From b614716c0b77da44443f75a77ba48aacac380b95 Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Mon, 25 Jul 2022 16:20:02 +0200 Subject: [PATCH] Don't require a certificate for signing or decryption (use the public key material from the card instead). --- tools/README.md | 8 ++++---- tools/src/bin/opgpcard/cli.rs | 6 ------ tools/src/bin/opgpcard/main.rs | 17 ++++------------- 3 files changed, 8 insertions(+), 23 deletions(-) diff --git a/tools/README.md b/tools/README.md index cf7edfd..6f1d8f4 100644 --- a/tools/README.md +++ b/tools/README.md @@ -453,13 +453,13 @@ For now, this tool only supports creating detached signatures, like this (if no input file is set, stdin is read): ``` -$ opgpcard sign --detached -c ABCD:01234567 -p -s +$ opgpcard sign --detached -c ABCD:01234567 -p ``` or interactively ``` -$ opgpcard sign --detached -c ABCD:01234567 -s +$ opgpcard sign --detached -c ABCD:01234567 ``` ### Decrypting @@ -467,13 +467,13 @@ $ opgpcard sign --detached -c ABCD:01234567 -s Decryption using a card (if no input file is set, stdin is read): ``` -$ opgpcard decrypt -c ABCD:01234567 -p -r +$ opgpcard decrypt -c ABCD:01234567 -p ``` or interactively ``` -$ opgpcard decrypt -c ABCD:01234567 -r +$ opgpcard decrypt -c ABCD:01234567 ``` ### PIN management diff --git a/tools/src/bin/opgpcard/cli.rs b/tools/src/bin/opgpcard/cli.rs index 7e52926..a21ef96 100644 --- a/tools/src/bin/opgpcard/cli.rs +++ b/tools/src/bin/opgpcard/cli.rs @@ -85,9 +85,6 @@ pub enum Command { #[clap(name = "User PIN file", short = 'p', long = "user-pin")] user_pin: Option, - #[clap(name = "recipient-cert-file", short = 'r', long = "recipient-cert")] - cert_file: PathBuf, - /// Input file (stdin if unset) #[clap(name = "input")] input: Option, 
@@ -105,9 +102,6 @@ pub enum Command { #[clap(name = "detached", short = 'd', long = "detached")] detached: bool, - #[clap(name = "signer-cert-file", short = 's', long = "signer-cert")] - cert_file: PathBuf, - /// Input file (stdin if unset) #[clap(name = "input")] input: Option, diff --git a/tools/src/bin/opgpcard/main.rs b/tools/src/bin/opgpcard/main.rs index fe8eeac..14dc249 100644 --- a/tools/src/bin/opgpcard/main.rs +++ b/tools/src/bin/opgpcard/main.rs @@ -62,20 +62,18 @@ fn main() -> Result<(), Box> { cli::Command::Decrypt { ident, user_pin, - cert_file, input, } => { - decrypt(&ident, user_pin, &cert_file, input.as_deref())?; + decrypt(&ident, user_pin, input.as_deref())?; } cli::Command::Sign { ident, user_pin, - cert_file, detached, input, } => { if detached { - sign_detached(&ident, user_pin, &cert_file, input.as_deref())?; + sign_detached(&ident, user_pin, input.as_deref())?; } else { return Err( anyhow::anyhow!("Only detached signatures are supported for now").into(), @@ -878,11 +876,9 @@ fn print_pubkey(ident: Option, user_pin: Option) -> Result<()> fn decrypt( ident: &str, pin_file: Option, - cert_file: &Path, input: Option<&Path>, ) -> Result<(), Box> { let p = StandardPolicy::new(); - let cert = Cert::from_file(cert_file)?; let input = util::open_or_stdin(input)?; @@ -894,9 +890,7 @@ fn decrypt( let user_pin = util::get_pin(&mut open, pin_file, ENTER_USER_PIN); let mut user = util::verify_to_user(&mut open, user_pin.as_deref())?; - let d = user.decryptor(&cert, &|| { - println!("Touch confirmation needed for decryption") - })?; + let d = user.decryptor(&|| println!("Touch confirmation needed for decryption"))?; let db = DecryptorBuilder::from_reader(input)?; let mut decryptor = db.with_policy(&p, None, d)?; 
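Review bot: With `cert_file` removed from the `decrypt` signature, nothing states where the recipient key now comes from, and the function still carries no doc comment. Suggest adding above `fn decrypt(`: `/// Decrypt input (stdin if None) with the decryption key held on card ident. The public key material is read from the card, so no certificate is required; the card must hold the key the message was encrypted to.` The body of `decrypt` continues past this hunk.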
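Review bot: The touch-confirmation prompt in the rewritten `user.decryptor(...)` line still goes to stdout via `println!`, the same stream the tool uses for data; in the `sign.signer(...)` hunk of this patch the armored signature is written to `std::io::stdout()`, so the prompt text can end up inside the signature stream and is invisible to the user when stdout is redirected to a file. Both prompts belong on stderr: `let d = user.decryptor(&|| eprintln!("Touch confirmation needed for decryption"))?;` here and `let s = sign.signer(&|| eprintln!("Touch confirmation needed for signing"))?;` in `sign_detached`. Where `decrypt` itself writes its plaintext is not visible in this hunk, but a prompt should not share the data stream either way. The body of `decrypt` continues outside the hunk.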
@@ -909,11 +903,8 @@ fn decrypt( fn sign_detached( ident: &str, pin_file: Option, - cert_file: &Path, input: Option<&Path>, ) -> Result<(), Box> { - let cert = Cert::from_file(cert_file)?; - let mut input = util::open_or_stdin(input)?; let mut card = util::open_card(ident)?; @@ -924,7 +915,7 @@ fn sign_detached( let user_pin = util::get_pin(&mut open, pin_file, ENTER_USER_PIN); let mut sign = util::verify_to_sign(&mut open, user_pin.as_deref())?; - let s = sign.signer(&cert, &|| println!("Touch confirmation needed for signing"))?; + let s = sign.signer(&|| println!("Touch confirmation needed for signing"))?; let message = Armorer::new(Message::new(std::io::stdout())).build()?; let mut signer = Signer::new(message, s).detached().build()?;
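Review bot: `sign_detached` now takes the signing key's public material from the card instead of a caller-supplied certificate, but nothing documents that and the function has no doc comment. Suggest above `fn sign_detached(`: `/// Create a detached, ASCII-armored signature over input (stdin if None) with the signing key on card ident and write it to stdout. Public key material is read from the card, so no certificate is needed.` One consequence worth a sentence in the README, hedged because the card-side key reconstruction is not in this patch: the issuer fingerprint embedded in the signature is presumably computed from the card's stored key data (including its creation timestamp), so verification against the published certificate only works if that data agrees with the certificate, a mismatch the removed `-s` path could have detected. The body of `sign_detached` continues past this hunk.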