diff options
| -rw-r--r-- | g10/ChangeLog | 17 | ||||
| -rw-r--r-- | g10/getkey.c | 16 | ||||
| -rw-r--r-- | g10/keyedit.c | 4 | ||||
| -rw-r--r-- | g10/keygen.c | 24 | ||||
| -rw-r--r-- | g10/keyid.c | 5 | ||||
| -rw-r--r-- | g10/keyserver.c | 2 | ||||
| -rw-r--r-- | g10/misc.c | 7 |
7 files changed, 58 insertions, 17 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog index bfc6334a5..152fa8033 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,5 +1,22 @@ 2005-08-26 David Shaw <[email protected]> + * misc.c (openpgp_pk_algo_usage): Default to allowing CERT for + signing algorithms. + + * keyedit.c (sign_uids): Don't request a signing key to make a + certification. + + * keygen.c (do_add_key_flags): Force the certify flag on for all + primary keys, as the spec requires primary keys must be able to + certify (if nothing else, which key is going to issue the user ID + signature?) + (print_key_flags): Show certify flag. + (ask_key_flags, ask_algo): Don't allow setting the C flag for + subkeys. + + * keyid.c (usagestr_from_pk), getkey.c (parse_key_usage): + Distinguish between a sign/certify key and a certify-only key. + * keyedit.c (ask_revoke_sig): Add a revsig --with-colons mode. Suggested by Michael Schierl. diff --git a/g10/getkey.c b/g10/getkey.c index 4a8438168..07bdfcbd7 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1331,16 +1331,24 @@ parse_key_usage(PKT_signature *sig) /* first octet of the keyflags */ flags=*p; - if(flags & 3) + if(flags & 1) + { + key_usage |= PUBKEY_USAGE_CERT; + flags&=~1; + } + + if(flags & 2) { key_usage |= PUBKEY_USAGE_SIG; - flags&=~3; + flags&=~2; } - if(flags & 12) + /* We do not distinguish between encrypting communications and + encrypting storage. */ + if(flags & (0x04|0x08)) { key_usage |= PUBKEY_USAGE_ENC; - flags&=~12; + flags&=~(0x04|0x08); } if(flags & 0x20) diff --git a/g10/keyedit.c b/g10/keyedit.c index 8712c4bcf..52247233f 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -529,8 +529,8 @@ sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, * be one which is capable of signing keys. I can't see a reason * why to sign keys using a subkey. Implementation of USAGE_CERT * is just a hack in getkey.c and does not mean that a subkey - * marked as certification capable will be used */ - rc=build_sk_list( locusr, &sk_list, 0, PUBKEY_USAGE_SIG|PUBKEY_USAGE_CERT); + * marked as certification capable will be used. */ + rc=build_sk_list( locusr, &sk_list, 0, PUBKEY_USAGE_CERT); if( rc ) goto leave; diff --git a/g10/keygen.c b/g10/keygen.c index fb93363e8..3bf5af48b 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -190,9 +190,6 @@ do_add_key_flags (PKT_signature *sig, unsigned int use) { byte buf[1]; - if (!use) - return; - buf[0] = 0; /* The spec says that all primary keys MUST be able to certify. */ @@ -205,6 +202,10 @@ do_add_key_flags (PKT_signature *sig, unsigned int use) buf[0] |= 0x04 | 0x08; if (use & PUBKEY_USAGE_AUTH) buf[0] |= 0x20; + + if (!buf[0]) + return; + build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1); } @@ -1238,6 +1239,9 @@ print_key_flags(int flags) if(flags&PUBKEY_USAGE_SIG) tty_printf("%s ",_("Sign")); + if(flags&PUBKEY_USAGE_CERT) + tty_printf("%s ",_("Certify")); + if(flags&PUBKEY_USAGE_ENC) tty_printf("%s ",_("Encrypt")); @@ -1248,7 +1252,7 @@ print_key_flags(int flags) /* Returns the key flags */ static unsigned int -ask_key_flags(int algo) +ask_key_flags(int algo,int subkey) { const char *togglers=_("SsEeAaQq"); char *answer=NULL; @@ -1258,6 +1262,10 @@ ask_key_flags(int algo) if(strlen(togglers)!=8) BUG(); + /* Only primary keys may certify. */ + if(subkey) + possible&=~PUBKEY_USAGE_CERT; + /* Preload the current set with the possible set, minus authentication, since nobody really uses auth yet. */ current=possible&~PUBKEY_USAGE_AUTH; @@ -1291,7 +1299,7 @@ ask_key_flags(int algo) cpr_kill_prompt(); if(strlen(answer)>1) - continue; + tty_printf(_("Invalid selection.\n")); else if(*answer=='\0' || *answer==togglers[6] || *answer==togglers[7]) break; else if((*answer==togglers[0] || *answer==togglers[1]) @@ -1318,6 +1326,8 @@ ask_key_flags(int algo) else current|=PUBKEY_USAGE_AUTH; } + else + tty_printf(_("Invalid selection.\n")); } xfree(answer); @@ -1362,7 +1372,7 @@ ask_algo (int addmode, unsigned int *r_usage) } else if( algo == 7 && opt.expert ) { algo = PUBKEY_ALGO_RSA; - *r_usage=ask_key_flags(algo); + *r_usage=ask_key_flags(algo,addmode); break; } else if( algo == 6 && addmode ) { @@ -1382,7 +1392,7 @@ ask_algo (int addmode, unsigned int *r_usage) } else if( algo == 3 && opt.expert ) { algo = PUBKEY_ALGO_DSA; - *r_usage=ask_key_flags(algo); + *r_usage=ask_key_flags(algo,addmode); break; } else if( algo == 2 ) { diff --git a/g10/keyid.c b/g10/keyid.c index 7d5b905a5..7c2bd3ba4 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -547,10 +547,13 @@ usagestr_from_pk( PKT_public_key *pk ) if ( use & PUBKEY_USAGE_SIG ) { if (pk->is_primary) - buffer[i++] = 'C'; + use|=PUBKEY_USAGE_CERT; buffer[i++] = 'S'; } + if ( use & PUBKEY_USAGE_CERT ) + buffer[i++] = 'C'; + if ( use & PUBKEY_USAGE_ENC ) buffer[i++] = 'E'; diff --git a/g10/keyserver.c b/g10/keyserver.c index c4938e061..9bd316d21 100644 --- a/g10/keyserver.c +++ b/g10/keyserver.c @@ -853,6 +853,8 @@ keyserver_typemap(const char *type) } #ifdef GPGKEYS_CURL +/* The PGP LDAP and the curl fetch-a-LDAP-object methodologies are + sufficiently different that we can't use curl to do LDAP. */ static int curl_cant_handle(const char *scheme) { diff --git a/g10/misc.c b/g10/misc.c index 31348b324..9ccc841e9 100644 --- a/g10/misc.c +++ b/g10/misc.c @@ -407,19 +407,19 @@ openpgp_pk_algo_usage ( int algo ) /* they are hardwired in gpg 1.0 */ switch ( algo ) { case PUBKEY_ALGO_RSA: - use = PUBKEY_USAGE_SIG | PUBKEY_USAGE_ENC | PUBKEY_USAGE_AUTH; + use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG | PUBKEY_USAGE_ENC | PUBKEY_USAGE_AUTH; break; case PUBKEY_ALGO_RSA_E: use = PUBKEY_USAGE_ENC; break; case PUBKEY_ALGO_RSA_S: - use = PUBKEY_USAGE_SIG; + use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG; break; case PUBKEY_ALGO_ELGAMAL_E: use = PUBKEY_USAGE_ENC; break; case PUBKEY_ALGO_DSA: - use = PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH; + use = PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG | PUBKEY_USAGE_AUTH; break; default: break; @@ -1224,6 +1224,7 @@ get_libexecdir (void) return GNUPG_LIBEXECDIR; } +/* Similar to access(2), but uses PATH to find the file. */ int path_access(const char *file,int mode) { |