Drop Store, use callback functions

This PR drops the Cert-D integration through Store object. I has been problematic for several small reasons: it's not possible to lookup by subkey fingerprints (the test was broken due to the primary key being `CS`). Instead of that ask the client to supply a get_certs callback function and let them plug their own lookup mechanisms (either through local storage, keyservers, or any other means). Signed-off-by: Wiktor Kwapisiewicz <[email protected]>
wiktor-k · Mar 18, 2024 · 11c4f2a · 11c4f2a
1 parent b5d2345
commit 11c4f2a
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 155 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,7 +23,6 @@ hex = "0.4.3"
 once_cell = "1.18"
 openpgp-card = "0.4.0"
 openpgp-card-sequoia = { version = "0.2.0", default-features = false }
-openpgp-cert-d = "0.1"
 pyo3 = { version = "0.20", features = ["extension-module", "anyhow", "chrono"] }
 sequoia-openpgp = { version = "1.17", default-features = false, features = ["compression"] }
 testresult = "0.3"

diff --git a/NEXT.md b/NEXT.md
@@ -1,11 +1,14 @@
 # Next version changes
 ## This file contains changes that will be included in the next version that is released
-v0.1.22
+v0.1.23
 
 New:
-  - `verify` - rudimentary support for verifying and extracting signed data.
 
 Changed:
+  - `verify` now accepts a callback for supplying signing certificates ([#20])
 
 Removed:
+  - `Store` and the Cert-D has been removed ([#20]) due to confusing semantics
+
+[#20]: https://github.com/wiktor-k/pysequoia/pull/20
 ### git tag --edit -s -F NEXT.md v...
diff --git a/README.md b/README.md
@@ -128,17 +128,18 @@ assert "PGP MESSAGE" in str(signed)
 Verifies signed data and returns verified data:
 
 ```python
-from pysequoia import Store, verify
+from pysequoia import verify
 
 # sign some data
 signing_key = Cert.from_file("signing-key.asc")
 signed = sign(s.secrets.signer(), "data to be signed".encode("utf8"))
 
-# verify the data
-store = Store("/tmp/store")
-store.put(signing_key)
+def get_certs(key_ids):
+  print(f"For verification, we need these keys: {key_ids}")
+  return [signing_key]
 
-result = verify(signed, store)
+# verify the data
+result = verify(signed, get_certs)
 assert result.bytes.decode("utf8") == "data to be signed"
 ```
 
@@ -230,7 +231,6 @@ Merges packets from a new version into an old version of a certificate:
 old = Cert.from_file("wiktor.asc")
 new = Cert.from_file("wiktor-fresh.asc")
 merged = old.merge(new)
-print(f"Merged, updated cert: {merged}")
 ```
 
 ### User IDs
@@ -386,37 +386,6 @@ private_parts = Cert.from_bytes(f"{c.secrets}".encode("utf8"))
 assert private_parts.has_secret_keys
 ```
 
-## Certificate management
-
-### CertD integration
-
-This library exposes [OpenPGP Certificate Directory][CERT-D]
-integration, which allows storing and retrieving OpenPGP certificates
-in a persistent way directly in the file system.
-
-Note that this will *not* allow you to read GnuPG-specific key
-directories. Cert-D [does not allow certificate removal][NO-REMOV].
-
-[CERT-D]: https://sequoia-pgp.gitlab.io/pgp-cert-d/
-[NO-REMOV]: https://gitlab.com/sequoia-pgp/pgp-cert-d/-/issues/33
-
-```python
-from pysequoia import Store
-
-cert = Cert.from_file("wiktor.asc")
-s = Store("/tmp/store")
-s.put(cert)
-assert s.get(cert.fingerprint) != None
-```
-
-The certificate is now stored in the given directory and can be
-retrieved later by its fingerprint:
-
-```python
-s = Store("/tmp/store")
-assert s.get("653909a2f0e37c106f5faf546c8857e0d8e8f074") != None
-```
-
 ## OpenPGP Cards
 
 There's an experimental feature allowing communication with OpenPGP

diff --git a/src/lib.rs b/src/lib.rs
@@ -11,7 +11,6 @@ mod notation;
 mod sign;
 mod signature;
 mod signer;
-mod store;
 mod user_id;
 mod verify;
 
@@ -51,7 +50,6 @@ impl Decrypted {
 #[pymodule]
 fn pysequoia(_py: Python, m: &PyModule) -> PyResult<()> {
     m.add_class::<cert::Cert>()?;
-    m.add_class::<store::Store>()?;
     m.add_class::<card::Card>()?;
     m.add_class::<notation::Notation>()?;
     m.add_function(wrap_pyfunction!(sign::sign, m)?)?;

diff --git a/src/store.rs b/src/store.rs
diff --git a/src/verify.rs b/src/verify.rs
@@ -3,11 +3,10 @@ use openpgp::{parse::stream::*, policy::StandardPolicy};
 use pyo3::prelude::*;
 use sequoia_openpgp as openpgp;
 
-use crate::store::Store;
 use crate::Decrypted;
 
 #[pyfunction]
-pub fn verify(bytes: &[u8], store: &Store) -> PyResult<Decrypted> {
+pub fn verify(bytes: &[u8], store: Py<PyAny>) -> PyResult<Decrypted> {
     let helper = PyVerifier { store };
 
     let policy = &StandardPolicy::new();
@@ -20,17 +19,19 @@ pub fn verify(bytes: &[u8], store: &Store) -> PyResult<Decrypted> {
     Ok(Decrypted { content: sink })
 }
 
-struct PyVerifier<'a> {
-    store: &'a Store,
+struct PyVerifier {
+    store: Py<PyAny>,
 }
 
-impl VerificationHelper for PyVerifier<'_> {
+impl VerificationHelper for PyVerifier {
     fn get_certs(&mut self, ids: &[openpgp::KeyHandle]) -> openpgp::Result<Vec<openpgp::Cert>> {
         let mut certs = vec![];
-        for id in ids {
-            if let Some(cert) = self.store.get(id.to_string())? {
-                certs.push(cert.cert().clone());
-            }
+        let result: Vec<crate::cert::Cert> = Python::with_gil(|py| {
+            let str_ids = ids.iter().map(|x| x.to_hex()).collect::<Vec<_>>();
+            self.store.call1(py, (str_ids,))?.extract(py)
+        })?;
+        for cert in result.into_iter() {
+            certs.push(cert.cert().clone());
         }
         Ok(certs)
     }