Page MenuHome GnuPG
Create Task
Maniphest T6753

Kleopatra: Review usage of Key::canEncrypt and replace with hasEncrypt where appropriate
Testing, NormalPublic
Actions

Description

If we are looking for a certificate which can be used for encryption (regardless of expiration, revocation, etc.), then we need to use the new Key::hasEncrypt (added with T6748) because Key::canEncrypt returns false for an expired OpenPGP certificate with encryption subkey and non-encryption primary key.

Similar problems could occur when looking for signing certificates or authentication certificates.

This task tracks the changes that are not directly related to T6743: Libkleo Keyresolver: check for existing encryption subkey instead valid one, as first step.

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEO549e093333ea Add compat helpers for new hasCertify, hasSign, etc. methods of GpgME::Key
rLIBKLEO6e8f01222c59 Use hasX instead of canX to check key capabilities
rLIBKLEOe9e527fb9d9b Add support for hasCertify, hasSign, etc. methods of GpgME::Key
rLIBKLEOd6678bc03a08 Use hasX instead of canX to check key capabilities
rLIBKLEO961ba7af666b Add support for new Key::hasX capability checks to KConfigBasedKeyFilter
rLIBKLEO27a82e9da227 Use hasEncrypt instead of canEncrypt to check for encryption keys
rLIBKLEOe18ef83d2070 Use new key flags to check for sign and encryption capability
rKLEOPATRA Kleopatra
rKLEOPATRA55d683fe117e Use new key flags to check for certify capability
rKLEOPATRA513030f91f51 Use new key flags to check for sign capability
rKLEOPATRA4262ff99cbc1 Use new key flags to check for sign and encryption capability
rKLEOPATRA20d9415dce1b Don't filter out expired signing/encryption certificates

Related Objects

Event Timeline

ikloecker claimed this task.Oct 9 2023, 9:58 AM
ikloecker triaged this task as Normal priority.
ikloecker created this task.
ikloecker updated the task description. (Show Details)Oct 9 2023, 10:30 AM
ikloecker added a commit: rKLEOPATRA20d9415dce1b: Don't filter out expired signing/encryption certificates.Oct 9 2023, 12:26 PM
ikloecker added a commit: rKLEOPATRA4262ff99cbc1: Use new key flags to check for sign and encryption capability.
ikloecker added a commit: rKLEOPATRA513030f91f51: Use new key flags to check for sign capability.
ikloecker added a commit: rKLEOPATRA55d683fe117e: Use new key flags to check for certify capability.
ikloecker added a commit: rLIBKLEOe18ef83d2070: Use new key flags to check for sign and encryption capability.
ikloecker added commits: rLIBKLEO27a82e9da227: Use hasEncrypt instead of canEncrypt to check for encryption keys, rLIBKLEO961ba7af666b: Add support for new Key::hasX capability checks to KConfigBasedKeyFilter, rLIBKLEOd6678bc03a08: Use hasX instead of canX to check key capabilities, rLIBKLEOe9e527fb9d9b: Add support for hasCertify, hasSign, etc. methods of GpgME::Key, rLIBKLEO6e8f01222c59: Use hasX instead of canX to check key capabilities, rLIBKLEO549e093333ea: Add compat helpers for new hasCertify, hasSign, etc. methods of GpgME::Key.Oct 9 2023, 2:07 PM
ikloecker added a comment.Oct 10 2023, 9:50 AM

The changes are best reviewed by a developer to check that I didn't make a mistake when I replaced usage of the canSign, canEncrypt, etc. methods with the new hasSign, hasEncrypt, etc. methods or the corresponding compatibility helpers keyHasSign, etc..

ikloecker changed the task status from Open to Testing.Oct 31 2023, 9:26 AM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

The changes affect:

  • State of "Clipboard -> OpenPGP Sign" action in tray icon context menu
  • Selection of signing key in "OpenPGP Sign Clipboard" dialog
  • Selection of encryption key in "Sign/Encrypt" via dialog
  • Selection of recipients in "Encrypt Clipboard" dialog
  • Usage information in tool tips for certificates in main certificate list

In the above cases, expired keys with sign/encrypt subkeys but without sign/encrypt primary key may now be selectable as sign/encrypt keys. And the usage info in the tool tips should show the capabilities even for expired keys.

Nothing should have changed to before here:

  • Selection of certification key in Certify dialogs
  • State of "Revoke User ID" button/context menu entry in Certificate Details dialog
  • Write certificate to PIV card
  • Key selection when writing key to PIV card