F8B893A26133B3F66B=-]132E928709CB19568A0293871D97E954B8397DFD072889CB0E82D77BP=-]0DCD1F051766107FF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3J=-]0D6DF17AFEF1FFBAB5AAD4575B2988D99E3FB3EE973EE71028459E9Ao=-]0C099ECDA62431FE9BC60CF498E584E5620014340C099ECDA62431FEa=-]072889CB0E82D77B8A0293871D97E954B8397DFD072889CB0E82D77BM=-]064ABE0B9108844E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]0553D1E9E9AE5C542349DF0D7DBD60C6C20453350553D1E9E9AE5C54Q=-]054118196B963B7DCDAE31CA330249BC5284C1F96033761A09D517DFf=-]0509657A6BAC730C68A4E57878501CF89B9844039B3560C27904221F;=-]04EEFDB17B04F78B5C55764028BE2DD718F9DAAAD8D14CE515A32801?=-]01076D890F515D6F68A4E57878501CF89B9844039B3560C27904221F: 3;3a &I  ^ y;i+ iqYF#N Q V  e  w 9A3|=-]8451B62D9873AE16A20EF4E353FF61FF6B8B401AC48BF850A5E9C611 =-]83C69AF0F851437AB5AAD4575B2988D99E3FB3EE973EE71028459E9An=-]6286EF138550E5C09C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1$=-]98611755153523E67A757276DFF48471EA032D2B98611755153523E6u=-]637DE61020C5DD1B4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]9079AA6B02A61A8B8049F106768CD5D6374645F3B0C0ABEFB3892D733=-]8F07A6D986845B5AEB4750A0B0A0F558ED5F768F8B893A26133B3F66C=-]8B893A26133B3F66EB4750A0B0A0F558ED5F768F8B893A26133B3F66A=-]89E01368B3CFEA66F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]89929D075908994ED27B4F82C717A04DFF3A986489929D075908994Ei=-]884DFEDE8DF8A5B19BC60CF498E584E5620014340C099ECDA62431FEb=-]848F73B0CCB468D9FBD19974E304C95589F976BD71059020F2CC257C/=-]9E1F03BA787E31EA4925E278E468D55BA68B3AC49E1F03BA787E31EAq=-]64BF7EACFA7E07D3CB4287D637F9BC0CB38F978AEB64F54F552F0AB7`=-]973EE71028459E9AB5AAD4575B2988D99E3FB3EE973EE71028459E9Am=-]A685E0D6F5530952D27B4F82C717A04DFF3A986489929D075908994El=-]650BEEAE8BE0BA784FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]94D1A2CC4A9787279BC60CF498E584E5620014340C099ECDA62431FEd=-]6C9FF639C2D20ED28A0293871D97E954B8397DFD072889CB0E82D77BO=-]66CC46F715A66DBC8049F106768CD5D6374645F3B0C0ABEFB3892D732=-]B974664B34752AFCA2439F4C712EA9FA6B65BC17DECD473509E96847[=-]AA761009D6D131A0A2439F4C712EA9FA6B65BC17DECD473509E96847Z=-]780F3DCE8BA84184FBD19974E304C95589F976BD71059020F2CC257C0=-]773082B0012A791A912E63F55388D9886151101CDA4FE8ECD8365D6E6=-]745FB6564FC5F7DCF29B751A3123A1502E5C0665745FB6564FC5F7DC =-]71B2EDA40DC29CC722A589136F68CC46076FFA6071B2EDA40DC29CC7 =-]71059020F2CC257CFBD19974E304C95589F976BD71059020F2CC257C-=-]9C4396FA8EE7BB36F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3Lf>-]8EF85F1B1E37396F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]A9173FFEBD40DA28507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]7A6B35253722954D08C6A9408241E6ED99A0A2767A6B35253722954D>-]69AF5A6299EC8A606C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07>-]B929651D1EDAD644E4C1FB98268170769154C21BBD1637EEB34E933B=-]8134877075548DB72533E4E13EC84A784DE6F2962C3E64162620C978z=-]7F6B5258C086DC6B7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76F=-]7AB77AECC3703ED52533E4E13EC84A784DE6F2962C3E64162620C978{=-]7903174192105E48D27B4F82C717A04DFF3A986489929D075908994Ek=-]B4E5A2B2EF97E40568A4E57878501CF89B9844039B3560C27904221F<=-]B0C0ABEFB3892D738049F106768CD5D6374645F3B0C0ABEFB3892D731=-]B058180EE35C8BE05C55764028BE2DD718F9DAAAD8D14CE515A32801>=-]AF26C6724E7E40F3912E63F55388D9886151101CDA4FE8ECD8365D6E7=-]ADF2379966C7497222A589136F68CC46076FFA6071B2EDA40DC29CC7=-]AC9255C490B722199C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1#=-]AA9CAC9C7B935A451CF1202EC58B5514EADC477AAA9CAC9C7B935A45%=-]A7CB62B3422503EE04880CB55875B6548C25C729A00E4CD660454746=-]A00E4CD66045474604880CB55875B6548C25C729A00E4CD660454746=-]9F5599183124F72D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]9B3560C27904221F68A4E57878501CF89B9844039B3560C27904221F9=-]994931632B55CF761CF1202EC58B5514EADC477AAA9CAC9C7B935A45&=-]958E85734EF0ADE0C11BCCBB3F843593B8975AFB958E85734EF0ADE0)=-]94E766EE6359246DFBD19974E304C95589F976BD71059020F2CC257C. 8hFN% V  ^ h e ' l . t 6|>FNVd^ >-]1ADFC82AC3586C14AAB978A882B9A6E793960B071ADFC82AC3586C14>-]5A826CAA7026DB6F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]4A869829AAB70CBE10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]0AC73BFE55E17D2208C6A9408241E6ED99A0A2767A6B35253722954D>-]53D8C1B7F801D54D08C6A9408241E6ED99A0A2767A6B35253722954D=-]5DFAD7D10C678DBED27B4F82C717A04DFF3A986489929D075908994Ej>-]5D5025F89BBA7A076C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]5609A4F9A4344957A2439F4C712EA9FA6B65BC17DECD473509E96847\=-]54E2200EE3627373CB4287D637F9BC0CB38F978AEB64F54F552F0AB7_=-]52B7186506DCC483E1C12525BFAF4F092D109F2152B7186506DCC483U=-]51074EA7D24AA490A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]50B9CB75C21518725C55764028BE2DD718F9DAAAD8D14CE515A32801@=-]4D2476E6EDCA3BE22533E4E13EC84A784DE6F2962C3E64162620C978|=-]4C34BA7BC16F86B3F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3I=-]4B8313F3BF069E6A7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76G=-]4A4DF6C29EDD1F767D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76E=-]49B0B5F169F745F343C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]47D04DC2B74725E122A589136F68CC46076FFA6071B2EDA40DC29CC7=-]42916177BEAA88747A757276DFF48471EA032D2B98611755153523E6x=-]3F0586841937BDFE912E63F55388D9886151101CDA4FE8ECD8365D6E8=-]3D4778FC2C38084FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]3BDE948165BE18002F8EB6F51987B06706ED6E45064ABE0B9108844E=-]3AD07BB3F42BD08E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]38E7A3645666C76922A589136F68CC46076FFA6071B2EDA40DC29CC7=-]38CBCE44873FE1A74925E278E468D55BA68B3AC49E1F03BA787E31EAr=-]34450D8FA47BE5781CF1202EC58B5514EADC477AAA9CAC9C7B935A45(=-]33DB91F8AAECA2FDA20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]2F8A666BE91A400F2349DF0D7DBD60C6C20453350553D1E9E9AE5C54S=-]2DD7EC6B89966D7D2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]2C7C1FA3369E4A4D7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76H=-]2C45488C98085D61CDAE31CA330249BC5284C1F96033761A09D517DFh=-]2C3E64162620C9782533E4E13EC84A784DE6F2962C3E64162620C978y=-]2B45B386DCB3A0CFE1C12525BFAF4F092D109F2152B7186506DCC483V=-]28967B47191899F843C5C721DCFF1D7D8FD1372F49B0B5F169F745F3>-]1DB2D0B226A87A276C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]1D7FA83415FD0C9CE4C1FB98268170769154C21BBD1637EEB34E933B=-]1C23477C835E5CEB7A757276DFF48471EA032D2B98611755153523E6w>-]1B23CEF521884A3F6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07=-]19BAAA837AA0EDE3F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]1981CA07B08A2AA34FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]1949FBA7A090B71D4925E278E468D55BA68B3AC49E1F03BA787E31EAt=-]1908736247B42C7C2349DF0D7DBD60C6C20453350553D1E9E9AE5C54R=-]185B7A6512A4839143C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]1743133E219C1EB19BC60CF498E584E5620014340C099ECDA62431FEc=-]14180E23218FFEDAEB4750A0B0A0F558ED5F768F8B893A26133B3F66B=-]132E928709CB19568A0293871D97E954B8397DFD072889CB0E82D77BP=-]0DCD1F051766107FF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3J=-]0D6DF17AFEF1FFBAB5AAD4575B2988D99E3FB3EE973EE71028459E9Ao=-]0C099ECDA62431FE9BC60CF498E584E5620014340C099ECDA62431FEa=-]072889CB0E82D77B8A0293871D97E954B8397DFD072889CB0E82D77BM=-]064ABE0B9108844E2F8EB6F51987B06706ED6E45064ABE0B9108844E=-]0553D1E9E9AE5C542349DF0D7DBD60C6C20453350553D1E9E9AE5C54Q=-]054118196B963B7DCDAE31CA330249BC5284C1F96033761A09D517DFf=-]0509657A6BAC730C68A4E57878501CF89B9844039B3560C27904221F;=-]04EEFDB17B04F78B5C55764028BE2DD718F9DAAAD8D14CE515A32801?=-]01076D890F515D6F68A4E57878501CF89B9844039B3560C27904221F: 3;3a &I  ^ y;i+ iqYF#N Q V  e  w 9A3|=-]8451B62D9873AE16A20EF4E353FF61FF6B8B401AC48BF850A5E9C611 =-]83C69AF0F851437AB5AAD4575B2988D99E3FB3EE973EE71028459E9An=-]6286EF138550E5C09C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1$=-]98611755153523E67A757276DFF48471EA032D2B98611755153523E6u=-]637DE61020C5DD1B4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]9079AA6B02A61A8B8049F106768CD5D6374645F3B0C0ABEFB3892D733=-]8F07A6D986845B5AEB4750A0B0A0F558ED5F768F8B893A26133B3F66C=-]8B893A26133B3F66EB4750A0B0A0F558ED5F768F8B893A26133B3F66A=-]89E01368B3CFEA66F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]89929D075908994ED27B4F82C717A04DFF3A986489929D075908994Ei=-]884DFEDE8DF8A5B19BC60CF498E584E5620014340C099ECDA62431FEb=-]848F73B0CCB468D9FBD19974E304C95589F976BD71059020F2CC257C/=-]9E1F03BA787E31EA4925E278E468D55BA68B3AC49E1F03BA787E31EAq=-]64BF7EACFA7E07D3CB4287D637F9BC0CB38F978AEB64F54F552F0AB7`=-]973EE71028459E9AB5AAD4575B2988D99E3FB3EE973EE71028459E9Am=-]A685E0D6F5530952D27B4F82C717A04DFF3A986489929D075908994El=-]650BEEAE8BE0BA784FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]94D1A2CC4A9787279BC60CF498E584E5620014340C099ECDA62431FEd=-]6C9FF639C2D20ED28A0293871D97E954B8397DFD072889CB0E82D77BO=-]66CC46F715A66DBC8049F106768CD5D6374645F3B0C0ABEFB3892D732=-]B974664B34752AFCA2439F4C712EA9FA6B65BC17DECD473509E96847[=-]AA761009D6D131A0A2439F4C712EA9FA6B65BC17DECD473509E96847Z=-]780F3DCE8BA84184FBD19974E304C95589F976BD71059020F2CC257C0=-]773082B0012A791A912E63F55388D9886151101CDA4FE8ECD8365D6E6=-]745FB6564FC5F7DCF29B751A3123A1502E5C0665745FB6564FC5F7DC =-]71B2EDA40DC29CC722A589136F68CC46076FFA6071B2EDA40DC29CC7 =-]71059020F2CC257CFBD19974E304C95589F976BD71059020F2CC257C-=-]9C4396FA8EE7BB36F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3Lf>-]8EF85F1B1E37396F10E37AA3BBFD3348CF9AE3698EF85F1B1E37396F>-]A9173FFEBD40DA28507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]7A6B35253722954D08C6A9408241E6ED99A0A2767A6B35253722954D>-]69AF5A6299EC8A606C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A07>-]B929651D1EDAD644E4C1FB98268170769154C21BBD1637EEB34E933B=-]8134877075548DB72533E4E13EC84A784DE6F2962C3E64162620C978z=-]7F6B5258C086DC6B7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76F=-]7AB77AECC3703ED52533E4E13EC84A784DE6F2962C3E64162620C978{=-]7903174192105E48D27B4F82C717A04DFF3A986489929D075908994Ek=-]B4E5A2B2EF97E40568A4E57878501CF89B9844039B3560C27904221F<=-]B0C0ABEFB3892D738049F106768CD5D6374645F3B0C0ABEFB3892D731=-]B058180EE35C8BE05C55764028BE2DD718F9DAAAD8D14CE515A32801>=-]AF26C6724E7E40F3912E63F55388D9886151101CDA4FE8ECD8365D6E7=-]ADF2379966C7497222A589136F68CC46076FFA6071B2EDA40DC29CC7=-]AC9255C490B722199C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1#=-]AA9CAC9C7B935A451CF1202EC58B5514EADC477AAA9CAC9C7B935A45%=-]A7CB62B3422503EE04880CB55875B6548C25C729A00E4CD660454746=-]A00E4CD66045474604880CB55875B6548C25C729A00E4CD660454746=-]9F5599183124F72D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3=-]9B3560C27904221F68A4E57878501CF89B9844039B3560C27904221F9=-]994931632B55CF761CF1202EC58B5514EADC477AAA9CAC9C7B935A45&=-]958E85734EF0ADE0C11BCCBB3F843593B8975AFB958E85734EF0ADE0)=-]94E766EE6359246DFBD19974E304C95589F976BD71059020F2CC257C.  G]@7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F763d- +G@`aj6`s zesOS  }d-  JMžvG salt@notations.sequoia-pgp.orgUqnW7q;|2`b7nN !}mNXaJMžv+Yfd_/vuE'9r3wet-/ZsWIbo8(='^paul@fake.pep.foundation d-  JMžvG salt@notations.sequoia-pgp.orghu"iPueVa !}mNXaJMžv^Z>6,:C$ r©ڲTN0h A`* [|}4hwY43d- +G@$T.XaV#HnQaZz^1 rd- JMžvG salt@notations.sequoia-pgp.org,'yĔd7:k7h/GI`3! !}mNXaJMžv |mH J\>s]m`_|ﵺQ@g.YX3d- +G@>ډswrW^'DqWpS¶&: 1d- JMžvG salt@notations.sequoia-pgp.orgLfQ#E6 ٵa`~Wds od- KjG salt@notations.sequoia-pgp.org\;*a,bD=s3;eS460 !MAI ~$L͑U>\3v< dɆg!}mNXaJMžvDS+PM=/`  }d-  :&;?fG salt@notations.sequoia-pgp.org ~:&jԳ,(.l  !GPX_v:&;?f~غ^[ZB4Ko&K4]z^nN6ǐ] l4pxowen@fake.pep.foundation d-  :&;?fG salt@notations.sequoia-pgp.org 0{yoZNJUp !GPX_v:&;?fIlaϊ+5ud\s$}9e\k 2={!$FFx >Knw傣Xd- +G@!r(zCF|{8[x;ݤIIu0_,7¼9ȗ-K 1d- :&;?fG salt@notations.sequoia-pgp.org^*"uĚ6 \s=il /?d od- #!G salt@notations.sequoia-pgp.org}M7?0};f-V!m`Xe2#!|Hk/i W$pnKL tyR㱙k4z~uDDrFmb!GPX_v:&;?ffRh!Á1 Ĩ4a]HOlS1bRu.@r F˶3=Xd- +G@|p')u5O"-5&]}>aBAI':ںJTX&=-&~ rd- :&;?fG salt@notations.sequoia-pgp.org|W75ϘYi||6iZz !GPX_v:&;?fE͕CA1zqjPRSmj]n(rޕPupqpI]d- +U@F@鰘RӆA)EkS}?A.<BB~\k,Ihgߞ rd- :&;?fG salt@notations.sequoia-pgp.orgHiePdq*]W X%t%P, !GPX_v:&;?fPL,gїň~O3-_ݣ,mBYK$W'ʝϝģlQ! @I U a $ m 0 y < H T `#l/x;G S_"k.w:;@-]50B9CB75C21518725C55764028BE2DD718F9DAAAD8D14CE515A32801;?-]04EEFDB17B04F78B5C55764028BE2DD718F9DAAAD8D14CE515A32801;>-]B058180EE35C8BE05C55764028BE2DD718F9DAAAD8D14CE515A32801;=-]D8D14CE515A328015C55764028BE2DD718F9DAAAD8D14CE515A32801;<-]B4E5A2B2EF97E40568A4E57878501CF89B9844039B3560C27904221F;;-]0509657A6BAC730C68A4E57878501CF89B9844039B3560C27904221F;:-]01076D890F515D6F68A4E57878501CF89B9844039B3560C27904221F;9-]9B3560C27904221F68A4E57878501CF89B9844039B3560C27904221F;8-]3F0586841937BDFE912E63F55388D9886151101CDA4FE8ECD8365D6E;7-]AF26C6724E7E40F3912E63F55388D9886151101CDA4FE8ECD8365D6E;6-]773082B0012A791A912E63F55388D9886151101CDA4FE8ECD8365D6E;5-]DA4FE8ECD8365D6E912E63F55388D9886151101CDA4FE8ECD8365D6E;4-]FD289E27C690EE4E8049F106768CD5D6374645F3B0C0ABEFB3892D73;3-]9079AA6B02A61A8B8049F106768CD5D6374645F3B0C0ABEFB3892D73;2-]66CC46F715A66DBC8049F106768CD5D6374645F3B0C0ABEFB3892D73;1-]B0C0ABEFB3892D738049F106768CD5D6374645F3B0C0ABEFB3892D73;0-]780F3DCE8BA84184FBD19974E304C95589F976BD71059020F2CC257C;/-]848F73B0CCB468D9FBD19974E304C95589F976BD71059020F2CC257C;.-]94E766EE6359246DFBD19974E304C95589F976BD71059020F2CC257C;--]71059020F2CC257CFBD19974E304C95589F976BD71059020F2CC257C;,-]C0D868F1963180D8C11BCCBB3F843593B8975AFB958E85734EF0ADE0;+-]E572969A4BF0EAA1C11BCCBB3F843593B8975AFB958E85734EF0ADE0;*-]DD26BFF997B128D0C11BCCBB3F843593B8975AFB958E85734EF0ADE0;)-]958E85734EF0ADE0C11BCCBB3F843593B8975AFB958E85734EF0ADE0;(-]34450D8FA47BE5781CF1202EC58B5514EADC477AAA9CAC9C7B935A45;'-]DA2E401BDCC261401CF1202EC58B5514EADC477AAA9CAC9C7B935A45;&-]994931632B55CF761CF1202EC58B5514EADC477AAA9CAC9C7B935A45;%-]AA9CAC9C7B935A451CF1202EC58B5514EADC477AAA9CAC9C7B935A45;$-]6286EF138550E5C09C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1;#-]AC9255C490B722199C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1;"-]DE99B5AACE8010449C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1;!-]DC5BFE32065BD8C19C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1; -]8451B62D9873AE16A20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]51074EA7D24AA490A20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]33DB91F8AAECA2FDA20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]C48BF850A5E9C611A20EF4E353FF61FF6B8B401AC48BF850A5E9C611;-]3AD07BB3F42BD08E2F8EB6F51987B06706ED6E45064ABE0B9108844E;-]3BDE948165BE18002F8EB6F51987B06706ED6E45064ABE0B9108844E;-]2DD7EC6B89966D7D2F8EB6F51987B06706ED6E45064ABE0B9108844E;-]064ABE0B9108844E2F8EB6F51987B06706ED6E45064ABE0B9108844E;-]DAC435B561D44E7B04880CB55875B6548C25C729A00E4CD660454746;-]A7CB62B3422503EE04880CB55875B6548C25C729A00E4CD660454746;-]CADEEF67FAADD95104880CB55875B6548C25C729A00E4CD660454746;-]A00E4CD66045474604880CB55875B6548C25C729A00E4CD660454746;-]185B7A6512A4839143C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]9F5599183124F72D43C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]28967B47191899F843C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]49B0B5F169F745F343C5C721DCFF1D7D8FD1372F49B0B5F169F745F3;-]38E7A3645666C76922A589136F68CC46076FFA6071B2EDA40DC29CC7;-]47D04DC2B74725E122A589136F68CC46076FFA6071B2EDA40DC29CC7;-]ADF2379966C7497222A589136F68CC46076FFA6071B2EDA40DC29CC7; -]71B2EDA40DC29CC722A589136F68CC46076FFA6071B2EDA40DC29CC7; -]DF466C19D1E09129F29B751A3123A1502E5C0665745FB6564FC5F7DC; -]89E01368B3CFEA66F29B751A3123A1502E5C0665745FB6564FC5F7DC; -]19BAAA837AA0EDE3F29B751A3123A1502E5C0665745FB6564FC5F7DC; -]745FB6564FC5F7DCF29B751A3123A1502E5C0665745FB6564FC5F7DC;-]E8F03F5A4682799E4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]650BEEAE8BE0BA784FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]1981CA07B08A2AA34FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]637DE61020C5DD1B4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B;-]CDD45401DD0E759FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79;-]DF5F5C00DA897592B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79;-]3D4778FC2C38084FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79;-]D0D1AB8DA16D8D79B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79 @I U a $ m 0 y < H T `#l/x;G S_"k.w:;-]B929651D1EDAD644E4C1FB98268170769154C21BBD1637EEB34E933B;-]1D7FA83415FD0C9CE4C1FB98268170769154C21BBD1637EEB34E933B;~-]E7D3FED35EAF68B9E4C1FB98268170769154C21BBD1637EEB34E933B;}-]BD1637EEB34E933BE4C1FB98268170769154C21BBD1637EEB34E933B;|-]4D2476E6EDCA3BE22533E4E13EC84A784DE6F2962C3E64162620C978;{-]7AB77AECC3703ED52533E4E13EC84A784DE6F2962C3E64162620C978;z-]8134877075548DB72533E4E13EC84A784DE6F2962C3E64162620C978;y-]2C3E64162620C9782533E4E13EC84A784DE6F2962C3E64162620C978;x-]42916177BEAA88747A757276DFF48471EA032D2B98611755153523E6;w-]1C23477C835E5CEB7A757276DFF48471EA032D2B98611755153523E6;v-]EEE9E2E4D0403BA27A757276DFF48471EA032D2B98611755153523E6;u-]98611755153523E67A757276DFF48471EA032D2B98611755153523E6;t-]1949FBA7A090B71D4925E278E468D55BA68B3AC49E1F03BA787E31EA;s-]C96ADEF6A2CCFA984925E278E468D55BA68B3AC49E1F03BA787E31EA;r-]38CBCE44873FE1A74925E278E468D55BA68B3AC49E1F03BA787E31EA;q-]9E1F03BA787E31EA4925E278E468D55BA68B3AC49E1F03BA787E31EA;p-]CEFC4DCD7DD09BF9B5AAD4575B2988D99E3FB3EE973EE71028459E9A;o-]0D6DF17AFEF1FFBAB5AAD4575B2988D99E3FB3EE973EE71028459E9A;n-]83C69AF0F851437AB5AAD4575B2988D99E3FB3EE973EE71028459E9A;m-]973EE71028459E9AB5AAD4575B2988D99E3FB3EE973EE71028459E9A;l-]A685E0D6F5530952D27B4F82C717A04DFF3A986489929D075908994E;k-]7903174192105E48D27B4F82C717A04DFF3A986489929D075908994E;j-]5DFAD7D10C678DBED27B4F82C717A04DFF3A986489929D075908994E;i-]89929D075908994ED27B4F82C717A04DFF3A986489929D075908994E;h-]2C45488C98085D61CDAE31CA330249BC5284C1F96033761A09D517DF;g-]EA301A7C9A893815CDAE31CA330249BC5284C1F96033761A09D517DF;f-]054118196B963B7DCDAE31CA330249BC5284C1F96033761A09D517DF;e-]6033761A09D517DFCDAE31CA330249BC5284C1F96033761A09D517DF;d-]94D1A2CC4A9787279BC60CF498E584E5620014340C099ECDA62431FE;c-]1743133E219C1EB19BC60CF498E584E5620014340C099ECDA62431FE;b-]884DFEDE8DF8A5B19BC60CF498E584E5620014340C099ECDA62431FE;a-]0C099ECDA62431FE9BC60CF498E584E5620014340C099ECDA62431FE;`-]64BF7EACFA7E07D3CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;_-]54E2200EE3627373CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;^-]C25C74A408C599D8CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;]-]EB64F54F552F0AB7CB4287D637F9BC0CB38F978AEB64F54F552F0AB7;\-]5609A4F9A4344957A2439F4C712EA9FA6B65BC17DECD473509E96847;[-]B974664B34752AFCA2439F4C712EA9FA6B65BC17DECD473509E96847;Z-]AA761009D6D131A0A2439F4C712EA9FA6B65BC17DECD473509E96847;Y-]DECD473509E96847A2439F4C712EA9FA6B65BC17DECD473509E96847;X-]BDE25B8E80237EE2E1C12525BFAF4F092D109F2152B7186506DCC483;W-]DB24D05A4CFF4204E1C12525BFAF4F092D109F2152B7186506DCC483;V-]2B45B386DCB3A0CFE1C12525BFAF4F092D109F2152B7186506DCC483;U-]52B7186506DCC483E1C12525BFAF4F092D109F2152B7186506DCC483;T-]CDFBE06BBC5F6D292349DF0D7DBD60C6C20453350553D1E9E9AE5C54;S-]2F8A666BE91A400F2349DF0D7DBD60C6C20453350553D1E9E9AE5C54;R-]1908736247B42C7C2349DF0D7DBD60C6C20453350553D1E9E9AE5C54;Q-]0553D1E9E9AE5C542349DF0D7DBD60C6C20453350553D1E9E9AE5C54;P-]132E928709CB19568A0293871D97E954B8397DFD072889CB0E82D77B;O-]6C9FF639C2D20ED28A0293871D97E954B8397DFD072889CB0E82D77B;N-]D49FD2CB8EEF91038A0293871D97E954B8397DFD072889CB0E82D77B;M-]072889CB0E82D77B8A0293871D97E954B8397DFD072889CB0E82D77B;L-]9C4396FA8EE7BB36F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;K-]C1B27AC998ABABB8F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;J-]0DCD1F051766107FF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;I-]4C34BA7BC16F86B3F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3;H-]2C7C1FA3369E4A4D7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;G-]4B8313F3BF069E6A7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;F-]7F6B5258C086DC6B7D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;E-]4A4DF6C29EDD1F767D8A6D4E9F5804C3F161D2FC4A4DF6C29EDD1F76;D-]F300560992B840A8EB4750A0B0A0F558ED5F768F8B893A26133B3F66;C-]8F07A6D986845B5AEB4750A0B0A0F558ED5F768F8B893A26133B3F66;B-]14180E23218FFEDAEB4750A0B0A0F558ED5F768F8B893A26133B3F66;A-]8B893A26133B3F66EB4750A0B0A0F558ED5F768F8B893A26133B3F66 f 1fH]B8A0293871D97E954B8397DFD072889CB0E82D77B3d- +G@dQi\nj @ dnAwU*  }d-  ({G salt@notations.sequoia-pgp.org&79k_o)&,-) !T9}({؃OO `oȯʉ5DD- 0'2<To1<٢dkү:C%vg).&randy@fake.pep.foundation d-  ({G salt@notations.sequoia-pgp.orgDCk2Y?? xh{%f !T9}({$^g,Sě1'/"aQٺҢEWcL0l7"Q0Ozso 3d- +G@ɻ.gU>8.T`̴!D8Bo 1d- ({G salt@notations.sequoia-pgp.org% t1!߾p%͛n 6 od- ԟˎG salt@notations.sequoia-pgp.orgO;`{ @srC5sK|!aO-}#sԟˎ#Z4(*H jCm#[ɿ;CrlH _ف^ٖ `o tA{`LOoP !T9}({NJT:GphY4ļo[VTO^V/#1_+ho 3d- +G@Lxf4+>,:Y (EmJ rd- ({G salt@notations.sequoia-pgp.orgP7d `GcJKIperKzt !T9}({ibEIXWJ= QZ+]@MN7tgJչfHag)8d- +U@4"ԍʤXl%#IXt rd- ({G salt@notations.sequoia-pgp.orgCM#ނ]TpnC\4EFcAayv !T9}({'>D.{5'qnX|`̀b2GG]id*3\2uJn8Q L]JF749E746EAAFEB7A634BCE8A4C34BA7BC16F86B33d- +G@Jΰ%'(^oW5_<6]  }d-  L4{oG salt@notations.sequoia-pgp.orgLQ"H}0 e") !IFzcKΊL4{oL(t@NJI|'#\B?iX!E`Ҿ2 zɘ-q_i^, ªu[hp9Q\l8x4|4"@,@[6M !IFzcKΊL4{ojL} F*NPq8 Q#PʒZ'$W[;R2y ؋"f8d- +U@]吂edjlB[kl(pM rd- L4{oG salt@notations.sequoia-pgp.org g7bPYdx^3&yn!wG !IFzcKΊL4{om*. ; ۏՂ5%l_\IyJ(Gw<3f |R g 3gI]DE1C12525BFAF4F092D109F2152B7186506DCC4833d- +G@bÐk&0N)~ZKpv2  }d-  ReăG salt@notations.sequoia-pgp.org -mQ6FcنF$< !%%O -!Reă[6Χ<] צm 'DRen9"F yqg 3 tamara@fake.pep.foundation d-  ReăG salt@notations.sequoia-pgp.org#:̟CxxGA c"1u~Pu !%%O -!Reă`͍37/OY8=ygҜ.m]ךлNg&RF3d- +G@Wn#ϗk&gӅ%/ _ϋT rd- ReăG salt@notations.sequoia-pgp.org&_gƌ3nk`^OkOx@t _ !%%O -!Reă%k@?6l̬x"1{Ҙcsޮ].b,*LV94DUS'̄WHmQ !%%O -!ReăѡVOT#jdKԓT,R7}y^۽;A z Cwdk> 8d- +U@J:<,l**I~F+5[nF$p^  rd- ReăG salt@notations.sequoia-pgp.orgPT+hTD7?$o7} !%%O -!Reăn;@AMh/3;b;>1$LߊE4蘈?I4>3\:&|J]F2349DF0D7DBD60C6C20453350553D1E9E9AE5C543d- +G@8(0 w&KZ\ mR  }d-  S\TG salt@notations.sequoia-pgp.orgB"ioI`P%Iw,+$ !#I }`S5S\Tϟ*w6ɣ/)G+.$Be` jE,iW?sabrina@fake.pep.foundation d-  S\TG salt@notations.sequoia-pgp.orgaj7bOm.GbWݾ%;c|9W !#I }`S5S\TSSU B/%e8xU҈ahjj H[O(E3d- +G@>սEC`Hc2 rd- S\TG salt@notations.sequoia-pgp.orgG f]PrqJ+Z^ 9OsV).S !#I }`S5S\TQ?^03@d ʐ:3c\U)a*3S6|WI3d- +G@`,b;<%3J|KP*"eKuN 1d- S\TG salt@notations.sequoia-pgp.orgz/9ȤkT{Z͘wō5:6;%s od- /fk@G salt@notations.sequoia-pgp.org6FXN0o|qhG`.RMR!ྴq@/fk@yCɺfat}[$*{nuOh0@ IjJ>`y !#I }`S5S\T^$#b J)հ՘Y&9 V9~";Y]8d- +U@. ׻S7$amզ*͖g/V>5= rd- S\TG salt@notations.sequoia-pgp.orgF()AjyJUC;8 G3  !#I }`S5S\TPG?5zB12٦ T 3̆r K^c^UU.ΘQ' f 3fJ]FCB4287D637F9BC0CB38F978AEB64F54F552F0AB73d- +G@6 R!tŲub0 x  }d-  dOU/ G salt@notations.sequoia-pgp.orgeb>COyОR"dׂ !B7 dOU/ =4w5ݕ Z|:_f (LSHvԫ?d새q= \G{펡rmul17l !CLq.keG5 hG}DvA()1s =ڞUu,x |mc]<|]p_6QP!4TI>, ulysses@fake.pep.foundation d-  G5 hGG salt@notations.sequoia-pgp.orgÏJ/lcǻZP#-} !CLq.keG5 hG&ˮoΠz%bT;/2=`(#b3PN2X4Gl4>#mycat'TkA3d- +G@du#T`}ZoșI"U_NB rd- G5 hGG salt@notations.sequoia-pgp.org%0R+d/۵wk(uߔߍ !CLq.keG5 hG!ȓod7V:ـA& f E;ӧX{3d- +G@/rP?Yoz=.i$ 1d- `3v G salt@notations.sequoia-pgp.orgcݮϻV& `+K od- Ak;}G salt@notations.sequoia-pgp.orgV ݥOe4#l(^4=|,!K ן7Ak;}JH.$ˆr9՘Պy5_Ō dض: }.!ͮ13IR`3v K8PK %%Rr{4m!_M2ͤq/šrus$E3d- +G@ ~jxIH K3 !ͮ13IR`3v {d*I3}2}(o@7]>16+ šrA`y||a9 8d- +U@#BCf^[uYѰ[`|3gxF- rd- `3v G salt@notations.sequoia-pgp.org[4YQ/#wCE70`^< !ͮ13IR`3v -y6'Wj$KwZ\dzg1G+kPJDzn/t)I]D9BC60CF498E584E5620014340C099ECDA62431FE3d- +G@;'!PRH) \S13  }d-   ͦ$1G salt@notations.sequoia-pgp.org0@iDž"xG3d- +G@3] 2bQt&$iicP 1d-  ͦ$1G salt@notations.sequoia-pgp.orgyl3k̽VY k J^E| od- C>!G salt@notations.sequoia-pgp.orgm*9CL(]G4N͓؄Yz3!fP4e3C>!5 ~ X@QD]h Ƞ?Ǯ}w3;\FEE!_e\EXo ! b4 ͦ$1cgnA}&J0O'9coG6o*aDB4cYT]8d- +U@4E :q j9l[iTD޿ZG rd-  ͦ$1G salt@notations.sequoia-pgp.org$ 쪟2a'O&_4a< ! b4 ͦ$1W)IYaI{ sIX{ 3AC r v OhXN%ob? i 4iH]BB5AAD4575B2988D99E3FB3EE973EE71028459E9A3d- +G@˜lng>hjN]ٿ;g}mTwo:^  }d-  >(EG salt@notations.sequoia-pgp.org+6 ##h1uUOz !W[)ٞ?>(EW+.owL 'u/B"5 Hc73OR0,(Kjxenia@fake.pep.foundation d-  >(EG salt@notations.sequoia-pgp.orgu,|Eɢ0CO:~*2w!Z !W[)ٞ?>(EX\̝] u Mpf&X6ưNi5% I-넦 3d- +G@ef|m2[Ӌx\2/žQ rd- >(EG salt@notations.sequoia-pgp.orgb@|q>dj,8_buW_T !W[)ٞ?>(E._ VѩOLZsmB%+|F{1-Ԗ\,~'|:3-]մ 3d- +G@]lcbJ2cHK!3+vRͶ 1d- >(EG salt@notations.sequoia-pgp.org;f]4Z"AvI od-  mzG salt@notations.sequoia-pgp.orgzcZ b*:"P'Cp`J{ [!n | mz`k0gਬf  n=,mH(x_A2! 0T> !W[)ٞ?>(Eoum"gvM4{D"stUP2(~ñ6]!=PP;{rX v8d- +U@;KPZ|g1Un<WDON rd- >(EG salt@notations.sequoia-pgp.org:Ĩ7 h;3-مap !W[)ٞ?>(Ep\Z`αO1/`1@b .VRfALը$e}J7K1CDI]DD27B4F82C717A04DFF3A986489929D075908994E3d- +G@{R8&`cʼnny>oU? !{OM:dYN o\1vң32` uwa]́sfp:BV/gZ dp E.2+鑣pxavier@fake.pep.foundation d-  YNG salt@notations.sequoia-pgp.org֠(nYiR~Y-6^Z*ECEm !{OM:dYNKuZLyOXF%;lY=x\2ܫ ear p 3d- +G@S%gK:a#ޖCL*1# rd- YNG salt@notations.sequoia-pgp.orgIoF~",'ՐD !{OM:dYNehh@Ny|ʋ|¦f*ma st0^D(0$Zy0 3d- +G@܈N?]lyAp5ܓNB$[Or^ 1d- YNG salt@notations.sequoia-pgp.org<ġXyS}7  od- yA^HG salt@notations.sequoia-pgp.org=|3 ..` izZ"@~ !%YqyA^H/!#tE?d1ƨ=yȷ@&zZ'-يZ_]m/⺉z!{OM:dYNA^Z#Z~bS#><Y4㘏CH!nHHھ7߅8d- +U@-]q8ncqYnZ']]7 rd- YNG salt@notations.sequoia-pgp.orgVȓm2~)DY6tQ}*00 !{OM:dYNDWKǑo7\`"UMTjޡZ;&Mլ@E$3d- +G@Û;,IΚsfވ}oUӓO 1d- aU5#G salt@notations.sequoia-pgp.orgI,q$uWIL|{#qU] od- #G|^\G salt@notations.sequoia-pgp.org7X]c*9w(ڌqBDO+XU !6FFv㲇D#G|^\QQ=T?iVokUI B̭e^9]1chCK v !zurvq-+aU5#qfWS2|KO}X!"b%>I*bWmdw  Bnch*2!eS 8d- +U@j1t2ɾvY s5 AL߄# rd- aU5#G salt@notations.sequoia-pgp.orgb8xDYYX{g"nxM0X t}&WO !zurvq-+aU5#LJ5T{` ;yDT=)# "|jUMK"$T@'4 G]@4925E278E468D55BA68B3AC49E1F03BA787E31EA3d- +G@\r@OT[3]^PQ}  }d-  x~1G salt@notations.sequoia-pgp.orgAƔRs u 4"o-kߩ~8 !I%xh[:Ğx~1`,5:巚ЎqLo<>;IU)P jݷwn LN0Pyoko@fake.pep.foundation d-  x~1G salt@notations.sequoia-pgp.org+nq}h[1M'_H}Bwz0J2 !I%xh[:Ğx~15ڊiУp4w!ǩg6sف ('iF+WlvE34V: Fab.3d- +G@*eK&YZ){SDWi -Cm rd- x~1G salt@notations.sequoia-pgp.orgf`\=# ʘ>ai4}dUA !I%xh[:Ğx~1 z7MaRŢUpPuzȲz n@Pt}A>lց~zR 3d- +G@7u[eτdyA\Ɛ  1d- x~1G salt@notations.sequoia-pgp.orgP#pfPϴw{鉿+* g od- jG salt@notations.sequoia-pgp.org͜GBX)VO`ym!P ~M bjTI!FD঱ψw5t̍?~; v b]J .5 N߳!I%xh[:Ğx~1x?7Śޙ.--:(wbP,k&Ģ [TR)=' mʝC8d- +U@:֢]G{ΘTw"y˾T*O rd- x~1G salt@notations.sequoia-pgp.orgRaSK{QV$M3Qz|  !I%xh[:Ğx~1.a<ɔ7;P.1rvW/;J_hsaD+i}H-1ĉIڕ( f 3fJ ]FE4C1FB98268170769154C21BBD1637EEB34E933B3d- +G@ +1iM*B.NbtCKya  }d-  7N;G salt@notations.sequoia-pgp.org[&ȬIJƷ9dgl !&pvT7N;" *1ùiv,a^ j[L1ߟ}e" _~dF L~y9+zenobia@fake.pep.foundation d-  7N;G salt@notations.sequoia-pgp.org$wia!/Qcݐ?n搇(QwR !&pvT7N;Qe+ O2+NNᗯ! 9/u{c¾ ԸCSHS喵Y3d- +G@*[:2b\-@>"r0  1d- 7N;G salt@notations.sequoia-pgp.orgvG6 =feAO/o"M?䧳Ʊm od- ^hG salt@notations.sequoia-pgp.orgB%&`F~]~r͞r/*!`i7 E,Y^hn=Fo~oqV7;PY n7(3\?ϯ`S ZOfi!&pvT7N;6@39o My]Bl#k`%'xok5a~;jW0V@I_dIb3d- +G@aX_`h3$m J rd- 7N;G salt@notations.sequoia-pgp.orgԢ Z.DM^MM#o Eۏ⿊ !&pvT7N;Eb \Mߏ( KZ sKY[2Zߵ"$5  JI@8d- +U@u6e܀ Nwu rd- 7N;G salt@notations.sequoia-pgp.orgNl'Wd>޽FxW;^&ܠP]O !&pvT7N;{rۜ}]#AСr^ K $2ΓW,bKinth="J]F2533E4E13EC84A784DE6F2962C3E64162620C9783d- +G@M+u VK%:Đ `:=Gqԓ  }d-  ,>d& xG salt@notations.sequoia-pgp.org?qCDH w@O;Do !%3>JxM,>d& xhv2+L~sh>7 R`1Wb(^ksjh~gHzachary@fake.pep.foundation d-  ,>d& xG salt@notations.sequoia-pgp.org|857i;B3B} LF !%3>JxM,>d& xV1_SůE]>;{¤Ɏ2'6H,Tc1,F 3d- +G@ϛ={ID K'uc rd- ,>d& xG salt@notations.sequoia-pgp.orgo=JozƈhtM#.F4+$p.{ !%3>JxM,>d& x|6r\&ҍn.)XtT#Ea9n{SGuko@jؠ9\3d- +G@P;=PƏ;  1d- ,>d& xG salt@notations.sequoia-pgp.orgwm~]> UR{B 印V od- zzp>G salt@notations.sequoia-pgp.orgǝRj]6[գ֧0?!>%!&={kvFzzp>&J0eudz*yW urO7!90LAԮM`x.c_9Y !%3>JxM,>d& x\Ҿ^g4tz7 `@ [H'îb/WlGyO.7,8d- +U@]t<&L'e  }n rd- ,>d& xG salt@notations.sequoia-pgp.org҆|glIٖ.l !%3>JxM,>d& xt%hGo19V汖0!__)U E\WC\bd^F,Y5˞j| #FN W  @ _ ! g ) o 1 w 9>-]EDF969810BA5194CAAB978A882B9A6E793960B071ADFC82AC3586C14>-]E6F0D74501D65927507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]F411A72A5C89092C507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]D9D4C006F09088D108C6A9408241E6ED99A0A2767A6B35253722954D=-]FD289E27C690EE4E8049F106768CD5D6374645F3B0C0ABEFB3892D734=-]F300560992B840A8EB4750A0B0A0F558ED5F768F8B893A26133B3F66D=-]EEE9E2E4D0403BA27A757276DFF48471EA032D2B98611755153523E6v=-]EB64F54F552F0AB7CB4287D637F9BC0CB38F978AEB64F54F552F0AB7]=-]EA301A7C9A893815CDAE31CA330249BC5284C1F96033761A09D517DFg=-]E8F03F5A4682799E4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]E7D3FED35EAF68B9E4C1FB98268170769154C21BBD1637EEB34E933B~=-]E572969A4BF0EAA1C11BCCBB3F843593B8975AFB958E85734EF0ADE0+=-]DF5F5C00DA897592B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]DF466C19D1E09129F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]DECD473509E96847A2439F4C712EA9FA6B65BC17DECD473509E96847Y=-]DE99B5AACE8010449C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1"=-]DD26BFF997B128D0C11BCCBB3F843593B8975AFB958E85734EF0ADE0*=-]DC5BFE32065BD8C19C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1!=-]DB24D05A4CFF4204E1C12525BFAF4F092D109F2152B7186506DCC483W=-]DAC435B561D44E7B04880CB55875B6548C25C729A00E4CD660454746=-]DA4FE8ECD8365D6E912E63F55388D9886151101CDA4FE8ECD8365D6E5=-]DA2E401BDCC261401CF1202EC58B5514EADC477AAA9CAC9C7B935A45'=-]D8D14CE515A328015C55764028BE2DD718F9DAAAD8D14CE515A32801==-]D49FD2CB8EEF91038A0293871D97E954B8397DFD072889CB0E82D77BN<-] D0D1AB8DA16D8D79B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CEFC4DCD7DD09BF9B5AAD4575B2988D99E3FB3EE973EE71028459E9Ap=-]CDFBE06BBC5F6D292349DF0D7DBD60C6C20453350553D1E9E9AE5C54T=-]CDD45401DD0E759FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CADEEF67FAADD95104880CB55875B6548C25C729A00E4CD660454746=-]C96ADEF6A2CCFA984925E278E468D55BA68B3AC49E1F03BA787E31EAs=-]C48BF850A5E9C611A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]C25C74A408C599D8CB4287D637F9BC0CB38F978AEB64F54F552F0AB7^=-]C1B27AC998ABABB8F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3K=-]C0D868F1963180D8C11BCCBB3F843593B8975AFB958E85734EF0ADE0,=-]BDE25B8E80237EE2E1C12525BFAF4F092D109F2152B7186506DCC483X #FN W  @ _ ! g ) o 1 w 9>-]EDF969810BA5194CAAB978A882B9A6E793960B071ADFC82AC3586C14>-]E6F0D74501D65927507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]F411A72A5C89092C507212E4796EFBF4FF8E4B1BF411A72A5C89092C>-]D9D4C006F09088D108C6A9408241E6ED99A0A2767A6B35253722954D=-]FD289E27C690EE4E8049F106768CD5D6374645F3B0C0ABEFB3892D734=-]F300560992B840A8EB4750A0B0A0F558ED5F768F8B893A26133B3F66D=-]EEE9E2E4D0403BA27A757276DFF48471EA032D2B98611755153523E6v=-]EB64F54F552F0AB7CB4287D637F9BC0CB38F978AEB64F54F552F0AB7]=-]EA301A7C9A893815CDAE31CA330249BC5284C1F96033761A09D517DFg=-]E8F03F5A4682799E4FDC731D26FAB6E8EAE6993C637DE61020C5DD1B=-]E7D3FED35EAF68B9E4C1FB98268170769154C21BBD1637EEB34E933B~=-]E572969A4BF0EAA1C11BCCBB3F843593B8975AFB958E85734EF0ADE0+=-]DF5F5C00DA897592B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]DF466C19D1E09129F29B751A3123A1502E5C0665745FB6564FC5F7DC =-]DECD473509E96847A2439F4C712EA9FA6B65BC17DECD473509E96847Y=-]DE99B5AACE8010449C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1"=-]DD26BFF997B128D0C11BCCBB3F843593B8975AFB958E85734EF0ADE0*=-]DC5BFE32065BD8C19C1CCC07B3BF48BEA0278E93DC5BFE32065BD8C1!=-]DB24D05A4CFF4204E1C12525BFAF4F092D109F2152B7186506DCC483W=-]DAC435B561D44E7B04880CB55875B6548C25C729A00E4CD660454746=-]DA4FE8ECD8365D6E912E63F55388D9886151101CDA4FE8ECD8365D6E5=-]DA2E401BDCC261401CF1202EC58B5514EADC477AAA9CAC9C7B935A45'=-]D8D14CE515A328015C55764028BE2DD718F9DAAAD8D14CE515A32801==-]D49FD2CB8EEF91038A0293871D97E954B8397DFD072889CB0E82D77BN<-] D0D1AB8DA16D8D79B828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CEFC4DCD7DD09BF9B5AAD4575B2988D99E3FB3EE973EE71028459E9Ap=-]CDFBE06BBC5F6D292349DF0D7DBD60C6C20453350553D1E9E9AE5C54T=-]CDD45401DD0E759FB828EF1F203645DCDE9C37B0D0D1AB8DA16D8D79=-]CADEEF67FAADD95104880CB55875B6548C25C729A00E4CD660454746=-]C96ADEF6A2CCFA984925E278E468D55BA68B3AC49E1F03BA787E31EAs=-]C48BF850A5E9C611A20EF4E353FF61FF6B8B401AC48BF850A5E9C611=-]C25C74A408C599D8CB4287D637F9BC0CB38F978AEB64F54F552F0AB7^=-]C1B27AC998ABABB8F749E746EAAFEB7A634BCE8A4C34BA7BC16F86B3K=-]C0D868F1963180D8C11BCCBB3F843593B8975AFB958E85734EF0ADE0,=-]BDE25B8E80237EE2E1C12525BFAF4F092D109F2152B7186506DCC483X  5S"]V08C6A9408241E6ED99A0A2767A6B35253722954DM]Mɥə*T7CSCo^kX^vBCX *iʿxY@lW͞/ܜ?_ݥ4Au90^&Ieةʚ>@RZo4bf%EwDյ Yta{SQhgVII{^D r74їtxC-z\uHX}}Mk_fq˜n韷tA,'l2Jg>)P-V(J0!_JNKf{H2 *]v dfL~}$-S 0cyX4]h2 i.UdJ`%8G07Щ.u/El'seݩ&i[W#q[Y~R~aq"7AB= 0h,VWkJ2w\ep1Y3W!C2So.@`Ox2uU?Ԙ-},bM{o*LLuca Saiu (free software hacker at pEp foundation)  8!Ʃ@A홠vzk5%7"Mah    zk5%7"MA'>j:.̌VXsaY=p%?(Jب;R*$p^B9Y8[g7#;A;A5pymb ni\oy\~A U`dg '{`Y製Et6[l+9-] e4Ѽ׶8dyo'*-Le}H9CCH[#Sw;뱸5`=m+(gu@lVa/!R=қ<7,w3 *6Y"@̔Wd'SM .28:j=CoAn!-GeujZa,91>ls.6S ]TMZ@zN,N(Oŝ`[5Gг/ƷIPFSJͫ<[Luca Saiu (free software hacker, GNU maintainer, computer scientist)  8!Ʃ@A홠vzk5%7"M]XS%H!]B6C36B5E1ED2B4B1D06CD03FF5D5025F89BBA7A073d- +G@BvL"#Ji.%.7^oO1q0eG<uziggy@fake.pep.foundation d-  ]P%zG salt@notations.sequoia-pgp.orgU( ,mEr Q|kSqܱ !l6+K]P%zXt:Z"\Z>PzNbwegf,W , 1d- ]P%zG salt@notations.sequoia-pgp.org`ۇCé\C2Gu od- #!J?G salt@notations.sequoia-pgp.org4?Nr$ޱ0G?af4_!}x%;#!J?ʭ^jzݽ_K1Q[RDԨ;D@_fOay9Ojxڶ̃q,[!l6+K]P%z.wdxI:j0Z̻lM1$4$Zd-ai! FC?23d- +G@Q}'ͤ/*#l~t rd- ]P%zG salt@notations.sequoia-pgp.orgi ڑzYcJ !l6+K]P%z@l@BҳZh퓱$z5{^OEAA_@bm_JS;5YM܁8d- +U@IqYi}"G rd- ]P%zG salt@notations.sequoia-pgp.orgZ,vہoJV ,/҉{pƦXA)#u{r (&q2MF^~z%vhUoHFA'IT(i:ҖWz|hjz2f5dPۖ8r{lu%0~$y8Mk{^x$soRԖ:q̌?ham2[rom"cg8W"4V.n6`"7oK _hK8kԈ[i,7ITsbjs|$%r`Y*?laMPLA^[7nG/!~Ӓ#J os6]}+Ȑn ?yIjU?Ԍr@uTq6a4p2#넱fלB&"8_V+lYq,MBH06\rx3uģi& Gϸ >) }1 fSkFYxsXm#D)uq&duȹJCmɆ떻݋)#*Te#.%xЗnig6ٴRs!W\,82>#] >#O -~' p ٜxlf`8R#U75c}>]9Q' ֏Ln$/B}=BEp XD]ZnvWHF|S% R^D:;{z1~]_ 7lt=m]~01&TM(ցsTQa.,xASpxהW/qWI, qj$T8? 8!Ʃ@A홠vzk5%7"M]U    zk5%7"M%HJ @n44wdw-V-=ITTH&.H43[Go-W2{@TU 3mjHC}[_eʈOĊ/8]Ծ4,ꢽ ?ڐYt (PteRXlw`tظDbqR-Vy>2CGzb^^9̆ hD7rFA1 +q #irP2)f!z seoJ`c樫60yHM:KD 5-cДjަɟ7ceFF,S o Sf[ٿ#oӄ =[B4OnGhk\NkX\ЄgO= < 'M'+-߂79 l>֚6m(fI. q%F' Z1 -PXԉ2H_/Пb!s !xE +*C5] *C5O몓oZ0BE5Vr"?y8K^2"pľCi@ &֡-QjI s 5iP$qVyh/a {B/G~7#j"5H G}!JmN1vx5Ay>r-e26:=qhүh /IA. } y{=x`8*KKvj'xG۷tqu}4en l;l׋^ a$ yJBL2c.lW246?AY7e(;!½ՌuRp-w'|"SQ۹Ѹ )SSs ~Egh xa!"֊$qSMUG=VzJVN0hp[`^.ЉLx aWbݔe'*bg+nFkv[JzP7Y:s!W\,82>#] >#Y7R[fH# .̲HAK+s'I>.c!]̠<)Cf4a;q_[/S5怱acYяK1gz/M l Ee`.7=xq W<{Zr5\eNv}(-<%3D6YngGPJF&˽ěXg v^J׻'P,/d+ ugMп-&p/rk-|ml S,!gߢ㏵TX>X85D7ݡm:<@;aǮy9ZQcӑڕ"s rUiiPɂ׭1Y2!v1tqqwqvf:=A5Ẅp!. 6RasDKupbNPFyjy(nˑ|Y?ezR6?svD)Wkj]!r.<3&҆]X 3&҆DGr&lj]/y5/!!eUFZ!"x༏_n\Luca Saiu (free software hacker, GNU maintainer, computer scientist)  8   !Ʃ@A홠vzk5%7"M] zk5%7"M)U H*ҽ#I1LM)|oMG֊%3X?e䜫(G7һaR`mXު)iF@v0cXU G _!GɈZK!տx$)R,еkjkK\TpPxg)sxkW9^qFԬz L/U6YFԴ-HFQ?'ILQPmtOSAOUT*`*ת <> 6z2#jHai!>sBGr,GK"P,XJp;$FƋlYПk*wEZ(糎{֝@JS TKۜ'y/DW;L{^=BJ)&kyf6O R +miJN*F1;RD̫>:q0?R,I8fdt.[P2~/GQ k5(o3OM"*B[W~ 8!Ʃ@A홠vzk5%7"M]M    zk5%7"MWڌmC^q9Gz#tIȴQ$M±\ J-(mPHXӈZXcY:F}lbeŝp8;sTP[юC-pdrւ/< U7ۣ1?3gG5K ," TX'0Rz%yNh>r }8{Pr$u#6d5c)3-wQ{j]W 'n*Yŀ?FPEEx͝}" \,qTI'$w;@6hxr)%(@忙$ioֺ?R>& Z4F%zD95Ր}cBgBg)=CM8@9wV6qoߠ>jϙNnkW |(.]ŀ/m?<_>ϻybI 7½ ^a6Ռ[s !xE +*C5] *C5l fn֠3qz}u`E ]:f~`*vtc)nw =㝅Q=IY0E܉Z7yDo[  ݾױZz4t|M pw es T9`zD:Sǀ-uV/W$p"  6ak+4qTMo[V ,sfM{܈ݽ˅ -xCgo76q&f9y(#_?q_+3 =oʲ@2ʺtqU7nUEi׈"Z4*=BmScO/K:/Ax>KHg2k ({=Ymހn ==$0M}Nd+z5-=蕾#ᒡV_=ף+{RèOt"Km]d2I|p%ٮ!]M#] >#0DJ]vҎ8s)ik#ޕW`~77 ;WF/(-DUJl_<5u/2wg^U@ &W2`]1D,3>Ḧ́@-SLa2!4"5CwBQO l,ڹ/շ,mYXӗŴ6ya;bRm X_ qjW\\}wW 2|0e(5Vc^M(]1X8ß:Vd?Y`w<׼=Zt}*\{'U^Kn)f85\FIN4 !R~l7F/h A>Biu$zgWFۓ7Tzx ϼ)Q9,n,[ȲyUZEBhÐm:LvszBkufmE*ܥ_W3pMp '=)Z˪ *DUJ {O s WLuca Saiu (free software hacker, GNU maintainer, computer scientist)  ;   !Ʃ@A홠vzk5%7"M] zk5%7"MĀ'DLt]ބ4,j mbn?kZcIPc>YV >/@J!cQ =?cRI PKG=["zFvd J`-+%Yi٘Rx^ߟ~&6LK臥QzF<߹=H%Cwg'1>e<%L(oЁxb>$ٵO6S|P'.3EF!&gW\1픽6^P)q2 Z;@1㨷p9H!MS#Ͽ }76#qHrP=]E74=} N\62DF/ySe9Rbqt -9C<*oicIx`nHp7,? 4 < }>~nIhrL;L!F|/۪]}QCxān=Kϵl1w4\kªۥv\6|CC[ ;   !Ʃ@A홠vzk5%7"M] zk5%7"MoPk&P[ w:׈^OPDə@N"NCI: $3 jpm!Ym C]!(]hҠ%j: Bzᙈ컑*-uA>3 ͩB!H`DQ :D!eYjqZt;^8S#RbTE&<,8":.=\yY>ˡN^8Py maC|iGɁ߀U@%=M[UܛfXq;eM)(Rn'7{?+8fj~+"&PUֈ4 RN-<˝˂c*q[nڊ?acÍb}](_E̯ w* YJ˙ZrfTij r'{at;lqb8I;i{[\ֱ̲CRzwC'=%UE lWξFL%|' Kl iVssƺowuJx$!CQ4ss !xE +*C5] *C5Khɗ{L[*8A$=O'.ar;R ծӎH̕=z_Ƞ(^p@흞e'[V"A*Fyv5|߭]vA/%}7wsO&; 0- Ggs!W\,82>#] >#u$ !傯-~%;&}PW0QXL*P uhT͒l$8scןbyt &M !Y$ٓi$xK#O!0ë(();gucFs@V9<%zy6~hʾA.;5Q3 8!Ʃ@A홠vzk5%7"M]U    zk5%7"M@sv&(EI?h`C֜ZL/.m4:Su-wT$4* ?LT(.1i #DeaHm 7Su^Q8c]J~չi#Qug-n"(p*}}(opGAve*MNݸz%y{`9|-/^¢<,%!ۘ)F:j yd\J J|*9Ieu\1ZqL"i(r:)MPEfܶ>H”%+5$9҃ӜcjLVȜWyaQgכ+e2^/1DF+s !xE +*C5] *C5F\1$lltH5 NAǗ=hΎLAR ~ut2H%=%|944]a@l",kH3 P)7 7\hb9 ?f4je{!wklzqWlR\t7=O tlK/Rhg%.J;/1lXW[$QlM]agX"y0ǫzdJ-\ m<BiϷ*炏@۠6?v0K kbmF`XO(JӉ|憌[U:0ըUnh65(]Z4([o->vDtB?r;-IsӒ Hx觍+`!+~_IơǗ ,9 f,/C}鼟(ww,mgw>V{P6Ғ䚘Eo7t2)MsI" s!W\,82>#] >#T2U)lǗT !m\]ڶg iE!heoptj׻itt @#b)YMv Kiv.MX1N{髙L8kSWgO a-L`9{]$yuTUQ!%4֟E3 )o VY ק?іZ!X\FS^7z$)Ԟ lLhVM<ɺ|s{u벓IIcz:f&ay [LU #5ͰE +l_ ^]LRɚѰߏ噲t q!֊4E|@h1AΞ _[FLxy@ JMÐsflTQ s66&ؘ|`UekOͺ ~֊g)*(\*H _,HSܣA+l>>:.\]!r.<3&҆]X 3&҆-xC.ߎs΋ARi0Bs\P^eIе Luca Saiu  8!Ʃ@A홠vzk5%7"Mb_    zk5%7"M5#am\ZLҶ|TZc[x'n@o6? oue:w6Sm ~׶`Qӌ[i[ZDP?A{nt4h3Q83In[ed.H C pwF0y8EWņO!T֣cտ[ r$80I.&bo zyM;FK'RY$ALK/瓛tC^G ٔ8({/47 IȉHS)@:og]!K)Ep hN W C2{&ͯшV Z}gy7ãț'7$cJ=^Z w~Nk6wr_\T Fvh;ilG;+d6_Փߟ9d׎[_+PughKq^~έ7rI!ؿ0挒 Ubw5O,PLuca Saiu on mobile (do not use: only for myself)  8!Ʃ@A홠vzk5%7"Mb    zk5%7"MAؒK,?l#%fߑ+,V{zzQ۝OZL 6p$Yۏ'ra􍖇qfYky;pVw0k(pm90ERhxEqGIZz2O ]r|ZV<\n^BV'F M{d>Q}sKb* lU5 繆&"V m_WB@lIK9mZl1I򥞙 8xwc9tWBȊ 9M]VkP4c^趎e2({=+Ѷwwqz.p50o⊘E# M)\oa > Ikj-&DS,ͤѹ̢7F'a̫Fذ@>AuC1VT#h3:i3Ց;g53^7AE*h)>`C:})'3WBG!) [PEc',VfC`v\ MH»9yZa=HRZӟ^H`yHNL^P|R޽q(.^\{ǍiL XE҉;}؆)S,QcÀʆn81PV~|P :%+499n7Ry譳ie_oQÎ}~7Y]U ]I|ވpn3YU)v4K}\m`g KxM73MxH=v !Ʃ@A홠vzk5%7"M]V zk5%7"M=(B|הt2mdD3scؕh#GU-4w_ÃU&Z%CCBz58"B1&x#~YXړF/'Į澄cuvS|).SvOgTU N}̗An="O;YМ[-H#"HNOe22ykSս04hۆ8Cq؜JҘNZ ڃboXn~m{ʉ?"X?/ O.J_ O+9I,<:z/?"13NBx!jkU(:: 6MRi$Q᪆|̪Bj}F` LQ1o^Ep&/߾ۑ!SI>vmt@[Z#OYU;Xh/bo &LY%'H:p){l5D&+-S*\n}6y^6r+5+ J`WAG;EPM]VǔكnK7І%(z\bvBmTy1 N@+}IJK:P}T,q^-5ӡm O,Tşʑ&x6#G d(hŽ@#,ql8;0x [$}RN9$AŊqr À͉q0C0q#o>X5Sì !Ʃ@A홠vzk5%7"M]V@ zk5%7"Mt  !ۀh9a ]V /SF(facH;Fb*![wfzM/ya(WspxX}MЬ=9l<'Q֙?.B xʉ ʓYºfǞEѨ<&'hIG"p x P5&7H4Ԍ; Bj Ӝ.)j"R=>*PS|n}@Q¹"h9 Tr-^MNC wq;Hľ0k O!*s<42:RGeM@ $VlK{ږho{4bPrM,A:}u(fAʤPf$5rKtnoɛE<7XSd_WrG&uO[NJgϯ*d+%+-J~4f4`dƙF(1o3E;h&jup&ۏ@Uf2臖50 miBQb}lq\Őv υLG]>|KU{'Vxtޅ S(4_a*x1Qxol74noC4cftt5,s k)xq}0+~ Epr`l^*q`duLRb" 歠8D]lFDr[)cHșf" c<ozm8ʮЬs٘}[M7~ V)"T* z(!~jXGr7l:Ov(^sX7ýOƸ)5A&N!n+[Y5D0uр t%WZ"q RDg/&IHcDXz|K㑚b(7PLh>_&1 j&B{]=  hfTRʵ'TzZl\{91"_qI*T_+ u6gXlF8M]Me1[A[ɭI\#LҴES\܇n{m]xdV: zw@ +IeQM~ߑZkNa֛$*VR1Oc$ P&Hu r\#ѴעCQ< ` !eJ#y![B&J!/GvXh>ߦ"?\,y_Wڒ5JnUzZ9TEs Wa}J+d9$&~+j&h7[oH$+n1egc>%uAkڋP5߀5v:A4{@9M(R%2n quiݕML=U_~/IP!("-BFa83z?V$h? 3=NIZ_mOyjFU~By3?$Ó/\&ى`4Si%)fiQRUmxv !Ʃ@A홠vzk5%7"M]M zk5%7"MpjUXkb|sWl${"aE^Sw]@ Sz"Z~@*ժiXOlۿ"ߠ1Q-5F(}:]4e΃om46eekp8d,']>7|i4v|,J~ S b^ynBą*>Nb)Mv.\=נ_vT`钂J1X [q@Eq"` zp h+USq{__MjН >"in  -o 4#]507212E4796EFBF4FF8E4B1BF411A72A5C89092CMb59ɀXRJ]j_%t=\3LSgx R\wAy.GXGe--P_벙="`v p<74L82&Y<`K,԰{Nc$Ƌ|FD쏥v$KݮvA3yK,՘BX?FaώO I7.ecm MMkLsI* &Ϻj3EsGf^sΩ| b59  *\ ,G salt@notations.sequoia-pgp.orgEktB'$@Z?oҜΞʃo’WTƸl֘ے)v({)ဏS$WobEVLHW2,Y["b$fJ06nG& ^!@L*un0"pEpUserTwo  b59  *\ ,G salt@notations.sequoia-pgp.orgn8 Qrwį$9K_L=C !PrynK*\ ,6$bȺ,ɼ|xh(]j߿M|L6zhF;蝬Ai=^se$ ;JD#)^#iIfg|-*B4 }bU{:7ܚ(aںLPŽgCɽ> b#K`C€,$u3mO"pArtrgtR !HBgnD= egjp`v FTҽ(Mb59X۩ +Lч @_-x,ŐՇY~%h>[g^pPFrU٨S)@8u|'n /$ɉ'"0Ξ|e}~/[ZdLO~1BbsvIVB[f2~qXi# fXe1b|z*l ̽SxshwX/Bi[!M(Jy;ވXnçȋES~{?t!B b59 *\ ,G salt@notations.sequoia-pgp.org)#b_}u\A@{Q Um膢 ob59 ?@(G salt@notations.sequoia-pgp.org>Pdf;} "=pX؝zE!(.{9`Qy9b?@(h#@ ?NqGALcl-Qt=A `$ 7|7'.̽Cyφ9 %!PrynK*\ ,LC`Gd:UG01*sfJX7T)l:iFEt* l'$Nr.LXX\D",d~jْBD+bIVr3'ͥ_ɮoҤ"D[D=#6:^nyqa}: F{QI7qG31L ޒd)+4o;zg e!s c^$*(bF Mb59&Q;؜H# ,CSYR>X&Հ9:^lEMs ՛f&߀O>>otvCCcG_@xyugEHO4W`փrC3ia4V:|sG U-cOT2拂›0ˋ;£ F嶷tW +ߙSxC/P/3p?PMBlqUoJ(0 &S|!|POm>1Ak xb59 *\ ,G salt@notations.sequoia-pgp.org#c}TڗFj't>pJ !PrynK*\ ,J @x:wWP8m^iy\oӻfG]j8I"۔j)KfZ޷y爀=O)Ԟ/Kv/6^LSU# z"xĦ㰄lx`(l7*+OKF.Fc˷VpH&AhyP#r͙?BU1Owvwn`[#Bd:NM 6$]10E37AA3BBFD3348CF9AE3698EF85F1B1E37396FMb5:E"zKZ M N]֨S8fBPh6$@$Vx+]d5LN1nB-x\N¹G]礛=!$- Z0-65$7^>߇gd~RZbJ( m^F f3|ʔ1ZLMgdaCez|n8,6cwhL`#*=,ׄx`#3Eth b5:  _79oG salt@notations.sequoia-pgp.org>Cg7G zz| oKw !z3HϚi_79o#aHqXޒ26vilVd\W(p1fSHwt3=?u:bgB{xСl(ЈC>G椰 5Kò*FF\ F7/4ǞшZN9* >#ݪGgeca^L$pEpUserThree  b5:  _79oG salt@notations.sequoia-pgp.orgjW 8moD1\a–L pL+n !z3HϚi_79oяQUz;C/c !(yMty<+(+v^Mq,XeH=^n> ۽Pݚs;sɆam F(p{O!9d,U7PNt/5^3NٮlՇ;bzs7ʪ$^Q![KK* r^usޭ;Q 4)Ԟ޵<]Ts.[H @+âr SӸ؊{XD\Sߤ@A'Mb5:b9G7uV!.'T˳1%aQfWw \nqa$32}tj'9$" ˑB%6n - QխQk-֞sNC?9 䄸Z.L4$1ϻm{Wcm9F^a̵Q~z(m2_0} N&7-WQ xb5: _79oG salt@notations.sequoia-pgp.org)P攌@lBv$x; zP, !z3HϚi_79ob3mVaYЋ,xXk&'.C> %;r{t( ŋ )s`CkSR$BEI*s:(ўy7 J3D$9dKOum͛/cNRklWX?,E Hy~#A%o .dV19;|BӪOm=3/a%SI>v+rB#֓0SE+Ub  PMb5:Vv {҇QgY8OBċ;~* g -h"aDB |ɝs ΋]-՝h ,5Gpޖx뺦;둔B mi qz,D߭gr{>yFcJ(MM/ʅY! KU GK_/byjm.N]r.5f p?m*Q:rךv=3z.6>{ wiB.,B b5: _79oG salt@notations.sequoia-pgp.orgE0BtP>Lδ:*!h_ ob5: Zlp&oG salt@notations.sequoia-pgp.orgyf`A[3 P:!?9(Zlp&ozmM\4b&eQFZ[!εW::HL O_}⃋DCB2 %wu<~f\@ڻg>[,tD'efKB$}Uh}J[ ¶IZKQv،Su78\y> l>85aly^`sHb[}a%p*c ^B]W~1RCdAҙZ9rzgt^,;RUJmA4;"OI8t Js("CXK ;:m6m:rNvzx6k)^~Q&dy'jFDk4*Xl<{ LW//?hRQ+6/M\ESvb;/--,NVf]'L 5s ̃ڈF=mLC? M %~؟SBo=J(ֿ!_ZMvJpFN!x瓖 *Xl]D g    *Xl[ڢy)<ӁM 0>   !x瓖 *XlcA( M *Xln'Cäd^J78'Dݧ,JW^H,V/<?9;14F%|ǶB7Tڄ~+{NZ.28 ZqmF S!=Q(rDgךI& {+CkݼG!O'ud nn95rCW,H@oVBY .Xv8nX#qp;|R#ЎZVECv¢Pu#BR%2>!x瓖 *Xl] g    *XlxE!j+JEqeKES̝E2q[/uN>6x *|t ~zȒVl0$Ew_gO_lٻA(pԄZ^'Ǽ&5O.$՝qhuԔNݲ$`qxڬua A2mdIm|-zq.\7 qҬ!P ubicfRP^\u$ >4;"Volker Birk >   !x瓖 *XlcA( M *Xl)N 3l|G>3*% imO#'v%x5G{%߭w.㵘ѨN[Y ~#(X f,{QGGʮ!p\I~)ֶ=%*fF/b3 &+%Ry hsS~V9]^b`o>!E.裑56gf"x`RR?Qsi/g*/uǎGZ~>!x瓖 *Xl]: g    *XlX s;f,K!DtE[z*-"K\NskԢtC*d #ZSPU 26,Ik%}‰¶aGaK؋d2,R=w&AٰpqM] b*Â|8`aPmq%N *nalE gIbI{zy ;5W?9?8D<U&O)cSE,5=̎h*NMx)Volker Birk >   !x瓖 *XlcA( M *XlպYt X!%lhswF#:\=j~oF5(ԃX쪐B#ݥfdKh3>!x瓖 *Xl] g    *Xl(1Sl3 {xc1zIqBŊe[l$?SGX~OBH[Sҩry 4-7HH¦;(^xG$ٌia{_\ wL܅jٔϬr%fg&831]OK}]q^ߌi8MOɴgAx4o\حHb胵/A:X@:=\1%1(Volker Birk >   !x瓖 *XlcA( M *Xlěa}Cy= N U9F#y-f#>AX@w⦡ʙX/$. &cݿݑ7uGqƀptYuŸQ*zAcnL;_8= "Y>5w&`]K) =7B!5r=k?'KJosKYaJd养xMx!L T==a-\f>g^oODj`Q`|[->!x瓖 *Xl] g    *Xlp(xISq-hq&OD5 d\J5 8:Zt62xobO&IV }R2C)}cjtr8l" D]0?$B'Gbǒ=j N!$Wߊ-!pC?IYnKČ~`M]Dfa͹ ;(YiڞAa=x̼Xp޵wQ-XY1cOy̗;qgsMxMw{R-%? +2Q=@cN\yYAk>   !x瓖 *XlcA( M *Xl#tOLa曾t L}^`0jV rpln @"XM޳69K·}$_VV̦]qFj_Aq u "4'o<3"5?+_b9tNe =-(uY F*,ŸgRY:mLv.ewKp.~*\& tunEdhg|ׇ [iIpѽ*Iua1 X3>!x瓖 *Xl] g    *XlU8;&:3ԝM`7k"MrQ=_?gW*bIb4;u $ ?^cƞ#dPaޏ2l7t%i43ϗ)8cbMDVb"ea S%40\hqGecްnn>ײDOB: j='R<,Bιy'JT?覦Lz~ olhO:0 Volker Birk >   !x瓖 *XlcA( M *Xl5٪&?Y|z`RN˂[w%OQs*?;M15i6Rt܀7i1 ´=J~X؜Җa]F (+?81] ]r"`NZ[^oC_{!jJ?"ѕ;w䬓n oߏ TtcL, /v}ƅթ]PS_6D!&Hq=3L uD>!x瓖 *Xl]' g    *XlE0e_)ʑ#ť1p)OYmgVǢpcRzx2nΝs6#搣kdцzJʮT!(XbDQWn <$ jC tOU3&.48=@r̈́&+i-ר(ߕWH]7R #JNYjO VPqmqXN dR%)/mxkuKrA]C1I[0NTŭQs~.ةxVolker Birk >   !x瓖 *XlcA( M *Xll\Z隒_p}䇈.`J#Rԕ$oA􌪶xUi=&<_kk6qƻTph:4LP2IAYd{8O5ynBPP5o oܾ6goz/_2{l fH+3wG!˥!\뼋F1l߀zw\SuI=|_TlPDyv Yp6: I(re5& qs;I>!x瓖 *Xl] g    *Xl#Qf!<񼍏EnLKbk$||́xNr,]3Xw}cCM; ;4Vs8yp*WK[ |/"tz}Kɖt^wd]ZZa1凐7̍~աzvU=ۏ^AWV]mXaCʞQMX[50K?g\6(?ZaA$'y2n&SRf5) wjtg1R+aeȊ Volker Birk >   !x瓖 *XlcA( M +