Function add_namespaced_openpgp_certificates

fn add_namespaced_openpgp_certificates(
    nethsm: &NetHsm,
    admin_credentials: &AdminCredentials,
    users: &[UserMapping],
) -> Result<(), Error>

Adds OpenPGP certificates for namespaced keys that are used for OpenPGP signing.

§Note

It is assumed that the default R-Administrator, all namespaced keys, all N-Administrators and all namespaced non-administrative users are already set up before this function is called (see add_system_wide_admins, add_namespaced_keys, add_namespace_admins and add_namespaced_non_administrative_users, respectively).

This function uses the nethsm with the default R-Administrator, but may switch to a namespace-specific N-Administrator or non-administrative user for individual operations. If this function succeeds, the nethsm is guaranteed to use the default R-Administrator again. If this function fails, the nethsm may still use a namespace-specific N-Administrator or non-administrative user.
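
The credential caveat above, modelled as an added example (not code from this crate): a caller-side drop guard re-selects the default R-Administrator when the call returns early with an error. `MockHsm`, `RestoreUser`, `add_certs_model` and the user names `admin`, `ns1~admin` and `ns1~operator` are hypothetical stand-ins constructed for illustration; no real NetHSM API is called.

```rust
use std::cell::RefCell;

// Hypothetical stand-in for a NetHSM connection: tracks only the active user.
struct MockHsm { active: RefCell<String> }

impl MockHsm {
    fn use_credentials(&self, user: &str) { *self.active.borrow_mut() = user.to_string(); }
    fn active(&self) -> String { self.active.borrow().clone() }
}

// Re-selects `user` when dropped, on success and on early return alike.
struct RestoreUser<'a> { hsm: &'a MockHsm, user: String }

impl Drop for RestoreUser<'_> {
    fn drop(&mut self) { self.hsm.use_credentials(&self.user); }
}

// Models the documented behaviour: switches users per operation and,
// on failure, returns without switching back to the R-Administrator.
fn add_certs_model(hsm: &MockHsm, fail: bool) -> Result<(), String> {
    hsm.use_credentials("ns1~operator"); // non-administrative user creates the certificate
    if fail { return Err("user lacks required tag".into()); }
    hsm.use_credentials("ns1~admin");    // N-Administrator imports the certificate
    hsm.use_credentials("admin");        // back to the default R-Administrator
    Ok(())
}

// Caller-side wrapper: the R-Administrator is active afterwards in every case.
fn add_certs_restoring(hsm: &MockHsm, fail: bool) -> Result<(), String> {
    let _guard = RestoreUser { hsm, user: "admin".to_string() };
    add_certs_model(hsm, fail)
}

// Returns the user that is active after one call, with or without the guard.
fn active_after(fail: bool, guarded: bool) -> String {
    let hsm = MockHsm { active: RefCell::new("admin".into()) };
    let _ = if guarded { add_certs_restoring(&hsm, fail) } else { add_certs_model(&hsm, fail) };
    hsm.active()
}

fn main() {
    println!("unguarded failure leaves: {}", active_after(true, false));
    println!("guarded failure leaves:   {}", active_after(true, true));
}
```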

This function does not overwrite or alter existing OpenPGP certificates, as this would introduce inconsistencies between signatures created with a previous version of a certificate and those created with a new version of the certificate, and such inconsistencies are hard to debug.

§Errors

Returns an error if

  • using the default R-Administrator fails,
  • retrieving the names of all users fails,
  • a namespaced user is not in a namespace,
  • no usable N-Administrator for a namespace is known,
  • a user used for OpenPGP signing does not exist,
  • the tags assigned to a user cannot be retrieved from the nethsm,
  • a user used for OpenPGP signing does not have a required tag,
  • retrieving the names of all keys in a namespace fails,
  • a key used for OpenPGP signing does not exist,
  • the tags assigned to a key cannot be retrieved from the nethsm,
  • a key used for OpenPGP signing does not have a required tag,
  • the key setup for a key used for OpenPGP signing does not have at least one User ID,
  • the user assigned the same tag as the key that is used for OpenPGP signing cannot be used to create an OpenPGP certificate for the key,
  • or the N-Administrator cannot be used to import the generated OpenPGP certificate for the key.