1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

Fixes pertaining to revocation creation with subkey-only exported card keys

This commit is contained in:
Werner Koch 2005-08-04 09:53:21 +00:00
parent 1990aacce0
commit cd4c621017
6 changed files with 44 additions and 7 deletions

View File

@ -1,3 +1,17 @@
2005-08-04 Werner Koch <wk@g10code.com>
* export.c (do_export_stream): Skip on-card keys when only subkeys
are to be exported. It does not make sense to replace the on-card
key stub by a no-key stub.
* revoke.c (gen_revoke): Check for non-online keys.
* seckey-cert.c (is_secret_key_protected): Return -3 for
non-online key stubs. The old code assumes that a protection
algorithm is still set but in some cases this one is 0 and thus it
won't be possible to decide whether it is unprotected or
protected.
2005-07-28 Werner Koch <wk@g10code.com>
* Makefile.am (other_libs): Add SRVLIBS.

View File

@ -533,7 +533,7 @@ check_card_serialno (app_t app, const char *serialno)
const char *s;
int ask = 0;
int n;
for (s = serialno, n=0; *s != '/' && hexdigitp (s); s++, n++)
;
if (n != 32)

View File

@ -230,6 +230,17 @@ do_export_stream( IOBUF out, STRLIST users, int secret,
keystr(sk_keyid));
continue;
}
/* It does not make sense to export a key with a primary
key on card using a non-key stub. We simply skip those
keys when used with --export-secret-subkeys. */
if (secret == 2 && sk->is_protected
&& sk->protect.s2k.mode == 1002 )
{
log_info(_("key %s: key material on-card - skipped\n"),
keystr(sk_keyid));
continue;
}
}
else
{

View File

@ -540,7 +540,6 @@ check_signatures_trust( PKT_signature *sig )
size_t fprlen;
int okay;
log_info (_("Note: Verified address is `%s'\n"), sig->pka_info->email);
primary_pk = xmalloc_clear (sizeof *primary_pk);
get_pubkey (primary_pk, pk->main_keyid);
@ -548,9 +547,17 @@ check_signatures_trust( PKT_signature *sig )
free_public_key (primary_pk);
if ( fprlen == 20 && !memcmp (sig->pka_info->fpr, fpr, 20) )
okay = 1;
{
okay = 1;
log_info (_("Note: Verified signer's address is `%s'\n"),
sig->pka_info->email);
}
else
okay = 0;
{
okay = 0;
log_info (_("Note: Signer's address `%s' "
"does not match DNS entry\n"), sig->pka_info->email);
}
switch ( (trustlevel & TRUST_MASK) )
{

View File

@ -497,11 +497,15 @@ gen_revoke( const char *uname )
log_error(_("unknown protection algorithm\n"));
rc = G10ERR_PUBKEY_ALGO;
break;
case -3:
tty_printf (_("Secret parts of primary key are not available.\n"));
rc = G10ERR_NO_SECKEY;
break;
case 0:
tty_printf(_("NOTE: This key is not protected!\n"));
break;
default:
rc = check_secret_key( sk, 0 );
rc = check_secret_key( sk, 0 );
break;
}
if( rc )

View File

@ -289,13 +289,14 @@ check_secret_key( PKT_secret_key *sk, int n )
* check whether the secret key is protected.
* Returns: 0 not protected, -1 on error or the protection algorithm
* -2 indicates a card stub.
* -3 indicates a not-online stub.
*/
int
is_secret_key_protected( PKT_secret_key *sk )
{
return sk->is_protected?
sk->protect.s2k.mode == 1002? -2
: sk->protect.algo : 0;
sk->protect.s2k.mode == 1002? -2 :
sk->protect.s2k.mode == 1001? -3 : sk->protect.algo : 0;
}