diff options
| author | Werner Koch <[email protected]> | 2024-10-31 14:11:55 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2024-10-31 14:11:55 +0000 |
| commit | d30e345692440b9c6677118c1d20b9d17d80f873 (patch) | |
| tree | d2b7f924c0f5d733245a46173ba8f575531f10de /g10/getkey.c | |
| parent | agent: Fix status output for LISTTRUSTED. (diff) | |
| download | gnupg-d30e345692440b9c6677118c1d20b9d17d80f873.tar.gz gnupg-d30e345692440b9c6677118c1d20b9d17d80f873.zip | |
gpg: Allow the use of an ADSK subkey as ADSK subkey.
* g10/packet.h (PKT_public_key): Increased size of req_usage to 16.
* g10/getkey.c (key_byname): Set allow_adsk in the context if ir was
requested via req_usage.
(finish_lookup): Allow RENC usage matching.
* g10/keyedit.c (append_adsk_to_key): Adjust the assert.
* g10/keygen.c (prepare_adsk): Also allow to find an RENC subkey.
--
If an ADSK is to be added it may happen that an ADSK subkey is found
first and this should then be used even that it does not have the E
usage. However, it used to have that E usage when it was added.
While testing this I found another pecularity: If you do
gpg -k ADSK_SUBKEY_FPR
without the '!' suffix and no corresponding encryption subkey is dound,
you will get an unusabe key error. I hesitate to fix that due to
possible side-effects.
GnuPG-bug-id: 6882
Diffstat (limited to 'g10/getkey.c')
| -rw-r--r-- | g10/getkey.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/g10/getkey.c b/g10/getkey.c index f91ec34eb..a5effb606 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -79,7 +79,8 @@ struct getkey_ctx_s /* Part of the search criteria: The type of the requested key. A mask of PUBKEY_USAGE_SIG, PUBKEY_USAGE_ENC and PUBKEY_USAGE_CERT. If non-zero, then for a key to match, it must implement one of - the required uses. */ + the required uses. FWIW: the req_usage field in PKT_public_key + used to be an u8 but meanwhile is an u16. */ int req_usage; /* The database handle. */ @@ -870,7 +871,12 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist, if (pk) { + /* It is a bit tricky to allow returning an ADSK key: lookup + * masks the req_usage flags using the standard usage maps and + * only if ctx->allow_adsk is set, sets the RENC flag again. */ ctx->req_usage = pk->req_usage; + if ((pk->req_usage & PUBKEY_USAGE_RENC)) + ctx->allow_adsk = 1; } rc = lookup (ctrl, ctx, want_secret, ret_kb, &found_key); @@ -3684,7 +3690,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact, #define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT) req_usage &= USAGE_MASK; - /* In allow ADSK mode make sure both encryption bis are set. */ + /* In allow ADSK mode make sure both encryption bits are set. */ if (allow_adsk && (req_usage & PUBKEY_USAGE_XENC_MASK)) req_usage |= PUBKEY_USAGE_XENC_MASK; @@ -3790,7 +3796,8 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact, log_debug ("\tsubkey not valid\n"); continue; } - if (!((pk->pubkey_usage & USAGE_MASK) & req_usage)) + if (!((pk->pubkey_usage & (USAGE_MASK | PUBKEY_USAGE_RENC)) + & req_usage)) { if (DBG_LOOKUP) log_debug ("\tusage does not match: want=%x have=%x\n", |