* packet.h, sig-check.c (signature_check2, do_check, do_check_messages):

Provide a signing-key-is-revoked flag.  Change all callers.

* status.h, status.c (get_status_string): New REVKEYSIG status tag for a
good signature from a revoked key.

* mainproc.c (do_check_sig, check_sig_and_print): Use it here.

* import.c (import_revoke_cert, merge_blocks, merge_sigs): Compare actual
signatures on import rather than using keyid or class matching.  This does
not change actual behavior with a key, but does mean that all sigs are
imported whether they will be used or not.

* parse-packet.c (parse_signature): Don't give "signature packet without
xxxx" warnings for experimental pk algorithms.  An experimental algorithm
may not have a notion of (for example) a keyid (i.e. PGP's x.509 stuff).

1 files changed, 10 insertions, 8 deletions

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index b1d1e17df..1ba8f3239 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -1281,17 +1281,19 @@ parse_signature( IOBUF inp, int pkttype, unsigned long pktlen,
 	}
 
 	p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_CREATED, NULL );
-	if( !p )
-	    log_error("signature packet without timestamp\n");
-	else
-	    sig->timestamp = buffer_to_u32(p);
+	if(p)
+	  sig->timestamp = buffer_to_u32(p);
+	else if(!(sig->pubkey_algo>=100 && sig->pubkey_algo<=110))
+	  log_error("signature packet without timestamp\n");
+
 	p = parse_sig_subpkt2( sig, SIGSUBPKT_ISSUER, NULL );
-	if( !p )
-	    log_error("signature packet without keyid\n");
-	else {
+	if(p)
+	  {
 	    sig->keyid[0] = buffer_to_u32(p);
 	    sig->keyid[1] = buffer_to_u32(p+4);
-	}
+	  }
+	else if(!(sig->pubkey_algo>=100 && sig->pubkey_algo<=110))
+	  log_error("signature packet without keyid\n");
 
 	p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_SIG_EXPIRE,NULL);
 	if(p)