feat: support multiple keys per email address

Stealthii · Stealthii · commit 73bef713ec16 · 2026-03-03T19:47:22.000Z
Parse combined/concatenated certificates from single files using
CertParser and merge keys from separate files for the same email
instead of overwriting. Serve all keys as concatenated binary output.
diff --git a/src/keys/db.rs b/src/keys/db.rs
@@ -27,7 +27,7 @@ pub struct CertEntry {
     pub path: OsString,
 }
 
-type Cache = HashMap<CertKey, CertEntry>;
+type Cache = HashMap<CertKey, Vec<CertEntry>>;
 
 pub struct KeyDb {
     _watcher: RecommendedWatcher,
@@ -136,29 +136,32 @@ impl KeyDb {
         path: &Path,
         split_keys: bool,
     ) -> Result<()> {
-        // first, we remove all files that might be in here still because of this path
+        // first, we remove all entries that came from this path
         Self::remove_file_from_cache(cache, path)?;
 
         let entries = read_key_file(path, split_keys).context("Reading file")?;
         if entries.is_empty() {
             info!("Ignoring file {}, no entries found", path.to_string_lossy());
             return Ok(());
         }
-        entries.into_iter().for_each(|(entry, content)| {
+        entries.into_iter().for_each(|(key, entry)| {
             info!(
                 "Adding key '{}@{}' from file {} to db",
-                content.username,
-                entry.domain,
+                entry.username,
+                key.domain,
                 path.to_string_lossy()
             );
-            cache.insert(entry, content);
+            cache.entry(key).or_default().push(entry);
         });
         Ok(())
     }
 
     fn remove_file_from_cache(cache: &mut RwLockWriteGuard<Cache>, path: &Path) -> Result<()> {
-        // we remove all items that were inserted into the map because of this file.
-        cache.retain(|_, v| v.path != path.as_os_str());
+        // Remove entries from this path, and clean up empty keys
+        for entries in cache.values_mut() {
+            entries.retain(|e| e.path != path.as_os_str());
+        }
+        cache.retain(|_, v| !v.is_empty());
         Ok(())
     }
 
@@ -168,7 +171,7 @@ impl KeyDb {
         domain: &str,
         username: Option<&String>,
     ) -> Result<Option<Vec<u8>>> {
-        let value = self
+        let entries = self
             .keys
             .read()
             .await
@@ -178,14 +181,35 @@ impl KeyDb {
             })
             .cloned();
 
-        match (username, value) {
-            (Some(requested), Some(CertEntry { username, .. })) if requested != &username => {
+        let Some(entries) = entries else {
+            return Ok(None);
+        };
+
+        // Filter by username if provided (for advanced method)
+        let filtered: Vec<_> = if let Some(requested) = username {
+            entries
+                .into_iter()
+                .filter(|e| &e.username == requested)
+                .collect()
+        } else {
+            entries
+        };
+
+        if filtered.is_empty() {
+            if let Some(requested) = username {
                 info!(
-                    "hash matched for '{username}@{domain}', but requested local part '{requested}' did not match. Ignoring."
+                    "hash matched for domain '{domain}', but requested local part '{requested}' did not match any entries. Ignoring."
                 );
-                Ok(None)
             }
-            (_, value) => Ok(value.map(|entry| entry.cert.to_vec().unwrap())),
+            return Ok(None);
+        }
+
+        // Concatenate all certs into a single binary response
+        let mut result = Vec::new();
+        for entry in filtered {
+            result.extend(entry.cert.to_vec()?);
         }
+
+        Ok(Some(result))
     }
 }
diff --git a/src/keys/fs.rs b/src/keys/fs.rs
@@ -4,57 +4,67 @@ use anyhow::{Context, Result, bail};
 use openpgp::armor::{Kind, Reader, ReaderMode};
 use sequoia_openpgp as openpgp;
 use sequoia_openpgp::Cert;
+use sequoia_openpgp::cert::CertParser;
 use sequoia_openpgp::parse::Parse;
 use sequoia_openpgp::policy::StandardPolicy;
 use std::io::BufReader;
 use std::path::Path;
 use tracing::warn;
 
 pub fn read_key_file(path: &Path, split_keys: bool) -> Result<Vec<(CertKey, CertEntry)>> {
-    let Some(cert) = read_cert(path)? else {
+    let certs = read_certs(path)?;
+    if certs.is_empty() {
         return Ok(vec![]);
-    };
+    }
 
     let p = StandardPolicy::new();
-    let cert = cert.with_policy(&p, None).context("invalid certificate")?;
-
-    let mut certs = Vec::new();
+    let mut results = Vec::new();
 
-    for userid in cert.userids() {
-        let Some(email) = userid
-            .userid()
-            .email()
-            .context("user id does not have a valid email")?
-        else {
-            warn!(
-                "user id {} does not have an email, skipping",
-                userid.userid()
-            );
-            continue;
+    for cert in certs {
+        let validated_cert = match cert.with_policy(&p, None) {
+            Ok(c) => c,
+            Err(e) => {
+                warn!("Skipping invalid certificate in {}: {}", path.to_string_lossy(), e);
+                continue;
+            }
         };
 
-        let Some((username, cert_key)) = hash::mail_to_key_entry(email)? else {
-            bail!("could not hash {email}");
-        };
+        for userid in validated_cert.userids() {
+            let Some(email) = userid
+                .userid()
+                .email()
+                .context("user id does not have a valid email")?
+            else {
+                warn!(
+                    "user id {} does not have an email, skipping",
+                    userid.userid()
+                );
+                continue;
+            };
 
-        let mut cert = userid.cert().clone().strip_secret_key_material();
-        if split_keys {
-            cert = cert.retain_userids(|uid| uid.userid() == userid.userid());
-        }
+            let Some((username, cert_key)) = hash::mail_to_key_entry(email)? else {
+                bail!("could not hash {email}");
+            };
 
-        let cert_entry = CertEntry {
-            username,
-            cert,
-            path: path.as_os_str().into(),
-        };
+            let mut cert = userid.cert().clone().strip_secret_key_material();
+            if split_keys {
+                cert = cert.retain_userids(|uid| uid.userid() == userid.userid());
+            }
+
+            let cert_entry = CertEntry {
+                username,
+                cert,
+                path: path.as_os_str().into(),
+            };
 
-        certs.push((cert_key, cert_entry));
+            results.push((cert_key, cert_entry));
+        }
     }
 
-    Ok(certs)
+    Ok(results)
 }
 
-fn read_cert(path: &Path) -> Result<Option<Cert>> {
+fn read_certs(path: &Path) -> Result<Vec<Cert>> {
     if !path.exists() || !path.is_file() {
         bail!("File {} not found or not a file", path.to_string_lossy());
     }
@@ -67,9 +77,15 @@ fn read_cert(path: &Path) -> Result<Option<Cert>> {
         &content,
         ReaderMode::Tolerant(Some(Kind::PublicKey)),
     ));
-    if let Ok(cert) = Cert::from_reader(reader) {
-        Ok(Some(cert))
-    } else {
-        Ok(None)
+
+    // Use CertParser to handle multiple concatenated certificates
+    let mut certs = Vec::new();
+    for cert_result in CertParser::from_reader(reader)? {
+        match cert_result {
+            Ok(cert) => certs.push(cert),
+            Err(e) => warn!("Skipping malformed certificate in {}: {}", path.to_string_lossy(), e),
+        }
     }
+
+    Ok(certs)
 }
