Now keys (pgp_key_t) contains only validated keys, uid or subkey,

along with signature info and signature raw packet.

Effects :
 - Should import untrusted key data safely, keyring file/mem read replaced
   by validating filter. Only keys, uid or subkey with valid sig can enter.
 - Keyring queries use stored signature infos to elect best result. Uses
   youngest relevant signature to decide about expiration.
 - Support for key/subkey encryption and signing roles described in rfc4880
   through the Key Flags subpacket.

Side effects:
 - Encrypted seckey support broken
 - SSH keyring support broken
 - Probably some quircks in packet-print.c

Status:
 - Builds
 - Untested

dist/src/lib/create.c

@@ -480,13 +480,20 @@ write_seckey_body(const pgp_seckey_t *key,
  * \return 1 if OK, otherwise 0
  */
 unsigned 
-pgp_write_struct_pubkey(pgp_output_t *output, const pgp_pubkey_t *key)
+pgp_write_struct_pubkey_ptag(
+        pgp_output_t *output,
+        const pgp_pubkey_t *key,
+	    pgp_content_enum ptag)
 {
 	return pgp_write_ptag(output, PGP_PTAG_CT_PUBLIC_KEY) &&
 		pgp_write_length(output, 1 + 4 + 1 + pubkey_length(key)) &&
 		write_pubkey_body(key, output);
 }
-
+unsigned 
+pgp_write_struct_pubkey(pgp_output_t *output, const pgp_pubkey_t *key)
+{
+    return pgp_write_struct_pubkey_ptag(output, key, PGP_PTAG_CT_PUBLIC_KEY);
+}
 
 /**
    \ingroup HighLevel_KeyWrite
@@ -500,55 +507,110 @@ pgp_write_struct_pubkey(pgp_output_t *output, const pgp_pubkey_t *key)
 */
 
 unsigned 
-pgp_write_xfer_pubkey(pgp_output_t *output,
-			const pgp_key_t *key,
-			const unsigned armoured)
+pgp_write_xfer_key(pgp_output_t *output,
+            const pgp_key_t *key,
+            const unsigned armoured)
 {
-	unsigned    /*i,*/ j;
+    unsigned          directsigidx = 0;
+    pgp_directsig_t  *directsigp;
+    unsigned          uididx = 0;
+    unsigned          uidsigidx = 0;
+    uint8_t         **uidp;
+    pgp_uidsig_t     *uidsigp;
+    pgp_subkey_t     *subkeyp;
+    unsigned          subkeyidx = 0;
+    unsigned          subkeysigidx = 0;
+    pgp_subkeysig_t  *subkeysigp;
+
+    if (armoured) {
+        pgp_writer_push_armoured(output, PGP_PGP_PUBLIC_KEY_BLOCK);
+    }
 
-	if (armoured) {
-		pgp_writer_push_armoured(output, PGP_PGP_PUBLIC_KEY_BLOCK);
-	}
-	/* public key */
-	if (!pgp_write_struct_pubkey(output, &key->key.pubkey)) {
-		return 0;
-	}
+    /* primary key */
+    if (key->type == PGP_PTAG_CT_PUBLIC_KEY) {
+        if (!pgp_write_struct_pubkey(output, &key->key.pubkey)) {
+            return 0;
+        }
+    }else{
+        if (!pgp_write_struct_seckey(&key->key.seckey, (const uint8_t *)"", 0, output)) {
+            return 0;
+        }
+    }
 
-	/* TODO: revocation signatures go here */
-
-    /* TODO : fix this */
-	// /* user ids and corresponding signatures */
-	// for (i = 0; i < key->uidc; i++) {
-	// 	if (!pgp_write_struct_userid(output, key->uids[i])) {
-	// 		return 0;
-	// 	}
-	// 	for (j = 0; j < key->packetc; j++) {
-	// 		if (!pgp_write(output, key->packets[j].raw, (unsigned)key->packets[j].length)) {
-	// 			return 0;
-	// 		}
-	// 	}
-	// }
-
-    /* until fixed, output all raw subpackets, except 1st, the key itself */
-	for (j = 1; j < key->packetc; j++) {
-		if (!pgp_write(output, key->packets[j].raw, 
-                       (unsigned)key->packets[j].length)) {
-			return 0;
-		}
-	}
+    directsigp = key->directsigs;
+    for (directsigidx = 0 ; directsigidx < key->directsigc; 
+            directsigidx++, directsigp++)
+    {
+        if (!pgp_write(output, directsigp->packet.raw, 
+                       (unsigned)directsigp->packet.length)) {
+            return 0;
+        }
+    }
 
-	/* TODO: user attributes and corresponding signatures */
+    /* Loop over key's user ids*/
+    uidp = key->uids;
+    for (uididx = 0 ; uididx < key->uidc; uididx++, uidp++)
+    {
+        if (!pgp_write_struct_userid(output, *uidp)) {
+            return 0;
+        }
+        /* Loop over key's user ids sigs */
+        uidsigp = key->uidsigs;
+        for (uidsigidx = 0 ; uidsigidx < key->uidsigc; uidsigidx++, uidsigp++)
+        {
+            /* matching selected user id */
+            if(uidsigp->uid == uididx)
+            {
+                if (!pgp_write(output, &uidsigp->packet.raw, 
+                               (unsigned)uidsigp->packet.length)) {
+                    return 0;
+                }
+            }
+        }
+    }
 
-	/*
-	 * subkey packets and corresponding signatures and optional
-	 * revocation
-	 */
+    /* TODO attibutes */
+
+    /* Loop over key's subkeys */
+    subkeyp = key->subkeys;
+    for (subkeyidx = 0 ; subkeyidx < key->subkeyc; subkeyidx++, subkeyp++)
+    {
+        if (key->type == PGP_PTAG_CT_PUBLIC_KEY) {
+            if (!pgp_write_struct_pubkey_ptag(
+                    output, &subkeyp->key.pubkey,
+                    PGP_PTAG_CT_PUBLIC_SUBKEY)) {
+                return 0;
+            }
+        }else{
+            if (!pgp_write_struct_seckey_ptag(
+                    /* TODO support passphrase again */
+                    &subkeyp->key.seckey, (const uint8_t *)"", 0, output,
+                    PGP_PTAG_CT_SECRET_SUBKEY)) {
+                return 0;
+            }
+        }
 
-	if (armoured) {
-		pgp_writer_info_finalise(&output->errors, &output->writer);
-		pgp_writer_pop(output);
-	}
-	return 1;
+        /* Loop over key's subkeys sigs */
+        subkeysigp = key->subkeysigs;
+        for (subkeysigidx = 0 ; subkeysigidx < key->subkeysigc; 
+                subkeysigidx++, subkeysigp++)
+        {
+            /* matching selected subkey */
+            if(subkeysigp->subkey == subkeyidx)
+            {
+                if (!pgp_write(output, &subkeysigp->packet.raw, 
+                               (unsigned)subkeysigp->packet.length)) {
+                    return 0;
+                }
+            }
+        }
+    }
+
+    if (armoured) {
+        pgp_writer_info_finalise(&output->errors, &output->writer);
+        pgp_writer_pop(output);
+    }
+    return 1;
 }
 
 /**
@@ -563,61 +625,14 @@ pgp_write_xfer_pubkey(pgp_output_t *output,
    \param output Output stream
 
 */
-
+/* TODO have encrypted key export again
 unsigned 
 pgp_write_xfer_seckey(pgp_output_t *output,
 				const pgp_key_t *key,
 				const uint8_t *passphrase,
 				const size_t pplen,
 				unsigned armoured)
-{
-	unsigned	/*i,*/ j;
-
-	if (armoured) {
-		pgp_writer_push_armoured(output, PGP_PGP_PRIVATE_KEY_BLOCK);
-	}
-	/* public key */
-	if (!pgp_write_struct_seckey(&key->key.seckey, passphrase,
-			pplen, output)) {
-		return 0;
-	}
-
-	/* TODO: revocation signatures go here */
-
-    /* TODO : fix this */
-	// /* user ids and corresponding signatures */
-	// for (i = 0; i < key->uidc; i++) {
-	// 	if (!pgp_write_struct_userid(output, key->uids[i])) {
-	// 		return 0;
-	// 	}
-	// 	for (j = 0; j < key->packetc; j++) {
-	// 		if (!pgp_write(output, key->packets[j].raw, (unsigned)key->packets[j].length)) {
-	// 			return 0;
-	// 		}
-	// 	}
-	// }
-
-    /* until fixed, output all raw subpackets, except 1st, the key itself */
-	for (j = 1; j < key->packetc; j++) {
-		if (!pgp_write(output, key->packets[j].raw,
-                       (unsigned)key->packets[j].length)) {
-			return 0;
-		}
-	}
-
-	/* TODO: user attributes and corresponding signatures */
-
-	/*
-	 * subkey packets and corresponding signatures and optional
-	 * revocation
-	 */
-
-	if (armoured) {
-		pgp_writer_info_finalise(&output->errors, &output->writer);
-		pgp_writer_pop(output);
-	}
-	return 1;
-}
+*/
 
 /**
  * \ingroup Core_WritePackets
@@ -711,10 +726,11 @@ pgp_fast_create_rsa_seckey(pgp_seckey_t *key, time_t t,
  * \return 1 if OK; else 0
  */
 unsigned 
-pgp_write_struct_seckey(const pgp_seckey_t *key,
+pgp_write_struct_seckey_ptag(const pgp_seckey_t *key,
 			    const uint8_t *passphrase,
 			    const size_t pplen,
-			    pgp_output_t *output)
+			    pgp_output_t *output,
+	            pgp_content_enum ptag)
 {
 	int             length = 0;
 
@@ -794,12 +810,21 @@ pgp_write_struct_seckey(const pgp_seckey_t *key,
 	/* secret key and public key MPIs */
 	length += (unsigned)seckey_length(key);
 
-	return pgp_write_ptag(output, PGP_PTAG_CT_SECRET_KEY) &&
+	return pgp_write_ptag(output, ptag) &&
 		/* pgp_write_length(output,1+4+1+1+seckey_length(key)+2) && */
 		pgp_write_length(output, (unsigned)length) &&
 		write_seckey_body(key, passphrase, pplen, output);
 }
 
+unsigned 
+pgp_write_struct_seckey(const pgp_seckey_t *key,
+			    const uint8_t *passphrase,
+			    const size_t pplen,
+			    pgp_output_t *output)
+{
+    return  pgp_write_struct_seckey_ptag(
+            key, passphrase, pplen, output, PGP_PTAG_CT_SECRET_KEY);
+}
 /**
  * \ingroup Core_Create
  *
@@ -968,13 +993,8 @@ pgp_create_pk_sesskey(const pgp_key_t *key, const char *ciphername, pgp_pk_sessk
 	uint8_t			*encoded_m_buf;
 	size_t			 sz_encoded_m_buf;
 
-	if (memcmp(key->encid, "\0\0\0\0\0\0\0\0", 8) == 0) {
-		pubkey = pgp_get_pubkey(key);
-		id = key->sigid;
-	} else {
-		pubkey = &key->enckey;
-		id = key->encid;
-	}
+    pubkey = pgp_key_get_enckey(key, &id);
+
 	/* allocate unencoded_m_buf here */
 	(void) memset(&cipherinfo, 0x0, sizeof(cipherinfo));
 	pgp_crypt_any(&cipherinfo,

dist/src/lib/create.h

@@ -79,6 +79,11 @@ void pgp_build_pubkey(pgp_memory_t *, const pgp_pubkey_t *, unsigned);
 unsigned pgp_calc_sesskey_checksum(pgp_pk_sesskey_t *, uint8_t *);
 unsigned pgp_write_struct_userid(pgp_output_t *, const uint8_t *);
 unsigned pgp_write_ss_header(pgp_output_t *, unsigned, pgp_content_enum);
+unsigned pgp_write_struct_seckey_ptag(const pgp_seckey_t *key,
+			    const uint8_t *passphrase,
+			    const size_t pplen,
+			    pgp_output_t *output,
+	            pgp_content_enum ptag);
 unsigned pgp_write_struct_seckey(const pgp_seckey_t *,
 			    const uint8_t *,
 			    const size_t,
@@ -94,13 +99,9 @@ unsigned pgp_write_litdata(pgp_output_t *,
 				const pgp_litdata_enum);
 pgp_pk_sesskey_t *pgp_create_pk_sesskey(const pgp_key_t *, const char *, pgp_pk_sesskey_t *);
 unsigned pgp_write_pk_sesskey(pgp_output_t *, pgp_pk_sesskey_t *);
-unsigned pgp_write_xfer_pubkey(pgp_output_t *,
-				const pgp_key_t *, const unsigned);
-unsigned   pgp_write_xfer_seckey(pgp_output_t *,
-				const pgp_key_t *,
-				const uint8_t *,
-				const size_t,
-				const unsigned);
+unsigned pgp_write_xfer_key(pgp_output_t *output,
+            const pgp_key_t *key,
+            const unsigned armoured);
 
 void pgp_fast_create_userid(uint8_t **, uint8_t *);
 unsigned pgp_write_userid(const uint8_t *, pgp_output_t *);

dist/src/lib/crypto.c

@@ -700,7 +700,6 @@ pgp_decrypt_and_validate_buf(pgp_io_t *io,
 	validation.keyring = pubring;
 	validation.mem = pgp_memory_new();
 	pgp_memory_init(validation.mem, 128);
-	validation.reader = stream->readinfo.arg;
 
 	/* setup for writing decrypted contents to given output file */
 	pgp_setup_memory_write(&stream->cbinfo.output, &outmem, insize);

dist/src/lib/keyring.h

@@ -56,6 +56,7 @@
 #include "packet.h"
 #include "packet-parse.h"
 #include "mj.h"
+#include "memory.h"
 
 enum {
 	MAX_ID_LENGTH		= 128,
@@ -76,7 +77,7 @@ const pgp_key_t *pgp_getkeybyid(pgp_io_t *,
 					const pgp_keyring_t *,
 					const uint8_t *,
 					unsigned *,
-					pgp_pubkey_t **);
+					const pgp_pubkey_t **);
 unsigned pgp_deletekeybyid(pgp_io_t *, 
                     pgp_keyring_t *,
 			        const uint8_t *);
@@ -98,44 +99,52 @@ const pgp_key_t *pgp_getnextkeybyname(pgp_io_t *,
 					unsigned *);
 void pgp_key_free(pgp_key_t *);
 void pgp_keydata_free(pgp_key_t *);
-int pgp_keydata_dup(pgp_key_t *, pgp_key_t *, unsigned);
 void pgp_keyring_free(pgp_keyring_t *);
 void pgp_keyring_purge(pgp_keyring_t *);
 void pgp_dump_keyring(const pgp_keyring_t *);
-const pgp_pubkey_t *pgp_get_pubkey(const pgp_key_t *);
+const pgp_pubkey_t *pgp_key_get_pubkey(const pgp_key_t *);
 unsigned   pgp_is_key_secret(const pgp_key_t *);
 const pgp_seckey_t *pgp_get_seckey(const pgp_key_t *);
 pgp_seckey_t *pgp_get_writable_seckey(pgp_key_t *);
-pgp_seckey_t *pgp_decrypt_seckey(const pgp_key_t *, void *);
-
-unsigned   pgp_keyring_fileread(pgp_keyring_t *, const unsigned,
-					const char *);
+// pgp_seckey_t *pgp_decrypt_seckey(const pgp_key_t *, void *);
+
+unsigned 
+pgp_keyring_fileread(
+            pgp_keyring_t *pubring,
+            pgp_keyring_t *secring,
+			const unsigned armour,
+			const char *filename);
+
+unsigned 
+pgp_keyring_read_from_mem(pgp_io_t *io,
+            pgp_keyring_t *pubring,
+            pgp_keyring_t *secring,
+            const unsigned armour,
+            pgp_memory_t *mem);
 
 int pgp_keyring_list(pgp_io_t *, const pgp_keyring_t *, const int);
 int pgp_keyring_json(pgp_io_t *, const pgp_keyring_t *, mj_t *, const int);
 
-void pgp_set_seckey(pgp_contents_t *, const pgp_key_t *);
 void pgp_forget(void *, unsigned);
 
-const uint8_t *pgp_get_key_id(const pgp_key_t *);
-unsigned pgp_get_userid_count(const pgp_key_t *);
-const uint8_t *pgp_get_userid(const pgp_key_t *, unsigned);
-unsigned pgp_is_key_supported(const pgp_key_t *);
+// uint8_t *pgp_add_userid(pgp_key_t *, const uint8_t *);
+unsigned pgp_update_userid(
+        pgp_key_t *key,
+        uint8_t *userid,
+        const pgp_subpacket_t *sigpkt,
+        pgp_sig_info_t *siginfo);
 
-uint8_t *pgp_add_userid(pgp_key_t *, const uint8_t *);
-pgp_subpacket_t *pgp_add_subpacket(pgp_key_t *,
-						const pgp_subpacket_t *);
-pgp_subpacket_t *pgp_replace_subpacket(pgp_key_t *,
-                                       const pgp_subpacket_t *,
-                                       unsigned );
+// pgp_subpacket_t *pgp_add_subpacket(pgp_key_t *,
+// 						const pgp_subpacket_t *);
+// pgp_subpacket_t *pgp_replace_subpacket(pgp_key_t *,
+//                                        const pgp_subpacket_t *,
+//                                        unsigned );
 
 unsigned pgp_add_selfsigned_userid(pgp_key_t *, uint8_t *);
 
 pgp_key_t  *pgp_keydata_new(void);
 void pgp_keydata_init(pgp_key_t *, const pgp_content_enum);
 
-int pgp_parse_and_accumulate(pgp_keyring_t *, pgp_stream_t *);
-
 int pgp_sprint_keydata(pgp_io_t *, const pgp_keyring_t *,
 			const pgp_key_t *, char **, const char *,
 			const pgp_pubkey_t *, const int);
@@ -163,15 +172,42 @@ int pgp_list_packets(pgp_io_t *,
 char *pgp_export_key(pgp_io_t *, const pgp_key_t *, uint8_t *);
 
 int pgp_keyring_add(pgp_keyring_t *, const pgp_key_t *);
-int pgp_add_to_pubring(pgp_keyring_t *, const pgp_pubkey_t *, pgp_content_enum tag);
+// int pgp_add_to_pubring(pgp_keyring_t *, const pgp_pubkey_t *, pgp_content_enum tag);
 pgp_key_t *pgp_ensure_pubkey(
         pgp_keyring_t *,
         pgp_pubkey_t *,
         uint8_t *);
-int pgp_add_to_secring(pgp_keyring_t *, const pgp_seckey_t *);
+pgp_key_t *pgp_ensure_seckey(
+        pgp_keyring_t *keyring,
+        pgp_seckey_t *seckey,
+        uint8_t *pubkeyid);
+unsigned pgp_add_directsig(
+        pgp_key_t *key,
+        const pgp_subpacket_t *sigpkt,
+        pgp_sig_info_t *siginfo);
+unsigned pgp_update_subkey(
+        pgp_key_t *key,
+	    pgp_content_enum subkeytype,
+        pgp_keydata_key_t *subkey,
+        const pgp_subpacket_t *sigpkt,
+        pgp_sig_info_t *siginfo);
+// int pgp_add_to_secring(pgp_keyring_t *, const pgp_seckey_t *);
 
 int pgp_append_keyring(pgp_keyring_t *, pgp_keyring_t *);
 
 pgp_subpacket_t * pgp_copy_packet(pgp_subpacket_t *, const pgp_subpacket_t *);
 uint8_t * pgp_copy_userid(uint8_t **dst, const uint8_t *src);
+
+const int32_t pgp_key_get_uid0(const pgp_key_t *keydata);
+
+const pgp_pubkey_t * pgp_key_get_enckey(const pgp_key_t *key, const uint8_t **id);
+
+const int32_t
+pgp_key_find_uid_cond(
+        const pgp_key_t *key,
+        unsigned(*uidcond) ( uint8_t *, void *),
+        void *uidcondarg,
+        unsigned(*sigcond) ( const pgp_sig_info_t *),
+        time_t	*youngest);
+
 #endif /* KEYRING_H_ */

dist/src/lib/misc.c

@@ -96,105 +96,6 @@ __RCSID("$NetBSD$");
 #define vsnprintf _vsnprintf
 #endif
 
-
-typedef struct {
-	pgp_keyring_t		*keyring;
-} accumulate_t;
-
-/**
- * \ingroup Core_Callbacks
- */
-static pgp_cb_ret_t
-accumulate_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
-{
-	const pgp_contents_t	*content = &pkt->u;
-	pgp_keyring_t		*keyring;
-	accumulate_t		*accumulate;
-
-	if (pgp_get_debug_level(__FILE__)) {
-		(void) fprintf(stderr, "accumulate callback: packet tag %u\n", pkt->tag);
-	}
-	accumulate = pgp_callback_arg(cbinfo);
-	keyring = accumulate->keyring;
-	switch (pkt->tag) {
-	case PGP_PTAG_CT_PUBLIC_KEY:
-	case PGP_PTAG_CT_PUBLIC_SUBKEY:
-		pgp_add_to_pubring(keyring, &content->pubkey, pkt->tag);
-		return PGP_KEEP_MEMORY;
-	case PGP_PTAG_CT_SECRET_KEY:
-	case PGP_PTAG_CT_ENCRYPTED_SECRET_KEY:
-		pgp_add_to_secring(keyring, &content->seckey);
-		return PGP_KEEP_MEMORY;
-	case PGP_PTAG_CT_USER_ID:
-		if (pgp_get_debug_level(__FILE__)) {
-			(void) fprintf(stderr, "User ID: %s for key %d\n",
-					content->userid,
-					keyring->keyc - 1);
-		}
-		if (keyring->keyc == 0) {
-			PGP_ERROR_1(cbinfo->errors, PGP_E_P_NO_USERID, "%s",
-			    "No userid found");
-		} else {
-			pgp_add_userid(&keyring->keys[keyring->keyc - 1], content->userid);
-		}
-		return PGP_KEEP_MEMORY;
-	case PGP_PARSER_PACKET_END:
-		if (keyring->keyc > 0) {
-			pgp_add_subpacket(&keyring->keys[keyring->keyc - 1],
-						&content->packet);
-			return PGP_KEEP_MEMORY;
-		}
-		return PGP_RELEASE_MEMORY;
-	case PGP_PARSER_ERROR:
-		(void) fprintf(stderr, "Error: %s\n", content->error);
-		return PGP_FINISHED;
-	case PGP_PARSER_ERRCODE:
-		(void) fprintf(stderr, "parse error: %s\n",
-				pgp_errcode(content->errcode.errcode));
-		break;
-	default:
-		break;
-	}
-	/* XXX: we now exclude so many things, we should either drop this or */
-	/* do something to pass on copies of the stuff we keep */
-	return pgp_stacked_callback(pkt, cbinfo);
-}
-
-/**
- * \ingroup Core_Parse
- *
- * Parse packets from an input stream until EOF or error.
- *
- * Key data found in the parsed data is added to #keyring.
- *
- * \param keyring Pointer to an existing keyring
- * \param parse Options to use when parsing
-*/
-int 
-pgp_parse_and_accumulate(pgp_keyring_t *keyring, pgp_stream_t *parse)
-{
-	accumulate_t	accumulate;
-	const int	printerrors = 1;
-	int             ret;
-
-	if (parse->readinfo.accumulate) {
-		(void) fprintf(stderr,
-			"pgp_parse_and_accumulate: already init\n");
-		return 0;
-	}
-
-	(void) memset(&accumulate, 0x0, sizeof(accumulate));
-
-	accumulate.keyring = keyring;
-
-	pgp_callback_push(parse, accumulate_cb, &accumulate);
-	parse->readinfo.accumulate = 1;
-	ret = pgp_parse(parse, !printerrors);
-
-	return ret;
-}
-
-
 /** \file
  * \brief Error Handling
  */

dist/src/lib/netpgp.c

@@ -142,7 +142,7 @@ resultp(pgp_io_t *io,
 	pgp_keyring_t *ring)
 {
 	const pgp_key_t	*key;
-	pgp_pubkey_t		*sigkey;
+	const pgp_pubkey_t		*sigkey;
 	unsigned		 from;
 	unsigned		 i;
 	time_t			 t;
@@ -165,11 +165,6 @@ resultp(pgp_io_t *io,
 		key = pgp_getkeybyid(io, ring,
 			(const uint8_t *) res->valid_sigs[i].signer_id,
 			&from, &sigkey);
-		if (sigkey == &key->enckey) {
-			(void) fprintf(io->res,
-				"WARNING: signature for %s made with encryption key\n",
-				(f) ? f : "<stdin>");
-		}
 		pgp_print_keydata(io, ring, key, "signature ", &key->key.pubkey, 0);
 	}
 }
@@ -223,10 +218,12 @@ findvar(netpgp_t *netpgp, const char *name)
 }
 
 /* read a keyring and return it */
-static void *
-readkeyring(netpgp_t *netpgp, const char *name)
+static unsigned
+readkeyring(netpgp_t *netpgp,
+            const char *name, 
+            pgp_keyring_t *pubring,
+            pgp_keyring_t *secring)
 {
-	pgp_keyring_t	*keyring;
 	const unsigned	 noarmor = 0;
 	char		 f[MAXPATHLEN];
 	char		*filename;
@@ -237,17 +234,12 @@ readkeyring(netpgp_t *netpgp, const char *name)
 		(void) snprintf(f, sizeof(f), "%s/%s.gpg", homedir, name);
 		filename = f;
 	}
-	if ((keyring = calloc(1, sizeof(*keyring))) == NULL) {
-		(void) fprintf(stderr, "readkeyring: bad alloc\n");
-		return NULL;
-	}
-	if (!pgp_keyring_fileread(keyring, noarmor, filename)) {
-		free(keyring);
+	if (!pgp_keyring_fileread(pubring, secring, noarmor, filename)) {
 		(void) fprintf(stderr, "Can't read %s %s\n", name, filename);
-		return NULL;
+		return 0;
 	}
 	netpgp_setvar(netpgp, name, filename);
-	return keyring;
+	return 1;
 }
 
 /* read keys from ssh key files */
@@ -342,7 +334,7 @@ get_first_ring(pgp_keyring_t *ring, char *id, size_t len, int last)
 		return 0;
 	}
 	(void) memset(id, 0x0, len);
-	src = ring->keys[(last) ? ring->keyc - 1 : 0].sigid;
+	src = ring->keys[(last) ? ring->keyc - 1 : 0].pubkeyid;
 	for (i = 0, n = 0 ; i < PGP_KEY_ID_SIZE ; i += 2) {
 		n += snprintf(&id[n], len - n, "%02x%02x", src[i], src[i + 1]);
 	}
@@ -457,7 +449,7 @@ appendkey(pgp_io_t *io, pgp_key_t *key, char *ringfile)
 		(void) fprintf(io->errs, "can't open pubring '%s'\n", ringfile);
 		return 0;
 	}
-	if (!pgp_write_xfer_pubkey(create, key, noarmor)) {
+	if (!pgp_write_xfer_key(create, key, noarmor)) {
 		(void) fprintf(io->errs, "Cannot write pubkey\n");
 		return 0;
 	}
@@ -721,43 +713,43 @@ formatbignum(char *buffer, BIGNUM *bn)
 
 #define MAX_PASSPHRASE_ATTEMPTS	3
 #define INFINITE_ATTEMPTS	-1
-
-/* get the passphrase from the user */
-static int
-find_passphrase(FILE *passfp, const char *id, char *passphrase, size_t size, int attempts)
-{
-	char	 prompt[BUFSIZ];
-	char	 buf[128];
-	char	*cp;
-	int	 cc;
-	int	 i;
-
-	if (passfp) {
-		if (fgets(passphrase, (int)size, passfp) == NULL) {
-			return 0;
-		}
-		return (int)strlen(passphrase);
-	}
-	for (i = 0 ; i < attempts ; i++) {
-		(void) snprintf(prompt, sizeof(prompt), "Enter passphrase for %.16s: ", id);
-		if ((cp = getpass(prompt)) == NULL) {
-			break;
-		}
-		cc = snprintf(buf, sizeof(buf), "%s", cp);
-		(void) snprintf(prompt, sizeof(prompt), "Repeat passphrase for %.16s: ", id);
-		if ((cp = getpass(prompt)) == NULL) {
-			break;
-		}
-		cc = snprintf(passphrase, size, "%s", cp);
-		if (strcmp(buf, passphrase) == 0) {
-			(void) memset(buf, 0x0, sizeof(buf));
-			return cc;
-		}
-	}
-	(void) memset(buf, 0x0, sizeof(buf));
-	(void) memset(passphrase, 0x0, size);
-	return 0;
-}
+// FIXME support passphrase again 
+// /* get the passphrase from the user */
+// static int
+// find_passphrase(FILE *passfp, const char *id, char *passphrase, size_t size, int attempts)
+// {
+// 	char	 prompt[BUFSIZ];
+// 	char	 buf[128];
+// 	char	*cp;
+// 	int	 cc;
+// 	int	 i;
+// 
+// 	if (passfp) {
+// 		if (fgets(passphrase, (int)size, passfp) == NULL) {
+// 			return 0;
+// 		}
+// 		return (int)strlen(passphrase);
+// 	}
+// 	for (i = 0 ; i < attempts ; i++) {
+// 		(void) snprintf(prompt, sizeof(prompt), "Enter passphrase for %.16s: ", id);
+// 		if ((cp = getpass(prompt)) == NULL) {
+// 			break;
+// 		}
+// 		cc = snprintf(buf, sizeof(buf), "%s", cp);
+// 		(void) snprintf(prompt, sizeof(prompt), "Repeat passphrase for %.16s: ", id);
+// 		if ((cp = getpass(prompt)) == NULL) {
+// 			break;
+// 		}
+// 		cc = snprintf(passphrase, size, "%s", cp);
+// 		if (strcmp(buf, passphrase) == 0) {
+// 			(void) memset(buf, 0x0, sizeof(buf));
+// 			return cc;
+// 		}
+// 	}
+// 	(void) memset(buf, 0x0, sizeof(buf));
+// 	(void) memset(passphrase, 0x0, size);
+// 	return 0;
+// }
 
 /***************************************************************************/
 /* exported functions start here */
@@ -840,9 +832,20 @@ netpgp_init(netpgp_t *netpgp)
 		return 0;
 	}
 	if (netpgp_getvar(netpgp, "ssh keys") == NULL) {
-		/* read from ordinary pgp keyrings */
-		netpgp->pubring = readkeyring(netpgp, "pubring");
-		if (netpgp->pubring == NULL) {
+		
+        if ((netpgp->pubring = calloc(1, sizeof(pgp_keyring_t))) == NULL) {
+            (void) fprintf(io->errs, "Can't alloc pubring\n");
+            return 0;
+        }
+        if ((netpgp->secring = calloc(1, sizeof(pgp_keyring_t))) == NULL) {
+            (void) fprintf(io->errs, "Can't alloc secring\n");
+            return 0;
+        }
+
+		if (!readkeyring(netpgp, 
+                        "pubring", 
+                        netpgp->pubring, 
+                        netpgp->secring)) {
 			(void) fprintf(io->errs, "Can't read pub keyring\n");
 			return 0;
 		}
@@ -858,8 +861,10 @@ netpgp_init(netpgp_t *netpgp)
 		/* only read secret keys if we need to */
 		if (netpgp_getvar(netpgp, "need seckey")) {
 			/* read the secret ring */
-			netpgp->secring = readkeyring(netpgp, "secring");
-			if (netpgp->secring == NULL) {
+            if (!readkeyring(netpgp, 
+                            "secring", 
+                            netpgp->pubring, 
+                            netpgp->secring)) {
 				(void) fprintf(io->errs, "Can't read sec keyring\n");
 				return 0;
 			}
@@ -1192,16 +1197,7 @@ netpgp_save_ring(netpgp_t           *netpgp,
     }
 
     for (n = 0, key = keyring->keys; n < keyring->keyc; ++n, ++key) {
-        /* Dump raw key packets to ring file */
-	    unsigned j;
-        for (j = 0; j < key->packetc; j++) {
-            if (!pgp_write(output, key->packets[j].raw, (unsigned)key->packets[j].length)) {
-                err = 1;
-                (void) fprintf(io->errs, 
-                    "netpgp_save_%s : couldn't save key #%d\n", name, n);
-                break;
-            }
-        }
+        pgp_write_xfer_key(output, key, 1);
     }
 
     pgp_teardown_file_write(output, fd);
@@ -1246,7 +1242,10 @@ netpgp_import_key(netpgp_t *netpgp, char *f)
 
 	io = netpgp->io;
 	realarmor = isarmoured(io, f, NULL, IMPORT_ARMOR_HEAD);
-	done = pgp_keyring_fileread(netpgp->pubring, realarmor, f);
+	done = pgp_keyring_fileread(
+            netpgp->pubring,
+            netpgp->secring,
+            realarmor, f);
 	if (!done) {
 		(void) fprintf(io->errs, "Cannot import key from file %s\n", f);
 		return 0;
@@ -1265,7 +1264,7 @@ netpgp_generate_key(netpgp_t *netpgp, char *id, int numbits)
 	pgp_key_t		*key;
 	pgp_io_t		*io;
 	uint8_t			*uid;
-	char			 passphrase[128];
+	/*char			 passphrase[128];*/
 	char			 newid[1024];
 	char			 filename[MAXPATHLEN];
 	char			 dir[MAXPATHLEN];
@@ -1273,7 +1272,7 @@ netpgp_generate_key(netpgp_t *netpgp, char *id, int numbits)
 	char			*ringfile;
 	char			*numtries;
 	int             	 attempts;
-	int             	 passc;
+	/*int             	 passc;*/
 	int             	 fd;
 	int             	 cc;
 
@@ -1329,8 +1328,9 @@ netpgp_generate_key(netpgp_t *netpgp, char *id, int numbits)
 	} else if (strcmp(numtries, "unlimited") == 0) {
 		attempts = INFINITE_ATTEMPTS;
 	}
-	passc = find_passphrase(netpgp->passfp, &cp[ID_OFFSET], passphrase, sizeof(passphrase), attempts);
-	if (!pgp_write_xfer_seckey(create, key, (uint8_t *)passphrase, (const unsigned)passc, noarmor)) {
+	/* TODO use passphrase again */
+    /* passc = find_passphrase(netpgp->passfp, &cp[ID_OFFSET], passphrase, sizeof(passphrase), attempts);*/
+	if (!pgp_write_xfer_key(create, key, noarmor)) {
 		(void) fprintf(io->errs, "Cannot write seckey\n");
 		return 0;
 	}
@@ -1423,7 +1423,7 @@ netpgp_sign_file(netpgp_t *netpgp,
 	const pgp_key_t		*keypair;
 	const pgp_key_t		*pubkey;
 	const unsigned		 overwrite = 1;
-	pgp_seckey_t		*seckey;
+	const pgp_seckey_t		*seckey;
 	const char		*hashalg;
 	pgp_io_t		*io;
 	char			*numtries;
@@ -1464,7 +1464,9 @@ netpgp_sign_file(netpgp_t *netpgp,
 		}
 		if (netpgp_getvar(netpgp, "ssh keys") == NULL) {
 			/* now decrypt key */
-			seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
+			seckey = pgp_get_seckey(keypair);
+                // FIXME : support encrypted seckeys again
+                // seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
 			if (seckey == NULL) {
 				(void) fprintf(io->errs, "Bad passphrase\n");
 			}
@@ -1497,7 +1499,8 @@ netpgp_sign_file(netpgp_t *netpgp,
 				(unsigned)armored, (unsigned)cleartext,
 				overwrite);
 	}
-	pgp_forget(seckey, (unsigned)sizeof(*seckey));
+    /* FIXME should forget if key would have been unencrypted */
+	// pgp_forget(seckey, (unsigned)sizeof(*seckey));
 	return ret;
 }
 
@@ -1552,7 +1555,7 @@ netpgp_sign_memory(netpgp_t *netpgp,
 {
 	const pgp_key_t		*keypair;
 	const pgp_key_t		*pubkey;
-	pgp_seckey_t		*seckey;
+	const pgp_seckey_t		*seckey;
 	pgp_memory_t		*signedmem;
 	const char		*hashalg;
 	pgp_io_t		*io;
@@ -1592,7 +1595,9 @@ netpgp_sign_memory(netpgp_t *netpgp,
 			}
 		}
 		/* now decrypt key */
-		seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
+        seckey = pgp_get_seckey(keypair);
+            // FIXME : support encrypted seckeys again
+            // seckey = pgp_decrypt_seckey(keypair, netpgp->passfp);
 		if (seckey == NULL) {
 			(void) fprintf(io->errs, "Bad passphrase\n");
 		}
@@ -1621,7 +1626,7 @@ netpgp_sign_memory(netpgp_t *netpgp,
 	} else {
 		ret = 0;
 	}
-	pgp_forget(seckey, (unsigned)sizeof(*seckey));
+	// pgp_forget(seckey, (unsigned)sizeof(*seckey));
 	return ret;
 }
 
@@ -1832,7 +1837,7 @@ netpgp_list_packets(netpgp_t *netpgp, char *f, int armor, char *pubringname)
 		(void) fprintf(io->errs, "netpgp_list_packets: bad alloc\n");
 		return 0;
 	}
-	if (!pgp_keyring_fileread(keyring, noarmor, pubringname)) {
+	if (!pgp_keyring_fileread(keyring, NULL, noarmor, pubringname)) {
 		free(keyring);
 		(void) fprintf(io->errs, "Cannot read pub keyring %s\n",
 			pubringname);
@@ -1959,9 +1964,8 @@ netpgp_set_homedir(netpgp_t *netpgp, char *home, const char *subdir, const int q
 int
 netpgp_validate_sigs(netpgp_t *netpgp)
 {
-	pgp_validation_t	result;
-
-	return (int)pgp_validate_all_sigs(&result, netpgp->pubring, NULL);
+    /* keys in keyring are now forced to be valid */
+	return 1;
 }
 
 /* print the json out on 'fp' */
@@ -2024,7 +2028,7 @@ netpgp_write_sshkey(netpgp_t *netpgp, char *s, const char *userid, char *out, si
 		(void) fprintf(stderr, "netpgp_save_sshpub: bad alloc 2\n");
 		goto done;
 	}
-	if (!pgp_keyring_fileread(netpgp->pubring = keyring, 1, f)) {
+	if (!pgp_keyring_fileread(netpgp->pubring = keyring, NULL, 1, f)) {
 		(void) fprintf(stderr, "can't import key\n");
 		goto done;
 	}

dist/src/lib/openssl_crypto.c

@@ -736,8 +736,8 @@ pgp_rsa_generate_keypair(pgp_key_t *keydata,
 
 	RSA_free(rsa);
 
-	pgp_keyid(keydata->sigid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
-	pgp_fingerprint(&keydata->sigfingerprint, &keydata->key.seckey.pubkey, seckey->hash_alg);
+	pgp_keyid(keydata->pubkeyid, PGP_KEY_ID_SIZE, &keydata->key.seckey.pubkey, seckey->hash_alg);
+	pgp_fingerprint(&keydata->pubkeyfpr, &keydata->key.seckey.pubkey, seckey->hash_alg);
 
 	/* Generate checksum */
 
@@ -783,12 +783,7 @@ pgp_rsa_generate_keypair(pgp_key_t *keydata,
 
 	if (!pgp_write_struct_seckey(seckey, passphrase, pplen, output)) {
 		return 0;
-	}else{
-    	pgp_subpacket_t	 seckeypacket;
-        seckeypacket.length = pgp_mem_len(mem);
-        seckeypacket.raw = pgp_mem_data(mem);
-	    (void) pgp_add_subpacket(keydata, &seckeypacket);
-    }
+	}
 
 	pgp_writer_close(output);
 	pgp_teardown_memory_write(output, mem);

dist/src/lib/packet-parse.c

@@ -1256,6 +1256,7 @@ pgp_pubkey_free(pgp_pubkey_t *p)
 	default:
 		(void) fprintf(stderr, "pgp_pubkey_free: bad alg\n");
 	}
+    memset(p, 0, sizeof(*p));
 }
 
 int 
@@ -2424,6 +2425,7 @@ pgp_seckey_free(pgp_seckey_t *key)
 	}
 	free(key->checkhash);
     pgp_pubkey_free(&key->pubkey);
+    memset(key, 0, sizeof(*key));
 }
 
 int 

dist/src/lib/packet-print.c

@@ -366,26 +366,38 @@ psubkeybinding(char *buf, size_t size, const pgp_key_t *key, const char *expired
 {
 	char	keyid[512];
 	char	t[32];
+    const uint8_t *encid;
+    const pgp_pubkey_t *enckey = pgp_key_get_enckey(key, &encid);
 
 	return snprintf(buf, size, "encryption %d/%s %s %s %s\n",
-		numkeybits(&key->enckey),
-		pgp_show_pka(key->enckey.alg),
-		strhexdump(keyid, key->encid, PGP_KEY_ID_SIZE, ""),
-		ptimestr(t, sizeof(t), key->enckey.birthtime),
+		numkeybits(enckey),
+		pgp_show_pka(enckey->alg),
+		strhexdump(keyid, encid, PGP_KEY_ID_SIZE, ""),
+		ptimestr(t, sizeof(t), enckey->birthtime),
 		expired);
 }
 
+static unsigned uidmatch ( uint8_t *id, void *arg){
+    const char *refuid = arg;
+    return (strcmp((const char*)id, refuid) == 0);
+}
+
 static int
 isrevoked(const pgp_key_t *key, unsigned uid)
 {
-	unsigned	r;
+    return (pgp_key_find_uid_cond(key, &uidmatch, (void*)(key->uids[uid]),
+                                  NULL,0) == -1)? 
+            0 :  /* None found ? -> revoked (or expired) -> 0*/
+            -1 ; /* Found one -> not revoked -> -1 */
+}
 
-	for (r = 0 ; r < key->revokec ; r++) {
-		if (key->revokes[r].uid == uid) {
-			return r;
-		}
-	}
-	return -1;
+static int
+iskeyrevoked(const pgp_key_t *key)
+{
+    return (pgp_key_find_uid_cond(key, NULL, NULL,
+                                  NULL,0) == -1)? 
+            0 :  /* None found ? -> revoked (or expired) -> 0*/
+            -1 ; /* Found one -> not revoked -> -1 */
 }
 
 #ifndef KB
@@ -410,9 +422,8 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 	char			 t[32];
 	int			 cc;
 	int			 n;
-	int			 r;
 
-	if (key == NULL || key->revoked) {
+	if (key == NULL || iskeyrevoked(key)) {
 		return -1;
 	}
 	now = time(NULL);
@@ -428,10 +439,6 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 		expired[0] = 0x0;
 	}
 	for (i = 0, n = 0; i < key->uidc; i++) {
-		if ((r = isrevoked(key, i)) >= 0 &&
-		    key->revokes[r].code == PGP_REVOCATION_COMPROMISED) {
-			continue;
-		}
 		n += snprintf(&uidbuf[n], sizeof(uidbuf) - n, "uid%s%s%s\n",
 				(psigs) ? "    " : "              ",
 				key->uids[i],
@@ -458,7 +465,7 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 					"sig        %s  %s  %s\n",
 					strhexdump(keyid, key->uidsigs[j].siginfo.signer_id, PGP_KEY_ID_SIZE, ""),
 					ptimestr(t, sizeof(t), key->uidsigs[j].siginfo.birthtime),
-					(trustkey) ? (char *)trustkey->uids[trustkey->uid0] : "[unknown]");
+					(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "[unknown]");
 			}
 		}
 	}
@@ -466,10 +473,10 @@ pgp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 		header,
 		numkeybits(pubkey),
 		pgp_show_pka(pubkey->alg),
-		strhexdump(keyid, key->sigid, PGP_KEY_ID_SIZE, ""),
+		strhexdump(keyid, key->pubkeyid, PGP_KEY_ID_SIZE, ""),
 		ptimestr(t, sizeof(t), pubkey->birthtime),
 		expired,
-		strhexdump(fp, key->sigfingerprint.fingerprint, key->sigfingerprint.length, " "),
+		strhexdump(fp, key->pubkeyfpr.fingerprint, key->pubkeyfpr.length, " "),
 		uidbuf);
 }
 
@@ -486,9 +493,8 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
 	mj_t			 sub_obj;
 	char			 keyid[PGP_KEY_ID_SIZE * 3];
 	char			 fp[(PGP_FINGERPRINT_SIZE * 3) + 1];
-	int			 r;
 
-	if (key == NULL || key->revoked) {
+	if (key == NULL || iskeyrevoked(key)) {
 		return -1;
 	}
 	(void) memset(keyjson, 0x0, sizeof(*keyjson));
@@ -496,20 +502,16 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
 	mj_append_field(keyjson, "header", "string", header, -1);
 	mj_append_field(keyjson, "key bits", "integer", (int64_t) numkeybits(pubkey));
 	mj_append_field(keyjson, "pka", "string", pgp_show_pka(pubkey->alg), -1);
-	mj_append_field(keyjson, "key id", "string", strhexdump(keyid, key->sigid, PGP_KEY_ID_SIZE, ""), -1);
+	mj_append_field(keyjson, "key id", "string", strhexdump(keyid, key->pubkeyid, PGP_KEY_ID_SIZE, ""), -1);
 	mj_append_field(keyjson, "fingerprint", "string",
-		strhexdump(fp, key->sigfingerprint.fingerprint, key->sigfingerprint.length, " "), -1);
+		strhexdump(fp, key->pubkeyfpr.fingerprint, key->pubkeyfpr.length, " "), -1);
 	mj_append_field(keyjson, "birthtime", "integer", pubkey->birthtime);
 	mj_append_field(keyjson, "duration", "integer", pubkey->duration);
 	for (i = 0; i < key->uidc; i++) {
-		if ((r = isrevoked(key, i)) >= 0 &&
-		    key->revokes[r].code == PGP_REVOCATION_COMPROMISED) {
-			continue;
-		}
 		(void) memset(&sub_obj, 0x0, sizeof(sub_obj));
 		mj_create(&sub_obj, "array");
 		mj_append(&sub_obj, "string", key->uids[i], -1);
-		mj_append(&sub_obj, "string", (r >= 0) ? "[REVOKED]" : "", -1);
+		//mj_append(&sub_obj, "string", (r >= 0) ? "[REVOKED]" : "", -1);
 		mj_append_field(keyjson, "uid", "array", &sub_obj);
 		mj_delete(&sub_obj);
 		for (j = 0 ; j < key->uidsigc ; j++) {
@@ -528,12 +530,14 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
 			mj_create(&sub_obj, "array");
 			if (key->uidsigs[j].siginfo.version == 4 &&
 					key->uidsigs[j].siginfo.type == PGP_SIG_SUBKEY) {
-				mj_append(&sub_obj, "integer", (int64_t)numkeybits(&key->enckey));
+                const uint8_t *encid;
+                const pgp_pubkey_t *enckey = pgp_key_get_enckey(key, &encid);
+				mj_append(&sub_obj, "integer", (int64_t)numkeybits(enckey));
 				mj_append(&sub_obj, "string",
-					(const char *)pgp_show_pka(key->enckey.alg), -1);
+					(const char *)pgp_show_pka(enckey->alg), -1);
 				mj_append(&sub_obj, "string",
-					strhexdump(keyid, key->encid, PGP_KEY_ID_SIZE, ""), -1);
-				mj_append(&sub_obj, "integer", (int64_t)key->enckey.birthtime);
+					strhexdump(keyid, encid, PGP_KEY_ID_SIZE, ""), -1);
+				mj_append(&sub_obj, "integer", (int64_t)enckey->birthtime);
 				mj_append_field(keyjson, "encryption", "array", &sub_obj);
 				mj_delete(&sub_obj);
 			} else {
@@ -544,7 +548,7 @@ pgp_sprint_mj(pgp_io_t *io, const pgp_keyring_t *keyring,
 				from = 0;
 				trustkey = pgp_getkeybyid(io, keyring, key->uidsigs[j].siginfo.signer_id, &from, NULL);
 				mj_append(&sub_obj, "string",
-					(trustkey) ? (char *)trustkey->uids[trustkey->uid0] : "[unknown]", -1);
+					(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "[unknown]", -1);
 				mj_append_field(keyjson, "sig", "array", &sub_obj);
 				mj_delete(&sub_obj);
 			}
@@ -574,7 +578,7 @@ pgp_hkp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 	char		 	 fp[(PGP_FINGERPRINT_SIZE * 3) + 1];
 	int		 	 n;
 
-	if (key->revoked) {
+	if (iskeyrevoked(key)) {
 		return -1;
 	}
 	for (i = 0, n = 0; i < key->uidc; i++) {
@@ -610,12 +614,12 @@ pgp_hkp_sprint_keydata(pgp_io_t *io, const pgp_keyring_t *keyring,
 					"sig:%s:%lld:%s\n",
 					strhexdump(keyid, key->uidsigs[j].siginfo.signer_id, PGP_KEY_ID_SIZE, ""),
 					(long long)key->uidsigs[j].siginfo.birthtime,
-					(trustkey) ? (char *)trustkey->uids[trustkey->uid0] : "");
+					(trustkey) ? (char *)trustkey->uids[pgp_key_get_uid0(trustkey)] : "");
 			}
 		}
 	}
 	return pgp_asprintf(buf, "pub:%s:%d:%d:%lld:%lld\n%s",
-		strhexdump(fp, key->sigfingerprint.fingerprint, PGP_FINGERPRINT_SIZE, ""),
+		strhexdump(fp, key->pubkeyfpr.fingerprint, PGP_FINGERPRINT_SIZE, ""),
 		pubkey->alg,
 		numkeybits(pubkey),
 		(long long)pubkey->birthtime,
@@ -689,8 +693,8 @@ pgp_sprint_pubkey(const pgp_key_t *key, char *out, size_t outsize)
 	int	cc;
 
 	cc = snprintf(out, outsize, "key=%s\nname=%s\ncreation=%lld\nexpiry=%lld\nversion=%d\nalg=%d\n",
-		strhexdump(fp, key->sigfingerprint.fingerprint, PGP_FINGERPRINT_SIZE, ""),
-		key->uids[key->uid0],
+		strhexdump(fp, key->pubkeyfpr.fingerprint, PGP_FINGERPRINT_SIZE, ""),
+		key->uids[pgp_key_get_uid0(key)],
 		(long long)key->key.pubkey.birthtime,
 		(long long)key->key.pubkey.days_valid,
 		key->key.pubkey.version,

dist/src/lib/packet.h

@@ -640,6 +640,16 @@ typedef struct pgp_sig_info_t {
 	unsigned	 primary_userid:1;
 } pgp_sig_info_t;
 
+typedef enum {
+	PGP_KEYFLAG_CERT_KEYS = 0x01,
+	PGP_KEYFLAG_SIGN_DATA = 0x02,
+	PGP_KEYFLAG_ENC_COMM = 0x04,
+	PGP_KEYFLAG_ENC_STORAGE = 0x08,
+	PGP_KEYFLAG_SPLIT = 0x10,
+	PGP_KEYFLAG_AUTH = 0x20,
+	PGP_KEYFLAG_GROUP = 0x80
+} pgp_key_flags_t;
+
 /** Struct used when parsing a signature */
 typedef struct pgp_sig_t {
 	pgp_sig_info_t info;	/* The signature information */
@@ -948,21 +958,12 @@ typedef union {
 	pgp_seckey_t seckey;
 } pgp_keydata_key_t;
 
-/* user revocation info */
-typedef struct pgp_revoke_t {
-	uint32_t		 uid;		/* index in uid array */
-	uint8_t			 code;		/* revocation code */
-	char			*reason;	/* c'mon, spill the beans */
-	pgp_subpacket_t	*packet;
-} pgp_revoke_t;
-
 /** userid signature subpackets */
 typedef struct pgp_uidsig_t {
 	uint32_t		uid;		/* index in userid array in key */
 	pgp_sig_info_t		siginfo;
 	uint8_t			trustlevel;	/* level of trust */
 	uint8_t			trustamount;	/* amount of trust */
-	uint8_t			revoked;	/* sigs revokes uid */
 	pgp_subpacket_t	packet;
 } pgp_uidsig_t;
 
@@ -970,7 +971,6 @@ typedef struct pgp_uidsig_t {
 typedef struct pgp_subkeysig_t {
 	uint32_t		subkey;		/* index of subkey in array */
 	pgp_sig_info_t		siginfo;
-	uint8_t			revoked;	/* sigs revokes subkey */
 	pgp_subpacket_t	packet;
 } pgp_subkeysig_t;
 
@@ -989,39 +989,19 @@ struct pgp_key_t {
 	pgp_content_enum	type;		/* type of key */
 	pgp_keydata_key_t	key;		/* pubkey/seckey data */
 
-    /* TODO remove */
-	DYNARRAY(pgp_subpacket_t, packet);	/* array of raw subpackets */
+	DYNARRAY(pgp_directsig_t, directsig);		/* direct signatures */
 
 	DYNARRAY(uint8_t *, uid);		/* array of user ids */
 	DYNARRAY(pgp_uidsig_t, uidsig);	/* array of signature for user ids */
-    /* TODO remove */
-	uint32_t		uid0;		/* primary uid index in uids array */
 
     /* TODO user attributes */
 
-    /* TODO remove */
-	DYNARRAY(pgp_revoke_t, revoke);	/* array of signature revocations */
-
 	DYNARRAY(pgp_subkey_t,	subkey);	/* array of subkeys */
 	DYNARRAY(pgp_subkeysig_t, subkeysig);	/* array of sigs for subkeys */
 	
-	pgp_pubkey_t		sigkey;		/* signature key */
-	uint8_t			sigid[PGP_KEY_ID_SIZE];
-	pgp_fingerprint_t	sigfingerprint;	/* pgp signature fingerprint */
-
-	pgp_pubkey_t		enckey;		/* encryption key */
-	uint8_t			encid[PGP_KEY_ID_SIZE];
-	pgp_fingerprint_t	encfingerprint;	/* pgp encryption id fingerprint */
-
-	DYNARRAY(pgp_directsig_t, directsig);		/* direct signatures */
-
-	uint8_t			revoked;	/* key has been revoked */
-	pgp_sig_info_t		revokeinfo;		/* trust signature */
-	pgp_subpacket_t	    revokepacket;
-    /* TODO remove */
-	pgp_revoke_t		revocation;	/* revocation reason */
+	uint8_t			pubkeyid[PGP_KEY_ID_SIZE];
+	pgp_fingerprint_t	pubkeyfpr;	/* pgp signature fingerprint */
 };
 
 #define MDC_PKT_TAG	0xd3
-
 #endif /* PACKET_H_ */

dist/src/lib/reader.c

@@ -2252,7 +2252,9 @@ pgp_get_seckey_cb(const pgp_packet_t *pkt, pgp_cbdata_t *cbinfo)
 			pgp_print_keydata(io, cbinfo->cryptinfo.pubring, pubkey,
 				"signature ", &pubkey->key.pubkey, 0);
 			/* now decrypt key */
-			secret = pgp_decrypt_seckey(keypair, cbinfo->passfp);
+			secret = pgp_get_seckey(keypair);
+                // FIXME : support encrypted seckeys again
+                // pgp_decrypt_seckey(keypair, cbinfo->passfp);
 			if (secret != NULL) {
 				break;
 			}

dist/src/lib/signature.c

@@ -87,19 +87,6 @@ __RCSID("$NetBSD$");
 #include "netpgpdigest.h"
 
 
-/** \ingroup Core_Create
- * needed for signature creation
- */
-struct pgp_create_sig_t {
-	pgp_hash_t		 hash;
-	pgp_sig_t		 sig;