From 8395d6ea2a8f00a6a8cffe511ecc5f3fe48cca91 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Wed, 13 Oct 2021 22:32:18 +0800 Subject: [PATCH] fix: rename cryptographic decryptionKeys to decryptingKeys --- cmd/piv-agent/setup.go | 4 +-- internal/keyservice/gpg/keyservice.go | 2 +- .../{decryptionkey.go => decryptingkey.go} | 14 +++++----- internal/securitykey/securitykey.go | 28 ++++++++++--------- internal/securitykey/setup.go | 4 +-- internal/securitykey/slotspec.go | 2 +- internal/securitykey/string.go | 17 ++++++----- 7 files changed, 36 insertions(+), 35 deletions(-) rename internal/securitykey/{decryptionkey.go => decryptingkey.go} (68%) diff --git a/cmd/piv-agent/setup.go b/cmd/piv-agent/setup.go index eab0fdb..ef94eff 100644 --- a/cmd/piv-agent/setup.go +++ b/cmd/piv-agent/setup.go @@ -17,7 +17,7 @@ type SetupCmd struct { ResetSecurityKey bool `kong:"help='Overwrite any existing keys'"` PIN uint64 `kong:"help='Set the PIN/PUK of the device (6-8 digits). Will be prompted interactively if not provided.'"` SigningKeys []string `kong:"default='cached,always,never',enum='cached,always,never',help='Generate signing keys with various touch policies (cached,always,never)'"` - DecryptionKey bool `kong:"default='true',help='Generate a decryption key (default true)'"` + DecryptingKey bool `kong:"default='true',help='Generate a decrypting key (default true)'"` } func interactivePIN() (uint64, error) { @@ -61,7 +61,7 @@ func (cmd *SetupCmd) Run() error { return fmt.Errorf("couldn't get security key: %v", err) } err = k.Setup(strconv.FormatUint(cmd.PIN, 10), version, - cmd.ResetSecurityKey, cmd.SigningKeys, cmd.DecryptionKey) + cmd.ResetSecurityKey, cmd.SigningKeys, cmd.DecryptingKey) if errors.Is(err, securitykey.ErrNotReset) { return fmt.Errorf("--reset-security-key not specified: %w", err) } diff --git a/internal/keyservice/gpg/keyservice.go b/internal/keyservice/gpg/keyservice.go index fe8edcc..724490d 100644 --- a/internal/keyservice/gpg/keyservice.go +++ b/internal/keyservice/gpg/keyservice.go @@ -29,7 +29,7 @@ type privateKeyfile struct { // KeyService implements an interface for getting cryptographic keys from // keyfiles on disk. type KeyService struct { - // cache passphrases used for decryption + // cache passphrases used for keyfile decryption passphrases [][]byte privKeys []privateKeyfile log *zap.Logger diff --git a/internal/securitykey/decryptionkey.go b/internal/securitykey/decryptingkey.go similarity index 68% rename from internal/securitykey/decryptionkey.go rename to internal/securitykey/decryptingkey.go index 642d7c1..8c3fc10 100644 --- a/internal/securitykey/decryptionkey.go +++ b/internal/securitykey/decryptingkey.go @@ -9,16 +9,16 @@ import ( "golang.org/x/crypto/openpgp/packet" ) -// DecryptionKey is a cryptographic decryption key on a hardware security +// DecryptingKey is a cryptographic decrypting key on a hardware security // device. -type DecryptionKey struct { +type DecryptingKey struct { CryptoKey PubPGP *packet.PublicKey } -// decryptionKeys returns the decryption keys available on the given yubikey. -func decryptionKeys(yk *piv.YubiKey) ([]DecryptionKey, error) { - var decryptionKeys []DecryptionKey +// decryptingKeys returns the decrypting keys available on the given yubikey. +func decryptingKeys(yk *piv.YubiKey) ([]DecryptingKey, error) { + var decryptingKeys []DecryptingKey for _, s := range defaultDecryptSlots { cert, err := yk.Certificate(s.Slot) if err != nil { @@ -32,7 +32,7 @@ func decryptionKeys(yk *piv.YubiKey) ([]DecryptionKey, error) { if !ok { return nil, fmt.Errorf("invalid public key type: %T", cert.PublicKey) } - decryptionKeys = append(decryptionKeys, DecryptionKey{ + decryptingKeys = append(decryptingKeys, DecryptingKey{ CryptoKey: CryptoKey{ Public: pubKey, SlotSpec: s, @@ -40,5 +40,5 @@ func decryptionKeys(yk *piv.YubiKey) ([]DecryptionKey, error) { PubPGP: packet.NewECDSAPublicKey(cert.NotBefore, pubKey), }) } - return decryptionKeys, nil + return decryptingKeys, nil } diff --git a/internal/securitykey/securitykey.go b/internal/securitykey/securitykey.go index 6026bf5..3d12b16 100644 --- a/internal/securitykey/securitykey.go +++ b/internal/securitykey/securitykey.go @@ -17,7 +17,7 @@ type SecurityKey struct { serial uint32 yubikey *piv.YubiKey signingKeys []SigningKey - decryptionKeys []DecryptionKey + decryptingKeys []DecryptingKey cryptoKeys []CryptoKey } @@ -39,30 +39,30 @@ func New(card string) (*SecurityKey, error) { card, err) } - signingKeys, err := signingKeys(yk) + sks, err := signingKeys(yk) if err != nil { return nil, fmt.Errorf(`couldn't get signing keys for card "%s": %v`, card, err) } var cryptoKeys []CryptoKey - for _, k := range signingKeys { + for _, k := range sks { cryptoKeys = append(cryptoKeys, k.CryptoKey) } - decryptionKeys, err := decryptionKeys(yk) + dks, err := decryptingKeys(yk) if err != nil { - return nil, fmt.Errorf(`couldn't get decryption keys for card "%s": %v`, + return nil, fmt.Errorf(`couldn't get decrypting keys for card "%s": %v`, card, err) } - for _, k := range decryptionKeys { + for _, k := range dks { cryptoKeys = append(cryptoKeys, k.CryptoKey) } return &SecurityKey{ card: card, serial: serial, yubikey: yk, - signingKeys: signingKeys, - decryptionKeys: decryptionKeys, + signingKeys: sks, + decryptingKeys: dks, cryptoKeys: cryptoKeys, }, nil } @@ -77,17 +77,19 @@ func (k *SecurityKey) Serial() uint32 { return k.serial } -// SigningKeys returns the slice of signing keys held by the SecurityKey. +// SigningKeys returns the slice of cryptographic signing keys held by the +// SecurityKey. func (k *SecurityKey) SigningKeys() []SigningKey { return k.signingKeys } -// DecryptionKeys returns the slice of decryption keys held by the SecurityKey. -func (k *SecurityKey) DecryptionKeys() []DecryptionKey { - return k.decryptionKeys +// DecryptingKeys returns the slice of cryptographic decrypting keys held by +// the SecurityKey. +func (k *SecurityKey) DecryptingKeys() []DecryptingKey { + return k.decryptingKeys } -// CryptoKeys returns the slice of cryptographic signing and decryption keys +// CryptoKeys returns the slice of cryptographic signing and decrypting keys // held by the SecurityKey. func (k *SecurityKey) CryptoKeys() []CryptoKey { return k.cryptoKeys diff --git a/internal/securitykey/setup.go b/internal/securitykey/setup.go index d783d54..7598f66 100644 --- a/internal/securitykey/setup.go +++ b/internal/securitykey/setup.go @@ -20,7 +20,7 @@ var ErrNotReset = errors.New("security key already set up") // Setup configures the SecurityKey to work with piv-agent. func (k *SecurityKey) Setup(pin, version string, reset bool, - signingKeys []string, decryptionKey bool) error { + signingKeys []string, decryptingKey bool) error { _, err := k.yubikey.Certificate(piv.SlotAuthentication) if err == nil { if !reset { @@ -58,7 +58,7 @@ func (k *SecurityKey) Setup(pin, version string, reset bool, } } // setup decrypt key - if decryptionKey { + if decryptingKey { err := k.configureSlot(mgmtKey, defaultDecryptSlots["cached"], version) if err != nil { return fmt.Errorf("couldn't configure slot %v: %v", diff --git a/internal/securitykey/slotspec.go b/internal/securitykey/slotspec.go index 5c0dd21..9d5c083 100644 --- a/internal/securitykey/slotspec.go +++ b/internal/securitykey/slotspec.go @@ -35,7 +35,7 @@ var defaultSignSlots = map[string]SlotSpec{ "never": {piv.SlotCardAuthentication, piv.TouchPolicyNever}, } -// defaultDecryptSlots represents the slot specifications for decryption +// defaultDecryptSlots represents the slot specifications for decrypting // operations. var defaultDecryptSlots = map[string]SlotSpec{ // Slot 9d: Key Management diff --git a/internal/securitykey/string.go b/internal/securitykey/string.go index b754d66..687dcc8 100644 --- a/internal/securitykey/string.go +++ b/internal/securitykey/string.go @@ -97,14 +97,14 @@ func (k *SecurityKey) synthesizeEntity(ck *CryptoKey, now time.Time, name, email }, nil } -// synthesizeEntities returns an array of signing and decryption Entities for +// synthesizeEntities returns an array of signing and decrypting Entities for // k's cryptographic keys. // Because OpenPGP entities must be self-signed, this function needs a physical // touch on the yubikey for slots with touch policies that require it. func (k *SecurityKey) synthesizeEntities(name, email string) ([]Entity, []Entity, error) { now := time.Now() - var signing, decryption []Entity + var signing, decrypting []Entity for _, sk := range k.SigningKeys() { e, err := k.synthesizeEntity(&sk.CryptoKey, now, name, email) if err != nil { @@ -112,20 +112,19 @@ func (k *SecurityKey) synthesizeEntities(name, email string) ([]Entity, } signing = append(signing, Entity{Entity: *e, CryptoKey: sk.CryptoKey}) } - for _, dk := range k.DecryptionKeys() { + for _, dk := range k.DecryptingKeys() { e, err := k.synthesizeEntity(&dk.CryptoKey, now, name, email) if err != nil { return nil, nil, fmt.Errorf("couldn't synthesize entity: %v", err) } - decryption = append(decryption, Entity{Entity: *e, CryptoKey: dk.CryptoKey}) + decrypting = append(decrypting, Entity{Entity: *e, CryptoKey: dk.CryptoKey}) } - return signing, decryption, nil + return signing, decrypting, nil } func (k *SecurityKey) armorEntity(e *openpgp.Entity, t piv.TouchPolicy) (string, error) { buf := bytes.Buffer{} - // TODO: print Signing Keys: ... Decryption Keys: .. w, err := armor.Encode(&buf, openpgp.PublicKeyType, map[string]string{ "Comment": fmt.Sprintf("%v #%v, touch policy: %s", @@ -148,7 +147,7 @@ func (k *SecurityKey) armorEntity(e *openpgp.Entity, // StringsGPG returns an array of commonly formatted GPG keys as strings. func (k *SecurityKey) StringsGPG(name, email string) ([]string, error) { var ss []string - signing, decryption, err := k.synthesizeEntities(name, email) + signing, decrypting, err := k.synthesizeEntities(name, email) if err != nil { return nil, fmt.Errorf("couldn't synthesize entities: %v", err) } @@ -160,8 +159,8 @@ func (k *SecurityKey) StringsGPG(name, email string) ([]string, error) { } ss = append(ss, s) } - ss = append(ss, "\nDecryption GPG Keys:") - for _, key := range decryption { + ss = append(ss, "\nDecrypting GPG Keys:") + for _, key := range decrypting { s, err := k.armorEntity(&key.Entity, key.SlotSpec.TouchPolicy) if err != nil { return nil, fmt.Errorf("couldn't armor entity: %v", err)