mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00

gpg: Allow the use of an ADSK subkey as ADSK subkey.

* g10/packet.h (PKT_public_key): Increased size of req_usage to 16.
* g10/getkey.c (key_byname): Set allow_adsk in the context if ir was
requested via req_usage.
(finish_lookup): Allow RENC usage matching.
* g10/keyedit.c (append_adsk_to_key): Adjust the assert.
* g10/keygen.c (prepare_adsk): Also allow to find an RENC subkey.
--

If an ADSK is to be added it may happen that an ADSK subkey is found
first and this should then be used even though it does not have the E
usage.  However, it used to have that E usage when it was added.

While testing this I found another peculiarity: If you do
  gpg -k ADSK_SUBKEY_FPR
without the '!' suffix and no corresponding encryption subkey is found,
you will get an unusable key error.  I hesitate to fix that due to
possible side-effects.

GnuPG-bug-id: 6882
Werner Koch 2024-10-31 15:11:55 +01:00
parent a7c81efe51
commit d30e345692
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 16 additions and 10 deletions


@ -79,7 +79,8 @@ struct getkey_ctx_s
/* Part of the search criteria: The type of the requested key. A
mask of PUBKEY_USAGE_SIG, PUBKEY_USAGE_ENC and PUBKEY_USAGE_CERT.
If non-zero, then for a key to match, it must implement one of
the required uses. */
the required uses. FWIW: the req_usage field in PKT_public_key
used to be an u8 but meanwhile is an u16. */
int req_usage;
/* The database handle. */
@ -870,7 +871,12 @@ key_byname (ctrl_t ctrl, GETKEY_CTX *retctx, strlist_t namelist,
if (pk)
{
/* It is a bit tricky to allow returning an ADSK key: lookup
* masks the req_usage flags using the standard usage maps and
* only if ctx->allow_adsk is set, sets the RENC flag again. */
ctx->req_usage = pk->req_usage;
if ((pk->req_usage & PUBKEY_USAGE_RENC))
ctx->allow_adsk = 1;
}
rc = lookup (ctrl, ctx, want_secret, ret_kb, &found_key);
@ -3684,7 +3690,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
#define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
req_usage &= USAGE_MASK;
/* In allow ADSK mode make sure both encryption bis are set. */
/* In allow ADSK mode make sure both encryption bits are set. */
if (allow_adsk && (req_usage & PUBKEY_USAGE_XENC_MASK))
req_usage |= PUBKEY_USAGE_XENC_MASK;
@ -3790,7 +3796,8 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
log_debug ("\tsubkey not valid\n");
continue;
}
if (!((pk->pubkey_usage & USAGE_MASK) & req_usage))
if (!((pk->pubkey_usage & (USAGE_MASK | PUBKEY_USAGE_RENC))
& req_usage))
{
if (DBG_LOOKUP)
log_debug ("\tusage does not match: want=%x have=%x\n",