Track API changes to sequoia. sync
authorNeal H. Walfield <neal@pep.foundation>
Thu, 05 Dec 2019 08:47:16 +0100
branchsync
changeset 42351daffdbc64aa
parent 4234 b720642cd9e0
child 4236 01980e34ecdf
Track API changes to sequoia.
Makefile.conf
src/pEp_internal.h
src/pgp_sequoia.c
test/Makefile
     1.1 --- a/Makefile.conf	Wed Dec 04 15:28:34 2019 +0100
     1.2 +++ b/Makefile.conf	Thu Dec 05 08:47:16 2019 +0100
     1.3 @@ -93,7 +93,7 @@
     1.4  endif
     1.5  
     1.6  ifeq ($(BUILD_FOR),Linux)
     1.7 -    CFLAGS=-fPIC -fstrict-aliasing -fdiagnostics-color=always
     1.8 +    CFLAGS=-fPIC -fstrict-aliasing -fdiagnostics-color=auto
     1.9  else ifeq ($(BUILD_FOR),Darwin)
    1.10      CFLAGS=-pthread -fPIC -fstrict-aliasing -fcolor-diagnostics
    1.11  endif
    1.12 @@ -148,7 +148,7 @@
    1.13  # The flag -DNDEBUG will always be removed from CXXFLAGS for compiling tests.
    1.14  # The tests do not work properly, if compiled with -DNDEBUG
    1.15  ifeq ($(BUILD_FOR),Linux)
    1.16 -    CXXFLAGS=-fdiagnostics-color=always -I../src -I../asn.1 $(ETPAN_INC)
    1.17 +    CXXFLAGS=-fdiagnostics-color=auto -I../src -I../asn.1 $(ETPAN_INC)
    1.18      ifdef WARN
    1.19          CXXFLAGS+=
    1.20      else
     2.1 --- a/src/pEp_internal.h	Wed Dec 04 15:28:34 2019 +0100
     2.2 +++ b/src/pEp_internal.h	Thu Dec 05 08:47:16 2019 +0100
     2.3 @@ -143,17 +143,17 @@
     2.4          sqlite3_stmt *begin_transaction;
     2.5          sqlite3_stmt *commit_transaction;
     2.6          sqlite3_stmt *rollback_transaction;
     2.7 -        sqlite3_stmt *tpk_find;
     2.8 +        sqlite3_stmt *cert_find;
     2.9          sqlite3_stmt *tsk_find;
    2.10 -        sqlite3_stmt *tpk_find_by_keyid;
    2.11 +        sqlite3_stmt *cert_find_by_keyid;
    2.12          sqlite3_stmt *tsk_find_by_keyid;
    2.13 -        sqlite3_stmt *tpk_find_by_email;
    2.14 +        sqlite3_stmt *cert_find_by_email;
    2.15          sqlite3_stmt *tsk_find_by_email;
    2.16 -        sqlite3_stmt *tpk_all;
    2.17 +        sqlite3_stmt *cert_all;
    2.18          sqlite3_stmt *tsk_all;
    2.19 -        sqlite3_stmt *tpk_save_insert_primary;
    2.20 -        sqlite3_stmt *tpk_save_insert_subkeys;
    2.21 -        sqlite3_stmt *tpk_save_insert_userids;
    2.22 +        sqlite3_stmt *cert_save_insert_primary;
    2.23 +        sqlite3_stmt *cert_save_insert_subkeys;
    2.24 +        sqlite3_stmt *cert_save_insert_userids;
    2.25          sqlite3_stmt *delete_keypair;
    2.26      } sq_sql;
    2.27  #endif
     3.1 --- a/src/pgp_sequoia.c	Wed Dec 04 15:28:34 2019 +0100
     3.2 +++ b/src/pgp_sequoia.c	Thu Dec 05 08:47:16 2019 +0100
     3.3 @@ -166,24 +166,24 @@
     3.4      }
     3.5  }
     3.6  
     3.7 -static pgp_tpk_cipher_suite_t cipher_suite(PEP_CIPHER_SUITE suite)
     3.8 +static pgp_cert_cipher_suite_t cipher_suite(PEP_CIPHER_SUITE suite)
     3.9  {
    3.10      switch (suite) {
    3.11          // supported cipher suites
    3.12          case PEP_CIPHER_SUITE_RSA2K:
    3.13 -            return PGP_TPK_CIPHER_SUITE_RSA2K;
    3.14 +            return PGP_CERT_CIPHER_SUITE_RSA2K;
    3.15          case PEP_CIPHER_SUITE_RSA3K:
    3.16 -            return PGP_TPK_CIPHER_SUITE_RSA3K;
    3.17 +            return PGP_CERT_CIPHER_SUITE_RSA3K;
    3.18          case PEP_CIPHER_SUITE_CV25519:
    3.19 -            return PGP_TPK_CIPHER_SUITE_CV25519;
    3.20 +            return PGP_CERT_CIPHER_SUITE_CV25519;
    3.21          case PEP_CIPHER_SUITE_P256:
    3.22 -            return PGP_TPK_CIPHER_SUITE_P256;
    3.23 +            return PGP_CERT_CIPHER_SUITE_P256;
    3.24          case PEP_CIPHER_SUITE_P384:
    3.25 -            return PGP_TPK_CIPHER_SUITE_P384;
    3.26 +            return PGP_CERT_CIPHER_SUITE_P384;
    3.27          case PEP_CIPHER_SUITE_P521:
    3.28 -            return PGP_TPK_CIPHER_SUITE_P521;
    3.29 +            return PGP_CERT_CIPHER_SUITE_P521;
    3.30          default:
    3.31 -            return PGP_TPK_CIPHER_SUITE_RSA2K;
    3.32 +            return PGP_CERT_CIPHER_SUITE_RSA2K;
    3.33      }
    3.34  }
    3.35  
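Review bot: The `default:` arm of cipher_suite() maps any unrecognised `PEP_CIPHER_SUITE` value to `PGP_CERT_CIPHER_SUITE_RSA2K` without leaving a trace. A caller that passes an unexpected or corrupted value therefore gets RSA-2048, the suite with the smallest security margin in this list, and nothing records that a fallback took place. The return type has no error value, so I would at least document and log it: add `// Unknown suite: falls back to RSA2K.` above the return and, if the T() trace macro can be used in this function, `T("unknown cipher suite %d, using RSA2K", (int) suite);`.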
    3.36 @@ -385,7 +385,7 @@
    3.37          = sqlite3_prepare_v2(session->key_db,
    3.38                               "SELECT tpk, secret FROM keys"
    3.39                               " WHERE primary_key == ?",
    3.40 -                             -1, &session->sq_sql.tpk_find, NULL);
    3.41 +                             -1, &session->sq_sql.cert_find, NULL);
    3.42      assert(sqlite_result == SQLITE_OK);
    3.43  
    3.44      sqlite_result
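Review bot: The only check on this `sqlite3_prepare_v2()` call is `assert(sqlite_result == SQLITE_OK);`, which is compiled out when the engine is built with -DNDEBUG. A failed prepare would then go unnoticed, and the lookup code later binds and steps `session->sq_sql.cert_find` as if it were valid. The same pattern is in the following hunks for `cert_find_by_keyid`, `cert_find_by_email`, `cert_all` and the three `cert_save_insert_*` statements. I would replace each assert with a runtime check such as `if (sqlite_result != SQLITE_OK) ERROR_OUT(NULL, PEP_UNKNOWN_ERROR, "preparing cert_find: %s", sqlite3_errmsg(session->key_db));`. The enclosing function starts and ends outside the hunk, so whether it has an `out:` label for ERROR_OUT needs checking.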
    3.45 @@ -401,7 +401,7 @@
    3.46                               " LEFT JOIN keys"
    3.47                               "  ON subkeys.primary_key == keys.primary_key"
    3.48                               " WHERE subkey == ?",
    3.49 -                             -1, &session->sq_sql.tpk_find_by_keyid, NULL);
    3.50 +                             -1, &session->sq_sql.cert_find_by_keyid, NULL);
    3.51      assert(sqlite_result == SQLITE_OK);
    3.52  
    3.53      sqlite_result
    3.54 @@ -410,7 +410,7 @@
    3.55                               " LEFT JOIN keys"
    3.56                               "  ON subkeys.primary_key == keys.primary_key"
    3.57                               " WHERE subkey == ?",
    3.58 -                             -1, &session->sq_sql.tpk_find_by_keyid, NULL);
    3.59 +                             -1, &session->sq_sql.cert_find_by_keyid, NULL);
    3.60      assert(sqlite_result == SQLITE_OK);
    3.61  
    3.62      sqlite_result
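Review bot: This hunk and the previous one both store their prepared statement in `session->sq_sql.cert_find_by_keyid`, and the visible SQL tail (`LEFT JOIN keys … WHERE subkey == ?`) is identical in both. The second `sqlite3_prepare_v2()` therefore appears to overwrite the handle produced by the first, which would never be finalized. The rename carries this over unchanged from `tpk_find_by_keyid`. If the second block is a copy-paste duplicate it should be dropped; the start of both statements lies outside the hunks, so that needs confirming against the full file.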
    3.63 @@ -428,7 +428,7 @@
    3.64                               " LEFT JOIN keys"
    3.65                               "  ON userids.primary_key == keys.primary_key"
    3.66                               " WHERE userid == ?",
    3.67 -                             -1, &session->sq_sql.tpk_find_by_email, NULL);
    3.68 +                             -1, &session->sq_sql.cert_find_by_email, NULL);
    3.69      assert(sqlite_result == SQLITE_OK);
    3.70  
    3.71      sqlite_result
    3.72 @@ -443,7 +443,7 @@
    3.73      sqlite_result
    3.74          = sqlite3_prepare_v2(session->key_db,
    3.75                               "select tpk, secret from keys",
    3.76 -                             -1, &session->sq_sql.tpk_all, NULL);
    3.77 +                             -1, &session->sq_sql.cert_all, NULL);
    3.78      assert(sqlite_result == SQLITE_OK);
    3.79  
    3.80      sqlite_result
    3.81 @@ -457,7 +457,7 @@
    3.82                               "INSERT OR REPLACE INTO keys"
    3.83                               "   (primary_key, secret, tpk)"
    3.84                               " VALUES (?, ?, ?)",
    3.85 -                             -1, &session->sq_sql.tpk_save_insert_primary, NULL);
    3.86 +                             -1, &session->sq_sql.cert_save_insert_primary, NULL);
    3.87      assert(sqlite_result == SQLITE_OK);
    3.88  
    3.89      sqlite_result
    3.90 @@ -465,7 +465,7 @@
    3.91                               "INSERT OR REPLACE INTO subkeys"
    3.92                               "   (subkey, primary_key)"
    3.93                               " VALUES (?, ?)",
    3.94 -                             -1, &session->sq_sql.tpk_save_insert_subkeys, NULL);
    3.95 +                             -1, &session->sq_sql.cert_save_insert_subkeys, NULL);
    3.96      assert(sqlite_result == SQLITE_OK);
    3.97  
    3.98      sqlite_result
    3.99 @@ -473,7 +473,7 @@
   3.100                               "INSERT OR REPLACE INTO userids"
   3.101                               "   (userid, primary_key)"
   3.102                               " VALUES (?, ?)",
   3.103 -                             -1, &session->sq_sql.tpk_save_insert_userids, NULL);
   3.104 +                             -1, &session->sq_sql.cert_save_insert_userids, NULL);
   3.105      assert(sqlite_result == SQLITE_OK);
   3.106  
   3.107      sqlite_result
   3.108 @@ -521,24 +521,24 @@
   3.109      return fpr_canonicalized;
   3.110  }
   3.111  
   3.112 -// step statement and load the tpk and secret.
   3.113 -static PEP_STATUS key_load(PEP_SESSION, sqlite3_stmt *, pgp_tpk_t *, int *)
   3.114 +// step statement and load the certificate and secret.
   3.115 +static PEP_STATUS key_load(PEP_SESSION, sqlite3_stmt *, pgp_cert_t *, int *)
   3.116      __attribute__((nonnull(1, 2)));
   3.117  static PEP_STATUS key_load(PEP_SESSION session, sqlite3_stmt *stmt,
   3.118 -                           pgp_tpk_t *tpkp, int *secretp)
   3.119 +                           pgp_cert_t *certp, int *secretp)
   3.120  {
   3.121      PEP_STATUS status = PEP_STATUS_OK;
   3.122      int sqlite_result = sqlite3_step(stmt);
   3.123      switch (sqlite_result) {
   3.124      case SQLITE_ROW:
   3.125 -        if (tpkp) {
   3.126 +        if (certp) {
   3.127              int data_len = sqlite3_column_bytes(stmt, 0);
   3.128              const void *data = sqlite3_column_blob(stmt, 0);
   3.129  
   3.130              pgp_error_t err = NULL;
   3.131 -            *tpkp = pgp_tpk_from_bytes(&err, data, data_len);
   3.132 -            if (!*tpkp)
   3.133 -                ERROR_OUT(err, PEP_GET_KEY_FAILED, "parsing TPK");
   3.134 +            *certp = pgp_cert_from_bytes(&err, data, data_len);
   3.135 +            if (!*certp)
   3.136 +                ERROR_OUT(err, PEP_GET_KEY_FAILED, "parsing certificate");
   3.137          }
   3.138  
   3.139          if (secretp)
   3.140 @@ -559,59 +559,59 @@
   3.141      return status;
   3.142  }
   3.143  
   3.144 -// step statement until exhausted and load the tpks.
   3.145 -static PEP_STATUS key_loadn(PEP_SESSION, sqlite3_stmt *, pgp_tpk_t **, int *)
   3.146 +// step statement until exhausted and load the certificates.
   3.147 +static PEP_STATUS key_loadn(PEP_SESSION, sqlite3_stmt *, pgp_cert_t **, int *)
   3.148      __attribute__((nonnull));
   3.149  static PEP_STATUS key_loadn(PEP_SESSION session, sqlite3_stmt *stmt,
   3.150 -                            pgp_tpk_t **tpksp, int *tpks_countp)
   3.151 +                            pgp_cert_t **certsp, int *certs_countp)
   3.152  {
   3.153      PEP_STATUS status = PEP_STATUS_OK;
   3.154 -    int tpks_count = 0;
   3.155 -    int tpks_capacity = 8;
   3.156 -    pgp_tpk_t *tpks = calloc(tpks_capacity, sizeof(pgp_tpk_t));
   3.157 -    if (!tpks)
   3.158 +    int certs_count = 0;
   3.159 +    int certs_capacity = 8;
   3.160 +    pgp_cert_t *certs = calloc(certs_capacity, sizeof(pgp_cert_t));
   3.161 +    if (!certs)
   3.162          ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "out of memory");
   3.163  
   3.164      for (;;) {
   3.165 -        pgp_tpk_t tpk = NULL;
   3.166 -        status = key_load(session, stmt, &tpk, NULL);
   3.167 +        pgp_cert_t cert = NULL;
   3.168 +        status = key_load(session, stmt, &cert, NULL);
   3.169          if (status == PEP_KEY_NOT_FOUND) {
   3.170              status = PEP_STATUS_OK;
   3.171              break;
   3.172          }
   3.173 -        ERROR_OUT(NULL, status, "loading TPK");
   3.174 -
   3.175 -        if (tpks_count == tpks_capacity) {
   3.176 -            tpks_capacity *= 2;
   3.177 -            tpks = realloc(tpks, sizeof(tpks[0]) * tpks_capacity);
   3.178 -            if (!tpks)
   3.179 -                ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "tpks");
   3.180 +        ERROR_OUT(NULL, status, "loading certificate");
   3.181 +
   3.182 +        if (certs_count == certs_capacity) {
   3.183 +            certs_capacity *= 2;
   3.184 +            certs = realloc(certs, sizeof(certs[0]) * certs_capacity);
   3.185 +            if (!certs)
   3.186 +                ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "certs");
   3.187          }
   3.188 -        tpks[tpks_count ++] = tpk;
   3.189 +        certs[certs_count ++] = cert;
   3.190      }
   3.191  
   3.192   out:
   3.193      if (status != PEP_STATUS_OK) {
   3.194 -        for (int i = 0; i < tpks_count; i ++)
   3.195 -            pgp_tpk_free(tpks[i]);
   3.196 -        free(tpks);
   3.197 +        for (int i = 0; i < certs_count; i ++)
   3.198 +            pgp_cert_free(certs[i]);
   3.199 +        free(certs);
   3.200      } else {
   3.201 -        *tpksp = tpks;
   3.202 -        *tpks_countp = tpks_count;
   3.203 +        *certsp = certs;
   3.204 +        *certs_countp = certs_count;
   3.205      }
   3.206  
   3.207 -    T(" -> %s (%d tpks)", pEp_status_to_string(status), *tpks_countp);
   3.208 +    T(" -> %s (%d certs)", pEp_status_to_string(status), *certs_countp);
   3.209      return status;
   3.210  }
   3.211  
   3.212 -// Returns the TPK identified by the provided fingerprint.
   3.213 +// Returns the certificate identified by the provided fingerprint.
   3.214  //
   3.215  // This function only matches on the primary key!
   3.216 -static PEP_STATUS tpk_find(PEP_SESSION, pgp_fingerprint_t, int, pgp_tpk_t *, int *)
   3.217 +static PEP_STATUS cert_find(PEP_SESSION, pgp_fingerprint_t, int, pgp_cert_t *, int *)
   3.218      __attribute__((nonnull(1, 2)));
   3.219 -static PEP_STATUS tpk_find(PEP_SESSION session,
   3.220 +static PEP_STATUS cert_find(PEP_SESSION session,
   3.221                             pgp_fingerprint_t fpr, int private_only,
   3.222 -                           pgp_tpk_t *tpk, int *secret)
   3.223 +                           pgp_cert_t *cert, int *secret)
   3.224  {
   3.225      PEP_STATUS status = PEP_STATUS_OK;
   3.226      char *fpr_str = pgp_fingerprint_to_hex(fpr);
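Review bot: In key_loadn() the growth step `certs = realloc(certs, sizeof(certs[0]) * certs_capacity);` overwrites the only pointer to the array. On allocation failure the old block leaks, the just-loaded `cert` is never freed, and the `out:` loop then indexes `certs[i]` through a NULL pointer. The closing trace also reads `*certs_countp` on the error path, where this function has not written it. Growing through a temporary and tracing the local `certs_count` avoids both problems; this assumes ERROR_OUT jumps to `out:` as its other uses here suggest, since the macro is defined outside the hunk. The hunk also contains the tail of key_load and the head of cert_find, which this note does not cover.

```c
        if (certs_count == certs_capacity) {
            // Grow through a temporary so the old array stays valid for cleanup.
            pgp_cert_t *grown
                = realloc(certs, sizeof(certs[0]) * certs_capacity * 2);
            if (!grown) {
                // The array does not own cert yet; release it here.
                pgp_cert_free(cert);
                ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "certs");
            }
            certs = grown;
            certs_capacity *= 2;
        }
        certs[certs_count ++] = cert;
    // … unchanged: end of loop, out: cleanup and result hand-over …
    // Trace the local count: *certs_countp is not written on the error path.
    T(" -> %s (%d certs)", pEp_status_to_string(status), certs_count);
```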
   3.227 @@ -619,10 +619,10 @@
   3.228      T("(%s, %d)", fpr_str, private_only);
   3.229  
   3.230      sqlite3_stmt *stmt
   3.231 -        = private_only ? session->sq_sql.tsk_find : session->sq_sql.tpk_find;
   3.232 +        = private_only ? session->sq_sql.tsk_find : session->sq_sql.cert_find;
   3.233      sqlite3_bind_text(stmt, 1, fpr_str, -1, SQLITE_STATIC);
   3.234  
   3.235 -    status = key_load(session, stmt, tpk, secret);
   3.236 +    status = key_load(session, stmt, cert, secret);
   3.237      ERROR_OUT(NULL, status, "Looking up %s", fpr_str);
   3.238  
   3.239   out:
   3.240 @@ -632,31 +632,31 @@
   3.241      return status;
   3.242  }
   3.243  
   3.244 -// Returns the TPK identified by the provided keyid.
   3.245 +// Returns the certificate identified by the provided keyid.
   3.246  //
   3.247  // This function matches on both primary keys and subkeys!
   3.248  //
   3.249 -// Note: There can be multiple TPKs for a given keyid.  This can
   3.250 -// occur, because an encryption subkey can be bound to multiple TPKs.
   3.251 +// Note: There can be multiple certificates for a given keyid.  This can
   3.252 +// occur, because an encryption subkey can be bound to multiple certificates.
   3.253  // Also, it is possible to collide key ids.  If there are multiple key
   3.254  // ids for a given key, this just returns one of them.
   3.255  //
   3.256 -// If private_only is set, this will only consider TPKs with some
   3.257 +// If private_only is set, this will only consider certificates with some
   3.258  // secret key material.
   3.259 -static PEP_STATUS tpk_find_by_keyid_hex(PEP_SESSION, const char *, int, pgp_tpk_t *, int *)
   3.260 +static PEP_STATUS cert_find_by_keyid_hex(PEP_SESSION, const char *, int, pgp_cert_t *, int *)
   3.261    __attribute__((nonnull(1, 2)));
   3.262 -static PEP_STATUS tpk_find_by_keyid_hex(
   3.263 +static PEP_STATUS cert_find_by_keyid_hex(
   3.264          PEP_SESSION session, const char *keyid_hex, int private_only,
   3.265 -        pgp_tpk_t *tpkp, int *secretp)
   3.266 +        pgp_cert_t *certp, int *secretp)
   3.267  {
   3.268      PEP_STATUS status = PEP_STATUS_OK;
   3.269      T("(%s, %d)", keyid_hex, private_only);
   3.270  
   3.271      sqlite3_stmt *stmt
   3.272 -        = private_only ? session->sq_sql.tsk_find_by_keyid : session->sq_sql.tpk_find_by_keyid;
   3.273 +        = private_only ? session->sq_sql.tsk_find_by_keyid : session->sq_sql.cert_find_by_keyid;
   3.274      sqlite3_bind_text(stmt, 1, keyid_hex, -1, SQLITE_STATIC);
   3.275  
   3.276 -    status = key_load(session, stmt, tpkp, secretp);
   3.277 +    status = key_load(session, stmt, certp, secretp);
   3.278      ERROR_OUT(NULL, status, "Looking up %s", keyid_hex);
   3.279  
   3.280   out:
   3.281 @@ -665,63 +665,63 @@
   3.282      return status;
   3.283  }
   3.284  
   3.285 -// See tpk_find_by_keyid_hex.
   3.286 -PEP_STATUS tpk_find_by_keyid(PEP_SESSION, pgp_keyid_t, int, pgp_tpk_t *, int *)
   3.287 +// See cert_find_by_keyid_hex.
   3.288 +PEP_STATUS cert_find_by_keyid(PEP_SESSION, pgp_keyid_t, int, pgp_cert_t *, int *)
   3.289      __attribute__((nonnull(1, 2)));
   3.290 -PEP_STATUS tpk_find_by_keyid(PEP_SESSION session,
   3.291 +PEP_STATUS cert_find_by_keyid(PEP_SESSION session,
   3.292                               pgp_keyid_t keyid, int private_only,
   3.293 -                             pgp_tpk_t *tpkp, int *secretp)
   3.294 +                             pgp_cert_t *certp, int *secretp)
   3.295  {
   3.296      char *keyid_hex = pgp_keyid_to_hex(keyid);
   3.297      if (! keyid_hex)
   3.298          return PEP_OUT_OF_MEMORY;
   3.299      PEP_STATUS status
   3.300 -        = tpk_find_by_keyid_hex(session, keyid_hex, private_only, tpkp, secretp);
   3.301 +        = cert_find_by_keyid_hex(session, keyid_hex, private_only, certp, secretp);
   3.302      free(keyid_hex);
   3.303      return status;
   3.304  }
   3.305  
   3.306 -// See tpk_find_by_keyid_hex.
   3.307 -static PEP_STATUS tpk_find_by_fpr(PEP_SESSION, pgp_fingerprint_t, int,
   3.308 -                                  pgp_tpk_t *, int *)
   3.309 +// See cert_find_by_keyid_hex.
   3.310 +static PEP_STATUS cert_find_by_fpr(PEP_SESSION, pgp_fingerprint_t, int,
   3.311 +                                  pgp_cert_t *, int *)
   3.312      __attribute__((nonnull(1, 2)));
   3.313 -static PEP_STATUS tpk_find_by_fpr(
   3.314 +static PEP_STATUS cert_find_by_fpr(
   3.315      PEP_SESSION session, pgp_fingerprint_t fpr, int private_only,
   3.316 -    pgp_tpk_t *tpkp, int *secretp)
   3.317 +    pgp_cert_t *certp, int *secretp)
   3.318  {
   3.319      pgp_keyid_t keyid = pgp_fingerprint_to_keyid(fpr);
   3.320      if (! keyid)
   3.321          return PEP_OUT_OF_MEMORY;
   3.322      PEP_STATUS status
   3.323 -        = tpk_find_by_keyid(session, keyid, private_only, tpkp, secretp);
   3.324 +        = cert_find_by_keyid(session, keyid, private_only, certp, secretp);
   3.325      pgp_keyid_free(keyid);
   3.326      return status;
   3.327  }
   3.328  
   3.329 -// See tpk_find_by_keyid_hex.
   3.330 -static PEP_STATUS tpk_find_by_fpr_hex(PEP_SESSION, const char *, int, pgp_tpk_t *, int *secret)
   3.331 +// See cert_find_by_keyid_hex.
   3.332 +static PEP_STATUS cert_find_by_fpr_hex(PEP_SESSION, const char *, int, pgp_cert_t *, int *secret)
   3.333      __attribute__((nonnull(1, 2)));
   3.334 -static PEP_STATUS tpk_find_by_fpr_hex(
   3.335 +static PEP_STATUS cert_find_by_fpr_hex(
   3.336      PEP_SESSION session, const char *fpr, int private_only,
   3.337 -    pgp_tpk_t *tpkp, int *secretp)
   3.338 +    pgp_cert_t *certp, int *secretp)
   3.339  {
   3.340      pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
   3.341      if (! pgp_fpr)
   3.342          return PEP_OUT_OF_MEMORY;
   3.343      PEP_STATUS status
   3.344 -        = tpk_find_by_fpr(session, pgp_fpr, private_only, tpkp, secretp);
   3.345 +        = cert_find_by_fpr(session, pgp_fpr, private_only, certp, secretp);
   3.346      pgp_fingerprint_free(pgp_fpr);
   3.347      return status;
   3.348  }
   3.349  
   3.350 -// Returns all known TPKs.
   3.351 -static PEP_STATUS tpk_all(PEP_SESSION, int, pgp_tpk_t **, int *) __attribute__((nonnull));
   3.352 -static PEP_STATUS tpk_all(PEP_SESSION session, int private_only,
   3.353 -                          pgp_tpk_t **tpksp, int *tpks_countp) {
   3.354 +// Returns all known certificates.
   3.355 +static PEP_STATUS cert_all(PEP_SESSION, int, pgp_cert_t **, int *) __attribute__((nonnull));
   3.356 +static PEP_STATUS cert_all(PEP_SESSION session, int private_only,
   3.357 +                          pgp_cert_t **certsp, int *certs_countp) {
   3.358      PEP_STATUS status = PEP_STATUS_OK;
   3.359 -    sqlite3_stmt *stmt = private_only ? session->sq_sql.tsk_all : session->sq_sql.tpk_all;
   3.360 -    status = key_loadn(session, stmt, tpksp, tpks_countp);
   3.361 -    ERROR_OUT(NULL, status, "loading TPKs");
   3.362 +    sqlite3_stmt *stmt = private_only ? session->sq_sql.tsk_all : session->sq_sql.cert_all;
   3.363 +    status = key_loadn(session, stmt, certsp, certs_countp);
   3.364 +    ERROR_OUT(NULL, status, "loading certificates");
   3.365   out:
   3.366      sqlite3_reset(stmt);
   3.367      return status;
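Review bot: cert_find_by_fpr() reduces the fingerprint to a key ID with `pgp_fingerprint_to_keyid(fpr)` and returns whatever `cert_find_by_keyid()` finds, so a lookup by full fingerprint is only as precise as a key ID match. The comment on cert_find_by_keyid_hex already says that key IDs can collide and that subkeys match too, but the header here is only `// See cert_find_by_keyid_hex.`, which hides this from callers of the `_fpr` and `_fpr_hex` variants. I would either compare the fingerprints of the returned certificate's keys against `fpr` before handing it back, or state the limit in the header, e.g. `// Matches by key ID only: the result may be a different certificate whose key ID collides with FPR's; callers must verify the fingerprint.` Separately, cert_find_by_fpr_hex() returns `PEP_OUT_OF_MEMORY` whenever `pgp_fingerprint_from_hex()` yields NULL; if that can also happen for malformed hex, the status misreports an input error.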
   3.368 @@ -729,21 +729,21 @@
   3.369  
   3.370  // Returns keys that have a user id that matches the specified pattern.
   3.371  //
   3.372 -// The keys returned must be freed using pgp_tpk_free.
   3.373 -static PEP_STATUS tpk_find_by_email(PEP_SESSION, const char *, int, pgp_tpk_t **, int *)
   3.374 +// The keys returned must be freed using pgp_cert_free.
   3.375 +static PEP_STATUS cert_find_by_email(PEP_SESSION, const char *, int, pgp_cert_t **, int *)
   3.376      __attribute__((nonnull));
   3.377 -static PEP_STATUS tpk_find_by_email(PEP_SESSION session,
   3.378 +static PEP_STATUS cert_find_by_email(PEP_SESSION session,
   3.379                                      const char *pattern, int private_only,
   3.380 -                                    pgp_tpk_t **tpksp, int *countp)
   3.381 +                                    pgp_cert_t **certsp, int *countp)
   3.382  {
   3.383      PEP_STATUS status = PEP_STATUS_OK;
   3.384      T("(%s)", pattern);
   3.385  
   3.386      sqlite3_stmt *stmt
   3.387 -        = private_only ? session->sq_sql.tsk_find_by_email : session->sq_sql.tpk_find_by_email;
   3.388 +        = private_only ? session->sq_sql.tsk_find_by_email : session->sq_sql.cert_find_by_email;
   3.389      sqlite3_bind_text(stmt, 1, pattern, -1, SQLITE_STATIC);
   3.390  
   3.391 -    status = key_loadn(session, stmt, tpksp, countp);
   3.392 +    status = key_loadn(session, stmt, certsp, countp);
   3.393      ERROR_OUT(NULL, status, "Searching for '%s'", pattern);
   3.394  
   3.395   out:
   3.396 @@ -753,12 +753,12 @@
   3.397  }
   3.398  
   3.399  
   3.400 -// Saves the specified TPK.
   3.401 +// Saves the specified certificates.
   3.402  //
   3.403 -// This function takes ownership of TPK.
   3.404 -static PEP_STATUS tpk_save(PEP_SESSION, pgp_tpk_t, identity_list **)
   3.405 +// This function takes ownership of CERT.
   3.406 +static PEP_STATUS cert_save(PEP_SESSION, pgp_cert_t, identity_list **)
   3.407      __attribute__((nonnull(1, 2)));
   3.408 -static PEP_STATUS tpk_save(PEP_SESSION session, pgp_tpk_t tpk,
   3.409 +static PEP_STATUS cert_save(PEP_SESSION session, pgp_cert_t cert,
   3.410                             identity_list **private_idents)
   3.411  {
   3.412      PEP_STATUS status = PEP_STATUS_OK;
   3.413 @@ -768,7 +768,7 @@
   3.414      void *tsk_buffer = NULL;
   3.415      size_t tsk_buffer_len = 0;
   3.416      int tried_commit = 0;
   3.417 -    pgp_tpk_key_iter_t key_iter = NULL;
   3.418 +    pgp_cert_key_iter_t key_iter = NULL;
   3.419      pgp_user_id_binding_iter_t user_id_iter = NULL;
   3.420      char *email = NULL;
   3.421      char *name = NULL;
   3.422 @@ -781,24 +781,24 @@
   3.423                    "begin transaction failed: %s",
   3.424                    sqlite3_errmsg(session->key_db));
   3.425  
   3.426 -    pgp_fpr = pgp_tpk_fingerprint(tpk);
   3.427 +    pgp_fpr = pgp_cert_fingerprint(cert);
   3.428      fpr = pgp_fingerprint_to_hex(pgp_fpr);
   3.429      T("(%s, private_idents: %s)", fpr, private_idents ? "yes" : "no");
   3.430  
   3.431 -    // Merge any existing data into TPK.
   3.432 -    pgp_tpk_t current = NULL;
   3.433 -    status = tpk_find(session, pgp_fpr, false, &current, NULL);
   3.434 +    // Merge any existing data into certificate.
   3.435 +    pgp_cert_t current = NULL;
   3.436 +    status = cert_find(session, pgp_fpr, false, &current, NULL);
   3.437      if (status == PEP_KEY_NOT_FOUND)
   3.438          status = PEP_STATUS_OK;
   3.439      else
   3.440          ERROR_OUT(NULL, status, "Looking up %s", fpr);
   3.441      if (current) {
   3.442 -        tpk = pgp_tpk_merge(&err, tpk, current);
   3.443 -        if (! tpk)
   3.444 -            ERROR_OUT(err, PEP_UNKNOWN_ERROR, "Merging TPKs");
   3.445 +        cert = pgp_cert_merge(&err, cert, current);
   3.446 +        if (! cert)
   3.447 +            ERROR_OUT(err, PEP_UNKNOWN_ERROR, "Merging certificates");
   3.448      }
   3.449  
   3.450 -    int is_tsk = pgp_tpk_is_tsk(tpk);
   3.451 +    int is_tsk = pgp_cert_is_tsk(cert);
   3.452  
   3.453      // Serialize it.
   3.454      pgp_writer_t writer = pgp_writer_alloc(&tsk_buffer, &tsk_buffer_len);
   3.455 @@ -806,16 +806,16 @@
   3.456          ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "out of memory");
   3.457  
   3.458      pgp_status_t pgp_status;
   3.459 -    pgp_tsk_t tsk = pgp_tpk_as_tsk(tpk);
   3.460 +    pgp_tsk_t tsk = pgp_cert_as_tsk(cert);
   3.461      pgp_status = pgp_tsk_serialize(&err, tsk, writer);
   3.462      pgp_tsk_free(tsk);
   3.463      pgp_writer_free(writer);
   3.464      if (pgp_status != 0)
   3.465 -        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "Serializing TPK");
   3.466 +        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "Serializing certificates");
   3.467  
   3.468  
   3.469      // Insert the TSK into the DB.
   3.470 -    stmt = session->sq_sql.tpk_save_insert_primary;
   3.471 +    stmt = session->sq_sql.cert_save_insert_primary;
   3.472      sqlite3_bind_text(stmt, 1, fpr, -1, SQLITE_STATIC);
   3.473      sqlite3_bind_int(stmt, 2, is_tsk);
   3.474      sqlite3_bind_blob(stmt, 3, tsk_buffer, tsk_buffer_len, SQLITE_STATIC);
   3.475 @@ -824,15 +824,15 @@
   3.476      sqlite3_reset(stmt);
   3.477      if (sqlite_result != SQLITE_DONE)
   3.478          ERROR_OUT(NULL, PEP_UNKNOWN_ERROR,
   3.479 -                  "Saving TPK: %s", sqlite3_errmsg(session->key_db));
   3.480 +                  "Saving certificate: %s", sqlite3_errmsg(session->key_db));
   3.481  
   3.482      // Insert the "subkeys" (the primary key and the subkeys).
   3.483 -    stmt = session->sq_sql.tpk_save_insert_subkeys;
   3.484 -    // This inserts all of the keys in the TPK, i.e., revoked and
   3.485 +    stmt = session->sq_sql.cert_save_insert_subkeys;
   3.486 +    // This inserts all of the keys in the certificate, i.e., revoked and
   3.487      // expired keys, which is what we want.
   3.488 -    key_iter = pgp_tpk_key_iter_all(tpk);
   3.489 +    key_iter = pgp_cert_key_iter_all(cert);
   3.490      pgp_key_t key;
   3.491 -    while ((key = pgp_tpk_key_iter_next(key_iter, NULL, NULL))) {
   3.492 +    while ((key = pgp_cert_key_iter_next(key_iter, NULL, NULL))) {
   3.493          pgp_keyid_t keyid = pgp_key_keyid(key);
   3.494          char *keyid_hex = pgp_keyid_to_hex(keyid);
   3.495          sqlite3_bind_text(stmt, 1, keyid_hex, -1, SQLITE_STATIC);
   3.496 @@ -843,17 +843,17 @@
   3.497          free(keyid_hex);
   3.498          pgp_keyid_free(keyid);
   3.499          if (sqlite_result != SQLITE_DONE) {
   3.500 -            pgp_tpk_key_iter_free(key_iter);
   3.501 +            pgp_cert_key_iter_free(key_iter);
   3.502              ERROR_OUT(NULL, PEP_UNKNOWN_ERROR,
   3.503                        "Updating subkeys: %s", sqlite3_errmsg(session->key_db));
   3.504          }
   3.505      }
   3.506 -    pgp_tpk_key_iter_free(key_iter);
   3.507 +    pgp_cert_key_iter_free(key_iter);
   3.508      key_iter = NULL;
   3.509  
   3.510      // Insert the "userids".
   3.511 -    stmt = session->sq_sql.tpk_save_insert_userids;
   3.512 -    user_id_iter = pgp_tpk_user_id_binding_iter(tpk);
   3.513 +    stmt = session->sq_sql.cert_save_insert_userids;
   3.514 +    user_id_iter = pgp_cert_user_id_binding_iter(cert);
   3.515      pgp_user_id_binding_t binding;
   3.516      int first = 1;
   3.517      while ((binding = pgp_user_id_binding_iter_next(user_id_iter))) {
   3.518 @@ -938,11 +938,11 @@
   3.519      free(email);
   3.520      free(name);
   3.521      pgp_user_id_binding_iter_free(user_id_iter);
   3.522 -    pgp_tpk_key_iter_free(key_iter);
   3.523 +    pgp_cert_key_iter_free(key_iter);
   3.524      if (stmt)
   3.525        sqlite3_reset(stmt);
   3.526      free(tsk_buffer);
   3.527 -    pgp_tpk_free(tpk);
   3.528 +    pgp_cert_free(cert);
   3.529      free(fpr);
   3.530      pgp_fingerprint_free(pgp_fpr);
   3.531  
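Review bot: `free(tsk_buffer);` in this cleanup path releases the serialized key without clearing it. Earlier in cert_save() that buffer is filled through `pgp_tsk_serialize()`, so it holds secret key material whenever `is_tsk` is set. I would wipe it first with a call the compiler cannot elide, for example `if (tsk_buffer) explicit_bzero(tsk_buffer, tsk_buffer_len);` on platforms that provide it, and only then free it. The cleanup block starts and ends outside this hunk.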
   3.532 @@ -971,27 +971,27 @@
   3.533  static pgp_status_t
   3.534  get_public_keys_cb(void *cookie_raw,
   3.535                     pgp_keyid_t *keyids, size_t keyids_len,
   3.536 -                   pgp_tpk_t **tpks, size_t *tpk_len,
   3.537 +                   pgp_cert_t **certs, size_t *certs_len,
   3.538                     void (**our_free)(void *))
   3.539  {
   3.540      struct decrypt_cookie *cookie = cookie_raw;
   3.541      PEP_SESSION session = cookie->session;
   3.542  
   3.543 -    *tpks = calloc(keyids_len, sizeof(*tpks));
   3.544 -    if (!*tpks)
   3.545 +    *certs = calloc(keyids_len, sizeof(*certs));
   3.546 +    if (!*certs)
   3.547          return PGP_STATUS_UNKNOWN_ERROR;
   3.548      *our_free = free;
   3.549  
   3.550      int i, j;
   3.551      j = 0;
   3.552      for (i = 0; i < keyids_len; i ++) {
   3.553 -        pgp_tpk_t tpk = NULL;
   3.554 +        pgp_cert_t cert = NULL;
   3.555          PEP_STATUS status
   3.556 -            = tpk_find_by_keyid(session, keyids[i], false, &tpk, NULL);
   3.557 +            = cert_find_by_keyid(session, keyids[i], false, &cert, NULL);
   3.558          if (status == PEP_STATUS_OK)
   3.559 -            (*tpks)[j ++] = tpk;
   3.560 +            (*certs)[j ++] = cert;
   3.561      }
   3.562 -    *tpk_len = j;
   3.563 +    *certs_len = j;
   3.564      return PGP_STATUS_SUCCESS;
   3.565  }
   3.566  
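Review bot: get_public_keys_cb() counts with `int i, j` against the `size_t keyids_len`, and sizes the array with `sizeof(*certs)`, which is a `pgp_cert_t *`, although the elements are `pgp_cert_t`. The comparison `i < keyids_len` mixes signed and unsigned, and the allocation is only correct while both types happen to have the same size. I would write `size_t i, j = 0;` and `*certs = calloc(keyids_len, sizeof(**certs));`. Two further points are worth a comment in the code: `calloc` may return NULL for `keyids_len == 0`, which is reported here as `PGP_STATUS_UNKNOWN_ERROR`, and any lookup status other than `PEP_STATUS_OK` is skipped silently, so a database error is indistinguishable from a key that is simply not known.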
   3.567 @@ -1006,7 +1006,7 @@
   3.568      pgp_error_t err = NULL;
   3.569      struct decrypt_cookie *cookie = cookie_opaque;
   3.570      PEP_SESSION session = cookie->session;
   3.571 -    pgp_tpk_t *tsks = NULL;
   3.572 +    pgp_cert_t *tsks = NULL;
   3.573      int tsks_count = 0;
   3.574      int wildcards = 0;
   3.575  
   3.576 @@ -1022,7 +1022,7 @@
   3.577          pgp_pkesk_t pkesk = pkesks[i];
   3.578          pgp_keyid_t keyid = pgp_pkesk_recipient(pkesk); /* Reference. */
   3.579          char *keyid_str = pgp_keyid_to_hex(keyid);
   3.580 -        pgp_tpk_key_iter_t key_iter = NULL;
   3.581 +        pgp_cert_key_iter_t key_iter = NULL;
   3.582          pgp_session_key_t sk = NULL;
   3.583  
   3.584          T("Considering PKESK for %s", keyid_str);
   3.585 @@ -1035,12 +1035,12 @@
   3.586  
   3.587          // Collect the recipients.  Note: we must return the primary
   3.588          // key's fingerprint.
   3.589 -        pgp_tpk_t tpk = NULL;
   3.590 +        pgp_cert_t cert = NULL;
   3.591          int is_tsk = 0;
   3.592 -        if (tpk_find_by_keyid(session, keyid, false, &tpk, &is_tsk) != PEP_STATUS_OK)
   3.593 +        if (cert_find_by_keyid(session, keyid, false, &cert, &is_tsk) != PEP_STATUS_OK)
   3.594              goto eol;
   3.595  
   3.596 -        pgp_fingerprint_t fp = pgp_tpk_fingerprint(tpk);
   3.597 +        pgp_fingerprint_t fp = pgp_cert_fingerprint(cert);
   3.598          char *fp_string = pgp_fingerprint_to_hex(fp);
   3.599          stringlist_add_unique(cookie->recipient_keylist, fp_string);
   3.600          free(fp_string);
   3.601 @@ -1050,13 +1050,13 @@
   3.602              goto eol;
   3.603  
   3.604          // See if we have the secret key.
   3.605 -        assert(is_tsk == pgp_tpk_is_tsk(tpk));
   3.606 +        assert(is_tsk == pgp_cert_is_tsk(cert));
   3.607          if (! is_tsk)
   3.608              goto eol;
   3.609  
   3.610 -        key_iter = pgp_tpk_key_iter_all(tpk);
   3.611 +        key_iter = pgp_cert_key_iter_all(cert);
   3.612          pgp_key_t key;
   3.613 -        while ((key = pgp_tpk_key_iter_next(key_iter, NULL, NULL))) {
   3.614 +        while ((key = pgp_cert_key_iter_next(key_iter, NULL, NULL))) {
   3.615              pgp_keyid_t this_keyid = pgp_key_keyid(key);
   3.616              char *this_keyid_hex = pgp_keyid_to_hex(this_keyid);
   3.617              pgp_keyid_free(this_keyid);
   3.618 @@ -1090,14 +1090,14 @@
   3.619  
   3.620          T("Decrypted PKESK for %s", keyid_str);
   3.621  
   3.622 -        *identity_out = pgp_tpk_fingerprint(tpk);
   3.623 +        *identity_out = pgp_cert_fingerprint(cert);
   3.624          cookie->decrypted = 1;
   3.625  
   3.626      eol:
   3.627          pgp_session_key_free (sk);
   3.628          free(keyid_str);
   3.629 -        pgp_tpk_key_iter_free(key_iter);
   3.630 -        pgp_tpk_free(tpk);
   3.631 +        pgp_cert_key_iter_free(key_iter);
   3.632 +        pgp_cert_free(cert);
   3.633      }
   3.634  
   3.635      // Consider wildcard recipients.
   3.636 @@ -1105,27 +1105,27 @@
   3.637          pgp_pkesk_t pkesk = pkesks[i];
   3.638          pgp_keyid_t keyid = pgp_pkesk_recipient(pkesk); /* Reference. */
   3.639          char *keyid_str = pgp_keyid_to_hex(keyid);
   3.640 -        pgp_tpk_key_iter_t key_iter = NULL;
   3.641 +        pgp_cert_key_iter_t key_iter = NULL;
   3.642          pgp_session_key_t sk = NULL;
   3.643  
   3.644          if (strcmp(keyid_str, "0000000000000000") != 0)
   3.645              goto eol2;
   3.646  
   3.647          if (!tsks) {
   3.648 -            if (tpk_all(session, true, &tsks, &tsks_count) != PEP_STATUS_OK) {
   3.649 +            if (cert_all(session, true, &tsks, &tsks_count) != PEP_STATUS_OK) {
   3.650                  DUMP_ERR(NULL, PEP_UNKNOWN_ERROR, "Getting all tsks");
   3.651              }
   3.652          }
   3.653  
   3.654          for (int j = 0; j < tsks_count; j ++) {
   3.655 -            pgp_tpk_t tsk = tsks[j];
   3.656 -
   3.657 -            key_iter = pgp_tpk_key_iter_all(tsk);
   3.658 +            pgp_cert_t tsk = tsks[j];
   3.659 +
   3.660 +            key_iter = pgp_cert_key_iter_all(tsk);
   3.661              pgp_key_t key;
   3.662              pgp_signature_t selfsig;
   3.663 -            while ((key = pgp_tpk_key_iter_next(key_iter, &selfsig, NULL))) {
   3.664 -                if (! (pgp_signature_can_encrypt_at_rest(selfsig)
   3.665 -                       || pgp_signature_can_encrypt_for_transport(selfsig)))
   3.666 +            while ((key = pgp_cert_key_iter_next(key_iter, &selfsig, NULL))) {
   3.667 +                if (! (pgp_signature_for_storage_encryption(selfsig)
   3.668 +                       || pgp_signature_for_transport_encryption(selfsig)))
   3.669                      continue;
   3.670  
   3.671                  fprintf(stderr, "key: %s\n", pgp_key_debug(key));
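Review bot: The `fprintf(stderr, "key: %s\n", pgp_key_debug(key));` at the end of this hunk writes key details to the process's stderr on every wildcard-recipient attempt, bypassing the `T()` trace macro that the rest of the function uses. In a library on the decryption path, the embedding application cannot switch this output off and it may end up in logs. I would route it through the tracer, `T("key: %s", key_debug);`, or drop the line. If `pgp_key_debug` returns a heap string, which the hunk does not show, the value should be held in a local and freed as well. The loop body continues outside the hunk.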
   3.672 @@ -1145,7 +1145,7 @@
   3.673                  }
   3.674  
   3.675                  // Add it to the recipient list.
   3.676 -                pgp_fingerprint_t fp = pgp_tpk_fingerprint(tsk);
   3.677 +                pgp_fingerprint_t fp = pgp_cert_fingerprint(tsk);
   3.678                  char *fp_string = pgp_fingerprint_to_hex(fp);
   3.679                  T("wildcard recipient appears to be %s", fp_string);
   3.680                  stringlist_add_unique(cookie->recipient_keylist, fp_string);
   3.681 @@ -1160,24 +1160,24 @@
   3.682                      goto eol2;
   3.683                  }
   3.684  
   3.685 -                *identity_out = pgp_tpk_fingerprint(tsk);
   3.686 +                *identity_out = pgp_cert_fingerprint(tsk);
   3.687                  cookie->decrypted = 1;
   3.688  
   3.689                  break;
   3.690              }
   3.691  
   3.692 -            pgp_tpk_key_iter_free(key_iter);
   3.693 +            pgp_cert_key_iter_free(key_iter);
   3.694              key_iter = NULL;
   3.695          }
   3.696      eol2:
   3.697          pgp_session_key_free (sk);
   3.698          free(keyid_str);
   3.699 -        pgp_tpk_key_iter_free(key_iter);
   3.700 +        pgp_cert_key_iter_free(key_iter);
   3.701      }
   3.702  
   3.703      if (tsks) {
   3.704          for (int i = 0; i < tsks_count; i ++)
   3.705 -            pgp_tpk_free(tsks[i]);
   3.706 +            pgp_cert_free(tsks[i]);
   3.707          free(tsks);
   3.708      }
   3.709  
   3.710 @@ -1218,7 +1218,7 @@
   3.711                      pgp_verification_result_good_checksum (result, &sig, NULL,
   3.712                                                             NULL, NULL, NULL);
   3.713  
   3.714 -                    // First try looking up by the TPK using the
   3.715 +                    // First try looking up by the certificate using the
   3.716                      // IssuerFingerprint subpacket.
   3.717                      pgp_fingerprint_t fpr
   3.718                          = pgp_signature_issuer_fingerprint(sig);
   3.719 @@ -1240,48 +1240,48 @@
   3.720                          goto eol;
   3.721                      }
   3.722  
   3.723 -                    pgp_tpk_t tpk;
   3.724 -                    if (tpk_find_by_keyid(session, keyid, false,
   3.725 -                                          &tpk, NULL) != PEP_STATUS_OK)
   3.726 +                    pgp_cert_t cert;
   3.727 +                    if (cert_find_by_keyid(session, keyid, false,
   3.728 +                                          &cert, NULL) != PEP_STATUS_OK)
   3.729                          ; // Soft error.  Ignore.
   3.730  
   3.731                      keyid_str = pgp_keyid_to_string (keyid);
   3.732  
   3.733 -                    if (tpk) {
   3.734 -                        // Ok, we have a TPK.
   3.735 +                    if (cert) {
   3.736 +                        // Ok, we have a certificate.
   3.737  
   3.738                          // We need the primary key's fingerprint (not
   3.739                          // the issuer fingerprint).
   3.740                          pgp_fingerprint_t primary_fpr
   3.741 -                            = pgp_tpk_fingerprint(tpk);
   3.742 +                            = pgp_cert_fingerprint(cert);
   3.743                          char *primary_fpr_str
   3.744                              = pgp_fingerprint_to_hex(primary_fpr);
   3.745  
   3.746                          bool good = true;
   3.747  
   3.748 -                        // Make sure the TPK is not revoked, it's
   3.749 +                        // Make sure the certificate is not revoked, its
   3.750                          // creation time is <= now, and it hasn't
   3.751                          // expired.
   3.752 -                        pgp_revocation_status_t rs = pgp_tpk_revoked(tpk, 0);
   3.753 +                        pgp_revocation_status_t rs = pgp_cert_revoked(cert, 0);
   3.754                          bool revoked = (pgp_revocation_status_variant(rs)
   3.755                                          == PGP_REVOCATION_STATUS_REVOKED);
   3.756                          pgp_revocation_status_free(rs);
   3.757                          if (revoked) {
   3.758 -                            T("TPK %s is revoked.", primary_fpr_str);
   3.759 +                            T("certificate %s is revoked.", primary_fpr_str);
   3.760                              good = false;
   3.761                              cookie->good_but_revoked ++;
   3.762 -                        } else if (! pgp_tpk_alive(tpk, 0)) {
   3.763 -                            T("TPK %s is not alive.", primary_fpr_str);
   3.764 +                        } else if (! pgp_cert_alive(cert, 0)) {
   3.765 +                            T("certificate %s is not alive.", primary_fpr_str);
   3.766                              good = false;
   3.767                              cookie->good_but_expired ++;
   3.768                          }
   3.769  
   3.770                          // Same thing for the signing key.
   3.771                          if (good) {
   3.772 -                            pgp_tpk_key_iter_t iter = pgp_tpk_key_iter_all(tpk);
   3.773 +                            pgp_cert_key_iter_t iter = pgp_cert_key_iter_all(cert);
   3.774                              pgp_key_t key;
   3.775                              pgp_signature_t sig;
   3.776 -                            while ((key = pgp_tpk_key_iter_next(iter, &sig, &rs))
   3.777 +                            while ((key = pgp_cert_key_iter_next(iter, &sig, &rs))
   3.778                                     && good) {
   3.779                                  pgp_keyid_t x = pgp_key_keyid(key);
   3.780                                  if (pgp_keyid_equal(keyid, x)) {
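Review bot: `pgp_cert_t cert;` is declared without an initializer, yet a failed `cert_find_by_keyid` is explicitly ignored and the next statement tests `if (cert)`. Unless the lookup always stores NULL through its out parameter on failure (not visible in this hunk), the signature-verification path reads an indeterminate pointer and may pass it to `pgp_cert_fingerprint` and `pgp_cert_free`. Declaring it as `pgp_cert_t cert = NULL;` makes the soft-error path well defined. The enclosing case block starts and ends outside the hunk.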
   3.781 @@ -1291,12 +1291,12 @@
   3.782                                      revoked = (pgp_revocation_status_variant(rs)
   3.783                                                 == PGP_REVOCATION_STATUS_REVOKED);
   3.784                                      if (revoked) {
   3.785 -                                        T("TPK %s's signing key %s is revoked.",
   3.786 +                                        T("certificate %s's signing key %s is revoked.",
   3.787                                            primary_fpr_str, keyid_str);
   3.788                                          good = false;
   3.789                                          cookie->good_but_revoked ++;
   3.790                                      } else if (! pgp_signature_key_alive(sig, key, 0)) {
   3.791 -                                        T("TPK %s's signing key %s is expired.",
   3.792 +                                        T("certificate %s's signing key %s is expired.",
   3.793                                            primary_fpr_str, keyid_str);
   3.794                                          good = false;
   3.795                                          cookie->good_but_expired ++;
   3.796 @@ -1307,7 +1307,7 @@
   3.797                                  pgp_signature_free(sig);
   3.798                                  pgp_key_free(key);
   3.799                              }
   3.800 -                            pgp_tpk_key_iter_free(iter);
   3.801 +                            pgp_cert_key_iter_free(iter);
   3.802                          }
   3.803  
   3.804                          if (good) {
   3.805 @@ -1321,11 +1321,11 @@
   3.806  
   3.807                          free(primary_fpr_str);
   3.808                          pgp_fingerprint_free(primary_fpr);
   3.809 -                        pgp_tpk_free(tpk);
   3.810 +                        pgp_cert_free(cert);
   3.811                      } else {
   3.812                          // If we get
   3.813                          // PGP_VERIFICATION_RESULT_CODE_GOOD_CHECKSUM,
   3.814 -                        // then the TPK should be available.  But,
   3.815 +                        // then the CERT should be available.  But,
   3.816                          // another process could have deleted the key
   3.817                          // from the store in the mean time, so be
   3.818                          // tolerant.
   3.819 @@ -1345,7 +1345,8 @@
   3.820                      break;
   3.821  
   3.822                  case PGP_VERIFICATION_RESULT_BAD_CHECKSUM:
   3.823 -                    pgp_verification_result_bad_checksum (result, &sig);
   3.824 +                    pgp_verification_result_bad_checksum
   3.825 +                        (result, &sig, NULL, NULL, NULL, NULL);
   3.826                      keyid = pgp_signature_issuer (sig);
   3.827                      if (keyid) {
   3.828                          keyid_str = pgp_keyid_to_string (keyid);
   3.829 @@ -1653,22 +1654,22 @@
   3.830  
   3.831      PEP_STATUS status = PEP_STATUS_OK;
   3.832      pgp_error_t err = NULL;
   3.833 -    pgp_tpk_t signer_tpk = NULL;
   3.834 -    pgp_tpk_key_iter_t iter = NULL;
   3.835 +    pgp_cert_t signer_cert = NULL;
   3.836 +    pgp_cert_key_iter_t iter = NULL;
   3.837      pgp_key_pair_t signing_keypair = NULL;
   3.838      pgp_signer_t signer = NULL;
   3.839      pgp_writer_stack_t ws = NULL;
   3.840  
   3.841 -    status = tpk_find_by_fpr_hex(session, fpr, true, &signer_tpk, NULL);
   3.842 +    status = cert_find_by_fpr_hex(session, fpr, true, &signer_cert, NULL);
   3.843      ERROR_OUT(NULL, status, "Looking up key '%s'", fpr);
   3.844  
   3.845 -    iter = pgp_tpk_key_iter_valid(signer_tpk);
   3.846 -    pgp_tpk_key_iter_signing_capable (iter);
   3.847 -    pgp_tpk_key_iter_unencrypted_secret (iter, true);
   3.848 +    iter = pgp_cert_key_iter_valid(signer_cert);
   3.849 +    pgp_cert_key_iter_for_signing (iter);
   3.850 +    pgp_cert_key_iter_unencrypted_secret (iter);
   3.851  
   3.852      // If there are multiple signing capable subkeys, we just take
   3.853      // the first one, whichever one that happens to be.
   3.854 -    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
   3.855 +    pgp_key_t key = pgp_cert_key_iter_next (iter, NULL, NULL);
   3.856      if (! key)
   3.857          ERROR_OUT (err, PEP_UNKNOWN_ERROR,
   3.858                     "%s has no signing capable key", fpr);
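Review bot: The result of `pgp_cert_key_iter_valid(signer_cert)` is passed straight to `pgp_cert_key_iter_for_signing` and `pgp_cert_key_iter_unencrypted_secret` without a NULL check, while the recipient loop in the @@ -1786 hunk does check it. The same unchecked sequence appears in the `if (sign)` block of the @@ -1861 hunk. For consistency I would add `if (! iter) ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "out of memory");` right after the assignment in both places. The function body continues outside the hunk.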
   3.859 @@ -1721,8 +1722,8 @@
   3.860      // will become a leak.
   3.861      //
   3.862      //pgp_key_pair_free (signing_keypair);
   3.863 -    pgp_tpk_key_iter_free (iter);
   3.864 -    pgp_tpk_free(signer_tpk);
   3.865 +    pgp_cert_key_iter_free (iter);
   3.866 +    pgp_cert_free(signer_cert);
   3.867  
   3.868      T("(%s)-> %s", fpr, pEp_status_to_string(status));
   3.869      return status;
   3.870 @@ -1735,8 +1736,8 @@
   3.871      PEP_STATUS status = PEP_STATUS_OK;
   3.872      pgp_error_t err = NULL;
   3.873  
   3.874 -    int recipient_tpk_count = 0;
   3.875 -    pgp_tpk_t *recipient_tpks = NULL;
   3.876 +    int recipient_cert_count = 0;
   3.877 +    pgp_cert_t *recipient_certs = NULL;
   3.878  
   3.879      int recipient_count = 0;
   3.880      int recipient_alloc = 0;
   3.881 @@ -1744,9 +1745,9 @@
   3.882      int recipient_keys_count = 0;
   3.883      pgp_key_t *recipient_keys = NULL;
   3.884  
   3.885 -    pgp_tpk_t signer_tpk = NULL;
   3.886 +    pgp_cert_t signer_cert = NULL;
   3.887      pgp_writer_stack_t ws = NULL;
   3.888 -    pgp_tpk_key_iter_t iter = NULL;
   3.889 +    pgp_cert_key_iter_t iter = NULL;
   3.890      pgp_key_pair_t signing_keypair = NULL;
   3.891      pgp_signer_t signer = NULL;
   3.892  
   3.893 @@ -1762,14 +1763,14 @@
   3.894  
   3.895      int keylist_len = stringlist_length(keylist);
   3.896  
   3.897 -    // We don't need to worry about extending recipient_tpks, because
   3.898 -    // there will be at most KEYLIST_LEN tpks, which we allocate up
   3.899 +    // We don't need to worry about extending recipient_certs, because
   3.900 +    // there will be at most KEYLIST_LEN certs, which we allocate up
   3.901      // front.
   3.902 -    recipient_tpks = calloc(keylist_len, sizeof(*recipient_tpks));
   3.903 -    if (recipient_tpks == NULL)
   3.904 +    recipient_certs = calloc(keylist_len, sizeof(*recipient_certs));
   3.905 +    if (recipient_certs == NULL)
   3.906          ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "out of memory");
   3.907  
   3.908 -    // Because there may be multiple encryption keys per TPK, we may
   3.909 +    // Because there may be multiple encryption keys per certificate, we may
   3.910      // need to extend recipient_keys and recipients.
   3.911      recipient_alloc = keylist_len;
   3.912      recipient_keys = calloc(recipient_alloc, sizeof(*recipient_keys));
   3.913 @@ -1786,24 +1787,24 @@
   3.914      for (_keylist = keylist; _keylist != NULL; _keylist = _keylist->next) {
   3.915          assert(_keylist->value);
   3.916  
   3.917 -        pgp_tpk_t tpk;
   3.918 -        status = tpk_find_by_fpr_hex(session, _keylist->value,
   3.919 -                                     false, &tpk, NULL);
   3.920 +        pgp_cert_t cert;
   3.921 +        status = cert_find_by_fpr_hex(session, _keylist->value,
   3.922 +                                     false, &cert, NULL);
   3.923          // We couldn't find a key for this recipient.
   3.924          ERROR_OUT(NULL, status,
   3.925                    "Looking up key for recipient '%s'", _keylist->value);
   3.926  
   3.927 -        recipient_tpks[recipient_tpk_count ++] = tpk;
   3.928 +        recipient_certs[recipient_cert_count ++] = cert;
   3.929  
   3.930          // Collect all of the keys that have the encryption for
   3.931          // transport capability.
   3.932 -        pgp_tpk_key_iter_t iter = pgp_tpk_key_iter_valid(tpk);
   3.933 +        pgp_cert_key_iter_t iter = pgp_cert_key_iter_valid(cert);
   3.934          if (! iter)
   3.935              ERROR_OUT(NULL, PEP_OUT_OF_MEMORY, "out of memory");
   3.936 -        pgp_tpk_key_iter_encrypting_capable_for_transport(iter);
   3.937 +        pgp_cert_key_iter_for_transport_encryption(iter);
   3.938  
   3.939          pgp_key_t key;
   3.940 -        while ((key = pgp_tpk_key_iter_next (iter, NULL, NULL))) {
   3.941 +        while ((key = pgp_cert_key_iter_next (iter, NULL, NULL))) {
   3.942              assert(recipient_count == recipient_keys_count);
   3.943              if (recipient_count == recipient_alloc) {
   3.944                  assert(recipient_alloc > 0);
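Review bot: The loop-local `pgp_cert_key_iter_t iter` declared in this hunk has the same name as the `iter` declared in the @@ -1744 hunk, which looks like the same function's cleanup variable. If so, any `ERROR_OUT` taken between this declaration and the `pgp_cert_key_iter_free(iter)` that closes the loop body would free the outer, still-NULL iterator and leak this one. The growth branch that begins at the end of the hunk looks like such an exit, though its body is not visible here. Renaming the local, e.g. `pgp_cert_key_iter_t key_iter = pgp_cert_key_iter_valid(cert);`, and freeing it before each error exit would remove the ambiguity.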
   3.945 @@ -1835,12 +1836,12 @@
   3.946  
   3.947              recipients[recipient_count++] = pgp_recipient_new(keyid, key);
   3.948          }
   3.949 -        pgp_tpk_key_iter_free(iter);
   3.950 +        pgp_cert_key_iter_free(iter);
   3.951      }
   3.952  
   3.953      if (sign) {
   3.954          // The first key in the keylist is the signer.
   3.955 -        status = tpk_find_by_fpr_hex(session, keylist->value, true, &signer_tpk, NULL);
   3.956 +        status = cert_find_by_fpr_hex(session, keylist->value, true, &signer_cert, NULL);
   3.957          ERROR_OUT(NULL, status, "Looking up key for signing '%s'", keylist->value);
   3.958      }
   3.959  
   3.960 @@ -1861,13 +1862,13 @@
   3.961      recipient_count = 0;
   3.962  
   3.963      if (sign) {
   3.964 -        iter = pgp_tpk_key_iter_valid(signer_tpk);
   3.965 -        pgp_tpk_key_iter_signing_capable (iter);
   3.966 -        pgp_tpk_key_iter_unencrypted_secret (iter, true);
   3.967 +        iter = pgp_cert_key_iter_valid(signer_cert);
   3.968 +        pgp_cert_key_iter_for_signing (iter);
   3.969 +        pgp_cert_key_iter_unencrypted_secret (iter);
   3.970  
   3.971          // If there are multiple signing capable subkeys, we just take
   3.972          // the first one, whichever one that happens to be.
   3.973 -        pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
   3.974 +        pgp_key_t key = pgp_cert_key_iter_next (iter, NULL, NULL);
   3.975          if (! key)
   3.976              ERROR_OUT (err, PEP_UNKNOWN_ERROR,
   3.977                         "%s has no signing capable key", keylist->value);
   3.978 @@ -1921,8 +1922,8 @@
   3.979      // will become a leak.
   3.980      //
   3.981      // pgp_key_pair_free (signing_keypair);
   3.982 -    pgp_tpk_key_iter_free (iter);
   3.983 -    pgp_tpk_free(signer_tpk);
   3.984 +    pgp_cert_key_iter_free (iter);
   3.985 +    pgp_cert_free(signer_cert);
   3.986  
   3.987      for (int i = 0; i < recipient_count; i ++)
   3.988          pgp_recipient_free(recipients[i]);
   3.989 @@ -1930,9 +1931,9 @@
   3.990      for (int i = 0; i < recipient_keys_count; i ++)
   3.991          pgp_key_free(recipient_keys[i]);
   3.992      free(recipient_keys);
   3.993 -    for (int i = 0; i < recipient_tpk_count; i ++)
   3.994 -        pgp_tpk_free(recipient_tpks[i]);
   3.995 -    free(recipient_tpks);
   3.996 +    for (int i = 0; i < recipient_cert_count; i ++)
   3.997 +        pgp_cert_free(recipient_certs[i]);
   3.998 +    free(recipient_certs);
   3.999  
  3.1000      T("-> %s", pEp_status_to_string(status));
  3.1001      return status;
  3.1002 @@ -1961,7 +1962,7 @@
  3.1003      pgp_error_t err = NULL;
  3.1004      pgp_packet_t userid_packet = NULL;
  3.1005      char *userid = NULL;
  3.1006 -    pgp_tpk_t tpk = NULL;
  3.1007 +    pgp_cert_t cert = NULL;
  3.1008      pgp_fingerprint_t pgp_fpr = NULL;
  3.1009      char *fpr = NULL;
  3.1010  
  3.1011 @@ -1991,21 +1992,21 @@
  3.1012      T("(%s)", userid);
  3.1013  
  3.1014      // Generate a key.
  3.1015 -    pgp_tpk_builder_t tpkb = pgp_tpk_builder_general_purpose(
  3.1016 +    pgp_cert_builder_t certb = pgp_cert_builder_general_purpose(
  3.1017          cipher_suite(session->cipher_suite), userid);
  3.1018      pgp_signature_t rev;
  3.1019 -    if (pgp_tpk_builder_generate(&err, tpkb, &tpk, &rev))
  3.1020 +    if (pgp_cert_builder_generate(&err, certb, &cert, &rev))
  3.1021          ERROR_OUT(err, PEP_CANNOT_CREATE_KEY, "Generating a key pair");
  3.1022  
  3.1023      // XXX: We should return this.
  3.1024      pgp_signature_free(rev);
  3.1025  
  3.1026      // Get the fingerprint.
  3.1027 -    pgp_fpr = pgp_tpk_fingerprint(tpk);
  3.1028 +    pgp_fpr = pgp_cert_fingerprint(cert);
  3.1029      fpr = pgp_fingerprint_to_hex(pgp_fpr);
  3.1030  
  3.1031 -    status = tpk_save(session, tpk, NULL);
  3.1032 -    tpk = NULL;
  3.1033 +    status = cert_save(session, cert, NULL);
  3.1034 +    cert = NULL;
  3.1035      if (status != 0)
  3.1036          ERROR_OUT(NULL, PEP_CANNOT_CREATE_KEY, "saving TSK");
  3.1037  
  3.1038 @@ -2016,7 +2017,7 @@
  3.1039   out:
  3.1040      pgp_fingerprint_free(pgp_fpr);
  3.1041      free(fpr);
  3.1042 -    pgp_tpk_free(tpk);
  3.1043 +    pgp_cert_free(cert);
  3.1044      free(userid);
  3.1045      pgp_packet_free(userid_packet);
  3.1046  
  3.1047 @@ -2082,7 +2083,7 @@
  3.1048  {
  3.1049      PEP_STATUS status = PEP_NO_KEY_IMPORTED;
  3.1050      pgp_error_t err;
  3.1051 -    pgp_tpk_parser_t parser = NULL;
  3.1052 +    pgp_cert_parser_t parser = NULL;
  3.1053  
  3.1054      if (private_idents)
  3.1055          *private_idents = NULL;
  3.1056 @@ -2110,15 +2111,15 @@
  3.1057          pgp_signature_t sig = pgp_packet_ref_signature (packet);
  3.1058          assert(sig);
  3.1059  
  3.1060 -        pgp_tpk_t tpk = NULL;
  3.1061 +        pgp_cert_t cert = NULL;
  3.1062  
  3.1063          pgp_fingerprint_t issuer_fpr = pgp_signature_issuer_fingerprint(sig);
  3.1064          if (issuer_fpr) {
  3.1065              char *issuer_fpr_hex = pgp_fingerprint_to_hex(issuer_fpr);
  3.1066              T("Importing a signature issued by %s", issuer_fpr_hex);
  3.1067  
  3.1068 -            status = tpk_find_by_fpr_hex(session, issuer_fpr_hex,
  3.1069 -                                         false, &tpk, NULL);
  3.1070 +            status = cert_find_by_fpr_hex(session, issuer_fpr_hex,
  3.1071 +                                         false, &cert, NULL);
  3.1072              if (status && status != PEP_KEY_NOT_FOUND)
  3.1073                  DUMP_ERR(NULL, status, "Looking up %s", issuer_fpr_hex);
  3.1074  
  3.1075 @@ -2126,14 +2127,14 @@
  3.1076              pgp_fingerprint_free(issuer_fpr);
  3.1077          }
  3.1078  
  3.1079 -        if (! tpk) {
  3.1080 +        if (! cert) {
  3.1081              pgp_keyid_t issuer = pgp_signature_issuer(sig);
  3.1082              if (issuer) {
  3.1083                  char *issuer_hex = pgp_keyid_to_hex(issuer);
  3.1084                  T("Importing a signature issued by %s", issuer_hex);
  3.1085  
  3.1086 -                status = tpk_find_by_keyid_hex(session, issuer_hex,
  3.1087 -                                               false, &tpk, NULL);
  3.1088 +                status = cert_find_by_keyid_hex(session, issuer_hex,
  3.1089 +                                               false, &cert, NULL);
  3.1090                  if (status && status != PEP_KEY_NOT_FOUND)
  3.1091                      DUMP_ERR(NULL, status, "Looking up %s", issuer_hex);
  3.1092  
  3.1093 @@ -2146,40 +2147,40 @@
  3.1094          // to free it.
  3.1095          pgp_signature_free(sig);
  3.1096  
  3.1097 -        if (tpk) {
  3.1098 +        if (cert) {
  3.1099              T("Merging packet: %s", pgp_packet_debug(packet));
  3.1100  
  3.1101 -            tpk = pgp_tpk_merge_packets (&err, tpk, &packet, 1);
  3.1102 -            if (! tpk)
  3.1103 +            cert = pgp_cert_merge_packets (&err, cert, &packet, 1);
  3.1104 +            if (! cert)
  3.1105                  ERROR_OUT(err, PEP_UNKNOWN_ERROR, "Merging signature");
  3.1106  
  3.1107 -            status = tpk_save(session, tpk, NULL);
  3.1108 +            status = cert_save(session, cert, NULL);
  3.1109              if (status)
  3.1110 -                ERROR_OUT(NULL, status, "saving merged TPK");
  3.1111 +                ERROR_OUT(NULL, status, "saving merged CERT");
  3.1112              status = PEP_KEY_IMPORTED;
  3.1113          }
  3.1114          break;
  3.1115      }
  3.1116      case PGP_TAG_PUBLIC_KEY:
  3.1117      case PGP_TAG_SECRET_KEY: {
  3.1118 -        parser = pgp_tpk_parser_from_packet_parser(ppr);
  3.1119 -        pgp_tpk_t tpk;
  3.1120 +        parser = pgp_cert_parser_from_packet_parser(ppr);
  3.1121 +        pgp_cert_t cert;
  3.1122          int count = 0;
  3.1123          err = NULL;
  3.1124 -        while ((tpk = pgp_tpk_parser_next(&err, parser))) {
  3.1125 +        while ((cert = pgp_cert_parser_next(&err, parser))) {
  3.1126              count ++;
  3.1127  
  3.1128 -            T("#%d. TPK for %s, %s",
  3.1129 -              count, pgp_tpk_primary_user_id(tpk),
  3.1130 -              pgp_fingerprint_to_hex(pgp_tpk_fingerprint(tpk)));
  3.1131 +            T("#%d. CERT for %s, %s",
  3.1132 +              count, pgp_cert_primary_user_id(cert),
  3.1133 +              pgp_fingerprint_to_hex(pgp_cert_fingerprint(cert)));
  3.1134  
  3.1135              // If private_idents is not NULL and there is any private key
  3.1136              // material, it will be saved.
  3.1137 -            status = tpk_save(session, tpk, private_idents);
  3.1138 +            status = cert_save(session, cert, private_idents);
  3.1139              if (status == PEP_STATUS_OK)
  3.1140                  status = PEP_KEY_IMPORTED;
  3.1141              else
  3.1142 -                ERROR_OUT(NULL, status, "saving TPK");
  3.1143 +                ERROR_OUT(NULL, status, "saving certificate");
  3.1144          }
  3.1145          if (err || count == 0)
  3.1146              ERROR_OUT(err, PEP_UNKNOWN_ERROR, "parsing key data");
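Review bot: The trace call `T("#%d. CERT for %s, %s", ...)` in the key-import loop builds its arguments inline, so the values returned by `pgp_cert_fingerprint` and `pgp_fingerprint_to_hex` are never released; elsewhere on this page they are released with `pgp_fingerprint_free` and `free`. The `char *` from `pgp_cert_primary_user_id` is probably owned by the caller as well, and `add_key` treats it as possibly NULL, whereas here it goes straight to `%s`. I would hoist the three values into locals, substitute a placeholder string when the user id is NULL, and release them after the trace. The loop runs once per certificate in imported, externally supplied key data, so the leak scales with the input.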
  3.1147 @@ -2203,7 +2204,7 @@
  3.1148          status = PEP_UNKNOWN_DB_ERROR;
  3.1149  
  3.1150   out:
  3.1151 -    pgp_tpk_parser_free(parser);
  3.1152 +    pgp_cert_parser_free(parser);
  3.1153  
  3.1154      T("-> %s", pEp_status_to_string(status));
  3.1155      return status;
  3.1156 @@ -2287,7 +2288,7 @@
  3.1157  {
  3.1158      PEP_STATUS status = PEP_STATUS_OK;
  3.1159      pgp_error_t err = NULL;
  3.1160 -    pgp_tpk_t tpk = NULL;
  3.1161 +    pgp_cert_t cert = NULL;
  3.1162      pgp_writer_t armor_writer = NULL;
  3.1163      pgp_writer_t memory_writer = NULL;
  3.1164  
  3.1165 @@ -2303,7 +2304,7 @@
  3.1166  
  3.1167      // If the caller asks for a secret key and we only have a
  3.1168      // public key, then we return an error.
  3.1169 -    status = tpk_find_by_fpr_hex(session, fpr, secret, &tpk, NULL);
  3.1170 +    status = cert_find_by_fpr_hex(session, fpr, secret, &cert, NULL);
  3.1171      ERROR_OUT(NULL, status, "Looking up TSK for %s", fpr);
  3.1172  
  3.1173      memory_writer = pgp_writer_alloc((void **) key_data, size);
  3.1174 @@ -2316,13 +2317,13 @@
  3.1175      }
  3.1176  
  3.1177      if (secret) {
  3.1178 -        pgp_tsk_t tsk = pgp_tpk_as_tsk(tpk);
  3.1179 +        pgp_tsk_t tsk = pgp_cert_as_tsk(cert);
  3.1180          if (pgp_tsk_serialize(&err, tsk, armor_writer))
  3.1181              ERROR_OUT(err, PEP_UNKNOWN_ERROR, "serializing TSK");
  3.1182          pgp_tsk_free(tsk);
  3.1183      } else {
  3.1184 -        if (pgp_tpk_serialize(&err, tpk, armor_writer))
  3.1185 -            ERROR_OUT(err, PEP_UNKNOWN_ERROR, "serializing TPK");
  3.1186 +        if (pgp_cert_serialize(&err, cert, armor_writer))
  3.1187 +            ERROR_OUT(err, PEP_UNKNOWN_ERROR, "serializing certificate");
  3.1188      }
  3.1189  
  3.1190   out:
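Review bot: In the `if (secret)` branch, `tsk` is freed only after a successful `pgp_tsk_serialize`, so the failure path skips `pgp_tsk_free(tsk);`. This assumes `ERROR_OUT` jumps to `out`, as its use throughout the page suggests; `out` cannot reach the block-scoped variable. Since this object is the secret-key view of the certificate, I would store the result of the serialize call in a local, call `pgp_tsk_free(tsk);`, and only then test the result and invoke `ERROR_OUT(err, PEP_UNKNOWN_ERROR, "serializing TSK");`.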
  3.1191 @@ -2338,8 +2339,8 @@
  3.1192          pgp_writer_free(memory_writer);
  3.1193      }
  3.1194  
  3.1195 -    if (tpk)
  3.1196 -        pgp_tpk_free(tpk);
  3.1197 +    if (cert)
  3.1198 +        pgp_cert_free(cert);
  3.1199  
  3.1200      (*size)--;  // Sequoia is delivering the 0 byte at the end with size, but
  3.1201                  // pEp is expecting it without
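Review bot: `(*size)--;` sits at function level in the cleanup that follows the `out:` label, so as far as this hunk shows it also runs when the lookup or the serialization failed. In that case `*size` may still be 0 or whatever the caller passed in, and the decrement can wrap (if the type is unsigned) or report a length that does not match `*key_data`. I would guard it, `if (status == PEP_STATUS_OK && *size > 0) (*size)--;`. The lines between `out:` and this hunk are not visible, so an earlier guard may already exist.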
  3.1202 @@ -2380,11 +2381,11 @@
  3.1203  static stringpair_list_t *add_key(PEP_SESSION session,
  3.1204                                    stringpair_list_t *keyinfo_list,
  3.1205                                    stringlist_t* keylist,
  3.1206 -                                  pgp_tpk_t tpk, pgp_fingerprint_t fpr) {
  3.1207 +                                  pgp_cert_t cert, pgp_fingerprint_t fpr) {
  3.1208      bool revoked = false;
  3.1209      // Don't add revoked keys to the keyinfo_list.
  3.1210      if (keyinfo_list) {
  3.1211 -        pgp_revocation_status_t rs = pgp_tpk_revoked(tpk, 0);
  3.1212 +        pgp_revocation_status_t rs = pgp_cert_revoked(cert, 0);
  3.1213          pgp_revocation_status_variant_t rsv = pgp_revocation_status_variant(rs);
  3.1214          pgp_revocation_status_free(rs);
  3.1215          if (rsv == PGP_REVOCATION_STATUS_REVOKED)
  3.1216 @@ -2397,12 +2398,12 @@
  3.1217      int dealloc_fpr = 0;
  3.1218      if (!fpr) {
  3.1219          dealloc_fpr = 1;
  3.1220 -        fpr = pgp_tpk_fingerprint(tpk);
  3.1221 +        fpr = pgp_cert_fingerprint(cert);
  3.1222      }
  3.1223      char *fpr_str = pgp_fingerprint_to_hex(fpr);
  3.1224  
  3.1225      if (!revoked && keyinfo_list) {
  3.1226 -        char *user_id = pgp_tpk_primary_user_id(tpk);
  3.1227 +        char *user_id = pgp_cert_primary_user_id(cert);
  3.1228          if (user_id)
  3.1229              keyinfo_list = stringpair_list_add(keyinfo_list,
  3.1230                                                 new_stringpair(fpr_str, user_id));
  3.1231 @@ -2424,7 +2425,7 @@
  3.1232                              stringpair_list_t** keyinfo_list, stringlist_t** keylist)
  3.1233  {
  3.1234      PEP_STATUS status = PEP_STATUS_OK;
  3.1235 -    pgp_tpk_t tpk = NULL;
  3.1236 +    pgp_cert_t cert = NULL;
  3.1237      pgp_fingerprint_t fpr = NULL;
  3.1238  
  3.1239      T("('%s', private: %d)", pattern, private_only);
  3.1240 @@ -2449,15 +2450,15 @@
  3.1241  
  3.1242      if (strchr(pattern, '@')) {
  3.1243          // Looks like a mailbox.
  3.1244 -        pgp_tpk_t *tpks = NULL;
  3.1245 +        pgp_cert_t *certs = NULL;
  3.1246          int count = 0;
  3.1247 -        status = tpk_find_by_email(session, pattern, private_only, &tpks, &count);
  3.1248 +        status = cert_find_by_email(session, pattern, private_only, &certs, &count);
  3.1249          ERROR_OUT(NULL, status, "Looking up '%s'", pattern);
  3.1250          for (int i = 0; i < count; i ++) {
  3.1251 -            add_key(session, _keyinfo_list, _keylist, tpks[i], NULL);
  3.1252 -            pgp_tpk_free(tpks[i]);
  3.1253 +            add_key(session, _keyinfo_list, _keylist, certs[i], NULL);
  3.1254 +            pgp_cert_free(certs[i]);
  3.1255          }
  3.1256 -        free(tpks);
  3.1257 +        free(certs);
  3.1258  
  3.1259          if (count == 0) {
  3.1260              // If match failed, check to see if we've got a dotted
  3.1261 @@ -2481,27 +2482,27 @@
  3.1262          // Fingerprint.  Note: the pep engine never looks keys up by
  3.1263          // keyid, so we don't handle them.
  3.1264          fpr = pgp_fingerprint_from_hex(pattern);
  3.1265 -        status = tpk_find_by_fpr(session, fpr, false, &tpk, NULL);
  3.1266 +        status = cert_find_by_fpr(session, fpr, false, &cert, NULL);
  3.1267          ERROR_OUT(NULL, status, "Looking up key");
  3.1268 -        add_key(session, _keyinfo_list, _keylist, tpk, fpr);
  3.1269 +        add_key(session, _keyinfo_list, _keylist, cert, fpr);
  3.1270      } else if (pattern[0] == 0) {
  3.1271          // Empty string.
  3.1272  
  3.1273 -        pgp_tpk_t *tpks = NULL;
  3.1274 +        pgp_cert_t *certs = NULL;
  3.1275          int count = 0;
  3.1276 -        status = tpk_all(session, private_only, &tpks, &count);
  3.1277 +        status = cert_all(session, private_only, &certs, &count);
  3.1278          ERROR_OUT(NULL, status, "Looking up '%s'", pattern);
  3.1279          for (int i = 0; i < count; i ++) {
  3.1280 -            add_key(session, _keyinfo_list, _keylist, tpks[i], NULL);
  3.1281 -            pgp_tpk_free(tpks[i]);
  3.1282 +            add_key(session, _keyinfo_list, _keylist, certs[i], NULL);
  3.1283 +            pgp_cert_free(certs[i]);
  3.1284          }
  3.1285 -        free(tpks);
  3.1286 +        free(certs);
  3.1287      } else {
  3.1288          T("unsupported pattern '%s'", pattern);
  3.1289      }
  3.1290  
  3.1291   out:
  3.1292 -    pgp_tpk_free(tpk);
  3.1293 +    pgp_cert_free(cert);
  3.1294      pgp_fingerprint_free(fpr);
  3.1295  
  3.1296      if (status == PEP_KEY_NOT_FOUND)
  3.1297 @@ -2575,18 +2576,18 @@
  3.1298  {
  3.1299      PEP_STATUS status = PEP_STATUS_OK;
  3.1300      pgp_error_t err = NULL;
  3.1301 -    pgp_tpk_t tpk = NULL;
  3.1302 -    pgp_tpk_key_iter_t iter = NULL;
  3.1303 +    pgp_cert_t cert = NULL;
  3.1304 +    pgp_cert_key_iter_t iter = NULL;
  3.1305      pgp_key_pair_t keypair = NULL;
  3.1306      pgp_signer_t signer = NULL;
  3.1307      time_t t = mktime((struct tm *) ts);
  3.1308  
  3.1309      T("(%s)", fpr);
  3.1310  
  3.1311 -    status = tpk_find_by_fpr_hex(session, fpr, true, &tpk, NULL);
  3.1312 +    status = cert_find_by_fpr_hex(session, fpr, true, &cert, NULL);
  3.1313      ERROR_OUT(NULL, status, "Looking up '%s'", fpr);
  3.1314  
  3.1315 -    uint32_t creation_time = pgp_key_creation_time(pgp_tpk_primary_key(tpk));
  3.1316 +    uint32_t creation_time = pgp_key_creation_time(pgp_cert_primary_key(cert));
  3.1317      if (creation_time > t)
  3.1318          // The creation time is after the expiration time!
  3.1319          ERROR_OUT(NULL, PEP_UNKNOWN_ERROR,
  3.1320 @@ -2595,13 +2596,13 @@
  3.1321      uint32_t delta = t - creation_time;
  3.1322  
  3.1323  
  3.1324 -    iter = pgp_tpk_key_iter_valid(tpk);
  3.1325 -    pgp_tpk_key_iter_certification_capable (iter);
  3.1326 -    pgp_tpk_key_iter_unencrypted_secret (iter, true);
  3.1327 +    iter = pgp_cert_key_iter_valid(cert);
  3.1328 +    pgp_cert_key_iter_for_certification (iter);
  3.1329 +    pgp_cert_key_iter_unencrypted_secret (iter);
  3.1330  
  3.1331      // If there are multiple certification capable subkeys, we just
  3.1332      // take the first one, whichever one that happens to be.
  3.1333 -    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
  3.1334 +    pgp_key_t key = pgp_cert_key_iter_next (iter, NULL, NULL);
  3.1335      if (! key)
  3.1336          ERROR_OUT (err, PEP_UNKNOWN_ERROR,
  3.1337                     "%s has no usable certification capable key", fpr);
  3.1338 @@ -2614,12 +2615,12 @@
  3.1339      if (! signer)
  3.1340          ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a signer");
  3.1341  
  3.1342 -    tpk = pgp_tpk_set_expiry(&err, tpk, signer, delta);
  3.1343 -    if (! tpk)
  3.1344 +    cert = pgp_cert_set_expiry(&err, cert, signer, delta);
  3.1345 +    if (! cert)
  3.1346          ERROR_OUT(err, PEP_UNKNOWN_ERROR, "setting expiration");
  3.1347  
  3.1348 -    status = tpk_save(session, tpk, NULL);
  3.1349 -    tpk = NULL;
  3.1350 +    status = cert_save(session, cert, NULL);
  3.1351 +    cert = NULL;
  3.1352      ERROR_OUT(NULL, status, "Saving %s", fpr);
  3.1353  
  3.1354   out:
  3.1355 @@ -2629,8 +2630,8 @@
  3.1356      // will become a leak.
  3.1357      //
  3.1358      pgp_key_pair_free (keypair);
  3.1359 -    pgp_tpk_key_iter_free (iter);
  3.1360 -    pgp_tpk_free(tpk);
  3.1361 +    pgp_cert_key_iter_free (iter);
  3.1362 +    pgp_cert_free(cert);
  3.1363  
  3.1364      T("(%s) -> %s", fpr, pEp_status_to_string(status));
  3.1365      return status;
  3.1366 @@ -2641,23 +2642,23 @@
  3.1367  {
  3.1368      PEP_STATUS status = PEP_STATUS_OK;
  3.1369      pgp_error_t err = NULL;
  3.1370 -    pgp_tpk_t tpk = NULL;
  3.1371 -    pgp_tpk_key_iter_t iter = NULL;
  3.1372 +    pgp_cert_t cert = NULL;
  3.1373 +    pgp_cert_key_iter_t iter = NULL;
  3.1374      pgp_key_pair_t keypair = NULL;
  3.1375      pgp_signer_t signer = NULL;
  3.1376  
  3.1377      T("(%s)", fpr);
  3.1378  
  3.1379 -    status = tpk_find_by_fpr_hex(session, fpr, true, &tpk, NULL);
  3.1380 +    status = cert_find_by_fpr_hex(session, fpr, true, &cert, NULL);
  3.1381      ERROR_OUT(NULL, status, "Looking up %s", fpr);
  3.1382  
  3.1383 -    iter = pgp_tpk_key_iter_valid(tpk);
  3.1384 -    pgp_tpk_key_iter_certification_capable (iter);
  3.1385 -    pgp_tpk_key_iter_unencrypted_secret (iter, true);
  3.1386 +    iter = pgp_cert_key_iter_valid(cert);
  3.1387 +    pgp_cert_key_iter_for_certification (iter);
  3.1388 +    pgp_cert_key_iter_unencrypted_secret (iter);
  3.1389  
  3.1390      // If there are multiple certification capable subkeys, we just
  3.1391      // take the first one, whichever one that happens to be.
  3.1392 -    pgp_key_t key = pgp_tpk_key_iter_next (iter, NULL, NULL);
  3.1393 +    pgp_key_t key = pgp_cert_key_iter_next (iter, NULL, NULL);
  3.1394      if (! key)
  3.1395          ERROR_OUT (err, PEP_UNKNOWN_ERROR,
  3.1396                     "%s has no usable certification capable key", fpr);
  3.1397 @@ -2670,33 +2671,33 @@
  3.1398      if (! signer)
  3.1399          ERROR_OUT (err, PEP_UNKNOWN_ERROR, "Creating a signer");
  3.1400  
  3.1401 -    tpk = pgp_tpk_revoke_in_place(&err, tpk, signer,
  3.1402 +    cert = pgp_cert_revoke_in_place(&err, cert, signer,
  3.1403                                    PGP_REASON_FOR_REVOCATION_UNSPECIFIED,
  3.1404                                    reason);
  3.1405 -    if (! tpk)
  3.1406 +    if (! cert)
  3.1407          ERROR_OUT(err, PEP_UNKNOWN_ERROR, "setting expiration");
  3.1408  
  3.1409 -    assert(pgp_revocation_status_variant(pgp_tpk_revoked(tpk, 0))
  3.1410 +    assert(pgp_revocation_status_variant(pgp_cert_revoked(cert, 0))
  3.1411             == PGP_REVOCATION_STATUS_REVOKED);
  3.1412  
  3.1413 -    status = tpk_save(session, tpk, NULL);
  3.1414 -    tpk = NULL;
  3.1415 +    status = cert_save(session, cert, NULL);
  3.1416 +    cert = NULL;
  3.1417      ERROR_OUT(NULL, status, "Saving %s", fpr);
  3.1418  
  3.1419   out:
  3.1420      pgp_signer_free (signer);
  3.1421      pgp_key_pair_free (keypair);
  3.1422 -    pgp_tpk_key_iter_free (iter);
  3.1423 -    pgp_tpk_free(tpk);
  3.1424 +    pgp_cert_key_iter_free (iter);
  3.1425 +    pgp_cert_free(cert);
  3.1426  
  3.1427      T("(%s) -> %s", fpr, pEp_status_to_string(status));
  3.1428      return status;
  3.1429  }
  3.1430  
  3.1431 -static void _pgp_key_expired(pgp_tpk_t tpk, const time_t when, bool* expired)
  3.1432 +static void _pgp_key_expired(pgp_cert_t cert, const time_t when, bool* expired)
  3.1433  {
  3.1434 -    // Is the TPK live?
  3.1435 -    *expired = !pgp_tpk_alive(tpk, when);
  3.1436 +    // Is the certificate live?
  3.1437 +    *expired = !pgp_cert_alive(cert, when);
  3.1438  
  3.1439  #ifdef TRACING
  3.1440      {
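Review bot: The post-revocation check `assert(pgp_revocation_status_variant(pgp_cert_revoked(cert, 0)) == PGP_REVOCATION_STATUS_REVOKED);` never releases the status object returned by `pgp_cert_revoked`, which other callers in this file pair with `pgp_revocation_status_free`. It also disappears in a build with -DNDEBUG, so a certificate that did not end up revoked would still be saved and reported as success. I would make it a run-time check that frees the status, as below. The failure message after `pgp_cert_revoke_in_place` still reads "setting expiration", which looks copied from the expiry path. The enclosing function starts before this hunk.

```c
    if (! cert)
        ERROR_OUT(err, PEP_UNKNOWN_ERROR, "revoking certificate");

    // Verify the result at run time; assert() is compiled out under NDEBUG.
    pgp_revocation_status_t rs = pgp_cert_revoked(cert, 0);
    pgp_revocation_status_variant_t rsv = pgp_revocation_status_variant(rs);
    pgp_revocation_status_free(rs);
    if (rsv != PGP_REVOCATION_STATUS_REVOKED)
        ERROR_OUT(NULL, PEP_UNKNOWN_ERROR,
                  "certificate is not revoked after revocation");

    // … unchanged: cert_save, then cleanup under out: …
```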
  3.1441 @@ -2711,7 +2712,7 @@
  3.1442              strftime(buffer, sizeof(buffer), "%Y-%m-%d %H:%M:%S", &tm);
  3.1443          }
  3.1444  
  3.1445 -        T("TPK is %slive as of %s", *expired ? "not " : "", buffer);
  3.1446 +        T("certificate is %slive as of %s", *expired ? "not " : "", buffer);
  3.1447      }
  3.1448  #endif
  3.1449      if (*expired)
  3.1450 @@ -2722,27 +2723,27 @@
  3.1451      //    int can_certify = 0, can_encrypt = 0, can_sign = 0;
  3.1452      int can_encrypt = 0, can_sign = 0;
  3.1453  
  3.1454 -    pgp_tpk_key_iter_t key_iter = pgp_tpk_key_iter_valid(tpk);
  3.1455 +    pgp_cert_key_iter_t key_iter = pgp_cert_key_iter_valid(cert);
  3.1456      pgp_key_t key;
  3.1457      pgp_signature_t sig;
  3.1458      pgp_revocation_status_t rev;
  3.1459 -    while ((key = pgp_tpk_key_iter_next(key_iter, &sig, &rev))) {
  3.1460 +    while ((key = pgp_cert_key_iter_next(key_iter, &sig, &rev))) {
  3.1461          if (! sig)
  3.1462              continue;
  3.1463  
  3.1464 -        if (pgp_signature_can_encrypt_for_transport(sig)
  3.1465 -            || pgp_signature_can_encrypt_at_rest(sig))
  3.1466 +        if (pgp_signature_for_transport_encryption(sig)
  3.1467 +            || pgp_signature_for_storage_encryption(sig))
  3.1468              can_encrypt = 1;
  3.1469 -        if (pgp_signature_can_sign(sig))
  3.1470 +        if (pgp_signature_for_signing(sig))
  3.1471              can_sign = 1;
  3.1472 -        // if (pgp_signature_can_certify(sig))
  3.1473 +        // if (pgp_signature_for_certification(sig))
  3.1474          //     can_certify = 1;
  3.1475  
  3.1476  //        if (can_encrypt && can_sign && can_certify)
  3.1477          if (can_encrypt && can_sign)
  3.1478              break;
  3.1479      }
  3.1480 -    pgp_tpk_key_iter_free(key_iter);
  3.1481 +    pgp_cert_key_iter_free(key_iter);
  3.1482  
  3.1483  //    *expired = !(can_encrypt && can_sign && can_certify);
  3.1484      *expired = !(can_encrypt && can_sign);
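Review bot: The loop call `pgp_cert_key_iter_next(key_iter, &sig, &rev)` fills `rev` on every iteration, but the visible lines never read or release it, and `sig` is not released either. If the iterator hands ownership of these objects to the caller (worth confirming against the Sequoia FFI docs), each key visited leaks a revocation status. The renew and revoke paths already pass NULL for outputs they do not need, so here I would drop `pgp_revocation_status_t rev;` and call `pgp_cert_key_iter_next(key_iter, &sig, NULL)`. The same pattern appears in the key-rating loop in the `@@ -2854,19 +2855,19 @@` hunk. The function body starts before this hunk.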
  3.1485 @@ -2751,18 +2752,18 @@
  3.1486        can_encrypt ? "" : "not",
  3.1487        can_sign ? "" : "not",
  3.1488        *expired ? "" : "not");
  3.1489 -      
  3.1490 +
  3.1491  out:
  3.1492      // Er, this might be problematic in terms of internal vs. external in log. FIXME?
  3.1493      T(" -> expired: %d", *expired);
  3.1494      return;
  3.1495  }
  3.1496 -                            
  3.1497 +
  3.1498  PEP_STATUS pgp_key_expired(PEP_SESSION session, const char *fpr,
  3.1499                             const time_t when, bool *expired)
  3.1500  {
  3.1501      PEP_STATUS status = PEP_STATUS_OK;
  3.1502 -    pgp_tpk_t tpk = NULL;
  3.1503 +    pgp_cert_t cert = NULL;
  3.1504      T("(%s)", fpr);
  3.1505  
  3.1506      assert(session);
  3.1507 @@ -2772,13 +2773,13 @@
  3.1508      *expired = false;
  3.1509  
  3.1510      pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
  3.1511 -    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
  3.1512 +    status = cert_find_by_fpr(session, pgp_fpr, false, &cert, NULL);
  3.1513      pgp_fingerprint_free(pgp_fpr);
  3.1514      ERROR_OUT(NULL, status, "Looking up %s", fpr);
  3.1515  
  3.1516 -    _pgp_key_expired(tpk, when, expired);
  3.1517 +    _pgp_key_expired(cert, when, expired);
  3.1518   out:
  3.1519 -    pgp_tpk_free(tpk);
  3.1520 +    pgp_cert_free(cert);
  3.1521      T("(%s) -> %s (expired: %d)", fpr, pEp_status_to_string(status), *expired);
  3.1522      return status;
  3.1523  }
  3.1524 @@ -2786,7 +2787,7 @@
  3.1525  PEP_STATUS pgp_key_revoked(PEP_SESSION session, const char *fpr, bool *revoked)
  3.1526  {
  3.1527      PEP_STATUS status = PEP_STATUS_OK;
  3.1528 -    pgp_tpk_t tpk;
  3.1529 +    pgp_cert_t cert;
  3.1530  
  3.1531      T("(%s)", fpr);
  3.1532  
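Review bot: `pgp_cert_t cert;` is left uninitialised here, while the sibling lookups in this file declare the handle as `= NULL` and free it under `out:`. It is safe only because the `pgp_cert_free(cert)` in the following hunk sits before the `out:` label. If that call is ever moved below the label, the lookup-failure path would free an indeterminate pointer. I would write `pgp_cert_t cert = NULL;` and move the free below `out:`, matching `pgp_key_expired`. The function body continues past this hunk.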
  3.1533 @@ -2797,14 +2798,14 @@
  3.1534      *revoked = false;
  3.1535  
  3.1536      pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
  3.1537 -    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
  3.1538 +    status = cert_find_by_fpr(session, pgp_fpr, false, &cert, NULL);
  3.1539      pgp_fingerprint_free(pgp_fpr);
  3.1540      ERROR_OUT(NULL, status, "Looking up %s", fpr);
  3.1541  
  3.1542 -    pgp_revocation_status_t rs = pgp_tpk_revoked(tpk, 0);
  3.1543 +    pgp_revocation_status_t rs = pgp_cert_revoked(cert, 0);
  3.1544      *revoked = pgp_revocation_status_variant(rs) == PGP_REVOCATION_STATUS_REVOKED;
  3.1545      pgp_revocation_status_free (rs);
  3.1546 -    pgp_tpk_free(tpk);
  3.1547 +    pgp_cert_free(cert);
  3.1548  
  3.1549   out:
  3.1550      T("(%s) -> %s", fpr, pEp_status_to_string(status));
  3.1551 @@ -2815,7 +2816,7 @@
  3.1552      PEP_SESSION session, const char *fpr, PEP_comm_type *comm_type)
  3.1553  {
  3.1554      PEP_STATUS status = PEP_STATUS_OK;
  3.1555 -    pgp_tpk_t tpk = NULL;
  3.1556 +    pgp_cert_t cert = NULL;
  3.1557  
  3.1558      assert(session);
  3.1559      assert(fpr);
  3.1560 @@ -2824,7 +2825,7 @@
  3.1561      *comm_type = PEP_ct_unknown;
  3.1562  
  3.1563      pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
  3.1564 -    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
  3.1565 +    status = cert_find_by_fpr(session, pgp_fpr, false, &cert, NULL);
  3.1566      pgp_fingerprint_free(pgp_fpr);
  3.1567      ERROR_OUT(NULL, status, "Looking up key: %s", fpr);
  3.1568  
  3.1569 @@ -2833,19 +2834,19 @@
  3.1570      bool expired = false;
  3.1571      
  3.1572      // MUST guarantee the same behaviour.
  3.1573 -    _pgp_key_expired(tpk, time(NULL), &expired);
  3.1574 +    _pgp_key_expired(cert, time(NULL), &expired);
  3.1575      
  3.1576      if (expired) {
  3.1577          *comm_type = PEP_ct_key_expired;
  3.1578          goto out;        
  3.1579      }
  3.1580      
  3.1581 -    // if (pgp_tpk_expired(tpk)) {
  3.1582 +    // if (pgp_cert_expired(cert)) {
  3.1583      //     *comm_type = PEP_ct_key_expired;
  3.1584      //     goto out;
  3.1585      // }
  3.1586  
  3.1587 -    pgp_revocation_status_t rs = pgp_tpk_revoked(tpk, 0);
  3.1588 +    pgp_revocation_status_t rs = pgp_cert_revoked(cert, 0);
  3.1589      pgp_revocation_status_variant_t rsv = pgp_revocation_status_variant(rs);
  3.1590      pgp_revocation_status_free(rs);
  3.1591      if (rsv == PGP_REVOCATION_STATUS_REVOKED) {
  3.1592 @@ -2854,19 +2855,19 @@
  3.1593      }
  3.1594  
  3.1595      PEP_comm_type best_enc = PEP_ct_no_encryption, best_sign = PEP_ct_no_encryption;
  3.1596 -    pgp_tpk_key_iter_t key_iter = pgp_tpk_key_iter_valid(tpk);
  3.1597 +    pgp_cert_key_iter_t key_iter = pgp_cert_key_iter_valid(cert);
  3.1598      pgp_key_t key;
  3.1599      pgp_signature_t sig;
  3.1600      pgp_revocation_status_t rev;
  3.1601 -    while ((key = pgp_tpk_key_iter_next(key_iter, &sig, &rev))) {
  3.1602 +    while ((key = pgp_cert_key_iter_next(key_iter, &sig, &rev))) {
  3.1603          if (! sig)
  3.1604              continue;
  3.1605  
  3.1606          PEP_comm_type curr = PEP_ct_no_encryption;
  3.1607  
  3.1608 -        int can_enc = pgp_signature_can_encrypt_for_transport(sig)
  3.1609 -            || pgp_signature_can_encrypt_at_rest(sig);
  3.1610 -        int can_sign = pgp_signature_can_sign(sig);
  3.1611 +        int can_enc = pgp_signature_for_transport_encryption(sig)
  3.1612 +            || pgp_signature_for_storage_encryption(sig);
  3.1613 +        int can_sign = pgp_signature_for_signing(sig);
  3.1614  
  3.1615          pgp_public_key_algo_t pk_algo = pgp_key_public_key_algo(key);
  3.1616          if (pk_algo == PGP_PUBLIC_KEY_ALGO_RSA_ENCRYPT_SIGN
  3.1617 @@ -2889,7 +2890,7 @@
  3.1618          if (can_sign)
  3.1619              best_sign = _MAX(best_sign, curr);
  3.1620      }
  3.1621 -    pgp_tpk_key_iter_free(key_iter);
  3.1622 +    pgp_cert_key_iter_free(key_iter);
  3.1623  
  3.1624      if (best_enc == PEP_ct_no_encryption || best_sign == PEP_ct_no_encryption) {
  3.1625          *comm_type = PEP_ct_key_b0rken;
  3.1626 @@ -2899,7 +2900,7 @@
  3.1627      }
  3.1628  
  3.1629   out:
  3.1630 -    pgp_tpk_free(tpk);
  3.1631 +    pgp_cert_free(cert);
  3.1632  
  3.1633      T("(%s) -> %s", fpr, pEp_comm_type_to_string(*comm_type));
  3.1634      return status;
  3.1635 @@ -2909,19 +2910,19 @@
  3.1636  PEP_STATUS pgp_key_created(PEP_SESSION session, const char *fpr, time_t *created)
  3.1637  {
  3.1638      PEP_STATUS status = PEP_STATUS_OK;
  3.1639 -    pgp_tpk_t tpk = NULL;
  3.1640 +    pgp_cert_t cert = NULL;
  3.1641      T("(%s)", fpr);
  3.1642  
  3.1643      *created = 0;
  3.1644  
  3.1645      pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
  3.1646 -    status = tpk_find_by_fpr(session, pgp_fpr, false, &tpk, NULL);
  3.1647 +    status = cert_find_by_fpr(session, pgp_fpr, false, &cert, NULL);
  3.1648      pgp_fingerprint_free(pgp_fpr);
  3.1649      ERROR_OUT(NULL, status, "Looking up %s", fpr);
  3.1650  
  3.1651 -    pgp_key_t k = pgp_tpk_primary_key(tpk);
  3.1652 +    pgp_key_t k = pgp_cert_primary_key(cert);
  3.1653      *created = pgp_key_creation_time(k);
  3.1654 -    pgp_tpk_free(tpk);
  3.1655 +    pgp_cert_free(cert);
  3.1656  
  3.1657   out:
  3.1658      T("(%s) -> %s", fpr, pEp_status_to_string(status));
  3.1659 @@ -2939,7 +2940,7 @@
  3.1660  {
  3.1661      T("(%s)", fpr);
  3.1662      pgp_fingerprint_t pgp_fpr = pgp_fingerprint_from_hex(fpr);
  3.1663 -    PEP_STATUS status = tpk_find_by_fpr(session, pgp_fpr, true, NULL, NULL);
  3.1664 +    PEP_STATUS status = cert_find_by_fpr(session, pgp_fpr, true, NULL, NULL);
  3.1665      pgp_fingerprint_free(pgp_fpr);
  3.1666      if (status == PEP_STATUS_OK) {
  3.1667          *has_private = 1;
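--- a/test/Makefile
+++ b/test/Makefile
@@ -113,7 +113,7 @@
 
 test: all
 	$(RM) -rf ./pEp_test_home/*
-	$(TEST_CMD_PFX) $(TEST_DEBUGGER) python3 $(GTEST_PL) ./$(TARGET)
+	$(TEST_CMD_PFX) $(TEST_DEBUGGER) GTEST_COLOR=no python3 $(GTEST_PL) --gtest_color=no ./$(TARGET)
 clean:
 	$(RM) $(TARGET) $(TARGET).o $(TARGET).d $(OBJS) $(notdir $(basename $(OBJS))) $(DEPS)
 	$(RM) -rf ./pEp_test_home/*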
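Review bot: On the new `test` recipe line, `GTEST_COLOR=no` is placed after `$(TEST_DEBUGGER)`, so the shell treats it as an environment assignment only while that variable expands to nothing. If `TEST_DEBUGGER` is set to a debugger or wrapper command (its definition is not visible here), the assignment becomes that command's first argument and is taken as the program to run. Putting it at the front through env keeps it an assignment in every case: `env GTEST_COLOR=no $(TEST_CMD_PFX) $(TEST_DEBUGGER) python3 $(GTEST_PL) --gtest_color=no ./$(TARGET)`. It is also worth confirming that the `$(GTEST_PL)` script accepts `--gtest_color=no` instead of rejecting an unknown option.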