From 6afe6896d8a8d9cef6dbc79e38dd461c0662a33f Mon Sep 17 00:00:00 2001
From: Paul Schaub
Date: Wed, 12 Jul 2023 01:06:41 +0200
Subject: [PATCH] Implement '--signing-only' option for 'generate-key' command
---
 .../operation/GenerateKeyExternal.java | 6 ++++++
 .../cli/picocli/commands/GenerateKeyCmd.java | 7 +++++++
 .../main/java/sop/operation/GenerateKey.java | 7 +++++++
 .../testsuite/operation/GenerateKeyTest.java | 21 +++++++++++++++++++
 4 files changed, 41 insertions(+)

diff --git a/external-sop/src/main/java/sop/external/operation/GenerateKeyExternal.java b/external-sop/src/main/java/sop/external/operation/GenerateKeyExternal.java
index e0ca97e..c46dfb3 100644
--- a/external-sop/src/main/java/sop/external/operation/GenerateKeyExternal.java
+++ b/external-sop/src/main/java/sop/external/operation/GenerateKeyExternal.java
@@ -57,6 +57,12 @@ public class GenerateKeyExternal implements GenerateKey {
 return this;
 }
 
+ @Override
+ public GenerateKey signingOnly() {
+ commandList.add("--signing-only");
+ return this;
+ }
+
 @Override
 public Ready generate()
 throws SOPGPException.MissingArg, SOPGPException.UnsupportedAsymmetricAlgo {
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
index aac7124..a41f086 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java
@@ -34,6 +34,9 @@ public class GenerateKeyCmd extends AbstractSopCmd {
 paramLabel = "PROFILE")
 String profile;
 
+ @CommandLine.Option(names = "--signing-only")
+ boolean signingOnly = false;
+
 @Override
 public void run() {
 GenerateKey generateKey = throwIfUnsupportedSubcommand(
@@ -48,6 +51,10 @@ public class GenerateKeyCmd extends AbstractSopCmd {
 }
 }
 
+ if (signingOnly) {
+ generateKey.signingOnly();
+ }
+
 for (String userId : userId) {
 generateKey.userId(userId);
 }
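Review bot: `signingOnly()` in GenerateKeyExternal appends `--signing-only` to `commandList` on every call, so a caller that invokes the builder method twice passes the flag to the external binary twice. Guarding the append, e.g. `if (!commandList.contains("--signing-only")) commandList.add("--signing-only");`, keeps the method idempotent. An external SOP binary that predates the option will presumably reject the argument. The visible `generate()` signature declares only `MissingArg` and `UnsupportedAsymmetricAlgo` and its body lies outside the hunk, so confirm that such a rejection reaches the caller as an error rather than as a returned key.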
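Review bot: The new `--signing-only` option in the first GenerateKeyCmd hunk is declared without any usage text, and the diffstat lists no resource bundle or help file, so it will probably show up undocumented in the command's help output. Users rely on that text to learn that the resulting key has no encryption capability. Add a description through whatever mechanism the other options use (not visible in this hunk), or inline as `@CommandLine.Option(names = "--signing-only", description = "Generate a key that can only be used for signing")`. The `= false` initialiser is redundant for a boolean field. The class body continues outside the hunk.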
diff --git a/sop-java/src/main/java/sop/operation/GenerateKey.java b/sop-java/src/main/java/sop/operation/GenerateKey.java
index b788785..77afea1 100644
--- a/sop-java/src/main/java/sop/operation/GenerateKey.java
+++ b/sop-java/src/main/java/sop/operation/GenerateKey.java
@@ -80,6 +80,13 @@ public interface GenerateKey {
 */
 GenerateKey profile(String profile);
 
+ /**
+ * If this options is set, the generated key will not be capable of encryption / decryption.
+ *
+ * @return builder instance
+ */
+ GenerateKey signingOnly();
+
 /**
 * Generate the OpenPGP key and return it encoded as an {@link InputStream}.
 *
diff --git a/sop-java/src/testFixtures/java/sop/testsuite/operation/GenerateKeyTest.java b/sop-java/src/testFixtures/java/sop/testsuite/operation/GenerateKeyTest.java
index ce10763..4a5da58 100644
--- a/sop-java/src/testFixtures/java/sop/testsuite/operation/GenerateKeyTest.java
+++ b/sop-java/src/testFixtures/java/sop/testsuite/operation/GenerateKeyTest.java
@@ -10,12 +10,16 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import sop.SOP;
+import sop.exception.SOPGPException;
 import sop.testsuite.JUtils;
 import sop.testsuite.TestData;
 
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 import java.util.stream.Stream;
 
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
 @EnabledIf("sop.testsuite.operation.AbstractSOPTest#hasBackends")
 public class GenerateKeyTest extends AbstractSOPTest {
 
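Review bot: The Javadoc on `signingOnly()` in GenerateKey.java does not say what an implementation must do when it cannot honour the option, and a backend that silently ignores the call would hand back a key that can still encrypt. State the contract explicitly, for example `@throws SOPGPException.UnsupportedOption if the implementation cannot generate signing-only keys`. The first sentence also has a typo and should read `If this option is set, the generated key will not be capable of encryption / decryption.` Adding an abstract method also breaks every existing implementer of this public interface at compile time. If source compatibility matters to the project, a `default` method that throws the same exception would avoid that.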
@@ -97,4 +101,21 @@ public class GenerateKeyTest extends AbstractSOPTest {
 JUtils.assertArrayStartsWith(key, TestData.BEGIN_PGP_PRIVATE_KEY_BLOCK);
 JUtils.assertArrayEndsWithIgnoreNewlines(key, TestData.END_PGP_PRIVATE_KEY_BLOCK);
 }
+
+ @ParameterizedTest
+ @MethodSource("provideInstances")
+ public void generateSigningOnlyKey(SOP sop) throws IOException {
+ byte[] signingOnlyKey = sop.generateKey()
+ .signingOnly()
+ .userId("Alice ")
+ .generate()
+ .getBytes();
+ byte[] signingOnlyCert = sop.extractCert()
+ .key(signingOnlyKey)
+ .getBytes();
+
+ assertThrows(SOPGPException.CertCannotEncrypt.class, () ->
+ sop.encrypt().withCert(signingOnlyCert)
+ .plaintext(TestData.PLAINTEXT.getBytes(StandardCharsets.UTF_8)));
+ }
 }
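Review bot: `generateSigningOnlyKey` asserts only the negative property, that encrypting to the extracted certificate throws `CertCannotEncrypt`, so a backend that produced a key with no usable capability at all would still pass. Add a positive check that the key can actually sign, for instance a detached sign and verify round trip over `TestData.PLAINTEXT` using `signingOnlyKey` and `signingOnlyCert`, asserting that verification succeeds. A comment such as `// a signing-only certificate must be rejected as an encryption target` above the `assertThrows` call would also document the intent of the test.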