ENGINE-583: removed the cert check (neal says this is the right thing to do) and refactored pgp_key_expired ENGINE-559
authorKrista 'DarthMama' Bennett <krista@pep.foundation>
Tue, 09 Jul 2019 12:50:59 +0200
branchENGINE-559
changeset 39190700d69d0210
parent 3917 6d33fd0289b2
child 3926 4b83788c7a45
ENGINE-583: removed the cert check (neal says this is the right thing to do) and refactored pgp_key_expired
src/pgp_sequoia.c
test/src/engine_tests/IOS1664Tests.cc
     1.1 --- a/src/pgp_sequoia.c	Tue Jul 09 12:30:56 2019 +0200
     1.2 +++ b/src/pgp_sequoia.c	Tue Jul 09 12:50:59 2019 +0200
     1.3 @@ -15,7 +15,7 @@
     1.4  
     1.5  #include "wrappers.h"
     1.6  
     1.7 -#define TRACING 1
     1.8 +#define TRACING 0
     1.9  #ifndef TRACING
    1.10  #  ifndef NDEBUG
    1.11  #    define TRACING 0
    1.12 @@ -2393,6 +2393,245 @@
    1.13      return PEP_UNKNOWN_ERROR;
    1.14  }
    1.15  
    1.16 +
    1.17 +PEP_STATUS pgp_renew_key(
    1.18 +    PEP_SESSION session, const char *fpr, const timestamp *ts)
    1.19 +{
    1.20 +    PEP_STATUS status = PEP_STATUS_OK;
    1.21 +    pgp_error_t err = NULL;
    1.22 +    pgp_tpk_t tpk = NULL;
    1.23 +    pgp_tpk_key_iter_t iter = NULL;
    1.24 +    pgp_key_pair_t keypair = NULL;
    1.25 +    pgp_signer_t signer = NULL;
    1.26 +    time_t t = mktime((struct tm *) ts);
    1.27 +
    1.28 +    T("(%s)", fpr);
    1.29 +
    1.30 +    status = tpk_find_by_fpr_hex(session, fpr, true, &tpk, NULL);
    1.31 +    ERROR_OUT(NULL, status, "Looking up '%s'", fpr);
    1.32 +
    1.33 +    uint32_t creation_time = pgp_key_creation_time(pgp_tpk_primary(tpk));
    1.34 +    if (creation_time > t)
    1.35 +        // The creation time is after the expiration time!
    1.36 +        ERROR_OUT(NULL, PEP_UNKNOWN_ERROR,
    1.37 +                  "creation time can't be after expiration time");
    1.38 +
    1.39 +    uint32_t delta = t - creation_time;
    1.40 +
    1.41 +
    1.42 +    iter = pgp_tpk_key_iter_valid(tpk);
    1.43 +    pgp_tpk_key_iter_certification_capable (iter);
    1.44 +    pgp_tpk_key_iter_unencrypted_secret (iter, true);
    1.45 +
    1.46 +    // If there are multiple certification capable subkeys, we just
    1.47 +    // take the first one, whichever one that happens to be.
    1.48 +    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
    1.49 +    if (! key)
    1.50 +        ERROR_OUT (err, PEP_UNKNOWN_ERROR,
    1.51 +                   "%s has no usable certification capable key", fpr);
    1.52 +
    1.53 +    keypair = pgp_key_into_key_pair (NULL, pgp_key_clone (key));
    1.54 +    if (! keypair)
    1.55 +        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a keypair");
    1.56 +
    1.57 +    signer = pgp_key_pair_as_signer (keypair);
    1.58 +    if (! signer)
    1.59 +        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a signer");
    1.60 +
    1.61 +    tpk = pgp_tpk_set_expiry(&err, tpk, signer, delta);
    1.62 +    if (! tpk)
    1.63 +        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "setting expiration");
    1.64 +
    1.65 +    status = tpk_save(session, tpk, NULL);
    1.66 +    tpk = NULL;
    1.67 +    ERROR_OUT(NULL, status, "Saving %s", fpr);
    1.68 +
    1.69 + out:
    1.70 +    pgp_signer_free (signer);
    1.71 +    pgp_key_pair_free (keypair);
    1.72 +    pgp_tpk_key_iter_free (iter);
    1.73 +    pgp_tpk_free(tpk);
    1.74 +
    1.75 +    T("(%s) -> %s", fpr, pEp_status_to_string(status));
    1.76 +    return status;
    1.77 +}
    1.78 +
    1.79 +PEP_STATUS pgp_revoke_key(
    1.80 +    PEP_SESSION session, const char *fpr, const char *reason)
    1.81 +{
    1.82 +    PEP_STATUS status = PEP_STATUS_OK;
    1.83 +    pgp_error_t err = NULL;
    1.84 +    pgp_tpk_t tpk = NULL;
    1.85 +    pgp_tpk_key_iter_t iter = NULL;
    1.86 +    pgp_key_pair_t keypair = NULL;
    1.87 +    pgp_signer_t signer = NULL;
    1.88 +
    1.89 +    T("(%s)", fpr);
    1.90 +
    1.91 +    status = tpk_find_by_fpr_hex(session, fpr, true, &tpk, NULL);
    1.92 +    ERROR_OUT(NULL, status, "Looking up %s", fpr);
    1.93 +
    1.94 +    iter = pgp_tpk_key_iter_valid(tpk);
    1.95 +    pgp_tpk_key_iter_certification_capable (iter);
    1.96 +    pgp_tpk_key_iter_unencrypted_secret (iter, true);
    1.97 +
    1.98 +    // If there are multiple certification capable subkeys, we just
    1.99 +    // take the first one, whichever one that happens to be.
   1.100 +    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
   1.101 +    if (! key)
   1.102 +        ERROR_OUT (err, PEP_UNKNOWN_ERROR,
   1.103 +                   "%s has no usable certification capable key", fpr);
   1.104 +
   1.105 +    keypair = pgp_key_into_key_pair (NULL, pgp_key_clone (key));
   1.106 +    if (! keypair)
   1.107 +        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a keypair");
   1.108 +
   1.109 +    signer = pgp_key_pair_as_signer (keypair);
   1.110 +    if (! signer)
   1.111 +        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a signer");
   1.112 +
   1.113 +    tpk = pgp_tpk_revoke_in_place(&err, tpk, signer,
   1.114 +                                  PGP_REASON_FOR_REVOCATION_UNSPECIFIED,
   1.115 +                                  reason);
   1.116 +    if (! tpk)
   1.117 +        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "setting expiration");
   1.118 +
   1.119 +    assert(pgp_revocation_status_variant(pgp_tpk_revocation_status(tpk))
   1.120 +           == PGP_REVOCATION_STATUS_REVOKED);
   1.121 +
   1.122 +    status = tpk_save(session, tpk, NULL);
   1.123 +    tpk = NULL;
   1.124 +    ERROR_OUT(NULL, status, "Saving %s", fpr);
   1.125 +
   1.126 + out:
   1.127 +    pgp_signer_free (signer);
   1.128 +    pgp_key_pair_free (keypair);
   1.129 +    pgp_tpk_key_iter_free (iter);
   1.130 +    pgp_tpk_free(tpk);
   1.131 +
   1.132 +    T("(%s) -> %s", fpr, pEp_status_to_string(status));
   1.133 +    return status;
   1.134 +}
   1.135 +
   1.136 +static void _pgp_key_expired(pgp_tpk_t tpk, const time_t when, bool* expired)
   1.137 +{
   1.138 +    // Is the TPK live?
   1.139 +    *expired = !pgp_tpk_alive_at(tpk, when);
   1.140 +
   1.141 +#ifdef TRACING
   1.142 +    {
   1.143 +        char buffer[26];
   1.144 +        time_t now = time(NULL);
   1.145 +
   1.146 +        if (when == now || when == now - 1) {
   1.147 +            sprintf(buffer, "now");
   1.148 +        } else {
   1.149 +            struct tm tm;
   1.150 +            gmtime_r(&when, &tm);
   1.151 +            strftime(buffer, sizeof(buffer), "%Y-%m-%d %H:%M:%S", &tm);
   1.152 +        }
   1.153 +
   1.154 +        T("TPK is %slive as of %s", *expired ? "not " : "", buffer);
   1.155 +    }
   1.156 +#endif
   1.157 +    if (*expired)
   1.158 +        goto out;
   1.159 +
   1.160 +    // Are there at least one certification subkey, one signing subkey
   1.161 +    // and one encryption subkey that are live?
   1.162 +    //    int can_certify = 0, can_encrypt = 0, can_sign = 0;
   1.163 +    int can_encrypt = 0, can_sign = 0;
   1.164 +
   1.165 +    pgp_tpk_key_iter_t key_iter = pgp_tpk_key_iter_valid(tpk);
   1.166 +    pgp_key_t key;
   1.167 +    pgp_signature_t sig;
   1.168 +    pgp_revocation_status_t rev;
   1.169 +    while ((key = pgp_tpk_key_iter_next(key_iter, &sig, &rev))) {
   1.170 +        if (! sig)
   1.171 +            continue;
   1.172 +
   1.173 +        if (pgp_signature_can_encrypt_for_transport(sig)
   1.174 +            || pgp_signature_can_encrypt_at_rest(sig))
   1.175 +            can_encrypt = 1;
   1.176 +        if (pgp_signature_can_sign(sig))
   1.177 +            can_sign = 1;
   1.178 +        // if (pgp_signature_can_certify(sig))
   1.179 +        //     can_certify = 1;
   1.180 +
   1.181 +//        if (can_encrypt && can_sign && can_certify)
   1.182 +        if (can_encrypt && can_sign)
   1.183 +            break;
   1.184 +    }
   1.185 +    pgp_tpk_key_iter_free(key_iter);
   1.186 +
   1.187 +//    *expired = !(can_encrypt && can_sign && can_certify);
   1.188 +    *expired = !(can_encrypt && can_sign);
   1.189 +
   1.190 +    T("Key can%s encrypt, can%s sign, can%s certify => %sexpired",
   1.191 +      can_encrypt ? "" : "not",
   1.192 +      can_sign ? "" : "not",
   1.193 +      // can_certify ? "" : "not",
   1.194 +      *expired ? "" : "not ");
   1.195 +      
   1.196 +out:
   1.197 +    // Er, this might be problematic in terms of internal vs. external in log. FIXME?
   1.198 +    T("(%s) -> %s (expired: %d)", fpr, pEp_status_to_string(status), *expired);
   1.199 +    return;
   1.200 +}
   1.201 +                            
   1.202 +PEP_STATUS pgp_key_expired(PEP_SESSION session, const char *fpr,
   1.203 +                           const time_t when, bool *expired)
   1.204 +{
   1.205 +    PEP_STATUS status = PEP_STATUS_OK;
   1.206 +    pgp_tpk_t tpk = NULL;
   1.207 +    T("(%s)", fpr);
   1.208 +
   1.209 +    assert(session);
   1.210 +    assert(fpr);
   1.211 +    assert(expired);
   1.212 +
   1.213 +    *expired = false;
   1.214 +
   1.215 +    pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
   1.216 +    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
   1.217 +    pgp_fingerprint_free(pgp_fpr);
   1.218 +    ERROR_OUT(NULL, status, "Looking up %s", fpr);
   1.219 +
   1.220 +    _pgp_key_expired(tpk, when, expired);
   1.221 + out:
   1.222 +    pgp_tpk_free(tpk);
   1.223 +    T("(%s) -> %s (expired: %d)", fpr, pEp_status_to_string(status), *expired);
   1.224 +    return status;
   1.225 +}
   1.226 +
   1.227 +PEP_STATUS pgp_key_revoked(PEP_SESSION session, const char *fpr, bool *revoked)
   1.228 +{
   1.229 +    PEP_STATUS status = PEP_STATUS_OK;
   1.230 +    pgp_tpk_t tpk;
   1.231 +
   1.232 +    T("(%s)", fpr);
   1.233 +
   1.234 +    assert(session);
   1.235 +    assert(fpr);
   1.236 +    assert(revoked);
   1.237 +
   1.238 +    *revoked = false;
   1.239 +
   1.240 +    pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
   1.241 +    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
   1.242 +    pgp_fingerprint_free(pgp_fpr);
   1.243 +    ERROR_OUT(NULL, status, "Looking up %s", fpr);
   1.244 +
   1.245 +    pgp_revocation_status_t rs = pgp_tpk_revocation_status(tpk);
   1.246 +    *revoked = pgp_revocation_status_variant(rs) == PGP_REVOCATION_STATUS_REVOKED;
   1.247 +    pgp_revocation_status_free (rs);
   1.248 +    pgp_tpk_free(tpk);
   1.249 +
   1.250 + out:
   1.251 +    T("(%s) -> %s", fpr, pEp_status_to_string(status));
   1.252 +    return status;
   1.253 +}
   1.254 +
   1.255  PEP_STATUS pgp_get_key_rating(
   1.256      PEP_SESSION session, const char *fpr, PEP_comm_type *comm_type)
   1.257  {
   1.258 @@ -2414,9 +2653,8 @@
   1.259  
   1.260      bool expired = false;
   1.261      
   1.262 -    // FIXME: we should refactor this and pgp_key_expired. For now, we 
   1.263      // MUST guarantee the same behaviour.
   1.264 -    pgp_key_expired(session, fpr, time(NULL), &expired);
   1.265 +    _pgp_key_expired(tpk, time(NULL), &expired);
   1.266      
   1.267      if (expired) {
   1.268          *comm_type = PEP_ct_key_expired;
   1.269 @@ -2489,231 +2727,6 @@
   1.270  }
   1.271  
   1.272  
   1.273 -PEP_STATUS pgp_renew_key(
   1.274 -    PEP_SESSION session, const char *fpr, const timestamp *ts)
   1.275 -{
   1.276 -    PEP_STATUS status = PEP_STATUS_OK;
   1.277 -    pgp_error_t err = NULL;
   1.278 -    pgp_tpk_t tpk = NULL;
   1.279 -    pgp_tpk_key_iter_t iter = NULL;
   1.280 -    pgp_key_pair_t keypair = NULL;
   1.281 -    pgp_signer_t signer = NULL;
   1.282 -    time_t t = mktime((struct tm *) ts);
   1.283 -
   1.284 -    T("(%s)", fpr);
   1.285 -
   1.286 -    status = tpk_find_by_fpr_hex(session, fpr, true, &tpk, NULL);
   1.287 -    ERROR_OUT(NULL, status, "Looking up '%s'", fpr);
   1.288 -
   1.289 -    uint32_t creation_time = pgp_key_creation_time(pgp_tpk_primary(tpk));
   1.290 -    if (creation_time > t)
   1.291 -        // The creation time is after the expiration time!
   1.292 -        ERROR_OUT(NULL, PEP_UNKNOWN_ERROR,
   1.293 -                  "creation time can't be after expiration time");
   1.294 -
   1.295 -    uint32_t delta = t - creation_time;
   1.296 -
   1.297 -
   1.298 -    iter = pgp_tpk_key_iter_valid(tpk);
   1.299 -    pgp_tpk_key_iter_certification_capable (iter);
   1.300 -    pgp_tpk_key_iter_unencrypted_secret (iter, true);
   1.301 -
   1.302 -    // If there are multiple certification capable subkeys, we just
   1.303 -    // take the first one, whichever one that happens to be.
   1.304 -    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
   1.305 -    if (! key)
   1.306 -        ERROR_OUT (err, PEP_UNKNOWN_ERROR,
   1.307 -                   "%s has no usable certification capable key", fpr);
   1.308 -
   1.309 -    keypair = pgp_key_into_key_pair (NULL, pgp_key_clone (key));
   1.310 -    if (! keypair)
   1.311 -        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a keypair");
   1.312 -
   1.313 -    signer = pgp_key_pair_as_signer (keypair);
   1.314 -    if (! signer)
   1.315 -        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a signer");
   1.316 -
   1.317 -    tpk = pgp_tpk_set_expiry(&err, tpk, signer, delta);
   1.318 -    if (! tpk)
   1.319 -        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "setting expiration");
   1.320 -
   1.321 -    status = tpk_save(session, tpk, NULL);
   1.322 -    tpk = NULL;
   1.323 -    ERROR_OUT(NULL, status, "Saving %s", fpr);
   1.324 -
   1.325 - out:
   1.326 -    pgp_signer_free (signer);
   1.327 -    pgp_key_pair_free (keypair);
   1.328 -    pgp_tpk_key_iter_free (iter);
   1.329 -    pgp_tpk_free(tpk);
   1.330 -
   1.331 -    T("(%s) -> %s", fpr, pEp_status_to_string(status));
   1.332 -    return status;
   1.333 -}
   1.334 -
   1.335 -PEP_STATUS pgp_revoke_key(
   1.336 -    PEP_SESSION session, const char *fpr, const char *reason)
   1.337 -{
   1.338 -    PEP_STATUS status = PEP_STATUS_OK;
   1.339 -    pgp_error_t err = NULL;
   1.340 -    pgp_tpk_t tpk = NULL;
   1.341 -    pgp_tpk_key_iter_t iter = NULL;
   1.342 -    pgp_key_pair_t keypair = NULL;
   1.343 -    pgp_signer_t signer = NULL;
   1.344 -
   1.345 -    T("(%s)", fpr);
   1.346 -
   1.347 -    status = tpk_find_by_fpr_hex(session, fpr, true, &tpk, NULL);
   1.348 -    ERROR_OUT(NULL, status, "Looking up %s", fpr);
   1.349 -
   1.350 -    iter = pgp_tpk_key_iter_valid(tpk);
   1.351 -    pgp_tpk_key_iter_certification_capable (iter);
   1.352 -    pgp_tpk_key_iter_unencrypted_secret (iter, true);
   1.353 -
   1.354 -    // If there are multiple certification capable subkeys, we just
   1.355 -    // take the first one, whichever one that happens to be.
   1.356 -    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
   1.357 -    if (! key)
   1.358 -        ERROR_OUT (err, PEP_UNKNOWN_ERROR,
   1.359 -                   "%s has no usable certification capable key", fpr);
   1.360 -
   1.361 -    keypair = pgp_key_into_key_pair (NULL, pgp_key_clone (key));
   1.362 -    if (! keypair)
   1.363 -        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a keypair");
   1.364 -
   1.365 -    signer = pgp_key_pair_as_signer (keypair);
   1.366 -    if (! signer)
   1.367 -        ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a signer");
   1.368 -
   1.369 -    tpk = pgp_tpk_revoke_in_place(&err, tpk, signer,
   1.370 -                                  PGP_REASON_FOR_REVOCATION_UNSPECIFIED,
   1.371 -                                  reason);
   1.372 -    if (! tpk)
   1.373 -        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "setting expiration");
   1.374 -
   1.375 -    assert(pgp_revocation_status_variant(pgp_tpk_revocation_status(tpk))
   1.376 -           == PGP_REVOCATION_STATUS_REVOKED);
   1.377 -
   1.378 -    status = tpk_save(session, tpk, NULL);
   1.379 -    tpk = NULL;
   1.380 -    ERROR_OUT(NULL, status, "Saving %s", fpr);
   1.381 -
   1.382 - out:
   1.383 -    pgp_signer_free (signer);
   1.384 -    pgp_key_pair_free (keypair);
   1.385 -    pgp_tpk_key_iter_free (iter);
   1.386 -    pgp_tpk_free(tpk);
   1.387 -
   1.388 -    T("(%s) -> %s", fpr, pEp_status_to_string(status));
   1.389 -    return status;
   1.390 -}
   1.391 -
   1.392 -PEP_STATUS pgp_key_expired(PEP_SESSION session, const char *fpr,
   1.393 -                           const time_t when, bool *expired)
   1.394 -{
   1.395 -    PEP_STATUS status = PEP_STATUS_OK;
   1.396 -    pgp_tpk_t tpk = NULL;
   1.397 -    T("(%s)", fpr);
   1.398 -
   1.399 -    assert(session);
   1.400 -    assert(fpr);
   1.401 -    assert(expired);
   1.402 -
   1.403 -    *expired = false;
   1.404 -
   1.405 -    pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
   1.406 -    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
   1.407 -    pgp_fingerprint_free(pgp_fpr);
   1.408 -    ERROR_OUT(NULL, status, "Looking up %s", fpr);
   1.409 -
   1.410 -    // Is the TPK live?
   1.411 -    *expired = !pgp_tpk_alive_at(tpk, when);
   1.412 -#ifdef TRACING
   1.413 -    {
   1.414 -        char buffer[26];
   1.415 -        time_t now = time(NULL);
   1.416 -
   1.417 -        if (when == now || when == now - 1) {
   1.418 -            sprintf(buffer, "now");
   1.419 -        } else {
   1.420 -            struct tm tm;
   1.421 -            gmtime_r(&when, &tm);
   1.422 -            strftime(buffer, sizeof(buffer), "%Y-%m-%d %H:%M:%S", &tm);
   1.423 -        }
   1.424 -
   1.425 -        T("TPK is %slive as of %s", *expired ? "not " : "", buffer);
   1.426 -    }
   1.427 -#endif
   1.428 -    if (*expired)
   1.429 -        goto out;
   1.430 -
   1.431 -    // Are there at least one certification subkey, one signing subkey
   1.432 -    // and one encryption subkey that are live?
   1.433 -    int can_certify = 0, can_encrypt = 0, can_sign = 0;
   1.434 -
   1.435 -    pgp_tpk_key_iter_t key_iter = pgp_tpk_key_iter_valid(tpk);
   1.436 -    pgp_key_t key;
   1.437 -    pgp_signature_t sig;
   1.438 -    pgp_revocation_status_t rev;
   1.439 -    while ((key = pgp_tpk_key_iter_next(key_iter, &sig, &rev))) {
   1.440 -        if (! sig)
   1.441 -            continue;
   1.442 -
   1.443 -        if (pgp_signature_can_encrypt_for_transport(sig)
   1.444 -            || pgp_signature_can_encrypt_at_rest(sig))
   1.445 -            can_encrypt = 1;
   1.446 -        if (pgp_signature_can_sign(sig))
   1.447 -            can_sign = 1;
   1.448 -        if (pgp_signature_can_certify(sig))
   1.449 -            can_certify = 1;
   1.450 -
   1.451 -        if (can_encrypt && can_sign && can_certify)
   1.452 -            break;
   1.453 -    }
   1.454 -    pgp_tpk_key_iter_free(key_iter);
   1.455 -
   1.456 -    *expired = !(can_encrypt && can_sign && can_certify);
   1.457 -
   1.458 -    T("Key can%s encrypt, can%s sign, can%s certify => %sexpired",
   1.459 -      can_encrypt ? "" : "not",
   1.460 -      can_sign ? "" : "not",
   1.461 -      can_certify ? "" : "not",
   1.462 -      *expired ? "" : "not ");
   1.463 -
   1.464 - out:
   1.465 -    pgp_tpk_free(tpk);
   1.466 -    T("(%s) -> %s (expired: %d)", fpr, pEp_status_to_string(status), *expired);
   1.467 -    return status;
   1.468 -}
   1.469 -
   1.470 -PEP_STATUS pgp_key_revoked(PEP_SESSION session, const char *fpr, bool *revoked)
   1.471 -{
   1.472 -    PEP_STATUS status = PEP_STATUS_OK;
   1.473 -    pgp_tpk_t tpk;
   1.474 -
   1.475 -    T("(%s)", fpr);
   1.476 -
   1.477 -    assert(session);
   1.478 -    assert(fpr);
   1.479 -    assert(revoked);
   1.480 -
   1.481 -    *revoked = false;
   1.482 -
   1.483 -    pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
   1.484 -    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
   1.485 -    pgp_fingerprint_free(pgp_fpr);
   1.486 -    ERROR_OUT(NULL, status, "Looking up %s", fpr);
   1.487 -
   1.488 -    pgp_revocation_status_t rs = pgp_tpk_revocation_status(tpk);
   1.489 -    *revoked = pgp_revocation_status_variant(rs) == PGP_REVOCATION_STATUS_REVOKED;
   1.490 -    pgp_revocation_status_free (rs);
   1.491 -    pgp_tpk_free(tpk);
   1.492 -
   1.493 - out:
   1.494 -    T("(%s) -> %s", fpr, pEp_status_to_string(status));
   1.495 -    return status;
   1.496 -}
   1.497 -
   1.498  PEP_STATUS pgp_key_created(PEP_SESSION session, const char *fpr, time_t *created)
   1.499  {
   1.500      PEP_STATUS status = PEP_STATUS_OK;
     2.1 --- a/test/src/engine_tests/IOS1664Tests.cc	Tue Jul 09 12:30:56 2019 +0200
     2.2 +++ b/test/src/engine_tests/IOS1664Tests.cc	Tue Jul 09 12:50:59 2019 +0200
     2.3 @@ -63,11 +63,11 @@
     2.4      TEST_ASSERT(status == PEP_STATUS_OK);
     2.5      TEST_ASSERT_MSG(rating == PEP_rating_trusted_and_anonymized, tl_rating_string(rating));
     2.6      status = identity_rating(session, out_msg->to->ident, &rating);
     2.7 -    TEST_ASSERT_MSG(status == PEP_KEY_NOT_FOUND, tl_status_string(status));
     2.8 -    TEST_ASSERT_MSG(rating == PEP_rating_undefined, tl_rating_string(rating));
     2.9 +    TEST_ASSERT_MSG(status == PEP_STATUS_OK, tl_status_string(status));
    2.10 +    TEST_ASSERT_MSG(rating == PEP_rating_reliable, tl_rating_string(rating));
    2.11  
    2.12      status = outgoing_message_rating(session, out_msg, &rating);
    2.13 -    TEST_ASSERT(rating == PEP_rating_unencrypted);
    2.14 +    TEST_ASSERT(rating == PEP_rating_reliable);
    2.15      
    2.16      TEST_ASSERT(true);
    2.17  }