1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

gpg: Do not allow to accidently set the RENC usage.

* g10/keygen.c (print_key_flags): Print "RENC" if set.
(ask_key_flags_with_mask): Remove RENC from the possible set of
usages.  Add a direct way to set it iff the key is encryption capable.
--

This could be done by using "set your own capabilities" for an RSA
key.  In fact it was always set in this case.

GnuPG-bug-id: 7072
This commit is contained in:
Werner Koch 2024-04-04 16:39:14 +02:00
parent 72c5c70871
commit 1f31dc6200
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -1859,6 +1859,9 @@ print_key_flags(int flags)
if(flags&PUBKEY_USAGE_AUTH) if(flags&PUBKEY_USAGE_AUTH)
tty_printf("%s ",_("Authenticate")); tty_printf("%s ",_("Authenticate"));
if(flags&PUBKEY_USAGE_RENC)
tty_printf("%s ", "RENC");
} }
@ -1892,8 +1895,11 @@ ask_key_flags_with_mask (int algo, int subkey, unsigned int current,
} }
/* Mask the possible usage flags. This is for example used for a /* Mask the possible usage flags. This is for example used for a
* card based key. */ * card based key. For ECDH we need to allows additional usages if
* they are provided. RENC is not directly poissible here but see
* below for a workaround. */
possible = (openpgp_pk_algo_usage (algo) & mask); possible = (openpgp_pk_algo_usage (algo) & mask);
possible &= ~PUBKEY_USAGE_RENC;
/* However, only primary keys may certify. */ /* However, only primary keys may certify. */
if (subkey) if (subkey)
@ -1956,6 +1962,12 @@ ask_key_flags_with_mask (int algo, int subkey, unsigned int current,
want to experiment with a cert-only primary key. */ want to experiment with a cert-only primary key. */
current |= PUBKEY_USAGE_CERT; current |= PUBKEY_USAGE_CERT;
} }
else if ((*s == 'r' || *s == 'R') && (possible&PUBKEY_USAGE_ENC))
{
/* Allow to set RENC or an encryption capable key.
* This is on purpose not shown in the menu. */
current |= PUBKEY_USAGE_RENC;
}
} }
break; break;
} }