diff options
| author | David Shaw <[email protected]> | 2005-08-27 03:09:40 +0000 |
|---|---|---|
| committer | David Shaw <[email protected]> | 2005-08-27 03:09:40 +0000 |
| commit | f74282bee03f26af0887dfcc806c89ad0bc142d3 (patch) | |
| tree | fe83661e8e82fcf199880c26fa26d7dc8215b204 | |
| parent | * keyedit.c (ask_revoke_sig): Add a revsig --with-colons mode. (diff) | |
| download | gnupg-f74282bee03f26af0887dfcc806c89ad0bc142d3.tar.gz gnupg-f74282bee03f26af0887dfcc806c89ad0bc142d3.zip | |
* misc.c (openpgp_pk_algo_usage): Default to allowing CERT for signing
algorithms.
* keyedit.c (sign_uids): Don't request a signing key to make a
certification.
* keygen.c (do_add_key_flags): Force the certify flag on for all
primary keys, as the spec requires primary keys must be able to
certify (if nothing else, which key is going to issue the user ID
signature?) (print_key_flags): Show certify flag. (ask_key_flags,
ask_algo): Don't allow setting the C flag for subkeys.
* keyid.c (usagestr_from_pk), getkey.c (parse_key_usage): Distinguish
between a sign/certify key and a certify-only key.
| -rw-r--r-- | g10/ChangeLog | 17 | ||||
| -rw-r--r-- | g10/getkey.c | 16 | ||||
| -rw-r--r-- | g10/keyedit.c | 4 | ||||
| -rw-r--r-- | g10/keygen.c | 24 | ||||
| -rw-r--r-- | g10/keyid.c | 5 | ||||
| -rw-r--r-- | g10/keyserver.c | 2 | ||||
| -rw-r--r-- | g10/misc.c | 7 |
7 files changed, 58 insertions, 17 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog index bfc6334a5..152fa8033 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,5 +1,22 @@ 2005-08-26 David Shaw <[email protected]> + * misc.c (openpgp_pk_algo_usage): Default to allowing CERT for + signing algorithms. + + * keyedit.c (sign_uids): Don't request a signing key to make a + certification. + + * keygen.c (do_add_key_flags): Force the certify flag on for all + primary keys, as the spec requires primary keys must be able to + certify (if nothing else, which key is going to issue the user ID + signature?) + (print_key_flags): Show certify flag. + (ask_key_flags, ask_algo): Don't allow setting the C flag for + subkeys. + + * keyid.c (usagestr_from_pk), getkey.c (parse_key_usage): + Distinguish between a sign/certify key and a certify-only key. + * keyedit.c (ask_revoke_sig): Add a revsig --with-colons mode. Suggested by Michael Schierl. diff --git a/g10/getkey.c b/g10/getkey.c index 4a8438168..07bdfcbd7 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1331,16 +1331,24 @@ parse_key_usage(PKT_signature *sig) /* first octet of the keyflags */ flags=*p; - if(flags & 3) + if(flags & 1) + { + key_usage |= PUBKEY_USAGE_CERT; + flags&=~1; + } + + if(flags & 2) { key_usage |= PUBKEY_USAGE_SIG; - flags&=~3; + flags&=~2; } - if(flags & 12) + /* We do not distinguish between encrypting communications and + encrypting storage. */ + if(flags & (0x04|0x08)) { key_usage |= PUBKEY_USAGE_ENC; - flags&=~12; + flags&=~(0x04|0x08); } if(flags & 0x20) diff --git a/g10/keyedit.c b/g10/keyedit.c index 8712c4bcf..52247233f 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -529,8 +529,8 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, * be one which is capable of signing keys. I can't see a reason * why to sign keys using a subkey. Implementation of USAGE_CERT * is just a hack in getkey.c and does not mean that a subkey - * marked as certification capable will be used */ - rc=build_sk_list( locusr, &sk_list, 0, PUBKEY_USAGE_SIG|PUBKEY_USAGE_CERT); + * marked as certification capable will be used. */ + rc=build_sk_list( locusr, &sk_list, 0, PUBKEY_USAGE_CERT); if( rc ) goto leave; diff --git a/g10/keygen.c b/g10/keygen.c index fb93363e8..3bf5af48b 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -190,9 +190,6 @@ do_add_key_flags (PKT_signature *sig, unsigned int use) { byte buf[1]; - if (!use) - return; - buf[0] = 0; /* The spec says that all primary keys MUST be able to certify. */ @@ -205,6 +202,10 @@ do_add_key_flags (PKT_signature *sig, unsigned int use) buf[0] |= 0x04 | 0x08; if (use & PUBKEY_USAGE_AUTH) buf[0] |= 0x20; + + if (!buf[0]) + return; + build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1); } @@ -1238,6 +1239,9 @@ print_key_flags(int flags) if(flags&PUBKEY_USAGE_SIG) tty_printf("%s ",_("Sign")); + if(flags&PUBKEY_USAGE_CERT) + tty_printf("%s ",_("Certify")); + if(flags&PUBKEY_USAGE_ENC) tty_printf("%s ",_("Encrypt")); @@ -1248,7 +1252,7 @@ print_key_flags(int flags) /* Returns the key flags */ static unsigned int -ask_key_flags(int algo) +ask_key_flags(int algo,int subkey) { const char *togglers=_("SsEeAaQq"); char *answer=NULL; @@ -1258,6 +1262,10 @@ ask_key_flags(int algo) if(strlen(togglers)!=8) BUG(); + /* Only primary keys may certify. */ + if(subkey) + possible&=~PUBKEY_USAGE_CERT; + /* Preload the current set with the possible set, minus authentication, since nobody really uses auth yet. */ current=possible&~PUBKEY_USAGE_AUTH; @@ -1291,7 +1299,7 @@ ask_key_flags(int algo) cpr_kill_prompt(); if(strlen(answer)>1) - continue; + tty_printf(_("Invalid selection.\n")); else if(*answer=='\0' || *answer==togglers[6] || *answer==togglers[7]) break; else if((*answer==togglers[0] || *answer==togglers[1]) @@ -1318,6 +1326,8 @@ ask_key_flags(int algo) else current|=PUBKEY_USAGE_AUTH; } + else + tty_printf(_("Invalid selection.\n")); } xfree(answer); @@ -1362,7 +1372,7 @@ ask_algo (int addmode, unsigned int *r_usage) } else if( algo == 7 && opt.expert ) { algo = PUBKEY_ALGO_RSA; - *r_usage=ask_key_flags(algo); + *r_usage=ask_key_flags(algo,addmode); break; } else if( algo == 6 && addmode ) { @@ -1382,7 +1392,7 @@ ask_algo (int addmode, unsigned int *r_usage) } else if( algo == 3 && opt.expert ) { algo = PUBKEY_ALGO_DSA; - *r_usage=ask_key_flags(algo); + *r_usage=ask_key_flags(algo,addmode); break; } else if( algo == 2 ) { diff --git a/g10/keyid.c b/g10/keyid.c index 7d5b905a5..7c2bd3ba4 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -547,10 +547,13 @@ usagestr_from_pk( PKT_public_key *pk ) if ( use & PUBKEY_USAGE_SIG ) { if (pk->is_primary) - buffer[i++] = 'C'; + use|=PUBKEY_USAGE_CERT; buffer[i++] = 'S'; } + if ( use & PUBKEY_USAGE_CERT ) + buffer[i++] = 'C'; + if ( use & PUBKEY_USAGE_ENC ) buffer[i++] = 'E'; diff --git a/g10/keyserver.c b/g10/keyserver.c index c4938e061..9bd316d21 100644 --- a/g10/keyserver.c +++ b/g10/keyserver.c @@ -853,6 +853,8 @@ keyserver_typemap(const char *type) } #ifdef GPGKEYS_CURL +/* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are + sufficiently different that we can't use curl to do LDAP. */ static int curl_cant_handle(const char *scheme) { diff --git a/g10/misc.c b/g10/misc.c index 31348b324..9ccc841e9 100644 --- a/g10/misc.c +++ b/g10/misc.c @@ -407,19 +407,19 @@ openpgp_pk_algo_usage ( int algo ) /* they are hardwired in gpg 1.0 */ switch ( algo ) { case PUBKEY_ALGO_RSA: - use = PUBKEY_USAGE_SIG | PUBKEY_USAGE_ENC | PUBKEY_USAGE_AUTH; + use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG | PUBKEY_USAGE_ENC | PUBKEY_USAGE_AUTH; break; case PUBKEY_ALGO_RSA_E: use = PUBKEY_USAGE_ENC; break; case PUBKEY_ALGO_RSA_S: - use = PUBKEY_USAGE_SIG; + use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG; break; case PUBKEY_ALGO_ELGAMAL_E: use = PUBKEY_USAGE_ENC; break; case PUBKEY_ALGO_DSA: - use = PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH; + use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH; break; default: break; @@ -1224,6 +1224,7 @@ get_libexecdir (void) return GNUPG_LIBEXECDIR; } +/* Similar to access(2), but uses PATH to find the file. */ int path_access(const char *file,int mode) { |