* keyedit.c (menu_addrevoker), getkey.c (finish_lookup): Fix problem with

adding a cert-only designated revoker.  Code was looking for a key with
sign ability, and not cert ability.  Noted by Timo Schulz.

g10/ChangeLog

@@ -1,3 +1,10 @@
+2005-10-27  David Shaw  <dshaw@jabberwocky.com>
+
+	* keyedit.c (menu_addrevoker), getkey.c (finish_lookup): Fix
+	problem with adding a cert-only designated revoker.  Code was
+	looking for a key with sign ability, and not cert ability.  Noted
+	by Timo Schulz.
+
 2005-10-27  Werner Koch  <wk@g10code.com>
 
 	* gpg.c [__CYGWIN__]: Set default driver to winscard.dll.

g10/getkey.c

@@ -2345,7 +2345,7 @@ finish_lookup (GETKEY_CTX ctx)
     KBNODE k;
     KBNODE foundk = NULL;
     PKT_user_id *foundu = NULL;
-#define USAGE_MASK  (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC)
+#define USAGE_MASK  (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
     unsigned int req_usage = ( ctx->req_usage & USAGE_MASK );
     /* Request the primary if we're certifying another key, and also
        if signing data while --pgp6 or --pgp7 is on since pgp 6 and 7

g10/keyedit.c

@@ -3380,9 +3380,11 @@ menu_addrevoker( KBNODE pub_keyblock, KBNODE sec_keyblock, int sensitive )
 	  goto fail;
 	}
 
-      /* Note that I'm requesting SIG here and not CERT.  We're making
-	 a certification, but it is okay to be a subkey. */
-      revoker_pk->req_usage=PUBKEY_USAGE_SIG;
+      /* Note that I'm requesting CERT here, which usually implies
+	 primary keys only, but some casual testing shows that PGP and
+	 GnuPG both can handle a designated revokation from a
+	 subkey. */
+      revoker_pk->req_usage=PUBKEY_USAGE_CERT;
       rc=get_pubkey_byname(revoker_pk,answer,NULL,NULL,1);
       if(rc)
 	{