From cd4c6210176ac53c73416cd87607445722678923 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Thu, 4 Aug 2005 09:53:21 +0000
Subject: [PATCH] Fixes pertaining to revocation creation with subkey-only exported card keys
---
 g10/ChangeLog | 14 ++++++++++++++
 g10/cardglue.c | 2 +-
 g10/export.c | 11 +++++++++++
 g10/pkclist.c | 13 ++++++++++---
 g10/revoke.c | 6 +++++-
 g10/seckey-cert.c | 5 +++--
 6 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/g10/ChangeLog b/g10/ChangeLog
index f9fab2bea..2f1ba5bbc 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,17 @@
+2005-08-04 Werner Koch
+
+ * export.c (do_export_stream): Skip on-card keys when only subkeys
+ are to be exported. It does not make sense to replace the on-card
+ key stub by a no-key stub.
+
+ * revoke.c (gen_revoke): Check for non-online keys.
+
+ * seckey-cert.c (is_secret_key_protected): Return -3 for
+ non-online key stubs. The old code assumes that a protection
+ algorithm is still set but in some cases this one is 0 and thus it
+ won't be possible to decide whether it is unprotected or
+ protected.
+
 2005-07-28 Werner Koch
 * Makefile.am (other_libs): Add SRVLIBS.
diff --git a/g10/cardglue.c b/g10/cardglue.c
index 14feb4188..6330b73d3 100644
--- a/g10/cardglue.c
+++ b/g10/cardglue.c
@@ -533,7 +533,7 @@ check_card_serialno (app_t app, const char *serialno)
 const char *s;
 int ask = 0;
 int n;
-
+
 for (s = serialno, n=0; *s != '/' && hexdigitp (s); s++, n++)
 ;
 if (n != 32)
diff --git a/g10/export.c b/g10/export.c
index cf1a3cc2b..26aac1969 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -230,6 +230,17 @@ do_export_stream( IOBUF out, STRLIST users, int secret,
 keystr(sk_keyid));
 continue;
 }
+
+ /* It does not make sense to export a key with a primary key on card using a non-key stub. We simply skip those keys when used with --export-secret-subkeys. */
+ if (secret == 2 && sk->is_protected && sk->protect.s2k.mode == 1002 )
+ {
+ log_info(_("key %s: key material on-card - skipped\n"), keystr(sk_keyid));
+ continue;
+ }
 }
 else
 {
diff --git a/g10/pkclist.c b/g10/pkclist.c
index 1b3238926..6558f0d6a 100644
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@@ -540,7 +540,6 @@ check_signatures_trust( PKT_signature *sig )
 size_t fprlen;
 int okay;
- log_info (_("Note: Verified address is `%s'\n"), sig->pka_info->email);
 primary_pk = xmalloc_clear (sizeof *primary_pk);
 get_pubkey (primary_pk, pk->main_keyid);
@@ -548,9 +547,17 @@ check_signatures_trust( PKT_signature *sig )
 free_public_key (primary_pk);
 if ( fprlen == 20 && !memcmp (sig->pka_info->fpr, fpr, 20) )
- okay = 1;
+ {
+ okay = 1;
+ log_info (_("Note: Verified signer's address is `%s'\n"), sig->pka_info->email);
+ }
 else
- okay = 0;
+ {
+ okay = 0;
+ log_info (_("Note: Signer's address `%s' " "does not match DNS entry\n"), sig->pka_info->email);
+ }
 switch ( (trustlevel & TRUST_MASK) )
 {
diff --git a/g10/revoke.c b/g10/revoke.c
index aadb1824e..f5860f409 100644
--- a/g10/revoke.c
+++ b/g10/revoke.c
@@ -497,11 +497,15 @@ gen_revoke( const char *uname )
 log_error(_("unknown protection algorithm\n"));
 rc = G10ERR_PUBKEY_ALGO;
 break;
+ case -3:
+ tty_printf (_("Secret parts of primary key are not available.\n"));
+ rc = G10ERR_NO_SECKEY;
+ break;
 case 0:
 tty_printf(_("NOTE: This key is not protected!\n"));
 break;
 default:
- rc = check_secret_key( sk, 0 );
+ rc = check_secret_key( sk, 0 );
 break;
 }
 if( rc )
diff --git a/g10/seckey-cert.c b/g10/seckey-cert.c
index afa071fdf..79cf22aeb 100644
--- a/g10/seckey-cert.c
+++ b/g10/seckey-cert.c
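Review bot: The new guard in do_export_stream spells out the card-stub test by hand as `sk->is_protected && sk->protect.s2k.mode == 1002`, although seckey-cert.c already exposes exactly that condition as the -2 return of is_secret_key_protected ("-2 indicates a card stub" is pre-existing context in this same patch); writing it as `if (secret == 2 && is_secret_key_protected (sk) == -2)` keeps the stub taxonomy in one file so a future mode value cannot drift between export.c and seckey-cert.c. The skipped key is reported only through log_info and the loop simply continues, so a caller of --export-secret-subkeys gets no return-code indication that a requested key was left out of the output; that mirrors the preceding `continue` in the same block, but a short comment such as `/* Skipped keys are only logged, not reported through rc. */` would make the silent omission an explicit decision. do_export_stream begins and continues outside this hunk.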
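Review bot: The new else-branch message `does not match DNS entry` in check_signatures_trust fires not only on a real fingerprint mismatch but also whenever `fprlen != 20`, i.e. when there is no 20-byte fingerprint to compare at all, so a key lacking a v4 fingerprint is reported to the user as a PKA mismatch; the two situations deserve distinct wording, for example `if (fprlen != 20) log_info (_("Note: no v4 fingerprint available for PKA check\n"));` ahead of the existing comparison. Both new messages print `sig->pka_info->email`, which presumably originates in the signer's notation data and is therefore attacker-supplied text; unless it is sanitised upstream (not visible here), control characters in it reach the log unescaped, which is worth confirming before shipping the message change. The enclosing function starts and ends outside this hunk, and fprlen is assigned outside it as well.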
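Review bot: The new `case -3` in gen_revoke sets `rc = G10ERR_NO_SECKEY` but announces the failure with tty_printf, whereas the error branch directly above it (`unknown protection algorithm`, also setting rc) uses log_error; since this is a hard error exit rather than the advisory NOTE of `case 0`, `log_error (_("Secret parts of primary key are not available.\n"));` would be consistent with the neighbouring branch and would presumably still be visible when no tty is attached. The `- rc = check_secret_key( sk, 0 );` / `+ rc = check_secret_key( sk, 0 );` pair changes only whitespace and adds noise to an otherwise functional hunk. gen_revoke continues outside this hunk; the -3 value it now handles is produced by is_secret_key_protected in seckey-cert.c.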
@@ -289,13 +289,14 @@ check_secret_key( PKT_secret_key *sk, int n )
 * check whether the secret key is protected.
 * Returns: 0 not protected, -1 on error or the protection algorithm
 * -2 indicates a card stub.
+ * -3 indicates a not-online stub.
 */
 int
 is_secret_key_protected( PKT_secret_key *sk )
 {
 return sk->is_protected?
- sk->protect.s2k.mode == 1002? -2
- : sk->protect.algo : 0;
+ sk->protect.s2k.mode == 1002? -2 :
+ sk->protect.s2k.mode == 1001? -3 : sk->protect.algo : 0;
 }
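Review bot: The header comment still promises `-1 on error`, but no path in the visible expression of is_secret_key_protected yields -1: a protected key whose s2k mode is neither 1001 nor 1002 returns `protect.algo` unchanged, so if a stub with `protect.algo == 0` appears under any other mode the 0/"not protected" ambiguity described in the ChangeLog is back; either the comment should drop -1 or the fall-through should be guarded, which is the author's call. The three-level ternary split across the `?`/`:` continuation lines is also hard to verify by eye, and an if-chain with the stub meanings named inline reads the same way the comment does; the rewrite below is behaviour-identical to the new side. The two context lines that follow `}` on the new side are not visible in this chunk.
```c
int
is_secret_key_protected( PKT_secret_key *sk )
{
    if (!sk->is_protected)
        return 0;
    if (sk->protect.s2k.mode == 1002)
        return -2;              /* card stub */
    if (sk->protect.s2k.mode == 1001)
        return -3;              /* not-online stub */
    return sk->protect.algo;    /* may be 0 for other stub kinds - see comment */
}
```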