
Add a keystore integrity check subcommand

This ticket is about implementing the `arti keys verify` subcommand described in doc/dev/notes/state-management-cli.md. The original design for the command is roughly as follows (we should come up with a different design if this one no longer makes sense):

NAME
       arti-keys-verify - perform consistency, validity, and integrity checks
       on the specified stores

SYNOPSIS
       arti keys verify [OPTIONS]

DESCRIPTION
       The key validity checks fail if there are any
         * keys and certificates not associated with any current identity
         * unrecognized keys
         * expired keys
         * ... (TODO)

       If --fix is not specified, this command lists the keys and
       certificates that failed the validity checks from each key store,
       along with the reason for the failure.

       Note:
          * expired keys and certificates are annotated with (exp).
          * unrecognized keys and certificates (i.e. keys that have an unknown
            purpose) are annotated with (unk)
          * the keys and certificates that are not associated with one of the
            configured identities (i.e. keys with an unrecognized client/service
            nickname) are also annotated with (unk)

OPTIONS
       --keystore default
            Perform checks on the default keystore. This is the default
            behavior if the --keystore flag is omitted.
       --keystore [<kid>...]
            Specifies the IDs of the keystores to check. The IDs must
            be associated with keystores from the Arti TOML config. It is an
            error to specify a key store ID not associated with any of the
            configured key stores.
       --fix
            Attempt to fix the problems detected. Any expired or unrecognized
            keys and certificates are removed. Prompts before every removal.
       --output [pretty|json]
            The output format. Defaults to 'pretty', a pretty-printed,
            human-friendly format.
       --verbose
            Print more information about each reported problem. This flag is
            disregarded if --output=json, because the JSON output always
            contains the full error report.

EXAMPLES
       Perform validity checks on keystores foo and bar:

         arti keys verify --config arti.toml \
           --keystore foo,bar                \
           --output pretty

       Sample output:

         verifying 2 keystores
         bar ... OK
         foo ... FAILED

         failures:

         ====== foo ======
         client/alice/xyz.onion/KS_hsc_desc_not_a_valid_name.x25519_private (unk)
         hs/carol/KS_hs_blind_id+19666_1440_43200.ed25519_expanded_private (exp)
         hs/carol/KS_hs_desc_sign+19666_1440_43200.ed25519_expanded_private (exp)

       Perform validity checks on keystores foo and bar, removing any invalid keys:

         arti keys verify --config arti.toml \
           --keystore foo,bar                \
           --fix

       Sample output:

         verifying 2 keystores
         bar ... OK
         foo ... FAILED

         failures:

         ====== foo ======
         client/alice/xyz.onion/KS_hsc_desc_not_a_valid_name.x25519_private (unk) Remove? [y/N]: y
         hs/carol/KS_hs_blind_id+19666_1440_43200.ed25519_expanded_private (exp) Remove? [y/N]: y
         hs/carol/KS_hs_desc_sign+19666_1440_43200.ed25519_expanded_private (exp) Remove? [y/N]: N

Implementation

Required KeyMgr APIs:

  • KeyMgr::list_matching
  • KeyMgr::describe
  • KeyMgr::remove

This command is essentially `arti keys list` restricted to the keys that fail the validity checks; with --fix, it additionally removes each failing key after the user confirms the removal at the prompt.
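To make the check/fix flow concrete, here is an added, self-contained Rust sketch of the classification and --fix logic described above. It is not Arti code and does not call the real `KeyMgr`; the keystore is modelled as a list of key-path strings, `KnownIdentities` is a hypothetical stand-in for the client/service nicknames in the TOML config, `KNOWN_PURPOSES` is an assumed (not Arti's) list of recognized key purposes, and the `+N_L_O` suffix in the sample paths is assumed to encode a time period as interval number, length in minutes and offset in seconds. The `confirm` callback stands in for the interactive "Remove? [y/N]" prompt so the flow can run non-interactively; a real implementation would feed the returned paths to `KeyMgr::remove`.

```rust
/// Why a key failed verification; mirrors the (exp)/(unk) annotations in the design.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Problem {
    Expired,
    Unrecognized,
}

impl Problem {
    pub fn tag(self) -> &'static str {
        match self {
            Problem::Expired => "(exp)",
            Problem::Unrecognized => "(unk)",
        }
    }
}

/// Hypothetical stand-in for the identities configured in the Arti TOML config.
pub struct KnownIdentities<'a> {
    pub clients: &'a [&'a str],
    pub services: &'a [&'a str],
}

/// Key purposes this toy verifier recognizes (an assumption, not Arti's real list).
const KNOWN_PURPOSES: &[&str] = &["KS_hs_id", "KS_hs_blind_id", "KS_hs_desc_sign", "KS_hsc_desc_enc"];

/// Constructed sample keystore "foo", modelled on the ticket's sample output plus
/// two valid keys so the checks have something to pass.
pub const SAMPLE_FOO: &[&str] = &[
    "client/alice/xyz.onion/KS_hsc_desc_enc.x25519_private",
    "client/alice/xyz.onion/KS_hsc_desc_not_a_valid_name.x25519_private",
    "hs/carol/KS_hs_id.ed25519_expanded_private",
    "hs/carol/KS_hs_blind_id+19666_1440_43200.ed25519_expanded_private",
    "hs/carol/KS_hs_desc_sign+19666_1440_43200.ed25519_expanded_private",
];

/// Parse the assumed `+<interval>_<length_min>_<offset_sec>` suffix and return the
/// Unix time at which that period ends; None if the stem carries no period.
fn period_end(stem: &str) -> Option<u64> {
    let (_, tp) = stem.rsplit_once('+')?;
    let mut it = tp.split('_').map(|f| f.parse::<u64>().ok());
    let (n, len_min, off_sec) = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() {
        return None; // malformed: too many fields
    }
    Some((n + 1) * len_min * 60 + off_sec)
}

/// Classify one key path against the configured identities; `now` is Unix seconds.
pub fn check_key(path: &str, ids: &KnownIdentities<'_>, now: u64) -> Option<Problem> {
    let parts: Vec<&str> = path.split('/').collect();
    // Identity check: "client/<nick>/<svc>.onion/<key>" or "hs/<nick>/<key>".
    let known_identity = match parts.as_slice() {
        ["client", nick, svc, _] => svc.ends_with(".onion") && ids.clients.iter().any(|n| n == nick),
        ["hs", nick, _] => ids.services.iter().any(|n| n == nick),
        _ => false,
    };
    if !known_identity {
        return Some(Problem::Unrecognized); // unknown nickname or unexpected layout
    }
    let file = parts.last().unwrap();
    let stem = file.split('.').next().unwrap_or("");
    let purpose = stem.split('+').next().unwrap_or("");
    if !KNOWN_PURPOSES.contains(&purpose) {
        return Some(Problem::Unrecognized); // unknown key purpose
    }
    match period_end(stem) {
        Some(end) if end <= now => Some(Problem::Expired),
        _ => None,
    }
}

/// Report every failing key in a store, in stored order.
pub fn verify_store(keys: &[&str], ids: &KnownIdentities<'_>, now: u64) -> Vec<(String, Problem)> {
    keys.iter()
        .filter_map(|k| check_key(k, ids, now).map(|p| (k.to_string(), p)))
        .collect()
}

/// The --fix step: ask before each removal and return the paths to remove.
pub fn fix(failures: &[(String, Problem)], mut confirm: impl FnMut(&str, Problem) -> bool) -> Vec<String> {
    failures.iter()
        .filter(|(path, p)| confirm(path.as_str(), *p))
        .map(|(path, _)| path.clone())
        .collect()
}

/// Pretty output in the style of the ticket's sample.
pub fn render_pretty(store_id: &str, failures: &[(String, Problem)]) -> String {
    let mut out = format!("{store_id} ... {}\n", if failures.is_empty() { "OK" } else { "FAILED" });
    if !failures.is_empty() {
        out.push_str(&format!("\n====== {store_id} ======\n"));
        for (path, p) in failures {
            out.push_str(&format!("{path} {}\n", p.tag()));
        }
    }
    out
}

fn main() {
    let ids = KnownIdentities { clients: &["alice"], services: &["carol"] };
    let now = 1_700_100_000; // mid-November 2023, so period 19666 has already ended
    let failures = verify_store(SAMPLE_FOO, &ids, now);
    print!("{}", render_pretty("foo", &failures));
    // Non-interactive stand-in for the prompt: the operator says yes only to expired keys.
    let removed = fix(&failures, |_, p| p == Problem::Expired);
    println!("would remove: {removed:?}");
}
```

Passing `now` in rather than reading the clock keeps the expiry check deterministic, which matters for testing a command whose --fix mode deletes keys.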